WIP: make upgrading demo accounts available via a config option.#3614
Draft
zenhack wants to merge 3 commits intosandstorm-io:masterfrom
Draft
WIP: make upgrading demo accounts available via a config option.#3614zenhack wants to merge 3 commits intosandstorm-io:masterfrom
zenhack wants to merge 3 commits intosandstorm-io:masterfrom
Conversation
Doing this is the source of sandstorm-io#3584. Instead, make sure we've fully entered a new user namespace before we have to do anything that would require the capabilities that are dropped on exec(). We also need to be in a new pid namespace, since we try to mount /proc so it needs to be a procfs that we own. We use clone() instead of unshare() for this so we don't have to disturb the process hierarchy.
This fixes sandstorm-io#3239 by providing a config option to re-enable the ability to upgrade demo accounts to full accounts, which was removed in order to allow alpha to act as the demo server when oasis was shut down. Unfortunately, this seems to break *other* tests. The handful I examined resulted in permission errors trying to upload the test app; presumably when this is enabled our test accounts are somehow getting marked as not allowed to upload their own apps.
Collaborator
Author
|
(Note that this includes the commits from #3609, since those are necessary for any of the tests to pass). |
Collaborator
|
Does ALLOW_UNINVITED permit users who sign in without an invite to create grains? I am not sure if the config option is self-explanatory enough. How does this interact with the permission to allow demo accounts, and what happens if one but not the other is set? ...Which is to say, I maybe might suggest a better config variable name, and definitely would like to see the docs updated in the PR. |
Collaborator
Author
|
Yeah, I should definitely update the docs before this is merged, and I just copied the name from the meteor setting, so could probably be improved. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This fixes #3239 by providing a config option to re-enable the ability
to upgrade demo accounts to full accounts, which was removed in order to
allow alpha to act as the demo server when oasis was shut down.
Unfortunately, this seems to break other tests. The handful I examined
resulted in permission errors trying to upload the test app; presumably
when this is enabled our test accounts are somehow getting marked as
not allowed to upload their own apps.
Accordingly, I'm marking this as a draft until that can be debugged.