
Pre-create rstudio-server user and set directory permissions #116

Open
ssinnott wants to merge 8 commits into main from rstudio-server-permissions

@ssinnott
Contributor

Pre-create the rstudio-server user/group at UID/GID 999 before package installation so the deb postinst finds the existing account and does not reassign UIDs/GIDs. Expand the Configure Workbench layer to create and own all runtime directories (conf, body, proxy, launcher, log, run) up front, with group-writable setgid bits so members of rstudio-server can write without requiring root. Update goss tests accordingly and remove the Ubuntu 24.04 GID workaround that is no longer needed.

Contributor

@bschwedler bschwedler left a comment

Is the purpose for this change primarily consistency of gid across OSes?

It looks like gid 999 is not working as intended on the daily builds:

[2](https://github.com/posit-dev/images-workbench/actions/runs/26548171667/job/78204610426?pr=116#step:10:11053)
ERROR: failed to build: failed to solve: process "/bin/sh -c groupadd --system --gid 999 rstudio-server     && useradd --system --uid 999 --gid 999         --no-create-home --home-dir /var/lib/rstudio-server         --shell /usr/sbin/nologin         rstudio-server" did not complete successfully: exit code: 4

group:
  rstudio-server:
    exists: true
    gid: {% raw %}{{ if and (eq .Env.IMAGE_VARIANT "Standard") (and (eq .Env.IMAGE_OS_NAME "ubuntu") (eq .Env.IMAGE_OS_VERSION "24.04")) }}997{{ else }}999{{ end }}{% endraw %}

Contributor

This reverts the difference in gid between Ubuntu 22 and 24. I recall we ran into something with this, but don't remember the specifics of why or what it was. d8b1ced

It could just be that the packages installed before took the higher gid before the rstudio-server user/group was created.

Contributor

@bschwedler bschwedler May 28, 2026

In workbench:2026.05.0-ubuntu-24.04

  users:100              ← base ubuntu:24.04
  messagebus:101         ← from dbus (Standard pkgs pull it in)
  sssd:102               ← from sssd (Standard-only)
  rstudio-server:997     ← workbench install
  systemd-network:998    ← from libnss-systemd/systemd-resolved (Standard pkgs)
  systemd-journal:999    ← from systemd (Standard pkgs)
  ubuntu:1000            ← base ubuntu:24.04

Contributor

So it looks like the cause is the installation of sssd, which in turn pulls in dbus and libnss-systemd.

Contributor Author

Yeah. So this is related to the helm changes we're working on to run as a service account.

In there you want a stable UUID and GID because it is what you set the workbench pod to run as. I can take a look at the failure - I think it would be better if this was stable between workbench versions.

Contributor

Got it. I understand the motivation now. In that case, I would like us to try to apply this to all existing versions of the images so that they work with the helm chart out of the box.

@ianpittwood What do you think?

@jeffvroom jeffvroom left a comment

LGTM!

ssinnott added 5 commits May 28, 2026 12:56

Move the pre-create groupadd/useradd to the first RUN after the ENV
block so the stable identifier is locked in before any apt packages
that may create system users from the 999-down range.

The launcher resets /var/lib/rstudio-launcher to 0755 on startup, so the
build-time setgid mode never survives to test time. Assert only ownership.

Move the supervisord socket and pidfile into a group-writable
/var/run/supervisor directory and drop the root user pin, so supervisord
can run under an arbitrary Kubernetes UID in the rstudio-server group.
Create and setgid the directory in the Containerfiles and assert it in
goss. Gated to development images to match the rest of this branch.
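
The collision diagnosed in this thread (GID 999 already held by systemd-journal once the Standard packages are installed), shown as an added example that is not part of the PR or the project's code: a preflight that a Containerfile RUN step could call before groupadd/useradd so the build names the conflicting account instead of stopping at exit code 4. The function names and sample files are hypothetical; the group entries are constructed from the listing quoted in the thread.

```shell
#!/bin/sh
# Added example (hypothetical helper names): preflight for a fixed system id.
# groupadd exits 4 when the GID is taken (useradd likewise for a UID), without
# saying by whom; this names the owner first.

# Print the account that owns numeric id $1 in file $2. Field 3 is the GID in
# /etc/group and the UID in /etc/passwd, so one lookup serves both files.
id_owner() {
    awk -F: -v id="$1" '$3 == id { print $1; exit }' "$2"
}

# Succeed if id $1 is unused in file $3 or already belongs to name $2.
check_id() {
    owner=$(id_owner "$1" "$3")
    if [ -z "$owner" ] || [ "$owner" = "$2" ]; then
        return 0
    fi
    echo "id $1 in $3 already belongs to '$owner', wanted '$2'" >&2
    return 1
}

# preflight NAME ID GROUP_FILE PASSWD_FILE: both files must pass.
preflight() {
    check_id "$2" "$1" "$3" && check_id "$2" "$1" "$4"
}

# Constructed sample data: group entries taken from the listing in the thread,
# passwd entries invented for the demo. A real build passes /etc/group and /etc/passwd.
SAMPLE_GROUP=$(mktemp)
SAMPLE_PASSWD=$(mktemp)
trap 'rm -f "$SAMPLE_GROUP" "$SAMPLE_PASSWD"' EXIT
printf '%s\n' 'users:x:100:' 'messagebus:x:101:' 'sssd:x:102:' \
    'rstudio-server:x:997:' 'systemd-network:x:998:' \
    'systemd-journal:x:999:' 'ubuntu:x:1000:' > "$SAMPLE_GROUP"
printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
    'ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash' > "$SAMPLE_PASSWD"

for want in 999 997; do
    if preflight rstudio-server "$want" "$SAMPLE_GROUP" "$SAMPLE_PASSWD"; then
        echo "id $want: free or already rstudio-server"
    else
        echo "id $want: collision, fix package order before groupadd"
    fi
done
```

Because an id already owned by the wanted name passes, the check stays valid when a later layer re-runs it after the account exists.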