
Conversation

@dustymabe
Member

No description provided.

@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request aims to improve security by no longer running the COSA container as root. This is a great improvement. However, by removing the root privileges, the mechanism for using the newly built coreos-installer binary was removed but not replaced. My review includes a critical suggestion to fix this by updating the PATH environment variable, ensuring that the CI continues to test the correct binary.

dustymabe added a commit to dustymabe/coreos-assembler that referenced this pull request Jan 9, 2026
Allow group write permissions on /usr/bin because in upstream
project's CI we want to overwrite binaries for testing. The dir is
owned by root:root and CI runs in openshift as a user that is a
member of the `root` (GID: 0) group.

See coreos/coreos-installer#1716
@dustymabe
Member Author

Ok I think this should be ready to go.

requires https://github.com/coreos/coreos-assembler/pull/4410/changes (please review)

@dustymabe dustymabe force-pushed the dusty-ci-as-root branch 2 times, most recently from 697848f to 7994979 January 9, 2026 15:02
@dustymabe dustymabe marked this pull request as ready for review January 9, 2026 20:41
dustymabe added a commit to dustymabe/coreos-assembler that referenced this pull request Jan 16, 2026
Allow group write permissions on /usr/ because in upstream project's
CI we want to overwrite software for testing. The directories
are typically owned by root:root and CI runs in openshift as a user
that is a member of the `root` (GID: 0) group.

See coreos/coreos-installer#1716
dustymabe added a commit to dustymabe/coreos-assembler that referenced this pull request Jan 16, 2026
Allow group write permissions on /usr/ because in upstream project's
CI we want to overwrite software for testing. The directories
are typically owned by root:root and CI runs in openshift as a user
that is a member of the `root` (GID: 0) group.
See coreos/coreos-installer#1716

Also add an exception for /etc/grub.d for OSTree upstream CI.
dustymabe added a commit to coreos/coreos-assembler that referenced this pull request Jan 16, 2026
Allow group write permissions on /usr/ because in upstream project's
CI we want to overwrite software for testing. The directories
are typically owned by root:root and CI runs in openshift as a user
that is a member of the `root` (GID: 0) group.
See coreos/coreos-installer#1716

Also add an exception for /etc/grub.d for OSTree upstream CI.
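The two mechanisms discussed on this page, as an added example that is not code from coreos-installer or coreos-assembler: the commits above make /usr group-writable so a non-root CI user carrying GID 0 can overwrite binaries in place, and the review bot's comment proposes instead resolving the freshly built coreos-installer through PATH. The script below models both against a throwaway directory tree standing in for the container's /usr, so it runs unprivileged on any POSIX system; the fixture contents, the `home/ci/bin` directory and the `demo`/`make_fixture`/`count_group_writable`/`open_usr_for_group`/`resolve_with_overlay` names are constructed for the example, not taken from either project.

```shell
#!/bin/sh
# Added example, not code from coreos-installer or coreos-assembler.
# Models two ways of letting a non-root CI user run a freshly built binary,
# using a throwaway tree instead of the real /usr so it runs unprivileged.
# File names, the "ci" home directory and the fixture contents are constructed.

set -u

# make_fixture: stand-in for the container filesystem. usr/bin holds the
# "packaged" coreos-installer with normal 0755 permissions; home/ci/bin holds
# a freshly built one. Prints the fixture root.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/bin" "$root/usr/lib" "$root/home/ci/bin"
    printf '#!/bin/sh\necho packaged\n' > "$root/usr/bin/coreos-installer"
    printf '#!/bin/sh\necho freshly-built\n' > "$root/home/ci/bin/coreos-installer"
    chmod 0755 "$root/usr" "$root/usr/bin" "$root/usr/lib" \
        "$root/usr/bin/coreos-installer" "$root/home/ci/bin/coreos-installer"
    echo "$root"
}

# count_group_writable DIR: number of files and directories under DIR that the
# owning group may modify (mode bit 020). In the COSA container after
# coreos-assembler#4410 the owning group of /usr is root (GID 0), so this is
# the set of paths any process carrying GID 0 in its groups can replace.
count_group_writable() {
    find "$1" -perm -020 \( -type f -o -type d \) | wc -l | tr -d ' '
}

# open_usr_for_group ROOT: the coreos-assembler approach applied to the
# fixture: make the whole usr tree group-writable so a non-root member of the
# owning group can overwrite binaries in place with cp or install.
open_usr_for_group() {
    chmod -R g+w "$1/usr"
}

# resolve_with_overlay ROOT: the alternative the review bot's comment
# mentions: leave usr untouched and put the user's own bin directory ahead of
# it on PATH, so "coreos-installer" resolves to the new build. Runs in a
# subshell so the caller's PATH is unchanged. Prints the resolved path.
resolve_with_overlay() {
    ( PATH="$1/home/ci/bin:$1/usr/bin"; export PATH; command -v coreos-installer )
}

# run_with_overlay ROOT: execute whatever resolve_with_overlay found.
run_with_overlay() {
    "$(resolve_with_overlay "$1")"
}

# demo: walk through both approaches and print what each one changes.
demo() {
    root=$(make_fixture)
    echo "group-writable paths before: $(count_group_writable "$root/usr")"
    echo "overlay resolves to: $(resolve_with_overlay "$root")"
    echo "overlay runs: $(run_with_overlay "$root")"
    open_usr_for_group "$root"
    echo "group-writable paths after chmod -R g+w usr: $(count_group_writable "$root/usr")"
    rm -rf "$root"
}

case "${1:-}" in demo) demo ;; esac
```

Run it as `sh example.sh demo`. The count printed after `chmod -R g+w` is the point to weigh when choosing the group-write approach for a real image: every path it lists can be replaced by any process whose supplementary groups include GID 0, which inside the container is as good as root for whatever later executes those files with privilege. The PATH overlay avoids widening /usr at all, but it only affects lookups that go through PATH; anything that invokes `/usr/bin/coreos-installer` by absolute path, or a test that inspects the installed file itself, still sees the packaged copy.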
@dustymabe dustymabe added the skip-notes This PR does not need release notes label Jan 16, 2026
@dustymabe dustymabe force-pushed the dusty-ci-as-root branch 2 times, most recently from ded3cd3 to 30f7807 January 16, 2026 20:18
@dustymabe dustymabe enabled auto-merge (rebase) January 16, 2026 20:18
@aaradhak
Member

aaradhak commented Jan 16, 2026

minor: Typo in the first commit message

ci: drop buildroot param to cosaPod
This _becaome_ obsolete when buildPod was introduced in

This became obsolete when buildPod was introduced in
coreos/coreos-ci-lib@f2a82bd
We opened up the permissions when building the COSA container [1] so
this isn't necessary any longer with a few adjustments here.

[1] coreos/coreos-assembler#4410
This issue should have been fixed a long time ago. Let's drop this
old workaround.
@dustymabe
Member Author

minor: Typo in the first commit message

ci: drop buildroot param to cosaPod
This _becaome_ obsolete when buildPod was introduced in

fixed!

@aaradhak aaradhak left a comment

All three commits LGTM.

@dustymabe dustymabe merged commit 055bf09 into coreos:main Jan 16, 2026
15 checks passed