Remove acl-restore.sh, and add user to kvm group instead#2580
Conversation
GoogleCuttlefishTesterBot
removed
the
kokoro:force-run
GoogleCuttlefishTesterBot
removed
the
kokoro:force-run
GoogleCuttlefishTesterBot
removed
the
kokoro:force-run
0405ysj
force-pushed
the
setfacl
branch
6 times, most recently
from
593edcf to
79d27c1
Compare
| for unique_group in "${unique_groups[@]}"; do | ||
| sudo usermod -aG "$unique_group" "$username" | ||
| done | ||
| echo "Warning: Please reboot the machine (or log out and log back in) before using podcvd." |
There was a problem hiding this comment.
The whole point of having the restore acls service is that logging out and back in is not necessary. Also, the groups for the device nodes can change, in fact cuttlefish-base changes them, so depending on those can be risky.
There was a problem hiding this comment.
I believe the change around cuttlefish-base is #2589, but it's fine as it doesn't introduce any new group in overall.(Needed kvm and cvdnetwork before, but will need kvm only) Though I agree that groups for device nodes could be changed, I don't think doing chown on device nodes is a common behavior.
The most critical problem I faced at was using setfacl could be problematic for some machines. Machine details are described at b/514558958. While creating Cuttlefish instances, udev change action on /dev/kvm is triggered, and it flushes existing ACL but not recover it.
I think we can make a conversation around acl-restore.sh later but resolving the critical problem is urgent, because it's highly coupled with deployment of its skill. So I'd separate this PR into two, one for doing sudo usermod -aG "$unique_group" "$username" (#2590) and the other for removing acl-restore.sh. I'm targeting to merge former one within today, but please feel free to leave comments afterwards.
0405ysj
force-pushed
the
setfacl
branch
3 times, most recently
from
f4f62a1 to
e2b36d1
Compare
3 participants
Context: b/514558958