[DPE-7685] setrpiv shim (#1027)

* Don't switch _daemon_ directly

* Revert timeout

* Wait for cluster to init before starting the observer

* Bring back create dirs

* Reorder peer tls hook

* Fake cert location

* Run as root

* Use revisions from edge

Author: dragomirp

refresh_versions.toml

@@ -6,6 +6,6 @@ name = "charmed-postgresql"
 
 [snap.revisions]
 # amd64
-x86_64 = "197"
+x86_64 = "201"
 # arm64
-aarch64 = "198"
+aarch64 = "202"

scripts/cluster_topology_observer.py

@@ -97,12 +97,12 @@ def check_for_database_changes(run_cmd, unit, charm_dir, previous_databases):
         password = conf_file_contents["postgresql"]["authentication"]["superuser"]["password"]
     env = environ.copy()
     env["PGPASSWORD"] = password
+    # Fake cert location for patronictl
+    env["PGSSLCERT"] = "/var/snap/charmed-postgresql/current/etc/patroni/nonexistent_cert.pem"
     command = [
         "sudo",
         "-E",
         "-H",
-        "-u",
-        "_daemon_",
         "charmed-postgresql.patronictl",
         "-c",
         conf_file_path,

src/backups.py

@@ -6,7 +6,6 @@
 import json
 import logging
 import os
-import pwd
 import re
 import shutil
 import tempfile
@@ -342,22 +341,11 @@ def _execute_command(
         timeout: int | None = None,
     ) -> tuple[int, str, str]:
         """Execute a command in the workload container."""
-
-        def demote():
-            pw_record = pwd.getpwnam("_daemon_")
-
-            def result():
-                os.setgid(pw_record.pw_gid)
-                os.setuid(pw_record.pw_uid)
-
-            return result
-
         # Input is generated by the charm
         process = run(  # noqa: S603
             command,
             input=command_input,
             capture_output=True,
-            preexec_fn=demote(),
             timeout=timeout,
         )
         return process.returncode, process.stdout.decode(), process.stderr.decode()

src/charm.py

@@ -1324,16 +1324,6 @@ def _on_install(self, event: InstallEvent) -> None:
         except snap.SnapError:
             logger.warning("Unable to create psql alias")
 
-        # Create the user home directory for the _daemon_ user.
-        # This is needed due to https://bugs.launchpad.net/snapd/+bug/2011581.
-        try:
-            # Input is hardcoded
-            subprocess.check_call(["mkdir", "-p", "/home/_daemon_"])  # noqa: S607
-            subprocess.check_call(["chown", "_daemon_:_daemon_", "/home/_daemon_"])  # noqa: S607
-            subprocess.check_call(["usermod", "-d", "/home/_daemon_", "_daemon_"])  # noqa: S607
-        except subprocess.CalledProcessError:
-            logger.exception("Unable to create _daemon_ home dir")
-
         self.set_unit_status(WaitingStatus("waiting to start PostgreSQL"))
 
     def _on_leader_elected(self, event: LeaderElectedEvent) -> None:  # noqa: C901

tests/integration/test_tls.py

@@ -113,7 +113,7 @@ async def test_tls_enabled(ops_test: OpsTest) -> None:
                 await run_command_on_unit(
                     ops_test,
                     replica,
-                    "sudo -u _daemon_ charmed-postgresql.pg-ctl -D /var/snap/charmed-postgresql/common/var/lib/postgresql/ promote",
+                    "sudo charmed-postgresql.pg-ctl -D /var/snap/charmed-postgresql/common/var/lib/postgresql/ promote",
                 )
 
                 # Check that the replica was promoted.

tests/unit/test_backups.py

@@ -2,7 +2,7 @@
 # See LICENSE file for licensing details.
 from os import cpu_count
 from subprocess import CompletedProcess, TimeoutExpired
-from unittest.mock import ANY, MagicMock, PropertyMock, call, mock_open, patch
+from unittest.mock import MagicMock, PropertyMock, call, mock_open, patch
 
 import botocore as botocore
 import pytest
@@ -483,29 +483,21 @@ def test_change_connectivity_to_database(harness):
 def test_execute_command(harness):
     with (
         patch("backups.run") as _run,
-        patch("pwd.getpwnam") as _getpwnam,
     ):
         # Test when the command fails.
         command = ["rm", "-r", "/var/snap/charmed-postgresql/common/data/db"]
         _run.return_value = CompletedProcess(command, 1, b"", b"fake stderr")
         assert harness.charm.backup._execute_command(command) == (1, "", "fake stderr")
-        _run.assert_called_once_with(
-            command, input=None, capture_output=True, preexec_fn=ANY, timeout=None
-        )
-        _getpwnam.assert_called_once_with("_daemon_")
+        _run.assert_called_once_with(command, input=None, capture_output=True, timeout=None)
 
         # Test when the command runs successfully.
         _run.reset_mock()
-        _getpwnam.reset_mock()
         _run.side_effect = None
         _run.return_value = CompletedProcess(command, 0, b"fake stdout", b"")
         assert harness.charm.backup._execute_command(
             command, command_input=b"fake input", timeout=5
         ) == (0, "fake stdout", "")
-        _run.assert_called_once_with(
-            command, input=b"fake input", capture_output=True, preexec_fn=ANY, timeout=5
-        )
-        _getpwnam.assert_called_once_with("_daemon_")
+        _run.assert_called_once_with(command, input=b"fake input", capture_output=True, timeout=5)
 
 
 def test_format_backup_list(harness):

tests/unit/test_charm.py

@@ -64,7 +64,6 @@ def harness():
 
 def test_on_install(harness):
     with (
-        patch("charm.subprocess.check_call") as _check_call,
         patch("charm.snap.SnapCache") as _snap_cache,
         patch("charm.PostgresqlOperatorCharm._install_snap_package") as _install_snap_package,
         patch(
@@ -88,45 +87,6 @@ def test_on_install(harness):
         pg_snap.alias.assert_any_call("psql")
         pg_snap.alias.assert_any_call("patronictl")
 
-        assert _check_call.call_count == 3
-        _check_call.assert_any_call(["mkdir", "-p", "/home/_daemon_"])
-        _check_call.assert_any_call(["chown", "_daemon_:_daemon_", "/home/_daemon_"])
-        _check_call.assert_any_call(["usermod", "-d", "/home/_daemon_", "_daemon_"])
-
-        # Assert the status set by the event handler.
-        assert isinstance(harness.model.unit.status, WaitingStatus)
-
-
-def test_on_install_failed_to_create_home(harness):
-    with (
-        patch("charm.subprocess.check_call") as _check_call,
-        patch("charm.snap.SnapCache") as _snap_cache,
-        patch("charm.PostgresqlOperatorCharm._install_snap_package") as _install_snap_package,
-        patch(
-            "charm.PostgresqlOperatorCharm._reboot_on_detached_storage"
-        ) as _reboot_on_detached_storage,
-        patch(
-            "charm.PostgresqlOperatorCharm._is_storage_attached",
-            side_effect=[False, True, True],
-        ) as _is_storage_attached,
-        patch("charm.logger.exception") as _logger_exception,
-    ):
-        # Test without storage.
-        harness.charm.on.install.emit()
-        _reboot_on_detached_storage.assert_called_once()
-        pg_snap = _snap_cache.return_value[charm_refresh.snap_name()]
-        _check_call.side_effect = [subprocess.CalledProcessError(-1, ["test"])]
-
-        # Test without adding Patroni resource.
-        harness.charm.on.install.emit()
-        # Assert that the needed calls were made.
-        _install_snap_package.assert_called_once_with(revision=None)
-        assert pg_snap.alias.call_count == 2
-        pg_snap.alias.assert_any_call("psql")
-        pg_snap.alias.assert_any_call("patronictl")
-
-        _logger_exception.assert_called_once_with("Unable to create _daemon_ home dir")
-
         # Assert the status set by the event handler.
         assert isinstance(harness.model.unit.status, WaitingStatus)