ansible/hg-web: allow mozbuild-eval to set its cgroup (bug 1263973); r?kang
See the inline comment for why we need this.
This "just worked" in CentOS 6. My guess is the default permissions
for cgroups changed.
The other alternative to this is making the tasks file permission 777
so anybody can add tasks to it. If there aren't security risks with
that, that approach is more flexible because it doesn't limit the users
that can run `mozbuild-eval`.
MozReview-Commit-ID: D7WD1CS89pj
--- a/ansible/roles/hg-web/files/cgconfig-mozbuild.conf
+++ b/ansible/roles/hg-web/files/cgconfig-mozbuild.conf
@@ -1,10 +1,28 @@
# Control group policy for moz.build evaluation.
group mozbuild {
+ # The sandbox starts running as the "hg" user via hgweb. And that
+ # is the user it is running as when it does cgroup manipulation in the
+ # sandboxed process (before it changes to "mozbuild"). So give
+ # the "hg" user access to add tasks to this cgroup.
+ perm {
+ task {
+ uid = hg;
+ gid = hg;
+ fperm = 770;
+ }
+
+ admin {
+ uid = root;
+ gid = root;
+ fperm = 770;
+ }
+ }
+
# Give I/O the lowest priority possible.
blkio {
blkio.weight = 100;
}
# Limit processes to a single CPU core.
# moz.build reading should never consume more than 1 core. Enforce
# that.
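Review bot: `fperm = 770` together with `gid = hg` on the `task` entry lets every member of group hg write to the tasks file, not only the hg user that the inline comment names, so the comment understates the grant; either tighten it to `fperm = 700;` if only the hg user needs to move the sandboxed process, or extend the comment to say that group hg is trusted as well. The `admin` entry sets only `fperm`, leaving `dperm` on the group directory at whatever the tool defaults to; since the commit message attributes the breakage to changed default cgroup permissions, spelling out `dperm` here would make the config robust to that default changing again.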