Update sandbox permissions

tuhaihe · tuhaihe · commit fc4cef2d0150 · 2025-11-17T18:54:01.000+08:00
diff --git a/devops/sandbox/Dockerfile.RELEASE.rockylinux9 b/devops/sandbox/Dockerfile.RELEASE.rockylinux9
@@ -222,8 +222,8 @@ RUN groupadd -r gpadmin && \
     echo "gpadmin ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/gpadmin && \
     chmod 440 /etc/sudoers.d/gpadmin
 
-# Prepare SSH daemon: generate host keys and ensure runtime dir
-RUN ssh-keygen -A && mkdir -p /run/sshd
+# Prepare SSH daemon: generate host keys, ensure runtime dir, and allow gpadmin to start it
+RUN ssh-keygen -A && mkdir -p /run/sshd && chmod u+s /usr/sbin/sshd
 
 # Copy built Cloudberry from builder stage
 COPY --from=builder /usr/local/cloudberry-db /usr/local/cloudberry-db
@@ -246,7 +246,13 @@ RUN echo "cdw" > /tmp/gpdb-hosts && \
     chmod 755 /tmp/gpinitsystem_multinode && \
     chmod 755 /tmp/init_system.sh && \
     mkdir -p /data0/database/coordinator /data0/database/primary /data0/database/mirror && \
-    chown -R gpadmin:gpadmin /data0 && \
+    chown -R gpadmin:gpadmin \
+      /usr/local/cloudberry-db \
+      /tmp/gpinitsystem_singlenode \
+      /tmp/gpinitsystem_multinode \
+      /tmp/gpdb-hosts \
+      /tmp/multinode-gpinit-hosts \
+      /data0 && \
     echo "export COORDINATOR_DATA_DIRECTORY=/data0/database/coordinator/gpseg-1" >> /home/gpadmin/.bashrc && \
     echo -e '\n# Add Cloudberry entries\nif [ -f /usr/local/cloudberry-db/cloudberry-env.sh ]; then\n  source /usr/local/cloudberry-db/cloudberry-env.sh\nfi\n# Add Greenplum compatibility entries\nif [ -f /usr/local/cloudberry-db/greenplum_path.sh ]; then\n  source /usr/local/cloudberry-db/greenplum_path.sh\nfi' >> /home/gpadmin/.bashrc
 
diff --git a/devops/sandbox/Dockerfile.main.rockylinux9 b/devops/sandbox/Dockerfile.main.rockylinux9
@@ -177,8 +177,8 @@ RUN groupadd -r gpadmin && \
     echo "gpadmin ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/gpadmin && \
     chmod 440 /etc/sudoers.d/gpadmin
 
-# Prepare SSH daemon: generate host keys and ensure runtime dir
-RUN ssh-keygen -A && mkdir -p /run/sshd
+# Prepare SSH daemon: generate host keys, ensure runtime dir, and allow gpadmin to start it
+RUN ssh-keygen -A && mkdir -p /run/sshd && chmod u+s /usr/sbin/sshd
 
 # Copy built Cloudberry from builder stage
 COPY --from=builder /usr/local/cloudberry-db /usr/local/cloudberry-db
@@ -201,7 +201,13 @@ RUN echo "cdw" > /tmp/gpdb-hosts && \
     chmod 755 /tmp/gpinitsystem_multinode && \
     chmod 755 /tmp/init_system.sh && \
     mkdir -p /data0/database/coordinator /data0/database/primary /data0/database/mirror && \
-    chown -R gpadmin:gpadmin /data0 && \
+    chown -R gpadmin:gpadmin \
+      /usr/local/cloudberry-db \
+      /tmp/gpinitsystem_singlenode \
+      /tmp/gpinitsystem_multinode \
+      /tmp/gpdb-hosts \
+      /tmp/multinode-gpinit-hosts \
+      /data0 && \
     echo "export COORDINATOR_DATA_DIRECTORY=/data0/database/coordinator/gpseg-1" >> /home/gpadmin/.bashrc && \
     echo -e '\n# Add Cloudberry entries\nif [ -f /usr/local/cloudberry-db/cloudberry-env.sh ]; then\n  source /usr/local/cloudberry-db/cloudberry-env.sh\nfi' >> /home/gpadmin/.bashrc
 
diff --git a/devops/sandbox/configs/init_system.sh b/devops/sandbox/configs/init_system.sh
@@ -29,11 +29,11 @@
 # SSH. This is useful for development and debugging purposes.
 # ----------------------------------------------------------------------
 
-# Ensure SSH directory exists
-sudo mkdir -p /run/sshd
+# Ensure SSH directory exists (created at build time; ignore errors if any)
+mkdir -p /run/sshd 2>/dev/null || true
 
-# Start SSH daemon (base image already handles most SSH setup)
-if ! sudo /usr/sbin/sshd; then
+# Start SSH daemon directly (binary is setuid-root in the image)
+if ! /usr/sbin/sshd; then
     echo "Failed to start SSH daemon" >&2
     exit 1
 fi
@@ -47,15 +47,7 @@ sleep 5
 # The /run/nologin file, if present, prevents users from logging into
 # the system. This file is removed to ensure that users can log in via SSH.
 # ----------------------------------------------------------------------
-sudo rm -rf /run/nologin
-
-# ## Set gpadmin ownership - Cloudberry install directory and supporting
-# ## cluster creation files.
-sudo chown -R gpadmin.gpadmin /usr/local/cloudberry-db \
-                              /tmp/gpinitsystem_singlenode \
-                              /tmp/gpinitsystem_multinode \
-                              /tmp/gpdb-hosts \
-                              /tmp/multinode-gpinit-hosts
+rm -f /run/nologin 2>/dev/null || true
 
 # ----------------------------------------------------------------------
 # Configure passwordless SSH access for 'gpadmin' user
@@ -127,12 +119,11 @@ elif [[ "${MULTINODE:-false}" == "true" && "$HOSTNAME" == "cdw" ]]; then
     done
 
     # Clean up any existing data directories to avoid conflicts
-    sudo rm -rf /data0/database/coordinator/* /data0/database/primary/* /data0/database/mirror/* 2>/dev/null || true
+    rm -rf /data0/database/coordinator/* /data0/database/primary/* /data0/database/mirror/* 2>/dev/null || true
 
     # Ensure database directories exist with proper permissions
-    sudo mkdir -p /data0/database/coordinator /data0/database/primary /data0/database/mirror
-    sudo chown -R gpadmin:gpadmin /data0/database
-    sudo chmod -R 700 /data0/database
+    mkdir -p /data0/database/coordinator /data0/database/primary /data0/database/mirror
+    chmod -R 700 /data0/database
 
     gpinitsystem -a \
                  -c /tmp/gpinitsystem_multinode \
