AixPb: Put /usr/bin to the front of the PATH

[Haroon-Khel]

Following on from a discussion with @sxa in slack, /usr/bin should be at the beginning of the PATH variable, ahead of /opt/freeware/bin

[Haroon-Khel]

ping @aixtools

[aixtools]

Perhaps a typo - missing '/' in string PATH=usr/bin:...

Also, why not use something like the PATH: statement on line 11:

   +10    environment:
  +11      PATH: "/opt/IBM/xlC/13.1.3/bin:/opt/freeware/bin:{{ ansible_env.PATH }}"

And, I wonder if it should not ALSO be changed on line 11?

[Haroon-Khel]

I searched through the aix playbook. I dont think that PATH environment variable is used at all. Will need to make a more thorough search

[Haroon-Khel]

Before merging, I will have to test a build and test with this new PATH variable

[Haroon-Khel]

jdk11 hotspot build on test-ibm-aix71-ppc64-1 with the new PATH variable to test
https://ci.adoptopenjdk.net/job/build-scripts/job/jobs/job/jdk11u/job/jdk11u-aix-ppc64-hotspot/890/console

[Haroon-Khel]

jdk11 hotspot build on test-ibm-aix71-ppc64-1 with the new PATH variable to test
https://ci.adoptopenjdk.net/job/build-scripts/job/jobs/job/jdk11u/job/jdk11u-aix-ppc64-hotspot/890/console

That passed. Running a jdk11 openjdk sanity test
https://ci.adoptopenjdk.net/job/Grinder/7960/console

[Haroon-Khel]

That too passed. A nightly openj9 jdk8 job is running on the machine. Just for safe measure it can be used as a final indicator as to whether this new PATH variable breaks anything
https://ci.adoptopenjdk.net/job/build-scripts/job/jobs/job/jdk8u/job/jdk8u-aix-ppc64-openj9/999/consoleFull

[Haroon-Khel]

The above job passed. Ping @sxa for review

[aixtools]

While this works - have you tested it to be sure it works a second time?
i.e., when PATH=/usr/bin:/opt/IBM/xlC/13.1.3/bin:/opt/freeware/bin/:...

does not regexp to:

PATH=/usr/bin:/opt/IBM/xlC/13.1.3/bin:/opt/freeware/bin/:/opt/IBM/xlC/13.1.3/bin:/opt/freeware/bin/:...

How about including /etc in the regexp but replacing it - in a way that the regexp will not match a second time around?

[Haroon-Khel]

@aixtools Youre right it does.

The /etc idea is good, but the question is will all new machines have a /usr/bin:/etc block in their PATH?

I was thinking the updated PATH could start with /opt/IBM/xlC/13.1.3/bin:/usr/bin:/opt/freeware/bin instead? That would make the change idempotent as there wouldnt be a PATH=/usr/bin to for ansible to find

[aixtools]

I can look at few more systems for a default. If needed - in the future this could use an with: items: on the regexp. For now, =/usr/bin:/etc:... seems to have been default PATH for many levels.

…

On 24/03/2021 14:51, Haroon Khel wrote: @aixtools <https://github.com/aixtools> Youre right it does. The |/etc| idea is good, but the question is will all new machines have a |/usr/bin:/etc| block in their PATH? I was thinking the new PATH could be |/opt/IBM/xlC/13.1.3/bin:/usr/bin:/opt/freeware/bin|? That would make the change idempotent as there wouldnt be a |PATH=/usr/bin| to for ansible to find — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#2057 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ACSZR5J3A4MVIPS25XO25OLTFHU43ANCNFSM4ZORVH4Q>.

[Haroon-Khel]

That works. This regexp is now idempotent

[sxa]

Can we ensure that this does not run if the adoptopenjdk tag is skipped - we shouldn't be modfiying system defaults like this if someone else is running them and skipping the adoptopenjdk ones, especially since it could remove things that they already have in there.

[Haroon-Khel]

@sxa Just that task? Or the other login_shell tagged tasks too?

    - name: Add bash to available login shells
      replace:
        path: /etc/security/login.cfg
        regexp: 'shells = '
        replace: 'shells = /bin/bash,'
      tags: login_shell

    - name: Add bash to available login shells
      blockinfile:
        dest: /etc/shells
        block: |
          /bin/bash
      tags: login_shell

    # move to role later
    - name: Set variables for global environment
      blockinfile:
        dest: /etc/environment
        block: |
          AIXTHREAD_HRT=true
          PKG_CONFIG_PATH=/opt/freeware/lib64/pkgconfig:/opt/freeware/lib/pkgconfig
          PERL5LIB=/opt/freemarker/lib/perl5
      tags: login_shell

[sxa]

Can we ensure that this does not run if the adoptopenjdk tag is skipped - we shouldn't be modfiying system defaults like this if someone else is running them and skipping the adoptopenjdk ones, especially since it could remove things that they already have in there.

Most of those are additions rather than potentially breaking things, so while it's not as critical, I'd say that yes they should all have it, although I'm not sure why we need to add bash to the list. It shouldn't be critical for jenkins to work.

[aixtools]

Couple of things:

• Considering /bin/bash is a symbolic link outside of / I do not consider it a fantastic argument for a shell (for AIX admin accounts - /bin/sh and /bin/ksh used to be as login shells AND the AIX install makes sure 'shells' are installed as binary programs - not links - these may be in the default shells - BETTER - would be (even as a symbolic link) as more inline with AIX user administration to have the bash shell be /usr/bin/bash.
• Also, the regexp used to add bash as a shell leaves it open for recursive addition
• Suggestion: replace regexp with 'shells = /bin' and the new string to be 'shells = /usr/bin/bash,/usr'

[aixtools]

• replace /bin/bash with /usr/bin/bash

[aixtools]

Urgh - my two - now comments - are meant as request changes - so this comment is actually two requests for change

[Haroon-Khel]

@aixtools instead of a regexp, why not something like

chsec -f /etc/security/login.cfg -s usw -a shells=/usr/bin/bash ?

On ojdk06, the shells in /etc/security/login.cfg in the usw stanza are

/usr/bin/ksh,/usr/bin/ksh93,/usr/bin/rksh,/usr/bin/rksh93,/bin/false

So how about something tidier like

chsec -f /etc/security/login.cfg -s usw -a shells=/usr/bin/bash,/usr/bin/ksh ?

Would that suffice? This command is also idempotent

[aixtools]

• That the shells include /bin/false is part of my standard hardening (and I have already shortened the default list of shells)
• Using command: chsec seems like a good idea - but to be completely idempotent still use something to check if bash is already among the shells (e.g, not the first one).
• Deleting shells is not a major issue (it mainly affects chsh iirc, but please leave /bin/false as a security measure (to block accounts that are not meant to have a shell from ever getting a shell, even via su).

[Haroon-Khel]

@aixtools regarding your idempotency comment, would it not be more consistent for all new systems to simply have /usr/bin/bash,/usr/bin/ksh,/bin/false in their shells line?

Also, would changing this list of shells affect the way jenkins behaves on the machine?

[aixtools]

@aixtools regarding your idempotency comment, would it not be more consistent for all new systems to simply have /usr/bin/bash,/usr/bin/ksh,/bin/false in their shells line?

Also, would changing this list of shells affect the way jenkins behaves on the machine?

• No, won't change anything for existing accounts. It changes the behavior of mkuser, chuser, and chsh - all from memory.
• I am fine with only three shells in the setting - and the regexp can be to test for that string, and change it if it is different. Should something additional ever be needed - there will be an issue and a PR to fix it. I don't expect anything. Although - would be nice to leave ksh93. :)

[aixtools]

Can we ensure that this does not run if the adoptopenjdk tag is skipped - we shouldn't be modfiying system defaults like this if someone else is running them and skipping the adoptopenjdk ones, especially since it could remove things that they already have in there.

Most of those are additions rather than potentially breaking things, so while it's not as critical, I'd say that yes they should all have it, although I'm not sure why we need to add bash to the list. It shouldn't be critical for jenkins to work.

FYI: jenkins userid does not need bash as shell. iirc - gmake is calling bash directly.

[aixtools]

Fixes: #1544

[sxa]

FYI: jenkins userid does not need bash as shell. iirc - gmake is calling bash directly.
Correct - in fact the playbooks create the jenkins user with /usr/bin/ksh as the shell so ... to be honest I don't know why we even make that change - presumably somewhere in the past liked creating other user IDs with bash as the shell ;-)

[sxa]

For reference, the existing /etc/security/login.cfg on aix72-2 (ojdk04) looks like this:
shells = /bin/bash,/bin/bash,/bin/bash,/bin/bash,/bin/bash,/bin/bash,/bin/bash,/bin/bash,/bin/sh,/bin/bsh,/bin/csh,/bin/ksh,/bin/tsh,/bin/ksh93,/usr/bin/sh,/usr/bin/bsh,/usr/bin/csh,/usr/bin/ksh,/usr/bin/tsh,/usr/bin/ksh93,/usr/bin/rksh,/usr/bin/rksh93,/usr/sbin/uucp/uucico,/usr/sbin/sliplogin,/usr/sbin/snappd
And the chsec command will wipe most of those out, which seems somewat undersirable. I feel this role needs to just add entries, not change the ones already on the system.

However I'm not sure what the relationship between these entries and /etc/shells is - @aixtools do you know?

[aixtools]

@sxa - not sure why or when /etc/shells showed up in AIX.

• it exists in AIX 5.3 (so as early as 2004)
• it may have come with AIX 5.1 as part of Linux affinity (since Linux chsh uses /etc/shells the same way AIX chsh uses shells attribute of stanza usw in /etc/login.cfg.
• As far as I know the shells attribute is the only bit that affects chsh, and perhaps [mk|ch]user commands.

[Haroon-Khel]

Closing due to pr not passing eclipse auth check. Reopened at #2288