From 7f9f1a2fad80b3c01bb0fbba3c9bbc6d8ca43891 Mon Sep 17 00:00:00 2001
From: Clark Boylan
Date: Thu, 4 Nov 2021 16:45:19 -0700
Subject: [PATCH] Run matrix-gerritbot with gerritbot user
This updates matrix-gerritbot to run with the same user as gerritbot.
Change-Id: Id2a473db9354871aa48ac9fd851573843cbac1b5
---
.../roles/matrix-gerritbot/defaults/main.yaml | 2 ++
.../roles/matrix-gerritbot/tasks/main.yaml | 27 ++++++++++++++++++-
.../templates/docker-compose.yaml.j2 | 5 ++--
3 files changed, 31 insertions(+), 3 deletions(-)
diff --git a/playbooks/roles/matrix-gerritbot/defaults/main.yaml b/playbooks/roles/matrix-gerritbot/defaults/main.yaml
index b5dec3d032..c349425987 100644
--- a/playbooks/roles/matrix-gerritbot/defaults/main.yaml
+++ b/playbooks/roles/matrix-gerritbot/defaults/main.yaml
@@ -1,3 +1,5 @@
+gerritbot_gid: 11000
+gerritbot_uid: 11000
 gerritbot_matrix_version: 4aeeac8
 gerritbot_matrix_image: quay.io/software-factory/gerritbot-matrix:{{ gerritbot_matrix_version }}
 gerritbot_matrix_prometheus_port: 9001
diff --git a/playbooks/roles/matrix-gerritbot/tasks/main.yaml b/playbooks/roles/matrix-gerritbot/tasks/main.yaml
index f89ca95d9e..237a532ef6 100644
--- a/playbooks/roles/matrix-gerritbot/tasks/main.yaml
+++ b/playbooks/roles/matrix-gerritbot/tasks/main.yaml
@@ -1,7 +1,24 @@
+- name: Create gerritbot group
+ group:
+ name: "gerritbot"
+ gid: "{{ gerritbot_gid }}"
+ system: yes
+- name: Create gerritbot user
+ user:
+ name: "gerritbot"
+ group: "gerritbot"
+ uid: "{{ gerritbot_uid }}"
+ home: "/var/lib/gerritbot"
+ create_home: yes
+ shell: /bin/bash
+ system: yes
+
 - name: Ensure bot directories
 file:
 state: directory
 path: '/var/lib/matrix-gerritbot/{{ item }}'
+ owner: gerritbot
+ group: gerritbot
 mode: 0700
 loop:
 - config
@@ -11,6 +28,8 @@
 copy:
 src: gerritbot.yaml
 dest: /var/lib/matrix-gerritbot/config/gerritbot.yaml
+ owner: gerritbot
+ group: gerritbot
 register: _gerritbot_config
 - name: Lookup the configuration schema
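Review bot: The new `Create gerritbot group` and `Create gerritbot user` tasks use `system: yes` and `create_home: yes`; Ansible's own style and yamllint's truthy rule want canonical booleans, so write `system: true` and `create_home: true`. The account exists only so the container process and the on-disk state share a uid, yet it is created with `shell: /bin/bash`; unless the gerritbot role this mirrors depends on an interactive shell for that user, `shell: /usr/sbin/nologin` is the least-privilege choice for a service account. The 11000 uid/gid defaults are presumably copied from the gerritbot role so both bots own the same files, as the commit message says, but nothing ties the two together; a comment above the tasks, `# uid/gid must match the gerritbot role: both bots share file ownership`, would keep them from drifting apart silently.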
@@ -25,7 +44,7 @@
 vars:
 config: /var/lib/matrix-gerritbot/config
 yaml_to_dhall: >-
- docker run -i -v {{ config }}:{{ config }}
+ docker run --user {{ gerritbot_uid }}:{{ gerritbot_gid }} -i -v {{ config }}:{{ config }}
 --rm docker.io/dhallhaskell/dhall-yaml yaml-to-dhall
 schema: "List {{ _gerritbot_schema.stdout }}"
@@ -34,17 +53,23 @@
 content: "{{ gerritbot_ssh_key }}"
 dest: "/var/lib/matrix-gerritbot/ssh/id_{{ gerritbot_ssh_key_format }}"
 mode: 0400
+ owner: gerritbot
+ group: gerritbot
 no_log: true
 - name: Install gerritbot ssh key
 copy:
 content: "{{ gerritbot_ssh_pubkey }}"
 dest: "/var/lib/matrix-gerritbot/ssh/id_{{ gerritbot_ssh_key_format }}.pub"
+ owner: gerritbot
+ group: gerritbot
 - name: Install gerritbot known host
 copy:
 content: "{{ gerritbot_known_hosts }}"
 dest: "/var/lib/matrix-gerritbot/ssh/known_hosts"
+ owner: gerritbot
+ group: gerritbot
 - name: Ensure /etc/matrix-gerritbot-docker directory
 file:
diff --git a/playbooks/roles/matrix-gerritbot/templates/docker-compose.yaml.j2 b/playbooks/roles/matrix-gerritbot/templates/docker-compose.yaml.j2
index 0f0b1d97fa..9148c9d4ae 100644
--- a/playbooks/roles/matrix-gerritbot/templates/docker-compose.yaml.j2
+++ b/playbooks/roles/matrix-gerritbot/templates/docker-compose.yaml.j2
@@ -6,6 +6,7 @@ services:
 gerritbot-matrix:
 image: {{ gerritbot_matrix_image }}
 network_mode: host
+ user: "{{ gerritbot_uid }}:{{ gerritbot_gid }}"
 restart: always
 logging:
 driver: syslog
@@ -15,8 +16,8 @@ services:
 MATRIX_TOKEN: {{ gerritbot_matrix_access_token }}
 MATRIX_IDENTITY_TOKEN: {{ gerritbot_matrix_identity_token }}
 volumes:
- - /var/lib/matrix-gerritbot/config:/config
- - /var/lib/matrix-gerritbot/ssh:/root/.ssh
+ - /var/lib/matrix-gerritbot/config:/config:ro
+ - /var/lib/matrix-gerritbot/ssh:/root/.ssh:ro
 healthcheck:
 test: "gerritbot-matrix check {{ gerritbot_matrix_prometheus_port }}"
 retries: 6
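Review bot: Mounting the ssh material at `/root/.ssh` no longer matches the process identity: the added `user: "{{ gerritbot_uid }}:{{ gerritbot_gid }}"` runs the bot as an unprivileged numeric uid while the `volumes` hunk below still targets root's home. If the bot shells out to OpenSSH, that path is only consulted when HOME inside the container resolves to `/root`; with a numeric `user:` that has no passwd entry in the image, Docker typically sets HOME to `/` and the ssh client itself refuses to run with "No user exists for uid", so whether the key and `known_hosts` are still found depends on how the image and the bot locate them, which this diff does not show. Worth confirming with a live `gerritbot-matrix check` against Gerrit, or making the lookup explicit, e.g. `environment: HOME: /home/gerritbot` with the volume mounted at `/home/gerritbot/.ssh:ro`, or identity/known_hosts paths in the bot config. The `:ro` flags on both mounts are a good addition; together with `mode: 0400` on the private key and the `0700` directory, the key remains readable only by that uid.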