From ded27cbb5da19a929e1fb60a7e8061158aec449d Mon Sep 17 00:00:00 2001
From: Jack Morgan
Date: Tue, 1 Mar 2022 17:28:31 -0800
Subject: [PATCH] Adds support for running zuul-registry as a non-root user

Signed-off-by: Jack Morgan
Change-Id: I89594affb04639b49b409a569036d6afac997251
---
 inventory/service/group_vars/registry.yaml | 3 ++
 playbooks/roles/registry/tasks/main.yaml | 54 +++++++++++++++++--
 .../docker-compose.yaml.j2} | 3 +-
 3 files changed, 55 insertions(+), 5 deletions(-)
 rename playbooks/roles/registry/{files/registry-docker/docker-compose.yaml => templates/docker-compose.yaml.j2} (82%)

diff --git a/inventory/service/group_vars/registry.yaml b/inventory/service/group_vars/registry.yaml
index 011126ba3a..a40a857cc9 100644
--- a/inventory/service/group_vars/registry.yaml
+++ b/inventory/service/group_vars/registry.yaml
@@ -1,3 +1,6 @@
+# Note: creating separate userid/groupid from the zuul service user
 registry_user: zuul
+registry_service_user_id: 10001
+registry_service_group_id: 10001
 iptables_extra_public_tcp_ports:
 - 5000
diff --git a/playbooks/roles/registry/tasks/main.yaml b/playbooks/roles/registry/tasks/main.yaml
index dc3b68b332..11b6f2ec53 100644
--- a/playbooks/roles/registry/tasks/main.yaml
+++ b/playbooks/roles/registry/tasks/main.yaml
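Review bot: The added `# Note:` comment sits above `registry_user: zuul`, a line it does not describe, while the two ids it explains are inserted two lines lower; a reader skimming the file will attach the note to the wrong variable. Move it directly above `registry_service_user_id` and say what the ids are for, e.g. `# uid/gid the registry container runs as; kept distinct from the zuul service user and must match the owner of /var/registry`. Both ids are pinned to 10001, and the `user`/`group` tasks that consume them will presumably refuse to run on a host where that id is already allocated, which is worth stating in the same comment if that is the accepted trade-off.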
@@ -1,34 +1,80 @@
-- name: Synchronize docker-compose directory
- synchronize:
- src: registry-docker/
- dest: /etc/registry-docker/
+- name: Create registry_service group
+ group:
+ name: "registry"
+ gid: "{{ registry_service_group_id }}"
+ system: yes
+
+- name: Create registry_service user
+ user:
+ name: "registry"
+ group: "registry"
+ uid: "{{ registry_service_user_id }}"
+ home: "/var/registry"
+ system: yes
+
+- name: Make docker-compose dir
+ file:
+ state: directory
+ path: /etc/registry-docker
+ owner: root
+ group: root
+ mode: 0755
+
+- name: Write docker-compose.yaml
+ template:
+ src: docker-compose.yaml.j2
+ dest: /etc/registry-docker/docker-compose.yaml
+ owner: root
+ group: root
+ mode: 644
+
+- name: Ensure directory permission
+ file:
+ state: directory
+ path: /var/registry/
+ owner: registry
+ group: registry
+ mode: 0755
+
 - name: Ensure registry volume directories exists
 file:
 state: directory
 path: "/var/registry/{{ item }}"
+ owner: registry
+ group: registry
 loop:
 - certs
 - conf
 - etc
+
 - name: Write clouds.yaml
 template:
 src: clouds.yaml.j2
 dest: /var/registry/etc/clouds.yaml
+ owner: registry
+ group: registry
+
 - name: Write registry config
 template:
 src: registry.yaml.j2
 dest: /var/registry/conf/registry.yaml
+ owner: registry
+ group: registry
+
 - name: Run docker-compose pull
 shell:
 cmd: docker-compose pull
 chdir: /etc/registry-docker/
+
 - name: Run docker-compose up
 shell:
 cmd: docker-compose up -d
 chdir: /etc/registry-docker/
+
 - name: Run docker prune to cleanup unneeded images
 shell:
 cmd: docker image prune -f
+
 # Temporarily disable to aid debug of mysteriously absent blobs
 # -corvus 2019-10-09
 # - name: Install cron to garbage collect the registry daily
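Review bot: `mode: 644` in the new "Write docker-compose.yaml" task is a plain YAML integer with no leading zero, so Ansible receives decimal 644 (octal 1204) rather than 0644 and the file ends up with permission bits nobody intended; write it as `mode: "0644"`. The two `mode: 0755` values in the "Make docker-compose dir" and "Ensure directory permission" tasks only come out right because a YAML 1.1 parser reads the leading-zero literal as octal, and quoting them as `"0755"` makes that explicit and survives a 1.2 parser. `system: yes` on the group and user tasks would be `true` under the project's truthy convention. The `certs`/`conf`/`etc` volume directories now get an owner but no `mode`, so they keep whatever the pre-existing directory or the umask gave them; if `certs` holds private key material a restrictive mode on that item (e.g. `"0750"`) would keep it from other local users — confirm against what the registry actually writes there.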
diff --git a/playbooks/roles/registry/files/registry-docker/docker-compose.yaml b/playbooks/roles/registry/templates/docker-compose.yaml.j2
similarity index 82%
rename from playbooks/roles/registry/files/registry-docker/docker-compose.yaml
rename to playbooks/roles/registry/templates/docker-compose.yaml.j2
index 0204c59eb1..e99d094e3c 100644
--- a/playbooks/roles/registry/files/registry-docker/docker-compose.yaml
+++ b/playbooks/roles/registry/templates/docker-compose.yaml.j2
@@ -5,8 +5,9 @@ version: '2'
 services:
 registry:
 restart: always
- image: docker.io/zuul/zuul-registry
 network_mode: host
+ image: docker.io/zuul/zuul-registry
+ user: "{{ registry_service_user_id }}:{{ registry_service_group_id }}"
 volumes:
 - /var/registry/certs:/certs
 - /var/registry/conf:/conf
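Review bot: The new `user:` line gives no reason for pinning the container to numeric ids, nor that those ids must match the owner of the bind-mounted `/var/registry` directories set up in the tasks file; a comment above it such as `# run as the registry uid/gid from group_vars so the /var/registry bind mounts stay accessible without root` would spare the next reader a trip to the role. Numeric ids are presumably needed because the `registry` account exists on the host but not in the image, which is also worth saying in that comment. Moving `image:` below `network_mode:` is unrelated churn that enlarges an otherwise one-line change to a renamed file; keeping `image:` where it was and adding only `user:` would make the hunk minimal.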