From c8b8c580ae58189ab433124edbe27097433febbd Mon Sep 17 00:00:00 2001 From: Daniel Pawlik Date: Mon, 21 Feb 2022 14:42:46 +0100 Subject: [PATCH] Change service directory permission; change python3 to python38 User inside the container images for logscraper and loggearman is setting lowest value that is set in the system which is 1000. This uid and gid is provided for other user and the services should be running with different uids/gids. In that case, the logscraper service gid/uid is 10210 and loggearman gid/uid is set to 10211. Change-Id: Ida0e2ceaf341fb7cbea18f3eaf161daa836e8ea7 --- Dockerfile | 10 +++++----- ansible/playbooks/check-services.yml | 6 ++++++ ansible/roles/loggearman/defaults/main.yml | 2 ++ ansible/roles/loggearman/tasks/main.yml | 8 +++++++- ansible/roles/loggearman/templates/loggearman.sh.j2 | 5 ++++- ansible/roles/logscraper/defaults/main.yml | 2 ++ ansible/roles/logscraper/tasks/main.yml | 3 +++ ansible/roles/logscraper/tasks/service.yml | 8 ++++++++ ansible/roles/logscraper/templates/logscraper.sh.j2 | 3 +++ loggearman/Dockerfile | 10 +++++----- 10 files changed, 45 insertions(+), 12 deletions(-) diff --git a/Dockerfile b/Dockerfile index 666149e..85dc0b3 100644 --- a/Dockerfile +++ b/Dockerfile @@ -17,13 +17,13 @@ FROM quay.io/centos/centos:stream8 ENV PATH=/workspace/.local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin -RUN groupadd logscraper && \ - useradd --home-dir /home/logscraper -g logscraper logscraper +RUN groupadd logscraper --gid 1000 && \ + useradd --home-dir /home/logscraper --gid 1000 --uid 1000 logscraper RUN dnf update -y && \ - dnf install -y python3 python3-setuptools \ - python3-devel python3-wheel \ - python3-pip git + dnf install -y python38 python38-setuptools \ + python38-devel python38-wheel \ + python38-pip git COPY . /tmp/src RUN cd /tmp/src && \ diff --git a/ansible/playbooks/check-services.yml b/ansible/playbooks/check-services.yml index 2565ab9..dbf5eb8 100644 
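Review bot: The rewritten `groupadd logscraper --gid 1000` / `useradd ... --gid 1000 --uid 1000` hard-codes the in-container uid that `ansible/roles/logscraper/templates/logscraper.sh.j2` also hard-codes in `--user 1000:1000` and `--uidmap 1000:{{ logscraper_uid }}:1`, with nothing tying the two together, so a change on either side silently breaks the mapping to the host service account. Consider `ARG LOGSCRAPER_UID=1000` above the RUN, `--gid "${LOGSCRAPER_UID}" --uid "${LOGSCRAPER_UID}"` in both commands, and a comment such as `# must match --user/--uidmap in ansible/roles/logscraper/templates/logscraper.sh.j2`; the `loggearman/Dockerfile` hunk and `loggearman.sh.j2` have the same coupling. The `python38*` packages in the rewritten `dnf install` line are unpinned, so two builds of the same commit are not guaranteed to produce the same image. The `RUN cd /tmp/src && \` instruction continues past the end of the hunk.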
--- a/ansible/playbooks/check-services.yml +++ b/ansible/playbooks/check-services.yml @@ -22,5 +22,11 @@ - https://zuul.opendev.org/api/tenant/openstack insecure: false job_names: [] + pre_tasks: + - name: Update all packages + become: true + package: + name: "*" + state: latest roles: - check-services diff --git a/ansible/roles/loggearman/defaults/main.yml b/ansible/roles/loggearman/defaults/main.yml index cd53d66..d9e942f 100644 --- a/ansible/roles/loggearman/defaults/main.yml +++ b/ansible/roles/loggearman/defaults/main.yml @@ -1,6 +1,8 @@ --- loggearman_user: loggearman loggearman_group: loggearman +loggearman_gid: 10211 +loggearman_uid: 10211 loggearman_dir: /etc/loggearman loggearman_log_dir: /var/log/loggearman diff --git a/ansible/roles/loggearman/tasks/main.yml b/ansible/roles/loggearman/tasks/main.yml index 68e982c..6a227ac 100644 --- a/ansible/roles/loggearman/tasks/main.yml +++ b/ansible/roles/loggearman/tasks/main.yml @@ -2,6 +2,7 @@ - name: Create decidated group group: name: "{{ loggearman_group }}" + gid: "{{ loggearman_gid }}" state: present - name: Create dedicated user @@ -10,6 +11,7 @@ state: present comment: "Dedicated user for loggearman" group: "{{ loggearman_group }}" + uid: "{{ loggearman_uid }}" shell: "/sbin/nologin" create_home: false @@ -19,6 +21,7 @@ state: directory owner: "{{ loggearman_user }}" group: "{{ loggearman_group }}" + mode: "0755" loop: - "{{ loggearman_dir }}" - "{{ loggearman_log_dir }}" @@ -29,7 +32,7 @@ state: touch owner: "{{ loggearman_user }}" group: "{{ loggearman_group }}" - mode: "0666" + mode: "0644" loop: - client - worker @@ -43,6 +46,9 @@ template: src: "{{ item }}.yml.j2" dest: "{{ loggearman_dir }}/{{ item }}.yml" + owner: "{{ loggearman_user }}" + group: "{{ loggearman_group }}" + mode: "0644" loop: - client - worker diff --git a/ansible/roles/loggearman/templates/loggearman.sh.j2 b/ansible/roles/loggearman/templates/loggearman.sh.j2 index dad55ac..e29c25e 100644 
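Review bot: The added `pre_tasks` upgrades every package on the host (`name: "*"`, `state: latest`) with `become: true` on each run of check-services.yml, which is unrelated to the uid/gid change in the subject and turns a check playbook into one that mutates the host non-deterministically. If the upgrade is wanted, gate it behind a variable, e.g. `when: check_services_update_packages | default(false) | bool` (name proposed here), and give the task a name that says it upgrades the host, or move it into its own change so it can be reviewed and reverted independently.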
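Review bot: The template task now writes `client.yml`/`worker.yml` under `{{ loggearman_dir }}` with `mode: "0644"`, i.e. world-readable, inside a `0755` directory; only the service user (reached through the container uid map) needs to read them, so `mode: "0640"` with `group: "{{ loggearman_group }}"` would be the least-privilege choice, especially if these configs ever carry connection details or credentials — their contents are not visible from this hunk. The `0666` → `0644` change on the touched client/worker files is an improvement in the same direction. The `owner:`/`group:` values rely on `loggearman_gid`/`loggearman_uid` being created by the earlier tasks in this file, which the first two hunks do.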
--- a/ansible/roles/loggearman/templates/loggearman.sh.j2 +++ b/ansible/roles/loggearman/templates/loggearman.sh.j2 @@ -4,8 +4,11 @@ /usr/bin/podman run \ --network host \ --rm \ + --user 1000:1000 \ + --uidmap 0:{{ loggearman_uid + 1 }}:999 \ + --uidmap 1000:{{ loggearman_uid }}:1 \ --name loggearman-{{ item }} \ - --volume {{ loggearman_dir }}:{{ loggearman_dir }}:Z \ + --volume {{ loggearman_dir }}:{{ loggearman_dir }}:z \ --volume {{ loggearman_log_dir }}:{{ loggearman_log_dir }}:z \ {{ container_images['loggearman'] }} \ log-gearman-{{ item }} \ diff --git a/ansible/roles/logscraper/defaults/main.yml b/ansible/roles/logscraper/defaults/main.yml index 4236271..7a34351 100644 --- a/ansible/roles/logscraper/defaults/main.yml +++ b/ansible/roles/logscraper/defaults/main.yml @@ -1,6 +1,8 @@ --- logscraper_user: logscraper logscraper_group: logscraper +logscraper_gid: 10210 +logscraper_uid: 10210 logscraper_dir: /etc/logscraper container_images: diff --git a/ansible/roles/logscraper/tasks/main.yml b/ansible/roles/logscraper/tasks/main.yml index b77ee7f..b1795db 100644 --- a/ansible/roles/logscraper/tasks/main.yml +++ b/ansible/roles/logscraper/tasks/main.yml @@ -2,6 +2,7 @@ - name: Create dedicated group group: name: "{{ logscraper_group }}" + gid: "{{ logscraper_gid }}" state: present - name: Create dedicated user @@ -10,6 +11,7 @@ state: present comment: "Dedicated user for logscraper" group: "{{ logscraper_group }}" + uid: "{{ logscraper_uid }}" shell: "/sbin/nologin" create_home: false @@ -19,6 +21,7 @@ state: directory owner: "{{ logscraper_user }}" group: "{{ logscraper_group }}" + mode: "0755" - name: Ensure container software is installed package: diff --git a/ansible/roles/logscraper/tasks/service.yml b/ansible/roles/logscraper/tasks/service.yml index 75a186b..03a2528 100644 --- a/ansible/roles/logscraper/tasks/service.yml +++ b/ansible/roles/logscraper/tasks/service.yml 
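Review bot: The root range `--uidmap 0:{{ loggearman_uid + 1 }}:999` here and `--uidmap 0:{{ logscraper_uid + 1 }}:999` in `logscraper.sh.j2` overlap with each other and with the other service's account: with the defaults 10210/10211, container uid 0 of logscraper lands on host uid 10211, which is `loggearman_uid`, and host uids 10212–11209 are shared by both containers. A process running as root inside one container therefore holds the host identity of the other service and can read or write its `0755`/`0644` directories and files, which defeats the separation the commit sets out to create. Allocate the root ranges from dedicated, non-overlapping variables that stay clear of both service uids, e.g. `loggearman_subuid_start` / `logscraper_subuid_start` (names proposed here, not yet in the defaults) with `--uidmap 0:{{ loggearman_subuid_start }}:999 \`, and keep only the `--uidmap 1000:{{ loggearman_uid }}:1` entry pointing at the service account. The `:Z` → `:z` switch on `{{ loggearman_dir }}` looks right, since the client and worker containers share that directory.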
@@ -13,6 +13,14 @@ owner: root group: root +- name: Set empty logscraper checkpoint file + file: + path: "{{ item.checkpoint_file | default(logscraper_dir + '/checkpoint') }}" + state: touch + owner: "{{ logscraper_user }}" + group: "{{ logscraper_group }}" + mode: "0644" + - name: Enable and restart service service: name: logscraper-{{ item.tenant }} diff --git a/ansible/roles/logscraper/templates/logscraper.sh.j2 b/ansible/roles/logscraper/templates/logscraper.sh.j2 index 07184cc..f416504 100644 --- a/ansible/roles/logscraper/templates/logscraper.sh.j2 +++ b/ansible/roles/logscraper/templates/logscraper.sh.j2 @@ -3,6 +3,9 @@ /usr/bin/podman run \ --network host \ --rm \ + --user 1000:1000 \ + --uidmap 0:{{ logscraper_uid + 1 }}:999 \ + --uidmap 1000:{{ logscraper_uid }}:1 \ --name logscraper-{{ item.tenant }} \ --volume {{ logscraper_dir }}:{{ logscraper_dir }}:z \ {{ container_images['logscraper'] }} \ diff --git a/loggearman/Dockerfile b/loggearman/Dockerfile index 94d7e52..e4557b8 100644 --- a/loggearman/Dockerfile +++ b/loggearman/Dockerfile @@ -18,13 +18,13 @@ FROM quay.io/centos/centos:stream8 ENV OSLO_PACKAGE_VERSION='0.0.1' ENV PATH=~/.local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin -RUN groupadd loggearman && \ - useradd --home-dir /home/loggearman -g loggearman loggearman +RUN groupadd --gid 1000 loggearman && \ + useradd --home-dir /home/loggearman --gid 1000 --uid 1000 loggearman RUN dnf update -y && \ - dnf install -y python3 python3-setuptools \ - python3-devel python3-wheel \ - python3-pip git + dnf install -y python38 python38-setuptools \ + python38-devel python38-wheel \ + python38-pip git COPY . /tmp/src RUN cd /tmp/src && \
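Review bot: The new `Set empty logscraper checkpoint file` task uses `state: touch` without `modification_time: preserve` and `access_time: preserve`, so it rewrites the timestamps and reports `changed` on every run instead of only when the file is created; add those two keys to make the task idempotent. The default path `logscraper_dir + '/checkpoint'` sits inside the only directory `logscraper.sh.j2` bind-mounts, but a `checkpoint_file` set anywhere else would be created on the host and not be visible to the container unless the template mounts it too — worth a comment on the task, e.g. `# must live under logscraper_dir, the only path mounted into the container`.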
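Review bot: The template derives both mappings from `logscraper_uid` and never references the new `logscraper_gid`, so without an explicit `--gidmap` the group ownership inside the container depends on podman mirroring the UID map to GIDs (the versions I know do, but it is implicit), and `logscraper_gid` only lines up because it numerically equals `logscraper_uid` in the defaults. Make the group mapping explicit and driven by its own variable: `--gidmap 0:{{ logscraper_gid + 1 }}:999 \` and `--gidmap 1000:{{ logscraper_gid }}:1 \` next to the uid lines, so `--user 1000:1000` resolves to `logscraper_user:logscraper_group` on the host by construction. The map also leaves container uid 999 unmapped (the ranges cover 0–998 and 1000), which shows up as the overflow uid (`nobody`) for anything in the image owned by that uid — a short comment above the map stating the intended layout would help the next reader. `loggearman.sh.j2` has the same gap and the same unused `loggearman_gid`.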