Adds support for running zuul-registry as a non-root user

Signed-off-by: Jack Morgan <jack@jento.io> Change-Id: I89594affb04639b49b409a569036d6afac997251
2022-03-01 17:28:31 -08:00 · 2022-03-01 17:28:31 -08:00 · ded27cbb5d
commit ded27cbb5d
parent bb93b17c05
3 changed files with 55 additions and 5 deletions
--- a/inventory/service/group_vars/registry.yaml
+++ b/inventory/service/group_vars/registry.yaml
@ -1,3 +1,6 @@
+# Note: creating separate userid/groupid from the zuul service user
 registry_user: zuul
+registry_service_user_id: 10001
+registry_service_group_id: 10001
 iptables_extra_public_tcp_ports:
  - 5000
--- a/playbooks/roles/registry/tasks/main.yaml
+++ b/playbooks/roles/registry/tasks/main.yaml
@ -1,34 +1,80 @@
- name: Synchronize docker-compose directory
-  synchronize:
-    src: registry-docker/
-    dest: /etc/registry-docker/
+- name: Create registry_service group
+  group:
+    name: "registry"
+    gid: "{{ registry_service_group_id }}"
+    system: yes
+
+- name: Create registry_service user
+  user:
+    name: "registry"
+    group: "registry"
+    uid: "{{ registry_service_user_id }}"
+    home: "/var/registry"
+    system: yes
+
+- name: Make docker-compose dir
+  file:
+    state: directory
+    path: /etc/registry-docker
+    owner: root
+    group: root
+    mode: 0755
+
+- name: Write docker-compose.yaml
+  template:
+    src: docker-compose.yaml.j2
+    dest: /etc/registry-docker/docker-compose.yaml
+    owner: root
+    group: root
+    mode: 644
+
+- name: Ensure directory permission
+  file:
+    state: directory
+    path: /var/registry/
+    owner: registry
+    group: registry
+    mode: 0755
+
 - name: Ensure registry volume directories exists
  file:
    state: directory
    path: "/var/registry/{{ item }}"
+    owner: registry
+    group: registry
  loop:
    - certs
    - conf
    - etc
+
 - name: Write clouds.yaml
  template:
    src: clouds.yaml.j2
    dest: /var/registry/etc/clouds.yaml
+    owner: registry
+    group: registry
+
 - name: Write registry config
  template:
    src: registry.yaml.j2
    dest: /var/registry/conf/registry.yaml
+    owner: registry
+    group: registry
+
 - name: Run docker-compose pull
  shell:
    cmd: docker-compose pull
    chdir: /etc/registry-docker/
+
 - name: Run docker-compose up
  shell:
    cmd: docker-compose up -d
    chdir: /etc/registry-docker/
+
 - name: Run docker prune to cleanup unneeded images
  shell:
    cmd: docker image prune -f
+
 # Temporarily disable to aid debug of mysteriously absent blobs
 # -corvus 2019-10-09
 # - name: Install cron to garbage collect the registry daily
--- a/playbooks/roles/registry/files/registry-docker/docker-compose.yaml
+++ b/playbooks/roles/registry/files/registry-docker/docker-compose.yaml
@ -5,8 +5,9 @@ version: '2'
 services:
  registry:
    restart: always
-    image: docker.io/zuul/zuul-registry
    network_mode: host
+    image: docker.io/zuul/zuul-registry
+    user: "{{ registry_service_user_id }}:{{ registry_service_group_id }}"
    volumes:
      - /var/registry/certs:/certs
      - /var/registry/conf:/conf