Adds support for running zuul-registry as a non-root user

Signed-off-by: Jack Morgan <jack@jento.io>
Change-Id: I89594affb04639b49b409a569036d6afac997251
This commit is contained in:
Jack Morgan 2022-03-01 17:28:31 -08:00
parent bb93b17c05
commit ded27cbb5d
3 changed files with 55 additions and 5 deletions


@ -1,3 +1,6 @@
# Note: creating separate userid/groupid from the zuul service user
registry_user: zuul registry_user: zuul
registry_service_user_id: 10001
registry_service_group_id: 10001
iptables_extra_public_tcp_ports: iptables_extra_public_tcp_ports:
- 5000 - 5000


@ -1,34 +1,80 @@
- name: Synchronize docker-compose directory - name: Create registry_service group
synchronize: group:
src: registry-docker/ name: "registry"
dest: /etc/registry-docker/ gid: "{{ registry_service_group_id }}"
system: yes
- name: Create registry_service user
user:
name: "registry"
group: "registry"
uid: "{{ registry_service_user_id }}"
home: "/var/registry"
system: yes
- name: Make docker-compose dir
file:
state: directory
path: /etc/registry-docker
owner: root
group: root
mode: 0755
- name: Write docker-compose.yaml
template:
src: docker-compose.yaml.j2
dest: /etc/registry-docker/docker-compose.yaml
owner: root
group: root
mode: 644
- name: Ensure directory permission
file:
state: directory
path: /var/registry/
owner: registry
group: registry
mode: 0755
- name: Ensure registry volume directories exists - name: Ensure registry volume directories exists
file: file:
state: directory state: directory
path: "/var/registry/{{ item }}" path: "/var/registry/{{ item }}"
owner: registry
group: registry
loop: loop:
- certs - certs
- conf - conf
- etc - etc
- name: Write clouds.yaml - name: Write clouds.yaml
template: template:
src: clouds.yaml.j2 src: clouds.yaml.j2
dest: /var/registry/etc/clouds.yaml dest: /var/registry/etc/clouds.yaml
owner: registry
group: registry
- name: Write registry config - name: Write registry config
template: template:
src: registry.yaml.j2 src: registry.yaml.j2
dest: /var/registry/conf/registry.yaml dest: /var/registry/conf/registry.yaml
owner: registry
group: registry
- name: Run docker-compose pull - name: Run docker-compose pull
shell: shell:
cmd: docker-compose pull cmd: docker-compose pull
chdir: /etc/registry-docker/ chdir: /etc/registry-docker/
- name: Run docker-compose up - name: Run docker-compose up
shell: shell:
cmd: docker-compose up -d cmd: docker-compose up -d
chdir: /etc/registry-docker/ chdir: /etc/registry-docker/
- name: Run docker prune to cleanup unneeded images - name: Run docker prune to cleanup unneeded images
shell: shell:
cmd: docker image prune -f cmd: docker image prune -f
# Temporarily disable to aid debug of mysteriously absent blobs # Temporarily disable to aid debug of mysteriously absent blobs
# -corvus 2019-10-09 # -corvus 2019-10-09
# - name: Install cron to garbage collect the registry daily # - name: Install cron to garbage collect the registry daily
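Review bot: `mode: 644` in the Write docker-compose.yaml task is an unquoted decimal integer, so Ansible applies decimal 644 (octal 1204) instead of rw-r--r--; it should be `mode: "0644"`, and the `mode: 0755` values in the Make docker-compose dir and Ensure directory permission tasks should be quoted the same way so they do not depend on YAML 1.1 octal parsing. The Write clouds.yaml and Write registry config tasks gain owner/group but set no mode, so a freshly rendered file takes the system umask default (commonly world-readable); clouds.yaml typically carries cloud credentials, and since the container now reads these files as the registry uid, `mode: "0600"` on both tasks keeps them private to that user without breaking the non-root setup. `system: yes` in the two account tasks should be written `system: true`. Indentation is not visible in this rendered view, so the task structure above is inferred.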


@ -5,8 +5,9 @@ version: '2'
services: services:
registry: registry:
restart: always restart: always
image: docker.io/zuul/zuul-registry
network_mode: host network_mode: host
image: docker.io/zuul/zuul-registry
user: "{{ registry_service_user_id }}:{{ registry_service_group_id }}"
volumes: volumes:
- /var/registry/certs:/certs - /var/registry/certs:/certs
- /var/registry/conf:/conf - /var/registry/conf:/conf
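Review bot: The new `user:` line carries no comment tying the uid:gid pair to the ownership of the bind-mounted /var/registry paths, and a mismatch only shows up as permission errors after the container starts; a comment such as `# Must match the owner of the /var/registry volumes below (set by the registry role's file tasks)` would make that dependency explicit. Running as a non-root user under `network_mode: host` also presumes the registry listens on a non-privileged port; the defaults file opens 5000, which is fine, but the listen address lives in the registry config outside this hunk, so that is inferred. The services block begins before the hunk and continues after it.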