From 856866fdde6fd1e1217a65edf07665665090df7c Mon Sep 17 00:00:00 2001 From: Sorin Sbarnea Date: Thu, 27 Aug 2020 18:41:21 +0100 Subject: [PATCH] More E208 mode fixes Change-Id: I8157ec1f31b8c5a064b63002e8311b91ef9ce9ab See: https://ansible-lint.readthedocs.io/en/latest/default_rules.html#file-permissions-not-mentioned --- roles/build-docker-image/tasks/setup-buildx.yaml | 1 + roles/git-prepare-nodecache/tasks/main.yaml | 1 + roles/use-buildset-registry/tasks/main.yaml | 5 +++++ roles/use-buildset-registry/tasks/user-config.yaml | 1 + roles/use-docker-mirror/tasks/mirror.yaml | 1 + util-tasks/run-docker-registry.yaml | 2 ++ 6 files changed, 11 insertions(+) diff --git a/roles/build-docker-image/tasks/setup-buildx.yaml b/roles/build-docker-image/tasks/setup-buildx.yaml index 51720a4c9..0b80c4bfe 100644 --- a/roles/build-docker-image/tasks/setup-buildx.yaml +++ b/roles/build-docker-image/tasks/setup-buildx.yaml @@ -28,6 +28,7 @@ copy: content: "{{ buildset_registry.cert }}" dest: "{{ buildkit_cert_tmp.path }}" + mode: preserve when: buildset_registry is defined and buildset_registry.cert - name: Copy buildset registry TLS cert into worker container diff --git a/roles/git-prepare-nodecache/tasks/main.yaml b/roles/git-prepare-nodecache/tasks/main.yaml index 0f69804c2..224c3ce3c 100644 --- a/roles/git-prepare-nodecache/tasks/main.yaml +++ b/roles/git-prepare-nodecache/tasks/main.yaml @@ -2,6 +2,7 @@ file: path: "{{ git_cache_root }}/{{ zj_project.canonical_name | dirname }}" state: directory + mode: 0775 with_items: "{{ zuul.projects.values() | list }}" loop_control: loop_var: zj_project diff --git a/roles/use-buildset-registry/tasks/main.yaml b/roles/use-buildset-registry/tasks/main.yaml index 6c4bc0e50..13c902bc9 100644 --- a/roles/use-buildset-registry/tasks/main.yaml +++ b/roles/use-buildset-registry/tasks/main.yaml 
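Review bot: `mode: preserve` in the setup-buildx.yaml hunk is attached to a `copy` task that uses `content:` rather than `src:`, so there is no source file whose permissions could be preserved. The resulting mode of `{{ buildkit_cert_tmp.path }}` is therefore not stated by the task and probably depends on how Ansible stages the content. An explicit value states the intent, for example `mode: "0644"`, since this appears to be a CA certificate that is later copied into the worker container. The task begins above the hunk, so any owner or `become` settings are not visible here.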
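Review bot: The unquoted `mode: 0775` in the git-prepare-nodecache hunk only works because the YAML parser reads a leading-zero integer as octal. Quoting it as `mode: "0775"` removes that dependency on parser behaviour and guards against a later edit dropping the zero and silently producing a different permission set. The same applies to every numeric mode added in use-buildset-registry/tasks/main.yaml, user-config.yaml, use-docker-mirror/tasks/mirror.yaml and util-tasks/run-docker-registry.yaml. Separately, 0775 makes each cache directory group-writable; if nothing in the owning group needs to write there, `"0755"` would be the tighter choice.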
@@ -34,11 +34,13 @@ file: state: directory path: /etc/docker + mode: 0755 - name: Write buildset registry TLS certificate become: true copy: content: "{{ buildset_registry.cert }}" dest: "{{ ca_dir }}/{{ buildset_registry_alias }}.crt" + mode: 0644 register: _tls_ca - name: Update CA certs command: "{{ ca_command }}" @@ -74,6 +76,7 @@ copy: content: "{{ docker_config | to_nice_json }}" dest: /etc/docker/daemon.json + mode: 0644 become: true - name: Restart docker daemon @@ -89,6 +92,7 @@ file: state: directory path: /etc/containers + mode: 0755 - name: Modify registries.conf become: yes modify_registries_conf: @@ -102,6 +106,7 @@ file: state: directory path: /etc/buildkit/ + mode: 0755 - name: Modify buildkitd.toml become: yes modify_buildkitd_toml: diff --git a/roles/use-buildset-registry/tasks/user-config.yaml b/roles/use-buildset-registry/tasks/user-config.yaml index b4c9eea61..e133503ea 100644 --- a/roles/use-buildset-registry/tasks/user-config.yaml +++ b/roles/use-buildset-registry/tasks/user-config.yaml @@ -48,6 +48,7 @@ copy: content: "{{ docker_config | to_nice_json }}" dest: "/run/user/{{ ansible_user_uid }}/auth.json" + mode: 0600 # The next two tasks are for supporting k8s - name: Check if /var/lib/kubelet exists stat: diff --git a/roles/use-docker-mirror/tasks/mirror.yaml b/roles/use-docker-mirror/tasks/mirror.yaml index 17a968666..d845bae55 100644 --- a/roles/use-docker-mirror/tasks/mirror.yaml +++ b/roles/use-docker-mirror/tasks/mirror.yaml @@ -3,6 +3,7 @@ file: state: directory path: /etc/docker + mode: 0755 - name: Set docker_mirror fact when: diff --git a/util-tasks/run-docker-registry.yaml b/util-tasks/run-docker-registry.yaml index 92c2441c1..b40f06976 100644 --- a/util-tasks/run-docker-registry.yaml +++ b/util-tasks/run-docker-registry.yaml @@ -19,6 +19,7 @@ file: path: "{{ registry_tempdir.path }}/auth" state: directory + mode: 0755 - name: Install passlib for htpasswd become: true 
@@ -33,6 +34,7 @@ create: true crypt_scheme: bcrypt path: "{{ registry_tempdir.path }}/auth/htpasswd" + mode: 0644 name: "{{ registry.username }}" password: "{{ registry.password }}"
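Review bot: `mode: 0644` on `{{ registry_tempdir.path }}/auth/htpasswd` makes the bcrypt password hashes readable by every local user, and the `auth` directory in the preceding hunk is created as 0755, so nothing in these two tasks limits access. Unless the parent tempdir is already restrictive (not visible in the hunk), prefer `mode: "0600"`, or `mode: "0640"` with a group shared with the registry process if that process reads the file as a different user. The task starts above the hunk, so the owner and `become` settings could not be checked.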