From f96fe517e7f6e6f28c6640967492c31e2e200201 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jakub=20Soko=C5=82owski?=
Date: Mon, 8 Feb 2021 11:46:24 +0100
Subject: [PATCH] beacon-node-builds: allow staff group membets to start builds
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

I was thinking of defining the jobs as nimbus user systemd units, but that would not work unless nimbus user logged in at least once. And Systemd services have no functionality for allowing non-root users to start/stop/restart system services, so sudo is the simplest way.

Signed-off-by: Jakub SokoĊ‚owski
---
 ansible/roles/beacon-node-builds/defaults/main.yml | 1 +
 ansible/roles/beacon-node-builds/tasks/build.yml | 7 ++++---
 ansible/roles/beacon-node-builds/tasks/user.yml | 8 +++++++-
 .../beacon-node-builds/templates/builds_sudoers.j2 | 10 ++++++++++
 4 files changed, 22 insertions(+), 4 deletions(-)
 create mode 100644 ansible/roles/beacon-node-builds/templates/builds_sudoers.j2

diff --git a/ansible/roles/beacon-node-builds/defaults/main.yml b/ansible/roles/beacon-node-builds/defaults/main.yml
index cb14c59..993f203 100644
--- a/ansible/roles/beacon-node-builds/defaults/main.yml
+++ b/ansible/roles/beacon-node-builds/defaults/main.yml
@@ -1,5 +1,6 @@
 ---
 beacon_node_builds_user: 'nimbus'
+beacon_node_builds_group: 'staff'
 beacon_node_builds_path: '/data/beacon-node-builds'
 beacon_node_builds_image_name: 'statusteam/nimbus_beacon_node'
 
diff --git a/ansible/roles/beacon-node-builds/tasks/build.yml b/ansible/roles/beacon-node-builds/tasks/build.yml
index 085f668..5061608 100644
--- a/ansible/roles/beacon-node-builds/tasks/build.yml
+++ b/ansible/roles/beacon-node-builds/tasks/build.yml
@@ -22,15 +22,15 @@
     dest: '{{ beacon_node_builds_path }}/{{ item.name }}/build.sh'
     owner: '{{ beacon_node_builds_user }}'
     group: 'adm'
-    mode: 0755
+    mode: 0775
 
 - name: '{{ item.name }} - Create Dockerfile'
   template:
     src: 'Dockerfile.j2'
     dest: '{{ beacon_node_builds_path }}/{{ item.name }}/Dockerfile'
     owner: '{{ beacon_node_builds_user }}'
-    group: 'adm'
-    mode: 0644
+    group: '{{ beacon_node_builds_group }}'
+    mode: 0664
 
 - name: '{{ item.name }} - Create .dockerignore'
   copy:
@@ -45,6 +45,7 @@
   vars:
     systemd_timer_name: 'beacon-node-build-{{ item.name }}'
     systemd_timer_user: '{{ beacon_node_builds_user }}'
+    systemd_timer_service_group: '{{ beacon_node_builds_group }}'
     systemd_timer_description: 'Docker image build for Nimbus beacon node'
     systemd_timer_requires_extra: 'docker.service'
     systemd_timer_start_on_creation: false
diff --git a/ansible/roles/beacon-node-builds/tasks/user.yml b/ansible/roles/beacon-node-builds/tasks/user.yml
index daf6d08..5fb313e 100644
--- a/ansible/roles/beacon-node-builds/tasks/user.yml
+++ b/ansible/roles/beacon-node-builds/tasks/user.yml
@@ -2,7 +2,7 @@
 - name: Create user for beacon node builds
   user:
     name: '{{ beacon_node_builds_user }}'
-    group: 'adm'
+    group: '{{ beacon_node_builds_group }}'
     groups: ['docker']
     shell: '/bin/zsh'
 
@@ -18,3 +18,9 @@
     username: '{{ beacon_node_builds_docker_hub_user | mandatory }}'
     password: '{{ beacon_node_builds_docker_hub_token | mandatory }}'
   become_user: '{{ beacon_node_builds_user }}'
+
+- name: Sudoers file to let non-root users start jobs
+  template:
+    src: 'builds_sudoers.j2'
+    dest: '/etc/sudoers.d/80-beacon-node-builds'
+    mode: 0440
diff --git a/ansible/roles/beacon-node-builds/templates/builds_sudoers.j2 b/ansible/roles/beacon-node-builds/templates/builds_sudoers.j2
new file mode 100644
index 0000000..8d21d6b
--- /dev/null
+++ b/ansible/roles/beacon-node-builds/templates/builds_sudoers.j2
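Review bot: The build.sh task at the top of this hunk keeps `group: 'adm'` while its mode becomes `0775`, whereas the Dockerfile task below it moves to `group: '{{ beacon_node_builds_group }}'`; members of the configurable group therefore still cannot edit build.sh, and adm members, who are not the group this commit is about, gain write access to a script the build job presumably executes. If one group is meant to own everything the job consumes, the build.sh line should read `group: '{{ beacon_node_builds_group }}'`. Both new modes are unquoted octal (`0775`, `0664`); Ansible accepts that form, but quoting them (`mode: '0775'`) avoids YAML 1.1/1.2 octal ambiguity for any other tool that reads the file. The build.sh task's `name` and `template` lines start above the hunk.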
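Review bot: `group: '{{ beacon_node_builds_group }}'` makes the configurable group the user's primary group, and the `user` module fails when that group does not already exist; nothing in this role creates it, and the default `staff` is a stock group on Debian-derived systems but not generally elsewhere, so a different target or a site-specific value breaks the play at this task. Creating it first is one task placed before this one: `- name: Create group for beacon node builds` / `  group:` / `    name: '{{ beacon_node_builds_group }}'`. Since the same group name is later granted sudo rights, having Ansible own its existence also makes the privilege boundary explicit in the role.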
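Review bot: The new sudoers template task has no `validate`, so a rendering problem in `builds_sudoers.j2` (for example a `service.name` value containing characters sudoers cannot parse) would be installed into `/etc/sudoers.d/80-beacon-node-builds` and break sudo for every user on the host until it is repaired out of band. The `template` module supports `validate: '/usr/sbin/visudo -cf %s'`, which checks the rendered file and aborts the task before it is put in place. Setting `owner: 'root'` and `group: 'root'` explicitly next to `mode: 0440` would also record the ownership sudo expects for sudoers.d files instead of relying on the connecting user.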
@@ -0,0 +1,10 @@
+# Allow non-root users start Nimbus builds with sudo.
+
+{% for service in beacon_node_builds_branches %}
+# {{ service.name }}
+%{{ beacon_node_builds_group }} ALL= NOPASSWD: /usr/bin/systemctl *status beacon-node-build-{{ service.name }}[.service]
+%{{ beacon_node_builds_group }} ALL= NOPASSWD: /usr/bin/systemctl *start beacon-node-build-{{ service.name }}[.service]
+%{{ beacon_node_builds_group }} ALL= NOPASSWD: /usr/bin/systemctl *stop beacon-node-build-{{ service.name }}[.service]
+%{{ beacon_node_builds_group }} ALL= NOPASSWD: /usr/bin/systemctl *restart beacon-node-build-{{ service.name }}[.service]
+
+{% endfor %}
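Review bot: In sudoers command patterns `[...]` is a one-character bracket class, not an optional suffix, so `beacon-node-build-{{ service.name }}[.service]` matches the unit name followed by exactly one of the characters `.servic` and matches neither the bare `beacon-node-build-X` nor the `beacon-node-build-X.service` form a user would type; as written the four rules per service should not grant what the commit intends. The leading `*` before each verb is also matched against the concatenated argument string, where sudoers wildcards match whitespace, so it admits arbitrary options and extra arguments ahead of the verb rather than just the verb itself. Spelling out the exact invocations with and without the `.service` suffix fixes both; an inner loop over the verbs keeps the template short. The opening comment is missing a word and could read `# Allow non-root users to start Nimbus builds with sudo.`
```jinja
{% for service in beacon_node_builds_branches %}
{# … unchanged: per-service comment line … #}
{% for verb in ['status', 'start', 'stop', 'restart'] %}
%{{ beacon_node_builds_group }} ALL= NOPASSWD: /usr/bin/systemctl {{ verb }} beacon-node-build-{{ service.name }}, /usr/bin/systemctl {{ verb }} beacon-node-build-{{ service.name }}.service
{% endfor %}
{% endfor %}
```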