beacon-node-builds: allow staff group membets to start builds

I was thinking of defining the jobs as nimbus user systemd units, but that would not work unless nimbus user logged in at least once. And Systemd services have no functionality for allowing non-root users to start/stop/restart system services, so sudo is the simplest way. Signed-off-by: Jakub Sokołowski <jakub@status.im>
2021-02-08 11:46:24 +01:00 · 2021-02-08 11:46:24 +01:00 · f96fe517e7
parent e5037a6751
commit f96fe517e7
4 changed files with 22 additions and 4 deletions
--- a/ansible/roles/beacon-node-builds/defaults/main.yml
+++ b/ansible/roles/beacon-node-builds/defaults/main.yml
@ -1,5 +1,6 @@
 ---
 beacon_node_builds_user: 'nimbus'
+beacon_node_builds_group: 'staff'
 beacon_node_builds_path: '/data/beacon-node-builds'
 beacon_node_builds_image_name: 'statusteam/nimbus_beacon_node'

--- a/ansible/roles/beacon-node-builds/tasks/build.yml
+++ b/ansible/roles/beacon-node-builds/tasks/build.yml
@ -22,15 +22,15 @@
    dest: '{{ beacon_node_builds_path }}/{{ item.name }}/build.sh'
    owner: '{{ beacon_node_builds_user }}'
    group: 'adm'
-    mode: 0755
+    mode: 0775

 - name: '{{ item.name }} - Create Dockerfile'
  template:
    src: 'Dockerfile.j2'
    dest: '{{ beacon_node_builds_path }}/{{ item.name }}/Dockerfile'
    owner: '{{ beacon_node_builds_user }}'
-    group: 'adm'
-    mode: 0644
+    group: '{{ beacon_node_builds_group }}'
+    mode: 0664

 - name: '{{ item.name }} - Create .dockerignore'
  copy:
@ -45,6 +45,7 @@
  vars:
    systemd_timer_name: 'beacon-node-build-{{ item.name }}'
    systemd_timer_user: '{{ beacon_node_builds_user }}'
+    systemd_timer_service_group: '{{ beacon_node_builds_group }}'
    systemd_timer_description: 'Docker image build for Nimbus beacon node'
    systemd_timer_requires_extra: 'docker.service'
    systemd_timer_start_on_creation: false
--- a/ansible/roles/beacon-node-builds/tasks/user.yml
+++ b/ansible/roles/beacon-node-builds/tasks/user.yml
@ -2,7 +2,7 @@
 - name: Create user for beacon node builds
  user:
    name: '{{ beacon_node_builds_user }}'
-    group: 'adm'
+    group: '{{ beacon_node_builds_group }}'
    groups: ['docker']
    shell: '/bin/zsh'

@ -18,3 +18,9 @@
    username: '{{ beacon_node_builds_docker_hub_user | mandatory }}'
    password: '{{ beacon_node_builds_docker_hub_token | mandatory }}'
  become_user: '{{ beacon_node_builds_user }}'
+
+- name: Sudoers file to let non-root users start jobs
+  template:
+    src: 'builds_sudoers.j2'
+    dest: '/etc/sudoers.d/80-beacon-node-builds'
+    mode: 0440
--- a/ansible/roles/beacon-node-builds/templates/builds_sudoers.j2
+++ b/ansible/roles/beacon-node-builds/templates/builds_sudoers.j2
@ -0,0 +1,10 @@
+# Allow non-root users start Nimbus builds with sudo.
+
+{% for service in beacon_node_builds_branches %}
+# {{ service.name }}
+%{{ beacon_node_builds_group }} ALL= NOPASSWD: /usr/bin/systemctl *status beacon-node-build-{{ service.name }}[.service]
+%{{ beacon_node_builds_group }} ALL= NOPASSWD: /usr/bin/systemctl *start beacon-node-build-{{ service.name }}[.service]
+%{{ beacon_node_builds_group }} ALL= NOPASSWD: /usr/bin/systemctl *stop beacon-node-build-{{ service.name }}[.service]
+%{{ beacon_node_builds_group }} ALL= NOPASSWD: /usr/bin/systemctl *restart beacon-node-build-{{ service.name }}[.service]
+
+{% endfor %}