contrib/systemd: Run bootcfg with bootcfg user/group

* Setup data dir with the bootcfg group

Documentation/deployment.md

@@ -72,6 +72,21 @@ Install the `bootcfg` static binary to `/usr/local/bin`.
 
     $ sudo make install
 
+### User/Group
+
+The `bootcfg` service should be run by a non-root user with access to the `bootcfg` data directory (e.g. `/var/lib/bootcfg`). Create a `bootcfg` user and group.
+
+    sudo useradd -U bootcfg
+
+Run the provided script to setup the `bootcfg` data directory.
+
+    sudo ./scripts/setup-data-dir
+
+Add yourself to the `bootcfg` group if you'd like to data by modifying files rather than through the `bootcmd` client.
+
+    SELF=$(whoami)
+    sudo gpasswd --add $SELF bootcfg
+
 ### Run
 
 Run the `bootcfg` server.

Makefile

@@ -12,23 +12,17 @@ test:
 	./test
 
 install:
+	touch ${ENV_FILE}
 	cp bin/bootcfg $(BIN_DIR)
 	cp bin/bootcmd $(BIN_DIR)
-	mkdir -p $(DATA_DIR)/{profiles,groups,ignition,cloud,assets}
-	cp -n -R examples/profiles $(DATA_DIR)
-	cp -n -R examples/groups $(DATA_DIR)
-	cp -n -R examples/ignition $(DATA_DIR)
-	cp -n -R examples/cloud $(DATA_DIR)
-	touch ${ENV_FILE}
 	@echo "**************"
 	@echo "INSTALL SUCESS"
 	@echo "**************"
 	@echo "bootcfg was installed to /usr/local/bin/bootcfg"
 	@echo "bootcmd was installed to /usr/local/bin/bootcmd"
-	@echo "The default data directory is located at /var/lib/bootcfg"
 
 uninstall:
 	rm $(BIN_DIR)/bootcfg
 	rm $(BIN_DIR)/bootcmd
 
-.PHONY: build
+.PHONY: build test install

contrib/systemd/bootcfg.service

@@ -4,8 +4,15 @@ Documentation=https://github.com/coreos/coreos-baremetal
 
 [Service]
 Type=simple
+User=bootcfg
+Group=bootcfg
 EnvironmentFile=/etc/bootcfg.env
 ExecStart=/usr/local/bin/bootcfg -address=0.0.0.0:8080 -log-level=debug
 
+# systemd.exec
+ProtectHome=yes
+ProtectSystem=full
+ReadWriteDirectories=/var/lib/bootcfg
+
 [Install]
 WantedBy=multi-user.target

scripts/setup-data-dir

@@ -0,0 +1,38 @@
+#!/bin/bash -e
+
+# USAGE:
+# ./setup-data-dir [/path/to/data/dir]
+# Sets up a bootcfg data directory at the given path or assumes the default
+# data directory path /var/lib/bootcfg.
+
+if [ "$EUID" -ne 0 ]
+  then echo "Please run as root"
+  exit
+fi
+
+# default to /var/lib/bootcfg
+datadir=${1:-"/var/lib/bootcfg"}
+
+# Create the directory with the given mode and group
+# 1 - directory to create if it does not exist
+# 2 - mode to set the directory to
+make_bootcfg_directory() {
+    local dir="${1}"
+    local mode="${2}"
+
+    if [[ -e "${dir}" ]]; then
+        chmod "${mode}" "${dir}"
+    else
+        mkdir --mode="${mode}" "${dir}"
+    fi
+    chgrp bootcfg "${dir}"
+}
+
+# SGID bit so all files created will have the correct group
+make_bootcfg_directory ${datadir} 2550
+make_bootcfg_directory "${datadir}/assets" 2550
+
+make_bootcfg_directory "${datadir}/profiles" 2770
+make_bootcfg_directory "${datadir}/groups" 2770
+make_bootcfg_directory "${datadir}/ignition" 2770
+make_bootcfg_directory "${datadir}/cloud" 2770