From 5cd35d8606562f7e4e1837cabb0fbcc3097126ac Mon Sep 17 00:00:00 2001
From: Dalton Hubble
Date: Tue, 17 May 2016 11:40:12 -0700
Subject: [PATCH] contrib/systemd: Run bootcfg with bootcfg user/group

* Setup data dir with the bootcfg group
---
Documentation/deployment.md | 15 +++++++++++++
Makefile | 10 ++-------
contrib/systemd/bootcfg.service | 7 ++++++
scripts/setup-data-dir | 38 +++++++++++++++++++++++++++++++++
4 files changed, 62 insertions(+), 8 deletions(-)
create mode 100755 scripts/setup-data-dir

diff --git a/Documentation/deployment.md b/Documentation/deployment.md
index ce067166..9d83d52c 100644
--- a/Documentation/deployment.md
+++ b/Documentation/deployment.md
@@ -72,6 +72,21 @@ Install the `bootcfg` static binary to `/usr/local/bin`.
 
 $ sudo make install
 
+### User/Group
+
+The `bootcfg` service should be run by a non-root user with access to the `bootcfg` data directory (e.g. `/var/lib/bootcfg`). Create a `bootcfg` user and group.
+
+ sudo useradd -U bootcfg
+
+Run the provided script to setup the `bootcfg` data directory.
+
+ sudo ./scripts/setup-data-dir
+
+Add yourself to the `bootcfg` group if you'd like to data by modifying files rather than through the `bootcmd` client.
+
+ SELF=$(whoami)
+ sudo gpasswd --add $SELF bootcfg
+
 ### Run
 
 Run the `bootcfg` server.
diff --git a/Makefile b/Makefile
index 47dea510..6615c855 100644
--- a/Makefile
+++ b/Makefile
@@ -12,23 +12,17 @@ test:
 ./test
 
 install:
+ touch ${ENV_FILE}
 cp bin/bootcfg $(BIN_DIR)
 cp bin/bootcmd $(BIN_DIR)
- mkdir -p $(DATA_DIR)/{profiles,groups,ignition,cloud,assets}
- cp -n -R examples/profiles $(DATA_DIR)
- cp -n -R examples/groups $(DATA_DIR)
- cp -n -R examples/ignition $(DATA_DIR)
- cp -n -R examples/cloud $(DATA_DIR)
- touch ${ENV_FILE}
 @echo "**************"
 @echo "INSTALL SUCESS"
 @echo "**************"
 @echo "bootcfg was installed to /usr/local/bin/bootcfg"
 @echo "bootcmd was installed to /usr/local/bin/bootcmd"
- @echo "The default data directory is located at /var/lib/bootcfg"
 
 uninstall:
 rm $(BIN_DIR)/bootcfg
 rm $(BIN_DIR)/bootcmd
 
-.PHONY: build
+.PHONY: build test install
diff --git a/contrib/systemd/bootcfg.service b/contrib/systemd/bootcfg.service
index ccd84d1e..f1f3e66c 100644
--- a/contrib/systemd/bootcfg.service
+++ b/contrib/systemd/bootcfg.service
@@ -4,8 +4,15 @@ Documentation=https://github.com/coreos/coreos-baremetal
 
 [Service]
 Type=simple
+User=bootcfg
+Group=bootcfg
 EnvironmentFile=/etc/bootcfg.env
 ExecStart=/usr/local/bin/bootcfg -address=0.0.0.0:8080 -log-level=debug
+# systemd.exec
+ProtectHome=yes
+ProtectSystem=full
+ReadWriteDirectories=/var/lib/bootcfg
+
 [Install]
 WantedBy=multi-user.target
\ No newline at end of file
diff --git a/scripts/setup-data-dir b/scripts/setup-data-dir
new file mode 100755
index 00000000..6eb450b6
--- /dev/null
+++ b/scripts/setup-data-dir
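Review bot: The new `.PHONY: build test install` line still omits `uninstall`, which is a command target exactly like `install` (its rule is visible in the context lines), so a stray file named `uninstall` in the tree would turn `make uninstall` into a no-op; use `.PHONY: build test install uninstall`. The added `touch ${ENV_FILE}` mixes `${}` with the `$()` form used on the neighbouring `$(BIN_DIR)` lines, and it creates the env file owned by root with whatever mode the caller's umask yields. If `/etc/bootcfg.env` is meant to carry settings for the service that now runs unprivileged, creating it with an explicit mode only when absent, e.g. `[ -e $(ENV_FILE) ] || install -m 0640 /dev/null $(ENV_FILE)`, removes the umask dependency without truncating an existing file; I cannot tell from this hunk what the file holds, so treat that as a suggestion.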
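Review bot: `ReadWriteDirectories=/var/lib/bootcfg` appears to have no effect next to `ProtectSystem=full`: `full` only remounts /usr, /boot and /etc read-only, and /var/lib/bootcfg is under none of them, so the line currently neither grants nor restricts access. Either drop it or extend the `# systemd.exec` comment to say it is there for when ProtectSystem is tightened, so the next reader does not assume the data directory is otherwise locked down. Since the unit now runs as `User=bootcfg`, `NoNewPrivileges=yes` and `PrivateTmp=yes` are inexpensive additions to the same block. The file also still ends without a trailing newline, as the `\ No newline at end of file` marker after `WantedBy=` shows on the new side.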
@@ -0,0 +1,38 @@
+#!/bin/bash -e
+
+# USAGE:
+# ./setup-data-dir [/path/to/data/dir]
+# Sets up a bootcfg data directory at the given path or assumes the default
+# data directory path /var/lib/bootcfg.
+
+if [ "$EUID" -ne 0 ]
+ then echo "Please run as root"
+ exit
+fi
+
+# default to /var/lib/bootcfg
+datadir=${1:-"/var/lib/bootcfg"}
+
+# Create the directory with the given mode and group
+# 1 - directory to create if it does not exist
+# 2 - mode to set the directory to
+make_bootcfg_directory() {
+ local dir="${1}"
+ local mode="${2}"
+
+ if [[ -e "${dir}" ]]; then
+ chmod "${mode}" "${dir}"
+ else
+ mkdir --mode="${mode}" "${dir}"
+ fi
+ chgrp bootcfg "${dir}"
+}
+
+# SGID bit so all files created will have the correct group
+make_bootcfg_directory ${datadir} 2550
+make_bootcfg_directory "${datadir}/assets" 2550
+
+make_bootcfg_directory "${datadir}/profiles" 2770
+make_bootcfg_directory "${datadir}/groups" 2770
+make_bootcfg_directory "${datadir}/ignition" 2770
+make_bootcfg_directory "${datadir}/cloud" 2770
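Review bot: The root check exits with status 0 when the script is not run as root (bare `exit` after the echo), so any caller that checks the exit status sees success while nothing was created; make it `exit 1`. The first call passes the path unquoted, `make_bootcfg_directory ${datadir} 2550`, unlike the six quoted calls below it, so a data directory containing whitespace is split into separate arguments; write `make_bootcfg_directory "${datadir}" 2550`. Inside `make_bootcfg_directory`, `[[ -e "${dir}" ]]` is also true for a regular file or symlink at that path, in which case the script would chmod/chgrp that object instead of failing; `if [[ -d "${dir}" ]]; then` lets `mkdir` in the else branch fail loudly under `bash -e` when something else is in the way. The script further assumes the `bootcfg` group already exists; `chgrp` aborts the run if it does not, but a `getent group bootcfg >/dev/null` guard before the first call gives a clearer message.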