From 275976f1e61b0fded4e3cb3dea693ae9efe60df6 Mon Sep 17 00:00:00 2001
From: Johanna Dorothea Reichmann
Date: Fri, 26 Aug 2022 11:26:58 +0200
Subject: [PATCH] fix(mastodon): mount host user into container properly
---
 roles/mastodon/defaults/main.yml | 8 +++++-
 roles/mastodon/tasks/main.yml | 40 +++++++++++++++++++++++-------
 roles/mastodon/templates/group.j2 | 40 ++++++++++++++++++++++++++++++
 roles/mastodon/templates/passwd.j2 | 20 +++++++++++++++
 4 files changed, 98 insertions(+), 10 deletions(-)
 create mode 100644 roles/mastodon/templates/group.j2
 create mode 100644 roles/mastodon/templates/passwd.j2
diff --git a/roles/mastodon/defaults/main.yml b/roles/mastodon/defaults/main.yml
index 3296e0a..d261a0c 100644
--- a/roles/mastodon/defaults/main.yml
+++ b/roles/mastodon/defaults/main.yml
@@ -11,6 +11,8 @@ mastodon_data_path: "{{ mastodon_base_path }}/data"
 mastodon_repo_path: "{{ mastodon_base_path }}/src"
 mastodon_config_path: "{{ mastodon_base_path }}/config"
 mastodon_config_env_file: "{{ mastodon_config_path }}/env.production"
+mastodon_config_group_file: "{{ mastodon_config_path }}/mastodon-group"
+mastodon_config_passwd_file: "{{ mastodon_config_path }}/mastodon-passwd"
 mastodon_nginx_config_path: "{{ mastodon_base_path }}/nginx-config"
 mastodon_nginx_config_file: "{{ mastodon_nginx_config_path }}/nginx.conf"
 mastodon_nginx_cache_path: "{{ mastodon_base_path }}/nginx-cache"
@@ -29,7 +31,9 @@ mastodon_container_image_ref: "{{ mastodon_container_image_name }}:{{ mastodon_c
 mastodon_container_networks:
   - name: "{{ mastodon_container_network_name }}"
-mastodon_container_base_volumes_streaming: []
+mastodon_container_base_volumes_streaming:
+  - "{{ mastodon_config_passwd_file }}:/etc/passwd:ro"
+  - "{{ mastodon_config_group_file }}:/etc/group:ro"
 mastodon_container_extra_volumes_streaming: "{{ mastodon_container_extra_volumes }}"
 mastodon_container_volumes_streaming: >-
   {{ mastodon_container_base_volumes_streaming + mastodon_container_extra_volumes_streaming }}
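Review bot: The two new mounts in `mastodon_container_base_volumes_streaming` replace the image's entire `/etc/passwd` and `/etc/group` with files rendered by this role, so any account the image defines beyond the Debian defaults copied into the templates vanishes, and the copies will drift silently whenever the base image changes; nothing in the hunk records that constraint. The variable deserves a comment stating the intent, e.g. `# Shadow the image's account files so the host uid/gid resolve to a name inside the container; the templates must track the base image's /etc/passwd and /etc/group.` The `:ro` flag is the right call — the container must not be able to rewrite its own account database. If the only consumer of the name is the container's `user:` setting, a numeric `uid:gid` alone may make these mounts unnecessary; worth confirming against what the streaming process actually looks up at runtime.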
@@ -42,6 +46,8 @@ mastodon_container_volumes_sidekiq: >-
 mastodon_container_base_volumes:
   - "{{ mastodon_repo_path }}/public:/mastodon/public:z"
+  - "{{ mastodon_config_passwd_file }}:/etc/passwd:ro"
+  - "{{ mastodon_config_group_file }}:/etc/group:ro"
 mastodon_container_extra_volumes: []
 mastodon_container_volumes: >-
   {{ mastodon_container_base_volumes + mastodon_container_extra_volumes }}
diff --git a/roles/mastodon/tasks/main.yml b/roles/mastodon/tasks/main.yml
index 98caf9d..9997181 100644
--- a/roles/mastodon/tasks/main.yml
+++ b/roles/mastodon/tasks/main.yml
@@ -43,6 +43,24 @@
     mode: "0640"
   notify: restart-mastodon-nginx
+- name: Ensure fake passwd file is templated
+  template:
+    src: passwd.j2
+    dest: "{{ mastodon_config_passwd_file }}"
+    owner: "{{ mastodon_user_info.uid | default(mastodon_user) }}"
+    group: "{{ mastodon_user_info.group | default(mastodon_user) }}"
+    mode: "0644"
+  notify: restart-mastodon
+- name: Ensure fake passwd file is templated
+  template:
+    src: group.j2
+    dest: "{{ mastodon_config_group_file }}"
+    owner: "{{ mastodon_user_info.uid | default(mastodon_user) }}"
+    group: "{{ mastodon_user_info.group | default(mastodon_user) }}"
+    mode: "0644"
+  notify: restart-mastodon
 - name: Ensure mastodon git repository is present and up-to-date
   git:
     repo: "{{ mastodon_git_upstream_url }}"
@@ -52,6 +70,8 @@
     force: no
     recursive: yes
     track_submodules: yes
+  become: yes
+  become_user: "{{ mastodon_user }}"
   register: git_repo_info
 - name: Ensure mastodon git repository and children belong to {{ mastodon_user }}
@@ -131,6 +151,7 @@
     command: "node ./streaming"
     restart_policy: "{{ mastodon_container_restart_policy }}"
     ports: "{{ mastodon_container_ports_streaming }}"
+    user: "{{ mastodon_user }}"
     healthcheck:
       test: ["CMD-SHELL", "wget -q --spider --proxy=off localhost:4000/api/v1/streaming/health || exit 1"]
       interval: 5s
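Review bot: The second new task is named `Ensure fake passwd file is templated` but renders `group.j2` into `mastodon_config_group_file`; the copy-pasted name hides which file a failure came from in the play output and should read `- name: Ensure fake group file is templated`. Both tasks fall back with `| default(mastodon_user)` on `owner`/`group`, yet the templates they render reference `mastodon_user_info.uid` and `mastodon_user_info.group` with no default, so the fallback can never actually be reached — either drop it or give the templates the same default. `mastodon_user_info` is not defined anywhere in this hunk; presumably it is the registered result of an earlier `user` task, which is worth confirming since an undefined value would fail the template task rather than degrade gracefully.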
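Review bot: `become: yes` on the git task uses the YAML 1.1 truthy spelling that yamllint's `truthy` rule and current Ansible style guides flag; new lines should be written `become: true` even though the neighbouring `force: no` / `recursive: yes` / `track_submodules: yes` are pre-existing. Cloning as `{{ mastodon_user }}` means the checkout is created with the right ownership from the start, so the following task that chowns the repository to that user may now be redundant on fresh hosts — keep it if it also repairs existing deployments, but say so in a comment, e.g. `# Clone as the service user so files need no post-hoc chown`.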
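Review bot: The streaming container is started with `user: "{{ mastodon_user }}"`, a name, while the web container in the same commit switches to the numeric `"{{ mastodon_user_info.uid }}:{{ mastodon_user_info.group }}"`; the name form only works if the runtime can resolve it in the container's `/etc/passwd`, which here is the bind-mounted template, so container start-up becomes coupled to that mount being present and correct. Use the same numeric form for the streaming container so both run as the host uid/gid regardless of what `/etc/passwd` says: `user: "{{ mastodon_user_info.uid }}:{{ mastodon_user_info.group }}"`. The `docker_container` task this line belongs to begins above the hunk.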
@@ -148,7 +169,7 @@
     command: "bash -c \"rm -f /mastodon/tmp/pids/server.pid; bundle exec rails s -p 3000\""
     restart_policy: "{{ mastodon_container_restart_policy }}"
     ports: "{{ mastodon_container_ports }}"
-    user: "{{ mastodon_user }}"
+    user: "{{ mastodon_user_info.uid }}:{{ mastodon_user_info.group }}"
     healthcheck:
       test: ["CMD-SHELL", "wget -q --spider --proxy=off localhost:3000/health || exit 1"]
       interval: 5s
@@ -156,6 +177,12 @@
       start_period: 0s
       timeout: 5s
+- name: Ensure container paths belong to the mastodon user
+  community.docker.docker_container_exec:
+    container: "{{ mastodon_container_name }}"
+    command: "chown -R {{ mastodon_user_info.uid }}:{{ mastodon_user_info.group }} /opt/mastodon"
+    user: "0"
 - name: Ensure mastodon-nginx container '{{ mastodon_container_nginx_name }}' is running
   docker_container:
     name: "{{ mastodon_container_nginx_name }}"
@@ -165,12 +192,7 @@
     restart_policy: "{{ mastodon_container_restart_policy }}"
 - name: Ensure assets are precompiled
-  docker_container:
-    name: "{{ mastodon_container_name }}"
-    env_file: "{{ mastodon_config_env_file }}"
-    command: "bash -c \"bundle exec rails assets:precompile\""
-    user: "{{ mastodon_user }}"
-    tty: yes
-    interactive: yes
-    detach: no
+  community.docker.docker_container_exec:
+    container: "{{ mastodon_container_name }}"
+    command: "bundle exec rails assets:precompile"
   when: git_repo_info.before != git_repo_info.after
diff --git a/roles/mastodon/templates/group.j2 b/roles/mastodon/templates/group.j2
new file mode 100644
index 0000000..0b3e147
--- /dev/null
+++ b/roles/mastodon/templates/group.j2
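Review bot: The new `docker_container_exec` task runs `chown -R … /opt/mastodon` as root (`user: "0"`) inside the running web container on every play, with no `changed_when`, so it always reports a change and recursively rewrites ownership of the whole application tree — including any bind mounts under it — each time the role runs. At minimum add `changed_when: false` so the play output is honest, and consider guarding it the same way the precompile task below already is, `when: git_repo_info.before != git_repo_info.after`, so the recursive chown only runs after the checkout actually changed. `/opt/mastodon` is also hard-coded here while the role's volumes mount under `/mastodon`; whether the two refer to the same tree depends on the image layout, which the hunk does not show, so a comment naming the assumption would help.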
@@ -0,0 +1,40 @@
+root:x:0:
+daemon:x:1:
+bin:x:2:
+sys:x:3:
+adm:x:4:
+tty:x:5:
+disk:x:6:
+lp:x:7:
+mail:x:8:
+news:x:9:
+uucp:x:10:
+man:x:12:
+proxy:x:13:
+kmem:x:15:
+dialout:x:20:
+fax:x:21:
+voice:x:22:
+cdrom:x:24:
+floppy:x:25:
+tape:x:26:
+sudo:x:27:
+audio:x:29:
+dip:x:30:
+www-data:x:33:
+backup:x:34:
+operator:x:37:
+list:x:38:
+irc:x:39:
+src:x:40:
+gnats:x:41:
+shadow:x:42:
+utmp:x:43:
+video:x:44:
+sasl:x:45:
+plugdev:x:46:
+staff:x:50:
+games:x:60:
+users:x:100:
+nogroup:x:65534:
+{{ mastodon_user }}:x:{{ mastodon_user_info.group }}:
diff --git a/roles/mastodon/templates/passwd.j2 b/roles/mastodon/templates/passwd.j2
new file mode 100644
index 0000000..a5220d3
--- /dev/null
+++ b/roles/mastodon/templates/passwd.j2
@@ -0,0 +1,20 @@
+root:x:0:0:root:/root:/bin/bash
+daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
+bin:x:2:2:bin:/bin:/usr/sbin/nologin
+sys:x:3:3:sys:/dev:/usr/sbin/nologin
+sync:x:4:65534:sync:/bin:/bin/sync
+games:x:5:60:games:/usr/games:/usr/sbin/nologin
+man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
+lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
+mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
+news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
+uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
+proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
+www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
+backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
+list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
+irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
+gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
+nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
+_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
+{{ mastodon_user }}:x:{{ mastodon_user_info.uid }}:{{ mastodon_user_info.group }}::/opt/mastodon:/bin/sh
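Review bot: The service account line gives `{{ mastodon_user }}` a `/bin/sh` login shell while every other non-root entry uses `/usr/sbin/nologin`; since this entry exists only so the host uid resolves to a name, and the container commands in this role are launched by Docker rather than through a login shell, `/usr/sbin/nologin` is the tighter choice unless something in the image is known to need a shell for this user — confirm before changing. The rest of the file is a verbatim copy of a Debian default `/etc/passwd`, so a header comment should record which image it mirrors and that it must be updated alongside `mastodon_container_image_ref`, e.g. `{# Shadows the image's /etc/passwd; keep in sync with the base image's account list. #}`. The home directory `/opt/mastodon` is hard-coded although the role otherwise parameterises paths; if a variable for the in-container path exists it belongs here too.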