fix(mastodon): mount host user into container properly

transcaffeine 2022-08-26 11:26:58 +02:00
parent 6a0924c72c
commit 275976f1e6
Signed by: transcaffeine
GPG Key ID: 03624C433676E465
4 changed files with 98 additions and 10 deletions


@ -11,6 +11,8 @@ mastodon_data_path: "{{ mastodon_base_path }}/data"
mastodon_repo_path: "{{ mastodon_base_path }}/src" mastodon_repo_path: "{{ mastodon_base_path }}/src"
mastodon_config_path: "{{ mastodon_base_path }}/config" mastodon_config_path: "{{ mastodon_base_path }}/config"
mastodon_config_env_file: "{{ mastodon_config_path }}/env.production" mastodon_config_env_file: "{{ mastodon_config_path }}/env.production"
mastodon_config_group_file: "{{ mastodon_config_path }}/mastodon-group"
mastodon_config_passwd_file: "{{ mastodon_config_path }}/mastodon-passwd"
mastodon_nginx_config_path: "{{ mastodon_base_path }}/nginx-config" mastodon_nginx_config_path: "{{ mastodon_base_path }}/nginx-config"
mastodon_nginx_config_file: "{{ mastodon_nginx_config_path }}/nginx.conf" mastodon_nginx_config_file: "{{ mastodon_nginx_config_path }}/nginx.conf"
mastodon_nginx_cache_path: "{{ mastodon_base_path }}/nginx-cache" mastodon_nginx_cache_path: "{{ mastodon_base_path }}/nginx-cache"
@ -29,7 +31,9 @@ mastodon_container_image_ref: "{{ mastodon_container_image_name }}:{{ mastodon_c
mastodon_container_networks: mastodon_container_networks:
- name: "{{ mastodon_container_network_name }}" - name: "{{ mastodon_container_network_name }}"
mastodon_container_base_volumes_streaming: [] mastodon_container_base_volumes_streaming:
- "{{ mastodon_config_passwd_file }}:/etc/passwd:ro"
- "{{ mastodon_config_group_file }}:/etc/group:ro"
mastodon_container_extra_volumes_streaming: "{{ mastodon_container_extra_volumes }}" mastodon_container_extra_volumes_streaming: "{{ mastodon_container_extra_volumes }}"
mastodon_container_volumes_streaming: >- mastodon_container_volumes_streaming: >-
{{ mastodon_container_base_volumes_streaming + mastodon_container_extra_volumes_streaming }} {{ mastodon_container_base_volumes_streaming + mastodon_container_extra_volumes_streaming }}
@ -42,6 +46,8 @@ mastodon_container_volumes_sidekiq: >-
mastodon_container_base_volumes: mastodon_container_base_volumes:
- "{{ mastodon_repo_path }}/public:/mastodon/public:z" - "{{ mastodon_repo_path }}/public:/mastodon/public:z"
- "{{ mastodon_config_passwd_file }}:/etc/passwd:ro"
- "{{ mastodon_config_group_file }}:/etc/group:ro"
mastodon_container_extra_volumes: [] mastodon_container_extra_volumes: []
mastodon_container_volumes: >- mastodon_container_volumes: >-
{{ mastodon_container_base_volumes + mastodon_container_extra_volumes }} {{ mastodon_container_base_volumes + mastodon_container_extra_volumes }}
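Review bot: The new passwd/group mounts in both volume lists carry only `:ro`, while the existing public mount in the same file is labelled `:z`. On a host with SELinux enforcing, the container may be denied reading the unlabelled files, which would leave it without a usable /etc/passwd. If the role is meant to support such hosts, `- "{{ mastodon_config_passwd_file }}:/etc/passwd:ro,z"` (and the same for the group file) keeps the mounts consistent. A short comment above the entries, such as `# overlay the image's passwd/group so the host uid/gid resolve to a name inside the container`, would also explain why system files are being replaced.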


@ -43,6 +43,24 @@
mode: "0640" mode: "0640"
notify: restart-mastodon-nginx notify: restart-mastodon-nginx
- name: Ensure fake passwd file is templated
template:
src: passwd.j2
dest: "{{ mastodon_config_passwd_file }}"
owner: "{{ mastodon_user_info.uid | default(mastodon_user) }}"
group: "{{ mastodon_user_info.group | default(mastodon_user) }}"
mode: "0644"
notify: restart-mastodon
- name: Ensure fake passwd file is templated
template:
src: group.j2
dest: "{{ mastodon_config_group_file }}"
owner: "{{ mastodon_user_info.uid | default(mastodon_user) }}"
group: "{{ mastodon_user_info.group | default(mastodon_user) }}"
mode: "0644"
notify: restart-mastodon
- name: Ensure mastodon git repository is present and up-to-date - name: Ensure mastodon git repository is present and up-to-date
git: git:
repo: "{{ mastodon_git_upstream_url }}" repo: "{{ mastodon_git_upstream_url }}"
@ -52,6 +70,8 @@
force: no force: no
recursive: yes recursive: yes
track_submodules: yes track_submodules: yes
become: yes
become_user: "{{ mastodon_user }}"
register: git_repo_info register: git_repo_info
- name: Ensure mastodon git repository and children belong to {{ mastodon_user }} - name: Ensure mastodon git repository and children belong to {{ mastodon_user }}
@ -131,6 +151,7 @@
command: "node ./streaming" command: "node ./streaming"
restart_policy: "{{ mastodon_container_restart_policy }}" restart_policy: "{{ mastodon_container_restart_policy }}"
ports: "{{ mastodon_container_ports_streaming }}" ports: "{{ mastodon_container_ports_streaming }}"
user: "{{ mastodon_user }}"
healthcheck: healthcheck:
test: ["CMD-SHELL", "wget -q --spider --proxy=off localhost:4000/api/v1/streaming/health || exit 1"] test: ["CMD-SHELL", "wget -q --spider --proxy=off localhost:4000/api/v1/streaming/health || exit 1"]
interval: 5s interval: 5s
@ -148,7 +169,7 @@
command: "bash -c \"rm -f /mastodon/tmp/pids/server.pid; bundle exec rails s -p 3000\"" command: "bash -c \"rm -f /mastodon/tmp/pids/server.pid; bundle exec rails s -p 3000\""
restart_policy: "{{ mastodon_container_restart_policy }}" restart_policy: "{{ mastodon_container_restart_policy }}"
ports: "{{ mastodon_container_ports }}" ports: "{{ mastodon_container_ports }}"
user: "{{ mastodon_user }}" user: "{{ mastodon_user_info.uid }}:{{ mastodon_user_info.group }}"
healthcheck: healthcheck:
test: ["CMD-SHELL", "wget -q --spider --proxy=off localhost:3000/health || exit 1"] test: ["CMD-SHELL", "wget -q --spider --proxy=off localhost:3000/health || exit 1"]
interval: 5s interval: 5s
@ -156,6 +177,12 @@
start_period: 0s start_period: 0s
timeout: 5s timeout: 5s
- name: Ensure container paths belong to the mastodon user
community.docker.docker_container_exec:
container: "{{ mastodon_container_name }}"
command: "chown -R {{ mastodon_user_info.uid }}:{{ mastodon_user_info.group }} /opt/mastodon"
user: "0"
- name: Ensure mastodon-nginx container '{{ mastodon_container_nginx_name }}' is running - name: Ensure mastodon-nginx container '{{ mastodon_container_nginx_name }}' is running
docker_container: docker_container:
name: "{{ mastodon_container_nginx_name }}" name: "{{ mastodon_container_nginx_name }}"
@ -165,12 +192,7 @@
restart_policy: "{{ mastodon_container_restart_policy }}" restart_policy: "{{ mastodon_container_restart_policy }}"
- name: Ensure assets are precompiled - name: Ensure assets are precompiled
docker_container: community.docker.docker_container_exec:
name: "{{ mastodon_container_name }}" container: "{{ mastodon_container_name }}"
env_file: "{{ mastodon_config_env_file }}" command: "bundle exec rails assets:precompile"
command: "bash -c \"bundle exec rails assets:precompile\""
user: "{{ mastodon_user }}"
tty: yes
interactive: yes
detach: no
when: git_repo_info.before != git_repo_info.after when: git_repo_info.before != git_repo_info.after
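Review bot: The streaming container is started with `user: "{{ mastodon_user }}"`, a name that is presumably resolved through the passwd file this commit mounts over /etc/passwd, and the two template tasks make that file owned by the service account itself. Anything able to write as that account on the host could therefore change which uid the name maps to at the next restart. The web container in this section already uses the numeric form, so the streaming container should match it with `user: "{{ mastodon_user_info.uid }}:{{ mastodon_user_info.group }}"`, and the templated files can be `owner: root` and `group: root`, since mode 0644 keeps them readable. The second template task also repeats the first task's name; it should read `- name: Ensure fake group file is templated`.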


@ -0,0 +1,40 @@
root:x:0:
daemon:x:1:
bin:x:2:
sys:x:3:
adm:x:4:
tty:x:5:
disk:x:6:
lp:x:7:
mail:x:8:
news:x:9:
uucp:x:10:
man:x:12:
proxy:x:13:
kmem:x:15:
dialout:x:20:
fax:x:21:
voice:x:22:
cdrom:x:24:
floppy:x:25:
tape:x:26:
sudo:x:27:
audio:x:29:
dip:x:30:
www-data:x:33:
backup:x:34:
operator:x:37:
list:x:38:
irc:x:39:
src:x:40:
gnats:x:41:
shadow:x:42:
utmp:x:43:
video:x:44:
sasl:x:45:
plugdev:x:46:
staff:x:50:
games:x:60:
users:x:100:
nogroup:x:65534:
{{ mastodon_user }}:x:{{ mastodon_user_info.group }}:
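Review bot: This template looks like a hand-copied snapshot of a Debian group file, with no record of which image it came from, and it replaces the image's own /etc/group wholesale; the passwd template in the last file section has the same issue. If the container image later changes its system accounts, the overlay will silently mask them. A Jinja comment at the top, `{# copied from /etc/group of <image name and tag>; re-sync when the image is bumped #}`, would record the origin. The rendered `{{ mastodon_user }}` line can also duplicate a static entry when that name or gid is already in the list, so a check for that in the tasks would be worthwhile.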


@ -0,0 +1,20 @@
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
{{ mastodon_user }}:x:{{ mastodon_user_info.uid }}:{{ mastodon_user_info.group }}::/opt/mastodon:/bin/sh