Change how we set permission for config file

2024-02-06 14:19:58 +01:00 · 2024-02-06 14:19:58 +01:00 · b33da5a6a3
parent 5814e62e55
commit b33da5a6a3
2 changed files with 36 additions and 10 deletions
--- a/manifests/runner.pp
+++ b/manifests/runner.pp
@ -28,11 +28,9 @@ class podmanrunner::runner (
      group  => "root",
    }

-  if $aaa {
+  $runnerdata.each |$user,$userdata| {

-  $runnerdata.each |$user| {
-
-    user { "${user}${}":
+      user { "${user}${userpostfix}":
      ensure => present,
      home   => "/opt/${user}${userpostfix}",
      shell  => '/usr/sbin/nologin',
@ -72,6 +70,7 @@ class podmanrunner::runner (
      }
    }

+    unless find_file("/opt/${user}${userpostfix}/runnerdata/config.yml") {
      file { "/opt/${user}${userpostfix}/runnerdata/config.yml":
        ensure  => file,
        source => 'puppet:///modules/podmanrunner/forgejo-runner-config.yml',
@ -79,6 +78,7 @@ class podmanrunner::runner (
        group   => "${user}${userpostfix}",
        mode    => '0400',
      }
+    }

 # Make sure the podman user can read the /data dir
    exec { "make-${user}${userpostfix}-own-runnerdata":
@ -89,6 +89,15 @@ class podmanrunner::runner (
      unless   => "systemd-run --wait --user --machine=${user}${userpostfix}@ /bin/bash -c 'podman unshare stat --format %u /opt/${user}${userpostfix}/runnerdata | grep ^1000$ && podman unshare stat --format %g /opt/${user}${userpostfix}/runnerdata | grep ^1000$'",
    }

+    # Make sure the podman user can read the /data/config.yml file
+    exec { "podman-${user}${userpostfix}-own-runner-config":
+      command  => "systemd-run --wait --user --machine=${user}${userpostfix}@ /bin/bash -c 'podman unshare chown 1000:1000 /opt/${user}${userpostfix}/runnerdata/config.yml'",
+      path     => '/usr/bin:/usr/sbin:/bin',
+      provider => shell,
+      logoutput => false,
+      unless   => "systemd-run --wait --user --machine=${user}${userpostfix}@ /bin/bash -c 'podman unshare stat --format %u /opt/${user}${userpostfix}/runnerdata/config.yml | grep ^1000$ && podman unshare stat --format %g /opt/${user}${userpostfix}/runnerdata/config.yml | grep ^1000$'",
+    }
+
    exec { "enable-${user}${userpostfix}-linger":
      command  => "loginctl  enable-linger ${user}${userpostfix}",
      path     => '/usr/bin:/usr/sbin:/bin',
--- a/templates/docker-compose.yaml.erb
+++ b/templates/docker-compose.yaml.erb
@ -0,0 +1,17 @@
+version: "3"
+services:
+  actionrunner:
+    name: actionrunner
+    image: podmanrunner-3.3.0
+    build:
+      context: ./runnerimage
+    volumes:
+     - runnerdata:/data:Z
+
+volume:
+  runnerdata:
+    driver: local
+    driver_opts:
+      device: /opt/runneruser1runner/runnerdata
+      o: bind
+      type: none