Author:
Hash:
Timestamp:
+51 -10 +/-4 browse
Kevin Schoon [me@kevinschoon.com]
74a29b04fbe824cfde8257a1a675c55aca1997ef
Sun, 28 Apr 2024 16:26:58 +0000 (1.5 years ago)
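--- a/ayllu/src/job_server/mod.rs
+++ b/ayllu/src/job_server/mod.rs
@@ -10,7 +10,7 @@ use ayllu_api::jobs::Server;
 use ayllu_database::Builder;
 use ayllu_rpc::{
 futures::prelude::*,
-init_socket, spawn,
+init_socket, set_group_writable, spawn,
 tarpc::{
 server::{BaseChannel, Channel},
 tokio_serde::formats::Bincode,
@@ -31,6 +31,7 @@ pub async fn serve(cfg: &Config) -> Result<(), Box<dyn Error>> {
 init_socket(socket_path)?;
 info!("job server listening @ {:?}", socket_path);
 let mut listener = unix::listen(socket_path, Bincode::default).await?;
+set_group_writable(socket_path)?;
 listener.config_mut().max_frame_length(usize::MAX);
 listener
 // Ignore accept errors.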
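Review bot: `set_group_writable(socket_path)?` runs only after `unix::listen` has already bound the socket, so between those two lines the socket file carries whatever mode the process umask produced rather than the intended one. With the common 022 umask that window merely denies group peers, but with a permissive umask it is a window in which any local user can connect, and relying on the umask for the final mode is fragile either way. Restricting the parent directory that `init_socket` creates to the owner and the `ayllu` group would make the socket's own mode during that window much less important. Note also that `set_group_writable` as defined in this commit (crates/rpc/src/lib.rs) does not persist the mode it computes, so this call currently changes nothing. `serve` begins before this hunk and continues past it.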
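--- a/containers/multiuser/run_all.sh
+++ b/containers/multiuser/run_all.sh
@@ -6,6 +6,8 @@
 AYLLU_HOME="/home/ayllu"
 AYLLU_SSH_AUTHORIZED_KEYS_FILE="$AYLLU_HOME/.ssh/authorized_keys"
 
+mkdir -p /var/lib/ayllu
+chown -R ayllu:ayllu /var/lib/ayllu
 mkdir -p "$AYLLU_HOME/.ssh"
 chown ayllu:ayllu "$AYLLU_HOME/.ssh"
 echo /dev/null > "$AYLLU_SSH_AUTHORIZED_KEYS_FILE"
@@ -28,6 +30,7 @@ do
 echo "creating user $username"
 
 adduser -h "/home/$username" -D -g "Ayllu Managed User" "$username"
+addgroup "$username" ayllu
 mkdir -p "/home/$username/.ssh"
 echo /dev/null > "/home/$username/.ssh/authorized_keys"
 
@@ -35,10 +38,10 @@ do
 replacement=$(printf "s/%s=//" "$env_key")
 all_keys="$(echo "$env_entry" | sed "${replacement}")"
 
-echo "$all_keys" | sed 's/::/\n/g' | while IFS= read -r key_entry
-do
-echo "$key_entry" >> "/home/$username/.ssh/authorized_keys"
-done
+echo "$all_keys" | sed 's/::/\n/g' | while IFS= read -r key_entry
+do
+echo "$key_entry" >> "/home/$username/.ssh/authorized_keys"
+done
 
 chown -R "$username:$username" "/home/$username"
 chmod 644 "/home/$username/.ssh/authorized_keys"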
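Review bot: `chown -R ayllu:ayllu /var/lib/ayllu` sets ownership but no mode, so the directory keeps whatever `mkdir -p` got from the umask, and `addgroup "$username" ayllu` in the second hunk puts every managed user into the group that owns it; any group-writable path under it (presumably where the job socket lives) then becomes writable by all of them, not merely connectable. Make the intended access explicit with something like `chmod 750 /var/lib/ayllu` directly after the chown, and consider whether the `ayllu` group should grant access to the socket only rather than to the whole state directory. The re-indented `while` loop in the third hunk is a whitespace-only change. The loop enclosing the second and third hunks (`do` in the hunk headers) starts before this section.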
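--- a/crates/rpc/src/lib.rs
+++ b/crates/rpc/src/lib.rs
@@ -1,6 +1,7 @@
-use std::fs::remove_file;
+use std::fs::{create_dir_all, remove_file};
 use std::future::Future;
 use std::io::Error as IoError;
+use std::os::unix::fs::PermissionsExt;
 use std::path::Path;
 
 // TODO: due to https://github.com/google/tarpc/issues/421 it's not currently
@@ -17,8 +18,19 @@ pub async fn spawn(fut: impl Future<Output = ()> + Send + 'static) {
 
 /// Initialize the socket for listening
 pub fn init_socket(path: &Path) -> Result<(), IoError> {
+if let Some(basepath) = path.parent() {
+create_dir_all(basepath)?;
+}
 if path.exists() {
 remove_file(path)?;
 }
 Ok(())
 }
+
+/// Set the socket to be group writable
+pub fn set_group_writable(path: &Path) -> Result<(), IoError> {
+let metadata = path.metadata()?;
+let mut permissions = metadata.permissions();
+permissions.set_mode(0o755);
+Ok(())
+}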
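Review bot: `set_group_writable` never writes the mode back to the filesystem: `permissions.set_mode(0o755)` mutates a local `Permissions` value and the function returns `Ok(())` without calling `std::fs::set_permissions`, so the socket keeps whatever mode the umask gave it. The value is also wrong for the stated purpose — 0o755 has no group write bit, and write permission is what a peer needs to connect to a Unix socket — while it leaves world read/execute that the `ayllu` group scheme does not need (execute bits mean nothing on a socket). Replace the body with `let mut permissions = path.metadata()?.permissions();` / `permissions.set_mode(0o660);` / `std::fs::set_permissions(path, permissions)`, importing `set_permissions` next to `create_dir_all`. A unit test that creates a file in a temporary directory, calls the function and asserts `metadata().permissions().mode() & 0o777 == 0o660` would have caught the missing write-back. In `init_socket`, `create_dir_all` creates the parent directory with the umask-default mode; if access is meant to be limited to the group, that directory's mode deserves the same explicit treatment.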
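--- a/scripts/push_container.sh
+++ b/scripts/push_container.sh
@@ -1,11 +1,36 @@
 #!/bin/sh
 set -e
 
-REGISTRY="registry-auth.ayllu-forge.org"
+REGISTRY="registry.ayllu-forge.org"
+REGISTRY_AUTH="registry-auth.ayllu-forge.org"
 IMAGE_NAME="projects/ayllu"
 COMMIT_ID="$(git rev-parse HEAD)"
 BRANCH_NAME="$(git branch --show-current)"
 
-podman login "$REGISTRY"
-podman push "$REGISTRY/$IMAGE_NAME:$COMMIT_ID"
-podman push "$REGISTRY/$IMAGE_NAME:$BRANCH_NAME"
+usage() {
+printf "USAGE: push_container.sh PATH\n"
+exit 1
+}
+
+TARGET_DIR="$1"
+
+[ -z "$TARGET_DIR" ] && usage
+
+FLAVOR="$(basename "$TARGET_DIR")"
+if [ "$FLAVOR" = "base" ]; then
+DETAILED_TAG="$COMMIT_ID"
+FRIENDLY_TAG="$BRANCH_NAME"
+else
+DETAILED_TAG="$FLAVOR-$COMMIT_ID"
+FRIENDLY_TAG="$FLAVOR-$BRANCH_NAME"
+fi
+
+podman login "$REGISTRY_AUTH"
+
+podman tag \
+"$REGISTRY/$IMAGE_NAME:$DETAILED_TAG" "$REGISTRY_AUTH/$IMAGE_NAME:$DETAILED_TAG"
+podman tag \
+"$REGISTRY/$IMAGE_NAME:$FRIENDLY_TAG" "$REGISTRY_AUTH/$IMAGE_NAME:$FRIENDLY_TAG"
+
+podman push "$REGISTRY_AUTH/$IMAGE_NAME:$DETAILED_TAG"
+podman push "$REGISTRY_AUTH/$IMAGE_NAME:$FRIENDLY_TAG"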
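Review bot: `TARGET_DIR` is only ever reduced to its basename and never validated, so a mistyped argument such as `push_container.sh typo` (constructed example) tags and pushes `typo-<commit>` and `typo-<branch>` instead of failing; add `[ -d "$TARGET_DIR" ] || usage` after the emptiness check. `FRIENDLY_TAG` can also be empty or end in a dash on a detached HEAD, because `git branch --show-current` prints nothing there, so guard with `[ -n "$BRANCH_NAME" ]` before the tag and push lines. `usage` prints its message to stdout while exiting non-zero; `printf "USAGE: push_container.sh PATH\n" >&2` keeps it out of captured output.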