Revert "Drop linux capabilities and rework users/groups"

2026-02-28 09:39:12 +03:00 · 2017-02-06 15:58:54 +03:00
parent b7bf502e02
commit fd30131dc2
48 changed files with 81 additions and 413 deletions
--- a/roles/etcd/defaults/main.yml
+++ b/roles/etcd/defaults/main.yml
@@ -3,26 +3,10 @@ etcd_bin_dir: "{{ local_release_dir }}/etcd/etcd-{{ etcd_version }}-linux-amd64/

 etcd_config_dir: /etc/ssl/etcd
 etcd_cert_dir: "{{ etcd_config_dir }}/ssl"
+etcd_cert_group: root

 etcd_script_dir: "{{ bin_dir }}/etcd-scripts"

-# Linux capabilities to be dropped for container engines
-etcd_drop_cap:
-  - chown
-  - dac_override
-  - fowner
-  - fsetid
-  - kill
-  - setgid
-  - setuid
-  - setpcap
-  - net_bind_service
-  - net_raw
-  - sys_chroot
-  - mknod
-  - audit_write
-  - setfcap
-
 # Limits
 etcd_memory_limit: 512M
 etcd_cpu_limit: 300m
--- a/roles/etcd/files/make-ssl-etcd.sh
+++ b/roles/etcd/files/make-ssl-etcd.sh
@@ -94,8 +94,5 @@ if [ -n "$HOSTS" ]; then
    done
 fi

-# Grant the group read access
-chmod g+r *.pem
-
 # Install certs
 mv *.pem ${SSLDIR}/
--- a/roles/etcd/meta/main.yml
+++ b/roles/etcd/meta/main.yml
@@ -2,7 +2,7 @@
 dependencies:
  - role: adduser
    user: "{{ addusers.etcd }}"
-    tags: bootstrap-os
+    when: not ansible_os_family in ['CoreOS', 'Container Linux by CoreOS']
  - role: download
    file: "{{ downloads.etcd }}"
    tags: download
--- a/roles/etcd/tasks/gen_certs.yml
+++ b/roles/etcd/tasks/gen_certs.yml
@@ -4,15 +4,14 @@
    path={{ etcd_cert_dir }}
    group={{ etcd_cert_group }}
    state=directory
-    mode=0750
-    owner={{ etcd_user }}
+    owner=root
    recurse=yes

 - name: "Gen_certs | create etcd script dir (on {{groups['etcd'][0]}})"
  file:
    path: "{{ etcd_script_dir }}"
    state: directory
-    owner: "{{ etcd_user }}"
+    owner: root
  run_once: yes
  delegate_to: "{{groups['etcd'][0]}}"

@@ -21,8 +20,7 @@
    path={{ etcd_cert_dir }}
    group={{ etcd_cert_group }}
    state=directory
-    mode=0750
-    owner={{ etcd_user }}
+    owner=root
    recurse=yes
  run_once: yes
  delegate_to: "{{groups['etcd'][0]}}"
@@ -126,12 +124,12 @@
    path={{ etcd_cert_dir }}
    group={{ etcd_cert_group }}
    state=directory
-    owner={{ etcd_user }}
+    owner=kube
    recurse=yes
  tags: facts

- name: Gen_certs | set shared group permissions on keys
-  shell: chmod 0640 {{ etcd_cert_dir}}/*.pem
+- name: Gen_certs | set permissions on keys
+  shell: chmod 0600 {{ etcd_cert_dir}}/*key.pem
  when: inventory_hostname in groups['etcd']
  changed_when: false

--- a/roles/etcd/tasks/main.yml
+++ b/roles/etcd/tasks/main.yml
@@ -1,8 +1,6 @@
 ---
 - include: pre_upgrade.yml
  tags: etcd-pre-upgrade
- include: set_facts.yml
-  tags: [bootstrap-os, facts]
 - include: check_certs.yml
  tags: [etcd-secrets, facts]
 - include: gen_certs.yml
--- a/roles/etcd/tasks/pre_upgrade.yml
+++ b/roles/etcd/tasks/pre_upgrade.yml
@@ -1,4 +1,3 @@
---
 - name: "Pre-upgrade | check for etcd-proxy unit file"
  stat:
    path: /etc/systemd/system/etcd-proxy.service
@@ -50,7 +49,3 @@
    awk -F"[: =]" '{print "{{ bin_dir }}/etcdctl --peers={{ etcd_access_addresses | regex_replace('https','http') }} member update "$1" https:"$7":"$8}' | bash
  run_once: true
  when: 'etcd_member_list.rc == 0 and "http://" in etcd_member_list.stdout'
-
- name: "Pre-upgrade | share access to etcd certs for its users"
-  shell: chmod g+r {{ etcd_cert_dir }}/*.pem
-  failed_when: false
--- a/roles/etcd/tasks/set_facts.yml
+++ b/roles/etcd/tasks/set_facts.yml
@@ -1,17 +0,0 @@
---
- name: Etcd | get etcd user ID
-  shell: /usr/bin/id -u {{ etcd_user }} || echo 0
-  register: etcd_uid
-
- name: Etcd | get etcd group ID
-  shell: /usr/bin/getent group {{ etcd_group }} | cut -d':' -f3 || echo 0
-  register: etcd_gid
-
- name: Etcd | get etcd cert group ID
-  shell: /usr/bin/getent group {{ etcd_cert_group }} | cut -d':' -f3 || echo 0
-  register: etcd_cert_gid
-
- set_fact:
-    etcd_user_id: "{{ etcd_uid.stdout }}"
-    etcd_group_id: "{{ etcd_gid.stdout }}"
-    etcd_cert_group_id: "{{ etcd_cert_gid.stdout }}"
--- a/roles/etcd/templates/etcd-docker.service.j2
+++ b/roles/etcd/templates/etcd-docker.service.j2
@@ -14,12 +14,8 @@ ExecStart={{ docker_bin_dir }}/docker run --restart=on-failure:5 \
 -v /etc/ssl/certs:/etc/ssl/certs:ro \
 -v {{ etcd_cert_dir }}:{{ etcd_cert_dir }}:ro \
 -v /var/lib/etcd:/var/lib/etcd:rw \
-{% for c in etcd_drop_cap %}
--cap-drop={{ c }} \
-{% endfor %}
 --memory={{ etcd_memory_limit|regex_replace('Mi', 'M') }} --cpu-shares={{ etcd_cpu_limit|regex_replace('m', '') }} \
 --name={{ etcd_member_name | default("etcd") }} \
-u {{ etcd_user_id }}:{{ etcd_group_id }} --group-add {{ etcd_cert_group_id }} \
 {{ etcd_image_repo }}:{{ etcd_image_tag }} \
 {% if etcd_after_v3 %}
 {{ etcd_container_bin_dir }}etcd
--- a/roles/etcd/templates/etcd-rkt.service.j2
+++ b/roles/etcd/templates/etcd-rkt.service.j2
@@ -8,9 +8,6 @@ Restart=on-failure
 RestartSec=10s
 TimeoutStartSec=0
 LimitNOFILE=40000
-User=root
-Group={{ etcd_group_id }}
-SupplementaryGroups={{ etcd_cert_group_id }}

 ExecStart=/usr/bin/rkt run \
 --uuid-file-save=/var/run/etcd.uuid \
@@ -23,11 +20,6 @@ ExecStart=/usr/bin/rkt run \
 --set-env-file=/etc/etcd.env \
 --stage1-from-dir=stage1-fly.aci \
 {{ etcd_image_repo }}:{{ etcd_image_tag }} \
-{% for c in etcd_drop_cap %}
--caps-remove=CAP_{{ c.upper() }} \
-{% endfor %}
--memory={{ etcd_memory_limit }} --cpu={{ etcd_cpu_limit }} \
--user={{ etcd_user_id }} --group={{ etcd_group_id }} \
 --name={{ etcd_member_name | default("etcd") }}

 ExecStartPre=-/usr/bin/rkt rm --uuid-file=/var/run/etcd.uuid