allow to run service without root privileges

github · Apr 13, 2023 · 8152ce5 · 8152ce5
1 parent 101de4d
commit 8152ce5
Show file tree

Hide file tree

Showing 6 changed files with 34 additions and 6 deletions.
diff --git a/manifests/config.pp b/manifests/config.pp
@@ -5,9 +5,9 @@
 
   file { $orchestrator::config:
     ensure  => file,
-    owner   => 0,
-    group   => 0,
-    mode    => '0644',
+    owner   => $orchestrator::service_user,
+    group   => $orchestrator::service_group,
+    mode    => '0640',
     content => template($orchestrator::config_template),
   }
 }
diff --git a/manifests/init.pp b/manifests/init.pp
@@ -24,6 +24,10 @@
 #   if true module willl manage service
 # @param service_name
 #   service name to manage. Default 'orchestrator'
+# @param service_user
+#   user to own the service. Default 'orchestrator'
+# @param service_group
+#   group to own the service. Default 'orchestrator'
 class orchestrator (
   String $config                        = $orchestrator::params::config,
   Hash[String[1], Any] $config_defaults = $orchestrator::params::config_defaults,
@@ -37,6 +41,8 @@
   String $service_ensure                = $orchestrator::params::service_ensure,
   Boolean $service_manage               = $orchestrator::params::service_manage,
   String $service_name                  = $orchestrator::params::service_name,
+  String $service_user                  = $orchestrator::params::service_user,
+  String $service_group                 = $orchestrator::params::service_group,
 ) inherits orchestrator::params {
   validate_absolute_path($config)
   validate_string($config_template)

diff --git a/manifests/my_cnf.pp b/manifests/my_cnf.pp
@@ -3,11 +3,17 @@
   $cnf_erb = 'orchestrator/orchestrator.cnf.erb'
 
   file { $orchestrator::topology_cnf:
+    ensure  => file,
+    owner   => $orchestrator::service_user,
+    group   => $orchestrator::service_group,
+    mode    => '0640',
     content => template($cnf_erb),
-    mode    => '0644',
   }
   file { $orchestrator::srv_cnf:
+    ensure  => file,
+    owner   => $orchestrator::service_user,
+    group   => $orchestrator::service_group,
+    mode    => '0640',
     content => template($cnf_erb),
-    mode    => '0644',
   }
 }
diff --git a/manifests/params.pp b/manifests/params.pp
@@ -10,6 +10,8 @@
   $service_ensure    = 'running'
   $service_manage    = true
   $service_name      = 'orchestrator'
+  $service_user      = 'root'
+  $service_group     = 'root'
   $srv_cnf           = '/etc/orchestrator_srv.cnf'
   $topology_cnf      = '/etc/orchestrator.cnf'
 

diff --git a/manifests/service.pp b/manifests/service.pp
@@ -5,6 +5,19 @@
   }
 
   if $orchestrator::service_manage == true {
+    if 'systemd' in $facts['init_systems'] {
+      include systemd
+
+      systemd::manage_dropin { '10_user.conf':
+        ensure        => 'present',
+        unit          => 'orchestrator.service',
+        service_entry => {
+          'User'  => $orchestrator::service_user,
+          'Group' => $orchestrator::service_group,
+        },
+      }
+    }
+
     service { 'orchestrator':
       ensure     => $orchestrator::service_ensure,
       enable     => $orchestrator::service_enable,

diff --git a/metadata.json b/metadata.json
@@ -57,6 +57,7 @@
   ],
   "dependencies": [
     { "name": "puppetlabs/stdlib", "version_requirement": ">= 3.2.0 <5.0.0" },
-    { "name": "computology/packagecloud", "version_requirement": ">= 0.2.0" }
+    { "name": "computology/packagecloud", "version_requirement": ">= 0.2.0" },
+    { "name": "voxpupuli/systemd", "version_requirement": ">= 4.1.0" }
   ]
 }