Allow worker repo shared perms
Authored by
mfwolffe <wolffemf@dukes.jmu.edu>
- SHA
8a002e530e83cd343af64755c4c2dffacc5e2d2c- Parents
-
0d477a4 - Tree
d1d7ccc
tenseleyflow/shithub
/
8a002e5
Browse files
3 changed files
| Status | File | + | - |
|---|---|---|---|
| M |
.github/workflows/deploy.yml
|
1 | 1 |
| M |
deploy/redeploy.sh
|
9 | 2 |
| M |
deploy/systemd/shithubd-worker.service
|
7 | 1 |
.github/workflows/deploy.ymlmodified@@ -87,7 +87,7 @@ jobs: | |||
| 87 | DEPLOY_USER: ${{ secrets.DEPLOY_USER }} | 87 | DEPLOY_USER: ${{ secrets.DEPLOY_USER }} |
| 88 | run: | | 88 | run: | |
| 89 | ssh -o BatchMode=yes "${DEPLOY_USER}@${DEPLOY_HOST}" \ | 89 | ssh -o BatchMode=yes "${DEPLOY_USER}@${DEPLOY_HOST}" \ |
| 90 | - 'bash /root/src/shithub/deploy/redeploy.sh' | 90 | + 'cd /root/src/shithub && git fetch --quiet origin trunk && git reset --hard origin/trunk && bash deploy/redeploy.sh' |
| 91 | 91 | ||
| 92 | # Mirror the just-deployed SHA to the self-hosted shithub.sh | 92 | # Mirror the just-deployed SHA to the self-hosted shithub.sh |
| 93 | # instance so anyone reading the source on shithub.sh sees the | 93 | # instance so anyone reading the source on shithub.sh sees the |
deploy/redeploy.shmodified@@ -14,8 +14,9 @@ | |||
| 14 | # 1. fast-forward the source tree so deploy/ artifacts (this script, | 14 | # 1. fast-forward the source tree so deploy/ artifacts (this script, |
| 15 | # systemd units, env templates) match the binary that just landed | 15 | # systemd units, env templates) match the binary that just landed |
| 16 | # 2. atomically swap /usr/local/bin/shithubd | 16 | # 2. atomically swap /usr/local/bin/shithubd |
| 17 | -# 3. apply pending migrations BEFORE restart (forward-compat only) | 17 | +# 3. install app systemd unit templates and daemon-reload |
| 18 | -# 4. restart web + worker, assert is-active | 18 | +# 4. apply pending migrations BEFORE restart (forward-compat only) |
| 19 | +# 5. restart web + worker, assert is-active | ||
| 19 | 20 | ||
| 20 | set -euo pipefail | 21 | set -euo pipefail |
| 21 | 22 | ||
@@ -37,6 +38,12 @@ git reset --hard origin/trunk | |||
| 37 | chmod 0755 "$NEW" | 38 | chmod 0755 "$NEW" |
| 38 | mv -f "$NEW" "$BIN" | 39 | mv -f "$NEW" "$BIN" |
| 39 | 40 | ||
| 41 | +install -m 0644 deploy/systemd/shithubd-web.service /etc/systemd/system/shithubd-web.service | ||
| 42 | +install -m 0644 deploy/systemd/shithubd-worker.service /etc/systemd/system/shithubd-worker.service | ||
| 43 | +install -m 0644 deploy/systemd/shithubd-cron.service /etc/systemd/system/shithubd-cron.service | ||
| 44 | +install -m 0644 deploy/systemd/shithubd-cron.timer /etc/systemd/system/shithubd-cron.timer | ||
| 45 | +systemctl daemon-reload | ||
| 46 | + | ||
| 40 | # Migrations are usually invoked by the web unit's ExecStartPre, which | 47 | # Migrations are usually invoked by the web unit's ExecStartPre, which |
| 41 | # pulls env from /etc/shithub/web.env. Replicate that here so we apply | 48 | # pulls env from /etc/shithub/web.env. Replicate that here so we apply |
| 42 | # the schema before the restart instead of mid-startup race. | 49 | # the schema before the restart instead of mid-startup race. |
deploy/systemd/shithubd-worker.servicemodified@@ -25,7 +25,13 @@ ProtectKernelLogs=yes | |||
| 25 | ProtectControlGroups=yes | 25 | ProtectControlGroups=yes |
| 26 | RestrictNamespaces=yes | 26 | RestrictNamespaces=yes |
| 27 | RestrictRealtime=yes | 27 | RestrictRealtime=yes |
| 28 | -RestrictSUIDSGID=yes | 28 | +# RestrictSUIDSGID intentionally OFF: org GitHub imports create repos |
| 29 | +# from the worker, and `git init --bare --shared=group` calls chmod g+s | ||
| 30 | +# on the directories it creates so cross-user writes inherit the shared | ||
| 31 | +# group. With RestrictSUIDSGID=yes the kernel returns EPERM and git emits | ||
| 32 | +# "Could not make .../branches/ writable by group", leaving imports | ||
| 33 | +# failed before any fetch occurs. | ||
| 34 | +RestrictSUIDSGID=no | ||
| 29 | LockPersonality=yes | 35 | LockPersonality=yes |
| 30 | 36 | ||
| 31 | [Install] | 37 | [Install] |