Merge pull request #141 from philips/etcd-restrictions

feat(dev-db/etcd): run as etcd user

sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-base/coreos-base-0.ebuild

@@ -197,7 +197,7 @@ pkg_postinst() {
 	copy_or_add_daemon_user "polkituser" 206  # For policykit
 #	copy_or_add_daemon_user "tss" 207         # For trousers (TSS/TPM)
 	copy_or_add_daemon_user "pkcs11" 208      # For pkcs11 clients
-	copy_or_add_daemon_user "qdlservice" 209  # for QDLService
+#	copy_or_add_daemon_user "qdlservice" 209  # for QDLService
 #	copy_or_add_daemon_user "cromo" 210       # For cromo (modem manager)
 #	copy_or_add_daemon_user "cashew" 211      # Deprecated, do not reuse
 	copy_or_add_daemon_user "ipsec" 212       # For strongswan/ipsec VPN
@@ -220,6 +220,7 @@ pkg_postinst() {
 #	copy_or_add_daemon_user "watchdog" 229    # For daisydog
 #	copy_or_add_daemon_user "devbroker" 230   # For permission_broker
 #	copy_or_add_daemon_user "xorg" 231        # For Xorg
+	copy_or_add_daemon_user "etcd" 232        # For etcd
 	# Reserve some UIDs/GIDs between 300 and 349 for sandboxing FUSE-based
 	# filesystem daemons.
 #	copy_or_add_daemon_user "ntfs-3g" 300     # For ntfs-3g prcoess

sdk_container/src/third_party/coreos-overlay/dev-db/etcd/etcd-0.0.1.ebuild

@@ -33,8 +33,12 @@ src_install() {
 	dobin ${S}/${PN}
 	dobin ${FILESDIR}/coreos-c10n
 	dobin ${FILESDIR}/etcd-bootstrap
+	dobin ${FILESDIR}/etcd-pre-exec
 	dobin ${FILESDIR}/block-until-url
 
+	keepdir /var/lib/${PN}
+	fowners etcd:etcd /var/lib/${PN}
+
 	systemd_dounit "${FILESDIR}"/${PN}.service
 	systemd_enable_service multi-user.target ${PN}.service
 }

sdk_container/src/third_party/coreos-overlay/dev-db/etcd/etcd-99999.ebuild

@@ -21,8 +21,8 @@ KEYWORDS="~amd64"
 IUSE=""
 
 DEPEND=">=dev-lang/go-1.1"
-GOROOT="${ED}usr/$(get_libdir)/go"
-GOPKG="${PN}"
+
+ETCD_PACKAGE="github.com/coreos/etcd"
 
 src_compile() {
 	./build
@@ -32,6 +32,11 @@ src_install() {
 	dobin ${S}/${PN}
 	dobin ${FILESDIR}/coreos-c10n
 	dobin ${FILESDIR}/etcd-bootstrap
+	dobin ${FILESDIR}/etcd-pre-exec
+	dobin ${FILESDIR}/block-until-url
+
+	keepdir /var/lib/${PN}
+	fowners etcd:etcd /var/lib/${PN}
 
 	systemd_dounit "${FILESDIR}"/${PN}.service
 	systemd_enable_service multi-user.target ${PN}.service

sdk_container/src/third_party/coreos-overlay/dev-db/etcd/files/coreos-c10n

@@ -4,7 +4,6 @@ C10N_ENDPOINT=https://core-api.appspot.com/v1/c10n/group
 META_URL="http://169.254.169.254/latest"
 
 ETCD_BOOTSTRAP="/var/run/etcd/bootstrap.config"
-[ ! -e "/var/run/etcd/" ] && mkdir "/var/run/etcd/"
 
 /usr/bin/block-until-url $C10N_ENDPOINT
 /usr/bin/block-until-url $META_URL

sdk_container/src/third_party/coreos-overlay/dev-db/etcd/files/etcd-bootstrap

@@ -7,7 +7,7 @@ MY_IP=$(curl -s $META_URL/meta-data/local-ipv4)
 BOOTSTRAP="/var/run/etcd/bootstrap.config"
 
 # for etcd
-STATE=/media/state/etcd
+STATE=/var/lib/etcd
 mkdir -p $STATE
 
 [ ! -e $BOOTSTRAP ] && echo bootstrap config missing && exit 1

sdk_container/src/third_party/coreos-overlay/dev-db/etcd/files/etcd-pre-exec

@@ -0,0 +1,14 @@
+#!/bin/sh -e
+
+# Fixup the old state directory
+OLD_STATE=/media/state/etcd
+STATE=/var/lib/etcd
+
+if [ -d /media/state/etcd ]; then
+  cp -R ${OLD_STATE}/. ${STATE}
+  rm -R ${OLD_STATE}
+  chown -R etcd:etcd ${STATE}
+fi
+
+mkdir -p /var/run/etcd
+chown etcd:etcd /var/run/etcd

sdk_container/src/third_party/coreos-overlay/dev-db/etcd/files/etcd.service

@@ -1,4 +1,7 @@
 [Service]
+User=etcd
+PermissionsStartOnly=true
+ExecStartPre=/usr/bin/etcd-pre-exec
 ExecStart=/usr/bin/etcd-bootstrap
 
 [Install]