Run SUSE service as user _rmt and group nginx

[schaefi]

The SUSE cgyle service is expected to run as user _rmt

[schaefi]

@joelgordon this can only be merged if the user _rmt is allowed to write to /var/lib/registry

[schaefi]

@joelgordon I'm not merging this prior your approval :)

[joelgordon]

_rmt is not currently allowed to write to /var/lib/registry

[joelgordon]

If it is not already, we would like to make this path configurable. In the short term we would like the path on our servers to be /var/lib/rmt/public/repo/registry so that we do not have to create a new disk or symlink. Later when we are forced to add a new disk, we would like to be able to change the path.

[schaefi]

If it is not already, we would like to make this path configurable. In the short term we would like the path on our servers to be /var/lib/rmt/public/repo/registry so that we do not have to create a new disk or symlink. Later when we are forced to add a new disk, we would like to be able to change the path.

@joelgordon The path to the registry is already configurable. At the moment you see among others in the systemd service file the following option setting:

--updatecache local://distribution:/var/lib/registry

if you change the registry location this setting needs to be changed to e.g

--updatecache local://distribution:/var/lib/rmt/public/repo/registry

Please note cgyle does not offer migration code from one path to another. So the copy of data from former-path to new-path is not a responsibility of cgyle. If you start empty at the new path a full caching procedure will be the result

[schaefi]

@joelgordon I pushed a commit here to change the registry path to /var/lib/rmt/public/repo/registry

[schaefi]

@joelgordon I'll keep this PR open until you approve. Thanks

[joelgordon]

LGTM, you can merge whenever you would like.

[schaefi]

LGTM, you can merge whenever you would like.

@joelgordon Thanks for the review. I did a test of the change on the test RMT server and found a couple of issues. I sent you details on my findings in a private chat on slack. As a summary to make cgyle work on our RMT servers under the _rmt user, the following modifications on the RMT server are required:

sudo mkdir /home/_rmt
sudo chown _rmt:nginx /home/_rmt/

sudo mkdir /var/log/cgyle
sudo chown _rmt:nginx /var/log/cgyle/

echo "_rmt:1017504:65536" >> /etc/subuid
echo "_rmt:1017504:65536" >> /etc/subgid

sudo podman system migrate

[joelgordon]

I added a link to the steps into the release plan. We will capture the initial step into a SALT state. We will also need to go back and decide how to handle this on new deployments. We could just add the salt state to the highstate and call it a day, or we could build it into the configuration python steps(My least favorite option here), or we could and it to the image build. @renu-saini @joelgordon