This commit is contained in:
20
install.sh
20
install.sh
@@ -176,6 +176,22 @@ create_user() {
|
|||||||
else
|
else
|
||||||
echo -e "${YELLOW}User $SERVICE_USER already exists${NC}"
|
echo -e "${YELLOW}User $SERVICE_USER already exists${NC}"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
# Add user to disk group for block device access (required for ZFS)
|
||||||
|
if getent group disk > /dev/null 2>&1; then
|
||||||
|
usermod -a -G disk "$SERVICE_USER"
|
||||||
|
echo -e "${GREEN}Added $SERVICE_USER to disk group${NC}"
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Create sudoers configuration for ZFS commands
|
||||||
|
echo -e "${GREEN}Configuring sudo for ZFS operations...${NC}"
|
||||||
|
cat > /etc/sudoers.d/atlas-zfs <<EOF
|
||||||
|
# Allow atlas user to run ZFS commands without password
|
||||||
|
# This is required for ZFS pool operations
|
||||||
|
$SERVICE_USER ALL=(ALL) NOPASSWD: /usr/sbin/zpool, /usr/bin/zpool, /sbin/zpool, /usr/sbin/zfs, /usr/bin/zfs, /sbin/zfs
|
||||||
|
EOF
|
||||||
|
chmod 440 /etc/sudoers.d/atlas-zfs
|
||||||
|
echo -e "${GREEN}Sudo configuration created${NC}"
|
||||||
}
|
}
|
||||||
|
|
||||||
# Create directories
|
# Create directories
|
||||||
@@ -479,7 +495,9 @@ Environment="ATLAS_LOG_LEVEL=INFO"
|
|||||||
Environment="ATLAS_LOG_FORMAT=json"
|
Environment="ATLAS_LOG_FORMAT=json"
|
||||||
|
|
||||||
# Security
|
# Security
|
||||||
NoNewPrivileges=true
|
# Note: NoNewPrivileges is set to false to allow sudo for ZFS operations
|
||||||
|
# This is necessary for ZFS pool management
|
||||||
|
NoNewPrivileges=false
|
||||||
PrivateTmp=true
|
PrivateTmp=true
|
||||||
ProtectSystem=strict
|
ProtectSystem=strict
|
||||||
ProtectHome=true
|
ProtectHome=true
|
||||||
|
|||||||
@@ -27,8 +27,28 @@ func New() *Service {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// execCommand executes a shell command and returns output
|
// execCommand executes a shell command and returns output
|
||||||
|
// For ZFS operations that require elevated privileges, it uses sudo
|
||||||
func (s *Service) execCommand(name string, args ...string) (string, error) {
|
func (s *Service) execCommand(name string, args ...string) (string, error) {
|
||||||
cmd := exec.Command(name, args...)
|
// Commands that require root privileges
|
||||||
|
privilegedCommands := []string{"zpool", "zfs"}
|
||||||
|
useSudo := false
|
||||||
|
|
||||||
|
for _, cmd := range privilegedCommands {
|
||||||
|
if strings.Contains(name, cmd) {
|
||||||
|
useSudo = true
|
||||||
|
break
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
var cmd *exec.Cmd
|
||||||
|
if useSudo {
|
||||||
|
// Use sudo for privileged commands
|
||||||
|
sudoArgs := append([]string{name}, args...)
|
||||||
|
cmd = exec.Command("sudo", sudoArgs...)
|
||||||
|
} else {
|
||||||
|
cmd = exec.Command(name, args...)
|
||||||
|
}
|
||||||
|
|
||||||
var stdout, stderr bytes.Buffer
|
var stdout, stderr bytes.Buffer
|
||||||
cmd.Stdout = &stdout
|
cmd.Stdout = &stdout
|
||||||
cmd.Stderr = &stderr
|
cmd.Stderr = &stderr
|
||||||
|
|||||||
Reference in New Issue
Block a user