ansible/roles/nomad-client: support adding docker caps

give builders sys_admin cap so xbps-src -t can run properly in container-based buildbot workers
void-linux · Jul 6, 2024 · a0e5e4e · a0e5e4e
1 parent 88a7474
commit a0e5e4e
Show file tree

Hide file tree

Showing 4 changed files with 16 additions and 0 deletions.
diff --git a/ansible/host_vars/a-fsn-de.m.voidlinux.org.yml b/ansible/host_vars/a-fsn-de.m.voidlinux.org.yml
@@ -39,3 +39,6 @@ nomad_host_volumes:
   - name: ccache
     path: /hostdir/ccache
     read_only: true
+
+nomad_extra_caps:
+  - sys_admin
diff --git a/ansible/host_vars/a-hel-fi.m.voidlinux.org.yml b/ansible/host_vars/a-hel-fi.m.voidlinux.org.yml
@@ -50,6 +50,9 @@ nomad_host_volumes:
     path: /hostdir/ccache
     read_only: true
 
+nomad_extra_caps:
+  - sys_admin
+
 nomad_reserved_ports:
   - 80  # Legacy nginx on this host
   - 443 # Legacy nginx on this host
diff --git a/ansible/host_vars/b-fsn-de.m.voidlinux.org.yml b/ansible/host_vars/b-fsn-de.m.voidlinux.org.yml
@@ -12,3 +12,6 @@ nomad_host_volumes:
   - name: aarch64_hostdir
     path: /hostdir
     read_only: false
+
+nomad_extra_caps:
+  - sys_admin
diff --git a/ansible/roles/nomad-client/templates/40-client.hcl b/ansible/roles/nomad-client/templates/40-client.hcl
@@ -56,5 +56,12 @@ vault {
 plugin "docker" {
   config {
     extra_labels = ["*"]
+    # default from https://developer.hashicorp.com/nomad/docs/drivers/docker#allow_caps
+    allow_caps = [
+      "audit_write", "chown", "dac_override", "fowner",
+      "fsetid", "kill", "mknod", "net_bind_service",
+      "setfcap", "setgid", "setpcap", "setuid", "sys_chroot",
+      {% for cap in nomad_extra_caps|default([]) %}"{{cap}}", {% endfor %}
+    ]
   }
 }