From 2b5efeac0490b08947c4916ab678b319d0055e6e Mon Sep 17 00:00:00 2001
From: Seth Hoenig
Date: Wed, 8 Mar 2023 14:41:08 -0600
Subject: [PATCH] e2e: setup nomad permissions correctly (client vs. server) (#16399)

This PR configures
- server nodes with a systemd unit running the agent as the nomad service user
- client nodes with a root owned nomad data directory
---
 e2e/terraform/etc/nomad.d/nomad-client.service | 3 ++-
 e2e/terraform/etc/nomad.d/nomad-server.service | 3 ++-
 e2e/terraform/provision-nomad/install-linux.tf | 5 +++++
 3 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/e2e/terraform/etc/nomad.d/nomad-client.service b/e2e/terraform/etc/nomad.d/nomad-client.service
index 8490fc9c8..e37b995c0 100644
--- a/e2e/terraform/etc/nomad.d/nomad-client.service
+++ b/e2e/terraform/etc/nomad.d/nomad-client.service
@@ -1,11 +1,12 @@
 [Unit]
-Description=Nomad Agent
+Description=Nomad Client Agent
 Requires=network-online.target
 After=network-online.target
 StartLimitIntervalSec=0
 StartLimitBurst=3
 
 [Service]
+User=root
 ExecReload=/bin/kill -HUP $MAINPID
 ExecStart=/usr/local/bin/nomad agent -config /etc/nomad.d
 EnvironmentFile=-/etc/nomad.d/.environment
diff --git a/e2e/terraform/etc/nomad.d/nomad-server.service b/e2e/terraform/etc/nomad.d/nomad-server.service
index 8490fc9c8..ddba05a41 100644
--- a/e2e/terraform/etc/nomad.d/nomad-server.service
+++ b/e2e/terraform/etc/nomad.d/nomad-server.service
@@ -1,11 +1,12 @@
 [Unit]
-Description=Nomad Agent
+Description=Nomad Server Agent
 Requires=network-online.target
 After=network-online.target
 StartLimitIntervalSec=0
 StartLimitBurst=3
 
 [Service]
+User=nomad
 ExecReload=/bin/kill -HUP $MAINPID
 ExecStart=/usr/local/bin/nomad agent -config /etc/nomad.d
 EnvironmentFile=-/etc/nomad.d/.environment
diff --git a/e2e/terraform/provision-nomad/install-linux.tf b/e2e/terraform/provision-nomad/install-linux.tf
index 0ce334ba1..90dbdb4f7 100644
--- a/e2e/terraform/provision-nomad/install-linux.tf
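Review bot: `User=root` in the client unit is already systemd's default, so the added line only documents intent, and nothing in the hunk records why the client is the one agent that must keep root while the server drops to `nomad`; a later hardening pass could remove it without understanding the consequence. Add a comment above it, e.g. `# Clients stay root: the data dir is root-owned (see install-linux.tf) and task drivers are expected to need root privileges; do not switch to the nomad user here.` — the driver part is inferred from the commit description rather than shown in the diff, so confirm it before wording the comment as fact.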
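Review bot: `User=nomad` in the server unit presumes a `nomad` account exists on the host, and neither this unit nor the visible Terraform hunks create one; if the install step does not add it, systemd will refuse to start the service at all ("failed to determine user credentials"), which would fail the e2e run rather than the test. The agent also now needs read access to everything under `/etc/nomad.d` (including `.environment` and any TLS material moved in from `/tmp` by the Terraform hunk, whose ownership follows the uploading user), so the provisioning should set that explicitly, e.g. `chown -R root:nomad /etc/nomad.d && chmod -R o-rwx /etc/nomad.d`. Since the server no longer needs root, this is also the place to add `NoNewPrivileges=true` and `ProtectSystem=full` alongside an explicit `Group=nomad`, provided the data dir stays writable under those settings.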
+++ b/e2e/terraform/provision-nomad/install-linux.tf
@@ -58,6 +58,10 @@ resource "null_resource" "install_consul_configs_linux" {
 }
 }
 
+locals {
+ data_owner = var.role == "client" ? "root" : "nomad"
+}
+
 resource "null_resource" "install_nomad_configs_linux" {
 count = var.platform == "linux" ? 1 : 0
 
@@ -79,6 +83,7 @@ resource "null_resource" "install_nomad_configs_linux" {
 "mkdir -p /etc/nomad.d",
 "mkdir -p /opt/nomad/data",
 "sudo chmod 0700 /opt/nomad/data",
+ "sudo chown ${local.data_owner}:${local.data_owner} /opt/nomad/data",
 "sudo rm -rf /etc/nomad.d/*",
 "sudo mv /tmp/consul.hcl /etc/nomad.d/consul.hcl",
 "sudo mv /tmp/vault.hcl /etc/nomad.d/vault.hcl",
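Review bot: `local.data_owner` is a second copy of the decision already made by `User=` in the two systemd units (root for client, nomad for server), and the ternary maps every role other than `client` to `nomad`, so the two can drift apart without any error at plan time. A comment on the local would make the coupling visible, e.g. `# Must match User= in etc/nomad.d/nomad-<role>.service: clients run as root, servers as the nomad service user.` If `var.role` does not already carry a `validation` block restricting it to `client`/`server`, adding one would also turn an unexpected role into a plan-time error instead of a directory silently owned by `nomad`.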
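Review bot: the new `chown` is not recursive, so if `/opt/nomad/data` already holds raft or alloc state from an earlier provisioning run under the other owner, a server now started as `nomad` cannot open it; `"sudo chown -R ${local.data_owner}:${local.data_owner} /opt/nomad/data",` covers that case and costs nothing on a fresh host. The command also assumes the `nomad` user and group already exist on server hosts, which nothing in this hunk establishes, so it will abort the provisioner if the install step does not create them. Unrelated but adjacent: `mkdir -p /opt/nomad/data` two lines earlier runs without `sudo` while the `chmod`/`chown` use it, which only works when the SSH user can already write `/opt`. The enclosing `install_nomad_configs_linux` resource continues outside the hunk.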