Enable LHC native tasks

MentalFS · Feb 12, 2024 · e8bef52 · e8bef52
1 parent 222b638
commit e8bef52
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 3 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -3,19 +3,21 @@ RUN set -eux; \
     export DEBIAN_FRONTEND=noninteractive; \
     apt update; \
     apt -y install --no-install-recommends boinc-client \
-      intel-opencl-icd mesa-opencl-icd \
-      boinctui bash-completion clinfo procps vim-tiny; \
+      intel-opencl-icd mesa-opencl-icd sudo \
+      boinctui bash-completion clinfo curl procps vim-tiny; \
     update-alternatives --install /usr/bin/vim vim /usr/bin/vim.tiny 0 || echo WARNING; \
     apt clean; rm -rf /var/lib/apt/lists/* /var/log/*
 
 # Replace symbolic links
 FROM install AS build
+COPY start /
 RUN set -eux; \
     chown boinc:boinc /etc/boinc-client/*; \
     mkdir -p /var/lib/boinc-client/locale; \
     mv /etc/boinc-client/cc_config.xml /var/lib/boinc-client/ -f; \
     mv /etc/boinc-client/global_prefs_override.xml /var/lib/boinc-client/ -f
-COPY start /
+COPY sudoers.d/50-lhcathome_boinc_theory_native /etc/sudoers.d/
+RUN set -eux; chmod a-w /etc/sudoers.d/50-lhcathome_boinc_theory_native; chmod o-r /etc/sudoers.d/50-lhcathome_boinc_theory_native
 USER boinc
 WORKDIR /var/lib/boinc-client
 ENTRYPOINT ["/start"]

diff --git a/sudoers.d/50-lhcathome_boinc_theory_native b/sudoers.d/50-lhcathome_boinc_theory_native
@@ -0,0 +1,23 @@
+## generated with:
+## docker run --rm debian:stable-slim bash -c "apt update && apt -y install sudo curl && curl \"https://lhcathome.cern.ch/lhcathome/download/prepare_theory_native_environment\" | bash && tail -vn +0 /etc/sudoers.d/*"
+
+# save this file as '/etc/sudoers.d/50-lhcathome_boinc_theory_native'
+# ownership must be 'root:root' and access rights must be '-r--r-----'
+# '@includedir /etc/sudoers.d' must be enabled in /etc/sudoers
+
+# regular expressions are enclosed between '^' and '$'
+# this is supported since sudo version 1.9.10
+# for more information read 'man sudoers'
+
+# the regex patterns given here must match the command arguments in the calling script
+# missing/additional arguments or an argument order not in sync causes a command to be rejected
+
+# the commands are permitted for the local group 'boinc'
+# ensure the calling user is a member of that group
+
+
+Cmnd_Alias LHCATHOMEBOINC_01 = /usr/bin/cat ^/etc/sudoers.d/50-lhcathome_boinc_theory_native$
+Cmnd_Alias LHCATHOMEBOINC_02 = /usr/bin/systemctl ^(freeze|thaw) Theory_[-a-zA-Z0-9_]+\.scope$
+Cmnd_Alias LHCATHOMEBOINC_03 = /usr/bin/systemd-run ^--scope -u [a-zA-Z0-9_-]+ -p BindsTo=[a-zA-Z0-9_\.@-]+ -p After=[a-zA-Z0-9_\.@-]+ --slice-inherit --uid=[a-zA-Z0-9_-]+ --gid=boinc --same-dir -q -G /[a-zA-Z0-9_\./-]+/(runc|runc\.new|runc\.old) --root state run -b cernvm [a-zA-Z0-9_-]+$
+
+%boinc     ALL = (ALL) NOPASSWD: LHCATHOMEBOINC_01, LHCATHOMEBOINC_02, LHCATHOMEBOINC_03