This is an automated email from the ASF dual-hosted git repository.
kezhenxu94 pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/skywalking-terraform.git
The following commit(s) were added to refs/heads/main by this push:
new 83275ab Change OAP and WebUI server unit files to run as non-root
user (#16)
83275ab is described below
commit 83275abe1b163e44db52474df8dcd94b552b9f14
Author: Rahul Bajaj <[email protected]>
AuthorDate: Sun Aug 6 03:31:12 2023 -0400
Change OAP and WebUI server unit files to run as non-root user (#16)
---
ansible/ansible.cfg | 1 -
ansible/playbooks/install-skywalking.yml | 12 ++++++++++--
ansible/roles/skywalking/tasks/main.yml | 21 ++++++++++-----------
.../skywalking/templates/skywalking-oap.service.j2 | 2 ++
.../skywalking/templates/skywalking-ui.service.j2 | 2 ++
5 files changed, 24 insertions(+), 14 deletions(-)
diff --git a/ansible/ansible.cfg b/ansible/ansible.cfg
index 6886e12..0284e81 100644
--- a/ansible/ansible.cfg
+++ b/ansible/ansible.cfg
@@ -21,4 +21,3 @@ timeout = 60
[privilege_escalation]
become = yes
become_method = sudo
-become_flags = 'su -c'
diff --git a/ansible/playbooks/install-skywalking.yml
b/ansible/playbooks/install-skywalking.yml
index b24499a..1720cb2 100644
--- a/ansible/playbooks/install-skywalking.yml
+++ b/ansible/playbooks/install-skywalking.yml
@@ -14,6 +14,16 @@
# limitations under the License.
---
+- hosts: all
+ gather_facts: false
+ tasks:
+ - name: Create user skywalking
+ become: true
+ user:
+ name: skywalking
+ group: skywalking
+ state: present
+
- name: Install Java
hosts: all
gather_facts: true
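Review bot: `group: skywalking` on the new `user` task names a primary group that nothing in this commit creates; the `user` module does not create a group passed via `group`, so on a fresh host this task fails before any of the ownership tasks in tasks/main.yml (which assume both user and group exist) get to run. A preceding `ansible.builtin.group` task fixes that. Since this account exists only to run the OAP and UI services, it should also be a system account with no login shell and no home directory, which the module exposes as `system`, `shell` and `create_home`. The new play is also the only one in the file without a `name:`, and `become: true` could sit at play level like the other settings.
```yaml
- name: Create skywalking service account
  hosts: all
  gather_facts: false
  become: true
  tasks:
    - name: Create group skywalking
      ansible.builtin.group:
        name: skywalking
        system: true
        state: present

    - name: Create user skywalking
      ansible.builtin.user:
        name: skywalking
        group: skywalking
        system: true
        shell: /usr/sbin/nologin  # /sbin/nologin on RHEL-family hosts
        create_home: false
        state: present
```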
@@ -23,13 +33,11 @@
- name: Download and configure Apache SkyWalking APM OAP Service
hosts: skywalking_oap
gather_facts: false
-
roles:
- skywalking
- name: Download and configure Apache SkyWalking APM UI Service
hosts: skywalking_ui
gather_facts: false
-
roles:
- skywalking
diff --git a/ansible/roles/skywalking/tasks/main.yml
b/ansible/roles/skywalking/tasks/main.yml
index c00dba3..065239b 100644
--- a/ansible/roles/skywalking/tasks/main.yml
+++ b/ansible/roles/skywalking/tasks/main.yml
@@ -14,21 +14,13 @@
# limitations under the License.
---
-- name: Create skywalking directory
- file:
- path: /usr/local/skywalking
- state: directory
- mode: "0755"
- owner: root
- group: root
-
-- name: Set ownership and permissions for skywalking directory
+- name: Create and set permissions for skywalking directory
file:
path: /usr/local/skywalking
state: directory
recurse: yes
- owner: root
- group: root
+ owner: skywalking
+ group: skywalking
mode: "0755"
- name: Download Apache SkyWalking tar file
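Review bot: The merged task keeps `recurse: yes` while now assigning `owner: skywalking`, so on every run after the first it walks the whole install tree before the tarball is unpacked, and the `Set ownership for extracted files` task added further down walks it again. For creating the top-level directory the recursion is unnecessary; dropping `recurse` here and deciding ownership of the contents in one place after extraction keeps the two tasks from overlapping. The task also mixes `yes` with the `true` used by the new `become: true` in the playbook; yamllint's truthy rule prefers `true`/`false` throughout.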
@@ -43,6 +35,13 @@
remote_src: yes
extra_opts: [--strip-components=1]
+- name: Set ownership for extracted files
+ ansible.builtin.file:
+ path: /usr/local/skywalking
+ owner: skywalking
+ group: skywalking
+ recurse: yes
+
- name: Check hostgroup size
set_fact:
group_size: "{{ groups['skywalking_oap'] | length }}"
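Review bot: The recursive chown in `Set ownership for extracted files` hands the service account ownership of the entire install tree, including the `bin/oapService.sh` and `bin/webappService.sh` scripts the unit files execute and the `webapp/sw_ui_env_file` the UI unit loads, so a process running as `skywalking` can rewrite the scripts and environment it is started from, which undoes much of the benefit of dropping root. Keeping the tree root-owned with `0755` and granting `skywalking` ownership only of the directories the services write at runtime (presumably logs and any data directories — to be confirmed against the startup scripts) preserves the separation. The task below is a sketch of that; the list of writable paths is a placeholder to confirm.
```yaml
- name: Grant the service account write access only where it needs it
  ansible.builtin.file:
    path: "/usr/local/skywalking/{{ item }}"
    state: directory
    owner: skywalking
    group: skywalking
    recurse: true
  loop:
    - logs  # TODO(review): confirm the runtime-writable directories of the distribution
```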
diff --git a/ansible/roles/skywalking/templates/skywalking-oap.service.j2
b/ansible/roles/skywalking/templates/skywalking-oap.service.j2
index 8306913..aff39da 100644
--- a/ansible/roles/skywalking/templates/skywalking-oap.service.j2
+++ b/ansible/roles/skywalking/templates/skywalking-oap.service.j2
@@ -19,6 +19,8 @@ After=network.target
[Service]
Type=simple
+User=skywalking
+Group=skywalking
ExecStart=/usr/local/skywalking/bin/oapService.sh
TimeoutSec=300
KillMode=process
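Review bot: With `User=`/`Group=` set the OAP process no longer runs as root, but the `[Service]` section adds no other confinement; since the service needs no privileges, `NoNewPrivileges=true` and `PrivateTmp=true` can be added next to the new lines at no cost. The same applies to the skywalking-ui.service.j2 hunk in this commit. Note also that tasks/main.yml now chowns the whole `/usr/local/skywalking` tree to this user, so the `ExecStart` script (and the UI unit's `EnvironmentFile`) are writable by the account that runs them; ownership of those files should stay with root for the unprivileged user to be meaningful.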
diff --git a/ansible/roles/skywalking/templates/skywalking-ui.service.j2
b/ansible/roles/skywalking/templates/skywalking-ui.service.j2
index 1bd331d..c087c7a 100644
--- a/ansible/roles/skywalking/templates/skywalking-ui.service.j2
+++ b/ansible/roles/skywalking/templates/skywalking-ui.service.j2
@@ -20,6 +20,8 @@ After=network.target
[Service]
Type=simple
EnvironmentFile=/usr/local/skywalking/webapp/sw_ui_env_file
+User=skywalking
+Group=skywalking
ExecStart=/usr/local/skywalking/bin/webappService.sh
TimeoutSec=300
KillMode=process