Thcipriani has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/232843

Change subject: Add servicedeploy user; Modifiy keyholder service
......................................................................

Add servicedeploy user; Modifiy keyholder service

These are the changes necessary for servicedeploy to work inside beta.

servicedeploy user
---

Creates a servicedeploy user that will be used to execute remote
commands on RESTBase nodes in the RESTBase remote deploy directory
(`/srv/deployment/restbase/deploy`).

This user is for RESTBase hosts

To ensure that this new user has full control over the remote repository
(currently deployed via trebuchet) the ownership of the remote directory
is modified via a puppet exec.

The exec call (as well as deployment via trebuchet) will
be removed as the scap3 project progresses.

servicedeploy group
---

Creates a servicedeploy group which has access to the ssh-agent proxy
containing the private key for the servicedeploy user on RESTBase hosts.

This group is for tin.

Keyholder service modifications
---

For mediawiki deploy the current user for remote execution is mwdeploy
and the current group for ssh-agent access is wikidev.

To make sure that the new deploy user key is available only to
servicedeploy group members, a second keyholder agent and proxy pair is
necessary.

This patch changes the keyholder::agent class to a keyholder::agent
resource.

NOTE: old keyholder files and sockets should be cleaned:

    sudo service keyholder-agent stop
    sudo service keyholder-proxy stop
    sudo rm /etc/init/keyholder-agent
    sudo rm /etc/init/keyholder-proxy
    sudo rm /run/keyholder/proxy.sock
    sudo rm /run/keyholder/agent.sock

Change-Id: I0a1da64658b4a9df4bb57897c890da105dba95d6
---
M hieradata/hosts/tin.yaml
M manifests/role/deployment.pp
M modules/admin/data/data.yaml
M modules/beta/templates/pam-access.conf.erb
D modules/keyholder/files/keyholder-agent.conf
A modules/keyholder/manifests/agent.pp
M modules/keyholder/manifests/init.pp
A modules/keyholder/templates/keyholder-agent.conf.erb
M modules/keyholder/templates/keyholder-proxy.conf.erb
A modules/restbase/manifests/deploy.pp
M modules/restbase/manifests/init.pp
11 files changed, 193 insertions(+), 91 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/43/232843/1

diff --git a/hieradata/hosts/tin.yaml b/hieradata/hosts/tin.yaml
index 71b61c0..e7b376e 100644
--- a/hieradata/hosts/tin.yaml
+++ b/hieradata/hosts/tin.yaml
@@ -5,6 +5,7 @@
   - codfw.wmnet
 admin::groups:
   - deployment
+  - servicedeploy
   - parsoid-admin
   - ocg-render-admins
   - wdqs-admins
diff --git a/manifests/role/deployment.pp b/manifests/role/deployment.pp
index b962df9..75865c1 100644
--- a/manifests/role/deployment.pp
+++ b/manifests/role/deployment.pp
@@ -5,10 +5,6 @@
 }
 
 class role::deployment::server(
-    # Source of the key, change this if not in production, with hiera.
-    # lint:ignore:puppet_url_without_modules
-    $key_source = 'puppet:///private/ssh/tin/mwdeploy_rsa',
-    # lint:endignore
     $apache_fqdn = $::fqdn,
     $deployment_group = 'wikidev',
 ) {
@@ -59,11 +55,8 @@
         remote_branch => 'readonly/master'
     }
 
-    class { '::keyholder': trusted_group => $deployment_group, } ->
-    class { '::keyholder::monitoring': } ->
-    keyholder::private_key { 'mwdeploy_rsa':
-        source  => $key_source,
-    }
+    include role::deployment::mediawiki
+    include role::deployment::services
 
     file { '/srv/deployment':
         ensure => directory,
@@ -142,6 +135,30 @@
     }
 }
 
+class role::deployment::mediawiki(
+    $keyholder_user = 'mwdeploy',
+    $keyholder_group = 'wikidev',
+) {
+    require ::keyholder
+    require ::keyholder::monitoring
+
+    keyholder::agent{ $keyholder_user:
+        trusted_group => $keyholder_group,
+    }
+}
+
+class role::deployment::services (
+    $keyholder_user = 'servicedeploy',
+    $keyholder_group = 'servicedeploy',
+) {
+    require ::keyholder
+    require ::keyholder::monitoring
+
+    keyholder::agent{ $keyholder_user:
+        trusted_group => $keyholder_group,
+    }
+}
+
 class role::deployment::test {
     package { 'test/testrepo':
         provider => 'trebuchet',
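Review bot: Neither `role::deployment::mediawiki` nor `role::deployment::services` declares a dependency on its trusted group, although the `keyholder::agent` header added in this change shows `require => Group['wikidev']` in its example and states that the caller must ensure the group exists. On tin the servicedeploy group is only introduced via `admin::groups` in hieradata/hosts/tin.yaml in this same change, so on a first run the proxy job can be set up before the group resource is applied; I cannot see how the admin module titles its group resources, so the exact reference needs checking. Adding `require => Group[$keyholder_group],` inside each `keyholder::agent` declaration would pin the order for both roles.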
diff --git a/modules/admin/data/data.yaml b/modules/admin/data/data.yaml
index d08cf5b..324fbaa 100644
--- a/modules/admin/data/data.yaml
+++ b/modules/admin/data/data.yaml
@@ -364,6 +364,12 @@
     gid: 760
     description: users who can login on fluorine and read mediawiki logs
     members: [tjones]
+  servicedeploy:
+    gid: 761
+    description: Service deploy users
+    members: [eevans, gwicke, mobrovac, demon, twentyafterfour, thcipriani, 
dduvall]
+    privileges: []
+
 users:
   rush:
     ensure: present
diff --git a/modules/beta/templates/pam-access.conf.erb 
b/modules/beta/templates/pam-access.conf.erb
index a46decb..78d1ed6 100644
--- a/modules/beta/templates/pam-access.conf.erb
+++ b/modules/beta/templates/pam-access.conf.erb
@@ -3,5 +3,5 @@
 # users except for members of the nova project
 # that this instance is a member of:
 
-+ : mwdeploy : <%= @bastion_ip %>
++ : servicedeploy mwdeploy : <%= @bastion_ip %>
 -:ALL EXCEPT (project-deployment-prep) root:ALL
diff --git a/modules/keyholder/files/keyholder-agent.conf 
b/modules/keyholder/files/keyholder-agent.conf
deleted file mode 100644
index 21a57ba..0000000
--- a/modules/keyholder/files/keyholder-agent.conf
+++ /dev/null
@@ -1,16 +0,0 @@
-# keyholder-agent - Shared SSH-agent
-#
-# Runs the ssh-agent(1) instance that holds shared identities.
-
-description "Shared SSH agent"
-
-start on (local-filesystems and net-device-up IFACE!=lo)
-
-setgid keyholder
-setuid keyholder
-
-exec /usr/bin/ssh-agent -d -a /run/keyholder/agent.sock
-post-start exec [ -S /run/keyholder/agent.sock ] || sleep 1
-post-stop exec /bin/rm -f /run/keyholder/agent.sock
-
-# vim: set ft=upstart:
diff --git a/modules/keyholder/manifests/agent.pp 
b/modules/keyholder/manifests/agent.pp
new file mode 100644
index 0000000..660768d
--- /dev/null
+++ b/modules/keyholder/manifests/agent.pp
@@ -0,0 +1,75 @@
+# == keyholder::agent
+#
+# Resource for creating keyholder agents on a node
+#
+# === Parameters
+#
+# [*name*]
+#   Used for service names, socket names, and default key name
+#
+# [*key_file*]
+#   The name of the key file stored in puppet private
+#   Should exist prior to running a defined resource
+#
+# [*trusted_group*]
+#   The name or GID of the trusted user group with which the agent
+#   should be shared. It is the caller's responsibility to ensure
+#   the group exists.
+#
+# === Examples
+#
+#  keyholder::agent { 'mwdeploy':
+#      trusted_group => 'wikidev',
+#      require       => Group['wikidev'],
+#  }
+#
+define keyholder::agent(
+    $trusted_group,
+    $key_file = "${name}_rsa",
+) {
+
+    $agent_socket = "/run/keyholder/agent-${name}.sock"
+    $proxy_socket = "/run/keyholder/proxy-${name}.sock"
+
+    # The `keyholder-agent` service is responsible for running
+    # the ssh-agent instance that will hold shared key(s).
+
+    file { "/etc/init/keyholder-${name}-agent.conf":
+        content => template('keyholder/keyholder-agent.conf.erb'),
+        owner   => 'root',
+        group   => 'root',
+        mode    => '0444',
+        notify  => Service["keyholder-${name}-agent"],
+    }
+
+    service { "keyholder-${name}-agent":
+        ensure   => running,
+        provider => 'upstart',
+        require  => File['/run/keyholder'],
+    }
+
+
+    # The `keyholder-proxy` service runs the filtering ssh-agent proxy
+    # that acts as an intermediary between users in the trusted group
+    # and the backend ssh-agent that holds the shared key(s).
+
+    file { "/etc/init/keyholder-${name}-proxy.conf":
+        content => template('keyholder/keyholder-proxy.conf.erb'),
+        owner   => 'root',
+        group   => 'root',
+        mode    => '0444',
+        notify  => Service["keyholder-${name}-proxy"],
+    }
+
+    service { "keyholder-${name}-proxy":
+        ensure   => running,
+        provider => 'upstart',
+        require  => Service["keyholder-${name}-agent"],
+    }
+
+    # lint:ignore:puppet_url_without_modules
+    keyholder::private_key { $key_file:
+        source  => "puppet:///private/ssh/tin/${key_file}",
+    }
+    # lint:endignore
+}
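Review bot: The `keyholder::private_key` resource at the end of the define hardcodes `puppet:///private/ssh/tin/${key_file}`, whereas the `$key_source` parameter this change removes from `role::deployment::server` existed precisely so non-production environments could point at a different private path via hiera; the commit message says this change is meant to make servicedeploy work in beta, so losing that knob looks unintended. A `$key_source = undef` parameter on the define that falls back to the current path when unset, used as `source => $real_source,`, keeps the override possible without changing the default. The define also depends on `File['/run/keyholder']`, which is declared in class keyholder, but neither the body nor the `=== Examples` header says the caller must include `::keyholder` first; either add `require ::keyholder` at the top of the body or state it in the header.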
diff --git a/modules/keyholder/manifests/init.pp 
b/modules/keyholder/manifests/init.pp
index 3db511f..f4caa4d 100644
--- a/modules/keyholder/manifests/init.pp
+++ b/modules/keyholder/manifests/init.pp
@@ -26,27 +26,12 @@
 #
 #  $ SSH_AUTH_SOCK=/run/keyholder/proxy.sock ssh remote-host ...
 #
-# === Parameters
-#
-# [*trusted_group*]
-#   The name or GID of the trusted user group with which the agent
-#   should be shared. It is the caller's responsibility to ensure
-#   the group exists.
-#
-# === Examples
-#
-#  class { 'keyholder':
-#      trusted_group => 'wikidev',
-#      require       => Group['wikidev'],
-#  }
-#
+
 # === Bugs
 #
-# It is currently only possible to have a single agent / proxy pair
-# (shared with just one group) on a particular node.
+# It is currently only possible to share an agent with a single group
 #
-class keyholder( $trusted_group ) {
-
+class keyholder {
     require_package('python3')
 
     group { 'keyholder':
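Review bot: The usage example left in the header, `$ SSH_AUTH_SOCK=/run/keyholder/proxy.sock ssh remote-host ...`, is now stale: this change moves the proxies to `/run/keyholder/proxy-<name>.sock`, and the header no longer explains how an agent/proxy pair is declared since the `=== Parameters` and `=== Examples` sections were removed. Suggest updating the example to `#  $ SSH_AUTH_SOCK=/run/keyholder/proxy-mwdeploy.sock ssh remote-host ...` and adding a line such as `# Agent/proxy pairs are declared with the keyholder::agent defined type.` so readers are sent to the right place.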
@@ -84,46 +69,10 @@
         owner  => 'root',
         group  => 'root',
         mode   => '0555',
-        notify => Service['keyholder-agent'],
+
+        # Not possible for more than one keyholder per box
+        # notify => Service['keyholder-agent'],
     }
-
-
-    # The `keyholder-agent` service is responsible for running
-    # the ssh-agent instance that will hold shared key(s).
-
-    file { '/etc/init/keyholder-agent.conf':
-        source => 'puppet:///modules/keyholder/keyholder-agent.conf',
-        owner  => 'root',
-        group  => 'root',
-        mode   => '0444',
-        notify => Service['keyholder-agent'],
-    }
-
-    service { 'keyholder-agent':
-        ensure   => running,
-        provider => 'upstart',
-        require  => File['/run/keyholder'],
-    }
-
-
-    # The `keyholder-proxy` service runs the filtering ssh-agent proxy
-    # that acts as an intermediary between users in the trusted group
-    # and the backend ssh-agent that holds the shared key(s).
-
-    file { '/etc/init/keyholder-proxy.conf':
-        content => template('keyholder/keyholder-proxy.conf.erb'),
-        owner   => 'root',
-        group   => 'root',
-        mode    => '0444',
-        notify  => Service['keyholder-proxy'],
-    }
-
-    service { 'keyholder-proxy':
-        ensure   => running,
-        provider => 'upstart',
-        require  => Service['keyholder-agent'],
-    }
-
 
     # The `keyholder` script provides a simplified command-line
     # interface for managing the agent. See `keyholder --help`.
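Review bot: Commenting out `notify => Service['keyholder-agent']` here, and `notify => Service['keyholder-proxy']` in the next hunk of this file, means a change to the proxy or keyholder scripts no longer restarts any running proxy, so nodes keep running old code until someone restarts by hand; the file resource's title is above this hunk, so I am inferring which script it is from the surrounding comments. Resources declared inside `keyholder::agent` are automatically tagged with the define's name, so a collector chain such as `File['/usr/local/bin/ssh-agent-proxy'] ~> Service <| tag == 'keyholder::agent' |>` would restore the refresh for every instance; add an explicit `tag` on the proxy service in agent.pp and collect on that if only proxies should be bounced, since restarting the agent drops its loaded identities. Separately, the legacy `keyholder-agent` and `keyholder-proxy` upstart jobs are dropped from Puppet but not ensured absent, leaving the old agent holding the mwdeploy key until the manual steps in the commit message are run; a `service { ...: ensure => stopped }` plus `file { ...: ensure => absent }` for the two old `/etc/init/*.conf` files would make that cleanup converge (the NOTE in the message also omits the `.conf` suffix on its two `rm` lines).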
@@ -133,6 +82,8 @@
         owner  => 'root',
         group  => 'root',
         mode   => '0555',
-        notify => Service['keyholder-proxy'],
+
+        # Not possible for more than one keyholder per box
+        # notify => Service['keyholder-proxy'],
     }
 }
diff --git a/modules/keyholder/templates/keyholder-agent.conf.erb 
b/modules/keyholder/templates/keyholder-agent.conf.erb
new file mode 100644
index 0000000..d6fa923
--- /dev/null
+++ b/modules/keyholder/templates/keyholder-agent.conf.erb
@@ -0,0 +1,16 @@
+# keyholder-agent - Shared SSH-agent
+#
+# Runs the ssh-agent(1) instance that holds shared identities.
+
+description "Shared SSH agent"
+
+start on (local-filesystems and net-device-up IFACE!=lo)
+
+setgid keyholder
+setuid keyholder
+
+exec /usr/bin/ssh-agent -d -a <%= @agent_socket %>
+post-start exec [ -S <%= @agent_socket %> ] || sleep 1
+post-stop exec /bin/rm -f <%= @agent_socket %>
+
+# vim: set ft=upstart:
diff --git a/modules/keyholder/templates/keyholder-proxy.conf.erb 
b/modules/keyholder/templates/keyholder-proxy.conf.erb
index 5271516..1a5fea0 100644
--- a/modules/keyholder/templates/keyholder-proxy.conf.erb
+++ b/modules/keyholder/templates/keyholder-proxy.conf.erb
@@ -14,8 +14,8 @@
 
 umask 007
 
-pre-start exec /bin/rm -f /run/keyholder/proxy.sock
-exec /usr/local/bin/ssh-agent-proxy
-post-stop exec /bin/rm -f /run/keyholder/proxy.sock
+pre-start exec /bin/rm -f <%= @proxy_socket %>
+exec /usr/local/bin/ssh-agent-proxy --bind <%= @proxy_socket %> --connect <%= 
@agent_socket %>
+post-stop exec /bin/rm -f <%= @proxy_socket %>
 
 # vim: set ft=upstart:
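Review bot: The new `exec` line passes `--bind <%= @proxy_socket %> --connect <%= @agent_socket %>` to `/usr/local/bin/ssh-agent-proxy`, but the diffstat lists no change to the script that installs that binary, so unless it already accepts both options every `keyholder-<name>-proxy` job will exit at start and no agent will be reachable; worth confirming before merge. A header comment such as `# Rendered once per keyholder::agent; @proxy_socket and @agent_socket are per-instance paths` would also help the next reader, since the template is no longer a singleton.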
diff --git a/modules/restbase/manifests/deploy.pp 
b/modules/restbase/manifests/deploy.pp
new file mode 100644
index 0000000..a6a0a43
--- /dev/null
+++ b/modules/restbase/manifests/deploy.pp
@@ -0,0 +1,54 @@
+# == Class restbase::deploy
+#
+# Creates user and permissions for deploy user
+# on restbase hosts
+#
+# === Parameters
+#
+# [*public_key*]
+#   This is the public_key for the servicedeploy user. The private part of this
+#   key should reside in the private puppet repo for the environment. By 
default
+#   this public key is set to the servicedeploy user's public key for 
production
+#   private puppet—it should be overwritten using hiera in non-production
+#   environements.
+
+class restbase::deploy(
+    $public_key = 'ssh-rsa 
AAAAB3NzaC1yc2EAAAADAQABAAACAQCyYzZqTbJTDI+oUvb0h0SKR6AaYosUAx18jNaJ4J2nhHwYSgtmgVOTtaxWvZO31f0d1miqC0QSjSi1f0D2IeFIQgm4jy6KaMZomRg9GthSYKm8rimc0s0CUHoq2rv7iWa4R1y2NCxWn6p6zPYsKIsRvT3+3QkZ0IJ0euuBMDUjQI6P51/NtpYR7Zhm2jq8QzHij4Xh2tyr9zEeKZAcZW1pMZ0zcWYgfBipDhiOL3GTdxYZJsVNuHxqnugixmVPR4Tzp5A441qwtQHEp7dJjMy7xKtW0Xd0yXHVYmF7k6BcHjE6d0VBxdE2uK9RPd+v/yhZ10DnJqGwsOhKD/dsSErjwOyRV5sPizjuFZE+r4eY+8ELTi8ra0GfKk/bnFuyaFrz6lZXw5iCjdT6QXorQlnOwUxt/lKhT9lRMM6j1/lKP/fheu0hE9OS4Y8e0Wa0wX418QqoDalfVCeIrhJSXpm0lVluzEiZ7AjnGBV/QNnll2NixgqU+pgK7qPKQLqDzoZNEDCV/rjvZgPLwCW+eoRiWQfbHgA0CtLsvMYpDk33tbbsDRsxW5xP+4jhXicLkgqNt4jk9o2OS04eFbByqKc6z1adZa80Y+RKNmcEj9TvY6okOfD4bOuvRM/ttwrW8XpxKhz+0wYrnTsU2rzURu9Q366PwG/Cq2/IRkWLSVdKAQ==
 servicedeploy_prod',
+) {
+    $user = 'servicedeploy'
+
+    user { $user:
+        ensure     => present,
+        shell      => '/bin/bash',
+        home       => '/var/lib/scap',
+        system     => true,
+        managehome => true,
+    }
+
+    ssh::userkey { $user:
+        content => $public_key,
+    }
+
+    # Using trebuchet provider while scap service deployment is under
+    # development—chicken and egg things
+    #
+    # This should be removed once scap3 is in a final state
+    package { ['restbase/deploy', 'scap/scap']:
+        provider => 'trebuchet',
+    }
+
+    # Rather than futz with adding new functionality to allow a deployment
+    # user set per repository in trebuchet, I'm running an exec here
+    $dir = '/srv/deployment/restbase/deploy'
+    exec { 'chown servicedeploy':
+        command => "/bin/chown -R ${user} ${dir}",
+        unless  => "/usr/bin/test $(/usr/bin/stat -c'%U' ${dir}) = ${user}"
+    }
+
+    sudo::user { $user:
+        privileges => [
+            'ALL = (root) NOPASSWD: /usr/sbin/service restbase',
+        ]
+    }
+
+}
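Review bot: The sudoers entry `ALL = (root) NOPASSWD: /usr/sbin/service restbase` in `sudo::user { $user: ... }` only matches that exact argument list, so `sudo service restbase restart` (or any other action word) will be refused; sudoers matches listed arguments exactly unless a wildcard is used. Enumerate the actions the deploy user actually needs rather than adding a wildcard, e.g. `'ALL = (root) NOPASSWD: /usr/sbin/service restbase restart',` and the same for `reload` and `status`, which keeps the grant minimal. Separately, the `unless` of `exec { 'chown servicedeploy': ... }` relies on `$(...)` command substitution, which the default posix exec provider does not expand because it runs the command without a shell; the guard can never succeed and `chown -R` will run on every agent run. Adding `provider => 'shell',` to that exec, or rewriting the guard without substitution, fixes it.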
diff --git a/modules/restbase/manifests/init.pp 
b/modules/restbase/manifests/init.pp
index c5cc5bd..3c3c138 100644
--- a/modules/restbase/manifests/init.pp
+++ b/modules/restbase/manifests/init.pp
@@ -58,11 +58,9 @@
     $graphoid_uri   = 'http://graphoid.svc.eqiad.wmnet:19000',
     $mobileapps_uri = 'http://mobileapps.svc.eqiad.wmnet:8888',
 ) {
-    ensure_packages( ['nodejs', 'nodejs-legacy', 'npm'] )
+    include restbase::deploy
 
-    package { 'restbase/deploy':
-        provider => 'trebuchet',
-    }
+    ensure_packages( ['nodejs', 'nodejs-legacy', 'npm'] )
 
     group { 'restbase':
         ensure => present,

-- 
To view, visit https://gerrit.wikimedia.org/r/232843
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I0a1da64658b4a9df4bb57897c890da105dba95d6
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Thcipriani <tcipri...@wikimedia.org>
