Rush has submitted this change and it was merged.
Change subject: make scap::target use the scap3 package provider
......................................................................
make scap::target use the scap3 package provider
This also updates eventbus to pass manage_user=>false
Refs T113072
Bug: T127215
Change-Id: I223a9fff2d48a3372ca14e56ae94087a6530f9ee
---
M modules/role/manifests/eventbus/eventbus.pp
M modules/scap/manifests/target.pp
2 files changed, 38 insertions(+), 55 deletions(-)
Approvals:
Rush: Looks good to me, approved
jenkins-bot: Verified
diff --git a/modules/role/manifests/eventbus/eventbus.pp
b/modules/role/manifests/eventbus/eventbus.pp
index 9f2fe93..e7146c2 100644
--- a/modules/role/manifests/eventbus/eventbus.pp
+++ b/modules/role/manifests/eventbus/eventbus.pp
@@ -22,6 +22,7 @@
public_key_source =>
"puppet:///modules/eventlogging/deployment/eventlogging_rsa.pub.${::realm}",
deploy_path => $eventlogging_path,
service_name => 'eventlogging-service-eventbus',
+ manage_user => false,
}
file { '/etc/eventbus':
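Review bot: The unchanged `deploy_path => $eventlogging_path,` line just above the added `manage_user => false,` looks stale, because this same commit removes the `$deploy_path` parameter from `scap::target`. The resource header is outside the hunk, so this only applies if the declaration is a `scap::target`, which the commit message suggests. If it is, catalog compilation would presumably fail with an invalid-parameter error on the hosts that include this role. I would drop the `deploy_path` line in this hunk, or keep `$deploy_path` in the define as a deprecated, ignored parameter until callers are migrated.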
diff --git a/modules/scap/manifests/target.pp b/modules/scap/manifests/target.pp
index 477e77a..5f1b696 100644
--- a/modules/scap/manifests/target.pp
+++ b/modules/scap/manifests/target.pp
@@ -3,12 +3,7 @@
# Sets up a scap3 target for a deployment repository.
# This will include ths scap package and ferm fules,
# ensure that the $deploy_user has proper sudo rules
-# and public key installed, and that the $deploy_path
-# is set up with proper permissions.
-#
-# NOTE: This define will not manage $deploy_user for you. You must
-# ensure that this is done somewhere else in puppet first, e.g.
-# user { 'my_deploy_user': ... }
+# and public key installed.
#
# == Params
# [*deploy_user*]
@@ -22,9 +17,13 @@
# service name that should be allowed to be restarted via sudo by
# deploy_user. Default: undef.
#
-# [*deploy_path*]
-# Path at which scap3 will deploy.
-# Default: /srv/deployment/$title
+# [*package_name*]
+# the name of the scap3 deployment package Default: $title
+#
+# [*manage_user*]
+# Specify whether to create a User resource for the $deploy_user.
+# This should be set to false if you have defined the user elsewhere.
+# Default: true
#
# Usage:
#
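Review bot: The `[*manage_user*]` entry does not say what kind of account the define creates when the default `true` is kept, and that is what a caller needs in order to decide whether to set it to `false`. Going by the `user` resource added later in this file, I would add `# When true, the user is created as a system account with shell /bin/bash and home /var/lib/scap.` The `[*package_name*]` line is also missing a full stop before `Default: $title`, and the usage example further down is not updated to show either new parameter.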
@@ -36,25 +35,48 @@
# scap::target { 'eventlogging/eventlogging':
# deploy_user => 'eventlogging',
# public_key_source =>
"puppet:///modules/eventlogging/deployment/eventlogging_rsa.pub.${::realm}",
-# deploy_path => '/srv/i/am/special/eventlogging/eventlogging'
# }
#
define scap::target(
$deploy_user,
$public_key_source,
$service_name = undef,
- $deploy_path = "/srv/deployment/${title}",
+ $package_name = $title,
+ $manage_user = true,
) {
- User[$deploy_user] -> Scap::Target[$title]
-
# Include scap3 package and ssh ferm rules.
include scap
include scap::ferm
+ if $manage_user {
+ user { $deploy_user:
+ ensure => present,
+ shell => '/bin/bash',
+ home => '/var/lib/scap',
+ system => true,
+ managehome => true,
+ }
+ } else {
+ User[$deploy_user] -> Scap::Target[$title]
+ }
+
+ package { $package_name:
+ install_options => [{ owner => $deploy_user}],
+ provider => 'scap3',
+ require => [Package['scap'], User[$deploy_user]],
+ }
+
+ if !defined(Ssh::Userkey[$deploy_user]) {
+ ssh::userkey { $deploy_user:
+ source => $public_key_source,
+ }
+ }
+
# Allow deploy user user to sudo -u $user, and to sudo /usr/sbin/service
# if $service_name is defined.
- # sudo -u $user is currently needed by scap3. TODO: Remove this
- # when it is no longer needed.
+ #
+ # NOTE: sudo -u $user is currently needed by scap3.
+ # TODO: Remove this when it is no longer needed.
$privileges = $service_name ? {
undef => [
"ALL=(${deploy_user}) NOPASSWD: ALL",
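Review bot: The `user { $deploy_user:` resource in the `if $manage_user` branch is declared without a guard, unlike the `ssh::userkey` a few lines below, which is wrapped in `!defined(...)`. Two `scap::target` instances that share a deploy user and keep the default `manage_user => true` would therefore hit a duplicate declaration; `if $manage_user and !defined(User[$deploy_user]) {` would match the existing pattern. The home is also fixed at `/var/lib/scap` with `managehome => true`, so targets with different deploy users would all be pointed at one home directory. That is worth avoiding for accounts that receive the NOPASSWD sudo rules built just below; either derive the path per user, e.g. `home => "/var/lib/scap/${deploy_user}",`, or document that only one managed deploy user per host is supported. The define's body continues past the end of this hunk.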
@@ -71,44 +93,4 @@
}
}
- if !defined(Ssh::Userkey[$deploy_user]) {
- ssh::userkey { $deploy_user:
- source => $public_key_source,
- }
- }
-
- # $parent_dir needs to be writable by deploy user in order
- # for scap to be able to create the -cache directories it needs.
- # This in case you are deploying a repository with
- # a '/' in the name, e.g. eventlogging/eventlogging. This makes
- # sure that /srv/deployment/eventlogging is writable by
- # scap.
- #
- # TODO: if scap3 -cache directory location becomes configurable,
- # change this.
- # (dirname() stdlib puppet function not available???)
- #
- # NOTE: We have to manage the parent directory this way,
- # instead of the scap3 -cache directory directly, to account
- # for the case where a scap3 git_repo is somethign like
- # repo/repo/deploy. We don't know how deep the hierarchy goes,
- # but we do know that we will need to be able to write to
- # repo/repo as well as repo/repo/deploy.
- $parent_dir = inline_template('<%= File.dirname(@deploy_path) %>')
- if !defined(File[$parent_dir]) {
- file { $parent_dir:
- ensure => 'directory',
- owner => $deploy_user,
- mode => '0775',
- }
- }
-
- file { $deploy_path:
- # scap3 will symlink during deployments.
- ensure => 'present',
- owner => $deploy_user,
- mode => '0775',
- # Set permissions recursively.
- recurse => true,
- }
}
--
To view, visit https://gerrit.wikimedia.org/r/269560
Gerrit-MessageType: merged
Gerrit-Change-Id: I223a9fff2d48a3372ca14e56ae94087a6530f9ee
Gerrit-PatchSet: 14
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: 20after4 <[email protected]>
Gerrit-Reviewer: 20after4 <[email protected]>
Gerrit-Reviewer: Alexandros Kosiaris <[email protected]>
Gerrit-Reviewer: ArielGlenn <[email protected]>
Gerrit-Reviewer: Ottomata <[email protected]>
Gerrit-Reviewer: Rush <[email protected]>
Gerrit-Reviewer: Thcipriani <[email protected]>
Gerrit-Reviewer: jenkins-bot <>