Mobrovac has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/279717

Change subject: scap::target: Allow scap's user to restart all services on a 
node
......................................................................

scap::target: Allow scap's user to restart all services on a node

scap::target's set-up of sudo rules implicitly assumed that it would be
deploying only one service per node, so only one sudo::user resource was
being set. However, we have nodes where multiple services are
collocated, such as the SCA and SCB clusters. This patch allows the same
Scap deployment user to restart multiple services on the same machine.

Bug: T130948
Change-Id: Id13f35ec2cf4e32e4931ffdc9df69425d433aad8
---
M modules/scap/manifests/target.pp
1 file changed, 22 insertions(+), 12 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/17/279717/1

diff --git a/modules/scap/manifests/target.pp b/modules/scap/manifests/target.pp
index 2586c15..5f74c23 100644
--- a/modules/scap/manifests/target.pp
+++ b/modules/scap/manifests/target.pp
@@ -1,11 +1,12 @@
-# == Define scap::target
+# == Define: scap::target
 #
 # Sets up a scap3 target for a deployment repository.
 # This will include ths scap package and ferm fules,
 # ensure that the $deploy_user has proper sudo rules
 # and public key installed.
 #
-# == Params
+# === Parameters
+#
 # [*deploy_user*]
 #   user that will be used for deployments
 #
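Review bot: the unchanged context line "This will include ths scap package and ferm fules," in this header still has two typos ("ths" for "the", "fules" for "rules"), and since this hunk is already tidying the comment block they should be fixed in the same pass. The description also still says only that $deploy_user gets "proper sudo rules"; one sentence stating that several scap::target instances may share a $deploy_user on one node would document the case the commit message describes.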
@@ -87,22 +88,31 @@
     # Allow deploy user user to sudo -u $user, and to sudo /usr/sbin/service
     # if $service_name is defined.
     #
+    # Two sets of privileges are defined: one for scap to able to sudo -u 
$user,
+    # which should be defined only once per node, and another for restarting
+    # whichever services are being deployed.
+    #
     # NOTE: sudo -u $user is currently needed by scap3.
     # TODO: Remove this when it is no longer needed.
-    $privileges = $service_name ? {
-        undef   => [
-            "ALL=(${deploy_user}) NOPASSWD: ALL",
-        ],
-        default => [
-            "ALL=(${deploy_user}) NOPASSWD: ALL",
-            "ALL=(root) NOPASSWD: /usr/sbin/service ${service_name} *",
-        ],
-    }
 
     if !defined(Sudo::User["scap_${deploy_user}"]) {
         sudo::user { "scap_${deploy_user}":
             user       => $deploy_user,
-            privileges => concat($privileges, $sudo_rules),
+            privileges => ["ALL=(${deploy_user}) NOPASSWD: ALL"],
+        }
+    }
+
+    $privileges = $service_name ? {
+        undef   => $sudo_rules,
+        default => concat([
+            "ALL=(root) NOPASSWD: /usr/sbin/service ${service_name} *",
+        ], $sudo_rules),
+    }
+
+    if size($privileges) > 0 {
+        sudo::user { "scap_${deploy_user}_${service_name}":
+            user       => $deploy_user,
+            privileges => $privileges,
         }
     }
 
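Review bot: the new sudo::user titled "scap_${deploy_user}_${service_name}" is declared when size($privileges) > 0, which is also true when $service_name is undef and $sudo_rules is non-empty, so the title degrades to "scap_${deploy_user}_" and two targets with the same $deploy_user, no service and their own $sudo_rules would declare the same resource. Unlike the first sudo::user block, this one has no !defined() guard, so that case fails catalog compilation. Consider keying the title on the define's own $title, e.g. "scap_${deploy_user}_${title}", which is unique per scap::target instance. Separately, the first block now grants only "ALL=(${deploy_user}) NOPASSWD: ALL", so every root-level rule lives in the per-service resources; it is worth noting in the comment that "/usr/sbin/service ${service_name} *" permits any action on that service, not only restart. Minor: the added comment reads "for scap to able to sudo -u $user" and is missing "be".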

-- 
To view, visit https://gerrit.wikimedia.org/r/279717
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: Id13f35ec2cf4e32e4931ffdc9df69425d433aad8
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Mobrovac <[email protected]>

_______________________________________________
MediaWiki-commits mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
