Mobrovac has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/290490

Change subject: service::node: Prepare for scap3 config deploys
......................................................................

service::node: Prepare for scap3 config deploys

Up until now config files have been owned by root and were read-only.
However, Scap3 operates under the $deployment_user user on the target
machines and in order for it to install the correct config file, those
need to be owned by that user, not root. This commit allows Scap3 to do
so selectively only for services that specify deployment_config => true
in their manifests.

Note that this is a temporary hack in that once all of the services
start using Scap3 for config deploys it will go away.

Change-Id: If8ba2f0d950e441547f583cdfa2c30ce8b9384ae
---
M modules/service/manifests/node.pp
1 file changed, 31 insertions(+), 10 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/90/290490/1

diff --git a/modules/service/manifests/node.pp 
b/modules/service/manifests/node.pp
index 9570a51..e37bba2 100644
--- a/modules/service/manifests/node.pp
+++ b/modules/service/manifests/node.pp
@@ -77,7 +77,11 @@
 #
 # [*deployment_user*]
 #   The user that will own the service code. Only applicable when
-#   $deployment ='scap3'. Default: $title
+#   $deployment =='scap3'. Default: $title
+#
+# [*deployment_config*]
+#   Whether Scap3 is used for deploying the config as well. Applicable only 
when
+#   $deployment == 'scap3'. Default: false
 #
 # === Examples
 #
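Review bot: The new [*deployment_config*] entry does not say what enabling it changes on the host. With it set, Puppet no longer declares a file resource for /etc/${title}/config.yaml and only hands ownership of an existing file to $deployment_user, so control of the service config moves from root to the deploy user; please state that in the parameter doc. Separately, the [*deployment_user*] entry still reads "Default: $title", while the parameter list declares $deployment_user = 'deploy-service'; since the line is being touched anyway, correct the documented default.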
@@ -117,6 +121,7 @@
     $init_restart    = true,
     $deployment      = undef,
     $deployment_user = 'deploy-service',
+    $deployment_config = false,
 ) {
     case $deployment {
         'scap3': {
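Review bot: $deployment_config is accepted with no type check, and the later condition "$deployment == 'scap3' and $deployment_config" treats a non-empty string as true, so a manifest passing deployment_config => 'false' would still take the chown branch. Add validate_bool($deployment_config) (stdlib) at the top of the define body. As a style point, the "=" in "$deployment_config = false," is not aligned with the three parameters above it.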
@@ -197,17 +202,33 @@
     file { "/etc/${title}":
         ensure => directory,
         owner  => 'root',
-        group  => 'root',
-        mode   => '0755',
+        group  => $deployment_user,
+        mode   => '0775',
     }
 
-    file { "/etc/${title}/config.yaml":
-        ensure  => present,
-        content => $complete_config,
-        owner   => 'root',
-        group   => 'root',
-        mode    => '0444',
-        tag     => "${title}::config",
+    if $deployment == 'scap3' and $deployment_config {
+        # NOTE: this is a work-around need to switch config file deployments
+        # to Scap3. The previous praxis was to make the config owned by root,
+        # but that is not possible with Scap3, as it installs a symlink under
+        # the $deployment_user user. chown'ing it will allow Scap3 to remove
+        # the file and install its symlink
+        $chown_user = "${deployment_user}:${deployment_user}"
+        $chown_target = "/etc/${title}/config.yaml"
+        exec { "chown ${chown_target}":
+            command => "/bin/chown ${chown_user} ${chown_target}",
+            # perform the chown only if root is the effective owner
+            onlyif  => "/usr/bin/test -O ${chown_target}",
+            require => [User[$deployment_user], Group[$deployment_user]]
+        }
+    } else {
+        file { "/etc/${title}/config.yaml":
+            ensure  => present,
+            content => $complete_config,
+            owner   => 'root',
+            group   => 'root',
+            mode    => '0444',
+            tag     => "${title}::config",
+        }
     }
 
     if $auto_refresh {
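Review bot: The exec runs "/bin/chown ${chown_user} ${chown_target}" as root on a path inside /etc/${title}, a directory this same hunk makes group-writable by $deployment_user (mode 0775). chown without -h follows symlinks, and so does "test -O", so if config.yaml is a symlink to a root-owned file, it is the link target that gets handed to $deployment_user. Use "chown -h" and extend onlyif so it only matches a regular file that is not a symlink (for example adding "! -L ${chown_target}" to the test). The group and mode change on file { "/etc/${title}": } also sits outside the "if", so it applies to every service::node instance, not only those with deployment_config => true as the commit message describes; a group-writable directory lets that group replace config.yaml even when the file itself is root:root 0444, so keep root:root 0755 for the else case. Two smaller points: the exec carries no tag, so anything that relied on "${title}::config" loses its hook in this branch, and the comment above onlyif is accurate only while Puppet runs as root, since "test -O" compares against the effective UID of the calling process.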

-- 
To view, visit https://gerrit.wikimedia.org/r/290490

Gerrit-MessageType: newchange
Gerrit-Change-Id: If8ba2f0d950e441547f583cdfa2c30ce8b9384ae
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Mobrovac <[email protected]>
