Filippo Giunchedi has submitted this change and it was merged.
Change subject: service::node: Prepare for scap3 config deploys
......................................................................
service::node: Prepare for scap3 config deploys
Up until now config files have been owned by root and were read-only.
However, Scap3 operates under the $deployment_user user on the target
machines and in order for it to install the correct config file, those
need to be owned by that user, not root. This commit allows Scap3 to do
so selectively only for services that specify deployment_config => true
in their manifests.
Note that this is a temporary hack in that once all of the services
start using Scap3 for config deploys it will go away.
Change-Id: If8ba2f0d950e441547f583cdfa2c30ce8b9384ae
---
M modules/service/manifests/node.pp
1 file changed, 35 insertions(+), 10 deletions(-)
Approvals:
Filippo Giunchedi: Verified; Looks good to me, approved
20after4: Looks good to me, but someone else must approve
diff --git a/modules/service/manifests/node.pp
b/modules/service/manifests/node.pp
index 9570a51..f39337a 100644
--- a/modules/service/manifests/node.pp
+++ b/modules/service/manifests/node.pp
@@ -77,7 +77,11 @@
#
# [*deployment_user*]
# The user that will own the service code. Only applicable when
-# $deployment ='scap3'. Default: $title
+# $deployment =='scap3'. Default: $title
+#
+# [*deployment_config*]
+# Whether Scap3 is used for deploying the config as well. Applicable only
when
+# $deployment == 'scap3'. Default: false
#
# === Examples
#
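Review bot: on the corrected doc line, `$deployment =='scap3'` is missing the space after `==`, while the new deployment_config entry just below writes `$deployment == 'scap3'`; use the spaced form in both places. The deployment_config description could also state what changes when it is true (config.yaml is handed over to $deployment_user instead of being managed as a root-owned 0444 file), since that is what an operator needs to know before enabling it.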
@@ -117,6 +121,7 @@
$init_restart = true,
$deployment = undef,
$deployment_user = 'deploy-service',
+ $deployment_config = false,
) {
case $deployment {
'scap3': {
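Review bot: `$deployment_config = false` is accepted without a type check, and a manifest that sets deployment_config => true while $deployment is not 'scap3' is silently ignored, because the conditional further down requires both. Consider validating the parameter as a boolean (stdlib's validate_bool, if that module is available in this tree) and calling fail() for that combination, so a misconfigured service does not quietly keep the root-managed config.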
@@ -194,20 +199,40 @@
}
# Configuration, directories
+ $conf_dir_gid = $deployment ? {
+ 'scap3' => $deployment_user,
+ default => 'root',
+ }
file { "/etc/${title}":
ensure => directory,
owner => 'root',
- group => 'root',
- mode => '0755',
+ group => $conf_dir_gid,
+ mode => '0775',
}
- file { "/etc/${title}/config.yaml":
- ensure => present,
- content => $complete_config,
- owner => 'root',
- group => 'root',
- mode => '0444',
- tag => "${title}::config",
+ if $deployment == 'scap3' and $deployment_config {
+ # NOTE: this is a work-around need to switch config file deployments
+ # to Scap3. The previous praxis was to make the config owned by root,
+ # but that is not possible with Scap3, as it installs a symlink under
+ # the $deployment_user user. chown'ing it will allow Scap3 to remove
+ # the file and install its symlink
+ $chown_user = "${deployment_user}:${deployment_user}"
+ $chown_target = "/etc/${title}/config.yaml"
+ exec { "chown ${chown_target}":
+ command => "/bin/chown ${chown_user} ${chown_target}",
+ # perform the chown only if root is the effective owner
+ onlyif => "/usr/bin/test -O ${chown_target}",
+ require => [User[$deployment_user], Group[$deployment_user]]
+ }
+ } else {
+ file { "/etc/${title}/config.yaml":
+ ensure => present,
+ content => $complete_config,
+ owner => 'root',
+ group => 'root',
+ mode => '0444',
+ tag => "${title}::config",
+ }
}
if $auto_refresh {
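Review bot: the exec in the scap3 branch runs `/bin/chown ${chown_user} ${chown_target}` guarded by `/usr/bin/test -O ${chown_target}`, and both commands dereference symlinks. The comment says Scap3 will replace this path with a symlink created as $deployment_user, and the directory is now group-writable by that user, so on a later Puppet run root could end up chowning whatever root-owned file the link resolves to. Use `chown -h` (`--no-dereference`) and add a `test ! -L` condition to the guard so that only a regular file at that path is ever changed. Separately, $conf_dir_gid and mode '0775' depend only on $deployment, so every scap3 service gets a group-writable /etc/${title}, not only those with deployment_config => true as the commit message describes; gating the group and mode change on $deployment_config would keep the previous ownership for everything else. The `require` line in the exec is also missing its trailing comma.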
--
To view, visit https://gerrit.wikimedia.org/r/290490
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings
Gerrit-MessageType: merged
Gerrit-Change-Id: If8ba2f0d950e441547f583cdfa2c30ce8b9384ae
Gerrit-PatchSet: 5
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Mobrovac <[email protected]>
Gerrit-Reviewer: 20after4 <[email protected]>
Gerrit-Reviewer: Alexandros Kosiaris <[email protected]>
Gerrit-Reviewer: Filippo Giunchedi <[email protected]>
Gerrit-Reviewer: Giuseppe Lavagetto <[email protected]>
Gerrit-Reviewer: Mobrovac <[email protected]>
Gerrit-Reviewer: Thcipriani <[email protected]>
Gerrit-Reviewer: jenkins-bot <>
_______________________________________________
MediaWiki-commits mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits