Filippo Giunchedi has submitted this change and it was merged. ( 
https://gerrit.wikimedia.org/r/404945 )

Change subject: scap: require sudo rules to be in place before deploy
......................................................................


scap: require sudo rules to be in place before deploy

For services requiring a config reload, the sudo rules might not be there yet
on the first puppet run.

Note that since puppet 4 ordering in the manifest matters, thus reorder the
resources.

Bug: T185189
Change-Id: I6c0276c7aa0ae1ca2596c114c419b65c645276ac
---
M modules/scap/manifests/target.pp
1 file changed, 31 insertions(+), 29 deletions(-)

Approvals:
  Giuseppe Lavagetto: Looks good to me, but someone else must approve
  jenkins-bot: Verified
  Filippo Giunchedi: Looks good to me, approved



diff --git a/modules/scap/manifests/target.pp b/modules/scap/manifests/target.pp
index 1b0769b..256eec5 100644
--- a/modules/scap/manifests/target.pp
+++ b/modules/scap/manifests/target.pp
@@ -110,35 +110,6 @@
         }
     }
 
-    package { $package_name:
-        install_options => [{
-                  owner => $deploy_user}],
-        provider        => 'scap3',
-        require         => [Package['scap'], User[$deploy_user]],
-    }
-
-    # XXX: Temporary work-around for switching services from Trebuchet to Scap3
-    # The Scap3 provider doesn't touch the target dir if it's already a git 
repo
-    # which means that even after switching the provider we end up with the
-    # wrong user (root) owning it. Therefore, as a temporary measure we chown
-    # the target dir's parent so that the subsequent invocation of deploy-local
-    # is able to create the needed dirs and symlinks
-    $chown_user = "${deploy_user}:${deploy_user}"
-    $name_array = split($package_name, '/')
-    $pkg_root = inline_template(
-        '<%= @name_array[0,@name_array.size - 1].join("/") %>'
-    )
-    $chown_target = "/srv/deployment/${pkg_root}"
-    $exec_name = "chown ${chown_target} for ${deploy_user}"
-    if !defined(Exec[$exec_name]) {
-        exec { $exec_name:
-            command => "/bin/chown -R ${chown_user} ${chown_target}",
-            # perform the chown only if root is the effective owner
-            onlyif  => "/usr/bin/test -O /srv/deployment/${package_name}",
-            require => [User[$deploy_user], Group[$deploy_user]]
-        }
-    }
-
     # Allow deploy user user to sudo -u $user, and to sudo /usr/sbin/service
     # if $service_name is defined.
     #
@@ -173,4 +144,35 @@
         }
     }
 
+    # Have scap actually deploy the source, restart the service if needed, etc
+    # Assume $deploy_user already has sudo permissions because of the block 
above.
+    package { $package_name:
+        install_options => [{
+                  owner => $deploy_user}],
+        provider        => 'scap3',
+        require         => [Package['scap'], User[$deploy_user]],
+    }
+
+    # XXX: Temporary work-around for switching services from Trebuchet to Scap3
+    # The Scap3 provider doesn't touch the target dir if it's already a git 
repo
+    # which means that even after switching the provider we end up with the
+    # wrong user (root) owning it. Therefore, as a temporary measure we chown
+    # the target dir's parent so that the subsequent invocation of deploy-local
+    # is able to create the needed dirs and symlinks
+    $chown_user = "${deploy_user}:${deploy_user}"
+    $name_array = split($package_name, '/')
+    $pkg_root = inline_template(
+        '<%= @name_array[0,@name_array.size - 1].join("/") %>'
+    )
+    $chown_target = "/srv/deployment/${pkg_root}"
+    $exec_name = "chown ${chown_target} for ${deploy_user}"
+    if !defined(Exec[$exec_name]) {
+        exec { $exec_name:
+            command => "/bin/chown -R ${chown_user} ${chown_target}",
+            # perform the chown only if root is the effective owner
+            onlyif  => "/usr/bin/test -O /srv/deployment/${package_name}",
+            require => [User[$deploy_user], Group[$deploy_user]]
+        }
+    }
+
 }

-- 
To view, visit https://gerrit.wikimedia.org/r/404945
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: I6c0276c7aa0ae1ca2596c114c419b65c645276ac
Gerrit-PatchSet: 3
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Filippo Giunchedi <fgiunch...@wikimedia.org>
Gerrit-Reviewer: 20after4 <mmod...@wikimedia.org>
Gerrit-Reviewer: Filippo Giunchedi <fgiunch...@wikimedia.org>
Gerrit-Reviewer: Giuseppe Lavagetto <glavage...@wikimedia.org>
Gerrit-Reviewer: Thcipriani <tcipri...@wikimedia.org>
Gerrit-Reviewer: jenkins-bot <>

_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits

Reply via email to