Ori.livneh has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/133945

Change subject: Consolidate mediawiki::users::* into a single class
......................................................................

Consolidate mediawiki::users::* into a single class

* Collapse mediawiki::users::{mwdeploy,l10nupdate,sudo} into a single class.
* Move l10nupdate's authorized_keys to a file
* Use native user / group rather than systemuser.

Change-Id: I44df6e7f9706ff565eae3334e4d1574001df06dc
---
M manifests/misc/statistics.pp
M manifests/openstack.pp
A modules/mediawiki/files/authorized_keys.l10nupdate
M modules/mediawiki/manifests/init.pp
M modules/mediawiki/manifests/sync.pp
A modules/mediawiki/manifests/users.pp
D modules/mediawiki/manifests/users/l10nupdate.pp
D modules/mediawiki/manifests/users/mwdeploy.pp
D modules/mediawiki/manifests/users/sudo.pp
9 files changed, 132 insertions(+), 144 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/45/133945/1

diff --git a/manifests/misc/statistics.pp b/manifests/misc/statistics.pp
index 7f9de05..c83a833 100644
--- a/manifests/misc/statistics.pp
+++ b/manifests/misc/statistics.pp
@@ -139,7 +139,6 @@
 # RT 2162
 class misc::statistics::mediawiki {
     include misc::statistics::base
-    require mediawiki::users::mwdeploy
 
     $statistics_mediawiki_directory = 
"${misc::statistics::base::working_path}/mediawiki/core"
 
diff --git a/manifests/openstack.pp b/manifests/openstack.pp
index 70ceefd..743a197 100644
--- a/manifests/openstack.pp
+++ b/manifests/openstack.pp
@@ -373,7 +373,7 @@
 }
 
 class openstack::openstack-manager($openstack_version="folsom", $novaconfig, 
$certificate) {
-    require mediawiki::users::mwdeploy
+    # require mediawiki::users::mwdeploy  -- temp. removed for ::mediawiki 
refactor -- OL
 
     if !defined(Class["webserver::php5"]) {
         class {'webserver::php5': ssl => true; }
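Review bot: The commented-out `require` on the added line leaves `openstack::openstack-manager` with no declared dependency on the mwdeploy account, and "temp. removed" names no follow-up for restoring it. If anything later in this class (its body continues outside the hunk) assumes that user exists, it would now fail only at apply time. Since this change introduces `mediawiki::users`, consider `require mediawiki::users` here. If pulling that class's sudo rules and the l10nupdate key onto this host is too broad, replace the dead code with a `# TODO:` that references the change that will restore the dependency.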
diff --git a/modules/mediawiki/files/authorized_keys.l10nupdate 
b/modules/mediawiki/files/authorized_keys.l10nupdate
new file mode 100644
index 0000000..ff21ea4
--- /dev/null
+++ b/modules/mediawiki/files/authorized_keys.l10nupdate
@@ -0,0 +1 @@
+ssh-rsa 
AAAAB3NzaC1yc2EAAAABIwAAAQEAzcA/wB0uoU+XgiYN/scGczrAGuN99O8L7m8TviqxgX9s+RexhPtn8FHss1GKi8oxVO1V+ssABVb2q0fGza4wqrHOlZadcFEGjQhZ4IIfUwKUo78mKhQsUyTd5RYMR0KlcjB4UyWSDX5tFHK6FE7/tySNTX7Tihau7KZ9R0Ax//KySCG0skKyI1BK4Ufb82S8wohrktBO6W7lag0O2urh9dKI0gM8EuP666DGnaNBFzycKLPqLaURCeCdB6IiogLHiR21dyeHIIAN0zD6SUyTGH2ZNlZkX05hcFUEWcsWE49+Ve/rdfu1wWTDnourH/Xm3IBkhVGqskB+yp3Jkz2D3Q==
 l10nupdate@fenari
\ No newline at end of file
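Review bot: The key line is installed without any `authorized_keys` options, and users.pp in this change gives the l10nupdate account `ALL = (mwdeploy) NOPASSWD: ALL`, so holding this one key is enough to act as mwdeploy on every host that includes the class. The key comment `l10nupdate@fenari` suggests a single origin host; if that is the case, prefixing the line with `from="<origin-host>",no-port-forwarding,no-agent-forwarding,no-X11-forwarding` (host value is a placeholder) would narrow what a copied key can do. The file also ends without a newline, so a key appended later would land on the same line; end it with a newline.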
diff --git a/modules/mediawiki/manifests/init.pp 
b/modules/mediawiki/manifests/init.pp
index 1c4fd93..c4aa836 100644
--- a/modules/mediawiki/manifests/init.pp
+++ b/modules/mediawiki/manifests/init.pp
@@ -1,29 +1,8 @@
 class mediawiki {
-    include ::mediawiki::users::mwdeploy
-    include ::mediawiki::users::l10nupdate
-    include ::mediawiki::users::sudo
+    include ::mediawiki::users
     include ::mediawiki::sync
     include ::mediawiki::cgroup
     include ::mediawiki::packages
-
-    # The name, gid, home, and shell of the apache user are set to conform
-    # with the postinst script of the wikimedia-task-appserver package, which
-    # provisioned it historically. These values can and should be modernized.
-
-    group { 'apache':
-        ensure => present,
-        gid    => 48,
-        system => true,
-    }
-
-    user { 'apache':
-        ensure     => present,
-        gid        => 48,
-        shell      => '/sbin/nologin',
-        home       => '/var/www',
-        system     => true,
-        managehome => false,
-    }
 
     class { '::twemproxy':
         default_file => 'puppet:///modules/mediawiki/twemproxy.default',
diff --git a/modules/mediawiki/manifests/sync.pp 
b/modules/mediawiki/manifests/sync.pp
index 6dcd29a..7a65258 100644
--- a/modules/mediawiki/manifests/sync.pp
+++ b/modules/mediawiki/manifests/sync.pp
@@ -1,56 +1,53 @@
 # mediawiki syncing class
 class mediawiki::sync {
-       include misc::deployment::vars
+    include misc::deployment::vars
+    include mediawiki::users
 
-       include mediawiki::users::l10nupdate
-       include mediawiki::users::mwdeploy
-       include mediawiki::users::sudo
+    deployment::target { 'scap': }
 
-       deployment::target { 'scap': }
+    file { '/usr/local/bin/mwversionsinuse':
+        ensure  => link,
+        target  => '/srv/deployment/scap/scap/bin/mwversionsinuse',
+    }
+    file { '/usr/local/bin/scap-rebuild-cdbs':
+        ensure  => link,
+        target  => '/srv/deployment/scap/scap/bin/scap-rebuild-cdbs',
+    }
+    file { '/usr/local/bin/scap-recompile':
+        ensure  => link,
+        target  => '/srv/deployment/scap/scap/bin/scap-recompile',
+    }
+    file { '/usr/local/bin/sync-common':
+        ensure  => link,
+        target  => '/srv/deployment/scap/scap/bin/sync-common',
+    }
+    file { '/usr/local/bin/refreshCdbJsonFiles':
+        ensure  => link,
+        target  => '/srv/deployment/scap/scap/bin/refreshCdbJsonFiles',
+    }
 
-       file { '/usr/local/bin/mwversionsinuse':
-               ensure  => link,
-               target  => '/srv/deployment/scap/scap/bin/mwversionsinuse',
-       }
-       file { '/usr/local/bin/scap-rebuild-cdbs':
-               ensure  => link,
-               target  => '/srv/deployment/scap/scap/bin/scap-rebuild-cdbs',
-       }
-       file { '/usr/local/bin/scap-recompile':
-               ensure  => link,
-               target  => '/srv/deployment/scap/scap/bin/scap-recompile',
-       }
-       file { '/usr/local/bin/sync-common':
-               ensure  => link,
-               target  => '/srv/deployment/scap/scap/bin/sync-common',
-       }
-       file { '/usr/local/bin/refreshCdbJsonFiles':
-               ensure  => link,
-               target  => '/srv/deployment/scap/scap/bin/refreshCdbJsonFiles',
-       }
+    exec { 'mw-sync':
+        command     => '/usr/local/bin/sync-common',
+        require     => File['/usr/local/bin/sync-common'],
+        cwd         => '/tmp',
+        user        => root,
+        group       => root,
+        path        => '/usr/local/bin:/usr/bin:/usr/sbin',
+        refreshonly => true,
+        timeout     => 600,
+        logoutput   => on_failure;
+    }
 
-       exec { 'mw-sync':
-               command     => '/usr/local/bin/sync-common',
-               require     => File['/usr/local/bin/sync-common'],
-               cwd         => '/tmp',
-               user        => root,
-               group       => root,
-               path        => '/usr/local/bin:/usr/bin:/usr/sbin',
-               refreshonly => true,
-               timeout     => 600,
-               logoutput   => on_failure;
-       }
-
-       exec { 'mw-sync-rebuild-cdbs':
-               command     => '/usr/local/bin/scap-rebuild-cdbs',
-               cwd         => '/tmp',
-               user        => 'mwdeploy',
-               group       => 'mwdeploy',
-               path        => '/usr/local/bin:/usr/bin:/usr/sbin',
-               refreshonly => true,
-               timeout     => 600,
-               logoutput   => on_failure,
-               require     => File['/usr/local/bin/scap-rebuild-cdbs'],
-               subscribe   => Exec['mw-sync'],
-       }
+    exec { 'mw-sync-rebuild-cdbs':
+        command     => '/usr/local/bin/scap-rebuild-cdbs',
+        cwd         => '/tmp',
+        user        => 'mwdeploy',
+        group       => 'mwdeploy',
+        path        => '/usr/local/bin:/usr/bin:/usr/sbin',
+        refreshonly => true,
+        timeout     => 600,
+        logoutput   => on_failure,
+        require     => File['/usr/local/bin/scap-rebuild-cdbs'],
+        subscribe   => Exec['mw-sync'],
+    }
 }
diff --git a/modules/mediawiki/manifests/users.pp 
b/modules/mediawiki/manifests/users.pp
new file mode 100644
index 0000000..c0a0295
--- /dev/null
+++ b/modules/mediawiki/manifests/users.pp
@@ -0,0 +1,83 @@
+class mediawiki::users {
+    # apache
+
+    # The name, gid, home, and shell of the apache user are set to conform
+    # with the postinst script of the wikimedia-task-appserver package, which
+    # provisioned it historically. These values can and should be modernized.
+
+    group { 'apache':
+        ensure => present,
+        gid    => 48,
+        system => true,
+    }
+
+    user { 'apache':
+        ensure     => present,
+        gid        => 48,
+        shell      => '/sbin/nologin',
+        home       => '/var/www',
+        system     => true,
+        managehome => false,
+    }
+
+    # mwdeploy
+
+    group { 'mwdeploy':
+        ensure => present,
+        system => true,
+    }
+
+    user { 'mwdeploy':
+        ensure     => present,
+        shell      => '/bin/false',
+        home       => '/var/lib/mwdeploy',
+        system     => true,
+        managehome => true,
+    }
+
+
+    # l10nupdate
+
+    group { 'l10nupdate':
+        ensure => present,
+        gid    => 10002,
+    }
+
+    user { 'l10nupdate':
+        ensure     => present,
+        gid        => 10002,
+        shell      => '/bin/bash',
+        home       => '/home/l10nupdate',
+        managehome => true,
+    }
+
+    file { '/home/l10nupdate/.ssh':
+        ensure => directory,
+        owner  => 'l10nupdate',
+        group  => 'l10nupdate',
+        mode   => '0500',
+    }
+
+    file { '/home/l10nupdate/.ssh/authorized_keys':
+        owner   => 'l10nupdate',
+        group   => 'l10nupdate',
+        mode    => '0400',
+        source  => 'puppet:///modules/mediawiki/authorized_keys.l10nupdate',
+    }
+
+    sudo_group { 'wikidev_deploy':
+        group      => 'wikidev',
+        privileges => [
+            'ALL = (apache,mwdeploy,l10nupdate) NOPASSWD: ALL',
+            'ALL = (root) NOPASSWD: /sbin/restart twemproxy',
+            'ALL = (root) NOPASSWD: /sbin/start twemproxy'
+        ],
+    }
+
+    sudo_user { 'l10nupdate':
+        require    => User['l10nupdate', 'mwdeploy'],
+        privileges => [
+            'ALL = (mwdeploy) NOPASSWD: ALL',
+        ],
+    }
+}
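Review bot: The `$::realm != 'labs'` guards from the deleted users/l10nupdate.pp and users/mwdeploy.pp are gone, so the `group`/`user` resources for l10nupdate (gid 10002) and mwdeploy are now declared unconditionally; the removed comments say those accounts come from LDAP on labs, where local resources with `managehome => true` may conflict, so confirm that or wrap them in `if $::realm != 'labs' { ... }`. Separately, `user { 'mwdeploy': }` sets no gid, so nothing ties it to the `mwdeploy` group declared just above and no ordering between the two is established; adding `gid => 'mwdeploy',` makes the primary group explicit and lets Puppet autorequire the group. The `sudo_group` rule `ALL = (apache,mwdeploy,l10nupdate) NOPASSWD: ALL` is carried over unchanged, but a one-line comment above it stating why wikidev needs unrestricted commands as those three users would make the privilege boundary reviewable.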
diff --git a/modules/mediawiki/manifests/users/l10nupdate.pp 
b/modules/mediawiki/manifests/users/l10nupdate.pp
deleted file mode 100644
index 95be984..0000000
--- a/modules/mediawiki/manifests/users/l10nupdate.pp
+++ /dev/null
@@ -1,40 +0,0 @@
-# mediawiki l10nupdate user
-class mediawiki::users::l10nupdate {
-    ## l10nupdate user
-    $authorized_key = 'ssh-rsa 
AAAAB3NzaC1yc2EAAAABIwAAAQEAzcA/wB0uoU+XgiYN/scGczrAGuN99O8L7m8TviqxgX9s+RexhPtn8FHss1GKi8oxVO1V+ssABVb2q0fGza4wqrHOlZadcFEGjQhZ4IIfUwKUo78mKhQsUyTd5RYMR0KlcjB4UyWSDX5tFHK6FE7/tySNTX7Tihau7KZ9R0Ax//KySCG0skKyI1BK4Ufb82S8wohrktBO6W7lag0O2urh9dKI0gM8EuP666DGnaNBFzycKLPqLaURCeCdB6IiogLHiR21dyeHIIAN0zD6SUyTGH2ZNlZkX05hcFUEWcsWE49+Ve/rdfu1wWTDnourH/Xm3IBkhVGqskB+yp3Jkz2D3Q==
 l10nupdate@fenari'
-
-    # On labs l10nupdate user and group are already in LDAP
-    if $::realm != 'labs' {
-        require groups::l10nupdate
-
-        generic::systemuser { 'l10nupdate':
-            name          => 'l10nupdate',
-            home          => '/home/l10nupdate',
-            default_group => 10002,
-            shell         => '/bin/bash',
-            before        => File['/home/l10nupdate/.ssh'],
-        }
-    } else {
-        file { '/home/l10nupdate':
-            owner  => 'l10nupdate',
-            group  => 'l10nupdate',
-            mode   => '0750',
-            ensure => directory,
-            before => File['/home/l10nupdate/.ssh'],
-        }
-    }
-
-    file {
-        '/home/l10nupdate/.ssh':
-            owner  => 'l10nupdate',
-            group  => 'l10nupdate',
-            mode   => '0500',
-            ensure => directory;
-        '/home/l10nupdate/.ssh/authorized_keys':
-            require => File['/home/l10nupdate/.ssh'],
-            owner   => 'l10nupdate',
-            group   => 'l10nupdate',
-            mode    => '0400',
-            content => $authorized_key;
-    }
-}
diff --git a/modules/mediawiki/manifests/users/mwdeploy.pp 
b/modules/mediawiki/manifests/users/mwdeploy.pp
deleted file mode 100644
index c36691d..0000000
--- a/modules/mediawiki/manifests/users/mwdeploy.pp
+++ /dev/null
@@ -1,17 +0,0 @@
-# mediawiki base mw deploy user
-class mediawiki::users::mwdeploy {
-
-    ## mwdeploy user
-    if $::realm != 'labs' {
-        generic::systemuser { 'mwdeploy': name => 'mwdeploy' }
-    } else {
-        # User created in LDAP
-        file { '/var/lib/mwdeploy':
-            ensure => directory,
-            owner  => 'mwdeploy',
-            group  => 'mwdeploy',
-            mode   => '0755',
-        }
-    }
-
-}
diff --git a/modules/mediawiki/manifests/users/sudo.pp 
b/modules/mediawiki/manifests/users/sudo.pp
deleted file mode 100644
index 402b0fe..0000000
--- a/modules/mediawiki/manifests/users/sudo.pp
+++ /dev/null
@@ -1,14 +0,0 @@
-# sudo rules for mw deployment
-class mediawiki::users::sudo {
-
-       require mediawiki::users::l10nupdate
-
-       ## sudo definitions
-       sudo_group {"wikidev_deploy":
-               privileges => ['ALL = (apache,mwdeploy,l10nupdate) NOPASSWD: 
ALL',
-                       'ALL = (root) NOPASSWD: /sbin/restart twemproxy',
-                       'ALL = (root) NOPASSWD: /sbin/start twemproxy'],
-               group => "wikidev"
-       }
-       sudo_user { "l10nupdate": privileges => ['ALL = (mwdeploy) NOPASSWD: 
ALL'] }
-}

-- 
To view, visit https://gerrit.wikimedia.org/r/133945
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I44df6e7f9706ff565eae3334e4d1574001df06dc
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Ori.livneh <o...@wikimedia.org>
