BryanDavis has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/162160

Change subject: Stop changing git::clone shared permissions unconditionally
......................................................................

Stop changing git::clone shared permissions unconditionally

The inline comments on the file permissions changes indicate that the
intent was to correct the permissions on clones where the "shared => true"
flag was not initially supplied. The actual implementation includes notify
parameters to ensure this is done, but since the exec resources lacked
the "refreshonly => true" they were evaluated on each puppet run. With
labs_vagrant, this results in a lot of puppet log spam as files are
added in directories under the initial git clone.

Additionally, correct a permissions change bug that stripped all
"others" permissions while applying the recursive permissions changes.
This also causes problems for usage in labs_vagrant where the "others"
permissions are used to allow apache to read files.

The back story on this feature is that Ori and I were trying to get
puppet to manage a clone of mediawiki/tools/scap that had initially been
cloned as root only and needed to be updateable by a non-root (me). Scap
has since been changed to deploy via Trebuchet so I think at this point
the labs_vagrant role is the only user of the shared clone logic.

Change-Id: I86883ec708b104c8d5d267672b4c1a24453ea21b
---
M modules/git/manifests/clone.pp
1 file changed, 19 insertions(+), 16 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/60/162160/1

diff --git a/modules/git/manifests/clone.pp b/modules/git/manifests/clone.pp
index 3853af5..44d58c0 100644
--- a/modules/git/manifests/clone.pp
+++ b/modules/git/manifests/clone.pp
@@ -140,8 +140,8 @@
             }
 
             if ( $shared ) {
-                # Changing an existing git repository to be shared by a group 
is ugly,
-                # but here's how you do it without causing log churn.
+                # Changing an existing git repository to be shared by a group
+                # is ugly, but here's how you do it without causing log churn.
                 exec { "git_clone_${title}_configure_shared_repository":
                     command => 'git config --local core.sharedRepository 
group',
                     unless  => 'test $(git config --local 
core.sharedRepository) = group',
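Review bot: the unless guard in the context line, test $(git config --local core.sharedRepository) = group, leaves the command substitution unquoted. When the key is unset the command becomes "test = group", so the guard fails through a malformed expression rather than a real comparison. Quoting it as test "$(git config --local core.sharedRepository)" = group gives a clean false. Since this hunk already touches the comment, it could also say that the permission execs below now run only on refresh, because that is what keeps the log quiet after this change.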
@@ -151,26 +151,29 @@
                 }
 
                 exec { "git_clone_${title}_set_group_owner":
-                    command => "chgrp -R '${group}' '${directory}'",
-                    onlyif  => "find '${directory}' ! -group '${group}' -print 
-quit | grep ''",
-                    cwd     => $directory,
-                    require => 
Exec["git_clone_${title}_configure_shared_repository"],
-                    notify  => Exec["git_clone_${title}_group_writable"],
+                    command     => "chgrp -R '${group}' '${directory}'",
+                    refreshonly => true,
+                    onlyif      => "find '${directory}' ! -group '${group}' 
-print -quit | grep ''",
+                    cwd         => $directory,
+                    require     => 
Exec["git_clone_${title}_configure_shared_repository"],
+                    notify      => Exec["git_clone_${title}_group_writable"],
                 }
 
                 exec { "git_clone_${title}_group_writable":
-                    command => "find '${directory}' ! -perm -g=wX,o= -exec 
chmod g+wX,o= '{}' ';'",
-                    onlyif  => "find '${directory}' ! -perm -g=wX,o= -print 
-quit | grep ''",
-                    cwd     => $directory,
-                    require => Exec["git_clone_${title}_set_group_owner"],
-                    notify  => Exec["git_clone_${title}_sgid_bit"],
+                    command     => "find '${directory}' ! -perm -g=wX -exec 
chmod g+wX '{}' ';'",
+                    refreshonly => true,
+                    onlyif      => "find '${directory}' ! -perm -g=wX -print 
-quit | grep ''",
+                    cwd         => $directory,
+                    require     => Exec["git_clone_${title}_set_group_owner"],
+                    notify      => Exec["git_clone_${title}_sgid_bit"],
                 }
 
                 exec { "git_clone_${title}_sgid_bit":
-                    command => "find '${directory}' -mindepth 1 -type d -and ! 
-perm -g+s -exec chmod g+s '{}' ';'",
-                    onlyif  => "find '${directory}' -mindepth 1 -type d -and ! 
-perm -g+s -print -quit | grep ''",
-                    cwd     => $directory,
-                    require => Exec["git_clone_${title}_group_writable"],
+                    command     => "find '${directory}' -mindepth 1 -type d 
-and ! -perm -g+s -exec chmod g+s '{}' ';'",
+                    refreshonly => true,
+                    onlyif      => "find '${directory}' -mindepth 1 -type d 
-and ! -perm -g+s -print -quit | grep ''",
+                    cwd         => $directory,
+                    require     => Exec["git_clone_${title}_group_writable"],
                 }
             }
 
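Review bot: in git_clone_${title}_group_writable, dropping o= from both the -perm test and the chmod means this exec no longer constrains the "others" bits at all, so a file that is already world-writable in the clone stays that way while also gaining g+w. If the aim is only to keep o+r for apache, consider chmod g+wX,o-w and extend the onlyif find to also match world-writable entries. Separately, with refreshonly => true on git_clone_${title}_set_group_owner, the require shown here orders the resource but does not send a refresh, so the whole chain depends on a notify from git_clone_${title}_configure_shared_repository in lines this diff does not show. Please confirm it is there, and note in the define's documentation that permissions are fixed only when that exec fires, not on every run.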

-- 
To view, visit https://gerrit.wikimedia.org/r/162160

Gerrit-MessageType: newchange
Gerrit-Change-Id: I86883ec708b104c8d5d267672b4c1a24453ea21b
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: BryanDavis <[email protected]>