Hashar has uploaded a new change for review. ( https://gerrit.wikimedia.org/r/337377 )
Change subject: jenkins: support umask via service default
......................................................................
jenkins: support umask via service default
We used to set the Jenkins process umask via a .daemonrc file. Upstream
has made the sysvinit and default file support a UMASK parameter.
Drop /var/lib/jenkins/.daemonrc
Add a umask parameter to the default template
Set umask=0002 as the jenkins class default and explicitly set it at the
role::ci::master level.
Also, make the service depend on the default file.
Change-Id: Ic4a6240695ce7ae4d2f44d66fcfe2e4764da4c5e
---
M modules/jenkins/manifests/init.pp
M modules/jenkins/templates/etc/default/jenkins.sh.erb
M modules/role/manifests/ci/master.pp
3 files changed, 8 insertions(+), 14 deletions(-)
git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/77/337377/1
diff --git a/modules/jenkins/manifests/init.pp
b/modules/jenkins/manifests/init.pp
index 9978640..5029d3e 100644
--- a/modules/jenkins/manifests/init.pp
+++ b/modules/jenkins/manifests/init.pp
@@ -15,10 +15,14 @@
# [*service_enable*]
# Passed to Puppet Service['jenkins'] as 'enable'. Default: true.
#
+# [*umask*]
+# Control permission bits of files created by Jenkins. Passed to 'daemon'.
+# Default: '0002'
class jenkins(
$prefix,
$service_ensure = 'running',
$service_enable = true,
+ $umask = '0002'
)
{
require ::jenkins::user
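Review bot: the new `$umask` parameter in the class signature is accepted as a free-form string, with no check that it is an octal mode. The doc comment says it controls the permission bits of everything Jenkins creates, so a non-octal value such as '0008' or an empty string should fail the catalog rather than reach the service; if stdlib is available, something like `validate_re($umask, '^[0-7]{3,4}$')` at the top of the class would do it. The doc block could also say why '0002' (group-writable) is the default, and `$umask = '0002'` would read better with a trailing comma.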
@@ -40,18 +44,8 @@
require => Package['openjdk-7-jre-headless'],
}
-
- # Jenkins should write everything group writable so admins can interact
with
- # files easily, hence we need it to run with umask 0002.
- # The Jenkins software is daemonized in the init script using
- # /usr/bin/daemon which reset the umask value. Daemon accepts per user
- # configuration via the ~/.daemonrc, set the umask there.
file { '/var/lib/jenkins/.daemonrc':
- ensure => 'present',
- content => "jenkins umask=0002\n",
- owner => 'jenkins',
- group => 'jenkins',
- mode => '0644',
+ ensure => 'absent',
}
# Workaround for a Jenkins security issue.
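Review bot: the removed comment block was the only place explaining why Jenkins runs with umask 0002 (group-writable files so admins can interact with them), and nothing in this hunk carries that rationale over. Suggest keeping a short version of it next to the new parameter, and adding a comment on the `ensure => 'absent'` resource saying it is a cleanup of the old ~/.daemonrc, so it is clear the resource can be dropped once the file is gone everywhere.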
@@ -80,8 +74,7 @@
ensure => $real_ensure,
enable => $service_enable,
hasrestart => true,
- # Better have umask properly set before starting
- require => File['/var/lib/jenkins/.daemonrc'],
+ require => File['/etc/default/jenkins'],
}
# nagios monitoring
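Review bot: `require => File['/etc/default/jenkins']` only orders the service after the file; it does not restart Jenkins when the file changes, so a later change to UMASK would not reach the running process until the next restart. If that is intended, to avoid unplanned restarts of the CI master, a comment saying so would help; otherwise `subscribe` is the relationship to use. The removed comment ("Better have umask properly set before starting") still describes the intent and could stay with the new dependency.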
diff --git a/modules/jenkins/templates/etc/default/jenkins.sh.erb
b/modules/jenkins/templates/etc/default/jenkins.sh.erb
index 78fcceb..e12ffd6 100644
--- a/modules/jenkins/templates/etc/default/jenkins.sh.erb
+++ b/modules/jenkins/templates/etc/default/jenkins.sh.erb
@@ -64,7 +64,7 @@
# If commented out, the value from the OS is inherited, which is normally
022 (as of Ubuntu 12.04,
# by default umask comes from pam_umask(8) and /etc/login.defs
-# UMASK=027
+UMASK=<%= @umask %>
# port for HTTP connector (default 8080; disable with -1)
HTTP_PORT=8080
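Review bot: the comment above `UMASK=<%= @umask %>` still reads "If commented out, the value from the OS is inherited", but with this change the line is always rendered, so that text no longer describes the managed file. The value is also interpolated unquoted into a file that is sourced as shell, so it should only ever be an octal mode; either validate the parameter in the class or state the expectation here. It is worth noting as well that 0002 keeps read access for others, where the previous example value 027 would have removed it.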
diff --git a/modules/role/manifests/ci/master.pp
b/modules/role/manifests/ci/master.pp
index 6081a06..f2171df 100644
--- a/modules/role/manifests/ci/master.pp
+++ b/modules/role/manifests/ci/master.pp
@@ -26,6 +26,7 @@
# Load the Jenkins module, that setup a Jenkins master
class { '::jenkins':
prefix => $jenkins_prefix,
+ umask => '0002',
}
class { '::contint::proxy_jenkins':
prefix => $jenkins_prefix,
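Review bot: `umask => '0002'` repeats the value that is already the class default, so a later reader may drop it as redundant. The commit message says it is set explicitly on purpose; a one-line comment above it saying why would keep that intent with the code.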
--
To view, visit https://gerrit.wikimedia.org/r/337377
Gerrit-MessageType: newchange
Gerrit-Change-Id: Ic4a6240695ce7ae4d2f44d66fcfe2e4764da4c5e
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Hashar <[email protected]>