Ori.livneh has submitted this change and it was merged.

Change subject: Add deploy-service user
......................................................................


Add deploy-service user

These are changes necessary for service deployment to work inside beta.

deploy-service user
---

Creates a deploy-service user that will be used to execute remote
commands on RESTBase nodes in the RESTBase remote deploy directory
(`/srv/deployment/restbase/deploy`).

This user is for RESTBase hosts.

To ensure that this new user has full control over the remote repository
(currently deployed via trebuchet) the ownership of the remote directory
is modified via a puppet exec.

The exec call (as well as deployment via trebuchet) will
be removed as the scap3 project progresses.

deploy-service group
---

Creates a deploy-service group which has access to the ssh-agent proxy
containing the private key for the servicedeploy user on RESTBase hosts.

The private key is in the private puppet repository (commit 3c2da005f0749b).
Its passphrase is in the password store (commit 93ceafd744c).

This group is for tin.

Change-Id: I0a1da64658b4a9df4bb57897c890da105dba95d6
Bug: T109862
---
M hieradata/role/common/deployment/server.yaml
M manifests/role/deployment.pp
M modules/admin/data/data.yaml
M modules/beta/templates/pam-access.conf.erb
A modules/restbase/files/servicedeploy_rsa.pub
A modules/restbase/manifests/deploy.pp
M modules/restbase/manifests/init.pp
7 files changed, 86 insertions(+), 2 deletions(-)

Approvals:
  Ori.livneh: Verified; Looks good to me, approved



diff --git a/hieradata/role/common/deployment/server.yaml 
b/hieradata/role/common/deployment/server.yaml
index eb26f28..2304440 100644
--- a/hieradata/role/common/deployment/server.yaml
+++ b/hieradata/role/common/deployment/server.yaml
@@ -1,5 +1,6 @@
 admin::groups:
   - deployment
+  - deploy-service
   - parsoid-admin
   - ocg-render-admins
   - wdqs-admins
diff --git a/manifests/role/deployment.pp b/manifests/role/deployment.pp
index c7263ce..3abe222 100644
--- a/manifests/role/deployment.pp
+++ b/manifests/role/deployment.pp
@@ -11,6 +11,7 @@
     # Can't include this while scap is present on tin:
     # include misc::deployment::scripts
     include role::deployment::mediawiki
+    include role::deployment::services
 
     class { 'deployment::deployment_server':
         deployer_groups => [$deployment_group],
@@ -149,6 +150,21 @@
     }
 }
 
+class role::deployment::services (
+    $keyholder_user  = 'deploy-service',
+    $keyholder_group = 'deploy-service',
+    $key_fingerprint  = '6d:54:92:8b:39:10:f5:9b:84:40:36:ef:3c:9a:6d:d8',
+) {
+    require ::keyholder
+    require ::keyholder::monitoring
+
+    keyholder::agent { $keyholder_user:
+        trusted_group   => $keyholder_group,
+        key_fingerprint => $key_fingerprint,
+        key_file        => 'servicedeploy_rsa',
+    }
+}
+
 class role::deployment::test {
     package { 'test/testrepo':
         provider => 'trebuchet',
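Review bot: The new class `role::deployment::services` carries no documentation header, while `restbase::deploy` in the same change uses the `# == Class` / `# === Parameters` style; the three parameters deserve a block in that style, in particular that `key_fingerprint` must match the key named by `key_file` and that members of `$keyholder_group` are the ones allowed to use the resulting agent. A header along the lines of `# == Class role::deployment::services`, `# Runs a keyholder agent for the servicedeploy key; members of $keyholder_group may use it`, `# [*key_fingerprint*] fingerprint of the key in key_file` would do. As a style nit, `$key_fingerprint  =` has two spaces before `=` where the two parameters above it use one. The one-line `include role::deployment::services` hunk earlier in this file needs nothing.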
diff --git a/modules/admin/data/data.yaml b/modules/admin/data/data.yaml
index 0c009ca..cd7ae96 100644
--- a/modules/admin/data/data.yaml
+++ b/modules/admin/data/data.yaml
@@ -398,6 +398,11 @@
     members: [krinkle]
     privileges: ['ALL = (ALL) NOPASSWD: ALL']
 
+  deploy-service:
+    gid: 763
+    description: Service deploy users
+    members: [eevans, gwicke, mobrovac, demon, twentyafterfour, thcipriani, 
dduvall]
+    privileges: []
 
 users:
   rush:
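Review bot: The `description` of the new `deploy-service` group reads as a plain user category, yet the `keyholder::agent` declared in this change uses `trusted_group => 'deploy-service'`, so membership is what grants use of the ssh agent holding the servicedeploy private key; that is the fact a reviewer of future membership additions needs to see. Suggest `description: Service deploy users (keyholder access to the servicedeploy key on tin)`. The `privileges: []` entry is consistent with the group conferring no sudo rights of its own.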
diff --git a/modules/beta/templates/pam-access.conf.erb 
b/modules/beta/templates/pam-access.conf.erb
index a46decb..fa77641 100644
--- a/modules/beta/templates/pam-access.conf.erb
+++ b/modules/beta/templates/pam-access.conf.erb
@@ -3,5 +3,5 @@
 # users except for members of the nova project
 # that this instance is a member of:
 
-+ : mwdeploy : <%= @bastion_ip %>
++ : deploy-service mwdeploy : <%= @bastion_ip %>
 -:ALL EXCEPT (project-deployment-prep) root:ALL
diff --git a/modules/restbase/files/servicedeploy_rsa.pub 
b/modules/restbase/files/servicedeploy_rsa.pub
new file mode 100644
index 0000000..8b596e9
--- /dev/null
+++ b/modules/restbase/files/servicedeploy_rsa.pub
@@ -0,0 +1 @@
+ssh-rsa 
AAAAB3NzaC1yc2EAAAADAQABAAABAQCvbV8H7VzyH+NZuCMakT/YYIZH8qyzi1VefDuidplENGZgnXf1whCASFKpgE/y2aZOhHOFQR4jg42dRMDbmEQQGWFm/0Ve4gjmdv87ZNIPdZiGKgWBPnt1+XaUdRc+RvTS9uJg67XhKA5mxyk4uj5wj9OZq65C1okQIC3FuowhZCTkdHryjrQ1JxrayAvI6gED2rALIgScqfvw+UwJ/guoS9XH/yb07SNcuHmF9H5nRTsAYzfvv71/rVTFFTyrnSBUNDIvXsHJjKTwD4SX3FsZPsQ0mK/Uu98YypLN+hsIEFF6q8YTxxab2T2kV59MI7XBJgQi+MptDezA2y2nqp0L
 servicedeploy_rsa
diff --git a/modules/restbase/manifests/deploy.pp 
b/modules/restbase/manifests/deploy.pp
new file mode 100644
index 0000000..5bd6748
--- /dev/null
+++ b/modules/restbase/manifests/deploy.pp
@@ -0,0 +1,55 @@
+# == Class restbase::deploy
+#
+# Creates user and permissions for deploy user
+# on restbase hosts
+#
+# === Parameters
+#
+# [*public_key*]
+#   This is the public_key for the deploy-service user. The private part of 
this
+#   key should reside in the private puppet repo for the environment. By 
default
+#   this public key is set to the deploy-service user's public key for 
production
+#   private puppet—it should be overwritten using hiera in non-production
+#   environements.
+
+class restbase::deploy(
+    $public_key_file = 'puppet:///modules/restbase/servicedeploy_rsa.pub',
+) {
+    $user = 'deploy-service'
+
+    user { $user:
+        ensure     => present,
+        shell      => '/bin/bash',
+        home       => '/var/lib/scap',
+        system     => true,
+        managehome => true,
+    }
+
+    ssh::userkey { $user:
+        source => $public_key_file,
+    }
+
+    # Using trebuchet provider while scap service deployment is under
+    # development—chicken and egg things
+    #
+    # This should be removed once scap3 is in a final state
+    package { 'scap/scap':
+        provider => 'trebuchet',
+    }
+
+    # Rather than futz with adding new functionality to allow a deployment
+    # user set per repository in trebuchet, I'm running an exec here
+    $dir = '/srv/deployment/restbase/deploy'
+    exec { 'chown deploy-service':
+        command => "/bin/chown -R ${user} ${dir}",
+        unless  => "/usr/bin/test $(/usr/bin/stat -c'%U' ${dir}) = ${user}"
+    }
+
+    sudo::user { $user:
+        privileges => [
+            "ALL = ($user) NOPASSWD: ALL",
+            'ALL = (root) NOPASSWD: /usr/sbin/service restbase restart',
+        ]
+    }
+
+}
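Review bot: The header documents a parameter `[*public_key*]` but the class declares `$public_key_file`; the doc line should read `# [*public_key_file*]`, and `environements` should be `environments`. The `unless` of the `chown deploy-service` exec relies on `$(...)` command substitution, which Puppet's default `posix` exec provider is documented not to pass through a shell — either add `provider => shell,` or confirm it evaluates as intended; it also only inspects the owner of the top-level directory, so files trebuchet deploys later under another owner will not be re-owned. There is no relationship between this exec and `Package['restbase/deploy']` declared in init.pp, so on a fresh host the exec may run before the directory exists and fail until it does. A short comment on the `sudo::user` block noting that the `service restbase restart` rule is the only root-level right granted to this user would help future reviewers of the privilege set.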
diff --git a/modules/restbase/manifests/init.pp 
b/modules/restbase/manifests/init.pp
index b70d2f2..a0761cc 100644
--- a/modules/restbase/manifests/init.pp
+++ b/modules/restbase/manifests/init.pp
@@ -61,12 +61,18 @@
     $graphoid_uri   = 'http://graphoid.svc.eqiad.wmnet:19000',
     $mobileapps_uri = 'http://mobileapps.svc.eqiad.wmnet:8888',
 ) {
-    ensure_packages( ['nodejs', 'nodejs-legacy', 'npm'] )
+    if $::realm == 'labs' {
+        include restbase::deploy
+    }
 
     package { 'restbase/deploy':
         provider => 'trebuchet',
     }
 
+    require_package('nodejs')
+    require_package('nodejs-legacy')
+    require_package('npm')
+
     group { 'restbase':
         ensure => present,
         system => true,
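Review bot: The `if $::realm == 'labs'` gate around `include restbase::deploy` is unexplained in the code; the commit message says these changes are for beta only while trebuchet still deploys in production, so a comment such as `# deploy-service user for scap3 service deployment; beta only until scap3 replaces trebuchet (T109862)` would keep that intent visible where the gate lives. The class whose parameter list and body this hunk cuts through starts and ends outside the hunk. Whether the three `require_package` calls that replace `ensure_packages([...])` carry the same ordering semantics in this repo cannot be verified from the hunk; if they differ, the commit message should say so.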


Gerrit-MessageType: merged
Gerrit-Change-Id: I0a1da64658b4a9df4bb57897c890da105dba95d6
Gerrit-PatchSet: 13
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Thcipriani <tcipri...@wikimedia.org>
Gerrit-Reviewer: 20after4 <mmod...@wikimedia.org>
Gerrit-Reviewer: BryanDavis <bda...@wikimedia.org>
Gerrit-Reviewer: Chad <ch...@wikimedia.org>
Gerrit-Reviewer: Dduvall <dduv...@wikimedia.org>
Gerrit-Reviewer: Filippo Giunchedi <fgiunch...@wikimedia.org>
Gerrit-Reviewer: GWicke <gwi...@wikimedia.org>
Gerrit-Reviewer: Hashar <has...@free.fr>
Gerrit-Reviewer: Mobrovac <mobro...@wikimedia.org>
Gerrit-Reviewer: Ori.livneh <o...@wikimedia.org>
Gerrit-Reviewer: Thcipriani <tcipri...@wikimedia.org>
Gerrit-Reviewer: Yuvipanda <yuvipa...@wikimedia.org>
Gerrit-Reviewer: jenkins-bot <>
