Ori.livneh has submitted this change and it was merged. Change subject: Add deploy-service user ......................................................................
Add deploy-service user These are changes necessary for service deployment to work inside beta. deploy-service user --- Creates a deploy-service user that will be used to execute remote commands on RESTBase nodes in the RESTBase remote deploy directory (`/srv/deployment/restbase/deploy`). This user is for RESTBase hosts To ensure that this new user has full control over the remote repository (currently deployed via trebuchet) the ownership of the remote directory is modified via a puppet exec. The exec call (as well as deployment via trebuchet) will be removed as the scap3 project progresses. deploy-service group --- Creates a deploy-service group which has access to the ssh-agent proxy containing the private key for the servicedeploy user on RESTBase hosts. The private key is in the private puppet repository (commit 3c2da005f0749b). Its passphrase is in the password store (commit 93ceafd744c). This group is for tin. Change-Id: I0a1da64658b4a9df4bb57897c890da105dba95d6 Bug: T109862 --- M hieradata/role/common/deployment/server.yaml M manifests/role/deployment.pp M modules/admin/data/data.yaml M modules/beta/templates/pam-access.conf.erb A modules/restbase/files/servicedeploy_rsa.pub A modules/restbase/manifests/deploy.pp M modules/restbase/manifests/init.pp 7 files changed, 86 insertions(+), 2 deletions(-) Approvals: Ori.livneh: Verified; Looks good to me, approved diff --git a/hieradata/role/common/deployment/server.yaml b/hieradata/role/common/deployment/server.yaml index eb26f28..2304440 100644 --- a/hieradata/role/common/deployment/server.yaml +++ b/hieradata/role/common/deployment/server.yaml @@ -1,5 +1,6 @@ admin::groups: - deployment + - deploy-service - parsoid-admin - ocg-render-admins - wdqs-admins diff --git a/manifests/role/deployment.pp b/manifests/role/deployment.pp index c7263ce..3abe222 100644 --- a/manifests/role/deployment.pp +++ b/manifests/role/deployment.pp 
@@ -11,6 +11,7 @@ # Can't include this while scap is present on tin: # include misc::deployment::scripts include role::deployment::mediawiki + include role::deployment::services class { 'deployment::deployment_server': deployer_groups => [$deployment_group], @@ -149,6 +150,21 @@ } } +class role::deployment::services ( + $keyholder_user = 'deploy-service', + $keyholder_group = 'deploy-service', + $key_fingerprint = '6d:54:92:8b:39:10:f5:9b:84:40:36:ef:3c:9a:6d:d8', +) { + require ::keyholder + require ::keyholder::monitoring + + keyholder::agent { $keyholder_user: + trusted_group => $keyholder_group, + key_fingerprint => $key_fingerprint, + key_file => 'servicedeploy_rsa', + } +} + class role::deployment::test { package { 'test/testrepo': provider => 'trebuchet', diff --git a/modules/admin/data/data.yaml b/modules/admin/data/data.yaml index 0c009ca..cd7ae96 100644 --- a/modules/admin/data/data.yaml +++ b/modules/admin/data/data.yaml @@ -398,6 +398,11 @@ members: [krinkle] privileges: ['ALL = (ALL) NOPASSWD: ALL'] + deploy-service: + gid: 763 + description: Service deploy users + members: [eevans, gwicke, mobrovac, demon, twentyafterfour, thcipriani, dduvall] + privileges: [] users: rush: diff --git a/modules/beta/templates/pam-access.conf.erb b/modules/beta/templates/pam-access.conf.erb index a46decb..fa77641 100644 --- a/modules/beta/templates/pam-access.conf.erb +++ b/modules/beta/templates/pam-access.conf.erb @@ -3,5 +3,5 @@ # users except for members of the nova project # that this instance is a member of: -+ : mwdeploy : <%= @bastion_ip %> ++ : deploy-service mwdeploy : <%= @bastion_ip %> -:ALL EXCEPT (project-deployment-prep) root:ALL diff --git a/modules/restbase/files/servicedeploy_rsa.pub b/modules/restbase/files/servicedeploy_rsa.pub new file mode 100644 index 0000000..8b596e9 --- /dev/null +++ b/modules/restbase/files/servicedeploy_rsa.pub 
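Review bot: The `deploy-service` group is declared with `privileges: []`, which reads as a no-rights group, but in this same change `role::deployment::services` makes it the keyholder `trusted_group` for `servicedeploy_rsa`, and `restbase::deploy` gives the matching remote user `NOPASSWD` sudo for `/usr/sbin/service restbase restart`; membership is therefore an effective grant of SSH-as-deploy-service plus restart rights on RESTBase hosts. That should be visible in the admin data itself, e.g. `description: Service deploy users (may use the servicedeploy ssh key via keyholder; can restart restbase on RESTBase hosts)`. Separately, the same identifier `deploy-service` names this human group (gid 763) on tin and the system user created by `restbase::deploy` on RESTBase hosts; on any host that ends up with both, the admin-managed group and the user's default primary group would presumably collide, so a distinct name for one of them would be safer — I cannot tell from this diff whether such a host exists.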
@@ -0,0 +1 @@ +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCvbV8H7VzyH+NZuCMakT/YYIZH8qyzi1VefDuidplENGZgnXf1whCASFKpgE/y2aZOhHOFQR4jg42dRMDbmEQQGWFm/0Ve4gjmdv87ZNIPdZiGKgWBPnt1+XaUdRc+RvTS9uJg67XhKA5mxyk4uj5wj9OZq65C1okQIC3FuowhZCTkdHryjrQ1JxrayAvI6gED2rALIgScqfvw+UwJ/guoS9XH/yb07SNcuHmF9H5nRTsAYzfvv71/rVTFFTyrnSBUNDIvXsHJjKTwD4SX3FsZPsQ0mK/Uu98YypLN+hsIEFF6q8YTxxab2T2kV59MI7XBJgQi+MptDezA2y2nqp0L servicedeploy_rsa diff --git a/modules/restbase/manifests/deploy.pp b/modules/restbase/manifests/deploy.pp new file mode 100644 index 0000000..5bd6748 --- /dev/null +++ b/modules/restbase/manifests/deploy.pp 
@@ -0,0 +1,55 @@
+# == Class restbase::deploy
+#
+# Creates user and permissions for deploy user
+# on restbase hosts
+#
+# === Parameters
+#
+# [*public_key*]
+# This is the public_key for the deploy-service user. The private part of this
+# key should reside in the private puppet repo for the environment. By default
+# this public key is set to the deploy-service user's public key for production
+# private puppet—it should be overwritten using hiera in non-production
+# environements.
+
+class restbase::deploy(
+ $public_key_file = 'puppet:///modules/restbase/servicedeploy_rsa.pub',
+) {
+ $user = 'deploy-service'
+
+ user { $user:
+ ensure => present,
+ shell => '/bin/bash',
+ home => '/var/lib/scap',
+ system => true,
+ managehome => true,
+ }
+
+ ssh::userkey { $user:
+ source => $public_key_file,
+ }
+
+ # Using trebuchet provider while scap service deployment is under
+ # development—chicken and egg things
+ #
+ # This should be removed once scap3 is in a final state
+ package { 'scap/scap':
+ provider => 'trebuchet',
+ }
+
+ # Rather than futz with adding new functionality to allow a deployment
+ # user set per repository in trebuchet, I'm running an exec here
+ $dir = '/srv/deployment/restbase/deploy'
+ exec { 'chown deploy-service':
+ command => "/bin/chown -R ${user} ${dir}",
+ unless => "/usr/bin/test $(/usr/bin/stat -c'%U' ${dir}) = ${user}"
+ }
+
+ sudo::user { $user:
+ privileges => [
+ "ALL = ($user) NOPASSWD: ALL",
+ 'ALL = (root) NOPASSWD: /usr/sbin/service restbase restart',
+ ]
+ }
+
+}
diff --git a/modules/restbase/manifests/init.pp b/modules/restbase/manifests/init.pp
index b70d2f2..a0761cc 100644
--- a/modules/restbase/manifests/init.pp
+++ b/modules/restbase/manifests/init.pp
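Review bot: The header documents the parameter as `[*public_key*]` but the class declares `$public_key_file`, so a hiera override written to the documented key (`restbase::deploy::public_key`) is silently ignored and the host keeps authorizing the production `servicedeploy_rsa.pub`; since init.pp includes this class for `$::realm == 'labs'`, that override is the only thing keeping the production key off labs hosts, so fix the doc line to `# [*public_key_file*]`. The `unless` guard on the `chown -R` exec only inspects the owner of the top-level `${dir}`, so files later recreated under it with another owner will not be re-chowned, and the `$(...)` substitution in it only works if the exec actually runs through a shell — either set `provider => shell` on the exec or add a comment stating that assumption. The `"ALL = ($user) NOPASSWD: ALL"` rule lets the user run anything as itself, which it can already do; dropping it leaves only the intended root-level `service restbase restart` rule and makes the sudoers grant read as exactly what it is.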
@@ -61,12 +61,18 @@ $graphoid_uri = 'http://graphoid.svc.eqiad.wmnet:19000', $mobileapps_uri = 'http://mobileapps.svc.eqiad.wmnet:8888', ) { - ensure_packages( ['nodejs', 'nodejs-legacy', 'npm'] ) + if $::realm == 'labs' { + include restbase::deploy + } package { 'restbase/deploy': provider => 'trebuchet', } + require_package('nodejs') + require_package('nodejs-legacy') + require_package('npm') + group { 'restbase': ensure => present, system => true, -- To view, visit https://gerrit.wikimedia.org/r/232843 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: I0a1da64658b4a9df4bb57897c890da105dba95d6 Gerrit-PatchSet: 13 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Thcipriani <tcipri...@wikimedia.org> Gerrit-Reviewer: 20after4 <mmod...@wikimedia.org> Gerrit-Reviewer: BryanDavis <bda...@wikimedia.org> Gerrit-Reviewer: Chad <ch...@wikimedia.org> Gerrit-Reviewer: Dduvall <dduv...@wikimedia.org> Gerrit-Reviewer: Filippo Giunchedi <fgiunch...@wikimedia.org> Gerrit-Reviewer: GWicke <gwi...@wikimedia.org> Gerrit-Reviewer: Hashar <has...@free.fr> Gerrit-Reviewer: Mobrovac <mobro...@wikimedia.org> Gerrit-Reviewer: Ori.livneh <o...@wikimedia.org> Gerrit-Reviewer: Thcipriani <tcipri...@wikimedia.org> Gerrit-Reviewer: Yuvipanda <yuvipa...@wikimedia.org> Gerrit-Reviewer: jenkins-bot <> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
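Review bot: `include restbase::deploy` is added next to `package { 'restbase/deploy': provider => 'trebuchet' }` with no ordering between them, yet `restbase::deploy` (in deploy.pp) runs `chown -R` over `/srv/deployment/restbase/deploy`, the directory that package presumably creates; on a fresh labs host the `stat`-based `unless` check would fail before the directory exists and the chown would likely run and error on the first Puppet run. Suggest pinning the dependency here, e.g. `Package['restbase/deploy'] -> Class['restbase::deploy']`, or a `require => Package['restbase/deploy']` on the exec. The `group { 'restbase':` resource continues beyond the end of the hunk.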