Thcipriani has uploaded a new change for review. https://gerrit.wikimedia.org/r/232843
Change subject: Add servicedeploy user; Modifiy keyholder service
......................................................................

Add servicedeploy user; Modify keyholder service

These are the changes necessary for servicedeploy to work inside beta.

servicedeploy user
---
Creates a servicedeploy user that will be used to execute remote commands on RESTBase nodes in the RESTBase remote deploy directory (`/srv/deployment/restbase/deploy`). This user is for RESTBase hosts.

To ensure that this new user has full control over the remote repository (currently deployed via trebuchet), the ownership of the remote directory is modified via a puppet exec. The exec call (as well as deployment via trebuchet) will be removed as the scap3 project progresses.

servicedeploy group
---
Creates a servicedeploy group which has access to the ssh-agent proxy containing the private key for the servicedeploy user on RESTBase hosts. This group is for tin.

Keyholder service modifications
---
For mediawiki deploy, the current user for remote execution is mwdeploy and the current group for ssh-agent access is wikidev. To make sure that the new deploy user key is available only to servicedeploy group members, a second keyholder agent and proxy pair is necessary. This patch changes the keyholder::agent class to a keyholder::agent resource.
NOTE: old keyholder files and sockets should be cleaned:
  sudo service keyholder-agent stop
  sudo service keyholder-proxy stop
  sudo rm /etc/init/keyholder-agent
  sudo rm /etc/init/keyholder-proxy
  sudo rm /run/keyholder/proxy.sock
  sudo rm /run/keyholder/agent.sock

Change-Id: I0a1da64658b4a9df4bb57897c890da105dba95d6
---
M hieradata/hosts/tin.yaml
M manifests/role/deployment.pp
M modules/admin/data/data.yaml
M modules/beta/templates/pam-access.conf.erb
D modules/keyholder/files/keyholder-agent.conf
A modules/keyholder/manifests/agent.pp
M modules/keyholder/manifests/init.pp
A modules/keyholder/templates/keyholder-agent.conf.erb
M modules/keyholder/templates/keyholder-proxy.conf.erb
A modules/restbase/manifests/deploy.pp
M modules/restbase/manifests/init.pp
11 files changed, 193 insertions(+), 91 deletions(-)

git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/43/232843/1

diff --git a/hieradata/hosts/tin.yaml b/hieradata/hosts/tin.yaml
index 71b61c0..e7b376e 100644
--- a/hieradata/hosts/tin.yaml
+++ b/hieradata/hosts/tin.yaml
@@ -5,6 +5,7 @@
   - codfw.wmnet
 admin::groups:
   - deployment
+  - servicedeploy
   - parsoid-admin
   - ocg-render-admins
   - wdqs-admins
diff --git a/manifests/role/deployment.pp b/manifests/role/deployment.pp
index b962df9..75865c1 100644
--- a/manifests/role/deployment.pp
+++ b/manifests/role/deployment.pp
@@ -5,10 +5,6 @@
 }
 
 class role::deployment::server(
-    # Source of the key, change this if not in production, with hiera.
-    # lint:ignore:puppet_url_without_modules
-    $key_source = 'puppet:///private/ssh/tin/mwdeploy_rsa',
-    # lint:endignore
     $apache_fqdn = $::fqdn,
     $deployment_group = 'wikidev',
 ) {
@@ -59,11 +55,8 @@
         remote_branch => 'readonly/master'
     }
 
-    class { '::keyholder': trusted_group => $deployment_group, } ->
-    class { '::keyholder::monitoring': } ->
-    keyholder::private_key { 'mwdeploy_rsa':
-        source => $key_source,
-    }
+    include role::deployment::mediawiki
+    include role::deployment::services
 
     file { '/srv/deployment':
         ensure => directory,
@@ -142,6 +135,30 @@
     }
 }
 
+class role::deployment::mediawiki(
+    $keyholder_user = 'mwdeploy',
+    $keyholder_group = 'wikidev',
+) {
+    require ::keyholder
+    require ::keyholder::monitoring
+
+    keyholder::agent{ $keyholder_user:
+        trusted_group => $keyholder_group,
+    }
+}
+
+class role::deployment::services (
+    $keyholder_user = 'servicedeploy',
+    $keyholder_group = 'servicedeploy',
+) {
+    require ::keyholder
+    require ::keyholder::monitoring
+
+    keyholder::agent{ $keyholder_user:
+        trusted_group => $keyholder_group,
+    }
+}
+
 class role::deployment::test {
     package { 'test/testrepo':
         provider => 'trebuchet',
diff --git a/modules/admin/data/data.yaml b/modules/admin/data/data.yaml
index d08cf5b..324fbaa 100644
--- a/modules/admin/data/data.yaml
+++ b/modules/admin/data/data.yaml
@@ -364,6 +364,12 @@
     gid: 760
     description: users who can login on fluorine and read mediawiki logs
     members: [tjones]
+  servicedeploy:
+    gid: 761
+    description: Service deploy users
+    members: [eevans, gwicke, mobrovac, demon, twentyafterfour, thcipriani, dduvall]
+    privileges: []
+
 users:
   rush:
     ensure: present
diff --git a/modules/beta/templates/pam-access.conf.erb b/modules/beta/templates/pam-access.conf.erb
index a46decb..78d1ed6 100644
--- a/modules/beta/templates/pam-access.conf.erb
+++ b/modules/beta/templates/pam-access.conf.erb
@@ -3,5 +3,5 @@
 # users except for members of the nova project
 # that this instance is a member of:
-+ : mwdeploy : <%= @bastion_ip %>
++ : servicedeploy mwdeploy : <%= @bastion_ip %>
 -:ALL EXCEPT (project-deployment-prep) root:ALL
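Review bot: role::deployment::mediawiki and role::deployment::services pass `$keyholder_group` to keyholder::agent with nothing ordering the group's creation first, while the define's own header in this change says the caller must ensure the group exists and its example uses `require => Group['wikidev']`. On tin the `servicedeploy` group arrives via admin::groups in hieradata, so if the admin module declares those as `Group` resources, `keyholder::agent { $keyholder_user: trusted_group => $keyholder_group, require => Group[$keyholder_group], }` makes the dependency explicit instead of relying on catalog order. The preceding hunk also removes the only visible use of `$deployment_group` in role::deployment::server; the rest of that class is outside the hunk, so if nothing else reads it the parameter is now dead and should either go or feed role::deployment::mediawiki's `$keyholder_group`.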
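Review bot: The new `servicedeploy` group entry is what gates access to the servicedeploy private key on tin (keyholder::agent shares its proxy with `trusted_group`, which role::deployment::services sets to this group), yet its description reads like an ordinary login group. Whoever edits data.yaml later should see that adding a member here grants the ability to run commands as servicedeploy on every RESTBase host, including the passwordless `service restbase` sudo rule declared in restbase::deploy; a description such as `description: users who can use the servicedeploy ssh key via keyholder-proxy on tin (deploys to restbase hosts)` would carry that. `privileges: []` is right for this purpose and worth keeping as an explicit statement that the group carries no sudo on tin.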
diff --git a/modules/keyholder/files/keyholder-agent.conf b/modules/keyholder/files/keyholder-agent.conf
deleted file mode 100644
index 21a57ba..0000000
--- a/modules/keyholder/files/keyholder-agent.conf
+++ /dev/null
@@ -1,16 +0,0 @@
-# keyholder-agent - Shared SSH-agent
-#
-# Runs the ssh-agent(1) instance that holds shared identities.
-
-description "Shared SSH agent"
-
-start on (local-filesystems and net-device-up IFACE!=lo)
-
-setgid keyholder
-setuid keyholder
-
-exec /usr/bin/ssh-agent -d -a /run/keyholder/agent.sock
-post-start exec [ -S /run/keyholder/agent.sock ] || sleep 1
-post-stop exec /bin/rm -f /run/keyholder/agent.sock
-
-# vim: set ft=upstart:
diff --git a/modules/keyholder/manifests/agent.pp b/modules/keyholder/manifests/agent.pp
new file mode 100644
index 0000000..660768d
--- /dev/null
+++ b/modules/keyholder/manifests/agent.pp
@@ -0,0 +1,75 @@
+# == keyholder::agent
+#
+# Resource for creating keyholder agents on a node
+#
+# === Parameters
+#
+# [*name*]
+#   Used for service names, socket names, and default key name
+#
+# [*key_file*]
+#   The name of the key file stored in puppet private
+#   Should exist prior to running a defined resource
+#
+# [*trusted_group*]
+#   The name or GID of the trusted user group with which the agent
+#   should be shared. It is the caller's responsibility to ensure
+#   the group exists.
+#
+# === Examples
+#
+#   keyholder::agent { 'mwdeploy':
+#       trusted_group => 'wikidev',
+#       require => Group['wikidev'],
+#   }
+#
+define keyholder::agent(
+    $trusted_group,
+    $key_file = "${name}_rsa",
+) {
+
+    $agent_socket = "/run/keyholder/agent-${name}.sock"
+    $proxy_socket = "/run/keyholder/proxy-${name}.sock"
+
+    # The `keyholder-agent` service is responsible for running
+    # the ssh-agent instance that will hold shared key(s).
+
+    file { "/etc/init/keyholder-${name}-agent.conf":
+        content => template('keyholder/keyholder-agent.conf.erb'),
+        owner => 'root',
+        group => 'root',
+        mode => '0444',
+        notify => Service["keyholder-${name}-agent"],
+    }
+
+    service { "keyholder-${name}-agent":
+        ensure => running,
+        provider => 'upstart',
+        require => File['/run/keyholder'],
+    }
+
+
+    # The `keyholder-proxy` service runs the filtering ssh-agent proxy
+    # that acts as an intermediary between users in the trusted group
+    # and the backend ssh-agent that holds the shared key(s).
+
+    file { "/etc/init/keyholder-${name}-proxy.conf":
+        content => template('keyholder/keyholder-proxy.conf.erb'),
+        owner => 'root',
+        group => 'root',
+        mode => '0444',
+        notify => Service["keyholder-${name}-proxy"],
+    }
+
+    service { "keyholder-${name}-proxy":
+        ensure => running,
+        provider => 'upstart',
+        require => Service["keyholder-${name}-agent"],
+    }
+
+    # lint:ignore:puppet_url_without_modules
+    keyholder::private_key { $key_file:
+        source => "puppet:///private/ssh/tin/${key_file}",
+    }
+    # lint:endignore
+}
diff --git a/modules/keyholder/manifests/init.pp b/modules/keyholder/manifests/init.pp
index 3db511f..f4caa4d 100644
--- a/modules/keyholder/manifests/init.pp
+++ b/modules/keyholder/manifests/init.pp
@@ -26,27 +26,12 @@
 #
 #   $ SSH_AUTH_SOCK=/run/keyholder/proxy.sock ssh remote-host ...
 #
-# === Parameters
-#
-# [*trusted_group*]
-#   The name or GID of the trusted user group with which the agent
-#   should be shared. It is the caller's responsibility to ensure
-#   the group exists.
-#
-# === Examples
-#
-#   class { 'keyholder':
-#       trusted_group => 'wikidev',
-#       require => Group['wikidev'],
-#   }
-#
+
 # === Bugs
 #
-# It is currently only possible to have a single agent / proxy pair
-# (shared with just one group) on a particular node.
+# It is currently only possible to share an agent with a single group
 #
-class keyholder( $trusted_group ) {
-
+class keyholder {
     require_package('python3')
 
     group { 'keyholder':
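Review bot: The private key location is hard-coded to `puppet:///private/ssh/tin/${key_file}` in the keyholder::private_key declaration at the end of the define, which drops the override the first deployment.pp hunk removes (`$key_source`, commented "change this if not in production, with hiera") even though the commit's stated goal is to make this work inside beta. A parameter keeps that door open without touching callers: `$key_source = "puppet:///private/ssh/tin/${key_file}",` in the signature and `source => $key_source,` in the private_key resource (if this parser does not accept a default that refers to an earlier parameter, default it to `undef` and fall back in the body). Separately, `$name` flows unchecked into two upstart job names and two socket paths, so a name containing `/` or whitespace would write broken job files; a regex check on `$name` at the top of the define (e.g. `validate_re` if stdlib is in use here) is cheap insurance. `$trusted_group` is declared but not referenced in the visible body, so I assume the proxy template consumes it; a one-line comment saying so next to the proxy file resource would save the next reader the search.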
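Review bot: The usage example kept in context just above the removed Parameters section still reads `$ SSH_AUTH_SOCK=/run/keyholder/proxy.sock ssh remote-host ...`, but after this change the proxies listen on `/run/keyholder/proxy-<name>.sock` (per agent.pp) and the commit message itself tells operators to delete the old proxy.sock. The header should show the per-agent path, e.g. `#   $ SSH_AUTH_SOCK=/run/keyholder/proxy-mwdeploy.sock ssh remote-host ...`. The rewritten `=== Bugs` line would also be clearer as "each agent can only be shared with a single group", since the per-node limit is exactly what the rest of the patch removes.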
@@ -84,46 +69,10 @@
         owner => 'root',
         group => 'root',
         mode => '0555',
-        notify => Service['keyholder-agent'],
+
+        # Not possible for more than one keyholder per box
+        # notify => Service['keyholder-agent'],
     }
-
-
-    # The `keyholder-agent` service is responsible for running
-    # the ssh-agent instance that will hold shared key(s).
-
-    file { '/etc/init/keyholder-agent.conf':
-        source => 'puppet:///modules/keyholder/keyholder-agent.conf',
-        owner => 'root',
-        group => 'root',
-        mode => '0444',
-        notify => Service['keyholder-agent'],
-    }
-
-    service { 'keyholder-agent':
-        ensure => running,
-        provider => 'upstart',
-        require => File['/run/keyholder'],
-    }
-
-
-    # The `keyholder-proxy` service runs the filtering ssh-agent proxy
-    # that acts as an intermediary between users in the trusted group
-    # and the backend ssh-agent that holds the shared key(s).
-
-    file { '/etc/init/keyholder-proxy.conf':
-        content => template('keyholder/keyholder-proxy.conf.erb'),
-        owner => 'root',
-        group => 'root',
-        mode => '0444',
-        notify => Service['keyholder-proxy'],
-    }
-
-    service { 'keyholder-proxy':
-        ensure => running,
-        provider => 'upstart',
-        require => Service['keyholder-agent'],
-    }
-
     # The `keyholder` script provides a simplified command-line
     # interface for managing the agent. See `keyholder --help`.
@@ -133,6 +82,8 @@
         owner => 'root',
         group => 'root',
         mode => '0555',
-        notify => Service['keyholder-proxy'],
+
+        # Not possible for more than one keyholder per box
+        # notify => Service['keyholder-proxy'],
     }
 }
diff --git a/modules/keyholder/templates/keyholder-agent.conf.erb b/modules/keyholder/templates/keyholder-agent.conf.erb
new file mode 100644
index 0000000..d6fa923
--- /dev/null
+++ b/modules/keyholder/templates/keyholder-agent.conf.erb
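Review bot: Commenting out `notify => Service['keyholder-agent']` on the ssh-agent-proxy file (and `notify => Service['keyholder-proxy']` on the keyholder script in the following hunk) means a changed `/usr/local/bin/ssh-agent-proxy` — the component that enforces the trusted-group check — keeps running the old code on every node until each proxy is restarted by hand. The relationship can live in the define instead, where the per-name services are known: in agent.pp give the proxy service `subscribe => File['/usr/local/bin/ssh-agent-proxy'],`. Restarting only the proxy rather than the agent is also the safer direction, since an agent restart discards whatever identities were added to that ssh-agent and the key has to be re-armed. If the commented-out lines stay, the comment should say what replaces them, e.g. `# per-agent services are declared by keyholder::agent; restarts are wired up there`.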
@@ -0,0 +1,16 @@
+# keyholder-agent - Shared SSH-agent
+#
+# Runs the ssh-agent(1) instance that holds shared identities.
+
+description "Shared SSH agent"
+
+start on (local-filesystems and net-device-up IFACE!=lo)
+
+setgid keyholder
+setuid keyholder
+
+exec /usr/bin/ssh-agent -d -a <%= @agent_socket %>
+post-start exec [ -S <%= @agent_socket %> ] || sleep 1
+post-stop exec /bin/rm -f <%= @agent_socket %>
+
+# vim: set ft=upstart:
diff --git a/modules/keyholder/templates/keyholder-proxy.conf.erb b/modules/keyholder/templates/keyholder-proxy.conf.erb
index 5271516..1a5fea0 100644
--- a/modules/keyholder/templates/keyholder-proxy.conf.erb
+++ b/modules/keyholder/templates/keyholder-proxy.conf.erb
@@ -14,8 +14,8 @@
 umask 007
 
-pre-start exec /bin/rm -f /run/keyholder/proxy.sock
-exec /usr/local/bin/ssh-agent-proxy
-post-stop exec /bin/rm -f /run/keyholder/proxy.sock
+pre-start exec /bin/rm -f <%= @proxy_socket %>
+exec /usr/local/bin/ssh-agent-proxy --bind <%= @proxy_socket %> --connect <%= @agent_socket %>
+post-stop exec /bin/rm -f <%= @proxy_socket %>
 
 # vim: set ft=upstart:
diff --git a/modules/restbase/manifests/deploy.pp b/modules/restbase/manifests/deploy.pp
new file mode 100644
index 0000000..a6a0a43
--- /dev/null
+++ b/modules/restbase/manifests/deploy.pp
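Review bot: Every agent instance rendered from this template runs as the same account (`setgid keyholder` / `setuid keyholder`), so the mwdeploy and servicedeploy agent sockets are equally reachable by that uid and the separation between the two keys rests entirely on each proxy's group filter, not on the agents. That is a defensible trade-off, but it is the kind of property that gets lost over time; a comment above the setuid lines such as `# all agents share one uid; per-group isolation is enforced by the proxy, not here` would record it. The per-agent socket parameterization itself matches the paths set in keyholder::agent.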
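Review bot: The exec line now passes `--bind <%= @proxy_socket %> --connect <%= @agent_socket %>` to /usr/local/bin/ssh-agent-proxy, but the 11-file diffstat does not touch that script, so unless it already accepts these options both upstart jobs will fail at start and `ensure => running` in keyholder::agent will error on every run. Worth confirming against the script before merge, or landing the option parsing in the same change so the two cannot drift.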
@@ -0,0 +1,54 @@
+# == Class restbase::deploy
+#
+# Creates user and permissions for deploy user
+# on restbase hosts
+#
+# === Parameters
+#
+# [*public_key*]
+#   This is the public_key for the servicedeploy user. The private part of this
+#   key should reside in the private puppet repo for the environment. By default
+#   this public key is set to the servicedeploy user's public key for production
+#   private puppet—it should be overwritten using hiera in non-production
+#   environements.
+
+class restbase::deploy(
+    $public_key = 'ssh-rsa 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 servicedeploy_prod',
+) {
+    $user = 'servicedeploy'
+
+    user { $user:
+        ensure => present,
+        shell => '/bin/bash',
+        home => '/var/lib/scap',
+        system => true,
+        managehome => true,
+    }
+
+    ssh::userkey { $user:
+        content => $public_key,
+    }
+
+    # Using trebuchet provider while scap service deployment is under
+    # development—chicken and egg things
+    #
+    # This should be removed once scap3 is in a final state
+    package { ['restbase/deploy', 'scap/scap']:
+        provider => 'trebuchet',
+    }
+
+    # Rather than futz with adding new functionality to allow a deployment
+    # user set per repository in trebuchet, I'm running an exec here
+    $dir = '/srv/deployment/restbase/deploy'
+    exec { 'chown servicedeploy':
+        command => "/bin/chown -R ${user} ${dir}",
+        unless => "/usr/bin/test $(/usr/bin/stat -c'%U' ${dir}) = ${user}"
+    }
+
+    sudo::user { $user:
+        privileges => [
+            'ALL = (root) NOPASSWD: /usr/sbin/service restbase',
+        ]
+    }
+
+}
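Review bot: The `unless` on `exec { 'chown servicedeploy': ... }` relies on `$(/usr/bin/stat ...)`, but with the default exec provider the command is executed directly without a shell, so the substitution never happens, the test fails, and `/bin/chown -R` runs on every Puppet run over the whole deploy tree; `provider => 'shell',` on the exec fixes that. The exec also has no ordering against the account or the trebuchet checkout it operates on, so `require => [User[$user], Package['restbase/deploy']],` belongs on it. On the sudo rule, sudoers matches listed arguments exactly, so `/usr/sbin/service restbase` permits only that two-word invocation and rejects `service restbase restart`; list the actions actually needed, e.g. `'ALL = (root) NOPASSWD: /usr/sbin/service restbase restart',`, rather than widening to a wildcard. Finally, the class header should state that including it gives `servicedeploy` ownership of `/srv/deployment/restbase/deploy` plus a passwordless sudo rule, since the init.pp hunk now applies it to every restbase host.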
@@ -58,11 +58,9 @@
     $graphoid_uri = 'http://graphoid.svc.eqiad.wmnet:19000',
     $mobileapps_uri = 'http://mobileapps.svc.eqiad.wmnet:8888',
 ) {
-    ensure_packages( ['nodejs', 'nodejs-legacy', 'npm'] )
+    include restbase::deploy
 
-    package { 'restbase/deploy':
-        provider => 'trebuchet',
-    }
+    ensure_packages( ['nodejs', 'nodejs-legacy', 'npm'] )
 
     group { 'restbase':
         ensure => present,
-- 
To view, visit https://gerrit.wikimedia.org/r/232843
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I0a1da64658b4a9df4bb57897c890da105dba95d6
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Thcipriani <tcipri...@wikimedia.org>

_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits