Commit 280ecf72 authored by Dimitris Aragiorgis's avatar Dimitris Aragiorgis

deploy: Use synnefo system user and group



In short make gunicorn and snf-dispatcher run as
synnefo:synnefo, and Archipelago as archipelago:synnefo.

This way the synnefo components that run as synnefo:synnefo
(Cyclades, Pithos, etc.) can access the backing storage only through
Archipelago (i.e. named pipes in /dev/shm/posixfd/) and not
directly.

Since we are using NFS, we give the archipelago user and the synnefo group
a common uid and gid, respectively, across all nodes. The Archipelago dir
to be exported will be owned by archipelago:synnefo and have group write
permissions.
Signed-off-by: default avatarDimitris Aragiorgis <dimara@grnet.gr>
parent de82a2ac
[ARCHIPELAGO] [ARCHIPELAGO]
# Switch peer processes to run as this user # Switch peer processes to run as this user
USER=root USER=archipelago
# Switch peer processes to run as this group # Switch peer processes to run as this group
GROUP=root GROUP=synnefo
# Enable blktap module. Possible values: True/False # Enable blktap module. Possible values: True/False
BLKTAP_ENABLED=True BLKTAP_ENABLED=True
...@@ -4,8 +4,8 @@ CONFIG = { ...@@ -4,8 +4,8 @@ CONFIG = {
'DJANGO_SETTINGS_MODULE': 'synnefo.settings', 'DJANGO_SETTINGS_MODULE': 'synnefo.settings',
}, },
'working_dir': '/etc/synnefo', 'working_dir': '/etc/synnefo',
'user': 'www-data', 'user': 'synnefo',
'group': 'www-data', 'group': 'synnefo',
'args': ( 'args': (
'--bind=127.0.0.1:8080', '--bind=127.0.0.1:8080',
'--workers=8', '--workers=8',
...@@ -4,8 +4,8 @@ CONFIG = { ...@@ -4,8 +4,8 @@ CONFIG = {
'DJANGO_SETTINGS_MODULE': 'synnefo.settings', 'DJANGO_SETTINGS_MODULE': 'synnefo.settings',
}, },
'working_dir': '/etc/synnefo', 'working_dir': '/etc/synnefo',
'user': 'www-data', 'user': 'synnefo',
'group': 'archipelago', 'group': 'synnefo',
'args': ( 'args': (
'--bind=127.0.0.1:8080', '--bind=127.0.0.1:8080',
'--workers=6', '--workers=6',
...@@ -169,6 +169,20 @@ python /root/firefox_cert_override.py {0} {1}:443 >> {2} ...@@ -169,6 +169,20 @@ python /root/firefox_cert_override.py {0} {1}:443 >> {2}
# provides node, cluster, and setup related info. # provides node, cluster, and setup related info.
class HW(base.Component): class HW(base.Component):
@base.run_cmds
def prepare(self):
return [
# NOTE: This is needed because the NFS dir is owned by
# archipelago:synnefo and IDs must be common across nodes
"addgroup --system --gid 200 synnefo",
"adduser --system --uid 200 --gid 200 --no-create-home \
--gecos Synnefo synnefo",
"addgroup --system --gid 300 archipelago",
"adduser --system --uid 300 --gid 300 --no-create-home \
--gecos Archipelago archipelago",
]
@base.check_if_testing @base.check_if_testing
def _configure(self): def _configure(self):
r1 = { r1 = {
...@@ -775,7 +789,6 @@ class GTools(base.Component): ...@@ -775,7 +789,6 @@ class GTools(base.Component):
def prepare(self): def prepare(self):
return [ return [
"sed -i 's/false/true/' /etc/default/snf-ganeti-eventd", "sed -i 's/false/true/' /etc/default/snf-ganeti-eventd",
"chown -R root:archipelago /etc/synnefo/",
] ]
def _configure(self): def _configure(self):
...@@ -873,12 +886,6 @@ class Gunicorn(base.Component): ...@@ -873,12 +886,6 @@ class Gunicorn(base.Component):
"gunicorn", "gunicorn",
] ]
@base.run_cmds
def prepare(self):
return [
"chown root:www-data /var/log/gunicorn",
]
def _configure(self): def _configure(self):
r1 = {"HOST": self.node.fqdn} r1 = {"HOST": self.node.fqdn}
return [ return [
...@@ -899,6 +906,13 @@ class Common(base.Component): ...@@ -899,6 +906,13 @@ class Common(base.Component):
"snf-branding", "snf-branding",
] ]
@base.run_cmds
def prepare(self):
return [
"mkdir -p %s" % config.mail_dir,
"chmod 777 %s" % config.mail_dir,
]
def _configure(self): def _configure(self):
r1 = { r1 = {
"EMAIL_SUBJECT_PREFIX": self.node.hostname, "EMAIL_SUBJECT_PREFIX": self.node.hostname,
...@@ -910,10 +924,6 @@ class Common(base.Component): ...@@ -910,10 +924,6 @@ class Common(base.Component):
("/etc/synnefo/common.conf", r1, {}), ("/etc/synnefo/common.conf", r1, {}),
] ]
@base.run_cmds
def initialize(self):
return ["mkdir -p {0}; chmod 777 {0}".format(config.mail_dir)]
@base.run_cmds @base.run_cmds
def restart(self): def restart(self):
return [ return [
...@@ -1182,7 +1192,7 @@ class CMS(base.Component): ...@@ -1182,7 +1192,7 @@ class CMS(base.Component):
class Mount(base.Component): class Mount(base.Component):
REQUIRED_PACKAGES = [ REQUIRED_PACKAGES = [
"nfs-common" "nfs-common",
] ]
@update_admin @update_admin
...@@ -1204,9 +1214,6 @@ EOF ...@@ -1204,9 +1214,6 @@ EOF
return [ return [
"mkdir -p %s" % config.shared_dir, "mkdir -p %s" % config.shared_dir,
"addgroup --gid 200 archipelago",
"adduser --system --no-create-home \
--gecos 'Archipelago user' --gid 200 archipelago",
fstab, fstab,
] ]
...@@ -1220,7 +1227,7 @@ EOF ...@@ -1220,7 +1227,7 @@ EOF
class NFS(base.Component): class NFS(base.Component):
REQUIRED_PACKAGES = [ REQUIRED_PACKAGES = [
"rpcbind", "rpcbind",
"nfs-kernel-server" "nfs-kernel-server",
] ]
alias = constants.NFS alias = constants.NFS
...@@ -1243,11 +1250,8 @@ class NFS(base.Component): ...@@ -1243,11 +1250,8 @@ class NFS(base.Component):
"mkdir -p %s" % config.images_dir, "mkdir -p %s" % config.images_dir,
"mkdir -p %s" % config.ganeti_dir, "mkdir -p %s" % config.ganeti_dir,
"mkdir -p %s" % config.archip_dir, "mkdir -p %s" % config.archip_dir,
"addgroup --gid 200 archipelago",
"adduser --system --no-create-home \
--gecos 'Archipelago user' --gid 200 archipelago",
"cd %s && mkdir {maps,blocks,locks}" % config.archip_dir, "cd %s && mkdir {maps,blocks,locks}" % config.archip_dir,
"cd %s && chown archipelago:archipelago {maps,blocks,locks}" % \ "cd %s && chown archipelago:synnefo {maps,blocks,locks}" % \
config.archip_dir, config.archip_dir,
"cd %s && chmod 770 {maps,blocks,locks}" % config.archip_dir, "cd %s && chmod 770 {maps,blocks,locks}" % config.archip_dir,
"cd %s && chmod g+s {maps,blocks,locks}" % config.archip_dir, "cd %s && chmod g+s {maps,blocks,locks}" % config.archip_dir,
...@@ -1303,12 +1307,6 @@ class Pithos(base.Component): ...@@ -1303,12 +1307,6 @@ class Pithos(base.Component):
"snf-manage service-export-pithos > %s" % f "snf-manage service-export-pithos > %s" % f
] ]
@base.run_cmds
def prepare(self):
return [
"chown -R root:archipelago /etc/synnefo/",
]
def _configure(self): def _configure(self):
r1 = { r1 = {
"ACCOUNTS": self.ctx.astakos.cname, "ACCOUNTS": self.ctx.astakos.cname,
...@@ -1456,7 +1454,6 @@ snf-manage network-create --subnet6={0} \ ...@@ -1456,7 +1454,6 @@ snf-manage network-create --subnet6={0} \
def prepare(self): def prepare(self):
return [ return [
"sed -i 's/false/true/' /etc/default/snf-dispatcher", "sed -i 's/false/true/' /etc/default/snf-dispatcher",
"chown -R root:archipelago /etc/synnefo/",
] ]
def _configure(self): def _configure(self):
...@@ -1585,19 +1582,12 @@ class Admin(base.Component): ...@@ -1585,19 +1582,12 @@ class Admin(base.Component):
self.NS.update_ns() self.NS.update_ns()
self.DB.allow_db_access() self.DB.allow_db_access()
self.DB.restart() self.DB.restart()
@base.run_cmds
@update_admin
def prepare(self):
f = "/etc/synnefo/astakos.conf" f = "/etc/synnefo/astakos.conf"
self.ASTAKOS.get(f, "/tmp/astakos.conf") self.ASTAKOS.get(f, "/tmp/astakos.conf")
self.put("/tmp/astakos.conf", f) self.put("/tmp/astakos.conf", f)
f = "/etc/synnefo/cyclades.conf" f = "/etc/synnefo/cyclades.conf"
self.CYCLADES.get(f, "/tmp/cyclades.conf") self.CYCLADES.get(f, "/tmp/cyclades.conf")
self.put("/tmp/cyclades.conf", f) self.put("/tmp/cyclades.conf", f)
return [
"chown -R root:archipelago /etc/synnefo",
]
def _configure(self): def _configure(self):
r1 = { r1 = {
...@@ -1751,8 +1741,9 @@ class Stats(base.Component): ...@@ -1751,8 +1741,9 @@ class Stats(base.Component):
@base.run_cmds @base.run_cmds
def prepare(self): def prepare(self):
return [ return [
"mkdir -p /var/cache/snf-stats-app/", "mkdir -p /var/cache/snf-stats-app",
"chown www-data:www-data /var/cache/snf-stats-app/", "chmod g+ws /var/cache/snf-stats-app",
"chown synnefo:synnefo /var/cache/snf-stats-app",
] ]
def _configure(self): def _configure(self):
...@@ -1819,7 +1810,7 @@ class Archip(base.Component): ...@@ -1819,7 +1810,7 @@ class Archip(base.Component):
@base.run_cmds @base.run_cmds
def restart(self): def restart(self):
return [ return [
"archipelago restart" "archipelago restart",
] ]
...@@ -1830,9 +1821,8 @@ class ArchipSynnefo(base.Component): ...@@ -1830,9 +1821,8 @@ class ArchipSynnefo(base.Component):
def prepare(self): def prepare(self):
return [ return [
"mkdir -p /etc/synnefo/gunicorn-hooks", "mkdir -p /etc/synnefo/gunicorn-hooks",
"chown -R root:archipelago /etc/synnefo", "chmod 750 /etc/synnefo/gunicorn-hooks",
"chown -R root:archipelago /var/log/gunicorn", "chmod g+s /etc/synnefo/gunicorn-hooks",
"chmod g+s /etc/synnefo/",
] ]
def _configure(self): def _configure(self):
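Review bot: The new `gunicorn-hooks` directory in ArchipSynnefo.prepare gets `chmod 750` and `chmod g+s` but no `chown`, so it stays owned by the root group of the process that creates it, and the gunicorn workers, which this commit moves to synnefo:synnefo, appear to have no way to read it; adding `"chown root:synnefo /etc/synnefo/gunicorn-hooks",` ahead of the two chmod lines would close that gap. The same omission applies to the removed `chown -R root:archipelago /etc/synnefo` lines in GTools.prepare, Pithos.prepare, the prepare at the snf-dispatcher hunk, Admin.prepare and ArchipSynnefo.prepare, and to the removed `chown root:www-data /var/log/gunicorn` in Gunicorn.prepare: none is replaced by a root:synnefo equivalent, so whether the synnefo user can read its configuration (which presumably holds credentials) or write its log directory now depends on modes set outside this diff, which I cannot verify here. Separately, `"chmod 777 %s" % config.mail_dir` in Common.prepare is carried over from the removed initialize step; now that a dedicated user exists, `chown synnefo:synnefo` plus `chmod 2770`, mirroring the pattern used in Stats.prepare, would match the least-privilege intent stated in the description, assuming only synnefo-owned processes write there. The enclosing component classes extend beyond the visible hunks.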