Commit 280ecf72 authored by Dimitris Aragiorgis's avatar Dimitris Aragiorgis

deploy: Use synnefo system user and group



In short make gunicorn and snf-dispatcher run as
synnefo:synnefo, and Archipelago as archipelago:synnefo.

This way the synnefo components that run as synnefo:synnefo
(Cyclades, Pithos, etc.) can access the backing storage only through
Archipelago (i.e. named pipes in /dev/shm/posixfd/) and not
directly.

Since the backing storage is shared over NFS, the archipelago user and the
synnefo group are created with the same uid and gid respectively on every
node. The exported Archipelago directory is owned by archipelago:synnefo
and is group-writable.
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>
parent de82a2ac
[ARCHIPELAGO]
# Switch peer processes to run as this user
USER=root
USER=archipelago
# Switch peer processes to run as this group
GROUP=root
GROUP=synnefo
# Enable blktap module. Possible values: True/False
BLKTAP_ENABLED=True
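Review bot: The comment above GROUP still reads "Switch peer processes to run as this group", which no longer tells an operator why the value has to be `synnefo` rather than `archipelago`: per the commit message this group is what lets gunicorn and snf-dispatcher, now running as synnefo:synnefo, reach the peer endpoints under /dev/shm/posixfd, and its gid must be identical on every node that shares the NFS export. Suggest replacing that comment with `# Must stay 'synnefo': this group is the access path for the synnefo services to the peer endpoints, and its gid must match on every node sharing the NFS export.` The gid itself is fixed in the deploy script (HW.prepare), so the comment should point there rather than repeat the number.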
......@@ -4,8 +4,8 @@ CONFIG = {
'DJANGO_SETTINGS_MODULE': 'synnefo.settings',
},
'working_dir': '/etc/synnefo',
'user': 'www-data',
'group': 'www-data',
'user': 'synnefo',
'group': 'synnefo',
'args': (
'--bind=127.0.0.1:8080',
'--workers=8',
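Review bot: Gunicorn now runs as synnefo:synnefo, but the only commands in this deploy tree that set ownership of its log directory are removed by the same commit (`chown root:www-data /var/log/gunicorn` in Gunicorn.prepare and `chown -R root:archipelago /var/log/gunicorn` in ArchipSynnefo.prepare) with nothing added in their place, so no visible step grants the new user write access to /var/log/gunicorn. If the Debian gunicorn wrapper opens the log files as root before the workers switch user this may keep working, but any log reopening done by the workers themselves would fail; a like-for-like `"chown root:synnefo /var/log/gunicorn",` in Gunicorn.prepare would preserve the previous arrangement. The file this CONFIG belongs to is not named on the page, so the point applies to whichever gunicorn site config this is.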
......@@ -4,8 +4,8 @@ CONFIG = {
'DJANGO_SETTINGS_MODULE': 'synnefo.settings',
},
'working_dir': '/etc/synnefo',
'user': 'www-data',
'group': 'archipelago',
'user': 'synnefo',
'group': 'synnefo',
'args': (
'--bind=127.0.0.1:8080',
'--workers=6',
......@@ -169,6 +169,20 @@ python /root/firefox_cert_override.py {0} {1}:443 >> {2}
# provides node, cluster, and setup related info.
class HW(base.Component):
@base.run_cmds
def prepare(self):
return [
# NOTE: This is needed because the NFS dir is owned by
# archipelago:synnefo and IDs must be common across nodes
"addgroup --system --gid 200 synnefo",
"adduser --system --uid 200 --gid 200 --no-create-home \
--gecos Synnefo synnefo",
"addgroup --system --gid 300 archipelago",
"adduser --system --uid 300 --gid 300 --no-create-home \
--gecos Archipelago archipelago",
]
@base.check_if_testing
def _configure(self):
r1 = {
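Review bot: The four addgroup/adduser commands added to HW.prepare are not re-runnable: addgroup and adduser exit non-zero when the name or the requested id already exists, so a second deploy run against the same node fails here before any later component is reached, and a clash with an already-allocated uid or gid 200/300 (Debian assigns system ids dynamically) would fail the first run as well. Guard each one, e.g. `"getent group synnefo >/dev/null || addgroup --system --gid 200 synnefo",` and likewise `getent passwd synnefo` / `getent group archipelago` / `getent passwd archipelago` for the other three. Note also that gid 200 was previously assigned to the archipelago group by the Mount and NFS components this commit deletes, so on an export created under the old layout existing files will now read as group synnefo and their owner uid will not match the new fixed uid 300; the NOTE comment should say whether a one-off chown of the export is expected. HW's class body continues outside the hunk.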
......@@ -775,7 +789,6 @@ class GTools(base.Component):
def prepare(self):
return [
"sed -i 's/false/true/' /etc/default/snf-ganeti-eventd",
"chown -R root:archipelago /etc/synnefo/",
]
def _configure(self):
......@@ -873,12 +886,6 @@ class Gunicorn(base.Component):
"gunicorn",
]
@base.run_cmds
def prepare(self):
return [
"chown root:www-data /var/log/gunicorn",
]
def _configure(self):
r1 = {"HOST": self.node.fqdn}
return [
......@@ -899,6 +906,13 @@ class Common(base.Component):
"snf-branding",
]
@base.run_cmds
def prepare(self):
return [
"mkdir -p %s" % config.mail_dir,
"chmod 777 %s" % config.mail_dir,
]
def _configure(self):
r1 = {
"EMAIL_SUBJECT_PREFIX": self.node.hostname,
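Review bot: `chmod 777` on config.mail_dir keeps the directory world-writable now that it is created in Common.prepare: any local account on the node can add, replace or delete files in what appears to be the mail drop used by the synnefo services, and with a dedicated synnefo user there is no longer a reason for it. Suggest `"chown synnefo:synnefo %s" % config.mail_dir,` followed by `"chmod 2770 %s" % config.mail_dir,` in place of the 777 line, assuming the only writer is a process running as synnefo (gunicorn or snf-dispatcher per this commit) and anything that needs to read the directory is added to the synnefo group. If a mail agent running as another user also writes there, that user belongs in the group rather than the mode being opened to everyone; the moved block does not say who writes to the directory. Common.prepare ends within the hunk; _configure continues outside it.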
......@@ -910,10 +924,6 @@ class Common(base.Component):
("/etc/synnefo/common.conf", r1, {}),
]
@base.run_cmds
def initialize(self):
return ["mkdir -p {0}; chmod 777 {0}".format(config.mail_dir)]
@base.run_cmds
def restart(self):
return [
......@@ -1182,7 +1192,7 @@ class CMS(base.Component):
class Mount(base.Component):
REQUIRED_PACKAGES = [
"nfs-common"
"nfs-common",
]
@update_admin
......@@ -1204,9 +1214,6 @@ EOF
return [
"mkdir -p %s" % config.shared_dir,
"addgroup --gid 200 archipelago",
"adduser --system --no-create-home \
--gecos 'Archipelago user' --gid 200 archipelago",
fstab,
]
......@@ -1220,7 +1227,7 @@ EOF
class NFS(base.Component):
REQUIRED_PACKAGES = [
"rpcbind",
"nfs-kernel-server"
"nfs-kernel-server",
]
alias = constants.NFS
......@@ -1243,11 +1250,8 @@ class NFS(base.Component):
"mkdir -p %s" % config.images_dir,
"mkdir -p %s" % config.ganeti_dir,
"mkdir -p %s" % config.archip_dir,
"addgroup --gid 200 archipelago",
"adduser --system --no-create-home \
--gecos 'Archipelago user' --gid 200 archipelago",
"cd %s && mkdir {maps,blocks,locks}" % config.archip_dir,
"cd %s && chown archipelago:archipelago {maps,blocks,locks}" % \
"cd %s && chown archipelago:synnefo {maps,blocks,locks}" % \
config.archip_dir,
"cd %s && chmod 770 {maps,blocks,locks}" % config.archip_dir,
"cd %s && chmod g+s {maps,blocks,locks}" % config.archip_dir,
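Review bot: The new `chown archipelago:synnefo {maps,blocks,locks}` together with the unchanged `chmod 770` gives every process in group synnefo — gunicorn and snf-dispatcher now run as synnefo:synnefo per this commit — read, write and search access to the backing maps, blocks and locks through the NFS mount, which is exactly the direct storage access the commit message says those services should no longer have. The owner archipelago already has write, so group write cannot be for the peers themselves; either some other member of group synnefo genuinely needs to write here, in which case a comment on the chmod line should name it, or the mode should be `chmod 750` and the "group write permissions" sentence dropped from the message. With 750 the setgid bit still serves its purpose of giving files the peers create the synnefo group. NFS.prepare's body begins outside the hunk.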
......@@ -1303,12 +1307,6 @@ class Pithos(base.Component):
"snf-manage service-export-pithos > %s" % f
]
@base.run_cmds
def prepare(self):
return [
"chown -R root:archipelago /etc/synnefo/",
]
def _configure(self):
r1 = {
"ACCOUNTS": self.ctx.astakos.cname,
......@@ -1456,7 +1454,6 @@ snf-manage network-create --subnet6={0} \
def prepare(self):
return [
"sed -i 's/false/true/' /etc/default/snf-dispatcher",
"chown -R root:archipelago /etc/synnefo/",
]
def _configure(self):
......@@ -1585,19 +1582,12 @@ class Admin(base.Component):
self.NS.update_ns()
self.DB.allow_db_access()
self.DB.restart()
@base.run_cmds
@update_admin
def prepare(self):
f = "/etc/synnefo/astakos.conf"
self.ASTAKOS.get(f, "/tmp/astakos.conf")
self.put("/tmp/astakos.conf", f)
f = "/etc/synnefo/cyclades.conf"
self.CYCLADES.get(f, "/tmp/cyclades.conf")
self.put("/tmp/cyclades.conf", f)
return [
"chown -R root:archipelago /etc/synnefo",
]
def _configure(self):
r1 = {
......@@ -1751,8 +1741,9 @@ class Stats(base.Component):
@base.run_cmds
def prepare(self):
return [
"mkdir -p /var/cache/snf-stats-app/",
"chown www-data:www-data /var/cache/snf-stats-app/",
"mkdir -p /var/cache/snf-stats-app",
"chmod g+ws /var/cache/snf-stats-app",
"chown synnefo:synnefo /var/cache/snf-stats-app",
]
def _configure(self):
......@@ -1819,7 +1810,7 @@ class Archip(base.Component):
@base.run_cmds
def restart(self):
return [
"archipelago restart"
"archipelago restart",
]
......@@ -1830,9 +1821,8 @@ class ArchipSynnefo(base.Component):
def prepare(self):
return [
"mkdir -p /etc/synnefo/gunicorn-hooks",
"chown -R root:archipelago /etc/synnefo",
"chown -R root:archipelago /var/log/gunicorn",
"chmod g+s /etc/synnefo/",
"chmod 750 /etc/synnefo/gunicorn-hooks",
"chmod g+s /etc/synnefo/gunicorn-hooks",
]
def _configure(self):
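Review bot: The new `chmod g+s /etc/synnefo/` and the retained `chmod 750 /etc/synnefo/gunicorn-hooks` now act on a directory whose group this commit stops setting: every `chown -R root:archipelago /etc/synnefo` is removed (here and in the GTools, Pithos, dispatcher and Admin hunks) and no root:synnefo replacement appears in any visible hunk. Unless the snf-* packages already create /etc/synnefo with group synnefo, the setgid bit will propagate whatever group the directory happens to have (root, if mkdir ran as root) and the 750 hooks directory is unreadable by gunicorn running as synnefo:synnefo. Add `"chown -R root:synnefo /etc/synnefo",` ahead of the chmod lines, or a comment saying where that ownership is established. ArchipSynnefo.prepare's return list ends inside the hunk; the class continues outside it.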