Commit 3a9cca82 authored by Dimitris Aragiorgis's avatar Dimitris Aragiorgis

deploy: Do not run archipelago as root



Since 0.4~rc2, archipelago creates archipelago user and group
upon package installation. In order not to run as root we
have to:

 - chown and chmod /srv/archip dirs and file
 - let gunicorn run as www-data.archipelago
 - chown /etc/synnefo and /var/log/gunicorn

Additionally, archipelago introduces a new dir to store locks.
Create this dir on the nfs node.

NOTE: In case of a multinode setup using NFS as archipelago
backend, the archipelago user must have a common group id across
all nodes. Currently snf-deploy does not take that into account
since it practically setups a single node installation.
Signed-off-by: default avatarDimitris Aragiorgis <dimara@grnet.gr>
parent 11a4dde1
......@@ -78,7 +78,7 @@ portno_end=1000
log_level=3
nr_ops=64
nr_threads=64
archip_dir=/srv/archip/blocks
archip_dir=%ARCHIP_DIR%/blocks
fdcache=512
direct=False
......@@ -89,7 +89,8 @@ portno_end=1002
log_level=3
nr_ops=64
nr_threads=64
archip_dir=/srv/archip/maps
archip_dir=%ARCHIP_DIR%/maps
lock_dir=%ARCHIP_DIR%/locks
fdcache=512
direct=False
......
......@@ -4,8 +4,8 @@ CONFIG = {
'DJANGO_SETTINGS_MODULE': 'synnefo.settings',
},
'working_dir': '/etc/synnefo',
'user': 'root',
'group': 'root',
'user': 'www-data',
'group': 'archipelago',
'args': (
'--bind=127.0.0.1:8080',
'--workers=6',
......
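Review bot: The new `'group': 'archipelago'` entry has no comment saying why the worker group differs from the `www-data` user, although the value is a permission dependency rather than a free choice. The same commit creates the maps, blocks and locks directories as `archipelago:archipelago` with mode 770, so a later change of this group back to `www-data` would cut the workers off from them. A one-line comment above the entry would record that, for example `# group must be archipelago: archip dirs are archipelago:archipelago, mode 770`. The `CONFIG` dict starts and ends outside the hunk, so whether other keys depend on the old root identity cannot be checked from here.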
......@@ -858,7 +858,7 @@ class Gunicorn(base.Component):
@base.run_cmds
def prepare(self):
return [
"chown root.www-data /var/log/gunicorn",
"chown root:www-data /var/log/gunicorn",
]
def _configure(self):
......@@ -1221,11 +1221,15 @@ class NFS(base.Component):
"mkdir -p %s" % config.shared_dir,
"mkdir -p %s" % config.images_dir,
"mkdir -p %s" % config.ganeti_dir,
"mkdir -p %s" % config.archip_dir,
"mkdir -p %s/data" % config.pithos_dir,
"mkdir -p %s/blocks" % config.archip_dir,
"mkdir -p %s/maps" % config.archip_dir,
"chown www-data.www-data %s/data" % config.pithos_dir,
"chmod g+ws %s/data" % config.pithos_dir,
"cd %s && mkdir {maps,blocks,locks}" % config.archip_dir,
"cd %s && chown archipelago:archipelago {maps,blocks,locks}" % \
config.archip_dir,
"cd %s && chmod 770 {maps,blocks,locks}" % config.archip_dir,
"cd %s && chmod g+s {maps,blocks,locks}" % config.archip_dir,
]
@base.run_cmds
......@@ -1775,7 +1779,10 @@ class Archip(base.Component):
return ["mkdir -p /etc/archipelago"]
def _configure(self):
r1 = {"SEGMENT_SIZE": config.segment_size}
r1 = {
"SEGMENT_SIZE": config.segment_size,
"ARCHIP_DIR": config.archip_dir,
}
return [
("/etc/archipelago/archipelago.conf", r1, {})
]
......@@ -1792,7 +1799,12 @@ class ArchipSynnefo(base.Component):
@base.run_cmds
def prepare(self):
return ["mkdir -p /etc/synnefo/gunicorn-hooks"]
return [
"mkdir -p /etc/synnefo/gunicorn-hooks",
"chown -R root:archipelago /etc/synnefo",
"chown -R root:archipelago /var/log/gunicorn",
"chmod g+s /etc/synnefo/",
]
def _configure(self):
r1 = {"HOST": self.node.fqdn}
......
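Review bot: In `ArchipSynnefo.prepare`, `chown -R root:archipelago /var/log/gunicorn` replaces the `root:www-data` group that `Gunicorn.prepare` sets earlier in this file, so the final group depends on which component runs last, and none of the visible commands sets a mode on that directory. Gunicorn now runs as www-data with group archipelago, so it can write logs there only if the directory already happens to be group-writable; an explicit `"chmod g+ws /var/log/gunicorn",` after the chown, as is done for the pithos data dir, would remove that dependence on package defaults. The recursive `chown -R root:archipelago /etc/synnefo` likewise changes the group of every settings file without touching modes, so whatever was group-readable before becomes readable by every member of archipelago; it is worth confirming that is intended for files that hold credentials. Both `prepare` bodies are fully visible, but the enclosing classes continue outside the hunks.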