From 4b5303dad5d09447b0b7f0592b14ac608328bc0d Mon Sep 17 00:00:00 2001
From: Andrea Dell'Amico
Date: Mon, 26 Sep 2016 18:17:45 +0200
Subject: [PATCH] library/roles/d4s_user_services_perms: Add a series of task that configure a generic service to be managed by an unprivileged user.
---
 d4s_user_services_perms/README.md | 20 +++++++++++++------
 d4s_user_services_perms/defaults/main.yml | 17 ++++++++++++++++
 .../tasks/d4s-service-node.yml | 18 +++++++++++++++++
 d4s_user_services_perms/tasks/main.yml | 8 +++++---
 .../templates/README-service.j2 | 4 ++++
 .../templates/d4science-sudoers.j2 | 2 ++
 .../templates/startservice.j2 | 5 +++++
 .../templates/stopservice.j2 | 5 +++++
 8 files changed, 70 insertions(+), 9 deletions(-)
 create mode 100644 d4s_user_services_perms/tasks/d4s-service-node.yml
 create mode 100644 d4s_user_services_perms/templates/README-service.j2
 create mode 100644 d4s_user_services_perms/templates/d4science-sudoers.j2
 create mode 100644 d4s_user_services_perms/templates/startservice.j2
 create mode 100644 d4s_user_services_perms/templates/stopservice.j2
diff --git a/d4s_user_services_perms/README.md b/d4s_user_services_perms/README.md
index 17649040..e5196064 100644
--- a/d4s_user_services_perms/README.md
+++ b/d4s_user_services_perms/README.md
@@ -1,12 +1,20 @@ -This role assumes that only one tomcat instance is defined and running on the system. +Four different scenarios are covered. -Important note: the variable 'http_port' needs to be defined earlier in the calling playbook. +1. One smartgears tomcat instance, installed inside the user's home +2. One or more tomcat instances, each instance installed inside its + user's home +3. One service, not tomcat based, installed inside the user's home +4. One service, installed inside the user's home, not managed by other + ansible playbooks (only the user is created) + +Important note: the variable 'http_port(s)' needs to be defined earlier in the calling playbook. What the role does: -- Install the sudoers config that permits the tomcat user to restart -the service -- Install the script that allows the tomcat user to start and stop the +- Installs the sudoers config that permits the user to restart the +service +- Installs the script that allows the user to start and stop the service without using the full path -- Install the README file that explains where the options files are +- Installs the README file that explains where the options files are placed and how start/stop the service +- The default open files limits are increased diff --git a/d4s_user_services_perms/defaults/main.yml b/d4s_user_services_perms/defaults/main.yml index 128037dc..fbe3330a 100644 --- a/d4s_user_services_perms/defaults/main.yml +++ b/d4s_user_services_perms/defaults/main.yml @@ -3,6 +3,10 @@ d4science_user: gcube d4science_user_create_home: True d4science_user_home: '/home/{{ d4science_user }}' d4science_user_shell: /bin/bash +d4s_service_node: False +smartgears_node: False +d4s_tomcat_node: False +gcore_node: False d4science_sudoers_commands: - /etc/init.d/tomcat-instance-* 
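Review bot: The four new node flags are spelled `False`, the YAML 1.1 boolean form, while `d4s_service_node` and friends are now the only thing the `when:` conditions in tasks/main.yml rely on; yamllint's truthy rule and the Ansible convention both prefer the lowercase form, e.g. `d4s_service_node: false`. The neighbouring context line `d4science_user_create_home: True` uses the same spelling, so if the new keys are changed the existing one should be changed in the same pass rather than leaving the file mixed.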
@@ -11,6 +15,19 @@ d4science_tomcat_options_files: - '/etc/default/tomcat-instance-{{ item.0.http_port }}' - '/etc/default/tomcat-instance-{{ item.0.http_port }}.local' + +d4science_service_commands: + - /etc/init.d/* + +d4science_user_service_scripts: + - startservice + - stopservice + +d4science_service_start_command: + +d4science_service_stop_command: + + limits_nofile_value: 16000 security_limits: - { domain: '{{ d4science_user }}', l_item: 'nofile', type: 'soft', value: '{{ limits_nofile_value }}' }
diff --git a/d4s_user_services_perms/tasks/d4s-service-node.yml b/d4s_user_services_perms/tasks/d4s-service-node.yml
new file mode 100644
index 00000000..acb8045d
--- /dev/null
+++ b/d4s_user_services_perms/tasks/d4s-service-node.yml
@@ -0,0 +1,18 @@
+---
+- block:
+ - name: Install the README file that explains where the options files are placed and how start/stop the service
+ template: src={{ item }}-service.j2 dest={{ d4science_user_home }}/{{ item }} mode=0444
+ with_items:
+ - 'README-service'
+
+ - name: Install the script that allows the d4science user to start and stop the service without using the full path
+ template: src={{ item }}.j2 dest=/home/{{ d4science_user }}/{{ item }} owner={{ d4science_user }} group={{ d4science_user }} mode=0755
+ with _items: '{{ d4science_user_service_scripts }}'
+
+ - name: Install the sudoers config that permits the tomcat user to restart the service
+ become: False
+ template: src=d4science-sudoers.j2 dest=/etc/sudoers.d/d4science-services owner=root group=root mode=0440
+
+ become: True
+ become_user: '{{ d4science_user }}'
+ tags: [ 'd4science', 'd4s_readme', 'sudo', 'startup_cmd' ]
diff --git a/d4s_user_services_perms/tasks/main.yml b/d4s_user_services_perms/tasks/main.yml
index 6e97633d..cf555365 100644
--- a/d4s_user_services_perms/tasks/main.yml
+++ b/d4s_user_services_perms/tasks/main.yml
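Review bot: The default `d4science_service_commands: - /etc/init.d/*` is rendered straight into the sudoers.d NOPASSWD rule, so any node that enables `d4s_service_node` without overriding it lets the service user run every init script on the host, with any arguments, which is far broader than the single-service scope the README describes. A least-privilege default would grant only what the wrapper scripts invoke, e.g. `d4science_service_commands: ['{{ d4science_service_start_command }}', '{{ d4science_service_stop_command }}']`, or at minimum the service's own init script rather than the whole directory. `d4science_service_start_command:` and `d4science_service_stop_command:` are bare keys, i.e. null, so an unconfigured node renders startservice/stopservice with no command at all instead of failing at deploy time; either make them mandatory with an `assert` task in the role or state in the README that the caller must set them. The `security_limits` entries around the hunk belong to the unchanged part of the file.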
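Review bot: `with _items: '{{ d4science_user_service_scripts }}'` on the script-installing task has a stray space in the keyword, so Ansible rejects the task as an invalid attribute and the play fails before startservice/stopservice are ever written; it must read `with_items: '{{ d4science_user_service_scripts }}'`. The same task writes to `dest=/home/{{ d4science_user }}/{{ item }}` while the README task and the README template use `{{ d4science_user_home }}`, so an overridden home directory leaves the README pointing at scripts installed somewhere else — use `dest={{ d4science_user_home }}/{{ item }}`. The sudoers task drops a generated file into /etc/sudoers.d with no syntax check, and a bad `d4science_service_commands` value (an empty list renders `NOPASSWD:` with nothing after it) would break sudo for the whole host, so add `validate: '/usr/sbin/visudo -cf %s'` to that template task. Its `become: False` overrides the block-level `become: True`, which means it runs as the connection user; that is presumably root in this deployment, but it is worth confirming the play is never run as an unprivileged ansible account.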
@@ -1,8 +1,10 @@
 ---
 - include: d4s-smartgears-node.yml
- when: smartgears_node is defined and smartgears_node
+ when: smartgears_node
 - include: d4s-tomcat-node.yml
- when: d4s_tomcat_node is defined and d4s_tomcat_node
+ when: d4s_tomcat_node
+- include: d4s-service-node.yml
+ when: d4s_service_node
 - include: d4s-basic-node.yml
- when: gcore_node is defined and gcore_node
+ when: gcore_node
 - include: security_limits.yml
diff --git a/d4s_user_services_perms/templates/README-service.j2 b/d4s_user_services_perms/templates/README-service.j2
new file mode 100644
index 00000000..a10a9a83
--- /dev/null
+++ b/d4s_user_services_perms/templates/README-service.j2
@@ -0,0 +1,4 @@
+The commands that start and stop the service are:
+{% for cmd in d4science_user_service_scripts %}
+{{ d4science_user_home }}/{{ cmd }}
+{% endfor %}
diff --git a/d4s_user_services_perms/templates/d4science-sudoers.j2 b/d4s_user_services_perms/templates/d4science-sudoers.j2
new file mode 100644
index 00000000..3662d7e0
--- /dev/null
+++ b/d4s_user_services_perms/templates/d4science-sudoers.j2
@@ -0,0 +1,2 @@
+{{ d4science_user }} ALL=(ALL) NOPASSWD: {% for cmd in d4science_service_commands %}{{ cmd }}{% if not loop.last %},{% endif %}{% endfor %}
+
diff --git a/d4s_user_services_perms/templates/startservice.j2 b/d4s_user_services_perms/templates/startservice.j2
new file mode 100644
index 00000000..d49bf239
--- /dev/null
+++ b/d4s_user_services_perms/templates/startservice.j2
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+sudo {{ d4science_service_start_command }}
+
+exit $?
diff --git a/d4s_user_services_perms/templates/stopservice.j2 b/d4s_user_services_perms/templates/stopservice.j2
new file mode 100644
index 00000000..a4d82397
--- /dev/null
+++ b/d4s_user_services_perms/templates/stopservice.j2
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+sudo {{ d4science_service_stop_command }}
+
+exit $?
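Review bot: The generated rule uses `ALL=(ALL)`, so the service user may run the listed commands as any account on the host rather than only root; since init scripts need nothing but root, `{{ d4science_user }} ALL=(root) NOPASSWD: ...` is the tighter runas spec with no loss of function. When `d4science_service_commands` is empty the loop emits nothing and the line ends in a bare `NOPASSWD:`, which visudo rejects and which can lock sudo for every user on the host, so wrap the line in `{% if d4science_service_commands %}` … `{% endif %}` or fail the task on an empty list. None of the rendered commands carry arguments, so sudo accepts them with any argument list, which for an init script means every action it implements; if only start and stop are intended, list `... start` and `... stop` explicitly in the variable.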
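Review bot: `sudo {{ d4science_service_start_command }}` runs sudo interactively, so if the command is not covered by the sudoers entry (or that file failed to install) the script blocks on a password prompt when invoked from cron or any other non-tty context; `exec sudo -n {{ d4science_service_start_command }}` fails immediately with a clear error instead and makes the trailing `exit $?` redundant. With the role default the variable is null, so the script is rendered with no command at all and sudo just prints its usage text; guard the template task with `when: d4science_service_start_command` or assert the variable earlier in the role so the gap shows up at deploy time. The value is expanded unquoted into the shell line, so bash word-splits it and interprets any quoting inside it; that is presumably intended so that an action such as `start` can be passed as an argument, but it means the variable must only ever come from trusted inventory.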
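Review bot: `sudo {{ d4science_service_stop_command }}` is called without `-n`, so a command missing from the sudoers entry makes this script hang on a password prompt in non-interactive use rather than fail; `exec sudo -n {{ d4science_service_stop_command }}` fails fast and makes `exit $?` unnecessary. The role default for `d4science_service_stop_command` is null, so without an override the script is rendered with an empty command; guard the template task on the variable or assert it is set before rendering.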