library/roles/d4s_user_services_perms: Add a series of task that configure a generic service to be managed by an unprivileged user.
parent
4f09f02336
commit
4b5303dad5
|
@ -1,12 +1,20 @@
|
||||||
This role assumes that only one tomcat instance is defined and running on the system.
|
Four different scenarios are covered.
|
||||||
|
|
||||||
Important note: the variable 'http_port' needs to be defined earlier in the calling playbook.
|
1. One smartgears tomcat instance, installed inside the user's home
|
||||||
|
2. One or more tomcat instances, each instance installed inside its
|
||||||
|
user's home
|
||||||
|
3. One service, not tomcat based, installed inside the user's home
|
||||||
|
4. One service, installed inside the user's home, not managed by other
|
||||||
|
ansible playbooks (only the user is created)
|
||||||
|
|
||||||
|
Important note: the variable 'http_port(s)' needs to be defined earlier in the calling playbook.
|
||||||
|
|
||||||
What the role does:
|
What the role does:
|
||||||
|
|
||||||
- Install the sudoers config that permits the tomcat user to restart
|
- Installs the sudoers config that permits the user to restart the
|
||||||
the service
|
service
|
||||||
- Install the script that allows the tomcat user to start and stop the
|
- Installs the script that allows the user to start and stop the
|
||||||
service without using the full path
|
service without using the full path
|
||||||
- Install the README file that explains where the options files are
|
- Installs the README file that explains where the options files are
|
||||||
placed and how start/stop the service
|
placed and how start/stop the service
|
||||||
|
- The default open files limits are increased
|
||||||
|
|
|
@ -3,6 +3,10 @@ d4science_user: gcube
|
||||||
d4science_user_create_home: True
|
d4science_user_create_home: True
|
||||||
d4science_user_home: '/home/{{ d4science_user }}'
|
d4science_user_home: '/home/{{ d4science_user }}'
|
||||||
d4science_user_shell: /bin/bash
|
d4science_user_shell: /bin/bash
|
||||||
|
d4s_service_node: False
|
||||||
|
smartgears_node: False
|
||||||
|
d4s_tomcat_node: False
|
||||||
|
gcore_node: False
|
||||||
|
|
||||||
d4science_sudoers_commands:
|
d4science_sudoers_commands:
|
||||||
- /etc/init.d/tomcat-instance-*
|
- /etc/init.d/tomcat-instance-*
|
||||||
|
@ -11,6 +15,19 @@ d4science_tomcat_options_files:
|
||||||
- '/etc/default/tomcat-instance-{{ item.0.http_port }}'
|
- '/etc/default/tomcat-instance-{{ item.0.http_port }}'
|
||||||
- '/etc/default/tomcat-instance-{{ item.0.http_port }}.local'
|
- '/etc/default/tomcat-instance-{{ item.0.http_port }}.local'
|
||||||
|
|
||||||
|
|
||||||
|
d4science_service_commands:
|
||||||
|
- /etc/init.d/*
|
||||||
|
|
||||||
|
d4science_user_service_scripts:
|
||||||
|
- startservice
|
||||||
|
- stopservice
|
||||||
|
|
||||||
|
d4science_service_start_command:
|
||||||
|
|
||||||
|
d4science_service_stop_command:
|
||||||
|
|
||||||
|
|
||||||
limits_nofile_value: 16000
|
limits_nofile_value: 16000
|
||||||
security_limits:
|
security_limits:
|
||||||
- { domain: '{{ d4science_user }}', l_item: 'nofile', type: 'soft', value: '{{ limits_nofile_value }}' }
|
- { domain: '{{ d4science_user }}', l_item: 'nofile', type: 'soft', value: '{{ limits_nofile_value }}' }
|
||||||
|
|
|
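Review bot: The new default `d4science_service_commands: - /etc/init.d/*` is much wider than the existing `/etc/init.d/tomcat-instance-*` pattern a few lines above it. Rendered into the NOPASSWD sudoers rule added by this commit, it lets the unprivileged service account run every init script on the host, with any arguments, rather than only its own service. A least-privilege default names no wildcard and makes the calling playbook list the exact script, e.g. `- /etc/init.d/<service-script>` (placeholder, to be set per service). Separately, `d4science_service_start_command:` and `d4science_service_stop_command:` are bare keys that parse as null; writing `''` states the intent explicitly.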
@ -0,0 +1,18 @@
|
||||||
|
---
|
||||||
|
- block:
|
||||||
|
- name: Install the README file that explains where the options files are placed and how start/stop the service
|
||||||
|
template: src={{ item }}-service.j2 dest={{ d4science_user_home }}/{{ item }} mode=0444
|
||||||
|
with_items:
|
||||||
|
- 'README-service'
|
||||||
|
|
||||||
|
- name: Install the script that allows the d4science user to start and stop the service without using the full path
|
||||||
|
template: src={{ item }}.j2 dest=/home/{{ d4science_user }}/{{ item }} owner={{ d4science_user }} group={{ d4science_user }} mode=0755
|
||||||
|
with _items: '{{ d4science_user_service_scripts }}'
|
||||||
|
|
||||||
|
- name: Install the sudoers config that permits the tomcat user to restart the service
|
||||||
|
become: False
|
||||||
|
template: src=d4science-sudoers.j2 dest=/etc/sudoers.d/d4science-services owner=root group=root mode=0440
|
||||||
|
|
||||||
|
become: True
|
||||||
|
become_user: '{{ d4science_user }}'
|
||||||
|
tags: [ 'd4science', 'd4s_readme', 'sudo', 'startup_cmd' ]
|
|
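Review bot: The sudoers task writes `/etc/sudoers.d/d4science-services` without a syntax check, so a bad render (for example from an empty `d4science_service_commands` list) can leave an invalid file in `/etc/sudoers.d` and break sudo on the host; adding `validate='visudo -cf %s'` to that `template` call prevents this. The script task's loop key is shown as `with _items:` with a space, which is not a valid loop keyword; it may be a rendering artifact, so confirm the file reads `with_items:`. That task also hard-codes `dest=/home/{{ d4science_user }}/{{ item }}`, while the README task and the README template use `{{ d4science_user_home }}`, so the two paths diverge when the home directory is overridden. The last task's name still says "tomcat user" although this file is for generic services.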
@ -1,8 +1,10 @@
|
||||||
---
|
---
|
||||||
- include: d4s-smartgears-node.yml
|
- include: d4s-smartgears-node.yml
|
||||||
when: smartgears_node is defined and smartgears_node
|
when: smartgears_node
|
||||||
- include: d4s-tomcat-node.yml
|
- include: d4s-tomcat-node.yml
|
||||||
when: d4s_tomcat_node is defined and d4s_tomcat_node
|
when: d4s_tomcat_node
|
||||||
|
- include: d4s-service-node.yml
|
||||||
|
when: d4s_service_node
|
||||||
- include: d4s-basic-node.yml
|
- include: d4s-basic-node.yml
|
||||||
when: gcore_node is defined and gcore_node
|
when: gcore_node
|
||||||
- include: security_limits.yml
|
- include: security_limits.yml
|
||||||
|
|
|
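Review bot: The simplified conditions such as `when: d4s_service_node` rely on the variable being a real boolean, and this one now gates the include that installs a sudoers rule. When the value arrives as a string (extra vars on the command line, some inventory formats), the way a bare variable is evaluated has varied between Ansible versions. `when: d4s_service_node | bool` is the more predictable form, and the same applies to `smartgears_node`, `d4s_tomcat_node` and `gcore_node`.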
@ -0,0 +1,4 @@
|
||||||
|
The commands that start and stop the service are:
|
||||||
|
{% for cmd in d4science_user_service_scripts %}
|
||||||
|
{{ d4science_user_home }}/{{ cmd }}
|
||||||
|
{% endfor %}
|
|
@ -0,0 +1,2 @@
|
||||||
|
{{ d4science_user }} ALL=(ALL) NOPASSWD: {% for cmd in d4science_service_commands %}{{ cmd }}{% if not loop.last %},{% endif %}{% endfor %}
|
||||||
|
|
|
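Review bot: The rule grants `ALL=(ALL)`, so the listed commands may be run as any target user, while starting and stopping an init script only needs root; `{{ d4science_user }} ALL=(root) NOPASSWD: ...` is the narrower form. The command list is emitted verbatim from `d4science_service_commands`, so the wildcard default added in this commit ends up in the rule unchanged. An empty list renders `NOPASSWD:` with no command, which is not a valid entry; wrapping the line in `{% if d4science_service_commands %} ... {% endif %}` avoids that case.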
@ -0,0 +1,5 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
sudo {{ d4science_service_start_command }}
|
||||||
|
|
||||||
|
exit $?
|
|
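Review bot: `d4science_service_start_command` has no value in the defaults added by this commit, so unless the playbook sets it the installed script calls `sudo` with no usable command, and the failure only shows up when the user runs it. The same holds for `sudo {{ d4science_service_stop_command }}` in the stop script that follows. Failing the play early is clearer, for example with an `assert` task in the service-node tasks that checks both variables are non-empty. The command must also match an entry in `d4science_service_commands`, otherwise sudo will not run it without a password; a template comment such as `# must match a command allowed in /etc/sudoers.d/d4science-services` would record that. The trailing `exit $?` is redundant, since the script already exits with the status of its last command.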
@ -0,0 +1,5 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
sudo {{ d4science_service_stop_command }}
|
||||||
|
|
||||||
|
exit $?
|