library/roles/d4s_user_services_perms: Add a series of task that configure a generic service to be managed by an unprivileged user.

2016-09-26 18:17:45 +02:00 · 2016-09-26 18:17:45 +02:00 · 4b5303dad5
parent 4f09f02336
commit 4b5303dad5
8 changed files with 70 additions and 9 deletions
--- a/d4s_user_services_perms/README.md
+++ b/d4s_user_services_perms/README.md
@ -1,12 +1,20 @@
-This role assumes that only one tomcat instance is defined and running on the system.
+Four different scenarios are covered.

-Important note: the variable 'http_port' needs to be defined earlier in the calling playbook.
+1. One smartgears tomcat instance, installed inside the user's home
+2. One or more tomcat instances, each instance installed inside its
+   user's home
+3. One service, not tomcat based, installed inside the user's home
+4. One service, installed inside the user's home, not managed by other
+   ansible playbooks (only the user is created)
+
+Important note: the variable 'http_port(s)' needs to be defined earlier in the calling playbook.

 What the role does:

- Install the sudoers config that permits the tomcat user to restart
-the service
- Install the script that allows the tomcat user to start and stop the
+- Installs the sudoers config that permits the user to restart the
+service
+- Installs the script that allows the user to start and stop the
 service without using the full path
- Install the README file that explains where the options files are
+- Installs the README file that explains where the options files are
 placed and how start/stop the service
+- The default open files limits are increased
--- a/d4s_user_services_perms/defaults/main.yml
+++ b/d4s_user_services_perms/defaults/main.yml
@ -3,6 +3,10 @@ d4science_user: gcube
 d4science_user_create_home: True
 d4science_user_home: '/home/{{ d4science_user }}'
 d4science_user_shell: /bin/bash
+d4s_service_node: False
+smartgears_node: False
+d4s_tomcat_node: False
+gcore_node: False

 d4science_sudoers_commands:
  - /etc/init.d/tomcat-instance-*
@ -11,6 +15,19 @@ d4science_tomcat_options_files:
  - '/etc/default/tomcat-instance-{{ item.0.http_port }}'
  - '/etc/default/tomcat-instance-{{ item.0.http_port }}.local'

+
+d4science_service_commands:
+  - /etc/init.d/*
+
+d4science_user_service_scripts:
+  - startservice
+  - stopservice
+
+d4science_service_start_command:
+
+d4science_service_stop_command:
+
+
 limits_nofile_value: 16000
 security_limits:
  - { domain: '{{ d4science_user }}', l_item: 'nofile', type: 'soft', value: '{{ limits_nofile_value }}' }
--- a/d4s_user_services_perms/tasks/d4s-service-node.yml
+++ b/d4s_user_services_perms/tasks/d4s-service-node.yml
@ -0,0 +1,18 @@
+---
+- block:
+    - name: Install the README file that explains where the options files are placed and how start/stop the service
+      template: src={{ item }}-service.j2 dest={{ d4science_user_home }}/{{ item }} mode=0444
+      with_items:
+        - 'README-service'
+
+    - name: Install the script that allows the d4science user to start and stop the service without using the full path
+      template: src={{ item }}.j2 dest=/home/{{ d4science_user }}/{{ item }} owner={{ d4science_user }} group={{ d4science_user }} mode=0755
+      with _items: '{{ d4science_user_service_scripts }}'
+
+    - name: Install the sudoers config that permits the tomcat user to restart the service
+      become: False
+      template: src=d4science-sudoers.j2 dest=/etc/sudoers.d/d4science-services owner=root group=root mode=0440
+
+  become: True
+  become_user: '{{ d4science_user }}'
+  tags: [ 'd4science', 'd4s_readme', 'sudo', 'startup_cmd' ]
--- a/d4s_user_services_perms/tasks/main.yml
+++ b/d4s_user_services_perms/tasks/main.yml
@ -1,8 +1,10 @@
 ---
 - include: d4s-smartgears-node.yml
-  when: smartgears_node is defined and smartgears_node
+  when: smartgears_node
 - include: d4s-tomcat-node.yml
-  when: d4s_tomcat_node is defined and d4s_tomcat_node
+  when: d4s_tomcat_node
+- include: d4s-service-node.yml
+  when: d4s_service_node
 - include: d4s-basic-node.yml
-  when: gcore_node is defined and gcore_node
+  when: gcore_node
 - include: security_limits.yml
--- a/d4s_user_services_perms/templates/README-service.j2
+++ b/d4s_user_services_perms/templates/README-service.j2
@ -0,0 +1,4 @@
+The commands that start and stop the service are:
+{% for cmd in d4science_user_service_scripts %}
+{{ d4science_user_home }}/{{ cmd }}
+{% endfor %}
--- a/d4s_user_services_perms/templates/d4science-sudoers.j2
+++ b/d4s_user_services_perms/templates/d4science-sudoers.j2
@ -0,0 +1,2 @@
+{{ d4science_user }}  ALL=(ALL) NOPASSWD:  {% for cmd in d4science_service_commands %}{{ cmd }}{% if not loop.last %},{% endif %}{% endfor %}
+
--- a/d4s_user_services_perms/templates/startservice.j2
+++ b/d4s_user_services_perms/templates/startservice.j2
@ -0,0 +1,5 @@
+#!/bin/bash
+
+sudo {{ d4science_service_start_command }}
+
+exit $?
--- a/d4s_user_services_perms/templates/stopservice.j2
+++ b/d4s_user_services_perms/templates/stopservice.j2
@ -0,0 +1,5 @@
+#!/bin/bash
+
+sudo {{ d4science_service_stop_command }}
+
+exit $?
				`@ -0,0 +1,2 @@`
				`{{ d4science_user }} ALL=(ALL) NOPASSWD: {% for cmd in d4science_service_commands %}{{ cmd }}{% if not loop.last %},{% endif %}{% endfor %}`