From d222d0cfdce6bfe86e140d46db458dd950be3b66 Mon Sep 17 00:00:00 2001
From: Andrea Dell'Amico
Date: Mon, 13 Jul 2015 17:54:21 +0200
Subject: [PATCH] dnet-mincyt: new VM to host the portal. Fixes to the apache virtualhosts generation tasks. library/roles/dnet_user_services_perms: New roles to configure the VM permissions in a way that allows playing with tomcat without been root. infrastructure-services: First bits of nagios configuration for the infrastructure services.
---
 dnet_user_services_perms/README.md | 3 ++
 dnet_user_services_perms/defaults/main.yml | 6 ++++
 dnet_user_services_perms/tasks/main.yml | 30 +++++++++++++++++++
 .../templates/dnet-sudoers.j2 | 3 ++
 haproxy/handlers/main.yml | 9 ++++++
 iptables/handlers/main.yml | 4 ---
 iptables/tasks/main.yml | 5 +---
 tomcat/defaults/main.yml | 1 +
 users/defaults/main.yml | 8 ++++-
 users/tasks/main.yml | 12 ++++++++
 .../templates/varnish.service.systemd.j2 | 15 ++++++++++
 11 files changed, 87 insertions(+), 9 deletions(-)
 create mode 100644 dnet_user_services_perms/README.md
 create mode 100644 dnet_user_services_perms/defaults/main.yml
 create mode 100644 dnet_user_services_perms/tasks/main.yml
 create mode 100644 dnet_user_services_perms/templates/dnet-sudoers.j2
 create mode 100644 haproxy/handlers/main.yml
 create mode 100644 varnish-cache/templates/varnish.service.systemd.j2
diff --git a/dnet_user_services_perms/README.md b/dnet_user_services_perms/README.md
new file mode 100644
index 00000000..7c16a155
--- /dev/null
+++ b/dnet_user_services_perms/README.md
@@ -0,0 +1,3 @@
+This role sets acls that permit unprivileged users to:
+- write inside a list of directories
+- restart the tomcat instances
diff --git a/dnet_user_services_perms/defaults/main.yml b/dnet_user_services_perms/defaults/main.yml
new file mode 100644
index 00000000..368374e9
--- /dev/null
+++ b/dnet_user_services_perms/defaults/main.yml
@@ -0,0 +1,6 @@
+---
+dnet_user: tomcat7
+dnet_group: dnet
+
+dnet_data_directories:
+ - /var/lib/dnet
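Review bot: `dnet_user: tomcat7` pins the tomcat major version in this role's defaults, while tomcat/defaults/main.yml derives every path from `tomcat_version` (`/var/lib/tomcat{{ tomcat_version }}`), and the sudoers template in this same patch hard-codes `/etc/init.d/tomcat7` too. Deriving it, `dnet_user: 'tomcat{{ tomcat_version }}'`, keeps the directory owner, the webapps path the acl tasks touch and the sudo rule pointing at the same instance when the version changes; the sudoers path deserves the same treatment.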
diff --git a/dnet_user_services_perms/tasks/main.yml b/dnet_user_services_perms/tasks/main.yml
new file mode 100644
index 00000000..f4251003
--- /dev/null
+++ b/dnet_user_services_perms/tasks/main.yml
@@ -0,0 +1,30 @@
+---
+- name: Add the all the users to the dnet group
+ user: name={{ item.login }} groups={{ dnet_group }}
+ with_items: users_system_users
+ tags: [ 'dnet', 'users' ]
+
+- name: Install the sudoers config that permits the dnet users to restart tomcat
+ template: src=dnet-sudoers.j2 dest=/etc/sudoers.d/dnet-group owner=root group=root mode=0440
+ tags: [ 'tomcat', 'dnet', 'sudo', 'users' ]
+
+- name: Create the dnet data dirs
+ file: name={{ item }} state=directory owner={{ dnet_user }} group={{ dnet_group }} mode=0750
+ with_items: dnet_data_directories
+ tags: [ 'tomcat', 'dnet', 'users' ]
+
+# Note: the default is a default only. We need two commands to add acl effectively on the root dir and set the default
+- name: Set the read/write permissions on the tomcat webapps and common/classes directories and on a set of dnet data dirs
+ acl: name={{ item }} entity={{ dnet_group }} etype=group permissions=rwx state=present
+ with_items:
+# - [ '{{ tomcat_webapps_dir }}', '{{ tomcat_common_classes_dir }}', '{{ dnet_data_directories }}' ]
+ - [ '{{ tomcat_webapps_dir }}', '{{ tomcat_common_classes_dir }}' ]
+ tags: [ 'tomcat', 'dnet', 'users' ]
+
+- name: Set the default read/write permissions on the tomcat webapps and common/classes directories and on a set of dnet data dirs
+ acl: name={{ item }} entity={{ dnet_group }} etype=group permissions=rwx state=present default=yes
+ with_items:
+# - [ '{{ tomcat_webapps_dir }}', '{{ tomcat_common_classes_dir }}', '{{ dnet_data_directories }}' ]
+ - [ '{{ tomcat_webapps_dir }}', '{{ tomcat_common_classes_dir }}' ]
+ tags: [ 'tomcat', 'dnet', 'users' ]
+
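Review bot: The `user:` task passes `groups={{ dnet_group }}` without `append=yes`, so the user module replaces each account's supplementary groups with just `dnet`; anyone the users role had put into `users_sudoers_group` silently loses that membership on the next run. The fix is one token, `user: name={{ item.login }} groups={{ dnet_group }} append=yes`. The template task that installs the sudoers drop-in should also carry `validate='/usr/sbin/visudo -cf %s'`, because a malformed `/etc/sudoers.d/dnet-group` disables sudo for every administrator on the host. Separately, the README promises write access to `dnet_data_directories`, but both acl tasks keep that list commented out and the `file` task creates those directories with `mode=0750`, so group members get read-only access to `/var/lib/dnet`; either add a third acl task iterating `with_items: dnet_data_directories` (the commented form would render the list as one string) or reword the README.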
diff --git a/dnet_user_services_perms/templates/dnet-sudoers.j2 b/dnet_user_services_perms/templates/dnet-sudoers.j2
new file mode 100644
index 00000000..d37971d0
--- /dev/null
+++ b/dnet_user_services_perms/templates/dnet-sudoers.j2
@@ -0,0 +1,3 @@
+%{{ dnet_group }} ALL=(ALL) NOPASSWD: /etc/init.d/tomcat7, /etc/init.d/tomcat-instance-*
+
+
diff --git a/haproxy/handlers/main.yml b/haproxy/handlers/main.yml
new file mode 100644
index 00000000..59bf4330
--- /dev/null
+++ b/haproxy/handlers/main.yml
@@ -0,0 +1,9 @@
+---
+- name: Restart haproxy
+ service: name=haproxy state=restarted
+ when: haproxy_enabled
+
+- name: Reload haproxy
+ service: name=haproxy state=reloaded
+ when: haproxy_enabled
+
diff --git a/iptables/handlers/main.yml b/iptables/handlers/main.yml
index d8346c34..44293ea7 100644
--- a/iptables/handlers/main.yml
+++ b/iptables/handlers/main.yml
@@ -1,10 +1,6 @@
 ---
 - name: Start the iptables service
 service: name=iptables-persistent state=restarted enabled=yes
- when:
- - is_precise
- - is_trusty
- - is_debian7
 notify: Restart fail2ban
 
 - name: Start the netfilter service
diff --git a/iptables/tasks/main.yml b/iptables/tasks/main.yml
index 5dc7ec66..d9e0ec7b 100644
--- a/iptables/tasks/main.yml
+++ b/iptables/tasks/main.yml
@@ -22,10 +22,7 @@
 with_items:
 - rules.v4
 - rules.v6
- when:
- - is_precise
- - is_trusty
- - is_debian7
+ when: ( is_precise ) or ( is_trusty ) or ( is_debian7 )
 notify: Start the iptables service
 tags:
 - iptables
diff --git a/tomcat/defaults/main.yml b/tomcat/defaults/main.yml
index e47af9da..d993e23f 100644
--- a/tomcat/defaults/main.yml
+++ b/tomcat/defaults/main.yml 
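Review bot: The runas spec `ALL=(ALL)` lets every `dnet` member run the two init scripts as any account on the host, although restarting tomcat only needs root; `%{{ dnet_group }} ALL=(root) NOPASSWD: /etc/init.d/tomcat7, /etc/init.d/tomcat-instance-*` is the least-privilege form. The same group receives rwx on `tomcat_webapps_dir` in tasks/main.yml, so a member already controls what runs as the tomcat user by design; the boundary that remains is the init scripts themselves, which must not read anything group-writable while running as root, and that assumption deserves a one-line comment in the template. `/etc/init.d/tomcat7` is also hard-coded here while the tomcat role derives its paths from `tomcat_version`.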
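Review bot: Both handlers are gated on `when: haproxy_enabled`, and nothing in this patch defines that variable; if the role's defaults (outside this diff) do not declare it, the first notification aborts the play with an undefined-variable error instead of skipping. Declare it in haproxy/defaults/main.yml, or if it is meant to be optional write the guard as `when: haproxy_enabled is defined and haproxy_enabled` so an unset inventory does not break the run.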
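Review bot: The handler in iptables/handlers/main.yml drops its distribution condition entirely, while the task in iptables/tasks/main.yml that notifies it keeps one, `( is_precise ) or ( is_trusty ) or ( is_debian7 )`; the removed list form was an implicit AND of three mutually exclusive facts, so both hunks fix a condition that could never hold, but they are now asymmetric. That is harmless only as long as nothing else notifies `Start the iptables service`, since handlers run solely when notified; either mirror the task's `or` expression on the handler or record the dependency with `# only notified by the rules.v4/rules.v6 task, which is gated on precise/trusty/debian7`. The `Start the netfilter service` handler that follows is cut off by the hunk, so whether the two handlers are mutually exclusive cannot be checked here.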
@@ -31,6 +31,7 @@ tomcat_catalina_home_dir: '/usr/share/tomcat{{ tomcat_version }}'
 tomcat_catalina_base_dir: '/var/lib/tomcat{{ tomcat_version }}'
 tomcat_conf_dir: '/etc/tomcat{{ tomcat_version }}'
 tomcat_webapps_dir: '{{ tomcat_catalina_base_dir }}/webapps'
+tomcat_common_classes_dir: '{{ tomcat_catalina_base_dir }}/common/classes'
 tomcat_tmp_dir: '{{ tomcat_catalina_base_dir }}/tmp/tomcat'
 
 # JMX and debugging
diff --git a/users/defaults/main.yml b/users/defaults/main.yml
index df1595c3..1b25e043 100644
--- a/users/defaults/main.yml
+++ b/users/defaults/main.yml
@@ -1,8 +1,14 @@
 ---
+#
+# This role adds users to a system
+# The users can access if their ssh key is provided
+# Users can have sudo privileges if the 'admin' property is 'true'
+# admin users can also directly log as root when 'user_admin_can_log_as_root' is set to 'true'
+
 users_sudoers_group: sudo
 users_sudoers_create_group: False
 users_sudoers_create_sudo_conf: False
 users_home_dir: /home
 
 #users_system_users:
-# - { login: 'adellam', name: "Andrea Dell'Amico", home: '{{ users_home_dir }}, createhome: 'yes', ssh_key: '{{ adellam_ssh_key }}', shell: '/bin/bash', admin: 'True' }
+# - { login: 'adellam', name: "Andrea Dell'Amico", home: '{{ users_home_dir }}', createhome: 'yes', ssh_key: '{{ adellam_ssh_key }}', shell: '/bin/bash', admin: 'False', log_as_root: 'False' }
diff --git a/users/tasks/main.yml b/users/tasks/main.yml
index 33c9149d..c270e78e 100644
--- a/users/tasks/main.yml
+++ b/users/tasks/main.yml
@@ -33,5 +33,17 @@
 with_items: users_system_users
 when:
 - users_system_users is defined
+ - item.admin == 'True'
 tags:
 - users
+
+- name: ensure that the users can login with their ssh keys as root if we want ensure direct access
+ authorized_key: user=root key="{{ item.ssh_key }}" state=present
+ with_items: users_system_users
+ when:
+ - users_system_users is defined
+ - item.ssh_key is defined
+ - item.log_as_root == 'True'
+ tags:
+ - users
+
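Review bot: The new header in users/defaults/main.yml says sudo is granted when the 'admin' property is 'true' and names a `user_admin_can_log_as_root` setting, but users/tasks/main.yml in this same patch compares `item.admin == 'True'` and `item.log_as_root == 'True'`: string equality, capitalised, keyed on a per-user `log_as_root` field and not on any global. A reader following the comment would write `admin: true` (a YAML boolean, which never equals the string 'True') or set a global nobody reads, and get neither sudo nor the root key, with no error. Suggest the two comment lines read `# Users get sudo privileges when their 'admin' property is the string 'True'` and `# admin users can also log in directly as root when their 'log_as_root' property is the string 'True' (see the quoted example below)`.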
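Review bot: The added condition `item.admin == 'True'` (and `item.log_as_root == 'True'` in the new task) fails with an undefined-attribute error for any entry in `users_system_users` that lacks the key, whereas `ssh_key` is guarded with `is defined` on the line above; inventories written before `log_as_root` existed will break the new task on every host. Guard both the same way: `- item.log_as_root is defined` ahead of `- item.log_as_root == 'True'`, and `- item.admin is defined` ahead of the admin comparison. The `authorized_key` task also only ever adds to root's `authorized_keys` (`state=present`): setting `log_as_root` back to 'False' or removing the user leaves direct root access in place, so a matching `state=absent` task for the non-'True' case is needed before this setting can be called revocable. The task the first added line extends begins before line 33 and its name is not visible in the hunk.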
diff --git a/varnish-cache/templates/varnish.service.systemd.j2 b/varnish-cache/templates/varnish.service.systemd.j2
new file mode 100644
index 00000000..21f63cb0
--- /dev/null
+++ b/varnish-cache/templates/varnish.service.systemd.j2
@@ -0,0 +1,15 @@
+[Unit]
+Description=Varnish HTTP accelerator
+After=network.target
+
+[Service]
+Type=forking
+EnvironmentFile=-/etc/default/varnish
+LimitNOFILE={{ varnish_n_files }}
+LimitMEMLOCK={{ varnish_memlock }}
+ExecStartPre=/usr/sbin/varnishd -C -f {{ varnish_vcl_conf }}
+ExecStart=/usr/sbin/varnishd -u {{ varnish_user }} $DAEMON_OPTS
+ExecReload=/usr/share/varnish/reload-vcl
+
+[Install]
+WantedBy=multi-user.target
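Review bot: `Type=forking` with no `PIDFile=` leaves systemd to guess which of varnishd's processes is the main one, so the unit can be reported active after the manager has died or stopped by signalling the wrong process; varnishd's `-P` option writes its pid, so pair `ExecStart=/usr/sbin/varnishd -P <PIDFILE> -u {{ varnish_user }} $DAEMON_OPTS` with `PIDFile=<PIDFILE>` (placeholder, one path under /run used in both). `EnvironmentFile=-/etc/default/varnish` tolerates a missing file, in which case `$DAEMON_OPTS` expands to nothing and ExecStart launches varnishd without the `-f {{ varnish_vcl_conf }}` that ExecStartPre just validated; either drop the leading `-` so a missing defaults file fails the start, or put `-f {{ varnish_vcl_conf }}` on ExecStart where the unit already knows the path (and keep it out of DAEMON_OPTS to avoid passing it twice). Leaving `$DAEMON_OPTS` unquoted is correct here, since systemd splits the plain `$VAR` form into separate arguments.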