| author | Frank Becker | 2012-11-23 00:13:48 (EST) |
|---|---|---|
| committer | Frank Becker | 2012-11-23 00:13:48 (EST) |
| commit | a144ad36bdb9605fe6e30e5e9a16bf02fbb92763 (patch) (side-by-side diff) | |
| tree | ae30d901f6b6ef6b83c506ca0915ffefa0e02003 | |
| parent | 62891d084328df711905bc105ac110aa0cf1deca (diff) | |
394051: ensure that services are running as a non privileged user
refs/changes/89/8789/2
use tools user
Change-Id: Ic7c0356419d6d8c4844932e16b3bb82fdeb5923f
Task-Url: https://bugs.eclipse.org/bugs/show_bug.cgi?id=394051
4 files changed, 34 insertions, 6 deletions
diff --git a/org.eclipse.mylyn.hudson.releng/manifests/default.pp b/org.eclipse.mylyn.hudson.releng/manifests/default.pp index 7c8b92e..a8b37fa 100644 --- a/org.eclipse.mylyn.hudson.releng/manifests/default.pp +++ b/org.eclipse.mylyn.hudson.releng/manifests/default.pp @@ -2,5 +2,12 @@ Exec { path => [ "/bin/", "/sbin/" , "/usr/bin/", "/usr/sbin/" ] } include "hudson" +user { "tools": + ensure => present, + membership => minimum, + shell => "/bin/bash", + managehome => 'true', +} + hudson::defaultsites { "hudson": } diff --git a/org.eclipse.mylyn.hudson.releng/modules/hudson/manifests/hudson.pp b/org.eclipse.mylyn.hudson.releng/modules/hudson/manifests/hudson.pp index 3bac25e..a854665 100644 --- a/org.eclipse.mylyn.hudson.releng/modules/hudson/manifests/hudson.pp +++ b/org.eclipse.mylyn.hudson.releng/modules/hudson/manifests/hudson.pp @@ -3,6 +3,8 @@ define hudson::hudson( $type, $qualifier = "", $base = $hudson::base, + $userOwner = $hudson::userOwner, + $userGroup = $hudson::userGroup, ) { include "hudson" @@ -10,6 +12,7 @@ define hudson::hudson( exec { "prepare $version": command => "mkdir -p $base/archive $base/conf.d", creates => "$base/archive", + user => "$userOwner", require => Exec["prepare hudson"], } @@ -32,8 +35,9 @@ define hudson::hudson( exec { "download $version": command => "wget -O '$base/archive/${type}-$version.war' '$url'", - creates => "$base/archive/${type}-$version.war", - require => Exec["prepare $version"], + creates => "$base/archive/${type}-$version.war", + user => "$userOwner", + require => Exec["prepare $version"], } } diff --git a/org.eclipse.mylyn.hudson.releng/modules/hudson/manifests/init.pp b/org.eclipse.mylyn.hudson.releng/modules/hudson/manifests/init.pp index cfd63d9..74d75f3 100644 --- a/org.eclipse.mylyn.hudson.releng/modules/hudson/manifests/init.pp +++ b/org.eclipse.mylyn.hudson.releng/modules/hudson/manifests/init.pp 
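Review bot: In default.pp the new `user { "tools": }` resource declares no primary group, yet init.pp sets `$userGroup = "tools"` and site.pp uses it as the `group` of every managed file, so the group only exists if the platform's useradd happens to create a user-private group. Declaring it makes the dependency explicit: `group { "tools": ensure => present }` plus `gid => "tools",` inside the user resource. `managehome => 'true'` would read better as the bare boolean `true`. Since the account exists to run services, it is also worth checking whether it needs an interactive `/bin/bash` shell at all.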
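Review bot: In hudson.pp the define gains `$userGroup`, but neither `exec { "prepare $version": }` nor `exec { "download $version": }` uses it; both set only `user => "$userOwner"`, and the exec that runs `$envbase/start.sh` in site.pp does the same. Either drop the parameter from this define or add `group => "$userGroup",` next to each `user` line so the commands and the files they create carry the intended group. Whether an exec with only `user` set also switches its primary group should be confirmed on the Puppet version in use. The body of the define lies partly outside these hunks, so a use of `$userGroup` elsewhere cannot be ruled out.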
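Review bot: The `download $version` exec in hudson.pp now fetches the WAR as `$userOwner`, but the file is still accepted without any integrity check, and `creates` treats whatever is at that path, including a truncated download, as finished. `$url` is built outside the hunk, so whether it uses HTTPS is not visible here. Downloading to a temporary name, verifying it with `sha256sum -c` against an expected digest, and only then moving it to `$base/archive/${type}-$version.war` would close both gaps. The expected digest would have to be added as a parameter of the define.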
@@ -1,6 +1,8 @@ class hudson { $base = "/home/tools/hudson" + $userOwner = "tools" + $userGroup = "tools" exec { "apt-get update": command => "apt-get update", diff --git a/org.eclipse.mylyn.hudson.releng/modules/hudson/manifests/site.pp b/org.eclipse.mylyn.hudson.releng/modules/hudson/manifests/site.pp index b7368c7..88c5d49 100644 --- a/org.eclipse.mylyn.hudson.releng/modules/hudson/manifests/site.pp +++ b/org.eclipse.mylyn.hudson.releng/modules/hudson/manifests/site.pp @@ -4,11 +4,13 @@ define hudson::site( $data, $port, $version, - $allbasicauth = false, - $certauth = false, - $digestauth = false, + $allbasicauth = false, + $certauth = false, + $digestauth = false, $base = $hudson::base, $envinfo = "", + $userOwner = $hudson::userOwner, + $userGroup = $hudson::userGroup, ) { $envbase = "$base/$envid" $conf = "$base/conf.d" @@ -23,17 +25,23 @@ define hudson::site( file { "$envbase": source => "puppet:///modules/hudson/${data}", recurse => true, + owner => "$userOwner", + group => "$userGroup", require => Exec["stop $envid"], } if $digestauth { file { "$envbase/htpasswd.digest": content => template('hudson/htpasswd.digest.erb'), + owner => "$userOwner", + group => "$userGroup", require => File["$envbase"], } } else { file { "$envbase/htpasswd": content => template('hudson/htpasswd.erb'), + owner => "$userOwner", + group => "$userGroup", require => File["$envbase"], } } @@ -46,17 +54,23 @@ define hudson::site( file { "$envbase/start.sh": content => template('hudson/start.sh.erb'), mode => 755, + owner => "$userOwner", + group => "$userGroup", require => File["$envbase"], } file { "$envbase/stop.sh": content => template('hudson/stop.sh.erb'), mode => 755, + owner => "$userOwner", + group => "$userGroup", require => File["$envbase"], } file { "$envbase/service.json": content => template('hudson/service.json.erb'), + owner => "$userOwner", + group => "$userGroup", require => File["$envbase"], } 
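Review bot: In site.pp the `htpasswd` and `htpasswd.digest` files are now owned by `$userOwner`, the account the service itself runs as, and neither resource sets a `mode`, so the credential hashes fall back to Puppet's default file permissions. A process running as that account can therefore rewrite the credentials that gate access to it, and other local users may be able to read the hashes. Keeping these two files owned by root with an explicit mode, readable only by the group of whichever server performs the authentication (not visible in this hunk), would separate the two roles, e.g. `owner => "root", mode => 640,` with a suitable `group`.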
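Review bot: `start.sh`, `stop.sh` and `service.json` in site.pp become owned by `$userOwner`, which is also the account that executes `start.sh` in the last hunk, so a compromised service can replace its own launcher and persist across restarts. `Exec["stop $envid"]` is referenced in this define but no hunk gives it a `user`; if it runs `stop.sh` as the Puppet agent's user, a script writable by the unprivileged account is executed with higher privileges. Owning the scripts by root while still running them as the service account avoids this: `owner => "root", group => "$userGroup", mode => 755,`. That only holds if the scripts sit in a directory the service account cannot write to, which is not the case while `file { "$envbase": }` is itself owned by `$userOwner`.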
@@ -64,7 +78,8 @@ define hudson::site( command => "$envbase/start.sh", cwd => "$envbase", require => File["$envbase/start.sh"], - creates => "$envbase/pid", + user => "$userOwner", + creates => "$envbase/pid", } exec { "add $envbase to apache": |

