authorFrank Becker2012-11-21 14:33:29 (EST)
committer Frank Becker2012-11-21 14:33:29 (EST)
commita33434de28d2d6e4c62f173357e97443199e19bf (patch)
tree6c12cad8a5e7c710ea187c44f953e26058f52db6
parent16b7963b8627cac4e80e75409d3f9a2cb32c2af6 (diff)
394051: ensure that services are running as a non privileged user refs/changes/92/8792/1
Change-Id: I3f061c6ceae6fa74ebc6e69a86c4187de0e8bcd0 Task-Url: https://bugs.eclipse.org/bugs/show_bug.cgi?id=394051
-rw-r--r--org.eclipse.mylyn.gerrit.releng/manifests/default.pp7
-rw-r--r--org.eclipse.mylyn.gerrit.releng/modules/gerrit/manifests/defaultsites.pp2
-rw-r--r--org.eclipse.mylyn.gerrit.releng/modules/gerrit/manifests/gerrit.pp24
-rw-r--r--org.eclipse.mylyn.gerrit.releng/modules/gerrit/manifests/init.pp24
-rw-r--r--org.eclipse.mylyn.gerrit.releng/modules/gerrit/manifests/site.pp19
5 files changed, 58 insertions, 18 deletions
diff --git a/org.eclipse.mylyn.gerrit.releng/manifests/default.pp b/org.eclipse.mylyn.gerrit.releng/manifests/default.pp
index ba6f9b7..ea76dea 100644
--- a/org.eclipse.mylyn.gerrit.releng/manifests/default.pp
+++ b/org.eclipse.mylyn.gerrit.releng/manifests/default.pp
@@ -1,4 +1,11 @@
Exec { path => [ "/bin/", "/sbin/" , "/usr/bin/", "/usr/sbin/" ] }
+
+ user { "tools":
+ ensure => present,
+ membership => minimum,
+ shell => "/bin/bash",
+ managehome => 'true',
+}
include apache
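Review bot: The `tools` user is declared as the unprivileged service identity, yet it gets an interactive `/bin/bash` shell, and its password state and primary group are left to the platform defaults. The file resources in site.pp set `group => "$gerrit::userGroup"` (also `tools`), so they rely on a group that no manifest in this change declares; adding `group { "tools": ensure => present }` and `gid => "tools"` on the user would make that dependency explicit. If nobody is expected to log in as this account, a comment saying so (or a non-login shell) would document the intent. `managehome => 'true'` passes a quoted string where the bare boolean `true` is the usual form.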
diff --git a/org.eclipse.mylyn.gerrit.releng/modules/gerrit/manifests/defaultsites.pp b/org.eclipse.mylyn.gerrit.releng/modules/gerrit/manifests/defaultsites.pp
index 831ba56..b371c11 100644
--- a/org.eclipse.mylyn.gerrit.releng/modules/gerrit/manifests/defaultsites.pp
+++ b/org.eclipse.mylyn.gerrit.releng/modules/gerrit/manifests/defaultsites.pp
@@ -1,4 +1,6 @@
define gerrit::defaultsites {
+ $userOwner = "tools"
+ $userGroup = "tools"
exec { "apt-get update":
command => "apt-get update",
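Review bot: `$userOwner` and `$userGroup` repeat the literal `"tools"` that this commit also puts into `class gerrit` (init.pp) and the `user` resource in default.pp, so the account name now lives in three places. If one copy changes, services could run as one user while their files belong to another, which is the kind of drift this change is meant to prevent. Consider dropping the local copies and reading `$gerrit::userOwner` / `$gerrit::userGroup` after `include "gerrit"`, as gerrit.pp does; the same applies to the `$base` default repeated in gerrit.pp. The body of `gerrit::defaultsites` continues outside this hunk, so how the two variables are used is not visible here.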
diff --git a/org.eclipse.mylyn.gerrit.releng/modules/gerrit/manifests/gerrit.pp b/org.eclipse.mylyn.gerrit.releng/modules/gerrit/manifests/gerrit.pp
new file mode 100644
index 0000000..3743d76
--- /dev/null
+++ b/org.eclipse.mylyn.gerrit.releng/modules/gerrit/manifests/gerrit.pp
@@ -0,0 +1,24 @@
+define gerrit::gerrit(
+ $version = "$title",
+ $base = "/home/tools/gerrit",
+ $postfix = "",
+) {
+
+ include "gerrit"
+
+ Exec { path => [ "/bin/", "/sbin/" , "/usr/bin/", "/usr/sbin/" ] }
+
+ exec { "prepare $version":
+ command => "mkdir -p $base/archive $base/conf.d",
+ user => "$gerrit::userOwner",
+ creates => "$base/archive",
+ }
+
+ exec { "download gerrit $version":
+ command => "wget -O $base/archive/gerrit-$version.war https://gerrit.googlecode.com/files/gerrit${postfix}-${version}.war",
+ creates => "$base/archive/gerrit-$version.war",
+ user => "$gerrit::userOwner",
+ require => Exec["prepare $version"],
+ }
+
+}
\ No newline at end of file
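Review bot: The `download gerrit $version` exec fetches a WAR that site.pp later runs with `java -jar`, but nothing checks what was downloaded. `wget -O` creates the target file even when the transfer fails or is cut short, and `creates => "$base/archive/gerrit-$version.war"` then treats that file as done on every later run. Downloading to a temporary name and renaming only on success, e.g. `command => "wget -O $base/archive/gerrit-$version.war.part <url> && mv $base/archive/gerrit-$version.war.part $base/archive/gerrit-$version.war"`, closes the partial-file case; comparing the file against a pinned checksum before the rename (a new define parameter would be needed) would cover integrity as well. `prepare $version` has a similar gap: `creates => "$base/archive"` skips the `mkdir` even if `conf.d` is missing.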
diff --git a/org.eclipse.mylyn.gerrit.releng/modules/gerrit/manifests/init.pp b/org.eclipse.mylyn.gerrit.releng/modules/gerrit/manifests/init.pp
index efa23a0..910e6aa 100644
--- a/org.eclipse.mylyn.gerrit.releng/modules/gerrit/manifests/init.pp
+++ b/org.eclipse.mylyn.gerrit.releng/modules/gerrit/manifests/init.pp
@@ -1,19 +1,7 @@
-define gerrit(
- $version = "$title",
- $base = "/home/tools/gerrit",
- $postfix = "",
-) {
- Exec { path => [ "/bin/", "/sbin/" , "/usr/bin/", "/usr/sbin/" ] }
-
- exec { "prepare $version":
- command => "mkdir -p $base/archive $base/conf.d",
- creates => "$base/archive",
- }
-
- exec { "download gerrit $version":
- command => "wget -O $base/archive/gerrit-$version.war https://gerrit.googlecode.com/files/gerrit${postfix}-${version}.war",
- creates => "$base/archive/gerrit-$version.war",
- require => Exec["prepare $version"],
- }
-
+class gerrit {
+
+ $base = "/home/tools/gerrit"
+ $userOwner = "tools"
+ $userGroup = "tools"
+
}
\ No newline at end of file
diff --git a/org.eclipse.mylyn.gerrit.releng/modules/gerrit/manifests/site.pp b/org.eclipse.mylyn.gerrit.releng/modules/gerrit/manifests/site.pp
index 19191bb..3d0f77e 100644
--- a/org.eclipse.mylyn.gerrit.releng/modules/gerrit/manifests/site.pp
+++ b/org.eclipse.mylyn.gerrit.releng/modules/gerrit/manifests/site.pp
@@ -17,12 +17,14 @@ define gerrit::site(
exec { "stop $envid":
command => "/bin/sh -c '(cd $envbase && $envbase/bin/gerrit.sh stop)'",
require => Gerrit["$version"],
+ user => "$gerrit::userOwner",
onlyif => "test -x $envbase/bin/gerrit.sh && $envbase/bin/gerrit.sh check | grep -q 'Gerrit running'",
}
exec { "configure $envid":
command => "java -jar $base/archive/gerrit-$version.war init --batch --site-path $envbase --no-auto-start",
require => Exec["stop $envid"],
+ user => "$gerrit::userOwner",
creates => "$envbase",
}
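Review bot: `require => Gerrit["$version"]` in `stop $envid` still refers to the old `gerrit` define, which this commit turns into `class gerrit` and re-creates as `gerrit::gerrit`. Unless callers elsewhere still declare a `Gerrit[...]` resource, the reference should become `require => Gerrit::Gerrit["$version"],`. `gerrit::site` starts before this hunk and continues after it, so the declaration side of that dependency is not visible here.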
@@ -33,50 +35,66 @@ define gerrit::site(
file { "$envbase":
ensure => "directory",
+ owner => "$gerrit::userOwner",
+ group => "$gerrit::userGroup",
require => Exec["configure $envid"]
}
file { "$conf/$envid.conf":
content => template('gerrit/gerrit.conf.erb'),
+ owner => "$gerrit::userOwner",
+ group => "$gerrit::userGroup",
notify => Service["apache2"],
}
if $digestauth {
file { "$envbase/htpasswd.digest":
content => template('gerrit/htpasswd.digest.erb'),
+ owner => "$gerrit::userOwner",
+ group => "$gerrit::userGroup",
require => File["$envbase"],
}
} else {
file { "$envbase/htpasswd":
content => template('gerrit/htpasswd.erb'),
+ owner => "$gerrit::userOwner",
+ group => "$gerrit::userGroup",
require => File["$envbase"],
}
}
file { "$envbase/admin.id_rsa":
source => "puppet:///modules/gerrit/admin.id_rsa",
+ owner => "$gerrit::userOwner",
+ group => "$gerrit::userGroup",
require => File["$envbase"],
}
file { "$envbase/setup.sql":
source => "puppet:///modules/gerrit/setup.sql",
+ owner => "$gerrit::userOwner",
+ group => "$gerrit::userGroup",
require => File["$envbase"],
}
file { "$envbase/service.json":
content => template('gerrit/service.json.erb'),
+ owner => "$gerrit::userOwner",
+ group => "$gerrit::userGroup",
require => File["$envbase"],
}
exec { "create admin user for $envid":
command => "java -jar bin/gerrit.war gsql < $envbase/setup.sql",
cwd => "$envbase",
+ user => "$gerrit::userOwner",
require => [ Exec["configure $envid"], File["$envbase/setup.sql"], File["$envbase/admin.id_rsa"], ],
}
exec { "start $envid":
command => "$envbase/bin/gerrit.sh start",
cwd => "$envbase",
+ user => "$gerrit::userOwner",
require => [ Exec["create admin user for $envid"], File["$envbase/etc/gerrit.config"] ],
creates => "$envbase/log/gerrit.pid",
}
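Review bot: The credential files get an owner and group here but no `mode`, so `$envbase/admin.id_rsa`, `htpasswd` and `htpasswd.digest` end up with whatever permissions the source file or Puppet's defaults give them. For the private key, add `mode => "0600",` to `file { "$envbase/admin.id_rsa": ... }`; OpenSSH refuses private keys that other users can read. The htpasswd files deserve an explicit mode too, chosen so that whichever process checks the passwords can still read them. `create admin user for $envid` has no `creates`/`unless` guard, so it appears to re-run `setup.sql` on every Puppet run.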
@@ -85,6 +103,7 @@ define gerrit::site(
exec { "create project for $envid":
command => "$ssh gerrit create-project --name org.eclipse.mylyn.test --empty-commit",
+# user => "$gerrit::userOwner",
require => Exec["start $envid"],
creates => "$envbase/git/org.eclipse.mylyn.test.git"
}
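Review bot: The added `user` attribute on `create project for $envid` is commented out, so this exec is the one step that still runs as the account Puppet itself runs under, with no explanation why. Either enable it (`user => "$gerrit::userOwner",`) or replace the dead line with a comment stating the reason, for example that `$ssh` needs a key or known_hosts setup the `tools` account does not have yet. The definition of `$ssh` is outside this hunk, so the actual reason cannot be confirmed from here.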