From a0a8c2a45b5e20512e273dbec52595bb3bb1b1be Mon Sep 17 00:00:00 2001
From: Steffen Pingel
Date: Sat, 24 Nov 2012 21:29:25 +0100
Subject: 394051: ensure that services are running as a non privileged user
Change-Id: I074bc03ca10667bd729f877e773767f879833754
Task-Url: https://bugs.eclipse.org/bugs/show_bug.cgi?id=394051
---
 org.eclipse.mylyn.trac.releng/manifests/default.pp | 10 +-
 .../modules/trac/manifests/defaultsites.pp | 195 +++++++++++----------
 .../modules/trac/manifests/init.pp | 2 +
 .../modules/trac/manifests/plugin.pp | 69 ++++----
 .../modules/trac/manifests/service.pp | 19 ++
 .../modules/trac/manifests/site.pp | 44 ++++-
 .../modules/trac/manifests/trac.pp | 29 ++-
 .../modules/trac/templates/service.json.erb | 15 +-
 8 files changed, 237 insertions(+), 146 deletions(-)
 create mode 100644 org.eclipse.mylyn.trac.releng/modules/trac/manifests/service.pp
diff --git a/org.eclipse.mylyn.trac.releng/manifests/default.pp b/org.eclipse.mylyn.trac.releng/manifests/default.pp
index a7a45b933..2d7b49421 100644
--- a/org.eclipse.mylyn.trac.releng/manifests/default.pp
+++ b/org.eclipse.mylyn.trac.releng/manifests/default.pp
@@ -1,6 +1,14 @@
-Exec { path => [ "/bin/", "/sbin/" , "/usr/bin/", "/usr/sbin/" ] }
+Exec {
+ path => ["/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/"] }
 
 include "trac"
 
+user { "tools":
+ ensure => present,
+ membership => minimum,
+ shell => "/bin/bash",
+ managehome => true,
+}
+
 trac::defaultsites { "trac":
 }
diff --git a/org.eclipse.mylyn.trac.releng/modules/trac/manifests/defaultsites.pp b/org.eclipse.mylyn.trac.releng/modules/trac/manifests/defaultsites.pp
index 720b8de7e..68a17f887 100644
--- a/org.eclipse.mylyn.trac.releng/modules/trac/manifests/defaultsites.pp
+++ b/org.eclipse.mylyn.trac.releng/modules/trac/manifests/defaultsites.pp
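Review bot: `user { "tools": }` is declared here in the site manifest while init.pp hard-codes `$userOwner = "tools"` and `$userGroup = "tools"`, so the module depends on an account it neither declares nor checks for, and nothing declares a `group { "tools": }` at all — the `group =>` attributes added throughout the module rely on the provider creating a same-named primary group. Moving the user (plus an explicit group) into class `trac`, or at least adding `User["tools"] -> Class["trac"]`, would make the dependency visible; Puppet autorequires a managed user for `file` owners and, as far as I recall, for `exec` too, but the ordering stays implicit. `membership => minimum` without a `groups` list is a no-op and can be dropped. If nobody needs an interactive login as `tools`, `shell => "/usr/sbin/nologin"` would do, since the execs run under Puppet do not go through the login shell as far as I can tell.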
@@ -1,97 +1,102 @@
-define trac::defaultsites (
- $base = $trac::base,
-) {
-
-include "trac"
-
-/* Defaults */
-
-Trac::Trac {
- base => $base,
-}
-Trac::Plugin {
- base => $base,
-}
-Trac::Site {
- base => $base,
- version => "1.0",
- require => Trac["1.0"],
-}
-
-/* Instances */
-
-trac::trac { "0.11.7":
-}
-
-trac::trac { "0.12.4":
-}
-
-trac::trac { "1.0":
-}
-
-trac::trac { "trunk":
-}
-
-/* Plugins */
-
-trac::plugin { "accountmanagerplugin-0.11":
- url => "http://trac-hacks.org/svn/accountmanagerplugin/0.11",
- egg => "TracAccountManager",
-}
-
-trac::plugin { "masterticketsplugin-0.11":
- url => "http://trac-hacks.org/svn/masterticketsplugin/0.11",
- egg => "TracMasterTickets",
-}
-
-trac::plugin { "xmlrpcplugin-trunk":
- url => "http://trac-hacks.org/svn/xmlrpcplugin/trunk",
- egg => "TracXMLRPC",
-}
-
-/* Sites */
-
-trac::site { "trac-0.11":
- version => "0.11.7",
- require => Trac["0.11.7"],
-}
-
-trac::site { "trac-0.12":
- version => "0.12.4",
- require => Trac["0.12.4"],
-}
-
-trac::site { "trac-1.0":
- version => "1.0",
- require => Trac["1.0"],
-}
-
-trac::site { "trac-allbasic":
- allbasicauth => true,
- envinfo => "AllBasicAuth",
-}
-
-trac::site { "trac-cert":
- certauth => true,
- envinfo => "CertAuth",
-}
-
-trac::site { "trac-digest":
- digestauth => true,
- envinfo => "DigestAuth",
-}
-
-trac::site { "trac-form-auth":
- accountmanagerplugin => "0.11",
- envinfo => "FormAuth",
-}
-
-trac::site { "trac-trunk":
- version => "trunk",
- require => Trac["trunk"],
-}
-
-trac::site { "trac-test":
-}
+define trac::defaultsites ($base = $trac::base, $userOwner = $trac::userOwner, $userGroup = $trac::userGroup,) {
+ include "trac"
+
+ /* Defaults */
+
+ Trac::Trac {
+ base => $base,
+ userOwner => $userOwner,
+ userGroup => $userGroup,
+ }
+
+ Trac::Plugin {
+ base => $base,
+ userOwner => $userOwner,
+ userGroup => $userGroup,
+ }
+
+ Trac::Site {
+ base => $base,
+ version => "1.0",
+ require => Trac["1.0"],
+ userOwner => $userOwner,
+ userGroup => $userGroup,
+ }
+
+ /* Instances */
+
+ trac::trac { "0.11.7":
+ }
+
+ trac::trac { "0.12.4":
+ }
+
+ trac::trac { "1.0":
+ }
+
+ trac::trac { "trunk":
+ }
+
+ /* Plugins */
+
+ trac::plugin { "accountmanagerplugin-0.11":
+ url => "http://trac-hacks.org/svn/accountmanagerplugin/0.11",
+ egg => "TracAccountManager",
+ }
+
+ trac::plugin { "masterticketsplugin-0.11":
+ url => "http://trac-hacks.org/svn/masterticketsplugin/0.11",
+ egg => "TracMasterTickets",
+ }
+
+ trac::plugin { "xmlrpcplugin-trunk":
+ url => "http://trac-hacks.org/svn/xmlrpcplugin/trunk",
+ egg => "TracXMLRPC",
+ }
+
+ /* Sites */
+
+ trac::site { "trac-0.11":
+ version => "0.11.7",
+ require => Trac["0.11.7"],
+ }
+
+ trac::site { "trac-0.12":
+ version => "0.12.4",
+ require => Trac["0.12.4"],
+ }
+
+ trac::site { "trac-1.0":
+ version => "1.0",
+ require => Trac["1.0"],
+ }
+
+ trac::site { "trac-allbasic":
+ allbasicauth => true,
+ envinfo => "AllBasicAuth",
+ }
+
+ trac::site { "trac-cert":
+ certauth => true,
+ envinfo => "CertAuth",
+ }
+
+ trac::site { "trac-digest":
+ digestauth => true,
+ envinfo => "DigestAuth",
+ }
+
+ trac::site { "trac-form-auth":
+ accountmanagerplugin => "0.11",
+ envinfo => "FormAuth",
+ }
+
+ trac::site { "trac-trunk":
+ version => "trunk",
+ require => Trac["trunk"],
+ }
+
+ trac::site { "trac-test":
+ }
 
 }
\ No newline at end of file
diff --git a/org.eclipse.mylyn.trac.releng/modules/trac/manifests/init.pp b/org.eclipse.mylyn.trac.releng/modules/trac/manifests/init.pp
index eb386de4e..136d1793b 100644
--- a/org.eclipse.mylyn.trac.releng/modules/trac/manifests/init.pp
+++ b/org.eclipse.mylyn.trac.releng/modules/trac/manifests/init.pp
@@ -1,5 +1,7 @@
 class trac {
 $base = "/home/tools/trac"
+ $userOwner = "tools"
+ $userGroup = "tools"
 
 /* Common requirements for all Trac instances */
 
diff --git a/org.eclipse.mylyn.trac.releng/modules/trac/manifests/plugin.pp b/org.eclipse.mylyn.trac.releng/modules/trac/manifests/plugin.pp
index 6b87829fb..e51e3edc6 100644
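Review bot: The new parameters are camelCase (`$userOwner`, `$userGroup`) while every other parameter in this module is lowercase (`$allbasicauth`, `$envinfo`, `$accountmanagerplugin`); the Puppet style guide asks for lowercase with underscores, so `$user_owner`/`$user_group` would be consistent, and the same names recur in init.pp, plugin.pp, service.pp, site.pp and trac.pp below. The define header was also collapsed onto one line ending in `$userGroup = $trac::userGroup,) {`; the comma before `)` is legal but reads like a typo, and one parameter per line as in plugin.pp and service.pp is clearer. Most of this hunk is a re-indent of the whole file; separating the whitespace change from the ownership change would leave the real change (the `userOwner`/`userGroup` entries added to the three resource defaults) reviewable on its own.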
--- a/org.eclipse.mylyn.trac.releng/modules/trac/manifests/plugin.pp
+++ b/org.eclipse.mylyn.trac.releng/modules/trac/manifests/plugin.pp
@@ -1,37 +1,42 @@
-define trac::plugin(
- $plugin = "$title",
- $egg,
- $url,
- $base = $trac::base,
-) {
- $srcbase = "$base/src/$plugin"
-
- include "trac"
-
- exec { "prepare $plugin":
+define trac::plugin (
+ $plugin = "$title",
+ $egg,
+ $url,
+ $base = $trac::base,
+ $userOwner = $trac::userOwner,
+ $userGroup = $trac::userGroup,) {
+ $srcbase = "$base/src/$plugin"
+
+ include "trac"
+
+ exec { "prepare $plugin":
 command => "mkdir -p $srcbase",
 creates => "$srcbase",
+ user => "$userOwner",
 require => Exec["prepare trac"]
 }
-
- exec { "svn checkout $plugin":
- command => "svn checkout $url src",
- cwd => "$srcbase",
- creates => "$srcbase/src",
- require => Exec["prepare $plugin"],
- }
-
- exec { "setup $plugin":
- command => "python setup.py bdist_egg",
- cwd => "$srcbase/src",
- creates => "$srcbase/src/dist",
- require => Exec["svn checkout $plugin"],
- }
-
- exec { "copy egg $plugin":
- command => "cp $srcbase/src/dist/${egg}-*.egg $srcbase/src/dist/$egg.egg",
- creates => "$srcbase/src/dist/$egg.egg",
- require => Exec["setup $plugin"],
- }
-
+
+ exec { "svn checkout $plugin":
+ command => "svn checkout $url src",
+ cwd => "$srcbase",
+ creates => "$srcbase/src",
+ user => "$userOwner",
+ require => Exec["prepare $plugin"],
+ }
+
+ exec { "setup $plugin":
+ command => "python setup.py bdist_egg",
+ cwd => "$srcbase/src",
+ creates => "$srcbase/src/dist",
+ user => "$userOwner",
+ require => Exec["svn checkout $plugin"],
+ }
+
+ exec { "copy egg $plugin":
+ command => "cp $srcbase/src/dist/${egg}-*.egg $srcbase/src/dist/$egg.egg",
+ creates => "$srcbase/src/dist/$egg.egg",
+ user => "$userOwner",
+ require => Exec["setup $plugin"],
+ }
+
 }
\ No newline at end of file
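Review bot: `svn checkout $url src` in `exec { "svn checkout $plugin": }` still checks out whatever the branch head happens to be at provisioning time, and the egg built from it by `python setup.py bdist_egg` is what later gets copied into the Trac environments, so the plugin code that ends up executing under the web server is neither pinned nor verified; running the build as `$userOwner` limits what a bad checkout can touch on the host but not what it puts in the egg. A `$revision` parameter with `command => "svn checkout -r $revision $url src"`, with the revisions recorded in defaultsites.pp, would make the provisioned eggs reproducible. Separately, `cp $srcbase/src/dist/${egg}-*.egg ...` depends on glob expansion, which the default posix exec provider does not perform as far as I can tell; if this works today it is because a shell provider is configured elsewhere, and `provider => shell` on that exec would make it explicit.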
diff --git a/org.eclipse.mylyn.trac.releng/modules/trac/manifests/service.pp b/org.eclipse.mylyn.trac.releng/modules/trac/manifests/service.pp
new file mode 100644
index 000000000..96b41c121
--- /dev/null
+++ b/org.eclipse.mylyn.trac.releng/modules/trac/manifests/service.pp
@@ -0,0 +1,19 @@
+define trac::service (
+ $envid = "$title",
+ $version,
+ $envtype = "trac",
+ $envinfo = "",
+ $envmode = "XML-RPC",
+ $accessmode = "XML_RPC",
+ $base = $trac::base,
+ $userOwner = $trac::userOwner,
+ $userGroup = $trac::userGroup,) {
+ $envbase = "$base/var/$envid"
+
+ file { "$envbase/service-$title.json":
+ content => template('trac/service.json.erb'),
+ require => File["$envbase"],
+ owner => "$userOwner",
+ group => "$userGroup",
+ }
+}
diff --git a/org.eclipse.mylyn.trac.releng/modules/trac/manifests/site.pp b/org.eclipse.mylyn.trac.releng/modules/trac/manifests/site.pp
index b9d9080a3..facacc75f 100644
--- a/org.eclipse.mylyn.trac.releng/modules/trac/manifests/site.pp
+++ b/org.eclipse.mylyn.trac.releng/modules/trac/manifests/site.pp
@@ -9,8 +9,9 @@ define trac::site (
 $digestauth = false,
 $base = $trac::base,
 $envtype = "trac",
- $envinfo = "",) {
-
+ $envinfo = "",
+ $userOwner = $trac::userOwner,
+ $userGroup = $trac::userGroup,) {
 $prefix = "$base/share/trac-$version"
 $envbase = "$base/var/$envid"
 $env = "$base/var/$envid/env"
@@ -22,17 +23,20 @@ define trac::site (
 command => "mkdir -p $base/bin $base/conf.d $base/src $base/var $envbase",
 creates => "$envbase",
 require => Exec["prepare trac"],
+ user => "$userOwner",
 }
 
 file { "$envbase":
 ensure => "directory",
 owner => "www-data",
+ group => "$userGroup",
 require => Exec["prepare $envbase"],
 }
 
 file { "$envbase/svn":
 ensure => "directory",
 owner => "www-data",
+ group => "$userGroup",
 require => File["$envbase"],
 }
 
@@ -40,6 +44,7 @@ define trac::site (
 command => "svnadmin create $envbase/svn",
 require => File["$envbase/svn"],
 creates => "$envbase/svn/format",
+ user => "www-data",
 }
 
 exec { "initenv $envid":
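Review bot: `trac::service` requires `File["$envbase"]` but does not declare it — that resource is created in `trac::site` — so this define only compiles when it is declared from a `trac::site` with the same `envid` and `base`, and that contract is not written down anywhere in the new file. I would put it in a header comment, e.g. `# Writes the service descriptor for one access mode of a Trac site. Must be declared from trac::site (which owns File["$envbase"]) with the same envid and base.` A one-line comment on the `file` resource noting that the descriptor is named after this define's title while the directory comes from `$envid` would also save the next reader a round trip to site.pp.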
@@ -80,22 +85,30 @@ define trac::site (
 file { "$env/conf/trac.ini":
 content => template('trac/trac.ini.erb'),
 require => Exec["initenv $envid"],
+ owner => "www-data",
+ group => "$userGroup",
 }
 
 file { "$conf/$envid.conf":
 content => template('trac/trac.conf.erb'),
 require => Exec["prepare $envbase"],
+ owner => "$userOwner",
+ group => "$userGroup",
 }
 
 if $digestauth {
 file { "$envbase/htpasswd.digest":
 content => template('trac/htpasswd.digest.erb'),
 require => File["$envbase"],
+ owner => "$userOwner",
+ group => "$userGroup",
 }
 } else {
 file { "$envbase/htpasswd":
 content => template('trac/htpasswd.erb'),
 require => File["$envbase"],
+ owner => "$userOwner",
+ group => "$userGroup",
 }
 }
 
@@ -103,12 +116,16 @@ define trac::site (
 content => template('trac/trac.fcgi.erb'),
 mode => 755,
 require => File["$envbase"],
+ owner => "$userOwner",
+ group => "$userGroup",
 }
 
 if $xmlrpcplugin {
 file { "$env/plugins/TracXMLRPC.egg":
 source => "$base/src/xmlrpcplugin-$xmlrpcplugin/src/dist/TracXMLRPC.egg",
 require => Exec["initenv $envid"],
+ owner => "$userOwner",
+ group => "$userGroup",
 }
 
 exec { "add xmlrpc permissions $envid":
@@ -125,14 +142,11 @@ define trac::site (
 file { "$env/plugins/TracAccountManager.egg":
 source => "$base/src/accountmanagerplugin-$accountmanagerplugin/src/dist/TracAccountManager.egg",
 require => Exec["initenv $envid"],
+ owner => "$userOwner",
+ group => "$userGroup",
 }
 }
 
- file { "$envbase/service.json":
- content => template('trac/service.json.erb'),
- require => File["$envbase"],
- }
-
 exec { "add $envbase to /etc/apache2/conf.d/trac.conf":
 command => "echo 'Include $base/conf.d/[^.#]*\n' >> /etc/apache2/conf.d/trac.conf",
 require => File["$conf/$envid.conf"],
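Review bot: `$envbase/htpasswd` and `$envbase/htpasswd.digest` now get `owner => "$userOwner"` and `group => "$userGroup"` but still no `mode`, so the credential files keep whatever a newly created file defaults to (0644 as far as I recall), readable by every local account, while the account that reads them at request time (`www-data`, which owns `$envbase`) is neither the owner nor, presumably, a member of `$userGroup`. The least-privilege layout for both resources is `owner => "$userOwner", group => "www-data", mode => '0640'`. The same consideration applies to `$env/conf/trac.ini` in this hunk, which is created `owner => "www-data"` without a mode and, depending on what the template puts in it, may carry database or mail credentials. `trac::site` continues outside this hunk on both sides.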
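Review bot: Dropping `file { "$envbase/service.json": }` stops managing that file but does not remove it, so hosts provisioned with the previous revision keep a stale `service.json` next to the new `service-*.json` descriptors, and whatever consumes these descriptors (not visible here) may pick up both. Keeping the resource for one release as `file { "$envbase/service.json": ensure => absent, }` lets existing environments converge before it is deleted for good. This is the third hunk of the site.pp section; the enclosing define starts and ends outside it.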
@@ -140,4 +154,20 @@ define trac::site (
 onlyif => "grep -qe '^Include $base/conf.d' /etc/apache2/conf.d/trac.conf; test $? != 0"
 }
 
+ trac::service { "${envid}-xml-rpc":
+ envid => "$title",
+ version => "$version",
+ envinfo => "$envinfo",
+ envmode => "XML-RPC",
+ accessmode => "XML_RPC",
+ }
+
+ trac::service { "${envid}-web":
+ envid => "$title",
+ version => "$version",
+ envinfo => "$envinfo",
+ envmode => "Web",
+ accessmode => "TRAC_0_9",
+ }
+
 }
diff --git a/org.eclipse.mylyn.trac.releng/modules/trac/manifests/trac.pp b/org.eclipse.mylyn.trac.releng/modules/trac/manifests/trac.pp
index 56370224a..bef5b2ab3 100644
--- a/org.eclipse.mylyn.trac.releng/modules/trac/manifests/trac.pp
+++ b/org.eclipse.mylyn.trac.releng/modules/trac/manifests/trac.pp
@@ -1,6 +1,8 @@
-/* Instance specific provisioning */
-
-define trac::trac ($version = "$title", $base = $trac::base,) {
+define trac::trac ( #
+ $version = "$title",
+ $base = $trac::base,
+ $userOwner = $trac::userOwner,
+ $userGroup = $trac::userGroup,) {
 $binbase = "$base/bin"
 $srcbase = "$base/src/trac-$version"
 $prefix = "$base/share/trac-$version"
@@ -9,13 +11,16 @@ define trac::trac ($version = "$title", $base = $trac::base,) {
 
 exec { "prepare $version":
 command => "mkdir -p $binbase $srcbase $prefix",
- creates => [ "$binbase", "$srcbase", "$prefix" ],
- require => Exec["prepare trac"]
+ creates => ["$binbase", "$srcbase", "$prefix"],
+ require => Exec["prepare trac"],
+ user => "$userOwner",
 }
 
 file { "$srcbase":
 ensure => "directory",
 require => Exec["prepare $version"],
+ owner => "$userOwner",
+ group => "$userGroup",
 }
 
 if $version == "trunk" {
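Review bot: The two `trac::service` declarations pass `envid`, `version`, `envinfo`, `envmode` and `accessmode` but not `base`, `envtype`, `userOwner` or `userGroup`, so a `trac::site` declared with a non-default `base` writes its descriptors under `$trac::base/var/...`, where the `File["$envbase"]` that `trac::service` requires does not exist, and a non-default `envtype` is silently reported as `"trac"`. The site already has all four values in scope; forward them on both declarations so the service descriptors follow the site they describe.
```puppet
  trac::service { "${envid}-xml-rpc":
    envid      => "$title",
    # … unchanged: version, envinfo, envmode, accessmode …
    base       => $base,
    envtype    => $envtype,
    userOwner  => $userOwner,
    userGroup  => $userGroup,
  }
  # … the same four attributes added to trac::service { "${envid}-web": } …
```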
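Review bot: `define trac::trac ( #` leaves a stray empty `#` comment after the opening parenthesis, and the same hunk deletes the `/* Instance specific provisioning */` header that was the only documentation of this define. Drop the `#` and keep a one-line comment above the define that says what it now does and as whom, e.g. `# Downloads, extracts and installs one Trac version under $base, running every step as $userOwner.` The rest of the define is in the following hunks.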
@@ -24,24 +29,29 @@ define trac::trac ($version = "$title", $base = $trac::base,) {
 cwd => "$srcbase",
 creates => "$srcbase/Trac-$version",
 require => File["$srcbase"],
+ user => "$userOwner",
 }
 } else {
 exec { "download trac $version":
 command => "wget -O $srcbase/Trac-$version.tar.gz http://download.edgewall.org/trac/Trac-$version.tar.gz",
 creates => "$srcbase/Trac-$version.tar.gz",
 require => File["$srcbase"],
+ user => "$userOwner",
 }
 
 exec { "extract trac $version":
 command => "tar -C $srcbase -xzvf $srcbase/Trac-$version.tar.gz",
 require => Exec["download trac $version"],
 creates => "$srcbase/Trac-$version",
+ user => "$userOwner",
 }
 }
 
 file { "$srcbase/install.sh":
 source => "puppet:///modules/trac/install.sh",
- mode => '755',
+ mode => 755,
+ owner => "$userOwner",
+ group => "$userGroup",
 }
 
 exec { "install $version":
@@ -50,18 +60,23 @@ define trac::trac ($version = "$title", $base = $trac::base,) {
 logoutput => false,
 require => Exec["extract trac $version"],
 creates => "$prefix/lib/.provisioned",
+ user => "$userOwner",
 }
 
 file { "$binbase/trac-$version.cgi":
 content => template('trac/trac.cgi.erb'),
 require => Exec["prepare $version"],
 mode => 755,
+ owner => "$userOwner",
+ group => "$userGroup",
 }
 
 file { "$binbase/tracadmin-$version":
 content => template('trac/tracadmin.erb'),
 mode => 755,
- require => Exec["prepare $version"]
+ require => Exec["prepare $version"],
+ owner => "$userOwner",
+ group => "$userGroup",
 }
 
 }
\ No newline at end of file
diff --git a/org.eclipse.mylyn.trac.releng/modules/trac/templates/service.json.erb b/org.eclipse.mylyn.trac.releng/modules/trac/templates/service.json.erb
index 88c3301b2..dfff4a541 100644
--- a/org.eclipse.mylyn.trac.releng/modules/trac/templates/service.json.erb
+++ b/org.eclipse.mylyn.trac.releng/modules/trac/templates/service.json.erb
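Review bot: `mode => '755'` on `$srcbase/install.sh` was changed to the bare number `mode => 755`, which goes the wrong way — the Puppet docs specify `mode` as a string, and later Puppet versions reject or misread unquoted numeric modes as far as I recall — so `mode => '0755'` is the form to use here and on the two `mode => 755` file resources in the next hunk. On the same hunk, `wget -O ... http://download.edgewall.org/trac/Trac-$version.tar.gz` fetches the tarball over plain HTTP and the following execs extract and install it as `$userOwner` with no integrity check; verifying a per-version digest before `extract trac $version` runs (e.g. `sha256sum -c` against a value kept in the manifest, placeholder `<SHA256_FOR_VERSION>`), and using https if edgewall serves it, would close that gap. The enclosing define continues outside both hunks.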
@@ -1,6 +1,13 @@
 {
-"type": "<%= envtype %>",
-"url": "/<%= envid %>/",
-"version": "<%= version %>",
-"info": "<%= envinfo %>"
+ "type": "<%= envtype %>",
+ "url": "/<%= envid %>/",
+ "version": "<%= version %>",
+<% if @envinfo == "" %>
+ "info": "<%= envmode %>",
+<% else %>
+ "info": "<%= envinfo %>/<%= envmode %>",
+<% end %>
+ "properties":{
+ "version": "<%= accessmode %>"
+ }
 }
-- cgit v1.2.3
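Review bot: The template drops `envtype`, `envid`, `version`, `envinfo`, `envmode` and `accessmode` into JSON string literals with no escaping, so any value containing `"` or `\` yields an invalid descriptor; the values come from manifests rather than request input, so the exposure is low, but `"info": <%= @envinfo.to_json %>` (after `require 'json'`, stdlib Ruby) would make the output well-formed by construction. The new `<% if @envinfo == "" %>` uses the `@envinfo` form while every other reference in the file uses the bare `envinfo` form; pick one, and `@`-prefixed is the form Puppet documents for template variables.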