From: Bill Erickson Date: Mon, 24 Apr 2017 21:06:26 +0000 (-0400) Subject: Non-root remote_user X-Git-Url: https://old-git.evergreen-ils.org/?a=commitdiff_plain;h=5333734ddb1f60c59366663355ec40076919cb9c;p=working%2Frandom.git Non-root remote_user Signed-off-by: Bill Erickson --- diff --git a/evergreen/apache.yml b/evergreen/apache.yml index d8b0adcf3..bf30aea82 100644 --- a/evergreen/apache.yml +++ b/evergreen/apache.yml 
@@ -1,56 +1,76 @@ # Apache - name: Stop apache2 + become: true service: name=apache2 state=stopped - name: Setup eg.conf + become: true copy: src: "{{repo_base}}/Evergreen/Open-ILS/examples/apache_24/eg_24.conf" dest: /etc/apache2/sites-available/eg.conf - name: Setup eg_vhost.conf + become: true copy: src: "{{repo_base}}/Evergreen/Open-ILS/examples/apache_24/eg_vhost_24.conf" dest: /etc/apache2/eg_vhost.conf - name: Setup eg_startup + become: true copy: src: "{{repo_base}}/Evergreen/Open-ILS/examples/apache/eg_startup" dest: /etc/apache2/ - name: Create SSL Certs directory + become: true file: path=/etc/apache2/ssl state=directory - name: Setup SSL Certs + become: true shell: > cd /etc/apache2/ssl && openssl req -new -x509 -days 365 -nodes -out server.crt -keyout server.key -subj "/C=XX/ST=XX/L=XX/O=XX/OU=XX/CN={{domain_name}}" - name: Disable mpm_event + become: true shell: /usr/sbin/a2dismod mpm_event - name: Enable mpm_prefork + become: true shell: /usr/sbin/a2enmod mpm_prefork - name: Enable apache mod deflate + become: true shell: /usr/sbin/a2enmod deflate - name: Enable apache mod headers + become: true shell: /usr/sbin/a2enmod headers + become: true - name: Enable apache mod expires shell: /usr/sbin/a2enmod expires + become: true - name: Enable apache mod rewrite shell: /usr/sbin/a2enmod rewrite + become: true - name: Disable default site for apache shell: /usr/sbin/a2dissite 000-default + become: true - name: Enable eg.conf site for apache shell: /usr/sbin/a2ensite eg.conf + become: true - name: Change ownership of /var/lock/apache2 to opensrf file: path=/var/lock/apache2 owner=opensrf group=opensrf + become: true - name: Change run-user for apache to opensrf + become: true replace: dest: /etc/apache2/envvars regexp: 'www-data' replace: 'opensrf' - name: Set KeepAliveTimeout value + become: true replace: dest: /etc/apache2/apache2.conf regexp: 'KeepAliveTimeout .*' replace: 'KeepAliveTimeout 1' - name: Restarting Apache + become: true service: name=apache2 
state=started - name: Restarting Websockets + become: true # service name=apache2ctl-websockets state=restarted FAILS shell: apache2ctl-websockets restart diff --git a/evergreen/database.yml b/evergreen/database.yml index b169a3466..1ea83ce47 100644 --- a/evergreen/database.yml +++ b/evergreen/database.yml @@ -1,8 +1,10 @@ - name: Install Postgres Prereqs + become: true apt: name={{item}} state=present with_items: - python-psycopg2 # required by postgresql_user - name: Install Postgres Dependencies + become: true shell: > cd {{repo_base}}/Evergreen && PERL_MM_USE_DEFAULT=1 make -f @@ -12,10 +14,13 @@ # equivalent of the postgres-server-{{os_build_target}} steps. - block: - name: Add Postgresql 9.6 Apt Repository + become: true shell: add-apt-repository "deb http://apt.postgresql.org/pub/repos/apt/ xenial-pgdg main" - name: Add Postgresql 9.6 Apt Repository Key + become: true shell: wget --quiet -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | apt-key add - - name: Install Postgresql 9.6 Server + become: true apt: update_cache: yes name: "{{item}}" @@ -27,6 +32,7 @@ - postgresql-server-dev-9.6 when: use_pg_96 - name: Start Postgres + become: true service: name=postgresql state=started - name: Create DB User become: true @@ -53,6 +59,7 @@ when: create_schema - block: - name: Install PGTAP + become: true apt: name=pgtap state=present - name: Create PGTAP Extension become: true diff --git a/evergreen/eg-build.yml b/evergreen/eg-build.yml index 465ec931f..4f4491e53 100644 --- a/evergreen/eg-build.yml +++ b/evergreen/eg-build.yml 
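Review bot: The `Enable apache mod headers` task appears to receive `become: true` twice — once under its `- name:` and again after its `shell:` line — which leaves a duplicate key in one task mapping; the second copy should be dropped, and since the line breaks are collapsed on this page, please confirm which task each of the trailing `+ become: true` lines actually lands in. The later tasks (expires, rewrite, dissite, ensite, /var/lock/apache2) get the key after the module line while every earlier task gets it directly under `- name:`; keeping one placement, `- name: ...` followed by `  become: true`, makes each task's privilege visible at a glance. Duplicate keys are last-wins in PyYAML, so the value is unaffected today, but a later edit that changes only one copy could be silently ignored.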
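Review bot: `Add Postgresql 9.6 Apt Repository Key` still pipes a download straight into `apt-key add -`, and the hunk at `@@ -12,10 +14,13 @@` now runs it privileged via `become: true` with nothing pinning the key's fingerprint and an exit status that reflects `apt-key` rather than `wget`. Ansible's `apt_key` module fetches and verifies in one step, `apt_key: url=https://www.postgresql.org/media/keys/ACCC4CF8.asc id=ACCC4CF8 state=present`, and the companion `add-apt-repository` shell call maps to `apt_repository: repo='deb http://apt.postgresql.org/pub/repos/apt/ xenial-pgdg main'`. Both modules are also idempotent, whereas the shell tasks report changed on every run.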
@@ -10,8 +10,9 @@ cd {{repo_base}}/Evergreen && PERL_MM_USE_DEFAULT=1 make -f Open-ILS/src/extras/Makefile.install {{os_build_target}} -- name: Set ownership of {{repo_base}} to opensrf - file: dest="{{repo_base}}" owner=opensrf group=opensrf recurse=yes +- name: Set ownership of {{repo_base}} to {{deploy_user}} + become: true + file: dest={{repo_base}} owner={{deploy_user}} group={{deploy_user}} recurse=yes - name: Build Evergreen become: true become_user: opensrf @@ -23,4 +24,5 @@ && ./configure --prefix={{eg_install_path}} --sysconfdir={{eg_install_path}}/conf && make - name: Set ownership of {{eg_install_path}} to opensrf - file: dest="{{eg_install_path}}" owner=opensrf group=opensrf recurse=yes + become: true + file: dest={{eg_install_path}} owner=opensrf group=opensrf recurse=yes diff --git a/evergreen/eg-install.yml b/evergreen/eg-install.yml index bd5579710..4ec3ae192 100644 --- a/evergreen/eg-install.yml +++ b/evergreen/eg-install.yml @@ -6,21 +6,29 @@ cd {{repo_base}}/Evergreen && make STAFF_CLIENT_STAMP_ID={{eg_stamp_id}} install - name: Create XUL Current Symlink + become: true + become_user: opensrf file: state: link src: "{{eg_install_path}}/var/web/xul/{{eg_stamp_id}}" dest: "{{eg_install_path}}/var/web/xul/current" - name: Create XUL Server Symlink + become: true + become_user: opensrf file: state: link src: "{{eg_install_path}}/var/web/xul/current/server" dest: "{{eg_install_path}}/var/web/xul/server" - name: Setup opensrf.xml config file + become: true + become_user: opensrf copy: src: "{{eg_install_path}}/conf/opensrf.xml.example" dest: "{{eg_install_path}}/conf/opensrf.xml" force: no - name: Setup opensrf_core.xml config file + become: true + become_user: opensrf copy: src: "{{eg_install_path}}/conf/opensrf_core.xml.example" dest: "{{eg_install_path}}/conf/opensrf_core.xml" 
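Review bot: `Set ownership of {{repo_base}} to {{deploy_user}}` hands the checkout to `deploy_user`, but the next task, `Build Evergreen`, still runs with `become_user: opensrf` inside that checkout, so the build only has write access when `deploy_user` equals `opensrf` (the default in settings.yml); with any other value `make` would fail on a tree it does not own. The same coupling appears in eg-web.yml (Node Build as opensrf, Grunt steps as the login user), eg-translator.yml and opensrf.yml. Either run the build steps as `{{deploy_user}}` too, or document that `deploy_user` must be the service account — a one-line comment above `deploy_user:` in settings.yml would do. This hunk also drops the quotes (`dest={{repo_base}}`) while eg-web.yml and opensrf.yml keep `dest="{{repo_base}}"` in the same change; either form parses, but pick one.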
@@ -32,16 +40,21 @@ src: /tmp/dojo-release-{{dojo_version}}.tar.gz dest: /tmp/ - name: Copy dojo source files into place + become: true + become_user: opensrf synchronize: src=/tmp/dojo-release-{{dojo_version}}/ dest={{eg_install_path}}/var/web/js/dojo/ - name: Set ownership of {{eg_install_path}} to opensrf + become: true file: dest={{eg_install_path}} owner=opensrf group=opensrf recurse=yes - name: Setup .srfsh.xml for opensrf user + become: true + become_user: opensrf copy: src={{eg_install_path}}/conf/srfsh.xml.example dest=/home/opensrf/.srfsh.xml force=no -- name: Set ownership of .srfsh.xml to opensrf - file: dest=/home/opensrf/.srfsh.xml owner=opensrf group=opensrf - name: Copy ldconfig + become: true copy: src: "{{playbook_dir}}/evergreen/evergreen.ld.conf" dest: /etc/ld.so.conf.d/evergreen.ld.conf - name: Run ldconfig + become: true shell: ldconfig diff --git a/evergreen/eg-translator.yml b/evergreen/eg-translator.yml index e75778774..cbbde60e9 100644 --- a/evergreen/eg-translator.yml +++ b/evergreen/eg-translator.yml 
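Review bot: Removing `Set ownership of .srfsh.xml to opensrf` is sound now that the copy runs as opensrf, but `Setup .srfsh.xml for opensrf user` still leaves the file's mode to the umask, and the stock srfsh.xml.example carries a Jabber username and password; adding `mode=0600` to the `copy:` line keeps it out of reach of other local accounts. If the task is later converted to block-style args, quote it as `mode: '0600'` — a bare `0600` is read as a YAML 1.1 octal integer. The `Set ownership of {{eg_install_path}} to opensrf` task that follows is recursive, so the mode, not the owner, is the only thing this file still needs.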
@@ -1,14 +1,21 @@ - name: Install Evergreen Translator Prereqs + become: true shell: > cd {{repo_base}}/Evergreen && PERL_MM_USE_DEFAULT=1 make -f Open-ILS/src/extras/Makefile.install {{os_build_target}}-translator -- name: Set ownership of {{repo_base}} to opensrf - file: dest="{{repo_base}}" owner=opensrf group=opensrf recurse=yes +- name: Set ownership of {{repo_base}} to {{deploy_user}} + become: true + file: dest={{repo_base}} owner={{deploy_user}} group={{deploy_user}} recurse=yes - name: Install specified "{{ locale }}" locale(s) become: true - become_user: opensrf shell: > - cd {{repo_base}}/Evergreen/build/i18n + cd {{repo_base}}/Evergreen/build/i18n && make LOCALE="{{ item }}" install with_items: "{{ locale }}" +- name: Set ownership of {{repo_base}} to {{deploy_user}} + become: true + file: dest={{repo_base}} owner={{deploy_user}} group={{deploy_user}} recurse=yes +- name: Set ownership of {{eg_install_path}} to opensrf + become: true + file: dest={{eg_install_path}} owner=opensrf group=opensrf recurse=yes diff --git a/evergreen/eg-web.yml b/evergreen/eg-web.yml index 2a75acc20..f9017ae90 100644 --- a/evergreen/eg-web.yml +++ b/evergreen/eg-web.yml 
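Review bot: Dropping `become_user: opensrf` from `Install specified "{{ locale }}" locale(s)` makes `make LOCALE=... install` run as root inside the checkout and then relies on two recursive chowns to repair ownership afterwards; if the privilege is only needed to write under `{{eg_install_path}}`, which the playbook elsewhere assigns to opensrf, keeping `become_user: opensrf` would avoid root-owned files ever appearing in `{{repo_base}}`. The file now also has two tasks named `Set ownership of {{repo_base}} to {{deploy_user}}`, so run output cannot tell them apart; a suffix such as `(after locale install)` on the second would help. opensrf.yml's `Install OpenSRF Files` follows the same root-install-then-chown pattern.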
@@ -1,25 +1,24 @@ - name: Install Evergreen Web Prereqs + become: true shell: > cd {{repo_base}}/Evergreen && PERL_MM_USE_DEFAULT=1 make -f Open-ILS/src/extras/Makefile.install {{os_build_target}}-developer -- name: Set ownership of {{repo_base}} to opensrf - file: dest="{{repo_base}}" owner=opensrf group=opensrf recurse=yes +- name: Set ownership of {{repo_base}} to {{deploy_user}} + become: true + file: dest="{{repo_base}}" owner={{deploy_user}} group={{deploy_user}} recurse=yes - name: Install Grunt + become: true npm: name=grunt-cli global=true - name: Node Build become: true become_user: opensrf npm: path={{repo_base}}/Evergreen/Open-ILS/web/js/ui/default/staff - name: Grunt Build - become: true - become_user: opensrf shell: > cd {{repo_base}}/Evergreen/Open-ILS/web/js/ui/default/staff && grunt build - name: Grunt Test - become: true - become_user: opensrf shell: > cd {{repo_base}}/Evergreen/Open-ILS/web/js/ui/default/staff && grunt test diff --git a/evergreen/setup-translations.yml b/evergreen/setup-translations.yml index 3548911ef..6fc9552e4 100644 --- a/evergreen/setup-translations.yml +++ b/evergreen/setup-translations.yml @@ -1,5 +1,6 @@ # Apache translations - name: Assign variable for locale(s) for TPAC + become: true vars: eg_locale: "{{ item | lower | regex_replace('(\\w{2})-(\\w{2})', '\\1_\\2') }}" blockinfile: @@ -12,6 +13,7 @@ with_items: "{{ locale }}" when: locale is defined - name: Setup locale(s) for web staff client + become: true vars: staff_eg_locale: "{{ item | lower | regex_replace('(\\w{2})-(\\w{2})', '\\1_\\2') }}" blockinfile: diff --git a/extras/nginx.yml b/extras/nginx.yml index 47d9f558e..911ee878c 100644 --- a/extras/nginx.yml +++ b/extras/nginx.yml 
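Review bot: `Grunt Build` and `Grunt Test` lose their `become`/`become_user: opensrf` and now run as the login user, while `Node Build` two tasks earlier keeps `become_user: opensrf`; all three operate on the same `staff` tree, so the two privilege choices should match — either drop become from `Node Build` as well or keep it on all three. If the intent is that `deploy_user` is always opensrf, a comment on `Node Build` saying why it alone still escalates would save the next reader the question. `Install Grunt` now does `npm: name=grunt-cli global=true` under `become: true`, i.e. a global install from the registry as root with no version pinned; `name=grunt-cli version=<pinned>` (placeholder) would at least make the build reproducible.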
@@ -1,53 +1,67 @@ # Apache must be reconfigured before NGINX is installed # or the NGINX install will fail on conflicting ports - name: Change Apache ports.conf to listen 7080 + become: true replace: dest: /etc/apache2/ports.conf regexp: 'Listen 80' replace: 'Listen 7080' - name: Change Apache ports.conf to listen 7443 + become: true replace: dest: /etc/apache2/ports.conf regexp: 'Listen 443' replace: 'Listen 7443' - name: Change Evergreen eg.conf to listen 7080 + become: true replace: dest: /etc/apache2/sites-available/eg.conf regexp: ':80' replace: ':7080' - name: Change Evergreen eg.conf to listen 7443 + become: true replace: dest: /etc/apache2/sites-available/eg.conf regexp: ':443' replace: ':7443' - name: Restart Apache With New Ports + become: true service: name=apache2 state=restarted - name: Install Nginx Prereqs + become: true apt: name=nginx state=present - name: Install NGINX Configs + become: true copy: src: "{{repo_base}}/OpenSRF/examples/nginx/osrf-ws-http-proxy" dest: /etc/nginx/sites-available/osrf-ws-http-proxy - name: Link NGINX Configs + become: true file: state: link src: /etc/nginx/sites-available/osrf-ws-http-proxy dest: /etc/nginx/sites-enabled/osrf-ws-http-proxy - name: Remove Default NGINX Site + become: true file: state: absent dest: /etc/nginx/sites-available/default - name: Restart NGINX With New Config + become: true service: name=nginx state=restarted - name: Update OpenSRF WS JS Port + become: true + become_user: opensrf lineinfile: - dest: /openils/lib/javascript/opensrf_ws.js + dest: "{{eg_install_path}}/lib/javascript/opensrf_ws.js" regexp: '^var WEBSOCKET_PORT_SSL = 7682;' line: 'var WEBSOCKET_PORT_SSL = 443;' - name: Update OpenSRF WS JS Port (Shared) # This file is not currently used, but may be later. 
+ become: true + become_user: opensrf lineinfile: - dest: /openils/lib/javascript/opensrf_ws_shared.js + dest: "{{eg_install_path}}/lib/javascript/opensrf_ws_shared.js" regexp: '^var WEBSOCKET_PORT_SSL = 7682;' line: 'var WEBSOCKET_PORT_SSL = 443;' diff --git a/extras/rsyslog.yml b/extras/rsyslog.yml index 5df065689..9286a86b1 100644 --- a/extras/rsyslog.yml +++ b/extras/rsyslog.yml @@ -1,22 +1,30 @@ - name: Configure Rsyslog + become: true when: use_rsyslog copy: src: "{{repo_base}}/Evergreen/Open-ILS/examples/evergreen-rsyslog.conf" dest: /etc/rsyslog.d/evergreen.conf - name: Restart Rsyslog + become: true when: use_rsyslog service: name=rsyslog state=restarted - name: Update opensrf_core.xml for rsyslog + become: true + become_user: opensrf replace: dest: "{{eg_install_path}}/conf/opensrf_core.xml" regexp: '\/(.*)\n.*' - name: Update opensrf_core.xml for rsyslog + become: true + become_user: opensrf replace: dest: "{{eg_install_path}}/conf/opensrf_core.xml" regexp: '-->.*\n(.*)' replace: '' - name: Update opensrf_core.xml for rsyslog + become: true + become_user: opensrf replace: dest: "{{eg_install_path}}/conf/opensrf_core.xml" regexp: '-->.*\n(.*)' diff --git a/extras/start.yml b/extras/start.yml index ba442fb35..9929658bf 100644 --- a/extras/start.yml +++ b/extras/start.yml @@ -12,5 +12,6 @@ environment: PATH: "{{ansible_env.PATH}}:{{eg_install_path}}/bin" shell: autogen.sh -- name: Reloading Apache +- name: Reloading Apache + become: true service: name=apache2 state=reloaded diff --git a/opensrf/ejabberd.yml b/opensrf/ejabberd.yml index e827721c8..b4f6f8735 100644 --- a/opensrf/ejabberd.yml +++ b/opensrf/ejabberd.yml @@ -1,9 +1,11 @@ - name: Copying Ejabberd Config + become: true copy: src: "{{playbook_dir}}/opensrf/ejabberd-config.yml" dest: /etc/ejabberd/ejabberd.yml mode: 0600 - name: Restarting Ejabberd + become: true service: name=ejabberd state=restarted - name: Wait a moment for Ejabberd pause: seconds=5 
diff --git a/opensrf/opensrf.yml b/opensrf/opensrf.yml index 76da12ae7..3b031f138 100644 --- a/opensrf/opensrf.yml +++ b/opensrf/opensrf.yml @@ -10,11 +10,10 @@ cd {{repo_base}}/OpenSRF && PERL_MM_USE_DEFAULT=1 make -f src/extras/Makefile.install {{os_build_target}} -- name: Set ownership of {{repo_base}} to opensrf - file: dest="{{repo_base}}" owner=opensrf group=opensrf recurse=yes -- name: Build OpenSRF +- name: Set ownership of {{repo_base}} to {{deploy_user}} become: true - become_user: opensrf + file: dest="{{repo_base}}" owner={{deploy_user}} group={{deploy_user}} recurse=yes +- name: Build OpenSRF environment: PATH: "{{ansible_env.PATH}}:{{eg_install_path}}/bin" shell: > @@ -23,8 +22,10 @@ && ./configure --prefix={{eg_install_path}} --sysconfdir={{eg_install_path}}/conf && make - name: Install OpenSRF Files + become: true environment: PATH: "{{ansible_env.PATH}}:{{eg_install_path}}/bin" shell: cd {{repo_base}}/OpenSRF && make install - name: Set ownership of {{eg_install_path}} to opensrf + become: true file: dest="{{eg_install_path}}" owner=opensrf group=opensrf recurse=yes diff --git a/opensrf/setup.yml b/opensrf/setup.yml index 67ba956e7..131dc934f 100644 --- a/opensrf/setup.yml +++ b/opensrf/setup.yml @@ -1,15 +1,19 @@ - name: Install OpenSRF Pre-Prereqs + become: true apt: name=make state=present with_items: - make - git - name: Create opensrf user + become: true user: name: opensrf shell: /bin/bash # Environment changes added to ~/.bash_profile to ensure they are # loaded regardless of whether opensrf is used interactively. - name: Check export PATH for opensrf user profile + become: true + become_user: opensrf lineinfile: dest: /home/opensrf/.bash_profile create: yes 
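Review bot: `Create opensrf user` now runs under `become: true` from a play executing as `{{deploy_user}}`, and settings.yml sets `deploy_user: opensrf`, so in the default configuration the account this task creates must already exist, with sudo rights, before the play can start; that bootstrap requirement is not stated anywhere, and a comment above the task, `# With deploy_user == opensrf this is a no-op: the account must pre-exist with sudo`, would make it explicit. Unrelated to this change but in the same hunk, `Install OpenSRF Pre-Prereqs` combines `apt: name=make` with `with_items: [make, git]`, which installs make twice and never git; `name={{item}}` looks like the intent. The two `.bash_profile` tasks gaining `become_user: opensrf` is consistent with the file living in that user's home.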
@@ -19,16 +23,20 @@ regexp: '^export PATH=' line: 'export PATH="{{eg_install_path}}/bin:$PATH"' - name: Check LD_LIBRARY_PATH for opensrf user profile + become: true + become_user: opensrf lineinfile: dest: /home/opensrf/.bash_profile regexp: '^export LD_LIBRARY_PATH=' line: 'export LD_LIBRARY_PATH="{{eg_install_path}}/lib:/usr/local/lib:/usr/local/lib/dbd:$LD_LIBRARY_PATH"' - name: Check /etc/hosts file for public.{{domain_name}} + become: true lineinfile: dest: /etc/hosts regexp: '^127.0.1.2' line: '127.0.1.2 public.{{domain_name}}' - name: Check /etc/hosts file for private.{{domain_name}} + become: true lineinfile: dest: /etc/hosts regexp: '^127.0.1.3' diff --git a/opensrf/websockets.yml b/opensrf/websockets.yml index ac55a4c46..fa62dd72d 100644 --- a/opensrf/websockets.yml +++ b/opensrf/websockets.yml @@ -3,25 +3,29 @@ repo: "{{websockets_repository}}" dest: "/tmp/apache-websocket" - name: Install Websockets + become: true shell: cd /tmp/apache-websocket && apxs2 -i -a -c mod_websocket.c - name: register variable websocketsconf stat: path=/etc/apache2-websockets register: websocketsconf - block: - name: Create Websockets Instance + become: true shell: > sh /usr/share/doc/apache2/examples/setup-instance websockets && a2dismod websocket - name: Confirm websockets run user is opensrf + become: true lineinfile: state: present dest: /etc/apache2-websockets/envvars regexp: 'APACHE_RUN_USER' line: 'export APACHE_RUN_USER=opensrf' - name: Copy Example Websockets apache2.conf + become: true copy: src: "{{repo_base}}/OpenSRF/examples/apache_24/websockets/apache2.conf" dest: /etc/apache2-websockets/apache2.conf when: websocketsconf.stat.isdir is not defined -# NOTE: restarting websockets here fails because the SSL cert is not yet in place +# NOTE: restarting websockets here fails because the SSL cert is not yet in place diff --git a/playbook.yml b/playbook.yml index c884e5f79..ee72ef3d3 100644 --- a/playbook.yml +++ b/playbook.yml 
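Review bot: `Install Websockets` now runs `apxs2 -i -a -c mod_websocket.c` under `become: true` from the clone in `/tmp/apache-websocket` (the `dest:` two lines above), so root compiles and installs an Apache module out of a world-writable directory whose contents are not verified between the clone and this task. Compiling is the part that needs no privilege: run `apxs2 -c mod_websocket.c` as the login user first and only the install step, `apxs2 -i -a` on the built module, under become — or clone into a directory owned by `{{deploy_user}}` such as `{{repo_base}}`. The `register variable websocketsconf` stat task correctly stays unprivileged.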
@@ -4,7 +4,7 @@ - hosts: '{{hosts}}' connection: local # Every command not explicitly run by opensrf/postgres requires root. - remote_user: root + remote_user: '{{deploy_user}}' become_method: sudo vars_files: - settings.yml diff --git a/settings.yml b/settings.yml index 74e74f371..cc2cc6949 100644 --- a/settings.yml +++ b/settings.yml @@ -1,5 +1,6 @@ --- hosts: '127.0.0.1' +deploy_user: opensrf repo_base: /home/opensrf os_build_target: ubuntu-xenial osrf_git_repository: git://git.evergreen-ils.org/OpenSRF.git
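Review bot: The comment kept directly above the changed line, `# Every command not explicitly run by opensrf/postgres requires root.`, is now stale: with `remote_user: '{{deploy_user}}'` tasks run unprivileged unless they carry `become: true`, which is the point of this commit, so it should read something like `# Tasks run as deploy_user; anything needing root sets become: true.` Note also that `connection: local` two lines up means Ansible does not log in at all — the play executes as whoever runs ansible-playbook — so `remote_user` likely has no effect here and `deploy_user` (added in settings.yml as `opensrf`) mainly governs file ownership; if that is the intent, say so next to the variable. Using the `opensrf` service account as the sudo-capable deploy user means the account Apache and OpenSRF run as (`Change run-user for apache to opensrf` in apache.yml) also holds root via sudo, which deserves a deliberate decision rather than a default.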