Merge lp:~cjwatson/charms/trusty/turnip/separate-code-owner into lp:~canonical-launchpad-branches/charms/trusty/turnip/devel

Proposed by Colin Watson
Status: Merged
Approved by: Colin Watson
Approved revision: 32
Merged at revision: 32
Proposed branch: lp:~cjwatson/charms/trusty/turnip/separate-code-owner
Merge into: lp:~canonical-launchpad-branches/charms/trusty/turnip/devel
Diff against target: 109 lines (+31/-8)
3 files modified
config.yaml (+8/-0)
hooks/actions.py (+15/-4)
hooks/services.py (+8/-4)
To merge this branch: bzr merge lp:~cjwatson/charms/trusty/turnip/separate-code-owner
Reviewer Review Type Date Requested Status
Kit Randel (community) code Approve
Review via email: mp+251451@code.launchpad.net

Commit message

Make the code be owned by a different user and group than runs the service.

Description of the change

Make the code owned by a different user and group from the ones that run the service.

This is required by Canonical IS policies for prodstack (https://wiki.canonical.com/InformationInfrastructure/IS/Policies/Prodstack#Separate_Users_for_Code_Owner_and_Code_Runner), and is a good idea anyway.

Kit Randel (blr) wrote :

Well spotted Colin thanks, that is a sensible policy.

review: Approve (code)


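--- a/config.yaml
+++ b/config.yaml
@@ -57,6 +57,14 @@
     type: string
     default: '/srv/turnip'
     description: Root checkout/srv directory.
+  code_user:
+    type: string
+    default: webops_deploy
+    description: The service's code will be owned by this user.
+  code_group:
+    type: string
+    default: webops_deploy
+    description: The service's code will be owned by this group.
   user:
     type: string
     default: turnip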
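--- a/hooks/actions.py
+++ b/hooks/actions.py
@@ -1,4 +1,6 @@
+import grp
 import os
+import pwd
 import subprocess
 
 from charmhelpers import fetch
@@ -15,6 +17,8 @@
 REQUIRED_PACKAGES = ['python-virtualenv', 'python-dev', 'python-pygit2']
 APP = config['app_name']
 SRV_DIR = config['srv_dir']
+CODE_USER = config['code_user']
+CODE_GROUP = config['code_group']
 USER = config['user']
 GROUP = config['group']
 
@@ -31,13 +35,17 @@
     log_dir = config['log_dir']
     deploymgr_dir = os.path.join(os.sep, 'srv', 'deploymgr')
 
-    dirs = [data_dir, deploymgr_dir, log_dir, SRV_DIR]
-    for dir in dirs:
+    for dir in (deploymgr_dir, SRV_DIR):
+        host.mkdir(dir, owner=CODE_USER, group=CODE_GROUP, perms=0o775)
+    for dir in (data_dir, log_dir):
         host.mkdir(dir, owner=USER, group=GROUP, perms=0o775)
 
 
 def create_users(service_name):
-    hookenv.log('Creating user and group for %s.' % service_name)
+    hookenv.log('Creating users and groups for %s.' % service_name)
+    code_password = host.pwgen()
+    host.adduser(CODE_USER, code_password)
+    host.add_user_to_group(CODE_USER, CODE_GROUP)
     password = host.pwgen()
     host.adduser(USER, password)
     host.add_user_to_group(USER, GROUP)
@@ -56,7 +64,10 @@
 
     # Unpack source
     archive.extract_tarfile(archive_path, os.path.join(SRV_DIR))
-    host.chownr(os.path.dirname(SRV_DIR), USER, GROUP)
+    os.chown(
+        SRV_DIR,
+        pwd.getpwnam(CODE_USER).pw_uid, grp.getgrnam(CODE_GROUP).gr_gid)
+    host.lchownr(SRV_DIR, CODE_USER, CODE_GROUP)
 
 
 def install_packages(service_name):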
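Review bot: The two code directories created in the third hunk with `host.mkdir(dir, owner=CODE_USER, group=CODE_GROUP, perms=0o775)` are group-writable, so the owner/runner separation this branch introduces only holds as long as the service user (`USER`) is never added to `CODE_GROUP`; the charm sets that up correctly for the defaults but does not enforce it. Nothing shown here writes to `SRV_DIR` or the deploymgr directory as the group, so `perms=0o755` for those two directories would make the policy hold regardless of group membership, while `data_dir` and `log_dir` can stay at 0o775. The same consideration applies to the last hunk: `host.lchownr(SRV_DIR, CODE_USER, CODE_GROUP)` changes ownership but presumably not mode, so the mode bits that came out of the tarball decide whether the runner can modify the extracted code — a comment such as `# Code must stay read-only for USER; keep USER out of CODE_GROUP` on the ownership lines would record the invariant. The functions holding the third and fourth hunks start outside them.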
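--- a/hooks/services.py
+++ b/hooks/services.py
@@ -10,7 +10,8 @@
     return helpers.render_template(
         source='envs/{}.j2'.format(name),
         target='{}/{}'.format(config['env_dir'], name),
-        owner=config['user'])
+        owner=config['code_user'],
+        group=config['code_group'])
 
 
 def manage():
@@ -29,17 +30,20 @@
         helpers.render_template(
             source='turnip.conf.j2',
             target='/etc/init/turnip.conf',
-            owner=config['user'],
+            owner=config['code_user'],
+            group=config['code_group'],
             perms=0o644),
         helpers.render_template(
             source='turnip-api.conf.j2',
             target='/etc/init/turnip-api.conf',
-            owner=config['user'],
+            owner=config['code_user'],
+            group=config['code_group'],
             perms=0o644),
         helpers.render_template(
             source='turnip-app.j2',
             target='/srv/deploymgr/turnip-app',
-            owner=config['user'],
+            owner=config['code_user'],
+            group=config['code_group'],
             perms=0o755),
         render_env_template(config, 'REPO_STORE'),
         render_env_template(config, 'TURNIP_LOG_DIR'),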
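Review bot: `render_env_template` in the first hunk now passes `owner=config['code_user']` and `group=config['code_group']` but, unlike the three `helpers.render_template` calls in the second hunk, no `perms`, so the mode of the rendered env files falls to `helpers.render_template`'s default, which is not visible here. The service runs as `config['user']`, which after this change is neither owner nor (by policy) a member of the owning group, so those files have to be world-readable for the service to start at all; an explicit `perms=0o644` argument, mirroring the other calls, would make that requirement visible and flag it for review if the env files ever carry secrets. The `manage()` body holding the second hunk starts and ends outside it.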
