Commit ef57e8e7 authored by Dennis Ahrens's avatar Dennis Ahrens

Fix #1 by using root to deploy code.

It removes the deployer user completely using Salt's user.absent
and group.absent states while changing the whole permissions to
fit root.
It should be safe to run this directly on existing deployments.
Tested locally with simple CLI and nginx/uwsgi setups.
parent 17dc1d42
...@@ -4,7 +4,7 @@ Deploy code! ...@@ -4,7 +4,7 @@ Deploy code!
## users ## users
The deployment runs as the user `deployer`, which has access to e.g. gitlab. The deployment runs as `root`, which has access to e.g. gitlab.
The formula is organized in projects. The formula is organized in projects.
```yaml ```yaml
...@@ -13,7 +13,7 @@ deploy: ...@@ -13,7 +13,7 @@ deploy:
project_name: {} project_name: {}
``` ```
For each project an additional user with the name `project_name` gets created, which is a member of the group `deployer`. For each project an additional user with the name `project_name` gets created.
This user should be used to run daemons. This user should be used to run daemons.
## states ## states
...@@ -147,7 +147,7 @@ The environment creation runs in the context of the project user. ...@@ -147,7 +147,7 @@ The environment creation runs in the context of the project user.
#### `deploy.projects.[...].user_groups` #### `deploy.projects.[...].user_groups`
Each project receives a user that should be used to run the project (if it is runnable somehow...). Each project receives a user that should be used to run the project (if it is runnable somehow...).
By default this user is member of the groups: `deployer`, `[project_name]` and `virtualenv`. By default this user is member of the groups: `[project_name]` and `virtualenv`.
With `user_groups` you can define additional groups the user should belojng to. With `user_groups` you can define additional groups the user should belojng to.
This is especially interesting for access to cert data. This is especially interesting for access to cert data.
If your run user needs to read a cert, you might add him into the corresponding group. If your run user needs to read a cert, you might add him into the corresponding group.
......
...@@ -3,20 +3,16 @@ ...@@ -3,20 +3,16 @@
deploy_static_directory: deploy_static_directory:
file.directory: file.directory:
- name: {{ deploy.config.static_directory }} - name: {{ deploy.config.static_directory }}
- user: deployer - user: root
- group: www-data - group: www-data
- mode: 2770 - mode: 2775
- require:
- user: deployer
deploy_sqlite_directory: deploy_sqlite_directory:
file.directory: file.directory:
- name: {{ deploy.config.sqlite_directory }} - name: {{ deploy.config.sqlite_directory }}
- user: deployer - user: root
- group: deployer - group: root
- mode: 2770 - mode: 2775
- require:
- user: deployer
{% for project_name, project_config in deploy.projects.items() if project_config.get('django', False) %} {% for project_name, project_config in deploy.projects.items() if project_config.get('django', False) %}
{% set dj_config = project_config.django %} {% set dj_config = project_config.django %}
...@@ -28,7 +24,7 @@ deploy_django_{{ project_name }}_settings: ...@@ -28,7 +24,7 @@ deploy_django_{{ project_name }}_settings:
- source: salt://deploy/tpl/django_settings.py - source: salt://deploy/tpl/django_settings.py
- template: jinja - template: jinja
- mode: 640 - mode: 640
- user: deployer - user: root
- group: {{ project_name }} - group: {{ project_name }}
- context: {{ dj_config|json }} - context: {{ dj_config|json }}
...@@ -44,7 +40,7 @@ deploy_django_{{ project_name }}_migrate: ...@@ -44,7 +40,7 @@ deploy_django_{{ project_name }}_migrate:
- runas: {{ project_name }} - runas: {{ project_name }}
- require: - require:
- file: deploy_django_{{ project_name }}_settings - file: deploy_django_{{ project_name }}_settings
- require_in: - require:
- cmd: fix_sqlite3_permissions - cmd: fix_sqlite3_permissions
{% endif %} {% endif %}
......
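Review bot: `deploy_sqlite_directory` in the `@@ -3,20 +3,16 @@` hunk becomes `root:root` with mode `2775`, while the migrate state in `@@ -44,7 +40,7 @@` still runs with `- runas: {{ project_name }}`; with the `deployer` group gone that user has only `r-x` on the directory and cannot create or write the SQLite file there unless `fix_sqlite3_permissions` (outside this hunk) re-owns it first. The `o+rx` bits also let every local account traverse and list the database directory, which the previous `2770` prevented. Consider `- group: {{ project_name }}` with `- mode: 2770` where one project owns the directory, or keep `2770` and grant access through a dedicated group rather than to everyone. Separately, replacing `require_in:` with a second `require:` entry for `cmd: fix_sqlite3_permissions` reverses the ordering (the permission fix now runs before migrate creates the database) and duplicates the `require` key within one state; if the reversal is unintended, keep `- require_in:` and the single existing `require` list.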
...@@ -12,13 +12,9 @@ deploy_packages: ...@@ -12,13 +12,9 @@ deploy_packages:
deploy_target_directory_exists: deploy_target_directory_exists:
file.directory: file.directory:
- name: {{ deploy.config.deploy_directory }} - name: {{ deploy.config.deploy_directory }}
- user: deployer - user: root
- group: deployer - group: root
- mode: 0770 - mode: 0755
- require:
- user: deployer
- group: deployer
{% for project_name, project_config in deploy.projects.items() if project_config.get('gitlab', False) %} {% for project_name, project_config in deploy.projects.items() if project_config.get('gitlab', False) %}
{% set repo_config = project_config.gitlab %} {% set repo_config = project_config.gitlab %}
...@@ -27,7 +23,7 @@ deploy_{{ project_name }}_clone_git: ...@@ -27,7 +23,7 @@ deploy_{{ project_name }}_clone_git:
git.latest: git.latest:
- name: {{ repo_config.url }} - name: {{ repo_config.url }}
- rev: {{ repo_config.rev }} - rev: {{ repo_config.rev }}
- user: deployer - user: root
- force_fetch: true - force_fetch: true
- force_reset: true # ignore local repos changed! - force_reset: true # ignore local repos changed!
- target: {{ project_config.path }} - target: {{ project_config.path }}
...@@ -37,7 +33,7 @@ deploy_{{ project_name }}_clone_git: ...@@ -37,7 +33,7 @@ deploy_{{ project_name }}_clone_git:
deploy_{{ project_name }}_clone_directory_permissions: deploy_{{ project_name }}_clone_directory_permissions:
file.directory: file.directory:
- name: {{ project_config.path }} - name: {{ project_config.path }}
- user: deployer - user: root
- group: {{ project_name }} - group: {{ project_name }}
{% if repo_config.get('keep_chmod_from_repo', False) %} {% if repo_config.get('keep_chmod_from_repo', False) %}
{% else %} {% else %}
...@@ -50,7 +46,6 @@ deploy_{{ project_name }}_clone_directory_permissions: ...@@ -50,7 +46,6 @@ deploy_{{ project_name }}_clone_directory_permissions:
- mode - mode
- require: - require:
- git: deploy_{{ project_name }}_clone_git - git: deploy_{{ project_name }}_clone_git
- sls: deploy.user
{% if repo_config.get('after_clone_command', False) %} {% if repo_config.get('after_clone_command', False) %}
deploy_{{ project_name }}_run_after_clone_command: deploy_{{ project_name }}_run_after_clone_command:
......
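Review bot: `deploy_{{ project_name }}_clone_directory_permissions` still sets `- group: {{ project_name }}` (`@@ -37,7 +33,7 @@`), but the `- sls: deploy.user` requisite that ordered the creation of that group before this state was dropped in `@@ -50,7 +46,6 @@`. Unless `deploy.user` is ordered earlier by another include or requisite, a first run on a fresh host may reference a group that does not exist yet and fail the state. Keep `- sls: deploy.user` in the `require` list, or make the dependency explicit with `- user: {{ project_name }}`, which is the state ID the user file declares for each project. The remaining arguments of this state and the `after_clone_command` block continue outside the hunk.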
{% from "deploy/map.jinja" import deploy with context %} {% from "deploy/map.jinja" import deploy with context %}
deployer: deployer:
group.present: user.absent: []
- system: True group.absent: []
user.present:
- groups:
- deployer
/home/deployer/.ssh/known_hosts: /root/.ssh/known_hosts:
file.managed: file.managed:
- source: salt://deploy/tpl/ssh/known_hosts - source: salt://deploy/tpl/ssh/known_hosts
- user: deployer - user: root
- group: deployer - group: root
- makedirs: True - makedirs: True
- require:
- user: deployer
/home/deployer/.ssh/config: /root/.ssh/config:
file.managed: file.managed:
- source: salt://deploy/tpl/ssh/config - source: salt://deploy/tpl/ssh/config
- user: deployer - user: root
- group: deployer - group: root
- makedirs: True - makedirs: True
- require:
- user: deployer
deploy_key: deploy_key:
file.managed: file.managed:
- name: /home/deployer/.ssh/deploy_key - name: /root/.ssh/deploy_key
- contents_pillar: deploy:config:key - contents_pillar: deploy:config:key
- mode: 600 - mode: 600
- user: deployer - user: root
- group: deployer - group: root
- makedirs: True - makedirs: True
{% for project_name, project_config in deploy.projects.items() %} {% for project_name, project_config in deploy.projects.items() %}
{% set config_user_groups = project_config.get('user_groups', []) %} {% set config_user_groups = project_config.get('user_groups', []) %}
{% set default_user_groups = [project_name, 'deployer'] %} {% set default_user_groups = [project_name] %}
{% set user_groups = config_user_groups + default_user_groups %} {% set user_groups = config_user_groups + default_user_groups %}
{{ project_name }}: {{ project_name }}:
......
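Review bot: `user.absent: []` on the `deployer` ID removes the account but not its home directory, so `/home/deployer/.ssh/deploy_key` — the private key the previous version of `deploy_key` wrote there — stays on disk owned by a now-unassigned UID, together with the old `known_hosts` and `config`. Add `- purge: True` to `user.absent` so the home directory is deleted with the account, and `- force: True` so removal succeeds on existing deployments where a process such as uwsgi may still be running as `deployer`. Listing `user.absent` before `group.absent` looks correct, since on Linux the primary group of an existing user cannot be removed first; worth a comment so nobody reorders them, `# user.absent must precede group.absent: the user's primary group cannot be removed first`.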
...@@ -20,11 +20,10 @@ deploy_provision_virtualenv_group_with_members: ...@@ -20,11 +20,10 @@ deploy_provision_virtualenv_group_with_members:
deploy_venv_directory: deploy_venv_directory:
file.directory: file.directory:
- name: {{ deploy.config.venv_directory }} - name: {{ deploy.config.venv_directory }}
- user: deployer - user: root
- group: virtualenv - group: virtualenv
- mode: 2770 - mode: 2770
- require: - require:
- user: deployer
- group: virtualenv - group: virtualenv
{% for project_name, project_config in deploy.projects.items() if project_config.get('venv', False) %} {% for project_name, project_config in deploy.projects.items() if project_config.get('venv', False) %}
...@@ -34,7 +33,7 @@ create_{{ project_name }}_venv: ...@@ -34,7 +33,7 @@ create_{{ project_name }}_venv:
cmd.run: cmd.run:
- name: python3 -m venv {{ venv_config.path }} - name: python3 -m venv {{ venv_config.path }}
- onlyif: test ! -e {{ venv_config.path }} - onlyif: test ! -e {{ venv_config.path }}
- runas: deployer - runas: root
- require: - require:
- file: deploy_venv_directory - file: deploy_venv_directory
- pkg: deploy_venv_pkgs - pkg: deploy_venv_pkgs
...@@ -42,7 +41,7 @@ create_{{ project_name }}_venv: ...@@ -42,7 +41,7 @@ create_{{ project_name }}_venv:
upgrade_pip_in_{{ project_name }}_venv: upgrade_pip_in_{{ project_name }}_venv:
cmd.run: cmd.run:
- name: {{ venv_config.path }}/bin/pip install --upgrade pip - name: {{ venv_config.path }}/bin/pip install --upgrade pip
- runas: deployer - runas: root
- env: - env:
LANG: en_US.UTF-8 LANG: en_US.UTF-8
LC_CTYPE: en_US.UTF-8 LC_CTYPE: en_US.UTF-8
...@@ -55,7 +54,7 @@ upgrade_pip_in_{{ project_name }}_venv: ...@@ -55,7 +54,7 @@ upgrade_pip_in_{{ project_name }}_venv:
install_requirements_in_{{ project_name }}_venv: install_requirements_in_{{ project_name }}_venv:
cmd.run: cmd.run:
- name: {{ venv_config.path }}/bin/pip install --upgrade -r {{ venv_config.requirements }} - name: {{ venv_config.path }}/bin/pip install --upgrade -r {{ venv_config.requirements }}
- runas: deployer - runas: root
- env: - env:
LANG: en_US.UTF-8 LANG: en_US.UTF-8
LC_CTYPE: en_US.UTF-8 LC_CTYPE: en_US.UTF-8
......
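Review bot: `pip install --upgrade pip` and `pip install --upgrade -r ...` now run with `- runas: root` (`@@ -42,7 +41,7 @@` and `@@ -55,7 +54,7 @@`); pip executes the build steps of every package listed in the requirements file, so a malicious or compromised dependency now runs with root privileges instead of under the unprivileged account used before. The README change in this commit keeps the project user in the `virtualenv` group and `deploy_venv_directory` stays group `virtualenv` with mode `2770`, so `- runas: {{ project_name }}` on `create_{{ project_name }}_venv` and on both pip states would keep installation unprivileged while the directory remains writable through the group. If root ownership of the venv is intentional, state the reason in a comment above the `runas` line so the privilege level is not reverted by accident.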