Fix non-ssl, abilliy to customize templates, and run with less privileges (but call r10k/mco via sudo) #170
Conversation
If enable_ssl is false, the script still tries to read the public/private_key_path, and completely fails if the files are missing or invalid. This fixes the script to NOT pass those parameters (or try to read the files) unless enable_ssl is true. Signed-off-by: Robin H. Johnson <robbat2@gentoo.org>
Signed-off-by: Robin H. Johnson <robbat2@gentoo.org>
It should be possible to run the webhook as an unprivileged user (eg nobody) and only invoke r10k/mco via sudo. sudoers examples: nobody ALL=(root) NOPASSWD: r10k deploy environment *, r10k deploy module * nobody ALL=(peadmin) NOPASSWD: mco r10k deploy *, mco r10k deploy_module * Signed-off-by: Robin H. Johnson <robbat2@gentoo.org>
| @@ -152,10 +156,10 @@ class Server < Sinatra::Base | |||
| end | |||
| else | |||
| if $config['use_mcollective'] | |||
| command = "mco r10k deploy #{branch} >> #{$config['mco_logfile']} 2>&1 &" | |||
| command = "#{$command_prefix} mco r10k deploy #{branch} >> #{$config['mco_logfile']} 2>&1 &" | |||
There was a problem hiding this comment.
I am not super clear on why this is needed if you are running the script as the user, is the user case that you want to run the script as say root and then run r10k as non-root?
There was a problem hiding this comment.
I'm running webhook as non-root and sudoing to root for r10k. I modified all of the command calls for doing that. In the case of MCO, they'd run the webhook as nobody and sudo to puppet/peadmin for mco.
There was a problem hiding this comment.
After the template pull is in, I've got another branch ready for the Gentoo init script.
https://github.com/robbat2/r10k/commit/4dcba8212ead2fe3c829867e1fd8ecc6ce662c1f
Fix non-ssl, abilliy to customize templates, and run with less privileges (but call r10k/mco via sudo)
|
The trailing commas accidentally added in the new block broke the webhook. There is a fix in my other PR. |
No description provided.