authorAndy Doan <andy.doan@linaro.org>2016-09-05 10:42:00 -0500
committerAndy Doan <andy.doan@linaro.org>2016-09-05 10:42:00 -0500
commite35a4b1c636830676fb4fe86d1d180ead705ae60 (patch)
tree7479fd72038aa7bbd1f28c0ad9845df444ab629b /per-service
parent6d31f332bb97682b2fd217d05ce0bddfa3918212 (diff)
downloadansible-playbooks-e35a4b1c636830676fb4fe86d1d180ead705ae60.tar.gz
Revert "git: remove use of suexec"
This reverts commit 2714daa7b1b3e89af209a66375e13c1a002d59b0. We can't run efficiently w/o suexec. dev-private-git needs to call gitolite as "git" in order to see what repos a user can read. All the additional calls to sudo make the service unusable.
Diffstat (limited to 'per-service')
-rw-r--r--per-service/git-servers/files/dev-private-git.linaro.org.conf3
-rw-r--r--per-service/git-servers/files/dev-private-review.linaro.org.conf3
-rw-r--r--per-service/git-servers/files/git-ara-mdk.linaro.org.conf3
-rw-r--r--per-service/git-servers/files/git.linaro.org.conf3
-rw-r--r--per-service/git-servers/files/lhg-review.linaro.org.conf3
-rw-r--r--per-service/git-servers/files/projectara-git.linaro.org.conf3
-rw-r--r--per-service/git-servers/files/projectara-review.linaro.org.conf3
-rw-r--r--per-service/git-servers/roles/apache-conf/tasks/main.yml10
-rw-r--r--per-service/git-servers/roles/apache-website/tasks/main.yml19
-rw-r--r--per-service/git-servers/roles/apache-website/templates/git-http-backend.cgi1
-rw-r--r--per-service/git-servers/roles/apache-website/templates/gitweb.cgi1
-rw-r--r--per-service/git-servers/roles/apache-website/templates/sudoers_gitweb2
-rw-r--r--per-service/git-servers/roles/gitweb/templates/gitweb.conf18
-rw-r--r--per-service/git-servers/roles/install-deps/tasks/main.yml11
14 files changed, 70 insertions, 13 deletions
diff --git a/per-service/git-servers/files/dev-private-git.linaro.org.conf b/per-service/git-servers/files/dev-private-git.linaro.org.conf
index b32b288..1a220ee 100644
--- a/per-service/git-servers/files/dev-private-git.linaro.org.conf
+++ b/per-service/git-servers/files/dev-private-git.linaro.org.conf
@@ -2,6 +2,9 @@
ServerSignature Off
ServerTokens Prod
+Suexec On
+SuexecUserGroup {{ git_user }} {{ git_user }}
+
LDAPCacheEntries 2048
LDAPCacheTTL 36000
LDAPOpCacheEntries 1024
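Review bot: `SuexecUserGroup {{ git_user }} {{ git_user }}` is placed at server scope, ahead of the `<VirtualHost>` blocks, here and identically in the other six .conf files in this commit (dev-private-review, git-ara-mdk, git.linaro.org, lhg-review, projectara-git, projectara-review). The directive is documented with virtual-host context, so setting it inside the vhosts that serve the git CGI wrappers would confine the user switch to those vhosts instead of every CGI the server executes; if the global placement is deliberate, a comment such as `# every CGI on this host runs as git_user via suexec` would record that. The seven identical three-line blocks are also a candidate for one included snippet so they cannot drift apart.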
diff --git a/per-service/git-servers/files/dev-private-review.linaro.org.conf b/per-service/git-servers/files/dev-private-review.linaro.org.conf
index f3ae95a..ca58687 100644
--- a/per-service/git-servers/files/dev-private-review.linaro.org.conf
+++ b/per-service/git-servers/files/dev-private-review.linaro.org.conf
@@ -2,6 +2,9 @@
ServerSignature Off
ServerTokens Prod
+Suexec On
+SuexecUserGroup {{ git_user }} {{ git_user }}
+
LDAPCacheEntries 2048
LDAPCacheTTL 36000
LDAPOpCacheEntries 1024
diff --git a/per-service/git-servers/files/git-ara-mdk.linaro.org.conf b/per-service/git-servers/files/git-ara-mdk.linaro.org.conf
index dc30543..a9200ab 100644
--- a/per-service/git-servers/files/git-ara-mdk.linaro.org.conf
+++ b/per-service/git-servers/files/git-ara-mdk.linaro.org.conf
@@ -2,6 +2,9 @@
ServerSignature Off
ServerTokens Prod
+Suexec On
+SuexecUserGroup {{ git_user }} {{ git_user }}
+
<VirtualHost *:80>
ServerName {{ git_host }}
ServerAdmin webmaster@linaro.org
diff --git a/per-service/git-servers/files/git.linaro.org.conf b/per-service/git-servers/files/git.linaro.org.conf
index 28979e5..2f3d843 100644
--- a/per-service/git-servers/files/git.linaro.org.conf
+++ b/per-service/git-servers/files/git.linaro.org.conf
@@ -2,6 +2,9 @@
ServerSignature Off
ServerTokens Prod
+Suexec On
+SuexecUserGroup {{ git_user }} {{ git_user }}
+
<VirtualHost *:80>
ServerName {{ git_host }}
ServerAlias {{ inventory_hostname }}
diff --git a/per-service/git-servers/files/lhg-review.linaro.org.conf b/per-service/git-servers/files/lhg-review.linaro.org.conf
index 8f30f2b..5a80a38 100644
--- a/per-service/git-servers/files/lhg-review.linaro.org.conf
+++ b/per-service/git-servers/files/lhg-review.linaro.org.conf
@@ -2,6 +2,9 @@
ServerSignature Off
ServerTokens Prod
+Suexec On
+SuexecUserGroup {{ git_user }} {{ git_user }}
+
LDAPCacheEntries 1024
LDAPCacheTTL 36000
LDAPOpCacheEntries 1024
diff --git a/per-service/git-servers/files/projectara-git.linaro.org.conf b/per-service/git-servers/files/projectara-git.linaro.org.conf
index 6cb7d2e..6793c89 100644
--- a/per-service/git-servers/files/projectara-git.linaro.org.conf
+++ b/per-service/git-servers/files/projectara-git.linaro.org.conf
@@ -2,6 +2,9 @@
ServerSignature Off
ServerTokens Prod
+Suexec On
+SuexecUserGroup {{ git_user }} {{ git_user }}
+
LDAPCacheEntries 1024
LDAPCacheTTL 36000
LDAPOpCacheEntries 1024
diff --git a/per-service/git-servers/files/projectara-review.linaro.org.conf b/per-service/git-servers/files/projectara-review.linaro.org.conf
index 90161aa..94b0984 100644
--- a/per-service/git-servers/files/projectara-review.linaro.org.conf
+++ b/per-service/git-servers/files/projectara-review.linaro.org.conf
@@ -2,6 +2,9 @@
ServerSignature Off
ServerTokens Prod
+Suexec On
+SuexecUserGroup {{ git_user }} {{ git_user }}
+
LDAPCacheEntries 1024
LDAPCacheTTL 36000
LDAPOpCacheEntries 1024
diff --git a/per-service/git-servers/roles/apache-conf/tasks/main.yml b/per-service/git-servers/roles/apache-conf/tasks/main.yml
index 2831406..cfc1ac9 100644
--- a/per-service/git-servers/roles/apache-conf/tasks/main.yml
+++ b/per-service/git-servers/roles/apache-conf/tasks/main.yml
@@ -14,6 +14,16 @@
- install
- apache-conf
+- name: Enable git-main Apache modules
+ apache2_module: name={{ item }}
+ with_items:
+ - suexec
+ notify: restart-apache
+ when: hosttype in ["git-main", "git-slave"]
+ tags:
+ - install
+ - apache-conf
+
- name: Enable git-android Apache modules
apache2_module: name={{ item }}
with_items:
diff --git a/per-service/git-servers/roles/apache-website/tasks/main.yml b/per-service/git-servers/roles/apache-website/tasks/main.yml
index 2dacffe..680e4cb 100644
--- a/per-service/git-servers/roles/apache-website/tasks/main.yml
+++ b/per-service/git-servers/roles/apache-website/tasks/main.yml
@@ -2,19 +2,25 @@
- name: Create Apache root dir
file: state=directory
+ group={{ git_user }}
+ owner={{ git_user }}
+ mode=0755
path={{ apache_root }}/{{ git_host }}
- group=root owner=root mode=0755
-- name: Install Apache git-http-backend script
+- name: Install Apache git-http-backend suexec script
template: src=git-http-backend.cgi
dest={{ apache_root }}/{{ git_host }}/git-http-backend.cgi
- owner=root group=root mode=0550
+ owner={{ git_user }}
+ group={{ git_user }}
+ mode=0550
when: hosttype in ["git-main", "git-slave"] and server_access == "public"
-- name: Install Apache gitweb script
+- name: Install Apache gitweb suexec script
template: src=gitweb.cgi
dest={{ apache_root }}/{{ git_host }}/gitweb.cgi
- owner=root group=root mode=0550
+ owner={{ git_user }}
+ group={{ git_user }}
+ mode=0550
when: hosttype in ["git-main", "git-slave"]
- name: Copy robots.txt file
@@ -27,6 +33,3 @@
- name: Apply caching patch to gitweb
patch: src=gitweb.diff dest=/usr/share/gitweb/gitweb.cgi backup=yes
when: hosttype in ["git-main", "git-slave"] and server_access == "public"
-
-- name: Add sudoers entry for gitolite-can-read
- template: src=sudoers_gitweb dest=/etc/sudoers.d/gitweb mode=0440
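Review bot: Dropping the "Add sudoers entry for gitolite-can-read" task stops new hosts from getting `/etc/sudoers.d/gitweb`, but hosts that were provisioned with it keep the `www-data ALL=NOPASSWD:` rule that the gitweb.conf change no longer needs. A removal task keeps the privilege surface in step with the code, e.g. `- name: Remove obsolete sudoers entry for gitolite-can-read` / `  file: path=/etc/sudoers.d/gitweb state=absent`, guarded by the same `when:` as the gitweb script task. The surrounding task list continues outside the hunk.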
diff --git a/per-service/git-servers/roles/apache-website/templates/git-http-backend.cgi b/per-service/git-servers/roles/apache-website/templates/git-http-backend.cgi
index 7480307..b84afb5 100644
--- a/per-service/git-servers/roles/apache-website/templates/git-http-backend.cgi
+++ b/per-service/git-servers/roles/apache-website/templates/git-http-backend.cgi
@@ -1,5 +1,6 @@
#!/bin/sh
# {{ MANAGED_HEADER }}
+# suexec wrapper for git-http-backend
export GIT_PROJECT_ROOT={{ repo_root }}
{% if server_access == "public" %}
diff --git a/per-service/git-servers/roles/apache-website/templates/gitweb.cgi b/per-service/git-servers/roles/apache-website/templates/gitweb.cgi
index e102ae2..b109411 100644
--- a/per-service/git-servers/roles/apache-website/templates/gitweb.cgi
+++ b/per-service/git-servers/roles/apache-website/templates/gitweb.cgi
@@ -1,5 +1,6 @@
#!/bin/sh
# {{ MANAGED_HEADER }}
+# suexec wrapper for gitweb.cgi
export GIT_PROJECT_ROOT={{ repo_root }}
{% if server_access == "public" %}
diff --git a/per-service/git-servers/roles/apache-website/templates/sudoers_gitweb b/per-service/git-servers/roles/apache-website/templates/sudoers_gitweb
deleted file mode 100644
index cbd4fe6..0000000
--- a/per-service/git-servers/roles/apache-website/templates/sudoers_gitweb
+++ /dev/null
@@ -1,2 +0,0 @@
-# MANAGED BY ANSIBLE
-www-data ALL=NOPASSWD: {{tools_checkout_dir}}/linaro-git-tools/gitolite-tools/gitolite-can-read
diff --git a/per-service/git-servers/roles/gitweb/templates/gitweb.conf b/per-service/git-servers/roles/gitweb/templates/gitweb.conf
index 69eaeab..2326d2f 100644
--- a/per-service/git-servers/roles/gitweb/templates/gitweb.conf
+++ b/per-service/git-servers/roles/gitweb/templates/gitweb.conf
@@ -51,16 +51,28 @@ $omit_owner = 1;
$projects_list_description_width = 100;
{% if server_access == "private" %}
-# Get the user name. If nothing found, default to "gitweb", so make sure
+BEGIN {
+ $ENV{HOME} = "/home/{{ git_user }}";
+ $ENV{GL_BINDIR} = "/home/{{ git_user }}/gitolite/src";
+ $ENV{GL_LIBDIR} = "/home/{{ git_user }}/gitolite/src/lib";
+};
+# Pull in gitolite's perl API module. Among other things, this also sets the
+# GL_REPO_BASE environment variable.
+use lib $ENV{GL_LIBDIR};
+use Gitolite::Easy;
+
+# Now get the user name. If nothing found, default to "gitweb", so make sure
# gitweb does not have access to sensible data.
my ($user_name, $rest) = split('; ', $cgi->remote_user, 2);
-$user_name = $user_name || "gitweb";
+$ENV{GL_USER} = $user_name || "gitweb";
$export_auth_hook = sub {
my $repo = shift;
# gitweb passes us the full repo path; we need to strip the beginning and
# the end to get the repo name as it is specified in gitolite conf
return unless $repo =~ s/^\Q$projectroot\E\/?(.+)\.git$/$1/;
- return 0 == system("sudo", "-u", "git", "/srv/linaro-git-tools/gitolite-tools/gitolite-can-read", $user_name, $repo);
+
+ # call Easy.pm's 'can_read' function
+ return can_read($repo);
};
{% endif %}
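Review bot: The `BEGIN { ... }` block that sets `$ENV{GL_BINDIR}` and `$ENV{GL_LIBDIR}` is order-sensitive and undocumented: the following `use lib $ENV{GL_LIBDIR};` is resolved at compile time, so the assignments only take effect because they are wrapped in `BEGIN`, and a later maintainer moving them into a plain statement would silently break the `use`. A comment above the block such as `# BEGIN so these are set before 'use lib $ENV{GL_LIBDIR}' below is compiled` would capture that. The fallback `$ENV{GL_USER} = $user_name || "gitweb";` also turns "gitweb" into a gitolite principal whose read rights are whatever gitolite.conf grants it, so the "no access to sensitive data" property now rests on the gitolite config rather than on this file; noting that next to the assignment, e.g. `# "gitweb" must not be granted R on any repo in gitolite.conf`, makes the dependency visible. The three `/home/{{ git_user }}/...` paths are hard-coded where a single variable would avoid repetition.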
diff --git a/per-service/git-servers/roles/install-deps/tasks/main.yml b/per-service/git-servers/roles/install-deps/tasks/main.yml
index 0a78aa0..8002381 100644
--- a/per-service/git-servers/roles/install-deps/tasks/main.yml
+++ b/per-service/git-servers/roles/install-deps/tasks/main.yml
@@ -26,3 +26,14 @@
- git
- install
- update
+
+- name: Install main git special OS dependencies
+ apt: name={{ item }}
+ with_items:
+ - apache2-suexec-custom
+ when: hosttype in ["git-main", "git-slave"]
+ tags:
+ - deps
+ - git
+ - install
+ - update
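Review bot: `apache2-suexec-custom` is installed, but nothing in this commit writes the per-user file under `/etc/apache2/suexec/` that the `-custom` variant exists to read (the document root and userdir suffix suexec will accept); if `{{ apache_root }}` is not beneath the packaged default document root, suexec will refuse to execute the wrappers installed by apache-website. This may be handled by a role outside the diff, in which case a comment on the task naming it, e.g. `# suexec docroot is configured in <role-name>` (placeholder), would help the next reader. The `with_items:` loop over a single package is also more than the task needs; `apt: name=apache2-suexec-custom` says the same thing.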