switching forum to use supervisor, www-data perms for rbenv for forum

63f29122 · John Jarvis · 92a0e393 · 63f29122 · 63f29122 · 63f29122
Commit 63f29122 authored Oct 24, 2013 by John Jarvis
13 changed files
--- a/playbooks/roles/forum/defaults/main.yml
+++ b/playbooks/roles/forum/defaults/main.yml
@@ -6,6 +6,7 @@ forum_rbenv_dir: "{{ forum_app_dir }}"
 forum_rbenv_root: "{{ forum_app_dir }}/.rbenv"
 forum_rbenv_shims: "{{ forum_rbenv_root }}/shims"
 forum_rbenv_bin: "{{ forum_rbenv_root }}/bin"
+forum_supervisor_wrapper: "{{ forum_app_dir }}/forum-supervisor.sh"
 forum_gem_root: "{{ forum_rbenv_dir }}/.gem"
 forum_gem_bin: "{{ forum_gem_root }}/bin"
 forum_path: "{{ forum_code_dir }}/bin:{{ forum_rbenv_bin }}:{{ forum_rbenv_shims }}:{{ forum_gem_bin }}:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
@@ -22,6 +23,7 @@ forum_environment:
  API_KEY: "{{ forum_api_key }}"
  SEARCH_SERVER: "{{ forum_elasticsearch_url }}"
  MONGOHQ_URL: "{{ forum_mongo_url }}"
+  HOME: "{{ forum_app_dir }}"

 forum_user: "forum"
 forum_ruby_version: "1.9.3-p448"

--- a/playbooks/roles/forum/handlers/main.yml
+++ b/playbooks/roles/forum/handlers/main.yml
 ---
-
 - name: forum | restart the forum service
-  service: name=cs_comments_service state=restarted
+  supervisorctl: >
+    name=forum
+    supervisorctl_path={{ supervisor_ctl }}
+    config={{ supervisor_cfg }}
+    state=restarted
--- a/playbooks/roles/forum/meta/main.yml
+++ b/playbooks/roles/forum/meta/main.yml
 ---
 dependencies:
  - role: rbenv
-    rbenv_user: "{{ forum_user }}"
+    # TODO: setting the rbenv ownership to
+    # the common_web_user is a workaround
+    rbenv_user: "{{ common_web_user }}"
    rbenv_dir: "{{ forum_app_dir }}"
    rbenv_ruby_version: "{{ forum_ruby_version }}"
--- a/playbooks/roles/forum/tasks/deploy.yml
+++ b/playbooks/roles/forum/tasks/deploy.yml
@@ -5,20 +5,35 @@
  tags:
  - deploy

+- name: forum | create the supervisor wrapper
+  template: >
+    src={{ forum_supervisor_wrapper|basename }}.j2
+    dest={{ forum_supervisor_wrapper }}
+    mode=0755
+  sudo_user: "{{ forum_user }}"
+  notify:
+    - forum | restart the forum service
+
+
 - name:  forum | git checkout forum repo into {{ forum_code_dir }}
  git: dest={{ forum_code_dir }} repo={{ forum_source_repo }} version={{ forum_version }}
  sudo_user: "{{ forum_user }}"
  tags:
  - deploy

+# TODO: This is done as the common_web_user
+# since the process owner needs write access
+# to the rbenv
 - name: forum | install comments service bundle
  shell: bundle install chdir={{ forum_code_dir }}
-  sudo_user: "{{ forum_user }}"
+  sudo_user: "{{ common_web_user }}"
  environment: "{{ forum_environment }}"
  tags:
  - deploy

 - name: forum | restart the forum service
-  service: name=cs_comments_service state=restarted
-  tags:
-  - deploy
+  supervisorctl: >
+    name=forum
+    supervisorctl_path={{ supervisor_ctl }}
+    config={{ supervisor_cfg }}
+    state=restarted
--- a/playbooks/roles/forum/tasks/main.yml
+++ b/playbooks/roles/forum/tasks/main.yml
@@ -41,23 +41,5 @@
  notify:
    - forum | restart the forum service

- name: forum | copy cs_comments_service SysVunit script
-  template: src=cs_comments_service.j2 dest=/etc/init.d/cs_comments_service owner=root group=root mode=750
-  notify:
-    - forum | restart the forum service
-  tags:
-  - forum
-  - install
-  when: ansible_distribution == 'Debian'
-
- name: forum | copy cs_comments_service upstart script
-  template: src=cs_comments_service.conf.j2 dest=/etc/init/cs_comments_service.conf owner=root group=root mode=644
-  notify:
-    - forum | restart the forum service
-  tags:
-  - forum
-  - install
-  when: ansible_distribution == 'Ubuntu'
-
 - include: deploy.yml
 - include: test.yml
--- a/playbooks/roles/forum/templates/forum_env.j2
+++ b/playbooks/roles/forum/templates/forum_env.j2
 # {{ ansible_managed }}
 {% for name,value in forum_environment.items() %}
-{% if value %}
+{%- if value %}
 export {{ name }}="{{ value }}"
-{% endif %}                 
+{%- endif %}                 
 {% endfor %}
 eval "$(rbenv init -)"
--- a/playbooks/roles/rbenv/defaults/main.yml
+++ b/playbooks/roles/rbenv/defaults/main.yml
@@ -17,7 +17,8 @@ rbenv_debian_pkgs:
  - libxslt1-dev
  - zlib1g-dev
 rbenv_environment:
-  RBENV_ROOT: $rbenv_root
-  GEM_ROOT: $rbenv_gem_root
-  GEM_HOME: $rbenv_gem_root
-  PATH: $rbenv_path
+  RBENV_ROOT: "{{ rbenv_root }}"
+  GEM_ROOT: "{{ rbenv_gem_root }}"
+  GEM_HOME: "{{ rbenv_gem_root }}"
+  PATH: "{{ rbenv_path }}"
+  HOME: "{{ rbenv_root }}"
--- a/playbooks/roles/rbenv/tasks/main.yml
+++ b/playbooks/roles/rbenv/tasks/main.yml
@@ -40,6 +40,7 @@
    home={{ rbenv_dir }}
    shell=/bin/false
    createhome=no
+  when: rbenv_user != common_web_user

 - name: rbenv | create rbenv dir if it does not exist
  file: >

--- a/playbooks/roles/supervisor/defaults/main.yml
+++ b/playbooks/roles/supervisor/defaults/main.yml
@@ -11,16 +11,17 @@
 # Defaults for role supervisor
 #
 ---
-
 supervisor_app_dir: "{{ app_dir }}/supervisor"
 supervisor_cfg_dir: "{{ supervisor_app_dir }}/conf.d"
 supervisor_data_dir: "{{ data_dir }}/supervisor"
 supervisor_venvs_dir: "{{ venvs_dir }}/supervisor"
 supervisor_venv_dir: "{{ supervisor_venvs_dir }}/supervisor"
 supervisor_venv_bin: "{{ supervisor_venv_dir }}/bin"
+supervisor_ctl: "{{ supervisor_venv_bin }}/supervisorctl"
+
 # by default supervisor runs as the web user
 # which by default is set to www-data in
 # the common role
-supervisor_user: "{{ common_web_user }}"
+supervisor_user: supervisor
 supervisor_log_dir: "{{ log_dir }}/supervisor"
 supervisor_cfg: "{{ supervisor_app_dir }}/supervisord.conf"
--- a/playbooks/roles/supervisor/tasks/main.yml
+++ b/playbooks/roles/supervisor/tasks/main.yml
@@ -29,32 +29,50 @@
 - fail: supervisor_servers is a required parameter for this role
  when: supervisor_servers is not defined

+- name: supervisor | create application user
+  user: >
+    name="{{ supervisor_user }}"
+    home="{{ supervisor_app_dir }}"
+    createhome=no
+    shell=/bin/false
+
 - name: supervisor | create supervisor directories
  file: >
    name={{ item }}
    state=directory
    owner={{ supervisor_user }}
-    group={{ supervisor_user }}
+    group={{ common_web_user }}
  with_items:
    - "{{ supervisor_app_dir }}"
    - "{{ supervisor_cfg_dir }}"
-    - "{{ superivsor_data_dir }}"
    - "{{ supervisor_venvs_dir }}"
+
+- name: supervisor | create supervisor directories
+  file: >
+    name={{ item }}
+    state=directory
+    owner={{ common_web_user }}
+    group={{ supervisor_user }}
+  with_items:
+    - "{{ supervisor_data_dir }}"
    - "{{ supervisor_log_dir }}"


 - name: supervisor | install supervisor in its venv
  pip: name=supervisor virtualenv="{{supervisor_venv_dir}}" state=present
+  sudo_user: "{{ supervisor_user }}"

 - name: supervisor | create supervisor upstart job
-  template: src=supervisor-upstart.conf.j2 dest={{ supervisor_cfg }}
+  template: src=supervisor-upstart.conf.j2 dest=/etc/init/supervisor.conf

 - name: supervisor | create supervisor master config
  template: src=supervisord.conf.j2 dest={{ supervisor_cfg }}
+  sudo_user: "{{ supervisor_user }}"

 - name: supervisor | create supervisor configs
  template: src={{ item }}.conf.j2 dest={{ supervisor_cfg_dir }}/{{ item }}.conf
  with_items: supervisor_servers
+  sudo_user: "{{ supervisor_user }}"

 - name: supervisor | ensure supervisor is started
  service: name=supervisor state=started
--- a/playbooks/roles/supervisor/templates/forum.conf.j2
+++ b/playbooks/roles/supervisor/templates/forum.conf.j2
 [program:forum]
-command={{ forum_rbenv_shims }}/ruby app.rb
+
+command={{ forum_supervisor_wrapper }}
 priority=999
 startsecs = 5
 redirect_stderr = True

--- a/playbooks/roles/supervisor/templates/supervisor-upstart.conf.j2
+++ b/playbooks/roles/supervisor/templates/supervisor-upstart.conf.j2
@@ -4,5 +4,5 @@ start on runlevel [2345]
 stop on runlevel [!2345]

 respawn
-setuid {{ supervisor_user }}
+setuid {{ common_web_user }}
 exec {{ supervisor_venv_dir }}/bin/supervisord --nodaemon --configuration {{ supervisor_cfg }}
--- a/playbooks/roles/supervisor/templates/supervisord.conf.j2
+++ b/playbooks/roles/supervisor/templates/supervisord.conf.j2
@@ -6,8 +6,8 @@ chmod=0700                       ; sockef file mode (default 0700)

 [supervisord]
 logfile={{ supervisor_log_dir }}/supervisord.log ; (main log file;default $CWD/supervisord.log)
-pidfile=/var/run/supervisord.pid ; (supervisord pidfile;default supervisord.pid)
-childlogdir=/var/log/supervisor            ; ('AUTO' child log dir, default $TEMP)
+pidfile={{ supervisor_data_dir }}/supervisord.pid ; (supervisord pidfile;default supervisord.pid)
+childlogdir={{ supervisor_log_dir }}            ; ('AUTO' child log dir, default $TEMP)

 ; the below section must remain in the config file for RPC
 ; (supervisorctl/web interface) to work, additional interfaces may be
@@ -16,7 +16,7 @@ childlogdir=/var/log/supervisor            ; ('AUTO' child log dir, default $TEM
 supervisor.rpcinterface_factory = supervisor.rpcinterface:make_main_rpcinterface

 [supervisorctl]
-serverurl=unix:///var/run//supervisor.sock ; use a unix:// URL  for a unix socket
+serverurl=unix://{{ supervisor_data_dir }}/supervisor.sock ; use a unix:// URL  for a unix socket

 ; The [include] section can just contain the "files" setting.  This
 ; setting can list multiple files (separated by whitespace or