sandbox-ora: Create dedicated user & virtualenv for xqueue

Since xqueue has its own set of dependencies, using a dedicated
virtualenv allows to avoid potential dependencies conflicts when
several services are installed on the same instance.

playbooks/edx_sandbox.yml

@@ -35,6 +35,10 @@
       rbenv_user_home: "{{ forum_home }}"
       rbenv_ruby_version: "{{ forum_ruby_version }}"
     - forum
+    - role: virtualenv
+      virtualenv_user: "{{ xqueue_user }}"
+      virtualenv_user_home: "{{ xqueue_user_home }}"
+      virtualenv_name: "{{ xqueue_user }}"
     - { role: "xqueue", update_users: True }
     - role: virtualenv
       virtualenv_user: "{{ ora_user }}"

playbooks/roles/xqueue/tasks/deploy.yml

@@ -20,7 +20,7 @@
 
 # Do Post Checkout Tasks.
 - name: xqueue | create xqueue code dir
-  file: path={{xqueue_code_dir}} state=directory owner=www-data group=www-data mode=755
+  file: path={{xqueue_code_dir}} state=directory owner={{ xqueue_user }} group={{ xqueue_user }} mode=755
   tags:
   - xqueue
   - deploy
@@ -30,29 +30,29 @@
 # portions of the deploy needs to be incorporated here.
 
 - name: xqueue | sets permissions on xqueue code dir and contents
-  file: path={{xqueue_code_dir}} state=directory owner=www-data group=www-data recurse=yes
+  file: path={{xqueue_code_dir}} state=directory owner={{ xqueue_user }} group={{ xqueue_user }} recurse=yes
   # Post Checkout tasks will get run as handlers when the {{ xqueue_code_dir }} is ready.
   # Look at the handlers/main.yml in this role for a description of the tasks stated below.
   tags:
   - xqueue
   - deploy
 
-# Install the python pre requirements into {{ venv_dir }}
+# Install the python pre requirements into {{ xqueue_venv_dir }}
 - name : install python pre-requirements
-  pip: requirements="{{xqueue_pre_requirements_file}}" virtualenv="{{venv_dir}}" state=present
+  pip: requirements="{{xqueue_pre_requirements_file}}" virtualenv="{{xqueue_venv_dir}}" state=present
   tags:
   - xqueue
   - deploy
 
-# Install the python post requirements into {{ venv_dir }}
+# Install the python post requirements into {{ xqueue_venv_dir }}
 - name : install python post-requirements
-  pip: requirements="{{xqueue_post_requirements_file}}" virtualenv="{{venv_dir}}" state=present
+  pip: requirements="{{xqueue_post_requirements_file}}" virtualenv="{{xqueue_venv_dir}}" state=present
   tags:
   - xqueue
   - deploy
 
 - name: xqueue | syncdb and migrate
-  shell: sudo -u www-data SERVICE_VARIANT=xqueue /opt/edx/bin/django-admin.py syncdb --migrate --noinput --settings=xqueue.aws_settings --pythonpath=/opt/wwc/xqueue
+  shell: sudo -u {{ xqueue_user }} SERVICE_VARIANT=xqueue {{ xqueue_venv_dir }}/bin/django-admin.py syncdb --migrate --noinput --settings=xqueue.aws_settings --pythonpath=/opt/wwc/xqueue
   when: migrate_db is defined and migrate_db|lower == "yes"
   tags:
   - xqueue
@@ -60,7 +60,7 @@
   - deploy
 
 - name: xqueue | create users
-  shell: sudo -u www-data SERVICE_VARIANT=xqueue /opt/edx/bin/django-admin.py update_users --settings=xqueue.aws_settings --pythonpath=/opt/wwc/xqueue
+  shell: sudo -u {{ xqueue_user }} SERVICE_VARIANT=xqueue {{ xqueue_venv_dir }}/bin/django-admin.py update_users --settings=xqueue.aws_settings --pythonpath=/opt/wwc/xqueue
   when: update_users is defined
   tags:
   - xqueue

playbooks/roles/xqueue/tasks/main.yml

@@ -3,11 +3,6 @@
 #  - common/tasks/main.yml
 #  - nginx/tasks/main.yml
 ---
-- name: xqueue | Change permissions on datadir
-  file: path={{app_base_dir}}/data state=directory owner=www-data group=www-data
-  tags:
-  - xqueue
-
 # Check out xqueue repo to {{xqueue_code_dir}}
 - name: xqueue | install git and its recommends
   apt: pkg=git state=present install_recommends=yes 
@@ -32,7 +27,7 @@
     encoding=utf8
 
 - name: xqueue | create xqueue application config
-  template: src=xqueue.env.json.j2 dest={{app_base_dir}}/xqueue.env.json mode=0640 owner=www-data group=adm
+  template: src=xqueue.env.json.j2 dest={{app_base_dir}}/xqueue.env.json mode=0640 owner={{ xqueue_user }} group=adm
   notify:
   - xqueue | restart xqueue
   - xqueue | restart xqueue consumer
@@ -40,7 +35,7 @@
   - xqueue
 
 - name: xqueue | create xqueue auth file
-  template: src=xqueue.auth.json.j2 dest={{app_base_dir}}/xqueue.auth.json mode=0640 owner=www-data group=adm
+  template: src=xqueue.auth.json.j2 dest={{app_base_dir}}/xqueue.auth.json mode=0640 owner={{ xqueue_user }} group=adm
   notify:
   - xqueue | restart xqueue
   - xqueue | restart xqueue consumer

playbooks/roles/xqueue/templates/xqueue.conf.j2

@@ -19,6 +19,6 @@ env SERVICE_VARIANT="xqueue"
 
 
 chdir {{ xqueue_code_dir }}
-setuid www-data
+setuid {{ xqueue_user }}
 
-exec {{ venv_dir }}/bin/gunicorn --preload -b 127.0.0.1:$PORT -w $WORKERS --timeout=300 --pythonpath={{ xqueue_code_dir }} xqueue.wsgi
+exec {{ xqueue_venv_dir }}/bin/gunicorn --preload -b 127.0.0.1:$PORT -w $WORKERS --timeout=300 --pythonpath={{ xqueue_code_dir }} xqueue.wsgi

playbooks/roles/xqueue/templates/xqueue_consumer.conf.j2

@@ -13,6 +13,6 @@ env LANG=en_US.UTF-8
 env WORKERS_PER_QUEUE={{xqueue_env_config.XQUEUE_WORKERS_PER_QUEUE}}
 env SERVICE_VARIANT="xqueue"
 chdir {{xqueue_code_dir}}
-setuid www-data
+setuid {{ xqueue_user }}
 
-exec {{venv_dir}}/bin/django-admin.py run_consumer --pythonpath={{xqueue_code_dir}} --settings=xqueue.aws_settings $WORKERS_PER_QUEUE
+exec {{xqueue_venv_dir}}/bin/django-admin.py run_consumer --pythonpath={{xqueue_code_dir}} --settings=xqueue.aws_settings $WORKERS_PER_QUEUE

playbooks/roles/xqueue/vars/main.yml

@@ -10,6 +10,10 @@ xqueue_code_dir: "{{ app_base_dir }}/xqueue"
 xqueue_nginx_port: 18040
 xqueue_gunicorn_port: 8040
 
+xqueue_user: "xqueue"
+xqueue_user_home: "/opt/xqueue"
+xqueue_venv_dir: "{{ xqueue_user_home }}/virtualenvs/{{ xqueue_user }}"
+
 xqueue_env_config:
   'XQUEUES':
     # push queue