updating xserver role for refactor

7f0f76c2 · John Jarvis · 57afc315 · 7f0f76c2 · 57afc315 · 7f0f76c2
Commit 7f0f76c2 authored Oct 24, 2013 by John Jarvis
6 changed files
--- a/playbooks/roles/xserver/defaults/main.yml
+++ b/playbooks/roles/xserver/defaults/main.yml
@@ -14,26 +14,34 @@ XSERVER_SYSLOG_SERVER: ''
 # source repo
 XSERVER_GRADER_CHECKOUT: False

+xserver_app_dir: "{{ app_dir }}/xserver"
+xserver_code_dir: "{{ xserver_app_dir }}/xserver"
+xserver_data_dir: "{{ data_dir }}/xserver"
+xserver_venv_dir: "{{ venvs_dir }}/xserver"
+xserver_venv_sandbox_dir: "{{ xserver_venv_dir }}-sandbox"
+xserver_venv_bin: "{{ xserver_venv_dir }}/bin"
+xserver_user: "xserver"
+xserver_sandbox_user: "xserver-sandbox"
+xserver_log_dir: "{{ log_dir }}/xserver"
+
 xserver_env_config:
  RUN_URL: $XSERVER_RUN_URL
  GRADER_ROOT: $XSERVER_GRADER_ROOT
  LOGGING_ENV: $XSERVER_LOGGING_ENV
-  LOG_DIR: "{{ data_dir }}/logs/xserver"
+  LOG_DIR: "{{ xserver_log_dir }}"
  SYSLOG_SERVER: $XSERVER_SYSLOG_SERVER
-  SANDBOX_PYTHON: '/opt/edx_apparmor_sandbox/bin/python'
+  SANDBOX_PYTHON: '{{ xserver_venv_sandbox_dir }}/bin/python'

 xserver_git_identity_path: "{{ secure_dir }}/files/git-identity"
-xserver_code_dir: "{{ app_dir }}/xserver"
 xserver_source_repo: "git://github.com/edx/xserver.git"
 # This should probably be overridden in the playbook or groupvars
 # with the default pointing to the head of master.
 xserver_version: HEAD

-xserver_grader_dir: "{{ app_dir }}/data/content-mit-600x~2012_Fall"
+xserver_grader_dir: "{{ xserver_data_dir }}/data/content-mit-600x~2012_Fall"
 xserver_grader_source: "git@github.com:/MITx/6.00x.git"
 xserver_grader_version: HEAD

-xserver_sandbox_venv_dir: "{{ venv_dir }}_apparmor_sandbox"

 xserver_requirements_file: "{{ xserver_code_dir }}/requirements.txt"

@@ -50,3 +58,4 @@ xserver_debian_pkgs:
  - libxml2-utils
  - libxslt1-dev
  - python-dev
+  - apparmor-utils
--- a/playbooks/roles/xserver/files/sandbox.conf
+++ b/playbooks/roles/xserver/files/sandbox.conf
-sandbox       hard   core  0
-sandbox       hard   data  100000
-sandbox       hard   fsize 10000
-sandbox       hard   memlock 10000
-sandbox       hard   nofile 20
-sandbox       hard   rss    10000
-sandbox       hard   stack  100000
-sandbox       hard   cpu    0
-sandbox       hard   nproc  8
-sandbox       hard   as     32000
-sandbox       hard   maxlogins  1
-sandbox       hard   priority  19
-sandbox       hard   locks     4
-sandbox       hard   sigpending  100
-sandbox       hard   msgqueue  100000
-sandbox       hard   nice     19
--- a/playbooks/roles/xserver/tasks/deploy.yml
+++ b/playbooks/roles/xserver/tasks/deploy.yml
@@ -5,21 +5,25 @@

 - name: xserver | checkout code
  git: dest={{xserver_code_dir}} repo={{xserver_source_repo}} version={{xserver_version}}
+  sudo_user: "{{ xserver_user }}"
  tags:
  - deploy

 - name: xserver | install requirements
-  pip: requirements="{{xserver_requirements_file}}" virtualenv="{{venv_dir}}" state=present
+  pip: requirements="{{xserver_requirements_file}}" virtualenv="{{ xserver_venv_dir }}" state=present
+  sudo_user: "{{ xserver_user }}"
  tags:
  - deploy

 - name: xserver | install sandbox requirements
-  pip: requirements="{{xserver_requirements_file}}" virtualenv="{{xserver_sandbox_venv_dir}}" state=present
+  pip: requirements="{{xserver_requirements_file}}" virtualenv="{{xserver_venv_sandbox_dir}}" state=present
+  sudo_user: "{{ xserver_user }}"
  tags:
  - deploy

 - name: xserver | create xserver application config
-  template: src=xserver.env.json.j2 dest={{app_dir}}/env.json mode=640 owner=www-data group=adm
+  template: src=xserver.env.json.j2 dest={{ xserver_app_dir }}/env.json mode=640 owner=www-data group=adm
+  sudo_user: "{{ xserver_user }}"
  tags:
  - deploy

@@ -29,10 +33,11 @@
  - deploy

 - name: xserver | checkout grader code
-  git: dest={{xserver_grader_dir}} repo={{xserver_grader_source}} version={{xserver_grader_version}}
+  git: dest={{ xserver_grader_dir }} repo={{ xserver_grader_source }} version={{ xserver_grader_version }}
  environment:
    GIT_SSH: /tmp/git_ssh.sh
  when: XSERVER_GRADER_CHECKOUT
+  sudo_user: "{{ xserver_user }}"
  tags:
  - deploy


--- a/playbooks/roles/xserver/tasks/main.yml
+++ b/playbooks/roles/xserver/tasks/main.yml
@@ -3,21 +3,33 @@
 # access to the edX 6.00x repo which is not public
 ---

- name: xserver | ensure sandbox group exists
-  group: name=sandbox
+- name: xserver | create application user
+  user: >
+    name="{{ xserver_user }}"
+    home="{{ xserver_app_dir }}"
+    createhome=no
+    shell=/bin/false

- name: xserver | ensure sandbox user exists
-  user: name=sandbox group=sandbox
+- name: xserver | create application sandbox user
+  user: >
+    name="{{ xserver_sandbox_user }}"
+    createhome=no
+    shell=/bin/false

- name: xserver | create sandbox python directory
-  file: path={{ xserver_sandbox_venv_dir }} owner=ubuntu group=adm mode=2775 state=directory
+
+- name: xserver | create xserver app and data dir
+  file: >
+    path="{{ item }}"
+    state=directory
+    owner="{{ xserver_user }}"
+    group="{{ common_web_group }}"
+  with_items:
+    - "{{ xserver_app_dir }}"
+    - "{{ xserver_data_dir }}"

 - name: xserver | create sandbox sudoers file
  template: src=99-sandbox.j2 dest=/etc/sudoers.d/99-sandbox owner=root group=root mode=0440

- name: xserver | create sandbox python
-  command: /usr/local/bin/virtualenv {{ xserver_sandbox_venv_dir }} --distribute creates={{ xserver_sandbox_venv_dir }}/bin/activate
-
 # Make sure this line is in the common-session file.
 - name: xserver | ensure pam-limits module is loaded
  lineinfile:
@@ -26,13 +38,14 @@
    line="session required pam_limits.so"

 - name: xserver | set sandbox limits
-  copy: src={{ item }} dest=/etc/security/limits.d/sandbox.conf
+  template: src={{ item }} dest=/etc/security/limits.d/sandbox.conf
  first_available_file:
-  - "{{ secure_dir }}/sandbox.conf"
-  - "sandbox.conf"
+  - "{{ secure_dir }}/sandbox.conf.j2"
+  - "sandbox.conf.j2"

- name: xserver | ensure apparmor package
-  apt: pkg=apparmor-utils state=present
+- name: xserver | install system dependencies of xserver
+  apt: pkg={{ item }} state=present
+  with_items: xserver_debian_pkgs

 - name: xserver | load python-sandbox apparmor profile
  template: src={{ item }} dest=/etc/apparmor.d/edx_apparmor_sandbox
@@ -46,10 +59,6 @@
 - name: xserver | setup upstart script
  template: src=xserver.conf.j2 dest=/etc/init/xserver.conf owner=root group=root

- name: xserver | install system dependencies of xserver
-  apt: pkg={{ item }} state=present
-  with_items: xserver_debian_pkgs
-
 - name: xserver | upload ssh script
  copy: src=git_ssh.sh dest=/tmp/git_ssh.sh force=yes owner=root group=adm mode=750


--- a/playbooks/roles/xserver/templates/99-sandbox.j2
+++ b/playbooks/roles/xserver/templates/99-sandbox.j2
-www-data ALL=(sandbox) NOPASSWD:{{xserver_sandbox_venv_dir}}/bin/python
+www-data ALL=({{ xserver_sandbox_user }}) NOPASSWD:{{xserver_sandbox_venv_dir}}/bin/python
--- a/playbooks/roles/xserver/templates/sandbox.conf.j2
+++ b/playbooks/roles/xserver/templates/sandbox.conf.j2
+{{ xserver_sandbox_user }}       hard   core  0
+{{ xserver_sandbox_user }}       hard   data  100000
+{{ xserver_sandbox_user }}       hard   fsize 10000
+{{ xserver_sandbox_user }}       hard   memlock 10000
+{{ xserver_sandbox_user }}       hard   nofile 20
+{{ xserver_sandbox_user }}       hard   rss    10000
+{{ xserver_sandbox_user }}       hard   stack  100000
+{{ xserver_sandbox_user }}       hard   cpu    0
+{{ xserver_sandbox_user }}       hard   nproc  8
+{{ xserver_sandbox_user }}       hard   as     32000
+{{ xserver_sandbox_user }}       hard   maxlogins  1
+{{ xserver_sandbox_user }}       hard   priority  19
+{{ xserver_sandbox_user }}       hard   locks     4
+{{ xserver_sandbox_user }}       hard   sigpending  100
+{{ xserver_sandbox_user }}       hard   msgqueue  100000
+{{ xserver_sandbox_user }}       hard   nice     19