Enable playbook-level sudo. have to enable ssh agent forwarding to work as root

ed9182c9 · Vik Paruchuri · a07e3d1d · ed9182c9 · ed9182c9 · ed9182c9
Commit ed9182c9 authored May 15, 2013 by Vik Paruchuri
Showing with 40 additions and 16 deletions

playbooks/mlapi_prod.yml
+1 -0

playbooks/mlapi_sandbox.yml
+1 -0

playbooks/mlapi_stage.yml
+1 -0

playbooks/roles/discern/tasks/main.yml
+6 -16

playbooks/roles/discern/templates/sudoers.j2
+31 -0

No files found.
--- a/playbooks/mlapi_prod.yml
+++ b/playbooks/mlapi_prod.yml
@@ -7,3 +7,4 @@
  roles:
    - common
    - discern
+  sudo: True
--- a/playbooks/mlapi_sandbox.yml
+++ b/playbooks/mlapi_sandbox.yml
@@ -7,3 +7,4 @@
  roles:
    - common
    - discern
+  sudo: True
--- a/playbooks/mlapi_stage.yml
+++ b/playbooks/mlapi_stage.yml
@@ -7,3 +7,4 @@
  roles:
    - common
    - discern
+  sudo: True
--- a/playbooks/roles/discern/tasks/main.yml
+++ b/playbooks/roles/discern/tasks/main.yml
 ---
+- name: update sudoers file with template
+  template: src=sudoers.j2 dest=/etc/sudoers.tmp
+
+- name: copy over sudoers file
+  shell: visudo -q -c -f /etc/sudoers.tmp && cp /etc/sudoers.tmp /etc/sudoers
+
 - name: stop all services
  service: name={{item}} state=stopped
-  sudo: True
  with_items:
    - celery
    - nginx
@@ -10,16 +15,13 @@
 #Upload config files for django (auth and env)
 - name: create discern application config env.json file
  template: src=env.json.j2 dest=$app_base_dir/env.json owner={{remote_user}} group=edx mode=0640
-  sudo: True

 - name: create discern auth file auth.json
  template: src=auth.json.j2 dest=$app_base_dir/auth.json owner={{remote_user}} group=edx mode=0640
-  sudo: True

 #Needed if using redis to prevent memory issues
 - name: change memory commit settings -- needed for redis
  command: sysctl vm.overcommit_memory=1
-  sudo: yes

 #Needed to pull repos from github, due to hanging on host add prompt otherwise
 - name: add github to the known hosts file
@@ -28,16 +30,13 @@
 - name: set permissions on $app_base_dir sgid for edx
  file: path=$app_base_dir owner={{remote_user}} group=edx mode=2775 state=directory
  file: path={{venv_dir}} owner={{remote_user}} group=edx mode=2775 state=directory
-  sudo: True

 - name: Install git so that we can clone repos
  apt: pkg=git install_recommends=yes state=present
-  sudo: True

 #Create directories for repos
 - name: create discern and ease directories and set permissions
  file: path={{item}} owner={{remote_user}} group=edx mode=2775 state=directory
-  sudo: True
  with_items:
   - ${discern_dir}
   - ${ease_dir}
@@ -52,7 +51,6 @@
 #Install system packages
 - name: install discern and ease apt packages
  command: xargs -a {{item}}/apt-packages.txt apt-get install -y
-  sudo: yes
  with_items:
    - ${discern_dir}
    - ${ease_dir}
@@ -79,7 +77,6 @@

 - name: set permissions on nltk data directory
  file: path={{nltk_data_dir}} owner={{remote_user}} group=edx mode=2775 state=directory
-  sudo: True

 #Run this instead of using the ansible module because the ansible module only support syncdb of these three, and does not
 #support virtualenvs as of this comment
@@ -89,33 +86,26 @@
    - syncdb
    - migrate
    - collectstatic
-  sudo: True

 #Have this separate from the other three because it doesn't take the noinput flag
 - name: django update_index for discern
  shell: ${venv_dir}/bin/python {{discern_dir}}/manage.py update_index --settings={{discern_settings}} --pythonpath={{discern_dir}}
-  sudo: True

 #Create the templates for upstart services
 - name: render celery service from template
  template: src=celery.conf.j2 dest=/etc/init/celery.conf
-  sudo: True

 - name: render discern service from template
  template: src=discern.conf.j2 dest=/etc/init/discern.conf
-  sudo: True

 - name: create nginx directory and set perms
  file: path=/etc/nginx/sites-available owner=root group=edx mode=2775 state=directory
-  sudo: True

 - name: render nginx sites available
  template: src=default.j2 dest=/etc/nginx/sites-available/default
-  sudo: True

 - name: start all services
  service: name={{item}} state=started
-  sudo: True
  with_items:
    - celery
    - nginx

--- a/playbooks/roles/discern/templates/sudoers.j2
+++ b/playbooks/roles/discern/templates/sudoers.j2
+#
+# This file MUST be edited with the 'visudo' command as root.
+#
+# Please consider adding local content in /etc/sudoers.d/ instead of
+# directly modifying this file.
+#
+# See the man page for details on how to write a sudoers file.
+#
+Defaults        env_reset
+Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+Defaults        env_keep+="SSH_AUTH_SOCK"
+
+# Host alias specification
+
+# User alias specification
+
+# Cmnd alias specification
+
+# User privilege specification
+root    ALL=(ALL:ALL) ALL
+
+# Members of the admin group may gain root privileges
+%admin ALL=(ALL) ALL
+
+# Allow members of group sudo to execute any command
+%sudo   ALL=(ALL:ALL) ALL
+
+# See sudoers(5) for more information on "#include" directives:
+
+#includedir /etc/sudoers.d
\ No newline at end of file