Merge branch 'allow_external_account_management' into 'master'

Allow external account management

Closes #737

See merge request !467
This commit is contained in:
Marin Jankovski 2015-09-15 13:22:06 +00:00
commit b7f5f2bea4
28 changed files with 405 additions and 135 deletions


@ -113,7 +113,96 @@ web_server['gid'] = 1237
Run `sudo gitlab-ctl reconfigure` for the changes to take effect.
## Only start omnibus-gitlab services after a given filesystem is mounted
### Disable user and group account management
By default, omnibus-gitlab takes care of user and group accounts creation as well as keeping the accounts information updated.
This behaviour makes sense for most users but in certain environments user and group accounts are managed by other software, eg. LDAP.
In order to disable user and group accounts management, in `/etc/gitlab/gitlab.rb` set:
```ruby
manage_accounts['enable'] = false
```
*Warning* Omnibus-gitlab still expects users and groups to exist on the system where omnibus-gitlab package is installed.
By default, omnibus-gitlab package expects that following users exist:
```bash
# GitLab user (required)
git
# Web server user (required)
gitlab-www
# Redis user for GitLab or GitLab CI (only when using packaged Redis)
gitlab-redis
# Postgresql user (only when using packaged Postgresql)
gitlab-psql
# GitLab CI user (only when using GitLab CI)
gitlab-ci
# GitLab Mattermost user (only when using GitLab Mattermost)
mattermost
```
By default, omnibus-gitlab package expects that following groups exist:
```bash
# GitLab group (required)
git
# Web server group (required)
gitlab-www
# Redis group for GitLab or GitLab CI (only when using packaged Redis)
gitlab-redis
# Postgresql group (only when using packaged Postgresql)
gitlab-psql
# GitLab CI group (only when using GitLab CI)
gitlab-ci
# GitLab Mattermost group (only when using GitLab Mattermost)
mattermost
```
You can also use different user/group names but then you must specify user/group details in `/etc/gitlab/gitlab.rb`, eg.
```ruby
# Do not manage user/group accounts
manage_accounts['enable'] = false
# GitLab
user['username'] = "custom-gitlab"
user['group'] = "custom-gitlab"
user['shell'] = "/bin/sh"
user['home'] = "/var/opt/custom-gitlab"
# Web server
web_server['username'] = 'webserver-gitlab'
web_server['group'] = 'webserver-gitlab'
web_server['shell'] = '/bin/false'
web_server['home'] = '/var/opt/gitlab/webserver'
# Postgresql (not needed when using external Postgresql)
postgresql['username'] = "postgres-gitlab"
postgresql['shell'] = "/bin/sh"
postgresql['home'] = "/var/opt/postgres-gitlab"
# Redis (not needed when using external Redis)
redis['username'] = "redis-gitlab"
redis['shell'] = "/bin/false"
redis['home'] = "/var/opt/redis-gitlab"
# And so on for users/groups for GitLab CI GitLab Mattermost
```
## Only start Omnibus-GitLab services after a given filesystem is mounted
If you want to prevent omnibus-gitlab services (NGINX, Redis, Unicorn etc.)
from starting before a given filesystem is mounted, add the following to


@ -459,6 +459,15 @@ external_url 'GENERATED_EXTERNAL_URL'
# logrotate['enable'] = true
#############################
# Users and groups accounts #
#############################
## Should omnibus-gitlab package manage users and groups accounts.
## Only set if creating accounts manually
##
# manage_accounts['enable'] = true
#######
# Git #
#######


@ -24,7 +24,8 @@ default['gitlab']['omnibus-gitconfig']['system'] = {
"pack" => ["threads = 1"],
"receive" => ["fsckObjects = true"]
}
# Create users and groups needed for the package
default['gitlab']['manage-accounts']['enable'] = true
####
# The Git User that services run as


@ -0,0 +1,48 @@
#
# Copyright:: Copyright (c) 2015 GitLab B.V.
# License:: Apache License, Version 2.0
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
define :account, action: nil, username: nil, uid: nil, ugid: nil, groupname: nil, gid: nil, shell: nil, home: nil, system: true, append_to_group: false, group_members: [], user_supports: {}, manage: nil do
manage = params[:manage]
groupname = params[:groupname]
username = params[:username]
if manage && groupname
group groupname do
gid params[:gid]
system params[:system]
if params[:append_to_group]
append true
members params[:group_members]
end
action params[:action]
end
end
if manage && username
user username do
shell params[:shell]
home params[:home]
uid params[:uid]
gid params[:ugid]
system params[:system]
supports params[:user_supports]
action params[:action]
end
end
end
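Review bot: `manage` defaults to `nil`, so a caller that forgets to pass it gets neither a group nor a user created and no error — the two `if manage && ...` guards at the top of the definition turn a missing argument into a silent no-op. Every call site on this page passes `node['gitlab']['manage-accounts']['enable']` explicitly, so resolving that attribute inside the definition when the parameter is absent would remove the footgun, e.g. `manage = params[:manage].nil? ? node['gitlab']['manage-accounts']['enable'] : params[:manage]` (assuming `node` is reachable from the definition, as it is in the recipes). Since the file is new, a header comment stating that with `manage` false the definition intentionally does nothing and the accounts are expected to already exist on the host (the same caveat the configuration docs give) would also help the next reader.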


@ -20,19 +20,17 @@ define :redis_service, :socket_group => nil do
redis_dir = node['gitlab'][svc]['dir']
redis_log_dir = node['gitlab'][svc]['log_directory']
redis_user = node['gitlab']['redis']['username']
redis_user = AccountHelper.new(node).redis_user
group redis_user do
gid node['gitlab']['redis']['gid']
system true
end
user redis_user do
uid node['gitlab']['redis']['uid']
gid redis_user
system true
shell node['gitlab']['redis']['shell']
home node['gitlab']['redis']['home']
account "Redis user and group" do
username redis_user
uid node['gitlab'][svc]['uid']
ugid redis_user
groupname redis_user
gid node['gitlab'][svc]['gid']
shell node['gitlab'][svc]['shell']
home node['gitlab'][svc]['home']
manage node['gitlab']['manage-accounts']['enable']
end
directory redis_dir do
@ -50,7 +48,7 @@ define :redis_service, :socket_group => nil do
template redis_config do
source "redis.conf.erb"
owner node['gitlab']['redis']['username']
owner redis_user
mode "0644"
variables(node['gitlab'][svc].to_hash)
notifies :restart, "service[#{svc}]", :immediately if OmnibusHelper.should_notify?(svc)
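Review bot: `redis_user` now comes from `AccountHelper#redis_user`, which reads `node['gitlab']['redis']['username']` regardless of `svc`, while the uid, gid, shell and home on the following lines read `node['gitlab'][svc]`, so the `ci-redis` invocation creates the account under the redis username but with ci-redis's ids and home. `AccountHelper` also exposes a separate `ci_redis_user` (`node['gitlab']['ci-redis']['username']`) that `remove_accounts` will try to delete, which this definition never creates whenever the two usernames differ. Deriving the name from the service, `redis_user = node['gitlab'][svc]['username']`, keeps creation and removal consistent; the rest of the definition is outside the hunk, so I may be missing an override there.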


@ -42,7 +42,7 @@ define :unicorn_service, :rails_app => nil, :user => nil do
directory unicorn_socket_dir do
owner user
group node['gitlab']['web-server']['group']
group AccountHelper.new(node).web_server_group
mode '0750'
recursive true
end


@ -0,0 +1,105 @@
#
# Copyright:: Copyright (c) 2015 GitLab B.V.
# License:: Apache License, Version 2.0
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
class AccountHelper
attr_reader :node
def initialize(node)
@node = node
end
def gitlab_user
node['gitlab']['user']['username']
end
def gitlab_group
node['gitlab']['user']['group']
end
def web_server_user
node['gitlab']['web-server']['username']
end
def web_server_group
node['gitlab']['web-server']['group']
end
def redis_user
node['gitlab']['redis']['username']
end
def redis_group
node['gitlab']['redis']['username']
end
def postgresgl_user
node['gitlab']['postgresql']['username']
end
def postgresgl_group
node['gitlab']['postgresql']['username']
end
def gitlab_ci_user
node['gitlab']['gitlab-ci']['username']
end
def gitlab_ci_group
node['gitlab']['gitlab-ci']['username']
end
def ci_redis_user
node['gitlab']['ci-redis']['username']
end
def ci_redis_group
node['gitlab']['ci-redis']['username']
end
def mattermost_user
node['gitlab']['mattermost']['username']
end
def mattermost_group
node['gitlab']['mattermost']['group']
end
def users
%W(
#{gitlab_user}
#{web_server_user}
#{redis_user}
#{postgresgl_user}
#{gitlab_ci_user}
#{ci_redis_user}
#{mattermost_user}
)
end
def groups
%W(
#{gitlab_group}
#{web_server_group}
#{redis_group}
#{postgresgl_group}
#{gitlab_ci_group}
#{ci_redis_group}
#{mattermost_group}
)
end
end
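Review bot: `users` and `groups` build their lists with `%W(...)`, so a helper that returns `nil` (a component whose `username` attribute is unset) becomes the empty string `""`, and `remove_accounts` then declares `account "" do username "" ... action :remove end`; a username containing whitespace would likewise be split into two entries. A plain array, `[gitlab_user, web_server_user, redis_user, postgresgl_user, gitlab_ci_user, ci_redis_user, mattermost_user].compact.uniq` (and the same for the groups), avoids both and also drops duplicates, which matter because the redis, ci-redis and postgresql group names repeat the usernames and would otherwise produce duplicate Chef resource names. Separately, `postgresgl_user`/`postgresgl_group` misspell postgresql and the typo is now public API used from postgresql.rb; if it is renamed, keep the old names as aliases until the callers are updated.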


@ -36,6 +36,7 @@ module Gitlab
bootstrap Mash.new
omnibus_gitconfig Mash.new
manage_accounts Mash.new
user Mash.new
postgresql Mash.new
redis Mash.new
@ -356,6 +357,7 @@ module Gitlab
[
"bootstrap",
"omnibus_gitconfig",
"manage_accounts",
"user",
"redis",
"ci_redis",


@ -17,5 +17,5 @@
#
redis_service 'ci-redis' do
socket_group node['gitlab']['gitlab-ci']['username']
socket_group AccountHelper.new(node).gitlab_ci_user
end


@ -18,5 +18,5 @@
sidekiq_service 'ci-sidekiq' do
rails_app 'gitlab-ci'
user node['gitlab']['gitlab-ci']['username']
user AccountHelper.new(node).gitlab_ci_user
end


@ -18,5 +18,5 @@
unicorn_service 'ci-unicorn' do
rails_app 'gitlab-ci'
user node['gitlab']['gitlab-ci']['username']
user AccountHelper.new(node).gitlab_ci_user
end


@ -24,6 +24,6 @@ end
cron 'gitlab-ci schedule builds' do
minute node['gitlab']['gitlab-ci']['schedule_builds_minute']
command '/opt/gitlab/bin/gitlab-ci-rake schedule_builds'
user node['gitlab']['gitlab-ci']['username']
user AccountHelper.new(node).gitlab_ci_user
action node['gitlab']['gitlab-ci']['enable'] ? :create : :delete
end


@ -27,20 +27,18 @@ gitlab_ci_tmp_dir = File.join(gitlab_ci_dir, "tmp")
gitlab_ci_log_dir = node['gitlab']['gitlab-ci']['log_directory']
gitlab_ci_builds_dir = node['gitlab']['gitlab-ci']['builds_directory']
gitlab_ci_user = node['gitlab']['gitlab-ci']['username']
gitlab_ci_user = AccountHelper.new(node).gitlab_ci_user
gitlab_app = "gitlab-ci"
group gitlab_ci_user do
gid node['gitlab']['gitlab-ci']['gid']
system true
end
user gitlab_ci_user do
account "GitLab CI user and group" do
username gitlab_ci_user
uid node['gitlab']['gitlab-ci']['uid']
gid gitlab_ci_user
system true
ugid gitlab_ci_user
groupname gitlab_ci_user
gid node['gitlab']['gitlab-ci']['gid']
shell node['gitlab']['gitlab-ci']['shell']
home gitlab_ci_home_dir
manage node['gitlab']['manage-accounts']['enable']
end
[


@ -14,19 +14,20 @@
# See the License for the specific language governing permissions and
# limitations under the License.
#
account_helper = AccountHelper.new(node)
working_dir = node['gitlab']['gitlab-git-http-server']['dir']
log_dir = node['gitlab']['gitlab-git-http-server']['log_dir']
directory working_dir do
owner node['gitlab']['user']['username']
group node['gitlab']['web-server']['username']
owner account_helper.gitlab_user
group account_helper.web_server_group
mode '0750'
recursive true
end
directory log_dir do
owner node['gitlab']['user']['username']
owner account_helper.gitlab_user
mode '0700'
recursive true
end


@ -15,6 +15,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
#
account_helper = AccountHelper.new(node)
gitlab_rails_source_dir = "/opt/gitlab/embedded/service/gitlab-rails"
gitlab_shell_source_dir = "/opt/gitlab/embedded/service/gitlab-shell"
@ -29,6 +30,9 @@ ssh_dir = File.join(node['gitlab']['user']['home'], ".ssh")
known_hosts = File.join(ssh_dir, "known_hosts")
gitlab_app = "gitlab"
gitlab_user = account_helper.gitlab_user
gitlab_group = account_helper.gitlab_group
[
gitlab_rails_etc_dir,
gitlab_rails_static_etc_dir,
@ -39,21 +43,21 @@ gitlab_app = "gitlab"
gitlab_rails_log_dir
].compact.each do |dir_name|
directory dir_name do
owner node['gitlab']['user']['username']
owner gitlab_user
mode '0700'
recursive true
end
end
directory gitlab_rails_dir do
owner node['gitlab']['user']['username']
owner gitlab_user
mode '0755'
recursive true
end
directory gitlab_rails_public_uploads_dir do
owner node['gitlab']['user']['username']
group node['gitlab']['web-server']['group']
owner gitlab_user
group account_helper.web_server_group
mode '0750'
recursive true
end
@ -188,8 +192,8 @@ link File.join(gitlab_rails_source_dir, ".gitlab_shell_secret") do
end
directory node['gitlab']['gitlab-rails']['satellites_path'] do
owner node['gitlab']['user']['username']
group node['gitlab']['user']['group']
owner gitlab_user
group gitlab_group
mode "0750"
recursive true
end
@ -223,7 +227,7 @@ end
# Make schema.rb writable for when we run `rake db:migrate`
file "/opt/gitlab/embedded/service/gitlab-rails/db/schema.rb" do
owner node['gitlab']['user']['username']
owner gitlab_user
end
# Only run `rake db:migrate` when the gitlab-rails version has changed
@ -254,15 +258,15 @@ bitbucket_keys = node['gitlab']['gitlab-rails']['bitbucket']
unless bitbucket_keys.nil?
execute 'trust bitbucket.org fingerprint' do
command "echo '#{bitbucket_keys['known_hosts_key']}' >> #{known_hosts}"
user node['gitlab']['user']['username']
group node['gitlab']['user']['group']
user gitlab_user
group gitlab_group
not_if "grep '#{bitbucket_keys['known_hosts_key']}' #{known_hosts}"
end
file File.join(ssh_dir, 'bitbucket_rsa') do
content "#{bitbucket_keys['private_key']}\n"
owner node['gitlab']['user']['username']
group node['gitlab']['user']['group']
owner gitlab_user
group gitlab_group
mode 0600
end
@ -271,15 +275,15 @@ unless bitbucket_keys.nil?
execute 'manage config for bitbucket import key' do
command "echo '#{bitbucket_host_config}' >> #{ssh_config_file}"
user node['gitlab']['user']['username']
group node['gitlab']['user']['group']
user gitlab_user
group gitlab_group
not_if "grep 'IdentityFile ~/.ssh/bitbucket_rsa' #{ssh_config_file}"
end
file File.join(ssh_dir, 'bitbucket_rsa.pub') do
content "#{bitbucket_keys['public_key']}\n"
owner node['gitlab']['user']['username']
group node['gitlab']['user']['group']
owner gitlab_user
group gitlab_group
mode 0644
end
end
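Review bot: the two bitbucket `execute` resources interpolate `bitbucket_keys['known_hosts_key']` and `bitbucket_host_config` unescaped into a shell `command` (`echo '...' >> ...`) that now runs as `gitlab_user`, so a single quote in the configured value breaks the quoting and the `not_if` grep around it. This predates the commit, but since the hunk already rewrites these resources, appending through a `file`/`ruby_block` resource or passing the values through `Shellwords.escape` would remove the dependence on shell quoting. The values come from `/etc/gitlab/gitlab.rb`, so the exposure is to operator typos rather than untrusted input, which is why I'd treat it as robustness rather than a blocker.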


@ -15,9 +15,10 @@
## limitations under the License.
##
#
account_helper = AccountHelper.new(node)
git_user = node['gitlab']['user']['username']
git_group = node['gitlab']['user']['group']
git_user = account_helper.gitlab_user
git_group = account_helper.gitlab_group
gitlab_shell_dir = "/opt/gitlab/embedded/service/gitlab-shell"
gitlab_shell_var_dir = "/var/opt/gitlab/gitlab-shell"
repositories_path = node['gitlab']['gitlab-rails']['gitlab_shell_repos_path']


@ -29,15 +29,13 @@ pg_user = gitlab['postgresql']['username']
###
# Create group and user that will be running mattermost
###
group mattermost_group do
system true
end
user mattermost_user do
account "Mattermost user and group" do
username mattermost_user
ugid mattermost_group
groupname mattermost_group
shell '/bin/sh'
home mattermost_home
gid mattermost_group
system true
manage node['gitlab']['manage-accounts']['enable']
end
###
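Review bot: the new `account` call hard-codes `shell '/bin/sh'` and passes no `uid`/`gid`, whereas the other converted call sites on this page read `shell`, `uid` and `gid` from the component's node attributes, and the configuration docs added in this commit present the Mattermost user/group as customisable like the others. If `node['gitlab']['mattermost']` carries `shell`/`uid`/`gid` attributes (not visible here), passing them would keep this recipe consistent with `manage_accounts['enable'] = false` setups where the admin pre-creates the account with specific ids; if it does not, the docs' "And so on for ... GitLab Mattermost" line overstates what can be configured. `mattermost_user` and `mattermost_group` are assigned outside the hunk.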


@ -15,6 +15,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
#
account_helper = AccountHelper.new(node)
nginx_dir = node['gitlab']['nginx']['dir']
nginx_conf_dir = File.join(nginx_dir, "conf")
@ -28,7 +29,7 @@ nginx_log_dir = node['gitlab']['nginx']['log_directory']
].each do |dir_name|
directory dir_name do
owner 'root'
group node['gitlab']['web-server']['group']
group account_helper.web_server_group
mode '0750'
recursive true
end


@ -15,29 +15,28 @@
# See the License for the specific language governing permissions and
# limitations under the License.
#
account_helper = AccountHelper.new(node)
postgresql_dir = node['gitlab']['postgresql']['dir']
postgresql_data_dir = node['gitlab']['postgresql']['data_dir']
postgresql_data_dir_symlink = File.join(postgresql_dir, "data")
postgresql_log_dir = node['gitlab']['postgresql']['log_directory']
postgresql_socket_dir = node['gitlab']['postgresql']['unix_socket_directory']
postgresql_user = node['gitlab']['postgresql']['username']
postgresql_user = account_helper.postgresgl_user
group postgresql_user do
account "Postgresql user and group" do
username postgresql_user
uid node['gitlab']['postgresql']['uid']
ugid postgresql_user
groupname postgresql_user
gid node['gitlab']['postgresql']['gid']
system true
end
user postgresql_user do
uid node['gitlab']['postgresql']['uid']
gid postgresql_user
system true
shell node['gitlab']['postgresql']['shell']
home node['gitlab']['postgresql']['home']
manage node['gitlab']['manage-accounts']['enable']
end
directory postgresql_dir do
owner node['gitlab']['postgresql']['username']
owner postgresql_user
mode "0755"
recursive true
end
@ -47,7 +46,7 @@ end
postgresql_log_dir
].each do |dir|
directory dir do
owner node['gitlab']['postgresql']['username']
owner postgresql_user
mode "0700"
recursive true
end
@ -59,7 +58,7 @@ link postgresql_data_dir_symlink do
end
file File.join(node['gitlab']['postgresql']['home'], ".profile") do
owner node['gitlab']['postgresql']['username']
owner postgresql_user
mode "0600"
content <<-EOH
PATH=#{node['gitlab']['postgresql']['user_path']}
@ -98,7 +97,7 @@ else
end
execute "/opt/gitlab/embedded/bin/initdb -D #{postgresql_data_dir} -E UTF8" do
user node['gitlab']['postgresql']['username']
user postgresql_user
not_if { File.exists?(File.join(postgresql_data_dir, "PG_VERSION")) }
end
@ -106,7 +105,7 @@ postgresql_config = File.join(postgresql_data_dir, "postgresql.conf")
template postgresql_config do
source "postgresql.conf.erb"
owner node['gitlab']['postgresql']['username']
owner postgresql_user
mode "0644"
variables(node['gitlab']['postgresql'].to_hash)
notifies :restart, 'service[postgresql]', :immediately if OmnibusHelper.should_notify?("postgresql")
@ -116,14 +115,14 @@ pg_hba_config = File.join(postgresql_data_dir, "pg_hba.conf")
template pg_hba_config do
source "pg_hba.conf.erb"
owner node['gitlab']['postgresql']['username']
owner postgresql_user
mode "0644"
variables(node['gitlab']['postgresql'].to_hash)
notifies :restart, 'service[postgresql]', :immediately if OmnibusHelper.should_notify?("postgresql")
end
template File.join(postgresql_data_dir, "pg_ident.conf") do
owner node['gitlab']['postgresql']['username']
owner postgresql_user
mode "0644"
variables(node['gitlab']['postgresql'].to_hash)
notifies :restart, 'service[postgresql]' if OmnibusHelper.should_notify?("postgresql")
@ -152,7 +151,6 @@ end
###
pg_helper = PgHelper.new(node)
pg_port = node['gitlab']['postgresql']['port']
pg_user = node['gitlab']['postgresql']['username']
bin_dir = "/opt/gitlab/embedded/bin"
database_name = node['gitlab']['gitlab-rails']['db_database']
ci_database_name = node['gitlab']['gitlab-ci']['db_database']
@ -169,7 +167,7 @@ end
databases.each do |rails_app, db_name, sql_user|
execute "create #{sql_user} database user" do
command "#{bin_dir}/psql --port #{pg_port} -h #{postgresql_socket_dir} -d template1 -c \"CREATE USER #{sql_user}\""
user pg_user
user postgresql_user
# Added retries to give the service time to start on slower systems
retries 20
not_if { !pg_helper.is_running? || pg_helper.user_exists?(sql_user) }
@ -177,7 +175,7 @@ databases.each do |rails_app, db_name, sql_user|
execute "create #{db_name} database" do
command "#{bin_dir}/createdb --port #{pg_port} -h #{postgresql_socket_dir} -O #{sql_user} #{db_name}"
user pg_user
user postgresql_user
not_if { !pg_helper.is_running? || pg_helper.database_exists?(db_name) }
retries 30
notifies :run, "execute[initialize #{rails_app} database]", :immediately


@ -17,5 +17,5 @@
#
redis_service 'redis' do
socket_group node['gitlab']['user']['group']
socket_group AccountHelper.new(node).gitlab_group
end


@ -1,5 +1,5 @@
#
# Copyright:: Copyright (c) 2014 GitLab B.V.
# Copyright:: Copyright (c) 2015 GitLab B.V.
# License:: Apache License, Version 2.0
#
# Licensed under the Apache License, Version 2.0 (the "License");
@ -15,30 +15,31 @@
# limitations under the License.
#
usernames = [
node['gitlab']['user']['username'],
node['gitlab']['postgresql']['username'],
node['gitlab']['web-server']['username'],
node['gitlab']['redis']['username']
]
Gitlab[:node] = node
if File.exists?("/etc/gitlab/gitlab.rb")
Gitlab.from_file("/etc/gitlab/gitlab.rb")
end
node.consume_attributes(Gitlab.generate_config(node['fqdn']))
groups = [
node['gitlab']['user']['group'],
node['gitlab']['web-server']['group'],
node['gitlab']['postgresql']['username'], # Group name is same as the username
node['gitlab']['redis']['username'] # Group name is same as the username
]
account_helper = AccountHelper.new(node)
usernames = account_helper.users
groups = account_helper.groups
usernames.each do |username|
user username do
account username do
username username
action :remove
manage node['gitlab']['manage-accounts']['enable']
end
end
groups.each do |group|
group group do
account group do
groupname group
action :remove
manage node['gitlab']['manage-accounts']['enable']
end
end
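Review bot: with `manage node['gitlab']['manage-accounts']['enable']` on every `account` call, `gitlab-ctl remove-accounts` becomes a silent no-op when account management is disabled, and nothing in the recipe says so. A comment above the loops, `# No-op when manage-accounts is disabled: externally managed accounts are never removed by this recipe`, would make that deliberate rather than surprising, and the recipe now also attempts removal of the gitlab-ci, ci-redis and mattermost accounts whether or not those services were ever enabled, which is worth a line too. Removing users before groups is the right order, since `groupdel` refuses to remove a user's primary group.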


@ -15,15 +15,16 @@
# See the License for the specific language governing permissions and
# limitations under the License.
#
account_helper = AccountHelper.new(node)
sidekiq_service 'sidekiq' do
rails_app 'gitlab-rails'
user node['gitlab']['user']['username']
user account_helper.gitlab_user
end
if node['gitlab']['gitlab-rails']['reply_by_email_enabled']
mailroom_service 'mailroom' do
rails_app 'gitlab-rails'
user node['gitlab']['user']['username']
user account_helper.gitlab_user
end
end


@ -15,10 +15,11 @@
# See the License for the specific language governing permissions and
# limitations under the License.
#
account_helper = AccountHelper.new(node)
unicorn_service 'unicorn' do
rails_app 'gitlab-rails'
user node['gitlab']['user']['username']
user account_helper.gitlab_user
end
if File.directory?("/etc/sysctl.d") && File.exists?("/etc/init.d/procps")


@ -15,28 +15,25 @@
# See the License for the specific language governing permissions and
# limitations under the License.
#
account_helper = AccountHelper.new(node)
gitlab_username = node['gitlab']['user']['username']
gitlab_group = node['gitlab']['user']['group']
gitlab_username = account_helper.gitlab_user
gitlab_group = account_helper.gitlab_group
gitlab_home = node['gitlab']['user']['home']
directory gitlab_home do
recursive true
end
# Create the group for the GitLab user
group gitlab_group do
account "GitLab user and group" do
username gitlab_username
uid node['gitlab']['user']['uid']
ugid gitlab_group
groupname gitlab_group
gid node['gitlab']['user']['gid']
system true
end
# Create the GitLab user
user gitlab_username do
shell node['gitlab']['user']['shell']
home gitlab_home
uid node['gitlab']['user']['uid']
gid gitlab_group
system true
manage node['gitlab']['manage-accounts']['enable']
end
# Configure Git settings for the GitLab user


@ -15,28 +15,26 @@
# limitations under the License.
#
webserver_username = node['gitlab']['web-server']['username']
webserver_group = node['gitlab']['web-server']['group']
account_helper = AccountHelper.new(node)
webserver_username = account_helper.web_server_user
webserver_group = account_helper.web_server_group
external_webserver_users = node['gitlab']['web-server']['external_users']
# Create the group for the GitLab user
# If external webserver is used, add the external webserver user to
# GitLab webserver group
group webserver_group do
gid node['gitlab']['web-server']['gid']
system true
if external_webserver_users.any? && !node['gitlab']['nginx']['enable']
append true
members external_webserver_users
end
end
append_members = external_webserver_users.any? && !node['gitlab']['nginx']['enable']
# Create the webserver user
user webserver_username do
account "Webserver user and group" do
username webserver_username
uid node['gitlab']['web-server']['uid']
ugid webserver_group
groupname webserver_group
gid node['gitlab']['web-server']['gid']
shell node['gitlab']['web-server']['shell']
home node['gitlab']['web-server']['home']
uid node['gitlab']['web-server']['uid']
gid webserver_group
system true
supports manage_home: false
append_to_group append_members
group_members external_webserver_users
user_supports manage_home: false
manage node['gitlab']['manage-accounts']['enable']
end
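Review bot: `append_members` is now gated on `manage` inside the `account` definition together with everything else, so when `manage_accounts['enable']` is false the external webserver users are no longer added to `webserver_group`, and directories that rely on `0750` group access (the unicorn socket dir on this page, for one) stay closed to the external webserver unless the admin adds those users by hand. The comment above still states that the users are appended; a note next to `append_members`, `# When manage-accounts is disabled, external_users must be added to webserver_group outside of omnibus-gitlab`, would document the new behaviour. The docs section added in this commit could carry the same sentence under its warning.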


@ -1,4 +1,4 @@
#!/bin/sh
exec 2>&1
cd /opt/gitlab/embedded/service/mattermost
exec chpst -P -U mattermost -u mattermost /opt/gitlab/embedded/bin/mattermost -config /var/opt/gitlab/mattermost/config.json
exec chpst -P -U <%= node['gitlab']['mattermost']['username'] %> -u <%= node['gitlab']['mattermost']['username'] %> /opt/gitlab/embedded/bin/mattermost -config /var/opt/gitlab/mattermost/config.json


@ -0,0 +1,29 @@
#
# Copyright:: Copyright (c) 2015 GitLab B.V.
# License:: Apache License, Version 2.0
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
add_command "remove-accounts", "Delete *all* users and groups used by this package", 1 do
command = %W( chef-client
-z
-c #{base_path}/embedded/cookbooks/solo.rb
-o recipe[gitlab::remove_accounts]
)
status = run_command(command.join(" "))
remove_old_node_state
exit! 1 unless status.success?
end
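Review bot: the old `remove_users` gitlab-ctl command is deleted outright in the next section, so existing automation that calls it now fails with an unknown command; keeping `remove_users` as a deprecated alias that prints a notice and delegates to `remove-accounts` would soften the rename. The help text promises to delete *all* users and groups, but with `manage_accounts['enable'] = false` the recipe does nothing, which the description could say, e.g. `"Delete *all* users and groups used by this package (no-op when manage_accounts is disabled)"`. `remove_old_node_state` also runs before the status check, so it executes even when chef-client failed; if that is intentional a short comment would help, and if it discards state a retry might need, moving it after the check is the safer order.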


@ -1,10 +0,0 @@
add_command "remove_users", "Delete *all* users and groups used by gitlab", 2 do
command = %W( chef-solo
--config #{base_path}/embedded/cookbooks/solo.rb
-o recipe[gitlab::clean]
)
status = run_command(command.join(" "))
exit! 1 unless status.success?
end