Merge branch 'allow_external_account_management' into 'master'
Allow external account management Closes #737 See merge request !467
commit
b7f5f2bea4
|
@ -113,7 +113,96 @@ web_server['gid'] = 1237
|
|||
|
||||
Run `sudo gitlab-ctl reconfigure` for the changes to take effect.
|
||||
|
||||
## Only start omnibus-gitlab services after a given filesystem is mounted
|
||||
### Disable user and group account management
|
||||
|
||||
By default, omnibus-gitlab takes care of user and group accounts creation as well as keeping the accounts information updated.
|
||||
This behaviour makes sense for most users but in certain environments user and group accounts are managed by other software, eg. LDAP.
|
||||
|
||||
In order to disable user and group accounts management, in `/etc/gitlab/gitlab.rb` set:
|
||||
|
||||
```ruby
|
||||
manage_accounts['enable'] = false
|
||||
```
|
||||
|
||||
*Warning* Omnibus-gitlab still expects users and groups to exist on the system where omnibus-gitlab package is installed.
|
||||
|
||||
By default, omnibus-gitlab package expects that following users exist:
|
||||
|
||||
|
||||
```bash
|
||||
# GitLab user (required)
|
||||
git
|
||||
|
||||
# Web server user (required)
|
||||
gitlab-www
|
||||
|
||||
# Redis user for GitLab or GitLab CI (only when using packaged Redis)
|
||||
gitlab-redis
|
||||
|
||||
# Postgresql user (only when using packaged Postgresql)
|
||||
gitlab-psql
|
||||
|
||||
# GitLab CI user (only when using GitLab CI)
|
||||
gitlab-ci
|
||||
|
||||
# GitLab Mattermost user (only when using GitLab Mattermost)
|
||||
mattermost
|
||||
```
|
||||
|
||||
By default, omnibus-gitlab package expects that following groups exist:
|
||||
|
||||
```bash
|
||||
# GitLab group (required)
|
||||
git
|
||||
|
||||
# Web server group (required)
|
||||
gitlab-www
|
||||
|
||||
# Redis group for GitLab or GitLab CI (only when using packaged Redis)
|
||||
gitlab-redis
|
||||
|
||||
# Postgresql group (only when using packaged Postgresql)
|
||||
gitlab-psql
|
||||
|
||||
# GitLab CI group (only when using GitLab CI)
|
||||
gitlab-ci
|
||||
|
||||
# GitLab Mattermost group (only when using GitLab Mattermost)
|
||||
mattermost
|
||||
```
|
||||
|
||||
You can also use different user/group names but then you must specify user/group details in `/etc/gitlab/gitlab.rb`, eg.
|
||||
|
||||
```ruby
|
||||
# Do not manage user/group accounts
|
||||
manage_accounts['enable'] = false
|
||||
|
||||
# GitLab
|
||||
user['username'] = "custom-gitlab"
|
||||
user['group'] = "custom-gitlab"
|
||||
user['shell'] = "/bin/sh"
|
||||
user['home'] = "/var/opt/custom-gitlab"
|
||||
|
||||
# Web server
|
||||
web_server['username'] = 'webserver-gitlab'
|
||||
web_server['group'] = 'webserver-gitlab'
|
||||
web_server['shell'] = '/bin/false'
|
||||
web_server['home'] = '/var/opt/gitlab/webserver'
|
||||
|
||||
# Postgresql (not needed when using external Postgresql)
|
||||
postgresql['username'] = "postgres-gitlab"
|
||||
postgresql['shell'] = "/bin/sh"
|
||||
postgresql['home'] = "/var/opt/postgres-gitlab"
|
||||
|
||||
# Redis (not needed when using external Redis)
|
||||
redis['username'] = "redis-gitlab"
|
||||
redis['shell'] = "/bin/false"
|
||||
redis['home'] = "/var/opt/redis-gitlab"
|
||||
|
||||
# And so on for users/groups for GitLab CI GitLab Mattermost
|
||||
```
|
||||
|
||||
## Only start Omnibus-GitLab services after a given filesystem is mounted
|
||||
|
||||
If you want to prevent omnibus-gitlab services (NGINX, Redis, Unicorn etc.)
|
||||
from starting before a given filesystem is mounted, add the following to
|
||||
|
|
|
@ -459,6 +459,15 @@ external_url 'GENERATED_EXTERNAL_URL'
|
|||
|
||||
# logrotate['enable'] = true
|
||||
|
||||
#############################
|
||||
# Users and groups accounts #
|
||||
#############################
|
||||
## Should omnibus-gitlab package manage users and groups accounts.
|
||||
## Only set if creating accounts manually
|
||||
##
|
||||
|
||||
# manage_accounts['enable'] = true
|
||||
|
||||
#######
|
||||
# Git #
|
||||
#######
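Review bot: The comment `## Only set if creating accounts manually` above `# manage_accounts['enable'] = true` is ambiguous about which value to set and when; it reads as if the option should be set whenever accounts are created by hand. A wording that matches the docs in this merge would be `## Set to false when user and group accounts are created and maintained outside this package (e.g. via LDAP); those accounts must then already exist.` Stating the "must already exist" part here matters because the recipes silently skip the user/group resources when this is false.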
|
||||
|
|
|
@ -24,7 +24,8 @@ default['gitlab']['omnibus-gitconfig']['system'] = {
|
|||
"pack" => ["threads = 1"],
|
||||
"receive" => ["fsckObjects = true"]
|
||||
}
|
||||
|
||||
# Create users and groups needed for the package
|
||||
default['gitlab']['manage-accounts']['enable'] = true
|
||||
|
||||
####
|
||||
# The Git User that services run as
|
||||
|
|
|
@ -0,0 +1,48 @@
|
|||
#
|
||||
# Copyright:: Copyright (c) 2015 GitLab B.V.
|
||||
# License:: Apache License, Version 2.0
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
#
|
||||
|
||||
define :account, action: nil, username: nil, uid: nil, ugid: nil, groupname: nil, gid: nil, shell: nil, home: nil, system: true, append_to_group: false, group_members: [], user_supports: {}, manage: nil do
|
||||
|
||||
manage = params[:manage]
|
||||
|
||||
groupname = params[:groupname]
|
||||
username = params[:username]
|
||||
|
||||
if manage && groupname
|
||||
group groupname do
|
||||
gid params[:gid]
|
||||
system params[:system]
|
||||
if params[:append_to_group]
|
||||
append true
|
||||
members params[:group_members]
|
||||
end
|
||||
action params[:action]
|
||||
end
|
||||
end
|
||||
|
||||
if manage && username
|
||||
user username do
|
||||
shell params[:shell]
|
||||
home params[:home]
|
||||
uid params[:uid]
|
||||
gid params[:ugid]
|
||||
system params[:system]
|
||||
supports params[:user_supports]
|
||||
action params[:action]
|
||||
end
|
||||
end
|
||||
end
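Review bot: The `account` definition has no header comment, and the `manage: nil` default means a caller that omits `manage` silently declares neither the `group` nor the `user` resource, since both branches are gated on `manage && ...`, so a missing or misspelled argument fails into "do nothing" rather than raising. I would add a comment above the `define` line explaining that `manage` is the `manage_accounts['enable']` gate, that when it is false the definition is a no-op and the caller must guarantee the accounts already exist, and that `action`, `uid`, `gid`, `shell` and `home` are optional. The optional parameters rely on `action nil`, `uid nil` etc. being read-only calls on the Chef resource rather than setting a nil value; that holds for the resource DSL I know but is worth confirming for the Chef version bundled here.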
|
|
@ -20,19 +20,17 @@ define :redis_service, :socket_group => nil do
|
|||
|
||||
redis_dir = node['gitlab'][svc]['dir']
|
||||
redis_log_dir = node['gitlab'][svc]['log_directory']
|
||||
redis_user = node['gitlab']['redis']['username']
|
||||
redis_user = AccountHelper.new(node).redis_user
|
||||
|
||||
group redis_user do
|
||||
gid node['gitlab']['redis']['gid']
|
||||
system true
|
||||
end
|
||||
|
||||
user redis_user do
|
||||
uid node['gitlab']['redis']['uid']
|
||||
gid redis_user
|
||||
system true
|
||||
shell node['gitlab']['redis']['shell']
|
||||
home node['gitlab']['redis']['home']
|
||||
account "Redis user and group" do
|
||||
username redis_user
|
||||
uid node['gitlab'][svc]['uid']
|
||||
ugid redis_user
|
||||
groupname redis_user
|
||||
gid node['gitlab'][svc]['gid']
|
||||
shell node['gitlab'][svc]['shell']
|
||||
home node['gitlab'][svc]['home']
|
||||
manage node['gitlab']['manage-accounts']['enable']
|
||||
end
|
||||
|
||||
directory redis_dir do
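Review bot: Inside `account "Redis user and group"` the username comes from `AccountHelper.new(node).redis_user`, i.e. `node['gitlab']['redis']['username']`, while `uid`, `gid`, `shell` and `home` are now read from `node['gitlab'][svc]`; before this change all of them came from `['redis']`. When `redis_service` runs with `svc = 'ci-redis'` (as `redis_service 'ci-redis'` does elsewhere in this merge), the same account name is declared a second time with whatever ids the `ci-redis` attributes hold, so differing values would silently rewrite the uid/gid of the shared redis account. Either keep the account attributes on `['redis']` or take the username from the same namespace, e.g. `redis_user = node['gitlab'][svc]['username']`, so the name and its numeric ids come from one place. Note also that `AccountHelper#users` lists `ci_redis_user` as a separate account that this definition never creates; the rest of `redis_service` continues outside the hunk.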
|
||||
|
@ -50,7 +48,7 @@ define :redis_service, :socket_group => nil do
|
|||
|
||||
template redis_config do
|
||||
source "redis.conf.erb"
|
||||
owner node['gitlab']['redis']['username']
|
||||
owner redis_user
|
||||
mode "0644"
|
||||
variables(node['gitlab'][svc].to_hash)
|
||||
notifies :restart, "service[#{svc}]", :immediately if OmnibusHelper.should_notify?(svc)
|
||||
|
|
|
@ -42,7 +42,7 @@ define :unicorn_service, :rails_app => nil, :user => nil do
|
|||
|
||||
directory unicorn_socket_dir do
|
||||
owner user
|
||||
group node['gitlab']['web-server']['group']
|
||||
group AccountHelper.new(node).web_server_group
|
||||
mode '0750'
|
||||
recursive true
|
||||
end
|
||||
|
|
|
@ -0,0 +1,105 @@
|
|||
#
|
||||
# Copyright:: Copyright (c) 2015 GitLab B.V.
|
||||
# License:: Apache License, Version 2.0
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
#
|
||||
|
||||
class AccountHelper
|
||||
attr_reader :node
|
||||
|
||||
def initialize(node)
|
||||
@node = node
|
||||
end
|
||||
|
||||
def gitlab_user
|
||||
node['gitlab']['user']['username']
|
||||
end
|
||||
|
||||
def gitlab_group
|
||||
node['gitlab']['user']['group']
|
||||
end
|
||||
|
||||
def web_server_user
|
||||
node['gitlab']['web-server']['username']
|
||||
end
|
||||
|
||||
def web_server_group
|
||||
node['gitlab']['web-server']['group']
|
||||
end
|
||||
|
||||
def redis_user
|
||||
node['gitlab']['redis']['username']
|
||||
end
|
||||
|
||||
def redis_group
|
||||
node['gitlab']['redis']['username']
|
||||
end
|
||||
|
||||
def postgresgl_user
|
||||
node['gitlab']['postgresql']['username']
|
||||
end
|
||||
|
||||
def postgresgl_group
|
||||
node['gitlab']['postgresql']['username']
|
||||
end
|
||||
|
||||
def gitlab_ci_user
|
||||
node['gitlab']['gitlab-ci']['username']
|
||||
end
|
||||
|
||||
def gitlab_ci_group
|
||||
node['gitlab']['gitlab-ci']['username']
|
||||
end
|
||||
|
||||
def ci_redis_user
|
||||
node['gitlab']['ci-redis']['username']
|
||||
end
|
||||
|
||||
def ci_redis_group
|
||||
node['gitlab']['ci-redis']['username']
|
||||
end
|
||||
|
||||
def mattermost_user
|
||||
node['gitlab']['mattermost']['username']
|
||||
end
|
||||
|
||||
def mattermost_group
|
||||
node['gitlab']['mattermost']['group']
|
||||
end
|
||||
|
||||
def users
|
||||
%W(
|
||||
#{gitlab_user}
|
||||
#{web_server_user}
|
||||
#{redis_user}
|
||||
#{postgresgl_user}
|
||||
#{gitlab_ci_user}
|
||||
#{ci_redis_user}
|
||||
#{mattermost_user}
|
||||
)
|
||||
end
|
||||
|
||||
def groups
|
||||
%W(
|
||||
#{gitlab_group}
|
||||
#{web_server_group}
|
||||
#{redis_group}
|
||||
#{postgresgl_group}
|
||||
#{gitlab_ci_group}
|
||||
#{ci_redis_group}
|
||||
#{mattermost_group}
|
||||
)
|
||||
end
|
||||
end
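Review bot: `users` and `groups` build their lists with `%W( #{...} )`, which splits on whitespace and turns a `nil` attribute into an empty string, so an unset `username`/`group` attribute yields `""` and a name containing a space yields two entries; `remove_accounts` then feeds those straight into `account ... action :remove`. A plain array preserves the values as they are, e.g. `[gitlab_user, web_server_user, redis_user, postgresgl_user, gitlab_ci_user, ci_redis_user, mattermost_user].compact`, and likewise for `groups`. Separately, `postgresgl_user`/`postgresgl_group` are public method names with a typo that the postgresql recipe in this merge already depends on; renaming now (keeping an alias) is cheaper than later. The `*_group` helpers that return `['username']` for redis, postgresql, gitlab-ci and ci-redis deserve a one-line comment that the group name is intentionally the same as the username, as the old `remove_accounts` recipe said.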
|
||||
|
|
@ -36,6 +36,7 @@ module Gitlab
|
|||
|
||||
bootstrap Mash.new
|
||||
omnibus_gitconfig Mash.new
|
||||
manage_accounts Mash.new
|
||||
user Mash.new
|
||||
postgresql Mash.new
|
||||
redis Mash.new
|
||||
|
@ -356,6 +357,7 @@ module Gitlab
|
|||
[
|
||||
"bootstrap",
|
||||
"omnibus_gitconfig",
|
||||
"manage_accounts",
|
||||
"user",
|
||||
"redis",
|
||||
"ci_redis",
|
||||
|
|
|
@ -17,5 +17,5 @@
|
|||
#
|
||||
|
||||
redis_service 'ci-redis' do
|
||||
socket_group node['gitlab']['gitlab-ci']['username']
|
||||
socket_group AccountHelper.new(node).gitlab_ci_user
|
||||
end
|
||||
|
|
|
@ -18,5 +18,5 @@
|
|||
|
||||
sidekiq_service 'ci-sidekiq' do
|
||||
rails_app 'gitlab-ci'
|
||||
user node['gitlab']['gitlab-ci']['username']
|
||||
user AccountHelper.new(node).gitlab_ci_user
|
||||
end
|
||||
|
|
|
@ -18,5 +18,5 @@
|
|||
|
||||
unicorn_service 'ci-unicorn' do
|
||||
rails_app 'gitlab-ci'
|
||||
user node['gitlab']['gitlab-ci']['username']
|
||||
user AccountHelper.new(node).gitlab_ci_user
|
||||
end
|
||||
|
|
|
@ -24,6 +24,6 @@ end
|
|||
cron 'gitlab-ci schedule builds' do
|
||||
minute node['gitlab']['gitlab-ci']['schedule_builds_minute']
|
||||
command '/opt/gitlab/bin/gitlab-ci-rake schedule_builds'
|
||||
user node['gitlab']['gitlab-ci']['username']
|
||||
user AccountHelper.new(node).gitlab_ci_user
|
||||
action node['gitlab']['gitlab-ci']['enable'] ? :create : :delete
|
||||
end
|
||||
|
|
|
@ -27,20 +27,18 @@ gitlab_ci_tmp_dir = File.join(gitlab_ci_dir, "tmp")
|
|||
gitlab_ci_log_dir = node['gitlab']['gitlab-ci']['log_directory']
|
||||
gitlab_ci_builds_dir = node['gitlab']['gitlab-ci']['builds_directory']
|
||||
|
||||
gitlab_ci_user = node['gitlab']['gitlab-ci']['username']
|
||||
gitlab_ci_user = AccountHelper.new(node).gitlab_ci_user
|
||||
gitlab_app = "gitlab-ci"
|
||||
|
||||
group gitlab_ci_user do
|
||||
gid node['gitlab']['gitlab-ci']['gid']
|
||||
system true
|
||||
end
|
||||
|
||||
user gitlab_ci_user do
|
||||
account "GitLab CI user and group" do
|
||||
username gitlab_ci_user
|
||||
uid node['gitlab']['gitlab-ci']['uid']
|
||||
gid gitlab_ci_user
|
||||
system true
|
||||
ugid gitlab_ci_user
|
||||
groupname gitlab_ci_user
|
||||
gid node['gitlab']['gitlab-ci']['gid']
|
||||
shell node['gitlab']['gitlab-ci']['shell']
|
||||
home gitlab_ci_home_dir
|
||||
manage node['gitlab']['manage-accounts']['enable']
|
||||
end
|
||||
|
||||
[
|
||||
|
|
|
@ -14,19 +14,20 @@
|
|||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
#
|
||||
account_helper = AccountHelper.new(node)
|
||||
|
||||
working_dir = node['gitlab']['gitlab-git-http-server']['dir']
|
||||
log_dir = node['gitlab']['gitlab-git-http-server']['log_dir']
|
||||
|
||||
directory working_dir do
|
||||
owner node['gitlab']['user']['username']
|
||||
group node['gitlab']['web-server']['username']
|
||||
owner account_helper.gitlab_user
|
||||
group account_helper.web_server_group
|
||||
mode '0750'
|
||||
recursive true
|
||||
end
|
||||
|
||||
|
||||
directory log_dir do
|
||||
owner node['gitlab']['user']['username']
|
||||
owner account_helper.gitlab_user
|
||||
mode '0700'
|
||||
recursive true
|
||||
end
|
||||
|
|
|
@ -15,6 +15,7 @@
|
|||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
#
|
||||
account_helper = AccountHelper.new(node)
|
||||
|
||||
gitlab_rails_source_dir = "/opt/gitlab/embedded/service/gitlab-rails"
|
||||
gitlab_shell_source_dir = "/opt/gitlab/embedded/service/gitlab-shell"
|
||||
|
@ -29,6 +30,9 @@ ssh_dir = File.join(node['gitlab']['user']['home'], ".ssh")
|
|||
known_hosts = File.join(ssh_dir, "known_hosts")
|
||||
gitlab_app = "gitlab"
|
||||
|
||||
gitlab_user = account_helper.gitlab_user
|
||||
gitlab_group = account_helper.gitlab_group
|
||||
|
||||
[
|
||||
gitlab_rails_etc_dir,
|
||||
gitlab_rails_static_etc_dir,
|
||||
|
@ -39,21 +43,21 @@ gitlab_app = "gitlab"
|
|||
gitlab_rails_log_dir
|
||||
].compact.each do |dir_name|
|
||||
directory dir_name do
|
||||
owner node['gitlab']['user']['username']
|
||||
owner gitlab_user
|
||||
mode '0700'
|
||||
recursive true
|
||||
end
|
||||
end
|
||||
|
||||
directory gitlab_rails_dir do
|
||||
owner node['gitlab']['user']['username']
|
||||
owner gitlab_user
|
||||
mode '0755'
|
||||
recursive true
|
||||
end
|
||||
|
||||
directory gitlab_rails_public_uploads_dir do
|
||||
owner node['gitlab']['user']['username']
|
||||
group node['gitlab']['web-server']['group']
|
||||
owner gitlab_user
|
||||
group account_helper.web_server_group
|
||||
mode '0750'
|
||||
recursive true
|
||||
end
|
||||
|
@ -188,8 +192,8 @@ link File.join(gitlab_rails_source_dir, ".gitlab_shell_secret") do
|
|||
end
|
||||
|
||||
directory node['gitlab']['gitlab-rails']['satellites_path'] do
|
||||
owner node['gitlab']['user']['username']
|
||||
group node['gitlab']['user']['group']
|
||||
owner gitlab_user
|
||||
group gitlab_group
|
||||
mode "0750"
|
||||
recursive true
|
||||
end
|
||||
|
@ -223,7 +227,7 @@ end
|
|||
|
||||
# Make schema.rb writable for when we run `rake db:migrate`
|
||||
file "/opt/gitlab/embedded/service/gitlab-rails/db/schema.rb" do
|
||||
owner node['gitlab']['user']['username']
|
||||
owner gitlab_user
|
||||
end
|
||||
|
||||
# Only run `rake db:migrate` when the gitlab-rails version has changed
|
||||
|
@ -254,15 +258,15 @@ bitbucket_keys = node['gitlab']['gitlab-rails']['bitbucket']
|
|||
unless bitbucket_keys.nil?
|
||||
execute 'trust bitbucket.org fingerprint' do
|
||||
command "echo '#{bitbucket_keys['known_hosts_key']}' >> #{known_hosts}"
|
||||
user node['gitlab']['user']['username']
|
||||
group node['gitlab']['user']['group']
|
||||
user gitlab_user
|
||||
group gitlab_group
|
||||
not_if "grep '#{bitbucket_keys['known_hosts_key']}' #{known_hosts}"
|
||||
end
|
||||
|
||||
file File.join(ssh_dir, 'bitbucket_rsa') do
|
||||
content "#{bitbucket_keys['private_key']}\n"
|
||||
owner node['gitlab']['user']['username']
|
||||
group node['gitlab']['user']['group']
|
||||
owner gitlab_user
|
||||
group gitlab_group
|
||||
mode 0600
|
||||
end
|
||||
|
||||
|
@ -271,15 +275,15 @@ unless bitbucket_keys.nil?
|
|||
|
||||
execute 'manage config for bitbucket import key' do
|
||||
command "echo '#{bitbucket_host_config}' >> #{ssh_config_file}"
|
||||
user node['gitlab']['user']['username']
|
||||
group node['gitlab']['user']['group']
|
||||
user gitlab_user
|
||||
group gitlab_group
|
||||
not_if "grep 'IdentityFile ~/.ssh/bitbucket_rsa' #{ssh_config_file}"
|
||||
end
|
||||
|
||||
file File.join(ssh_dir, 'bitbucket_rsa.pub') do
|
||||
content "#{bitbucket_keys['public_key']}\n"
|
||||
owner node['gitlab']['user']['username']
|
||||
group node['gitlab']['user']['group']
|
||||
owner gitlab_user
|
||||
group gitlab_group
|
||||
mode 0644
|
||||
end
|
||||
end
|
||||
|
|
|
@ -15,9 +15,10 @@
|
|||
## limitations under the License.
|
||||
##
|
||||
#
|
||||
account_helper = AccountHelper.new(node)
|
||||
|
||||
git_user = node['gitlab']['user']['username']
|
||||
git_group = node['gitlab']['user']['group']
|
||||
git_user = account_helper.gitlab_user
|
||||
git_group = account_helper.gitlab_group
|
||||
gitlab_shell_dir = "/opt/gitlab/embedded/service/gitlab-shell"
|
||||
gitlab_shell_var_dir = "/var/opt/gitlab/gitlab-shell"
|
||||
repositories_path = node['gitlab']['gitlab-rails']['gitlab_shell_repos_path']
|
||||
|
|
|
@ -29,15 +29,13 @@ pg_user = gitlab['postgresql']['username']
|
|||
###
|
||||
# Create group and user that will be running mattermost
|
||||
###
|
||||
group mattermost_group do
|
||||
system true
|
||||
end
|
||||
|
||||
user mattermost_user do
|
||||
account "Mattermost user and group" do
|
||||
username mattermost_user
|
||||
ugid mattermost_group
|
||||
groupname mattermost_group
|
||||
shell '/bin/sh'
|
||||
home mattermost_home
|
||||
gid mattermost_group
|
||||
system true
|
||||
manage node['gitlab']['manage-accounts']['enable']
|
||||
end
|
||||
|
||||
###
|
||||
|
|
|
@ -15,6 +15,7 @@
|
|||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
#
|
||||
account_helper = AccountHelper.new(node)
|
||||
|
||||
nginx_dir = node['gitlab']['nginx']['dir']
|
||||
nginx_conf_dir = File.join(nginx_dir, "conf")
|
||||
|
@ -28,7 +29,7 @@ nginx_log_dir = node['gitlab']['nginx']['log_directory']
|
|||
].each do |dir_name|
|
||||
directory dir_name do
|
||||
owner 'root'
|
||||
group node['gitlab']['web-server']['group']
|
||||
group account_helper.web_server_group
|
||||
mode '0750'
|
||||
recursive true
|
||||
end
|
||||
|
|
|
@ -15,29 +15,28 @@
|
|||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
#
|
||||
account_helper = AccountHelper.new(node)
|
||||
|
||||
postgresql_dir = node['gitlab']['postgresql']['dir']
|
||||
postgresql_data_dir = node['gitlab']['postgresql']['data_dir']
|
||||
postgresql_data_dir_symlink = File.join(postgresql_dir, "data")
|
||||
postgresql_log_dir = node['gitlab']['postgresql']['log_directory']
|
||||
postgresql_socket_dir = node['gitlab']['postgresql']['unix_socket_directory']
|
||||
postgresql_user = node['gitlab']['postgresql']['username']
|
||||
postgresql_user = account_helper.postgresgl_user
|
||||
|
||||
group postgresql_user do
|
||||
account "Postgresql user and group" do
|
||||
username postgresql_user
|
||||
uid node['gitlab']['postgresql']['uid']
|
||||
ugid postgresql_user
|
||||
groupname postgresql_user
|
||||
gid node['gitlab']['postgresql']['gid']
|
||||
system true
|
||||
end
|
||||
|
||||
user postgresql_user do
|
||||
uid node['gitlab']['postgresql']['uid']
|
||||
gid postgresql_user
|
||||
system true
|
||||
shell node['gitlab']['postgresql']['shell']
|
||||
home node['gitlab']['postgresql']['home']
|
||||
manage node['gitlab']['manage-accounts']['enable']
|
||||
end
|
||||
|
||||
directory postgresql_dir do
|
||||
owner node['gitlab']['postgresql']['username']
|
||||
owner postgresql_user
|
||||
mode "0755"
|
||||
recursive true
|
||||
end
|
||||
|
@ -47,7 +46,7 @@ end
|
|||
postgresql_log_dir
|
||||
].each do |dir|
|
||||
directory dir do
|
||||
owner node['gitlab']['postgresql']['username']
|
||||
owner postgresql_user
|
||||
mode "0700"
|
||||
recursive true
|
||||
end
|
||||
|
@ -59,7 +58,7 @@ link postgresql_data_dir_symlink do
|
|||
end
|
||||
|
||||
file File.join(node['gitlab']['postgresql']['home'], ".profile") do
|
||||
owner node['gitlab']['postgresql']['username']
|
||||
owner postgresql_user
|
||||
mode "0600"
|
||||
content <<-EOH
|
||||
PATH=#{node['gitlab']['postgresql']['user_path']}
|
||||
|
@ -98,7 +97,7 @@ else
|
|||
end
|
||||
|
||||
execute "/opt/gitlab/embedded/bin/initdb -D #{postgresql_data_dir} -E UTF8" do
|
||||
user node['gitlab']['postgresql']['username']
|
||||
user postgresql_user
|
||||
not_if { File.exists?(File.join(postgresql_data_dir, "PG_VERSION")) }
|
||||
end
|
||||
|
||||
|
@ -106,7 +105,7 @@ postgresql_config = File.join(postgresql_data_dir, "postgresql.conf")
|
|||
|
||||
template postgresql_config do
|
||||
source "postgresql.conf.erb"
|
||||
owner node['gitlab']['postgresql']['username']
|
||||
owner postgresql_user
|
||||
mode "0644"
|
||||
variables(node['gitlab']['postgresql'].to_hash)
|
||||
notifies :restart, 'service[postgresql]', :immediately if OmnibusHelper.should_notify?("postgresql")
|
||||
|
@ -116,14 +115,14 @@ pg_hba_config = File.join(postgresql_data_dir, "pg_hba.conf")
|
|||
|
||||
template pg_hba_config do
|
||||
source "pg_hba.conf.erb"
|
||||
owner node['gitlab']['postgresql']['username']
|
||||
owner postgresql_user
|
||||
mode "0644"
|
||||
variables(node['gitlab']['postgresql'].to_hash)
|
||||
notifies :restart, 'service[postgresql]', :immediately if OmnibusHelper.should_notify?("postgresql")
|
||||
end
|
||||
|
||||
template File.join(postgresql_data_dir, "pg_ident.conf") do
|
||||
owner node['gitlab']['postgresql']['username']
|
||||
owner postgresql_user
|
||||
mode "0644"
|
||||
variables(node['gitlab']['postgresql'].to_hash)
|
||||
notifies :restart, 'service[postgresql]' if OmnibusHelper.should_notify?("postgresql")
|
||||
|
@ -152,7 +151,6 @@ end
|
|||
###
|
||||
pg_helper = PgHelper.new(node)
|
||||
pg_port = node['gitlab']['postgresql']['port']
|
||||
pg_user = node['gitlab']['postgresql']['username']
|
||||
bin_dir = "/opt/gitlab/embedded/bin"
|
||||
database_name = node['gitlab']['gitlab-rails']['db_database']
|
||||
ci_database_name = node['gitlab']['gitlab-ci']['db_database']
|
||||
|
@ -169,7 +167,7 @@ end
|
|||
databases.each do |rails_app, db_name, sql_user|
|
||||
execute "create #{sql_user} database user" do
|
||||
command "#{bin_dir}/psql --port #{pg_port} -h #{postgresql_socket_dir} -d template1 -c \"CREATE USER #{sql_user}\""
|
||||
user pg_user
|
||||
user postgresql_user
|
||||
# Added retries to give the service time to start on slower systems
|
||||
retries 20
|
||||
not_if { !pg_helper.is_running? || pg_helper.user_exists?(sql_user) }
|
||||
|
@ -177,7 +175,7 @@ databases.each do |rails_app, db_name, sql_user|
|
|||
|
||||
execute "create #{db_name} database" do
|
||||
command "#{bin_dir}/createdb --port #{pg_port} -h #{postgresql_socket_dir} -O #{sql_user} #{db_name}"
|
||||
user pg_user
|
||||
user postgresql_user
|
||||
not_if { !pg_helper.is_running? || pg_helper.database_exists?(db_name) }
|
||||
retries 30
|
||||
notifies :run, "execute[initialize #{rails_app} database]", :immediately
|
||||
|
|
|
@ -17,5 +17,5 @@
|
|||
#
|
||||
|
||||
redis_service 'redis' do
|
||||
socket_group node['gitlab']['user']['group']
|
||||
socket_group AccountHelper.new(node).gitlab_group
|
||||
end
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
#
|
||||
# Copyright:: Copyright (c) 2014 GitLab B.V.
|
||||
# Copyright:: Copyright (c) 2015 GitLab B.V.
|
||||
# License:: Apache License, Version 2.0
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
|
@ -15,30 +15,31 @@
|
|||
# limitations under the License.
|
||||
#
|
||||
|
||||
usernames = [
|
||||
node['gitlab']['user']['username'],
|
||||
node['gitlab']['postgresql']['username'],
|
||||
node['gitlab']['web-server']['username'],
|
||||
node['gitlab']['redis']['username']
|
||||
]
|
||||
Gitlab[:node] = node
|
||||
if File.exists?("/etc/gitlab/gitlab.rb")
|
||||
Gitlab.from_file("/etc/gitlab/gitlab.rb")
|
||||
end
|
||||
node.consume_attributes(Gitlab.generate_config(node['fqdn']))
|
||||
|
||||
groups = [
|
||||
node['gitlab']['user']['group'],
|
||||
node['gitlab']['web-server']['group'],
|
||||
node['gitlab']['postgresql']['username'], # Group name is same as the username
|
||||
node['gitlab']['redis']['username'] # Group name is same as the username
|
||||
]
|
||||
account_helper = AccountHelper.new(node)
|
||||
|
||||
usernames = account_helper.users
|
||||
|
||||
groups = account_helper.groups
|
||||
|
||||
usernames.each do |username|
|
||||
user username do
|
||||
account username do
|
||||
username username
|
||||
action :remove
|
||||
manage node['gitlab']['manage-accounts']['enable']
|
||||
end
|
||||
end
|
||||
|
||||
groups.each do |group|
|
||||
group group do
|
||||
account group do
|
||||
groupname group
|
||||
action :remove
|
||||
manage node['gitlab']['manage-accounts']['enable']
|
||||
end
|
||||
end
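Review bot: In `usernames.each do |username| account username do username username` and `groups.each do |group| account group do groupname group`, the block parameter shadows the definition's `username`/`groupname` setters and, in the second case, the `group` resource name, so `group group` reads like a resource declaration while it is actually the definition's resource name. Renaming the parameters, e.g. `usernames.each do |name| account name do username name`, removes the ambiguity without changing behaviour. Also worth a comment above the loops: because each `account` passes `manage node['gitlab']['manage-accounts']['enable']`, this recipe (and the new `remove-accounts` command) is a no-op when account management is disabled, which is intended for externally managed accounts but is not stated anywhere here.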
|
||||
|
|
@ -15,15 +15,16 @@
|
|||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
#
|
||||
account_helper = AccountHelper.new(node)
|
||||
|
||||
sidekiq_service 'sidekiq' do
|
||||
rails_app 'gitlab-rails'
|
||||
user node['gitlab']['user']['username']
|
||||
user account_helper.gitlab_user
|
||||
end
|
||||
|
||||
if node['gitlab']['gitlab-rails']['reply_by_email_enabled']
|
||||
mailroom_service 'mailroom' do
|
||||
rails_app 'gitlab-rails'
|
||||
user node['gitlab']['user']['username']
|
||||
user account_helper.gitlab_user
|
||||
end
|
||||
end
|
||||
|
|
|
@ -15,10 +15,11 @@
|
|||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
#
|
||||
account_helper = AccountHelper.new(node)
|
||||
|
||||
unicorn_service 'unicorn' do
|
||||
rails_app 'gitlab-rails'
|
||||
user node['gitlab']['user']['username']
|
||||
user account_helper.gitlab_user
|
||||
end
|
||||
|
||||
if File.directory?("/etc/sysctl.d") && File.exists?("/etc/init.d/procps")
|
||||
|
|
|
@ -15,28 +15,25 @@
|
|||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
#
|
||||
account_helper = AccountHelper.new(node)
|
||||
|
||||
gitlab_username = node['gitlab']['user']['username']
|
||||
gitlab_group = node['gitlab']['user']['group']
|
||||
gitlab_username = account_helper.gitlab_user
|
||||
gitlab_group = account_helper.gitlab_group
|
||||
gitlab_home = node['gitlab']['user']['home']
|
||||
|
||||
directory gitlab_home do
|
||||
recursive true
|
||||
end
|
||||
|
||||
# Create the group for the GitLab user
|
||||
group gitlab_group do
|
||||
account "GitLab user and group" do
|
||||
username gitlab_username
|
||||
uid node['gitlab']['user']['uid']
|
||||
ugid gitlab_group
|
||||
groupname gitlab_group
|
||||
gid node['gitlab']['user']['gid']
|
||||
system true
|
||||
end
|
||||
|
||||
# Create the GitLab user
|
||||
user gitlab_username do
|
||||
shell node['gitlab']['user']['shell']
|
||||
home gitlab_home
|
||||
uid node['gitlab']['user']['uid']
|
||||
gid gitlab_group
|
||||
system true
|
||||
manage node['gitlab']['manage-accounts']['enable']
|
||||
end
|
||||
|
||||
# Configure Git settings for the GitLab user
|
||||
|
|
|
@ -15,28 +15,26 @@
|
|||
# limitations under the License.
|
||||
#
|
||||
|
||||
webserver_username = node['gitlab']['web-server']['username']
|
||||
webserver_group = node['gitlab']['web-server']['group']
|
||||
account_helper = AccountHelper.new(node)
|
||||
webserver_username = account_helper.web_server_user
|
||||
webserver_group = account_helper.web_server_group
|
||||
external_webserver_users = node['gitlab']['web-server']['external_users']
|
||||
|
||||
# Create the group for the GitLab user
|
||||
# If external webserver is used, add the external webserver user to
|
||||
# GitLab webserver group
|
||||
group webserver_group do
|
||||
gid node['gitlab']['web-server']['gid']
|
||||
system true
|
||||
if external_webserver_users.any? && !node['gitlab']['nginx']['enable']
|
||||
append true
|
||||
members external_webserver_users
|
||||
end
|
||||
end
|
||||
append_members = external_webserver_users.any? && !node['gitlab']['nginx']['enable']
|
||||
|
||||
# Create the webserver user
|
||||
user webserver_username do
|
||||
account "Webserver user and group" do
|
||||
username webserver_username
|
||||
uid node['gitlab']['web-server']['uid']
|
||||
ugid webserver_group
|
||||
groupname webserver_group
|
||||
gid node['gitlab']['web-server']['gid']
|
||||
shell node['gitlab']['web-server']['shell']
|
||||
home node['gitlab']['web-server']['home']
|
||||
uid node['gitlab']['web-server']['uid']
|
||||
gid webserver_group
|
||||
system true
|
||||
supports manage_home: false
|
||||
append_to_group append_members
|
||||
group_members external_webserver_users
|
||||
user_supports manage_home: false
|
||||
manage node['gitlab']['manage-accounts']['enable']
|
||||
end
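Review bot: With `manage_accounts['enable'] = false` the `account "Webserver user and group"` call declares nothing, so `group_members external_webserver_users` is never applied and an external web server user listed in `web_server['external_users']` is no longer added to the webserver group; the unicorn socket directory in this merge is created `mode '0750'` with that group, so the external server would lose access. That is presumably intended (the accounts are managed elsewhere), but it is not stated, and the likely admin reaction is to loosen the socket directory permissions. I would add a comment above the `account` call such as `# When manage_accounts is disabled, membership of external_users in the webserver group must be maintained outside this package`, and say the same in the docs for `manage_accounts['enable']`.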
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
#!/bin/sh
|
||||
exec 2>&1
|
||||
cd /opt/gitlab/embedded/service/mattermost
|
||||
exec chpst -P -U mattermost -u mattermost /opt/gitlab/embedded/bin/mattermost -config /var/opt/gitlab/mattermost/config.json
|
||||
exec chpst -P -U <%= node['gitlab']['mattermost']['username'] %> -u <%= node['gitlab']['mattermost']['username'] %> /opt/gitlab/embedded/bin/mattermost -config /var/opt/gitlab/mattermost/config.json
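Review bot: `chpst -u <%= node['gitlab']['mattermost']['username'] %>` passes only the user, so the group the service runs as is that user's primary group from the passwd database rather than `node['gitlab']['mattermost']['group']`, which the mattermost recipe in this merge uses for `ugid`/`groupname`. Under package-managed accounts the two coincide, but with external account management they need not, and a mismatch changes which files under the mattermost data directory the process can read or write. If the intent is to pin both, `-u <%= node['gitlab']['mattermost']['username'] %>:<%= node['gitlab']['mattermost']['group'] %>` makes it explicit, and the `-U` argument would want the same treatment.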
|
||||
|
|
|
@ -0,0 +1,29 @@
|
|||
#
|
||||
# Copyright:: Copyright (c) 2015 GitLab B.V.
|
||||
# License:: Apache License, Version 2.0
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
#
|
||||
|
||||
add_command "remove-accounts", "Delete *all* users and groups used by this package", 1 do
|
||||
|
||||
command = %W( chef-client
|
||||
-z
|
||||
-c #{base_path}/embedded/cookbooks/solo.rb
|
||||
-o recipe[gitlab::remove_accounts]
|
||||
)
|
||||
|
||||
status = run_command(command.join(" "))
|
||||
remove_old_node_state
|
||||
exit! 1 unless status.success?
|
||||
end
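Review bot: The description `Delete *all* users and groups used by this package` does not mention that the underlying `gitlab::remove_accounts` recipe does nothing when `manage_accounts['enable']` is false, so an operator running this against externally managed accounts gets a successful exit and no deletions. I would extend the description, or print a line before `run_command`, to say that only package-managed accounts are removed. Since the removal is irreversible for the `git` account and the others listed in `AccountHelper#users`, a short notice of what is about to be deleted before the chef run would also be reasonable; the old `remove_users` command had none either, so this is a suggestion rather than a regression.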
|
|
@ -1,10 +0,0 @@
|
|||
add_command "remove_users", "Delete *all* users and groups used by gitlab", 2 do
|
||||
|
||||
command = %W( chef-solo
|
||||
--config #{base_path}/embedded/cookbooks/solo.rb
|
||||
-o recipe[gitlab::clean]
|
||||
)
|
||||
|
||||
status = run_command(command.join(" "))
|
||||
exit! 1 unless status.success?
|
||||
end
|