switch to a grokmirror unpriv user for mirroring

2017-10-16 19:56:35 +00:00 · 2017-10-16 19:56:35 +00:00 · f57b9808a4
commit f57b9808a4
parent 49b6cf6973
6 changed files with 15 additions and 7 deletions
--- a/roles/fas_server/templates/fas.cfg.j2
+++ b/roles/fas_server/templates/fas.cfg.j2
@ -76,9 +76,9 @@ ipa_sync_certfile = '/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt'

 # Usernames that are unavailable for fas allocation
 {% if env == "staging" %}
-username_blacklist = "abuse,accounts,adm,admin,amanda,apache,askfedora,asterisk,axk4545,bin,board,bodhi,bodhi2,canna,census,chair,chairman,containerbuild,cvsdirsec,cvsdocs,cvseclipse,cvsextras,cvsfont,daemon,dbus,decode,desktop,dgilmore,directors,dovecot,dumper,fama,famsco,fas,fas_sync,fax,fedora,fedorarewards,fesco,freemedia,freshmaker,ftbfs,ftp,ftpadm,ftpadmin,ftpsync,games,gdm,gnomebackup,gopher,gregdek,halt,hostmaster,hotness,ident,info,ingres,jaboutboul,jan,jwf,keys,kojiadmin,ldap,legal,logo,lp,m8y,mail,mailnull,manager,marketing,masher,masta,mirrormanager,mysql,nagios,named,netdump,news,newsadm,newsadmin,nfsnobody,nobody,noc,notifications,nrpe,nscd,ntp,nut,openvideo,operator,packager,patrick,pcap,pkgdb,pkgsigner,postfix,postgres,postmaster,press,privoxy,pvm,quagga,radiusd,radvd,relnotes,relrod,rel-eng,root,rpc,rpcuser,rpm,rsc,s3-mirror,sales,scholarship,secalert,secondary-signer,security,server-wg,shutdown,smmsp,spevack,squid,sshd,support,sync,system,tickets,toor,updates,usenet,uucp,vcsa,vendors,vendor-support,voting,webalizer,webmaster,wikiadmin,wnn,www,xfs,zabbix"
+username_blacklist = "abuse,accounts,adm,admin,amanda,apache,askfedora,asterisk,axk4545,bin,board,bodhi,bodhi2,canna,census,chair,chairman,containerbuild,cvsdirsec,cvsdocs,cvseclipse,cvsextras,cvsfont,daemon,dbus,decode,desktop,dgilmore,directors,dovecot,dumper,fama,famsco,fas,fas_sync,fax,fedora,fedorarewards,fesco,freemedia,freshmaker,ftbfs,ftp,ftpadm,ftpadmin,ftpsync,games,gdm,gnomebackup,gopher,gregdek,grokmirror,halt,hostmaster,hotness,ident,info,ingres,jaboutboul,jan,jwf,keys,kojiadmin,ldap,legal,logo,lp,m8y,mail,mailnull,manager,marketing,masher,masta,mirrormanager,mysql,nagios,named,netdump,news,newsadm,newsadmin,nfsnobody,nobody,noc,notifications,nrpe,nscd,ntp,nut,openvideo,operator,packager,patrick,pcap,pkgdb,pkgsigner,postfix,postgres,postmaster,press,privoxy,pvm,quagga,radiusd,radvd,relnotes,relrod,rel-eng,root,rpc,rpcuser,rpm,rsc,s3-mirror,sales,scholarship,secalert,secondary-signer,security,server-wg,shutdown,smmsp,spevack,squid,sshd,support,sync,system,tickets,toor,updates,usenet,uucp,vcsa,vendors,vendor-support,voting,webalizer,webmaster,wikiadmin,wnn,www,xfs,zabbix"
 {% else %}
-username_blacklist = "abuse,accounts,adm,admin,amanda,apache,askfedora,asterisk,axk4545,bin,board,bodhi,bodhi2,canna,census,chair,chairman,containerbuild,cvsdirsec,cvsdocs,cvseclipse,cvsextras,cvsfont,daemon,dbus,decode,desktop,dgilmore,directors,dovecot,dumper,fama,famsco,fas,fax,fedora,fedorarewards,fesco,freemedia,freshmaker,ftbfs,ftp,ftpadm,ftpadmin,ftpsync,games,gdm,gnomebackup,gopher,gregdek,halt,hostmaster,hotness,ident,info,ingres,jaboutboul,jan,jwf,keys,kojiadmin,ldap,legal,logo,lp,m8y,mail,mailnull,manager,marketing,masher,masta,mirrormanager,mysql,nagios,named,netdump,news,newsadm,newsadmin,nfsnobody,nobody,noc,notifications,nrpe,nscd,ntp,nut,openvideo,operator,packager,patrick,pcap,pkgdb,pkgsigner,postfix,postgres,postmaster,press,privoxy,pvm,quagga,radiusd,radvd,relnotes,relrod,rel-eng,root,rpc,rpcuser,rpm,rsc,s3-mirror,sales,scholarship,secalert,secondary-signer,security,server-wg,shutdown,smmsp,spevack,squid,sshd,support,sync,system,tickets,toor,updates,usenet,uucp,vcsa,vendors,vendor-support,voting,webalizer,webmaster,wikiadmin,wnn,www,xfs,zabbix"
+username_blacklist = "abuse,accounts,adm,admin,amanda,apache,askfedora,asterisk,axk4545,bin,board,bodhi,bodhi2,canna,census,chair,chairman,containerbuild,cvsdirsec,cvsdocs,cvseclipse,cvsextras,cvsfont,daemon,dbus,decode,desktop,dgilmore,directors,dovecot,dumper,fama,famsco,fas,fax,fedora,fedorarewards,fesco,freemedia,freshmaker,ftbfs,ftp,ftpadm,ftpadmin,ftpsync,games,gdm,gnomebackup,gopher,gregdek,grokmirror,halt,hostmaster,hotness,ident,info,ingres,jaboutboul,jan,jwf,keys,kojiadmin,ldap,legal,logo,lp,m8y,mail,mailnull,manager,marketing,masher,masta,mirrormanager,mysql,nagios,named,netdump,news,newsadm,newsadmin,nfsnobody,nobody,noc,notifications,nrpe,nscd,ntp,nut,openvideo,operator,packager,patrick,pcap,pkgdb,pkgsigner,postfix,postgres,postmaster,press,privoxy,pvm,quagga,radiusd,radvd,relnotes,relrod,rel-eng,root,rpc,rpcuser,rpm,rsc,s3-mirror,sales,scholarship,secalert,secondary-signer,security,server-wg,shutdown,smmsp,spevack,squid,sshd,support,sync,system,tickets,toor,updates,usenet,uucp,vcsa,vendors,vendor-support,voting,webalizer,webmaster,wikiadmin,wnn,www,xfs,zabbix"
 {% endif %}
 email_domain_blacklist = "{{ fas_blocked_emails }}"

--- a/roles/grokmirror_mirror/tasks/main.yml
+++ b/roles/grokmirror_mirror/tasks/main.yml
@ -8,8 +8,16 @@
  tags:
  - grokmirror-mirror

+- name: create grokmirror user to own mirrored file and run scripts
+  user: name=grokmirror
+
 - name: create directory to mirror repos to
-  file: dest={{grokmirror_topdir}} mode=0755 state=directory
+  file: dest={{grokmirror_topdir}} mode=0755 state=directory owner=grokmirror
+  tags:
+  - grokmirror-mirror
+
+- name: create directory to mirror site to
+  file: dest={{grokmirror_topdir}}/src.fedoraproject.org mode=0755 state=directory owner=grokmirror
  tags:
  - grokmirror-mirror

--- a/roles/grokmirror_mirror/templates/fsck.conf
+++ b/roles/grokmirror_mirror/templates/fsck.conf
@ -9,7 +9,7 @@ toplevel = {{ grokmirror_topdir }}/src.fedoraproject.org
 #
 # Where do we put the logs?
 #log = /var/log/mirror/kernelorg-fsck.log
-log = /var/log/grokmirror/src.fedoraproject.org-fsck.log
+log = {{ grokmirror_topdir }}/src.fedoraproject.org/src.fedoraproject.org-fsck.log
 #
 # Log level can be "info" or "debug"
 #loglevel = info
--- a/roles/grokmirror_mirror/templates/grokfsck.cron
+++ b/roles/grokmirror_mirror/templates/grokfsck.cron
@ -1 +1 @@
-#00 02 * * * root /usr/bin/grok-fsck -c {{ grokmirror_topdir }}/fsck.conf
+#00 02 * * * grokmirror /usr/bin/grok-fsck -c {{ grokmirror_topdir }}/fsck.conf
--- a/roles/grokmirror_mirror/templates/grokmirror.cron
+++ b/roles/grokmirror_mirror/templates/grokmirror.cron
@ -1 +1 @@
-#* * * * * root /usr/bin/grok-pull -p -c {{ grokmirror_topdir }}/repos.conf
+#* * * * * grokmirror /usr/bin/grok-pull -p -c {{ grokmirror_topdir }}/repos.conf
--- a/roles/grokmirror_mirror/templates/repos.conf
+++ b/roles/grokmirror_mirror/templates/repos.conf
@ -70,7 +70,7 @@ default_owner = Grokmirror User
 #
 # Where do we put the logs?
 #log = /var/log/mirror/kernelorg.log
-log = /var/log/grokmirror/src.fedoraproject.org.log
+log = {{ grokmirror_topdir }}/src.fedoraproject.org/src.fedoraproject.org.log
 #
 # Log level can be "info" or "debug"
 #loglevel = info