major code cleanup #8

Merged (2 commits) on Jun 25, 2018
5 changes: 2 additions & 3 deletions tasks/client.yml
@@ -1,9 +1,8 @@
---

- name: download minio client
get_url:
url: "{{ minio_client_download_url }}"
dest: "{{ minio_client_bin }}"
owner: "{{ minio_user }}"
group: "{{ minio_group }}"
owner: "root"
Owner commented:
This was done as a kind of "security measure".
Just not to download binaries from the internet as "root".
But I am not sure it still makes sense.
Thoughts?

Collaborator (author) commented:
It isn't good to run any binary as a user who can edit this binary. We have a sane default for minio_client_download_url which is an official source, and we are using HTTPS, so there shouldn't be any problem with tampering with the file while it is transmitted to the server.
I would also consider downloading the binary once to the local machine, validating its checksum and then propagating it to the target hosts. This increases security and reduces the needed network bandwidth when used with more than 1 target. We are doing the same with most of the roles in @cloudalchemy :)

group: "root"
mode: 0755
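Review bot: now that the client binary is written as root:root with mode 0755, the download in this hunk still carries no integrity check; get_url's `checksum:` parameter (e.g. `checksum: "sha256:<digest>"`) makes the task fail when the file served at `{{ minio_client_download_url }}` does not match a pinned digest, which closes the gap the thread above discusses without the extra hop through the control host. HTTPS only authenticates the transport endpoint; it does nothing against a replaced or compromised file at the source. A second thing to keep in mind: get_url defaults to `force: no`, so once `{{ minio_client_bin }}` exists the task never re-fetches it, and a changed upstream file is silently kept as the old copy.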
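The download-once-then-propagate flow suggested in the comment thread above, written out as an added example in Ansible task form; it is not code from this PR or from the cloudalchemy role. It reuses the role's own `minio_client_download_url` and `minio_client_bin` variables, while `minio_client_checksum`, the `.cache` directory under `playbook_dir`, and the task names are assumptions made for this example.

```yaml
---
# Added example, not part of the PR: fetch the mc binary once on the control
# host, verify it against a pinned digest, then push the verified file to every
# target. minio_client_checksum and the local cache path are assumptions.

- name: refuse to run without a pinned checksum
  assert:
    that:
      - minio_client_checksum is defined
      - minio_client_checksum is match('^sha256:[0-9a-f]{64}$')
    msg: "set minio_client_checksum to 'sha256:<hex digest>' of the release you intend to ship"
  run_once: true
  delegate_to: localhost

- name: create a local cache directory on the control host
  file:
    path: "{{ playbook_dir }}/.cache"
    state: directory
    mode: 0755
  run_once: true
  delegate_to: localhost
  become: false

# get_url compares the downloaded file against checksum: and fails the task on
# a mismatch, so a swapped upstream binary never reaches the targets. With a
# matching file already cached the download is skipped entirely.
- name: download minio client once on the control host and verify it
  get_url:
    url: "{{ minio_client_download_url }}"
    dest: "{{ playbook_dir }}/.cache/mc"
    checksum: "{{ minio_client_checksum }}"
    mode: 0644
  run_once: true
  delegate_to: localhost
  become: false

# copy only transfers when the remote checksum differs, so repeated runs cost
# one hash comparison per host rather than one internet download per host.
- name: propagate the verified binary to all targets as root-owned 0755
  copy:
    src: "{{ playbook_dir }}/.cache/mc"
    dest: "{{ minio_client_bin }}"
    owner: root
    group: root
    mode: 0755
```

Pairing `minio_client_checksum` with a versioned download URL is what makes the digest meaningful; against a rolling "latest" URL the pinned digest starts failing the run at the next upstream release, which is the desired behaviour (a deliberate bump of both values) rather than a silent upgrade.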
26 changes: 7 additions & 19 deletions tasks/main.yml
@@ -1,31 +1,19 @@
---

- name: include os-specific variables
include_vars: "{{ ansible_os_family }}.yml"

# add the python sni support to legacy python installations
- include: python_sni.yml
when: ansible_os_family == 'Debian'
and ansible_python_version is version_compare('2.6.0', '>=')
and ansible_python_version is version_compare('2.7.9', '<')
- name: add the python sni support to legacy python installations
include: python_sni.yml
when:
- ansible_os_family == 'Debian'
- ansible_python_version is version_compare('2.6.0', '>=')
- ansible_python_version is version_compare('2.7.9', '<')

# install additional ansible dependencies
- name: install ansible support packages
package:
name: "{{ item }}"
state: present
with_items: "{{ ansible_support_packages }}"

- name: create minio group
group:
name: "{{ minio_group }}"
state: present

- name: create minio user
user:
name: "{{ minio_user }}"
group: "{{ minio_group }}"
shell: /bin/bash
with_items: "{{ minio_ansible_support_packages }}"

- include: server.yml
when: minio_install_server
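Review bot: the `include:` keyword used for python_sni.yml and server.yml has been deprecated since Ansible 2.4 in favour of `include_tasks`/`import_tasks`; with the `when:` list form introduced in this hunk, `import_tasks` applies the condition to every imported task and keeps the skip visible in the run output, which `include:` will stop doing once it is removed. Separately, the `with_items` loop over `minio_ansible_support_packages` makes one package-module call per item; passing the list directly (`name: "{{ minio_ansible_support_packages }}"`) installs them in a single transaction.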
12 changes: 6 additions & 6 deletions tasks/python_sni.yml
@@ -1,12 +1,9 @@
---

# with_indexed_items is required as a workaround for this issue:
# https://github.com/ansible/ansible-modules-core/issues/1178
- name: install python-pip
package:
name: "{{ item.1 }}"
name: "{{ item }}"
state: present
with_indexed_items: "{{ python_pip_packages }}"
with_items: "{{ python_pip_packages }}"

- name: install the Python SNI support packages
package:
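Review bot: on RedHat hosts `python_pip_packages` begins with `epel-release` (see vars/RedHat.yml in this PR), so this "install python-pip" task enables a third-party repository system-wide as a side effect of installing pip. That is a larger change to the host's package trust than the task name suggests; consider a separate, explicitly named task (or an opt-in variable) for enabling EPEL so operators see it in the play output.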
@@ -21,4 +18,7 @@
pip:
name: "{{ item }}"
state: present
with_items: "{{ python_sni_pip_dependencies }}"
with_items:
- pyopenssl
- ndg-httpsclient
- pyasn1
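Review bot: hardcoding `pyopenssl`, `ndg-httpsclient` and `pyasn1` here without versions means every run of this legacy-Python path pulls whatever PyPI serves at that moment, using a `pip` that the same file installed moments earlier; the variable being removed (`python_sni_pip_dependencies` in vars/main.yml) at least let an operator pin them. Suggest pinning each entry (`package==version`) or keeping the list as a variable in defaults/ so a pin can be supplied, and consider the pip module's `extra_args` for hash checking if the pins are to be enforced.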
18 changes: 14 additions & 4 deletions tasks/server.yml
@@ -1,4 +1,14 @@
---
- name: create minio group
group:
name: "{{ minio_group }}"
state: present

- name: create minio user
user:
name: "{{ minio_user }}"
group: "{{ minio_group }}"
shell: /bin/bash

- name: create data storage directories
file:
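Review bot: the minio user moved into this file keeps `shell: /bin/bash` and is created as a regular account with a home directory by default; a service account that only needs to own the data directories should get `system: yes`, `shell: /usr/sbin/nologin` (or `/sbin/nologin` on RedHat) and `create_home: no`, so that code execution as minio does not come with an interactive login shell. This matches the least-privilege reasoning already applied in this PR to making the binaries root-owned.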
@@ -14,8 +24,8 @@
get_url:
url: "{{ minio_server_download_url }}"
dest: "{{ minio_server_bin }}"
owner: "{{ minio_user }}"
group: "{{ minio_group }}"
owner: "root"
group: "root"
mode: 0755

- name: generate the minio server envfile
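Review bot: as in tasks/client.yml, the server binary is now root-owned 0755 but fetched without `checksum:`; add `checksum: "sha256:<digest>"` here too and, because `minio_server_download_url` points at the rolling release path, pin the URL to a specific release so the digest stays valid between runs. The envfile task that follows is outside this hunk, but its file mode deserves the same attention as the binary's.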
@@ -27,13 +37,13 @@
- name: create the minio server systemd config
template:
src: minio.service.j2
dest: "{{ systemd_units_dir }}/minio.service"
dest: "/etc/systemd/system/minio.service"
when: ansible_service_mgr == "systemd"

- name: create the minio server init.d config
template:
src: minio.init.j2
dest: "{{ initd_conf_dir }}/minio"
dest: "/etc/init.d/minio"
mode: 0750
when: ansible_service_mgr != "systemd"

6 changes: 1 addition & 5 deletions vars/Debian.yml
@@ -1,8 +1,4 @@
---

# systemd unit files location
systemd_units_dir: /lib/systemd/system

# packages providing python-pip
python_pip_packages:
- python-pip
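Review bot: dropping `systemd_units_dir: /lib/systemd/system` moves the unit to `/etc/systemd/system` on Debian hosts that were deployed with an earlier version of the role, but nothing removes the old copy from `/lib/systemd/system`; since the `/etc` unit takes precedence the stale file is merely shadowed, not cleaned up. A `file: state: absent` task for the old path, or at least a changelog note, would avoid confusion when someone later finds two minio.service files.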
@@ -14,5 +10,5 @@ python_sni_support_packages:
- libffi-dev

# extra packages needed by ansible to correctly configure the system
ansible_support_packages:
minio_ansible_support_packages:
- ca-certificates
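Review bot: the rename to `minio_ansible_support_packages` is the right namespacing (a bare `ansible_` prefix reads like a gathered fact), but it is a breaking change for anyone who set `ansible_support_packages`; note it in the changelog. Also, because this list lives in vars/ it can only be overridden by extra-vars; if operators are expected to add packages, defaults/ is where it belongs.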
6 changes: 1 addition & 5 deletions vars/RedHat.yml
@@ -1,8 +1,4 @@
---

# systemd unit files location
systemd_units_dir: /etc/systemd/system

# packages providing python-pip
python_pip_packages:
- epel-release
@@ -12,4 +8,4 @@ python_pip_packages:
python_sni_support_packages: [ ]

# extra packages needed by ansible to correctly configure the system
ansible_support_packages: [ ]
minio_ansible_support_packages: [ ]
9 changes: 0 additions & 9 deletions vars/main.yml
@@ -3,12 +3,3 @@
# Minio and MC download urls
minio_server_download_url: https://dl.minio.io/server/minio/release/linux-amd64/minio
minio_client_download_url: https://dl.minio.io/client/mc/release/linux-amd64/mc

# default init scripts location
initd_conf_dir: /etc/init.d

# python pip packages required to support SNI certificates
python_sni_pip_dependencies:
- pyopenssl
- ndg-httpsclient
- pyasn1
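Review bot: both download URLs kept here point at the unversioned release path (`.../release/linux-amd64/minio` and `.../mc`), so the role installs whatever MinIO last published at run time and two runs can yield different binaries; together with the get_url tasks having no `checksum:`, this is the weakest link in the role's supply chain. Suggest versioned URLs paired with a matching sha256, placed in defaults/ rather than vars/ so that an operator can override them from inventory. Removing `python_sni_pip_dependencies` while hardcoding the same three packages in tasks/python_sni.yml trades a tunable for a constant; if the variable is dropped, pin the versions in the task instead.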