From d766d64463c6bd7d55019c08440263773a8e8978 Mon Sep 17 00:00:00 2001
From: Nate Coraor
Date: Mon, 15 May 2023 15:57:37 -0400
Subject: [PATCH 1/8] Drop key for test.galaxyproject.org

---
 defaults/main.yml | 13 +------------
 1 file changed, 1 insertion(+), 12 deletions(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index 91377f0..100b5ca 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -158,7 +158,7 @@ galaxy_cvmfs_config_repo:
 client_options: []
 # Defaults for galaxyproject.org repos
 galaxy_cvmfs_keys:
- # This will become the key for all repos, currently cvmfs-config and singularity
+ # This will become the key for all repos, currently cvmfs-config, singularity, and test
 - path: /etc/cvmfs/keys/galaxyproject.org/galaxyproject.org.pub
 key: |
 -----BEGIN PUBLIC KEY-----
@@ -170,17 +170,6 @@ galaxy_cvmfs_keys:
 mAG1ceyBFowj/r3iJTa+Jcif2uAmZxg+cHkZG5KzATykF82UH1ojUzREMMDcPJi2
 dQIDAQAB
 -----END PUBLIC KEY-----
- - path: /etc/cvmfs/keys/galaxyproject.org/test.galaxyproject.org.pub
- key: |
- -----BEGIN PUBLIC KEY-----
- MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtfc5SSX9ALcrukWYcxkI
- mkLhlkJa5tCP1oZNWFA7GfE4xQW2vcKE5qmbZqhYVfdiy+FHPnhWPJp577hekD2F
- vMITbApdZ0265AjRC0+EKKxpMF8zZ0q71vCFxvdK0c3DtT/3LmqKrr2wimtJZjQN
- UAZcQG2ykzeHzFZ46w74IO0o8Fv/w2XEbYI0QqbNFv+0hcp5SruFqaaLsRZdd6Bn
- 3iSylgVRQ5b+h1LfB/EuEpSmH1sDozZ4tU0fpbrBSknK76aad1o/cvWY1X87ToUV
- helU0HE2Rw/u9EqJDvPFTbUmad3MtspkqbG5Eo7lI+ktzbcD7UTsQ/7noIXIQ5dD
- PwIDAQAB
- -----END PUBLIC KEY-----
 - path: /etc/cvmfs/keys/galaxyproject.org/data.galaxyproject.org.pub
 key: |
 -----BEGIN PUBLIC KEY-----
From 751f7656674a3780876097dce4ed732cc80b9923 Mon Sep 17 00:00:00 2001
From: Jonathan Laperle
Date: Mon, 18 Sep 2023 18:48:12 -0400
Subject: [PATCH 2/8] uncomment cache_dir line in squid.conf template

---
 templates/localproxy_squid.conf.j2 | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/templates/localproxy_squid.conf.j2 b/templates/localproxy_squid.conf.j2
index 5e5628d..4bae88d 100644
--- a/templates/localproxy_squid.conf.j2
+++ b/templates/localproxy_squid.conf.j2
@@ -7,9 +7,9 @@ http_access allow all
 always_direct allow all
-# {% if cvmfs_localproxy_cache_dir is defined %}
-# cache_dir ufs {{ cvmfs_localproxy_cache_dir.dir }} {{ cvmfs_localproxy_cache_dir.size }} 16 256
-# {% endif %}
+{% if cvmfs_localproxy_cache_dir is defined %}
+cache_dir ufs {{ cvmfs_localproxy_cache_dir.dir }} {{ cvmfs_localproxy_cache_dir.size }} 16 256
+{% endif %}
 cache_mem {{ cvmfs_localproxy_cache_mem }} MB
From cefc7d79d35217b9c7da3576e7dc56d29f15b3f6 Mon Sep 17 00:00:00 2001
From: Nate Coraor
Date: Tue, 21 May 2024 12:21:47 -0400
Subject: [PATCH 3/8] Ensure CVMFS_GEO_ACCOUNT_ID is also set when a GeoIP key is provided

---
 tasks/stratum1.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/tasks/stratum1.yml b/tasks/stratum1.yml
index 6a502ae..885c3ff 100644
--- a/tasks/stratum1.yml
+++ b/tasks/stratum1.yml
@@ -38,6 +38,7 @@
 - name: Install GeoIP API key
 ansible.builtin.copy:
 content: |
+ CVMFS_GEO_ACCOUNT_ID="{{ cvmfs_geo_account_id }}"
 CVMFS_GEO_LICENSE_KEY="{{ cvmfs_geo_license_key }}"
 mode: 0400
 dest: /etc/cvmfs/server.local
From 4e085505468a01028fc07b89e6d07dd4add4c744 Mon Sep 17 00:00:00 2001
From: Nate Coraor
Date: Tue, 21 May 2024 12:28:30 -0400
Subject: [PATCH 4/8] Support running Stratum 1 without Squid

---
 defaults/main.yml | 4 +++-
 tasks/stratum1.yml | 1 +
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index 91377f0..4858865 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
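Review bot: The added `CVMFS_GEO_ACCOUNT_ID` line makes `cvmfs_geo_account_id` mandatory whenever this task runs, but the change adds neither a default nor an assertion for it, so a host that previously supplied only `cvmfs_geo_license_key` will now stop with an undefined-variable error rather than a clear message; an `ansible.builtin.assert` on both variables, or a default beside the license key in defaults/main.yml, would make the new requirement explicit. The task writes the license key through `content:`, which can surface in verbose and `--diff` output unless the task carries `no_log: true`; the task's `when:` and any `no_log:` are outside the hunk, so please confirm that is already in place.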
@@ -18,9 +18,11 @@ cvmfs_stratum1_http_ports:
 cvmfs_localproxy_http_ports:
 - 3128
-cvmfs_stratum1_apache_port: 8008
+cvmfs_stratum1_apache_port: "{{ cvmfs_stratum1_squid_enabled | ternary(8008, 80) }}"
 cvmfs_stratum1_cache_mem: 128 # MB
+cvmfs_stratum1_squid_enabled: true
+
 # Stratum 1 snapshot cron job timing, hash keys correspond to the cron module options:
 # https://docs.ansible.com/ansible/latest/collections/ansible/builtin/cron_module.html
 #
diff --git a/tasks/stratum1.yml b/tasks/stratum1.yml
index 6a502ae..2dabf78 100644
--- a/tasks/stratum1.yml
+++ b/tasks/stratum1.yml
@@ -28,6 +28,7 @@
 ansible.builtin.include_tasks: squid.yml
 vars:
 _cvmfs_squid_conf_src: "{{ cvmfs_squid_conf_src | default('stratum1_squid.conf.j2') }}"
+ when: cvmfs_stratum1_squid_enabled
 - name: Include firewall tasks
 ansible.builtin.include_tasks: firewall.yml
From df12cba1c88bb7147c08e43f0f69510a5225a954 Mon Sep 17 00:00:00 2001
From: Nate Coraor
Date: Tue, 5 Nov 2024 09:40:36 -0500
Subject: [PATCH 5/8] Replace community.general.system.filesystem with community.general.filesystem

---
 tasks/stratumN.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tasks/stratumN.yml b/tasks/stratumN.yml
index 8d5918a..def47e0 100644
--- a/tasks/stratumN.yml
+++ b/tasks/stratumN.yml
@@ -1,6 +1,6 @@
 ---
 - name: Create /srv filesystem
- community.general.system.filesystem:
+ community.general.filesystem:
 dev: "{{ cvmfs_srv_device }}"
 force: false
 fstype: "{{ cvmfs_srv_fstype | default('ext4') }}"
From 760be3c2e8cb0204fd368fdf15454da1571ee54a Mon Sep 17 00:00:00 2001
From: Nate Coraor
Date: Tue, 5 Nov 2024 09:42:03 -0500
Subject: [PATCH 6/8] Drop sandbox and usegalaxy repo keys since they are now using the common master key

---
 defaults/main.yml | 22 ----------------------
 1 file changed, 22 deletions(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index 4858865..309363a 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
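Review bot: Disabling Squid moves Apache onto port 80 through the new `ternary(8008, 80)` default, but the hunk context shows the firewall list `cvmfs_stratum1_http_ports` defined independently and nothing in this change ties it to the toggle; presumably a stratum 1 without Squid needs that list to match the port Apache now serves on, so either derive it from `cvmfs_stratum1_squid_enabled` or state the coupling where the new variable is introduced, e.g. `# When false, Apache listens on port 80 directly; keep cvmfs_stratum1_http_ports consistent`. Note also that the templated default renders as the string `"8008"` rather than an integer, so any consumer that compares or computes with it needs `| int`.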
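Review bot: `when: cvmfs_stratum1_squid_enabled` is truthy for the string `"false"` when the variable is passed on the command line with `-e`, so Squid would still be set up on a host that meant to disable it; `when: cvmfs_stratum1_squid_enabled | bool` is the usual guard for a boolean toggle. The `include_tasks` block this line belongs to starts before the hunk.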
@@ -205,28 +205,6 @@ galaxy_cvmfs_keys:
 torRYcoFZICTZqY9e/KsadHUeZnH3RvfMypH5oS1POzsFszoSxBhZIBkZbG3/f9Y
 OQIDAQAB
 -----END PUBLIC KEY-----
- - path: /etc/cvmfs/keys/galaxyproject.org/sandbox.galaxyproject.org.pub
- key: |
- -----BEGIN PUBLIC KEY-----
- MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1jHnrwsxMUkMZDAj9GMt
- WNCFFrNVejTTbyklk+52yyXgVgRWo1qN+5lh6W2UL/b2v9pOEzRVPZBQvNNwKo6P
- e+5p2JBVJ5yv7tpegEnHaRYw6yoHlWLzeSfiu8/yNp2s3jzK52zdLE9rZu7KlXH3
- EiY2LbU8wa0oah8BlvqWoHlWm78IQbbgK3Q0KmsXpvpjjhYkRWh/TL7KRmwT0b+C
- WDNbviUi62sBl1SWQ95kcsfqfviU94DKGWRWDYngnYRV5PZVLuUw8Egix6lW2Sj0
- l5LILRbaIyXiTsFqXfK1dtjAOmZMkX4wuBch13y9FhMCIRvBDWYQuyxugSC101Ur
- YwIDAQAB
- -----END PUBLIC KEY-----
- - path: /etc/cvmfs/keys/galaxyproject.org/usegalaxy.galaxyproject.org.pub
- key: |
- -----BEGIN PUBLIC KEY-----
- MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsqb8HIG5T/juOmVpByIE
- UfboKj7S2LbnWCZdCAoA9EfQfsxi/p3iWu1j9/0iJjf4yKs+pI6mJL/t+txB9fM5
- EYdYJv/awH7W4A47e8/CR25HzoM9PjxbssRbHSGWLrDBPHUcyQh7gZGqJYdXIyeS
- DrgPoftn04xuLQvmPWbi8Ng14c+Kn8947PxZ5hVOmApEd4gzkHI0qFfC7dTN/rTh
- KdC5mWONdRmmSDM4OmgJl7wdzE5pUTA+H1GagESxG4Cm/7EN9ZnVgWdb/sgVTxHG
- e3odhIy/hV82RHkaW456/jhd8tD8LHpY8jdM/rWvwrBgI7WntqSijOUe2a6uC7S1
- sQIDAQAB
- -----END PUBLIC KEY-----
 galaxy_cvmfs_server_urls:
 - domain: galaxyproject.org
From 50bdf55515808245433257e4395b96d6e3c0d016 Mon Sep 17 00:00:00 2001
From: Nate Coraor
Date: Mon, 2 Dec 2024 13:36:30 -0500
Subject: [PATCH 7/8] Add EL9 remount/wipecache binaries

---
 files/cvmfs_remount_sync.el_9 | Bin 0 -> 18240 bytes
 files/cvmfs_wipecache.el_9 | Bin 0 -> 17560 bytes
 2 files changed, 0 insertions(+), 0 deletions(-)
 create mode 100755 files/cvmfs_remount_sync.el_9
 create mode 100755 files/cvmfs_wipecache.el_9
diff --git a/files/cvmfs_remount_sync.el_9 b/files/cvmfs_remount_sync.el_9 new file mode 100755 index 0000000000000000000000000000000000000000..9adc11a9997ed6d835a0646aad333042cab676a6 GIT binary patch literal 18240 zcmeHP3v3)$6@9zT$4L|K=2y}tYNjPYG2rzli7_rs$FbKLS59m4DM5TDWUB=nC@7TB<=!{T)R7RV`UR0%m}A=K+7OIVv&EmWb1 zEn*oUOW;tY1gUey^nBP6Fs&uM8lY&m5icZFJ#@3=gkZ`ZB1OA}q|&8BPf!6&Mbr_a z-BP?HUPM*ofLA36Nudx-S+884BGn);jy}_!R6nL}JB*Epk=<^xBYH2{9Vg0m$f8}8 z?4qR4^c)3(DaR9If=3(0v#mx24ta+v$Usu$SqQ(~VX`|+`b@h>pDC7s>A*8~@?R;h zkL*@m?c}rSYE@n^<#L#Ed2a+e8BfRTWzXEq`>DK2?I1Y*L_?HwV>;E}y0bBzY)Gdv zg^`Alw$_H$ow0m2)*>~~FDwJQ&E6XiiSU@1MvTHJ+hRTOD1Yq9KNPQe^N)Y@zB@BV zzIpiMnP0b0U%`1`nW%#a?b#*dQN{=I|7^mt*9Isb2TTdTF}6YaZ>fNHR=|5J;5Ssj zud9IXtbk)Ig8Y0{1^g?3D{%Nz7J#694phJs74Uadz*kkkPXn&N;ZF?!1o@%EZUAX%`n|I;ZcAPG{aCiG`R8^_69L{*pa#CD4 zKf6%2-G$RnjWlU;;pi);HW!X%a8g}3Kf_U`xo`+fIrX{lm1R_j!!G zF1*f#=UjNig^##!ZZi~*x$reE{kvWGIu~BOtVW<3focS*5vWF>8iD_O1pXAc>IH55 zxmxYm(qA{iFk)ib4wuep_O7dSq9*076W0L2ow=ywE#z^C zGbez@_%#2nr})&{wc>BI@u%ne4#u0Oo1f6mp1olmgk!^pVWR&0KrFK5JzydP>YrX< zr?koInju4Na_Os)y#AuS0YaStBMkM5(oAH_7}}jC3i=_bzv~6msee%`&THTL{q@?n zF4kzFGul%x+Up^M>nMZT(#$|)OV@%umOpmgH$W^3>ketfXJ&7OTAW$>89+jBJ3V!J zV8JveU(}ApFKWfJvyZ=6DxJc1o&7FcNsYUnn*m-cKDHh5)QXQB zmgGKc2dy|c1f;h(fvwbAoE!o2o@rZ&)W^pn_4}qG^@mPG>fiQoq~4s4)DNGF)E8zV z^|#NTooEA1Y|pb3Z-A>NEMYPZu1sM2X_FJ!tiWlKyAQRsV-t=CKS4)VlpWo|j*dUq z1XVeICSDS!qKYbJ5B(kUh|g=|x6g~hYfila!DW!uvs<9Pv)W|eI-uvZ;u)>@)7b|= zdt$n<1nffq&toYcbaI%59A-t~Nrrm?j(jyG~9_GKRf&7OMs3~Z_&mtrjM>anFh^MYT0Hu&;~o~ z_ zA2=Hy3kgr&QEf6l29Ab%is!yD4T_J>z)AWG)o^OK9P2W8i8sAsu8G0;Qt^3xUS+(jftbf z19?GfL)+_>0V9<*lcJC}2F-S5TV8pCW#+QGc`ZS%9knZnDH&tfRLqftX(sc^urZ>* zveTeFq+|z_Z7DLi#jrA|%wW5c$=b?5wvb7_R!L=!8tGKh$s}t@(J+W?Gl?ZOZp*I} zRF1R4wcwU$JZf0DR_plPm>)7MGwCpTDjO5q^4s!kOzUS0)|M%YQSzgi1Oy?pspeW0 zD86i1{|A`9BAqXl-U_q}Xb$KLKtB(3^Mz9ByFkAK^l6~G|5z$5f%y}zyJ8C6x?hAw zqM=Qzme)=Jj%y&B;dmJGeHAKnEsr9G)7|d@#%n@bQ3S``zb}>K!c|?gyKdtRk;`tW z9TV4IdF`urY`q4=Vj~8i8sAsu8G0pc;Yy%?PYj 
zrQhf1dv6@_W5RFkFyV5HOi@)5{wD1C^$vf9MBzl=DQ_Yk7xXY)=@3y%a-4r)V)>t6 zEM<{DQKKSpzR?DHVyTL({1zJNG|741`AY;L@waO@=fSkWA?0)V+dNg37|(X)iZviS zU*m7=UO|>^%N>2j&o6U$_WKCw@wawdKCH{h`aDGXup%dUjw?*NB!36VDVzTq;qS`* z4zyBxcN4vt=m629MBhvFexjcy`c}+~n^XrxE`^}`H88!(TTIxl|&FwpL%`L6F#QvMxtwIK0FDQeFgx^-| zxw+lQWU~FKOrUu0o7$U3b|hPxcC{KxEY_GG%_q%Vz7f9sZZ!H+4e-Lkj3vZ@zV;pB zKxcci=PnlSmzalgEctCS^l`vKYE{@+8Ki3?BpA zsYHWirn3n)@?nm#55)eA?;-GA!`_aqp&dqZdGALzwMmf9A(Al-(h=0gmlF-r;pfOD zdY%O79HFw7(X%Q@hx1|juj;U`n_j|a_BFIY#mK#Es)68cr017gxdz_7@%{`iUL$z_ zg%@8UZVSw3Y5Do-)n8VAZhG#vxuN6Vhr5dq9@bk>8zf$mX(TiUu`1$F@;n#%X z>cv+JB@nMG_eHOML~uKMap=j4>W1WXjaVaAT^)q46@7vDy7KRtJF^=2wcy_|FTOzp zJx6QA<>l|tz54JgL%&B}e505O#IF$d2IBnd>dpnfN9SK*KfYNUKcad-{9RfiE|feV zFuUOhfrR^;LJAttApHY?hee&>dzI7$?rK4Nitb^?hY06!2jh3ZMMx~v7yZL@4;-O@ z__%wN#60d+Aw21iINZpU8$9^`+edR>tDtQAeysBq;?LHS@HLof>Q_lH_pk;VOR z6W}4SxIZ)lzSdiuT=nKNP(lAz#KU!>kM1L0FQ}FJ3(rZpwg6>+0C3FT-@YFs zef)S4lYGYy^b>?XMfZ_h8vy)^GM;r}JK=IY0q`$KeYo(Y=?eH$74T;OUlZQAC=M3@ zSA2ORdl?Mq*M=AWj;ujEKwmT#^3DPg3<+^8r?>8eQBrcqu$`TKjm^!CFxo5sclP}y zEW0_Dg`G?=^3!c&Pymp(3-Iw|LM-fh((Pd#Hd|%PJZL7f`d~WSZ>064owf41Q5b<8 zTf@1u3F}y~reFHy9agC%}*M6bz?Y(JFN3VWUclUw#LH%II zp58cE_&1lSyaViIc74e`YGq~IE~cAF!!~#=(JR7w)6O)HAeT&;<*jNSiQLt;7=hht z9uW7-c>rh`@WR=RMjPdPa_??6J(fk~qZeRD9q*3wn!_eK-csik zB-79~FdR2*6HABTxt@c{>3V-YPwvRgdx;@4@lISorJZ=5TyR&O2cShv52ov||BhQ6 zH|7QIwv!!*_6T~+MJzu$Y#aSRZOfrUd<8oOO)Dp2a`rQrDa3LXtPNZCs0->Zq+p+H zDoIeso}LE0Wn!p4WaNiLEIFEiA{=U4j^wCmF*DGBu5xKx#IWm&m~D>0 zS@xWmm6d%fW)9IkGL!^c<{S&>W^pX|8ZtJ9Qwb}Nt~<mf2|B71BjxBmpo{jL~Ow&(fS zd9pu3id??G{ttj0?e~x#&)eGQ#TUOPLwgvdE{flSfT3TUzlf^9L4u(WCjU&t-~Jx~ z9k;zg_6pfcq0GrSG0gNcetQ}pDQg`4A5lNxEZC0uFZk?vUimz|807bztnc^#%Vf{- z=kcFV9E+7$IalKNGxSZkKoz#M#EZpFPiK`>u8jp7z=M%l{$BVfG~N z0jauMm4yFZf?uC`roRI12pk+{o*&o3eiKZr=Wq)=W=07 zxE-GdTZ|vu^SOuFc`b-d44fP_Wt%l zU3bEHA?C&Y^LYK#;1cj#81(B}@!*@Eqt O;0q8)*ZK^6toR4BheqxI literal 0 HcmV?d00001 
diff --git a/files/cvmfs_wipecache.el_9 b/files/cvmfs_wipecache.el_9 new file mode 100755 index 0000000000000000000000000000000000000000..62c54dd1d50926473c07bc10e40ea001cc243a49 GIT binary patch literal 17560 zcmeHPU2GiH6+XKg6O#~oR5pppn8uOCE}pKA^s|Qc(NQ9~Deffl^hKXN`_=iE7G zJu{vJiYiq?bLE|L&v(yv?wvDtX6~Jt>#z3@55!|JkQ9gAK-!U{p&)k)aQbsfWvmO< zfB_n8f$I=ifj>i)kaTk*{}6WzL^iTr0wwWUDWjy}lQ$_1K%}&gB=MG#!C6;cZg5qR zkaTt8sUp^a_fOj3sl-b% zFUj^I7r8!>5>IL){kk}wT?qp<(p{;Mf=N?bfFSPy<~_jnBKz20B-KG_^mQlyaq1gk z-iW5$zzD}tGvCfXvRK9JhP^`|j z&31LRb#~~LlHRT?s9jVC^{K)A_d$Ff76{`os$+2@>s0=5?9sOtM^`=l_ODys+3?GE z-(T1A$fEe5I?09-@uf+mQ)j}Rj6GNUeD~?rm%xSAo1bf!bP1!JGm&>IxP$|W~69$Ke_V$|Xdb_@}p5M^{ z=Fp*iX5KE_6NQRnmk;ghohlXWL)IAjFwKeSQjwjTu4$;DL_dK?f{sNDkH+mNr9V|S z6|SeF)WO(~pZpGX%QzUQQ@XInP?Gv8#ZJ;i5AHp_mpr)i9pYT};48%m%2vZr8ewv7 z5TJQ*z62_}+dTMxbN(oDw22}RMIeem6oDuLQ3Rq0L=pJJMc|*!H@}}f{Ti;+xaTOwQaBAwt0(zInpPo?2QXGOxylQIt_K-SXBD&NT(t0 z8w;qD|IFWqPQ3h;?1@*i$6vcNa;QJEkU5`y>7{|S=x+TN(fplpy?M(w$tRHgxh3^f z_T=49qDA&(!{a3Gy6mjSrs|Z(re0sW(7a`yc;{H6y`}7Teu2dHE7=p5vM;=~C;P(X zL^k$f_T?+ijp*RtIK3tZjkOEo&0G4G_*DP=-5Ze$)phq}PrQEd81BW34J#3eefiv} zbK^^mqj-@0n~#$rMlpHfkq@#bs+XRl7Cld!i@&*2tNoO6KTB!`Jhurq&wmy-KT)N> z#nML?=2ks_H$oTBqNeck=agS{TB zC;}fZ0`z{%n;t66*f}dVX+!Sl^mxV0m5Sqq2}o5d<D|=g+qK#Z%H*Y5EsN4X`6ZO^p*)R}61^j(6gzehVzbHE<{MTvp2DXI^uCSWB`%XKi|Cip~iXGvuW4uJGOqBVDdGEzr$Gf zy#(|$B_E6TuDLEgj5QJvr6>YX1fmE;5r`rXMIeem6oDuLQ3Rq0e6k~8;7eFaNtW`> zB7O5n=>}JzfuVA1SU=778>M`=TfUifnNn>Moy%z+MoG%wy;3WYekNg%aKF(;Ilsan z737=61um!WS}C1!1*~S-%5ptR5%q5>4MRaP+oky^C7FN9H}v)^5Wu zmbYt}jJ{J(YwhXwj`W?GyR_R5+IcN&Ib6`zz8!iFcX!NW+BxsfSaNJV2csk1 zJ7Bc8I|ID~-Cfr(92o9y%Uq*;um^pN43W3~?lcreapP-4p;&ORLRAgtU7xJ@jPbK( zr;uwa+f${SkOG)X4uI6(=(z`dOgz}LHMYab)YoP_#>XVg=G$B*GR#KK=?&NLBj@=U zKHtOqoMAqF&_OB8<|!@{`EhNet(&jWW@+m)T&HT(H8u$hZYy73yk-e}HYV#Q{CEOn zeS{xh0S|}zX{cY{{Px#@T-W^g%KG)sk2gZtbt3`SgIsU?_NzdyTYh|X{rcv|@oLX; z_2X+m3&or2ebH~<4AO7>IQC@C@Ioq|fVK5?Al||Rw7`6*{W_?xr|}RHcr|b2`-}(1 
zul3hM*mW)e8|vTd`|a^A!1oJ3-U{hZd?R#(;&S)%dZE<=a+eI^H$m4C!w1rRV+H)9 z<^xgLjlUR{NPpAVAd520eiZRIG=ZF}Y!0;Qgz&|{@ttH`#sy;kHO$0dX@9AGlpe=l zEF}KVB2NBgoI$pfeu2LjEI*E~ARgBKtL@iY%1;Y4-eO?RpThinfF`k!{?MRyWO+Yq zMLY(}`-6^ni@!Rh-GjImf*)1*^8Pb{coJHd^`9c*E%D{&k;C@Ee)tXLe|g39EPZV} z35}ZJD}0)8y0b7&&+94uK>6PYU4j1mEaENkCOF0YM4rDNBOH(K5ysWCdh~N%;mW0N z^C$KnJYW9Ge&imap3x)o?W_2S$HU{l9`UvD)@AL#1#!*S5?9$pe&Qk5J@v)|*BqsA zs6t~5v$F&5-uX$(aaV+;GMN;PLh66+da+#D$>=3qZiFKe)3GK1fr?Ybj|OwFv^2?d zrp+8JPO6|~zGO~JmBy?oGw+nj71OHDLasDDGi5t=UQdTxnBzFeFs*XgnltU9Q=WtI zvNdg+`Rera98x@*Ny8DJY2dXDHqA5#4)*NpH~aVZnYcQt@4@{&`-XZE#zCIhpXJhQ z-$5`3hY#%S88#0L42DLVkaeP1 z)o02jY=JZ9fySx@TzrV@;#{kqy+du(pL8;xv?`OJ=jV!8g)5!1TXNJcR|=(~Pcg9! zBV!SPb2C#8=+rMjckEf*Qg_0#k~$i?J;@ztGLKx*T!!0|T!!S)u{B-DVXYfkx?zese4#Y+d?d)y@BJ6Ufm^H45U zwvs1#EBJ>{-C|+BL9rsW)ENHHH{yU|0Z&&?@0YJ|B?SIApbvr`adP9SB~R5h|&HF zU)D8WNRc&wrnXBP;fwqi7J2#g`Bd8Fu&6r_p2#?oy?hz(rkNN#US#V{jR=r0X}^p& zJ3b(Nsh5rCe Ct)`Ly literal 0 HcmV?d00001 From 12fa3dfc1f28bff7e63921d92dd188f3ec00df6f Mon Sep 17 00:00:00 2001 From: Nate Coraor Date: Mon, 23 Dec 2024 16:02:35 -0600 Subject: [PATCH 8/8] Update the optional PolicyKit rule 1. To limit by service 2. To take a list of users in addition to a group 2. To optionally automatically use the `owner`s in `cvmfs_repositories` instead of a provided list --- defaults/main.yml | 13 +++++++++++++ tasks/stratum1.yml | 2 +- templates/01-manage-units.rules.j2 | 19 ++++++++++++++----- 3 files changed, 28 insertions(+), 6 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index c8b2bff..b9f17b0 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -124,6 +124,19 @@ cvmfs_geoip_db_update_day: "{{ 28 | random(seed=inventory_hostname) }}"
 # 3. this points to a cert bundle that contains CA certs for your Stratum 0 (the default here is valid for EL).
 # cvmfs_x509_cert_bundle: /etc/pki/tls/cert.pem
+# The role will deploy a PolicyKit rule that allows unprivileged users to manage the services in cvmfs_manage_units if
+# either of the following two options are set.
+
+# Either a list of usernames, or set to a boolean true to automatically use the 'owner's in cvmfs_repositories
+#cvmfs_manage_units_users: ...
+
+# A group name
+#cvmfs_manage_units_group: ...
+
+# The list of units that can be managed by users in the above group
+cvmfs_manage_units:
+ - squid.service
+
 #
 # Galaxy-specific stuff follows
 #
diff --git a/tasks/stratum1.yml b/tasks/stratum1.yml
index 6c32852..f0b2838 100644
--- a/tasks/stratum1.yml
+++ b/tasks/stratum1.yml
@@ -129,4 +129,4 @@
 src: 01-manage-units.rules.j2
 dest: /etc/polkit-1/rules.d/01-manage-units.rules
 mode: 0644
- when: cvmfs_manage_units_group is defined
+ when: cvmfs_manage_units_users is defined or cvmfs_manage_units_group is defined
diff --git a/templates/01-manage-units.rules.j2 b/templates/01-manage-units.rules.j2
index aafc7b8..f93c113 100644
--- a/templates/01-manage-units.rules.j2
+++ b/templates/01-manage-units.rules.j2
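Review bot: The comment introduced above `cvmfs_manage_units` still says the units can be managed by users in the above group, but after this change the accounts listed in (or derived from) `cvmfs_manage_units_users` receive the same grant, so the comment is incomplete the moment it lands; `# The list of units that the users and/or group configured above may manage` matches the new behaviour. The boolean form also presumably depends on every entry of `cvmfs_repositories` carrying an `owner` key, which is worth stating next to the `#cvmfs_manage_units_users: ...` example.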
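Review bot: The new condition treats `cvmfs_manage_units_users: false` as enabled, because `is defined` holds for any value, and templates/01-manage-units.rules.j2 then takes its `{% elif cvmfs_manage_units_users is defined %}` branch and renders `var allowedUsers = false;`, on which `allowedUsers.includes(...)` raises a TypeError when polkit evaluates the rule instead of granting or denying as configured. Guarding on truthiness in both files keeps `false` and an empty list meaning off: here `when: (cvmfs_manage_units_users | default(false)) or cvmfs_manage_units_group is defined`, and in the template replace each `cvmfs_manage_units_users is defined` with `cvmfs_manage_units_users | default(false)`. The task this `when:` belongs to starts before the hunk.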
@@ -2,14 +2,23 @@
 * This file is managed by Ansible. ALL CHANGES WILL BE OVERWRITTEN.
 */
-/* Allow users in the docker group to manage units. Way more control than we
- * would like to give, but the "unit" and "verb" action variables (used with
- * action.lookup()) were not added to systemd until 226, so unless RedHat
- * backports them, we are SOL.
- */
+// Allow CVMFS repo owners to manage related services
 polkit.addRule(function(action, subject) {
+ var allowedUnits = {{ cvmfs_manage_units | to_json }};
+{% if cvmfs_manage_units_users is defined and cvmfs_manage_units_users is true %}
+ var allowedUsers = {{ cvmfs_repositories | map(attribute='owner') | unique | to_json }};
+{% elif cvmfs_manage_units_users is defined %}
+ var allowedUsers = {{ cvmfs_manage_units_users | to_json }};
+{% endif %}
 if (action.id == "org.freedesktop.systemd1.manage-units" &&
+ allowedUnits.includes(action.lookup("unit")) &&
+{% if cvmfs_manage_units_users is defined and cvmfs_manage_units_group is defined %}
+ (allowedUsers.includes(subject.user) || subject.isInGroup("{{ cvmfs_manage_units_group }}"))) {
+{% elif cvmfs_manage_units_users is defined %}
+ allowedUsers.includes(subject.user)) {
+{% elif cvmfs_manage_units_group is defined %}
 subject.isInGroup("{{ cvmfs_manage_units_group }}")) {
+{% endif %}
 return polkit.Result.YES;
 }
 });
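Review bot: The new rule restricts the unit but not the verb, so every listed user may issue any manage-units operation on the allowed units (stop, kill, restart and so on); the comment this change removes notes that systemd exposes the verb via `action.lookup()`, so a matching allow-list such as `var allowedVerbs = ["start", "stop", "restart", "reload"];` and `allowedVerbs.includes(action.lookup("verb")) &&` beside the unit check would keep the grant to what repository owners need. `Array.prototype.includes` is ES2016; if the role still targets polkit builds with an older JavaScript engine, `indexOf(...) !== -1` is the portable spelling, which I cannot determine from the hunk. The `// Allow CVMFS repo owners ...` comment could also note that members of `cvmfs_manage_units_group`, when set, receive the same grant.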