Page History

...

When it comes to ownership of directories used by JS7 components users should consider:

• Separation of Directories
  • The installation directory tree includes files that are executed to start and to stop JS7 components.
  • The configuration directory tree includes files for which read access for the Run-time Account is required. In addition write access is required for example for log files in this the directory tree.
• User Separation of Accounts
  • • Deployment Account
      • The account performs deployment, i.e. it transfers the tarballs created during JS7 - Deployment Packaging to the target host and extracts related tarballs.
    • Home Owner Account
      • The account owns the installation directory of the JS7 component.
    • Data Owner Account
      • The account owns the configuration directory of the JS7 component.
    • Run-time Account
      • The account runs the JS7 component service.
      • The account requires access to read and to execute files in the installation directory.
      • The account requires access to read and to write files in the configuration directory.

Accounts are specified from the JS7 - Deployment Descriptor for any all JS7 component like this:

In addition, users can make use of the .target.execPre and  .target.execPost elements to specify one or more commands that will be executed on the target host before the Deployment Packages will be extracted and after extraction:

• To apply more than one command use of the eval command is required.
• The built-in functions StopService and StartService can be used to stop and to start the systemd service of the JS7 component.
  
  

eval 'sudo mkdir -p /opt/sos-berlin.com/js7;sudo chown -R sos:sos /opt/sos-berlin.com/js7;sudo mkdir -p /var/sos-berlin.com/js7;sudo chown -R sos:sos /var/sos-berlin.com/js7;StopService'

Setting up ownership is straightforward if a single account is used, for example, a non-root account or root account, that deploys, owns and runs both the installation and configuration directories. For more complex scenarios see the following sections.

...

...

...

The following prerequisites apply:

• Users can limit sudo capabilitiesUse of sudo can be limited
  • to the parent directory of the installation and configurations directories,
  • to the commands: mkdir, rm, chown, ln.
• The Deployment Account is the owner of the parent directory to which JS7 components are installed.
• The directory tree includes the execute permission for any included sub-directories.
• No sticky bit is set for sub-directories in the directory tree.
• Home Owner Account and Data Owner Account can be the same or can be different.
• The Data Owner Account is the same as the Run-time Account.
  • Should accounts be different then users have to manually adjust group permissions to allow the Run-time Account read/write access to the configuration directory.
  • If no Run-time Account is specified then the Data Owner Account is assumed for the Run-time Account.

...

This scenario applies if the Deployment Account that performs the installation of the JS7 component is the different from the Home Owner Account, Data Owner Account and Run-time Account. In addition use of sudo for any operation related to installation and configuration directories is enforced.

...

• Any file system operations such as mkdir, rm, cbown, ln, tar are performed using sudo.
• Ownership of the installation and configuration directories is assigned the related user Home Owner and Data Owner accounts.

Root Account Deployment and Ownership by Root Account

This scenario applies if the Deployment Account that performs the installation of the JS7 component is root and is the same as the Home Owner Account, Data Owner Account and Run-time Account_.

...

This scenario applies if the Deployment Account that performs the installation of the JS7 component is root and is the same as the Home Owner Account, Data Owner Account and Run-time Account

...