Introduction
For JS7 - Automated Deployment On Premises, use of a Deployment Area is recommended.
...
- to hold the script environment for JS7 - Automated Installation and Update and for JS7 - Deployment Packaging,
- to hold the configuration files and optionally certificates for deployment of JS7 products,
- to hold the JS7 installations per JS7 release and product, such as JOC Cockpit, Controller, Agent,
- to hold the archive of Deployment Packages per JS7 release and target host,
...
- how to manage ownership for the installation and configuration directories of JS7 products,
- how to manage permissions to set up JS7 products.
Managing Ownership
When it comes to ownership of directories used by JS7 products, users should consider:
- Separation of Directories
  - The installation directory tree includes files that are executed to start and to stop a JS7 product.
  - The configuration directory tree includes files for which read access by the Run-time Account is required. In addition, write access is required, for example for log files in this directory tree.
- Separation of Accounts
  - Deployment Account
    - The account performs deployment, i.e. it transfers the tarballs created during JS7 - Deployment Packaging to the target host and extracts the related tarballs.
  - Home Owner Account
    - The account owns the installation directory of the JS7 product.
  - Data Owner Account
    - The account owns the configuration directory of the JS7 product.
  - Run-time Account
    - The account runs the JS7 product's service.
    - The account requires access to read and to execute files in the installation directory.
    - The account requires access to read and to write files in the configuration directory.
Accounts are specified from the JS7 - Deployment Descriptor for all JS7 products like this:
 | Deployment Account | Home Owner Account | Data Owner Account | Run-time Account |
---|---|---|---|---|
Deployment Descriptor Element | .target.authentication.user | .installation.homeOwner | .installation.dataOwner | .installation.runUser |
In addition, users can make use of the .target.execPre and .target.execPost elements to specify one or more commands that will be executed on the target host before the Deployment Packages are extracted and after extraction:
- To apply more than one command, use of the eval command is required.
- The built-in functions StopService and StartService can be used to stop and to start the systemd service of the JS7 product.
- The commands run on the target host with the privileges of the Deployment Account, so any sudo calls they contain have to be permitted by the sudoers policy of the target host.

```sh
eval 'sudo mkdir -p /opt/sos-berlin.com/js7;sudo chown -R sos:sos /opt/sos-berlin.com/js7;sudo mkdir -p /var/sos-berlin.com/js7;sudo chown -R sos:sos /var/sos-berlin.com/js7;StopService'
```
Setting up ownership is straightforward if a single account is used, for example a non-root account or the root account, that deploys, owns and runs both the installation and configuration directories. For more complex scenarios see the following sections.
User Account Deployment and Ownership by User Account
This scenario applies if the Deployment Account that performs the installation of the JS7 product is the same as the Home Owner Account, Data Owner Account and Run-time Account.
Example | Deployment Account | Home Owner Account | Data Owner Account | Run-time Account |
---|---|---|---|---|
Deployment Descriptor | .target.authentication.user: "sos" | .installation.homeOwner: "sos" | .installation.dataOwner: "sos" | .installation.runUser: "sos" |
Deployment Descriptor | .target.authentication.user: "sos" | (not specified) | (not specified) | (not specified) |
...
For this scenario it is sufficient to specify the .target.authentication.user element with the value of the user account, for example sos.
...
- The Deployment Account is the owner of the parent directory to which JS7 products are installed.
- The directory tree includes the execute permission for any included sub-directories.
- No sticky bit is set for sub-directories in the directory tree.
Limited Use of sudo for Deployment and Ownership by individual User Accounts
This scenario applies if the Deployment Account that performs the installation of the JS7 product is different from the Home Owner Account, Data Owner Account and Run-time Account.
Example | Deployment Account | Home Owner Account | Data Owner Account | Run-time Account |
---|---|---|---|---|
Deployment Descriptor | .target.authentication.user: "sos" | .installation.homeOwner: "sos1" | .installation.dataOwner: "sos2" | .installation.runUser: "sos2" |
Deployment Descriptor | .target.authentication.user: "sos" | .installation.homeOwner: "sos1" | .installation.dataOwner: "sos2" | (not specified) |
...
The following prerequisites apply:
- Users can limit sudo capabilities. Use of sudo is limited
  - to the parent directory of the installation and configuration directories,
  - to allow the commands mkdir, rm, chown, ln for deployment,
  - to allow the commands cp, systemctl when using the StartService and StopService functions.
- The Deployment Account is the owner of the parent directory to which JS7 products are installed.
- The directory tree includes the execute permission for any included sub-directories.
- No sticky bit is set for sub-directories in the directory tree.
- Home Owner Account and Data Owner Account can be the same or can be different.
- The Data Owner Account is the same as the Run-time Account.
  - Should the accounts be different, then users have to manually adjust group permissions to allow the Run-time Account read/write access to the configuration directory.
- If no Run-time Account is specified, then the Data Owner Account is assumed for the Run-time Account.
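The three directory prerequisites (parent directory owned by the Deployment Account, execute bit on every sub-directory, no sticky bit) are the same for this scenario and for the single-account scenario above, and can be verified on the target host before a deployment run. The following POSIX shell script is an added example and is not part of JS7 or of its Deployment Packaging scripts; the parent directory /opt/sos-berlin.com and the account name sos in the usage comment are assumed sample values.

```shell
#!/bin/sh
# Preflight check for the Deployment Area prerequisites listed above.
# Added example, not part of JS7: it verifies on the target host that
#   - the parent directory is owned by the Deployment Account,
#   - every directory in the tree carries the owner execute bit,
#   - no directory in the tree has the sticky bit set.
# Assumed sample values: parent directory /opt/sos-berlin.com, Deployment Account "sos".

# check_owner DIR ACCOUNT: returns 0 if DIR is owned by ACCOUNT (name or numeric uid).
check_owner() {
    # -prune stops find from descending, so only DIR itself is tested
    [ -n "$(find "$1" -prune -user "$2" 2>/dev/null)" ]
}

# check_exec_bits DIR: returns 0 if every directory below DIR has the owner execute bit (0100).
# Without it the tree cannot be traversed and extraction of the tarballs fails.
check_exec_bits() {
    bad=$(find "$1" -type d ! -perm -100 2>/dev/null || true)
    [ -z "$bad" ] || { printf 'missing execute bit:\n%s\n' "$bad" >&2; return 1; }
}

# check_no_sticky DIR: returns 0 if no directory below DIR has the sticky bit (01000).
# With the sticky bit only the owner of an entry, the directory owner or root may delete
# or rename it, which breaks deployment when the Deployment Account differs from the
# Home Owner or Data Owner Account.
check_no_sticky() {
    bad=$(find "$1" -type d -perm -1000 2>/dev/null || true)
    [ -z "$bad" ] || { printf 'sticky bit set:\n%s\n' "$bad" >&2; return 1; }
}

# preflight DIR ACCOUNT: runs all checks and returns 0 only if all of them pass.
preflight() {
    rc=0
    check_owner "$1" "$2" || { printf '%s is not owned by %s\n' "$1" "$2" >&2; rc=1; }
    check_exec_bits "$1" || rc=1
    check_no_sticky "$1" || rc=1
    return $rc
}

# Usage on the target host (assumed values):
#   preflight /opt/sos-berlin.com sos && echo "ready for deployment"
```

Run the script as the Deployment Account, since that is the account whose traversal rights matter during extraction; a non-zero exit lists the offending directories on stderr.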
Deployment will be performed like this:
- Any file system operations such as mkdir, rm, chown, ln, tar will be performed using the Deployment Account if existing read/write permissions allow this. Otherwise sudo will be used.
- Ownership of the installation and configuration directories will be assigned to the related user accounts.
Unlimited Use of sudo for Deployment and Ownership by individual User Accounts
This scenario applies if the Deployment Account that performs the installation of the JS7 product is different from the Home Owner Account, Data Owner Account and Run-time Account. In addition, use of sudo for any operation related to the installation and configuration directories is enforced.
Example | Deployment Account | Home Owner Account | Data Owner Account | Run-time Account | Force sudo |
---|---|---|---|---|---|
Deployment Descriptor | .target.authentication.user: "sos" | .installation.homeOwner: "sos1" | .installation.dataOwner: "sos2" | .installation.runUser: "sos2" | .target.forceSudo: true |
Deployment Descriptor | .target.authentication.user: "sos" | .installation.homeOwner: "sos1" | .installation.dataOwner: "sos2" | (not specified) | .target.forceSudo: true |
The following prerequisites apply:
- Home Owner Account and Data Owner Account can be the same or can be different.
- The Data Owner Account is the same as the Run-time Account.
  - Should the accounts be different, then users have to manually adjust group permissions to allow the Run-time Account read/write access to the configuration directory.
- If no Run-time Account is specified, then the Data Owner Account is automatically assumed for the Run-time Account.
Deployment will be performed like this:
- Any file system operations such as mkdir, rm, chown, ln, tar are performed using sudo.
- Ownership of the installation and configuration directories is assigned to the Home Owner and Data Owner accounts.
Root Account Deployment and Ownership by Root Account
This scenario applies if the Deployment Account that performs the installation of the JS7 product is root and is the same as the Home Owner Account, Data Owner Account and Run-time Account.
Example | Deployment Account | Home Owner Account | Data Owner Account | Run-time Account |
---|---|---|---|---|
Deployment Descriptor | .target.authentication.user: "root" | .installation.homeOwner: "root" | .installation.dataOwner: "root" | .installation.runUser: "root" |
Deployment Descriptor | .target.authentication.user: "root" | (not specified) | (not specified) | (not specified) |
For this scenario it is sufficient to specify the target.authentication.user element with the value root.
This scenario generally is not recommended as it
- requires direct root access by SSH connections to the target host,
- operates the JS7 products from the root account, which holds higher privileges than required.
Root Account Deployment and Ownership by individual User Accounts
This scenario applies if the Deployment Account that performs the installation of the JS7 product is root and is different from the Home Owner Account, Data Owner Account and Run-time Account.
Example | Deployment Account | Home Owner Account | Data Owner Account | Run-time Account |
---|---|---|---|---|
Deployment Descriptor | .target.authentication.user: "root" | .installation.homeOwner: "sos" | .installation.dataOwner: "root" | .installation.runUser: "root" |
Deployment Descriptor | .target.authentication.user: "root" | (not specified) | (not specified) | (not specified) |
For this scenario the target.authentication.user element is specified with the value root.
This scenario generally is not recommended as it
- requires direct root access by SSH connections to the target host.
Resources
...