Page History
| Table of Contents |
|---|
Introduction
For JS7 - Automated Deployment On Premises use of a Deployment Area is recommended.
...
- to hold the script environment for JS7 - Automated Installation and Update and for JS7 - Deployment Packaging,
- to hold the configuration files and optionally certificates for deployment of JS7 componentsproducts,
- to hold the JS7 installations per JS7 release and component product such as JOC Cockpit, Controller, Agent,
- to hold the archive of Deployment Packages per JS7 releases and target host,
...
- how to manage ownership for the installation and configuration directories of JS7 componentsproducts,
- how to manage permissions to set up JS7 componentsproducts
Managing Ownership
When it comes to ownership of directories used by JS7 components products users should consider:
- Separation of Directories
- The installation directory tree includes files that are executed to start and to stop JS7 componentsproducts.
- The configuration directory tree includes files for which read access for the Run-time Account is required. In addition write access is required for example for log files in this the directory tree.
- User Separation of Accounts
- Deployment Account
- The account performs deployment, i.e. it transfers the tarballs created during JS7 - Deployment Packaging to the target host and extracts related tarballs.
- Home Owner Account
- The account owns the installation directory of the JS7 componentproduct.
- Data Owner Account
- The account owns the configuration directory of the JS7 componentproduct.
- Run-time Account
- The account runs the JS7 component product's service.
- The account requires access to read and to execute files in the installation directory.
- The account requires access to read and to write files in the configuration directory.
- Deployment Account
Accounts are specified from the JS7 - Deployment Descriptor for any all JS7 component products like this:
| Deployment Account | Home Owner Account | Data Owner Account | Run-time Account | |
|---|---|---|---|---|
| Deployment Descriptor Element | .target.authentication.user | .installation.homeOwner | .installation.dataOwner | .installation.runUser |
In addition, users can make use of the .target.execPre and .target.execPost elements to specify one or more commands that will be executed on the target host before the Deployment Packages will be extracted and after extraction:
- To apply more than one command use of the
evalcommand is required. - The built-in functions StopService and StartService can be used to stop and to start the systemd service of the JS7 product.
| Code Block | ||||
|---|---|---|---|---|
| ||||
eval 'sudo mkdir -p /opt/sos-berlin.com/js7;sudo chown -R sos:sos /opt/sos-berlin.com/js7;sudo mkdir -p /var/sos-berlin.com/js7;sudo chown -R sos:sos /var/sos-berlin.com/js7;StopService' |
Setting up ownership is straightforward if a single account is used, for example, a non-root account or root account, that deploys, owns and runs both the installation and configuration directories. For more complex scenarios see the following sections.
...
This scenario applies if the Deployment Account that performs the installation of the JS7 component product is the same as the Home Owner Account, Data Owner Account and Run-time Account
| Example | Deployment Account | Home Owner Account | Data Owner Account | Run-time Account |
|---|---|---|---|---|
| Deployment Descriptor | .target.authentication.user: "sos" | .installation.homeOwner: "sos" | .installation.dataOwner: "sos" | .installation.runUser: "sos" |
| Deployment Descriptor | .target.authentication.user: "sos" | (not specified) | (not specified) | (not specified) |
...
- The Deployment Account is the owner of the parent directory to which JS7 components are products are installed.
- The directory tree includes the execute permission for any included sub-directories.
- No sticky bit is set for sub-directories in the directory tree.
...
This scenario applies if the Deployment Account that performs the installation of the JS7 component product is different from the Home Owner Account, Data Owner Account and Run-time Account
| Example | Deployment Account | Home Owner Account | Data Owner Account | Run-time Account |
|---|---|---|---|---|
| Deployment Descriptor | .target.authentication.user: "sos" | .installation.homeOwner: "sos1" | .installation.dataOwner: "sos2" | .installation.runUser: "sos2" |
| Deployment Descriptor | .target.authentication.user: "sos" | .installation.homeOwner: "sos1" | .installation.homeOwner: "sos2" | (not specified) |
...
The following prerequisites apply:
- Users can limit
sudocapabilitiesUse ofsudocan be limited- to the parent directory of the installation and configurations directories,
- to allow the commands:
mkdir,rm,chown,lnfor deployment. - to allow the commands
cp,systemctlwhen using the StartService and StopService functions.
- The Deployment Account is the owner of the parent directory to which JS7 components products are installed.
- The directory tree includes the execute permission for any included sub-directories.
- No sticky bit is set for sub-directories in the directory tree.
- Home Owner Account and Data Owner Account can be the same or can be different.
- The Data Owner Account is the same as the Run-time Account.
- Should accounts be different then users have to manually adjust group permissions to allow the Run-time Account read/write access to the configuration directory.
- If no Run-time Account is specified then the Data Owner Account is assumed for the Run-time Account.
...
This scenario applies if the Deployment Account that performs the installation of the JS7 component product is the different from the Home Owner Account, Data Owner Account and Run-time Account. In addition use of sudo for any operation related to installation and configuration directories is enforced.
| Example | Deployment Account | Home Owner Account | Data Owner Account | Run-time Account | Force sudo |
|---|---|---|---|---|---|
| Deployment Descriptor | .target.authentication.user: "sos" | .installation.homeOwner: "sos1" | .installation.dataOwner: "sos2" | .installation.runUser: "sos2" | .target.forceSudo: true |
| Deployment Descriptor | .target.authentication.user: "sos" | .installation.homeOwner: "sos1" | .installation.homeOwnerdataOwner: "sos2" | (not specified) | .target.forceSudo: true |
...
- Any file system operations such as
mkdir,rm,cbown,ln,tarare performed usingsudo. - Ownership of the installation and configuration directories is assigned the related user Home Owner and Data Owner accounts.
Root Account Deployment and Ownership by Root Account
This scenario applies if the Deployment Account that performs the installation of the JS7 component product is root and is the same as the Home Owner Account, Data Owner Account and Run-time Account_.
| Example | Deployment Account | Home Owner Account | Data Owner Account | Run-time Account |
|---|---|---|---|---|
| Deployment Descriptor | .target.authentication.user: "root" | .installation.homeOwner: "root" | .installation.dataOwner: "root" | .installation.runUser: "root" |
| Deployment Descriptor | .target.authentication.user: "root" | (not specified) | (not specified) | (not specified) |
...
- requires direct root access by SSH connections to target host.
- operates the JS7 components products from the root account which includes higher privileges than required.
...
This scenario applies if the Deployment Account that performs the installation of the JS7 component product is root and is the same as the Home Owner Account, Data Owner Account and Run-time Account
...
Overview
Content Tools