Introduction

For JS7 - Automated Deployment On Premises, use of a Deployment Area is recommended.

...

  • to hold the script environment for JS7 - Automated Installation and Update and for JS7 - Deployment Packaging,
  • to hold the configuration files and optionally certificates for deployment of JS7 products,
  • to hold the JS7 installations per JS7 release and product such as JOC Cockpit, Controller, Agent,
  • to hold the archive of Deployment Packages per JS7 release and target host,

...

  • how to manage ownership for the installation and configuration directories of JS7 products,
  • how to manage permissions to set up JS7 products.

Managing Ownership

When it comes to ownership of directories used by JS7 products, users should consider:

  • Separation of Directories
    • The installation directory tree includes files that are executed to start and to stop JS7 products.
    • The configuration directory tree includes files for which read access for the Run-time Account is required. In addition, write access is required, for example for log files in the directory tree.
  • Separation of Accounts
    • Deployment Account
      • The account performs deployment, i.e. it transfers the tarballs created during JS7 - Deployment Packaging to the target host and extracts the related tarballs.
    • Home Owner Account
      • The account owns the installation directory of the JS7 product.
    • Data Owner Account
      • The account owns the configuration directory of the JS7 product.
    • Run-time Account
      • The account runs the JS7 product's service.
      • The account requires access to read and to execute files in the installation directory.
      • The account requires access to read and to write files in the configuration directory.

Accounts are specified in the JS7 - Deployment Descriptor for all JS7 products like this:

  Account                 Deployment Descriptor Element
  Deployment Account      .target.authentication.user
  Home Owner Account      .installation.homeOwner
  Data Owner Account      .installation.dataOwner
  Run-time Account        .installation.runUser

...

  • To apply more than one command, use of the eval command is required.
  • The built-in functions StopService and StartService can be used to stop and to start the systemd service of the JS7 product.

Example for .target.ExecPre command (bash):

    eval 'sudo mkdir -p /opt/sos-berlin.com/js7;sudo chown -R sos:sos /opt/sos-berlin.com/js7;sudo mkdir -p /var/sos-berlin.com/js7;sudo chown -R sos:sos /var/sos-berlin.com/js7;StopService'

...

This scenario applies if the Deployment Account that performs the installation of the JS7 product is the same as the Home Owner Account, Data Owner Account and Run-time Account.

...

  • The Deployment Account is the owner of the parent directory to which JS7 products are installed.
  • The directory tree includes the execute permission for any included sub-directories.
  • No sticky bit is set for sub-directories in the directory tree.

...

This scenario applies if the Deployment Account that performs the installation of the JS7 product is different from the Home Owner Account, Data Owner Account and Run-time Account.

...

  • Users can limit sudo capabilities
    • to the parent directory of the installation and configuration directories,
    • to allow the commands mkdir, rm, chown, ln for deployment,
    • to allow the commands cp, systemctl when using the StartService and StopService functions.
  • The Deployment Account is the owner of the parent directory to which JS7 products are installed.
  • The directory tree includes the execute permission for any included sub-directories.
  • No sticky bit is set for sub-directories in the directory tree.
  • Home Owner Account and Data Owner Account can be the same or can be different.
  • The Data Owner Account is the same as the Run-time Account.
    • Should the accounts be different, users have to manually adjust group permissions to allow the Run-time Account read/write access to the configuration directory.
    • If no Run-time Account is specified, the Data Owner Account is assumed for the Run-time Account.
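The three conditions on the parent directory (ownership by the Deployment Account, execute permission on every sub-directory, no sticky bit) are the same in this scenario and in the first one, and they can be verified on the target host before a deployment run. The following POSIX shell check is an added example, not part of the JS7 documentation or its deployment scripts; the parent directory and account name it is called with are assumptions supplied by the caller.

```shell
#!/bin/sh
# Added example (not JS7 code): verify the preconditions the documentation
# lists for the parent directory into which JS7 products are installed.
# Usage: check_deploy_parent <parent-dir> <deployment-account>
# Prints every violation and returns 0 only if all three checks pass.
check_deploy_parent() {
    dir=$1
    account=$2
    rc=0

    if [ ! -d "$dir" ]; then
        echo "FAIL: $dir is not a directory"
        return 1
    fi

    # 1. The Deployment Account must own the parent directory itself.
    #    ls -ld is used rather than find -user so that an unknown account
    #    name shows up as a mismatch instead of a find error.
    owner=$(ls -ld "$dir" | awk '{print $3}')
    if [ "$owner" != "$account" ]; then
        echo "FAIL: $dir is owned by $owner, expected $account"
        rc=1
    fi

    # 2. Every directory in the tree needs the owner execute bit (octal 100);
    #    without it the deployment cannot traverse into the directory.
    noexec=$(find "$dir" -type d ! -perm -100 2>/dev/null || true)
    if [ -n "$noexec" ]; then
        echo "FAIL: directories without owner execute permission:"
        echo "$noexec"
        rc=1
    fi

    # 3. No sub-directory may carry the sticky bit (octal 1000): with it set,
    #    only an entry's owner may remove or rename it, which breaks the
    #    rm/chown/ln steps the Deployment Account performs.
    sticky=$(find "$dir" -type d ! -path "$dir" -perm -1000 2>/dev/null || true)
    if [ -n "$sticky" ]; then
        echo "FAIL: sub-directories with sticky bit set:"
        echo "$sticky"
        rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: $dir is ready for deployment by $account"
    return "$rc"
}
```

Run it as the Deployment Account against the parent directory, e.g. check_deploy_parent /opt/sos-berlin.com "$(id -un)", and repeat for the configuration parent directory.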

...

This scenario applies if the Deployment Account that performs the installation of the JS7 product is different from the Home Owner Account, Data Owner Account and Run-time Account. In addition, use of sudo for any operation related to installation and configuration directories is enforced.

...

This scenario applies if the Deployment Account that performs the installation of the JS7 product is root and is the same as the Home Owner Account, Data Owner Account and Run-time Account.

...

  • requires direct root access by SSH connections to the target host,
  • operates the JS7 products from the root account, which includes higher privileges than required.

...

This scenario applies if the Deployment Account that performs the installation of the JS7 product is root and is the same as the Home Owner Account, Data Owner Account and Run-time Account.

...