Merge: set up worker-manager in .deb

9 files changed, 129 insertions, 13 deletions

diff --git a/debian/changelog b/debian/changelog
index 1743342..107a19f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,7 @@
 ick2 (0.13+git-1) UNRELEASED; urgency=medium
 
   * New upstream version.
+  * postinst: create user, group for worker-manager
 
  -- Lars Wirzenius <liw@liw.fi>  Mon, 16 Oct 2017 22:16:53 +0300
 
diff --git a/debian/control b/debian/control
index 1e20006..8b2cc60 100644
--- a/debian/control
+++ b/debian/control
@@ -25,7 +25,7 @@ Build-Depends: debhelper (>= 9~),
 Package: ick2
 Architecture: all
 Depends: ${python3:Depends}, ${misc:Depends},
-  python3-all,
+  python3,
   python3-bottle,
   python3-cliapp,
   python3-apifw,
diff --git a/debian/ick2.install b/debian/ick2.install
index 7a442c6..2535f43 100644
--- a/debian/ick2.install
+++ b/debian/ick2.install
@@ -1 +1,3 @@
 ick2.service lib/systemd/system
+ick2-worker-manager.service lib/systemd/system
+worker_manager.yaml etc/ick
diff --git a/debian/ick2.postinst b/debian/ick2.postinst
index c951569..028139b 100644
--- a/debian/ick2.postinst
+++ b/debian/ick2.postinst
@@ -16,20 +16,31 @@
 
 set -eu
 
-# Create a group and user for ick
-addgroup --system --force _ick
-adduser --system --disabled-login --disabled-password \
-        --gecos "Ick CI" --home /var/lib/ick \
+
+create_user()
+{
+    local name="$1"
+    local home="$2"
+    local logdir="$3"
+
+    addgroup --force "$name" || true
+    adduser --disabled-login --disabled-password \
+        --gecos "Ick CI" --home "$home" \
         --shell /bin/true --force \
-        _ick
+        --ingroup "$name" \
+        "$name" || true
+    install -d -m 0755 -o "$name" -g "$name" "$logdir"
+}
+
 
-# Create the log directory with the right ownership and permissions.
-install -d -m 0755 -o _ick -g _ick /var/log/ick
+# Create a group and user for ick controllerand worker-manager
+create_user _ick /var/lib/ick /var/log/ick
+create_user _ickwm /var/lib/ick/wm /var/log/ickwm
 
-# Create ick state dir
+# Create controller state dir
 install -d  -m 0755 -o _ick -g _ick /var/lib/ick/state
 
-# Create config dir.
+# Create controller config dir.
 install -d -m 0755 -o root -g root /etc/ick
 
 #DEBHELPER#
diff --git a/ick2-worker-manager.service b/ick2-worker-manager.service
new file mode 100644
index 0000000..9c2ad36
--- /dev/null
+++ b/ick2-worker-manager.service
@@ -0,0 +1,28 @@
+# Copyright 2017 Lars Wirzenius
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+[Unit]
+Description=ick2 worker manager
+After=network.target
+
+[Service]
+Type=simple
+User=_ickwm
+Group=_ickwm
+WorkingDirectory=/var/lib/ick/wm
+ExecStart=/usr/bin/worker_manager --config /etc/ick/worker_manager.yaml
+KillSignal=QUIT
+
+[Install]
+WantedBy=multi-user.target
diff --git a/icktool b/icktool
index 3c8dec9..b47b851 100755
--- a/icktool
+++ b/icktool
@@ -41,7 +41,7 @@ class Icktool(cliapp.Application):
     _default_scopes = [
         'uapi_version_get',
         'uapi_work_post',
-    ] + scopes('projects') + scopes('work') + scopes('builds') + scopes('logs')
+    ] + scopes('projects') + scopes('workers') + scopes('work') + scopes('builds') + scopes('logs')
 
     def add_settings(self):
         self.settings.string(
diff --git a/setup.py b/setup.py
index d8721ed..7b0b30e 100644
--- a/setup.py
+++ b/setup.py
@@ -27,6 +27,6 @@ setup(
     url='http://liw.fi/ick/',
     py_modules=['ick_controller'],
     packages=['ick2'],
-    scripts=['create-token', 'start_ick', 'icktool'],
+    scripts=['create-token', 'start_ick', 'icktool', 'worker_manager'],
     data_files=[],
 )
diff --git a/worker_manager b/worker_manager
index f5492cb..1744874 100755
--- a/worker_manager
+++ b/worker_manager
@@ -20,7 +20,9 @@ import logging
 import sys
 import time
 
+import apifw
 import cliapp
+import Crypto.PublicKey.RSA
 import requests
 import urllib3
 
@@ -57,6 +59,18 @@ class WorkerManager(cliapp.Application):
             metavar='TOKEN',
         )
 
+        self.settings.string(
+            ['token-key'],
+            'get token signing private key from FILE',
+            metavar='FILE',
+        )
+
+        self.settings.string(
+            ['token-key-pub'],
+            'get token signing public key from FILE',
+            metavar='FILE',
+        )
+
         self.settings.integer(
             ['sleep'],
             'sleep for SECS seconds if there is no work currently',
@@ -97,11 +111,48 @@ class WorkerManager(cliapp.Application):
         return work
 
     def get_auth_headers(self):
-        token = self.settings['token']
+        token = self.get_token()
         return {
             'Authorization': 'Bearer {}'.format(token),
         }
 
+    def get_token(self):
+        token = self.settings['token']
+        token_key = self.settings['token-key']
+        token_key_pub = self.settings['token-key-pub']
+
+        if token:
+            return token
+        elif token_key and token_key_pub:
+            with open(token_key) as f1, open(token_key_pub) as f2:
+                key_text = f1.read()
+                pub_text = f2.read()
+                return self.create_token(key_text, pub_text)
+        sys.exit('No token and no way to create')
+
+    def create_token(self, key_text, pub_text):
+        iss = 'localhost'
+        aud = 'localhost'
+        scopes_list = [
+            'uapi_work_id_get',
+            'uapi_work_post',
+        ]
+
+        key = Crypto.PublicKey.RSA.importKey(key_text)
+        scopes = ' '.join(scopes_list)
+
+        now = time.time()
+        claims = {
+            'iss': iss,
+            'sub': 'subject-uuid',
+            'aud': aud,
+            'exp': now + 86400,
+            'scope': scopes,
+        }
+
+        token = apifw.create_token(claims, key)
+        return token.decode('ascii')
+
     def report_pretend_work(self, url, name, work):
         self.show_msg('Pretending to work: {!r}'.format(work))
         snippet_url = '{}/work/{}'.format(url, name)
diff --git a/worker_manager.yaml b/worker_manager.yaml
new file mode 100644
index 0000000..1279336
--- /dev/null
+++ b/worker_manager.yaml
@@ -0,0 +1,23 @@
+# Copyright 2017 Lars Wirzenius
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+config:
+  controller: https://127.0.0.1
+  name: worker1
+  log: /var/log/ickwm/worker_manager.log
+  log-level: debug
+  log-max: 10M
+  log-keep: 10
+  token-key: /etc/ick/token_key
+  token-key-pub: /etc/ick/token_key.pub