author | Lars Wirzenius <liw@liw.fi> | 2017-11-12 19:50:34 +0100 |
---|---|---|
committer | Lars Wirzenius <liw@liw.fi> | 2017-11-12 19:50:34 +0100 |
commit | 62f338c97749db4f84695baeb972b0bd5ab01d4c (patch) | |
tree | 3e4093fe8c136923b56652b7301b44167329780a | |
parent | 509ed4047a4013070dde5785bb33db092c8fbe04 (diff) | |
parent | 46fa95ce04ab2b523bf5583cb43de682dc38918b (diff) | |
download | ick2-62f338c97749db4f84695baeb972b0bd5ab01d4c.tar.gz |
Merge: set up worker-manager in .deb
-rw-r--r-- | debian/changelog | 1 | ||||
-rw-r--r-- | debian/control | 2 | ||||
-rw-r--r-- | debian/ick2.install | 2 | ||||
-rw-r--r-- | debian/ick2.postinst | 29 | ||||
-rw-r--r-- | ick2-worker-manager.service | 28 | ||||
-rwxr-xr-x | icktool | 2 | ||||
-rw-r--r-- | setup.py | 2 | ||||
-rwxr-xr-x | worker_manager | 53 | ||||
-rw-r--r-- | worker_manager.yaml | 23 |
9 files changed, 129 insertions, 13 deletions
diff --git a/debian/changelog b/debian/changelog
index 1743342..107a19f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,7 @@
 ick2 (0.13+git-1) UNRELEASED; urgency=medium
 * New upstream version.
+ * postinst: create user, group for worker-manager
 -- Lars Wirzenius <liw@liw.fi> Mon, 16 Oct 2017 22:16:53 +0300
diff --git a/debian/control b/debian/control
index 1e20006..8b2cc60 100644
--- a/debian/control
+++ b/debian/control
@@ -25,7 +25,7 @@ Build-Depends: debhelper (>= 9~),
 Package: ick2
 Architecture: all
 Depends: ${python3:Depends}, ${misc:Depends},
- python3-all,
+ python3,
 python3-bottle,
 python3-cliapp,
 python3-apifw,
diff --git a/debian/ick2.install b/debian/ick2.install
index 7a442c6..2535f43 100644
--- a/debian/ick2.install
+++ b/debian/ick2.install
@@ -1 +1,3 @@
 ick2.service lib/systemd/system
+ick2-worker-manager.service lib/systemd/system
+worker_manager.yaml etc/ick
diff --git a/debian/ick2.postinst b/debian/ick2.postinst
index c951569..028139b 100644
--- a/debian/ick2.postinst
+++ b/debian/ick2.postinst
@@ -16,20 +16,31 @@
 set -eu
-# Create a group and user for ick
-addgroup --system --force _ick
-adduser --system --disabled-login --disabled-password \
- --gecos "Ick CI" --home /var/lib/ick \
+
+create_user()
+{
+ local name="$1"
+ local home="$2"
+ local logdir="$3"
+
+ addgroup --force "$name" || true
+ adduser --disabled-login --disabled-password \
+ --gecos "Ick CI" --home "$home" \
 --shell /bin/true --force \
- _ick
+ --ingroup "$name" \
+ "$name" || true
+ install -d -m 0755 -o "$name" -g "$name" "$logdir"
+}
+
-# Create the log directory with the right ownership and permissions.
-install -d -m 0755 -o _ick -g _ick /var/log/ick
+# Create a group and user for ick controllerand worker-manager
+create_user _ick /var/lib/ick /var/log/ick
+create_user _ickwm /var/lib/ick/wm /var/log/ickwm
-# Create ick state dir
+# Create controller state dir
 install -d -m 0755 -o _ick -g _ick /var/lib/ick/state
-# Create config dir.
+# Create controller config dir.
 install -d -m 0755 -o root -g root /etc/ick
 #DEBHELPER#
diff --git a/ick2-worker-manager.service b/ick2-worker-manager.service
new file mode 100644
index 0000000..9c2ad36
--- /dev/null
+++ b/ick2-worker-manager.service
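Review bot: `create_user` drops `--system` from both `addgroup` and `adduser`, so `_ick` and `_ickwm` are now created as ordinary accounts in the regular UID/GID range rather than as system accounts, and the trailing `|| true` hides every failure of those two commands, not only the "already exists" case. If these are still meant to be daemon accounts, keep the flag, e.g. `addgroup --system "$name"` and `adduser --system ... --ingroup "$name" "$name"`; the `--system` mode is designed to be re-runnable when the account already exists, so the `|| true` can then be removed and real errors stop the script under `set -eu`. A one-line comment above `create_user()` naming its three arguments (account name, home directory, log directory) would help, and the comment above the two calls reads `controllerand`.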
@@ -0,0 +1,28 @@
+# Copyright 2017 Lars Wirzenius
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+[Unit]
+Description=ick2 worker manager
+After=network.target
+
+[Service]
+Type=simple
+User=_ickwm
+Group=_ickwm
+WorkingDirectory=/var/lib/ick/wm
+ExecStart=/usr/bin/worker_manager --config /etc/ick/worker_manager.yaml
+KillSignal=QUIT
+
+[Install]
+WantedBy=multi-user.target
@@ -41,7 +41,7 @@ class Icktool(cliapp.Application):
 _default_scopes = [
 'uapi_version_get',
 'uapi_work_post',
- ] + scopes('projects') + scopes('work') + scopes('builds') + scopes('logs')
+ ] + scopes('projects') + scopes('workers') + scopes('work') + scopes('builds') + scopes('logs')
 def add_settings(self):
 self.settings.string(
@@ -27,6 +27,6 @@ setup(
 url='http://liw.fi/ick/',
 py_modules=['ick_controller'],
 packages=['ick2'],
- scripts=['create-token', 'start_ick', 'icktool'],
+ scripts=['create-token', 'start_ick', 'icktool', 'worker_manager'],
 data_files=[],
 )
diff --git a/worker_manager b/worker_manager
index f5492cb..1744874 100755
--- a/worker_manager
+++ b/worker_manager
@@ -20,7 +20,9 @@ import logging
 import sys
 import time
+import apifw
 import cliapp
+import Crypto.PublicKey.RSA
 import requests
 import urllib3
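Review bot: The `[Service]` section runs the daemon as the dedicated `_ickwm` account but sets no sandboxing, even though this process reads the token signing key named in `/etc/ick/worker_manager.yaml` and talks to the controller over the network. Consider adding `NoNewPrivileges=yes`, `PrivateTmp=yes` and `ProtectSystem=full` after `Group=_ickwm`, provided the worker manager does not need to write outside `/var/lib/ick/wm` and `/var/log/ickwm`, which cannot be confirmed from this unit alone. A short comment above `KillSignal=QUIT` saying why SIGQUIT is used instead of the default SIGTERM would also help the next maintainer.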
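Review bot: `import Crypto.PublicKey.RSA` in the worker_manager import hunk makes the script depend on whichever distribution provides the `Crypto` namespace, and the `debian/control` hunk in this commit does not show a matching package being added to `Depends` (only part of that list is visible, so it may already be there or come in through `python3-apifw`). The original PyCrypto project is no longer maintained, so it is worth recording next to the import which provider is intended and declaring it explicitly in the packaging rather than relying on a transitive dependency. The hunk shows only the import block; the key is actually loaded in `create_token`.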
@@ -57,6 +59,18 @@ class WorkerManager(cliapp.Application):
 metavar='TOKEN',
 )
+ self.settings.string(
+ ['token-key'],
+ 'get token signing private key from FILE',
+ metavar='FILE',
+ )
+
+ self.settings.string(
+ ['token-key-pub'],
+ 'get token signing public key from FILE',
+ metavar='FILE',
+ )
+
 self.settings.integer(
 ['sleep'],
 'sleep for SECS seconds if there is no work currently',
@@ -97,11 +111,48 @@ class WorkerManager(cliapp.Application):
 return work
 def get_auth_headers(self):
- token = self.settings['token']
+ token = self.get_token()
 return {
 'Authorization': 'Bearer {}'.format(token),
 }
+ def get_token(self):
+ token = self.settings['token']
+ token_key = self.settings['token-key']
+ token_key_pub = self.settings['token-key-pub']
+
+ if token:
+ return token
+ elif token_key and token_key_pub:
+ with open(token_key) as f1, open(token_key_pub) as f2:
+ key_text = f1.read()
+ pub_text = f2.read()
+ return self.create_token(key_text, pub_text)
+ sys.exit('No token and no way to create')
+
+ def create_token(self, key_text, pub_text):
+ iss = 'localhost'
+ aud = 'localhost'
+ scopes_list = [
+ 'uapi_work_id_get',
+ 'uapi_work_post',
+ ]
+
+ key = Crypto.PublicKey.RSA.importKey(key_text)
+ scopes = ' '.join(scopes_list)
+
+ now = time.time()
+ claims = {
+ 'iss': iss,
+ 'sub': 'subject-uuid',
+ 'aud': aud,
+ 'exp': now + 86400,
+ 'scope': scopes,
+ }
+
+ token = apifw.create_token(claims, key)
+ return token.decode('ascii')
+
 def report_pretend_work(self, url, name, work):
 self.show_msg('Pretending to work: {!r}'.format(work))
 snippet_url = '{}/work/{}'.format(url, name)
diff --git a/worker_manager.yaml b/worker_manager.yaml
new file mode 100644
index 0000000..1279336
--- /dev/null
+++ b/worker_manager.yaml
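Review bot: `create_token` signs a token that stays valid for 24 hours (`'exp': now + 86400`) under the fixed subject `'subject-uuid'`, and a new one is minted every time `get_auth_headers` runs, so each call leaves behind another day-long bearer token that the controller cannot attribute to a particular worker. Since minting is already per call, a much shorter lifetime costs nothing, e.g. `'exp': now + 300,`, and the subject could carry the worker's identity, e.g. `'sub': self.settings['name'],` (assuming the `name` key from worker_manager.yaml is registered in `add_settings`, which lies outside this hunk). `pub_text` is read from disk and passed in but never used, so `--token-key-pub` is required for no effect; either drop the requirement or use the public key to verify the freshly signed token. A docstring on `get_token` should also state that any host given `--token-key` holds the signing private key and can therefore mint tokens with arbitrary scopes, which is why a pre-issued `--token` takes precedence.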
@@ -0,0 +1,23 @@
+# Copyright 2017 Lars Wirzenius
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+config:
+ controller: https://127.0.0.1
+ name: worker1
+ log: /var/log/ickwm/worker_manager.log
+ log-level: debug
+ log-max: 10M
+ log-keep: 10
+ token-key: /etc/ick/token_key
+ token-key-pub: /etc/ick/token_key.pub |
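Review bot: `token-key: /etc/ick/token_key` points the `_ickwm` service at a private signing key, but nothing visible in this commit installs that file or sets its owner and mode, and the postinst creates `/etc/ick` as root-owned `0755`. The key has to be readable by `_ickwm` and by no other unprivileged account, so a comment above the entry such as `# private signing key: owner root, group _ickwm, mode 0640` would tell the administrator what to set up. `log-level: debug` as the shipped default also deserves a comment or a quieter level, because this process handles bearer tokens and `/var/log/ickwm` is created `0755`; whether the log file itself is world-readable depends on the mode the logging library gives it, which is not shown here.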