1 change: 1 addition & 0 deletions deploy/playbooks/deploy.yml
Expand Up @@ -16,3 +16,4 @@
repos_root: "/opt/repos"
branch: "master"
development_server: false
app_user: "nginx"
this reads a bit odd, because the "app", as I understand it, is the Python application. And I don't think that the 'nginx' user should be the owner there, unless this implies just using the nginx user for everything related to the app: from logs to python code and static files?

We could create an entirely new UID ("chacra" ?) What do you think?

+1 to a "chacra" user. We'd just need to write the ansible to ensure the user exists as well.

1 change: 1 addition & 0 deletions deploy/playbooks/deploy_vagrant.yml
Expand Up @@ -17,3 +17,4 @@
repos_root: "/opt/repos"
branch: "master"
development_server: true
app_user: "nginx"
I've tested this branch in a local VM :)

I do think we'll need to run some chown -R nginx:nginx commands as cleanup if we make this change in production, though, since there is existing data there that is already owned by "admin". Something like this should work:

chown -R nginx:nginx /opt/chacra/log /opt/binaries /opt/repos /var/log/circus/

21 changes: 18 additions & 3 deletions deploy/playbooks/roles/common/tasks/circus.yml
@@ -1,6 +1,7 @@
---

- name: install circus in virtualenv
sudo: true
pip: name={{ item }} state=present virtualenv={{ app_home }}
with_items:
- circus
Expand All @@ -11,25 +12,39 @@
file:
path: /etc/circus
state: directory
owner: "{{ ansible_ssh_user }}"
owner: root
group: root
mode: 0755
recurse: yes
sudo: true

- name: ensure /var/log/circus exists
file:
path: /var/log/circus
state: directory
owner: "{{ ansible_ssh_user }}"
owner: "{{ app_user }}"
group: root
mode: 0755
recurse: yes
sudo: true

- name: ensure {{ app_home }}/log exists
file: path="{{ app_home }}/log" state=directory
sudo: true
file:
path: "{{ app_home }}/log"
state: directory
owner: "{{ app_user }}"
group: root
mode: 0755
recurse: yes

- name: install circus.conf init file
template:
src: circus.conf
dest: /etc/init/circus.conf
owner: root
group: root
mode: 0644
sudo: true
register: circus_service

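Review bot: `recurse: yes` together with a numeric `mode: 0755` on the /etc/circus, /var/log/circus and `{{ app_home }}/log` tasks in the second hunk applies 0755 to every regular file under those trees, not only to the directories, so the log files and /etc/circus/circus.ini (the file circusd is started with in circus.conf) end up world-readable with the execute bit set. If the goal is only ownership plus directory permissions, drop `recurse: yes` from these three tasks, or use a symbolic mode such as `mode: "u=rwX,g=rX,o=rX"` where `X` leaves file execute bits alone — provided the Ansible release in use supports symbolic modes (the `sudo:` keyword suggests a pre-2.0 version, so this is worth checking). Quoting the mode (`mode: "0755"`) and writing `recurse: true` would also keep yamllint's truthy and octal checks quiet. The second hunk begins inside the task that manages /etc/circus; its `- name:` line is above the hunk.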
43 changes: 30 additions & 13 deletions deploy/playbooks/roles/common/tasks/main.yml
@@ -1,15 +1,25 @@
---

- name: "ensure a home for {{ app_name }}"
sudo: yes
file: path={{ app_home }} owner={{ ansible_ssh_user }} group={{ ansible_ssh_user }} state=directory recurse=yes
register: app_home_created

- name: Update apt cache
apt:
update_cache: yes
sudo: yes

- include: nginx.yml
tags:
- nginx

- name: "ensure a home for {{ app_name }}"
sudo: yes
file:
path: "{{ app_home }}"
owner: root
group: root
mode: 0755
state: directory
recurse: yes
register: app_home_created

- name: install ssl system requirements
sudo: yes
apt: name={{ item }} state=present
Expand All @@ -26,36 +36,47 @@
- packages

- name: Create a virtualenv with latest pip.
sudo: true
pip: name=pip virtualenv={{ app_home }} extra_args='--upgrade'

- name: "pip+git install {{ app_name }} into virtualenv."
sudo: true
pip: name='git+https://github.com/ceph/chacra@{{ branch }}#egg=chacra' virtualenv={{ app_home }}
changed_when: False

- name: create the prod config file
action: template src=../templates/prod.py.j2 dest={{ app_home }}/src/{{ app_name }}/prod.py
sudo: true
template:
src: '../templates/prod.py.j2'
dest: "{{ app_home }}/src/{{ app_name }}/prod.py"

- name: create the prod api credentials file
sudo: true
template:
src: prod_api_creds.py.j2
dest: "{{ app_home }}/src/{{ app_name }}/prod_api_creds.py"
owner: root
group: "{{ app_user }}"
mode: 0640
when: (api_key is defined or api_user is defined) or
(app_home_created is defined and app_home_created|changed)

- name: install python requirements in virtualenv
sudo: true
pip:
requirements: "{{ app_home }}/src/{{ app_name }}/requirements.txt"
state: present
virtualenv: "{{ app_home }}"
notify: restart app

- name: ensure file paths are set properly
- name: ensure writable file paths are set properly
sudo: true
file:
path: "{{ item }}"
state: directory
owner: "{{ ansible_ssh_user }}"
group: "{{ ansible_ssh_user }}"
owner: "{{ app_user }}"
group: "{{ app_user }}"
mode: 0755
recurse: yes
with_items:
- "{{ binary_root }}"
Expand All @@ -69,10 +90,6 @@
tags:
- circus

- include: nginx.yml
tags:
- nginx

# nginx should be up and running by now, there is a bug with Ubuntu 14.04 and
# nginx where nginx is using the old init scripts and the 'service' command
# returns a zero exit code which ansible interprets as all being OK.
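Review bot: The `create the prod config file` task in the second hunk is converted to block form but, unlike the sibling `prod_api_creds.py`, `prod_db.py` and `alembic-prod.ini` templates in this commit, sets no `owner`, `group` or `mode`, so prod.py is written as root with whatever the template module's default gives (typically world-readable). For consistency with the other generated config files add `owner: root`, `group: "{{ app_user }}"` and `mode: 0640` (0644 only if prod.py is known to hold nothing sensitive). Moving `- include: nginx.yml` ahead of the app-home task looks like an implicit ordering dependency — `app_user` defaults to "nginx" in deploy.yml, a user that presumably only exists once the nginx package is installed — and deserves a comment on the include such as `# must run before any task that chowns to app_user: the nginx package creates that user`. Both hunks are cut: the first ends inside the `install ssl system requirements` task and the second opens on a `- packages` tag belonging to a task above it.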
21 changes: 20 additions & 1 deletion deploy/playbooks/roles/common/tasks/nginx.yml
@@ -1,4 +1,13 @@
---

- name: install nginx package
sudo: true
apt:
name: nginx
state: present
tags:
- packages

- name: ensure sites-available for nginx
file: path=/etc/nginx/sites-available state=directory
sudo: true
Expand Down Expand Up @@ -55,10 +64,20 @@
- name: make sure permissions are correct for crt
file:
path: /etc/ssl/certs/{{ ansible_fqdn }}-bundled.crt
mode: 0777
owner: root
group: root
mode: 0644
when: development_server
sudo: true

- name: make sure permissions are correct for key
file:
path: /etc/ssl/private/{{ ansible_fqdn }}.key
owner: root
group: root
mode: 0600
sudo: true

- name: ensure nginx is restarted
sudo: true
action: service name=nginx state=restarted
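Review bot: The new `make sure permissions are correct for key` task in the second hunk runs unconditionally, while the companion crt task keeps its `when: development_server` guard; the `file` module defaults to `state: file` and fails when the path is missing, so this task will error on any host where `/etc/ssl/private/{{ ansible_fqdn }}.key` has not been provisioned. Either add the same `when: development_server` guard to the key task, or, if the key is expected on every server, reconsider whether the crt task still needs its guard now that it sets 0644 root:root instead of the old 0777. I am inferring where the crt and key get created from the guard alone, since the second hunk starts mid-file and those tasks are not visible here.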
9 changes: 9 additions & 0 deletions deploy/playbooks/roles/common/tasks/postgresql.yml
Expand Up @@ -56,19 +56,27 @@
sudo: yes

- name: create the prod_db config file with the db password
sudo: yes
template:
src: ../templates/prod_db.py.j2
dest: "{{ app_home }}/src/{{ app_name }}/prod_db.py"
owner: root
group: "{{ app_user }}"
mode: 0640
notify:
- restart app
- restart celery
- restart celery beat

# this needs to be here because it needs the new db password
- name: create the prod alembic.ini file
sudo: yes
template:
src: ../templates/alembic-prod.ini.j2
dest: "{{ app_home }}/src/{{ app_name }}/alembic-prod.ini"
owner: root
group: "{{ app_user }}"
mode: 0640

- name: check if database for app needs populating
# this should be configurable/optional in the playbook
Expand All @@ -80,6 +88,7 @@
changed_when: "database_is_populated.rc != 0"

- name: populate the database for {{ app_name }}
sudo: yes
when: "database_is_populated.rc == 1"
command: "{{ app_home }}/bin/pecan populate {{ app_home }}/src/{{ app_name }}/prod.py"
environment:
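Review bot: `populate the database` now runs `pecan populate` as root via the added `sudo: yes` in the second hunk, so any file that command creates — for instance log output under `{{ app_home }}/log`, which the rest of this commit hands to `{{ app_user }}` — would be root-owned and no longer writable by the application afterwards. If elevation is only needed to read the 0640 config files, running the step as the app user (`sudo: yes` together with `sudo_user: "{{ app_user }}"`) keeps ownership consistent; whether populate writes anything is not visible from the hunk, so this is an inference to confirm. The `prod_db.py` and `alembic-prod.ini` tasks in the first hunk consistently use root:`{{ app_user }}` 0640, which matches the credentials file in main.yml. The second hunk is cut at the `environment:` block of the populate task.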
2 changes: 1 addition & 1 deletion deploy/playbooks/roles/common/templates/circus.conf
@@ -1,3 +1,3 @@
start on filesystem and net-device-up IFACE=lo
setuid {{ ansible_ssh_user }}
setuid {{ app_user }}
exec {{ app_home }}/bin/circusd /etc/circus/circus.ini
1 change: 0 additions & 1 deletion deploy/playbooks/roles/common/vars/main.yml
Expand Up @@ -11,7 +11,6 @@ system_packages:
- postgresql-common
- postgresql-contrib
- python-psycopg2
- nginx
- vim
# needed for the ansible apt_repository module
- python-apt