From 4b2dfd8f90304f318dfb418333fd38d653391537 Mon Sep 17 00:00:00 2001
From: Steve Smith
Date: Tue, 9 Jul 2019 16:15:45 +1000
Subject: [PATCH 1/3] DCD-418: Limit permissions on the systemd unit and move DB params to the environment.

---
 roles/product_startup/molecule/default/tests/test_default.py | 3 +++
 roles/product_startup/tasks/main.yml | 3 +++
 roles/synchrony_config/tasks/main.yml | 2 +-
 roles/synchrony_config/templates/atl.synchrony.j2 | 5 +++--
 4 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/roles/product_startup/molecule/default/tests/test_default.py b/roles/product_startup/molecule/default/tests/test_default.py
index f01d546..3beccfe 100644
--- a/roles/product_startup/molecule/default/tests/test_default.py
+++ b/roles/product_startup/molecule/default/tests/test_default.py
@@ -9,3 +9,6 @@ testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
 def test_service_file(host):
 f = host.file('/etc/systemd/system/jira-software.service')
 assert f.contains("^ExecStart=/opt/atlassian/jira-software/current/bin/start-jira.sh -fg$")
+ assert f.user == 'root'
+ assert f.user == 'root'
+ assert f.mode == 0o0640
diff --git a/roles/product_startup/tasks/main.yml b/roles/product_startup/tasks/main.yml
index 4922627..706bee3 100644
--- a/roles/product_startup/tasks/main.yml
+++ b/roles/product_startup/tasks/main.yml
@@ -4,6 +4,9 @@
 template:
 src: "product.service.j2"
 dest: "/etc/systemd/system/{{ atl_systemd_service_name }}"
+ owner: root
+ group: root
+ mode: 0640
 notify:
 - Enable Product
 - Restart Product
diff --git a/roles/synchrony_config/tasks/main.yml b/roles/synchrony_config/tasks/main.yml
index 330fe6d..966e84f 100644
--- a/roles/synchrony_config/tasks/main.yml
+++ b/roles/synchrony_config/tasks/main.yml
@@ -12,4 +12,4 @@
 src: "atl.synchrony.j2"
 dest: "/etc/atl.synchrony"
 group: "{{ atl_product_user }}"
- mode: "0640"
+ mode: "0640" 
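Review bot: The second added `assert f.user == 'root'` is a verbatim duplicate of the first, so the `group: root` that the task sets in the same patch is never verified by this commit; PATCH 3/3 of the series changes that line to `assert f.group == 'root'`, which is the assertion that belongs here, so this only matters if the patches are applied separately. The mode literal `0o0640` carries a redundant leading zero; `0o640` is the conventional spelling and still reads as the task's `0640`. The new assertions also inherit the hard-coded `jira-software.service` path from the context line while the task writes `{{ atl_systemd_service_name }}`, so the ownership and mode checks cover only that one product.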
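Review bot: `mode: 0640` is added unquoted, while the sibling task in `roles/synchrony_config/tasks/main.yml` in this same patch writes `mode: "0640"`; YAML parsers differ on whether a leading-zero literal is octal, and Ansible's own documentation recommends the quoted form so the value cannot be read as decimal 640, so `mode: "0640"` keeps both roles consistent and unambiguous. Restricting the unit to root:root 0640 is fine for systemd itself, which reads units as root, but it does mean unprivileged users can no longer inspect the unit with `systemctl cat`. The commit subject gives the motivation, but the task itself does not; a one-line comment above `owner:` recording why the unit is deliberately not world-readable would help the next maintainer who is tempted to relax it.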
diff --git a/roles/synchrony_config/templates/atl.synchrony.j2 b/roles/synchrony_config/templates/atl.synchrony.j2 index 96c7ae2..e340fa3 100644 --- a/roles/synchrony_config/templates/atl.synchrony.j2 +++ b/roles/synchrony_config/templates/atl.synchrony.j2 @@ -9,11 +9,12 @@ ATL_SYNCHRONY_JAR_PATH="{{ atl_product_installation_current }}/confluence/WEB-IN AWS_EC2_PRIVATE_IP="{{ atl_local_ipv4 }}" _RUNJAVA="{{ atl_product_installation_current }}/jre/bin/java" +SYNCHRONY_DATABASE_USERNAME="{{ atl_jdbc_user }}" +SYNCHRONY_DATABASE_PASSWORD="{{ atl_jdbc_password }}" + ATL_SYNCHRONY_JVM_PROPERTIES="{{ atl_synchrony_stack_space }} {{ atl_synchrony_memory }} \ -Dsynchrony.cluster.impl=hazelcast-btf \ -Dsynchrony.database.url={{ atl_jdbc_url }} \ - -Dsynchrony.database.username={{ atl_jdbc_user }} \ - -Dsynchrony.database.password={{ atl_jdbc_password }} \ -Dsynchrony.bind={{ atl_local_ipv4 }} \ -Dsynchrony.cluster.bind={{ atl_local_ipv4 }} \ -Dcluster.interfaces={{ atl_local_ipv4 }} \ From 82d94c3a5bdda9eaf9b956135b445b22f49f3586 Mon Sep 17 00:00:00 2001 From: Steve Smith Date: Wed, 10 Jul 2019 09:21:28 +1000 Subject: [PATCH 2/3] DCD-418: Move JWT keys to environment vars. --- roles/synchrony_config/files/start-synchrony | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/roles/synchrony_config/files/start-synchrony b/roles/synchrony_config/files/start-synchrony index 5029e66..e52555d 100755 --- a/roles/synchrony_config/files/start-synchrony +++ b/roles/synchrony_config/files/start-synchrony @@ -55,9 +55,11 @@ function waitForConfluenceConfigInSharedHome() { waitForConfluenceConfigInSharedHome +# Additional settings are in /etc/atl.synchrony +export SYNCHRONY_JWT_PRIVATE_KEY +export SYNCHRONY_JWT_PUBLIC_KEY + exec ${_RUNJAVA} \ -classpath ${SYNCHRONY_CLASSPATH} \ ${ATL_SYNCHRONY_JVM_PROPERTIES} \ - -Djwt.private.key=${SYNCHRONY_JWT_PRIVATE_KEY} \ - -Djwt.public.key=${SYNCHRONY_JWT_PUBLIC_KEY} \ synchrony.core sql 
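Review bot: `SYNCHRONY_DATABASE_USERNAME` and `SYNCHRONY_DATABASE_PASSWORD` are assigned in `/etc/atl.synchrony` but nothing in this hunk exports them; if the file is sourced by the start script (the comment added in PATCH 2/3 says additional settings live there) the two values stay shell-local and never reach the JVM, unlike the JWT keys, which that patch explicitly `export`s, so either prefix both assignments here with `export` or export them next to the JWT keys in `start-synchrony` — this does not apply if the file is consumed as a systemd `EnvironmentFile`, which the patch does not show. Whether Synchrony actually reads these two environment variable names is not documented anywhere in the change and is worth a comment above them, e.g. `# read by Synchrony from the environment; kept off the -D command line so they are not visible in ps`. Moving the credentials off the command line is the right direction, since the JVM command line is readable by every local user while the environment is readable only by the process owner and root. For the same reason `-Dsynchrony.database.url={{ atl_jdbc_url }}` remaining on the command line means the URL must not embed credentials. Both values are interpolated inside double quotes, so a password containing `"`, `$` or a backtick would break or be expanded when the file is sourced; single quotes or escaping the value in the template would avoid that.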
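Review bot: The two new `export` lines pass whatever `SYNCHRONY_JWT_PRIVATE_KEY` and `SYNCHRONY_JWT_PUBLIC_KEY` currently hold, and nothing in the hunk checks that they are set; with the removed `-Djwt.*` flags an empty value was at least visible on the command line, whereas now a missing key silently starts a process with no JWT configuration. A guard before the exports, `: "${SYNCHRONY_JWT_PRIVATE_KEY:?must be set in /etc/atl.synchrony}"` and the same for the public key, makes the script abort with a clear message instead. The comment `# Additional settings are in /etc/atl.synchrony` would be more useful if it also stated that the keys are passed through the environment deliberately so they do not appear in `ps` output, since that is the reason the flags were removed. The point where `/etc/atl.synchrony` is sourced is outside the hunk, so whether it already exports the keys cannot be confirmed here.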
From 5dc978afb0698f5934d51189582a860784e92247 Mon Sep 17 00:00:00 2001
From: Steve Smith
Date: Wed, 10 Jul 2019 16:52:18 +1000
Subject: [PATCH 3/3] DCD-418: Fix test.

---
 roles/product_startup/molecule/default/tests/test_default.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/roles/product_startup/molecule/default/tests/test_default.py b/roles/product_startup/molecule/default/tests/test_default.py
index 3beccfe..8210664 100644
--- a/roles/product_startup/molecule/default/tests/test_default.py
+++ b/roles/product_startup/molecule/default/tests/test_default.py
@@ -10,5 +10,5 @@ def test_service_file(host):
 f = host.file('/etc/systemd/system/jira-software.service')
 assert f.contains("^ExecStart=/opt/atlassian/jira-software/current/bin/start-jira.sh -fg$")
 assert f.user == 'root'
- assert f.user == 'root'
+ assert f.group == 'root'
 assert f.mode == 0o0640