Packaging: change permissions/ownership of config dir

When generating the rpm and deb packages we now set the proper group (elasticsearch) and permissions (750) on the conf dir (default /etc/elasticsearch). The same applies to the scripts subdirectory.

Expanded the assert_file bash function to also optionally check the group of files, so we can actually test that the group was set correctly.

Relates to #11016
Closes #14017
javanna 2015-10-08 10:43:38 +02:00 committed by Luca Cavanna
parent ef3172c8b0
commit 648cc6defa
4 changed files with 55 additions and 22 deletions


@ -120,6 +120,19 @@
<group>root</group> <group>root</group>
</mapper> </mapper>
</data> </data>
<!-- create the conf dir manually so it gets proper permissions -->
<data>
<type>template</type>
<paths>
<path>${packaging.elasticsearch.conf.dir}</path>
</paths>
<mapper>
<type>perm</type>
<filemode>750</filemode>
<user>root</user>
<group>elasticsearch</group>
</mapper>
</data>
<!-- Add configuration files --> <!-- Add configuration files -->
<data> <data>
<src>${project.basedir}/../src/main/resources/config</src> <src>${project.basedir}/../src/main/resources/config</src>
@ -128,8 +141,9 @@
<mapper> <mapper>
<type>perm</type> <type>perm</type>
<prefix>${packaging.elasticsearch.conf.dir}</prefix> <prefix>${packaging.elasticsearch.conf.dir}</prefix>
<filemode>750</filemode>
<user>root</user> <user>root</user>
<group>root</group> <group>elasticsearch</group>
</mapper> </mapper>
</data> </data>
<data> <data>
@ -137,6 +151,12 @@
<paths> <paths>
<path>${packaging.elasticsearch.conf.dir}/scripts</path> <path>${packaging.elasticsearch.conf.dir}/scripts</path>
</paths> </paths>
<mapper>
<type>perm</type>
<filemode>750</filemode>
<user>root</user>
<group>elasticsearch</group>
</mapper>
</data> </data>
<!-- Add environment vars file --> <!-- Add environment vars file -->
<data> <data>
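Review bot: The `<filemode>750</filemode>` added to the mapper for the configuration files sets the execute bit on regular files such as elasticsearch.yml and logging.yml, which only need to be read; the packaging test in this commit pins that with `f root elasticsearch 750`. Keeping 750 on the two directory templates and using `<filemode>640</filemode>` for the files copied from `src/main/resources/config` would give the elasticsearch group read access without making config files executable. The rpm mapping that carries `<sources>` uses the same mode; whether a file-only mode can be set there depends on how the plugin applies `filemode` to the directory itself, which these hunks do not show. The `<data>` element at the end of this hunk continues outside it.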


@ -142,10 +142,14 @@
that creates the conf.dir.--> that creates the conf.dir.-->
<directory>${packaging.elasticsearch.conf.dir}</directory> <directory>${packaging.elasticsearch.conf.dir}</directory>
<configuration>noreplace</configuration> <configuration>noreplace</configuration>
<groupname>elasticsearch</groupname>
<filemode>750</filemode>
</mapping> </mapping>
<mapping> <mapping>
<directory>${packaging.elasticsearch.conf.dir}/</directory> <directory>${packaging.elasticsearch.conf.dir}/</directory>
<configuration>noreplace</configuration> <configuration>noreplace</configuration>
<groupname>elasticsearch</groupname>
<filemode>750</filemode>
<sources> <sources>
<source> <source>
<location>${project.basedir}/../src/main/resources/config/</location> <location>${project.basedir}/../src/main/resources/config/</location>
@ -158,6 +162,8 @@
<mapping> <mapping>
<directory>${packaging.elasticsearch.conf.dir}/scripts</directory> <directory>${packaging.elasticsearch.conf.dir}/scripts</directory>
<configuration>noreplace</configuration> <configuration>noreplace</configuration>
<groupname>elasticsearch</groupname>
<filemode>750</filemode>
</mapping> </mapping>
<!-- Add environment vars file --> <!-- Add environment vars file -->
<mapping> <mapping>
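Review bot: The three mappings gain `<groupname>elasticsearch</groupname>` and mode 750 but state no owner, so who owns the config directory depends on the plugin's default user, which is not visible in these hunks. The deb descriptor in this commit puts `<user>root</user>` next to the group; adding `<username>root</username>` to each mapping here would keep the two packages visibly in step and make it explicit that the service account gets only group read/traverse access. The last `<mapping>` continues outside the hunk.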


@ -72,38 +72,39 @@ verify_package_installation() {
getent group elasticsearch getent group elasticsearch
assert_file "$ESHOME" d root 755 assert_file "$ESHOME" d root root 755
assert_file "$ESHOME/bin" d root 755 assert_file "$ESHOME/bin" d root root 755
assert_file "$ESHOME/lib" d root 755 assert_file "$ESHOME/lib" d root root 755
assert_file "$ESCONFIG" d root 755 assert_file "$ESCONFIG" d root elasticsearch 750
assert_file "$ESCONFIG/elasticsearch.yml" f root 644 assert_file "$ESCONFIG/elasticsearch.yml" f root elasticsearch 750
assert_file "$ESCONFIG/logging.yml" f root 644 assert_file "$ESCONFIG/logging.yml" f root elasticsearch 750
assert_file "$ESDATA" d elasticsearch 755 assert_file "$ESSCRIPTS" d root elasticsearch 750
assert_file "$ESLOG" d elasticsearch 755 assert_file "$ESDATA" d elasticsearch elasticsearch 755
assert_file "$ESPLUGINS" d elasticsearch 755 assert_file "$ESLOG" d elasticsearch elasticsearch 755
assert_file "$ESPIDDIR" d elasticsearch 755 assert_file "$ESPLUGINS" d elasticsearch elasticsearch 755
assert_file "$ESHOME/NOTICE.txt" f root 644 assert_file "$ESPIDDIR" d elasticsearch elasticsearch 755
assert_file "$ESHOME/README.textile" f root 644 assert_file "$ESHOME/NOTICE.txt" f root root 644
assert_file "$ESHOME/README.textile" f root root 644
if is_dpkg; then if is_dpkg; then
# Env file # Env file
assert_file "/etc/default/elasticsearch" f root 644 assert_file "/etc/default/elasticsearch" f root root 644
# Doc files # Doc files
assert_file "/usr/share/doc/elasticsearch" d root 755 assert_file "/usr/share/doc/elasticsearch" d root root 755
assert_file "/usr/share/doc/elasticsearch/copyright" f root 644 assert_file "/usr/share/doc/elasticsearch/copyright" f root root 644
fi fi
if is_rpm; then if is_rpm; then
# Env file # Env file
assert_file "/etc/sysconfig/elasticsearch" f root 644 assert_file "/etc/sysconfig/elasticsearch" f root root 644
# License file # License file
assert_file "/usr/share/elasticsearch/LICENSE.txt" f root 644 assert_file "/usr/share/elasticsearch/LICENSE.txt" f root root 644
fi fi
if is_systemd; then if is_systemd; then
assert_file "/usr/lib/systemd/system/elasticsearch.service" f root 644 assert_file "/usr/lib/systemd/system/elasticsearch.service" f root root 644
assert_file "/usr/lib/tmpfiles.d/elasticsearch.conf" f root 644 assert_file "/usr/lib/tmpfiles.d/elasticsearch.conf" f root root 644
assert_file "/usr/lib/sysctl.d/elasticsearch.conf" f root 644 assert_file "/usr/lib/sysctl.d/elasticsearch.conf" f root root 644
fi fi
} }


@ -150,7 +150,8 @@ assert_file() {
local file="$1" local file="$1"
local type=$2 local type=$2
local user=$3 local user=$3
local privileges=$4 local group=$4
local privileges=$5
assert_file_exist "$file" assert_file_exist "$file"
@ -167,6 +168,11 @@ assert_file() {
[ "$realuser" = "$user" ] [ "$realuser" = "$user" ]
fi fi
if [ "x$group" != "x" ]; then
realgroup=$(find "$file" -maxdepth 0 -printf "%g")
[ "$realgroup" = "$group" ]
fi
if [ "x$privileges" != "x" ]; then if [ "x$privileges" != "x" ]; then
realprivileges=$(find "$file" -maxdepth 0 -printf "%m") realprivileges=$(find "$file" -maxdepth 0 -printf "%m")
[ "$realprivileges" = "$privileges" ] [ "$realprivileges" = "$privileges" ]
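Review bot: Inserting `group` as `$4` moves `privileges` to `$5`, and nothing at the head of `assert_file` documents the new positional order; a caller still using the four-argument form would have its mode string compared as a group name and its mode check skipped. A header comment such as `# assert_file <path> <type> <user> <group> <mode>; an empty group or mode skips that check` would make the contract explicit for the other test files. In the added block, `realgroup` is assigned without `local`, so `local realgroup` before the `find` call would keep it out of the caller's scope. The function body starts before the first hunk and continues between and after the two hunks shown.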