From bbeacf30d17e22d2c30e3a8632ac19df2721a68b Mon Sep 17 00:00:00 2001 From: David Shrewsbury Date: Tue, 2 Oct 2012 15:44:43 -0400 Subject: [PATCH] Use sudo for HAProxy config file manipulation. In a default, initial HAProxy installation on Ubuntu, the haproxy.cfg file is owned by root. So we need escalated permissions to be able to replace it with another config. --- README | 28 ++++++++++++++++++++++++-- libra/worker/drivers/haproxy/driver.py | 7 ++----- 2 files changed, 28 insertions(+), 7 deletions(-) diff --git a/README b/README index b3055d2a..14c43a76 100644 --- a/README +++ b/README @@ -26,6 +26,20 @@ Installing the Worker $ python setup.py install +Edit /etc/sudoers +----------------- + +The worker needs to be able to run some commands as root without being +prompted for a password. It is suggested that you run the worker as +the `haproxy` user and `haproxy` group on Ubuntu systems. Then add the +following line to /etc/sudoers: + + %haproxy ALL = NOPASSWD: /usr/sbin/service, /bin/cp, /bin/mv + +The above lets everyone in the `haproxy` group run those three commands +as root without being prompted for a password. + + Running the Worker ------------------ @@ -38,8 +52,9 @@ Basic commands: # Getting help $ libra_worker -h - # Start up as a daemon - $ sudo libra_worker + # Start up as a daemon running as the `haproxy` user and + # connecting to the local Gearman job server. + $ sudo libra_worker --user haproxy --group haproxy --server 127.0.0.1:4730 # Start up with debugging output in non-daemon mode $ libra_worker --debug --nodaemon @@ -48,3 +63,12 @@ You can verify that the worker is running by using the sample Gearman client in the bin/ directory: $ bin/client.py + + +Configuration File +------------------ + +It can be easier to give options via a configuration file. See the sample +configuration file etc/sample_libra.cfg for an example and further +documentation. Use the -c/--config option to specify the configuration +file to read. 
diff --git a/libra/worker/drivers/haproxy/driver.py b/libra/worker/drivers/haproxy/driver.py index 0c9dd24e..acd1d19d 100644 --- a/libra/worker/drivers/haproxy/driver.py +++ b/libra/worker/drivers/haproxy/driver.py @@ -78,10 +78,8 @@ class HAProxyDriver(LoadBalancerDriver): fh.close() bkupcfg = self._config_file + '.BKUP' - # The user that the process is running as MUST have write access - # to the HAProxy configuration file. - copy_cmd = "/bin/cp %s %s" % (self._config_file, bkupcfg) - move_cmd = "/bin/mv %s %s" % (tmpfile, self._config_file) + copy_cmd = "/usr/bin/sudo /bin/cp %s %s" % (self._config_file, bkupcfg) + move_cmd = "/usr/bin/sudo /bin/mv %s %s" % (tmpfile, self._config_file) try: subprocess.check_output(copy_cmd.split(), stderr=subprocess.STDOUT) @@ -92,7 +90,6 @@ class HAProxyDriver(LoadBalancerDriver): def _restart(self): """ Restart the HAProxy service on the local machine. """ - # NOTE(shrews): This should be the only place we need sudo privs. cmd = '/usr/bin/sudo /usr/sbin/service haproxy restart' try: subprocess.check_output(cmd.split())
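Review bot: `copy_cmd` and `move_cmd` now run as root but are still built by `%`-formatting and then `.split()`, so a `self._config_file` or `tmpfile` value containing whitespace becomes extra arguments to a root `cp`/`mv`; both values are set outside this hunk, so I cannot tell how constrained they are. Building the argv directly avoids that, and `-n` makes sudo fail instead of waiting for a password when the daemon has no terminal: `copy_cmd = ['/usr/bin/sudo', '-n', '/bin/cp', self._config_file, bkupcfg]`, the same shape for `move_cmd`, and the `.split()` calls dropped. The sudoers line the README adds in this commit (`NOPASSWD: /usr/sbin/service, /bin/cp, /bin/mv`) lets every member of the `haproxy` group overwrite any file as root, which amounts to full root. Pinning the sudoers entries to the exact config paths, or to one small root-owned helper script, would limit the grant to what the driver needs. The enclosing method starts before the hunk and its `try` block continues after it.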