Allow configure user and group for Consul service

Denys Havrysh 2017-11-28 12:16:19 +02:00
parent 53250cd15b
commit 74f7fb4394
8 changed files with 54 additions and 21 deletions


@ -21,8 +21,8 @@ consul-script-install-{{ loop.index }}:
- name: {{ script.name }} - name: {{ script.name }}
- template: jinja - template: jinja
- context: {{ script.get('context', {}) | yaml }} - context: {{ script.get('context', {}) | yaml }}
- user: consul - user: {{ consul.user }}
- group: consul - group: {{ consul.group }}
- mode: 0755 - mode: 0755
{% endfor %} {% endfor %}
@ -33,8 +33,8 @@ consul-script-config:
- watch_in: - watch_in:
- service: consul - service: consul
{% endif %} {% endif %}
- user: consul - user: {{ consul.user }}
- group: consul - group: {{ consul.group }}
- require: - require:
- user: consul - user: consul
- formatter: json - formatter: json
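Review bot: The `require` under consul-script-config still names `- user: consul`, which matched the user state by name only while that name was fixed; once `consul.user` is set to anything else in pillar, no state carries that name and Salt will report the requisite as not found. Point it at the state ID instead, `- user: consul-user`, the same way this commit changes the group requisite to `- group: consul-group` in the install state. The new values are also interpolated unquoted here and in the install and service states (`- user: {{ consul.user }}`), so an empty or number-like pillar value renders as null or an integer; `- user: "{{ consul.user }}"` avoids that. Both states in this file extend beyond the visible hunks, so any other requisite on the user there needs the same check.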


@ -3,6 +3,10 @@ consul:
download_host: releases.hashicorp.com download_host: releases.hashicorp.com
service: false service: false
user: consul
group: consul
config: config:
server: false server: false
bind_addr: 0.0.0.0 bind_addr: 0.0.0.0


@ -8,7 +8,8 @@ Environment="GOMAXPROCS=2" "PATH=/usr/local/bin:/usr/bin:/bin"
ExecStart=/usr/local/bin/consul agent -config-dir=/etc/consul.d ExecStart=/usr/local/bin/consul agent -config-dir=/etc/consul.d
ExecReload=/bin/kill -HUP $MAINPID ExecReload=/bin/kill -HUP $MAINPID
KillSignal=TERM KillSignal=TERM
User=consul User={{ user }}
Group={{ group }}
[Install] [Install]
WantedBy=multi-user.target WantedBy=multi-user.target


@ -24,7 +24,6 @@
. /etc/rc.d/init.d/functions . /etc/rc.d/init.d/functions
prog="consul" prog="consul"
user="consul"
exec="/usr/local/bin/$prog" exec="/usr/local/bin/$prog"
pidfile="/var/run/$prog.pid" pidfile="/var/run/$prog.pid"
lockfile="/var/lock/subsys/$prog" lockfile="/var/lock/subsys/$prog"
@ -34,6 +33,9 @@ confdir="/etc/consul.d"
# pull in sysconfig settings # pull in sysconfig settings
[ -e /etc/sysconfig/$prog ] && . /etc/sysconfig/$prog [ -e /etc/sysconfig/$prog ] && . /etc/sysconfig/$prog
user=${CONSUL_USER:-consul}
group=${CONSUL_GROUP:-consul}
export GOMAXPROCS=${GOMAXPROCS:-2} export GOMAXPROCS=${GOMAXPROCS:-2}
start() { start() {
@ -44,7 +46,7 @@ start() {
umask 077 umask 077
touch $logfile $pidfile touch $logfile $pidfile
chown $user:$user $logfile $pidfile chown "$user:$group" $logfile $pidfile
echo -n $"Starting $prog: " echo -n $"Starting $prog: "
@ -56,7 +58,7 @@ start() {
## owned by consul:consul, using -pid-file results in a permission error. ## owned by consul:consul, using -pid-file results in a permission error.
daemon \ daemon \
--pidfile=$pidfile \ --pidfile=$pidfile \
--user=consul \ --user="$user" \
" { $exec agent -config-dir=$confdir &>> $logfile & } ; echo \$! >| $pidfile " " { $exec agent -config-dir=$confdir &>> $logfile & } ; echo \$! >| $pidfile "
RETVAL=$? RETVAL=$?
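Review bot: `$group` is used only by the `chown`; the `daemon` call passes `--user="$user"` alone, so the agent runs with whatever primary group that account has rather than with CONSUL_GROUP. That stays consistent while the account is created with that group as its gid, but a hand-edited sysconfig file can leave the log and pid file with a different group from the running process. The comment above `daemon` still reads `owned by consul:consul`; it should become something like `## owned by $user:$group (CONSUL_GROUP must be the user's primary group), using -pid-file results in a permission error.` The body of start() begins and ends outside these hunks.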


@ -6,8 +6,8 @@ stop on runlevel [!2345]
respawn respawn
script script
if [ -f "/etc/service/consul" ]; then if [ -f /etc/default/consul ]; then
. /etc/service/consul . /etc/default/consul
fi fi
# Make sure to use all our CPUs, because Consul can block a scheduler thread # Make sure to use all our CPUs, because Consul can block a scheduler thread
@ -16,7 +16,8 @@ script
# Get the public IP # Get the public IP
BIND=`ifconfig eth0 | grep "inet addr" | awk '{ print substr($2,6) }'` BIND=`ifconfig eth0 | grep "inet addr" | awk '{ print substr($2,6) }'`
exec start-stop-daemon --start -c consul \ exec start-stop-daemon --start \
--chuid ${CONSUL_USER:-consul}:${CONSUL_GROUP:-consul} \
--exec /usr/local/bin/consul agent -- \ --exec /usr/local/bin/consul agent -- \
-config-dir="/etc/consul.d" \ -config-dir="/etc/consul.d" \
${CONSUL_FLAGS} \ ${CONSUL_FLAGS} \
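Review bot: The `--chuid` argument is built from two unquoted expansions of variables sourced from /etc/default/consul, so a value containing whitespace splits into extra start-stop-daemon arguments in a script that runs as root; quote it as `--chuid "${CONSUL_USER:-consul}:${CONSUL_GROUP:-consul}" \`. Separately, the sourced path moves from /etc/service/consul to /etc/default/consul with no fallback, so a host that kept CONSUL_FLAGS in the old file would start without them after the upgrade; the change deserves a line in the README or changelog. The script block continues past the end of the hunk.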


@ -10,24 +10,25 @@ consul-bin-dir:
- makedirs: True - makedirs: True
# Create consul user # Create consul user
consul-user: consul-group:
group.present: group.present:
- name: consul - name: {{ consul.group }}
consul-user:
user.present: user.present:
- name: consul - name: {{ consul.user }}
- createhome: false - gid: {{ consul.group }}
- system: true - createhome: False
- groups: - system: True
- consul
- require: - require:
- group: consul - group: consul-group
# Create directories # Create directories
consul-config-dir: consul-config-dir:
file.directory: file.directory:
- name: /etc/consul.d - name: /etc/consul.d
- user: consul - user: {{ consul.user }}
- group: consul - group: {{ consul.group }}
consul-data-dir: consul-data-dir:
file.directory: file.directory:


@ -1,10 +1,29 @@
{%- from slspath+"/map.jinja" import consul with context -%} {%- from slspath+"/map.jinja" import consul with context -%}
consul-init-env:
file.managed:
{%- if grains['os_family'] == 'Debian' %}
- name: /etc/default/consul
{%- else %}
- name: /etc/sysconfig/consul
- makedirs: True
{%- endif %}
- user: root
- group: root
- mode: 0644
- contents:
- CONSUL_USER={{ consul.user }}
- CONSUL_GROUP={{ consul.group }}
consul-init-file: consul-init-file:
file.managed: file.managed:
{%- if salt['test.provider']('service') == 'systemd' %} {%- if salt['test.provider']('service') == 'systemd' %}
- source: salt://{{ slspath }}/files/consul.service - source: salt://{{ slspath }}/files/consul.service
- name: /etc/systemd/system/consul.service - name: /etc/systemd/system/consul.service
- template: jinja
- context:
user: {{ consul.user }}
group: {{ consul.group }}
- mode: 0644 - mode: 0644
{%- elif salt['test.provider']('service') == 'upstart' %} {%- elif salt['test.provider']('service') == 'upstart' %}
- source: salt://{{ slspath }}/files/consul.upstart - source: salt://{{ slspath }}/files/consul.upstart
@ -23,6 +42,7 @@ consul-service:
- name: consul - name: consul
- enable: True - enable: True
- watch: - watch:
- file: consul-init-env
- file: consul-init-file - file: consul-init-file
{%- endif %} {%- endif %}
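Review bot: consul-init-env writes the pillar values unquoted into a file that the init scripts source as root (`- CONSUL_USER={{ consul.user }}`), so a value containing whitespace or shell metacharacters would be interpreted by the shell instead of being treated as an account name. Render the values quoted, e.g. `- CONSUL_USER='{{ consul.user }}'`, or check them against an account-name pattern before rendering. Because `file.managed` with `contents` replaces the whole file, any GOMAXPROCS or CONSUL_FLAGS an operator kept in /etc/default/consul or /etc/sysconfig/consul is dropped on the next run; a comment on the state such as `# This file is fully managed; local additions are overwritten` would make that explicit.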


@ -2,6 +2,10 @@ consul:
# Start Consul agent service and enable it at boot time # Start Consul agent service and enable it at boot time
service: True service: True
# Set user and group for Consul config files and running service
user: consul
group: consul
config: config:
server: True server: True
bind_addr: 0.0.0.0 bind_addr: 0.0.0.0