Introduction
For JS7 - Automated Deployment On Premises use of a Deployment Area is recommended.
The JS7 - Deployment Area is used for the following purposes:
- to hold the script environment for JS7 - Automated Installation and Update and for JS7 - Deployment Packaging,
- to hold the configuration files and optionally certificates for deployment of JS7 products,
- to hold the JS7 installations per JS7 release and product such as JOC Cockpit, Controller, Agent,
- to hold the archive of Deployment Packages per JS7 releases and target host,
The article explains
- how to manage ownership for the installation and configuration directories of JS7 products,
- how to manage permissions to set up JS7 products
Managing Ownership
When it comes to ownership of directories used by JS7 products users should consider:
- Separation of Directories
- The installation directory tree includes files that are executed to start and to stop JS7 products.
- The configuration directory tree includes files for which read access for the Run-time Account is required. In addition write access is required for example for log files in the directory tree.
- Separation of Accounts
- Deployment Account
- The account performs deployment, i.e. it transfers the tarballs created during JS7 - Deployment Packaging to the target host and extracts related tarballs.
- Home Owner Account
- The account owns the installation directory of the JS7 product.
- Data Owner Account
- The account owns the configuration directory of the JS7 product.
- Run-time Account
- The account runs the JS7 product's service.
- The account requires access to read and to execute files in the installation directory.
- The account requires access to read and to write files in the configuration directory.
- Deployment Account
Accounts are specified from the JS7 - Deployment Descriptor for all JS7 products like this:
| Deployment Account | Home Owner Account | Data Owner Account | Run-time Account | |
|---|---|---|---|---|
| Deployment Descriptor | .target.authentication.user | .installation.homeOwner | .installation.dataOwner | .installation.runUser |
In addition, users can make use of the .target.execPre and .target.execPost elements to specify one or more commands that will be executed on the target host before the Deployment Packages will be extracted and after extraction:
- To apply more than one command use of the
evalcommand is required. - The built-in functions StopService and StartService can be used to stop and to start the systemd service of the JS7 product.
Example for .target.ExecPre command
eval 'sudo mkdir -p /opt/sos-berlin.com/js7;sudo chown -R sos:sos /opt/sos-berlin.com/js7;sudo mkdir -p /var/sos-berlin.com/js7;sudo chown -R sos:sos /var/sos-berlin.com/js7;StopService'
Setting up ownership is straightforward if a single account is used, for example, a non-root account or root account, that deploys, owns and runs both the installation and configuration directories. For more complex scenarios see the following sections.
User Account Deployment and Ownership by User Account
This scenario applies if the Deployment Account that performs the installation of the JS7 product is the same as the Home Owner Account, Data Owner Account and Run-time Account
| Example | Deployment Account | Home Owner Account | Data Owner Account | Run-time Account |
|---|---|---|---|---|
| Deployment Descriptor | .target.authentication.user: "sos" | .installation.homeOwner: "sos" | .installation.dataOwner: "sos" | .installation.runUser: "sos" |
| Deployment Descriptor | .target.authentication.user: "sos" | (not specified) | (not specified) | (not specified) |
For this scenario it is sufficient to specify the .target.authentication.user element with the value of the user account, for example sos.
The following prerequisites apply:
- The Deployment Account is the owner of the parent directory to which JS7 products are installed.
- The directory tree includes the execute permission for any included sub-directories.
- No sticky bit is set for sub-directories in the directory tree.
Limited Use of sudo for Deployment and Ownership by individual User Accounts
This scenario applies if the Deployment Account that performs the installation of the JS7 product is different from the Home Owner Account, Data Owner Account and Run-time Account
| Example | Deployment Account | Home Owner Account | Data Owner Account | Run-time Account |
|---|---|---|---|---|
| Deployment Descriptor | .target.authentication.user: "sos" | .installation.homeOwner: "sos1" | .installation.dataOwner: "sos2" | .installation.runUser: "sos2" |
| Deployment Descriptor | .target.authentication.user: "sos" | .installation.homeOwner: "sos1" | .installation.homeOwner: "sos2" | (not specified) |
The following prerequisites apply:
- Users can limit
sudocapabilities- to the parent directory of the installation and configurations directories,
- to allow the commands:
mkdir,rm,chown,lnfor deployment. - to allow the commands
cp,systemctlwhen using the StartService and StopService functions.
- The Deployment Account is the owner of the parent directory to which JS7 products are installed.
- The directory tree includes the execute permission for any included sub-directories.
- No sticky bit is set for sub-directories in the directory tree.
- Home Owner Account and Data Owner Account can be the same or can be different.
- The Data Owner Account is the same as the Run-time Account.
- Should accounts be different then users have to manually adjust group permissions to allow the Run-time Account read/write access to the configuration directory.
- If no Run-time Account is specified then the Data Owner Account is assumed for the Run-time Account.
Deployment will be performed like this:
- Any file system operations such as
mkdir,rm,chown,ln,tarwill be performed using the Deployment Account if existing read/write permissions allow to do so. Otherwisesudowill be used. - Ownership of the installation and configuration directories will be assigned the related user accounts.
Unlimited Use of sudo for Deployment and Ownership by individual User Accounts
This scenario applies if the Deployment Account that performs the installation of the JS7 product is different from the Home Owner Account, Data Owner Account and Run-time Account. In addition use of sudo for any operation related to installation and configuration directories is enforced.
| Example | Deployment Account | Home Owner Account | Data Owner Account | Run-time Account | Force sudo |
|---|---|---|---|---|---|
| Deployment Descriptor | .target.authentication.user: "sos" | .installation.homeOwner: "sos1" | .installation.dataOwner: "sos2" | .installation.runUser: "sos2" | .target.forceSudo: true |
| Deployment Descriptor | .target.authentication.user: "sos" | .installation.homeOwner: "sos1" | .installation.dataOwner: "sos2" | (not specified) | .target.forceSudo: true |
The following prerequisites apply:
- Home Owner Account and Data Owner Account can be the same or can be different.
- The Data Owner Account is the same as the Run-time Account.
- Should accounts be different then users have to manually adjust group permissions to allow the Run-time Account read/write access to the configuration directory.
- If no Run-time Account is specified then the Data Owner Account is assumed for the Run-time Account.
Deployment will be performed like this:
- Any file system operations such as
mkdir,rm,cbown,ln,tarare performed usingsudo. - Ownership of the installation and configuration directories is assigned the related Home Owner and Data Owner accounts.
Root Account Deployment and Ownership by Root Account
This scenario applies if the Deployment Account that performs the installation of the JS7 product is root and is the same as the Home Owner Account, Data Owner Account and Run-time Account.
| Example | Deployment Account | Home Owner Account | Data Owner Account | Run-time Account |
|---|---|---|---|---|
| Deployment Descriptor | .target.authentication.user: "root" | .installation.homeOwner: "root" | .installation.dataOwner: "root" | .installation.runUser: "root" |
| Deployment Descriptor | .target.authentication.user: "root" | (not specified) | (not specified) | (not specified) |
For this scenario it is sufficient to specify the target.authentication.user element with the value root.
This scenario generally is not recommended as it
- requires direct root access by SSH connections to target host.
- operates the JS7 products from the root account which includes higher privileges than required.
Root Account Deployment and Ownership by individual User Accounts
This scenario applies if the Deployment Account that performs the installation of the JS7 product is root and is the same as the Home Owner Account, Data Owner Account and Run-time Account
| Example | Deployment Account | Home Owner Account | Data Owner Account | Run-time Account |
|---|---|---|---|---|
| Deployment Descriptor | .target.authentication.user: "root" | .installation.homeOwner: "sos" | .installation.dataOwner: "root" | .installation.runUser: "root" |
| Deployment Descriptor | .target.authentication.user: "root" | (not specified) | (not specified) | (not specified) |
For this scenario it is sufficient to specify the target.authentication.user element with the value root.
This scenario generally is not recommended as it
- requires direct root access by SSH connections to target host.
Resources
Overview
Content Tools