From 80111623d397eaa6a8ed2966b4d171b7dbc6e244 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andrew=20Lee=20=28=E6=9D=8E=E5=81=A5=E7=A7=8B=29?=
 <ajqlee@debian.org>
Date: Mon, 5 Dec 2016 16:36:33 +0800
Subject: [PATCH] Move log, tmp and config files out of /usr and creates links
 instead.

---
 debian/obs-api.dirs        |  15 ++--
 debian/obs-api.install     |   1 -
 debian/obs-api.links       |   8 +-
 debian/obs-api.postinst    |  48 +++++------
 debian/obs-server.install  |   2 +-
 debian/options.yml.example | 161 -------------------------------------
 debian/rules               |  17 ++--
 7 files changed, 52 insertions(+), 200 deletions(-)
 delete mode 100644 debian/options.yml.example

diff --git a/debian/obs-api.dirs b/debian/obs-api.dirs
index b102b3368c..8c4623c8f4 100644
--- a/debian/obs-api.dirs
+++ b/debian/obs-api.dirs
@@ -1,8 +1,7 @@
-/usr/share/obs
-/usr/share/obs/api
-/usr/share/obs/api/config
-/usr/share/obs/api/config/environments
-/usr/share/obs/api/config/initializers
-/usr/share/obs/api/files
-/usr/share/obs/overview
-/usr/share/obs/api/public/css
+/etc/obs/api/config
+/var/log/obs
+/var/cache/obs/tmp/cache
+/var/cache/obs/tmp/pids
+/var/cache/obs/tmp/sessions
+/var/cache/obs/tmp/sockets
+
diff --git a/debian/obs-api.install b/debian/obs-api.install
index 8a1802621e..e634904b3d 100644
--- a/debian/obs-api.install
+++ b/debian/obs-api.install
@@ -1,7 +1,6 @@
 # Install all web and api parts. (Remove parts in rules file)
 # install apidocs
 # the html dir was not found in source.
-src/api                                /usr/share/obs/
 docs/api/api/*.rng        /usr/share/obs/docs/api/
 docs/api/api/*.xsd        /usr/share/obs/docs/api/
 etc/logrotate.d/obs-api
diff --git a/debian/obs-api.links b/debian/obs-api.links
index 192cb101f7..dfa39ef117 100644
--- a/debian/obs-api.links
+++ b/debian/obs-api.links
@@ -1,3 +1,9 @@
-usr/share/obs/api/config			/etc/obs/api/config
+etc/obs/api/config/options.yml		/usr/share/obs/api/config/options.yml
+etc/obs/api/config/database.yml		/usr/share/obs/api/config/database.yml
+etc/obs/api/config/production.sphinx.conf /usr/share/obs/api/config/production.sphinx.conf
+etc/obs/api/config/thinking_sphinx.yml	/usr/share/obs/api/config/thinking_sphinx.yml
+etc/obs/api/config/secret.key		/usr/share/obs/api/config/secret.key
 usr/share/obs/docs/api                    /usr/share/obs/api/public/schema
 usr/share/javascript/bootstrap/css/bootstrap.min.css /usr/share/obs/api/public/css/bootstrap.min.css
+var/log/obs				/usr/share/obs/api/log
+var/cache/obs/tmp			/usr/share/obs/api/tmp
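Review bot: The `secret.key` entry here overlaps with debian/obs-api.postinst, which removes this packaged link while it is dangling (`rm -f /usr/share/obs/api/config/secret.key`) and then re-creates it with `ln -s`. Since dh_link already ships the link, the postinst would only need to create `/etc/obs/api/config/secret.key`; having both places manage the same path makes the upgrade behaviour harder to follow. A comment in this file such as `# database.yml and secret.key are generated at configure time; their links dangle until postinst has run` would explain why two of the link targets do not exist in the built package.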
diff --git a/debian/obs-api.postinst b/debian/obs-api.postinst
index 79e1ebc487..9e3737d8cf 100644
--- a/debian/obs-api.postinst
+++ b/debian/obs-api.postinst
@@ -1,21 +1,17 @@
 #!/bin/sh -e
 
-. /usr/share/debconf/confmodule
-. /usr/share/dbconfig-common/dpkg/postinst.mysql
-dbc_generate_include=template:/etc/obs/api/config/database.yml
-dbc_generate_include_args="-o template_infile=/etc/obs/api/config/database.yml.example"
-dbc_generate_include_owner=www-data
-dbc_go obs-api $@
-
-chown www-data:root /etc/obs/api/config/environment.rb
-
-if [ ! -f /var/log/obs ] ; then
-  ln -fs /usr/share/obs/api/log /var/log/obs
+# Config secret.key
+if [ ! -e "/usr/share/obs/api/config/secret.key" ]; then
+  rm -f /usr/share/obs/api/config/secret.key
 fi
-if [ ! -f /var/cache/obs/tmp ] ; then
-  mkdir -p /var/cache/obs
-  ln -fs /usr/share/obs/api/tmp /var/cache/obs/tmp
+SECRET_KEY="/etc/obs/api/config/secret.key"
+if [ ! -e "$SECRET_KEY" ]; then
+    ( umask 0077; dd if=/dev/urandom bs=256 count=1 2>/dev/null |sha256sum| cut -d\  -f 1 >$SECRET_KEY )
+    ln -s $SECRET_KEY /usr/share/obs/api/config/secret.key
 fi
+  chmod 0640 $SECRET_KEY
+  chown nobody:www-data $SECRET_KEY
+
 # Generate log files
   touch /var/log/obs/access.log
   touch /var/log/obs/backend_access.log
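Review bot: The key generation on the `dd … | sha256sum | cut` line cannot fail visibly, because `sh -e` sees only the exit status of `cut` and `dd`'s errors go to /dev/null. If /dev/urandom cannot be read (for example in a chroot without a populated /dev), the file ends up holding the fixed SHA-256 digest of empty input, which is a publicly known value. Read the random bytes in a step whose result is checked and stop the configure step otherwise. `$SECRET_KEY` should also be quoted in the redirect, the `ln -s`, and the `chmod`/`chown` lines.

```shell
if [ ! -e "$SECRET_KEY" ]; then
    # 32 random bytes as 64 hex digits; refuse to continue if the read came up short.
    key=$(od -An -N32 -tx1 /dev/urandom | tr -d ' \n')
    [ "${#key}" -eq 64 ] || { echo "obs-api: cannot read /dev/urandom" >&2; exit 1; }
    ( umask 0077; printf '%s\n' "$key" >"$SECRET_KEY" )
    # … unchanged: ln -s to /usr/share/obs/api/config/secret.key …
fi
```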
@@ -27,21 +23,27 @@ fi
   touch /var/log/obs/production.searchd.query.log
   touch /var/log/obs/production.sphinx.pid
   touch /var/log/obs/clockworkd.clock.output
-  chown -R www-data:www-data /var/log/obs/ /var/cache/obs/tmp/
+
+# Config Database with dbconfig-common
+. /usr/share/debconf/confmodule
+. /usr/share/dbconfig-common/dpkg/postinst.mysql
+dbc_generate_include=template:/etc/obs/api/config/database.yml
+dbc_generate_include_args="-o template_infile=/usr/share/obs/api/config/database.yml.example"
+dbc_generate_include_owner=www-data
+dbc_go obs-api $@
+
+# Refine permissions for rails app.
+  chown www-data:root /usr/share/obs/api/config/environment.rb
+  chown -R www-data:www-data /var/log/obs/
+  chown -R www-data:www-data /var/cache/obs/tmp/
   chown -R www-data:www-data /usr/share/obs/api/db
   chown -R www-data:www-data /usr/share/obs/api/public
-  chown www-data:www-data /usr/share/obs/api/config/production.sphinx.conf
+  chown www-data:www-data /etc/obs/api/config/production.sphinx.conf
   chmod 664 /var/log/obs/*.log
   chown nobody:www-data /etc/obs/api/config/database.yml
   chmod 660 /etc/obs/api/config/database.yml
   chown nobody:www-data /var/log/obs/backend_access.log
-
-SECRET_KEY="/usr/share/obs/api/config/secret.key"
-if [ ! -e "$SECRET_KEY" ]; then
-    ( umask 0077; dd if=/dev/urandom bs=256 count=1 2>/dev/null |sha256sum| cut -d\  -f 1 >$SECRET_KEY )
-fi
-  chmod 0640 $SECRET_KEY
-  chown nobody:www-data $SECRET_KEY
+  chown nobody:www-data /var/log/obs/production.log
 
 # Generate Gemfile.lock file.
 cd /usr/share/obs/api
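Review bot: The two `chown -R www-data:www-data` calls on /var/log/obs/ and /var/cache/obs/tmp/, and the new `chown nobody:www-data /var/log/obs/production.log`, run as root on every configure inside trees that www-data can already write to. If that account is ever compromised, a link planted in those directories could let the next upgrade change ownership of a file outside them; Lintian reports the recursive form as `recursive-privilege-change`. Set ownership on the directories themselves rather than recursively, and use `chown -h` for the named files, e.g. `chown -h nobody:www-data /var/log/obs/production.log`. Separately, `. /usr/share/debconf/confmodule` now comes after the key and log-file steps; confmodule may re-execute the script under the debconf frontend, so those steps can run twice, and it is normally sourced at the top of the script.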
diff --git a/debian/obs-server.install b/debian/obs-server.install
index 83d3374db1..205ca34dd3 100644
--- a/debian/obs-server.install
+++ b/debian/obs-server.install
@@ -7,7 +7,7 @@ dist/sysconfig.obs-server      /etc/default/
 # Config files
 etc/logrotate.d/obs-server
 etc/slp.reg.d/
-usr/lib/obs/server/BSConfig.pm
+usr/lib/obs/server/BSConfig.pm /etc/obs/
 
 usr/lib/obs/tests/appliance/
 usr/sbin/obs_admin
diff --git a/debian/options.yml.example b/debian/options.yml.example
deleted file mode 100644
index 68151b0d97..0000000000
--- a/debian/options.yml.example
+++ /dev/null
@@ -1,161 +0,0 @@
-#
-# This file contains the default configuration of the Open Build Service API.
-#
-
-#read_only_hosts: [ "build.opensuse.org", "software.opensuse.org" ]
-
-# Make use of mod_xforward module in apache
-#use_xforward: true
-
-# Make use of http://blog.lighttpd.net/articles/2006/07/22/x-sendfiles-new-friend-x-rewrite.
-# Note that you need to enable the proxy-core option to allow this.
-#x_rewrite_host: localhost
-
-# Make use of X-Accel-Redirect for Nginx.
-# http://kovyrin.net/2010/07/24/nginx-fu-x-accel-redirect-remote
-#use_nginx_redirect: /internal_redirect
-
-# Minimum count of rating votes a project/package needs to # be taken in account
-# for global statistics:
-min_votes_for_rating: 3
-
-# Set to true to verify XML reponses comply to the schema
-response_schema_validation: false
-
-# backend source server
-source_host: localhost
-source_port: 5352
-#source_protocol: https
-
-# api access to this instance
-frontend_host: localhost
-frontend_port: 443
-frontend_protocol: https
-# if your users access the hosts through a proxy (or just a different name, use this to
-# overwrite the settings for users)
-#external_frontend_host: api.opensuse.org
-#external_frontend_port: 443
-#external_frontend_protocol: https
-
-
-extended_backend_log: false
-
-# proxy_auth_mode can be :off, :on or :simulate
-proxy_auth_mode: :off
-
-# ATTENTION: If proxy_auth_mode'is :on, the frontend takes the user
-# name that is coming as headervalue X-username as a
-# valid user does no further authentication. So take care...
-proxy_auth_test_user: coolguy
-proxy_auth_test_email: coolguy@example.com
-
-# set this to enable auto cleanup requests after the given days
-auto_cleanup_after_days: 30
-
-#schema_location
-
-#version
-
-# if set to false, the API will only fake writes to backend (useful in testing)
-# global_write_through: true
-
-# see http://colszowka.heroku.com/2011/02/22/setting-up-your-custom-hoptoad-notifier-endpoint-for-free-using-errbit-on-heroku
-#errbit_api_key: api_key_of_your_app
-#errbit_host: installation.of.errbit.com
-
-##################
-# LDAP options
-##################
-
-ldap_mode: :off
-
-# LDAP Servers separated by ':'.
-# OVERRIDE with your company's ldap servers. Servers are picked randomly for
-# each connection to distribute load.
-ldap_servers: ldap1.mycompany.com:ldap2.mycompany.com
-
-# Max number of times to attempt to contact the LDAP servers
-ldap_max_attempts: 15
-
-# The attribute the user memberof is stored in
-ldap_user_memberof_attr: memberof
-
-# Perform the group_user search with the member attribute of group entry or memberof attribute of user entry
-# It depends on your ldap define
-# The attribute the group member is stored in
-ldap_group_member_attr: member
-
-# If you're using ldap_authenticate=:ldap then you should ensure that
-# ldaps is used to transfer the credentials over SSL or use the StartTLS extension
-ldap_ssl: :on
-
-# Use StartTLS extension of LDAP
-ldap_start_tls: :off
-
-# LDAP port defaults to 636 for ldaps and 389 for ldap and ldap with StartTLS
-#ldap_port:
-# Authentication with Windows 2003 AD requires
-ldap_referrals: :off
-
-# OVERRIDE with your company's ldap search base for the users who will use OBS
-ldap_search_base: OU=Organizational Unit,DC=Domain Component
-# Sam Account Name is the login name for LDAP
-ldap_search_attr: sAMAccountName
-# The attribute the users name is stored in
-ldap_name_attr: cn
-# The attribute the users email is stored in
-ldap_mail_attr: mail
-# Credentials to use to search ldap for the username
-ldap_search_user: ""
-ldap_search_auth: ""
-
-# By default any LDAP user can be used to authenticate to the OBS
-# In some deployments this may be too broad and certain criteria should
-# be met; eg group membership
-#
-# To allow only users in a specific group uncomment this line:
-#ldap_user_filter: memberof=CN=group,OU=Groups,DC=Domain Component)
-#
-# Note this is joined to the normal selection like so:
-# (&(#{dap_search_attr}=#{login})#{ldap_user_filter})
-# giving an ldap search of:
-#  (&(sAMAccountName=#{login})(memberof=CN=group,OU=Groups,DC=Domain Component))
-#
-# Also note that openLDAP must be configured to use the memberOf overlay
-
-# ldap_authenticate says how the credentials are verified:
-#   :ldap = attempt to bind to ldap as user using supplied credentials
-#   :local = compare the credentials supplied with those in
-#            LDAP using #{ldap_auth_attr} & #{ldap_auth_mech}
-#       if :local is used then ldap_auth_mech can be
-#       :md5
-#       :cleartext
-ldap_authenticate: :ldap
-ldap_auth_mech: :md5
-# This is a string
-ldap_auth_attr: userPassword
-
-# Whether to update the user info to LDAP server, it does not take effect
-# when ldap_mode is not set.
-# Since adding new entry operation are more depend on your slapd db define, it might not
-# compatiable with all LDAP server settings, you can use other LDAP client tools for your specific usage
-ldap_update_support: :off
-# ObjectClass, used for adding new entry
-ldap_object_class: inetOrgPerson
-# Base dn for the new added entry
-ldap_entry_base: ou=OBSUSERS,dc=EXAMPLE,dc=COM
-# Does sn attribute required, it is a necessary attribute for most of people objectclass,
-# used for adding new entry
-ldap_sn_attr_required: :on
-
-# Whether to search group info from ldap, it does not take effect
-# when LDAP_GROUP_SUPPOR is not set.
-# Please also set below LDAP_GROUP_* configs correctly to ensure the operation works properly
-ldap_group_support: :off
-# OVERRIDE with your company's ldap search base for groups
-ldap_group_search_base: ou=OBSGROUPS,dc=EXAMPLE,dc=COM
-# The attribute the group name is stored in
-ldap_group_title_attr: cn
-# The value of the group objectclass attribute, leave it as "" if objectclass attr doesn't exist
-ldap_group_objectclass_attr: groupOfNames
-
diff --git a/debian/rules b/debian/rules
index 1712be6432..2dbedc4654 100755
--- a/debian/rules
+++ b/debian/rules
@@ -27,6 +27,18 @@ override_dh_install:
 
 	dh_installdebconf
 
+	# Move config files under /etc/obs/api/config/. And links with dh_link.
+	mv debian/obs-api/usr/share/obs/api/config/options.yml \
+			debian/obs-api/etc/obs/api/config/
+	mv debian/obs-api/usr/share/obs/api/config/production.sphinx.conf \
+			debian/obs-api/etc/obs/api/config/
+	mv debian/obs-api/usr/share/obs/api/config/thinking_sphinx.yml \
+			debian/obs-api/etc/obs/api/config/
+
+	# Remove log and tmp and create links under /var with dh_link.
+	rm -rf debian/obs-api/usr/share/obs/api/log
+	rm -rf debian/obs-api/usr/share/obs/api/tmp
+
 	# Rename dh_install installed web service config files.
 	# (new default since OBS 2.3)
 	mkdir -p debian/obs-api/etc/apache2/sites-available/
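Review bot: `options.yml` is moved to /etc/obs/api/config/ with whatever mode it had in the build tree, and nothing in this patch restricts it afterwards, whereas the postinst does tighten `database.yml` (660) and `secret.key` (0640). The example file deleted by this commit lists `ldap_search_user` and `ldap_search_auth`, so the installed file can end up holding an LDAP bind password. If the shipped options.yml carries the same keys, give it the same owner as database.yml and a mode such as `chmod 0640 /etc/obs/api/config/options.yml` in the postinst. The `chmod a-x` for this file is also dropped further down in this diff, so the conffile keeps any executable bit it had. The override_dh_install recipe starts before this hunk and continues after it.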
@@ -42,10 +54,6 @@ override_dh_install:
 	mv debian/obs-server/etc/default/sysconfig.obs-server \
 		debian/obs-server/etc/default/obs-server
 
-	# these config files must not be hard linked
-	install debian/options.yml.example \
-		debian/obs-api/usr/share/obs/api/config/options.yml
-
 	# turn duplicates into hard links
 	fdupes debian/obs-api/usr/share/obs/
 
@@ -53,7 +61,6 @@ override_dh_install:
 	find debian/obs-api -name '.gitignore' -type f | xargs rm -f
 
 	# fix permissions
-	chmod a-x debian/obs-api/usr/share/obs/api/config/options.yml
 	chmod a-x debian/obs-api/usr/share/obs/api/script/update_bento.sh
 	chmod a-x debian/obs-api/usr/share/obs/api/Rakefile
 	# Clean up "extra" license
-- 
GitLab