__single_binary_service: add more features

- the type can now deploy single-binary services that are not downloaded (--url), but held in the cdist-controller instead (--local-source) - We can also specify the destination of the service's configuration file (--config-file-destination) - And the permissions of the service's working directory (--working-directory-permissions)
2025-04-26 18:49:54 +02:00 · 2025-04-26 18:49:54 +02:00 · 05f7711bb3
commit 05f7711bb3
parent 0f6b03b7c1
8 changed files with 103 additions and 38 deletions
--- a/type/__single_binary_service/man.rst
+++ b/type/__single_binary_service/man.rst
@ -29,13 +29,6 @@ the init system being used.

 REQUIRED PARAMETERS
 -------------------
-checksum
-    This will be passed verbatim to `__download(7)`.
-    Use something like `sha256:...`.
-
-url
-    This will be passed verbatim to `__download(7)`.
-
 version
    This type will use a thumbstone file with a "version" number to track
    whether or not a service must be updated.
@ -59,12 +52,29 @@ do-not-manage-user

 OPTIONAL PARAMETERS
 -------------------
+checksum
+    This will be passed verbatim to `__download(7)`.
+    Use something like `sha256:...`.
+    Required if using `--url`.
+
+config-file-destination
+    The remote path in which to locate the service's configuration.
+    Defaults to `ETC_DIR/${__object_id}.conf`.
+
 config-file-source
    If present, this file's contents will be placed under
    `/etc/${__object_id}.conf` with permissions `0440` and ownership assigned to
    `--user` and `--group`.
    If `-` is passed, this type's `stdin` will be used.

+local-source
+    A file on the cdist controller that will be used instead of downloading
+    the binary.
+
+url
+    This will be passed verbatim to `__download(7)`.
+    When used, you must specify `--checksum` as well.
+
 user
    The user under which the service will run. Defaults to `root`.
    If this user is not `root` and `--do-not-manage-user` is not present,
@ -130,6 +140,10 @@ unpack-extension
 working-directory
    If set, the working directory with which the service will be started.

+working-directory-permissions
+    The permissions that will be set for the working directory.
+    Defaults to `0750`.
+

 OPTIONAL MULTIPLE PARAMETERS
 ----------------------------
--- a/type/__single_binary_service/manifest
+++ b/type/__single_binary_service/manifest
@ -1,4 +1,4 @@
-#!/bin/sh -e
+#!/bin/sh -eu
 SERVICE_NAME="${__object_id}"

 OS="$(cat "${__global}/explorer/os")"
@ -32,7 +32,7 @@ case "${INIT}" in
 		service_command="sv %s ${SERVICE_NAME}"
 	;;
 	*)
-		echo "Init system ${INIT}' is currently not supported." >&2
+		echo "Init system '${INIT}' is currently not supported." >&2
 		exit 1
 	;;
 esac
@ -44,7 +44,7 @@ BIN_DIR="/usr/local/bin"
 __directory "${BIN_DIR}" \
 	--state "exists" \
 	--mode 0755
-export require="${require} __directory${BIN_DIR}"
+export require="${require:-} __directory${BIN_DIR}"

 STATE="$(cat "${__object}/parameter/state")"
 USER="$(cat "${__object}/parameter/user")"
@ -86,18 +86,30 @@ fi

 SERVICE_DEFINITION="$(cat "${__object}/parameter/service-definition" 2>/dev/null || true)"

-WORKING_DIRECTORY_PATH="$(cat "${__object}/parameter/working-directory" 2>/dev/null || true)"
-if [ -n "${WORKING_DIRECTORY_PATH}" ]; then
-	WORKING_DIRECTORY_SYSTEMD="WorkingDirectory=${WORKING_DIRECTORY_PATH}"
-	WORKING_DIRECTORY_RUNIT="cd '${WORKING_DIRECTORY_PATH}'"
-fi
-
-DOWNLOAD_URL="$(cat "${__object}/parameter/url")"
 CHECKSUM="$(cat "${__object}/parameter/checksum")"
 SHOULD_VERSION="$(cat "${__object}/parameter/version")"
+DOWNLOAD_URL="$(cat "${__object}/parameter/url")"
+LOCAL_SOURCE="$(cat "${__object}/parameter/local-source")"
+if [ -z "${DOWNLOAD_URL}${LOCAL_SOURCE}" ]; then
+	cat >&1 <<-EOM
+	Exactly one of --url or --local-source must be specified.
+	EOM
+	exit 1
+fi
+if [ -n "${DOWNLOAD_URL}" ] && [ -z "${CHECKSUM}" ]; then
+	cat >&1 <<-EOM
+	You must specify --checksum when using --url.
+	EOM
+	exit 1
+fi
+if [ "${LOCAL_SOURCE}" = "-" ]; then
+	LOCAL_SOURCE="${__object}/stdin"
+fi

 # Create a user for the service if it is not root
 USER_HOME_DIR="/root"
+require_user_created=""
+service_require=""
 if [ "${USER}" != "root" ] && \
 		[ ! -f "${__object}/parameter/do-not-manage-user" ]; then
 	if [ "${STATE}" = "absent" ]; then
@ -108,24 +120,45 @@ if [ "${USER}" != "root" ] && \
 	if [ "${USER_HOME_DIR}" != "/nonexistent" ]; then
 		USER_CREATE_HOME="--create-home"
 	fi
-	require="${require} ${user_require}" __user "${USER}" \
+	require="${require} ${user_require:-}" __user "${USER}" \
 		--system \
 		--state "${STATE}" \
 		--home "${USER_HOME_DIR}" \
 		--comment "cdist-managed service user" \
 		${USER_CREATE_HOME}
+	require_user_created="__user/${USER}"
 	# Track dependencies
-	service_require="${service_require} __user/${USER}"
+	service_require="${service_require} ${require_user_created}"
+fi
+
+# Adapt directory permissions when necessary
+WORKING_DIRECTORY_PERMISSIONS="$(cat "${__object}/parameter/working-directory-permissions")"
+WORKING_DIRECTORY_PATH="$(cat "${__object}/parameter/working-directory" 2>/dev/null || true)"
+if [ -n "${WORKING_DIRECTORY_PATH}" ]; then
+	WORKING_DIRECTORY_SYSTEMD="WorkingDirectory=${WORKING_DIRECTORY_PATH}"
+	WORKING_DIRECTORY_RUNIT="cd '${WORKING_DIRECTORY_PATH}'"
+	require="${require_user_created}" __directory \
+		"${WORKING_DIRECTORY_PATH}" --state present \
+		--mode "${WORKING_DIRECTORY_PERMISSIONS}" \
+		--owner "${USER}" --group "${GROUP}"
 fi

 # Place config file if necessary
-CONFIG_FILE_DEST="${ETC_DIR}/${SERVICE_NAME}.conf"
+CONFIG_FILE_DEST="$(cat "${__object}/parameter/config-file-destination" 2>/dev/null || true)"
+if [ -z "${CONFIG_FILE_DEST}" ]; then
+	CONFIG_FILE_DEST="${ETC_DIR}/${SERVICE_NAME}.conf"
+else
+	require="${require_user_created}" __directory \
+		"$(dirname "${WORKING_DIRECTORY_PATH}")" --state present \
+		--mode "${WORKING_DIRECTORY_PERMISSIONS}" \
+		--owner "${USER}" --group "${GROUP}"
+fi
 CONFIG_FILE_SOURCE="$(cat "${__object}/parameter/config-file-source" 2>/dev/null || true)"
 if [ "${CONFIG_FILE_SOURCE}" = "-" ]; then
 	CONFIG_FILE_SOURCE="${__object}/stdin"
 fi
 if [ -n "${CONFIG_FILE_SOURCE}" ] && [ "${STATE}" = "present" ]; then
-	require="${require} __user/${USER}" __file \
+	require="${require} ${require_user_created}" __file \
 		"${CONFIG_FILE_DEST}" \
 		--owner "${USER}" \
 		--group "${GROUP}" \
@ -164,7 +197,7 @@ Group=${GROUP}
 ExecStart=${SERVICE_EXEC}
 Restart=always
 EnvironmentFile=${SYSTEMD_ENV_FILE}
-${WORKING_DIRECTORY_SYSTEMD}
+${WORKING_DIRECTORY_SYSTEMD:-}

 [Install]
 WantedBy=multi-user.target
@ -261,15 +294,23 @@ EOF
 		UNPACK_EXTENSION="$(cat "${__object}/parameter/unpack-extension")"
 		UNPACK_ARGS="$(cat "${__object}/parameter/unpack-args" \
 			2>/dev/null || true)"
-		# Download packed file
-		__download "${TMP_PATH}${UNPACK_EXTENSION}" \
-			--url "${DOWNLOAD_URL}" \
-			--download remote \
-			--sum "${CHECKSUM}"
+		# Place packed file
+		if [ -n "${DOWNLOAD_URL}" ]; then
+			__download "${TMP_PATH}${UNPACK_EXTENSION}" \
+				--url "${DOWNLOAD_URL}" \
+				--download remote \
+				--sum "${CHECKSUM}"
+			require_place_file="__download${TMP_PATH}${UNPACK_EXTENSION}"
+		else
+			# TODO: this doesn't use CHECKSUM
+			__file "${TMP_PATH}${UNPACK_EXTENSION}" \
+				--source "${LOCAL_SOURCE}"
+			require_place_file="__file${TMP_PATH}${UNPACK_EXTENSION}"
+		fi

 		# Unpack file and also perform service upgrade
 		# shellcheck disable=SC2086
-		require="__download${TMP_PATH}${UNPACK_EXTENSION}" \
+		require="${require_place_file}" \
 			__unpack "${TMP_PATH}${UNPACK_EXTENSION}" \
 			${UNPACK_ARGS} \
 			--destination "${TMP_PATH}"
@ -277,14 +318,20 @@ EOF
 	else
 		# Create temp directory
 		__directory "${TMP_PATH}"
-		# Download binary directoy to the temp directory with the
-		# specified binary name
-		require="__directory${TMP_PATH}" __download \
-			"${TMP_PATH}/${BINARY}" \
-			--url "${DOWNLOAD_URL}" \
-			--download remote \
-			--sum "${CHECKSUM}"
-		version_bump_require="__download${TMP_PATH}/${BINARY}"
+		# Place in temp directory with the specified binary name
+		if [ -n "${DOWNLOAD_URL}" ]; then
+			require="__directory${TMP_PATH}" __download \
+				"${TMP_PATH}/${BINARY}" \
+				--url "${DOWNLOAD_URL}" \
+				--download remote \
+				--sum "${CHECKSUM}"
+			version_bump_require="__download${TMP_PATH}/${BINARY}"
+		else
+			require="__directory${TMP_PATH}" __file \
+				"${TMP_PATH}/${BINARY}" \
+				--source "${LOCAL_SOURCE}"
+			version_bump_require="__file${TMP_PATH}/${BINARY}"
+		fi
 	fi

 	# Perform update of cdist-managed version file
--- a/type/__single_binary_service/parameter/default/checksum
+++ b/type/__single_binary_service/parameter/default/checksum
--- a/type/__single_binary_service/parameter/default/local-source
+++ b/type/__single_binary_service/parameter/default/local-source
--- a/type/__single_binary_service/parameter/default/url
+++ b/type/__single_binary_service/parameter/default/url
--- a/type/__single_binary_service/parameter/default/working-directory-permissions
+++ b/type/__single_binary_service/parameter/default/working-directory-permissions
@ -0,0 +1 @@
+0750
--- a/type/__single_binary_service/parameter/optional
+++ b/type/__single_binary_service/parameter/optional
@ -1,14 +1,19 @@
+checksum
 config-file-source
+config-file-destination
 env
 user
 group
 state
 binary
+local-source
 service-args
 service-exec
 service-description
 service-definition
 unpack-extension
 unpack-args
+url
 user-home-dir
 working-directory
+working-directory-permissions
--- a/type/__single_binary_service/parameter/required
+++ b/type/__single_binary_service/parameter/required
@ -1,3 +1 @@
-url
-checksum
 version