Tuesday, December 4th 2012
I get easily tired of doing the same thing over and over again, and will, wherever possible, script or automate it to make life easier for myself. This could be in the form of a lightweight webapp/REST api for stuff, or in this case, I used Jenkins.
So on one server, we sometimes need to reload apache. As we don't like developers randomly executing shells on live servers, it's better to just allow access to a few specific commands, in this case, a wrapper script on the target server's /usr/local/bin that just wraps "/etc/init.d/httpd restart" or "/etc/init.d/httpd reload".
In "/etc/sudoers" there's a Cmnd_Alias
Cmnd_Alias RESTARTER = /usr/local/bin/restart-httpd.sh, /usr/local/bin/reload-httpd.sh
restarter ALL=(ALL) NOPASSWD: RESTARTER
And the restarter user can access this without specifying a password.
The restarter user has a .ssh/authorized_keys file containing the jenkins user's ssh public key.
On the jenkins job, there's a Parameterized Build flag, called "ARE_YOU_SURE" which prevents the accidental restart (as No is the default option).
The sole build step is:
if [ "$ARE_YOU_SURE" = "Yes" ]; then
ssh -tt [email protected] sudo /usr/local/bin/restart-httpd.sh
echo "Aw, shucks"
If you build and click "No" in the parameter, it will echo "Aw, shucks" and exit. If you click yes, it will SSH to the remote server as the restarter user, and then execute the script.
If you don't specify ssh -tt, then you get pestered because the terminal it's trying to run sudo in isn't a TTY.
Ta Da! Jenkins as a job dispatch engine.
Tom can slam a revolving door.