left4me: symlink privileged helpers to the checkout
/usr/local/libexec/left4me/* and /usr/local/sbin/left4me are now target-side symlinks into /opt/left4me/src/deploy/scripts/... Replaces the install_left4me_scripts copy-action. Part of 2026-05-15-deployment-responsibility-design.md migration step 4. Verified on ovh.left4me: helpers run via sudo from the web app context; gameserver lifecycle helper invocation succeeds.
This commit is contained in:
parent
05ec7c9bee
commit
ae4bfc8db3
SSH key fingerprint:
SHA256:v0410ZKfuO1QHdgKBsdQNF64xmTxOF8osF1LIqwTcVw
1 changed files with 50 additions and 23 deletions
|
|
@ -82,11 +82,11 @@ users = {
|
||||||
# (981 — formerly l4d2-sandbox — was collapsed into 980 on 2026-05-15;
|
# (981 — formerly l4d2-sandbox — was collapsed into 980 on 2026-05-15;
|
||||||
# see left4me/docs/superpowers/plans/2026-05-15-uid-collapse.md.)
|
# see left4me/docs/superpowers/plans/2026-05-15-uid-collapse.md.)
|
||||||
|
|
||||||
# Privileged helpers are installed by the `install_left4me_scripts`
|
# Privileged helpers are delivered via target-side symlinks (see the
|
||||||
# action (below) directly from the left4me git checkout at
|
# `symlinks` dict below) pointing into the left4me checkout at
|
||||||
# `/opt/left4me/src/scripts/{libexec,sbin}/` — no verbatim copy in this
|
# `/opt/left4me/src/deploy/scripts/{libexec,sbin}/`. No verbatim copy
|
||||||
# bundle's files/ tree. Sudoers (further below) lists the specific
|
# in this bundle's files/ tree. Sudoers (further below) lists the
|
||||||
# paths that left4me may invoke as root NOPASSWD.
|
# specific paths that left4me may invoke as root NOPASSWD.
|
||||||
|
|
||||||
files = {
|
files = {
|
||||||
'/etc/left4me/sandbox-resolv.conf': {
|
'/etc/left4me/sandbox-resolv.conf': {
|
||||||
|
|
@ -167,6 +167,39 @@ symlinks = {
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# Helper script source paths (in left4me's checkout) → deployed-form paths.
|
||||||
|
# Each gets a symlink item merged into the symlinks dict above.
|
||||||
|
_LEFT4ME_LIBEXEC_SCRIPTS = (
|
||||||
|
'left4me-overlay',
|
||||||
|
'left4me-systemctl',
|
||||||
|
'left4me-journalctl',
|
||||||
|
'left4me-script-sandbox',
|
||||||
|
)
|
||||||
|
_LEFT4ME_SBIN_SCRIPTS = (
|
||||||
|
'left4me',
|
||||||
|
)
|
||||||
|
|
||||||
|
for _script in _LEFT4ME_LIBEXEC_SCRIPTS:
|
||||||
|
symlinks[f'/usr/local/libexec/left4me/{_script}'] = {
|
||||||
|
'target': f'/opt/left4me/src/deploy/scripts/libexec/{_script}',
|
||||||
|
'owner': 'root', 'group': 'root',
|
||||||
|
'needs': [
|
||||||
|
'directory:/usr/local/libexec/left4me',
|
||||||
|
'action:left4me_chmod_scripts',
|
||||||
|
'git_deploy:/opt/left4me/src',
|
||||||
|
],
|
||||||
|
}
|
||||||
|
|
||||||
|
for _script in _LEFT4ME_SBIN_SCRIPTS:
|
||||||
|
symlinks[f'/usr/local/sbin/{_script}'] = {
|
||||||
|
'target': f'/opt/left4me/src/deploy/scripts/sbin/{_script}',
|
||||||
|
'owner': 'root', 'group': 'root',
|
||||||
|
'needs': [
|
||||||
|
'action:left4me_chmod_scripts',
|
||||||
|
'git_deploy:/opt/left4me/src',
|
||||||
|
],
|
||||||
|
}
|
||||||
|
|
||||||
actions = {
|
actions = {
|
||||||
'left4me_sysctl_reload': {
|
'left4me_sysctl_reload': {
|
||||||
'command': 'sysctl --system >/dev/null',
|
'command': 'sysctl --system >/dev/null',
|
||||||
|
|
@ -264,10 +297,6 @@ git_deploy = {
|
||||||
# trigger off git_deploy is belt-and-braces in case the
|
# trigger off git_deploy is belt-and-braces in case the
|
||||||
# pip_install cascade is ever short-circuited.
|
# pip_install cascade is ever short-circuited.
|
||||||
'action:left4me_alembic_upgrade',
|
'action:left4me_alembic_upgrade',
|
||||||
# Privileged-helper scripts: reinstall from the new checkout
|
|
||||||
# into /usr/local/{libexec,sbin}/ as root-owned. No-op when
|
|
||||||
# the checkout didn't actually change (action is triggered).
|
|
||||||
'action:install_left4me_scripts',
|
|
||||||
# Reload systemd unit definitions whenever the checkout changes;
|
# Reload systemd unit definitions whenever the checkout changes;
|
||||||
# handles updates to hardening drop-in content without requiring
|
# handles updates to hardening drop-in content without requiring
|
||||||
# a symlink change.
|
# a symlink change.
|
||||||
|
|
@ -276,25 +305,23 @@ git_deploy = {
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
actions['install_left4me_scripts'] = {
|
actions['left4me_chmod_scripts'] = {
|
||||||
# Copy privileged scripts from the deployed left4me checkout into
|
# sudo invokes the helpers by absolute path under /usr/local/...;
|
||||||
# /usr/local/{libexec,sbin}/ as root:root 0755. Source of truth for
|
# those resolve to the checkout via the symlinks above. The target
|
||||||
# the file content is left4me's scripts/{libexec,sbin}/ tree (these
|
# files must be executable (mode 0755). git_deploy extracts with
|
||||||
# are application code, not deploy artifacts; left4me's deploy/ is
|
# the in-repo file modes; this action is belt-and-braces in case
|
||||||
# reference material only). The two install globs map source dirs
|
# any helper's repo mode regresses to 0644.
|
||||||
# 1:1 to deploy targets. Triggered only on git_deploy updates so a
|
|
||||||
# no-op apply doesn't re-copy.
|
|
||||||
'command': (
|
'command': (
|
||||||
'install -m 0755 -o root -g root -t /usr/local/libexec/left4me/ '
|
'chmod 0755 '
|
||||||
'/opt/left4me/src/scripts/libexec/*; '
|
'/opt/left4me/src/deploy/scripts/libexec/* '
|
||||||
'install -m 0755 -o root -g root -t /usr/local/sbin/ '
|
'/opt/left4me/src/deploy/scripts/sbin/*'
|
||||||
'/opt/left4me/src/scripts/sbin/*'
|
),
|
||||||
|
'unless': (
|
||||||
|
'! find /opt/left4me/src/deploy/scripts -type f \\! -perm 755 -print -quit 2>/dev/null | grep -q .'
|
||||||
),
|
),
|
||||||
'triggered': True,
|
|
||||||
'cascade_skip': False,
|
'cascade_skip': False,
|
||||||
'needs': [
|
'needs': [
|
||||||
'git_deploy:/opt/left4me/src',
|
'git_deploy:/opt/left4me/src',
|
||||||
'directory:/usr/local/libexec/left4me',
|
|
||||||
],
|
],
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue