Soldato
Ok so I have a number of Spring Boot based micro services which I am to run/deploy on an RHEL 7 server. Each micro service has it's own local user it will run as and is split into directories such as
/app/services/appa
/app/services/appb
/app/services/appc
Each services local user corresponds to the service name, so you have users appa, appb, appc.
Each micro service start script clones a git repository for app config, grabbing the environment specific (dev, uat, prod) config and placing it in the respective service directory. It also curls the apps executable jar from Artifactory. The script then changes the permissions of all config/jars to 755 and changes the owner/group to that specific local user, then the JVM is launched using the relevant local user.
There is a 1:1 mapping between process and micro service.
Now in order to do the above the user who runs the script (infrastructure support team) must have sudo access. An example noddy script (start/stop scripts exist in the location of the service directory so /app/services/appa for example)
And given the processes are a 1:1 mapping between user and process the equivalent stop script would be as simple as
Now ISP are saying "you have a lot of sudos", given that the alternative is that they "sudo su - appa" prior to running the start script, I can't see the issue?
Also using my approach
/app/services/appa
/app/services/appb
/app/services/appc
Each services local user corresponds to the service name, so you have users appa, appb, appc.
Each micro service start script clones a git repository for app config, grabbing the environment specific (dev, uat, prod) config and placing it in the respective service directory. It also curls the apps executable jar from Artifactory. The script then changes the permissions of all config/jars to 755 and changes the owner/group to that specific local user, then the JVM is launched using the relevant local user.
There is a 1:1 mapping between process and micro service.
Now in order to do the above the user who runs the script (infrastructure support team) must have sudo access. An example noddy script (start/stop scripts exist in the location of the service directory so /app/services/appa for example)
Code:
USER=appa
sudo git clone http://somewhere/config.git
sudo mv -v config/$env/configa .
sudo rm -rf config
sudo curl http://somwhere/appa.jar -o appa.jar
sudo chmod 755 *
sudo chown appa:appa *
sudo -S su - $USER -c "java -jar appa.jar &"And given the processes are a 1:1 mapping between user and process the equivalent stop script would be as simple as
Code:
sudo pkill -u appaNow ISP are saying "you have a lot of sudos", given that the alternative is that they "sudo su - appa" prior to running the start script, I can't see the issue?
Also using my approach
- They don't need to know which user to switch to before running the script
- They don't have to switch back to their privileged account afterwards.
Last edited: