production-v2.cfg
# New style of deployments:
# - increased security through support for multiple users
# - deployments are now located at /apps/0x-plone-y
# - the groups "deploy" and "zope" make sure every user has the right access
# to the files
# - files are owned by the deploying user and the service user (zope) does not
# have write access to the source code and other files
# - files which are written by the service user (zope), such as the database,
# are owned by the zope group.
#
# Usage:
# This config file must be extended after extending the production.cfg.
# It is not a replacement for the production.cfg but an extension.
[buildout]
# Hook the two permission-fixing parts defined in this file into the build.
# "+=" appends to the value inherited from the configuration this file
# extends, which is why production.cfg has to be extended first.
# NOTE(review): "early-parts" is not defined anywhere on this page;
# presumably the extended production.cfg evaluates it ahead of the regular
# parts - confirm there.
early-parts += fix-solr-permissions
parts += setpermissions
[deployment]
# Configuration directory shared by the deployments under /apps.
# The last command of [setpermissions] runs "chmod -R g+rw,o+r" on
# /apps/etc/*, so everything stored below this directory ends up readable by
# every local account and writable by the owning group.
# NOTE(review): which files land here is not visible on this page; if any of
# them carry credentials, the o+r bit needs to be reconsidered.
etc-directory = /apps/etc
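[fix-solr-permissions]
# Makes the Solr webapp directory group-writable before the other parts run
# (this part is listed in buildout:early-parts).
# The chmod is executed through sudo as ${buildout:os-user}.
# NOTE(review): presumably that account owns the webapp files, which is why
# the deploying user cannot chmod them directly - confirm. The deploying
# users then need a sudoers entry for this; keep it scoped to what is
# actually required.
# NOTE(review): --silent suppresses chmod's error messages, so a failed
# permission change is not reported. plone.recipe.command's "stop-on-error"
# option is not set here; confirm whether a failure should abort the run.
recipe = plone.recipe.command
# Continuation lines of a multi-line value must be indented.
command =
    sudo -u ${buildout:os-user} chmod -R --silent g+w ${buildout:directory}/parts/solr-instance/solr-webapp/webapp
# Re-apply the same command on every later buildout run, not only on install.
update-command = ${:command}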
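[setpermissions]
# Normalises group ownership and modes after each buildout run so that
# several deploying users (group "deploy") can share one deployment, while
# the service account only gets write access to var/ and the Solr runtime
# folders.
#
# The "#" lines inside the command value start in column 0, so they are
# configuration comments; only the indented lines form the command.
#
# NOTE(review): every chmod/chgrp below uses --silent, so a failed permission
# change is not reported and the tree can be left in a mixed state without
# any diagnostic. plone.recipe.command's "stop-on-error" option is not set
# here; confirm whether that best-effort behaviour is intended.
# NOTE(review): the "*" globs do not match dot-files directly below the
# listed directories; those keep whatever mode and group they already have.
recipe = plone.recipe.command
command =
# Make sure that the var directory is owned by the "zope" group in order to
# let the service user "zope" have write access. The group name is taken
# from ${buildout:os-user} (presumably "zope" - confirm in production.cfg).
    chgrp --silent -R ${buildout:os-user} ${buildout:directory}/var
# 2770 = setgid + rwx for owner and group, nothing for others. It is applied
# to var/ itself and its direct sub-directories only (-maxdepth 1); setgid
# makes newly created entries inherit the directory's group.
    find ${buildout:directory}/var -maxdepth 1 -type d -exec chmod --silent 2770 {} \;
# Make sure supervisord is always started as "zope" user using sudo.
# Only the owner and group execute bits are removed; the "other" bit is left
# as it is.
# NOTE(review): this relies on the service account being neither the owner
# nor a member of the file's group, and on o+x being set - confirm.
    chmod --silent u-x,g-x ${buildout:directory}/bin/supervisord
# Make sure that other users can access the egg infos later.
# NOTE(review): g+rw lets every member of the owning group replace code that
# the service later imports. Unlike /apps/downloads, no chgrp is applied
# here, so the group is whatever it already is - confirm that the service
# account is not a member of it.
    chmod -R --silent g+rw,o+r /apps/eggs/*
# Make sure that other users can access the extends-cache later.
    chmod -R --silent g+rw,o+r /apps/extends-cache/*
# Make sure that other users can access the downloads later.
    chmod -R --silent g+rw,o+r /apps/downloads/*
    chgrp -R --silent deploy /apps/downloads/*
# Make sure other deployers can change bin scripts.
# This adds read/write only, so the execute bits removed from supervisord
# above stay removed.
    chmod --silent g+rw ${buildout:directory}/bin/*
# Make sure other deployers can change parts.
    chmod -R --silent g+rw ${buildout:directory}/parts/*
    chgrp -R --silent deploy ${buildout:directory}/parts/*
# Make sure that "zope" has write access to solr-specific folders.
# These two lines must stay after the recursive "chgrp deploy" on parts/*,
# which would otherwise reset the group of the Solr folders.
    chgrp --silent -R ${buildout:os-user} ${buildout:directory}/parts/solr-instance/logs
    chgrp --silent -R ${buildout:os-user} ${buildout:directory}/parts/solr-instance/solr-webapp
# Make sure that /apps/etc/**/* is group writeable.
# The mode also adds o+r, i.e. every local account can read these files.
# NOTE(review): confirm that nothing below /apps/etc holds credentials.
    chmod -R --silent g+rw,o+r /apps/etc/*
# Re-apply the same commands on every later buildout run, not only on install.
update-command = ${:command}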