The method by which scap restarts a service:
- ssh into machine as a defined ssh_user
- that user calls: sudo service [service_name] restart
This user needs a sudoers rule:
[user] ALL=(root) NOPASSWD: /usr/sbin/service [service_name] restart
The private key for this user would reside on the deployment host (e.g. tin.eqiad.wmnet) and only be accessible via keyholder. Keyholder only allows folks in certain user-groups to access certain keys.
Citoid deploy setup as a concrete example:
- Create citoid-deploy group on tin and add citoid deployers to that group
- Add citoid-deploy private key to keyholder on deployment host
- Put the public ssh key (whose private half was made accessible to the citoid-deploy group in the previous step) into the authorized_keys file of the citoid user on the citoid deployment targets
- Add sudoers rule to deployment targets: citoid ALL=(root) NOPASSWD: /usr/sbin/service citoid restart
This is different from the way trebuchet allows you to restart a service, where everyone in wikidev can publish to the deploy.restart runner (https://github.com/wikimedia/operations-puppet/blob/production/modules/role/manifests/deployment/server.pp#L120)
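As an added example (not scap's own code, and not part of the original note), the following POSIX shell functions generate the per-service sudoers rule described above for a given deploy user and service, reject service names that would widen the rule, and check whether a command line the ssh user runs is covered by it. The only path taken from the text is /usr/sbin/service; the function names and the sample service names are assumptions.

```shell
#!/bin/sh
# Added example: build and sanity-check the restart-only sudoers rule that
# scap relies on. Not scap's code; /usr/sbin/service is the path from the
# note, everything else here is an assumption for illustration.

SERVICE_BIN=/usr/sbin/service

# Accept only plain service names. A name containing spaces, commas or
# shell metacharacters would change the meaning of the generated sudoers
# line (extra arguments, extra command specs), so refuse it outright.
valid_service_name() {
    case "$1" in
        ''|*[!A-Za-z0-9_.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Emit the sudoers rule for one deploy user and one service:
#   <user> ALL=(root) NOPASSWD: /usr/sbin/service <service> restart
# Exactly one command, exactly one argument list, no wildcards.
sudoers_rule() {
    user=$1
    service=$2
    valid_service_name "$service" || return 1
    printf '%s ALL=(root) NOPASSWD: %s %s restart\n' \
        "$user" "$SERVICE_BIN" "$service"
}

# Check whether a command line is covered by the rule. sudo compares the
# resolved full path of the command and every argument literally against
# the rule, so "service citoid stop" or a different service name is refused
# even though the same user may run "service citoid restart".
rule_allows() {
    rule=$1
    cmdline=$2
    allowed=${rule#*"NOPASSWD: "}
    [ "$allowed" = "$cmdline" ]
}

# Stand-alone demo: print the rule for the citoid example and show which
# command lines it does and does not cover.
if [ "${1:-}" = "--demo" ]; then
    rule=$(sudoers_rule citoid citoid) || exit 1
    echo "$rule"
    for c in "$SERVICE_BIN citoid restart" \
             "$SERVICE_BIN citoid stop" \
             "$SERVICE_BIN parsoid restart"; do
        if rule_allows "$rule" "$c"; then
            echo "allowed: $c"
        else
            echo "refused: $c"
        fi
    done
fi
```

Run it with `sh script.sh --demo` to see the citoid rule from the note and the three checks; only the exact restart command line is reported as allowed. The strict name check matters because the rule is usually generated from configuration, and a service name that is not a plain token would turn the single restart permission into something broader.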