From: Peter Palfrader
Date: Fri, 26 Apr 2013 12:25:47 +0000 (+0200)
Subject: merge mirror and master authorized_keys and wrapper script
X-Git-Url: https://git.donarmstrong.com/?p=dsa-puppet.git;a=commitdiff_plain;h=bf3691ae1a76a07158faf2acc34f68a59874ff9c

merge mirror and master authorized_keys and wrapper script
---
diff --git a/modules/roles/files/static-mirroring/static-master-ssh-wrap b/modules/roles/files/static-mirroring/static-master-ssh-wrap
deleted file mode 100755
index 0fe7c737..00000000
--- a/modules/roles/files/static-mirroring/static-master-ssh-wrap
+++ /dev/null
@@ -1,151 +0,0 @@
-#!/bin/bash
-
-# Copyright (c) 2009, 2010, 2012 Peter Palfrader
-#
-# Permission is hereby granted, free of charge, to any person obtaining
-# a copy of this software and associated documentation files (the
-# "Software"), to deal in the Software without restriction, including
-# without limitation the rights to use, copy, modify, merge, publish,
-# distribute, sublicense, and/or sell copies of the Software, and to
-# permit persons to whom the Software is furnished to do so, subject to
-# the following conditions:
-#
-# The above copyright notice and this permission notice shall be
-# included in all copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
-# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
-# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
-# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
-# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
-# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
-# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-
-set -e
-set -u
-
-MYLOGNAME="`basename "$0"`[$$]"
-BASEDIR="/home/staticsync/static-master"
-COMPONENTLIST=/etc/static-components.conf
-
-usage() {
- echo "local Usage: $0 "
- echo "via ssh orig command:"
- echo " rsync "
- echo " static-master-update-component "
-}
-
-one_more_arg() {
- if [ "$#" -lt 1 ]; then
- usage >&2
- exit 1
- fi
-}
-
-info() {
- logger -p daemon.info -t "$MYLOGNAME" "$1"
-}
-
-croak() {
- logger -s -p daemon.warn -t "$MYLOGNAME" "$1"
- exit 1
-}
-
-do_rsync() {
- local remote_host="$1"; shift
- local args="--server --sender -vlHtrze.iLsf --safe-links ."
-
- for component in $(awk -v this_host="$(hostname -f)" '$1 == this_host {print $2}' $COMPONENTLIST); do
- if [ "$*" = "$args $component/-new-/" ] || [ "$*" = "$args ./$component/-new-/" ] ; then
- local path="$BASEDIR/master/$component-current-push"
- info "serving $remote_host with $path"
- rsync $args "$path/."
- return
- elif [ "$*" = "$args $component/-live-/" ] || [ "$*" = "$args ./$component/-live-/" ] ; then
- local path="$BASEDIR/master/$component-current-live"
- info "host $remote_host wants $path, acquiring lock"
- exec 200< "$path"
- if ! flock -s -w 0 200; then
- echo >&2 "Cannot acquire shared lock on $path - this should mean an update is already underway anyway."
- exit 1
- fi
- rsync $args "$path/."
- return
- fi
- done
-
- info "NOT allowed for $remote_host: rsync $*"
- echo >&2 "This rsync command ($@) not allowed."
- exit 1
-}
-
-do_update_component() {
- local remote_host="$1"; shift
-
- one_more_arg "$@"
- component="$1"
- shift
-
- hit="$(
- awk -v this_host="$(hostname -f)" -v component="$component" -v host="$remote_host" '
- $1 == this_host && $2 == component {
- if ($3 == host) {
- print $4
- exit
- }
- split($5,extra,",")
- for (i in extra) {
- if (host == extra[i]) {
- printf "%s:%s\n", $3, $4
- exit
- }
- }
- exit
- }' "$COMPONENTLIST"
- )"
- if [ -n "$hit" ]; then
- exec static-master-update-component "$component"
- echo >&2 "Exec failed"
- croak "exec failed"
- else
- info "Not whitelisted: $remote_host update $component"
- echo >&2 "Not whitelisted: $remote_host update $component"
- exit 1
- fi
-}
-
-
-if [ "${1:-}" = "-h" ] || [ "${1:-}" = "--help" ]; then
- usage
- exit 0
-fi
-
-one_more_arg "$@"
-remote_host="$1"
-shift
-
-
-# check/parse remote command line
-if [ -z "${SSH_ORIGINAL_COMMAND:-}" ] ; then
- croak "Did not find SSH_ORIGINAL_COMMAND"
-fi
-set "dummy" ${SSH_ORIGINAL_COMMAND}
-shift
-
-info "host $remote_host called with $*"
-
-one_more_arg "$@"
-action="$1"
-shift
-
-case "$action" in
- rsync)
- do_rsync "$remote_host" "$@"
- ;;
- static-master-update-component)
- do_update_component "$remote_host" "$@"
- ;;
- *)
- croak "Invalid operation '$action'"
- ;;
-esac
diff --git a/modules/roles/files/static-mirroring/static-mirror-ssh-wrap b/modules/roles/files/static-mirroring/static-mirror-ssh-wrap
deleted file mode 100755
index ad03c08e..00000000
--- a/modules/roles/files/static-mirroring/static-mirror-ssh-wrap
+++ /dev/null
@@ -1,144 +0,0 @@
-#!/bin/bash
-
-# This is a wrapper script for ssh access on Debian's static mirroring infrastructure.
-#
-# It limits the commands the master can run on static-mirroring mirrors (i.e.
-# the things running apache) on one hand, and also on static-mirroring sources,
-# that is the things that create the data.
-
-# Copyright (c) 2009, 2010, 2012 Peter Palfrader
-#
-# Permission is hereby granted, free of charge, to any person obtaining
-# a copy of this software and associated documentation files (the
-# "Software"), to deal in the Software without restriction, including
-# without limitation the rights to use, copy, modify, merge, publish,
-# distribute, sublicense, and/or sell copies of the Software, and to
-# permit persons to whom the Software is furnished to do so, subject to
-# the following conditions:
-#
-# The above copyright notice and this permission notice shall be
-# included in all copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
-# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
-# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
-# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
-# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
-# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
-# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-
-set -e
-set -u
-
-MYLOGNAME="`basename "$0"`[$$]"
-COMPONENTLIST=/etc/static-components.conf
-
-usage() {
- echo "local Usage: $0 "
- echo "via ssh orig command:"
- echo " mirror "
- echo " rsync ..."
- do_rsync "$remote_host" "$@"
-}
-
-one_more_arg() {
- if [ "$#" -lt 1 ]; then
- usage >&2
- exit 1
- fi
-}
-
-info() {
- logger -p daemon.info -t "$MYLOGNAME" "$1"
-}
-
-croak() {
- logger -s -p daemon.warn -t "$MYLOGNAME" "$1"
- exit 1
-}
-
-do_mirror() {
- local basedir="$1"; shift
- local remote_host="$1"; shift
- one_more_arg "$@"
- local component="$1"; shift
- one_more_arg "$@"
- local serial="$1"; shift
-
- masterhost="$(awk -v component="$component" '$2 == component {print $1; exit}' "$COMPONENTLIST")"
- if [ -z "$masterhost" ]; then
- croak "Did not find master for component $component."
- elif [ "$masterhost" != "$remote_host" ]; then
- croak "$remote_host is not master for $component."
- else
- info "Host $remote_host triggered a mirror run for $component, serial $serial"
- exec /usr/local/bin/static-mirror-run "$basedir/mirrors/$component" "$remote_host:$component/-new-" "$serial"
- echo >&2 "Exec failed"
- croak "exec failed"
- fi
-}
-
-do_rsync() {
- local remote_host="$1"
- shift
-
- local allowed_rsyncs
- allowed_rsyncs=()
-
- if [ -e "$COMPONENTLIST" ]; then
- for path in $(awk -v host="$(hostname -f)" '$3 == host {print $4}' $COMPONENTLIST); do
- allowed_rsyncs+=("--server --sender -lHtrze.iLsf --safe-links . $path/.")
- done
- fi
- for cmd_idx in ${!allowed_rsyncs[*]}; do
- allowed="${allowed_rsyncs[$cmd_idx]}"
- if [ "$*" = "$allowed" ]; then
- info "Running for host $remote_host: rsync $*"
- exec rsync "$@"
- echo >&2 "Exec failed"
- exit 1
- fi
- done
-
- info "NOT allowed for $remote_host: rsync $*"
- echo >&2 "This rsync command ($*) not allowed."
- exit 1
-}
-
-
-if [ "${1:-}" = "-h" ] || [ "${1:-}" = "--help" ]; then
- usage
- exit 0
-fi
-
-one_more_arg "$@"
-basedir="$1"
-shift
-
-one_more_arg "$@"
-remote_host="$1"
-shift
-
-
-# check/parse remote command line
-if [ -z "${SSH_ORIGINAL_COMMAND:-}" ] ; then
- croak "Did not find SSH_ORIGINAL_COMMAND"
-fi
-set "dummy" ${SSH_ORIGINAL_COMMAND}
-shift
-
-one_more_arg "$@"
-action="$1"
-shift
-
-case "$action" in
- mirror)
- do_mirror "$basedir" "$remote_host" "$@"
- ;;
- rsync)
- do_rsync "$remote_host" "$@"
- ;;
- *)
- croak "Invalid operation '$action'"
- ;;
-esac
diff --git a/modules/roles/manifests/static_base.pp b/modules/roles/manifests/static_base.pp
index e062a9e5..cd580cdb 100644
--- a/modules/roles/manifests/static_base.pp
+++ b/modules/roles/manifests/static_base.pp
@@ -9,4 +9,15 @@ class roles::static_base {
 file { '/etc/static-components.conf':
 source => 'puppet:///modules/roles/static-mirroring/static-components.conf',
 }
+
+ file { '/etc/ssh/userkeys/staticsync':
+ content => template('roles/static-mirroring/static-authorized_keys.erb'),
+ }
+
+ file { '/usr/local/bin/staticsync-ssh-wrap':
+ source => 'puppet:///modules/roles/static-mirroring/staticsync-ssh-wrap',
+ mode => '0555',
+ }
+ file { '/usr/local/bin/static-mirror-ssh-wrap': ensure => absent; }
+ file { '/usr/local/bin/static-master-ssh-wrap': ensure => absent; }
 }
diff --git a/modules/roles/manifests/static_master.pp b/modules/roles/manifests/static_master.pp
index 0816754d..73f74c83 100644
--- a/modules/roles/manifests/static_master.pp
+++ b/modules/roles/manifests/static_master.pp
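Review bot: The new `file { '/etc/ssh/userkeys/staticsync': ... }` and `file { '/usr/local/bin/staticsync-ssh-wrap': ... }` resources reference `static-authorized_keys.erb` and `staticsync-ssh-wrap`, but neither file is added anywhere in this commit, so unless they landed in an earlier commit the catalog fails on every host that includes roles::static_base. This class now installs a single keys file on every role that includes it, whereas the two deleted templates each pinned their keys to a role-specific forced `command=` wrapper and a `from=` address list; the merged template should be checked to still emit both options for every key, since together with `/etc/static-components.conf` they were what kept a peer from invoking the other role's actions. The keys file is managed with no explicit ownership or permissions, as the deleted resources were; if the puppet defaults do not guarantee a root-owned, non-group-writable file, `owner => 'root', group => 'root', mode => '0644',` on that resource makes the sshd StrictModes expectation explicit. Stylistically, the two `ensure => absent;` one-liners would read more consistently in the same multi-line attribute form as the other resources in the class.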
@@ -2,17 +2,10 @@ class roles::static_master {
 include roles::static_base
- file { '/etc/ssh/userkeys/staticsync':
- content => template('roles/static-mirroring/static-master-authorized_keys.erb'),
- }
 file { '/usr/local/bin/static-master-run':
 source => 'puppet:///modules/roles/static-mirroring/static-master-run',
 mode => '0555',
 }
- file {'/usr/local/bin/static-master-ssh-wrap':
- source => 'puppet:///modules/roles/static-mirroring/static-master-ssh-wrap',
- mode => '0555',
- }
 file { '/usr/local/bin/static-master-update-component':
 source => 'puppet:///modules/roles/static-mirroring/static-master-update-component',
 mode => '0555',
diff --git a/modules/roles/manifests/static_source.pp b/modules/roles/manifests/static_source.pp
index 81210e29..c4bc4407 100644
--- a/modules/roles/manifests/static_source.pp
+++ b/modules/roles/manifests/static_source.pp
@@ -1,14 +1,9 @@
 class roles::static_source {
+ include roles::static_base
- file { '/etc/ssh/userkeys/staticsync':
- content => template('roles/static-mirroring/static-mirror-authorized_keys.erb'),
- }
+
 file { '/usr/local/bin/static-update-component':
 source => 'puppet:///modules/roles/static-mirroring/static-update-component',
 mode => '0555',
 }
- file { '/usr/local/bin/static-mirror-ssh-wrap':
- source => 'puppet:///modules/roles/static-mirroring/static-mirror-ssh-wrap',
- mode => '0555',
- }
 }
diff --git a/modules/roles/templates/static-mirroring/static-master-authorized_keys.erb b/modules/roles/templates/static-mirroring/static-master-authorized_keys.erb
deleted file mode 100644
index 6f04c69f..00000000
--- a/modules/roles/templates/static-mirroring/static-master-authorized_keys.erb
+++ /dev/null
@@ -1,46 +0,0 @@
-##
-## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
-##
-
-<%=
-def getstaticsynckey(host)
- key = nil
- begin
- facts = YAML.load(File.open("/var/lib/puppet/yaml/facts/#{host}.yaml").read)
- return facts.values['staticsync_key']
- rescue Exception => e
- end
- return key
-end
-
-localinfo = scope.lookupvar('site::localinfo')
-allnodeinfo = scope.lookupvar('site::allnodeinfo')
-
-mirrors = []
-localinfo.keys.sort.each do |node|
- if localinfo[node]['static_mirror'] or localinfo[node]['static_source']
- key = getstaticsynckey(node)
- mirrors << { 'node' => node, 'addr' => allnodeinfo[node]['ipHostNumber'], 'key' => key}
- end
-end
-
-mirrors << { 'node' => 'wagner.debian.org', 'addr' => allnodeinfo['wagner.debian.org']['ipHostNumber'], 'key' => 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCXHFIkIhOC5iDa0d0IN5w6tUUL2T2iXCYcS2+dandE9f550OpKQ/evUZhw4EERNYDA3G7GV3jJzQR0j/KZWJUtDCichmqS94xJqXURmZVNeLXWY9x/N7CB1iG1Iblu6sgyTUrs7N6Wb0fUab3AXAi9KIXdwNLY622reR9T//bRULPVIl5VFpYtGBPT9n3wR7fLQ4ndEcUmEGcM4jRbpLmye4QGgJotuzeBWUpX+U648Yly6U7NlAJIWPUt7hEzMz2AC81SLhGCwTk6sb19n2dO6WN2ndynp8PLG1emtgd1/DaeaRyPcitoWgSoDNgKNk3zLIDtCdSYvFI8xXrm6cK3 staticsync@wagner'}
-
-lines = []
-for m in mirrors:
- lines << '# ' + m['node']
- if m['key'].nil?
- lines << "# no key for node"
- else
- lines << "command=\"/usr/local/bin/static-master-ssh-wrap #{m['node']}\"," +
- 'no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-user-rc,' +
- 'from="' + m['addr'].join(',') + '" ' +
- m['key']
- end
-end
-
-lines.join("\n")
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
-%>
diff --git a/modules/roles/templates/static-mirroring/static-mirror-authorized_keys.erb b/modules/roles/templates/static-mirroring/static-mirror-authorized_keys.erb
deleted file mode 100644
index 74bb7d59..00000000
--- a/modules/roles/templates/static-mirroring/static-mirror-authorized_keys.erb
+++ /dev/null
@@ -1,42 +0,0 @@
-##
-## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
-##
-
-<%=
-def getstaticsynckey(host)
- key = nil
- begin
- facts = YAML.load(File.open("/var/lib/puppet/yaml/facts/#{host}.yaml").read)
- return facts.values['staticsync_key']
- rescue Exception => e
- end
- return key
-end
-
-masters = []
-scope.lookupvar('site::localinfo').keys.sort.each do |node|
- if scope.lookupvar('site::localinfo')[node]['static_master']
- key = getstaticsynckey(node)
- masters << { 'node' => node, 'addr' => scope.lookupvar('site::allnodeinfo')[node]['ipHostNumber'], 'key' => key}
- end
-end
-
-
-lines = []
-for m in masters:
- lines << '# ' + m['node']
- if m['key'].nil?
- lines << "# no key for node"
- else
- lines << "command=\"/usr/local/bin/static-mirror-ssh-wrap /srv/static.debian.org #{m['node']}\"," +
- 'no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-user-rc,' +
- 'from="' + m['addr'].join(',') + '" ' +
- m['key']
- end
-end
-
-lines.join("\n")
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
-%>