vos-release: have separate user

I was trying to simplify things by having a restricted shell script run by root. However, our base-setup called my bluff as we also need to setup sshd to allow remote root logins from specific addresses. It's looking easier to create a new user, and give it sudo permissions to run the vos release script. Change-Id: If70b27cb974eb8c1bafec2b7ef86d4f5cba3c4c5
2019-11-21 11:53:45 +11:00 · 2019-11-21 11:53:45 +11:00 · f57154f91b
commit f57154f91b
parent 3153f27c24
5 changed files with 20 additions and 9 deletions
--- a/playbooks/group_vars/afs.yaml
+++ b/playbooks/group_vars/afs.yaml
@ -1,6 +1 @@
 iptables_extra_public_udp_ports: [7000,7001,7002,7003,7004,7005,7006,7007]
-
-# we allow a special key deployed on the mirror-update hosts to run a
-# restricted script that runs "vos release" with localauth
-# permissions, to avoid timeouts.  See vos-release role.
-bastion_key_exclusive: false
--- a/playbooks/remote_puppet_afs.yaml
+++ b/playbooks/remote_puppet_afs.yaml
@ -13,6 +13,7 @@
 - hosts: "mirror-update:!disabled"
  name: "Create key for remote vos release"
  tasks:
+    # Note done as root because all the update scripts run as root
    - name: Create vos release keypair
      openssh_keypair:
        path: /root/.ssh/id_vos_release
--- a/playbooks/roles/vos-release/files/vos_release.sh
+++ b/playbooks/roles/vos-release/files/vos_release.sh
@ -12,6 +12,6 @@ if [[ $# != 3 || $1 != "vos" || $2 != "release" ]]; then
    exit 1
 fi

-vos release -v -localauth $3
+sudo vos release -v -localauth $3


--- a/playbooks/roles/vos-release/files/vos_release.sudo
+++ b/playbooks/roles/vos-release/files/vos_release.sudo
@ -0,0 +1 @@
+vos_release ALL = (ALL) NOPASSWD: /usr/bin/vos
--- a/playbooks/roles/vos-release/tasks/main.yaml
+++ b/playbooks/roles/vos-release/tasks/main.yaml
@ -6,15 +6,29 @@
    group: root
    mode: 0755

- name: Ensure update key
+- name: Install sudo permissions
+  copy:
+    src: vos_release.sudo
+    dest: '/etc/sudoers.d'
+    owner: root
+    group: root
+    mode: 0440
+
+- name: Create the vos_release user
+  user:
+    name: vos_release
+    comment: Remote user for "vos release"
+    shell: /usr/sbin/nologin
+
+- name: Ensure update key exists
  assert:
    that:
      - hostvars[item]['vos_release_keypair'] is defined
  with_inventory_hostnames: mirror-update

- name: Install vos release key
+- name: Install vos_release remote key
  authorized_key:
-    user: 'root'
+    user: vos_release
    state: present
    key: '{{ hostvars[item]["vos_release_keypair"]["public_key"] }}'
    key_options: 'command="/usr/local/bin/vos_release.sh",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty'
				`@ -0,0 +1 @@`
				`vos_release ALL = (ALL) NOPASSWD: /usr/bin/vos`