From f57154f91bcb1b81b45c7ae2cbc6232252486963 Mon Sep 17 00:00:00 2001
From: Ian Wienand
Date: Thu, 21 Nov 2019 11:53:45 +1100
Subject: [PATCH] vos-release: have separate user

I was trying to simplify things by having a restricted shell script run by root. However, our base-setup called my bluff as we also need to setup sshd to allow remote root logins from specific addresses. It's looking easier to create a new user, and give it sudo permissions to run the vos release script.

Change-Id: If70b27cb974eb8c1bafec2b7ef86d4f5cba3c4c5
---
 playbooks/group_vars/afs.yaml | 5 -----
 playbooks/remote_puppet_afs.yaml | 1 +
 .../roles/vos-release/files/vos_release.sh | 2 +-
 .../roles/vos-release/files/vos_release.sudo | 1 +
 playbooks/roles/vos-release/tasks/main.yaml | 20 ++++++++++++++++---
 5 files changed, 20 insertions(+), 9 deletions(-)
 create mode 100644 playbooks/roles/vos-release/files/vos_release.sudo

diff --git a/playbooks/group_vars/afs.yaml b/playbooks/group_vars/afs.yaml
index d6fa5c665f..2314190b2e 100644
--- a/playbooks/group_vars/afs.yaml
+++ b/playbooks/group_vars/afs.yaml
@@ -1,6 +1 @@
 iptables_extra_public_udp_ports: [7000,7001,7002,7003,7004,7005,7006,7007]
-
-# we allow a special key deployed on the mirror-update hosts to run a
-# restricted script that runs "vos release" with localauth
-# permissions, to avoid timeouts. See vos-release role.
-bastion_key_exclusive: false
\ No newline at end of file
diff --git a/playbooks/remote_puppet_afs.yaml b/playbooks/remote_puppet_afs.yaml
index dc45e87606..75de5463ee 100644
--- a/playbooks/remote_puppet_afs.yaml
+++ b/playbooks/remote_puppet_afs.yaml
@@ -13,6 +13,7 @@
 - hosts: "mirror-update:!disabled"
 name: "Create key for remote vos release"
 tasks:
+ # Note done as root because all the update scripts run as root
 - name: Create vos release keypair
 openssh_keypair:
 path: /root/.ssh/id_vos_release
diff --git a/playbooks/roles/vos-release/files/vos_release.sh b/playbooks/roles/vos-release/files/vos_release.sh
index c2f2101b99..7f749275ce 100755
--- a/playbooks/roles/vos-release/files/vos_release.sh
+++ b/playbooks/roles/vos-release/files/vos_release.sh
@@ -12,6 +12,6 @@ if [[ $# != 3 || $1 != "vos" || $2 != "release" ]]; then
 exit 1
 fi
-vos release -v -localauth $3
+sudo vos release -v -localauth $3
diff --git a/playbooks/roles/vos-release/files/vos_release.sudo b/playbooks/roles/vos-release/files/vos_release.sudo
new file mode 100644
index 0000000000..7a2f3ced56
--- /dev/null
+++ b/playbooks/roles/vos-release/files/vos_release.sudo
@@ -0,0 +1 @@
+vos_release ALL = (ALL) NOPASSWD: /usr/bin/vos
\ No newline at end of file
diff --git a/playbooks/roles/vos-release/tasks/main.yaml b/playbooks/roles/vos-release/tasks/main.yaml
index cb38a5fa5c..5b846ee395 100644
--- a/playbooks/roles/vos-release/tasks/main.yaml
+++ b/playbooks/roles/vos-release/tasks/main.yaml
@@ -6,15 +6,29 @@
 group: root
 mode: 0755
-- name: Ensure update key
+- name: Install sudo permissions
+ copy:
+ src: vos_release.sudo
+ dest: '/etc/sudoers.d'
+ owner: root
+ group: root
+ mode: 0440
+
+- name: Create the vos_release user
+ user:
+ name: vos_release
+ comment: Remote user for "vos release"
+ shell: /usr/sbin/nologin
+
+- name: Ensure update key exists
 assert:
 that:
 - hostvars[item]['vos_release_keypair'] is defined
 with_inventory_hostnames: mirror-update
-- name: Install vos release key
+- name: Install vos_release remote key
 authorized_key:
- user: 'root'
+ user: vos_release
 state: present
 key: '{{ hostvars[item]["vos_release_keypair"]["public_key"] }}'
 key_options: 'command="/usr/local/bin/vos_release.sh",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty'
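Review bot: `$3` is handed to sudo unquoted on the added line, so a volume name containing whitespace or glob characters is word-split before `vos` sees it; write `sudo vos release -v -localauth "$3"`. The quoting also matters if the sudoers entry is later narrowed to an argument pattern, because what sudo matches is the list of words that actually reaches it. The first eleven lines of the script, where the positional parameters are set up, are outside the hunk; with an authorized_keys forced `command=` sshd passes the requested command in SSH_ORIGINAL_COMMAND rather than as arguments, so presumably that is where `$1`..`$3` come from.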
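Review bot: The new rule `vos_release ALL = (ALL) NOPASSWD: /usr/bin/vos` lets the account run every `vos` subcommand as root with any arguments, while the wrapper only ever needs `vos release -v -localauth <volume>`; narrow it to that, e.g. `vos_release ALL = (root) NOPASSWD: /usr/bin/vos release -v -localauth *`. The account is reachable with a key whose forced command is the wrapper, so this entry is the only remaining limit on what a leaked key can do as root and should be no wider than the script. The file is also written without a trailing newline; checking it with `visudo -cf` at deployment time would confirm sudo parses it as intended.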
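Review bot: The `copy` task with `dest: '/etc/sudoers.d'` lands the file at `/etc/sudoers.d/vos_release.sudo`, and sudo skips files in `sudoers.d` whose names contain a `.`, so the rule is silently never loaded. Use `dest: /etc/sudoers.d/vos_release` and add `validate: /usr/sbin/visudo -cf %s` so a malformed file is rejected before it is installed. Separately, the `user` task sets `shell: /usr/sbin/nologin`, but sshd runs an authorized_keys forced command through the account's login shell (`$SHELL -c`), so the `command="/usr/local/bin/vos_release.sh"` option further down this hunk is never executed. The shell needs to be a real one such as `/bin/bash`, with the forced command and the sudoers entry doing the restricting.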