opendev/system-config
Code Issues Proposed changes

vos-release: have separate user

Browse Source 
I was trying to simplify things by having a restricted shell script
run by root.  However, our base-setup called my bluff as we also need
to setup sshd to allow remote root logins from specific addresses.

It's looking easier to create a new user, and give it sudo permissions
to run the vos release script.

Change-Id: If70b27cb974eb8c1bafec2b7ef86d4f5cba3c4c5
This commit is contained in:
Ian Wienand 2019-11-21 11:53:45 +11:00
parent 3153f27c24
commit f57154f91b
5 changed files with 20 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
playbooks/group_vars/afs.yaml
View File

@ -1,6 +1 @@
iptables_extra_public_udp_ports: [7000,7001,7002,7003,7004,7005,7006,7007] iptables_extra_public_udp_ports: [7000,7001,7002,7003,7004,7005,7006,7007]
# we allow a special key deployed on the mirror-update hosts to run a
# restricted script that runs "vos release" with localauth
# permissions, to avoid timeouts. See vos-release role.
bastion_key_exclusive: false

1
playbooks/remote_puppet_afs.yaml
View File

@ -13,6 +13,7 @@
- hosts: "mirror-update:!disabled" - hosts: "mirror-update:!disabled"
name: "Create key for remote vos release" name: "Create key for remote vos release"
tasks: tasks:
# Note done as root because all the update scripts run as root
- name: Create vos release keypair - name: Create vos release keypair
openssh_keypair: openssh_keypair:
path: /root/.ssh/id_vos_release path: /root/.ssh/id_vos_release

2
playbooks/roles/vos-release/files/vos_release.sh
View File

@ -12,6 +12,6 @@ if [[ $# != 3 || $1 != "vos" || $2 != "release" ]]; then
exit 1 exit 1
fi fi
vos release -v -localauth $3 sudo vos release -v -localauth $3

1
playbooks/roles/vos-release/files/vos_release.sudo Normal file
View File

@ -0,0 +1 @@
vos_release ALL = (ALL) NOPASSWD: /usr/bin/vos

20
playbooks/roles/vos-release/tasks/main.yaml
View File

@ -6,15 +6,29 @@
group: root group: root
mode: 0755 mode: 0755
- name: Ensure update key - name: Install sudo permissions
copy:
src: vos_release.sudo
dest: '/etc/sudoers.d'
owner: root
group: root
mode: 0440
- name: Create the vos_release user
user:
name: vos_release
comment: Remote user for "vos release"
shell: /usr/sbin/nologin
- name: Ensure update key exists
assert: assert:
that: that:
- hostvars[item]['vos_release_keypair'] is defined - hostvars[item]['vos_release_keypair'] is defined
with_inventory_hostnames: mirror-update with_inventory_hostnames: mirror-update
- name: Install vos release key - name: Install vos_release remote key
authorized_key: authorized_key:
user: 'root' user: vos_release
state: present state: present
key: '{{ hostvars[item]["vos_release_keypair"]["public_key"] }}' key: '{{ hostvars[item]["vos_release_keypair"]["public_key"] }}'
key_options: 'command="/usr/local/bin/vos_release.sh",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty' key_options: 'command="/usr/local/bin/vos_release.sh",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty'