openstack/project-config
Code Issues Proposed changes

Zuul versions of sudo grep checks

Browse Source 
Old legacy jobs will continue to want tocheck that the test user isn't
using sudo if sudo has been disabled. Add a zuul version of the checker
script and update the sudo rules to allow the zuul user to run it.

Change-Id: I10720cdec309dc8418b6cf7e9badf9a04aa8e98e
This commit is contained in:
Clark Boylan
2017-09-28 14:15:18 -07:00
parent 98ee420cb8
commit a4331953bd
2 changed files with 67 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

61
jenkins/scripts/zuul-sudo-grep.sh Executable file
View File

@@ -0,0 +1,61 @@
#!/bin/bash
# Copyright 2012 Hewlett-Packard Development Company, L.P.
# Copyright 2013 OpenStack Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
# Find out if zuul has attempted to run any sudo commands by checking
# the auth.log or secure log or messages files before and after a test run.
PATTERN="sudo.*zuul.*:.*\(incorrect password attempts\|command not allowed\)"
if [ -f /var/log/auth.log ]; then
OLDLOGFILE=/var/log/auth.log.1
LOGFILE=/var/log/auth.log
elif [ -f /var/log/secure ]; then
OLDLOGFILE=$( ls /var/log/secure-* | sort | tail -n1 )
LOGFILE=/var/log/secure
elif [ -f /var/log/messages ]; then
OLDLOGFILE=$( ls /var/log/messages-* | sort | tail -n1 )
LOGFILE=/var/log/messages
else
echo "*** Could not find auth.log/secure/messages log for sudo tracing"
exit 1
fi
case "$1" in
pre)
rm -fr /tmp/zuul-sudo-log
mkdir /tmp/zuul-sudo-log
if [ -f "$OLDLOGFILE" ]; then
stat -c %Y $OLDLOGFILE > /tmp/zuul-sudo-log/mtime-pre
else
echo "0" > /tmp/zuul-sudo-log/mtime-pre
fi
grep -h "$PATTERN" $LOGFILE > /tmp/zuul-sudo-log/pre
exit 0
;;
post)
if [ -f "$OLDLOGFILE" ]; then
stat -c %Y $OLDLOGFILE > /tmp/zuul-sudo-log/mtime-post
else
echo "0" > /tmp/zuul-sudo-log/mtime-post
fi
if ! diff /tmp/zuul-sudo-log/mtime-pre /tmp/zuul-sudo-log/mtime-post > /dev/null; then
echo "diff"
grep -h "$PATTERN" $OLDLOGFILE > /tmp/zuul-sudo-log/post
fi
grep -h "$PATTERN" $LOGFILE >> /tmp/zuul-sudo-log/post
diff /tmp/zuul-sudo-log/pre /tmp/zuul-sudo-log/post
;;
esac

7
nodepool/elements/zuul-worker/install.d/60-zuul-worker
View File

@@ -15,8 +15,13 @@ useradd -m zuul -g zuul -s /bin/bash
cat > /etc/sudoers.d/zuul << EOF cat > /etc/sudoers.d/zuul << EOF
zuul ALL=(ALL) NOPASSWD:ALL zuul ALL=(ALL) NOPASSWD:ALL
EOF EOF
chmod 0440 /etc/sudoers.d/zuul chmod 0440 /etc/sudoers.d/zuul
cat > /etc/sudoers.d/zuul-sudo-grep <<EOF
zuul ALL = NOPASSWD:/usr/local/jenkins/slave_scripts/zuul-sudo-grep.sh
EOF
chmod 0440 /etc/sudoers.d/zuul-sudo-grep
visudo -c || die "Error setting zuul sudo!" visudo -c || die "Error setting zuul sudo!"
# this was copied from outside the chroot by extras.d # this was copied from outside the chroot by extras.d