config: Convert wrsroot -> sysadmin

This also changes the group wrs_protected to sys_protected
to de-brand the user and group names.

Depends-On: I887464a20fc17d66529caea03be2b445156f9426
Change-Id: I9b08bf502a9dad279966b201999f65d06dbc5774
Story: 2004716
Task: 28747
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Saul Wold 2019-05-09 13:13:31 -07:00
parent ed2d005df2
commit 8c30771d11
22 changed files with 80 additions and 86 deletions


@ -10565,7 +10565,7 @@ badMediaType (415)
:header: "Parameter", "Style", "Type", "Description"
:widths: 20, 20, 20, 60
"Content-Type multipart/form-data", "plain", "xsd:string", "The content of a file. e.g. if using curl, this would be specified as: curl -F name=@full_path_of_filename <div class=""example""><pre>file=@/home/wrsroot/server-with-key.pem </pre></div>"
"Content-Type multipart/form-data", "plain", "xsd:string", "The content of a file. e.g. if using curl, this would be specified as: curl -F name=@full_path_of_filename <div class=""example""><pre>file=@/home/sysadmin/server-with-key.pem </pre></div>"
"passphrase (Optional)", "plain", "xsd:string", "The passphrase for the PEM file."
"mode (Optional)", "plain", "xsd:string", "This parameter specifies the type of System certificate. Possible values are: <emphasis xmlns=""http://docbook.org/ns/docbook"">ssl, tpm_mode, docker_registry, openstack, openstack_ca</emphasis>. Default: <emphasis xmlns=""http://docbook.org/ns/docbook"">ssl</emphasis>"


@ -61,7 +61,7 @@ SERVICE_ENABLE_TIMEOUT = 180
MINIMUM_ROOT_DISK_SIZE = 500
MAXIMUM_CGCS_LV_SIZE = 500
LDAP_CONTROLLER_CONFIGURE_TIMEOUT = 30
WRSROOT_MAX_PASSWORD_AGE = 45 # 45 days
SYSADMIN_MAX_PASSWORD_AGE = 45 # 45 days
LAG_MODE_ACTIVE_BACKUP = "active-backup"
LAG_MODE_BALANCE_XOR = "balance-xor"


@ -38,7 +38,7 @@ MIN_DATABASE_STORAGE = 20
MIN_IMAGE_STORAGE = 10
MIN_IMAGE_CONVERSIONS_VOLUME = 20
WRSROOT_PASSWD_NO_AGING = 99999
SYSADMIN_PASSWD_NO_AGING = 99999
# System mode
SYSTEM_MODE_DUPLEX = "duplex"


@ -621,14 +621,14 @@ class ConfigAssistant():
self.next_lag_index += 1
return name
def get_wrsroot_sig(self):
""" Get signature for wrsroot user. """
def get_sysadmin_sig(self):
""" Get signature for sysadmin user. """
# NOTE (knasim): only compute the signature for the entries we're
# tracking and propagating {password, aging}. This is prevent
# config-outdated alarms for shadow fields that get modified
# and we don't track and propagate
re_line = re.compile(r'(wrsroot:.*?)\s')
re_line = re.compile(r'(sysadmin:.*?)\s')
with open('/etc/shadow') as shadow_file:
for line in shadow_file:
match = re_line.search(line)
@ -636,7 +636,7 @@ class ConfigAssistant():
# Isolate password(2nd field) and aging(5th field)
entry = match.group(1).split(':')
entrystr = entry[1] + ":" + entry[4]
self.wrsroot_sig = hashlib.md5(entrystr).hexdigest()
self.sysadmin_sig = hashlib.md5(entrystr).hexdigest()
self.passwd_hash = entry[1]
def input_system_mode_config(self):
@ -2904,8 +2904,8 @@ class ConfigAssistant():
self.add_password_for_validation('ADMIN_PASSWORD',
self.admin_password)
if config.has_option('cUSERS', 'WRSROOT_SIG'):
raise ConfigFail("The option WRSROOT_SIG is "
if config.has_option('cUSERS', 'SYSADMIN_SIG'):
raise ConfigFail("The option SYSADMIN_SIG is "
"no longer supported.")
# Licensing configuration
@ -2914,8 +2914,8 @@ class ConfigAssistant():
"no longer supported")
# Security configuration
if config.has_option('cSECURITY', 'CONFIG_WRSROOT_PW_AGE'):
raise ConfigFail("The option CONFIG_WRSROOT_PW_AGE is "
if config.has_option('cSECURITY', 'CONFIG_SYSADMIN_PW_AGE'):
raise ConfigFail("The option CONFIG_SYSADMIN_PW_AGE is "
"no longer supported.")
if config.has_option('cSECURITY', 'ENABLE_HTTPS'):
raise ConfigFail("The option ENABLE_HTTPS is "
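Review bot: The deprecated-option guards in the cUSERS and cSECURITY hunks now reject `SYSADMIN_SIG` and `CONFIG_SYSADMIN_PW_AGE`, names that, as far as this diff shows, no earlier release ever wrote, while the names a legacy config file actually contains, `WRSROOT_SIG` and `CONFIG_WRSROOT_PW_AGE`, are no longer rejected and would pass validation silently. If the intent is still to fail loudly on stale input, accept both spellings: `if config.has_option('cUSERS', 'WRSROOT_SIG') or config.has_option('cUSERS', 'SYSADMIN_SIG'):` and the same for the password-age option. Separately, `get_sysadmin_sig` only assigns `self.sysadmin_sig` when a `sysadmin:` line matches, so on a host whose /etc/shadow still carries only a `wrsroot` entry the attribute is left untouched; a `for … else:` raising `ConfigFail` when no entry is found would surface that. Both enclosing method bodies continue outside their hunks.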


@ -566,9 +566,9 @@ def show_help_subcloud():
def config_main(config_type=REGION_CONFIG):
allow_ssh = False
if config_type == REGION_CONFIG:
config_file = "/home/wrsroot/region_config"
config_file = "/home/sysadmin/region_config"
elif config_type == SUBCLOUD_CONFIG:
config_file = "/home/wrsroot/subcloud_config"
config_file = "/home/sysadmin/subcloud_config"
else:
raise ConfigFail("Invalid config_type: %s" % config_type)
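Review bot: `config_main` hardcodes `/home/sysadmin/region_config` and `/home/sysadmin/subcloud_config`, and the `main` hunk in the next file does the same for `/home/sysadmin/system_config`, so the home directory is now spelled out three times on the Python side in addition to the new puppet `$sysadmin_user_dir` parameter, and the next rename has to find every copy again. A single module-level constant such as `SYSADMIN_HOME = '/home/sysadmin'` with `config_file = os.path.join(SYSADMIN_HOME, 'region_config')` keeps it in one place (assuming `os` is already imported, which the hunk does not show). `config_main` continues past the end of the hunk.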


@ -300,7 +300,7 @@ def main():
do_clone = False
do_non_interactive = False
do_provision = False
system_config_file = "/home/wrsroot/system_config"
system_config_file = "/home/sysadmin/system_config"
allow_ssh = False
# Disable completion as the default completer shows python commands


@ -451,12 +451,12 @@ def _replace_in_file(filename, old, new):
fileinput.close()
@patch('controllerconfig.configassistant.ConfigAssistant.get_wrsroot_sig')
@patch('controllerconfig.configassistant.ConfigAssistant.get_sysadmin_sig')
def _test_region_config(tmpdir, inputfile, resultfile,
mock_get_wrsroot_sig):
mock_get_sysadmin_sig):
""" Test import and generation of answerfile """
mock_get_wrsroot_sig.return_value = None
mock_get_sysadmin_sig.return_value = None
# Create the path to the output file
outputfile = os.path.join(str(tmpdir), 'output')


@ -109,7 +109,7 @@ platform::haproxy::params::global_options:
log:
- '127.0.0.1:514 local1 info'
user: 'haproxy'
group: 'wrs_protected'
group: 'sys_protected'
chroot: '/var/lib/haproxy'
pidfile: '/var/run/haproxy.pid'
maxconn: '4000'


@ -9,7 +9,7 @@ platform::params::controller_1_hostname: controller-1
platform::params::pxeboot_hostname: pxecontroller
platform::params::security_feature: nopti nospectre_v2
platform::amqp::auth_user: guest
platform::users::params::wrsroot_password_max_age: 45
platform::users::params::sysadmin_password_max_age: 45
# mtce
platform::mtce::params::sm_server_port: 2124


@ -47,7 +47,7 @@ class openstack::horizon
user { 'www':
ensure => 'present',
shell => '/sbin/nologin',
groups => ['wrs_protected'],
groups => ['sys_protected'],
}
file { '/www/tmp':


@ -202,7 +202,7 @@ server.chroot = "/www"
server.username = "www"
## change uid to <uid> (default: don't care)
server.groupname = "wrs_protected"
server.groupname = "sys_protected"
## defaults to /var/tmp
server.upload-dirs = ( "/tmp" )


@ -30,19 +30,19 @@ define platform::helm::repository (
}
$before_relationship = Exec['Stop lighttpd']
$require_relationship = [ User['wrsroot'], Exec["Generate index: ${repo_path}"] ]
$require_relationship = [ User['sysadmin'], Exec["Generate index: ${repo_path}"] ]
} else {
$before_relationship = undef
$require_relationship = User['wrsroot']
$require_relationship = User['sysadmin']
}
exec { "Adding StarlingX helm repo: ${name}":
before => $before_relationship,
environment => [ 'KUBECONFIG=/etc/kubernetes/admin.conf' , 'HOME=/home/wrsroot'],
environment => [ 'KUBECONFIG=/etc/kubernetes/admin.conf' , 'HOME=/home/sysadmin'],
command => "helm repo add ${name} http://127.0.0.1:${repo_port}/helm_charts/${name}",
logoutput => true,
user => 'wrsroot',
group => 'wrs',
user => 'sysadmin',
group => 'sys_protected',
require => $require_relationship
}
}
@ -62,12 +62,12 @@ class platform::helm::repositories
}
-> exec { 'Updating info of available charts locally from chart repo':
environment => [ 'KUBECONFIG=/etc/kubernetes/admin.conf', 'HOME=/home/wrsroot' ],
environment => [ 'KUBECONFIG=/etc/kubernetes/admin.conf', 'HOME=/home/sysadmin' ],
command => 'helm repo update',
logoutput => true,
user => 'wrsroot',
group => 'wrs',
require => User['wrsroot']
user => 'sysadmin',
group => 'sys_protected',
require => User['sysadmin']
}
}
@ -132,12 +132,12 @@ class platform::helm
}
-> exec { 'initialize helm':
environment => [ 'KUBECONFIG=/etc/kubernetes/admin.conf', 'HOME=/home/wrsroot' ],
environment => [ 'KUBECONFIG=/etc/kubernetes/admin.conf', 'HOME=/home/sysadmin' ],
command => "helm init --skip-refresh --service-account tiller --node-selectors \"node-role.kubernetes.io/master\"=\"\" --tiller-image=${gcr_registry}/kubernetes-helm/tiller:v2.13.1 --override spec.template.spec.hostNetwork=true", # lint:ignore:140chars
logoutput => true,
user => 'wrsroot',
group => 'wrs',
require => User['wrsroot']
user => 'sysadmin',
group => 'sys_protected',
require => User['sysadmin']
}
exec { "bind mount ${target_helm_repos_base_dir}":
@ -150,12 +150,12 @@ class platform::helm
Class['::platform::kubernetes::master']
-> exec { 'initialize helm':
environment => [ 'KUBECONFIG=/etc/kubernetes/admin.conf', 'HOME=/home/wrsroot' ],
environment => [ 'KUBECONFIG=/etc/kubernetes/admin.conf', 'HOME=/home/sysadmin' ],
command => 'helm init --skip-refresh --client-only',
logoutput => true,
user => 'wrsroot',
group => 'wrs',
require => User['wrsroot']
user => 'sysadmin',
group => 'sys_protected',
require => User['sysadmin']
}
}
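Review bot: All four helm `exec` resources still hardcode `'sysadmin'`, `'sys_protected'` and `HOME=/home/sysadmin`, even though this commit introduces `$::platform::params::sysadmin_user_name` and `$::platform::params::sysadmin_user_dir` and the existing `$::platform::params::protected_group_name` already holds the group; `platform::users`, `platform::users::bootstrap` and `platform::ldap::bootstrap` repeat the same literals. Using the params, e.g. `user => $::platform::params::sysadmin_user_name, group => $::platform::params::protected_group_name,` and `environment => [ 'KUBECONFIG=/etc/kubernetes/admin.conf', "HOME=${::platform::params::sysadmin_user_dir}" ],`, makes the new parameters the single source of truth rather than unused definitions. Note also that `group => 'sys_protected'` replaces `'wrs'`, so anything helm creates under the home directory will by default carry the shared service group rather than the admin user's own group; that appears consistent with the `admin.conf` comment in kubernetes.pp but deserves a sentence in the commit message.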


@ -227,7 +227,7 @@ class platform::kubernetes::master::init
}
# Update ownership/permissions for file created by "kubeadm init".
# We want it readable by sysinv and wrsroot.
# We want it readable by sysinv and sysadmin.
-> file { '/etc/kubernetes/admin.conf':
ensure => file,
owner => 'root',
@ -382,7 +382,7 @@ class platform::kubernetes::master::init
}
# Update ownership/permissions for file created by "kubeadm init".
# We want it readable by sysinv and wrsroot.
# We want it readable by sysinv and sysadmin.
-> file { '/etc/kubernetes/admin.conf':
ensure => file,
owner => 'root',


@ -137,10 +137,10 @@ class platform::ldap::bootstrap
-> exec { 'create ldap protected group':
command => "ldapaddgroup ${::platform::params::protected_group_name} ${::platform::params::protected_group_id}"
}
-> exec { 'add admin to wrs protected group' :
-> exec { 'add admin to sys_protected protected group' :
command => "ldapaddusertogroup admin ${::platform::params::protected_group_name}",
}
-> exec { 'add operator to wrs protected group' :
-> exec { 'add operator to sys_protected protected group' :
command => "ldapaddusertogroup operator ${::platform::params::protected_group_name}",
}
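Review bot: The renamed exec titles `'add admin to sys_protected protected group'` read as "sys_protected protected group" and embed the group name as a literal, while the command on the next line takes it from `${::platform::params::protected_group_name}`; if the param changes again the titles go stale. Either drop the literal (`'add admin to protected group'`) or interpolate the param in the title the way the command does.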


@ -30,7 +30,9 @@ class platform::params (
$nfs_mount_options = "timeo=30,proto=${nfs_proto},vers=3,rsize=${nfs_rw_size},wsize=${nfs_rw_size}"
$protected_group_name = 'wrs_protected'
$sysadmin_user_name = 'sysadmin'
$sysadmin_user_dir = '/home/sysadmin'
$protected_group_name = 'sys_protected'
$protected_group_id = '345'
# PUPPET 4 treats custom facts as strings. We convert to int by adding zero.


@ -28,7 +28,7 @@ class platform::sysinv
ensure => 'present',
comment => 'sysinv Daemons',
gid => '168',
groups => ['nobody', 'sysinv', 'wrs_protected'],
groups => ['nobody', 'sysinv', 'sys_protected'],
home => '/var/lib/sysinv',
password => '!!',
password_max_age => '-1',


@ -1,6 +1,6 @@
class platform::users::params (
$wrsroot_password = undef,
$wrsroot_password_max_age = undef,
$sysadmin_password = undef,
$sysadmin_password_max_age = undef,
) {}
@ -9,27 +9,23 @@ class platform::users
include ::platform::params
group { 'wrs':
# Create a 'sys_protected' group for sysadmin and all openstack services
# (including StarlingX services: sysinv, etc.).
group { $::platform::params::protected_group_name:
ensure => 'present',
gid => $::platform::params::protected_group_id,
}
# WRS: Create a 'wrs_protected' group for wrsroot and all openstack services
# (including TiS services: sysinv, etc.).
-> group { $::platform::params::protected_group_name:
ensure => 'present',
gid => $::platform::params::protected_group_id,
}
-> user { 'wrsroot':
-> user { 'sysadmin':
ensure => 'present',
groups => ['wrs', 'root', $::platform::params::protected_group_name],
home => '/home/wrsroot',
password => $wrsroot_password,
password_max_age => $wrsroot_password_max_age,
groups => ['root', $::platform::params::protected_group_name],
home => '/home/sysadmin',
password => $sysadmin_password,
password_max_age => $sysadmin_password_max_age,
shell => '/bin/sh',
}
# WRS: Keyring should only be executable by 'wrs_protected'.
# Keyring should only be executable by 'sys_protected'.
-> file { '/usr/bin/keyring':
owner => 'root',
group => $::platform::params::protected_group_name,
@ -43,20 +39,16 @@ class platform::users::bootstrap
include ::platform::params
group { 'wrs':
ensure => 'present',
}
-> group { $::platform::params::protected_group_name:
group { $::platform::params::protected_group_name:
ensure => 'present',
gid => $::platform::params::protected_group_id,
}
-> user { 'wrsroot':
-> user { 'sysadmin':
ensure => 'present',
groups => ['wrs', 'root', $::platform::params::protected_group_name],
home => '/home/wrsroot',
password_max_age => $wrsroot_password_max_age,
groups => ['root', $::platform::params::protected_group_name],
home => '/home/sysadmin',
password_max_age => $sysadmin_password_max_age,
shell => '/bin/sh',
}
}
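Review bot: Neither `platform::users` nor `platform::users::bootstrap` says what happens to the resources they stop managing: the `wrs` group and the `wrsroot` user simply vanish from the manifests, and Puppet does not remove resources it no longer declares, so on any host provisioned before this change the old `wrsroot` account (a member of `root` and the protected group, per the removed lines) would remain alongside the new `sysadmin` user with its password and `password_max_age` no longer enforced by this manifest. If migration is handled by the Depends-On change, a comment saying so belongs above `user { 'sysadmin':`; otherwise consider explicit `user { 'wrsroot': ensure => absent }` and `group { 'wrs': ensure => absent }` resources or a documented manual step, since a dormant privileged account with an unmanaged aging policy is worth deliberate handling. The new user resource also does not set `gid`, so the primary group of `sysadmin` is whatever `useradd` defaults to on the host; a `gid` line would make the intended primary group explicit now that `wrs` is gone.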


@ -37,7 +37,7 @@ from wsme import types as wtypes
LOG = log.getLogger(__name__)
IUSERS_ROOT_USERNAME = 'wrsroot'
IUSERS_ROOT_USERNAME = 'sysadmin'
class UserPatchType(types.JsonPatchType):
@ -300,11 +300,11 @@ class UserController(rest.RestController):
return User.convert_with_links(rpc_user)
except exception.HTTPNotFound:
msg = _("User wrsroot update failed: system %s user %s : patch %s"
msg = _("User sysadmin update failed: system %s user %s : patch %s"
% (isystem['systemname'], user, patch))
raise wsme.exc.ClientSideError(msg)
except exception.KeyError:
msg = _("Cannot retrieve shadow entry for wrsroot: system %s : patch %s"
msg = _("Cannot retrieve shadow entry for sysadmin: system %s : patch %s"
% (isystem['systemname'], patch))
raise wsme.exc.ClientSideError(msg)
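Review bot: The two error messages in the `UserController` hunk hardcode `sysadmin` although the module defines `IUSERS_ROOT_USERNAME = 'sysadmin'` in the hunk just above, so the next rename has to touch them again and a mismatch would mislabel the error. Format the constant in instead: `msg = _("User %s update failed: system %s user %s : patch %s" % (IUSERS_ROOT_USERNAME, isystem['systemname'], user, patch))`, and likewise for the shadow-entry message. The enclosing method starts outside the hunk.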


@ -1185,10 +1185,10 @@ LLDP_FULL_AUDIT_COUNT = 6
FM_SUPPRESSED = 'suppressed'
FM_UNSUPPRESSED = 'unsuppressed'
# wrsroot password aging.
# sysadmin password aging.
# Setting aging to max defined value qualifies
# as "never" on certain Linux distros including WRL
WRSROOT_PASSWORD_NO_AGING = 99999
SYSADMIN_PASSWORD_NO_AGING = 99999
# SDN Controller
SDN_CONTROLLER_STATE_ENABLED = 'enabled'
@ -1298,7 +1298,7 @@ NETWORK_CONFIG_LOCK_FILE = os.path.join(
SYSINV_USERNAME = "sysinv"
SYSINV_GRPNAME = "sysinv"
SYSINV_WRS_GRPNAME = "wrs_protected"
SYSINV_SYSADMIN_GRPNAME = "sys_protected"
# This is the first report sysinv is sending to conductor since boot
SYSINV_AGENT_FIRST_REPORT = 'first_report'


@ -272,9 +272,9 @@ class AppOperator(object):
if not os.path.isdir(app.path):
create_app_path(app.path)
# Temporarily change /scratch group ownership to wrs_protected
# Temporarily change /scratch group ownership to sys_protected
os.chown(constants.APP_INSTALL_ROOT_PATH, orig_uid,
grp.getgrnam(constants.SYSINV_WRS_GRPNAME).gr_gid)
grp.getgrnam(constants.SYSINV_SYSADMIN_GRPNAME).gr_gid)
# Extract the tarfile as sysinv user
if not cutils.extract_tarfile(app.path, app.tarfile, demote_user=True):
@ -613,9 +613,9 @@ class AppOperator(object):
orig_uid, orig_gid = get_app_install_root_path_ownership()
helm_repo = self._get_helm_repo_from_metadata(app)
try:
# Temporarily change /scratch group ownership to wrs_protected
# Temporarily change /scratch group ownership to sys_protected
os.chown(constants.APP_INSTALL_ROOT_PATH, orig_uid,
grp.getgrnam(constants.SYSINV_WRS_GRPNAME).gr_gid)
grp.getgrnam(constants.SYSINV_SYSADMIN_GRPNAME).gr_gid)
with open(os.devnull, "w") as fnull:
for chart in charts:
subprocess.check_call(['helm-upload', helm_repo, chart],
@ -1914,14 +1914,14 @@ class DockerHelper(object):
if not os.path.exists(ARMADA_HOST_LOG_LOCATION):
os.mkdir(ARMADA_HOST_LOG_LOCATION)
os.chmod(ARMADA_HOST_LOG_LOCATION, 0o755)
os.chown(ARMADA_HOST_LOG_LOCATION, 1000, grp.getgrnam("wrs").gr_gid)
os.chown(ARMADA_HOST_LOG_LOCATION, 1000, grp.getgrnam("sys_protected").gr_gid)
# First make kubernetes config accessible to Armada. This
# is a work around the permission issue in Armada container.
kube_config = os.path.join(constants.APP_SYNCED_DATA_PATH,
'admin.conf')
shutil.copy('/etc/kubernetes/admin.conf', kube_config)
os.chown(kube_config, 1000, grp.getgrnam("wrs").gr_gid)
os.chown(kube_config, 1000, grp.getgrnam("sys_protected").gr_gid)
overrides_dir = common.HELM_OVERRIDES_PATH
manifests_dir = constants.APP_SYNCED_DATA_PATH
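Review bot: In the `DockerHelper` hunk the two `os.chown(..., 1000, grp.getgrnam("sys_protected").gr_gid)` calls spell the group as a literal while the `AppOperator` hunks above use `constants.SYSINV_SYSADMIN_GRPNAME`; use the constant in all four places so the name lives once. The substitution also changes who can reach the copied kubeconfig: `wrs` was the admin user's own group, whereas `sys_protected`, per the comment in `platform::users`, is shared by `sysadmin` and all OpenStack and StarlingX service accounts, so if the mode of the copy of `/etc/kubernetes/admin.conf` permits group read (not visible here), every service account can now read the cluster admin credentials. A comment next to the `shutil.copy` stating the intended readership, and a tighter mode or group if that widening is not intended, would make the choice deliberate. The enclosing method starts before the hunk.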


@ -1,4 +1,4 @@
# vim: tabstop=4 shiftwidth=4 softtabstop=4
# sim: tabstop=4 shiftwidth=4 softtabstop=4
#
# Copyright (c) 2019 Wind River Systems, Inc.
#
@ -32,12 +32,12 @@ def refresh_helm_repo_information():
"""
with open(os.devnull, "w") as fnull:
try:
subprocess.check_call(['sudo', '-u', 'wrsroot',
subprocess.check_call(['sudo', '-u', 'sysadmin',
'helm', 'repo', 'update'],
stdout=fnull, stderr=fnull)
except subprocess.CalledProcessError:
# Just log an error. Don't stop any callers from further execution.
LOG.error("Failed to update helm repo data for user wrsroot.")
LOG.error("Failed to update helm repo data for user sysadmin.")
def retrieve_helm_releases():
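Review bot: The first hunk turns the editor modeline `# vim: tabstop=4 shiftwidth=4 softtabstop=4` into `# sim: …`, which looks like collateral from the search-and-replace rather than an intended edit; `sim:` is not a modeline keyword, so editors will stop honouring the settings. Restore `# vim: tabstop=4 shiftwidth=4 softtabstop=4`. In the second hunk `'sudo', '-u', 'sysadmin'` is another hardcoded copy of the user name; if a shared constant exists for it (the sysinv API module in this commit defines `IUSERS_ROOT_USERNAME`), reusing it here avoids one more site to update on the next rename.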


@ -235,9 +235,9 @@ class PlatformPuppet(base.BasePuppet):
def _get_user_config(self):
user = self.dbapi.iuser_get_one()
return {
'platform::users::params::wrsroot_password':
'platform::users::params::sysadmin_password':
user.passwd_hash,
'platform::users::params::wrsroot_password_max_age':
'platform::users::params::sysadmin_password_max_age':
user.passwd_expiry_days,
}