From 77a07ffca10bdcf23b424c5d6d08739ad3541e55 Mon Sep 17 00:00:00 2001 From: mhuin Date: Fri, 19 Jan 2018 16:31:49 +0100 Subject: [PATCH] role: Inject public keys in case of failure Add a role that injects given public keys on a build's node set if the build fails. This is intended to be used with zuul's `autohold` command so that privileged users can SSH into the node set without having to use Zuul's ansible user's private key. Change-Id: I963e82f32a99cacea663792049cb39453e776ece --- roles/add-authorized-keys/README.rst | 36 +++++++++++++++++++++++ roles/add-authorized-keys/tasks/main.yaml | 7 +++++ 2 files changed, 43 insertions(+) create mode 100644 roles/add-authorized-keys/README.rst create mode 100644 roles/add-authorized-keys/tasks/main.yaml
diff --git a/roles/add-authorized-keys/README.rst b/roles/add-authorized-keys/README.rst
new file mode 100644
index 000000000..77ba74e3e
--- /dev/null
+++ b/roles/add-authorized-keys/README.rst
@@ -0,0 +1,36 @@
+Install SSH public key(s) on all hosts
+
+This role is intended to be run at the end of a failed job for which the build
+node set will be held with zuul's `autohold` command.
+
+It copies the public key(s) into the authorized_keys file of every host in the
+inventory, allowing privileged users to access the node set for debugging or
+post-mortem analysis.
+
+Add this stanza at the end of your project's base post playbook to activate this
+functionality:
+
+.. code-block:: yaml
+
+ - hosts: all
+ roles:
+ - role: add-authorized-keys
+ public_keys:
+ - public_key: ssh-rsa AAAAB... venkman@parapsy.columbia.edu
+ - public_key: ssh-rsa AAAAB... spengler@parapsy.columbia.edu
+ when: not zuul_success | bool
+
+.. caution::
+ Including this role earlier in any playbook may allow the keys' owners to
+ tamper with the execution of the jobs. It is strongly advised against doing
+ so.
+
+**Role Variables**
+
+.. zuul:rolevar:: ssh_public_keys
+
+ A list of keys to inject.
+
+ .. zuul:rolevar:: public_key
+
+ A public key to inject into authorized_keys, or a URL to a public key.
diff --git a/roles/add-authorized-keys/tasks/main.yaml b/roles/add-authorized-keys/tasks/main.yaml
new file mode 100644
index 000000000..3abe0fc2b
--- /dev/null
+++ b/roles/add-authorized-keys/tasks/main.yaml
@@ -0,0 +1,7 @@
+- name: Enable access via build key on all nodes
+ authorized_key:
+ user: "{{ ansible_ssh_user }}"
+ state: present
+ key: "{{ item.public_key }}"
+ with_items:
+ - "{{ public_keys }}"
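Review bot: The task in tasks/main.yaml reads `public_keys`, while the README's rolevar entry documents the variable as `ssh_public_keys` (its example stanza uses `public_keys`), so a user following the variable reference will set a name the task never reads and no keys get installed; make the rolevar name match the task. The loop wraps the list in a one-item list, `with_items: - "{{ public_keys }}"`, which only works because with_items flattens one level — `with_items: "{{ public_keys }}"` says what is meant. `ansible_ssh_user` appears to be the older spelling of `ansible_user`; if the targeted Ansible still honours it, a short comment saying so would save the next reader a check, otherwise use `user: "{{ ansible_user }}"`. Because the README allows `public_key` to be a URL, the installed key is whatever that URL serves at the moment the failed job's post playbook runs, so the variable documentation should say that URL keys must be fetched over a trusted (https) source, and a task-level `when: public_keys is defined` would keep a missing variable from turning a held-node debug step into a second failure.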