Add a fas-client setup task. Add a common-scripts task. Setup arm-releng/arm-qa groups to use them.

2013-04-12 17:44:53 +00:00 · 2013-04-12 17:44:53 +00:00 · 89e3c725e4
commit 89e3c725e4
parent 9259cadfc5
11 changed files with 366 additions and 0 deletions
--- a/files/common-scripts/lock-wrapper.sh
+++ b/files/common-scripts/lock-wrapper.sh
@ -0,0 +1,41 @@
+#!/bin/bash
+
+if [ $# -lt 2 ]; then
+    echo "Usage: $0 [name] [script]"
+    exit 1;
+fi
+
+NAME=$1
+SCRIPT=$2
+
+LOCKDIR="/var/tmp/$NAME"
+PIDFILE="$LOCKDIR/pid"
+
+function cleanup {
+    rm -rf "$LOCKDIR"
+}
+
+RESTORE_UMASK=$(umask -p)
+umask 0077
+if ! mkdir "$LOCKDIR"; then
+    echo "$LOCKDIR already exists"
+    PID=$(cat "$PIDFILE")
+    if [ -n "$PID" ] && /bin/ps $PID > /dev/null
+    then
+        echo "$PID is still running"
+        /bin/ps -o user,pid,start,time,comm $PID
+        exit 1;
+    else
+        echo "$LOCKDIR exists but $PID is dead"
+        echo "Removing lockdir and re-running"
+        /bin/rm -rf $LOCKDIR
+        mkdir $LOCKDIR || exit
+    fi
+fi
+
+trap cleanup EXIT SIGQUIT SIGHUP SIGTERM
+echo $$ > "$PIDFILE"
+
+$RESTORE_UMASK
+eval "$SCRIPT"
+
--- a/files/common-scripts/nag-once
+++ b/files/common-scripts/nag-once
@ -0,0 +1,108 @@
+#!/usr/bin/python -tt
+# nag once
+# take stdin and arguments: commandid time-to-ignore-same-output
+# if we encounter any kind of error just output whatever we're given
+# and prepend our own errors
+# so we don't hurt things any worse :)
+# copyright (c) 2011 Red Hat, inc
+# gpl v2 blah blah
+# skvidal - skvidal@fedoraproject.org 
+
+import tempfile
+import sys
+import time
+import os
+import stat
+import glob
+
+
+def translate_tti(tti):
+    # translate 1w, 2d, 3d, 1m, 2h, 55m etc to seconds here
+    
+    if tti is None:
+        return None
+        
+    seconds_per_unit = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800,}
+    if tti.isdigit():# just seconds
+        return int(tti) 
+    return int(tti[:-1]) * seconds_per_unit[tti[-1]]
+
+    
+
+def get_cmdid_dir(cmdid):
+    """return a path to a valid and safe cachedir"""
+    tmpdir="/var/tmp"
+    prefix = "nag-once:" + cmdid + "#"
+    dirpath = '%s/%s*' % (tmpdir, prefix)
+    cachedirs = sorted(glob.glob(dirpath))
+    for thisdir in cachedirs:
+        stats = os.lstat(thisdir)
+        if stat.S_ISDIR(stats[0]) and stat.S_IMODE(stats[0]) == 448 and stats[4] == os.getuid():
+            return thisdir
+
+    # make the dir (tempfile.mkdtemp())
+    cachedir = tempfile.mkdtemp(prefix=prefix, dir=tmpdir)
+    return cachedir
+
+
+    
+def main():
+    
+    if len(sys.argv) < 2:
+        raise Exception("Usage: nag-once cmdid [time-to-ignore]")
+    
+    cmdid = sys.argv[1]
+    # go through and remove stupid shit from cmdid
+    cmdid = cmdid.replace('/', '')
+    cmdid = cmdid.replace('#', '')
+    cmdid = cmdid.replace('..', '')
+    cmdid = cmdid.replace(';', '')
+    cmdid = cmdid.replace('|', '')
+    cmdid = cmdid.replace('&', '')
+    cmdid = cmdid.replace('\\', '')
+
+    now = time.time()
+    tti = None
+    if len(sys.argv) > 2:
+        tti = sys.argv[2]
+    
+    tti = translate_tti(tti)
+    
+    # make up or find our tempdir
+    mydir = get_cmdid_dir(cmdid)
+
+    old_output = None
+    old_date = 0
+    if os.path.exists(mydir + '/output'):
+        old_output = open(mydir + '/output').read()
+        old_date = os.lstat(mydir + '/output')[stat.ST_MTIME]
+            
+    # take from stdin
+    # 
+    theinput = sys.stdin.read()
+    try:
+        # at this point we have to handle any outputs more ourself b/c we've just read
+        # out of sys.stdin :(
+        
+        if theinput != old_output or (tti and now - old_date > tti):
+            if theinput.strip(): # if there is nothing here, don't output and don't drop a \n on the end of it
+                 print theinput,
+            fo = open(mydir + '/output', 'w')
+            fo.write(theinput)
+            fo.flush()
+            fo.close()
+        
+        
+    except Exception, e:
+        print >> sys.stderr, e
+        print >> sys.stderr, theinput
+
+if __name__ == '__main__':
+    try:
+        main()
+    except Exception, e:
+        print >> sys.stderr, e
+        if not sys.stdin.isatty():
+            print >> sys.stderr, sys.stdin.read()
+
+
--- a/files/fas-client/fas-client.cron
+++ b/files/fas-client/fas-client.cron
@ -0,0 +1 @@
+*/10 * * * * root /usr/local/bin/lock-wrapper fasClient "/bin/sleep $(($RANDOM \% 180)); /usr/bin/fasClient -i | /usr/local/bin/nag-once fassync 1d 2>&1"
--- a/files/fas-client/fas.conf.j2
+++ b/files/fas-client/fas.conf.j2
@ -0,0 +1,102 @@
+[global]
+; url - Location to fas server
+url = https://admin.fedoraproject.org/accounts/
+
+; temp - Location to generate files while user creation process is happening
+temp = /var/db
+
+{% if ansible_domain == 'qa.fedoraproject.org' %}
+; Eventually, no box should use systems user to fasClient.  systems has access
+; to password hashes.  But password hashes are needed for sudo unless the box
+; uses pam_url
+; login - username to contact fas
+login = systems
+
+; password - password for login name
+password = {{ systemsUserPassword }}
+{% else %}
+; login - username to contact fas
+login = {{ fedorathirdpartyUser }}
+
+; password - password for login name
+password = {{ fedorathirdpartyPassword }}
+{% endif %}
+; prefix - install to a location other than /
+prefix = /
+
+; modefile - Location of a file containing saved home directory modes
+modefile = /var/lib/fas/client_dir_perms
+
+; cla_group - Group for CLA requirements
+cla_group = cla_done
+
+[host]
+; Group hierarchy is 1) groups, 2) restricted_groups 3) ssh_restricted_groups
+; so if someone is in all 3, the client behaves the same as if they were just
+; in 'groups'
+
+; groups that should have a shell account on this system.
+{% if fas_client_groups %}
+groups = {{ fas_client_groups }}
+{% else %}
+groups = "sysadmin-main"
+{% endif %}
+
+; groups that should have a restricted account on this system.
+; restricted accounts use the restricted_shell value in [users]
+restricted_groups =
+
+; ssh_restricted_groups: groups that should be restricted by ssh key.  You will
+; need to disable password based logins in order for this value to have any
+; security meaning.  Group types can be placed here as well, for example
+; @hg,@git,@svn
+{% if fas_client_ssh_groups %}
+ssh_restricted_groups = {{ fas_client_ssh_groups }}
+{% else %}
+ssh_restricted_groups = 
+{% endif %}
+
+; aliases_template: Gets prepended to the aliases file when it is generated by
+; fasClient
+aliases_template = /etc/aliases.template
+
+[users]
+; default shell given to people in [host] groups
+shell = /bin/bash
+
+; home - the location for fas user home dirs
+home = /home/fedora
+
+; home_backup_dir - Location home dirs should get moved to when a user is
+; deleted this location should be tmpwatched
+home_backup_dir = /home/fedora.bak
+
+; ssh_restricted_app - This is the path to the restricted shell script.  It
+; will not work automatically for most people though through alterations it
+; is a powerfull way to restrict access to a machine.  An alternative example
+; could be given to people who should only have cvs access on the machine.
+; setting this value to "/usr/bin/cvs server" would do this.
+{% if fas_client_restricted_app %}
+ssh_restricted_app = {{ fas_client_restricted_app }}
+{% else %}
+ssh_restricted_app = 
+{% endif %}
+
+; ssh_admin_app - This is the path to an app that an admin is allowed to use.
+{% if fas_client_admin_app %}
+ssh_admin_app = {{ fas_client_admin_app }}
+{% else %}
+ssh_admin_app = 
+{% endif %}
+
+; restricted_shell - The shell given to users in the ssh_restricted_groups
+restricted_shell = /sbin/nologin
+
+; ssh_restricted_shell - The shell given to users in the ssh_restricted_groups
+ssh_restricted_shell = /bin/bash
+
+; ssh_key_options - Options to be appended to people ssh keys.  Users in the
+; ssh_restricted_groups will have the keys they uploaded altered when they are
+; installed on this machine, appended with the options below.
+ssh_key_options = no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty
+
--- a/inventory/group_vars/arm-qa
+++ b/inventory/group_vars/arm-qa
@ -0,0 +1 @@
+fas_client_groups: "sysadmin-main,sysadmin-qa"
--- a/inventory/group_vars/arm-releng
+++ b/inventory/group_vars/arm-releng
@ -0,0 +1 @@
+fas_client_groups: "sysadmin-main,sysadmin-releng"
--- a/inventory/inventory
+++ b/inventory/inventory
@ -1,3 +1,11 @@
+[arm-releng]
+arm03-releng01.arm.fedoraproject.org
+arm03-releng02.arm.fedoraproject.org
+arm03-releng03.arm.fedoraproject.org
+arm03-releng04.arm.fedoraproject.org
+
+[arm-qa]
+arm03-builder05.arm.fedoraproject.org

 [buildvm]
 buildvm-01.phx2.fedoraproject.org
--- a/playbooks/groups/arm-qa.yml
+++ b/playbooks/groups/arm-qa.yml
@ -0,0 +1,17 @@
+
+- name: Setup arm-qa hosts
+  hosts: arm-qa
+  user: root
+  gather_facts: False
+  tags:
+   - arm-qa
+
+  vars_files:
+   - /srv/web/infra/ansible/vars/global.yml
+   - ${private}/vars.yml
+
+  tasks:
+  # This group uses fas_client for user management
+  - include: $tasks/fas_client.yml
+  # This group includes our common scripts
+  - include: $tasks/common_scripts.yml
--- a/playbooks/groups/arm-releng.yml
+++ b/playbooks/groups/arm-releng.yml
@ -0,0 +1,17 @@
+
+- name: Setup arm-releng hosts
+  hosts: arm-releng
+  user: root
+  gather_facts: False
+  tags:
+   - arm-releng
+
+  vars_files:
+   - /srv/web/infra/ansible/vars/global.yml
+   - ${private}/vars.yml
+
+  tasks:
+  # This group uses fas_client for user management
+  - include: $tasks/fas_client.yml
+  # This group includes our common scripts
+  - include: $tasks/common_scripts.yml
--- a/tasks/common_scripts.yml
+++ b/tasks/common_scripts.yml
@ -0,0 +1,11 @@
+---
+#
+# This task installs some common scripts to /usr/local/bin
+# scripts are under $files/common-scripts
+#
+
+- name: Install common scripts
+  action: copy src=$item dest=/usr/local/bin/
+  with_fileglob: $files/common-scripts/*
+  tags:
+  - config
--- a/tasks/fas_client.yml
+++ b/tasks/fas_client.yml
@ -0,0 +1,59 @@
+---
+#
+# This task sets up fasClient on a machine. 
+# It installs the fas-clients package, then the /etc/fas.conf and finally a cron job update.
+#
+
+#
+# fas-clients is in the infrastructure repo. 
+# nss_db is needed to store user/group info.
+#
+- name: install package needed for fas-client
+  action: yum state=installed name=$item
+  with_items:
+  - fas-clients
+  tags:
+  - packages
+
+- name: install nss_db on rhel hosts only
+  action: yum state=installed name=nss_db
+  only_if: "'${ansible_distribution}' == 'RedHat'"
+  tags:
+  - packages
+
+#
+# fasClients needs a valid /etc/fas.conf. 
+# There's vars used in this template: 
+#
+# fas_client_groups = "sysadmin-main"
+# fas_client_restricted_app = ""
+# fas_client_admin_app = ""
+# fas_client_ssh_groups = ""
+#
+# if desired, set them on a per host/group basis. 
+#
+# Currently the default template is used, but could be modified on a host basis. 
+#
+- name: setup /etc/fas.conf for client use
+  action: template src=$item dest=/etc/fas.conf owner=root mode=600
+  with_first_found:
+  - $files/fas-client/${ansible_fqdn}.fas.conf.j2
+  - $files/fas-client/${ansible_hostname}.fas.conf.j2
+  - $files/fas-client/${ansible_hostname}.fas.conf.j2
+  - $files/fas-client/fas.conf.j2
+  tags:
+  - config
+
+#
+# setup /etc/cron.d/ file to run sync every 10min
+# TODO: use cron module when it's fixed
+#
+#- name: fas_client cron job
+#  cron: name="fas client" user=root cron_file=fas-client minute="*/10" job="/usr/bin/fasClient -i"
+#  tags:
+#  - config
+#
+ - name: fas_client cron job
+   action: copy src=$files/fas-client/fas-client.cron dest=/etc/cron.d/fas-client owner=root mode=700
+   tags:
+   - config
				`@ -0,0 +1 @@`
				`/10 * * * root /usr/local/bin/lock-wrapper fasClient "/bin/sleep $(($RANDOM \% 180)); /usr/bin/fasClient -i \| /usr/local/bin/nag-once fassync 1d 2>&1"`
				`@ -0,0 +1 @@`
				`fas_client_groups: "sysadmin-main,sysadmin-qa"`