Drive/drive-ops
7
0
Fork 0
Code Issues Pull requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: Drive:5d88e663795e3d8d83fd8fb298411f0612549779
Branches Tags
Drive:main
..
compare: Drive:028ba3d60872c4147953082f8da08a0a8c3762be
Branches Tags
Drive:main

13 commits
5d88e66379 ... 028ba3d608

Author SHA1 Message Date
Patrik Holmqvist 028ba3d608
Merge pull request #56 from SUNET/pahol-fix-noble-eyaml 
patch for broken eyaml in ubuntu24.04.
 2024-09-10 13:16:19 +02:00
Patrik Holmqvist 7941e3f970
Merge the 2 patch functions to 1. 2024-09-09 17:29:31 +02:00
Patrik Holmqvist fac9a556ba
Patch for broken eyaml in ubuntu24.04. 2024-09-09 16:52:38 +02:00
Patrik Lundin 770a5ca3cc
Merge pull request #55 from SUNET/patlu-fleetlock-lock-timeouts 
fleetlock: configurable lock/unlock timeout
 2024-07-04 13:07:34 +02:00
Patrik Lundin aa88795ee0
sunet-fleetlock: also handle ReadTimeout 
Turns out this was not caught by ConnectionError.
 2024-07-03 14:13:22 +02:00
Patrik Lundin 01768129f0
fleetlock: configurable lock/unlock timeout 
While we already support setting a healthcheck timeout it probably
makes sense to be able to control how long we wait for a
fleetlock_lock() or fleetlock_unlock() call. This becomes important if
only running cosmos once a night or something like that. In that case we
you probably want to give a physical machine more than than 1 minute to
complete a reboot etc.

This can now be controlled by setting fleetlock_lock_timeout and
fleetlock_unlock_timeout in /etc/run-cosmos-fleetlock-conf. Keep in mind
that while it can make sense to increase the time for taking a lock,
releasing a lock should always be fast (either you have it and release
it, or you dont have it and it is a no-op) so setting a long unlock
timeout should probably never be done.

Since we also potentially wait the unlock timeout at boot (if the
fleetlock server is broken etc) that is another reason to keep it
short. The default 1m is probably OK for most uses.
 2024-07-03 13:27:52 +02:00
Patrik Lundin 443611dd3f
Merge pull request #49 from SUNET/john-permissions-fix 
Enforce more strict permissions for files in Cosmos
 2024-07-03 11:36:21 +02:00
Johan Wassberg 5518048d79
Merge pull request #54 from SUNET/pahol-ubuntu24 
Ubuntu-24 fixes
 2024-06-19 15:07:17 +02:00
Patrik Holmqvist 4231b4ac1d
Migrate from legacy fact 
This did not work on modern puppet in ubuntu24:
Warning: Interpolation failed with '::lsbdistcodename', but compilation continuing;
New syntax inspiration from:
https://www.puppet.com/docs/puppet/8/hiera_config_yaml_5#configuring_hiera
 2024-06-19 14:07:13 +02:00
Patrik Holmqvist bc9d1dc960
Use upstream puppet modules for ubuntu24+. 
This is how we do it in modern debian so it
makes sense to do it on modern ubuntu as well.
 2024-06-19 14:02:24 +02:00
John Van de Meulebrouck Brendgard 8d4ce2d1b7
Make sure that COSMOS_BASE is only readable 
by root since it's possible that the directory
can contain files that after applying the
overlay to / only should be read or writable
by root.
 2023-11-17 15:03:47 +01:00
John Van de Meulebrouck Brendgard 75e566ab61
Make sure that /root in overlay is owned by root 
as well as that /root/.ssh and its content is
only owned and readable by root. This is redundant
if the previous permissions were properly applied
and no other changes have been made by the user
or something else, but is added for good measure
as a layered defense.
 2023-11-17 14:58:51 +01:00
John Van de Meulebrouck Brendgard ca353ed406
Set same permissions for /root/.ssh/authorized_keys 
in post-tasks.d/010fix-ssh-perms as is done by
Puppet with sunet::ssh_keys.
 2023-11-17 13:50:02 +01:00
9 changed files with 112 additions and 11 deletions
Show stats Expand all files Collapse all files

33
edit-secrets
View file

@ -67,6 +67,39 @@ function patch_broken_eyaml {
next if @@plugins.include? spec next if @@plugins.include? spec
dependency = spec.dependencies.find { |d| d.name == "hiera-eyaml" } dependency = spec.dependencies.find { |d| d.name == "hiera-eyaml" }
EOF
fi
fi
fi
#
# Ubuntu 24.04 (noble) has a hiera-eyaml version that is incompatible with ruby 3.2+ (default in ubuntu24).
# This is fixed in hiera-eyaml version 3.3.0: https://github.com/voxpupuli/hiera-eyaml/pull/340/files
# https://github.com/voxpupuli/hiera-eyaml/blob/master/CHANGELOG.md
# But there is no modern version of hiera-eyaml packaged in debian or ubuntu.
# https://github.com/puppetlabs/puppet/wiki/Puppet-8-Compatibility#filedirexists-removed
#
. /etc/os-release
if [ "${VERSION_CODENAME}" == "noble" ]; then
plugins_file="/usr/share/rubygems-integration/all/gems/hiera-eyaml-3.3.0/lib/hiera/backend/eyaml/subcommands/edit.rb"
if [ -f $plugins_file ]; then
# We only want to try patching the file if it is the known broken version
bad_sum="59c6eb910ab2eb44f8c75aeaa79bff097038feb673b5c6bdccde23d9b2a393e2"
sum=$(sha256sum $plugins_file | awk '{print $1}')
if [ "$sum" == "$bad_sum" ]; then
patch --fuzz=0 --directory=/ --strip=0 <<'EOF'
--- /usr/share/rubygems-integration/all/gems/hiera-eyaml-3.3.0/lib/hiera/backend/eyaml/subcommands/edit.rb.orig 2022-06-11 16:30:10.000000000 +0000
+++ /usr/share/rubygems-integration/all/gems/hiera-eyaml-3.3.0/lib/hiera/backend/eyaml/subcommands/edit.rb 2024-09-09 14:13:19.306342025 +0000
@@ -59,7 +59,7 @@
Optimist::die "You must specify an eyaml file" if ARGV.empty?
options[:source] = :eyaml
options[:eyaml] = ARGV.shift
- if File.exists? options[:eyaml]
+ if File.exist? options[:eyaml]
begin
options[:input_data] = File.read options[:eyaml]
rescue
EOF EOF
fi fi
fi fi

2
global/overlay/etc/puppet/hiera.yaml
View file

@ -21,7 +21,7 @@ hierarchy:
pkcs7_public_key: /etc/hiera/eyaml/public_certkey.pkcs7.pem pkcs7_public_key: /etc/hiera/eyaml/public_certkey.pkcs7.pem
- name: "Overrides per distribution" - name: "Overrides per distribution"
path: "dist_%{::lsbdistcodename}_override.yaml" path: "dist_%{facts.os.distro.codename}_override.yaml"
- name: "Data common to whole environment" - name: "Data common to whole environment"
path: "common.yaml" path: "common.yaml"

14
global/overlay/usr/local/bin/run-cosmos
View file

@ -67,14 +67,19 @@ fleetlock_lock() {
# called. # called.
fleetlock_enable_unlock_service || return 1 fleetlock_enable_unlock_service || return 1
local fleetlock_group="" local fleetlock_group=""
local optional_args=()
# shellcheck source=/dev/null # shellcheck source=/dev/null
. $FLEETLOCK_CONFIG || return 1 . $FLEETLOCK_CONFIG || return 1
if [ -z "$fleetlock_group" ]; then if [ -z "$fleetlock_group" ]; then
echo "Unable to set fleetlock_group" echo "Unable to set fleetlock_group"
return 1 return 1
fi fi
if [ -n "$fleetlock_lock_timeout" ]; then
optional_args+=("--timeout")
optional_args+=("$fleetlock_lock_timeout")
fi
echo "Getting fleetlock lock" echo "Getting fleetlock lock"
$FLEETLOCK_TOOL --lock-group "$fleetlock_group" --lock || return 1 $FLEETLOCK_TOOL --lock-group "$fleetlock_group" --lock "${optional_args[@]}" || return 1
fi fi
return 0 return 0
} }
@ -82,15 +87,20 @@ fleetlock_lock() {
fleetlock_unlock() { fleetlock_unlock() {
if [ ! -f $FLEETLOCK_DISABLE_FILE ] && [ -f $FLEETLOCK_CONFIG ] && [ -x $FLEETLOCK_TOOL ]; then if [ ! -f $FLEETLOCK_DISABLE_FILE ] && [ -f $FLEETLOCK_CONFIG ] && [ -x $FLEETLOCK_TOOL ]; then
local fleetlock_group="" local fleetlock_group=""
local optional_args=()
# shellcheck source=/dev/null # shellcheck source=/dev/null
. $FLEETLOCK_CONFIG || return 1 . $FLEETLOCK_CONFIG || return 1
if [ -z "$fleetlock_group" ]; then if [ -z "$fleetlock_group" ]; then
echo "Unable to set fleetlock_group" echo "Unable to set fleetlock_group"
return 1 return 1
fi fi
if [ -n "$fleetlock_unlock_timeout" ]; then
optional_args+=("--timeout")
optional_args+=("$fleetlock_unlock_timeout")
fi
machine_is_healthy || return 1 machine_is_healthy || return 1
echo "Releasing fleetlock lock" echo "Releasing fleetlock lock"
$FLEETLOCK_TOOL --lock-group "$fleetlock_group" --unlock || return 1 $FLEETLOCK_TOOL --lock-group "$fleetlock_group" --unlock "${optional_args[@]}" || return 1
fi fi
return 0 return 0
} }

5
global/overlay/usr/local/bin/sunet-fleetlock
View file

@ -97,7 +97,10 @@ def do_fleetlock_request(
timeout=args.request_timeout, timeout=args.request_timeout,
auth=("", config[args.lock_group]["password"]), auth=("", config[args.lock_group]["password"]),
) )
except requests.exceptions.ConnectionError as e: except (
requests.exceptions.ConnectionError,
requests.exceptions.ReadTimeout,
) as e:
print(f"POST request failed: {e}") print(f"POST request failed: {e}")
time.sleep(retry_sleep_delay) time.sleep(retry_sleep_delay)
continue continue

4
global/post-tasks.d/010fix-ssh-perms
View file

@ -17,7 +17,7 @@ if test -f /root/.ssh/authorized_keys; then
if test `stat -t /root/.ssh/authorized_keys | cut -d\ -f5` != 0; then if test `stat -t /root/.ssh/authorized_keys | cut -d\ -f5` != 0; then
chown root.root /root/.ssh/authorized_keys chown root.root /root/.ssh/authorized_keys
fi fi
if test `stat --printf=%a /root/.ssh/authorized_keys` != 600; then if test `stat --printf=%a /root/.ssh/authorized_keys` != 440; then
chmod 600 /root/.ssh/authorized_keys chmod 440 /root/.ssh/authorized_keys
fi fi
fi fi

24
global/post-tasks.d/014set-cosmos-permissions Executable file
View file

@ -0,0 +1,24 @@
#!/bin/sh
#
# Set Cosmos directory permissions so that
# the files cannot be read by anyone but root,
# since it's possible that the directory
# can contain files that after applying the
# overlay to / only should be read or writable
# by root.
set -e
self=$(basename "$0")
if ! test -d "$COSMOS_BASE"; then
test -z "$COSMOS_VERBOSE" || echo "$self: COSMOS_BASE was not found. Aborting change of permissions."
exit 0
fi
args=""
if [ "x$COSMOS_VERBOSE" = "xy" ]; then
args="-v"
fi
chown ${args} root:root "$COSMOS_BASE"
chmod ${args} 750 "$COSMOS_BASE"

24
global/pre-tasks.d/014set-cosmos-permissions Executable file
View file

@ -0,0 +1,24 @@
#!/bin/sh
#
# Set Cosmos directory permissions so that
# the files cannot be read by anyone but root,
# since it's possible that the directory
# can contain files that after applying the
# overlay to / only should be read or writable
# by root.
set -e
self=$(basename "$0")
if ! test -d "$COSMOS_BASE"; then
test -z "$COSMOS_VERBOSE" || echo "$self: COSMOS_BASE was not found. Aborting change of permissions."
exit 0
fi
args=""
if [ "x$COSMOS_VERBOSE" = "xy" ]; then
args="-v"
fi
chown ${args} root:root "$COSMOS_BASE"
chmod ${args} 750 "$COSMOS_BASE"

9
global/pre-tasks.d/015set-overlay-permissions
View file

@ -14,10 +14,17 @@ if ! test -d "$MODEL_OVERLAY"; then
exit 0 exit 0
fi fi
if [ -d "$MODEL_OVERLAY/root" ]; then
args="" args=""
if [ "x$COSMOS_VERBOSE" = "xy" ]; then if [ "x$COSMOS_VERBOSE" = "xy" ]; then
args="-v" args="-v"
fi fi
if [ -d "$MODEL_OVERLAY/root" ]; then
chown ${args} root:root "$MODEL_OVERLAY"/root
chmod ${args} 0700 "$MODEL_OVERLAY"/root chmod ${args} 0700 "$MODEL_OVERLAY"/root
fi fi
if [ -d "$MODEL_OVERLAY/root/.ssh" ]; then
chown ${args} -R root:root "$MODEL_OVERLAY"/root/.ssh
chmod ${args} 0700 "$MODEL_OVERLAY"/root/.ssh
fi

2
global/pre-tasks.d/030puppet
View file

@ -13,7 +13,7 @@ if ! test -f "${stamp}" -a -f /usr/bin/puppet; then
. /etc/os-release . /etc/os-release
# Note: in posix shell, string comparison is done with a single = # Note: in posix shell, string comparison is done with a single =
if [ "${ID}" = "debian" ] && [ "${VERSION_ID}" -ge 12 ]; then if [ "${ID}" = "debian" ] && [ "${VERSION_ID}" -ge 12 ] || ([ "${ID}" = "ubuntu" ] && $(dpkg --compare-versions ${VERSION_ID} ge 24.04)) ; then
apt-get -y install \ apt-get -y install \
cron \ cron \
puppet-module-camptocamp-augeas \ puppet-module-camptocamp-augeas \