Merge remote-tracking branch 'multiverse/main'

Patrik Lundin 2024-07-05 10:59:29 +02:00
commit ac83234433
Signed by: patlu
GPG key ID: A0A812BA2249F294
6 changed files with 77 additions and 9 deletions


@ -67,14 +67,19 @@ fleetlock_lock() {
# called. # called.
fleetlock_enable_unlock_service || return 1 fleetlock_enable_unlock_service || return 1
local fleetlock_group="" local fleetlock_group=""
local optional_args=()
# shellcheck source=/dev/null # shellcheck source=/dev/null
. $FLEETLOCK_CONFIG || return 1 . $FLEETLOCK_CONFIG || return 1
if [ -z "$fleetlock_group" ]; then if [ -z "$fleetlock_group" ]; then
echo "Unable to set fleetlock_group" echo "Unable to set fleetlock_group"
return 1 return 1
fi fi
if [ -n "$fleetlock_lock_timeout" ]; then
optional_args+=("--timeout")
optional_args+=("$fleetlock_lock_timeout")
fi
echo "Getting fleetlock lock" echo "Getting fleetlock lock"
$FLEETLOCK_TOOL --lock-group "$fleetlock_group" --lock || return 1 $FLEETLOCK_TOOL --lock-group "$fleetlock_group" --lock "${optional_args[@]}" || return 1
fi fi
return 0 return 0
} }
@ -82,15 +87,20 @@ fleetlock_lock() {
fleetlock_unlock() { fleetlock_unlock() {
if [ ! -f $FLEETLOCK_DISABLE_FILE ] && [ -f $FLEETLOCK_CONFIG ] && [ -x $FLEETLOCK_TOOL ]; then if [ ! -f $FLEETLOCK_DISABLE_FILE ] && [ -f $FLEETLOCK_CONFIG ] && [ -x $FLEETLOCK_TOOL ]; then
local fleetlock_group="" local fleetlock_group=""
local optional_args=()
# shellcheck source=/dev/null # shellcheck source=/dev/null
. $FLEETLOCK_CONFIG || return 1 . $FLEETLOCK_CONFIG || return 1
if [ -z "$fleetlock_group" ]; then if [ -z "$fleetlock_group" ]; then
echo "Unable to set fleetlock_group" echo "Unable to set fleetlock_group"
return 1 return 1
fi fi
if [ -n "$fleetlock_unlock_timeout" ]; then
optional_args+=("--timeout")
optional_args+=("$fleetlock_unlock_timeout")
fi
machine_is_healthy || return 1 machine_is_healthy || return 1
echo "Releasing fleetlock lock" echo "Releasing fleetlock lock"
$FLEETLOCK_TOOL --lock-group "$fleetlock_group" --unlock || return 1 $FLEETLOCK_TOOL --lock-group "$fleetlock_group" --unlock "${optional_args[@]}" || return 1
fi fi
return 0 return 0
} }
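Review bot: `fleetlock_lock_timeout` is read after sourcing `$FLEETLOCK_CONFIG` without being declared local and reset first, unlike `fleetlock_group`, which gets `local fleetlock_group=""`. If the config file does not set it, a value left over from the caller's environment or from an earlier sourcing in the same shell is passed to `--timeout`. I would add `local fleetlock_lock_timeout=""` next to `local optional_args=()` in fleetlock_lock, and `local fleetlock_unlock_timeout=""` at the same place in the second hunk (fleetlock_unlock). fleetlock_lock begins outside the first hunk.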


@ -97,7 +97,10 @@ def do_fleetlock_request(
timeout=args.request_timeout, timeout=args.request_timeout,
auth=("", config[args.lock_group]["password"]), auth=("", config[args.lock_group]["password"]),
) )
except requests.exceptions.ConnectionError as e: except (
requests.exceptions.ConnectionError,
requests.exceptions.ReadTimeout,
) as e:
print(f"POST request failed: {e}") print(f"POST request failed: {e}")
time.sleep(retry_sleep_delay) time.sleep(retry_sleep_delay)
continue continue
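Review bot: Retrying on `ReadTimeout` is not equivalent to retrying on `ConnectionError`: with a read timeout the POST may already have reached the server, so the retry is only safe if the server treats a repeated lock or unlock request as idempotent, which this hunk does not show. A comment on the new except clause would record that assumption, e.g. `# ReadTimeout: the request may have been processed; retry relies on the server accepting a repeated lock/unlock`. The retry loop and do_fleetlock_request start and end outside the hunk, so whether the retries are bounded cannot be seen here.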


@ -17,7 +17,7 @@ if test -f /root/.ssh/authorized_keys; then
if test `stat -t /root/.ssh/authorized_keys | cut -d\ -f5` != 0; then if test `stat -t /root/.ssh/authorized_keys | cut -d\ -f5` != 0; then
chown root.root /root/.ssh/authorized_keys chown root.root /root/.ssh/authorized_keys
fi fi
if test `stat --printf=%a /root/.ssh/authorized_keys` != 600; then if test `stat --printf=%a /root/.ssh/authorized_keys` != 440; then
chmod 600 /root/.ssh/authorized_keys chmod 440 /root/.ssh/authorized_keys
fi fi
fi fi
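Review bot: With mode `440` the file's group now gets read access, but the ownership test two lines above compares only field 5 of `stat -t`, which is the uid. A file owned by root with a non-root group therefore skips the `chown` and becomes readable by that group, which the previous `600` did not allow. I would compare owner and group together, e.g. `if test "$(stat --printf=%u:%g /root/.ssh/authorized_keys)" != 0:0; then`, so the group is reset before the new mode is applied. The enclosing `if test -f` block starts outside the hunk.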


@ -0,0 +1,24 @@
#!/bin/sh
#
# Set Cosmos directory permissions so that
# the files cannot be read by anyone but root,
# since it's possible that the directory
# can contain files that after applying the
# overlay to / only should be read or writable
# by root.
set -e
self=$(basename "$0")
if ! test -d "$COSMOS_BASE"; then
test -z "$COSMOS_VERBOSE" || echo "$self: COSMOS_BASE was not found. Aborting change of permissions."
exit 0
fi
args=""
if [ "x$COSMOS_VERBOSE" = "xy" ]; then
args="-v"
fi
chown ${args} root:root "$COSMOS_BASE"
chmod ${args} 750 "$COSMOS_BASE"
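Review bot: Mode `750` does not match the header comment, which says the files must not be readable by anyone but root: it grants read and traverse to the owning group, which `chown root:root` sets to group root. If root-only is the intent, `chmod ${args} 700 "$COSMOS_BASE"` states it directly; if group access is wanted, the comment should say so. The same applies to the second, identical new script later in this commit.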


@ -0,0 +1,24 @@
#!/bin/sh
#
# Set Cosmos directory permissions so that
# the files cannot be read by anyone but root,
# since it's possible that the directory
# can contain files that after applying the
# overlay to / only should be read or writable
# by root.
set -e
self=$(basename "$0")
if ! test -d "$COSMOS_BASE"; then
test -z "$COSMOS_VERBOSE" || echo "$self: COSMOS_BASE was not found. Aborting change of permissions."
exit 0
fi
args=""
if [ "x$COSMOS_VERBOSE" = "xy" ]; then
args="-v"
fi
chown ${args} root:root "$COSMOS_BASE"
chmod ${args} 750 "$COSMOS_BASE"


@ -14,10 +14,17 @@ if ! test -d "$MODEL_OVERLAY"; then
exit 0 exit 0
fi fi
if [ -d "$MODEL_OVERLAY/root" ]; then args=""
args="" if [ "x$COSMOS_VERBOSE" = "xy" ]; then
if [ "x$COSMOS_VERBOSE" = "xy" ]; then
args="-v" args="-v"
fi fi
if [ -d "$MODEL_OVERLAY/root" ]; then
chown ${args} root:root "$MODEL_OVERLAY"/root
chmod ${args} 0700 "$MODEL_OVERLAY"/root chmod ${args} 0700 "$MODEL_OVERLAY"/root
fi fi
if [ -d "$MODEL_OVERLAY/root/.ssh" ]; then
chown ${args} -R root:root "$MODEL_OVERLAY"/root/.ssh
chmod ${args} 0700 "$MODEL_OVERLAY"/root/.ssh
fi
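Review bot: In the new `.ssh` block the ownership change is recursive but the mode change is not: `chown ${args} -R` covers every file under `root/.ssh`, while `chmod ${args} 0700` only touches the directory, so key files keep whatever mode the checkout gave them. Inside the overlay they are shielded by the 0700 directory, but if the overlay is later copied to / with modes preserved (not visible in this hunk) those modes would carry over. Consider adding `chmod ${args} -R go-rwx "$MODEL_OVERLAY"/root/.ssh` after the existing chmod, or a comment stating that per-file modes are handled elsewhere. The enclosing script starts outside the hunk.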