

8 commits

Patrik Lundin ac83234433
Merge remote-tracking branch 'multiverse/main' 2024-07-05 10:59:29 +02:00
Patrik Lundin 770a5ca3cc
Merge pull request #55 from SUNET/patlu-fleetlock-lock-timeouts
fleetlock: configurable lock/unlock timeout
2024-07-04 13:07:34 +02:00
Patrik Lundin aa88795ee0
sunet-fleetlock: also handle ReadTimeout
Turns out this was not caught by ConnectionError.
2024-07-03 14:13:22 +02:00
Patrik Lundin 01768129f0
fleetlock: configurable lock/unlock timeout
While we already support setting a healthcheck timeout it probably
makes sense to be able to control how long we wait for a
fleetlock_lock() or fleetlock_unlock() call. This becomes important if
only running cosmos once a night or something like that. In that case
you probably want to give a physical machine more than 1 minute to
complete a reboot etc.

This can now be controlled by setting fleetlock_lock_timeout and
fleetlock_unlock_timeout in /etc/run-cosmos-fleetlock-conf. Keep in mind
that while it can make sense to increase the time for taking a lock,
releasing a lock should always be fast (either you have it and release
it, or you dont have it and it is a no-op) so setting a long unlock
timeout should probably never be done.

Since we also potentially wait the unlock timeout at boot (if the
fleetlock server is broken etc) that is another reason to keep it
short. The default 1m is probably OK for most uses.
2024-07-03 13:27:52 +02:00
Patrik Lundin 443611dd3f
Merge pull request #49 from SUNET/john-permissions-fix
Enforce more strict permissions for files in Cosmos
2024-07-03 11:36:21 +02:00
John Van de Meulebrouck Brendgard 8d4ce2d1b7
Make sure that COSMOS_BASE is only readable
by root since it's possible that the directory
can contain files that after applying the
overlay to / only should be read or writable
by root.
2023-11-17 15:03:47 +01:00
John Van de Meulebrouck Brendgard 75e566ab61
Make sure that /root in overlay is owned by root
as well as that /root/.ssh and its content is
only owned and readable by root. This is redundant
if the previous permissions were properly applied
and no other changes have been made by the user
or something else, but is added for good measure
as a layered defense.
2023-11-17 14:58:51 +01:00
John Van de Meulebrouck Brendgard ca353ed406
Set same permissions for /root/.ssh/authorized_keys
in post-tasks.d/010fix-ssh-perms as is done by
Puppet with sunet::ssh_keys.
2023-11-17 13:50:02 +01:00
6 changed files with 77 additions and 9 deletions


@ -67,14 +67,19 @@ fleetlock_lock() {
# called. # called.
fleetlock_enable_unlock_service || return 1 fleetlock_enable_unlock_service || return 1
local fleetlock_group="" local fleetlock_group=""
local optional_args=()
# shellcheck source=/dev/null # shellcheck source=/dev/null
. $FLEETLOCK_CONFIG || return 1 . $FLEETLOCK_CONFIG || return 1
if [ -z "$fleetlock_group" ]; then if [ -z "$fleetlock_group" ]; then
echo "Unable to set fleetlock_group" echo "Unable to set fleetlock_group"
return 1 return 1
fi fi
if [ -n "$fleetlock_lock_timeout" ]; then
optional_args+=("--timeout")
optional_args+=("$fleetlock_lock_timeout")
fi
echo "Getting fleetlock lock" echo "Getting fleetlock lock"
$FLEETLOCK_TOOL --lock-group "$fleetlock_group" --lock || return 1 $FLEETLOCK_TOOL --lock-group "$fleetlock_group" --lock "${optional_args[@]}" || return 1
fi fi
return 0 return 0
} }
@ -82,15 +87,20 @@ fleetlock_lock() {
fleetlock_unlock() { fleetlock_unlock() {
if [ ! -f $FLEETLOCK_DISABLE_FILE ] && [ -f $FLEETLOCK_CONFIG ] && [ -x $FLEETLOCK_TOOL ]; then if [ ! -f $FLEETLOCK_DISABLE_FILE ] && [ -f $FLEETLOCK_CONFIG ] && [ -x $FLEETLOCK_TOOL ]; then
local fleetlock_group="" local fleetlock_group=""
local optional_args=()
# shellcheck source=/dev/null # shellcheck source=/dev/null
. $FLEETLOCK_CONFIG || return 1 . $FLEETLOCK_CONFIG || return 1
if [ -z "$fleetlock_group" ]; then if [ -z "$fleetlock_group" ]; then
echo "Unable to set fleetlock_group" echo "Unable to set fleetlock_group"
return 1 return 1
fi fi
if [ -n "$fleetlock_unlock_timeout" ]; then
optional_args+=("--timeout")
optional_args+=("$fleetlock_unlock_timeout")
fi
machine_is_healthy || return 1 machine_is_healthy || return 1
echo "Releasing fleetlock lock" echo "Releasing fleetlock lock"
$FLEETLOCK_TOOL --lock-group "$fleetlock_group" --unlock || return 1 $FLEETLOCK_TOOL --lock-group "$fleetlock_group" --unlock "${optional_args[@]}" || return 1
fi fi
return 0 return 0
} }
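Review bot: The new timeout variables are not reset before the config is sourced, unlike `fleetlock_group`, so a `fleetlock_lock_timeout` or `fleetlock_unlock_timeout` already present in the environment (or left over from an earlier call in the same shell, since neither is `local`) is passed to the tool even when `/etc/run-cosmos-fleetlock-conf` does not set it; add `local fleetlock_lock_timeout=""` next to `local optional_args=()` in fleetlock_lock, and the unlock counterpart in fleetlock_unlock. The value is also forwarded unchecked; a guard such as `case "$fleetlock_lock_timeout" in *[!0-9]*) echo "invalid fleetlock_lock_timeout"; return 1 ;; esac` fails early with a clear message instead of relying on the tool's own argument parsing. Expanding `"${optional_args[@]}"` on an empty array is an unbound-variable error under `set -u` in bash older than 4.4, which only matters if this script enables `-u` (not visible here). fleetlock_lock starts before the first hunk.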


@ -97,7 +97,10 @@ def do_fleetlock_request(
timeout=args.request_timeout, timeout=args.request_timeout,
auth=("", config[args.lock_group]["password"]), auth=("", config[args.lock_group]["password"]),
) )
except requests.exceptions.ConnectionError as e: except (
requests.exceptions.ConnectionError,
requests.exceptions.ReadTimeout,
) as e:
print(f"POST request failed: {e}") print(f"POST request failed: {e}")
time.sleep(retry_sleep_delay) time.sleep(retry_sleep_delay)
continue continue
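Review bot: `requests.exceptions.ReadTimeout` only covers the read phase; its parent `requests.exceptions.Timeout` also covers connect timeouts, so `except (requests.exceptions.ConnectionError, requests.exceptions.Timeout) as e:` is the more general spelling and avoids a third entry the next time another timeout subclass surfaces. Whether the retry loop is bounded is not visible in the hunk; if it is not, a slow or unreachable server keeps the caller waiting regardless of `request_timeout`, and the `--timeout` now passed by the shell wrapper is presumably what bounds it — worth confirming in the surrounding code. do_fleetlock_request starts before the hunk and its loop continues after it.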


@ -17,7 +17,7 @@ if test -f /root/.ssh/authorized_keys; then
if test `stat -t /root/.ssh/authorized_keys | cut -d\ -f5` != 0; then if test `stat -t /root/.ssh/authorized_keys | cut -d\ -f5` != 0; then
chown root.root /root/.ssh/authorized_keys chown root.root /root/.ssh/authorized_keys
fi fi
if test `stat --printf=%a /root/.ssh/authorized_keys` != 600; then if test `stat --printf=%a /root/.ssh/authorized_keys` != 440; then
chmod 600 /root/.ssh/authorized_keys chmod 440 /root/.ssh/authorized_keys
fi fi
fi fi
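Review bot: The changed mode check still uses backticks and an unquoted command substitution, so if `stat` fails (the file disappearing between the outer `test -f` and this line) `test` is left with `!= 440` and a missing operand and the script errors instead of skipping; `if test "$(stat --printf=%a /root/.ssh/authorized_keys)" != 440; then` closes that gap and matches the `$(basename "$0")` style of the new scripts in this change. The unchanged `chown root.root` two lines above is the legacy spelling, while the other scripts here use `root:root`. Note that 440 makes the key file readable to group root as well as owner, and drops the owner write bit, which root bypasses anyway, so tooling that appends keys keeps working. The enclosing `if test -f` block starts before the hunk.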


@ -0,0 +1,24 @@
#!/bin/sh
#
# Set Cosmos directory permissions so that
# the files cannot be read by anyone but root,
# since it's possible that the directory
# can contain files that after applying the
# overlay to / only should be read or writable
# by root.
set -e
self=$(basename "$0")
if ! test -d "$COSMOS_BASE"; then
test -z "$COSMOS_VERBOSE" || echo "$self: COSMOS_BASE was not found. Aborting change of permissions."
exit 0
fi
args=""
if [ "x$COSMOS_VERBOSE" = "xy" ]; then
args="-v"
fi
chown ${args} root:root "$COSMOS_BASE"
chmod ${args} 750 "$COSMOS_BASE"
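Review bot: The header comment says the directory must not be readable by anyone but root, but `chmod ${args} 750 "$COSMOS_BASE"` keeps read and traverse for the group, which after the preceding `chown root:root` is group root; either use `chmod ${args} 700 "$COSMOS_BASE"` or say in the comment that group-root access is intended. The mode is applied to the top directory only, which blocks path lookup for non-root users but leaves the files' own modes untouched, so anything reachable another way (a hard link elsewhere, an already-open descriptor, a bind mount) keeps its previous exposure — worth a sentence in the comment if the non-recursive choice is deliberate. The same two points apply to the identical copy of this script in the next file section (L160–L180). The hunk header announces 24 lines while 20 are shown, so the blank lines appear to have been dropped in rendering.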


@ -0,0 +1,24 @@
#!/bin/sh
#
# Set Cosmos directory permissions so that
# the files cannot be read by anyone but root,
# since it's possible that the directory
# can contain files that after applying the
# overlay to / only should be read or writable
# by root.
set -e
self=$(basename "$0")
if ! test -d "$COSMOS_BASE"; then
test -z "$COSMOS_VERBOSE" || echo "$self: COSMOS_BASE was not found. Aborting change of permissions."
exit 0
fi
args=""
if [ "x$COSMOS_VERBOSE" = "xy" ]; then
args="-v"
fi
chown ${args} root:root "$COSMOS_BASE"
chmod ${args} 750 "$COSMOS_BASE"


@ -14,10 +14,17 @@ if ! test -d "$MODEL_OVERLAY"; then
exit 0 exit 0
fi fi
if [ -d "$MODEL_OVERLAY/root" ]; then
args="" args=""
if [ "x$COSMOS_VERBOSE" = "xy" ]; then if [ "x$COSMOS_VERBOSE" = "xy" ]; then
args="-v" args="-v"
fi fi
if [ -d "$MODEL_OVERLAY/root" ]; then
chown ${args} root:root "$MODEL_OVERLAY"/root
chmod ${args} 0700 "$MODEL_OVERLAY"/root chmod ${args} 0700 "$MODEL_OVERLAY"/root
fi fi
if [ -d "$MODEL_OVERLAY/root/.ssh" ]; then
chown ${args} -R root:root "$MODEL_OVERLAY"/root/.ssh
chmod ${args} 0700 "$MODEL_OVERLAY"/root/.ssh
fi
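Review bot: `chown ${args} -R root:root` recurses into `.ssh`, but the following `chmod ${args} 0700` applies to the directory only, so files staged inside the overlay's `.ssh` (an `authorized_keys`, for instance) keep whatever mode they were committed with, and the commit message's claim that the content is only readable by root does not follow from this hunk; if the content is meant too, `chmod ${args} -R go-rwx "$MODEL_OVERLAY"/root/.ssh` strips group and other bits without disturbing the owner bits or the file/directory distinction. Whether applying the overlay to / preserves these modes is not visible here, so the separate post-task on `/root/.ssh/authorized_keys` remains the authoritative fix for the live file. Moving the `args` setup out of the `root` block so both blocks share it reads fine. The enclosing script starts before the hunk.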