Compare commits

..

8 commits

Author SHA1 Message Date
Patrik Lundin ac83234433
Merge remote-tracking branch 'multiverse/main' 2024-07-05 10:59:29 +02:00
Patrik Lundin 770a5ca3cc
Merge pull request #55 from SUNET/patlu-fleetlock-lock-timeouts
fleetlock: configurable lock/unlock timeout
2024-07-04 13:07:34 +02:00
Patrik Lundin aa88795ee0
sunet-fleetlock: also handle ReadTimeout
Turns out this was not caught by ConnectionError.
2024-07-03 14:13:22 +02:00
Patrik Lundin 01768129f0
fleetlock: configurable lock/unlock timeout
While we already support setting a healthcheck timeout it probably
makes sense to be able to control how long we wait for a
fleetlock_lock() or fleetlock_unlock() call. This becomes important if
only running cosmos once a night or something like that. In that case we
you probably want to give a physical machine more than than 1 minute to
complete a reboot etc.

This can now be controlled by setting fleetlock_lock_timeout and
fleetlock_unlock_timeout in /etc/run-cosmos-fleetlock-conf. Keep in mind
that while it can make sense to increase the time for taking a lock,
releasing a lock should always be fast (either you have it and release
it, or you dont have it and it is a no-op) so setting a long unlock
timeout should probably never be done.

Since we also potentially wait the unlock timeout at boot (if the
fleetlock server is broken etc) that is another reason to keep it
short. The default 1m is probably OK for most uses.
2024-07-03 13:27:52 +02:00
Patrik Lundin 443611dd3f
Merge pull request #49 from SUNET/john-permissions-fix
Enforce more strict permissions for files in Cosmos
2024-07-03 11:36:21 +02:00
John Van de Meulebrouck Brendgard 8d4ce2d1b7
Make sure that COSMOS_BASE is only readable
by root since it's possible that the directory
can contain files that after applying the
overlay to / only should be read or writable
by root.
2023-11-17 15:03:47 +01:00
John Van de Meulebrouck Brendgard 75e566ab61
Make sure that /root in overlay is owned by root
as well as that /root/.ssh and its content is
only owned and readable by root. This is redundant
if the previous permissions were properly applied
and no other changes have been made by the user
or something else, but is added for good measure
as a layered defense.
2023-11-17 14:58:51 +01:00
John Van de Meulebrouck Brendgard ca353ed406
Set same permissions for /root/.ssh/authorized_keys
in post-tasks.d/010fix-ssh-perms as is done by
Puppet with sunet::ssh_keys.
2023-11-17 13:50:02 +01:00
6 changed files with 77 additions and 9 deletions

View file

@ -67,14 +67,19 @@ fleetlock_lock() {
# called.
fleetlock_enable_unlock_service || return 1
local fleetlock_group=""
local optional_args=()
# shellcheck source=/dev/null
. $FLEETLOCK_CONFIG || return 1
if [ -z "$fleetlock_group" ]; then
echo "Unable to set fleetlock_group"
return 1
fi
if [ -n "$fleetlock_lock_timeout" ]; then
optional_args+=("--timeout")
optional_args+=("$fleetlock_lock_timeout")
fi
echo "Getting fleetlock lock"
$FLEETLOCK_TOOL --lock-group "$fleetlock_group" --lock || return 1
$FLEETLOCK_TOOL --lock-group "$fleetlock_group" --lock "${optional_args[@]}" || return 1
fi
return 0
}
@ -82,15 +87,20 @@ fleetlock_lock() {
fleetlock_unlock() {
if [ ! -f $FLEETLOCK_DISABLE_FILE ] && [ -f $FLEETLOCK_CONFIG ] && [ -x $FLEETLOCK_TOOL ]; then
local fleetlock_group=""
local optional_args=()
# shellcheck source=/dev/null
. $FLEETLOCK_CONFIG || return 1
if [ -z "$fleetlock_group" ]; then
echo "Unable to set fleetlock_group"
return 1
fi
if [ -n "$fleetlock_unlock_timeout" ]; then
optional_args+=("--timeout")
optional_args+=("$fleetlock_unlock_timeout")
fi
machine_is_healthy || return 1
echo "Releasing fleetlock lock"
$FLEETLOCK_TOOL --lock-group "$fleetlock_group" --unlock || return 1
$FLEETLOCK_TOOL --lock-group "$fleetlock_group" --unlock "${optional_args[@]}" || return 1
fi
return 0
}

View file

@ -97,7 +97,10 @@ def do_fleetlock_request(
timeout=args.request_timeout,
auth=("", config[args.lock_group]["password"]),
)
except requests.exceptions.ConnectionError as e:
except (
requests.exceptions.ConnectionError,
requests.exceptions.ReadTimeout,
) as e:
print(f"POST request failed: {e}")
time.sleep(retry_sleep_delay)
continue

View file

@ -17,7 +17,7 @@ if test -f /root/.ssh/authorized_keys; then
if test `stat -t /root/.ssh/authorized_keys | cut -d\ -f5` != 0; then
chown root.root /root/.ssh/authorized_keys
fi
if test `stat --printf=%a /root/.ssh/authorized_keys` != 600; then
chmod 600 /root/.ssh/authorized_keys
if test `stat --printf=%a /root/.ssh/authorized_keys` != 440; then
chmod 440 /root/.ssh/authorized_keys
fi
fi

View file

@ -0,0 +1,24 @@
#!/bin/sh
#
# Set Cosmos directory permissions so that
# the files cannot be read by anyone but root,
# since it's possible that the directory
# can contain files that after applying the
# overlay to / only should be read or writable
# by root.
set -e
self=$(basename "$0")
if ! test -d "$COSMOS_BASE"; then
test -z "$COSMOS_VERBOSE" || echo "$self: COSMOS_BASE was not found. Aborting change of permissions."
exit 0
fi
args=""
if [ "x$COSMOS_VERBOSE" = "xy" ]; then
args="-v"
fi
chown ${args} root:root "$COSMOS_BASE"
chmod ${args} 750 "$COSMOS_BASE"

View file

@ -0,0 +1,24 @@
#!/bin/sh
#
# Set Cosmos directory permissions so that
# the files cannot be read by anyone but root,
# since it's possible that the directory
# can contain files that after applying the
# overlay to / only should be read or writable
# by root.
set -e
self=$(basename "$0")
if ! test -d "$COSMOS_BASE"; then
test -z "$COSMOS_VERBOSE" || echo "$self: COSMOS_BASE was not found. Aborting change of permissions."
exit 0
fi
args=""
if [ "x$COSMOS_VERBOSE" = "xy" ]; then
args="-v"
fi
chown ${args} root:root "$COSMOS_BASE"
chmod ${args} 750 "$COSMOS_BASE"

View file

@ -14,10 +14,17 @@ if ! test -d "$MODEL_OVERLAY"; then
exit 0
fi
args=""
if [ "x$COSMOS_VERBOSE" = "xy" ]; then
args="-v"
fi
if [ -d "$MODEL_OVERLAY/root" ]; then
args=""
if [ "x$COSMOS_VERBOSE" = "xy" ]; then
args="-v"
fi
chown ${args} root:root "$MODEL_OVERLAY"/root
chmod ${args} 0700 "$MODEL_OVERLAY"/root
fi
if [ -d "$MODEL_OVERLAY/root/.ssh" ]; then
chown ${args} -R root:root "$MODEL_OVERLAY"/root/.ssh
chmod ${args} 0700 "$MODEL_OVERLAY"/root/.ssh
fi