Beispiel #1
0
def dcos_telegraf_common() -> None:
    # Use `chmod` to set directory mode, rather than `mkdir`s `mode` parameter.
    # Unlike `mkdir`, `chmod` does not use umask, so we avoid the group-write
    # permissions getting ignored by a typical 022 umask.  We don't change the
    # umask because that affects any created parent directories, that may then
    # be unintentionally writable by non-owners.  Also `mkdir` only sets mode
    # on creation, so separate `chmod` ensures that the permissions are
    # correct on each restart.

    telegraf_run = utils.dcos_run_path / 'telegraf'
    telegraf_run.mkdir(parents=True, exist_ok=True)
    utils.chown(telegraf_run, user='******', group='dcos_telegraf')
    telegraf_run.chmod(0o775)

    # Migrate old containers dir to new location in case the cluster was upgraded.
    legacy_containers_dir = Path(os.environ['LEGACY_CONTAINERS_DIR'])
    telegraf_containers_dir = Path(os.environ['TELEGRAF_CONTAINERS_DIR'])

    if not migrate_containers(legacy_containers_dir, telegraf_containers_dir):
        telegraf_containers_dir.mkdir(parents=True, exist_ok=True)
        telegraf_containers_dir.chmod(0o775)
    utils.chown(telegraf_containers_dir, user='******', group='dcos_telegraf')

    user_config_dir = Path(os.environ['TELEGRAF_USER_CONFIG_DIR'])
    user_config_dir.mkdir(parents=True, exist_ok=True)
Beispiel #2
0
def dcos_cockroach(b, opts):
    user = '******'

    cockroach_run = utils.dcos_run_path / 'cockroach'
    cockroach_run.mkdir(parents=True, exist_ok=True)
    utils.chown(cockroach_run, user=user)
    cockroach_run.chmod(0o700)
Beispiel #3
0
def _create_private_directory(path, owner):
    """
    Create a directory which ``owner`` can create, modify and delete files in
    but other non-root users cannot.

    Args:
        path (pathlib.Path): The path to the directory to create.
        owner (str): The owner of the directory.
    """
    path.mkdir(parents=True, exist_ok=True)
    utils.chown(path, user=owner)
    path.chmod(0o700)
Beispiel #4
0
def dcos_bouncer(b, opts):
    rundir = utils.dcos_run_path / 'dcos-bouncer'
    rundir.mkdir(parents=True, exist_ok=True)
    utils.chown('/run/dcos/dcos-bouncer', user='******')
    # Permissions are restricted to the dcos_bouncer user as this directory
    # contains sensitive data.  See
    # https://jira.mesosphere.com/browse/DCOS-18350

    # The ``bouncer_tmpdir`` directory path corresponds to the
    # TMPDIR environment variable configured in the dcos-bouncer.service file.
    user = '******'
    bouncer_tmpdir = _known_exec_directory() / user
    _create_private_directory(path=bouncer_tmpdir, owner=user)
Beispiel #5
0
def dcos_adminrouter(b, opts):
    b.cluster_id()

    # Require the IAM to already be up and running. The IAM contains logic for
    # achieving consensus about a key pair, and exposes the public key
    # information via its JWKS endpoint. Talk directly to the local IAM instance
    # which is reachable via the local network interface.
    r = requests.get('http://127.0.0.1:8101/acs/api/v1/auth/jwks')

    if r.status_code != 200:
        log.info('JWKS retrieval failed. Got %s with body: %s', r, r.text)
        sys.exit(1)

    jwks = r.json()

    # The first key in the JSON Web Key Set corresponds to the current private
    # key used for signing authentiction tokens.
    key = jwks['keys'][0]

    exponent_bytes = base64url_decode(key['e'].encode('ascii'))
    exponent_int = bytes_to_number(exponent_bytes)
    modulus_bytes = base64url_decode(key['n'].encode('ascii'))
    modulus_int = bytes_to_number(modulus_bytes)
    # Generate a `cryptography` public key object instance from these numbers.
    public_numbers = rsa.RSAPublicNumbers(n=modulus_int, e=exponent_int)
    public_key = public_numbers.public_key(
        backend=cryptography.hazmat.backends.default_backend())

    # Serialize public key into the OpenSSL PEM public key format RFC 5280).
    pubkey_pem_bytes = public_key.public_bytes(
        encoding=serialization.Encoding.PEM,
        format=serialization.PublicFormat.SubjectPublicKeyInfo)

    rundir = utils.dcos_run_path / 'dcos-adminrouter'
    rundir.mkdir(parents=True, exist_ok=True)
    pubkey_path = rundir / 'auth-token-verification-key'
    utils.write_public_file(pubkey_path, pubkey_pem_bytes)
    utils.chown(pubkey_path, user='******')