def dcos_telegraf_common() -> None:
# Use `chmod` to set directory mode, rather than `mkdir`s `mode` parameter.
# Unlike `mkdir`, `chmod` does not use umask, so we avoid the group-write
# permissions getting ignored by a typical 022 umask. We don't change the
# umask because that affects any created parent directories, that may then
# be unintentionally writable by non-owners. Also `mkdir` only sets mode
# on creation, so separate `chmod` ensures that the permissions are
# correct on each restart.
telegraf_run = utils.dcos_run_path / 'telegraf'
telegraf_run.mkdir(parents=True, exist_ok=True)
utils.chown(telegraf_run, user='******', group='dcos_telegraf')
telegraf_run.chmod(0o775)
# Migrate old containers dir to new location in case the cluster was upgraded.
legacy_containers_dir = Path(os.environ['LEGACY_CONTAINERS_DIR'])
telegraf_containers_dir = Path(os.environ['TELEGRAF_CONTAINERS_DIR'])
if not migrate_containers(legacy_containers_dir, telegraf_containers_dir):
telegraf_containers_dir.mkdir(parents=True, exist_ok=True)
telegraf_containers_dir.chmod(0o775)
utils.chown(telegraf_containers_dir, user='******', group='dcos_telegraf')
user_config_dir = Path(os.environ['TELEGRAF_USER_CONFIG_DIR'])
user_config_dir.mkdir(parents=True, exist_ok=True)
def dcos_cockroach(b, opts):
user = '******'
cockroach_run = utils.dcos_run_path / 'cockroach'
cockroach_run.mkdir(parents=True, exist_ok=True)
utils.chown(cockroach_run, user=user)
cockroach_run.chmod(0o700)
def _create_private_directory(path, owner):
"""
Create a directory which ``owner`` can create, modify and delete files in
but other non-root users cannot.
Args:
path (pathlib.Path): The path to the directory to create.
owner (str): The owner of the directory.
"""
path.mkdir(parents=True, exist_ok=True)
utils.chown(path, user=owner)
path.chmod(0o700)
def dcos_bouncer(b, opts):
rundir = utils.dcos_run_path / 'dcos-bouncer'
rundir.mkdir(parents=True, exist_ok=True)
utils.chown('/run/dcos/dcos-bouncer', user='******')
# Permissions are restricted to the dcos_bouncer user as this directory
# contains sensitive data. See
# https://jira.mesosphere.com/browse/DCOS-18350
# The ``bouncer_tmpdir`` directory path corresponds to the
# TMPDIR environment variable configured in the dcos-bouncer.service file.
user = '******'
bouncer_tmpdir = _known_exec_directory() / user
_create_private_directory(path=bouncer_tmpdir, owner=user)
def dcos_adminrouter(b, opts):
b.cluster_id()
# Require the IAM to already be up and running. The IAM contains logic for
# achieving consensus about a key pair, and exposes the public key
# information via its JWKS endpoint. Talk directly to the local IAM instance
# which is reachable via the local network interface.
r = requests.get('http://127.0.0.1:8101/acs/api/v1/auth/jwks')
if r.status_code != 200:
log.info('JWKS retrieval failed. Got %s with body: %s', r, r.text)
sys.exit(1)
jwks = r.json()
# The first key in the JSON Web Key Set corresponds to the current private
# key used for signing authentiction tokens.
key = jwks['keys'][0]
exponent_bytes = base64url_decode(key['e'].encode('ascii'))
exponent_int = bytes_to_number(exponent_bytes)
modulus_bytes = base64url_decode(key['n'].encode('ascii'))
modulus_int = bytes_to_number(modulus_bytes)
# Generate a `cryptography` public key object instance from these numbers.
public_numbers = rsa.RSAPublicNumbers(n=modulus_int, e=exponent_int)
public_key = public_numbers.public_key(
backend=cryptography.hazmat.backends.default_backend())
# Serialize public key into the OpenSSL PEM public key format RFC 5280).
pubkey_pem_bytes = public_key.public_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PublicFormat.SubjectPublicKeyInfo)
rundir = utils.dcos_run_path / 'dcos-adminrouter'
rundir.mkdir(parents=True, exist_ok=True)
pubkey_path = rundir / 'auth-token-verification-key'
utils.write_public_file(pubkey_path, pubkey_pem_bytes)
utils.chown(pubkey_path, user='******')