Exemple #1
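def create_jail_user(username):
    """ Setup a jail user with the given username

    Creates the account in the jailusers group, adds an iptables OUTPUT DROP
    rule keyed on the account, builds the per-user directory tree under
    /srv/chroot, appends a unionfs-fuse mount line to /etc/fstab and writes an
    schroot config file named after the user.

    The username is interpolated into command strings handed to run_cmd, into
    an /etc/fstab line and into a path under /etc/schroot/chroot.d, so it is
    checked against a conservative account-name pattern before anything on
    the system is touched.

    Raises:
        ValueError: if username is not of the form [a-z_][a-z0-9_-]* with at
            most 32 characters.
    """
    # Local import: the file's import block is not visible from this function.
    import re
    # Reject whitespace, path separators and shell/fstab metacharacters up
    # front; \Z (not $) so a trailing newline cannot slip through.
    if not re.match(r"[a-z_][a-z0-9_-]{0,31}\Z", username):
        raise ValueError("invalid jail username: %r" % (username, ))
    run_cmd("useradd -g jailusers -d /home/jailuser %s" % (username, ))
    # Add rule to drop any network communication from this user
    # NOTE(review): iptables only covers IPv4; if the host has IPv6 enabled a
    # matching ip6tables rule would be needed for the same guarantee - confirm.
    run_cmd("iptables -A OUTPUT -m owner --uid-owner %s -j DROP" %
            (username, ))
    # Create user specific chroot
    chroot_dir = "/srv/chroot"
    jail_dir = os.path.join(chroot_dir, username)
    # os.makedirs raises OSError when the directory already exists, so a
    # second call for the same username fails here.
    os.makedirs(os.path.join(jail_dir, "scratch"))
    os.makedirs(os.path.join(jail_dir, "root"))
    # The "home" directory is one read-only branch of the union below; the
    # user's home sits inside it at home/jailuser.
    home_dir = os.path.join(jail_dir, "home/home/jailuser")
    os.makedirs(home_dir)
    run_cmd("chown %s:jailusers %s" % (username, home_dir))
    # jailkeeper group gets rwx on the jail directory itself
    run_cmd("chown :jailkeeper %s" % (jail_dir, ))
    run_cmd("chmod g=rwx %s" % (jail_dir, ))
    # Union mount: scratch is the only writable branch, home and the shared
    # aic-base tree are read-only, and the result is mounted on root.
    fs_line = "unionfs-fuse#%s=rw:%s=ro:%s=ro %s fuse cow,allow_other,noauto 0 0" % (
        os.path.join(jail_dir, "scratch"), os.path.join(jail_dir, "home"),
        os.path.join(chroot_dir, "aic-base"), os.path.join(jail_dir, "root"))
    append_line("/etc/fstab", fs_line)
    cfg_filename = os.path.join(TEMPLATE_DIR,
                                "chroot_configs/chroot.d/jailuser.template")
    with open(cfg_filename, 'r') as cfg_file:
        cfg = cfg_file.read()
    # The schroot config file name is the username, which is why the name
    # must not contain path separators.
    schroot_filename = os.path.join("/etc/schroot/chroot.d", username)
    with open(schroot_filename, 'w') as schroot_file:
        schroot_file.write(cfg.format(jailname=username))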
Exemple #2
def main(argv=["worker_setup.py"]):
    """ Provision a worker from a fresh ec2 instance, one stage at a time

    Every stage is switched on by a flag on the options object returned by
    get_options(argv). Package installation runs inside
    Environ("DEBIAN_FRONTEND", "noninteractive"); jailguard and the base
    chroot follow. When packages_only is set nothing after that point runs.
    Otherwise the contest files and the jails are set up, and the worker
    start script is optionally registered as an @reboot cron entry and/or
    launched through sudo as options.username.
    """
    options = get_options(argv)
    # arch is forced to i386 whatever get_options returned
    options.arch = 'i386'
    with Environ("DEBIAN_FRONTEND", "noninteractive"):
        if options.update_system:
            for apt_cmd in ("apt-get update", "apt-get upgrade -y"):
                run_cmd(apt_cmd)
        if options.install_required:
            install_required_packages()
        if options.install_utilities:
            install_utility_packages()
        if options.install_pkg_languages:
            install_packaged_languages()
        if options.install_languages:
            install_all_languages(options)
    if options.install_jailguard:
        install_jailguard(options)
    if options.create_jails:
        setup_base_chroot(options)
    if options.packages_only:
        # package-only run: stop before touching contest files or jails
        return
    setup_contest_files(options)
    if options.create_jails:
        setup_base_jail(options)
        setup_jailusers(options)
    launcher = os.path.join(options.root_dir, "worker/start_worker.sh")
    if options.install_cronjob:
        cron_path = "/etc/cron.d/ai-contest"
        # only add the entry when the start script is not already listed
        already_listed = file_contains(cron_path, launcher)
        if not already_listed:
            # the cron entry runs the start script as options.username
            cron_entry = "@reboot %s %s" % (options.username, launcher,)
            append_line(cron_path, cron_entry)
    if options.run_worker:
        launch_cmd = "sudo -u %s %s" % (options.username, launcher)
        run_cmd(launch_cmd)
Exemple #3
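def create_jail_group(options):
    """ Create user group for jail users and set limits on it

    Three independent steps, each skipped when its marker is already present:
    create the jailusers and jailkeeper groups (adding options.username to
    jailkeeper), append hard limits for @jailusers to
    /etc/security/limits.conf, and append two NOPASSWD rules for
    options.username to /etc/sudoers.

    The sudoers mode is now restored in a finally block, so a failure while
    appending no longer leaves the file with the temporary 0640 mode.
    """
    # Only the jailusers entry is checked; jailkeeper is assumed to have been
    # created in the same pass.
    if not file_contains("/etc/group", "^jailusers"):
        run_cmd("groupadd jailusers")
        run_cmd("groupadd jailkeeper")
        run_cmd("usermod -a -G jailkeeper %s" % (options.username, ))
    limits_conf = "/etc/security/limits.conf"
    if not file_contains(limits_conf, "@jailusers"):
        # limit jailuser processes to:
        # 25 processes or system threads
        append_line(limits_conf, "@jailusers hard nproc 25 # ai-contest")
        # 20 minutes of cpu time
        append_line(limits_conf, "@jailusers hard cpu 20 # ai-contest")
        # slightly more than 1.5GB of ram
        # NOTE(review): limits.conf(5) documents the rss item as ignored on
        # Linux 2.4.30 and later, so this line may not cap memory at all;
        # confirm on the target kernel and consider an "as" limit instead.
        append_line(limits_conf, "@jailusers hard rss 1580000 # ai-contest")
    if not file_contains("/etc/sudoers", "^%s.+jailusers" %
                         (options.username, )):
        # NOTE(review): sudoers is edited in place with no syntax check; a
        # malformed line can break sudo for everyone, so validating the file
        # (e.g. with visudo -c) after the append would be prudent.
        org_mode = os.stat("/etc/sudoers")[0]
        # 0o640 is the same value as the old 0640 literal, spelled so that it
        # also parses on Python 3.
        os.chmod("/etc/sudoers", 0o640)
        try:
            # run anything as any member of the jailusers group, no password
            append_line(
                "/etc/sudoers",
                "%s ALL = (%%jailusers) NOPASSWD: ALL" % (options.username, ))
            # NOTE(review): passwordless mount/umount as any user, with any
            # arguments - treat options.username as root-equivalent.
            append_line(
                "/etc/sudoers",
                "%s ALL = (ALL) NOPASSWD: /bin/mount, /bin/umount" %
                (options.username, ))
        finally:
            # always put the original mode back, even if an append failed
            os.chmod("/etc/sudoers", org_mode)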
Exemple #4
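def create_jail_user(username):
    """ Setup a jail user with the given username

    Adds the account to the jailusers group, installs an iptables OUTPUT DROP
    rule for it, creates the per-user tree under /srv/chroot, registers a
    unionfs-fuse mount in /etc/fstab and writes an schroot config file whose
    name is the username.

    Because the username ends up inside command strings passed to run_cmd,
    inside an /etc/fstab line and inside a path below /etc/schroot/chroot.d,
    it is validated against a conservative account-name pattern first.

    Raises:
        ValueError: if username is not of the form [a-z_][a-z0-9_-]* with at
            most 32 characters.
    """
    # Local import: the file's import block is not visible from this function.
    import re
    # \Z rather than $ so that a trailing newline is rejected as well.
    if not re.match(r"[a-z_][a-z0-9_-]{0,31}\Z", username):
        raise ValueError("invalid jail username: %r" % (username,))
    run_cmd("useradd -g jailusers -d /home/jailuser %s" % (username,))
    # Add rule to drop any network communication from this user
    # NOTE(review): this rule is IPv4 only; IPv6 egress would need a matching
    # ip6tables rule if IPv6 is enabled on the host - confirm.
    run_cmd("iptables -A OUTPUT -m owner --uid-owner %s -j DROP" % (username,))
    # Create user specific chroot
    chroot_dir = "/srv/chroot"
    jail_dir = os.path.join(chroot_dir, username)
    # os.makedirs raises OSError if the directory exists, so calling this
    # twice for one username fails at this point.
    os.makedirs(os.path.join(jail_dir, "scratch"))
    os.makedirs(os.path.join(jail_dir, "root"))
    # "home" is a read-only branch of the union; the home directory lives
    # inside it at home/jailuser.
    home_dir = os.path.join(jail_dir, "home/home/jailuser")
    os.makedirs(home_dir)
    run_cmd("chown %s:jailusers %s" % (username, home_dir))
    # group jailkeeper gets rwx on the jail directory itself
    run_cmd("chown :jailkeeper %s" % (jail_dir,))
    run_cmd("chmod g=rwx %s" % (jail_dir,))
    # scratch is the only writable branch; home and aic-base are read-only;
    # the union is mounted on the per-user root directory.
    fs_line = "unionfs-fuse#%s=rw:%s=ro:%s=ro %s fuse cow,allow_other,noauto 0 0" % (
            os.path.join(jail_dir, "scratch"),
            os.path.join(jail_dir, "home"),
            os.path.join(chroot_dir, "aic-base"),
            os.path.join(jail_dir, "root")
            )
    append_line("/etc/fstab", fs_line)
    cfg_filename = os.path.join(TEMPLATE_DIR,
        "chroot_configs/chroot.d/jailuser.template")
    with open(cfg_filename, 'r') as cfg_file:
        cfg = cfg_file.read()
    # file name == username, hence no path separators allowed in the name
    schroot_filename = os.path.join("/etc/schroot/chroot.d", username)
    with open(schroot_filename, 'w') as schroot_file:
        schroot_file.write(cfg.format(jailname=username))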
Exemple #5
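def create_jail_group(options):
    """ Create user group for jail users and set limits on it

    Performs three steps, each guarded by a check for an existing marker:
    group creation (jailusers, jailkeeper, and options.username added to
    jailkeeper), hard limits for @jailusers in /etc/security/limits.conf, and
    two NOPASSWD sudoers rules for options.username.

    The original /etc/sudoers mode is restored in a finally block, so an
    error during the append cannot leave the temporary 0640 mode in place.
    """
    # The check looks for jailusers only; jailkeeper is created alongside it.
    if not file_contains("/etc/group", "^jailusers"):
        run_cmd("groupadd jailusers")
        run_cmd("groupadd jailkeeper")
        run_cmd("usermod -a -G jailkeeper %s" % (options.username,))
    limits_conf = "/etc/security/limits.conf"
    if not file_contains(limits_conf, "@jailusers"):
        # limit jailuser processes to:
        # 25 processes or system threads
        append_line(limits_conf, "@jailusers hard nproc 25 # ai-contest")
        # 20 minutes of cpu time
        append_line(limits_conf, "@jailusers hard cpu 20 # ai-contest")
        # slightly more than 1.5GB of ram
        # NOTE(review): limits.conf(5) lists rss as ignored on Linux 2.4.30
        # and later, so this may not limit memory; confirm on the target
        # kernel and consider an "as" limit instead.
        append_line(limits_conf, "@jailusers hard rss 1580000 # ai-contest")
    if not file_contains("/etc/sudoers",
            "^%s.+jailusers" % (options.username,)):
        # NOTE(review): the file is appended to directly with no syntax
        # validation; checking it afterwards (e.g. visudo -c) would catch a
        # malformed line before it locks out sudo.
        org_mode = os.stat("/etc/sudoers")[0]
        # 0o640 equals the former 0640 literal and also parses on Python 3
        os.chmod("/etc/sudoers", 0o640)
        try:
            # any command as any jailusers member, without a password
            append_line("/etc/sudoers",
                    "%s ALL = (%%jailusers) NOPASSWD: ALL" % (options.username,))
            # NOTE(review): unrestricted passwordless mount/umount as any
            # user - options.username should be treated as root-equivalent.
            append_line("/etc/sudoers",
                    "%s ALL = (ALL) NOPASSWD: /bin/mount, /bin/umount" % (
                        options.username,))
        finally:
            # restore the original mode whether or not the appends succeeded
            os.chmod("/etc/sudoers", org_mode)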
Exemple #6
def main(argv=["worker_setup.py"]):
    """ Provision a worker from a fresh ec2 instance, one stage at a time

    Stages are selected by flags on the options object from
    get_options(argv). Package work runs inside
    Environ("DEBIAN_FRONTEND", "noninteractive"). With packages_only set the
    function returns right after it. Otherwise contest files and (optionally)
    jail users are set up, and the worker start script is optionally added as
    an @reboot cron entry run as root and/or executed directly.
    """
    options = get_options(argv)
    with Environ("DEBIAN_FRONTEND", "noninteractive"):
        if options.update_system:
            for apt_cmd in ("apt-get update", "apt-get upgrade -y"):
                run_cmd(apt_cmd)
        if options.install_required:
            install_required_packages()
        if options.install_utilities:
            install_utility_packages()
        if options.install_languages:
            install_all_languages()
    if options.packages_only:
        # package-only run: nothing below is touched
        return
    setup_contest_files(options)
    if options.create_jails:
        setup_jailusers(options)
    launcher = os.path.join(options.root_dir, options.local_repo,
            "worker/start_worker.sh")
    if options.install_cronjob:
        cron_path = "/etc/cron.d/ai-contest"
        # skip the append when the start script is already listed
        already_listed = file_contains(cron_path, launcher)
        if not already_listed:
            # the entry names root as the user, so the worker starts as root
            cron_entry = "@reboot root %s" % (launcher,)
            append_line(cron_path, cron_entry)
    if options.run_worker:
        run_cmd(launcher)
Exemple #7
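def setup_jailusers(contest_root):
    """ Create and configure the jail users

    Runs create_jail_users.py from <contest_root>/aichallenge/worker, appends
    a NOPASSWD sudoers rule letting the "contest" account run commands as
    members of jailusers, saves the current iptables rules to
    /etc/iptables.rules and, if it is missing, installs the
    /etc/network/if-pre-up.d/iptablesload script from IPTABLES_LOAD.

    The original /etc/sudoers mode is restored in a finally block, so a
    failed append cannot leave the temporary 0640 mode in place.
    """
    worker_dir = os.path.join(contest_root, "aichallenge", "worker")
    with CD(worker_dir):
        # presumably 32 is the number of jail users to create - confirm
        # against create_jail_users.py
        run_cmd("python create_jail_users.py 32")
    # NOTE(review): the rule is appended unconditionally, so every run adds
    # another copy, and the file is not syntax-checked afterwards
    # (e.g. visudo -c).
    org_mode = os.stat("/etc/sudoers")[0]
    # 0o640 equals the former 0640 literal and also parses on Python 3
    os.chmod("/etc/sudoers", 0o640)
    try:
        append_line("/etc/sudoers", "contest ALL = (%jailusers) NOPASSWD: ALL")
    finally:
        # put the original mode back whether or not the append succeeded
        os.chmod("/etc/sudoers", org_mode)
    # Persist the rule set currently loaded (the output redirection needs
    # run_cmd to go through a shell - confirm).
    run_cmd("iptables-save > /etc/iptables.rules")
    iptablesload_path = "/etc/network/if-pre-up.d/iptablesload"
    # An existing load script is left untouched.
    if not os.path.exists(iptablesload_path):
        with open(iptablesload_path, "w") as loadfile:
            loadfile.write(IPTABLES_LOAD)
        # owner rwx, group/other read-only (same value as the old 0744)
        os.chmod(iptablesload_path, 0o744)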
Exemple #8
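def install_golang():
    """ Install golang from a mercurial release

    Does nothing when /usr/local/bin/godoc already exists. Otherwise installs
    the build prerequisites, clones the tagged release into
    /usr/local/src/go, appends GOROOT and GOBIN exports to /root/.bashrc and
    runs ./all.bash from the source tree with GOBIN=/usr/local/bin.

    An OSError from creating /usr/local/src is now ignored only when the
    directory exists afterwards; any other failure is re-raised instead of
    being silently swallowed.
    """
    RELEASE_TAG = "release.r56"
    # godoc in GOBIN is used as the "already installed" marker
    if os.path.exists("/usr/local/bin/godoc"):
        return
    pkg_list = ["bison", "ed", "gawk", "libc6-dev", "make",
            "python-setuptools", "build-essential", "mercurial"]
    install_apt_packages(pkg_list)
    try:
        os.makedirs("/usr/local/src")
    except OSError:
        # an already existing directory is fine; permission or path errors
        # are not, and would otherwise only surface later in CD()
        if not os.path.isdir("/usr/local/src"):
            raise
    # NOTE(review): the source is selected by tag name only and then built
    # and executed below (writing to /root/.bashrc suggests this runs as
    # root). A tag can be moved upstream; pinning an immutable changeset id
    # or verifying a checksum would make the build reproducible and
    # tamper-evident.
    with CD("/usr/local/src"):
        run_cmd("hg clone -r %s https://go.googlecode.com/hg/ go"
            % (RELEASE_TAG,))
    append_line("/root/.bashrc", "export GOROOT=/usr/local/src/go")
    append_line("/root/.bashrc", "export GOBIN=/usr/local/bin")
    with CD("/usr/local/src/go/src"):
        # GOBIN is exported inline because the .bashrc lines above do not
        # affect the current process
        run_cmd("export GOBIN=/usr/local/bin; ./all.bash")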