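def setup_user_keys(keys, user, key_prefix, log=None):
    """Install *keys* into the authorized_keys file that sshd uses for *user*.

    Args:
        keys: iterable of public-key lines to install.
        user: account name, looked up in the passwd database.
        key_prefix: default option string applied to every key entry
            (passed to AuthKeyEntry as ``def_opt``).
        log: optional logger; a failure to parse sshd_config is logged
            through it and the default path is used instead.

    The process umask is narrowed to 077 while the directory and file are
    created and is restored on every exit path, so a failed lookup or
    write cannot leave the rest of the process running with a tight umask.
    """
    import pwd

    saved_umask = os.umask(0o077)
    try:
        pwent = pwd.getpwnam(user)
        ssh_dir = '%s/.ssh' % pwent.pw_dir
        if not os.path.exists(ssh_dir):
            os.mkdir(ssh_dir)
            os.chown(ssh_dir, pwent.pw_uid, pwent.pw_gid)

        authorized_keys = _authorized_keys_path(pwent, user, log)

        key_entries = [AuthKeyEntry(k, def_opt=key_prefix) for k in keys]
        content = update_authorized_keys(authorized_keys, key_entries)
        # owner-only: authorized_keys must not be group/world writable or
        # sshd (StrictModes) refuses to use it
        util.write_file(authorized_keys, content, 0o600)
        os.chown(authorized_keys, pwent.pw_uid, pwent.pw_gid)
        util.restorecon_if_possible(ssh_dir, recursive=True)
    finally:
        os.umask(saved_umask)


def _authorized_keys_path(pwent, user, log=None):
    """Return the authorized_keys path sshd will consult for this account.

    Reads ``AuthorizedKeysFile`` from sshd_config and expands ``%h``
    (home directory) and ``%u`` (user name). OpenSSH accepts several
    whitespace-separated files in that directive and treats a relative
    path as relative to the home directory; the first entry is used and
    made absolute. Falls back to ``~/.ssh/authorized_keys`` when the
    config cannot be read or parsed.
    """
    default = '%s/.ssh/authorized_keys' % pwent.pw_dir
    try:
        ssh_cfg = parse_ssh_config()
        akeys = ssh_cfg.get("AuthorizedKeysFile", "%h/.ssh/authorized_keys")
        entries = akeys.split()
        if not entries:
            return default
        path = entries[0].replace("%h", pwent.pw_dir).replace("%u", user)
        if not os.path.isabs(path):
            path = os.path.join(pwent.pw_dir, path)
        return path
    except Exception:
        if log:
            util.logexc(log)
        return default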
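def handle(_name, cfg, cloud, log, _args):
    """cloud-config module entry point: install, configure and start puppet.

    Does nothing unless *cfg* has a ``puppet`` key. Otherwise installs the
    puppet package; if ``puppet.conf`` is present in the puppet config,
    merges each of its sections into ``/etc/puppet/puppet.conf`` (the
    special ``ca_cert`` section is written out as the CA certificate
    under the puppet ssl directory instead); then enables the service
    for boot and starts it.
    """
    # If there isn't a puppet key in the configuration don't do anything
    if 'puppet' not in cfg:
        return
    puppet_cfg = cfg['puppet']

    # Start by installing the puppet package ...
    cc.install_packages(("puppet", ))

    # ... and then update the puppet configuration
    if 'conf' in puppet_cfg:
        puppet_config = _read_puppet_conf('/etc/puppet/puppet.conf')
        # loop variable is not called `cfg`, so the cloud-config argument
        # is not shadowed inside the loop
        for section_name, section in puppet_cfg['conf'].items():
            # ca_cert configuration is a special case: dump the
            # puppetmaster ca certificate in the correct place
            if section_name == 'ca_cert':
                _install_ca_cert(section)
            else:
                _merge_conf_section(puppet_config, section_name, section, cloud)

        # We got all our config as wanted; keep the previous puppet.conf
        # as .old and write the merged one
        os.rename('/etc/puppet/puppet.conf', '/etc/puppet/puppet.conf.old')
        with open('/etc/puppet/puppet.conf', 'wb') as configfile:
            puppet_config.write(configfile)
        util.restorecon_if_possible('/etc/puppet/puppet.conf')

    _enable_puppet_service(log)
    # Start puppetd
    subprocess.check_call(['service', 'puppet', 'start'])


def _read_puppet_conf(path):
    """Parse an existing puppet.conf into a ConfigParser and return it.

    Leading whitespace is stripped from every line first: ConfigParser
    treats an indented line as a continuation of the previous value, and
    a shipped puppet.conf may indent its option lines.
    """
    with open(path, 'r') as conf_fh:
        text = ''.join(line.lstrip() for line in conf_fh)
    parser = ConfigParser.ConfigParser()
    parser.readfp(StringIO.StringIO(text))
    return parser


def _install_ca_cert(ca_cert):
    """Write *ca_cert* to the puppet ssl tree, creating it if needed.

    The ssl directory is owned by the puppet user (group root) with mode
    0771 and the certs directory and ca.pem are chowned to puppet. Existing
    directories are reused rather than failing on makedirs.
    """
    ssl_dir = '/var/lib/puppet/ssl'
    certs_dir = '/var/lib/puppet/ssl/certs/'
    ca_path = '/var/lib/puppet/ssl/certs/ca.pem'
    puppet_uid = pwd.getpwnam('puppet').pw_uid

    # Puppet ssl sub-directory isn't created yet on a fresh install;
    # create it with the proper permissions and ownership, but don't
    # fail if the package or an earlier run already made it
    if not os.path.isdir(ssl_dir):
        os.makedirs(ssl_dir)
    os.chmod(ssl_dir, 0o771)
    os.chown(ssl_dir, puppet_uid, 0)
    if not os.path.isdir(certs_dir):
        os.makedirs(certs_dir)
    os.chown(certs_dir, puppet_uid, 0)

    with open(ca_path, 'w') as ca_fh:
        ca_fh.write(ca_cert)
    os.chown(ca_path, puppet_uid, 0)
    util.restorecon_if_possible('/var/lib/puppet', recursive=True)


def _merge_conf_section(parser, section_name, options, cloud):
    """Set every option of *options* in *section_name* of *parser*.

    The section is created if puppet.conf does not have it yet. The
    ``certname`` option gets ``%f`` expanded to the fqdn and ``%i`` to
    the instance id, and is lower-cased because puppet certnames must be.
    """
    # If puppet.conf already has this section we don't want to add it again
    if not parser.has_section(section_name):
        parser.add_section(section_name)
    # ConfigParser.set overwrites existing items or creates new ones
    for opt, val in options.items():
        if opt == 'certname':
            val = val.replace("%f", socket.getfqdn())
            val = val.replace("%i", cloud.datasource.get_instance_id())
            val = val.lower()
        parser.set(section_name, opt, val)


def _enable_puppet_service(log):
    """Enable the puppet service at boot using whatever init tooling exists.

    Tries, in order, the Debian /etc/default/puppet START flag, systemctl,
    and chkconfig; warns through *log* when none is present.
    """
    if os.path.exists('/etc/default/puppet'):
        subprocess.check_call([
            'sed', '-i', '-e', 's/^START=.*/START=yes/', '/etc/default/puppet',
        ])
    elif os.path.exists('/bin/systemctl'):
        subprocess.check_call(['/bin/systemctl', 'enable', 'puppet.service'])
    elif os.path.exists('/sbin/chkconfig'):
        subprocess.check_call(['/sbin/chkconfig', 'puppet', 'on'])
    else:
        log.warn("Do not know how to enable puppet service on this system")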
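def handle(_name, cfg, cloud, log, _args):
    """cloud-config module entry point: set up ssh host keys and user keys.

    Driven by *cfg*:
      * ``ssh_deletekeys`` (default True): remove the host keys baked into
        the image so each instance gets its own.
      * ``ssh_keys``: install the given host keys verbatim; for a private
        key whose public half is not supplied, derive it with ``ssh-keygen -y``.
      * otherwise, generate a host key for each type in ``ssh_genkeytypes``
        (default rsa, dsa, ecdsa) that does not exist yet.
      * finally apply the datasource's public keys plus
        ``ssh_authorized_keys`` to the configured user (and to root
        according to ``disable_root`` / ``disable_root_opts``).
    """
    # remove the static keys from the pristine image
    if cfg.get("ssh_deletekeys", True):
        for f in glob.glob("/etc/ssh/ssh_host_*key*"):
            try:
                os.unlink(f)
            except OSError:
                # best effort: a key that is already gone is not a failure
                pass

    if "ssh_keys" in cfg:
        # if there are keys in cloud-config, use them
        _install_host_keys(cfg["ssh_keys"], log)
    else:
        # if not, generate them
        _generate_host_keys(cfg, log)
    util.restorecon_if_possible('/etc/ssh', recursive=True)

    try:
        user = util.get_cfg_option_str(cfg, 'user')
        disable_root = util.get_cfg_option_bool(cfg, "disable_root", True)
        disable_root_opts = util.get_cfg_option_str(
            cfg, "disable_root_opts", DISABLE_ROOT_OPTS)
        keys = cloud.get_public_ssh_keys()
        if "ssh_authorized_keys" in cfg:
            keys.extend(cfg["ssh_authorized_keys"])
        apply_credentials(keys, user, disable_root, disable_root_opts, log)
    except Exception:
        # narrower than a bare except so SystemExit/KeyboardInterrupt propagate
        util.logexc(log)
        log.warn("applying credentials failed!\n")


def _install_host_keys(ssh_keys, log):
    """Write host keys supplied in cloud-config and derive missing public halves.

    Private keys are written 0600 and public keys 0644. For every private
    key present without its public key, ``ssh-keygen -yf`` is run directly
    (no shell) and its output is written as ``<key> root@localhost``, the
    same content the previous shell pipeline produced. Unknown entries
    and failed derivations are reported through *log* instead of being
    silently ignored.
    """
    key2file = {
        "rsa_private": ("/etc/ssh/ssh_host_rsa_key", 0o600),
        "rsa_public": ("/etc/ssh/ssh_host_rsa_key.pub", 0o644),
        "dsa_private": ("/etc/ssh/ssh_host_dsa_key", 0o600),
        "dsa_public": ("/etc/ssh/ssh_host_dsa_key.pub", 0o644),
        "ecdsa_private": ("/etc/ssh/ssh_host_ecdsa_key", 0o600),
        "ecdsa_public": ("/etc/ssh/ssh_host_ecdsa_key.pub", 0o644),
    }
    priv2pub = {
        'rsa_private': 'rsa_public',
        'dsa_private': 'dsa_public',
        'ecdsa_private': 'ecdsa_public',
    }

    for key, val in ssh_keys.items():
        if key in key2file:
            path, mode = key2file[key]
            util.write_file(path, val, mode)
        else:
            log.warn("ignoring unknown ssh_keys entry %s" % key)

    for priv, pub in priv2pub.items():
        if pub in ssh_keys or priv not in ssh_keys:
            continue
        priv_path = key2file[priv][0]
        pub_path, pub_mode = key2file[pub]
        proc = subprocess.Popen(['ssh-keygen', '-yf', priv_path],
                                stdout=subprocess.PIPE)
        out, _ = proc.communicate()
        if proc.returncode != 0:
            log.warn("ssh-keygen -y failed for %s (exit %d); %s not written"
                     % (priv_path, proc.returncode, pub_path))
            continue
        util.write_file(pub_path, out.rstrip('\n') + ' root@localhost\n',
                        pub_mode)
        log.debug("generated %s from %s" % (pub_path, priv_path))


def _generate_host_keys(cfg, log):
    """Generate a host key for each configured type that is missing.

    Types come from ``ssh_genkeytypes`` (default rsa, dsa, ecdsa). A
    non-zero ssh-keygen exit is logged rather than ignored.
    NOTE: the 'dsa' default predates OpenSSH 7.0, which disabled ssh-dss
    host keys by default; it is left as-is to preserve existing behavior.
    """
    for keytype in util.get_cfg_option_list_or_str(
            cfg, 'ssh_genkeytypes', ['rsa', 'dsa', 'ecdsa']):
        keyfile = '/etc/ssh/ssh_host_%s_key' % keytype
        if os.path.exists(keyfile):
            continue
        rc = subprocess.call(
            ['ssh-keygen', '-t', keytype, '-N', '', '-f', keyfile])
        if rc != 0:
            log.warn("ssh-keygen failed for key type %s (exit %d)"
                     % (keytype, rc))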
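def handle(_name, cfg, cloud, log, _args):
    """cloud-config module entry point: install, configure and start puppet.

    Does nothing unless *cfg* has a ``puppet`` key. Otherwise installs the
    puppet package; if ``puppet.conf`` is present in the puppet config,
    merges each of its sections into ``/etc/puppet/puppet.conf`` (the
    special ``ca_cert`` section is written out as the CA certificate
    under the puppet ssl directory instead); then enables the service
    for boot and starts it.
    """
    # If there isn't a puppet key in the configuration don't do anything
    if 'puppet' not in cfg:
        return
    puppet_cfg = cfg['puppet']

    # Start by installing the puppet package ...
    cc.install_packages(("puppet",))

    # ... and then update the puppet configuration
    if 'conf' in puppet_cfg:
        puppet_config = _read_puppet_conf('/etc/puppet/puppet.conf')
        # loop variable is not called `cfg`, so the cloud-config argument
        # is not shadowed inside the loop
        for section_name, section in puppet_cfg['conf'].items():
            # ca_cert configuration is a special case: dump the
            # puppetmaster ca certificate in the correct place
            if section_name == 'ca_cert':
                _install_ca_cert(section)
            else:
                _merge_conf_section(puppet_config, section_name, section, cloud)

        # We got all our config as wanted; keep the previous puppet.conf
        # as .old and write the merged one
        os.rename('/etc/puppet/puppet.conf', '/etc/puppet/puppet.conf.old')
        with open('/etc/puppet/puppet.conf', 'wb') as configfile:
            puppet_config.write(configfile)
        util.restorecon_if_possible('/etc/puppet/puppet.conf')

    _enable_puppet_service(log)
    # Start puppetd
    subprocess.check_call(['service', 'puppet', 'start'])


def _read_puppet_conf(path):
    """Parse an existing puppet.conf into a ConfigParser and return it.

    Leading whitespace is stripped from every line first: ConfigParser
    treats an indented line as a continuation of the previous value, and
    a shipped puppet.conf may indent its option lines.
    """
    with open(path, 'r') as conf_fh:
        text = ''.join(line.lstrip() for line in conf_fh)
    parser = ConfigParser.ConfigParser()
    parser.readfp(StringIO.StringIO(text))
    return parser


def _install_ca_cert(ca_cert):
    """Write *ca_cert* to the puppet ssl tree, creating it if needed.

    The ssl directory is owned by the puppet user (group root) with mode
    0771 and the certs directory and ca.pem are chowned to puppet. Existing
    directories are reused rather than failing on makedirs.
    """
    ssl_dir = '/var/lib/puppet/ssl'
    certs_dir = '/var/lib/puppet/ssl/certs/'
    ca_path = '/var/lib/puppet/ssl/certs/ca.pem'
    puppet_uid = pwd.getpwnam('puppet').pw_uid

    # Puppet ssl sub-directory isn't created yet on a fresh install;
    # create it with the proper permissions and ownership, but don't
    # fail if the package or an earlier run already made it
    if not os.path.isdir(ssl_dir):
        os.makedirs(ssl_dir)
    os.chmod(ssl_dir, 0o771)
    os.chown(ssl_dir, puppet_uid, 0)
    if not os.path.isdir(certs_dir):
        os.makedirs(certs_dir)
    os.chown(certs_dir, puppet_uid, 0)

    with open(ca_path, 'w') as ca_fh:
        ca_fh.write(ca_cert)
    os.chown(ca_path, puppet_uid, 0)
    util.restorecon_if_possible('/var/lib/puppet', recursive=True)


def _merge_conf_section(parser, section_name, options, cloud):
    """Set every option of *options* in *section_name* of *parser*.

    The section is created if puppet.conf does not have it yet. The
    ``certname`` option gets ``%f`` expanded to the fqdn and ``%i`` to
    the instance id, and is lower-cased because puppet certnames must be.
    """
    # If puppet.conf already has this section we don't want to add it again
    if not parser.has_section(section_name):
        parser.add_section(section_name)
    # ConfigParser.set overwrites existing items or creates new ones
    for opt, val in options.items():
        if opt == 'certname':
            val = val.replace("%f", socket.getfqdn())
            val = val.replace("%i", cloud.datasource.get_instance_id())
            val = val.lower()
        parser.set(section_name, opt, val)


def _enable_puppet_service(log):
    """Enable the puppet service at boot using whatever init tooling exists.

    Tries, in order, the Debian /etc/default/puppet START flag, systemctl,
    and chkconfig; warns through *log* when none is present.
    """
    if os.path.exists('/etc/default/puppet'):
        subprocess.check_call([
            'sed', '-i', '-e', 's/^START=.*/START=yes/', '/etc/default/puppet',
        ])
    elif os.path.exists('/bin/systemctl'):
        subprocess.check_call(['/bin/systemctl', 'enable', 'puppet.service'])
    elif os.path.exists('/sbin/chkconfig'):
        subprocess.check_call(['/sbin/chkconfig', 'puppet', 'on'])
    else:
        log.warn("Do not know how to enable puppet service on this system")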
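def handle(_name, cfg, cloud, log, _args):
    """cloud-config module entry point: set up ssh host keys and user keys.

    Driven by *cfg*:
      * ``ssh_deletekeys`` (default True): remove the host keys baked into
        the image so each instance gets its own.
      * ``ssh_keys``: install the given host keys verbatim; for a private
        key whose public half is not supplied, derive it with ``ssh-keygen -y``.
      * otherwise, generate a host key for each type in ``ssh_genkeytypes``
        (default rsa, dsa, ecdsa) that does not exist yet.
      * finally apply the datasource's public keys plus
        ``ssh_authorized_keys`` to the configured user (and to root
        according to ``disable_root`` / ``disable_root_opts``).
    """
    # remove the static keys from the pristine image
    if cfg.get("ssh_deletekeys", True):
        for f in glob.glob("/etc/ssh/ssh_host_*key*"):
            try:
                os.unlink(f)
            except OSError:
                # best effort: a key that is already gone is not a failure
                pass

    if "ssh_keys" in cfg:
        # if there are keys in cloud-config, use them
        _install_host_keys(cfg["ssh_keys"], log)
    else:
        # if not, generate them
        _generate_host_keys(cfg, log)
    util.restorecon_if_possible('/etc/ssh', recursive=True)

    try:
        user = util.get_cfg_option_str(cfg, 'user')
        disable_root = util.get_cfg_option_bool(cfg, "disable_root", True)
        disable_root_opts = util.get_cfg_option_str(
            cfg, "disable_root_opts", DISABLE_ROOT_OPTS)
        keys = cloud.get_public_ssh_keys()
        if "ssh_authorized_keys" in cfg:
            keys.extend(cfg["ssh_authorized_keys"])
        apply_credentials(keys, user, disable_root, disable_root_opts, log)
    except Exception:
        # narrower than a bare except so SystemExit/KeyboardInterrupt propagate
        util.logexc(log)
        log.warn("applying credentials failed!\n")


def _install_host_keys(ssh_keys, log):
    """Write host keys supplied in cloud-config and derive missing public halves.

    Private keys are written 0600 and public keys 0644. For every private
    key present without its public key, ``ssh-keygen -yf`` is run directly
    (no shell) and its output is written as ``<key> root@localhost``, the
    same content the previous shell pipeline produced. Unknown entries
    and failed derivations are reported through *log* instead of being
    silently ignored.
    """
    key2file = {
        "rsa_private": ("/etc/ssh/ssh_host_rsa_key", 0o600),
        "rsa_public": ("/etc/ssh/ssh_host_rsa_key.pub", 0o644),
        "dsa_private": ("/etc/ssh/ssh_host_dsa_key", 0o600),
        "dsa_public": ("/etc/ssh/ssh_host_dsa_key.pub", 0o644),
        "ecdsa_private": ("/etc/ssh/ssh_host_ecdsa_key", 0o600),
        "ecdsa_public": ("/etc/ssh/ssh_host_ecdsa_key.pub", 0o644),
    }
    priv2pub = {
        'rsa_private': 'rsa_public',
        'dsa_private': 'dsa_public',
        'ecdsa_private': 'ecdsa_public',
    }

    for key, val in ssh_keys.items():
        if key in key2file:
            path, mode = key2file[key]
            util.write_file(path, val, mode)
        else:
            log.warn("ignoring unknown ssh_keys entry %s" % key)

    for priv, pub in priv2pub.items():
        if pub in ssh_keys or priv not in ssh_keys:
            continue
        priv_path = key2file[priv][0]
        pub_path, pub_mode = key2file[pub]
        proc = subprocess.Popen(['ssh-keygen', '-yf', priv_path],
                                stdout=subprocess.PIPE)
        out, _ = proc.communicate()
        if proc.returncode != 0:
            log.warn("ssh-keygen -y failed for %s (exit %d); %s not written"
                     % (priv_path, proc.returncode, pub_path))
            continue
        util.write_file(pub_path, out.rstrip('\n') + ' root@localhost\n',
                        pub_mode)
        log.debug("generated %s from %s" % (pub_path, priv_path))


def _generate_host_keys(cfg, log):
    """Generate a host key for each configured type that is missing.

    Types come from ``ssh_genkeytypes`` (default rsa, dsa, ecdsa). A
    non-zero ssh-keygen exit is logged rather than ignored.
    NOTE: the 'dsa' default predates OpenSSH 7.0, which disabled ssh-dss
    host keys by default; it is left as-is to preserve existing behavior.
    """
    for keytype in util.get_cfg_option_list_or_str(
            cfg, 'ssh_genkeytypes', ['rsa', 'dsa', 'ecdsa']):
        keyfile = '/etc/ssh/ssh_host_%s_key' % keytype
        if os.path.exists(keyfile):
            continue
        rc = subprocess.call(
            ['ssh-keygen', '-t', keytype, '-N', '', '-f', keyfile])
        if rc != 0:
            log.warn("ssh-keygen failed for key type %s (exit %d)"
                     % (keytype, rc))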