def _setup_selinux_for_keys(fs, sshdir):
    """Make SELinux guests relabel the injected ssh keys when they boot.

    Returns without touching anything unless the guest filesystem has an
    etc/selinux entry. Otherwise a restorecon line for sshdir is appended
    to the guest's rc.local, and that script is set to mode 0700.

    fs is the guest filesystem object (has_file and set_permissions are
    used here).
    sshdir is the directory holding the injected keys. It is interpolated
    unquoted into a shell line that the guest runs at boot, so it has to
    be a trusted, fixed value and never guest- or user-controlled.
    """
    if not fs.has_file(os.path.join("etc", "selinux")):
        return

    rclocal = os.path.join('etc', 'rc.local')
    rc_d = os.path.join('etc', 'rc.d')
    # Fall back to etc/rc.d/rc.local only when etc/rc.local is missing and
    # the rc.d directory is present.
    if not fs.has_file(rclocal) and fs.has_file(rc_d):
        rclocal = os.path.join(rc_d, 'rc.local')

    # Caveat: some systems end rc.local with "exit 0". A line appended
    # after that is never reached, so the keys would keep whatever context
    # they were written with. Appending before it would need something like:
    # utils.execute('sed', '-i', '${/^exit 0$/d}', rclocal, run_as_root=True)
    script_lines = [
        '\n',
        '# Added by Nova to ensure injected ssh keys have the right context\n',
        'restorecon -RF %s 2>/dev/null || :\n' % sshdir,
    ]

    # A freshly created rc.local needs an interpreter line; the leading
    # '\n' element above terminates it.
    if not fs.has_file(rclocal):
        script_lines = ['#!/bin/sh'] + script_lines

    _inject_file_into_fs(fs, rclocal, ''.join(script_lines), append=True)
    # Owner-only, and executable so the guest's init actually runs it.
    fs.set_permissions(rclocal, 0o700)
def _inject_key_into_fs(key, fs):
    """Append the given public ssh key to root's authorized_keys.

    key is an ssh key string. Only leading and trailing whitespace is
    stripped before it is written, so a value with embedded newlines would
    add further authorized_keys lines; callers are presumably expected to
    validate it first (TODO confirm).
    fs is the guest filesystem object into which the key is injected
    (make_path, set_ownership and set_permissions are used here).
    """
    LOG.debug("Inject key fs=%(fs)s key=%(key)s", {'fs': fs, 'key': key})

    # root/.ssh: owned by root, accessible to its owner only.
    ssh_dir = os.path.join('root', '.ssh')
    fs.make_path(ssh_dir)
    fs.set_ownership(ssh_dir, "root", "root")
    fs.set_permissions(ssh_dir, 0o700)

    authorized_keys = os.path.join(ssh_dir, 'authorized_keys')
    banner = '\n' + '# The following ssh key was injected by Nova' + '\n'
    entry = banner + key.strip() + '\n'

    # Append, so keys already present in the image are kept.
    _inject_file_into_fs(fs, authorized_keys, entry, append=True)
    fs.set_permissions(authorized_keys, 0o600)

    # On SELinux guests the new files still need the right context.
    _setup_selinux_for_keys(fs, ssh_dir)
def _inject_files_into_fs(files, fs):
    """Write each (path, contents) pair from files into the filesystem fs.

    files is an iterable of (path, contents) tuples.
    fs is the guest filesystem object (has_file, make_path, set_ownership
    and set_permissions are used here).

    Paths are handed on exactly as given; nothing in this function
    normalises them or rejects '..' components. NOTE(review): confinement
    to the guest image presumably happens in fs or in
    _inject_file_into_fs; confirm against those.
    """
    for path, contents in files:
        # NOTE(wangpan): Ensure the parent dir of injecting file exists
        parent_dir = os.path.dirname(path)
        has_named_parent = bool(parent_dir) and parent_dir != "/"
        if has_named_parent and not fs.has_file(parent_dir):
            fs.make_path(parent_dir)
            fs.set_ownership(parent_dir, "root", "root")
            # NOTE(review): 0o744 gives group/other read but not search
            # permission on the new directory; confirm that 0o755 was not
            # what was meant.
            fs.set_permissions(parent_dir, 0o744)

        _inject_file_into_fs(fs, path, contents)
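def _inject_net_into_fs(net, fs):
    """Inject /etc/network/interfaces into the filesystem rooted at fs.

    net is the contents of /etc/network/interfaces.
    fs is the guest filesystem object (make_path, set_ownership and
    set_permissions are used here).

    The file is written without append, unlike the ssh key injection in
    this module.
    """
    # The message previously said "Inject key", copied from the ssh key
    # helper, which made network injection look like key injection in the
    # debug log.
    LOG.debug("Inject net fs=%(fs)s net=%(net)s", {'fs': fs, 'net': net})

    netdir = os.path.join('etc', 'network')
    fs.make_path(netdir)
    fs.set_ownership(netdir, "root", "root")
    # NOTE(review): 0o744 gives group/other read but not search permission
    # on the directory; confirm that 0o755 was not what was meant.
    fs.set_permissions(netdir, 0o744)

    netfile = os.path.join(netdir, 'interfaces')
    _inject_file_into_fs(fs, netfile, net)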