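def _initialize_bcfg2(server):
    """Install the bcfg2 client on this host and run it for the first time.

    Args:
        server: object exposing ``distro`` (``'ubuntu'`` or ``'centos'``
            select the package install; any other value installs nothing)
            and ``bcfg2_host`` (rendered into ``/etc/bcfg2.conf``).

    Side effects: installs packages, overwrites ``/etc/bcfg2.conf``,
    removes the distribution-supplied client key/cert and runs
    ``/usr/sbin/bcfg2`` in the foreground.
    """
    if server.distro == 'ubuntu':
        local('apt-get install -y gamin python-gamin python-genshi bcfg2')
    elif server.distro == 'centos':
        local('yum -y install bcfg2 gamin gamin-python python-genshi '
              'python-ssl python-lxml libxslt')
    # NOTE(review): any other distro falls through without installing the
    # client, so the bcfg2 run below then relies on it already being present.

    template = pantheon.get_template('bcfg2.conf')
    bcfg2_conf = pantheon.build_template(template, {"bcfg2_host": server.bcfg2_host})
    # NOTE(review): written with the process umask; if the rendered template
    # carries client credentials the mode should be tightened -- confirm
    # against the template.
    with open('/etc/bcfg2.conf', 'w') as f:
        f.write(bcfg2_conf)

    # We use our own key/certs. Both paths are absolute now: the cert used to
    # be given as a bare 'bcfg2.crt', i.e. relative to the working directory,
    # so the packaged /etc/bcfg2.crt was never removed.
    local('rm -f /etc/bcfg2.key /etc/bcfg2.crt')
    # Run bcfg2
    local('/usr/sbin/bcfg2 -vqed', capture=False)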
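def _initialize_bcfg2(server):
    """Install the bcfg2 client and run it once to pull the initial config.

    Args:
        server: object with a ``distro`` attribute (``'ubuntu'`` or
            ``'centos'`` trigger the package install; other values skip it)
            and a ``bcfg2_host`` attribute rendered into ``/etc/bcfg2.conf``.

    Side effects: package installation, overwriting ``/etc/bcfg2.conf``,
    deletion of the packaged client key/cert, and a foreground bcfg2 run.
    """
    if server.distro == 'ubuntu':
        local('apt-get install -y gamin python-gamin python-genshi bcfg2')
    elif server.distro == 'centos':
        local('yum -y install bcfg2 gamin gamin-python python-genshi '
              'python-ssl python-lxml libxslt')
    # NOTE(review): unrecognised distros install nothing; the run at the end
    # then assumes a client is already on the box.

    template = pantheon.get_template('bcfg2.conf')
    bcfg2_conf = pantheon.build_template(template,
                                         {"bcfg2_host": server.bcfg2_host})
    # NOTE(review): file mode is whatever the umask yields; tighten it if the
    # template embeds credentials -- confirm against the template.
    with open('/etc/bcfg2.conf', 'w') as f:
        f.write(bcfg2_conf)

    # We use our own key/certs. The cert path was previously the relative
    # 'bcfg2.crt', which resolved against the cwd and left /etc/bcfg2.crt in
    # place; both are now absolute.
    local('rm -f /etc/bcfg2.key /etc/bcfg2.crt')
    # Run bcfg2
    local('/usr/sbin/bcfg2 -vqed', capture=False)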
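def configure_permissions(base_domain="example.com", require_group=None, server_host=None):
    """Point NSS/PAM/SSH at LDAP and grant *require_group* access to this host.

    Args:
        base_domain: DNS domain; converted to an LDAP base DN through
            ``_ldap_domain_to_ldap`` and used to derive *server_host*.
        require_group: LDAP group that may log in over SSH, gets full sudo
            and group ownership of ``/var/www`` and ``/var/git/projects``.
            Must be a plain POSIX group name: it is interpolated into
            sudoers, sshd_config and shell commands, so anything else is
            rejected before any file is touched.
        server_host: LDAP server hostname; defaults to ``auth.<base_domain>``.

    Raises:
        ValueError: *require_group* is missing or not a valid group name.
        Any exception from a configuration step, after it has been logged.

    Side effects: rewrites ``/etc/ldap/ldap.conf`` and ``/etc/ldap.conf``,
    appends to ``/etc/ssh/sshd_config``, writes
    ``/etc/sudoers.d/002_pantheon_users``, changes group membership and
    ownership, restarts sshd and phones home on success.
    """
    import re

    # Validate first: previously a ``None`` group reached the sudoers file as
    # ``%None`` and the usermod/chown calls as a literal "None", failing only
    # after the LDAP config files had already been rewritten. The pattern
    # also excludes whitespace, '%', ',' and shell metacharacters, which would
    # otherwise be written verbatim into sudoers/sshd_config and the
    # shell commands below.
    if not require_group or not re.match(r"[A-Za-z_][A-Za-z0-9_-]{0,31}\Z", require_group):
        raise ValueError(
            "require_group must be a valid POSIX group name, got %r" % (require_group,))

    log = logger.logging.getLogger("pantheon.permissions.configure")
    log.info("Initialized permissions configuration.")
    try:
        server = pantheon.PantheonServer()

        if not server_host:
            server_host = "auth." + base_domain

        ldap_domain = _ldap_domain_to_ldap(base_domain)
        values = {"ldap_domain": ldap_domain, "server_host": server_host}

        # Preseed ldap-auth-config via debconf from a temporary answers file.
        template = pantheon.get_template("ldap-auth-config.preseed.cfg")
        ldap_auth_conf = pantheon.build_template(template, values)
        # mode="w": the rendered template is text (it is written to text files
        # below) and the default binary mode rejects str on Python 3.
        with tempfile.NamedTemporaryFile(mode="w") as temp_file:
            temp_file.write(ldap_auth_conf)
            # Another process reads the file, so push the buffer to disk.
            temp_file.flush()
            local("sudo debconf-set-selections " + temp_file.name)

        # /etc/ldap/ldap.conf
        template = pantheon.get_template("openldap.ldap.conf")
        openldap_conf = pantheon.build_template(template, values)
        with open("/etc/ldap/ldap.conf", "w") as f:
            f.write(openldap_conf)

        # /etc/ldap.conf
        template = pantheon.get_template("pam.ldap.conf")
        ldap_conf = pantheon.build_template(template, values)
        with open("/etc/ldap.conf", "w") as f:
            f.write(ldap_conf)

        # Restrict SSH logins to the admin groups plus the LDAP group
        # (require_group is guaranteed non-empty by the check above).
        allow = ["root", "sudo", "hermes", require_group]

        # NOTE(review): appended rather than replaced -- sshd uses the first
        # value it reads for a keyword, so an existing AllowGroups line would
        # win, and re-running this duplicates the directives. Confirm the
        # config is pristine or switch to an edit-in-place.
        with open("/etc/ssh/sshd_config", "a") as f:
            f.write("\nAllowGroups %s\n" % (" ".join(allow)))
            f.write("UseLPK yes\n")
            f.write("LpkLdapConf /etc/ldap.conf\n")

        local("auth-client-config -t nss -p lac_ldap")

        # Full (password-prompting) sudo for every member of the group.
        with open("/etc/sudoers.d/002_pantheon_users", "w") as f:
            f.write("# This file was generated by PANTHEON.\n")
            f.write("# PLEASE DO NOT EDIT THIS FILE DIRECTLY.\n#\n")
            f.write("# Additional sudoer directives can be added in: " + "/etc/sudoers.d/003_pantheon_extra\n")
            f.write("\n%" + "%s ALL=(ALL) ALL" % require_group)
        local("chmod 0440 /etc/sudoers.d/002_pantheon_users")

        # Add LDAP user to www-data, and ssl-cert groups.
        # server.web_group is project-supplied and not validated here.
        ssl_group = "ssl-cert"
        local("usermod -aG %s,%s %s" % (server.web_group, ssl_group, require_group))
        # Use sed because usermod may fail if the user does not already exist.
        # local('sudo sed -i "s/' + ssl_group + ':x:[0-9]*:/\\0' + require_group + ',/g" /etc/group')

        # Restart after ldap is configured so openssh-lpk doesn't choke.
        local("/etc/init.d/ssh restart")

        # Write the group to a file for later reference.
        server.set_ldap_group(require_group)

        # Make the git repo and www directories writable by the group
        local("chown -R %s:%s /var/git/projects" % (require_group, require_group))
        local("chmod -R g+w /var/git/projects")

        # Make the git repo and www directories writable by the group
        local("chown -R %s:%s /var/www" % (require_group, require_group))
        local("chmod -R g+w /var/www")

        # Set ACLs
        set_acl_groupwritability(require_group, "/var/www")
        set_acl_groupwritability(require_group, "/var/git/projects")
    except Exception:
        # Narrowed from a bare except so KeyboardInterrupt/SystemExit are not
        # reported as configuration failures; the error is still re-raised.
        log.exception("Permission configuration unsuccessful.")
        raise
    else:
        log.info("Permissions configuration successful.")
        ygg._api_request("POST", "/sites/self/legacy-phone-home?phase=configure_permissions")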
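def configure_permissions(base_domain = "example.com",
                      require_group = None,
                      server_host = None):
    """Configure LDAP-backed NSS/PAM/SSH and grant *require_group* access.

    Args:
        base_domain: DNS domain turned into an LDAP base DN by
            ``_ldap_domain_to_ldap``; also the default suffix of *server_host*.
        require_group: LDAP group allowed over SSH, given full sudo and
            group ownership of ``/var/www`` and ``/var/git/projects``. It is
            interpolated into sudoers, sshd_config and shell commands, so it
            must be a plain POSIX group name and is checked before any file
            is modified.
        server_host: LDAP server hostname, default ``auth.<base_domain>``.

    Raises:
        ValueError: *require_group* is missing or malformed.
        Any exception from a configuration step, after reporting it to
        Jenkins.

    Side effects: rewrites the LDAP client config files, appends to
    ``/etc/ssh/sshd_config``, writes ``/etc/sudoers.d/002_pantheon_users``,
    changes group membership/ownership and restarts sshd.
    """
    import re

    # Check the argument before the try block and before any side effect.
    # The original let None through: sudoers ended up with "%None" and the
    # usermod/chown commands with a literal "None", failing only after
    # /etc/ldap.conf had already been rewritten. The pattern also rejects
    # whitespace, '%', ',' and shell metacharacters that would otherwise be
    # injected into the generated files and commands.
    if not require_group or not re.match(r"[A-Za-z_][A-Za-z0-9_-]{0,31}\Z", require_group):
        raise ValueError(
            "require_group must be a valid POSIX group name, got %r" % (require_group,))

    try:
        server = pantheon.PantheonServer()

        if not server_host:
            server_host = "auth." + base_domain

        ldap_domain = _ldap_domain_to_ldap(base_domain)
        values = {'ldap_domain':ldap_domain,'server_host':server_host}

        # Preseed ldap-auth-config through debconf.
        template = pantheon.get_template('ldap-auth-config.preseed.cfg')
        ldap_auth_conf = pantheon.build_template(template, values)
        # Text mode: the rendered template is str (it is written to text
        # files below); the default binary mode rejects str on Python 3.
        with tempfile.NamedTemporaryFile(mode='w') as temp_file:
            temp_file.write(ldap_auth_conf)
            # debconf-set-selections runs in another process: flush first.
            temp_file.flush()
            local("sudo debconf-set-selections " + temp_file.name)

        # /etc/ldap/ldap.conf
        template = pantheon.get_template('openldap.ldap.conf')
        openldap_conf = pantheon.build_template(template, values)
        with open('/etc/ldap/ldap.conf', 'w') as f:
            f.write(openldap_conf)

        # /etc/ldap.conf
        template = pantheon.get_template('pam.ldap.conf')
        ldap_conf = pantheon.build_template(template, values)
        with open('/etc/ldap.conf', 'w') as f:
            f.write(ldap_conf)

        # Restrict SSH to the admin groups plus the (validated, non-empty)
        # LDAP group.
        allow = ['root', 'sudo', 'hermes', require_group]

        # NOTE(review): these lines are appended on every run; sshd keeps
        # the first value it sees for a keyword, so a pre-existing
        # AllowGroups would take precedence and reruns duplicate the block.
        with open('/etc/ssh/sshd_config', 'a') as f:
            f.write('\nAllowGroups %s\n' % (' '.join(allow)))
            f.write('UseLPK yes\n')
            f.write('LpkLdapConf /etc/ldap.conf\n')

        local("auth-client-config -t nss -p lac_ldap")

        # Full sudo (with password) for all members of the group.
        with open('/etc/sudoers.d/002_pantheon_users', 'w') as f:
            f.write("# This file was generated by PANTHEON.\n")
            f.write("# PLEASE DO NOT EDIT THIS FILE DIRECTLY.\n#\n")
            f.write("# Additional sudoer directives can be added in: "
                    "/etc/sudoers.d/003_pantheon_extra\n")
            f.write("\n%" + '%s ALL=(ALL) ALL' % require_group)
        local('chmod 0440 /etc/sudoers.d/002_pantheon_users')

        # Add LDAP user to www-data, and ssl-cert groups.
        # server.web_group comes from the project and is not validated here.
        ssl_group = "ssl-cert"
        local('usermod -aG %s,%s %s' % (server.web_group, ssl_group, require_group))
        # Use sed because usermod may fail if the user does not already exist.
        #local('sudo sed -i "s/' + ssl_group + ':x:[0-9]*:/\\0' + require_group + ',/g" /etc/group')

        # Restart after ldap is configured so openssh-lpk doesn't choke.
        local("/etc/init.d/ssh restart")

        # Write the group to a file for later reference.
        server.set_ldap_group(require_group)

        # Make the git repo and www directories writable by the group
        local("chown -R %s:%s /var/git/projects" % (require_group, require_group))
        local("chmod -R g+w /var/git/projects")

        # Make the git repo and www directories writable by the group
        local("chown -R %s:%s /var/www" % (require_group, require_group))
        local("chmod -R g+w /var/www")

        # Set ACLs
        set_acl_groupwritability(require_group, '/var/www')
        set_acl_groupwritability(require_group, '/var/git/projects')
    except Exception:
        # Narrowed from a bare except: KeyboardInterrupt/SystemExit are no
        # longer reported to Jenkins as configuration errors, but every
        # failure is still re-raised.
        jenkinstools.junit_error(traceback.format_exc(), 'ConfigPermissions')
        raise
    else:
        jenkinstools.junit_pass('Configuration completed.', 'ConfigurePermissions')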
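def configure_permissions(base_domain="example.com",
                          require_group=None,
                          server_host=None):
    """Wire the host's NSS/PAM/SSH stack to LDAP and authorise *require_group*.

    Args:
        base_domain: DNS domain; ``_ldap_domain_to_ldap`` derives the LDAP
            base DN from it and it supplies the default *server_host* suffix.
        require_group: LDAP group permitted to log in over SSH, granted full
            sudo and group ownership of ``/var/www`` and
            ``/var/git/projects``. Because it lands verbatim in sudoers,
            sshd_config and shell commands it must be a plain POSIX group
            name; that is enforced before anything is written.
        server_host: LDAP server hostname; ``auth.<base_domain>`` if omitted.

    Raises:
        ValueError: *require_group* is missing or not a valid group name.
        Any exception raised by a configuration step, after it has been
        reported to Jenkins.

    Side effects: rewrites ``/etc/ldap/ldap.conf`` and ``/etc/ldap.conf``,
    appends to ``/etc/ssh/sshd_config``, writes
    ``/etc/sudoers.d/002_pantheon_users``, alters group membership and
    ownership, and restarts sshd.
    """
    import re

    # Argument check ahead of the try block and of every side effect. With
    # the old code a None group produced a "%None" sudoers line and literal
    # "None" arguments to usermod/chown, and the failure surfaced only after
    # the LDAP config files had been replaced. The pattern likewise keeps
    # whitespace, '%', ',' and shell metacharacters out of the generated
    # files and commands.
    if not require_group or not re.match(r"[A-Za-z_][A-Za-z0-9_-]{0,31}\Z", require_group):
        raise ValueError(
            "require_group must be a valid POSIX group name, got %r" % (require_group,))

    try:
        server = pantheon.PantheonServer()

        if not server_host:
            server_host = "auth." + base_domain

        ldap_domain = _ldap_domain_to_ldap(base_domain)
        values = {'ldap_domain': ldap_domain, 'server_host': server_host}

        # Preseed ldap-auth-config via debconf from a temporary file.
        template = pantheon.get_template('ldap-auth-config.preseed.cfg')
        ldap_auth_conf = pantheon.build_template(template, values)
        # mode='w' because the rendered template is text (it is written to
        # text files below); the binary default rejects str on Python 3.
        with tempfile.NamedTemporaryFile(mode='w') as temp_file:
            temp_file.write(ldap_auth_conf)
            # The file is read by a separate process, so flush explicitly.
            temp_file.flush()
            local("sudo debconf-set-selections " + temp_file.name)

        # /etc/ldap/ldap.conf
        template = pantheon.get_template('openldap.ldap.conf')
        openldap_conf = pantheon.build_template(template, values)
        with open('/etc/ldap/ldap.conf', 'w') as f:
            f.write(openldap_conf)

        # /etc/ldap.conf
        template = pantheon.get_template('pam.ldap.conf')
        ldap_conf = pantheon.build_template(template, values)
        with open('/etc/ldap.conf', 'w') as f:
            f.write(ldap_conf)

        # Restrict SSH logins to the admin groups and the LDAP group; the
        # latter is known to be non-empty after the check above.
        allow = ['root', 'sudo', 'hermes', require_group]

        # NOTE(review): appended, not replaced. sshd takes the first value it
        # reads for a keyword, so an earlier AllowGroups wins and repeated
        # runs stack duplicate directives -- confirm the file is pristine.
        with open('/etc/ssh/sshd_config', 'a') as f:
            f.write('\nAllowGroups %s\n' % (' '.join(allow)))
            f.write('UseLPK yes\n')
            f.write('LpkLdapConf /etc/ldap.conf\n')

        local("auth-client-config -t nss -p lac_ldap")

        # Full sudo for the group (password still required: no NOPASSWD).
        with open('/etc/sudoers.d/002_pantheon_users', 'w') as f:
            f.write("# This file was generated by PANTHEON.\n")
            f.write("# PLEASE DO NOT EDIT THIS FILE DIRECTLY.\n#\n")
            f.write("# Additional sudoer directives can be added in: "
                    "/etc/sudoers.d/003_pantheon_extra\n")
            f.write("\n%" + '%s ALL=(ALL) ALL' % require_group)
        local('chmod 0440 /etc/sudoers.d/002_pantheon_users')

        # Add LDAP user to www-data, and ssl-cert groups.
        # server.web_group is project-supplied and not validated here.
        ssl_group = "ssl-cert"
        local('usermod -aG %s,%s %s' %
              (server.web_group, ssl_group, require_group))
        # Use sed because usermod may fail if the user does not already exist.
        #local('sudo sed -i "s/' + ssl_group + ':x:[0-9]*:/\\0' + require_group + ',/g" /etc/group')

        # Restart after ldap is configured so openssh-lpk doesn't choke.
        local("/etc/init.d/ssh restart")

        # Write the group to a file for later reference.
        server.set_ldap_group(require_group)

        # Make the git repo and www directories writable by the group
        local("chown -R %s:%s /var/git/projects" %
              (require_group, require_group))
        local("chmod -R g+w /var/git/projects")

        # Make the git repo and www directories writable by the group
        local("chown -R %s:%s /var/www" % (require_group, require_group))
        local("chmod -R g+w /var/www")

        # Set ACLs
        set_acl_groupwritability(require_group, '/var/www')
        set_acl_groupwritability(require_group, '/var/git/projects')
    except Exception:
        # Narrowed from a bare except so interrupts are not reported as
        # configuration errors; the exception is re-raised either way.
        jenkinstools.junit_error(traceback.format_exc(), 'ConfigPermissions')
        raise
    else:
        jenkinstools.junit_pass('Configuration completed.',
                                'ConfigurePermissions')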