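def create_jail_user(username):
    """Create one sandboxed "jail" account and its per-user chroot layout.

    Steps, in order:
      1. ``useradd`` the account into group ``jailusers`` with home
         ``/home/jailuser``;
      2. add an iptables OUTPUT rule that drops every packet owned by it;
      3. create ``/srv/chroot/<username>/{scratch,root,home/home/jailuser}``,
         chown the home to ``<username>:jailusers`` and the jail root to
         group ``jailkeeper`` with ``g=rwx``;
      4. append a unionfs-fuse line for the jail to ``/etc/fstab``;
      5. render ``TEMPLATE_DIR/chroot_configs/chroot.d/jailuser.template``
         into ``/etc/schroot/chroot.d/<username>``.

    Args:
        username: account name.  It is interpolated unquoted into shell
            command lines (via ``run_cmd``), into an fstab entry and into
            paths under ``/srv/chroot`` and ``/etc/schroot/chroot.d``, so
            it is restricted to ``[A-Za-z0-9_-]`` and may not start with
            ``-``.

    Raises:
        ValueError: if ``username`` is empty or contains a character outside
            that set (prevents path traversal and command/option injection).
        OSError: propagated from ``os.makedirs`` when a jail directory
            already exists, and from the file writes.
    """
    allowed = set("abcdefghijklmnopqrstuvwxyz"
                  "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                  "0123456789_-")
    # Whitespace, quotes, '/', '.' or a leading '-' would change the meaning
    # of the shell lines, the fstab line or the os.path.join() results below.
    if not username or username[0] == "-" or not set(username) <= allowed:
        raise ValueError("unsafe jail username: %r" % (username,))
    run_cmd("useradd -g jailusers -d /home/jailuser %s" % (username,))
    # Add rule to drop any network communication from this user
    run_cmd("iptables -A OUTPUT -m owner --uid-owner %s -j DROP" % (username,))
    # Create user specific chroot
    chroot_dir = "/srv/chroot"
    jail_dir = os.path.join(chroot_dir, username)
    scratch_dir = os.path.join(jail_dir, "scratch")
    root_dir = os.path.join(jail_dir, "root")
    os.makedirs(scratch_dir)
    os.makedirs(root_dir)
    home_dir = os.path.join(jail_dir, "home/home/jailuser")
    os.makedirs(home_dir)
    run_cmd("chown %s:jailusers %s" % (username, home_dir))
    # The jail root is group-owned by jailkeeper with rwx (presumably so the
    # jail-keeping account can manage the mount without being root).
    run_cmd("chown :jailkeeper %s" % (jail_dir,))
    run_cmd("chmod g=rwx %s" % (jail_dir,))
    # Union layers, top to bottom: writable scratch, read-only home skeleton,
    # shared read-only base image; mounted on <jail>/root.
    fs_line = ("unionfs-fuse#%s=rw:%s=ro:%s=ro %s fuse "
               "cow,allow_other,noauto 0 0" % (
                   scratch_dir,
                   os.path.join(jail_dir, "home"),
                   os.path.join(chroot_dir, "aic-base"),
                   root_dir))
    append_line("/etc/fstab", fs_line)
    cfg_filename = os.path.join(TEMPLATE_DIR,
                                "chroot_configs/chroot.d/jailuser.template")
    with open(cfg_filename, 'r') as cfg_file:
        cfg = cfg_file.read()
    schroot_filename = os.path.join("/etc/schroot/chroot.d", username)
    with open(schroot_filename, 'w') as schroot_file:
        schroot_file.write(cfg.format(jailname=username))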
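def main(argv=None):
    """Set up a worker on a fresh EC2 instance, driven by ``argv`` options.

    Args:
        argv: command line handed to ``get_options``; ``argv[0]`` is the
            program name.  Defaults to ``["worker_setup.py"]``, built fresh
            on every call (the previous mutable-list default was shared
            between calls).

    Phases run in this order, each gated by its option: apt update/upgrade,
    required packages, utility packages, packaged languages, source-built
    languages, jailguard, base chroot.  ``packages_only`` returns there.
    Otherwise the contest files are installed, the base jail and jail users
    are created, a ``@reboot`` cron line for ``<root_dir>/worker/
    start_worker.sh`` is added (once), and the worker is optionally started
    as ``opts.username`` via sudo.  ``opts.arch`` is forced to ``i386``.

    Returns:
        None.
    """
    if argv is None:
        argv = ["worker_setup.py"]
    opts = get_options(argv)
    opts.arch = 'i386'
    with Environ("DEBIAN_FRONTEND", "noninteractive"):
        if opts.update_system:
            run_cmd("apt-get update")
            run_cmd("apt-get upgrade -y")
        if opts.install_required:
            install_required_packages()
        if opts.install_utilities:
            install_utility_packages()
        if opts.install_pkg_languages:
            install_packaged_languages()
        if opts.install_languages:
            install_all_languages(opts)
        if opts.install_jailguard:
            install_jailguard(opts)
        if opts.create_jails:
            setup_base_chroot(opts)
        if opts.packages_only:
            return
        setup_contest_files(opts)
        if opts.create_jails:
            setup_base_jail(opts)
            setup_jailusers(opts)
        start_script = os.path.join(opts.root_dir, "worker/start_worker.sh")
        if opts.install_cronjob:
            cron_file = "/etc/cron.d/ai-contest"
            if not file_contains(cron_file, start_script):
                append_line(cron_file,
                            "@reboot %s %s" % (opts.username, start_script))
        if opts.run_worker:
            # username and root_dir are operator-supplied options and are
            # placed unquoted on a shell line; they must not come from an
            # untrusted source.
            run_cmd("sudo -u %s %s" % (opts.username, start_script))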
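def create_jail_group(options):
    """Create the jail groups, their resource limits and the sudo rules.

    Each step is skipped when ``file_contains`` already finds its marker, so
    re-running the setup does not duplicate entries.

    Args:
        options: parsed options; only ``options.username`` is read.  That
            (operator-supplied) worker account is added to ``jailkeeper``
            and granted passwordless sudo to run as ``%jailusers`` and to
            run ``/bin/mount`` / ``/bin/umount`` as anyone.

    Side effects:
        ``groupadd``/``usermod`` through ``run_cmd``; appended lines in
        ``/etc/security/limits.conf`` and ``/etc/sudoers``.
    """
    import stat

    if not file_contains("/etc/group", "^jailusers"):
        run_cmd("groupadd jailusers")
        run_cmd("groupadd jailkeeper")
        run_cmd("usermod -a -G jailkeeper %s" % (options.username,))
    limits_conf = "/etc/security/limits.conf"
    if not file_contains(limits_conf, "@jailusers"):
        # limit jailuser processes to:
        # 25 processes or system threads
        append_line(limits_conf, "@jailusers hard nproc 25 # ai-contest")
        # 20 minutes of cpu time
        append_line(limits_conf, "@jailusers hard cpu 20 # ai-contest")
        # slightly more than 1.5GB of ram
        append_line(limits_conf, "@jailusers hard rss 1580000 # ai-contest")
    sudoers = "/etc/sudoers"
    if not file_contains(sudoers, "^%s.+jailusers" % (options.username,)):
        # sudoers is normally not writable; relax it for the append and put
        # the original permission bits back even if the append raises --
        # sudo refuses a sudoers file it considers too permissive, which
        # would lock the operator out.  S_IMODE keeps only the permission
        # bits (the raw st_mode also carries the file-type bits).
        org_mode = stat.S_IMODE(os.stat(sudoers).st_mode)
        os.chmod(sudoers, 0o640)
        try:
            append_line(sudoers,
                        "%s ALL = (%%jailusers) NOPASSWD: ALL"
                        % (options.username,))
            append_line(sudoers,
                        "%s ALL = (ALL) NOPASSWD: /bin/mount, /bin/umount"
                        % (options.username,))
        finally:
            os.chmod(sudoers, org_mode)
        # NOTE(review): the appended rules are not syntax-checked; a
        # malformed sudoers disables sudo entirely.  `visudo -c` afterwards
        # would catch that.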
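def create_jail_user(username):
    """Create a jail account plus the chroot, fstab and schroot config for it.

    What happens, in order:
      * ``useradd`` into group ``jailusers`` with home ``/home/jailuser``;
      * an iptables OUTPUT rule dropping all traffic owned by the new uid;
      * ``/srv/chroot/<username>/scratch``, ``.../root`` and
        ``.../home/home/jailuser`` are created; the home is chowned to
        ``<username>:jailusers``, the jail root to group ``jailkeeper``
        with ``g=rwx``;
      * a unionfs-fuse entry (scratch rw over home ro over ``aic-base`` ro,
        mounted on ``<jail>/root``) is appended to ``/etc/fstab``;
      * ``jailuser.template`` from ``TEMPLATE_DIR`` is formatted with
        ``jailname=username`` and written to ``/etc/schroot/chroot.d/<username>``.

    Args:
        username: the account name.  Because it ends up unquoted on shell
            command lines, in an fstab line and in filesystem paths, only
            ``[A-Za-z0-9_-]`` is accepted and a leading ``-`` is rejected.

    Raises:
        ValueError: for an empty or unsafe ``username``.
        OSError: from ``os.makedirs`` (e.g. the jail already exists) or the
            config file writes.
    """
    safe_chars = frozenset(
        "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_-")
    # Guards the shell lines and os.path.join() calls below against
    # metacharacters, path separators and option-looking names.
    if not username or username.startswith("-") or not safe_chars.issuperset(username):
        raise ValueError("unsafe jail username: %r" % (username,))
    run_cmd("useradd -g jailusers -d /home/jailuser %s" % (username,))
    # Add rule to drop any network communication from this user
    run_cmd("iptables -A OUTPUT -m owner --uid-owner %s -j DROP" % (username,))
    # Create user specific chroot
    chroot_dir = "/srv/chroot"
    jail_dir = os.path.join(chroot_dir, username)
    scratch_dir = os.path.join(jail_dir, "scratch")
    root_dir = os.path.join(jail_dir, "root")
    home_dir = os.path.join(jail_dir, "home/home/jailuser")
    for directory in (scratch_dir, root_dir, home_dir):
        os.makedirs(directory)
    run_cmd("chown %s:jailusers %s" % (username, home_dir))
    run_cmd("chown :jailkeeper %s" % (jail_dir,))
    run_cmd("chmod g=rwx %s" % (jail_dir,))
    layers = (scratch_dir,
              os.path.join(jail_dir, "home"),
              os.path.join(chroot_dir, "aic-base"),
              root_dir)
    fs_line = ("unionfs-fuse#%s=rw:%s=ro:%s=ro %s fuse "
               "cow,allow_other,noauto 0 0" % layers)
    append_line("/etc/fstab", fs_line)
    cfg_filename = os.path.join(TEMPLATE_DIR,
                                "chroot_configs/chroot.d/jailuser.template")
    with open(cfg_filename, 'r') as cfg_file:
        cfg = cfg_file.read()
    schroot_filename = os.path.join("/etc/schroot/chroot.d", username)
    with open(schroot_filename, 'w') as schroot_file:
        schroot_file.write(cfg.format(jailname=username))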
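def create_jail_group(options):
    """Create the ``jailusers``/``jailkeeper`` groups, limits and sudo rules.

    Every step is guarded by a ``file_contains`` probe, so repeated runs do
    not add duplicate lines.

    Args:
        options: parsed options; ``options.username`` is the worker account
            that joins ``jailkeeper`` and receives passwordless sudo for
            ``%jailusers`` and for ``/bin/mount`` / ``/bin/umount``.  It is
            interpolated unquoted into a shell line and a regex, so it must
            be an operator-controlled plain account name.

    Side effects:
        ``groupadd``/``usermod`` through ``run_cmd``; lines appended to
        ``/etc/security/limits.conf`` and ``/etc/sudoers``.
    """
    import stat

    username = options.username
    if not file_contains("/etc/group", "^jailusers"):
        run_cmd("groupadd jailusers")
        run_cmd("groupadd jailkeeper")
        run_cmd("usermod -a -G jailkeeper %s" % (username,))
    limits_conf = "/etc/security/limits.conf"
    if not file_contains(limits_conf, "@jailusers"):
        # limit jailuser processes to:
        # 25 processes or system threads
        append_line(limits_conf, "@jailusers hard nproc 25 # ai-contest")
        # 20 minutes of cpu time
        append_line(limits_conf, "@jailusers hard cpu 20 # ai-contest")
        # slightly more than 1.5GB of ram
        append_line(limits_conf, "@jailusers hard rss 1580000 # ai-contest")
    sudoers = "/etc/sudoers"
    if not file_contains(sudoers, "^%s.+jailusers" % (username,)):
        rules = (
            "%s ALL = (%%jailusers) NOPASSWD: ALL" % (username,),
            "%s ALL = (ALL) NOPASSWD: /bin/mount, /bin/umount" % (username,),
        )
        # Temporarily make sudoers writable; restore the permission bits in
        # a finally so a failed append cannot leave it at 0640, a mode sudo
        # rejects (locking everyone out of sudo).  S_IMODE strips the
        # file-type bits that a raw st_mode carries.
        saved_mode = stat.S_IMODE(os.stat(sudoers).st_mode)
        os.chmod(sudoers, 0o640)
        try:
            for rule in rules:
                append_line(sudoers, rule)
        finally:
            os.chmod(sudoers, saved_mode)
        # NOTE(review): nothing validates the result; `visudo -c` would
        # catch a syntax error before it disables sudo.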
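def main(argv=None):
    """Set up a worker from a fresh EC2 instance according to ``argv``.

    Args:
        argv: command line for ``get_options``; ``argv[0]`` is the program
            name.  Defaults to ``["worker_setup.py"]`` created per call
            rather than a list literal shared across calls.

    Inside a ``DEBIAN_FRONTEND=noninteractive`` environment: optional apt
    update/upgrade, required packages, utility packages and languages, then
    (unless ``packages_only``) the contest files, the jail users, a
    ``@reboot`` cron line for ``<root_dir>/<local_repo>/worker/
    start_worker.sh`` and, optionally, an immediate start of that script.

    Returns:
        None.
    """
    if argv is None:
        argv = ["worker_setup.py"]
    opts = get_options(argv)
    with Environ("DEBIAN_FRONTEND", "noninteractive"):
        if opts.update_system:
            run_cmd("apt-get update")
            run_cmd("apt-get upgrade -y")
        if opts.install_required:
            install_required_packages()
        if opts.install_utilities:
            install_utility_packages()
        if opts.install_languages:
            install_all_languages()
        if opts.packages_only:
            return
        setup_contest_files(opts)
        if opts.create_jails:
            setup_jailusers(opts)
        start_script = os.path.join(opts.root_dir, opts.local_repo,
                                    "worker/start_worker.sh")
        if opts.install_cronjob:
            cron_file = "/etc/cron.d/ai-contest"
            if not file_contains(cron_file, start_script):
                # The worker is launched as root at every boot.  Running it
                # under a dedicated unprivileged account would limit the
                # blast radius if the worker is compromised.
                append_line(cron_file, "@reboot root %s" % (start_script,))
        if opts.run_worker:
            run_cmd(start_script)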
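def setup_jailusers(contest_root):
    """Create the jail users and persist the sudo and iptables configuration.

    Args:
        contest_root: directory holding the ``aichallenge`` checkout;
            ``python create_jail_users.py 32`` is run from
            ``<contest_root>/aichallenge/worker``.

    Side effects:
      * ``contest ALL = (%jailusers) NOPASSWD: ALL`` is appended to
        ``/etc/sudoers`` unless a matching line already exists (the original
        appended unconditionally, duplicating the rule on every run);
      * the live iptables rules are dumped to ``/etc/iptables.rules``;
      * ``/etc/network/if-pre-up.d/iptablesload`` is written from
        ``IPTABLES_LOAD`` with mode 0744 if it does not exist yet.
    """
    import stat

    worker_dir = os.path.join(contest_root, "aichallenge", "worker")
    with CD(worker_dir):
        run_cmd("python create_jail_users.py 32")
    sudoers = "/etc/sudoers"
    if not file_contains(sudoers, "^contest.+jailusers"):
        # Make sudoers writable only for the append and always restore the
        # permission bits (S_IMODE drops the file-type bits); a sudoers left
        # at 0640 is rejected by sudo.
        org_mode = stat.S_IMODE(os.stat(sudoers).st_mode)
        os.chmod(sudoers, 0o640)
        try:
            append_line(sudoers, "contest ALL = (%jailusers) NOPASSWD: ALL")
        finally:
            os.chmod(sudoers, org_mode)
    # The '>' redirection only works if run_cmd hands the string to a shell
    # (assumed here, as the rest of this file relies on it).
    run_cmd("iptables-save > /etc/iptables.rules")
    iptablesload_path = "/etc/network/if-pre-up.d/iptablesload"
    if not os.path.exists(iptablesload_path):
        with open(iptablesload_path, "w") as loadfile:
            loadfile.write(IPTABLES_LOAD)
        os.chmod(iptablesload_path, 0o744)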
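def install_golang(release_tag="release.r56"):
    """Build and install Go from a tagged Mercurial checkout.

    Does nothing if ``/usr/local/bin/godoc`` already exists.  Otherwise the
    build prerequisites are installed with apt, ``https://go.googlecode.com/
    hg/`` is cloned at ``release_tag`` into ``/usr/local/src/go``, GOROOT and
    GOBIN exports are appended to ``/root/.bashrc`` and ``./all.bash`` is
    run with ``GOBIN=/usr/local/bin``.

    Args:
        release_tag: Mercurial tag or revision to clone.  Previously a
            hard-coded local constant; the default preserves that value.
            It is placed unquoted on a shell line, so pass a plain tag name.

    Raises:
        OSError: if ``/usr/local/src`` cannot be created for any reason
            other than already existing.
    """
    import errno

    if os.path.exists("/usr/local/bin/godoc"):
        return
    pkg_list = ["bison", "ed", "gawk", "libc6-dev", "make",
                "python-setuptools", "build-essential", "mercurial"]
    install_apt_packages(pkg_list)
    try:
        os.makedirs("/usr/local/src")
    except OSError as err:
        # Only "already exists" is expected here; swallowing e.g. EACCES
        # would just move the failure to the clone below.
        if err.errno != errno.EEXIST:
            raise
    with CD("/usr/local/src"):
        # Supply-chain note: the checkout is pinned to a tag, not to a
        # changeset hash or checksum, so the build input is whatever the
        # remote currently serves under that tag.
        run_cmd("hg clone -r %s https://go.googlecode.com/hg/ go"
                % (release_tag,))
    append_line("/root/.bashrc", "export GOROOT=/usr/local/src/go")
    append_line("/root/.bashrc", "export GOBIN=/usr/local/bin")
    with CD("/usr/local/src/go/src"):
        run_cmd("export GOBIN=/usr/local/bin; ./all.bash")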