Changeset 2297 for trunk/host/credit-card
- Timestamp:
- Aug 16, 2012, 10:28:08 AM (12 years ago)
- File:
-
- 1 edited
trunk/host/credit-card/host.py
r2269 r2297 11 11 HOST = socket.gethostname() 12 12 13 # XXX test server and wizard server 14 15 # UIDs (sketchy): 16 # signup 102 17 # fedora-ds 103 (sketchy, not true for b-b) 18 # logview 501 (really sketchy, since it's in the dynamic range) 13 PROD_GUESTS = frozenset([ 14 'bees-knees', 15 'cats-whiskers', 16 'busy-beaver', 17 'pancake-bunny', 18 'whole-enchilada', 19 'real-mccoy', 20 'old-faithful', 21 'better-mousetrap', 22 'shining-armor', 23 'golden-egg', 24 'miracle-cure', 25 'lucky-star', 26 ]) 27 WIZARD_GUESTS = frozenset([ 28 'not-backward', 29 ]) 30 31 COMMON_CREDS = {} 32 33 # Format here assumes that we always chmod $USER:$USER, 34 # but note the latter refers to group... 35 # 36 # Important: no leading slashes! 37 COMMON_CREDS['all'] = [ 38 ('root', 0o600, 'root/.bashrc'), 39 ('root', 0o600, 'root/.screenrc'), 40 ('root', 0o600, 'root/.ssh/authorized_keys'), 41 ('root', 0o600, 'root/.ssh/authorized_keys2'), 42 ('root', 0o600, 'root/.vimrc'), 43 ('root', 0o600, 'root/.k5login'), 44 ] 45 46 COMMON_CREDS['prod'] = [ 47 ('root', 0o600, 'root/.ldapvirc'), 48 ('root', 0o600, 'etc/ssh/ssh_host_dsa_key'), 49 ('root', 0o600, 'etc/ssh/ssh_host_key'), 50 ('root', 0o600, 'etc/ssh/ssh_host_rsa_key'), 51 ('root', 0o600, 'etc/pki/tls/private/scripts-1024.key'), 52 ('root', 0o600, 'etc/pki/tls/private/scripts.key'), 53 ('root', 0o600, 'etc/whoisd-password'), 54 ('afsagent', 0o600, 'etc/daemon.keytab'), 55 56 ('root', 0o644, 'etc/ssh/ssh_host_dsa_key.pub'), 57 ('root', 0o644, 'etc/ssh/ssh_host_key.pub'), 58 ('root', 0o644, 'etc/ssh/ssh_host_rsa_key.pub'), 59 60 ('sql', 0o600, 'etc/sql-mit-edu.cfg.php'), # technically doesn't have to be secret anymore 61 ('sql', 0o600, 'etc/sql-password'), 62 ('signup', 0o600, 'etc/signup-ldap-pw'), 63 ('logview', 0o600, 'home/logview/.k5login'), # XXX user must be created in Kickstart 64 ] 65 66 # note that these are duplicates with 'prod', but the difference 67 # is that the files DIFFER between wizard and prod 68 
COMMON_CREDS['wizard'] = [ 69 ('root', 0o600, 'etc/ssh/ssh_host_dsa_key'), 70 ('root', 0o600, 'etc/ssh/ssh_host_key'), 71 ('root', 0o600, 'etc/ssh/ssh_host_rsa_key'), 72 ('afsagent', 0o600, 'etc/daemon.keytab'), 73 74 ('root', 0o644, 'etc/ssh/ssh_host_dsa_key.pub'), 75 ('root', 0o644, 'etc/ssh/ssh_host_key.pub'), 76 ('root', 0o644, 'etc/ssh/ssh_host_rsa_key.pub'), 77 ] 78 79 MACHINE_CREDS = {} 80 81 MACHINE_CREDS['all'] = [ 82 # XXX NEED TO CHECK THAT THE CONTENTS ARE SENSIBLE 83 ('root', 0o600, 'etc/krb5.keytab'), 84 ] 85 86 MACHINE_CREDS['prod'] = [ 87 ('fedora-ds', 0o600, 'etc/dirsrv/keytab'), 88 ] 89 90 MACHINE_CREDS['wizard'] = [] 19 91 20 92 # Works for passwd and group, but be careful! They're different things! … … 30 102 r[row[0]] = int(row[2]) 31 103 return r 32 33 # Format here assumes that we always chmod $USER:$USER ...34 # but note the latter refers to group...35 COMMON_CREDS = [36 ('root', 0o600, 'root/.bashrc'),37 ('root', 0o600, 'root/.screenrc'),38 ('root', 0o600, 'root/.ssh/authorized_keys'),39 ('root', 0o600, 'root/.ssh/authorized_keys2'),40 ('root', 0o600, 'root/.vimrc'),41 ('root', 0o600, 'root/.k5login'),42 # punted /root/.ssh/known_hosts43 44 # XXX user must be created in Kickstart45 ('logview', 0o600, 'home/logview/.k5login'),46 ]47 48 COMMON_PROD_CREDS = [ # important: no leading slashes!49 ('root', 0o600, 'root/.ldapvirc'),50 ('root', 0o600, 'etc/ssh/ssh_host_dsa_key'),51 ('root', 0o600, 'etc/ssh/ssh_host_key'),52 ('root', 0o600, 'etc/ssh/ssh_host_rsa_key'),53 ('root', 0o600, 'etc/pki/tls/private/scripts-1024.key'),54 ('root', 0o600, 'etc/pki/tls/private/scripts.key'),55 ('root', 0o600, 'etc/whoisd-password'),56 ('afsagent', 0o600, 'etc/daemon.keytab'),57 58 ('root', 0o644, 'etc/ssh/ssh_host_dsa_key.pub'),59 ('root', 0o644, 'etc/ssh/ssh_host_key.pub'),60 ('root', 0o644, 'etc/ssh/ssh_host_rsa_key.pub'),61 62 ('sql', 0o600, 'etc/sql-mit-edu.cfg.php'), # technically doesn't have to be secret anymore63 ('sql', 0o600, 'etc/sql-password'),64 
('signup', 0o600, 'etc/signup-ldap-pw'),65 ]66 67 MACHINE_PROD_CREDS = [68 # XXX NEED TO CHECK THAT THESE ARE SENSIBLE69 ('root', 0o600, 'etc/krb5.keytab'),70 ('fedora-ds', 0o600, 'etc/dirsrv/keytab')71 ]72 104 73 105 def drop_caches(): … … 130 162 131 163 def main(): 132 usage = """usage: %prog [push|pull |pull-common] GUEST"""164 usage = """usage: %prog [push|pull] [common|machine] GUEST""" 133 165 134 166 parser = optparse.OptionParser(usage) … … 136 168 # reasonable thing to always try 137 169 parser.add_option('-t', '--types', dest="types", default="ext4,ext3", 138 help="filesystem type(s)") 170 help="filesystem type(s)") # same arg as 'mount' 139 171 parser.add_option('--creds-dir', dest="creds_dir", default="/root/creds", 140 172 help="directory to store/fetch credentials in") … … 142 174 143 175 if not os.path.isdir(options.creds_dir): 144 raise Exception(" /root/creds does not exist") # XXX STRING176 raise Exception("%s does not exist" % options.creds_dir) 145 177 # XXX check owned by root and appropriately chmodded 146 178 147 179 os.umask(0o077) # overly restrictive 148 180 149 if len(args) != 2:181 if len(args) != 3: 150 182 parser.print_help() 151 183 raise Exception("Wrong number of arguments") 152 184 153 185 command = args[0] 154 guest = args[1] 186 files = args[1] 187 guest = args[2] 188 189 if guest in PROD_GUESTS: 190 mode = 'prod' 191 elif guest in WIZARD_GUESTS: 192 mode = 'wizard' 193 else: 194 raise Exception("Unrecognized guest %s" % guest) 155 195 156 196 with WithMount(guest, options.types) as tmp_mount: … … 178 218 shutil.copyfile("%s/%s" % (tmp_mount, f), dest) 179 219 220 # XXX ideally we should check these *before* we mount, but Python 221 # makes that pretty annoying to do 180 222 if command == "push": 181 push_files(COMMON_CREDS, 'common') 182 push_files(COMMON_PROD_CREDS, 'common') 183 push_files(MACHINE_PROD_CREDS, 'machine/%s' % guest) 223 run = push_files 184 224 elif command == "pull": 185 pull_files(MACHINE_PROD_CREDS, 
'machine/%s' % guest) 186 elif command == "pull-common": 187 pull_files(COMMON_CREDS, 'common') 188 pull_files(COMMON_PROD_CREDS, 'common') 225 run = pull_files 226 else: 227 raise Exception("Unknown command %s, valid values are 'push' and 'pull'" % command) 228 229 if files == 'common': 230 run(COMMON_CREDS['all'], 'all') 231 run(COMMON_CREDS[mode], mode) 232 elif files == 'machine': 233 run(MACHINE_CREDS['all'], 'machine/%s' % guest) 234 run(MACHINE_CREDS[mode], 'machine/%s' % guest) 235 else: 236 raise Exception("Unknown file set %s, valid values are 'common' and 'machine'" % files) 189 237 190 238 if __name__ == "__main__":
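Review bot: The `# XXX check owned by root and appropriately chmodded` note in main() is still open after this change, yet creds_dir now receives private keys and keytabs (ssh host keys, `etc/krb5.keytab`, `etc/daemon.keytab`) on every pull, so the existing `os.path.isdir` test should be followed by a stat check such as `st = os.stat(options.creds_dir)` and `if st.st_uid != 0 or st.st_mode & 0o077: raise Exception("%s must be owned by root and not group/world accessible" % options.creds_dir)` before anything is copied into it. The `command` and `files` strings are also only validated inside the `with WithMount(...)` block, and the new comment calls checking them first annoying; a bare `if command not in ('push', 'pull'): raise ...` and the matching test for `files` placed right after `guest` is resolved need nothing from the mount and avoid mounting a guest filesystem only to reject a typo. The `run = push_files` / `run = pull_files` binding can stay where it is since those closures do need `tmp_mount`. main() continues outside the hunk, so the rest of its body (including WithMount's cleanup) was not reviewed.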