Yuvipanda has submitted this change and it was merged.

Change subject: tools: Set homedir permissions properly in kube-maintainusers
......................................................................


tools: Set homedir permissions properly in kube-maintainusers

Otherwise if it created homedirs it was setting them to be
readable and writeable only by root

- Stops toolwatcher, removes all related files
- Reduce runtime sleep from 5min to 1min - this puts a
  bit more load on the LDAP servers but is probably ok
  because we can stop toolswatcher

Bug: T140460
Change-Id: I23e06ea5de8115904e606b1580aa3f7391157559
---
M modules/role/manifests/labs/tools/services.pp
M modules/toollabs/files/maintain-kubeusers
D modules/toollabs/files/toolwatcher
D modules/toollabs/files/toolwatcher.conf
D modules/toollabs/manifests/toolwatcher.pp
5 files changed, 15 insertions(+), 83 deletions(-)

Approvals:
  BryanDavis: Looks good to me, but someone else must approve
  Yuvipanda: Verified; Looks good to me, approved



diff --git a/modules/role/manifests/labs/tools/services.pp 
b/modules/role/manifests/labs/tools/services.pp
index 91803cf..cad62fb 100644
--- a/modules/role/manifests/labs/tools/services.pp
+++ b/modules/role/manifests/labs/tools/services.pp
@@ -37,10 +37,6 @@
         active => ($::fqdn == $active_host),
     }
 
-    class { 'toollabs::toolwatcher':
-        active => ($::fqdn == $active_host)
-    }
-
     class { 'toollabs::admin_web_updater':
         active => ($::fqdn == $active_host)
     }
diff --git a/modules/toollabs/files/maintain-kubeusers 
b/modules/toollabs/files/maintain-kubeusers
index 6ba6a47..8555d96 100755
--- a/modules/toollabs/files/maintain-kubeusers
+++ b/modules/toollabs/files/maintain-kubeusers
@@ -22,6 +22,7 @@
 import random
 import time
 import csv
+import stat
 
 TOOL_ALLOWED_RESOURCES = [
     'pods',
@@ -201,7 +202,7 @@
 
 def write_kubeconfig(user, master):
     """
-    Write an appropriate .kube/config for given user to access given master
+    Write an appropriate .kube/config for given user to access given master.
 
     See http://kubernetes.io/docs/user-guide/kubeconfig-file/ for format
     """
@@ -232,7 +233,7 @@
     }
     dirpath = os.path.join('/data', 'project', user.name, '.kube')
     path = os.path.join(dirpath, 'config')
-    os.makedirs(dirpath, exist_ok=True)
+    os.makedirs(dirpath, mode=0o775, exist_ok=False)
     f = os.open(path, os.O_CREAT | os.O_WRONLY | os.O_NOFOLLOW)
     try:
         os.write(f, json.dumps(config, indent=4, 
sort_keys=True).encode('utf-8'))
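Review bot: `exist_ok=False` on the `.kube` makedirs makes `write_kubeconfig` raise FileExistsError whenever the directory already exists, so the function can no longer be re-run for a user (for example to rotate the token); the earlier `exist_ok=True` was the safer choice here, `os.makedirs(dirpath, mode=0o775, exist_ok=True)`. The same `exist_ok=False` is used in `create_homedir` in the next hunk, where a homedir that was previously created by the toolwatcher script removed in this change would likely trigger the same error on the first run. The directory is also created with mode 0o775 but never chowned to the user, and the `os.open` that follows passes no mode, so the config file holding the token gets umask-derived permissions; a credential file should be created with an explicit `0o600` and owned by the user. write_kubeconfig's body starts and continues outside the hunk.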
@@ -245,6 +246,16 @@
         raise
     finally:
         os.close(f)
+
+
+def create_homedir(user):
+    """
+    Create homedirs for new users
+    """
+    homepath = os.path.join('/data', 'project', user.name)
+    os.makedirs(homepath, mode=0o775, exist_ok=False)
+    os.chmod(homepath, 0o775 | stat.I_SGID)
+    os.chown(homepath, int(user.id), int(user.id))
 
 
 def create_namespace(user):
@@ -285,7 +296,7 @@
     argparser.add_argument('--project', help='Project name to fetch LDAP users 
from',
                            default='tools')
     argparser.add_argument('--interval', help='Seconds between between runs',
-                           default=300)
+                           default=60)
     argparser.add_argument('--once', help='Run once and exit',
                            action='store_true')
     argparser.add_argument('kube_master_url', help='Full URL of Kubernetes 
Master')
@@ -325,6 +336,7 @@
             for uid in new_tools:
                 if uid in tools:
                     tools[uid].token = generate_pass(64)
+                    create_homedir(tools[uid])
                     write_kubeconfig(tools[uid], args.kube_master_url)
                     create_namespace(tools[uid])
                     cur_users[uid] = tools[uid]
diff --git a/modules/toollabs/files/toolwatcher 
b/modules/toollabs/files/toolwatcher
deleted file mode 100755
index 35d0d50..0000000
--- a/modules/toollabs/files/toolwatcher
+++ /dev/null
@@ -1,38 +0,0 @@
-#!/bin/bash
-#
-# Copyright © 2013 Marc-André Pelletier <mpellet...@wikimedia.org>
-#
-# Permission to use, copy, modify, and/or distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-
-cd /data/project
-export HOME=/root
-PREFIX=$(cat /etc/wmflabs-project)
-
-while true; do
-    # Iterate over all service groups of this project.
-    getent passwd | sed -ne "s/^$PREFIX\\.\([^:]\+\):.*\$/\\1/p;" | while read 
TOOL; do
-        # If the service group's home directory doesn't exist already,
-        # create it with a basic structure and especially set setgid
-        # on the directories so that files created are owned by the
-        # service group's group.
-        if [ ! -d "$TOOL" ]; then
-            logger -t toolwatcher "Creating tool $TOOL"
-
-            mkdir -m u=rwx,g=rwsx,o=rx "$TOOL" "$TOOL/public_html"
-            chown -R "$PREFIX.$TOOL:$PREFIX.$TOOL" "$TOOL"
-        fi
-    done
-
-    # Sleep for two minutes.
-    sleep 120
-done
diff --git a/modules/toollabs/files/toolwatcher.conf 
b/modules/toollabs/files/toolwatcher.conf
deleted file mode 100644
index 7995022..0000000
--- a/modules/toollabs/files/toolwatcher.conf
+++ /dev/null
@@ -1,8 +0,0 @@
-description "creates tool homes"
-
-start on runlevel [2345]
-stop on runlevel [06]
-
-respawn
-
-exec /usr/local/sbin/toolwatcher
diff --git a/modules/toollabs/manifests/toolwatcher.pp 
b/modules/toollabs/manifests/toolwatcher.pp
deleted file mode 100644
index 9374773..0000000
--- a/modules/toollabs/manifests/toolwatcher.pp
+++ /dev/null
@@ -1,30 +0,0 @@
-# toollabs::toolwatcher sets up a host with a service that scans every
-# two minutes for tool accounts whose home directory doesn't exist
-# yet.  For each such tool account, the toolwatcher creates the home
-# directory with the subdirectory public_html owned by the tool
-# account and its group and sets the permissions to g+srwx,o+rx.
-class toollabs::toolwatcher(
-    $active,
-) inherits toollabs {
-    file { '/usr/local/sbin/toolwatcher':
-        source => 'puppet:///modules/toollabs/toolwatcher',
-        owner  => 'root',
-        group  => 'root',
-        mode   => '0555',
-        }
-
-    file { '/etc/init/toolwatcher.conf':
-        ensure  => file,
-        source  => 'puppet:///modules/toollabs/toolwatcher.conf',
-        owner   => 'root',
-        group   => 'root',
-        mode    => '0444',
-        require => File['/usr/local/sbin/toolwatcher'],
-    }
-
-    service { 'toolwatcher':
-        ensure    => ensure_service($active),
-        provider  => 'upstart',
-        subscribe => File['/etc/init/toolwatcher.conf'],
-    }
-}

-- 
To view, visit https://gerrit.wikimedia.org/r/299133
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: I23e06ea5de8115904e606b1580aa3f7391157559
Gerrit-PatchSet: 10
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Yuvipanda <yuvipa...@wikimedia.org>
Gerrit-Reviewer: BryanDavis <bda...@wikimedia.org>
Gerrit-Reviewer: Coren <m...@uberbox.org>
Gerrit-Reviewer: Merlijn van Deen <valhall...@arctus.nl>
Gerrit-Reviewer: Yuvipanda <yuvipa...@wikimedia.org>
Gerrit-Reviewer: jenkins-bot <>

