Yuvipanda has submitted this change and it was merged. Change subject: tools: Set homedir permissions properly in kube-maintainusers ......................................................................
tools: Set homedir permissions properly in kube-maintainusers Otherwise if it created homedirs it was setting them to be readable and writeable only by root - Stops toolswatcher, remove all files related - Reduce runtime sleep from 5min to 1min - this puts a bit more load on the LDAP servers but is probably ok because we can stop toolswatcher Bug: T140460 Change-Id: I23e06ea5de8115904e606b1580aa3f7391157559 --- M modules/role/manifests/labs/tools/services.pp M modules/toollabs/files/maintain-kubeusers D modules/toollabs/files/toolwatcher D modules/toollabs/files/toolwatcher.conf D modules/toollabs/manifests/toolwatcher.pp 5 files changed, 15 insertions(+), 83 deletions(-) Approvals: BryanDavis: Looks good to me, but someone else must approve Yuvipanda: Verified; Looks good to me, approved diff --git a/modules/role/manifests/labs/tools/services.pp b/modules/role/manifests/labs/tools/services.pp index 91803cf..cad62fb 100644 --- a/modules/role/manifests/labs/tools/services.pp +++ b/modules/role/manifests/labs/tools/services.pp @@ -37,10 +37,6 @@ active => ($::fqdn == $active_host), } - class { 'toollabs::toolwatcher': - active => ($::fqdn == $active_host) - } - class { 'toollabs::admin_web_updater': active => ($::fqdn == $active_host) } diff --git a/modules/toollabs/files/maintain-kubeusers b/modules/toollabs/files/maintain-kubeusers index 6ba6a47..8555d96 100755 --- a/modules/toollabs/files/maintain-kubeusers +++ b/modules/toollabs/files/maintain-kubeusers @@ -22,6 +22,7 @@ import random import time import csv +import stat TOOL_ALLOWED_RESOURCES = [ 'pods', @@ -201,7 +202,7 @@ def write_kubeconfig(user, master): """ - Write an appropriate .kube/config for given user to access given master + Write an appropriate .kube/config for given user to access given master. See http://kubernetes.io/docs/user-guide/kubeconfig-file/ for format """ 
@@ -232,7 +233,7 @@
}
dirpath = os.path.join('/data', 'project', user.name, '.kube')
path = os.path.join(dirpath, 'config')
- os.makedirs(dirpath, exist_ok=True)
+ os.makedirs(dirpath, mode=0o775, exist_ok=False)
f = os.open(path, os.O_CREAT | os.O_WRONLY | os.O_NOFOLLOW)
try:
os.write(f, json.dumps(config, indent=4, sort_keys=True).encode('utf-8'))
@@ -245,6 +246,16 @@
raise
finally:
os.close(f)
+
+
+def create_homedir(user):
+ """
+ Create homedirs for new users
+ """
+ homepath = os.path.join('/data', 'project', user.name)
+ os.makedirs(homepath, mode=0o775, exist_ok=False)
+ os.chmod(homepath, 0o775 | stat.I_SGID)
+ os.chown(homepath, int(user.id), int(user.id))


def create_namespace(user):
@@ -285,7 +296,7 @@
argparser.add_argument('--project', help='Project name to fetch LDAP users from', default='tools')
argparser.add_argument('--interval', help='Seconds between between runs',
- default=300)
+ default=60)
argparser.add_argument('--once', help='Run once and exit', action='store_true')
argparser.add_argument('kube_master_url', help='Full URL of Kubernetes Master')
@@ -325,6 +336,7 @@
for uid in new_tools:
if uid in tools:
tools[uid].token = generate_pass(64)
+ create_homedir(tools[uid])
write_kubeconfig(tools[uid], args.kube_master_url)
create_namespace(tools[uid])
cur_users[uid] = tools[uid]
diff --git a/modules/toollabs/files/toolwatcher b/modules/toollabs/files/toolwatcher
deleted file mode 100755
index 35d0d50..0000000
--- a/modules/toollabs/files/toolwatcher
+++ /dev/null
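Review bot: The `.kube` directory that the new `os.makedirs(dirpath, mode=0o775, exist_ok=False)` creates is never chowned, so unlike the homedir it presumably stays owned by the account running the script (root, going by the commit message), and the config file that the following `os.open(path, os.O_CREAT | os.O_WRONLY | os.O_NOFOLLOW)` writes into — which, given the `generate_pass(64)` token set just before the call in the `@@ -325` hunk, presumably carries the tool's credentials — is created with the process-default mode because no mode argument is passed. If the intent is that the tool owns its kubeconfig, follow the makedirs with `os.chown(dirpath, int(user.id), int(user.id))` as create_homedir does, give the open an explicit mode (`os.open(path, os.O_CREAT | os.O_WRONLY | os.O_NOFOLLOW, 0o600)` if only the tool's uid needs to read it) and chown the file as well. Changing `exist_ok=True` to `exist_ok=False` also means an existing `.kube` directory now raises FileExistsError instead of being reused, which may be fine for first-time users but would abort the loop in the `@@ -325` hunk unless a handler exists outside it. write_kubeconfig starts and ends outside this hunk.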
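Review bot: `stat.I_SGID` in the new create_homedir is not a name the stat module defines — the setgid bit is `stat.S_ISGID` — so the first call raises AttributeError at `os.chmod(homepath, 0o775 | stat.I_SGID)` after `os.makedirs` has already created the directory, leaving it root-owned and un-chowned, and because of `exist_ok=False` every later run then fails with FileExistsError for that same tool (the call site in the `@@ -325` hunk shows no handler, so the remaining new tools would be skipped too unless one exists outside the hunk). The line should read `os.chmod(homepath, 0o775 | stat.S_ISGID)`. Passing `int(user.id)` as both uid and gid assumes the tool's primary gid equals its uid; the removed toolwatcher resolved the group by name (`$PREFIX.$TOOL:$PREFIX.$TOOL`), so that equivalence is worth confirming against the LDAP entries. The docstring could also state the resulting ownership and mode, e.g. `Create the homedir for a new tool: mode 2775, owned by the tool's uid/gid.`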
@@ -1,38 +0,0 @@
-#!/bin/bash
-#
-# Copyright © 2013 Marc-André Pelletier <mpellet...@wikimedia.org>
-#
-# Permission to use, copy, modify, and/or distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-
-cd /data/project
-export HOME=/root
-PREFIX=$(cat /etc/wmflabs-project)
-
-while true; do
- # Iterate over all service groups of this project.
- getent passwd | sed -ne "s/^$PREFIX\\.\([^:]\+\):.*\$/\\1/p;" | while read TOOL; do
- # If the service group's home directory doesn't exist already,
- # create it with a basic structure and especially set setgid
- # on the directories so that files created are owned by the
- # service group's group.
- if [ ! -d "$TOOL" ]; then
- logger -t toolwatcher "Creating tool $TOOL"
-
- mkdir -m u=rwx,g=rwsx,o=rx "$TOOL" "$TOOL/public_html"
- chown -R "$PREFIX.$TOOL:$PREFIX.$TOOL" "$TOOL"
- fi
- done
-
- # Sleep for two minutes.
- sleep 120
-done
diff --git a/modules/toollabs/files/toolwatcher.conf b/modules/toollabs/files/toolwatcher.conf
deleted file mode 100644
index 7995022..0000000
--- a/modules/toollabs/files/toolwatcher.conf
+++ /dev/null
@@ -1,8 +0,0 @@
-description "creates tool homes"
-
-start on runlevel [2345]
-stop on runlevel [06]
-
-respawn
-
-exec /usr/local/sbin/toolwatcher
diff --git a/modules/toollabs/manifests/toolwatcher.pp b/modules/toollabs/manifests/toolwatcher.pp
deleted file mode 100644
index 9374773..0000000
--- a/modules/toollabs/manifests/toolwatcher.pp
+++ /dev/null
@@ -1,30 +0,0 @@
-# toollabs::toolwatcher sets up a host with a service that scans every
-# two minutes for tool accounts whose home directory doesn't exist
-# yet. For each such tool account, the toolwatcher creates the home
-# directory with the subdirectory public_html owned by the tool
-# account and its group and sets the permissions to g+srwx,o+rx.
-class toollabs::toolwatcher(
- $active,
-) inherits toollabs {
- file { '/usr/local/sbin/toolwatcher':
- source => 'puppet:///modules/toollabs/toolwatcher',
- owner => 'root',
- group => 'root',
- mode => '0555',
- }
-
- file { '/etc/init/toolwatcher.conf':
- ensure => file,
- source => 'puppet:///modules/toollabs/toolwatcher.conf',
- owner => 'root',
- group => 'root',
- mode => '0444',
- require => File['/usr/local/sbin/toolwatcher'],
- }
-
- service { 'toolwatcher':
- ensure => ensure_service($active),
- provider => 'upstart',
- subscribe => File['/etc/init/toolwatcher.conf'],
- }
-}
--
To view, visit https://gerrit.wikimedia.org/r/299133
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings
Gerrit-MessageType: merged
Gerrit-Change-Id: I23e06ea5de8115904e606b1580aa3f7391157559
Gerrit-PatchSet: 10
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Yuvipanda <yuvipa...@wikimedia.org>
Gerrit-Reviewer: BryanDavis <bda...@wikimedia.org>
Gerrit-Reviewer: Coren <m...@uberbox.org>
Gerrit-Reviewer: Merlijn van Deen <valhall...@arctus.nl>
Gerrit-Reviewer: Yuvipanda <yuvipa...@wikimedia.org>
Gerrit-Reviewer: jenkins-bot <>
_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits