Re: rawhide, /mnt/koji and /pub/fedora
Nigel Jones wrote:
> On Wed, 2008-08-27 at 21:52 -0700, Jesse Keating wrote:
> > On Wed, 2008-08-27 at 21:44 -0700, Jesse Keating wrote:
> > > Comments?
> >
> > One comment just made on IRC by G:
> > <G> f13: can't be allow masher to sudo to ftpsync and run a sync command?
>
> G = $me :)
>
> > We would have to allow masher to sudo with no password in order to
> > run the rsync command. I'm not sure how far we can narrow it down
> > since the rsync source changes each day, only the dest (and other
> > options) remain the same.
>
> Why not something like:
>
> sudo /usr/local/bin/rawhideftpsync.sh <random bit>
>
> that runs:
>
> rsync ...normal path.<random bit> ...
>
> Just a thought.

You could configure sudoers to allow the masher user to only be able to
execute whatever it sudo's as the ftpsync user:

masher hostname.domain.tld=(ftpsync) NOPASSWD: rsync $rsync_opts foo.wildcardmatch-source bar

Does that narrow it down sufficiently?

Kind regards,

Jeroen van Meeuwen
-kanarip

___
Fedora-infrastructure-list mailing list
Fedora-infrastructure-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
Re: rawhide, /mnt/koji and /pub/fedora
On Wed, 27 Aug 2008, Jesse Keating wrote:
> So I realized something last night. We created a user masher to have
> the ability to write to /mnt/koji/mash/ but not any of the other koji
> space. This is useful to prevent too much damage from a horribly wrong
> rawhide compose. To make things easier in the rawhide compose configs,
> we decided to run the cron/scripts as the masher user. This is also
> good because it means things run unprivileged.
>
> However I ran into a snag. We have another user, 'ftpsync' that has
> write access to /pub/fedora/. Previously the rawhide script was run as
> root, and thus it was no problem to su ftpsync for the rsync calls.
> The masher user does not possess the capability of doing this.
>
> Since the ftpsync user is only really used to sync data onto the Fedora
> netapp, I propose that we collapse ftpsync and masher into one user
> (masher). It'll require minimal puppet changes, mostly just moving some
> cron jobs from ftpsync over to masher. It will require UID changes,
> either changing masher to the ftpsync UID (which breaks our new range
> we just setup), or chmodding some stuff on the Fedora netapp and
> changing what UID has write access there.
>
> For now, I'm syncing rawhide by hand.
>
> Comments?

Fine by me. ftpsync isn't really one of ours anyway :)

-Mike
Re: rawhide, /mnt/koji and /pub/fedora
On Thu, 2008-08-28 at 08:42 -0500, Mike McGrath wrote:
> On Wed, 27 Aug 2008, Jesse Keating wrote:
> > So I realized something last night. We created a user masher to have
> > the ability to write to /mnt/koji/mash/ but not any of the other koji
> > space. This is useful to prevent too much damage from a horribly wrong
> > rawhide compose. To make things easier in the rawhide compose configs,
> > we decided to run the cron/scripts as the masher user. This is also
> > good because it means things run unprivileged.
> >
> > However I ran into a snag. We have another user, 'ftpsync' that has
> > write access to /pub/fedora/. Previously the rawhide script was run as
> > root, and thus it was no problem to su ftpsync for the rsync calls.
> > The masher user does not possess the capability of doing this.
> >
> > Since the ftpsync user is only really used to sync data onto the
> > Fedora netapp, I propose that we collapse ftpsync and masher into one
> > user (masher). It'll require minimal puppet changes, mostly just
> > moving some cron jobs from ftpsync over to masher. It will require UID
> > changes, either changing masher to the ftpsync UID (which breaks our
> > new range we just setup), or chmodding some stuff on the Fedora netapp
> > and changing what UID has write access there.
> >
> > For now, I'm syncing rawhide by hand.
> >
> > Comments?
>
> Fine by me. ftpsync isn't really one of ours anyway :)

it and masher are, however, names that need to get added to the banlist
in fas, I think.

-sv
Re: rawhide, /mnt/koji and /pub/fedora
On Thu, 2008-08-28 at 11:57 +0200, Jeroen van Meeuwen wrote:
> You could configure sudoers to allow the masher user to only be able to
> execute whatever it sudo's as the ftpsync user:
>
> masher hostname.domain.tld=(ftpsync) NOPASSWD: rsync $rsync_opts foo.wildcardmatch-source bar
>
> Does that narrow it down sufficiently?

I think so. I'll play with this some today.

--
Jesse Keating
RHCE (http://jkeating.livejournal.com)
Fedora Project (http://fedoraproject.org/wiki/JesseKeating)
GPG Public Key (geek.j2solutions.net/jkeating.j2solutions.pub)
identi.ca (http://identi.ca/jkeating)
Re: rawhide, /mnt/koji and /pub/fedora
On Thu, 2008-08-28 at 08:52 +0200, Xavier Lamien wrote:
> yeah, you can easily do that by invoking :
>
> /bin/mail -r From_adress
>
> hope that mailx is up to date ;)

Looks like that's not working in EL5. Pity.

--
Jesse Keating
Fedora -- Freedom² is a feature!
identi.ca: http://identi.ca/jkeating
Re: rawhide, /mnt/koji and /pub/fedora
On Thu, 2008-08-28 at 09:22 -0700, Jesse Keating wrote:
> On Thu, 2008-08-28 at 08:52 +0200, Xavier Lamien wrote:
> > yeah, you can easily do that by invoking :
> >
> > /bin/mail -r From_adress
> >
> > hope that mailx is up to date ;)
>
> Looks like that's not working in EL5. Pity.

a simple python script to do that is easy enough.

-sv
Re: rawhide, /mnt/koji and /pub/fedora
On Thu, Aug 28, 2008 at 11:27 AM, Seth Vidal [EMAIL PROTECTED] wrote:
> On Thu, 2008-08-28 at 09:22 -0700, Jesse Keating wrote:
> > On Thu, 2008-08-28 at 08:52 +0200, Xavier Lamien wrote:
> > > yeah, you can easily do that by invoking :
> > >
> > > /bin/mail -r From_adress
> > >
> > > hope that mailx is up to date ;)
> >
> > Looks like that's not working in EL5. Pity.
>
> a simple python script to do that is easy enough.

Looks like configs/system/sendmail-unicode.py is already out there...

--
Jeff Ollie

You know, I used to think it was awful that life was so unfair. Then I
thought, wouldn't it be much worse if life were fair, and all the
terrible things that happen to us come because we actually deserve
them? So, now I take great comfort in the general hostility and
unfairness of the universe.

-- Marcus to Franklin in Babylon 5: "A Late Delivery from Avalon"
Re: rawhide, /mnt/koji and /pub/fedora
On Thu August 28 2008, Jesse Keating wrote:
> On Thu, 2008-08-28 at 08:52 +0200, Xavier Lamien wrote:
> > yeah, you can easily do that by invoking :
> >
> > /bin/mail -r From_adress
> >
> > hope that mailx is up to date ;)
>
> Looks like that's not working in EL5. Pity.

This works for me on CentOS 5; after the "--", sendmail options can be
used:

/bin/mail -s SUBJECT [EMAIL PROTECTED] -- -f [EMAIL PROTECTED] -F freeform from part

Regards,
Till
Re: rawhide, /mnt/koji and /pub/fedora
2008/8/28 Jesse Keating [EMAIL PROTECTED]
> On Thu, 2008-08-28 at 08:52 +0200, Xavier Lamien wrote:
> > yeah, you can easily do that by invoking :
> >
> > /bin/mail -r From_adress
> >
> > hope that mailx is up to date ;)
>
> Looks like that's not working in EL5. Pity.

hm... is the installed rhel-5.2 on the box working with mailx-8.1.1? If
so, that will imply updating it. This feature has been integrated from
release 9.25.

Another way could be to add ~r From-adress in the header of the file
content (should work for version = 10.2).

--
Xavier.t Lamien
--
http://fedoraproject.org/wiki/XavierLamien
GPG-Key ID: F3903DEB
Fingerprint: 0F2A 7A17 0F1B 82EE FCBF 1F51 76B7 A28D F390 3DEB
Re: rawhide, /mnt/koji and /pub/fedora
Jesse Keating ([EMAIL PROTECTED]) said:
> So I realized something last night. We created a user masher to have
> the ability to write to /mnt/koji/mash/ but not any of the other koji
> space. This is useful to prevent too much damage from a horribly wrong
> rawhide compose. To make things easier in the rawhide compose configs,
> we decided to run the cron/scripts as the masher user. This is also
> good because it means things run unprivileged.
>
> However I ran into a snag. We have another user, 'ftpsync' that has
> write access to /pub/fedora/. Previously the rawhide script was run as
> root, and thus it was no problem to su ftpsync for the rsync calls.
> The masher user does not possess the capability of doing this.
>
> Since the ftpsync user is only really used to sync data onto the Fedora
> netapp, I propose that we collapse ftpsync and masher into one user
> (masher). It'll require minimal puppet changes, mostly just moving some
> cron jobs from ftpsync over to masher. It will require UID changes,
> either changing masher to the ftpsync UID (which breaks our new range
> we just setup), or chmodding some stuff on the Fedora netapp and
> changing what UID has write access there.
>
> For now, I'm syncing rawhide by hand.
>
> Comments?

Is changing the user that owns the files going to cause unnecessary
rsync churn for mirrors?

Bill
Re: rawhide, /mnt/koji and /pub/fedora
On Thu, 28 Aug 2008, Bill Nottingham wrote:
> Jesse Keating ([EMAIL PROTECTED]) said:
> > So I realized something last night. We created a user masher to have
> > the ability to write to /mnt/koji/mash/ but not any of the other koji
> > space. This is useful to prevent too much damage from a horribly wrong
> > rawhide compose. To make things easier in the rawhide compose configs,
> > we decided to run the cron/scripts as the masher user. This is also
> > good because it means things run unprivileged.
> >
> > However I ran into a snag. We have another user, 'ftpsync' that has
> > write access to /pub/fedora/. Previously the rawhide script was run as
> > root, and thus it was no problem to su ftpsync for the rsync calls.
> > The masher user does not possess the capability of doing this.
> >
> > Since the ftpsync user is only really used to sync data onto the
> > Fedora netapp, I propose that we collapse ftpsync and masher into one
> > user (masher). It'll require minimal puppet changes, mostly just
> > moving some cron jobs from ftpsync over to masher. It will require UID
> > changes, either changing masher to the ftpsync UID (which breaks our
> > new range we just setup), or chmodding some stuff on the Fedora netapp
> > and changing what UID has write access there.
> >
> > For now, I'm syncing rawhide by hand.
> >
> > Comments?
>
> Is changing the user that owns the files going to cause unnecessary
> rsync churn for mirrors?

Only if we change the uid of ftpsync. If we change the uid of masher
we're good on the mirrors.

-Mike
Re: rawhide, /mnt/koji and /pub/fedora
On Wed, 2008-08-27 at 21:44 -0700, Jesse Keating wrote:
> Comments?

One comment just made on IRC by G:
<G> f13: can't be allow masher to sudo to ftpsync and run a sync command?

We would have to allow masher to sudo with no password in order to run
the rsync command. I'm not sure how far we can narrow it down since the
rsync source changes each day, only the dest (and other options) remain
the same.

--
Jesse Keating
Fedora -- Freedom² is a feature!
identi.ca: http://identi.ca/jkeating
Re: rawhide, /mnt/koji and /pub/fedora
On Wed, 2008-08-27 at 21:52 -0700, Jesse Keating wrote:
> On Wed, 2008-08-27 at 21:44 -0700, Jesse Keating wrote:
> > Comments?
>
> One comment just made on IRC by G:
> <G> f13: can't be allow masher to sudo to ftpsync and run a sync command?

G = $me :)

> We would have to allow masher to sudo with no password in order to run
> the rsync command. I'm not sure how far we can narrow it down since the
> rsync source changes each day, only the dest (and other options) remain
> the same.

Why not something like:

sudo /usr/local/bin/rawhideftpsync.sh <random bit>

that runs:

rsync ...normal path.<random bit> ...

Just a thought.

--
Nigel Jones
[EMAIL PROTECTED]
Re: rawhide, /mnt/koji and /pub/fedora
On Thu, 2008-08-28 at 16:55 +1200, Nigel Jones wrote:
> Why not something like:
>
> sudo /usr/local/bin/rawhideftpsync.sh <random bit>
>
> that runs:
>
> rsync ...normal path.<random bit> ...

I think I'd rather not have yet another script to puppet manage and
such, so if we could just maybe allow rsync it might be fine.

I just noticed we're going to have to do the same to allow it to do
mail as the rawhide user (or somebody is going to have to tell me how
to set the From address to something else when calling /bin/mail).

--
Jesse Keating
Fedora -- Freedom² is a feature!
identi.ca: http://identi.ca/jkeating
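An added example, not code from the thread or from Fedora infrastructure, showing what the wrapper-script approach discussed above (Nigel's suggestion, and the sudoers rule Jeroen proposed) would look like when the variable "random bit" is validated in the script instead of matched by a sudoers wildcard; sudoers wildcards in command arguments match across whitespace, so a wildcard there can also admit extra rsync arguments. The script name, the rsync options, the destination under /pub/fedora and the host name in the sudoers comment are assumptions; /mnt/koji/mash is the path from the thread.

```shell
#!/bin/sh
# rawhideftpsync.sh: fixed-command wrapper run via sudo as ftpsync.
# Matching sudoers entry (host name is hypothetical):
#   masher hostname.domain.tld=(ftpsync) NOPASSWD: /usr/local/bin/rawhideftpsync.sh
# The only caller-controlled input is the compose directory name; it is
# checked here so the sudo rule itself needs no wildcard argument.

SRC_ROOT=/mnt/koji/mash                   # masher's writable area (from the thread)
DEST_ROOT=/pub/fedora/linux/development   # assumed destination under /pub/fedora

# validate_name NAME: accept exactly one directory name such as
# "rawhide-20080828"; reject empty, "." / "..", option-looking names and
# anything outside a conservative character set (so no "/" or whitespace).
validate_name() {
    case "$1" in
        ''|.|..|-*) return 1 ;;
        *[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# build_cmd NAME: print the exact rsync command line the wrapper would run
# (used for dry-run inspection and for testing the validation).
build_cmd() {
    validate_name "$1" || return 1
    printf 'rsync -a --delete %s/%s/ %s/\n' "$SRC_ROOT" "$1" "$DEST_ROOT"
}

main() {
    [ $# -eq 1 ] || { echo "usage: $0 <compose-name>" >&2; exit 2; }
    validate_name "$1" || { echo "rejected compose name: $1" >&2; exit 1; }
    exec rsync -a --delete "$SRC_ROOT/$1/" "$DEST_ROOT/"
}

# Run main only when executed under the installed name, not when sourced.
[ "${0##*/}" = "rawhideftpsync.sh" ] && main "$@"
```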