Re: rawhide, /mnt/koji and /pub/fedora

2008-08-28 Thread Jon Masters
On Fri, 2008-08-29 at 02:25 -0400, Jon Masters wrote:

> Now I'm no Fedora sysadmin (and the infrastructure doesn't appear to be
> publicly documented anywhere - beyond the basics) so it's likely that
> the mounts in question simply don't do ACLs right or you'd have already
> discussed it...but for the sake of mentioning it, you could just add an
> additional ACL onto the /pub/fedora directory writeable by master.

s/master/masher/

(too used to typing "Masters" when I start typing those letters)

Jon.


___
Fedora-infrastructure-list mailing list
Fedora-infrastructure-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list


Re: rawhide, /mnt/koji and /pub/fedora

2008-08-28 Thread Jon Masters
On Wed, 2008-08-27 at 21:44 -0700, Jesse Keating wrote:

> We have another user, 'ftpsync' that has write access
> to /pub/fedora/.  Previously the rawhide script was run as root, and
> thus it was no problem to su ftpsync for the rsync calls.  The masher
> user does not possess the capability of doing this.

Now I'm no Fedora sysadmin (and the infrastructure doesn't appear to be
publicly documented anywhere - beyond the basics) so it's likely that
the mounts in question simply don't do ACLs right or you'd have already
discussed it...but for the sake of mentioning it, you could just add an
additional ACL onto the /pub/fedora directory writeable by master.

Jon.




Re: rawhide, /mnt/koji and /pub/fedora

2008-08-28 Thread Jesse Keating
On Thu, 2008-08-28 at 18:38 +0200, Till Maas wrote:
> /bin/mail -s SUBJECT [EMAIL PROTECTED] -- -f [EMAIL PROTECTED] -F "freeform from part"


Ah, that was the missing part.  Thanks.  I've tossed in git, will tag it
once the current run is done.

-- 
Jesse Keating
Fedora -- Freedom² is a feature!
identi.ca: http://identi.ca/jkeating




Re: rawhide, /mnt/koji and /pub/fedora

2008-08-28 Thread Jesse Keating
On Thu, 2008-08-28 at 14:58 -0500, Mike McGrath wrote:
> > Is changing the user that owns the files going to cause unnecessary rsync
> > churn for mirrors?
> >
> 
> Only if we change the uid of ftpsync.  If we change the uid of masher
> we're good on the mirrors.

I went the sudo route.  I was able to narrow the command down
considerably for safety.

-- 
Jesse Keating
Fedora -- Freedom² is a feature!
identi.ca: http://identi.ca/jkeating




Re: rawhide, /mnt/koji and /pub/fedora

2008-08-28 Thread Mike McGrath
On Thu, 28 Aug 2008, Bill Nottingham wrote:

> Jesse Keating ([EMAIL PROTECTED]) said:
> > So I realized something last night.  We created a user "masher" to have
> > the ability to write to /mnt/koji/mash/ but not any of the other koji
> > space.  This is useful to prevent too much damage from a horribly wrong
> > rawhide compose.  To make things easier in the rawhide compose configs,
> > we decided to run the cron/scripts as the masher user.  This is also
> > good because it means things run unprivileged.  However I ran into a
> > snag.  We have another user, 'ftpsync' that has write access
> > to /pub/fedora/.  Previously the rawhide script was run as root, and
> > thus it was no problem to su ftpsync for the rsync calls.  The masher
> > user does not possess the capability of doing this.
> >
> > Since the ftpsync user is only really used to sync data onto the Fedora
> > netapp, I propose that we collapse ftpsync and masher into one user
> > (masher).  It'll require minimal puppet changes, mostly just moving some
> > cron jobs from ftpsync over to masher.  It will require UID changes,
> > either changing masher to the ftpsync UID (which breaks our new range we
> > just set up), or chmodding some stuff on the Fedora netapp and changing
> > what UID has write access there.
> >
> > For now, I'm syncing rawhide by hand.
> >
> > Comments?
>
> Is changing the user that owns the files going to cause unnecessary rsync
> churn for mirrors?
>

Only if we change the uid of ftpsync.  If we change the uid of masher
we're good on the mirrors.

-Mike



Re: rawhide, /mnt/koji and /pub/fedora

2008-08-28 Thread Bill Nottingham
Jesse Keating ([EMAIL PROTECTED]) said: 
> So I realized something last night.  We created a user "masher" to have
> the ability to write to /mnt/koji/mash/ but not any of the other koji
> space.  This is useful to prevent too much damage from a horribly wrong
> rawhide compose.  To make things easier in the rawhide compose configs,
> we decided to run the cron/scripts as the masher user.  This is also
> good because it means things run unprivileged.  However I ran into a
> snag.  We have another user, 'ftpsync' that has write access
> to /pub/fedora/.  Previously the rawhide script was run as root, and
> thus it was no problem to su ftpsync for the rsync calls.  The masher
> user does not possess the capability of doing this.
> 
> Since the ftpsync user is only really used to sync data onto the Fedora
> netapp, I propose that we collapse ftpsync and masher into one user
> (masher).  It'll require minimal puppet changes, mostly just moving some
> cron jobs from ftpsync over to masher.  It will require UID changes,
> either changing masher to the ftpsync UID (which breaks our new range we
> just set up), or chmodding some stuff on the Fedora netapp and changing
> what UID has write access there.
> 
> For now, I'm syncing rawhide by hand.
> 
> Comments?

Is changing the user that owns the files going to cause unnecessary rsync
churn for mirrors?

Bill



Re: rawhide, /mnt/koji and /pub/fedora

2008-08-28 Thread Xavier Lamien
2008/8/28 Jesse Keating <[EMAIL PROTECTED]>

> On Thu, 2008-08-28 at 08:52 +0200, Xavier Lamien wrote:
> > yeah, you can easily do that by invoking : /bin/mail -r From_adress
> > hope that mailx is up to date ;)
>
> Looks like that's not working in EL5.  Pity.
>

hm... is installed rhel-5.2 working with mailx-8.1.1 on the box ?

if so, that will imply to update it.
This feature has been integrated from release 9.25

another way could be to add ~r From-adress in the header of the file content
(should work for version =< 10.2 ).

-- 
Xavier.t Lamien
--
http://fedoraproject.org/wiki/XavierLamien
GPG-Key ID: F3903DEB
Fingerprint: 0F2A 7A17 0F1B 82EE FCBF 1F51 76B7 A28D F390 3DEB


Re: rawhide, /mnt/koji and /pub/fedora

2008-08-28 Thread Till Maas
On Thu August 28 2008, Jesse Keating wrote:
> On Thu, 2008-08-28 at 08:52 +0200, Xavier Lamien wrote:
> > yeah, you can easily do that by invoking : /bin/mail -r From_adress
> > hope that mailx is up to date ;)
>
> Looks like that's not working in EL5.  Pity.

This works for me on CentOS 5, after the "--" sendmail options can be used:

/bin/mail -s SUBJECT [EMAIL PROTECTED] -- -f [EMAIL PROTECTED] -F "freeform from part"

Regards,
Till




Re: rawhide, /mnt/koji and /pub/fedora

2008-08-28 Thread Jeffrey Ollie
On Thu, Aug 28, 2008 at 11:27 AM, Seth Vidal <[EMAIL PROTECTED]> wrote:
> On Thu, 2008-08-28 at 09:22 -0700, Jesse Keating wrote:
>> On Thu, 2008-08-28 at 08:52 +0200, Xavier Lamien wrote:
>> > yeah, you can easily do that by invoking : /bin/mail -r From_adress
>> > hope that mailx is up to date ;)
>>
>> Looks like that's not working in EL5.  Pity.
>
> a simple python script to do that is easy enough.

Looks like configs/system/sendmail-unicode.py is already out there...

-- 
Jeff Ollie

"You know, I used to think it was awful that life was so unfair. Then
I thought, wouldn't it be much worse if life were fair, and all the
terrible things that happen to us come because we actually deserve
them? So, now I take great comfort in the general hostility and
unfairness of the universe."

-- Marcus to Franklin in Babylon 5: "A Late Delivery from Avalon"



Re: rawhide, /mnt/koji and /pub/fedora

2008-08-28 Thread Seth Vidal
On Thu, 2008-08-28 at 09:22 -0700, Jesse Keating wrote:
> On Thu, 2008-08-28 at 08:52 +0200, Xavier Lamien wrote:
> > yeah, you can easily do that by invoking : /bin/mail -r From_adress
> > hope that mailx is up to date ;)
> 
> Looks like that's not working in EL5.  Pity.
> 

a simple python script to do that is easy enough.

-sv




Re: rawhide, /mnt/koji and /pub/fedora

2008-08-28 Thread Jesse Keating
On Thu, 2008-08-28 at 08:52 +0200, Xavier Lamien wrote:
> yeah, you can easily do that by invoking : /bin/mail -r From_adress
> hope that mailx is up to date ;)

Looks like that's not working in EL5.  Pity.

-- 
Jesse Keating
Fedora -- Freedom² is a feature!
identi.ca: http://identi.ca/jkeating




Re: rawhide, /mnt/koji and /pub/fedora

2008-08-28 Thread Jesse Keating
On Thu, 2008-08-28 at 11:57 +0200, Jeroen van Meeuwen wrote:
> 
> You could configure sudoers to allow the masher user to only be able to 
> execute whatever it sudo's as the ftpsync user:
> 
> masher hostname.domain.tld=(ftpsync) NOPASSWD: rsync $rsync_opts foo. bar
> 
> Does that narrow it down sufficiently?

I think so.  I'll play with this some today.

-- 
Jesse Keating RHCE  (http://jkeating.livejournal.com)
Fedora Project  (http://fedoraproject.org/wiki/JesseKeating)
GPG Public Key  (geek.j2solutions.net/jkeating.j2solutions.pub)
identi.ca   (http://identi.ca/jkeating)




Re: rawhide, /mnt/koji and /pub/fedora

2008-08-28 Thread Mike McGrath
On Thu, 28 Aug 2008, Seth Vidal wrote:

> On Thu, 2008-08-28 at 08:42 -0500, Mike McGrath wrote:
> > On Wed, 27 Aug 2008, Jesse Keating wrote:
> >
> > > So I realized something last night.  We created a user "masher" to have
> > > the ability to write to /mnt/koji/mash/ but not any of the other koji
> > > space.  This is useful to prevent too much damage from a horribly wrong
> > > rawhide compose.  To make things easier in the rawhide compose configs,
> > > we decided to run the cron/scripts as the masher user.  This is also
> > > good because it means things run unprivileged.  However I ran into a
> > > snag.  We have another user, 'ftpsync' that has write access
> > > to /pub/fedora/.  Previously the rawhide script was run as root, and
> > > thus it was no problem to su ftpsync for the rsync calls.  The masher
> > > user does not possess the capability of doing this.
> > >
> > > Since the ftpsync user is only really used to sync data onto the Fedora
> > > netapp, I propose that we collapse ftpsync and masher into one user
> > > (masher).  It'll require minimal puppet changes, mostly just moving some
> > > cron jobs from ftpsync over to masher.  It will require UID changes,
> > > either changing masher to the ftpsync UID (which breaks our new range we
> > > just set up), or chmodding some stuff on the Fedora netapp and changing
> > > what UID has write access there.
> > >
> > > For now, I'm syncing rawhide by hand.
> > >
> > > Comments?
> >
> > Fine by me.  ftpsync isn't really one of ours anyway :)
> >
>
> it and masher are, however, names that need to get added to the banlist
> in fas, I think.
>

Anyone care to think of a less manual way of doing this?

-Mike



Re: rawhide, /mnt/koji and /pub/fedora

2008-08-28 Thread Seth Vidal
On Thu, 2008-08-28 at 08:42 -0500, Mike McGrath wrote:
> On Wed, 27 Aug 2008, Jesse Keating wrote:
> 
> > So I realized something last night.  We created a user "masher" to have
> > the ability to write to /mnt/koji/mash/ but not any of the other koji
> > space.  This is useful to prevent too much damage from a horribly wrong
> > rawhide compose.  To make things easier in the rawhide compose configs,
> > we decided to run the cron/scripts as the masher user.  This is also
> > good because it means things run unprivileged.  However I ran into a
> > snag.  We have another user, 'ftpsync' that has write access
> > to /pub/fedora/.  Previously the rawhide script was run as root, and
> > thus it was no problem to su ftpsync for the rsync calls.  The masher
> > user does not possess the capability of doing this.
> >
> > Since the ftpsync user is only really used to sync data onto the Fedora
> > netapp, I propose that we collapse ftpsync and masher into one user
> > (masher).  It'll require minimal puppet changes, mostly just moving some
> > cron jobs from ftpsync over to masher.  It will require UID changes,
> > either changing masher to the ftpsync UID (which breaks our new range we
> > just set up), or chmodding some stuff on the Fedora netapp and changing
> > what UID has write access there.
> >
> > For now, I'm syncing rawhide by hand.
> >
> > Comments?
> 
> Fine by me.  ftpsync isn't really one of ours anyway :)
> 

it and masher are, however, names that need to get added to the banlist
in fas, I think.

-sv




Re: rawhide, /mnt/koji and /pub/fedora

2008-08-28 Thread Mike McGrath
On Wed, 27 Aug 2008, Jesse Keating wrote:

> So I realized something last night.  We created a user "masher" to have
> the ability to write to /mnt/koji/mash/ but not any of the other koji
> space.  This is useful to prevent too much damage from a horribly wrong
> rawhide compose.  To make things easier in the rawhide compose configs,
> we decided to run the cron/scripts as the masher user.  This is also
> good because it means things run unprivileged.  However I ran into a
> snag.  We have another user, 'ftpsync' that has write access
> to /pub/fedora/.  Previously the rawhide script was run as root, and
> thus it was no problem to su ftpsync for the rsync calls.  The masher
> user does not possess the capability of doing this.
>
> Since the ftpsync user is only really used to sync data onto the Fedora
> netapp, I propose that we collapse ftpsync and masher into one user
> (masher).  It'll require minimal puppet changes, mostly just moving some
> cron jobs from ftpsync over to masher.  It will require UID changes,
> either changing masher to the ftpsync UID (which breaks our new range we
> just set up), or chmodding some stuff on the Fedora netapp and changing
> what UID has write access there.
>
> For now, I'm syncing rawhide by hand.
>
> Comments?

Fine by me.  ftpsync isn't really one of ours anyway :)

-Mike



Re: rawhide, /mnt/koji and /pub/fedora

2008-08-28 Thread Jeroen van Meeuwen

Nigel Jones wrote:
> On Wed, 2008-08-27 at 21:52 -0700, Jesse Keating wrote:
> > On Wed, 2008-08-27 at 21:44 -0700, Jesse Keating wrote:
> > > Comments?
> >
> > One comment just made on IRC by G:
> >
> >  f13: can't be allow masher to sudo to ftpsync and run a sync
> > command?
>
> G = $me :)
>
> > We would have to allow masher to sudo with no password in order to run
> > the rsync command.  I'm not sure how far we can narrow it down since the
> > rsync source changes each day, only the dest (and other options) remain
> > the same.
>
> Why not something like:
>
> sudo /usr/local/bin/rawhideftpsync.sh
> that runs: rsync  ...
>
> Just a thought.

You could configure sudoers to allow the masher user to only be able to
execute whatever it sudo's as the ftpsync user:

masher hostname.domain.tld=(ftpsync) NOPASSWD: rsync $rsync_opts foo. bar

Does that narrow it down sufficiently?

Kind regards,

Jeroen van Meeuwen
-kanarip



Re: rawhide, /mnt/koji and /pub/fedora

2008-08-27 Thread Xavier Lamien
2008/8/28 Jesse Keating <[EMAIL PROTECTED]>

> On Thu, 2008-08-28 at 16:55 +1200, Nigel Jones wrote:
> > Why not something like:
> >
> > sudo /usr/local/bin/rawhideftpsync.sh 
> > that runs: rsync  ...
>
> I think I'd rather not have yet another script to puppet manage and
> such, so if we could just maybe allow rsync it might be fine.


as nigel said, just allow masher to only sudo su - ftpsync from sudoer  or
to just rsync the specific dir

> I just noticed we're going to have to do the same to allow it to do mail
> as the rawhide user (or somebody is going to have to tell me how to set
> the From address to something else when calling /bin/mail).


yeah, you can easily do that by invoking : /bin/mail -r From_adress
hope that mailx is up to date ;)



-- 
Xavier.t Lamien
--
http://fedoraproject.org/wiki/XavierLamien
GPG-Key ID: F3903DEB
Fingerprint: 0F2A 7A17 0F1B 82EE FCBF 1F51 76B7 A28D F390 3DEB


Re: rawhide, /mnt/koji and /pub/fedora

2008-08-27 Thread Jesse Keating
On Thu, 2008-08-28 at 16:55 +1200, Nigel Jones wrote:
> Why not something like:
> 
> sudo /usr/local/bin/rawhideftpsync.sh 
> that runs: rsync  ...

I think I'd rather not have yet another script to puppet manage and
such, so if we could just maybe allow rsync it might be fine.

I just noticed we're going to have to do the same to allow it to do mail
as the rawhide user (or somebody is going to have to tell me how to set
the From address to something else when calling /bin/mail).

-- 
Jesse Keating
Fedora -- Freedom² is a feature!
identi.ca: http://identi.ca/jkeating




Re: rawhide, /mnt/koji and /pub/fedora

2008-08-27 Thread Nigel Jones
On Wed, 2008-08-27 at 21:52 -0700, Jesse Keating wrote:
> On Wed, 2008-08-27 at 21:44 -0700, Jesse Keating wrote:
> > Comments?
> 
> One comment just made on IRC by G:
> 
>  f13: can't be allow masher to sudo to ftpsync and run a sync
> command?
> 
G = $me :)
> We would have to allow masher to sudo with no password in order to run
> the rsync command.  I'm not sure how far we can narrow it down since the
> rsync source changes each day, only the dest (and other options) remain
> the same.
Why not something like:

sudo /usr/local/bin/rawhideftpsync.sh 
that runs: rsync  ...

Just a thought.
-- 
Nigel Jones <[EMAIL PROTECTED]>
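
Added example, not part of the original thread or Fedora's own tooling: one way to write the wrapper suggested above so that the daily-changing rsync source is the only thing the caller controls, while options and destination stay fixed. The function names, the sudoers line, the rsync options and the destination placeholder are assumptions.

```shell
#!/bin/sh
# Hypothetical /usr/local/bin/rawhideftpsync.sh, run by masher as ftpsync.
# Assumed sudoers entry, modelled on the rule quoted in this thread:
#   masher hostname.domain.tld=(ftpsync) NOPASSWD: /usr/local/bin/rawhideftpsync.sh
# With no arguments listed, sudoers accepts any arguments, so the script
# has to validate them itself.

MASH_ROOT=/mnt/koji/mash          # the tree masher may write to (from the thread)
DEST=/pub/fedora/EXAMPLE-DEST/    # placeholder; the real target is not in the thread

# resolve_source ROOT SRC
# Print the canonical path of SRC and return 0 only if SRC is an existing
# directory strictly below ROOT once symlinks and ".." are resolved.
resolve_source() {
    root=$1
    src=$2
    # Absolute paths only: this rejects empty input and anything starting
    # with "-" that rsync would otherwise parse as an option.
    case $src in
        /*) ;;
        *) return 1 ;;
    esac
    real_root=$(cd -P -- "$root" 2>/dev/null && pwd -P) || return 1
    real_src=$(cd -P -- "$src" 2>/dev/null && pwd -P) || return 1
    case $real_src in
        "$real_root"/?*) printf '%s\n' "$real_src" ;;
        *) return 1 ;;
    esac
}

# sync_rawhide SRC
# Options and destination are fixed here and never taken from the caller.
sync_rawhide() {
    src_dir=$(resolve_source "$MASH_ROOT" "$1") || {
        echo "rawhideftpsync: refusing source '$1'" >&2
        return 1
    }
    rsync -a -- "$src_dir"/ "$DEST"
}

# Run only when invoked with arguments, so the functions can be sourced.
if [ "$#" -gt 0 ]; then
    [ "$#" -eq 1 ] || { echo "usage: $0 SOURCE_DIR" >&2; exit 2; }
    sync_rawhide "$1"
fi
```

Because the canonical path is checked rather than the string as typed, a symlink or `..` component that leads out of the mash tree is refused before rsync ever runs as ftpsync.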



Re: rawhide, /mnt/koji and /pub/fedora

2008-08-27 Thread Jesse Keating
On Wed, 2008-08-27 at 21:44 -0700, Jesse Keating wrote:
> Comments?

One comment just made on IRC by G:

 f13: can't be allow masher to sudo to ftpsync and run a sync
command?

We would have to allow masher to sudo with no password in order to run
the rsync command.  I'm not sure how far we can narrow it down since the
rsync source changes each day, only the dest (and other options) remain
the same.

-- 
Jesse Keating
Fedora -- Freedom² is a feature!
identi.ca: http://identi.ca/jkeating




rawhide, /mnt/koji and /pub/fedora

2008-08-27 Thread Jesse Keating
So I realized something last night.  We created a user "masher" to have
the ability to write to /mnt/koji/mash/ but not any of the other koji
space.  This is useful to prevent too much damage from a horribly wrong
rawhide compose.  To make things easier in the rawhide compose configs,
we decided to run the cron/scripts as the masher user.  This is also
good because it means things run unprivileged.  However I ran into a
snag.  We have another user, 'ftpsync' that has write access
to /pub/fedora/.  Previously the rawhide script was run as root, and
thus it was no problem to su ftpsync for the rsync calls.  The masher
user does not possess the capability of doing this.

Since the ftpsync user is only really used to sync data onto the Fedora
netapp, I propose that we collapse ftpsync and masher into one user
(masher).  It'll require minimal puppet changes, mostly just moving some
cron jobs from ftpsync over to masher.  It will require UID changes,
either changing masher to the ftpsync UID (which breaks our new range we
just set up), or chmodding some stuff on the Fedora netapp and changing
what UID has write access there.

For now, I'm syncing rawhide by hand.

Comments?
-- 
Jesse Keating
Fedora -- Freedom² is a feature!
identi.ca: http://identi.ca/jkeating

