Tim Landscheidt has uploaded a new change for review. https://gerrit.wikimedia.org/r/267832
Change subject: Tools: Factor out the configuration for outgoing HBA connections ...................................................................... Tools: Factor out the configuration for outgoing HBA connections Currently, the configuration for bastion hosts to enable outgoing ssh connections with host-based authentication is maintained as a file resource in three different classes, toollabs::bastion, toollabs::cronrunner and toollabs::submit. This makes it impossible to apply more than one of those classes to the same instance. In addition, the puppetization of the ssh client configuration as a whole is confusing with regard to what parameters are set intentionally and what is just copied and pasted. This change factors out the configuration for outgoing host-based authentication to a new class toollabs::hba::client so that it can be used by multiple classes on the same instance, and it applies the configuration with file_line resources. Change-Id: I7c90928981c9bd71f5de061ad9aafb1b887a9890 --- D modules/toollabs/files/submithost-ssh_config M modules/toollabs/manifests/bastion.pp M modules/toollabs/manifests/cronrunner.pp A modules/toollabs/manifests/hba/client.pp M modules/toollabs/manifests/submit.pp 5 files changed, 31 insertions(+), 92 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/32/267832/1 diff --git a/modules/toollabs/files/submithost-ssh_config b/modules/toollabs/files/submithost-ssh_config deleted file mode 100644 index cf234e1..0000000 --- a/modules/toollabs/files/submithost-ssh_config +++ /dev/null 
@@ -1,57 +0,0 @@
-# This file is managed by puppet!
-
-# This is the ssh client system-wide configuration file. See
-# ssh_config(5) for more information. This file provides defaults for
-# users, and the values can be changed in per-user configuration files
-# or on the command line.
-
-# Configuration data is parsed as follows:
-# 1. command line options
-# 2. user-specific file
-# 3. system-wide file
-# Any configuration value is only changed the first time it is set.
-# Thus, host-specific definitions should be at the beginning of the
-# configuration file, and defaults at the end.
-
-# Site-wide defaults for some commonly used options. For a comprehensive
-# list of available options, their meanings and defaults, please see the
-# ssh_config(5) man page.
-
-Host *
-# ForwardAgent no
-# ForwardX11 no
-# ForwardX11Trusted yes
-# RhostsRSAAuthentication no
-# RSAAuthentication yes
-# PasswordAuthentication yes
-# GSSAPIAuthentication no
-# GSSAPIDelegateCredentials no
-# GSSAPIKeyExchange no
-# GSSAPITrustDNS no
-# BatchMode no
-# CheckHostIP yes
-# AddressFamily any
-# ConnectTimeout 0
-# StrictHostKeyChecking ask
-# IdentityFile ~/.ssh/identity
-# IdentityFile ~/.ssh/id_rsa
-# IdentityFile ~/.ssh/id_dsa
-# Port 22
-# Protocol 2,1
-# Cipher 3des
-# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
-# MACs hmac-md5,hmac-sha1,umac...@openssh.com,hmac-ripemd160
-# EscapeChar ~
-# Tunnel no
-# TunnelDevice any:any
-# PermitLocalCommand no
-# VisualHostKey no
-# ProxyCommand ssh -q -W %h:%p gateway.example.com
- SendEnv LANG LC_*
- HashKnownHosts yes
- GSSAPIAuthentication yes
- GSSAPIDelegateCredentials no
-
-# Enable accessing other hosts with host-based authentication.
-HostbasedAuthentication yes
-EnableSSHKeysign yes
diff --git a/modules/toollabs/manifests/bastion.pp b/modules/toollabs/manifests/bastion.pp
index 73e002c..1489ba1 100644
--- a/modules/toollabs/manifests/bastion.pp
+++ b/modules/toollabs/manifests/bastion.pp
@@ -11,19 +11,11 @@ # Sample Usage: # class toollabs::bastion inherits toollabs { - - include gridengine::submit_host, - gridengine::admin_host, - toollabs::exec_environ, - toollabs::dev_environ - - file { '/etc/ssh/ssh_config': - ensure => file, - mode => '0444', - owner => 'root', - group => 'root', - source => 'puppet:///modules/toollabs/submithost-ssh_config', - } + include gridengine::admin_host + include gridengine::submit_host + include toollabs::dev_environ + include toollabs::exec_environ + include toollabs::hba::client # webservice-new command package { 'toollabs-webservice': diff --git a/modules/toollabs/manifests/cronrunner.pp b/modules/toollabs/manifests/cronrunner.pp index 8a468d3..1547be6 100644 --- a/modules/toollabs/manifests/cronrunner.pp +++ b/modules/toollabs/manifests/cronrunner.pp @@ -1,7 +1,8 @@ class toollabs::cronrunner { - include gridengine::submit_host, - toollabs::hba, - toollabs + include gridengine::submit_host + include toollabs + include toollabs::hba + include toollabs::hba::client # We need to include exec environment here since the current # version of jsub checks the local environment to find the full @@ -10,14 +11,6 @@ # nodes. This is kind of terrible, so we need to fix that eventually. # Until then... include toollabs::exec_environ - - file { '/etc/ssh/ssh_config': - ensure => file, - mode => '0444', - owner => 'root', - group => 'root', - source => 'puppet:///modules/toollabs/submithost-ssh_config', - } motd::script { 'submithost-banner': ensure => present, diff --git a/modules/toollabs/manifests/hba/client.pp b/modules/toollabs/manifests/hba/client.pp new file mode 100644 index 0000000..45dc985 --- /dev/null +++ b/modules/toollabs/manifests/hba/client.pp 
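Review bot: With the `file { '/etc/ssh/ssh_config': ... }` resource gone, Puppet no longer manages the client config on bastions as a whole: instances that already received the managed copy keep it (mode 0444, content as deleted in submithost-ssh_config), new instances keep whatever the openssh-client package ships, and `HashKnownHosts yes` / `GSSAPIDelegateCredentials no` are no longer enforced anywhere. The deleted file appears to be the stock ssh_config with the two HBA lines appended, so the package defaults presumably match today, but drift will not be corrected and the two populations of instances can diverge. If those two settings are intentional, give them `file_line` resources of their own (in `toollabs::hba::client` or a sibling class); otherwise record the decision in the class header, e.g. `# /etc/ssh/ssh_config is left at the package default; only the HBA directives are managed (toollabs::hba::client).` The body of toollabs::bastion continues past the end of the hunk.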
@@ -0,0 +1,19 @@ +# Class: toollabs::hba::client +# +# This class configures an instance to enable outgoing ssh connections +# with host-based authentication. +class toollabs::hba::client { + file_line { 'ssh_config_hostbasedauthentication': + ensure => present, + path => '/etc/ssh/ssh_config', + line => 'HostbasedAuthentication yes', + match => '^ *HostbasedAuthentication\b', + } + + file_line { 'ssh_config_enablesshkeysign': + ensure => present, + path => '/etc/ssh/ssh_config', + line => 'EnableSSHKeysign yes', + match => '^ *EnableSSHKeysign\b', + } +} diff --git a/modules/toollabs/manifests/submit.pp b/modules/toollabs/manifests/submit.pp index 3aa3748..dd8b0db 100644 --- a/modules/toollabs/manifests/submit.pp +++ b/modules/toollabs/manifests/submit.pp @@ -13,17 +13,9 @@ # Sample Usage: # class toollabs::submit inherits toollabs { - - include gridengine::submit_host, - toollabs::hba - - file { '/etc/ssh/ssh_config': - ensure => file, - mode => '0444', - owner => 'root', - group => 'root', - source => 'puppet:///modules/toollabs/submithost-ssh_config', - } + include gridengine::submit_host + include toollabs::hba + include toollabs::hba::client motd::script { 'submithost-banner': ensure => present, -- To view, visit https://gerrit.wikimedia.org/r/267832 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I7c90928981c9bd71f5de061ad9aafb1b887a9890 Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Tim Landscheidt <t...@tim-landscheidt.de> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
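Review bot: The `match` patterns in both `file_line` resources are case-sensitive and accept only leading spaces, but ssh_config keywords are case-insensitive and ssh honours the first occurrence of an option, so a pre-existing `hostbasedauthentication no` or a tab-indented directive would not be matched and the appended `yes` line would be silently ignored; use `match => '(?i)^\s*HostbasedAuthentication\b',` and `match => '(?i)^\s*EnableSSHKeysign\b',`. The appended lines also land at the end of the file and therefore belong to whichever `Host`/`Match` block is last — presumably the trailing `Host *` of the stock file, in which case they apply globally, but that assumption should be stated in the class comment. Since `EnableSSHKeysign yes` allows the setuid ssh-keysign helper to sign with this host's private key on behalf of any local user, I would add to the header: `# NOTE: EnableSSHKeysign lets every local user authenticate as this host to any server that trusts its host key; include this class only on instances that are meant to be trusted.`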