Index: /trunk/host/credit-card/host.py =================================================================== --- /trunk/host/credit-card/host.py (revision 2296) +++ /trunk/host/credit-card/host.py (revision 2297) @@ -11,10 +11,82 @@ HOST = socket.gethostname() -# XXX test server and wizard server - -# UIDs (sketchy): -# signup 102 -# fedora-ds 103 (sketchy, not true for b-b) -# logview 501 (really sketchy, since it's in the dynamic range) +PROD_GUESTS = frozenset([ + 'bees-knees', + 'cats-whiskers', + 'busy-beaver', + 'pancake-bunny', + 'whole-enchilada', + 'real-mccoy', + 'old-faithful', + 'better-mousetrap', + 'shining-armor', + 'golden-egg', + 'miracle-cure', + 'lucky-star', + ]) +WIZARD_GUESTS = frozenset([ + 'not-backward', + ]) + +COMMON_CREDS = {} + +# Format here assumes that we always chmod $USER:$USER, +# but note the latter refers to group... +# +# Important: no leading slashes! +COMMON_CREDS['all'] = [ + ('root', 0o600, 'root/.bashrc'), + ('root', 0o600, 'root/.screenrc'), + ('root', 0o600, 'root/.ssh/authorized_keys'), + ('root', 0o600, 'root/.ssh/authorized_keys2'), + ('root', 0o600, 'root/.vimrc'), + ('root', 0o600, 'root/.k5login'), + ] + +COMMON_CREDS['prod'] = [ + ('root', 0o600, 'root/.ldapvirc'), + ('root', 0o600, 'etc/ssh/ssh_host_dsa_key'), + ('root', 0o600, 'etc/ssh/ssh_host_key'), + ('root', 0o600, 'etc/ssh/ssh_host_rsa_key'), + ('root', 0o600, 'etc/pki/tls/private/scripts-1024.key'), + ('root', 0o600, 'etc/pki/tls/private/scripts.key'), + ('root', 0o600, 'etc/whoisd-password'), + ('afsagent', 0o600, 'etc/daemon.keytab'), + + ('root', 0o644, 'etc/ssh/ssh_host_dsa_key.pub'), + ('root', 0o644, 'etc/ssh/ssh_host_key.pub'), + ('root', 0o644, 'etc/ssh/ssh_host_rsa_key.pub'), + + ('sql', 0o600, 'etc/sql-mit-edu.cfg.php'), # technically doesn't have to be secret anymore + ('sql', 0o600, 'etc/sql-password'), + ('signup', 0o600, 'etc/signup-ldap-pw'), + ('logview', 0o600, 'home/logview/.k5login'), # XXX user must be created in Kickstart + ] + +# note that these are duplicates with 'prod', but the difference +# is that the files DIFFER between wizard and prod +COMMON_CREDS['wizard'] = [ + ('root', 0o600, 'etc/ssh/ssh_host_dsa_key'), + ('root', 0o600, 'etc/ssh/ssh_host_key'), + ('root', 0o600, 'etc/ssh/ssh_host_rsa_key'), + ('afsagent', 0o600, 'etc/daemon.keytab'), + + ('root', 0o644, 'etc/ssh/ssh_host_dsa_key.pub'), + ('root', 0o644, 'etc/ssh/ssh_host_key.pub'), + ('root', 0o644, 'etc/ssh/ssh_host_rsa_key.pub'), + ] + +MACHINE_CREDS = {} + +MACHINE_CREDS['all'] = [ + # XXX NEED TO CHECK THAT THE CONTENTS ARE SENSIBLE + ('root', 0o600, 'etc/krb5.keytab'), + ] + +MACHINE_CREDS['prod'] = [ + ('fedora-ds', 0o600, 'etc/dirsrv/keytab'), + ] + +MACHINE_CREDS['wizard'] = [] # Works for passwd and group, but be careful! They're different things! @@ -30,44 +102,4 @@ r[row[0]] = int(row[2]) return r - -# Format here assumes that we always chmod $USER:$USER ... -# but note the latter refers to group... -COMMON_CREDS = [ - ('root', 0o600, 'root/.bashrc'), - ('root', 0o600, 'root/.screenrc'), - ('root', 0o600, 'root/.ssh/authorized_keys'), - ('root', 0o600, 'root/.ssh/authorized_keys2'), - ('root', 0o600, 'root/.vimrc'), - ('root', 0o600, 'root/.k5login'), - # punted /root/.ssh/known_hosts - - # XXX user must be created in Kickstart - ('logview', 0o600, 'home/logview/.k5login'), - ] - -COMMON_PROD_CREDS = [ # important: no leading slashes! - ('root', 0o600, 'root/.ldapvirc'), - ('root', 0o600, 'etc/ssh/ssh_host_dsa_key'), - ('root', 0o600, 'etc/ssh/ssh_host_key'), - ('root', 0o600, 'etc/ssh/ssh_host_rsa_key'), - ('root', 0o600, 'etc/pki/tls/private/scripts-1024.key'), - ('root', 0o600, 'etc/pki/tls/private/scripts.key'), - ('root', 0o600, 'etc/whoisd-password'), - ('afsagent', 0o600, 'etc/daemon.keytab'), - - ('root', 0o644, 'etc/ssh/ssh_host_dsa_key.pub'), - ('root', 0o644, 'etc/ssh/ssh_host_key.pub'), - ('root', 0o644, 'etc/ssh/ssh_host_rsa_key.pub'), - - ('sql', 0o600, 'etc/sql-mit-edu.cfg.php'), # technically doesn't have to be secret anymore - ('sql', 0o600, 'etc/sql-password'), - ('signup', 0o600, 'etc/signup-ldap-pw'), - ] - -MACHINE_PROD_CREDS = [ - # XXX NEED TO CHECK THAT THESE ARE SENSIBLE - ('root', 0o600, 'etc/krb5.keytab'), - ('fedora-ds', 0o600, 'etc/dirsrv/keytab') - ] def drop_caches(): @@ -130,5 +162,5 @@ def main(): - usage = """usage: %prog [push|pull|pull-common] GUEST""" + usage = """usage: %prog [push|pull] [common|machine] GUEST""" parser = optparse.OptionParser(usage) @@ -136,5 +168,5 @@ # reasonable thing to always try parser.add_option('-t', '--types', dest="types", default="ext4,ext3", - help="filesystem type(s)") + help="filesystem type(s)") # same arg as 'mount' parser.add_option('--creds-dir', dest="creds_dir", default="/root/creds", help="directory to store/fetch credentials in") @@ -142,15 +174,23 @@ if not os.path.isdir(options.creds_dir): - raise Exception("/root/creds does not exist") # XXX STRING + raise Exception("%s does not exist" % options.creds_dir) # XXX check owned by root and appropriately chmodded os.umask(0o077) # overly restrictive - if len(args) != 2: + if len(args) != 3: parser.print_help() raise Exception("Wrong number of arguments") command = args[0] - guest = args[1] + files = args[1] + guest = args[2] + + if guest in PROD_GUESTS: + mode = 'prod' + elif guest in WIZARD_GUESTS: + mode = 'wizard' + else: + raise Exception("Unrecognized guest %s" % guest) with WithMount(guest, options.types) as tmp_mount: @@ -178,13 +218,21 @@ shutil.copyfile("%s/%s" % (tmp_mount, f), dest) + # XXX ideally we should check these *before* we mount, but Python + # makes that pretty annoying to do if command == "push": - push_files(COMMON_CREDS, 'common') - push_files(COMMON_PROD_CREDS, 'common') - push_files(MACHINE_PROD_CREDS, 'machine/%s' % guest) + run = push_files elif command == "pull": - pull_files(MACHINE_PROD_CREDS, 'machine/%s' % guest) - elif command == "pull-common": - pull_files(COMMON_CREDS, 'common') - pull_files(COMMON_PROD_CREDS, 'common') + run = pull_files + else: + raise Exception("Unknown command %s, valid values are 'push' and 'pull'" % command) + + if files == 'common': + run(COMMON_CREDS['all'], 'all') + run(COMMON_CREDS[mode], mode) + elif files == 'machine': + run(MACHINE_CREDS['all'], 'machine/%s' % guest) + run(MACHINE_CREDS[mode], 'machine/%s' % guest) + else: + raise Exception("Unknown file set %s, valid values are 'common' and 'machine'" % files) if __name__ == "__main__":