Changeset 1179


Timestamp:
Feb 11, 2011, 12:17:49 PM (9 years ago)
Author:
Bruno Cornec
Message:

r4166@localhost: bruno | 2011-02-11 11:55:19 +0100

  • Adds support for RM (Remote Machines) in addition to VE/VM
  • Detail security aspects in pb, especially for RM setup with sudo (to be improved) in file SECURITY in pb-doc
  • Use some full path names for commands to improve security with sudo (for RM). This should be externalized later on to support OS contexts.
  • pb_get_port function now needs the ref to the pbos
  • pb_get_sudocmds function added to provide the external list of commands called by sudo in osupd or osins
  • Adds codenames for Debian 6.0 and Ubuntu 11.04


Location:
devel
Files:
1 added
2 edited

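--- a/devel/pb-modules/etc/pb.conf
+++ b/devel/pb-modules/etc/pb.conf
@@ -205,6 +205,6 @@
 osupd du = sudo apt-get update; export DEBIAN_FRONTEND="noninteractive"; apt-get --quiet -y --force-yes dist-upgrade
 osupd gen = sudo emerge --update --deep world; sudo revdep-rebuild
-osupd rpm = sudo yum clean all; sudo yum -y update
-osupd md = sudo urpmi.update -a ; sudo urpmi --auto --auto-select
+osupd rpm = sudo /usr/bin/yum clean all; sudo /usr/bin/yum -y update
+osupd md = sudo /usr/bin/urpmi.update -a ; sudo /usr/sbin/urpmi --auto --auto-select
 osupd opensuse = sudo zypper -n update
 osupd sol = /bin/true
@@ -215,9 +215,9 @@
 osins du = sudo apt-get update ; sudo apt-get -y install
 osins gen = sudo emerge
-osins rpm = sudo yum clean all; sudo yum -y update ; sudo yum -y install
+osins rpm = sudo /usr/bin/yum clean all; sudo /usr/bin/yum -y update ; sudo /usr/bin/yum -y install
 osins rhel-2.1 = sudo up2date -y
 osins rhel-3 = sudo up2date -y
 osins rhel-4 = sudo up2date -y
-osins md = sudo urpmi.update -a ; sudo urpmi --auto
+osins md = sudo /usr/bin/urpmi.update -a ; sudo /usr/sbin/urpmi --auto
 osins novell = export TERM=linux ; export PATH=\$PATH:/sbin:/usr/sbin ; sudo yast2 -i
 osins opensuse-10.2 = sudo yes | zypper install
@@ -444,4 +444,5 @@
 oscodename debian-4.0 = etch
 oscodename debian-5.0 = lenny
+oscodename debian-6.0 = squeeze
 oscodename ubuntu-6.06 = dapper
 oscodename ubuntu-7.04 = feisty
@@ -453,4 +454,5 @@
 oscodename ubuntu-10.04 = lucid
 oscodename ubuntu-10.10 = maverick
+oscodename ubuntu-11.04 = natty
 
 # Commands needed on the underlying system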
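Review bot: The absolute-path hardening in the first two hunks covers only yum and urpmi, while `osupd opensuse = sudo zypper -n update`, `osins du = sudo apt-get update ; sudo apt-get -y install`, `osins gen = sudo emerge` and the `up2date`/`yast2` entries stay unqualified in the same hunks. This matters now because the pb side of this changeset turns these `sudo ...` fragments into sudoers `NOPASSWD` command entries, and sudoers(5) only accepts fully qualified Cmnd pathnames, so a bare `apt-get` or `zypper` entry would, as far as I can tell, make visudo reject the generated file; the remaining entries should get paths too, e.g. `osins du = sudo /usr/bin/apt-get update ; sudo /usr/bin/apt-get -y install`, or the externalization the message mentions should land first. Also note that a Cmnd with arguments matches only those exact arguments unless a wildcard is given, so `/usr/bin/yum -y install` would not authorize `yum -y install <pkg>` — confirm the intended matching on a target before relying on the allow-list.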
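--- a/devel/pb/bin/pb
+++ b/devel/pb/bin/pb
@@ -1505,5 +1505,5 @@
             ($pbver,$pbtag) = split(/-/,$vertag);
 
-            if (($cmt eq "Sources") || ($cmt =~ /V[EM]build/)) {
+            if (($cmt eq "Sources") || ($cmt =~ /(V[EM]|RM)build/)) {
                 $src = "$src $ENV{'PBDESTDIR'}/$pbpkg-$pbver.tar.gz $ENV{'PBDESTDIR'}/$pbpkg-$pbver.pbconf.tar.gz";
                 if ($cmd eq "") {
@@ -1769,5 +1769,5 @@
 
     # Useless for VE
-    my $nport = pb_get_port($sshport->{$ENV{'PBPROJ'}},$cmt) if ($cmt !~ /^VE/);
+    my $nport = pb_get_port($sshport,$pbos,$cmt) if ($cmt !~ /^VE/);
 
     # Remove a potential $ENV{'HOME'} as tdir should be relative to pb's home
@@ -1782,5 +1782,4 @@
     # should use a hash instead...
     my ($shcmd,$cpcmd,$cptarget,$cp2target);
-    my ($odir,$over,$oarch);
     if ($cmt !~ /^VE/) {
         my $keyfile = pb_ssh_get(0);
@@ -1793,14 +1792,13 @@
     } else {
         my $tp = $vepath->{$ENV{'PBPROJ'}};
-        ($odir,$over,$oarch) = split(/-/,$v);
-        my $tpdir = "$tp/$odir/$over/$oarch";
+        my $tpdir = "$tp/$pbos->{'name'}/$pbos->{'version'}/$pbos->{'arch'}";
         my ($ptr) = pb_conf_get("vetype");
         my $vetype = $ptr->{$ENV{'PBPROJ'}};
         if ($vetype eq "chroot") {
-            $shcmd = "sudo chroot $tpdir /bin/su - $mac -c ";
+            $shcmd = "sudo /usr/sbin/chroot $tpdir /bin/su - $mac -c ";
         } elsif ($vetype eq "schroot") {
             $shcmd = "schroot $tp -u $mac -- ";
         }
-        $cpcmd = "sudo cp -r ";
+        $cpcmd = "sudo /bin/cp -r ";
         # We need to get the home dir of the target account to deliver in the right place
         open(PASS,"$tpdir/etc/passwd") || die "Unable to open $tpdir/etc/passwd";
@@ -1859,5 +1857,5 @@
 
             $src =~ s/^ *//;
-            pb_mkdir_p("$ENV{'PBBUILDDIR'}/$odir/$over/$oarch");
+            pb_mkdir_p("$ENV{'PBBUILDDIR'}/$pbos->{'name'}/$pbos->{'version'}/$pbos->{'arch'}");
             # Change pgben to make the next send2target happy
             my $made = "";
@@ -1873,6 +1871,6 @@
             foreach my $p (split(/ +/,$src)) {
                 my $j = basename($p);
-                pb_system("$cpcmd $cp2target/$delim$p$delim $ENV{'PBBUILDDIR'}/$odir/$over/$oarch 2> /dev/null","Recovery of package $j in $ENV{'PBBUILDDIR'}/$odir/$over/$oarch");
-                $made="$made $odir/$over/$oarch/$j"; # if (($pbos->{'type'} ne "rpm") || ($j !~ /.src.rpm$/));
+                pb_system("$cpcmd $cp2target/$delim$p$delim $ENV{'PBBUILDDIR'}/$pbos->{'name'}/$pbos->{'version'}/$pbos->{'arch'} 2> /dev/null","Recovery of package $j in $ENV{'PBBUILDDIR'}/$pbos->{'name'}/$pbos->{'version'}/$pbos->{'arch'}");
+                $made="$made $pbos->{'name'}/$pbos->{'version'}/$pbos->{'arch'}/$j"; # if (($pbos->{'type'} ne "rpm") || ($j !~ /.src.rpm$/));
             }
             print KEEP "$made\n";
@@ -1892,6 +1890,6 @@
             undef $pbaccount;
             pb_log(2,"Before sending pkgs, vmexist: $vmexist, vmpid: $vmpid\n");
-            pb_send2target("Packages",$odir."-".$over."-".$oarch,$vmexist,$vmpid);
-            pb_rm_rf("$ENV{'PBBUILDDIR'}/$odir/$over/$oarch");
+            pb_send2target("Packages",$pbos->{'name'}."-".$pbos->{'version'}."-".$pbos->{'arch'},$vmexist,$vmpid);
+            pb_rm_rf("$ENV{'PBBUILDDIR'}/$pbos->{'name'}/$pbos->{'version'}/$pbos->{'arch'}");
         }
     }
@@ -1936,7 +1934,6 @@
     }
     if (($cmt =~ /^VE/) && ($snapme != 0)) {
-        ($odir,$over,$oarch) = split(/-/,$v);
-        my $tpdir = "$vepath->{$ENV{'PBPROJ'}}/$odir/$over/$oarch";
-        pb_system("sudo tar cz -f $vepath->{$ENV{'PBPROJ'}}/$odir-$over-$oarch.tar.gz -C $tpdir .","Creating a snapshot of $tpdir");
+        my $tpdir = "$vepath->{$ENV{'PBPROJ'}}/$pbos->{'name'}/$pbos->{'version'}/$pbos->{'arch'}";
+        pb_system("sudo tar cz -C $tpdir -f $vepath->{$ENV{'PBPROJ'}}/$pbos->{'name'}-$pbos->{'version'}-$pbos->{'arch'}.tar.gz .","Creating a snapshot of $tpdir");
     }
 }
@@ -2012,4 +2009,5 @@
     $v =~ s/,.*//;
 
+    my $pbos = pb_distro_get_context($v);
     my $arch = pb_get_arch();
 
@@ -2075,5 +2073,5 @@
             $ENV{'PBVMTMOUT'} = $vmtmout->{$ENV{'PBPROJ'}};
         }
-        my $nport = pb_get_port($vmport->{$ENV{'PBPROJ'}});
+        my $nport = pb_get_port($vmport,$pbos,$vtype);
    
         my $cmd;
@@ -2347,5 +2345,5 @@
 $date[1]++;
 my $upddate = strftime("%m%d%H%M%Y", @date);
-my $dateline = "sudo date $upddate";
+my $dateline = "sudo /bin/date $upddate";
 return($ntpline,$dateline);
 }
@@ -2409,5 +2407,5 @@
     # VE needs a good /proc
     if ($vtype eq "ve") {
-        print SCRIPT "sudo mount -t proc /proc /proc\n";
+        print SCRIPT "sudo /bin/mount -t proc /proc /proc\n";
     }
 
@@ -2459,5 +2457,5 @@
 
     if ($vtype eq "ve") {
-        print SCRIPT "sudo umount /proc\n";
+        print SCRIPT "sudo /bin/umount /proc\n";
     }
 
@@ -2711,5 +2709,5 @@
         my ($vmport,$vmntp);
         ($vmhost,$vmport,$vmntp) = pb_conf_get($vtype."host",$vtype."port",$vtype."ntp");
-        $nport = pb_get_port($vmport->{$ENV{'PBPROJ'}});
+        $nport = pb_get_port($vmport,$pbos,$vtype);
    
         # Skip that VM/RM if something went wrong
@@ -2795,5 +2793,5 @@
     }
 EOF
-    # TODO: Level of portability of these cmds ?
+    # TODO: Level of portability of these cmds ? Critical now for RM
     print SCRIPT << "EOF";
 pb_system("/usr/sbin/groupadd $pbac->{$ENV{'PBPROJ'}}","Adding group $pbac->{$ENV{'PBPROJ'}}");
@@ -2895,13 +2893,42 @@
 close(PBFILE);
 EOF
-    # TODO: To be refined for RM
     print SCRIPT << "EOF";
 # Some distro force requiretty at compile time, so disable here
 print PBOUT "Defaults:$pbac->{$ENV{'PBPROJ'}} !requiretty\n";
 print PBOUT "Defaults:root !requiretty\n";
-# This is needed in order to be able to halt the machine from the $pbac->{$ENV{'PBPROJ'}} account at least
+# Keep proxy configuration while using sudo
 print PBOUT "Defaults:$pbac->{$ENV{'PBPROJ'}} env_keep += \\\"http_proxy ftp_proxy\\\"\n";
+EOF
+    # Try to restrict security to what is really needed
+    if ($vtype =~ /^vm/) {
+        my $sudocmds = pb_get_sudocmds($pbos);
+        my $hpath = "/sbin";
+        # Solaris has halt elsewhere
+        if ($pbos->{'type'} eq "pkg") {
+            $hpath = "/usr/sbin";
+        }
+        print SCRIPT << "EOF";
+# This is needed in order to be able on VM to halt the machine from the $pbac->{$ENV{'PBPROJ'}} account at least
+# Build account $pbac->{$ENV{'PBPROJ'}} in VM also needs to setup date and install deps.
+# Nothing else should be needed
+print PBOUT "$pbac->{$ENV{'PBPROJ'}}   localhost=NOPASSWD:$hpath/halt\n";
+EOF
+        foreach my $c ($sudocmds) {
+            print SCRIPT "print PBOUT \"$pbac->{$ENV{'PBPROJ'}}   localhost=NOPASSWD:$c\n\"";
+        }
+    } elsif ($vtype =~ /^rm/) {
+        my $sudocmds = pb_get_sudocmds($pbos);
+        print SCRIPT << "EOF";
+# Build account $pbac->{$ENV{'PBPROJ'}} in RM only needs to setup date and install deps if needed each time
+EOF
+        foreach my $c ($sudocmds) {
+            print SCRIPT "print PBOUT \"$pbac->{$ENV{'PBPROJ'}}   localhost=NOPASSWD:$c\n\"";
+        }
+    } else {
+        print SCRIPT << "EOF";
+# Build account $pbac->{$ENV{'PBPROJ'}} for VE needs to do a lot in the host (and chroot), so allow without restriction for now
 print PBOUT "$pbac->{$ENV{'PBPROJ'}}   ALL=(ALL) NOPASSWD:ALL\n";
 EOF
+}
     print SCRIPT << 'EOF';
 close(PBOUT);
@@ -3126,9 +3153,9 @@
     # VE needs a good /proc
     if ($vtype eq "ve") {
-        print SCRIPT "sudo mount -t proc /proc /proc\n";
+        print SCRIPT "sudo /bin/mount -t proc /proc /proc\n";
     }
     print SCRIPT "$pbos->{'update'}\n";
     if ($vtype eq "ve") {
-        print SCRIPT "sudo umount /proc\n";
+        print SCRIPT "sudo /bin/umount /proc\n";
     }
     close(SCRIPT);
@@ -3596,13 +3623,20 @@
 
 my $port = shift;
+my $pbos = shift;
 my $cmt = shift;
+my $nport;
 
 die "No port passed in parameter. Report to dev team\n" if (not defined $port);
-pb_log(2,"pb_get_port with $port\n");
-my $nport = $port;
+# key is project on VM, but machine tuple for RM
+if ($cmt =~ /^RM/i) {
+    $nport = $port->{"$pbos->{'name'}-$pbos->{'version'}-$pbos->{'arch'}"};
+} else {
+    $nport = $port->{$ENV{'PBPROJ'}};
+}
+pb_log(2,"pb_get_port with $nport\n");
 # Maybe a port was given as parameter so overwrite
 $nport = "$pbport" if (defined $pbport);
 # Maybe in // mode so use the env var set up as an offset to the base port, except when called from send2target for Packages
-if ((not defined $cmt) || ($cmt ne "Packages")) {
+if ($cmt ne "Packages") {
     $nport += $ENV{'PBVMPORT'} if ((defined $pbparallel) && (defined $ENV{'PBVMPORT'}));
 }
@@ -3661,4 +3695,18 @@
 }
 
+sub pb_get_sudocmds {
+       
+my $pbos = shift;
+my @sudocmds;
+
+foreach my $c (split(/;/,$pbos->{'update'}),split(/;/,$pbos->{'install'})) {
+    next if ($c !~ /^sudo/);
+    $c =~ s/^sudo[ \t]+//;
+    push @sudocmds,$c;
+}
+pb_log(2,"pb_get_sudcomds returns ".Dumper(@sudocmds)."\n");
+return(@sudocmds);
+}
+
 
 1;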
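Review bot: In the sudoers-generation hunk, `my $sudocmds = pb_get_sudocmds($pbos);` calls the helper in scalar context, so `$sudocmds` receives the element count of the returned list and `foreach my $c ($sudocmds)` runs exactly once with that number, producing a rule like `pb   localhost=NOPASSWD:2` in both the vm and rm branches; it needs `my @sudocmds = pb_get_sudocmds($pbos);` and `foreach my $c (@sudocmds)`. In the same loops the `\n` in `print SCRIPT "print PBOUT \"...:$c\n\""` is interpolated by the outer string, so the generated script contains a `print PBOUT "..."` whose literal spans two lines and has no `;` before the following `close(PBOUT);` is appended — write it as `\\n\";\n`. The producer, pb_get_sudocmds at the end of this section, splits on `;` without trimming, so every fragment after the first begins with a space and fails `/^sudo/`; only the first sudo command of each `osupd`/`osins` string is ever granted, so strip leading whitespace before that test. Separately, sudo matches Cmnd arguments exactly unless a wildcard is used, so `/usr/bin/yum -y install` will not, as far as I can tell, authorize `yum -y install <pkg>`, and a `localhost` Host_List only matches a machine whose hostname is literally localhost — both worth confirming with visudo on a target.
```perl
    if ($vtype =~ /^vm/) {
        my @sudocmds = pb_get_sudocmds($pbos);
        # … unchanged: halt path selection and VM heredoc …
        foreach my $c (@sudocmds) {
            print SCRIPT "print PBOUT \"$pbac->{$ENV{'PBPROJ'}}   localhost=NOPASSWD:$c\\n\";\n";
        }
    } elsif ($vtype =~ /^rm/) {
        my @sudocmds = pb_get_sudocmds($pbos);
        # … unchanged: RM heredoc …
        foreach my $c (@sudocmds) {
            print SCRIPT "print PBOUT \"$pbac->{$ENV{'PBPROJ'}}   localhost=NOPASSWD:$c\\n\";\n";
        }
# … unchanged: VE branch …

sub pb_get_sudocmds {
# … unchanged: argument unpacking …
foreach my $c (split(/;/,$pbos->{'update'}),split(/;/,$pbos->{'install'})) {
    $c =~ s/^[ \t]+//;
    next if ($c !~ /^sudo/);
    $c =~ s/^sudo[ \t]+//;
    push @sudocmds,$c;
}
```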