Changeset 1179

Timestamp:

02/11/11 12:17:49 (2 years ago)

Author:

bruno

Message:

r4166@localhost: bruno | 2011-02-11 11:55:19 +0100

• Adds support for RM (Romte Machines) in addition to VE/VM
• Detail security aspects in pb, especially for RM setup with sudo (to be improved) in file SECURITY in pb-doc
• Use some full path names for commands to improve security with sudo (for RM). This should be externalized later on to support OS contexts.
• pb_get_port function now needs the ref to the pbos
• pb_get_sudocmds function added to provide the external list of commands called by sudo in osupd or osins
• Adds codenames for Debian 6.0 and Ubuntu 11.04

Location:

devel

Files:

• pb-doc/SECURITY (added)
• pb-modules/etc/pb.conf (modified) (4 diffs)
• pb/bin/pb (modified) (19 diffs)

devel/pb-modules/etc/pb.conf

@@ -205 +205 @@
 osupd du = sudo apt-get update; export DEBIAN_FRONTEND="noninteractive"; apt-get --quiet -y --force-yes dist-upgrade
 osupd gen = sudo emerge --update --deep world; sudo revdep-rebuild
-osupd rpm = sudo yum clean all; sudo yum -y update
-osupd md = sudo urpmi.update -a ; sudo urpmi --auto --auto-select
+osupd rpm = sudo /usr/bin/yum clean all; sudo /usr/bin/yum -y update
+osupd md = sudo /usr/bin/urpmi.update -a ; sudo /usr/sbin/urpmi --auto --auto-select
 osupd opensuse = sudo zypper -n update
 osupd sol = /bin/true
@@ -215 +215 @@
 osins du = sudo apt-get update ; sudo apt-get -y install 
 osins gen = sudo emerge 
-osins rpm = sudo yum clean all; sudo yum -y update ; sudo yum -y install 
+osins rpm = sudo /usr/bin/yum clean all; sudo /usr/bin/yum -y update ; sudo /usr/bin/yum -y install 
 osins rhel-2.1 = sudo up2date -y 
 osins rhel-3 = sudo up2date -y 
 osins rhel-4 = sudo up2date -y 
-osins md = sudo urpmi.update -a ; sudo urpmi --auto 
+osins md = sudo /usr/bin/urpmi.update -a ; sudo /usr/sbin/urpmi --auto 
 osins novell = export TERM=linux ; export PATH=\$PATH:/sbin:/usr/sbin ; sudo yast2 -i 
 osins opensuse-10.2 = sudo yes | zypper install
@@ -444 +444 @@
 oscodename debian-4.0 = etch
 oscodename debian-5.0 = lenny
+oscodename debian-6.0 = squeeze
 oscodename ubuntu-6.06 = dapper
 oscodename ubuntu-7.04 = feisty
@@ -453 +454 @@
 oscodename ubuntu-10.04 = lucid
 oscodename ubuntu-10.10 = maverick
+oscodename ubuntu-11.04 = natty
 
 # Commands needed on the underlying system

devel/pb/bin/pb

@@ -1505 +1505 @@
             ($pbver,$pbtag) = split(/-/,$vertag);
 
-            if (($cmt eq "Sources") || ($cmt =~ /V[EM]build/)) {
+            if (($cmt eq "Sources") || ($cmt =~ /(V[EM]|RM)build/)) {
                 $src = "$src $ENV{'PBDESTDIR'}/$pbpkg-$pbver.tar.gz $ENV{'PBDESTDIR'}/$pbpkg-$pbver.pbconf.tar.gz";
                 if ($cmd eq "") {
@@ -1769 +1769 @@
 
     # Useless for VE 
-    my $nport = pb_get_port($sshport->{$ENV{'PBPROJ'}},$cmt) if ($cmt !~ /^VE/);
+    my $nport = pb_get_port($sshport,$pbos,$cmt) if ($cmt !~ /^VE/);
 
     # Remove a potential $ENV{'HOME'} as tdir should be relative to pb's home
@@ -1782 +1782 @@
     # should use a hash instead...
     my ($shcmd,$cpcmd,$cptarget,$cp2target);
-    my ($odir,$over,$oarch);
     if ($cmt !~ /^VE/) {
         my $keyfile = pb_ssh_get(0);
@@ -1793 +1792 @@
     } else {
         my $tp = $vepath->{$ENV{'PBPROJ'}};
-        ($odir,$over,$oarch) = split(/-/,$v);
-        my $tpdir = "$tp/$odir/$over/$oarch";
+        my $tpdir = "$tp/$pbos->{'name'}/$pbos->{'version'}/$pbos->{'arch'}";
         my ($ptr) = pb_conf_get("vetype");
         my $vetype = $ptr->{$ENV{'PBPROJ'}};
         if ($vetype eq "chroot") {
-            $shcmd = "sudo chroot $tpdir /bin/su - $mac -c ";
+            $shcmd = "sudo /usr/sbin/chroot $tpdir /bin/su - $mac -c ";
         } elsif ($vetype eq "schroot") {
             $shcmd = "schroot $tp -u $mac -- ";
         }
-        $cpcmd = "sudo cp -r ";
+        $cpcmd = "sudo /bin/cp -r ";
         # We need to get the home dir of the target account to deliver in the right place
         open(PASS,"$tpdir/etc/passwd") || die "Unable to open $tpdir/etc/passwd";
@@ -1859 +1857 @@
 
             $src =~ s/^ *//;
-            pb_mkdir_p("$ENV{'PBBUILDDIR'}/$odir/$over/$oarch");
+            pb_mkdir_p("$ENV{'PBBUILDDIR'}/$pbos->{'name'}/$pbos->{'version'}/$pbos->{'arch'}");
             # Change pgben to make the next send2target happy
             my $made = "";
@@ -1873 +1871 @@
             foreach my $p (split(/ +/,$src)) {
                 my $j = basename($p);
-                pb_system("$cpcmd $cp2target/$delim$p$delim $ENV{'PBBUILDDIR'}/$odir/$over/$oarch 2> /dev/null","Recovery of package $j in $ENV{'PBBUILDDIR'}/$odir/$over/$oarch");
-                $made="$made $odir/$over/$oarch/$j"; # if (($pbos->{'type'} ne "rpm") || ($j !~ /.src.rpm$/));
+                pb_system("$cpcmd $cp2target/$delim$p$delim $ENV{'PBBUILDDIR'}/$pbos->{'name'}/$pbos->{'version'}/$pbos->{'arch'} 2> /dev/null","Recovery of package $j in $ENV{'PBBUILDDIR'}/$pbos->{'name'}/$pbos->{'version'}/$pbos->{'arch'}");
+                $made="$made $pbos->{'name'}/$pbos->{'version'}/$pbos->{'arch'}/$j"; # if (($pbos->{'type'} ne "rpm") || ($j !~ /.src.rpm$/));
             }
             print KEEP "$made\n";
@@ -1892 +1890 @@
             undef $pbaccount;
             pb_log(2,"Before sending pkgs, vmexist: $vmexist, vmpid: $vmpid\n");
-            pb_send2target("Packages",$odir."-".$over."-".$oarch,$vmexist,$vmpid);
-            pb_rm_rf("$ENV{'PBBUILDDIR'}/$odir/$over/$oarch");
+            pb_send2target("Packages",$pbos->{'name'}."-".$pbos->{'version'}."-".$pbos->{'arch'},$vmexist,$vmpid);
+            pb_rm_rf("$ENV{'PBBUILDDIR'}/$pbos->{'name'}/$pbos->{'version'}/$pbos->{'arch'}");
         }
     }
@@ -1936 +1934 @@
     }
     if (($cmt =~ /^VE/) && ($snapme != 0)) {
-        ($odir,$over,$oarch) = split(/-/,$v);
-        my $tpdir = "$vepath->{$ENV{'PBPROJ'}}/$odir/$over/$oarch";
-        pb_system("sudo tar cz -f $vepath->{$ENV{'PBPROJ'}}/$odir-$over-$oarch.tar.gz -C $tpdir .","Creating a snapshot of $tpdir");
+        my $tpdir = "$vepath->{$ENV{'PBPROJ'}}/$pbos->{'name'}/$pbos->{'version'}/$pbos->{'arch'}";
+        pb_system("sudo tar cz -C $tpdir -f $vepath->{$ENV{'PBPROJ'}}/$pbos->{'name'}-$pbos->{'version'}-$pbos->{'arch'}.tar.gz .","Creating a snapshot of $tpdir");
     }
 }
@@ -2012 +2009 @@
     $v =~ s/,.*//;
 
+    my $pbos = pb_distro_get_context($v);
     my $arch = pb_get_arch();
 
@@ -2075 +2073 @@
             $ENV{'PBVMTMOUT'} = $vmtmout->{$ENV{'PBPROJ'}};
         }
-        my $nport = pb_get_port($vmport->{$ENV{'PBPROJ'}});
+        my $nport = pb_get_port($vmport,$pbos,$vtype);
     
         my $cmd;
@@ -2347 +2345 @@
 $date[1]++;
 my $upddate = strftime("%m%d%H%M%Y", @date);
-my $dateline = "sudo date $upddate";
+my $dateline = "sudo /bin/date $upddate";
 return($ntpline,$dateline);
 }
@@ -2409 +2407 @@
     # VE needs a good /proc
     if ($vtype eq "ve") {
-        print SCRIPT "sudo mount -t proc /proc /proc\n";
+        print SCRIPT "sudo /bin/mount -t proc /proc /proc\n";
     }
 
@@ -2459 +2457 @@
 
     if ($vtype eq "ve") {
-        print SCRIPT "sudo umount /proc\n";
+        print SCRIPT "sudo /bin/umount /proc\n";
     }
 
@@ -2711 +2709 @@
         my ($vmport,$vmntp);
         ($vmhost,$vmport,$vmntp) = pb_conf_get($vtype."host",$vtype."port",$vtype."ntp");
-        $nport = pb_get_port($vmport->{$ENV{'PBPROJ'}});
+        $nport = pb_get_port($vmport,$pbos,$vtype);
     
         # Skip that VM/RM if something went wrong
@@ -2795 +2793 @@
     }
 EOF
-    # TODO: Level of portability of these cmds ?
+    # TODO: Level of portability of these cmds ? Critical now for RM
     print SCRIPT << "EOF";
 pb_system("/usr/sbin/groupadd $pbac->{$ENV{'PBPROJ'}}","Adding group $pbac->{$ENV{'PBPROJ'}}");
@@ -2895 +2893 @@
 close(PBFILE);
 EOF
-    # TODO: To be refined for RM
     print SCRIPT << "EOF";
 # Some distro force requiretty at compile time, so disable here
 print PBOUT "Defaults:$pbac->{$ENV{'PBPROJ'}} !requiretty\n";
 print PBOUT "Defaults:root !requiretty\n";
-# This is needed in order to be able to halt the machine from the $pbac->{$ENV{'PBPROJ'}} account at least
+# Keep proxy configuration while using sudo
 print PBOUT "Defaults:$pbac->{$ENV{'PBPROJ'}} env_keep += \\\"http_proxy ftp_proxy\\\"\n";
+EOF
+    # Try to restrict security to what is really needed
+    if ($vtype =~ /^vm/) {
+        my $sudocmds = pb_get_sudocmds($pbos);
+        my $hpath = "/sbin";
+        # Solaris has halt elsewhere
+        if ($pbos->{'type'} eq "pkg") {
+            $hpath = "/usr/sbin";
+        }
+        print SCRIPT << "EOF";
+# This is needed in order to be able on VM to halt the machine from the $pbac->{$ENV{'PBPROJ'}} account at least
+# Build account $pbac->{$ENV{'PBPROJ'}} in VM also needs to setup date and install deps.
+# Nothing else should be needed
+print PBOUT "$pbac->{$ENV{'PBPROJ'}}   localhost=NOPASSWD:$hpath/halt\n";
+EOF
+        foreach my $c ($sudocmds) {
+            print SCRIPT "print PBOUT \"$pbac->{$ENV{'PBPROJ'}}   localhost=NOPASSWD:$c\n\"";
+        }
+    } elsif ($vtype =~ /^rm/) {
+        my $sudocmds = pb_get_sudocmds($pbos);
+        print SCRIPT << "EOF";
+# Build account $pbac->{$ENV{'PBPROJ'}} in RM only needs to setup date and install deps if needed each time
+EOF
+        foreach my $c ($sudocmds) {
+            print SCRIPT "print PBOUT \"$pbac->{$ENV{'PBPROJ'}}   localhost=NOPASSWD:$c\n\"";
+        }
+    } else {
+        print SCRIPT << "EOF";
+# Build account $pbac->{$ENV{'PBPROJ'}} for VE needs to do a lot in the host (and chroot), so allow without restriction for now
 print PBOUT "$pbac->{$ENV{'PBPROJ'}}   ALL=(ALL) NOPASSWD:ALL\n";
 EOF
+}
     print SCRIPT << 'EOF';
 close(PBOUT);
@@ -3126 +3153 @@
     # VE needs a good /proc
     if ($vtype eq "ve") {
-        print SCRIPT "sudo mount -t proc /proc /proc\n";
+        print SCRIPT "sudo /bin/mount -t proc /proc /proc\n";
     }
     print SCRIPT "$pbos->{'update'}\n";
     if ($vtype eq "ve") {
-        print SCRIPT "sudo umount /proc\n";
+        print SCRIPT "sudo /bin/umount /proc\n";
     }
     close(SCRIPT);
@@ -3596 +3623 @@
 
 my $port = shift;
+my $pbos = shift;
 my $cmt = shift;
+my $nport;
 
 die "No port passed in parameter. Report to dev team\n" if (not defined $port);
-pb_log(2,"pb_get_port with $port\n");
-my $nport = $port;
+# key is project on VM, but machine tuple for RM
+if ($cmt =~ /^RM/i) {
+    $nport = $port->{"$pbos->{'name'}-$pbos->{'version'}-$pbos->{'arch'}"};
+} else {
+    $nport = $port->{$ENV{'PBPROJ'}};
+}
+pb_log(2,"pb_get_port with $nport\n");
 # Maybe a port was given as parameter so overwrite
 $nport = "$pbport" if (defined $pbport);
 # Maybe in // mode so use the env var set up as an offset to the base port, except when called from send2target for Packages
-if ((not defined $cmt) || ($cmt ne "Packages")) {
+if ($cmt ne "Packages") {
     $nport += $ENV{'PBVMPORT'} if ((defined $pbparallel) && (defined $ENV{'PBVMPORT'}));
 }
@@ -3661 +3695 @@
 }
 
+sub pb_get_sudocmds { 
+        
+my $pbos = shift;
+my @sudocmds;
+
+foreach my $c (split(/;/,$pbos->{'update'}),split(/;/,$pbos->{'install'})) {
+    next if ($c !~ /^sudo/);
+    $c =~ s/^sudo[ \t]+//;
+    push @sudocmds,$c;
+}
+pb_log(2,"pb_get_sudcomds returns ".Dumper(@sudocmds)."\n");
+return(@sudocmds);
+}
+
 
 1;