From: Andrea Bolognani
To: libvir-list@redhat.com
Date: Wed, 18 Oct 2017 19:11:48 +0200
Message-Id: <20171018171151.12789-4-abologna@redhat.com>
In-Reply-To: <20171018171151.12789-1-abologna@redhat.com>
Subject: [libvirt] [libvirt-jenkins-ci PATCH v2 3/6] guests: Remove bootstrap phase

Having to bootstrap the guest as a separate phase is annoying and can be avoided by assuming the root password is well-known. This doesn't hurt security because we're going to be changing the root password with a user-provided one the first time Ansible is run; moreover, we only leave key-based SSH authentication enabled for the root user.

Signed-off-by: Andrea Bolognani
---
 guests/bootstrap.yml           | 15 ---------------
 guests/group_vars/all/main.yml |  5 +++++
 guests/lcitool                 | 25 +++++++++++++++++++++++++
 guests/site.yml                |  8 ++++++++
 guests/tasks/base.yml          | 11 ++++++++++-
 5 files changed, 48 insertions(+), 16 deletions(-)
 delete mode 100644 guests/bootstrap.yml

diff --git a/guests/bootstrap.yml b/guests/bootstrap.yml deleted file mode 100644 index 544dd9d..0000000 --- a/guests/bootstrap.yml +++ /dev/null
@@ -1,15 +0,0 @@ ---- -- hosts: all - gather_facts: no - - tasks: - - # Bootstrap Ansible itself - - include: tasks/bootstrap.yml - -- hosts: all - - tasks: - - # Prepare the base environment - - include: tasks/base.yml diff --git a/guests/group_vars/all/main.yml b/guests/group_vars/all/main.yml index 81b7d43..d24af59 100644 --- a/guests/group_vars/all/main.yml +++ b/guests/group_vars/all/main.yml @@ -1,6 +1,11 @@ --- ansible_user: root =20 +# This password is only used to access the guest the very first time +# Ansible is used: afterwards, the user's SSH key will have been installed +# in the guest and SSH password authentication will have been disabled +ansible_ssh_pass: root + jenkins_url: https://ci.centos.org/computer/{{ inventory_hostname }}/slave= -agent.jnlp =20 # Paths to various command. Can be overridden on a per-host basis diff --git a/guests/lcitool b/guests/lcitool index aaee5f9..10a72cf 100755 --- a/guests/lcitool +++ b/guests/lcitool @@ -12,6 +12,19 @@ die() { exit 1 } =20 +# hash_file PASS_FILE +# +# Generate a password hash from the contents of PASS_FILE. +hash_file() { + PASS_FILE=3D"$1" + + python2 -c " +import crypt +password =3D open('$PASS_FILE', 'r').read().strip() +print(crypt.crypt(password, + crypt.mksalt(crypt.METHOD_SHA512)))" +} + # ---------------------- # User-visible actions # ---------------------- 
@@ -44,11 +57,23 @@ do_prepare() { } =20 VAULT_PASS_FILE=3D"$CONFIG_DIR/vault-password" + ROOT_PASS_FILE=3D"$CONFIG_DIR/root-password" =20 # Make sure required passwords exist and are not invalid (empty) test -f "$VAULT_PASS_FILE" && test "$(cat "$VAULT_PASS_FILE")" || { die "$PROGRAM_NAME: $VAULT_PASS_FILE: Missing or invalid password" } + test -f "$ROOT_PASS_FILE" && test "$(cat "$ROOT_PASS_FILE")" || { + die "$PROGRAM_NAME: $ROOT_PASS_FILE: Missing or invalid password" + } + + ROOT_HASH_FILE=3D"$CONFIG_DIR/.root-password.hash" + + # Regenerate root password hash. Ansible expects passwords as hashes b= ut + # doesn't provide a built-in facility to generate one from plain text + hash_file "$ROOT_PASS_FILE" >"$ROOT_HASH_FILE" || { + die "$PROGRAM_NAME: Failure while hashing root password" + } =20 ansible-playbook \ --vault-password-file "$VAULT_PASS_FILE" \ diff --git a/guests/site.yml b/guests/site.yml index e6cf10d..9c75dcb 100644 --- a/guests/site.yml +++ b/guests/site.yml @@ -1,5 +1,13 @@ --- - hosts: all + gather_facts: no + + tasks: + + # Bootstrap Ansible itself + - include: tasks/bootstrap.yml + +- hosts: all =20 vars_files: - vars/mappings.yml diff --git a/guests/tasks/base.yml b/guests/tasks/base.yml index dd8d306..a9066e4 100644 --- a/guests/tasks/base.yml +++ b/guests/tasks/base.yml @@ -96,9 +96,10 @@ hostname: name: '{{ inventory_hostname }}' =20 -- name: Configure root shell +- name: Configure root password and shell user: name: root + password: '{{ lookup("file", lookup("env", "HOME") + "/.config/lcitool= /.root-password.hash") }}' shell: '{{ bash }}' =20 - name: Configure ssh access for the root user 
@@ -106,3 +107,11 @@ user: root key: '{{ lookup("file", lookup("env", "HOME") + "/.ssh/id_rsa.pub") }}' state: present + +- name: Disable password authentication for the root user + lineinfile: + path: /etc/ssh/sshd_config + regexp: '^#*\s*PermitRootLogin\s*.*$' + line: 'PermitRootLogin without-password' + state: present + backup: yes --=20 2.13.6 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
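Review bot: in the guests/group_vars/all/main.yml hunk, the comment above "ansible_ssh_pass: root" says SSH password authentication will have been disabled after the first run, but the only sshd change in this patch is "PermitRootLogin without-password" in tasks/base.yml, which stops password login for root only; either reword the comment or add "PasswordAuthentication no" if the intent is really to disable it. Two further points for this hunk: password-based SSH in Ansible needs sshpass on the controller, which do_prepare neither checks for nor documents, and between guest installation and the first playbook run the guest accepts root/root from anyone who can reach it over the network, so that window should be called out as something to keep short.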
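Review bot: in the guests/lcitool hash_file hunk, crypt.mksalt() and crypt.METHOD_SHA512 were added in Python 3.3 and do not exist in the Python 2 crypt module, so running this snippet under python2 raises AttributeError and do_prepare will always die with "Failure while hashing root password". Either run it under python3, or for python2 build the salt yourself: '$6$' + 16 characters drawn from random.SystemRandom() over string.ascii_letters + string.digits, then crypt.crypt(password, salt). Minor: $PASS_FILE is spliced into Python source between single quotes, so a path containing a quote breaks the program; having the shell feed the file on stdin and reading sys.stdin.read().strip() in Python avoids the interpolation entirely.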
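Review bot: in the do_prepare hunk of guests/lcitool, the redirection into "$ROOT_HASH_FILE" creates the hash file with the caller's default umask and leaves it in $CONFIG_DIR after the run; since it holds an offline-crackable SHA-512 crypt of the root password it should be created under a restrictive umask, e.g. "( umask 077; hash_file "$ROOT_PASS_FILE" >"$ROOT_HASH_FILE" )", and removed once ansible-playbook returns. Also, the hash is written to "$CONFIG_DIR/.root-password.hash" here while the tasks/base.yml hunk reads it from the hard-coded path "$HOME/.config/lcitool/.root-password.hash"; if CONFIG_DIR can ever differ from that location the "Configure root password and shell" task fails on the file lookup, so it would be cleaner to pass the hash (or its path) to the playbook with "-e" instead of duplicating the path in two files.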
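Review bot: in the tasks/base.yml hunk adding "Disable password authentication for the root user", lineinfile appends the new line at the end of /etc/ssh/sshd_config when the regexp matches nothing; on a configuration that ends with a Match block the directive then lands inside that block and applies only to those connections, leaving root password login permitted for everyone else. Add "insertbefore: BOF" so the fallback placement is at the top of the file. Nothing reloads sshd after the edit either, so the new setting only takes effect on the next sshd restart; notify a handler that reloads the service from this task. Note too that "without-password" has been a deprecated alias of "prohibit-password" since OpenSSH 7.0; it still works on the distributions this targets, but the modern spelling is worth a comment.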