[libvirt] [libvirt-jenkins-ci PATCH 4/6] guests: Implement developer flavor

Andrea Bolognani posted 6 patches 7 years, 6 months ago
Posted by Andrea Bolognani 7 years, 6 months ago
The developer is given key-based SSH access to the guest and
granted passwordless sudo privilege for maximum convenience.

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
---
 guests/group_vars/all/main.yml               |  4 +++-
 guests/host_vars/libvirt-freebsd-10/main.yml |  1 +
 guests/host_vars/libvirt-freebsd-11/main.yml |  1 +
 guests/lcitool                               |  9 ++++++++-
 guests/site.yml                              |  5 +++++
 guests/tasks/developer.yml                   | 21 +++++++++++++++++++++
 6 files changed, 39 insertions(+), 2 deletions(-)
 create mode 100644 guests/tasks/developer.yml

diff --git a/guests/group_vars/all/main.yml b/guests/group_vars/all/main.yml
index d24af59..410077f 100644
--- a/guests/group_vars/all/main.yml
+++ b/guests/group_vars/all/main.yml
@@ -8,8 +8,10 @@ ansible_ssh_pass: root
 
 jenkins_url: https://ci.centos.org/computer/{{ inventory_hostname }}/slave-agent.jnlp
 
-# Paths to various command. Can be overridden on a per-host basis
+# Paths to various commands and files that might be OS-dependent. Can
+# be overridden on a per-host basis
 bash: /bin/bash
 java: /usr/bin/java
 make: /usr/bin/make
 sudo: /usr/bin/sudo
+sudoers: /etc/sudoers
diff --git a/guests/host_vars/libvirt-freebsd-10/main.yml b/guests/host_vars/libvirt-freebsd-10/main.yml
index 80d16d6..4f33c53 100644
--- a/guests/host_vars/libvirt-freebsd-10/main.yml
+++ b/guests/host_vars/libvirt-freebsd-10/main.yml
@@ -5,6 +5,7 @@ bash: /usr/local/bin/bash
 java: /usr/local/bin/java
 make: /usr/local/bin/gmake
 sudo: /usr/local/bin/sudo
+sudoers: /usr/local/etc/sudoers
 
 projects:
   - base
diff --git a/guests/host_vars/libvirt-freebsd-11/main.yml b/guests/host_vars/libvirt-freebsd-11/main.yml
index 80d16d6..4f33c53 100644
--- a/guests/host_vars/libvirt-freebsd-11/main.yml
+++ b/guests/host_vars/libvirt-freebsd-11/main.yml
@@ -5,6 +5,7 @@ bash: /usr/local/bin/bash
 java: /usr/local/bin/java
 make: /usr/local/bin/gmake
 sudo: /usr/local/bin/sudo
+sudoers: /usr/local/etc/sudoers
 
 projects:
   - base
diff --git a/guests/lcitool b/guests/lcitool
index bf270f1..018640b 100755
--- a/guests/lcitool
+++ b/guests/lcitool
@@ -141,6 +141,8 @@ do_install()
         die "$PROGRAM_NAME: $GUEST: Missing configuration, guest must be installed manually"
     }
 
+    load_config
+
     # Load configuration files. Values don't get overwritten after being
     # set the first time, so loading the host-specific configuration before
     # the group configuration ensures overrides work as expected
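Review bot: The new `load_config` call at the top of this hunk sits directly above the existing block commented "Load configuration files", and nothing in the visible lines says what it loads that the following block does not. If it is what supplies `$FLAVOR` for the autostart test later in do_install(), a one-line comment saying so would keep the two loading steps from being merged or reordered by mistake.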
@@ -158,6 +160,11 @@ do_install()
         *kickstart*|*ks*) EXTRA_ARGS="ks=file:/${INSTALL_CONFIG##*/}" ;;
     esac
 
+    # Only configure autostart for the guest for the ci flavor
+    test "$FLAVOR" = ci && {
+        AUTOSTART="--autostart"
+    }
+
     virt-install \
         --name "$GUEST" \
         --location "$INSTALL_URL" \
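Review bot: `AUTOSTART` is only assigned when `$FLAVOR` is `ci` and is never reset in the lines shown, so a value inherited from the caller's environment would reach virt-install through the unquoted `$AUTOSTART` in the next hunk. Setting `AUTOSTART=` just before the `test "$FLAVOR" = ci` line makes the non-ci case explicit.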
@@ -174,7 +181,7 @@ do_install()
         --sound none \
         --initrd-inject "$INSTALL_CONFIG" \
         --extra-args "console=ttyS0 $EXTRA_ARGS" \
-        --autostart \
+        $AUTOSTART \
         --wait 0
 }
 
diff --git a/guests/site.yml b/guests/site.yml
index 35e3220..76437bb 100644
--- a/guests/site.yml
+++ b/guests/site.yml
@@ -34,3 +34,8 @@
         - projects is defined
         # jenkins is a pseudo-project
         - ( 'jenkins' in projects )
+
+    # Configure the developer account
+    - include: tasks/developer.yml
+      when:
+        - flavor == 'developer'
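Review bot: The `flavor == 'developer'` condition has no `flavor is defined` guard, unlike the jenkins include just above, which checks `projects is defined` first. If the playbook can be run without a flavor being set, add `- flavor is defined` to the `when:` list or give the variable a default in group_vars.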
diff --git a/guests/tasks/developer.yml b/guests/tasks/developer.yml
new file mode 100644
index 0000000..1dad8fc
--- /dev/null
+++ b/guests/tasks/developer.yml
@@ -0,0 +1,21 @@
+---
+- name: Create developer user account
+  user:
+    name: developer
+    comment: Developer
+    password: $6$YEzeb0A3t7jn/IwW$oMPH0mpKPPeuABH3gKDom08rLccOKBm6CrXT/deBsdP77MjBHxwHQ5EJM0MAc/sOsGKCNX0zjYYjlXP.KNUmP0
+    shell: '{{ bash }}'
+
+- name: Configure ssh access for the developer
+  authorized_key:
+    user: developer
+    key: '{{ lookup("file", lookup("env", "HOME") + "/.ssh/id_rsa.pub") }}'
+    state: present
+
+- name: Grant passwordless sudo access to the developer
+  lineinfile:
+    path: '{{ sudoers }}'
+    line: 'developer ALL=(ALL) NOPASSWD: ALL'
+    state: present
+    backup: yes
+    validate: 'visudo -cf %s'
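Review bot: The `password:` line in the first task commits one fixed hash to the repository, so every developer guest gets the same password and the hash is readable by anyone with the source. Since the next task installs an SSH key and the last one grants NOPASSWD sudo, consider taking the hash from a variable the user sets, or dropping `password:` so the account is reachable by key only. Two smaller points: the `authorized_key` lookup assumes `~/.ssh/id_rsa.pub` exists and fails for users who only have another key type, so a configurable path would help; and `developer ALL=(ALL) NOPASSWD: ALL` goes into the main sudoers file, which is reasonable only because these guests are throwaway, something worth stating in a comment next to the task.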
-- 
2.13.6

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
Re: [libvirt] [libvirt-jenkins-ci PATCH 4/6] guests: Implement developer flavor
Posted by Pavel Hrdina 7 years, 6 months ago
On Thu, Oct 19, 2017 at 05:36:30PM +0200, Andrea Bolognani wrote:
> The developer is given key-based SSH access to the guest and
> granted passwordless sudo privilege for maximum convenience.
> 
> Signed-off-by: Andrea Bolognani <abologna@redhat.com>
> ---
>  guests/group_vars/all/main.yml               |  4 +++-
>  guests/host_vars/libvirt-freebsd-10/main.yml |  1 +
>  guests/host_vars/libvirt-freebsd-11/main.yml |  1 +
>  guests/lcitool                               |  9 ++++++++-
>  guests/site.yml                              |  5 +++++
>  guests/tasks/developer.yml                   | 21 +++++++++++++++++++++
>  6 files changed, 39 insertions(+), 2 deletions(-)
>  create mode 100644 guests/tasks/developer.yml
> 
> diff --git a/guests/group_vars/all/main.yml b/guests/group_vars/all/main.yml
> index d24af59..410077f 100644
> --- a/guests/group_vars/all/main.yml
> +++ b/guests/group_vars/all/main.yml
> @@ -8,8 +8,10 @@ ansible_ssh_pass: root
>  
>  jenkins_url: https://ci.centos.org/computer/{{ inventory_hostname }}/slave-agent.jnlp
>  
> -# Paths to various command. Can be overridden on a per-host basis
> +# Paths to various commands and files that might be OS-dependent. Can
> +# be overridden on a per-host basis
>  bash: /bin/bash
>  java: /usr/bin/java
>  make: /usr/bin/make
>  sudo: /usr/bin/sudo
> +sudoers: /etc/sudoers
> diff --git a/guests/host_vars/libvirt-freebsd-10/main.yml b/guests/host_vars/libvirt-freebsd-10/main.yml
> index 80d16d6..4f33c53 100644
> --- a/guests/host_vars/libvirt-freebsd-10/main.yml
> +++ b/guests/host_vars/libvirt-freebsd-10/main.yml
> @@ -5,6 +5,7 @@ bash: /usr/local/bin/bash
>  java: /usr/local/bin/java
>  make: /usr/local/bin/gmake
>  sudo: /usr/local/bin/sudo
> +sudoers: /usr/local/etc/sudoers
>  
>  projects:
>    - base
> diff --git a/guests/host_vars/libvirt-freebsd-11/main.yml b/guests/host_vars/libvirt-freebsd-11/main.yml
> index 80d16d6..4f33c53 100644
> --- a/guests/host_vars/libvirt-freebsd-11/main.yml
> +++ b/guests/host_vars/libvirt-freebsd-11/main.yml
> @@ -5,6 +5,7 @@ bash: /usr/local/bin/bash
>  java: /usr/local/bin/java
>  make: /usr/local/bin/gmake
>  sudo: /usr/local/bin/sudo
> +sudoers: /usr/local/etc/sudoers
>  
>  projects:
>    - base
> diff --git a/guests/lcitool b/guests/lcitool
> index bf270f1..018640b 100755
> --- a/guests/lcitool
> +++ b/guests/lcitool
> @@ -141,6 +141,8 @@ do_install()
>          die "$PROGRAM_NAME: $GUEST: Missing configuration, guest must be installed manually"
>      }
>  
> +    load_config
> +
>      # Load configuration files. Values don't get overwritten after being
>      # set the first time, so loading the host-specific configuration before
>      # the group configuration ensures overrides work as expected
> @@ -158,6 +160,11 @@ do_install()
>          *kickstart*|*ks*) EXTRA_ARGS="ks=file:/${INSTALL_CONFIG##*/}" ;;
>      esac
>  
> +    # Only configure autostart for the guest for the ci flavor
> +    test "$FLAVOR" = ci && {
> +        AUTOSTART="--autostart"
> +    }
> +
>      virt-install \
>          --name "$GUEST" \
>          --location "$INSTALL_URL" \
> @@ -174,7 +181,7 @@ do_install()
>          --sound none \
>          --initrd-inject "$INSTALL_CONFIG" \
>          --extra-args "console=ttyS0 $EXTRA_ARGS" \
> -        --autostart \
> +        $AUTOSTART \
>          --wait 0
>  }
>  
> diff --git a/guests/site.yml b/guests/site.yml
> index 35e3220..76437bb 100644
> --- a/guests/site.yml
> +++ b/guests/site.yml
> @@ -34,3 +34,8 @@
>          - projects is defined
>          # jenkins is a pseudo-project
>          - ( 'jenkins' in projects )
> +
> +    # Configure the developer account
> +    - include: tasks/developer.yml
> +      when:
> +        - flavor == 'developer'
> diff --git a/guests/tasks/developer.yml b/guests/tasks/developer.yml
> new file mode 100644
> index 0000000..1dad8fc
> --- /dev/null
> +++ b/guests/tasks/developer.yml
> @@ -0,0 +1,21 @@
> +---
> +- name: Create developer user account
> +  user:
> +    name: developer
> +    comment: Developer
> +    password: $6$YEzeb0A3t7jn/IwW$oMPH0mpKPPeuABH3gKDom08rLccOKBm6CrXT/deBsdP77MjBHxwHQ5EJM0MAc/sOsGKCNX0zjYYjlXP.KNUmP0

How about using "test:test" account?  "developer" is longer than "test"
if you need to type it or you don't want to configure your SSH config.

Is it possible to use plain password here?  There is no need to
encrypt it.

Pavel

> +    shell: '{{ bash }}'
> +
> +- name: Configure ssh access for the developer
> +  authorized_key:
> +    user: developer
> +    key: '{{ lookup("file", lookup("env", "HOME") + "/.ssh/id_rsa.pub") }}'
> +    state: present
> +
> +- name: Grant passwordless sudo access to the developer
> +  lineinfile:
> +    path: '{{ sudoers }}'
> +    line: 'developer ALL=(ALL) NOPASSWD: ALL'
> +    state: present
> +    backup: yes
> +    validate: 'visudo -cf %s'
> -- 
> 2.13.6
> 
> --
> libvir-list mailing list
> libvir-list@redhat.com
> https://www.redhat.com/mailman/listinfo/libvir-list
Re: [libvirt] [libvirt-jenkins-ci PATCH 4/6] guests: Implement developer flavor
Posted by Andrea Bolognani 7 years, 6 months ago
On Mon, 2017-10-23 at 09:20 +0200, Pavel Hrdina wrote:
> > +- name: Create developer user account
> > +  user:
> > +    name: developer
> > +    comment: Developer
> 
> How about using "test:test" account?  "developer" is longer than "test"
> if you need to type it or you don't want to configure your SSH config.

I expect people who use this more than once will have something like

    Host libvirt-*
        User developer
        GSSAPIAuthentication no
        StrictHostKeyChecking no
        CheckHostIP no
        UserKnownHostsFile /dev/null

in their ~/.ssh/config to avoid being bothered by SSH when they're
dealing with throwaway guests. It might actually be a good idea to
include this information in the README file.

I'd rather stick with 'developer', as I feel it's more appropriate
given the intended use case, but I'm not really adamant about it.

> > +    password: $6$YEzeb0A3t7jn/IwW$oMPH0mpKPPeuABH3gKDom08rLccOKBm6CrXT/deBsdP77MjBHxwHQ5EJM0MAc/sOsGKCNX0zjYYjlXP.KNUmP0
> 
> Is it possible to use plain password here?  There is no need to
> encrypt it.

Unfortunately the 'user' Ansible module expects the encrypted
password :(

-- 
Andrea Bolognani / Red Hat / Virtualization
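
An added example, not part of the original message or the project: because the `Host libvirt-*` block above turns off host-key verification, a quick audit of `~/.ssh/config` confirms those options stay confined to the throwaway guests. The allow-list default and the sample config (including the broad `Host *` block) are constructed for illustration.

```python
import re

# Values that make the OpenSSH client stop verifying or remembering host keys.
RELAXED = {
    "stricthostkeychecking": {"no", "off"},
    "userknownhostsfile": {"/dev/null"},
}

# Constructed sample: the block from the message plus an overly broad one.
SAMPLE = """\
Host libvirt-*
    User developer
    GSSAPIAuthentication no
    StrictHostKeyChecking no
    CheckHostIP no
    UserKnownHostsFile /dev/null

Host *
    StrictHostKeyChecking=no
"""

def parse_blocks(text):
    """Return [(host_patterns, {option: value})]; options before any Host are global."""
    current = (["*"], {})
    blocks = [current]
    for raw in text.splitlines():
        # "Keyword value" or "Keyword=value"; blank and comment lines do not match.
        m = re.match(r"(\w+)(?:\s*=\s*|\s+)(.*)", raw.strip())
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip().strip('"')
        if key in ("host", "match"):
            # Match criteria are not evaluated here, so treat them as unscoped.
            current = (value.split() if key == "host" else ["*"], {})
            blocks.append(current)
        else:
            current[1].setdefault(key, value)  # ssh keeps the first value it sees
    return blocks

def audit(text, allowed=("libvirt-*",)):
    """Return (patterns, option, value) for relaxed options outside `allowed`."""
    findings = []
    for patterns, opts in parse_blocks(text):
        positive = [p for p in patterns if not p.startswith("!")]
        scoped = bool(positive) and all(p in allowed for p in positive)
        for key, bad in RELAXED.items():
            if not scoped and opts.get(key, "").lower() in bad:
                findings.append((" ".join(patterns), key, opts[key]))
    return findings

if __name__ == "__main__":
    for patterns, key, value in audit(SAMPLE):
        print(f"Host {patterns}: {key} {value} applies beyond the throwaway guests")
```
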

Re: [libvirt] [libvirt-jenkins-ci PATCH 4/6] guests: Implement developer flavor
Posted by Pavel Hrdina 7 years, 6 months ago
On Mon, Oct 23, 2017 at 10:09:42AM +0200, Andrea Bolognani wrote:
> On Mon, 2017-10-23 at 09:20 +0200, Pavel Hrdina wrote:
> > > +- name: Create developer user account
> > > +  user:
> > > +    name: developer
> > > +    comment: Developer
> > 
> > How about using "test:test" account?  "developer" is longer than "test"
> > if you need to type it or you don't want to configure your SSH config.
> 
> I expect people who use this more than once will have something like
> 
>     Host libvirt-*
>         User developer
>         GSSAPIAuthentication no
>         StrictHostKeyChecking no
>         CheckHostIP no
>         UserKnownHostsFile /dev/null
> 
> in their ~/.ssh/config to avoid being bothered by SSH when they're
> dealing with throwaway guests. It might actually be a good idea to
> include this information in the README file.

That would be helpful to document.

> I'd rather stick with 'developer', as I feel it's more appropriate
> given the intended use case, but I'm not really adamant about it.

The only reason why I've suggested "test:test" is that someone may not
prefer to put that into their ssh config.

> > > +    password: $6$YEzeb0A3t7jn/IwW$oMPH0mpKPPeuABH3gKDom08rLccOKBm6CrXT/deBsdP77MjBHxwHQ5EJM0MAc/sOsGKCNX0zjYYjlXP.KNUmP0
> > 
> > Is it possible to use plain password here?  There is no need to
> > encrypt it.
> 
> Unfortunately the 'user' Ansible module expects the encrypted
> password :(

I was afraid of that.

Pavel