pyjuju

Merge lp:~clint-fewbar/pyjuju/add-egress-zookeeper-protection into lp:pyjuju

add-egress-zookeeper-protection
Merge into trunk

Proposed by Clint Byrum on 2012-09-21

Status:

Needs review

Proposed branch:

lp:~clint-fewbar/pyjuju/add-egress-zookeeper-protection

Merge into:

lp:pyjuju

Diff against target:

1150 lines (+496/-461)

18 files modified

juju/lib/tests/data/test_prestart (+10/-0)
juju/lib/tests/test_upstart.py (+14/-0)
juju/lib/upstart.py (+6/-1)
juju/providers/common/cloudinit.py (+43/-0)
juju/providers/common/tests/data/cloud_init_bootstrap (+33/-52)
juju/providers/common/tests/data/cloud_init_bootstrap_zookeepers (+45/-52)
juju/providers/common/tests/data/cloud_init_branch (+34/-29)
juju/providers/common/tests/data/cloud_init_branch_trunk (+34/-29)
juju/providers/common/tests/data/cloud_init_distro (+30/-27)
juju/providers/common/tests/data/cloud_init_ppa (+30/-27)
juju/providers/common/tests/data/cloud_init_proposed (+30/-27)
juju/providers/ec2/tests/data/bootstrap_cloud_init (+33/-53)
juju/providers/ec2/tests/data/launch_cloud_init (+29/-27)
juju/providers/ec2/tests/data/launch_cloud_init_branch (+33/-29)
juju/providers/ec2/tests/data/launch_cloud_init_ppa (+29/-27)
juju/providers/orchestra/launch.py (+1/-1)
juju/providers/orchestra/tests/data/bootstrap_user_data (+33/-53)
juju/providers/orchestra/tests/data/launch_user_data (+29/-27)

To merge this branch:

bzr merge lp:~clint-fewbar/pyjuju/add-egress-zookeeper-protection

High

In Progress

Link a bug report

Reviewer	Review Type	Date Requested	Status
Juju Engineering		2012-09-21	Pending
Review via email: mp+125832@code.launchpad.net

Description of the change

protect zookeeper from non-root direct access

Adds pre-start capability to juju.lib.upstart. Also reformatted tests'
cloud-config data to be more readable.

https://codereview.appspot.com/6549051/

Revision history for this message

Clint Byrum (clint-fewbar) wrote on 2012-09-21:

Reviewers: mp+125832_code.launchpad.net,

Message:
Please take a look.

Description:
protect zookeeper from non-root direct access

Adds pre-start capability to juju.lib.upstart. Also reformatted tests'
cloud-config data to be more readable.

https://code.launchpad.net/~clint-fewbar/juju/add-egress-zookeeper-protection/+merge/125832

(do not edit description out of merge proposal)

Please review this at https://codereview.appspot.com/6549051/

Affected files:
   A [revision details]
   A juju/lib/tests/data/test_prestart
   M juju/lib/tests/test_upstart.py
   M juju/lib/upstart.py
   M juju/providers/common/cloudinit.py
   M juju/providers/common/tests/data/cloud_init_bootstrap
   M juju/providers/common/tests/data/cloud_init_bootstrap_zookeepers
   M juju/providers/common/tests/data/cloud_init_branch
   M juju/providers/common/tests/data/cloud_init_branch_trunk
   M juju/providers/common/tests/data/cloud_init_distro
   M juju/providers/common/tests/data/cloud_init_ppa
   M juju/providers/common/tests/data/cloud_init_proposed
   M juju/providers/ec2/tests/data/bootstrap_cloud_init
   M juju/providers/ec2/tests/data/launch_cloud_init
   M juju/providers/ec2/tests/data/launch_cloud_init_branch
   M juju/providers/ec2/tests/data/launch_cloud_init_ppa
   M juju/providers/orchestra/launch.py
   M juju/providers/orchestra/tests/data/bootstrap_user_data
   M juju/providers/orchestra/tests/data/launch_user_data

Revision history for this message

Kapil Thangavelu (hazmat) wrote on 2012-09-27:

cool. i'll have to brush on my iptables syntax. does the impl here
support service restarts?

https://codereview.appspot.com/6549051/

Unmerged revisions

588. By Clint Byrum on 2012-09-21: special case localhost because it is needed for client<->zookeeper communication
587. By Clint Byrum on 2012-09-21: fixing test data to match new pre-start
586. By Clint Byrum on 2012-09-21: fix pre-start
585. By Clint Byrum on 2012-09-21: remove debugging aids from tests
584. By Clint Byrum on 2012-09-21: fixing upstart tests
583. By Clint Byrum on 2012-09-21: fixing EC2 tests
582. By Clint Byrum on 2012-09-21: fix orchestra launch tests
581. By Clint Byrum on 2012-09-21: fixing bootstrap user data
580. By Clint Byrum on 2012-09-21: Add iptables rule as pre-start for machine agent to prevent non-root access to ZK
579. By Clint Byrum on 2012-09-20: add prestart to juju.lib.upstart

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

Beber

Benjamin Saller

Chuck Short

Clint Byrum

Gustavo Niemeyer

James Page

Jim Baker

John A Meinel

Jorge Castro

Kapil Thangavelu

Marius B. Kotsbak

liuxing

to status/vote changes:

Akapo

 === added file 'juju/lib/tests/data/test_prestart'
 --- juju/lib/tests/data/test_prestart	1970-01-01 00:00:00 +0000
 +++ juju/lib/tests/data/test_prestart	2012-09-21 23:19:20 +0000
@@ -0,0 +1,10 @@
++description "uninteresting service"
++author "Juju Team <juju@lists.ubuntu.com>"
++
++start on runlevel [2345]
++stop on runlevel [!2345]
++respawn
++
++
++pre-start exec /bin/true
++exec /bin/false >> /tmp/some-name.output 2>&1
 === modified file 'juju/lib/tests/test_upstart.py'
 --- juju/lib/tests/test_upstart.py	2012-01-27 16:12:47 +0000
 +++ juju/lib/tests/test_upstart.py	2012-09-21 23:19:20 +0000
@@ -183,6 +183,20 @@
          self.assert_conf("test_basic_install")
      @inlineCallbacks
++    def test_prestart(self):
++        """Check a simple UpstartService writes expected conf file"""
++        e = yield self.assertFailure(self.service.install(), ServiceError)
++        self.assertEquals(str(e), "Cannot render .conf: no description set")
++        self.service.set_description("uninteresting service")
++        e = yield self.assertFailure(self.service.install(), ServiceError)
++        self.assertEquals(str(e), "Cannot render .conf: no command set")
++        self.service.set_command("/bin/false")
++        self.service.set_prestart("pre-start exec /bin/true")
++        yield self.service.install()
++
++        self.assert_conf("test_prestart")
++
++    @inlineCallbacks
      def test_less_basic_install(self):
          """Check conf for a different UpstartService (which sets an env var)"""
          self.service.set_description("pew pew pew blam")
 === modified file 'juju/lib/upstart.py'
 --- juju/lib/upstart.py	2012-08-03 10:55:21 +0000
 +++ juju/lib/upstart.py	2012-09-21 23:19:20 +0000
@@ -19,7 +19,7 @@
  respawn
  %s
--
++%s
  exec %s >> %s 2>&1
  """
@@ -41,6 +41,7 @@
          self._use_sudo = use_sudo
          self._output_path = None
          self._description = None
++        self._prestart = ''
          self._environ = {}
          self._command = None
@@ -61,6 +62,9 @@
      def set_environ(self, environ):
          self._environ = environ
++    def set_prestart(self, prestart):
++        self._prestart = prestart
++
      def set_command(self, command):
          self._command = command
@@ -83,6 +87,7 @@
              self._description,
              "\n".join('env %s="%s"' % kv
                        for kv in sorted(self._environ.items())),
++            self._prestart,
              self._command,
              self.output_path)
 === modified file 'juju/providers/common/cloudinit.py'
 --- juju/providers/common/cloudinit.py	2012-09-10 03:20:20 +0000
 +++ juju/providers/common/cloudinit.py	2012-09-21 23:19:20 +0000
@@ -14,6 +14,24 @@
  BRANCH = "branch"
  PROPOSED = "proposed"
++_MACHINE_AGENT_PRESTART = """
++pre-start script
++    # Protects ZooKeeper from access by non-root users.
++%(deleteports)s
++    iptables -F juju-protect-zookeepers && iptables -X juju-protect-zookeepers || :
++    iptables -N juju-protect-zookeepers
++%(insertports)s
++%(hostlines)s
++end script
++"""
++
++_MACHINE_AGENT_HOST_IPTABLES = """    iptables -A juju-protect-zookeepers -d %s -m owner \! --uid-owner 0 -j DROP"""
++_MACHINE_AGENT_PORT_IPTABLES = """OUTPUT -p tcp --dport %s -j juju-protect-zookeepers"""
++_MACHINE_AGENT_DPORT_IPTABLES = """    if iptables -C %s ; then
++        iptables -D %s
++    fi"""
++_MACHINE_AGENT_IPORT_IPTABLES = '    iptables -I %s'
++
  def _branch_install_scripts(branch):
      return [
@@ -50,6 +68,31 @@
      service.set_description("Juju machine agent")
      service.set_environ(
          {"JUJU_MACHINE_ID": machine_id, "JUJU_ZOOKEEPER": zookeeper_hosts})
++
++    zk_hosts_list = zookeeper_hosts.split(',')
++    zk_with_port = [ x.split(':') for x in zk_hosts_list ]
++    host_lines = []
++    ports = set()
++    for zk in zk_with_port:
++        # Can't block localhost because of client<->zk tunnel.
++        if zk[0] == 'localhost':
++            continue
++        if len(zk) >= 2:
++            ports.add(zk[1])
++        host_lines.append(_MACHINE_AGENT_HOST_IPTABLES % (zk[0]))
++    # Only add if there is at least one host to protect
++    if len(host_lines):
++        del_port_lines = []
++        ins_port_lines = []
++        for port in ports:
++            rule = _MACHINE_AGENT_PORT_IPTABLES % (port)
++            del_port_lines.append(_MACHINE_AGENT_DPORT_IPTABLES % (rule, rule))
++            ins_port_lines.append(_MACHINE_AGENT_IPORT_IPTABLES % (rule))
++        service.set_prestart(_MACHINE_AGENT_PRESTART % {
++                                'deleteports': "\n".join(del_port_lines),
++                                'insertports': "\n".join(ins_port_lines),
++                                'hostlines':"\n".join(host_lines)})
++
      service.set_command(
          "python -m juju.agents.machine --nodaemon "
          "--logfile /var/log/juju/machine-agent.log "
 === modified file 'juju/providers/common/tests/data/cloud_init_bootstrap'
 --- juju/providers/common/tests/data/cloud_init_bootstrap	2012-08-23 16:14:42 +0000
 +++ juju/providers/common/tests/data/cloud_init_bootstrap	2012-09-21 23:19:20 +0000
@@ -6,56 +6,37 @@
  output: {all: '| tee -a /var/log/cloud-init-output.log'}
  packages: [bzr, byobu, tmux, python-setuptools, python-twisted, python-txaws, python-zookeeper,
    default-jre-headless, zookeeper, zookeeperd, juju]
--runcmd: [sudo mkdir -p /var/lib/juju, sudo mkdir -p /var/log/juju, 'juju-admin initialize
--    --instance-id=token --admin-identity=admin:19vlzY4Vc3q4Ew5OsCwKYqrq1HI= --constraints-data=e2NwdTogJzIwJywgcHJvdmlkZXItdHlwZTogZHVtbXksIHVidW50dS1zZXJpZXM6IGFzdG9uaXNoaW5nfQo=
--    --provider-type=dummy', 'cat >> /etc/init/juju-machine-agent.conf <<EOF
--
--    description "Juju machine agent"
--
--    author "Juju Team <juju@lists.ubuntu.com>"
--
--
--    start on runlevel [2345]
--
--    stop on runlevel [!2345]
--
--    respawn
--
--
--    env JUJU_MACHINE_ID="passport"
--
--    env JUJU_ZOOKEEPER="localhost:2181"
--
--
--    exec python -m juju.agents.machine --nodaemon --logfile /var/log/juju/machine-agent.log
--    --session-file /var/run/juju/machine-agent.zksession >> /tmp/juju-machine-agent.output
--    2>&1
--
--    EOF
--
--    ', /sbin/start juju-machine-agent, 'cat >> /etc/init/juju-provision-agent.conf
--    <<EOF
--
--    description "Juju provisioning agent"
--
--    author "Juju Team <juju@lists.ubuntu.com>"
--
--
--    start on runlevel [2345]
--
--    stop on runlevel [!2345]
--
--    respawn
--
--
--    env JUJU_ZOOKEEPER="localhost:2181"
--
--
--    exec python -m juju.agents.provision --nodaemon --logfile /var/log/juju/provision-agent.log
--    --session-file /var/run/juju/provision-agent.zksession >> /tmp/juju-provision-agent.output
--    2>&1
--
--    EOF
--
--    ', /sbin/start juju-provision-agent]
++runcmd:
++       - sudo mkdir -p /var/lib/juju
++       - sudo mkdir -p /var/log/juju
++       - juju-admin initialize --instance-id=token --admin-identity=admin:19vlzY4Vc3q4Ew5OsCwKYqrq1HI= --constraints-data=e2NwdTogJzIwJywgcHJvdmlkZXItdHlwZTogZHVtbXksIHVidW50dS1zZXJpZXM6IGFzdG9uaXNoaW5nfQo= --provider-type=dummy
++       - |
++            cat >> /etc/init/juju-machine-agent.conf <<EOF
++            description "Juju machine agent"
++            author "Juju Team <juju@lists.ubuntu.com>"
++
++            start on runlevel [2345]
++            stop on runlevel [!2345]
++            respawn
++
++            env JUJU_MACHINE_ID="passport"
++            env JUJU_ZOOKEEPER="localhost:2181"
++
++            exec python -m juju.agents.machine --nodaemon --logfile /var/log/juju/machine-agent.log --session-file /var/run/juju/machine-agent.zksession >> /tmp/juju-machine-agent.output 2>&1
++            EOF
++       - /sbin/start juju-machine-agent
++       - |
++            cat >> /etc/init/juju-provision-agent.conf <<EOF
++            description "Juju provisioning agent"
++            author "Juju Team <juju@lists.ubuntu.com>"
++
++            start on runlevel [2345]
++            stop on runlevel [!2345]
++            respawn
++
++            env JUJU_ZOOKEEPER="localhost:2181"
++
++            exec python -m juju.agents.provision --nodaemon --logfile /var/log/juju/provision-agent.log --session-file /var/run/juju/provision-agent.zksession >> /tmp/juju-provision-agent.output 2>&1
++            EOF
++       - /sbin/start juju-provision-agent
  ssh_authorized_keys: [chubb]
 === modified file 'juju/providers/common/tests/data/cloud_init_bootstrap_zookeepers'
 --- juju/providers/common/tests/data/cloud_init_bootstrap_zookeepers	2012-08-23 16:14:42 +0000
 +++ juju/providers/common/tests/data/cloud_init_bootstrap_zookeepers	2012-09-21 23:19:20 +0000
@@ -6,56 +6,49 @@
  output: {all: '| tee -a /var/log/cloud-init-output.log'}
  packages: [bzr, byobu, tmux, python-setuptools, python-twisted, python-txaws, python-zookeeper,
    default-jre-headless, zookeeper, zookeeperd, juju]
--runcmd: [sudo mkdir -p /var/lib/juju, sudo mkdir -p /var/log/juju, 'juju-admin initialize
--    --instance-id=token --admin-identity=admin:19vlzY4Vc3q4Ew5OsCwKYqrq1HI= --constraints-data=e2NwdTogJzIwJywgcHJvdmlkZXItdHlwZTogZHVtbXksIHVidW50dS1zZXJpZXM6IGFzdG9uaXNoaW5nfQo=
--    --provider-type=dummy', 'cat >> /etc/init/juju-machine-agent.conf <<EOF
--
--    description "Juju machine agent"
--
--    author "Juju Team <juju@lists.ubuntu.com>"
--
--
--    start on runlevel [2345]
--
--    stop on runlevel [!2345]
--
--    respawn
--
--
--    env JUJU_MACHINE_ID="passport"
--
--    env JUJU_ZOOKEEPER="cotswold:2181,longleat:2181,localhost:2181"
--
--
--    exec python -m juju.agents.machine --nodaemon --logfile /var/log/juju/machine-agent.log
--    --session-file /var/run/juju/machine-agent.zksession >> /tmp/juju-machine-agent.output
--    2>&1
--
--    EOF
--
--    ', /sbin/start juju-machine-agent, 'cat >> /etc/init/juju-provision-agent.conf
--    <<EOF
--
--    description "Juju provisioning agent"
--
--    author "Juju Team <juju@lists.ubuntu.com>"
--
--
--    start on runlevel [2345]
--
--    stop on runlevel [!2345]
--
--    respawn
--
--
--    env JUJU_ZOOKEEPER="cotswold:2181,longleat:2181,localhost:2181"
--
--
--    exec python -m juju.agents.provision --nodaemon --logfile /var/log/juju/provision-agent.log
--    --session-file /var/run/juju/provision-agent.zksession >> /tmp/juju-provision-agent.output
--    2>&1
--
--    EOF
--
--    ', /sbin/start juju-provision-agent]
++runcmd:
++       - sudo mkdir -p /var/lib/juju
++       - sudo mkdir -p /var/log/juju
++       - juju-admin initialize --instance-id=token --admin-identity=admin:19vlzY4Vc3q4Ew5OsCwKYqrq1HI= --constraints-data=e2NwdTogJzIwJywgcHJvdmlkZXItdHlwZTogZHVtbXksIHVidW50dS1zZXJpZXM6IGFzdG9uaXNoaW5nfQo= --provider-type=dummy
++       - |
++            cat >> /etc/init/juju-machine-agent.conf <<EOF
++            description "Juju machine agent"
++            author "Juju Team <juju@lists.ubuntu.com>"
++
++            start on runlevel [2345]
++            stop on runlevel [!2345]
++            respawn
++
++            env JUJU_MACHINE_ID="passport"
++            env JUJU_ZOOKEEPER="cotswold:2181,longleat:2181,localhost:2181"
++
++            pre-start script
++                # Protects ZooKeeper from access by non-root users.
++                if iptables -C OUTPUT -p tcp --dport 2181 -j juju-protect-zookeepers ; then
++                    iptables -D OUTPUT -p tcp --dport 2181 -j juju-protect-zookeepers
++                fi
++                iptables -F juju-protect-zookeepers && iptables -X juju-protect-zookeepers || :
++                iptables -N juju-protect-zookeepers
++                iptables -I OUTPUT -p tcp --dport 2181 -j juju-protect-zookeepers
++                iptables -A juju-protect-zookeepers -d cotswold -m owner \! --uid-owner 0 -j DROP
++                iptables -A juju-protect-zookeepers -d longleat -m owner \! --uid-owner 0 -j DROP
++            end script
++
++            exec python -m juju.agents.machine --nodaemon --logfile /var/log/juju/machine-agent.log --session-file /var/run/juju/machine-agent.zksession >> /tmp/juju-machine-agent.output 2>&1
++            EOF
++       - /sbin/start juju-machine-agent
++       - |
++            cat >> /etc/init/juju-provision-agent.conf <<EOF
++            description "Juju provisioning agent"
++            author "Juju Team <juju@lists.ubuntu.com>"
++
++            start on runlevel [2345]
++            stop on runlevel [!2345]
++            respawn
++
++            env JUJU_ZOOKEEPER="cotswold:2181,longleat:2181,localhost:2181"
++
++            exec python -m juju.agents.provision --nodaemon --logfile /var/log/juju/provision-agent.log --session-file /var/run/juju/provision-agent.zksession >> /tmp/juju-provision-agent.output 2>&1
++            EOF
++       - /sbin/start juju-provision-agent
  ssh_authorized_keys: [chubb]
 === modified file 'juju/providers/common/tests/data/cloud_init_branch'
 --- juju/providers/common/tests/data/cloud_init_branch	2012-08-23 16:14:42 +0000
 +++ juju/providers/common/tests/data/cloud_init_branch	2012-09-21 23:19:20 +0000
@@ -7,33 +7,38 @@
    machine-id: passport}
  output: {all: '| tee -a /var/log/cloud-init-output.log'}
  packages: [bzr, byobu, tmux, python-setuptools, python-twisted, python-txaws, python-zookeeper]
--runcmd: [sudo apt-get install -y python-txzookeeper, sudo mkdir -p /usr/lib/juju,
--  'cd /usr/lib/juju && sudo /usr/bin/bzr co lp:blah/juju/blah-blah juju', cd /usr/lib/juju/juju
--    && sudo python setup.py develop, sudo mkdir -p /var/lib/juju, sudo mkdir -p /var/log/juju,
--  'cat >> /etc/init/juju-machine-agent.conf <<EOF
--
--    description "Juju machine agent"
--
--    author "Juju Team <juju@lists.ubuntu.com>"
--
--
--    start on runlevel [2345]
--
--    stop on runlevel [!2345]
--
--    respawn
--
--
--    env JUJU_MACHINE_ID="passport"
--
--    env JUJU_ZOOKEEPER="cotswold:2181,longleat:2181"
--
--
--    exec python -m juju.agents.machine --nodaemon --logfile /var/log/juju/machine-agent.log
--    --session-file /var/run/juju/machine-agent.zksession >> /tmp/juju-machine-agent.output
--    2>&1
--
--    EOF
--
--    ', /sbin/start juju-machine-agent]
++runcmd:
++       - sudo apt-get install -y python-txzookeeper
++       - sudo mkdir -p /usr/lib/juju
++       - cd /usr/lib/juju && sudo /usr/bin/bzr co lp:blah/juju/blah-blah juju
++       - cd /usr/lib/juju/juju && sudo python setup.py develop
++       - sudo mkdir -p /var/lib/juju
++       - sudo mkdir -p /var/log/juju
++       - |
++            cat >> /etc/init/juju-machine-agent.conf <<EOF
++            description "Juju machine agent"
++            author "Juju Team <juju@lists.ubuntu.com>"
++
++            start on runlevel [2345]
++            stop on runlevel [!2345]
++            respawn
++
++            env JUJU_MACHINE_ID="passport"
++            env JUJU_ZOOKEEPER="cotswold:2181,longleat:2181"
++
++            pre-start script
++                # Protects ZooKeeper from access by non-root users.
++                if iptables -C OUTPUT -p tcp --dport 2181 -j juju-protect-zookeepers ; then
++                    iptables -D OUTPUT -p tcp --dport 2181 -j juju-protect-zookeepers
++                fi
++                iptables -F juju-protect-zookeepers && iptables -X juju-protect-zookeepers || :
++                iptables -N juju-protect-zookeepers
++                iptables -I OUTPUT -p tcp --dport 2181 -j juju-protect-zookeepers
++                iptables -A juju-protect-zookeepers -d cotswold -m owner \! --uid-owner 0 -j DROP
++                iptables -A juju-protect-zookeepers -d longleat -m owner \! --uid-owner 0 -j DROP
++            end script
++
++            exec python -m juju.agents.machine --nodaemon --logfile /var/log/juju/machine-agent.log --session-file /var/run/juju/machine-agent.zksession >> /tmp/juju-machine-agent.output 2>&1
++            EOF
++       - /sbin/start juju-machine-agent
  ssh_authorized_keys: [chubb]
 === modified file 'juju/providers/common/tests/data/cloud_init_branch_trunk'
 --- juju/providers/common/tests/data/cloud_init_branch_trunk	2012-08-23 16:14:42 +0000
 +++ juju/providers/common/tests/data/cloud_init_branch_trunk	2012-09-21 23:19:20 +0000
@@ -7,33 +7,38 @@
    machine-id: passport}
  output: {all: '| tee -a /var/log/cloud-init-output.log'}
  packages: [bzr, byobu, tmux, python-setuptools, python-twisted, python-txaws, python-zookeeper]
--runcmd: [sudo apt-get install -y python-txzookeeper, sudo mkdir -p /usr/lib/juju,
--  'cd /usr/lib/juju && sudo /usr/bin/bzr co lp:juju juju', cd /usr/lib/juju/juju &&
--    sudo python setup.py develop, sudo mkdir -p /var/lib/juju, sudo mkdir -p /var/log/juju,
--  'cat >> /etc/init/juju-machine-agent.conf <<EOF
--
--    description "Juju machine agent"
--
--    author "Juju Team <juju@lists.ubuntu.com>"
--
--
--    start on runlevel [2345]
--
--    stop on runlevel [!2345]
--
--    respawn
--
--
--    env JUJU_MACHINE_ID="passport"
--
--    env JUJU_ZOOKEEPER="cotswold:2181,longleat:2181"
--
--
--    exec python -m juju.agents.machine --nodaemon --logfile /var/log/juju/machine-agent.log
--    --session-file /var/run/juju/machine-agent.zksession >> /tmp/juju-machine-agent.output
--    2>&1
--
--    EOF
--
--    ', /sbin/start juju-machine-agent]
++runcmd:
++       - sudo apt-get install -y python-txzookeeper
++       - sudo mkdir -p /usr/lib/juju
++       - cd /usr/lib/juju && sudo /usr/bin/bzr co lp:juju juju
++       - cd /usr/lib/juju/juju && sudo python setup.py develop
++       - sudo mkdir -p /var/lib/juju
++       - sudo mkdir -p /var/log/juju
++       - |
++            cat >> /etc/init/juju-machine-agent.conf <<EOF
++            description "Juju machine agent"
++            author "Juju Team <juju@lists.ubuntu.com>"
++
++            start on runlevel [2345]
++            stop on runlevel [!2345]
++            respawn
++
++            env JUJU_MACHINE_ID="passport"
++            env JUJU_ZOOKEEPER="cotswold:2181,longleat:2181"
++
++            pre-start script
++                # Protects ZooKeeper from access by non-root users.
++                if iptables -C OUTPUT -p tcp --dport 2181 -j juju-protect-zookeepers ; then
++                    iptables -D OUTPUT -p tcp --dport 2181 -j juju-protect-zookeepers
++                fi
++                iptables -F juju-protect-zookeepers && iptables -X juju-protect-zookeepers || :
++                iptables -N juju-protect-zookeepers
++                iptables -I OUTPUT -p tcp --dport 2181 -j juju-protect-zookeepers
++                iptables -A juju-protect-zookeepers -d cotswold -m owner \! --uid-owner 0 -j DROP
++                iptables -A juju-protect-zookeepers -d longleat -m owner \! --uid-owner 0 -j DROP
++            end script
++
++            exec python -m juju.agents.machine --nodaemon --logfile /var/log/juju/machine-agent.log --session-file /var/run/juju/machine-agent.zksession >> /tmp/juju-machine-agent.output 2>&1
++            EOF
++       - /sbin/start juju-machine-agent
  ssh_authorized_keys: [chubb]
 === modified file 'juju/providers/common/tests/data/cloud_init_distro'
 --- juju/providers/common/tests/data/cloud_init_distro	2012-08-23 16:14:42 +0000
 +++ juju/providers/common/tests/data/cloud_init_distro	2012-09-21 23:19:20 +0000
@@ -6,31 +6,34 @@
  output: {all: '| tee -a /var/log/cloud-init-output.log'}
  packages: [bzr, byobu, tmux, python-setuptools, python-twisted, python-txaws, python-zookeeper,
    juju]
--runcmd: [sudo mkdir -p /var/lib/juju, sudo mkdir -p /var/log/juju, 'cat >> /etc/init/juju-machine-agent.conf
--    <<EOF
--
--    description "Juju machine agent"
--
--    author "Juju Team <juju@lists.ubuntu.com>"
--
--
--    start on runlevel [2345]
--
--    stop on runlevel [!2345]
--
--    respawn
--
--
--    env JUJU_MACHINE_ID="passport"
--
--    env JUJU_ZOOKEEPER="cotswold:2181,longleat:2181"
--
--
--    exec python -m juju.agents.machine --nodaemon --logfile /var/log/juju/machine-agent.log
--    --session-file /var/run/juju/machine-agent.zksession >> /tmp/juju-machine-agent.output
--    2>&1
--
--    EOF
--
--    ', /sbin/start juju-machine-agent]
++runcmd:
++       - sudo mkdir -p /var/lib/juju
++       - sudo mkdir -p /var/log/juju
++       - |
++            cat >> /etc/init/juju-machine-agent.conf <<EOF
++            description "Juju machine agent"
++            author "Juju Team <juju@lists.ubuntu.com>"
++
++            start on runlevel [2345]
++            stop on runlevel [!2345]
++            respawn
++
++            env JUJU_MACHINE_ID="passport"
++            env JUJU_ZOOKEEPER="cotswold:2181,longleat:2181"
++
++            pre-start script
++                # Protects ZooKeeper from access by non-root users.
++                if iptables -C OUTPUT -p tcp --dport 2181 -j juju-protect-zookeepers ; then
++                    iptables -D OUTPUT -p tcp --dport 2181 -j juju-protect-zookeepers
++                fi
++                iptables -F juju-protect-zookeepers && iptables -X juju-protect-zookeepers || :
++                iptables -N juju-protect-zookeepers
++                iptables -I OUTPUT -p tcp --dport 2181 -j juju-protect-zookeepers
++                iptables -A juju-protect-zookeepers -d cotswold -m owner \! --uid-owner 0 -j DROP
++                iptables -A juju-protect-zookeepers -d longleat -m owner \! --uid-owner 0 -j DROP
++            end script
++
++            exec python -m juju.agents.machine --nodaemon --logfile /var/log/juju/machine-agent.log --session-file /var/run/juju/machine-agent.zksession >> /tmp/juju-machine-agent.output 2>&1
++            EOF
++       - /sbin/start juju-machine-agent
  ssh_authorized_keys: [chubb]
 === modified file 'juju/providers/common/tests/data/cloud_init_ppa'
 --- juju/providers/common/tests/data/cloud_init_ppa	2012-08-23 16:14:42 +0000
 +++ juju/providers/common/tests/data/cloud_init_ppa	2012-09-21 23:19:20 +0000
@@ -8,31 +8,34 @@
  output: {all: '| tee -a /var/log/cloud-init-output.log'}
  packages: [bzr, byobu, tmux, python-setuptools, python-twisted, python-txaws, python-zookeeper,
    juju]
--runcmd: [sudo mkdir -p /var/lib/juju, sudo mkdir -p /var/log/juju, 'cat >> /etc/init/juju-machine-agent.conf
--    <<EOF
--
--    description "Juju machine agent"
--
--    author "Juju Team <juju@lists.ubuntu.com>"
--
--
--    start on runlevel [2345]
--
--    stop on runlevel [!2345]
--
--    respawn
--
--
--    env JUJU_MACHINE_ID="passport"
--
--    env JUJU_ZOOKEEPER="cotswold:2181,longleat:2181"
--
--
--    exec python -m juju.agents.machine --nodaemon --logfile /var/log/juju/machine-agent.log
--    --session-file /var/run/juju/machine-agent.zksession >> /tmp/juju-machine-agent.output
--    2>&1
--
--    EOF
--
--    ', /sbin/start juju-machine-agent]
++runcmd:
++       - sudo mkdir -p /var/lib/juju
++       - sudo mkdir -p /var/log/juju
++       - |
++            cat >> /etc/init/juju-machine-agent.conf <<EOF
++            description "Juju machine agent"
++            author "Juju Team <juju@lists.ubuntu.com>"
++
++            start on runlevel [2345]
++            stop on runlevel [!2345]
++            respawn
++
++            env JUJU_MACHINE_ID="passport"
++            env JUJU_ZOOKEEPER="cotswold:2181,longleat:2181"
++
++            pre-start script
++                # Protects ZooKeeper from access by non-root users.
++                if iptables -C OUTPUT -p tcp --dport 2181 -j juju-protect-zookeepers ; then
++                    iptables -D OUTPUT -p tcp --dport 2181 -j juju-protect-zookeepers
++                fi
++                iptables -F juju-protect-zookeepers && iptables -X juju-protect-zookeepers || :
++                iptables -N juju-protect-zookeepers
++                iptables -I OUTPUT -p tcp --dport 2181 -j juju-protect-zookeepers
++                iptables -A juju-protect-zookeepers -d cotswold -m owner \! --uid-owner 0 -j DROP
++                iptables -A juju-protect-zookeepers -d longleat -m owner \! --uid-owner 0 -j DROP
++            end script
++
++            exec python -m juju.agents.machine --nodaemon --logfile /var/log/juju/machine-agent.log --session-file /var/run/juju/machine-agent.zksession >> /tmp/juju-machine-agent.output 2>&1
++            EOF
++       - /sbin/start juju-machine-agent
  ssh_authorized_keys: [chubb]
 === modified file 'juju/providers/common/tests/data/cloud_init_proposed'
 --- juju/providers/common/tests/data/cloud_init_proposed	2012-08-23 16:14:42 +0000
 +++ juju/providers/common/tests/data/cloud_init_proposed	2012-09-21 23:19:20 +0000
@@ -7,31 +7,34 @@
    machine-id: passport}
  output: {all: '| tee -a /var/log/cloud-init-output.log'}
  packages: [bzr, byobu, tmux, python-setuptools, python-twisted, python-txaws, python-zookeeper, juju]
--runcmd: [sudo mkdir -p /var/lib/juju, sudo mkdir -p
--    /var/log/juju, 'cat >> /etc/init/juju-machine-agent.conf <<EOF
--
--    description "Juju machine agent"
--
--    author "Juju Team <juju@lists.ubuntu.com>"
--
--
--    start on runlevel [2345]
--
--    stop on runlevel [!2345]
--
--    respawn
--
--
--    env JUJU_MACHINE_ID="passport"
--
--    env JUJU_ZOOKEEPER="cotswold:2181,longleat:2181"
--
--
--    exec python -m juju.agents.machine --nodaemon --logfile /var/log/juju/machine-agent.log
--    --session-file /var/run/juju/machine-agent.zksession >> /tmp/juju-machine-agent.output
--    2>&1
--
--    EOF
--
--    ', /sbin/start juju-machine-agent]
++runcmd:
++       - sudo mkdir -p /var/lib/juju
++       - sudo mkdir -p /var/log/juju
++       - |
++            cat >> /etc/init/juju-machine-agent.conf <<EOF
++            description "Juju machine agent"
++            author "Juju Team <juju@lists.ubuntu.com>"
++
++            start on runlevel [2345]
++            stop on runlevel [!2345]
++            respawn
++
++            env JUJU_MACHINE_ID="passport"
++            env JUJU_ZOOKEEPER="cotswold:2181,longleat:2181"
++
++            pre-start script
++                # Protects ZooKeeper from access by non-root users.
++                if iptables -C OUTPUT -p tcp --dport 2181 -j juju-protect-zookeepers ; then
++                    iptables -D OUTPUT -p tcp --dport 2181 -j juju-protect-zookeepers
++                fi
++                iptables -F juju-protect-zookeepers && iptables -X juju-protect-zookeepers || :
++                iptables -N juju-protect-zookeepers
++                iptables -I OUTPUT -p tcp --dport 2181 -j juju-protect-zookeepers
++                iptables -A juju-protect-zookeepers -d cotswold -m owner \! --uid-owner 0 -j DROP
++                iptables -A juju-protect-zookeepers -d longleat -m owner \! --uid-owner 0 -j DROP
++            end script
++
++            exec python -m juju.agents.machine --nodaemon --logfile /var/log/juju/machine-agent.log --session-file /var/run/juju/machine-agent.zksession >> /tmp/juju-machine-agent.output 2>&1
++            EOF
++       - /sbin/start juju-machine-agent
  ssh_authorized_keys: [chubb]
 === modified file 'juju/providers/ec2/tests/data/bootstrap_cloud_init'
 --- juju/providers/ec2/tests/data/bootstrap_cloud_init	2012-08-23 16:14:42 +0000
 +++ juju/providers/ec2/tests/data/bootstrap_cloud_init	2012-09-21 23:19:20 +0000
@@ -5,57 +5,37 @@
  output: {all: '| tee -a /var/log/cloud-init-output.log'}
  packages: [bzr, byobu, tmux, python-setuptools, python-twisted, python-txaws, python-zookeeper,
    default-jre-headless, zookeeper, zookeeperd, juju]
--runcmd: [sudo mkdir -p /var/lib/juju, sudo mkdir -p /var/log/juju, 'juju-admin initialize
--    --instance-id=$(curl http://169.254.169.254/1.0/meta-data/instance-id) --admin-identity=admin:JbJ6sDGV37EHzbG9FPvttk64cmg=
--    --constraints-data=e2NwdTogbnVsbCwgaW5zdGFuY2UtdHlwZTogbTEuc21hbGwsIG1lbTogbnVsbCwgcHJvdmlkZXItdHlwZTogZWMyLCB1YnVudHUtc2VyaWVzOiBzcGxlbmRpZH0K
--    --provider-type=ec2', 'cat >> /etc/init/juju-machine-agent.conf <<EOF
--
--    description "Juju machine agent"
--
--    author "Juju Team <juju@lists.ubuntu.com>"
--
--
--    start on runlevel [2345]
--
--    stop on runlevel [!2345]
--
--    respawn
--
--
--    env JUJU_MACHINE_ID="0"
--
--    env JUJU_ZOOKEEPER="localhost:2181"
--
--
--    exec python -m juju.agents.machine --nodaemon --logfile /var/log/juju/machine-agent.log
--    --session-file /var/run/juju/machine-agent.zksession >> /tmp/juju-machine-agent.output
--    2>&1
--
--    EOF
--
--    ', /sbin/start juju-machine-agent, 'cat >> /etc/init/juju-provision-agent.conf
--    <<EOF
--
--    description "Juju provisioning agent"
--
--    author "Juju Team <juju@lists.ubuntu.com>"
--
--
--    start on runlevel [2345]
--
--    stop on runlevel [!2345]
--
--    respawn
--
--
--    env JUJU_ZOOKEEPER="localhost:2181"
--
--
--    exec python -m juju.agents.provision --nodaemon --logfile /var/log/juju/provision-agent.log
--    --session-file /var/run/juju/provision-agent.zksession >> /tmp/juju-provision-agent.output
--    2>&1
--
--    EOF
--
--    ', /sbin/start juju-provision-agent]
++runcmd:
++       - sudo mkdir -p /var/lib/juju
++       - sudo mkdir -p /var/log/juju
++       - juju-admin initialize --instance-id=$(curl http://169.254.169.254/1.0/meta-data/instance-id) --admin-identity=admin:JbJ6sDGV37EHzbG9FPvttk64cmg= --constraints-data=e2NwdTogbnVsbCwgaW5zdGFuY2UtdHlwZTogbTEuc21hbGwsIG1lbTogbnVsbCwgcHJvdmlkZXItdHlwZTogZWMyLCB1YnVudHUtc2VyaWVzOiBzcGxlbmRpZH0K --provider-type=ec2
++       - |
++            cat >> /etc/init/juju-machine-agent.conf <<EOF
++            description "Juju machine agent"
++            author "Juju Team <juju@lists.ubuntu.com>"
++
++            start on runlevel [2345]
++            stop on runlevel [!2345]
++            respawn
++
++            env JUJU_MACHINE_ID="0"
++            env JUJU_ZOOKEEPER="localhost:2181"
++
++            exec python -m juju.agents.machine --nodaemon --logfile /var/log/juju/machine-agent.log --session-file /var/run/juju/machine-agent.zksession >> /tmp/juju-machine-agent.output 2>&1
++            EOF
++       - /sbin/start juju-machine-agent
++       - |
++            cat >> /etc/init/juju-provision-agent.conf <<EOF
++            description "Juju provisioning agent"
++            author "Juju Team <juju@lists.ubuntu.com>"
++
++            start on runlevel [2345]
++            stop on runlevel [!2345]
++            respawn
++
++            env JUJU_ZOOKEEPER="localhost:2181"
++
++            exec python -m juju.agents.provision --nodaemon --logfile /var/log/juju/provision-agent.log --session-file /var/run/juju/provision-agent.zksession >> /tmp/juju-provision-agent.output 2>&1
++            EOF
++       - /sbin/start juju-provision-agent
  ssh_authorized_keys: [zebra]
 === modified file 'juju/providers/ec2/tests/data/launch_cloud_init'
 --- juju/providers/ec2/tests/data/launch_cloud_init	2012-08-23 16:14:42 +0000
 +++ juju/providers/ec2/tests/data/launch_cloud_init	2012-09-21 23:19:20 +0000
@@ -5,31 +5,33 @@
    machine-id: '1'}
  output: {all: '| tee -a /var/log/cloud-init-output.log'}
  packages: [bzr, byobu, tmux, python-setuptools, python-twisted, python-txaws, python-zookeeper, juju]
--runcmd: [sudo mkdir -p /var/lib/juju, sudo mkdir -p
--    /var/log/juju, 'cat >> /etc/init/juju-machine-agent.conf <<EOF
--
--    description "Juju machine agent"
--
--    author "Juju Team <juju@lists.ubuntu.com>"
--
--
--    start on runlevel [2345]
--
--    stop on runlevel [!2345]
--
--    respawn
--
--
--    env JUJU_MACHINE_ID="1"
--
--    env JUJU_ZOOKEEPER="es.example.internal:2181"
--
--
--    exec python -m juju.agents.machine --nodaemon --logfile /var/log/juju/machine-agent.log
--    --session-file /var/run/juju/machine-agent.zksession >> /tmp/juju-machine-agent.output
--    2>&1
--
--    EOF
--
--    ', /sbin/start juju-machine-agent]
++runcmd:
++       - sudo mkdir -p /var/lib/juju
++       - sudo mkdir -p /var/log/juju
++       - |
++            cat >> /etc/init/juju-machine-agent.conf <<EOF
++            description "Juju machine agent"
++            author "Juju Team <juju@lists.ubuntu.com>"
++
++            start on runlevel [2345]
++            stop on runlevel [!2345]
++            respawn
++
++            env JUJU_MACHINE_ID="1"
++            env JUJU_ZOOKEEPER="es.example.internal:2181"
++
++            pre-start script
++                # Protects ZooKeeper from access by non-root users.
++                if iptables -C OUTPUT -p tcp --dport 2181 -j juju-protect-zookeepers ; then
++                    iptables -D OUTPUT -p tcp --dport 2181 -j juju-protect-zookeepers
++                fi
++                iptables -F juju-protect-zookeepers && iptables -X juju-protect-zookeepers || :
++                iptables -N juju-protect-zookeepers
++                iptables -I OUTPUT -p tcp --dport 2181 -j juju-protect-zookeepers
++                iptables -A juju-protect-zookeepers -d es.example.internal -m owner \! --uid-owner 0 -j DROP
++            end script
++
++            exec python -m juju.agents.machine --nodaemon --logfile /var/log/juju/machine-agent.log --session-file /var/run/juju/machine-agent.zksession >> /tmp/juju-machine-agent.output 2>&1
++            EOF
++       - /sbin/start juju-machine-agent
  ssh_authorized_keys: [zebra]
 === modified file 'juju/providers/ec2/tests/data/launch_cloud_init_branch'
 --- juju/providers/ec2/tests/data/launch_cloud_init_branch	2012-08-23 16:14:42 +0000
 +++ juju/providers/ec2/tests/data/launch_cloud_init_branch	2012-09-21 23:19:20 +0000
@@ -7,33 +7,37 @@
    machine-id: '1'}
  output: {all: '| tee -a /var/log/cloud-init-output.log'}
  packages: [bzr, byobu, tmux, python-setuptools, python-twisted, python-txaws, python-zookeeper]
--runcmd: [sudo apt-get install -y python-txzookeeper, sudo mkdir -p /usr/lib/juju,
--  'cd /usr/lib/juju && sudo /usr/bin/bzr co lp:~wizard/juju-juicebar juju', cd /usr/lib/juju/juju
--    && sudo python setup.py develop, sudo mkdir -p /var/lib/juju, sudo mkdir -p /var/log/juju,
--  'cat >> /etc/init/juju-machine-agent.conf <<EOF
--
--    description "Juju machine agent"
--
--    author "Juju Team <juju@lists.ubuntu.com>"
--
--
--    start on runlevel [2345]
--
--    stop on runlevel [!2345]
--
--    respawn
--
--
--    env JUJU_MACHINE_ID="1"
--
--    env JUJU_ZOOKEEPER="es.example.internal:2181"
--
--
--    exec python -m juju.agents.machine --nodaemon --logfile /var/log/juju/machine-agent.log
--    --session-file /var/run/juju/machine-agent.zksession >> /tmp/juju-machine-agent.output
--    2>&1
--
--    EOF
--
--    ', /sbin/start juju-machine-agent]
++runcmd:
++       - sudo apt-get install -y python-txzookeeper
++       - sudo mkdir -p /usr/lib/juju
++       - cd /usr/lib/juju && sudo /usr/bin/bzr co lp:~wizard/juju-juicebar juju
++       - cd /usr/lib/juju/juju && sudo python setup.py develop
++       - sudo mkdir -p /var/lib/juju
++       - sudo mkdir -p /var/log/juju
++       - |
++            cat >> /etc/init/juju-machine-agent.conf <<EOF
++            description "Juju machine agent"
++            author "Juju Team <juju@lists.ubuntu.com>"
++
++            start on runlevel [2345]
++            stop on runlevel [!2345]
++            respawn
++
++            env JUJU_MACHINE_ID="1"
++            env JUJU_ZOOKEEPER="es.example.internal:2181"
++
++            pre-start script
++                # Protects ZooKeeper from access by non-root users.
++                if iptables -C OUTPUT -p tcp --dport 2181 -j juju-protect-zookeepers ; then
++                    iptables -D OUTPUT -p tcp --dport 2181 -j juju-protect-zookeepers
++                fi
++                iptables -F juju-protect-zookeepers && iptables -X juju-protect-zookeepers || :
++                iptables -N juju-protect-zookeepers
++                iptables -I OUTPUT -p tcp --dport 2181 -j juju-protect-zookeepers
++                iptables -A juju-protect-zookeepers -d es.example.internal -m owner \! --uid-owner 0 -j DROP
++            end script
++
++            exec python -m juju.agents.machine --nodaemon --logfile /var/log/juju/machine-agent.log --session-file /var/run/juju/machine-agent.zksession >> /tmp/juju-machine-agent.output 2>&1
++            EOF
++       - /sbin/start juju-machine-agent
  ssh_authorized_keys: [zebra]
 === modified file 'juju/providers/ec2/tests/data/launch_cloud_init_ppa'
 --- juju/providers/ec2/tests/data/launch_cloud_init_ppa	2012-08-23 16:14:42 +0000
 +++ juju/providers/ec2/tests/data/launch_cloud_init_ppa	2012-09-21 23:19:20 +0000
@@ -7,31 +7,33 @@
    machine-id: '1'}
  output: {all: '| tee -a /var/log/cloud-init-output.log'}
  packages: [bzr, byobu, tmux, python-setuptools, python-twisted, python-txaws, python-zookeeper, juju]
--runcmd: [sudo mkdir -p /var/lib/juju, sudo mkdir -p
--    /var/log/juju, 'cat >> /etc/init/juju-machine-agent.conf <<EOF
--
--    description "Juju machine agent"
--
--    author "Juju Team <juju@lists.ubuntu.com>"
--
--
--    start on runlevel [2345]
--
--    stop on runlevel [!2345]
--
--    respawn
--
--
--    env JUJU_MACHINE_ID="1"
--
--    env JUJU_ZOOKEEPER="es.example.internal:2181"
--
--
--    exec python -m juju.agents.machine --nodaemon --logfile /var/log/juju/machine-agent.log
--    --session-file /var/run/juju/machine-agent.zksession >> /tmp/juju-machine-agent.output
--    2>&1
--
--    EOF
--
--    ', /sbin/start juju-machine-agent]
++runcmd:
++       - sudo mkdir -p /var/lib/juju
++       - sudo mkdir -p /var/log/juju
++       - |
++            cat >> /etc/init/juju-machine-agent.conf <<EOF
++            description "Juju machine agent"
++            author "Juju Team <juju@lists.ubuntu.com>"
++
++            start on runlevel [2345]
++            stop on runlevel [!2345]
++            respawn
++
++            env JUJU_MACHINE_ID="1"
++            env JUJU_ZOOKEEPER="es.example.internal:2181"
++
++            pre-start script
++                # Protects ZooKeeper from access by non-root users.
++                if iptables -C OUTPUT -p tcp --dport 2181 -j juju-protect-zookeepers ; then
++                    iptables -D OUTPUT -p tcp --dport 2181 -j juju-protect-zookeepers
++                fi
++                iptables -F juju-protect-zookeepers && iptables -X juju-protect-zookeepers || :
++                iptables -N juju-protect-zookeepers
++                iptables -I OUTPUT -p tcp --dport 2181 -j juju-protect-zookeepers
++                iptables -A juju-protect-zookeepers -d es.example.internal -m owner \! --uid-owner 0 -j DROP
++            end script
++
++            exec python -m juju.agents.machine --nodaemon --logfile /var/log/juju/machine-agent.log --session-file /var/run/juju/machine-agent.zksession >> /tmp/juju-machine-agent.output 2>&1
++            EOF
++       - /sbin/start juju-machine-agent
  ssh_authorized_keys: [zebra]
 === modified file 'juju/providers/orchestra/launch.py'
 --- juju/providers/orchestra/launch.py	2012-04-12 01:01:57 +0000
 +++ juju/providers/orchestra/launch.py	2012-09-21 23:19:20 +0000
@@ -46,7 +46,7 @@
              info = yield cobbler.start_system(
                  instance_id, machine_id, series, cloud_init.render())
              returnValue([machine_from_dict(info)])
--        except Exception:
++        except Exception, e:
              log.exception(
                  "Failed to launch machine %s; attempting to revert.",
                  instance_id)
 === modified file 'juju/providers/orchestra/tests/data/bootstrap_user_data'
 --- juju/providers/orchestra/tests/data/bootstrap_user_data	2012-08-23 16:14:42 +0000
 +++ juju/providers/orchestra/tests/data/bootstrap_user_data	2012-09-21 23:19:20 +0000
@@ -5,57 +5,37 @@
  output: {all: '| tee -a /var/log/cloud-init-output.log'}
  packages: [bzr, byobu, tmux, python-setuptools, python-twisted, python-txaws, python-zookeeper,
    default-jre-headless, zookeeper, zookeeperd, juju]
--runcmd: [sudo mkdir -p /var/lib/juju, sudo mkdir -p /var/log/juju, 'juju-admin initialize
--    --instance-id=winston-uid --admin-identity=admin:qRBXC1ubEEUqRL6wcBhgmc9xkaY=
--    --constraints-data=e29yY2hlc3RyYS1jbGFzc2VzOiAnZm9vLGJhcicsIHByb3ZpZGVyLXR5cGU6IG9yY2hlc3RyYSwgdWJ1bnR1LXNlcmllczogYml6YXJyZX0K
--    --provider-type=orchestra', 'cat >> /etc/init/juju-machine-agent.conf <<EOF
--
--    description "Juju machine agent"
--
--    author "Juju Team <juju@lists.ubuntu.com>"
--
--
--    start on runlevel [2345]
--
--    stop on runlevel [!2345]
--
--    respawn
--
--
--    env JUJU_MACHINE_ID="0"
--
--    env JUJU_ZOOKEEPER="localhost:2181"
--
--
--    exec python -m juju.agents.machine --nodaemon --logfile /var/log/juju/machine-agent.log
--    --session-file /var/run/juju/machine-agent.zksession >> /tmp/juju-machine-agent.output
--    2>&1
--
--    EOF
--
--    ', /sbin/start juju-machine-agent, 'cat >> /etc/init/juju-provision-agent.conf
--    <<EOF
--
--    description "Juju provisioning agent"
--
--    author "Juju Team <juju@lists.ubuntu.com>"
--
--
--    start on runlevel [2345]
--
--    stop on runlevel [!2345]
--
--    respawn
--
--
--    env JUJU_ZOOKEEPER="localhost:2181"
--
--
--    exec python -m juju.agents.provision --nodaemon --logfile /var/log/juju/provision-agent.log
--    --session-file /var/run/juju/provision-agent.zksession >> /tmp/juju-provision-agent.output
--    2>&1
--
--    EOF
--
--    ', /sbin/start juju-provision-agent]
++runcmd:
++       - sudo mkdir -p /var/lib/juju
++       - sudo mkdir -p /var/log/juju
++       - juju-admin initialize --instance-id=winston-uid --admin-identity=admin:qRBXC1ubEEUqRL6wcBhgmc9xkaY= --constraints-data=e29yY2hlc3RyYS1jbGFzc2VzOiAnZm9vLGJhcicsIHByb3ZpZGVyLXR5cGU6IG9yY2hlc3RyYSwgdWJ1bnR1LXNlcmllczogYml6YXJyZX0K --provider-type=orchestra
++       - |
++            cat >> /etc/init/juju-machine-agent.conf <<EOF
++            description "Juju machine agent"
++            author "Juju Team <juju@lists.ubuntu.com>"
++
++            start on runlevel [2345]
++            stop on runlevel [!2345]
++            respawn
++
++            env JUJU_MACHINE_ID="0"
++            env JUJU_ZOOKEEPER="localhost:2181"
++
++            exec python -m juju.agents.machine --nodaemon --logfile /var/log/juju/machine-agent.log --session-file /var/run/juju/machine-agent.zksession >> /tmp/juju-machine-agent.output 2>&1
++            EOF
++       - /sbin/start juju-machine-agent
++       - |
++            cat >> /etc/init/juju-provision-agent.conf <<EOF
++            description "Juju provisioning agent"
++            author "Juju Team <juju@lists.ubuntu.com>"
++
++            start on runlevel [2345]
++            stop on runlevel [!2345]
++            respawn
++
++            env JUJU_ZOOKEEPER="localhost:2181"
++
++            exec python -m juju.agents.provision --nodaemon --logfile /var/log/juju/provision-agent.log --session-file /var/run/juju/provision-agent.zksession >> /tmp/juju-provision-agent.output 2>&1
++            EOF
++       - /sbin/start juju-provision-agent
  ssh_authorized_keys: [this-is-a-public-key]
 === modified file 'juju/providers/orchestra/tests/data/launch_user_data'
 --- juju/providers/orchestra/tests/data/launch_user_data	2012-08-23 16:14:42 +0000
 +++ juju/providers/orchestra/tests/data/launch_user_data	2012-09-21 23:19:20 +0000
@@ -4,31 +4,33 @@
    machine-id: '42'}
  output: {all: '| tee -a /var/log/cloud-init-output.log'}
  packages: [bzr, byobu, tmux, python-setuptools, python-twisted, python-txaws, python-zookeeper, juju]
--runcmd: [sudo mkdir -p /var/lib/juju, sudo mkdir -p
--    /var/log/juju, 'cat >> /etc/init/juju-machine-agent.conf <<EOF
--
--    description "Juju machine agent"
--
--    author "Juju Team <juju@lists.ubuntu.com>"
--
--
--    start on runlevel [2345]
--
--    stop on runlevel [!2345]
--
--    respawn
--
--
--    env JUJU_MACHINE_ID="42"
--
--    env JUJU_ZOOKEEPER="jennifer:2181"
--
--
--    exec python -m juju.agents.machine --nodaemon --logfile /var/log/juju/machine-agent.log
--    --session-file /var/run/juju/machine-agent.zksession >> /tmp/juju-machine-agent.output
--    2>&1
--
--    EOF
--
--    ', /sbin/start juju-machine-agent]
++runcmd:
++       - sudo mkdir -p /var/lib/juju
++       - sudo mkdir -p /var/log/juju
++       - |
++            cat >> /etc/init/juju-machine-agent.conf <<EOF
++            description "Juju machine agent"
++            author "Juju Team <juju@lists.ubuntu.com>"
++
++            start on runlevel [2345]
++            stop on runlevel [!2345]
++            respawn
++
++            env JUJU_MACHINE_ID="42"
++            env JUJU_ZOOKEEPER="jennifer:2181"
++
++            pre-start script
++                # Protects ZooKeeper from access by non-root users.
++                if iptables -C OUTPUT -p tcp --dport 2181 -j juju-protect-zookeepers ; then
++                    iptables -D OUTPUT -p tcp --dport 2181 -j juju-protect-zookeepers
++                fi
++                iptables -F juju-protect-zookeepers && iptables -X juju-protect-zookeepers || :
++                iptables -N juju-protect-zookeepers
++                iptables -I OUTPUT -p tcp --dport 2181 -j juju-protect-zookeepers
++                iptables -A juju-protect-zookeepers -d jennifer -m owner \! --uid-owner 0 -j DROP
++            end script
++
++            exec python -m juju.agents.machine --nodaemon --logfile /var/log/juju/machine-agent.log --session-file /var/run/juju/machine-agent.zksession >> /tmp/juju-machine-agent.output 2>&1
++            EOF
++       - /sbin/start juju-machine-agent
  ssh_authorized_keys: [this-is-a-public-key]