Merge lp:~clint-fewbar/pyjuju/add-egress-zookeeper-protection into lp:pyjuju
Proposed by Clint Byrum
Status: Needs review
Proposed branch: lp:~clint-fewbar/pyjuju/add-egress-zookeeper-protection
Merge into: lp:pyjuju
Diff against target: 1150 lines (+496/-461), 18 files modified
- juju/lib/tests/data/test_prestart (+10/-0)
- juju/lib/tests/test_upstart.py (+14/-0)
- juju/lib/upstart.py (+6/-1)
- juju/providers/common/cloudinit.py (+43/-0)
- juju/providers/common/tests/data/cloud_init_bootstrap (+33/-52)
- juju/providers/common/tests/data/cloud_init_bootstrap_zookeepers (+45/-52)
- juju/providers/common/tests/data/cloud_init_branch (+34/-29)
- juju/providers/common/tests/data/cloud_init_branch_trunk (+34/-29)
- juju/providers/common/tests/data/cloud_init_distro (+30/-27)
- juju/providers/common/tests/data/cloud_init_ppa (+30/-27)
- juju/providers/common/tests/data/cloud_init_proposed (+30/-27)
- juju/providers/ec2/tests/data/bootstrap_cloud_init (+33/-53)
- juju/providers/ec2/tests/data/launch_cloud_init (+29/-27)
- juju/providers/ec2/tests/data/launch_cloud_init_branch (+33/-29)
- juju/providers/ec2/tests/data/launch_cloud_init_ppa (+29/-27)
- juju/providers/orchestra/launch.py (+1/-1)
- juju/providers/orchestra/tests/data/bootstrap_user_data (+33/-53)
- juju/providers/orchestra/tests/data/launch_user_data (+29/-27)
To merge this branch: bzr merge lp:~clint-fewbar/pyjuju/add-egress-zookeeper-protection
Related bugs:
Reviewer | Review Type | Date Requested | Status |
---|---|---|---|
Juju Engineering | | | Pending |
Review via email: mp+125832@code.launchpad.net
Commit message
Description of the change
protect zookeeper from non-root direct access
Adds pre-start capability to juju.lib.upstart. Also reformatted tests'
cloud-config data to be more readable.
Kapil Thangavelu (hazmat) wrote:
Cool. I'll have to brush up on my iptables syntax. Does the impl here
support service restarts?
Unmerged revisions
- 588. By Clint Byrum: special case localhost because it is needed for client<->zookeeper communication
- 587. By Clint Byrum: fixing test data to match new pre-start
- 586. By Clint Byrum: fix pre-start
- 585. By Clint Byrum: remove debugging aids from tests
- 584. By Clint Byrum: fixing upstart tests
- 583. By Clint Byrum: fixing EC2 tests
- 582. By Clint Byrum: fix orchestra launch tests
- 581. By Clint Byrum: fixing bootstrap user data
- 580. By Clint Byrum: Add iptables rule as pre-start for machine agent to prevent non-root access to ZK
- 579. By Clint Byrum: add prestart to juju.lib.upstart
Preview Diff
1 | === added file 'juju/lib/tests/data/test_prestart' |
2 | --- juju/lib/tests/data/test_prestart 1970-01-01 00:00:00 +0000 |
3 | +++ juju/lib/tests/data/test_prestart 2012-09-21 23:19:20 +0000 |
4 | @@ -0,0 +1,10 @@ |
5 | +description "uninteresting service" |
6 | +author "Juju Team <juju@lists.ubuntu.com>" |
7 | + |
8 | +start on runlevel [2345] |
9 | +stop on runlevel [!2345] |
10 | +respawn |
11 | + |
12 | + |
13 | +pre-start exec /bin/true |
14 | +exec /bin/false >> /tmp/some-name.output 2>&1 |
15 | |
16 | === modified file 'juju/lib/tests/test_upstart.py' |
17 | --- juju/lib/tests/test_upstart.py 2012-01-27 16:12:47 +0000 |
18 | +++ juju/lib/tests/test_upstart.py 2012-09-21 23:19:20 +0000 |
19 | @@ -183,6 +183,20 @@ |
20 | self.assert_conf("test_basic_install") |
21 | |
22 | @inlineCallbacks |
23 | + def test_prestart(self): |
24 | + """Check a simple UpstartService writes expected conf file""" |
25 | + e = yield self.assertFailure(self.service.install(), ServiceError) |
26 | + self.assertEquals(str(e), "Cannot render .conf: no description set") |
27 | + self.service.set_description("uninteresting service") |
28 | + e = yield self.assertFailure(self.service.install(), ServiceError) |
29 | + self.assertEquals(str(e), "Cannot render .conf: no command set") |
30 | + self.service.set_command("/bin/false") |
31 | + self.service.set_prestart("pre-start exec /bin/true") |
32 | + yield self.service.install() |
33 | + |
34 | + self.assert_conf("test_prestart") |
35 | + |
36 | + @inlineCallbacks |
37 | def test_less_basic_install(self): |
38 | """Check conf for a different UpstartService (which sets an env var)""" |
39 | self.service.set_description("pew pew pew blam") |
40 | |
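Review bot: The docstring on `test_prestart` ("Check a simple UpstartService writes expected conf file") does not mention the pre-start stanza, and the two `assertFailure` checks for a missing description and a missing command have nothing to do with pre-start. Reword the docstring to say that a stanza passed to `set_prestart` is rendered ahead of `exec`, and drop the unrelated failure assertions so the test isolates the new behaviour. A second case with a multi-line `pre-start script ... end script` body would cover the form that cloudinit.py actually passes in.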
41 | === modified file 'juju/lib/upstart.py' |
42 | --- juju/lib/upstart.py 2012-08-03 10:55:21 +0000 |
43 | +++ juju/lib/upstart.py 2012-09-21 23:19:20 +0000 |
44 | @@ -19,7 +19,7 @@ |
45 | respawn |
46 | |
47 | %s |
48 | - |
49 | +%s |
50 | exec %s >> %s 2>&1 |
51 | """ |
52 | |
53 | @@ -41,6 +41,7 @@ |
54 | self._use_sudo = use_sudo |
55 | self._output_path = None |
56 | self._description = None |
57 | + self._prestart = '' |
58 | self._environ = {} |
59 | self._command = None |
60 | |
61 | @@ -61,6 +62,9 @@ |
62 | def set_environ(self, environ): |
63 | self._environ = environ |
64 | |
65 | + def set_prestart(self, prestart): |
66 | + self._prestart = prestart |
67 | + |
68 | def set_command(self, command): |
69 | self._command = command |
70 | |
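Review bot: `set_prestart` has no docstring and stores whatever string it is given, so the caller has to know to pass a complete upstart stanza including the `pre-start` keyword (the test passes "pre-start exec /bin/true"). Either document that contract on the method, or accept only the script body and let the template emit `pre-start script` and `end script`, which keeps the stanza syntax in one place and stops a caller from slipping unrelated stanzas into the job file.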
71 | @@ -83,6 +87,7 @@ |
72 | self._description, |
73 | "\n".join('env %s="%s"' % kv |
74 | for kv in sorted(self._environ.items())), |
75 | + self._prestart, |
76 | self._command, |
77 | self.output_path) |
78 | |
79 | |
80 | === modified file 'juju/providers/common/cloudinit.py' |
81 | --- juju/providers/common/cloudinit.py 2012-09-10 03:20:20 +0000 |
82 | +++ juju/providers/common/cloudinit.py 2012-09-21 23:19:20 +0000 |
83 | @@ -14,6 +14,24 @@ |
84 | BRANCH = "branch" |
85 | PROPOSED = "proposed" |
86 | |
87 | +_MACHINE_AGENT_PRESTART = """ |
88 | +pre-start script |
89 | + # Protects ZooKeeper from access by non-root users. |
90 | +%(deleteports)s |
91 | + iptables -F juju-protect-zookeepers && iptables -X juju-protect-zookeepers || : |
92 | + iptables -N juju-protect-zookeepers |
93 | +%(insertports)s |
94 | +%(hostlines)s |
95 | +end script |
96 | +""" |
97 | + |
98 | +_MACHINE_AGENT_HOST_IPTABLES = """ iptables -A juju-protect-zookeepers -d %s -m owner \! --uid-owner 0 -j DROP""" |
99 | +_MACHINE_AGENT_PORT_IPTABLES = """OUTPUT -p tcp --dport %s -j juju-protect-zookeepers""" |
100 | +_MACHINE_AGENT_DPORT_IPTABLES = """ if iptables -C %s ; then |
101 | + iptables -D %s |
102 | + fi""" |
103 | +_MACHINE_AGENT_IPORT_IPTABLES = ' iptables -I %s' |
104 | + |
105 | |
106 | def _branch_install_scripts(branch): |
107 | return [ |
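Review bot: In `_MACHINE_AGENT_PRESTART`, `iptables -N juju-protect-zookeepers` runs unguarded right after `iptables -F ... && iptables -X ... || :`. If the `-X` fails and is swallowed (for example the chain is still referenced by an OUTPUT jump for a port that is no longer in the rendered list, or by a duplicate jump that the single `-D` did not remove), `-N` then fails on the existing chain. Upstart runs script stanzas with `sh -e`, so that failure keeps the machine agent from starting on a restart. Creating the chain only when it is missing and flushing it otherwise, while leaving the OUTPUT jump in place, would make the block idempotent and would also close the window in which the jump rule has been deleted and nothing is filtered. Minor: `\!` sits in a non-raw Python string and only survives because it is not a recognised escape; a raw string would make that explicit.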
108 | @@ -50,6 +68,31 @@ |
109 | service.set_description("Juju machine agent") |
110 | service.set_environ( |
111 | {"JUJU_MACHINE_ID": machine_id, "JUJU_ZOOKEEPER": zookeeper_hosts}) |
112 | + |
113 | + zk_hosts_list = zookeeper_hosts.split(',') |
114 | + zk_with_port = [ x.split(':') for x in zk_hosts_list ] |
115 | + host_lines = [] |
116 | + ports = set() |
117 | + for zk in zk_with_port: |
118 | + # Can't block localhost because of client<->zk tunnel. |
119 | + if zk[0] == 'localhost': |
120 | + continue |
121 | + if len(zk) >= 2: |
122 | + ports.add(zk[1]) |
123 | + host_lines.append(_MACHINE_AGENT_HOST_IPTABLES % (zk[0])) |
124 | + # Only add if there is at least one host to protect |
125 | + if len(host_lines): |
126 | + del_port_lines = [] |
127 | + ins_port_lines = [] |
128 | + for port in ports: |
129 | + rule = _MACHINE_AGENT_PORT_IPTABLES % (port) |
130 | + del_port_lines.append(_MACHINE_AGENT_DPORT_IPTABLES % (rule, rule)) |
131 | + ins_port_lines.append(_MACHINE_AGENT_IPORT_IPTABLES % (rule)) |
132 | + service.set_prestart(_MACHINE_AGENT_PRESTART % { |
133 | + 'deleteports': "\n".join(del_port_lines), |
134 | + 'insertports': "\n".join(ins_port_lines), |
135 | + 'hostlines':"\n".join(host_lines)}) |
136 | + |
137 | service.set_command( |
138 | "python -m juju.agents.machine --nodaemon " |
139 | "--logfile /var/log/juju/machine-agent.log " |
140 | |
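Review bot: The loop adds to `ports` only when `len(zk) >= 2` but appends a host rule regardless, so an entry in `zookeeper_hosts` without an explicit port never gets an OUTPUT jump for its port; if no entry carries a port, the chain is created with DROP rules and nothing references it, and the protection is silently absent. Default the port or reject the entry. Further points in the same block: the host and port strings are interpolated into a script that runs as root without being stripped or validated, so restrict them to hostname/address characters and digits before rendering; `x.split(':')` mis-parses IPv6 literals; the exemption matches only the literal string 'localhost', not 127.0.0.1; and iterating the `ports` set has no stable order, so sort it to keep the rendered job and the fixtures deterministic. Style: `if len(host_lines):` can be `if host_lines:`, and `'hostlines':"\n".join(host_lines)` is missing the space after the colon.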
141 | === modified file 'juju/providers/common/tests/data/cloud_init_bootstrap' |
142 | --- juju/providers/common/tests/data/cloud_init_bootstrap 2012-08-23 16:14:42 +0000 |
143 | +++ juju/providers/common/tests/data/cloud_init_bootstrap 2012-09-21 23:19:20 +0000 |
144 | @@ -6,56 +6,37 @@ |
145 | output: {all: '| tee -a /var/log/cloud-init-output.log'} |
146 | packages: [bzr, byobu, tmux, python-setuptools, python-twisted, python-txaws, python-zookeeper, |
147 | default-jre-headless, zookeeper, zookeeperd, juju] |
148 | -runcmd: [sudo mkdir -p /var/lib/juju, sudo mkdir -p /var/log/juju, 'juju-admin initialize |
149 | - --instance-id=token --admin-identity=admin:19vlzY4Vc3q4Ew5OsCwKYqrq1HI= --constraints-data=e2NwdTogJzIwJywgcHJvdmlkZXItdHlwZTogZHVtbXksIHVidW50dS1zZXJpZXM6IGFzdG9uaXNoaW5nfQo= |
150 | - --provider-type=dummy', 'cat >> /etc/init/juju-machine-agent.conf <<EOF |
151 | - |
152 | - description "Juju machine agent" |
153 | - |
154 | - author "Juju Team <juju@lists.ubuntu.com>" |
155 | - |
156 | - |
157 | - start on runlevel [2345] |
158 | - |
159 | - stop on runlevel [!2345] |
160 | - |
161 | - respawn |
162 | - |
163 | - |
164 | - env JUJU_MACHINE_ID="passport" |
165 | - |
166 | - env JUJU_ZOOKEEPER="localhost:2181" |
167 | - |
168 | - |
169 | - exec python -m juju.agents.machine --nodaemon --logfile /var/log/juju/machine-agent.log |
170 | - --session-file /var/run/juju/machine-agent.zksession >> /tmp/juju-machine-agent.output |
171 | - 2>&1 |
172 | - |
173 | - EOF |
174 | - |
175 | - ', /sbin/start juju-machine-agent, 'cat >> /etc/init/juju-provision-agent.conf |
176 | - <<EOF |
177 | - |
178 | - description "Juju provisioning agent" |
179 | - |
180 | - author "Juju Team <juju@lists.ubuntu.com>" |
181 | - |
182 | - |
183 | - start on runlevel [2345] |
184 | - |
185 | - stop on runlevel [!2345] |
186 | - |
187 | - respawn |
188 | - |
189 | - |
190 | - env JUJU_ZOOKEEPER="localhost:2181" |
191 | - |
192 | - |
193 | - exec python -m juju.agents.provision --nodaemon --logfile /var/log/juju/provision-agent.log |
194 | - --session-file /var/run/juju/provision-agent.zksession >> /tmp/juju-provision-agent.output |
195 | - 2>&1 |
196 | - |
197 | - EOF |
198 | - |
199 | - ', /sbin/start juju-provision-agent] |
200 | +runcmd: |
201 | + - sudo mkdir -p /var/lib/juju |
202 | + - sudo mkdir -p /var/log/juju |
203 | + - juju-admin initialize --instance-id=token --admin-identity=admin:19vlzY4Vc3q4Ew5OsCwKYqrq1HI= --constraints-data=e2NwdTogJzIwJywgcHJvdmlkZXItdHlwZTogZHVtbXksIHVidW50dS1zZXJpZXM6IGFzdG9uaXNoaW5nfQo= --provider-type=dummy |
204 | + - | |
205 | + cat >> /etc/init/juju-machine-agent.conf <<EOF |
206 | + description "Juju machine agent" |
207 | + author "Juju Team <juju@lists.ubuntu.com>" |
208 | + |
209 | + start on runlevel [2345] |
210 | + stop on runlevel [!2345] |
211 | + respawn |
212 | + |
213 | + env JUJU_MACHINE_ID="passport" |
214 | + env JUJU_ZOOKEEPER="localhost:2181" |
215 | + |
216 | + exec python -m juju.agents.machine --nodaemon --logfile /var/log/juju/machine-agent.log --session-file /var/run/juju/machine-agent.zksession >> /tmp/juju-machine-agent.output 2>&1 |
217 | + EOF |
218 | + - /sbin/start juju-machine-agent |
219 | + - | |
220 | + cat >> /etc/init/juju-provision-agent.conf <<EOF |
221 | + description "Juju provisioning agent" |
222 | + author "Juju Team <juju@lists.ubuntu.com>" |
223 | + |
224 | + start on runlevel [2345] |
225 | + stop on runlevel [!2345] |
226 | + respawn |
227 | + |
228 | + env JUJU_ZOOKEEPER="localhost:2181" |
229 | + |
230 | + exec python -m juju.agents.provision --nodaemon --logfile /var/log/juju/provision-agent.log --session-file /var/run/juju/provision-agent.zksession >> /tmp/juju-provision-agent.output 2>&1 |
231 | + EOF |
232 | + - /sbin/start juju-provision-agent |
233 | ssh_authorized_keys: [chubb] |
234 | |
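Review bot: The switch of `runcmd` from a flow-style list to block style with literal scalars should land as its own revision ahead of this branch. In this fixture it is the only change (no pre-start stanza is rendered, since the sole ZooKeeper is `localhost:2181`), and carrying the reformat through 18 files makes the behavioural changes in the other fixtures hard to pick out. With the reformat merged first, the diff here would be empty and the remaining fixtures would show only the added `pre-start script` blocks.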
235 | === modified file 'juju/providers/common/tests/data/cloud_init_bootstrap_zookeepers' |
236 | --- juju/providers/common/tests/data/cloud_init_bootstrap_zookeepers 2012-08-23 16:14:42 +0000 |
237 | +++ juju/providers/common/tests/data/cloud_init_bootstrap_zookeepers 2012-09-21 23:19:20 +0000 |
238 | @@ -6,56 +6,49 @@ |
239 | output: {all: '| tee -a /var/log/cloud-init-output.log'} |
240 | packages: [bzr, byobu, tmux, python-setuptools, python-twisted, python-txaws, python-zookeeper, |
241 | default-jre-headless, zookeeper, zookeeperd, juju] |
242 | -runcmd: [sudo mkdir -p /var/lib/juju, sudo mkdir -p /var/log/juju, 'juju-admin initialize |
243 | - --instance-id=token --admin-identity=admin:19vlzY4Vc3q4Ew5OsCwKYqrq1HI= --constraints-data=e2NwdTogJzIwJywgcHJvdmlkZXItdHlwZTogZHVtbXksIHVidW50dS1zZXJpZXM6IGFzdG9uaXNoaW5nfQo= |
244 | - --provider-type=dummy', 'cat >> /etc/init/juju-machine-agent.conf <<EOF |
245 | - |
246 | - description "Juju machine agent" |
247 | - |
248 | - author "Juju Team <juju@lists.ubuntu.com>" |
249 | - |
250 | - |
251 | - start on runlevel [2345] |
252 | - |
253 | - stop on runlevel [!2345] |
254 | - |
255 | - respawn |
256 | - |
257 | - |
258 | - env JUJU_MACHINE_ID="passport" |
259 | - |
260 | - env JUJU_ZOOKEEPER="cotswold:2181,longleat:2181,localhost:2181" |
261 | - |
262 | - |
263 | - exec python -m juju.agents.machine --nodaemon --logfile /var/log/juju/machine-agent.log |
264 | - --session-file /var/run/juju/machine-agent.zksession >> /tmp/juju-machine-agent.output |
265 | - 2>&1 |
266 | - |
267 | - EOF |
268 | - |
269 | - ', /sbin/start juju-machine-agent, 'cat >> /etc/init/juju-provision-agent.conf |
270 | - <<EOF |
271 | - |
272 | - description "Juju provisioning agent" |
273 | - |
274 | - author "Juju Team <juju@lists.ubuntu.com>" |
275 | - |
276 | - |
277 | - start on runlevel [2345] |
278 | - |
279 | - stop on runlevel [!2345] |
280 | - |
281 | - respawn |
282 | - |
283 | - |
284 | - env JUJU_ZOOKEEPER="cotswold:2181,longleat:2181,localhost:2181" |
285 | - |
286 | - |
287 | - exec python -m juju.agents.provision --nodaemon --logfile /var/log/juju/provision-agent.log |
288 | - --session-file /var/run/juju/provision-agent.zksession >> /tmp/juju-provision-agent.output |
289 | - 2>&1 |
290 | - |
291 | - EOF |
292 | - |
293 | - ', /sbin/start juju-provision-agent] |
294 | +runcmd: |
295 | + - sudo mkdir -p /var/lib/juju |
296 | + - sudo mkdir -p /var/log/juju |
297 | + - juju-admin initialize --instance-id=token --admin-identity=admin:19vlzY4Vc3q4Ew5OsCwKYqrq1HI= --constraints-data=e2NwdTogJzIwJywgcHJvdmlkZXItdHlwZTogZHVtbXksIHVidW50dS1zZXJpZXM6IGFzdG9uaXNoaW5nfQo= --provider-type=dummy |
298 | + - | |
299 | + cat >> /etc/init/juju-machine-agent.conf <<EOF |
300 | + description "Juju machine agent" |
301 | + author "Juju Team <juju@lists.ubuntu.com>" |
302 | + |
303 | + start on runlevel [2345] |
304 | + stop on runlevel [!2345] |
305 | + respawn |
306 | + |
307 | + env JUJU_MACHINE_ID="passport" |
308 | + env JUJU_ZOOKEEPER="cotswold:2181,longleat:2181,localhost:2181" |
309 | + |
310 | + pre-start script |
311 | + # Protects ZooKeeper from access by non-root users. |
312 | + if iptables -C OUTPUT -p tcp --dport 2181 -j juju-protect-zookeepers ; then |
313 | + iptables -D OUTPUT -p tcp --dport 2181 -j juju-protect-zookeepers |
314 | + fi |
315 | + iptables -F juju-protect-zookeepers && iptables -X juju-protect-zookeepers || : |
316 | + iptables -N juju-protect-zookeepers |
317 | + iptables -I OUTPUT -p tcp --dport 2181 -j juju-protect-zookeepers |
318 | + iptables -A juju-protect-zookeepers -d cotswold -m owner \! --uid-owner 0 -j DROP |
319 | + iptables -A juju-protect-zookeepers -d longleat -m owner \! --uid-owner 0 -j DROP |
320 | + end script |
321 | + |
322 | + exec python -m juju.agents.machine --nodaemon --logfile /var/log/juju/machine-agent.log --session-file /var/run/juju/machine-agent.zksession >> /tmp/juju-machine-agent.output 2>&1 |
323 | + EOF |
324 | + - /sbin/start juju-machine-agent |
325 | + - | |
326 | + cat >> /etc/init/juju-provision-agent.conf <<EOF |
327 | + description "Juju provisioning agent" |
328 | + author "Juju Team <juju@lists.ubuntu.com>" |
329 | + |
330 | + start on runlevel [2345] |
331 | + stop on runlevel [!2345] |
332 | + respawn |
333 | + |
334 | + env JUJU_ZOOKEEPER="cotswold:2181,longleat:2181,localhost:2181" |
335 | + |
336 | + exec python -m juju.agents.provision --nodaemon --logfile /var/log/juju/provision-agent.log --session-file /var/run/juju/provision-agent.zksession >> /tmp/juju-provision-agent.output 2>&1 |
337 | + EOF |
338 | + - /sbin/start juju-provision-agent |
339 | ssh_authorized_keys: [chubb] |
340 | |
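Review bot: The rendered pre-start block adds DROP rules for `cotswold` and `longleat` but none for `localhost`, although `JUJU_ZOOKEEPER` lists `localhost:2181`, so on a machine that runs ZooKeeper itself, connections from non-root local processes are not filtered. If the client tunnel is the only reason for the exemption, state that limitation in the merge description and track the local case as a follow-up. Separately, the job file is written through an unquoted `<<EOF` heredoc, so the shell expands `$` and backticks inside the pre-start body when cloud-init runs the command; quoting the delimiter would keep any future script content literal.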
341 | === modified file 'juju/providers/common/tests/data/cloud_init_branch' |
342 | --- juju/providers/common/tests/data/cloud_init_branch 2012-08-23 16:14:42 +0000 |
343 | +++ juju/providers/common/tests/data/cloud_init_branch 2012-09-21 23:19:20 +0000 |
344 | @@ -7,33 +7,38 @@ |
345 | machine-id: passport} |
346 | output: {all: '| tee -a /var/log/cloud-init-output.log'} |
347 | packages: [bzr, byobu, tmux, python-setuptools, python-twisted, python-txaws, python-zookeeper] |
348 | -runcmd: [sudo apt-get install -y python-txzookeeper, sudo mkdir -p /usr/lib/juju, |
349 | - 'cd /usr/lib/juju && sudo /usr/bin/bzr co lp:blah/juju/blah-blah juju', cd /usr/lib/juju/juju |
350 | - && sudo python setup.py develop, sudo mkdir -p /var/lib/juju, sudo mkdir -p /var/log/juju, |
351 | - 'cat >> /etc/init/juju-machine-agent.conf <<EOF |
352 | - |
353 | - description "Juju machine agent" |
354 | - |
355 | - author "Juju Team <juju@lists.ubuntu.com>" |
356 | - |
357 | - |
358 | - start on runlevel [2345] |
359 | - |
360 | - stop on runlevel [!2345] |
361 | - |
362 | - respawn |
363 | - |
364 | - |
365 | - env JUJU_MACHINE_ID="passport" |
366 | - |
367 | - env JUJU_ZOOKEEPER="cotswold:2181,longleat:2181" |
368 | - |
369 | - |
370 | - exec python -m juju.agents.machine --nodaemon --logfile /var/log/juju/machine-agent.log |
371 | - --session-file /var/run/juju/machine-agent.zksession >> /tmp/juju-machine-agent.output |
372 | - 2>&1 |
373 | - |
374 | - EOF |
375 | - |
376 | - ', /sbin/start juju-machine-agent] |
377 | +runcmd: |
378 | + - sudo apt-get install -y python-txzookeeper |
379 | + - sudo mkdir -p /usr/lib/juju |
380 | + - cd /usr/lib/juju && sudo /usr/bin/bzr co lp:blah/juju/blah-blah juju |
381 | + - cd /usr/lib/juju/juju && sudo python setup.py develop |
382 | + - sudo mkdir -p /var/lib/juju |
383 | + - sudo mkdir -p /var/log/juju |
384 | + - | |
385 | + cat >> /etc/init/juju-machine-agent.conf <<EOF |
386 | + description "Juju machine agent" |
387 | + author "Juju Team <juju@lists.ubuntu.com>" |
388 | + |
389 | + start on runlevel [2345] |
390 | + stop on runlevel [!2345] |
391 | + respawn |
392 | + |
393 | + env JUJU_MACHINE_ID="passport" |
394 | + env JUJU_ZOOKEEPER="cotswold:2181,longleat:2181" |
395 | + |
396 | + pre-start script |
397 | + # Protects ZooKeeper from access by non-root users. |
398 | + if iptables -C OUTPUT -p tcp --dport 2181 -j juju-protect-zookeepers ; then |
399 | + iptables -D OUTPUT -p tcp --dport 2181 -j juju-protect-zookeepers |
400 | + fi |
401 | + iptables -F juju-protect-zookeepers && iptables -X juju-protect-zookeepers || : |
402 | + iptables -N juju-protect-zookeepers |
403 | + iptables -I OUTPUT -p tcp --dport 2181 -j juju-protect-zookeepers |
404 | + iptables -A juju-protect-zookeepers -d cotswold -m owner \! --uid-owner 0 -j DROP |
405 | + iptables -A juju-protect-zookeepers -d longleat -m owner \! --uid-owner 0 -j DROP |
406 | + end script |
407 | + |
408 | + exec python -m juju.agents.machine --nodaemon --logfile /var/log/juju/machine-agent.log --session-file /var/run/juju/machine-agent.zksession >> /tmp/juju-machine-agent.output 2>&1 |
409 | + EOF |
410 | + - /sbin/start juju-machine-agent |
411 | ssh_authorized_keys: [chubb] |
412 | |
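Review bot: The host rules use names (`-d cotswold`, `-d longleat`), which iptables resolves once, when the rule is added. If a name does not resolve at the moment the job starts, the command fails and, under upstart's `sh -e`, the agent does not start; if the address behind the name changes later, the rule keeps matching the old address. Rendering resolved addresses, or re-applying the rules whenever the ZooKeeper set changes, would make the behaviour predictable. The rules also cover IPv4 only, since nothing is added through ip6tables.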
413 | === modified file 'juju/providers/common/tests/data/cloud_init_branch_trunk' |
414 | --- juju/providers/common/tests/data/cloud_init_branch_trunk 2012-08-23 16:14:42 +0000 |
415 | +++ juju/providers/common/tests/data/cloud_init_branch_trunk 2012-09-21 23:19:20 +0000 |
416 | @@ -7,33 +7,38 @@ |
417 | machine-id: passport} |
418 | output: {all: '| tee -a /var/log/cloud-init-output.log'} |
419 | packages: [bzr, byobu, tmux, python-setuptools, python-twisted, python-txaws, python-zookeeper] |
420 | -runcmd: [sudo apt-get install -y python-txzookeeper, sudo mkdir -p /usr/lib/juju, |
421 | - 'cd /usr/lib/juju && sudo /usr/bin/bzr co lp:juju juju', cd /usr/lib/juju/juju && |
422 | - sudo python setup.py develop, sudo mkdir -p /var/lib/juju, sudo mkdir -p /var/log/juju, |
423 | - 'cat >> /etc/init/juju-machine-agent.conf <<EOF |
424 | - |
425 | - description "Juju machine agent" |
426 | - |
427 | - author "Juju Team <juju@lists.ubuntu.com>" |
428 | - |
429 | - |
430 | - start on runlevel [2345] |
431 | - |
432 | - stop on runlevel [!2345] |
433 | - |
434 | - respawn |
435 | - |
436 | - |
437 | - env JUJU_MACHINE_ID="passport" |
438 | - |
439 | - env JUJU_ZOOKEEPER="cotswold:2181,longleat:2181" |
440 | - |
441 | - |
442 | - exec python -m juju.agents.machine --nodaemon --logfile /var/log/juju/machine-agent.log |
443 | - --session-file /var/run/juju/machine-agent.zksession >> /tmp/juju-machine-agent.output |
444 | - 2>&1 |
445 | - |
446 | - EOF |
447 | - |
448 | - ', /sbin/start juju-machine-agent] |
449 | +runcmd: |
450 | + - sudo apt-get install -y python-txzookeeper |
451 | + - sudo mkdir -p /usr/lib/juju |
452 | + - cd /usr/lib/juju && sudo /usr/bin/bzr co lp:juju juju |
453 | + - cd /usr/lib/juju/juju && sudo python setup.py develop |
454 | + - sudo mkdir -p /var/lib/juju |
455 | + - sudo mkdir -p /var/log/juju |
456 | + - | |
457 | + cat >> /etc/init/juju-machine-agent.conf <<EOF |
458 | + description "Juju machine agent" |
459 | + author "Juju Team <juju@lists.ubuntu.com>" |
460 | + |
461 | + start on runlevel [2345] |
462 | + stop on runlevel [!2345] |
463 | + respawn |
464 | + |
465 | + env JUJU_MACHINE_ID="passport" |
466 | + env JUJU_ZOOKEEPER="cotswold:2181,longleat:2181" |
467 | + |
468 | + pre-start script |
469 | + # Protects ZooKeeper from access by non-root users. |
470 | + if iptables -C OUTPUT -p tcp --dport 2181 -j juju-protect-zookeepers ; then |
471 | + iptables -D OUTPUT -p tcp --dport 2181 -j juju-protect-zookeepers |
472 | + fi |
473 | + iptables -F juju-protect-zookeepers && iptables -X juju-protect-zookeepers || : |
474 | + iptables -N juju-protect-zookeepers |
475 | + iptables -I OUTPUT -p tcp --dport 2181 -j juju-protect-zookeepers |
476 | + iptables -A juju-protect-zookeepers -d cotswold -m owner \! --uid-owner 0 -j DROP |
477 | + iptables -A juju-protect-zookeepers -d longleat -m owner \! --uid-owner 0 -j DROP |
478 | + end script |
479 | + |
480 | + exec python -m juju.agents.machine --nodaemon --logfile /var/log/juju/machine-agent.log --session-file /var/run/juju/machine-agent.zksession >> /tmp/juju-machine-agent.output 2>&1 |
481 | + EOF |
482 | + - /sbin/start juju-machine-agent |
483 | ssh_authorized_keys: [chubb] |
484 | |
485 | === modified file 'juju/providers/common/tests/data/cloud_init_distro' |
486 | --- juju/providers/common/tests/data/cloud_init_distro 2012-08-23 16:14:42 +0000 |
487 | +++ juju/providers/common/tests/data/cloud_init_distro 2012-09-21 23:19:20 +0000 |
488 | @@ -6,31 +6,34 @@ |
489 | output: {all: '| tee -a /var/log/cloud-init-output.log'} |
490 | packages: [bzr, byobu, tmux, python-setuptools, python-twisted, python-txaws, python-zookeeper, |
491 | juju] |
492 | -runcmd: [sudo mkdir -p /var/lib/juju, sudo mkdir -p /var/log/juju, 'cat >> /etc/init/juju-machine-agent.conf |
493 | - <<EOF |
494 | - |
495 | - description "Juju machine agent" |
496 | - |
497 | - author "Juju Team <juju@lists.ubuntu.com>" |
498 | - |
499 | - |
500 | - start on runlevel [2345] |
501 | - |
502 | - stop on runlevel [!2345] |
503 | - |
504 | - respawn |
505 | - |
506 | - |
507 | - env JUJU_MACHINE_ID="passport" |
508 | - |
509 | - env JUJU_ZOOKEEPER="cotswold:2181,longleat:2181" |
510 | - |
511 | - |
512 | - exec python -m juju.agents.machine --nodaemon --logfile /var/log/juju/machine-agent.log |
513 | - --session-file /var/run/juju/machine-agent.zksession >> /tmp/juju-machine-agent.output |
514 | - 2>&1 |
515 | - |
516 | - EOF |
517 | - |
518 | - ', /sbin/start juju-machine-agent] |
519 | +runcmd: |
520 | + - sudo mkdir -p /var/lib/juju |
521 | + - sudo mkdir -p /var/log/juju |
522 | + - | |
523 | + cat >> /etc/init/juju-machine-agent.conf <<EOF |
524 | + description "Juju machine agent" |
525 | + author "Juju Team <juju@lists.ubuntu.com>" |
526 | + |
527 | + start on runlevel [2345] |
528 | + stop on runlevel [!2345] |
529 | + respawn |
530 | + |
531 | + env JUJU_MACHINE_ID="passport" |
532 | + env JUJU_ZOOKEEPER="cotswold:2181,longleat:2181" |
533 | + |
534 | + pre-start script |
535 | + # Protects ZooKeeper from access by non-root users. |
536 | + if iptables -C OUTPUT -p tcp --dport 2181 -j juju-protect-zookeepers ; then |
537 | + iptables -D OUTPUT -p tcp --dport 2181 -j juju-protect-zookeepers |
538 | + fi |
539 | + iptables -F juju-protect-zookeepers && iptables -X juju-protect-zookeepers || : |
540 | + iptables -N juju-protect-zookeepers |
541 | + iptables -I OUTPUT -p tcp --dport 2181 -j juju-protect-zookeepers |
542 | + iptables -A juju-protect-zookeepers -d cotswold -m owner \! --uid-owner 0 -j DROP |
543 | + iptables -A juju-protect-zookeepers -d longleat -m owner \! --uid-owner 0 -j DROP |
544 | + end script |
545 | + |
546 | + exec python -m juju.agents.machine --nodaemon --logfile /var/log/juju/machine-agent.log --session-file /var/run/juju/machine-agent.zksession >> /tmp/juju-machine-agent.output 2>&1 |
547 | + EOF |
548 | + - /sbin/start juju-machine-agent |
549 | ssh_authorized_keys: [chubb] |
550 | |
551 | === modified file 'juju/providers/common/tests/data/cloud_init_ppa' |
552 | --- juju/providers/common/tests/data/cloud_init_ppa 2012-08-23 16:14:42 +0000 |
553 | +++ juju/providers/common/tests/data/cloud_init_ppa 2012-09-21 23:19:20 +0000 |
554 | @@ -8,31 +8,34 @@ |
555 | output: {all: '| tee -a /var/log/cloud-init-output.log'} |
556 | packages: [bzr, byobu, tmux, python-setuptools, python-twisted, python-txaws, python-zookeeper, |
557 | juju] |
558 | -runcmd: [sudo mkdir -p /var/lib/juju, sudo mkdir -p /var/log/juju, 'cat >> /etc/init/juju-machine-agent.conf |
559 | - <<EOF |
560 | - |
561 | - description "Juju machine agent" |
562 | - |
563 | - author "Juju Team <juju@lists.ubuntu.com>" |
564 | - |
565 | - |
566 | - start on runlevel [2345] |
567 | - |
568 | - stop on runlevel [!2345] |
569 | - |
570 | - respawn |
571 | - |
572 | - |
573 | - env JUJU_MACHINE_ID="passport" |
574 | - |
575 | - env JUJU_ZOOKEEPER="cotswold:2181,longleat:2181" |
576 | - |
577 | - |
578 | - exec python -m juju.agents.machine --nodaemon --logfile /var/log/juju/machine-agent.log |
579 | - --session-file /var/run/juju/machine-agent.zksession >> /tmp/juju-machine-agent.output |
580 | - 2>&1 |
581 | - |
582 | - EOF |
583 | - |
584 | - ', /sbin/start juju-machine-agent] |
585 | +runcmd: |
586 | + - sudo mkdir -p /var/lib/juju |
587 | + - sudo mkdir -p /var/log/juju |
588 | + - | |
589 | + cat >> /etc/init/juju-machine-agent.conf <<EOF |
590 | + description "Juju machine agent" |
591 | + author "Juju Team <juju@lists.ubuntu.com>" |
592 | + |
593 | + start on runlevel [2345] |
594 | + stop on runlevel [!2345] |
595 | + respawn |
596 | + |
597 | + env JUJU_MACHINE_ID="passport" |
598 | + env JUJU_ZOOKEEPER="cotswold:2181,longleat:2181" |
599 | + |
600 | + pre-start script |
601 | + # Protects ZooKeeper from access by non-root users. |
602 | + if iptables -C OUTPUT -p tcp --dport 2181 -j juju-protect-zookeepers ; then |
603 | + iptables -D OUTPUT -p tcp --dport 2181 -j juju-protect-zookeepers |
604 | + fi |
605 | + iptables -F juju-protect-zookeepers && iptables -X juju-protect-zookeepers || : |
606 | + iptables -N juju-protect-zookeepers |
607 | + iptables -I OUTPUT -p tcp --dport 2181 -j juju-protect-zookeepers |
608 | + iptables -A juju-protect-zookeepers -d cotswold -m owner \! --uid-owner 0 -j DROP |
609 | + iptables -A juju-protect-zookeepers -d longleat -m owner \! --uid-owner 0 -j DROP |
610 | + end script |
611 | + |
612 | + exec python -m juju.agents.machine --nodaemon --logfile /var/log/juju/machine-agent.log --session-file /var/run/juju/machine-agent.zksession >> /tmp/juju-machine-agent.output 2>&1 |
613 | + EOF |
614 | + - /sbin/start juju-machine-agent |
615 | ssh_authorized_keys: [chubb] |
616 | |
617 | === modified file 'juju/providers/common/tests/data/cloud_init_proposed' |
618 | --- juju/providers/common/tests/data/cloud_init_proposed 2012-08-23 16:14:42 +0000 |
619 | +++ juju/providers/common/tests/data/cloud_init_proposed 2012-09-21 23:19:20 +0000 |
620 | @@ -7,31 +7,34 @@ |
621 | machine-id: passport} |
622 | output: {all: '| tee -a /var/log/cloud-init-output.log'} |
623 | packages: [bzr, byobu, tmux, python-setuptools, python-twisted, python-txaws, python-zookeeper, juju] |
624 | -runcmd: [sudo mkdir -p /var/lib/juju, sudo mkdir -p |
625 | - /var/log/juju, 'cat >> /etc/init/juju-machine-agent.conf <<EOF |
626 | - |
627 | - description "Juju machine agent" |
628 | - |
629 | - author "Juju Team <juju@lists.ubuntu.com>" |
630 | - |
631 | - |
632 | - start on runlevel [2345] |
633 | - |
634 | - stop on runlevel [!2345] |
635 | - |
636 | - respawn |
637 | - |
638 | - |
639 | - env JUJU_MACHINE_ID="passport" |
640 | - |
641 | - env JUJU_ZOOKEEPER="cotswold:2181,longleat:2181" |
642 | - |
643 | - |
644 | - exec python -m juju.agents.machine --nodaemon --logfile /var/log/juju/machine-agent.log |
645 | - --session-file /var/run/juju/machine-agent.zksession >> /tmp/juju-machine-agent.output |
646 | - 2>&1 |
647 | - |
648 | - EOF |
649 | - |
650 | - ', /sbin/start juju-machine-agent] |
651 | +runcmd: |
652 | + - sudo mkdir -p /var/lib/juju |
653 | + - sudo mkdir -p /var/log/juju |
654 | + - | |
655 | + cat >> /etc/init/juju-machine-agent.conf <<EOF |
656 | + description "Juju machine agent" |
657 | + author "Juju Team <juju@lists.ubuntu.com>" |
658 | + |
659 | + start on runlevel [2345] |
660 | + stop on runlevel [!2345] |
661 | + respawn |
662 | + |
663 | + env JUJU_MACHINE_ID="passport" |
664 | + env JUJU_ZOOKEEPER="cotswold:2181,longleat:2181" |
665 | + |
666 | + pre-start script |
667 | + # Protects ZooKeeper from access by non-root users. |
668 | + if iptables -C OUTPUT -p tcp --dport 2181 -j juju-protect-zookeepers ; then |
669 | + iptables -D OUTPUT -p tcp --dport 2181 -j juju-protect-zookeepers |
670 | + fi |
671 | + iptables -F juju-protect-zookeepers && iptables -X juju-protect-zookeepers || : |
672 | + iptables -N juju-protect-zookeepers |
673 | + iptables -I OUTPUT -p tcp --dport 2181 -j juju-protect-zookeepers |
674 | + iptables -A juju-protect-zookeepers -d cotswold -m owner \! --uid-owner 0 -j DROP |
675 | + iptables -A juju-protect-zookeepers -d longleat -m owner \! --uid-owner 0 -j DROP |
676 | + end script |
677 | + |
678 | + exec python -m juju.agents.machine --nodaemon --logfile /var/log/juju/machine-agent.log --session-file /var/run/juju/machine-agent.zksession >> /tmp/juju-machine-agent.output 2>&1 |
679 | + EOF |
680 | + - /sbin/start juju-machine-agent |
681 | ssh_authorized_keys: [chubb] |
682 | |
683 | === modified file 'juju/providers/ec2/tests/data/bootstrap_cloud_init' |
684 | --- juju/providers/ec2/tests/data/bootstrap_cloud_init 2012-08-23 16:14:42 +0000 |
685 | +++ juju/providers/ec2/tests/data/bootstrap_cloud_init 2012-09-21 23:19:20 +0000 |
686 | @@ -5,57 +5,37 @@ |
687 | output: {all: '| tee -a /var/log/cloud-init-output.log'} |
688 | packages: [bzr, byobu, tmux, python-setuptools, python-twisted, python-txaws, python-zookeeper, |
689 | default-jre-headless, zookeeper, zookeeperd, juju] |
690 | -runcmd: [sudo mkdir -p /var/lib/juju, sudo mkdir -p /var/log/juju, 'juju-admin initialize |
691 | - --instance-id=$(curl http://169.254.169.254/1.0/meta-data/instance-id) --admin-identity=admin:JbJ6sDGV37EHzbG9FPvttk64cmg= |
692 | - --constraints-data=e2NwdTogbnVsbCwgaW5zdGFuY2UtdHlwZTogbTEuc21hbGwsIG1lbTogbnVsbCwgcHJvdmlkZXItdHlwZTogZWMyLCB1YnVudHUtc2VyaWVzOiBzcGxlbmRpZH0K |
693 | - --provider-type=ec2', 'cat >> /etc/init/juju-machine-agent.conf <<EOF |
694 | - |
695 | - description "Juju machine agent" |
696 | - |
697 | - author "Juju Team <juju@lists.ubuntu.com>" |
698 | - |
699 | - |
700 | - start on runlevel [2345] |
701 | - |
702 | - stop on runlevel [!2345] |
703 | - |
704 | - respawn |
705 | - |
706 | - |
707 | - env JUJU_MACHINE_ID="0" |
708 | - |
709 | - env JUJU_ZOOKEEPER="localhost:2181" |
710 | - |
711 | - |
712 | - exec python -m juju.agents.machine --nodaemon --logfile /var/log/juju/machine-agent.log |
713 | - --session-file /var/run/juju/machine-agent.zksession >> /tmp/juju-machine-agent.output |
714 | - 2>&1 |
715 | - |
716 | - EOF |
717 | - |
718 | - ', /sbin/start juju-machine-agent, 'cat >> /etc/init/juju-provision-agent.conf |
719 | - <<EOF |
720 | - |
721 | - description "Juju provisioning agent" |
722 | - |
723 | - author "Juju Team <juju@lists.ubuntu.com>" |
724 | - |
725 | - |
726 | - start on runlevel [2345] |
727 | - |
728 | - stop on runlevel [!2345] |
729 | - |
730 | - respawn |
731 | - |
732 | - |
733 | - env JUJU_ZOOKEEPER="localhost:2181" |
734 | - |
735 | - |
736 | - exec python -m juju.agents.provision --nodaemon --logfile /var/log/juju/provision-agent.log |
737 | - --session-file /var/run/juju/provision-agent.zksession >> /tmp/juju-provision-agent.output |
738 | - 2>&1 |
739 | - |
740 | - EOF |
741 | - |
742 | - ', /sbin/start juju-provision-agent] |
743 | +runcmd: |
744 | + - sudo mkdir -p /var/lib/juju |
745 | + - sudo mkdir -p /var/log/juju |
746 | + - juju-admin initialize --instance-id=$(curl http://169.254.169.254/1.0/meta-data/instance-id) --admin-identity=admin:JbJ6sDGV37EHzbG9FPvttk64cmg= --constraints-data=e2NwdTogbnVsbCwgaW5zdGFuY2UtdHlwZTogbTEuc21hbGwsIG1lbTogbnVsbCwgcHJvdmlkZXItdHlwZTogZWMyLCB1YnVudHUtc2VyaWVzOiBzcGxlbmRpZH0K --provider-type=ec2 |
747 | + - | |
748 | + cat >> /etc/init/juju-machine-agent.conf <<EOF |
749 | + description "Juju machine agent" |
750 | + author "Juju Team <juju@lists.ubuntu.com>" |
751 | + |
752 | + start on runlevel [2345] |
753 | + stop on runlevel [!2345] |
754 | + respawn |
755 | + |
756 | + env JUJU_MACHINE_ID="0" |
757 | + env JUJU_ZOOKEEPER="localhost:2181" |
758 | + |
759 | + exec python -m juju.agents.machine --nodaemon --logfile /var/log/juju/machine-agent.log --session-file /var/run/juju/machine-agent.zksession >> /tmp/juju-machine-agent.output 2>&1 |
760 | + EOF |
761 | + - /sbin/start juju-machine-agent |
762 | + - | |
763 | + cat >> /etc/init/juju-provision-agent.conf <<EOF |
764 | + description "Juju provisioning agent" |
765 | + author "Juju Team <juju@lists.ubuntu.com>" |
766 | + |
767 | + start on runlevel [2345] |
768 | + stop on runlevel [!2345] |
769 | + respawn |
770 | + |
771 | + env JUJU_ZOOKEEPER="localhost:2181" |
772 | + |
773 | + exec python -m juju.agents.provision --nodaemon --logfile /var/log/juju/provision-agent.log --session-file /var/run/juju/provision-agent.zksession >> /tmp/juju-provision-agent.output 2>&1 |
774 | + EOF |
775 | + - /sbin/start juju-provision-agent |
776 | ssh_authorized_keys: [zebra] |
777 | |
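Review bot: The regenerated juju-machine-agent.conf for the bootstrap node goes straight from `env JUJU_ZOOKEEPER="localhost:2181"` to `exec` with no `pre-start script` block, and the provisioning agent job is the same. This is the machine whose package list installs `zookeeper` and `zookeeperd`, so non-root users on it can still connect to port 2181 over loopback. If skipping localhost is deliberate, say so in a comment in cloudinit.py and in the merge description; otherwise add an owner-match rule for the local address and a fixture that shows it.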
778 | === modified file 'juju/providers/ec2/tests/data/launch_cloud_init' |
779 | --- juju/providers/ec2/tests/data/launch_cloud_init 2012-08-23 16:14:42 +0000 |
780 | +++ juju/providers/ec2/tests/data/launch_cloud_init 2012-09-21 23:19:20 +0000 |
781 | @@ -5,31 +5,33 @@ |
782 | machine-id: '1'} |
783 | output: {all: '| tee -a /var/log/cloud-init-output.log'} |
784 | packages: [bzr, byobu, tmux, python-setuptools, python-twisted, python-txaws, python-zookeeper, juju] |
785 | -runcmd: [sudo mkdir -p /var/lib/juju, sudo mkdir -p |
786 | - /var/log/juju, 'cat >> /etc/init/juju-machine-agent.conf <<EOF |
787 | - |
788 | - description "Juju machine agent" |
789 | - |
790 | - author "Juju Team <juju@lists.ubuntu.com>" |
791 | - |
792 | - |
793 | - start on runlevel [2345] |
794 | - |
795 | - stop on runlevel [!2345] |
796 | - |
797 | - respawn |
798 | - |
799 | - |
800 | - env JUJU_MACHINE_ID="1" |
801 | - |
802 | - env JUJU_ZOOKEEPER="es.example.internal:2181" |
803 | - |
804 | - |
805 | - exec python -m juju.agents.machine --nodaemon --logfile /var/log/juju/machine-agent.log |
806 | - --session-file /var/run/juju/machine-agent.zksession >> /tmp/juju-machine-agent.output |
807 | - 2>&1 |
808 | - |
809 | - EOF |
810 | - |
811 | - ', /sbin/start juju-machine-agent] |
812 | +runcmd: |
813 | + - sudo mkdir -p /var/lib/juju |
814 | + - sudo mkdir -p /var/log/juju |
815 | + - | |
816 | + cat >> /etc/init/juju-machine-agent.conf <<EOF |
817 | + description "Juju machine agent" |
818 | + author "Juju Team <juju@lists.ubuntu.com>" |
819 | + |
820 | + start on runlevel [2345] |
821 | + stop on runlevel [!2345] |
822 | + respawn |
823 | + |
824 | + env JUJU_MACHINE_ID="1" |
825 | + env JUJU_ZOOKEEPER="es.example.internal:2181" |
826 | + |
827 | + pre-start script |
828 | + # Protects ZooKeeper from access by non-root users. |
829 | + if iptables -C OUTPUT -p tcp --dport 2181 -j juju-protect-zookeepers ; then |
830 | + iptables -D OUTPUT -p tcp --dport 2181 -j juju-protect-zookeepers |
831 | + fi |
832 | + iptables -F juju-protect-zookeepers && iptables -X juju-protect-zookeepers || : |
833 | + iptables -N juju-protect-zookeepers |
834 | + iptables -I OUTPUT -p tcp --dport 2181 -j juju-protect-zookeepers |
835 | + iptables -A juju-protect-zookeepers -d es.example.internal -m owner \! --uid-owner 0 -j DROP |
836 | + end script |
837 | + |
838 | + exec python -m juju.agents.machine --nodaemon --logfile /var/log/juju/machine-agent.log --session-file /var/run/juju/machine-agent.zksession >> /tmp/juju-machine-agent.output 2>&1 |
839 | + EOF |
840 | + - /sbin/start juju-machine-agent |
841 | ssh_authorized_keys: [zebra] |
842 | |
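Review bot: `--dport 2181` in the `-C`, `-D` and `-I OUTPUT` lines is a literal, while the server string in `JUJU_ZOOKEEPER="es.example.internal:2181"` carries its own port. Every fixture in this diff uses 2181, so nothing here shows whether the generator takes the port from the server string. If it is hard-coded, a ZooKeeper listening on another port would be left unfiltered without any error. Please derive the port per server and add a fixture with a non-default port.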
843 | === modified file 'juju/providers/ec2/tests/data/launch_cloud_init_branch' |
844 | --- juju/providers/ec2/tests/data/launch_cloud_init_branch 2012-08-23 16:14:42 +0000 |
845 | +++ juju/providers/ec2/tests/data/launch_cloud_init_branch 2012-09-21 23:19:20 +0000 |
846 | @@ -7,33 +7,37 @@ |
847 | machine-id: '1'} |
848 | output: {all: '| tee -a /var/log/cloud-init-output.log'} |
849 | packages: [bzr, byobu, tmux, python-setuptools, python-twisted, python-txaws, python-zookeeper] |
850 | -runcmd: [sudo apt-get install -y python-txzookeeper, sudo mkdir -p /usr/lib/juju, |
851 | - 'cd /usr/lib/juju && sudo /usr/bin/bzr co lp:~wizard/juju-juicebar juju', cd /usr/lib/juju/juju |
852 | - && sudo python setup.py develop, sudo mkdir -p /var/lib/juju, sudo mkdir -p /var/log/juju, |
853 | - 'cat >> /etc/init/juju-machine-agent.conf <<EOF |
854 | - |
855 | - description "Juju machine agent" |
856 | - |
857 | - author "Juju Team <juju@lists.ubuntu.com>" |
858 | - |
859 | - |
860 | - start on runlevel [2345] |
861 | - |
862 | - stop on runlevel [!2345] |
863 | - |
864 | - respawn |
865 | - |
866 | - |
867 | - env JUJU_MACHINE_ID="1" |
868 | - |
869 | - env JUJU_ZOOKEEPER="es.example.internal:2181" |
870 | - |
871 | - |
872 | - exec python -m juju.agents.machine --nodaemon --logfile /var/log/juju/machine-agent.log |
873 | - --session-file /var/run/juju/machine-agent.zksession >> /tmp/juju-machine-agent.output |
874 | - 2>&1 |
875 | - |
876 | - EOF |
877 | - |
878 | - ', /sbin/start juju-machine-agent] |
879 | +runcmd: |
880 | + - sudo apt-get install -y python-txzookeeper |
881 | + - sudo mkdir -p /usr/lib/juju |
882 | + - cd /usr/lib/juju && sudo /usr/bin/bzr co lp:~wizard/juju-juicebar juju |
883 | + - cd /usr/lib/juju/juju && sudo python setup.py develop |
884 | + - sudo mkdir -p /var/lib/juju |
885 | + - sudo mkdir -p /var/log/juju |
886 | + - | |
887 | + cat >> /etc/init/juju-machine-agent.conf <<EOF |
888 | + description "Juju machine agent" |
889 | + author "Juju Team <juju@lists.ubuntu.com>" |
890 | + |
891 | + start on runlevel [2345] |
892 | + stop on runlevel [!2345] |
893 | + respawn |
894 | + |
895 | + env JUJU_MACHINE_ID="1" |
896 | + env JUJU_ZOOKEEPER="es.example.internal:2181" |
897 | + |
898 | + pre-start script |
899 | + # Protects ZooKeeper from access by non-root users. |
900 | + if iptables -C OUTPUT -p tcp --dport 2181 -j juju-protect-zookeepers ; then |
901 | + iptables -D OUTPUT -p tcp --dport 2181 -j juju-protect-zookeepers |
902 | + fi |
903 | + iptables -F juju-protect-zookeepers && iptables -X juju-protect-zookeepers || : |
904 | + iptables -N juju-protect-zookeepers |
905 | + iptables -I OUTPUT -p tcp --dport 2181 -j juju-protect-zookeepers |
906 | + iptables -A juju-protect-zookeepers -d es.example.internal -m owner \! --uid-owner 0 -j DROP |
907 | + end script |
908 | + |
909 | + exec python -m juju.agents.machine --nodaemon --logfile /var/log/juju/machine-agent.log --session-file /var/run/juju/machine-agent.zksession >> /tmp/juju-machine-agent.output 2>&1 |
910 | + EOF |
911 | + - /sbin/start juju-machine-agent |
912 | ssh_authorized_keys: [zebra] |
913 | |
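Review bot: The pre-start sequence removes the OUTPUT jump and flushes and deletes the chain before rebuilding it, so on every agent start (and this job has `respawn`) there is an interval between `iptables -D OUTPUT ...` and the final `iptables -A ... -j DROP` in which non-root connections to es.example.internal:2181 are not blocked. Leaving an existing jump in place and only refilling the chain would shrink that window. Note also that `|| :` hides a failed `iptables -X`, after which `iptables -N` fails because the chain is still present and the pre-start aborts with a misleading error.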
914 | === modified file 'juju/providers/ec2/tests/data/launch_cloud_init_ppa' |
915 | --- juju/providers/ec2/tests/data/launch_cloud_init_ppa 2012-08-23 16:14:42 +0000 |
916 | +++ juju/providers/ec2/tests/data/launch_cloud_init_ppa 2012-09-21 23:19:20 +0000 |
917 | @@ -7,31 +7,33 @@ |
918 | machine-id: '1'} |
919 | output: {all: '| tee -a /var/log/cloud-init-output.log'} |
920 | packages: [bzr, byobu, tmux, python-setuptools, python-twisted, python-txaws, python-zookeeper, juju] |
921 | -runcmd: [sudo mkdir -p /var/lib/juju, sudo mkdir -p |
922 | - /var/log/juju, 'cat >> /etc/init/juju-machine-agent.conf <<EOF |
923 | - |
924 | - description "Juju machine agent" |
925 | - |
926 | - author "Juju Team <juju@lists.ubuntu.com>" |
927 | - |
928 | - |
929 | - start on runlevel [2345] |
930 | - |
931 | - stop on runlevel [!2345] |
932 | - |
933 | - respawn |
934 | - |
935 | - |
936 | - env JUJU_MACHINE_ID="1" |
937 | - |
938 | - env JUJU_ZOOKEEPER="es.example.internal:2181" |
939 | - |
940 | - |
941 | - exec python -m juju.agents.machine --nodaemon --logfile /var/log/juju/machine-agent.log |
942 | - --session-file /var/run/juju/machine-agent.zksession >> /tmp/juju-machine-agent.output |
943 | - 2>&1 |
944 | - |
945 | - EOF |
946 | - |
947 | - ', /sbin/start juju-machine-agent] |
948 | +runcmd: |
949 | + - sudo mkdir -p /var/lib/juju |
950 | + - sudo mkdir -p /var/log/juju |
951 | + - | |
952 | + cat >> /etc/init/juju-machine-agent.conf <<EOF |
953 | + description "Juju machine agent" |
954 | + author "Juju Team <juju@lists.ubuntu.com>" |
955 | + |
956 | + start on runlevel [2345] |
957 | + stop on runlevel [!2345] |
958 | + respawn |
959 | + |
960 | + env JUJU_MACHINE_ID="1" |
961 | + env JUJU_ZOOKEEPER="es.example.internal:2181" |
962 | + |
963 | + pre-start script |
964 | + # Protects ZooKeeper from access by non-root users. |
965 | + if iptables -C OUTPUT -p tcp --dport 2181 -j juju-protect-zookeepers ; then |
966 | + iptables -D OUTPUT -p tcp --dport 2181 -j juju-protect-zookeepers |
967 | + fi |
968 | + iptables -F juju-protect-zookeepers && iptables -X juju-protect-zookeepers || : |
969 | + iptables -N juju-protect-zookeepers |
970 | + iptables -I OUTPUT -p tcp --dport 2181 -j juju-protect-zookeepers |
971 | + iptables -A juju-protect-zookeepers -d es.example.internal -m owner \! --uid-owner 0 -j DROP |
972 | + end script |
973 | + |
974 | + exec python -m juju.agents.machine --nodaemon --logfile /var/log/juju/machine-agent.log --session-file /var/run/juju/machine-agent.zksession >> /tmp/juju-machine-agent.output 2>&1 |
975 | + EOF |
976 | + - /sbin/start juju-machine-agent |
977 | ssh_authorized_keys: [zebra] |
978 | |
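Review bot: The only action in juju-protect-zookeepers is `-j DROP`, so a blocked non-root process hangs until its connect times out and nothing is recorded. `-j REJECT --reject-with tcp-reset` would fail the connection immediately, and a rate-limited `-j LOG` rule ahead of it would give operators a signal that something on the machine is trying to reach ZooKeeper directly. If DROP is the intended behaviour, a short comment in the generated script saying why would help.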
979 | === modified file 'juju/providers/orchestra/launch.py' |
980 | --- juju/providers/orchestra/launch.py 2012-04-12 01:01:57 +0000 |
981 | +++ juju/providers/orchestra/launch.py 2012-09-21 23:19:20 +0000 |
982 | @@ -46,7 +46,7 @@ |
983 | info = yield cobbler.start_system( |
984 | instance_id, machine_id, series, cloud_init.render()) |
985 | returnValue([machine_from_dict(info)]) |
986 | - except Exception: |
987 | + except Exception, e: |
988 | log.exception( |
989 | "Failed to launch machine %s; attempting to revert.", |
990 | instance_id) |
991 | |
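Review bot: `except Exception, e:` binds `e`, but nothing in the visible context uses it, and `log.exception(...)` already records the active exception. This looks like leftover debugging unrelated to the ZooKeeper protection, so either drop the hunk or show where `e` is used.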
992 | === modified file 'juju/providers/orchestra/tests/data/bootstrap_user_data' |
993 | --- juju/providers/orchestra/tests/data/bootstrap_user_data 2012-08-23 16:14:42 +0000 |
994 | +++ juju/providers/orchestra/tests/data/bootstrap_user_data 2012-09-21 23:19:20 +0000 |
995 | @@ -5,57 +5,37 @@ |
996 | output: {all: '| tee -a /var/log/cloud-init-output.log'} |
997 | packages: [bzr, byobu, tmux, python-setuptools, python-twisted, python-txaws, python-zookeeper, |
998 | default-jre-headless, zookeeper, zookeeperd, juju] |
999 | -runcmd: [sudo mkdir -p /var/lib/juju, sudo mkdir -p /var/log/juju, 'juju-admin initialize |
1000 | - --instance-id=winston-uid --admin-identity=admin:qRBXC1ubEEUqRL6wcBhgmc9xkaY= |
1001 | - --constraints-data=e29yY2hlc3RyYS1jbGFzc2VzOiAnZm9vLGJhcicsIHByb3ZpZGVyLXR5cGU6IG9yY2hlc3RyYSwgdWJ1bnR1LXNlcmllczogYml6YXJyZX0K |
1002 | - --provider-type=orchestra', 'cat >> /etc/init/juju-machine-agent.conf <<EOF |
1003 | - |
1004 | - description "Juju machine agent" |
1005 | - |
1006 | - author "Juju Team <juju@lists.ubuntu.com>" |
1007 | - |
1008 | - |
1009 | - start on runlevel [2345] |
1010 | - |
1011 | - stop on runlevel [!2345] |
1012 | - |
1013 | - respawn |
1014 | - |
1015 | - |
1016 | - env JUJU_MACHINE_ID="0" |
1017 | - |
1018 | - env JUJU_ZOOKEEPER="localhost:2181" |
1019 | - |
1020 | - |
1021 | - exec python -m juju.agents.machine --nodaemon --logfile /var/log/juju/machine-agent.log |
1022 | - --session-file /var/run/juju/machine-agent.zksession >> /tmp/juju-machine-agent.output |
1023 | - 2>&1 |
1024 | - |
1025 | - EOF |
1026 | - |
1027 | - ', /sbin/start juju-machine-agent, 'cat >> /etc/init/juju-provision-agent.conf |
1028 | - <<EOF |
1029 | - |
1030 | - description "Juju provisioning agent" |
1031 | - |
1032 | - author "Juju Team <juju@lists.ubuntu.com>" |
1033 | - |
1034 | - |
1035 | - start on runlevel [2345] |
1036 | - |
1037 | - stop on runlevel [!2345] |
1038 | - |
1039 | - respawn |
1040 | - |
1041 | - |
1042 | - env JUJU_ZOOKEEPER="localhost:2181" |
1043 | - |
1044 | - |
1045 | - exec python -m juju.agents.provision --nodaemon --logfile /var/log/juju/provision-agent.log |
1046 | - --session-file /var/run/juju/provision-agent.zksession >> /tmp/juju-provision-agent.output |
1047 | - 2>&1 |
1048 | - |
1049 | - EOF |
1050 | - |
1051 | - ', /sbin/start juju-provision-agent] |
1052 | +runcmd: |
1053 | + - sudo mkdir -p /var/lib/juju |
1054 | + - sudo mkdir -p /var/log/juju |
1055 | + - juju-admin initialize --instance-id=winston-uid --admin-identity=admin:qRBXC1ubEEUqRL6wcBhgmc9xkaY= --constraints-data=e29yY2hlc3RyYS1jbGFzc2VzOiAnZm9vLGJhcicsIHByb3ZpZGVyLXR5cGU6IG9yY2hlc3RyYSwgdWJ1bnR1LXNlcmllczogYml6YXJyZX0K --provider-type=orchestra |
1056 | + - | |
1057 | + cat >> /etc/init/juju-machine-agent.conf <<EOF |
1058 | + description "Juju machine agent" |
1059 | + author "Juju Team <juju@lists.ubuntu.com>" |
1060 | + |
1061 | + start on runlevel [2345] |
1062 | + stop on runlevel [!2345] |
1063 | + respawn |
1064 | + |
1065 | + env JUJU_MACHINE_ID="0" |
1066 | + env JUJU_ZOOKEEPER="localhost:2181" |
1067 | + |
1068 | + exec python -m juju.agents.machine --nodaemon --logfile /var/log/juju/machine-agent.log --session-file /var/run/juju/machine-agent.zksession >> /tmp/juju-machine-agent.output 2>&1 |
1069 | + EOF |
1070 | + - /sbin/start juju-machine-agent |
1071 | + - | |
1072 | + cat >> /etc/init/juju-provision-agent.conf <<EOF |
1073 | + description "Juju provisioning agent" |
1074 | + author "Juju Team <juju@lists.ubuntu.com>" |
1075 | + |
1076 | + start on runlevel [2345] |
1077 | + stop on runlevel [!2345] |
1078 | + respawn |
1079 | + |
1080 | + env JUJU_ZOOKEEPER="localhost:2181" |
1081 | + |
1082 | + exec python -m juju.agents.provision --nodaemon --logfile /var/log/juju/provision-agent.log --session-file /var/run/juju/provision-agent.zksession >> /tmp/juju-provision-agent.output 2>&1 |
1083 | + EOF |
1084 | + - /sbin/start juju-provision-agent |
1085 | ssh_authorized_keys: [this-is-a-public-key] |
1086 | |
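Review bot: Both `exec` lines append agent output to fixed names under /tmp (`>> /tmp/juju-machine-agent.output` and `>> /tmp/juju-provision-agent.output`). These are system jobs in /etc/init, so the redirect is performed as root, and the concern this branch addresses is non-root users on the same machine; a world-writable directory with a predictable file name is a poor target for a root append in that model. Since these lines are being rewritten anyway, point the redirect at /var/log/juju, which the runcmd already creates.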
1087 | === modified file 'juju/providers/orchestra/tests/data/launch_user_data' |
1088 | --- juju/providers/orchestra/tests/data/launch_user_data 2012-08-23 16:14:42 +0000 |
1089 | +++ juju/providers/orchestra/tests/data/launch_user_data 2012-09-21 23:19:20 +0000 |
1090 | @@ -4,31 +4,33 @@ |
1091 | machine-id: '42'} |
1092 | output: {all: '| tee -a /var/log/cloud-init-output.log'} |
1093 | packages: [bzr, byobu, tmux, python-setuptools, python-twisted, python-txaws, python-zookeeper, juju] |
1094 | -runcmd: [sudo mkdir -p /var/lib/juju, sudo mkdir -p |
1095 | - /var/log/juju, 'cat >> /etc/init/juju-machine-agent.conf <<EOF |
1096 | - |
1097 | - description "Juju machine agent" |
1098 | - |
1099 | - author "Juju Team <juju@lists.ubuntu.com>" |
1100 | - |
1101 | - |
1102 | - start on runlevel [2345] |
1103 | - |
1104 | - stop on runlevel [!2345] |
1105 | - |
1106 | - respawn |
1107 | - |
1108 | - |
1109 | - env JUJU_MACHINE_ID="42" |
1110 | - |
1111 | - env JUJU_ZOOKEEPER="jennifer:2181" |
1112 | - |
1113 | - |
1114 | - exec python -m juju.agents.machine --nodaemon --logfile /var/log/juju/machine-agent.log |
1115 | - --session-file /var/run/juju/machine-agent.zksession >> /tmp/juju-machine-agent.output |
1116 | - 2>&1 |
1117 | - |
1118 | - EOF |
1119 | - |
1120 | - ', /sbin/start juju-machine-agent] |
1121 | +runcmd: |
1122 | + - sudo mkdir -p /var/lib/juju |
1123 | + - sudo mkdir -p /var/log/juju |
1124 | + - | |
1125 | + cat >> /etc/init/juju-machine-agent.conf <<EOF |
1126 | + description "Juju machine agent" |
1127 | + author "Juju Team <juju@lists.ubuntu.com>" |
1128 | + |
1129 | + start on runlevel [2345] |
1130 | + stop on runlevel [!2345] |
1131 | + respawn |
1132 | + |
1133 | + env JUJU_MACHINE_ID="42" |
1134 | + env JUJU_ZOOKEEPER="jennifer:2181" |
1135 | + |
1136 | + pre-start script |
1137 | + # Protects ZooKeeper from access by non-root users. |
1138 | + if iptables -C OUTPUT -p tcp --dport 2181 -j juju-protect-zookeepers ; then |
1139 | + iptables -D OUTPUT -p tcp --dport 2181 -j juju-protect-zookeepers |
1140 | + fi |
1141 | + iptables -F juju-protect-zookeepers && iptables -X juju-protect-zookeepers || : |
1142 | + iptables -N juju-protect-zookeepers |
1143 | + iptables -I OUTPUT -p tcp --dport 2181 -j juju-protect-zookeepers |
1144 | + iptables -A juju-protect-zookeepers -d jennifer -m owner \! --uid-owner 0 -j DROP |
1145 | + end script |
1146 | + |
1147 | + exec python -m juju.agents.machine --nodaemon --logfile /var/log/juju/machine-agent.log --session-file /var/run/juju/machine-agent.zksession >> /tmp/juju-machine-agent.output 2>&1 |
1148 | + EOF |
1149 | + - /sbin/start juju-machine-agent |
1150 | ssh_authorized_keys: [this-is-a-public-key] |
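Review bot: The rule `iptables -A juju-protect-zookeepers -d jennifer ...` only filters IPv4, and nothing in the pre-start block touches ip6tables. If `jennifer` also has an IPv6 address and a client connects over it, the owner match never applies. Either mirror the chain with ip6tables or state in cloudinit.py that ZooKeeper is assumed to be reachable over IPv4 only.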
Reviewers: mp+125832_code.launchpad.net,
Message:
Please take a look.
Description:
protect zookeeper from non-root direct access
Adds pre-start capability to juju.lib.upstart. Also reformatted tests'
cloud-config data to be more readable.
https://code.launchpad.net/~clint-fewbar/juju/add-egress-zookeeper-protection/+merge/125832
(do not edit description out of merge proposal)
Please review this at https://codereview.appspot.com/6549051/
Affected files:
A [revision details]
A juju/lib/tests/data/test_prestart
M juju/lib/tests/test_upstart.py
M juju/lib/upstart.py
M juju/providers/common/cloudinit.py
M juju/providers/common/tests/data/cloud_init_bootstrap
M juju/providers/common/tests/data/cloud_init_bootstrap_zookeepers
M juju/providers/common/tests/data/cloud_init_branch
M juju/providers/common/tests/data/cloud_init_branch_trunk
M juju/providers/common/tests/data/cloud_init_distro
M juju/providers/common/tests/data/cloud_init_ppa
M juju/providers/common/tests/data/cloud_init_proposed
M juju/providers/ec2/tests/data/bootstrap_cloud_init
M juju/providers/ec2/tests/data/launch_cloud_init
M juju/providers/ec2/tests/data/launch_cloud_init_branch
M juju/providers/ec2/tests/data/launch_cloud_init_ppa
M juju/providers/orchestra/launch.py
M juju/providers/orchestra/tests/data/bootstrap_user_data
M juju/providers/orchestra/tests/data/launch_user_data