MAAS

Merge lp:~jtv/maas/pkg-import-as-maas into lp:~maas-maintainers/maas/packaging

  1. pkg-import-as-maas
  2. Merge into packaging
Proposed by Jeroen T. Vermeulen
Status: Merged
Approved by: Jeroen T. Vermeulen
Approved revision: no longer in the source branch.
Merged at revision: 273
Proposed branch: lp:~jtv/maas/pkg-import-as-maas
Merge into: lp:~maas-maintainers/maas/packaging
Diff against target: 23 lines (+5/-1)
2 files modified
debian/changelog (+4/-0)
debian/extras/99-maas-sudoers (+1/-1)
To merge this branch: bzr merge lp:~jtv/maas/pkg-import-as-maas
Reviewer Review Type Date Requested Status
Raphaël Badin (community) Approve
Review via email: mp+216983@code.launchpad.net

Commit message

Packaging changes: import boot resources from celery worker, as the maas user, instead of by running the script through sudo.

Description of the change

This does require two extra password-less sudo privileges for the maas user: to run tgt-admin (which manages iSCSI targets), and to run uec2roottar (which loop-mounts image files in order to extract their contents). As far as the codebase is concerned the maas user will no longer need sudo privileges to run the import script, but taking away privileges can be painful for users who may rely on them; so I kept that privilege.

Ownership of the files in /var/lib/maas/boot-resources needs to change, but a migration function in the main codebase takes care of that.

A new directory /var/lib/maas/gnupg is used for GPG state, owned by the maas user. I tried setting a full home directory for the maas user, but that didn't work: if the user already existed from a previous installation, and still had a process running, usermod refused to do the job. I figure it's hard to ensure that there won't be a maas process running (e.g. it might be a region controller on the same machine) but also, we don't really need a home directory for maas. All we really need is a place for GPG state to go.

I'm not sure I created this directory in the right way. Maybe /var/lib/maas/gnupg should simply be listed somewhere as a directory to be created on installation. Maybe it should be in maas-cluster-controller instead of maas-common. Advice welcome.

Jeroen

To post a comment you must log in.
Revision history for this message
Raphaël Badin (rvb) wrote :

[0]

18 + # Set up a "GPG home directory" for the maas user. This is where
19 + # GnuPG can store its state when verifying import boot resources.
20 + # We can't set a permanent home directory for the maas user, because
21 + # the user may already have been created by an older version of maas;
22 + # usermod won't set a home directory for a user that has processes
23 + # running, as may be the case for maas.
24 + mkdir -p /var/lib/maas/gnupg
25 + chown $user:$user /var/lib/maas/gnupg

We want to keep the post-inst scripts as minimal as possible… coulnd't this be part of the MAAS source code?

[1]

> Maybe it should be in maas-cluster-controller instead of maas-common.

If we need to keep this in the packaging, I think it should be in maas-cluster-controller indeed. AFAIK this is really something that belongs to the clusters.

[2]

You need a changelog entry for this.

review: Approve
Revision history for this message
Andres Rodriguez (andreserl) wrote :
Download full text (3.4 KiB)

Maybe it is better to have this in debian/maas-common.dirs
On Apr 24, 2014 4:05 AM, "Jeroen T. Vermeulen" <email address hidden> wrote:

> Jeroen T. Vermeulen has proposed merging lp:~jtv/maas/pkg-import-as-maas
> into lp:~maas-maintainers/maas/packaging.
>
> Commit message:
> Packaging changes: import boot resources from celery worker, as the maas
> user, instead of by running the script through sudo.
>
> Requested reviews:
> MAAS Maintainers (maas-maintainers)
>
> For more details, see:
> https://code.launchpad.net/~jtv/maas/pkg-import-as-maas/+merge/216983
>
> This does require two extra password-less sudo privileges for the maas
> user: to run tgt-admin (which manages iSCSI targets), and to run
> uec2roottar (which loop-mounts image files in order to extract their
> contents). As far as the codebase is concerned the maas user will no
> longer need sudo privileges to run the import script, but taking away
> privileges can be painful for users who may rely on them; so I kept that
> privilege.
>
> Ownership of the files in /var/lib/maas/boot-resources needs to change,
> but a migration function in the main codebase takes care of that.
>
> A new directory /var/lib/maas/gnupg is used for GPG state, owned by the
> maas user. I tried setting a full home directory for the maas user, but
> that didn't work: if the user already existed from a previous installation,
> and still had a process running, usermod refused to do the job. I figure
> it's hard to ensure that there won't be a maas process running (e.g. it
> might be a region controller on the same machine) but also, we don't really
> need a home directory for maas. All we really need is a place for GPG
> state to go.
>
> I'm not sure I created this directory in the right way. Maybe
> /var/lib/maas/gnupg should simply be listed somewhere as a directory to be
> created on installation. Maybe it should be in maas-cluster-controller
> instead of maas-common. Advice welcome.
>
>
> Jeroen
> --
> https://code.launchpad.net/~jtv/maas/pkg-import-as-maas/+merge/216983
> You are subscribed to branch lp:~maas-maintainers/maas/packaging.
>
> === modified file 'debian/extras/99-maas-sudoers'
> --- debian/extras/99-maas-sudoers 2012-11-21 10:24:48 +0000
> +++ debian/extras/99-maas-sudoers 2014-04-24 07:03:05 +0000
> @@ -1,3 +1,3 @@
> maas ALL= NOPASSWD: /usr/sbin/service maas-dhcp-server restart
> maas ALL= NOPASSWD: /usr/sbin/maas-provision
> -maas ALL= NOPASSWD: SETENV: /usr/sbin/maas-import-pxe-files
> +maas ALL= NOPASSWD: SETENV: /usr/sbin/maas-import-pxe-files,
> /usr/sbin/tgt-admin, /usr/bin/uec2roottar
>
> === modified file 'debian/maas-common.postinst'
> --- debian/maas-common.postinst 2013-03-19 21:35:18 +0000
> +++ debian/maas-common.postinst 2014-04-24 07:03:05 +0000
> @@ -7,6 +7,15 @@
> local group="maas"
> addgroup --quiet --system "$group" || true
> adduser --quiet --system --group --no-create-home "$user" || true
> +
> + # Set up a "GPG home directory" for the maas user. This is where
> + # GnuPG can store its state when verifying import boot resources.
> + # We can't set a permanent home directory for the maas user,
> because
...

Read more...

Revision history for this message
Jeroen T. Vermeulen (jtv) wrote :

Okay, I'm moving the creation of /var/lib/maas/gnupghome into the cluster migration code. Also, added a changelog entry. Thanks chaps!

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1=== modified file 'debian/changelog'
2--- debian/changelog 2014-04-15 18:42:04 +0000
3+++ debian/changelog 2014-04-25 01:26:36 +0000
4@@ -2,6 +2,10 @@
5
6 * UNRELEASED
7
8+ [Jeroen Vermeulen]
9+ * debian/extras/99-maas-sudoers:
10+ - Let maas user import, including sudo tgt-admin and sudo uec2roottar.
11+
12 -- Andres Rodriguez <andreserl@ubuntu.com> Tue, 15 Apr 2014 14:41:32 -0400
13
14 maas (1.5+bzr2252-0ubuntu1) trusty; urgency=medium
15
16=== modified file 'debian/extras/99-maas-sudoers'
17--- debian/extras/99-maas-sudoers 2012-11-21 10:24:48 +0000
18+++ debian/extras/99-maas-sudoers 2014-04-25 01:26:36 +0000
19@@ -1,3 +1,3 @@
20 maas ALL= NOPASSWD: /usr/sbin/service maas-dhcp-server restart
21 maas ALL= NOPASSWD: /usr/sbin/maas-provision
22-maas ALL= NOPASSWD: SETENV: /usr/sbin/maas-import-pxe-files
23+maas ALL= NOPASSWD: SETENV: /usr/sbin/maas-import-pxe-files, /usr/sbin/tgt-admin, /usr/bin/uec2roottar

Subscribers

People subscribed via source and target branches