config: Convert wrsroot -> sysadmin
This also changes the group wrs_protected to sys_protected to de-brand the user and group names. Depends-On: I887464a20fc17d66529caea03be2b445156f9426 Change-Id: I9b08bf502a9dad279966b201999f65d06dbc5774 Story: 2004716 Task: 28747 Signed-off-by: Saul Wold <sgw@linux.intel.com>
parent
ed2d005df2
commit
8c30771d11
|
@ -10565,7 +10565,7 @@ badMediaType (415)
|
||||||
:header: "Parameter", "Style", "Type", "Description"
|
:header: "Parameter", "Style", "Type", "Description"
|
||||||
:widths: 20, 20, 20, 60
|
:widths: 20, 20, 20, 60
|
||||||
|
|
||||||
"Content-Type multipart/form-data", "plain", "xsd:string", "The content of a file. e.g. if using curl, this would be specified as: curl -F name=@full_path_of_filename <div class=""example""><pre>file=@/home/wrsroot/server-with-key.pem </pre></div>"
|
"Content-Type multipart/form-data", "plain", "xsd:string", "The content of a file. e.g. if using curl, this would be specified as: curl -F name=@full_path_of_filename <div class=""example""><pre>file=@/home/sysadmin/server-with-key.pem </pre></div>"
|
||||||
"passphrase (Optional)", "plain", "xsd:string", "The passphrase for the PEM file."
|
"passphrase (Optional)", "plain", "xsd:string", "The passphrase for the PEM file."
|
||||||
"mode (Optional)", "plain", "xsd:string", "This parameter specifies the type of System certificate. Possible values are: <emphasis xmlns=""http://docbook.org/ns/docbook"">ssl, tpm_mode, docker_registry, openstack, openstack_ca</emphasis>. Default: <emphasis xmlns=""http://docbook.org/ns/docbook"">ssl</emphasis>"
|
"mode (Optional)", "plain", "xsd:string", "This parameter specifies the type of System certificate. Possible values are: <emphasis xmlns=""http://docbook.org/ns/docbook"">ssl, tpm_mode, docker_registry, openstack, openstack_ca</emphasis>. Default: <emphasis xmlns=""http://docbook.org/ns/docbook"">ssl</emphasis>"
|
||||||
|
|
||||||
|
|
|
@ -61,7 +61,7 @@ SERVICE_ENABLE_TIMEOUT = 180
|
||||||
MINIMUM_ROOT_DISK_SIZE = 500
|
MINIMUM_ROOT_DISK_SIZE = 500
|
||||||
MAXIMUM_CGCS_LV_SIZE = 500
|
MAXIMUM_CGCS_LV_SIZE = 500
|
||||||
LDAP_CONTROLLER_CONFIGURE_TIMEOUT = 30
|
LDAP_CONTROLLER_CONFIGURE_TIMEOUT = 30
|
||||||
WRSROOT_MAX_PASSWORD_AGE = 45 # 45 days
|
SYSADMIN_MAX_PASSWORD_AGE = 45 # 45 days
|
||||||
|
|
||||||
LAG_MODE_ACTIVE_BACKUP = "active-backup"
|
LAG_MODE_ACTIVE_BACKUP = "active-backup"
|
||||||
LAG_MODE_BALANCE_XOR = "balance-xor"
|
LAG_MODE_BALANCE_XOR = "balance-xor"
|
||||||
|
|
|
@ -38,7 +38,7 @@ MIN_DATABASE_STORAGE = 20
|
||||||
MIN_IMAGE_STORAGE = 10
|
MIN_IMAGE_STORAGE = 10
|
||||||
MIN_IMAGE_CONVERSIONS_VOLUME = 20
|
MIN_IMAGE_CONVERSIONS_VOLUME = 20
|
||||||
|
|
||||||
WRSROOT_PASSWD_NO_AGING = 99999
|
SYSADMIN_PASSWD_NO_AGING = 99999
|
||||||
|
|
||||||
# System mode
|
# System mode
|
||||||
SYSTEM_MODE_DUPLEX = "duplex"
|
SYSTEM_MODE_DUPLEX = "duplex"
|
||||||
|
|
|
@ -621,14 +621,14 @@ class ConfigAssistant():
|
||||||
self.next_lag_index += 1
|
self.next_lag_index += 1
|
||||||
return name
|
return name
|
||||||
|
|
||||||
def get_wrsroot_sig(self):
|
def get_sysadmin_sig(self):
|
||||||
""" Get signature for wrsroot user. """
|
""" Get signature for sysadmin user. """
|
||||||
|
|
||||||
# NOTE (knasim): only compute the signature for the entries we're
|
# NOTE (knasim): only compute the signature for the entries we're
|
||||||
# tracking and propagating {password, aging}. This is prevent
|
# tracking and propagating {password, aging}. This is prevent
|
||||||
# config-outdated alarms for shadow fields that get modified
|
# config-outdated alarms for shadow fields that get modified
|
||||||
# and we don't track and propagate
|
# and we don't track and propagate
|
||||||
re_line = re.compile(r'(wrsroot:.*?)\s')
|
re_line = re.compile(r'(sysadmin:.*?)\s')
|
||||||
with open('/etc/shadow') as shadow_file:
|
with open('/etc/shadow') as shadow_file:
|
||||||
for line in shadow_file:
|
for line in shadow_file:
|
||||||
match = re_line.search(line)
|
match = re_line.search(line)
|
||||||
|
@ -636,7 +636,7 @@ class ConfigAssistant():
|
||||||
# Isolate password(2nd field) and aging(5th field)
|
# Isolate password(2nd field) and aging(5th field)
|
||||||
entry = match.group(1).split(':')
|
entry = match.group(1).split(':')
|
||||||
entrystr = entry[1] + ":" + entry[4]
|
entrystr = entry[1] + ":" + entry[4]
|
||||||
self.wrsroot_sig = hashlib.md5(entrystr).hexdigest()
|
self.sysadmin_sig = hashlib.md5(entrystr).hexdigest()
|
||||||
self.passwd_hash = entry[1]
|
self.passwd_hash = entry[1]
|
||||||
|
|
||||||
def input_system_mode_config(self):
|
def input_system_mode_config(self):
|
||||||
|
@ -2904,8 +2904,8 @@ class ConfigAssistant():
|
||||||
self.add_password_for_validation('ADMIN_PASSWORD',
|
self.add_password_for_validation('ADMIN_PASSWORD',
|
||||||
self.admin_password)
|
self.admin_password)
|
||||||
|
|
||||||
if config.has_option('cUSERS', 'WRSROOT_SIG'):
|
if config.has_option('cUSERS', 'SYSADMIN_SIG'):
|
||||||
raise ConfigFail("The option WRSROOT_SIG is "
|
raise ConfigFail("The option SYSADMIN_SIG is "
|
||||||
"no longer supported.")
|
"no longer supported.")
|
||||||
|
|
||||||
# Licensing configuration
|
# Licensing configuration
|
||||||
|
@ -2914,8 +2914,8 @@ class ConfigAssistant():
|
||||||
"no longer supported")
|
"no longer supported")
|
||||||
|
|
||||||
# Security configuration
|
# Security configuration
|
||||||
if config.has_option('cSECURITY', 'CONFIG_WRSROOT_PW_AGE'):
|
if config.has_option('cSECURITY', 'CONFIG_SYSADMIN_PW_AGE'):
|
||||||
raise ConfigFail("The option CONFIG_WRSROOT_PW_AGE is "
|
raise ConfigFail("The option CONFIG_SYSADMIN_PW_AGE is "
|
||||||
"no longer supported.")
|
"no longer supported.")
|
||||||
if config.has_option('cSECURITY', 'ENABLE_HTTPS'):
|
if config.has_option('cSECURITY', 'ENABLE_HTTPS'):
|
||||||
raise ConfigFail("The option ENABLE_HTTPS is "
|
raise ConfigFail("The option ENABLE_HTTPS is "
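Review bot: Renaming the rejected option from WRSROOT_SIG to SYSADMIN_SIG (hunk at 2904) and CONFIG_WRSROOT_PW_AGE to CONFIG_SYSADMIN_PW_AGE (hunk at 2914) removes the guard from the very files it was written for: a config file that still carries the old spelling is now accepted without the "no longer supported" error, and the stale option is silently ignored. Unless every pre-existing config file is known to be regenerated, keep rejecting the legacy name alongside the new one, e.g. `if config.has_option('cUSERS', 'WRSROOT_SIG') or config.has_option('cUSERS', 'SYSADMIN_SIG'):` and the same pair for the cSECURITY check. The enclosing method starts and ends outside these hunks.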
|
||||||
|
|
|
@ -566,9 +566,9 @@ def show_help_subcloud():
|
||||||
def config_main(config_type=REGION_CONFIG):
|
def config_main(config_type=REGION_CONFIG):
|
||||||
allow_ssh = False
|
allow_ssh = False
|
||||||
if config_type == REGION_CONFIG:
|
if config_type == REGION_CONFIG:
|
||||||
config_file = "/home/wrsroot/region_config"
|
config_file = "/home/sysadmin/region_config"
|
||||||
elif config_type == SUBCLOUD_CONFIG:
|
elif config_type == SUBCLOUD_CONFIG:
|
||||||
config_file = "/home/wrsroot/subcloud_config"
|
config_file = "/home/sysadmin/subcloud_config"
|
||||||
else:
|
else:
|
||||||
raise ConfigFail("Invalid config_type: %s" % config_type)
|
raise ConfigFail("Invalid config_type: %s" % config_type)
|
||||||
|
|
||||||
|
|
|
@ -300,7 +300,7 @@ def main():
|
||||||
do_clone = False
|
do_clone = False
|
||||||
do_non_interactive = False
|
do_non_interactive = False
|
||||||
do_provision = False
|
do_provision = False
|
||||||
system_config_file = "/home/wrsroot/system_config"
|
system_config_file = "/home/sysadmin/system_config"
|
||||||
allow_ssh = False
|
allow_ssh = False
|
||||||
|
|
||||||
# Disable completion as the default completer shows python commands
|
# Disable completion as the default completer shows python commands
|
||||||
|
|
|
@ -451,12 +451,12 @@ def _replace_in_file(filename, old, new):
|
||||||
fileinput.close()
|
fileinput.close()
|
||||||
|
|
||||||
|
|
||||||
@patch('controllerconfig.configassistant.ConfigAssistant.get_wrsroot_sig')
|
@patch('controllerconfig.configassistant.ConfigAssistant.get_sysadmin_sig')
|
||||||
def _test_region_config(tmpdir, inputfile, resultfile,
|
def _test_region_config(tmpdir, inputfile, resultfile,
|
||||||
mock_get_wrsroot_sig):
|
mock_get_sysadmin_sig):
|
||||||
""" Test import and generation of answerfile """
|
""" Test import and generation of answerfile """
|
||||||
|
|
||||||
mock_get_wrsroot_sig.return_value = None
|
mock_get_sysadmin_sig.return_value = None
|
||||||
|
|
||||||
# Create the path to the output file
|
# Create the path to the output file
|
||||||
outputfile = os.path.join(str(tmpdir), 'output')
|
outputfile = os.path.join(str(tmpdir), 'output')
|
||||||
|
|
|
@ -109,7 +109,7 @@ platform::haproxy::params::global_options:
|
||||||
log:
|
log:
|
||||||
- '127.0.0.1:514 local1 info'
|
- '127.0.0.1:514 local1 info'
|
||||||
user: 'haproxy'
|
user: 'haproxy'
|
||||||
group: 'wrs_protected'
|
group: 'sys_protected'
|
||||||
chroot: '/var/lib/haproxy'
|
chroot: '/var/lib/haproxy'
|
||||||
pidfile: '/var/run/haproxy.pid'
|
pidfile: '/var/run/haproxy.pid'
|
||||||
maxconn: '4000'
|
maxconn: '4000'
|
||||||
|
|
|
@ -9,7 +9,7 @@ platform::params::controller_1_hostname: controller-1
|
||||||
platform::params::pxeboot_hostname: pxecontroller
|
platform::params::pxeboot_hostname: pxecontroller
|
||||||
platform::params::security_feature: nopti nospectre_v2
|
platform::params::security_feature: nopti nospectre_v2
|
||||||
platform::amqp::auth_user: guest
|
platform::amqp::auth_user: guest
|
||||||
platform::users::params::wrsroot_password_max_age: 45
|
platform::users::params::sysadmin_password_max_age: 45
|
||||||
|
|
||||||
# mtce
|
# mtce
|
||||||
platform::mtce::params::sm_server_port: 2124
|
platform::mtce::params::sm_server_port: 2124
|
||||||
|
|
|
@ -47,7 +47,7 @@ class openstack::horizon
|
||||||
user { 'www':
|
user { 'www':
|
||||||
ensure => 'present',
|
ensure => 'present',
|
||||||
shell => '/sbin/nologin',
|
shell => '/sbin/nologin',
|
||||||
groups => ['wrs_protected'],
|
groups => ['sys_protected'],
|
||||||
}
|
}
|
||||||
|
|
||||||
file { '/www/tmp':
|
file { '/www/tmp':
|
||||||
|
|
|
@ -202,7 +202,7 @@ server.chroot = "/www"
|
||||||
server.username = "www"
|
server.username = "www"
|
||||||
|
|
||||||
## change uid to <uid> (default: don't care)
|
## change uid to <uid> (default: don't care)
|
||||||
server.groupname = "wrs_protected"
|
server.groupname = "sys_protected"
|
||||||
|
|
||||||
## defaults to /var/tmp
|
## defaults to /var/tmp
|
||||||
server.upload-dirs = ( "/tmp" )
|
server.upload-dirs = ( "/tmp" )
|
||||||
|
|
|
@ -30,19 +30,19 @@ define platform::helm::repository (
|
||||||
}
|
}
|
||||||
|
|
||||||
$before_relationship = Exec['Stop lighttpd']
|
$before_relationship = Exec['Stop lighttpd']
|
||||||
$require_relationship = [ User['wrsroot'], Exec["Generate index: ${repo_path}"] ]
|
$require_relationship = [ User['sysadmin'], Exec["Generate index: ${repo_path}"] ]
|
||||||
} else {
|
} else {
|
||||||
$before_relationship = undef
|
$before_relationship = undef
|
||||||
$require_relationship = User['wrsroot']
|
$require_relationship = User['sysadmin']
|
||||||
}
|
}
|
||||||
|
|
||||||
exec { "Adding StarlingX helm repo: ${name}":
|
exec { "Adding StarlingX helm repo: ${name}":
|
||||||
before => $before_relationship,
|
before => $before_relationship,
|
||||||
environment => [ 'KUBECONFIG=/etc/kubernetes/admin.conf' , 'HOME=/home/wrsroot'],
|
environment => [ 'KUBECONFIG=/etc/kubernetes/admin.conf' , 'HOME=/home/sysadmin'],
|
||||||
command => "helm repo add ${name} http://127.0.0.1:${repo_port}/helm_charts/${name}",
|
command => "helm repo add ${name} http://127.0.0.1:${repo_port}/helm_charts/${name}",
|
||||||
logoutput => true,
|
logoutput => true,
|
||||||
user => 'wrsroot',
|
user => 'sysadmin',
|
||||||
group => 'wrs',
|
group => 'sys_protected',
|
||||||
require => $require_relationship
|
require => $require_relationship
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -62,12 +62,12 @@ class platform::helm::repositories
|
||||||
}
|
}
|
||||||
|
|
||||||
-> exec { 'Updating info of available charts locally from chart repo':
|
-> exec { 'Updating info of available charts locally from chart repo':
|
||||||
environment => [ 'KUBECONFIG=/etc/kubernetes/admin.conf', 'HOME=/home/wrsroot' ],
|
environment => [ 'KUBECONFIG=/etc/kubernetes/admin.conf', 'HOME=/home/sysadmin' ],
|
||||||
command => 'helm repo update',
|
command => 'helm repo update',
|
||||||
logoutput => true,
|
logoutput => true,
|
||||||
user => 'wrsroot',
|
user => 'sysadmin',
|
||||||
group => 'wrs',
|
group => 'sys_protected',
|
||||||
require => User['wrsroot']
|
require => User['sysadmin']
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -132,12 +132,12 @@ class platform::helm
|
||||||
}
|
}
|
||||||
|
|
||||||
-> exec { 'initialize helm':
|
-> exec { 'initialize helm':
|
||||||
environment => [ 'KUBECONFIG=/etc/kubernetes/admin.conf', 'HOME=/home/wrsroot' ],
|
environment => [ 'KUBECONFIG=/etc/kubernetes/admin.conf', 'HOME=/home/sysadmin' ],
|
||||||
command => "helm init --skip-refresh --service-account tiller --node-selectors \"node-role.kubernetes.io/master\"=\"\" --tiller-image=${gcr_registry}/kubernetes-helm/tiller:v2.13.1 --override spec.template.spec.hostNetwork=true", # lint:ignore:140chars
|
command => "helm init --skip-refresh --service-account tiller --node-selectors \"node-role.kubernetes.io/master\"=\"\" --tiller-image=${gcr_registry}/kubernetes-helm/tiller:v2.13.1 --override spec.template.spec.hostNetwork=true", # lint:ignore:140chars
|
||||||
logoutput => true,
|
logoutput => true,
|
||||||
user => 'wrsroot',
|
user => 'sysadmin',
|
||||||
group => 'wrs',
|
group => 'sys_protected',
|
||||||
require => User['wrsroot']
|
require => User['sysadmin']
|
||||||
}
|
}
|
||||||
|
|
||||||
exec { "bind mount ${target_helm_repos_base_dir}":
|
exec { "bind mount ${target_helm_repos_base_dir}":
|
||||||
|
@ -150,12 +150,12 @@ class platform::helm
|
||||||
Class['::platform::kubernetes::master']
|
Class['::platform::kubernetes::master']
|
||||||
|
|
||||||
-> exec { 'initialize helm':
|
-> exec { 'initialize helm':
|
||||||
environment => [ 'KUBECONFIG=/etc/kubernetes/admin.conf', 'HOME=/home/wrsroot' ],
|
environment => [ 'KUBECONFIG=/etc/kubernetes/admin.conf', 'HOME=/home/sysadmin' ],
|
||||||
command => 'helm init --skip-refresh --client-only',
|
command => 'helm init --skip-refresh --client-only',
|
||||||
logoutput => true,
|
logoutput => true,
|
||||||
user => 'wrsroot',
|
user => 'sysadmin',
|
||||||
group => 'wrs',
|
group => 'sys_protected',
|
||||||
require => User['wrsroot']
|
require => User['sysadmin']
|
||||||
}
|
}
|
||||||
}
|
}
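Review bot: The helm exec resources hard-code `user => 'sysadmin'` and `'HOME=/home/sysadmin'` (hunks at 30, 62, 132 and 150) although this same commit adds `$sysadmin_user_name = 'sysadmin'` and `$sysadmin_user_dir = '/home/sysadmin'` to platform::params for exactly these values, and platform::users repeats the literals in the user title and `home`. Nothing visible in this change reads the two new parameters. Referencing `$::platform::params::sysadmin_user_name` and `"HOME=${::platform::params::sysadmin_user_dir}"` keeps the next rename to a single place; this assumes the class includes ::platform::params, which the hunks do not show.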
|
||||||
|
|
||||||
|
|
|
@ -227,7 +227,7 @@ class platform::kubernetes::master::init
|
||||||
}
|
}
|
||||||
|
|
||||||
# Update ownership/permissions for file created by "kubeadm init".
|
# Update ownership/permissions for file created by "kubeadm init".
|
||||||
# We want it readable by sysinv and wrsroot.
|
# We want it readable by sysinv and sysadmin.
|
||||||
-> file { '/etc/kubernetes/admin.conf':
|
-> file { '/etc/kubernetes/admin.conf':
|
||||||
ensure => file,
|
ensure => file,
|
||||||
owner => 'root',
|
owner => 'root',
|
||||||
|
@ -382,7 +382,7 @@ class platform::kubernetes::master::init
|
||||||
}
|
}
|
||||||
|
|
||||||
# Update ownership/permissions for file created by "kubeadm init".
|
# Update ownership/permissions for file created by "kubeadm init".
|
||||||
# We want it readable by sysinv and wrsroot.
|
# We want it readable by sysinv and sysadmin.
|
||||||
-> file { '/etc/kubernetes/admin.conf':
|
-> file { '/etc/kubernetes/admin.conf':
|
||||||
ensure => file,
|
ensure => file,
|
||||||
owner => 'root',
|
owner => 'root',
|
||||||
|
|
|
@ -137,10 +137,10 @@ class platform::ldap::bootstrap
|
||||||
-> exec { 'create ldap protected group':
|
-> exec { 'create ldap protected group':
|
||||||
command => "ldapaddgroup ${::platform::params::protected_group_name} ${::platform::params::protected_group_id}"
|
command => "ldapaddgroup ${::platform::params::protected_group_name} ${::platform::params::protected_group_id}"
|
||||||
}
|
}
|
||||||
-> exec { 'add admin to wrs protected group' :
|
-> exec { 'add admin to sys_protected protected group' :
|
||||||
command => "ldapaddusertogroup admin ${::platform::params::protected_group_name}",
|
command => "ldapaddusertogroup admin ${::platform::params::protected_group_name}",
|
||||||
}
|
}
|
||||||
-> exec { 'add operator to wrs protected group' :
|
-> exec { 'add operator to sys_protected protected group' :
|
||||||
command => "ldapaddusertogroup operator ${::platform::params::protected_group_name}",
|
command => "ldapaddusertogroup operator ${::platform::params::protected_group_name}",
|
||||||
}
|
}
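Review bot: The exec titles now read 'add admin to sys_protected protected group' (hunk at 137), which is redundant and hard-codes the group name that the command on the next line takes from `${::platform::params::protected_group_name}`. Interpolating the parameter into the title keeps the two in step, e.g. `-> exec { "add admin to ${::platform::params::protected_group_name} group" :` and likewise for the operator exec. The resource chain continues outside the hunk.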
|
||||||
|
|
||||||
|
|
|
@ -30,7 +30,9 @@ class platform::params (
|
||||||
|
|
||||||
$nfs_mount_options = "timeo=30,proto=${nfs_proto},vers=3,rsize=${nfs_rw_size},wsize=${nfs_rw_size}"
|
$nfs_mount_options = "timeo=30,proto=${nfs_proto},vers=3,rsize=${nfs_rw_size},wsize=${nfs_rw_size}"
|
||||||
|
|
||||||
$protected_group_name = 'wrs_protected'
|
$sysadmin_user_name = 'sysadmin'
|
||||||
|
$sysadmin_user_dir = '/home/sysadmin'
|
||||||
|
$protected_group_name = 'sys_protected'
|
||||||
$protected_group_id = '345'
|
$protected_group_id = '345'
|
||||||
|
|
||||||
# PUPPET 4 treats custom facts as strings. We convert to int by adding zero.
|
# PUPPET 4 treats custom facts as strings. We convert to int by adding zero.
|
||||||
|
|
|
@ -28,7 +28,7 @@ class platform::sysinv
|
||||||
ensure => 'present',
|
ensure => 'present',
|
||||||
comment => 'sysinv Daemons',
|
comment => 'sysinv Daemons',
|
||||||
gid => '168',
|
gid => '168',
|
||||||
groups => ['nobody', 'sysinv', 'wrs_protected'],
|
groups => ['nobody', 'sysinv', 'sys_protected'],
|
||||||
home => '/var/lib/sysinv',
|
home => '/var/lib/sysinv',
|
||||||
password => '!!',
|
password => '!!',
|
||||||
password_max_age => '-1',
|
password_max_age => '-1',
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
class platform::users::params (
|
class platform::users::params (
|
||||||
$wrsroot_password = undef,
|
$sysadmin_password = undef,
|
||||||
$wrsroot_password_max_age = undef,
|
$sysadmin_password_max_age = undef,
|
||||||
) {}
|
) {}
|
||||||
|
|
||||||
|
|
||||||
|
@ -9,27 +9,23 @@ class platform::users
|
||||||
|
|
||||||
include ::platform::params
|
include ::platform::params
|
||||||
|
|
||||||
group { 'wrs':
|
# Create a 'sys_protected' group for sysadmin and all openstack services
|
||||||
|
# (including StarlingX services: sysinv, etc.).
|
||||||
|
group { $::platform::params::protected_group_name:
|
||||||
ensure => 'present',
|
ensure => 'present',
|
||||||
|
gid => $::platform::params::protected_group_id,
|
||||||
}
|
}
|
||||||
|
|
||||||
# WRS: Create a 'wrs_protected' group for wrsroot and all openstack services
|
-> user { 'sysadmin':
|
||||||
# (including TiS services: sysinv, etc.).
|
|
||||||
-> group { $::platform::params::protected_group_name:
|
|
||||||
ensure => 'present',
|
|
||||||
gid => $::platform::params::protected_group_id,
|
|
||||||
}
|
|
||||||
|
|
||||||
-> user { 'wrsroot':
|
|
||||||
ensure => 'present',
|
ensure => 'present',
|
||||||
groups => ['wrs', 'root', $::platform::params::protected_group_name],
|
groups => ['root', $::platform::params::protected_group_name],
|
||||||
home => '/home/wrsroot',
|
home => '/home/sysadmin',
|
||||||
password => $wrsroot_password,
|
password => $sysadmin_password,
|
||||||
password_max_age => $wrsroot_password_max_age,
|
password_max_age => $sysadmin_password_max_age,
|
||||||
shell => '/bin/sh',
|
shell => '/bin/sh',
|
||||||
}
|
}
|
||||||
|
|
||||||
# WRS: Keyring should only be executable by 'wrs_protected'.
|
# Keyring should only be executable by 'sys_protected'.
|
||||||
-> file { '/usr/bin/keyring':
|
-> file { '/usr/bin/keyring':
|
||||||
owner => 'root',
|
owner => 'root',
|
||||||
group => $::platform::params::protected_group_name,
|
group => $::platform::params::protected_group_name,
|
||||||
|
@ -43,20 +39,16 @@ class platform::users::bootstrap
|
||||||
|
|
||||||
include ::platform::params
|
include ::platform::params
|
||||||
|
|
||||||
group { 'wrs':
|
group { $::platform::params::protected_group_name:
|
||||||
ensure => 'present',
|
|
||||||
}
|
|
||||||
|
|
||||||
-> group { $::platform::params::protected_group_name:
|
|
||||||
ensure => 'present',
|
ensure => 'present',
|
||||||
gid => $::platform::params::protected_group_id,
|
gid => $::platform::params::protected_group_id,
|
||||||
}
|
}
|
||||||
|
|
||||||
-> user { 'wrsroot':
|
-> user { 'sysadmin':
|
||||||
ensure => 'present',
|
ensure => 'present',
|
||||||
groups => ['wrs', 'root', $::platform::params::protected_group_name],
|
groups => ['root', $::platform::params::protected_group_name],
|
||||||
home => '/home/wrsroot',
|
home => '/home/sysadmin',
|
||||||
password_max_age => $wrsroot_password_max_age,
|
password_max_age => $sysadmin_password_max_age,
|
||||||
shell => '/bin/sh',
|
shell => '/bin/sh',
|
||||||
}
|
}
|
||||||
}
|
}
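Review bot: The hunk at 9 deletes the `group { 'wrs': }` resource (the bootstrap hunk at 43 likewise) without declaring it `ensure => 'absent'`, so on a controller provisioned under the old manifests the group entry and any files group-owned by it stay in place, unmanaged; whether an upgrade step handles that is not visible here. The commit description only mentions the wrs_protected to sys_protected rename, so the removal of the separate 'wrs' group and the change of the sysadmin supplementary groups from `['wrs', 'root', ...]` to `['root', ...]` should be called out. If stale membership matters, consider a `group { 'wrs': ensure => 'absent' }` ordered after the user resource.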
|
||||||
|
|
|
@ -37,7 +37,7 @@ from wsme import types as wtypes
|
||||||
|
|
||||||
LOG = log.getLogger(__name__)
|
LOG = log.getLogger(__name__)
|
||||||
|
|
||||||
IUSERS_ROOT_USERNAME = 'wrsroot'
|
IUSERS_ROOT_USERNAME = 'sysadmin'
|
||||||
|
|
||||||
|
|
||||||
class UserPatchType(types.JsonPatchType):
|
class UserPatchType(types.JsonPatchType):
|
||||||
|
@ -300,11 +300,11 @@ class UserController(rest.RestController):
|
||||||
return User.convert_with_links(rpc_user)
|
return User.convert_with_links(rpc_user)
|
||||||
|
|
||||||
except exception.HTTPNotFound:
|
except exception.HTTPNotFound:
|
||||||
msg = _("User wrsroot update failed: system %s user %s : patch %s"
|
msg = _("User sysadmin update failed: system %s user %s : patch %s"
|
||||||
% (isystem['systemname'], user, patch))
|
% (isystem['systemname'], user, patch))
|
||||||
raise wsme.exc.ClientSideError(msg)
|
raise wsme.exc.ClientSideError(msg)
|
||||||
except exception.KeyError:
|
except exception.KeyError:
|
||||||
msg = _("Cannot retrieve shadow entry for wrsroot: system %s : patch %s"
|
msg = _("Cannot retrieve shadow entry for sysadmin: system %s : patch %s"
|
||||||
% (isystem['systemname'], patch))
|
% (isystem['systemname'], patch))
|
||||||
raise wsme.exc.ClientSideError(msg)
|
raise wsme.exc.ClientSideError(msg)
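Review bot: The updated error messages embed the literal 'sysadmin' (hunk at 300) although the same module defines `IUSERS_ROOT_USERNAME = 'sysadmin'` in the hunk at 37, so a later rename has to find these strings again. Formatting the constant in instead, e.g. `msg = _("User %s update failed: system %s user %s : patch %s" % (IUSERS_ROOT_USERNAME, isystem['systemname'], user, patch))`, keeps the message text in step with the constant; the same applies to the shadow-entry message below it. The enclosing method starts and ends outside the hunk.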
|
||||||
|
|
||||||
|
|
|
@ -1185,10 +1185,10 @@ LLDP_FULL_AUDIT_COUNT = 6
|
||||||
FM_SUPPRESSED = 'suppressed'
|
FM_SUPPRESSED = 'suppressed'
|
||||||
FM_UNSUPPRESSED = 'unsuppressed'
|
FM_UNSUPPRESSED = 'unsuppressed'
|
||||||
|
|
||||||
# wrsroot password aging.
|
# sysadmin password aging.
|
||||||
# Setting aging to max defined value qualifies
|
# Setting aging to max defined value qualifies
|
||||||
# as "never" on certain Linux distros including WRL
|
# as "never" on certain Linux distros including WRL
|
||||||
WRSROOT_PASSWORD_NO_AGING = 99999
|
SYSADMIN_PASSWORD_NO_AGING = 99999
|
||||||
|
|
||||||
# SDN Controller
|
# SDN Controller
|
||||||
SDN_CONTROLLER_STATE_ENABLED = 'enabled'
|
SDN_CONTROLLER_STATE_ENABLED = 'enabled'
|
||||||
|
@ -1298,7 +1298,7 @@ NETWORK_CONFIG_LOCK_FILE = os.path.join(
|
||||||
|
|
||||||
SYSINV_USERNAME = "sysinv"
|
SYSINV_USERNAME = "sysinv"
|
||||||
SYSINV_GRPNAME = "sysinv"
|
SYSINV_GRPNAME = "sysinv"
|
||||||
SYSINV_WRS_GRPNAME = "wrs_protected"
|
SYSINV_SYSADMIN_GRPNAME = "sys_protected"
|
||||||
|
|
||||||
# This is the first report sysinv is sending to conductor since boot
|
# This is the first report sysinv is sending to conductor since boot
|
||||||
SYSINV_AGENT_FIRST_REPORT = 'first_report'
|
SYSINV_AGENT_FIRST_REPORT = 'first_report'
|
||||||
|
|
|
@ -272,9 +272,9 @@ class AppOperator(object):
|
||||||
if not os.path.isdir(app.path):
|
if not os.path.isdir(app.path):
|
||||||
create_app_path(app.path)
|
create_app_path(app.path)
|
||||||
|
|
||||||
# Temporarily change /scratch group ownership to wrs_protected
|
# Temporarily change /scratch group ownership to sys_protected
|
||||||
os.chown(constants.APP_INSTALL_ROOT_PATH, orig_uid,
|
os.chown(constants.APP_INSTALL_ROOT_PATH, orig_uid,
|
||||||
grp.getgrnam(constants.SYSINV_WRS_GRPNAME).gr_gid)
|
grp.getgrnam(constants.SYSINV_SYSADMIN_GRPNAME).gr_gid)
|
||||||
|
|
||||||
# Extract the tarfile as sysinv user
|
# Extract the tarfile as sysinv user
|
||||||
if not cutils.extract_tarfile(app.path, app.tarfile, demote_user=True):
|
if not cutils.extract_tarfile(app.path, app.tarfile, demote_user=True):
|
||||||
|
@ -613,9 +613,9 @@ class AppOperator(object):
|
||||||
orig_uid, orig_gid = get_app_install_root_path_ownership()
|
orig_uid, orig_gid = get_app_install_root_path_ownership()
|
||||||
helm_repo = self._get_helm_repo_from_metadata(app)
|
helm_repo = self._get_helm_repo_from_metadata(app)
|
||||||
try:
|
try:
|
||||||
# Temporarily change /scratch group ownership to wrs_protected
|
# Temporarily change /scratch group ownership to sys_protected
|
||||||
os.chown(constants.APP_INSTALL_ROOT_PATH, orig_uid,
|
os.chown(constants.APP_INSTALL_ROOT_PATH, orig_uid,
|
||||||
grp.getgrnam(constants.SYSINV_WRS_GRPNAME).gr_gid)
|
grp.getgrnam(constants.SYSINV_SYSADMIN_GRPNAME).gr_gid)
|
||||||
with open(os.devnull, "w") as fnull:
|
with open(os.devnull, "w") as fnull:
|
||||||
for chart in charts:
|
for chart in charts:
|
||||||
subprocess.check_call(['helm-upload', helm_repo, chart],
|
subprocess.check_call(['helm-upload', helm_repo, chart],
|
||||||
|
@ -1914,14 +1914,14 @@ class DockerHelper(object):
|
||||||
if not os.path.exists(ARMADA_HOST_LOG_LOCATION):
|
if not os.path.exists(ARMADA_HOST_LOG_LOCATION):
|
||||||
os.mkdir(ARMADA_HOST_LOG_LOCATION)
|
os.mkdir(ARMADA_HOST_LOG_LOCATION)
|
||||||
os.chmod(ARMADA_HOST_LOG_LOCATION, 0o755)
|
os.chmod(ARMADA_HOST_LOG_LOCATION, 0o755)
|
||||||
os.chown(ARMADA_HOST_LOG_LOCATION, 1000, grp.getgrnam("wrs").gr_gid)
|
os.chown(ARMADA_HOST_LOG_LOCATION, 1000, grp.getgrnam("sys_protected").gr_gid)
|
||||||
|
|
||||||
# First make kubernetes config accessible to Armada. This
|
# First make kubernetes config accessible to Armada. This
|
||||||
# is a work around the permission issue in Armada container.
|
# is a work around the permission issue in Armada container.
|
||||||
kube_config = os.path.join(constants.APP_SYNCED_DATA_PATH,
|
kube_config = os.path.join(constants.APP_SYNCED_DATA_PATH,
|
||||||
'admin.conf')
|
'admin.conf')
|
||||||
shutil.copy('/etc/kubernetes/admin.conf', kube_config)
|
shutil.copy('/etc/kubernetes/admin.conf', kube_config)
|
||||||
os.chown(kube_config, 1000, grp.getgrnam("wrs").gr_gid)
|
os.chown(kube_config, 1000, grp.getgrnam("sys_protected").gr_gid)
|
||||||
|
|
||||||
overrides_dir = common.HELM_OVERRIDES_PATH
|
overrides_dir = common.HELM_OVERRIDES_PATH
|
||||||
manifests_dir = constants.APP_SYNCED_DATA_PATH
|
manifests_dir = constants.APP_SYNCED_DATA_PATH
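Review bot: The two `os.chown` calls in DockerHelper (hunk at 1914) pass the literal `"sys_protected"` to `grp.getgrnam`, while the AppOperator hunks at 272 and 613 in the same file read the group from `constants.SYSINV_SYSADMIN_GRPNAME`, which this commit defines in the hunk at 1298. Use the constant here as well, `grp.getgrnam(constants.SYSINV_SYSADMIN_GRPNAME).gr_gid`, so the group name is defined once. The uid 1000 on the same lines is also hard-coded, but that predates this change. The enclosing method starts and ends outside the hunk.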
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
# vim: tabstop=4 shiftwidth=4 softtabstop=4
|
# sim: tabstop=4 shiftwidth=4 softtabstop=4
|
||||||
#
|
#
|
||||||
# Copyright (c) 2019 Wind River Systems, Inc.
|
# Copyright (c) 2019 Wind River Systems, Inc.
|
||||||
#
|
#
|
||||||
|
@ -32,12 +32,12 @@ def refresh_helm_repo_information():
|
||||||
"""
|
"""
|
||||||
with open(os.devnull, "w") as fnull:
|
with open(os.devnull, "w") as fnull:
|
||||||
try:
|
try:
|
||||||
subprocess.check_call(['sudo', '-u', 'wrsroot',
|
subprocess.check_call(['sudo', '-u', 'sysadmin',
|
||||||
'helm', 'repo', 'update'],
|
'helm', 'repo', 'update'],
|
||||||
stdout=fnull, stderr=fnull)
|
stdout=fnull, stderr=fnull)
|
||||||
except subprocess.CalledProcessError:
|
except subprocess.CalledProcessError:
|
||||||
# Just log an error. Don't stop any callers from further execution.
|
# Just log an error. Don't stop any callers from further execution.
|
||||||
LOG.error("Failed to update helm repo data for user wrsroot.")
|
LOG.error("Failed to update helm repo data for user sysadmin.")
|
||||||
|
|
||||||
|
|
||||||
def retrieve_helm_releases():
|
def retrieve_helm_releases():
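Review bot: The hunk at 1 turns the editor modeline `# vim: tabstop=4 shiftwidth=4 softtabstop=4` into `# sim: ...`, which looks like collateral damage from the search-and-replace rather than an intended edit; vim no longer recognises the line. Restore it to `# vim: tabstop=4 shiftwidth=4 softtabstop=4`. The remaining hunk at 32 is a straight rename.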
|
||||||
|
|
|
@ -235,9 +235,9 @@ class PlatformPuppet(base.BasePuppet):
|
||||||
def _get_user_config(self):
|
def _get_user_config(self):
|
||||||
user = self.dbapi.iuser_get_one()
|
user = self.dbapi.iuser_get_one()
|
||||||
return {
|
return {
|
||||||
'platform::users::params::wrsroot_password':
|
'platform::users::params::sysadmin_password':
|
||||||
user.passwd_hash,
|
user.passwd_hash,
|
||||||
'platform::users::params::wrsroot_password_max_age':
|
'platform::users::params::sysadmin_password_max_age':
|
||||||
user.passwd_expiry_days,
|
user.passwd_expiry_days,
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|