diff options
| author | Ben Howard <ben.howard@canonical.com> | 2012-08-21 13:03:47 -0600 |
|---|---|---|
| committer | Ben Howard <ben.howard@canonical.com> | 2012-08-21 13:03:47 -0600 |
| commit | 3f4a556e59b127d2fb6ebb57a8a42f6a71248b59 (patch) | |
| tree | cec63a461ef1d09bd79a805365d5488b23e74e85 /cloudinit/distros | |
| parent | 8aa59086146062fc767349be086fe0c35bf9c477 (diff) | |
| download | vyos-cloud-init-3f4a556e59b127d2fb6ebb57a8a42f6a71248b59.tar.gz vyos-cloud-init-3f4a556e59b127d2fb6ebb57a8a42f6a71248b59.zip | |
Implemented MP feedback.
Diffstat (limited to 'cloudinit/distros')
| -rw-r--r-- | cloudinit/distros/__init__.py | 187 | ||||
| -rw-r--r-- | cloudinit/distros/ubuntu.py | 57 |
2 files changed, 209 insertions, 35 deletions
diff --git a/cloudinit/distros/__init__.py b/cloudinit/distros/__init__.py index 8aec1199..776a2417 100644 --- a/cloudinit/distros/__init__.py +++ b/cloudinit/distros/__init__.py @@ -7,6 +7,7 @@ # Author: Scott Moser <scott.moser@canonical.com> # Author: Juerg Haefliger <juerg.haefliger@hp.com> # Author: Joshua Harlow <harlowja@yahoo-inc.com> +# Author: Ben Howard <ben.howard@canonical.com> # # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License version 3, as @@ -23,10 +24,13 @@ from StringIO import StringIO import abc - +import pwd +import grp +import os from cloudinit import importer from cloudinit import log as logging from cloudinit import util +from cloudinit import ssh_util # TODO: Make this via config?? IFACE_ACTIONS = { @@ -51,7 +55,7 @@ class Distro(object): raise NotImplementedError() @abc.abstractmethod - def get_default_username(self): + def get_default_user(self): raise NotImplementedError() @abc.abstractmethod @@ -158,6 +162,185 @@ class Distro(object): util.logexc(LOG, "Running interface command %s failed", cmd) return False + def isuser(self, name): + try: + if pwd.getpwnam(name): + return True + except KeyError: + return False + + def set_configured_user(self, name): + self.default_user = name + + def get_configured_user(self): + try: + return getattr(self, 'default_user') + except: + return None + + def create_user(self, name, **kwargs): + """ + Creates users for the system using the GNU passwd tools. This + will work on an GNU system. This should be overriden on + distros where useradd is not desirable or not available. + """ + + if self.isuser(name): + LOG.warn("User %s already exists, skipping." % name) + else: + LOG.debug("Creating name %s" % name) + + adduser_cmd = ['useradd', name] + x_adduser_cmd = adduser_cmd + + # Since we are creating users, we want to carefully validate the + # inputs. If something goes wrong, we can end up with a system + # that nobody can login to. + adduser_opts = { + "gecos": '--comment', + "homedir": '--home', + "primarygroup": '--gid', + "groups": '--groups', + "passwd": '--password', + "shell": '--shell', + "expiredate": '--expiredate', + "inactive": '--inactive', + } + + adduser_opts_flags = { + "nousergroup": '--no-user-group', + "system": '--system', + "nologinit": '--no-log-init', + "nocreatehome": "-M", + } + + # Now check the value and create the command + for option in kwargs: + value = kwargs[option] + if option in adduser_opts and value \ + and isinstance(value, str): + adduser_cmd.extend([adduser_opts[option], value]) + + # Redact the password field from the logs + if option != "password": + x_adduser_cmd.extend([adduser_opts[option], value]) + else: + x_adduser_cmd.extend([adduser_opts[option], 'REDACTED']) + + if option in adduser_opts_flags and value: + adduser_cmd.append(adduser_opts_flags[option]) + x_adduser_cmd.append(adduser_opts_flags[option]) + + # Default to creating home directory unless otherwise directed + # Also, we do not create home directories for system users. + if "nocreatehome" not in kwargs and "system" not in kwargs: + adduser_cmd.append('-m') + + # Create the user + try: + util.subp(adduser_cmd, logstring=x_adduser_cmd) + except Exception as e: + util.logexc(LOG, "Failed to create user %s due to error.", e) + return False + + # Set password if plain-text password provided + if 'plain_text_passwd' in kwargs and kwargs['plain_text_passwd']: + self.set_passwd(name, kwargs['plain_text_passwd']) + + # Default locking down the account. + if ('lockpasswd' not in kwargs and + ('lockpasswd' in kwargs and kwargs['lockpasswd']) or + 'system' not in kwargs): + try: + util.subp(['passwd', '--lock', name]) + except Exception as e: + util.logexc(LOG, ("Failed to disable password logins for" + "user %s" % name), e) + return False + + # Configure sudo access + if 'sudo' in kwargs: + self.write_sudo_rules(name, kwargs['sudo']) + + # Import SSH keys + if 'sshauthorizedkeys' in kwargs: + keys = set(kwargs['sshauthorizedkeys']) or [] + ssh_util.setup_user_keys(keys, name, None, self._paths) + + return True + + def set_passwd(self, user, passwd, hashed=False): + pass_string = '%s:%s' % (user, passwd) + cmd = ['chpasswd'] + + if hashed: + cmd.append('--encrypted') + + try: + util.subp(cmd, pass_string, logstring="chpasswd for %s" % user) + except Exception as e: + util.logexc(LOG, "Failed to set password for %s" % user) + return False + + return True + + def write_sudo_rules(self, + user, + rules, + sudo_file="/etc/sudoers.d/90-cloud-init-users", + ): + + content_header = "# user rules for %s" % user + content = "%s\n%s %s\n\n" % (content_header, user, rules) + + if isinstance(rules, list): + content = "%s\n" % content_header + for rule in rules: + content += "%s %s\n" % (user, rule) + content += "\n" + + if not os.path.exists(sudo_file): + util.write_file(sudo_file, content, 0644) + + else: + try: + with open(sudo_file, 'a') as f: + f.write(content) + f.close() + except IOError as e: + util.logexc(LOG, "Failed to write %s" % sudo_file, e) + + def isgroup(self, name): + try: + if grp.getgrpnam(name): + return True + except: + return False + + def create_group(self, name, members): + group_add_cmd = ['groupadd', name] + + # Check if group exists, and then add it doesn't + if self.isgroup(name): + LOG.warn("Skipping creation of existing group '%s'" % name) + else: + try: + util.subp(group_add_cmd) + LOG.info("Created new group %s" % name) + except Exception as e: + util.logexc("Failed to create group %s" % name, e) + + # Add members to the group, if so defined + if len(members) > 0: + for member in members: + if not self.isuser(member): + LOG.warn("Unable to add group member '%s' to group '%s'" + "; user does not exist." % (member, name)) + continue + + util.subp(['usermod', '-a', '-G', name, member]) + LOG.info("Added user '%s' to group '%s'" % (member, name)) + def fetch(name): locs = importer.find_module(name, diff --git a/cloudinit/distros/ubuntu.py b/cloudinit/distros/ubuntu.py index fbca5eb5..423fee73 100644 --- a/cloudinit/distros/ubuntu.py +++ b/cloudinit/distros/ubuntu.py @@ -27,7 +27,7 @@ from cloudinit import helpers from cloudinit import log as logging from cloudinit import util from cloudinit.settings import PER_INSTANCE - +import hashlib import pwd LOG = logging.getLogger(__name__) @@ -36,7 +36,7 @@ LOG = logging.getLogger(__name__) class Distro(debian.Distro): distro_name = 'ubuntu' - __default_user_name__ = 'ubuntu-test' + __default_user_name__ = 'ubuntu' def __init__(self, name, cfg, paths): distros.Distro.__init__(self, name, cfg, paths) @@ -45,7 +45,7 @@ class Distro(debian.Distro): # should only happen say once per instance...) self._runner = helpers.Runners(paths) - def get_default_username(self): + def get_default_user(self): return self.__default_user_name__ def add_default_user(self): @@ -53,39 +53,30 @@ class Distro(debian.Distro): # - Password is 'ubuntu', but is locked # - nopasswd sudo access + self.create_user(self.__default_user_name__, + plain_text_passwd=self.__default_user_name__, + home="/home/%s" % self.__default_user_name__, + shell="/bin/bash", + lockpasswd=True, + gecos="Ubuntu", + sudo="ALL=(ALL) NOPASSWD:ALL") - if self.__default_user_name__ in [x[0] for x in pwd.getpwall()]: - LOG.warn("'%s' user already exists, not creating it." % \ - self.__default_user_name__) - return - - try: - util.subp(['adduser', - '--shell', '/bin/bash', - '--home', '/home/%s' % self.__default_user_name__, - '--disabled-password', - '--gecos', 'Ubuntu', - self.__default_user_name__, - ]) + LOG.info("Added default 'ubuntu' user with passwordless sudo") - pass_string = '%(u)s:%(u)s' % {'u': self.__default_user_name__} - x_pass_string = '%(u)s:REDACTED' % {'u': self.__default_user_name__} - util.subp(['chpasswd'], pass_string, logstring=x_pass_string) - util.subp(['passwd', '-l', self.__default_user_name__]) + def create_user(self, name, **kargs): - ubuntu_sudoers=""" -# Added by cloud-init -# %(user)s user is default user in cloud-images. -# It needs passwordless sudo functionality. -%(user)s ALL=(ALL) NOPASSWD:ALL -""" % { 'user': self.__default_user_name__ } + if not super(Distro, self).create_user(name, **kargs): + return False - util.write_file('/etc/sudoers.d/90-cloud-init-ubuntu', - ubuntu_sudoers, - mode=0440) + if 'sshimportid' in kargs: + cmd = ["sudo", "-Hu", name, "ssh-import-id"] + kargs['sshimportid'] + LOG.debug("Importing ssh ids for user %s, post user creation." + % name) - LOG.info("Added default 'ubuntu' user with passwordless sudo") + try: + util.subp(cmd, capture=True) + except util.ProcessExecutionError as e: + util.logexc(LOG, "Failed to import %s ssh ids", name) + raise e - except Exception as e: - util.logexc(LOG, "Failed to create %s user\n%s" % - (self.__default_user_name__, e)) + return True |