From 57ea45b2bc86895582de65928c555e6f0430b287 Mon Sep 17 00:00:00 2001
From: Marc Cluet
Date: Mon, 25 Jul 2011 13:27:27 +0100
Subject: Added new feature include-once
---
 doc/examples/include-once.txt | 7 +++++++
 doc/userdata.txt | 8 ++++++++
 2 files changed, 15 insertions(+)
 create mode 100644 doc/examples/include-once.txt
(limited to 'doc')
diff --git a/doc/examples/include-once.txt b/doc/examples/include-once.txt
new file mode 100644
index 00000000..0cf74e5e
--- /dev/null
+++ b/doc/examples/include-once.txt
@@ -0,0 +1,7 @@
+#include-once
+# entries are one url per line. comment lines beginning with '#' are allowed
+# urls are passed to urllib.urlopen, so the format must be supported there
+# This entries will just be processed ONE TIME by cloud-init, any further
+# iterations won't process this file
+http://www.ubuntu.com/robots.txt
+http://www.w3schools.com/html/lastpage.htm
diff --git a/doc/userdata.txt b/doc/userdata.txt
index 00c16b25..3af1e632 100644
--- a/doc/userdata.txt
+++ b/doc/userdata.txt
@@ -36,6 +36,14 @@ finds. However, certain types of user-data are handled specially.
 will be passed through this same set of rules. Ie, the content
 read from the URL can be gzipped, mime-multi-part, or plain text
 
+* Include File Once
+ begins with #include-once or Content-Type: text/x-include-once-url
+ This content is a "include" file. The file contains a list of
+ urls, one per line. Each of the URLs will be read, and their content
+ will be passed through this same set of rules. Ie, the content
+ read from the URL can be gzipped, mime-multi-part, or plain text
+ This file will just be processed once by cloud-init
+
 * Cloud Config Data
 begins with #cloud-config or Content-Type: text/cloud-config
 
-- cgit v1.2.3
From f70bc5ddf301517863b48943cd3d8d6df5548c68 Mon Sep 17 00:00:00 2001
From: Marc Cluet
Date: Mon, 25 Jul 2011 13:27:48 +0100
Subject: Added ssl cert support to mcollective
---
 cloudinit/CloudConfig/cc_mcollective.py | 21 ++++++++++++++++----
 doc/examples/cloud-config-mcollective.txt | 33 +++++++++++++++++++++++++++++++
 2 files changed, 50 insertions(+), 4 deletions(-)
(limited to 'doc')
diff --git a/cloudinit/CloudConfig/cc_mcollective.py b/cloudinit/CloudConfig/cc_mcollective.py
index 9aae2d64..3b358302 100644
--- a/cloudinit/CloudConfig/cc_mcollective.py
+++ b/cloudinit/CloudConfig/cc_mcollective.py
@@ -50,10 +50,23 @@ def handle(name,cfg,cloud,log,args):
 # Read server.cfg values from original file in order to be able to mix the rest up
 mcollective_config.readfp(FakeSecHead(open('/etc/mcollective/server.cfg')))
 for cfg_name, cfg in mcollective_cfg['conf'].iteritems():
- # Iterate throug the config items, we'll use ConfigParser.set
- # to overwrite or create new items as needed
- for o, v in cfg.iteritems():
- mcollective_config.set(cfg_name,o,v)
+ if cfg_name == 'public-cert':
+ publicrt_fh = open('/etc/mcollective/ssl/server-public.pem', 'w')
+ publicrt_fh.write(cfg)
+ publicrt_fh.close()
+ mcollective_config.set(cfg_name,'plugin.ssl_server_public','/etc/mcollective/ssl/server-public.pem')
+ mcollective_config.set(cfg_name,'securityprovider','ssl')
+ elif cfg_name == 'private-cert':
+ privcrt_fh = open('/etc/mcollective/ssl/server-private.pem', 'w')
+ privcrt_fh.write(cfg)
+ privcrt_fh.close()
+ mcollective_config.set(cfg_name,'plugin.ssl_server_private','/etc/mcollective/ssl/server-private.pem')
+ mcollective_config.set(cfg_name,'securityprovider','ssl')
+ else:
+ # Iterate throug the config items, we'll use ConfigParser.set
+ # to overwrite or create new items as needed
+ for o, v in cfg.iteritems():
+ mcollective_config.set(cfg_name,o,v)
 # We got all our config as wanted we'll rename
 # the previous server.cfg and create our new one
 os.rename('/etc/mcollective/server.cfg','/etc/mcollective/server.cfg.old')
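Review bot: The key material from `private-cert` is written through a plain `open('/etc/mcollective/ssl/server-private.pem', 'w')`, so the file is created with whatever the process umask allows (commonly world-readable) instead of being restricted to root; create it with an explicit mode, e.g. `util.write_file('/etc/mcollective/ssl/server-private.pem', cfg, mode=0600)` (the helper the later UserDataHandler.py commit uses, if `cloudinit.util` is imported here) or an `os.chmod` to 0600 before the content is written. Both `open` calls also assume `/etc/mcollective/ssl/` already exists and leave the handle open if `write` raises; a `with open(...) as fh:` block, or the same helper, covers that. Separately, `mcollective_config.set(cfg_name, 'plugin.ssl_server_public', ...)` passes the YAML key `'public-cert'` as the ConfigParser section name, which the `server.cfg` loaded through `FakeSecHead` presumably does not contain, so `ConfigParser.set` would raise `NoSectionError` — the section `FakeSecHead` fabricates is not visible in this hunk, so please verify which section these options should land in. `handle` begins and ends outside this hunk.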
diff --git a/doc/examples/cloud-config-mcollective.txt b/doc/examples/cloud-config-mcollective.txt
index ca7ba03e..ddeaf0c6 100644
--- a/doc/examples/cloud-config-mcollective.txt
+++ b/doc/examples/cloud-config-mcollective.txt
@@ -13,3 +13,36 @@ mcollective:
 # plugin.stomp.host: dbhost
 conf:
 plugin.stomp.host: dbhost
+ # This will add ssl certs to mcollective
+ # WARNING WARNING WARNING
+ # Please remember cloud-init data is transmitted without encryption
+ # If you want security for this, please use include-once + SSL urls
+ public-cert: |
+ -----BEGIN CERTIFICATE-----
+ MIICCTCCAXKgAwIBAgIBATANBgkqhkiG9w0BAQUFADANMQswCQYDVQQDDAJjYTAe
+ Fw0xMDAyMTUxNzI5MjFaFw0xNTAyMTQxNzI5MjFaMA0xCzAJBgNVBAMMAmNhMIGf
+ MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCu7Q40sm47/E1Pf+r8AYb/V/FWGPgc
+ b014OmNoX7dgCxTDvps/h8Vw555PdAFsW5+QhsGr31IJNI3kSYprFQcYf7A8tNWu
+ 1MASW2CfaEiOEi9F1R3R4Qlz4ix+iNoHiUDTjazw/tZwEdxaQXQVLwgTGRwVa+aA
+ qbutJKi93MILLwIDAQABo3kwdzA4BglghkgBhvhCAQ0EKxYpUHVwcGV0IFJ1Ynkv
+ T3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwDwYDVR0TAQH/BAUwAwEB/zAd
+ BgNVHQ4EFgQUu4+jHB+GYE5Vxo+ol1OAhevspjAwCwYDVR0PBAQDAgEGMA0GCSqG
+ SIb3DQEBBQUAA4GBAH/rxlUIjwNb3n7TXJcDJ6MMHUlwjr03BDJXKb34Ulndkpaf
+ +GAlzPXWa7bO908M9I8RnPfvtKnteLbvgTK+h+zX1XCty+S2EQWk29i2AdoqOTxb
+ hppiGMp0tT5Havu4aceCXiy2crVcudj3NFciy8X66SoECemW9UYDCb9T5D0d
+ -----END CERTIFICATE-----
+ private-cert: |
+ -----BEGIN CERTIFICATE-----
+ MIICCTCCAXKgAwIBAgIBATANBgkqhkiG9w0BAQUFADANMQswCQYDVQQDDAJjYTAe
+ Fw0xMDAyMTUxNzI5MjFaFw0xNTAyMTQxNzI5MjFaMA0xCzAJBgNVBAMMAmNhMIGf
+ MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCu7Q40sm47/E1Pf+r8AYb/V/FWGPgc
+ b014OmNoX7dgCxTDvps/h8Vw555PdAFsW5+QhsGr31IJNI3kSYprFQcYf7A8tNWu
+ 1MASW2CfaEiOEi9F1R3R4Qlz4ix+iNoHiUDTjazw/tZwEdxaQXQVLwgTGRwVa+aA
+ qbutJKi93MILLwIDAQABo3kwdzA4BglghkgBhvhCAQ0EKxYpUHVwcGV0IFJ1Ynkv
+ T3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwDwYDVR0TAQH/BAUwAwEB/zAd
+ BgNVHQ4EFgQUu4+jHB+GYE5Vxo+ol1OAhevspjAwCwYDVR0PBAQDAgEGMA0GCSqG
+ SIb3DQEBBQUAA4GBAH/rxlUIjwNb3n7TXJcDJ6MMHUlwjr03BDJXKb34Ulndkpaf
+ +GAlzPXWa7bO908M9I8RnPfvtKnteLbvgTK+h+zX1XCty+S2EQWk29i2AdoqOTxb
+ hppiGMp0tT5Havu4aceCXiy2crVcudj3NFciy8X66SoECemW9UYDCb9T5D0d
+ -----END CERTIFICATE-----
+
-- cgit v1.2.3
From 149bfa0e4a2705bbe980a2335c5e7951e9b70925 Mon Sep 17 00:00:00 2001
From: Scott Moser
Date: Tue, 26 Jul 2011 09:40:19 -0400
Subject: clarify warning text in mcollective config example
---
 doc/examples/cloud-config-mcollective.txt | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
(limited to 'doc')
diff --git a/doc/examples/cloud-config-mcollective.txt b/doc/examples/cloud-config-mcollective.txt
index ddeaf0c6..67735682 100644
--- a/doc/examples/cloud-config-mcollective.txt
+++ b/doc/examples/cloud-config-mcollective.txt
@@ -15,7 +15,8 @@ mcollective:
 plugin.stomp.host: dbhost
 # This will add ssl certs to mcollective
 # WARNING WARNING WARNING
- # Please remember cloud-init data is transmitted without encryption
+ # The ec2 metadata service is a network service, and thus is readable
+ # by non-root users on the system (ie: 'ec2metadata --user-data')
 # If you want security for this, please use include-once + SSL urls
 public-cert: |
 -----BEGIN CERTIFICATE-----
-- cgit v1.2.3
From a6dce5ac548de073918d679503f447d265847066 Mon Sep 17 00:00:00 2001
From: Scott Moser
Date: Tue, 26 Jul 2011 10:22:23 -0400
Subject: make 'include-once' really "download source once per-instance"
Marc's implementation would only ever process the include-once urls a single time. This changes that to process them every time, with the second time coming from a file on disk rather than the url. You can then do expiring or one time use URLs in the include-once and have all function of if the content was there every time. The cached file is readable by root-only.
---
 cloudinit/UserDataHandler.py | 20 +++++++++++++-------
 doc/userdata.txt | 4 +++-
 2 files changed, 16 insertions(+), 8 deletions(-)
(limited to 'doc')
diff --git a/cloudinit/UserDataHandler.py b/cloudinit/UserDataHandler.py
index 4fd6ef28..4ac0e2cd 100644
--- a/cloudinit/UserDataHandler.py
+++ b/cloudinit/UserDataHandler.py
@@ -22,6 +22,7 @@ from email.mime.text import MIMEText
 from email.mime.base import MIMEBase
 from email import encoders
 import yaml
+from cloudinit import util, get_ipath_cur
 
 starts_with_mappings={
 '#include' : 'text/x-include-url',
@@ -61,16 +62,21 @@ def do_include(str,parts):
 elif line.startswith("#include"):
 line = line[len("#include"):].lstrip()
 if line.startswith("#"): continue
- if includeonce == True:
- uniquestring = base64.encodestring(line).strip('\n')
- includeonce_filename = "/var/lib/cloud/instance/.includeonce.%s" % uniquestring
- if os.path.isfile(includeonce_filename): continue
- includeonce_file = open(includeonce_filename,'w')
- includeonce_file.close()
+
+ # urls cannot not have leading or trailing white space
+ uniquestring = base64.encodestring(line).strip()
+ includeonce_filename = "%/urlcache/%s" % (get_ipath_cur("data"), uniquestring)
 try:
- content = urllib.urlopen(line).read()
+ if includeonce and os.path.isfile(includeonce_filename):
+ with open(includeonce_filename, "r") as fp:
+ content = fp.read()
+ else:
+ content = urllib.urlopen(line).read()
+ if includeonce:
+ util.write_file(includeonce_filename, content, mode=0600)
 except Exception as e:
 log.debug(traceback.format_exc(e))
+
 process_includes(email.message_from_string(decomp_str(content)),parts)
 
 
diff --git a/doc/userdata.txt b/doc/userdata.txt
index 3af1e632..cc691ae6 100644
--- a/doc/userdata.txt
+++ b/doc/userdata.txt
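Review bot: The cache path in the `do_include` hunk is built with `"%/urlcache/%s" % (get_ipath_cur("data"), uniquestring)`, whose first conversion is `%/` instead of `%s`; Python rejects that format on every `#include` line with `ValueError: unsupported format character '/'`, so the line should read `includeonce_filename = "%s/urlcache/%s" % (get_ipath_cur("data"), uniquestring)`. The cache key is also fragile: `base64.encodestring` uses the standard alphabet, so `uniquestring` can contain `/` (turning the cache file into a nested path under `urlcache/`) and gets a newline inserted every 76 characters, which the trailing `.strip()` only removes at the ends; a hex digest such as `hashlib.sha256(line).hexdigest()` or `base64.urlsafe_b64encode(line)` gives a flat, single-token filename. When the download fails, the `except` branch only logs and `process_includes(...)` still runs with `content` either unbound or holding the previous URL's data, so a `continue` after the `log.debug` would keep a failed fetch from being processed as stale content. `do_include` begins before this hunk.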
@@ -42,7 +42,9 @@ finds. However, certain types of user-data are handled specially.
 urls, one per line. Each of the URLs will be read, and their content
 will be passed through this same set of rules. Ie, the content
 read from the URL can be gzipped, mime-multi-part, or plain text
- This file will just be processed once by cloud-init
+ This file will just be downloaded only once per instance, and its
+ contents cached for subsequent boots. This allows you to pass in
+ one-time-use or expiring URLs.
 
 * Cloud Config Data
 begins with #cloud-config or Content-Type: text/cloud-config
-- cgit v1.2.3