From 262479dfe04e8342843df8851eaef61caaa95f5a Mon Sep 17 00:00:00 2001 From: Scott Moser Date: Tue, 26 Jan 2010 13:19:49 -0500 Subject: add cloud config support for apt_sources This includes support for - signing key import via 'keyid' and 'keyserver' or 'key' - ppa:* support (provided by 'add-apt-repository') now there is a dependency on python-software-properties --- ec2init/CloudConfig.py | 78 +++++++++++++++++++++++++++++++++----------------- ec2init/util.py | 27 +++++++++++++++++ 2 files changed, 79 insertions(+), 26 deletions(-) (limited to 'ec2init') diff --git a/ec2init/CloudConfig.py b/ec2init/CloudConfig.py index bb19aa72..84b00fd8 100644 --- a/ec2init/CloudConfig.py +++ b/ec2init/CloudConfig.py @@ -85,30 +85,6 @@ class CloudConfig(): else: return ec2Key - def add_ppa(self): - #value = self.cfg['apt_sources'] - for ent in self.cfg['apt_sources']: - ppa = ent['source'] - where = ppa.find('ppa:') - if where != -1: - return ppa - - def add_custom_repo(self): - sources = [] - value = self.cfg['apt_sources'] - for ent in self.cfg['apt_sources']: - if ent.has_key('keyserver'): - keyserver = ent['keyserver'] - if ent.has_key('keyid'): - keyid = ent['keyid'] - if ent.has_key('filename'): - filename = ent['filename'] - source = ent['source'] - if source.startswith("deb"): - sources.append(source) - - return (keyserver,sources,keyid,filename) - def handle(self, name, args): handler = None freq = None @@ -123,12 +99,19 @@ class CloudConfig(): update = util.get_cfg_option_bool(self.cfg, 'apt_update', False) upgrade = util.get_cfg_option_bool(self.cfg, 'apt_upgrade', False) + + # process 'apt_sources' + if self.cfg.has_key('apt_sources'): + errors = add_sources(self.cfg['apt_sources']) + for e in errors: + warn("Source Error: %s\n" % ':'.join(e)) + pkglist = [] if 'packages' in self.cfg: if isinstance(self.cfg['packages'],list): pkglist = self.cfg['packages'] else: pkglist.append(self.cfg['packages']) - + if update or upgrade or pkglist: #retcode = subprocess.call(list) subprocess.Popen(['apt-get', 'update']).communicate() @@ -148,7 +131,6 @@ class CloudConfig(): def h_disable_ec2_metadata(self,name,args): if util.get_cfg_option_bool(self.cfg, "disable_ec2_metadata", False): - #fwall="iptables -A OUTPUT -p tcp --dport 80 --destination 169.254.169.254 -j REJECT" fwall="route add -host 169.254.169.254 reject" subprocess.call(fwall.split(' ')) @@ -245,3 +227,47 @@ def send_ssh_keys_to_console(): def warn(str): sys.stderr.write("Warning:%s\n" % str) +# srclist is a list of dictionaries, +# each entry must have: 'source' +# may have: key, ( keyid and keyserver) +def add_sources(srclist): + elst = [] + + for ent in srclist: + if not ent.has_key('source'): + elst.append([ "", "missing source" ]) + continue + + source=ent['source'] + if source.startswith("ppa:"): + try: util.subp(["add-apt-repository",source]) + except: + elst.append([source, "add-apt-repository failed"]) + continue + + if not ent.has_key('filename'): + ent['filename']='cloud_config_sources.list' + + if not ent['filename'].startswith("/"): + ent['filename'] = "%s/%s" % \ + ("/etc/apt/sources.list.d/", ent['filename']) + + if ( ent.has_key('keyid') and not ent.has_key('key') ): + ks = "keyserver.ubuntu.com" + if ent.has_key('keyserver'): ks = ent['keyserver'] + try: + ent['key'] = util.getkeybyid(ent['keyid'], ks) + except: + elst.append([source,"failed to get key from %s" % ks]) + continue + + if ent.has_key('key'): + try: util.subp(('apt-key', 'add', '-'), ent['key']) + except: + elst.append([source, "failed add key"]) + + try: util.write_file(ent['filename'], source + "\n") + except: + elst.append([source, "failed write to file %s" % ent['filename']]) + + return(elst) diff --git a/ec2init/util.py b/ec2init/util.py index 0737f117..ece5755a 100644 --- a/ec2init/util.py +++ b/ec2init/util.py @@ -1,6 +1,7 @@ import yaml import os import errno +import subprocess def read_conf(fname): stream = file(fname) @@ -42,3 +43,29 @@ def write_file(file,content,mode=0644): f.close() os.chmod(file,mode) +# get keyid from keyserver +def getkeybyid(keyid,keyserver): + shcmd=""" + k=${1} ks=${2}; + exec 2>/dev/null + [ -n "$k" ] || exit 1; + armour=$(gpg --list-keys --armour "${k}") + if [ -z "${armour}" ]; then + gpg --keyserver ${ks} --recv $k >/dev/null && + armour=$(gpg --export --armour "${k}") && + gpg --batch --yes --delete-keys "${k}" + fi + [ -n "${armour}" ] && echo "${armour}" + """ + args=['sh', '-c', shcmd, "export-gpg-keyid", keyid, keyserver] + return(subp(args)[0]) + +def subp(args, input=None): + s_in = None + if input is not None: + s_in = subprocess.PIPE + sp = subprocess.Popen(args, stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=s_in) + out,err = sp.communicate(input) + if sp.returncode is not 0: + raise subprocess.CalledProcessError(sp.returncode,args) + return(out,err) -- cgit v1.2.3