diff options
| -rw-r--r-- | ChangeLog | 1 | ||||
| -rw-r--r-- | cloudinit/config/cc_ssh.py | 2 | ||||
| -rw-r--r-- | cloudinit/config/cc_ssh_import_id.py | 71 | ||||
| -rw-r--r-- | cloudinit/config/cc_users_groups.py | 24 | ||||
| -rw-r--r-- | cloudinit/distros/__init__.py | 45 | ||||
| -rw-r--r-- | cloudinit/distros/ubuntu.py | 21 | ||||
| -rw-r--r-- | cloudinit/sources/DataSourceEc2.py | 2 | ||||
| -rw-r--r-- | config/cloud.cfg | 4 | ||||
| -rw-r--r-- | doc/examples/cloud-config-user-groups.txt | 90 | ||||
| -rw-r--r-- | systemd/cloud-config.service | 6 | ||||
| -rw-r--r-- | systemd/cloud-final.service | 6 | ||||
| -rw-r--r-- | systemd/cloud-init-local.service | 6 | ||||
| -rw-r--r-- | systemd/cloud-init.service | 6 |
13 files changed, 218 insertions, 66 deletions
@@ -1,4 +1,5 @@ 0.7.0: + - search only top level dns for 'instance-data' in DataSourceEc2 (LP: #1040200) - add support for config-drive-v2 (LP:#1037567) - support creating users, including the default user. [Ben Howard] (LP: #1028503) diff --git a/cloudinit/config/cc_ssh.py b/cloudinit/config/cc_ssh.py index 439c8eb8..0ded62ba 100644 --- a/cloudinit/config/cc_ssh.py +++ b/cloudinit/config/cc_ssh.py @@ -107,7 +107,7 @@ def handle(_name, cfg, cloud, log, _args): user = cloud.distro.get_default_user() if 'users' in cfg: - user_zero = cfg['users'].keys()[0] + user_zero = cfg['users'][0] if user_zero != "default": user = user_zero diff --git a/cloudinit/config/cc_ssh_import_id.py b/cloudinit/config/cc_ssh_import_id.py index cd97b99b..08fb63c6 100644 --- a/cloudinit/config/cc_ssh_import_id.py +++ b/cloudinit/config/cc_ssh_import_id.py @@ -19,42 +19,83 @@ # along with this program. If not, see <http://www.gnu.org/licenses/>. from cloudinit import util +import pwd # The ssh-import-id only seems to exist on ubuntu (for now) # https://launchpad.net/ssh-import-id distros = ['ubuntu'] -def handle(name, cfg, cloud, log, args): +def handle(_name, cfg, cloud, log, args): + + # import for "user: XXXXX" if len(args) != 0: user = args[0] ids = [] if len(args) > 1: ids = args[1:] - else: - user = cloud.distro.get_default_user() - if 'users' in cfg: - user_zero = cfg['users'].keys()[0] + import_ssh_ids(ids, user, log) + return + + # import for cloudinit created users + elist = [] + for user_cfg in cfg['users']: + user = None + import_ids = [] - if user_zero != "default": - user = user_zero + if isinstance(user_cfg, str) and user_cfg == "default": + user = cloud.distro.get_default_user() + if not user: + continue - ids = util.get_cfg_option_list(cfg, "ssh_import_id", []) + import_ids = util.get_cfg_option_list(cfg, "ssh_import_id", []) - if len(ids) == 0: - log.debug("Skipping module named %s, no ids found to import", name) - return + elif isinstance(user_cfg, dict): + user = None + import_ids = [] + + try: + user = user_cfg['name'] + import_ids = user_cfg['ssh_import_id'] + + if import_ids and isinstance(import_ids, str): + import_ids = str(import_ids).split(',') + + except: + log.debug("user %s is not configured for ssh_import" % user) + continue - if not user: - log.debug("Skipping module named %s, no user found to import", name) + if not len(import_ids): + continue + + try: + import_ssh_ids(import_ids, user, log) + except Exception as exc: + util.logexc(log, "ssh-import-id failed for: %s %s" % + (user, import_ids), exc) + elist.append(exc) + + if len(elist): + raise elist[0] + + +def import_ssh_ids(ids, user, log): + + if not (user and ids): + log.debug("empty user(%s) or ids(%s). not importing", user, ids) return + try: + _check = pwd.getpwnam(user) + except KeyError as exc: + raise exc + cmd = ["sudo", "-Hu", user, "ssh-import-id"] + ids log.debug("Importing ssh ids for user %s.", user) try: util.subp(cmd, capture=False) - except util.ProcessExecutionError as e: + except util.ProcessExecutionError as exc: util.logexc(log, "Failed to run command to import %s ssh ids", user) - raise e + raise exc diff --git a/cloudinit/config/cc_users_groups.py b/cloudinit/config/cc_users_groups.py index 1e241623..418f3330 100644 --- a/cloudinit/config/cc_users_groups.py +++ b/cloudinit/config/cc_users_groups.py @@ -38,19 +38,17 @@ def handle(name, cfg, cloud, log, _args): if 'users' in cfg: user_zero = None - for name, user_config in cfg['users'].iteritems(): - if not user_zero: - user_zero = name + for user_config in cfg['users']: # Handle the default user creation - if name == "default" and user_config: + if 'default' in user_config: log.info("Creating default user") # Create the default user if so defined try: cloud.distro.add_default_user() - if user_zero == name: + if not user_zero: user_zero = cloud.distro.get_default_user() except NotImplementedError: @@ -60,11 +58,21 @@ def handle(name, cfg, cloud, log, _args): log.warn("Distro has not implemented default user " "creation. No default user will be created") - else: + + elif isinstance(user_config, dict) and 'name' in user_config: + + name = user_config['name'] + if not user_zero: + user_zero = name + # Make options friendly for distro.create_user new_opts = {} if isinstance(user_config, dict): for opt in user_config: - new_opts[opt.replace('-', '')] = user_config[opt] + new_opts[opt.replace('-', '_')] = user_config[opt] + + cloud.distro.create_user(**new_opts) - cloud.distro.create_user(name, **new_opts) + else: + # create user with no configuration + cloud.distro.create_user(user_config) diff --git a/cloudinit/distros/__init__.py b/cloudinit/distros/__init__.py index 686c6a9b..40c6aa4f 100644 --- a/cloudinit/distros/__init__.py +++ b/cloudinit/distros/__init__.py @@ -47,6 +47,7 @@ class Distro(object): __metaclass__ = abc.ABCMeta default_user = None + default_user_groups = None def __init__(self, name, cfg, paths): self._paths = paths @@ -59,16 +60,25 @@ class Distro(object): # - nopasswd sudo access user = self.get_default_user() + groups = self.get_default_user_groups() + if not user: raise NotImplementedError("No Default user") - self.create_user(user, - plain_text_passwd=user, - home="/home/%s" % user, - shell="/bin/bash", - lockpasswd=True, - gecos="%s%s" % (user[0:1].upper(), user[1:]), - sudo="ALL=(ALL) NOPASSWD:ALL") + user_dict = { + 'name': user, + 'plain_text_passwd': user, + 'home': "/home/%s" % user, + 'shell': "/bin/bash", + 'lock_passwd': True, + 'gecos': "%s%s" % (user[0:1].upper(), user[1:]), + 'sudo': "ALL=(ALL) NOPASSWD:ALL", + } + + if groups: + user_dict['groups'] = groups + + self.create_user(**user_dict) LOG.info("Added default '%s' user with passwordless sudo", user) @@ -204,6 +214,9 @@ class Distro(object): def get_default_user(self): return self.default_user + def get_default_user_groups(self): + return self.default_user_groups + def create_user(self, name, **kwargs): """ Creates users for the system using the GNU passwd tools. This @@ -220,7 +233,7 @@ class Distro(object): adduser_opts = { "gecos": '--comment', "homedir": '--home', - "primarygroup": '--gid', + "primary_group": '--gid', "groups": '--groups', "passwd": '--password', "shell": '--shell', @@ -229,10 +242,10 @@ class Distro(object): } adduser_opts_flags = { - "nousergroup": '--no-user-group', + "no_user_group": '--no-user-group', "system": '--system', - "nologinit": '--no-log-init', - "nocreatehome": "-M", + "no_log_init": '--no-log-init', + "no_create_home": "-M", } # Now check the value and create the command @@ -254,7 +267,7 @@ class Distro(object): # Default to creating home directory unless otherwise directed # Also, we do not create home directories for system users. - if "nocreatehome" not in kwargs and "system" not in kwargs: + if "no_create_home" not in kwargs and "system" not in kwargs: adduser_cmd.append('-m') # Create the user @@ -273,8 +286,8 @@ class Distro(object): self.set_passwd(name, kwargs['plain_text_passwd']) # Default locking down the account. - if ('lockpasswd' not in kwargs and - ('lockpasswd' in kwargs and kwargs['lockpasswd']) or + if ('lock_passwd' not in kwargs and + ('lock_passwd' in kwargs and kwargs['lock_passwd']) or 'system' not in kwargs): try: util.subp(['passwd', '--lock', name]) @@ -288,8 +301,8 @@ class Distro(object): self.write_sudo_rules(name, kwargs['sudo']) # Import SSH keys - if 'sshauthorizedkeys' in kwargs: - keys = set(kwargs['sshauthorizedkeys']) or [] + if 'ssh_authorized_keys' in kwargs: + keys = set(kwargs['ssh_authorized_keys']) or [] ssh_util.setup_user_keys(keys, name, None, self._paths) return True diff --git a/cloudinit/distros/ubuntu.py b/cloudinit/distros/ubuntu.py index 4b3f8572..5444cbc0 100644 --- a/cloudinit/distros/ubuntu.py +++ b/cloudinit/distros/ubuntu.py @@ -23,7 +23,6 @@ from cloudinit.distros import debian from cloudinit import log as logging -from cloudinit import util LOG = logging.getLogger(__name__) @@ -32,21 +31,5 @@ class Distro(debian.Distro): distro_name = 'ubuntu' default_user = 'ubuntu' - - def create_user(self, name, **kargs): - - if not super(Distro, self).create_user(name, **kargs): - return False - - if 'sshimportid' in kargs: - cmd = ["sudo", "-Hu", name, "ssh-import-id"] + kargs['sshimportid'] - LOG.debug("Importing ssh ids for user %s, post user creation." - % name) - - try: - util.subp(cmd, capture=True) - except util.ProcessExecutionError as e: - util.logexc(LOG, "Failed to import %s ssh ids", name) - raise e - - return True + default_user_groups = ("adm,admin,audio,cdrom,dialout,floppy,video," + "plugdev,dip,netdev,sudo") diff --git a/cloudinit/sources/DataSourceEc2.py b/cloudinit/sources/DataSourceEc2.py index 2a9a70f7..c7ad6d54 100644 --- a/cloudinit/sources/DataSourceEc2.py +++ b/cloudinit/sources/DataSourceEc2.py @@ -40,7 +40,7 @@ DEF_MD_VERSION = '2009-04-04' # Default metadata urls that will be used if none are provided # They will be checked for 'resolveability' and some of the # following may be discarded if they do not resolve -DEF_MD_URLS = [DEF_MD_URL, "http://instance-data:8773"] +DEF_MD_URLS = [DEF_MD_URL, "http://instance-data.:8773"] class DataSourceEc2(sources.DataSource): diff --git a/config/cloud.cfg b/config/cloud.cfg index 2744c940..d5079721 100644 --- a/config/cloud.cfg +++ b/config/cloud.cfg @@ -3,7 +3,7 @@ # Implement for Ubuntu only: create the default 'ubuntu' user users: - default: true + - default # If this is set, 'root' will not be able to ssh in and they # will get a message to login instead as the above $user (ubuntu) @@ -29,6 +29,7 @@ cloud_init_modules: - update_etc_hosts - ca-certs - rsyslog + - users-groups - ssh # The modules that run in the 'config' stage @@ -37,7 +38,6 @@ cloud_config_modules: # this can be used by upstart jobs for 'start on cloud-config'. - emit_upstart - mounts - - users-groups - ssh-import-id - locale - set-passwords diff --git a/doc/examples/cloud-config-user-groups.txt b/doc/examples/cloud-config-user-groups.txt new file mode 100644 index 00000000..d0b3e2ff --- /dev/null +++ b/doc/examples/cloud-config-user-groups.txt @@ -0,0 +1,90 @@ +# add groups to the system +# The following example adds the ubuntu group with members foo and bar and +# the group cloud-users. +groups: + - ubuntu: [foo,bar] + - cloud-users + +# add users to the system. Users are added after groups are added. +users: + - default + - name: foobar + gecos: Foo B. Bar + primary-group: foobar + groups: users + expiredate: 2012-09-01 + ssh-import-id: foobar + lock-passwd: false + passwd: $6$j212wezy$7H/1LT4f9/N3wpgNunhsIqtMj62OKiS3nyNwuizouQc3u7MbYCarYeAHWYPYb2FT.lbioDm2RrkJPb9BZMN1O/ + - name: barfoo + gecos: Bar B. Foo + sudo: ALL=(ALL) NOPASSWD:ALL + groups: users, admin + ssh-import-id: None + lock-passwd: true + ssh-authorized-keys: + - <ssh pub key 1> + - <ssh pub key 2> + - name: cloudy + gecos: Magic Cloud App Daemon User + inactive: true + system: true + +# Valid Values: +# name: The user's login name +# gecos: The user name's real name, i.e. "Bob B. Smith" +# homedir: Optional. Set to the local path you want to use. Defaults to +# /home/<username> +# primary-group: define the primary group. Defaults to a new group created +# named after the user. +# groups: Optional. Additional groups to add the user to. Defaults to none +# lock-passwd: Defaults to true. Lock the password to disable password login +# inactive: Create the user as inactive +# passwd: The hash -- not the password itself -- of the password you want +# to use for this user. You can generate a safe hash via: +# mkpasswd -m SHA-512 -s 4096 +# (the above command would create a password SHA512 password hash +# with 4096 salt rounds) +# +# Please note: while the use of a hashed password is better than +# plain text, the use of this feature is not ideal. Also, +# using a high number of salting rounds will help, but it should +# not be relied upon. +# +# To highlight this risk, running John the Ripper against the +# example hash above, with a readily available wordlist, revealed +# the true password in 12 seconds on a i7-2620QM. +# +# In other words, this feature is a potential security risk and is +# provided for your convenience only. If you do not fully trust the +# medium over which your cloud-config will be transmitted, then you +# should use SSH authentication only. +# +# You have thus been warned. +# no-create-home: When set to true, do not create home directory. +# no-user-group: When set to true, do not create a group named after the user. +# no-log-init: When set to true, do not initialize lastlog and faillog database. +# ssh-import-id: Optional. Import SSH ids +# ssh-authorized-key: Optional. Add key to user's ssh authorized keys file +# sudo: Defaults to none. Set to the sudo string you want to use, i.e. +# ALL=(ALL) NOPASSWD:ALL. To add multiple rules, use the following +# format. +# sudo: +# - ALL=(ALL) NOPASSWD:/bin/mysql +# - ALL=(ALL) ALL +# Note: Please double check your syntax and make sure it is valid. +# cloud-init does not parse/check the syntax of the sudo +# directive. +# system: Create the user as a system user. This means no home directory. +# +# Default user creation: Ubuntu Only +# Unless you define users, you will get a Ubuntu user on Ubuntu systems with the +# legacy permission (no password sudo, locked user, etc). If however, you want +# to have the ubuntu user in addition to other users, you need to instruct +# cloud-init that you also want the default user. To do this use the following +# syntax: +# users: +# default: True +# foobar: ... +# +# users[0] (the first user in users) overrides the user directive. diff --git a/systemd/cloud-config.service b/systemd/cloud-config.service index 696230f6..fc72fc48 100644 --- a/systemd/cloud-config.service +++ b/systemd/cloud-config.service @@ -6,8 +6,12 @@ Wants=network.target [Service] Type=oneshot -ExecStart=/usr/bin/cloud-init-cfg all config +ExecStart=/usr/bin/cloud-init modules --mode=config RemainAfterExit=yes +TimeoutSec=0 + +# Output needs to appear in instance console output +StandardOutput=tty [Install] WantedBy=multi-user.target diff --git a/systemd/cloud-final.service b/systemd/cloud-final.service index 23275ee5..f836eab6 100644 --- a/systemd/cloud-final.service +++ b/systemd/cloud-final.service @@ -6,8 +6,12 @@ Wants=network.target [Service] Type=oneshot -ExecStart=/usr/bin/cloud-init-cfg all final +ExecStart=/usr/bin/cloud-init modules --mode=final RemainAfterExit=yes +TimeoutSec=0 + +# Output needs to appear in instance console output +StandardOutput=tty [Install] WantedBy=multi-user.target diff --git a/systemd/cloud-init-local.service b/systemd/cloud-init-local.service index 2d57567f..6a551710 100644 --- a/systemd/cloud-init-local.service +++ b/systemd/cloud-init-local.service @@ -5,8 +5,12 @@ After=local-fs.target [Service] Type=oneshot -ExecStart=/usr/bin/cloud-init start-local +ExecStart=/usr/bin/cloud-init init --local RemainAfterExit=yes +TimeoutSec=0 + +# Output needs to appear in instance console output +StandardOutput=tty [Install] WantedBy=multi-user.target diff --git a/systemd/cloud-init.service b/systemd/cloud-init.service index b8f6f49d..d4eb9fa5 100644 --- a/systemd/cloud-init.service +++ b/systemd/cloud-init.service @@ -6,8 +6,12 @@ Wants=local-fs.target cloud-init-local.service [Service] Type=oneshot -ExecStart=/usr/bin/cloud-init start +ExecStart=/usr/bin/cloud-init init RemainAfterExit=yes +TimeoutSec=0 + +# Output needs to appear in instance console output +StandardOutput=tty [Install] WantedBy=multi-user.target |