1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
|
# vi: ts=4 expandtab
#
# Copyright (C) 2012 Canonical Ltd.
# Copyright (C) 2012 Hewlett-Packard Development Company, L.P.
# Copyright (C) 2012 Yahoo! Inc.
#
# Author: Scott Moser <scott.moser@canonical.com>
# Author: Juerg Haefliger <juerg.haefliger@hp.com>
# Author: Joshua Harlow <harlowja@yahoo-inc.com>
# Author: Ben Howard <ben.howard@canonical.com>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 3, as
# published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
from StringIO import StringIO
import abc
import grp
import os
import pwd
import re
from cloudinit import importer
from cloudinit import log as logging
from cloudinit import ssh_util
from cloudinit import util
# TODO(harlowja): Make this via config??
IFACE_ACTIONS = {
'up': ['ifup', '--all'],
'down': ['ifdown', '--all'],
}
LOG = logging.getLogger(__name__)
class Distro(object):
__metaclass__ = abc.ABCMeta
default_user = None
default_user_groups = None
def __init__(self, name, cfg, paths):
self._paths = paths
self._cfg = cfg
self.name = name
def add_default_user(self):
# Adds the distro user using the rules:
# - Password is same as username but is locked
# - nopasswd sudo access
user = self.get_default_user()
groups = self.get_default_user_groups()
if not user:
raise NotImplementedError("No Default user")
user_dict = {
'name': user,
'plain_text_passwd': user,
'home': "/home/%s" % user,
'shell': "/bin/bash",
'lock_passwd': True,
'gecos': "%s%s" % (user[0:1].upper(), user[1:]),
'sudo': "ALL=(ALL) NOPASSWD:ALL",
}
if groups:
user_dict['groups'] = groups
self.create_user(**user_dict)
LOG.info("Added default '%s' user with passwordless sudo", user)
@abc.abstractmethod
def install_packages(self, pkglist):
raise NotImplementedError()
@abc.abstractmethod
def _write_network(self, settings):
# In the future use the http://fedorahosted.org/netcf/
# to write this blob out in a distro format
raise NotImplementedError()
def get_option(self, opt_name, default=None):
return self._cfg.get(opt_name, default)
@abc.abstractmethod
def set_hostname(self, hostname):
raise NotImplementedError()
@abc.abstractmethod
def update_hostname(self, hostname, prev_hostname_fn):
raise NotImplementedError()
@abc.abstractmethod
def package_command(self, cmd, args=None):
raise NotImplementedError()
@abc.abstractmethod
def update_package_sources(self):
raise NotImplementedError()
def get_primary_arch(self):
arch = os.uname[4]
if arch in ("i386", "i486", "i586", "i686"):
return "i386"
return arch
def _get_arch_package_mirror_info(self, arch=None):
mirror_info = self.get_option("package_mirrors", None)
if arch == None:
arch = self.get_primary_arch()
return _get_arch_package_mirror_info(mirror_info, arch)
def get_package_mirror_info(self, arch=None,
availability_zone=None):
# this resolves the package_mirrors config option
# down to a single dict of {mirror_name: mirror_url}
arch_info = self._get_arch_package_mirror_info(arch)
return _get_package_mirror_info(availability_zone=availability_zone,
mirror_info=arch_info)
def apply_network(self, settings, bring_up=True):
# Write it out
self._write_network(settings)
# Now try to bring them up
if bring_up:
return self._interface_action('up')
return False
@abc.abstractmethod
def apply_locale(self, locale, out_fn=None):
raise NotImplementedError()
@abc.abstractmethod
def set_timezone(self, tz):
raise NotImplementedError()
def _get_localhost_ip(self):
return "127.0.0.1"
def update_etc_hosts(self, hostname, fqdn):
# Format defined at
# http://unixhelp.ed.ac.uk/CGI/man-cgi?hosts
header = "# Added by cloud-init"
real_header = "%s on %s" % (header, util.time_rfc2822())
local_ip = self._get_localhost_ip()
hosts_line = "%s\t%s %s" % (local_ip, fqdn, hostname)
new_etchosts = StringIO()
need_write = False
need_change = True
hosts_ro_fn = self._paths.join(True, "/etc/hosts")
for line in util.load_file(hosts_ro_fn).splitlines():
if line.strip().startswith(header):
continue
if not line.strip() or line.strip().startswith("#"):
new_etchosts.write("%s\n" % (line))
continue
split_line = [s.strip() for s in line.split()]
if len(split_line) < 2:
new_etchosts.write("%s\n" % (line))
continue
(ip, hosts) = split_line[0], split_line[1:]
if ip == local_ip:
if sorted([hostname, fqdn]) == sorted(hosts):
need_change = False
if need_change:
line = "%s\n%s" % (real_header, hosts_line)
need_change = False
need_write = True
new_etchosts.write("%s\n" % (line))
if need_change:
new_etchosts.write("%s\n%s\n" % (real_header, hosts_line))
need_write = True
if need_write:
contents = new_etchosts.getvalue()
util.write_file(self._paths.join(False, "/etc/hosts"),
contents, mode=0644)
def _interface_action(self, action):
if action not in IFACE_ACTIONS:
raise NotImplementedError("Unknown interface action %s" % (action))
cmd = IFACE_ACTIONS[action]
try:
LOG.debug("Attempting to run %s interface action using command %s",
action, cmd)
(_out, err) = util.subp(cmd)
if len(err):
LOG.warn("Running %s resulted in stderr output: %s", cmd, err)
return True
except util.ProcessExecutionError:
util.logexc(LOG, "Running interface command %s failed", cmd)
return False
def isuser(self, name):
try:
if pwd.getpwnam(name):
return True
except KeyError:
return False
def get_default_user(self):
return self.default_user
def get_default_user_groups(self):
return self.default_user_groups
def create_user(self, name, **kwargs):
"""
Creates users for the system using the GNU passwd tools. This
will work on an GNU system. This should be overriden on
distros where useradd is not desirable or not available.
"""
adduser_cmd = ['useradd', name]
x_adduser_cmd = ['useradd', name]
# Since we are creating users, we want to carefully validate the
# inputs. If something goes wrong, we can end up with a system
# that nobody can login to.
adduser_opts = {
"gecos": '--comment',
"homedir": '--home',
"primary_group": '--gid',
"groups": '--groups',
"passwd": '--password',
"shell": '--shell',
"expiredate": '--expiredate',
"inactive": '--inactive',
"selinux_user": '--selinux-user',
}
adduser_opts_flags = {
"no_user_group": '--no-user-group',
"system": '--system',
"no_log_init": '--no-log-init',
"no_create_home": "-M",
}
# Now check the value and create the command
for option in kwargs:
value = kwargs[option]
if option in adduser_opts and value \
and isinstance(value, str):
adduser_cmd.extend([adduser_opts[option], value])
# Redact the password field from the logs
if option != "password":
x_adduser_cmd.extend([adduser_opts[option], value])
else:
x_adduser_cmd.extend([adduser_opts[option], 'REDACTED'])
elif option in adduser_opts_flags and value:
adduser_cmd.append(adduser_opts_flags[option])
x_adduser_cmd.append(adduser_opts_flags[option])
# Default to creating home directory unless otherwise directed
# Also, we do not create home directories for system users.
if "no_create_home" not in kwargs and "system" not in kwargs:
adduser_cmd.append('-m')
# Create the user
if self.isuser(name):
LOG.warn("User %s already exists, skipping." % name)
else:
LOG.debug("Creating name %s" % name)
try:
util.subp(adduser_cmd, logstring=x_adduser_cmd)
except Exception as e:
util.logexc(LOG, "Failed to create user %s due to error.", e)
raise e
# Set password if plain-text password provided
if 'plain_text_passwd' in kwargs and kwargs['plain_text_passwd']:
self.set_passwd(name, kwargs['plain_text_passwd'])
# Default locking down the account.
if ('lock_passwd' not in kwargs and
('lock_passwd' in kwargs and kwargs['lock_passwd']) or
'system' not in kwargs):
try:
util.subp(['passwd', '--lock', name])
except Exception as e:
util.logexc(LOG, ("Failed to disable password logins for"
"user %s" % name), e)
raise e
# Configure sudo access
if 'sudo' in kwargs:
self.write_sudo_rules(name, kwargs['sudo'])
# Import SSH keys
if 'ssh_authorized_keys' in kwargs:
keys = set(kwargs['ssh_authorized_keys']) or []
ssh_util.setup_user_keys(keys, name, None, self._paths)
return True
def set_passwd(self, user, passwd, hashed=False):
pass_string = '%s:%s' % (user, passwd)
cmd = ['chpasswd']
if hashed:
cmd.append('--encrypted')
try:
util.subp(cmd, pass_string, logstring="chpasswd for %s" % user)
except Exception as e:
util.logexc(LOG, "Failed to set password for %s" % user)
raise e
return True
def write_sudo_rules(self,
user,
rules,
sudo_file="/etc/sudoers.d/90-cloud-init-users",
):
content_header = "# user rules for %s" % user
content = "%s\n%s %s\n\n" % (content_header, user, rules)
if isinstance(rules, list):
content = "%s\n" % content_header
for rule in rules:
content += "%s %s\n" % (user, rule)
content += "\n"
if not os.path.exists(sudo_file):
util.write_file(sudo_file, content, 0440)
else:
try:
with open(sudo_file, 'a') as f:
f.write(content)
except IOError as e:
util.logexc(LOG, "Failed to write %s" % sudo_file, e)
raise e
def isgroup(self, name):
try:
if grp.getgrnam(name):
return True
except:
return False
def create_group(self, name, members):
group_add_cmd = ['groupadd', name]
# Check if group exists, and then add it doesn't
if self.isgroup(name):
LOG.warn("Skipping creation of existing group '%s'" % name)
else:
try:
util.subp(group_add_cmd)
LOG.info("Created new group %s" % name)
except Exception as e:
util.logexc("Failed to create group %s" % name, e)
# Add members to the group, if so defined
if len(members) > 0:
for member in members:
if not self.isuser(member):
LOG.warn("Unable to add group member '%s' to group '%s'"
"; user does not exist." % (member, name))
continue
util.subp(['usermod', '-a', '-G', name, member])
LOG.info("Added user '%s' to group '%s'" % (member, name))
def _get_package_mirror_info(mirror_info, availability_zone=None,
mirror_filter=util.search_for_mirror):
# given a arch specific 'mirror_info' entry (from package_mirrors)
# search through the 'search' entries, and fallback appropriately
# return a dict with only {name: mirror} entries.
ec2_az_re = ("^[a-z][a-z]-(%s)-[1-9][0-9]*[a-z]$" %
"north|northeast|east|southeast|south|southwest|west|northwest")
subst = {}
if availability_zone:
subst['availability_zone'] = availability_zone
if availability_zone and re.match(ec2_az_re, availability_zone):
subst['ec2_region'] = "%s" % availability_zone[0:-1]
results = {}
for (name, mirror) in mirror_info.get('failsafe', {}).iteritems():
results[name] = mirror
for (name, searchlist) in mirror_info.get('search', {}).iteritems():
mirrors = []
for tmpl in searchlist:
try:
mirrors.append(tmpl % subst)
except KeyError:
pass
found = mirror_filter(mirrors)
if found:
results[name] = found
LOG.debug("filtered distro mirror info: %s" % results)
return results
def _get_arch_package_mirror_info(package_mirrors, arch):
# pull out the specific arch from a 'package_mirrors' config option
default = None
for item in package_mirrors:
arches = item.get("arches")
if arch in arches:
return item
if "default" in arches:
default = item
return default
def fetch(name):
locs = importer.find_module(name,
['', __name__],
['Distro'])
if not locs:
raise ImportError("No distribution found for distro %s"
% (name))
mod = importer.import_module(locs[0])
cls = getattr(mod, 'Distro')
return cls
|