Having to bootstrap the guest as a separate phase is annoying and
can be avoided by assuming the root password is well-known.
This doesn't hurt security because we're going to be changing the
root password with a user-provided one the first time Ansible is
run; moreover, we only leave key-based SSH authentication enabled
for the root user.
Signed-off-by: Andrea Bolognani <abologna(a)redhat.com>
---
guests/bootstrap.yml | 15 ---------------
guests/group_vars/all/main.yml | 5 +++++
guests/lcitool | 25 +++++++++++++++++++++++++
guests/site.yml | 8 ++++++++
guests/tasks/base.yml | 11 ++++++++++-
5 files changed, 48 insertions(+), 16 deletions(-)
delete mode 100644 guests/bootstrap.yml
diff --git a/guests/bootstrap.yml b/guests/bootstrap.yml
deleted file mode 100644
index 544dd9d..0000000
--- a/guests/bootstrap.yml
+++ /dev/null
@@ -1,15 +0,0 @@
----
-- hosts: all
- gather_facts: no
-
- tasks:
-
- # Bootstrap Ansible itself
- - include: tasks/bootstrap.yml
-
-- hosts: all
-
- tasks:
-
- # Prepare the base environment
- - include: tasks/base.yml
diff --git a/guests/group_vars/all/main.yml b/guests/group_vars/all/main.yml
index 81b7d43..d24af59 100644
--- a/guests/group_vars/all/main.yml
+++ b/guests/group_vars/all/main.yml
@@ -1,6 +1,11 @@
---
ansible_user: root
+# This password is only used to access the guest the very first time
+# Ansible is used: afterwards, the user's SSH key will have been installed
+# in the guest and SSH password authentication will have been disabled
+ansible_ssh_pass: root
+
jenkins_url:
https://ci.centos.org/computer/{{ inventory_hostname }}/slave-agent.jnlp
# Paths to various command. Can be overridden on a per-host basis
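Review bot: The comment above `ansible_ssh_pass: root` overstates what the series does: the only sshd change in this patch (the base.yml hunk) sets `PermitRootLogin without-password`, which restricts password login for root alone and only once sshd re-reads its configuration, whereas the comment says "SSH password authentication will have been disabled". Making the comment match the mechanism avoids a reader assuming `PasswordAuthentication` is turned off globally, e.g. `# in the guest and root SSH password logins will have been disabled (PermitRootLogin without-password)`. It may also be worth noting next to it that `ansible_ssh_pass` needs the `sshpass` program on the controller, since nothing else in the repository appears to require it.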
diff --git a/guests/lcitool b/guests/lcitool
index aaee5f9..10a72cf 100755
--- a/guests/lcitool
+++ b/guests/lcitool
@@ -12,6 +12,19 @@ die() {
exit 1
}
+# hash_file PASS_FILE
+#
+# Generate a password hash from the contents of PASS_FILE.
+hash_file() {
+ PASS_FILE="$1"
+
+ python2 -c "
+import crypt
+password = open('$PASS_FILE', 'r').read().strip()
+print(crypt.crypt(password,
+ crypt.mksalt(crypt.METHOD_SHA512)))"
+}
+
# ----------------------
# User-visible actions
# ----------------------
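Review bot: `hash_file` runs under `python2`, but `crypt.mksalt()` and `crypt.METHOD_SHA512` were added in Python 3.3 and do not exist in the Python 2 `crypt` module, so the call raises AttributeError and `do_prepare` dies at the "Failure while hashing root password" check on every run. Switching the interpreter to `python3` (assuming one is available where lcitool runs) fixes that; while there, pass `$PASS_FILE` as an argument instead of splicing it into the program text, where a path containing a quote or backslash would break the Python source, and close the file explicitly.

```shell
hash_file() {
    PASS_FILE="$1"

    # crypt.mksalt()/METHOD_SHA512 exist only on Python >= 3.3; the path is
    # passed as argv[1] rather than interpolated into the program text
    python3 -c '
import crypt, sys
with open(sys.argv[1], "r") as f:
    password = f.read().strip()
print(crypt.crypt(password, crypt.mksalt(crypt.METHOD_SHA512)))' "$PASS_FILE"
}
```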
@@ -44,11 +57,23 @@ do_prepare() {
}
VAULT_PASS_FILE="$CONFIG_DIR/vault-password"
+ ROOT_PASS_FILE="$CONFIG_DIR/root-password"
# Make sure required passwords exist and are not invalid (empty)
test -f "$VAULT_PASS_FILE" && test "$(cat
"$VAULT_PASS_FILE")" || {
die "$PROGRAM_NAME: $VAULT_PASS_FILE: Missing or invalid password"
}
+ test -f "$ROOT_PASS_FILE" && test "$(cat
"$ROOT_PASS_FILE")" || {
+ die "$PROGRAM_NAME: $ROOT_PASS_FILE: Missing or invalid password"
+ }
+
+ ROOT_HASH_FILE="$CONFIG_DIR/.root-password.hash"
+
+ # Regenerate root password hash. Ansible expects passwords as hashes but
+ # doesn't provide a built-in facility to generate one from plain text
+ hash_file "$ROOT_PASS_FILE" >"$ROOT_HASH_FILE" || {
+ die "$PROGRAM_NAME: Failure while hashing root password"
+ }
ansible-playbook \
--vault-password-file "$VAULT_PASS_FILE" \
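Review bot: `hash_file "$ROOT_PASS_FILE" >"$ROOT_HASH_FILE"` creates the hash file with the caller's default umask, so a crypt hash of the guests' root password typically ends up mode 0644 in `$CONFIG_DIR` next to the plain-text password file; wrapping the write as `(umask 077 && hash_file "$ROOT_PASS_FILE" >"$ROOT_HASH_FILE") || {` keeps it private on creation, and since umask does not alter an existing file's mode, a `chmod 600 "$ROOT_HASH_FILE"` afterwards covers the regeneration case. Because `crypt.mksalt` draws a fresh salt each time, regenerating unconditionally also produces a different hash on every `prepare`, which will make the Ansible `user` task report a change each run; regenerating only when the password file is newer than the hash file would avoid that. The comment that Ansible "doesn't provide a built-in facility" is not quite accurate either: the `password_hash('sha512')` Jinja filter exists (it may need passlib on some platforms), so the comment should say why it is not used here. `do_prepare` continues outside the hunk.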
diff --git a/guests/site.yml b/guests/site.yml
index e6cf10d..9c75dcb 100644
--- a/guests/site.yml
+++ b/guests/site.yml
@@ -1,5 +1,13 @@
---
- hosts: all
+ gather_facts: no
+
+ tasks:
+
+ # Bootstrap Ansible itself
+ - include: tasks/bootstrap.yml
+
+- hosts: all
vars_files:
- vars/mappings.yml
diff --git a/guests/tasks/base.yml b/guests/tasks/base.yml
index dd8d306..a9066e4 100644
--- a/guests/tasks/base.yml
+++ b/guests/tasks/base.yml
@@ -96,9 +96,10 @@
hostname:
name: '{{ inventory_hostname }}'
-- name: Configure root shell
+- name: Configure root password and shell
user:
name: root
+ password: '{{ lookup("file", lookup("env", "HOME")
+ "/.config/lcitool/.root-password.hash") }}'
shell: '{{ bash }}'
- name: Configure ssh access for the root user
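Review bot: The `password:` lookup hard-codes `~/.config/lcitool/.root-password.hash`, duplicating the `CONFIG_DIR`/`ROOT_HASH_FILE` convention that lcitool defines; passing the path from lcitool as an extra variable (e.g. `--extra-vars root_password_hash_file=...`) would keep a single source of truth and let the playbook run from a different config location. The expression as shown also lacks the `+` between `lookup("env", "HOME")` and the string literal that the `key:` lookup below has; if that is not just mail wrapping, it is a Jinja syntax error. Note too that the hash lcitool writes carries a fresh random salt on every run, so this task will report "changed" and rewrite the shadow entry each time the playbook runs unless the hash is only regenerated when the password changes.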
@@ -106,3 +107,11 @@
user: root
key: '{{ lookup("file", lookup("env", "HOME") +
"/.ssh/id_rsa.pub") }}'
state: present
+
+- name: Disable password authentication for the root user
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ regexp: '^#*\s*PermitRootLogin\s*.*$'
+ line: 'PermitRootLogin without-password'
+ state: present
+ backup: yes
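Review bot: The `lineinfile` task edits `sshd_config` but nothing in the hunk reloads sshd, so `PermitRootLogin without-password` only takes effect after the next sshd restart and root password logins stay enabled on an already-running guest; adding `notify: Restart sshd` with a matching handler (or a `service` task) closes that gap. `without-password` has been a deprecated alias of `prohibit-password` since OpenSSH 7.0; either spelling still works, but `line: 'PermitRootLogin prohibit-password'` is the current form if all targeted distributions ship a recent enough sshd. Also prefer `backup: true` over `backup: yes` for the boolean.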
--
2.13.6