Posted to commits@cloudstack.apache.org by bh...@apache.org on 2014/09/22 21:44:02 UTC
[03/50] git commit: updated refs/heads/master to 1290e10
CLOUDSTACK-7143: cleanup configure_login.sh code
Had to change various things to make this code re-entrant. In particular,
the sed-based manipulation of /etc/sudoers is gone and replaced with a
simpler, minimal (but compatible) sudoers file.
Remove the sshd_config tuning since sshd_config is overwritten when we
apply the cloud_scripts overlay (from build.sh).
Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/3f8c31b0
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/3f8c31b0
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/3f8c31b0
Branch: refs/heads/master
Commit: 3f8c31b0da89e630b27b26d495ad1babbf57678a
Parents: e86121d
Author: Leo Simons <ls...@schubergphilis.com>
Authored: Mon Jul 21 11:10:59 2014 +0200
Committer: Rohit Yadav <ro...@shapeblue.com>
Committed: Mon Sep 22 21:31:35 2014 +0200
----------------------------------------------------------------------
.../systemvmtemplate/configure_login.sh | 72 ++++++++++++++------
1 file changed, 51 insertions(+), 21 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/3f8c31b0/tools/appliance/definitions/systemvmtemplate/configure_login.sh
----------------------------------------------------------------------
diff --git a/tools/appliance/definitions/systemvmtemplate/configure_login.sh b/tools/appliance/definitions/systemvmtemplate/configure_login.sh
index 413d485..680b08a 100644
--- a/tools/appliance/definitions/systemvmtemplate/configure_login.sh
+++ b/tools/appliance/definitions/systemvmtemplate/configure_login.sh
@@ -1,26 +1,49 @@
-setup_accounts() {
- # Setup sudo to allow no-password sudo for "admin"
- groupadd -r admin
- # Create a 'cloud' user if it's not there
- id cloud
- if [[ $? -ne 0 ]]
- then
- useradd -G admin cloud
- else
- usermod -a -G admin cloud
- fi
- echo "root:$ROOTPW" | chpasswd
- echo "cloud:`openssl rand -base64 32`" | chpasswd
- sed -i -e '/Defaults\s\+env_reset/a Defaults\texempt_group=admin' /etc/sudoers
- sed -i -e 's/%admin ALL=(ALL) ALL/%admin ALL=NOPASSWD:/bin/chmod, /bin/cp, /bin/mkdir, /bin/mount, /bin/umount/g' /etc/sudoers
- # Disable password based authentication via ssh, this will take effect on next reboot
- sed -i -e 's/^.*PasswordAuthentication .*$/PasswordAuthentication no/g' /etc/ssh/sshd_config
- # Secure ~/.ssh
+#!/bin/bash
+
+set -e
+set -x
+
+function add_admin_group() {
+ groupadd -f -r admin
+}
+
+function configure_cloud_user() {
+ usermod -a -G admin cloud
mkdir -p /home/cloud/.ssh
chmod 700 /home/cloud/.ssh
+ echo "cloud:`openssl rand -base64 32`" | chpasswd
+}
+
+function configure_sudoers() {
+ cat >/etc/sudoers <<END
+Defaults env_reset
+Defaults exempt_group=admin
+Defaults mail_badpass
+Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+
+root ALL=(ALL:ALL) ALL
+%admin ALL=NOPASSWD:/bin/chmod, /bin/cp, /bin/mkdir, /bin/mount, /bin/umount
+
+#includedir /etc/sudoers.d
+END
+ echo 'cloud ALL=NOPASSWD:/bin/chmod, /bin/cp, /bin/mkdir, /bin/mount, /bin/umount' > /etc/sudoers.d/cloud
}
-fix_inittab() {
+# sshd_config is overwritten from cloud_scripts
+#function configure_sshd() {
+# grep "UseDNS no" /etc/ssh/sshd_config && \
+# grep "PasswordAuthentication no" /etc/ssh/sshd_config && \
+# return
+# # Tweak sshd to prevent DNS resolution (speed up logins)
+# echo 'UseDNS no' >> /etc/ssh/sshd_config
+#
+# # Require ssh keys for login
+# sed -i -e 's/^.*PasswordAuthentication .*$/PasswordAuthentication no/g' /etc/ssh/sshd_config
+#}
+
+function configure_inittab() {
+ grep "vc:2345:respawn:/sbin/getty" /etc/inittab && return
+
# Fix inittab
cat >> /etc/inittab << EOF
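Review bot: With `set -x` enabled at the top of the new script, the `chpasswd` line in `configure_cloud_user` is traced after expansion, so the generated password for the cloud account ends up in the build output. Turn tracing off around that one command, with `set +x` before it and `set -x` after it. Separately, `configure_sudoers` creates /etc/sudoers.d/cloud by plain redirection, so its mode comes from the umask. sudo expects these files to be mode 0440 and some versions may reject or skip others, so adding `chmod 0440 /etc/sudoers.d/cloud` and a `visudo -c` check after writing would make the result verifiable. The NOPASSWD rule also lists `/bin/cp`, `/bin/chmod` and `/bin/mount` without argument restrictions, which is effectively full root for the cloud user and deserves a comment in the script saying so.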
@@ -28,5 +51,12 @@ vc:2345:respawn:/sbin/getty 38400 hvc0
EOF
}
-setup_accounts
-fix_inittab
+function configure_login() {
+ add_admin_group
+ configure_cloud_user
+ configure_sudoers
+ # configure_sshd
+ configure_inittab
+}
+
+return 2>/dev/null || configure_login
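Review bot: The final line, `return 2>/dev/null || configure_login`, depends on `return` failing when the file is executed rather than sourced, which is easy to misread and has no comment. I would add `# when sourced, only define the functions; when executed, run configure_login` above it, or use the explicit form `if [[ "${BASH_SOURCE[0]}" == "$0" ]]; then configure_login; fi`. Sourcing the file also still runs the `set -e` and `set -x` at its top, so the calling shell inherits both options; that side effect should be documented or the options moved into `configure_login`. The first two lines of this hunk close `configure_inittab`, whose body starts outside the hunk.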