PRODENG-2744 Fixes for RBC sudo issues #513

4 changes: 0 additions & 4 deletions pkg/configurer/enterpriselinux/el.go
Expand Up @@ -61,10 +61,6 @@ func (c Configurer) InstallMCR(h os.Host, scriptPath string, engineConfig common
log.Infof("%s: appears to be an AWS EC2 instance, installed rh-amazon-rhui-client", h)
}

if h.Exec("sh -c 'yum-config-manager --enable rhel-7-server-rhui-extras-rpms && yum makecache fast'", exec.Sudo(h)) == nil {
log.Infof("%s: enabled rhel-7-server-rhui-extras-rpms repository", h)
}

if err := c.LinuxConfigurer.InstallMCR(h, scriptPath, engineConfig); err != nil {
return fmt.Errorf("failed to install MCR: %w", err)
}
19 changes: 15 additions & 4 deletions pkg/configurer/linux.go
Expand Up @@ -33,10 +33,21 @@ func (c LinuxConfigurer) MCRConfigPath() string {

// InstallMCR install MCR on Linux.
func (c LinuxConfigurer) InstallMCR(h os.Host, scriptPath string, engineConfig common.MCRConfig) error {
pwd := c.riglinux.Pwd(h)
base := path.Base(scriptPath)
installer := pwd + "/" + base
err := h.Upload(scriptPath, installer)

installScriptDir := engineConfig.InstallScriptRemoteDirLinux
if installScriptDir == "" {
installScriptDir = c.riglinux.Pwd(h)
}

_, err := h.ExecOutput(fmt.Sprintf("mkdir -p %s", installScriptDir))
if err != nil {
return fmt.Errorf("failed to create directory %s: %w", installScriptDir, err)
}

installer := path.Join(installScriptDir, base)

err = h.Upload(scriptPath, installer)
if err != nil {
log.Errorf("failed: %s", err.Error())
return fmt.Errorf("upload %s to %s: %w", scriptPath, installer, err)
Expand Down Expand Up @@ -112,7 +123,7 @@ func (c LinuxConfigurer) ResolveInternalIP(h os.Host, privateInterface, publicIP
// DockerCommandf accepts a printf-like template string and arguments
// and builds a command string for running the docker cli on the host.
func (c LinuxConfigurer) DockerCommandf(template string, args ...interface{}) string {
return fmt.Sprintf("docker %s", fmt.Sprintf(template, args...))
return fmt.Sprintf("/usr/bin/docker %s", fmt.Sprintf(template, args...))
}

// ValidateLocalhost returns an error if "localhost" is not a local address.
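Review bot: `installScriptDir` on line 63 comes straight from configuration (`engineConfig.InstallScriptRemoteDirLinux`) and is interpolated unquoted into `fmt.Sprintf("mkdir -p %s", ...)`, so a value containing whitespace or shell metacharacters either breaks the `mkdir` or runs something other than a directory creation; the same value feeds `path.Join` on line 68 and the upload target. Rather than attempting shell quoting, reject anything that is not a clean absolute path before it is used: `if d := engineConfig.InstallScriptRemoteDirLinux; d != "" && (!path.IsAbs(d) || path.Clean(d) != d) { return fmt.Errorf("installScriptRemoteDirLinux %q must be a clean absolute path", d) }`. The `mkdir` also discards its output (`_, err := h.ExecOutput(...)`), so `h.Exec` reads more plainly, and I can't tell from here whether it is meant to run via the project's sudo helper with `mkdir -p --`, which is the form the sudoers file in this PR whitelists. In the second hunk, hard-coding `/usr/bin/docker` on line 79 breaks hosts where the cli is installed elsewhere; if the absolute path is required for sudoers matching, a one-line comment saying so would stop someone reverting it. InstallMCR's body continues past the hunk.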
19 changes: 10 additions & 9 deletions pkg/product/common/api/mcr_config.go
Expand Up @@ -19,15 +19,16 @@ type DockerDaemonConfig struct {

// MCRConfig holds the Mirantis Container Runtime installation specific options.
type MCRConfig struct {
Version string `yaml:"version"`
RepoURL string `yaml:"repoURL,omitempty"`
InstallURLLinux string `yaml:"installURLLinux,omitempty"`
InstallURLWindows string `yaml:"installURLWindows,omitempty"`
Channel string `yaml:"channel,omitempty"`
Prune bool `yaml:"prune,omitempty"`
ForceUpgrade bool `yaml:"forceUpgrade,omitempty"`
SwarmInstallFlags Flags `yaml:"swarmInstallFlags,omitempty,flow"`
SwarmUpdateCommands []string `yaml:"swarmUpdateCommands,omitempty,flow"`
Version string `yaml:"version"`
RepoURL string `yaml:"repoURL,omitempty"`
InstallURLLinux string `yaml:"installURLLinux,omitempty"`
InstallScriptRemoteDirLinux string `yaml:"installScriptRemoteDirLinux,omitempty"`
InstallURLWindows string `yaml:"installURLWindows,omitempty"`
Channel string `yaml:"channel,omitempty"`
Prune bool `yaml:"prune,omitempty"`
ForceUpgrade bool `yaml:"forceUpgrade,omitempty"`
SwarmInstallFlags Flags `yaml:"swarmInstallFlags,omitempty,flow"`
SwarmUpdateCommands []string `yaml:"swarmUpdateCommands,omitempty,flow"`

Metadata *MCRMetadata `yaml:"-"`
}
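Review bot: The new `InstallScriptRemoteDirLinux` field on line 102 has no doc comment, and since its yaml key is user-facing the contract should be stated next to it: `// InstallScriptRemoteDirLinux is the directory on the Linux host into which the MCR install script is uploaded. When empty, the remote user's working directory is used.` That behaviour comes from the `InstallMCR` change in pkg/configurer/linux.go in this PR, where the value is also interpolated into a remote `mkdir` command, so the comment should add that it is expected to be an absolute path without shell metacharacters. The rest of the struct was only re-aligned for the longer name, which `gofmt` does on its own.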
2 changes: 1 addition & 1 deletion pkg/product/mke/api/host.go
Expand Up @@ -111,7 +111,7 @@ func (h *Host) IsLocal() bool {

// IsSudoCommand is a particluar string command supposed to use Sudo.
func (h *Host) IsSudoCommand(cmd string) bool {
if h.SudoDocker && strings.HasPrefix(cmd, "docker") {
if h.SudoDocker && (strings.HasPrefix(cmd, "docker") || strings.HasPrefix(cmd, "/usr/bin/docker")) {
return true
}
return false
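Review bot: The prefix checks on line 120 match any command string that merely begins with those letters — `dockerd`, `docker-compose`, `/usr/bin/dockerd` — so those are routed through sudo too; sudoers still decides what actually runs, but the intent here is the docker cli only. Matching the first word is tighter and removes the duplicated branch: `first := strings.SplitN(cmd, " ", 2)[0]` followed by `return h.SudoDocker && (first == "docker" || first == "/usr/bin/docker")`, which also replaces the `if … { return true }; return false` shape with a direct return. The closing brace of IsSudoCommand is outside the hunk.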
61 changes: 61 additions & 0 deletions prepare.sh
@@ -0,0 +1,61 @@
# How to use this script:
# 1. Modify the value of SSH_FLAGS to have the right ssh key path
# 2. Take copy of the sudoers file and name it as 50-launchpad(Or anything suitable so that it does not override the existing sudoers files)
# 3. Make the changes you want to test in the copy of the sudoers file and run this script.


HOSTS="$(yq -r ".spec.hosts[].ssh.address" ./launchpad.yaml)"

SSH_USER=rocky
SSH_FLAGS="-i examples/tf-aws/launchpad/ssh-keys/jn-PRODENG-2744-common.pem -o StrictHostKeyChecking=no"

# --- helpers ---

ssh() {
local host=$1
shift;
local run=$@

echo "ssh $SSH_FLAGS $SSH_USER@$host -- $run"
#ssh $SSH_FLAGS $USER@$host -- "$run"
}

scp() {
local host=$1
shift;
local file=$@

echo "scp $SSH_FLAGS $file $SSH_USER@$host:~/$file"
#scp $SSH_FLAGS $USER@$host $file $file
}

# --- handlers ___

sudo_prepareuser() {
host=$1

ssh $host "sudo useradd launchpad"
ssh $host "sudo cp -R /home/rocky/.ssh /home/launchpad/"
ssh $host "sudo chown -R launchpad:launchpad /home/launchpad"
}

sudo_sudowhitelist() {
host=$1

scp $host 50-launchpad
ssh $host "sudo chown root:root ./50-launchpad"
ssh $host "sudo mv ./50-launchpad /etc/sudoers.d/"
}

# --- fix all hosts ---

set +x

for host in $HOSTS
do
#echo "#-- HOST: $host"
ssh $host whoami

sudo_prepareuser $host
sudo_sudowhitelist $host
done
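Review bot: `sudo_sudowhitelist` (lines 169-175) moves `50-launchpad` into `/etc/sudoers.d/` without validating it or setting its mode, and a syntax error or wrong file mode in a sudoers.d file can make sudo refuse to run at all on that host; add `ssh $host "sudo visudo -cf ./50-launchpad"` (abort if it fails) and `ssh $host "sudo chmod 0440 ./50-launchpad"` before the `mv`. The helpers are named `ssh` and `scp`, which shadow the real commands once the commented-out invocations on lines 147 and 156 are enabled, and those lines use `$USER` where the rest of the script uses `$SSH_USER`; `local run=$@` also flattens the arguments, so `"$*"` says what is meant. `set +x` on line 179 disables tracing, which looks like it may have been intended as `set -e` or `set -x` — worth confirming — and the file has no shebang. The header comment refers to a sudoers copy named `50-launchpad` while this PR adds a root-level file named `sudoers`, so a line saying how the two relate would help the next person.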
68 changes: 68 additions & 0 deletions sudoers
@@ -0,0 +1,68 @@
User_Alias CANLAUNCHPAD = launchpad

CANLAUNCHPAD ALL = (root) NOPASSWD: /bin/ps
CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/docker *
CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/rm -f -- launchpad.test
CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/rm -f -- /etc/docker/*
CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/rm -f -- /home/launchpad/installerLinux*
CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/rm -f -- /tmp/installerLinux*
CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/sbin/getenforce *
CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/rpm -qa
CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/cat *
CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/stat *
CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/systemctl * docker *
CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/netstat
CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/journalctl
CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/systemctl stop docker
CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/systemctl start docker
CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/systemctl restart docker
CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/systemctl status
CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/systemctl stop containerd
CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/systemctl start containerd
CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/systemctl cat *
CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/cat /etc/docker/daemon.json
CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/rm -rvf /var/run/docker.sock
CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/rm /app/docker/swarm/worker/tasks.db
CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/ip link del docker_gwbridge
CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/ip link del docker0
CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/sysctl -w net.ipv4.conf.all.rp_filter=1
CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/vi /etc/sysctl.d/99-app.conf
CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/vi /etc/docker/daemon.json
CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/pkill -9 containerd-shim
CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/df
CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/lsof
CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/ulimit -a
CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/strace
CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/docker *
CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/systemctl stop appitrs
CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/systemctl start appitrs
CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/rm -f -- /etc/docker/daemon.json *
CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/rm -f -- launchpad.test *
CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/sbin/getenforce *
CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/yum install -y *
CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/cat *
CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/sh -c 'yum-config-manager *'
CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/sh -c 'rpm -qa *'
CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/sh -c 'echo *'
CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/sh -c 'yum install *'
CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/stat *
CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/systemctl * docker *
CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/systemctl enable docker
CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/docker version
CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/install *
CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/rm -f -- /tmp/launchpad/installerLinux*
CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/mkdir -p -- /tmp/launchpad


User_Alias CANINSTALLMCR = launchpad

CANINSTALLMCR ALL = (root) NOPASSWD:SETENV: /usr/bin/rpm -qa
CANINSTALLMCR ALL = (root) NOPASSWD:SETENV: /usr/bin/yum install *
CANINSTALLMCR ALL = (root) NOPASSWD:SETENV: /usr/bin/yum list *
CANINSTALLMCR ALL = (root) NOPASSWD:SETENV: /usr/bin/tee /etc/yum/vars/dockerurl
CANINSTALLMCR ALL = (root) NOPASSWD:SETENV: /usr/bin/tee /etc/yum/vars/dockerosversion
CANINSTALLMCR ALL = (root) NOPASSWD:SETENV: /usr/bin/yum-config-manager --add-repo *
CANINSTALLMCR ALL = (root) NOPASSWD:SETENV: /usr/bin/yum-config-manager --disable docker-ee-*
CANINSTALLMCR ALL = (root) NOPASSWD:SETENV: /usr/bin/yum-config-manager --enable docker-ee-*
CANINSTALLMCR ALL = (root) NOPASSWD:SETENV: /usr/bin/yum upgrade *
CANINSTALLMCR ALL = (root) NOPASSWD:SETENV: /usr/bin/yum downgrade *
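Review bot: `/usr/bin/docker *` (lines 195 and 227) grants the launchpad user unrestricted docker as root, which on a docker host amounts to unrestricted root, so the narrower rules (the specific `rm`, `systemctl` and `cat` paths) add no containment while that line is present; the same applies to the `/usr/bin/vi …`, `/usr/bin/install *`, `/usr/bin/strace` and `/usr/bin/sh -c '… *'` entries, since a sudoers `*` also matches whitespace and therefore further arguments. If the aim is a least-privilege policy for launchpad, a comment at the top stating what is intentionally broad and why would make the file reviewable; otherwise it should be trimmed to the commands the configurer code in this PR actually runs. Several entries are duplicated (195/227, 200/232, 202/234, 203/239, 204/240), and `rm -f -- launchpad.test` uses a relative path, which sudo matches against the literal argument regardless of the working directory. It is also unclear whether `sudoers` at the repo root is a fixture for `prepare.sh` (which expects `50-launchpad`) or documentation; a README line or a location under examples/ would settle that.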