diff --git a/cdist/conf/explorer/memory b/cdist/conf/explorer/memory index 63aba9c6..5ea15ada 100755 --- a/cdist/conf/explorer/memory +++ b/cdist/conf/explorer/memory @@ -1,9 +1,8 @@ -#!/bin/sh -e +#!/bin/sh # # 2014 Daniel Heule (hda at sfs.biz) # 2014 Thomas Oettli (otho at sfs.biz) # Copyright 2017, Philippe Gregoire -# 2020 Dennis Camera # # This file is part of cdist. # @@ -20,74 +19,24 @@ # You should have received a copy of the GNU General Public License # along with cdist. If not, see . # -# Returns the amount of memory physically installed in the system, or if that -# cannot be determined the amount available to the operating system kernel, -# in kibibytes (kiB). +# -str2bytes() { - awk -F' ' ' - $2 == "B" || !$2 { print $1 } - $2 == "kB" { print $1 * 1000 } - $2 == "MB" { print $1 * 1000 * 1000 } - $2 == "GB" { print $1 * 1000 * 1000 * 1000 } - $2 == "TB" { print $1 * 1000 * 1000 * 1000 * 1000 } - $2 == "kiB" { print $1 * 1024 } - $2 == "MiB" { print $1 * 1024 * 1024 } - $2 == "GiB" { print $1 * 1024 * 1024 * 1024 } - $2 == "TiB" { print $1 * 1024 * 1024 * 1024 * 1024 }' -} +# FIXME: other system types (not linux ...) -bytes2kib() { - set -- "$(cat)" - test "$1" -gt 0 && echo $(($1 / 1024)) -} +os=$("$__explorer/os") +case "$os" in + "macosx") + echo "$(sysctl -n hw.memsize)/1024" | bc + ;; + *"bsd") + PATH=$(getconf PATH) + echo "$(sysctl -n hw.physmem) / 1048576" | bc + ;; -case $(uname -s) -in - (Darwin) - sysctl -n hw.memsize | bytes2kib - ;; - (FreeBSD) - sysctl -n hw.realmem | bytes2kib - ;; - (NetBSD|OpenBSD) - # NOTE: This reports "usable" memory, not physically installed memory. - command -p sysctl -n hw.physmem | bytes2kib - ;; - (SunOS) - # Make sure that awk from xpg4 is used for the scripts to work - export PATH="/usr/xpg4/bin:${PATH}" - prtconf \ - | awk -F ': ' ' - $1 == "Memory size" { sub(/Megabytes/, "MiB", $2); print $2 } - /^$/ { exit }' \ - | str2bytes \ - | bytes2kib - ;; - (Linux) - if test -d /sys/devices/system/memory - then - # Use memory blocks if the architecture (e.g. x86, PPC64, s390) - # supports them (they denote physical memory) - num_mem_blocks=$(cat /sys/devices/system/memory/memory[0-9]*/state | grep -cxF online) - mem_block_size=$(cat /sys/devices/system/memory/block_size_bytes) - - echo $((num_mem_blocks * 0x$mem_block_size)) | bytes2kib && exit - fi - if test -r /proc/meminfo - then - # Fall back to meminfo file on other architectures (e.g. ARM, MIPS, - # PowerPC) - # NOTE: This is "usable" memory, not physically installed memory. - awk -F ': +' '$1 == "MemTotal" { sub(/B$/, "iB", $2); print $2 }' /proc/meminfo \ - | str2bytes \ - | bytes2kib - fi - ;; - (*) - printf "Your kernel (%s) is currently not supported by the memory explorer\n" "$(uname -s)" >&2 - printf "Please contribute an implementation for it if you can.\n" >&2 - exit 1 - ;; + *) + if [ -r /proc/meminfo ]; then + grep "MemTotal:" /proc/meminfo | awk '{print $2}' + fi + ;; esac diff --git a/cdist/conf/type/__letsencrypt_cert/files/gen_hook.sh b/cdist/conf/type/__letsencrypt_cert/files/gen_hook.sh deleted file mode 100644 index 81ea4856..00000000 --- a/cdist/conf/type/__letsencrypt_cert/files/gen_hook.sh +++ /dev/null @@ -1,84 +0,0 @@ -#!/bin/sh -e - -# It is expected that this defines hook_contents - -# Reasonable defaults -hook_source="${__object}/parameter/${hook}-hook" -hook_state="absent" -hook_contents_head="#!/bin/sh -e" -hook_contents_logic="" -hook_contents_tail="" - -# Backwards compatibility -# Remove this when renew-hook is removed -# Falling back to renew-hook if deploy-hook is not passed -if [ "${hook}" = "deploy" ] && [ ! -f "${hook_source}" ]; then - hook_source="${__object}/parameter/renew-hook" -fi -if [ "${state}" = "present" ] && \ - [ -f "${hook_source}" ]; then - # This hook is to be installed, let's generate it with some - # safety boilerplate - # Since certbot runs all hooks for all renewal processes - # (at each state for deploy, pre, post), it is up to us to - # differentiate whether or not the hook must run - hook_state="present" - hook_contents_head="$(cat <> /dev/stderr - exit 1 - ;; - esac - - hook_contents_tail="$(cat < | Darko Poljak | Ľubomír Kučera -| Evilham - COPYING ------- -Copyright \(C) 2017-2021 Nico Schottelius, Kamila Součková, Darko Poljak and +Copyright \(C) 2017-2018 Nico Schottelius, Kamila Součková, Darko Poljak and Ľubomír Kučera. You can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. diff --git a/cdist/conf/type/__letsencrypt_cert/manifest b/cdist/conf/type/__letsencrypt_cert/manifest old mode 100644 new mode 100755 index 1df3574a..b4464366 --- a/cdist/conf/type/__letsencrypt_cert/manifest +++ b/cdist/conf/type/__letsencrypt_cert/manifest @@ -1,20 +1,18 @@ #!/bin/sh certbot_fullpath="$(cat "${__object:?}/explorer/certbot-path")" -state=$(cat "${__object}/parameter/state") -os="$(cat "${__global:?}/explorer/os")" if [ -z "${certbot_fullpath}" ]; then + os="$(cat "${__global:?}/explorer/os")" os_version="$(cat "${__global}/explorer/os_version")" - # Use this, very common value, as a default. It is OS-dependent - certbot_fullpath="/usr/bin/certbot" + case "$os" in - archlinux) - __package certbot - ;; - alpine) - __package certbot - ;; + archlinux) + __package certbot + ;; + alpine) + __package certbot + ;; debian) case "$os_version" in 8*) @@ -50,7 +48,9 @@ if [ -z "${certbot_fullpath}" ]; then exit 1 ;; esac - ;; + + certbot_fullpath=/usr/bin/certbot + ;; devuan) case "$os_version" in jessie) @@ -83,14 +83,17 @@ if [ -z "${certbot_fullpath}" ]; then exit 1 ;; esac + + certbot_fullpath=/usr/bin/certbot ;; freebsd) - __package py37-certbot - certbot_fullpath="/usr/local/bin/certbot" + __package py27-certbot + + certbot_fullpath=/usr/local/bin/certbot ;; ubuntu) - __package certbot - ;; + __package certbot + ;; *) echo "Unsupported os: $os" >&2 exit 1 @@ -98,61 +101,18 @@ if [ -z "${certbot_fullpath}" ]; then esac fi -# Other OS-dependent values that we want to set every time -LE_DIR="/etc/letsencrypt" -certbot_cronjob_state="absent" -case "$os" in - archlinux|alpine) - certbot_cronjob_state="present" - ;; - freebsd) - LE_DIR="/usr/local/etc/letsencrypt" - # FreeBSD uses periodic(8) instead of crontabs for this - __line "periodic.conf_weekly_certbot" \ - --file "/etc/periodic.conf" \ - --regex "^(#[[:space:]]*)?weekly_certbot_enable=.*" \ - --state "replace" \ - --line 'weekly_certbot_enable="YES"' - ;; - *) - ;; -esac +if [ -f "${__object}/parameter/automatic-renewal" ]; then + renew_hook_param="${__object}/parameter/renew-hook" + renew_hook="" + if [ -f "${renew_hook_param}" ]; then + while read -r hook; do + renew_hook="${renew_hook} --renew-hook \"${hook}\"" + done < "${renew_hook_param}" + fi -# This is only necessary in certain OS -__cron letsencrypt-certbot \ - --user root \ - --command "${certbot_fullpath} renew -q" \ - --hour 0 \ - --minute 47 \ - --state "${certbot_cronjob_state}" - -# Ensure hook directories -HOOKS_DIR="${LE_DIR}/renewal-hooks" -__directory "${LE_DIR}" --mode 0755 -require="__directory/${LE_DIR}" __directory "${HOOKS_DIR}" --mode 0755 - -if [ -f "${__object}/parameter/domain" ]; then - domains="$(sort "${__object}/parameter/domain")" -else - domains="${__object_id}" + __cron letsencrypt-certbot \ + --user root \ + --command "${certbot_fullpath} renew -q ${renew_hook}" \ + --hour 0 \ + --minute 47 fi - -# Install hooks as needed -for hook in deploy pre post; do - # Using something unique and specific to this object - hook_file="${HOOKS_DIR}/${hook}/${__object_id}.cdist.sh" - - # This defines hook_contents - # shellcheck source=cdist/conf/type/__letsencrypt_cert/files/gen_hook.sh - . "${__type}/files/gen_hook.sh" - - # Ensure hook directory exists - require="__directory/${HOOKS_DIR}" __directory "${HOOKS_DIR}/${hook}" \ - --mode 0755 - require="__directory/${HOOKS_DIR}/${hook}" __file "${hook_file}" \ - --mode 0555 \ - --source '-' \ - --state "${hook_state}" <. -# - - -nameparam="$__object/parameter/name" -if [ -f "$nameparam" ]; then - name=$(cat "$nameparam") -else - name="$__object_id" -fi - -pipparam="$__object/parameter/pip" -if [ -f "$pipparam" ]; then - pip=$(cat "$pipparam") -else - pip="$( "$__type_explorer/pip" )" -fi - - -if command -v "$pip" >/dev/null 2>&1; then - # assemble the path where pip stores all pip package info - "$pip" show "$name" \ - | awk -F': ' ' - $1 == "Name" {name=$2; gsub(/-/,"_",name); next} - $1 == "Version" {version=$2; next} - $1 == "Location" {location=$2; next} - END {if (version != "") printf "%s/%s-%s.dist-info", location, name, version}' -fi diff --git a/cdist/conf/type/__package_pip/explorer/extras b/cdist/conf/type/__package_pip/explorer/extras deleted file mode 100755 index bbdc17ab..00000000 --- a/cdist/conf/type/__package_pip/explorer/extras +++ /dev/null @@ -1,66 +0,0 @@ -#!/bin/sh -# -# 2021 Matthias Stecher (matthiasstecher at gmx.de) -# -# This file is part of cdist. -# -# cdist is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# cdist is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with cdist. If not, see . -# -# -# Checks if the given extras are really installed or not. It will be -# done by querring all dependencies for that extra and return it as -# "to be installed" if no dependency was found. -# - - -distinfo_dir="$("$__type_explorer/distinfo-dir")" - -# check if we have something to check -if [ "$distinfo_dir" ] && [ -s "$__object/parameter/extra" ] -then - # save cause freezing is slow - mkdir "$__object/files" - pip_freeze="$__object/files/pip-freeze.tmp" - pip3 freeze > "$pip_freeze" - - # If all is set, it searches all available extras to separatly check them. - # It would work with just 'all' (cause dependencies are specified for - # 'all'), but will not update if one extra is already present. Side effect - # is that it will not use [all] but instead name all extras seperatly. - for extra in $(if grep -qFx all "$__object/parameter/extra"; - then awk -F': ' '$1 == "Provides-Extra" && $2 != "all"{print $2}' "$distinfo_dir/METADATA"; - else tr ',' '\n' < "$__object/parameter/extra"; - fi) - do - # create a grep BRE pattern to search all packages - # maybe a file full of patterns for -F could be written - grep_pattern="$( - awk -F'(: | ; )' -v check="$extra" ' - $1 == "Requires-Dist" { - split($2, r, " "); - sub("extra == ", "", $3); gsub("'"'"'", "", $3); - if($3 == check) print r[1] - }' "$distinfo_dir/METADATA" \ - | sed ':a; $!N; s/\n/\\|/; ta' - )" - - # echo the extra if no packages where found for it - # if there is no pattern, we don't need to search ;-) - # pip matches packages case-insensetive, we need to do that, too - if [ "$grep_pattern" ] && ! grep -qi "$grep_pattern" "$pip_freeze" - then - echo "$extra" - fi - done -fi diff --git a/cdist/conf/type/__package_pip/explorer/state b/cdist/conf/type/__package_pip/explorer/state old mode 100755 new mode 100644 diff --git a/cdist/conf/type/__package_pip/gencode-remote b/cdist/conf/type/__package_pip/gencode-remote index 9abe28bf..a1375c2d 100755 --- a/cdist/conf/type/__package_pip/gencode-remote +++ b/cdist/conf/type/__package_pip/gencode-remote @@ -2,7 +2,6 @@ # # 2012 Nico Schottelius (nico-cdist at schottelius.org) # 2016 Darko Poljak (darko.poljak at gmail.com) -# 2021 Matthias Stecher (matthiasstecher at gmx.de) # # This file is part of cdist. # @@ -26,10 +25,7 @@ state_is=$(cat "$__object/explorer/state") state_should="$(cat "$__object/parameter/state")" -# short circuit if state is the same and no extras to install -[ "$state_is" = "$state_should" ] && ! [ -s "$__object/explorer/extras" ] \ - && exit 0 - +[ "$state_is" = "$state_should" ] && exit 0 nameparam="$__object/parameter/name" if [ -f "$nameparam" ]; then @@ -60,14 +56,6 @@ fi case "$state_should" in present) - if [ -s "$__object/explorer/extras" ] - then - # all extras are passed to pip in a comma-separated list in the name - # sed loops through all input lines and add commas between them - extras="$(sed ':a; $!N; s/\n/,/; ta' "$__object/explorer/extras")" - name="${name}[${extras}]" - fi - if [ "$runas" ] then echo "su -c '$pip install -q $name' $runas" diff --git a/cdist/conf/type/__package_pip/man.rst b/cdist/conf/type/__package_pip/man.rst index 5a2bc673..234ceee2 100644 --- a/cdist/conf/type/__package_pip/man.rst +++ b/cdist/conf/type/__package_pip/man.rst @@ -22,16 +22,6 @@ OPTIONAL PARAMETERS name If supplied, use the name and not the object id as the package name. -extra - Extra optional dependencies which should be installed along the selected - package. Can be specified multiple times. Multiple extras can be passed - in one `--extra` as a comma-separated list. - - Extra optional dependencies will be installed even when the base package - is already installed. Notice that the type will not remove installed extras - that are not explicitly named for the type because pip does not offer a - management for orphaned packages and they may be used by other packages. - pip Instead of using pip from PATH, use the specific pip path. @@ -56,14 +46,6 @@ EXAMPLES # Use pip in a virtualenv located at /foo/shinken_virtualenv as user foo __package_pip pyro --state present --pip /foo/shinken_virtualenv/bin/pip --runas foo - # Install package with optional dependencies - __package_pip mautrix-telegram --extra speedups --extra webp_convert --extra hq_thumbnails - # the extras can also be specified comma-separated - __package_pip mautrix-telegram --extra speedups,webp_convert,hq_thumbnails --extra postgres - - # or take all extras - __package_pip mautrix-telegram --extra all - SEE ALSO -------- @@ -72,13 +54,12 @@ SEE ALSO AUTHORS ------- -| Nico Schottelius -| Matthias Stecher +Nico Schottelius COPYING ------- -Copyright \(C) 2012 Nico Schottelius, 2021 Matthias Stecher. You can -redistribute it and/or modify it under the terms of the GNU General -Public License as published by the Free Software Foundation, either -version 3 of the License, or (at your option) any later version. +Copyright \(C) 2012 Nico Schottelius. You can redistribute it +and/or modify it under the terms of the GNU General Public License as +published by the Free Software Foundation, either version 3 of the +License, or (at your option) any later version. diff --git a/cdist/conf/type/__package_pip/parameter/optional_multiple b/cdist/conf/type/__package_pip/parameter/optional_multiple deleted file mode 100644 index 0f228715..00000000 --- a/cdist/conf/type/__package_pip/parameter/optional_multiple +++ /dev/null @@ -1 +0,0 @@ -extra diff --git a/cdist/conf/type/__postgres_role/explorer/state b/cdist/conf/type/__postgres_role/explorer/state index 34069de9..c8e1fa9d 100755 --- a/cdist/conf/type/__postgres_role/explorer/state +++ b/cdist/conf/type/__postgres_role/explorer/state @@ -1,7 +1,6 @@ -#!/bin/sh -e +#!/bin/sh # # 2011 Steven Armstrong (steven-cdist at armstrong.cc) -# 2020 Dennis Camera (dennis.camera at ssrq-sds-fds.ch) # # This file is part of cdist. # @@ -12,140 +11,32 @@ # # cdist is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with cdist. If not, see . # -case $("${__explorer:?}/os") +case "$("${__explorer}/os")" in - (netbsd) - postgres_user='pgsql' - ;; - (openbsd) - postgres_user='_postgresql' - ;; - (*) - postgres_user='postgres' - ;; + netbsd) + postgres_user='pgsql' + ;; + openbsd) + postgres_user='_postgresql' + ;; + *) + postgres_user='postgres' + ;; esac -rolename=${__object_id:?} +name="$__object_id" -psql_query() { - su -l "${postgres_user}" -c "$( - printf "psql -q -F '\034' -R '\036' -wAc '%s'" \ - "$(printf %s "$*" | sed "s/'/'\\\\''/g")" - )" -} - -password_check_login() ( - PGPASSWORD=$(cat "${__object:?}/parameter/password"; printf .) - PGPASSWORD=${PGPASSWORD%?.} - export PGPASSWORD - psql -q -w -h localhost -U "${rolename}" template1 -c '\q' >/dev/null 2>&1 -) - -role_properties=$( - psql_query "SELECT * FROM pg_roles WHERE rolname = '${rolename}'" \ - | awk ' - BEGIN { RS = "\036"; FS = "\034" } - /^\([0-9]+ rows?\)/ { exit } - NR == 1 { for (i = 1; i <= NF; i++) cols[i] = $i; next } - NR == 2 { for (i = 1; i <= NF; i++) printf "%s=%s\n", cols[i], $i } - ' -) - -if test -n "${role_properties}" +if test -n "$(su - "$postgres_user" -c "psql postgres -twAc \"SELECT 1 FROM pg_roles WHERE rolname='$name'\"")" then - # Check if the user's properties match the parameters - for prop in login createdb createrole superuser - do - bool_should=$(test -f "${__object:?}/parameter/${prop}" && echo 't' || echo 'f') - bool_is=$( - printf '%s\n' "${role_properties}" | - awk -F '=' -v key="${prop}" ' - BEGIN { - if (key == "login") - key = "canlogin" - else if (key == "superuser") - key = "super" - key = "rol" key - } - $1 == key { - sub(/^[^=]*=/, "") - print - } - ' - ) - - test "${bool_is}" = "${bool_should}" || { - state='different properties' - } - done - - # Check password - passwd_stored=$( - psql_query "SELECT rolpassword FROM pg_authid WHERE rolname = '${rolename}'" \ - | awk 'BEGIN { RS = "\036" } NR == 2' - printf . - ) - passwd_stored=${passwd_stored%?.} - - if test -f "${__object:?}/parameter/password" - then - passwd_should=$(cat "${__object:?}/parameter/password"; printf .) - fi - passwd_should=${passwd_should%?.} - - if test -z "${passwd_stored}" - then - test -z "${passwd_should}" || state="${state:-different} password" - elif expr "${passwd_stored}" : 'SCRAM-SHA-256\$.*$' >/dev/null - then - # SCRAM-SHA-256 "encrypted" password - # NOTE: There is currently no easy way to check SCRAM passwords without - # logging in - password_check_login || state="${state:-different} password" - elif expr "${passwd_stored}" : 'md5[0-9a-f]\{32\}$' >/dev/null - then - # MD5 "encrypted" password - if command -v md5sum >/dev/null 2>&1 - then - should_md5=$( - printf '%s%s' "${passwd_should}" "${rolename}" \ - | md5sum - | sed -e 's/[^0-9a-f]*$//') - elif command -v gmd5sum >/dev/null 2>&1 - then - should_md5=$( - printf '%s%s' "${passwd_should}" "${rolename}" \ - | gmd5sum - | sed -e 's/[^0-9a-f]*$//') - elif command -v openssl >/dev/null 2>&1 - then - should_md5=$( - printf '%s%s' "${passwd_should}" "${rolename}" \ - | openssl dgst -md5 | sed 's/^.* //') - fi - - if test -n "${should_md5}" - then - test "${passwd_stored}" = "md5${should_md5}" \ - || state="${state:-different} password" - else - password_check_login || state="${state:-different} password" - fi - else - # unencrypted password (unsupported since PostgreSQL 10) - test "${passwd_stored}" = "${passwd_should}" \ - || state="${state:-different} password" - fi - - test -n "${state}" || state='present' + echo 'present' else - state='absent' + echo 'absent' fi - -echo "${state}" diff --git a/cdist/conf/type/__postgres_role/gencode-remote b/cdist/conf/type/__postgres_role/gencode-remote index d7631fbd..282294c9 100755 --- a/cdist/conf/type/__postgres_role/gencode-remote +++ b/cdist/conf/type/__postgres_role/gencode-remote @@ -1,7 +1,6 @@ #!/bin/sh -e # # 2011 Steven Armstrong (steven-cdist at armstrong.cc) -# 2020 Dennis Camera (dennis.camera at ssrq-sds-fds.ch) # # This file is part of cdist. # @@ -12,117 +11,55 @@ # # cdist is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with cdist. If not, see . # -quote() { - if test $# -gt 0 - then - printf '%s' "$*" - else - cat - - fi | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/'/" -} - -case $(cat "${__global:?}/explorer/os") +case "$(cat "${__global}/explorer/os")" in - (netbsd) - postgres_user='pgsql' - ;; - (openbsd) - postgres_user='_postgresql' - ;; - (*) - postgres_user='postgres' - ;; + netbsd) + postgres_user='pgsql' + ;; + openbsd) + postgres_user='_postgresql' + ;; + *) + postgres_user='postgres' + ;; esac -rolename=${__object_id:?} -state_is=$(cat "${__object:?}/explorer/state") -state_should=$(cat "${__object:?}/parameter/state") +name="$__object_id" +state_is="$(cat "$__object/explorer/state")" +state_should="$(cat "$__object/parameter/state")" -if test "${state_is}" = "${state_should}" -then - exit 0 -fi +[ "$state_is" = "$state_should" ] && exit 0 -psql_query() { - printf 'su -l %s -c %s\n' \ - "$(quote "${postgres_user}")" \ - "$(quote "psql postgres -q -w -c $(quote "$1")")" -} +case "$state_should" in + present) + if [ -f "$__object/parameter/password" ]; then + password="$(cat "$__object/parameter/password")" + fi + booleans="" + for boolean in login createdb createrole superuser; do + if [ ! -f "$__object/parameter/$boolean" ]; then + boolean="no${boolean}" + fi + upper=$(echo $boolean | tr '[:lower:]' '[:upper:]') + booleans="$booleans $upper" + done -psql_set_password() { - # NOTE: Always make sure that the password does not end up in psql_history! - # NOTE: Never set an empty string as the password, because they can be - # interpreted differently by different tooling. - if test -s "${__object:?}/parameter/password" - then - cat <<-EOF - exec 3< "\${__object:?}/parameter/password" - su -l '${postgres_user}' -c 'psql -q -w postgres' <<'SQL' - \set HISTFILE /dev/null - \set pw \`cat <&3\` - ALTER ROLE "${rolename}" WITH PASSWORD :'pw'; - SQL - exec 3<&- - EOF - else - psql_query "ALTER ROLE \"${rolename}\" WITH PASSWORD NULL;" - fi -} - -role_properties_should() { - _props= - for _prop in login createdb createrole superuser - do - _props="${_props}${_props:+ }$( - if test -f "${__object:?}/parameter/${_prop}" - then - echo "${_prop}" - else - echo "no${_prop}" - fi \ - | tr '[:lower:]' '[:upper:]')" - done - printf '%s\n' "${_props}" - unset _prop _props -} - -case ${state_should} -in - (present) - case ${state_is} - in - (absent) - psql_query "CREATE ROLE \"${rolename}\" WITH $(role_properties_should);" - psql_set_password - ;; - (different*) - if expr "${state_is}" : 'different.*properties' >/dev/null - then - psql_query "ALTER ROLE \"${rolename}\" WITH $(role_properties_should);" - fi - - if expr "${state_is}" : 'different.*password' >/dev/null - then - psql_set_password - fi - ;; - (*) - printf 'Invalid state reported by state explorer: %s\n' "${state_is}" >&2 - exit 1 - ;; - esac - ;; - (absent) - printf 'su -l %s -c %s\n' \ - "$(quote "${postgres_user}")" \ - "$(quote "dropuser $(quote "${rolename}")")" - ;; + [ -n "$password" ] && password="PASSWORD '$password'" + cat << EOF +su - '$postgres_user' -c "psql postgres -wc \"CREATE ROLE \\\\\"$name\\\\\" WITH $password $booleans;\"" +EOF + ;; + absent) + cat << EOF +su - '$postgres_user' -c "dropuser \"$name\"" +EOF + ;; esac diff --git a/cdist/conf/type/__pyvenv/man.rst b/cdist/conf/type/__pyvenv/man.rst index e2e4a1e6..8085ff12 100644 --- a/cdist/conf/type/__pyvenv/man.rst +++ b/cdist/conf/type/__pyvenv/man.rst @@ -61,7 +61,7 @@ EXAMPLES __pyvenv /home/foo/fooenv --pyvenv /usr/local/bin/pyvenv-3.4 # Create python virtualenv for user foo. - __pyvenv /home/foo/fooenv --group foo --owner foo + __pyvenv /home/foo/fooenv --group foo --user foo # Create python virtualenv with specific parameters. __pyvenv /home/services/djangoenv --venvparams "--copies --system-site-packages" diff --git a/cdist/conf/type/__ssh_authorized_key/explorer/entry b/cdist/conf/type/__ssh_authorized_key/explorer/entry index aca0f2b9..ccab0afc 100755 --- a/cdist/conf/type/__ssh_authorized_key/explorer/entry +++ b/cdist/conf/type/__ssh_authorized_key/explorer/entry @@ -25,7 +25,6 @@ type_and_key="$(tr ' ' '\n' < "$__object/parameter/key"| awk '/^(ssh|ecdsa)-[^ ] if [ -n "${type_and_key}" ] then file="$(cat "$__object/parameter/file")" - test -e "$file" || exit 0 # get any entries that match the type and key diff --git a/cdist/conf/type/__ssh_authorized_key/gencode-remote b/cdist/conf/type/__ssh_authorized_key/gencode-remote index 61c77fb9..f37aa565 100755 --- a/cdist/conf/type/__ssh_authorized_key/gencode-remote +++ b/cdist/conf/type/__ssh_authorized_key/gencode-remote @@ -37,9 +37,9 @@ tmpfile=\$(mktemp ${file}.cdist.XXXXXXXXXX) # preserve ownership and permissions of existing file if [ -f "$file" ]; then cp -p "$file" "\$tmpfile" - grep -v -F -x '$line' '$file' >\$tmpfile fi -cat "\$tmpfile" >"$file" +grep -v -F -x '$line' '$file' > \$tmpfile || true +mv -f "\$tmpfile" "$file" DONE } diff --git a/cdist/conf/type/__sshd_config/files/update_sshd_config.awk b/cdist/conf/type/__sshd_config/files/update_sshd_config.awk index f7f30e87..d0bc2b4b 100644 --- a/cdist/conf/type/__sshd_config/files/update_sshd_config.awk +++ b/cdist/conf/type/__sshd_config/files/update_sshd_config.awk @@ -89,7 +89,7 @@ function strdelim(s) { return strdelim_internal(s, 1) } function strdelimw(s) { return strdelim_internal(s, 0) } function singleton_option(opt) { - return tolower(opt) !~ /^(acceptenv|allowgroups|allowusers|denygroups|denyusers|hostcertificate|hostkey|listenaddress|logverbose|permitlisten|permitopen|port|setenv|subsystem)$/ + return tolower(opt) !~ /^(acceptenv|allowgroups|allowusers|authenticationmethods|authorizedkeysfile|denygroups|denyusers|hostcertificate|hostkey|listenaddress|logverbose|permitlisten|permitopen|port|setenv|subsystem)$/ } function print_update() { diff --git a/cdist/conf/type/__sshd_config/gencode-remote b/cdist/conf/type/__sshd_config/gencode-remote index 275db4aa..0b44dfa7 100755 --- a/cdist/conf/type/__sshd_config/gencode-remote +++ b/cdist/conf/type/__sshd_config/gencode-remote @@ -91,8 +91,7 @@ awk $(drop_awk_comments "${__type:?}/files/update_sshd_config.awk") \\ cmp -s $(quote "${sshd_config_file}") $(quote "${sshd_config_file}.tmp") || { sshd -t -f $(quote "${sshd_config_file}.tmp") \\ - && cat $(quote "${sshd_config_file}.tmp") >$(quote "${sshd_config_file}") \\ - || exit # stop if sshd_config file check fails + && cat $(quote "${sshd_config_file}.tmp") >$(quote "${sshd_config_file}") } rm -f $(quote "${sshd_config_file}.tmp") EOF diff --git a/cdist/conf/type/__sshd_config/man.rst b/cdist/conf/type/__sshd_config/man.rst index c8e6b8ad..8b0069ac 100644 --- a/cdist/conf/type/__sshd_config/man.rst +++ b/cdist/conf/type/__sshd_config/man.rst @@ -79,10 +79,6 @@ BUGS - ``Include`` directives are ignored. - Config options are not added/removed to/from the config file if their value is the default value. -- | The explorer will incorrectly report ``absent`` if OpenSSH internally - transforms one value to another (e.g. ``permitrootlogin prohibit-password`` - is transformed to ``permitrootlogin without-password``). - | Workaround: Use the value that OpenSSH uses internally. AUTHORS diff --git a/cdist/conf/type/__sshd_config/manifest b/cdist/conf/type/__sshd_config/manifest index e37afebb..566bde90 100755 --- a/cdist/conf/type/__sshd_config/manifest +++ b/cdist/conf/type/__sshd_config/manifest @@ -39,14 +39,7 @@ in (freebsd|netbsd|openbsd) # whitelist ;; - (openbmc-phosphor) - # whitelist - # OpenBMC can be configured with dropbear and OpenSSH. - # If dropbear is used, the state explorer will already fail because it - # cannot find the sshd binary. - ;; (*) - : "${__type:?}" # make shellcheck happy printf 'Your operating system (%s) is currently not supported by this type (%s)\n' \ "${os}" "${__type##*/}" >&2 printf 'Please contribute an implementation for it if you can.\n' >&2 diff --git a/cdist/config.py b/cdist/config.py index 19d5bd70..e84f6f84 100644 --- a/cdist/config.py +++ b/cdist/config.py @@ -420,9 +420,6 @@ class Config: exec_path=sys.argv[0], save_output_streams=args.save_output_streams) - # Make __global state dir available to custom remote scripts. - os.environ['__global'] = local.base_path - remote = cdist.exec.remote.Remote( target_host=target_host, remote_exec=remote_exec, diff --git a/cdist/scan/scan.py b/cdist/scan/scan.py index b1d0e9e1..0ce4dff3 100644 --- a/cdist/scan/scan.py +++ b/cdist/scan/scan.py @@ -59,8 +59,6 @@ from scapy.all import * # Datetime overwrites scapy.all.datetime - needs to be imported AFTER import datetime -import cdist.config - log = logging.getLogger("scan") @@ -127,18 +125,6 @@ class Scanner(object): with open(fname, "w") as fd: fd.write(f"{now}\n") - def config(self): - """ - Configure a host - - - Assume we are only called if necessary - - However we need to ensure to not run in parallel - - Maybe keep dict storing per host processes - - Save the result - - Save the output -> probably aligned to config mode - - """ - def start(self): self.process = Process(target=self.scan) self.process.start() diff --git a/docs/changelog b/docs/changelog index 42a74d04..35953a88 100644 --- a/docs/changelog +++ b/docs/changelog @@ -1,20 +1,6 @@ Changelog --------- -next: - * Type __pyvenv: Fix user example in man page (Dennis Camera) - * Core: config: Make local state directory available to custom remotes (Steven Armstrong - * Type __ssh_authorized_key: grep only if file exists (Dennis Camera) - * Type __sshd_config: Whitelist OpenBMC (Dennis Camera) - -6.9.5: 2021-02-28 - * Core: preos: Fix passing cdist debug parameter (Darko Poljak) - * Type __sshd_config: Produce error if invalid config is generated, fix processing of AuthenticationMethods and AuthorizedKeysFile, document explorer bug (Dennis Camera) - * Explorer memory: Fix result units; support Solaris (Dennis Camera) - * Type __postgres_role: Implement modification of roles (Dennis Camera) - * Type __letsencrypt_cert: Fix issues with hooks (Evil Ham) - * Type __package_pip: Add optional extra dependencies param (Matthias Stecher) - 6.9.4: 2020-12-21 * Type __package_pkgng_freebsd: Fix bootstrapping pkg (Dennis Camera) * Core: Deal with deprecated imp in unit tests (Evil Ham) diff --git a/docs/dev/logs/2020-10-29.org b/docs/dev/logs/2020-10-29.org index 03d6b3f4..4461be8c 100644 --- a/docs/dev/logs/2020-10-29.org +++ b/docs/dev/logs/2020-10-29.org @@ -54,12 +54,4 @@ VERBOSE: scan: Host fe80::f29f:c2ff:fe7c:275e is alive VERBOSE: scan: Host fe80::ba69:f4ff:fec5:8db7 is alive VERBOSE: scan: Host fe80::42b0:34ff:fe6f:f863 is alive VERBOSE: scan: Host fe80::21b:fcff:feee:f4bc is alive -** Better usage -> saving the env - sudo -E cdist scan -b -I wlan0 -vv -** TODO Implement actual configuration step - - Also serves as a nice PoC - - Might need to escape literal IPv6 addresses for scp -** TODO Define how to map link local address to something useful - - via reverse DNS? - - via link local in manifest? -** TODO define ignorehosts? +...