forked from ungleich-public/cdist
Merge branch 'master' into type__rbenv
This commit is contained in:
commit
bcca8a637b
15 changed files with 120 additions and 29 deletions
|
@ -25,7 +25,7 @@ destination="/$__object_id"
|
|||
|
||||
os=$("$__explorer/os")
|
||||
case "$os" in
|
||||
"freebsd")
|
||||
"freebsd"|"openbsd")
|
||||
# FIXME: should be something like this based on man page, but can not test
|
||||
stat -f "type: %ST
|
||||
owner: %Du %Su
|
||||
|
|
|
@ -41,7 +41,7 @@ __iptables_rule established --rule "-A INPUT -m state --state RELATED,ESTABLISH
|
|||
|
||||
# Some service rules
|
||||
__iptables_rule http --rule "-A INPUT -p tcp --dport 80 -j ACCEPT"
|
||||
__iptables_rule ssh --rule "-A INPUT -p tcp --dport 80 -j ACCEPT"
|
||||
__iptables_rule ssh --rule "-A INPUT -p tcp --dport 22 -j ACCEPT"
|
||||
__iptables_rule https --rule "-A INPUT -p tcp --dport 443 -j ACCEPT"
|
||||
|
||||
# Ensure some rules are not present anymore
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
#!/bin/sh
|
||||
#
|
||||
# 2011 Steven Armstrong (steven-cdist at armstrong.cc)
|
||||
# 2012 Nico Schottelius (nico-cdist at schottelius.org)
|
||||
# 2012-2014 Nico Schottelius (nico-cdist at schottelius.org)
|
||||
#
|
||||
# This file is part of cdist.
|
||||
#
|
||||
|
@ -42,12 +42,14 @@ cp -p "$file" "\$tmpfile"
|
|||
sed '/^$key\($delimiter\+\)/d' "$file" > "\$tmpfile"
|
||||
mv -f "\$tmpfile" "$file"
|
||||
DONE
|
||||
echo "remove" >> "$__messages_out"
|
||||
;;
|
||||
present)
|
||||
case "$state_is" in
|
||||
absent)
|
||||
# add new key and value
|
||||
printf 'echo "%s%s%s" >> "%s"' "$key" "$delimiter" "$value_escaped" "$file"
|
||||
echo "add" >> "$__messages_out"
|
||||
;;
|
||||
wrongvalue)
|
||||
# change exisiting value
|
||||
|
@ -58,6 +60,7 @@ cp -p "$file" "\$tmpfile"
|
|||
sed "s|^$key\($delimiter\+\).*|$key\\1$value_escaped|" "$file" > "\$tmpfile"
|
||||
mv -f "\$tmpfile" "$file"
|
||||
DONE
|
||||
echo "changevalue" >> "$__messages_out"
|
||||
;;
|
||||
*)
|
||||
echo "Unknown explorer state: $state_is" >&2
|
||||
|
|
|
@ -32,6 +32,15 @@ key::
|
|||
value::
|
||||
The value for the key. Optional if state=absent, required otherwise.
|
||||
|
||||
MESSAGES
|
||||
--------
|
||||
create::
|
||||
Added key and value
|
||||
change::
|
||||
Changed value of existing key
|
||||
remove::
|
||||
Removed existing key and value
|
||||
|
||||
|
||||
EXAMPLES
|
||||
--------
|
||||
|
|
|
@ -50,8 +50,11 @@ fi
|
|||
|
||||
pkg_version="$(cat "$__object/explorer/pkg_version")"
|
||||
|
||||
# TODO: Shouldn't be hardcoded
|
||||
echo export PKG_PATH=ftp://ftp.openbsd.org/pub/OpenBSD/$os_version/packages/$machine/
|
||||
if [ -f "$__object/parameter/pkg_path" ]; then
|
||||
pkg_path="$(cat "$__object/parameter/pkg_path")"
|
||||
else
|
||||
pkg_path="ftp://ftp.openbsd.org/pub/OpenBSD/$os_version/packages/$machine/"
|
||||
fi
|
||||
|
||||
if [ "$pkg_version" ]; then
|
||||
state_is="present"
|
||||
|
@ -65,6 +68,7 @@ case "$state_should" in
|
|||
present)
|
||||
# use this because pkg_add doesn't properly handle errors
|
||||
cat << eof
|
||||
export PKG_PATH="$pkg_path"
|
||||
status=\$(pkg_add "$pkgopts" "$name--$flavor")
|
||||
|
||||
# no error
|
||||
|
|
|
@ -29,6 +29,8 @@ flavor::
|
|||
state::
|
||||
Either "present" or "absent", defaults to "present"
|
||||
|
||||
pkg_path::
|
||||
Manually specify a PKG_PATH to add packages from.
|
||||
|
||||
EXAMPLES
|
||||
--------
|
||||
|
@ -45,6 +47,10 @@ __package_pkg_openbsd python --state present --name python2
|
|||
|
||||
# Remove obsolete package
|
||||
__package_pkg_openbsd puppet --state absent
|
||||
|
||||
# Add a package using a particular mirror
|
||||
__package_pkg_openbsd bash \
|
||||
--pkg_path http://openbsd.mirrorcatalogs.com/snapshots/packages/amd64
|
||||
--------------------------------------------------------------------------------
|
||||
|
||||
|
||||
|
|
|
@ -1,3 +1,4 @@
|
|||
name
|
||||
flavor
|
||||
state
|
||||
pkg_path
|
||||
|
|
22
cdist/conf/type/__ssh_authorized_keys/explorer/group
Executable file
22
cdist/conf/type/__ssh_authorized_keys/explorer/group
Executable file
|
@ -0,0 +1,22 @@
|
|||
#!/bin/sh
|
||||
#
|
||||
# 2014 Steven Armstrong (steven-cdist at armstrong.cc)
|
||||
#
|
||||
# This file is part of cdist.
|
||||
#
|
||||
# cdist is free software: you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
# the Free Software Foundation, either version 3 of the License, or
|
||||
# (at your option) any later version.
|
||||
#
|
||||
# cdist is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
|
||||
#
|
||||
|
||||
gid="$("$__type_explorer/passwd" | cut -d':' -f 4)"
|
||||
getent group "$gid" || true
|
|
@ -40,9 +40,6 @@ state::
|
|||
file::
|
||||
an alternative destination file, defaults to ~$owner/.ssh/authorized_keys
|
||||
|
||||
comment::
|
||||
an optional comment
|
||||
|
||||
|
||||
BOOLEAN PARAMETERS
|
||||
------------------
|
||||
|
@ -67,12 +64,11 @@ __ssh_authorized_keys root \
|
|||
__ssh_authorized_keys user-name \
|
||||
--key "ssh-rsa AXYZAAB3NzaC1yc2..."
|
||||
|
||||
# same as above, but with explicit owner, two keys and a comment
|
||||
# same as above, but with explicit owner and two keys
|
||||
__ssh_authorized_keys some-fancy-id \
|
||||
--owner user-name \
|
||||
--key "ssh-rsa AXYZAAB3NzaC1yc2..." \
|
||||
--key "ssh-rsa AZXYAAB3NzaC1yc2..." \
|
||||
--comment "allow the members of project foo to login"
|
||||
--key "ssh-rsa AZXYAAB3NzaC1yc2..."
|
||||
|
||||
# same as above, but authorized_keys file in non standard location
|
||||
__ssh_authorized_keys some-fancy-id \
|
||||
|
@ -97,5 +93,5 @@ SEE ALSO
|
|||
|
||||
COPYING
|
||||
-------
|
||||
Copyright \(C) 2012 Steven Armstrong. Free use of this software is
|
||||
Copyright \(C) 2012-2014 Steven Armstrong. Free use of this software is
|
||||
granted under the terms of the GNU General Public License version 3 (GPLv3).
|
||||
|
|
|
@ -1,6 +1,7 @@
|
|||
#!/bin/sh
|
||||
#
|
||||
# 2012 Steven Armstrong (steven-cdist at armstrong.cc)
|
||||
# 2012-2014 Steven Armstrong (steven-cdist at armstrong.cc)
|
||||
# 2014 Nico Schottelius (nico-cdist at schottelius.org)
|
||||
#
|
||||
# This file is part of cdist.
|
||||
#
|
||||
|
@ -32,7 +33,7 @@ else
|
|||
fi
|
||||
|
||||
if [ ! -f "$__object/parameter/noparent" -o ! -f "$__object/parameter/nofile" ]; then
|
||||
group="$(cut -d':' -f 4 "$__object/explorer/passwd")"
|
||||
group="$(cut -d':' -f 1 "$__object/explorer/group")"
|
||||
if [ -z "$group" ]; then
|
||||
echo "Failed to get owners group from explorer." >&2
|
||||
exit 1
|
||||
|
@ -56,16 +57,31 @@ if [ ! -f "$__object/parameter/noparent" -o ! -f "$__object/parameter/nofile" ];
|
|||
fi
|
||||
fi
|
||||
|
||||
# Generate entry for inclusion in authorized_keys file
|
||||
(
|
||||
if [ -f "$__object/parameter/comment" ]; then
|
||||
echo "# $(cat "$__object/parameter/comment")"
|
||||
fi
|
||||
cat "$__object/parameter/key"
|
||||
) | \
|
||||
# Remove legacy blocks created by old versions of this type
|
||||
__block "$__object_name" \
|
||||
--file "$file" \
|
||||
--prefix "#cdist:$__object_name" \
|
||||
--suffix "#/cdist:$__object_name" \
|
||||
--state "$state" \
|
||||
--text -
|
||||
--state 'absent' \
|
||||
--text - << DONE
|
||||
remove legacy block
|
||||
DONE
|
||||
|
||||
_cksum() {
|
||||
echo "$1" | cksum | cut -d' ' -f 1
|
||||
}
|
||||
|
||||
while read key; do
|
||||
cksum_key="$(_cksum "$key")"
|
||||
line_id="${owner}-${cksum_key}"
|
||||
|
||||
set -- "$line_id"
|
||||
set -- "$@" --file "$file"
|
||||
set -- "$@" --regex ".*$key.*"
|
||||
if [ "$state" = 'present' ]; then
|
||||
set -- "$@" --line "$key"
|
||||
fi
|
||||
set -- "$@" --state "$state"
|
||||
# Ensure __line does not read stdin
|
||||
require="__block/$__object_name" __line "$@" < /dev/null
|
||||
done < "$__object/parameter/key"
|
||||
|
|
|
@ -1,4 +1,3 @@
|
|||
owner
|
||||
state
|
||||
file
|
||||
comment
|
||||
|
|
|
@ -26,9 +26,10 @@ os="$($__explorer/os)"
|
|||
# Default to using shadow passwords
|
||||
database="shadow"
|
||||
|
||||
if [ "$os" = "freebsd" ]; then
|
||||
database="passwd"
|
||||
fi
|
||||
case "$os" in
|
||||
"freebsd"|"openbsd") database="passwd";;
|
||||
esac
|
||||
|
||||
|
||||
getent "$database" "$name" || true
|
||||
|
||||
|
|
|
@ -5,8 +5,15 @@ Changelog
|
|||
* Exception: No braces means author == Nico Schottelius
|
||||
|
||||
|
||||
3.0.10:
|
||||
next:
|
||||
* Type __file: Enhance OpenBSD Support (og)
|
||||
* Type __git: Pass onwer/group/mode values to __directory
|
||||
* Type __iptable_rule: Fix example documentation (Antoine Catton)
|
||||
* Type __key_value: Add messaging support
|
||||
* Type __package_pkg_openbsd: Allow to change PKG_PATH (og)
|
||||
* Type __ssh_authorized_keys: Allow managing existing keys (Steven Armstrong)
|
||||
* Type __user: Enhance OpenBSD Support (og)
|
||||
|
||||
|
||||
3.0.9: 2014-02-14
|
||||
* Core: Ignore order dependencies if override is set (Daniel Heule)
|
||||
|
@ -21,7 +28,6 @@ Changelog
|
|||
* Type __rvm_gemset: Use default parameters for state (Daniel Heule)
|
||||
* Type __rvm_ruby: Use default parameters for state (Daniel Heule)
|
||||
|
||||
|
||||
3.0.8: 2014-02-11
|
||||
* Core: Enhance object id verification (Daniel Heule)
|
||||
* Core: Add unit tests for dependencies based on execution order (Daniel Heule)
|
||||
|
|
|
@ -4,4 +4,14 @@
|
|||
implemented as a proof of concept at:
|
||||
https://github.com/asteven/cdist/tree/type-namespaces
|
||||
|
||||
|
||||
|
||||
Execute all global explorers only when needed #286
|
||||
|
||||
My intention is to create a brunch of global explorer which are of use in some cases and makes cdist more userfriendly. But now, all global explorers are allways executed, even the return value of the explorers is never used.
|
||||
|
||||
I think a possible approach can be to replace the result files with pipes, and on first read of the pipe, the explorer is executed by the core, all following read calls from the pipe are answered from the core with the result of the first real execute of the explorer.
|
||||
|
||||
So cdist can have an unlimited number of global explorers and only used explorers are executed on the target host, all other explorers laying around are simply ignored.
|
||||
|
||||
Also a possible approach would be to create a new explorer type (dynamic explorers) which are sitting in a different directory to (for example dynexploer) and only this ones are executed with the conditional approach explained above. So the overhead to create pipes and monitor it is only in place on explorers which are not interesting for everyone ...
|
||||
|
|
18
docs/dev/logs/2014-02-18.unauthenticated-packages
Normal file
18
docs/dev/logs/2014-02-18.unauthenticated-packages
Normal file
|
@ -0,0 +1,18 @@
|
|||
- we cannot install packages, which are not authenticated:
|
||||
|
||||
INFO: voicerepublic-staging.sky.ungleich.ch: Executing code for __package_apt/deb-multimedia-keyring
|
||||
Reading package lists...
|
||||
Building dependency tree...
|
||||
Reading state information...
|
||||
The following NEW packages will be installed:
|
||||
deb-multimedia-keyring
|
||||
0 upgraded, 1 newly installed, 0 to remove and 13 not upgraded.
|
||||
Need to get 14.4 kB of archives.
|
||||
After this operation, 46.1 kB of additional disk space will be used.
|
||||
WARNING: The following packages cannot be authenticated!
|
||||
deb-multimedia-keyring
|
||||
E: There are problems and -y was used without --force-yes
|
||||
ERROR: voicerepublic-staging.sky.ungleich.ch: Command failed: ssh -o User=root -q voicerepublic-staging.sky.ungleich.ch /bin/sh -e /var/lib/cdist/object/__package_apt/deb-multimedia-keyring/.cdist/code-remote
|
||||
INFO: cdist: Total processing time for 1 host(s): 72.07943892478943
|
||||
ERROR: cdist: Failed to configure the following hosts: voicerepublic-staging.sky.ungleich.ch
|
||||
|
Loading…
Reference in a new issue