Compare commits

...

45 commits

Author SHA1 Message Date
Alexander Sieg
92432c5d9a cconn a transparent connection wrapper
cconn used the inventory system to dynamically connect to FreeBSD jail via
the host system and/or using sudo to get root access

This is more of a prove of concept then a finish idea.
2021-01-20 20:18:38 +01:00
Darko Poljak
92a50da487 Fix pycodestyle issues 2021-01-18 06:28:09 +01:00
Darko Poljak
6e9b13d949 ++changelog 2021-01-18 06:22:32 +01:00
878a65a8b7 Merge branch 'fix/type/__sshd_config/error-on-invalid' into 'master'
sshd config: Produce error if invalid config is generated, fix processing of AuthenticationMethods and AuthorizedKeysFile, document explorer bug

See merge request ungleich-public/cdist!968
2021-01-18 06:22:02 +01:00
cce470b556 Merge branch 'bugfix/preos-debug' into 'master'
Fix debug parameter

Closes #849

See merge request ungleich-public/cdist!970
2021-01-18 06:17:36 +01:00
Nico Schottelius
f0e1b3b849 Merge branch 'master' of code.ungleich.ch:ungleich-public/cdist 2021-01-11 22:20:50 +01:00
Darko Poljak
c819548343 Fix debug parameter
-d was removed from cdist in favor of mulitple -v and -l parameters, but
-d was not removed from preos.

Resolve #849.
2021-01-11 09:51:52 +01:00
Dennis Camera
bd8ab8f26f [type/__sshd_config] Document "bug" in state explorer 2021-01-05 17:02:42 +01:00
Dennis Camera
8753b7eedf [type/__sshd_config] Make AuthenticationMethods and AuthorizedKeysFile singleton options
They were incorrectly treated as non-singleton options before.

cf. https://github.com/openssh/openssh-portable/blob/V_8_4/servconf.c#L2273
and https://github.com/openssh/openssh-portable/blob/V_8_4/servconf.c#L1899 resp.
2021-01-05 16:59:04 +01:00
Dennis Camera
766198912d [type/__sshd_config] Produce error if invalid config file is generated
Previously, cdist would silently swallow the error (no invalid config file was
generated).

Reason: `set -e` does not exit if a command in a sub-command group fails,
it merely returns with a non-zero exit status.

e.g. the following snippet does not abort the script if sshd -t returns with a
non-zero exit status:

    set -e
    cmp -s old new || {
        # check config file and update it
        sshd -t -f new \
        && cat new >old
    }

or compressed:

    set -e
    false || { false && true; }
    echo $?
    # prints 1
2021-01-05 15:50:21 +01:00
Darko Poljak
7cf85c4659 Release 6.9.4 2020-12-21 19:21:51 +01:00
Nico Schottelius
a10d43bc69 Merge branch 'master' of code.ungleich.ch:ungleich-public/cdist 2020-12-20 11:42:44 +01:00
Darko Poljak
4bae2863db ++changelog 2020-12-18 12:54:33 +01:00
3566901e1c Merge branch '__dot_file-dirmode' into 'master'
Added optional dirmode parameter to set the mode of (optional) the directory.

See merge request ungleich-public/cdist!966
2020-12-18 12:50:30 +01:00
Mark Verboom
8dc2c4207c Added optional dirmode parameter to set the mode of (optional) the directory. 2020-12-18 11:16:28 +01:00
Darko Poljak
71f2283117 ++changelog 2020-12-13 16:03:39 +01:00
f87da8150c Merge branch 'type/__debian_backports' into 'master'
__apt_backports type

See merge request ungleich-public/cdist!964
2020-12-13 16:03:31 +01:00
ae747ac021 Merge branch 'os_version-freebsd' into 'master'
[explorer/os_version] Improve FreeBSD support.

See merge request ungleich-public/cdist!965
2020-12-13 16:00:45 +01:00
27aca06fb8 __apt_backports: undo __apt_update_index call
Becuase it is already done by __apt_source.
2020-12-12 17:34:51 +01:00
fca35fc858 __apt_backports: fix explorer call
s/-/_/ because the explorers are following an other convention :-)
2020-12-12 17:29:58 +01:00
645734c629 [explorer/os_version] Improve FreeBSD support.
It looks like uname -r is not the most reliable way to get the target patch
level for the target system.

For more information see:
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=251743
2020-12-12 12:15:17 +01:00
fafa3d9ea5 __apt_backports: update index if required
This type now automatically calls the type __apt_update_index to update
the package index if something changed.
2020-12-12 10:00:23 +01:00
49aec0b5e4 __apt_backports: list supported OSes
The manpage now lists all OSes where this type supports backports.
2020-12-12 09:40:47 +01:00
c4d19a2319 __debian_backports -> __apt_backports; add wider os support
As discussed in the chat, this type now supports a broader list of OSes
which it supports backports for. Because of this, it was renamed to
something more generic. "apt" should fit in.
2020-12-12 09:36:17 +01:00
Nico Schottelius
69b8bc9af0 Merge branch 'master' of code.ungleich.ch:ungleich-public/cdist 2020-12-11 19:38:03 +01:00
Nico Schottelius
bc2948a8a5 ++scan stuff 2020-12-11 19:37:53 +01:00
0d96b31b56 __debian_backports: pass shellcheck for sourced file
Because the sourced explorer can't be detected by shellcheck, it will be
completely disabled. Changing the path to /etc/os-release isn't
deterministic either.

The shellcheck wiki page suggests to use `source=/dev/null` instead of
`disable=SC1090`, but it was choosen to completely avoid that check ..
2020-12-11 18:13:44 +01:00
a5169ad858 new type __debian_backports
This new type will setup the backports distribution for the current
Debian release.
2020-12-10 21:24:26 +01:00
Darko Poljak
a58f5ffa7f ++changelog 2020-12-08 19:36:44 +01:00
0546d6e476 Merge branch 'fix/__block/escape' into 'master'
__block: fix escaping in here-doc

Closes #838

See merge request ungleich-public/cdist!962
2020-12-08 19:36:45 +01:00
Darko Poljak
14c81d6c7e ++changelog 2020-12-08 07:16:26 +01:00
a1987fe410 Merge branch 'feature/__iptables_rule/ipv6' into 'master'
__iptables*: add IPv6 support

See merge request ungleich-public/cdist!959
2020-12-08 07:10:29 +01:00
c5ca4cd2e1 __block: securly quote via the quote function
Because the function already exists, it will be used for the file to be
changed, too. Therefor, no quotes are required for that value.

The prefix and suffix match was also improved: There is no regex check
any more (the regex did checked the whole line); instead it will do it
simple.
2020-12-07 19:59:05 +01:00
Darko Poljak
2966296173 ++changelog 2020-12-07 19:47:52 +01:00
226f665fb5 Merge branch 'imp-deprecation' into 'master'
Deal with deprecation of imp module.

See merge request ungleich-public/cdist!963
2020-12-07 19:48:08 +01:00
1c61989c03 Merge branch 'fix/type/__package_pkgng_freebsd/bootstrap' into 'master'
__package_pkgng_freebsd: Fix bootstrapping pkg(7)

See merge request ungleich-public/cdist!961
2020-12-07 19:42:21 +01:00
bed08c2c5c Deal with deprecation of imp module.
importlib has been a thing since Python 3.1, and imp has been deprecated since
3.4.

Insert random complaint here about not being able to use f-strings because they
were introduced in Python 3.6 and apparently we support Python 3.5 >,<.

Output diff before to after for ./bin/cdist-build-helper test (on heavy load):
```
1,2d0
< /usr/home/evilham/s/cdist/cdist/cdist/test/__main__.py:23: DeprecationWarning: the imp module is deprecated in favour of importlib; see the module's documentation for alternative uses
<   import imp
72c70
< ERROR: cdisttesthost: __file/tmp/foobar requires object __file without object id. Defined at /tmp/tmp.cdist.test.g87lx7c8/tmp.cdist.test.6ramsakx
---
> ERROR: cdisttesthost: __file/tmp/foobar requires object __file without object id. Defined at /tmp/tmp.cdist.test.aqdf6vjz/tmp.cdist.test.jgv3udel
76c74
< test_nonexistent_type_requirement (cdist.test.emulator.EmulatorTestCase) ... ERROR: cdisttesthost: __file/tmp/foobar requires object __does-not-exist/some-id, but type __does-not-exist does not exist. Defined at /tmp/tmp.cdist.test.mma5j8ln/tmp.cdist.test.3zg4by4d
---
> test_nonexistent_type_requirement (cdist.test.emulator.EmulatorTestCase) ... ERROR: cdisttesthost: __file/tmp/foobar requires object __does-not-exist/some-id, but type __does-not-exist does not exist. Defined at /tmp/tmp.cdist.test.t8d6ockr/tmp.cdist.test.uimxurg9
86c84
< test_initial_manifest_environment (cdist.test.manifest.ManifestTestCase) ... VERBOSE: cdisttesthost: Running initial manifest /tmp/tmp.cdist.test.uvid60ij/759547ff4356de6e3d9e08522b0d0807/data/conf/manifest/dump_environment
---
> test_initial_manifest_environment (cdist.test.manifest.ManifestTestCase) ... VERBOSE: cdisttesthost: Running initial manifest /tmp/tmp.cdist.test._cttcnrj/759547ff4356de6e3d9e08522b0d0807/data/conf/manifest/dump_environment
89c87
< test_type_manifest_environment (cdist.test.manifest.ManifestTestCase) ... VERBOSE: cdisttesthost: Running type manifest /tmp/tmp.cdist.test.k1i2onpb/759547ff4356de6e3d9e08522b0d0807/data/conf/type/__dump_environment/manifest for object __dump_environment/whatever
---
> test_type_manifest_environment (cdist.test.manifest.ManifestTestCase) ... VERBOSE: cdisttesthost: Running type manifest /tmp/tmp.cdist.test.ukr7lrzd/759547ff4356de6e3d9e08522b0d0807/data/conf/type/__dump_environment/manifest for object __dump_environment/whatever
272c270
< Ran 225 tests in 44.457s
---
> Ran 225 tests in 43.750s
```
2020-12-06 20:24:00 +01:00
3930f69456 __block: fix escaping in here-doc
This changes the here-document to do not interpret any shell-things. It
also single-quotes some more strings that are printed to code-remote.

Fixes #838
2020-12-06 16:45:58 +01:00
087be130fa __iptables_apply: shorten copyright header
Do we need all the copyright header or is this sufficient? The licence
is given for cdist, but not on the target host. But it should be clear
anyway.
2020-12-04 19:23:49 +01:00
Dennis Camera
2d19856840 [type/__package_pkgng_freebsd] Set ASSUME_ALWAYS_YES instead of -y 2020-12-04 18:26:03 +01:00
ba7d16a155 __iptables_*: correct manpage spelling 2020-12-04 17:57:55 +01:00
a1db5c3d0e __iptables*: Update manpages for execution order
To make some thinks clear if someone needs it ..
2020-12-02 18:22:31 +01:00
bee255c1ae __iptables_apply: man updates 2020-12-02 18:04:50 +01:00
f568462e49 __iptables_rule: fix shellcheck SC2235 2020-12-02 17:48:41 +01:00
84172550df __iptables*: add IPv6 support
Because it currently only support IPv4. To implement this, it falls back
to IPv4 for backward compatibilty, but now supports rules for IPv6 and
both protocols at the same time.
2020-11-30 20:35:19 +01:00
26 changed files with 615 additions and 49 deletions

View file

@ -70,6 +70,11 @@ case "$("$__explorer/os")" in
macosx)
sw_vers -productVersion
;;
freebsd)
# Apparently uname -r is not a reliable way to get the patch level.
# See: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=251743
freebsd-version
;;
*bsd|solaris)
uname -r
;;

View file

@ -0,0 +1,104 @@
cdist-type__debian_backports(7)
===============================
NAME
----
cdist-type__apt_backports - Install backports
DESCRIPTION
-----------
This singleton type installs backports for the current OS release.
It aborts if backports are not supported for the specified OS or
no version codename could be fetched (like Debian unstable).
The package index will be automatically updated if required.
It supports backports from following OSes:
- Debian
- Devuan
- Ubuntu
REQUIRED PARAMETERS
-------------------
None.
OPTIONAL PARAMETERS
-------------------
state
Represents the state of the backports repository. ``present`` or
``absent``, defaults to ``present``.
Will be directly passed to :strong:`cdist-type__apt_source`\ (7).
mirror
The mirror to fetch the backports from. Will defaults to the generic
mirror of the current OS.
Will be directly passed to :strong:`cdist-type__apt_source`\ (7).
BOOLEAN PARAMETERS
------------------
None.
MESSAGES
--------
None.
EXAMPLES
--------
.. code-block:: sh
# setup the backports
__apt_backports
__apt_backports --state absent
__apt_backports --state present --mirror "http://ftp.de.debian.org/debian/"
# install a backports package
# currently for the buster release backports
require="__apt_backports" __package_apt wireguard \
--target-release buster-backports
ABORTS
------
Aborts if the detected os is not Debian.
Aborts if no distribuition codename could be detected. This is common for the
unstable distribution, but there is no backports repository for it already.
CAVEATS
-------
For Ubuntu, it setup all componenents for the backports repository: ``main``,
``restricted``, ``universe`` and ``multiverse``. The user may not want to
install proprietary packages, which will only be installed if the user
explicitly uses the backports target-release. The user may change this behavior
to install backports packages without the need of explicitly select it.
SEE ALSO
--------
`Official Debian Backports site <https://backports.debian.org/>`_
:strong:`cdist-type__apt_source`\ (7)
AUTHORS
-------
Matthias Stecher <matthiasstecher at gmx.de>
COPYING
-------
Copyright \(C) 2020 Matthias Stecher. You can redistribute it
and/or modify it under the terms of the GNU General Public License as
published by the Free Software Foundation, either version 3 of the
License, or (at your option) any later version.

View file

@ -0,0 +1,81 @@
#!/bin/sh -e
# __apt_backports/manifest
#
# 2020 Matthias Stecher (matthiasstecher at gmx.de)
#
# This file is part of cdist.
#
# cdist is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# cdist is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
#
#
# Enables/disables backports repository. Utilises __apt_source for it.
#
# Get the distribution codename by /etc/os-release.
# is already executed in a subshell by string substitution
# lsb_release may not be given in all installations
codename_os_release() {
# shellcheck disable=SC1090
. "$__global/explorer/os_release"
printf "%s" "$VERSION_CODENAME"
}
# detect backport distribution
os="$(cat "$__global/explorer/os")"
case "$os" in
debian)
dist="$( codename_os_release )"
components="main"
mirror="http://deb.debian.org/debian/"
;;
devuan)
dist="$( codename_os_release )"
components="main"
mirror="http://deb.devuan.org/merged"
;;
ubuntu)
dist="$( codename_os_release )"
components="main restricted universe multiverse"
mirror="http://archive.ubuntu.com/ubuntu"
;;
*)
printf "Backports for %s are not supported!\n" "$os" >&2
exit 1
;;
esac
# error if no codename given (e.g. on Debian unstable)
if [ -z "$dist" ]; then
printf "No backports for unkown version of distribution %s!\n" "$os" >&2
exit 1
fi
# parameters
state="$(cat "$__object/parameter/state")"
# mirror already set for the os, only override user-values
if [ -f "$__object/parameter/mirror" ]; then
mirror="$(cat "$__object/parameter/mirror")"
fi
# install the given backports repository
__apt_source "${dist}-backports" \
--state "$state" \
--distribution "${dist}-backports" \
--component "$components" \
--uri "$mirror"

View file

@ -0,0 +1 @@
present

View file

@ -0,0 +1,2 @@
state
mirror

View file

@ -46,28 +46,29 @@ fi
remove_block() {
cat << DONE
tmpfile=\$(mktemp ${file}.cdist.XXXXXXXXXX)
tmpfile=\$(mktemp ${quoted_file}.cdist.XXXXXXXXXX)
# preserve ownership and permissions of existing file
if [ -f "$file" ]; then
cp -p "$file" "\$tmpfile"
if [ -f $quoted_file ]; then
cp -p $quoted_file "\$tmpfile"
fi
awk -v prefix=^$(quote "$prefix")\$ -v suffix=^$(quote "$suffix")\$ '
awk -v prefix=$(quote "$prefix") -v suffix=$(quote "$suffix") '
{
if (match(\$0,prefix)) {
if (\$0 == prefix) {
triggered=1
}
if (triggered) {
if (match(\$0,suffix)) {
if (\$0 == suffix) {
triggered=0
}
} else {
print
}
}' "$file" > "\$tmpfile"
mv -f "\$tmpfile" "$file"
}' $quoted_file > "\$tmpfile"
mv -f "\$tmpfile" $quoted_file
DONE
}
quoted_file="$(quote "$file")"
case "$state_should" in
present)
if [ "$state_is" = "changed" ]; then
@ -77,7 +78,7 @@ case "$state_should" in
echo add >> "$__messages_out"
fi
cat << DONE
cat >> "$file" << ${__type##*/}_DONE
cat >> $quoted_file << '${__type##*/}_DONE'
$(cat "$block")
${__type##*/}_DONE
DONE

View file

@ -25,6 +25,9 @@ user
OPTIONAL PARAMETERS
-------------------
dirmode
forwarded to :strong:`__directory` type as mode
mode
forwarded to :strong:`__file` type

View file

@ -19,6 +19,7 @@ set -eu
user="$(cat "${__object}/parameter/user")"
home="$(cat "${__object}/explorer/home")"
primary_group="$(cat "${__object}/explorer/primary_group")"
dirmode="$(cat "${__object}/parameter/dirmode")"
# Create parent directory. Type __directory has flag 'parents', but it
# will leave us with root-owned directory in user home, which is not
@ -36,6 +37,7 @@ export CDIST_ORDER_DEPENDENCY
for dir ; do
__directory "${home}/${dir}" \
--group "${primary_group}" \
--mode "${dirmode}" \
--owner "${user}"
done

View file

@ -0,0 +1 @@
0700

View file

@ -1,3 +1,4 @@
state
mode
source
dirmode

View file

@ -1,7 +1,4 @@
#!/bin/sh
# Nico Schottelius
# Zürisee, Mon Sep 2 18:38:27 CEST 2013
#
### BEGIN INIT INFO
# Provides: iptables
# Required-Start: $local_fs $remote_fs
@ -14,34 +11,72 @@
# and saves/restores previous status
### END INIT INFO
# Originally written by:
# Nico Schottelius
# Zürisee, Mon Sep 2 18:38:27 CEST 2013
#
# 2013 Nico Schottelius (nico-cdist at schottelius.org)
# 2020 Matthias Stecher (matthiasstecher at gmx.de)
#
# This file is distributed with cdist and licenced under the
# GNU GPLv3+ WITHOUT ANY WARRANTY.
# Read files and execute the content with the given commands
#
# Arguments:
# 1: Directory
# 2..n: Commands which should be used to execute the file content
gothrough() {
cd "$1" || return
shift
# iterate through all rules and continue if it's not a file
for rule in *; do
[ -f "$rule" ] || continue
echo "Appling iptables rule $rule ..."
# execute it with all commands specificed
ruleparam="$(cat "$rule")"
for cmd in "$@"; do
# Command and Rule should be split.
# shellcheck disable=SC2046
command $cmd $ruleparam
done
done
}
# Shortcut for iptables command to do IPv4 and v6
# only applies to the "reset" target
iptables() {
command iptables "$@"
command ip6tables "$@"
}
basedir=/etc/iptables.d
status="${basedir}/.pre-start"
status4="${basedir}/.pre-start"
status6="${basedir}/.pre-start6"
case $1 in
start)
# Save status
iptables-save > "$status"
iptables-save > "$status4"
ip6tables-save > "$status6"
# Apply our ruleset
cd "$basedir" || exit
count="$(find . ! -name . -prune | wc -l)"
# Only do something if there are rules
if [ "$count" -ge 1 ]; then
for rule in *; do
echo "Applying iptables rule $rule ..."
# Rule should be split.
# shellcheck disable=SC2046
iptables $(cat "$rule")
done
fi
gothrough "$basedir" iptables
#gothrough "$basedir/v4" iptables # conflicts with $basedir
gothrough "$basedir/v6" ip6tables
gothrough "$basedir/all" iptables ip6tables
;;
stop)
# Restore from status before, if there is something to restore
if [ -f "$status" ]; then
iptables-restore < "$status"
if [ -f "$status4" ]; then
iptables-restore < "$status4"
fi
if [ -f "$status6" ]; then
ip6tables-restore < "$status6"
fi
;;
restart)

View file

@ -10,7 +10,24 @@ DESCRIPTION
-----------
This cdist type deploys an init script that triggers
the configured rules and also re-applies them on
configuration.
configuration. Rules are written from __iptables_rule
into the folder ``/etc/iptables.d/``.
It reads all rules from the base folder as rules for IPv4.
Rules in the subfolder ``v6/`` are IPv6 rules. Rules in
the subfolder ``all/`` are applied to both rule tables. All
files contain the arguments for a single ``iptables`` and/or
``ip6tables`` command.
Rules are applied in the following order:
1. All IPv4 rules
2. All IPv6 rules
2. All rules that should be applied to both tables
The order of the rules that will be applied are definite
from the result the shell glob returns, which should be
alphabetical. If rules must be applied in a special order,
prefix them with a number like ``02-some-rule``.
REQUIRED PARAMETERS
@ -24,7 +41,7 @@ None
EXAMPLES
--------
None (__iptables_apply is used by __iptables_rule)
None (__iptables_apply is used by __iptables_rule automatically)
SEE ALSO
@ -35,11 +52,13 @@ SEE ALSO
AUTHORS
-------
Nico Schottelius <nico-cdist--@--schottelius.org>
Matthias Stecher <matthiasstecher--@--gmx.de>
COPYING
-------
Copyright \(C) 2013 Nico Schottelius. You can redistribute it
and/or modify it under the terms of the GNU General Public License as
published by the Free Software Foundation, either version 3 of the
License, or (at your option) any later version.
Copyright \(C) 2013 Nico Schottelius.
Copyright \(C) 2020 Matthias Stecher.
You can redistribute it and/or modify it under the terms of the GNU
General Public License as published by the Free Software Foundation,
either version 3 of the License, or (at your option) any later version.

View file

@ -11,6 +11,10 @@ DESCRIPTION
This cdist type allows you to manage iptable rules
in a distribution independent manner.
See :strong:`cdist-type__iptables_apply`\ (7) for the
execution order of these rules. It will be executed
automaticly to apply all rules non-volaite.
REQUIRED PARAMETERS
-------------------
@ -25,6 +29,24 @@ state
'present' or 'absent', defaults to 'present'
BOOLEAN PARAMETERS
------------------
All rules without any of these parameters will be treated like ``--v4`` because
of backward compatibility.
v4
Explicitly set it as rule for IPv4. If IPv6 is set, too, it will be
threaten like ``--all``. Will be the default if nothing else is set.
v6
Explicitly set it as rule for IPv6. If IPv4 is set, too, it will be
threaten like ``--all``.
all
Set the rule for both IPv4 and IPv6. It will be saved separately from the
other rules.
EXAMPLES
--------
@ -48,6 +70,16 @@ EXAMPLES
--state absent
# IPv4-only rule for ICMPv4
__iptables_rule icmp-v4 --v4 --rule "-A INPUT -p icmp -j ACCEPT"
# IPv6-only rule for ICMPv6
__iptables_rule icmp-v6 --v6 --rule "-A INPUT -p icmpv6 -j ACCEPT"
# doing something for the dual stack
__iptables_rule fwd-eth0-eth1 --v4 --v6 --rule "-A INPUT -i eth0 -o eth1 -j ACCEPT"
__iptables_rule fwd-eth1-eth0 --all --rule "-A -o eth1 -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT"
SEE ALSO
--------
:strong:`cdist-type__iptables_apply`\ (7), :strong:`iptables`\ (8)
@ -56,11 +88,13 @@ SEE ALSO
AUTHORS
-------
Nico Schottelius <nico-cdist--@--schottelius.org>
Matthias Stecher <matthiasstecher--@--gmx.de>
COPYING
-------
Copyright \(C) 2013 Nico Schottelius. You can redistribute it
and/or modify it under the terms of the GNU General Public License as
published by the Free Software Foundation, either version 3 of the
License, or (at your option) any later version.
Copyright \(C) 2013 Nico Schottelius.
Copyright \(C) 2020 Matthias Stecher.
You can redistribute it and/or modify it under the terms of the GNU
General Public License as published by the Free Software Foundation,
either version 3 of the License, or (at your option) any later version.

View file

@ -1,6 +1,7 @@
#!/bin/sh -e
#
# 2013 Nico Schottelius (nico-cdist at schottelius.org)
# 2020 Matthias Stecher (matthiasstecher at gmx.de)
#
# This file is part of cdist.
#
@ -24,12 +25,36 @@ base_dir=/etc/iptables.d
name="$__object_id"
state="$(cat "$__object/parameter/state")"
if [ -f "$__object/parameter/v4" ]; then
only_v4="yes"
# $specific_dir is $base_dir
fi
if [ -f "$__object/parameter/v6" ]; then
only_v6="yes"
specific_dir="$base_dir/v6"
fi
# If rules should be set for both protocols
if { [ "$only_v4" = "yes" ] && [ "$only_v6" = "yes" ]; } ||
[ -f "$__object/parameter/all" ]; then
# all to a specific directory
specific_dir="$base_dir/all"
fi
# set rule directory based on if it's the base or subdirectory
rule_dir="${specific_dir:-$base_dir}"
################################################################################
# Basic setup
#
__directory "$base_dir" --state present
# sub-directory if required
if [ "$specific_dir" ]; then
require="__directory/$base_dir" __directory "$specific_dir" --state present
fi
# Have apply do the real job
require="$__object_name" __iptables_apply
@ -37,6 +62,15 @@ require="$__object_name" __iptables_apply
# The rule
#
require="__directory/$base_dir" __file "$base_dir/${name}" \
--source "$__object/parameter/rule" \
--state "$state"
for dir in "$base_dir" "$base_dir/v6" "$base_dir/all"; do
# defaults to absent except the directory that should contain the file
if [ "$rule_dir" = "$dir" ]; then
curr_state="$state"
else
curr_state="absent"
fi
require="__directory/$rule_dir" __file "$dir/$name" \
--source "$__object/parameter/rule" \
--state "$curr_state"
done

View file

@ -0,0 +1,3 @@
all
v4
v6

View file

@ -75,7 +75,7 @@ execcmd(){
esac
if [ -z "${pkg_bootstrapped}" ]; then
echo "pkg bootstrap -y >/dev/null 2>&1"
echo "ASSUME_ALWAYS_YES=yes pkg bootstrap >/dev/null 2>&1"
fi
echo "$_cmd >/dev/null 2>&1" # Silence the output of the command

View file

@ -89,7 +89,7 @@ function strdelim(s) { return strdelim_internal(s, 1) }
function strdelimw(s) { return strdelim_internal(s, 0) }
function singleton_option(opt) {
return tolower(opt) !~ /^(acceptenv|allowgroups|allowusers|authenticationmethods|authorizedkeysfile|denygroups|denyusers|hostcertificate|hostkey|listenaddress|logverbose|permitlisten|permitopen|port|setenv|subsystem)$/
return tolower(opt) !~ /^(acceptenv|allowgroups|allowusers|denygroups|denyusers|hostcertificate|hostkey|listenaddress|logverbose|permitlisten|permitopen|port|setenv|subsystem)$/
}
function print_update() {

View file

@ -91,7 +91,8 @@ awk $(drop_awk_comments "${__type:?}/files/update_sshd_config.awk") \\
cmp -s $(quote "${sshd_config_file}") $(quote "${sshd_config_file}.tmp") || {
sshd -t -f $(quote "${sshd_config_file}.tmp") \\
&& cat $(quote "${sshd_config_file}.tmp") >$(quote "${sshd_config_file}")
&& cat $(quote "${sshd_config_file}.tmp") >$(quote "${sshd_config_file}") \\
|| exit # stop if sshd_config file check fails
}
rm -f $(quote "${sshd_config_file}.tmp")
EOF

View file

@ -79,6 +79,10 @@ BUGS
- ``Include`` directives are ignored.
- Config options are not added/removed to/from the config file if their value is
the default value.
- | The explorer will incorrectly report ``absent`` if OpenSSH internally
transforms one value to another (e.g. ``permitrootlogin prohibit-password``
is transformed to ``permitrootlogin without-password``).
| Workaround: Use the value that OpenSSH uses internally.
AUTHORS

View file

@ -22,7 +22,7 @@ set -e
if [ "${debug}" ]
then
set -x
cdist_params="${cdist_params} -d"
cdist_params="${cdist_params} -l 3"
fi
bootstrap_dir="${target_dir}"

View file

@ -59,6 +59,8 @@ from scapy.all import *
# Datetime overwrites scapy.all.datetime - needs to be imported AFTER
import datetime
import cdist.config
log = logging.getLogger("scan")
@ -125,6 +127,18 @@ class Scanner(object):
with open(fname, "w") as fd:
fd.write(f"{now}\n")
def config(self):
"""
Configure a host
- Assume we are only called if necessary
- However we need to ensure to not run in parallel
- Maybe keep dict storing per host processes
- Save the result
- Save the output -> probably aligned to config mode
"""
def start(self):
self.process = Process(target=self.scan)
self.process.start()

View file

@ -20,7 +20,7 @@
#
#
import imp
import importlib
import os
import sys
import unittest
@ -37,8 +37,9 @@ for possible_test in os.listdir(base_dir):
suites = []
for test_module in test_modules:
module_parameters = imp.find_module(test_module, [base_dir])
module = imp.load_module("cdist.test." + test_module, *module_parameters)
module_spec = importlib.util.find_spec("cdist.test.{}".format(test_module))
module = importlib.util.module_from_spec(module_spec)
module_spec.loader.exec_module(module)
suite = unittest.defaultTestLoader.loadTestsFromModule(module)
# print("Got suite: " + suite.__str__())

View file

@ -1,6 +1,19 @@
Changelog
---------
next:
* Core: preos: Fix passing cdist debug parameter (Darko Poljak)
* Type __sshd_config: Produce error if invalid config is generated, fix processing of AuthenticationMethods and AuthorizedKeysFile, document explorer bug (Dennis Camera)
6.9.4: 2020-12-21
* Type __package_pkgng_freebsd: Fix bootstrapping pkg (Dennis Camera)
* Core: Deal with deprecated imp in unit tests (Evil Ham)
* Type __iptables: Add IPv6 support (Matthias Stecher)
* Type __block: Fix escaping in here-doc (Matthias Stecher)
* Explorer os_version: Improve FreeBSD support (Evil Ham)
* New type: __apt_backports (Matthias Stecher)
* Type __dot_file: Add dirmode parameter (Mark Verboom)
6.9.3: 2020-12-04
* pip install: Add cdist.scan to packages in setup.py (Dennis Camera)

View file

@ -54,4 +54,12 @@ VERBOSE: scan: Host fe80::f29f:c2ff:fe7c:275e is alive
VERBOSE: scan: Host fe80::ba69:f4ff:fec5:8db7 is alive
VERBOSE: scan: Host fe80::42b0:34ff:fe6f:f863 is alive
VERBOSE: scan: Host fe80::21b:fcff:feee:f4bc is alive
...
** Better usage -> saving the env
sudo -E cdist scan -b -I wlan0 -vv
** TODO Implement actual configuration step
- Also serves as a nice PoC
- Might need to escape literal IPv6 addresses for scp
** TODO Define how to map link local address to something useful
- via reverse DNS?
- via link local in manifest?
** TODO define ignorehosts?

199
other/examples/remote/cconn/cconn Executable file
View file

@ -0,0 +1,199 @@
#!/bin/sh -ex
# Copyright (c) 2021 Alexander Sieg
# cconn is a transparent wrapper that allows seamless usage of sudo/rsync and
# FreeBSD jails, this makes it possible to configure a FreeBSD by just using
# the host system sshd.
# Configuration is done by throw the cdist invertory system.
#
#
# Installation:
#
# Simply set this script as remote_exec and remote_copy implementation in your
# cdist.cfg. You MUST always pass either copy or exec as the first parameter
# to this script
#
# remote_exec = path/to/cconn exec
# remote_copy = path/to/cconn copy
#
# As cconn uses the cdist inventory system for host specific configuration, it
# ether need to be executed from the directory the contains the inventory
# directory or be setting the INVENTORY environment variable to path were the
# inventory entries are kept.
#
# Usage:
#
# To setup a host to use some form of connection "bending" (e.g. sudo) you need
# to add a single __cconn_options tag to the host inventory file. Options are always a
# key value pair separated by a '='. All options are passed in a single tag and
# a separated by a space.
#
# __cconn_options options:
#
# NOTE: jail_host and iocage_jail can not be used at the same time and will
# lead to a error
#
# jail_host:
# hostname on which the FreeBSD jail resides on.
#
# iocage_host:
# Same as jail_host, but for jails managed by iocage(8)
#
# jail_name:
# By default cconn will use the __target_host as the FreeBSD jail name, set
# this option to override this name
#
# sudo_user:
# Username used to connect to the __target_host, all commands are then
# prefixed with sudo and copy operations are done with rsync
#
# For this work you need to be able to execute all command without password entry.
# sudoers(5)
# %wheel ALL=(ALL) NOPASSWD: ALL
#
#Examples:
#
# inventory/jail.example.com:
# some_other_tag
# __cconn_options jail_host=example.com sudo_user=ada
#
#TODO: add sudo_pass and sudo_passfile option to support use without NOPASSWD
#TODO: support SSH connection multiplexing. This requieres a patch to cdist, as
# we need path to the tmp dir.
log() {
# Uncomment this for debugging
echo "$@" | logger -t "cdist-cconn-$COMMAND"
:
}
COMMAND="$1"; shift
if [ -z "$INVENTORY" ]; then
INVENTORY="inventory"
fi
# shellcheck disable=SC2154
options="$(sed -n 's/^__cconn_options\(.*\)$/\1/p' "$INVENTORY/$__target_host" | cut -d' ' -f2-)"
tmpcmd=$*
for option in $options; do
# shellcheck disable=SC2046
set -- $(echo "$option" | tr '=' ' ')
key="$1"
value="$2"
case "$1" in
"jail_host")
JAIL_HOST="$value"
;;
"iocage_host")
IOCAGE_HOST="$value"
;;
"jail_name")
JAIL_NAME="$value"
;;
"sudo_user")
SUDO_USER="$value"
;;
*)
log "unknown option $key=$value found"
;;
esac
done
# shellcheck disable=SC2086
set -- $tmpcmd
if [ -n "$IOCAGE_HOST" ] && [ -n "$JAIL_HOST" ]; then
echo "WARING: jail_host and iocage_host can't be used at the same time"
log "WARING: jail_host and iocage_host can't be used at the same time"
exit 1
fi
TARGET_HOST="$__target_host"
SSH_USER="root"
if [ -n "$IOCAGE_HOST" ]; then
JAIL_HOST="$IOCAGE_HOST"
if [ -z "$JAIL_NAME" ]; then
JAIL_NAME="ioc-$(echo "$__target_host" | tr '.' '_')"
else
JAIL_NAME="ioc-$(echo "$JAIL_NAME" | tr '.' '_')"
fi
else
if [ -z "$JAIL_NAME" ]; then
JAIL_NAME="$TARGET_HOST"
fi
fi
if [ -n "$JAIL_HOST" ]; then
log "INSIDE_JAIL: TRUE"
TARGET_HOST="$JAIL_HOST"
WRAPPER="jexec $JAIL_NAME"
fi
if [ -n "$SUDO_USER" ]; then
log "SUDO_USER: $SUDO_USER"
WRAPPER="sudo -- $WRAPPER"
SSH_USER="$SUDO_USER"
fi
log "TARGET_HOST: $TARGET_HOST"
log "@:" "$@"
if [ -n "$JAIL_HOST" ]; then
log "IOCAGE_HOST: $IOCAGE_HOST"
log "JAIL_HOST: $JAIL_HOST"
log "JAIL_NAME: $JAIL_NAME"
log "WRAPPER: $WRAPPER"
fi
case "$COMMAND" in
"exec")
shift; # remove the jail host name from $@
ssh -o User="$SSH_USER" -q "$TARGET_HOST" "$WRAPPER $*"
;;
"copy")
if [ -n "$JAIL_HOST" ]; then
# jls(8) dosen't need root to print this information
jail_root=$(ssh -q "$TARGET_HOST" -- jls -j "$JAIL_NAME" path)
log "JAIL_ROOT: $jail_root"
fi
if [ -n "$JAIL_HOST" ]; then
set -- "$(echo "$@" | sed "s|$__target_host:|$JAIL_HOST:$jail_root|g")"
fi
if [ -n "$SUDO_USER" ]; then
# For rsync to do the right thing, the source has to end with "/" if it is
# a directory. The below preprocessor loop takes care of that.
# second last argument is the source
source_index=$(($#-1))
index=0
for arg in "$@"; do
if [ $index -eq 0 ]; then
# reset $@
set --
fi
index=$((index+=1))
if [ $index -eq $source_index ] && [ -d "$arg" ]; then
arg="${arg%/}/"
fi
set -- "$@" "$arg"
done
rsync --copy-links -e "ssh -o User=$SSH_USER" --rsync-path='sudo rsync' "$@"
else
#shellcheck disable=SC2068
scp -o "User=$SSH_USER" -q $@
fi
;;
*)
echo "unkown command - $COMMAND"
exit 1
;;
esac
log "----"