+++ /dev/null
-#!/bin/bash
-
-# Copyright (c) 2009, 2010, 2012 Peter Palfrader
-#
-# Permission is hereby granted, free of charge, to any person obtaining
-# a copy of this software and associated documentation files (the
-# "Software"), to deal in the Software without restriction, including
-# without limitation the rights to use, copy, modify, merge, publish,
-# distribute, sublicense, and/or sell copies of the Software, and to
-# permit persons to whom the Software is furnished to do so, subject to
-# the following conditions:
-#
-# The above copyright notice and this permission notice shall be
-# included in all copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
-# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
-# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
-# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
-# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
-# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
-# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-
-set -e
-set -u
-
-MYLOGNAME="`basename "$0"`[$$]"
-BASEDIR="/home/staticsync/static-master"
-COMPONENTLIST=/etc/static-components.conf
-
-usage() {
- echo "local Usage: $0 <host>"
- echo "via ssh orig command:"
- echo " rsync <stuff>"
- echo " static-master-update-component <component>"
-}
-
-one_more_arg() {
- if [ "$#" -lt 1 ]; then
- usage >&2
- exit 1
- fi
-}
-
-info() {
- logger -p daemon.info -t "$MYLOGNAME" "$1"
-}
-
-croak() {
- logger -s -p daemon.warn -t "$MYLOGNAME" "$1"
- exit 1
-}
-
-do_rsync() {
- local remote_host="$1"; shift
- local args="--server --sender -vlHtrze.iLsf --safe-links ."
-
- for component in $(awk -v this_host="$(hostname -f)" '$1 == this_host {print $2}' $COMPONENTLIST); do
- if [ "$*" = "$args $component/-new-/" ] || [ "$*" = "$args ./$component/-new-/" ] ; then
- local path="$BASEDIR/master/$component-current-push"
- info "serving $remote_host with $path"
- rsync $args "$path/."
- return
- elif [ "$*" = "$args $component/-live-/" ] || [ "$*" = "$args ./$component/-live-/" ] ; then
- local path="$BASEDIR/master/$component-current-live"
- info "host $remote_host wants $path, acquiring lock"
- exec 200< "$path"
- if ! flock -s -w 0 200; then
- echo >&2 "Cannot acquire shared lock on $path - this should mean an update is already underway anyway."
- exit 1
- fi
- rsync $args "$path/."
- return
- fi
- done
-
- info "NOT allowed for $remote_host: rsync $*"
- echo >&2 "This rsync command ($@) not allowed."
- exit 1
-}
-
-do_update_component() {
- local remote_host="$1"; shift
-
- one_more_arg "$@"
- component="$1"
- shift
-
- hit="$(
- awk -v this_host="$(hostname -f)" -v component="$component" -v host="$remote_host" '
- $1 == this_host && $2 == component {
- if ($3 == host) {
- print $4
- exit
- }
- split($5,extra,",")
- for (i in extra) {
- if (host == extra[i]) {
- printf "%s:%s\n", $3, $4
- exit
- }
- }
- exit
- }' "$COMPONENTLIST"
- )"
- if [ -n "$hit" ]; then
- exec static-master-update-component "$component"
- echo >&2 "Exec failed"
- croak "exec failed"
- else
- info "Not whitelisted: $remote_host update $component"
- echo >&2 "Not whitelisted: $remote_host update $component"
- exit 1
- fi
-}
-
-
-if [ "${1:-}" = "-h" ] || [ "${1:-}" = "--help" ]; then
- usage
- exit 0
-fi
-
-one_more_arg "$@"
-remote_host="$1"
-shift
-
-
-# check/parse remote command line
-if [ -z "${SSH_ORIGINAL_COMMAND:-}" ] ; then
- croak "Did not find SSH_ORIGINAL_COMMAND"
-fi
-set "dummy" ${SSH_ORIGINAL_COMMAND}
-shift
-
-info "host $remote_host called with $*"
-
-one_more_arg "$@"
-action="$1"
-shift
-
-case "$action" in
- rsync)
- do_rsync "$remote_host" "$@"
- ;;
- static-master-update-component)
- do_update_component "$remote_host" "$@"
- ;;
- *)
- croak "Invalid operation '$action'"
- ;;
-esac
+++ /dev/null
-#!/bin/bash
-
-# This is a wrapper script for ssh access on Debian's static mirroring infrastructure.
-#
-# It limits the commands the master can run on static-mirroring mirrors (i.e.
-# the things running apache) on one hand, and also on static-mirroring sources,
-# that is the things that create the data.
-
-# Copyright (c) 2009, 2010, 2012 Peter Palfrader
-#
-# Permission is hereby granted, free of charge, to any person obtaining
-# a copy of this software and associated documentation files (the
-# "Software"), to deal in the Software without restriction, including
-# without limitation the rights to use, copy, modify, merge, publish,
-# distribute, sublicense, and/or sell copies of the Software, and to
-# permit persons to whom the Software is furnished to do so, subject to
-# the following conditions:
-#
-# The above copyright notice and this permission notice shall be
-# included in all copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
-# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
-# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
-# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
-# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
-# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
-# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-
-set -e
-set -u
-
-MYLOGNAME="`basename "$0"`[$$]"
-COMPONENTLIST=/etc/static-components.conf
-
-usage() {
- echo "local Usage: $0 <basedir> <host>"
- echo "via ssh orig command:"
- echo " mirror <component> <serial>"
- echo " rsync ..."
- do_rsync "$remote_host" "$@"
-}
-
-one_more_arg() {
- if [ "$#" -lt 1 ]; then
- usage >&2
- exit 1
- fi
-}
-
-info() {
- logger -p daemon.info -t "$MYLOGNAME" "$1"
-}
-
-croak() {
- logger -s -p daemon.warn -t "$MYLOGNAME" "$1"
- exit 1
-}
-
-do_mirror() {
- local basedir="$1"; shift
- local remote_host="$1"; shift
- one_more_arg "$@"
- local component="$1"; shift
- one_more_arg "$@"
- local serial="$1"; shift
-
- masterhost="$(awk -v component="$component" '$2 == component {print $1; exit}' "$COMPONENTLIST")"
- if [ -z "$masterhost" ]; then
- croak "Did not find master for component $component."
- elif [ "$masterhost" != "$remote_host" ]; then
- croak "$remote_host is not master for $component."
- else
- info "Host $remote_host triggered a mirror run for $component, serial $serial"
- exec /usr/local/bin/static-mirror-run "$basedir/mirrors/$component" "$remote_host:$component/-new-" "$serial"
- echo >&2 "Exec failed"
- croak "exec failed"
- fi
-}
-
-do_rsync() {
- local remote_host="$1"
- shift
-
- local allowed_rsyncs
- allowed_rsyncs=()
-
- if [ -e "$COMPONENTLIST" ]; then
- for path in $(awk -v host="$(hostname -f)" '$3 == host {print $4}' $COMPONENTLIST); do
- allowed_rsyncs+=("--server --sender -lHtrze.iLsf --safe-links . $path/.")
- done
- fi
- for cmd_idx in ${!allowed_rsyncs[*]}; do
- allowed="${allowed_rsyncs[$cmd_idx]}"
- if [ "$*" = "$allowed" ]; then
- info "Running for host $remote_host: rsync $*"
- exec rsync "$@"
- echo >&2 "Exec failed"
- exit 1
- fi
- done
-
- info "NOT allowed for $remote_host: rsync $*"
- echo >&2 "This rsync command ($*) not allowed."
- exit 1
-}
-
-
-if [ "${1:-}" = "-h" ] || [ "${1:-}" = "--help" ]; then
- usage
- exit 0
-fi
-
-one_more_arg "$@"
-basedir="$1"
-shift
-
-one_more_arg "$@"
-remote_host="$1"
-shift
-
-
-# check/parse remote command line
-if [ -z "${SSH_ORIGINAL_COMMAND:-}" ] ; then
- croak "Did not find SSH_ORIGINAL_COMMAND"
-fi
-set "dummy" ${SSH_ORIGINAL_COMMAND}
-shift
-
-one_more_arg "$@"
-action="$1"
-shift
-
-case "$action" in
- mirror)
- do_mirror "$basedir" "$remote_host" "$@"
- ;;
- rsync)
- do_rsync "$remote_host" "$@"
- ;;
- *)
- croak "Invalid operation '$action'"
- ;;
-esac
file { '/etc/static-components.conf':
source => 'puppet:///modules/roles/static-mirroring/static-components.conf',
}
+
+ file { '/etc/ssh/userkeys/staticsync':
+ content => template('roles/static-mirroring/static-authorized_keys.erb'),
+ }
+
+ file { '/usr/local/bin/staticsync-ssh-wrap':
+ source => 'puppet:///modules/roles/static-mirroring/staticsync-ssh-wrap',
+ mode => '0555',
+ }
+ file { '/usr/local/bin/static-mirror-ssh-wrap': ensure => absent; }
+ file { '/usr/local/bin/static-master-ssh-wrap': ensure => absent; }
}
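Review bot: The `/etc/ssh/userkeys/staticsync` resource added at lines 302–304 sets `content` but no owner, group or mode, so the permissions of the file sshd consults for the forced-command keys are left to the agent's defaults rather than stated in the manifest; sshd's StrictModes refuses an authorized keys file that is group- or world-writable, so pinning `owner => 'root', group => 'root', mode => '0644',` makes the requirement explicit and reviewable. The key file also has no ordering relationship to the wrapper it forces commands through (lines 306–309), so adding `require => File['/usr/local/bin/staticsync-ssh-wrap'],` avoids a run in which the keys are installed before the wrapper exists — a key whose command= target is missing fails closed, but it would break syncs on a fresh host. The single template static-authorized_keys.erb that replaces the two per-role templates deleted below is not part of this diff, so the command= and from= restrictions it generates cannot be reviewed here.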
include roles::static_base
- file { '/etc/ssh/userkeys/staticsync':
- content => template('roles/static-mirroring/static-master-authorized_keys.erb'),
- }
file { '/usr/local/bin/static-master-run':
source => 'puppet:///modules/roles/static-mirroring/static-master-run',
mode => '0555',
}
- file {'/usr/local/bin/static-master-ssh-wrap':
- source => 'puppet:///modules/roles/static-mirroring/static-master-ssh-wrap',
- mode => '0555',
- }
file { '/usr/local/bin/static-master-update-component':
source => 'puppet:///modules/roles/static-mirroring/static-master-update-component',
mode => '0555',
class roles::static_source {
+
include roles::static_base
- file { '/etc/ssh/userkeys/staticsync':
- content => template('roles/static-mirroring/static-mirror-authorized_keys.erb'),
- }
+
file { '/usr/local/bin/static-update-component':
source => 'puppet:///modules/roles/static-mirroring/static-update-component',
mode => '0555',
}
- file { '/usr/local/bin/static-mirror-ssh-wrap':
- source => 'puppet:///modules/roles/static-mirroring/static-mirror-ssh-wrap',
- mode => '0555',
- }
}
+++ /dev/null
-##
-## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
-##
-
-<%=
-def getstaticsynckey(host)
- key = nil
- begin
- facts = YAML.load(File.open("/var/lib/puppet/yaml/facts/#{host}.yaml").read)
- return facts.values['staticsync_key']
- rescue Exception => e
- end
- return key
-end
-
-localinfo = scope.lookupvar('site::localinfo')
-allnodeinfo = scope.lookupvar('site::allnodeinfo')
-
-mirrors = []
-localinfo.keys.sort.each do |node|
- if localinfo[node]['static_mirror'] or localinfo[node]['static_source']
- key = getstaticsynckey(node)
- mirrors << { 'node' => node, 'addr' => allnodeinfo[node]['ipHostNumber'], 'key' => key}
- end
-end
-
-mirrors << { 'node' => 'wagner.debian.org', 'addr' => allnodeinfo['wagner.debian.org']['ipHostNumber'], 'key' => 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCXHFIkIhOC5iDa0d0IN5w6tUUL2T2iXCYcS2+dandE9f550OpKQ/evUZhw4EERNYDA3G7GV3jJzQR0j/KZWJUtDCichmqS94xJqXURmZVNeLXWY9x/N7CB1iG1Iblu6sgyTUrs7N6Wb0fUab3AXAi9KIXdwNLY622reR9T//bRULPVIl5VFpYtGBPT9n3wR7fLQ4ndEcUmEGcM4jRbpLmye4QGgJotuzeBWUpX+U648Yly6U7NlAJIWPUt7hEzMz2AC81SLhGCwTk6sb19n2dO6WN2ndynp8PLG1emtgd1/DaeaRyPcitoWgSoDNgKNk3zLIDtCdSYvFI8xXrm6cK3 staticsync@wagner'}
-
-lines = []
-for m in mirrors:
- lines << '# ' + m['node']
- if m['key'].nil?
- lines << "# no key for node"
- else
- lines << "command=\"/usr/local/bin/static-master-ssh-wrap #{m['node']}\"," +
- 'no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-user-rc,' +
- 'from="' + m['addr'].join(',') + '" ' +
- m['key']
- end
-end
-
-lines.join("\n")
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
-%>
+++ /dev/null
-##
-## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
-##
-
-<%=
-def getstaticsynckey(host)
- key = nil
- begin
- facts = YAML.load(File.open("/var/lib/puppet/yaml/facts/#{host}.yaml").read)
- return facts.values['staticsync_key']
- rescue Exception => e
- end
- return key
-end
-
-masters = []
-scope.lookupvar('site::localinfo').keys.sort.each do |node|
- if scope.lookupvar('site::localinfo')[node]['static_master']
- key = getstaticsynckey(node)
- masters << { 'node' => node, 'addr' => scope.lookupvar('site::allnodeinfo')[node]['ipHostNumber'], 'key' => key}
- end
-end
-
-
-lines = []
-for m in masters:
- lines << '# ' + m['node']
- if m['key'].nil?
- lines << "# no key for node"
- else
- lines << "command=\"/usr/local/bin/static-mirror-ssh-wrap /srv/static.debian.org #{m['node']}\"," +
- 'no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-user-rc,' +
- 'from="' + m['addr'].join(',') + '" ' +
- m['key']
- end
-end
-
-lines.join("\n")
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
-%>