
[Merge] lp:~bac/lp-tarmac-configs/add-launchpad-members into lp:lp-tarmac-configs

 

Brad Crittenden has proposed merging lp:~bac/lp-tarmac-configs/add-launchpad-members into lp:lp-tarmac-configs.

Requested reviews:
  Yellow Squad (yellow)

For more details, see:
https://code.launchpad.net/~bac/lp-tarmac-configs/add-launchpad-members/+merge/122877

The goal of this branch was to have all members of ~launchpad be authorized to ssh into lp-tarmac.no-ip.org and administer the machine.  If it goes wild, anyone can kill it using 'poweroff'.

Rather than add everyone individually, a helper script was added that knows how to find all participants in a team and then add their ssh keys to both the 'ubuntu' and 'tarmac' user accounts.
-- 
https://code.launchpad.net/~bac/lp-tarmac-configs/add-launchpad-members/+merge/122877
Your team Yellow Squad is requested to review the proposed merge of lp:~bac/lp-tarmac-configs/add-launchpad-members into lp:lp-tarmac-configs.
=== modified file 'README'
--- README	2012-06-27 19:01:19 +0000
+++ README	2012-09-05 13:48:28 +0000
@@ -22,6 +22,12 @@
     branch on Launchpad that the bot user will be able to read. This
     will allow the auto-updating to work
 
+  * apt-get install fabric
+
+  * Follow the instructions to set up access to Canonistack.  They can
+    be found at:
+    https://wiki.canonical.com/InformationInfrastructure/IS/CanonicalOpenstack
+
 To create new instance on the Canonistack running tarmac, do the following:
 
 $ source ~/.canonistack/novarc

=== added file 'import_ssh_keys.py'
--- import_ssh_keys.py	1970-01-01 00:00:00 +0000
+++ import_ssh_keys.py	2012-09-05 13:48:28 +0000
@@ -0,0 +1,98 @@
+#!/usr/bin/python
+
+import argparse
+import os.path
+import subprocess
+import sys
+
+from launchpadlib.launchpad import Launchpad
+from shelltoolbox import run
+
+
+def get_lp_instance(credentials_file):
+    program_name = "import_ssh_ids"
+    system_name = "production"
+    if credentials_file and os.path.exists(credentials_file):
+        lp = Launchpad.login_with(
+            program_name, system_name, credentials_file=credentials_file)
+    else:
+        lp = Launchpad.login_anonymously(program_name, system_name)
+    return lp
+
+
+def get_lp_people(lp, lp_ids):
+    """Given a set of Launchpad ids, return all of the people represented.
+
+    If an id in the list is a team, then all of the participants in that team
+    are returned.  A participant is any member of that team or any sub-team.
+    The p.participants method also returns the team in the list, so those are
+    filtered out.
+
+    The set returned only contains individuals.
+    """
+    people = set()
+    for _id in lp_ids:
+        try:
+            person_or_team = lp.people[_id]
+        except KeyError:
+            print "Invalid Launchpad id:", _id
+            continue
+        if person_or_team.is_team:
+            people.update(
+                p for p in person_or_team.participants
+                if not p.is_team)
+        else:
+            people.add(person_or_team)
+    return people
+
+
+def import_keys(people, path):
+    pgm = '/usr/bin/ssh-import-id'
+    names = [p.name for p in people]
+    this_dir = os.path.dirname(path)
+    for name in list(names):
+        sentry = os.path.join(this_dir, '_' + name)
+        if os.path.exists(sentry):
+            names.remove(name)
+        else:
+            with open(sentry, 'w'):
+                # Touch the file.
+                pass
+    if len(names) > 0:
+        try:
+            run(pgm, '-o', path, *names)
+        except subprocess.CalledProcessError as e:
+            print e.output
+            raise
+        # Touch a file that the puppet recipe depends on.
+        marker = os.path.join(this_dir, "_keys_imported")
+        with open(marker, 'w'):
+            # Touch the marker file.
+            pass
+
+
+def main():
+    parser = argparse.ArgumentParser(
+        "Add SSH keys for people and teams in Launchpad to "
+        "$HOME/.ssh/authorized_keys.  If a team is given then all members of "
+        "that team are added, including sub-teams.")
+    parser.add_argument(
+        '--credentials',
+        help=("The credentials file to use with Launchpadlib.  "
+              "It must already exist and will not be created."))
+    parser.add_argument(
+        'ids', nargs='+',
+        help="Launchpad ids for people or teams")
+    parser.add_argument(
+        '-a', '--authorized-keys-path', default="~/.ssh/authorized_keys",
+        help="File where imported keys are to be appended")
+    args = parser.parse_args()
+
+    lp = get_lp_instance(args.credentials)
+    lp_people = get_lp_people(lp, args.ids)
+    import_keys(lp_people, args.authorized_keys_path)
+    return 0
+
+
+if __name__ == '__main__':
+    sys.exit(main())
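Review bot: In `import_keys` the per-user sentry files `_<name>` are written before `ssh-import-id` runs, so when the command fails and the exception is re-raised, every name in that batch is already marked as done and is skipped on the next run. The sentries should be created only after `run(...)` returns. The default `~/.ssh/authorized_keys` is also never passed through `os.path.expanduser`, so when `-a` is omitted `os.path.dirname(path)` is a literal `~/.ssh` relative to the working directory. Because a sentry causes a user to be imported only once, keys that the user later adds or removes in Launchpad are not reflected in authorized_keys, which is worth stating in a docstring on `import_keys`.

```python
def import_keys(people, path):
    pgm = '/usr/bin/ssh-import-id'
    path = os.path.expanduser(path)
    this_dir = os.path.dirname(path)
    names = [
        p.name for p in people
        if not os.path.exists(os.path.join(this_dir, '_' + p.name))]
    if names:
        try:
            run(pgm, '-o', path, *names)
        except subprocess.CalledProcessError as e:
            print e.output
            raise
        # Record the sentries only once the import has succeeded.
        for name in names:
            with open(os.path.join(this_dir, '_' + name), 'w'):
                pass
        # ... unchanged: touch the _keys_imported marker ...
```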

=== modified file 'tarmac.pp'
--- tarmac.pp	2012-09-03 19:13:07 +0000
+++ tarmac.pp	2012-09-05 13:48:28 +0000
@@ -1,15 +1,15 @@
-define ssh_import_lp_id($user) {
-  exec { "ssh-import for $title and $user":
+define ssh_import_lp_id($username = $title, $users) {
+  exec { "import-ssh-keys-for-$username":
     # 2>&1 is to be able to see errors when executing puppet script,
     # as normally, stderr is lost
-    command     => "ssh-import-id $title 2>&1 && touch /home/$user/.ssh/_$title",
-    user        => "$user",
-    path        => "/bin:/usr/bin",
-    environment => ["HOME=/home/$user"],
+    command     => "import_ssh_keys.py --credentials=credentials -a /home/$username/.ssh/authorized_keys $users 2>&1",
+    user        => "$username",
+    path        => "/bin:/usr/bin:/home/ubuntu",
+    environment => ["HOME=/home/$username"],
     logoutput   => "on_failure",
     # Quick way to assess if the command was run or not.
-    creates     => "/home/$user/.ssh/_$title",
-    require     => File["/home/$user/.ssh"],
+    creates     => "/home/$username/.ssh/_keys_imported",
+    require     => Package["python-shelltoolbox"],
   }
 }
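Review bot: The `creates => "/home/$username/.ssh/_keys_imported"` guard makes this exec run once per account, and the script's `-a` help text says keys are appended, so later changes to team membership are never applied: new members get no access, and people who leave the team keep their keys in authorized_keys. At minimum that should be stated next to `creates`, e.g. `# One-shot: later membership changes (including removals) are not applied; prune authorized_keys by hand.` Separately, `--credentials=credentials` is a relative path and the exec sets no `cwd`, while import_ssh_keys.py falls back to an anonymous login when the file does not exist, so a run from an unexpected working directory can proceed unauthenticated without any error; an absolute path would avoid that. The new `require` also no longer names `File["/home/$username/.ssh"]`, although the script writes its sentry and marker files into that directory.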
 
@@ -302,6 +302,10 @@
   include autoupdate
   include ddclient
   # CHANGEME, put the LP ids of the people you want to be able to login as the tarmac user here.
-  $users = ["benji", "bac", "frankban", "gary", "teknico"]
-  ssh_import_lp_id { $users: user => "tarmac" }
+  # Due to the way Puppet joins lists, the entries must end with a
+  # space to avoid them all being crammed together, e.g.
+  # $users = ["launchpad ", "yellow ", "bac"]
+  $users = ["launchpad "]
+  ssh_import_lp_id { "tarmac": users => $users }
+  ssh_import_lp_id { "ubuntu": users => $users }
 }
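Review bot: The CHANGEME comment above `$users` still says the listed ids can "login as the tarmac user", but the two `ssh_import_lp_id` lines now install the same keys for both `tarmac` and `ubuntu`, and a team id such as `launchpad` expands to every participant, sub-team members included (per the docstring of `get_lp_people` in import_ssh_keys.py). The comment should state that scope, for example `# LP ids (people or teams) whose SSH keys are installed for both the tarmac and ubuntu accounts; a team id grants access to all of its participants, sub-teams included.` The trailing-space convention in `["launchpad "]` is fragile, since one entry without the space silently merges two ids into a single invalid one; joining the list explicitly before it reaches the `command` string would remove the need for it. The enclosing block starts outside the hunk.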

