From aa357fc19fe33a30bf563c2ce24a859359c797f4 Mon Sep 17 00:00:00 2001
From: Ian Wienand
Date: Tue, 2 Jul 2019 17:14:28 +1000
Subject: [PATCH] mirror-update: update keytab testing
Keytabs are slightly longer than what is being tested; upto 100 bytes or so. This means the encoded data breaks over lines, which means you need to be more careful about quoting. Update the testing to a longer keytab (100 bytes of random data) and fix up the quoting. Also enable no_logging to avoid putting key material into the logs.
Change-Id: I73c391a2ebd2c962dc9a422f9d44265160210852
---
 playbooks/roles/mirror-update/tasks/main.yaml | 4 ++--
 playbooks/roles/mirror-update/tasks/rsync.yaml | 4 ++--
 .../mirror-update01.opendev.org.yaml.j2 | 18 ++++++++++++------
 testinfra/test_mirror-update.py | 2 +-
 4 files changed, 17 insertions(+), 11 deletions(-)
diff --git a/playbooks/roles/mirror-update/tasks/main.yaml b/playbooks/roles/mirror-update/tasks/main.yaml
index 7e124d453f..0d8dfb2248 100644
--- a/playbooks/roles/mirror-update/tasks/main.yaml
+++ b/playbooks/roles/mirror-update/tasks/main.yaml
@@ -9,10 +9,10 @@
 # "real" binary data like a keytab. See issues like:
 # https://github.com/ansible/ansible/issues/20150
 - name: Install afsadmin keytab
- shell: 'echo {{ mirror_update_keytab_afsadmin }} | base64 -d > /etc/afsadmin.keytab'
+ shell: 'echo "{{ mirror_update_keytab_afsadmin }}" | base64 -d > /etc/afsadmin.keytab'
 args:
 creates: /etc/afsadmin.keytab
-#no_log: True
+ no_log: True
 - name: Ensure permissions on afsadmin keytab
 file:
diff --git a/playbooks/roles/mirror-update/tasks/rsync.yaml b/playbooks/roles/mirror-update/tasks/rsync.yaml
index d53ecce229..e66b7d0d84 100644
--- a/playbooks/roles/mirror-update/tasks/rsync.yaml
+++ b/playbooks/roles/mirror-update/tasks/rsync.yaml
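Review bot: The keytab is still written through a shell redirect, so `/etc/afsadmin.keytab` is created under whatever umask the task runs with and is only tightened by the following "Ensure permissions on afsadmin keytab" task. With a common 022 umask the key material would be briefly readable by other local users. Setting the mask in the same command closes that window: `shell: 'umask 077; echo "{{ mirror_update_keytab_afsadmin }}" | base64 -d > /etc/afsadmin.keytab'`. The same applies to the "Copy keytab files in place" task in rsync.yaml. The permissions task's body lies outside this hunk, so the final mode is not visible here.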
@@ -18,11 +18,11 @@
 - yum-puppetlabs
 - name: Copy keytab files in place
- shell: 'echo {{ lookup("vars", "mirror_update_keytab_" + item) }} | base64 -d > /etc/{{ item }}.keytab'
+ shell: 'echo "{{ lookup("vars", "mirror_update_keytab_" + item) }}" | base64 -d > /etc/{{ item }}.keytab'
 args:
 creates: '/etc/{{ item }}.keytab'
 loop: '{{ rsync_update_scripts }}'
-# no_log: True
+ no_log: True
 - name: Ensure keytab permissions
 file:
diff --git a/playbooks/zuul/templates/host_vars/mirror-update01.opendev.org.yaml.j2 b/playbooks/zuul/templates/host_vars/mirror-update01.opendev.org.yaml.j2
index 8b5bfd472f..c54cb3860e 100644
--- a/playbooks/zuul/templates/host_vars/mirror-update01.opendev.org.yaml.j2
+++ b/playbooks/zuul/templates/host_vars/mirror-update01.opendev.org.yaml.j2
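Review bot: Because the task is guarded by `creates: '/etc/{{ item }}.keytab'`, a run in which `base64 -d` fails still leaves the file behind, since the redirect creates it before decoding starts. Every later run then skips the task, so a truncated or empty keytab would persist, and a rotated key would likewise never reach an already-provisioned host. Decoding to a temporary name and renaming only on success avoids the first case, e.g. `base64 -d > /etc/{{ item }}.keytab.tmp && mv /etc/{{ item }}.keytab.tmp /etc/{{ item }}.keytab`. The "Install afsadmin keytab" task in main.yaml uses the same guard. With `no_log: True` now set, a failed decode is also harder to spot in the job output.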
@@ -1,12 +1,18 @@
 mirror_update_keytab_afsadmin: |-
- AQIDBAUGBwgJEBESExQVFm9wZW5kZXYub3JnIHNhbXBsZSBrZXl0YWIWFRQTEhEQCQgHBgUEAwIB
+ aEkRPhZllm2F2y71Zgf3X9NjyHT7/sS8bd/vXt9oG1PKkUmpeBXprFnrxzMuKiupHwwTa09w5LuB
+ blLvBOC8W5Miz1u6TkRe+/jLQurLpzYHwk3bJCJ6s3WwPKDej54TDVgrVQ==
 mirror_update_keytab_centos: |-
- AQIDBAUGBwgJEBESExQVFm9wZW5kZXYub3JnIHNhbXBsZSBrZXl0YWIWFRQTEhEQCQgHBgUEAwIB
+ aEkRPhZllm2F2y71Zgf3X9NjyHT7/sS8bd/vXt9oG1PKkUmpeBXprFnrxzMuKiupHwwTa09w5LuB
+ blLvBOC8W5Miz1u6TkRe+/jLQurLpzYHwk3bJCJ6s3WwPKDej54TDVgrVQ==
 mirror_update_keytab_epel: |-
- AQIDBAUGBwgJEBESExQVFm9wZW5kZXYub3JnIHNhbXBsZSBrZXl0YWIWFRQTEhEQCQgHBgUEAwIB
+ aEkRPhZllm2F2y71Zgf3X9NjyHT7/sS8bd/vXt9oG1PKkUmpeBXprFnrxzMuKiupHwwTa09w5LuB
+ blLvBOC8W5Miz1u6TkRe+/jLQurLpzYHwk3bJCJ6s3WwPKDej54TDVgrVQ==
 mirror_update_keytab_fedora: |-
- AQIDBAUGBwgJEBESExQVFm9wZW5kZXYub3JnIHNhbXBsZSBrZXl0YWIWFRQTEhEQCQgHBgUEAwIB
+ aEkRPhZllm2F2y71Zgf3X9NjyHT7/sS8bd/vXt9oG1PKkUmpeBXprFnrxzMuKiupHwwTa09w5LuB
+ blLvBOC8W5Miz1u6TkRe+/jLQurLpzYHwk3bJCJ6s3WwPKDej54TDVgrVQ==
 mirror_update_keytab_opensuse: |-
- AQIDBAUGBwgJEBESExQVFm9wZW5kZXYub3JnIHNhbXBsZSBrZXl0YWIWFRQTEhEQCQgHBgUEAwIB
+ aEkRPhZllm2F2y71Zgf3X9NjyHT7/sS8bd/vXt9oG1PKkUmpeBXprFnrxzMuKiupHwwTa09w5LuB
+ blLvBOC8W5Miz1u6TkRe+/jLQurLpzYHwk3bJCJ6s3WwPKDej54TDVgrVQ==
 mirror_update_keytab_yum-puppetlabs: |-
- AQIDBAUGBwgJEBESExQVFm9wZW5kZXYub3JnIHNhbXBsZSBrZXl0YWIWFRQTEhEQCQgHBgUEAwIB
+ aEkRPhZllm2F2y71Zgf3X9NjyHT7/sS8bd/vXt9oG1PKkUmpeBXprFnrxzMuKiupHwwTa09w5LuB
+ blLvBOC8W5Miz1u6TkRe+/jLQurLpzYHwk3bJCJ6s3WwPKDej54TDVgrVQ==
diff --git a/testinfra/test_mirror-update.py b/testinfra/test_mirror-update.py
index 9eb762dfa0..d37cbe37b9 100644
--- a/testinfra/test_mirror-update.py
+++ b/testinfra/test_mirror-update.py
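Review bot: All six `mirror_update_keytab_*` test values are the same string, so a single expected hash (presumably compared against each installed file; the test bodies are not visible here) cannot tell whether the rsync.yaml loop installed the keytab belonging to each `item` or a different one. Giving each variable its own random value, with a matching per-file expected hash, would let the test catch a mis-built `lookup("vars", ...)` name. A leading comment such as `# Random bytes for CI only, not a real keytab` would also stop reviewers and secret scanners from treating these blobs as leaked credentials.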
@@ -16,7 +16,7 @@ testinfra_hosts = ['mirror-update01.opendev.org']
 # Manually calculated from the "secret" value in the test host vars
-KEYTAB_SHA256 = '8f4e9384338ffa41b927ed3c15463512384cb7268693a7c60c1e1254f690b7d0'
+KEYTAB_SHA256 = '88d4ac38ad3da024913843d8917d5be89ceac4abef7b977718f2c3f1db3ccde4'
 def test_tools(host):
 f = host.file('/usr/bin/k5start')
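Review bot: The comment above `KEYTAB_SHA256` says the value was calculated manually but not how, so the next fixture change has no recipe to follow and a stale hash would only show up as a failed job. Naming the source and the method would help, e.g. `# sha256 of the base64-decoded mirror_update_keytab_* value in playbooks/zuul/templates/host_vars/mirror-update01.opendev.org.yaml.j2`. The tests that consume the constant are outside this hunk.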