tatu/files/user-cloud-config
Pino de Candia 3a5a9fbe03 Devstack fixes; configurable API address for VMs; documentation refresh.
Change-Id: I1438d8c954f76f15afae33c92473b846d40ebe3d
Signed-off-by: Pino de Candia <giuseppe.decandia@gmail.com>
2018-03-09 16:52:36 +00:00

121 lines
5.3 KiB
Plaintext
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

#cloud-config
mounts:
- [ /dev/disk/by-label/config-2, /mnt/config ]
write_files:
- path: /root/tatu-setup-ssh.sh
permissions: '0700'
owner: root:root
content: |
#!/bin/bash
# Name: tatu-setup-ssh.sh
#
# Purpose: Fetch a SSH host cert from Tatu and configure SSH to use certs.
metadata=$(cat /mnt/config/openstack/latest/meta_data.json)
auth_id=$(echo $metadata | grep -Po 'project_id": "\K[^"]*')
if [ -z $auth_id ]; then
echo Failed to extract the project ID from metadata
exit 1
fi
echo auth_id=$auth_id
host_id=$(echo $metadata | grep -Po 'uuid": "\K[^"]*')
echo host_id=$host_id
vendordata=$(cat /mnt/config/openstack/latest/vendor_data2.json)
token=$(echo $vendordata | grep -Po '"token": "\K[^"]*')
if [ -z $token ]; then
echo Failed to extract the Tatu token ID from vendordata
exit 1
fi
echo token=$token
ca_user=$(echo $vendordata | grep -Po '"auth_pub_key_user": "\K[^"]*')
echo ca_user=$ca_user
echo $ca_user > /etc/ssh/ca_user.pub
#root_principals=$(echo $vendordata | grep -Po '"root_principals": "\K[^"]*')
#echo root_principals=$root_principals
users=$(echo $vendordata | grep -Po '"users": "\K[^"]*')
echo users=$users
sudoers=$(echo $vendordata | grep -Po '"sudoers": "\K[^"]*')
echo sudoers=$sudoers
ssh_port=$(echo $vendordata | grep -Po '"ssh_port": \K[^,]*')
echo ssh_port=$ssh_port
host_pub_key=$(cat /etc/ssh/ssh_host_rsa_key.pub)
echo host public key is $host_pub_key
data=$(echo {\"token_id\": \"$token\", \"host_id\": \"$host_id\", \"pub_key\": \"$host_pub_key\"})
echo $data > /tmp/tatu_cert_request.json
api=$(echo $vendordata | grep -Po '"api_endpoint": \K[^"]*')
url=$api/noauth/hostcerts
echo Posting Host Certificate request to Tatu API at $url
response=$(curl -s -w "%{http_code}" -d "@/tmp/tatu_cert_request.json" -X POST $url)
code=${response##*\}}
if [ "$code" != "200" ]; then
echo Curl to Tatu API failed with code $code
exit 1
fi
echo Tatu response is $response
cert=$(echo $response | grep -Po 'cert": "\K[^"]*')
cert=${cert%%\\n} # TODO: fix the trailing \n on the server side.
echo $cert > /etc/ssh/ssh_host_rsa_key-cert.pub
mkdir -p /etc/ssh/auth_principals
#root_principals_file=/etc/ssh/auth_principals/root
#> $root_principals_file
#for i in ${root_principals//,/ }
#do
# echo $i >> $root_principals_file
#done
for i in ${users//,/ }; do
id -u $i > /dev/null 2>&1
if [ $? == 1 ]; then
#adduser --disabled-password --gecos '' $i
adduser $i
fi
done
for i in ${sudoers//,/ }; do
if [ $(getent group sudo) ]; then
usermod -aG sudo $i
fi
if [ $(getent group wheel) ]; then
usermod -aG wheel $i
fi
done
sed -i -e '$aTrustedUserCAKeys /etc/ssh/ca_user.pub' /etc/ssh/sshd_config
# man sshd_config, under AuthorizedPrincipalsFile: The default is none, i.e. not to use a principals file
# in this case, the username of the user must appear in a certificate's principals list for it to be accepted.
#sed -i -e '$aAuthorizedPrincipalsFile /etc/ssh/auth_principals/%u' /etc/ssh/sshd_config
sed -i -e '$aHostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub' /etc/ssh/sshd_config
sed -i -e '/^PasswordAuthentication /d' /etc/ssh/sshd_config
sed -i -e '$aPasswordAuthentication no' /etc/ssh/sshd_config
> /etc/ssh/revoked-keys
sed -i -e '$aRevokedKeys /etc/ssh/revoked-keys' /etc/ssh/sshd_config
sed -i -e '$aPort '"$ssh_port" /etc/ssh/sshd_config
sed -i -e '$aPort 22' /etc/ssh/sshd_config
setenforce permissive
systemctl restart sshd
- path: /root/tatu-manage-revoked-keys.sh
permissions: '0700'
owner: root:root
content: |
#!/bin/bash
# Name: tatu-manage-revoked-keys.sh
#
# Purpose: Fetch the revoked keys data from Tatu and write it to /etc/ssh
# !/usr/bin/env python
metadata=$(cat /mnt/config/openstack/latest/meta_data.json)
auth_id=$(echo $metadata | grep -Po 'project_id": "\K[^"]*')
echo auth_id=$auth_id
vendordata=$(cat /mnt/config/openstack/latest/vendor_data2.json)
api=$(echo $vendordata | grep -Po '"api_endpoint": \K[^"]*')
url=$api/noauth/revokeduserkeys/$auth_id
echo Fetching revoked user keys from Tatu API at $url
response=$(curl -s -w "%{http_code}" $url)
code=${response##*\}}
if [ "$code" != "200" ]; then
echo Curl to Tatu API failed with code $code
exit 1
fi
echo Tatu response is $response
b64revoked=$(echo $response | grep -Po 'revoked_keys_data": "\K[^"]*')
echo $b64revoked | base64 -d > /etc/ssh/revoked-keys
runcmd:
- /root/tatu-setup-ssh.sh > /var/log/tatu-setup-ssh.log 2>&1
- /root/tatu-manage-revoked-keys.sh > /var/log/tatu-revoked-keys.log
- crontab -l | { cat; echo "* * * * * /root/tatu-manage-revoked-keys.sh >> /var/log/tatu-revoked-keys.log"; } | crontab -