Andrew Bogott has submitted this change and it was merged.
Change subject: Labs: Generate/store root passwords for instances
......................................................................
Labs: Generate/store root passwords for instances
Each project will have a root password that applies to all
project instances. The password is stored in
/var/local/instance-root/passwords/$projectname on the labs
puppetmaster.
Passwords are automatically regenerated if the file is missing,
so removing the password file is an easy way to reset passwords
if needed.
Bug: T142216
Change-Id: Ia9eb2bdb5879fe074ecb9e175f57f3849ff52821
---
M modules/base/manifests/labs.pp
A modules/puppetmaster/files/make-labs-root-password
A modules/puppetmaster/manifests/labsrootpass.pp
M modules/role/manifests/labs/puppetmaster.pp
4 files changed, 58 insertions(+), 0 deletions(-)
Approvals:
Andrew Bogott: Looks good to me, approved
jenkins-bot: Verified
diff --git a/modules/base/manifests/labs.pp b/modules/base/manifests/labs.pp
index 74a82d0..83afb42 100644
--- a/modules/base/manifests/labs.pp
+++ b/modules/base/manifests/labs.pp
@@ -49,4 +49,9 @@
user => 'root',
}
}
+
+ # Create a root password and store it on the puppetmaster
+ user { 'root':
+ password => generate('/usr/local/sbin/make-labs-root-password',
$::labsproject)
+ }
}
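Review bot: `$::labsproject` goes straight into `generate()` on the `password =>` line with no validation, and the script then uses it as a file name (`$DIRECTORY/$PROJECT`). If that variable can be influenced by the client, a value containing `/` or `..` would make the puppetmaster read or create a file outside the password directory. Suggest checking it against the allowed project-name pattern before the call and failing the compile otherwise.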
diff --git a/modules/puppetmaster/files/make-labs-root-password
b/modules/puppetmaster/files/make-labs-root-password
new file mode 100644
index 0000000..86a1649
--- /dev/null
+++ b/modules/puppetmaster/files/make-labs-root-password
@@ -0,0 +1,24 @@
+#!/bin/sh
+alias errcho='>&2 echo'
+
+PROJECT=$1
+DIRECTORY=/var/local/labs-root-passwords
+
+if [ -z "$PROJECT" ]; then
+ errcho "No project name specified."
+ exit 1
+fi
+
+if [ ! -d "$DIRECTORY" ]; then
+ errcho "Directory for passwords not found."
+ exit 1
+fi
+
+if [ -f $DIRECTORY/$PROJECT ]; then
+ PASSWORD=$(cat $DIRECTORY/$PROJECT)
+else
+ PASSWORD=$(pwgen -sy 16 1)
+ umask 027
+ echo $PASSWORD > $DIRECTORY/$PROJECT
+fi
+mkpasswd -m sha-512 $PASSWORD
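Review bot: `$PASSWORD` and `$DIRECTORY/$PROJECT` are expanded unquoted in the `-f` test, the `cat`, the `echo $PASSWORD >` line and the final `mkpasswd` call. `pwgen -sy` emits symbols, so a password containing `*`, `?` or `[` can be glob-expanded and one starting with `-` can be taken as an option, which means the stored plaintext and the hashed value may not match. Quote every expansion and write the file with `printf '%s\n' "$PASSWORD"`. Passing the plaintext as an argument to `mkpasswd` also exposes it in the process list; `mkpasswd -m sha-512 --stdin` avoids that. Two smaller points: `umask 027` leaves the new file group-readable where `077` would match the 0700 directory, and `mkpasswd` without a fixed salt returns a different hash on every call, so the `user { 'root': }` resource will report a change on each agent run.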
diff --git a/modules/puppetmaster/manifests/labsrootpass.pp
b/modules/puppetmaster/manifests/labsrootpass.pp
new file mode 100644
index 0000000..6599ef0
--- /dev/null
+++ b/modules/puppetmaster/manifests/labsrootpass.pp
@@ -0,0 +1,28 @@
+# Class: puppetmaster::labsrootpass
+#
+# Set up a script to generate root passwords for puppet clients
+#
+# Used in labs instance roles like this:
+#
+# user { 'root':
+# password => generate('/usr/local/sbin/make-labs-root-password',
$::labsproject)
+# }
+#
+
+class puppetmaster::labsrootpass {
+
+ require_package('pwgen')
+
+ file { '/usr/local/sbin/make-labs-root-password':
+ ensure => 'present',
+ owner => 'root',
+ group => 'root',
+ mode => '0555',
+ source => 'puppet:///modules/puppetmaster/make-labs-root-password'
+ }
+
+ file { '/var/local/labs-root-passwords':
+ ensure => 'directory',
+ mode => '0700',
+ }
+}
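Review bot: the class only has `require_package('pwgen')`, but the script it installs also calls `mkpasswd`, which on Debian and Ubuntu ships in the `whois` package; add that package so the script does not depend on it being installed by something else. The `file { '/var/local/labs-root-passwords': }` resource sets `mode => '0700'` without `owner` or `group`; set both to `root` explicitly, as the script resource above it does. The directory path here also differs from the one given in the commit message (`/var/local/instance-root/passwords/$projectname`), so one of the two should be corrected.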
diff --git a/modules/role/manifests/labs/puppetmaster.pp
b/modules/role/manifests/labs/puppetmaster.pp
index c394c2a..7e42fe6 100644
--- a/modules/role/manifests/labs/puppetmaster.pp
+++ b/modules/role/manifests/labs/puppetmaster.pp
@@ -4,6 +4,7 @@
include network::constants
include ldap::role::config::labs
+ include puppetmaster::labsrootpass
$labs_metal = hiera('labs_baremetal_servers', [])
$ldapconfig = $ldap::role::config::labs::ldapconfig
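Review bot: `include puppetmaster::labsrootpass` is added only to this role, while the `generate()` call in `modules/base/manifests/labs.pp` runs on whichever master compiles the catalog. If any labs instance is compiled by a master that does not carry this role, the script and directory will be missing there and compilation will fail; either include the class on those masters too or guard the `generate()` call.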
--
To view, visit https://gerrit.wikimedia.org/r/303617
Gerrit-MessageType: merged
Gerrit-Change-Id: Ia9eb2bdb5879fe074ecb9e175f57f3849ff52821
Gerrit-PatchSet: 6
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Andrew Bogott <[email protected]>
Gerrit-Reviewer: Andrew Bogott <[email protected]>
Gerrit-Reviewer: Faidon Liambotis <[email protected]>
Gerrit-Reviewer: Gehel <[email protected]>
Gerrit-Reviewer: jenkins-bot <>