Madhuvishy has submitted this change and it was merged. ( 
https://gerrit.wikimedia.org/r/391619 )

Change subject: firstboot: Prevent non-root users from logging in during 
instance set up
......................................................................


firstboot: Prevent non-root users from logging in during instance set up

Bug: T171508
Change-Id: Id3afe6fb9668baf9598b08e79c566f0d7d1b2704
---
M modules/labs_bootstrapvz/files/firstboot.sh
M modules/labs_vmbuilder/files/firstboot.sh
2 files changed, 9 insertions(+), 6 deletions(-)

Approvals:
  Madhuvishy: Looks good to me, approved
  Rush: Looks good to me, but someone else must approve
  jenkins-bot: Verified



diff --git a/modules/labs_bootstrapvz/files/firstboot.sh 
b/modules/labs_bootstrapvz/files/firstboot.sh
index abd6155..5dec237 100644
--- a/modules/labs_bootstrapvz/files/firstboot.sh
+++ b/modules/labs_bootstrapvz/files/firstboot.sh
@@ -3,7 +3,9 @@
 set -x
 
 # Prevent non-root logins while the VM is being setup
-echo "VM is work in progress" > /etc/nologin
+# The ssh-key-ldap-lookup script rejects non-root user logins if this file
+# is present.
+echo "VM is work in progress" > /etc/block-ldap-key-lookup
 
 echo 'Enabling console logging for puppet while it does the initial run'
 echo 'daemon.* |/dev/console' > /etc/rsyslog.d/60-puppet.conf
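Review bot: The new comment at the top of this hunk understates how much narrower this gate is than the `/etc/nologin` it replaces. `/etc/nologin` is honoured by the login stack for every non-root account, whereas `/etc/block-ldap-key-lookup` only has an effect if the ssh-key-ldap-lookup script already on the image checks for it, and that script is not part of this change. Keys that do not come from that lookup (for example a local authorized_keys file) and non-SSH logins would presumably no longer be held back during setup. I would say so in the comment, e.g. `# Only gates keys served by ssh-key-ldap-lookup; unlike /etc/nologin it does not block other login paths.`, and confirm the image ships a lookup script that checks the file before firstboot runs. The same applies to the first hunk of modules/labs_vmbuilder/files/firstboot.sh.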
@@ -188,7 +190,7 @@
 until [ $mount_attempts -gt 10 ]
 do
     echo "Ensuring all NFS mounts are mounted, attempt ${mount_attempts}"
-    echo "Ensuring all NFS mounts are mounted, attempt ${mount_attempts}" >> 
/etc/nologin
+    echo "Ensuring all NFS mounts are mounted, attempt ${mount_attempts}" >> 
/etc/block-ldap-key-lookup
     ((mount_attempts++))
     /usr/bin/timeout --preserve-status -k 10s 20s /bin/mount -a && break
     # Sleep for 10s before next attempt
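Review bot: The progress line appended to `/etc/block-ldap-key-lookup` inside this loop probably no longer reaches anyone. With `/etc/nologin` the file's contents were shown to the user whose login was refused, but nothing in this diff shows ssh-key-ldap-lookup reading or relaying the marker's contents, so the append may be dead output. Either drop the `>>` line and keep the plain `echo`, or add a comment such as `# ssh-key-ldap-lookup reports this file's contents on rejection` if that is what it does. The `until` loop starts before and ends after this hunk, and the identical append in modules/labs_vmbuilder/files/firstboot.sh has the same issue.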
@@ -201,4 +203,4 @@
 puppet agent -t
 
 # Remove the non-root login restriction
-rm /etc/nologin
+rm /etc/block-ldap-key-lookup
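Review bot: This `rm` is the only place in the diff where the restriction is lifted, and it sits after `puppet agent -t` at the end of the script. If firstboot is interrupted before this line is reached, the marker stays in /etc and LDAP-key users remain locked out until root removes it by hand. That is a reasonable fail-closed default, but it is not written down. I would add `# If firstboot never gets here, root must remove this file to re-enable LDAP-key logins.` and use `rm -f /etc/block-ldap-key-lookup` so an already-missing file does not show up as an error in the `set -x` trace. The last hunk of the vmbuilder copy is the same.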
diff --git a/modules/labs_vmbuilder/files/firstboot.sh 
b/modules/labs_vmbuilder/files/firstboot.sh
index 5971568..b674043 100644
--- a/modules/labs_vmbuilder/files/firstboot.sh
+++ b/modules/labs_vmbuilder/files/firstboot.sh
@@ -2,7 +2,8 @@
 set -x
 
 # Prevent non-root logins while the VM is being setup
-echo "VM is work in progress" > /etc/nologin
+# The ssh-key-ldap-lookup script rejects user logins when this file is present
+echo "VM is work in progress" > /etc/block-ldap-key-lookup
 
 echo 'Enabling console logging for puppet while it does the initial run'
 echo 'daemon.* |/dev/console' > /etc/rsyslog.d/60-puppet.conf
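Review bot: The added comment here says the lookup script "rejects user logins", while the bootstrapvz copy of the same line says "non-root user logins". Both scripts write the same marker for the same lookup script, so the two comments should state the same scope. I would use the bootstrapvz wording here as well: `# The ssh-key-ldap-lookup script rejects non-root user logins if this file is present.`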
@@ -121,7 +122,7 @@
 until [ $mount_attempts -gt 10 ]
 do
     echo "Ensuring all NFS mounts are mounted, attempt ${mount_attempts}"
-    echo "Ensuring all NFS mounts are mounted, attempt ${mount_attempts}" >> 
/etc/nologin
+    echo "Ensuring all NFS mounts are mounted, attempt ${mount_attempts}" >> 
/etc/block-ldap-key-lookup
     ((mount_attempts++))
     /usr/bin/timeout --preserve-status -k 10s 20s /bin/mount -a && break
     # Sleep for 10s before next attempt
@@ -134,4 +135,4 @@
 puppet agent -t
 
 # Remove the non-root login restriction
-rm /etc/nologin
+rm /etc/block-ldap-key-lookup

-- 
To view, visit https://gerrit.wikimedia.org/r/391619

Gerrit-MessageType: merged
Gerrit-Change-Id: Id3afe6fb9668baf9598b08e79c566f0d7d1b2704
Gerrit-PatchSet: 3
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Madhuvishy <[email protected]>
Gerrit-Reviewer: Madhuvishy <[email protected]>
Gerrit-Reviewer: Rush <[email protected]>
Gerrit-Reviewer: jenkins-bot <>
