FYI: wrote YUM plugin and posted it on spacewalk-devel list, tested on my hosts
- it works - code below.
While RHN has a limitation on locking the host from the Web UI, a user is still
able to run yum operations from the host (granted the user has proper access).
I wrote a simple YUM plugin to check if the host is locked in RHN and if it is,
prevent yum usage on the host.
Needless to say, this is proof of concept and my python skills are lacking,
nevertheless it works.
TODO:
* Move Authentication part into config - easy to do but not secure
* Use alternative method of authentication used by rhnplugin - need to see how
that can be done - if at all possible
I need help with understanding how I can leverage rhnplugin type of auth with
RHN Lock Yum Plugin.
The proof of concept code is below - if you could make any suggestions and
improvements - it would be appreciated.
Thanks
ilya
----------- /etc/yum/pluginconf.d/rhnlockplugin.conf --------
[main]
enabled=1
------------
---------- /usr/share/yum-plugins/rhnlockplugin.py ----------
from yum.plugins import PluginYumExit, TYPE_CORE, TYPE_INTERACTIVE
from xml.dom import minidom
import xmlrpclib

requires_api_version = '2.3'
plugin_type = (TYPE_CORE, TYPE_INTERACTIVE)


def init_hook(conduit):
    conduit.info(2, 'Checking if system is locked in RHN/Spacewalk')
    # Hard-coded Satellite/Spacewalk credentials (see TODO above)
    SATELLITE_URL = "http://spacewalk.hostname.com/rpc/api"
    SATELLITE_LOGIN = "admin"
    SATELLITE_PASSWORD = "password"
    client = xmlrpclib.Server(SATELLITE_URL, verbose=0)
    key = client.auth.login(SATELLITE_LOGIN, SATELLITE_PASSWORD)

    #----------------------------------------------------------------------
    def getSystemID(xml):
        """
        Return the numeric system ID stored in the systemid file
        """
        doc = minidom.parse(xml)
        members = doc.getElementsByTagName("member")
        for member in members:
            name = member.getElementsByTagName("name")[0].firstChild.data
            if name == "system_id":
                value = \
                    member.getElementsByTagName("string")[0].firstChild.data
                return value.replace("ID-", "")
        raise PluginYumExit('ERROR: no system_id found in %s' % xml)

    def getLockStatus(sysID):
        """
        Function to check if the host is locked
        """
        details = client.system.getDetails(key, int(sysID))
        if details['lock_status']:
            raise PluginYumExit('ERROR: Skipping RHN/Spacewalk locked system: %s' % sysID)
        else:
            print "NOTE: This host is not locked in RHN/Spacewalk"

    systemIDfile = '/etc/sysconfig/rhn/systemid'
    try:
        mySystemID = getSystemID(systemIDfile)
        getLockStatus(mySystemID)
    finally:
        # log out even when PluginYumExit is raised, so the session
        # is not left open on the server
        client.auth.logout(key)
-----------------------------------
________________________________________
From: [email protected] [[email protected]] On
Behalf Of Musayev, Ilya [[email protected]]
Sent: Thursday, June 07, 2012 2:45 PM
To: [email protected]
Subject: Re: [Spacewalk-list] how to block yum usage on client systems
An example, various business units have their own developers/admins that
require root on their own servers which run in their own SILOs.
The right way of deploying RPMs in house is through an intermediary utility
such as opsware SA. Through that, we can reproduce and keep the state of the
box consistent. If the box was to die, a new one comes up online and the same
RPMs+configs (via software policy created on opsware) will be installed - end
of story - box is ready to be used.
If we loosen the access now with spacewalk, then rogue elements will take
shortcuts and quickly deploy this or that RPM - because it's convenient.
In the long term - not easily reproducible and will create a mess - especially
when the count of servers is in the 1000s.
I agree there are many ways to poke a hole and get around YUM, but restricting
YUM via spacewalk - would at least give some peace of mind - knowing - no one
deployed and installed something that would not be easily reproducible in the
future.
It's a business mindset - I don't disagree with it - and I have to work with it.
________________________________________
From: [email protected] [[email protected]] On
Behalf Of Brian Collins [[email protected]]
Sent: Thursday, June 07, 2012 1:48 PM
To: [email protected]
Subject: Re: [Spacewalk-list] how to block yum usage on client systems
> My issue is identical to yours.
>
> I'm afraid to give users YUM access as they will begin Installing stuff left
> and
> right, bypassing the other system we use for package deployment - HP SA
> (aka Opsware).
If they have root, they can also just go grab tarballs, make them, and install
them. Or they can wget pre-built RPMs and install them using 'RPM'. The real
problem is that you have users with root access whom you do not trust. THAT is
the problem to fix. Either trust them or remove root from them.
Also, what software might they install that you do not want them having?
--Brian Collins
_______________________________________________
Spacewalk-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/spacewalk-list
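Added example, not the list post's plugin and not Spacewalk's code: the two pieces of the lock check above, the systemid parsing and the lock decision, separated from the live XML-RPC session so they can be exercised offline, with the decision failing closed when the id cannot be read or the server cannot be reached (an unreachable Spacewalk then does not quietly lift the lock). The XML-RPC client and the systemid document are constructed stand-ins, and parse_system_id and should_block are assumed names; it runs on Python 2 or 3.

```python
from xml.dom import minidom

def parse_system_id(systemid_xml):
    """Return the numeric system id from a /etc/sysconfig/rhn/systemid
    document, or None when the system_id member is missing."""
    doc = minidom.parseString(systemid_xml)
    for member in doc.getElementsByTagName("member"):
        name = member.getElementsByTagName("name")[0].firstChild.data
        if name.strip() == "system_id":
            value = member.getElementsByTagName("string")[0].firstChild.data
            return int(value.strip().replace("ID-", ""))
    return None

def should_block(client, key, systemid_xml, fail_closed=True):
    """Decide whether yum should refuse to run on this host.  Any failure
    to read the id or to reach the server counts as locked when fail_closed
    is set, so a parse error or network error cannot bypass the lock."""
    try:
        sys_id = parse_system_id(systemid_xml)
        if sys_id is None:
            raise ValueError("no system_id member in systemid file")
        details = client.system.getDetails(key, sys_id)
        return bool(details["lock_status"])
    except Exception:
        return fail_closed

class FakeSystemApi(object):
    """Constructed stand-in for the client.system XML-RPC namespace."""
    def __init__(self, locked, reachable=True):
        self.locked, self.reachable = locked, reachable

    def getDetails(self, key, sys_id):
        if not self.reachable:
            raise IOError("connection refused")
        return {"id": sys_id, "lock_status": self.locked}

class FakeClient(object):
    """Constructed stand-in for xmlrpclib.Server(SATELLITE_URL)."""
    def __init__(self, locked, reachable=True):
        self.system = FakeSystemApi(locked, reachable)

# constructed systemid document in the shape of the real file
SYSTEMID_XML = """<?xml version="1.0"?>
<params><param><value><struct>
<member><name>system_id</name><value><string>ID-1000010000</string></value></member>
</struct></value></param></params>"""
```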