Author: arkurth
Date: Tue May  5 18:12:52 2009
New Revision: 771949

URL: http://svn.apache.org/viewvc?rev=771949&view=rev
Log:
VCL-125
Added ability to retrieve the value from the imagemeta.rootaccess column in 
DataStructure.pm and utils.pm::get_imagemeta_info().

Modified Windows_mod.pm::create_user() to check the rootaccess value and only 
add the user to the Administrators group if rootaccess is enabled.

Added apply_security_templates() sub in utils.pm after encountering a problem 
where a user could not log in if not in the Administrators group due to a 
corrupt security database on the machine. Reapplying security template files 
with secedit.exe fixed the problem. This sub also adds the ability to apply 
security settings automatically during image capture.

Added call to apply_security_templates() to Windows_mod.pm::pre_capture().


VCL-135
Updated file header and footer in utils.pm and DataStructure.pm.
Removed a section which was already commented out in utils.pm::hostname() 
referencing an NCSU DNS domain name.
Changed utils.pm::get_request_info() to set the default sitewwwaddress to 
http://cwiki.apache.org/VCL and helpaddress to vcl-u...@incubator.apache.org 
instead of NCSU addresses.


Other
Fixed bug in utils.pm::_sshd_status() where it was returning "on" if the test 
ssh command completely failed and returned undefined. It now returns off if it 
fails in this manner. 

Fixed minor bug in utils.pm::format_data() if an empty array was passed to it.

Modified:
    incubator/vcl/trunk/managementnode/lib/VCL/DataStructure.pm
    incubator/vcl/trunk/managementnode/lib/VCL/Module/OS/Windows_mod.pm
    incubator/vcl/trunk/managementnode/lib/VCL/utils.pm

Modified: incubator/vcl/trunk/managementnode/lib/VCL/DataStructure.pm
URL: 
http://svn.apache.org/viewvc/incubator/vcl/trunk/managementnode/lib/VCL/DataStructure.pm?rev=771949&r1=771948&r2=771949&view=diff
==============================================================================
--- incubator/vcl/trunk/managementnode/lib/VCL/DataStructure.pm (original)
+++ incubator/vcl/trunk/managementnode/lib/VCL/DataStructure.pm Tue May  5 
18:12:52 2009
@@ -1,5 +1,7 @@
 #!/usr/bin/perl -w
-
+###############################################################################
+# $Id$
+###############################################################################
 # Licensed to the Apache Software Foundation (ASF) under one or more
 # contributor license agreements.  See the NOTICE file distributed with
 # this work for additional information regarding copyright ownership.
@@ -14,10 +16,7 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
-
-##############################################################################
-# $Id$
-##############################################################################
+###############################################################################
 
 =head1 NAME
 
@@ -362,6 +361,7 @@
 $SUBROUTINE_MAPPINGS{imagemeta_subimages}            = 
'$self->request_data->{reservation}{RESERVATION_ID}{image}{imagemeta}{subimages}';
 $SUBROUTINE_MAPPINGS{imagemeta_sysprep}              = 
'$self->request_data->{reservation}{RESERVATION_ID}{image}{imagemeta}{sysprep}';
 $SUBROUTINE_MAPPINGS{imagemeta_usergroupid}          = 
'$self->request_data->{reservation}{RESERVATION_ID}{image}{imagemeta}{usergroupid}';
+$SUBROUTINE_MAPPINGS{imagemeta_rootaccess}           = 
'$self->request_data->{reservation}{RESERVATION_ID}{image}{imagemeta}{rootaccess}';
 $SUBROUTINE_MAPPINGS{imagemeta_usergroupmembercount} = 
'$self->request_data->{reservation}{RESERVATION_ID}{image}{imagemeta}{USERGROUPMEMBERCOUNT}';
 $SUBROUTINE_MAPPINGS{imagemeta_usergroupmembers}     = 
'$self->request_data->{reservation}{RESERVATION_ID}{image}{imagemeta}{USERGROUPMEMBERS}';
 
@@ -1380,18 +1380,16 @@
 1;
 __END__
 
-=head1 BUGS and LIMITATIONS
-
- There are no known bugs in this module.
- Please report problems to the VCL team (vcl_h...@ncsu.edu).
-
-=head1 AUTHOR
+=head1 COPYRIGHT
 
- Aaron Peeler, aaron_pee...@ncsu.edu
- Andy Kurth, andy_ku...@ncsu.edu
+ Apache VCL incubator project
+ Copyright 2009 The Apache Software Foundation
+ 
+ This product includes software developed at
+ The Apache Software Foundation (http://www.apache.org/).
 
 =head1 SEE ALSO
 
-L<http://vcl.ncsu.edu>
+L<http://cwiki.apache.org/VCL/>
 
 =cut

Modified: incubator/vcl/trunk/managementnode/lib/VCL/Module/OS/Windows_mod.pm
URL: 
http://svn.apache.org/viewvc/incubator/vcl/trunk/managementnode/lib/VCL/Module/OS/Windows_mod.pm?rev=771949&r1=771948&r2=771949&view=diff
==============================================================================
--- incubator/vcl/trunk/managementnode/lib/VCL/Module/OS/Windows_mod.pm 
(original)
+++ incubator/vcl/trunk/managementnode/lib/VCL/Module/OS/Windows_mod.pm Tue May 
 5 18:12:52 2009
@@ -220,7 +220,19 @@
 #              notify($ERRORS{'WARNING'}, 0, "unable to delete 'System Startup 
Script' scheduled task");
 #              return 0;
 #      }
-       
+
+=item *
+
+Apply Windows security templates
+
+=cut
+
+       # This find any .inf security template files configured for the OS and 
run secedit.exe to apply them
+       if (!$self->apply_security_templates()) {
+               notify($ERRORS{'WARNING'}, 0, "unable to apply security 
templates");
+               return 0;
+       }
+
 =item *
 
 Disable the pagefile
@@ -996,7 +1008,7 @@
 
        my $management_node_keys = $self->data->get_management_node_keys();
        my $computer_node_name   = $self->data->get_computer_node_name();
-
+       
        # Attempt to get the user array from the arguments
        # If no argument was supplied, use the users specified in the 
DataStructure
        my $user_array_ref = shift;
@@ -1169,6 +1181,7 @@
 
        my $management_node_keys = $self->data->get_management_node_keys();
        my $computer_node_name   = $self->data->get_computer_node_name();
+       my $imagemeta_rootaccess = $self->data->get_imagemeta_rootaccess();
 
        # Attempt to get the username from the arguments
        # If no argument was supplied, use the user specified in the 
DataStructure
@@ -1196,8 +1209,12 @@
 
        # Attempt to add the user account
        my $add_user_command = "net user \"$username\" \"$password\" /ADD  
/EXPIRES:NEVER /COMMENT:\"Account created by VCL\"";
-       $add_user_command .= " && net localgroup \"Administrators\" 
\"$username\" /ADD";
        $add_user_command .= " && net localgroup \"Remote Desktop Users\" 
\"$username\" /ADD";
+       
+       # Add the user to the Administrators group if imagemeta.rootaccess is 1
+       if ($imagemeta_rootaccess != 0) {
+               $add_user_command .= " && net localgroup \"Administrators\" 
\"$username\" /ADD";
+       }
 
        my ($add_user_exit_status, $add_user_output) = 
run_ssh_command($computer_node_name, $management_node_keys, $add_user_command);
        if (defined($add_user_exit_status) && $add_user_exit_status == 0) {
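Review bot: The Administrators grant is gated on `$imagemeta_rootaccess != 0`, which does not match the comment above it ("is 1") and relies on numeric coercion: an undefined value compares as 0 (with a warning under -w), while any other non-zero value grants admin rights. Because this test decides a privilege level, an explicit form is easier to audit, e.g. `if (defined($imagemeta_rootaccess) && $imagemeta_rootaccess == 1) {`. The default added in the utils.pm hunk at -6453 is `'rootaccess' => '1'`, so an image with no stored value appears to receive Administrators membership; a comment there stating that this default is intentional would help. create_user continues outside this hunk.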
@@ -5679,6 +5696,194 @@
 
 #/////////////////////////////////////////////////////////////////////////////
 
+=head2 apply_security_templates
+
+ Parameters  : None
+ Returns     : If successful: true
+               If failed: false
+ Description : Runs secedit.exe to apply the security template files configured
+               for the OS. Windows security template files use the .inf
+               extension.
+               
+               Security templates are always copied from the management node
+               rather than using a copy stored locally on the computer. This
+               allows templates updated centrally to always be applied to the
+               computer. Template files residing locally on the computer are 
not
+               processed.
+               
+               The template files should reside in a directory named "Security"
+               under the OS source configuration directory. An example would 
be:
+               
+               /usr/local/vcl/tools/Windows_XP/Security/xp_security.inf
+               
+               This subroutine supports OS module inheritence meaning that if 
an
+               OS module inherits from another OS module, the security 
templates
+               of both will be applied. The order is from the highest parent
+               class down to any template files configured specifically for the
+               OS module which was instantiated.
+               
+               This allows any Windows OS module to inherit from another class
+               which has security templates defined and override any settings
+               from above.
+               
+               Multiple .inf security template files may be configured for each
+               OS. They will be applied in alphabetical order.
+               
+               Example: Inheritence is configured as follows, with the XP 
module
+               being the instantiated (lowest) class:
+               
+               VCL::Module
+               ^
+               VCL::Module::OS
+               ^
+               VCL::Module::OS::Windows
+               ^
+               VCL::Module::OS::Windows::Version_5
+               ^
+               VCL::Module::OS::Windows::Version_5::XP
+               
+               The XP and Windows classes each have 2 security template files
+               configured in their respective Security directories:
+               
+               /usr/local/vcl/tools/Windows/Security/eventlog_512.inf
+               /usr/local/vcl/tools/Windows/Security/windows_security.inf
+               /usr/local/vcl/tools/Windows_XP/Security/xp_eventlog_4096.inf
+               /usr/local/vcl/tools/Windows_XP/Security/xp_security.inf
+               
+               The templates will be applied in the order shown above. The
+               Windows templates are applied first because it is a parent class
+               of XP. For each class being processed, the files are applied in
+               alphabetical order.
+               
+               Assume in the example above that the Windows module's
+               eventlog_512.inf file configures the event log to be a maximum 
of
+               512 KB and that it is desirable under Windows XP to configure a
+               larger maximum event log size. In order to achieve this,
+               xp_eventlog_4096.inf was placed in XP's Security directory which
+               contains settings to set the maximum size to 4,096 KB. The
+               xp_eventlog_4096.inf file is applied after the eventlog_512.inf
+               file, thus overridding the setting configured in the
+               eventlog_512.inf file. The resultant maximum event log size will
+               be set to 4,096 KB.
+
+=cut
+
+sub apply_security_templates {
+       my $self = shift;
+       unless (ref($self) && $self->isa('VCL::Module')) {
+               notify($ERRORS{'CRITICAL'}, 0, "subroutine can only be called 
as a VCL::Module:: module object method");
+               return; 
+       }
+
+       my $management_node_keys = $self->data->get_management_node_keys();
+       my $computer_node_name   = $self->data->get_computer_node_name();
+       
+       # Get an array containing the configuration directory paths on the 
management node
+       # This is made up of all the the $SOURCE_CONFIGURATION_DIRECTORY values 
for the OS class and it's parent classes
+       # The first array element is the value from the top-most class the OS 
object inherits from
+       my @source_configuration_directories = 
$self->get_source_configuration_directories();
+       if (!...@source_configuration_directories) {
+               notify($ERRORS{'WARNING'}, 0, "unable to retrieve source 
configuration directories");
+               return;
+       }
+       
+       # Loop through the configuration directories for each OS class on the 
management node
+       # Find any .inf files residing under Security
+       my @inf_file_paths;
+       for my $source_configuration_directory 
(@source_configuration_directories) {
+               notify($ERRORS{'OK'}, 0, "checking if any security templates 
exist in: $source_configuration_directory/Security");
+               
+               # Check each source configuration directory for .inf files 
under a Security subdirectory
+               my $find_command = "find 
$source_configuration_directory/Security -name \"*.inf\" | sort -f";
+               my ($find_exit_status, $find_output) = 
run_command($find_command);
+               if (defined($find_exit_status) && $find_exit_status == 0) {
+                       notify($ERRORS{'DEBUG'}, 0, "ran find, output:\n" . 
join("\n", @$find_output));
+                       push @inf_file_paths, @$find_output;
+               }
+               elsif (defined($find_output) && grep(/No such file/i, 
@$find_output)) {
+                       notify($ERRORS{'DEBUG'}, 0, "path does not exist: 
$source_configuration_directory/Security, output:\...@{$find_output}");
+               }
+               elsif (defined($find_exit_status)) {
+                       notify($ERRORS{'WARNING'}, 0, "failed to run find, exit 
status: $find_exit_status, output:\...@{$find_output}");
+                       return;
+               }
+               else {
+                       notify($ERRORS{'WARNING'}, 0, "failed to run ssh 
command to run find");
+                       return;
+               }
+       }
+       
+       # Remove any newlines from the file paths in the array
+       chomp(@inf_file_paths);
+       notify($ERRORS{'DEBUG'}, 0, "security templates will be applied in this 
order:\n" . join("\n", @inf_file_paths));
+       
+       # Make sure the Security directory exists before attempting to copy 
files or SCP will fail
+       if (!$self->create_directory("$NODE_CONFIGURATION_DIRECTORY/Security")) 
{
+               notify($ERRORS{'WARNING'}, 0, "unable to create directory: 
$NODE_CONFIGURATION_DIRECTORY/Security");
+       }
+       
+       # Loop through the .inf files and apply them to the node using 
secedit.exe
+       my $inf_count = 0;
+       my $error_occurred = 0;
+       for my $inf_file_path (@inf_file_paths) {
+               $inf_count++;
+               
+               # Get the name of the file
+               my ($inf_file_name) = $inf_file_path =~ /.*[\\\/](.*)/g;
+               my ($inf_file_root) = $inf_file_path =~ /.*[\\\/](.*).inf/gi;
+               
+               # Construct the target path, prepend a number to indicate the 
order the files were processed
+               my $inf_target_path = 
"$NODE_CONFIGURATION_DIRECTORY/Security/$inf_count\_$inf_file_name";
+               
+               # Copy the file to the node and set the permissions to 644
+               notify($ERRORS{'DEBUG'}, 0, "attempting to copy file to: 
$inf_target_path");
+               if (run_scp_command($inf_file_path, 
"$computer_node_name:$inf_target_path", $management_node_keys)) {
+                       notify($ERRORS{'DEBUG'}, 0, "copied file: 
$computer_node_name:$inf_target_path");
+       
+                       # Set permission on the copied file
+                       if (!run_ssh_command($computer_node_name, 
$management_node_keys, "/usr/bin/chmod.exe -R 644 $inf_target_path", '', '', 
1)) {
+                               notify($ERRORS{'WARNING'}, 0, "could not set 
permissions on $inf_target_path");
+                       }
+               }
+               else {
+                       notify($ERRORS{'WARNING'}, 0, "failed to copy 
$inf_file_path to $inf_target_path");
+                       next;
+               }
+               
+               # Assemble the paths secedit needs
+               my $secedit_exe = '$SYSTEMROOT/System32/secedit.exe';
+               my $secedit_db = '$SYSTEMROOT/security/Database/' . 
"$inf_count\_$inf_file_root.sdb";
+               my $secedit_log = '$SYSTEMROOT/security/Logs/' . 
"$inf_count\_$inf_file_root.log";
+               
+               # The inf path must use backslashes or secedit.exe will fail
+               $inf_target_path =~ s/\//\\\\/g;
+               
+               my $secedit_command = "$secedit_exe /configure /cfg 
\"$inf_target_path\" /db $secedit_db /log $secedit_log /verbose";
+               my ($secedit_exit_status, $secedit_output) = 
run_ssh_command($computer_node_name, $management_node_keys, $secedit_command, 
'', '', 1);
+               if (defined($secedit_exit_status) && $secedit_exit_status == 0) 
{
+                       notify($ERRORS{'OK'}, 0, "ran secedit.exe to apply 
$inf_file_name");
+               }
+               elsif (defined($secedit_exit_status)) {
+                       notify($ERRORS{'WARNING'}, 0, "failed to run 
secedit.exe to apply $inf_target_path, exit status: $secedit_exit_status, 
output:\...@{$secedit_output}");
+                       $error_occurred++;
+               }
+               else {
+                       notify($ERRORS{'WARNING'}, 0, "failed to run SSH 
command to run secedit.exe to apply $inf_target_path");
+                       $error_occurred++;
+               }
+       }
+       
+       if ($error_occurred) {
+               return 0;
+       }
+       else {
+               return 1;
+       }
+       
+}
+
+#/////////////////////////////////////////////////////////////////////////////
+
 1;
 __END__
 
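Review bot: In the copy loop of apply_security_templates(), a failed `run_scp_command` logs a warning and reaches `next` without incrementing `$error_occurred`, so the sub can return 1 although a template was never copied or applied, and pre_capture() then continues the capture without those settings. Adding `$error_occurred++;` before that `next;` would make the return value reflect the failure. Separately, the exit status tested after `find ... | sort -f` is normally that of `sort`, so the "No such file" and failure branches may never run, and if run_command also captures stderr an error line could end up in `@inf_file_paths`; running `find` alone and sorting in Perl would avoid this. The `.inf` in the `$inf_file_root` pattern is unescaped and unanchored; `\.inf$` was probably intended.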

Modified: incubator/vcl/trunk/managementnode/lib/VCL/utils.pm
URL: 
http://svn.apache.org/viewvc/incubator/vcl/trunk/managementnode/lib/VCL/utils.pm?rev=771949&r1=771948&r2=771949&view=diff
==============================================================================
--- incubator/vcl/trunk/managementnode/lib/VCL/utils.pm (original)
+++ incubator/vcl/trunk/managementnode/lib/VCL/utils.pm Tue May  5 18:12:52 2009
@@ -1,5 +1,7 @@
 #!/usr/bin/perl -w
-
+###############################################################################
+# $Id$
+###############################################################################
 # Licensed to the Apache Software Foundation (ASF) under one or more
 # contributor license agreements.  See the NOTICE file distributed with
 # this work for additional information regarding copyright ownership.
@@ -14,10 +16,7 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
-
-##############################################################################
-# $Id$
-##############################################################################
+###############################################################################
 
 =head1 NAME
 
@@ -2872,6 +2871,8 @@
        }
 
        my @sshcmd = run_ssh_command($node, $identity, "uname -s", "root");
+       
+       return "off" if (!defined($sshcmd[0]) || !defined($sshcmd[1]) || 
$sshcmd[0] == 1);
        foreach my $l (@{$sshcmd[1]}) {
                if ($l =~ /^Warning:/) {
                        #if 
(VCL::Module::Provisioning::xCAT::makesshgkh($node)) {
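Review bot: The new early return treats only exit status 1 as a failed probe (`$sshcmd[0] == 1`), so any other non-zero status, such as the 255 that ssh uses for connection errors, still falls through to the output loop and could end in "on". This assumes run_ssh_command passes the status through unchanged, which is not visible here. If no non-zero status should count as a running sshd, `$sshcmd[0] != 0` states that directly; otherwise a one-line comment explaining why 1 is special would help. The rest of _sshd_status is outside this hunk.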
@@ -4243,10 +4244,7 @@
                        foreach $h (@host) {
                                if ($h =~ /([-a-z0-9]*)([.a-z]*)/) {
                                        chomp($h);
-                                       if ($h !~ /ncsu.edu/) {
-                                               #hack
-                                               #$h .= ".hpc.ncsu.edu";
-                                       }
+                                       
                                        @host = ($h, "linux");
                                        return @host;
                                }
@@ -6036,10 +6034,10 @@
 
        # Set the user's affiliation sitewwwaddress and help address if not 
defined or blank
        if (!defined($request_info{user}{affiliation}{sitewwwaddress}) || 
!$request_info{user}{affiliation}{sitewwwaddress}) {
-               $request_info{user}{affiliation}{sitewwwaddress} = 
'http://vcl.ncsu.edu';
+               $request_info{user}{affiliation}{sitewwwaddress} = 
'http://cwiki.apache.org/VCL';
        }
        if (!defined($request_info{user}{affiliation}{helpaddress}) || 
!$request_info{user}{affiliation}{helpaddress}) {
-               $request_info{user}{affiliation}{helpaddress} = 
'vcl_h...@ncsu.edu';
+               $request_info{user}{affiliation}{helpaddress} = 
'vcl-u...@incubator.apache.org';
        }
 
 
@@ -6453,6 +6451,7 @@
                                                                         
'usergroupid'          => '',
                                                                         
'sysprep'              => '1',
                                                                         
'postoption'           => '',
+                                                                        
'rootaccess'           => '1',
                                                                         
'USERGROUPMEMBERS'     => \%default_usergroupmembers,
                                                                         
'USERGROUPMEMBERCOUNT' => 0);
 
@@ -9751,7 +9750,7 @@
 =cut
 
 sub format_data {
-
+       
        my $return_string;
 
        my $level = 0;
@@ -9766,6 +9765,7 @@
        if (ref($_[0]) eq "HASH") {
                $data = $_[0];
                $type = '%';
+               return "%<empty>" if (keys(%{$_[0]}) == 0);
        }
        elsif (ref($_[0]) eq "ARRAY") {
                my $index = 0;
@@ -9774,6 +9774,7 @@
                        $index++;
                }
                $type = '@';
+               return "@<empty>" if (@{$_[0]} == 0);
        }
        elsif (ref($_[0]) eq "SCALAR") {
                $data = $_[0];
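Review bot: The two sentinel returns added to format_data (here and in the hunk at -9766) use double-quoted strings, `"@<empty>"` and `"%<empty>"`. Perl does not interpolate `@<` in this position, but a reader has to know that; single quotes, as in `return '@<empty>' if (@{$_[0]} == 0);`, remove the question. The array check is also placed after the block that ends with `$index++`; moving it to the top of the ARRAY branch would make it read as a guard. Most of format_data lies outside these hunks.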
@@ -10513,18 +10514,16 @@
 1;
 __END__
 
-=head1 BUGS and LIMITATIONS
-
- There are no known bugs in this module.
- Please report problems to the VCL team (vcl_h...@ncsu.edu).
-
-=head1 AUTHOR
+=head1 COPYRIGHT
 
- Aaron Peeler, aaron_pee...@ncsu.edu
- Andy Kurth, andy_ku...@ncsu.edu
+ Apache VCL incubator project
+ Copyright 2009 The Apache Software Foundation
+ 
+ This product includes software developed at
+ The Apache Software Foundation (http://www.apache.org/).
 
 =head1 SEE ALSO
 
-L<http://vcl.ncsu.edu>
+L<http://cwiki.apache.org/VCL/>
 
 =cut

