
add ssh + admin account for every container

master
Jörg Thalheim 7 years ago
parent
commit
4120ca752b
  1. 4
      connection_plugins/lxc/lxc.py
  2. 1
      roles/common/tasks/main.yml
  3. 7
      roles/container/files/authorized_keys
  4. 8
      roles/container/files/bashrc
  5. 1
      roles/container/files/mirrorlist
  6. 1
      roles/container/files/ptmx.conf
  7. 12
      roles/container/files/sshd_config
  8. 92
      roles/container/files/sudoers
  9. 24
      roles/container/tasks/main.yml
  10. 10
      roles/container/tasks/ssh.yml

4
connection_plugins/lxc/lxc.py

@ -48,9 +48,9 @@ class Connection(object):
def _generate_cmd(self, executable, cmd):
if executable:
return [self.lxc_attach, "--name", self.host, "--", executable, "-c", cmd]
return [self.lxc_attach, "-e", "--name", self.host, "--", executable, "-c", cmd]
else:
return "%s --name %s -- %s" % (self.lxc_attach, self.host, cmd)
return "%s -e --name %s -- %s" % (self.lxc_attach, self.host, cmd)
def exec_command(self, cmd, tmp_path, sudo_user=None, sudoable=False, executable="/bin/sh", in_data=None, su=None, su_user=None):
""" run a command on the chroot """

1
roles/common/tasks/main.yml

@ -12,6 +12,7 @@
- the_silver_searcher
- zsh
- git
- sudo
- name: remove deprecated packages
pacman: name={{ item }} state=absent
with_items:

7
roles/container/files/authorized_keys

@ -0,0 +1,7 @@
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC43IBVYIwyhNBGAH8G0NxBecnfXYVhrKQhe0mx1H2UawuYy9HGBfco/q5d8SynlPHla4nQoLIGOm/OUY1Ijksg9W28rjCPfjHxeZ+2JoDLF4Qc9PiaKfW8LuOcgKCbK1jaRn+3Zw0iIK9CuMMpPGSP2QmMIRE5rU7OBfBkxz6Uz0W6IpZXmtXo52Vxlr4IGXDpeMdLLWgG/jD93qYiNLSP3PYiM5H2DbL3d4qpjOiw3h01s4CYAyxAqRWgISCMKyD7denacfSWHl8/7+4E1bBvo+UzTv908046asXcL1i/kwp4q761ocoU6ZNdl2O+Aunro0UQaNHgxik8wtMqmhVj devkid@ThinkPad
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCzdS6xog803ySrz1+hTUYlL89Wbb5p+7hd1WvDXHP4ERICuouVYO/F54saCokpcZBSyMtBC11+Yvk5J+L6pNuDJki04y4fr0HMmIVc5khuvNAiiH/8IFZk9v8uf7dyHVJyKIB+4LFMXuFB5i9gtoTM8WpIu8lYzIK6BEG1xhnfmPrLTWOw4w1Ty3iE93VPt3qRYxsB6Dx4f2n3S0piLQ+sX/aHiDO+MNdZTKJMdzPkqp89b8kF6vRyAp8WuiQDJkZJK+QKG+dvMKAofv7G97eO01TKNLPLqtswDGCnkXjkBrQ2tY7Nq5fannLGKBl+qOu3SRq8FRBaiPDa7uzCV3Vr devkid@desktop
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCqGFihjjWEF8yh/SkFl6vqjYHrYGAfdyqMcHSJdi38i9A6kUwFhAXREQ84PCOZbU35bkeNnZqb1ZATQR/clsTzEE3r3k4KzV6Qh+IYWdwh0QZ1JACOiC8Cv1+AafaCcK1LOzIJzghuoFjLeTvoCwQmc8+XXRsg/mDCAI0HFh5QeyWjVxw76KCPq/FqEBq0Gp+oN3RCKBnEGSa7qAG87rSqfeq1aidNLJi/KqbQ1SfwFhGd/kJqr/rNbnk+1l8Nc+DHOwyIApga+M8EPCrkfXO9yIEBMER3OLxcgyguOEZ42HD6elHKxo0sAH+XBKdEx30kc6zuKtG03OewUprWt8xl s4039299@e04003
ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAFEbRQAxq3GguBZh+O0YdgxLW3zGt4mkw1LLUbn5IQ49qa0jqfnJ/h4Dtvt2i9Pu4/mobB0w+jmFqjqQ5JIoFuFLwD+PxS3CN62hMwAc3mx7cPeXNHa/51PCDmSNNdPFprt4Wi1tyCXedlYAan/bFYYFHAVJLevFNgkCO4IyP/HQTxIPw== joerg@turingmachine
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDmhREPkvzdhHA25RLPfczqbdvuxLTvjmboPNZtVoP/T+hnSyeGsWLSqZBlFIGFs/Hpb2eCwt98NR8j0JgHF4SyB89n9VEa4whbonGVNHceYbxfvIDcFMSYLBy0DYzMpaYesN/YK7leths4NLJqvTpf4by1dps8s/eVgvEkzUk8qgZ0HHdfLeHpP0tBI8tB5jqvGPgquJXG9z++HEKpHBlYlakpQSCn2owZexVKI6cKpUNZkYMVTvUFOlOOYpgHKgiu86t8M+k6Evr1rBFaWhpS1xeXvhLbcbRc3FaQSlIgkFUPYA7hUN3XzCbx6H+oMloJ9u2i3i89p1BtGGSK5EDf Albert@ipad albert
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC/A9QBuYHRvKeueWKQxajqNhp9QOiQjdFTvrt8xG+URd6YHCkYHtCffyU6mftgP7x0jH0/ArHHfQWDujSguAn4UtXO90I4sZ3c01GWOSTit7I5aRh0/0J6Vjwfw2GorQMxyX/bBIzBQuyDX6k01gU8y4X0BfzhKMRI0CPBNjbGifSboAV1hEGXZiKFYLQWC5AD6JUhzu9dNyxOH8KcIogQiC/Rglwu25Y5NID5LR3IVhaX1nlLPe6BtfbiSF7Iid1z87f9Ff458TnZHNQBKR3Ak0u/iItmau56b0uDPmDVPDX25zMZ+F2gDZZzeiD8ePVOxY0lznn5ekmv9 albertschulz@Albert-Schulzs-MacBook-Pro.local
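Review bot: Every key in this file becomes a passwordless-root credential on every container once roles/container/tasks/main.yml installs it for admin and the new sudoers grants `admin ALL=(ALL) NOPASSWD: ALL`, yet the file records nothing beyond the key's trailing comment about who owns it or why it is here. Several keys carry only a machine name (`s4039299@e04003`, `Albert@ipad albert`), which makes later revocation guesswork. A `# owner, purpose, date added` comment line above each key, and a note that removing access means deleting the key here and re-running the role on all containers, would make the file auditable.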

8
roles/container/files/bashrc

@ -9,9 +9,12 @@ export TTY=$(tty)
export GPG_TTY=$TTY
# shell opts: see bash(1)
shopt -s cdspell dirspell extglob histverify no_empty_cmd_completion checkwinsize
shopt -s autocd cdspell dirspell extglob no_empty_cmd_completion
shopt -s checkwinsize checkhash
shopt -s histverify histappend histreedit cmdhist
set -o notify # notify of completed background jobs immediately
set -o noclobber # don\'t overwrite files by accident
ulimit -S -c 0 # disable core dumps
stty -ctlecho # turn off control character echoing
@ -82,10 +85,11 @@ mkcd() {
[[ -d $1 ]] && builtin cd "$1"
}
function ff() { find . -type f -iname '*'"$*"'*' -ls ; }
alias ..='cd ..'
alias ...='cd ../..'
alias ....='cd ../../..'
alias ff='/usr/bin/find . -iname "*$@*"'
alias gensums='[[ -f PKGBUILD ]] && makepkg -g >> PKGBUILD'
alias info='info --vi-keys'
alias j='jobs'

1
roles/container/files/mirrorlist

@ -0,0 +1 @@
/etc/pacman.d/mirrorlist
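Review bot: Nothing on this page copies this file, and its single line is a path rather than mirror entries, so it looks like a leftover: the only task named "Write mirrorlist" (in roles/container/tasks/main.yml) actually copies `sudoers` to /etc/sudoers. If a real mirrorlist deployment was intended, this file should hold the mirror list itself and the task should reference `src=mirrorlist`; otherwise the file should be dropped from the commit.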

1
roles/container/files/ptmx.conf

@ -0,0 +1 @@
L /dev/ptmx - - - - /dev/pts/ptmx

12
roles/container/files/sshd_config

@ -0,0 +1,12 @@
Port 22
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
PrintMotd no
UsePrivilegeSeparation sandbox
Subsystem sftp /usr/lib/ssh/sftp-server
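Review bot: `PermitRootLogin` is not set, so sshd falls back to its compiled-in default, which on OpenSSH releases contemporary with this commit was `yes`. Root is not reachable today because password authentication is off and this commit only deploys keys under /home/admin, but that depends on nobody ever placing a key in /root/.ssh; adding `PermitRootLogin no` (admin plus sudo is the intended path) pins the current behaviour. `AuthorizedKeysFile .ssh/authorized_keys` merely restates the default and can be dropped or commented as such.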

92
roles/container/files/sudoers

@ -0,0 +1,92 @@
## sudoers file.
##
## This file MUST be edited with the 'visudo' command as root.
## Failure to use 'visudo' may result in syntax or file permission errors
## that prevent sudo from running.
##
## See the sudoers man page for the details on how to write a sudoers file.
##
##
## Host alias specification
##
## Groups of machines. These may include host names (optionally with wildcards),
## IP addresses, network numbers or netgroups.
# Host_Alias WEBSERVERS = www1, www2, www3
##
## User alias specification
##
## Groups of users. These may consist of user names, uids, Unix groups,
## or netgroups.
# User_Alias ADMINS = millert, dowdy, mikef
##
## Cmnd alias specification
##
## Groups of commands. Often used to group related commands together.
# Cmnd_Alias PROCESSES = /usr/bin/nice, /bin/kill, /usr/bin/renice, \
# /usr/bin/pkill, /usr/bin/top
# Cmnd_Alias REBOOT = /sbin/halt, /sbin/reboot, /sbin/poweroff
##
## Defaults specification
##
## You may wish to keep some of the following environment variables
## when running commands via sudo.
##
## Locale settings
Defaults env_keep += "LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET"
##
## Run X applications through sudo; HOME is used to find the
## .Xauthority file. Note that other programs use HOME to find
## configuration files and this may lead to privilege escalation!
#Defaults env_keep += "HOME"
##
## X11 resource path settings
# Defaults env_keep += "XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH"
##
## Desktop path settings
# Defaults env_keep += "QTDIR KDEDIR"
##
## Allow sudo-run commands to inherit the callers' ConsoleKit session
# Defaults env_keep += "XDG_SESSION_COOKIE"
##
## Uncomment to enable special input methods. Care should be taken as
## this may allow users to subvert the command being run via sudo.
# Defaults env_keep += "XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER"
##
## Uncomment to enable logging of a command's output, except for
## sudoreplay and reboot. Use sudoreplay to play back logged sessions.
# Defaults log_output
# Defaults!/usr/bin/sudoreplay !log_output
# Defaults!/usr/local/bin/sudoreplay !log_output
# Defaults!REBOOT !log_output
##
## Runas alias specification
##
##
## User privilege specification
##
root ALL=(ALL) ALL
## Uncomment to allow members of group wheel to execute any command
%wheel ALL=(ALL) ALL
admin ALL=(ALL) NOPASSWD: ALL
## Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL
## Uncomment to allow members of group sudo to execute any command
# %sudo ALL=(ALL) ALL
## Uncomment to allow any user to run sudo if they know the password
## of the user they are running the command as (root by default).
# Defaults targetpw # Ask for the password of the target user
# ALL ALL=(ALL) ALL # WARNING: only use this together with 'Defaults targetpw'
## Read drop-in files from /etc/sudoers.d
## (the '#' here does not indicate a comment)
#includedir /etc/sudoers.d
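Review bot: The `admin ALL=(ALL) NOPASSWD: ALL` line is the one non-stock entry in this otherwise templated file and it has no comment explaining the choice; since main.yml also adds admin to wheel, this later line overrides `%wheel ALL=(ALL) ALL` for admin (sudo takes the last matching entry), so the password-requiring wheel rule applies only to other wheel members. As far as this page shows the admin user is created without a password and reached only via SSH keys, which is presumably why NOPASSWD is needed; a comment such as `## admin: key-only login, no password set by the container role, hence NOPASSWD` above the line would make that explicit. The file is also installed with `mode=0644` in main.yml, which sudo rejects unless built with a different sudoers mode; see the note on that hunk.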

24
roles/container/tasks/main.yml

@ -16,13 +16,27 @@
- name: delete .zshrc
file: path=/root/.zshrs state=absent
- name: Allow wheel group to use sudo
lineinfile: "dest=/etc/sudoers state=present regexp='^%wheel' line='%wheel ALL=(ALL) NOPASSWD: ALL'"
- name: Write mirrorlist
copy: src=sudoers dest=/etc/sudoers mode=0644
- user: name=admin shell=/bin/bash groups=wheel append=yes
- name: Create ~admin/.ssh
file: path=/home/admin/.ssh state=directory
- name: SSH Keys
copy: src=authorized_keys dest=/home/admin/.ssh/authorized_keys
- name: deploy dotfiles
copy: src={{ item }} dest=/root/.{{ item }}
with_items:
- bashrc
- dircolors
- vimrc
copy: src="{{ item[0] }}" dest="{{ item[1].dest }}/.{{ item[0] }}" owner="{{ item[1].owner }}" group="{{ item[1].group }}"
with_nested:
- ['bashrc', 'dircolors', 'vimrc']
-
- {dest: "/home/admin", owner: "admin", group: "admin"}
- {dest: "/root", owner: "root", group: "root"}
- mount: name=/run/systemd/journal/ src=/mnt/journal fstype=none opts=bind,ro state=present
- name: backup directory
file: path=/root/.vim.backupdir state=directory
- include: ssh.yml
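Review bot: The sudoers copy uses `mode=0644`, and a stock sudo refuses to run when /etc/sudoers is not mode 0440 (it reports "should be 0440" and exits), so the admin account this commit sets up would have no working sudo at all; the task is also mislabelled "Write mirrorlist" and has no syntax check, so a bad edit would lock everyone out of root. The admin `.ssh` directory and authorized_keys are created without owner/mode, which via lxc-attach leaves them root-owned with umask defaults: sshd's StrictModes accepts root ownership, but the admin user cannot manage its own keys. Suggested lines: `copy: src=sudoers dest=/etc/sudoers owner=root group=root mode=0440 validate='visudo -cf %s'`, `file: path=/home/admin/.ssh state=directory owner=admin group=admin mode=0700`, `copy: src=authorized_keys dest=/home/admin/.ssh/authorized_keys owner=admin group=admin mode=0600`.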

10
roles/container/tasks/ssh.yml

@ -0,0 +1,10 @@
- name: install openssh
pacman: name=openssh state=present
- name: Write sshd_config
copy: src=sshd_config dest=/etc/ssh/sshd_config mode=0644
- name: symlink /dev/pts/ptmx to /dev/ptmx for sshd pty
file: src=/dev/pts/ptmx dest=/dev/ptmx state=link
- name: tmpfiles.d/ptmx.conf
copy: src=ptmx.conf dest=/etc/tmpfiles.d/ptmx.conf mode=0644
- name: start sshd.socket
service: name=sshd.socket state=started enabled=yes
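Review bot: The sshd_config copy has no `validate`, so a syntax error in the config would only surface at the first connection attempt; with `sshd.socket` each connection spawns a fresh sshd that re-reads the file, which is why no restart handler is needed here but also why nothing checks the file at deploy time. `copy: src=sshd_config dest=/etc/ssh/sshd_config mode=0644 validate='sshd -t -f %s'` would catch it during the play, with the caveat that `sshd -t` also requires host keys to exist, so the validate only works once they have been generated (on this setup presumably at first socket activation; confirm). The ptmx symlink is created both directly and via tmpfiles.d, which is fine but worth a one-line comment on the tmpfiles task saying it exists to recreate the link on reboot.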