From 32ba74a0ad3eb2d28e75c9455df07567b8ad31c7 Mon Sep 17 00:00:00 2001 From: eadasiak Date: Wed, 27 Apr 2016 11:12:24 -0700 Subject: [PATCH 01/16] Initial check-in of klam-ssh support --- v3/profile.d/klam.sh | 2 + v3/util/setup-klam-ssh.sh | 219 ++++++++++++++++++++++++++++++++++++++ 2 files changed, 221 insertions(+) create mode 100644 v3/profile.d/klam.sh create mode 100644 v3/util/setup-klam-ssh.sh diff --git a/v3/profile.d/klam.sh b/v3/profile.d/klam.sh new file mode 100644 index 0000000..a6ca909 --- /dev/null +++ b/v3/profile.d/klam.sh @@ -0,0 +1,2 @@ +KLAM_USER=$(who -m | awk '{print $1}') +PROMPT_COMMAND='RETRN_VAL=$?;logger -p local6.debug "$KLAM_USER [$$]: $(history 1 | sed "s/^[ ]*[0-9]\+[ ]*//") [$RETRN_VAL]"' diff --git a/v3/util/setup-klam-ssh.sh b/v3/util/setup-klam-ssh.sh new file mode 100644 index 0000000..1637050 --- /dev/null +++ b/v3/util/setup-klam-ssh.sh 
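Review bot: The command trail this `PROMPT_COMMAND` produces is advisory only: it runs solely in interactive bash sessions, so `ssh host cmd`, scp/sftp and any non-bash shell leave nothing in local6, and a logged-in user can simply unset `PROMPT_COMMAND` to silence it. `KLAM_USER=$(who -m | awk '{print $1}')` is also empty when the session has no controlling tty, which is exactly the non-interactive case. Treat it as a convenience log and rely on sshd's authentication logging for attribution; a comment such as `# best-effort interactive command log, not an audit control` above the first line would keep the next reader from over-trusting it.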
@@ -0,0 +1,219 @@ +#!/bin/bash +source /etc/environment +AZ=$(curl -s http://169.254.169.254/latest/meta-data/placement/availability-zone) +REGION=${AZ::-1} + +# Variable assignment based on REGION and service specific environments +case $NODE_TIER in + "stage") + ROLE_NAME="$(etcdctl get /environment/KLAM_SSH_ROLE_NAME)" + ENCRYPTION_KEY_ID="" + ENCRYPTION_SECRET="" + if [[ $REGION == "eu-west-1" ]]; then + KLAM_SSH_KEY_LOCATION="adobe-cloudops-ssh-users-ew1" + elif [[ $REGION == "ap-northeast-1" ]]; then + KLAM_SSH_KEY_LOCATION="adobe-cloudops-ssh-users-an1" + elif [[ $REGION == "us-east-1" ]]; then + KLAM_SSH_KEY_LOCATION="adobe-cloudops-ssh-users-ue1" + elif [[ $REGION == "us-west-1" ]]; then + KLAM_SSH_KEY_LOCATION="adobe-cloudops-ssh-users-uw1" + elif [[ $REGION == "us-west-2" ]]; then + KLAM_SSH_KEY_LOCATION="adobe-cloudops-ssh-users-uw2" + else + echo "An incorrect region value specified" + fi + ;; + "production") + ROLE_NAME="$(etcdctl get /environment/KLAM_SSH_ROLE_NAME)" + ENCRYPTION_KEY_ID="" + ENCRYPTION_SECRET="" + if [[ $REGION == "eu-west-1" ]]; then + KLAM_SSH_KEY_LOCATION="adobe-cloudops-ssh-users-ew1" + elif [[ $REGION == "ap-northeast-1" ]]; then + KLAM_SSH_KEY_LOCATION="adobe-cloudops-ssh-users-an1" + elif [[ $REGION == "us-east-1" ]]; then + KLAM_SSH_KEY_LOCATION="adobe-cloudops-ssh-users-ue1" + elif [[ $REGION == "us-west-1" ]]; then + KLAM_SSH_KEY_LOCATION="adobe-cloudops-ssh-users-uw1" + elif [[ $REGION == "us-west-2" ]]; then + KLAM_SSH_KEY_LOCATION="adobe-cloudops-ssh-users-uw2" + else + echo "An incorrect region value specified" + fi + ;; + "dev") + ROLE_NAME="$(etcdctl get /environment/KLAM_SSH_ROLE_NAME)" + ENCRYPTION_KEY_ID="" + ENCRYPTION_SECRET="" + if [[ $REGION == "eu-west-1" ]]; then + KLAM_SSH_KEY_LOCATION="adobe-cloudops-ssh-users-ew1" + elif [[ $REGION == "ap-northeast-1" ]]; then + KLAM_SSH_KEY_LOCATION="adobe-cloudops-ssh-users-an1" + elif [[ $REGION == "us-east-1" ]]; then + 
KLAM_SSH_KEY_LOCATION="adobe-cloudops-ssh-users-ue1" + elif [[ $REGION == "us-west-1" ]]; then + KLAM_SSH_KEY_LOCATION="adobe-cloudops-ssh-users-uw1" + elif [[ $REGION == "us-west-2" ]]; then + KLAM_SSH_KEY_LOCATION="adobe-cloudops-ssh-users-uw2" + else + echo "An incorrect region value specified" + fi + ;; + "sandbox") + ROLE_NAME="$(etcdctl get /environment/KLAM_SSH_ROLE_NAME)" + ENCRYPTION_KEY_ID="touKXAyAsM9udkGq" + ENCRYPTION_SECRET="YhbJDp3Joqlh0oVJi8avwZbF9c7a6VT0" + if [[ $REGION == "eu-west-1" ]]; then + KLAM_SSH_KEY_LOCATION="adobe-cloudops-ssh-users-ew1" + elif [[ $REGION == "ap-northeast-1" ]]; then + KLAM_SSH_KEY_LOCATION="adobe-cloudops-ssh-users-an1" + elif [[ $REGION == "us-east-1" ]]; then + KLAM_SSH_KEY_LOCATION="adobe-cloudops-ssh-users-ue1" + elif [[ $REGION == "us-west-1" ]]; then + KLAM_SSH_KEY_LOCATION="adobe-cloudops-ssh-users-uw1" + elif [[ $REGION == "us-west-2" ]]; then + KLAM_SSH_KEY_LOCATION="adobe-cloudops-ssh-users-uw2" + else + echo "An incorrect region value specified" + fi + ;; + "private") + ROLE_NAME="klam-user-ssh-cloudops-laserunicorn-all-sts" + ENCRYPTION_KEY_ID="ie5k1w03wWzF8b123H" + ENCRYPTION_SECRET="WRaCMt13I2D123SnjG4G" + if [[ $REGION == "eu-west-1" ]]; then + KLAM_SSH_KEY_LOCATION="adobe-cloudops-ssh-users-ew1" + elif [[ $REGION == "ap-northeast-1" ]]; then + KLAM_SSH_KEY_LOCATION="adobe-cloudops-ssh-users-an1" + elif [[ $REGION == "us-east-1" ]]; then + KLAM_SSH_KEY_LOCATION="adobe-cloudops-ssh-users-ue1" + elif [[ $REGION == "us-west-1" ]]; then + KLAM_SSH_KEY_LOCATION="adobe-cloudops-ssh-users-uw1" + elif [[ $REGION == "us-west-2" ]]; then + KLAM_SSH_KEY_LOCATION="adobe-cloudops-ssh-users-uw2" + else + echo "An incorrect region value specified" + fi + ;; + *) + echo $"Usage: Both ENV and REGION values must be specified" + exit 1 +esac + +# create nsswitch.conf +echo "passwd: files usrfiles ato" > /home/core/nsswitch.conf +echo "shadow: files usrfiles ato" >> /home/core/nsswitch.conf +echo "group: files usrfiles ato" 
>> /home/core/nsswitch.conf +echo -e "\n" >> /home/core/nsswitch.conf +echo "hosts: files usrfiles dns" >> /home/core/nsswitch.conf +echo "networks: files usrfiles dns" >> /home/core/nsswitch.conf +echo -e "\n" >> /home/core/nsswitch.conf +echo "services: files usrfiles" >> /home/core/nsswitch.conf +echo "protocols: files usrfiles" >> /home/core/nsswitch.conf +echo "rpc: files usrfiles" >> /home/core/nsswitch.conf +echo -e "\n" >> /home/core/nsswitch.conf +echo "ethers: files" >> /home/core/nsswitch.conf +echo "netmasks: files" >> /home/core/nsswitch.conf +echo "netgroup: nisplus" >> /home/core/nsswitch.conf +echo "bootparams: files" >> /home/core/nsswitch.conf +echo "automount: files nisplus" >> /home/core/nsswitch.conf +echo "aliases: files nisplus" >> /home/core/nsswitch.conf + +# create klam-ssh.conf +echo "{" > /home/core/klam-ssh.conf +echo " \"key_location\": \"$KLAM_SSH_KEY_LOCATION\"," >> /home/core/klam-ssh.conf +echo " \"role_name\": \"$ROLE_NAME\"," >> /home/core/klam-ssh.conf +echo " \"encryption_id\": \"$ENCRYPTION_KEY_ID\"," >> /home/core/klam-ssh.conf +echo " \"encryption_key\": \"$ENCRYPTION_SECRET\"," >> /home/core/klam-ssh.conf +echo " \"resource_location\": \"amazon\"," >> /home/core/klam-ssh.conf +echo " \"time_skew\": \"permissive\"," >> /home/core/klam-ssh.conf +echo " \"s3_region\": \"$REGION\"" >> /home/core/klam-ssh.conf +echo "}" >> /home/core/klam-ssh.conf + +# Use sudo to become root +sudo su - < /etc/ld.so.conf.d/klam.conf +ldconfig +ldconfig -p | grep klam + +# Validate that the files exist in the correct folder +ls -l /opt/klam/lib64/libnss_ato.so* + +# Delete the /tmp/klam-installer +cd / && rm -rf /tmp/klam-installer + +# Check the contents of /usr/lib/klam and it should look similar to the following +ls -l /opt/klam/lib/ + +# Create the klamfed home directory +useradd -p "*" -U -G sudo -u 5000 -m klamfed -s /bin/bash +mkdir -p /home/klamfed +usermod -p "*" klamfed +usermod -U klamfed +update-ssh-keys -u klamfed + +# Add klamfed to 
wheel +usermod -a -G wheel klamfed + +# Validate that the klamfed user has the correct uid value (5000) and home directory +id klamfed +ls -ld /home/klamfed + +# Re-link nsswitch.conf +mv -f /home/core/nsswitch.conf /etc/nsswitch.conf +cat /etc/nsswitch.conf + +# generate the ATO config +grep klamfed /etc/passwd > /opt/klam/lib/klam-ato.conf + +# Validate that the contents of /opt/klam/lib/klam-ato.conf +cat /opt/klam/lib/klam-ato.conf + +# Move klam-ssh.conf +mv -f /home/core/klam-ssh.conf /opt/klam/lib/klam-ssh.conf +cat /opt/klam/lib/klam-ssh.conf + +# update /etc/ssh/sshd_config +cp /etc/ssh/sshd_config sshd_config +echo 'AuthorizedKeysCommand /opt/klam/lib/authorizedkeys-command.sh %u' >> sshd_config +echo 'AuthorizedKeysCommandUser root' >> sshd_config +mv -f sshd_config /etc/ssh/sshd_config +cat /etc/ssh/sshd_config +echo "" + +# Set up AuthorizedKeysCommand +echo '#!/bin/bash' >> /opt/klam/lib/authorizedkeys-command.sh +echo 'docker run --rm -e KLAM_SSH_ROLE_NAME=ethos-sandbox-all-sts -e KLAM_SSH_ENCRYPTION_ID=touKXAyAsM9udkGq -e KLAM_SSH_ENCRYPTION_KEY=YhbJDp3Joqlh0oVJi8avwZbF9c7a6VT0 eadasiak/klam-ssh:0.4 /usr/lib/klam/getKeys.py $1' >> /opt/klam/lib/authorizedkeys-command.sh +echo 'exit 0' >> /opt/klam/lib/authorizedkeys-command.sh +chmod 755 /opt/klam/lib/authorizedkeys-command.sh + +# Set up downloadS3 command +echo '#!/bin/bash' >> /opt/klam/lib/downloadS3.sh +echo 'docker run --rm -e KLAM_SSH_ROLE_NAME=ethos-sandbox-all-sts -e KLAM_SSH_ENCRYPTION_ID=touKXAyAsM9udkGq -e KLAM_SSH_ENCRYPTION_KEY=YhbJDp3Joqlh0oVJi8avwZbF9c7a6VT0 eadasiak/klam-ssh:0.4 /usr/lib/klam/downloadS3.py' >> /opt/klam/lib/downloadS3.sh +echo 'exit 0' >> /opt/klam/lib/downloadS3.sh +chmod 755 /opt/klam/lib/downloadS3.sh + +# Restart SSHD +systemctl restart sshd.service +RUN_AS_ROOT + +echo "KLAM SSH BOOTSTRAP COMPLETE" From 957e3fb4bc0e0f285bf2c2af86e2237aa3ee9a43 Mon Sep 17 00:00:00 2001 
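Review bot: The `sandbox` and `private` arms commit credential pairs (`ENCRYPTION_KEY_ID`/`ENCRYPTION_SECRET`) to the repository, and the generated `/opt/klam/lib/authorizedkeys-command.sh` and `downloadS3.sh` embed the sandbox pair again in `chmod 755` scripts and as `-e` arguments, so any local user can read them from the file and from the process listing while the docker client runs. Those values should be treated as exposed and rotated, and the generated scripts should fetch them at runtime the way `ROLE_NAME` is already fetched from etcd, or read them from a root-only `--env-file`. Separately, every region `else` branch only echoes and continues, so when the metadata `curl` fails (no `-f`, no `--max-time`) `AZ` is empty and a klam-ssh.conf with an empty `key_location` is still written; add `exit 1` after each `echo "An incorrect region value specified"`. As rendered here the hunk is also truncated between `sudo su - <` and `/etc/ld.so.conf.d/klam.conf` (presumably the `RUN_AS_ROOT` heredoc body), so the single-quoted `$1` in the generated authorizedkeys-command line is worth checking: inside an unquoted heredoc the outer script expands it before the file is written.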
From: eadasiak Date: Fri, 29 Apr 2016 16:28:47 -0700 Subject: [PATCH 02/16] klam-ssh additions --- v3/setup/images.sh | 4 + v3/setup/klam-ssh.sh | 137 +++++++++++++++++++ v3/util/authorizedkeys_command.sh | 12 ++ v3/util/downloadS3.sh | 10 ++ v3/util/setup-klam-ssh.sh | 219 ------------------------------ 5 files changed, 163 insertions(+), 219 deletions(-) create mode 100644 v3/setup/klam-ssh.sh create mode 100644 v3/util/authorizedkeys_command.sh create mode 100644 v3/util/downloadS3.sh delete mode 100644 v3/util/setup-klam-ssh.sh diff --git a/v3/setup/images.sh b/v3/setup/images.sh index 285dc0c..ea7e0a2 100755 --- a/v3/setup/images.sh +++ b/v3/setup/images.sh @@ -11,3 +11,7 @@ docker pull behance/docker-gocron-logrotate docker pull behance/docker-sumologic:latest docker pull behance/docker-sumologic:syslog-latest docker pull behance/docker-dd-agent + +# Adding klam-ssh image, which needs to be pulled globally +etcdctl set /images/klam-ssh "adobecloudops/klam-ssh:latest" +docker pull adobecloudops/klam-ssh:latest diff --git a/v3/setup/klam-ssh.sh b/v3/setup/klam-ssh.sh new file mode 100644 index 0000000..cd0e167 --- /dev/null +++ b/v3/setup/klam-ssh.sh 
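Review bot: `docker pull adobecloudops/klam-ssh:latest` and the matching `etcdctl set` pin the component that sshd will execute as root on every login to a mutable `latest` tag, so whatever the registry serves at boot time becomes the authentication path with no review step. Pin a specific version tag or an `@sha256:` digest and bump it deliberately; the same floating tag reappears in the `etcdctl set /images/klam-ssh` line added by patch 07 ("setting default klam-ssh image value").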
@@ -0,0 +1,137 @@ +#!/bin/bash + +AZ=$(curl -s http://169.254.169.254/latest/meta-data/placement/availability-zone) +REGION=${AZ::-1} +ROLE_NAME="$(etcdctl get /klam-ssh/ROLE_NAME)" +ENCRYPTION_ID="$(etcdctl get /klam-ssh/ENCRYPTION_ID)" +ENCRYPTION_KEY="$(etcdctl get /klam-ssh/ENCRYPTION_KEY)" +KEY_LOCATION_PREFIX="$(etcdctl get /klam-ssh/KEY_LOCATION_PREFIX)" +IMAGE="$(etcdctl get /images/klam-ssh)" + + +if [[ $REGION == "eu-west-1" ]]; then + KEY_LOCATION="-ew1" +elif [[ $REGION == "ap-northeast-1" ]]; then + KEY_LOCATION="-an1" +elif [[ $REGION == "us-east-1" ]]; then + KEY_LOCATION="-ue1" +elif [[ $REGION == "us-west-1" ]]; then + KEY_LOCATION="-uw1" +elif [[ $REGION == "us-west-2" ]]; then + KEY_LOCATION="-uw2" +else + echo "An incorrect region value specified" + exit 1 +fi + +# create nsswitch.conf +echo "passwd: files usrfiles ato" > /home/core/nsswitch.conf +echo "shadow: files usrfiles ato" >> /home/core/nsswitch.conf +echo "group: files usrfiles ato" >> /home/core/nsswitch.conf +echo -e "\n" >> /home/core/nsswitch.conf +echo "hosts: files usrfiles dns" >> /home/core/nsswitch.conf +echo "networks: files usrfiles dns" >> /home/core/nsswitch.conf +echo -e "\n" >> /home/core/nsswitch.conf +echo "services: files usrfiles" >> /home/core/nsswitch.conf +echo "protocols: files usrfiles" >> /home/core/nsswitch.conf +echo "rpc: files usrfiles" >> /home/core/nsswitch.conf +echo -e "\n" >> /home/core/nsswitch.conf +echo "ethers: files" >> /home/core/nsswitch.conf +echo "netmasks: files" >> /home/core/nsswitch.conf +echo "netgroup: nisplus" >> /home/core/nsswitch.conf +echo "bootparams: files" >> /home/core/nsswitch.conf +echo "automount: files nisplus" >> /home/core/nsswitch.conf +echo "aliases: files nisplus" >> /home/core/nsswitch.conf + +# create klam-ssh.conf +echo "{" > /home/core/klam-ssh.conf +echo " \"key_location\": \"${KEY_LOCATION_PREFIX}${KEY_LOCATION}\"," >> /home/core/klam-ssh.conf +echo " \"role_name\": \"${ROLE_NAME}\"," >> /home/core/klam-ssh.conf 
+echo " \"encryption_id\": \"${ENCRYPTION_ID}\"," >> /home/core/klam-ssh.conf +echo " \"encryption_key\": \"${ENCRYPTION_KEY}\"," >> /home/core/klam-ssh.conf +echo " \"resource_location\": \"amazon\"," >> /home/core/klam-ssh.conf +echo " \"time_skew\": \"permissive\"," >> /home/core/klam-ssh.conf +echo " \"s3_region\": \"${REGION}\"" >> /home/core/klam-ssh.conf +echo "}" >> /home/core/klam-ssh.conf + +# Create directory structure +mkdir -p /opt/klam/lib /opt/klam/lib64 /etc/ld.so.conf.d + +# Docker volume mount +docker run --name klam-ssh -v /opt/klam/lib64:/data ${IMAGE} + +# Copy libnss_ato library +docker cp klam-ssh:/tmp/klam-build/coreos/libnss_ato.so.2 /opt/klam/lib64 + +# Create symlink +ln -sf /opt/klam/lib64/libnss_ato.so.2 /opt/klam/lib64/libnss_ato.so + +# Docker remove container +docker rm klam-ssh + +# Move the ld.so.conf file to the correct location +echo "/opt/klam/lib64" > /etc/ld.so.conf.d/klam.conf +ldconfig +ldconfig -p | grep klam + +# Validate that the files exist in the correct folder +ls -l /opt/klam/lib64/libnss_ato.so* + +# Create the klamfed home directory +useradd -p "*" -U -G sudo -u 5000 -m klamfed -s /bin/bash +mkdir -p /home/klamfed +usermod -p "*" klamfed +usermod -U klamfed +update-ssh-keys -u klamfed + +# Add klamfed to wheel +usermod -a -G wheel klamfed + +# Add klamfed to sudo +usermod -a -G sudo klamfed + +# Add passwordless sudo to klamfed +echo "klamfed ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers.d/klamfed + +# Validate that the klamfed user has the correct uid value (5000) and home directory +id klamfed +ls -ld /home/klamfed + +# Re-link nsswitch.conf +mv -f /home/core/nsswitch.conf /etc/nsswitch.conf +cat /etc/nsswitch.conf + +# generate the ATO config +grep klamfed /etc/passwd > /opt/klam/lib/klam-ato.conf + +# Validate that the contents of /opt/klam/lib/klam-ato.conf +cat /opt/klam/lib/klam-ato.conf + +# Move klam-ssh.conf +mv -f /home/core/klam-ssh.conf /opt/klam/lib/klam-ssh.conf +cat /opt/klam/lib/klam-ssh.conf + +# update 
/etc/ssh/sshd_config +cp /etc/ssh/sshd_config sshd_config +echo 'AuthorizedKeysCommand /opt/klam/lib/authorizedkeys_command.sh' >> sshd_config +echo 'AuthorizedKeysCommandUser root' >> sshd_config +mv -f sshd_config /etc/ssh/sshd_config +cat /etc/ssh/sshd_config +echo "" + +# Change ownership of authorizedkeys_command +chown root:root /home/core/mesos-systemd/v3/util/authorizedkeys_command.sh + +# Relocate authorizedkeys_command +mv /home/core/mesos-systemd/v3/util/authorizedkeys_command.sh /opt/klam/lib + +# Change ownership of downloadS3 +chown root:root /home/core/mesos-systemd/v3/util/downloadS3.sh + +# Relocate downloadS3.sh +mv /home/core/mesos-systemd/v3/util/downloadS3.sh /opt/klam/lib + +# Restart SSHD +systemctl restart sshd.service + +echo "KLAM SSH BOOTSTRAP COMPLETE" diff --git a/v3/util/authorizedkeys_command.sh b/v3/util/authorizedkeys_command.sh new file mode 100644 index 0000000..7cf2825 --- /dev/null +++ b/v3/util/authorizedkeys_command.sh @@ -0,0 +1,12 @@ +#!/bin/bash + +ENCRYPTION_ID=$(etcdctl get /klam-ssh/ENCRYPTION_ID) +ENCRYPTION_KEY=$(etcdctl get /klam-ssh/ENCRYPTION_KEY) +ROLE_NAME=$(etcdctl get /klam-ssh/ROLE_NAME) +KEY_LOCATION_PREFIX=$(etcdctl get /klam-ssh/KEY_LOCATION_PREFIX) +IMAGE=$(etcdctl get /images/klam-ssh) + +echo "Running authorizedkeys_command for $1" | systemd-cat -p info -t klam-ssh + +docker run --rm -e ROLE_NAME=${ROLE_NAME} -e ENCRYPTION_ID=${ENCRYPTION_ID} -e ENCRYPTION_KEY=${ENCRYPTION_KEY} -e KEY_LOCATION_PREFIX=${KEY_LOCATION_PREFIX} ${IMAGE} /usr/lib/klam/getKeys.py $1 +exit 0 diff --git a/v3/util/downloadS3.sh b/v3/util/downloadS3.sh new file mode 100644 index 0000000..bafb256 --- /dev/null +++ b/v3/util/downloadS3.sh 
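Review bot: `/home/core/klam-ssh.conf` receives `ENCRYPTION_KEY` under the caller's default umask and is then `mv`'d to `/opt/klam/lib/klam-ssh.conf` with no `chmod`, so the key ends up in a file any local user can read; set `umask 077` at the top of the script or write it with `install -m 0600`, and drop the `cat /opt/klam/lib/klam-ssh.conf` that prints the key to the console and journal. The `echo "klamfed ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers.d/klamfed` line appends on every run and never validates the result; use `>` followed by `chmod 0440 /etc/sudoers.d/klamfed` and `visudo -cf /etc/sudoers.d/klamfed`. Because libnss_ato squashes every federated user onto uid 5000 with passwordless root, per-person attribution rests entirely on the sshd/AuthorizedKeysCommand logs, which deserves a comment here so that logging is not trimmed later. Appending `AuthorizedKeysCommand` to sshd_config also means any earlier occurrence of that directive wins (sshd keeps the first value) and a rerun duplicates the lines; check for an existing directive before appending.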
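Review bot: `ENCRYPTION_KEY` is handed to `docker run` as `-e ENCRYPTION_KEY=${ENCRYPTION_KEY}` on the command line, so it is visible in process listings for the lifetime of the client and in `docker inspect` for the container; `downloadS3.sh` in this same patch has the identical pattern. Prefer `--env-file` pointing at a root-only file, and quote `"$1"`, `"${IMAGE}"` and the other expansions so an empty or odd etcd value cannot split into extra arguments. The unconditional `exit 0` also hides a failed etcd lookup or docker error from sshd's log; empty stdout already yields no keys, so passing the real status through costs nothing and makes failures diagnosable.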
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+ENCRYPTION_ID=$(etcdctl get /klam-ssh/ENCRYPTION_ID)
+ENCRYPTION_KEY=$(etcdctl get /klam-ssh/ENCRYPTION_KEY)
+ROLE_NAME=$(etcdctl get /klam-ssh/ROLE_NAME)
+KEY_LOCATION_PREFIX=$(etcdctl get /klam-ssh/KEY_LOCATION_PREFIX)
+IMAGE=$(etcdctl get /images/klam-ssh)
+
+docker run --rm -e ROLE_NAME=${ROLE_NAME} -e ENCRYPTION_ID=${ENCRYPTION_ID} -e ENCRYPTION_KEY=${ENCRYPTION_KEY} -e KEY_LOCATION_PREFIX=${KEY_LOCATION_PREFIX} ${IMAGE} /usr/lib/klam/downloadS3.py
+exit 0
diff --git a/v3/util/setup-klam-ssh.sh b/v3/util/setup-klam-ssh.sh
deleted file mode 100644
index 1637050..0000000
--- a/v3/util/setup-klam-ssh.sh
+++ /dev/null
@@ -1,219 +0,0 @@ -#!/bin/bash -source /etc/environment -AZ=$(curl -s http://169.254.169.254/latest/meta-data/placement/availability-zone) -REGION=${AZ::-1} - -# Variable assignment based on REGION and service specific environments -case $NODE_TIER in - "stage") - ROLE_NAME="$(etcdctl get /environment/KLAM_SSH_ROLE_NAME)" - ENCRYPTION_KEY_ID="" - ENCRYPTION_SECRET="" - if [[ $REGION == "eu-west-1" ]]; then - KLAM_SSH_KEY_LOCATION="adobe-cloudops-ssh-users-ew1" - elif [[ $REGION == "ap-northeast-1" ]]; then - KLAM_SSH_KEY_LOCATION="adobe-cloudops-ssh-users-an1" - elif [[ $REGION == "us-east-1" ]]; then - KLAM_SSH_KEY_LOCATION="adobe-cloudops-ssh-users-ue1" - elif [[ $REGION == "us-west-1" ]]; then - KLAM_SSH_KEY_LOCATION="adobe-cloudops-ssh-users-uw1" - elif [[ $REGION == "us-west-2" ]]; then - KLAM_SSH_KEY_LOCATION="adobe-cloudops-ssh-users-uw2" - else - echo "An incorrect region value specified" - fi - ;; - "production") - ROLE_NAME="$(etcdctl get /environment/KLAM_SSH_ROLE_NAME)" - ENCRYPTION_KEY_ID="" - ENCRYPTION_SECRET="" - if [[ $REGION == "eu-west-1" ]]; then - KLAM_SSH_KEY_LOCATION="adobe-cloudops-ssh-users-ew1" - elif [[ $REGION == "ap-northeast-1" ]]; then - KLAM_SSH_KEY_LOCATION="adobe-cloudops-ssh-users-an1" - elif [[ $REGION == "us-east-1" ]]; then - KLAM_SSH_KEY_LOCATION="adobe-cloudops-ssh-users-ue1" - elif [[ $REGION == "us-west-1" ]]; then - KLAM_SSH_KEY_LOCATION="adobe-cloudops-ssh-users-uw1" - elif [[ $REGION == "us-west-2" ]]; then - KLAM_SSH_KEY_LOCATION="adobe-cloudops-ssh-users-uw2" - else - echo "An incorrect region value specified" - fi - ;; - "dev") - ROLE_NAME="$(etcdctl get /environment/KLAM_SSH_ROLE_NAME)" - ENCRYPTION_KEY_ID="" - ENCRYPTION_SECRET="" - if [[ $REGION == "eu-west-1" ]]; then - KLAM_SSH_KEY_LOCATION="adobe-cloudops-ssh-users-ew1" - elif [[ $REGION == "ap-northeast-1" ]]; then - KLAM_SSH_KEY_LOCATION="adobe-cloudops-ssh-users-an1" - elif [[ $REGION == "us-east-1" ]]; then - 
KLAM_SSH_KEY_LOCATION="adobe-cloudops-ssh-users-ue1" - elif [[ $REGION == "us-west-1" ]]; then - KLAM_SSH_KEY_LOCATION="adobe-cloudops-ssh-users-uw1" - elif [[ $REGION == "us-west-2" ]]; then - KLAM_SSH_KEY_LOCATION="adobe-cloudops-ssh-users-uw2" - else - echo "An incorrect region value specified" - fi - ;; - "sandbox") - ROLE_NAME="$(etcdctl get /environment/KLAM_SSH_ROLE_NAME)" - ENCRYPTION_KEY_ID="touKXAyAsM9udkGq" - ENCRYPTION_SECRET="YhbJDp3Joqlh0oVJi8avwZbF9c7a6VT0" - if [[ $REGION == "eu-west-1" ]]; then - KLAM_SSH_KEY_LOCATION="adobe-cloudops-ssh-users-ew1" - elif [[ $REGION == "ap-northeast-1" ]]; then - KLAM_SSH_KEY_LOCATION="adobe-cloudops-ssh-users-an1" - elif [[ $REGION == "us-east-1" ]]; then - KLAM_SSH_KEY_LOCATION="adobe-cloudops-ssh-users-ue1" - elif [[ $REGION == "us-west-1" ]]; then - KLAM_SSH_KEY_LOCATION="adobe-cloudops-ssh-users-uw1" - elif [[ $REGION == "us-west-2" ]]; then - KLAM_SSH_KEY_LOCATION="adobe-cloudops-ssh-users-uw2" - else - echo "An incorrect region value specified" - fi - ;; - "private") - ROLE_NAME="klam-user-ssh-cloudops-laserunicorn-all-sts" - ENCRYPTION_KEY_ID="ie5k1w03wWzF8b123H" - ENCRYPTION_SECRET="WRaCMt13I2D123SnjG4G" - if [[ $REGION == "eu-west-1" ]]; then - KLAM_SSH_KEY_LOCATION="adobe-cloudops-ssh-users-ew1" - elif [[ $REGION == "ap-northeast-1" ]]; then - KLAM_SSH_KEY_LOCATION="adobe-cloudops-ssh-users-an1" - elif [[ $REGION == "us-east-1" ]]; then - KLAM_SSH_KEY_LOCATION="adobe-cloudops-ssh-users-ue1" - elif [[ $REGION == "us-west-1" ]]; then - KLAM_SSH_KEY_LOCATION="adobe-cloudops-ssh-users-uw1" - elif [[ $REGION == "us-west-2" ]]; then - KLAM_SSH_KEY_LOCATION="adobe-cloudops-ssh-users-uw2" - else - echo "An incorrect region value specified" - fi - ;; - *) - echo $"Usage: Both ENV and REGION values must be specified" - exit 1 -esac - -# create nsswitch.conf -echo "passwd: files usrfiles ato" > /home/core/nsswitch.conf -echo "shadow: files usrfiles ato" >> /home/core/nsswitch.conf -echo "group: files usrfiles ato" 
>> /home/core/nsswitch.conf -echo -e "\n" >> /home/core/nsswitch.conf -echo "hosts: files usrfiles dns" >> /home/core/nsswitch.conf -echo "networks: files usrfiles dns" >> /home/core/nsswitch.conf -echo -e "\n" >> /home/core/nsswitch.conf -echo "services: files usrfiles" >> /home/core/nsswitch.conf -echo "protocols: files usrfiles" >> /home/core/nsswitch.conf -echo "rpc: files usrfiles" >> /home/core/nsswitch.conf -echo -e "\n" >> /home/core/nsswitch.conf -echo "ethers: files" >> /home/core/nsswitch.conf -echo "netmasks: files" >> /home/core/nsswitch.conf -echo "netgroup: nisplus" >> /home/core/nsswitch.conf -echo "bootparams: files" >> /home/core/nsswitch.conf -echo "automount: files nisplus" >> /home/core/nsswitch.conf -echo "aliases: files nisplus" >> /home/core/nsswitch.conf - -# create klam-ssh.conf -echo "{" > /home/core/klam-ssh.conf -echo " \"key_location\": \"$KLAM_SSH_KEY_LOCATION\"," >> /home/core/klam-ssh.conf -echo " \"role_name\": \"$ROLE_NAME\"," >> /home/core/klam-ssh.conf -echo " \"encryption_id\": \"$ENCRYPTION_KEY_ID\"," >> /home/core/klam-ssh.conf -echo " \"encryption_key\": \"$ENCRYPTION_SECRET\"," >> /home/core/klam-ssh.conf -echo " \"resource_location\": \"amazon\"," >> /home/core/klam-ssh.conf -echo " \"time_skew\": \"permissive\"," >> /home/core/klam-ssh.conf -echo " \"s3_region\": \"$REGION\"" >> /home/core/klam-ssh.conf -echo "}" >> /home/core/klam-ssh.conf - -# Use sudo to become root -sudo su - < /etc/ld.so.conf.d/klam.conf -ldconfig -ldconfig -p | grep klam - -# Validate that the files exist in the correct folder -ls -l /opt/klam/lib64/libnss_ato.so* - -# Delete the /tmp/klam-installer -cd / && rm -rf /tmp/klam-installer - -# Check the contents of /usr/lib/klam and it should look similar to the following -ls -l /opt/klam/lib/ - -# Create the klamfed home directory -useradd -p "*" -U -G sudo -u 5000 -m klamfed -s /bin/bash -mkdir -p /home/klamfed -usermod -p "*" klamfed -usermod -U klamfed -update-ssh-keys -u klamfed - -# Add klamfed to 
wheel -usermod -a -G wheel klamfed - -# Validate that the klamfed user has the correct uid value (5000) and home directory -id klamfed -ls -ld /home/klamfed - -# Re-link nsswitch.conf -mv -f /home/core/nsswitch.conf /etc/nsswitch.conf -cat /etc/nsswitch.conf - -# generate the ATO config -grep klamfed /etc/passwd > /opt/klam/lib/klam-ato.conf - -# Validate that the contents of /opt/klam/lib/klam-ato.conf -cat /opt/klam/lib/klam-ato.conf - -# Move klam-ssh.conf -mv -f /home/core/klam-ssh.conf /opt/klam/lib/klam-ssh.conf -cat /opt/klam/lib/klam-ssh.conf - -# update /etc/ssh/sshd_config -cp /etc/ssh/sshd_config sshd_config -echo 'AuthorizedKeysCommand /opt/klam/lib/authorizedkeys-command.sh %u' >> sshd_config -echo 'AuthorizedKeysCommandUser root' >> sshd_config -mv -f sshd_config /etc/ssh/sshd_config -cat /etc/ssh/sshd_config -echo "" - -# Set up AuthorizedKeysCommand -echo '#!/bin/bash' >> /opt/klam/lib/authorizedkeys-command.sh -echo 'docker run --rm -e KLAM_SSH_ROLE_NAME=ethos-sandbox-all-sts -e KLAM_SSH_ENCRYPTION_ID=touKXAyAsM9udkGq -e KLAM_SSH_ENCRYPTION_KEY=YhbJDp3Joqlh0oVJi8avwZbF9c7a6VT0 eadasiak/klam-ssh:0.4 /usr/lib/klam/getKeys.py $1' >> /opt/klam/lib/authorizedkeys-command.sh -echo 'exit 0' >> /opt/klam/lib/authorizedkeys-command.sh -chmod 755 /opt/klam/lib/authorizedkeys-command.sh - -# Set up downloadS3 command -echo '#!/bin/bash' >> /opt/klam/lib/downloadS3.sh -echo 'docker run --rm -e KLAM_SSH_ROLE_NAME=ethos-sandbox-all-sts -e KLAM_SSH_ENCRYPTION_ID=touKXAyAsM9udkGq -e KLAM_SSH_ENCRYPTION_KEY=YhbJDp3Joqlh0oVJi8avwZbF9c7a6VT0 eadasiak/klam-ssh:0.4 /usr/lib/klam/downloadS3.py' >> /opt/klam/lib/downloadS3.sh -echo 'exit 0' >> /opt/klam/lib/downloadS3.sh -chmod 755 /opt/klam/lib/downloadS3.sh - -# Restart SSHD -systemctl restart sshd.service -RUN_AS_ROOT - -echo "KLAM SSH BOOTSTRAP COMPLETE" From 3a1a4b9caaaf24f3f303f8837a978e88719cf0b6 Mon Sep 17 00:00:00 2001 
From: eadasiak Date: Tue, 3 May 2016 15:43:52 -0700 Subject: [PATCH 03/16] Last few refinements --- v3/setup/images.sh | 4 ---- v3/setup/klam-ssh.sh | 2 +- 2 files changed, 1 insertion(+), 5 deletions(-) diff --git a/v3/setup/images.sh b/v3/setup/images.sh index ea7e0a2..285dc0c 100755 --- a/v3/setup/images.sh +++ b/v3/setup/images.sh @@ -11,7 +11,3 @@ docker pull behance/docker-gocron-logrotate docker pull behance/docker-sumologic:latest docker pull behance/docker-sumologic:syslog-latest docker pull behance/docker-dd-agent - -# Adding klam-ssh image, which needs to be pulled globally -etcdctl set /images/klam-ssh "adobecloudops/klam-ssh:latest" -docker pull adobecloudops/klam-ssh:latest diff --git a/v3/setup/klam-ssh.sh b/v3/setup/klam-ssh.sh index cd0e167..d5e7f9b 100644 --- a/v3/setup/klam-ssh.sh +++ b/v3/setup/klam-ssh.sh @@ -58,7 +58,7 @@ echo "}" >> /home/core/klam-ssh.conf mkdir -p /opt/klam/lib /opt/klam/lib64 /etc/ld.so.conf.d # Docker volume mount -docker run --name klam-ssh -v /opt/klam/lib64:/data ${IMAGE} +docker create --name klam-ssh ${IMAGE} # Copy libnss_ato library docker cp klam-ssh:/tmp/klam-build/coreos/libnss_ato.so.2 /opt/klam/lib64 From a457ce55bf56c3c1aa6933911306b831ee91895d Mon Sep 17 00:00:00 2001 From: eadasiak Date: Tue, 3 May 2016 15:45:45 -0700 Subject: [PATCH 04/16] make scripts executable --- v3/setup/klam-ssh.sh | 0 v3/util/authorizedkeys_command.sh | 0 v3/util/downloadS3.sh | 0 3 files changed, 0 insertions(+), 0 deletions(-) mode change 100644 => 100755 v3/setup/klam-ssh.sh mode change 100644 => 100755 v3/util/authorizedkeys_command.sh mode change 100644 => 100755 v3/util/downloadS3.sh diff --git a/v3/setup/klam-ssh.sh b/v3/setup/klam-ssh.sh old mode 100644 new mode 100755 diff --git a/v3/util/authorizedkeys_command.sh b/v3/util/authorizedkeys_command.sh old mode 100644 new mode 100755 diff --git a/v3/util/downloadS3.sh b/v3/util/downloadS3.sh old mode 100644 new mode 100755 
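Review bot: `docker create --name klam-ssh ${IMAGE}` fails with a name conflict if a previous run died between this line and the later `docker rm klam-ssh`, so one interrupted bootstrap blocks every subsequent one. Remove any stale container first, e.g. `docker rm -f klam-ssh 2>/dev/null || true`, and quote `"${IMAGE}"` so an unset etcd key produces a clear error rather than a malformed command.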
From 3b26a28d054c3fb7828602d19fa557e0f085dd5f Mon Sep 17 00:00:00 2001 From: eadasiak Date: Wed, 4 May 2016 14:13:11 -0700 Subject: [PATCH 05/16] update from master; fixes from comments in PR --- v3/setup/klam-ssh.sh | 98 ++++++++++++++++--------------- v3/util/authorizedkeys_command.sh | 10 ++-- v3/util/downloadS3.sh | 10 ++-- 3 files changed, 62 insertions(+), 56 deletions(-) diff --git a/v3/setup/klam-ssh.sh b/v3/setup/klam-ssh.sh index d5e7f9b..e157af0 100755 --- a/v3/setup/klam-ssh.sh +++ b/v3/setup/klam-ssh.sh 
@@ -1,58 +1,65 @@ -#!/bin/bash +#!/bin/bash -xe AZ=$(curl -s http://169.254.169.254/latest/meta-data/placement/availability-zone) REGION=${AZ::-1} -ROLE_NAME="$(etcdctl get /klam-ssh/ROLE_NAME)" -ENCRYPTION_ID="$(etcdctl get /klam-ssh/ENCRYPTION_ID)" -ENCRYPTION_KEY="$(etcdctl get /klam-ssh/ENCRYPTION_KEY)" -KEY_LOCATION_PREFIX="$(etcdctl get /klam-ssh/KEY_LOCATION_PREFIX)" +ROLE_NAME="$(etcdctl get /klam-ssh/config/role-name)" +ENCRYPTION_ID="$(etcdctl get /klam-ssh/config/encryption-id)" +ENCRYPTION_KEY="$(etcdctl get /klam-ssh/config/encryption-key)" +KEY_LOCATION_PREFIX="$(etcdctl get /klam-ssh/config/key-location-prefix)" IMAGE="$(etcdctl get /images/klam-ssh)" - - -if [[ $REGION == "eu-west-1" ]]; then - KEY_LOCATION="-ew1" -elif [[ $REGION == "ap-northeast-1" ]]; then - KEY_LOCATION="-an1" -elif [[ $REGION == "us-east-1" ]]; then - KEY_LOCATION="-ue1" -elif [[ $REGION == "us-west-1" ]]; then - KEY_LOCATION="-uw1" -elif [[ $REGION == "us-west-2" ]]; then - KEY_LOCATION="-uw2" -else +: ${IMAGE:="adobecloudops/klam-ssh:latest"} + + +case $REGION in + "eu-west-1") + KEY_LOCATION="-ew1" ;; + "ap-northeast-1") + KEY_LOCATION="-an1" ;; + "us-east-1") + KEY_LOCATION="-ue1" ;; + "us-west-1") + KEY_LOCATION="-uw1" ;; + "us-west-2") + KEY_LOCATION="-uw2" ;; + *) echo "An incorrect region value specified" exit 1 -fi + ;; +esac # create nsswitch.conf -echo "passwd: files usrfiles ato" > /home/core/nsswitch.conf -echo "shadow: files usrfiles ato" >> /home/core/nsswitch.conf -echo "group: files usrfiles ato" >> /home/core/nsswitch.conf -echo -e "\n" >> /home/core/nsswitch.conf -echo "hosts: files usrfiles dns" >> /home/core/nsswitch.conf -echo "networks: files usrfiles dns" >> /home/core/nsswitch.conf -echo -e "\n" >> /home/core/nsswitch.conf -echo "services: files usrfiles" >> /home/core/nsswitch.conf -echo "protocols: files usrfiles" >> /home/core/nsswitch.conf -echo "rpc: files usrfiles" >> /home/core/nsswitch.conf -echo -e "\n" >> /home/core/nsswitch.conf -echo 
"ethers: files" >> /home/core/nsswitch.conf -echo "netmasks: files" >> /home/core/nsswitch.conf -echo "netgroup: nisplus" >> /home/core/nsswitch.conf -echo "bootparams: files" >> /home/core/nsswitch.conf -echo "automount: files nisplus" >> /home/core/nsswitch.conf -echo "aliases: files nisplus" >> /home/core/nsswitch.conf +cat << EOT >> /home/core/nsswitch.conf +passwd: files usrfiles ato +shadow: files usrfiles ato +group: files usrfiles ato + +hosts: files usrfiles dns +networks: files usrfiles dns + +services: files usrfiles +protocols: files usrfiles +rpc: files usrfiles + +ethers: files +netmasks: files +netgroup: nisplus +bootparams: files +automount: files nisplus +aliases: files nisplus +EOT # create klam-ssh.conf -echo "{" > /home/core/klam-ssh.conf -echo " \"key_location\": \"${KEY_LOCATION_PREFIX}${KEY_LOCATION}\"," >> /home/core/klam-ssh.conf -echo " \"role_name\": \"${ROLE_NAME}\"," >> /home/core/klam-ssh.conf -echo " \"encryption_id\": \"${ENCRYPTION_ID}\"," >> /home/core/klam-ssh.conf -echo " \"encryption_key\": \"${ENCRYPTION_KEY}\"," >> /home/core/klam-ssh.conf -echo " \"resource_location\": \"amazon\"," >> /home/core/klam-ssh.conf -echo " \"time_skew\": \"permissive\"," >> /home/core/klam-ssh.conf -echo " \"s3_region\": \"${REGION}\"" >> /home/core/klam-ssh.conf -echo "}" >> /home/core/klam-ssh.conf +cat << EOT >> /home/core/klam-ssh.conf +{ + key_location: ${KEY_LOCATION_PREFIX}${KEY_LOCATION}, + role_name: ${ROLE_NAME}, + encryption_id: ${ENCRYPTION_ID}, + encryption_key: ${ENCRYPTION_KEY}, + resource_location: amazon, + time_skew: permissive, + s3_region: ${REGION} +} +EOT # Create directory structure mkdir -p /opt/klam/lib /opt/klam/lib64 /etc/ld.so.conf.d 
@@ -117,7 +124,6 @@ echo 'AuthorizedKeysCommand /opt/klam/lib/authorizedkeys_command.sh' >> sshd_con echo 'AuthorizedKeysCommandUser root' >> sshd_config mv -f sshd_config /etc/ssh/sshd_config cat /etc/ssh/sshd_config -echo "" # Change ownership of authorizedkeys_command chown root:root /home/core/mesos-systemd/v3/util/authorizedkeys_command.sh diff --git a/v3/util/authorizedkeys_command.sh b/v3/util/authorizedkeys_command.sh index 7cf2825..51cc7d2 100755 --- a/v3/util/authorizedkeys_command.sh +++ b/v3/util/authorizedkeys_command.sh @@ -1,10 +1,10 @@ #!/bin/bash -ENCRYPTION_ID=$(etcdctl get /klam-ssh/ENCRYPTION_ID) -ENCRYPTION_KEY=$(etcdctl get /klam-ssh/ENCRYPTION_KEY) -ROLE_NAME=$(etcdctl get /klam-ssh/ROLE_NAME) -KEY_LOCATION_PREFIX=$(etcdctl get /klam-ssh/KEY_LOCATION_PREFIX) -IMAGE=$(etcdctl get /images/klam-ssh) +ROLE_NAME="$(etcdctl get /klam-ssh/config/role-name)" +ENCRYPTION_ID="$(etcdctl get /klam-ssh/config/encryption-id)" +ENCRYPTION_KEY="$(etcdctl get /klam-ssh/config/encryption-key)" +KEY_LOCATION_PREFIX="$(etcdctl get /klam-ssh/config/key-location-prefix)" +IMAGE="$(etcdctl get /images/klam-ssh)" echo "Running authorizedkeys_command for $1" | systemd-cat -p info -t klam-ssh diff --git a/v3/util/downloadS3.sh b/v3/util/downloadS3.sh index bafb256..816a715 100755 --- a/v3/util/downloadS3.sh +++ b/v3/util/downloadS3.sh 
@@ -1,10 +1,10 @@ #!/bin/bash -ENCRYPTION_ID=$(etcdctl get /klam-ssh/ENCRYPTION_ID) -ENCRYPTION_KEY=$(etcdctl get /klam-ssh/ENCRYPTION_KEY) -ROLE_NAME=$(etcdctl get /klam-ssh/ROLE_NAME) -KEY_LOCATION_PREFIX=$(etcdctl get /klam-ssh/KEY_LOCATION_PREFIX) -IMAGE=$(etcdctl get /images/klam-ssh) +ROLE_NAME="$(etcdctl get /klam-ssh/config/role-name)" +ENCRYPTION_ID="$(etcdctl get /klam-ssh/config/encryption-id)" +ENCRYPTION_KEY="$(etcdctl get /klam-ssh/config/encryption-key)" +KEY_LOCATION_PREFIX="$(etcdctl get /klam-ssh/config/key-location-prefix)" +IMAGE="$(etcdctl get /images/klam-ssh)" docker run --rm -e ROLE_NAME=${ROLE_NAME} -e ENCRYPTION_ID=${ENCRYPTION_ID} -e ENCRYPTION_KEY=${ENCRYPTION_KEY} -e KEY_LOCATION_PREFIX=${KEY_LOCATION_PREFIX} ${IMAGE} /usr/lib/klam/downloadS3.py exit 0 From 285bcc82eda017c50b3803688be87a3150c9d300 Mon Sep 17 00:00:00 2001 From: eadasiak Date: Wed, 4 May 2016 14:18:28 -0700 Subject: [PATCH 06/16] Modify global prompt for klam-ssh MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit uses who -m instead of \u in the command prompt. Since users are squashed to a single user (klamfed) via libnss_ato, everyone except for core had a prompt of 'klamfed@…' killed off klam.sh since it doesn’t really work in CoreOS --- v3/profile.d/klam.sh | 2 -- v3/profile.d/profile.sh | 2 +- 2 files changed, 1 insertion(+), 3 deletions(-) delete mode 100644 v3/profile.d/klam.sh diff --git a/v3/profile.d/klam.sh b/v3/profile.d/klam.sh deleted file mode 100644 index a6ca909..0000000 --- a/v3/profile.d/klam.sh +++ /dev/null @@ -1,2 +0,0 @@ -KLAM_USER=$(who -m | awk '{print $1}') -PROMPT_COMMAND='RETRN_VAL=$?;logger -p local6.debug "$KLAM_USER [$$]: $(history 1 | sed "s/^[ ]*[0-9]\+[ ]*//") [$RETRN_VAL]"' diff --git a/v3/profile.d/profile.sh b/v3/profile.d/profile.sh index 3f2931d..f008ff6 100644 --- a/v3/profile.d/profile.sh +++ b/v3/profile.d/profile.sh 
@@ -9,5 +9,5 @@ fi # set the prompt for non-root users if [[ ${EUID} != 0 ]]; then source /etc/environment - export PS1="\[\\033[01;32m\]\u@\h\[\\033[01;34m\] \[\\033[01;30m\]$NODE_TIER-$NODE_PRODUCT-$ZONE-$NODE_ROLE \[\\033[01;34m\]\w \$\[\\033[00m\] " + export PS1="\[\\033[01;32m\]$(who -m | awk '{print $1}')@\h\[\\033[01;34m\] \[\\033[01;30m\]$NODE_TIER-$NODE_PRODUCT-$ZONE-$NODE_ROLE \[\\033[01;34m\]\w \$\[\\033[00m\] " fi From 25a6ac4a3f9ca68e7d74aedc6c10d62d6f5305f5 Mon Sep 17 00:00:00 2001 From: eadasiak Date: Wed, 4 May 2016 14:39:43 -0700 Subject: [PATCH 07/16] setting default klam-ssh image value --- v3/setup/klam-ssh.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/v3/setup/klam-ssh.sh b/v3/setup/klam-ssh.sh index e157af0..4f688eb 100755 --- a/v3/setup/klam-ssh.sh +++ b/v3/setup/klam-ssh.sh @@ -1,5 +1,7 @@ #!/bin/bash -xe +etcdctl set /images/klam-ssh "adobecloudops/klam-ssh:latest" + AZ=$(curl -s http://169.254.169.254/latest/meta-data/placement/availability-zone) REGION=${AZ::-1} ROLE_NAME="$(etcdctl get /klam-ssh/config/role-name)" @@ -7,7 +9,6 @@ ENCRYPTION_ID="$(etcdctl get /klam-ssh/config/encryption-id)" ENCRYPTION_KEY="$(etcdctl get /klam-ssh/config/encryption-key)" KEY_LOCATION_PREFIX="$(etcdctl get /klam-ssh/config/key-location-prefix)" IMAGE="$(etcdctl get /images/klam-ssh)" -: ${IMAGE:="adobecloudops/klam-ssh:latest"} case $REGION in From 05ec34dd9d328b112212b219cfcb0b94b57abfb6 Mon Sep 17 00:00:00 2001 From: eadasiak Date: Thu, 12 May 2016 14:00:22 -0700 Subject: [PATCH 08/16] etcd2 setup for bastion host as well --- init | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/init b/init index 09e4629..8617c72 100755 --- a/init +++ b/init 
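Review bot: `$(who -m | awk '{print $1}')` is expanded once, when `PS1` is assigned, and as far as I can tell prints nothing for a session without a utmp entry for its terminal, which leaves an empty name before `@\h` in the prompt; a fallback to `\u` keeps the previous behaviour in that case. Two lines cover it: `klam_user=$(who -m | awk '{print $1}')` followed by `export PS1="\[\\033[01;32m\]${klam_user:-\\u}@\h..."` with the rest of the string unchanged. Since the name comes from utmp rather than from the authenticated identity it is display-only, which is fine for a prompt but should not be reused for logging or access decisions.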
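Review bot: `etcdctl set /images/klam-ssh "adobecloudops/klam-ssh:latest"` runs unconditionally on every execution of klam-ssh.sh, so any operator-provided image value in etcd is overwritten a few lines before `IMAGE` reads it back, and the second hunk in this file removes the `: ${IMAGE:=...}` fallback that previously applied only when the key was absent. `etcdctl mk /images/klam-ssh "adobecloudops/klam-ssh:latest" || :` (create only if missing) or keeping the fallback expansion preserves the ability to override. Separately, `:latest` is a mutable tag, so the image that ends up behind the sshd `AuthorizedKeysCommand` is whatever the registry serves at boot; a version tag or digest in the default makes that path reproducible. The body of `case $REGION in` continues outside the second hunk.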
@@ -13,7 +13,7 @@ else
 fi
 
 # Control tier - must form an etcd2 cluster first
-if [ "$NODE_ROLE" = "control" ]; then
+if [ "$NODE_ROLE" = "control" -o "$NODE_ROLE" = "bastion"]; then
 sudo ${SCRIPTDIR}/$VERSION/util/etcd2-setup.sh $SCRIPTDIR
 fi
 if [ "$NODE_ROLE" = "it-hybrid" ]; then
From 3b5a4d0081724bd304980f7ac9ffaf227d4cbdc0 Mon Sep 17 00:00:00 2001
From: eadasiak
Date: Mon, 16 May 2016 12:59:35 -0700
Subject: [PATCH 09/16] Bastion support in mesos-systemd

---
 init | 2 +-
 v3/profile.d/bastion/etcdctl.sh | 1 +
 v3/profile.d/bastion/fleetctl.sh | 1 +
 3 files changed, 3 insertions(+), 1 deletion(-)
 create mode 120000 v3/profile.d/bastion/etcdctl.sh
 create mode 120000 v3/profile.d/bastion/fleetctl.sh

diff --git a/init b/init
index 139c489..43f3ed2 100755
--- a/init
+++ b/init
@@ -13,7 +13,7 @@ else
 fi
 
 # Control tier - must form an etcd2 cluster first
-if [ "$NODE_ROLE" = "control" -o "$NODE_ROLE" = "bastion"]; then
+if [ "$NODE_ROLE" = "control" ] || [ "$NODE_ROLE" = "bastion" ]; then
 sudo ${SCRIPTDIR}/$VERSION/util/etcd2-setup.sh $SCRIPTDIR
 fi
 if [ "$NODE_ROLE" = "it-hybrid" ]; then
diff --git a/v3/profile.d/bastion/etcdctl.sh b/v3/profile.d/bastion/etcdctl.sh
new file mode 120000
index 0000000..5699a39
--- /dev/null
+++ b/v3/profile.d/bastion/etcdctl.sh
@@ -0,0 +1 @@
+../common/etcdctl.sh
\ No newline at end of file
diff --git a/v3/profile.d/bastion/fleetctl.sh b/v3/profile.d/bastion/fleetctl.sh
new file mode 120000
index 0000000..e2027d1
--- /dev/null
+++ b/v3/profile.d/bastion/fleetctl.sh
@@ -0,0 +1 @@
+../common/fleetctl.sh
\ No newline at end of file
From 0c9ce4028ab2e5c4d03c8b9975b776ae2d22a6d1 Mon Sep 17 00:00:00 2001
From: eadasiak
Date: Mon, 16 May 2016 13:35:38 -0700
Subject: [PATCH 10/16] Fixing klam-ssh installation issues due to reliance on values from seed-etcd.sh

---
 init | 5 ++++-
 v3/{setup => util}/klam-ssh.sh | 0
 2 files changed, 4 insertions(+), 1 deletion(-)
 rename v3/{setup => util}/klam-ssh.sh (100%)
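Review bot: Running `etcd2-setup.sh` for the bastion role means the host that carries the public IPv4 (see ssh-client-config.sh later in this series) now takes part in the etcd cluster that stores `/klam-ssh/config/encryption-key` and the other klam-ssh values in the clear; whether it joins as a full member or as a proxy is not visible here, but if it is a member those secrets become readable from the network-edge host. A comment on the condition stating what the bastion needs from etcd, and why a proxy would not suffice, would record that decision, e.g. `# bastion needs etcd for klam-ssh config lookups; joins as <member|proxy>`. While the condition is being touched, the unchanged `sudo` line would also be safer as `sudo "${SCRIPTDIR}/${VERSION}/util/etcd2-setup.sh" "$SCRIPTDIR"`.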
diff --git a/init b/init
index 43f3ed2..5e89865 100755
--- a/init
+++ b/init
@@ -12,7 +12,7 @@ else
 VERSION="$1"
 fi
 
-# Control tier - must form an etcd2 cluster first
+# Control and Bastion tiers - must form an etcd2 cluster first
 if [ "$NODE_ROLE" = "control" ] || [ "$NODE_ROLE" = "bastion" ]; then
 sudo ${SCRIPTDIR}/$VERSION/util/etcd2-setup.sh $SCRIPTDIR
 fi
@@ -46,6 +46,9 @@ done
 # custom-provided etcd vals
 ${SCRIPTDIR}/$VERSION/util/seed-etcd.sh || :
 
+# The klam-ssh.sh script must run after seed-etcd.sh
+sudo ${SCRIPTDIR}/$VERSION/util/klam-ssh.sh || :
+
 # The mesos-credentials.sh script must run after seed-etcd.sh
 sudo ${SCRIPTDIR}/$VERSION/util/mesos-credentials.sh || :
 
diff --git a/v3/setup/klam-ssh.sh b/v3/util/klam-ssh.sh
similarity index 100%
rename from v3/setup/klam-ssh.sh
rename to v3/util/klam-ssh.sh
From 0d8aa6fcf848b99d3be5fccd11d43db831267df7 Mon Sep 17 00:00:00 2001
From: eadasiak
Date: Mon, 16 May 2016 14:07:25 -0700
Subject: [PATCH 11/16] something's not right...

---
 init | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/init b/init
index 5e89865..6aaa362 100755
--- a/init
+++ b/init
@@ -47,7 +47,7 @@ done
 ${SCRIPTDIR}/$VERSION/util/seed-etcd.sh || :
 
 # The klam-ssh.sh script must run after seed-etcd.sh
-sudo ${SCRIPTDIR}/$VERSION/util/klam-ssh.sh || :
+# sudo ${SCRIPTDIR}/$VERSION/util/klam-ssh.sh || :
 
 # The mesos-credentials.sh script must run after seed-etcd.sh
 sudo ${SCRIPTDIR}/$VERSION/util/mesos-credentials.sh || :
From 94a8485ac18c1d297bd3a3d3d1f77afef23d0f64 Mon Sep 17 00:00:00 2001
From: eadasiak
Date: Mon, 16 May 2016 14:30:46 -0700
Subject: [PATCH 12/16] Revert "something's not right..."

This reverts commit 0d8aa6fcf848b99d3be5fccd11d43db831267df7.
---
 init | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/init b/init
index 6aaa362..5e89865 100755
--- a/init
+++ b/init
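Review bot: `sudo ${SCRIPTDIR}/$VERSION/util/klam-ssh.sh || :` in the second hunk discards the exit status, so a failed SSH setup leaves no trace in `init`'s outcome; klam-ssh.sh runs under `bash -xe` (its shebang earlier in this series) and, judging by the earlier hunk that rewrites `sshd_config`, can stop partway through, which is exactly the case worth recording. The same `|| :` idiom is used for `seed-etcd.sh` and `mesos-credentials.sh`, but for the access path a logged failure costs one line: `sudo "${SCRIPTDIR}/$VERSION/util/klam-ssh.sh" || echo "klam-ssh.sh failed (rc=$?)" | systemd-cat -p err -t klam-ssh`. The comment says only that it must run after `seed-etcd.sh`; naming what it reads (`/klam-ssh/config/*`, `/images/klam-ssh`) would make the ordering constraint checkable the next time this file is reordered, as the later patches in this series do.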
@@ -47,7 +47,7 @@ done ${SCRIPTDIR}/$VERSION/util/seed-etcd.sh || : # The klam-ssh.sh script must run after seed-etcd.sh -# sudo ${SCRIPTDIR}/$VERSION/util/klam-ssh.sh || : +sudo ${SCRIPTDIR}/$VERSION/util/klam-ssh.sh || : # The mesos-credentials.sh script must run after seed-etcd.sh sudo ${SCRIPTDIR}/$VERSION/util/mesos-credentials.sh || : From e7843af72a65f1093d1778ede2de5904e3eccca2 Mon Sep 17 00:00:00 2001 From: eadasiak Date: Mon, 16 May 2016 15:07:13 -0700 Subject: [PATCH 13/16] Rearranging the script order --- init | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/init b/init index 5e89865..cba78d2 100755 --- a/init +++ b/init @@ -46,12 +46,12 @@ done # custom-provided etcd vals ${SCRIPTDIR}/$VERSION/util/seed-etcd.sh || : -# The klam-ssh.sh script must run after seed-etcd.sh -sudo ${SCRIPTDIR}/$VERSION/util/klam-ssh.sh || : - # The mesos-credentials.sh script must run after seed-etcd.sh sudo ${SCRIPTDIR}/$VERSION/util/mesos-credentials.sh || : +# The klam-ssh.sh script must run after seed-etcd.sh +sudo ${SCRIPTDIR}/$VERSION/util/klam-ssh.sh || : + etcdctl get /environment/SCRIPTS-FORK if [[ $? = 4 ]]; then # 4 == 404 - key not found From 685f7870225ec363ede0567ebb2c9f3aecc05adc Mon Sep 17 00:00:00 2001 From: eadasiak Date: Mon, 16 May 2016 15:33:06 -0700 Subject: [PATCH 14/16] update-ssh-keys is causing problems --- v3/util/klam-ssh.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/v3/util/klam-ssh.sh b/v3/util/klam-ssh.sh index 4f688eb..5c33a75 100755 --- a/v3/util/klam-ssh.sh +++ b/v3/util/klam-ssh.sh @@ -90,7 +90,7 @@ useradd -p "*" -U -G sudo -u 5000 -m klamfed -s /bin/bash mkdir -p /home/klamfed usermod -p "*" klamfed usermod -U klamfed -update-ssh-keys -u klamfed +update-ssh-keys -u klamfed || : # Add klamfed to wheel usermod -a -G wheel klamfed From 09c83ccd6f8388a224dc68f1dc1bc307dc8a0f60 Mon Sep 17 00:00:00 2001 
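Review bot: `update-ssh-keys -u klamfed || :` in the klam-ssh.sh hunk hides why the command fails, and the commit message only says it "is causing problems", so the next reader cannot tell whether the failure is benign; `update-ssh-keys -u klamfed || echo "update-ssh-keys -u klamfed failed (rc=$?)" | systemd-cat -p warning -t klam-ssh` keeps the script going while recording the cause. A comment above the line saying what `update-ssh-keys` was expected to do for the shared `klamfed` account, and what state the account is in when it fails, would also help. The surrounding `useradd ... -G sudo` and `usermod -a -G wheel klamfed` lines are unchanged context, but they mean every federated user squashed into `klamfed` (per the patch 06 description) holds `sudo` and `wheel`, so the account's privilege and the quality of its audit trail are worth a sentence in the file header.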
From: eadasiak
Date: Thu, 19 May 2016 16:12:33 -0700
Subject: [PATCH 15/16] Bastion host ssh helper script
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This will generate the correct ssh config file for a user’s workstation to connect through the bastion to the internal hosts
---
 v3/util/ssh-client-config.sh | 41 ++++++++++++++++++++++++++++++++++++
 1 file changed, 41 insertions(+)
 create mode 100755 v3/util/ssh-client-config.sh

diff --git a/v3/util/ssh-client-config.sh b/v3/util/ssh-client-config.sh
new file mode 100755
index 0000000..8b02e88
--- /dev/null
+++ b/v3/util/ssh-client-config.sh
@@ -0,0 +1,41 @@
+#!/bin/bash
+
+# Use meta-data to determine the public IPv4 of this bastion host and the vpc's cidr block
+IP=$(curl -s http://169.254.169.254/latest/meta-data/public-ipv4)
+ETH0_MAC=$(ifconfig eth0 | grep ether | awk '{print tolower($2)}')
+VPC_CIDR=$(curl -s http://169.254.169.254/latest/meta-data/network/interfaces/macs/${ETH0_MAC}/vpc-ipv4-cidr-block)
+
+# Split the network IP from the mask and assign them to separate variables
+IFS='/' read -r -a CIDR_ARRAY <<< "${VPC_CIDR}"
+NETWORK=${CIDR_ARRAY[0]}
+MASK=${CIDR_ARRAY[1]}
+
+# Determine how many /24 networks fit into the given VPC_CIDR. Yes, this is ugly for two reasons.
+# One, ssh_config only allows string pattern matching, so for subnets, one can only use a network
+# terminated with a wildcard for the last octet. Second, there's a limit to the size of the VPC
+# that can be allocated in Adobe private address space. HamCIDR only allows CIDR blocks from /25
+# to /22, so any other value is bypassing SOP. A case statement can't do range comparisons, and
+# I didn't want to implement a subnet calculator in BASH, so there's this:
+
+if [[ "${MASK}" -ge 24 ]]; then SUBNETS=1
+elif [[ "${MASK}" == 23 ]]; then SUBNETS=2
+elif [[ "${MASK}" == 22 ]]; then SUBNETS=4
+elif [[ "${MASK}" == 21 ]]; then SUBNETS=8
+elif [[ "${MASK}" == 20 ]]; then SUBNETS=16
+else
+ echo "Your large CIDR block broke teh internets."
+ exit 1
+fi
+
+# Build the string of /24 networks to use in the ssh_config
+HOSTS=$(for ((i = 0; i < ${SUBNETS}; i++)); do echo ${NETWORK} | awk -v x="${i}" -F. '{printf "%d.%d.%d.%s", $1,$2,$3+x,"* "}'; done; echo)
+
+
+cat << EOF
+Host ${IP}
+ IdentityFile ~/.ssh/ssh.pem
+
+Host ${HOSTS}
+ IdentityFile ~/.ssh/ssh.pem
+ ProxyCommand ssh ${IP} ncat %h %p
+EOF
From 2f66d3718ede2c9ce4479044a04da6df62a85ecb Mon Sep 17 00:00:00 2001
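Review bot: Nothing checks that the meta-data queries returned anything: `curl -s` without `--fail` or a timeout yields an empty `IP` on any error, which is never noticed and produces a config containing `Host ` and `ProxyCommand ssh  ncat %h %p`, while an empty `VPC_CIDR` leaves `MASK` empty, which `[[ "${MASK}" -ge 24 ]]` treats as 0 and so exits with the misleading large-CIDR message. Adding `--fail --max-time 5` to both curl calls and `: "${IP:?no public-ipv4 from meta-data}" "${VPC_CIDR:?no vpc cidr from meta-data}"` after the assignments turns both into a clear failure. `ifconfig eth0 | grep ether` also depends on one net-tools output format (older versions print `HWaddr`); `cat /sys/class/net/eth0/address` returns the MAC directly. Separately, `ssh ${IP} ncat %h %p` needs ncat installed on the bastion, whereas `ProxyCommand ssh -W %h:%p ${IP}` makes the same hop with stock OpenSSH and nothing extra on the jump host.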
From: eadasiak
Date: Tue, 24 May 2016 11:24:04 -0700
Subject: [PATCH 16/16] Updating the ssh client config script to use the Bastion as a forward agent

---
 v3/util/ssh-client-config.sh | 1 +
 1 file changed, 1 insertion(+)

diff --git a/v3/util/ssh-client-config.sh b/v3/util/ssh-client-config.sh
index 8b02e88..e512f80 100755
--- a/v3/util/ssh-client-config.sh
+++ b/v3/util/ssh-client-config.sh
@@ -33,6 +33,7 @@ HOSTS=$(for ((i = 0; i < ${SUBNETS}; i++)); do echo ${NETWORK} | awk -v x="${i}"
 
 cat << EOF
 Host ${IP}
+ ForwardAgent yes
  IdentityFile ~/.ssh/ssh.pem
 
 Host ${HOSTS}
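Review bot: `ForwardAgent yes` on the `Host ${IP}` stanza exposes the user's agent socket to root on the bastion for the whole of every session, and because the inner `ProxyCommand ssh ${IP} ...` for the internal hosts also matches this stanza, forwarding now happens on every proxied hop as well; that hop authenticates from the workstation with the same `IdentityFile`, so the proxy path does not need it. If the intent is onward hops started from the bastion itself, that is better served by keeping the default off and putting the option in a separate, documented stanza, with a comment in the generated file such as `# ForwardAgent is only needed for hops started on the bastion; leave off for the ProxyCommand path`. The here-doc that produces this config continues past the hunk.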