[node-patches] Change in ovirt-node[ovirt-3.5]: hooks: Add on-boot hook validate-owner-ssh-keys

fabiand at redhat.com fabiand at redhat.com
Wed Feb 25 09:19:11 UTC 2015


Hello Douglas Schilling Landgraf,

I'd like you to do a code review.  Please visit

    https://gerrit.ovirt.org/38153

to review the following change.

Change subject: hooks: Add on-boot hook validate-owner-ssh-keys
......................................................................

hooks: Add on-boot hook validate-owner-ssh-keys

During upgrades between releases, node may have
a different gid for the ssh_keys group, making the
registration or ssh connection impossible.

This patch adds a boot hook into ovirt-node to verify
if ssh_keys group exists and fix the permissions if required.

Change-Id: Iaafad60288d87a41470dae581e6a2c6bc77369cd
Bug-Url: https://bugzilla.redhat.com/show_bug.cgi?id=1192523
Signed-off-by: Douglas Schilling Landgraf <dougsland at redhat.com>
---
M Makefile.am
M configure.ac
A hooks/Makefile.am
A hooks/README
A hooks/on-boot/03-validate-owner-ssh-keys
5 files changed, 88 insertions(+), 0 deletions(-)


  git pull ssh://gerrit.ovirt.org:29418/ovirt-node refs/changes/53/38153/1

diff --git a/Makefile.am b/Makefile.am
index 49dfbb8..12930b5 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -23,6 +23,7 @@
   data \
   dracut \
   images \
+  hooks \
   recipe \
   scripts \
   src \
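Review bot: `hooks \` is placed after `images \`, but the entries visible in this list (data, dracut, images, recipe, scripts, src) are in alphabetical order. Move it between `dracut \` and `images \` so the list stays sorted.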
diff --git a/configure.ac b/configure.ac
index 9b239f0..e3b872d 100644
--- a/configure.ac
+++ b/configure.ac
@@ -116,6 +116,7 @@
                 data/Makefile
                 dracut/Makefile
                 images/Makefile
+                hooks/Makefile
                 scripts/Makefile
                 registration/Makefile
                 tools/Makefile
diff --git a/hooks/Makefile.am b/hooks/Makefile.am
new file mode 100644
index 0000000..f008d35
--- /dev/null
+++ b/hooks/Makefile.am
@@ -0,0 +1,22 @@
+# Copyright (C) 2015 Red Hat, Inc.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
+# MA  02110-1301, USA.  A copy of the GNU General Public License is
+# also available at http://www.gnu.org/copyleft/gpl.html.
+
+onbootdir = $(libexecdir)/ovirt-node/hooks/on-boot
+
+dist_onboot_SCRIPTS = \
+	on-boot/03-validate-owner-ssh-keys \
+	$(NULL)
diff --git a/hooks/README b/hooks/README
new file mode 100644
index 0000000..b544b01
--- /dev/null
+++ b/hooks/README
@@ -0,0 +1,2 @@
+on-boot dir contains scripts that will run during the boot.
+
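Review bot: The README says only that on-boot scripts run during boot, and does not say what executes them, in which order, or how a non-zero exit status is handled. The hook added here carries a `03-` prefix and can return the exit code of the sshd restart, so the ordering convention and the meaning of the exit status should be documented in this file. The empty second line can be dropped.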
diff --git a/hooks/on-boot/03-validate-owner-ssh-keys b/hooks/on-boot/03-validate-owner-ssh-keys
new file mode 100755
index 0000000..ce6e7ea
--- /dev/null
+++ b/hooks/on-boot/03-validate-owner-ssh-keys
@@ -0,0 +1,62 @@
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+#
+# 03-validate-owner-ssh-keys - Copyright (C) 2015 Red Hat, Inc.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+import grp
+import os
+import pwd
+import subprocess
+import sys
+
+
+def main():
+    _RESTART_SSH_DAEMON = False
+    _GROUP_SSH_KEYS = "ssh_keys"
+    _PATH_KEYS = ("/etc/ssh/ssh_host_rsa_key",
+                  "/etc/ssh/ssh_host_key",
+                  "/etc/ssh/ssh_host_dsa_key",
+                  "/etc/ssh/ssh_host_ecdsa_key")
+
+    try:
+        for key in _PATH_KEYS:
+            if os.path.exists(key) and \
+                    grp.getgrnam(_GROUP_SSH_KEYS).gr_gid >= 0:
+                stat_info = os.stat(key)
+                user = pwd.getpwuid(stat_info.st_uid)[0]
+                group = grp.getgrgid(stat_info.st_gid)[0]
+                if user != "root" or group != _GROUP_SSH_KEYS:
+                    os.chown(key,
+                             pwd.getpwnam("root").pw_uid,
+                             grp.getgrnam(_GROUP_SSH_KEYS).gr_gid)
+                    _RESTART_SSH_DAEMON = True
+
+        if _RESTART_SSH_DAEMON:
+            cmd = subprocess.Popen(['service', 'sshd', 'restart'],
+                                   stdout=subprocess.PIPE,
+                                   stderr=subprocess.PIPE,
+                                   shell=False)
+
+            output, err = cmd.communicate()
+            if cmd.returncode != 0:
+                print("Cannot restart sshd service!")
+                return cmd.returncode
+
+    except KeyError:
+        print "No ssh keys group, nothing to do.."
+    except:
+        print "Exception got, raising it.."
+        raise
+
+    return 0
+
+if __name__ == "__main__":
+    sys.exit(main())
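Review bot: In the loop over _PATH_KEYS, `grp.getgrgid(stat_info.st_gid)[0]` raises KeyError when the key file's gid has no entry in the group database, which can happen in exactly the case the commit message describes (ssh_keys has a different gid after the upgrade). The same applies to `pwd.getpwuid(stat_info.st_uid)[0]`. The `except KeyError` branch then prints "No ssh keys group, nothing to do.." and main() returns 0 with the ownership left unfixed. Compare numeric ids instead: look up `grp.getgrnam(_GROUP_SSH_KEYS).gr_gid` once before the loop, and call os.chown when `stat_info.st_uid != 0` or `stat_info.st_gid` differs from that gid. Doing the lookup once also makes the `gr_gid >= 0` test unnecessary; that test is always true and only serves to trigger the KeyError. Smaller points: print is used both as a function and as a statement in the same file, the bare `except:` only prints and re-raises so it can be removed, and `output, err` from communicate() are discarded, so the "Cannot restart sshd service!" message could include err.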


-- 
To view, visit https://gerrit.ovirt.org/38153
To unsubscribe, visit https://gerrit.ovirt.org/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: Iaafad60288d87a41470dae581e6a2c6bc77369cd
Gerrit-PatchSet: 1
Gerrit-Project: ovirt-node
Gerrit-Branch: ovirt-3.5
Gerrit-Owner: Fabian Deutsch <fabiand at redhat.com>
Gerrit-Reviewer: Douglas Schilling Landgraf <dougsland at redhat.com>


