Added sudoers file

dev
santic-zombie 5 months ago
parent 9f6750f9b7
commit 25941d046c
  1. 7
      opennebula-common/APKBUILD
  2. 18
      opennebula-common/one-sudoers
  3. 21
      opennebula-node-kvm/APKBUILD
  4. 13
      opennebula-node-kvm/opennebula-common.post-deinstall
  5. 57
      opennebula-node-kvm/opennebula-common.post-install

@ -11,16 +11,19 @@ license="Apache"
depends="
jq
openssh-client"
openssh-client
sudo"
install="
${pkgname}.post-install
${pkgname}.post-deinstall"
source="
ssh-config"
ssh-config
one-sudoers"
package() {
install -Dm755 "${srcdir}/ssh-config" "${pkgdir}/usr/share/one/ssh/config"
install -Dm750 "${srcdir}/sudo-opennebula" "${pkgdir}/etc/sudoers.d/one-sudoers"
}
sha512sums="71c4ebfa1b1c32c59b0fead99730604e0edba617f6d6b9a4e9a4d9671fbe75c60f9f4d53fb5e2f35d7c632c7e308bd047af2f1db769de4134eb078d7b0fc3486 ssh-config"

@ -0,0 +1,18 @@
Defaults:oneadmin !requiretty
Defaults:oneadmin secure_path = /sbin:/bin:/usr/sbin:/usr/bin
Cmnd_Alias ONE_CEPH = /usr/bin/rbd
Cmnd_Alias ONE_FIRECRACKER = /usr/bin/jailer, /usr/sbin/one-clean-firecracker-domain, /usr/sbin/one-prepare-firecracker-domain
Cmnd_Alias ONE_HA = /bin/systemctl start opennebula-showback.timer, /bin/systemctl stop opennebula-showback.timer, /usr/sbin/service opennebula-flow start, /usr/sbin/service opennebula-flow stop, /usr/sbin/service opennebula-gate start, /usr/sbin/service opennebula-gate stop, /usr/sbin/service opennebula-hem start, /usr/sbin/service opennebula-hem stop, /usr/bin/arping, /sbin/ip address *
Cmnd_Alias ONE_LVM = /sbin/lvcreate, /sbin/lvremove, /sbin/lvs, /sbin/vgdisplay, /sbin/lvchange, /sbin/lvscan, /sbin/lvextend
Cmnd_Alias ONE_LXC = /bin/mount, /bin/umount, /usr/bin/bindfs, /sbin/losetup, /usr/bin/qemu-nbd, /usr/bin/lxc-attach, /usr/bin/lxc-config, /usr/bin/lxc-create, /usr/bin/lxc-destroy, /usr/bin/lxc-info, /usr/bin/lxc-ls, /usr/bin/lxc-start, /usr/bin/lxc-stop, /usr/bin/lxc-console, /sbin/e2fsck, /sbin/resize2fs, /usr/sbin/xfs_growfs, /usr/bin/rbd-nbd
Cmnd_Alias ONE_LXD = /snap/bin/lxc, /usr/bin/catfstab, /bin/mount, /bin/umount, /bin/mkdir, /bin/lsblk, /sbin/losetup, /sbin/kpartx, /usr/bin/qemu-nbd, /sbin/blkid, /sbin/e2fsck, /sbin/resize2fs, /usr/sbin/xfs_growfs, /usr/bin/rbd-nbd, /usr/sbin/xfs_admin, /sbin/tune2fs
Cmnd_Alias ONE_MARKET = /usr/lib/one/sh/create_container_image.sh, /usr/lib/one/sh/create_docker_image.sh
Cmnd_Alias ONE_NET = /sbin/ebtables, /sbin/iptables, /sbin/ip6tables, /sbin/ipset, /sbin/ip link *, /sbin/ip tuntap *, /sbin/ip route *, /sbin/ip neighbour *
Cmnd_Alias ONE_OVS = /usr/bin/ovs-ofctl, /usr/bin/ovs-vsctl, /usr/bin/ovs-appctl
Cmnd_Alias ONE_MEM = /sbin/sysctl vm.drop_caches=3 vm.compact_memory=1
Cmnd_Alias ONE_VGPU = /var/tmp/one/vgpu
## Command aliases are enabled individually in dedicated
## sudoers files by each OpenNebula component (server, node).
# oneadmin ALL=(ALL) NOPASSWD: ONE_CEPH, ONE_FIRECRACKER, ONE_HA, ONE_LVM, ONE_LXC, ONE_LXD, ONE_MARKET, ONE_NET, ONE_OVS, ONE_MEM

@ -0,0 +1,21 @@
# Contributor: Santic <email@santic-zombie.ru>
# Maintainer: Santic <email@santic-zombie.ru>
pkgname=opennebula-node-kvm
pkgver=6.8.0
pkgrel=1
pkgdesc="Services for OpenNebula KVM node (Community Edition)"
url="https://opennebula.io/"
arch="noarch"
options="!check"
license="Apache"
depends=""
install="
${pkgname}.post-install
${pkgname}.post-deinstall"
source=""
package() {
}

@ -0,0 +1,13 @@
#!/bin/sh
set -e
ONE_GROUP=cloud
ONE_USER=oneadmin
userdel -r ${ONE_USER} 2>/dev/null && echo ">> User '${ONE_USER}' has been removed."
groupdel ${ONE_GROUP} 2>/dev/null && echo ">> Group '${ONE_GROUP}' has been removed."
rm -rf /var/lib/one /var/run/one /var/log/one /var/lock/one 2>/dev/null
exit 0

@ -0,0 +1,57 @@
#!/bin/sh
set -e
ONEHOME=/var/lib/one
ONE_GROUP=cloud
ONE_USER=oneadmin
ONE_UID=9869
ONE_GID=9869
ONE_COMMENT="OpenNebula administrator account"
create_cloudgroup() {
if ! getent group $ONE_GROUP > /dev/null 2>&1; then
addgroup --system --gid $ONE_GID $ONE_GROUP
fi
}
create_oneuser() {
if ! getent passwd $ONE_USER > /dev/null 2>&1; then
adduser --system --gecos "$ONE_COMMENT" --uid $ONE_UID --ingroup $ONE_GROUP --home $ONEHOME --shell /bin/ash $ONE_USER
else
ONEHOME=`getent passwd $ONE_USER | cut -f6 -d:`
# Renable user (give him a shell)
usermod --shell /bin/ash $ONE_USER
fi
if ! getent group disk | grep "\b$ONE_USER\b" &>/dev/null; then
usermod -a -G disk $ONE_USER
fi
}
create_cloudgroup
create_oneuser
# Install ~oneadmin/.ssh/config if not present on a fresh install only
if [ ! -e "${ONEHOME}/.ssh/config" ] && [ -z "$2" ]; then
if [ ! -d "${ONEHOME}/.ssh" ]; then
mkdir -p "${ONEHOME}/.ssh"
chmod 0700 "${ONEHOME}/.ssh"
chown "$ONE_USER:$ONE_GROUP" "${ONEHOME}/.ssh"
fi
cp /usr/share/one/ssh/config "${ONEHOME}/.ssh/config"
chmod 0600 "${ONEHOME}/.ssh/config"
chown "$ONE_USER:$ONE_GROUP" "${ONEHOME}/.ssh/config"
fi
# Set permissions and owner oneadmin:cloud
for F in /var/lock/one /var/log/one /var/run/one
do
if [ ! -d "${F}" ]; then
mkdir -p "${F}"
chmod 0750 "${F}"
chown "${ONE_USER}:${ONE_GROUP}" "${F}"
fi
done
exit 0
Loading…
Cancel
Save