Added sudoers file

5 months ago · 25941d046c
parent 9f6750f9b7
commit 25941d046c
5 changed files with 114 additions and 2 deletions
--- a/opennebula-common/APKBUILD
+++ b/opennebula-common/APKBUILD
@ -11,16 +11,19 @@ license="Apache"

 depends="
 	jq
-	openssh-client"
+	openssh-client
+	sudo"

 install="
 	${pkgname}.post-install
 	${pkgname}.post-deinstall"

 source="
-	ssh-config"
+	ssh-config
+	one-sudoers"

 package() {
 	install -Dm755 "${srcdir}/ssh-config" "${pkgdir}/usr/share/one/ssh/config"
+	install -Dm750 "${srcdir}/sudo-opennebula" "${pkgdir}/etc/sudoers.d/one-sudoers"
 }
 sha512sums="71c4ebfa1b1c32c59b0fead99730604e0edba617f6d6b9a4e9a4d9671fbe75c60f9f4d53fb5e2f35d7c632c7e308bd047af2f1db769de4134eb078d7b0fc3486  ssh-config"
--- a/opennebula-common/one-sudoers
+++ b/opennebula-common/one-sudoers
@ -0,0 +1,18 @@
+Defaults:oneadmin !requiretty
+Defaults:oneadmin secure_path = /sbin:/bin:/usr/sbin:/usr/bin
+
+Cmnd_Alias ONE_CEPH = /usr/bin/rbd
+Cmnd_Alias ONE_FIRECRACKER = /usr/bin/jailer, /usr/sbin/one-clean-firecracker-domain, /usr/sbin/one-prepare-firecracker-domain
+Cmnd_Alias ONE_HA = /bin/systemctl start opennebula-showback.timer, /bin/systemctl stop opennebula-showback.timer, /usr/sbin/service opennebula-flow start, /usr/sbin/service opennebula-flow stop, /usr/sbin/service opennebula-gate start, /usr/sbin/service opennebula-gate stop, /usr/sbin/service opennebula-hem start, /usr/sbin/service opennebula-hem stop, /usr/bin/arping, /sbin/ip address *
+Cmnd_Alias ONE_LVM = /sbin/lvcreate, /sbin/lvremove, /sbin/lvs, /sbin/vgdisplay, /sbin/lvchange, /sbin/lvscan, /sbin/lvextend
+Cmnd_Alias ONE_LXC = /bin/mount, /bin/umount, /usr/bin/bindfs, /sbin/losetup, /usr/bin/qemu-nbd, /usr/bin/lxc-attach, /usr/bin/lxc-config, /usr/bin/lxc-create, /usr/bin/lxc-destroy, /usr/bin/lxc-info, /usr/bin/lxc-ls, /usr/bin/lxc-start, /usr/bin/lxc-stop, /usr/bin/lxc-console, /sbin/e2fsck, /sbin/resize2fs, /usr/sbin/xfs_growfs, /usr/bin/rbd-nbd
+Cmnd_Alias ONE_LXD = /snap/bin/lxc, /usr/bin/catfstab, /bin/mount, /bin/umount, /bin/mkdir, /bin/lsblk, /sbin/losetup, /sbin/kpartx, /usr/bin/qemu-nbd, /sbin/blkid, /sbin/e2fsck, /sbin/resize2fs, /usr/sbin/xfs_growfs, /usr/bin/rbd-nbd, /usr/sbin/xfs_admin, /sbin/tune2fs
+Cmnd_Alias ONE_MARKET = /usr/lib/one/sh/create_container_image.sh, /usr/lib/one/sh/create_docker_image.sh
+Cmnd_Alias ONE_NET = /sbin/ebtables, /sbin/iptables, /sbin/ip6tables, /sbin/ipset, /sbin/ip link *, /sbin/ip tuntap *, /sbin/ip route *, /sbin/ip neighbour *
+Cmnd_Alias ONE_OVS = /usr/bin/ovs-ofctl, /usr/bin/ovs-vsctl, /usr/bin/ovs-appctl
+Cmnd_Alias ONE_MEM = /sbin/sysctl vm.drop_caches=3 vm.compact_memory=1
+Cmnd_Alias ONE_VGPU = /var/tmp/one/vgpu
+
+## Command aliases are enabled individually in dedicated
+## sudoers files by each OpenNebula component (server, node).
+# oneadmin ALL=(ALL) NOPASSWD: ONE_CEPH, ONE_FIRECRACKER, ONE_HA, ONE_LVM, ONE_LXC, ONE_LXD, ONE_MARKET, ONE_NET, ONE_OVS, ONE_MEM
--- a/opennebula-node-kvm/APKBUILD
+++ b/opennebula-node-kvm/APKBUILD
@ -0,0 +1,21 @@
+# Contributor: Santic <email@santic-zombie.ru>
+# Maintainer: Santic <email@santic-zombie.ru>
+pkgname=opennebula-node-kvm
+pkgver=6.8.0
+pkgrel=1
+pkgdesc="Services for OpenNebula KVM node (Community Edition)"
+url="https://opennebula.io/"
+arch="noarch"
+options="!check"
+license="Apache"
+
+depends=""
+
+install="
+	${pkgname}.post-install
+	${pkgname}.post-deinstall"
+
+source=""
+
+package() {
+}
--- a/opennebula-node-kvm/opennebula-common.post-deinstall
+++ b/opennebula-node-kvm/opennebula-common.post-deinstall
@ -0,0 +1,13 @@
+#!/bin/sh
+
+set -e
+
+ONE_GROUP=cloud
+ONE_USER=oneadmin
+
+userdel -r ${ONE_USER} 2>/dev/null  && echo ">> User '${ONE_USER}' has been removed."
+groupdel ${ONE_GROUP} 2>/dev/null  && echo ">> Group '${ONE_GROUP}' has been removed."
+
+rm -rf /var/lib/one /var/run/one /var/log/one /var/lock/one 2>/dev/null
+
+exit 0
--- a/opennebula-node-kvm/opennebula-common.post-install
+++ b/opennebula-node-kvm/opennebula-common.post-install
@ -0,0 +1,57 @@
+#!/bin/sh
+
+set -e
+
+ONEHOME=/var/lib/one
+ONE_GROUP=cloud
+ONE_USER=oneadmin
+ONE_UID=9869
+ONE_GID=9869
+ONE_COMMENT="OpenNebula administrator account"
+
+create_cloudgroup() {
+    if ! getent group $ONE_GROUP > /dev/null 2>&1; then
+        addgroup --system --gid $ONE_GID $ONE_GROUP
+    fi
+}
+
+create_oneuser() {
+    if ! getent passwd $ONE_USER > /dev/null 2>&1; then
+        adduser --system --gecos "$ONE_COMMENT" --uid $ONE_UID --ingroup $ONE_GROUP --home $ONEHOME --shell /bin/ash $ONE_USER
+    else
+        ONEHOME=`getent passwd $ONE_USER | cut -f6 -d:`
+        # Renable user (give him a shell)
+        usermod --shell /bin/ash $ONE_USER
+    fi
+
+    if ! getent group disk | grep "\b$ONE_USER\b" &>/dev/null; then
+        usermod -a -G disk $ONE_USER
+    fi
+}
+
+create_cloudgroup
+create_oneuser
+
+# Install ~oneadmin/.ssh/config if not present on a fresh install only
+if [ ! -e "${ONEHOME}/.ssh/config" ] && [ -z "$2" ]; then
+    if [ ! -d "${ONEHOME}/.ssh" ]; then
+        mkdir -p "${ONEHOME}/.ssh"
+        chmod 0700 "${ONEHOME}/.ssh"
+        chown "$ONE_USER:$ONE_GROUP" "${ONEHOME}/.ssh"
+    fi
+    cp /usr/share/one/ssh/config "${ONEHOME}/.ssh/config"
+    chmod 0600 "${ONEHOME}/.ssh/config"
+    chown "$ONE_USER:$ONE_GROUP" "${ONEHOME}/.ssh/config"
+fi
+
+# Set permissions and owner oneadmin:cloud
+for F in /var/lock/one /var/log/one /var/run/one
+do
+  if [ ! -d "${F}" ]; then
+    mkdir -p "${F}"
+    chmod 0750 "${F}"
+    chown "${ONE_USER}:${ONE_GROUP}" "${F}"
+  fi
+done
+
+exit 0