Having to bootstrap the guest as a separate phase is annoying and can be avoided by assuming the root password is well-known. This doesn't hurt security because we're going to be changing the root password with a user-provided one the first time Ansible is run; moreover, we only leave key-based SSH authentication enabled for the root user.

Signed-off-by: Andrea Bolognani <abologna@xxxxxxxxxx>
---
 guests/bootstrap.yml           | 15 ---------------
 guests/group_vars/all/main.yml |  5 +++++
 guests/lcitool                 | 25 +++++++++++++++++++++++++
 guests/site.yml                |  8 ++++++++
 guests/tasks/base.yml          | 11 ++++++++++-
 5 files changed, 48 insertions(+), 16 deletions(-)
 delete mode 100644 guests/bootstrap.yml

diff --git a/guests/bootstrap.yml b/guests/bootstrap.yml
deleted file mode 100644
index 544dd9d..0000000
--- a/guests/bootstrap.yml
+++ /dev/null
@@ -1,15 +0,0 @@
----
-- hosts: all
-  gather_facts: no
-
-  tasks:
-
-    # Bootstrap Ansible itself
-    - include: tasks/bootstrap.yml
-
-- hosts: all
-
-  tasks:
-
-    # Prepare the base environment
-    - include: tasks/base.yml
diff --git a/guests/group_vars/all/main.yml b/guests/group_vars/all/main.yml
index 81b7d43..d24af59 100644
--- a/guests/group_vars/all/main.yml
+++ b/guests/group_vars/all/main.yml
@@ -1,6 +1,11 @@
 ---
 ansible_user: root
 
+# This password is only used to access the guest the very first time
+# Ansible is used: afterwards, the user's SSH key will have been installed
+# in the guest and SSH password authentication will have been disabled
+ansible_ssh_pass: root
+
 jenkins_url: https://ci.centos.org/computer/{{ inventory_hostname }}/slave-agent.jnlp
 
 # Paths to various command. Can be overridden on a per-host basis
diff --git a/guests/lcitool b/guests/lcitool
index aaee5f9..10a72cf 100755
--- a/guests/lcitool
+++ b/guests/lcitool
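Review bot: The comment added above `ansible_ssh_pass` says SSH password authentication will have been disabled, which is broader than what the rest of the series does: the base.yml hunk only sets `PermitRootLogin without-password`, which turns off password login for root and leaves `PasswordAuthentication` for every other account as it was. Suggest `# in the guest and root's SSH password login will have been disabled` so the comment matches the actual hardening. It is also worth recording in the same comment that the guest accepts the well-known credential from the moment it is created until the first successful `site.yml` run, so the approach assumes that window is spent on a trusted network; the commit message argues this, but the file that carries the password does not.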
@@ -12,6 +12,19 @@ die() {
     exit 1
 }
 
+# hash_file PASS_FILE
+#
+# Generate a password hash from the contents of PASS_FILE.
+hash_file() {
+    PASS_FILE="$1"
+
+    python2 -c "
+import crypt
+password = open('$PASS_FILE', 'r').read().strip()
+print(crypt.crypt(password,
+                  crypt.mksalt(crypt.METHOD_SHA512)))"
+}
+
 # ----------------------
 # User-visible actions
 # ----------------------
@@ -44,11 +57,23 @@ do_prepare() {
     }
 
     VAULT_PASS_FILE="$CONFIG_DIR/vault-password"
+    ROOT_PASS_FILE="$CONFIG_DIR/root-password"
 
     # Make sure required passwords exist and are not invalid (empty)
     test -f "$VAULT_PASS_FILE" && test "$(cat "$VAULT_PASS_FILE")" || {
         die "$PROGRAM_NAME: $VAULT_PASS_FILE: Missing or invalid password"
     }
+    test -f "$ROOT_PASS_FILE" && test "$(cat "$ROOT_PASS_FILE")" || {
+        die "$PROGRAM_NAME: $ROOT_PASS_FILE: Missing or invalid password"
+    }
+
+    ROOT_HASH_FILE="$CONFIG_DIR/.root-password.hash"
+
+    # Regenerate root password hash. Ansible expects passwords as hashes but
+    # doesn't provide a built-in facility to generate one from plain text
+    hash_file "$ROOT_PASS_FILE" >"$ROOT_HASH_FILE" || {
+        die "$PROGRAM_NAME: Failure while hashing root password"
+    }
 
     ansible-playbook \
         --vault-password-file "$VAULT_PASS_FILE" \
diff --git a/guests/site.yml b/guests/site.yml
index e6cf10d..9c75dcb 100644
--- a/guests/site.yml
+++ b/guests/site.yml
@@ -1,5 +1,13 @@
 ---
 - hosts: all
+  gather_facts: no
+
+  tasks:
+
+    # Bootstrap Ansible itself
+    - include: tasks/bootstrap.yml
+
+- hosts: all
 
   vars_files:
     - vars/mappings.yml
diff --git a/guests/tasks/base.yml b/guests/tasks/base.yml
index dd8d306..a9066e4 100644
--- a/guests/tasks/base.yml
+++ b/guests/tasks/base.yml
@@ -96,9 +96,10 @@
   hostname:
     name: '{{ inventory_hostname }}'
 
-- name: Configure root shell
+- name: Configure root password and shell
   user:
     name: root
+    password: '{{ lookup("file", lookup("env", "HOME") + "/.config/lcitool/.root-password.hash") }}'
     shell: '{{ bash }}'
 
 - name: Configure ssh access for the root user
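Review bot: `hash_file` runs under `python2`, but `crypt.mksalt()` and `crypt.METHOD_SHA512` were added in Python 3.3 and, as far as I can tell, Python 2's `crypt` module offers only `crypt.crypt(word, salt)`, so this call should raise AttributeError and `do_prepare` would die with "Failure while hashing root password" on every run. A second, smaller issue is that `$PASS_FILE` is spliced into the Python source text inside single quotes, so a path containing a quote breaks the program; passing the path as an argument avoids that. Running the snippet under python3 with the path taken from `sys.argv` fixes both; if python2 has to stay, the salt would have to be built by hand (e.g. from `os.urandom`) because there is no helper for it there.
```shell
hash_file() {
    PASS_FILE="$1"

    # Pass the path as an argument: interpolating it into the program text
    # would let a quote in the path alter the Python source
    python3 - "$PASS_FILE" <<'EOF'
import crypt
import sys
password = open(sys.argv[1], 'r').read().strip()
print(crypt.crypt(password, crypt.mksalt(crypt.METHOD_SHA512)))
EOF
}
```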
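Review bot: `hash_file "$ROOT_PASS_FILE" >"$ROOT_HASH_FILE"` creates the hash file with the caller's default umask, so with the usual 022 the root password hash ends up world-readable in `$CONFIG_DIR`; wrapping it as `(umask 077; hash_file "$ROOT_PASS_FILE" >"$ROOT_HASH_FILE") || {` keeps it private to the user, and the same consideration applies to `root-password` itself, whose permissions this hunk does not check. Separately, the hash is regenerated with a fresh random salt on every run, so the `user` task in base.yml that consumes it will see a different value each time and report the root account as changed on every play; regenerating only when the hash is missing or the password file is newer than it, `if ! test -f "$ROOT_HASH_FILE" || test "$ROOT_PASS_FILE" -nt "$ROOT_HASH_FILE"; then`, would keep the play idempotent. `do_prepare` starts and ends outside this hunk.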
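Review bot: The new bootstrap play carries no explanation of why it must be a separate play with `gather_facts: no`, and since it now runs on every `site.yml` invocation rather than as a one-off phase, a reader cannot tell from this file whether that is intended. Presumably facts cannot be gathered until `tasks/bootstrap.yml` has installed what Ansible needs on the guest (that file is outside this diff), so a comment on the play such as `# Runs before anything else and without facts: the guest may not yet have what Ansible needs to run modules` would record the constraint. If the bootstrap tasks are cheap and idempotent, saying so in the same comment would settle the every-run question too.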
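Review bot: The `password:` lookup hard-codes `$HOME/.config/lcitool/.root-password.hash`, while the lcitool side writes the hash to `$CONFIG_DIR/.root-password.hash`; `CONFIG_DIR` is defined outside this diff, and if it is ever derived from anything other than `$HOME/.config/lcitool` (an XDG override, for instance) the lookup fails or, worse, picks up a stale hash from the old location. Passing the path from lcitool, `-e root_password_hash_file="$ROOT_HASH_FILE"` on the `ansible-playbook` call, and reading it here as `password: '{{ lookup("file", root_password_hash_file) }}'` keeps a single source of truth. The existing `key:` lookup in the next hunk uses the same hard-coded pattern, so this is consistent with the file as it stands; it just becomes more fragile now that two files must agree on the location.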
@@ -106,3 +107,11 @@
     user: root
     key: '{{ lookup("file", lookup("env", "HOME") + "/.ssh/id_rsa.pub") }}'
     state: present
+
+- name: Disable password authentication for the root user
+  lineinfile:
+    path: /etc/ssh/sshd_config
+    regexp: '^#*\s*PermitRootLogin\s*.*$'
+    line: 'PermitRootLogin without-password'
+    state: present
+    backup: yes
--
2.13.6

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
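Review bot: Editing `/etc/ssh/sshd_config` with `lineinfile` does not make sshd re-read it, and nothing in this hunk notifies a handler, so `PermitRootLogin without-password` does not take effect until the daemon is restarted by some other means; unless a handler outside this diff already covers it, the task should carry `notify: restart sshd` with a matching handler that restarts the service, otherwise the guest keeps accepting the well-known root password after the play reports success. Two smaller points on the regexp: `'^#*\s*PermitRootLogin\s*.*$'` also matches a `PermitRootLogin` inside a `Match` block at the end of the file, and since `lineinfile` replaces the last match, the directive could end up scoped to that block instead of global. Also `without-password` is the pre-OpenSSH-7.0 spelling that newer servers accept as an alias for `prohibit-password`; if old guests are the reason for keeping it, a one-line comment saying so would spare the next reader the question.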