[libvirt] [libvirt-jenkins-ci PATCH v2 3/6] guests: Remove bootstrap phase

Andrea Bolognani abologna at redhat.com
Wed Oct 18 17:11:48 UTC 2017


Having to bootstrap the guest as a separate phase is annoying and
can be avoided by assuming the root password is well-known.

This doesn't hurt security because we're going to be changing the
root password with a user-provided one the first time Ansible is
run; moreover, we only leave key-based SSH authentication enabled
for the root user.

Signed-off-by: Andrea Bolognani <abologna at redhat.com>
---
 guests/bootstrap.yml           | 15 ---------------
 guests/group_vars/all/main.yml |  5 +++++
 guests/lcitool                 | 25 +++++++++++++++++++++++++
 guests/site.yml                |  8 ++++++++
 guests/tasks/base.yml          | 11 ++++++++++-
 5 files changed, 48 insertions(+), 16 deletions(-)
 delete mode 100644 guests/bootstrap.yml

diff --git a/guests/bootstrap.yml b/guests/bootstrap.yml
deleted file mode 100644
index 544dd9d..0000000
--- a/guests/bootstrap.yml
+++ /dev/null
@@ -1,15 +0,0 @@
----
-- hosts: all
-  gather_facts: no
-
-  tasks:
-
-    # Bootstrap Ansible itself
-    - include: tasks/bootstrap.yml
-
-- hosts: all
-
-  tasks:
-
-    # Prepare the base environment
-    - include: tasks/base.yml
diff --git a/guests/group_vars/all/main.yml b/guests/group_vars/all/main.yml
index 81b7d43..d24af59 100644
--- a/guests/group_vars/all/main.yml
+++ b/guests/group_vars/all/main.yml
@@ -1,6 +1,11 @@
 ---
 ansible_user: root
 
+# This password is only used to access the guest the very first time
+# Ansible is used: afterwards, the user's SSH key will have been installed
+# in the guest and SSH password authentication will have been disabled
+ansible_ssh_pass: root
+
 jenkins_url: https://ci.centos.org/computer/{{ inventory_hostname }}/slave-agent.jnlp
 
 # Paths to various command. Can be overridden on a per-host basis
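Review bot: The comment above `ansible_ssh_pass` claims SSH password authentication will have been disabled, but the only sshd change in this patch (`tasks/base.yml`) is `PermitRootLogin without-password`, which restricts root alone; other accounts keep password login unless `PasswordAuthentication no` is set somewhere outside this patch. Word the comment to match what is actually enforced: `# in the guest and SSH password authentication will have been disabled for root`. Worth adding to the same comment that `root` stays in the inventory as the fallback credential on every later run, so readers do not assume it is used only once.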
diff --git a/guests/lcitool b/guests/lcitool
index aaee5f9..10a72cf 100755
--- a/guests/lcitool
+++ b/guests/lcitool
@@ -12,6 +12,19 @@ die() {
     exit 1
 }
 
+# hash_file PASS_FILE
+#
+# Generate a password hash from the contents of PASS_FILE.
+hash_file() {
+    PASS_FILE="$1"
+
+    python2 -c "
+import crypt
+password = open('$PASS_FILE', 'r').read().strip()
+print(crypt.crypt(password,
+      crypt.mksalt(crypt.METHOD_SHA512)))"
+}
+
 # ----------------------
 #  User-visible actions
 # ----------------------
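Review bot: `hash_file` runs its snippet under `python2`, but `crypt.mksalt()` and `crypt.METHOD_SHA512` were added in Python 3.3; the Python 2 `crypt` module only provides `crypt.crypt(word, salt)`, so the snippet raises AttributeError and `do_prepare` will always die with "Failure while hashing root password". Change the interpreter to `python3 -c "` — the rest of the snippet is already valid Python 3. As a point of style, `$PASS_FILE` is spliced into Python source as a string literal, so a path containing a quote breaks the snippet; passing it as `sys.argv[1]` (`python3 -c '...' "$PASS_FILE"`, with the snippet in single quotes) keeps shell and Python quoting separate.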
@@ -44,11 +57,23 @@ do_prepare() {
     }
 
     VAULT_PASS_FILE="$CONFIG_DIR/vault-password"
+    ROOT_PASS_FILE="$CONFIG_DIR/root-password"
 
     # Make sure required passwords exist and are not invalid (empty)
     test -f "$VAULT_PASS_FILE" && test "$(cat "$VAULT_PASS_FILE")" || {
         die "$PROGRAM_NAME: $VAULT_PASS_FILE: Missing or invalid password"
     }
+    test -f "$ROOT_PASS_FILE" && test "$(cat "$ROOT_PASS_FILE")" || {
+        die "$PROGRAM_NAME: $ROOT_PASS_FILE: Missing or invalid password"
+    }
+
+    ROOT_HASH_FILE="$CONFIG_DIR/.root-password.hash"
+
+    # Regenerate root password hash. Ansible expects passwords as hashes but
+    # doesn't provide a built-in facility to generate one from plain text
+    hash_file "$ROOT_PASS_FILE" >"$ROOT_HASH_FILE" || {
+        die "$PROGRAM_NAME: Failure while hashing root password"
+    }
 
     ansible-playbook \
         --vault-password-file "$VAULT_PASS_FILE" \
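Review bot: `hash_file "$ROOT_PASS_FILE" >"$ROOT_HASH_FILE"` creates the hash file with the caller's umask, so under the usual 022 the SHA-512 crypt of the root password is readable by every local user, which gives them an offline-crackable copy of the guests' root credential. Create it under a restrictive umask: `(umask 077; hash_file "$ROOT_PASS_FILE" >"$ROOT_HASH_FILE") || {`. When `hash_file` fails the redirection has already truncated the file, so an empty `.root-password.hash` is left behind; `die` exits before `ansible-playbook` runs, but `rm -f "$ROOT_HASH_FILE"` before `die` keeps the config directory clean. do_prepare continues outside the hunk.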
diff --git a/guests/site.yml b/guests/site.yml
index e6cf10d..9c75dcb 100644
--- a/guests/site.yml
+++ b/guests/site.yml
@@ -1,5 +1,13 @@
 ---
 - hosts: all
+  gather_facts: no
+
+  tasks:
+
+    # Bootstrap Ansible itself
+    - include: tasks/bootstrap.yml
+
+- hosts: all
 
   vars_files:
     - vars/mappings.yml
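Review bot: `gather_facts: no` uses a YAML 1.1 truthy literal; `gather_facts: false` is the canonical spelling and is what yamllint's truthy rule expects. The bootstrap play now runs on every `lcitool` invocation rather than once, which is fine only if `tasks/bootstrap.yml` is idempotent — its contents are outside this patch, so that is worth confirming. The second play's body continues outside the hunk.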
diff --git a/guests/tasks/base.yml b/guests/tasks/base.yml
index dd8d306..a9066e4 100644
--- a/guests/tasks/base.yml
+++ b/guests/tasks/base.yml
@@ -96,9 +96,10 @@
   hostname:
     name: '{{ inventory_hostname }}'
 
-- name: Configure root shell
+- name: Configure root password and shell
   user:
     name: root
+    password: '{{ lookup("file", lookup("env", "HOME") + "/.config/lcitool/.root-password.hash") }}'
     shell: '{{ bash }}'
 
 - name: Configure ssh access for the root user
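Review bot: The `password:` lookup hard-codes `$HOME/.config/lcitool/.root-password.hash`, duplicating the location `lcitool` derives from `$CONFIG_DIR/.root-password.hash`; how `CONFIG_DIR` is defined is not visible here, but if the two ever diverge the play reads a stale hash or, since `lookup("file")` errors on a missing file, fails the task. Keeping a single definition by having `lcitool` pass the hash in (`--extra-vars` or a `root_password_hash` variable) and using `password: '{{ root_password_hash }}'` here avoids that. The task that follows continues outside the hunk.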
@@ -106,3 +107,11 @@
     user: root
     key: '{{ lookup("file", lookup("env", "HOME") + "/.ssh/id_rsa.pub") }}'
     state: present
+
+- name: Disable password authentication for the root user
+  lineinfile:
+    path: /etc/ssh/sshd_config
+    regexp: '^#*\s*PermitRootLogin\s*.*$'
+    line: 'PermitRootLogin without-password'
+    state: present
+    backup: yes
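Review bot: The `lineinfile` edit of `/etc/ssh/sshd_config` is not followed by an sshd reload, so `PermitRootLogin without-password` only takes effect after the service restarts or the guest reboots — until then root password login stays open with the well-known password from group_vars. Unless a handler already exists elsewhere in the file, add `notify: restart sshd` to this task and a matching handler that reloads the service. `without-password` is the pre-OpenSSH-7.0 spelling and `prohibit-password` the current one; recent servers accept both, so either is fine as long as every guest distribution understands the one chosen. `backup: yes` should be `backup: true` to match yamllint's truthy rule.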
-- 
2.13.6



