1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
|
# Copyright (C) 2009-2011 Canonical Ltd.
# Copyright (C) 2012 Hewlett-Packard Development Company, L.P.
#
# Author: Marc Cluet <marc.cluet@canonical.com>
# Based on code by Scott Moser <scott.moser@canonical.com>
# Author: Juerg Haefliger <juerg.haefliger@hp.com>
#
# This file is part of cloud-init. See LICENSE file for license information.
""" Mcollective: Install, configure and start mcollective"""
import errno
import io
from logging import Logger
from textwrap import dedent
# Used since this can maintain comments
# and doesn't need a top level section
from configobj import ConfigObj
from cloudinit import log as logging
from cloudinit import subp, util
from cloudinit.cloud import Cloud
from cloudinit.config import Config
from cloudinit.config.schema import MetaSchema, get_meta_doc
from cloudinit.settings import PER_INSTANCE
PUBCERT_FILE = "/etc/mcollective/ssl/server-public.pem"
PRICERT_FILE = "/etc/mcollective/ssl/server-private.pem"
SERVER_CFG = "/etc/mcollective/server.cfg"
LOG = logging.getLogger(__name__)
MODULE_DESCRIPTION = """\
This module installs, configures and starts mcollective. If the ``mcollective``
key is present in config, then mcollective will be installed and started.
Configuration for ``mcollective`` can be specified in the ``conf`` key under
``mcollective``. Each config value consists of a key value pair and will be
written to ``/etc/mcollective/server.cfg``. The ``public-cert`` and
``private-cert`` keys, if present in conf may be used to specify the public and
private certificates for mcollective. Their values will be written to
``/etc/mcollective/ssl/server-public.pem`` and
``/etc/mcollective/ssl/server-private.pem``.
.. note::
The ec2 metadata service is readable by non-root users.
If security is a concern, use include-once and ssl urls.
"""
distros = ["all"]
meta: MetaSchema = {
"id": "cc_mcollective",
"name": "Mcollective",
"title": "Install, configure and start mcollective",
"description": MODULE_DESCRIPTION,
"distros": distros,
"examples": [
dedent(
"""\
# Provide server private and public key and provide the following
# config settings in /etc/mcollective/server.cfg:
# loglevel: debug
# plugin.stomp.host: dbhost
# WARNING WARNING WARNING
# The ec2 metadata service is a network service, and thus is
# readable by non-root users on the system
# (ie: 'ec2metadata --user-data')
# If you want security for this, please use include-once + SSL urls
mcollective:
conf:
loglevel: debug
plugin.stomp.host: dbhost
public-cert: |
-------BEGIN CERTIFICATE--------
<cert data>
-------END CERTIFICATE--------
private-cert: |
-------BEGIN CERTIFICATE--------
<cert data>
-------END CERTIFICATE--------
"""
),
],
"frequency": PER_INSTANCE,
"activate_by_schema_keys": ["mcollective"],
}
__doc__ = get_meta_doc(meta)
def configure(
config,
server_cfg=SERVER_CFG,
pubcert_file=PUBCERT_FILE,
pricert_file=PRICERT_FILE,
):
# Read server.cfg (if it exists) values from the
# original file in order to be able to mix the rest up.
try:
old_contents = util.load_file(server_cfg, quiet=False, decode=False)
mcollective_config = ConfigObj(io.BytesIO(old_contents))
except IOError as e:
if e.errno != errno.ENOENT:
raise
else:
LOG.debug(
"Did not find file %s (starting with an empty config)",
server_cfg,
)
mcollective_config = ConfigObj()
for (cfg_name, cfg) in config.items():
if cfg_name == "public-cert":
util.write_file(pubcert_file, cfg, mode=0o644)
mcollective_config["plugin.ssl_server_public"] = pubcert_file
mcollective_config["securityprovider"] = "ssl"
elif cfg_name == "private-cert":
util.write_file(pricert_file, cfg, mode=0o600)
mcollective_config["plugin.ssl_server_private"] = pricert_file
mcollective_config["securityprovider"] = "ssl"
else:
if isinstance(cfg, str):
# Just set it in the 'main' section
mcollective_config[cfg_name] = cfg
elif isinstance(cfg, (dict)):
# Iterate through the config items, create a section if
# it is needed and then add/or create items as needed
if cfg_name not in mcollective_config.sections:
mcollective_config[cfg_name] = {}
for (o, v) in cfg.items():
mcollective_config[cfg_name][o] = v
else:
# Otherwise just try to convert it to a string
mcollective_config[cfg_name] = str(cfg)
try:
# We got all our config as wanted we'll copy
# the previous server.cfg and overwrite the old with our new one
util.copy(server_cfg, "%s.old" % (server_cfg))
except IOError as e:
if e.errno == errno.ENOENT:
# Doesn't exist to copy...
pass
else:
raise
# Now we got the whole (new) file, write to disk...
contents = io.BytesIO()
mcollective_config.write(contents)
util.write_file(server_cfg, contents.getvalue(), mode=0o644)
def handle(
name: str, cfg: Config, cloud: Cloud, log: Logger, args: list
) -> None:
# If there isn't a mcollective key in the configuration don't do anything
if "mcollective" not in cfg:
log.debug(
"Skipping module named %s, no 'mcollective' key in configuration",
name,
)
return
mcollective_cfg = cfg["mcollective"]
# Start by installing the mcollective package ...
cloud.distro.install_packages(("mcollective",))
# ... and then update the mcollective configuration
if "conf" in mcollective_cfg:
configure(config=mcollective_cfg["conf"])
# restart mcollective to handle updated config
subp.subp(["service", "mcollective", "restart"], capture=False)
# vi: ts=4 expandtab
|
