From: Clinton Ebadi Date: Tue, 23 Jul 2013 01:36:39 +0000 (-0400) Subject: Remove mire from admin scripts X-Git-Url: http://git.hcoop.net/hcoop/scripts.git/commitdiff_plain/652feaf609ebcfb07fab4b748d0dc312d2c46af2 Remove mire from admin scripts * `freeze' will now work with bog * Install ssl certs to navajos * Do not copy keytabs etc. to mire * Do not deploy domtool-slave to mire --- diff --git a/ca-install b/ca-install index affe079..dc6cc5a 100755 --- a/ca-install +++ b/ca-install @@ -8,7 +8,7 @@ # If the certificate comes from the member's home directory, then # don't place an extra copy there. # -# Run this on deleuze as an admin. +# Run this on an administrative node while holding admin tokens. # # Usage: ca-install member domain cert-file.pem [key-file.pem] @@ -31,7 +31,7 @@ else KEY=$4 fi -WEBSERVER=mire.hcoop.net +WEBSERVER=navajos.hcoop.net function verify_cert () { if test -z "$2" || test -n "$3"; then @@ -56,9 +56,9 @@ function verify_cert () { fi } -# Make sure we run this from deleuze -if test "$(hostname -s)" != "deleuze"; then - echo "Error: This script must be run from deleuze." +# Make sure we run this from an admin host... +if test "$(hostname -s)" != "fritz"; then + echo "Error: This script must be run from fritz." exit 1 fi diff --git a/create-service-user b/create-service-user index a3144c4..83bdb1d 100755 --- a/create-service-user +++ b/create-service-user @@ -6,8 +6,7 @@ # - on fritz # - as a user with an /etc/sudoers line # - member of "wheel" unix group on deleuze (FIXME: TRUE?) -# - while holding tickets for a user who can 'ssh -K' to mire -# - and is a member of "wheel" on mire +# - while holding tickets for a user who can 'ssh -K' to all nodes # - while holding tokens for a user who is: # - a member of system:administrator # - listed in 'bos listusers fritz' 
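Review bot: The rewritten header comment earlier in ca-install now says to run the script on "an administrative node", but the guard in this hunk still refuses every host except one hard-coded name, so the comment and the check no longer agree and the error message is the only place the real requirement is stated. Either make the header concrete, `# Run this on fritz while holding admin tokens.`, or name the host once, `ADMIN_HOST=fritz`, and use it in both places: `if test "$(hostname -s)" != "$ADMIN_HOST"; then` and `echo "Error: This script must be run from $ADMIN_HOST."`. A hostname comparison only prevents running the script on the wrong box by accident; it is not an access control, since the script's actual authority comes from the admin tokens the header mentions. The rest of ca-install, including where WEBSERVER is consumed, is outside this hunk.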
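Review bot: The prerequisite list drops the "member of wheel on mire" line without stating what replaces it, yet being able to `ssh -K` to every node is not sufficient on its own: the keytab export in lib/create-user-lib.sh later in this diff still runs `sudo tar xlpf -` over ssh on each receiving node, so if create-service-user shares that code path the caller also needs sudo on every one of those hosts. I would keep that requirement explicit next to the new line, e.g. `# - and has sudo (wheel) rights on every node that receives keytabs`. The "/etc/sudoers line" bullet above it covers fritz only and does not describe the remote extract. The remainder of this header block continues outside the hunk.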
@@ -19,7 +18,6 @@ # (To bootstrap yourself into admindom: # 1. Run '/etc/init.d/domtool-server stop' on deleuze. # 2. Run '/etc/init.d/domtool-slave stop' on all Domtool slave machines -# (e.g., mire). # 3. Edit ~domtool/acl, following the example of adamc_admin to grant # yourself 'priv all'. # 4. Run '/etc/init.d/domtool-server start' on deleuze. diff --git a/create-user b/create-user deleted file mode 100755 index f71edfa..0000000 --- a/create-user +++ /dev/null 
@@ -1,279 +0,0 @@ -#!/bin/bash -ex - -# MUST be executed: -# - on fritz -# - as a user with an /etc/sudoers line -# - member of "wheel" unix group on deleuze (FIXME: TRUE?) -# - while holding tickets for a user who can 'ssh -K' to mire -# - and is a member of "wheel" on mire -# - while holding tokens for a user who is: -# - a member of system:administrator -# - listed in 'bos listusers fritz' -# - and who has been set up with Domtool admin privileges by: -# - running 'domtool-adduser $USER' while holding AFS admin tokens as -# someone who is already a Domtool admin -# - running 'domtool-admin grant $USER priv all' as someone who is already a -# Domtool admin -# (To bootstrap yourself into admindom: -# 1. Run '/etc/init.d/domtool-server stop' on deleuze. -# 2. Run '/etc/init.d/domtool-slave stop' on all Domtool slave machines -# (e.g., mire). -# 3. Edit ~domtool/acl, following the example of adamc_admin to grant -# yourself 'priv all'. -# 4. Run '/etc/init.d/domtool-server start' on deleuze. -# 5. Run '/etc/init.d/domtool-slave start' on all Domtool slave -# machines. -# 6. Run 'domtool-adduser' as above.) - -USER=$1 - -export PATH=$PATH:/afs/hcoop.net/common/bin/ - -if test -z "$USER"; then - echo "Invoke as create-user " - exit 1 -fi - -# -# Helper functions -# - -# Run a command on both mire and deleuze; assumes that no escaping is -# needed. 
- - -function execute_on_web_nodes() { - ssh -K deleuze $* - ssh -K mire $* - ssh -K navajos $* -} - -# change to execute_on_domtool_server -function execute_on_domtool_server () { - ssh -K deleuze.hcoop.net $* -} - - -function execute_on_all_machines () { - $* - ssh -K mire.hcoop.net $* - ssh -K hopper.hcoop.net $* - ssh -K deleuze.hcoop.net $* - ssh -K navajos.hcoop.net $* - ssh -K bog.hcoop.net $* -} - -# -# Kerberos principals -# (creat kerberos principals: fred, fred/cgi, fred/mailfilter) -# - -# We use -randkey for user's main principal as well, to make sure that -# the creation process does not continue without having a main -# principal. (But you who want to set password for a user, don't -# worry - we'll invoke cpw later, so that it has the same effect -# as setting password right now - while it is more error tolerant). - -sudo kadmin.local -p root/admin -q "ank -policy user -randkey +requires_preauth $USER@HCOOP.NET" -sudo kadmin.local -p root/admin -q "modprinc -maxlife 1day $USER@HCOOP.NET" -sudo kadmin.local -p root/admin -q "ank -policy daemon -randkey +requires_preauth $USER/daemon@HCOOP.NET" - -# -# Create AFS users corresponding to krb5 principals. -# (fred/cgi principal == fred.cgi AFS user) -# - -pts cu $USER || true -ID=`pts examine $USER | head -n1 | sed 's_.*, id: *__' | sed 's_,.*__'` -pts cu $USER.daemon || true -ID_DAEMON=`pts examine $USER.daemon | head -n1 | sed 's_.*, id: *__' | sed 's_,.*__'` - - -# -# Construct various paths for later perusal. -# - -# (If it's not clear, for user fred, PATHBITS = f/fr/fred) -PATHBITS=`echo $USER | head -c 1`/`echo $USER | head -c 2`/$USER -HOMEPATH=/afs/hcoop.net/user/$PATHBITS -MAILPATH=/afs/hcoop.net/common/email/$PATHBITS - - -# LDAP bit excised (see git history...) - -# -# Export .mailfilter and .cgi keys to a keytab file -# - -# create a daemon keytab (used by /etc/exim4/get-token) -# *only* if it does not exist! 
-test -e /etc/keytabs/user.daemon/$USER || \ - sudo kadmin.local -p root/admin -q "ktadd -k /etc/keytabs/user.daemon/$USER $USER/daemon@HCOOP.NET" - -# Properly chown/mod keytab files (must be $USER:www-data) -sudo chown $USER:www-data /etc/keytabs/user.daemon/$USER -sudo chmod 440 /etc/keytabs/user.daemon/$USER - -# rsync keytabs -(cd /etc/keytabs - sudo tar clpf - user.daemon/$USER | \ - ssh mire.hcoop.net cd /etc/keytabs\; sudo tar xlpf -) -(cd /etc/keytabs - sudo tar clpf - user.daemon/$USER | \ - ssh hopper.hcoop.net cd /etc/keytabs\; sudo tar xlpf -) -(cd /etc/keytabs - sudo tar clpf - user.daemon/$USER | \ - ssh deleuze.hcoop.net cd /etc/keytabs\; sudo tar xlpf -) -(cd /etc/keytabs - sudo tar clpf - user.daemon/$USER | \ - ssh navajos.hcoop.net cd /etc/keytabs\; sudo tar xlpf -) -(cd /etc/keytabs - sudo tar clpf - user.daemon/$USER | \ - ssh bog.hcoop.net cd /etc/keytabs\; sudo tar xlpf -) - -# -# Create/mount/set-perms on user's volumes (home, mail, databases, logs) -# - -# HOME VOLUME -if vos examine user.$USER.d 2>/dev/null; then - echo "Reactivating old volume (user.$USER.d)" - vos rename user.$USER.d user.$USER -fi -vos examine user.$USER 2>/dev/null || \ - vos create fritz.hcoop.net /vicepa user.$USER -maxquota 400000 - -mkdir -p `dirname $HOMEPATH` -fs ls $HOMEPATH || test -L $HOMEPATH || fs mkm $HOMEPATH user.$USER -chown $USER:nogroup $HOMEPATH -fs sa $HOMEPATH $USER all -fs sa $HOMEPATH system:anyuser l -# cleanliness / needed to keep suphp happy -chown root:root $HOMEPATH/../../ -chown root:root $HOMEPATH/../ - -# Apache logs -mkdir -p $HOMEPATH/.logs -chown $USER:nogroup $HOMEPATH/.logs -mkdir -p $HOMEPATH/.logs/apache -chown $USER:nogroup $HOMEPATH/.logs/apache -fs sa $HOMEPATH/.logs/apache $USER.daemon rlwidk -mkdir -p $HOMEPATH/.logs/mail -fs sa $HOMEPATH/.logs/mail $USER.daemon rlwidk -chown $USER:nogroup $HOMEPATH/.logs/mail - -# public_html -test -e $HOMEPATH/public_html || \ - (mkdir -p $HOMEPATH/public_html; \ - chown $USER:nogroup 
$HOMEPATH/public_html; \ - fs sa $HOMEPATH/public_html system:anyuser none; \ - fs sa $HOMEPATH/public_html $USER.daemon rl) - -# .procmail.d -mkdir -p $HOMEPATH/.procmail.d -chown $USER:nogroup $HOMEPATH/.procmail.d -fs sa $HOMEPATH/.procmail.d system:anyuser rl - -# .public -mkdir -p $HOMEPATH/.public/ -chown $USER:nogroup $HOMEPATH/.public -fs sa $HOMEPATH/.public system:anyuser rl - -# .domtool -mkdir -p $HOMEPATH/.public/.domtool -chown $USER:nogroup $HOMEPATH/.public/.domtool -test -e $HOMEPATH/.domtool || \ - test -L $HOMEPATH/.domtool || \ - execute_on_domtool_server sudo -u $USER ln -s $HOMEPATH/.public/.domtool $HOMEPATH/.domtool - # ^^ work around sudo env_reset crap without having to - # actually figure out how to make it work cleanly -- clinton, - # 2011-11-30 - -# Gitweb hosting -test -L /var/cache/git/$USER || \ - sudo ln -s $HOMEPATH/.hcoop-git /var/cache/git/$USER - -# MAIL VOLUME -if vos examine mail.$USER.d 2>/dev/null; then - echo "Reactivating old volume (mail.$USER.d)" - vos rename mail.$USER.d mail.$USER -fi -vos examine mail.$USER 2>/dev/null || \ - vos create fritz.hcoop.net /vicepa mail.$USER -maxquota 400000 - -mkdir -p `dirname $MAILPATH` -fs ls $MAILPATH || fs mkm $MAILPATH mail.$USER -fs ls $HOMEPATH/Maildir || fs mkm $HOMEPATH/Maildir mail.$USER -chown $USER:nogroup $MAILPATH -chown $USER:nogroup $HOMEPATH/Maildir -fs sa $MAILPATH $USER all -fs sa $MAILPATH $USER.daemon all -if test ! -e $MAILPATH/new; then - mkdir -p $MAILPATH/cur $MAILPATH/new $MAILPATH/tmp - echo -e "This email account is provided as a service for HCoop members." 
\ - "\n\nTo learn how to use it, please visit the page" \ - "\n on our website."| \ - mail -s "Welcome to your HCoop email store" \ - -e -a "From: postmaster@hcoop.net" \ - real-$USER -fi -chown $USER:nogroup $MAILPATH/cur $MAILPATH/new $MAILPATH/tmp - -# Set up shared SpamAssassin folder -if test -f $HOMEPATH/Maildir/shared-maildirs; then - # Deal with case where user rsync'd their Maildir from fyodor - pattern='^SpamAssassin /home/spamd' - file=$HOMEPATH/Maildir/shared-maildirs - if grep $pattern $file; then - sed -i -r -e \ - 's!^(SpamAssassin )/home/spamd!\1/var/local/lib/spamd!1' \ - $file - fi -else - maildirmake --add SpamAssassin=/var/local/lib/spamd/Maildir \ - $HOMEPATH/Maildir -fi - -# Create database tablespaces -sudo /afs/hcoop.net/common/etc/scripts/create-user-database $USER - -# -# Mount points for backup volumes -# - -mkdir -p `dirname /afs/hcoop.net/.old/user/$PATHBITS` -mkdir -p `dirname /afs/hcoop.net/.old/mail/$PATHBITS` -fs ls /afs/hcoop.net/.old/user/$PATHBITS || \ - fs mkm /afs/hcoop.net/.old/user/$PATHBITS user.$USER.backup -fs ls /afs/hcoop.net/.old/mail/$PATHBITS || \ - fs mkm /afs/hcoop.net/.old/mail/$PATHBITS mail.$USER.backup -vos release old - -# technically this might not be necessary, but for good measure... -vos syncserv fritz -vos syncvldb fritz - -# refresh volume location cache (takes ~2hrs otherwise) -execute_on_all_machines fs checkvolumes - -# -# Non-AFS files and directories -# - -# Make per-user apache DAV lock directory -- the directory must be -# both user and group-writable, which is silly. -execute_on_web_nodes sudo mkdir -p /var/lock/apache2/dav/$USER -execute_on_web_nodes sudo chown $USER:www-data /var/lock/apache2/dav/$USER -execute_on_web_nodes sudo chmod ug=rwx,o= /var/lock/apache2/dav/$USER - -# -# Domtool integration -# - -execute_on_domtool_server domtool-adduser $USER - -# -# Subscribe user to our mailing lists. 
-# -echo $USER@hcoop.net | ssh -K deleuze sudo -u list \ - /var/lib/mailman/bin/add_members -r - hcoop-announce diff --git a/create-user-new b/create-user-new index b35f935..56de1fc 100755 --- a/create-user-new +++ b/create-user-new @@ -4,8 +4,7 @@ # - on fritz # - as a user with an /etc/sudoers line # - member of "wheel" unix group on deleuze (FIXME: TRUE?) -# - while holding tickets for a user who can 'ssh -K' to mire -# - and is a member of "wheel" on mire +# - while holding tickets for a user who can 'ssh -K' to all nodes # - while holding tokens for a user who is: # - a member of system:administrator # - listed in 'bos listusers fritz' @@ -17,7 +16,6 @@ # (To bootstrap yourself into admindom: # 1. Run '/etc/init.d/domtool-server stop' on deleuze. # 2. Run '/etc/init.d/domtool-slave stop' on all Domtool slave machines -# (e.g., mire). # 3. Edit ~domtool/acl, following the example of adamc_admin to grant # yourself 'priv all'. # 4. Run '/etc/init.d/domtool-server start' on deleuze. diff --git a/deploy-domtool b/deploy-domtool index 5028e68..41494ac 100755 --- a/deploy-domtool +++ b/deploy-domtool @@ -5,7 +5,7 @@ HOSTS_SERVER="deleuze" # todo: outpost (needs kerberos auth) -HOSTS_SLAVE="fritz navajos bog hopper mire outpost" +HOSTS_SLAVE="fritz navajos bog hopper outpost" for master in $HOSTS_SERVER; do diff --git a/freeze b/freeze index 6883a58..6a6a741 100755 --- a/freeze +++ b/freeze @@ -97,7 +97,7 @@ use constant DRY => 0; use constant STORE => "/afs/hcoop.net/common/etc/frozen/cache"; use constant DEFAULT_SHELL => '/bin/bash'; use constant FROZEN_SHELL => '/afs/hcoop.net/common/etc/scripts/frozen_shell'; -use constant PUBLIC_ACCESS => (qw/mire/); +use constant PUBLIC_ACCESS => (qw/bog/); use constant RUN_SERVER => 'fritz'; my $store = {}; # cached info diff --git a/lib/create-user-lib.sh b/lib/create-user-lib.sh index 51834ef..40578d8 100644 --- a/lib/create-user-lib.sh +++ b/lib/create-user-lib.sh 
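Review bot: In create-user-new the requirements list now says only that the caller can `ssh -K` to all nodes, but the keytab sync in lib/create-user-lib.sh (further down this diff) still executes `sudo tar xlpf -` on each remote node, so sudo rights on those hosts remain a prerequisite that this comment no longer mentions; the removed "wheel on mire" bullet was the last place that said so. A one-line replacement such as `# - and has sudo (wheel) rights on every node listed in execute_on_all_machines` would keep the list honest. Whether create-user-new sources that lib is not visible in this hunk, so confirm before wording it. The header block continues beyond the hunk.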
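Review bot: The context line `# todo: outpost (needs kerberos auth)` immediately above the changed HOSTS_SLAVE assignment reads as stale, because outpost appears in the slave list both before and after this change; a reader cannot tell whether deploying to outpost is still known to fail. If outpost still cannot be deployed to, it belongs out of the list rather than under a todo; if it now works, the comment should be dropped or rephrased, e.g. `# outpost: requires kerberos auth on the deploy user (see ssh -K elsewhere)`. The loop that consumes HOSTS_SLAVE starts after the hunk, so I cannot see how a failed host is handled there.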
@@ -36,7 +36,6 @@ MAILPATH=/afs/hcoop.net/common/email/$PATHBITS function execute_on_web_nodes () { ssh -K deleuze $* - ssh -K mire $* ssh -K navajos $* } @@ -47,7 +46,6 @@ function execute_on_domtool_server () { function execute_on_all_machines () { $* - ssh -K mire.hcoop.net $* ssh -K hopper.hcoop.net $* ssh -K deleuze.hcoop.net $* ssh -K navajos.hcoop.net $* @@ -101,9 +99,6 @@ function export_user_keytabs () { sudo chmod 440 /etc/keytabs/user.daemon/$NEWUSER # rsync keytabs - (cd /etc/keytabs - sudo tar clpf - user.daemon/$NEWUSER | \ - ssh mire.hcoop.net cd /etc/keytabs\; sudo tar xlpf -) (cd /etc/keytabs sudo tar clpf - user.daemon/$NEWUSER | \ ssh hopper.hcoop.net cd /etc/keytabs\; sudo tar xlpf -)
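Review bot: This commit had to delete mire from three separate hand-maintained host lists in this file (execute_on_web_nodes, execute_on_all_machines and the keytab copy in export_user_keytabs), which is exactly how such lists drift; one variable holding the node set, iterated in a loop, would make the next host change a single edit. While touching these functions, `$*` should become `"$@"`, since the unquoted form re-splits and globs arguments locally before ssh joins them again for the remote shell. Separately, in export_user_keytabs each `sudo tar clpf - … | ssh host cd /etc/keytabs\; sudo tar xlpf -` pipeline reports only ssh's status, so a failing local tar is silent unless pipefail is set somewhere not visible here. The fence below shows the shape for execute_on_all_machines using the hosts visible in this hunk; the remaining hosts from the original list (cut off by the hunk boundary) need to be added, and export_user_keytabs would loop over the same variable. Both functions extend beyond the hunk.
```shell
# Nodes that receive per-user keytabs and the volume-cache refresh; keep the
# list in one place so adding or retiring a host is a single edit.
# TODO(review): complete from the original execute_on_all_machines list.
HCOOP_NODES="hopper.hcoop.net deleuze.hcoop.net navajos.hcoop.net"

function execute_on_all_machines () {
    "$@"
    for node in $HCOOP_NODES; do
        ssh -K "$node" "$@"
    done
}
```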