diff --git a/playbooks/remote_puppet_afs.yaml b/playbooks/remote_puppet_afs.yaml
index 6b57788f26..dc45e87606 100644
--- a/playbooks/remote_puppet_afs.yaml
+++ b/playbooks/remote_puppet_afs.yaml
@@ -9,3 +9,18 @@
 strategy: free
 roles:
 - puppet
+
+- hosts: "mirror-update:!disabled"
+ name: "Create key for remote vos release"
+ tasks:
+ - name: Create vos release keypair
+ openssh_keypair:
+ path: /root/.ssh/id_vos_release
+ type: ed25519
+ register: vos_release_keypair
+
+# Note: relies on vos_release_keypair installed to mirror above
+- hosts: "afs:!disabled"
+ name: "Allow remote vos_release"
+ roles:
+ - vos-release
\ No newline at end of file
diff --git a/playbooks/roles/vos-release/README.rst b/playbooks/roles/vos-release/README.rst
new file mode 100644
index 0000000000..27d2b9d1f4
--- /dev/null
+++ b/playbooks/roles/vos-release/README.rst
@@ -0,0 +1,27 @@
+vos release with localauth
+
+Install a user and script to do remote ``vos release`` with
+``localauth`` authentication. This can avoid kerberos or AFS
+timeouts.
+
+This relies on ``vos_release_keypair`` which is expected to be a
+single keypair from the mirror-update host. It will allow that
+keypair to run ``/usr/local/bin/vos_release.sh``, which filters the
+incoming command. Releases are expected to be triggered on the update
+host with::
+
+ ssh -i /root/.ssh/id_vos_release afs01.dfw.openstack.org vos release .
+
+Future work, if required
+
+* Allow multiple hosts to call the release script (i.e. handle
+ multiple keys).
+* Implement locking within ``vos_release.sh`` script to prevent too
+ many simulatenous releases.
+
+**Role Variables**
+
+.. zuul:rolevar:: vos_release_keypair
+
+ The authorized key to allow to run the
+ ``/usr/local/bin/vos_release.sh`` script
diff --git a/playbooks/roles/vos-release/files/vos_release.sh b/playbooks/roles/vos-release/files/vos_release.sh
new file mode 100755
index 0000000000..c2f2101b99
--- /dev/null
+++ b/playbooks/roles/vos-release/files/vos_release.sh
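Review bot: The second play on `afs:!disabled` depends on `vos_release_keypair`, but a `register:` result is a host-level variable of the host the task ran on (the mirror-update host), so on the fileservers that name is undefined unless it is pulled through `hostvars`; the comment above the play acknowledges the cross-play dependency but nothing in the hunk carries the value over. Unless a mirror-update host also happens to be in the `afs` group, the consuming role's assert would trip on every run. Make the hand-off explicit on the afs play, e.g. `vars:` / `vos_release_keypair: "{{ hostvars[groups['mirror-update'][0]]['vos_release_keypair'] }}"`, which also documents where the key comes from. It is also worth giving the `openssh_keypair` task a `comment:` (e.g. `comment: vos-release@mirror-update`) so the entry is identifiable later in root's `authorized_keys` on each fileserver; the private key is generated without a passphrase, so root on the mirror host is the effective trust boundary and the forced command on the far side is what bounds what that key can do.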
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+if [[ -z "${SSH_ORIGINAL_COMMAND}" ]]; then
+ echo "usage: vos release "
+ exit 1
+fi
+
+set -- $SSH_ORIGINAL_COMMAND
+
+if [[ $# != 3 || $1 != "vos" || $2 != "release" ]]; then
+ echo "usage: vos release "
+ exit 1
+fi
+
+vos release -v -localauth $3
+
+
diff --git a/playbooks/roles/vos-release/tasks/main.yaml b/playbooks/roles/vos-release/tasks/main.yaml
new file mode 100644
index 0000000000..450df2daca
--- /dev/null
+++ b/playbooks/roles/vos-release/tasks/main.yaml
@@ -0,0 +1,19 @@
+- name: Install vos release script
+ copy:
+ src: vos_relase.sh
+ dest: '/usr/local/bin/'
+ owner: root
+ group: root
+ mode: 0755
+
+- name: Ensure update key
+ assert:
+ that:
+ - vos_release_keypair is defined
+
+- name: Install vos release key
+ authorized_key:
+ user: 'root'
+ state: present
+ key: '{{ vos_release_keypair["public_key"] }}'
+ key_options: 'command="/usr/local/bin/vos_release.sh",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty'
\ No newline at end of file
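Review bot: `set -- $SSH_ORIGINAL_COMMAND` applies word splitting and pathname expansion to text chosen by whoever holds the client key, so a `*` in the request is globbed against root's current directory and can change `$#` or substitute a filename for the volume; the same unquoted `$3` is then handed to `vos`, and a token beginning with `-` would be parsed as a switch rather than a volume name, which is the one place this forced command still lets the caller steer an option. Disable globbing before the split, quote `"$3"`, and accept only a plain volume-name pattern (the character class below is a conservative guess and should be checked against the volumes actually released); usage errors should also go to stderr, and the final `vos` can be `exec`ed so its exit status is what ssh returns. The usage string as rendered ends in a trailing space, which looks like a lost `<volume>` placeholder, so the rewrite spells it out.

```shell
#!/bin/bash
# Forced command for root's vos-release key: only "vos release <volume>" is allowed through.
set -f  # no pathname expansion while the forced command is split into words

# … unchanged: empty SSH_ORIGINAL_COMMAND check …

set -- $SSH_ORIGINAL_COMMAND

if [[ $# != 3 || $1 != "vos" || $2 != "release" ]]; then
    echo "usage: vos release <volume>" >&2
    exit 1
fi

# Plain volume names only; anything vos could read as a switch is rejected.
# TODO(review): confirm this class covers every volume name that gets released.
if [[ ! $3 =~ ^[A-Za-z0-9][A-Za-z0-9._-]*$ ]]; then
    echo "invalid volume name: $3" >&2
    exit 1
fi

exec vos release -v -localauth "$3"
```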
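Review bot: `src: vos_relase.sh` does not match the file this patch adds under `files/vos_release.sh`, so the copy task would fail on the first run; it should read `src: vos_release.sh`. `mode: 0755` should be quoted as `mode: '0755'` so the file module receives an octal string rather than an integer it may reinterpret. Since this key lands in root's `authorized_keys` on every fileserver with only the forced command as a guard, consider also pinning the source with a `from=` pattern for the mirror-update host's address(es), passed in as a role variable, and adding `restrict` ahead of the explicit `no-*` options if the fileservers' OpenSSH is 7.2 or newer, so a copied private key cannot be exercised from elsewhere.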