From 9b801d3be8e0268994169729cf5d5dd4600367cb Mon Sep 17 00:00:00 2001 From: Stefan Wold Date: Sat, 22 Feb 2014 18:29:41 +0100 Subject: git tag gpg signature validation of puppet modules Before staging a puppet module for install the latest git tag is verified using the available gpg key identities. The git tag pattern can be overriden using a fourth argument in cosmos-modules.conf. --- global/post-tasks.d/018packages | 96 ++++++++++++++++++++++++++++++++++++----- 1 file changed, 85 insertions(+), 11 deletions(-) (limited to 'global') diff --git a/global/post-tasks.d/018packages b/global/post-tasks.d/018packages index 9e25e69..bf7bf64 100755 --- a/global/post-tasks.d/018packages +++ b/global/post-tasks.d/018packages @@ -1,16 +1,90 @@ -#!/bin/sh +#!/bin/bash + +CONFIG=${CONFIG:=/etc/puppet/cosmos-modules.conf} +CACHE_DIR=/var/cache/puppet-modules +MODULES_DIR=${MODULES_DIR:=/etc/puppet/cosmos-modules} +export GNUPGHOME=/etc/cosmos/gnupg python -c "import yaml" 2>/dev/null || apt-get -y install python-yaml -if [ -f /etc/puppet/cosmos-modules.conf ]; then - grep -E -v "^#" /etc/puppet/cosmos-modules.conf | ( - cd /etc/puppet/modules && while read module src update; do - if [ ! -d /etc/puppet/modules/$module ]; then - echo $src | grep -q "://" && git clone $src $module || puppet module install $src - else - if [ "x$update" = "xyes" ]; then - echo $src | grep -q "://" && (cd /etc/puppet/modules/$module && git pull -q) || puppet module upgrade $src + +stage_module() { + rm -rf $CACHE_DIR/staging/$1 + git archive --format=tar --prefix=$1/ $2 | (cd $CACHE_DIR/staging/ && tar xf -) +} + +if [ -f $CONFIG ]; then + if [ ! -d $MODULES_DIR ]; then + mkdir -p $MODULES_DIR + fi + if [ ! -d $CACHE_DIR ]; then + mkdir -p $CACHE_DIR/{scm,staging} + fi + + # First pass to clone any new modules, and update those marked for updating. + grep -E -v "^#" $CONFIG | ( + while read module src update pattern; do + # We only support git:// urls atm + if [ "${src:0:6}" = "git://" ]; then + if [ ! -d $CACHE_DIR/scm/$module ]; then + git clone -q $src $CACHE_DIR/scm/$module + elif [ -d $CACHE_DIR/scm/$module/.git ]; then + if [ "$update" = "yes" ]; then + cd $CACHE_DIR/scm/$module + git pull -q + else + continue fi - fi - done) + else + echo "ERROR: Ignoring non-git repository" + continue + fi + fi + done + ) + + # Second pass to verify the signatures on all modules and stage those that + # have good signatures. + grep -E -v "^#" $CONFIG | ( + while read module src update pattern; do + # We only support git:// urls atm + if [ "${src:0:6}" = "git://" ]; then + # Verify git tag + cd $CACHE_DIR/scm/$module + TAG=$(git tag -l "${pattern:-*}" | sort | tail -1) + if [ "$COSMOS_VERBOSE" = "y" ]; then + echo "" + echo "Checking signature on tag ${TAG} for puppet-module $module" + fi + if [ -z "$TAG" ]; then + echo "ERROR: No git tag found for pattern '${pattern:-*}' on puppet-module $module" + continue + fi + git tag -v $TAG &> /dev/null + if [ $? == 0 ]; then + if [ "$COSMOS_VERBOSE" = "y" ]; then + # short output on good signature + git tag -v $TAG 2>&1 | grep "gpg: Good signature" + fi + # Put archive in staging since tag verified OK + stage_module $module $TAG + else + echo "################################################################" + echo "FAILED signature check on puppet-module $module" + echo "################################################################" + git tag -v $TAG + fi + fi + done + ) + + # Cleanup removed puppet modules from CACHE_DIR + for MODULE in $(ls -1 $CACHE_DIR/staging/); do + if ! grep -E -q "^$MODULE\s+" $CONFIG; then + rm -rf $CACHE_DIR/{scm,staging}/$MODULE + fi + done + + # Installing verified puppet modules + rsync --archive --delete $CACHE_DIR/staging/ $MODULES_DIR/ fi -- cgit v1.1 From 5c171118c151c9724b1576017da02a93a350c5ae Mon Sep 17 00:00:00 2001 From: Stefan Wold Date: Mon, 24 Feb 2014 08:13:53 +0100 Subject: Allow installing puppet modules using the standard method --- global/post-tasks.d/018packages | 9 +++++++++ 1 file changed, 9 insertions(+) (limited to 'global') diff --git a/global/post-tasks.d/018packages b/global/post-tasks.d/018packages index bf7bf64..cc5856e 100755 --- a/global/post-tasks.d/018packages +++ b/global/post-tasks.d/018packages @@ -39,6 +39,15 @@ if [ -f $CONFIG ]; then echo "ERROR: Ignoring non-git repository" continue fi + elif [[ "$src" =~ .*:// ]]; then + echo "ERROR: Don't know how to install '$src'" + continue + else + if [ ! -d /etc/puppet/modules/$module ]; then + puppet module install $src + elif [ "$update" = "yes" ]; then + puppet module upgrade $src + fi fi done ) -- cgit v1.1 From 0f44e1679c66a0aa223c8ac1d3f3e88d9934cc84 Mon Sep 17 00:00:00 2001 From: Stefan Wold Date: Mon, 24 Feb 2014 09:55:34 +0100 Subject: Opt-in for automatic reboot Use of && is bad in this context since it will return 1 causing cosmos to exit with status 1 if a reboot is not required. --- global/post-tasks.d/999reboot | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'global') diff --git a/global/post-tasks.d/999reboot b/global/post-tasks.d/999reboot index 5331446..2ed9fa7 100755 --- a/global/post-tasks.d/999reboot +++ b/global/post-tasks.d/999reboot @@ -1,3 +1,5 @@ #!/bin/sh -test -f /var/run/reboot-required -a ! -f /etc/cosmos-manual-reboot && reboot +if [ -f /var/run/reboot-required -a -f /etc/cosmos-automatic-reboot ]; then + reboot +fi -- cgit v1.1 From 2369e391d7418fdb8a402d403caf33608c86c70a Mon Sep 17 00:00:00 2001 From: Leif Johansson Date: Wed, 26 Feb 2014 00:17:40 +0100 Subject: nag a bit --- global/post-tasks.d/018packages | 3 +++ 1 file changed, 3 insertions(+) (limited to 'global') diff --git a/global/post-tasks.d/018packages b/global/post-tasks.d/018packages index cc5856e..5ca5c63 100755 --- a/global/post-tasks.d/018packages +++ b/global/post-tasks.d/018packages @@ -43,6 +43,9 @@ if [ -f $CONFIG ]; then echo "ERROR: Don't know how to install '$src'" continue else + echo "WARNING" + echo "WARNING - attempting UNSAFE installation/upgrade of puppet-module $module from $src" + echo "WARNING" if [ ! -d /etc/puppet/modules/$module ]; then puppet module install $src elif [ "$update" = "yes" ]; then -- cgit v1.1