diff --git a/prepare.sh b/prepare.sh
new file mode 100644
index 00000000..b8fa76af
--- /dev/null
+++ b/prepare.sh
@@ -0,0 +1,61 @@
+# How to use this script:
+# 1. Modify the value of SSH_FLAGS to have the right ssh key path
+# 2. Take copy of the sudoers file and name it as 50-launchpad(Or anything suitable so that it does not override the existing sudoers files)
+# 3. Make the changes you want to test in the copy of the sudoers file and run this script.
+
+
+HOSTS="$(yq -r ".spec.hosts[].ssh.address" ./launchpad.yaml)"
+
+SSH_USER=rocky
+SSH_FLAGS="-i examples/tf-aws/launchpad/ssh-keys/jn-PRODENG-2744-common.pem -o StrictHostKeyChecking=no"
+
+# --- helpers ---
+
+ssh() {
+ local host=$1
+ shift;
+ local run=$@
+
+ echo "ssh $SSH_FLAGS $SSH_USER@$host -- $run"
+ #ssh $SSH_FLAGS $USER@$host -- "$run"
+}
+
+scp() {
+ local host=$1
+ shift;
+ local file=$@
+
+ echo "scp $SSH_FLAGS $file $SSH_USER@$host:~/$file"
+ #scp $SSH_FLAGS $USER@$host $file $file
+}
+
+# --- handlers ___
+
+sudo_prepareuser() {
+ host=$1
+
+ ssh $host "sudo useradd launchpad"
+ ssh $host "sudo cp -R /home/rocky/.ssh /home/launchpad/"
+ ssh $host "sudo chown -R launchpad:launchpad /home/launchpad"
+}
+
+sudo_sudowhitelist() {
+ host=$1
+
+ scp $host 50-launchpad
+ ssh $host "sudo chown root:root ./50-launchpad"
+ ssh $host "sudo mv ./50-launchpad /etc/sudoers.d/"
+}
+
+# --- fix all hosts ---
+
+set +x
+
+for host in $HOSTS
+do
+ #echo "#-- HOST: $host"
+ ssh $host whoami
+
+ sudo_prepareuser $host
+ sudo_sudowhitelist $host
+done
diff --git a/sudoers b/sudoers
new file mode 100644
index 00000000..8e9f7707
--- /dev/null
+++ b/sudoers
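Review bot: `sudo_sudowhitelist` moves the drop-in into /etc/sudoers.d/ without syntax-checking it and without setting its mode, so a typo in 50-launchpad is pushed to every host in `$HOSTS` and can leave sudo refusing the file (or, on older versions, every sudo invocation) — sudo expects 0440 root-owned drop-ins, and the file keeps whatever mode scp gave it. Replace the chown/mv pair with `ssh $host "sudo visudo -cf ./50-launchpad && sudo install -o root -g root -m 0440 ./50-launchpad /etc/sudoers.d/50-launchpad"` so the file is validated and installed atomically with the right mode. Separately, the `ssh()`/`scp()` wrappers shadow the real binaries, so the commented-out calls inside them would recurse into the wrapper once uncommented (use `command ssh` / `command scp`), and they use `$USER` where the echoed command uses `$SSH_USER`. Finally, `sudo cp -R /home/rocky/.ssh /home/launchpad/` copies everything in rocky's .ssh (any private keys and known_hosts, not just authorized_keys) into the new account; copying only `authorized_keys` is the tighter grant.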
@@ -0,0 +1,68 @@
+User_Alias CANLAUNCHPAD = launchpad
+
+CANLAUNCHPAD ALL = (root) NOPASSWD: /bin/ps
+CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/docker *
+CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/rm -f -- launchpad.test
+CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/rm -f -- /etc/docker/*
+CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/rm -f -- /home/launchpad/installerLinux*
+CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/rm -f -- /tmp/installerLinux*
+CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/sbin/getenforce *
+CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/rpm -qa
+CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/cat *
+CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/stat *
+CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/systemctl * docker *
+CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/netstat
+CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/journalctl
+CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/systemctl stop docker
+CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/systemctl start docker
+CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/systemctl restart docker
+CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/systemctl status
+CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/systemctl stop containerd
+CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/systemctl start containerd
+CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/systemctl cat *
+CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/cat /etc/docker/daemon.json
+CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/rm -rvf /var/run/docker.sock
+CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/rm /app/docker/swarm/worker/tasks.db
+CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/ip link del docker_gwbridge
+CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/ip link del docker0
+CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/sysctl -w net.ipv4.conf.all.rp_filter=1
+CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/vi /etc/sysctl.d/99-app.conf
+CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/vi /etc/docker/daemon.json
+CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/pkill -9 containerd-shim
+CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/df
+CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/lsof
+CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/ulimit -a
+CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/strace
+CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/docker *
+CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/systemctl stop appitrs
+CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/systemctl start appitrs
+CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/rm -f -- /etc/docker/daemon.json *
+CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/rm -f -- launchpad.test *
+CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/sbin/getenforce *
+CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/yum install -y *
+CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/cat *
+CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/sh -c 'yum-config-manager *'
+CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/sh -c 'rpm -qa *'
+CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/sh -c 'echo *'
+CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/sh -c 'yum install *'
+CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/stat *
+CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/systemctl * docker *
+CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/systemctl enable docker
+CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/docker version
+CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/install *
+CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/rm -f -- /tmp/launchpad/installerLinux*
+CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/mkdir -p -- /tmp/launchpad
+
+
+User_Alias CANINSTALLMCR = launchpad
+
+CANINSTALLMCR ALL = (root) NOPASSWD:SETENV: /usr/bin/rpm -qa
+CANINSTALLMCR ALL = (root) NOPASSWD:SETENV: /usr/bin/yum install *
+CANINSTALLMCR ALL = (root) NOPASSWD:SETENV: /usr/bin/yum list *
+CANINSTALLMCR ALL = (root) NOPASSWD:SETENV: /usr/bin/tee /etc/yum/vars/dockerurl
+CANINSTALLMCR ALL = (root) NOPASSWD:SETENV: /usr/bin/tee /etc/yum/vars/dockerosversion
+CANINSTALLMCR ALL = (root) NOPASSWD:SETENV: /usr/bin/yum-config-manager --add-repo *
+CANINSTALLMCR ALL = (root) NOPASSWD:SETENV: /usr/bin/yum-config-manager --disable docker-ee-*
+CANINSTALLMCR ALL = (root) NOPASSWD:SETENV: /usr/bin/yum-config-manager --enable docker-ee-*
+CANINSTALLMCR ALL = (root) NOPASSWD:SETENV: /usr/bin/yum upgrade *
+CANINSTALLMCR ALL = (root) NOPASSWD:SETENV: /usr/bin/yum downgrade *
\ No newline at end of file
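Review bot: This allowlist is functionally unrestricted root, so the NOPASSWD grant is equivalent to `launchpad ALL=(root) NOPASSWD: ALL` and the long list gives a false sense of least privilege: `/usr/bin/docker *` permits `docker run --privileged -v /:/host`, the `/usr/bin/vi …` entries carry no `NOEXEC:` and hand out a root shell via `:!sh`, `/usr/bin/install *` can write a root-owned setuid copy of any binary, `/usr/bin/cat *` reads /etc/shadow and every private key, and the bare entries `/usr/bin/strace`, `/usr/bin/journalctl`, `/usr/bin/lsof` and `/usr/bin/df` match any argument list at all (in sudoers a Cmnd with no arguments allows any arguments; only `""` means none). The trailing `*` on lines such as `/usr/bin/rm -f -- /etc/docker/daemon.json *` admits arbitrary extra paths, and because `*` in argument globs also matches `/`, `rm -f -- /etc/docker/*` reaches `/etc/docker/../shadow`. If the intent is a real restriction, pin each argument list to the exact flags the tool uses, replace the two vi lines with `sudoedit /etc/docker/daemon.json` and `sudoedit /etc/sysctl.d/99-app.conf`, enumerate the docker and systemctl subcommands actually needed instead of `docker *` / `systemctl * docker *`, and drop the duplicates (`docker *`, `cat *`, `stat *`, `getenforce *`, `systemctl * docker *` each appear twice). The quoted forms like `/usr/bin/sh -c 'echo *'` should also be verified with `sudo -l -U launchpad` on a target host, since I do not believe sudoers treats single quotes as shell-style grouping, so those rules may match nothing — or match more than intended.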