From 66131e238157e4ee55040ec9ee38a4b87b748bce Mon Sep 17 00:00:00 2001
From: Brian Candler
Date: Fri, 8 Jul 2016 14:18:21 +0000
Subject: [PATCH] Create user inside the container, enable ssh with password

Also install instructor ssh keys (although lxc exec is also usable)
---
ansible/gold-master.yml | 3 +++
ansible/group_vars/all | 6 +++++-
ansible/hosts | 2 +-
ansible/noc.yml | 8 +++++++
ansible/pc-master.yml | 7 +++++++
ansible/roles/container_ssh/defaults/main.yml | 2 ++
.../roles/container_ssh/files/authorized_keys | 13 ++++++++++++
ansible/roles/container_ssh/handlers/main.yml | 2 ++
ansible/roles/container_ssh/tasks/main.yml | 21 +++++++++++++++++++
.../roles/container_user/defaults/main.yml | 2 ++
ansible/roles/container_user/tasks/main.yml | 9 ++++++++
ansible/roles/nagios_base/tasks/main.yml | 2 +-
.../roles/nagios_noc/templates/nmm_nagios.j2 | 2 +-
13 files changed, 75 insertions(+), 4 deletions(-)
create mode 100644 ansible/roles/container_ssh/defaults/main.yml
create mode 100644 ansible/roles/container_ssh/files/authorized_keys
create mode 100644 ansible/roles/container_ssh/handlers/main.yml
create mode 100644 ansible/roles/container_ssh/tasks/main.yml
create mode 100644 ansible/roles/container_user/defaults/main.yml
create mode 100644 ansible/roles/container_user/tasks/main.yml
diff --git a/ansible/gold-master.yml b/ansible/gold-master.yml
index 7426997..9a224dc 100644
--- a/ansible/gold-master.yml
+++ b/ansible/gold-master.yml
@@ -27,5 +27,8 @@
# Populate everything we want - role: container_base + - role: container_user + - role: container_ssh + # Stop before cloning - role: lxd_stop
diff --git a/ansible/group_vars/all b/ansible/group_vars/all
index 4733b86..ba6cc45 100644
--- a/ansible/group_vars/all
+++ b/ansible/group_vars/all
@@ -1,4 +1,8 @@
-class_password: nsrc+ws
+admin_username: sysadm
+admin_password: nsrc+ws
+ssh_key_users: [root, sysadm]
+#From whois package: mkpasswd --method=MD5
+admin_password_hash: '$1$fGTqfzoW$HX2HQ30g2qh3OUUWParly.'
snmp_community: NetManage # Default networking parameters
diff --git a/ansible/hosts b/ansible/hosts
index 4dd3e9f..4dcb024 100644
--- a/ansible/hosts
+++ b/ansible/hosts
@@ -1,6 +1,6 @@
localhost ansible_connection=local
-noc ansible_connection=lxd ipv4_address=10.10.0.250 ipv6_address=2001:db8:100::250
+noc ansible_connection=lxd ipv4_address=10.10.0.250 ipv6_address=2001:db8:100::250 admin_password_hash='$1$J/FvZsNZ$Awx/9YqK9fzbsUQ1CzssN1'
[all-master] gold-master ansible_connection=lxd
diff --git a/ansible/noc.yml b/ansible/noc.yml
index 348c195..d3b2edf 100644
--- a/ansible/noc.yml
+++ b/ansible/noc.yml
@@ -6,8 +6,16 @@ profiles: [br-lan] - role: lxd_static_ip + # Re-iterate steps in case they have changed, or we + # want different password on the NOC + - role: container_base + - role: container_user + - role: container_ssh + # The NOC machine has pre-configuration work done on the tools # (which the students would normally do themselves) - role: nagios_setup - role: nagios_noc + + # Do this last in case apt-cacher isn't ready immediately - role: use_apt_cacher
diff --git a/ansible/pc-master.yml b/ansible/pc-master.yml
index 65011ce..73f2880 100644
--- a/ansible/pc-master.yml
+++ b/ansible/pc-master.yml
@@ -6,6 +6,13 @@ roles: - role: lxd_copy source: gold-master + # Repeat things from gold-master in case they have changed - role: container_base + - role: container_user + - role: container_ssh + + # Things we want to pre-install for the students - role: nagios_base + + # Stop before cloning - role: lxd_stop
diff --git a/ansible/roles/container_ssh/defaults/main.yml b/ansible/roles/container_ssh/defaults/main.yml
new file mode 100644
index 0000000..13b9ee1
--- /dev/null
+++ b/ansible/roles/container_ssh/defaults/main.yml
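Review bot: The new `+admin_password_hash:` value is an MD5-crypt hash (the `$1$` prefix, matching the `mkpasswd --method=MD5` the comment cites), and the `noc` entry added in ansible/hosts on this same line uses the same form; MD5-crypt is cheap to brute-force offline if a container's /etc/shadow is ever exposed, and the SHA-512 scheme (`$6$`, `mkpasswd --method=SHA-512`) is accepted by the same glibc crypt(), so the comment and both values should move to it. The plaintext `admin_password` and its hash are now two independently edited copies of one secret — `nagios_base` consumes the plaintext while `container_user` consumes the hash — and nothing checks that they agree. If the Ansible in use has the `password_hash` filter, deriving one from the other, e.g. `admin_password_hash: "{{ admin_password | password_hash('sha512', 'FIXED_SALT_PLACEHOLDER') }}"`, keeps them in step; the fixed salt is required, otherwise the hash differs on every run and the user task reports changed each time. The comment line also reads better as `# From whois package: mkpasswd --method=SHA-512`.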
@@ -0,0 +1,2 @@
+ssh_key_users: [root]
+admin_password_hash: '!'
diff --git a/ansible/roles/container_ssh/files/authorized_keys b/ansible/roles/container_ssh/files/authorized_keys
new file mode 100644
index 0000000..c4d43cc
--- /dev/null
+++ b/ansible/roles/container_ssh/files/authorized_keys
@@ -0,0 +1,13 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCmKsPtnihswa3JrRBK0w7syjibSqBPySYbZEL2WBHWG4SiLufhhfvS0yamzjlCPOZKV7iUtn71THHbtmZq0jbg3x3/+W4Ob0L3fdLLb1/uIteBEyQDQZ9g36z7seAWDw/Hz/dJP42HBJhMz1HQbx1+C5BX5EohKIyqCJDdTro2cYv3m3QrRJrDLpfKHJuToDIwW32Pc9FxLuaEQL6jJFIcLPdNKPsSqYUlXsRphnbstL2bK87eyJaQEyZfBFNfFEgp0W+7nNS2hCBSrka7XwqHL1FA1p1z+ah/pm+rd62mtQyWX1oplhxtCwQmCmKaSYXgdi+B2E0OiasyS7aA1DCR brian@Brians-MacBook-Air.local
+ssh-dss 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 cvicente@tiroloco
+ssh-dss AAAAB3NzaC1kc3MAAACBAM4voDeHKOXwTUIwvMkDCHRJVpl7Mdh/DwvUVfqH7Cneky7yMWs0at8zyMvehMjH6lVEM3etz6AigZawOCnkmvqq+wzZoUilo5kltAmlIu7HVIONlF9QgQHI/icDnuVpnCpNGE7PHAsp8AJubm6sFb8AjAvCJ32KNuPRObd+MXadAAAAFQDz3jwAFtjr/U+AF3Fw7rMP4t4QsQAAAIEAr4+uqA0GU6bq/6hFOQPl8A+DsJfnRf8qmAb3SwuV1yIexdHDOOuYZBRNxQje9w1P0bUMYkgv8xCz4Nsyfa8rtt3VXsfirVpCcnTZ/+CWVANvzc1RHnhzrKOJqs5K+cK6atSN95kZdWMsH8pw4p+ZowZ+A+d5eNsxdjdIEbVo7y0AAACAUdjdiLOLw6hVPDt15zDXoaTkGZhVkWGu6b3v/jvyAXP3kKDfUn7LxouPvRveSHaGzdi5/JtLl04i7FdgOt8eNf2Ql2kZZol0yof3vLjgAadXo+uSkjC2YoHRUxyq9TVTzKDbXWwuMkOs8gvt+N881JzKGT1njcXV2W+Z7Iv0rYE= regnauld@macbook.balder
+ssh-dss AAAAB3NzaC1kc3MAAACBAKtOEfM+/6BBoG9IefDlpiVxe/NLjrw9pTzIOaEl4GhSVUSEqJX6zzHdfuSvxsAWAM2+xqEyU7ttCbpGq4J73x17gXmrVQRym4V+F5iRFg3fkOEIkMmL4L5XrARK6ZaOjPdgY7SJafKW5AdQLwd+V4OhDid87TFsa/nkuRKSpNU7AAAAFQD4riVimJnJmGz5bSgFvCro3D/r2QAAAIAGlV+6ZheQ/8rk92Z7sZP3gxPgiJ2lAym26igGI/OPCM+JJTPFhBrQSOGX3CLV9LjRVVMV0fCdgd3smfwmfeuZJdt8ljIU0JHYudUO2tRDWblLB2wMGCBc3rbtOUsqL2NimiTdyf1b0JDrxZmgdwrFKT/0wQnHpVtJZ+T9q3S+vAAAAIAyprVZt1Ab20+RZs64kx1PHhzjsH6F5FB5SIpzFrQKj1f9Iz29cV2Bd/rnPlAU+0yiyO10BZMQQ0RM0cW9MxhkpHJ8I3sPeVlxadwxCuR7w18dJ9IFRFa50Db01LeAyWLuXVLgPg/NeCbrI+qRriUNz+IudahO26G/ykRsPDyH8g== hak@raven
+ssh-dss
AAAAB3NzaC1kc3MAAACBAOMJy6Y7/M7Ihvamw0b4gqigoLEKsdjpSPN8GdMZx8g00txARy7hOcYYwKwaWSRe2Ap6clI9nlu82Kigst1meEOyHUb0JHPnCniVgFC6mRMuLF2RBiGz+iDMdPl9JNE7M+A+KtmMrVB8OBjwrjKmhDQR2YY5oFrEiAkvglq3vwWfAAAAFQDaakaYPsbY1B4V21QIFEikp2bHEwAAAIEAn5ckaOcCmX+NaaWsc+1WXJjAtTlLU3xWtrubWQ3PfG6JAB27zvI4ceHH7FSKSVFm7nVrAFvhhWZVlKQDBPP2vNxBGexc4XdaHVpExLaiW0XgI36AlbmXqTN6a2HQmQhCCJGqbxx7Z6pdsm6fG1MWFPdpOqFqBa0idl/ZcPnzzfYAAACAOaOenLF6vpim52Aun/pz2AXMvYLS05ElVXMFylJPrIaqfjH08r7YZJvKlnB/usS762nCZVGakkZMxpYuuXE8PHd32xFXY23/f5s6rRAkXA4QQvTCGjycLdD1ustWHJWgltsL1wiUiYlsR6C3Uq1JNVyTOEdnug+ZDRWrb3BulJU= asjl@wark.lpnz.org
+ssh-dss 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 pokui@psg.com
+ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAud6cF9xNmPBif4Rjhw10Rp1bl7hWZmn3C2OOhfoAwnkSi1Dd/XFJ8Lzx3MXAoP24pD9l804U7HIAWbObc3l+wJTvZiQcMVM2KwztbMnbfSaB6UfNvkcHQzTg7pjPLJg1pRGK7qL5kGW/9UexAo75ptsQd7ibwsDqvG0puZ/0bDOJw1AjlSS+6DHjoLGYfTv2pJwA0VvS6lurK7rmNKARRncvLHb1z8OPeMrxyVSTaJfHEUGeX2wV+NWIaGsSssDXCF8tY2kCBm5v7uDGXmFU+uqVmQ2PrWCjf9/0+RZmFkUoRMKUeGQYgOCKYfnlssF7G0vZDF2KABsvA3d2uG5Pdw== carmas@vserver3.rtn.com
+ssh-dss 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 dean@destruction
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsCVRHrFOHteME/+gdIwGKqgNLHSbPjllqWSNjI+4wyCwRLHpFrJdr6klFkRMJ3Q0pfyui6pGXFgbZa2b1xY59iR/gamfYeAL/DNTzG+byDeiCkFYopWg84iNEa0t3bv8+0y+lucdPve0tlBFt7GnXxW1P1rQbZf8+Uf3sm4nJ2YClH6iH6qoV3zzRylzeai2IU3+2rA+SmMgArorKg4YzZiXQy5ZfYyKPDmj8tbITB/O0m/h5KV/xFEUc1xlMMLiolrmNjHFL2rq+Svvc+d9n1DZaSXIK7LDTsv2/4SUUoSiBJriDYDw5cFvk9gqgR/Gr4/ZbtUyPNcTOVsNZCH0B hervey@nsrc.org
+ssh-dss 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 philip@Philips-MBPro.local
+ssh-rsa
AAAAB3NzaC1yc2EAAAADAQABAAABAQDAO+DwVfQekrHxiL5wNrXAfHcw3eCMfn3ip17FbNQXdwEjJMPkxSEWNZ8sKi9furhUgGPalJpRCI1alLkDge8hLGkqsddcZx88RLi+q3m9IvK2ybrWmO9+1j3arm5gE9gRU82tn0hybbnOHEc76x8sheyvIWTDKJ84Wo9WIsKgizbaaAhEic13wDtSJBQacjlFUjnCPU0W0HjsrHKjL/6QcrPoF0/BJHWp5H+A/oprXVE7dMNvAIQrNxFy4hqOsHYK4IccC4jRuiosxny2QWp44y+jgtlyYVgGAXheDV0VEY6D8jaBWOwSvO9ER6bDmlCNztVCuxNvZEpSblcVyeGB rotsted@Fuji-2.local
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC/6W++UMqkKSteRGX73sBH2UPstkzkDwLG90VHcUb5GwJfqnBpyOnSxTsoofek+bOzmVUvbg2sN4u3iP4IiEHUMGBYHHZ12wnN8L0MTW3MCSQ78UlzJ+iUuzNXaHxTSOIQMfgVs5lQKB84KHeslUdKoX3fbJnvyRTCKePvsvfhEuAKV96QI0z4sj97eXVdqcJ0wzQ/OKK0S+kKPrcmYPcqfkuzGp97N9JGQfFQSxhXRqoB5WiVG2TWse8ikyV063EVmEGZvZU2PGNfFTJAC9weXYM0Csd5CNXniTYKJhvzQCHz0od8Db52v4hX7bLWmI9CcyoKG2RJMX6t4GFGM8Af jonathanbrewer@Jonathan-Brewers-iMac.local
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDUamuARZ3nDpft+u8+uaPy36rhDj29ZLnTiGekkIhiZShUQHYOPqSVwATUOEpKLD3DxeghXG4QOttRTOUGFcXyNI5Yux+mnekRKMM7mCfvfxYWHiWgAkwGzjMNoELafpoBaNtMyh4PYBSgzC4GMikVnfdN1HLMOiT+LBTekxuo4d6TauP8Nc7G3SFa1i6FfzLfHOsvLC6tyYUjKQhTqODoGK8MgEPr/nf2CW4XqAeE6eSEmdsHBJicWcqRkjZ8HSk2inhl1nIbEMs3CU6TyqY1/buRXuawbr3B9mvOd2W5+FQ29lxeZvICXNhSo2bjdL6bqcBx/96wq8wWKF9Y0wxtJs39CwIwE26soqvQMhVD4+odW7j78OneALlgpRRWi55S+t4a1wqtO05Ju3R0F8Zc3H3dYE1Nhdi9MDLNUC49wRH7PmH/VcyruS9NZ+9//uN27lLkjS3Q+IWdp0as5s4AJxXLTAADue+RL9CU3CsMNBt3XJHjFENY3dfyKihjprnNg/AwVajzigfauoDIpeuUbmDfjdYNlUBaqFcU3d8yV0jwV2RlRQnjKpg6/izTfJ9njawty/D+ijheBJ/2QH3wInvjaz4O1+Rs0WK8gYRRhsh13q6+p1qdQu3wRVs+7UoycbOg44uaMK2D+2y3fy+F7hjDHFRtGj2HO8nMHX9vfw== mike@nsrc.org
diff --git a/ansible/roles/container_ssh/handlers/main.yml b/ansible/roles/container_ssh/handlers/main.yml
new file mode 100644
index 0000000..276ebfe
--- /dev/null
+++ b/ansible/roles/container_ssh/handlers/main.yml
@@ -0,0 +1,2 @@
+- name: restart ssh
+ service: name=ssh state=restarted
diff --git a/ansible/roles/container_ssh/tasks/main.yml b/ansible/roles/container_ssh/tasks/main.yml
new file mode 100644
index 0000000..d4a797b
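Review bot: Seven of the thirteen entries in the new authorized_keys are `ssh-dss` (DSA) keys, and OpenSSH 7.0 and later refuse ssh-dss user keys by default, so on a base image with a current sshd those instructors get "Permission denied" while the `ssh-rsa` entries work, and nothing in the play surfaces it (the container's OS version is not visible in this patch). Rather than widening `PubkeyAcceptedKeyTypes` to re-admit DSA, the fix is to replace those seven lines with RSA or ed25519 keys from their owners. Since `container_ssh` installs this whole file for every user in `ssh_key_users` on every container cloned from gold-master, a header comment such as `# Instructor keys, installed for root and the admin user on every container; ssh-dss entries are ignored by OpenSSH >= 7.0` would tell the next editor what the file governs and why a key type matters.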
--- /dev/null
+++ b/ansible/roles/container_ssh/tasks/main.yml
@@ -0,0 +1,21 @@
+- name: permit password login
+ notify: restart ssh
+ lineinfile:
+ dest: /etc/ssh/sshd_config
+ line: 'PasswordAuthentication yes'
+ regexp: '^PasswordAuthentication'
+ when: admin_password_hash != '!'
+
+- name: install authorized keys
+ authorized_key: user={{item}} key="{{ lookup('file', 'authorized_keys') }}"
+ with_items: '{{ssh_key_users}}'
+
+- name: disable HashKnownHosts
+ lineinfile:
+ dest: /etc/ssh/ssh_config
+ create: no
+ state: present
+ mode: 644
+ backup: yes
+ line: ' HashKnownHosts no'
+ regexp: 'HashKnownHosts'
diff --git a/ansible/roles/container_user/defaults/main.yml b/ansible/roles/container_user/defaults/main.yml
new file mode 100644
index 0000000..10034a2
--- /dev/null
+++ b/ansible/roles/container_user/defaults/main.yml
@@ -0,0 +1,2 @@
+admin_uid: 1001
+admin_password_hash: '!'
diff --git a/ansible/roles/container_user/tasks/main.yml b/ansible/roles/container_user/tasks/main.yml
new file mode 100644
index 0000000..fba0c8c
--- /dev/null
+++ b/ansible/roles/container_user/tasks/main.yml
@@ -0,0 +1,9 @@
+- name: create admin user
+ user:
+ name: '{{admin_username}}'
+ password: '{{admin_password_hash}}'
+ uid: '{{admin_uid}}'
+ groups: adm,audio,cdrom,dialout,dip,floppy,netdev,plugdev,sudo,video
+ append: yes
+ shell: /bin/bash
+ when: admin_username is defined
diff --git a/ansible/roles/nagios_base/tasks/main.yml b/ansible/roles/nagios_base/tasks/main.yml
index 666ad89..861c356 100644
--- a/ansible/roles/nagios_base/tasks/main.yml
+++ b/ansible/roles/nagios_base/tasks/main.yml
@@ -2,7 +2,7 @@
# Note: debconf module requires ansible 1.6 - name: prepare nagios debconf
- debconf: name='nagios3-cgi' question='{{item}}' value='{{class_password}}' vtype='password'
+ debconf: name='nagios3-cgi' question='{{item}}' value='{{admin_password}}' vtype='password'
with_items: - nagios3/adminpassword - nagios3/adminpassword-repeat
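Review bot: `mode: 644` in the `disable HashKnownHosts` task is an unquoted integer, which Ansible applies as decimal 644 (octal 01204: sticky bit, owner write-only, world read) rather than rw-r--r--; it should be `mode: '0644'`. The `permit password login` task only ever writes `PasswordAuthentication yes`, and when `admin_password_hash` is back at `'!'` it is skipped rather than reverted, so a container that once had a hash keeps password login enabled — the noc.yml comment in this commit about re-running with a different password makes that path real. Replacing the line with `line: "PasswordAuthentication {{ 'yes' if admin_password_hash != '!' else 'no' }}"` and dropping the `when:` makes the role converge in both directions. The `authorized_key` loop can only succeed for `sysadm` once `container_user` has created that account, which the role ordering in gold-master.yml, noc.yml and pc-master.yml satisfies but nothing here documents; a comment `# requires container_user to have run first (ssh_key_users names the admin user)` above the task would record the dependency.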
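Review bot: The `password: '{{admin_password_hash}}'` line relies on an undocumented sentinel: the role default is `'!'`, which as a shadow password field locks password login (account exists, no usable password), and it is the same value `container_ssh` tests to decide whether to turn on `PasswordAuthentication`. A comment above the task such as `# admin_password_hash defaults to '!' = locked; set a crypt(3) hash to allow password login (container_ssh keys off the same value)` would make that contract visible. The `when: admin_username is defined` guard avoids an error when the variable is unset, but `ssh_key_users` in group_vars/all names `sysadm` literally, so changing `admin_username` would silently leave the key install pointed at a user that is never created; `ssh_key_users: [root, '{{ admin_username }}']` ties the two together.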
diff --git a/ansible/roles/nagios_noc/templates/nmm_nagios.j2 b/ansible/roles/nagios_noc/templates/nmm_nagios.j2
index fd9620d..d442efb 100644
--- a/ansible/roles/nagios_noc/templates/nmm_nagios.j2
+++ b/ansible/roles/nagios_noc/templates/nmm_nagios.j2
@@ -148,7 +148,7 @@ define hostgroup {
define service { hostgroup_name nagios-servers service_description NAGIOS
- check_command check_http_url_auth!/nagios3/!nagiosadmin:{{class_password}}
+ check_command check_http_url_auth!/nagios3/!nagiosadmin:{{admin_password}}
use generic-service }
-- GitLab