From 8f959a940b7053758ff1da1de9320ea59f58f264 Mon Sep 17 00:00:00 2001 From: Lars Wirzenius Date: Fri, 18 Sep 2020 14:56:59 +0300 Subject: fix: glob ./*.py to avoid potential problems with filenames -*.py --- check | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/check b/check index bc57b7a..dc38406 100755 --- a/check +++ b/check @@ -3,7 +3,7 @@ set -eu rm -f test.py -black --check contractor *.py +black --check contractor ./*.py echo "$1" > test.address echo "SSH_AUTH_SOCK=$SSH_AUTH_SOCK" > test.env sp-codegen contractor.md -o test.py --run -- cgit v1.2.1 From 7f531f989ca154a2dc311f783e9c7d04c112ff38 Mon Sep 17 00:00:00 2001 From: Lars Wirzenius Date: Sun, 4 Oct 2020 15:05:54 +0300 Subject: create-vm --- create-vm | 36 ++++++++++++++++++++++++++++++++++++ 1 file changed, 36 insertions(+) create mode 100755 create-vm diff --git a/create-vm b/create-vm new file mode 100755 index 0000000..f79b0b1 --- /dev/null +++ b/create-vm @@ -0,0 +1,36 @@ +#!/bin/bash + +set -eu -o pipefail + +cloud_init_iso() +{ + local iso="$1" + local hostname="$2" + local pubkey="$3" + local dir="$(mktemp -d)" + + cat < "$dir/meta-data" +# Amazon EC2 style metadata +local-hostname: $hostname +EOF + + cat < "$dir/user-data" +#cloud-config +ssh_authorized_keys: +- $pubkey +EOF + + genisoimage -quiet -volid cidata -joliet -rock -output "$iso" "$dir" + rm -rf "$dir" +} + + +main() +{ + local vm="$1" + local pubkey="$(cat "$2")" + cloud_init_iso "$vm.iso" "$vm" "$pubkey" +} + + +main "$@" -- cgit v1.2.1 From 85c633d8861146604ae540acd5828afdc2326590 Mon Sep 17 00:00:00 2001 From: Lars Wirzenius Date: Sun, 4 Oct 2020 15:47:27 +0300 Subject: create-vm works --- create-vm | 48 ++++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 46 insertions(+), 2 deletions(-) diff --git a/create-vm b/create-vm index f79b0b1..9fa374b 100755 --- a/create-vm +++ b/create-vm 
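Review bot: `cloud_init_iso` leaves `$dir` behind on failure: with `set -e`, a failing `genisoimage` exits the script before `rm -rf "$dir"`, so the temp directory (holding the public key in `user-data`) stays in /tmp. Register the cleanup right after `mktemp -d`, e.g. `trap "rm -rf '$dir'" EXIT`, and drop the trailing `rm -rf`. The heredoc markers also appear lost in this rendering — the two `cat < "$dir/..."` lines read as input redirections here and presumably are `cat <<EOF > "$dir/..."` in the file, given the `EOF` terminators that follow.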
@@ -25,11 +25,55 @@ EOF } +create_vm() +{ + local name="$1" + local memory="$2" + local image="$3" + local iso="$4" + + virt-install \ + --name="$name" \ + --memory "$memory" \ + --disk="path=$image,cache=none" \ + --disk="path=$iso,readonly=on" \ + --network=network=default \ + --quiet \ + --connect qemu:///system \ + --cpu=host-passthrough \ + --os-variant=debian9 \ + --import \ + --graphics=spice \ + --noautoconsole +} + +wait_for_ssh() +{ + local host="$1" + while ! nc -w 1 "$host" 22 < /dev/null > /dev/null + do + sleep 5 + done +} + + main() { - local vm="$1" - local pubkey="$(cat "$2")" + local base="$1" + local vm="$2" + local memory="$3" + local img="$4" + local size="$5" + local pubkey="$(cat "$6")" + + local iso="$vm.iso" + cloud_init_iso "$vm.iso" "$vm" "$pubkey" + cp "$base" "$img" + qemu-img resize -q "$img" "$size" + create_vm "$vm" "$memory" "$img" "$iso" + wait_for_ssh "$vm" + rm -f "$iso" } -- cgit v1.2.1 From 82455c3a7904f3adb5a3040dafe0b4cb660d59cb Mon Sep 17 00:00:00 2001 From: Lars Wirzenius Date: Sun, 4 Oct 2020 15:54:27 +0300 Subject: remove-vm --- remove-vm | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) create mode 100755 remove-vm diff --git a/remove-vm b/remove-vm new file mode 100755 index 0000000..d7e9b2a --- /dev/null +++ b/remove-vm @@ -0,0 +1,17 @@ +#!/bin/bash + +set -eu -o pipefail + +running() +{ + virsh domid "$1" > /dev/null +} + +for vm in "$@" +do + if running "$vm" + then + virsh destroy "$vm" > /dev/null + fi + virsh undefine "$vm" > /dev/null +done -- cgit v1.2.1 From ddffa71bc829dbacde242a1a96c55101fc683462 Mon Sep 17 00:00:00 2001 From: Lars Wirzenius Date: Sun, 4 Oct 2020 15:56:56 +0300 Subject: create-vm --- create-vm | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/create-vm b/create-vm index 9fa374b..3fe4544 100755 --- a/create-vm +++ b/create-vm 
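Review bot: `main` runs `rm -f "$iso"` after `wait_for_ssh`, but `create_vm` attached that file to the domain with `--disk="path=$iso,readonly=on"`, so the persistent domain definition now points at a missing file and a later `virsh start` of this VM will presumably fail on the absent disk source. Either detach the CD image before deleting it or keep the ISO next to the disk image. `wait_for_ssh` also loops forever when the VM never brings up SSH (mistyped name, cloud-init failure); a bounded number of attempts, e.g. `local tries=0` and `[ "$((tries += 1))" -lt 120 ] || return 1` inside the loop, keeps the caller from hanging.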
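Review bot: The `virsh` calls in `remove-vm` pass no connection URI, while `create-vm` in this series creates its domains with `--connect qemu:///system`; for a non-root user `virsh` defaults to the session instance (unless `LIBVIRT_DEFAULT_URI` or `uri_default` says otherwise), so `running "$vm"` reports not running, `virsh undefine` fails on a domain that lives in the system instance, and `set -e` aborts the loop. Use the same URI explicitly, e.g. `virsh -c qemu:///system domid "$1" > /dev/null`, and likewise for `destroy` and `undefine`. `virsh destroy` is a hard power-off; fine for throwaway VMs, but worth a one-line comment so the script is not reused on a guest with state worth keeping.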
@@ -29,12 +29,14 @@ create_vm() { local name="$1" local memory="$2" - local image="$3" - local iso="$4" + local cpus="$3" + local image="$4" + local iso="$5" virt-install \ --name="$name" \ --memory "$memory" \ + --vcpus "$cpus" \ --disk="path=$image,cache=none" \ --disk="path=$iso,readonly=on" \ --network=network=default \ @@ -62,16 +64,17 @@ main() local base="$1" local vm="$2" local memory="$3" - local img="$4" - local size="$5" - local pubkey="$(cat "$6")" + local cpus="$4" + local img="$5" + local size="$6" + local pubkey="$(cat "$7")" local iso="$vm.iso" cloud_init_iso "$vm.iso" "$vm" "$pubkey" cp "$base" "$img" qemu-img resize -q "$img" "$size" - create_vm "$vm" "$memory" "$img" "$iso" + create_vm "$vm" "$memory" "$cpus" "$img" "$iso" wait_for_ssh "$vm" rm -f "$iso" } -- cgit v1.2.1 From ada3064008a030803bb282812766836f2f7e35ce Mon Sep 17 00:00:00 2001 From: Lars Wirzenius Date: Sun, 4 Oct 2020 16:17:56 +0300 Subject: create-vm in py --- create-vm | 169 +++++++++++++++++++++++++++++++++++--------------------------- 1 file changed, 96 insertions(+), 73 deletions(-) diff --git a/create-vm b/create-vm index 3fe4544..454db06 100755 --- a/create-vm +++ b/create-vm 
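Review bot: `main` now reads seven positional parameters (`$1`..`$7`) with no argument-count check; under `set -u` a missing one aborts with an unbound-variable message that shows no usage, and a misordered one goes silently to the wrong role (`memory` and `cpus` are both plain numbers). Add a guard at the top of `main`, `[ $# -eq 7 ] || { echo "usage: $0 BASE NAME MEMORY CPUS IMAGE SIZE PUBKEY" >&2; exit 1; }`. Both `create_vm` and `main` start outside the hunk lines (their headers are only named in the `@@` trailers).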
@@ -1,83 +1,106 @@ -#!/bin/bash +#!/usr/bin/env python3 -set -eu -o pipefail +import os +import shutil +import socket +import subprocess +import sys +import tempfile +import time -cloud_init_iso() -{ - local iso="$1" - local hostname="$2" - local pubkey="$3" - local dir="$(mktemp -d)" - cat < "$dir/meta-data" +def cloud_init_iso(iso, hostname, pubkey): + tmp = tempfile.mkdtemp() + + with open(os.path.join(tmp, "meta-data"), "w") as f: + f.write( + f"""\ # Amazon EC2 style metadata -local-hostname: $hostname -EOF +local-hostname: {hostname} +""" + ) - cat < "$dir/user-data" + with open(os.path.join(tmp, "user-data"), "w") as f: + f.write( + f"""\ #cloud-config ssh_authorized_keys: -- $pubkey -EOF - - genisoimage -quiet -volid cidata -joliet -rock -output "$iso" "$dir" - rm -rf "$dir" -} - - -create_vm() -{ - local name="$1" - local memory="$2" - local cpus="$3" - local image="$4" - local iso="$5" - - virt-install \ - --name="$name" \ - --memory "$memory" \ - --vcpus "$cpus" \ - --disk="path=$image,cache=none" \ - --disk="path=$iso,readonly=on" \ - --network=network=default \ - --quiet \ - --connect qemu:///system \ - --cpu=host-passthrough \ - --os-variant=debian9 \ - --import \ - --graphics=spice \ - --noautoconsole -} - -wait_for_ssh() -{ - local host="$1" - while ! 
nc -w 1 "$host" 22 < /dev/null > /dev/null - do - sleep 5 - done -} +- {pubkey} +""" + ) + + subprocess.check_call( + [ + "genisoimage", + "-quiet", + "-volid", + "cidata", + "-joliet", + "-rock", + "-output", + iso, + tmp, + ] + ) + shutil.rmtree(tmp) + + +def create_vm(vm, image, iso, memory=1024, cpus=1): + subprocess.check_call( + [ + "virt-install", + "--name", + vm, + "--memory", + str(memory), + "--vcpus", + str(cpus), + f"--disk=path={image},cache=none", + f"--disk=path={iso},readonly=on", + "--network=network=default", + "--connect", + "qemu:///system", + "--cpu=host-passthrough", + "--os-variant=debian9", + "--import", + "--graphics=spice", + "--noautoconsole", + "--quiet", + ] + ) + + +def wait_for_ssh(hostname): + ssh_port = 22 + while True: + time.sleep(5) + try: + conn = socket.create_connection((hostname, ssh_port), timeout=1) + except Exception: + continue + conn.close() + break + + +def main(): + base, vm, memory, cpus, img, size, pubkey = sys.argv[1:] + + memory = int(memory) + cpus = int(cpus) + pubkey = open(pubkey).read() + + iso = f"{vm}.iso" + cloud_init_iso(iso, vm, pubkey) + + if os.path.exists(img): + os.remove(img) + shutil.copy(base, img) + + subprocess.check_call(["qemu-img", "resize", "-q", img, size]) + + create_vm(vm, img, iso, memory=memory, cpus=cpus) + wait_for_ssh(vm) + os.remove(iso) main() -{ - local base="$1" - local vm="$2" - local memory="$3" - local cpus="$4" - local img="$5" - local size="$6" - local pubkey="$(cat "$7")" - - local iso="$vm.iso" - - cloud_init_iso "$vm.iso" "$vm" "$pubkey" - cp "$base" "$img" - qemu-img resize -q "$img" "$size" - create_vm "$vm" "$memory" "$cpus" "$img" "$iso" - wait_for_ssh "$vm" - rm -f "$iso" -} - - -main "$@" -- cgit v1.2.1 From 8ba2b964d78810e760012bc20be08050000b0d32 Mon Sep 17 00:00:00 2001 From: Lars Wirzenius Date: Sun, 4 Oct 2020 16:24:47 +0300 Subject: fix remove-vm --- remove-vm | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) 
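Review bot: `wait_for_ssh` can never return on a VM that does not come up: `except Exception: continue` swallows every error, including the name-resolution failure for a mistyped `hostname`, and there is no deadline, so the script hangs silently. Catch `OSError` (what `socket.create_connection` raises) and give up after a bounded wait, as below. `cloud_init_iso` keeps the leak the shell version had: `shutil.rmtree(tmp)` is skipped when `genisoimage` raises `CalledProcessError`, leaving the directory with the public key in `user-data` behind, so wrap the body in `try:` / `finally: shutil.rmtree(tmp)`. In `main`, `pubkey = open(pubkey).read()` should be `with open(pubkey) as f: pubkey = f.read()` to close the handle, and `main()` is called at import time rather than under `if __name__ == "__main__":`.
```python
def wait_for_ssh(hostname, timeout=600):
    """Block until TCP port 22 on hostname accepts a connection, or raise after timeout seconds."""
    ssh_port = 22
    deadline = time.monotonic() + timeout
    while True:
        time.sleep(5)
        try:
            conn = socket.create_connection((hostname, ssh_port), timeout=1)
        except OSError:
            # connection refused / unreachable / unresolvable: retry until the deadline
            if time.monotonic() >= deadline:
                raise
            continue
        conn.close()
        break
```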
diff --git a/remove-vm b/remove-vm index d7e9b2a..67a078d 100755 --- a/remove-vm +++ b/remove-vm @@ -4,14 +4,23 @@ set -eu -o pipefail running() { - virsh domid "$1" > /dev/null + virsh domstate "$1" | grep -q -Fx running +} + +shutoff() +{ + virsh domstate "$1" | grep -q -Fx "shut off" } for vm in "$@" do if running "$vm" then - virsh destroy "$vm" > /dev/null + virsh shutdown "$vm" > /dev/null + while ! shutoff "$vm" + do + sleep 1 + done fi virsh undefine "$vm" > /dev/null done -- cgit v1.2.1 From dc0adcc9bcd65bd001fc94bf4bd3eb61df71c079 Mon Sep 17 00:00:00 2001 From: Lars Wirzenius Date: Sun, 4 Oct 2020 16:36:39 +0300 Subject: create-vm fix --- create-vm | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/create-vm b/create-vm index 454db06..e085598 100755 --- a/create-vm +++ b/create-vm @@ -7,6 +7,7 @@ import subprocess import sys import tempfile import time +import yaml def cloud_init_iso(iso, hostname, pubkey): @@ -83,7 +84,15 @@ def wait_for_ssh(hostname): def main(): - base, vm, memory, cpus, img, size, pubkey = sys.argv[1:] + config = yaml.safe_load(open(sys.argv[1])) + + base = config["base_image"] + vm = config["name"] + img = config["image_file"] + size = config["image_size"] + pubkey = config["public_key"] + memory = config.get("memory", 1024) + cpus = config.get("cpus", 1) memory = int(memory) cpus = int(cpus) -- cgit v1.2.1 From 32e9d47ce40da71c31fd39192ba97597598d6ad2 Mon Sep 17 00:00:00 2001 From: Lars Wirzenius Date: Sun, 4 Oct 2020 17:34:44 +0300 Subject: create-vm ansible --- create-vm | 36 ++++++++++++++++++++++++++++++++++-- 1 file changed, 34 insertions(+), 2 deletions(-) diff --git a/create-vm b/create-vm index e085598..b65095e 100755 --- a/create-vm +++ b/create-vm 
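Review bot: The new `while ! shutoff "$vm"; do sleep 1; done` loop has no upper bound: `virsh shutdown` only sends an ACPI request, and a guest without acpid (or one that is hung) never reaches `shut off`, so `remove-vm` now hangs where the previous version returned. Count the iterations and fall back to the hard stop, as below (the 60-second limit is an example value). Note also that `running`/`shutoff` now depend on `virsh domstate` output under `set -o pipefail`; for a domain that does not exist the function returns false and the script then dies on `virsh undefine`, which is acceptable but deserves a comment.
```shell
        virsh shutdown "$vm" > /dev/null
        tries=0
        while ! shutoff "$vm"
        do
            sleep 1
            tries=$((tries + 1))
            # guest ignored the ACPI request; stop waiting and power it off
            if [ "$tries" -ge 60 ]
            then
                virsh destroy "$vm" > /dev/null
            fi
        done
```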
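Review bot: `config = yaml.safe_load(open(sys.argv[1]))` leaks the file handle and gives an `IndexError` traceback instead of a usage message when the argument is missing; use `with open(sys.argv[1]) as f: config = yaml.safe_load(f)` and check `len(sys.argv) == 2` first. `safe_load` is the right call here — the config is user-supplied and `yaml.load` would allow arbitrary object construction — so a short comment saying the loader must stay `safe_load` is worth adding. The `config["base_image"]`-style lookups raise bare `KeyError` for a missing key; a required-keys check with a readable message would help, since all five required keys are needed before anything runs. The rest of `main` continues outside the hunk.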
@@ -83,6 +83,36 @@ def wait_for_ssh(hostname): break +def provision(vm, pubkey): + ssh_opts = [ + "ControlMaster=auto", + "ControlPersist=60s", + "StrictHostKeyChecking=accept-new", + "UserKnownHostsFile=/dev/null", + ] + + env = dict(os.environ) + env["ANSIBLE_SSH_ARGS"] = " ".join(f"-o{opt}" for opt in ssh_opts) + + vars_file = {"user_pub": pubkey} + + fd, filename = tempfile.mkstemp() + os.write(fd, yaml.safe_dump(vars_file).encode("UTF-8")) + os.close(fd) + + argv = [ + "ansible-playbook", + "-i", + "hosts", + "manager.yml", + f"-eansible_ssh_host={vm}", + f"-e@(unknown)", + ] + subprocess.check_output(argv, env=env) + + os.remove(filename) + + def main(): config = yaml.safe_load(open(sys.argv[1])) @@ -96,9 +126,9 @@ def main(): memory = int(memory) cpus = int(cpus) - pubkey = open(pubkey).read() - + pubkey = open(pubkey).read().rstrip() iso = f"{vm}.iso" + cloud_init_iso(iso, vm, pubkey) if os.path.exists(img): @@ -111,5 +141,7 @@ def main(): wait_for_ssh(vm) os.remove(iso) + provision(vm, pubkey) + main() -- cgit v1.2.1 From 97999ca67b834b1216108e542cdb73010e36930d Mon Sep 17 00:00:00 2001 From: Lars Wirzenius Date: Sun, 4 Oct 2020 17:34:58 +0300 Subject: ansible --- hosts | 1 + manager | 21 +++++++++++++++ manager-vm.yaml | 7 +++++ manager.yml | 84 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++ toy.yaml | 7 +++++ 5 files changed, 120 insertions(+) create mode 100644 hosts create mode 100755 manager create mode 100644 manager-vm.yaml create mode 100644 manager.yml create mode 100644 toy.yaml diff --git a/hosts b/hosts new file mode 100644 index 0000000..737929f --- /dev/null +++ b/hosts @@ -0,0 +1 @@ +manager diff --git a/manager b/manager new file mode 100755 index 0000000..2e24d63 --- /dev/null +++ b/manager 
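Review bot: In `provision`, the `argv` element `f"-e@(unknown)"` does not reference `filename`, so the vars file just written with `user_pub` is never passed to `ansible-playbook`; presumably `f"-e@{filename}"` was intended, unless this is a rendering artifact of the page. The option pair `StrictHostKeyChecking=accept-new` with `UserKnownHostsFile=/dev/null` provides no host authentication at all — the key is "accepted as new" on every connection and never recorded — so a comment should state that this is deliberate for a throwaway VM whose host key is generated at first boot; the same pair appears in `manager` and in `cmd_provision` of `contractor` later in this series. `os.remove(filename)` is skipped when `check_output` raises, leaving the temp vars file behind; put it in a `finally:`. `check_output` also discards the playbook output, which is the only diagnostic when provisioning fails; `check_call`, as `manager` uses, keeps it visible.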
@@ -0,0 +1,21 @@ +#!/usr/bin/env python3 + +import os +import subprocess + +env = dict(os.environ) +env[ + "ANSIBLE_SSH_ARGS" +] = "-o StrictHostKeyChecking=accept-new -o UserKnownHostsFile=/dev/null" + +subprocess.check_call( + [ + "ansible-playbook", + "-i", + "hosts", + "manager.yml", + "-e@manager-vars.yml", + "-eansible_ssh_host=manager", + ], + env=env, +) diff --git a/manager-vm.yaml b/manager-vm.yaml new file mode 100644 index 0000000..d06f57a --- /dev/null +++ b/manager-vm.yaml @@ -0,0 +1,7 @@ +name: manager +image_file: /mnt/manager.qcow2 +image_size: 30G +memory: 8192 +cpus: 4 +base_image: /home/liw/debian-10-openstack-amd64.qcow2 +public_key: /home/liw/.ssh/liw-openpgp.pub diff --git a/manager.yml b/manager.yml new file mode 100644 index 0000000..11d8f2a --- /dev/null +++ b/manager.yml 
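Review bot: `manager` passes `-e@manager-vars.yml`, but no file of that name is added in this commit (the diffstat lists `hosts`, `manager`, `manager-vm.yaml`, `manager.yml`, `toy.yaml`) and `manager.yml` expects `user_pub` from somewhere; if the file is intentionally kept out of the tree, a comment naming the expected keys, e.g. `# manager-vars.yml (untracked) must define user_pub`, saves the next reader a failed run. `ANSIBLE_SSH_ARGS` replaces Ansible's default SSH arguments wholesale, so this script also drops the `ControlMaster`/`ControlPersist` options that `create-vm`'s `provision` re-adds; harmless, but the two callers should agree. `manager-vm.yaml` and `toy.yaml` hard-code paths under `/home/liw/`, which ties the configs to one workstation.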
@@ -0,0 +1,84 @@ +- hosts: manager + remote_user: debian + become: true + tasks: + - name: "configure modprobe to enable nested VMs" + copy: + content: | + options kvm-intel nested=1 + options kvm-intel enable_shadow_vmcs=1 + options kvm-intel enable_apicv=1 + options kvm-intel ept=1 + dest: /etc/modprobe.d/kvm-nested.conf + + - name: "install needed packages" + apt: + name: + - ssh + - sudo + - qemu-system-x86 + - virtinst + - libvirt-daemon-system + - libvirt-clients + - locales-all + - jq + - rsync + - kpartx + + - name: "modify libvirt to use a non-standard IP range for guests" + args: + warn: false + shell: + sed -i 's/192\.168\.122\./192.168.99\./g' /etc/libvirt/qemu/networks/default.xml + + - name: "create manager user" + user: + comment: "Manager" + name: manager + shell: /bin/bash + groups: + - libvirt + + - name: "add authorized key to manager user" + authorized_key: + user: manager + key: "{{ user_pub }}" + + - name: "give manager sudo" + copy: + content: | + manager ALL=(ALL:ALL) NOPASSWD: ALL + dest: /etc/sudoers.d/manager + owner: root + group: root + mode: 0600 + + - name: "create ~manager/.ssh" + file: + state: directory + path: /home/manager/.ssh + owner: manager + group: manager + mode: 0700 + + - name: "add SSH keys to manager" + copy: + src: "{{ item }}" + dest: "/home/manager/.ssh/{{ item }}" + owner: manager + group: manager + mode: 0600 + with_items: + - manager.key + - manager.key.pub + + - name: "configure manager's ssh" + copy: + src: manager-ssh-config + dest: /home/manager/.ssh/config + owner: manager + group: manager + mode: 0600 + + vars: + ansible_python_interpreter: /usr/bin/python3 diff --git a/toy.yaml b/toy.yaml new file mode 100644 index 0000000..d2fdafd --- /dev/null +++ b/toy.yaml @@ -0,0 +1,7 @@ +name: toy2 +image_file: toy.qcow2 +image_size: 10G +memory: 2048 +cpus: 4 +base_image: /home/liw/debian-10-openstack-amd64.qcow2 +public_key: /home/liw/.ssh/liw-openpgp.pub -- cgit v1.2.1 
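Review bot: The `give manager sudo` task writes `/etc/sudoers.d/manager` with `copy` but no `validate:`; a typo in the content can make `sudo` refuse to run for every user on the VM, and on a cloud image with no root password that locks the operator out. Add `validate: 'visudo -cf %s'` to that task. `install needed packages` has no `update_cache`, so on a fresh cloud image the first `apt` run can fail on stale package lists; `update_cache: yes` on that task is the usual fix. Only `kvm-intel` is configured for nested virtualization; an AMD host would need the `kvm-amd` equivalent, which is worth a comment if Intel-only is intended.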
From cc677d8872c4da74093f557b55550e191827c75b Mon Sep 17 00:00:00 2001 From: Lars Wirzenius Date: Sun, 4 Oct 2020 17:41:02 +0300 Subject: foo --- heippa.yaml | 8 ++------ manager-config.yaml | 2 ++ 2 files changed, 4 insertions(+), 6 deletions(-) create mode 100644 manager-config.yaml diff --git a/heippa.yaml b/heippa.yaml index 4ec5f9b..22a98e8 100644 --- a/heippa.yaml +++ b/heippa.yaml @@ -9,10 +9,6 @@ ansible: - build-essential vars: ansible_python_interpreter: /usr/bin/python3 -source: /tmp/heippa -workspace: /tmp/heippa-workspace +source: . build: | - rm -rf .git - rm -f heippa - make - ./heippa + echo hello, world diff --git a/manager-config.yaml b/manager-config.yaml new file mode 100644 index 0000000..9b0e014 --- /dev/null +++ b/manager-config.yaml @@ -0,0 +1,2 @@ +manager_address: manager +log: ~/contractor.log -- cgit v1.2.1 From d051245ed058293546c3fe2247e59a17c839b1c0 Mon Sep 17 00:00:00 2001 From: Lars Wirzenius Date: Sun, 4 Oct 2020 17:41:55 +0300 Subject: drop manager vmdb and non-basic worker vmdb etc --- vm.vmdb | 50 ------------------------ vm.yml | 79 ------------------------------------- worker-scap.vmdb | 49 ----------------------- worker-scap.yml | 110 ---------------------------------------------------- worker-subplot.vmdb | 49 ----------------------- worker-subplot.yml | 54 -------------------------- worker-vmdb2.vmdb | 49 ----------------------- worker-vmdb2.yml | 95 --------------------------------------------- 8 files changed, 535 deletions(-) delete mode 100644 vm.vmdb delete mode 100644 vm.yml delete mode 100644 worker-scap.vmdb delete mode 100644 worker-scap.yml delete mode 100644 worker-subplot.vmdb delete mode 100644 worker-subplot.yml delete mode 100644 worker-vmdb2.vmdb delete mode 100644 worker-vmdb2.yml diff --git a/vm.vmdb b/vm.vmdb deleted file mode 100644 index 45def5e..0000000 --- a/vm.vmdb +++ /dev/null 
@@ -1,50 +0,0 @@ -# An image for running the Ick contractor outer VM. - -steps: - - mkimg: "{{ output }}" - size: 20G - - - mklabel: msdos - device: "{{ output }}" - - - mkpart: primary - device: "{{ output }}" - start: 0% - end: 100% - tag: / - - - kpartx: "{{ output }}" - - - mkfs: ext4 - partition: / - - - mount: / - - - unpack-rootfs: / - - - debootstrap: buster - mirror: http://deb.debian.org/debian - target: / - unless: rootfs_unpacked - - - apt: install - packages: - - linux-image-amd64 - - locales-all - - python3 - - sudo - - ssh - - ansible - tag: / - unless: rootfs_unpacked - - - cache-rootfs: / - unless: rootfs_unpacked - - - fstab: / - - - ansible: / - playbook: vm.yml - - - grub: bios - tag: / diff --git a/vm.yml b/vm.yml deleted file mode 100644 index 783685b..0000000 --- a/vm.yml +++ /dev/null 
@@ -1,79 +0,0 @@ -- hosts: image - tasks: - - shell: | - echo "{{ host }}" > /etc/hostname - sed -i '/^127\.0\.0.*localhost.*/s/.*/127.0.0.1 localhost {{ host }}/' \ - /etc/hosts - sed -i '/^root:[^:]:/s//root::/' /etc/passwd - - copy: - content: | - auto lo - iface lo inet loopback - - auto eth0 - iface eth0 inet dhcp - dest: /etc/network/interfaces - - copy: - content: | - options kvm-intel nested=1 - options kvm-intel enable_shadow_vmcs=1 - options kvm-intel enable_apicv=1 - options kvm-intel ept=1 - dest: /etc/modprobe.d/kvm-nested.conf - - apt: - name: - - ssh - - sudo - - qemu-system-x86 - - virtinst - - libvirt-daemon-system - - libvirt-clients - - locales-all - - jq - - rsync - - kpartx - - name: "modify libvirt to use a non-standard IP range for guests" - shell: - sed -i 's/192\.168\.122\./192.168.99\./g' /etc/libvirt/qemu/networks/default.xml - - user: - comment: "Manager" - name: manager - shell: /bin/bash - groups: - - libvirt - - authorized_key: - user: manager - key: "{{ user_pub }}" - - copy: - content: | - manager ALL=(ALL:ALL) NOPASSWD: ALL - dest: /etc/sudoers.d/manager - owner: root - group: root - mode: 0600 - - file: - state: directory - path: /home/manager/.ssh - owner: manager - group: manager - mode: 0700 - - copy: - src: "{{ item }}" - dest: "/home/manager/.ssh/{{ item }}" - owner: manager - group: manager - mode: 0600 - with_items: - - manager.key - - manager.key.pub - - copy: - src: manager-ssh-config - dest: /home/manager/.ssh/config - owner: manager - group: manager - mode: 0600 - vars: - host: contractor - ansible_python_interpreter: /usr/bin/python3 - user_pub: | - ssh-rsa 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 openpgp:0xBBE80E50 diff --git a/worker-scap.vmdb b/worker-scap.vmdb deleted file mode 100644 index a0b7a68..0000000 --- a/worker-scap.vmdb +++ /dev/null 
@@ -1,49 +0,0 @@ -steps: - - mkimg: "{{ output }}" - size: 4G - - - mklabel: msdos - device: "{{ output }}" - - - mkpart: primary - device: "{{ output }}" - start: 0% - end: 100% - tag: / - - - kpartx: "{{ output }}" - - - mkfs: ext4 - partition: / - - - mount: / - - - virtual-filesystems: / - - - unpack-rootfs: / - - - debootstrap: buster - mirror: http://deb.debian.org/debian - target: / - unless: rootfs_unpacked - - - apt: install - packages: - - linux-image-amd64 - - locales-all - - openssh-server - - python3 - - sudo - tag: / - unless: rootfs_unpacked - - - cache-rootfs: / - unless: rootfs_unpacked - - - fstab: / - - - ansible: / - playbook: worker-scap.yml - - - grub: bios - tag: / diff --git a/worker-scap.yml b/worker-scap.yml deleted file mode 100644 index 1003b77..0000000 --- a/worker-scap.yml +++ /dev/null 
@@ -1,110 +0,0 @@ -- hosts: image - tasks: - - shell: | - echo "{{ host }}" > /etc/hostname - sed -i '/^127\.0\.0.*localhost.*/s/.*/127.0.0.1 localhost {{ host }}/' \ - /etc/hosts - sed -i '/^root:[^:]:/s//root::/' /etc/passwd - - copy: - content: | - auto lo - iface lo inet loopback - - auto eth0 - iface eth0 inet dhcp - dest: /etc/network/interfaces - - copy: - content: "{{ ci_prod_signing_key }}" - dest: /etc/apt/trusted.gpg.d/ci_prod.asc - - apt_repository: - repo: "deb http://ci-prod-controller.vm.liw.fi/debian unstable-ci main" - - apt: - name: - - bash-completion - - build-essential - - ca-certificates - - debhelper - - dh-python - - flake8 - - git - - git-buildpackage - - libjpeg-dev - - locales-all - - openssh-server - - openssl - - pandoc - - php - - python-all-dev - - python-concurrent.futures - - python-configparser - - python-flake8 - - python-jinja2 - - python-openssl - - python-psutil - - python-pygments - - python-requests - - python-setuptools - - python-six - - python-yaml - - python3-all-dev - - rsync - - subplot - - sudo - - tox - - zlib1g-dev - - user: - comment: "Worker" - name: worker - shell: /bin/bash - - file: - state: directory - path: /home/worker/.ssh - owner: worker - group: worker - mode: 0700 - - copy: - src: manager.key.pub - dest: /home/worker/.ssh/authorized_keys - owner: worker - group: worker - mode: 0600 - - copy: - content: | - worker ALL=(ALL:ALL) NOPASSWD: ALL - dest: /etc/sudoers.d/worker - owner: root - group: root - mode: 0600 - vars: - host: worker - ansible_python_interpreter: /usr/bin/python3 - ci_prod_signing_key: | - -----BEGIN PGP PUBLIC KEY BLOCK----- - - mQINBFrLO7kBEADdz6mHstYmKU5Dp6OSjxWtWaqTDOX1sJdmmaIK/9EKVIH0Maxp - 5kvVO5G6mULLAjv/kLG0MxasHPrq8I2A/y8AqKAGVL8QelwLjQMIFZ30/VbGQPHS - +T5TZXEnoQtNce1GUhFwJ38ZyjjwHBFV9tSec7rZ2Q3YeM3nNnGPf6DacXGfEOPO - HIN4sXAN2hzNXNjKRzTIvxQseb6nr7afUh/SlZ3yhQOCrIzmYlD7tP9WJe7ofL0p - JY4pDQYw8rT6nC2BE/ioemh84kERCT1vCe+OVFlSRuMlqfEv+ZpKQ+itOmPDQ/lM - 
jpUm1K2hrW/lWpxT/ZxHKo/w1K36J5WshgMZxfUu5BMCL9LMqMcrXNhNjDMfxDMM - 3yBPOvQ4ls6fecOZ/bsFo1p8VzMk/w/eG8vPs5yuNa5XxN95yFMXoOHGb5Xbu8D4 - 6yiW+Af70LbiSNpGdmNdneiGB2fY38NxBukPw5u3S5qG8HedSmMr1RvSr5kHoAAe - UbOY+BYaaKsTAT7+1skUW1o3FJSqoRKCHAzTsMWC6zzhR8hRn7jVrrguH1hGbqq5 - TZSCFQZExuTJ7uXrTLG0WoBXIjB5wWNcSeXn8myUWYB51nJNF4tJBouZOz9JwWGl - kiAQkrHnBttLQWdW9FyjbIoTZMtpvVx+m6ObGTGdGL1cNlLAvWprMXGc+QARAQAB - tDJJY2sgQVBUIHJlcG9zaXRvcnkgc2lnbmluZyBrZXkgKDIwMTgpIDxsaXdAbGl3 - LmZpPokCTgQTAQgAOBYhBKL1uyDoXyxUH3O717Wr+TZVS6PGBQJayzu5AhsDBQsJ - CAcCBhUICQoLAgQWAgMBAh4BAheAAAoJELWr+TZVS6PGB5QQANTcikhRUHwt9N4h - dGc/Hp6CbqdshMoWlwpFskttoVDxQG5OAobuZl5XyzGcmja1lT85RGkZFfbca0IZ - LnXOLLSAu51QBkXNaj4OhjK/0uQ+ITrvL6RQSXNgHiUTR/W2XD1GIUq6nBqe2GSN - 31S1baYKKVj5QIMsi7Dq8ls3BBXuPCE+xTSaNmGWjes2t9pPidcRvxsksCLY1qgw - P1GFXBeMkBQ29kBP87SUL15SIk7OiQLlEURCy5iRls5rt/YEsdEpRWIb0Tm5Nrjv - 2M3VM+iBhfNXTwj0rJ34mlycF1qQmA7YcTEobT7z587GPY0VWzBpQUnEQj7rQWPM - cDYY0b+I6kQ8VKOaL4wVAtE98d7HzFIrIrwhTKufnrWrVDPYsmLZ+LPC1jiF7JBD - SR6Vftb+SdDR9xoE1yRuXbC6IfoW+5/qQNrdQ2mm9BFw5jOonBqchs18HTTf3441 - 6SWwP9fY3Vi+IZphPPi0Gf85oMStgnv/Wnw6LacEL32ek39Desero/D8iGLZernK - Q2mC9mua5A/bYGVhsNWyURNFkKdbFa+/wW3NfdKYyZnsSfo+jJ2luNewrhAY7Kod - GWXTer9RxzTGA3EXFGvNr+BBOOxSj0SfWTl0Olo7J5dnxof+jLAUS1VHpceHGHps - GSJSdir7NkZidgwoCPA7BTqsb5LN - =dXB0 - -----END PGP PUBLIC KEY BLOCK----- diff --git a/worker-subplot.vmdb b/worker-subplot.vmdb deleted file mode 100644 index 3ff1d1c..0000000 --- a/worker-subplot.vmdb +++ /dev/null 
@@ -1,49 +0,0 @@ -steps: - - mkimg: "{{ output }}" - size: 4G - - - mklabel: msdos - device: "{{ output }}" - - - mkpart: primary - device: "{{ output }}" - start: 0% - end: 100% - tag: / - - - kpartx: "{{ output }}" - - - mkfs: ext4 - partition: / - - - mount: / - - - virtual-filesystems: / - - - unpack-rootfs: / - - - debootstrap: buster - mirror: http://deb.debian.org/debian - target: / - unless: rootfs_unpacked - - - apt: install - packages: - - linux-image-amd64 - - locales-all - - openssh-server - - python3 - - sudo - tag: / - unless: rootfs_unpacked - - - cache-rootfs: / - unless: rootfs_unpacked - - - fstab: / - - - ansible: / - playbook: worker-subplot.yml - - - grub: bios - tag: / diff --git a/worker-subplot.yml b/worker-subplot.yml deleted file mode 100644 index 8cf09ec..0000000 --- a/worker-subplot.yml +++ /dev/null @@ -1,54 +0,0 @@ -- hosts: image - tasks: - - shell: | - echo "{{ host }}" > /etc/hostname - sed -i '/^127\.0\.0.*localhost.*/s/.*/127.0.0.1 localhost {{ host }}/' \ - /etc/hosts - sed -i '/^root:[^:]:/s//root::/' /etc/passwd - - copy: - content: | - auto lo - iface lo inet loopback - - auto eth0 - iface eth0 inet dhcp - dest: /etc/network/interfaces - - apt: - name: - - build-essential - - cargo - - graphviz - - librsvg2-bin - - locales-all - - pandoc - - pandoc-citeproc - - plantuml - - texlive-fonts-recommended - - texlive-latex-base - - texlive-latex-recommended - - user: - comment: "Worker" - name: worker - shell: /bin/bash - - file: - state: directory - path: /home/worker/.ssh - owner: worker - group: worker - mode: 0700 - - copy: - src: manager.key.pub - dest: /home/worker/.ssh/authorized_keys - owner: worker - group: worker - mode: 0600 - - copy: - content: | - worker ALL=(ALL:ALL) NOPASSWD: ALL - dest: /etc/sudoers.d/worker - owner: root - group: root - mode: 0600 - vars: - host: worker - ansible_python_interpreter: /usr/bin/python3 diff --git a/worker-vmdb2.vmdb b/worker-vmdb2.vmdb deleted file mode 100644 index be9ab2d..0000000 
--- a/worker-vmdb2.vmdb +++ /dev/null @@ -1,49 +0,0 @@ -steps: - - mkimg: "{{ output }}" - size: 4G - - - mklabel: msdos - device: "{{ output }}" - - - mkpart: primary - device: "{{ output }}" - start: 0% - end: 100% - tag: / - - - kpartx: "{{ output }}" - - - mkfs: ext4 - partition: / - - - mount: / - - - virtual-filesystems: / - - - unpack-rootfs: / - - - debootstrap: buster - mirror: http://deb.debian.org/debian - target: / - unless: rootfs_unpacked - - - apt: install - packages: - - linux-image-amd64 - - locales-all - - openssh-server - - python3 - - sudo - tag: / - unless: rootfs_unpacked - - - cache-rootfs: / - unless: rootfs_unpacked - - - fstab: / - - - ansible: / - playbook: worker-vmdb2.yml - - - grub: bios - tag: / diff --git a/worker-vmdb2.yml b/worker-vmdb2.yml deleted file mode 100644 index 112839d..0000000 --- a/worker-vmdb2.yml +++ /dev/null 
@@ -1,95 +0,0 @@ -- hosts: image - tasks: - - shell: | - echo "{{ host }}" > /etc/hostname - sed -i '/^127\.0\.0.*localhost.*/s/.*/127.0.0.1 localhost {{ host }}/' \ - /etc/hosts - sed -i '/^root:[^:]:/s//root::/' /etc/passwd - - copy: - content: | - auto lo - iface lo inet loopback - - auto eth0 - iface eth0 inet dhcp - dest: /etc/network/interfaces - - copy: - content: "{{ ci_prod_signing_key }}" - dest: /etc/apt/trusted.gpg.d/ci_prod.asc - - apt_repository: - repo: "deb http://ci-prod-controller.vm.liw.fi/debian unstable-ci main" - - apt: - name: - - ansible - - build-essential - - cmdtest - - debootstrap - - dosfstools - - git - - kpartx - - locales-all - - moreutils - - pandoc - - parted - - python3-all - - python3-cliapp - - python3-coverage-test-runner - - python3-jinja2 - - python3-yaml - - qemu-utils - - user: - comment: "Worker" - name: worker - shell: /bin/bash - - file: - state: directory - path: /home/worker/.ssh - owner: worker - group: worker - mode: 0700 - - copy: - src: manager.key.pub - dest: /home/worker/.ssh/authorized_keys - owner: worker - group: worker - mode: 0600 - - copy: - content: | - worker ALL=(ALL:ALL) NOPASSWD: ALL - dest: /etc/sudoers.d/worker - owner: root - group: root - mode: 0600 - vars: - host: worker - ansible_python_interpreter: /usr/bin/python3 - ci_prod_signing_key: | - -----BEGIN PGP PUBLIC KEY BLOCK----- - - mQINBFrLO7kBEADdz6mHstYmKU5Dp6OSjxWtWaqTDOX1sJdmmaIK/9EKVIH0Maxp - 5kvVO5G6mULLAjv/kLG0MxasHPrq8I2A/y8AqKAGVL8QelwLjQMIFZ30/VbGQPHS - +T5TZXEnoQtNce1GUhFwJ38ZyjjwHBFV9tSec7rZ2Q3YeM3nNnGPf6DacXGfEOPO - HIN4sXAN2hzNXNjKRzTIvxQseb6nr7afUh/SlZ3yhQOCrIzmYlD7tP9WJe7ofL0p - JY4pDQYw8rT6nC2BE/ioemh84kERCT1vCe+OVFlSRuMlqfEv+ZpKQ+itOmPDQ/lM - jpUm1K2hrW/lWpxT/ZxHKo/w1K36J5WshgMZxfUu5BMCL9LMqMcrXNhNjDMfxDMM - 3yBPOvQ4ls6fecOZ/bsFo1p8VzMk/w/eG8vPs5yuNa5XxN95yFMXoOHGb5Xbu8D4 - 6yiW+Af70LbiSNpGdmNdneiGB2fY38NxBukPw5u3S5qG8HedSmMr1RvSr5kHoAAe - UbOY+BYaaKsTAT7+1skUW1o3FJSqoRKCHAzTsMWC6zzhR8hRn7jVrrguH1hGbqq5 - 
TZSCFQZExuTJ7uXrTLG0WoBXIjB5wWNcSeXn8myUWYB51nJNF4tJBouZOz9JwWGl - kiAQkrHnBttLQWdW9FyjbIoTZMtpvVx+m6ObGTGdGL1cNlLAvWprMXGc+QARAQAB - tDJJY2sgQVBUIHJlcG9zaXRvcnkgc2lnbmluZyBrZXkgKDIwMTgpIDxsaXdAbGl3 - LmZpPokCTgQTAQgAOBYhBKL1uyDoXyxUH3O717Wr+TZVS6PGBQJayzu5AhsDBQsJ - CAcCBhUICQoLAgQWAgMBAh4BAheAAAoJELWr+TZVS6PGB5QQANTcikhRUHwt9N4h - dGc/Hp6CbqdshMoWlwpFskttoVDxQG5OAobuZl5XyzGcmja1lT85RGkZFfbca0IZ - LnXOLLSAu51QBkXNaj4OhjK/0uQ+ITrvL6RQSXNgHiUTR/W2XD1GIUq6nBqe2GSN - 31S1baYKKVj5QIMsi7Dq8ls3BBXuPCE+xTSaNmGWjes2t9pPidcRvxsksCLY1qgw - P1GFXBeMkBQ29kBP87SUL15SIk7OiQLlEURCy5iRls5rt/YEsdEpRWIb0Tm5Nrjv - 2M3VM+iBhfNXTwj0rJ34mlycF1qQmA7YcTEobT7z587GPY0VWzBpQUnEQj7rQWPM - cDYY0b+I6kQ8VKOaL4wVAtE98d7HzFIrIrwhTKufnrWrVDPYsmLZ+LPC1jiF7JBD - SR6Vftb+SdDR9xoE1yRuXbC6IfoW+5/qQNrdQ2mm9BFw5jOonBqchs18HTTf3441 - 6SWwP9fY3Vi+IZphPPi0Gf85oMStgnv/Wnw6LacEL32ek39Desero/D8iGLZernK - Q2mC9mua5A/bYGVhsNWyURNFkKdbFa+/wW3NfdKYyZnsSfo+jJ2luNewrhAY7Kod - GWXTer9RxzTGA3EXFGvNr+BBOOxSj0SfWTl0Olo7J5dnxof+jLAUS1VHpceHGHps - GSJSdir7NkZidgwoCPA7BTqsb5LN - =dXB0 - -----END PGP PUBLIC KEY BLOCK----- -- cgit v1.2.1 From d74708086b78a1dec2a6e78227f95568583cff9e Mon Sep 17 00:00:00 2001 From: Lars Wirzenius Date: Mon, 5 Oct 2020 08:41:58 +0300 Subject: don't provision VM Contractor will do it itself. --- create-vm | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/create-vm b/create-vm index b65095e..00242fc 100755 --- a/create-vm +++ b/create-vm @@ -141,7 +141,8 @@ def main(): wait_for_ssh(vm) os.remove(iso) - provision(vm, pubkey) + +# provision(vm, pubkey) main() -- cgit v1.2.1 From 80c196e4309fcec58dd81aa3357b6175779bced4 Mon Sep 17 00:00:00 2001 From: Lars Wirzenius Date: Mon, 5 Oct 2020 08:44:13 +0300 Subject: fix: things linter complained about --- contractor | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/contractor b/contractor index 66693ed..5847485 100755 --- a/contractor +++ b/contractor 
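Review bot: The call is commented out rather than removed (`# provision(vm, pubkey)`), and the description says contractor does the provisioning now, so `provision` is dead code in `create-vm` that the next reader has to reason about. Delete the commented line and the `provision` function (version control keeps the history), or, if it is meant to come back, replace the commented call with a one-line reason, e.g. `# provisioning is done by contractor itself`. The enclosing `main` starts outside the hunk.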
@@ -248,7 +248,7 @@ class CopyWorkerImage(RemoteExecution): def argv(self): return ["sh", "-c", "rm -f temp.img; cp worker.img temp.img"] self.ssh(["rm", "-f", TEMP_IMG]) - ret = self.ssh(["cp", WORKER_IMG, TEMP_IMG]) + self.ssh(["cp", WORKER_IMG, TEMP_IMG]) class StartGuestNetworking(MayFail): @@ -560,7 +560,9 @@ def cmd_status(args): def cmd_build(args): - vrb = lambda msg: verbose(args, msg) + def vrb(msg): + verbose(args, msg) + vrb("building according to {}".format(args.spec)) bs = load_build_spec(args.spec) dest, port = manager_destination(args) @@ -659,6 +661,9 @@ def load_default_config(args): def load_config(filename, args): + def identity(x): + return x + with open(filename) as f: config = yaml.safe_load(f) @@ -673,7 +678,7 @@ def load_config(filename, args): if key in config: func = keys[key] if func is None: - func = lambda x: x + func = identity setattr(args, key, func(config[key])) -- cgit v1.2.1 From 6fa8261c4b3edaf821e547fa2a30d3d8aea2976a Mon Sep 17 00:00:00 2001 From: Lars Wirzenius Date: Mon, 5 Oct 2020 08:57:49 +0300 Subject: provision manager VM in contractor --- contractor | 26 +++++++++++++++++++++++++- manager.yml | 15 +++++++++++---- 2 files changed, 36 insertions(+), 5 deletions(-) diff --git a/contractor b/contractor index 5847485..e45bfb7 100755 --- a/contractor +++ b/contractor @@ -10,7 +10,6 @@ import sys import time import subprocess from subprocess import PIPE, STDOUT - import yaml 
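Review bot: The kept line `self.ssh(["cp", WORKER_IMG, TEMP_IMG])` and the `self.ssh(["rm", "-f", TEMP_IMG])` above it sit directly after `return [...]` in `CopyWorkerImage.argv`, so — as far as the indentation lost in this rendering allows — both calls are unreachable; the linter complained only about the unused `ret`, not about dead code. If `argv` is the whole of this step, delete both `self.ssh` lines rather than keeping one; if they belong to another method, the hunk is missing its `def`. The `identity` helper in `load_config` is fine, though a module-level `def identity(x): return x` would serve any other loader that needs the same no-op. `cmd_build` and `load_config` both continue outside the hunk.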
@@ -549,6 +548,28 @@ def cmd_dump(args): sys.stdout.write("{}\n".format(json.dumps(bs.as_dict(), indent=4))) +def cmd_provision(args): + ssh_opts = [ + "ControlMaster=auto", + "ControlPersist=60s", + "StrictHostKeyChecking=accept-new", + "UserKnownHostsFile=/dev/null", + ] + + env = dict(os.environ) + env["ANSIBLE_SSH_ARGS"] = " ".join(f"-o{opt}" for opt in ssh_opts) + + argv = [ + "ansible-playbook", + "-i", + "hosts", + "manager.yml", + f"-eansible_ssh_host={args.manager_address}", + f"-eansible_ssh_port={args.manager_port}", + ] + subprocess.check_call(argv, env=env) + + def cmd_status(args): dest, port = manager_destination(args) verbose(args, "manager VM is {}:{}".format(dest, port)) @@ -701,6 +722,9 @@ def main(): dump.add_argument("spec") dump.set_defaults(func=cmd_dump) + provision = sub.add_parser("provision", help="provision manager VM") + provision.set_defaults(func=cmd_provision, **manager_defaults) + status = sub.add_parser("status", help="check status of manager VM") status.add_argument("-m", "--manager-address", help="address of manager VM") status.add_argument("-p", "--manager-port", help="SSH port of manager VM") diff --git a/manager.yml b/manager.yml index 11d8f2a..281b92f 100644 --- a/manager.yml +++ b/manager.yml @@ -39,11 +39,18 @@ groups: - libvirt - - name: "add authorized key to manager user" - authorized_key: - user: manager - key: "{{ user_pub }}" + - name: "create ~manager/.ssh" + file: + state: directory + path: /home/manager/.ssh + owner: manager + group: manager + mode: 0700 + - name: "copy root authorized_keys to manager user" + shell: | + install -o manager -g manager /root/.ssh/authorized_keys /home/manager/.ssh/. + - name: "give manager sudo" copy: content: | -- cgit v1.2.1 From 6226fe16bbc51bccf983b3515e6c282cf4ce074c Mon Sep 17 00:00:00 2001 From: Lars Wirzenius Date: Mon, 5 Oct 2020 09:04:16 +0300 Subject: fix manager authz keys --- manager.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
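Review bot: `StrictHostKeyChecking=accept-new` together with `UserKnownHostsFile=/dev/null` in `cmd_provision` turns host-key verification off entirely: every connection counts as new, is accepted, and is never remembered, so anything that can answer for `manager_address` can impersonate the manager and receive this playbook run, which (per the manager.yml change in the same commit) installs authorized keys and passwordless sudo. Since the manager VM is created locally its host key can be captured at creation time and pinned, e.g. `"UserKnownHostsFile=" + known_hosts` with `StrictHostKeyChecking=yes`; at the very least keep a persistent known_hosts so a changed key is detected on the second run. Separately, `ansible_ssh_host`/`ansible_ssh_port` are the deprecated spellings; the current inventory variables are `ansible_host`/`ansible_port`.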
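Review bot: The new `shell: install -o manager -g manager /root/.ssh/authorized_keys /home/manager/.ssh/.` task replaces the `authorized_key` module with a non-idempotent copy that inherits `install`'s default file mode 0755, so the manager user's authorized_keys ends up world-readable and the task reports "changed" on every run. Because the source is root's authorized_keys, the manager account also silently receives whatever keys cloud-init (or anyone with root) put there, rather than the single key this playbook used to be given. Prefer `copy` with `remote_src: yes`, `owner: manager`, `group: manager`, `mode: 0600`, or restore the `authorized_key` task with the key passed in from the caller.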
diff --git a/manager.yml b/manager.yml index 281b92f..8072c80 100644 --- a/manager.yml +++ b/manager.yml @@ -49,7 +49,8 @@ - name: "copy root authorized_keys to manager user" shell: | - install -o manager -g manager /root/.ssh/authorized_keys /home/manager/.ssh/. + install -o manager -g manager /root/.ssh/authorized_keys + sed -i 's/^.* ssh-rsa /ssh-rsa /' /home/manager/.ssh/authorized_keys - name: "give manager sudo" copy: -- cgit v1.2.1 From 96e95959da347cd085694be444ff71ba14113295 Mon Sep 17 00:00:00 2001 From: Lars Wirzenius Date: Mon, 5 Oct 2020 09:43:07 +0300 Subject: change how libvirt network is defindd --- manager.yml | 26 ++++++++++++++++++++------ 1 file changed, 20 insertions(+), 6 deletions(-) diff --git a/manager.yml b/manager.yml index 8072c80..8f41d21 100644 --- a/manager.yml +++ b/manager.yml @@ -24,12 +24,26 @@ - jq - rsync - kpartx + - python3-lxml - - name: "modify libvirt to use a non-standard IP range for guests" - args: - warn: false - shell: - sed -i 's/192\.168\.122\./192.168.99\./g' /etc/libvirt/qemu/networks/default.xml + - name: change IP block in default virtual network + replace: + path: /etc/libvirt/qemu/networks/default.xml + regexp: '192\.168\.122\.' + replace: '192.168.88.' + + - name: configure default virtual network + command: /usr/bin/virsh net-define /etc/libvirt/qemu/networks/default.xml + + - name: start default network now + virt_net: + state: active + name: default + + - name: start default network at boot + virt_net: + autostart: yes + name: default - name: "create manager user" user: @@ -49,7 +63,7 @@ - name: "copy root authorized_keys to manager user" shell: | - install -o manager -g manager /root/.ssh/authorized_keys + install -o manager -g manager /root/.ssh/authorized_keys /home/manager/.ssh/authorized_keys sed -i 's/^.* ssh-rsa /ssh-rsa /' /home/manager/.ssh/authorized_keys - name: "give manager sudo" -- cgit v1.2.1 From 469bb263c4ce52122c85647fe8b5330ff5dc2bf3 Mon Sep 17 00:00:00 2001 
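Review bot: The `sed -i 's/^.* ssh-rsa /ssh-rsa /'` line strips whatever options field precedes the key in root's authorized_keys (presumably the login-refusing `command="..."` prefix cloud-init writes for root), but it only matches `ssh-rsa` keys: an ed25519 or ecdsa key keeps its restriction and the manager login then fails without an obvious cause. If the intent is to drop the options field, match every key type, e.g. `sed -E -i 's/^.* (ssh-(rsa|ed25519)|ecdsa-sha2-[^ ]+) /\1 /'`, or better, install the key itself through the `authorized_key` module so nothing needs rewriting. Note also that Ansible's `shell` only reports the last command's exit status, so a failing `install` (here it even lacks its destination operand) is masked by a succeeding `sed` unless the script begins with `set -e`.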
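Review bot: The `command: /usr/bin/virsh net-define /etc/libvirt/qemu/networks/default.xml` task runs and reports "changed" on every play, and if the `default` network was already active with the old 192.168.122.0/24 range, `net-define` only replaces the persistent definition — the live network keeps its addresses until it is destroyed and started again, so the following `virt_net: state: active` does not apply the new range. Register the `replace` result and guard the redefinition with `when: netxml.changed`, then force `state: inactive` before `state: active`, so the change is applied exactly once. Editing `/etc/libvirt/qemu/networks/default.xml` in place is also what libvirt's own header in that file warns against; `virsh net-edit`, or `net-define` from a template the playbook owns, is the supported path.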
From: Lars Wirzenius
Date: Mon, 5 Oct 2020 10:26:34 +0300
Subject: don't rmember host keys
---
manager-ssh-config | 1 +
1 file changed, 1 insertion(+)
diff --git a/manager-ssh-config b/manager-ssh-config
index 7569c07..0921845 100644
--- a/manager-ssh-config
+++ b/manager-ssh-config
@@ -1,3 +1,4 @@
Host 192.168.*
StrictHostKeyChecking accept-new
+ UserKnownHostsFile /dev/null
IdentityFile ~/.ssh/manager.key
-- cgit v1.2.1
From 864b2ea9ff43307b2a616410d0607c63da0b6661 Mon Sep 17 00:00:00 2001
From: Lars Wirzenius
Date: Mon, 5 Oct 2020 10:26:52 +0300
Subject: use image file for workspace
---
contractor | 104 ++++++++++++++++++++++++++++++++++++++++++++++++-------------
1 file changed, 82 insertions(+), 22 deletions(-)
diff --git a/contractor b/contractor
index e45bfb7..7b71437 100755
--- a/contractor
+++ b/contractor
@@ -17,8 +17,10 @@ import yaml
DEFAULT_CONFIGS = {os.path.expanduser("~/.config/contractor/config.yaml")}
-# The device in the manager VM for the workspace disk.
-WS_DEV = "/dev/vdb"
+# The disk image file on the manager VM for the workspace disk.
+WS_IMG = "/home/manager/workspace.img"
+WS_SIZE = "20G"
+WS_MNT = "/mnt"
# The worker VM image file on manager VM.
@@ -29,14 +31,6 @@ WORKER_IMG = "worker.img"
TEMP_IMG = "temp.img"
-# The UID of the worker account, on the worker VM.
-WORKER_UID = 1000
-
-
-# The GID of the worker account, on the worker VM.
-WORKER_GID = 1000
-
-
class ExecResult:
def __init__(self, stdout, stderr, exit_code):
self.stdout = stdout
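Review bot: Adding `UserKnownHostsFile /dev/null` next to `StrictHostKeyChecking accept-new` for `Host 192.168.*` means no host key is ever remembered and every key is accepted, i.e. verification is off for the whole private range the manager and worker VMs live on; anything that can answer on that network can stand in for the manager, receive the source tree and workspace the client rsyncs to it, and hand back forged build results. The design depends on the manager being who the client thinks it is, so keep a dedicated file instead, `UserKnownHostsFile ~/.ssh/manager.known_hosts`, seeded with the key read from the VM when it is created and cleared when remove-vm destroys it. That gives the same "no stale key" convenience without accepting every key.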
@@ -258,12 +252,44 @@ class StartGuestNetworking(MayFail):
return virsh("net-start", "default")
+class GetUID(RemoteExecution):
+ def msg(self):
+ return "get UID on manager"
+
+ def argv(self):
+ return ["id", "-u"]
+
+
+class GetGID(RemoteExecution):
+ def msg(self):
+ return "get GID of on manager"
+
+ def argv(self):
+ return ["id", "-g"]
+
+
+class CreateWS(RemoteExecution):
+ def msg(self):
+ return "creating workspace on manager"
+
+ def argv(self):
+ return ["qemu-img", "create", "-q", "-f", "raw", WS_IMG, WS_SIZE]
+
+
+class MkfsWS(RemoteExecution):
+ def msg(self):
+ return "mkfs workspace on manager"
+
+ def argv(self):
+ return ["sudo", "mkfs", "-t", "ext4", "-q", WS_IMG]
+
+
class MountWS(RemoteExecution):
def msg(self):
return "mounting workspace on manager"
def argv(self):
- return ["sudo", "mount", WS_DEV, "/mnt"]
+ return ["sudo", "mount", "-oloop", WS_IMG, WS_MNT]
class MountWSonWorker(RemoteExecution):
@@ -279,7 +305,7 @@ class TryUnmountWS(MayFail):
return "trying to unmount workspace on manager"
def argv(self):
- return ["sudo", "umount", "--quiet", WS_DEV]
+ return ["sudo", "umount", "--quiet", WS_IMG]
class UnmountWS(RemoteExecution):
@@ -287,15 +313,19 @@ class UnmountWS(RemoteExecution):
return "unmounting workspace on manager"
def argv(self):
- return ["sudo", "umount", "--quiet", WS_DEV]
+ return ["sudo", "umount", "--quiet", WS_IMG]
class ChownWS(RemoteExecution):
+ def __init__(self, uid, gid):
+ self.uid = uid
+ self.gid = gid
+
def msg(self):
return "set ownerships on workspace"
def argv(self):
- return ["sudo", "chown", "-R", "{}:{}".format(WORKER_UID, WORKER_GID), "/mnt"]
+ return ["sudo", "chown", "-R", "{}:{}".format(self.uid, self.gid), WS_MNT]
class Mkdir(RemoteExecution):
@@ -367,7 +397,7 @@ class AttachWS(RemoteExecution):
"--quiet",
"attach-disk",
"worker",
- WS_DEV,
+ WS_IMG,
"vdb",
"--targetbus",
"virtio",
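Review bot: `MountWS` loop-mounts `WS_IMG` on the manager with a bare `-oloop`; since the same image is attached read-write to the worker VM (`AttachWS`, further down) and the workspace is later rsynced back from `WS_MNT`, the manager kernel is being asked to mount and walk an ext4 image the untrusted build wrote. At minimum mount it with `return ["sudo", "mount", "-oloop,nosuid,nodev,noexec", WS_IMG, WS_MNT]` so setuid binaries or device nodes planted in the workspace are inert on the manager, and record in the threat model that the filesystem parser itself is attack surface (a fresh image per build, which `CreateWS`/`MkfsWS` give you, narrows but does not remove it). `MkfsWS` does not need `sudo` for a regular file the manager user owns, which removes one privileged step from the sequence.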
@@ -509,7 +539,7 @@ def upload_worker_image(vrb, filename, dest, port):
def sync_to_workspace(vrb, frm, dest, port, subdir):
- destdir = "/mnt/{}".format(subdir)
+ destdir = "{}/{}".format(WS_MNT, subdir)
vrb("syncing local {} to manager {}".format(frm, destdir))
er = rsync("{}/.".format(frm), "{}:{}/.".format(dest, destdir), port)
if er.failed():
@@ -518,10 +548,10 @@ def sync_to_workspace(vrb, frm, dest, port, subdir):
def sync_from_workspace(vrb, dest, port, ws):
- vrb("syncing manager /mnt to local {}".format(ws))
+ vrb("syncing manager {} to local {}".format(WS_MNT, ws))
if not os.path.exists(ws):
os.makedirs(ws)
- er = rsync("{}:/mnt/.".format(dest), "{}/.".format(ws), port)
+ er = rsync("{}:{}/.".format(dest), "{}/.".format(WS_MNT, ws), port)
if er.failed():
error("Failed to rsync workspace from worker")
sys.exit(1)
@@ -605,12 +635,39 @@ def cmd_build(args):
CopyWorkerImage(),
StartGuestNetworking(),
CreateWorkerVM(),
- TryUnmountWS(),
- MountWS(),
- ChownWS(),
]
exec_quietly(manager, *execs)
+ with Timer(vrb, "start-worker"):
+ execs = [GetUID()]
+ er = exec_quietly(manager, *execs)
+ manager_uid = int(er.stdout)
+
+ with Timer(vrb, "start-worker"):
+ execs = [GetGID()]
+ er = exec_quietly(manager, *execs)
+ manager_gid = int(er.stdout)
+
+ with Timer(vrb, "start-worker"):
+ execs = [TryUnmountWS()]
+ exec_quietly(manager, *execs)
+
+ with Timer(vrb, "start-worker"):
+ execs = [CreateWS()]
+ exec_quietly(manager, *execs)
+
+ with Timer(vrb, "start-worker"):
+ execs = [MkfsWS()]
+ exec_quietly(manager, *execs)
+
+ with Timer(vrb, "start-worker"):
+ execs = [MountWS()]
+ exec_quietly(manager, *execs)
+
+ with Timer(vrb, "start-worker"):
+ execs = [ChownWS(manager_uid, manager_gid)]
+ exec_quietly(manager, *execs)
+
with Timer(vrb, "upload-saved-workspace"):
ws = bs.workspace()
if ws:
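Review bot: The rewritten rsync call in `sync_from_workspace` has its format arguments crossed: `"{}:{}/.".format(dest)` has two placeholders but one argument and raises `IndexError`, while `"{}/.".format(WS_MNT, ws)` silently drops `ws`, so every build that reaches the download step fails before rsync even runs. It should read `er = rsync("{}:{}/.".format(dest, WS_MNT), "{}/.".format(ws), port)`. The log text on the next line still says "from worker" although the copy is from the manager's `WS_MNT`.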
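Review bot: All seven new `with Timer(vrb, "start-worker")` blocks in `cmd_build` reuse the same label, so the timing output no longer says which step (uid lookup, unmount, create, mkfs, mount, chown) took the time, and each single-element `execs` list costs its own SSH round trip. Either give each block its own label (`"get-manager-uid"`, `"create-workspace"`, ...) or run the whole workspace setup as one `exec_quietly(manager, TryUnmountWS(), CreateWS(), MkfsWS(), MountWS(), ChownWS(manager_uid, manager_gid))` under a single `"prepare-workspace"` timer. `cmd_build` continues outside the hunk.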
@@ -619,7 +676,10 @@ def cmd_build(args):
sync_to_workspace(vrb, ws, dest, port, ".")
with Timer(vrb, "upload-source"):
- exec_quietly(manager, Mkdir("/mnt/src", owner=WORKER_UID, group=WORKER_GID))
+ exec_quietly(
+ manager,
+ Mkdir("{}/src".format(WS_MNT), owner=manager_uid, group=manager_gid),
+ )
src = bs.source()
sync_to_workspace(vrb, src, dest, port, "src")
-- cgit v1.2.1
From 21a34ead1ed194dda53c2c5ecb5075e8eb1652d7 Mon Sep 17 00:00:00 2001
From: Lars Wirzenius
Date: Mon, 5 Oct 2020 11:12:17 +0300
Subject: fixes for ws handline
---
contractor | 41 ++++++++++++++++++++++-------------------
1 file changed, 22 insertions(+), 19 deletions(-)
diff --git a/contractor b/contractor
index 7b71437..9d06e34 100755
--- a/contractor
+++ b/contractor
@@ -23,6 +23,10 @@ WS_SIZE = "20G"
WS_MNT = "/mnt"
+# The device on the worker for the workspace disk.
+WORKER_WS_DEV = "vdb"
+
+
# The worker VM image file on manager VM.
WORKER_IMG = "worker.img"
@@ -268,6 +272,14 @@ class GetGID(RemoteExecution):
return ["id", "-g"]
+class RemoveWS(RemoteExecution):
+ def msg(self):
+ return "remove workspace image on manager"
+
+ def argv(self):
+ return ["rm", "-f", WS_IMG]
+
+
class CreateWS(RemoteExecution):
def msg(self):
return "creating workspace on manager"
@@ -297,7 +309,7 @@ class MountWSonWorker(RemoteExecution):
return "mounting workspace on worker"
def argv(self):
- return ["sudo", "mount", "/dev/vdb", "/workspace"]
+ return ["sudo", "mount", "/dev/{}".format(WORKER_WS_DEV), "/workspace"]
class TryUnmountWS(MayFail):
@@ -398,7 +410,7 @@ class AttachWS(RemoteExecution):
"attach-disk",
"worker",
WS_IMG,
- "vdb",
+ WORKER_WS_DEV,
"--targetbus",
"virtio",
"--live",
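Review bot: `Mkdir("{}/src".format(WS_MNT), owner=manager_uid, group=manager_gid)` now chowns the source directory to the manager account's ids taken from `id -u`/`id -g`, yet the workspace is afterwards attached to the worker VM and written by the build there; unless the account running the build in the worker image happens to share that uid (the removed `WORKER_UID = 1000` suggests 1000 was assumed), the build cannot write under `/workspace/src`. Either document that assumption at `GetUID`, e.g. `# assumes the builder account in the worker image has the same uid/gid as the manager user`, or take the worker-side ids from the worker image configuration instead. `cmd_build` continues outside the hunk.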
@@ -649,23 +661,14 @@ def cmd_build(args):
manager_gid = int(er.stdout)
with Timer(vrb, "start-worker"):
- execs = [TryUnmountWS()]
- exec_quietly(manager, *execs)
-
- with Timer(vrb, "start-worker"):
- execs = [CreateWS()]
- exec_quietly(manager, *execs)
-
- with Timer(vrb, "start-worker"):
- execs = [MkfsWS()]
- exec_quietly(manager, *execs)
-
- with Timer(vrb, "start-worker"):
- execs = [MountWS()]
- exec_quietly(manager, *execs)
-
- with Timer(vrb, "start-worker"):
- execs = [ChownWS(manager_uid, manager_gid)]
+ execs = [
+ TryUnmountWS(),
+ RemoveWS(),
+ CreateWS(),
+ MkfsWS(),
+ MountWS(),
+ ChownWS(manager_uid, manager_gid),
+ ]
exec_quietly(manager, *execs)
with Timer(vrb, "upload-saved-workspace"):
-- cgit v1.2.1
From 339df49dc0a35f136925c6b91ab99b879a213dea Mon Sep 17 00:00:00 2001
From: Lars Wirzenius
Date: Mon, 5 Oct 2020 11:12:35 +0300
Subject: configure nop.yaml to use worker image outside src
---
nop.yaml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/nop.yaml b/nop.yaml
index 4ecef9d..8d168cd 100644
--- a/nop.yaml
+++ b/nop.yaml
@@ -1,4 +1,4 @@
-worker-image: ~/tmp/contractor/worker.img
-source: nop
+worker-image: ~/worker.img
+source: .
build: |
echo hello, world
-- cgit v1.2.1
From 52d5fdd55c9b0abf340a2c26e8fa5195e522faac Mon Sep 17 00:00:00 2001
From: Lars Wirzenius
Date: Mon, 5 Oct 2020 11:12:54 +0300
Subject: run nop build once
---
try.sh | 6 ++++++
1 file changed, 6 insertions(+)
create mode 100755 try.sh
diff --git a/try.sh b/try.sh
new file mode 100755
index 0000000..38e1030
--- /dev/null
+++ b/try.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+set -eu -o pipefail
+
+./contractor -c manager-config.yaml build nop.yaml
+rm -f ~/contractor.log
-- cgit v1.2.1
From 11c792b80ab3121d44a2ab7c04af3e20d4900af7 Mon Sep 17 00:00:00 2001
From: Lars Wirzenius Date: Thu, 15 Oct 2020 11:16:59 +0300 Subject: fix contractor so it works for subplot --- contractor | 6 +++--- manager.yml | 1 + nop.yaml | 2 +- 3 files changed, 5 insertions(+), 4 deletions(-) diff --git a/contractor b/contractor index 9d06e34..75d809f 100755 --- a/contractor +++ b/contractor @@ -553,17 +553,17 @@ def upload_worker_image(vrb, filename, dest, port): def sync_to_workspace(vrb, frm, dest, port, subdir): destdir = "{}/{}".format(WS_MNT, subdir) vrb("syncing local {} to manager {}".format(frm, destdir)) - er = rsync("{}/.".format(frm), "{}:{}/.".format(dest, destdir), port) + er = rsync(f"{frm}/.", f"{dest}:{destdir}/.", port) if er.failed(): error("Failed to rsync saved workspace to worker") sys.exit(1) def sync_from_workspace(vrb, dest, port, ws): - vrb("syncing manager {} to local {}".format(WS_MNT, ws)) + vrb("syncing manager {!r} to local {!r} (port {!r})".format(WS_MNT, ws, port)) if not os.path.exists(ws): os.makedirs(ws) - er = rsync("{}:{}/.".format(dest), "{}/.".format(WS_MNT, ws), port) + er = rsync(f"{dest}:{WS_MNT}/.", f"{ws}/.", port) if er.failed(): error("Failed to rsync workspace from worker") sys.exit(1) diff --git a/manager.yml b/manager.yml index 8f41d21..c6241c6 100644 --- a/manager.yml +++ b/manager.yml @@ -25,6 +25,7 @@ - rsync - kpartx - python3-lxml + - ansible - name: change IP block in default virtual network replace: diff --git a/nop.yaml b/nop.yaml index 8d168cd..0a84568 100644 --- a/nop.yaml +++ b/nop.yaml @@ -1,4 +1,4 @@ -worker-image: ~/worker.img +worker-image: ~/tmp/contractor/worker.img source: . build: | echo hello, world -- cgit v1.2.1 From 473e921dcfea0bccba1c345dbb7d72e400354705 Mon Sep 17 00:00:00 2001 From: Lars Wirzenius Date: Tue, 20 Oct 2020 10:02:25 +0300 Subject: fix: typo --- contractor.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/contractor.md b/contractor.md index 3b18b0b..7cc55b2 100644 --- a/contractor.md +++ b/contractor.md 
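Review bot: The error text in `sync_from_workspace` and `sync_to_workspace` still says "from worker"/"to worker" (`error("Failed to rsync workspace from worker")`), but both rsync endpoints are `dest`, the manager, and the remote path is `WS_MNT`; on a failure the operator is pointed at the wrong machine. Suggest `error("Failed to rsync workspace from manager {}:{}".format(dest, WS_MNT))` and the matching "to manager" wording in the sibling function, and consider including `er.stderr` since the rsync exit reason is otherwise lost.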
@@ -455,7 +455,7 @@ abstract: | further things. It is becoming infeasible to vet the whole set of software running during a build. If a build includes running local tests (unit tests, some integration tests), the problem gets worse - in magintude, if not quality. + in magnitude, if not quality. Some software ecosystems are especially vulnerable to this (nodejs, Python, Ruby, Go, Rust), but it's true for anything that has -- cgit v1.2.1 From 926549b72c02e1bc9034913bf2ba938e0cb4c1cc Mon Sep 17 00:00:00 2001 From: Lars Wirzenius Date: Tue, 20 Oct 2020 10:03:38 +0300 Subject: doc: clarify that Linux distributions are not enough --- contractor.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/contractor.md b/contractor.md index 7cc55b2..643726e 100644 --- a/contractor.md +++ b/contractor.md @@ -461,7 +461,7 @@ abstract: | Python, Ruby, Go, Rust), but it's true for anything that has dependencies on any code from outside its own code base, and even if all the dependencies come from a trusted source, such as the - operating system vendor. + operating system vendor or a Linux distribution. The Contractor is an attempt to be able to build software securely, by leveraging virtual machine technology. It attempts to be -- cgit v1.2.1 From 5513bd098d4743a10cf9da19bc7f901617764a42 Mon Sep 17 00:00:00 2001 From: Lars Wirzenius Date: Tue, 20 Oct 2020 10:04:24 +0300 Subject: doc: drop pointless mention of Ick --- contractor.md | 4 ---- 1 file changed, 4 deletions(-) diff --git a/contractor.md b/contractor.md index 643726e..a9e524c 100644 --- a/contractor.md +++ b/contractor.md @@ -467,8 +467,4 @@ abstract: | by leveraging virtual machine technology. It attempts to be secure, convenient, and reasonably efficient. - The Contractor is not a replacement for a Continuous Integration - engine, but its technology will hopefully one day become part of the - Ick CI engine. - ... -- cgit v1.2.1 From 18478cc0d45cc4da97398e3a4e8792c822fb09b1 Mon Sep 17 00:00:00 2001 
From: Lars Wirzenius Date: Tue, 20 Oct 2020 10:06:20 +0300 Subject: doc: improve phrasing a little --- contractor.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/contractor.md b/contractor.md index a9e524c..3b4d256 100644 --- a/contractor.md +++ b/contractor.md @@ -15,7 +15,8 @@ fundamentally the same. The process is roughly as follows: * run the software, perhaps as part of unit testing When the software is run, even if only a small unit of it, it can do -anything that the person running the build can do, in principle: +anything that the person running the build can do. For example, it can +do any and all of the following: * delete files * modify files -- cgit v1.2.1 From 2f2fe59e2e7733e6b08f93cf57d104e5b570b4c8 Mon Sep 17 00:00:00 2001 From: Lars Wirzenius Date: Tue, 20 Oct 2020 10:07:49 +0300 Subject: doc: add note that it's possible to guard against risks Don't want to be too alarmist. --- contractor.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/contractor.md b/contractor.md index 3b4d256..32ba336 100644 --- a/contractor.md +++ b/contractor.md @@ -16,7 +16,7 @@ fundamentally the same. The process is roughly as follows: When the software is run, even if only a small unit of it, it can do anything that the person running the build can do. For example, it can -do any and all of the following: +do any and all of the following, unless guarded against: * delete files * modify files -- cgit v1.2.1 From 3f07b2888519ec4b5f599d4193220bb3daa643a6 Mon Sep 17 00:00:00 2001 From: Lars Wirzenius Date: Tue, 20 Oct 2020 10:08:26 +0300 Subject: doc: drop mention of ld.so bug in Debian Can't find a reference. --- contractor.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/contractor.md b/contractor.md index 32ba336..72d94dd 100644 --- a/contractor.md +++ b/contractor.md 
@@ -35,8 +35,6 @@ they work with don't do any of that. In both cases, they may be wrong: mistakes happen. It's a well-guarded secret among programmers that they sometimes, even if rarely, make catastrophic mistakes. -**FIXME**: reference the bug in Debian that removed the ld.so symlink - Accidents aside, mayhem and chaos may be intentional. Your own project may not have malware, and you may have vetted all your dependencies, and you trust them. But your dependencies have dependencies, which -- cgit v1.2.1 From 7e80f9819632c6d0756f346f205fe177e832ff5d Mon Sep 17 00:00:00 2001 From: Lars Wirzenius Date: Tue, 20 Oct 2020 10:09:48 +0300 Subject: doc: better word choice --- contractor.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/contractor.md b/contractor.md index 72d94dd..b65ed79 100644 --- a/contractor.md +++ b/contractor.md @@ -42,7 +42,7 @@ have further dependencies, which have dependencies of their own. You'd need to vet the whole dependency tree. Even decades ago, in the 1990s, this could easily be hundreds of thousands of lines of code, and modern systems a much larger. Note that build tools are themselves -dependencies, as is the whole operating system. Any code that is used +dependencies, as is the whole operating system. Any code that is invoked in the build process is a dependency. How certain are you that you can spot malicious code that's -- cgit v1.2.1 From 0309f7da3ff2c17650cf380ed1d579f7015957ed Mon Sep 17 00:00:00 2001 From: Lars Wirzenius Date: Tue, 20 Oct 2020 10:11:07 +0300 Subject: fix: add missing word --- contractor.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/contractor.md b/contractor.md index b65ed79..487f4ab 100644 --- a/contractor.md +++ b/contractor.md 
@@ -59,7 +59,7 @@ This risk affects every operating system and every programming language. The degree in which it exists varies, a lot. Some programming language ecosystems seem more vulnerable than others: the nodejs/npm one, for example, values tiny and highly focused packages, -which leads to immense dependency trees. The direct or indirect +which leads to immense dependency trees. The more direct or indirect dependencies there are, the higher the chance that one of them turns out to be bad. -- cgit v1.2.1 From f76b963b2ad1622c8a78c9fd4f3cc24d9dc3186c Mon Sep 17 00:00:00 2001 From: Lars Wirzenius Date: Tue, 20 Oct 2020 10:15:31 +0300 Subject: fix: typo --- contractor.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/contractor.md b/contractor.md index 487f4ab..3df114e 100644 --- a/contractor.md +++ b/contractor.md @@ -164,7 +164,7 @@ These requirements stem from the threat model above. * **DefaultBuilder**: The Contractor SHOULD be easy to set up and to use. It should not require extensive configuration. Running a build - should be as easy as running **make**(1) on the commadnd line. It + should be as easy as running **make**(1) on the command line. It should be feasible to expect developers to use the Contractor for their normal development work. -- cgit v1.2.1 From 0bda1fb0d141e633fc5ac9674c9c16f7b2791fd5 Mon Sep 17 00:00:00 2001 From: Lars Wirzenius Date: Tue, 20 Oct 2020 10:22:28 +0300 Subject: doc: drop pointless mention of "will change soon" --- contractor.md | 3 --- 1 file changed, 3 deletions(-) diff --git a/contractor.md b/contractor.md index 3df114e..6eedee3 100644 --- a/contractor.md +++ b/contractor.md 
@@ -243,9 +243,6 @@ This high-level design is chosen for the following reasons: technologies, although it doesn't do much to protect against virtualisation or hardware vulnerabilities (**HostProtection**) -**HOWEVER**, this architecture needs improvements, which will happen -soon. The current implementation is a proof of concept only. - ## Build process The architecture leads to a build process that would work roughly like -- cgit v1.2.1 From 515aa564410e068c3ed9d7f882a49e10077d62c2 Mon Sep 17 00:00:00 2001 From: Lars Wirzenius Date: Tue, 20 Oct 2020 10:25:24 +0300 Subject: doc: mark section as needing updates --- contractor.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/contractor.md b/contractor.md index 6eedee3..430bd87 100644 --- a/contractor.md +++ b/contractor.md @@ -264,7 +264,7 @@ this: * command line tool reports to the developer build success or failure and where build log and build artifacts are -## Implementation sketch +## Implementation sketch (FIXME: update) This is the current status, to be improved upon. -- cgit v1.2.1