From 7990053403efe8cae8610168cd97c3b53f621b6d Mon Sep 17 00:00:00 2001
From: Brendan Golden
Date: Wed, 24 Jan 2024 18:05:04 +0000
Subject: [PATCH] setup an image for trainees to have access
Signed-off-by: Brendan Golden
---
base_trainee.yaml | 72 +++++++++++++++++++++++++++++++++++++++++
files/sssd.conf_trainee | 38 ++++++++++++++++++++++
files/sudoers_trainee | 51 +++++++++++++++++++++++++++++
run.sh | 47 +++++++++++++++++++++++++++--
4 files changed, 205 insertions(+), 3 deletions(-)
create mode 100644 base_trainee.yaml
create mode 100644 files/sssd.conf_trainee
create mode 100644 files/sudoers_trainee
diff --git a/base_trainee.yaml b/base_trainee.yaml
new file mode 100644
index 0000000..7dae3eb
--- /dev/null
+++ b/base_trainee.yaml
@@ -0,0 +1,72 @@
+image:
+ name: debian-disco-x86_64
+ distribution: debian
+ release: bookworm
+ description: |-
+ Debian {{ image.release }}
+ architecture: amd64
+
+source:
+ downloader: rootfs-http
+ url: file://SKYNET_ROOT_DIR/images/base/rootfs.tar.xz
+
+targets:
+ lxc:
+ create_message: |-
+ You just created an {{ image.description }} container.
+
+ To enable SSH, run: apt install openssh-server
+ No default root or user password are set by LXC.
+ config:
+ - type: all
+ before: 5
+ content: |-
+ lxc.include = LXC_TEMPLATE_CONFIG/debian.common.conf
+
+ - type: user
+ before: 5
+ content: |-
+ lxc.include = LXC_TEMPLATE_CONFIG/debian.userns.conf
+
+ - type: all
+ after: 4
+ content: |-
+ lxc.include = LXC_TEMPLATE_CONFIG/common.conf
+
+ - type: user
+ after: 4
+ content: |-
+ lxc.include = LXC_TEMPLATE_CONFIG/userns.conf
+
+ - type: all
+ content: |-
+ lxc.arch = {{ image.architecture_personality }}
+
+files:
+- path: /skynet/sssd.conf
+ generator: copy
+ source: ./files/sssd.conf_trainee
+
+- path: /skynet/sudoers
+ generator: copy
+ source: ./files/sudoers_trainee
+
+packages:
+ manager: apt
+ update: true
+ cleanup: true
+ sets:
+
+
+actions:
+- trigger: post-files
+ action: |-
+ #!/bin/sh
+ set -eux
+
+ cp /skynet/sssd.conf /etc/sssd/sssd.conf
+ chmod 600 /etc/sssd/sssd.conf
+
+ cp /skynet/sudoers /etc/sudoers
+ chmod 440 /etc/sudoers
+
diff --git a/files/sssd.conf_trainee b/files/sssd.conf_trainee
new file mode 100644
index 0000000..2033a1e
--- /dev/null
+++ b/files/sssd.conf_trainee
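Review bot: The post-files action copies `/skynet/sudoers` over `/etc/sudoers` with no syntax check, so a typo in files/sudoers_trainee yields an image where sudo refuses to run for anyone; after the `chmod 440 /etc/sudoers` line add `visudo -cf /etc/sudoers`, which fails the build under `set -eux` instead of shipping the broken file. The staged copies under `/skynet/` remain in the finished image; delete them at the end of the action once they have been installed. `packages.sets:` is empty, so nothing in this config installs sssd or sudo — the action only succeeds if the base rootfs referenced by `source.url` already ships them (including `/etc/sssd/`), which this change does not show. `image.name: debian-disco-x86_64` also contradicts `release: bookworm`; `debian-bookworm-x86_64` would avoid confusion.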
@@ -0,0 +1,38 @@
+[domain/skynet.ie]
+id_provider = ldap
+auth_provider = ldap
+sudo_provider = ldap
+
+ldap_uri = ldap://account.skynet.ie:389
+
+ldap_search_base = dc=skynet,dc=ie
+# thank ye https://medium.com/techish-cloud/linux-user-ssh-authentication-with-sssd-ldap-without-joining-domain-9151396d967d
+ldap_user_search_base = ou=users,dc=skynet,dc=ie?sub?(|(skMemberOf=cn=skynet-admins-linux,ou=groups,dc=skynet,dc=ie)(skMemberOf=cn=skynet-trainees-linux,ou=groups,dc=skynet,dc=ie))
+ldap_group_search_base = ou=groups,dc=skynet,dc=ie
+# using commas from https://support.hpe.com/hpesc/public/docDisplay?docId=c02793175&docLocale=en_US
+ldap_sudo_search_base = ou=users,dc=skynet,dc=ie?sub?(|(skMemberOf=cn=skynet-admins-linux,ou=groups,dc=skynet,dc=ie)(skMemberOf=cn=skynet-trainees-linux,ou=groups,dc=skynet,dc=ie))
+
+ldap_group_nesting_level = 5
+
+cache_credentials = false
+entry_cache_timeout = 1
+
+ldap_user_member_of = skMemberOf
+
+override_shell = /bin/bash
+#ldap_library_debug_level = -1
+#ldap_schema = rfc2307bis
+
+[sssd]
+config_file_version = 2
+services = nss, pam, sudo, ssh
+domains = skynet.ie
+
+[nss]
+# override_homedir = /home/%u
+
+[pam]
+
+[sudo]
+
+[autofs]
diff --git a/files/sudoers_trainee b/files/sudoers_trainee
new file mode 100644
index 0000000..265b907
--- /dev/null
+++ b/files/sudoers_trainee
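Review bot: `id_provider = ldap` with `ldap_uri = ldap://account.skynet.ie:389` and no `ldap_id_use_start_tls` means user and group lookups — including the `skMemberOf` filter results that decide who may log in — go over port 389 in cleartext; SSSD enforces TLS only for the password bind made by `auth_provider`, and with `ldap_tls_cacert` unset the certificate check for that bind depends on whatever the system CA store happens to contain. Add `ldap_id_use_start_tls = true` and set `ldap_tls_cacert` to the CA that issued the directory server's certificate (or move to `ldaps://`). `entry_cache_timeout = 1` together with `cache_credentials = false` makes every lookup round-trip to the directory, which is presumably deliberate so that removing a trainee from the group takes effect almost immediately; a comment stating that would stop the next reader from "fixing" it.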
@@ -0,0 +1,51 @@
+#
+# See the man page for details on how to write a sudoers file.
+#
+Defaults env_reset
+Defaults mail_badpass
+Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+
+# This fixes CVE-2005-4890 and possibly breaks some versions of kdesu
+# (#1011624, https://bugs.kde.org/show_bug.cgi?id=452532)
+Defaults use_pty
+
+# This preserves proxy settings from user environments of root
+# equivalent users (group sudo)
+#Defaults:%sudo env_keep += "http_proxy https_proxy ftp_proxy all_proxy no_proxy"
+
+# This allows running arbitrary commands, but so does ALL, and it means
+# different sudoers have their choice of editor respected.
+#Defaults:%sudo env_keep += "EDITOR"
+
+# Completely harmless preservation of a user preference.
+#Defaults:%sudo env_keep += "GREP_COLOR"
+
+# While you shouldn't normally run git as root, you need to with etckeeper
+#Defaults:%sudo env_keep += "GIT_AUTHOR_* GIT_COMMITTER_*"
+
+# Per-user preferences; root won't have sensible values for them.
+#Defaults:%sudo env_keep += "EMAIL DEBEMAIL DEBFULLNAME"
+
+# "sudo scp" or "sudo rsync" should be able to use your SSH agent.
+#Defaults:%sudo env_keep += "SSH_AGENT_PID SSH_AUTH_SOCK"
+
+# Ditto for GPG agent
+#Defaults:%sudo env_keep += "GPG_AGENT_INFO"
+
+# Host alias specification
+
+# User alias specification
+
+# Cmnd alias specification
+
+# User privilege specification
+root ALL=(ALL:ALL) ALL
+
+# Allow members of group sudo to execute any command
+%sudo ALL=(ALL:ALL) ALL
+%skynet-admins-linux ALL=(ALL:ALL) NOPASSWD: ALL
+%skynet-trainees-linux ALL=(ALL:ALL) ALL
+
+# See sudoers(5) for more information on "@include" directives:
+
+@includedir /etc/sudoers.d
diff --git a/run.sh b/run.sh
index 59ce264..8961c78 100755
--- a/run.sh
+++ b/run.sh
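Review bot: `%skynet-trainees-linux ALL=(ALL:ALL) ALL` gives the trainee group unrestricted root, identical to the `%sudo` line above it, so the `sudo_provider = ldap` configured in files/sssd.conf_trainee can never narrow what a trainee may run — under the usual `sudoers: files sss` lookup order a static file grant is honoured alongside the directory rules, not overridden by them. If the trainee image is meant to be scoped, drop that line and keep trainee rules in the directory, or restrict it to a command alias; if full root is the intent, at least add `Defaults:%skynet-trainees-linux log_output` so trainee sessions are recorded. The `NOPASSWD:` on `%skynet-admins-linux` is presumably there because `cache_credentials = false` would otherwise make every admin prompt depend on a live directory, but that rationale belongs in a comment next to the line.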
@@ -1,9 +1,50 @@
 # nix-shell -p lxc debootstrap distrobuilder
-cp /etc/resolv.conf /etc/resolv.conf.bak
+function setup(){
+ cp /etc/resolv.conf /etc/resolv.conf.bak
+}
-distrobuilder build-lxc base.yaml ./images/base
+function cleanup(){
+ cp /etc/resolv.conf.bak /etc/resolv.conf
+
+ # reset permissions of output folder to the owner
+ local owner=$(ls -ld $PWD | awk '{print $3}')
+ local group=$(ls -ld $PWD | awk '{print $4}')
+
+ chown -R "$owner:$group" ./images
+}
+function build () {
+ local config="$1"
+ local location="$2"
-cp /etc/resolv.conf.bak /etc/resolv.conf
+ # file:// cannot have relative paths, so use a bit of subsitution to fix
+ if grep -q SKYNET_ROOT_DIR "$config"; then
+
+ # create a copy with the file
+ cp "$config" "$config.tmp"
+ # sed normally uses / but that conflcts with file paths so use @ instead
+ sed -i "s@SKYNET_ROOT_DIR@$PWD@g" "$config.tmp"
+
+ # normal command
+ distrobuilder build-lxc "$config.tmp" $location
+
+ # cleanup
+ rm "$config.tmp"
+ else
+ distrobuilder build-lxc $config $location
+ fi
+}
+
+function main(){
+ setup
+
+ build base.yaml ./images/base
+ build base_trainee.yaml ./images/base_trainee
+
+ cleanup
+}
+
+
+main
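Review bot: Nothing in run.sh stops on error and `cleanup` is only reached by falling through `main`, so a failed or interrupted `distrobuilder build-lxc` leaves the host with the builder's `/etc/resolv.conf` in place and `$config.tmp` lying in the checkout (the `rm "$config.tmp"` after it is skipped too). Add `set -euo pipefail` at the top, register `trap cleanup EXIT` in `main` right after `setup`, and quote `"$location"` and `"$config"` in both `distrobuilder` calls so a path with spaces is passed as one argument. The `local owner=$(ls -ld $PWD | awk ...)` pair parses ls output with an unquoted `$PWD` and hides the command's exit status behind `local`; GNU `stat -c '%u:%g' .` yields the same owner:group in one call. The `sed -i "s@SKYNET_ROOT_DIR@$PWD@g"` substitution also misbehaves if the checkout path contains `@`, `&` or `\`, which deserves at least a comment on that line.
```shell
set -euo pipefail

function cleanup(){
  cp /etc/resolv.conf.bak /etc/resolv.conf

  # reset permissions of output folder to the owner (numeric uid:gid of the cwd)
  chown -R "$(stat -c '%u:%g' .)" ./images
}
# … unchanged: setup, build (with "$config" and "$location" quoted in both distrobuilder calls) …

function main(){
  setup
  # restore resolv.conf and ownership even when a build fails or is interrupted
  trap cleanup EXIT

  build base.yaml ./images/base
  build base_trainee.yaml ./images/base_trainee
}
```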