diff --git a/.gitmodules b/.gitmodules
index 26e5463e..f5677f5c 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -3,7 +3,7 @@
 url = https://github.com/jtyr/ansible-udev_rename_netiface.git
 [submodule "ansible/roles/network_interface"]
 path = ansible/roles/network_interface
- url = https://github.com/MartinVerges/ansible.network_interface.git
+ url = https://github.com/mit-scripts/ansible.network_interface.git
 [submodule "ansible/roles/pacemaker-corosync"]
 path = ansible/roles/pacemaker-corosync
 url = https://github.com/mit-scripts/ansible-pacemaker-corosync.git
diff --git a/ansible/.gitignore b/ansible/.gitignore
index a8b42eb6..7d07d7f9 100644
--- a/ansible/.gitignore
+++ b/ansible/.gitignore
@@ -1 +1,2 @@
 *.retry
+*.pyc
diff --git a/ansible/ansible.cfg b/ansible/ansible.cfg
index 9dc5a964..bc038617 100644
--- a/ansible/ansible.cfg
+++ b/ansible/ansible.cfg
@@ -1,6 +1,9 @@
 [defaults]
-inventory = inventory.yml
+inventory = inventory
 remote_user = root
+force_handlers = True
+callback_whitelist = log_plays
+conditional_bare_variables = False
 
 [ssh_connection]
 pipelining = True
diff --git a/ansible/files/dotfiles/.bashrc b/ansible/files/dotfiles/.bashrc
new file mode 100644
index 00000000..6d5616a8
--- /dev/null
+++ b/ansible/files/dotfiles/.bashrc
@@ -0,0 +1,23 @@
+# .bashrc
+
+# User specific aliases and functions
+
+alias rm='rm -i'
+alias cp='cp -i'
+alias mv='mv -i'
+
+DEFAULTVISUAL=emacs
+if [ "$SSH_GSSAPI_NAME" = "adehnert/root@ATHENA.MIT.EDU" ]; then
+DEFAULTVISUAL=vim
+fi
+export VISUAL=${VISUAL:-$DEFAULTVISUAL}
+
+# Source global definitions
+if [ -f /etc/bashrc ]; then
+. /etc/bashrc
+fi
+
+alias vi=vim
+alias view='vim -R'
+
+logger -p authpriv.warning -t bash -- "Root bash shell for ${SSH_GSSAPI_NAME:-unknown} from ${SSH_CLIENT:-local}"
diff --git a/ansible/files/dotfiles/.emacs b/ansible/files/dotfiles/.emacs
new file mode 100644
index 00000000..84281ec7
--- /dev/null
+++ b/ansible/files/dotfiles/.emacs
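Review bot: `callback_whitelist = log_plays` enables a callback that by default appends every task result, module arguments included, to per-host files under /var/log/ansible/hosts on the control node, so any future task that passes a password or key material needs `no_log: true` and that directory needs root-only permissions, since it becomes a second copy of everything the play saw. A comment above the key naming where the log lands would make that visible, e.g. `# log_plays writes per-host task logs to /var/log/ansible/hosts/ on the controller`. `force_handlers = True` and `conditional_bare_variables = False` are added without explanation; one line each on why handlers must run after a failed play and which deprecation the second one pre-empts would help the next reader.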
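Review bot: The `logger` call at the end of .bashrc runs for every interactive non-login bash, so nested shells (a subshell from screen, `:sh` from vim, `bash` typed at the prompt) each emit another authpriv "Root bash shell" record, and the rsyslog rules in this commit publish each one via `re_match($msg, 'Root (\\S+) shell')`. Guarding it with a marker exported by the first shell keeps one record per session: `if [ -z "$ROOT_SHELL_LOGGED" ]; then export ROOT_SHELL_LOGGED=1; logger -p authpriv.warning -t bash -- "..."; fi`. The bodies of the two `if` blocks (`DEFAULTVISUAL=vim`, `. /etc/bashrc`) appear unindented in this view; if that is how the file is committed rather than an artifact, indenting them would help readability.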
@@ -0,0 +1,24 @@ +;; .emacs + +(custom-set-variables + ;; uncomment to always end a file with a newline + ;'(require-final-newline t) + ;; uncomment to disable loading of "default.el" at startup + ;'(inhibit-default-init t) + ;; default to unified diffs + '(diff-switches "-u")) + +;;; uncomment for CJK utf-8 support for non-Asian users +;; (require 'un-define) + +; show column numbers +(setq column-number-mode t) + +; use spaces, not tabs +(setq-default indent-tabs-mode nil) +(setq-default tab-width 4) +(setq indent-line-function 'insert-tab) + +; recognize python executables +(add-to-list 'interpreter-mode-alist + '("python2" . python-mode)) diff --git a/ansible/files/dotfiles/.ldapvirc b/ansible/files/dotfiles/.ldapvirc new file mode 100644 index 00000000..ee6c4b1f --- /dev/null +++ b/ansible/files/dotfiles/.ldapvirc @@ -0,0 +1,11 @@ +profile default +host ldap://scripts-ldap.mit.edu/ +base dc=scripts,dc=mit,dc=edu +# kinit -k -t /etc/signup.keytab daemon/scripts-signup.mit.edu +bind sasl +sasl-mech GSSAPI + +profile local +host ldapi://%2fvar%2frun%2fslapd-scripts.socket/ +bind sasl +sasl-mech EXTERNAL diff --git a/ansible/files/dotfiles/.screenrc b/ansible/files/dotfiles/.screenrc new file mode 100644 index 00000000..a9982520 --- /dev/null +++ b/ansible/files/dotfiles/.screenrc @@ -0,0 +1,6 @@ +startup_message off +msgwait 1 +hardstatus string "[screen %n*%f %t] %h" +caption always "%{= bW}%H %{+ c}%-Lw%50>%?%F%{+b W}%:%{+ w}%?%n*%f %t%{-}%+Lw%<%-010=%{+ W}" +altscreen on +defbce on diff --git a/ansible/files/dotfiles/.vimrc b/ansible/files/dotfiles/.vimrc new file mode 100644 index 00000000..1f59c2e9 --- /dev/null +++ b/ansible/files/dotfiles/.vimrc @@ -0,0 +1,3 @@ +set background=dark +set nocompatible +syntax on diff --git a/ansible/files/nrpe_local.cfg b/ansible/files/nrpe_local.cfg deleted file mode 100644 index 2c5723e5..00000000 --- a/ansible/files/nrpe_local.cfg +++ /dev/null 
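Review bot: The `default` profile in .ldapvirc uses a plain `ldap://` URL with no `tls` setting, so confidentiality of directory edits depends entirely on whether the GSSAPI bind negotiates a SASL security layer with scripts-ldap.mit.edu. ldapvi accepts the `tls` option in a profile; adding `tls strict` (if the server offers StartTLS) pins the protection instead of leaving it to negotiation, and a comment recording which of the two mechanisms is relied on would let a later reader verify it. The `# kinit -k -t /etc/signup.keytab daemon/scripts-signup.mit.edu` line documents the expected principal well; a similar line above `profile local` saying that `EXTERNAL` over the ldapi socket authenticates by the connecting process's uid would complete it.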
@@ -1,7 +0,0 @@ -allowed_hosts=18.4.60.65 -command[check_load]=/usr/lib/nagios/plugins/check_load -w 15,10,5 -c 30,25,20 -command[check_disk1]=/usr/lib/nagios/plugins/check_disk -w 20 -c 10 -p /dev/hda1 -command[check_disk2]=/usr/lib/nagios/plugins/check_disk -w 20 -c 10 -p /dev/hdb1 -command[check_zombie_procs]=/usr/lib/nagios/plugins/check_procs -w 5 -c 10 -s Z -command[check_total_procs]=/usr/lib/nagios/plugins/check_procs -w 150 -c 200 -command[check_disk]=/usr/lib/nagios/plugins/check_disk -w 10% -c 5% diff --git a/ansible/files/scripts-syslog.conf b/ansible/files/scripts-syslog.conf index 8d9fc0bd..a057baf9 100644 --- a/ansible/files/scripts-syslog.conf +++ b/ansible/files/scripts-syslog.conf @@ -1,4 +1,24 @@ -if \ +ruleset(name="zpublic") { + |/run/zephyr-syslog-public;RSYSLOG_SyslogProtocol23Format + stop +} +ruleset(name="zprivate") { + |/run/zephyr-syslog-private;RSYSLOG_SyslogProtocol23Format + stop +} + +# Putting zroot in a queue means we can use the "stop" operator +# without affecting file output. +# See https://www.rsyslog.com/doc/v8-stable/rainerscript/rainerscript_call.html +ruleset(name="zroot" queue.type="Direct") { + # https://www.rsyslog.com/doc/v8-stable/rainerscript/control_structures.html + # https://rainer.gerhards.net/2012/10/how-to-use-rsyslogs-ruleset-and-call-statements.html + # https://www.rsyslog.com/doc/v8-stable/configuration/filters.html + + # $msg always has a leading space: https://www.rsyslog.com/log-normalization-and-the-leading-space/ + + # First, audit-related messages go to scripts-auto + if \ ($programname == 'sshd' and ( \ $msg startswith ' Authorized to root, ' \ or \ 
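Review bot: The isolation the `zroot` comment relies on, that `stop` inside the called ruleset does not end processing for the file actions that follow the `call`, holds in rsyslog when the called ruleset has its own queue, and `queue.type="Direct"` is the mode that performs no real queueing; whether a direct-mode queue still counts as a bound queue for this purpose is worth confirming on a live host, because if it does not, every authpriv and severity<=4 message would be discarded before the local files see it, which is the audit record. A `logger -p authpriv.warning` test followed by a check of the local log file would settle it; record the result in the comment, e.g. `# Verified <date>: stop inside zroot does not affect later file actions` (date is a placeholder). The `if \` that opens at the bottom of this hunk continues into the next hunk.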
@@ -8,21 +28,89 @@ if \ or \ $msg == ' pam_unix(sshd:session): session closed for user root' \ )) \ -then |/run/zephyr-syslog-public;RSYSLOG_SyslogProtocol23Format + then { + call zpublic + } + # TODO: Look up ssh keys and annotate with whose key it is + # Publicly log all root sessions, except cron or sudo + if (re_match($msg, '^ pam_unix\\([^:]+:session\\): session \\S+ for user root')) then { + # Ignore all PAM session messages from cron + if ($programname == 'CRON') then stop + # sudo logs invocations itself with more information; ignore the + # PAM messages it generates. + if ($programname == 'sudo') then stop + # systemd --user can arbitrarily start PAM sessions; the + # underlying login session will trigger its own PAM logs so no + # need to report it twice. + if ($programname == 'systemd') then stop + call zpublic + } + if (re_match($msg, 'Root (\\S+) shell')) then call zpublic + if ($msg startswith ' Out of memory:') then call zpublic + if ($programname == 'admof') then call zpublic + # TODO: Spew when root runs su or sudo? 
+ + # Next, ignore known-safe chatty messages (list taken from the old + # d_zroot.pl, with some F30 rewordings added) + if (re_match($msg, '^ pam_unix\\([^:]+:session\\): session')) then stop + if ($programname == 'sshd') then { + if ($msg startswith ' Authorized to ') then stop + if ($msg startswith ' Accepted ') then stop + if ($msg startswith ' Connection closed') then stop + if ($msg startswith ' Closing connection to') then stop + if ($msg startswith ' Starting session: ') then stop + if ($msg startswith ' Close session: ') then stop + if (re_match($msg, '^ Connection from \\S+ port \\S+')) then stop + if ($msg startswith ' Invalid user') then stop + if ($msg startswith ' input_userauth_request: invalid user') then stop + if ($msg startswith ' userauth_hostbased mismatch: ') then stop + if ($msg startswith ' Received disconnect from ') then stop + if ($msg startswith ' Disconnected from ') then stop + if ($msg startswith ' Postponed keyboard-interactive') then stop + if ($msg startswith ' Postponed gssapi-with-mic for ') then stop + if ($msg startswith ' Failed keyboard-interactive/pam') then stop + if ($msg startswith ' fatal: Read from socket failed: Connection reset by peer') then stop + if ($msg startswith ' error: kex_exchange_identification: read: Connection reset by peer') then stop + if ($msg startswith ' error: kex_exchange_identification: read: Connection closed by remote host') then stop + if ($msg startswith ' error: kex_exchange_identification: Connection closed by remote host') then stop + if ($msg startswith ' Connection reset by ') then stop + if ($msg startswith ' reverse mapping checking getaddrinfo') then stop + if ($msg startswith ' pam_succeed_if(sshd:auth):') then stop + if ($msg startswith ' error: PAM: Authentication failure') then stop + if ($msg startswith ' pam_unix(sshd:auth): authentication failure') then stop + if ($msg startswith ' pam_unix(sshd:auth): check pass; user unknown') then stop + if (re_match($msg, '^ Address \\S+ 
maps to \\S+, but this does not map back to the address')) then stop + if (re_match($msg, '^ Nasty PTR record .* is set up for .*, ignoring')) then stop + if ($msg startswith ' User child is on pid ') then stop + if (re_match($msg, '^ Accepted \\S+ public key \\S+ from \\S+$')) then stop + if ($msg startswith ' error: maximum authentication attempts exceeded for ') then stop + } + if (re_match($msg, '^ Transferred: sent \\d+, received \\d+ bytes$')) then stop + if ($msg == ' Setting tty modes failed: Invalid argument') then stop + if ($programname == 'sudo') then { + if (re_match($msg, '^ *nrpe .* COMMAND=/etc/nagios/check_ldap_mmr.real$')) then stop + if (re_match($msg, '^ *scripts : .*; USER=root ; COMMAND=/etc/httpd/export-scripts-certs$')) then stop + if (re_match($msg, '^ *pony : .*; USER=root ; COMMAND=/etc/pki/tls/gencsr-pony ')) then stop + if (re_match($msg, '^ *root : TTY=')) then stop + } + if ($msg startswith ' Set /proc/self/oom_adj to ') then stop + if ($msg startswith ' Set /proc/self/oom_score_adj to ') then stop + if ($msg == ' selinux sandbox not useful [preauth]') then stop + # Everything else goes to scripts-spew + call zprivate +} + +# Send errors, authpriv, and OOM events to the zroot queue if \ - $syslogseverity <= '4' \ - and \ - not ($programname == 'sshd' and ( \ - $msg == ' pam_unix(sshd:auth): check pass; user unknown' \ - or \ - $msg startswith ' PAM service(sshd) ignoring max retries; ' \ - or \ - $msg startswith ' error: maximum authentication attempts exceeded for ' \ - or \ - $msg startswith ' error: Received disconnect from ' \ - )) \ -then |/run/zephyr-syslog-private;RSYSLOG_SyslogProtocol23Format + $syslogseverity <= '4' \ + or \ + $syslogfacility-text == 'authpriv' \ + or \ + ($syslogfacility-text == 'kern' and ($msg contains 'Out of memory:' or $msg contains 'Killed process')) \ +then { + call zroot +} $ModLoad imrelp $InputRELPServerRun 2514 
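Review bot: `if (re_match($msg, 'Root (\\S+) shell')) then call zpublic` is unanchored and not restricted by `$programname`, so any message containing that phrase, including ones that embed user-supplied text, is published to the public stream as a root-shell event; since the only producer is the `logger -t bash` line in the new .bashrc, pinning it as `if ($programname == 'bash' and re_match($msg, '^ Root \\S+ shell for ')) then call zpublic` keeps that stream trustworthy. The `' Out of memory:'` check has the same shape (any facility can satisfy it), though the cost there is only noise. The many `then stop` lines in the sshd block drop brute-force indicators such as `Invalid user` and `maximum authentication attempts exceeded` from the private zephyr; a comment stating that the local files still receive them, given the zroot queue isolation, would document that this is a noise filter rather than a detection gap.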
diff --git a/ansible/files/zephyr-syslog b/ansible/files/zephyr-syslog index ad8abede..aa0e199a 100755 --- a/ansible/files/zephyr-syslog +++ b/ansible/files/zephyr-syslog @@ -88,14 +88,14 @@ facilities = [ ] severity_symbols = [ - '@b(@color(magenta)☠)', - '@b(@color(magenta)☣)', - '@b(@color(magenta)☢)', - '@b(@color(red)⊗)', - '@b(@color(yellow)⚠)', - '@b(@color(blue)☞)', - '@b(@color(cyan)ⓘ)', - '@b(@color(green)☻)' + '@b(@color(magenta)EMERG)', + '@b(@color(magenta)ALERT)', + '@b(@color(magenta)CRIT)', + '@b(@color(red)ERR)', + '@b(@color(yellow)WARN)', + '@b(@color(blue)NOTICE)', + '@b(@color(cyan)INFO)', + '@b(@color(green)DEBUG)' ] syslog_re = re.compile(r'''^<(?P\d+)>(?P1) (?P\S*) (?P\S*) (?P\S*) (?P\S*) (?P\S*) (?P(?:\[[^]= "]+(?: [^]= "]+="(?:[^]"\\]|\\.)*")*\])*|-) (?P.*)$''') diff --git a/ansible/filter_plugins/subnetmath.py b/ansible/filter_plugins/subnetmath.py new file mode 100644 index 00000000..9de96f26 --- /dev/null +++ b/ansible/filter_plugins/subnetmath.py 
@@ -0,0 +1,88 @@ +# Make coding more python3-ish +from __future__ import (absolute_import, division, print_function) +__metaclass__ = type + +import netaddr +from itertools import groupby + +def _round_prefixes(value): + """Takes a list of subnets, and produces a new list of subnets that are /8, /16, or /24.""" + _ret = [] + for net in netaddr.cidr_merge(netaddr.IPNetwork(v) for v in value): + newprefix = ((net.prefixlen+7)//8)*8 + _ret.extend(net.subnet(newprefix)) + return _ret + +def inaddr_zones(value): + """inaddr_zones converts a list of IP subnets into a list of in-addr.arpa zone names that cover the subents.""" + nets = _round_prefixes(value) + _ret = [] + for net in nets: + val = "in-addr.arpa" + addr = int(net.network) + for i in range(0, net.prefixlen, 8): + val = str((addr >> (24-i)) & 0xff) + '.' + val + _ret.append(val) + return _ret + +def ipsubnets_regex(value): + """ipsubnets_regex converts a list of IP subnets into a regex that matches IP addresses on those subnets.""" + nets = _round_prefixes(value) + prefixes = [net.network.ipv4().format().split('.')[:net.prefixlen//8] for net in nets] + return '^' + _prefixes_to_regex(prefixes) + r'\.' + +def _prefixes_to_regex(prefixes): + """ + Convert a list of tuples containing IP prefixes into a regex that matches them. + + Args: + prefixes: list of prefixes like [(10,), (18, 1), (18, 2)] + + Returns: + regex like "(10|18\.[1-2])" + """ + out = [] + if max(len(x) for x in prefixes) == 1: + # Last component, try to use character classes + return _numbers_regex(x[0] for x in prefixes) + for octet, g in groupby(prefixes, lambda x: x[0]): + sub = [x[1:] for x in g if len(x) > 1] + match = str(octet) + if sub: + match += r'\.' 
+ _prefixes_to_regex(sub) + out.append(match) + return '(' + '|'.join(out) + ')' + +def _numbers_regex(numbers): + """Find a simplified regex for matching a list of numbers""" + def key(x): return (x[0], len(x[1]), x[1][:-1]) + numbers = sorted((('', str(x)) for x in numbers), key=key) + simplified = False + while not simplified: + simplified = True + out = [] + for (suffix, _, prefix), g in groupby(numbers, key): + g = list(g) + if len(g) == 1 and not g[0][1]: + out.append(g[0]) + continue + simplified = False + digits = sorted(x[1][-1] for x in g) + if len(digits) == 1: + match = digits[0] + elif len(digits) == 10: + match = r'\d' + else: + match = '['+''.join(digits)+']' + out.append((match+suffix, prefix)) + numbers = out + if len(numbers) == 1: + return numbers[0][0] + return '('+ '|'.join(x[0] for x in numbers) + ')' + +class FilterModule(object): + def filters(self): + return { + 'inaddr_zones': inaddr_zones, + 'ipsubnets_regex': ipsubnets_regex, + } diff --git a/ansible/inventory.yml b/ansible/inventory.yml deleted file mode 100644 index d7b3ef32..00000000 --- a/ansible/inventory.yml +++ /dev/null 
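Review bot: `ipsubnets_regex` fails on two edges: an empty subnet list reaches `max()` over an empty generator in `_prefixes_to_regex` and raises `ValueError`, and any entry narrower than /24 is rounded to /32 by `_round_prefixes`, producing four octets followed by the trailing `r'\.'`, a pattern that can never match a complete address. Guarding the first with `if not nets: return '(?!)'` (a regex that matches nothing) and either documenting the second as a precondition (`Subnets narrower than /24 are not supported.`) or emitting `$` instead of `\.` for four-octet prefixes would make the filter safe for arbitrary inventory values. The `\.`-terminated result is only meaningful under `^`-anchored matching, which the docstring should state. Minor: the `_prefixes_to_regex` docstring example shows `[1-2]` while `_numbers_regex` emits `[12]`, and "subents" is misspelled in the `inaddr_zones` docstring.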
@@ -1,67 +0,0 @@ -all: - vars: - maintainers: - - username: achernya - - username: adehnert - root_mail: adehnert-sipb@mit.edu - - username: andersk - - username: btidor - root_mail: btidor-scripts@mit.edu - - username: cela - - username: cereslee - - username: ezyang - - username: geofft - root_mail: null - - username: glasgall - - username: mitchb - - username: tboning - - username: quentin - - username: vasilvv - - vips: - - host: scripts-director-new.mit.edu - ip: 18.4.86.132 - cidr_netmask: 24 - nic: vlan486 - - host: scripts-new.mit.edu - ip: 18.4.86.43 - cidr_netmask: 24 - nic: vlan486 - - host: scripts-cert-new.mit.edu - ip: 18.4.86.50 - cidr_netmask: 24 - nic: vlan486 - - host: scripts-vhosts-new.mit.edu - ip: 18.4.86.46 - cidr_netmask: 24 - nic: vlan486 - - host: scripts-test-new.mit.edu - ip: 18.4.86.229 - cidr_netmask: 24 - nic: vlan486 - - host: sipb-new.mit.edu - ip: 18.4.86.29 - cidr_netmask: 24 - nic: vlan486 - - rsyslogs: - - 18.4.86.15 # log-flume - - 18.4.86.16 # log-normal - - children: - scripts-directors: - hosts: - george-lucas.mit.edu: - vlan486_address: 18.4.86.220 - vlan486_hwaddr: 00:50:56:87:03:c5 - joss-whedon.mit.edu: - vlan486_address: 18.4.86.226 - vlan486_hwaddr: 00:50:56:87:c2:23 - christopher-nolan.mit.edu: - vlan486_address: 18.4.86.111 - vlan486_hwaddr: 00:50:56:87:d4:4e - - scripts-syslogs: - hosts: - log-flume.mit.edu: {} - log-normal.mit.edu: {} diff --git a/ansible/inventory/.gitignore b/ansible/inventory/.gitignore new file mode 100644 index 00000000..20ebc05b --- /dev/null +++ b/ansible/inventory/.gitignore @@ -0,0 +1 @@ +local.yml diff --git a/ansible/inventory/inventory.yml b/ansible/inventory/inventory.yml new file mode 100644 index 00000000..3ab6a070 --- /dev/null +++ b/ansible/inventory/inventory.yml 
@@ -0,0 +1,219 @@ +all: + vars: + scripts_root: + - username: achernya + - username: adehnert + root_mail: adehnert-sipb@mit.edu + - username: andersk + - username: btidor + root_mail: btidor-scripts@mit.edu + - username: cela + - username: cereslee + - username: ezyang + - username: geofft + root_mail: null + - username: glasgall + - username: mitchb + - username: mrittenb + - username: quentin + - username: tboning + - username: vasilvv + maintainers: "{{ scripts_root }}" + + scripts_kiddies: + - username: jkoppel + - username: jnoguera + - username: rihn + + ip: "{{ lookup('dig', inventory_hostname) | replace('NXDOMAIN', '') }}" + + vips: + - host: scripts-director.mit.edu + ip: 18.4.86.132 + cidr_netmask: 24 + nic: vlan486 + type: director + - host: scripts.mit.edu + ip: 18.4.86.43 + cidr_netmask: 24 + nic: vlan486 + mail: True + - host: scripts-cert.mit.edu + ip: 18.4.86.50 + cidr_netmask: 24 + nic: vlan486 + type: cert + - host: scripts-vhosts.mit.edu + ip: 18.4.86.46 + cidr_netmask: 24 + nic: vlan486 + mail: True + - host: scripts-test.mit.edu + ip: 18.4.86.229 + cidr_netmask: 24 + nic: vlan486 + - host: sipb.mit.edu + ip: 18.4.86.29 + cidr_netmask: 24 + nic: vlan486 + type: vhost + - host: scripts-f20.mit.edu + ip: 18.4.86.22 + cidr_netmask: 24 + nic: vlan486 + mail: True + codename: Heisenbug + - host: scripts-f30.mit.edu + ip: 18.4.86.30 + cidr_netmask: 24 + nic: vlan486 + mail: True + codename: Thirty + + rsyslogs: + - 18.4.86.15 # log-flume + - 18.4.86.16 # log-normal + + mit_dns_servers: + - 18.0.70.160 + - 18.0.72.3 + - 18.0.71.151 + + # Generated from http://kb.mit.edu/confluence/x/F4DCAg + whois, 2019-11-18 + mit_subnets: + - 10/8 + - 18/11 + - 128.30/15 + - 128.52/16 + + children: + scripts-directors: + hosts: + george-lucas.mit.edu: + vlan486_address: 18.4.86.220 + vlan486_hwaddr: 00:50:56:87:03:c5 + joss-whedon.mit.edu: + vlan486_address: 18.4.86.226 + vlan486_hwaddr: 00:50:56:87:c2:23 + christopher-nolan.mit.edu: + vlan486_address: 18.4.86.111 + 
vlan486_hwaddr: 00:50:56:87:d4:4e + + scripts-proxy: + vars: + vlan486_address: "{{ ip }}" + children: + scripts-proxy-test: + vars: + maintainers: "{{ scripts_root + scripts_kiddies }}" + hosts: + scripts-test-proxy-1.mit.edu: + dscp_tag: 11 + scripts-test-proxy-2.mit.edu: + dscp_tag: 12 + scripts-test-proxy-3.mit.edu: + dscp_tag: 13 + scripts-proxy-quentin: + vars: + maintainers: + - username: quentin + hosts: + scripts-test-proxy-quentin-1.mit.edu: + + scripts-syslogs: + hosts: + log-flume.mit.edu: {} + log-normal.mit.edu: {} + + scripts-ldap: + hosts: + doppelganger.mit.edu: {} + alter-ego.mit.edu: {} + body-double.mit.edu: {} + + sql: + vars: + vlan461_address: "{{ ip | replace('18.4.86.', '172.21.0.') | replace('18.4.60.', '172.21.0.') }}" + hosts: + sql.mit.edu: {} + primary-key.mit.edu: {} + foreign-key.mit.edu: {} + sliced-bread.mit.edu: {} + + scripts-real: + children: + scripts-real-prod: + vars: + vlan486_address: "{{ ip }}" + vlan461_address: "{{ vlan486_address | replace('18.4.86.', '172.21.0.') }}" + children: + scripts-real-f30: + vars: + ansible_python_interpreter: /usr/bin/python3 + codename: Thirty + hosts: + better-mousetrap.mit.edu: + vlan486_hwaddr: 00:50:56:87:16:56 + vlan461_hwaddr: 00:50:56:87:2f:6f + primary: True + old-faithful.mit.edu: + vlan486_hwaddr: 00:50:56:87:15:39 + vlan461_hwaddr: 00:50:56:87:f2:50 + whole-enchilada.mit.edu: + vlan486_hwaddr: 00:50:56:87:f5:00 + vlan461_hwaddr: 00:50:56:87:48:9f + real-mccoy.mit.edu: + vlan486_hwaddr: 00:50:56:87:34:e4 + vlan461_hwaddr: 00:50:56:87:b6:8b + golden-egg.mit.edu: + vlan486_hwaddr: 00:50:56:87:69:dc + vlan461_hwaddr: 00:50:56:87:ba:12 + miracle-cure.mit.edu: + vlan486_hwaddr: 00:50:56:87:72:c6 + vlan461_hwaddr: 00:50:56:87:77:32 + #lucky-star.mit.edu: + scripts-real-f20: + vars: + codename: Heisenbug + hosts: + bees-knees.mit.edu: + cats-whiskers.mit.edu: + primary: True + pancake-bunny.mit.edu: + busy-beaver.mit.edu: + shining-armor.mit.edu: + scripts-real-test: + vars: + 
ansible_python_interpreter: /usr/bin/python3 + vips: + - host: scripts-test.mit.edu + ip: 18.4.86.229 + cidr_netmask: 24 + enable_testing_repo: yes + # Don't Zephyr from dev servers + syslog_client: no + afs_cache_size: 500000 + use_local_ldap: no + hosts: + quentin-ansible-test.xvm.mit.edu: {} + + scripts-f30-test.xvm.mit.edu: {} + + jkoppel-scripts-test.xvm.mit.edu: + maintainers: + - username: jkoppel + feral-purrbeast.xvm.mit.edu: + maintainers: + - username: cela + poisonous-stamp.xvm.mit.edu: + maintainers: + - username: bpchen + toasted-microwave.xvm.mit.edu: + maintainers: + - username: rihn + miriamscripts.xvm.mit.edu: + maintainers: + - username: mrittenb + anarchyscripts.xvm.mit.edu: + maintainers: + - username: jnoguera diff --git a/ansible/lookup_plugins/moira_ghal.py b/ansible/lookup_plugins/moira_ghal.py new file mode 100644 index 00000000..0398322f --- /dev/null +++ b/ansible/lookup_plugins/moira_ghal.py 
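Review bot: `ip: "{{ lookup('dig', inventory_hostname) | replace('NXDOMAIN', '') }}"` turns a failed DNS lookup into the empty string, and `vlan486_address`/`vlan461_address` are derived from it for `scripts-proxy`, `sql` and `scripts-real-prod`, so a host whose name does not resolve silently gets an empty interface address instead of a loud failure; dropping the `replace` so `NXDOMAIN` surfaces, or an early `assert: that: ip | length > 0` before the network roles run, fails fast. `mit_subnets` lists `10/8` next to the public MIT ranges; if the regex and zone filters consume this as an "is MIT" test, confirm that treating every 10.x source as MIT is intended and say so beside the 2019-11-18 comment. `scripts_kiddies` members become root maintainers on `scripts-proxy-test` via `maintainers: "{{ scripts_root + scripts_kiddies }}"` (the k5login role writes each username as `/root@ATHENA.MIT.EDU`); a comment marking that group as test-only would document the boundary.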
@@ -0,0 +1,43 @@ +from __future__ import (absolute_import, division, print_function) +__metaclass__ = type + +DOCUMENTATION = """ +lookup: moira_ghal +description: +- This lookup returns the aliases of a Moira host. +""" + +import subprocess + +from ansible.module_utils._text import to_text +from ansible.plugins.lookup import LookupBase +from ansible.utils.display import Display + +display = Display() + +DOMAIN = ".mit.edu" + +class LookupModule(LookupBase): + def ghal(self, host): + p = subprocess.Popen( + ["qy", "-n", "-s", "ghal", "*", host], + cwd=self._loader.get_basedir(), + stderr=subprocess.PIPE, + stdout=subprocess.PIPE) + (stdout, stderr) = p.communicate() + if stderr: + display.warning("qy: %s" % stderr) + return [s.split(',', 2)[0].lower() for s in to_text(stdout).splitlines()] + def run(self, terms, include_short_names=False, include_cname=False, **kwargs): + ret = [] + for host in sorted(set(host.lower() for host in terms)): + display.debug("Looking up aliases for: %s" % host) + aliases = self.ghal(host) + if include_cname: + aliases.insert(0, host) + ret.extend(aliases) + if include_short_names: + for h in aliases: + if h.endswith(DOMAIN): + ret.append(h[:-len(DOMAIN)]) + return ret diff --git a/ansible/playbook.yml b/ansible/playbook.yml index b7396ba3..9eeb0e58 100644 --- a/ansible/playbook.yml +++ b/ansible/playbook.yml @@ -1,5 +1,20 @@ +- hosts: all + serial: 1 + tasks: + - name: Install playbook Python dependencies + package: + name: + - python3-netaddr + - python3-dns{{ "python" if ansible_os_family == "Debian" else "" }} + state: present + - import_playbook: scripts-directors.yml - import_playbook: scripts-directors-cib.yml +- import_playbook: scripts-proxy.yml + - import_playbook: scripts-syslog.yml + +- import_playbook: scripts-real.yml + 
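Review bot: `ghal` never checks `p.returncode`, so when `qy` is missing, lacks a Kerberos ticket or rejects the query, the lookup returns `[]` and the play proceeds as if the host had no aliases, which is the wrong failure mode for data that feeds configuration; `if p.returncode != 0: raise AnsibleError("qy ghal %s failed: %s" % (host, to_text(stderr)))` after `communicate()` surfaces it (with `from ansible.errors import AnsibleError`). The warning on the next line formats raw bytes (`"qy: %s" % stderr` prints `b'...'` under Python 3); use `to_text(stderr)` there as well. Passing `host` as an argv element rather than through a shell is the right shape. `DOCUMENTATION` lists no options, so a docstring on `run` describing `include_short_names` and `include_cname` would complete the plugin's contract.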
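Review bot: The new play installs `python3-netaddr` and `python3-dns…` on every managed host, but the `subnetmath` filters and the `dig` lookup added in this commit execute on the control node, so unless the controller is itself a member of `all` this play does not provide the modules where they are used; a comment stating that assumption (`# The controller is a scripts host, so this also satisfies the filter/lookup plugins`) or a `delegate_to: localhost` install would make the dependency explicit. `serial: 1` on a package install across all hosts is slow and unexplained; if it is deliberate, say why.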
diff --git a/server/fedora/config/etc/krb5.conf b/ansible/roles/k5login/files/krb5.conf similarity index 90% rename from server/fedora/config/etc/krb5.conf rename to ansible/roles/k5login/files/krb5.conf index 1449b6bd..4d314a68 100644 --- a/server/fedora/config/etc/krb5.conf +++ b/ansible/roles/k5login/files/krb5.conf @@ -18,13 +18,15 @@ something = something-else } } +# The following libdefaults parameters are only for Heimdal Kerberos. + fcc-mit-ticketflags = true + [realms] ATHENA.MIT.EDU = { - kdc = kerberos.mit.edu:88 - kdc = kerberos-1.mit.edu:88 + kdc = kerberos.mit.edu + kdc = kerberos-1.mit.edu kdc = kerberos-2.mit.edu:88 - kdc = kerberos-3.mit.edu:88 admin_server = kerberos.mit.edu default_domain = mit.edu } @@ -111,7 +113,12 @@ .ai.mit.edu = CSAIL.MIT.EDU ai.mit.edu = CSAIL.MIT.EDU .stanford.edu = stanford.edu + .slac.stanford.edu = SLAC.STANFORD.EDU + .toronto.edu = UTORONTO.CA + .utoronto.ca = UTORONTO.CA [login] krb4_convert = true krb4_get_tickets = true + +includedir /etc/krb5.conf.d diff --git a/ansible/roles/k5login/handlers/main.yml b/ansible/roles/k5login/handlers/main.yml index a5df68bb..05f83613 100644 --- a/ansible/roles/k5login/handlers/main.yml +++ b/ansible/roles/k5login/handlers/main.yml @@ -1,2 +1,9 @@ -- name: reload ssh +- name: reload ssh debian + listen: reload ssh service: name=ssh state=reloaded + when: ansible_os_family == "Debian" +- name: reload ssh redhat + listen: reload ssh + service: name=sshd state=reloaded + when: ansible_os_family == "RedHat" + diff --git a/ansible/roles/k5login/tasks/main.yml b/ansible/roles/k5login/tasks/main.yml index c88cc340..05adc773 100644 --- a/ansible/roles/k5login/tasks/main.yml +++ b/ansible/roles/k5login/tasks/main.yml 
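Review bot: The added comment says `fcc-mit-ticketflags` is a Heimdal-only `[libdefaults]` parameter, but the line is placed after the closing braces visible at the top of the hunk rather than under a section header, so a reader cannot tell from here which section it lands in; placing it directly under `[libdefaults]` (outside this hunk) or extending the comment to `# ... ignored by MIT Kerberos; must stay inside [libdefaults]` removes the doubt. The `kdc =` list now mixes bare host names with `kerberos-2.mit.edu:88` after `:88` was dropped from the other two entries; pick one form. `includedir /etc/krb5.conf.d` makes every file in that directory part of the trust configuration, so the task that creates it should pin owner and mode rather than inherit the remote umask.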
@@ -17,3 +17,20 @@ {% for maintainer in maintainers %} {{ maintainer.username }}/root@ATHENA.MIT.EDU {% endfor %} +- name: Install Kerberos utilities + block: + - apt: name=krb5-user state=present + when: ansible_os_family == "Debian" + - dnf: name=krb5-workstation state=present + when: ansible_os_family == "RedHat" +- name: Ensure krb5.conf.d exists + file: + path: /etc/krb5.conf.d + state: directory +- name: Configure Kerberos + copy: + dest: /etc/krb5.conf + src: krb5.conf +- name: Configure realm in debconf + debconf: name=krb5-config question=krb5-config/default_realm vtype=string value=ATHENA.MIT.EDU + when: ansible_os_family == "Debian" diff --git a/ansible/roles/ldirectord-status/files/ldirectord-finger.socket b/ansible/roles/ldirectord-status/files/ldirectord-finger.socket index 3cdee20d..0dea7a6a 100644 --- a/ansible/roles/ldirectord-status/files/ldirectord-finger.socket +++ b/ansible/roles/ldirectord-status/files/ldirectord-finger.socket @@ -1,5 +1,6 @@ [Unit] Description=Finger Socket for LDirectord Status +OnFailure=ldirectord-finger.socket [Socket] ListenStream=79 diff --git a/ansible/roles/ldirectord-status/files/ldirectord-finger@.service b/ansible/roles/ldirectord-status/files/ldirectord-finger@.service index 9b6dd103..04f73dc1 100644 --- a/ansible/roles/ldirectord-status/files/ldirectord-finger@.service +++ b/ansible/roles/ldirectord-status/files/ldirectord-finger@.service @@ -2,5 +2,6 @@ Description=Finger Per-Connection Server [Service] -ExecStart=/etc/ldirectord-status/ldirectord-finger.sh +ExecStart=-/etc/ldirectord-status/ldirectord-finger.sh StandardInput=socket +RuntimeMaxSec=60 diff --git a/ansible/roles/ldirectord-status/files/ldirectord-http.socket b/ansible/roles/ldirectord-status/files/ldirectord-http.socket index 45765c47..ee990f40 100644 --- a/ansible/roles/ldirectord-status/files/ldirectord-http.socket +++ b/ansible/roles/ldirectord-status/files/ldirectord-http.socket 
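Review bot: `Ensure krb5.conf.d exists` and `Configure Kerberos` create `/etc/krb5.conf.d` and `/etc/krb5.conf` without `owner`, `group` or `mode`, so the result depends on the remote umask; the directory is an include path for Kerberos trust settings and the file must remain world-readable, so set them explicitly: `owner: root`, `group: root`, `mode: '0755'` on the directory and `'0644'` on the file. The `Install Kerberos utilities` block wraps an `apt` and a `dnf` task that each carry their own `when`; a comment that the block exists only to group the two package managers would explain the shape.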
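Review bot: `OnFailure=ldirectord-finger.socket` inside ldirectord-finger.socket refers to the unit itself; as far as I know systemd drops a unit's dependency on itself with a "Dependency ... dropped" warning, so this line is likely a no-op rather than the intended re-activation after the trigger limit is hit, and the same self-reference appears in ldirectord-http.socket in this commit. If the goal is to survive a burst of connections, `TriggerLimitBurst=`/`TriggerLimitIntervalSec=` on the socket or a separate oneshot that restarts it is the supported route; either way a comment naming the failure being recovered from belongs next to the line.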
@@ -1,9 +1,11 @@ [Unit] Description=HTTP Socket for LDirectord Status +OnFailure=ldirectord-http.socket [Socket] ListenStream=78 Accept=yes +TriggerLimitBurst=0 [Install] WantedBy=sockets.target diff --git a/ansible/roles/ldirectord-status/files/ldirectord-http@.service b/ansible/roles/ldirectord-status/files/ldirectord-http@.service index 2fde134c..cc3ae0a3 100644 --- a/ansible/roles/ldirectord-status/files/ldirectord-http@.service +++ b/ansible/roles/ldirectord-status/files/ldirectord-http@.service @@ -2,5 +2,6 @@ Description=Finger Per-Connection Server [Service] -ExecStart=/etc/ldirectord-status/ldirectord-http.sh +ExecStart=-/etc/ldirectord-status/ldirectord-http.sh StandardInput=socket +RuntimeMaxSec=60 diff --git a/ansible/roles/lvs-iptables/files/scripts-iptables.rules.v4 b/ansible/roles/lvs-iptables/files/scripts-iptables.rules.v4 index 9abb3756..5fc635b5 100644 --- a/ansible/roles/lvs-iptables/files/scripts-iptables.rules.v4 +++ b/ansible/roles/lvs-iptables/files/scripts-iptables.rules.v4 @@ -1,6 +1,7 @@ ## Joe Presbrey ## Quentin Smith ## Mitchell Berger +## Miriam Rittenberg ## SIPB Scripts LVS Firewall marks *mangle @@ -9,8 +10,12 @@ :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] :POSTROUTING ACCEPT [0:0] -# Create a table for regular scripts hosts :scripts - [0:0] +:primary - [0:0] +:sipb - [0:0] +:f20 - [0:0] +:f30 - [0:0] +:test - [0:0] # scripts-vhosts.mit.edu -A PREROUTING -d 18.4.86.46 -j scripts 
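Review bot: `TriggerLimitBurst=0` disables the socket's activation rate limit entirely, and with `Accept=yes` each connection spawns a new `ldirectord-http@` instance that may live up to the `RuntimeMaxSec=60` set in the service, so on a port reachable by unauthenticated clients the only remaining bound on concurrent processes is the system itself; pairing it with `MaxConnections=` (and `MaxConnectionsPerSource=`) restores a cap, and the chosen values deserve a comment. Unchanged here but visible in the http service hunk: `Description=Finger Per-Connection Server` is a copy-paste from the finger unit.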
@@ -18,24 +23,52 @@ -A PREROUTING -d 18.4.86.43 -j scripts # scripts-cert.mit.edu -A PREROUTING -d 18.4.86.50 -j scripts +# scripts-primary.mit.edu +-A PREROUTING -d 18.4.86.182 -j primary +# sipb.mit.edu +-A PREROUTING -d 18.4.86.29 -j sipb +# scripts-f20.mit.edu +-A PREROUTING -d 18.4.86.22 -j f20 +# scripts-f30.mit.edu +-A PREROUTING -d 18.4.86.30 -j f30 +# scripts-test.mit.edu +-A PREROUTING -d 18.4.86.229 -j test # Send Apache-bound traffic to FWM 2 (load-balanced) -A scripts -m tcp -m multiport -p tcp --dports 80,443,444 -j MARK --set-mark 2 # Send SMTP-bound traffic to FWM 3 (load-balanced) -A scripts -m tcp -p tcp --dport 25 -j MARK --set-mark 3 -# Send finger-bound traffic to FWM 255 (the LVS director itself) --A scripts -m tcp -p tcp --dport 78:79 -j MARK --set-mark 255 +# Send finger-bound traffic to the LVS director itself +-A scripts -m tcp -p tcp --dport 78:79 -j RETURN # Send everything else to FWM 1 (primary) -A scripts -m mark --mark 0 -j MARK --set-mark 1 # scripts-primary.mit.edu goes to the primary (FWM 1) on all ports --A PREROUTING -d 18.4.86.182 -j MARK --set-mark 1 +-A primary -j MARK --set-mark 1 # sipb.mit.edu acts like regular scripts for the web ports, everything else goes to i-hate-penguins.xvm.mit.edu (FWM 4) --A PREROUTING -m tcp -m multiport -p tcp -d 18.4.86.29 --dports 80,443,444 -j MARK --set-mark 2 +-A sipb -m tcp -m multiport -p tcp --dports 80,443,444 -j MARK --set-mark 2 # Also send port 25 there too because the IP is shared with rtfm.mit.edu (fix this after renaming the machine) -#-A PREROUTING -m tcp -m multiport -p tcp -d 18.181.0.29 --dports 20,21,25 -j MARK --set-mark 4 +#-A sipb -m tcp -m multiport -p tcp --dports 20,21,25 -j MARK --set-mark 4 # All else to i-hate-penguins --A PREROUTING -m mark --mark 0 -d 18.4.86.29 -j MARK --set-mark 4 +-A sipb -m mark --mark 0 -j MARK --set-mark 4 + +# f20 is the same as scripts but for the Fedora 20 pool +-A f20 -m tcp -m multiport -p tcp --dports 80,443,444 -j MARK --set-mark 22 
+-A f20 -m tcp -p tcp --dport 25 -j MARK --set-mark 23 +-A f20 -m tcp -p tcp --dport 78:79 -j RETURN +-A f20 -m mark --mark 0 -j MARK --set-mark 21 + +# f30 is the same as scripts but for the Fedora 30 pool +-A f30 -m tcp -m multiport -p tcp --dports 80,443,444 -j MARK --set-mark 32 +-A f30 -m tcp -p tcp --dport 25 -j MARK --set-mark 33 +-A f30 -m tcp -p tcp --dport 78:79 -j RETURN +-A f30 -m mark --mark 0 -j MARK --set-mark 31 + +# send web traffic to HAProxy and everything else to f20 +-A test -m tcp -m multiport -p tcp --dports 80,443,444 -j MARK --set-mark 92 +-A test -m tcp -p tcp --dport 25 -j MARK --set-mark 23 +-A test -m tcp -p tcp --dport 78:79 -j RETURN +-A test -m mark --mark 0 -j MARK --set-mark 21 COMMIT diff --git a/ansible/roles/lvs-ldirectord/handlers/main.yml b/ansible/roles/lvs-ldirectord/handlers/main.yml new file mode 100644 index 00000000..8d71252a --- /dev/null +++ b/ansible/roles/lvs-ldirectord/handlers/main.yml @@ -0,0 +1,3 @@ +- name: reload ldirectord + service: name=ldirectord state=reloaded + failed_when: no diff --git a/ansible/roles/lvs-ldirectord/tasks/main.yml b/ansible/roles/lvs-ldirectord/tasks/main.yml new file mode 100644 index 00000000..05ac08b4 --- /dev/null +++ b/ansible/roles/lvs-ldirectord/tasks/main.yml @@ -0,0 +1,6 @@ +--- +- name: Configure ldirectord + template: + dest: /etc/ha.d/ldirectord.cf + src: ldirectord.cf.j2 + notify: reload ldirectord diff --git a/ansible/roles/lvs-ldirectord/templates/ldirectord.cf.j2 b/ansible/roles/lvs-ldirectord/templates/ldirectord.cf.j2 new file mode 100644 index 00000000..9b422d72 --- /dev/null +++ b/ansible/roles/lvs-ldirectord/templates/ldirectord.cf.j2 
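Review bot: The new chains introduce fwmarks 21–23, 31–33 and 92 with only the pool named in each chain comment, while the ldirectord template in this commit documents `virtual=1/2/3` only, so the mark-to-virtual-service mapping now lives in two files with no cross-reference; a header table in this file along the lines of `# FWM: 1 primary, 2 apache, 3 smtp; 21/22/23 f20 primary/apache/smtp; 31/32/33 f30 likewise; 92 haproxy (test web)` (a sketch, verify against ldirectord.cf) would let a reader check both sides. `-j RETURN` for ports 78:79 leaves the packet unmarked, which relies on nothing later in PREROUTING matching it and on unmarked traffic being delivered to the director locally; a comment saying so, once above the `scripts`, `f20`, `f30` and `test` RETURN lines, protects that behaviour from a rule added later after the `-j scripts` jumps.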
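Review bot: `failed_when: no` on `reload ldirectord` makes a failed reload report success, so a rendered template that ldirectord rejects is invisible to the run, and since the template sets `autoreload=yes` the daemon re-reads the file on its own anyway. Either drop `failed_when` so a broken reload fails the play, or, if the reason is that ldirectord is not running on every director, express that as a `when:` on a registered service state and say so in a comment (`# reload is best-effort: ldirectord runs only on the active director`).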
@@ -0,0 +1,142 @@ +checktimeout=5 +checkinterval=1 +autoreload=yes +logfile="/var/log/ldirectord.log" +quiescent=yes + +# iptables rules caused SMTP to use FWM 3 +virtual=3 + #real=18.4.86.53:25 gate 4096 # old-faithful + #real=18.4.86.57:25 gate 4096 # better-mousetrap + real=18.4.86.167:25 gate 4096 # bees-knees + real=18.4.86.228:25 gate 1024 # cats-whiskers + real=18.4.86.234:25 gate 4096 # busy-beaver + #real=18.4.86.235:25 gate 4096 # real-mccoy + real=18.4.86.237:25 gate 4096 # pancake-bunny + #real=18.4.86.236:25 gate 1024 # whole-enchilada + real=18.4.86.135:25 gate 4096 # shining-armor + #real=18.4.86.141:25 gate 4096 # golden-egg + #real=18.4.86.203:25 gate 4096 # miracle-cure + #real=18.4.86.204:25 gate 4096 # lucky-star + service=http + request="heartbeat/smtp" + virtualhost="scripts.mit.edu" + receive="1" + checktype=negotiate + checkport=80 + scheduler=wlc + persistent=600 + protocol=fwm + checktype=negotiate + checkport=80 + +# Apache (80, 443, and 444) uses FWM 2 +virtual=2 + #real=18.4.86.53 gate 4096 # old-faithful + #real=18.4.86.57 gate 4096 # better-mousetrap + real=18.4.86.167 gate 4096 # bees-knees + real=18.4.86.228 gate 1024 # cats-whiskers + real=18.4.86.234 gate 4096 # busy-beaver + #real=18.4.86.235 gate 4096 # real-mccoy + real=18.4.86.237 gate 4096 # pancake-bunny + #real=18.4.86.236 gate 1024 # whole-enchilada + real=18.4.86.135 gate 4096 # shining-armor + #real=18.4.86.141 gate 4096 # golden-egg + #real=18.4.86.203 gate 4096 # miracle-cure + #real=18.4.86.204 gate 4096 # lucky-star + fallback=127.0.0.1 gate + service=http + request="heartbeat/http" + virtualhost="scripts.mit.edu" + receive="1" + checktype=negotiate + checkport=80 + scheduler=wlc + persistent=600 + protocol=fwm + +# Everything else uses FWM 1 and gets sent only to the primary +virtual=1 + #real=18.4.86.53 gate "heartbeat/services", "1" # old-faithful + #real=18.4.86.57 gate "heartbeat/services", "2" # better-mousetrap + real=18.4.86.167 gate "heartbeat/services", "3" 
# bees-knees + real=18.4.86.228 gate "heartbeat/services", "4" # cats-whiskers + real=18.4.86.234 gate "heartbeat/services", "5" # busy-beaver + #real=18.4.86.235 gate "heartbeat/services", "6" # real-mccoy + real=18.4.86.237 gate "heartbeat/services", "7" # pancake-bunny + #real=18.4.86.236 gate "heartbeat/services", "8" # whole-enchilada + real=18.4.86.135 gate "heartbeat/services", "9" # shining-armor + #real=18.4.86.141 gate "heartbeat/services", "10" # golden-egg + #real=18.4.86.203 gate "heartbeat/services", "11" # miracle-cure + #real=18.4.86.204 gate "heartbeat/services", "12" # lucky-star + service=http + scheduler=wrr + protocol=fwm + checktype=negotiate + checkport=80 + +## sipb.mit.edu needs an FTP server +#virtual=4 +# real=18.181.2.75 gate 1 +# service=ftp +# scheduler=wlc +# protocol=fwm +# checktype=ping +# checkport=21 +# persistent=600 + +# F20 and F30 pools are generated from inventory + +{% for group, offset in [('scripts-real-f20', 20), ('scripts-real-f30', 30)] %} +{% for service in ['smtp', 'http'] %} +virtual={{ offset + {'smtp': 3, 'http': 2}[service] }} +{% for hostname in groups[group] %} +{% with info = hostvars[hostname] %} + real={{ info['ip'] }} gate {{ 1024 if (info['primary'] | default(False)) else 4096 }} # {{ hostname }} +{% endwith %} +{% endfor %} +{% if service == 'http' %} + fallback=127.0.0.1 gate +{% endif %} + service=http + request="heartbeat/{{ service }}?codename={{ hostvars[groups[group][0]]['codename'] }}" + virtualhost="scripts.mit.edu" + receive="1" + checktype=negotiate + checkport=80 + scheduler=wlc + persistent=600 + protocol=fwm +{% endfor %} + +# Everything else uses FWM 1 and gets sent only to the primary +virtual={{ offset + 1 }} +{% for hostname in groups[group] %} +{% with info = hostvars[hostname] %} + real={{ info['ip'] }} gate "heartbeat/services?codename={{ info['codename'] }}", "{{ hostname | replace('.mit.edu', '') }}" +{% endwith %} +{% endfor %} + service=http + scheduler=wrr + protocol=fwm + 
checktype=negotiate + checkport=80 +{% endfor %} + +# The proxy servers get only web traffic +virtual=92 +{% for hostname in groups['scripts-proxy-test'] %} +{% with info = hostvars[hostname] %} + real={{ info['ip'] }} gate 4096 # {{ hostname }} +{% endwith %} +{% endfor %} + fallback=127.0.0.1 gate + service=http + request="heartbeat/http?codename=ANY" + virtualhost="scripts.mit.edu" + receive="1" + checktype=negotiate + checkport=80 + scheduler=wlc + persistent=600 + protocol=fwm diff --git a/ansible/roles/lvs-lighttpd/tasks/main.yml b/ansible/roles/lvs-lighttpd/tasks/main.yml index 5e98b07b..b6f9fdf3 100644 --- a/ansible/roles/lvs-lighttpd/tasks/main.yml +++ b/ansible/roles/lvs-lighttpd/tasks/main.yml @@ -1,11 +1,10 @@ --- - name: Install packages apt: - name: "{{ item }}" + name: + - lighttpd + - lighttpd-mod-magnet state: present - with_items: - - lighttpd - - lighttpd-mod-magnet - name: Install /etc/lighttpd/scripts-maint synchronize: dest: /etc/lighttpd/scripts-maint/ diff --git a/ansible/roles/mock/handlers/main.yml b/ansible/roles/mock/handlers/main.yml new file mode 100644 index 00000000..7742ed1c --- /dev/null +++ b/ansible/roles/mock/handlers/main.yml @@ -0,0 +1,7 @@ +--- +- name: restart var-lib-mock + systemd: + daemon_reload: yes + name: var-lib-mock.service + enabled: yes + state: restarted diff --git a/ansible/roles/mock/tasks/main.yml b/ansible/roles/mock/tasks/main.yml new file mode 100644 index 00000000..ec51475e --- /dev/null +++ b/ansible/roles/mock/tasks/main.yml 
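Review bot: The hand-written `virtual=3` block repeats `checktype=negotiate` and `checkport=80` twice (once before `scheduler=wlc` and again after `protocol=fwm`); ldirectord takes the last value so this is harmless today, but the duplicate invites an edit that changes only one copy, so drop the trailing pair. One asymmetry worth a comment in the template header: the SMTP services (`virtual=3`, and the generated `offset + 3` ones) have no `fallback=`, while every HTTP service falls back to `127.0.0.1`; if that is deliberate (no local MTA on the director), `# SMTP pools intentionally have no fallback: the director runs no MTA` stops the next person from "fixing" it. The generated `real=` lines follow the same trailing `# hostname` style as the legacy entries, which keeps the file greppable — good.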
@@ -0,0 +1,69 @@ +--- +- name: Install mock and build dependencies + dnf: + name: + - mock + - redhat-lsb-core + - rpmdevtools + - cabal-install + - rubygems + - autoconf + state: present +- name: Disable setuid binaries in mock + copy: + dest: /etc/systemd/system/var-lib-mock.service + content: | + [Unit] + Description=Mock build directory nosuid bind mount + After=local-fs.target + # This wants to be a [Mount], but due to + # https://bugs.freedesktop.org/show_bug.cgi?id=53205 + # we can't actually achieve the desired effect. + [Service] + Type=oneshot + RemainAfterExit=true + ExecStart=/bin/mount -B /var/lib/mock /var/lib/mock + ExecStart=/bin/mount -o remount,nosuid /var/lib/mock + ExecStop=/bin/umount /var/lib/mock + [Install] + WantedBy=multi-user.target + notify: restart var-lib-mock +- name: Restrict mock to root + block: + - lineinfile: + path: /etc/pam.d/mock + insertafter: EOF + line: "{{ item }}" + loop: + - "auth required pam_deny.so" + - "account required pam_deny.so" + - replace: + path: /etc/pam.d/mock + regexp: '^(auth|account)\s+.*\s+system-auth' +- name: Configure mock chroots + vars: + releasever: "{{ item[0] }}" + arch: "{{ item[1] }}" + template: + src: chroot.cfg.j2 + dest: /etc/mock/scripts-fc{{ releasever }}-{{ arch }}.cfg + loop: + - ["{{ ansible_distribution_major_version }}", "x86_64"] + - ["{{ ansible_distribution_major_version }}", "i686"] +- name: Create local RPM repo + file: + path: /home/scripts-build/mock-local/ + owner: scripts-build + state: directory +- stat: + path: /home/scripts-build/mock-local/repodata/repomd.xml + register: md_st +- find: + paths: /home/scripts-build/mock-local/ + patterns: "*.rpm" + register: rpm_st +- name: Generate repo metadata + command: /usr/bin/createrepo /home/scripts-build/mock-local/ + become: yes + become_user: scripts-build + when: (not md_st.stat.exists) or (rpm_st.files and ((rpm_st.files|map(attribute='mtime')|max) > md_st.stat.mtime)) 
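Review bot: The `Restrict mock to root` block only achieves its goal if `/etc/pam.d/mock` keeps an earlier `pam_rootok.so`-style line that lets root through before the appended `pam_deny.so`; that dependency on the stock file's contents is nowhere stated, and neither sub-task carries a `name`. I would give the block a comment such as `# mock's consolehelper wrapper lets members of the mock group build as root: drop the system-auth includes and deny everyone else, leaving the package's root-passthrough line in place`, and name the two tasks (`Deny non-root in PAM`, `Remove system-auth includes`). Note that `replace:` with no `replace` value deletes the matched `system-auth` lines — that is the intent here but reads like an omission without a comment. The PAM file is package-owned, so it would also be worth a sentence on what happens when an upgrade rewrites it (the tasks re-apply on the next run, but there is a window).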
diff --git a/ansible/roles/mock/templates/chroot.cfg.j2 b/ansible/roles/mock/templates/chroot.cfg.j2 new file mode 100644 index 00000000..fabe85ca --- /dev/null +++ b/ansible/roles/mock/templates/chroot.cfg.j2 
@@ -0,0 +1,138 @@ +config_opts['root'] = 'fedora-{{ releasever }}-{{ arch }}' +config_opts['target_arch'] = '{{ arch }}' +config_opts['legal_host_arches'] = ('{{ arch }}',{% if arch == 'i686' %}'x86_64',{% endif %}) +# config_opts['module_enable'] = ['list', 'of', 'modules'] +# config_opts['module_install'] = ['module1/profile', 'module2/profile'] +config_opts['chroot_setup_cmd'] = 'install @buildsys-build' +config_opts['dist'] = 'fc{{ releasever }}' # only useful for --resultdir variable subst +config_opts['extra_chroot_dirs'] = [ '/run/lock', ] +config_opts['releasever'] = '{{ releasever }}' +config_opts['package_manager'] = 'dnf' + +config_opts['yum.conf'] = """ +[main] +keepcache=1 +debuglevel=2 +reposdir=/dev/null +logfile=/var/log/yum.log +retries=20 +obsoletes=1 +gpgcheck=0 +assumeyes=1 +syslog_ident=mock +syslog_device= +install_weak_deps=0 +metadata_expire=0 +best=1 +module_platform_id=platform:f{{ releasever }} + +# repos + +[fedora] +name=fedora +metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch +gpgkey=file:///usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-{{ releasever }}-primary +gpgcheck=1 +skip_if_unavailable=False + +[updates] +name=updates +metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-released-f$releasever&arch=$basearch +gpgkey=file:///usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-{{ releasever }}-primary +gpgcheck=1 +skip_if_unavailable=False + +[updates-testing] +name=updates-testing +metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-testing-f$releasever&arch=$basearch +enabled=0 +gpgkey=file:///usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-{{ releasever }}-primary +gpgcheck=1 +skip_if_unavailable=False + +[local] +name=local +baseurl=file:///home/scripts-build/mock-local/ +cost=2000 +enabled=1 + +{% for repo in rpm_repos %} +[{{ repo.key }}] +name={{ repo.name }} +baseurl={{ repo.baseurl }} +enabled={{ 1 if repo.enabled else 0 }} 
+gpgcheck=0 +{% endfor %} + +[fedora-debuginfo] +name=fedora-debuginfo +metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-debug-$releasever&arch=$basearch +enabled=0 +gpgkey=file:///usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-{{ releasever }}-primary +gpgcheck=1 +skip_if_unavailable=False + +[updates-debuginfo] +name=updates-debuginfo +metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-released-debug-f$releasever&arch=$basearch +enabled=0 +gpgkey=file:///usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-{{ releasever }}-primary +gpgcheck=1 +skip_if_unavailable=False + +[updates-testing-debuginfo] +name=updates-testing-debuginfo +metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-testing-debug-f$releasever&arch=$basearch +enabled=0 +gpgkey=file:///usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-{{ releasever }}-primary +gpgcheck=1 +skip_if_unavailable=False + +[fedora-source] +name=fedora-source +metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-source-$releasever&arch=$basearch +gpgkey=file:///usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-{{ releasever }}-primary +gpgcheck=1 +enabled=0 +skip_if_unavailable=False + +[updates-source] +name=updates-source +metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-released-source-f$releasever&arch=$basearch +gpgkey=file:///usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-{{ releasever }}-primary +gpgcheck=1 +enabled=0 +skip_if_unavailable=False + +# modular + +[fedora-modular] +name=Fedora Modular $releasever - $basearch +metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-modular-$releasever&arch=$basearch +enabled=0 +repo_gpgcheck=0 +type=rpm +gpgcheck=1 +gpgkey=file:///usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-$releasever-primary +skip_if_unavailable=False + +[fedora-modular-debuginfo] +name=Fedora Modular $releasever - $basearch - Debug 
+metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-modular-debug-$releasever&arch=$basearch +enabled=0 +repo_gpgcheck=0 +type=rpm +gpgcheck=1 +gpgkey=file:///usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-$releasever-primary +skip_if_unavailable=False + +[fedora-modular-source] +name=Fedora Modular $releasever - Source +metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-modular-source-$releasever&arch=$basearch +enabled=0 +repo_gpgcheck=0 +type=rpm +gpgcheck=1 +gpgkey=file:///usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-$releasever-primary +skip_if_unavailable=False +""" \ No newline at end of file diff --git a/ansible/roles/munin-node/handlers/main.yml b/ansible/roles/munin-node/handlers/main.yml index 306bffa7..b42b2d18 100644 --- a/ansible/roles/munin-node/handlers/main.yml +++ b/ansible/roles/munin-node/handlers/main.yml @@ -1,6 +1,12 @@ --- - name: reconfigure munin-node - shell: munin-node-configure --suggest --shell --remove-also | sh + shell: munin-node-configure --suggest --shell --remove-also | sh -x + register: munin_node_configure + changed_when: munin_node_configure.stderr != "" notify: restart munin-node + listen: network changed - name: restart munin-node - service: name=munin-node state=restarted + service: + name: munin-node + state: restarted + enabled: yes diff --git a/ansible/roles/munin-node/tasks/main.yml b/ansible/roles/munin-node/tasks/main.yml index 23f6ac14..6e61e579 100644 --- a/ansible/roles/munin-node/tasks/main.yml +++ b/ansible/roles/munin-node/tasks/main.yml @@ -1,8 +1,10 @@ --- -- name: Install munin-node - apt: - name: munin-node - state: present +- name: Install munin-node debian + apt: name=munin-node state=present + when: ansible_os_family == "Debian" +- name: Install munin-node redhat + dnf: name=munin-node state=present + when: ansible_os_family == "RedHat" - name: Configure munin blockinfile: path: /etc/munin/munin-node.conf 
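Review bot: Every repository this template adds beyond Fedora's own — `[local]` and each `rpm_repos` entry — is consumed with `gpgcheck=0`, and `[main]` sets `gpgcheck=0` as well, so whatever those baseurls serve is an unverified input to every package built in the chroot. The `rpm_repos` baseurls are not visible here; if any is `http://` or a shared filesystem, a network- or filesystem-level attacker can substitute build dependencies. If those repos are signed, carry the key through: `gpgcheck={{ 1 if repo.gpgkey is defined else 0 }}` followed by `{% if repo.gpgkey is defined %}gpgkey={{ repo.gpgkey }}{% endif %}`; if they are not, state that above the loop so the decision is visible rather than implicit. For `[local]`, the directory is owned by `scripts-build` and populated by `createrepo` running as that user, so that account is effectively a build-input root — a comment naming that trust boundary would help whoever audits this later.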
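Review bot: The `reconfigure munin-node` handler pipes `munin-node-configure` into `sh -x`, so a failure of `munin-node-configure` itself is masked by the pipeline's exit status, which is that of `sh`; with `-x` the `changed_when` test on stderr also reports "changed" for any error text, not only for executed commands. Make the producer's failure visible: `shell: set -o pipefail; munin-node-configure --suggest --shell --remove-also | sh -x` with `args: {executable: /bin/bash}`. The stderr-based change detection can stay as it is once the exit status is honest.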
diff --git a/ansible/roles/network_interface b/ansible/roles/network_interface index abc5f4e0..4f673acd 160000 --- a/ansible/roles/network_interface +++ b/ansible/roles/network_interface @@ -1 +1 @@ -Subproject commit abc5f4e04d9ef309f7ca5133f0e0bcc807e926f5 +Subproject commit 4f673acd8c1563de3567a422b60ed5523d445bba diff --git a/ansible/roles/nrpe/defaults/main.yml b/ansible/roles/nrpe/defaults/main.yml new file mode 100644 index 00000000..2505ae57 --- /dev/null +++ b/ansible/roles/nrpe/defaults/main.yml @@ -0,0 +1,8 @@ +--- +nrpe_checks: + check_load: /usr/lib/nagios/plugins/check_load -w 15,10,5 -c 30,25,20 + check_disk: /usr/lib/nagios/plugins/check_disk -w 10% -c 5% + check_disk1: /usr/lib/nagios/plugins/check_disk -w 20 -c 10 -p /dev/hda1 + check_disk2: /usr/lib/nagios/plugins/check_disk -w 20 -c 10 -p /dev/hdb1 + check_zombie_procs: /usr/lib/nagios/plugins/check_procs -w 5 -c 10 -s Z + check_total_procs: /usr/lib/nagios/plugins/check_procs -w 150 -c 200 diff --git a/ansible/roles/nrpe/handlers/main.yml b/ansible/roles/nrpe/handlers/main.yml new file mode 100644 index 00000000..b51cf678 --- /dev/null +++ b/ansible/roles/nrpe/handlers/main.yml @@ -0,0 +1,10 @@ +--- +- name: restart nrpe debian + listen: restart nrpe + service: name=nagios-nrpe-server state=restarted + when: ansible_os_family == "Debian" +- name: restart nrpe redhat + listen: restart nrpe + service: name=nrpe state=restarted + when: ansible_os_family == "RedHat" + diff --git a/ansible/roles/nrpe/tasks/main.yml b/ansible/roles/nrpe/tasks/main.yml new file mode 100644 index 00000000..0868ec92 --- /dev/null +++ b/ansible/roles/nrpe/tasks/main.yml 
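Review bot: `check_disk1` and `check_disk2` hard-code `/dev/hda1` and `/dev/hdb1`, the legacy IDE device names from the stock NRPE sample config; on the Fedora and Debian hosts this role targets those paths are unlikely to exist, so the checks would return an error rather than a reading. Since `check_disk` already covers all filesystems at 10%/5%, either drop the two entries or point them at mount points, e.g. `check_disk1: /usr/lib/nagios/plugins/check_disk -w 20 -c 10 -p /`. The `/usr/lib/nagios/plugins` prefix is Debian's; on x86_64 Fedora the `nagios-plugins-all` package installed by the task puts them under `/usr/lib64/nagios/plugins`, so that prefix probably wants to be a per-OS-family variable as well.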
@@ -0,0 +1,26 @@ +--- +- name: Install nrpe debian + apt: name=nagios-nrpe-server state=present + when: ansible_os_family == "Debian" +- name: Install nrpe redhat + dnf: + name: + - nrpe + - nagios-plugins-all + state: present + when: ansible_os_family == "RedHat" +- name: Configure nrpe + lineinfile: + line: include=/etc/nagios/nrpe_local.cfg + path: /etc/nagios/nrpe.cfg + notify: restart nrpe +- name: Configure nrpe 2 + template: + src: nrpe_local.cfg.j2 + dest: /etc/nagios/nrpe_local.cfg + notify: restart nrpe +- name: Enable nrpe + service: + name: '{{ "nrpe" if ansible_os_family == "RedHat" else "nagios-nrpe-server" }}' + state: started + enabled: yes diff --git a/ansible/roles/nrpe/templates/nrpe_local.cfg.j2 b/ansible/roles/nrpe/templates/nrpe_local.cfg.j2 new file mode 100644 index 00000000..2ec29273 --- /dev/null +++ b/ansible/roles/nrpe/templates/nrpe_local.cfg.j2 @@ -0,0 +1,4 @@ +allowed_hosts=18.4.60.65 +{% for name, command in nrpe_checks | dictsort %} +command[{{ name }}]={{ command }} +{% endfor %} diff --git a/ansible/roles/packages/tasks/main.yml b/ansible/roles/packages/tasks/main.yml new file mode 100644 index 00000000..1a648368 --- /dev/null +++ b/ansible/roles/packages/tasks/main.yml @@ -0,0 +1,8 @@ +--- +- name: List scripts packages + dnf: + list: available + disablerepo: [fedora, updates, fedora-modular, updates-modular] + register: dnf_list_available +- set_fact: + scripts_packages: "{{ dnf_list_available | json_query('results[*].name') }}" diff --git a/ansible/roles/proxy-dns/defaults/main.yml b/ansible/roles/proxy-dns/defaults/main.yml new file mode 100644 index 00000000..1234fb51 --- /dev/null +++ b/ansible/roles/proxy-dns/defaults/main.yml @@ -0,0 +1 @@ +proxy_dns_port: 5353 diff --git a/ansible/roles/proxy-dns/files/named-scripts-proxy.service b/ansible/roles/proxy-dns/files/named-scripts-proxy.service new file mode 100644 index 00000000..97c8a5a1 --- /dev/null +++ b/ansible/roles/proxy-dns/files/named-scripts-proxy.service 
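Review bot: `allowed_hosts=18.4.60.65` is hard-coded in the template while every check is a variable in defaults; NRPE's `allowed_hosts` is a source-IP check only (no SSL settings appear in this role), so it is the single control on who may trigger these commands and should be as reviewable and overridable as the checks. Promote it: `nrpe_allowed_hosts: [18.4.60.65]` in defaults and `allowed_hosts={{ nrpe_allowed_hosts | join(',') }}` in the template. Also note the `include=` line is appended to the end of `nrpe.cfg`, so this `allowed_hosts` comes after the stock `127.0.0.1` entry; I believe NRPE keeps the last assignment rather than merging, but confirm on the target version, because the alternative is that the monitoring host is not allowed at all.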
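Review bot: `json_query('results[*].name')` requires the `jmespath` Python package on the controller, which Ansible does not ship; the same projection with no extra dependency is `scripts_packages: "{{ dnf_list_available.results | map(attribute='name') | list }}"`. Because `real-afs/defaults` derives `use_afs` from this fact, a controller without jmespath fails every host that role touches, which is an easy trap for a new operator. Giving the `set_fact` task a `name:` would also match the first task's style.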
@@ -0,0 +1,30 @@ +[Unit] +Description=BIND serving pool information from Scripts LDAP +Wants=nss-lookup.target +Wants=named-setup-rndc.service +Before=nss-lookup.target +Before=haproxy.service +After=named-setup-rndc.service +After=network.target + +[Service] +Type=forking +Environment=NAMEDCONF=/etc/named.scripts-proxy.conf +EnvironmentFile=-/etc/sysconfig/named-scripts-proxy +PIDFile=/run/named-scripts-proxy/named-scripts-proxy.pid + +User=named +Group=named +RuntimeDirectory=named-scripts-proxy +StateDirectory=named-scripts-proxy + +ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi' +ExecStart=/usr/sbin/named -c ${NAMEDCONF} $OPTIONS +ExecReload=/bin/sh -c 'if /usr/sbin/rndc -p 5354 null > /dev/null 2>&1; then /usr/sbin/rndc -p 5354 reload; else /bin/kill -HUP $MAINPID; fi' + +ExecStop=/bin/sh -c '/usr/sbin/rndc -p 5354 stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID' + +PrivateTmp=true + +[Install] +WantedBy=multi-user.target diff --git a/ansible/roles/proxy-dns/handlers/main.yml b/ansible/roles/proxy-dns/handlers/main.yml new file mode 100644 index 00000000..8a33d37e --- /dev/null +++ b/ansible/roles/proxy-dns/handlers/main.yml @@ -0,0 +1,12 @@ +- name: restart named-scripts-proxy + systemd: + daemon_reload: yes + name: named-scripts-proxy.service + enabled: yes + state: restarted +# N.B. reload has to come after restart, or we might try to reload a +# service that doesn't exist yet. +- name: reload named-scripts-proxy + service: + name: named-scripts-proxy + state: reloaded diff --git a/ansible/roles/proxy-dns/tasks/main.yml b/ansible/roles/proxy-dns/tasks/main.yml new file mode 100644 index 00000000..04aefcce --- /dev/null +++ b/ansible/roles/proxy-dns/tasks/main.yml 
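Review bot: `ExecReload` and `ExecStop` hard-code `-p 5354` for rndc, and the matching `controls` port in `named.scripts-proxy.conf.j2` is hard-coded too, while the listen port is templated via `proxy_dns_port`; if one control port is later changed and not the other, reload silently degrades to `kill -HUP` and stop to `kill -TERM`, hiding the mismatch. Either feed the port through the existing `EnvironmentFile=-/etc/sysconfig/named-scripts-proxy` (`Environment=RNDC_PORT=5354` here and `rndc -p $RNDC_PORT` inside the `sh -c` strings) or at least record the coupling: `# -p 5354 must match controls{} in /etc/named.scripts-proxy.conf`. Since this is a second named instance with only `PrivateTmp=true` for sandboxing, the basic directives `NoNewPrivileges=true`, `ProtectSystem=full` and `ProtectHome=true` are compatible with the `RuntimeDirectory`/`StateDirectory` paths used here and worth adding — test that the DLZ `dlopen` of `/usr/lib64/bind/dlz_ldap_dynamic.so` still loads under them.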
@@ -0,0 +1,21 @@ +--- +- name: Install named + dnf: + name: + - bind + - bind-dlz-ldap + state: present +- name: Configure named + template: + dest: /etc/named.scripts-proxy.conf + src: named.scripts-proxy.conf.j2 + group: named + setype: named_conf_t + notify: reload named-scripts-proxy +- name: Install systemd unit + copy: + dest: /etc/systemd/system/named-scripts-proxy.service + src: named-scripts-proxy.service + notify: restart named-scripts-proxy +- name: Start or reload bind if necessary + meta: flush_handlers diff --git a/ansible/roles/proxy-dns/templates/named.scripts-proxy.conf.j2 b/ansible/roles/proxy-dns/templates/named.scripts-proxy.conf.j2 new file mode 100644 index 00000000..db67237b --- /dev/null +++ b/ansible/roles/proxy-dns/templates/named.scripts-proxy.conf.j2 
@@ -0,0 +1,74 @@ +// Scripts LDAP-backed named configuration +// +// Note: This configuration is designed to serve addresses used internally +// by the scripts.mit.edu webhosting service to assign individual vhosts +// to load balancer pools. It does *NOT* serve the same addresses these +// vhosts have in real DNS. +// +// Originally by: +// Josh Noguera +// Mitch Berger + +controls { + inet 127.0.0.1 port 5354 allow { localhost; }; + inet ::1 port 5354 allow { localhost; }; +}; + +options { + listen-on port {{ proxy_dns_port }} { 127.0.0.1; }; + listen-on-v6 port {{ proxy_dns_port }} { ::1; }; + directory "/var/lib/named-scripts-proxy"; + pid-file "/run/named-scripts-proxy/named-scripts-proxy.pid"; + session-keyfile "/run/named-scripts-proxy/session.key"; +}; + +// Basic documentation for the configuration below can be found at: +// http://bind-dlz.sourceforge.net/ldap_driver.html +// +// Following is an explanation of things not made clear by that page: +// +// When dlz is sent a query for a given DNS domain name, it breaks +// that up into two pieces: a record and a zone. Initially, the zone +// is the entire domain name, and the record is "@". The dlz driver +// will run a "zone query" (explained shortly) to see if this server +// is authoritative for that zone. If so, it will run the "record +// query" (also explained shortly) to get the info. If not, the +// first component of the zone will be moved from the zone to the +// record (which will no longer have "@") and the zone query will +// be tried again with the shorter zone. Eventually, if zone queries +// keep failing, the record will end up with the entire domain name +// and the zone will be "." If that fails, too, the server won't +// return a result. +// +// The first LDAP URL below is the "zone query". Since we serve +// hostnames under scripts.mit.edu, under mit.edu, and externally +// registered hostnames, we must pretend to be authoritative for +// everything. 
So, we just look up the ou record that Scripts keeps +// all vhosts under. It does not matter at all what this query returns; +// it just has to return at least 1 result to become authoritative. +// It doesn't have to return any attributes at all, but it can; they +// are discarded. The zone query is required to have the $zone$ token +// somewhere in it; we are simply using it as a bogus attribute name +// to satisfy that requirement. +// +// The second LDAP URL below is the "record query". It has to return +// three attributes in order for an A record: the TTL, the record type, +// and the IP address. Because we're authoritative for all zones, the +// $record$ token will always be "@" in our case; as a result, we are +// using the $zone$ token despite it being nonintuitive. The record +// query is required to have the $record$ token somewhere in it; we +// are ORing it into the search though that clause will never match +// a real vhost in LDAP to satisfy that requirement. +// +// The documentation says the tokens are surrounded by percent signs; +// this changed some years ago to dollar signs. +// +// TODO: Check if queries are actually load-balanced among the servers. + +dlz "scripts-ldap" { + database "dlopen /usr/lib64/bind/dlz_ldap_dynamic.so {{ groups['scripts-ldap'] | length }} + v3 simple {} {} {{"{"}}{{ groups['scripts-ldap'] | join(' ') }}{{"}"}} + ldap:///ou=VirtualHosts,dc=scripts,dc=mit,dc=edu?$zone$?base + ldap:///ou=VirtualHosts,dc=scripts,dc=mit,dc=edu?scriptsVhostPoolTTL,scriptsVhostPoolDNSRecordType,scriptsVhostPoolIPv4?one?(|(scriptsVhostName=$zone$)(scriptsVhostAlias=$zone$)(scriptsVhostName=$record$))"; +}; + diff --git a/ansible/roles/proxy-haproxy/handlers/main.yml b/ansible/roles/proxy-haproxy/handlers/main.yml new file mode 100644 index 00000000..57dd4bd8 --- /dev/null +++ b/ansible/roles/proxy-haproxy/handlers/main.yml @@ -0,0 +1,3 @@ +--- +- name: reload haproxy + service: name=haproxy state=reloaded 
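Review bot: The record query interpolates `$zone$` straight into an LDAP filter, and the name resolved here originates from the client's `Host` header or TLS SNI via HAProxy's `do-resolve`, not from a trusted resolver; unless `dlz_ldap_dynamic` escapes RFC 4515 metacharacters (`*`, `(`, `)`, `\`), a query for a name containing `*` could match every vhost under `ou=VirtualHosts` and return the first pool, and a `)` could make the filter unparsable. I cannot confirm the driver's escaping from here, so before this serves real traffic I would probe it with a `dig @127.0.0.1 -p 5353` query for a name containing `*` and add a hostname-shaped ACL on the HAProxy side regardless. The bind is `simple {} {}` (anonymous) over plain `ldap://` to every host in `scripts-ldap`, so routing decisions rest on unauthenticated, unencrypted LDAP replies — acceptable only if that traffic never leaves a trusted segment; say so in the header comment or move to `ldaps://`. The `TODO: Check if queries are actually load-balanced` line could also record how failover was tested, since one dead server in the list is the likeliest failure mode.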
diff --git a/ansible/roles/proxy-haproxy/meta/main.yml b/ansible/roles/proxy-haproxy/meta/main.yml new file mode 100644 index 00000000..af518f8b --- /dev/null +++ b/ansible/roles/proxy-haproxy/meta/main.yml @@ -0,0 +1,3 @@ +--- +dependencies: + - proxy-dns diff --git a/ansible/roles/proxy-haproxy/tasks/install_Debian.yml b/ansible/roles/proxy-haproxy/tasks/install_Debian.yml new file mode 100644 index 00000000..f223bfbd --- /dev/null +++ b/ansible/roles/proxy-haproxy/tasks/install_Debian.yml @@ -0,0 +1,17 @@ +- copy: + dest: /etc/apt/sources.list.d/backports.list + content: | + deb http://deb.debian.org/debian buster-backports main + deb-src http://deb.debian.org/debian buster-backports main +- apt: + update_cache: yes +- apt: + name: + - haproxy + default_release: buster-backports + state: present +- apt: + name: + - hatop + - haproxyctl + state: present diff --git a/ansible/roles/proxy-haproxy/tasks/install_RedHat.yml b/ansible/roles/proxy-haproxy/tasks/install_RedHat.yml new file mode 100644 index 00000000..ec61afbc --- /dev/null +++ b/ansible/roles/proxy-haproxy/tasks/install_RedHat.yml @@ -0,0 +1,21 @@ +- name: Make Rawhide available + dnf: + name: + - fedora-repos-rawhide + state: present + when: ansible_distribution_major_version|int <= 31 +- name: "Install haproxy" + dnf: + name: + - haproxy + enablerepo: "{{ 'rawhide' if ansible_distribution_major_version|int <= 31 else '' }}" + state: present +- name: "Install hatop" + get_url: + url: https://raw.githubusercontent.com/feurix/hatop/64e0f26d2e392d1f2535f1b0229e45798c7514e8/bin/hatop + checksum: "sha256:0b2ff2a76e73530d8a8dbce965aa3c12bf958a8311170b5d7731e7aa1fb0c07f" + dest: /usr/local/bin/hatop + mode: '0755' +- name: "Install haproxyctl" + pip: + name: git+https://github.com/neurogeek/haproxyctl.git@8a10db76fdb7d6364a3ad99150c3ed37af439e71 diff --git a/ansible/roles/proxy-haproxy/tasks/main.yml b/ansible/roles/proxy-haproxy/tasks/main.yml new file mode 100644 index 00000000..15ff8e90 --- /dev/null 
+++ b/ansible/roles/proxy-haproxy/tasks/main.yml @@ -0,0 +1,25 @@ +--- +- include_tasks: 'install_{{ ansible_os_family }}.yml' +- name: Configure haproxy + template: + src: haproxy.cfg.j2 + dest: /etc/haproxy/haproxy.cfg + notify: reload haproxy +- name: Automatically restart haproxy on failure + block: + - file: + path: /etc/systemd/system/haproxy.service.d + state: directory + - copy: + dest: /etc/systemd/system/haproxy.service.d/10-scripts.conf + content: | + [Service] + Restart=on-failure + register: override +- name: Enable haproxy + service: + name: haproxy + daemon_reload: "{{ override.changed }}" + enabled: yes + state: started +# TODO: disable "client" when destination is off-subnet diff --git a/ansible/roles/proxy-haproxy/templates/haproxy.cfg.j2 b/ansible/roles/proxy-haproxy/templates/haproxy.cfg.j2 new file mode 100644 index 00000000..2cb3ddcd --- /dev/null +++ b/ansible/roles/proxy-haproxy/templates/haproxy.cfg.j2 
@@ -0,0 +1,118 @@ +#--------------------------------------------------------------------- +# Example configuration for a possible web application. See the +# full configuration options online. +# +# https://www.haproxy.org/download/1.8/doc/configuration.txt +# +#--------------------------------------------------------------------- + +#--------------------------------------------------------------------- +# Global settings +#--------------------------------------------------------------------- +global + # to have these messages end up in /var/log/haproxy.log you will + # need to: + # + # 1) configure syslog to accept network log events. This is done + # by adding the '-r' option to the SYSLOGD_OPTIONS in + # /etc/sysconfig/syslog + # + # 2) configure local2 events to go to the /var/log/haproxy.log + # file. A line like the following can be added to + # /etc/sysconfig/syslog + # + # local2.* /var/log/haproxy.log + # + #log 127.0.0.1 local2 debug + + chroot /var/lib/haproxy + pidfile /var/run/haproxy.pid + maxconn 4000 +# user haproxy + group haproxy + daemon + # do-resolve is not threadsafe, so restrict haproxy to one thread + # See https://github.com/haproxy/haproxy/issues/227 + nbthread 1 + + # turn on stats unix socket + stats socket /var/lib/haproxy/stats + + # utilize system-wide crypto-policies + ssl-default-bind-ciphers PROFILE=SYSTEM + ssl-default-server-ciphers PROFILE=SYSTEM + +#--------------------------------------------------------------------- +# common defaults that all the 'listen' and 'backend' sections will +# use if not designated in their block +#--------------------------------------------------------------------- +defaults + mode http + log global + option httplog + option dontlognull + option http-server-close +# option forwardfor except 127.0.0.0/8 + option redispatch + retries 3 + timeout http-request 10s + timeout queue 1m + timeout connect 10s + timeout client 1m + timeout server 1m + timeout http-keep-alive 10s + timeout check 10s + 
maxconn 5000 + +frontend scripts_http_frontend + bind *:80 + # the lower option is required to make it work in the http frontend + http-request do-resolve(txn.ldapip,scripts_dns,ipv4) req.hdr(host),lower + http-request do-resolve(txn.ldapip,scripts_dns,ipv4) str(scripts.mit.edu) if ! { var(txn.ldapip) -m found } + http-request capture var(txn.ldapip) len 40 + # everything but '%[capture.req.hdr(0)]' is the default http log format. '%[capture.req.header(0)]' gets the first thing we captured, which in this case is txn.ldapip. + # log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r %[capture.req.hdr(0)]" + use_backend scripts_http_offnet_backend if ! { var(txn.ldapip) 18.4.86.0/24 } + default_backend scripts_http_backend + +frontend scripts_tcp_frontend + bind *:443-444 + mode tcp + tcp-request inspect-delay 5s + tcp-request content do-resolve(txn.ldapip,scripts_dns,ipv4) req.ssl_sni + tcp-request content capture var(txn.ldapip) len 40 + # everything but '%[capture.req.hdr(0)]' is the default tcp log format. + # log-format "%ci:%cp [%t] %ft %b/%s %Tw/%Tc/%Tt %B %ts %ac/%fc/%bc/%sc/%rc %sq/%bq %[capture.req.hdr(0)]" + tcp-request content accept if { req.ssl_hello_type 1 } { var(txn.ldapip) -m found } + use_backend scripts_tcp_offnet_backend if ! 
{ var(txn.ldapip) 18.4.86.0/24 } + default_backend scripts_tcp_backend + +backend scripts_http_backend + http-request reject unless { var(txn.ldapip) -m found } + http-request set-dst var(txn.ldapip) + source 0.0.0.0 usesrc client + server clear 0.0.0.0:0 + +backend scripts_tcp_backend + mode tcp + tcp-request content reject unless { var(txn.ldapip) -m found } + tcp-request content set-dst var(txn.ldapip) + source 0.0.0.0 usesrc client + server clear 0.0.0.0:0 + +backend scripts_http_offnet_backend + http-request reject unless { var(txn.ldapip) -m found } + http-request set-dst var(txn.ldapip) + server clear 0.0.0.0:0 + +backend scripts_tcp_offnet_backend + mode tcp + tcp-request content do-resolve(txn.ldapip,scripts_dns,ipv4) str(scripts.mit.edu) unless { var(txn.ldapip) -m found } + tcp-request content reject unless { var(txn.ldapip) -m found } + tcp-request content set-dst var(txn.ldapip) + server clear 0.0.0.0:0 + +resolvers scripts_dns + nameserver bind-ldap 127.0.0.1:{{ proxy_dns_port }} + resolve_retries 1 + accepted_payload_size 8192 diff --git a/ansible/roles/proxy-network/handlers/main.yml b/ansible/roles/proxy-network/handlers/main.yml new file mode 100644 index 00000000..663b3faa --- /dev/null +++ b/ansible/roles/proxy-network/handlers/main.yml @@ -0,0 +1,4 @@ +--- +- name: reload iptables + service: name=iptables state=reloaded + diff --git a/ansible/roles/proxy-network/meta/main.yml b/ansible/roles/proxy-network/meta/main.yml new file mode 100644 index 00000000..78e5a62d --- /dev/null +++ b/ansible/roles/proxy-network/meta/main.yml @@ -0,0 +1,17 @@ +--- +dependencies: +- role: systemd-networkd + vars: + lo_extra: | + {% for vip in vips|rejectattr('codename', 'defined') if vip.type|default(True) != 'director' %} + [Address] + Address={{vip.ip}}/32 + {% endfor %} + [RoutingPolicyRule] + FirewallMark=1 + Table=1 + [Route] + Destination=0.0.0.0/0 + Type=local + Table=1 +- role: sysctl 
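Review bot: The two `*_offnet_backend`s forward to whatever address the LDAP-backed resolver returned, with "not in 18.4.86.0/24" as the only filter; a vhost whose `scriptsVhostPoolIPv4` is set to 127.0.0.1, a link-local or RFC1918 address, or this proxy's own VIP makes the proxy connect there on the client's behalf (including to the 5353/5354 listeners on loopback). Unless the off-net pools are few enough to allowlist, reject the obviously wrong destinations before `set-dst`: `http-request reject if { var(txn.ldapip) 127.0.0.0/8 169.254.0.0/16 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 }` in the http frontend and its `tcp-request content reject if { ... }` twin in the tcp frontend. `# user haproxy` is commented out without explanation; I assume `source 0.0.0.0 usesrc client` needs root or CAP_NET_ADMIN, but that belongs in a comment next to the line, and on the HAProxy version the Debian/Rawhide tasks install the `setcap cap_net_admin` global keyword may allow keeping `user haproxy` — worth a try. `stats socket /var/lib/haproxy/stats` has no explicit `mode` or `level`, so its permissions come from the umask; `mode 600 level operator` (or `admin` if hatop needs it) makes the intent explicit.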
diff --git a/ansible/roles/proxy-network/tasks/main.yml b/ansible/roles/proxy-network/tasks/main.yml new file mode 100644 index 00000000..9ad7abe6 --- /dev/null +++ b/ansible/roles/proxy-network/tasks/main.yml @@ -0,0 +1,29 @@ +--- +- name: Install iptables service + dnf: name=iptables-services state=present +- name: Handle inbound backend traffic with spoofed destinations + copy: + dest: /etc/sysconfig/iptables + content: | + *mangle + :PREROUTING ACCEPT [0:0] + :INPUT ACCEPT [0:0] + :FORWARD ACCEPT [0:0] + :OUTPUT ACCEPT [0:0] + :POSTROUTING ACCEPT [0:0] + -A PREROUTING -p tcp -m socket -j MARK --set-xmark 1 + COMMIT + notify: reload iptables +- name: Start iptables rules + service: + name: iptables + enabled: yes + state: started +- name: Accept reply packets with spoofed destination addresses from backends + copy: + dest: /etc/sysctl.d/99-scripts-proxy.conf + content: | + net.ipv4.conf.all.rp_filter = 0 + net.ipv4.conf.all.accept_local = 1 + net.ipv4.conf.all.log_martians = 1 + notify: apply sysctl diff --git a/ansible/roles/real-afs/defaults/main.yml b/ansible/roles/real-afs/defaults/main.yml new file mode 100644 index 00000000..5098e049 --- /dev/null +++ b/ansible/roles/real-afs/defaults/main.yml @@ -0,0 +1,2 @@ +use_afs: "{{ 'fuse-better-mousetrapfs' in scripts_packages and 'openafs-client' in scripts_packages and 'dkms-openafs' in scripts_packages and 'tokensys' in scripts_packages }}" +afs_cache_size: 10000000 diff --git a/server/fedora/config/usr/vice/etc/CellServDB.local b/ansible/roles/real-afs/files/CellServDB.local similarity index 100% rename from server/fedora/config/usr/vice/etc/CellServDB.local rename to ansible/roles/real-afs/files/CellServDB.local diff --git a/ansible/roles/real-afs/handlers/main.yml b/ansible/roles/real-afs/handlers/main.yml new file mode 100644 index 00000000..718f027b --- /dev/null +++ b/ansible/roles/real-afs/handlers/main.yml 
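Review bot: `net.ipv4.conf.all.rp_filter = 0` on its own may not disable reverse-path filtering, because the kernel applies the maximum of `conf.all` and `conf.<iface>` per interface; an uplink brought up while `conf.default.rp_filter` was 1 (or 2, where systemd's `50-default.conf` sets it) keeps that value and still drops backend replies whose source is a VIP held on `lo`. Add `net.ipv4.conf.default.rp_filter = 0` and an entry for the uplink interface (its name is not visible here and would need to come from the `systemd-networkd` role's variables); `log_martians = 1` will show whether the filter is still biting. The task name says "spoofed destination addresses", but what arrives from a backend is a reply whose *source* is a locally held VIP and whose destination is the client, which is what `accept_local = 1` admits — renaming it to `Accept backend replies sourced from our locally held VIPs` keeps the next reader from hunting for a destination rewrite.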
@@ -0,0 +1,15 @@ +--- +- name: restart openafs-client + service: + name: openafs-client + enabled: yes + state: restarted + notify: restart better-mousetrapfs + when: not openafs_started.changed +- name: restart better-mousetrapfs + systemd: + daemon_reload: yes + name: afs-000.mount + enabled: yes + state: restarted + when: not better_mousetrapfs_started.changed diff --git a/ansible/roles/real-afs/meta/main.yml b/ansible/roles/real-afs/meta/main.yml new file mode 100644 index 00000000..9be9eea7 --- /dev/null +++ b/ansible/roles/real-afs/meta/main.yml @@ -0,0 +1,6 @@ +--- +dependencies: + - packages + - sysctl + - real-fuse + - real-keytabs diff --git a/ansible/roles/real-afs/tasks/main.yml b/ansible/roles/real-afs/tasks/main.yml new file mode 100644 index 00000000..e412245d --- /dev/null +++ b/ansible/roles/real-afs/tasks/main.yml 
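Review bot: Both handlers' `when:` clauses dereference registered variables (`openafs_started.changed`, `better_mousetrapfs_started.changed`) that only exist once the matching `Start` tasks in the tasks file have run; if a handler fires before that point — a play that fails after a `notify` with handlers forced, or a later reordering of the tasks — the condition errors on an undefined variable and the restart is lost. Guard the lookup, e.g. `when: openafs_started is not defined or not openafs_started.changed`, and the same for `better_mousetrapfs_started`. A one-line comment above each handler saying which task registers the variable would document the cross-file coupling.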
@@ -0,0 +1,146 @@ +--- +- name: Scripts AFS + when: use_afs + block: + - name: Install OpenAFS + dnf: + name: + - fuse-better-mousetrapfs + - scripts-dkms-openafs + - kernel-devel + - scripts-openafs-client + - scripts-openafs-authlibs + - scripts-openafs-devel + - scripts-openafs-krb5 + - tokensys + state: present + - name: Disable garbage collection of PAGs + copy: + dest: /etc/sysctl.d/99-scripts-afs.conf + content: | + afs.GCPAGs = 0 + notify: apply sysctl + - name: Increase AFS performance + ini_file: + no_extra_spaces: yes + path: /etc/sysconfig/openafs + section: null + option: AFSD_ARGS + value: '"-afsdb -dynroot -fakestat -stat 25000 -daemons 100 -volumes 4000 -files {{ afs_cache_size // 25 }} -chunksize 19"' + notify: restart openafs-client + - name: Configure ThisCell + copy: + dest: /usr/vice/etc/ThisCell + content: | + athena.mit.edu + notify: restart openafs-client + - name: Configure CellServDB + copy: + dest: /usr/vice/etc/CellServDB.local + src: CellServDB.local + notify: restart openafs-client + - name: Configure CellAlias + copy: + dest: /usr/vice/etc/CellAlias + content: | + athena.mit.edu athena + csail.mit.edu csail + dev.mit.edu dev + lees.mit.edu lees + net.mit.edu net + ops.mit.edu ops + sipb.mit.edu sipb + andrew.cmu.edu andrew + acpub.duke.edu acpub + notify: restart openafs-client + - name: Resize AFS cache + copy: + dest: /usr/vice/etc/cacheinfo + content: | + /afs:/usr/vice/cache:{{ afs_cache_size }} + notify: restart openafs-client + - name: Configure SuidCells + copy: + dest: /usr/vice/etc/{{ item }} + content: "" + loop: + - SuidCells + - SuidCells.dist + - SuidCells.local + notify: restart openafs-client + - name: Configure NetRestrict + template: + dest: /usr/vice/etc/NetRestrict + src: NetRestrict.j2 + notify: restart openafs-client + - name: Configure better-mousetrapfs + copy: + dest: /etc/systemd/system/afs-000.mount + content: | + [Unit] + Description=FUSE better mousetrap filesystem + Requires=openafs-client.service + 
Before=remote-fs.target + After=openafs-client.service + [Mount] + What=/usr/sbin/better-mousetrapfs + Where=/afs/000 + Type=fuse + Options=defaults,nonempty,_netdev,nofail + [Install] + WantedBy=multi-user.target + notify: restart better-mousetrapfs + register: afs000_mount + - name: Configure better-mousetrapfs mountpoint + copy: + dest: /usr/vice/etc/CellServDB.mousetrap + content: | + >000 #better-mousetrapfs (see /usr/local/sbin/better-mousetrapfs) + notify: + - restart openafs-client + - restart better-mousetrapfs + - name: Start openafs-client + service: + name: openafs-client + enabled: yes + state: started + register: openafs_started + - name: Start better-mousetrapfs + systemd: + daemon_reload: "{{ afs000_mount.changed }}" + name: afs-000.mount + enabled: yes + state: started + register: better_mousetrapfs_started + - name: Enable afsagent + systemd: + name: "{{ item }}" + enabled: yes + loop: + - scripts-afsagent.service + - scripts-afsagent-startup.service + - scripts-afsagent.timer + when: has_daemon_keytab + - name: Start afsagent + systemd: + name: "{{ item }}" + state: started + loop: + - scripts-afsagent-startup.service + - scripts-afsagent.timer + when: has_daemon_keytab + +# CellServDB maintains a mapping of cell names to IP addresses of servers +# serving them. + +# Under normal operation, CellServDB.dist (which is distributed by the +# OpenAFS package) and CellServDB.local (which is normally empty, but can +# be used to add local AFS cells.) + +# However, we patch OpenAFS's systemd unit file to instead concatenate +# CellServDB.local (which is Athena Ops provided database) and +# CellServDB.mousetrap (which is a bogus entry for better-mousetrapfs, +# which catches and kills 'find /afs'). + +# CellServDB.mousetrap must be concatenated at the end, as readdir on +# /afs returns cells in reverse order they are in CellServDB. 
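Review bot: The `Configure SuidCells` task writes three empty files but nothing says why; an empty SuidCells list means the cache manager honours setuid/setgid bits in no cell, which matters more here because `-afsdb` in `AFSD_ARGS` lets cells not listed in CellServDB be reached through DNS lookups. Add a comment above the task such as `# Empty SuidCells* files: honour setuid/setgid in no AFS cell; cells reachable via -afsdb are untrusted`. `Disable garbage collection of PAGs` (`afs.GCPAGs = 0`) would likewise benefit from a one-line comment giving the operational reason, since the task name only restates the setting.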
diff --git a/ansible/roles/real-afs/templates/NetRestrict.j2 b/ansible/roles/real-afs/templates/NetRestrict.j2 new file mode 100644 index 00000000..24956248 --- /dev/null +++ b/ansible/roles/real-afs/templates/NetRestrict.j2 @@ -0,0 +1,3 @@ +{% for address in ansible_lo.ipv4_secondaries %} +{{ address.address }} +{% endfor %} diff --git a/server/fedora/config/etc/cron.daily/num-crontabs b/ansible/roles/real-cron/files/num-crontabs similarity index 100% rename from server/fedora/config/etc/cron.daily/num-crontabs rename to ansible/roles/real-cron/files/num-crontabs diff --git a/ansible/roles/real-cron/files/scripts.conf b/ansible/roles/real-cron/files/scripts.conf new file mode 100644 index 00000000..767de109 --- /dev/null +++ b/ansible/roles/real-cron/files/scripts.conf @@ -0,0 +1,3 @@ +[Unit] +Requires=scripts-afsagent.service +After=scripts-afsagent.service diff --git a/ansible/roles/real-cron/handlers/main.yml b/ansible/roles/real-cron/handlers/main.yml new file mode 100644 index 00000000..dfc01134 --- /dev/null +++ b/ansible/roles/real-cron/handlers/main.yml @@ -0,0 +1,3 @@ +--- +- name: restart crond + systemd: daemon_reload=yes name=crond.service state=restarted diff --git a/ansible/roles/real-cron/meta/main.yml b/ansible/roles/real-cron/meta/main.yml new file mode 100644 index 00000000..5d233619 --- /dev/null +++ b/ansible/roles/real-cron/meta/main.yml @@ -0,0 +1,3 @@ +--- +dependencies: + - real-keytabs diff --git a/ansible/roles/real-cron/tasks/main.yml b/ansible/roles/real-cron/tasks/main.yml new file mode 100644 index 00000000..1a35a92d --- /dev/null +++ b/ansible/roles/real-cron/tasks/main.yml 
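Review bot: `ansible_lo.ipv4_secondaries` is, as far as I recall of the Linux network facts gatherer, only present when the loopback interface actually carries secondary addresses, so on a host with no VIPs on lo this template fails with an undefined attribute instead of producing an empty NetRestrict. Use `{% for address in ansible_lo.ipv4_secondaries | default([]) %}`. A header comment stating what the file is for (presumably keeping the cache manager from using the VIP addresses) would help, since the loop alone does not convey it.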
@@ -0,0 +1,25 @@ +--- +- name: Use sendmail to notify cron output + ini_file: + no_extra_spaces: yes + path: /etc/sysconfig/crond + section: null + option: CRONDARGS + value: "\"-m '/usr/sbin/sendmail -FCronDaemon -i -odi -oem -oi -t'\"" + notify: restart crond +- name: Require AFS tokens before crond starts + copy: + dest: /etc/systemd/system/crond.service.d/ + src: scripts.conf + notify: restart crond + when: has_daemon_keytab +- name: Write scripts cron status flag + copy: + dest: /etc/cron.d/scripts-cron_status + content: | + * * * * * scripts touch /afs/athena.mit.edu/contrib/scripts/cron_scripts/cron_status_flag/$(hostname -f) > /dev/null 2>&1 +- name: Check number of crontabs + copy: + dest: /etc/cron.daily/num-crontabs + src: num-crontabs + mode: preserve diff --git a/ansible/roles/real-dns/defaults/main.yml b/ansible/roles/real-dns/defaults/main.yml new file mode 100644 index 00000000..2ac1c1c0 --- /dev/null +++ b/ansible/roles/real-dns/defaults/main.yml @@ -0,0 +1 @@ +use_shackle: "{{ 'shackle' in scripts_packages }}" diff --git a/ansible/roles/real-dns/handlers/main.yml b/ansible/roles/real-dns/handlers/main.yml new file mode 100644 index 00000000..180dcc5a --- /dev/null +++ b/ansible/roles/real-dns/handlers/main.yml @@ -0,0 +1,3 @@ +--- +- name: reload named + service: name=named state=reloaded diff --git a/ansible/roles/real-dns/tasks/main.yml b/ansible/roles/real-dns/tasks/main.yml new file mode 100644 index 00000000..6ceffc75 --- /dev/null +++ b/ansible/roles/real-dns/tasks/main.yml 
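Review bot: The crond drop-in `scripts.conf` (Requires/After `scripts-afsagent.service`) is installed only `when: has_daemon_keytab`, but nothing removes it when that condition later becomes false, so a host that loses its keytab keeps a crond that hard-depends on a unit that no longer starts. Mirror the pattern real-k5login uses in `Remove scripts localauth configuration`: a `file:` task with `path: /etc/systemd/system/crond.service.d/scripts.conf`, `state: absent`, `when: not has_daemon_keytab`, notifying `restart crond`. The `Use sendmail to notify cron output` value is a quoted shell string inside YAML quotes; a comment showing the resulting CRONDARGS line would spare the next reader from decoding the escaping.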
@@ -0,0 +1,61 @@ +--- +- name: Install bind + dnf: + name: + - bind + state: present +- name: Configure named.mit.zones + template: + src: named.mit.zones.j2 + dest: /etc/named.mit.zones + notify: reload named +- name: Configure named.conf + blockinfile: + path: /etc/named.conf + block: | + include "/etc/named.mit.zones"; + notify: reload named +- name: Configure named listen port + vars: + port: "{% if use_shackle %}54{% else %}53{% endif %}" + lineinfile: + path: /etc/named.conf + insertafter: '^\s*options' + regexp: '^\s*{{ item.split()[0] }}\s' + line: "{{ item }}" + notify: reload named + loop: + - "listen-on port {{ port }} { 127.0.0.1; };" + - "listen-on-v6 port {{ port }} { ::1; };" +- name: Ensure named is listening on the correct port before continuing + meta: flush_handlers +- name: Shackle + when: use_shackle + block: + - name: Install shackle + dnf: name=shackle state=present + - name: Start shackle + systemd: + name: shackle.socket + state: started + enabled: yes +- name: Start named + service: + name: named + state: started + enabled: yes +- name: Configure DNS servers + copy: + dest: /etc/systemd/network/10-vlan486.network.d/dns.conf + content: | + [Network] + DNS=127.0.0.1 + Domains=mit.edu + [DHCPv4] + UseDNS=false + notify: restart systemd-networkd +- name: Remove temporary DNS servers + file: + path: /etc/systemd/network/10-vlan486.network.d/tempdns.conf + state: absent + notify: restart systemd-networkd diff --git a/ansible/roles/real-dns/templates/named.mit.zones.j2 b/ansible/roles/real-dns/templates/named.mit.zones.j2 new file mode 100644 index 00000000..ac6725d4 --- /dev/null +++ b/ansible/roles/real-dns/templates/named.mit.zones.j2 
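Review bot: `Ensure named is listening on the correct port before continuing` flushes the `reload named` handler before `Start named` has run, so on a freshly provisioned host the handler acts on a daemon that is not yet running; whether `service: state=reloaded` then starts it or fails depends on the service module's handling, and either way the task name's guarantee only holds once `Start named` executes further down. Moving `Start named` ahead of the `meta: flush_handlers` makes the ordering explicit and independent of that behaviour. The inline `port` switch (54 when `use_shackle`, else 53) deserves a one-line comment, since `use_shackle` is defined in a different file and the reason named moves off port 53 is not stated here.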
@@ -0,0 +1,12 @@ +{% macro zone(name) %} +zone "{{ name }}" IN { + type stub; + masters { {% for server in mit_dns_servers %}{{server}}; {% endfor %} }; + file "slaves/{{ name }}.stub"; +}; +{% endmacro %} +{{ zone("mit.edu") }} +{{ zone("0.4.3.0.6.2.ip6.arpa") }} +{% for name in mit_subnets | inaddr_zones %} +{{ zone(name) }} +{% endfor %} diff --git a/ansible/roles/real-fuse/meta/main.yml b/ansible/roles/real-fuse/meta/main.yml new file mode 100644 index 00000000..e9583480 --- /dev/null +++ b/ansible/roles/real-fuse/meta/main.yml @@ -0,0 +1,3 @@ +--- +dependencies: + - real-modprobe diff --git a/ansible/roles/real-fuse/tasks/main.yml b/ansible/roles/real-fuse/tasks/main.yml new file mode 100644 index 00000000..ff0fbb09 --- /dev/null +++ b/ansible/roles/real-fuse/tasks/main.yml @@ -0,0 +1,14 @@ +--- +- name: Install fuse.conf + copy: + dest: /etc/fuse.conf + content: | + user_allow_other +- name: Load fuse kernel module + copy: + dest: /etc/modules-load.d/fuse.conf + content: | + fuse + notify: load modules +- name: Immediately load new modules + meta: flush_handlers diff --git a/ansible/roles/real-hosts/meta/main.yml b/ansible/roles/real-hosts/meta/main.yml new file mode 100644 index 00000000..33a17c3a --- /dev/null +++ b/ansible/roles/real-hosts/meta/main.yml @@ -0,0 +1,2 @@ +dependencies: + - real-moira diff --git a/ansible/roles/real-hosts/tasks/main.yml b/ansible/roles/real-hosts/tasks/main.yml new file mode 100644 index 00000000..71949807 --- /dev/null +++ b/ansible/roles/real-hosts/tasks/main.yml 
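Review bot: `user_allow_other` in /etc/fuse.conf lets unprivileged users mount FUSE filesystems with `allow_other`, i.e. expose them to every other user on the host, and `Install fuse.conf` does not say who needs that. The only FUSE consumer visible in this change is the `afs-000.mount` unit, which systemd runs as root and which would not need the option; if it is for users' own mounts, say so in a comment above the task, otherwise drop the line. Either way a short why-comment keeps the widened exposure deliberate.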
@@ -0,0 +1,20 @@ +--- +- name: Install /etc/hosts + blockinfile: + path: /etc/hosts + block: | + {% for hostname in groups['sql'] + groups['scripts-real'] %} + {% with info = hostvars[hostname] %} + {% if hostname == inventory_hostname or ('ip' in info and 'vlan461_address' in info) %} + {{ info['ip'] }} {{ query('moira_ghal', hostname, include_short_names=True, include_cname=True)|join(' ') }} + {% if info['vlan461_address'] | default(False) %} + {{ info['vlan461_address'] }} {{ hostname }} + {% endif %} + {% endif %} + {% endwith %} + {% endfor %} + + {% for vip in vips %} + {{ vip.ip }} {{ vip.host }} {{ vip.host | replace('.mit.edu', '') }} + {% endfor %} + when: use_moira diff --git a/server/fedora/config/etc/pki/tls/certs/ca.pem b/ansible/roles/real-httpd/files/certs/ca.pem similarity index 100% rename from server/fedora/config/etc/pki/tls/certs/ca.pem rename to ansible/roles/real-httpd/files/certs/ca.pem diff --git a/server/fedora/config/etc/pki/tls/certs/check.pl b/ansible/roles/real-httpd/files/certs/check.pl similarity index 100% rename from server/fedora/config/etc/pki/tls/certs/check.pl rename to ansible/roles/real-httpd/files/certs/check.pl diff --git a/server/fedora/config/etc/pki/tls/certs/scripts-cert.pem b/ansible/roles/real-httpd/files/certs/scripts-cert.pem similarity index 100% rename from server/fedora/config/etc/pki/tls/certs/scripts-cert.pem rename to ansible/roles/real-httpd/files/certs/scripts-cert.pem diff --git a/server/fedora/config/etc/pki/tls/certs/scripts.pem b/ansible/roles/real-httpd/files/certs/scripts.pem similarity index 100% rename from server/fedora/config/etc/pki/tls/certs/scripts.pem rename to ansible/roles/real-httpd/files/certs/scripts.pem diff --git a/server/fedora/config/etc/pki/tls/certs/star.scripts.pem b/ansible/roles/real-httpd/files/certs/star.scripts.pem similarity index 100% rename from server/fedora/config/etc/pki/tls/certs/star.scripts.pem rename to ansible/roles/real-httpd/files/certs/star.scripts.pem 
diff --git a/server/fedora/config/etc/httpd/conf.d/auth_sslcert.conf b/ansible/roles/real-httpd/files/httpd/conf.d/auth_sslcert.conf similarity index 100% rename from server/fedora/config/etc/httpd/conf.d/auth_sslcert.conf rename to ansible/roles/real-httpd/files/httpd/conf.d/auth_sslcert.conf diff --git a/server/fedora/config/etc/httpd/conf.d/execsys.conf b/ansible/roles/real-httpd/files/httpd/conf.d/execsys.conf similarity index 100% rename from server/fedora/config/etc/httpd/conf.d/execsys.conf rename to ansible/roles/real-httpd/files/httpd/conf.d/execsys.conf diff --git a/server/fedora/config/etc/httpd/conf.d/scripts-special.conf b/ansible/roles/real-httpd/files/httpd/conf.d/scripts-special.conf similarity index 87% rename from server/fedora/config/etc/httpd/conf.d/scripts-special.conf rename to ansible/roles/real-httpd/files/httpd/conf.d/scripts-special.conf index b5872ecc..90e46f28 100644 --- a/server/fedora/config/etc/httpd/conf.d/scripts-special.conf +++ b/ansible/roles/real-httpd/files/httpd/conf.d/scripts-special.conf @@ -53,5 +53,4 @@ ErrorDocument 403 /__scripts/forbidden.shtml ErrorDocument 403 /__scripts/disabled.html -# Generated from https://whois.arin.net/rest/org/MIT-2/nets, 2019-08-09 -SetEnvIf REMOTE_ADDR ^(10|18\.(0\d?|1(0[012]?|1[0345]?|2[3457]?|[3-9])?|2\d?|3[0-48]?|4[02579]?|5[013-68]?|6[0-39]?|7[0124-9]?|8[0-35789]?|9[035]?)|128\.(3[01]|52))\. SCRIPTS_REMOTE_MITNET +Include conf.d/scripts-remote-mitnet.conf diff --git a/server/fedora/config/etc/httpd/conf.d/scripts-vhost.conf b/ansible/roles/real-httpd/files/httpd/conf.d/scripts-vhost.conf similarity index 100% rename from server/fedora/config/etc/httpd/conf.d/scripts-vhost.conf rename to ansible/roles/real-httpd/files/httpd/conf.d/scripts-vhost.conf 
diff --git a/server/fedora/config/etc/httpd/conf.d/vhosts-common-ssl-cert.conf b/ansible/roles/real-httpd/files/httpd/conf.d/vhosts-common-ssl-cert.conf similarity index 100% rename from server/fedora/config/etc/httpd/conf.d/vhosts-common-ssl-cert.conf rename to ansible/roles/real-httpd/files/httpd/conf.d/vhosts-common-ssl-cert.conf diff --git a/server/fedora/config/etc/httpd/conf.d/vhosts-common-ssl.conf b/ansible/roles/real-httpd/files/httpd/conf.d/vhosts-common-ssl.conf similarity index 100% rename from server/fedora/config/etc/httpd/conf.d/vhosts-common-ssl.conf rename to ansible/roles/real-httpd/files/httpd/conf.d/vhosts-common-ssl.conf diff --git a/server/fedora/config/etc/httpd/conf.d/vhosts-common.conf b/ansible/roles/real-httpd/files/httpd/conf.d/vhosts-common.conf similarity index 100% rename from server/fedora/config/etc/httpd/conf.d/vhosts-common.conf rename to ansible/roles/real-httpd/files/httpd/conf.d/vhosts-common.conf diff --git a/server/fedora/config/etc/httpd/conf/httpd.conf b/ansible/roles/real-httpd/files/httpd/conf/httpd.conf similarity index 99% rename from server/fedora/config/etc/httpd/conf/httpd.conf rename to ansible/roles/real-httpd/files/httpd/conf/httpd.conf index bd0f358f..6463b9e5 100644 --- a/server/fedora/config/etc/httpd/conf/httpd.conf +++ b/ansible/roles/real-httpd/files/httpd/conf/httpd.conf @@ -294,6 +294,7 @@ ProxyRequests Off + Listen 443 Listen 444 @@ -378,6 +379,7 @@ ProxyRequests Off Include conf.d/vhosts-common-ssl-cert.conf Include /var/lib/scripts-certs/vhosts.conf + LoadModule fcgid_module modules/mod_fcgid.so diff --git a/server/fedora/config/etc/httpd/export-scripts-certs b/ansible/roles/real-httpd/files/httpd/export-scripts-certs similarity index 70% rename from server/fedora/config/etc/httpd/export-scripts-certs rename to ansible/roles/real-httpd/files/httpd/export-scripts-certs index 4002928e..cc19c94d 100755 --- a/server/fedora/config/etc/httpd/export-scripts-certs 
+++ b/ansible/roles/real-httpd/files/httpd/export-scripts-certs @@ -1,4 +1,4 @@ -#!/usr/bin/python +#!/usr/bin/python3 import base64 import errno @@ -6,6 +6,8 @@ import fcntl import hashlib import itertools import ldap +import ldap.ldapobject +import ldap.resiter import os import subprocess import sys 
@@ -14,31 +16,52 @@ from OpenSSL import crypto, SSL CERTS_DIR = '/var/lib/scripts-certs' -ll = ldap.initialize('ldapi://%2fvar%2frun%2fslapd-scripts.socket/') -with open('/etc/signup-ldap-pw') as pw_file: - ll.simple_bind_s("cn=Directory Manager", pw_file.read()) +error = False + +def err(e): + global error + if isinstance(e, bytes): + sys.stderr.buffer.write(e) + else: + sys.stderr.write(e) + error = True + +class LDAPObject(ldap.ldapobject.SimpleLDAPObject, ldap.resiter.ResultProcessor): pass + +ldap_uri = ldap.get_option(ldap.OPT_URI) + +ll = LDAPObject(ldap_uri) +if ldap_uri.startswith('ldapi:'): + ll.sasl_external_bind_s() +else: + try: + ll.sasl_gssapi_bind_s() + except ldap.LOCAL_ERROR: + err('remote LDAP server and no Kerberos tickets; vhosts will be incomplete\n') + ll.simple_bind_s() if not os.path.exists(CERTS_DIR): os.mkdir(CERTS_DIR) -vhosts = ll.search_s( - 'ou=VirtualHosts,dc=scripts,dc=mit,dc=edu', - ldap.SCOPE_SUBTREE, - '(&(objectClass=scriptsVhost)(scriptsVhostCertificate=*))', - ['scriptsVhostName', 'scriptsVhostAlias', 'scriptsVhostCertificate', 'scriptsVhostCertificateKeyFile']) +vhosts = [] -vhosts.sort(key=lambda (dn, vhost): vhost['scriptsVhostName']) +try: + for res_type,res_data,res_msgid,res_controls in ll.allresults(ll.search( + 'ou=VirtualHosts,dc=scripts,dc=mit,dc=edu', + ldap.SCOPE_SUBTREE, + '(&(objectClass=scriptsVhost)(scriptsVhostCertificate=*))', + ['scriptsVhostName', 'scriptsVhostAlias', 'scriptsVhostCertificate', 'scriptsVhostCertificateKeyFile'])): + vhosts.extend(res_data) +except ldap.ADMINLIMIT_EXCEEDED: + err('LDAP server returned partial results\n') -cert_filenames = set() -error = False +vhosts.sort(key=lambda result: result[1]['scriptsVhostName']) -def err(e): - global error - sys.stderr.write(e) - error = True +cert_filenames = set() def conf(vhost): name, = vhost['scriptsVhostName'] + name = name.decode('utf-8') aliases = vhost.get('scriptsVhostAlias', []) certs, = vhost['scriptsVhostCertificate'] try: 
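Review bot: When the GSSAPI bind fails the script records the error with `err()` but then falls through to an anonymous `ll.simple_bind_s()` and keeps going, so `vhosts` can be a partial (or, if anonymous access is restricted, empty) listing; unless something outside these hunks checks `error` before the write, the later `if old_vhosts_conf is None or new_vhosts_conf != old_vhosts_conf:` branch will replace a complete vhosts.conf with the incomplete one and gracefully reload Apache on it. The `ADMINLIMIT_EXCEEDED` path has the same effect. Consider gating the write on the flag, `if not error and (old_vhosts_conf is None or new_vhosts_conf != old_vhosts_conf):`, or exiting non-zero right after the fallback `err()`. `ldap.get_option(ldap.OPT_URI)` may also return `None` when no default URI is configured, in which case `ldap_uri.startswith` raises before any bind is attempted.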
@@ -46,6 +69,7 @@ def conf(vhost): except KeyError: err('Error: missing scriptsVhostCertificateKeyFile for vhost {}\n'.format(name)) return + key_filename = key_filename.decode('utf-8') try: certs = [crypto.load_certificate(crypto.FILETYPE_ASN1, base64.b64decode(cert)) for cert in certs.split()] @@ -79,12 +103,12 @@ def conf(vhost): err('Error: key {} does not match certificate for vhost {}: {}\n'.format(key_path, name, e)) return - certs_pem = ''.join(crypto.dump_certificate(crypto.FILETYPE_PEM, cert) for cert in certs) - cert_filename = base64.urlsafe_b64encode(hashlib.sha256(certs_pem).digest()).strip() + '.pem' + certs_pem = b''.join(crypto.dump_certificate(crypto.FILETYPE_PEM, cert) for cert in certs) + cert_filename = base64.urlsafe_b64encode(hashlib.sha256(certs_pem).digest()).strip().decode() + '.pem' cert_filenames.add(cert_filename) cert_path = os.path.join(CERTS_DIR, cert_filename) if not os.path.exists(cert_path): - with open(cert_path + '.new', 'w') as cert_file: + with open(cert_path + '.new', 'wb') as cert_file: cert_file.write(certs_pem) os.rename(cert_path + '.new', cert_path) @@ -92,7 +116,7 @@ def conf(vhost): yield '\n'.format(ip, port) yield '\tServerName {}\n'.format(name) if aliases: - yield '\tServerAlias {}\n'.format(' '.join(aliases)) + yield '\tServerAlias {}\n'.format(b' '.join(aliases).decode()) yield '\tInclude conf.d/vhost_ldap.conf\n' yield '\tInclude conf.d/vhosts-common-ssl.conf\n' if port == 444: 
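Review bot: `key_filename = key_filename.decode('utf-8')` (and `name.decode('utf-8')` in the previous hunk) use strict decoding outside any `try`, so a single vhost whose LDAP attribute is not valid UTF-8 raises `UnicodeDecodeError` and aborts the whole export instead of being reported through `err()` and skipped like the other per-vhost failures. Move the decode inside the existing `try:` and widen the handler to `except (KeyError, UnicodeDecodeError):`, or use `errors='replace'` if a mangled-but-logged name is preferable. The `ServerAlias` line in the last hunk interpolates LDAP-sourced aliases straight into the Apache config; if the signup side does not already constrain them to hostname characters, rejecting values containing whitespace before `b' '.join` would keep one bad record from injecting directives. `conf()` starts and ends outside these hunks.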
@@ -117,17 +141,17 @@ with open(os.path.join(CERTS_DIR, '.lock'), 'w') as lock_file: else: raise - if old_vhosts_conf is not None and new_vhosts_conf != old_vhosts_conf: + if old_vhosts_conf is None or new_vhosts_conf != old_vhosts_conf: with open(os.path.join(CERTS_DIR, 'vhosts.conf.new'), 'w') as new_vhosts_file: new_vhosts_file.write(new_vhosts_conf) os.rename(os.path.join(CERTS_DIR, 'vhosts.conf.new'), os.path.join(CERTS_DIR, 'vhosts.conf')) configtest = subprocess.Popen(['apachectl', 'configtest'], stderr=subprocess.PIPE) e = configtest.communicate()[1] - if configtest.returncode == 0 and e == 'Syntax OK\n': + if configtest.returncode == 0 and e == b'Syntax OK\n': subprocess.check_call(['apachectl', 'graceful']) else: - err('apachectl configtest failed:\n' + e) + err(b'apachectl configtest failed:\n' + e) for filename in os.listdir(CERTS_DIR): if filename.endswith('.pem') and filename not in cert_filenames: diff --git a/server/fedora/config/etc/httpd/scripts-special/disabled.html b/ansible/roles/real-httpd/files/httpd/scripts-special/disabled.html similarity index 100% rename from server/fedora/config/etc/httpd/scripts-special/disabled.html rename to ansible/roles/real-httpd/files/httpd/scripts-special/disabled.html diff --git a/server/fedora/config/etc/httpd/scripts-special/forbidden.shtml b/ansible/roles/real-httpd/files/httpd/scripts-special/forbidden.shtml similarity index 100% rename from server/fedora/config/etc/httpd/scripts-special/forbidden.shtml rename to ansible/roles/real-httpd/files/httpd/scripts-special/forbidden.shtml diff --git a/server/fedora/config/etc/httpd/scripts-special/hostname b/ansible/roles/real-httpd/files/httpd/scripts-special/hostname similarity index 100% rename from server/fedora/config/etc/httpd/scripts-special/hostname rename to ansible/roles/real-httpd/files/httpd/scripts-special/hostname 
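Review bot: When `apachectl configtest` fails, the new vhosts.conf has already been renamed into place, so the broken configuration stays on disk and the next `reload httpd` triggered by any other path will apply it; the failure branch only logs. Because the Include path is fixed, the test cannot be run against the `.new` file first, so restoring the previous content on failure is the practical fallback, and `old_vhosts_conf` is still in scope for that. The enclosing `with open(os.path.join(CERTS_DIR, '.lock'), 'w') as lock_file:` block starts outside the hunk.
```python
        else:
            err(b'apachectl configtest failed:\n' + e)
            # Roll back so a later reload by another actor does not pick up the broken config.
            if old_vhosts_conf is not None:
                with open(os.path.join(CERTS_DIR, 'vhosts.conf.new'), 'w') as rollback_file:
                    rollback_file.write(old_vhosts_conf)
                os.rename(os.path.join(CERTS_DIR, 'vhosts.conf.new'), os.path.join(CERTS_DIR, 'vhosts.conf'))
# … unchanged: stale .pem cleanup loop …
```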
diff --git a/server/fedora/config/etc/httpd/scripts-special/noaccount.html b/ansible/roles/real-httpd/files/httpd/scripts-special/noaccount.html similarity index 100% rename from server/fedora/config/etc/httpd/scripts-special/noaccount.html rename to ansible/roles/real-httpd/files/httpd/scripts-special/noaccount.html diff --git a/server/fedora/config/etc/httpd/scripts-special/server.shtml b/ansible/roles/real-httpd/files/httpd/scripts-special/server.shtml similarity index 100% rename from server/fedora/config/etc/httpd/scripts-special/server.shtml rename to ansible/roles/real-httpd/files/httpd/scripts-special/server.shtml diff --git a/server/fedora/config/etc/httpd/scripts-special/unauthorized.html b/ansible/roles/real-httpd/files/httpd/scripts-special/unauthorized.html similarity index 100% rename from server/fedora/config/etc/httpd/scripts-special/unauthorized.html rename to ansible/roles/real-httpd/files/httpd/scripts-special/unauthorized.html diff --git a/server/fedora/config/etc/httpd/statistics_log_mitonly.sh b/ansible/roles/real-httpd/files/httpd/statistics_log_mitonly.sh similarity index 100% rename from server/fedora/config/etc/httpd/statistics_log_mitonly.sh rename to ansible/roles/real-httpd/files/httpd/statistics_log_mitonly.sh diff --git a/ansible/roles/real-httpd/handlers/main.yml b/ansible/roles/real-httpd/handlers/main.yml new file mode 100644 index 00000000..9f693477 --- /dev/null +++ b/ansible/roles/real-httpd/handlers/main.yml @@ -0,0 +1,4 @@ +--- +- name: reload httpd + service: name=httpd state=reloaded + notify: reconfigure munin-node diff --git a/ansible/roles/real-httpd/meta/main.yml b/ansible/roles/real-httpd/meta/main.yml new file mode 100644 index 00000000..e8eae216 --- /dev/null +++ b/ansible/roles/real-httpd/meta/main.yml @@ -0,0 +1,5 @@ +--- +dependencies: + - real-moira + - real-ldap + - real-php diff --git a/ansible/roles/real-httpd/tasks/main.yml b/ansible/roles/real-httpd/tasks/main.yml new file mode 100644 index 00000000..ce4ef001 
--- /dev/null +++ b/ansible/roles/real-httpd/tasks/main.yml 
@@ -0,0 +1,105 @@ +--- +- name: Configure httpd + when: "'httpd' in scripts_packages and 'httpdmods' in scripts_packages" + block: + - name: Install scripts-httpd + dnf: + name: + - scripts-httpd + - scripts-mod_ssl + - scripts-static-cat + - mod_ldap + - mod_fcgid + - httpdmods + - python3-ldap + - python3-pyOpenSSL + - logview + - httpd-tools + state: present + notify: reconfigure munin-node + - name: Allow scripts to export certificates + copy: + dest: /etc/sudoers.d/scripts-httpd + content: | + scripts ALL=(root) NOPASSWD: /etc/httpd/export-scripts-certs "" + - name: Configure Munin monitoring + block: + - name: Generate password + check_mode: no + shell: cat /etc/munin/apache-passwd {% if not ansible_check_mode %}|| (umask go-rwx && openssl rand -hex 32 | tee /etc/munin/apache-passwd && exit 254){% endif %} + register: password + failed_when: not ansible_check_mode and password.rc not in (0, 254) + changed_when: password.rc != 0 + - name: Check htpasswd file + check_mode: no + command: htpasswd -vi /etc/munin/apache-htpasswd munin + args: + stdin: "{{password.stdout}}" + changed_when: false + failed_when: false + register: htpasswd_verify + - name: Generate htpasswd line + when: htpasswd_verify.rc != 0 + command: htpasswd -ni munin + args: + stdin: "{{password.stdout}}" + register: htpasswd + - name: Update htpasswd file + when: htpasswd_verify.rc != 0 + copy: + dest: /etc/munin/apache-htpasswd + content: "{{htpasswd.stdout}}" + mode: 0600 + owner: apache + notify: reconfigure munin-node + - name: Configure apache plugins + copy: + dest: /etc/munin/plugin-conf.d/{{ item }} + content: | + [{{ item }}] + env.url http://munin:{{password.stdout}}@127.0.0.1:%d/server-status/?auto + mode: 0600 + owner: munin + loop: + - apache_accesses + - apache_processes + - apache_volume + notify: reconfigure munin-node + - name: Configure httpd + copy: + dest: /etc/httpd/ + src: httpd/ + mode: preserve + notify: reload httpd + - name: Configure MITnet regex + template: + dest: 
/etc/httpd/conf.d/scripts-remote-mitnet.conf + src: scripts-remote-mitnet.conf.j2 + notify: reload httpd + - name: Configure mod_vhost_ldap + template: + dest: /etc/httpd/conf.d/vhost_ldap.conf + src: vhost_ldap.conf.j2 + notify: reload httpd + - name: Configure vhost names + template: + dest: /etc/httpd/conf.d/scripts-vhost-names.conf + src: scripts-vhost-names.conf.j2 + notify: reload httpd + - name: Install certificates + copy: + dest: /etc/pki/tls/certs/ + src: certs/ + mode: preserve + notify: reload httpd + - name: Export certificates + command: /etc/httpd/export-scripts-certs + args: + creates: /var/lib/scripts-certs/vhosts.conf + ignore_errors: yes + - name: Enable httpd + service: + name: httpd + enabled: yes + state: started + notify: reconfigure munin-node diff --git a/ansible/roles/real-httpd/templates/scripts-remote-mitnet.conf.j2 b/ansible/roles/real-httpd/templates/scripts-remote-mitnet.conf.j2 new file mode 100644 index 00000000..b0145c81 --- /dev/null +++ b/ansible/roles/real-httpd/templates/scripts-remote-mitnet.conf.j2 @@ -0,0 +1 @@ +SetEnvIf REMOTE_ADDR {{ mit_subnets | ipsubnets_regex }} SCRIPTS_REMOTE_MITNET diff --git a/ansible/roles/real-httpd/templates/scripts-vhost-names.conf.j2 b/ansible/roles/real-httpd/templates/scripts-vhost-names.conf.j2 new file mode 100644 index 00000000..2717f887 --- /dev/null +++ b/ansible/roles/real-httpd/templates/scripts-vhost-names.conf.j2 @@ -0,0 +1,9 @@ +ServerName scripts.mit.edu +ServerAlias \ + {% for vip in vips | rejectattr('type', 'defined') %} + {{ vip.host }} {{ vip.host | replace('.mit.edu', '') }} {{ vip.ip }} \ + {% endfor %} + {% if use_moira %} + {{ query('moira_ghal', ansible_nodename, include_short_names=True, include_cname=True)|join(' ') }} {{ ansible_default_ipv4.address }} \ + {% endif %} + localhost 127.0.0.1 ::1 diff --git a/ansible/roles/real-httpd/templates/vhost_ldap.conf.j2 b/ansible/roles/real-httpd/templates/vhost_ldap.conf.j2 new file mode 100644 index 00000000..020d70f0 
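Review bot: The Munin password produced by `Generate password` is registered into `password`, fed through `stdin` and interpolated into `content` in four later tasks, none of which set `no_log`, so the secret appears in verbose output, registered-result dumps and any logging callback that records task results; mark `Generate password`, `Check htpasswd file`, `Generate htpasswd line`, `Update htpasswd file` and `Configure apache plugins` with `no_log: true`. Separately, the sudoers fragment written by `Allow scripts to export certificates` sets neither `mode` nor `validate`, so it lands with the umask default and a syntax slip would only surface at the next `sudo`; add `mode: 0440` and `validate: /usr/sbin/visudo -cf %s` to that `copy`.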
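Review bot: `SetEnvIf REMOTE_ADDR {{ mit_subnets | ipsubnets_regex }} SCRIPTS_REMOTE_MITNET` depends on the custom `ipsubnets_regex` filter emitting an anchored expression; SetEnvIf matches anywhere in the value, so an unanchored `18\.` would also match addresses such as 118.x.x.x or 1.18.x.x. The regex this replaces in scripts-special.conf was explicitly anchored with `^(…)\.`. If the filter does not add the anchors itself, put at least the leading one in the template, `SetEnvIf REMOTE_ADDR ^({{ mit_subnets | ipsubnets_regex }}) SCRIPTS_REMOTE_MITNET`, and add a comment recording where `mit_subnets` comes from, since the old file carried the data source and date and that provenance is now lost.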
--- /dev/null +++ b/ansible/roles/real-httpd/templates/vhost_ldap.conf.j2 @@ -0,0 +1,3 @@ +VhostLDAPEnabled on +VhostLDAPUrl "{{ ldap_server_tcp }}ou=VirtualHosts,dc=scripts,dc=mit,dc=edu" +VhostLDAPFallback notfound.example.com diff --git a/ansible/roles/real-iptables/handlers/main.yml b/ansible/roles/real-iptables/handlers/main.yml new file mode 100644 index 00000000..edaa3ab5 --- /dev/null +++ b/ansible/roles/real-iptables/handlers/main.yml @@ -0,0 +1,5 @@ +--- +- name: reload iptables + service: name=iptables state=reloaded +- name: reload ip6tables + service: name=ip6tables state=reloaded diff --git a/ansible/roles/real-iptables/meta/main.yml b/ansible/roles/real-iptables/meta/main.yml new file mode 100644 index 00000000..0fedb8fa --- /dev/null +++ b/ansible/roles/real-iptables/meta/main.yml @@ -0,0 +1,5 @@ +--- +dependencies: + - sysctl + - real-modprobe + - real-postfix diff --git a/ansible/roles/real-iptables/tasks/main.yml b/ansible/roles/real-iptables/tasks/main.yml new file mode 100644 index 00000000..fee1416e --- /dev/null +++ b/ansible/roles/real-iptables/tasks/main.yml 
@@ -0,0 +1,47 @@ +--- +- name: Install iptables service + dnf: name=iptables-services state=present +- name: Configure iptables modules + copy: + dest: /etc/modules-load.d/iptables.conf + content: | + nfnetlink + nf_log_ipv4 + nf_log_ipv6 + xt_LOG + xt_owner + ipt_dscp + ipt_MARK + iptable_mangle + iptable_filter + ipt_REJECT + ip6_tables + ip6table_filter + ip6t_REJECT + notify: load modules +- name: Set socket fwmarks from packet marks + copy: + dest: /etc/sysctl.d/99-fwmark.conf + content: | + net.ipv4.tcp_fwmark_accept = 1 + notify: apply sysctl +- name: Immediately load new modules + meta: flush_handlers +- name: Configure iptables rules + template: + dest: /etc/sysconfig/iptables + src: iptables.j2 + notify: reload iptables +- name: Configure ip6tables rules + template: + dest: /etc/sysconfig/ip6tables + src: ip6tables.j2 + notify: reload ip6tables +- name: Start ip{,6}tables rules + service: + name: "{{ item }}" + enabled: yes + state: started + loop: + - iptables + - ip6tables diff --git a/server/fedora/config/etc/sysconfig/ip6tables b/ansible/roles/real-iptables/templates/ip6tables.j2 similarity index 100% rename from server/fedora/config/etc/sysconfig/ip6tables rename to ansible/roles/real-iptables/templates/ip6tables.j2 diff --git a/ansible/roles/real-iptables/templates/iptables.j2 b/ansible/roles/real-iptables/templates/iptables.j2 new file mode 100644 index 00000000..0cd6f8f7 --- /dev/null +++ b/ansible/roles/real-iptables/templates/iptables.j2 
@@ -0,0 +1,37 @@ +*mangle +:PREROUTING ACCEPT [0:0] +:INPUT ACCEPT [0:0] +:FORWARD ACCEPT [0:0] +:OUTPUT ACCEPT [0:0] +:POSTROUTING ACCEPT [0:0] +# The packet mark works in concert with net.ipv4.tcp_fwmark_accept to +# set the fwmark on the rest of the connection. +# TODO: What do we do if packets come in from outside with a DSCP tag? +{% for hostname in groups['scripts-proxy'] %} +{% with info = hostvars[hostname] %} +{% if info.dscp_tag is defined %} +-A INPUT -m dscp --dscp {{ info.dscp_tag }} -j MARK --set-xmark {{ info.dscp_tag }} +{% endif %} +{% endwith %} +{% endfor %} +COMMIT +*filter +:INPUT ACCEPT [0:0] +:FORWARD ACCEPT [0:0] +:OUTPUT ACCEPT [0:0] +:log-smtp - [0:0] +-A OUTPUT -p tcp -m tcp --dport 25 --syn -j log-smtp +-A log-smtp -m owner --uid-owner postfix -j RETURN +-A log-smtp -m owner --uid-owner nrpe -o lo -d 127.0.0.1 -j RETURN +# 537644531=scripts (for heartbeat) +-A log-smtp -m owner --uid-owner 537644531 -o lo -j RETURN +-A log-smtp -j LOG --log-prefix "SMTP " --log-uid +-A log-smtp -o lo -d 127.0.0.1 -j RETURN +# outgoing.mit.edu +{% for ip in lookup('dig', 'outgoing.mit.edu', wantlist=True) %} +-A log-smtp -d {{ ip }} -j RETURN +{% endfor %} +-A log-smtp -j REJECT --reject-with icmp-admin-prohibited +-A OUTPUT -d 192.42.116.41 -j LOG --log-prefix "Eitest sinkhole " --log-uid +-A OUTPUT -d 216.218.185.162 -j LOG --log-prefix "matsnu sinkhole " --log-uid +COMMIT diff --git a/server/fedora/config/etc/sysconfig/network-scripts/route-vlan486 b/ansible/roles/real-iptables/templates/network-scripts/route-vlan486 similarity index 100% rename from server/fedora/config/etc/sysconfig/network-scripts/route-vlan486 rename to ansible/roles/real-iptables/templates/network-scripts/route-vlan486 
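Review bot: The mangle rule `-A INPUT -m dscp --dscp {{ info.dscp_tag }} -j MARK --set-xmark {{ info.dscp_tag }}` keys only on the DSCP field, which any sender can set, so a packet from an arbitrary host carrying a proxy's DSCP value receives that proxy's fwmark; with `net.ipv4.tcp_fwmark_accept` enabled by this role the mark sticks to the whole accepted connection and, if a per-mark routing policy rule consumes it as the real-network role's `FirewallMark=`/`Table=` entries suggest, the replies are steered through that proxy's vlan486 gateway instead of the normal route. The file's own TODO asks exactly this; the answer is to restrict the match to the host allowed to set the tag, e.g. `-A INPUT -s {{ info.vlan486_address }} -m dscp --dscp {{ info.dscp_tag }} -j MARK --set-xmark {{ info.dscp_tag }}` (or `-i vlan486` if the interface name is stable), with a comment stating that DSCP values are trusted only from those sources. Separately, `lookup('dig', 'outgoing.mit.edu', wantlist=True)` is resolved on the control node at render time, so the SMTP allow-list silently goes stale when that name's addresses change and the play fails outright if the lookup (which needs dnspython) errors; a comment noting that the rules must be re-rendered after a DNS change would help.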
diff --git a/server/fedora/config/etc/sysconfig/network-scripts/rule-vlan486 b/ansible/roles/real-iptables/templates/network-scripts/rule-vlan486 similarity index 100% rename from server/fedora/config/etc/sysconfig/network-scripts/rule-vlan486 rename to ansible/roles/real-iptables/templates/network-scripts/rule-vlan486 diff --git a/ansible/roles/real-k5login/defaults/main.yml b/ansible/roles/real-k5login/defaults/main.yml new file mode 100644 index 00000000..1fa59df2 --- /dev/null +++ b/ansible/roles/real-k5login/defaults/main.yml @@ -0,0 +1 @@ +use_scripts_localauth: "{{ 'scripts-krb5-localauth' in scripts_packages }}" diff --git a/ansible/roles/real-k5login/meta/main.yml b/ansible/roles/real-k5login/meta/main.yml new file mode 100644 index 00000000..bd52c433 --- /dev/null +++ b/ansible/roles/real-k5login/meta/main.yml @@ -0,0 +1,3 @@ +--- +dependencies: + - k5login diff --git a/ansible/roles/real-k5login/tasks/main.yml b/ansible/roles/real-k5login/tasks/main.yml new file mode 100644 index 00000000..5120f06a --- /dev/null +++ b/ansible/roles/real-k5login/tasks/main.yml @@ -0,0 +1,19 @@ +--- +- name: Install scripts-krb5-localauth + dnf: name=scripts-krb5-localauth state=present + when: use_scripts_localauth +- name: Configure Kerberos to use scripts localauth + copy: + dest: /etc/krb5.conf.d/scripts + content: | + [plugins] + localauth = { + module = scripts:/usr/lib64/libscripts-krb5-localauth.so + enable_only = scripts + } + when: use_scripts_localauth +- name: Remove scripts localauth configuration + file: + path: /etc/krb5.conf.d/scripts + state: absent + when: not use_scripts_localauth diff --git a/ansible/roles/real-keytabs/tasks/main.yml b/ansible/roles/real-keytabs/tasks/main.yml new file mode 100644 index 00000000..26f7a93f --- /dev/null +++ b/ansible/roles/real-keytabs/tasks/main.yml 
@@ -0,0 +1,14 @@ +--- +- name: Check for /etc/daemon.keytab + stat: + path: /etc/daemon.keytab + register: daemon_keytab +- name: Check for /etc/krb5.keytab + stat: + path: /etc/krb5.keytab + register: host_keytab +- name: Record as facts + set_fact: + cacheable: true + has_daemon_keytab: "{{ daemon_keytab.stat.exists }}" + has_host_keytab: "{{ host_keytab.stat.exists }}" diff --git a/ansible/roles/real-ldap/defaults/main.yml b/ansible/roles/real-ldap/defaults/main.yml new file mode 100644 index 00000000..86f635aa --- /dev/null +++ b/ansible/roles/real-ldap/defaults/main.yml @@ -0,0 +1 @@ +run_local_ldap: yes diff --git a/server/fedora/config/etc/dirsrv/slapd-scripts/schema/98scripts-vhost.ldif b/ansible/roles/real-ldap/files/98scripts-vhost.ldif similarity index 100% rename from server/fedora/config/etc/dirsrv/slapd-scripts/schema/98scripts-vhost.ldif rename to ansible/roles/real-ldap/files/98scripts-vhost.ldif diff --git a/ansible/roles/real-ldap/handlers/main.yml b/ansible/roles/real-ldap/handlers/main.yml new file mode 100644 index 00000000..2fd65e47 --- /dev/null +++ b/ansible/roles/real-ldap/handlers/main.yml @@ -0,0 +1,5 @@ +--- +- name: reindex ldap + command: dsconf scripts backend index reindex --wait userRoot +- name: reload ldap schema + command: dsconf scripts schema reload --wait diff --git a/ansible/roles/real-ldap/tasks/ldap_entry_iou.yml b/ansible/roles/real-ldap/tasks/ldap_entry_iou.yml new file mode 100644 index 00000000..20388d75 --- /dev/null +++ b/ansible/roles/real-ldap/tasks/ldap_entry_iou.yml 
@@ -0,0 +1,18 @@ +- name: Create entry if missing + ldap_entry: + server_uri: "{{ ldap_instance_uri }}" + dn: "{{ dn }}" + objectClass: "{{ objectClass }}" + attributes: "{{ attributes }}" + notify: "{{ notify | default(omit) }}" +- name: Set attributes + ldap_attr: + server_uri: "{{ ldap_instance_uri }}" + dn: "{{ dn }}" + name: "{{ attribute.key }}" + values: "{{ attribute.value }}" + state: exact + loop: "{{ attributes|dict2items }}" + loop_control: + loop_var: attribute + notify: "{{ notify | default(omit) }}" diff --git a/ansible/roles/real-ldap/tasks/main.yml b/ansible/roles/real-ldap/tasks/main.yml new file mode 100644 index 00000000..70636650 --- /dev/null +++ b/ansible/roles/real-ldap/tasks/main.yml 
@@ -0,0 +1,167 @@ +--- +- name: Install LDAP clients + dnf: + name: + - openldap + - ldapvi + state: present +- name: Configure ldap.conf + lineinfile: + path: /etc/openldap/ldap.conf + regexp: '(?i)^#?\s*{{ item | regex_search("^(\S+)") }}\s' + line: "{{ item }}" + loop: + - BASE dc=scripts,dc=mit,dc=edu + - URI {{ ldap_server }} +- name: Create /disabled + file: + path: /disabled + state: directory + mode: 0755 + owner: root + group: root +- name: Install and configure 389-ds + when: run_local_ldap + vars: + ldap_instance: scripts + ldap_instance_uri: "ldapi://%2fvar%2frun%2fslapd-scripts.socket/" + block: + - name: Install 389-ds + dnf: + name: + - 389-ds-base + state: present + - name: Create 389-ds instance + command: python3 - + args: + creates: "/etc/dirsrv/slapd-{{ldap_instance}}" + stdin: | + import sys + from lib389.cli_base import setup_script_logger + from lib389.instance.setup import SetupDs + from lib389.instance.options import General2Base, Slapd2Base, Backend2Base + from lib389.properties import * + + verbose = True + + log = setup_script_logger("dscreate", verbose) + + sd = SetupDs(verbose, False, log) + + general = General2Base(log) + general.set('start', False) + + slapd = Slapd2Base(log) + slapd.set('instance_name', '{{ ldap_instance }}') + slapd.set('self_sign_cert', False) + slapd.set('root_password', '{PBKDF2_SHA256}bogushash') + + backend = { + BACKEND_NAME: 'userRoot', + BACKEND_SUFFIX: 'dc=scripts,dc=mit,dc=edu', + 'create_suffix_entry': False, + } + if not sd.create_from_args(general.collect(), slapd.collect(), [backend]): + sys.exit(1) + - name: Install scripts schema + copy: + dest: "/etc/dirsrv/slapd-{{ ldap_instance }}/schema/98scripts-vhost.ldif" + src: 98scripts-vhost.ldif + notify: reload ldap schema + - name: Configure keytab + copy: + dest: "/etc/sysconfig/dirsrv-{{ ldap_instance }}" + content: | + KRB5_KTNAME=/etc/dirsrv/keytab + - name: Start 389-ds + service: + name: "dirsrv@{{ ldap_instance }}" + state: started + enabled: yes 
+ - name: Configure GSSAPI authentication + include_tasks: ldap_entry_iou.yml + vars: + dn: "cn=mapname,cn=mapping,cn=sasl,cn=config" + objectClass: + - top + - nsSaslMapping + attributes: + cn: mapname + nsSaslMapRegexString: '\(.*\)' + nsSaslMapBaseDNTemplate: 'uid=\1,ou=People,dc=scripts,dc=mit,dc=edu' + nsSaslMapFilterTemplate: "(objectClass=posixAccount)" + - name: Configure indices + include_tasks: ldap_entry_iou.yml + vars: + dn: "cn={{ item }},cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config" + objectClass: + - top + - nsIndex + attributes: + cn: "{{ item }}" + nsSystemIndex: "false" + nsIndexType: + - eq + - pres + notify: reindex ldap + loop: + - scriptsVhostName + - scriptsVhostAlias + - scriptsVhostAccount + - memberuid + - uidnumber + - gidnumber + - meta: flush_handlers + - name: Create scripts domain + include_tasks: ldap_entry_iou.yml + vars: + dn: "dc=scripts,dc=mit,dc=edu" + objectClass: + - top + - domain + attributes: + dc: scripts + - name: Create People ou + include_tasks: ldap_entry_iou.yml + vars: + dn: "ou=People,dc=scripts,dc=mit,dc=edu" + objectClass: + - top + - organizationalunit + attributes: + ou: People + - name: Create users for LDAP servers + include_tasks: ldap_entry_iou.yml + vars: + dn: "uid=ldap/{{ item }},ou=People,dc=scripts,dc=mit,dc=edu" + objectClass: + - top + - account + attributes: + uid: "ldap/{{ item }}" + loop: "{{ groups['scripts-ldap'] }}" + - name: Configure replica + include_tasks: ldap_entry_iou.yml + vars: + dn: 'cn=replica,cn=dc\3Dscripts\2Cdc\3Dmit\2Cdc\3Dedu,cn=mapping tree,cn=config' + objectClass: + - top + - nsDS5Replica + attributes: + # Flags = 0 means the replica is read-only; if we want to be able to make changes, we need to set flags to 1 and initialize a changelog. 
+ nsDS5Flags: 0 + nsDS5ReplicaId: 65535 + nsDS5ReplicaBindDN: "{{ groups['scripts-ldap'] | map('regex_replace', '^(.*)$', 'uid=ldap/\\1,ou=People,dc=scripts,dc=mit,dc=edu') | list }}" + nsDS5ReplicaType: 2 + nsDS5ReplicaRoot: dc=scripts,dc=mit,dc=edu + - file: + path: /etc/systemd/system/dirsrv@scripts.service.d + state: directory + - name: Start dirsrv before dependencies + copy: + dest: /etc/systemd/system/dirsrv@scripts.service.d/10-scripts.conf + content: | + [Unit] + Before=httpd.service + Before=nslcd.service + Before=postfix.service diff --git a/server/fedora/config/etc/logrotate.d/httpd b/ansible/roles/real-logrotate/files/httpd similarity index 71% rename from server/fedora/config/etc/logrotate.d/httpd rename to ansible/roles/real-logrotate/files/httpd index 3bc70ae0..98ade39d 100644 --- a/server/fedora/config/etc/logrotate.d/httpd +++ b/ansible/roles/real-logrotate/files/httpd @@ -6,7 +6,7 @@ create 640 root logview sharedscripts postrotate - /bin/kill -HUP `cat /var/run/httpd/httpd.pid 2>/dev/null` 2> /dev/null || true + /bin/systemctl reload httpd.service > /dev/null 2>/dev/null || true endscript } @@ -26,7 +26,7 @@ notifempty sharedscripts postrotate - /bin/kill -HUP `cat /var/run/httpd/httpd.pid 2>/dev/null` 2> /dev/null || true + /bin/systemctl reload httpd.service > /dev/null 2>/dev/null || true endscript } @@ -38,6 +38,6 @@ create 600 root root sharedscripts postrotate - /bin/kill -HUP `cat /var/run/httpd/httpd.pid 2>/dev/null` 2> /dev/null || true + /bin/systemctl reload httpd.service > /dev/null 2>/dev/null || true endscript } diff --git a/ansible/roles/real-logrotate/tasks/main.yml b/ansible/roles/real-logrotate/tasks/main.yml new file mode 100644 index 00000000..e3d6f93a --- /dev/null +++ b/ansible/roles/real-logrotate/tasks/main.yml 
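Review bot: The SASL mapping `nsSaslMapRegexString: '\(.*\)'` captures the entire SASL identity, realm included, and maps it to `uid=\1,ou=People,...`, so nothing anchors the match to a Kerberos realm; should cross-realm trust ever be configured, `ldap/<host>@OTHER.REALM` resolves to the same DN as the intended `ldap/<host>` identities listed in `nsDS5ReplicaBindDN`. Anchor the regex to the expected realm, e.g. `nsSaslMapRegexString: '\(.*\)@REALM'` with the realm's dots escaped, and add a comment saying why. The mapping's `nsSaslMapFilterTemplate: "(objectClass=posixAccount)"` also looks inconsistent with the `uid=ldap/{{ item }}` entries this role creates with only `top`/`account`: unless those entries gain posixAccount elsewhere, a GSSAPI replication bind as `ldap/<host>` maps to a DN that fails the filter, so please confirm against a live replica or widen the filter to `(|(objectClass=posixAccount)(objectClass=account))`. Finally, `slapd.set('root_password', '{PBKDF2_SHA256}bogushash')` appears to deliberately leave cn=Directory Manager without a usable password so that administration goes only through ldapi/EXTERNAL as root; a comment stating that would stop someone from "fixing" it later.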
@@ -0,0 +1,11 @@ +--- +- name: Configure lograte for HTTPD + copy: + dest: /etc/logrotate.d/httpd + src: httpd +- name: Start logrotate + when: ansible_distribution_major_version|int >= 30 + systemd: + name: logrotate.timer + enabled: yes + state: started diff --git a/ansible/roles/real-logwatch/files/logwatch/conf/services/systemd.conf b/ansible/roles/real-logwatch/files/logwatch/conf/services/systemd.conf new file mode 100644 index 00000000..5057c794 --- /dev/null +++ b/ansible/roles/real-logwatch/files/logwatch/conf/services/systemd.conf @@ -0,0 +1,3 @@ +*OnlyService = systemd +*RemoveHeaders +*PreIgnore = "PIDFile= references path below legacy directory" diff --git a/ansible/roles/real-logwatch/files/logwatch/conf/services/zz-lm_sensors.conf b/ansible/roles/real-logwatch/files/logwatch/conf/services/zz-lm_sensors.conf new file mode 100644 index 00000000..869cdfe0 --- /dev/null +++ b/ansible/roles/real-logwatch/files/logwatch/conf/services/zz-lm_sensors.conf @@ -0,0 +1 @@ +$get_kvm_status = "python3 -c 'from ansible.module_utils.facts.virtual import linux; import sys; sys.exit(linux.LinuxVirtual(None).get_virtual_facts()["virtualization_role"] != "guest")'" diff --git a/ansible/roles/real-logwatch/files/logwatch/scripts/shared/preignore b/ansible/roles/real-logwatch/files/logwatch/scripts/shared/preignore new file mode 100755 index 00000000..7fc1f9c9 --- /dev/null +++ b/ansible/roles/real-logwatch/files/logwatch/scripts/shared/preignore @@ -0,0 +1,17 @@ +#!/usr/bin/perl + +# logwatch 7.5.3 has a built-in Pre_Ignore setting, but F30 has +# logwatch 7.5.2 so we have to do it ourselves. + +my @patterns = @ARGV; + +while (my $line = ) { + print $line unless grep { $line =~ m/$_/ } @patterns; +} + +# vi: shiftwidth=3 syntax=perl tabstop=3 et +# Local Variables: +# mode: perl +# perl-indent-level: 3 +# indent-tabs-mode: nil +# End: 
diff --git a/ansible/roles/real-logwatch/meta/main.yml b/ansible/roles/real-logwatch/meta/main.yml new file mode 100644 index 00000000..bacb1c22 --- /dev/null +++ b/ansible/roles/real-logwatch/meta/main.yml @@ -0,0 +1,4 @@ +--- +# logwatch requires rsyslogd to function. +dependencies: + - syslog-client diff --git a/ansible/roles/real-logwatch/tasks/main.yml b/ansible/roles/real-logwatch/tasks/main.yml new file mode 100644 index 00000000..867fb389 --- /dev/null +++ b/ansible/roles/real-logwatch/tasks/main.yml @@ -0,0 +1,13 @@ +--- +- name: Install logwatch + dnf: + name: + - logwatch + state: present +- name: Configure logwatch + copy: + dest: /etc/logwatch/ + src: logwatch/ + mode: preserve +# TODO: Configure an e-mail destination for logwatch (new Moira list?) +# TODO: Enable logwatch.timer diff --git a/server/fedora/config/etc/scripts/modprobe b/ansible/roles/real-modprobe/files/modprobe similarity index 100% rename from server/fedora/config/etc/scripts/modprobe rename to ansible/roles/real-modprobe/files/modprobe diff --git a/ansible/roles/real-modprobe/handlers/main.yml b/ansible/roles/real-modprobe/handlers/main.yml new file mode 100644 index 00000000..ef567061 --- /dev/null +++ b/ansible/roles/real-modprobe/handlers/main.yml @@ -0,0 +1,5 @@ +--- +- name: load modules + service: + name: systemd-modules-load + state: restarted diff --git a/ansible/roles/real-modprobe/meta/main.yml b/ansible/roles/real-modprobe/meta/main.yml new file mode 100644 index 00000000..d0708a72 --- /dev/null +++ b/ansible/roles/real-modprobe/meta/main.yml @@ -0,0 +1,3 @@ +--- +dependencies: + - sysctl diff --git a/ansible/roles/real-modprobe/tasks/main.yml b/ansible/roles/real-modprobe/tasks/main.yml new file mode 100644 index 00000000..39c07b02 --- /dev/null +++ b/ansible/roles/real-modprobe/tasks/main.yml 
@@ -0,0 +1,35 @@ +--- +- name: Ensure /etc/scripts exists + file: + path: /etc/scripts/ + state: directory +- name: Install modprobe replacement script + copy: + dest: /etc/scripts/modprobe + src: modprobe + mode: preserve +- name: Load binfmt_misc + copy: + dest: /etc/modules-load.d/binfmt_misc.conf + content: | + binfmt_misc + notify: load modules +- name: Load rpc_pipefs + copy: + dest: /etc/modules-load.d/rpc_pipefs.conf + content: | + rpc_pipefs + notify: load modules +- name: Load vmw_vsock_vmci_transport + copy: + dest: /etc/modules-load.d/vmw_vsock_vmci_transport.conf + content: | + vmw_vsock_vmci_transport + notify: load modules + when: ansible_virtualization_type == "VMware" +- name: Activate modprobe replacement script + copy: + dest: /etc/sysctl.d/99-scripts-modprobe.conf + content: | + kernel.modprobe = /etc/scripts/modprobe + notify: apply sysctl diff --git a/ansible/roles/real-moira/defaults/main.yml b/ansible/roles/real-moira/defaults/main.yml new file mode 100644 index 00000000..af1336e0 --- /dev/null +++ b/ansible/roles/real-moira/defaults/main.yml @@ -0,0 +1 @@ +use_moira: "{{ 'moira-clients' in scripts_packages }}" diff --git a/ansible/roles/real-moira/tasks/main.yml b/ansible/roles/real-moira/tasks/main.yml new file mode 100644 index 00000000..30058614 --- /dev/null +++ b/ansible/roles/real-moira/tasks/main.yml @@ -0,0 +1,6 @@ +--- +- name: Ensure moira is installed + dnf: + name: moira-clients + state: present + when: use_moira diff --git a/ansible/roles/real-munin-node/meta/main.yml b/ansible/roles/real-munin-node/meta/main.yml new file mode 100644 index 00000000..761edcbc --- /dev/null +++ b/ansible/roles/real-munin-node/meta/main.yml @@ -0,0 +1,2 @@ +dependencies: + - munin-node diff --git a/ansible/roles/real-munin-node/tasks/main.yml b/ansible/roles/real-munin-node/tasks/main.yml new file mode 100644 index 00000000..1b2e438d --- /dev/null +++ b/ansible/roles/real-munin-node/tasks/main.yml 
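Review bot: `kernel.modprobe = /etc/scripts/modprobe` makes this script the helper the kernel executes as root on every module autoload request, but the `copy` task that installs it relies on `mode: preserve` and leaves owner/group to whatever the connection user is, and the `file` task creating /etc/scripts sets no `owner`/`mode` either. For a root-executed kernel hook I would pin these explicitly — `owner: root`, `group: root`, `mode: 0755` on the copy and the same on the directory — so a stray umask or a future non-root run cannot leave the path writable by anyone else. The body of the replacement script is not in this diff, so a one-line comment above the sysctl task saying what it does differently from stock modprobe would also help, since `kernel.modprobe` is an unusual knob to find in a role.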
@@ -0,0 +1,41 @@ +--- +- name: Run munin as non-root + lineinfile: + path: /etc/munin/munin-node.conf + regexp: '^#?\s*{{ item.split()[0] }}\s' + line: "{{ item }}" + loop: + - user munin + - group munin + notify: restart munin-node +- name: Configure sudoers + copy: + dest: /etc/sudoers.d/scripts-munin-node + content: | + Defaults:munin !syslog + + munin ALL=(root) SETENV: NOPASSWD: /etc/munin/plugins/postfix_mailqueue , /etc/munin/plugins/postfix_mailvolume , /etc/munin/plugins/sendmail* , /etc/munin/plugins/if_* , /etc/munin/plugins/if_err_eth2 +- name: Run certain munin plugins as root + copy: + dest: /etc/munin/plugin-conf.d/zzz-scripts + content: | + [postfix*] + user root + env.logfile maillog + env.logdir /var/log + command sudo -E %c + + [sendmail] + user root + env.mspqueue /var/spool/clientmqueue + command sudo -E %c + + [if_*] + user root + command sudo -E %c + env.PATH /usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin + notify: reconfigure munin-node +- name: Install scripts-munin-plugins + dnf: name=scripts-munin-plugins state=present + ignore_errors: yes + notify: reconfigure munin-node diff --git a/ansible/roles/real-network/meta/main.yml b/ansible/roles/real-network/meta/main.yml new file mode 100644 index 00000000..12d39eb5 --- /dev/null +++ b/ansible/roles/real-network/meta/main.yml 
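Review bot: The sudoers fragment is written with a plain `copy` and no `validate`, so a typo in that long one-line rule is installed unchecked and, because sudo refuses to run while any sudoers.d file fails to parse, would lock every user out of sudo on the host; add `validate: /usr/sbin/visudo -cf %s` and `mode: 0440` to the task. The rule also combines `SETENV:` with `NOPASSWD:` while the plugin config runs `sudo -E %c`, which lets the unprivileged munin user hand an arbitrary environment to root-executed shell plugins; what the plugins actually need is the few `env.*` values from plugin-conf.d, so `Defaults:munin env_keep += "logfile logdir mspqueue"` (plus whatever the if_* plugins read) would be tighter than SETENV, and PATH in particular is only safe if sudo's `secure_path` default is in effect, which this role does not check. `Defaults:munin !syslog` switches off the audit record for exactly these root invocations; if the concern is log volume, leaving it on and filtering at the collector is the safer trade. The `ignore_errors: yes` on the scripts-munin-plugins install also hides a failed package install entirely; a `failed_when` on the specific tolerated condition would be more honest.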
@@ -0,0 +1,24 @@ +--- +dependencies: +- role: systemd-networkd + vars: + lo_extra: | + {% for vip in vips %} + {% if vip.type|default(True) != 'director' and (vip.codename|default(ansible_lsb.codename) == ansible_lsb.codename)%} + [Address] + Address={{vip.ip}}/32 + {% endif %} + {% endfor %} + vlan486_extra: | + {% for hostname in groups['scripts-proxy'] %} + {% with info = hostvars[hostname] %} + {% if info.dscp_tag is defined %} + [RoutingPolicyRule] + FirewallMark={{ info.dscp_tag }} + Table={{ info.dscp_tag }} + [Route] + Gateway={{ info.vlan486_address }} + Table={{ info.dscp_tag }} + {% endif %} + {% endwith %} + {% endfor %} diff --git a/server/fedora/config/etc/nagios/check_afs b/ansible/roles/real-nrpe/files/plugins/check_afs similarity index 83% rename from server/fedora/config/etc/nagios/check_afs rename to ansible/roles/real-nrpe/files/plugins/check_afs index eb3cea73..70e8557a 100755 --- a/server/fedora/config/etc/nagios/check_afs +++ b/ansible/roles/real-nrpe/files/plugins/check_afs @@ -13,10 +13,10 @@ fi STATUS=$? -$ECHO "$CHECKS" +echo "$CHECKS" if [ $STATUS -gt 0 ]; then - if $ECHO "$CHECKS" | grep -i ARTEMIS >/dev/null; then + if echo "$CHECKS" | grep -i ARTEMIS >/dev/null; then exit $STATE_CRITICAL; else exit $STATE_WARNING; diff --git a/server/fedora/config/etc/nagios/check_cron_working b/ansible/roles/real-nrpe/files/plugins/check_cron_working similarity index 100% rename from server/fedora/config/etc/nagios/check_cron_working rename to ansible/roles/real-nrpe/files/plugins/check_cron_working diff --git a/server/fedora/config/etc/nagios/check_kern_taint b/ansible/roles/real-nrpe/files/plugins/check_kern_taint similarity index 96% rename from server/fedora/config/etc/nagios/check_kern_taint rename to ansible/roles/real-nrpe/files/plugins/check_kern_taint index 4899bd34..16954376 100755 --- a/server/fedora/config/etc/nagios/check_kern_taint +++ b/ansible/roles/real-nrpe/files/plugins/check_kern_taint 
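Review bot: `vip.type|default(True) != 'director'` compares a boolean default against a string and only works because `True != 'director'` happens to be true; `vip.type|default('') != 'director'` says what is meant. The right-hand side of `vip.codename|default(ansible_lsb.codename) == ansible_lsb.codename` is evaluated unconditionally, so on a host where `ansible_lsb` is empty (no lsb_release installed) I believe the template fails even when every vip carries its own `codename`; a dedicated inventory variable, or `ansible_lsb.codename|default('')`, would be safer. The `[RoutingPolicyRule] FirewallMark=…` / `Table=…` entries are the consumer of the DSCP-derived packet marks set in `real-iptables/templates/iptables.j2`, so a comment here pointing at that template (and one there pointing back) would let the two halves of the scheme be audited together.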
@@ -4,7 +4,7 @@ taintval=$(cat /proc/sys/kernel/tainted) if [ "$taintval" = 0 ]; then - $ECHO "Not tainted" + echo "Not tainted" exit $STATE_OK fi @@ -38,7 +38,7 @@ for i in P F S R M B U D A W C I; do flag=$(($flag * 2)) done -$ECHO "Tainted: $taints" +echo "Tainted: $taints" case "$taints" in *M*|*B*|*D*) exit $STATE_CRITICAL;; diff --git a/ansible/roles/real-nrpe/files/plugins/check_ldap_mmr b/ansible/roles/real-nrpe/files/plugins/check_ldap_mmr new file mode 100755 index 00000000..e3b77d0b --- /dev/null +++ b/ansible/roles/real-nrpe/files/plugins/check_ldap_mmr @@ -0,0 +1,6 @@ +#!/bin/sh + +export USE_NEWLINES=1 +# TODO: Create a non-root user to run this plugin that has read-only +# access to the replication status objects. +exec /usr/bin/sudo /etc/nagios/check_ldap_mmr.real diff --git a/server/fedora/config/etc/nagios/check_ldap_mmr.real b/ansible/roles/real-nrpe/files/plugins/check_ldap_mmr.real similarity index 87% rename from server/fedora/config/etc/nagios/check_ldap_mmr.real rename to ansible/roles/real-nrpe/files/plugins/check_ldap_mmr.real index 4b54e04d..a9bdea49 100755 --- a/server/fedora/config/etc/nagios/check_ldap_mmr.real +++ b/ansible/roles/real-nrpe/files/plugins/check_ldap_mmr.real @@ -4,6 +4,7 @@ # Adapted for scripts.mit.edu by Mitchell Berger use Net::LDAP; +use Authen::SASL; use strict; my $nl = $ENV{'USE_NEWLINES'} ? "\n" : ""; 
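Review bot: `export USE_NEWLINES=1` has no effect once `exec /usr/bin/sudo /etc/nagios/check_ldap_mmr.real` runs, because sudo's default `env_reset` strips variables not listed in `env_keep`, and the matching rule in real-nrpe/tasks (`nrpe ALL=(root) NOPASSWD: /etc/nagios/check_ldap_mmr.real`) grants neither `SETENV` nor an env_keep; the `.real` script will see `$ENV{'USE_NEWLINES'}` unset and fall back to the single-line output. Add `Defaults!/etc/nagios/check_ldap_mmr.real env_keep += "USE_NEWLINES"` to that sudoers fragment, or drop the export if the single-line form is acceptable. The TODO about running as a non-root reader of the replication status objects is the right direction; until then a comment here noting the env_keep dependency would keep the two files consistent.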
@@ -12,9 +13,19 @@ my $tab = $ENV{'USE_NEWLINES'} ? " " : ""; # Nagios codes my %ERRORS=('OK'=>0, 'WARNING'=>1, 'CRITICAL'=>2, 'UNKNOWN'=>3, 'DEPENDENT'=>4); -my $ldapserver = 'ldapi://%2fvar%2frun%2fslapd-scripts.socket'; -my $user = 'cn=Directory Manager'; -my $passwdfile = '/etc/signup-ldap-pw'; +my $ldapserver; + +open(my $conf, "<", "/etc/openldap/ldap.conf") or die "open: $!"; +while (my $line = <$conf>) { + if ($line =~ m/^URI\s+(\S+)/) { + $ldapserver = $1; + } +} +close($conf) or die "close: $!"; + +if (not $ldapserver) { + die "Couldn't find LDAP URI"; +} my $configBase = "cn=config"; my $replicatedBase = "dc=scripts,dc=mit,dc=edu"; my $server="nsDS5ReplicaHost"; @@ -71,7 +82,12 @@ sub ConnectLdap { open (PASSWD, $passwdfile) || &nagios_return("CRITICAL", "Could not read credentials"); my $passwd = ; close (PASSWD); - my $mesg = $ldap->bind ( "$user", password => "$passwd" , version => 3 ); + my $mesg; + if ($ldapserver =~ m/^ldapi:/) { + $mesg = $ldap->bind(sasl => Authen::SASL->new(mech => "EXTERNAL"), version => 3); + } else { + $mesg = $ldap->bind(version => 3); + } if ($mesg->code) { &nagios_return("CRITICAL", "Failed to bind to LDAP: " . $mesg->error); } diff --git a/server/fedora/config/etc/nagios/check_mail_dnsrbl b/ansible/roles/real-nrpe/files/plugins/check_mail_dnsrbl similarity index 100% rename from server/fedora/config/etc/nagios/check_mail_dnsrbl rename to ansible/roles/real-nrpe/files/plugins/check_mail_dnsrbl diff --git a/ansible/roles/real-nrpe/meta/main.yml b/ansible/roles/real-nrpe/meta/main.yml new file mode 100644 index 00000000..d62489b3 --- /dev/null +++ b/ansible/roles/real-nrpe/meta/main.yml 
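Review bot: The second hunk removes the `$passwdfile` and `$user` declarations but leaves the context lines `open (PASSWD, $passwdfile) || &nagios_return(...)`, `my $passwd = ...;` and `close (PASSWD);` in `ConnectLdap`, so under `use strict` the script no longer compiles (`Global symbol "$passwdfile" requires explicit package name`) and the check will fail on every run; delete those three lines along with the variables, since the bind no longer uses a password. The non-ldapi branch `$mesg = $ldap->bind(version => 3)` is an anonymous bind, and the replication objects under cn=config are normally not anonymously readable, so that path probably needs a GSSAPI bind (`sasl => Authen::SASL->new(mech => "GSSAPI")`) with a keytab to be useful; if it is only a placeholder, say so in a comment. `ConnectLdap` begins before this hunk and appears to continue after it.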
@@ -0,0 +1,22 @@ +--- +dependencies: + - role: nrpe + vars: + nrpe_checks: + check_users: /usr/lib64/nagios/plugins/check_users -w 25 -c 50 + check_load: /usr/lib64/nagios/plugins/check_load -w 50:50:50 -c 100:50:50 + check_disk: /usr/lib64/nagios/plugins/check_disk -w 10% -c 5% -A -i ^/mnt + check_procs_cpu: /usr/lib64/nagios/plugins/check_procs -w 4 -c 6 -P 50 + check_procs_crond: "/usr/lib64/nagios/plugins/check_procs -w 1: -c 1: -C crond" + check_procs_nscd: /usr/lib64/nagios/plugins/check_procs -w 1:256 -c 1:512 -u nscd + check_procs_postfix: /usr/lib64/nagios/plugins/check_procs -w 1:128 -c 1:256 -u postfix + check_postfix_mailq: /usr/lib64/nagios/plugins/check_mailq -w 5000 -c 10000 -M postfix + check_afs: /etc/nagios/check_afs + check_afs_athena: /etc/nagios/check_afs athena + check_afs_sipb: /etc/nagios/check_afs sipb + check_cron_working: /etc/nagios/check_cron_working + check_ldap_mmr: /etc/nagios/check_ldap_mmr + check_kern_taint: /etc/nagios/check_kern_taint + check_backend: /usr/lib64/nagios/plugins/check_ping -H 172.21.0.52 -w 500.0,30% -c 3000.0,80% # sql.mit.edu backend IP + check_smtp: /usr/lib64/nagios/plugins/check_smtp -H localhost -f scripts@mit.edu -C 'RCPT TO:' -R 250 + check_mail_dnsrbl: /etc/nagios/check_mail_dnsrbl -w 3 -c 4 -h `hostname` diff --git a/ansible/roles/real-nrpe/tasks/main.yml b/ansible/roles/real-nrpe/tasks/main.yml new file mode 100644 index 00000000..ed91cc23 --- /dev/null +++ b/ansible/roles/real-nrpe/tasks/main.yml @@ -0,0 +1,11 @@ +--- +- name: Install NRPE plugins + copy: + src: plugins/ + dest: /etc/nagios/ + mode: preserve +- name: Allow NRPE to check LDAP status + copy: + dest: /etc/sudoers.d/scripts-nrpe + content: | + nrpe ALL=(root) NOPASSWD: /etc/nagios/check_ldap_mmr.real diff --git a/ansible/roles/real-nsspam/defaults/main.yml b/ansible/roles/real-nsspam/defaults/main.yml new file mode 100644 index 00000000..ca79aea2 --- /dev/null +++ b/ansible/roles/real-nsspam/defaults/main.yml 
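Review bot: The nrpe sudoers fragment is installed with a bare `copy` and no `validate`, so a malformed rule would be written unchecked and, since sudo refuses to run while any sudoers.d file fails to parse, would break sudo for every user on the host; add `validate: /usr/sbin/visudo -cf %s` and `mode: 0440`. The rule grants root execution of `/etc/nagios/check_ldap_mmr.real`, which the preceding task copies with `mode: preserve` and no explicit `owner`; pin `owner: root` and `group: root` on that copy so the target of a NOPASSWD rule can never be writable by the nrpe user. The wrapper that invokes this rule exports `USE_NEWLINES=1`, which sudo's env_reset drops unless this fragment also carries `Defaults!/etc/nagios/check_ldap_mmr.real env_keep += "USE_NEWLINES"`.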
@@ -0,0 +1 @@ +use_nss_nonlocal: "{{ 'nss_nonlocal' in scripts_packages }}" diff --git a/ansible/roles/real-nsspam/files/authselect/README b/ansible/roles/real-nsspam/files/authselect/README new file mode 100644 index 00000000..c0cfa3bc --- /dev/null +++ b/ansible/roles/real-nsspam/files/authselect/README @@ -0,0 +1 @@ +scripts.mit.edu LDAP configuration diff --git a/ansible/roles/real-nsspam/files/authselect/fingerprint-auth b/ansible/roles/real-nsspam/files/authselect/fingerprint-auth new file mode 100644 index 00000000..add89c4a --- /dev/null +++ b/ansible/roles/real-nsspam/files/authselect/fingerprint-auth @@ -0,0 +1 @@ +# scripts does not use fingerprint authentication. diff --git a/ansible/roles/real-nsspam/files/authselect/password-auth b/ansible/roles/real-nsspam/files/authselect/password-auth new file mode 100644 index 00000000..66a97d8b --- /dev/null +++ b/ansible/roles/real-nsspam/files/authselect/password-auth @@ -0,0 +1,23 @@ +#%PAM-1.0 +auth required pam_env.so +auth required pam_faildelay.so delay=2000000 +auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet +auth [default=1 ignore=ignore success=ok] pam_localuser.so +auth sufficient pam_unix.so nullok try_first_pass +auth requisite pam_succeed_if.so uid >= 1000 quiet_success +auth required pam_deny.so + +account required pam_unix.so +account sufficient pam_localuser.so +account sufficient pam_succeed_if.so uid < 1000 quiet +account required pam_permit.so + +password requisite pam_pwquality.so try_first_pass local_users_only +password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok +password required pam_deny.so + +session optional pam_keyinit.so revoke +session required pam_limits.so +-session optional pam_systemd.so +session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid +session required pam_unix.so 
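Review bot: `auth sufficient pam_unix.so nullok try_first_pass` and `password sufficient pam_unix.so sha512 shadow nullok ...` keep `nullok`, which lets a local account with an empty password field authenticate and be left passwordless after a change; Fedora's stock templates carry it, but a server profile whose only local users are root and service accounts does not need it, so drop `nullok` from both lines unless some account relies on it. As written the auth stack gives non-local users (uid >= 1000, absent from /etc/passwd) no password path at all — `pam_succeed_if.so uid >= 1000 quiet_success` followed by `pam_deny.so` — which is presumably intentional because logins go through Kerberos, but a comment at the top of the file such as `# non-local users authenticate via Kerberos/k5login only; no pam_ldap/pam_krb5 on purpose` would stop a future maintainer from adding one.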
diff --git a/ansible/roles/real-nsspam/files/authselect/postlogin b/ansible/roles/real-nsspam/files/authselect/postlogin new file mode 100644 index 00000000..29a16b46 --- /dev/null +++ b/ansible/roles/real-nsspam/files/authselect/postlogin @@ -0,0 +1,4 @@ +session optional pam_umask.so silent +session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet +session [default=1] pam_lastlog.so nowtmp showfailed +session optional pam_lastlog.so silent noupdate showfailed diff --git a/ansible/roles/real-nsspam/files/authselect/smartcard-auth b/ansible/roles/real-nsspam/files/authselect/smartcard-auth new file mode 100644 index 00000000..5a882427 --- /dev/null +++ b/ansible/roles/real-nsspam/files/authselect/smartcard-auth @@ -0,0 +1 @@ +# scripts does not use smartcard auth. diff --git a/ansible/roles/real-nsspam/files/authselect/system-auth b/ansible/roles/real-nsspam/files/authselect/system-auth new file mode 100644 index 00000000..66a97d8b --- /dev/null +++ b/ansible/roles/real-nsspam/files/authselect/system-auth @@ -0,0 +1,23 @@ +#%PAM-1.0 +auth required pam_env.so +auth required pam_faildelay.so delay=2000000 +auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet +auth [default=1 ignore=ignore success=ok] pam_localuser.so +auth sufficient pam_unix.so nullok try_first_pass +auth requisite pam_succeed_if.so uid >= 1000 quiet_success +auth required pam_deny.so + +account required pam_unix.so +account sufficient pam_localuser.so +account sufficient pam_succeed_if.so uid < 1000 quiet +account required pam_permit.so + +password requisite pam_pwquality.so try_first_pass local_users_only +password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok +password required pam_deny.so + +session optional pam_keyinit.so revoke +session required pam_limits.so +-session optional pam_systemd.so +session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid +session required pam_unix.so 
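Review bot: system-auth is byte-identical to password-auth (both headers show blob 66a97d8b), which means every future change has to be made twice and the two can silently diverge; at minimum add a header comment to both, `# keep in sync with password-auth (identical by design)`, and consider whether a symlink inside the custom profile directory is honoured by `authselect apply-changes`, which I have not verified. `nullok` on both pam_unix lines should also go unless an account genuinely depends on an empty password.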
diff --git a/ansible/roles/real-nsspam/handlers/main.yml b/ansible/roles/real-nsspam/handlers/main.yml new file mode 100644 index 00000000..a25c92ad --- /dev/null +++ b/ansible/roles/real-nsspam/handlers/main.yml @@ -0,0 +1,8 @@ +--- +- name: apply authselect + command: /usr/bin/authselect apply-changes +- name: restart nslcd + service: name=nslcd state=restarted +- name: restart nscd + service: name=nscd state=restarted + # Reloading nscd does not cause it to reread its configuration. diff --git a/ansible/roles/real-nsspam/tasks/main.yml b/ansible/roles/real-nsspam/tasks/main.yml new file mode 100644 index 00000000..7811c279 --- /dev/null +++ b/ansible/roles/real-nsspam/tasks/main.yml 
@@ -0,0 +1,74 @@ +--- +- name: Install nscd and nslcd + dnf: + name: + - nscd + - nss-pam-ldapd + state: present +- name: Configure nscd for caching + lineinfile: + path: /etc/nscd.conf + regexp: '(?i)^#?\s*{{ item.split()[0] }}\s+{{ (item.split()[1] in ("passwd group hosts services netgroup").split()) | ternary(item.split()[1] + "\s+", "") }}' + line: "{{ item }}" + loop: + - threads 32 + - max-threads 128 + - negative-time-to-live passwd 5 + - negative-time-to-live group 5 + - suggested-size passwd 1999 + - persistent passwd no + - suggested-size group 1999 + - persistent group no + - suggested-size hosts 1999 + notify: restart nscd +- name: Enable nscd + service: + name: nscd + enabled: yes + state: started +- name: Configure nslcd + copy: + dest: /etc/nslcd.conf + content: | + uid nslcd + gid ldap + uri {{ ldap_server }} + base dc=scripts,dc=mit,dc=edu + base group ou=Groups,dc=scripts,dc=mit,dc=edu + base passwd ou=People,dc=scripts,dc=mit,dc=edu + timelimit 120 + bind_timelimit 120 + idle_timelimit 3600 + notify: restart nslcd +- name: Enable nslcd + service: + name: nslcd + enabled: yes + state: started +- name: Install nss_nonlocal + dnf: + name: nss_nonlocal + state: present + when: use_nss_nonlocal +- name: Create authselect profile + copy: + dest: /etc/authselect/custom/scripts/ + src: authselect/ + notify: apply authselect +- name: Configure nsswitch + template: + dest: /etc/authselect/custom/scripts/nsswitch.conf + src: nsswitch.conf.j2 + notify: + - apply authselect + - restart nscd +- name: Get current authselect profile + command: + /usr/bin/authselect current -r + check_mode: no + changed_when: False + register: authselect_current +- name: Switch authselect profile + command: + /usr/bin/authselect select custom/scripts --force + when: authselect_current.stdout != "custom/scripts" diff --git a/ansible/roles/real-nsspam/templates/nsswitch.conf.j2 b/ansible/roles/real-nsspam/templates/nsswitch.conf.j2 new file mode 100644 index 00000000..2d9d083c 
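Review bot: The generated /etc/nslcd.conf has `uri {{ ldap_server }}` and nothing about transport security — no `ssl start_tls`, `tls_reqcert demand` or `tls_cacertfile` — so unless `ldap_server` is an `ldaps://` or `ldapi://` URI on every host, passwd/group resolution runs unauthenticated and in the clear, and an on-path attacker who can answer for the LDAP server chooses the uid/gid a login maps to; nss_nonlocal, installed here only when packaged, confines that to non-local IDs but does not remove it. Either assert the scheme before writing the file (`- assert: { that: ldap_server is match('^(ldaps|ldapi)://') }`) or add the TLS directives to the content, and state in a comment which of the two the role relies on. `persistent passwd no` / `persistent group no` together with the 5-second negative TTLs look chosen so that newly created LDAP accounts become visible quickly; if so, a comment saying that would keep someone from "optimising" them away. `authselect select custom/scripts --force` discards local edits to /etc/pam.d without warning, which is right for managed hosts but worth a one-line comment.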
--- /dev/null +++ b/ansible/roles/real-nsspam/templates/nsswitch.conf.j2 @@ -0,0 +1,17 @@ +passwd: files {% if use_nss_nonlocal %}nonlocal +passwd_nonlocal: {% endif %}ldap +shadow: files +group: files {% if use_nss_nonlocal %}nonlocal +group_nonlocal: {% endif %}ldap +hosts: files dns myhostname + +ethers: files +netmasks: files +networks: files +protocols: files +rpc: files +services: files + +bootparams: files +automount: files +aliases: files diff --git a/ansible/roles/real-ntp/handlers/main.yml b/ansible/roles/real-ntp/handlers/main.yml new file mode 100644 index 00000000..f7ef20da --- /dev/null +++ b/ansible/roles/real-ntp/handlers/main.yml @@ -0,0 +1,3 @@ +--- +- name: restart chronyd + service: name=chronyd state=restarted diff --git a/ansible/roles/real-ntp/tasks/main.yml b/ansible/roles/real-ntp/tasks/main.yml new file mode 100644 index 00000000..50a4e92b --- /dev/null +++ b/ansible/roles/real-ntp/tasks/main.yml @@ -0,0 +1,20 @@ +--- +- name: Install chrony + dnf: + name: + - chrony + state: present +- name: Configure Chrony to not use a pool + lineinfile: + path: /etc/chrony.conf + regexp: '^(#?)(pool .*)$' + line: '#\2' + backrefs: yes + notify: restart chronyd +- name: Configure NTP servers + blockinfile: + path: /etc/chrony.conf + block: | + server time.mit.edu + server tick.mit.edu + notify: restart chronyd diff --git a/ansible/roles/real-php/defaults/main.yml b/ansible/roles/real-php/defaults/main.yml new file mode 100644 index 00000000..78030e33 --- /dev/null +++ b/ansible/roles/real-php/defaults/main.yml @@ -0,0 +1 @@ +use_scripts_php: "{{ 'php_scripts' in scripts_packages }}" diff --git a/ansible/roles/real-php/meta/main.yml b/ansible/roles/real-php/meta/main.yml new file mode 100644 index 00000000..6e6ad557 --- /dev/null +++ b/ansible/roles/real-php/meta/main.yml @@ -0,0 +1,2 @@ +dependencies: + - tmpfiles diff --git a/ansible/roles/real-php/tasks/main.yml b/ansible/roles/real-php/tasks/main.yml new file mode 100644 index 00000000..e5aca257 
--- /dev/null +++ b/ansible/roles/real-php/tasks/main.yml 
@@ -0,0 +1,103 @@
+---
+- name: Install PHP
+ dnf:
+ name:
+ - php
+ - php-cli
+ # Extensions for scripts.mit.edu textpattern
+ - php-json
+ - php-mysqlnd
+ - php-mbstring
+ state: present
+- name: Explicitly remove php-fpm
+ dnf:
+ name: php-fpm
+ disable_excludes: main
+ state: absent
+- name: Install php_scripts
+ dnf:
+ name:
+ - php_scripts
+ state: present
+ when: use_scripts_php
+- name: Create session directories
+ copy:
+ dest: /etc/tmpfiles.d/scripts-php-sessions.conf
+ content: |
+ d /var/lib/scripts-php-sessions 1773 root root 30d
+ d /tmp/sessions 1773 root root 30d
+ notify: create tmpfiles
+- name: Configure php.ini
+ ini_file:
+ path: /etc/php.ini
+ section: "{{ item.section }}"
+ option: "{{ item.option }}"
+ value: "{{ item.value }}"
+ loop:
+ - section: PHP
+ option: short_open_tag
+ value: "On"
+ - section: PHP
+ option: memory_limit
+ value: "1024M"
+ - section: PHP
+ option: variables_order
+ value: '"EGPCS"'
+ - section: PHP
+ option: enable_dl
+ value: "On"
+ - section: Date
+ option: date.timezone
+ value: '"US/Eastern"'
+ - section: MySQLi
+ option: mysqli.default_host
+ value: '"sql.mit.edu"'
+ - section: Session
+ option: session.save_path
+ value: '"/var/lib/scripts-php-sessions"'
+ - section: Session
+ option: url_rewriter.tags
+ value: '"a=href,area=href,frame=src,input=src,form=fakeentry"'
+- name: Create /etc/scripts/php.d
+ file:
+ path: /etc/scripts/php.d
+ state: directory
+- name: Configure php.d/_scripts.ini
+ copy:
+ dest: /etc/scripts/php.d/_scripts.ini
+ # TODO: Reconcile this with php.ini above.
+ content: |
+ extension=bz2
+ extension=calendar
+ extension=ctype
+ extension=curl
+ extension=dom
+ extension=exif
+ extension=fileinfo
+ extension=ftp
+ extension=gettext
+ extension=iconv
+ extension=mysqlnd
+ extension=pdo
+ extension=phar
+ extension=simplexml
+ extension=sockets
+ extension=sqlite3
+ extension=tokenizer
+ extension=xml
+ extension=xmlwriter
+ extension=xsl
+
+ extension=mysqli
+ extension=pdo_mysql
+ extension=pdo_sqlite
+ extension=wddx
+ extension=xmlreader
+
+ {% if use_scripts_php %}
+ zend_extension = /usr/lib64/php/modules/scripts.so
+ {% endif %}
+ cgi.fix_pathinfo = 1
+ cgi.force_redirect = 0
+ memory_limit = 1024M
+ date.timezone = America/New_York
diff --git a/server/fedora/config/etc/pki/tls/gencsr b/ansible/roles/real-pki/files/gencsr/gencsr
similarity index 100%
rename from server/fedora/config/etc/pki/tls/gencsr
rename to ansible/roles/real-pki/files/gencsr/gencsr
diff --git a/server/fedora/config/etc/pki/tls/gencsr-pony b/ansible/roles/real-pki/files/gencsr/gencsr-pony
similarity index 92%
rename from server/fedora/config/etc/pki/tls/gencsr-pony
rename to ansible/roles/real-pki/files/gencsr/gencsr-pony
index de2aa274..684eda89 100755
--- a/server/fedora/config/etc/pki/tls/gencsr-pony
+++ b/ansible/roles/real-pki/files/gencsr/gencsr-pony
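Review bot: The two PHP configuration layers written by this hunk disagree: `date.timezone` is `"US/Eastern"` in the php.ini loop and `America/New_York` in `_scripts.ini`, and `memory_limit = 1024M` is set in both; the TODO acknowledges it, but which value wins depends on how `/etc/scripts/php.d` is scanned, so drop the duplicate from one layer or at least spell the timezone identically in both. `enable_dl = On` deserves a why-comment on its loop entry, since stock php.ini ships it off and a reader will wonder whether user code is meant to load extensions at runtime, e.g. `# dl() is required by the scripts.mit.edu CGI setup — confirm before removing`. The tmpfiles line `d /tmp/sessions 1773 root root 30d` creates a directory nothing else here references once `session.save_path` points at `/var/lib/scripts-php-sessions`; if no other role consumes it, remove it rather than leaving a world-writable sticky directory around. The `Configure php.d/_scripts.ini` task begins on the previous line of this hunk.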
@@ -17,9 +17,14 @@ if any(hostname for hostname in hostnames if '.' not in hostname):
 exit('error: Hostnames must be fully qualified')
 # Connect to LDAP
-ll = ldap.initialize('ldapi://%2fvar%2frun%2fslapd-scripts.socket/')
-with open('/etc/signup-ldap-pw') as pw_file:
- ll.simple_bind_s('cn=Directory Manager', pw_file.read())
+ldap_uri = ldap.get_option(ldap.OPT_URI)
+
+ll = LDAPObject(ldap_uri)
+if ldap_uri.startswith('ldapi:'):
+ ll.sasl_external_bind_s()
+else:
+ # Consider using /etc/signup.keytab to bind with GSSAPI
+ ll.simple_bind_s()
 # Verify hostname existence and ownership
 locker_dn = ldap.dn.dn2str([[('uid', locker, 1)], [('ou', 'People', 1)], [('dc', 'scripts', 1)], [('dc', 'mit', 1)], [('dc', 'edu', 1)]])
diff --git a/ansible/roles/real-pki/tasks/main.yml b/ansible/roles/real-pki/tasks/main.yml
new file mode 100644
index 00000000..5605a4c4
--- /dev/null
+++ b/ansible/roles/real-pki/tasks/main.yml
@@ -0,0 +1,36 @@
+---
+- name: Install gencsr
+ copy:
+ dest: /etc/pki/tls/
+ src: gencsr/
+ mode: preserve
+- name: Allow pony to run gencsr-pony
+ copy:
+ dest: /etc/sudoers.d/scripts-gencsr-pony
+ content: |
+ pony ALL=(root) NOPASSWD: /etc/pki/tls/gencsr-pony
+- name: Configure OpenSSL for CSR generation
+ ini_file:
+ path: /etc/pki/tls/openssl.cnf
+ section: " {{ item.0.section }} "
+ option: "{{ item.1.option }}"
+ value: "{{ item.1.value }}"
+ with_subelements:
+ -
+ - section: req_distinguished_name
+ options:
+ - option: countryName_default
+ value: US
+ - option: stateOrProvinceName_default
+ value: Massachusetts
+ - option: organizationalUnitName
+ value: OU
+ - option: organizationalUnitName_default
+ value: scripts.mit.edu web hosting service
+ - option: emailAddress_default
+ value: scripts@mit.edu
+ - section: req
+ options:
+ - option: default_md
+ value: sha256
+ - options
diff --git a/ansible/roles/real-postfix/files/aliases b/ansible/roles/real-postfix/files/aliases
new file mode 100644
index 00000000..c7ea1edb
--- /dev/null
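Review bot: `ldap_uri = ldap.get_option(ldap.OPT_URI)` is used unguarded on the following lines; when no `URI` is configured (ldap.conf or `LDAPURI`) the option comes back empty and `ldap_uri.startswith('ldapi:')` dies with an AttributeError rather than a clear message, and because the option may hold a space-separated list of URIs only the first scheme is inspected. Add `if not ldap_uri: exit('error: no LDAP URI configured (ldap.conf URI / LDAPURI)')` before constructing the connection. `LDAPObject` replaces `ldap.initialize` here but its import lies outside the hunk, so confirm it is present (or keep `ldap.initialize(ldap_uri)`, which returns the same object type). The fallback `ll.simple_bind_s()` is an anonymous bind, so the ownership check that follows now relies on the `uid`/vhost attributes being anonymously readable — presumably it fails closed with an LDAP error otherwise, which is the right direction, and retiring the Directory Manager password file is a clear improvement. The script continues on both sides of this hunk.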
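Review bot: The sudoers drop-in written by the `Allow pony to run gencsr-pony` task gets the copy module's default mode and is never syntax-checked; a malformed fragment under `/etc/sudoers.d` can disable sudo for everyone, and sudo rejects or warns about drop-ins with permissive modes. Add `mode: '0440'` and `validate: /usr/sbin/visudo -cf %s` to that copy task. Because `/etc/pki/tls/gencsr-pony` becomes a NOPASSWD root target, the `Install gencsr` copy should also pin `owner: root` and `group: root` instead of relying on `mode: preserve` plus whoever the connecting user happens to be — any write access for pony to that file would amount to root. The padded `section: " {{ item.0.section }} "` looks deliberate (openssl.cnf spells its headers `[ req ]`), so a one-line comment saying so would keep someone from "fixing" it.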
+++ b/ansible/roles/real-postfix/files/aliases 
@@ -0,0 +1,108 @@
+#
+# Aliases in this file will NOT be expanded in the header from
+# Mail, but WILL be visible over networks or from /bin/mail.
+#
+# >>>>>>>>>> The program "newaliases" must be run after
+# >> NOTE >> this file is updated for any changes to
+# >>>>>>>>>> show through to sendmail.
+#
+
+# Basic system aliases -- these MUST be present.
+mailer-daemon: postmaster
+postmaster: root
+
+# General redirections for pseudo accounts.
+bin: root
+daemon: root
+adm: root
+lp: root
+sync: root
+shutdown: root
+halt: root
+mail: root
+news: root
+uucp: root
+operator: root
+games: root
+gopher: root
+ftp: root
+nobody: root
+radiusd: root
+nut: root
+dbus: root
+vcsa: root
+canna: root
+wnn: root
+rpm: root
+nscd: root
+pcap: root
+apache: root
+webalizer: root
+dovecot: root
+fax: root
+quagga: root
+radvd: root
+pvm: root
+amandabackup: root
+privoxy: root
+ident: root
+named: root
+xfs: root
+gdm: root
+mailnull: root
+postgres: root
+sshd: root
+smmsp: root
+postfix: root
+netdump: root
+ldap: root
+squid: root
+ntp: root
+mysql: root
+desktop: root
+rpcuser: root
+rpc: root
+nfsnobody: root
+
+ingres: root
+system: root
+toor: root
+manager: root
+dumper: root
+abuse: root
+
+newsadm: news
+newsadmin: news
+usenet: news
+ftpadm: ftp
+ftpadmin: ftp
+ftp-adm: ftp
+ftp-admin: ftp
+www: webmaster
+webmaster: root
+noc: root
+security: root
+hostmaster: root
+
+
+# trap decode to catch security attacks
+decode: root
+
+# Person who should get root's mail
+# root: (moved to /etc/scripts/root-procmailrc so this mail gets spam filtered)
+
+scripts: root
+signup: root
+afsagent: root
+logview: root
+scripts-build: root
+
+# People who are abusing or otherwise causing problems with the mail system
+# MOVED TO LDAP
+# cat < root
+# For domains on this pool, virtual-alias-maps-ldap.cf does foo@bar.com -> user+foo@localhost
+# For domains on another pool, virtual-alias-maps-relay-ldap.cf does foo@bar.com -> foo!bar.com@[18.4.86.22]
+# For users on another pool, pass-scripts.mit.edu matches *@scripts.mit.edu and virtual-alias-maps-relay-user-ldap.cf does foo@scripts.mit.edu -> foo!scripts.mit.edu@[18.4.86.22]
+# pass-scripts.mit.edu-suffix and virtual-alias-maps-relay-user-suffix-ldap.cf do the same for foo+bar@scripts.mit.edu
+# Native routing does foo@scripts.mit.edu -> foo
+# smtp_generic_map rewrites foo!scripts.mit.edu@[18.4.86.22] -> foo@scripts.mit.edu after the transport is selected
+# To override, put something in /etc/postfix/force_pool
+virtual_alias_domains = {% for vip in vips | rejectattr('type', 'defined') %}{% if (vip.codename|default(ansible_lsb.codename) == ansible_lsb.codename) %}!{{ vip.host }}, !{{ vip.host | replace('.mit.edu', '') }}, {% endif %}{% endfor %}!$myhostname, !localhost, pcre:/etc/postfix/force_pool, ldap:/etc/postfix/virtual-alias-domains-ldap.cf
+virtual_alias_maps = ldap:/etc/postfix/virtual-alias-maps-ldap-reserved.cf, ldap:/etc/postfix/virtual-alias-maps-ldap.cf, ldap:/etc/postfix/virtual-alias-maps-relay-ldap.cf, pipemap:{pcre:/etc/postfix/pass-scripts.mit.edu,ldap:/etc/postfix/virtual-alias-maps-relay-user-ldap.cf}, pipemap:{pcre:/etc/postfix/pass-scripts.mit.edu-suffix,ldap:/etc/postfix/virtual-alias-maps-relay-user-suffix-ldap.cf}
+smtp_generic_maps = pcre:/etc/postfix/generic-strip-pool
+data_directory = /var/lib/postfix
+authorized_flush_users = fail
+authorized_mailq_users = /etc/postfix/mailq_users
+authorized_submit_users = !ldap:/etc/postfix/authorized-submit-users-ldap.cf, static:all
+non_smtpd_milters = unix:/run/spamass-milter/postfix/sock
+# "all" is the default, but if we do not specify it, Fedora's packaging
+# will add the wrong value here.
+inet_protocols = all
+# note: as of 21 Oct 2015, our IPv6 addresses do not have rDNS and are rejected by Gmail
+smtp_address_preference = ipv4
+smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination
diff --git a/ansible/roles/real-postfix/templates/postfix/authorized-submit-users-ldap.cf.j2 b/ansible/roles/real-postfix/templates/postfix/authorized-submit-users-ldap.cf.j2
new file mode 100644
index 00000000..18a12ab2
--- /dev/null
+++ b/ansible/roles/real-postfix/templates/postfix/authorized-submit-users-ldap.cf.j2
@@ -0,0 +1,7 @@
+# N.B. If this /does/ match, the user is /blocked/.
+server_host = {{ ldap_server }}
+search_base = ou=People,dc=scripts,dc=mit,dc=edu
+query_filter = (&(objectClass=posixAccount)(uid=%s)(scriptsBlockMailSubmit=TRUE))
+result_attribute = uid
+bind = no
+version = 3
diff --git a/server/fedora/config/etc/postfix/mailbox-command-maps-ldap.cf b/ansible/roles/real-postfix/templates/postfix/mailbox-command-maps-ldap.cf.j2
similarity index 73%
rename from server/fedora/config/etc/postfix/mailbox-command-maps-ldap.cf
rename to ansible/roles/real-postfix/templates/postfix/mailbox-command-maps-ldap.cf.j2
index 6cc9dc02..a83ad2dc 100644
--- a/server/fedora/config/etc/postfix/mailbox-command-maps-ldap.cf
+++ b/ansible/roles/real-postfix/templates/postfix/mailbox-command-maps-ldap.cf.j2
@@ -1,4 +1,4 @@
-server_host = ldapi://%2fvar%2frun%2fslapd-scripts.socket/
+server_host = {{ ldap_server }}
 search_base = ou=People,dc=scripts,dc=mit,dc=edu
 query_filter = (&(objectClass=posixAccount)(uid=%s))
 result_attribute = scriptsMailboxCommand
diff --git a/server/fedora/config/etc/postfix/virtual-alias-domains-ldap.cf b/ansible/roles/real-postfix/templates/postfix/virtual-alias-domains-ldap.cf.j2
similarity index 85%
rename from server/fedora/config/etc/postfix/virtual-alias-domains-ldap.cf
rename to ansible/roles/real-postfix/templates/postfix/virtual-alias-domains-ldap.cf.j2
index ca211045..507ee7dd 100644
--- a/server/fedora/config/etc/postfix/virtual-alias-domains-ldap.cf
+++ b/ansible/roles/real-postfix/templates/postfix/virtual-alias-domains-ldap.cf.j2
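Review bot: `server_host = {{ ldap_server }}` together with `bind = no` and no `start_tls` / `tls_require_cert` settings means that if `ldap_server` is ever set to an `ldap://` network URI instead of the ldapi socket the old hard-coded value used, every lookup in this map (including the `%s` usernames substituted into `query_filter`) crosses the network in clear text against an unauthenticated server. Either document in the template that `ldap_server` must remain an `ldapi://` URI, or add `start_tls = yes` and `tls_require_cert = yes` conditioned on the scheme; the same applies to the mailbox-command map in this hunk and to the virtual-alias-domains, virtual-alias-maps-ldap and the three relay templates later in the diff. It would also help to say next to `# N.B. If this /does/ match, the user is /blocked/.` that main.cf negates the result via `!ldap:` in `authorized_submit_users`, so the two sides stay in sync when someone edits one of them.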
@@ -11,9 +11,9 @@
 # value we were queried with (the domain whose mail we host). Protocol
 # version 3 is necessary to use ldapi.
-server_host = ldapi://%2fvar%2frun%2fslapd-scripts.socket/
+server_host = {{ ldap_server }}
 search_base = ou=VirtualHosts,dc=scripts,dc=mit,dc=edu
-query_filter = (&(objectClass=scriptsVhost)(|(scriptsVhostName=%s)(scriptsVhostAlias=%s))(!(scriptsVhostName=scripts.mit.edu)))
+query_filter = (&(objectClass=scriptsVhost)(|(scriptsVhostName=%s)(scriptsVhostAlias=%s))(!(scriptsVhostName=scripts.mit.edu))(|{% for ip in ansible_all_ipv4_addresses %}(scriptsVhostPoolIPv4={{ip}}){% endfor %}))
 result_attribute = scriptsVhostName
 result_format = %S
 bind = no
diff --git a/server/fedora/config/etc/postfix/virtual-alias-maps-ldap-reserved.cf b/ansible/roles/real-postfix/templates/postfix/virtual-alias-maps-ldap-reserved.cf.j2
similarity index 82%
rename from server/fedora/config/etc/postfix/virtual-alias-maps-ldap-reserved.cf
rename to ansible/roles/real-postfix/templates/postfix/virtual-alias-maps-ldap-reserved.cf.j2
index f93fa6ca..995d018e 100644
--- a/server/fedora/config/etc/postfix/virtual-alias-maps-ldap-reserved.cf
+++ b/ansible/roles/real-postfix/templates/postfix/virtual-alias-maps-ldap-reserved.cf.j2
@@ -1,4 +1,4 @@
-server_host = ldapi://%2fvar%2frun%2fslapd-scripts.socket/
+server_host = {{ ldap_server }}
 search_base = ou=VirtualHosts,dc=scripts,dc=mit,dc=edu
 query_filter = (&(objectClass=scriptsVhost)(|(scriptsVhostName=%d)(scriptsVhostAlias=%d))(!(scriptsVhostName=scripts.mit.edu))(scriptsReservedMail=%u))
 result_attribute = scriptsVhostName
diff --git a/server/fedora/config/etc/postfix/virtual-alias-maps-ldap.cf b/ansible/roles/real-postfix/templates/postfix/virtual-alias-maps-ldap.cf.j2
similarity index 81%
rename from server/fedora/config/etc/postfix/virtual-alias-maps-ldap.cf
rename to ansible/roles/real-postfix/templates/postfix/virtual-alias-maps-ldap.cf.j2
index 56c5973d..c333df92 100644
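Review bot: The new `(|{% for ip in ansible_all_ipv4_addresses %}(scriptsVhostPoolIPv4={{ip}}){% endfor %})` clause renders as the bare `(|)` when the fact list is empty (facts gathered without networking, or a play with `gather_facts` off), which depending on the LDAP library is either a filter parse error or the RFC 4526 absolute-false filter; either way no vhost matches on this pool, and in the relay templates the negated form `(!(|))` becomes always-true, so every vhost would appear to live on another pool. Guard the rendering, e.g. wrap the loop in `{% if ansible_all_ipv4_addresses %}...{% endif %}` or `assert` a non-empty list in the role's tasks before templating these files. The same construction is used in virtual-alias-maps-ldap.cf.j2, virtual-alias-maps-relay-ldap.cf.j2 and both virtual-alias-maps-relay-user templates further down. The explanatory comment at the top of this file (partly outside the hunk) should also mention that the pool filter keys on all IPv4 addresses of the host, not just the service VIPs.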
--- a/server/fedora/config/etc/postfix/virtual-alias-maps-ldap.cf
+++ b/ansible/roles/real-postfix/templates/postfix/virtual-alias-maps-ldap.cf.j2
@@ -12,11 +12,11 @@
 # name of the locker that owns the vhost. Protocol version 3 is
 # necessary to use ldapi.
-server_host = ldapi://%2fvar%2frun%2fslapd-scripts.socket/
+server_host = {{ ldap_server }}
 search_base = ou=VirtualHosts,dc=scripts,dc=mit,dc=edu
-query_filter = (&(objectClass=scriptsVhost)(|(scriptsVhostName=%d)(scriptsVhostAlias=%d))(!(scriptsVhostName=scripts.mit.edu)))
+query_filter = (&(objectClass=scriptsVhost)(|(scriptsVhostName=%d)(scriptsVhostAlias=%d))(!(scriptsVhostName=scripts.mit.edu))(|{% for ip in ansible_all_ipv4_addresses %}(scriptsVhostPoolIPv4={{ip}}){% endfor %}))
 result_attribute = uid
-result_format = %s+%U
+result_format = %s+%U@localhost
 bind = no
 version = 3
diff --git a/ansible/roles/real-postfix/templates/postfix/virtual-alias-maps-relay-ldap.cf.j2 b/ansible/roles/real-postfix/templates/postfix/virtual-alias-maps-relay-ldap.cf.j2
new file mode 100644
index 00000000..408f72db
--- /dev/null
+++ b/ansible/roles/real-postfix/templates/postfix/virtual-alias-maps-relay-ldap.cf.j2
@@ -0,0 +1,11 @@
+# Check if the vhost is served from another pool; if so, we relay to
+# that pool's IP. This is also used as a relay_domains map to tell
+# Postfix it's a relay domain.
+
+server_host = {{ ldap_server }}
+search_base = ou=VirtualHosts,dc=scripts,dc=mit,dc=edu
+query_filter = (&(objectClass=scriptsVhost)(|(scriptsVhostName=%d)(scriptsVhostAlias=%d))(!(scriptsVhostName=scripts.mit.edu))(!(|{% for ip in ansible_all_ipv4_addresses %}(scriptsVhostPoolIPv4={{ip}}){% endfor %})))
+result_attribute = scriptsVhostPoolIPv4
+result_format = %U!%D@[%s]
+bind = no
+version = 3
diff --git a/ansible/roles/real-postfix/templates/postfix/virtual-alias-maps-relay-user-ldap.cf.j2 b/ansible/roles/real-postfix/templates/postfix/virtual-alias-maps-relay-user-ldap.cf.j2
new file mode 100644
index 00000000..2c7c90b4
--- /dev/null
+++ b/ansible/roles/real-postfix/templates/postfix/virtual-alias-maps-relay-user-ldap.cf.j2
@@ -0,0 +1,10 @@
+# Check if the user's vhost is served from another pool; if so, we
+# relay to that pool's IP.
+
+server_host = {{ ldap_server }}
+search_base = ou=VirtualHosts,dc=scripts,dc=mit,dc=edu
+query_filter = (&(objectClass=scriptsVhost)(scriptsVhostName=%u.scripts.mit.edu)(!(|{% for ip in ansible_all_ipv4_addresses %}(scriptsVhostPoolIPv4={{ip}}){% endfor %})))
+result_attribute = scriptsVhostPoolIPv4
+result_format = %U!scripts.mit.edu@[%s]
+bind = no
+version = 3
diff --git a/ansible/roles/real-postfix/templates/postfix/virtual-alias-maps-relay-user-suffix-ldap.cf.j2 b/ansible/roles/real-postfix/templates/postfix/virtual-alias-maps-relay-user-suffix-ldap.cf.j2
new file mode 100644
index 00000000..eb9df9c5
--- /dev/null
+++ b/ansible/roles/real-postfix/templates/postfix/virtual-alias-maps-relay-user-suffix-ldap.cf.j2
@@ -0,0 +1,11 @@
+# Check if the user's vhost is served from another pool; if so, we
+# relay to that pool's IP. This lookup handles user@+suffix as the
+# input (transformed by pass-scripts.mit.edu-suffix).
+
+server_host = {{ ldap_server }}
+search_base = ou=VirtualHosts,dc=scripts,dc=mit,dc=edu
+query_filter = (&(objectClass=scriptsVhost)(scriptsVhostName=%u.scripts.mit.edu)(!(|{% for ip in ansible_all_ipv4_addresses %}(scriptsVhostPoolIPv4={{ip}}){% endfor %})))
+result_attribute = scriptsVhostPoolIPv4
+result_format = %U%D!scripts.mit.edu@[%s]
+bind = no
+version = 3
\ No newline at end of file
diff --git a/ansible/roles/real-postfix/templates/root-procmailrc.j2 b/ansible/roles/real-postfix/templates/root-procmailrc.j2
new file mode 100644
index 00000000..a3b222be
--- /dev/null
+++ b/ansible/roles/real-postfix/templates/root-procmailrc.j2
@@ -0,0 +1,4 @@
+:0
+! {% for maintainer in maintainers|rejectattr('root_mail', 'none') -%}
+{{ maintainer.root_mail|default(maintainer.username + '@mit.edu') }}{{ '' if loop.last else ', ' }}
+{%- endfor %}
\ No newline at end of file
diff --git a/ansible/roles/real-spheroids/files/blacklist.txt b/ansible/roles/real-spheroids/files/blacklist.txt
new file mode 100644
index 00000000..3e1ae2e8
--- /dev/null
+++ b/ansible/roles/real-spheroids/files/blacklist.txt
@@ -0,0 +1,5 @@
+php-pecl-uopz
+php-libvirt
+php-libguestfs
+python2-basemap
+python2-fedora
diff --git a/ansible/roles/real-spheroids/files/erlang.txt b/ansible/roles/real-spheroids/files/erlang.txt
new file mode 100644
index 00000000..c94a58ab
--- /dev/null
+++ b/ansible/roles/real-spheroids/files/erlang.txt
@@ -0,0 +1,14 @@
+elixir
+erlang-asn1
+erlang-compiler
+erlang-crypto
+erlang-erts
+erlang-hipe
+erlang-inets
+erlang-kernel
+erlang-mnesia
+erlang-public_key
+erlang-runtime_tools
+erlang-ssl
+erlang-stdlib
+erlang-syntax_tools
diff --git a/ansible/roles/real-spheroids/files/ghc.txt b/ansible/roles/real-spheroids/files/ghc.txt
new file mode 100644
index 00000000..4bb34a6f
--- /dev/null
+++ b/ansible/roles/real-spheroids/files/ghc.txt
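Review bot: The interplay of `rejectattr('root_mail', 'none')` and `default(maintainer.username + '@mit.edu')` encodes a three-way rule that nothing in the template states: a maintainer with `root_mail` explicitly null is dropped from the forward list, one with no `root_mail` key at all gets `username@mit.edu`, and one with a value gets that value verbatim. Since this decides who receives root's mail for the whole pool, put that rule in a Jinja comment above the `:0` line, e.g. `{# root_mail: null opts a maintainer out; absent -> username@mit.edu; set -> used as-is #}`. The `-%}` / `{%-` trimming is what keeps the addresses on the single `!` line, which is also worth one clause in that comment, since removing a dash silently breaks the recipe.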
@@ -0,0 +1,125 @@ +cabal-rpm +haskell-platform +ghc +ghc-Cabal-devel +ghc-GLURaw +ghc-GLURaw-devel +ghc-GLUT +ghc-GLUT-devel +ghc-HTTP +ghc-HTTP-devel +ghc-HUnit +ghc-HUnit-devel +ghc-MissingH +ghc-MonadCatchIO-mtl +ghc-MonadCatchIO-mtl-devel +ghc-OpenGL +ghc-OpenGL-devel +ghc-OpenGLRaw +ghc-OpenGLRaw-devel +ghc-QuickCheck +ghc-QuickCheck-devel +ghc-aeson +ghc-array-devel +ghc-async +ghc-async-devel +ghc-attoparsec +ghc-attoparsec-devel +ghc-base-unicode-symbols +ghc-base64-bytestring +ghc-binary-devel +ghc-blaze-builder +ghc-blaze-html +ghc-blaze-markup +ghc-bytestring-devel +ghc-case-insensitive +ghc-case-insensitive-devel +ghc-conduit +ghc-containers-devel +ghc-data-default +ghc-dataenc +ghc-deepseq-devel +ghc-digest +ghc-directory-devel +ghc-dlist +ghc-extensible-exceptions +ghc-extensible-exceptions-devel +ghc-fgl +ghc-fgl-devel +ghc-filepath-devel +ghc-ghc-devel +ghc-hashable +ghc-hashable-devel +ghc-haskell-src +ghc-haskell-src-devel +ghc-highlighting-kate +ghc-hpc-devel +ghc-hs-bibutils +ghc-hslogger +ghc-hslua +ghc-html +ghc-html-devel +ghc-json +ghc-libraries +ghc-lifted-base +ghc-mmap +ghc-mmorph +ghc-monad-control +ghc-mtl-devel +ghc-network +ghc-network-devel +ghc-old-locale +ghc-old-locale-devel +ghc-old-time +ghc-old-time-devel +ghc-pandoc +ghc-pandoc-types +ghc-parallel +ghc-parallel-devel +ghc-parsec-devel +ghc-pcre-light +ghc-pretty-devel +ghc-primitive +ghc-primitive-devel +ghc-process-devel +ghc-random +ghc-random-devel +ghc-regex-base +ghc-regex-base-devel +ghc-regex-compat +ghc-regex-compat-devel +ghc-regex-posix +ghc-regex-posix-devel +ghc-resourcet +ghc-rpm-macros +ghc-scientific +ghc-semigroups +ghc-setenv +ghc-split +ghc-split-devel +ghc-stm-devel +ghc-syb +ghc-syb-devel +ghc-tagsoup +ghc-tar +ghc-template-haskell-devel +ghc-temporary +ghc-texmath +ghc-text-devel +ghc-time-devel +ghc-transformers-base +ghc-transformers-devel +ghc-unix-devel +ghc-unordered-containers +ghc-unordered-containers-devel +ghc-utf8-string +ghc-utf8-string-devel 
+ghc-vector +ghc-vector-devel +ghc-void +ghc-xhtml-devel +ghc-xml +ghc-yaml +ghc-zip-archive +ghc-zlib +ghc-zlib-devel diff --git a/ansible/roles/real-spheroids/files/java.txt b/ansible/roles/real-spheroids/files/java.txt new file mode 100644 index 00000000..2be4580e --- /dev/null +++ b/ansible/roles/real-spheroids/files/java.txt @@ -0,0 +1,32 @@ +antlr3-java +apache-commons-cli +apache-commons-lang +apache-commons-logging +avalon-framework +avalon-logkit +bouncycastle +bouncycastle-mail +ecj +eclipse-equinox-osgi +geronimo-jms +graphviz-java +itext +itext-core +jansi +jansi-native +java_cup +javamail +javapackages-tools +javassist +jline +log4j +objectweb-asm +rhino +scala +slf4j +stringtemplate +stringtemplate4 +xalan-j2 +xbean +xml-commons-apis +xml-commons-resolver diff --git a/ansible/roles/real-spheroids/files/libraries.txt b/ansible/roles/real-spheroids/files/libraries.txt new file mode 100644 index 00000000..9ffecb27 --- /dev/null +++ b/ansible/roles/real-spheroids/files/libraries.txt 
@@ -0,0 +1,128 @@ +Xaw3d +aqbanking +atkmm +atlas +audiofile +bibutils-libs +bison +boost +boost-atomic +boost-chrono +boost-context +boost-date-time +boost-devel +boost-filesystem +boost-graph +boost-iostreams +boost-locale +boost-log +boost-math +boost-program-options +boost-random +boost-serialization +boost-test +boost-thread +boost-timer +boost-wave +botan +bwidget +byacc +cairomm +cal10n +celt051 +check +clearsilver +cln +cloog +clucene-core +compat-libgfortran-41 +compat-libstdc++-33 +compat-readline5 +cryptopp +cyrus-sasl-scram +dyninst +exempi +exiv2 +exiv2-libs +fftw +fftw-libs +fftw-libs-long +fftw-libs-quad +fftw-libs-single +fftw2 +flex +fltk +ftplib +gammu-libs +gcc-gfortran +gcr +ginac +glib +gmime +gnutls-c++ +gperftools-libs +gwenhywfar +ibus-libs +icu +imlib2 +imsettings-libs +inchi +iniparser +ivykis +jemalloc +lcms +ldns +lensfun +leveldb +libbsd +libcgroup +libdaemon +libdwarf +libgadu +libical +libiodbc +libkate +libmodplug +libmp4v2 +libofx +liboil +libopenraw +libosinfo +libplist +libpng12 +libpst-libs +libpurple +libteam +libwmf +libwpd +libx86 +link-grammar +loudmouth +lzo-minilzo +meanwhile +mhash +mozldap +neon +openjpeg-libs +ots-libs +pakchois +pangomm +paps-libs +phonon +plplot-libs +ppl +qimageblitz +qrupdate +schroedinger +shapelib +slv2 +speex +t1lib +taglib +unique +unique3 +ustr +xalan-c +xml-security-c +xmlsec1-gcrypt +xmlsec1-gnutls diff --git a/ansible/roles/real-spheroids/files/mono.txt b/ansible/roles/real-spheroids/files/mono.txt new file mode 100644 index 00000000..6548f30a --- /dev/null +++ b/ansible/roles/real-spheroids/files/mono.txt @@ -0,0 +1,12 @@ +gmime-sharp +graphviz-sharp +mono-addins +mono-core +mono-data +mono-data-sqlite +mono-extras +mono-mvc +mono-wcf +mono-web +mono-winfx +monodoc diff --git a/ansible/roles/real-spheroids/files/nodejs.txt b/ansible/roles/real-spheroids/files/nodejs.txt new file mode 100644 index 00000000..53c4615e --- /dev/null +++ b/ansible/roles/real-spheroids/files/nodejs.txt 
@@ -0,0 +1,66 @@ +node-gyp +nodejs-abbrev +nodejs-ansi +nodejs-archy +nodejs-asn1 +nodejs-assert-plus +nodejs-async +nodejs-aws-sign +nodejs-block-stream +nodejs-boom +nodejs-child-process-close +nodejs-chmodr +nodejs-chownr +nodejs-cmd-shim +nodejs-combined-stream +nodejs-config-chain +nodejs-cookie-jar +nodejs-couch-login +nodejs-cryptiles +nodejs-ctype +nodejs-delayed-stream +nodejs-editor +nodejs-forever-agent +nodejs-form-data +nodejs-fstream +nodejs-fstream-ignore +nodejs-fstream-npm +nodejs-github-url-from-git +nodejs-glob +nodejs-graceful-fs +nodejs-hawk +nodejs-hoek +nodejs-http-signature +nodejs-inherits +nodejs-ini +nodejs-json-stringify-safe +nodejs-lockfile +nodejs-lru-cache +nodejs-mime +nodejs-minimatch +nodejs-mkdirp +nodejs-mute-stream +nodejs-node-uuid +nodejs-nopt +nodejs-npm-user-validate +nodejs-npmlog +nodejs-oauth-sign +nodejs-once +nodejs-opener +nodejs-osenv +nodejs-promzard +nodejs-proto-list +nodejs-qs +nodejs-read +nodejs-request +nodejs-retry +nodejs-rimraf +nodejs-semver +nodejs-sha +nodejs-sigmund +nodejs-slide +nodejs-sntp +nodejs-tar +nodejs-tunnel-agent +nodejs-uid-number +nodejs-which diff --git a/ansible/roles/real-spheroids/files/perl.txt b/ansible/roles/real-spheroids/files/perl.txt new file mode 100644 index 00000000..3a50fc64 --- /dev/null +++ b/ansible/roles/real-spheroids/files/perl.txt 
@@ -0,0 +1,623 @@ +Algorithm::C3 +Algorithm::Dependency +Algorithm::Diff +Any::Moose +AnyEvent +AnyEvent::AIO +AnyEvent::BDB +Apache::LogFormat::Compiler +Apache::LogRegex +Apache::Session +App::Nopaste +AppConfig +Archive::Extract +Archive::Tar +Archive::Zip +Array::Compare +Async::MergePoint +Authen::SASL +AutoXS::Header +B::Hooks::EndOfScope +B::Keywords +B::Lint +B::Utils +BDB +BSD::Resource +BerkeleyDB +Bit::Vector +Browser::Open +Business::ISBN +Business::ISBN::Data +CGI +CGI::Compile +CGI::Emulate::PSGI +CGI::Fast +CGI::FastTemplate +CGI::FormBuilder +CGI::Session +CGI::Simple +CPAN +CPAN::DistnameInfo +CPAN::Meta +CPAN::Meta::Requirements +CPAN::Meta::YAML +CPANPLUS +CPANPLUS::Dist::Build +CSS::Squish +Cache +Cache::Cache +Cache::FastMmap +Cache::Memcached +Cache::Simple::TimedExpiry +Carp +Carp::Assert +Carp::Clan +Catalyst::Plugin::ConfigLoader +Catalyst::Plugin::Session +Catalyst::Plugin::Session::State::Cookie +Catalyst::Plugin::Session::Store::FastMmap +Catalyst::Plugin::Static::Simple +Catalyst::Runtime +Catalyst::View::TT +Class::Accessor +Class::Accessor::Chained +Class::Accessor::Grouped +Class::Autouse +Class::Base +Class::C3 +Class::C3::Adopt::NEXT +Class::C3::Componentised +Class::C3::XS +Class::Data::Inheritable +Class::ErrorHandler +Class::Factory::Util +Class::ISA +Class::Inspector +Class::Load +Class::MakeMethods +Class::Method::Modifiers +Class::MethodMaker +Class::ReturnValue +Class::Singleton +Class::Trigger +Class::WhiteHole +Class::XSAccessor +ClearSilver +Clipboard +Clone +Compress::Bzip2 +Compress::Raw::Bzip2 +Compress::Raw::Zlib +Compress::Zlib +Config::Any +Config::General +Config::GitLike +Config::INI +Config::IniFiles +Config::Record +Config::Tiny +Context::Preserve +Convert::ASN1 +Convert::BinHex +Convert::UUlib +Coro +Crypt::Blowfish +Crypt::CBC +Crypt::DES +Crypt::DH +Crypt::OpenSSL::Bignum +Crypt::OpenSSL::RSA +Crypt::OpenSSL::Random +Crypt::PasswdMD5 +Crypt::RC4 +Crypt::Rijndael +Crypt::SSLeay +Curses +DBD::CSV +DBD::Pg 
+DBD::SQLite +DBD::SQLite2 +DBD::mysql +DBI +DBIx::Class +DBIx::ContextualFetch +DBIx::DBSchema +DBIx::SearchBuilder +DBIx::Simple +DB_File +Danga::Socket +Data::Buffer +Data::Compare +Data::Dump +Data::Dump::Streamer +Data::Dumper +Data::Dumper::Concise +Data::ObjectDriver +Data::OptList +Data::Page +Data::Peek +Data::Section +Data::Stream::Bulk +Data::Visitor +Date::Calc +Date::Manip +Date::Parse +Date::Simple +DateTime +DateTime::Format::Builder +DateTime::Format::DateManip +DateTime::Format::Flexible +DateTime::Format::HTTP +DateTime::Format::ISO8601 +DateTime::Format::MySQL +DateTime::Format::Natural +DateTime::Format::Strptime +DateTime::Locale +DateTime::TimeZone +DateTimeX::Easy +Devel::Caller +Devel::CheckLib +Devel::Cover +Devel::Cycle +Devel::GlobalDestruction +Devel::LexAlias +Devel::PartialDump +Devel::REPL +Devel::StackTrace +Devel::StackTrace::AsHTML +Devel::Symdump +Digest +Digest::BubbleBabble +Digest::HMAC +Digest::MD2 +Digest::MD4 +Digest::MD5 +Digest::MD5::File +Digest::Nilsimsa +Digest::Perl::MD5 +Digest::SHA +Digest::SHA1 +Dist::CheckConflicts +EV +Email::Abstract +Email::Address +Email::Date +Email::Date::Format +Email::MIME +Email::MIME::ContentType +Email::MIME::Encodings +Email::MessageID +Email::Send +Email::Sender +Email::Simple +Email::Valid +Encode +Encode::Detect +Encode::Locale +Env +Error +Eval::Closure +Event +Event::Lib +Expect +Expect::Simple +Exporter +Exporter::Lite +ExtUtils::AutoInstall +ExtUtils::CBuilder +ExtUtils::Depends +ExtUtils::Embed +ExtUtils::Install +ExtUtils::MakeMaker +ExtUtils::Manifest +ExtUtils::ParseXS +ExtUtils::PkgConfig +FCGI +Feed::Find +File::BaseDir +File::CheckTree +File::Copy::Recursive +File::DesktopEntry +File::FcntlLock +File::Fetch +File::Find::Rule +File::HomeDir +File::Listing +File::MMagic +File::Map +File::MimeInfo +File::Modified +File::NCopy +File::NFSLock +File::Next +File::Path +File::Remove +File::ShareDir +File::Slurp +File::Spec +File::Tail +File::Temp +File::Which +File::chdir 
+File::chmod +File::pushd +FileHandle::Unget +Filter::Util::Exec +Font::AFM +FreezeThaw +Future +GD +GD::Barcode +GD::Text +GSSAPI +Gearman::Client +Getopt::Long +Getopt::Long::Descriptive +Git +Git::SVN +Glib +GnuPG::Interface +GraphViz +Guard +HTML::FillInForm +HTML::Form +HTML::Formatter +HTML::Lint +HTML::Parser +HTML::Scrubber +HTML::TableExtract +HTML::Tagset +HTML::Template +HTML::Tree +HTML::TreeBuilder::XPath +HTTP::Body +HTTP::Cookies +HTTP::Daemon +HTTP::Date +HTTP::Message +HTTP::Negotiate +HTTP::Request::AsCGI +HTTP::Server::Simple +HTTP::Tiny +Hash::Merge +Hash::MultiValue +Heap +IO::AIO +IO::Async +IO::HTML +IO::Interactive +IO::Multiplex +IO::Pipely +IO::Socket::INET6 +IO::Socket::IP +IO::Socket::SSL +IO::String +IO::Stringy +IO::Tty +IO::Zlib +IPC::Cmd +IPC::Run +IPC::Run3 +IPC::ShareLite +IPC::SharedCache +Ima::DBI +Image::Base +Image::Info +Image::Magick +Image::Xbm +Image::Xpm +Import::Into +Inline +JSON +JSON::Any +JSON::PP +JSON::XS +Jcode +LWP +LWP::MediaTypes +LWP::Protocol::https +LWP::UserAgent::Determined +Lexical::Persistence +Lingua::EN::Inflect +Lingua::EN::Inflect::Number +Linux::Pid +List::AllUtils +List::MoreUtils +List::Util +Locale::Codes +Locale::Maketext +Locale::Maketext::Fuzzy +Locale::Maketext::Lexicon +Locale::Maketext::Simple +Locale::Util +Locale::gettext +LockFile::Simple +Log::Dispatch +Log::Dispatch::FileRotate +Log::Log4perl +Log::Message +Log::Message::Simple +MIME::Lite +MIME::Tools +MIME::Types +MRO::Compat +Mail::Alias +Mail::Box +Mail::Box::Parser::C +Mail::DKIM +Mail::IMAPClient +Mail::RFC822::Address +Mail::SPF +Mail::Sender +Mail::Sendmail +Mail::Transport::Dbx +Mail::Util +Math::BigInt::GMP +Math::Random::ISAAC +Math::Round +Mixin::Linewise +Module::Build +Module::Compile +Module::CoreList +Module::Find +Module::Implementation +Module::Install +Module::Load +Module::Load::Conditional +Module::Loaded +Module::Metadata +Module::Pluggable +Module::Pluggable::Ordered +Module::Refresh +Module::Runtime 
+Module::ScanDeps +Module::Signature +Module::Versions::Report +Moo +MooX::Types::MooseLike +Moose +MooseX::AttributeHelpers +MooseX::ClassAttribute +MooseX::Emulate::Class::Accessor::Fast +MooseX::Getopt +MooseX::MethodAttributes +MooseX::Object::Pluggable +MooseX::Role::Parameterized +MooseX::Role::WithOverloading +MooseX::StrictConstructor +MooseX::Types +MooseX::Types::Common +MooseX::Types::DateTime +MooseX::Types::DateTime::ButMaintained +MooseX::Types::DateTime::MoreCoercions +MooseX::Types::DateTimeX +MooseX::Types::LoadableClass +Mouse +Mozilla::CA +Mozilla::LDAP::API +NKF +Net::Amazon::S3 +Net::CIDR +Net::CIDR::Lite +Net::DNS +Net::Daemon +Net::HTTP +Net::IP +Net::IP::CMatch +Net::LDAP +Net::LibIDN +Net::Patricia +Net::SMTP::SSL +Net::SNMP +Net::SSH +Net::SSLeay +Net::Server +NetAddr::IP +Number::Compare +OLE::Storage_Lite +Object::Accessor +Object::MultiType +Object::Realize::Later +Object::Signature +Olson::Abbreviations +OpenGL +PAR::Dist +PDL +POE +POSIX::strftime::Compiler +PPI +Package::Constants +Package::DeprecationManager +Package::Generator +Package::Stash +Package::Stash::XS +Package::Variant +PadWalker +Parallel::Iterator +Params::Check +Params::Util +Params::Validate +Parse::CPAN::Meta +Parse::RecDescent +Parse::Yapp +Path::Class +Perl::OSType +PerlIO::Layers +PerlIO::gzip +Plack +Plack::Middleware::ReverseProxy +Plack::Test +Plack::Test::ExternalServer +Pod::Checker +Pod::Coverage +Pod::Escapes +Pod::LaTeX +Pod::POM +Pod::Parser +Pod::Perldoc +Pod::Plainer +Pod::Simple +Pod::Tests +Pod::Text +Pod::Usage +Prima +Probe::Perl +RPC::XML +RRDp +RRDs +Razor2::Client::Agent +Readonly +Readonly::XS +Regexp::Common +Return::Value +Role::Tiny +Rose::Object +SGMLS +SNMP_Session +SOAP::Lite +SOAP::Transport::TCP +SQL::Abstract +SQL::Statement +SQL::Translator +Safe::Isa +Scope::Guard +Sendmail::PMilter +Socket +Socket6 +Software::License +Spreadsheet::ParseExcel +Spreadsheet::WriteExcel +Storable +Stream::Buffered +String::CRC32 +String::RewritePrefix 
+Sub::Exporter +Sub::Exporter::Progressive +Sub::Identify +Sub::Install +Sub::Name +Sub::Override +Sub::Uplevel +Sys::CPU +Sys::Hostname::Long +Sys::MemInfo +Sys::SigAction +Sys::Syscall +Sys::Syslog +Task::Weaken +TeX::Hyphen +Template +Template::Timer +Term::ProgressBar +Term::ProgressBar::Quiet +Term::ProgressBar::Simple +Term::ReadKey +Term::Size::Any +Term::Size::Perl +Term::UI +Test::ClassAPI +Test::Deep +Test::Differences +Test::Exception +Test::Fatal +Test::HTTP::Server::Simple +Test::Harness +Test::LongString +Test::Manifest +Test::MockObject +Test::NoWarnings +Test::Pod::Coverage +Test::Refcount +Test::Requires +Test::Script +Test::SharedFork +Test::Simple +Test::TCP +Test::Taint +Test::Tester +Test::Warn +Test::use::ok +Text::Autoformat +Text::CSV +Text::CSV_XS +Text::Diff +Text::Glob +Text::Haml +Text::Iconv +Text::Kakasi +Text::Markdown +Text::ParseWords +Text::RecordParser +Text::Reform +Text::SimpleTable +Text::Soundex +Text::TabularDisplay +Text::Template +Text::Unidecode +Thread::Queue +Throwable +Tie::IxHash +Tie::ToObject +Time::Duration +Time::Duration::Parse +Time::HiRes +Time::Local +Time::ParseDate +Time::Piece +Time::Piece::MySQL +Tk +Tree::DAG_Node +Tree::Simple +Tree::Simple::VisitorFactory +Try::Tiny +UNIVERSAL::isa +UNIVERSAL::require +URI +URI::Fetch +Unicode::Map +Unicode::Map8 +Unicode::String +Unix::Statgrab +Unix::Syslog +User::Identity +Variable::Magic +Version::Requirements +WWW::Curl +WWW::Mechanize +WWW::Pastebin::PastebinCom::Create +WWW::RobotRules +Want +XML::Atom +XML::DOM +XML::Filter::BufferText +XML::LibXML +XML::LibXSLT +XML::NamespaceSupport +XML::Parser +XML::RegExp +XML::SAX +XML::SAX::Base +XML::SAX::Writer +XML::Simple +XML::Smart +XML::Twig +XML::Writer +XML::XPath +XML::XPathEngine +YAML +YAML::LibYAML +YAML::Syck +YAML::Tiny +aliased +autodie +boolean +common::sense +constant +gv +namespace::autoclean +namespace::clean +parent +strictures +threads +threads::shared +version 
diff --git a/ansible/roles/real-spheroids/files/php.txt b/ansible/roles/real-spheroids/files/php.txt new file mode 100644 index 00000000..cc50416e --- /dev/null +++ b/ansible/roles/real-spheroids/files/php.txt 
@@ -0,0 +1,148 @@
+graphviz-php
+mlt-php
+php-Smarty
+php-adodb
+php-ast
+php-bcmath
+php-common
+php-dba
+php-devel
+php-enchant
+php-facedetect
+php-gd
+php-geos
+php-gmp
+php-horde-horde-lz4
+php-imap
+php-interbase
+php-intl
+php-json
+php-ldap
+php-maxminddb
+php-mbstring
+php-ming
+php-mysqlnd
+php-odbc
+php-opcache
+php-pdo
+php-pdo-dblib
+php-pear
+php-pear-Auth-OpenID
+php-pear-Auth-RADIUS
+php-pear-Auth-SASL
+php-pear-Auth-Yubico
+php-pear-CAS
+php-pear-Cache-Lite
+php-pear-CodeGen
+php-pear-CodeGen-PECL
+php-pear-Console-CommandLine
+php-pear-Console-Getargs
+php-pear-Console-Table
+php-pear-Crypt-Blowfish
+php-pear-Crypt-CHAP
+php-pear-DB
+php-pear-Date
+php-pear-Date-Holidays
+php-pear-Date-Holidays-USA
+php-pear-File-Find
+php-pear-File-Fstab
+php-pear-File-Passwd
+php-pear-HTML-Template-IT
+php-pear-HTTP-OAuth
+php-pear-HTTP-Request
+php-pear-HTTP-Request2
+php-pear-Image-Text
+php-pear-Log
+php-pear-MDB2
+php-pear-MDB2-Driver-mysqli
+php-pear-MDB2-Driver-pgsql
+php-pear-MDB2-Schema
+php-pear-Mail
+php-pear-Mail-Mime
+php-pear-Mail-mimeDecode
+php-pear-Net-Curl
+php-pear-Net-DNS2
+php-pear-Net-IDNA2
+php-pear-Net-IMAP
+php-pear-Net-LDAP2
+php-pear-Net-SMTP
+php-pear-Net-Sieve
+php-pear-Net-Socket
+php-pear-Net-URL
+php-pear-Net-URL2
+php-pear-Numbers-Words
+php-pear-OLE
+php-pear-PEAR-Command-Packaging
+php-pear-PHP-CodeSniffer
+php-pear-PhpDocumentor
+php-pear-Text-CAPTCHA
+php-pear-Text-Diff
+php-pear-Text-Figlet
+php-pear-Text-Password
+php-pear-XML-Parser
+php-pear-XML-SVG
+php-pear-XML-Serializer
+php-pear-crypt-gpg
+php-pear-math-biginteger
+php-pear-phing
+php-pecl-amqp
+php-pecl-apcu
+php-pecl-apcu-bc
+php-pecl-apfd
+php-pecl-couchbase2
+php-pecl-dio
+php-pecl-ds
+php-pecl-event
+php-pecl-fann
+php-pecl-gearman
+php-pecl-geoip
+php-pecl-http
+php-pecl-igbinary
+php-pecl-imagick
+php-pecl-inotify
+php-pecl-json-post
+php-pecl-krb5
+php-pecl-lzf
+php-pecl-mailparse
+php-pecl-mcrypt
+php-pecl-memcache
+php-pecl-memcached
+php-pecl-mongodb
+php-pecl-msgpack
+php-pecl-oauth
+php-pecl-pcov
+php-pecl-pq
+php-pecl-propro
+php-pecl-psr
+php-pecl-radius
+php-pecl-raphf
+php-pecl-redis5
+php-pecl-rrd
+php-pecl-selinux
+php-pecl-solr2
+php-pecl-ssdeep
+php-pecl-ssh2
+php-pecl-timecop
+php-pecl-uuid
+php-pecl-xattr
+php-pecl-xdebug
+php-pecl-xmldiff
+php-pecl-yac
+php-pecl-yaml
+php-pecl-zip
+php-pgsql
+php-phpiredis
+php-process
+php-pspell
+php-recode
+php-redland
+php-smbclient
+php-snmp
+php-soap
+php-sodium
+php-tidy
+php-xml
+php-xmlrpc
+php-zmq
+php-zstd
+remctl-php
diff --git a/ansible/roles/real-spheroids/files/python2-f29.txt b/ansible/roles/real-spheroids/files/python2-f29.txt
new file mode 100644
index 00000000..f3e6c6e6
--- /dev/null
+++ b/ansible/roles/real-spheroids/files/python2-f29.txt
@@ -0,0 +1,86 @@
+Pyrex
+TurboGears
+pyPdf
+python-pyblock
+python2-TurboGears2
+python2-adns
+python2-amara
+python2-backlash
+python2-beaker
+python2-biopython
+python2-bson
+python2-cerealizer
+python2-cherrypy2
+python2-clearsilver
+python2-clientform
+python2-cliff
+python2-cmd2
+python2-colorama
+python2-cpio
+python2-crank
+python2-cups
+python2-cvxopt
+python2-daap
+python2-decoratortools
+python2-dialog
+python2-django-tagging
+python2-durus
+python2-ecdsa
+python2-flask-login
+python2-gasp
+python2-greenlet
+python2-htmlgen
+python2-ipython
+python2-irclib
+python2-isprelink
+python2-kid
+python2-meld3
+python2-metar
+python2-mpd
+python2-myghty
+python2-openbabel
+python2-peak-rules
+python2-peak-util-addons
+python2-peak-util-assembler
+python2-peak-util-extremes
+python2-peak-util-symbols
+python2-pretty
+python2-protocols
+python2-pyglet
+python2-pyicu
+python2-pylons
+python2-pyspf
+python2-recaptcha-client
+python2-redland
+python2-repoze-tm2
+python2-repoze-what
+python2-repoze-what-plugins-sql
+python2-repoze-what-quickstart
+python2-repoze-who
+python2-repoze-who-friendlyform
+python2-repoze-who-plugins-sa
+python2-repoze-who-testutil
+python2-simplegeneric
+python2-simpy
+python2-slip
+python2-slip-dbus
+python2-slip-gtk
+python2-smbpasswd
+python2-soaplib
+python2-sprox
+python2-sssdconfig
+python2-tgcaptcha2
+python2-tgext-admin
+python2-tgext-crud
+python2-tgmochikit
+python2-toscawidgets
+python2-tre
+python2-turbocheetah
+python2-turbojson
+python2-turbokid
+python2-turbomail
+python2-tw-forms
+python2-unidecode
+python2-webpy
+python2-xlrd
+python2-xmltramp
diff --git a/ansible/roles/real-spheroids/files/python2.txt b/ansible/roles/real-spheroids/files/python2.txt
new file mode 100644
index 00000000..4497f4f8
--- /dev/null
+++ b/ansible/roles/real-spheroids/files/python2.txt
@@ -0,0 +1,215 @@
+bzr
+createrepo
+gyp
+hplip-libs
+pygobject2
+pykickstart
+pyliblzma
+pyorbit
+python-cephfs
+python-rbd
+python2-Cython
+python2-GeoIP
+python2-GnuPGInterface
+python2-IPy
+python2-Levenshtein
+python2-PyPDF2
+python2-alembic
+python2-babel
+python2-backports
+python2-backports-ssl_match_hostname
+python2-beautifulsoup
+python2-beautifulsoup4
+python2-bibtex
+python2-boto
+python2-bottle
+python2-bugzilla
+python2-bunch
+python2-cairo
+python2-cairosvg
+python2-cddb
+python2-chardet
+python2-cheetah
+python2-cherrypy
+python2-chm
+python2-configobj
+python2-coverage
+python2-cracklib
+python2-crypto
+python2-cssselect
+python2-daemon
+python2-dateutil
+python2-dbus
+python2-decorator
+python2-deltarpm
+python2-demjson
+python2-django1.11
+python2-dns
+python2-docutils
+python2-egenix-mx-base
+python2-elixir
+python2-enchant
+python2-enum
+python2-exif
+python2-eyed3
+python2-feedparser
+python2-flask
+python2-flask-sqlalchemy
+python2-flask-wtf
+python2-flickrapi
+python2-flup
+python2-formencode
+python2-fuse
+python2-gamin
+python2-gdata
+python2-genshi
+python2-gevent
+python2-gobject
+python2-googlevoice
+python2-gpg
+python2-graphviz
+python2-gstreamer
+python2-gstreamer1
+python2-hglib
+python2-html2text
+python2-html5lib
+python2-httplib2
+python2-igraph
+python2-iniparse
+python2-inotify
+python2-ipaddr
+python2-isodate
+python2-itsdangerous
+python2-jinja2
+python2-kajiki
+python2-kerberos
+python2-kitchen
+python2-krbv
+python2-koji
+python2-langtable
+python2-lcms
+python2-ldap
+python2-ldap3
+python2-libs
+python2-libuser
+python2-libxml2
+python2-lockfile
+python2-lxml
+python2-m2crypto
+python2-magic
+python2-mailer
+python2-mako
+python2-markdown
+python2-markdown2
+python2-markupsafe
+python2-matplotlib
+python2-mecab
+python2-mechanize
+python2-memcached
+python2-mglob
+python2-morbid
+python2-mpmath
+python2-musicbrainz2
+python2-mutagen
+python2-mysql
+python2-mysql-connector
+python2-netaddr
+python2-newt
+python2-nine
+python2-nltk
+python2-nose
+python2-numpy
+python2-openid
+python2-paramiko
+python2-paste
+python2-paste-deploy
+python2-paste-script
+python2-pexpect
+python2-pillow
+python2-pip
+python2-ply
+python2-policycoreutils
+python2-pp
+python2-prettytable
+python2-psutil
+python2-psycopg2
+python2-pyOpenSSL
+python2-pyasn1
+python2-pyasn1-modules
+python2-pycurl
+python2-pydns
+python2-pygments
+python2-pygresql
+python2-pyparsing
+python2-pyparted
+python2-pyserial
+python2-pysvn
+python2-pytz
+python2-pyxattr
+python2-pyxdg
+python2-pyyaml
+python2-qpid
+python2-rapi
+python2-rdflib
+python2-reportlab
+python2-repoze-lru
+python2-requests
+python2-routes
+python2-rpm
+python2-rra
+python2-rrdtool
+python2-rsa
+python2-scipy
+python2-setuptools
+python2-simplejson
+python2-simpletal
+python2-sip
+python2-six
+python2-speaklater
+python2-sphinx
+python2-sqlalchemy
+python2-sqlobject
+python2-stomper
+python2-subversion
+python2-suds
+python2-sympy
+python2-talloc
+python2-telepathy
+python2-tempita
+python2-textile
+python2-tidy
+python2-tools
+python2-tornado
+python2-tpg
+python2-transaction
+python2-tw2-core
+python2-tw2-forms
+python2-twisted
+python2-urlgrabber
+python2-urllib3
+python2-virtualenv
+python2-vobject
+python2-weberror
+python2-webhelpers
+python2-webob
+python2-webtest
+python2-werkzeug
+python2-which
+python2-wtforms
+python2-xlib
+python2-xmpp
+python2-zeitgeist
+python2-zmq
+python2-zope-event
+python2-zope-interface
+python2-zope-sqlalchemy
+python2-zsi
+pyzor
+rubber
+sos
+trac
+trac-bazaar-plugin
+trac-git-plugin
+trac-mercurial-plugin
+v8-devel
+wireshark-cli
diff --git a/ansible/roles/real-spheroids/files/python3-f30.txt b/ansible/roles/real-spheroids/files/python3-f30.txt
new file mode 100644
index 00000000..3215c158
--- /dev/null
+++ b/ansible/roles/real-spheroids/files/python3-f30.txt
@@ -0,0 +1,3 @@
+python3-tre
+python3-urlgrabber
+python3-minikerberos
diff --git a/ansible/roles/real-spheroids/files/python3.txt b/ansible/roles/real-spheroids/files/python3.txt
new file mode 100644
index 00000000..4410a05a
--- /dev/null
+++ b/ansible/roles/real-spheroids/files/python3.txt
@@ -0,0 +1,256 @@
+libuser-python3
+python3-Cython
+python3-GeoIP
+python3-IPy
+python3-Levenshtein
+python3-PyMySQL
+python3-PyPDF2
+python3-TurboGears2
+python3-aiodns
+python3-alembic
+python3-babel
+python3-backlash
+python3-basemap
+python3-beaker
+python3-beautifulsoup4
+python3-biopython
+python3-boto
+python3-bottle
+python3-bson
+python3-bugzilla
+python3-cairo
+python3-cairosvg
+python3-cephfs
+python3-cerealizer
+python3-chameleon
+python3-chardet
+python3-cheetah
+python3-cherrypy
+python3-cliff
+python3-cmd2
+python3-colorama
+python3-configobj
+python3-coverage
+python3-cpio
+python3-crank
+python3-crypto
+python3-cssselect
+python3-cups
+python3-cvxopt
+python3-daemon
+python3-dateutil
+python3-dbus
+python3-decorator
+python3-deltarpm
+python3-demjson
+python3-dialog
+python3-django
+python3-django-ajax-selects
+python3-django-angular
+python3-django-angular-doc
+python3-django-annoying
+python3-django-appconf
+python3-django-authority
+python3-django-avatar
+python3-django-babel
+python3-django-compressor
+python3-django-contact-form
+python3-django-cors-headers
+python3-django-countries
+python3-django-crispy-forms
+python3-django-database-url
+python3-django-debreach
+python3-django-debug-toolbar
+python3-django-doc
+python3-django-filter
+python3-django-formtools
+python3-django-formtools-doc
+python3-django-jsonfield
+python3-django-macros
+python3-django-markdownx
+python3-django-nose
+python3-django-pipeline
+python3-django-post_office
+python3-django-pyscss
+python3-django-pytest
+python3-django-redis
+python3-django-registration
+python3-django-rest-framework
+python3-django-rest-framework-composed-permissions
+python3-django-reversion
+python3-django-robots
+python3-django-stopforumspam
+python3-django-tables2
+python3-django-tagging
+python3-django-tastypie
+python3-django-tinymce
+python3-djangoql
+python3-dns
+python3-docutils
+python3-ecdsa
+python3-enchant
+python3-exif
+python3-eyed3
+python3-fedora
+python3-feedparser
+python3-flask
+python3-flask-login
+python3-flask-sqlalchemy
+python3-flask-wtf
+python3-flickrapi
+python3-formencode
+python3-fuse
+python3-gearbox
+python3-genshi
+python3-gevent
+python3-gnupg
+python3-gobject
+python3-google-api-client
+python3-gpg
+python3-graphviz
+python3-greenlet
+python3-gstreamer1
+python3-hglib
+python3-html2text
+python3-html5lib
+python3-httplib2
+python3-igraph
+python3-iniparse
+python3-inotify
+python3-ipython
+python3-isodate
+python3-itsdangerous
+python3-jinja2
+python3-kajiki
+python3-kerberos
+python3-kickstart
+python3-kitchen
+python3-koji
+python3-langtable
+python3-ldap
+python3-ldap3
+python3-libs
+python3-libxml2
+python3-lockfile
+python3-lxml
+python3-m2crypto
+python3-magic
+python3-mailer
+python3-mako
+python3-markdown
+python3-markdown2
+python3-markupsafe
+python3-matplotlib
+python3-meld3
+python3-memcached
+python3-metar
+python3-mglob
+python3-migrate
+python3-mpd
+python3-mpmath
+python3-mutagen
+python3-mysql
+python3-nbxmpp
+python3-netaddr
+python3-newt
+python3-nine
+python3-nltk
+python3-nose
+python3-numpy
+python3-openbabel
+python3-openid
+python3-paramiko
+python3-paste
+python3-paste-deploy
+python3-paste-script
+python3-pexpect
+python3-pillow
+python3-pip
+python3-ply
+python3-policycoreutils
+python3-prettytable
+python3-psutil
+python3-psycopg2
+python3-pyOpenSSL
+python3-pyasn1
+python3-pyasn1-modules
+python3-pycurl
+python3-pyglet
+python3-pygments
+python3-pygresql
+python3-pyicu
+python3-pyparsing
+python3-pyparted
+python3-pyramid
+python3-pyramid-mako
+python3-pyramid-tm
+python3-pyserial
+python3-pyspf
+python3-pysvn
+python3-pytz
+python3-pyxattr
+python3-pyxdg
+python3-pyyaml
+python3-rados
+python3-rbd
+python3-rdflib
+python3-reportlab
+python3-repoze-lru
+python3-repoze-tm2
+python3-repoze-who
+python3-repoze-who-plugins-sa
+python3-requests
+python3-requests-kerberos
+python3-routes
+python3-rpm
+python3-rrdtool
+python3-rsa
+python3-scipy
+python3-setuptools
+python3-simplegeneric
+python3-simplejson
+python3-simpletal
+python3-simpy
+python3-sip
+python3-six
+python3-slip
+python3-slip-dbus
+python3-slixmpp
+python3-smbpasswd
+python3-speaklater
+python3-sphinx
+python3-sqlalchemy
+python3-sqlobject
+python3-sssdconfig
+python3-stomper
+python3-subvertpy
+python3-suds
+python3-sympy
+python3-talloc
+python3-tempita
+python3-textile
+python3-tidy
+python3-tornado
+python3-tpg
+python3-transaction
+python3-tw2-core
+python3-tw2-forms
+python3-tw2-jquery
+python3-twisted
+python3-unidecode
+python3-urllib3
+python3-virtualenv
+python3-vobject
+python3-webob
+python3-webpy
+python3-webtest
+python3-werkzeug
+python3-wtforms
+python3-xlib
+python3-xlrd
+python3-xmltramp
+python3-zmq
+python3-zope-event
+python3-zope-interface
+python3-zope-sqlalchemy
+pyzor
diff --git a/ansible/roles/real-spheroids/files/rubygem.txt b/ansible/roles/real-spheroids/files/rubygem.txt
new file mode 100644
index 00000000..93632a5c
--- /dev/null
+++ b/ansible/roles/real-spheroids/files/rubygem.txt
@@ -0,0 +1,93 @@
+abstract
+actionmailer
+actionpack
+activemodel
+activerecord
+activeresource
+activesupport
+arel
+atk
+atomic
+authlogic
+bigdecimal
+builder
+bundler
+cairo
+chunky_png
+coffee-script
+coffee-script-source
+dalli
+diff-lcs
+domain_name
+erubis
+execjs
+fssm
+gdk_pixbuf2
+gem2rpm
+gettext
+glib2
+gtk2
+haml
+highline
+hike
+hoe
+hpricot
+http-cookie
+i18n
+io-console
+journey
+json
+levenshtein
+listen
+locale
+mail
+mechanize
+mime-types
+minitest
+multi_json
+mysql2
+net-http-digest_auth
+net-http-persistent
+nokogiri
+pango
+polyglot
+psych
+rack
+rack-cache
+rack-protection
+rack-test
+rails
+rails-observers
+railties
+rake
+rdoc
+RedCloth
+rmagick
+rspec
+rspec-core
+rspec-expectations
+rspec-mocks
+rspec-rails
+ruby2ruby
+rubyforge
+RubyInline
+ruby_parser
+sass
+sexp_processor
+sinatra
+sprockets
+sprockets-rails
+sqlite3
+text
+text-format
+thor
+thread_safe
+tilt
+treetop
+tzinfo
+unf
+unf_ext
+uuidtools
+webrobots
+xml-simple
+ZenTest
diff --git a/ansible/roles/real-spheroids/files/utilities.txt b/ansible/roles/real-spheroids/files/utilities.txt
new file mode 100644
index 00000000..28bbb61d
--- /dev/null
+++ b/ansible/roles/real-spheroids/files/utilities.txt
@@ -0,0 +1,250 @@
+ImageMagick
+GraphicsMagick
+a2ps
+antlr-tool
+antlr3-tool
+apr-devel
+apr-util-devel
+aspell-en
+babel
+baekmuk-bdf-fonts
+baekmuk-ttf-batang-fonts
+baekmuk-ttf-dotum-fonts
+baekmuk-ttf-fonts-common
+baekmuk-ttf-gulim-fonts
+baekmuk-ttf-hline-fonts
+busybox
+cadaver
+catdoc
+chkrootkit
+cjkuni-ukai-fonts
+cjkuni-uming-fonts
+cmake
+colordiff
+crash
+createrepo
+cscope
+cvs
+darcs
+dash
+dejavu-lgc-sans-fonts
+dejavu-lgc-sans-mono-fonts
+dejavu-lgc-serif-fonts
+dejavu-serif-fonts
+diffstat
+docbook-dtds
+docbook-style-dsssl
+docbook-style-xsl
+docbook-utils
+docbook2X
+doxygen
+dsniff
+dump
+ebtables
+elinks
+emacs-rpm-spec-mode
+enca
+enscript
+epstool
+expect
+festival
+festival-lib
+festival-speechtools-libs
+festvox-slt-arctic-hts
+fetchmail
+finger
+flac
+fortune-mod
+frysk
+ftp
+gdb
+geoipupdate
+gnuplot
+graphviz-devil
+graphviz-gd
+graphviz-graphs
+graphviz-guile
+graphviz-ocaml
+graphviz-ruby
+graphviz-tcl
+groff
+groff-perl
+gstreamer-plugins-bad-free
+gstreamer-plugins-good
+guile
+gvfs
+highlight
+htdig
+html2ps
+htop
+iftop
+ikiwiki
+imake
+indent
+inotify-tools
+iotop
+iptraf-ng
+jhead
+jomolhari-fonts
+js
+kacst-fonts-common
+kacst-pen-fonts
+kasumi
+khmeros-base-fonts
+khmeros-fonts-common
+koji
+krb5-pkinit
+ksh
+kstart
+ksysguardd
+ldns-utils
+lftp
+liberation-sans-fonts
+liberation-serif-fonts
+libnl3-cli
+libproxy-bin
+librsvg2-tools
+libpst
+lighttpd
+lklug-fonts
+lohit-assamese-fonts
+lohit-bengali-fonts
+lohit-devanagari-fonts
+lohit-gujarati-fonts
+lohit-kannada-fonts
+lohit-malayalam-fonts
+lohit-tamil-fonts
+lohit-telugu-fonts
+lrzsz
+ltrace
+lua-expat
+lua-socket
+lynx
+lyx-fonts
+madan-fonts
+mecab-ipadic
+memtest86+
+mikmod
+minicom
+mlton
+monotone
+moreutils
+mosh
+mozldap-tools
+mpage
+mrtg
+msmtp
+mtools
+mutt
+ncdu
+ncurses-term
+netpbm-progs
+nmap
+numactl
+ocaml
+ocaml-camlp4
+ocaml-camlp5
+ocaml-compiler-libs
+ocaml-runtime
+octave
+openbabel
+openvpn
+pandoc
+paps
+passivetex
+patchutils
+pax
+pkcs11-helper
+plotutils
+po4a
+portreserve
+postgresql
+protobuf-compiler
+pstoedit
+psutils-perl
+pv
+qemu
+qemu-system-alpha
+qemu-system-arm
+qemu-system-cris
+qemu-system-lm32
+qemu-system-m68k
+qemu-system-microblaze
+qemu-system-mips
+qemu-system-moxie
+qemu-system-ppc
+qemu-system-s390x
+qemu-system-sh4
+qemu-system-sparc
+qemu-system-unicore32
+qemu-system-xtensa
+qemu-user
+qhull
+quvi
+raptor
+rcs
+rdist
+rlwrap
+rmt
+rpmlint
+rsh
+rss2email
+sazanami-gothic-fonts
+sazanami-mincho-fonts
+screen
+scsi-target-utils
+sdparm
+setserial
+sg3_utils
+siege
+sil-abyssinica-fonts
+sil-padauk-fonts
+sip
+slang-slsh
+slrn
+smc-meera-fonts
+smem
+smp_utils
+socat
+sparse
+spawn-fcgi
+statserial
+strace
+stunnel
+swig
+systemtap
+systemtap-client
+systemtap-runtime
+taipeifonts
+talk
+tcllib
+tcsh
+texinfo
+texinfo-tex
+thai-scalable-fonts-common
+thai-scalable-waree-fonts
+tmpwatch
+tmux
+transmission-cli
+ttmkfdir
+tulrich-tuffy-fonts
+ufraw
+unifdef
+units
+urlview
+uucp
+valgrind
+vlgothic-fonts
+vlgothic-p-fonts
+vorbis-tools
+w3m
+wireshark-cli
+wv
+xfsprogs
+xmlto
+xsp
+xz-lzma-compat
+yara
+yasm
+zbar
+zsh
diff --git a/ansible/roles/real-spheroids/tasks/main.yml b/ansible/roles/real-spheroids/tasks/main.yml
new file mode 100644
index 00000000..1e6c05a8
--- /dev/null
+++ b/ansible/roles/real-spheroids/tasks/main.yml
@@ -0,0 +1,157 @@
+---
+- name: Install Perl modules
+ dnf:
+ name: "{{ lookup('file', 'perl.txt').splitlines() | map('regex_replace', '^(.*)$', 'perl(\\1)') | list}}"
+ state: present
+- name: Install Ruby gems
+ dnf:
+ name: "{{ lookup('file', 'rubygem.txt').splitlines() | map('regex_replace', '^(.*)$', 'rubygem(\\1)') | list}}"
+ state: present
+- name: Install scripts-specific Ruby gems
+ dnf:
+ name:
+ - rubygem-fcgi
+ - rubygem-pony
+ state: present
+ ignore_errors: yes
+# TODO: Consider disabling PHP modules by default
+- name: Install PHP modules and libraries
+ dnf:
+ name: "{{ lookup('file', 'php.txt').splitlines() | list}}"
+ state: present
+- name: Install Python 2 libraries
+ dnf:
+ name: "{{ lookup('file', 'python2.txt').splitlines() | list}}"
+ state: present
+# TODO: Consider forward-porting missing Python packages
+- name: Configure F29 repos as a source for old packages
+ when: ansible_distribution_major_version|int >= 30
+ block:
+ - name: Configure F29 repos
+ copy:
+ dest: /etc/yum.repos.d/scripts-python2.repo
+ content: |
+ [scripts-f29]
+ name=Fedora 29 - $basearch
+ metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-29&arch=$basearch
+ enabled=0
+ metadata_expire=7d
+ repo_gpgcheck=0
+ type=rpm
+ gpgcheck=1
+ gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-29-$basearch
+ [scripts-f29-updates]
+ name=Fedora 29 - $basearch - Updates
+ metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-released-f29&arch=$basearch
+ enabled=0
+ repo_gpgcheck=0
+ type=rpm
+ gpgcheck=1
+ metadata_expire=6h
+ gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-29-$basearch
+ - set_fact: f29_repos=scripts-f29,scripts-f29-updates
+- name: Install Fedora 29 Python 2 libraries
+ dnf:
+ name: "{{ lookup('file', 'python2-f29.txt').splitlines() | list}}"
+ enablerepo: "{{ f29_repos | default('') }}"
+ state: present
+# TODO: Update Python libraries for F29/F30 python packaging, and change default to on.
+- name: Install scripts-specific Python 2 libraries
+ dnf:
+ name:
+ - python2-afs
+ - python2-hesiod
+ - python2-moira
+ - python2-zephyr
+ - python2-authkit
+ state: present
+ ignore_errors: yes
+- name: Install scripts-specific Python 3 libraries
+ dnf:
+ name:
+ - python3-afs
+ - python3-hesiod
+ - python3-moira
+ - python3-zephyr
+ state: present
+ ignore_errors: yes
+# TODO: Package flipflop and/or flup6 for Python 3 as replacements for flup
+# TODO: Package mechanize, MechnicalSoup, or robobrowser for Python 3
+- name: Install Python 3 libraries
+ dnf:
+ name: "{{ lookup('file', 'python3.txt').splitlines() | list}}"
+ state: present
+- name: Install Fedora 30+ Python 3 libraries
+ dnf:
+ name: "{{ lookup('file', 'python3-f30.txt').splitlines() | list}}"
+ state: present
+ when: ansible_distribution_major_version|int >= 30
+# TODO: Consider forward-porting Ruby gems rack-mount, rack-ssl, will_paginate
+# TODO: Consider updating Ruby gem compass to be installable
+- name: Install Glasgow Haskell Compiler
+ dnf:
+ name: "{{ lookup('file', 'ghc.txt').splitlines() | list}}"
+ state: present
+# TODO: Consider forward-porting Haskell libraries like ghc-cgi, ghc-editline, ghc-unix-handle
+- name: Install NodeJS
+ dnf:
+ name: "{{ lookup('file', 'nodejs.txt').splitlines() | list}}"
+ state: present
+- name: Install Go
+ dnf:
+ name:
+ - golang
+ state: present
+- name: Install Erlang
+ dnf:
+ name: "{{ lookup('file', 'erlang.txt').splitlines() | list}}"
+ state: present
+- name: Install texlive
+ dnf:
+ name:
+ - rubber
+ - texlive
+ - texlive-collection-xetex
+ - texlive-collection-luatex
+ - texlive-collection-context
+ - texlive-collection-binextra
+ - texlive-collection-pstricks
+ - texlive-collection-pictures
+ - texlive-collection-fontutils
+ - texlive-collection-fontsextra
+ - texlive-collection-mathscience
+ - texlive-collection-formatsextra
+ - texlive-collection-metapost
+ - tex-preview
+ state: present
+- name: Install C libraries
+ dnf:
+ name: "{{ 
lookup('file', 'libraries.txt').splitlines() | list}}"
+ state: present
+- name: Install Java
+ dnf:
+ name: "{{ lookup('file', 'java.txt').splitlines() | list}}"
+ state: present
+- name: Install Mono
+ dnf:
+ name: "{{ lookup('file', 'mono.txt').splitlines() | list}}"
+ state: present
+- name: Install utilities
+ dnf:
+ name: "{{ lookup('file', 'utilities.txt').splitlines() | list}}"
+ state: present
+- name: Install scripts development packages
+ dnf:
+ name:
+ - athena-aclocal
+ - openafs-authlibs-devel
+ - openafs-docs
+ state: present
+ ignore_errors: yes
+- name: Make sure packages in blacklist.txt are not present
+ dnf:
+ name: "{{ lookup('file', 'blacklist.txt').splitlines() | list}}"
+ autoremove: yes
+ disable_excludes: main
+ state: absent
+# TODO: Install all -devel packages for installed packages
diff --git a/ansible/roles/real-sshd/defaults/main.yml b/ansible/roles/real-sshd/defaults/main.yml
new file mode 100644
index 00000000..56c327b4
--- /dev/null
+++ b/ansible/roles/real-sshd/defaults/main.yml
@@ -0,0 +1 @@
+use_scripts_openssh: "{{ 'openssh-server' in scripts_packages }}"
diff --git a/server/fedora/config/etc/issue.net b/ansible/roles/real-sshd/files/issue.net
similarity index 100%
rename from server/fedora/config/etc/issue.net
rename to ansible/roles/real-sshd/files/issue.net
diff --git a/server/fedora/config/etc/issue.net.no_tkt b/ansible/roles/real-sshd/files/issue.net.no_tkt
similarity index 100%
rename from server/fedora/config/etc/issue.net.no_tkt
rename to ansible/roles/real-sshd/files/issue.net.no_tkt
diff --git a/server/fedora/config/etc/issue.net.no_user b/ansible/roles/real-sshd/files/issue.net.no_user
similarity index 100%
rename from server/fedora/config/etc/issue.net.no_user
rename to ansible/roles/real-sshd/files/issue.net.no_user
diff --git a/ansible/roles/real-sshd/files/ssh_config-scripts.conf b/ansible/roles/real-sshd/files/ssh_config-scripts.conf
new file mode 100644
index 00000000..013ea860
--- /dev/null
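Review bot: `ignore_errors: yes` on the scripts-specific Ruby gem, Python 2, Python 3 and development-package tasks swallows every failure of those tasks — transaction, dependency and GPG errors included — not only the "package not available" case the surrounding TODOs suggest it is meant to cover, so a host can finish the play with those packages silently missing. A narrower form is `failed_when` on the module result, or `skip_broken: yes` if the dnf module in use treats unmatched names as skippable; either way a comment next to each task should say which packages are expected to be absent and why. The F29 repo block also relies on `/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-29-$basearch` still being present on F30+ hosts; if it is not, dnf fails closed, which is the right failure, but a comment such as `# gpgcheck stays on: needs the F29 key from the host's fedora-gpg-keys package` would make the dependency explicit.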
+++ b/ansible/roles/real-sshd/files/ssh_config-scripts.conf
@@ -0,0 +1,9 @@
+EnableSSHKeysign yes
+PasswordAuthentication no
+HostbasedAuthentication yes
+Host *
+ GSSAPIAuthentication yes
+ ForwardX11Trusted yes
+ SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+ SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+ SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE
diff --git a/ansible/roles/real-sshd/meta/main.yml b/ansible/roles/real-sshd/meta/main.yml
new file mode 100644
index 00000000..33a17c3a
--- /dev/null
+++ b/ansible/roles/real-sshd/meta/main.yml
@@ -0,0 +1,2 @@
+dependencies:
+ - real-moira
diff --git a/ansible/roles/real-sshd/tasks/main.yml b/ansible/roles/real-sshd/tasks/main.yml
new file mode 100644
index 00000000..00728d3d
--- /dev/null
+++ b/ansible/roles/real-sshd/tasks/main.yml
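Review bot: `ForwardX11Trusted yes` under `Host *` makes every outbound X11 forward from these servers a trusted one, which lets the remote side bypass the X SECURITY extension and read or inject on the local display; on a host whose own sshd is configured with `X11Forwarding no` in the same commit it is unlikely that any client session needs this. Prefer `ForwardX11Trusted no`, or drop the line so the distribution default applies, and leave a one-line comment stating whether any destination actually relies on trusted forwarding. `HostbasedAuthentication yes` and `EnableSSHKeysign yes` are global here too; that is what the shosts.equiv trust between the real servers needs, but since the setting offers host-based auth to every destination a comment naming that use (e.g. `# host-based auth between scripts-real-prod hosts; see shosts.equiv`) would help the next reader.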
@@ -0,0 +1,79 @@
+---
+- name: Install scripts-patched OpenSSH
+ dnf:
+ name: scripts-openssh-server
+ state: present
+ when: use_scripts_openssh
+- name: Configure sshd to print helpful warnings
+ blockinfile:
+ path: /etc/pam.d/sshd
+ insertafter: "#%PAM-1.0"
+ block: |
+ # If their user exists (success),
+ auth [success=ignore ignore=ignore default=1] pam_succeed_if.so uid >= 0
+ # print the "You don't have tickets" error:
+ auth [success=die ignore=reset default=die] pam_echo.so file=/etc/issue.net.no_tkt
+ # else print the "your account doesn't exist" error:
+ auth [success=die ignore=reset default=die] pam_echo.so file=/etc/issue.net.no_user
+ # If they somehow slipped through, deny:
+ auth required pam_deny.so
+- name: Remove all other auth methods
+ replace:
+ path: /etc/pam.d/sshd
+ after: 'pam_deny.so'
+ regexp: '^(auth\s.+)$'
+ replace: '# \1'
+- name: Install /etc/issue.net*
+ copy:
+ dest: "/etc/{{ item }}"
+ src: "{{ item }}"
+ loop:
+ - issue.net
+ - issue.net.no_tkt
+ - issue.net.no_user
+- name: Configure sshd for scripts
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ regexp: '(?i)^#?\s*{{ item | regex_search("^(\S+)") }}\s'
+ line: "{{ item }}"
+ loop:
+ # "PasswordAuthentication no" and "GSSAPIAuthentication yes" comes from the k5login role
+ - ChallengeResponseAuthentication yes
+ - GSSAPICleanupCredentials yes
+ - GSSAPIStrictAcceptorCheck no
+ - GSSAPIKeyExchange yes
+ - X11Forwarding no
+ - Banner /etc/issue.net
+ - LogLevel VERBOSE
+ - MaxStartups 50:30:500
+ - AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT LC_IDENTIFICATION LC_ALL EDITOR VISUAL
+ # See trac #23
+ - HostbasedAuthentication yes
+ - IgnoreRhosts yes
+ - IgnoreUserKnownHosts yes
+ - DenyUsers {{ groups['scripts-real-prod'] | map('regex_replace', '^', 'root@') | join(' ') }}
+ - Match User !root,*
+ - ForceCommand /usr/local/bin/mbash
+
+ notify: reload ssh
+- name: Read ssh host keys
+ shell: 
"/bin/cat /etc/ssh/ssh_host_*_key.pub"
+ changed_when: no
+ check_mode: no
+ register: cat_host_keys
+- name: Generate ssh_known_hosts
+ # N.B. This assumes that all the scripts servers share a single host key.
+ vars:
+ ssh_host_keys: "{{ cat_host_keys.stdout_lines }}"
+ template:
+ dest: /etc/ssh/ssh_known_hosts
+ src: ssh_known_hosts.j2
+ when: use_moira
+- name: Generate shosts.equiv
+ template:
+ dest: /etc/ssh/shosts.equiv
+ src: shosts.equiv.j2
+- name: Configure ssh for scripts
+ copy:
+ dest: /etc/ssh/ssh_config.d/99-scripts.conf
+ src: ssh_config-scripts.conf
diff --git a/ansible/roles/real-sshd/templates/shosts.equiv.j2 b/ansible/roles/real-sshd/templates/shosts.equiv.j2
new file mode 100644
index 00000000..a496b3fb
--- /dev/null
+++ b/ansible/roles/real-sshd/templates/shosts.equiv.j2
@@ -0,0 +1,5 @@
+{% for host in groups['scripts-real-prod'] %}
+{{ host }}
+{{ hostvars[host].ip | default('') }}
+{{ hostvars[host].vlan461_address | default('') }}
+{% endfor %}
diff --git a/ansible/roles/real-sshd/templates/ssh_known_hosts.j2 b/ansible/roles/real-sshd/templates/ssh_known_hosts.j2
new file mode 100644
index 00000000..71937a4a
--- /dev/null
+++ b/ansible/roles/real-sshd/templates/ssh_known_hosts.j2
@@ -0,0 +1,7 @@
+{% for host in groups['scripts-real-prod'] %}
+{% set ghal = lookup('moira_ghal', host, include_short_names=True, include_cname=True) %}
+{% set ips = [hostvars[host].ip, hostvars[host].vlan461_address] | select("defined") | select | join(',') %}
+{% for key in ssh_host_keys %}
+{{ ghal }},{{ ips }} {{ key }}
+{% endfor %}
+{% endfor %}
\ No newline at end of file
diff --git a/ansible/roles/real-statoverride/action_plugins/remove_filecaps.py b/ansible/roles/real-statoverride/action_plugins/remove_filecaps.py
new file mode 100644
index 00000000..e0532ae2
--- /dev/null
+++ b/ansible/roles/real-statoverride/action_plugins/remove_filecaps.py
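Review bot: Managing `Match User !root,*` and `ForceCommand /usr/local/bin/mbash` through the same `lineinfile` loop as the global directives makes the resulting sshd_config depend on what the file already contains: `lineinfile` replaces the last line the regexp matches and otherwise appends at EOF, so if the existing file carries a commented example `Match` block (stock sshd_config files usually end with one), the `Match` and `ForceCommand` items rewrite those commented lines in place while directives appended earlier in the loop, such as `DenyUsers`, end up below the new `Match` line and apply only to non-root users. Any global directive that also appears inside that example block (`X11Forwarding` is the usual case) is likewise rewritten inside it, leaving the original global value in force. Keeping the two `Match`-scoped directives out of the loop and writing them with `blockinfile` anchored at EOF makes their position independent of the prior file contents; the rest of the loop stays as it is.
```yaml
# … unchanged: lineinfile loop, minus the "Match User !root,*" and "ForceCommand" items …
- name: Force non-root logins through mbash
  blockinfile:
    path: /etc/ssh/sshd_config
    insertafter: EOF
    marker: "# {mark} ANSIBLE MANAGED BLOCK: scripts Match"
    block: |
      Match User !root,*
        ForceCommand /usr/local/bin/mbash
  notify: reload ssh
```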
@@ -0,0 +1,27 @@
+# Make coding more python3-ish, this is required for contributions to Ansible
+from __future__ import (absolute_import, division, print_function)
+__metaclass__ = type
+
+from ansible.module_utils.six.moves import shlex_quote
+from ansible.plugins.action import ActionBase
+from datetime import datetime
+
+
+class ActionModule(ActionBase):
+ def run(self, tmp=None, task_vars=None):
+ result = super(ActionModule, self).run(tmp, task_vars)
+
+ path = self._task.args.get('path')
+
+ try:
+ getcap = self._low_level_execute_command(cmd='getcap %s' % shlex_quote(path))
+ # N.B. We don't check rc or stderr here, so missing files will be skipped.
+ if len(getcap['stdout']) > 0:
+ result['changed'] = True
+ if not self._play_context.check_mode:
+ result.update(self._low_level_execute_command(cmd='setcap -r %s' % shlex_quote(path)))
+ except AnsibleAction as e:
+ result.update(e.result)
+
+ return result
+
diff --git a/ansible/roles/real-statoverride/defaults/main.yml b/ansible/roles/real-statoverride/defaults/main.yml
new file mode 100644
index 00000000..2ae53b7b
--- /dev/null
+++ b/ansible/roles/real-statoverride/defaults/main.yml
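Review bot: `AnsibleAction` is referenced in the `except` clause at the bottom of `run()` but never imported, so any exception raised by `_low_level_execute_command` surfaces as a `NameError` instead of being folded into `result`; add `from ansible.errors import AnsibleAction` next to the other ansible imports. `from datetime import datetime` is unused and can be dropped. `path` comes from `.get('path')` and goes straight into `shlex_quote`, so a task that omits `path` fails with a `TypeError` deep in the plugin rather than a clear message; a guard such as `if not path: raise AnsibleActionFail("'path' is required")` (also from `ansible.errors`) ahead of the `try` would make the contract explicit. A short class docstring stating that a missing file, or one with no capabilities, is reported as unchanged — which is what the `len(getcap['stdout']) > 0` check relies on — would also help.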
@@ -0,0 +1,81 @@ +allowed_setugid: + - /usr/sbin/pam_timestamp_check + - /usr/sbin/unix_chkpwd + - /usr/bin/at + - /usr/bin/crontab + - /usr/bin/locate + - /usr/bin/screen + - /usr/bin/sudo + - /usr/libexec/openssh/ssh-keysign + - /usr/lib/polkit-1/polkit-agent-helper-1 + - /usr/libexec/utempter/utempter + - /usr/sbin/lockdev + - /usr/sbin/postdrop + - /usr/sbin/postqueue + - /usr/sbin/userhelper +allowed_filecaps: + - /usr/bin/ping + - /usr/bin/ping6 + - /usr/bin/systemd-detect-virt + - /usr/sbin/fping + - /usr/sbin/fping6 + - /usr/sbin/mtr-packet + - /usr/sbin/suexec +drop_setugid: + - /usr/bin/cgexec + - /usr/bin/fusermount + - /usr/bin/fusermount-glusterfs + - /usr/bin/mount + - /usr/bin/su + - /usr/bin/umount + - /usr/sbin/mount.nfs + - /usr/sbin/netreport + - /usr/bin/chage + - /usr/bin/chfn + - /usr/bin/chsh + - /usr/bin/gpasswd + - /usr/bin/lockfile + - /usr/bin/newgrp + - /usr/bin/newrole + - /usr/bin/passwd + - /usr/bin/rcp + - /usr/bin/rlogin + - /usr/bin/rsh + - /usr/bin/sperl5.10.1 + - /usr/bin/ssh-agent + - /usr/bin/wall + - /usr/bin/write + - /usr/bin/Xorg + - /usr/bin/ksu + - /usr/lib64/nspluginwrapper/plugin-config + - /usr/lib64/vte/gnome-pty-helper + - /usr/libexec/kde4/kpac_dhcp_helper + - /usr/sbin/ccreds_chkpwd + - /usr/sbin/userisdnctl + - /usr/sbin/usernetctl + - /usr/bin/pkexec + - /usr/sbin/mount.nfs + - /usr/sbin/netreport + - /usr/bin/ssh-agent + - /usr/bin/uustat + - /usr/bin/uucp + - /usr/bin/uux + - /usr/sbin/uuxqt + - /usr/sbin/uucico + - /usr/bin/uuname + - /usr/bin/cu + - /usr/libexec/qemu-bridge-helper + - /usr/sbin/grub2-set-bootflag + - /usr/libexec/abrt-action-install-debuginfo-to-abrt-cache + - /usr/sbin/mtr-packet # Note: mtr-packet keeps its filecaps +drop_filecaps: + - /usr/bin/newuidmap + - /usr/bin/newgidmap + - /usr/bin/rsh + - /usr/bin/rcp + - /usr/bin/gnome-keyring-daemon + - /usr/bin/newrole + - /usr/bin/rlogin + - /usr/libexec/pt_chown + - /usr/sbin/arping + - /usr/sbin/clockdiff 
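Review bot: `drop_setugid` lists `/usr/sbin/mount.nfs`, `/usr/sbin/netreport` and `/usr/bin/ssh-agent` twice each; drop the second occurrences. The duplicates are harmless to `chmod`, but the loop in tasks/main.yml runs the task twice per path and post-action.j2 renders two identical action lines for each, which makes the generated `drop-permissions.action` harder to audit.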
diff --git a/ansible/roles/real-statoverride/tasks/main.yml b/ansible/roles/real-statoverride/tasks/main.yml new file mode 100644 index 00000000..f9aa668b --- /dev/null +++ b/ansible/roles/real-statoverride/tasks/main.yml @@ -0,0 +1,49 @@ +--- +- name: Install post-transaction-actions plugin + dnf: name=python3-dnf-plugin-post-transaction-actions +- name: Ensure /etc/dnf/plugins/post-transaction-actions.d exists + file: + path: /etc/dnf/plugins/post-transaction-actions.d/ + state: directory +- name: Configure dnf to drop unneeded executable permissions + template: + src: post-action.j2 + dest: /etc/dnf/plugins/post-transaction-actions.d/drop-permissions.action +- name: Ensure /etc/scripts exists + file: + path: /etc/scripts/ + state: directory +- name: Install allowed-setugid.list + template: + src: list.j2 + dest: /etc/scripts/allowed-setugid.list + vars: + items: "{{ allowed_setugid }}" +- name: Install allowed-filecaps.list + template: + src: list.j2 + dest: /etc/scripts/allowed-filecaps.list + vars: + items: "{{ allowed_filecaps }}" +- name: Install cron job + copy: + dest: /etc/cron.d/scripts-check-statoverride + content: | + MAILTO=scripts-root@mit.edu + 23 5 * * * root find / -xdev -not -perm -o=x -prune -o -type f -perm /ug=s -print | grep -Fxvf /etc/scripts/allowed-setugid.list | grep -ve ^/var/lib/mock/ | sed 's/^/Extra set[ug]id binary: /' + 27 5 * * * root find / -xdev -not -perm -o=x -prune -o -type f -print0 | xargs -0r /usr/sbin/getcap | cut -d' ' -f1 | grep -Fxvf /etc/scripts/allowed-filecaps.list | grep -ve ^/var/lib/mock/ | sed 's/^/Extra file_caps binary: /' +- name: Remove setugid on existing files + file: + path: "{{ item }}" + mode: "ug-s" + failed_when: False + loop: "{{ drop_setugid }}" +- name: Remove file caps on existing files + remove_filecaps: + path: "{{ item }}" + loop: "{{ drop_filecaps }}" +- name: Disable grub-boot-success + systemd: + name: grub-boot-success.timer + masked: yes + scope: global 
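Review bot: Both audit cron jobs use `find / -xdev`, which stays on the root filesystem, so if `/usr`, `/var` or `/home` are separate mounts on these hosts any set[ug]id or file-capability binary there is never reported; either drop `-xdev` and prune the pseudo-filesystems explicitly (`-path /proc -prune -o -path /sys -prune -o ...`) or run one `find` per real mount point. The `.list` and `.action` files written by the `template` tasks get no explicit `mode`, so their permissions depend on the remote umask; `mode: '0644'` would make that deterministic.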
diff --git a/ansible/roles/real-statoverride/templates/list.j2 b/ansible/roles/real-statoverride/templates/list.j2 new file mode 100644 index 00000000..9c2b3f4d --- /dev/null +++ b/ansible/roles/real-statoverride/templates/list.j2 @@ -0,0 +1,3 @@ +{% for item in items %} +{{ item }} +{% endfor %} diff --git a/ansible/roles/real-statoverride/templates/post-action.j2 b/ansible/roles/real-statoverride/templates/post-action.j2 new file mode 100644 index 00000000..2286e6fc --- /dev/null +++ b/ansible/roles/real-statoverride/templates/post-action.j2 @@ -0,0 +1,6 @@ +{% for f in drop_setugid %} +{{f}}:in:chmod ug-s {{f}} +{% endfor %} +{% for f in drop_filecaps %} +{{f}}:in:setcap -r {{f}} +{% endfor %} diff --git a/ansible/roles/root-aliases/defaults/main.yml b/ansible/roles/root-aliases/defaults/main.yml new file mode 100644 index 00000000..60a6b572 --- /dev/null +++ b/ansible/roles/root-aliases/defaults/main.yml @@ -0,0 +1,2 @@ +--- +preferred_mta: "{{'exim4-daemon-light' if ansible_os_family == 'Debian' else 'postfix'}}" diff --git a/ansible/roles/root-aliases/tasks/main.yml b/ansible/roles/root-aliases/tasks/main.yml index 3021def1..be308603 100644 --- a/ansible/roles/root-aliases/tasks/main.yml +++ b/ansible/roles/root-aliases/tasks/main.yml @@ -1,3 +1,8 @@ +- name: Install MTA + package: + name: + - "{{ preferred_mta }}" + state: present - name: Update /etc/aliases lineinfile: path: /etc/aliases diff --git a/ansible/roles/sysctl/handlers/main.yml b/ansible/roles/sysctl/handlers/main.yml new file mode 100644 index 00000000..62132fbc --- /dev/null +++ b/ansible/roles/sysctl/handlers/main.yml @@ -0,0 +1,3 @@ +--- +- name: apply sysctl + service: name=systemd-sysctl state=restarted diff --git a/ansible/roles/syslog-client/tasks/main.yml b/ansible/roles/syslog-client/tasks/main.yml index ce5b6814..cc92dcf5 100644 --- a/ansible/roles/syslog-client/tasks/main.yml +++ b/ansible/roles/syslog-client/tasks/main.yml 
@@ -1,5 +1,15 @@ -- name: Install rsyslog-relp +- name: Install rsyslog-relp debian apt: name=rsyslog-relp state=present + when: ansible_os_family == "Debian" +- name: Install rsyslog-relp redhat + dnf: name=rsyslog-relp state=present + when: ansible_os_family == "RedHat" +- name: Increase max log length + copy: + dest: /etc/rsyslog.d/00-maxmessagesize.conf + content: | + $MaxMessageSize 64k + notify: restart rsyslog - name: Configure rsyslog copy: dest: /etc/rsyslog.d/scripts-syslog-client.conf diff --git a/ansible/roles/systemd-networkd/defaults/main.yml b/ansible/roles/systemd-networkd/defaults/main.yml new file mode 100644 index 00000000..4211ae93 --- /dev/null +++ b/ansible/roles/systemd-networkd/defaults/main.yml @@ -0,0 +1,3 @@ +--- +lo_extra: "" +vlan486_extra: "" diff --git a/ansible/roles/systemd-networkd/handlers/main.yml b/ansible/roles/systemd-networkd/handlers/main.yml new file mode 100644 index 00000000..20c1e3ff --- /dev/null +++ b/ansible/roles/systemd-networkd/handlers/main.yml @@ -0,0 +1,8 @@ +--- +- name: restart systemd-networkd + service: + name: systemd-networkd + state: restarted + notify: + - reconfigure munin-node + - setup diff --git a/ansible/roles/systemd-networkd/tasks/main.yml b/ansible/roles/systemd-networkd/tasks/main.yml new file mode 100644 index 00000000..6799d886 --- /dev/null +++ b/ansible/roles/systemd-networkd/tasks/main.yml 
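Review bot: `$MaxMessageSize 64k` only takes effect if rsyslog parses it before any input module is loaded; the stock `/etc/rsyslog.conf` on Debian and RedHat typically loads `imuxsock`/`imjournal` before it includes `/etc/rsyslog.d/*.conf`, in which case the `00-` prefix does not help and the limit silently stays at the default. Worth verifying on a target host and, if so, setting it in the main config above the module loads instead, e.g. `global(maxMessageSize="64k")`.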
@@ -0,0 +1,132 @@ +--- +- name: Remove network-scripts + dnf: + name: network-scripts + state: absent +- name: Remove NetworkManager + dnf: + name: NetworkManager + state: absent +- name: lo + block: + - copy: + dest: /etc/systemd/network/10-lo.network + content: | + [Match] + Name=lo + + [Address] + Address=127.0.0.1/8 + {{ lo_extra }} + notify: restart systemd-networkd +- name: vlan486 + block: + - when: vlan486_hwaddr is defined + copy: + dest: /etc/systemd/network/10-vlan486.link + content: | + [Match] + MACAddress={{vlan486_hwaddr}} + + [Link] + Description=Public (VLAN 486) + Name=vlan486 + notify: + - reboot + - network changed + - copy: + dest: /etc/systemd/network/10-vlan486.network + content: | + [Match] + MACAddress={{vlan486_hwaddr | default(ansible_default_ipv4.macaddress)}} + + [Network] + {% if vlan486_address is defined %} + Address={{vlan486_address}}/24 + + [Route] + Gateway=18.4.86.1 + {% else %} + DHCP=ipv4 + {% endif %} + + {{ vlan486_extra }} + notify: + - restart systemd-networkd + - network changed + - file: + path: /etc/systemd/network/10-vlan486.network.d/ + state: directory + - stat: + path: /etc/systemd/network/10-vlan486.network.d/dns.conf + register: dns_conf + - name: Configure temporary DNS servers + copy: + dest: /etc/systemd/network/10-vlan486.network.d/tempdns.conf + content: | + [Network] + {% for ip in mit_dns_servers %} + DNS={{ip}} + {% endfor %} + Domains=mit.edu + when: not dns_conf.stat.exists + notify: + - restart systemd-networkd + - network changed + - name: Remove network-scripts config file + file: + path: "{{item}}" + state: absent + loop: + - /etc/sysconfig/network-scripts/ifcfg-{{ansible_default_ipv4.interface}} + - /etc/sysconfig/network-scripts/ifcfg-eth0 + - /etc/sysconfig/network-scripts/ifcfg-vlan486 +- name: vlan461 + when: vlan461_address is defined and vlan461_hwaddr is defined + block: + - copy: + dest: /etc/systemd/network/10-vlan461.link + content: | + [Match] + MACAddress={{vlan461_hwaddr}} + + [Link] + 
Description=Backend (VLAN 461) + Name=vlan461 + notify: + - reboot + - network changed + - copy: + dest: /etc/systemd/network/10-vlan461.network + content: | + [Match] + Name=vlan461 + + [Address] + Address={{vlan461_address}}/24 + + {% for hostname in groups['sql'] + groups['scripts-real'] %} + {% with info = hostvars[hostname] %} + {% if info['vlan486_address'] | default(False) and info['vlan461_address'] | default(False) %} + [Route] + Destination={{ info['vlan486_address'] }} + Gateway={{ info['vlan461_address'] }} + {% endif %} + {% endwith %} + {% endfor %} + notify: + - restart systemd-networkd + - network changed + - name: Remove network-scripts config file + file: + path: "{{item}}" + state: absent + loop: + - /etc/sysconfig/network-scripts/ifcfg-eth1 + - /etc/sysconfig/network-scripts/ifcfg-vlan461 +- name: Start systemd-networkd + systemd: + name: systemd-networkd + state: started + enabled: yes + diff --git a/ansible/roles/tmpfiles/handlers/main.yml b/ansible/roles/tmpfiles/handlers/main.yml new file mode 100644 index 00000000..3e051e73 --- /dev/null +++ b/ansible/roles/tmpfiles/handlers/main.yml @@ -0,0 +1,3 @@ +--- +- name: create tmpfiles + command: systemd-tmpfiles --create diff --git a/ansible/scripts-directors-cib.yml b/ansible/scripts-directors-cib.yml index 9bd38783..3c5b91b2 100644 --- a/ansible/scripts-directors-cib.yml +++ b/ansible/scripts-directors-cib.yml 
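Review bot: `network-scripts` and `NetworkManager` are removed in the first two tasks, but systemd-networkd is only enabled and started in the last one, so a failure anywhere in between (a template error, an undefined `mit_dns_servers`) leaves the host with no network manager for its next boot. Moving the two `dnf: state: absent` tasks after "Start systemd-networkd" removes that window. The `DNS=`/`Domains=` lines in tempdns.conf are consumed by systemd-resolved only; unless another role enables it (`real-dns` is not visible here), networkd accepts the drop-in but `/etc/resolv.conf` does not change.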
@@ -65,9 +65,30 @@ register: new_cib changed_when: False - - name: Update CIB - command: crm cib commit {{ shadow_name }} + - name: Make changes when: old_cib.stdout_lines != new_cib.stdout_lines + block: + - name: Diff changes + shell: diff -u <(crm configure show) <(crm -c {{ shadow_name }} configure show) + args: + executable: /bin/bash + check_mode: no + changed_when: diff.rc + failed_when: no + register: diff + + - name: Simulate changes + command: crm -c {{ shadow_name }} configure simulate nograph + check_mode: no + register: simulate + changed_when: simulate.stdout + + - name: Print changes + debug: + var: "{'diff': diff.stdout_lines, 'simulate': simulate.stdout_lines}" + + - name: Update CIB + command: crm cib commit {{ shadow_name }} - name: Delete shadow CIB command: crm cib delete {{ shadow_name }} diff --git a/ansible/scripts-directors.yml b/ansible/scripts-directors.yml index 337c60b1..bceeb7f6 100644 --- a/ansible/scripts-directors.yml +++ b/ansible/scripts-directors.yml 
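Review bot: `failed_when: no` on "Diff changes" also swallows exit status 2 from `diff`, which is what it returns when either `crm configure show` invocation fails or a process substitution cannot be read, so a broken shadow CIB would still reach "Update CIB"; `failed_when: diff.rc > 1` keeps the intended "1 means differences" behaviour while surfacing real errors. `changed_when: simulate.stdout` treats any output as a change, including a warning banner from `crm`, so that step may report changed with an empty plan — minor, but worth a glance. The enclosing task list starts before this hunk.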
@@ -7,36 +7,30 @@ hwaddr: "{{ vlan486_hwaddr }}" cidr: "{{ vlan486_address }}/24" gateway: 18.4.86.1 - dns_nameservers: - - 18.0.70.160 - - 18.0.72.3 - - 18.0.71.151 + dns_nameservers: "{{ mit_dns_servers }}" dns_search: mit.edu pacemaker_corosync_ring_interface: vlan486 pacemaker_corosync_group: scripts-directors pre_tasks: - name: Install packages apt: - name: "{{ item }}" + name: + - open-vm-tools + - open-vm-tools-dkms + - resolvconf + - mlocate + - lighttpd + - lighttpd-mod-magnet + - pacemaker + - pacemaker-cli-utils + - crmsh + - ldirectord + - aptitude + - tcpdump + - tshark + - strace + - emacs-nox state: present - with_items: - - open-vm-tools - - open-vm-tools-dkms - - exim4-daemon-light - - resolvconf - - mlocate - - lighttpd - - lighttpd-mod-magnet - - nagios-nrpe-server - - pacemaker - - pacemaker-cli-utils - - crmsh - - ldirectord - - aptitude - - tcpdump - - tshark - - strace - - emacs-nox - systemd: name=ldirectord enabled=no - include_role: name=udev_rename_netiface - include_role: name=network_interface @@ -53,7 +47,9 @@ - ldirectord-status - lvs-iptables - lvs-lighttpd + - lvs-ldirectord - munin-node + - nrpe tasks: - name: Install munin cps plugin copy: @@ -81,11 +77,6 @@ [cps_3_0] env.graph_title Load balanced SMTP connections notify: restart munin-node - - name: Configure nrpe - copy: - dest: /etc/nagios/nrpe_local.cfg - src: files/nrpe_local.cfg - notify: restart nrpe - name: Load IPVS modules copy: dest: /etc/modules-load.d/lvs.conf @@ -111,6 +102,7 @@ content: | net.ipv4.ip_forward=1 net.ipv4.vs.expire_quiescent_template = 1 + net.ipv4.conf.all.accept_local = 1 notify: reload sysctl - name: "Install workaround for https://bugs.debian.org/808950" copy: @@ -133,10 +125,6 @@ vars: haveged_enabled: false pacemaker_enable_nodelist: false - - name: Configure ldirectord - copy: - dest: /etc/ha.d/ldirectord.cf - src: files/ldirectord.cf handlers: - name: load modules service: name=systemd-modules-load state=restarted 
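Review bot: `net.ipv4.conf.all.accept_local = 1` is added to the sysctl drop-in without a comment; it makes the kernel accept packets whose source address is one of the host's own addresses, which relaxes a source-validation check, so a `# needed for <reason>` line naming the LVS/director flow that requires it would save the next reader from removing it as an oversight. This is the hunk at `@@ -111,6 +102,7 @@`; the other hunks in this file only move packages and the nrpe/ldirectord configuration into roles.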
@@ -146,7 +134,5 @@ service: name=ipvsadm state=restarted - name: reboot include_tasks: reboot.yml - - name: restart nrpe - service: name=nagios-nrpe-server state=restarted - name: setup setup: diff --git a/ansible/scripts-proxy.yml b/ansible/scripts-proxy.yml new file mode 100644 index 00000000..d8cf95d5 --- /dev/null +++ b/ansible/scripts-proxy.yml @@ -0,0 +1,32 @@ +- hosts: scripts-proxy + serial: 1 + pre_tasks: + - include_role: + name: proxy-network + - name: Install packages + package: + name: + - open-vm-tools + state: present + roles: + - k5login + - syslog-client + - root-aliases + - munin-node + - nrpe + - proxy-dns + - proxy-haproxy + # TODO: Configure logrotate + tasks: + - package: + name: + - vim + - emacs-nox + state: present + handlers: + - name: reboot + include_tasks: reboot.yml + listen: network changed + - name: setup + setup: + listen: network changed diff --git a/ansible/scripts-real.yml b/ansible/scripts-real.yml new file mode 100644 index 00000000..c9ded6f2 --- /dev/null +++ b/ansible/scripts-real.yml 
@@ -0,0 +1,350 @@ +# TODO: Select and install miscellaneous packages +# TODO: Install credentials: + # /etc/krb5.keytab + # /etc/daemon.keytab (0400 afsagent:afsagent) + # /etc/signup.keytab (0400 signup:signup) + # /etc/dirsrv/keytab (0400 dirsrv:dirsrv) + # /etc/pki/tls/private/scripts*.key (0400 root:root) + # /etc/ssh/*_key{,.pub} +# Maybe: +# TODO: Consider installing a crontab for export-scripts-certs (currently in scripts locker's crontab) + +- hosts: scripts-real + serial: 1 + vars: + ldap_server: "{{ use_local_ldap | default(True) | ternary('ldapi://%2fvar%2frun%2fslapd-scripts.socket/', 'ldap://scripts-ldap.mit.edu/') }}" + ldap_server_tcp: "{{ use_local_ldap | default(True) | ternary('ldap://127.0.0.1/', 'ldap://scripts-ldap.mit.edu/') }}" + rpm_repos: + - key: scripts + name: Scripts + baseurl: https://web.mit.edu/scripts/yum-repos/rpm-fc{{ ansible_distribution_major_version }}/ + enabled: yes + - key: scripts-testing + name: Scripts Testing + baseurl: https://web.mit.edu/scripts/yum-repos/rpm-fc{{ ansible_distribution_major_version }}-testing/ + enabled: "{{ enable_testing_repo | default(False) }}" + preferred_mta: postfix + pre_tasks: + - name: Block Ansible on legacy realservers + assert: + that: + - ansible_distribution == "Fedora" and ansible_distribution_major_version|int >= 29 + - name: Remove stale packages + dnf: + name: + - fedora-obsolete-packages + - nfs-utils + autoremove: yes + disable_excludes: main + state: absent + - include_role: + name: real-network + - name: Configure dnf + block: + - name: Configure scripts RPM repos + copy: + dest: /etc/yum.repos.d/scripts.repo + content: | + {% for repo in rpm_repos %} + [{{ repo.key }}] + name={{ repo.name }} + baseurl={{ repo.baseurl }} + enabled={{ 1 if repo.enabled else 0 }} + gpgcheck=0 + {% endfor %} + - name: Configure dnf.conf + ini_file: + path: /etc/dnf/dnf.conf + section: main + option: "{{ item.option }}" + value: "{{ item.value }}" + loop: + - option: installonly_limit + value: 0 + - 
option: installonlypkgs + value: kernel kernel-devel kernel-modules kmod-openafs ghc-cgi ghc-cgi-devel + - option: excludepkgs + value: fedora-obsolete-packages php-fpm nfs-utils + roles: + - role: packages + tags: [always] + - role: syslog-client + when: syslog_client | default(True) + - mock + - sysctl + - tmpfiles + - real-statoverride + - real-munin-node + - real-dns + - real-hosts + - real-ntp + - role: real-ldap + tags: [ldap] + - real-k5login + - real-nrpe + - real-modprobe + - real-nsspam + - real-pki + - real-iptables + - real-sshd + - real-postfix + - real-afs + - real-php + - real-cron + - real-httpd + - real-logrotate + - real-logwatch + - role: real-spheroids + tags: [spheroids] + tasks: + - name: Editors + block: + - name: Install editors + dnf: + name: + - vim + - emacs-nox + state: present + - name: Disable viminfo + lineinfile: + path: /etc/vimrc + regexp: '^set viminfo=' + line: "set viminfo= \" don't keep a viminfo file" + - name: Install accountadm + dnf: + name: + - accountadm + state: present + when: use_accountadm | default('accountadm' in scripts_packages) + - name: execsys + when: use_execsys | default('execsys' in scripts_packages) + block: + - name: Install execsys + dnf: name=execsys state=present + - name: Enable execsys services + systemd: + name: "{{ item }}" + enabled: yes + state: started + loop: + - execsys-binfmt.service + - scripts-svn.socket + - scripts-git.socket + - scripts-local-smtp.socket + - name: Hesiod + block: + - name: Install hesiod + dnf: name=hesiod-devel state=present + when: use_hesiod | default('hesiod-devel' in scripts_packages) + - name: Configure hesiod + copy: + dest: /etc/hesiod.conf + content: | + rhs=.ATHENA.MIT.EDU + lhs=.ns + - name: Zephyr + when: use_zephyr | default('zephyr' in scripts_packages) + block: + - name: Install zephyr + dnf: + name: + - zephyr + - zephyr-devel + state: present + - name: Start zephyr + service: + name: zhm + enabled: yes + state: started + - name: autofs + when: use_autofs | 
default(ansible_distribution_major_version|int < 30 or 'autofs' in scripts_packages) + block: + - name: Install autofs + dnf: name={% if ansible_distribution_major_version|int >= 30 %}scripts-{% endif %}autofs state=present + - name: Configure autofs + copy: + dest: /etc/auto.master + content: | + /mit hesiod:hesiod + notify: reload autofs + - name: Enable autofs + service: + name: autofs + enabled: yes + state: started + - name: Configure sudoers + copy: + dest: /etc/sudoers.d/scripts + content: | + scripts ALL=(root) NOPASSWD: /usr/local/sbin/ldap-backup "" + scripts ALL=(root) NOPASSWD: /usr/local/sbin/get-homedirs "" + - name: Limit Java memory + lineinfile: + path: /etc/environment + line: JAVA_TOOL_OPTIONS="-Xmx128M -XX:MaxPermSize=64M" + regexp: '^JAVA_TOOL_OPTIONS=' + - name: Clean up kdump cores + copy: + dest: /etc/tmpfiles.d/scripts-crash.conf + content: | + d /var/crash 1755 root root 10d + notify: create tmpfiles + - name: Configure resource limits + copy: + dest: /etc/security/limits.d/scripts + content: | + # No limits for root + root - + scripts-build - + + # For everyone else, + * soft core 0 + * - rss 524268 + * - data 1048576 + * - as 1572864 + - name: Enable per-user logs + block: + - name: Configure journald to split logs + ini_file: + no_extra_spaces: yes + path: /etc/systemd/journald.conf + section: Journal + option: SplitMode + value: uid + notify: restart journald + - name: Configure systemd user sessions to not log startup messages + ini_file: + no_extra_spaces: yes + path: /etc/systemd/user.conf + section: Manager + option: LogLevel + value: notice + - name: grub + block: + - name: Configure grub + ini_file: + no_extra_spaces: yes + path: /etc/default/grub + section: null + option: "{{ item.option }}" + value: "\"{{ item.value }}\"" + loop: + - option: GRUB_CMDLINE_LINUX + value: "biosdevname=0 console=tty1 console=ttyS0 console=hvc0 rd.md=0 rd.lvm=0 rd.dm=0 rd.luks=0 crashkernel=128M" + - option: GRUB_TERMINAL + value: "serial console" + 
notify: regenerate grub + - name: Enable update e-mails + block: + - name: Install dnf-automatic + dnf: name=dnf-automatic state=present + - name: Configure dnf-automatic + ini_file: + path: /etc/dnf/automatic.conf + section: "{{ item.section }}" + option: "{{ item.option }}" + value: "{{ item.value }}" + loop: + - section: commands + option: download_updates + value: "True" + - section: commands + option: apply_updates + value: "False" + - section: emitters + option: emit_via + value: stdio, command_email + - section: command_email + option: email_from + value: root + - section: command_email + option: email_to + value: root + - name: Enable dnf-automatic + systemd: + name: dnf-automatic.timer + enabled: yes + state: started + - name: Configure reboot on {panic,oops,OOM} + copy: + dest: /etc/sysctl.d/99-scripts-reboot.conf + content: | + kernel.panic = 5 + kernel.panic_on_oops = 1 + vm.panic_on_oom = 1 + notify: apply sysctl + - name: Enable sysrq + copy: + dest: /etc/sysctl.d/99-scripts-sysrq.conf + content: | + kernel.sysrq = 1 + notify: apply sysctl + - name: Configure multihomed networking sysctls + copy: + dest: /etc/sysctl.d/99-scripts-networking.conf + content: | + net.ipv4.ip_forward = 1 + net.ipv4.tcp_syncookies = 1 + net.ipv4.conf.default.accept_source_route = 0 + net.ipv4.conf.default.arp_ignore = 1 + net.ipv4.conf.default.arp_announce = 2 + net.ipv4.conf.all.arp_ignore = 1 + net.ipv4.conf.all.arp_announce = 2 + net.ipv4.conf.all.rp_filter = 2 + net.ipv4.tcp_keepalive_time = 825 + notify: apply sysctl + - name: ClamAV + block: + - name: Install clamav + dnf: + name: + - clamav + - clamav-update + state: present + - name: sysstat + block: + - dnf: name=sysstat state=present + - name: Retain sysstat logs for 30 days + ini_file: + no_extra_spaces: yes + path: /etc/sysconfig/sysstat + section: null + option: "HISTORY" + value: "30" + - name: Install dotfiles + copy: + dest: /root/ + src: files/dotfiles/ + - name: athrun + dnf: name=athrun state=present + 
ignore_errors: yes + - name: discuss + dnf: + name: + - discuss + - discuss-emacs + state: present + ignore_errors: yes + - name: scripts-wizard + dnf: name=scripts-wizard state=present + ignore_errors: yes + - name: Disable rpcbind + systemd: + name: "{{ item }}" + enabled: no + state: stopped + loop: + - rpcbind.socket + - rpcbind.service + handlers: + - name: reload autofs + service: name=autofs state=reloaded + - name: restart journald + service: name=systemd-journald state=restarted + - name: regenerate grub + command: grub2-mkconfig -o /boot/grub2/grub.cfg + - name: reboot + reboot: + notify: setup + - name: setup + setup: diff --git a/ansible/scripts-syslog.yml b/ansible/scripts-syslog.yml index f5bdb33e..4cfa902f 100644 --- a/ansible/scripts-syslog.yml +++ b/ansible/scripts-syslog.yml @@ -4,22 +4,20 @@ - k5login - root-aliases tasks: - - name: Configure Kerberos - debconf: name=krb5-config question=krb5-config/default_realm vtype=string value=ATHENA.MIT.EDU - name: Configure Hesiod debconf: name=libhesiod0 question=hesiod/rhs vtype=string value=.athena.mit.edu - name: Install packages apt: - name: "{{ item }}" + name: + - open-vm-tools + - open-vm-tools-dkms + - rsyslog-relp + - libzephyr4-krb5 + - zephyr-clients + - aptitude + - vim + - emacs-nox state: present - with_items: - - open-vm-tools - - open-vm-tools-dkms - - rsyslog-relp - - exim4-daemon-light - - libzephyr4-krb5 - - zephyr-clients - - aptitude - name: Start zhm service: name=zhm state=started - name: Install zephyr-syslog diff --git a/host/credit-card/host.py b/host/credit-card/host.py index fe305291..024b496a 100644 --- a/host/credit-card/host.py +++ b/host/credit-card/host.py @@ -50,7 +50,6 @@ ('root', 0o600, 'etc/ssh/ssh_host_rsa_key'), ('root', 0o600, 'etc/pki/tls/private/scripts-1024.key'), ('root', 0o600, 'etc/pki/tls/private/scripts.key'), - ('root', 0o600, 'etc/whoisd-password'), ('afsagent', 0o600, 'etc/daemon.keytab'), ('root', 0o644, 'etc/ssh/ssh_host_dsa_key.pub'), 
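Review bot: The scripts RPM repos are written with `gpgcheck=0`, so packages from `web.mit.edu/scripts/yum-repos/` are installed on trust of TLS alone, and `dnf-automatic` (enabled further down with `download_updates = True`) fetches unsigned updates the same way; signing the repo and setting `gpgcheck=1` with a `gpgkey=` line, or at minimum a comment recording why checking is off, belongs in this task. The `/etc/sudoers.d/scripts` copy has no `validate: /usr/sbin/visudo -cf %s` and no `mode: '0440'`; a syntax error in that file disables sudo for every user on the host, and sudo refuses fragments whose mode or owner it does not accept.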
diff --git a/proxy/doc/install-howto b/proxy/doc/install-howto new file mode 100644 index 00000000..cb5bd9d2 --- /dev/null +++ b/proxy/doc/install-howto 
@@ -0,0 +1,92 @@ +https://boston-vcenter.mit.edu/ +Login +Second tab (looks like post-it notes) +Right-click on "Scripts" and choose "New virtual machine" +"Create a new virtual machine" -> Next +Fill in short hostname ("scripts-test-proxy-quentin-1") +Select directory for VM +Next +Select a host +Next +No change for storage +Next +No changes for compatibility +Next +Select "Linux" -> "Debian GNU/Linux 8 (64-bit)" +Next +CPU -> 2 +Memory -> 8 GB +New Hard disk -> 50 GB +New Network -> dvSIPB-486 +New CD/DVD Drive -> Datastore ISO file -> OC11-4-IST-UNITY-1-ALU013 -> install images -> debian-buster-20191112-mini.iso +New CD/DVD Drive -> check "Connect" +Next +Finish + +Select the new VM in the list if not already selected +Click the green play button in the toolbar +Summary -> Launch Web Console + +From here, it's a normal Debian install, here's what I chose + +Advanced options -> Expert install + +"Enter" repeatedly until "Auto configure networking?" +"Auto configure networking? -> No" (if you choose yes, you will get IPv6-only) +IP -> 18.4.86.75 +Netmask -> Enter +Gateway -> Enter +Nameserver addresses -> "18.0.70.160 18.0.71.151 18.0.72.3" -> Enter +Confirmation -> Enter +Link timeout -> Enter +Hostname -> "scripts-test-proxy-quentin-1.mit.edu" -> Enter + +Choose a mirror -> Enter +Mirror protocol -> Enter ("http" default) +Debian archive mirror country -> page up until top of list ("enter information manually") -> Enter +Debian archive mirror hostname -> "mirrors.mit.edu" -> Enter +Debian archive mirror directory -> Enter +Enter through remaining mirror questions + +Download installer components -> Enter + +Enter through passwords until +Set root password -> scripts-dev root password -> Enter -> confirm -> Enter +Create a normal user account now? 
-> No -> Enter + +Configure the clock - NTP server to use -> time.mit.edu -> Enter + +# XXX: Not sure what the best partitioning scheme is +Partition the disks -> Guided - use entire disk and set up LVM +Select the disk -> Enter +All files in one partition -> Enter +Write the changes to disk -> Yes -> Enter +Enter through partitioning +Write the changes to disk -> Yes -> Enter + +Enter through installing the base system +Use non-free software? -> Yes -> Enter +Enable source repos? -> Enter +Services to use -> Enter +No automatic updates -> Enter +Participate in the package usage survey -> Enter +Software selection -> UNselect "Debian desktop environment", UNselect "print server", select "SSH server" and "standard system utilities" -> Enter + +Install the GRUB bootloader -> Enter -> /dev/sda -> Enter +EFI removable media path? No -> Enter +Finish the installation -> Enter + +Installation complete -> Enter + +back to vSphere UI -> edit settings (tiny icon to the right of power button) -> uncheck "Connected" on CD/DVD drive 1 + +Back to console, log in as root + +apt install ansible git +# same as kickstart.txt +cd /srv +git clone -b ansible-realserver --recurse-submodules https://github.com/mit-scripts/scripts repository +ln -s /srv/repository/server/fedora/ansible-config-me.service /etc/systemd/system/ +systemctl daemon-reload +systemctl enable ansible-config-me +systemctl start ansible-config-me diff --git a/server/common/oursrc/accountadm/Makefile.in b/server/common/oursrc/accountadm/Makefile.in index 1ced0141..dd89d74e 100644 --- a/server/common/oursrc/accountadm/Makefile.in +++ b/server/common/oursrc/accountadm/Makefile.in @@ -9,7 +9,7 @@ sysconfdir = @sysconfdir@ all-local: admof -admof: LDLIBS = -lafsauthent_pic -lafsrpc_pic -lresolv -lkrb5 -lpthread -lk5crypto +admof: LDLIBS = -lrokenafs -lafshcrypto -lafsauthent_pic -lafsrpc_pic -lresolv -lkrb5 -lpthread -lk5crypto admof: admof.o install: 
diff --git a/server/common/oursrc/accountadm/admof.c b/server/common/oursrc/accountadm/admof.c index 52125423..c166a819 100644 --- a/server/common/oursrc/accountadm/admof.c +++ b/server/common/oursrc/accountadm/admof.c @@ -44,6 +44,14 @@ extern int pioctl(char *, afs_int32, struct ViceIoctl *, afs_int32); #define _STR(x) #x #define STR(x) _STR(x) +#ifndef MAX +#define MAX(x,y) ({ \ + typeof(x) _x = (x); \ + typeof(y) _y = (y); \ + (void) (&_x == &_y); \ + _x > _y ? _x : _y; }) +#endif + #define SYSADMINS "system:scripts-root" #define SYSADMIN_CELL "athena.mit.edu" diff --git a/server/common/oursrc/accountadm/get-homedirs b/server/common/oursrc/accountadm/get-homedirs index 89b5f67b..5410d793 100755 --- a/server/common/oursrc/accountadm/get-homedirs +++ b/server/common/oursrc/accountadm/get-homedirs @@ -2,5 +2,5 @@ # Run this as root on scripts. -/usr/bin/ldapsearch -LLL -z 0 -b ou=People,dc=scripts,dc=mit,dc=edu -s one -x -D 'cn=Directory Manager' -y /etc/signup-ldap-pw 'objectClass=posixAccount' cn homeDirectory | \ +/usr/bin/ldapsearch -LLL -Y EXTERNAL -z 0 -b ou=People,dc=scripts,dc=mit,dc=edu -s one 'objectClass=posixAccount' cn homeDirectory | \ perl -0pe 's/\n //g; s/^dn: .*\ncn: (.*)\nhomeDirectory: (.*)\n\n/$1 $2\n/gm' diff --git a/server/common/oursrc/accountadm/ldap-backup b/server/common/oursrc/accountadm/ldap-backup index d7f7ed8d..a608ad07 100755 --- a/server/common/oursrc/accountadm/ldap-backup +++ b/server/common/oursrc/accountadm/ldap-backup 
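Review bot: The new `ldapsearch -Y EXTERNAL` line passes no `-H`, so the SASL EXTERNAL bind depends on the default URI in the system ldap.conf resolving to an `ldapi://` socket; over a TCP `ldap://` URI EXTERNAL has no credential to offer and the search fails. Pinning the URI, e.g. `-H ldapi://%2fvar%2frun%2fslapd-scripts.socket/` (the socket scripts-real.yml already uses for `ldap_server`), makes the dependency explicit and keeps the script working when ldap.conf changes.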
@@ -1,172 +1,9 @@ -#!/usr/bin/perl -# -# BEGIN COPYRIGHT BLOCK -# This Program is free software; you can redistribute it and/or modify it under -# the terms of the GNU General Public License as published by the Free Software -# Foundation; version 2 of the License. -# -# This Program is distributed in the hope that it will be useful, but WITHOUT -# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS -# FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License along with -# this Program; if not, write to the Free Software Foundation, Inc., 59 Temple -# Place, Suite 330, Boston, MA 02111-1307 USA. -# -# Copyright (C) 2001 Sun Microsystems, Inc. Used by permission. -# Copyright (C) 2005 Red Hat, Inc. -# All rights reserved. -# END COPYRIGHT BLOCK -# +#!/bin/bash -@instances = qw(userRoot); -@included = qw(); -@excluded = qw(); +set -e; -our $nowrap = 1; # output LDIF is not folded -our $nobase64 = 0; # avoid base64 encoding -our $noversion = 0; # don't print version line -our $nouniqueid = 0; # don't export unique id -our $useid2entry = 0; # use main db file only -our $onefile = 1; # one file (MUST BE 1) -our $printkey = 1; # print key -our $ldiffile; # override LDIF output file location +out="/var/lib/dirsrv/slapd-scripts/ldif/scripts-$(date +%Y_%m_%d_%H_%M_%S).ldif" -$doreplica = 0; -$ldifdir = "/var/lib/dirsrv/slapd-scripts/ldif"; -$servid = "scripts"; -$verbose = 0; -$rootdn = "cn=Directory Manager"; -our $passwd; -our $passwdfile = "/etc/signup-ldap-pw"; -$i = 0; -$insti = 0; -$incli = 0; -$excli = 0; -$decrypt_on_export = 0; +dsconf scripts backend export --not-folded -l "$out" dc=scripts,dc=mit,dc=edu > /dev/null -foreach (@ARGV) { - $verbose++ if ($_ eq "-v"); -} - -if ((!@instances && !@included) || !$rootdn || !($passwd || $passwdfile)) { &usage; exit(1); } - -($s, $m, $h, $dy, $mn, $yr, $wdy, $ydy, $r) = localtime(time); -$mn++; $yr += 
1900; -$taskname = "export_${yr}_${mn}_${dy}_${h}_${m}_${s}"; -$dn = "dn: cn=$taskname, cn=export, cn=tasks, cn=config\n"; -$misc = "changetype: add\nobjectclass: top\nobjectclass: extensibleObject\n"; -$cn = "cn: $taskname\n"; -$i = 0; -$be = ""; -$nsinstance = ""; -foreach my $instance (@instances) { - $nsinstance .= "nsInstance: $instance\n"; - if ( !$be ) { - $be = "$instance"; - } else { - $be = "${be}-$instance"; - } - $i++; -} -$i = 0; -$nsincluded = ""; -foreach my $include (@included) { - $nsincluded .= "nsIncludeSuffix: $include\n"; - my ($rdn, $rest) = split(/,/, $include); - my ($rest, $tmpbe) = split(/=/, $rdn); - if ( !$be ) { - $be = "$tmpbe"; - } else { - $be = "${be}-$tmpbe"; - } - $i++; -} -$i = 0; -$nsexcluded = ""; -foreach my $exclude (@excluded) { - $nsexcluded .= "nsExcludeSuffix: $exclude\n"; - $i++; -} -if ($ldiffile eq "") { - if ($onefile == 0) { - $ldiffile = "${ldifdir}/${servid}-${yr}_${mn}_${dy}_${h}_${m}_${s}.ldif"; - } else { - $ldiffile = "${ldifdir}/${servid}-${be}-${yr}_${mn}_${dy}_${h}_${m}_${s}.ldif"; - } -} - -$nsreplica = ""; -if ($doreplica != 0) { $nsreplica = "nsExportReplica: true\n"; } -$nsnobase64 = ""; -if ($nobase64 != 0) { $nsnobase64 = "nsMinimalEncoding: true\n"; } -$nsnowrap = ""; -if ($nowrap != 0) { $nsnowrap = "nsNoWrap: true\n"; } -$nsnoversion = ""; -if ($noversion != 0) { $nsnoversion = "nsNoVersionLine: true\n"; } -$nsnouniqueid = ""; -if ($nouniqueid != 0) { $nsnouniqueid = "nsDumpUniqId: false\n"; } -$nsuseid2entry = ""; -if ($useid2entry != 0) { $nsuseid2entry = "nsUseId2Entry: true\n"; } -$nsonefile = ""; -if ($onefile != 0) { $nsonefile = "nsUseOneFile: true\n"; } -if ($onefile == 0) { $nsonefile = "nsUseOneFile: false\n"; } -$nsexportdecrypt = ""; -if ($decrypt_on_export != 0) { $nsexportdecrypt = "nsExportDecrypt: true\n"; } -$nsprintkey = ""; -if ($printkey == 0) { $nsprintkey = "nsPrintKey: false\n"; } -$nsldiffile = "nsFilename: ${ldiffile}\n"; -$entry = 
"${dn}${misc}${cn}${nsinstance}${nsincluded}${nsexcluded}${nsreplica}${nsnobase64}${nsnowrap}${nsnoversion}${nsnouniqueid}${nsuseid2entry}${nsonefile}${nsexportdecrypt}${nsprintkey}${nsldiffile}"; -my @vstr = (); -if ($verbose != 0) { @vstr = ("-v"); } -my @qstr = ("-q"); -if ($verbose) { @qstr = (); } -$ENV{'PATH'} = "/usr/lib64/mozldap:/usr/bin:"; -print STDERR ("Exporting to ldif file: ${ldiffile}\n") if ($verbose); - -my @pass; -if ($passwdfile) { - @pass = ("-j", $passwdfile); -} elsif ($passwd) { - @pass = ("-w", $passwd); -} - -my @cmd = ("ldapmodify", @vstr, @qstr, qw(-h localhost -p 389), "-D", $rootdn, @pass, "-a"); - -print STDERR "@cmd\n" if ($verbose); -print STDERR "$entry\n" if ($verbose); - -open(FOO, "|-", @cmd) or die "Couldn't start ldapmodify: $!"; -print(FOO "$entry"); -close(FOO); - -die "Couldn't successfully execute ldapmodify: $!" if $?; - -my @statuscmd = ("ldapsearch", @vstr, qw(-h localhost -p 389), "-D", $rootdn, @pass, qw(-T -b cn=export,cn=tasks,cn=config), "cn=$taskname", qw(nstaskstatus nstaskexitcode)); - -print STDERR "Status command: @statuscmd\n" if ($verbose); - -my $exitstatus=255; - -STATUS: while (1) { - sleep(1); - open(FOO, "-|", @statuscmd) or die "Couldn't start ldapsearch: $!"; - while () { - chomp; - my ($key, $value) = split(": ", $_, 2); - if ($key eq "nstaskstatus" && $verbose) { - print STDERR "Status: $value\n"; - } - if ($key eq "nstaskexitcode") { - $exitstatus = $value; - last STATUS; - } - } - close(FOO); -} - -open(OUTPUT, "<", $ldiffile) or die "Couldn't open output file: $!"; -print while (); -close(OUTPUT); - -exit $exitstatus; +cat "$out" diff --git a/server/common/oursrc/accountadm/mbash.in b/server/common/oursrc/accountadm/mbash.in index 8ba0fe98..a80720aa 100644 --- a/server/common/oursrc/accountadm/mbash.in +++ b/server/common/oursrc/accountadm/mbash.in 
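Review bot: The script exports the whole `dc=scripts,dc=mit,dc=edu` tree to `$out` and then `cat`s it, and scripts-real.yml grants the `scripts` user `NOPASSWD` sudo on exactly this command, so the LDIF — which will carry `userPassword` hashes if the backend stores them, as a 389-ds export normally does — is written under the instance ldif directory with whatever umask the caller inherited and streamed to the caller's terminal or pipe. A `umask 077` before the export (or `chmod 600 "$out"` straight after) keeps the on-disk copy private regardless of how the script was invoked. `set -e;` carries a stray semicolon; `set -euo pipefail` is the conventional opening for a script like this.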
@@ -1,3 +1,74 @@ -#!/bin/sh +#!/usr/bin/python3 -exec @bash_path@ --rcfile /usr/local/etc/mbashrc "$@" +import ldap, ldap.sasl, ldap.filter +import os, pwd, random, sys + +############### LDAP stuff ################# +# Largely copy+pasted from Pony +# Needs to be properly library-ized, assuming +# there's a good way to share code between the codebases + +class UserError(BaseException): + pass + + +LDAP_SERVERS = ["doppelganger", "alter-ego", "body-double"] + +def connect(): + hostname = "{0}.mit.edu".format(LDAP_SERVERS[random.randint(0, 2)]) + conn = ldap.initialize("ldap://{0}".format(hostname)) + # Only try to use the keytab if we have one + if False: #keytab.exists(): + keytab.auth() + auth = ldap.sasl.gssapi() + conn.sasl_interactive_bind_s("", auth) + else: + conn.simple_bind_s() + + return conn + +def get_vhost_info(conn, locker, hostname): + """Return path,aliases for the given hostname.""" + res = conn.search_s( + "ou=VirtualHosts,dc=scripts,dc=mit,dc=edu", + ldap.SCOPE_ONELEVEL, + ldap.filter.filter_format( + "(&(objectClass=scriptsVhost)(scriptsVhostAccount=uid=%s,ou=People,dc=scripts,dc=mit,dc=edu)(scriptsVhostName=%s))", + [locker, hostname], + ), + ["scriptsVhostDirectory", "scriptsVhostAlias", "scriptsVhostPoolIPv4"], + ) + try: + print(str(res)) + return ( + res[0][1]["scriptsVhostDirectory"][0], + res[0][1].get("scriptsVhostAlias", []), + res[0][1]["scriptsVhostPoolIPv4"][0] + ) + except IndexError: + raise UserError( + "The hostname '%s' does not exist for the '%s' locker." 
% (hostname, locker) + ) + + +################################################### + +def getVhostPoolIp(user): + conn = connect() + return get_vhost_info(conn, user, user + ".scripts.mit.edu")[2].decode('ascii') + +def ipConfigured(ip): + ipAddrOut = os.popen("ip addr").read() + return ("inet " + ip + "/") in ipAddrOut + +# SSH forwarding +user = pwd.getpwuid(os.getuid()).pw_name +vhostPoolIp = getVhostPoolIp(user) + +if ipConfigured(vhostPoolIp): + args = sys.argv[1:] + bash = '/usr/bin/bash' + os.execv(bash, [bash, '--rcfile', '/usr/local/etc/mbashrc'] + args) +else: + ssh = '/usr/bin/ssh' + os.execv(ssh, [ssh, str(vhostPoolIp)]) diff --git a/server/common/oursrc/athrun/configure.in b/server/common/oursrc/athrun/configure.in index 38bd3778..6bbb1e06 100644 --- a/server/common/oursrc/athrun/configure.in +++ b/server/common/oursrc/athrun/configure.in @@ -1,5 +1,3 @@ AC_INIT() -AC_PROG_CC - AC_OUTPUT(Makefile) diff --git a/server/common/oursrc/execsys/Makefile.am b/server/common/oursrc/execsys/Makefile.am new file mode 100644 index 00000000..27ffa3dc --- /dev/null +++ b/server/common/oursrc/execsys/Makefile.am @@ -0,0 +1,20 @@ +if HAVE_SYSTEMD +systemdsystemunit_DATA = \ + execsys-binfmt.service \ + scripts-svn.socket \ + scripts-svn@.service \ + scripts-git.socket \ + scripts-git@.service \ + scripts-local-smtp.socket \ + scripts-local-smtp@.service +endif + +dist_sbin_SCRIPTS = \ + ldapize.pl \ + svnproxy.pl \ + gitproxy.pl \ + local-smtp-proxy + +dist_trusted_SCRIPTS = \ + svn \ + git diff --git a/server/common/oursrc/execsys/Makefile.in b/server/common/oursrc/execsys/Makefile.in deleted file mode 100644 index ebbaffb7..00000000 --- a/server/common/oursrc/execsys/Makefile.in +++ /dev/null 
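Review bot: `print(str(res))` in get_vhost_info writes the raw LDAP search result (entry DN plus every requested attribute) to the terminal of whoever starts this login shell; it reads as leftover debugging and should be removed or gated behind a debug flag. The `if False: #keytab.exists():` branch references `keytab`, which is never defined anywhere in the file, so the dead code should go and the anonymous `conn.simple_bind_s()` be left with a comment saying why anonymous access is sufficient here. `UserError` derives from `BaseException`, which lets it slip past `except Exception` handlers; `class UserError(Exception)` is the conventional choice, and `random.choice(LDAP_SERVERS)` removes the hard-coded upper bound in `randint(0, 2)`. The pool IP that decides whether the user is forwarded over ssh comes from an unauthenticated `ldap://` query, so the answer depends on the network path to whichever server was picked; if the servers support it, `ldaps://` or `conn.start_tls_s()` would remove that dependency. Any failure of the lookup (LDAP unreachable, vhost missing) currently surfaces as a traceback and no shell at all — if this is the user's login shell, consider whether falling back to the local bash is the better failure mode.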
@@ -1,32 +0,0 @@ -CC = @CC@ -CFLAGS = @CFLAGS@ -prefix = @prefix@ -exec_prefix = @exec_prefix@ -libexecdir = @libexecdir@ -sysconfdir = @sysconfdir@ -sbindir = @sbindir@ -trusteddir = /usr/libexec/scripts-trusted - -all-local: - -install: - install -D -p -m755 execsys-binfmt $(DESTDIR)/etc/init.d/execsys-binfmt - install -D -p -m755 ldapize.pl $(DESTDIR)$(sbindir)/ldapize.pl - - install -D -p -m755 svnproxy.pl $(DESTDIR)$(sbindir)/svnproxy.pl - install -D -p -m755 svn $(DESTDIR)$(trusteddir)/svn - install -D -p -m644 scripts-svn.xinetd $(DESTDIR)/etc/xinetd.d/scripts-svn - - install -D -p -m755 gitproxy.pl $(DESTDIR)$(sbindir)/gitproxy.pl - install -D -p -m755 git $(DESTDIR)$(trusteddir)/git - install -D -p -m644 scripts-git.xinetd $(DESTDIR)/etc/xinetd.d/scripts-git - - install -D -p -m755 local-smtp-proxy $(DESTDIR)$(sbindir)/local-smtp-proxy - install -D -p -m644 scripts-local-smtp.xinetd $(DESTDIR)/etc/xinetd.d/scripts-local-smtp - -clean: - rm -f static-cat - -distclean: clean - rm -f configure config.* Makefile - rm -rf auto*.cache diff --git a/server/common/oursrc/execsys/configure.ac b/server/common/oursrc/execsys/configure.ac new file mode 100644 index 00000000..20c265f7 --- /dev/null +++ b/server/common/oursrc/execsys/configure.ac @@ -0,0 +1,14 @@ +AC_INIT([execsys], [1.0]) +AM_INIT_AUTOMAKE([-Wall -Werror foreign]) + +PKG_PROG_PKG_CONFIG +AC_ARG_WITH([systemdsystemunitdir], + AS_HELP_STRING([--with-systemdsystemunitdir=DIR], [Directory for systemd service files]), + [], [with_systemdsystemunitdir=$($PKG_CONFIG --variable=systemdsystemunitdir systemd)]) +AC_SUBST([systemdsystemunitdir], [$with_systemdsystemunitdir]) +AM_CONDITIONAL(HAVE_SYSTEMD, [test -n "$with_systemdsystemunitdir"]) + +AC_SUBST([trusteddir], [/usr/libexec/scripts-trusted]) + +AC_CONFIG_FILES(Makefile) +AC_OUTPUT diff --git a/server/common/oursrc/execsys/configure.in b/server/common/oursrc/execsys/configure.in deleted file mode 100644 index 95b5d243..00000000 
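Review bot: `--without-systemdsystemunitdir` (or `=no`) leaves `with_systemdsystemunitdir` set to the literal string `no`, so the `test -n` in `AM_CONDITIONAL(HAVE_SYSTEMD, ...)` still enables the units and they are installed into a directory named `no`. Normalise before substituting: `AS_IF([test "x$with_systemdsystemunitdir" = xno], [with_systemdsystemunitdir=])`. The default branch also runs `$PKG_CONFIG` even when `PKG_PROG_PKG_CONFIG` found nothing, which yields a shell "command not found" instead of a configure message; wrapping it in `test -n "$PKG_CONFIG" &&` keeps configure clean on hosts without pkg-config.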
--- a/server/common/oursrc/execsys/configure.in +++ /dev/null @@ -1,5 +0,0 @@ -AC_INIT([Makefile.in]) - -AC_PROG_CC - -AC_OUTPUT(Makefile) diff --git a/server/common/oursrc/execsys/execsys-binfmt b/server/common/oursrc/execsys/execsys-binfmt deleted file mode 100644 index 96fe913d..00000000 --- a/server/common/oursrc/execsys/execsys-binfmt +++ /dev/null @@ -1,54 +0,0 @@ -#!/bin/sh -# -# execsys-binfmt: test1 -# -# chkconfig: 2345 2 98 -# description: test2 -# -### BEGIN INIT INFO -# Provides: execsys-binfmt -# Required-Start: $syslog -# Required-Stop: $syslog -# Should-Start: $local_fs -# Should-Stop: $local_fs -# Default-Start: 2 3 4 5 -# Default-Stop: 0 1 6 -# Short-Description: Start scripts.mit.edu execsys system -# Description: Decides what interpreter to use to execute files -### END INIT INFO - -stop () -{ - echo "-1" > /proc/sys/fs/binfmt_misc/status - umount /proc/sys/fs/binfmt_misc -} - -start () -{ - mount -t binfmt_misc none /proc/sys/fs/binfmt_misc - echo ':CLR:M::MZ::/usr/bin/mono:' > /proc/sys/fs/binfmt_misc/register -} - -case "$1" in -start) - stop 2>/dev/null || : - start - ;; -stop) - stop - ;; -force-reload) - stop - start - ;; -restart) - stop - start - ;; -*) - echo "Usage: $0 [start|stop|restart|force-reload]" >&2 - exit 2 - ;; -esac - -exit $? diff --git a/server/common/oursrc/execsys/execsys-binfmt.service b/server/common/oursrc/execsys/execsys-binfmt.service new file mode 100644 index 00000000..69bbf705 --- /dev/null +++ b/server/common/oursrc/execsys/execsys-binfmt.service @@ -0,0 +1,13 @@ +[Unit] +Description=Configure files to automatically run based on magic. +Requires=proc-sys-fs-binfmt_misc.mount +After=proc-sys-fs-binfmt_misc.mount + +[Service] +Type=oneshot +RemainAfterExit=yes +ExecStart=/bin/sh -c "echo ':CLR:M::MZ::/usr/bin/mono:' > /proc/sys/fs/binfmt_misc/register" +ExecStop=/bin/sh -c "echo -1 > /proc/sys/fs/binfmt_misc/status" + +[Install] +WantedBy=multi-user.target 
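Review bot: `ExecStop` writes `-1` to `/proc/sys/fs/binfmt_misc/status`, which disables every registered binfmt_misc handler on the host, not just the `CLR` entry this unit created; under systemd that mount is shared with systemd-binfmt.service and anything else that registers formats, so stopping this unit silently breaks theirs. Unregister only this entry instead: `ExecStop=/bin/sh -c "echo -1 > /proc/sys/fs/binfmt_misc/CLR"`. The `ExecStart` registration also fails if an entry named `CLR` already exists, so an `ExecStartPre=-/bin/sh -c "echo -1 > /proc/sys/fs/binfmt_misc/CLR"` (leading `-` tolerating the usual "not registered" failure) would make the unit idempotent across restarts.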
diff --git a/server/common/oursrc/execsys/gitproxy.pl b/server/common/oursrc/execsys/gitproxy.pl index 1f06e9ca..de0f95c7 100755 --- a/server/common/oursrc/execsys/gitproxy.pl +++ b/server/common/oursrc/execsys/gitproxy.pl @@ -46,7 +46,8 @@ } # Now start the real git daemon based on the URL. -my $pid = open2(\*IN, \*OUT, '/usr/local/sbin/ldapize.pl', "git://$host/") or die "$0: open: $!"; +# TODO: Find ldapize.pl based on configure arguments. +my $pid = open2(\*IN, \*OUT, '/usr/sbin/ldapize.pl', "git://$host/") or die "$0: open: $!"; # Finally, go into a poll loop to transfer the remaining data # (STDIN -> OUT, IN -> STDOUT), including the client's message to git daemon. diff --git a/server/common/oursrc/execsys/ldapize.pl b/server/common/oursrc/execsys/ldapize.pl index 580b9fb0..dac0fd88 100755 --- a/server/common/oursrc/execsys/ldapize.pl +++ b/server/common/oursrc/execsys/ldapize.pl @@ -12,6 +12,24 @@ my $vhostName = $hostname; +my $uri; + +open(my $conf, "<", "/etc/openldap/ldap.conf") or die "open: $!"; +while (my $line = <$conf>) { + if ($line =~ m/^URI\s+(\S+)/) { + $uri = $1; + } +} +close($conf) or die "close: $!"; + +if (not $uri) { + die "Couldn't find LDAP URI"; +} + +my $ldap = Net::LDAP->new($uri); +$mesg = $ldap->bind(); +$mesg->code && die $mesg->error; + vhost: # oh my gosh Net::LDAP::Filter SUCKS my $filter = bless({and => @@ -24,10 +42,6 @@ assertionValue => $vhostName}}]}]}, 'Net::LDAP::Filter'); -my $ldap = Net::LDAP->new("ldapi://%2fvar%2frun%2fslapd-scripts.socket/"); -$mesg = $ldap->bind(); -$mesg->code && die $mesg->error; - $mesg = $ldap->search(base => "ou=VirtualHosts,dc=scripts,dc=mit,dc=edu", filter => $filter); $mesg->code && die $mesg->error; 
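Review bot: `Net::LDAP->new($uri)` returns undef when it cannot connect, so the following `$ldap->bind()` dies with a bare "Can't call method" message that never names the URI; write `my $ldap = Net::LDAP->new($uri) or die "Couldn't connect to $uri: $@";`. The `URI` match is case-sensitive and keeps only the first of several space-separated URIs, while ldap.conf keywords are case-insensitive; `m/^URI\s+(\S+)/i` handles the former, and a comment should record that only the first URI is honoured. This hunk also moves the bind from a fixed `ldapi://` socket to whatever /etc/openldap/ldap.conf names, and the uid/gid this script later hands to suexec come from that directory; if the file may point at a remote `ldap://` URI, either reject anything other than `ldapi://`/`ldaps://` here or state in a comment why the configured URI is trusted. The anonymous `bind()` is unchanged from the removed code, but it is now anonymous against a configurable endpoint rather than a local socket.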
@@ -50,7 +64,7 @@ map { $userEntry->get_value($_) } qw(homeDirectory uidNumber gidNumber); (my $scriptsdir = $homeDirectory) =~ s{(?:/Scripts)?$}{/Scripts}; -if ($proto eq 'svn') { +if ($proto eq 'svn' || $proto =~ m/^svn\+/) { chdir '/usr/libexec/scripts-trusted'; exec('/usr/sbin/suexec', $uidNumber, $gidNumber, '/usr/libexec/scripts-trusted/svn', "$scriptsdir/svn/$vhostDirectory"); } elsif ($proto eq 'git') { diff --git a/server/common/oursrc/execsys/local-smtp-proxy b/server/common/oursrc/execsys/local-smtp-proxy index a05d453c..c0dfc335 100755 --- a/server/common/oursrc/execsys/local-smtp-proxy +++ b/server/common/oursrc/execsys/local-smtp-proxy @@ -75,13 +75,17 @@ def proxy(sock, uid): peer = sock.getpeername() class Proxy(object): - def process_message(self, peer, mailfrom, rcpttos, data): + def process_message(self, peer, mailfrom, rcpttos, data, **kwargs): + args = ['/usr/sbin/sendmail', '-f', mailfrom] + if 'BODY=8BITMIME' in kwargs.get('mail_options', []): + args += ['-B', '8BITMIME'] + args += rcpttos with subprocess.Popen( - ['/usr/sbin/sendmail', '-f', mailfrom] + rcpttos, + args, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE) as p: - out, err = p.communicate(data.encode()) + out, err = p.communicate(data) if p.returncode == 0: return '250 OK' else: diff --git a/server/common/oursrc/execsys/mrproper b/server/common/oursrc/execsys/mrproper deleted file mode 100755 index 46a05848..00000000 --- a/server/common/oursrc/execsys/mrproper +++ /dev/null @@ -1,4 +0,0 @@ -#!/bin/sh - -rm -f configure config.* Makefile -rm -rf auto*.cache diff --git a/server/common/oursrc/execsys/scripts-git.socket b/server/common/oursrc/execsys/scripts-git.socket new file mode 100644 index 00000000..f52fc30b --- /dev/null +++ b/server/common/oursrc/execsys/scripts-git.socket @@ -0,0 +1,9 @@ +[Unit] +Description=Git proxy socket + +[Socket] +ListenStream=9418 +Accept=yes + +[Install] +WantedBy=sockets.target 
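Review bot: The recipient list is appended to the sendmail argv directly after `-f mailfrom` with no option terminator, so a recipient whose local part begins with `-` would be read by sendmail as a flag rather than an address; `args += ['--'] + rcpttos` closes that, provided the installed sendmail's option parser honours `--` (the getopt-based ones in Postfix and Sendmail do). That exposure predates this commit, but the new `args` construction is the natural place to fix it. `p.communicate(data)` now assumes `data` is bytes, which depends on the `decode_data` setting of the smtpd channel created outside this hunk; a one-line comment such as `# data is bytes: the smtpd channel runs with decode_data=False` would document the coupling. The enclosing `proxy()` function and `Proxy` class start and end outside the hunk.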
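Review bot: With `Accept=yes` every incoming connection spawns a `scripts-git@.service` instance, and the unit sets neither `MaxConnections=` nor `MaxConnectionsPerSource=`, so the only cap is systemd's default of 64 concurrent connections for the whole socket and nothing per client. Adding `MaxConnectionsPerSource=` and an explicit `MaxConnections=` under `[Socket]` keeps a single peer from consuming the entire budget for everyone else. The same applies to scripts-svn.socket and scripts-local-smtp.socket later in this commit.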
diff --git a/server/common/oursrc/execsys/scripts-git.xinetd b/server/common/oursrc/execsys/scripts-git.xinetd deleted file mode 100644 index 5cf16903..00000000 --- a/server/common/oursrc/execsys/scripts-git.xinetd +++ /dev/null @@ -1,11 +0,0 @@ -service git -{ - disable = no - port = 9418 - socket_type = stream - protocol = tcp - wait = no - user = apache - passenv = PATH - server = /usr/local/sbin/gitproxy.pl -} diff --git a/server/common/oursrc/execsys/scripts-git@.service b/server/common/oursrc/execsys/scripts-git@.service new file mode 100644 index 00000000..26f377d8 --- /dev/null +++ b/server/common/oursrc/execsys/scripts-git@.service @@ -0,0 +1,8 @@ +[Unit] +Description=Git proxy server + +[Service] +ExecStart=-/usr/sbin/gitproxy.pl +StandardInput=socket +StandardError=journal +User=apache diff --git a/server/common/oursrc/execsys/scripts-local-smtp.socket b/server/common/oursrc/execsys/scripts-local-smtp.socket new file mode 100644 index 00000000..22366295 --- /dev/null +++ b/server/common/oursrc/execsys/scripts-local-smtp.socket @@ -0,0 +1,10 @@ +[Unit] +Description=Local SMTP proxy socket + +[Socket] +ListenStream=127.0.0.1:25 +ListenStream=[::1]:25 +Accept=yes + +[Install] +WantedBy=sockets.target diff --git a/server/common/oursrc/execsys/scripts-local-smtp.xinetd b/server/common/oursrc/execsys/scripts-local-smtp.xinetd deleted file mode 100755 index 3e50cf34..00000000 --- a/server/common/oursrc/execsys/scripts-local-smtp.xinetd +++ /dev/null @@ -1,24 +0,0 @@ -service smtp -{ - disable = no - bind = 127.0.0.1 - port = 25 - socket_type = stream - protocol = tcp - wait = no - user = root - passenv = PATH - server = /usr/local/sbin/local-smtp-proxy -} -service smtp -{ - disable = no - bind = ::1 - port = 25 - socket_type = stream - protocol = tcp - wait = no - user = root - passenv = PATH - server = /usr/local/sbin/local-smtp-proxy -} 
diff --git a/server/common/oursrc/execsys/scripts-local-smtp@.service b/server/common/oursrc/execsys/scripts-local-smtp@.service new file mode 100644 index 00000000..e45dfdb8 --- /dev/null +++ b/server/common/oursrc/execsys/scripts-local-smtp@.service @@ -0,0 +1,7 @@ +[Unit] +Description=Local SMTP proxy server + +[Service] +ExecStart=-/usr/sbin/local-smtp-proxy +StandardInput=socket +StandardError=journal diff --git a/server/common/oursrc/execsys/scripts-svn.socket b/server/common/oursrc/execsys/scripts-svn.socket new file mode 100644 index 00000000..f30bf078 --- /dev/null +++ b/server/common/oursrc/execsys/scripts-svn.socket @@ -0,0 +1,9 @@ +[Unit] +Description=SVN proxy socket + +[Socket] +ListenStream=3690 +Accept=yes + +[Install] +WantedBy=sockets.target diff --git a/server/common/oursrc/execsys/scripts-svn.xinetd b/server/common/oursrc/execsys/scripts-svn.xinetd deleted file mode 100644 index a862b59d..00000000 --- a/server/common/oursrc/execsys/scripts-svn.xinetd +++ /dev/null @@ -1,12 +0,0 @@ -service svn -{ - disable = no - port = 3690 - socket_type = stream - protocol = tcp - wait = no - user = apache - passenv = PATH - server = /usr/local/sbin/svnproxy.pl -# bind = 127.0.0.1 -} diff --git a/server/common/oursrc/execsys/scripts-svn@.service b/server/common/oursrc/execsys/scripts-svn@.service new file mode 100644 index 00000000..0b003f37 --- /dev/null +++ b/server/common/oursrc/execsys/scripts-svn@.service @@ -0,0 +1,8 @@ +[Unit] +Description=SVN proxy server + +[Service] +ExecStart=-/usr/sbin/svnproxy.pl +StandardInput=socket +StandardError=journal +User=apache diff --git a/server/common/oursrc/execsys/svnproxy.pl b/server/common/oursrc/execsys/svnproxy.pl index 0f6cf68a..10754e2d 100755 --- a/server/common/oursrc/execsys/svnproxy.pl +++ b/server/common/oursrc/execsys/svnproxy.pl 
@@ -29,13 +29,14 @@ defined $pid or die "$0: open: $!"; if ($pid == 0) { close(STDIN) or die "$0: close: $!"; + close(STDERR) or die "$0: close: $!"; exec('svnserve', '-i') or die "$0: exec svnproxy: $!"; } my $greeting = ''; for (;;) { my $n = sysread(IN, my $buf, 4096); - next if $n < 0 and $! == EINTR; - $n >= 0 or die "$0: read: $!"; + next if (not defined($n)) and $! == EINTR; + defined($n) or die "$0: read: $!"; last if $n == 0; $greeting .= $buf; } @@ -44,11 +45,11 @@ my $buf = $greeting; while ($buf ne '') { my $n = syswrite(STDOUT, $buf); - next if $n < 0 and $! == EINTR; - $n >= 0 or die "$0: write: $!"; + next if (not defined ($n)) and $! == EINTR; + defined($n) or die "$0: write: $!"; $buf = substr($buf, $n); } -close(IN) or die "$0: close: $!"; +close(IN); # ignore error; newer svnserve exits 1 waitpid(-1, 0) or die "$0: waitpid: $!"; # Receive the response from the client, and parse out the URL. @@ -71,7 +72,8 @@ } # Now start the real svnserve based on the URL. -$pid = open2(\*IN, \*OUT, '/usr/local/sbin/ldapize.pl', $url) or die "$0: open: $!"; +# TODO: Find ldapize.pl based on configure arguments. +$pid = open2(\*IN, \*OUT, '/usr/sbin/ldapize.pl', $url) or die "$0: open: $!"; # Read the greeting, expecting it to be identical to the dummy greeting. while ($greeting ne '') { diff --git a/server/common/oursrc/fuse-better-mousetrapfs/better-mousetrapfs b/server/common/oursrc/fuse-better-mousetrapfs/better-mousetrapfs index 53365cd0..2d148453 100755 --- a/server/common/oursrc/fuse-better-mousetrapfs/better-mousetrapfs +++ b/server/common/oursrc/fuse-better-mousetrapfs/better-mousetrapfs @@ -1,4 +1,4 @@ -#!/usr/bin/python +#!/usr/bin/python3 # -*- coding: utf-8 -*- # better-mousetrapfs: Filesystem that logs and kills any accessors 
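Review bot: The new `close(STDERR)` in the child leaves fd 2 closed when `svnserve -i` starts, so the next descriptor it opens can land on fd 2 and anything it writes to stderr goes into that file or socket; it also silences the `or die "$0: exec svnproxy: $!"` on the next line, because die writes to the now-closed STDERR. Redirect instead of closing: `open(STDERR, '>', '/dev/null') or die "$0: open /dev/null: $!";`. The die text still reads `exec svnproxy` although the program exec'd is `svnserve`.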
@@ -43,7 +43,7 @@ class BetterMousetrapFS(fuse.Fuse): def getattr(self, path): if path == '/': - return fuse.Stat(st_mode = stat.S_IFDIR | 0755, st_nlink = 2) + return fuse.Stat(st_mode = stat.S_IFDIR | 0o755, st_nlink = 2) else: return -errno.EACCES diff --git a/server/common/oursrc/nss_nonlocal/configure.ac b/server/common/oursrc/nss_nonlocal/configure.ac index 6718d779..d04611b8 100644 --- a/server/common/oursrc/nss_nonlocal/configure.ac +++ b/server/common/oursrc/nss_nonlocal/configure.ac @@ -1,4 +1,4 @@ -AC_INIT([nss_nonlocal], [2.1], [andersk@mit.edu]) +AC_INIT([nss_nonlocal], [2.2], [andersk@mit.edu]) AC_CANONICAL_TARGET AM_INIT_AUTOMAKE([-Wall -Werror foreign]) m4_ifdef([AM_SILENT_RULES],[AM_SILENT_RULES([yes])]) diff --git a/server/common/oursrc/nss_nonlocal/nonlocal-group.c b/server/common/oursrc/nss_nonlocal/nonlocal-group.c index 57f01e2c..f80118bb 100644 --- a/server/common/oursrc/nss_nonlocal/nonlocal-group.c +++ b/server/common/oursrc/nss_nonlocal/nonlocal-group.c @@ -77,17 +77,19 @@ static service_user *__nss_group_nonlocal_database; static int internal_function -__nss_group_nonlocal_lookup(service_user **ni, const char *fct_name, - void **fctp) +__nss_group_nonlocal_lookup2(service_user **ni, const char *fct_name, + const char *fct2_name, void **fctp) { if (__nss_group_nonlocal_database == NULL - && __nss_database_lookup("group_nonlocal", NULL, NULL, - &__nss_group_nonlocal_database) < 0) + && __nss_database_lookup2("group_nonlocal", NULL, NULL, + &__nss_group_nonlocal_database) < 0) return -1; *ni = __nss_group_nonlocal_database; *fctp = __nss_lookup_function(*ni, fct_name); + if (*fctp == NULL && fct2_name != NULL) + *fctp = __nss_lookup_function(*ni, fct2_name); return 0; } 
@@ -100,7 +102,7 @@ check_nonlocal_gid(const char *user, const char *group, gid_t gid, int *errnop) char *buf; size_t buflen = sysconf(_SC_GETGR_R_SIZE_MAX); const struct walk_nss w = { - .lookup = &__nss_group_lookup, .fct_name = "getgrgid_r", + .lookup2 = &__nss_group_lookup2, .fct_name = "getgrgid_r", .status = &status, .errnop = errnop, .buf = &buf, .buflen = &buflen }; const __typeof__(&_nss_nonlocal_getgrgid_r) self = &_nss_nonlocal_getgrgid_r; @@ -161,7 +163,7 @@ get_local_group(const char *name, struct group *grp, char **buffer, int *errnop) enum nss_status status; size_t buflen = sysconf(_SC_GETGR_R_SIZE_MAX); const struct walk_nss w = { - .lookup = &__nss_group_lookup, .fct_name = "getgrnam_r", + .lookup2 = &__nss_group_lookup2, .fct_name = "getgrnam_r", .status = &status, .errnop = errnop, .buf = buffer, .buflen = &buflen }; const __typeof__(&_nss_nonlocal_getgrnam_r) self = &_nss_nonlocal_getgrnam_r; @@ -186,7 +188,7 @@ _nss_nonlocal_setgrent(int stayopen) { enum nss_status status; const struct walk_nss w = { - .lookup = &__nss_group_nonlocal_lookup, .fct_name = "setgrent", + .lookup2 = &__nss_group_nonlocal_lookup2, .fct_name = "setgrent", .status = &status }; const __typeof__(&_nss_nonlocal_setgrent) self = NULL; @@ -197,8 +199,8 @@ _nss_nonlocal_setgrent(int stayopen) return status; if (!grent_initialized) { - __nss_group_nonlocal_lookup(&grent_startp, grent_fct_name, - &grent_fct_start); + __nss_group_nonlocal_lookup2(&grent_startp, grent_fct_name, NULL, + &grent_fct_start); __sync_synchronize(); grent_initialized = true; } @@ -212,7 +214,7 @@ _nss_nonlocal_endgrent(void) { enum nss_status status; const struct walk_nss w = { - .lookup = &__nss_group_nonlocal_lookup, .fct_name = "endgrent", + .lookup2 = &__nss_group_nonlocal_lookup2, .fct_name = "endgrent", .status = &status, .all_values = 1, }; const __typeof__(&_nss_nonlocal_endgrent) self = NULL; 
@@ -255,7 +257,8 @@ _nss_nonlocal_getgrent_r(struct group *grp, char *buffer, size_t buflen, if (status == NSS_STATUS_SUCCESS) return NSS_STATUS_SUCCESS; - } while (__nss_next(&grent_nip, grent_fct_name, &grent_fct.ptr, status, 0) == 0); + } while (__nss_next2(&grent_nip, grent_fct_name, NULL, &grent_fct.ptr, + status, 0) == 0); grent_nip = NULL; return NSS_STATUS_NOTFOUND; @@ -268,7 +271,7 @@ _nss_nonlocal_getgrnam_r(const char *name, struct group *grp, { enum nss_status status; const struct walk_nss w = { - .lookup = &__nss_group_nonlocal_lookup, .fct_name = "getgrnam_r", + .lookup2 = &__nss_group_nonlocal_lookup2, .fct_name = "getgrnam_r", .status = &status, .errnop = errnop }; const __typeof__(&_nss_nonlocal_getgrnam_r) self = NULL; @@ -297,7 +300,7 @@ _nss_nonlocal_getgrgid_r(gid_t gid, struct group *grp, { enum nss_status status; const struct walk_nss w = { - .lookup = &__nss_group_nonlocal_lookup, .fct_name = "getgrgid_r", + .lookup2 = &__nss_group_nonlocal_lookup2, .fct_name = "getgrgid_r", .status = &status, .errnop = errnop }; const __typeof__(&_nss_nonlocal_getgrgid_r) self = NULL; @@ -360,7 +363,7 @@ _nss_nonlocal_initgroups_dyn(const char *user, gid_t group, long int *start, { enum nss_status status; const struct walk_nss w = { - .lookup = &__nss_group_nonlocal_lookup, .fct_name = "initgroups_dyn", + .lookup2 = &__nss_group_nonlocal_lookup2, .fct_name = "initgroups_dyn", .status = &status, .all_values = 1, .errnop = errnop }; const __typeof__(&_nss_nonlocal_initgroups_dyn) self = NULL; diff --git a/server/common/oursrc/nss_nonlocal/nonlocal-passwd.c b/server/common/oursrc/nss_nonlocal/nonlocal-passwd.c index 41ea4986..f310db71 100644 --- a/server/common/oursrc/nss_nonlocal/nonlocal-passwd.c +++ b/server/common/oursrc/nss_nonlocal/nonlocal-passwd.c 
@@ -54,17 +54,19 @@ static service_user *__nss_passwd_nonlocal_database; static int internal_function -__nss_passwd_nonlocal_lookup(service_user **ni, const char *fct_name, - void **fctp) +__nss_passwd_nonlocal_lookup2(service_user **ni, const char *fct_name, + const char *fct2_name, void **fctp) { if (__nss_passwd_nonlocal_database == NULL - && __nss_database_lookup("passwd_nonlocal", NULL, NULL, - &__nss_passwd_nonlocal_database) < 0) + && __nss_database_lookup2("passwd_nonlocal", NULL, NULL, + &__nss_passwd_nonlocal_database) < 0) return -1; *ni = __nss_passwd_nonlocal_database; *fctp = __nss_lookup_function(*ni, fct_name); + if (*fctp == NULL && fct2_name != NULL) + *fctp = __nss_lookup_function(*ni, fct2_name); return 0; } @@ -77,7 +79,7 @@ check_nonlocal_uid(const char *user, uid_t uid, int *errnop) char *buf; size_t buflen = sysconf(_SC_GETPW_R_SIZE_MAX); const struct walk_nss w = { - .lookup = &__nss_passwd_lookup, .fct_name = "getpwuid_r", + .lookup2 = &__nss_passwd_lookup2, .fct_name = "getpwuid_r", .status = &status, .errnop = errnop, .buf = &buf, .buflen = &buflen }; const __typeof__(&_nss_nonlocal_getpwuid_r) self = &_nss_nonlocal_getpwuid_r; @@ -126,7 +128,7 @@ check_nonlocal_user(const char *user, int *errnop) char *buf; size_t buflen = sysconf(_SC_GETPW_R_SIZE_MAX); const struct walk_nss w = { - .lookup = __nss_passwd_lookup, .fct_name = "getpwnam_r", + .lookup2 = __nss_passwd_lookup2, .fct_name = "getpwnam_r", .status = &status, .errnop = errnop, .buf = &buf, .buflen = &buflen }; const __typeof__(&_nss_nonlocal_getpwnam_r) self = &_nss_nonlocal_getpwnam_r; 
@@ -151,7 +153,7 @@ get_nonlocal_passwd(const char *name, struct passwd *pwd, char **buffer, enum nss_status status; size_t buflen = sysconf(_SC_GETPW_R_SIZE_MAX); const struct walk_nss w = { - .lookup = __nss_passwd_nonlocal_lookup, .fct_name = "getpwnam_r", + .lookup2 = __nss_passwd_nonlocal_lookup2, .fct_name = "getpwnam_r", .status = &status, .errnop = errnop, .buf = buffer, .buflen = &buflen }; const __typeof__(&_nss_nonlocal_getpwnam_r) self = NULL; @@ -177,7 +179,7 @@ _nss_nonlocal_setpwent(int stayopen) { enum nss_status status; const struct walk_nss w = { - .lookup = &__nss_passwd_nonlocal_lookup, .fct_name = "setpwent", + .lookup2 = &__nss_passwd_nonlocal_lookup2, .fct_name = "setpwent", .status = &status }; const __typeof__(&_nss_nonlocal_setpwent) self = NULL; @@ -188,8 +190,8 @@ _nss_nonlocal_setpwent(int stayopen) return status; if (!pwent_initialized) { - __nss_passwd_nonlocal_lookup(&pwent_startp, pwent_fct_name, - &pwent_fct_start); + __nss_passwd_nonlocal_lookup2(&pwent_startp, pwent_fct_name, NULL, + &pwent_fct_start); __sync_synchronize(); pwent_initialized = true; } @@ -203,7 +205,7 @@ _nss_nonlocal_endpwent(void) { enum nss_status status; const struct walk_nss w = { - .lookup = &__nss_passwd_nonlocal_lookup, .fct_name = "endpwent", + .lookup2 = &__nss_passwd_nonlocal_lookup2, .fct_name = "endpwent", .status = &status, .all_values = 1, }; const __typeof__(&_nss_nonlocal_endpwent) self = NULL; @@ -246,7 +248,8 @@ _nss_nonlocal_getpwent_r(struct passwd *pwd, char *buffer, size_t buflen, if (status == NSS_STATUS_SUCCESS) return NSS_STATUS_SUCCESS; - } while (__nss_next(&pwent_nip, pwent_fct_name, &pwent_fct.ptr, status, 0) == 0); + } while (__nss_next2(&pwent_nip, pwent_fct_name, 0, &pwent_fct.ptr, status, + 0) == 0); pwent_nip = NULL; return NSS_STATUS_NOTFOUND; 
@@ -260,7 +263,7 @@ _nss_nonlocal_getpwnam_r(const char *name, struct passwd *pwd, enum nss_status status; int group_errno; const struct walk_nss w = { - .lookup = __nss_passwd_nonlocal_lookup, .fct_name = "getpwnam_r", + .lookup2 = __nss_passwd_nonlocal_lookup2, .fct_name = "getpwnam_r", .status = &status, .errnop = errnop }; const __typeof__(&_nss_nonlocal_getpwnam_r) self = NULL; @@ -297,7 +300,7 @@ _nss_nonlocal_getpwuid_r(uid_t uid, struct passwd *pwd, enum nss_status status; int group_errno; const struct walk_nss w = { - .lookup = &__nss_passwd_nonlocal_lookup, .fct_name = "getpwuid_r", + .lookup2 = &__nss_passwd_nonlocal_lookup2, .fct_name = "getpwuid_r", .status = &status, .errnop = errnop }; const __typeof__(&_nss_nonlocal_getpwuid_r) self = NULL; diff --git a/server/common/oursrc/nss_nonlocal/nonlocal-shadow.c b/server/common/oursrc/nss_nonlocal/nonlocal-shadow.c index 98142e18..eb115bc0 100644 --- a/server/common/oursrc/nss_nonlocal/nonlocal-shadow.c +++ b/server/common/oursrc/nss_nonlocal/nonlocal-shadow.c @@ -43,17 +43,19 @@ static service_user *__nss_shadow_nonlocal_database; static int internal_function -__nss_shadow_nonlocal_lookup(service_user **ni, const char *fct_name, - void **fctp) +__nss_shadow_nonlocal_lookup2(service_user **ni, const char *fct_name, + const char *fct2_name, void **fctp) { if (__nss_shadow_nonlocal_database == NULL - && __nss_database_lookup("shadow_nonlocal", NULL, NULL, - &__nss_shadow_nonlocal_database) < 0) + && __nss_database_lookup2("shadow_nonlocal", NULL, NULL, + &__nss_shadow_nonlocal_database) < 0) return -1; *ni = __nss_shadow_nonlocal_database; *fctp = __nss_lookup_function(*ni, fct_name); + if (*fctp == NULL && fct2_name != NULL) + *fctp = __nss_lookup_function(*ni, fct2_name); return 0; } 
@@ -73,7 +75,7 @@ _nss_nonlocal_setspent(int stayopen) { enum nss_status status; const struct walk_nss w = { - .lookup = &__nss_shadow_nonlocal_lookup, .fct_name = "setspent", + .lookup2 = &__nss_shadow_nonlocal_lookup2, .fct_name = "setspent", .status = &status }; const __typeof__(&_nss_nonlocal_setspent) self = NULL; @@ -84,8 +86,8 @@ _nss_nonlocal_setspent(int stayopen) return status; if (!spent_initialized) { - __nss_shadow_nonlocal_lookup(&spent_startp, spent_fct_name, - &spent_fct_start); + __nss_shadow_nonlocal_lookup2(&spent_startp, spent_fct_name, NULL, + &spent_fct_start); __sync_synchronize(); spent_initialized = true; } @@ -99,7 +101,7 @@ _nss_nonlocal_endspent(void) { enum nss_status status; const struct walk_nss w = { - .lookup = &__nss_shadow_nonlocal_lookup, .fct_name = "endspent", + .lookup2 = &__nss_shadow_nonlocal_lookup2, .fct_name = "endspent", .status = &status }; const __typeof__(&_nss_nonlocal_endspent) self = NULL; @@ -137,7 +139,8 @@ _nss_nonlocal_getspent_r(struct spwd *pwd, char *buffer, size_t buflen, if (status == NSS_STATUS_SUCCESS) return NSS_STATUS_SUCCESS; - } while (__nss_next(&spent_nip, spent_fct_name, &spent_fct.ptr, status, 0) == 0); + } while (__nss_next2(&spent_nip, spent_fct_name, NULL, &spent_fct.ptr, + status, 0) == 0); spent_nip = NULL; return NSS_STATUS_NOTFOUND; @@ -150,7 +153,7 @@ _nss_nonlocal_getspnam_r(const char *name, struct spwd *pwd, { enum nss_status status; const struct walk_nss w = { - .lookup = __nss_shadow_nonlocal_lookup, .fct_name = "getspnam_r", + .lookup2 = __nss_shadow_nonlocal_lookup2, .fct_name = "getspnam_r", .status = &status, .errnop = errnop }; const __typeof__(&_nss_nonlocal_getspnam_r) self = NULL; diff --git a/server/common/oursrc/nss_nonlocal/nonlocal.h b/server/common/oursrc/nss_nonlocal/nonlocal.h index 7b8ca2f3..384e2eea 100644 --- a/server/common/oursrc/nss_nonlocal/nonlocal.h +++ b/server/common/oursrc/nss_nonlocal/nonlocal.h 
@@ -50,8 +50,8 @@ typedef bool _Bool; struct walk_nss { enum nss_status *status; int all_values; - int (*lookup)(service_user **ni, const char *fct_name, - void **fctp) internal_function; + int (*lookup2)(service_user **ni, const char *fct_name, + const char *fct2_name, void **fctp) internal_function; const char *fct_name; int *errnop; char **buf; diff --git a/server/common/oursrc/nss_nonlocal/nsswitch-internal.h b/server/common/oursrc/nss_nonlocal/nsswitch-internal.h index 4a2e91dc..d2cff7d8 100644 --- a/server/common/oursrc/nss_nonlocal/nsswitch-internal.h +++ b/server/common/oursrc/nss_nonlocal/nsswitch-internal.h @@ -6,10 +6,13 @@ #ifndef NSSWITCH_INTERNAL_H #define NSSWITCH_INTERNAL_H +#include #include "config.h" /* glibc/config.h.in */ -#if defined USE_REGPARMS && !defined PROF && !defined __BOUNDED_POINTERS__ +#if __GLIBC_PREREQ(2, 27) +# define internal_function +#elif defined USE_REGPARMS && !defined PROF && !defined __BOUNDED_POINTERS__ # define internal_function __attribute__ ((regparm (3), stdcall)) #else # define internal_function 
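Review bot: The new `__GLIBC_PREREQ(2, 27)` test only switches off `internal_function`, while the `__nss_database_lookup2` / `__nss_*_lookup2` declarations in the next hunk and their callers in nonlocal-group.c, nonlocal-passwd.c and nonlocal-shadow.c are unconditional. If `__nss_database_lookup2` appeared in the same glibc release that dropped `internal_function` (the `2` suffix and the paired rename suggest so), the `#elif`/`#else` branches describe a configuration that can no longer link, and replacing them with `#error nss_nonlocal requires glibc >= 2.27` would turn a confusing link failure into a clear message. The `#include` added above `config.h` has lost its header name in this rendering, so I can't confirm it is the one that supplies `__GLIBC_PREREQ`; a comment naming why it is needed would help the next reader.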
@@ -18,17 +21,20 @@ /* glibc/nss/nsswitch.h */ typedef struct service_user service_user; -extern int __nss_next (service_user **ni, const char *fct_name, void **fctp, - int status, int all_values); -extern int __nss_database_lookup (const char *database, - const char *alternative_name, - const char *defconfig, service_user **ni); +extern int __nss_next2 (service_user **ni, const char *fct_name, + const char *fct2_name, void **fctp, int status, + int all_values); +extern int __nss_database_lookup2 (const char *database, + const char *alternative_name, + const char *defconfig, service_user **ni); extern void *__nss_lookup_function (service_user *ni, const char *fct_name); /* glibc/nss/XXX-lookup.c */ -extern int __nss_passwd_lookup (service_user **ni, const char *fct_name, - void **fctp) internal_function; -extern int __nss_group_lookup (service_user **ni, const char *fct_name, - void **fctp) internal_function; +extern int __nss_passwd_lookup2 (service_user **ni, const char *fct_name, + const char *fct2_name, void **fctp) + internal_function; +extern int __nss_group_lookup2 (service_user **ni, const char *fct_name, + const char *fct2_name, void **fctp) + internal_function; #endif /* NSSWITCH_INTERNAL_H */ diff --git a/server/common/oursrc/nss_nonlocal/walk_nss.h b/server/common/oursrc/nss_nonlocal/walk_nss.h index 24cf4c5c..0e45d5b0 100644 --- a/server/common/oursrc/nss_nonlocal/walk_nss.h +++ b/server/common/oursrc/nss_nonlocal/walk_nss.h @@ -36,7 +36,7 @@ int old_errno = errno; if (!initialized) { - if (w.lookup(&startp, w.fct_name, &fct_start) != 0) { + if (w.lookup2(&startp, w.fct_name, NULL, &fct_start) != 0) { *w.status = NSS_STATUS_UNAVAIL; goto walk_nss_out; } @@ -79,8 +79,8 @@ } goto walk_nss_morebuf; } - } while (__nss_next(&nip, w.fct_name, &fct.ptr, *w.status, w.all_values) == - 0); + } while (__nss_next2(&nip, w.fct_name, NULL, &fct.ptr, *w.status, + w.all_values) == 0); if (w.buf != NULL && *w.status != NSS_STATUS_SUCCESS) { free(*w.buf); 
diff --git a/server/common/oursrc/scripts-krb5-localauth/Makefile.am b/server/common/oursrc/scripts-krb5-localauth/Makefile.am new file mode 100644 index 00000000..0b7b2d5d --- /dev/null +++ b/server/common/oursrc/scripts-krb5-localauth/Makefile.am @@ -0,0 +1,4 @@ +lib_LTLIBRARIES = libscripts-krb5-localauth.la +libscripts_krb5_localauth_la_SOURCES = localauth.c +libscripts_krb5_localauth_la_LDFLAGS = $(KRB5_LIBS) +libscripts_krb5_localauth_la_CPPFLAGS = $(KRB5_CFLAGS) diff --git a/server/common/oursrc/scripts-krb5-localauth/configure.ac b/server/common/oursrc/scripts-krb5-localauth/configure.ac new file mode 100644 index 00000000..ed22ebb3 --- /dev/null +++ b/server/common/oursrc/scripts-krb5-localauth/configure.ac @@ -0,0 +1,11 @@ +AC_INIT([scripts-krb5-localauth], [1.0]) +AM_INIT_AUTOMAKE([-Wall -Werror foreign]) + +AC_PROG_CC +m4_ifdef([AM_PROG_AR], [AM_PROG_AR]) +LT_INIT + +PKG_CHECK_MODULES([KRB5], [mit-krb5]) + +AC_CONFIG_FILES(Makefile) +AC_OUTPUT diff --git a/server/common/oursrc/scripts-krb5-localauth/localauth.c b/server/common/oursrc/scripts-krb5-localauth/localauth.c new file mode 100644 index 00000000..093a890c --- /dev/null +++ b/server/common/oursrc/scripts-krb5-localauth/localauth.c 
@@ -0,0 +1,61 @@ +#include +#include +#include +#include +#include +#include +#include + +static krb5_error_code +userok_scripts(krb5_context context, krb5_localauth_moddata data, + krb5_const_principal aname, const char *lname) { + // TODO: Return KRB5_PLUGIN_NO_HANDLE if some errors occur. + krb5_error_code result = EPERM; + char *princname = NULL; + char pwbuf[BUFSIZ]; + struct passwd pwx, *pwd; + int pid, status; + + /* Get the local user's homedir and uid. */ + if (getpwnam_r(lname, &pwx, pwbuf, sizeof(pwbuf), &pwd) != 0 || pwd == NULL) + goto cleanup; + + if (krb5_unparse_name(context, aname, &princname) != 0) + goto cleanup; + + if ((pid = fork()) == -1) + goto cleanup; + + if (pid == 0) { + char *args[4]; +#define ADMOF_PATH "/usr/local/sbin/ssh-admof" + args[0] = ADMOF_PATH; + args[1] = (char *) lname; + args[2] = princname; + args[3] = NULL; + execv(ADMOF_PATH, args); + exit(1); + } + + if (waitpid(pid, &status, 0) > 0 && WIFEXITED(status) && WEXITSTATUS(status) == 33) { + result = 0; + } + + cleanup: + free(princname); + return result; +} + +krb5_error_code +localauth_scripts_initvt(krb5_context context, int maj_ver, int min_ver, + krb5_plugin_vtable vtable) +{ + if (maj_ver == 1) { + krb5_localauth_vtable vt = (krb5_localauth_vtable)vtable; + + vt->name = "scripts"; + vt->userok = userok_scripts; + return 0; + } + return KRB5_PLUGIN_VER_NOTSUPP; +} diff --git a/server/common/oursrc/scripts-static-cat/Setup.hs b/server/common/oursrc/scripts-static-cat/Setup.hs deleted file mode 100644 index 9a994af6..00000000 --- a/server/common/oursrc/scripts-static-cat/Setup.hs +++ /dev/null @@ -1,2 +0,0 @@ -import Distribution.Simple -main = defaultMain diff --git a/server/common/oursrc/scripts-static-cat/StaticCat.hs b/server/common/oursrc/scripts-static-cat/StaticCat.hs deleted file mode 100644 index 22320c42..00000000 --- a/server/common/oursrc/scripts-static-cat/StaticCat.hs +++ /dev/null 
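Review bot: `exit(1)` after the failed `execv` in the forked child should be `_exit(1)`: this function runs inside whatever process loaded the plugin, and `exit()` would run that process's atexit handlers and flush its stdio buffers from the child. At `cleanup`, `free(princname)` should be `krb5_free_unparsed_name(context, princname)`, the release function that pairs with `krb5_unparse_name`. The child also inherits every descriptor the host process has open, so ssh-admof starts with all of them unless they are closed or marked close-on-exec before the `execv`, and `waitpid` returning -1 on EINTR currently denies access for a transient reason (`while ((rc = waitpid(pid, &status, 0)) == -1 && errno == EINTR) ;` with `pid` declared as `pid_t`). The comment "Get the local user's homedir and uid" overstates what happens: only existence is checked and `pwd` is never read, and with a fixed `pwbuf[BUFSIZ]` a long passwd entry fails with ERANGE and is denied; `/* Deny unless lname is a local account. */` describes the actual check.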
@@ -1,221 +0,0 @@ -{-# LANGUAGE DeriveDataTypeable, ViewPatterns #-} -{-# OPTIONS_GHC -O2 -Wall #-} - -import Prelude hiding (catch) -import Control.Applicative -import Control.Monad -import Control.Monad.CatchIO -import qualified Data.ByteString.Lazy as B -import Data.Char -import Data.Dynamic -import Data.Int -import qualified Data.Map as M -import Data.Time.Clock.POSIX -import Data.Time.Format -import Network.CGI -import Numeric -import System.FilePath -import System.IO -import System.IO.Error (isDoesNotExistError, isPermissionError) -import System.IO.Unsafe -import System.Locale -import System.Posix -import System.Posix.Handle - -types :: M.Map String String -types = M.fromList [ - (".avi", "video/x-msvideo"), - (".css", "text/css"), - (".doc", "application/msword"), - (".docm", "application/vnd.ms-word.document.macroEnabled.12"), - (".docx", "application/vnd.openxmlformats-officedocument.wordprocessingml.document"), - (".dot", "application/msword"), - (".dotm", "application/vnd.ms-word.template.macroEnabled.12"), - (".dotx", "application/vnd.openxmlformats-officedocument.wordprocessingml.template"), - (".eot", "application/vnd.ms-fontobject"), - (".gif", "image/gif"), - (".htm", "text/html"), - (".html", "text/html"), - (".ico", "image/vnd.microsoft.icon"), - (".il", "application/octet-stream"), - (".jar", "application/java-archive"), - (".jpeg", "image/jpeg"), - (".jpg", "image/jpeg"), - (".js", "application/javascript"), - (".mid", "audio/midi"), - (".midi", "audio/midi"), - (".mov", "video/quicktime"), - (".mp3", "audio/mpeg"), - (".mpeg", "video/mpeg"), - (".mpg", "video/mpeg"), - (".odb", "application/vnd.oasis.opendocument.database"), - (".odc", "application/vnd.oasis.opendocument.chart"), - (".odf", "application/vnd.oasis.opendocument.formula"), - (".odg", "application/vnd.oasis.opendocument.graphics"), - (".odi", "application/vnd.oasis.opendocument.image"), - (".odm", "application/vnd.oasis.opendocument.text-master"), - (".odp", 
"application/vnd.oasis.opendocument.presentation"), - (".ods", "application/vnd.oasis.opendocument.spreadsheet"), - (".odt", "application/vnd.oasis.opendocument.text"), - (".otf", "application/font-sfnt"), - (".otg", "application/vnd.oasis.opendocument.graphics-template"), - (".oth", "application/vnd.oasis.opendocument.text-web"), - (".otp", "application/vnd.oasis.opendocument.presentation-template"), - (".ots", "application/vnd.oasis.opendocument.spreadsheet-template"), - (".ott", "application/vnd.oasis.opendocument.text-template"), - (".pdf", "application/pdf"), - (".png", "image/png"), - (".pot", "application/vnd.ms-powerpoint"), - (".potm", "application/vnd.ms-powerpoint.template.macroEnabled.12"), - (".potx", "application/vnd.openxmlformats-officedocument.presentationml.template"), - (".ppa", "application/vnd.ms-powerpoint"), - (".ppam", "application/vnd.ms-powerpoint.addin.macroEnabled.12"), - (".pps", "application/vnd.ms-powerpoint"), - (".ppsm", "application/vnd.ms-powerpoint.slideshow.macroEnabled.12"), - (".ppsx", "application/vnd.openxmlformats-officedocument.presentationml.slideshow"), - (".ppt", "application/vnd.ms-powerpoint"), - (".pptm", "application/vnd.ms-powerpoint.presentation.macroEnabled.12"), - (".pptx", "application/vnd.openxmlformats-officedocument.presentationml.presentation"), - (".ps", "application/postscript"), - (".svg", "image/svg+xml"), - (".swf", "application/x-shockwave-flash"), - (".tar", "application/x-tar"), - (".tgz", "application/gzip"), - (".tif", "image/tiff"), - (".tiff", "image/tiff"), - (".ttf", "application/font-sfnt"), - (".wav", "audio/x-wav"), - (".wmv", "video/x-ms-wmv"), - (".woff", "application/font-woff"), - (".woff2", "font/woff2"), - (".xaml", "application/xaml+xml"), - (".xap", "application/x-silverlight-app"), - (".xhtml", "application/xhtml+xml"), - (".xla", "application/vnd.ms-excel"), - (".xlam", "application/vnd.ms-excel.addin.macroEnabled.12"), - (".xls", "application/vnd.ms-excel"), - (".xlsb", 
"application/vnd.ms-excel.sheet.binary.macroEnabled.12"), - (".xlsm", "application/vnd.ms-excel.sheet.macroEnabled.12"), - (".xlsx", "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet"), - (".xlt", "application/vnd.ms-excel"), - (".xltm", "application/vnd.ms-excel.template.macroEnabled.12"), - (".xltx", "application/vnd.openxmlformats-officedocument.spreadsheetml.template"), - (".xml", "text/xml"), - (".xsl", "application/xslt+xml"), - (".zip", "application/zip") - ] - -data MyError = NotModified | Forbidden | NotFound | BadMethod | BadRange - deriving (Show, Typeable) - -instance Exception MyError - -outputMyError :: MyError -> CGI CGIResult -outputMyError NotModified = setStatus 304 "Not Modified" >> outputNothing -outputMyError Forbidden = outputError 403 "Forbidden" [] -outputMyError NotFound = outputError 404 "Not Found" [] -outputMyError BadMethod = outputError 405 "Method Not Allowed" [] -outputMyError BadRange = outputError 416 "Requested Range Not Satisfiable" [] - -checkExtension :: FilePath -> CGI () -checkExtension file = - case M.lookup (map toLower (takeExtension file)) types of - Nothing -> throw Forbidden - Just t -> setHeader "Content-Type" t - -checkMethod :: CGI CGIResult -> CGI CGIResult -checkMethod rOutput = do - m <- requestMethod - case m of - "HEAD" -> rOutput >> outputNothing - "GET" -> rOutput - "POST" -> rOutput - _ -> throw BadMethod - -httpDate :: String -httpDate = "%a, %d %b %Y %H:%M:%S %Z" -formatHTTPDate :: EpochTime -> String -formatHTTPDate = formatTime defaultTimeLocale httpDate . - posixSecondsToUTCTime . realToFrac -parseHTTPDate :: String -> Maybe EpochTime -parseHTTPDate = (fromInteger . floor . utcTimeToPOSIXSeconds <$>) . 
- parseTime defaultTimeLocale httpDate - -checkModified :: EpochTime -> CGI () -checkModified mTime = do - setHeader "Last-Modified" $ formatHTTPDate mTime - (requestHeader "If-Modified-Since" >>=) $ maybe (return ()) $ \ims -> - when (parseHTTPDate ims >= Just mTime) $ throw NotModified - -checkIfRange :: EpochTime -> CGI (Maybe ()) -checkIfRange mTime = do - (requestHeader "If-Range" >>=) $ maybe (return $ Just ()) $ \ir -> - return $ if parseHTTPDate ir == Just mTime then Just () else Nothing - -parseRange :: String -> FileOffset -> Maybe (FileOffset, FileOffset) -parseRange (splitAt 6 -> ("bytes=", '-':(readDec -> [(len, "")]))) size = - Just (max 0 (size - len), size - 1) -parseRange (splitAt 6 -> ("bytes=", readDec -> [(a, "-")])) size = - Just (a, size - 1) -parseRange (splitAt 6 -> ("bytes=", readDec -> [(a, '-':(readDec -> [(b, "")]))])) size = - Just (a, min (size - 1) b) -parseRange _ _ = Nothing - -checkRange :: EpochTime -> FileOffset -> CGI (Maybe (FileOffset, FileOffset)) -checkRange mTime size = do - setHeader "Accept-Ranges" "bytes" - (requestHeader "Range" >>=) $ maybe (return Nothing) $ \range -> do - (checkIfRange mTime >>=) $ maybe (return Nothing) $ \() -> do - case parseRange range size of - Just (a, b) | a <= b -> return $ Just (a, b) - Just _ -> throw BadRange - Nothing -> return Nothing - -outputAll :: Handle -> FileOffset -> CGI CGIResult -outputAll h size = do - setHeader "Content-Length" $ show size - outputFPS =<< liftIO (B.hGetContents h) - --- | Lazily read a given number of bytes from the handle into a --- 'ByteString', then close the handle. 
-hGetClose :: Handle -> Int64 -> IO B.ByteString -hGetClose h len = do - contents <- B.hGetContents h - end <- unsafeInterleaveIO (hClose h >> return B.empty) - return (B.append (B.take len contents) end) - -outputRange :: Handle -> FileOffset -> Maybe (FileOffset, FileOffset) -> CGI CGIResult -outputRange h size Nothing = outputAll h size -outputRange h size (Just (a, b)) = do - let len = b - a + 1 - - setStatus 206 "Partial Content" - setHeader "Content-Range" $ - "bytes " ++ show a ++ "-" ++ show b ++ "/" ++ show size - setHeader "Content-Length" $ show len - liftIO $ hSeek h AbsoluteSeek (fromIntegral a) - outputFPS =<< liftIO (hGetClose h (fromIntegral len)) - -serveFile :: FilePath -> CGI CGIResult -serveFile file = (`catch` outputMyError) $ do - checkExtension file - - checkMethod $ do - - let handleOpenError e = - if isDoesNotExistError e then throw NotFound - else if isPermissionError e then throw Forbidden - else throw e - h <- liftIO (openBinaryFile file ReadMode) `catch` handleOpenError - (`onException` liftIO (hClose h)) $ do - - status <- liftIO $ hGetStatus h - let mTime = modificationTime status - size = fileSize status - checkModified mTime - - range <- checkRange mTime size - outputRange h size range - -main :: IO () -main = runCGI $ handleErrors $ serveFile =<< pathTranslated diff --git a/server/common/oursrc/scripts-static-cat/scripts-static-cat.cabal b/server/common/oursrc/scripts-static-cat/scripts-static-cat.cabal deleted file mode 100644 index 734acb25..00000000 --- a/server/common/oursrc/scripts-static-cat/scripts-static-cat.cabal +++ /dev/null 
@@ -1,23 +0,0 @@ -Name: scripts-static-cat -Version: 0.0 -Cabal-Version: >= 1.2 -Build-Type: Simple -License: GPL -Copyright: © 2010, Anders Kaseorg -Author: Anders Kaseorg -Maintainer: scripts@mit.edu - -Executable static-cat - Main-Is: StaticCat.hs - GHC-Options: -Wall -O2 - Build-Depends: - base >= 4, - bytestring, - cgi >= 3001.1.8, - containers, - filepath, - MonadCatchIO-mtl, - old-locale, - time, - unix, - unix-handle diff --git a/server/common/oursrc/scripts-static-cat/static-cat.go b/server/common/oursrc/scripts-static-cat/static-cat.go new file mode 100644 index 00000000..b1007101 --- /dev/null +++ b/server/common/oursrc/scripts-static-cat/static-cat.go 
@@ -0,0 +1,142 @@ +package main + +import ( + "log" + "net/http" + "net/http/cgi" + "os" + "path" + "strings" +) + +var mimeTypes = map[string]string{ + ".avi": "video/x-msvideo", + ".css": "text/css", + ".doc": "application/msword", + ".docm": "application/vnd.ms-word.document.macroEnabled.12", + ".docx": "application/vnd.openxmlformats-officedocument.wordprocessingml.document", + ".dot": "application/msword", + ".dotm": "application/vnd.ms-word.template.macroEnabled.12", + ".dotx": "application/vnd.openxmlformats-officedocument.wordprocessingml.template", + ".eot": "application/vnd.ms-fontobject", + ".gif": "image/gif", + ".htm": "text/html", + ".html": "text/html", + ".ico": "image/vnd.microsoft.icon", + ".il": "application/octet-stream", + ".jar": "application/java-archive", + ".jpeg": "image/jpeg", + ".jpg": "image/jpeg", + ".js": "application/javascript", + ".mid": "audio/midi", + ".midi": "audio/midi", + ".mov": "video/quicktime", + ".mp3": "audio/mpeg", + ".mpeg": "video/mpeg", + ".mpg": "video/mpeg", + ".odb": "application/vnd.oasis.opendocument.database", + ".odc": "application/vnd.oasis.opendocument.chart", + ".odf": "application/vnd.oasis.opendocument.formula", + ".odg": "application/vnd.oasis.opendocument.graphics", + ".odi": "application/vnd.oasis.opendocument.image", + ".odm": "application/vnd.oasis.opendocument.text-master", + ".odp": "application/vnd.oasis.opendocument.presentation", + ".ods": "application/vnd.oasis.opendocument.spreadsheet", + ".odt": "application/vnd.oasis.opendocument.text", + ".otf": "application/font-sfnt", + ".otg": "application/vnd.oasis.opendocument.graphics-template", + ".oth": "application/vnd.oasis.opendocument.text-web", + ".otp": "application/vnd.oasis.opendocument.presentation-template", + ".ots": "application/vnd.oasis.opendocument.spreadsheet-template", + ".ott": "application/vnd.oasis.opendocument.text-template", + ".pdf": "application/pdf", + ".png": "image/png", + ".pot": "application/vnd.ms-powerpoint", + 
".potm": "application/vnd.ms-powerpoint.template.macroEnabled.12", + ".potx": "application/vnd.openxmlformats-officedocument.presentationml.template", + ".ppa": "application/vnd.ms-powerpoint", + ".ppam": "application/vnd.ms-powerpoint.addin.macroEnabled.12", + ".pps": "application/vnd.ms-powerpoint", + ".ppsm": "application/vnd.ms-powerpoint.slideshow.macroEnabled.12", + ".ppsx": "application/vnd.openxmlformats-officedocument.presentationml.slideshow", + ".ppt": "application/vnd.ms-powerpoint", + ".pptm": "application/vnd.ms-powerpoint.presentation.macroEnabled.12", + ".pptx": "application/vnd.openxmlformats-officedocument.presentationml.presentation", + ".ps": "application/postscript", + ".svg": "image/svg+xml", + ".swf": "application/x-shockwave-flash", + ".tar": "application/x-tar", + ".tgz": "application/gzip", + ".tif": "image/tiff", + ".tiff": "image/tiff", + ".ttf": "application/font-sfnt", + ".wav": "audio/x-wav", + ".wmv": "video/x-ms-wmv", + ".woff": "application/font-woff", + ".woff2": "font/woff2", + ".xaml": "application/xaml+xml", + ".xap": "application/x-silverlight-app", + ".xhtml": "application/xhtml+xml", + ".xla": "application/vnd.ms-excel", + ".xlam": "application/vnd.ms-excel.addin.macroEnabled.12", + ".xls": "application/vnd.ms-excel", + ".xlsb": "application/vnd.ms-excel.sheet.binary.macroEnabled.12", + ".xlsm": "application/vnd.ms-excel.sheet.macroEnabled.12", + ".xlsx": "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet", + ".xlt": "application/vnd.ms-excel", + ".xltm": "application/vnd.ms-excel.template.macroEnabled.12", + ".xltx": "application/vnd.openxmlformats-officedocument.spreadsheetml.template", + ".xml": "text/xml", + ".xsl": "application/xslt+xml", + ".zip": "application/zip", +} + +func writeError(w http.ResponseWriter, err error) { + if os.IsNotExist(err) { + http.Error(w, "404 Not Found", http.StatusNotFound) + return + } + if os.IsPermission(err) { + http.Error(w, "403 Forbidden", http.StatusForbidden) + 
return + } + http.Error(w, "500 Internal Server Error", http.StatusInternalServerError) +} + +func handle(w http.ResponseWriter, r *http.Request) { + p := os.Getenv("PATH_TRANSLATED") + ext := path.Ext(p) + mime := mimeTypes[strings.ToLower(ext)] + if mime == "" { + http.Error(w, "403 Forbidden Extension", http.StatusForbidden) + return + } + // Explicitly set the content-type; otherwise ServeContent + // will attempt to infer from the file's magic. + w.Header().Set("Content-Type", mime) + // Open and stat the file. + f, err := os.Open(p) + if err != nil { + writeError(w, err) + return + } + defer f.Close() + d, err := f.Stat() + if err != nil { + writeError(w, err) + return + } + // Check to make sure it's a regular file we're trying to serve. + if !d.Mode().IsRegular() { + http.Error(w, "403 Forbidden Mode", http.StatusForbidden) + return + } + // Standard library handles range, if-modified-since, etc. + http.ServeContent(w, r, "", d.ModTime(), f) +} + +func main() { + if err := cgi.Serve(http.HandlerFunc(handle)); err != nil { + log.Fatal(err) + } +} diff --git a/server/common/oursrc/scripts-wizard/.keep b/server/common/oursrc/scripts-wizard/keep similarity index 100% rename from server/common/oursrc/scripts-wizard/.keep rename to server/common/oursrc/scripts-wizard/keep diff --git a/server/common/oursrc/shackle/Makefile.am b/server/common/oursrc/shackle/Makefile.am new file mode 100644 index 00000000..7533d1f9 --- /dev/null +++ b/server/common/oursrc/shackle/Makefile.am @@ -0,0 +1,8 @@ +if HAVE_SYSTEMD +systemdsystemunit_DATA = \ + shackle.service \ + shackle.socket +endif + +dist_sbin_SCRIPTS = \ + shackle diff --git a/server/common/oursrc/shackle/configure.ac b/server/common/oursrc/shackle/configure.ac new file mode 100644 index 00000000..06f58c33 --- /dev/null +++ b/server/common/oursrc/shackle/configure.ac 
@@ -0,0 +1,13 @@ +AC_INIT([shackle], [1.0]) +AM_INIT_AUTOMAKE([foreign]) + +PKG_PROG_PKG_CONFIG +AC_ARG_WITH([systemdsystemunitdir], + AS_HELP_STRING([--with-systemdsystemunitdir=DIR], [Directory for systemd service files]), + [], [with_systemdsystemunitdir=$($PKG_CONFIG --variable=systemdsystemunitdir systemd)]) +AC_SUBST([systemdsystemunitdir], [$with_systemdsystemunitdir]) +AM_CONDITIONAL(HAVE_SYSTEMD, [test -n "$with_systemdsystemunitdir"]) + +AC_CONFIG_FILES([Makefile + shackle.service]) +AC_OUTPUT diff --git a/server/common/oursrc/shackle/shackle b/server/common/oursrc/shackle/shackle new file mode 100755 index 00000000..8a9550b3 --- /dev/null +++ b/server/common/oursrc/shackle/shackle 
@@ -0,0 +1,257 @@ +#!/usr/bin/python3 + +import copy +import ctypes +import pwd +import socket +from socket import AF_INET, AF_INET6, inet_pton +import struct +import sys +import syslog +from twisted.internet import address, error, reactor, udp +from twisted.names import client, dns, server +from twisted.python import log, systemd + +DBL_MIN_TIMEOUT_SECS = 0.5 + +try: + libpsl = ctypes.cdll.LoadLibrary("libpsl.so.5") +except OSError: + libpsl = ctypes.cdll.LoadLibrary("libpsl.so.0") + + +class psl_ctx_t(ctypes.Structure): + pass + + +psl_builtin = libpsl.psl_builtin +psl_builtin.restype = ctypes.POINTER(psl_ctx_t) +psl_builtin.argtypes = () + +psl_registrable_domain = libpsl.psl_registrable_domain +psl_registrable_domain.restype = ctypes.c_char_p +psl_registrable_domain.argtypes = (ctypes.POINTER(psl_ctx_t), ctypes.c_char_p) + +LOG_AUTHPRIV = 80 + +addrFamily = {address.IPv4Address: AF_INET, address.IPv6Address: AF_INET6} +tableFile = { + (AF_INET, "UDP"): "/proc/net/udp", + (AF_INET6, "UDP"): "/proc/net/udp6", + (AF_INET, "TCP"): "/proc/net/tcp", + (AF_INET6, "TCP"): "/proc/net/tcp6", +} + +MIN_UNSCRUPULOUS = inet_pton(AF_INET, "127.0.1.0") +MAX_UNSCRUPULOUS = inet_pton(AF_INET, "127.0.1.99") + +dblExplain = { + inet_pton(AF_INET, "127.0.1.2"): "spam domain", + inet_pton(AF_INET, "127.0.1.4"): "phish domain", + inet_pton(AF_INET, "127.0.1.5"): "malware domain", + inet_pton(AF_INET, "127.0.1.6"): "botnet C&C domain", + inet_pton(AF_INET, "127.0.1.102"): "abused legit spam", + inet_pton(AF_INET, "127.0.1.103"): "abused spammed redirector domain", + inet_pton(AF_INET, "127.0.1.104"): "abused legit phish", + inet_pton(AF_INET, "127.0.1.105"): "abused legit malware", + inet_pton(AF_INET, "127.0.1.106"): "abused legit botnet C&C", + inet_pton(AF_INET, "127.0.1.255"): "IP queries prohibited!", +} + + +class MousetrapQuery(object): + def __init__(self, factory, message, protocol, address, peer, query, domain): + self.factory = factory + self.message = message + 
self.protocol = protocol + self.address = address + self.peer = peer + self.query = query + self.done = False + self.dblDone = False + self.deferred = self.factory.resolver.query(query).addCallbacks( + self.gotResponse, self.gotError + ) + self.dblDeferred = self.factory.resolver.query( + dns.Query(domain + b".dbl.spamhaus.org") + ).addCallbacks(self.gotDBLResponse, self.gotDBLError) + self.timeoutCall = reactor.callLater(DBL_MIN_TIMEOUT_SECS, self.timeoutDBL) + + def update(self): + if self.done and self.dblDone: + if self.ok: + self.factory.gotResolverResponse( + self.result, self.message, self.protocol, self.address + ) + else: + self.factory.gotResolverError( + self.result, self.message, self.protocol, self.address + ) + + def gotResponse(self, response): + self.done = True + self.ok = True + self.result = response + self.update() + + def gotError(self, fail): + self.done = True + self.ok = False + self.result = fail + self.update() + + def gotDBLResponse(self, response): + family = addrFamily[type(self.peer)] + packed = inet_pton(family, self.peer.host) + chunks = len(packed) // 4 + src_hex = ( # WTF? 
+ ("{:08X}" * chunks).format(*struct.unpack("<{}I".format(chunks), packed)) + + ":{:04X}".format(self.peer.port) + ).encode() + src0_hex = ("0" * 8 * chunks + ":{:04X}".format(self.peer.port)).encode() + + with open(tableFile[family, self.peer.type], "rb") as f: + for line in f: + line = line.split() + if line[1] == src_hex or line[1] == src0_hex: + uid = int(line[7]) + break + else: + return + + try: + username = pwd.getpwuid(uid).pw_name + except KeyError: + username = None + user = "%d" % uid + else: + user = "%d %r" % (uid, username) + + dblAddress = response[0][0].payload.address + if MIN_UNSCRUPULOUS <= dblAddress <= MAX_UNSCRUPULOUS and username not in [ + "postfix", + "sa-milt", + ]: + syslog.syslog( + syslog.LOG_WARNING | LOG_AUTHPRIV, + "unscrupulous query %r (%s) by uid %s" + % (str(self.query.name), dblExplain.get(dblAddress), user), + ) + + self.dblDone = True + self.timeoutCall.cancel() + self.update() + + def gotDBLError(self, fail): + self.dblDone = True + self.timeoutCall.cancel() + self.update() + + def timeoutDBL(self): + self.dblDone = True + self.dblDeferred.cancel() + self.update() + + +class MousetrapDNSServerFactory(server.DNSServerFactory, object): + def __init__(self, resolver, verbose=0): + super(MousetrapDNSServerFactory, self).__init__(verbose=verbose) + self.psl = psl_builtin() + assert self.psl, "Could not load public suffix list" + self.resolver = resolver + self.canRecurse = True + + def handleQuery(self, message, protocol, address): + if address: + peer = copy.copy(protocol.transport.getHost()) + peer.host, peer.port = address + else: + peer = protocol.transport.getPeer() + query = message.queries[0] + domain = psl_registrable_domain(self.psl, query.name.name) + if domain is None or domain.endswith(b".in-addr.arpa"): + return ( + self.resolver.query(query) + .addCallback(self.gotResolverResponse, protocol, message, address) + .addErrback(self.gotResolverError, protocol, message, address) + ) + else: + MousetrapQuery(self, protocol, 
message, address, peer, query, domain) + + +try: + adoptDatagramPort = reactor.adoptDatagramPort +except AttributeError: + + class PreexistingUDPPort(udp.Port): + @classmethod + def _fromListeningDescriptor( + cls, reactor, fd, addressFamily, protocol, maxPacketSize + ): + port = socket.fromfd(fd, addressFamily, cls.socketType) + interface = port.getsockname()[0] + self = cls( + None, + protocol, + interface=interface, + reactor=reactor, + maxPacketSize=maxPacketSize, + ) + self._preexistingSocket = port + return self + + def _bindSocket(self): + if self._preexistingSocket is None: + super(PreexistingUDPPort, self)._bindSocket() + else: + skt = self._preexistingSocket + self._preexistingSocket = None + self._realPortNumber = skt.getsockname()[1] + + log.msg( + "%s starting on %s" + % (self._getLogPrefix(self.protocol), self._realPortNumber) + ) + + self.connected = 1 + self.socket = skt + self.fileno = self.socket.fileno + + def adoptDatagramPort(fileDescriptor, addressFamily, protocol, maxPacketSize=8192): + if addressFamily not in (AF_INET, AF_INET6): + raise error.UnsupportedAddressFamily(addressFamily) + + p = PreexistingUDPPort._fromListeningDescriptor( + reactor, + fileDescriptor, + addressFamily, + protocol, + maxPacketSize=maxPacketSize, + ) + p.startListening() + return p + + +def main(): + upstreamAddr = sys.argv[1] + upstreamPort = int(sys.argv[2]) + syslog.openlog("shackle") + resolver = client.Resolver(servers=[(upstreamAddr, upstreamPort)]) + factory = MousetrapDNSServerFactory(resolver) + + for fd, domain, type in zip( + systemd.ListenFDs.fromEnvironment().inheritedDescriptors(), + sys.argv[3::2], + sys.argv[4::2], + ): + family = getattr(socket, "AF_" + domain) + if type == "DGRAM": + adoptDatagramPort(fd, family, dns.DNSDatagramProtocol(controller=factory)) + elif type == "STREAM": + reactor.adoptStreamPort(fd, family, factory) + + reactor.run() + + +if __name__ == "__main__": + main() 
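Review bot: In `gotDBLResponse` the `for … else: return` taken when the peer's socket is not found in the /proc table leaves before `self.dblDone = True` and `self.timeoutCall.cancel()`, so every such query (and any query where the body raises, e.g. an empty answer section at `response[0][0]`) is held until `timeoutDBL` fires after DBL_MIN_TIMEOUT_SECS. When that timer does fire, `self.dblDeferred.cancel()` most likely errbacks synchronously into `gotDBLError`, whose `self.timeoutCall.cancel()` then runs against the currently executing DelayedCall and raises `AlreadyCalled` into the Deferred. I would factor the completion into one idempotent `finishDBL()` used by all three paths and wrap the table scan in `try/finally`, as below. Separately, `MousetrapQuery(self, protocol, message, …)` in `handleQuery` passes `protocol` into the constructor's `message` parameter and vice versa; it only works because `update()` swaps them back when calling `gotResolverResponse`, so `MousetrapQuery(self, message, protocol, address, peer, query, domain)` together with `(self.result, self.protocol, self.message, self.address)` in `update()` would make the code read as it runs.
```python
    def gotDBLResponse(self, response):
        try:
            self.checkDBLResponse(response)
        finally:
            self.finishDBL()

    def checkDBLResponse(self, response):
        # … unchanged: /proc/net table scan, uid -> username, syslog of unscrupulous queries …

    def gotDBLError(self, fail):
        self.finishDBL()

    def timeoutDBL(self):
        # cancel() may synchronously errback into gotDBLError -> finishDBL
        self.dblDeferred.cancel()
        self.finishDBL()

    def finishDBL(self):
        # Idempotent: reached from the response, error and timeout paths.
        if self.dblDone:
            return
        self.dblDone = True
        if self.timeoutCall.active():
            self.timeoutCall.cancel()
        self.update()
```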
diff --git a/server/common/oursrc/shackle/shackle.service.in b/server/common/oursrc/shackle/shackle.service.in
new file mode 100644
index 00000000..52599005
--- /dev/null
+++ b/server/common/oursrc/shackle/shackle.service.in
@@ -0,0 +1,13 @@
+[Unit]
+Description=Shackle DBL DNS resolver socket
+After=shackle.socket
+Requires=shackle.socket
+
+[Service]
+ExecStart=@sbindir@/shackle 127.0.0.1 54 INET STREAM INET DGRAM
+NonBlocking=true
+User=nobody
+Group=nobody
+
+[Install]
+WantedBy=multi-user.target
diff --git a/server/common/oursrc/shackle/shackle.socket b/server/common/oursrc/shackle/shackle.socket
new file mode 100644
index 00000000..0a59f042
--- /dev/null
+++ b/server/common/oursrc/shackle/shackle.socket
@@ -0,0 +1,10 @@
+[Unit]
+Description=Shackle DBL DNS resolver socket
+PartOf=shackle.service
+
+[Socket]
+ListenStream=127.0.0.1:53
+ListenDatagram=127.0.0.1:53
+
+[Install]
+WantedBy=sockets.target
diff --git a/server/common/oursrc/sql-signup/Makefile b/server/common/oursrc/sql-signup/Makefile
deleted file mode 100644
index c3890311..00000000
--- a/server/common/oursrc/sql-signup/Makefile
+++ /dev/null
@@ -1,12 +0,0 @@
-install:
- install -Dpm 644 sql-signup-capps ${DESTDIR}/etc/security/console.apps/sql-signup
- install -Dpm 644 sql-signup-pam ${DESTDIR}/etc/pam.d/sql-signup
- install -DpT sql-signup-sbin ${DESTDIR}/usr/sbin/sql-signup
- mkdir -p ${DESTDIR}/usr/bin
- ln -nfs /usr/bin/consolehelper ${DESTDIR}/usr/bin/sql-signup
-
-clean:
- rm -f ${DESTDIR}/usr/bin/sql-signup
- rm -f ${DESTDIR}/usr/sbin/sql-signup
- rm -f ${DESTDIR}/etc/pam.d/sql-signup
- rm -f ${DESTDIR}/etc/security/console.apps/sql-signup
diff --git a/server/common/oursrc/sql-signup/sql-signup-capps b/server/common/oursrc/sql-signup/sql-signup-capps
deleted file mode 100644
index 3adec689..00000000
--- a/server/common/oursrc/sql-signup/sql-signup-capps
+++ /dev/null
@@ -1 +0,0 @@
-PROGRAM=/usr/sbin/sql-signup
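Review bot: `Description=Shackle DBL DNS resolver socket` in shackle.service.in is copied from shackle.socket; the service unit should read `Description=Shackle DBL DNS resolver`. The positional `INET STREAM INET DGRAM` arguments on `ExecStart=` depend on systemd handing over the inherited descriptors in the same order as the `ListenStream=`/`ListenDatagram=` lines in shackle.socket, which deserves a comment in the unit (`# argument pairs must match the Listen* order in shackle.socket`) since nothing else ties the two files together. Because this runs a resolver on 127.0.0.1:53 as `nobody` and only needs to read the /proc/net tables, `NoNewPrivileges=yes` and `ProtectSystem=strict` under `[Service]` would limit what a fault in the Python process can reach, assuming the target systemd version supports them.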
diff --git a/server/common/oursrc/sql-signup/sql-signup-pam b/server/common/oursrc/sql-signup/sql-signup-pam deleted file mode 100644 index eb0fd434..00000000 --- a/server/common/oursrc/sql-signup/sql-signup-pam +++ /dev/null @@ -1,5 +0,0 @@ -#%PAM-1.0 -auth sufficient pam_succeed_if.so uid >= 1000 quiet -auth include config-util -account include config-util -session include config-util diff --git a/server/common/oursrc/sql-signup/sql-signup-sbin b/server/common/oursrc/sql-signup/sql-signup-sbin deleted file mode 100755 index 491f4220..00000000 --- a/server/common/oursrc/sql-signup/sql-signup-sbin +++ /dev/null @@ -1,23 +0,0 @@ -#!/usr/bin/python - -from pwd import getpwuid -from os import getenv, setuid, setgid, execv -from sys import exit - -SQLUID = 537704221 -SQLGID = 537704221 -SQLBIN = '/afs/athena.mit.edu/contrib/sql/Scripts/checkout/web/main/batch/signup.php' - -caller = int(getenv('USERHELPER_UID')) -if caller is None or caller == 0: - exit('No user specified.') -else: - pw = getpwuid(caller) - (user_name, user_uid, user_gid) = (pw[0], pw[2], pw[3]) - - if len(user_name) and user_uid > 1000: - setgid(SQLGID) - setuid(SQLUID) - execv(SQLBIN, [SQLBIN, str(user_name), str(user_uid), str(user_gid)]) - else: - print 'Invalid UID:', user_uid diff --git a/server/common/oursrc/tokensys/configure.in b/server/common/oursrc/tokensys/configure.in index 8c60b3e9..ed66ec67 100644 --- a/server/common/oursrc/tokensys/configure.in +++ b/server/common/oursrc/tokensys/configure.in @@ -15,6 +15,14 @@ AC_ARG_WITH(kinit, ]) REQUIRE_PATH(kinit) +AC_ARG_WITH(klist, +[ --with-klist[=PATH] klist is located at PATH],[ + if test "$withval" != "no" -a "$withval" != "yes"; then + klist_path="$withval" + fi +]) +REQUIRE_PATH(klist) + AC_ARG_WITH(aklog, [ --with-aklog[=PATH] aklog is located at PATH],[ if test "$withval" != "no" -a "$withval" != "yes"; then diff --git a/server/common/oursrc/tokensys/renew.in b/server/common/oursrc/tokensys/renew.in index f8e1c257..e73f6cca 100644 
--- a/server/common/oursrc/tokensys/renew.in +++ b/server/common/oursrc/tokensys/renew.in @@ -6,11 +6,13 @@ export KRB5CCNAME=/home/afsagent/krb5cc export KRBTKFILE=/home/afsagent/tkt +princ="$(@klist_path@ -k /etc/daemon.keytab | awk 'NR == 4 { print $2 }')" + # Option #1: invoke kinit with a password -#echo "password" | @kinit_path@ >/dev/null daemon/scripts.mit.edu +#echo "password" | @kinit_path@ >/dev/null "$princ" # Option #2: invoke kinit with a keytab -@kinit_path@ -k -t /etc/daemon.keytab daemon/scripts.mit.edu +@kinit_path@ -k -t /etc/daemon.keytab "$princ" # Obtain AFS tokens @aklog_path@ diff --git a/server/common/oursrc/tokensys/scripts-afsagent-startup.in b/server/common/oursrc/tokensys/scripts-afsagent-startup.in index 531702d6..ae900812 100644 --- a/server/common/oursrc/tokensys/scripts-afsagent-startup.in +++ b/server/common/oursrc/tokensys/scripts-afsagent-startup.in 
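Review bot: `princ="$(@klist_path@ -k /etc/daemon.keytab | awk 'NR == 4 { print $2 }')"` silently yields an empty string if klist fails or prints a different layout, and the following `@kinit_path@ -k -t /etc/daemon.keytab "$princ"` then runs with an empty principal argument; add `[ -n "$princ" ] || { echo "renew: no principal found in /etc/daemon.keytab" >&2; exit 1; }` after the assignment. The `NR == 4` also means the first keytab entry is taken whatever it is, which is only correct while the keytab holds a single principal — a comment stating that assumption (`# first entry in the keytab; assumes a single-principal keytab`) would help the next person who adds a key.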
@@ -2,6 +2,6 @@ /sbin/sysctl -q afs.GCPAGs=0 @fs_path@ setcrypt on -@fs_path@ sysname 'amd64_fedora20_scripts' 'amd64_fedora17_scripts' 'amd64_fedora15_scripts' 'amd64_fedora13_scripts' 'amd64_fedora11_scripts' 'amd64_fedora9_scripts' 'amd64_fedora7_scripts' 'scripts' 'amd64_fedora20' 'amd64_fedora17' 'amd64_fedora15' 'amd64_fedora13' 'amd64_fedora11' 'amd64_fedora9' 'amd64_fedora7' 'amd64_linux26' 'i386_deb60' 'i386_deb50' 'i386_deb40' 'i386_rhel4' 'i386_rhel3' 'i386_rh9' 'i386_linux26' 'i386_linux24' 'i386_linux22' 'i386_linux3' 'i386_linux2' +@fs_path@ sysname 'amd64_fedora30_scripts' 'amd64_fedora20_scripts' 'amd64_fedora17_scripts' 'amd64_fedora15_scripts' 'amd64_fedora13_scripts' 'amd64_fedora11_scripts' 'amd64_fedora9_scripts' 'amd64_fedora7_scripts' 'scripts' 'amd64_fedora30' 'amd64_fedora20' 'amd64_fedora17' 'amd64_fedora15' 'amd64_fedora13' 'amd64_fedora11' 'amd64_fedora9' 'amd64_fedora7' 'amd64_linux26' 'i386_deb60' 'i386_deb50' 'i386_deb40' 'i386_rhel4' 'i386_rhel3' 'i386_rh9' 'i386_linux26' 'i386_linux24' 'i386_linux22' 'i386_linux3' 'i386_linux2' @fs_path@ setcell -nosuid -c athena diff --git a/server/common/oursrc/tokensys/scripts-afsagent-startup.service b/server/common/oursrc/tokensys/scripts-afsagent-startup.service index 287d1bf6..74c9073c 100644 --- a/server/common/oursrc/tokensys/scripts-afsagent-startup.service +++ b/server/common/oursrc/tokensys/scripts-afsagent-startup.service @@ -1,12 +1,14 @@ [Unit] Description=Scripts AFS Configuration Service After=syslog.target openafs-client.service -Before=remote-fs.target +Before=remote-fs.target scripts-afsagent.service Requires=openafs-client.service +Wants=scripts-afsagent.service [Service] Type=oneshot ExecStart=/usr/local/libexec/scripts-afsagent-startup +RemainAfterExit=yes [Install] WantedBy=multi-user.target remote-fs.target diff --git a/server/common/oursrc/tokensys/scripts-afsagent.service b/server/common/oursrc/tokensys/scripts-afsagent.service index 7d1f5cc5..58b78cb4 100644 
--- a/server/common/oursrc/tokensys/scripts-afsagent.service +++ b/server/common/oursrc/tokensys/scripts-afsagent.service @@ -3,6 +3,7 @@ Description=Scripts afsagent Service After=syslog.target openafs-client.service Before=remote-fs.target Requires=openafs-client.service +ConditionPathExists=/etc/daemon.keytab [Service] Type=oneshot diff --git a/server/common/oursrc/whoisd/.gitignore b/server/common/oursrc/whoisd/.gitignore deleted file mode 100644 index ac63c975..00000000 --- a/server/common/oursrc/whoisd/.gitignore +++ /dev/null @@ -1,2 +0,0 @@ -/configure -/autom4te.cache diff --git a/server/common/oursrc/whoisd/Makefile.in b/server/common/oursrc/whoisd/Makefile.in deleted file mode 100644 index 137382a5..00000000 --- a/server/common/oursrc/whoisd/Makefile.in +++ /dev/null @@ -1,7 +0,0 @@ -install: - install -Dpm 644 whoisd.tac ${DESTDIR}@libexecdir@/whoisd.tac - install -Dpm 644 scripts-whoisd.service ${DESTDIR}/lib/systemd/system/scripts-whoisd.service - -clean: - rm -f ${DESTDIR}@libexecdir@/whoisd.tac - rm -f ${DESTDIR}/lib/systemd/system/scripts-whoisd.service diff --git a/server/common/oursrc/whoisd/configure.in b/server/common/oursrc/whoisd/configure.in deleted file mode 100644 index 1d4c7959..00000000 --- a/server/common/oursrc/whoisd/configure.in +++ /dev/null @@ -1,2 +0,0 @@ -AC_INIT() -AC_OUTPUT(Makefile) diff --git a/server/common/oursrc/whoisd/crontab b/server/common/oursrc/whoisd/crontab deleted file mode 100644 index d5faf418..00000000 --- a/server/common/oursrc/whoisd/crontab +++ /dev/null @@ -1 +0,0 @@ -@reboot root /usr/bin/twistd -l /var/log/scripts-whoisd.log --pidfile /var/run/whoisd.pid -y /usr/local/libexec/whoisd.tac diff --git a/server/common/oursrc/whoisd/mrproper b/server/common/oursrc/whoisd/mrproper deleted file mode 100755 index 46a05848..00000000 --- a/server/common/oursrc/whoisd/mrproper +++ /dev/null @@ -1,4 +0,0 @@ -#!/bin/sh - -rm -f configure config.* Makefile -rm -rf auto*.cache 
diff --git a/server/common/oursrc/whoisd/scripts-whoisd.service b/server/common/oursrc/whoisd/scripts-whoisd.service
deleted file mode 100644
index 972ef74c..00000000
--- a/server/common/oursrc/whoisd/scripts-whoisd.service
+++ /dev/null
@@ -1,10 +0,0 @@
-[Unit]
-Description=Scripts whois Service
-After=syslog.target dirsrv.service
-
-[Service]
-Type=simple
-ExecStart=/usr/bin/twistd --nodaemon -l /var/log/scripts-whoisd.log --pidfile /var/run/whoisd.pid -y /usr/local/libexec/whoisd.tac
-
-[Install]
-WantedBy=multi-user.target
diff --git a/server/common/oursrc/whoisd/whoisd.tac b/server/common/oursrc/whoisd/whoisd.tac
deleted file mode 100644
index 43bac7f3..00000000
--- a/server/common/oursrc/whoisd/whoisd.tac
+++ /dev/null
@@ -1,73 +0,0 @@ -from twisted.application import internet, service -from twisted.internet import protocol, reactor, defer -from twisted.protocols import basic -import ldap, ldap.filter -import posixpath - -class WhoisProtocol(basic.LineReceiver): - def lineReceived(self, hostname): - (key, hostname) = hostname.split('=',2) - if key != self.factory.key: - self.transport.write("Unauthorized to use whois"+"\r\n") - self.transport.loseConnection() - else: - self.factory.getWhois(hostname - ).addErrback(lambda _: "Internal error in server" - ).addCallback(lambda m: - (self.transport.write(m+"\r\n"), - self.transport.loseConnection())) -class WhoisFactory(protocol.ServerFactory): - protocol = WhoisProtocol - def __init__(self, ldap_URL, ldap_base, keyFile): - self.ldap_URL = ldap_URL - self.ldap = ldap.initialize(self.ldap_URL) - self.ldap_base = ldap_base - self.key = file(keyFile).read() - def canonicalize(self, vhost): - vhost = vhost.lower().rstrip(".") - return vhost -# if vhost.endswith(".mit.edu"): -# return vhost -# else: -# return vhost + ".mit.edu" - def searchLDAP(self, vhost): - attrlist = ('scriptsVhostName', 'homeDirectory', 'scriptsVhostDirectory', 'uid') - results = self.ldap.search_st(self.ldap_base, ldap.SCOPE_SUBTREE, - ldap.filter.filter_format( - '(|(scriptsVhostName=%s)(scriptsVhostAlias=%s))', (vhost,)*2), - attrlist=attrlist, timeout=5) - if len(results) >= 1: - result = results[0] - attrs = result[1] - for attr in attrlist: - attrs[attr] = attrs[attr][0] - return attrs - else: - return None - def getWhois(self, vhost): - vhost = self.canonicalize(vhost) - info = None - tries = 0 - while (tries < 3) and not info: - tries += 1 - try: - info = self.searchLDAP(vhost) - break - except (ldap.TIMEOUT, ldap.SERVER_DOWN): - self.ldap.unbind() - self.ldap = ldap.initialize(self.ldap_URL) - if info: - ret = "Hostname: %s\nAlias: %s\nLocker: %s\nDocument Root: %s" % \ - (info['scriptsVhostName'], vhost, info['uid'], - posixpath.join(info['homeDirectory'], 
'web_scripts', info['scriptsVhostDirectory'])) - elif tries == 3: - ret = "The whois server is experiencing problems looking up LDAP records.\nPlease contact scripts@mit.edu for help if this problem persists." - else: - ret = "No such hostname" - return defer.succeed(ret) - -application = service.Application('whois', uid=99, gid=99) -factory = WhoisFactory( - "ldap://localhost", "ou=VirtualHosts,dc=scripts,dc=mit,dc=edu", "/etc/whoisd-password") -internet.TCPServer(43, factory).setServiceParent( - service.IServiceCollection(application)) diff --git a/server/common/patches/389-ds-indirect-cos.patch b/server/common/patches/389-ds-indirect-cos.patch deleted file mode 100644 index b816a3a1..00000000 --- a/server/common/patches/389-ds-indirect-cos.patch +++ /dev/null 
@@ -1,267 +0,0 @@ -From a9cd2ffd227c19a458b27415dedaaf4a6b4778ec Mon Sep 17 00:00:00 2001 -From: Mark Reynolds -Date: Thu, 11 Jun 2015 12:28:07 -0400 -Subject: [PATCH] Ticket 47921 - indirect cos does not reflect changes in the - cos attribute - -Bug Description: Indirect cos results are incorrectly cached, so any changes - to entries that are indirect are not returned to the client. - -Fix Description: Do not cache the vattr result if it came from a indirect cos - definition. - -https://fedorahosted.org/389/ticket/47921 - -Reviewed by: ? ---- - dirsrvtests/tickets/ticket47921_test.py | 155 ++++++++++++++++++++++++++++++++ - ldap/servers/plugins/cos/cos_cache.c | 26 ++++-- - 2 files changed, 174 insertions(+), 7 deletions(-) - create mode 100644 dirsrvtests/tickets/ticket47921_test.py - -diff --git a/dirsrvtests/tickets/ticket47921_test.py b/dirsrvtests/tickets/ticket47921_test.py -new file mode 100644 -index 0000000..951d33b ---- /dev/null -+++ b/dirsrvtests/tickets/ticket47921_test.py -@@ -0,0 +1,155 @@ -+import os -+import sys -+import time -+import ldap -+import logging -+import pytest -+from lib389 import DirSrv, Entry, tools, tasks -+from lib389.tools import DirSrvTools -+from lib389._constants import * -+from lib389.properties import * -+from lib389.tasks import * -+from lib389.utils import * -+ -+logging.getLogger(__name__).setLevel(logging.DEBUG) -+log = logging.getLogger(__name__) -+ -+installation1_prefix = None -+ -+ -+class TopologyStandalone(object): -+ def __init__(self, standalone): -+ standalone.open() -+ self.standalone = standalone -+ -+ -+@pytest.fixture(scope="module") -+def topology(request): -+ global installation1_prefix -+ if installation1_prefix: -+ args_instance[SER_DEPLOYED_DIR] = installation1_prefix -+ -+ # Creating standalone instance ... 
-+ standalone = DirSrv(verbose=False) -+ args_instance[SER_HOST] = HOST_STANDALONE -+ args_instance[SER_PORT] = PORT_STANDALONE -+ args_instance[SER_SERVERID_PROP] = SERVERID_STANDALONE -+ args_instance[SER_CREATION_SUFFIX] = DEFAULT_SUFFIX -+ args_standalone = args_instance.copy() -+ standalone.allocate(args_standalone) -+ instance_standalone = standalone.exists() -+ if instance_standalone: -+ standalone.delete() -+ standalone.create() -+ standalone.open() -+ -+ # Clear out the tmp dir -+ standalone.clearTmpDir(__file__) -+ -+ return TopologyStandalone(standalone) -+ -+ -+def test_ticket47921(topology): -+ ''' -+ Test that indirect cos reflects the current value of the indirect entry -+ ''' -+ -+ INDIRECT_COS_DN = 'cn=cos definition,' + DEFAULT_SUFFIX -+ MANAGER_DN = 'uid=my manager,ou=people,' + DEFAULT_SUFFIX -+ USER_DN = 'uid=user,ou=people,' + DEFAULT_SUFFIX -+ -+ # Add COS definition -+ try: -+ topology.standalone.add_s(Entry((INDIRECT_COS_DN, -+ {'objectclass': 'top cosSuperDefinition cosIndirectDefinition ldapSubEntry'.split(), -+ 'cosIndirectSpecifier': 'manager', -+ 'cosAttribute': 'roomnumber' -+ }))) -+ except ldap.LDAPError, e: -+ log.fatal('Failed to add cos defintion, error: ' + e.message['desc']) -+ assert False -+ -+ # Add manager entry -+ try: -+ topology.standalone.add_s(Entry((MANAGER_DN, -+ {'objectclass': 'top extensibleObject'.split(), -+ 'uid': 'my manager', -+ 'roomnumber': '1' -+ }))) -+ except ldap.LDAPError, e: -+ log.fatal('Failed to add manager entry, error: ' + e.message['desc']) -+ assert False -+ -+ # Add user entry -+ try: -+ topology.standalone.add_s(Entry((USER_DN, -+ {'objectclass': 'top person organizationalPerson inetorgperson'.split(), -+ 'sn': 'last', -+ 'cn': 'full', -+ 'givenname': 'mark', -+ 'uid': 'user', -+ 'manager': MANAGER_DN -+ }))) -+ except ldap.LDAPError, e: -+ log.fatal('Failed to add manager entry, error: ' + e.message['desc']) -+ assert False -+ -+ # Test COS is working -+ try: -+ entry = 
topology.standalone.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE, -+ "uid=user", -+ ['roomnumber']) -+ if entry: -+ if entry[0].getValue('roomnumber') != '1': -+ log.fatal('COS is not working.') -+ assert False -+ else: -+ log.fatal('Failed to find user entry') -+ assert False -+ except ldap.LDAPError, e: -+ log.error('Failed to search for user entry: ' + e.message['desc']) -+ assert False -+ -+ # Modify manager entry -+ try: -+ topology.standalone.modify_s(MANAGER_DN, [(ldap.MOD_REPLACE, 'roomnumber', '2')]) -+ except ldap.LDAPError, e: -+ log.error('Failed to modify manager entry: ' + e.message['desc']) -+ assert False -+ -+ # Confirm COS is returning the new value -+ try: -+ entry = topology.standalone.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE, -+ "uid=user", -+ ['roomnumber']) -+ if entry: -+ if entry[0].getValue('roomnumber') != '2': -+ log.fatal('COS is not working after manager update.') -+ assert False -+ else: -+ log.fatal('Failed to find user entry') -+ assert False -+ except ldap.LDAPError, e: -+ log.error('Failed to search for user entry: ' + e.message['desc']) -+ assert False -+ -+ log.info('Test complete') -+ -+ -+def test_ticket47921_final(topology): -+ topology.standalone.delete() -+ log.info('Testcase PASSED') -+ -+ -+def run_isolated(): -+ global installation1_prefix -+ installation1_prefix = None -+ -+ topo = topology(True) -+ test_ticket47921(topo) -+ test_ticket47921_final(topo) -+ -+ -+if __name__ == '__main__': -+ run_isolated() -+ -diff --git a/ldap/servers/plugins/cos/cos_cache.c b/ldap/servers/plugins/cos/cos_cache.c -index 7d8e877..fa2b6b5 100644 ---- a/ldap/servers/plugins/cos/cos_cache.c -+++ b/ldap/servers/plugins/cos/cos_cache.c -@@ -284,7 +284,7 @@ void cos_cache_backend_state_change(void *handle, char *be_name, - static int cos_cache_vattr_get(vattr_sp_handle *handle, vattr_context *c, Slapi_Entry *e, char *type, Slapi_ValueSet** results,int *type_name_disposition, char** actual_type_name, int flags, int *free_flags, void *hint); - 
static int cos_cache_vattr_compare(vattr_sp_handle *handle, vattr_context *c, Slapi_Entry *e, char *type, Slapi_Value *test_this, int* result, int flags, void *hint); - static int cos_cache_vattr_types(vattr_sp_handle *handle,Slapi_Entry *e,vattr_type_list_context *type_context,int flags); --static int cos_cache_query_attr(cos_cache *ptheCache, vattr_context *context, Slapi_Entry *e, char *type, Slapi_ValueSet **out_attr, Slapi_Value *test_this, int *result, int *ops); -+static int cos_cache_query_attr(cos_cache *ptheCache, vattr_context *context, Slapi_Entry *e, char *type, Slapi_ValueSet **out_attr, Slapi_Value *test_this, int *result, int *ops, int *indirect_cos); - - /* - compares s2 to s1 starting from end of string until the beginning of either -@@ -2096,8 +2096,9 @@ static int cos_cache_attrval_exists(cosAttrValue *pAttrs, const char *val) - - static int cos_cache_vattr_get(vattr_sp_handle *handle, vattr_context *c, Slapi_Entry *e, char *type, Slapi_ValueSet** results,int *type_name_disposition, char** actual_type_name, int flags, int *free_flags, void *hint) - { -- int ret = -1; - cos_cache *pCache = 0; -+ int indirect_cos = 0; -+ int ret = -1; - - LDAPDebug( LDAP_DEBUG_TRACE, "--> cos_cache_vattr_get\n",0,0,0); - -@@ -2108,10 +2109,15 @@ static int cos_cache_vattr_get(vattr_sp_handle *handle, vattr_context *c, Slapi_ - goto bail; - } - -- ret = cos_cache_query_attr(pCache, c, e, type, results, NULL, NULL, NULL); -+ ret = cos_cache_query_attr(pCache, c, e, type, results, NULL, NULL, NULL, &indirect_cos); - if(ret == 0) - { -- *free_flags = SLAPI_VIRTUALATTRS_RETURNED_COPIES | SLAPI_VIRTUALATTRS_VALUES_CACHEABLE; -+ if(indirect_cos){ -+ /* we can't cache indirect cos */ -+ *free_flags = SLAPI_VIRTUALATTRS_RETURNED_COPIES; -+ } else { -+ *free_flags = SLAPI_VIRTUALATTRS_RETURNED_COPIES | SLAPI_VIRTUALATTRS_VALUES_CACHEABLE; -+ } - *actual_type_name = slapi_ch_strdup(type); - *type_name_disposition = SLAPI_VIRTUALATTRS_TYPE_NAME_MATCHED_EXACTLY_OR_ALIAS; - } 
-@@ -2138,7 +2144,7 @@ static int cos_cache_vattr_compare(vattr_sp_handle *handle, vattr_context *c, Sl - goto bail; - } - -- ret = cos_cache_query_attr(pCache, c, e, type, NULL, test_this, result, NULL); -+ ret = cos_cache_query_attr(pCache, c, e, type, NULL, test_this, result, NULL, NULL); - - cos_cache_release(pCache); - -@@ -2179,7 +2185,7 @@ static int cos_cache_vattr_types(vattr_sp_handle *handle,Slapi_Entry *e, - lastattr = pCache->ppAttrIndex[index]->pAttrName; - - if(1 == cos_cache_query_attr(pCache, NULL, e, lastattr, NULL, NULL, -- NULL, &props)) -+ NULL, &props, NULL)) - { - /* entry contains this attr */ - vattr_type_thang thang = {0}; -@@ -2223,7 +2229,10 @@ bail: - overriding and allow the DS logic to pick it up by denying knowledge - of attribute - */ --static int cos_cache_query_attr(cos_cache *ptheCache, vattr_context *context, Slapi_Entry *e, char *type, Slapi_ValueSet **out_attr, Slapi_Value *test_this, int *result, int *props) -+static int cos_cache_query_attr(cos_cache *ptheCache, vattr_context *context, -+ Slapi_Entry *e, char *type, Slapi_ValueSet **out_attr, -+ Slapi_Value *test_this, int *result, int *props, -+ int *indirect_cos) - { - int ret = -1; - cosCache *pCache = (cosCache*)ptheCache; -@@ -2420,6 +2429,9 @@ static int cos_cache_query_attr(cos_cache *ptheCache, vattr_context *context, Sl - if (cos_cache_follow_pointer( context, (char*)slapi_value_get_string(indirectdn), - type, &tmp_vals, test_this, result, pointer_flags) == 0) - { -+ if(indirect_cos){ -+ *indirect_cos = 1; -+ } - hit = 1; - /* If the caller requested values, set them. We need - * to append values when we follow multiple pointers DNs. */ --- -1.9.3 - diff --git a/server/common/patches/hesiod-Remove-hard-coded-defaults-for-LHS-and-RHS.patch b/server/common/patches/hesiod-Remove-hard-coded-defaults-for-LHS-and-RHS.patch new file mode 100644 index 00000000..316957c2 --- /dev/null +++ b/server/common/patches/hesiod-Remove-hard-coded-defaults-for-LHS-and-RHS.patch 
@@ -0,0 +1,67 @@ +From 40fb2973fde5cefd1687637e208f2877865b4c5f Mon Sep 17 00:00:00 2001 +From: Nalin Dahyabhai +Date: Tue, 3 May 2016 13:34:32 -0400 +Subject: [PATCH] Remove hard-coded defaults for LHS and RHS + +Don't fall back to using a default LHS or RHS when the configuration +file can't be read. Instead, return an error. +Original report from https://bugzilla.redhat.com/show_bug.cgi?id=1332493 + +(cherry picked from commit 247e2ce1f2aff40040657acaae7f1a1d673d6618) +--- + src/lib/Makefile.am | 2 +- + src/lib/hesiod.c | 21 +-------------------- + 2 files changed, 2 insertions(+), 21 deletions(-) + +diff --git a/src/lib/Makefile.am b/src/lib/Makefile.am +index d092565..e6324b1 100644 +--- a/src/lib/Makefile.am ++++ b/src/lib/Makefile.am +@@ -15,7 +15,7 @@ noinst_PROGRAMS = hestest + hestest_SOURCES = hestest.c + hestest_LDADD = libhesiod.la + +-TESTS_ENVIRONMENT = ./hestest ++TESTS_ENVIRONMENT = HESIOD_CONFIG=$(srcdir)/hesiod.conf.sample ./hestest + TESTS = hestest.conf + + EXTRA_DIST = hesiod.conf.sample hestest.conf +diff --git a/src/lib/hesiod.c b/src/lib/hesiod.c +index 2738713..e69a8ca 100644 +--- a/src/lib/hesiod.c ++++ b/src/lib/hesiod.c +@@ -81,10 +81,6 @@ static const char rcsid[] = "$Id: hesiod.c,v 1.30 2002-04-03 21:40:55 ghudson Ex + #define T_TXT 16 + #endif + +-/* Defaults if the configuration file is not present. */ +-#define DEF_RHS ".athena.mit.edu" +-#define DEF_LHS ".ns" +- + /* Maximum size of a Hesiod response from the DNS. */ + #define MAX_HESRESP 1024 + +@@ -301,22 +297,7 @@ static int read_config_file(struct hesiod_p *ctx, const char *filename) + /* Try to open the configuration file. */ + fp = fopen(filename, "r"); + if (!fp) +- { +- /* Use compiled in default domain names. 
*/ +- ctx->lhs = malloc(strlen(DEF_LHS) + 1); +- ctx->rhs = malloc(strlen(DEF_RHS) + 1); +- if (ctx->lhs && ctx->rhs) +- { +- strcpy(ctx->lhs, DEF_LHS); +- strcpy(ctx->rhs, DEF_RHS); +- return 0; +- } +- else +- { +- errno = ENOMEM; +- return -1; +- } +- } ++ return -1; + + ctx->lhs = NULL; + ctx->rhs = NULL; diff --git a/server/common/patches/hesiod-Use-secure_getenv-when-it-s-available.patch b/server/common/patches/hesiod-Use-secure_getenv-when-it-s-available.patch new file mode 100644 index 00000000..7b607e10 --- /dev/null +++ b/server/common/patches/hesiod-Use-secure_getenv-when-it-s-available.patch 
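Review bot: The `index 2738713..e69a8ca` line in this patch's hesiod.c header shows it was generated on top of the post-image of hesiod-Use-secure_getenv-when-it-s-available.patch (whose hesiod.c hunk goes `c96aebe..2738713`), yet this file sorts first alphabetically. If the spec or build script applies patches in glob order, this patch is applied before the one it depends on and the second will only apply with fuzz or not at all; confirm the declared patch order. A one-line note in the commit message, or at the top of this file, naming that dependency would save the next rebase from the same surprise.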
@@ -0,0 +1,75 @@ +From 5e8ee67228ae97ce00feba1139d406f12b2b66f3 Mon Sep 17 00:00:00 2001 +From: Nalin Dahyabhai +Date: Tue, 3 May 2016 13:32:25 -0400 +Subject: [PATCH] Use secure_getenv() when it's available + +Factor out logic that attempts to only consult the environment when it's +safe to do so into its own function, and use secure_getenv() instead of +getenv() if it's available. Original report from +https://bugzilla.redhat.com/show_bug.cgi?id=1332508 + +(cherry picked from commit 39b21dac9bc6473365de04d94be0da94941c7c73) +--- + configure.ac | 3 ++- + src/lib/hesiod.c | 15 +++++++++++++-- + 2 files changed, 15 insertions(+), 3 deletions(-) + +diff --git a/configure.ac b/configure.ac +index e5e94d4..9098afa 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -9,6 +9,7 @@ m4_ifdef([AM_SILENT_RULES], [AM_SILENT_RULES([yes])]) + AC_CONFIG_MACRO_DIR([m4]) + AC_CONFIG_SRCDIR([src/lib/hesiod.h]) + AC_CONFIG_HEADERS([config.h]) ++AC_USE_SYSTEM_EXTENSIONS + + # Checks for programs. + AC_PROG_CC +@@ -80,7 +81,7 @@ AC_EGREP_HEADER([pw_expire], [pwd.h], + # Checks for library functions. + AC_FUNC_MALLOC + AC_FUNC_REALLOC +-AC_CHECK_FUNCS([strchr strdup]) ++AC_CHECK_FUNCS([strchr strdup secure_getenv]) + + AC_CONFIG_FILES([ + Makefile +diff --git a/src/lib/hesiod.c b/src/lib/hesiod.c +index c96aebe..2738713 100644 +--- a/src/lib/hesiod.c ++++ b/src/lib/hesiod.c +@@ -99,6 +99,17 @@ static int read_config_file(struct hesiod_p *ctx, const char *filename); + static char **get_txt_records(struct hesiod_p *ctx, const char *name); + static int cistrcmp(const char *s1, const char *s2); + ++static const char *hesiod_getenv(const char *e) ++{ ++ if ((getuid() != geteuid()) || (getgid() != getegid())) ++ return NULL; ++#ifdef HAVE_SECURE_GETENV ++ return secure_getenv(e); ++#else ++ return getenv(e); ++#endif ++} ++ + /* This function is called to initialize a hesiod_p. 
*/ + int hesiod_init(void **context) + { +@@ -109,13 +120,13 @@ int hesiod_init(void **context) + if (ctx) + { + *context = ctx; +- configname = ((getuid() == geteuid()) && (getgid() == getegid())) ? getenv("HESIOD_CONFIG") : NULL; ++ configname = hesiod_getenv("HESIOD_CONFIG"); + if (!configname) + configname = SYSCONFDIR "/hesiod.conf"; + if (read_config_file(ctx, configname) >= 0) + { + /* The default rhs can be overridden by an environment variable. */ +- p = ((getuid() == geteuid()) && (getgid() == getegid())) ? getenv("HES_DOMAIN") : NULL; ++ p = hesiod_getenv("HES_DOMAIN"); + if (p) + { + if (ctx->rhs) diff --git a/server/common/patches/httpd-bug57070.patch b/server/common/patches/httpd-bug57070.patch deleted file mode 100644 index a674081f..00000000 --- a/server/common/patches/httpd-bug57070.patch +++ /dev/null @@ -1,15 +0,0 @@ -Index: modules/ssl/ssl_engine_vars.c -=================================================================== ---- modules/ssl/ssl_engine_vars.c (revision 1630015) -+++ modules/ssl/ssl_engine_vars.c (working copy) -@@ -73,7 +73,9 @@ - static const char *expr_var_fn(ap_expr_eval_ctx_t *ctx, const void *data) - { - char *var = (char *)data; -- return ssl_var_lookup_ssl(ctx->p, ctx->c, ctx->r, var); -+ SSLConnRec *sslconn = myConnConfig(ctx->c); -+ -+ return sslconn ? ssl_var_lookup_ssl(ctx->p, ctx->c, ctx->r, var) : ""; - } - - static int ssl_expr_lookup(ap_expr_lookup_parms *parms) diff --git a/server/common/patches/httpd-fixup-vhost.patch b/server/common/patches/httpd-fixup-vhost.patch index f1d3efb7..c51b77a7 100644 --- a/server/common/patches/httpd-fixup-vhost.patch +++ b/server/common/patches/httpd-fixup-vhost.patch @@ -39,7 +39,7 @@ diff --git a/server/config.c b/server/config.c index c1aae17..254c5d2 100644 --- a/server/config.c +++ b/server/config.c -@@ -2245,46 +2245,52 @@ AP_DECLARE(void) ap_merge_log_config(const struct ap_logconf *old_conf, +@@ -2344,46 +2344,52 @@ } } 
@@ -53,10 +53,8 @@ index c1aae17..254c5d2 100644 dconf->log = &main_server->log; - for (virt = main_server->next; virt; virt = virt->next) { -- merge_server_configs(p, main_server->module_config, -- virt->module_config); -+ merge_server_configs(p, main_server->module_config, -+ virt->module_config); +- merge_server_configs(p, main_server->module_config, virt); ++ merge_server_configs(p, main_server->module_config, virt); - virt->lookup_defaults = - ap_merge_per_dir_configs(p, main_server->lookup_defaults, @@ -112,12 +110,13 @@ index c1aae17..254c5d2 100644 +AP_DECLARE(void) ap_fixup_virtual_hosts(apr_pool_t *p, server_rec *main_server) +{ + server_rec *virt; -+ + + for (virt = main_server->next; virt; virt = virt->next) + ap_fixup_virtual_host(p, main_server, virt); - ++ ap_core_reorder_directories(p, main_server); } + -- 1.8.1.2 diff --git a/server/common/patches/httpd-suexec-journald.patch b/server/common/patches/httpd-suexec-journald.patch index 4bc63694..b32aa49a 100644 --- a/server/common/patches/httpd-suexec-journald.patch +++ b/server/common/patches/httpd-suexec-journald.patch @@ -32,7 +32,7 @@ index 745d86c..4014c1f 100644 $(LINK) $(checkgid_LTFLAGS) $(checkgid_OBJECTS) $(PROGRAM_LDADD) suexec_OBJECTS = suexec.lo -+suexec_LDADD = "-lsystemd-journal -lsystemd-id128" ++suexec_LDADD = "-lsystemd" +suexec.lo: suexec.c + $(LIBTOOL) --mode=compile $(CC) $(ab_CFLAGS) $(ALL_CFLAGS) $(ALL_CPPFLAGS) \ + $(ALL_INCLUDES) $(PICFLAGS) $(LTCFLAGS) -DSCRIPTS_HAVE_SYSTEMD_JOURNAL \ diff --git a/server/common/patches/httpd-suexec-scripts.patch b/server/common/patches/httpd-suexec-scripts.patch index cff936ea..839017b7 100644 --- a/server/common/patches/httpd-suexec-scripts.patch +++ b/server/common/patches/httpd-suexec-scripts.patch 
@@ -295,7 +295,7 @@ index 32e7320..3a4d802 100644 log_err("file has no execute permission: (%s/%s)\n", cwd, cmd); exit(121); } -@@ -660,6 +802,30 @@ int main(int argc, char *argv[]) +@@ -660,6 +802,31 @@ int main(int argc, char *argv[]) /* * Execute the command, replacing our image with its own. */ @@ -310,6 +310,7 @@ index 32e7320..3a4d802 100644 + } + if (is_php_extension(cmd)) { + setenv("PHPRC", ".", 1); ++ setenv("PHP_INI_SCAN_DIR", "/etc/scripts/php.d", 1); + argv[1] = PHP_PATH; + argv[2] = "-f"; + /* diff --git a/server/common/patches/krb5-kuserok-scripts.patch b/server/common/patches/krb5-kuserok-scripts.patch deleted file mode 100644 index dd662da9..00000000 --- a/server/common/patches/krb5-kuserok-scripts.patch +++ /dev/null 
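Review bot: The new `setenv("PHP_INI_SCAN_DIR", "/etc/scripts/php.d", 1);` hard-codes the directory as a string literal while the neighbouring `argv[1] = PHP_PATH;` takes its path from a compile-time macro; a `PHP_INI_SCAN_DIR` define next to PHP_PATH keeps both paths configurable in one place. Overwrite=1 is the right choice here, since it stops any value inherited from the caller's environment from redirecting which ini fragments PHP scans, and a comment such as `/* always override: the scan dir must never come from the caller's environment */` would record that intent. The enclosing main() continues outside the hunk.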
@@ -1,150 +0,0 @@ -# scripts.mit.edu krb5 kuserok patch -# Copyright (C) 2006 Tim Abbott -# 2011 Alexander Chernyakhovsky -# -# This program is free software; you can redistribute it and/or -# modify it under the terms of the GNU General Public License -# as published by the Free Software Foundation; either version 2 -# of the License, or (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA -# -# See /COPYRIGHT in this repository for more information. -# ---- krb5-1.9/src/lib/krb5/os/kuserok.c.old 2011-04-16 19:09:58.000000000 -0400 -+++ krb5-1.9/src/lib/krb5/os/kuserok.c 2011-04-16 19:34:23.000000000 -0400 -@@ -32,6 +32,7 @@ - #if !defined(_WIN32) /* Not yet for Windows */ - #include - #include -+#include - - #if defined(_AIX) && defined(_IBMR2) - #include -@@ -51,39 +52,6 @@ - enum result { ACCEPT, REJECT, PASS }; - - /* -- * Find the k5login filename for luser, either in the user's homedir or in a -- * configured directory under the username. -- */ --static krb5_error_code --get_k5login_filename(krb5_context context, const char *luser, -- const char *homedir, char **filename_out) --{ -- krb5_error_code ret; -- char *dir, *filename; -- -- *filename_out = NULL; -- ret = profile_get_string(context->profile, KRB5_CONF_LIBDEFAULTS, -- KRB5_CONF_K5LOGIN_DIRECTORY, NULL, NULL, &dir); -- if (ret != 0) -- return ret; -- -- if (dir == NULL) { -- /* Look in the user's homedir. */ -- if (asprintf(&filename, "%s/.k5login", homedir) < 0) -- return ENOMEM; -- } else { -- /* Look in the configured directory. 
*/ -- if (asprintf(&filename, "%s/%s", dir, luser) < 0) -- ret = ENOMEM; -- profile_release_string(dir); -- if (ret) -- return ret; -- } -- *filename_out = filename; -- return 0; --} -- --/* - * Determine whether principal is authorized to log in as luser according to - * the user's k5login file. Return ACCEPT if the k5login file authorizes the - * principal, PASS if the k5login file does not exist, or REJECT if the k5login -@@ -93,13 +61,12 @@ - static enum result - k5login_ok(krb5_context context, krb5_principal principal, const char *luser) - { -- int authoritative = TRUE, gobble; -+ int authoritative = TRUE; - enum result result = REJECT; -- char *filename = NULL, *princname = NULL; -- char *newline, linebuf[BUFSIZ], pwbuf[BUFSIZ]; -- struct stat sbuf; -+ char *princname = NULL; -+ char pwbuf[BUFSIZ]; - struct passwd pwx, *pwd; -- FILE *fp = NULL; -+ int pid, status; - - if (profile_get_boolean(context->profile, KRB5_CONF_LIBDEFAULTS, - KRB5_CONF_K5LOGIN_AUTHORITATIVE, NULL, TRUE, -@@ -110,46 +77,29 @@ - if (k5_getpwnam_r(luser, &pwx, pwbuf, sizeof(pwbuf), &pwd) != 0) - goto cleanup; - -- if (get_k5login_filename(context, luser, pwd->pw_dir, &filename) != 0) -- goto cleanup; -- -- if (access(filename, F_OK) != 0) { -- result = PASS; -- goto cleanup; -- } -- - if (krb5_unparse_name(context, principal, &princname) != 0) - goto cleanup; - -- fp = fopen(filename, "r"); -- if (fp == NULL) -+ if ((pid = fork()) == -1) - goto cleanup; -- set_cloexec_file(fp); -- -- /* For security reasons, the .k5login file must be owned either by -- * the user or by root. */ -- if (fstat(fileno(fp), &sbuf)) -- goto cleanup; -- if (sbuf.st_uid != pwd->pw_uid && !FILE_OWNER_OK(sbuf.st_uid)) -- goto cleanup; -- -- /* Check each line. 
*/ -- while (result != ACCEPT && (fgets(linebuf, sizeof(linebuf), fp) != NULL)) { -- newline = strrchr(linebuf, '\n'); -- if (newline != NULL) -- *newline = '\0'; -- if (strcmp(linebuf, princname) == 0) -- result = ACCEPT; -- /* Clean up the rest of the line if necessary. */ -- if (newline == NULL) -- while (((gobble = getc(fp)) != EOF) && gobble != '\n'); -+ -+ if (pid == 0) { -+ char *args[4]; -+#define ADMOF_PATH "/usr/local/sbin/ssh-admof" -+ args[0] = ADMOF_PATH; -+ args[1] = (char *) luser; -+ args[2] = princname; -+ args[3] = NULL; -+ execv(ADMOF_PATH, args); -+ exit(1); - } - -+ if (waitpid(pid, &status, 0) > 0 && WIFEXITED(status) && WEXITSTATUS(status) == 33) { -+ result = ACCEPT; -+ } -+ - cleanup: - free(princname); -- free(filename); -- if (fp != NULL) -- fclose(fp); - /* If k5login files are non-authoritative, never reject. */ - return (!authoritative && result == REJECT) ? PASS : result; - } diff --git a/server/common/patches/moira-fix-manpage-paths.patch b/server/common/patches/moira-fix-manpage-paths.patch deleted file mode 100644 index 12e7298a..00000000 --- a/server/common/patches/moira-fix-manpage-paths.patch +++ /dev/null 
@@ -1,40 +0,0 @@ -Index: moira/man/update_server.8 -=================================================================== ---- moira.orig/man/update_server.8 2010-01-04 21:12:54.000000000 -0500 -+++ moira/man/update_server.8 2010-01-04 22:03:58.000000000 -0500 -@@ -14,7 +14,7 @@ - it is needed. - .SH OPTIONS - While there are no command line options, a configuration file --.I /etc/athena/moira.conf -+.I /etc/moira.conf - may specify a number of options. This file may contain blank lines, - comments preceeded by hash marks, boolean options, or string options. - A boolean option is set by just putting the name of the option on a -@@ -48,7 +48,7 @@ - .B sms - in the local realm is assumed. - .SH FILES --/etc/athena/moira.conf \- For configuration variables. --/etc/athena/srvtab \- It must be able to get rcmd Kerberos tickets. -+/etc/moira.conf \- For configuration variables. -+/etc/srvtab \- It must be able to get rcmd Kerberos tickets. - .SH "SEE ALSO" - The Project Athena Technical Plan section on Moira. -Index: moira/man/moira.3 -=================================================================== ---- moira.orig/man/moira.3 2010-01-04 22:04:05.000000000 -0500 -+++ moira/man/moira.3 2010-01-04 22:04:20.000000000 -0500 -@@ -239,9 +239,9 @@ - except that it uses strcmp on the elements rather than comparing the - addresses directly. - .SH FILES --/usr/athena/include/moira.h -+/usr/include/moira/moira.h - .br --/usr/athena/include/mr_et.h -+/usr/include/moira/mr_et.h - .br - /tmp/tkt### - .SH "SEE ALSO" - diff --git a/server/common/patches/openafs-scripts.patch b/server/common/patches/openafs-scripts.patch index 7d082c86..b04a610a 100644 --- a/server/common/patches/openafs-scripts.patch +++ b/server/common/patches/openafs-scripts.patch 
@@ -131,7 +131,7 @@ index 2eb228f..d5d6e4a 100644 - attrs->va_gid = fakedir ? 0 : avc->f.m.Group; /* yeah! */ + attrs->va_uid = fakedir ? 0 : avc->f.fid.Fid.Volume; + attrs->va_gid = (avc->f.m.Owner == DAEMON_SCRIPTS_PTSID ? avc->f.m.Group : avc->f.m.Owner); - #if defined(AFS_SUN56_ENV) + #if defined(AFS_SUN5_ENV) attrs->va_fsid = avc->v.v_vfsp->vfs_fsid.val[0]; #elif defined(AFS_DARWIN80_ENV) diff --git a/src/afs/VNOPS/afs_vnop_lookup.c b/src/afs/VNOPS/afs_vnop_lookup.c diff --git a/server/common/patches/openssh-4.7p1-gssapi-name-in-env.patch b/server/common/patches/openssh-4.7p1-gssapi-name-in-env.patch index a6992322..5a83942e 100644 --- a/server/common/patches/openssh-4.7p1-gssapi-name-in-env.patch +++ b/server/common/patches/openssh-4.7p1-gssapi-name-in-env.patch @@ -1,9 +1,14 @@ ---- openssh-4.7p1/gss-serv.c -+++ openssh-4.7p1/gss-serv.c -@@ -355,6 +355,13 @@ - child_set_env(envp, envsizep, gssapi_client.store.envvar, - gssapi_client.store.envval); +diff --git a/gss-serv.c b/gss-serv.c +index 1c0ac53..69bf73d 100644 +--- a/gss-serv.c ++++ b/gss-serv.c +@@ -441,6 +441,18 @@ ssh_gssapi_do_child(char ***envp, u_int *envsizep) } + } + ++void ++ssh_gssapi_do_child_principalname(char ***envp, u_int *envsizep) ++{ + if (gssapi_client.exportedname.length != 0 && + gssapi_client.exportedname.value != NULL) { + debug("Setting %s to %s", "SSH_GSSAPI_NAME", 
@@ -11,6 +16,32 @@ + child_set_env(envp, envsizep, "SSH_GSSAPI_NAME", + gssapi_client.exportedname.value); + } - } - ++} ++ /* Privileged */ + int + ssh_gssapi_userok(char *user, struct passwd *pw, int kex) +diff --git a/session.c b/session.c +index b989afc..f908d0e 100644 +--- a/session.c ++++ b/session.c +@@ -1085,6 +1085,7 @@ do_setup_env(struct ssh *ssh, Session *s, const char *shell) + */ + if (s->authctxt->krb5_set_env) + ssh_gssapi_do_child(&env, &envsize); ++ ssh_gssapi_do_child_principalname(&env, &envsize); + #endif + + /* Set basic environment. */ +diff --git a/ssh-gss.h b/ssh-gss.h +index c7ec22d..e865d1e 100644 +--- a/ssh-gss.h ++++ b/ssh-gss.h +@@ -170,6 +170,7 @@ OM_uint32 ssh_gssapi_server_ctx(Gssctxt **, gss_OID); + int ssh_gssapi_userok(char *name, struct passwd *, int kex); + OM_uint32 ssh_gssapi_checkmic(Gssctxt *, gss_buffer_t, gss_buffer_t); + void ssh_gssapi_do_child(char ***, u_int *); ++void ssh_gssapi_do_child_principalname(char ***, u_int *); + void ssh_gssapi_cleanup_creds(void); + int ssh_gssapi_storecreds(void); + const char *ssh_gssapi_displayname(void); diff --git a/server/common/patches/openssl-1.0.1e-cve-2015-3195.patch b/server/common/patches/openssl-1.0.1e-cve-2015-3195.patch deleted file mode 100644 index 86927f98..00000000 --- a/server/common/patches/openssl-1.0.1e-cve-2015-3195.patch +++ /dev/null 
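Review bot: In the session.c hunk the new `ssh_gssapi_do_child_principalname(&env, &envsize);` is indented like the body of the brace-less `if (s->authctxt->krb5_set_env)` above it, but it sits outside that if and runs unconditionally. Presumably that is the point of splitting the function out (export SSH_GSSAPI_NAME even when krb5_set_env is off), so make it explicit: braces on the if, and a comment like `/* always export the authenticated GSSAPI name, independent of krb5_set_env */`. Because this value lands in the login environment where later scripts may rely on it, the intent should be readable without consulting this patch. do_setup_env continues outside the hunk.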
@@ -1,55 +0,0 @@ -From b29ffa392e839d05171206523e84909146f7a77c Mon Sep 17 00:00:00 2001 -From: "Dr. Stephen Henson" -Date: Tue, 10 Nov 2015 19:03:07 +0000 -Subject: [PATCH] Fix leak with ASN.1 combine. - -When parsing a combined structure pass a flag to the decode routine -so on error a pointer to the parent structure is not zeroed as -this will leak any additional components in the parent. - -This can leak memory in any application parsing PKCS#7 or CMS structures. - -CVE-2015-3195. - -Thanks to Adam Langley (Google/BoringSSL) for discovering this bug using -libFuzzer. - -PR#4131 - -Reviewed-by: Richard Levitte - -Edited-to-apply: Alexander Chernyakhovsky ---- - crypto/asn1/tasn_dec.c | 7 +++++-- - 1 file changed, 5 insertions(+), 2 deletions(-) - -diff --git a/crypto/asn1/tasn_dec.c b/crypto/asn1/tasn_dec.c -index febf605..9256049 100644 ---- a/crypto/asn1/tasn_dec.c -+++ b/crypto/asn1/tasn_dec.c -@@ -169,6 +169,8 @@ - int otag; - int ret = 0; - ASN1_VALUE **pchptr, *ptmpval; -+ int combine = aclass & ASN1_TFLG_COMBINE; -+ aclass &= ~ASN1_TFLG_COMBINE; - if (!pval) - return 0; - if (aux && aux->asn1_cb) -@@ -539,6 +541,7 @@ - auxerr: - ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_AUX_ERROR); - err: -+ if (combine == 0) - ASN1_item_ex_free(pval, it); - if (errtt) - ERR_add_error_data(4, "Field=", errtt->field_name, -@@ -767,7 +770,7 @@ - { - /* Nothing special */ - ret = ASN1_item_ex_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item), -- -1, 0, opt, ctx); -+ -1, tt->flags & ASN1_TFLG_COMBINE, opt, ctx); - if (!ret) - { - ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, diff --git a/server/common/patches/zephyr-zhm-pidfile.patch b/server/common/patches/zephyr-zhm-pidfile.patch new file mode 100644 index 00000000..ad24ecaf --- /dev/null +++ b/server/common/patches/zephyr-zhm-pidfile.patch 
@@ -0,0 +1,48 @@
+commit dcaf992bf1d5cfeda9a5842e69d9340b67846c29
+Author: Quentin Smith
+Date: Wed Jun 26 01:59:34 2019 -0400
+
+ Write PID file after forking and before exiting.
+
+diff --git a/zhm/zhm.c b/zhm/zhm.c
+index ec4696b7..409e737b 100644
+--- a/zhm/zhm.c
++++ b/zhm/zhm.c
+@@ -414,12 +414,13 @@ init_hm(void)
+ #ifndef DEBUG
+ if (!inetd && !nofork)
+ detach();
+-
+- /* Write pid to file */
+- fp = fopen(PidFile, "w");
+- if (fp != NULL) {
++ else {
++ /* Write pid to file */
++ fp = fopen(PidFile, "w");
++ if (fp != NULL) {
+ fprintf(fp, "%d\n", getpid());
+ fclose(fp);
++ }
+ }
+ #endif /* DEBUG */
+
+@@ -469,11 +470,18 @@ detach(void)
+ /* detach from terminal and fork. */
+ register int i, x = ZGetFD();
+ register long size;
++ FILE *fp;
+
+ i = fork();
+ if (i) {
+ if (i < 0)
+- perror("fork");
++ perror("fork");
++ /* Write pid to file */
++ fp = fopen(PidFile, "w");
++ if (fp != NULL) {
++ fprintf(fp, "%d\n", i);
++ fclose(fp);
++ }
+ exit(0);
+ }
+ #ifdef _POSIX_VERSION
diff --git a/server/common/patches/zephyr-zhm-service.patch b/server/common/patches/zephyr-zhm-service.patch
new file mode 100644
index 00000000..597ece06
--- /dev/null
+++ b/server/common/patches/zephyr-zhm-service.patch
@@ -0,0 +1,14 @@
+--- /dev/null 2019-06-26 01:44:07.000000000 -0400
++++ b/zhm.service 2019-06-26 01:42:54.000000000 -0400
+@@ -0,0 +1,11 @@
++[Unit]
++Description=Zephyr Host Manager
++Documentation=man:zhm(8)
++
++[Service]
++Type=forking
++ExecStart=/usr/sbin/zhm -f
++PIDFile=/var/run/zhm.pid
++
++[Install]
++WantedBy=multi-user.target
diff --git a/server/doc/install-howto.sh b/server/doc/install-howto.sh
index d2b4f8be..f7c02f11 100644
--- a/server/doc/install-howto.sh
+++ b/server/doc/install-howto.sh
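Review bot: In the `detach()` hunk the fork-failure path no longer stops: when `fork()` returns -1 the code prints `perror("fork")`, then falls through to write `i` (now -1) into `PidFile` and `exit(0)`, so a failed fork leaves a bogus PID file and reports success, which `Type=forking` in the companion unit would take as a successful start. Terminate on failure before the PID-file write: `if (i < 0) { perror("fork"); exit(1); }`. It is also worth a comment that the parent now writes the child's pid before the child has finished `init_hm`, since the in-child write in `init_hm` only remains for the inetd/nofork case.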
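Review bot: `PIDFile=/var/run/zhm.pid` uses the legacy `/var/run` path; on Fedora `/var/run` is a symlink to `/run` and systemd warns about `PIDFile=` entries below it, so `PIDFile=/run/zhm.pid` is preferable (the compiled-in `PidFile` in zhm.c must of course resolve to the same file). The unit also carries no ordering relative to the network although zhm presumably needs an address to reach the zephyr servers; `After=network-online.target` together with `Wants=network-online.target` under `[Unit]` would keep it from starting too early.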
@@ -24,22 +24,16 @@ server=YOUR-SERVER-NAME-HERE # [PRODUCTION] If this is the first time you've installed this hostname, # you will need to update a bunch of files to add support for it. These # include: -# o Adding all aliases to /etc/httpd/conf.d/scripts-vhost-names.conf -# (usually this is hostname, hostname.mit.edu, h-n, h-n.mit.edu, -# scriptsN, scriptsN.mit.edu, and the IP address.) +# o Adding it to ansible/inventory.yml in either scripts-real or +# scripts-real-test +# o If this is a new distribution, set use_* to false in inventory.yml +# since none of the scripts packages will be built yet # o Adding routing rules for the static IP in # /etc/sysconfig/network-scripts/route-eth1 # o Adding the IP address to the hosts file (same hosts as for # scripts-vhost-names) -# o Update SSH config at -# - server/fedora/config/etc/ssh/shosts.equiv -# - server/fedora/config/etc/ssh/ssh_known_hosts -# - server/fedora/config/etc/ssh/sshd_config : DenyUsers -# (the last part is critical to ensure that rooting one server -# doesn't give you root to all the other servers) # o Put the hostname information in LDAP so SVN and Git work # o Set up Nagios monitoring on sipb-noc for the host -# o Set up the host as in the pool on r-b/r-b /etc/heartbeat/ldirectord.cf # o Update locker/etc/known_hosts # o Update website files: # /mit/scripts/web_scripts/home/server.css.cgi 
@@ -68,119 +62,45 @@ server=YOUR-SERVER-NAME-HERE # INFINITE INSTALLATION # Start with a Scripts kickstarted install of Fedora (install-fedora) +# For example, + remctl xvm-remote control $server install mirror=http://mirrors.mit.edu/fedora/linux/ dist=30 arch=x86_64 ks=https://raw.githubusercontent.com/mit-scripts/scripts/ansible-realserver/server/fedora/ks/kickstart.txt -# IMPORTANT: If you are installing a server without the benefit of -# Kickstart (for example, you are installing on XVM, it is VITALLY -# IMPORTANT that you go through the kickstart and apply all of the -# necessary changes--for example, disabling selinux or enabling -# network.) -# XXX We should make Kickstart work for test servers too +# On vSphere, create a new virtual machine with 6 CPUs, 10GB RAM, two +# disks of 100GB and 8GB each, two network cards on VLAN486 and +# VLAN461, and a serial port. +# Upload an install image using the Datastore tab, and attach it to +# the VM using Edit Settings. Don't forget to check the "Connected" box. +# To boot, use an F30 boot ISO, press tab on "Install", delete "rhgb +# quiet" and add to the command line -# Make sure selinux is disabled - selinuxenabled || echo "selinux not enabled" - -# Take updates, reboot if there's a kernel update. - yum update -y - -# Get rid of network manager (XXX figure out to make kickstarter do -# this for us) - yum remove NetworkManager - -# Make sure sendmail isn't installed, replace it with postfix - yum shell -y < packages.txt -# arrange for packages.txt to be passed to the server, then run: - cd /tmp - yumdownloader --disablerepo=scripts ghc-cgi ghc-cgi-devel - yum localinstall ghc-cgi*.x86_64.rpm - yum install -y $(cat packages.txt) -# The reason this works is that ghc-cgi is marked as installonlypkgs -# in yum.conf, telling yum to install them side-by-side rather than -# updating them. If it doesn't work, use --skip-broken on the yum -# command line. 
+ su scripts-build - + cd /srv/repository/fedora/server && make all + cp /var/lib/mock/fedora-*/result/*.rpm /home/scripts-build/mock-local/ + createrepo ~/mock-local/ -# Check which packages are installed on your new server that are not -# in the snapshot, and remove ones that aren't needed for some reason -# on the new machine. Otherwise, aside from bloat, you may end up -# with undesirable things for security, like sendmail. - rpm -qa --queryformat "%{Name}.%{Arch}\n" | grep -v kernel | sort > newpackages.txt - diff -u packages.txt newpackages.txt | grep -v kernel | less - # here's a cute script that removes all extra packages - yum erase -y $(grep -Fxvf packages.txt newpackages.txt) - # 20101208 - Mysteriously we manage to get these extra packages - # from kickstart: mcelog mobile-broadband-provider-info - # ModemManager PackageKit +# Copy the built packages and repo metadata to /mit/scripts/yum-repos/rpm-fcNN-testing/ +# After building packages, rerun Ansible to install and configure them. +# Note that web.mit.edu caching means you have to wait several minutes +# after installing the packages for them to become available. -# ----------------------------->8-------------------------------------- -# INFINITE CONFIGURATION + rm /etc/ansible-config-done + systemctl start ansible-config-me -# [PROD] Create fedora-ds user (needed for credit-card) -# [TEST] too if you want to run a local dirsrv instance -useradd -r -d /var/lib/dirsrv fedora-ds - -# Run credit-card to clone in credentials and make things runabble -# NOTE: You may be tempted to run credit-card earlier in the install -# process in order, for example, to be able to SSH in to the servers -# with Kerberos. However, it is better to install the credentials -# *after* we have run a boatload untrusted code as part of the -# spheroids objects process. So don't move this step earlier! -python host.py push $server - -# This is superseded by credit-card, which works for [PRODUCTION] and -# [WIZARD]. 
We don't have an easy way of running credit-card for XVM... -#b -# # # All types of servers will have an /etc/daemon.keytab file, however, # # different types of server will have different credentials in this # # keytab. 
@@ -188,59 +108,18 @@ python host.py push $server # # [WIZARD] daemon.scripts-security-upd # # [TESTSERVER] daemon.scripts-test -# Test that zephyr is working - systemctl enable zhm.service - systemctl start zhm.service - echo 'Test!' | zwrite -d -c scripts -i test - -# Check out the scripts /usr/vice/etc configuration - cd /root/vice - \cp -a etc /usr/vice -# [TESTSERVER] If you're installing a test server, this needs to be -# much smaller; the max filesize on XVM is 10GB. Pick something like -# 500000. Also, some of the AFS parameters are kind of silly (and if -# you're low on disk space, will actually exhaust our inodes). Edit -# these parameters in /etc/sysconfig/openafs (I just chopped a zero -# off of all of our parameters) - echo "/afs:/usr/vice/cache:500000" > /usr/vice/etc/cacheinfo - vim /etc/sysconfig/openafs - # [PRODUCTION] Set up replication (see ./install-ldap). # You'll need the LDAP keytab for this server: be sure to chown it # fedora-ds after you create the fedora-ds user ls -l /etc/dirsrv/keytab cat install-ldap -# Enable lots of services (currently in /etc checkout) - systemctl enable openafs-client.service - systemctl enable dirsrv.target - systemctl enable nslcd.service - systemctl enable nscd.service - systemctl enable postfix.service - systemctl enable nrpe.service # chkconfig'd - systemctl enable httpd.service # not for [WIZARD] - - systemctl start openafs-client.service - systemctl start dirsrv.target - systemctl start nslcd.service - systemctl start nscd.service - systemctl start postfix.service - systemctl start nrpe.service - systemctl start httpd.service # not for [WIZARD] - # Note about OpenAFS: Check that fs sysname is correct. You should see, # among others, 'amd64_fedoraX_scripts' (vary X) and 'scripts'. 
If it's # not, you probably did a distro upgrade and should update # tokensys (server/common/oursrc/tokensys/scripts-afsagent-startup.in) fs sysname -# Postfix doesn't actually deliver mail; fix this - cd /etc/postfix - postmap virtual - -# Munin might not be monitoring packages that were installed after it - munin-node-configure --suggest --shell | sh - # Run fmtutil-sys --all, which does something that makes TeX work. # (Note: this errors on XeTeX which is ok.) fmtutil-sys --all @@ -251,16 +130,6 @@ python host.py push $server # You can prune the first set of binaries using 'chmod u-s' and 'chmod g-s' # and remove capabilities using 'setcap -r' -# XXX check for selinux gunk - -# Fix etc by making sure none of our config files got overwritten - cd /etc - svn status -q - # Some usual candidates for clobbering include nsswitch.conf, - # resolv.conf and sysconfig/openafs - # [WIZARD/TEST] Remember that changes you made should not get - # reverted! - # Reboot the machine to restore a consistent state, in case you # changed anything. (Note: Starting kdump fails (this is ok)) 
@@ -272,53 +141,14 @@ python host.py push $server # o /etc/sysconfig/network # o your lvm thingies; probably don't need to edit -# [TESTSERVER] Enable password log in - vim /etc/ssh/sshd_config - service sshd reload - vim /etc/pam.d/sshd -# Replace the first auth block with: -# # If they're not root, but their user exists (success), -# auth [success=ignore ignore=ignore default=1] pam_succeed_if.so uid > 0 -# # print the "You don't have tickets" error: -# auth [success=die ignore=reset default=die] pam_echo.so file=/etc/issue.net.no_tkt -# # If !(they are root), -# auth [success=1 ignore=ignore default=ignore] pam_succeed_if.so uid eq 0 -# # print the "your account doesn't exist" error: -# auth [success=die ignore=reset default=die] pam_echo.so file=/etc/issue.net.no_user - - -# [WIZARD/TESTSERVER] If you are setting up a non-production server, -# there are some services that it won't provide, and you will need to -# make it talk to a real server instead. In particular: -# - We don't serve the web, so don't bind scripts.mit.edu -# - We don't serve LDAP, so use another server -# XXX: Someone should write sed scripts to do this -# This involves editing the following files: - svn rm /etc/sysconfig/network-scripts/ifcfg-lo:{0,1,2,3} - svn rm /etc/sysconfig/network-scripts/route-eth1 # [TESTSERVER] only -# o /etc/nslcd.conf -# replace: uri ldapi://%2fvar%2frun%2fdirsrv%2fslapd-scripts.socket/ -# with: uri ldap://scripts.mit.edu/ -# (what happened to nss-ldapd?) 
-# o /etc/openldap/ldap.conf -# add: URI ldap://scripts.mit.edu/ -# BASE dc=scripts,dc=mit,dc=edu -# o /etc/httpd/conf.d/vhost_ldap.conf -# replace: VhostLDAPUrl "ldap://127.0.0.1/ou=VirtualHosts,dc=scripts,dc=mit,dc=edu" -# with: VhostLDAPUrl "ldap://scripts.mit.edu/ou=VirtualHosts,dc=scripts,dc=mit,dc=edu" -# o /etc/postfix/virtual-alias-{domains,maps}-ldap.cf -# replace: server_host ldapi://%2fvar%2frun%2fdirsrv%2fslapd-scripts.socket/ -# with: server_host = ldap://scripts.mit.edu -# to use scripts.mit.edu instead of localhost. - # [WIZARD/TESTSERVER] If you are setting up a non-production server, # afsagent's cronjob will attempt to be renewing with the wrong # credentials (daemon.scripts). Change this: vim /home/afsagent/renew # replace all mentions of daemon.scripts.mit.edu # [TESTSERVER] -# - You need a self-signed SSL cert or Apache will refuse to start -# or do SSL. Generate with: (XXX recommended CN?) +# - You might need a self-signed SSL cert depending on what you need to do. +# Generate with: (XXX recommended CN?) openssl req -new -x509 -sha256 -newkey rsa:2048 -keyout /etc/pki/tls/private/scripts.key -out /etc/pki/tls/certs/scripts-cert.pem -nodes -extensions v3_req ln -s /etc/pki/tls/private/scripts.key /etc/pki/tls/private/scripts-2048.key # Also make the various public keys match up @@ -329,12 +159,3 @@ python host.py push $server # XXX alternate strategy replace all the pem's as above cd /etc/httpd/vhosts.d svn rm *.conf - -# [TESTSERVER] -# Remove vhosts.d which we don't have rights for XXX - -# [TESTSERVER] More stuff for test servers -# - Make (/etc/aliases) root mail go to /dev/null, so we don't spam people -# - Edit /etc/httpd/conf.d/scripts-vhost-names.conf to have scripts-fX-test.xvm.mit.edu -# be an accepted vhost name -# - Look at the old test server and see what config changes are floating around diff --git a/server/doc/install-xvm b/server/doc/install-xvm index 84dda9c5..98e65e5c 100644 --- a/server/doc/install-xvm 
+++ b/server/doc/install-xvm 
@@ -26,45 +26,27 @@ you should be able to assign ownership to scripts. 2. Configure ------------ -Lest you be tempted to skimp on RAM: you must have more than 700MBish -to install Fedora; 1024MB is a good amount is a good amount to give to +Lest you be tempted to skimp on RAM: you must have more than 1 GB +to install Fedora; 2048MB is a good amount is a good amount to give to the server. Disk space on order of 40G is probably good enough. -While it is best to use the install CD from the most recent version -of Fedora, any kernel which supports Kickstarting can be used. A good -bet is to use the Netboot CD from the latest version of Fedora that -XVM has (since XVM is sort of bad about keeping their boot CDs up to -date.) Since you're doing an install CD, it's going to be an HVM. +Create a VM using the web interface but do not boot it. From the +command line with suitable tickets, run -You will need VNC access to perform the installation process. If you have -Java, just go to the Console page for the VM; if you do not, you can use -the following set of incants to setup a local VNC server which can talk -to the console: +remctl xvm-remote control $server install mirror=http://mirrors.mit.edu/fedora/linux/ dist=30 arch=x86_64 ks=https://raw.githubusercontent.com/mit-scripts/scripts/ansible-realserver/server/fedora/ks/kickstart.txt - athrun xvm invirt-vnc-client -a $AUTHTOKEN - vncviewer localhost +Watch the installation progress with -where AUTHTOKEN is the contents of the AUTHTOKEN param on the console page -(which would have had the Java applet.) +ssh $server@xvm-console.mit.edu -On the bootloader screen (usually it gives you a bunch of options -such as "Install" or "Advanced"), press TAB and edit the kernel boot -line to append the text: +When the installation finishes, the VM will shut down. 
Boot it with +the web interface or - ks=http://ezyang.scripts.mit.edu/kickstart/scripts.php?type=xvm&release=$RELEASE_NO&hostname=scripts-f$RELEASE_NO-test.xvm.mit.edu +remctl xvm-remote control $server create -with $RELEASE_NO interpolated properly. You should keep around any initrd -lines since the kernel image still needs to know how to boot up. - - XXX the kickstart file needs to live in a less sketchy place - -The install process will ask you for a password. Do NOT use the -scripts-root password. We have a password in -/mit/scripts/Private/scripts-test-passwd which we tend to use. - -We don't know how to convert to ParaVM yet, because latest Fedora -uses Grub2 but XVM's bootloader doesn't understand how to read it -(see also the Scripts patches we manually applied to our hosts.) +You will need to log in using the serial console or VNC console using +"root" with no password. sshd will not accept root logins until you +install a public key. 3. Debugging ------------ diff --git a/server/doc/upgrade-tips b/server/doc/upgrade-tips index 02bae99e..5d9eaae9 100644 --- a/server/doc/upgrade-tips +++ b/server/doc/upgrade-tips @@ -5,9 +5,9 @@ Upgrading Scripts for a new Fedora distribution ------------------- You should read the Release Notes for all of the intervening -releases. For example, here are the Fedora 13 release notes: +releases. For example, here are the Fedora 30 release notes: - http://docs.fedoraproject.org/en-US/Fedora/13/html/Release_Notes/ + https://fedoraproject.org/wiki/Releases/30/ChangeSet Because we sometimes skip releases, you should read any skipped release's report notes. 
@@ -26,34 +26,32 @@ specific, so when you are ramping up the new release, you will want a new branch to do development on, before merging back upon the official release. You can do this with: - svn cp svn://scripts.mit.edu/trunk \ - svn://scripts.mit.edu/branches/fcXX-dev + git checkout -b f30 -On the new branch, there are a number of files you will have to -update: +3. Install a new VM +------------------- -2.1 Mock +Update the kickstart file at server/fedora/ks/kickstart.txt for the +new release. At a minimum you'll need to change the "url" stanza, and +probably also change the branch name in the "git clone" command. -Mock needs to be setup for the new environment. The first thing to do -is to update the Makefile by substituting -s/scripts-fcOLD/scripts-fcNEW/g on the /usr/bin/mock invocations. -After that, you need to go to /etc/mock and create the new cfg file -for the new scripts-fcXX-ARCH configurations (where ARCH is x86_64 and -i386). You can base the new cfg off of the older version's, however -you will want to make the following changes: +Add your new VM to ansible/inventory.yml, probably in the +"scripts-real-test" section. Initially you won't have any Scripts +packages available for this distro, so set the use_* variables to "no" +to skip installing those packages. - * Update all references to the old Fedora release to the new - Fedora release. This includes root, dist, mirrorlist, baseurl +Install a new VM using the kickstart file. You might want to do this +with the kernel command-line parameter: - * Temporarily disabling the web.mit.edu Scripts RPM repository - and the local RPM repository by setting enabled=0 (it's there for - a reason!) 
However, the local RPM repository is fairly painless - to create and will come in handy when you start attempting to - build packages that have dependencies on other scriptsified - packages: you can set one up as scripts-build with: + inst.ks=https://raw.githubusercontent.com/mit-scripts/scripts/ansible-realserver/server/fedora/ks/kickstart.txt inst.text - mkdir ~/mock-local - createrepo ~/mock-local +The "ansible-config-me" service will run on first boot and execute the +Ansible playbook. If you're lucky, it will complete successfully on +the first try, but likely something has changed in the new +distro. Update the Ansible configuration in /srv/repository (either +locally or remotely and then pull your changes in) and re-run the +service with "systemctl start ansible-config-me" until the service +successfully completes. 3. Rebuild Scripts packages --------------------------- @@ -70,6 +68,9 @@ is a good choice. The Mock RPMs will be created in: /var/lib/mock/$MOCK_ENV/result/ +I suggest copying these to ~/mock-local and then rsyncing from there +to /mit/scripts/rpm-fcXX. + Here are some of the common troubles you'll have to deal with: 3.1 Spec patches are no longer necessary @@ -162,11 +163,11 @@ all you need to do is copy the RPMs from the build server to there your root tickets on a server.) When you're done, run `createrepo -d` on the directory. -Note that if you do a successive rebuild without bumping the Subversion -revision (via a `svn up`), the new package will have the *same* version -and yum will probably insist on using the old cached version. You can -use `yum clean all` to reset your cache and force yum to get the latest -version. +As you put RPMs in this directory, you can start flipping the use_* +flags in inventory.yml to start enabling these packages. You can rerun +Ansible at any time with + + /srv/repository/server/fedora/ansible-config-me.sh 5. Update fs sysname -------------------- 
@@ -202,13 +203,7 @@ and ensure run on the new platform. They include: Fedora occasionally updates the architecture name for 32-bit; the last such update was in Fedora 12, when i586 became i686. Fixing this usually just involves replacing i586 with i686 in the appropriate places -(Makefile, specfiles, /etc/mock configuration). Note that for -hysterical raisins we still refer to our 32-bit builds as i386. -[XXX: Maybe this should change] - -Until we decide that the performance impact is negligible, any new PHP -extensions other than the few we’ve whitelisted should be disabled by -emptying their .ini files in /etc/php.d. +(Makefile, specfiles, /etc/mock configuration). 9. Sending announcements ------------------------ diff --git a/server/fedora/Makefile b/server/fedora/Makefile index b8349286..de28f952 100644 --- a/server/fedora/Makefile +++ b/server/fedora/Makefile 
@@ -18,14 +18,13 @@ # # See /COPYRIGHT in this repository for more information. -upstream_yum = krb5 krb5.i686 httpd openssh libgsasl openssl openssl.i686 389-ds-base -hackage = cgi-3001.1.8.5 unix-handle-0.0.0 -upstream_hackage = ghc-cgi ghc-unix-handle +FEDORA = fc$(shell lsb_release -rs) +upstream_yum = httpd openssh autofs gems = pony:1.8 fcgi:0.9.2.1 upstream_gems = rubygem-pony rubygem-fcgi upstream_eggs = python-authkit -upstream = openafs $(upstream_yum) $(upstream_hackage) $(upstream_gems) $(upstream_eggs) moira zephyr zephyr.i686 python-zephyr python-afs python-moira python-hesiod athena-aclocal discuss -oursrc = execsys tokensys accountadm httpdmods logview sql-signup nss_nonlocal nss_nonlocal.i686 whoisd athrun php_scripts scripts-wizard scripts-base scripts-static-cat fuse-better-mousetrapfs scripts-munin-plugins +upstream = openafs hesiod $(upstream_yum) $(upstream_gems) $(upstream_eggs) moira zephyr zephyr.i686 python-zephyr python-afs python-moira python-hesiod athena-aclocal discuss fuse-python +oursrc = execsys tokensys accountadm httpdmods logview nss_nonlocal nss_nonlocal.i686 athrun php_scripts scripts-wizard scripts-base scripts-static-cat fuse-better-mousetrapfs scripts-munin-plugins scripts-krb5-localauth shackle allsrc = $(upstream) $(oursrc) oursrcdir = ${PWD}/../common/oursrc patches = ${PWD}/../common/patches @@ -33,14 +32,15 @@ specs = ${PWD}/specs topdir = ${HOME}/rpmbuild tmp_build = $(topdir)/BUILD -tmp_specs = $(topdir)/SPECS +rpm_specs = $(topdir)/SPECS +tmp_specs = $(topdir)/SPECS-SCRIPTS tmp_src = $(topdir)/SOURCES out_rpms = $(topdir)/RPMS out_srpms = $(topdir)/SRPMS out_sbin = $(topdir)/sbin dload = ${PWD}/.dload -openafs_url = "https://www.openafs.org/dl/openafs/1.6.22.1/openafs-1.6.22.1-1.src.rpm" +openafs_url = "http://www.openafs.org/dl/openafs/1.8.4/openafs-1.8.4-1.src.rpm" #zephyr_url = "http://zephyr.1ts.org/files/zephyr-3.0.2.tar.gz" PKG = $(patsubst %.i686,%,$@) 
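Review bot: `FEDORA = fc$(shell lsb_release -rs)` depends on `lsb_release`, which is not part of a minimal Fedora install; when it is missing the `$(shell)` result is empty and `FEDORA` silently becomes `fc`, so every later mock invocation fails on a chroot named `scripts-fc-x86_64` with no hint at the cause. `FEDORA = fc$(shell rpm -E %fedora)` needs only rpm, which the build already requires; alternatively guard the assignment with `ifeq ($(FEDORA),fc)` / `$(error cannot determine Fedora release)`.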
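Review bot: `openafs_url` drops from `https://` to `http://` in this hunk, so the OpenAFS source RPM that the download rule fetches with `wget` now travels over plaintext and nothing checks it before `rpm -i` installs it; unless the TLS endpoint has gone away, keep `https://www.openafs.org/dl/openafs/1.8.4/openafs-1.8.4-1.src.rpm` and run `rpm -K` on the downloaded SRPM before installing it. The value also keeps its surrounding double quotes, which `$(notdir $(openafs_url))` would carry into a file name as a trailing `"`; the URL contains no shell metacharacters, so the quotes can simply go.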
@@ -63,25 +63,28 @@ clean: minimal-clean mkdir-tree: rpmdev-setuptree mkdir -p $(out_sbin) + mkdir -p $(tmp_specs) ln -sTf $(topdir) rpmbuild +openafs openafs-kernel ${tmp_specs}/openafs.spec: $(dload)/$(notdir $openafs_url) +$(dload)/$(notdir $openafs_url): + wget -P $(dload) $(openafs_url) + download: download_stamp download_stamp: mkdir -p $(dload) cd $(dload) && yumdownloader --disablerepo=scripts --source $(upstream_yum) - wget -P $(dload) $(openafs_url) #wget -P $(dload) $(zephyr_url) cd $(tmp_src) && wget -nd -r -l1 -np -A.orig.tar.gz https://debathena.mit.edu/apt/pool/debathena/d/debathena-moira/ - cabal update - cabal fetch --no-dependencies $(hackage) - cp -a $(hackage:%=~/.cabal/packages/*/*/*/%.tar.gz) $(tmp_src) - $(foreach gem, $(gems), gem fetch $(firstword $(subst :, ,$(gem))) -v $(lastword $(subst :, ,$(gem)));) + $(foreach gem, $(gems), cd $(tmp_src) && gem fetch $(firstword $(subst :, ,$(gem))) -v $(lastword $(subst :, ,$(gem)));) + spectool -g -R $(specs)/hesiod.spec spectool -g -R $(specs)/zephyr.spec spectool -g -R $(specs)/python-zephyr.spec spectool -g -R $(specs)/python-afs.spec spectool -g -R $(specs)/python-moira.spec spectool -g -R $(specs)/python-hesiod.spec spectool -g -R $(specs)/python-authkit.spec + spectool -g -R $(specs)/fuse-python.spec touch download_stamp cd $(tmp_src) && wget -nd -r -l1 -np -A.tar.gz https://debathena.mit.edu/apt/pool/debathena/d/debathena-aclocal/ 
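Review bot: `$(notdir $openafs_url)`, used both in the `openafs openafs-kernel ${tmp_specs}/openafs.spec` prerequisite and as the download target, is not a reference to `openafs_url`: make reads `$o` as a single-letter variable (normally empty) followed by the literal text `penafs_url`, so the target is `$(dload)/penafs_url`, which `wget` never creates, and the download re-runs on every build while the spec rule is always considered out of date. Both occurrences should read `$(dload)/$(notdir $(openafs_url))`, and `openafs_url` itself needs its quotes removed or the basename ends in a stray `"`. The `wget` recipe also has no integrity check on what it fetches; verifying the SRPM signature with `rpm -K` before `install-srpms` would close that gap.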
@@ -94,40 +97,39 @@ copy-patches: mkdir-tree install-srpms: mkdir-tree download rpm $(rpm_args) -i $(dload)/*.src.rpm 2>/dev/null -copy-specs: mkdir-tree - cp ${specs}/*.spec $(tmp_specs) +# If we have a spec, just copy it. +${tmp_specs}/%.spec: ${specs}/%.spec mkdir-tree + cp $< $@ -# Remove old .orig files so we're not misled -patch-specs: install-srpms +# If we have a spec patch, install the SRPM and then patch it. +${tmp_specs}/%.spec: ${specs}/%.spec.patch install-srpms @set -ex; \ - cd ${tmp_specs}; \ - list=`ls ${specs}/*.spec.patch`; \ - rm -f *.orig; \ - rm -f *.spec.~*~; \ - for i in $$list; do \ - patch -bV numbered < $$i; \ - done + rm -f $@.orig; \ + rm -f $@.specs.~*~; \ + patch -bV numbered -o $@ ${rpm_specs}/$*.spec $< # 1. use the package's Makefile to delete leftover files and run autoconf # 2. create a tarball (we want it to contain the autoconf output) -tarballs: mkdir-tree +$(tmp_src)/%.tar.gz: $(oursrcdir)/% $(oursrcdir)/%/* mkdir-tree @set -ex; \ cd ${oursrcdir}; \ - list=`find -mindepth 1 -maxdepth 1 -type d`; \ - for i in $$list; do \ - pushd $$i; \ - if [ -x ./mrproper ]; then \ - ./mrproper; \ - if [ -e configure.in ] || [ -e configure.ac ]; then \ - autoconf; \ - fi; \ + pushd $<; \ + if [ -x ./mrproper ]; then \ + ./mrproper; \ + if [ -e configure.in ] || [ -e configure.ac ]; then \ + autoconf; \ fi; \ - popd; \ - tar -czf $(tmp_src)/$$i.tar.gz $$i; \ - done + fi; \ + popd; \ + tar -czf $@ $*; + +# Build a tarball for each package, if we can. +oursrcdirs := $(notdir $(wildcard $(oursrcdir)/*)) +${oursrcdirs}: %: $(tmp_src)/%.tar.gz +${oursrcdirs:%=%.i686}: %.i686: $(tmp_src)/%.tar.gz #setup: install-srpms copy-patches copy-specs patch-specs tarballs -setup: copy-patches copy-specs patch-specs tarballs +setup: copy-patches oursrc: make $(oursrc) 
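Review bot: `rm -f $@.specs.~*~` can never match anything: `$@` is `${tmp_specs}/NAME.spec`, so the pattern is `NAME.spec.specs.~*~`, whereas the numbered backups `patch -bV numbered` writes (and the old `rm -f *.spec.~*~` cleaned up) are named `NAME.spec.~N~`; presumably `rm -f $@.~*~` was meant. Whether `patch -o $@` produces backups at all is worth checking — if it does not, both `rm` lines are dead and should go, with a comment explaining why the old cleanup is no longer needed. The tarball rule's `$(oursrcdir)/%/*` prerequisite also deserves a one-line comment saying it exists to re-tar on any change inside the package directory, since a wildcard in a pattern prerequisite is unusual enough to look like a mistake.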
@@ -140,34 +142,30 @@ all: $(oursrc): rpmbuild_args += --define 'scriptsversion $(scriptsversion)' -$(filter %.i686,$(oursrc)): %.i686: setup - PATH="/usr/kerberos/sbin:/usr/kerberos/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin" \ - rpmbuild ${rpmbuild_args} -bs ${tmp_specs}/${PKG}.spec - /usr/bin/mock -r scripts-fc20-i386 --arch=i686 ${rpmbuild_args} --define="_lib lib" -v --rebuild `ls -t ${out_srpms}/${PKG}-[0-9]*.src.rpm | head -1` +mock_chroot = scripts-${FEDORA}-`uname -m` +mock_args = -r ${mock_chroot} ${rpmbuild_args} -$(filter-out %.i686,$(oursrc)): %: setup - PATH="/usr/kerberos/sbin:/usr/kerberos/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin" \ - rpmbuild ${rpmbuild_args} -bs ${tmp_specs}/${PKG}.spec - /usr/bin/mock -r scripts-fc20-`uname -m` ${rpmbuild_args} -v --rebuild `ls -t ${out_srpms}/${PKG}-[0-9]*.src.rpm | head -1` - -$(upstream) openafs-kernel: rpmbuild_args += --define 'scriptsversion $(scriptsversion)' +%.i686: mock_chroot = scripts-${FEDORA}-i686 +%.i686: mock_args += --arch=i686 --define="_lib lib" -kernel: rpmbuild_args += --define 'buildid .scripts.%{scriptsversion}' --without debug --without doc +define build-rpm = +rpmbuild ${rpmbuild_args} -bs $< +/usr/bin/mock ${mock_args} -v --rebuild `ls -t ${out_srpms}/${PKG}-[0-9]*.src.rpm | head -1` +endef -$(filter %.i686,$(upstream)): %.i686: setup patch-specs - rpmbuild ${rpmbuild_args} -bs ${tmp_specs}/${PKG}.spec - /usr/bin/mock -r scripts-fc20-i386 --arch=i686 ${rpmbuild_args} -v --rebuild `ls -t ${out_srpms}/${PKG}-[0-9]*.src.rpm | head -1` +%: ${tmp_specs}/%.spec setup + $(build-rpm) +%.i686: ${tmp_specs}/%.spec setup + $(build-rpm) -$(filter-out %.i686,$(upstream)): %: setup patch-specs - rpmbuild ${rpmbuild_args} -bs ${tmp_specs}/${PKG}.spec - /usr/bin/mock -r scripts-fc20-`uname -m` ${rpmbuild_args} -v --rebuild `ls -t ${out_srpms}/${PKG}-[0-9]*.src.rpm | head -1` +$(upstream) openafs-kernel: rpmbuild_args += --define 'scriptsversion 
$(scriptsversion)'
-openafs-kernel: setup
+openafs-kernel: ${tmp_specs}/openafs.spec setup
 PATH="/usr/kerberos/sbin:/usr/kerberos/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin" \
- rpmbuild ${rpmbuild_args} -bs ${tmp_specs}/openafs*.spec
- /usr/bin/mock -r scripts-fc27-`uname -m` --clean
- /usr/bin/mock -r scripts-fc27-`uname -m` --install elfutils-libelf-devel
- /usr/bin/mock -r scripts-fc27-`uname -m` --no-clean ${rpmbuild_args} -v --rebuild `ls -t ${out_srpms}/openafs*.src.rpm | head -1`
+ rpmbuild ${rpmbuild_args} -bs $<
+ /usr/bin/mock -r scripts-${FEDORA}-`uname -m` --clean
+ /usr/bin/mock -r scripts-${FEDORA}-`uname -m` --install elfutils-libelf-devel
+ /usr/bin/mock -r scripts-${FEDORA}-`uname -m` --no-clean ${rpmbuild_args} -v --rebuild `ls -t ${out_srpms}/openafs*.src.rpm | head -1`
 #sort -n sorts "2.6.25-1" later than "2.6.25.1-1", so it's Wrong
 #kernvers = $(shell rpm -q --qf "%{Version}-%{Release}\n" --whatprovides kernel | sort -n | tail -n1)
diff --git a/server/fedora/ansible-config-me.service b/server/fedora/ansible-config-me.service
new file mode 100644
index 00000000..e55edc03
--- /dev/null
+++ b/server/fedora/ansible-config-me.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=Run ansible-pull at first boot to apply environment configuration
+After=network-online.target
+ConditionPathExists=!/etc/ansible-config-done
+
+[Service]
+ExecStart=/srv/repository/server/fedora/ansible-config-me.sh
+Type=oneshot
+
+[Install]
+WantedBy=multi-user.target
diff --git a/server/fedora/ansible-config-me.sh b/server/fedora/ansible-config-me.sh
new file mode 100755
index 00000000..e2686a33
--- /dev/null
+++ b/server/fedora/ansible-config-me.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+set -e
+set -x
+
+cd /srv/repository/ansible
+ansible-playbook playbook.yml -c local -l "localhost,$(hostname -f | tr '[:upper:]' '[:lower:]'),$(hostname -s | tr '[:upper:]' '[:lower:]'),127.0.0.1" --diff -v
+
+touch /etc/ansible-config-done
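Review bot: `%: ${tmp_specs}/%.spec setup` is a non-terminal match-anything rule, so make now considers every name it meets (`setup`, the spec sources, the tarballs) a candidate for this rule, and a typo'd target fails with a confusing spec-not-found error instead of "No rule to make target"; the static pattern rules this hunk removes limited that to known packages. `$(filter-out %.i686,$(allsrc)): %: ${tmp_specs}/%.spec setup` and `$(filter %.i686,$(allsrc)): %.i686: ${tmp_specs}/%.spec setup` keep the new `$(build-rpm)` recipe while restoring that restriction. The hunk starts on the previous line, so I have only reviewed the part visible here.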
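Review bot: `After=network-online.target` alone does not make the unit wait for the network: `network-online.target` is only reached when something pulls it in, so the ordering is a no-op unless `Wants=network-online.target` is added under `[Unit]`. Since the first-boot playbook presumably needs working DNS (the companion script derives its inventory limit from `hostname -f`), the missing `Wants=` would show up as intermittent first-boot failures rather than a clear error. `Description=` also says `ansible-pull` while the script runs `ansible-playbook -c local`; adjusting it avoids misleading whoever debugs this later.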
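Review bot: Under `set -e` a failure of `hostname -f` inside the `-l` argument's command substitution does not abort the script (only the status of `ansible-playbook` counts), so on a first boot where the FQDN cannot be resolved the limit silently becomes `localhost,,<short>,127.0.0.1` and host-specific configuration is skipped without any error. Compute the names first and fail loudly: `fqdn=$(hostname -f | tr '[:upper:]' '[:lower:]')`, `short=$(hostname -s | tr '[:upper:]' '[:lower:]')`, then pass `-l "localhost,${fqdn:?},${short:?},127.0.0.1"`. Note too that `set -x` combined with `--diff -v` records rendered file diffs in the journal, so any task that templates credentials needs `no_log: true` to keep them out of the logs.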
diff --git a/server/fedora/config/etc/ImageMagick-6/policy.xml b/server/fedora/config/etc/ImageMagick-6/policy.xml deleted file mode 100644 index 1704e77c..00000000 --- a/server/fedora/config/etc/ImageMagick-6/policy.xml +++ /dev/null @@ -1,64 +0,0 @@ - - - - - - - - -]> - - - - - - - - - - - - - - - - - - - diff --git a/server/fedora/config/etc/aliases b/server/fedora/config/etc/aliases deleted file mode 100644 index 40541d6c..00000000 --- a/server/fedora/config/etc/aliases +++ /dev/null 
@@ -1,169 +0,0 @@ -# -# Aliases in this file will NOT be expanded in the header from -# Mail, but WILL be visible over networks or from /bin/mail. -# -# >>>>>>>>>> The program "newaliases" must be run after -# >> NOTE >> this file is updated for any changes to -# >>>>>>>>>> show through to sendmail. -# - -# Basic system aliases -- these MUST be present. -mailer-daemon: postmaster -postmaster: root - -# General redirections for pseudo accounts. -bin: root -daemon: root -adm: root -lp: root -sync: root -shutdown: root -halt: root -mail: root -news: root -uucp: root -operator: root -games: root -gopher: root -ftp: root -nobody: root -radiusd: root -nut: root -dbus: root -vcsa: root -canna: root -wnn: root -rpm: root -nscd: root -pcap: root -apache: root -webalizer: root -dovecot: root -fax: root -quagga: root -radvd: root -pvm: root -amanda: root -privoxy: root -ident: root -named: root -xfs: root -gdm: root -mailnull: root -postgres: root -sshd: root -smmsp: root -postfix: root -netdump: root -ldap: root -squid: root -ntp: root -mysql: root -desktop: root -rpcuser: root -rpc: root -nfsnobody: root - -ingres: root -system: root -toor: root -manager: root -dumper: root -abuse: root - -newsadm: news -newsadmin: news -usenet: news -ftpadm: ftp -ftpadmin: ftp -ftp-adm: ftp -ftp-admin: ftp -www: webmaster -webmaster: root -noc: root -security: root -hostmaster: root - -# trap decode to catch security attacks -decode: root - -# Person who should get root's mail -# root: (moved to /etc/scripts/root-procmailrc so this mail gets spam filtered) - -scripts: root -signup: root -afsagent: root -logview: root -scripts-build: root - -# People who are abusing or otherwise causing problems with the mail system -# Put "/dev/null" as the target of their alias -# srimano: has a phpBB generating a lot of backscatter -srimano: /dev/null -# dbriggs: phpBB: added 2011-06-25, see mail to -root 2011-03-27, 2011-06-03 -dbriggs: /dev/null -# ro21531: spam to rosmosis.net: added 2011-06-25, see 
mail to -root 2011-06-03 -ro21531: /dev/null -# buechley: not responsive to mail sent by -root on 2013-05-14, added 2013-07-04 -buechley: /dev/null -# cssa: spam, added 2014-02-01 -cssa: /dev/null -# mitlti: added 2014-07-26, causing way too much queued mail and not -# yet responded to mail by -root -mitlti: /dev/null -# paxters: so much spam, added 2014-09-09 -paxters: /dev/null -# crhie: why all the same, added 2014-10-05 -crhie: /dev/null -# baker-foundation: spam, spam, and more spam. Added 2014-11-21 -baker-foundation: /dev/null -# 11.309j: still all spammy, despite contact on 2014-11-09. Added 2014-12-01 -11.309j: /dev/null -# kgsa: repeat unhappiness. Added 2014-12-01 -kgsa: /dev/null -# jains: compromised account sourcing spam. Added 2014-12-13 -jains: /dev/null -# unfolding: compromised account sourcing spam. Added 2014-12-13 -unfolding: /dev/null -# 4.332: compromised account sourcing spam. Added 2014-12-13 -4.332: /dev/null -# asme: compromised account sourcing spam. Added 2014-12-13 -asme: /dev/null -# alisono: compromised account sourcing spam. Added 2014-12-13 -alisono: /dev/null -# laublab: compromised account sourcing spam. Added 2014-12-24 -laublab: /dev/null -# eltahirgroup: compromised account sourcing spam. Added 2015-07-07 -eltahirgroup: /dev/null -# strategic: backscatter. Added 2015-10-09 -strategic: /dev/null -# je18337: cron spam. Added 2015-10-09 -je18337: /dev/null -# gsc: backscatter. Added 2015-10-09 -gsc: /dev/null -# rwf: backscatter. Added 2015-10-09 -rwf: /dev/null -# saxelab: spam. Added 2015-10-09 -saxelab: /dev/null -# qeg: spam. Added 2015-10-09 -qeg: /dev/null -# blackhistory: backscatter. Added 2016-09-03 -blackhistory: /dev/null -# tdc: mail loop on procmailrc. Added 2016-09-11 -tdc: /dev/null -# seek: spam. Added 2016-10-09. -seek: /dev/null -# braintrust: spam. Added 2016-10-20. -braintrust: /dev/null -# newmanlab: spam. Added 2016-12-04. -newmanlab: /dev/null -# game: spam. 
Added 2017-01-23 -game: /dev/null -# lebanon: spam. Added 2017-01-23 -lebanon: /dev/null -# crpg: spam. Added 2017-01-23 -crpg: /dev/null -# scioly: spam. Added 2017-02-23 -scioly: /dev/null -# xavid: mail loop. Added 2017-03-06 -xavid: /dev/null diff --git a/server/fedora/config/etc/auto.master b/server/fedora/config/etc/auto.master deleted file mode 100644 index 85bf7acd..00000000 --- a/server/fedora/config/etc/auto.master +++ /dev/null @@ -1 +0,0 @@ -/mit hesiod:hesiod diff --git a/server/fedora/config/etc/cron.d/check-filecaps b/server/fedora/config/etc/cron.d/check-filecaps deleted file mode 100644 index 27bd9f5e..00000000 --- a/server/fedora/config/etc/cron.d/check-filecaps +++ /dev/null @@ -1,2 +0,0 @@ -MAILTO=scripts-root@mit.edu -27 5 * * * root find / -xdev -not -perm -o=x -prune -o -type f -print0 | xargs -0r /usr/sbin/getcap | cut -d' ' -f1 | grep -Fxvf /etc/scripts/allowed-filecaps.list | grep -ve ^/var/lib/mock/ | sed 's/^/Extra file_caps binary: /' diff --git a/server/fedora/config/etc/cron.d/check-setugid b/server/fedora/config/etc/cron.d/check-setugid deleted file mode 100644 index 2fa1f72c..00000000 --- a/server/fedora/config/etc/cron.d/check-setugid +++ /dev/null @@ -1,2 +0,0 @@ -MAILTO=scripts-root@mit.edu -23 5 * * * root find / -xdev -not -perm -o=x -prune -o -type f -perm /ug=s -print | grep -Fxvf /etc/scripts/allowed-setugid.list | grep -ve ^/var/lib/mock/ | sed 's/^/Extra set[ug]id binary: /' diff --git a/server/fedora/config/etc/cron.d/scripts-cron_status b/server/fedora/config/etc/cron.d/scripts-cron_status deleted file mode 100644 index e4b96512..00000000 --- a/server/fedora/config/etc/cron.d/scripts-cron_status +++ /dev/null @@ -1 +0,0 @@ -* * * * * scripts touch /afs/athena.mit.edu/contrib/scripts/cron_scripts/cron_status_flag/$(hostname -f) > /dev/null 2>&1 diff --git a/server/fedora/config/etc/cron.daily/.gitignore b/server/fedora/config/etc/cron.daily/.gitignore deleted file mode 100644 index af175c00..00000000 
--- a/server/fedora/config/etc/cron.daily/.gitignore
+++ /dev/null
@@ -1,8 +0,0 @@
-/0logwatch
-/cups
-/logrotate
-/makewhatis.cron
-/mlocate.cron
-/prelink
-/readahead.cron
-/tmpwatch
diff --git a/server/fedora/config/etc/default/grub b/server/fedora/config/etc/default/grub
deleted file mode 100644
index 18fbbdcf..00000000
--- a/server/fedora/config/etc/default/grub
+++ /dev/null
@@ -1,6 +0,0 @@
-GRUB_TIMEOUT=5
-GRUB_DISTRIBUTOR="Fedora"
-GRUB_DEFAULT=saved
-GRUB_TERMINAL="serial console"
-GRUB_SERIAL_COMMAND="serial"
-GRUB_CMDLINE_LINUX="rd.md=0 rd.lvm=0 rd.dm=0 KEYTABLE=us rd.luks=0 SYSFONT=True LANG=en_US.UTF-8 crashkernel=128M"
diff --git a/server/fedora/config/etc/environment b/server/fedora/config/etc/environment
deleted file mode 100644
index 887b2416..00000000
--- a/server/fedora/config/etc/environment
+++ /dev/null
@@ -1 +0,0 @@
-JAVA_TOOL_OPTIONS="-Xmx128M -XX:MaxPermSize=64M"
diff --git a/server/fedora/config/etc/freshclam.conf b/server/fedora/config/etc/freshclam.conf
deleted file mode 100644
index 3d94770e..00000000
--- a/server/fedora/config/etc/freshclam.conf
+++ /dev/null
@@ -1,175 +0,0 @@ -## -## Example config file for freshclam -## Please read the freshclam.conf(5) manual before editing this file. -## - - -# Comment or remove the line below. -#Example - -# Path to the database directory. -# WARNING: It must match clamd.conf's directive! -# Default: hardcoded (depends on installation options) -DatabaseDirectory /var/lib/clamav - -# Path to the log file (make sure it has proper permissions) -# Default: disabled -UpdateLogFile /var/log/freshclam.log - -# Maximum size of the log file. -# Value of 0 disables the limit. -# You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes) -# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes). -# in bytes just don't use modifiers. -# Default: 1M -#LogFileMaxSize 2M - -# Log time with each message. -# Default: no -#LogTime yes - -# Enable verbose logging. -# Default: no -#LogVerbose yes - -# Use system logger (can work together with UpdateLogFile). -# Default: no -#LogSyslog yes - -# Specify the type of syslog messages - please refer to 'man syslog' -# for facility names. -# Default: LOG_LOCAL6 -#LogFacility LOG_MAIL - -# This option allows you to save the process identifier of the daemon -# Default: disabled -#PidFile /var/run/freshclam.pid - -# By default when started freshclam drops privileges and switches to the -# "clamav" user. This directive allows you to change the database owner. -# Default: clamav (may depend on installation options) -#DatabaseOwner clamav - -# Initialize supplementary group access (freshclam must be started by root). -# Default: no -#AllowSupplementaryGroups yes - -# Use DNS to verify virus database version. Freshclam uses DNS TXT records -# to verify database and software versions. With this directive you can change -# the database verification domain. -# WARNING: Do not touch it unless you're configuring freshclam to use your -# own database verification domain. 
-# Default: current.cvd.clamav.net -#DNSDatabaseInfo current.cvd.clamav.net - -# Uncomment the following line and replace XY with your country -# code. See http://www.iana.org/cctld/cctld-whois.htm for the full list. -#DatabaseMirror db.XY.clamav.net - -# database.clamav.net is a round-robin record which points to our most -# reliable mirrors. It's used as a fall back in case db.XY.clamav.net is -# not working. DO NOT TOUCH the following line unless you know what you -# are doing. -DatabaseMirror database.clamav.net - -# How many attempts to make before giving up. -# Default: 3 (per mirror) -#MaxAttempts 5 - -# With this option you can control scripted updates. It's highly recommended -# to keep it enabled. -# Default: yes -#ScriptedUpdates yes - -# By default freshclam will keep the local databases (.cld) uncompressed to -# make their handling faster. With this option you can enable the compression; -# the change will take effect with the next database update. -# Default: no -#CompressLocalDatabase no - -# Number of database checks per day. -# Default: 12 (every two hours) -#Checks 24 - -# Proxy settings -# Default: disabled -#HTTPProxyServer myproxy.com -#HTTPProxyPort 1234 -#HTTPProxyUsername myusername -#HTTPProxyPassword mypass - -# If your servers are behind a firewall/proxy which applies User-Agent -# filtering you can use this option to force the use of a different -# User-Agent header. -# Default: clamav/version_number -#HTTPUserAgent SomeUserAgentIdString - -# Use aaa.bbb.ccc.ddd as client address for downloading databases. Useful for -# multi-homed systems. -# Default: Use OS'es default outgoing IP address. -#LocalIPAddress aaa.bbb.ccc.ddd - -# Send the RELOAD command to clamd. -# Default: no -#NotifyClamd /path/to/clamd.conf - -# Run command after successful database update. -# Default: disabled -#OnUpdateExecute command - -# Run command when database update process fails. 
-# Default: disabled -#OnErrorExecute command - -# Run command when freshclam reports outdated version. -# In the command string %v will be replaced by the new version number. -# Default: disabled -#OnOutdatedExecute command - -# Don't fork into background. -# Default: no -#Foreground yes - -# Enable debug messages in libclamav. -# Default: no -#Debug yes - -# Timeout in seconds when connecting to database server. -# Default: 30 -#ConnectTimeout 60 - -# Timeout in seconds when reading from database server. -# Default: 30 -#ReceiveTimeout 60 - -# When enabled freshclam will submit statistics to the ClamAV Project about -# the latest virus detections in your environment. The ClamAV maintainers -# will then use this data to determine what types of malware are the most -# detected in the field and in what geographic area they are. -# This feature requires LogTime and LogFile to be enabled in clamd.conf. -# Default: no -#SubmitDetectionStats /path/to/clamd.conf - -# Country of origin of malware/detection statistics (for statistical -# purposes only). The statistics collector at ClamAV.net will look up -# your IP address to determine the geographical origin of the malware -# reported by your installation. If this installation is mainly used to -# scan data which comes from a different location, please enable this -# option and enter a two-letter code (see http://www.iana.org/domains/root/db/) -# of the country of origin. -# Default: disabled -#DetectionStatsCountry country-code - -# This option enables support for Google Safe Browsing. When activated for -# the first time, freshclam will download a new database file (safebrowsing.cvd) -# which will be automatically loaded by clamd and clamscan during the next -# reload, provided that the heuristic phishing detection is turned on. This -# database includes information about websites that may be phishing sites or -# possible sources of malware. 
When using this option, it's mandatory to run
-# freshclam at least every 30 minutes.
-# Freshclam uses the ClamAV's mirror infrastructure to distribute the
-# database and its updates but all the contents are provided under Google's
-# terms of use. See http://code.google.com/support/bin/answer.py?answer=70015
-# and http://safebrowsing.clamav.net for more information.
-# Default: disabled
-#SafeBrowsing yes
diff --git a/server/fedora/config/etc/fuse.conf b/server/fedora/config/etc/fuse.conf
deleted file mode 100644
index a439ab82..00000000
--- a/server/fedora/config/etc/fuse.conf
+++ /dev/null
@@ -1 +0,0 @@
-user_allow_other
diff --git a/server/fedora/config/etc/hesiod.conf b/server/fedora/config/etc/hesiod.conf
deleted file mode 100644
index 2ffb2a93..00000000
--- a/server/fedora/config/etc/hesiod.conf
+++ /dev/null
@@ -1,2 +0,0 @@
-rhs=.ATHENA.MIT.EDU
-lhs=.ns
diff --git a/server/fedora/config/etc/hosts b/server/fedora/config/etc/hosts
deleted file mode 100644
index 5695fdb0..00000000
--- a/server/fedora/config/etc/hosts
+++ /dev/null
@@ -1,37 +0,0 @@
-# Do not remove the following line, or various programs
-# that require network functionality will fail.
-127.0.0.1 localhost.localdomain localhost
-::1 localhost.localdomain localhost
-
-18.4.60.52 sql.mit.edu sql
-
-18.4.86.43 scripts.mit.edu scripts
-18.4.86.46 scripts-vhosts.mit.edu scripts-vhosts
-18.4.86.50 scripts-cert.mit.edu scripts-cert
-18.4.86.229 scripts-test.mit.edu scripts-test
-
-18.4.86.57 better-mousetrap.mit.edu better-mousetrap scripts1.mit.edu scripts1
-18.4.86.53 old-faithful.mit.edu old-faithful scripts2.mit.edu scripts2
-18.4.86.167 bees-knees.mit.edu bees-knees scripts3.mit.edu scripts3
-18.4.86.228 cats-whiskers.mit.edu cats-whiskers scripts4.mit.edu scripts4
-18.4.86.236 whole-enchilada.mit.edu whole-enchilada scripts5.mit.edu scripts5
-18.4.86.237 pancake-bunny.mit.edu pancake-bunny scripts6.mit.edu scripts6
-18.4.86.234 busy-beaver.mit.edu busy-beaver scripts7.mit.edu scripts7
-18.4.86.235 real-mccoy.mit.edu real-mccoy scripts8.mit.edu scripts8
-18.4.86.135 shining-armor.mit.edu shining-armor scripts9.mit.edu scripts9
-18.4.86.141 golden-egg.mit.edu golden-egg scripts10.mit.edu scripts10
-18.4.86.203 miracle-cure.mit.edu miracle-cure scripts11.mit.edu scripts11
-18.4.86.204 lucky-star.mit.edu lucky-star scripts12.mit.edu scripts12
-
-172.21.0.57 better-mousetrap.mit.edu
-172.21.0.53 old-faithful.mit.edu
-172.21.0.167 bees-knees.mit.edu
-172.21.0.228 cats-whiskers.mit.edu
-172.21.0.236 whole-enchilada.mit.edu
-172.21.0.237 pancake-bunny.mit.edu
-172.21.0.234 busy-beaver.mit.edu
-172.21.0.235 real-mccoy.mit.edu
-172.21.0.135 shining-armor.mit.edu
-172.21.0.141 golden-egg.mit.edu
-172.21.0.203 miracle-cure.mit.edu
-172.21.0.204 lucky-star.mit.edu
diff --git a/server/fedora/config/etc/httpd/conf.d/scripts-vhost-names.conf b/server/fedora/config/etc/httpd/conf.d/scripts-vhost-names.conf
deleted file mode 100644
index 9114fab5..00000000
--- a/server/fedora/config/etc/httpd/conf.d/scripts-vhost-names.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-ServerName scripts.mit.edu
-ServerAlias \
- scripts 18.4.86.43 \
- scripts-vhosts.mit.edu scripts-vhosts 18.4.86.46 \
- scripts-f20.mit.edu scripts-f20 18.4.86.22 \
- scripts-f30.mit.edu scripts-f30 18.4.86.30 \
- scripts-test.mit.edu scripts-test 18.4.86.229 \
- better-mousetrap.mit.edu better-mousetrap b-m.mit.edu b-m scripts1.mit.edu scripts1 18.4.86.57 \
- old-faithful.mit.edu old-faithful o-f.mit.edu o-f scripts2.mit.edu scripts2 18.4.86.53 \
- bees-knees.mit.edu bees-knees b-k.mit.edu b-k scripts3.mit.edu scripts3 18.4.86.167 \
- cats-whiskers.mit.edu cats-whiskers c-w.mit.edu c-w scripts4.mit.edu scripts4 18.4.86.228 \
- whole-enchilada.mit.edu whole-enchilada w-e.mit.edu w-e scripts5.mit.edu scripts5 18.4.86.236 \
- pancake-bunny.mit.edu pancake-bunny p-b.mit.edu p-b scripts6.mit.edu scripts6 18.4.86.237 \
- busy-beaver.mit.edu busy-beaver b-b.mit.edu b-b scripts7.mit.edu scripts7 18.4.86.234 \
- real-mccoy.mit.edu real-mccoy r-m.mit.edu r-m scripts8.mit.edu scripts8 18.4.86.235 \
- shining-armor.mit.edu shining-armor s-a.mit.edu s-a scripts9.mit.edu scripts9 18.4.86.135 \
- golden-egg.mit.edu golden-egg g-e.mit.edu g-e scripts10.mit.edu scripts10 18.4.86.141 \
- miracle-cure.mit.edu miracle-cure m-c.mit.edu m-c scripts11.mit.edu scripts11 18.4.86.203 \
- lucky-star.mit.edu lucky-star l-s.mit.edu l-s scripts12.mit.edu scripts12 18.4.86.204 \
- localhost 127.0.0.1 ::1
diff --git a/server/fedora/config/etc/httpd/conf.d/vhost_ldap.conf b/server/fedora/config/etc/httpd/conf.d/vhost_ldap.conf
deleted file mode 100644
index 3ea699f1..00000000
--- a/server/fedora/config/etc/httpd/conf.d/vhost_ldap.conf
+++ /dev/null
@@ -1,12 +0,0 @@
-#
-# mod_vhost_ldap allows you to keep your virtual host configuration
-# in an LDAP directory and update it in nearly realtime.
-#
-
-### NOTE ###
-### mod_vhost_ldap depends on mod_ldap ###
-### you have to enable mod_ldap as well ###
-
-VhostLDAPEnabled on
-VhostLDAPUrl "ldap://127.0.0.1/ou=VirtualHosts,dc=scripts,dc=mit,dc=edu"
-VhostLDAPFallback notfound.example.com
diff --git a/server/fedora/config/etc/logwatch/scripts/services/named b/server/fedora/config/etc/logwatch/scripts/services/named
deleted file mode 100644
index 450e1512..00000000
--- a/server/fedora/config/etc/logwatch/scripts/services/named
+++ /dev/null
@@ -1,568 +0,0 @@ -########################################################################## -# $Id: named,v 1.52 2007/04/28 20:58:39 bjorn Exp $ -########################################################################## -# $Log: named,v $ -# Revision 1.52 2007/04/28 20:58:39 bjorn -# More generic RCODE handling - prints summary of unexpected DNS RCODEs. -# -# Revision 1.51 2007/04/15 20:03:25 bjorn -# Filtering updating zones with views, based on submittal by -# Jesper K. Pedersen. -# -# Revision 1.50 2007/02/16 03:36:25 bjorn -# Filtering some D-BUS statements, by Ivana Varekova. -# -# Revision 1.49 2007/01/29 18:28:38 bjorn -# Better formatting of output, by Markus Lude. -# -# Revision 1.48 2006/11/12 21:14:02 bjorn -# Filtering 'transfer started' message, by Russell Coker / Tom London. -# -# Revision 1.47 2006/10/20 21:02:00 bjorn -# Typo fixed by Alex S. -# -# Revision 1.46 2006/10/20 16:44:38 bjorn -# Changed regexp to handle IPV6, by Willi Mann. -# -# Revision 1.45 2006/09/15 15:40:58 bjorn -# Additional filtering by Ivana Varekova. -# -# Revision 1.44 2006/03/20 20:42:57 bjorn -# Additional filtering, by Ivana Varekova. -# -# Revision 1.43 2005/11/30 05:01:44 bjorn -# Don't search for info: string (for Debian), by Willi Mann. -# -# Revision 1.42 2005/11/24 16:48:30 bjorn -# Handles additional statements, by Ivana Varekova. -# -# Revision 1.41 2005/09/29 15:02:52 bjorn -# Filtering 'succeeded' by Ivana Varekova. 
-# -# Revision 1.40 2005/04/15 21:44:35 bjorn -# testing from anonymous -# -# Revision 1.39 2005/04/15 21:36:59 bjorn -# typo fixed in 'named' release during 2004 -# -# Revision 1.38 2005/04/13 17:24:13 kirk -# Test change -# -# Revision 1.37 2005/02/24 17:08:04 kirk -# Applying consolidated patches from Mike Tremaine -# -# Revision 1.9 2005/02/21 19:09:52 mgt -# Bump to 5.2.8 removed some cvs logs -mgt -# -# Revision 1.8 2005/02/16 00:43:28 mgt -# Added #vi tag to everything, updated ignore.conf with comments, added emerge and netopia to the tree from Laurent -mgt -# -# Revision 1.7 2005/02/13 17:15:40 mgt -# perl -w corrections for uninit stuff -mgt -# -# Revision 1.6 2004/10/11 18:14:47 mgt -# update from Laurent -mgt -# -# Revision 1.41 2004/09/29 10:33:29 laurent Dufour -# Removed some ^ in regex to prevent message not being in start on line to be matched -# Added some check for error in named zone config file -# Added some check for message not being matched -# -# Revision 1.4 2004/07/29 19:33:29 mgt -# Chmod and removed perl call -mgt -# -# Revision 1.3 2004/07/10 01:54:35 mgt -# sync with kirk -mgt -# -######################################################################### - -######################################################## -# This was written and is maintained by: -# Kirk Bauer -# -# Please send all comments, suggestions, bug reports, -# etc, to kirk@kaybee.org. -######################################################## - -use Logwatch ':ip'; - - -#$DoLookup = ValueOrDefault($ENV{'named_ip_lookup'}, 0); -$Debug = ValueOrDefault($ENV{'LOGWATCH_DEBUG'}, 0); -$Detail = ValueOrDefault($ENV{'LOGWATCH_DETAIL_LEVEL'}, 0); - -# Avoid "Use of uninitialized value" warning messages. -sub ValueOrDefault { - my ($value, $default) = @_; - return ($value ? 
$value : $default); -} - -if ( $Debug >= 5 ) { - print STDERR "\n\nDEBUG: Inside NAMED Filter \n\n"; - $DebugCounter = 1; -} - - -while (defined($ThisLine = )) { - if ( $Debug >= 30 ) { - print STDERR "DEBUG($DebugCounter): $ThisLine"; - $DebugCounter++; - } - - if ( - ($ThisLine =~ /RR negative cache entry/) or - ($ThisLine =~ /ns_....: .* NS points to CNAME/) or - ($ThisLine =~ /accept: connection reset by peer/) or - ($ThisLine =~ /Connection reset by peer/) or - # typo fixed in 2004 release - ($ThisLine =~ /transfer(r)?ed serial/) or - ($ThisLine =~ /There may be a name server already running/) or - ($ThisLine =~ /exiting/) or - ($ThisLine =~ /running/) or - ($ThisLine =~ /NSTATS /) or - ($ThisLine =~ /Cleaned cache of \d+ RRs/) or - ($ThisLine =~ /USAGE \d+ \d+ CPU=\d+.*/) or - ($ThisLine =~ /XSTATS /) or - ($ThisLine =~ /Ready to answer queries/) or - ($ThisLine =~ /Forwarding source address is/) or - ($ThisLine =~ /bad referral/) or - ($ThisLine =~ /prerequisite not satisfied/) or - ($ThisLine =~ /(rcvd|Sent) NOTIFY/) or - ($ThisLine =~ /ns_resp: TCP truncated/) or - ($ThisLine =~ /No possible A RRs/) or - ($ThisLine =~ /points to a CNAME/) or - ($ThisLine =~ /dangling CNAME pointer/) or - ($ThisLine =~ /listening on/) or - ($ThisLine =~ /unrelated additional info/) or - ($ThisLine =~ /Response from unexpected source/) or - ($ThisLine =~ /No root nameservers for class IN/) or - ($ThisLine =~ /recvfrom: No route to host/) or - ($ThisLine =~ /(C|c)onnection refused/) or - ($ThisLine =~ /lame server resolving/) or - ($ThisLine =~ /transfer of/) or - ($ThisLine =~ /using \d+ CPU/) or - ($ThisLine =~ /loading configuration/) or - ($ThisLine =~ /command channel listening/) or - ($ThisLine =~ /no IPv6 interfaces found/) or - ($ThisLine =~ /^running/) or - ($ThisLine =~ /^exiting/) or - ($ThisLine =~ /no longer listening/) or - ($ThisLine =~ /the default for the .* option is now/) or - ($ThisLine =~ /stopping command channel on \S+/) or - ($ThisLine =~ /Malformed 
response from/) or - ($ThisLine =~ /client .* response from Internet for .*/) or - ($ThisLine =~ /client .+ query \(cache\) '.*' denied/) or - ($ThisLine =~ /client .+#\d+: query:/) or - # Do we really want to ignore these? - #($ThisLine =~ /unknown logging category/) or - ($ThisLine =~ /could not open entropy source/) or - ($ThisLine =~ /\/etc\/rndc.key: file not found/) or - ($ThisLine =~ /sending notifies/) or - # file syntax error get reported twice and are already caught below - ($ThisLine =~ /loading master file/) or - ($ThisLine =~ /^ succeeded$/) or - ($ThisLine =~ /\*\*\* POKED TIMER \*\*\*/) or - # The message about the end of transfer is the interesting one - ($ThisLine =~ /: Transfer started./) or - ($ThisLine =~ /D-BUS service (disabled|enabled)./) or - ($ThisLine =~ /D-BUS dhcdbd subscription disabled./) or - ($ThisLine =~ /automatic empty zone/) or - ($ThisLine =~ /binding TCP socket: address in use/) or - ($ThisLine =~ /dbus_mgr initialization failed. D-BUS service is disabled./) or - ($ThisLine =~ /dbus_svc_add_filter failed/) or - ($ThisLine =~ /isc_log_open 'named.run' failed: permission denied/) or - ($ThisLine =~ /weak RSASHA1 \(5\) key found \(exponent=3\)/) or - ($ThisLine =~ /Bad file descriptor/) or - ($ThisLine =~ /open: .*: file not found/) or - ($ThisLine =~ /queries: client [0-9.#:]* view localhost_resolver: query: .* IN .*/) or - ($ThisLine =~ /zone .*: NS '.*' is a CNAME \(illegal\)/) or - ($ThisLine =~ /zone .*: zone serial unchanged. 
zone may fail to transfer to slaves/) or - ($ThisLine =~ /zone .*: loading from master file .* failed/) or - ($ThisLine =~ /zone .*: NS '.*' has no address records/) or - ($ThisLine =~ /^no valid (DS|KEY|RRSIG) resolving/) or - ($ThisLine =~ /^not insecure resolving/) or - ($ThisLine =~ /.*: not a valid number$/) or - ($ThisLine =~ /.*: unexpected end of input/) or - ($ThisLine =~ /too many timeouts resolving '.*' .*: disabling EDNS/) or - ($ThisLine =~ /too many timeouts resolving '.*' .*: reducing the advertised EDNS UDP packet size to .* octets/) or - ($ThisLine =~ /reloading zones succeeded/) or - ($ThisLine =~ /success resolving '.*' \(in '.*'?\) after disabling EDNS/) or - ($ThisLine =~ /success resolving '.*' \(in '.*'?\) after reducing the advertised EDNS UDP packet size to 512 octets/) or - ($ThisLine =~ /the working directory is not writable/) or - ($ThisLine =~ /using default UDP\/IPv[46] port range: \[[0-9]*, [0-9]*\]/) or - ($ThisLine =~ /adjusted limit on open files from [0-9]* to [0-9]*/) or - ($ThisLine =~ /using up to [0-9]* sockets/) or - ($ThisLine =~ /built with/) - # too many timeouts resolving 'ns-ext.nrt1.isc.org/AAAA' (in '.'?): disabling EDNS: 3 Time(s) - ) { - # Don't care about these... 
- } elsif ( - ($ThisLine =~ /starting\..*named/) or - ($ThisLine =~ /starting BIND/) or - ($ThisLine =~ /named startup succeeded/) - ) { - $StartNamed++; - } elsif ( $ThisLine =~ /(reloading nameserver|named reload succeeded)/ ) { - $ReloadNamed++; - } elsif ( - ($ThisLine =~ /shutting down/) or - ($ThisLine =~ /named shutting down/ ) or - ($ThisLine =~ /named shutdown succeeded/ ) - ) { - $ShutdownNamed++; - } elsif ( ($Host, $Zone) = ( $ThisLine =~ /client ([^\#]+)#[^\:]+: zone transfer '(.+)' denied/ ) ) { - $DeniedZoneTransfers{$Host}{$Zone}++; - } elsif ( ($Zone) = ( $ThisLine =~ /cache zone \"(.*)\" loaded/ ) ) { - $ZoneLoaded{"cache $Zone"}++; - } elsif ( ($Zone) = ( $ThisLine =~ /cache zone \"(.*)\" .* loaded/ ) ) { - $ZoneLoaded{"cache $Zone"}++; - } elsif ( ($Zone) = ( $ThisLine =~ /primary zone \"(.+)\" loaded/ ) ) { - $ZoneLoaded{$Zone}++; - } elsif ( ($Zone) = ( $ThisLine =~ /master zone \"(.+)\" .* loaded/ ) ) { - $ZoneLoaded{$Zone}++; - } elsif ( ($Zone) = ( $ThisLine =~ /secondary zone \"(.+)\" loaded/ ) ) { - $ZoneLoaded{"secondary $Zone"}++; - } elsif ( ($Zone) = ( $ThisLine =~ /slave zone \"(.+)\" .* loaded/ ) ) { - $ZoneLoaded{"secondary $Zone"}++; - } elsif ( ($Zone) = ( $ThisLine =~ /zone (.+)\: loaded serial/ ) ) { - $ZoneLoaded{$Zone}++; - } elsif ( (undef,$Addr,undef,$Server) = ( $ThisLine =~ /ame server (on|resolving) '(.+)' \(in .+\):\s+(\[.+\]\.\d+)?\s*'?(.+)'?:?/ ) ) { - $LameServer{"$Addr ($Server)"}++; - } elsif ( ($Zone) = ( $ThisLine =~ /Zone \"(.+)\" was removed/ ) ) { - $ZoneRemoved{$Zone}++; - } elsif ( ($Zone) = ( $ThisLine =~ /received notify for zone '(.*)'/ ) ) { - $ZoneReceivedNotify{$Zone}++; - } elsif ( ($Zone) = ( $ThisLine =~ /zone (.*): notify from .* up to date/ ) ) { - $ZoneReceivedNotify{$Zone}++; - } elsif ( ($Host) = ( $ThisLine =~ /([^ ]+) has CNAME and other data \(invalid\)/ ) ) { - push @CNAMEAndOther, $Host; - } elsif ( ($File,$Line,$Entry,$Error) = ( $ThisLine =~ /dns_master_load: ([^:]+):(\d+): ([^ ]+): 
(.+)$/ ) ) { - $ZoneFileErrors{$File}{"$Entry: $Error"}++; - } elsif ( ($File,$Line,$Entry,$Error) = ( $ThisLine =~ /warning: ([^:]+):(\d+): (.+)$/ ) ) { - $ZoneFileErrors{$File}{"file does not end with newline: $Error"}++; - } elsif ( ($Way,$Host) = ( $ThisLine =~ /([^ ]+): sendto\(\[([^ ]+)\].+\): Network is unreachable/ ) ) { - $FullHost = LookupIP ($Host); - $NetworkUnreachable{$Way}{$FullHost}++; - } elsif ( ($Zone,$Message) = ( $ThisLine =~ /client [^\#]+#[^\:]+: (?:view \w+: )?updating zone '([^\:]+)': (.*)$/ ) ) { - $ZoneUpdates{$Zone}{$Message}++; - } elsif ( ($Host,$Zone) = ( $ThisLine =~ /approved AXFR from \[(.+)\]\..+ for \"(.+)\"/ ) ) { - $FullHost = LookupIP ($Host); - $AXFR{$Zone}{$FullHost}++; - } elsif ( ($Client) = ( $ThisLine =~ /warning: client (.*) no more TCP clients/ ) ) { - $FullClient = LookupIP ($Client); - $DeniedTCPClient{$FullClient}++; - } elsif ( ($Client) = ( $ThisLine =~ /client (.*)#\d+: query \(cache\) denied/ ) ) { - $FullClient = LookupIP ($Client); - $DeniedQuery{$FullClient}++; - } elsif ( ($Rhost, $Ldom) = ($ThisLine =~ /client ([\d\.]+)#\d+: update '(.*)' denied/)) { - $UpdateDenied{"$Rhost ($Ldom)"}++; - } elsif ( ($Zone) = ($ThisLine =~ /zone '([0-9a-zA-Z.-]+)' allows updates by IP address, which is insecure/)) { - $InsecUpdate{$Zone}++; - } elsif ( ($Zone) = ($ThisLine =~ /zone ([0-9a-zA-Z.\/-]+): journal rollforward failed: journal out of sync with zone/)) { - $JournalFail{$Zone}++; - } elsif ( ($Channel,$Reason) = ($ThisLine =~ /couldn't add command channel (.+#\d+): (.*)$/)) { - $ChannelAddFail{$Channel}{$Reason}++; - } elsif ( ($Zone,$Host,$Reason) = ($ThisLine =~ /zone ([^ ]*)\/IN: refresh: failure trying master ([^ ]*)#\d+: (.*)/) ) { - $MasterFailure{"$Zone from $Host"}{$Reason}++; - } elsif ( ($Zone) = ($ThisLine =~ /zone ([^\/]+)\/.+: refresh: non-authoritative answer from master/)) { - $NonAuthoritative{$Zone}++; - } elsif ( ($ThisLine =~ /unexpected RCODE \((.*)\) resolving/) ){ - $UnexpRCODE{$1}++; - } elsif 
( ($ThisLine =~ /FORMERR resolving '[^ ]+: [0-9.#]+/) ) { - chomp($ThisLine); - $FormErr{$ThisLine}++; - } elsif ( ($ThisLine =~ /found [0-9]* CPU(s)?, using [0-9]* worker thread(s)?/) ) { - chomp($ThisLine); - $StartLog{$ThisLine}++; - } elsif ( (($File,$Line,$Problem) = ($ThisLine =~ /\/etc\/(rndc.key|named.conf):([0-9]+): (unknown option '[^ ]*')/)) or - (($File,$Line,$Problem) = ($ThisLine =~ /\/etc\/(rndc.key|named.conf):([0-9]+): ('[^ ]' expected near end of file)/)) or - (($File,$Line,$Problem) = ($ThisLine =~ /\/etc\/(named.*.conf):([0-9]+): (.*)/)) or - (($File,$Line,$Problem) = ($ThisLine =~ /()()(could not configure root hints from '.*': file not found)/))) { - $ConfProb{$File}{"$Line,$Problem"}++; - } elsif ( (($ErrorText) = ($ThisLine =~ /^(RUNTIME_CHECK.*)/))or - (($ErrorText) = ($ThisLine =~ /^(.* REQUIRE.* failed.*)$/)) or - (($ErrorText) = ($ThisLine =~ /(.*: fatal error)/)) ) { - $NError{$ErrorText}++; - } elsif ( ($From,$Log) = ($ThisLine =~ /invalid command from ([.0-9]*)#[0-9]*: (.*)/) ) { - $CCMessages{"$From,$Log"}++; - } elsif ( (($Log) = ($ThisLine =~ /(freezing .*zone.*)/)) or - (($Log) = ($ThisLine =~ /(thawing .*zone.*)/)) ) { - $CCMessages2{$Log}++; - } elsif (($CCC) = ($ThisLine =~ /unknown control channel command '(.*)'/)) { - $UnknownCCCommands{$CCC}++; - } elsif (($CCC) = ($ThisLine =~ /received control channel command '(.*)'/)) { - $CCCommands{$CCC}++; - } elsif (($Name,$Address) = ($ThisLine =~ /network unreachable resolving '(.*)': (.*)/)) { - $NUR{$Name}{$Address}++; - } elsif (($Name,$Address) = ($ThisLine =~ /host unreachable resolving '(.*)': (.*)/)) { - $HUR{$Name}{$Address}++; - } else { - # Report any unmatched entries... 
- # remove PID from named messages - $ThisLine =~ s/(client [.0-9]+)\S+/$1/; - chomp($ThisLine); - $OtherList{$ThisLine}++; - } -} - -####################################### - -if ( ( $Detail >= 5 ) and ($StartNamed) ) { - print "Named started: $StartNamed Time(s)\n"; -} - -if ( ( $Detail >= 5 ) and ($ReloadNamed) ) { - print "Named reloaded: $ReloadNamed Time(s)\n"; -} - -if ( ( $Detail >= 5 ) and ($ShutdownNamed) ) { - print "Named shutdown: $ShutdownNamed Time(s)\n"; -} - -if ( ( $Detail >= 5 ) and (keys %ZoneLoaded) ) { - print "\nLoaded Zones:\n"; - foreach $ThisOne (sort {$a cmp $b} keys %ZoneLoaded) { - print " $ThisOne: $ZoneLoaded{$ThisOne} Time(s)\n"; - } -} - -if ( ( $Detail >= 5 ) and (keys %ZoneReceivedNotify) ) { - print "\nZones receiving notify:\n"; - foreach $ThisOne (sort {$a cmp $b} keys %ZoneReceivedNotify) { - print " $ThisOne: $ZoneReceivedNotify{$ThisOne} Time(s)\n"; - } -} - -if ( ($Detail >= 5) and (keys %ChannelAddFail) ) { - print "\nCan't add command channel:\n"; - foreach $Channel (sort {$a cmp $b} keys %ChannelAddFail) { - print " $Channel:\n"; - foreach $Reason (sort {$a cmp $b} keys %{$ChannelAddFail{$Channel}}) { - print " $Reason: $ChannelAddFail{$Channel}{$Reason} Time(s)\n"; - } - } -} - -if ( ($Detail >= 5) and (keys %MasterFailure) ) { - print "\nFailure trying to refresh zone:\n"; - foreach $Zone (sort {$a cmp $b} keys %MasterFailure) { - print " $Zone:\n"; - foreach $Reason (sort {$a cmp $b} keys %{$MasterFailure{$Zone}}) { - print " $Reason: $MasterFailure{$Zone}{$Reason}++ Time(s)\n"; - } - } -} - -if ( ( $Detail >= 5 ) and (keys %DeniedZoneTransfers) ) { - print "\nDenied Zone Transfers:\n"; - foreach my $Host (keys %DeniedZoneTransfers) { - print " $Host:\n"; - foreach my $Zone (keys %{$DeniedZoneTransfers{$Host}}) { - print " $Zone: $DeniedZoneTransfers{$Host}{$Zone} Time(s)\n"; - } - print "\n"; - } -} - -if ( ( $Detail >= 5 ) and (keys %ZoneRemoved) ) { - print "\nRemoved Zones:\n"; - foreach $ThisOne (sort {$a cmp $b} 
keys %ZoneRemoved) {
- print " $ThisOne: $ZoneRemoved{$ThisOne} Time(s)\n";
- }
-}
-
-if ( ( $Detail >= 5 ) and (keys %AXFR) ) {
- print "\nZone Transfers:\n";
- foreach $ThisOne (keys %AXFR) {
- print " Zone: $ThisOne\n";
- foreach $Temp (keys %{$AXFR{$ThisOne}}) {
- print " by $Temp: $AXFR{$ThisOne}{$Temp} Time(s)\n";
- }
- }
-}
-
-if ( ( $Detail >= 5 ) and (keys %DeniedTCPClient) ) {
- print "\nno more TCP clients warning:\n";
- foreach $ThisOne (keys %DeniedTCPClient) {
- print " from $ThisOne: $DeniedTCPClient{$ThisOne} Time(s)\n";
- }
-}
-
-if ( ( $Detail >= 5 ) and (keys %DeniedQuery) ) {
- print "\nQueries (cache) that were denied:\n";
- foreach $ThisOne (keys %DeniedQuery) {
- print " from $ThisOne: $DeniedQuery{$ThisOne} Time(s)\n";
- }
-}
-
-if ( ( $Detail >= 10 ) and (@CNAMEAndOther) ) {
- print "\nThese hosts have CNAME and other data (invalid):\n";
- foreach $ThisOne (@CNAMEAndOther) {
- print " $ThisOne\n";
- }
-}
-
-if ( ( $Detail >= 5 ) and (keys %ZoneFileErrors) ) {
- print "\nSyntax errors in zone files:\n";
- for $File (keys %ZoneFileErrors) {
- print " $File\n";
- for $Error ( keys %{$ZoneFileErrors{$File}} ) {
- print " \"$Error\" " . $ZoneFileErrors{$File}{$Error} . " Time(s)\n";
- }
- }
-}
-
-if ( ( $Detail >= 10 ) and (keys %LameServer) ) {
- print "\nThese addresses had lame server references:\n";
- foreach $ThisOne (keys %LameServer) {
- print " $ThisOne: $LameServer{$ThisOne} Time(s)\n";
- }
-}
-
-if ( ( $Detail >= 10 ) and (keys %NonAuthoritative) ) {
- print "\nNon-authoritative answer from master for these zones:\n";
- foreach $ThisOne (keys %NonAuthoritative) {
- print " " . $ThisOne . ": " . $NonAuthoritative{$ThisOne} . 
" Time(s)\n"; - } -} - -if ( ( $Detail >= 10 ) and (keys %NetworkUnreachable) ) { - print "\nNetwork is unreachable for:\n"; - foreach $ThisOne (sort {$a cmp $b} keys %NetworkUnreachable) { - print " $ThisOne:\n"; - foreach $Host (sort {$a cmp $b} keys %{$NetworkUnreachable{$ThisOne}}) { - print " $Host: $NetworkUnreachable{$ThisOne}{$Host} Time(s)\n"; - } - } -} - -if ( ( $Detail >= 10 ) and (keys %NUR) ) { - print "\nNetwork unreachable resolving for:\n"; - foreach $ThisOne (sort {$a cmp $b} keys %NUR) { - print " $ThisOne:\n"; - foreach $Host (sort {$a cmp $b} keys %{$NUR{$ThisOne}}) { - print " $Host: $NUR{$ThisOne}{$Host} Time(s)\n"; - } - } -} - -if ( ( $Detail >= 10 ) and (keys %HUR) ) { - print "\nHost unreachable resolving for:\n"; - foreach $ThisOne (sort {$a cmp $b} keys %HUR) { - print " $ThisOne:\n"; - foreach $Host (sort {$a cmp $b} keys %{$HUR{$ThisOne}}) { - print " $Host: $HUR{$ThisOne}{$Host} Time(s)\n"; - } - } -} - -if ( ( $Detail >= 5 ) and (keys %ZoneUpdates) ) { - print "\nZone Updates:\n"; - foreach $ThisOne (sort {$a cmp $b} keys %ZoneUpdates) { - print " $ThisOne:\n"; - foreach $Message (sort {$a cmp $b} keys %{$ZoneUpdates{$ThisOne}}) { - print " $Message: $ZoneUpdates{$ThisOne}{$Message} Time(s)\n"; - } - } -} - -if ( keys %UpdateDenied ) { - print "\nZone update refused:\n"; - foreach $ThisOne (sort {$a cmp $b} keys %UpdateDenied) { - print " $ThisOne: $UpdateDenied{$ThisOne} Time(s)\n"; - } -} - -if ( keys %InsecUpdate ) { - print "\nInsecure zones (dynamic update allowed by IP address):\n"; - foreach $ThisOne (sort {$a cmp $b} keys %InsecUpdate) { - print " " . $ThisOne . ": " . $InsecUpdate{$ThisOne} . " Time(s)\n"; - } -} - -if ( keys %JournalFail ) { - print "\nJournall rollforward failed:\n"; - foreach $ThisOne (sort {$a cmp $b} keys %JournalFail) { - print " " . $ThisOne . ": " . $JournalFail{$ThisOne} . 
" Time(s)\n"; - } -} - -if (keys %ConfProb) { - print "\n Errors in configuration files\n"; - foreach $File (sort keys %ConfProb) { - if ($File =~ /.+/) { - print " file " . $File . "\n"; - foreach (keys %{$ConfProb{$File}}) { - ($Line,$Problem) = split ","; - print " " . $File . ":" . "$Line" . ": " . $Problem . ": " . $ConfProb{$File}{"$Line,$Problem"} . " Time(s)\n"; - } - } - else { - foreach (keys %{$ConfProb{$File}}) { - ($Line,$Problem) = split ","; - print " " . $Problem . ": " . $ConfProb{$File}{"$Line,$Problem"} . " Time(s)\n"; - } - } - } -} - -if (($Detail >= 5) and (keys %UnexpRCODE)) { - print "\n Unexpected DNS RCODEs:\n"; - foreach $ThisOne (keys %UnexpRCODE) { - print " " . $ThisOne . ": " . $UnexpRCODE{$ThisOne} . " Time(s)\n"; - } -} - -if (($Detail >= 5) and (keys %FormErr)) { - print "\n Incorrect response format:\n"; - foreach $ThisOne (keys %FormErr) { - print " " . $ThisOne . ": " . $FormErr{$ThisOne} . " Time(s)\n"; - } -} - -if (($Detail >= 10) and (keys %StartLog)) { - print "\n Named startup logs:\n"; - foreach $ThisOne (keys %StartLog) { - print " " . $ThisOne . ": " . $StartLog{$ThisOne} . " Time(s)\n"; - } -} - -if (keys %NError) { - print "\n Errors:\n"; - foreach $ThisOne (keys %NError) { - print " " . $ThisOne . ": " . $NError{$ThisOne} . " Time(s)\n"; - } -} - -if ((keys %CCMessages) or (keys %CCMessages2)){ - print "\n Messages from control channel\n"; - foreach (keys %CCMessages) { - ($From,$Log) = split ","; - print " " . $From . ": " . $Log . ": " . $CCMessages{"$From,$Log"} . " Time(s)\n"; - } - foreach $ThisOne (keys %CCMessages2) { - print " " . $ThisOne . ": " . $CCMessages2{$ThisOne} . " Time(s)\n"; - } -} - -if ((keys %CCCommands) or (keys %UnknownCCCommands)) { - print "\nReceived control channel commands\n"; - foreach $ThisOne (keys %CCCommands) { - print " " . $ThisOne . ": " . $CCCommands{$ThisOne} . " Time(s)\n"; - } - foreach $ThisOne (keys %UnknownCCCommands) { - print " " . $ThisOne . "(unknown command): " . 
$CCCommands{$ThisOne} . " Time(s)\n";
- }
-}
-
-if (keys %OtherList) {
- print "\n**Unmatched Entries**\n";
- foreach $line (sort {$a cmp $b} keys %OtherList) {
- print " $line: $OtherList{$line} Time(s)\n";
- }
-}
-
-exit(0);
-
-# vi: shiftwidth=3 tabstop=3 syntax=perl et
-
diff --git a/server/fedora/config/etc/mock/scripts-fc11-i386.cfg b/server/fedora/config/etc/mock/scripts-fc11-i386.cfg
deleted file mode 100644
index b453a3b8..00000000
--- a/server/fedora/config/etc/mock/scripts-fc11-i386.cfg
+++ /dev/null
@@ -1,44 +0,0 @@
-config_opts['root'] = 'fedora-11-i386'
-config_opts['target_arch'] = 'i586'
-config_opts['chroot_setup_cmd'] = 'groupinstall buildsys-build'
-config_opts['dist'] = 'fc11' # only useful for --resultdir variable subst
-
-config_opts['yum.conf'] = """
-[main]
-cachedir=/var/cache/yum
-debuglevel=1
-reposdir=/dev/null
-logfile=/var/log/yum.log
-retries=20
-obsoletes=1
-gpgcheck=0
-assumeyes=1
-
-# repos
-
-[fedora]
-name=fedora
-mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=fedora-11&arch=i386
-failovermethod=priority
-
-[updates-released]
-name=updates
-#mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=updates-released-f11&arch=i386
-baseurl=http://dl.fedoraproject.org/pub/fedora/linux/updates/11/i386/
-failovermethod=priority
-
-[local]
-name=local
-baseurl=file:///home/scripts-build/mock-local/
-cost=2000
-enabled=1
-
-[scripts]
-name=Scripts
-baseurl=http://web.mit.edu/scripts/yum-repos/rpm-fc11/
-enabled=1
-gpgcheck=0
-"""
-
-
-
diff --git a/server/fedora/config/etc/mock/scripts-fc11-x86_64.cfg b/server/fedora/config/etc/mock/scripts-fc11-x86_64.cfg
deleted file mode 100644
index b3e5dc7b..00000000
--- a/server/fedora/config/etc/mock/scripts-fc11-x86_64.cfg
+++ /dev/null
@@ -1,47 +0,0 @@
-config_opts['root'] = 'fedora-11-x86_64'
-config_opts['target_arch'] = 'x86_64'
-config_opts['chroot_setup_cmd'] = 'groupinstall buildsys-build'
-config_opts['dist'] = 'fc11' # only useful for --resultdir variable subst
-
-config_opts['yum.conf'] = """
-[main]
-cachedir=/var/cache/yum
-debuglevel=1
-reposdir=/dev/null
-logfile=/var/log/yum.log
-retries=20
-obsoletes=1
-gpgcheck=0
-assumeyes=1
-# grub/syslinux on x86_64 need glibc-devel.i386 which pulls in glibc.i386, need to exclude all
-# .i?86 packages except these.
-#exclude=[0-9A-Za-fh-z]*.i?86 g[0-9A-Za-km-z]*.i?86 gl[0-9A-Za-hj-z]*.i?86 gli[0-9A-Zac-z]*.i?86 glib[0-9A-Za-bd-z]*.i?86
-# The above is not needed anymore with yum multilib policy of "best" which is the default in Fedora.
-
-# repos
-
-[fedora]
-name=fedora
-mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=fedora-11&arch=x86_64
-failovermethod=priority
-
-[updates-released]
-name=updates
-#mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=updates-released-f11&arch=x86_64
-baseurl=http://dl.fedoraproject.org/pub/fedora/linux/updates/11/x86_64/
-failovermethod=priority
-
-[local]
-name=local
-baseurl=file:///home/scripts-build/mock-local/
-cost=2000
-enabled=1
-
-[scripts]
-name=Scripts
-baseurl=http://web.mit.edu/scripts/yum-repos/rpm-fc11/
-enabled=1
-gpgcheck=0
-"""
-
-
diff --git a/server/fedora/config/etc/mock/scripts-fc13-i386.cfg b/server/fedora/config/etc/mock/scripts-fc13-i386.cfg
deleted file mode 100644
index 73a0ee16..00000000
--- a/server/fedora/config/etc/mock/scripts-fc13-i386.cfg
+++ /dev/null
@@ -1,40 +0,0 @@
-config_opts['root'] = 'fedora-13-i386'
-config_opts['target_arch'] = 'i686'
-config_opts['chroot_setup_cmd'] = 'groupinstall buildsys-build'
-config_opts['dist'] = 'fc13' # only useful for --resultdir variable subst
-
-config_opts['yum.conf'] = """
-[main]
-cachedir=/var/cache/yum
-debuglevel=1
-reposdir=/dev/null
-logfile=/var/log/yum.log
-retries=20
-obsoletes=1
-gpgcheck=0
-assumeyes=1
-
-# repos
-
-[fedora]
-name=fedora
-mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=fedora-13&arch=i386
-failovermethod=priority
-
-[updates-released]
-name=updates
-baseurl=http://dl.fedoraproject.org/pub/fedora/linux/updates/13/i386/
-failovermethod=priority
-
-[local]
-name=local
-baseurl=file:///home/scripts-build/mock-local/
-cost=2000
-enabled=1
-
-[scripts]
-name=Scripts
-baseurl=http://web.mit.edu/scripts/yum-repos/rpm-fc13/
-enabled=1
-gpgcheck=0
-""" # end config_opts['yum.conf']
diff --git a/server/fedora/config/etc/mock/scripts-fc13-x86_64.cfg b/server/fedora/config/etc/mock/scripts-fc13-x86_64.cfg
deleted file mode 100644
index 8bb4049a..00000000
--- a/server/fedora/config/etc/mock/scripts-fc13-x86_64.cfg
+++ /dev/null
@@ -1,53 +0,0 @@
-config_opts['root'] = 'fedora-13-x86_64'
-config_opts['target_arch'] = 'x86_64'
-config_opts['chroot_setup_cmd'] = 'groupinstall buildsys-build'
-config_opts['dist'] = 'fc13' # only useful for --resultdir variable subst
-
-config_opts['yum.conf'] = """
-[main]
-cachedir=/var/cache/yum
-debuglevel=1
-reposdir=/dev/null
-logfile=/var/log/yum.log
-retries=20
-obsoletes=1
-gpgcheck=0
-assumeyes=1
-# grub/syslinux on x86_64 need glibc-devel.i386 which pulls in glibc.i386, need to exclude all
-# .i?86 packages except these.
-#exclude=[0-9A-Za-fh-z]*.i?86 g[0-9A-Za-km-z]*.i?86 gl[0-9A-Za-hj-z]*.i?86 gli[0-9A-Zac-z]*.i?86 glib[0-9A-Za-bd-z]*.i?86
-# The above is not needed anymore with yum multilib policy of "best" which is the default in Fedora.
-
-# repos
-
-[fedora]
-name=fedora
-mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=fedora-13&arch=x86_64
-failovermethod=priority
-
-[updates-released]
-name=updates
-#mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=updates-released-f13&arch=x86_64
-baseurl=http://dl.fedoraproject.org/pub/fedora/linux/updates/13/x86_64/
-failovermethod=priority
-
-[updates-testing]
-name=updates-testing
-baseurl=http://dl.fedoraproject.org/pub/fedora/linux/updates/testing/13/x86_64/
-failovermethod=priority
-enabled=0
-
-[local]
-name=local
-baseurl=file:///home/scripts-build/mock-local/
-cost=2000
-enabled=1
-
-[scripts]
-name=Scripts
-baseurl=http://web.mit.edu/scripts/yum-repos/rpm-fc13/
-enabled=1
-gpgcheck=0
-"""
-
-
diff --git a/server/fedora/config/etc/mock/scripts-fc15-i386.cfg b/server/fedora/config/etc/mock/scripts-fc15-i386.cfg
deleted file mode 100644
index 876a086e..00000000
--- a/server/fedora/config/etc/mock/scripts-fc15-i386.cfg
+++ /dev/null
@@ -1,44 +0,0 @@
-config_opts['root'] = 'fedora-15-i386'
-config_opts['target_arch'] = 'i686'
-config_opts['legal_host_arches'] = ('i386', 'i586', 'i686', 'x86_64')
-config_opts['chroot_setup_cmd'] = 'groupinstall buildsys-build'
-config_opts['dist'] = 'fc15' # only useful for --resultdir variable subst
-
-config_opts['yum.conf'] = """
-[main]
-cachedir=/var/cache/yum
-debuglevel=1
-reposdir=/dev/null
-logfile=/var/log/yum.log
-retries=20
-obsoletes=1
-gpgcheck=0
-assumeyes=1
-syslog_ident=mock
-syslog_device=
-
-# repos
-
-[fedora]
-name=fedora
-mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=fedora-15&arch=i386
-failovermethod=priority
-
-[updates-released]
-name=updates
-#mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=updates-released-f15&arch=i386
-baseurl=http://dl.fedoraproject.org/pub/fedora/linux/updates/15/i386/
-failovermethod=priority
-
-[local]
-name=local
-baseurl=file:///home/scripts-build/mock-local/
-cost=2000
-enabled=1
-
-[scripts]
-name=Scripts
-baseurl=http://web.mit.edu/scripts/yum-repos/rpm-fc15/
-enabled=1
-gpgcheck=0
-"""
diff --git a/server/fedora/config/etc/mock/scripts-fc15-x86_64.cfg b/server/fedora/config/etc/mock/scripts-fc15-x86_64.cfg
deleted file mode 100644
index d9450fea..00000000
--- a/server/fedora/config/etc/mock/scripts-fc15-x86_64.cfg
+++ /dev/null
@@ -1,48 +0,0 @@
-config_opts['root'] = 'fedora-15-x86_64'
-config_opts['target_arch'] = 'x86_64'
-config_opts['legal_host_arches'] = ('x86_64')
-config_opts['chroot_setup_cmd'] = 'groupinstall buildsys-build'
-config_opts['dist'] = 'fc15' # only useful for --resultdir variable subst
-
-config_opts['yum.conf'] = """
-[main]
-cachedir=/var/cache/yum
-debuglevel=1
-reposdir=/dev/null
-logfile=/var/log/yum.log
-retries=20
-obsoletes=1
-gpgcheck=0
-assumeyes=1
-syslog_ident=mock
-syslog_device=
-# grub/syslinux on x86_64 need glibc-devel.i386 which pulls in glibc.i386, need to exclude all
-# .i?86 packages except these.
-#exclude=[0-9A-Za-fh-z]*.i?86 g[0-9A-Za-km-z]*.i?86 gl[0-9A-Za-hj-z]*.i?86 gli[0-9A-Zac-z]*.i?86 glib[0-9A-Za-bd-z]*.i?86
-# The above is not needed anymore with yum multilib policy of "best" which is the default in Fedora.
-
-# repos
-
-[fedora]
-name=fedora
-mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=fedora-15&arch=x86_64
-failovermethod=priority
-
-[updates-released]
-name=updates
-#mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=updates-released-f15&arch=x86_64
-baseurl=http://dl.fedoraproject.org/pub/fedora/linux/updates/15/x86_64/
-failovermethod=priority
-
-[local]
-name=local
-baseurl=file:///home/scripts-build/mock-local/
-cost=2000
-enabled=1
-
-[scripts]
-name=Scripts
-baseurl=http://web.mit.edu/scripts/yum-repos/rpm-fc15/
-enabled=1
-gpgcheck=0
-"""
diff --git a/server/fedora/config/etc/mock/scripts-fc17-i386.cfg b/server/fedora/config/etc/mock/scripts-fc17-i386.cfg
deleted file mode 100644
index 91240357..00000000
--- a/server/fedora/config/etc/mock/scripts-fc17-i386.cfg
+++ /dev/null
@@ -1,47 +0,0 @@
-config_opts['root'] = 'fedora-17-i386'
-config_opts['target_arch'] = 'i686'
-config_opts['legal_host_arches'] = ('i386', 'i586', 'i686', 'x86_64')
-config_opts['chroot_setup_cmd'] = 'groupinstall buildsys-build'
-config_opts['dist'] = 'fc17' # only useful for --resultdir variable subst
-
-config_opts['yum.conf'] = """
-[main]
-cachedir=/var/cache/yum
-debuglevel=1
-reposdir=/dev/null
-logfile=/var/log/yum.log
-retries=20
-obsoletes=1
-gpgcheck=0
-assumeyes=1
-syslog_ident=mock
-syslog_device=
-
-# repos
-
-[fedora]
-name=fedora
-#mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=fedora-17&arch=i386
-#baseurl=http://dl.fedoraproject.org/pub/fedora/linux/releases/17/Everything/i386/os/
-baseurl=http://archives.fedoraproject.org/pub/archive/fedora/linux/releases/17/Everything/i386/os/
-failovermethod=priority
-
-[updates-released]
-name=updates
-#mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=updates-released-f17&arch=i386
-#baseurl=http://dl.fedoraproject.org/pub/fedora/linux/updates/17/i386/
-baseurl=http://archives.fedoraproject.org/pub/archive/fedora/linux/updates/17/i386/
-failovermethod=priority
-
-[local]
-name=local
-baseurl=file:///home/scripts-build/mock-local/
-cost=2000
-enabled=1
-
-[scripts]
-name=Scripts
-baseurl=http://web.mit.edu/scripts/yum-repos/rpm-fc17/
-enabled=1
-gpgcheck=0
-"""
diff --git a/server/fedora/config/etc/mock/scripts-fc17-x86_64.cfg b/server/fedora/config/etc/mock/scripts-fc17-x86_64.cfg
deleted file mode 100644
index 11ee88ba..00000000
--- a/server/fedora/config/etc/mock/scripts-fc17-x86_64.cfg
+++ /dev/null
@@ -1,51 +0,0 @@
-config_opts['root'] = 'fedora-17-x86_64'
-config_opts['target_arch'] = 'x86_64'
-config_opts['legal_host_arches'] = ('x86_64')
-config_opts['chroot_setup_cmd'] = 'groupinstall buildsys-build'
-config_opts['dist'] = 'fc17' # only useful for --resultdir variable subst
-
-config_opts['yum.conf'] = """
-[main]
-cachedir=/var/cache/yum
-debuglevel=1
-reposdir=/dev/null
-logfile=/var/log/yum.log
-retries=20
-obsoletes=1
-gpgcheck=0
-assumeyes=1
-syslog_ident=mock
-syslog_device=
-# grub/syslinux on x86_64 need glibc-devel.i386 which pulls in glibc.i386, need to exclude all
-# .i?86 packages except these.
-#exclude=[0-9A-Za-fh-z]*.i?86 g[0-9A-Za-km-z]*.i?86 gl[0-9A-Za-hj-z]*.i?86 gli[0-9A-Zac-z]*.i?86 glib[0-9A-Za-bd-z]*.i?86
-# The above is not needed anymore with yum multilib policy of "best" which is the default in Fedora.
-
-# repos
-
-[fedora]
-name=fedora
-#mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=fedora-17&arch=x86_64
-#baseurl=http://dl.fedoraproject.org/pub/fedora/linux/releases/17/Everything/x86_64/os/
-baseurl=http://archives.fedoraproject.org/pub/archive/fedora/linux/releases/17/Everything/x86_64/os/
-failovermethod=priority
-
-[updates-released]
-name=updates
-#mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=updates-released-f17&arch=x86_64
-#baseurl=http://dl.fedoraproject.org/pub/fedora/linux/updates/17/x86_64/
-baseurl=http://archives.fedoraproject.org/pub/archive/fedora/linux/updates/17/x86_64/
-failovermethod=priority
-
-[local]
-name=local
-baseurl=file:///home/scripts-build/mock-local/
-cost=2000
-enabled=1
-
-[scripts]
-name=Scripts
-baseurl=http://web.mit.edu/scripts/yum-repos/rpm-fc17/
-enabled=1
-gpgcheck=0
-"""
diff --git a/server/fedora/config/etc/mock/scripts-fc19-i386.cfg b/server/fedora/config/etc/mock/scripts-fc19-i386.cfg
deleted file mode 100644
index 98786e24..00000000
--- a/server/fedora/config/etc/mock/scripts-fc19-i386.cfg
+++ /dev/null
@@ -1,69 +0,0 @@
-config_opts['root'] = 'fedora-19-i386'
-config_opts['target_arch'] = 'i686'
-config_opts['legal_host_arches'] = ('i386', 'i586', 'i686', 'x86_64')
-config_opts['chroot_setup_cmd'] = 'groupinstall buildsys-build'
-config_opts['dist'] = 'fc19' # only useful for --resultdir variable subst
-
-config_opts['yum.conf'] = """
-[main]
-cachedir=/var/cache/yum
-debuglevel=1
-reposdir=/dev/null
-logfile=/var/log/yum.log
-retries=20
-obsoletes=1
-gpgcheck=0
-assumeyes=1
-syslog_ident=mock
-syslog_device=
-
-# repos
-
-[fedora]
-name=fedora
-mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=fedora-19&arch=i386
-#baseurl=http://dl.fedoraproject.org/pub/fedora/linux/releases/19/Everything/i386/os/
-failovermethod=priority
-
-[updates]
-name=updates
-mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=updates-released-f19&arch=i386
-#baseurl=http://dl.fedoraproject.org/pub/fedora/linux/updates/19/i386/
-failovermethod=priority
-
-[updates-testing]
-name=updates-testing
-mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=updates-testing-f19&arch=i386
-failovermethod=priority
-enabled=0
-
-[local]
-name=local
-baseurl=file:///home/scripts-build/mock-local/
-cost=2000
-enabled=1
-
-[scripts]
-name=Scripts
-baseurl=http://web.mit.edu/scripts/yum-repos/rpm-fc19/
-enabled=1
-gpgcheck=0
-
-[fedora-debuginfo]
-name=fedora-debuginfo
-mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=fedora-debug-19&arch=i386
-failovermethod=priority
-enabled=0
-
-[updates-debuginfo]
-name=updates-debuginfo
-mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=updates-released-debug-f19&arch=i386
-failovermethod=priority
-enabled=0
-
-[updates-testing-debuginfo]
-name=updates-testing-debuginfo
-mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=updates-testing-debug-f19&arch=i386
-failovermethod=priority
-enabled=0
-"""
diff --git a/server/fedora/config/etc/mock/scripts-fc19-x86_64.cfg b/server/fedora/config/etc/mock/scripts-fc19-x86_64.cfg
deleted file mode 100644
index 94a54741..00000000
--- a/server/fedora/config/etc/mock/scripts-fc19-x86_64.cfg
+++ /dev/null
@@ -1,69 +0,0 @@
-config_opts['root'] = 'fedora-19-x86_64'
-config_opts['target_arch'] = 'x86_64'
-config_opts['legal_host_arches'] = ('x86_64',)
-config_opts['chroot_setup_cmd'] = 'groupinstall buildsys-build'
-config_opts['dist'] = 'fc19' # only useful for --resultdir variable subst
-
-config_opts['yum.conf'] = """
-[main]
-cachedir=/var/cache/yum
-debuglevel=1
-reposdir=/dev/null
-logfile=/var/log/yum.log
-retries=20
-obsoletes=1
-gpgcheck=0
-assumeyes=1
-syslog_ident=mock
-syslog_device=
-
-# repos
-
-[fedora]
-name=fedora
-mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=fedora-19&arch=x86_64
-#baseurl=http://dl.fedoraproject.org/pub/fedora/linux/releases/19/Everything/x86_64/os/
-failovermethod=priority
-
-[updates]
-name=updates
-mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=updates-released-f19&arch=x86_64
-#baseurl=http://dl.fedoraproject.org/pub/fedora/linux/updates/19/x86_64/
-failovermethod=priority
-
-[updates-testing]
-name=updates-testing
-mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=updates-testing-f19&arch=x86_64
-failovermethod=priority
-enabled=0
-
-[local]
-name=local
-baseurl=file:///home/scripts-build/mock-local/
-cost=2000
-enabled=1
-
-[scripts]
-name=Scripts
-baseurl=http://web.mit.edu/scripts/yum-repos/rpm-fc19/
-enabled=1
-gpgcheck=0
-
-[fedora-debuginfo]
-name=fedora-debuginfo
-mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=fedora-debug-19&arch=x86_64
-failovermethod=priority
-enabled=0
-
-[updates-debuginfo]
-name=updates-debuginfo
-mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=updates-released-debug-f19&arch=x86_64
-failovermethod=priority
-enabled=0
-
-[updates-testing-debuginfo]
-name=updates-testing-debuginfo
-mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=updates-testing-debug-f19&arch=x86_64
-failovermethod=priority
-enabled=0
-"""
diff --git a/server/fedora/config/etc/mock/scripts-fc20-i386.cfg b/server/fedora/config/etc/mock/scripts-fc20-i386.cfg
deleted file mode 100644
index 8b9cf83c..00000000
--- a/server/fedora/config/etc/mock/scripts-fc20-i386.cfg
+++ /dev/null
@@ -1,71 +0,0 @@
-config_opts['root'] = 'fedora-20-i386'
-config_opts['target_arch'] = 'i686'
-config_opts['legal_host_arches'] = ('i386', 'i586', 'i686', 'x86_64')
-config_opts['chroot_setup_cmd'] = 'install @buildsys-build'
-config_opts['dist'] = 'fc20' # only useful for --resultdir variable subst
-config_opts['extra_chroot_dirs'] = [ '/run/lock', ]
-config_opts['releasever'] = '20'
-
-config_opts['yum.conf'] = """
-[main]
-cachedir=/var/cache/yum
-debuglevel=1
-reposdir=/dev/null
-logfile=/var/log/yum.log
-retries=20
-obsoletes=1
-gpgcheck=0
-assumeyes=1
-syslog_ident=mock
-syslog_device=
-
-# repos
-
-[fedora]
-name=fedora
-mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=fedora-20&arch=i386
-#baseurl=http://dl.fedoraproject.org/pub/fedora/linux/releases/20/Everything/i386/os/
-failovermethod=priority
-
-[updates]
-name=updates
-mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=updates-released-f20&arch=i386
-#baseurl=http://dl.fedoraproject.org/pub/fedora/linux/updates/20/i386/
-failovermethod=priority
-
-[updates-testing]
-name=updates-testing
-mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=updates-testing-f20&arch=i386
-failovermethod=priority
-enabled=0
-
-[local]
-name=local
-baseurl=file:///home/scripts-build/mock-local/
-cost=2000
-enabled=1
-
-[scripts]
-name=Scripts
-baseurl=http://web.mit.edu/scripts/yum-repos/rpm-fc20/
-enabled=1
-gpgcheck=0
-
-[fedora-debuginfo]
-name=fedora-debuginfo
-mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=fedora-debug-20&arch=i386
-failovermethod=priority
-enabled=0
-
-[updates-debuginfo]
-name=updates-debuginfo
-mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=updates-released-debug-f20&arch=i386
-failovermethod=priority
-enabled=0
-
-[updates-testing-debuginfo]
-name=updates-testing-debuginfo
-mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=updates-testing-debug-f20&arch=i386
-failovermethod=priority
-enabled=0
-"""
diff --git a/server/fedora/config/etc/mock/scripts-fc20-x86_64.cfg b/server/fedora/config/etc/mock/scripts-fc20-x86_64.cfg
deleted file mode 100644
index d056655f..00000000
--- a/server/fedora/config/etc/mock/scripts-fc20-x86_64.cfg
+++ /dev/null
@@ -1,71 +0,0 @@
-config_opts['root'] = 'fedora-20-x86_64'
-config_opts['target_arch'] = 'x86_64'
-config_opts['legal_host_arches'] = ('x86_64',)
-config_opts['chroot_setup_cmd'] = 'install @buildsys-build'
-config_opts['dist'] = 'fc20' # only useful for --resultdir variable subst
-config_opts['extra_chroot_dirs'] = [ '/run/lock', ]
-config_opts['releasever'] = '20'
-
-config_opts['yum.conf'] = """
-[main]
-cachedir=/var/cache/yum
-debuglevel=1
-reposdir=/dev/null
-logfile=/var/log/yum.log
-retries=20
-obsoletes=1
-gpgcheck=0
-assumeyes=1
-syslog_ident=mock
-syslog_device=
-
-# repos
-
-[fedora]
-name=fedora
-mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=fedora-20&arch=x86_64
-#baseurl=http://dl.fedoraproject.org/pub/fedora/linux/releases/20/Everything/x86_64/os/
-failovermethod=priority
-
-[updates]
-name=updates
-mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=updates-released-f20&arch=x86_64
-#baseurl=http://dl.fedoraproject.org/pub/fedora/linux/updates/20/x86_64/
-failovermethod=priority
-
-[updates-testing]
-name=updates-testing
-mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=updates-testing-f20&arch=x86_64
-failovermethod=priority
-enabled=0
-
-[local]
-name=local
-baseurl=file:///home/scripts-build/mock-local/
-cost=2000
-enabled=1
-
-[scripts]
-name=Scripts
-baseurl=http://web.mit.edu/scripts/yum-repos/rpm-fc20/
-enabled=1
-gpgcheck=0
-
-[fedora-debuginfo]
-name=fedora-debuginfo
-mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=fedora-debug-20&arch=x86_64
-failovermethod=priority
-enabled=0
-
-[updates-debuginfo]
-name=updates-debuginfo
-mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=updates-released-debug-f20&arch=x86_64
-failovermethod=priority
-enabled=0
-
-[updates-testing-debuginfo]
-name=updates-testing-debuginfo
-mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=updates-testing-debug-f20&arch=x86_64
-failovermethod=priority
-enabled=0
-"""
diff --git a/server/fedora/config/etc/mock/scripts-fc27-x86_64.cfg b/server/fedora/config/etc/mock/scripts-fc27-x86_64.cfg
deleted file mode 100644
index 1363b17d..00000000
--- a/server/fedora/config/etc/mock/scripts-fc27-x86_64.cfg
+++ /dev/null
@@ -1,71 +0,0 @@
-config_opts['root'] = 'fedora-27-x86_64'
-config_opts['target_arch'] = 'x86_64'
-config_opts['legal_host_arches'] = ('x86_64',)
-config_opts['chroot_setup_cmd'] = 'install @buildsys-build'
-config_opts['dist'] = 'fc27' # only useful for --resultdir variable subst
-config_opts['extra_chroot_dirs'] = [ '/run/lock', ]
-config_opts['releasever'] = '27'
-
-config_opts['yum.conf'] = """
-[main]
-cachedir=/var/cache/yum
-debuglevel=1
-reposdir=/dev/null
-logfile=/var/log/yum.log
-retries=20
-obsoletes=1
-gpgcheck=0
-assumeyes=1
-syslog_ident=mock
-syslog_device=
-
-# repos
-
-[fedora]
-name=fedora
-mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=fedora-27&arch=x86_64
-#baseurl=http://dl.fedoraproject.org/pub/fedora/linux/releases/27/Everything/x86_64/os/
-failovermethod=priority
-
-[updates]
-name=updates
-mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=updates-released-f27&arch=x86_64
-#baseurl=http://dl.fedoraproject.org/pub/fedora/linux/updates/27/x86_64/
-failovermethod=priority
-
-[updates-testing]
-name=updates-testing
-mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=updates-testing-f27&arch=x86_64
-failovermethod=priority
-enabled=0
-
-[local]
-name=local
-baseurl=file:///home/scripts-build/mock-local/
-cost=2000
-enabled=1
-
-[scripts]
-name=Scripts
-baseurl=http://web.mit.edu/scripts/yum-repos/rpm-fc27/
-enabled=1
-gpgcheck=0
-
-[fedora-debuginfo]
-name=fedora-debuginfo
-mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=fedora-debug-27&arch=x86_64
-failovermethod=priority
-enabled=0
-
-[updates-debuginfo]
-name=updates-debuginfo
-mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=updates-released-debug-f27&arch=x86_64
-failovermethod=priority
-enabled=0
-
-[updates-testing-debuginfo]
-name=updates-testing-debuginfo
-mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=updates-testing-debug-f27&arch=x86_64
-failovermethod=priority
-enabled=0
-"""
diff --git a/server/fedora/config/etc/modules-load.d/binfmt_misc.conf b/server/fedora/config/etc/modules-load.d/binfmt_misc.conf
deleted file mode 100644
index bc5c5d3d..00000000
--- a/server/fedora/config/etc/modules-load.d/binfmt_misc.conf
+++ /dev/null
@@ -1 +0,0 @@
-binfmt_misc
diff --git a/server/fedora/config/etc/modules-load.d/fuse.conf b/server/fedora/config/etc/modules-load.d/fuse.conf
deleted file mode 100644
index a517c488..00000000
--- a/server/fedora/config/etc/modules-load.d/fuse.conf
+++ /dev/null
@@ -1 +0,0 @@
-fuse
diff --git a/server/fedora/config/etc/modules-load.d/iptables.conf b/server/fedora/config/etc/modules-load.d/iptables.conf
deleted file mode 100644
index b8c5696f..00000000
--- a/server/fedora/config/etc/modules-load.d/iptables.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-nf_log_ipv4
-xt_LOG
-xt_owner
-ip6_tables
-ip6table_filter
-ip6t_REJECT
-nf_log_ipv6
-ipt_MARK
-ipt_dscp
diff --git a/server/fedora/config/etc/munin/apache-htpasswd b/server/fedora/config/etc/munin/apache-htpasswd
deleted file mode 100644
index 25776dd9..00000000
--- a/server/fedora/config/etc/munin/apache-htpasswd
+++ /dev/null
@@ -1,2 +0,0 @@
-munin:$apr1$OHrCw...$YROR8zbWmgxWL9netgXGi.
-geofft:AvCSyg9e75YZM
diff --git a/server/fedora/config/etc/munin/munin-node.conf b/server/fedora/config/etc/munin/munin-node.conf
deleted file mode 100644
index 7d025cac..00000000
--- a/server/fedora/config/etc/munin/munin-node.conf
+++ /dev/null
@@ -1,44 +0,0 @@
-#
-# Example config-file for munin-node
-#
-
-log_level 4
-log_file /var/log/munin-node/munin-node.log
-pid_file /var/run/munin/munin-node.pid
-
-background 1
-setseid 1
-
-user munin
-group munin
-setsid yes
-
-# Regexps for files to ignore
-
-ignore_file ~$
-ignore_file \.bak$
-ignore_file %$
-ignore_file \.dpkg-(tmp|new|old|dist)$
-ignore_file \.rpm(save|new)$
-ignore_file \.pod$
-
-# Set this if the client doesn't report the correct hostname when
-# telnetting to localhost, port 4949
-#
-#host_name x86-3.fedora.phx.redhat.com
-
-# A list of addresses that are allowed to connect. This must be a
-# regular expression, due to brain damage in Net::Server, which
-# doesn't understand CIDR-style network notation. You may repeat
-# the allow line as many times as you'd like
-
-allow ^127\.0\.0\.1$
-allow ^18\.4\.60\.65$
-
-# Which address to bind to;
-host *
-# host 127.0.0.1
-
-# And which port
-port 4949
-
diff --git a/server/fedora/config/etc/munin/plugin-conf.d/apache_accesses b/server/fedora/config/etc/munin/plugin-conf.d/apache_accesses
deleted file mode 100644
index 8bf13796..00000000
--- a/server/fedora/config/etc/munin/plugin-conf.d/apache_accesses
+++ /dev/null
@@ -1,2 +0,0 @@
-[apache_accesses]
-env.url http://munin:SsQWsHZWU5OJJOob78pD3UbxKu42Ka9ExGx9zYmvrWE1O5PCq4sBWJsQaJENi4R@127.0.0.1:%d/server-status/?auto
diff --git a/server/fedora/config/etc/munin/plugin-conf.d/apache_processes b/server/fedora/config/etc/munin/plugin-conf.d/apache_processes
deleted file mode 100644
index 1fc5888a..00000000
--- a/server/fedora/config/etc/munin/plugin-conf.d/apache_processes
+++ /dev/null
@@ -1,2 +0,0 @@
-[apache_processes]
-env.url http://munin:SsQWsHZWU5OJJOob78pD3UbxKu42Ka9ExGx9zYmvrWE1O5PCq4sBWJsQaJENi4R@127.0.0.1:%d/server-status/?auto
diff --git a/server/fedora/config/etc/munin/plugin-conf.d/apache_volume b/server/fedora/config/etc/munin/plugin-conf.d/apache_volume
deleted file mode 100644
index 6e585ae7..00000000
--- a/server/fedora/config/etc/munin/plugin-conf.d/apache_volume
+++ /dev/null
@@ -1,2 +0,0 @@
-[apache_volume]
-env.url http://munin:SsQWsHZWU5OJJOob78pD3UbxKu42Ka9ExGx9zYmvrWE1O5PCq4sBWJsQaJENi4R@127.0.0.1:%d/server-status/?auto
diff --git a/server/fedora/config/etc/munin/plugin-conf.d/hddtemp_smartctl b/server/fedora/config/etc/munin/plugin-conf.d/hddtemp_smartctl
deleted file mode 100644
index 3a64b0d0..00000000
--- a/server/fedora/config/etc/munin/plugin-conf.d/hddtemp_smartctl
+++ /dev/null
@@ -1,4 +0,0 @@
-[hddtemp_smartctl]
-user root
-env.drives sda sdb
-command sudo -E %c
diff --git a/server/fedora/config/etc/munin/plugin-conf.d/munin-node b/server/fedora/config/etc/munin/plugin-conf.d/munin-node
deleted file mode 100644
index c9f68528..00000000
--- a/server/fedora/config/etc/munin/plugin-conf.d/munin-node
+++ /dev/null
@@ -1,46 +0,0 @@
-# This file is used to configure how the plugins are invoked.
-# Place in /etc/munin/plugin-conf.d/ or corresponding directory.
-#
-# PLEASE NOTE: Changes in the plugin-conf.d directory are only
-# read at munin-node startup, so restart at any changes.
-#
-# user # Set the user to run the plugin as
-# group # Set the group to run the plugin as
-# command # Run instead of the plugin. %c
-# expands to what would normally be run.
-# env. # Sets in the plugin's environment, see the
-# individual plugins to find out which variables they
-# care about.
-#
-#
-
-[mysql*]
-#env.mysqlopts -u someuser
-
-[exim*]
-group mail
-
-[cps*]
-user root
-
-[apt]
-user root
-
-[vlan*]
-user root
-
-[postfix*]
-user root
-
-[smart_*]
-user root
-command sudo %c
-
-[sensors_*]
-user root
-command sudo %c
-
-[if_*]
-user root
-command sudo -E %c
-env.PATH /usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin
diff --git a/server/fedora/config/etc/munin/plugin-conf.d/postfix b/server/fedora/config/etc/munin/plugin-conf.d/postfix
deleted file mode 100644
index 6c4ba9fa..00000000
--- a/server/fedora/config/etc/munin/plugin-conf.d/postfix
+++ /dev/null
@@ -1,5 +0,0 @@
-[postfix*]
-user root
-env.logfile maillog
-env.logdir /var/log
-command sudo -E %c
diff --git a/server/fedora/config/etc/munin/plugin-conf.d/sendmail b/server/fedora/config/etc/munin/plugin-conf.d/sendmail
deleted file mode 100644
index d65abf83..00000000
--- a/server/fedora/config/etc/munin/plugin-conf.d/sendmail
+++ /dev/null
@@ -1,4 +0,0 @@
-[sendmail*]
-user root
-env.mspqueue /var/spool/clientmqueue
-command sudo -E %c
diff --git a/server/fedora/config/etc/munin/plugins/apache_accesses b/server/fedora/config/etc/munin/plugins/apache_accesses
deleted file mode 120000
index bc2616bc..00000000
--- a/server/fedora/config/etc/munin/plugins/apache_accesses
+++ /dev/null
@@ -1 +0,0 @@
-/usr/share/munin/plugins/apache_accesses
\ No newline at end of file
diff --git a/server/fedora/config/etc/munin/plugins/apache_processes b/server/fedora/config/etc/munin/plugins/apache_processes
deleted file mode 120000
index 9db46af9..00000000
--- a/server/fedora/config/etc/munin/plugins/apache_processes
+++ /dev/null
@@ -1 +0,0 @@
-/usr/share/munin/plugins/apache_processes
\ No newline at end of file
diff --git a/server/fedora/config/etc/munin/plugins/apache_volume b/server/fedora/config/etc/munin/plugins/apache_volume
deleted file mode 120000
index 27d3bc5c..00000000
--- a/server/fedora/config/etc/munin/plugins/apache_volume
+++ /dev/null
@@ -1 +0,0 @@
-/usr/share/munin/plugins/apache_volume
\ No newline at end of file
diff --git a/server/fedora/config/etc/nagios/check_ldap_mmr b/server/fedora/config/etc/nagios/check_ldap_mmr
deleted file mode 100755
index 4930c341..00000000
--- a/server/fedora/config/etc/nagios/check_ldap_mmr
+++ /dev/null
@@ -1,4 +0,0 @@
-#!/bin/sh
-
-export USE_NEWLINES=1
-exec /usr/bin/sudo -u signup /etc/nagios/check_ldap_mmr.real
diff --git a/server/fedora/config/etc/nagios/nrpe.cfg b/server/fedora/config/etc/nagios/nrpe.cfg
deleted file mode 100644
index 31edbc11..00000000
--- a/server/fedora/config/etc/nagios/nrpe.cfg
+++ /dev/null
@@ -1,228 +0,0 @@
-#############################################################################
-# Sample NRPE Config File
-# Written by: Ethan Galstad (nagios@nagios.org)
-#
-# Last Modified: 11-23-2007
-#
-# NOTES:
-# This is a sample configuration file for the NRPE daemon. It needs to be
-# located on the remote host that is running the NRPE daemon, not the host
-# from which the check_nrpe client is being executed.
-#############################################################################
-
-
-# LOG FACILITY
-# The syslog facility that should be used for logging purposes.
-
-log_facility=daemon
-
-
-
-# PID FILE
-# The name of the file in which the NRPE daemon should write it's process ID
-# number. The file is only written if the NRPE daemon is started by the root
-# user and is running in standalone mode.
-
-pid_file=/var/run/nrpe/nrpe.pid
-
-
-
-# PORT NUMBER
-# Port number we should wait for connections on.
-# NOTE: This must be a non-priviledged port (i.e. > 1024).
-# NOTE: This option is ignored if NRPE is running under either inetd or xinetd
-
-server_port=5666
-
-
-
-# SERVER ADDRESS
-# Address that nrpe should bind to in case there are more than one interface
-# and you do not want nrpe to bind on all interfaces.
-# NOTE: This option is ignored if NRPE is running under either inetd or xinetd
-
-#server_address=127.0.0.1
-
-
-
-# NRPE USER
-# This determines the effective user that the NRPE daemon should run as.
-# You can either supply a username or a UID.
-#
-# NOTE: This option is ignored if NRPE is running under either inetd or xinetd
-
-nrpe_user=nrpe
-
-
-
-# NRPE GROUP
-# This determines the effective group that the NRPE daemon should run as.
-# You can either supply a group name or a GID.
-#
-# NOTE: This option is ignored if NRPE is running under either inetd or xinetd
-
-nrpe_group=nrpe
-
-
-
-# ALLOWED HOST ADDRESSES
-# This is an optional comma-delimited list of IP address or hostnames
-# that are allowed to talk to the NRPE daemon.
-#
-# Note: The daemon only does rudimentary checking of the client's IP
-# address. I would highly recommend adding entries in your /etc/hosts.allow
-# file to allow only the specified host to connect to the port
-# you are running this daemon on.
-#
-# NOTE: This option is ignored if NRPE is running under either inetd or xinetd
-
-allowed_hosts=18.4.60.61,18.4.60.65,18.4.60.51
-
-
-
-# COMMAND ARGUMENT PROCESSING
-# This option determines whether or not the NRPE daemon will allow clients
-# to specify arguments to commands that are executed. This option only works
-# if the daemon was configured with the --enable-command-args configure script
-# option.
-#
-# *** ENABLING THIS OPTION IS A SECURITY RISK! ***
-# Read the SECURITY file for information on some of the security implications
-# of enabling this variable.
-#
-# Values: 0=do not allow arguments, 1=allow command arguments
-
-dont_blame_nrpe=0
-
-
-
-# COMMAND PREFIX
-# This option allows you to prefix all commands with a user-defined string.
-# A space is automatically added between the specified prefix string and the
-# command line from the command definition.
-#
-# *** THIS EXAMPLE MAY POSE A POTENTIAL SECURITY RISK, SO USE WITH CAUTION! ***
-# Usage scenario:
-# Execute restricted commmands using sudo. For this to work, you need to add
-# the nagios user to your /etc/sudoers. An example entry for alllowing
-# execution of the plugins from might be:
-#
-# nagios ALL=(ALL) NOPASSWD: /usr/lib/nagios/plugins/
-#
-# This lets the nagios user run all commands in that directory (and only them)
-# without asking for a password. If you do this, make sure you don't give
-# random users write access to that directory or its contents!
-
-# command_prefix=/usr/bin/sudo
-
-
-
-# DEBUGGING OPTION
-# This option determines whether or not debugging messages are logged to the
-# syslog facility.
-# Values: 0=debugging off, 1=debugging on
-
-debug=0
-
-
-
-# COMMAND TIMEOUT
-# This specifies the maximum number of seconds that the NRPE daemon will
-# allow plugins to finish executing before killing them off.
-
-command_timeout=60
-
-
-
-# CONNECTION TIMEOUT
-# This specifies the maximum number of seconds that the NRPE daemon will
-# wait for a connection to be established before exiting. This is sometimes
-# seen where a network problem stops the SSL being established even though
-# all network sessions are connected. This causes the nrpe daemons to
-# accumulate, eating system resources. Do not set this too low.
-
-connection_timeout=300
-
-
-
-# WEEK RANDOM SEED OPTION
-# This directive allows you to use SSL even if your system does not have
-# a /dev/random or /dev/urandom (on purpose or because the necessary patches
-# were not applied). The random number generator will be seeded from a file
-# which is either a file pointed to by the environment valiable $RANDFILE
-# or $HOME/.rnd. If neither exists, the pseudo random number generator will
-# be initialized and a warning will be issued.
-# Values: 0=only seed from /dev/[u]random, 1=also seed from weak randomness
-
-#allow_weak_random_seed=1
-
-
-
-# INCLUDE CONFIG FILE
-# This directive allows you to include definitions from an external config file.
-
-#include=
-
-
-
-# INCLUDE CONFIG DIRECTORY
-# This directive allows you to include definitions from config files (with a
-# .cfg extension) in one or more directories (with recursion).
-
-#include_dir=
-#include_dir=
-
-
-
-# COMMAND DEFINITIONS
-# Command definitions that this daemon will run. Definitions
-# are in the following format:
-#
-# command[]=
-#
-# When the daemon receives a request to return the results of
-# it will execute the command specified by the argument.
-#
-# Unlike Nagios, the command line cannot contain macros - it must be
-# typed exactly as it should be executed.
-#
-# Note: Any plugins that are used in the command lines must reside
-# on the machine that this daemon is running on! The examples below
-# assume that you have plugins installed in a /usr/local/nagios/libexec
-# directory. Also note that you will have to modify the definitions below
-# to match the argument format the plugins expect. Remember, these are
-# examples only!
-
-
-# The following examples use hardcoded command arguments...
-
-#command[check_users]=/usr/lib64/nagios/plugins/check_users -w 5 -c 10
-#command[check_load]=/usr/lib64/nagios/plugins/check_load -w 15,10,5 -c 30,25,20
-#command[check_hda1]=/usr/lib64/nagios/plugins/check_disk -w 20% -c 10% -p /dev/hda1
-#command[check_zombie_procs]=/usr/lib64/nagios/plugins/check_procs -w 5 -c 10 -s Z
-#command[check_total_procs]=/usr/lib64/nagios/plugins/check_procs -w 150 -c 200
-
-
-# The following examples allow user-supplied arguments and can
-# only be used if the NRPE daemon was compiled with support for
-# command arguments *AND* the dont_blame_nrpe directive in this
-# config file is set to '1'. This poses a potential security risk, so
-# make sure you read the SECURITY file before doing this.
-
-command[check_users]=/usr/lib64/nagios/plugins/check_users -w 25 -c 50
-command[check_load]=/usr/lib64/nagios/plugins/check_load -w 50:50:50 -c 100:50:50
-command[check_disk]=/usr/lib64/nagios/plugins/check_disk -w 10% -c 5% -A -i ^/mnt
-command[check_procs_cpu]=/usr/lib64/nagios/plugins/check_procs -w 4 -c 6 -P 50
-command[check_procs_crond]=/usr/lib64/nagios/plugins/check_procs -w 1: -c 1: -C crond
-command[check_procs_nscd]=/usr/lib64/nagios/plugins/check_procs -w 1:256 -c 1:512 -u nscd
-command[check_procs_postfix]=/usr/lib64/nagios/plugins/check_procs -w 1:128 -c 1:256 -u postfix
-command[check_postfix_mailq]=/usr/lib64/nagios/plugins/check_mailq -w 5000 -c 10000 -M postfix
-command[check_afs]=/etc/nagios/check_afs
-command[check_afs_athena]=/etc/nagios/check_afs athena
-command[check_afs_sipb]=/etc/nagios/check_afs sipb
-command[check_cron_working]=/etc/nagios/check_cron_working
-command[check_ldap_mmr]=/etc/nagios/check_ldap_mmr
-command[check_kern_taint]=/etc/nagios/check_kern_taint
-command[check_backend]=/usr/lib64/nagios/plugins/check_ping -H 172.21.0.52 -w 500.0,30% -c 3000.0,80% # sql.mit.edu backend IP
-command[check_smtp]=/usr/lib64/nagios/plugins/check_smtp -H localhost -f scripts@mit.edu -C 'RCPT TO:' -R 250
-command[check_mail_dnsrbl]=/etc/nagios/check_mail_dnsrbl -w 3 -c 4 -h `hostname`
diff --git a/server/fedora/config/etc/named.conf b/server/fedora/config/etc/named.conf
deleted file mode 100644
index 2e80fcd4..00000000
--- a/server/fedora/config/etc/named.conf
+++ /dev/null
@@ -1,40 +0,0 @@
-//
-// named.conf
-//
-// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
-// server as a caching only nameserver (as a localhost DNS resolver only).
-//
-// See /usr/share/doc/bind*/sample/ for example named configuration files.
-//
-
-options {
- listen-on port 53 { 127.0.0.1; };
- listen-on-v6 port 53 { ::1; };
- directory "/var/named";
- dump-file "/var/named/data/cache_dump.db";
- statistics-file "/var/named/data/named_stats.txt";
- memstatistics-file "/var/named/data/named_mem_stats.txt";
- allow-query { localhost; };
- recursion yes;
- #dnssec-enable yes;
- #dnssec-validation yes;
- #dnssec-lookaside . trust-anchor dlv.isc.org.;
-};
-
-logging {
- channel default_debug {
- file "data/named.run";
- severity dynamic;
- };
-};
-
-zone "." IN {
- type hint;
- file "named.ca";
-};
-
-include "/etc/named.mit.zones";
-include "/etc/named.rfc1912.zones";
-
-#include "/etc/pki/dnssec-keys//named.dnssec.keys";
-#include "/etc/pki/dnssec-keys//dlv/dlv.isc.org.conf";
diff --git a/server/fedora/config/etc/named.mit.zones b/server/fedora/config/etc/named.mit.zones
deleted file mode 100644
index 0b27a202..00000000
--- a/server/fedora/config/etc/named.mit.zones
+++ /dev/null
@@ -1,524 +0,0 @@
-zone "mit.edu" IN {
- type stub;
- masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
- file "slaves/mit.edu.stub";
-};
-
-zone "0.4.3.0.6.2.ip6.arpa" IN {
- type stub;
- masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
- file "slaves/0.4.3.0.6.2.ip6.arpa.stub";
-};
-
-zone "10.in-addr.arpa" IN {
- type stub;
- masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
- file "slaves/10.in-addr.arpa.stub";
-};
-
-// List of *.18.in-addr.arpa zones generated from
-// https://whois.arin.net/rest/org/MIT-2/nets (2019-08-09)
-
-zone "0.18.in-addr.arpa" IN {
- type stub;
- masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
- file "slaves/0.18.in-addr.arpa.stub";
-};
-
-zone "1.18.in-addr.arpa" IN {
- type stub;
- masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
- file "slaves/1.18.in-addr.arpa.stub";
-};
-
-zone "2.18.in-addr.arpa" IN {
- type stub;
- masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
- file "slaves/2.18.in-addr.arpa.stub";
-};
-
-zone "3.18.in-addr.arpa" IN {
- type stub;
- masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
- file "slaves/3.18.in-addr.arpa.stub";
-};
-
-zone "4.18.in-addr.arpa" IN {
- type stub;
- masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
- file "slaves/4.18.in-addr.arpa.stub";
-};
-
-zone "5.18.in-addr.arpa" IN {
- type stub;
- masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
- file "slaves/5.18.in-addr.arpa.stub";
-};
-
-zone "6.18.in-addr.arpa" IN {
- type stub;
- masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
- file "slaves/6.18.in-addr.arpa.stub";
-};
-
-zone "7.18.in-addr.arpa" IN {
- type stub;
- masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
- file "slaves/7.18.in-addr.arpa.stub";
-};
-
-zone "8.18.in-addr.arpa" IN {
- type stub;
- masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
- file "slaves/8.18.in-addr.arpa.stub";
-};
-
-zone "9.18.in-addr.arpa" IN {
- type stub;
- masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
- file "slaves/9.18.in-addr.arpa.stub";
-};
-
-zone "10.18.in-addr.arpa" IN {
- type stub;
- masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
- file "slaves/10.18.in-addr.arpa.stub";
-};
-
-zone "11.18.in-addr.arpa" IN {
- type stub;
- masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
- file "slaves/11.18.in-addr.arpa.stub";
-};
-
-zone "12.18.in-addr.arpa" IN {
- type stub;
- masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
- file "slaves/12.18.in-addr.arpa.stub";
-};
-
-zone "13.18.in-addr.arpa" IN {
- type stub;
- masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
- file "slaves/13.18.in-addr.arpa.stub";
-};
-
-zone "14.18.in-addr.arpa" IN {
- type stub;
- masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
- file "slaves/14.18.in-addr.arpa.stub";
-};
-
-zone "15.18.in-addr.arpa" IN {
- type stub;
- masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
- file "slaves/15.18.in-addr.arpa.stub";
-};
-
-zone "16.18.in-addr.arpa" IN {
- type stub;
- masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
- file "slaves/16.18.in-addr.arpa.stub";
-};
-
-zone "17.18.in-addr.arpa" IN {
- type stub;
- masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
- file "slaves/17.18.in-addr.arpa.stub";
-};
-
-zone "18.18.in-addr.arpa" IN {
- type stub;
- masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
- file "slaves/18.18.in-addr.arpa.stub";
-};
-
-zone "19.18.in-addr.arpa" IN {
- type stub;
- masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
- file "slaves/19.18.in-addr.arpa.stub";
-};
-
-zone "20.18.in-addr.arpa" IN {
- type stub;
- masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
- file "slaves/20.18.in-addr.arpa.stub";
-};
-
-zone "21.18.in-addr.arpa" IN {
- type stub;
- masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
- file "slaves/21.18.in-addr.arpa.stub";
-};
-
-zone "22.18.in-addr.arpa" IN {
- type stub;
- masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
- file "slaves/22.18.in-addr.arpa.stub";
-};
-
-zone "23.18.in-addr.arpa" IN {
- type stub;
- masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
- file "slaves/23.18.in-addr.arpa.stub";
-};
-
-zone "24.18.in-addr.arpa" IN {
- type stub;
- masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
- file "slaves/24.18.in-addr.arpa.stub";
-};
-
-zone "25.18.in-addr.arpa" IN {
- type stub;
- masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
- file "slaves/25.18.in-addr.arpa.stub";
-};
-
-zone "26.18.in-addr.arpa" IN {
- type stub;
- masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
- file "slaves/26.18.in-addr.arpa.stub";
-};
-
-zone "27.18.in-addr.arpa" IN {
- type stub;
- masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
- file "slaves/27.18.in-addr.arpa.stub";
-};
-
-zone "28.18.in-addr.arpa" IN {
- type stub;
- masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
- file "slaves/28.18.in-addr.arpa.stub";
-};
-
-zone "29.18.in-addr.arpa" IN {
- type stub;
- masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
- file "slaves/29.18.in-addr.arpa.stub";
-};
-
-zone "30.18.in-addr.arpa" IN {
- type stub;
- masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
- file "slaves/30.18.in-addr.arpa.stub";
-};
-
-zone "31.18.in-addr.arpa" IN {
- type stub;
- masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
- file "slaves/31.18.in-addr.arpa.stub";
-};
-
-zone "32.18.in-addr.arpa" IN {
- type stub;
- masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
- file "slaves/32.18.in-addr.arpa.stub";
-};
-
-zone "33.18.in-addr.arpa" IN {
- type stub;
- masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
- file "slaves/33.18.in-addr.arpa.stub";
-};
-
-zone "34.18.in-addr.arpa" IN {
- type stub;
- masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
- file "slaves/34.18.in-addr.arpa.stub";
-};
-
-zone "38.18.in-addr.arpa" IN {
- type stub;
- masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
- file "slaves/38.18.in-addr.arpa.stub";
-};
-
-zone "40.18.in-addr.arpa" IN {
- type stub;
- masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
- file "slaves/40.18.in-addr.arpa.stub";
-};
-
-zone "42.18.in-addr.arpa" IN {
- type stub;
- masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
- file "slaves/42.18.in-addr.arpa.stub";
-};
-
-zone "45.18.in-addr.arpa" IN {
- type stub;
- masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
- file "slaves/45.18.in-addr.arpa.stub";
-};
-
-zone "47.18.in-addr.arpa" IN {
- type stub;
- masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
- file "slaves/47.18.in-addr.arpa.stub";
-};
-
-zone "49.18.in-addr.arpa" IN {
- type stub;
- masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
- file "slaves/49.18.in-addr.arpa.stub";
-};
-
-zone "50.18.in-addr.arpa" IN {
- type stub;
- masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
- file "slaves/50.18.in-addr.arpa.stub";
-};
-
-zone "51.18.in-addr.arpa" IN {
- type stub;
- masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
- file "slaves/51.18.in-addr.arpa.stub";
-};
-
-zone "53.18.in-addr.arpa" IN {
- type stub;
- masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
- file "slaves/53.18.in-addr.arpa.stub";
-};
-
-zone "54.18.in-addr.arpa" IN {
- type stub;
- masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
- file "slaves/54.18.in-addr.arpa.stub";
-};
-
-zone "55.18.in-addr.arpa" IN {
- type stub;
- masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
- file "slaves/55.18.in-addr.arpa.stub";
-};
-
-zone "56.18.in-addr.arpa" IN {
- type stub;
- masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
- file "slaves/56.18.in-addr.arpa.stub";
-};
-
-zone "58.18.in-addr.arpa" IN {
- type stub;
- masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
- file "slaves/58.18.in-addr.arpa.stub";
-};
-
-zone "60.18.in-addr.arpa" IN {
- type stub;
- masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
- file "slaves/60.18.in-addr.arpa.stub";
-};
-
-zone "61.18.in-addr.arpa" IN {
- type stub;
- masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
- file "slaves/61.18.in-addr.arpa.stub";
-};
-
-zone "62.18.in-addr.arpa" IN {
- type stub;
- masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
- file "slaves/62.18.in-addr.arpa.stub";
-};
-
-zone "63.18.in-addr.arpa" IN {
- type stub;
- masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
- file "slaves/63.18.in-addr.arpa.stub";
-};
-
-zone "69.18.in-addr.arpa" IN {
- type stub;
- masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
- file "slaves/69.18.in-addr.arpa.stub";
-};
-
-zone "70.18.in-addr.arpa" IN {
- type stub;
- masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
- file "slaves/70.18.in-addr.arpa.stub";
-};
-
-zone "71.18.in-addr.arpa" IN {
- type stub;
- masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
- file "slaves/71.18.in-addr.arpa.stub";
-};
-
-zone "72.18.in-addr.arpa" IN {
- type stub;
- masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
- file "slaves/72.18.in-addr.arpa.stub";
-};
-
-zone "74.18.in-addr.arpa" IN {
- type stub;
- masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
- file "slaves/74.18.in-addr.arpa.stub";
-};
-
-zone "75.18.in-addr.arpa" IN {
- type stub;
- masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
- file "slaves/75.18.in-addr.arpa.stub";
-};
-
-zone "76.18.in-addr.arpa" IN {
- type stub;
- masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
- file "slaves/76.18.in-addr.arpa.stub";
-};
-
-zone "77.18.in-addr.arpa" IN {
- type stub;
- masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
- file "slaves/77.18.in-addr.arpa.stub";
-};
-
-zone "78.18.in-addr.arpa" IN {
- type stub;
- masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
- file "slaves/78.18.in-addr.arpa.stub";
-};
-
-zone "79.18.in-addr.arpa" IN {
- type stub;
- masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
- file "slaves/79.18.in-addr.arpa.stub";
-};
-
-zone "80.18.in-addr.arpa" IN {
- type stub;
- masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
- file "slaves/80.18.in-addr.arpa.stub";
-};
-
-zone "81.18.in-addr.arpa" IN {
- type stub;
- masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
- file "slaves/81.18.in-addr.arpa.stub";
-};
-
-zone "82.18.in-addr.arpa" IN {
- type stub;
- masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
- file "slaves/82.18.in-addr.arpa.stub";
-};
-
-zone "83.18.in-addr.arpa" IN {
- type stub;
- masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
- file "slaves/83.18.in-addr.arpa.stub";
-};
-
-zone "85.18.in-addr.arpa" IN {
- type stub;
- masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
- file "slaves/85.18.in-addr.arpa.stub";
-};
-
-zone "87.18.in-addr.arpa" IN {
- type stub;
- masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
- file "slaves/87.18.in-addr.arpa.stub";
-};
-
-zone "88.18.in-addr.arpa" IN {
- type stub;
- masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
- file "slaves/88.18.in-addr.arpa.stub";
-};
-
-zone "89.18.in-addr.arpa" IN {
- type stub;
- masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
- file "slaves/89.18.in-addr.arpa.stub";
-};
-
-zone "90.18.in-addr.arpa" IN {
- type stub;
- masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
- file "slaves/90.18.in-addr.arpa.stub";
-};
-
-zone "93.18.in-addr.arpa" IN {
- type stub;
- masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
- file "slaves/93.18.in-addr.arpa.stub";
-};
-
-zone "95.18.in-addr.arpa" IN {
- type stub;
- masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
- file "slaves/95.18.in-addr.arpa.stub";
-};
-
-zone "100.18.in-addr.arpa" IN {
- type stub;
- masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
- file "slaves/100.18.in-addr.arpa.stub";
-};
-
-zone "101.18.in-addr.arpa" IN {
- type stub;
- masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
- file "slaves/101.18.in-addr.arpa.stub";
-};
-
-zone "102.18.in-addr.arpa" IN {
- type stub;
- masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
- file "slaves/102.18.in-addr.arpa.stub";
-};
-
-zone "110.18.in-addr.arpa" IN {
- type stub;
- masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
- file "slaves/110.18.in-addr.arpa.stub";
-};
-
-zone "113.18.in-addr.arpa" IN {
- type stub;
- masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
- file "slaves/113.18.in-addr.arpa.stub";
-};
-
-zone "114.18.in-addr.arpa" IN {
- type stub;
- masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
- file "slaves/114.18.in-addr.arpa.stub";
-};
-
-zone "115.18.in-addr.arpa" IN {
- type stub;
- masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
- file "slaves/115.18.in-addr.arpa.stub";
-};
-
-zone "123.18.in-addr.arpa" IN {
- type stub;
- masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
- file "slaves/123.18.in-addr.arpa.stub";
-};
-
-zone "124.18.in-addr.arpa" IN {
- type stub;
- masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
- file "slaves/124.18.in-addr.arpa.stub";
-};
-
-zone "125.18.in-addr.arpa" IN {
- type stub;
- masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
- file "slaves/125.18.in-addr.arpa.stub";
-};
-
-zone "127.18.in-addr.arpa" IN {
- type stub;
- masters { 18.0.70.160; 18.0.71.151; 18.0.72.3; };
- file "slaves/127.18.in-addr.arpa.stub";
-};
diff --git a/server/fedora/config/etc/nscd.conf b/server/fedora/config/etc/nscd.conf
deleted file mode 100644
index 936c20c1..00000000
--- a/server/fedora/config/etc/nscd.conf
+++ /dev/null
@@ -1,80 +0,0 @@
-#
-# /etc/nscd.conf
-#
-# An example Name Service Cache config file. This file is needed by nscd.
-#
-# Legal entries are:
-#
-# logfile
-# debug-level
-# threads
-# max-threads
-# server-user
-# server-user is ignored if nscd is started with -S parameters
-# stat-user
-# reload-count unlimited|
-# paranoia
-# restart-interval