hasSomePassword and hasPassword now default to using the name of the host as the Context for the password. To specify a different context, use hasSomePassword' and hasPassword' (API change)

This commit is contained in:
Joey Hess 2014-11-23 16:39:49 -04:00
parent d8624e2e5d
commit baba668033
6 changed files with 45 additions and 28 deletions

View File

@ -366,9 +366,9 @@ standardSystemUnhardened hn suite arch motd = host hn
& Apt.installed ["etckeeper"] & Apt.installed ["etckeeper"]
& Apt.installed ["ssh"] & Apt.installed ["ssh"]
& GitHome.installedFor "root" & GitHome.installedFor "root"
& User.hasSomePassword "root" (Context hn) & User.hasSomePassword "root"
& User.accountFor "joey" & User.accountFor "joey"
& User.hasSomePassword "joey" (Context hn) & User.hasSomePassword "joey"
& Sudo.enabledFor "joey" & Sudo.enabledFor "joey"
& GitHome.installedFor "joey" & GitHome.installedFor "joey"
& Apt.installed ["vim", "screen", "less"] & Apt.installed ["vim", "screen", "less"]

View File

@ -29,7 +29,7 @@ hosts =
& Apt.unattendedUpgrades & Apt.unattendedUpgrades
& Apt.installed ["etckeeper"] & Apt.installed ["etckeeper"]
& Apt.installed ["ssh"] & Apt.installed ["ssh"]
& User.hasSomePassword "root" (Context "mybox.example.com") & User.hasSomePassword "root"
& Network.ipv6to4 & Network.ipv6to4
& File.dirExists "/var/www" & File.dirExists "/var/www"
& Docker.docked webserverContainer & Docker.docked webserverContainer

5
debian/changelog vendored
View File

@ -1,4 +1,4 @@
propellor (1.0.1) UNRELEASED; urgency=medium propellor (1.1.0) UNRELEASED; urgency=medium
* propellor --spin can now deploy propellor to hosts that do not have * propellor --spin can now deploy propellor to hosts that do not have
git, ghc, or apt-get. This is accomplished by uploading a fairly git, ghc, or apt-get. This is accomplished by uploading a fairly
@ -12,6 +12,9 @@ propellor (1.0.1) UNRELEASED; urgency=medium
find the full hostname. find the full hostname.
* Added group-related properties. Thanks, Félix Sipma. * Added group-related properties. Thanks, Félix Sipma.
* Added Git.barerepo. Thanks, Félix Sipma. * Added Git.barerepo. Thanks, Félix Sipma.
* hasSomePassword and hasPassword now default to using the name of the
host as the Context for the password. To specify a different context,
use hasSomePassword' and hasPassword' (API change)
-- Joey Hess <joeyh@debian.org> Sat, 22 Nov 2014 00:12:35 -0400 -- Joey Hess <joeyh@debian.org> Sat, 22 Nov 2014 00:12:35 -0400

View File

@ -1,5 +1,5 @@
Name: propellor Name: propellor
Version: 1.0.0 Version: 1.1.0
Cabal-Version: >= 1.6 Cabal-Version: >= 1.6
License: BSD3 License: BSD3
Maintainer: Joey Hess <id@joeyh.name> Maintainer: Joey Hess <id@joeyh.name>

View File

@ -17,6 +17,10 @@ import qualified Propellor.Property.Debootstrap as Debootstrap
-- This can replace one Linux distribution with different one. -- This can replace one Linux distribution with different one.
-- But, it can also fail and leave the system in an unbootable state. -- But, it can also fail and leave the system in an unbootable state.
-- --
-- To avoid this property being accidentially used, you have to provide
-- a Context containing the name of the host that you intend to apply the
-- property to.
--
-- This property only runs once. The cleanly installed system will have -- This property only runs once. The cleanly installed system will have
-- a file /etc/propellor-cleaninstall, which indicates it was cleanly -- a file /etc/propellor-cleaninstall, which indicates it was cleanly
-- installed. -- installed.
@ -26,7 +30,7 @@ import qualified Propellor.Property.Debootstrap as Debootstrap
-- working system. For example: -- working system. For example:
-- --
-- > & os (System (Debian Unstable) "amd64") -- > & os (System (Debian Unstable) "amd64")
-- > & cleanInstall (confirm "com.example.foo") (BackupOldOS <> UseOldKernel) -- > & cleanInstall (Context "foo.example.com") (BackupOldOS <> UseOldKernel)
-- > `onChange` propertyList "fixing up after clean install" -- > `onChange` propertyList "fixing up after clean install"
-- > [ fixupNetworkInterfaces -- > [ fixupNetworkInterfaces
-- > , fixupRootSsh -- > , fixupRootSsh
@ -34,38 +38,33 @@ import qualified Propellor.Property.Debootstrap as Debootstrap
-- > -- , installGrub -- > -- , installGrub
-- > ] -- > ]
-- > & Apt.installed ["ssh"] -- > & Apt.installed ["ssh"]
-- > & User.hasSomePassword "root"
-- > & User.accountFor "joey"
-- > & User.hasSomePassword "joey"
-- > -- rest of system properties here -- > -- rest of system properties here
cleanInstallOnce :: Confirmation -> Exceptions -> Property cleanInstallOnce :: Context -> Exceptions -> Property
cleanInstallOnce c = check (not <$> doesFileExist flagfile) $ cleanInstallOnce (Context c) = check (not <$> doesFileExist flagfile) $
Property "OS cleanly installed" $ do Property "OS cleanly installed" $ do
confirm c hostname <- asks hostName
when (hostname /= c) $
error "Run with bad context, not matching hostname. Not running cleanInstalOnce!"
error "TODO" error "TODO"
-- debootstrap /new-os chroot; avoid running -- debootstrap /new-os chroot, but don't run propellor
-- propellor inside the chroot yet -- inside the chroot.
-- unmount all mounts -- unmount all mounts
-- move all directories to /old-os, -- move all directories to /old-os,
-- except for /boot and /lib/modules -- except for /boot and /lib/modules
-- move /new-os to / -- move /new-os to /
-- touch /etc/propellor-cleaninstall -- touch flagfile
-- re-bootstrap propellor in /usr/local/propellor, -- re-bootstrap propellor in /usr/local/propellor,
-- (using git repo bundle, privdata file, and possibly -- (using git repo bundle, privdata file, and possibly
-- git repo url, which all need to be arranged to -- git repo url, which all need to be arranged to
-- be present in /old-os's /usr/local/propellor) -- be present in /old-os's /usr/local/propellor)
-- enable shadow passwords (to avoid foot-shooting)
-- return MadeChange -- return MadeChange
where where
flagfile = "/etc/propellor-cleaninstall" flagfile = "/etc/propellor-cleaninstall"
-- | To confirm you really intend to apply a dangerous Property to a
-- system, and have not copied and pasted it in by accident, you must
-- provide as confirmation, the hostname of the system you intend
-- to apply the Property to, written in the form form "com.example.somehost"
newtype Confirmation = Confirmation String
confirm :: String -> Confirmation
confirm (Confirmation c) h
| h ==(intercalate "." $ reverse $ split "." c) = return ()
| otherwise = error "Bad confirmation of dangerous Property; see the documentation to fix this."
-- | Sometimes you want an almost clean install, but with some exceptions. -- | Sometimes you want an almost clean install, but with some exceptions.
data Exceptions data Exceptions
= UseOldKernel -- ^ Leave /boot and /lib/modules from old OS, so the system can boot using them as before = UseOldKernel -- ^ Leave /boot and /lib/modules from old OS, so the system can boot using them as before

View File

@ -24,12 +24,27 @@ nuked user _ = check (isJust <$> catchMaybeIO (homedir user)) $ cmdProperty "use
-- | Only ensures that the user has some password set. It may or may -- | Only ensures that the user has some password set. It may or may
-- not be the password from the PrivData. -- not be the password from the PrivData.
hasSomePassword :: UserName -> Context -> Property hasSomePassword :: UserName -> Property
hasSomePassword user context = check ((/= HasPassword) <$> getPasswordStatus user) $ hasSomePassword user = property (user ++ "has password") $ do
hasPassword user context hostname <- asks hostName
ensureProperty $ hasSomePassword' user (Context hostname)
hasPassword :: UserName -> Context -> Property -- | While hasSomePassword uses the name of the host as context,
hasPassword user context = withPrivData (Password user) context $ \getpassword -> -- this allows specifying a different context. This is useful when
-- you want to use the same password on multiple hosts, for example.
hasSomePassword' :: UserName -> Context -> Property
hasSomePassword' user context = check ((/= HasPassword) <$> getPasswordStatus user) $
hasPassword' user context
-- | Ensures that a user's password is set to the password from the PrivData.
-- (Will change any existing password.)
hasPassword :: UserName -> Property
hasPassword user = property (user ++ "has password") $ do
hostname <- asks hostName
ensureProperty $ hasPassword' user (Context hostname)
hasPassword' :: UserName -> Context -> Property
hasPassword' user context = withPrivData (Password user) context $ \getpassword ->
property (user ++ " has password") $ property (user ++ " has password") $
getpassword $ \password -> makeChange $ getpassword $ \password -> makeChange $
withHandle StdinHandle createProcessSuccess withHandle StdinHandle createProcessSuccess