diff --git a/chef/cookbooks/openssh/.gitignore b/chef/cookbooks/openssh/.gitignore new file mode 100644 index 0000000..a90cbbb --- /dev/null +++ b/chef/cookbooks/openssh/.gitignore @@ -0,0 +1,21 @@ +*~ +*# +.#* +\#*# +.*.sw[a-z] +*.un~ +*.tmp +*.bk +*.bkup +.kitchen.local.yml +Berksfile.lock +Gemfile.lock + +.bundle/ +.cache/ +.kitchen/ +.vagrant/ +.vagrant.d/ +bin/ +tmp/ +vendor/ diff --git a/chef/cookbooks/openssh/.kitchen.cloud.yml b/chef/cookbooks/openssh/.kitchen.cloud.yml new file mode 100644 index 0000000..cb33d96 --- /dev/null +++ b/chef/cookbooks/openssh/.kitchen.cloud.yml 
@@ -0,0 +1,71 @@ +--- +driver_plugin: vagrant +driver_plugin: digitalocean +driver_config: + digitalocean_client_id: <%= ENV['DIGITAL_OCEAN_CLIENT_ID'] %> + digitalocean_api_key: <%= ENV['DIGITAL_OCEAN_API_KEY'] %> + aws_access_key_id: <%= ENV['AWS_ACCESS_KEY_ID'] %> + aws_secret_access_key: <%= ENV['AWS_SECRET_ACCESS_KEY'] %> + aws_ssh_key_id: <%= ENV['AWS_KEYPAIR_NAME'] %> + ssh_key: <%= ENV['AWS_PRIVATE_KEY_PATH'] %> + rackspace_username: <%= ENV['RACKSPACE_USERNAME'] %> + rackspace_api_key: <%= ENV['RACKSPACE_API_KEY'] %> + require_chef_omnibus: latest + +platforms: +- name: centos-5.8 + driver_plugin: digitalocean + driver_config: + image_id: 1601 + flavor_id: 63 + region_id: 1 + ssh_key_ids: <%= ENV['DIGITAL_OCEAN_SSH_KEY_IDS'] %> + +- name: centos-6.4 + driver_plugin: digitalocean + driver_config: + image_id: 562354 + flavor_id: 63 + region_id: 1 + ssh_key_ids: <%= ENV['DIGITAL_OCEAN_SSH_KEY_IDS'] %> + +- name: amazon-2013.09 + driver_plugin: ec2 + driver_config: + image_id: ami-3be4bc52 + username: ec2-user + +- name: ubuntu-1004 + driver_plugin: digitalocean + driver_config: + image_id: 14097 + flavor_id: 63 + region_id: 1 + ssh_key_ids: <%= ENV['DIGITAL_OCEAN_SSH_KEY_IDS'] %> + run_list: + - recipe[apt] + +- name: ubuntu-1204 + driver_plugin: digitalocean + driver_config: + image_id: 1505447 + flavor_id: 63 + region_id: 1 + ssh_key_ids: <%= ENV['DIGITAL_OCEAN_SSH_KEY_IDS'] %> + run_list: + - recipe[apt] + +- name: ubuntu-1310 + driver_plugin: digitalocean + driver_config: + image_id: 1505699 + flavor_id: 63 + region_id: 1 + ssh_key_ids: <%= ENV['DIGITAL_OCEAN_SSH_KEY_IDS'] %> + run_list: + - recipe[apt] + +suites: + - name: default + run_list: + - recipe[openssh::default] diff --git a/chef/cookbooks/openssh/.kitchen.yml b/chef/cookbooks/openssh/.kitchen.yml new file mode 100644 index 0000000..55065be --- /dev/null +++ b/chef/cookbooks/openssh/.kitchen.yml 
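Review bot: `driver_plugin: vagrant` and `driver_plugin: digitalocean` are duplicate keys in the same top-level mapping, so the first is silently replaced (and strict YAML loaders reject the file); remove the `vagrant` line, since `.kitchen.yml` already covers the Vagrant driver and every platform in this file sets its own `driver_plugin`. The shared `driver_config` block also carries `rackspace_username` and `rackspace_api_key` although no platform uses a Rackspace driver; dropping them keeps the credentials the suites pull from the environment to the ones actually needed.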
@@ -0,0 +1,14 @@ +driver_plugin: vagrant +driver_config: + require_chef_omnibus: true + +platforms: + - name: ubuntu-12.04 + run_list: + - recipe[apt::default] + - name: centos-6.4 + +suites: + - name: default + run_list: + - recipe[openssh::default] diff --git a/chef/cookbooks/openssh/.rubocop.yml b/chef/cookbooks/openssh/.rubocop.yml new file mode 100644 index 0000000..5f5d138 --- /dev/null +++ b/chef/cookbooks/openssh/.rubocop.yml @@ -0,0 +1,11 @@ +AlignParameters: + Enabled: false + +Encoding: + Enabled: false + +LineLength: + Max: 200 + +HashSyntax: + EnforcedStyle: hash_rockets diff --git a/chef/cookbooks/openssh/.travis.yml b/chef/cookbooks/openssh/.travis.yml new file mode 100644 index 0000000..01655a9 --- /dev/null +++ b/chef/cookbooks/openssh/.travis.yml @@ -0,0 +1,9 @@ +rvm: + - 1.9.3 + - 2.0.0 +before_script: + - bundle exec berks install +script: + - bundle exec foodcritic -f any . + - bundle exec rspec --color --format progress + - bundle exec rubocop diff --git a/chef/cookbooks/openssh/Berksfile b/chef/cookbooks/openssh/Berksfile new file mode 100644 index 0000000..3b5ff95 --- /dev/null +++ b/chef/cookbooks/openssh/Berksfile @@ -0,0 +1,6 @@ +site :opscode +metadata + +group :integration do + cookbook 'apt', '~> 2.0' +end diff --git a/chef/cookbooks/openssh/CHANGELOG.md b/chef/cookbooks/openssh/CHANGELOG.md index b475a2b..4169f7c 100644 --- a/chef/cookbooks/openssh/CHANGELOG.md +++ b/chef/cookbooks/openssh/CHANGELOG.md @@ -3,6 +3,14 @@ openssh Cookbook CHANGELOG This file is used to list changes made in each version of the openssh cookbook. +v1.3.4 (2014-04-23) +------------------- +- [COOK-4576] - No way to override `AuthorizedKeysFile` +- [COOK-4584] - Use Upstart on Ubuntu 12.04 +- [COOK-4585] - skip match block in template if empty or unset +- [COOK-4586] OpenSSH Gentoo support + + v1.3.2 ------ ### Bug diff --git a/chef/cookbooks/openssh/CONTRIBUTING.md b/chef/cookbooks/openssh/CONTRIBUTING.md new file mode 100644 index 0000000..3a99897 
--- /dev/null +++ b/chef/cookbooks/openssh/CONTRIBUTING.md 
@@ -0,0 +1,257 @@ +# Contributing to Opscode Cookbooks + +We are glad you want to contribute to Opscode Cookbooks! The first +step is the desire to improve the project. + +You can find the answers to additional frequently asked questions +[on the wiki](http://wiki.opscode.com/display/chef/How+to+Contribute). + +You can find additional information about +[contributing to cookbooks](http://wiki.opscode.com/display/chef/How+to+Contribute+to+Opscode+Cookbooks) +on the wiki as well. + +## Quick-contribute + +* Create an account on our [bug tracker](http://tickets.opscode.com) +* Sign our contributor agreement (CLA) +[ online](https://secure.echosign.com/public/hostedForm?formid=PJIF5694K6L) +(keep reading if you're contributing on behalf of your employer) +* Create a ticket for your change on the + [bug tracker](http://tickets.opscode.com) +* Link to your patch as a rebased git branch or pull request from the + ticket +* Resolve the ticket as fixed + +We regularly review contributions and will get back to you if we have +any suggestions or concerns. + +## The Apache License and the CLA/CCLA + +Licensing is very important to open source projects, it helps ensure +the software continues to be available under the terms that the author +desired. Chef uses the Apache 2.0 license to strike a balance between +open contribution and allowing you to use the software however you +would like to. + +The license tells you what rights you have that are provided by the +copyright holder. It is important that the contributor fully +understands what rights they are licensing and agrees to them. +Sometimes the copyright holder isn't the contributor, most often when +the contributor is doing work for a company. + +To make a good faith effort to ensure these criteria are met, Opscode +requires a Contributor License Agreement (CLA) or a Corporate +Contributor License Agreement (CCLA) for all contributions. 
This is +without exception due to some matters not being related to copyright +and to avoid having to continually check with our lawyers about small +patches. + +It only takes a few minutes to complete a CLA, and you retain the +copyright to your contribution. + +You can complete our contributor agreement (CLA) +[ online](https://secure.echosign.com/public/hostedForm?formid=PJIF5694K6L). +If you're contributing on behalf of your employer, have your employer +fill out our +[Corporate CLA](https://secure.echosign.com/public/hostedForm?formid=PIE6C7AX856) +instead. + +## Ticket Tracker (JIRA) + +The [ticket tracker](http://tickets.opscode.com) is the most important +documentation for the code base. It provides significant historical +information, such as: + +* Which release a bug fix is included in +* Discussion regarding the design and merits of features +* Error output to aid in finding similar bugs + +Each ticket should aim to fix one bug or add one feature. + +## Using git + +You can get a quick copy of the repository for this cookbook by +running `git clone +git://github.com/opscode-coobkooks/COOKBOOKNAME.git`. + +For collaboration purposes, it is best if you create a Github account +and fork the repository to your own account. Once you do this you will +be able to push your changes to your Github repository for others to +see and use. + +If you have another repository in your GitHub account named the same +as the cookbook, we suggest you suffix the repository with -cookbook. + +### Branches and Commits + +You should submit your patch as a git branch named after the ticket, +such as COOK-1337. This is called a _topic branch_ and allows users to +associate a branch of code with the ticket. + +It is a best practice to have your commit message have a _summary +line_ that includes the ticket number, followed by an empty line and +then a brief description of the commit. This also helps other +contributors understand the purpose of changes to the code. 
+ + [COOK-1757] - platform_family and style + + * use platform_family for platform checking + * update notifies syntax to "resource_type[resource_name]" instead of + resources() lookup + * COOK-692 - delete config files dropped off by packages in conf.d + * dropped debian 4 support because all other platforms have the same + values, and it is older than "old stable" debian release + +Remember that not all users use Chef in the same way or on the same +operating systems as you, so it is helpful to be clear about your use +case and change so they can understand it even when it doesn't apply +to them. + +### Github and Pull Requests + +All of Opscode's open source cookbook projects are available on +[Github](http://www.github.com/opscode-cookbooks). + +We don't require you to use Github, and we will even take patch diffs +attached to tickets on the tracker. However Github has a lot of +convenient features, such as being able to see a diff of changes +between a pull request and the main repository quickly without +downloading the branch. + +If you do choose to use a pull request, please provide a link to the +pull request from the ticket __and__ a link to the ticket from the +pull request. Because pull requests only have two states, open and +closed, we can't easily filter pull requests that are waiting for a +reply from the author for various reasons. + +### More information + +Additional help with git is available on the +[Working with Git](http://wiki.opscode.com/display/chef/Working+with+Git) +wiki page. + +## Functional and Unit Tests + +This cookbook is set up to run tests under +[Opscode's test-kitchen](https://github.com/opscode/test-kitchen). It +uses minitest-chef to run integration tests after the node has been +converged to verify that the state of the node. + +Test kitchen should run completely without exception using the default +[baseboxes provided by Opscode](https://github.com/opscode/bento). 
+Because Test Kitchen creates VirtualBox machines and runs through +every configuration in the Kitchenfile, it may take some time for +these tests to complete. + +If your changes are only for a specific recipe, run only its +configuration with Test Kitchen. If you are adding a new recipe, or +other functionality such as a LWRP or definition, please add +appropriate tests and ensure they run with Test Kitchen. + +If any don't pass, investigate them before submitting your patch. + +Any new feature should have unit tests included with the patch with +good code coverage to help protect it from future changes. Similarly, +patches that fix a bug or regression should have a _regression test_. +Simply put, this is a test that would fail without your patch but +passes with it. The goal is to ensure this bug doesn't regress in the +future. Consider a regular expression that doesn't match a certain +pattern that it should, so you provide a patch and a test to ensure +that the part of the code that uses this regular expression works as +expected. Later another contributor may modify this regular expression +in a way that breaks your use cases. The test you wrote will fail, +signalling to them to research your ticket and use case and accounting +for it. + +If you need help writing tests, please ask on the Chef Developer's +mailing list, or the #chef-hacking IRC channel. + +## Code Review + +Opscode regularly reviews code contributions and provides suggestions +for improvement in the code itself or the implementation. + +We find contributions by searching the ticket tracker for _resolved_ +tickets with a status of _fixed_. If we have feedback we will reopen +the ticket and you should resolve it again when you've made the +changes or have a response to our feedback. When we believe the patch +is ready to be merged, we will tag the _Code Reviewed_ field with +_Reviewed_. 
+ +Depending on the project, these tickets are then merged within a week +or two, depending on the current release cycle. + +## Release Cycle + +The versioning for Opscode Cookbook projects is X.Y.Z. + +* X is a major release, which may not be fully compatible with prior + major releases +* Y is a minor release, which adds both new features and bug fixes +* Z is a patch release, which adds just bug fixes + +A released version of a cookbook will end in an even number, e.g. +"1.2.4" or "0.8.0". When development for the next version of the +cookbook begins, the "Z" patch number is incremented to the next odd +number, however the next release of the cookbook may be a major or +minor incrementing version. + +Releases of Opscode's cookbooks are usually announced on the Chef user +mailing list. Releases of several cookbooks may be batched together +and announced on the [Opscode Blog](http://www.opscode.com/blog). + +## Working with the community + +These resources will help you learn more about Chef and connect to +other members of the Chef community: + +* [chef](http://lists.opscode.com/sympa/info/chef) and + [chef-dev](http://lists.opscode.com/sympa/info/chef-dev) mailing + lists +* #chef and #chef-hacking IRC channels on irc.freenode.net +* [Community Cookbook site](http://community.opscode.com) +* [Chef wiki](http://wiki.opscode.com/display/chef) +* Opscode Chef [product page](http://www.opscode.com/chef) + + +## Cookbook Contribution Do's and Don't's + +Please do include tests for your contribution. If you need help, ask +on the +[chef-dev mailing list](http://lists.opscode.com/sympa/info/chef-dev) +or the +[#chef-hacking IRC channel](http://community.opscode.com/chat/chef-hacking). +Not all platforms that a cookbook supports may be supported by Test +Kitchen. Please provide evidence of testing your contribution if it +isn't trivial so we don't have to duplicate effort in testing. Chef +10.14+ "doc" formatted output is sufficient. 
+ +Please do indicate new platform (families) or platform versions in the +commit message, and update the relevant ticket. + +If a contribution adds new platforms or platform versions, indicate +such in the body of the commit message(s), and update the relevant +COOK ticket. When writing commit messages, it is helpful for others if +you indicate the COOK ticket. For example: + + git commit -m '[COOK-1041] - Updated pool resource to correctly + delete.' + +Please do use [foodcritic](http://acrmp.github.com/foodcritic) to +lint-check the cookbook. Except FC007, it should pass all correctness +rules. FC007 is okay as long as the dependent cookbooks are *required* +for the default behavior of the cookbook, such as to support an +uncommon platform, secondary recipe, etc. + +Please do ensure that your changes do not break or modify behavior for +other platforms supported by the cookbook. For example if your changes +are for Debian, make sure that they do not break on CentOS. + +Please do not modify the version number in the metadata.rb, Opscode +will select the appropriate version based on the release cycle +information above. + +Please do not update the CHANGELOG.md for a new version. Not all +changes to a cookbook may be merged and released in the same versions. +Opscode will update the CHANGELOG.md when releasing a new version of +the cookbook. diff --git a/chef/cookbooks/openssh/Gemfile b/chef/cookbooks/openssh/Gemfile new file mode 100644 index 0000000..f465c78 --- /dev/null +++ b/chef/cookbooks/openssh/Gemfile @@ -0,0 +1,13 @@ +source 'https://rubygems.org' + +gem 'berkshelf', '~> 2.0' +gem 'chefspec', '~> 3.0' +gem 'foodcritic', '~> 3.0' +gem 'rubocop' + +group :integration do + gem 'test-kitchen', '~> 1.0' + gem 'kitchen-vagrant', '~> 0.11' + gem 'kitchen-digitalocean' + gem 'kitchen-ec2' +end diff --git a/chef/cookbooks/openssh/LICENSE b/chef/cookbooks/openssh/LICENSE new file mode 100644 index 0000000..11069ed --- /dev/null +++ b/chef/cookbooks/openssh/LICENSE 
@@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + +TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + +1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + +2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + +3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + +4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the 
following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + +5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + +6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + +7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + +8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + +9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ +END OF TERMS AND CONDITIONS + +APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + +Copyright [yyyy] [name of copyright owner] + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. diff --git a/chef/cookbooks/openssh/TESTING.md b/chef/cookbooks/openssh/TESTING.md new file mode 100644 index 0000000..b4102e3 --- /dev/null +++ b/chef/cookbooks/openssh/TESTING.md 
@@ -0,0 +1,53 @@ +This cookbook uses a variety of testing components: + +- Unit tests: [ChefSpec](https://github.com/acrmp/chefspec) +- Integration tests: [Test Kitchen](https://github.com/opscode/test-kitchen) +- Chef Style lints: [Foodcritic](https://github.com/acrmp/foodcritic) +- Ruby Style lints: [Rubocop](https://github.com/bbatsov/rubocop) + + +Prerequisites +------------- +To develop on this cookbook, you must have a sane Ruby 1.9+ environment. Given the nature of this installation process (and it's variance across multiple operating systems), we will leave this installation process to the user. + +You must also have `bundler` installed: + + $ gem install bundler + +You must also have Vagrant and VirtualBox installed: + +- [Vagrant](https://vagrantup.com) +- [VirtualBox](https://virtualbox.org) + +Once installed, you must install the `vagrant-berkshelf` plugin: + + $ vagrant plugin install vagrant-berkshelf + + +Development +----------- +1. Clone the git repository from GitHub: + + $ git clone git@github.com:opscode-cookbooks/COOKBOOK.git + +2. Install the dependencies using bundler: + + $ bundle install + +3. Create a branch for your changes: + + $ git checkout -b my_bug_fix + +4. Make any changes +5. Write tests to support those changes. It is highly recommended you write both unit and integration tests. +6. Run the tests: + - `bundle exec rspec` + - `bundle exec foodcritic .` + - `bundle exec rubocop` + - `bundle exec kitchen test` + +7. Assuming the tests pass, open a Pull Request on GitHub +8. Open a JIRA ticket for this compontent, linking the JIRA ticket to the Pull Request and visa versa. +9. Mark the JIRA ticket as "Fix Provided" + +For more information, see [Opscode's Contribution Guidelines](https://wiki.opscode.com/display/chef/How+to+Contribute). diff --git a/chef/cookbooks/openssh/attributes/default.rb b/chef/cookbooks/openssh/attributes/default.rb index 9fca9b4..d8e7dd2 100644 --- a/chef/cookbooks/openssh/attributes/default.rb 
+++ b/chef/cookbooks/openssh/attributes/default.rb @@ -24,7 +24,7 @@ default['openssh']['package_name'] = case node['platform_family'] when 'rhel', 'fedora' %w[openssh-clients openssh] - when 'arch', 'suse' + when 'arch', 'suse', 'gentoo' %w[openssh] when 'freebsd' %w[] @@ -33,7 +33,7 @@ default['openssh']['package_name'] = case node['platform_family'] end default['openssh']['service_name'] = case node['platform_family'] - when 'rhel', 'fedora', 'suse', 'freebsd' + when 'rhel', 'fedora', 'suse', 'freebsd', 'gentoo' 'sshd' else 'ssh' @@ -53,13 +53,19 @@ default['openssh']['rootgroup'] = case node['platform_family'] 'root' end +default['openssh']['group'] = node['openssh']['rootgroup'] +default['openssh']['user'] = 'root' +default['openssh']['shared']['private_key'] = nil +default['openssh']['shared']['public_key'] = nil +default['openssh']['shared']['authorized_key'] = nil +default['openssh']['passwordless']['role'] = 'os-compute-worker' # ssh config group default['openssh']['client']['host'] = '*' # default['openssh']['client']['forward_agent'] = 'no' # default['openssh']['client']['forward_x11'] = 'no' # default['openssh']['client']['rhosts_rsa_authentication'] = 'no' # default['openssh']['client']['rsa_authentication'] = 'yes' -# default['openssh']['client']['password_authentication'] = 'yes' +# default['openssh']['client']['password_authentication'] = 'no' # default['openssh']['client']['host_based_authentication'] = 'no' # default['openssh']['client']['gssapi_authentication'] = 'no' # default['openssh']['client']['gssapi_delegate_credentials'] = 'no' 
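Review bot: The six new attributes starting at `default['openssh']['group']` carry no comments, unlike the annotated `client`/`server` groups below them, and `default['openssh']['passwordless']['role'] = 'os-compute-worker'` hard-codes a deployment-specific role name as a cookbook default. I would add `# Filled in at converge time by the openssh_key provider; holds the shared key pair as plain node attributes` above the `shared` block and `# Role whose members share one passwordless SSH key; override per deployment` above the role line. Since the provider persists these with `node.save`, the comment should say that the values end up on the Chef server so operators know where key material lives. The `gentoo` additions in the first two hunks of this file need nothing.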
@@ -102,7 +108,7 @@ default['openssh']['client']['host'] = '*'
 # default['openssh']['server']['max_sessions'] = '10'
 # default['openssh']['server']['r_s_a_authentication'] = 'yes'
 # default['openssh']['server']['pubkey_authentication'] = 'yes'
-default['openssh']['server']['authorized_keys_file'] = '%h/.ssh/authorized_keys'
+# default['openssh']['server']['authorized_keys_file'] = '%h/.ssh/authorized_keys'
 # default['openssh']['server']['rhosts_r_s_a_authentication'] = 'no'
 # default['openssh']['server']['host_based_authentication'] = 'no'
 # default['openssh']['server']['ignore_user_known_hosts'] = 'no'
diff --git a/chef/cookbooks/openssh/libraries/default.rb b/chef/cookbooks/openssh/libraries/default.rb
new file mode 100644
index 0000000..e26983d
--- /dev/null
+++ b/chef/cookbooks/openssh/libraries/default.rb
@@ -0,0 +1,39 @@
+# encoding: UTF-8
+# #
+# # Cookbook Name:: openssh
+# # libraries::master_election
+# #
+# # Author: sam.su@huawei.com
+# #
+# # Licensed under the Apache License, Version 2.0 (the 'License');
+# # you may not use this file except in compliance with the License.
+# # You may obtain a copy of the License at
+# #
+# # http://www.apache.org/licenses/LICENSE-2.0
+# #
+# # Unless required by applicable law or agreed to in writing, software
+# # distributed under the License is distributed on an 'AS IS' BASIS,
+# # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# # See the License for the specific language governing permissions and
+# # limitations under the License.
+# #
+#
+def node_election(role, tag, chef_environment = nil)
+ chef_environment = chef_environment || node.chef_environment
+ master = search(:node, "run_list:role\\[#{role}\\] AND \
+ chef_environment:#{chef_environment} AND \
+ tags:#{tag}") || []
+ if master.empty?
+ nodes = search(:node, "run_list:role\\[#{role}\\] AND \
+ chef_environment:#{chef_environment}") || []
+ nodes = nodes.sort_by { |node| node.name } unless nodes.empty?
+ if node.name.eql?(nodes.first.name)
+ node.tags << tag unless node.tags.include?(tag)
+ node.save
+ end
+ return nodes.first
+ else
+ return master.first
+ end
+end
+
diff --git a/chef/cookbooks/openssh/metadata.json b/chef/cookbooks/openssh/metadata.json
deleted file mode 100644
index b3c8cd3..0000000
--- a/chef/cookbooks/openssh/metadata.json
+++ /dev/null
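Review bot: `nodes.first.name` raises NoMethodError when the second search returns no nodes (for example before the role is indexed in this environment), because `|| []` only guards a nil result; add `return nil if nodes.empty?` before the `sort_by` and make callers handle a nil election. The block parameter in `sort_by { |node| node.name }` shadows the `node` DSL method used two lines later — `nodes.sort_by(&:name)` avoids that, and `chef_environment ||= node.chef_environment` replaces the first line. The header comment names `libraries::master_election` while the file is `libraries/default.rb`, and the method has no doc line; something like `# Returns the node in +role+ that carries +tag+, electing (and tagging) the alphabetically first node when none does` would cover it.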
@@ -1,41 +0,0 @@
-{
- "name": "openssh",
- "version": "1.3.2",
- "description": "Installs openssh",
- "long_description": "",
- "maintainer": "Opscode, Inc.",
- "maintainer_email": "cookbooks@opscode.com",
- "license": "Apache 2.0",
- "platforms": {
- "arch": ">= 0.0.0",
- "centos": ">= 0.0.0",
- "debian": ">= 0.0.0",
- "fedora": ">= 0.0.0",
- "freebsd": ">= 0.0.0",
- "redhat": ">= 0.0.0",
- "scientific": ">= 0.0.0",
- "suse": ">= 0.0.0",
- "ubuntu": ">= 0.0.0"
- },
- "dependencies": {
- "iptables": ">= 0.0.0"
- },
- "recommendations": {
- },
- "suggestions": {
- },
- "conflicting": {
- },
- "providing": {
- },
- "replacing": {
- },
- "attributes": {
- },
- "groupings": {
- },
- "recipes": {
- "openssh": "Installs openssh",
- "openssh::iptables": "Set up iptables to allow SSH inbound"
- }
-}
\ No newline at end of file
diff --git a/chef/cookbooks/openssh/metadata.rb b/chef/cookbooks/openssh/metadata.rb
index 6717041..ec60cd2 100644
--- a/chef/cookbooks/openssh/metadata.rb
+++ b/chef/cookbooks/openssh/metadata.rb
@@ -3,10 +3,11 @@ maintainer 'Opscode, Inc.'
 maintainer_email 'cookbooks@opscode.com'
 license 'Apache 2.0'
 description 'Installs openssh'
-version '1.3.2'
+version '1.3.5'
 recipe 'openssh', 'Installs openssh'
 recipe 'openssh::iptables', 'Set up iptables to allow SSH inbound'
+recipe 'openssh::passwordless', 'Set up SSH login without password'
 supports 'arch'
 supports 'centos'
diff --git a/chef/cookbooks/openssh/providers/key.rb b/chef/cookbooks/openssh/providers/key.rb
new file mode 100644
index 0000000..d79414f
--- /dev/null
+++ b/chef/cookbooks/openssh/providers/key.rb
@@ -0,0 +1,59 @@
+require 'chef/mixin/shell_out'
+include Chef::Mixin::ShellOut
+
+action :create do
+ ssh_keygen_node = node_election(new_resource.role, 'ssh_keygen')
+ a = node['openssh']['shared']['private_key']
+ if node.name.eql?(ssh_keygen_node.name) and node['openssh']['shared']['private_key'].nil?
+ unless ::File.exist?(new_resource.private_key)
+ cmd = "ssh-keygen -t rsa -q -f #{new_resource.private_key} -P ''"
+ rc = shell_out(cmd)
+ end
+ pri_key = ::File.read(new_resource.private_key)
+ pub_key = ::File.read(new_resource.public_key)
+ node.set['openssh']['shared']['private_key'] = pri_key
+ node.set['openssh']['shared']['public_key'] = pub_key
+ node.set['openssh']['shared']['authorized_key'] = pub_key
+ node.save
+ if ::File.exist?(new_resource.authorized_key)
+ ruby_block new_resource.authorized_key do
+ block do
+ auth_file = Chef::Util::FileEdit.new(new_resource.authorized_key)
+ auth_file.insert_line_if_no_match(pub_key, pub_key)
+ auth_file.write_file
+ end
+ end
+ else
+ file "#{new_resource.authorized_key}" do
+ content node['openssh']['shared']['authorized_key']
+ owner new_resource.username
+ group new_resource.username
+ mode 00600
+ end
+ end
+ elsif !node.name.eql?(ssh_keygen_node.name) && node['openssh']['shared']['private_key'].nil?
+ directory "#{new_resource.home}/.ssh for ssh keys" do
+ path "#{new_resource.home}/.ssh"
+ owner new_resource.username
+ group new_resource.username
+ mode "0700"
+ end
+ if ssh_keygen_node.attribute?('openssh')
+ %w{private_key public_key authorized_key}.each do |key|
+ unless ssh_keygen_node['openssh']['shared']["#{key}"].nil?
+ node.set['openssh']['shared']["#{key}"] = ssh_keygen_node['openssh']['shared']["#{key}"]
+ node.save
+ file eval("new_resource.#{key}") do
+ content node['openssh']['shared']["#{key}"]
+ owner new_resource.username
+ group new_resource.username
+ mode 00600
+ end
+ end
+ end
+ end
+ #else
+ ## TODO:
+ end
+end
+
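Review bot: The private key read at `pri_key = ::File.read(new_resource.private_key)` is stored as a plain node attribute (`node.set['openssh']['shared']['private_key']` followed by `node.save`), so it sits unencrypted on the Chef server and is returned by `search(:node, ...)` to every client or user with search rights, not only to the nodes in the role; an encrypted data bag or chef-vault item is the usual place for it, with only the public key left in node attributes, and at minimum that trade-off deserves a comment at the `node.set` line. The `shell_out(cmd)` result in `rc` is never checked, so a failed `ssh-keygen` falls through to `::File.read`, which then fails with ENOENT instead of the real error — `shell_out!(cmd)` is the one-line fix, and `a = node[...]` on the line above is unused. `ssh_keygen_node` can be nil when the election finds no node, so `ssh_keygen_node.name` in the `if` raises before either branch; guard with `raise "no ssh_keygen node elected for role #{new_resource.role}" if ssh_keygen_node.nil?`. `insert_line_if_no_match(pub_key, pub_key)` passes the key text as the match pattern, which appears to be applied with regexp semantics, so base64 characters such as `+` act as quantifiers and an already-present key may not be recognised and gets appended again; `Regexp.new(Regexp.escape(pub_key.strip))` as the first argument avoids that. `eval("new_resource.#{key}")` is `new_resource.send(key)` and `["#{key}"]` is `[key]`, since `key` comes from the fixed `%w{...}` list.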
diff --git a/chef/cookbooks/openssh/recipes/default.rb b/chef/cookbooks/openssh/recipes/default.rb
index 5d8b5d5..26fa951 100644
--- a/chef/cookbooks/openssh/recipes/default.rb
+++ b/chef/cookbooks/openssh/recipes/default.rb
@@ -27,7 +27,7 @@ node['openssh']['package_name'].each do |name|
 end
 service_provider = Chef::Provider::Service::Upstart if 'ubuntu' == node['platform'] &&
- Chef::VersionConstraint.new('>= 13.10').include?(node['platform_version'])
+ Chef::VersionConstraint.new('>= 12.04').include?(node['platform_version'])
 service 'ssh' do
 provider service_provider
diff --git a/chef/cookbooks/openssh/recipes/passwordless.rb b/chef/cookbooks/openssh/recipes/passwordless.rb
new file mode 100644
index 0000000..35b1d32
--- /dev/null
+++ b/chef/cookbooks/openssh/recipes/passwordless.rb
@@ -0,0 +1,4 @@
+openssh_key "SSH login without password" do
+ role node['openssh']['passwordless']['role']
+ action :create
+end
diff --git a/chef/cookbooks/openssh/resources/key.rb b/chef/cookbooks/openssh/resources/key.rb
new file mode 100644
index 0000000..dbf6779
--- /dev/null
+++ b/chef/cookbooks/openssh/resources/key.rb
@@ -0,0 +1,14 @@
+actions :create, :allow, :copy
+
+attribute :role, :kind_of => String, :name_attribute => true
+attribute :username, :kind_of => String, :default => `whoami`.delete("\n")
+attribute :home, :kind_of => String, :default => `eval echo ~${SUDO_USER}`.delete("\n")
+attribute :port, :kind_of => Integer, :default => 22
+attribute :private_key, :kind_of => String, :default => `eval echo ~${SUDO_USER}`.delete("\n") + "/.ssh/id_rsa"
+attribute :public_key, :kind_of => String, :default => `eval echo ~${SUDO_USER}`.delete("\n") + "/.ssh/id_rsa.pub"
+attribute :authorized_key, :kind_of => String, :default => `eval echo ~${SUDO_USER}`.delete("\n") + "/.ssh/authorized_keys"
+
+def initialize(*args)
+ super
+ @action = :create
+end
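Review bot: In resources/key.rb the `username` default comes from `whoami` while `home` and the three key paths come from `eval echo ~${SUDO_USER}`, so under `sudo chef-client` the files are created in the invoking user's home but with `owner root`, and when `SUDO_USER` is unset they land in the running user's (typically root's) home instead. Those defaults are also produced by shelling out at resource-load time, with `eval` re-parsing whatever `SUDO_USER` contains as shell; deriving one identity from `ENV['SUDO_USER']` with `Etc.getpwnam` (which needs `require 'etc'`) removes the shell and keeps username, home and paths consistent, as below. `actions :create, :allow, :copy` declares two actions that providers/key.rb does not implement, so `action :allow` would fail at converge; either drop them or add a comment marking them as planned.
```ruby
# … unchanged: actions, :role, :port …
SSH_USER = ENV['SUDO_USER'] || Etc.getpwuid(Process.euid).name
SSH_HOME = Etc.getpwnam(SSH_USER).dir
attribute :username, :kind_of => String, :default => SSH_USER
attribute :home, :kind_of => String, :default => SSH_HOME
attribute :private_key, :kind_of => String, :default => ::File.join(SSH_HOME, '.ssh', 'id_rsa')
attribute :public_key, :kind_of => String, :default => ::File.join(SSH_HOME, '.ssh', 'id_rsa.pub')
attribute :authorized_key, :kind_of => String, :default => ::File.join(SSH_HOME, '.ssh', 'authorized_keys')
# … unchanged: initialize …
```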
diff --git a/chef/cookbooks/openssh/spec/spec_helper.rb b/chef/cookbooks/openssh/spec/spec_helper.rb
new file mode 100644
index 0000000..1dd5126
--- /dev/null
+++ b/chef/cookbooks/openssh/spec/spec_helper.rb
@@ -0,0 +1,2 @@
+require 'chefspec'
+require 'chefspec/berkshelf'
diff --git a/chef/cookbooks/openssh/spec/unit/recipes/default_spec.rb b/chef/cookbooks/openssh/spec/unit/recipes/default_spec.rb
new file mode 100644
index 0000000..25df614
--- /dev/null
+++ b/chef/cookbooks/openssh/spec/unit/recipes/default_spec.rb
@@ -0,0 +1,51 @@
+require 'spec_helper'
+
+describe 'openssh::default' do
+ let(:chef_run) { ChefSpec::Runner.new.converge(described_recipe) }
+
+ it 'installs the openssh packages' do
+ expect(chef_run).to install_package('openssh-client')
+ expect(chef_run).to install_package('openssh-server')
+ end
+
+ it 'starts the ssh service' do
+ expect(chef_run).to start_service('ssh')
+ expect(chef_run).to enable_service('ssh')
+ end
+
+ it 'writes the ssh_config' do
+ template = chef_run.template('/etc/ssh/ssh_config')
+ expect(template).to be
+ expect(template.mode).to eq('0644')
+ expect(template.owner).to eq('root')
+ expect(template.group).to eq('root')
+ end
+
+ describe 'sshd_config' do
+
+ it 'writes the sshd_config' do
+ template = chef_run.template('/etc/ssh/sshd_config')
+ expect(template).to be
+ expect(template.mode).to eq('0644')
+ expect(template.owner).to eq('root')
+ expect(template.group).to eq('root')
+ end
+
+ it 'allow legacy default AuthorizedKeysFile behavior' do
+ expect(chef_run).to_not render_file('/etc/ssh/sshd_config').with_content(/AuthorizedKeysFile.*/)
+ end
+
+ it 'writes a match group block' do
+ chef_run.node.set['openssh']['server']['match'] = { 'Group admins' => { 'permit_tunnel' => 'yes' } }
+ chef_run.converge(described_recipe)
+ expect(chef_run).to render_file('/etc/ssh/sshd_config').with_content(/Match Group admins\n\s\sPermitTunnel yes/)
+ end
+
+ it 'skips match group block' do
+ chef_run.node.set['openssh']['server']['match'] = {}
+ chef_run.converge(described_recipe)
+ expect(chef_run).to_not render_file('/etc/ssh/sshd_config').with_content(/Match Group admins\n\s\sPermitTunnel yes/)
+ end
+
+ end
+end
diff --git a/chef/cookbooks/openssh/templates/default/sshd_config.erb b/chef/cookbooks/openssh/templates/default/sshd_config.erb
index 7bd4dc7..4cb7753 100644
--- a/chef/cookbooks/openssh/templates/default/sshd_config.erb
+++ b/chef/cookbooks/openssh/templates/default/sshd_config.erb
@@ -11,16 +11,17 @@
 <% end -%>
 <% end -%>
-<% node['openssh']['server']['match'].sort.map do |match_key, match_items| -%>
+<% unless node['openssh']['server']['match'].empty? || !defined?(node['openssh']['server']['match']) -%>
+<% node['openssh']['server']['match'].sort.map do |match_key, match_items| -%>
 Match <%= match_key %>
-<% match_items.sort.map do |key, value| -%>
-<% if value.kind_of? Array -%>
-<% value.each do |item| -%>
-<%= " #{key.split("_").map { |w| w.capitalize}.join} #{item}" %>
-<% end -%>
-<% else -%>
-<%= " #{key.split("_").map { |w| w.capitalize}.join} #{value}"%>
-<% end -%>
-<% end -%>
-
-<% end -%>
+<% match_items.sort.map do |key, value| -%>
+<% if value.kind_of? Array -%>
+<% value.each do |item| -%>
+<%= " #{key.split("_").map { |w| w.capitalize}.join} #{item}" %>
+<% end -%>
+<% else -%>
+<%= " #{key.split("_").map { |w| w.capitalize}.join} #{value}"%>
+<% end -%>
+<% end -%>
+<% end -%>
+<% end -%>
diff --git a/chef/cookbooks/openssh/test/integration/default/bats/check_service.bats b/chef/cookbooks/openssh/test/integration/default/bats/check_service.bats
new file mode 100644
index 0000000..7fccd3f
--- /dev/null
+++ b/chef/cookbooks/openssh/test/integration/default/bats/check_service.bats
@@ -0,0 +1,3 @@
+@test 'check sshd service' {
+ ps -ef | grep -v grep |grep sshd
+}
\ No newline at end of file
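Review bot: The new guard `unless node['openssh']['server']['match'].empty? || !defined?(...)` evaluates `.empty?` first, so a nil or absent `match` attribute raises NoMethodError before the `defined?` operand is reached, and `defined?` applied to a method-call expression reports "method" regardless of the value, so that operand never protects anything. `<% if node['openssh']['server']['match'] && !node['openssh']['server']['match'].empty? -%>` covers both the nil and the empty-hash case that the spec's `'skips match group block'` example exercises. The `sort.map` calls inside the block discard their result and are `sort.each` in intent; `map` here only allocates an array per render.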