[Piuparts-devel] RFC: preview/restrict-master-access
Andreas Beckmann
anbe at debian.org
Sat Mar 9 18:21:51 UTC 2013

Andreas Beckmann (9):
      p-m: rename to piuparts-master-backend.py
      p-m: add new wrapper script piuparts-master
      p-s/p-m: pass section via stdin instead of command line
      p-s/p-m: move chdir and stderr logging to master wrapper
      p-s: stop using master-directory
      p-s: stop using (master's) log-file
      p.conf: use simple master-command
      p-m.deb: restrict slave's ssh key to only allow running piuparts-master
      p-s: support empty master command

it needs more testing (including setting up an instance from the .deb
packages)

but I'd really like to see this in 0.50
- we have a lot of renaming in 0.50, so just one more
- we are getting to a point where others could actually run piuparts in
  master-slave setup from packages
- for virtualizing piatti I'd consider restricting ssh access (to not be
  able to run arbitrary commands) as a crucial requirement

concerning security:

sudoers (as sample and in the documentation) contains:

    #piuparts admins
    %piuparts ALL=(piupartss) ALL
    %piuparts ALL=(piupartsm) ALL

which implies piupartsm is allowed to sudo something as piupartss that
is allowed to sudo anything without password as root ...
and piupartsm may be accessed via ssh from piuparts slaves with
passwordless keys
and running piuparts slaves may be potentially unsecure
(and maybe on non d.o hosts)

i.e. I don't like piupartsm having a path to sudo as root

in general I'd like to allow external slaves to feed piatti's master
with logs - either for weird tests it does not have the power for or for
different architectures (even if we don't know yet how to handle this)

Andreas
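
The sudo chain described in the message above can be checked mechanically. The following is an added example, not part of the original mail or of piuparts. The third sudoers rule and the group membership are assumptions constructed from the mail's wording, and `parse_rules` / `escalation_path` are hypothetical helper names that handle only simple one-line rules.

```python
import re
from collections import deque

# Constructed input: the first three lines are quoted in the mail; the fourth
# rule and the group membership are assumed from the mail's description.
SUDOERS = """\
#piuparts admins
%piuparts ALL=(piupartss) ALL
%piuparts ALL=(piupartsm) ALL
piupartss ALL=(root) NOPASSWD: ALL
"""
GROUPS = {"piuparts": {"piupartsm", "alice"}}  # assumed membership

RULE = re.compile(r"^(%?[\w-]+)\s+\S+\s*=\s*\(([^)]*)\)\s*(NOPASSWD:)?\s*(.+)$")

def parse_rules(text):
    """Return (who, runas_user, nopasswd, commands) for simple one-line rules."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        m = RULE.match(line)
        if not m or line.startswith("#"):
            continue  # comments, blanks and anything this sketch cannot parse
        who, runas, nopw, cmds = m.groups()
        for target in runas.split(":")[0].split(","):  # drop any ":group" part
            if target.strip():
                rules.append((who, target.strip(), bool(nopw), cmds.strip()))
    return rules

def escalation_path(start, goal, rules, groups):
    """BFS over 'may run ALL commands as' edges; password prompts are ignored."""
    edges = {}
    for who, target, _nopw, cmds in rules:
        if cmds != "ALL":
            continue  # restricted command lists need manual review
        members = groups.get(who[1:], set()) if who.startswith("%") else {who}
        for member in members:
            edges.setdefault(member, set()).add(target)
    queue, seen = deque([[start]]), {start}
    while queue:
        path = queue.popleft()
        if path[-1] == goal:
            return path
        for nxt in sorted(edges.get(path[-1], ())):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None
```

With the assumed membership the check reports the chain piupartsm, piupartss, root; taking piupartsm out of the group leaves the ssh-reachable account with no path.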