[Piuparts-devel] RFC: preview/restrict-master-access

Holger Levsen holger at layer-acht.org
Sat Mar 9 19:12:53 UTC 2013


Hi Andreas,

On Saturday, 9 March 2013, Andreas Beckmann wrote:
> Andreas Beckmann (9):
>       p-m: rename to piuparts-master-backend.py
>       p-m: add new wrapper script piuparts-master
>       p-s/p-m: pass section via stdin instead of command line
>       p-s/p-m: move chdir and stderr logging to master wrapper
>       p-s: stop using master-directory
>       p-s: stop using (master's) log-file
>       p.conf: use simple master-command
>       p-m.deb: restrict slave's ssh key to only allow running piuparts-master
>       p-s: support empty master command
> 
> it needs more testing (including setting up an instance from the .deb
> packages)
> but I'd really like to see this in 0.50

then no. I really want to upload 0.50 now.

> - we have a lot of renaming in 0.50, so just one more

we have lots of (already tested) changes and at one point one has to say "no,
that's for the next release".

> - we are getting to a point where others could actually run piuparts in
>   master-slave setup from packages

yay!

> - for virtualizing piatti I'd consider restricting ssh access (to not be
> able to run arbitrary commands) as a crucial requirement

strictly speaking, not for virtualizing, but for adding more slaves.

> concerning security:
> 
> sudoers (as sample and in the documentation) contains:
> 
> #piuparts admins
> %piuparts       ALL=(piupartss) ALL
> %piuparts       ALL=(piupartsm) ALL
> 
> which implies piupartsm is allowed to sudo something as piupartss that
> is allowed to sudo anything without password as root ...
> and piupartsm may be accessed via ssh from piuparts slaves with
> passwordless keys
> and running piuparts slaves may be potentially unsecure
> (and maybe on non d.o hosts)
> 
> i.e. I don't like piupartsm having a path to sudo as root

right, me neither.
 
> in general I'd like to allow external slaves to feed piatti's master
> with logs - either for weird tests it does not have the power for or for
> different architectures (even if we don't know yet how to handle this)

yeah, but let's keep that for 0.52 even ;)


cheers,
	Holger
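
The key restriction named in the quoted shortlog ("restrict slave's ssh key to only allow running piuparts-master") can be verified on the master by auditing `authorized_keys` for slave keys that are not pinned to that command. This is an added example, not code from piuparts or from either poster; the sample entries, key placeholders and function names are constructed.

```python
KEY_TYPES = ("ssh-", "ecdsa-sha2-", "sk-")
HARDENING = ("no-pty", "no-port-forwarding", "no-agent-forwarding", "no-x11-forwarding")

def parse_line(line):
    """Return (options, key_fields) for one entry, or None for blanks/comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.split()[0].startswith(KEY_TYPES):
        return {}, line                      # entry carries no options at all
    opts, buf, quoted, i = [], "", False, 0
    while i < len(line):
        c = line[i]
        if quoted and line[i:i + 2] == '\\"':
            buf, i = buf + '"', i + 2        # \" is a literal quote inside a value
            continue
        if c == '"':
            quoted = not quoted
        elif c == "," and not quoted:
            opts, buf = opts + [buf], ""
        elif c.isspace() and not quoted:
            break                            # options end at the first unquoted blank
        else:
            buf += c
        i += 1
    opts.append(buf)
    parsed = {name.lower(): value for name, _, value in (o.partition("=") for o in opts)}
    return parsed, line[i:].strip()

def audit(text, expected="piuparts-master"):
    """List (line_no, key_comment, problem) for keys allowing more than `expected`."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        if (entry := parse_line(raw)) is None:
            continue
        opts, who = entry[0], (entry[1].split() or ["?"])[-1]
        if opts.get("command") != expected:
            findings.append((n, who, "forced command is not " + expected))
        elif "restrict" not in opts and any(h not in opts for h in HARDENING):
            findings.append((n, who, "forwarding/pty not disabled"))
    return findings

SAMPLE = "\n".join([                         # constructed; key material is a placeholder
    "# slave keys on the master",
    "ssh-rsa AAAAPLACEHOLDER slave1@example",
    'command="piuparts-master",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-rsa AAAAPLACEHOLDER slave2@example',
    'command="piuparts-master" ssh-rsa AAAAPLACEHOLDER slave3@example',
    r'command="/bin/sh -c \"exec piuparts-master\"",restrict ssh-rsa AAAAPLACEHOLDER slave4@example',
])
```

With a forced command sshd ignores whatever command the client requests, which fits the shortlog's move to passing the section via stdin instead of the command line.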


