10 req_envs = %w(ARVADOS_API_HOST ARVADOS_API_TOKEN ARVADOS_VIRTUAL_MACHINE_UUID)
13 abort "Fatal: These environment vars must be set: #{req_envs}"
17 exclusive_mode = ARGV.index("--exclusive")
18 exclusive_banner = "#######################################################################################
19 # THIS FILE IS MANAGED BY #{$0} -- CHANGES WILL BE OVERWRITTEN #
20 #######################################################################################\n\n"
21 start_banner = "### BEGIN Arvados-managed keys -- changes between markers will be overwritten\n"
22 end_banner = "### END Arvados-managed keys -- changes between markers will be overwritten\n"
24 # Don't try to create any local accounts
25 skip_missing_users = ARGV.index("--skip-missing-users")
30 arv = Arvados.new({ :suppress_ssl_warnings => false })
32 vm_uuid = ENV['ARVADOS_VIRTUAL_MACHINE_UUID']
34 logins = arv.virtual_machine.logins(:uuid => vm_uuid)[:items]
35 logins = [] if logins.nil?
36 logins = logins.reject { |l| l[:username].nil? or l[:hostname].nil? or l[:public_key].nil? or l[:virtual_machine_uuid] != vm_uuid }
40 open("/etc/login.defs", encoding: "utf-8") do |login_defs|
41 login_defs.each_line do |line|
42 next unless match = /^UID_MIN\s+(\S+)$/.match(line)
43 if match[1].start_with?("0x")
45 elsif match[1].start_with?("0")
50 new_uid_min = match[1].to_i(base)
51 uid_min = new_uid_min if (new_uid_min > 0)
57 return false if pwnam[l[:username]]
59 pwnam[l[:username]] = Etc.getpwnam(l[:username])
62 STDERR.puts "Account #{l[:username]} not found. Skipping"
66 if pwnam[l[:username]].uid < uid_min
67 STDERR.puts "Account #{l[:username]} uid #{pwnam[l[:username]].uid} < uid_min #{uid_min}. Skipping"
76 keys[l[:username]] = Array.new() if not keys.has_key?(l[:username])
78 # Handle putty-style ssh public keys
79 key.sub!(/^(Comment: "r[^\n]*\n)(.*)$/m,'ssh-rsa \2 \1')
80 key.sub!(/^(Comment: "d[^\n]*\n)(.*)$/m,'ssh-dss \2 \1')
84 keys[l[:username]].push(key) if not keys[l[:username]].include?(key)
88 devnull = open("/dev/null", "w")
91 next if seen[l[:username]]
92 seen[l[:username]] = true
94 unless pwnam[l[:username]]
95 STDERR.puts "Creating account #{l[:username]}"
96 groups = l[:groups] || []
97 # Adding users to the FUSE group has long been hardcoded behavior.
99 groups.select! { |g| Etc.getgrnam(g) rescue false }
101 unless system("useradd", "-m",
104 "-G", groups.join(","),
107 STDERR.puts "Account creation failed for #{l[:username]}: $?"
111 pwnam[l[:username]] = Etc.getpwnam(l[:username])
113 STDERR.puts "Created account but then getpwnam() failed for #{l[:username]}: #{e}"
118 @homedir = pwnam[l[:username]].dir
119 userdotssh = File.join(@homedir, ".ssh")
120 Dir.mkdir(userdotssh) if !File.exists?(userdotssh)
122 newkeys = "###\n###\n" + keys[l[:username]].join("\n") + "\n###\n###\n"
124 keysfile = File.join(userdotssh, "authorized_keys")
126 if File.exists?(keysfile)
127 oldkeys = IO::read(keysfile)
133 newkeys = exclusive_banner + newkeys
134 elsif oldkeys.start_with?(exclusive_banner)
135 newkeys = start_banner + newkeys + end_banner
136 elsif (m = /^(.*?\n|)#{start_banner}(.*?\n|)#{end_banner}(.*)/m.match(oldkeys))
137 newkeys = m[1] + start_banner + newkeys + end_banner + m[3]
139 newkeys = start_banner + newkeys + end_banner + oldkeys
142 if oldkeys != newkeys then
143 f = File.new(keysfile, 'w')
147 FileUtils.chown_R(l[:username], nil, userdotssh)
148 File.chmod(0700, userdotssh)
149 File.chmod(0750, @homedir)
150 File.chmod(0600, keysfile)
154 rescue Exception => bang
155 puts "Error: " + bang.to_s
156 puts bang.backtrace.join("\n")
projects / arvados.git / blob