From e72de00afc11b7681555f30b1dba3433125b84e2 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Javier=20B=C3=A9rtoli?=
Date: Mon, 21 Mar 2022 18:42:45 -0300
Subject: [PATCH] 18633: add sudo passwordless on shell role
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit
Arvados-DCO-1.1-Signed-off-by: Javier Bértoli
---
 .../aws/states/shell_sudo_passwordless.sls | 27 +++++++++++++++++++
 .../states/shell_sudo_passwordless.sls | 27 +++++++++++++++++++
 tools/salt-install/provision.sh | 4 ++-
 3 files changed, 57 insertions(+), 1 deletion(-)
 create mode 100644 tools/salt-install/config_examples/multi_host/aws/states/shell_sudo_passwordless.sls
 create mode 100644 tools/salt-install/config_examples/single_host/single_hostname/states/shell_sudo_passwordless.sls
diff --git a/tools/salt-install/config_examples/multi_host/aws/states/shell_sudo_passwordless.sls b/tools/salt-install/config_examples/multi_host/aws/states/shell_sudo_passwordless.sls
new file mode 100644
index 0000000000..dbcc9c907a
--- /dev/null
+++ b/tools/salt-install/config_examples/multi_host/aws/states/shell_sudo_passwordless.sls
@@ -0,0 +1,27 @@
+# Copyright (C) The Arvados Authors. All rights reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+{%- set curr_tpldir = tpldir %}
+{%- set tpldir = 'arvados' %}
+{%- from "arvados/map.jinja" import arvados with context %}
+{%- set tpldir = curr_tpldir %}
+
+extra_shell_sudo_passwordless_sudo_pkg_installed:
+ pkg.installed:
+ - name: sudo
+
+extra_shell_sudo_passwordless_config_file_managed:
+ file.managed:
+ - name: /etc/sudoers.d/arvados_passwordless
+ - makedirs: true
+ - user: root
+ - group: root
+ - mode: '0440'
+ - replace: false
+ - contents: |
+ # This file managed by Salt, do not edit by hand!!
+ # Allow members of group sudo to execute any command without password
+ %sudo ALL=(ALL:ALL) NOPASSWD:ALL
+ - require:
+ - pkg: extra_shell_sudo_passwordless_sudo_pkg_installed
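Review bot: `- replace: false` on the `/etc/sudoers.d/arvados_passwordless` state means Salt writes the file only when it is absent, so a drop-in that was edited or widened on the host is never brought back to these contents, which contradicts the "managed by Salt, do not edit by hand" header. Because the rule grants `NOPASSWD:ALL` to every member of group `sudo`, I would drop `- replace: false` and add `- check_cmd: /usr/sbin/visudo -c -f` so a malformed drop-in cannot be installed and break sudo on the node. A comment above the `contents` block should state that the rule applies to whichever accounts are in group `sudo` on that node, since the state itself does not control group membership. The same points apply to the identical copy under `single_host/single_hostname/states/`. The `arvados/map.jinja` import at the top looks unused in this state and could be removed.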
diff --git a/tools/salt-install/config_examples/single_host/single_hostname/states/shell_sudo_passwordless.sls b/tools/salt-install/config_examples/single_host/single_hostname/states/shell_sudo_passwordless.sls
new file mode 100644
index 0000000000..dbcc9c907a
--- /dev/null
+++ b/tools/salt-install/config_examples/single_host/single_hostname/states/shell_sudo_passwordless.sls
@@ -0,0 +1,27 @@
+# Copyright (C) The Arvados Authors. All rights reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+{%- set curr_tpldir = tpldir %}
+{%- set tpldir = 'arvados' %}
+{%- from "arvados/map.jinja" import arvados with context %}
+{%- set tpldir = curr_tpldir %}
+
+extra_shell_sudo_passwordless_sudo_pkg_installed:
+ pkg.installed:
+ - name: sudo
+
+extra_shell_sudo_passwordless_config_file_managed:
+ file.managed:
+ - name: /etc/sudoers.d/arvados_passwordless
+ - makedirs: true
+ - user: root
+ - group: root
+ - mode: '0440'
+ - replace: false
+ - contents: |
+ # This file managed by Salt, do not edit by hand!!
+ # Allow members of group sudo to execute any command without password
+ %sudo ALL=(ALL:ALL) NOPASSWD:ALL
+ - require:
+ - pkg: extra_shell_sudo_passwordless_sudo_pkg_installed
diff --git a/tools/salt-install/provision.sh b/tools/salt-install/provision.sh
index 0f3c9a1411..c4ccfd1269 100755
--- a/tools/salt-install/provision.sh
+++ b/tools/salt-install/provision.sh
@@ -514,7 +514,7 @@ if [ -d "${F_DIR}"/extra/extra ]; then
 # Same when using self-signed certificates.
 SKIP_SNAKE_OIL="dont_add_snakeoil_certs"
 fi
- for f in $(ls "${F_DIR}"/extra/extra/*.sls | grep -v ${SKIP_SNAKE_OIL}); do
+ for f in $(ls "${F_DIR}"/extra/extra/*.sls | egrep -v "${SKIP_SNAKE_OIL}|shell_sudo_passwordless"); do
 echo " - extra.$(basename ${f} | sed 's/.sls$//g')" >> ${S_DIR}/top.sls
 done
 # Use byo or self-signed certificates
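Review bot: The new `egrep -v` pattern in the `for f in $(ls ...)` line appears to be what keeps the `NOPASSWD` state out of the top file for roles that should not get it, yet it is an unanchored match against the full path printed by `ls`. A directory component of `${F_DIR}` or any other extra state whose name contains `shell_sudo_passwordless` would be filtered out as well. If `SKIP_SNAKE_OIL` can be empty at this point (its other assignments are outside the hunk), the pattern begins with an empty alternative, which GNU grep matches on every line, so no extra state would be listed at all. I would anchor the new alternative and use the non-deprecated spelling: `grep -Ev "${SKIP_SNAKE_OIL}|/shell_sudo_passwordless\.sls$"`. The enclosing `if` block starts and ends outside the hunk.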
@@ -544,6 +544,7 @@ if [ -z "${ROLES}" ]; then
 grep -q "custom_certs" ${S_DIR}/top.sls || echo " - extra.custom_certs" >> ${S_DIR}/top.sls
 fi
+ echo " - extra.shell_sudo_passwordless" >> ${S_DIR}/top.sls
 echo " - postgres" >> ${S_DIR}/top.sls
 echo " - docker.software" >> ${S_DIR}/top.sls
 echo " - arvados" >> ${S_DIR}/top.sls
@@ -753,6 +754,7 @@ else
 ;;
 "shell")
 # States
+ echo " - extra.shell_sudo_passwordless" >> ${S_DIR}/top.sls
 grep -q "docker" ${S_DIR}/top.sls || echo " - docker.software" >> ${S_DIR}/top.sls
 grep -q "arvados.${R}" ${S_DIR}/top.sls || echo " - arvados.${R}" >> ${S_DIR}/top.sls
 # Pillars
--
2.30.2
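Review bot: Both added `echo " - extra.shell_sudo_passwordless" >> ${S_DIR}/top.sls` lines are unconditional, here in the `ROLES`-empty branch and again in the `"shell")` case at `@@ -753`. Every single-host install and every shell node therefore gets `NOPASSWD:ALL` for group `sudo`, with no setting to turn it off. I would put each line behind an opt-in or opt-out switch, for example `[ "${SHELL_SUDO_PASSWORDLESS:-yes}" = "yes" ] && echo ...` (the variable name is a suggestion, not an existing option), and document the default in the example config. The lines also assume the state file is present in the operator's config directory; a directory copied from an earlier release without `shell_sudo_passwordless.sls` would presumably leave the top file referencing a missing state, so a `[ -f ... ]` test on that file before the `echo` would be safer. Both enclosing blocks start and end outside their hunks.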