Do things as $SWAPPER.

(Much of the seed code for this profile came from a profile that insisted on being root; fix all of that.)
docc-lab · Sep 16, 2020 · b1f5dac · b1f5dac
1 parent 2152394
commit b1f5dac
Show file tree

Hide file tree

Showing 11 changed files with 164 additions and 198 deletions.
diff --git a/profile.py b/profile.py
@@ -11,7 +11,7 @@
 import os.path
 import sys
 
-TBCMD = "sudo mkdir -p /root/setup && (if [ -d /local/repository ]; then sudo -H /local/repository/setup-driver.sh 2>&1 | sudo tee /root/setup/setup-driver.log; else sudo -H /tmp/setup/setup-driver.sh 2>&1 | sudo tee /root/setup/setup-driver.log; fi)"
+TBCMD = "sudo mkdir -p /local/setup && sudo chown `cat /var/emulab/boot/swapper` /local/setup && sudo -u `cat /var/emulab/boot/swapper` -Hi /bin/sh -c '/local/repository/setup-driver.sh >/local/setup/setup-driver.log 2>&1'"
 
 #
 # For now, disable the testbed's root ssh key service until we can remove ours.

diff --git a/setup-disk-space.sh b/setup-disk-space.sh
@@ -10,10 +10,6 @@ set -x
 if [ -z "$EUID" ]; then
     EUID=`id -u`
 fi
-if [ $EUID -ne 0 ] ; then
-    echo "This script must be run as root" 1>&2
-    exit 1
-fi
 
 # Grab our libs
 . "`dirname $0`/setup-lib.sh"
@@ -41,16 +37,16 @@ maybe_install_packages lvm2 maybe_install_packages thin-provisioning-tools
 # First try to make LVM volumes; fall back to mkextrafs.pl /storage.  We
 # use /storage later, so we make the dir either way.
 #
-mkdir -p ${STORAGEDIR}
+$SUDO mkdir -p ${STORAGEDIR}
 echo "STORAGEDIR=${STORAGEDIR}" >> $LOCALSETTINGS
 # Check to see if we already have an `emulab` VG.  This would occur
 # if the user requested a temp dataset.  If this happens, we simple
 # rename it to the VG name we expect.
-vgdisplay emulab
+$SUDO vgdisplay emulab
 if [ $? -eq 0 ]; then
     if [ ! emulab = $VGNAME ]; then
-	vgrename emulab $VGNAME
-	sed -i -re "s/^(.*)(\/dev\/emulab)(.*)$/\1\/dev\/$VGNAME\3/" /etc/fstab
+	$SUDO vgrename emulab $VGNAME
+	$SUDO sed -i -re "s/^(.*)(\/dev\/emulab)(.*)$/\1\/dev\/$VGNAME\3/" /etc/fstab
     fi
     LVM=1
     echo "VGNAME=${VGNAME}" >> $LOCALSETTINGS
@@ -69,15 +65,15 @@ elif [ -z "$LVM" ] ; then
     # Well, now there's a new partition layout; try it.
     if [ "$ARCH" = "aarch64" -o "$ARCH" = "ppc64le" ]; then
 	maybe_install_packages gdisk
-	sgdisk -i 1 /dev/sda
+	$SUDO sgdisk -i 1 /dev/sda
 	if [ $? -eq 0 ] ; then
 	    nparts=`sgdisk -p /dev/sda | grep -E '^ +[0-9]+ +.*$' | wc -l`
 	    if [ $nparts -lt 4 ]; then
 		newpart=`expr $nparts + 1`
-		sgdisk -N $newpart /dev/sda
-		partprobe /dev/sda
+		$SUDO sgdisk -N $newpart /dev/sda
+		$SUDO partprobe /dev/sda
 		if [ $? -eq 0 ] ; then
-		    partprobe /dev/sda
+		    $SUDO partprobe /dev/sda
 		    # Add the new partition specifically
 		    MKEXTRAFS_ARGS="${MKEXTRAFS_ARGS} -s $newpart"
 		fi
@@ -88,33 +84,33 @@ elif [ -z "$LVM" ] ; then
     #
     # See if we can try to use an LVM instead of just the 4th partition.
     #
-    lsblk -n -P -b -o NAME,FSTYPE,MOUNTPOINT,PARTTYPE,PARTUUID,TYPE,PKNAME,SIZE | perl -e 'my %devs = (); while (<STDIN>) { $_ =~ s/([A-Z0-9a-z]+=)/;\$$1/g; eval "$_"; if (!($TYPE eq "disk" || $TYPE eq "part")) { next; }; if (exists($devs{$PKNAME})) { delete $devs{$PKNAME}; } if ($FSTYPE eq "" && $MOUNTPOINT eq "" && ($PARTTYPE eq "" || $PARTTYPE eq "0x0") && (int($SIZE) > 3221225472)) { $devs{$NAME} = "/dev/$NAME"; } }; print join(" ",values(%devs))."\n"' > /tmp/devs
+    $SUDO lsblk -n -P -b -o NAME,FSTYPE,MOUNTPOINT,PARTTYPE,PARTUUID,TYPE,PKNAME,SIZE | perl -e 'my %devs = (); while (<STDIN>) { $_ =~ s/([A-Z0-9a-z]+=)/;\$$1/g; eval "$_"; if (!($TYPE eq "disk" || $TYPE eq "part")) { next; }; if (exists($devs{$PKNAME})) { delete $devs{$PKNAME}; } if ($FSTYPE eq "" && $MOUNTPOINT eq "" && ($PARTTYPE eq "" || $PARTTYPE eq "0x0") && (int($SIZE) > 3221225472)) { $devs{$NAME} = "/dev/$NAME"; } }; print join(" ",values(%devs))."\n"' > /tmp/devs
     DEVS=`cat /tmp/devs`
     if [ -n "$DEVS" ]; then
-	pvcreate $DEVS && vgcreate $VGNAME $DEVS
+	$SUDO pvcreate $DEVS && vgcreate $VGNAME $DEVS
 	if [ ! $? -eq 0 ]; then
 	    echo "ERROR: failed to create PV/VG with '$DEVS'; falling back to mkextrafs.pl"
-	    vgremove $VGNAME
-	    pvremove $DEVS
+	    $SUDO vgremove $VGNAME
+	    $SUDO pvremove $DEVS
 	    DONE=0
 	else
 	    DONE=1
 	fi
     fi
 
     if [ $DONE -eq 0 ]; then
-	/usr/local/etc/emulab/mkextrafs.pl ${MKEXTRAFS_ARGS}
+	$SUDO /usr/local/etc/emulab/mkextrafs.pl ${MKEXTRAFS_ARGS}
 	if [ $? -ne 0 ]; then
-	    /usr/local/etc/emulab/mkextrafs.pl ${MKEXTRAFS_ARGS} -f
+	    $SUDO /usr/local/etc/emulab/mkextrafs.pl ${MKEXTRAFS_ARGS} -f
 	    if [ $? -ne 0 ]; then
-		/usr/local/etc/emulab/mkextrafs.pl -f ${STORAGEDIR}
+		$SUDO /usr/local/etc/emulab/mkextrafs.pl -f ${STORAGEDIR}
 		LVM=0
 	    fi
 	fi
     fi
 
     # Get integer total space (G) available.
-    VGTOTAL=`vgs -o vg_size --noheadings --units G $VGNAME | sed -ne 's/ *\([0-9]*\)[0-9\.]*G/\1/p'`
+    VGTOTAL=`$SUDO vgs -o vg_size --noheadings --units G $VGNAME | sed -ne 's/ *\([0-9]*\)[0-9\.]*G/\1/p'`
     echo "VGNAME=${VGNAME}" >> $LOCALSETTINGS
     echo "VGTOTAL=${VGTOTAL}" >> $LOCALSETTINGS
     echo "LVM=${LVM}" >> $LOCALSETTINGS
@@ -130,29 +126,29 @@ if [ $LVM -eq 1 ]; then
     LV_SIZE=`perl -e "print 0.75 * $vgt;"`
     echo "LV_SIZE=${LV_SIZE}" >> $LOCALSETTINGS
 
-    #lvcreate -l 75%FREE -n $LVNAME $VGNAME
-    lvcreate -L ${LV_SIZE}G -n $LVNAME $VGNAME
+    #$SUDO lvcreate -l 75%FREE -n $LVNAME $VGNAME
+    $SUDO lvcreate -L ${LV_SIZE}G -n $LVNAME $VGNAME
 
     if [ -f /sbin/mkfs.ext4 ]; then
-	mkfs.ext4 /dev/$VGNAME/$LVNAME
+	$SUDO mkfs.ext4 /dev/$VGNAME/$LVNAME
 	echo "/dev/$VGNAME/$LVNAME ${STORAGEDIR} ext4 defaults 0 0" \
-	    >> /etc/fstab
+	    | $SUDO tee -a /etc/fstab
     else
 	mkfs.ext3 /dev/$VGNAME/$LVNAME
 	echo "/dev/$VGNAME/$LVNAME ${STORAGEDIR} ext3 defaults 0 0" \
-	    >> /etc/fstab
+	    | $SUDO tee -a /etc/fstab
     fi
-    mount ${STORAGEDIR}
+    $SUDO mount ${STORAGEDIR}
 fi
 
 #
 # Redirect some Docker/k8s dirs into our extra storage.
 #
 for dir in docker kubelet ; do
-    mkdir -p $STORAGEDIR/$dir /var/lib/$dir
-    mount -o bind $STORAGEDIR/$dir /var/lib/$dir
+    $SUDO mkdir -p $STORAGEDIR/$dir /var/lib/$dir
+    $SUDO mount -o bind $STORAGEDIR/$dir /var/lib/$dir
     echo "$STORAGEDIR/$dir /var/lib/$dir none defaults,bind 0 0" \
-        >> /etc/fstab
+        | $SUDO tee -a /etc/fstab
 done
 
 logtend "disk-space"

diff --git a/setup-driver.sh b/setup-driver.sh
@@ -2,15 +2,7 @@
 
 set -x
 
-if [ -z "$EUID" ]; then
-    EUID=`id -u`
-fi
-if [ $EUID -ne 0 ] ; then
-    echo "This script must be run as root" 1>&2
-    exit 1
-fi
-
-ALLNODESCRIPTS="setup-root-ssh.sh setup-disk-space.sh"
+ALLNODESCRIPTS="setup-ssh.sh setup-disk-space.sh"
 HEADNODESCRIPTS="setup-nginx.sh setup-ssl.sh setup-kubespray.sh setup-kubernetes-extra.sh"
 
 export SRC=`dirname $0`

diff --git a/setup-kubernetes-extra.sh b/setup-kubernetes-extra.sh
@@ -2,14 +2,6 @@
 
 set -x
 
-if [ -z "$EUID" ]; then
-    EUID=`id -u`
-fi
-if [ $EUID -ne 0 ] ; then
-    echo "This script must be run as root" 1>&2
-    exit 1
-fi
-
 # Grab our libs
 . "`dirname $0`/setup-lib.sh"
 
@@ -20,7 +12,7 @@ fi
 logtstart "kubernetes-extra"
 
 # Create a localhost kube-proxy service and fire it off.
-cat <<'EOF' >/etc/systemd/system/kube-proxy.service
+cat <<'EOF' | $SUDO tee /etc/systemd/system/kube-proxy.service
 [Unit]
 Description=Kubernetes Local Proxy Service
 After=kubelet.service
@@ -36,9 +28,9 @@ StandardError=journal+console
 [Install]
 WantedBy=multi-user.target
 EOF
-systemctl daemon-reload
-systemctl enable kube-proxy
-systemctl start kube-proxy
+service_init_reload
+service_enable kube-proxy
+service_start kube-proxy
 
 # Expose the dashboard IFF we have a certificate configuration
 if [ ! "$SSLCERTTYPE" = "none" -a "$SSLCERTCONFIG" = "proxy" ]; then
@@ -49,7 +41,7 @@ if [ ! "$SSLCERTTYPE" = "none" -a "$SSLCERTCONFIG" = "proxy" ]; then
 	certpath="/etc/letsencrypt/live/${NFQDN}/fullchain.pem"
 	keypath="/etc/letsencrypt/live/${NFQDN}/privkey.pem"
     fi
-    cat <<EOF >/etc/nginx/sites-available/k8s-dashboard
+    cat <<EOF | $SUDO tee /etc/nginx/sites-available/k8s-dashboard
 map \$http_upgrade \$connection_upgrade {
         default Upgrade;
         ''      close;
@@ -75,9 +67,9 @@ server {
         }
 }
 EOF
-    ln -sf /etc/nginx/sites-available/k8s-dashboard \
+    $SUDO ln -sf /etc/nginx/sites-available/k8s-dashboard \
         /etc/nginx/sites-enabled/k8s-dashboard
-    systemctl restart nginx
+    service_restart nginx
 fi
 
 # Generate a cluster-wide token for an admin account, and dump it into

diff --git a/setup-kubespray.sh b/setup-kubespray.sh
@@ -2,14 +2,6 @@
 
 set -x
 
-if [ -z "$EUID" ]; then
-    EUID=`id -u`
-fi
-if [ $EUID -ne 0 ] ; then
-    echo "This script must be run as root" 1>&2
-    exit 1
-fi
-
 # Grab our libs
 . "`dirname $0`/setup-lib.sh"
 
@@ -22,8 +14,8 @@ logtstart "kubespray"
 # First, we need yq.
 are_packages_installed yq
 if [ ! $? -eq 1 ]; then
-    apt-key adv --keyserver keyserver.ubuntu.com --recv-keys CC86BB64
-    add-apt-repository -y ppa:rmescandon/yq
+    $SUDO apt-key adv --keyserver keyserver.ubuntu.com --recv-keys CC86BB64
+    $SUDO add-apt-repository -y ppa:rmescandon/yq
     maybe_install_packages yq
 fi
 
@@ -54,7 +46,7 @@ if [ $KUBESPRAYUSEVIRTUALENV -eq 1 ]; then
     $PIP install -r kubespray/requirements.txt
 else
     maybe_install_packages software-properties-common ${PYTHON}-pip
-    add-apt-repository --yes --update ppa:ansible/ansible
+    $SUDO add-apt-repository --yes --update ppa:ansible/ansible
     maybe_install_packages ansible
     $PIP install -r kubespray/requirements.txt
 fi
@@ -108,25 +100,25 @@ else
     ip=10.10.1.1
     nm=255.255.0.0
     cidr=$ip/16
-    echo "$ip $HEAD" >> /etc/hosts
-    ip link add type dummy name dummy0
-    ip addr add $cidr dev dummy0
-    ip link set dummy0 up
+    echo "$ip $HEAD" | $SUDO tee -a /etc/hosts
+    $SUDO ip link add type dummy name dummy0
+    $SUDO ip addr add $cidr dev dummy0
+    $SUDO ip link set dummy0 up
     DISTRIB_MAJOR=`. /etc/lsb-release && echo $DISTRIB_RELEASE | cut -d. -f1`
     if [ $DISTRIB_MAJOR -lt 18 ]; then
-	cat <<EOF > /etc/network/interfaces.d/kube-single-node.conf
+	cat <<EOF | $SUDO tee /etc/network/interfaces.d/kube-single-node.conf
 auto dummy0
 iface dummy0 inet static
     address $cidr
     pre-up ip link add dummy0 type dummy
 EOF
     else
-	cat <<EOF >/etc/systemd/network/dummy0.netdev
+	cat <<EOF | $SUDO tee /etc/systemd/network/dummy0.netdev
 [NetDev]
 Name=dummy0
 Kind=type
 EOF
-	cat <<EOF >/etc/systemd/network/dummy0.network
+	cat <<EOF | $SUDO tee /etc/systemd/network/dummy0.network
 [Match]
 Name=dummy0
 
@@ -331,9 +323,12 @@ if [ ! $? -eq 0 ]; then
 fi
 cd ..
 
-mkdir -p /root/.kube
-mkdir -p /users/$SWAPPER/.kube
+$SUDO rm -rf /root/.kube
+$SUDO mkdir -p /root/.kube
 cp -p $INVDIR/artifacts/admin.conf /root/.kube/config
+
+[ -d /users/$SWAPPER/.kube ] && rm -rf /users/$SWAPPER/.kube
+mkdir -p /users/$SWAPPER/.kube
 cp -p $INVDIR/artifacts/admin.conf /users/$SWAPPER/.kube/config
 chown -R $SWAPPER /users/$SWAPPER/.kube
 
@@ -347,7 +342,7 @@ which helm
 if [ ! $? -eq 0 -a -n "${HELM_VERSION}" ]; then
     wget https://storage.googleapis.com/kubernetes-helm/helm-${HELM_VERSION}-linux-amd64.tar.gz
     tar -xzvf helm-${HELM_VERSION}-linux-amd64.tar.gz
-    mv linux-amd64/helm /usr/local/bin/helm
+    $SUDO mv linux-amd64/helm /usr/local/bin/helm
 
     helm init --upgrade --force-upgrade
     kubectl create serviceaccount --namespace kube-system tiller

diff --git a/setup-letsencrypt.sh b/setup-letsencrypt.sh
@@ -2,14 +2,6 @@
 
 set -x
 
-if [ -z "$EUID" ]; then
-    EUID=`id -u`
-fi
-if [ $EUID -ne 0 ] ; then
-    echo "This script must be run as root" 1>&2
-    exit 1
-fi
-
 # Grab our libs
 . "`dirname $0`/setup-lib.sh"
 
@@ -20,17 +12,17 @@ fi
 logtstart "letsencrypt"
 
 maybe_install_packages python-certbot-nginx
-certbot certonly -d $NFQDN --nginx --agree-tos -m "$SWAPPER_EMAIL" -n
-mkdir -p /etc/nginx/ssl
-#cp -p /etc/letsencrypt/live/$NFQDN/*.pem /etc/nginx/ssl/
-#chown -R www-data:root /etc/nginx/ssl/
-#chmod 770 /etc/nginx/ssl
+$SUDO certbot certonly -d $NFQDN --nginx --agree-tos -m "$SWAPPER_EMAIL" -n
+$SUDO mkdir -p /etc/nginx/ssl
+#$SUDO cp -p /etc/letsencrypt/live/$NFQDN/*.pem /etc/nginx/ssl/
+#$SUDO chown -R www-data:root /etc/nginx/ssl/
+#$SUDO chmod 770 /etc/nginx/ssl
 
 #
 # Add a simple revocation service that runs on shutdown/reboot and if
 # the node is no longer allocated, certbot revoke .
 #
-cat <<'EOF' >/etc/systemd/system/tbhook.service
+cat <<'EOF' | $SUDO tee /etc/systemd/system/tbhook.service
 [Unit]
 Description=Testbed Hook Service
 After=testbed.service
@@ -46,9 +38,9 @@ StandardError=journal+console
 [Install]
 WantedBy=multi-user.target
 EOF
-systemctl daemon-reload
-systemctl enable tbhook
-systemctl start tbhook
+service_init_reload
+service_enable tbhook
+service_start tbhook
 
 logtend "letsencrypt"
 touch $OURDIR/letsencrypt-done