Merge "AFS: Allow for remote vos release with localauth"

playbooks/remote_puppet_afs.yaml

@@ -9,3 +9,18 @@
   strategy: free
   roles:
     - puppet
+
+- hosts: "mirror-update:!disabled"
+  name: "Create key for remote vos release"
+  tasks:
+    - name: Create vos release keypair
+      openssh_keypair:
+        path: /root/.ssh/id_vos_release
+        type: ed25519
+      register: vos_release_keypair
+
+# Note: relies on vos_release_keypair installed to mirror above
+- hosts: "afs:!disabled"
+  name: "Allow remote vos_release"
+  roles:
+    - vos-release

playbooks/roles/vos-release/README.rst

@@ -0,0 +1,27 @@
+vos release with localauth
+
+Install a user and script to do remote ``vos release`` with
+``localauth`` authentication.  This can avoid kerberos or AFS
+timeouts.
+
+This relies on ``vos_release_keypair`` which is expected to be a
+single keypair from the mirror-update host.  It will allow that
+keypair to run ``/usr/local/bin/vos_release.sh``, which filters the
+incoming command.  Releases are expected to be triggered on the update
+host with::
+
+  ssh -i /root/.ssh/id_vos_release afs01.dfw.openstack.org vos release <mirror>.<volume>
+
+Future work, if required
+
+* Allow multiple hosts to call the release script (i.e. handle
+  multiple keys).
+* Implement locking within ``vos_release.sh`` script to prevent too
+  many simulatenous releases.
+
+**Role Variables**
+
+.. zuul:rolevar:: vos_release_keypair
+
+   The authorized key to allow to run the
+   ``/usr/local/bin/vos_release.sh`` script

playbooks/roles/vos-release/files/vos_release.sh

@@ -0,0 +1,17 @@
+#!/bin/bash
+
+if [[ -z "${SSH_ORIGINAL_COMMAND}" ]]; then
+    echo "usage: vos release <volume>"
+    exit 1
+fi
+
+set -- $SSH_ORIGINAL_COMMAND
+
+if [[ $# != 3 || $1 != "vos" || $2 != "release" ]]; then
+    echo "usage: vos release <volume>"
+    exit 1
+fi
+
+vos release -v -localauth $3
+
+

playbooks/roles/vos-release/tasks/main.yaml

@@ -0,0 +1,19 @@
+- name: Install vos release script
+  copy:
+    src: vos_relase.sh
+    dest: '/usr/local/bin/'
+    owner: root
+    group: root
+    mode: 0755
+
+- name: Ensure update key
+  assert:
+    that:
+      - vos_release_keypair is defined
+
+- name: Install vos release key
+  authorized_key:
+    user: 'root'
+    state: present
+    key: '{{ vos_release_keypair["public_key"] }}'
+    key_options: 'command="/usr/local/bin/vos_release.sh",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty'