ubicloud/prog/bootstrap_rhizome.rb
Jeremy Evans 6de231a5de Fix PostgresServerNexus#destroy to not violate strand leases
Previously, PostgresServerNexus#destroy ran:

```ruby
strand.children.each { it.destroy }
```

This is not safe as there could be an existing lease for the
strand children.  Child strands are either:

* BootstrapRhizome
* InstallRhizome (via push from Bootstrap Rhizome)
* Postgres::PostgresServerNexus (via restart from #unavailable)

Fix this by adding a destroy semaphore for all child strands,
except the Postgres::PostgresServerNexus ones, as we don't want
a child restart prog for the same server to also go into destroy.

Note that if a restart has been triggered via unavailable, and
then the destroy semaphore has been incremented, the destroy
cannot complete until after the restart commands return
successfully.

It would probably be better to have restart in a separate prog,
that could exit similarly to how Boostrap/InstallRhizome are
setup, so that destruction could proceed even if the restart
commands will not run successfully.
2025-09-16 06:11:16 +09:00

77 lines
2.6 KiB
Ruby

# frozen_string_literal: true
require_relative "../lib/util"
class Prog::BootstrapRhizome < Prog::Base
subject_is :sshable
semaphore :destroy
def user
@user ||= frame.fetch("user", "root")
end
def before_run
when_destroy_set? do
pop "exiting early due to destroy semaphore"
end
end
label def start
sshable.update(raw_private_key_1: SshKey.generate.keypair) if sshable.raw_private_key_1.nil?
hop_setup
end
# Taken from https://infosec.mozilla.org/guidelines/openssh
SSHD_CONFIG = <<SSHD_CONFIG
# Supported HostKey algorithms by order of preference.
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
# Password based logins are disabled - only public key based logins are allowed.
AuthenticationMethods publickey
# LogLevel VERBOSE logs user's key fingerprint on login. Needed to have a clear audit track of which key was using to log in.
LogLevel VERBOSE
# Terminate sessions with clients that cannot return packets rapidly.
ClientAliveInterval 2
ClientAliveCountMax 4
SSHD_CONFIG
LOGIND_CONFIG = <<LOGIND
[Login]
KillOnlyUsers=rhizome
KillUserProcesses=yes
LOGIND
label def setup
pop "rhizome user bootstrapped and source installed" if retval&.dig("msg") == "installed rhizome"
key_data = sshable.keys.map(&:private_key)
Util.rootish_ssh(sshable.host, user, key_data, <<SH)
set -ueo pipefail
sudo apt-get update
sudo apt-get -y install ruby-bundler
sudo which bundle
sudo userdel -rf rhizome || true
sudo adduser --disabled-password --gecos '' rhizome
echo 'rhizome ALL=(ALL) NOPASSWD:ALL' | sudo tee /etc/sudoers.d/98-rhizome
sudo install -d -o rhizome -g rhizome -m 0700 /home/rhizome/.ssh
sudo install -o rhizome -g rhizome -m 0600 /dev/null /home/rhizome/.ssh/authorized_keys
sudo mkdir -p /etc/systemd/logind.conf.d
echo #{LOGIND_CONFIG.shellescape} | sudo tee /etc/systemd/logind.conf.d/rhizome.conf > /dev/null
echo #{SSHD_CONFIG.shellescape} | sudo tee /etc/ssh/sshd_config.d/10-clover.conf > /dev/null
echo #{sshable.keys.map(&:public_key).join("\n").shellescape} | sudo tee /home/rhizome/.ssh/authorized_keys > /dev/null
sync
SH
push Prog::InstallRhizome, {"target_folder" => frame["target_folder"]}
end
end