infrastructure August 2009

infrastructure@lists.fedoraproject.org

52 participants
70 discussions

[Change Request] koji theming
by Dennis Gilmore 24 Aug '09

24 Aug '09

Id like to update the koji theming i need to install the rpms from http://koji.fedoraproject.org/koji/taskinfo?taskID=1629426 and apply a small hotfix to kojiweb https://fedorahosted.org/fedora-infrastructure/ticket/1628 the impact is minimal and easily reversed. all changes are upstream. Ill be publishing the hg repos on fedorapeople later today for the theming rpms. can i get 2 +1's please

3 2

CSI doc
by Paul W. Frields 24 Aug '09

24 Aug '09

Mike et al., I made a few updates to the CSI Security Policy document's incident response plan -- Most of them were non-substantive, just fixing or clarifying the language. Any eyeballs or reviews of the changes appreciated. If it looks OK, feel free to publish the update at the appropriate infrastructure.fp.o location. By the way, if anyone has a tip for how to get Publican to build a proper PDF from that document, I'd appreciate it. It's totally hosed on my Fedora 11 box, although I was able to build an HTML version and then print to PDF from that. -- Paul W. Frields http://paul.frields.org/ gpg fingerprint: 3DA6 A0AC 6D58 FEC4 0233 5906 ACDB C937 BD11 3717 http://redhat.com/ - - - - http://pfrields.fedorapeople.org/ irc.freenode.net: stickster @ #fedora-docs, #fedora-devel, #fredlug

2 2

Introduction
by Christopher Hultin 23 Aug '09

23 Aug '09

Hello, my name is Chris. I'm skilled with HTML/XHTML and CSS. I am also CIW Certified. I have hosted my own website, and have a home server configured with Fedora 11. Thanks for reading this introduction!

2 2

Re: changing tabs to spaces in pager.py
by Dennis Gilmore 22 Aug '09

22 Aug '09

My opinion is have at it. Fixing things is always welcome. If you can't commit a fix prepare a patch. Its a great way to be involved and start to help. Darren VanBuren <onekopaka(a)gmail.com> wrote: >-----BEGIN PGP SIGNED MESSAGE----- >Hash: SHA1 > > >On Aug 22, 2009, at 10:04 AM, Mike McGrath wrote: > >> On Sat, 22 Aug 2009, Darren VanBuren wrote: >> >>> -----BEGIN PGP SIGNED MESSAGE----- >>> Hash: SHA1 >>> >>> I know that some of you dislike tabs, and when I was adding myself to >>> pager.py, I found there were tabs in the HTML portion as opposed to >>> spaces, >>> and tmz pointed out that several other lines are indented with tabs. >>> >>> I know it's pretty standard for us to use spaces for indentation, >>> but I wanted >>> to check whether it's okay to change pager.py further than adding >>> myself >>> (which ricky approved of on IRC earlier today). >>> >> >> This is correct, although at the moment unwritten. We prefer 4 >> spaces to >> a tab character. Or as Seth says "Tabs are a lie". >> >> -Mike >> >So what's your opinion on me changing it? > >Darren VanBuren >onekopaka(a)gmail.com >==================== >http://theoks.net/ >-----BEGIN PGP SIGNATURE----- >Version: GnuPG v1.4.9 (Darwin) > >iEYEARECAAYFAkqQJawACgkQBkMMSWb0YpYSJQCg4Ye64+aD7gHwsUWli2q9BCWR >gg4AoJ1xFzGxF033bopaekxLcpPepj90 >=euRS >-----END PGP SIGNATURE----- > >_______________________________________________ >Fedora-infrastructure-list mailing list >Fedora-infrastructure-list(a)redhat.com >https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list -- Dennis Gilmore

1 0

changing tabs to spaces in pager.py
by Darren VanBuren 22 Aug '09

22 Aug '09

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I know that some of you dislike tabs, and when I was adding myself to pager.py, I found there were tabs in the HTML portion as opposed to spaces, and tmz pointed out that several other lines are indented with tabs. I know it's pretty standard for us to use spaces for indentation, but I wanted to check whether it's okay to change pager.py further than adding myself (which ricky approved of on IRC earlier today). Darren VanBuren onekopaka(a)gmail.com ==================== http://theoks.net/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (Darwin) iEYEARECAAYFAkqQHf0ACgkQBkMMSWb0YpYD2ACgsHp6p8I/UWZ/vhalP2sH3X7i ScoAn3FFigmBenOfHzAZSsaFaePPAV+v =IV/9 -----END PGP SIGNATURE-----

2 2

[PATCH/RFC] mailman: Use Mailman's Secure_MakeRandomPassword() for list passwords
by Todd Zullinger 21 Aug '09

21 Aug '09

This should generate a bit stronger passwords than the previous code, which encoded the passwords as hex, limiting the characters in the password to the set [0-9a-f]. --- The mailman_server class is only included on collab[12] and hosted1, so it isn't actually affected by the current freeze policy. But I still wanted to float this by the list for comments and review. The current fedora-mailing-list-setup script creates a list password using: file('/dev/urandom', 'r').read(4).encode('hex') This seems to be a good bit weaker than it needs to be. Unless someone has better alternatives for creating decent list passwords, I suggest we take advantage of Mailman.Utils.Secure_MakeRandomPassword() from mailman. The Secure_MakeRandomPassword() code is in: /usr/lib/mailman/Mailman/Utils.py configs/mailman/fedora-mailing-list-setup | 2 +- modules/mailman/files/fedora-mailing-list-setup | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/configs/mailman/fedora-mailing-list-setup b/configs/mailman/fedora-mailing-list-setup index 8ccdda7..80b2c58 100755 --- a/configs/mailman/fedora-mailing-list-setup +++ b/configs/mailman/fedora-mailing-list-setup @@ -62,7 +62,7 @@ def create_list(listname, owner_mail): host_name = mm_cfg.DEFAULT_EMAIL_HOST web_page_url = mm_cfg.DEFAULT_URL_PATTERN % urlhost - listpasswd = file('/dev/urandom', 'r').read(4).encode('hex') + listpasswd = Utils.Secure_MakeRandomPassword(mm_cfg.ADMIN_PASSWORD_LENGTH) mlist = MailList.MailList() try: diff --git a/modules/mailman/files/fedora-mailing-list-setup b/modules/mailman/files/fedora-mailing-list-setup index 7d5dcd3..bf10b81 100755 --- a/modules/mailman/files/fedora-mailing-list-setup +++ b/modules/mailman/files/fedora-mailing-list-setup @@ -62,7 +62,7 @@ def create_list(listname, owner_mail): host_name = mm_cfg.DEFAULT_EMAIL_HOST web_page_url = mm_cfg.DEFAULT_URL_PATTERN % urlhost - listpasswd = file('/dev/urandom', 'r').read(4).encode('hex') + listpasswd = Utils.Secure_MakeRandomPassword(mm_cfg.ADMIN_PASSWORD_LENGTH) mlist = MailList.MailList() try: -- 1.6.4 -- Todd OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ We waste more time by 8:00 in the morning than other companies do all day.

3 3

smolt change request
by Mike McGrath 21 Aug '09

21 Aug '09

I'd like to do the hotfix described here: https://fedorahosted.org/fedora-infrastructure/ticket/1622 Changes are already upstream. -Mike

3 2

[Change Request] Add script/cron job for checking git repo perms
by Todd Zullinger 20 Aug '09

20 Aug '09

The git::check-perms class includes a script for checking that the permissions of git repositories are generally proper for shared repositories. It also runs this script each day via a cron job. This is included on the hosted1 node. --- The intent of this script is to check that git repos on hosted don't end up with permissions that will cause problems when folks try to push to them. This shouldn't happen too often anymore since we fixed a git bug and have better scripts for creating the repositories, but it can still crop up. This script won't catch something like the a repo having the wrong group, unless we want to standardize on group naming and fix up existing repositories that don't follow that convention. (Which doesn't seem worth the effort.) I just picked the time for the cron job at random. If there is a better time for it to run, I can change it before pushing this. The change should be very low risk and easy to fix should it cause any problems. If I weren't likely to forget about it, it could wait until after the freeze it over. :) manifests/nodes/hosted1.fedoraproject.org.pp | 4 + modules/git/README | 4 + modules/git/files/check-perms.py | 148 ++++++++++++++++++++++++++ modules/git/manifests/init.pp | 31 ++++++ 4 files changed, 187 insertions(+), 0 deletions(-) create mode 100755 modules/git/files/check-perms.py diff --git a/manifests/nodes/hosted1.fedoraproject.org.pp b/manifests/nodes/hosted1.fedoraproject.org.pp index e94c151..a6c86c0 100644 --- a/manifests/nodes/hosted1.fedoraproject.org.pp +++ b/manifests/nodes/hosted1.fedoraproject.org.pp @@ -5,6 +5,10 @@ node hosted1 { include openvpn::client include spamassassin::server + $git_check_perms_gitroot = "/git" + $git_check_perms_mailto = "sysadmin-hosted-members(a)fedoraproject.org" + include git::check-perms + $mailman_default_url_proto = "https" $mailman_default_url_host = "fedorahosted.org" $mailman_default_email_host = "lists.fedorahosted.org" diff --git a/modules/git/README b/modules/git/README index e9a5e99..100a560 100644 --- a/modules/git/README +++ b/modules/git/README @@ -14,6 +14,10 @@ The git rpm installs the core tools with minimal dependencies. To install all git packages, including tools for integrating with other SCMs, install the git-all meta-package. +The git::check-perms class includes a script for checking that the +permissions of git repositories are generally proper for shared +repositories. It also runs this script each day via a cron job. + The git::mail-hooks class installs some convenient tools for use as post-receive hooks, courtesy of the gnome.org sysadmins. diff --git a/modules/git/files/check-perms.py b/modules/git/files/check-perms.py new file mode 100755 index 0000000..88d7bff --- /dev/null +++ b/modules/git/files/check-perms.py @@ -0,0 +1,148 @@ +#!/usr/bin/python -tt +"""Check permissions of a tree of git repositories, optionally fixing any +problems found. +""" + +import os +import re +import sys +import optparse +from stat import * +from subprocess import call, PIPE, Popen + +usage = '%prog [options] [gitroot]' +parser = optparse.OptionParser(usage=usage) +parser.add_option('-f', '--fix', dest='fix', + action='store_true', default=False, + help='Correct any problems [%default]') +opts, args = parser.parse_args() + +if args: + gitroot = args[0] +else: + gitroot = '/git' + +object_re = re.compile('[0-9a-z]{40}') + +def is_object(path): + """Check if a path is a git object.""" + parts = path.split(os.path.sep) + if 'objects' in parts and len(parts) > 2 and \ + object_re.match(''.join(path.split(os.path.sep)[-2:])): + return True + return False + +def is_shared_repo(gitdir): + """Check if a git repository is shared.""" + cmd = ['git', '--git-dir', gitdir, 'config', 'core.sharedRepository'] + p = Popen(cmd, stdout=PIPE, stderr=PIPE) + shared, error = p.communicate() + sharedmodes = ['1', 'group', 'true', '2', 'all', 'world', 'everybody'] + if shared.rstrip() not in sharedmodes or p.returncode: + return False + return True + +def set_shared_repo(gitdir, value='group'): + """Set core.sharedRepository for a git repository.""" + mode_re = re.compile('06[0-7]{2}') + if value in [0, 'false', 'umask']: + value = 'umask' + elif value in [1, 'true', 'group']: + value = 'group' + elif value in [2, 'all', 'world', 'everybody']: + value = 'all' + elif mode_re.match(value): + pass + else: + raise SystemExit('Bogus core.sharedRepository value "%s"' % value) + cmd = ['git', '--git-dir', gitdir, 'config', 'core.sharedRepository', + value] + ret = call(cmd) + if ret: + return False + return True + +def check_git_perms(path, fix=False): + """Check if permissions on a git repo are correct. + + If fix is true, problems found are corrected. + """ + object_mode = S_IRUSR | S_IRGRP | S_IROTH + oldmode = mode = S_IMODE(os.lstat(path)[ST_MODE]) + errors = [] + if os.path.isdir(path): + newmode = mode | S_ISGID + if mode != newmode: + msg = 'Not SETGID (should be "%s")' % oct(newmode) + errors.append(msg) + mode = newmode + elif is_object(path) and mode ^ object_mode: + msg = 'Wrong object mode "%s" (should be "%s")' % ( + oct(mode), oct(object_mode)) + errors.append(msg) + mode = object_mode + if mode & S_IWUSR and not is_object(path): + newmode = mode | S_IWGRP + if mode != newmode: + msg = 'Not group writable (should be "%s")' % oct(newmode) + errors.append(msg) + mode = newmode + if mode != oldmode and not os.path.islink(path): + print >> sys.stderr, '%s:' % path, + print >> sys.stderr, ', '.join(['%s' % e for e in errors]) + if not fix: + return False + try: + os.chmod(path, mode) + return True + except Exception, e: + error = hasattr(e, 'strerror') and e.strerror or e + mode = oct(mode) + print >> sys.stderr, 'Error setting "%s" mode on %s: %s' % ( + mode, path, error) + return False + return True + +def main(): + if not os.path.isdir(gitroot): + raise SystemExit('%s does not exist or is not a directory' % gitroot) + + gitdirs = [] + for path, dirs, files in os.walk(gitroot): + if path in gitdirs: + continue + if 'description' in os.listdir(path): + gitdirs.append(path) + + problems = [] + for gitdir in sorted(gitdirs): + if not is_shared_repo(gitdir): + print >> sys.stderr, '%s: core.sharedRepository not set' % gitdir + if not opts.fix or not set_shared_repo(gitdir): + problems.append(gitdir) + continue + paths = [] + for path, dirs, files in os.walk(gitdir): + for d in dirs: + d = os.path.join(path, d) + if d not in paths: + paths.append(d) + for f in files: + f = os.path.join(path, f) + if f not in paths: + paths.append(f) + for path in paths: + if not check_git_perms(path, fix=opts.fix): + if path not in problems: + problems.append(path) + + if problems: + raise SystemExit('%d paths remain unfixed' % len(problems)) + + raise SystemExit() + +if __name__ == '__main__': + try: + main() + except KeyboardInterrupt: + raise SystemExit('\nExiting on user cancel (Ctrl-C)') diff --git a/modules/git/manifests/init.pp b/modules/git/manifests/init.pp index 87282b5..ab1abec 100644 --- a/modules/git/manifests/init.pp +++ b/modules/git/manifests/init.pp @@ -35,3 +35,34 @@ class git::mail-hooks { require => [File["$mailhooks/git.py"], File["$mailhooks/util.py"]]; } } + +class git::check-perms { + include git::package + + file { '/usr/local/bin/git-check-perms': + owner => 'root', + group => 'root', + mode => 0755, + source => 'puppet:///git/check-perms.py', + require => Package['git'], + } + + $gitroot = $git_check_perms_gitroot ? { + '' => '/git', + default => $git_check_perms_gitroot, + } + + $mailto = $git_check_perms_mailto ? { + '' => 'root', + default => $git_check_perms_mailto, + } + + cron { 'git-check-perms': + command => "git check-perms $gitroot", + user => 'nobody', + hour => 0, + minute => 10, + environment => ["MAILTO=$mailto", 'PATH=/usr/bin:/usr/local/bin'], + require => File['/usr/local/bin/git-check-perms'], + } +} -- 1.6.4 -- Todd OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ If Stupidity got us into this mess, then why can't it get us out? -- Will Rogers (1879-1935)

3 7

[Change Request] Mercurial upgrade on app1
by Diego Búrigo Zacarão 20 Aug '09

20 Aug '09

There is a bug related to Mercurial-1.2.x that is boring some of our translators when using Transifex[1]. Could I have +1's for updating it with the following version? https://admin.fedoraproject.org/updates/mercurial-1.3.1-3.el5 [1] http://transifex.org/ticket/279 Regards -- Diego Búrigo Zacarão http://diegobz.net

4 3

Change request - Mercurial - app1
by Mike McGrath 20 Aug '09

20 Aug '09

There's been a request to update mercurial on app1 from mercurial-1.2-2.el5.1 to mercurial-1.3.1-3.el5 which is the latest in epel 2+1's? -Mike

1 1

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

infrastructure August 2009