o Y7e= @sddlZddlZddlZddlZddlZddlZddlZeZ e j Z e j Z ej diej eje jdZejZejZejZdZddZddZdd Zd d Zd d ZddZddZ dddZ!dS)Nzrollout_conf.pyz.in.pycstjtjdfdd}|D]\}tdtj|tr>tj tj|dt t t }n}fdd}tj|||d}tjt ||d }t d d |gd d d dj}iid}sw|jd it}rdvrd|t|}rt|trdvrdddD}g} |dD]} |D]\} } | | dur| | nq| | qd| }tjt |} tdd| g||durtdd|gq||durt d d||dgd dqt d d|g|d tjdqdS)!zc Walk through configuration templates and adjust configs in target system accordingly. templatesc3sdtD])\}}}d|vrq|tdd}|D]}|dr)|dr)q||fVqqdS)z Walk through templates directory, yielding tuples of (folder, filename) for configuration or source files, excluding any pycache or swap files. __pycache__N.z.swp)oswalklen startswithendswith)folderdirsfilesfilename)rR/home/thorsten/Data/Arbeit/PerFact/Git/ema-modules/MigrationMonster/bin/rollout.py_walk_templates&s z configs.._walk_templateszProcessing config template: Ncs$|d}r|vr|tSS)zpReturns filename, but if the module defines an overriding function, call that and return its result. _filename)config)prefixfunc)rmodifymodulerr_fnameBs  zconfigs.._fnamesrctgtsudocatTF)textcapture_outputcheck)removerenamegeneraterulescSs.g|]}t|d|djditfqS)rrr)recompileformatr).0itemrrr ms&zconfigs.. mkdirz-pr rm-fr!mvz .disabledrteeinputrstdoutr)rpathjoinenv config_pathprintr RULES_SUFFIXperfactgeneric load_configr mount_path_runr3r&r isinstancestrsplitsearchappend_sudo subprocessDEVNULL)rr src_dirr src_filename tgt_filenamecontentsignalsr#resultlinerule replacement tgt_folderr)rrrrrconfigssx            rQcCstdds tddSdg}gd|}|D]^}tjt|ddd}tj|s1td |qtd |td d |gd dtg}||vrM| gd| dd|gdggdddggddggdg}|D] }t ||t j dqiqdS)zO Re-initialize git-repositories on the target system. Requires chroot. reset_git_reposTz7Skipping reset of git histories as requested in config.Nz/opt/perfact/dbutils-pgrepo)z/etcz/var/lib/zope2.13z/var/lib/zope4rz.gitzPath of git repo does not existzResetting git repor,z-rrchroot)r-ur:git-Cinit)rgc.auto0addr)commit-mzInitial commitgc)rrX1)r3) rgetr8rr4r5r=existsrDextendr>rErF) repos_perfactreposrepor4 cmd_prefixcmdscmdrrrrRs<     rRcCsLttjtd}t|rtdd|tdg|d}tgdddd j d k}d d ggd d dddddddddj dDit g dddd ddddddddj dDit ddgdddd ddddddddj dDit ddgg}t d r| gd!| dddd ddddddddj dDit dd"g| gd#| gd$|r|d% d&| d ddddj dDit dddddd&g | gd'| gd(d)}t|i}d*D]}tjdd+tjt|d,gd-d-d-d.j||<qtjdd/tjtd0gd1|d2d-tjd3tjdd/tjtd4gd5d6d7|Dd-tjd3ttjtd8}d9|d:d;}t|Wd:n 1sKwYtjtd<}tjdd/|gd=|d-tjd-d>tjdd d?d|gd-dtjdd+tjt|gd-d@}ttjtdAdB}t||dCWd:d:S1swYd:S)Ea Renew keys. This includes: * SSH server key * SSH private keys of root, perfact, phonehome, zope and mpr (which is a second key belonging to zope) This will also output the public key for phonehome to be entered on the perfact phonehome server. zetc/ssh/ssh_host_*Removingz, r,zhome/zope/.ssh/id_rsa.pub)testr-/etc/perfact/phonehome/id_rsaFr/rzdpkg-reconfigurezopenssh-server)r,r-z/root/.ssh/id_rsaz/root/.ssh/id_rsa.pub/home/zope/.ssh/id_rsaz/home/zope/.ssh/id_rsa.pub/home/perfact/.ssh/id_rsaz/home/perfact/.ssh/id_rsa.pubz ssh-keygenz-f/root/.ssh/id_rsaz-trsaz-b4096z-NrVzroot@{systemname}rrTr:zperfact@{systemname}r-rlzopezzope@{systemname}rkmpa_mpr_maintenance_keygen)r,r-/home/zope/.ssh/mpr-id_rsaz/home/zope/.ssh/mpr-id_rsa.pubz"/home/mpaproxy/.ssh/mpr-id_rsa.pubrr)rcprr/home/mpaproxy/.ssh/mpr-id_rsa)rchownmpaproxyrtrrj)ru pfphonehomerj!/etc/perfact/phonehome/id_rsa.pub)chgrprwrjrxz etc/perfact/phonehome/id_rsa.pub)rootz home/zoperz.ssh/id_rsa.pubT)rrrr0zroot/.ssh/authorized_keyszfrom="127.0.0.1" rzr1z"home/mpaproxy/.ssh/authorized_keysr*cSsg|]}d|qS)zfrom="127.0.0.1" {}r&)r'keyrrrr).szssh_keys..z etc/ssh/ssh_host_ed25519_key.pub Nzroot/.ssh/known_hostsz localhost )r2rr3rz-H)rz phonehome.pubwfiler)globrr4r5r=rr8rD _chroot_cmds returncoder&rr_rCrErunr3rFvaluesopenreadstriprA check_output build_path)keysphonehome_pubkeypath new_phonehomecommandspubkeyr4f known_hostsrrrssh_keyss         $rcCs0tdsdStjddtddgtddddS) zE Disable services by default according to the configuration. disable_servicesNrrS systemctldisableTr/)rrErr=rrrrservicesSs rcCstdsdStjddtdddgtdtjd}ttj t dd }|j D] }t |t ||d q'Wdn1s>wY| dS) Npurge_packagesrrSzapt-getpurgez-y)stderrzapt-errors.logrr)rr_rEPopenr=PIPErrr4r5rrr8wait)procrrMrrrpackages_purgebs"   rc stdsdSttjtdd}ttd|dddd Dtjd d t d gd fddd Ddddd D]}td |||dq8d t dd}tjd d t d dd|dgtj ddd}t |j}|dtd d|d|gd}|D]"\}}|vrqtdtjt d |gtjdd ||d qtjt d!}td|gtjd|d"d tgd#tjd$d%dS)&zE Generate random passwords and write them to build/passwords randomize_passwordsN passwordsr systemnamercSsi|] }|tjjdddqS) :abcdefghijklmnopqrstuvwxABCDEFGHIJKLMNOPQRSTUVWX0123456789)length valid_chars)r:r;generate_random_stringr'userrrr s zpasswords..)rzmaintrrSchpasswdr*csg|] }d||qS)z{}:{}r{rpwrrr)szpasswords..T)r2runiversal_newlinesz {}@ubuntu: {}z$/usr/share/perfact/zope{}/bin/python zope_versionz2,13rTrpz6/opt/perfact/migration/src/inchroot/zope-modify-passwd)r3rrzperfact@zope: {}r:))assign assign_worker)cronr) cachetriggerrr0zroot/.netrc-{}z&machine localhost login {} password {})r3rr2z8opt/perfact/dbutils-zoperepo/__root__/acl_users/__meta__metafile) rrTr:rUrVz/opt/perfact/dbutils-zoperepor[z-ar\zUpdate passwordsF)r3r)rrrr4r5rr8rErr=r&r_rjsonloadsr3closerDrFr)outfiler interpreterrdata netrc_filesfnamerrrrrssx         rc Cs2tgdgdgdgdddddtd gd S) zJ Call script in chroot to regenerate the HAProxy SSL certificate. )bashz-cz"chown zope:zope /etc/haproxy/ssl/*)ruz root:haproxy/etc/haproxy/ssl)chmodzg+rwxr)rzo-rwxrrrTrpz6/opt/perfact/migration/src/inchroot/haproxy-renew-cert cert_subjectN)rrrrrrssl_certsrcCsF|durdg}t|ts|g}|D]}tjddtdd|gddqdS)z? Rebuild the mapping files for postfix (using postmap) Nz/etc/postfix/transport_closedrrSz/usr/sbin/postmapTr/)r?listrErr=)r r4rrrpostfix_postmaps rr)N)"rr$rErrperfact.genericr:helpers create_envr6rr= Namespacer;r<r4r5r7rrr>rrD chroot_cmdsrr9rQrRrrrrrrrrrrs8p*a