From 820581cad0c673ff3195f7152741338035f52bdb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Roni=20V=C3=A4yrynen?= Date: Mon, 6 Dec 2021 13:49:26 +0200 Subject: [PATCH] add option to use sudo with non privileged user --- sample.xo-install.cfg | 10 ++++++++ xo-install.sh | 54 +++++++++++++++++++++++++++++++++++++++++-- 2 files changed, 62 insertions(+), 2 deletions(-) diff --git a/sample.xo-install.cfg b/sample.xo-install.cfg index aa8aed5..565da58 100644 --- a/sample.xo-install.cfg +++ b/sample.xo-install.cfg @@ -2,6 +2,16 @@ # default: root #XOUSER= +# Optional parameter if running as non privileged user to use sudo when mounting/umounting shares inside Xen Orchestra +# no effect if XOUSER is root +# options true/false +#USESUDO=false + +# Optional parameter to generate sudoers config when missing completely if USESUDO is set to true +# no effect if XOUSER is root +# options true/false +#GENSUDO=false + # Port number where xen-orchestra service is bound PORT="80" diff --git a/xo-install.sh b/xo-install.sh index 9a41124..c52d4b6 100755 --- a/xo-install.sh +++ b/xo-install.sh @@ -38,6 +38,8 @@ ARCH_CHECK="${ARCH_CHECK:-"true"}" PATH_TO_HTTPS_CERT="${PATH_TO_HTTPS_CERT:-""}" PATH_TO_HTTPS_KEY="${PATH_TO_HTTPS_KEY:-""}" AUTOCERT="${AUTOCERT:-"false"}" +USESUDO="${USESUDO:-"false"}" +GENSUDO="${GENSUDO:-"false"}" # set variables not changeable in configfile TIME=$(date +%Y%m%d%H%M) @@ -46,6 +48,7 @@ LOGFILE="${LOGPATH}/xo-install.log-$TIME" NODEVERSION="14" FORCE="false" INTERACTIVE="false" +SUDOERSFILE="/etc/sudoers.d/xo-server-$XOUSER" # Set path where new source is cloned/pulled XO_SRC_DIR="$INSTALLDIR/xo-src/xen-orchestra" 
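Review bot: The drop-in path `SUDOERSFILE="/etc/sudoers.d/xo-server-$XOUSER"` is built straight from the configured user name, and sudo silently skips files in an include directory whose name contains a `.` or ends in `~`, so an `XOUSER` such as `xo.svc` would produce a file that passes `visudo -c` yet is never read. Nothing in this hunk constrains the name; either sanitise the file-name part, e.g. `SUDOERSFILE="/etc/sudoers.d/xo-server-${XOUSER//[^a-zA-Z0-9_-]/_}"`, or reject such names where `XOUSER` is validated (outside this hunk). A short comment on the line, `# sudoers.d ignores file names containing '.' or ending in '~'`, would explain the restriction to the next maintainer.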
@@ -467,6 +470,42 @@ function InstallXOPlugins { } +# install sudo package and generate config if defined in configuration +function InstallSudo { + + set -uo pipefail + + trap ErrorHandling ERR INT + + if [[ -z $(runcmd_stdout "command -v sudo") ]]; then + if [[ "$PKG_FORMAT" == "deb" ]]; then + echo + printprog "Installing sudo" + runcmd "apt-get install -y sudo" + printok "Installing sudo" + elif [[ "$PKG_FORMAT" == "rpm" ]]; then + printprog "Installing sudo" + runcmd "yum install -y sudo" + printok "Installing sudo" + fi + fi + + if [[ "$GENSUDO" == "true" ]] && [[ ! -f "$SUDOERSFILE" ]]; then + echo + printinfo "Generating sudoers configuration to $SUDOERSFILE" + TMPSUDOERS="$(mktemp /tmp/xo-sudoers.XXXXXX)" + runcmd "echo '$XOUSER ALL=(root) NOPASSWD: /bin/mount, /bin/umount' > '$TMPSUDOERS'" + if runcmd "visudo -cf $TMPSUDOERS"; then + runcmd "mv $TMPSUDOERS $SUDOERSFILE" + else + printfail "sudoers syntax check failed, not activating $SUDOERSFILE" + runcmd "rm -f $TMPSUDOERS" + fi + fi + +} + + # run actual xen orchestra installation. procedure is the same for new installation and update. we always build it from scratch. function InstallXO { @@ -482,9 +521,11 @@ function InstallXO { printprog "Creating missing $XOUSER user" runcmd "useradd -s /sbin/nologin $XOUSER -m" printok "Creating missing $XOUSER user" - sleep 2 fi - fi + if [[ "$USESUDO" == "true" ]]; then + InstallSudo + fi + fi # Create installation directory if doesn't exist already if [[ ! -d "$INSTALLDIR" ]]; then 
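Review bot: The generated sudoers file keeps the temp file's permissions: `mktemp` creates it 0600 and `mv` preserves that, whereas sudo expects root-owned 0440 files under /etc/sudoers.d and reports a mode mismatch rather than using them. Replace the `mv` with `runcmd "install -o root -g root -m 0440 $TMPSUDOERS $SUDOERSFILE"` followed by `runcmd "rm -f $TMPSUDOERS"`. The rule `NOPASSWD: /bin/mount, /bin/umount` carries no argument restriction, so `$XOUSER` can bind-mount over system paths or mount images with setuid binaries as root — effectively root-equivalent; that may be the intended trade-off for xo-server, but it should be stated above the `echo`, e.g. `# NOTE: unrestricted mount/umount as root is root-equivalent for $XOUSER; keep the account locked down`. On merged-/usr distributions where /bin is a symlink, sudo may resolve the invoked command to `/usr/bin/mount` and refuse to match it against the literal `/bin/mount`; worth verifying on the rpm targets and, if it fails, generating the rule from `command -v mount` / `command -v umount`.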
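Review bot: The new `InstallSudo` call is placed inside an `if` whose condition opens before the hunk, so a reader at this spot cannot see that the sudo setup is skipped for a root `XOUSER` (the sample config says "no effect if XOUSER is root", which suggests this is the non-root branch, but the hunk does not show it). A one-line comment above the call would make that explicit: `# sudo for mount/umount is only needed when xo-server runs as an unprivileged XOUSER`. `InstallXO` starts outside the hunk.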
@@ -686,6 +727,14 @@ function InstallXO { fi sleep 2 fi + if [[ "$USESUDO" == "true" ]]; then + printinfo "Enabling useSudo in xo-server configuration file" + runcmd "sed -i \"s/#useSudo = false/useSudo = true/\" $INSTALLDIR/xo-builds/xen-orchestra-$TIME/packages/xo-server/sample.config.toml" + printinfo "Changing default mountsDir in xo-server configuration file" + runcmd "sed -i \"s%#mountsDir.*%mountsDir = '$INSTALLDIR/mounts'%\" $INSTALLDIR/xo-builds/xen-orchestra-$TIME/packages/xo-server/sample.config.toml" + runcmd "mkdir -p $INSTALLDIR/mounts" + runcmd "chown -R $XOUSER:$XOUSER $INSTALLDIR/mounts" + fi printinfo "Activating modified configuration file" runcmd "mkdir -p $CONFIGPATH/.config/xo-server" @@ -712,6 +761,7 @@ function InstallXO { runcmd "chown -R $XOUSER:$XOUSER /var/lib/xo-server" runcmd "chown -R $XOUSER:$XOUSER $CONFIGPATH/.config/xo-server" + fi # fix to prevent older installations to not update because systemd service is not symlinked anymore
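Review bot: `chown -R $XOUSER:$XOUSER $INSTALLDIR/mounts` recurses into whatever is mounted below that directory, and the function's header comment states the same procedure runs for updates, so an update performed while remotes are still mounted would rewrite the ownership of every file on those shares. Only the directory itself has to belong to XOUSER: `runcmd "chown $XOUSER:$XOUSER $INSTALLDIR/mounts"`. Both `sed -i` edits also exit 0 when their pattern is absent, so a changed upstream `sample.config.toml` would leave `useSudo` off without any error; a follow-up `grep -q '^useSudo = true'` on the file would turn that into a failure. `$INSTALLDIR` is additionally spliced into the sed replacement unescaped, so a path containing `%`, `&` or `\` would corrupt the `mountsDir` line. `InstallXO` continues outside the hunk.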