From bbcaf8f8160da717332d823c2319b1d9b4ebb0ce Mon Sep 17 00:00:00 2001
From: Till Maas
Date: Jun 12 2018 13:07:11 +0000
Subject: [PATCH 1/2] Use inventory in debug, use constants everywhere
---
diff --git a/inventory/standard-inventory-qcow2 b/inventory/standard-inventory-qcow2
index 1592d7f..3fda2b0 100755
--- a/inventory/standard-inventory-qcow2
+++ b/inventory/standard-inventory-qcow2
@@ -56,6 +56,7 @@ AUTH_KEY = ("AAAAB3NzaC1yc2EAAAADAQABAAABAQDUOtNJdBEXyKxBB898rdT54ULjMGuO6v4jLX"
 DEF_USER = "root"
 DEF_PASSWD = "foobar"
+DEF_HOST = "127.0.0.3"
 USER_DATA = """#cloud-config
 users:
@@ -116,7 +117,7 @@ def start_qemu(image, cloudinit, log, portrange=(2222, 5555)):
 sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
 sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
 try:
- sock.bind(("127.0.0.3", port))
+ sock.bind((DEF_HOST, port))
 except IOError:
 pass
 else:
@@ -219,9 +220,9 @@ def inv_host(image):
 # The variables
 variables = {
 "ansible_port": "{0}".format(port),
- "ansible_host": "127.0.0.3",
- "ansible_user": "root",
- "ansible_ssh_pass": "foobar",
+ "ansible_host": DEF_HOST,
+ "ansible_user": DEF_USER,
+ "ansible_ssh_pass": DEF_PASSWD,
 "ansible_ssh_private_key_file": identity,
 "ansible_ssh_common_args": "-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"
 }
@@ -327,8 +328,13 @@ def inv_host(image):
 if diagnose:
 sys.stderr.write("\n")
- sys.stderr.write("DIAGNOSE: ssh -p {0} -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null "
- "root@{1} # password: {2}\n".format(port, "127.0.0.3", "foobar"))
+ sys.stderr.write("DIAGNOSE: ssh -p {port} -o StrictHostKeyChecking=no "
+ "-o UserKnownHostsFile=/dev/null -i {identity} "
+ "{user}@{host}\n".format(port=port, identity=identity,
+ user=DEF_USER, host=DEF_HOST
+ )
+ )
+ sys.stderr.write("DIAGNOSE: Passwort is: {}".format(DEF_PASSWD))
 sys.stderr.write("DIAGNOSE: export ANSIBLE_INVENTORY={0}\n".format(inventory))
 sys.stderr.write("DIAGNOSE: kill {0} # when finished\n".format(os.getpid()))
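Review bot: The added `sys.stderr.write("DIAGNOSE: Passwort is: {}".format(DEF_PASSWD))` in the last hunk has no trailing newline, so the following `DIAGNOSE: export ANSIBLE_INVENTORY=...` line is glued onto it in the terminal output, and "Passwort" is a typo; change it to `sys.stderr.write("DIAGNOSE: Password is: {}\n".format(DEF_PASSWD))`. The newline matters here because these DIAGNOSE lines are exactly what a developer copies and pastes. The rewritten ssh line now also prints `-i {identity}`, so the key file rather than the password is the primary way in and the password line is only a fallback; a short comment saying so, e.g. `# password is only needed if the injected key does not work`, would make that intent clear. inv_host begins and ends outside the hunk.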
From 84522f5e0c762f2e87963cf54cfc7bdf7ae32183 Mon Sep 17 00:00:00 2001
From: Till Maas
Date: Jun 12 2018 13:07:37 +0000
Subject: [PATCH 2/2] Security issue: Restrict VNC to default host.

This avoids the VNC server being accidentally exposed. If someone needs to connect to it, the "vncviewer -via" can be used or ssh with a local forward (-L).
---
diff --git a/inventory/standard-inventory-qcow2 b/inventory/standard-inventory-qcow2
index 3fda2b0..7c47dbd 100755
--- a/inventory/standard-inventory-qcow2
+++ b/inventory/standard-inventory-qcow2
@@ -143,7 +143,7 @@ def start_qemu(image, cloudinit, log, portrange=(2222, 5555)):
 "-display", "none"]
 if diagnose:
- qemu_cmd += ["-vnc", ":1,to=4095"]
+ qemu_cmd += ["-vnc", DEF_HOST + ":1,to=4095"]
 qemu_proc = subprocess.Popen(qemu_cmd, stdout=open(log, 'a'), stderr=subprocess.STDOUT)
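Review bot: Binding the VNC display to `DEF_HOST` stops it from listening on every interface, but the `-vnc` argument still carries no authentication option, so while `diagnose` is set any local account on the host can attach to the guest console; the ssh-forwarding advice in the commit message covers remote access, not that. If that is acceptable for a throwaway test VM, say so at the changed line, e.g. `# VNC has no auth; loopback-only so it is reachable by local users only`, and consider printing the chosen display in the DIAGNOSE output so the user knows which port to forward. `DEF_HOST + ":1,to=4095"` also relies on 127.0.0.3 being a bindable loopback address, the same assumption the ssh port probe earlier in start_qemu already makes, which is worth one comment at the DEF_HOST definition. start_qemu begins and ends outside the hunk.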