Use pam_namespaces and pam_exec to clean-up home dirs and temp space

Also DRY-up sysctl/pam code repeated in Kafka and Hadoop; should be in BCPC
bloomberg · Sep 28, 2018 · 84bf2e1 · 84bf2e1
1 parent 46e2b52
commit 84bf2e1
Show file tree

Hide file tree

Showing 14 changed files with 109 additions and 62 deletions.
diff --git a/cookbooks/bcpc-hadoop/metadata.rb b/cookbooks/bcpc-hadoop/metadata.rb
@@ -12,7 +12,6 @@
 depends 'database'
 depends 'java'
 depends 'poise'
-depends 'pam'
 depends 'sysctl'
 depends 'ulimit'
 depends 'locking_resource'
diff --git a/cookbooks/bcpc-hadoop/recipes/configs.rb b/cookbooks/bcpc-hadoop/recipes/configs.rb
@@ -2,8 +2,6 @@
 ::Chef::Recipe.send(:include, Bcpc_Hadoop::Helper)
 
 include_recipe 'bcpc-hadoop::default'
-# NOTE: This include_recipe is necessary for resource collection
-include_recipe 'sysctl::default'
 
 # disable IPv6 (e.g. for HADOOP-8568)
 case node['platform_family']
@@ -19,29 +17,6 @@
   Chef::Log.warn '============ Unable to disable IPv6 for non-Debian systems'
 end
 
-# ensure we use /etc/security/limits.d to allow ulimit overriding
-if !node.key?('pam_d') || !node['pam_d'].key?('services') || !node['pam_d']['services'].key?('common-session')
-  node.default['pam_d']['services'] = {
-    'common-session' => {
-      'main' => {
-        'pam_permit_default' => { 'interface' => 'session', 'control_flag' => '[default=1]', 'name' => 'pam_permit.so' },
-        'pam_deny' => { 'interface' => 'session', 'control_flag' => 'requisite', 'name' => 'pam_deny.so' },
-        'pam_permit_required' => { 'interface' => 'session', 'control_flag' => 'required', 'name' => 'pam_permit.so' },
-        'pam_limits' => { 'interface' => 'session', 'control_flag' => 'required', 'name' => 'pam_limits.so' },
-        'pam_umask' => { 'interface' => 'session', 'control_flag' => 'optional', 'name' => 'pam_umask.so' },
-        'pam_unix' => { 'interface' => 'session', 'control_flag' => 'required', 'name' => 'pam_unix.so' }
-      },
-      'includes' => []
-    }
-  }
-end
-
-# set vm.swapiness to 0 (to lessen swapping)
-# NOTE: See above for note about resource collection
-sysctl_param 'vm.swappiness' do
-  value 0
-end
-
 # Populate node attributes for all kind of hosts
 set_hosts
 node.override['locking_resource']['zookeeper_servers'] = \

diff --git a/cookbooks/bcpc/attributes/default.rb b/cookbooks/bcpc/attributes/default.rb
@@ -250,3 +250,8 @@
 # sshd_config
 default['bcpc']['ssh']['address_family'] = 'inet'
 default['bcpc']['ssh']['x11_forwarding'] = false
+
+# pam config
+default['bcpc']['pam_namespace']['real_home_dir_users'] = 'ubuntu'
+default['bcpc']['pam_namespace']['shm_polyinstantion_dir'] = 'inst-dir'
+default['bcpc']['pam_namespace']['polyinstantion_dir'] = '/' + node['bcpc']['pam_namespace']['shm_polyinstantion_dir']
diff --git a/cookbooks/bcpc/metadata.rb b/cookbooks/bcpc/metadata.rb
@@ -22,4 +22,6 @@
 depends 'ntp'
 depends 'ubuntu'
 depends 'sudo'
+depends 'sysctl'
+depends 'pam'
 depends 'pdns'
diff --git a/cookbooks/bcpc/recipes/cronjobs.rb b/cookbooks/bcpc/recipes/cronjobs.rb
@@ -18,9 +18,12 @@
 
 # Base cronjobs/ pseudo-cronjobs that should be on all machines in the cluster.
 
+polyinstantion_dir = node['bcpc']['pam_namespace']['polyinstantion_dir']
+shm_polyinstantion_dir = node['bcpc']['pam_namespace']['shm_polyinstantion_dir']
+
 clear_tmp = node['bcpc']['cronjobs']['clear_tmp']
-execute 'clear /tmp' do
-  command '/usr/bin/find /tmp -type f '\
+execute 'clear tmp dirs' do
+  command '/usr/bin/find /tmp #{polyinstantion_dir} /dev/shm/#{shm_polyinstantion_dir} -type f '\
           "-atime +#{clear_tmp['atime_age']} -delete && "\
           '/usr/bin/touch /var/lib/clear-temp.run'
   not_if do

diff --git a/cookbooks/bcpc/recipes/pam.rb b/cookbooks/bcpc/recipes/pam.rb
@@ -0,0 +1,61 @@
+# Chef recipe to implement pam_namespace polyinstantiated directories
+# This will provide users the appearance they are the only user with data
+# in the affected directories -- also this will clean-up their data when
+# leaving the machine
+
+directory '/inst-dirs' do
+  user 'root'
+  group 'root'
+  mode 0o000
+end
+
+directory '/usr/local/sbin' do
+  action :create
+end
+
+polyinstantion_dir = node['bcpc']['pam_namespace']['polyinstantion_dir'],
+shm_polyinstantion_dir = node['bcpc']['pam_namespace']['shm_polyinstantion_dir']
+
+template '/usr/local/sbin/inst_dir.sh' do
+  source 'inst_dir.sh.erb'
+  mode 500
+  variables(shm_polyinstantion_dir: shm_polyinstantion_dir,
+            polyinstantion_dir: polyinstantion_dir)
+end
+
+template '/etc/security/namespace.conf' do
+  source 'pam_namespace.conf.erb'
+  mode 500
+  variables(real_home_dir_users:
+            node['bcpc']['pam_namespace']['real_home_dir_users'],
+            shm_polyinstantion_dir: shm_polyinstantion_dir,
+            polyinstantion_dir: polyinstantion_dir)
+end
+
+# NOTE: This include_recipe is necessary for resource collection
+include_recipe 'sysctl::default'
+
+# ensure we use /etc/security/limits.d to allow ulimit overriding
+if !node.key?('pam_d') || !node['pam_d'].key?('services') || !node['pam_d']['services'].key?('common-session')
+  node.default['pam_d']['services'] = {
+    'common-session' => {
+      'main' => {
+        'pam_permit_default' =>  { 'interface' => 'session', 'control_flag' => '[default=1]', 'name' => 'pam_permit.so' },
+        'pam_deny' =>            { 'interface' => 'session', 'control_flag' => 'requisite', 'name' => 'pam_deny.so' },
+        'pam_permit_required' => { 'interface' => 'session', 'control_flag' => 'required', 'name' => 'pam_permit.so' },
+        'pam_limits' =>          { 'interface' => 'session', 'control_flag' => 'required', 'name' => 'pam_limits.so' },
+        'pam_umask' =>           { 'interface' => 'session', 'control_flag' => 'optional', 'name' => 'pam_umask.so' },
+        'pam_unix' =>            { 'interface' => 'session', 'control_flag' => 'required', 'name' => 'pam_unix.so' },
+        'pam_exec' =>            { 'interface' => 'session', 'control_flag' => 'optional', 'name' => 'pam_exec.so', 'args' => '/usr/local/sbin/inst_dir.sh' },
+        'pam_namespace' =>       { 'interface' => 'session', 'control_flag' => 'required', 'name' => 'pam_namespace.so', 'args' => 'unmnt_remnt' },
+      },
+      'includes' => []
+    }
+  }
+end
+
+# set vm.swapiness to 0 (to lessen swapping)
+sysctl_param 'vm.swappiness' do
+  value 0
+end
+
diff --git a/cookbooks/bcpc/templates/default/inst_dir.sh.erb b/cookbooks/bcpc/templates/default/inst_dir.sh.erb
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+# This script is managed by Chef
+# It is designed to setup directories using pam_exec
+# for the pam_namespaces module to isolate user-direcotires
+
+if [ -z "$PAM_TYPE" -o "$PAM_TYPE" == "open_session" ]; then
+  # need to setup the polyinstantation directory for login
+  mkdir -pm 000 /dev/shm/<%= @shm_polyinstantion_dir %>
+elif [ -z "$PAM_TYPE" -o "$PAM_TYPE" == "close_session" ]; then
+  # see if user still has any prescence on this machine
+  pgrep -u $PAM_USER && exit 0
+  # if no prescense of user, remove all trace of their activity
+  rm -rf <%= @polyinstantion_dir %>/home_$PAM_USER \
+         <%= @polyinstantion_dir %>/tmp_$PAM_USER \
+         <%= @polyinstantion_dir %>/var_tmp_$PAM_USER \
+         /dev/shm/<%= @shm_polyinstantion_dir %>/inst_$PAM_USER
+fi
+exit 0
diff --git a/cookbooks/bcpc/templates/default/pam_namespace.conf.erb b/cookbooks/bcpc/templates/default/pam_namespace.conf.erb
@@ -0,0 +1,11 @@
+# /etc/security/namespace.conf
+#
+#############################
+# This file managed by Chef #
+#############################
+#
+#masked mnt point   real mnt point               isolation-level    excluded users
+/var/tmp            <%= @polyinstantion_dir %>/var_tmp_           user              root
+$HOME               <%= @polyinstantion_dir %>/home_              user              root,<%= @real_home_dir_users %>
+/tmp                <%= @polyinstantion_dir %>/tmp_               user              root
+/dev/shm            /dev/shm/<%= @shm_polyinstantion_dir %>/inst_      user              root
diff --git a/cookbooks/bcpc_kafka/metadata.rb b/cookbooks/bcpc_kafka/metadata.rb
@@ -12,8 +12,6 @@
 depends 'bcpc-hadoop'
 depends 'bcpc_jmxtrans'
 depends 'kafka', '>= 2.2.2'
-depends 'pam'
-depends 'sysctl'
 depends 'ulimit'
 
 %w(ubuntu).each do |os|

diff --git a/cookbooks/bcpc_kafka/recipes/default.rb b/cookbooks/bcpc_kafka/recipes/default.rb
@@ -22,33 +22,3 @@
 #
 include_recipe 'java'
 include_recipe 'java::oracle_jce'
-
-# ensure we use /etc/security/limits.d to allow ulimit over-riding
-if not node.has_key?('pam_d') or not node['pam_d'].has_key?('services') or not node['pam_d']['services'].has_key?('common-session')
-  node.default['pam_d']['services'] = {
-    'common-session' => {
-      'main' => {
-        'pam_permit_default' => {
-          'interface' => 'session', 'control_flag' => '[default=1]', 'name' => 'pam_permit.so' },
-        'pam_deny' => {
-          'interface' => 'session', 'control_flag' => 'requisite', 'name' => 'pam_deny.so' },
-        'pam_permit_required' => {
-          'interface' => 'session', 'control_flag' => 'required', 'name' => 'pam_permit.so' },
-        'pam_limits' => {
-          'interface' => 'session', 'control_flag' => 'required', 'name' => 'pam_limits.so' },
-        'pam_umask' => {
-          'interface' => 'session', 'control_flag' => 'optional', 'name' => 'pam_umask.so' },
-        'pam_unix' => {
-          'interface' => 'session', 'control_flag' => 'required', 'name' => 'pam_unix.so' }
-      },
-      'includes' => []
-    }
-  }
-end
-
-# set vm.swapiness to 0 (to lessen swapping)
-# NOTE: This include_recipe is necessary for resource collection
-include_recipe 'sysctl::default'
-sysctl_param 'vm.swappiness' do
-  value 0
-end
diff --git a/stub-environment/roles/BCPC-Hadoop-Head.json b/stub-environment/roles/BCPC-Hadoop-Head.json
@@ -21,8 +21,9 @@
     "recipe[bcpc-hadoop::hdp_repo]",
     "recipe[bach_krb5::krb5_client]",
     "recipe[hdfsdu::create_user]",
-    "recipe[bcpc-hadoop::configs]",
+    "recipe[bcpc::pam]",
     "recipe[pam::default]",
+    "recipe[bcpc-hadoop::configs]",
     "recipe[bach_krb5::keytab_directory]",
     "recipe[bcpc-hadoop::bach_backup_wrapper]",
     "recipe[bcpc-hadoop::zookeeper_server]",

diff --git a/stub-environment/roles/BCPC-Hadoop-Worker.json b/stub-environment/roles/BCPC-Hadoop-Worker.json
@@ -13,8 +13,9 @@
     "recipe[bach_krb5::krb5_client]",
     "recipe[hdfsdu::create_user]",
     "recipe[bcpc-hadoop::bach_backup_wrapper]",
-    "recipe[bcpc-hadoop::configs]",
+    "recipe[bcpc::pam]",
     "recipe[pam::default]",
+    "recipe[bcpc-hadoop::configs]",
     "recipe[bach_spark::default]",
     "recipe[bcpc-hadoop::datanode]",
     "recipe[bach_spark::cluster_install]",

diff --git a/stub-environment/roles/BCPC-Kafka-Head-Server.json b/stub-environment/roles/BCPC-Kafka-Head-Server.json
@@ -3,6 +3,7 @@
   "json_class": "Chef::Role",
   "run_list": [
     "role[Basic]",
+    "recipe[bcpc::pam]"
     "recipe[bcpc_kafka::kafka]"
   ],
   "description": "Role to setup Kafka Server",

diff --git a/stub-environment/roles/BCPC-Kafka-Head-Zookeeper.json b/stub-environment/roles/BCPC-Kafka-Head-Zookeeper.json
@@ -16,6 +16,7 @@
     "role[Basic]",
     "recipe[bach_krb5::keytab_directory]",
     "recipe[bach_krb5::krb5_client]",
+    "recipe[bcpc::pam]",
     "recipe[bcpc_kafka::zookeeper_server]"
   ],
   "description": "Zookeeper Role for Kafka Machines",