buildserver: move trusty/paramiko hack to its own shell script
authorHans-Christoph Steiner <hans@eds.org>
Mon, 4 Jul 2016 11:23:25 +0000 (13:23 +0200)
committerHans-Christoph Steiner <hans@eds.org>
Mon, 4 Jul 2016 21:54:52 +0000 (23:54 +0200)
This is part of the effort to remove moving parts from the whole build
server setup.  Why wrap shell scripts in ruby and chef if we can just
directly run a shell script?

buildserver/cookbooks/fdroidbuild-general/recipes/default.rb
buildserver/provision-ubuntu-trusty-paramiko [new file with mode: 0644]
makebuildserver

index 9ea5f5085a747184537057b4a570eaf23b8ba5ed..3e0ace87cbc32f309266c0f98ee4a41f6b4bb570 100644 (file)
@@ -118,12 +118,3 @@ else
     command "update-java-alternatives --set java-1.8.0-openjdk-i386"
   end
 end
-
-# Ubuntu trusty 14.04's paramiko does not work with jessie's openssh's default settings
-# https://stackoverflow.com/questions/7286929/paramiko-incompatible-ssh-peer-no-acceptable-kex-algorithm/32691055#32691055
-execute "support-ubuntu-trusty-paramiko" do
-  only_if { node[:settings][:ubuntu_trusty] == 'true' }
-  command "echo Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr >> /etc/ssh/sshd_config"
-  command "echo MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,hmac-sha1 >> /etc/ssh/sshd_config"
-  command "echo KexAlgorithms diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1 >> /etc/ssh/sshd_config"
-end
diff --git a/buildserver/provision-ubuntu-trusty-paramiko b/buildserver/provision-ubuntu-trusty-paramiko
new file mode 100644 (file)
index 0000000..81a3cd2
--- /dev/null
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+# Ubuntu trusty 14.04's paramiko does not work with jessie's openssh's default settings
+# https://stackoverflow.com/questions/7286929/paramiko-incompatible-ssh-peer-no-acceptable-kex-algorithm/32691055#32691055
+
+if ! grep --quiet ^Ciphers /etc/ssh/sshd_config; then
+    echo Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr >> /etc/ssh/sshd_config
+fi
+
+if ! grep --quiet ^MACs /etc/ssh/sshd_config; then
+    echo MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,hmac-sha1 >> /etc/ssh/sshd_config
+fi
+
+if ! grep --quiet ^KexAlgorithms /etc/ssh/sshd_config; then
+    echo KexAlgorithms diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1 >> /etc/ssh/sshd_config
+fi
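Review bot: The `Ciphers`, `MACs` and `KexAlgorithms` lines written here replace sshd's built-in lists instead of extending them, and they include SHA-1-based entries (`diffie-hellman-group14-sha1`, `diffie-hellman-group-exchange-sha1`, `hmac-sha1`) as well as `hmac-ripemd160`, so the guest stays pinned to this set for as long as the image lives. The header comment presents the script purely as a compatibility fix; I would record the trade-off next to it, e.g. `# NOTE: pins sshd to a legacy algorithm set (incl. SHA-1 KEX/MACs) for old paramiko; remove once trusty hosts are unsupported`. The `grep --quiet ^Ciphers` style guards are case-sensitive and anchored at column 0, while sshd_config keywords are case-insensitive, so an existing `ciphers` or indented entry would be missed and a second, ignored line appended. Nothing validates the edited file either; ending the script with `sshd -t` would make provisioning fail on a broken config rather than leaving it for the next sshd start.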
index b4a890f402f6776eb810ff6b1bee78543ba7f4e2..b4c900ef8114d963dd9fa645f31bb8272e25495b 100755 (executable)
@@ -384,7 +384,6 @@ vagrantfile += """
     chef.json = {
       :settings => {
         :debian_mirror => "%s",
-        :ubuntu_trusty => "%s",
         :user => "vagrant"
       }
     }
@@ -399,9 +398,14 @@ vagrantfile += """
   config.vm.provision "file", source: "gradle",
     destination: "/opt/gradle/bin/gradle"
 
+  # let Ubuntu/trusty's paramiko work with the VM instance
+  if `uname -v`.include? "14.04"
+    config.vm.provision "shell", path: "provision-ubuntu-trusty-paramiko"
+  end
+
 end
-""" % (config['debian_mirror'],
-       str('14.04' in os.uname()[3]).lower())
+""" % config['debian_mirror']
+
 
 # Check against the existing Vagrantfile, and if they differ, we need to
 # create a new box:
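Review bot: The new `uname -v` test in the Vagrantfile template decides whether the guest's sshd gets the legacy algorithm lists, but it matches a substring of the host's kernel build string rather than the distribution release or the paramiko version. That is the same heuristic the removed `os.uname()[3]` line used, so the commit does not make it worse, yet a trusty host whose kernel string lacks `14.04` would presumably skip the fix while any host whose string happens to contain it gets the weaker sshd settings. Checking the release directly, e.g. `if %x(lsb_release -rs 2>/dev/null).strip == "14.04"`, would be less fragile; a one-line comment saying the check runs on the host, not in the VM, would also help. The template string this sits in starts outside the hunk.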