From: Hans-Christoph Steiner Date: Mon, 4 Jul 2016 11:23:25 +0000 (+0200) Subject: buildserver: move trusty/paramiko hack to its own shell script X-Git-Tag: 0.7.0~35^2~6 X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?p=fdroidserver.git;a=commitdiff_plain;h=2374b12a77b0b36f2f11f1d2655aa3628bb9dd74 buildserver: move trusty/paramiko hack to its own shell script This is part of the effort to remove moving parts from the whole build server setup. Why wrap shell scripts in ruby and chef if we can just directly run a shell script?
---
diff --git a/buildserver/cookbooks/fdroidbuild-general/recipes/default.rb b/buildserver/cookbooks/fdroidbuild-general/recipes/default.rb
index 9ea5f508..3e0ace87 100644
--- a/buildserver/cookbooks/fdroidbuild-general/recipes/default.rb
+++ b/buildserver/cookbooks/fdroidbuild-general/recipes/default.rb
@@ -118,12 +118,3 @@ else
 command "update-java-alternatives --set java-1.8.0-openjdk-i386"
 end
 end
-
-# Ubuntu trusty 14.04's paramiko does not work with jessie's openssh's default settings
-# https://stackoverflow.com/questions/7286929/paramiko-incompatible-ssh-peer-no-acceptable-kex-algorithm/32691055#32691055
-execute "support-ubuntu-trusty-paramiko" do
- only_if { node[:settings][:ubuntu_trusty] == 'true' }
- command "echo Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr >> /etc/ssh/sshd_config"
- command "echo MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,hmac-sha1 >> /etc/ssh/sshd_config"
- command "echo KexAlgorithms diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1 >> /etc/ssh/sshd_config"
-end
diff --git a/buildserver/provision-ubuntu-trusty-paramiko b/buildserver/provision-ubuntu-trusty-paramiko
new file mode 100644
index 00000000..81a3cd23
--- /dev/null
+++ b/buildserver/provision-ubuntu-trusty-paramiko
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+# Ubuntu trusty 14.04's paramiko does not work with jessie's openssh's default settings
+# https://stackoverflow.com/questions/7286929/paramiko-incompatible-ssh-peer-no-acceptable-kex-algorithm/32691055#32691055
+
+if ! grep --quiet ^Ciphers /etc/ssh/sshd_config; then
+ echo Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr >> /etc/ssh/sshd_config
+fi
+
+if ! grep --quiet ^MACs /etc/ssh/sshd_config; then
+ echo MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,hmac-sha1 >> /etc/ssh/sshd_config
+fi
+
+if ! grep --quiet ^KexAlgorithms /etc/ssh/sshd_config; then
+ echo KexAlgorithms diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1 >> /etc/ssh/sshd_config
+fi
diff --git a/makebuildserver b/makebuildserver
index b4a890f4..b4c900ef 100755
--- a/makebuildserver
+++ b/makebuildserver
@@ -384,7 +384,6 @@ vagrantfile += """
 chef.json = {
 :settings => {
 :debian_mirror => "%s",
- :ubuntu_trusty => "%s",
 :user => "vagrant"
 }
 }
@@ -399,9 +398,14 @@ vagrantfile += """ config.vm.provision "file", source: "gradle", destination: "/opt/gradle/bin/gradle" + # let Ubuntu/trusty's paramiko work with the VM instance + if `uname -v`.include? "14.04" + config.vm.provision "shell", path: "provision-ubuntu-trusty-paramiko" + end + end -""" % (config['debian_mirror'], - str('14.04' in os.uname()[3]).lower()) +""" % config['debian_mirror'] + # Check against the existing Vagrantfile, and if they differ, we need to # create a new box:
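Review bot: The `MACs` and `KexAlgorithms` lines appended by the new script turn SHA-1 based algorithms (`hmac-sha1`, `diffie-hellman-group14-sha1`, `diffie-hellman-group-exchange-sha1`) and `hmac-ripemd160` back on for every client of the VM's sshd, and nothing in the script says that the weakening is deliberate or when it can be removed. I would add a comment above the three blocks such as `# deliberately re-enables SHA-1 MACs/KEX for trusty's paramiko; drop once trusty hosts are unsupported`. The removed Chef resource set `command` three times, so presumably only the last one (KexAlgorithms) was ever written; this script now also pins `Ciphers` and `MACs`, which is a behaviour change the commit message does not mention. The script appends to `/etc/ssh/sshd_config` without checking the result, so ending it with `sshd -t` would catch a broken config before the next sshd restart.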
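Review bot: The `uname -v` test in the added Vagrantfile lines of the second makebuildserver hunk decides from the host's kernel build string whether the guest's sshd gets the weaker algorithm lists, and that string is not a dependable release marker (the heuristic is carried over from the removed `os.uname()[3]` check); it may lack "14.04" on a trusty host, in which case the provisioner is silently skipped. Reading the release file is more direct, for example `if File.exist?('/etc/lsb-release') && File.read('/etc/lsb-release').include?('DISTRIB_RELEASE=14.04')`. The check now also runs every time Vagrant evaluates the file rather than once when makebuildserver generates it, which deserves a word in the comment above it. The `vagrantfile` string starts and ends outside this hunk, so whether the relative `path:` resolves next to the generated Vagrantfile cannot be confirmed from here.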