I have a custom global parameter “breakglass_password”.
I want to update/override this parameter in the provisioning template of type snippet on a per-host basis.
Currently I have this:
```erb
<%#
kind: snippet
name: user_breakglass
model: ProvisioningTemplate
snippet: true
description: |
  Create breakglass user with a random password from global parameter.
-%>
<%-
username = 'breakglass'
password = SecureRandom.base64
cached_pass = "#{password}"
@host.comment = "breakglass password is: #{cached_pass}"
@host.save!
@host.params['breakglass_password'] = "#{password}"
@host.save!
home = '/var/home/breakglass'
shell = '/bin/bash'
-%>
<%- if @format == 'kickstart' -%>
/usr/sbin/useradd <%= username %> -m -d <%= home %> -s <%= shell %>
echo "<%= username %>:<%= cached_pass %>" | /usr/sbin/chpasswd
mkdir -p -m 0700 <%= home %>/.ssh/
cp -vrf /etc/skel/.* <%= home %>
chown -R <%= username %>:<%= username %> <%= home %>
echo '<%= username %> ALL=(ALL:ALL) NOPASSWD: ALL' > /etc/sudoers.d/00_breakglass
<%- else -%>
echo "user_breakglass format not defined"
<%- end -%>
```
I tried adding it to the comment section and it works, but I was just curious whether I can use a custom param for this purpose.
The current implementation which I have: @host.params['breakglass_password'] = "****" doesn’t work. It seems like we can just read params like this and not override them.
I understand that exposing the password is a bad idea.
If you turn off Safemode Rendering in Settings, does it work correctly then?
“Safemode Rendering” Prevents Direct Database Writes: By default, Satellite enables a “safemode rendering” option for templates, including provisioning templates. This feature is a security measure designed to prevent “harmful code being executed from templates” and “denies access to variables and any object that is not listed in Satellite”. Your attempt to use @host.save! within the template is likely being blocked by this security mechanism, as it would constitute a direct write operation to the Satellite database from within the template’s execution context.
Can you create a global parameter under Configure → Global Parameters, called breakglass_password with a string value and set it to something random, since we will overwrite it below?
Then we can try this:
```erb
<%#
kind: snippet
name: user_breakglass
model: ProvisioningTemplate
snippet: true
description: |
  Create breakglass user with a random password from global parameter.
-%>
<%-
username = 'breakglass'
password = SecureRandom.base64
cached_pass = "#{password}"
@host.comment = "breakglass password is: #{cached_pass}"
@host.params['breakglass_password'] = "#{password}"
@host.save!
@host.reload
home = '/var/home/breakglass'
shell = '/bin/bash'
-%>
<%- if @format == 'kickstart' -%>
/usr/sbin/useradd <%= username %> -m -d <%= home %> -s <%= shell %>
echo "<%= username %>:<%= cached_pass %>" | /usr/sbin/chpasswd
mkdir -p -m 0700 <%= home %>/.ssh/
cp -vrf /etc/skel/.* <%= home %>
chown -R <%= username %>:<%= username %> <%= home %>
echo '<%= username %> ALL=(ALL:ALL) NOPASSWD: ALL' > /etc/sudoers.d/00_breakglass
<%- else -%>
echo "user_breakglass format not defined"
<%- end -%>
```
I tried this on the Rails console and it worked for me, let me know if it works since I need to do some additional steps to my Foreman to provision.
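An added example, not part of the thread and not Foreman code: a standalone Ruby sketch of the snippet's password step that renders only a SHA-512 crypt hash into the kickstart output and hands the cleartext back to the caller, so it can be stored somewhere other than the host comment. The names `KICKSTART`, `sha512_crypt` and `render_breakglass` are hypothetical, and it assumes a libc whose crypt(3) supports `$6$` (glibc does).

```ruby
require 'securerandom'
require 'erb'

# Constructed stand-in for the kickstart branch of the snippet above.
# Only the password line differs: `chpasswd -e` expects an already hashed
# password, and single quotes keep the shell from expanding the `$` in it.
KICKSTART = <<~'TEMPLATE'
  /usr/sbin/useradd <%= username %> -m -d <%= home %> -s <%= shell %>
  echo '<%= username %>:<%= pass_hash %>' | /usr/sbin/chpasswd -e
TEMPLATE

# Hash a password with SHA-512 crypt ($6$) through the platform crypt(3).
# Assumption: the libc supports the $6$ scheme.
def sha512_crypt(password)
  salt = SecureRandom.alphanumeric(16)
  hashed = password.crypt("$6$#{salt}$")
  raise 'crypt(3) on this platform lacks SHA-512 support' unless hashed.start_with?('$6$')

  hashed
end

# Generate the random password, hash it, and render the kickstart fragment.
# The cleartext is returned to the caller only; it never appears in :script.
def render_breakglass(username: 'breakglass', home: '/var/home/breakglass', shell: '/bin/bash')
  password = SecureRandom.base64
  pass_hash = sha512_crypt(password)
  script = ERB.new(KICKSTART, trim_mode: '-').result_with_hash(
    username: username, home: home, shell: shell, pass_hash: pass_hash
  )
  { password: password, pass_hash: pass_hash, script: script }
end

if __FILE__ == $PROGRAM_NAME
  result = render_breakglass
  puts result[:script]
end
```
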