diskimage-builder/elements/rhel-common/os-refresh-config/pre-configure.d/06-rhel-registration
Ryan Brady 2fb72d6ed9 Deprecates username and password from boot time registration
The username and password combination is considered insecure to store in
the metadata passed to the stack as they can easily be obtained and
possibly used in an unauthorized manner by logging into one of the
registration systems. The use of an activation key is more desirable
as it can only be used in conjunction with subscription-manager to
register a RHEL system.

This patch deprecates the username and password support from the script
that registers RHEL with either Satellite or RH Customer Portal during
boot-time.  This patch also adds a warning if the username and password
combination is used in the stack metadata. The documentation and examples
have also been updated to warn operators of the deprecation of username
and password.

This patch does not affect the username and password support for
registration activities while building images with diskimage-builder.

Change-Id: I05b7a18e910d31ad2273042409f8657ad9dee36a
2014-12-09 10:56:55 -05:00


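#!/bin/bash
#
# Boot-time RHEL registration, run from os-refresh-config's pre-configure.d.
# Settings are read from the rh_registration.* keys of the stack metadata with
# os-apply-config and drive subscription-manager against either the Customer
# Portal (REG_METHOD=portal) or a Satellite server (REG_METHOD=satellite).
#
# Security notes:
#   * Command tracing (xtrace) is switched off wherever a credential is read,
#     tested or passed to a command, so the activation key, username and
#     password are not copied into the boot-time logs.
#   * Options are collected in arrays and expanded quoted, so a metadata value
#     containing whitespace or glob characters reaches subscription-manager as
#     one argument instead of being split into extra options.
set -eu
set -o pipefail

# Credentials are read before xtrace is enabled: a traced assignment would
# print the value.
REG_ACTIVATION_KEY="$(os-apply-config --key rh_registration.activation_key --type raw --key-default '')"
REG_PASSWORD="$(os-apply-config --key rh_registration.password --type raw --key-default '')"
REG_USER="$(os-apply-config --key rh_registration.user --type raw --key-default '')"

set -x
REG_AUTO_ATTACH="$(os-apply-config --key rh_registration.auto_attach --type raw --key-default 'true')"
REG_BASE_URL="$(os-apply-config --key rh_registration.base_url --type raw --key-default '')"
REG_ENVIRONMENT="$(os-apply-config --key rh_registration.environment --type raw --key-default '')"
REG_FORCE="$(os-apply-config --key rh_registration.force --type raw --key-default '')"
REG_MACHINE_NAME="$(os-apply-config --key rh_registration.machine_name --type raw --key-default '')"
REG_ORG="$(os-apply-config --key rh_registration.org --type raw --key-default '')"
REG_POOL_ID="$(os-apply-config --key rh_registration.poolid --type raw --key-default '')"
REG_RELEASE="$(os-apply-config --key rh_registration.release --type raw --key-default '')"
REG_REPOS="$(os-apply-config --key rh_registration.repos --type raw --key-default '')"
REG_SAT_URL="$(os-apply-config --key rh_registration.satellite_url --type raw --key-default '')"
REG_SERVER_URL="$(os-apply-config --key rh_registration.server_url --type raw --key-default '')"
REG_SERVICE_LEVEL="$(os-apply-config --key rh_registration.service_level --type raw --key-default '')"
REG_TYPE="$(os-apply-config --key rh_registration.type --type raw --key-default '')"
REG_METHOD="$(os-apply-config --key rh_registration.method --type raw --key-default '')"

opts=()         # arguments for `subscription-manager register`
attach_opts=()  # arguments for `subscription-manager attach`
repos=(repos --enable rhel-7-server-rpms)
satellite_repo="rhel-7-server-rh-common-beta-rpms"

# Runs `subscription-manager register` with the collected options.
# xtrace is off for the call because the argument list carries the activation
# key or the username/password. The ${arr[@]+...} form keeps an empty array
# from tripping `set -u` on older bash releases.
register_system() {
  set +x
  subscription-manager register ${opts[@]+"${opts[@]}"}
  set -x
}

# NOTE(review): the test is for a non-empty value, so any non-empty setting
# (presumably including a literal "false") turns auto-attach on; only an empty
# value disables it. Confirm that is intended.
if [ -n "${REG_AUTO_ATTACH:-}" ]; then
  opts+=(--auto-attach)
  if [ -n "${REG_SERVICE_LEVEL:-}" ]; then
    opts+=(--servicelevel "$REG_SERVICE_LEVEL")
  fi
  if [ -n "${REG_RELEASE:-}" ]; then
    opts+=("--release=$REG_RELEASE")
  fi
else
  if [ -n "${REG_SERVICE_LEVEL:-}" ]; then
    echo "WARNING: REG_SERVICE_LEVEL set without REG_AUTO_ATTACH."
  fi
  if [ -n "${REG_RELEASE:-}" ]; then
    echo "WARNING: REG_RELEASE set without REG_AUTO_ATTACH."
  fi
  if [ -n "${REG_POOL_ID:-}" ]; then
    attach_opts+=("--pool=$REG_POOL_ID")
  fi
fi

if [ -n "${REG_BASE_URL:-}" ]; then
  opts+=("--baseurl=$REG_BASE_URL")
fi
if [ -n "${REG_ENVIRONMENT:-}" ]; then
  opts+=("--env=$REG_ENVIRONMENT")
fi
if [ -n "${REG_FORCE:-}" ]; then
  opts+=(--force)
fi
if [ -n "${REG_SERVER_URL:-}" ]; then
  opts+=("--serverurl=$REG_SERVER_URL")
fi

# Credential handling. Tracing stays off for the whole block: even the
# `[ -n ... ]` tests would print the secret values when traced.
# Both forms still place the secret on subscription-manager's command line,
# where it can be read from the process list while the command runs.
set +x
if [ -n "${REG_ACTIVATION_KEY:-}" ]; then
  opts+=("--activationkey=$REG_ACTIVATION_KEY")
  if [ -z "${REG_ORG:-}" ]; then
    echo "WARNING: REG_ACTIVATION_KEY set without REG_ORG."
  fi
elif [ -n "${REG_USER:-}" ] || [ -n "${REG_PASSWORD:-}" ]; then
  # Warn only when the deprecated credentials are actually present in the
  # metadata, not merely because no activation key was given.
  echo "WARNING: Support for registering with a username and password is deprecated."
  echo "Please use activation keys instead. See the README for more information."
  if [ -n "${REG_PASSWORD:-}" ]; then
    opts+=(--password "$REG_PASSWORD")
  fi
  if [ -n "${REG_USER:-}" ]; then
    opts+=(--username "$REG_USER")
  fi
fi
set -x

if [ -n "${REG_MACHINE_NAME:-}" ]; then
  opts+=(--name "$REG_MACHINE_NAME")
fi
if [ -n "${REG_ORG:-}" ]; then
  opts+=("--org=$REG_ORG")
fi

if [ -n "${REG_REPOS:-}" ]; then
  extra_repos=()
  # REG_REPOS is a comma-separated list. Commas become spaces and `read -a`
  # splits on whitespace, which performs no pathname expansion on the values.
  # With -d '' read returns non-zero at end of input, hence `|| true`.
  read -r -d '' -a extra_repos <<< "${REG_REPOS//,/ }" || true
  for repo in ${extra_repos[@]+"${extra_repos[@]}"}; do
    repos+=(--enable "$repo")
  done
fi

if [ -n "${REG_TYPE:-}" ]; then
  opts+=("--type=$REG_TYPE")
fi

case "${REG_METHOD:-}" in
  portal)
    register_system
    if [ -z "${REG_AUTO_ATTACH:-}" ]; then
      subscription-manager attach ${attach_opts[@]+"${attach_opts[@]}"}
    fi
    subscription-manager "${repos[@]}"
    ;;
  satellite)
    repos+=(--enable "${satellite_repo}")
    if [ -z "${REG_SAT_URL:-}" ]; then
      echo "WARNING: REG_METHOD is 'satellite' but REG_SAT_URL is not set."
    fi
    # NOTE(review): this package is downloaded from a URL taken from the stack
    # metadata and installed as root; judging by its name it carries the
    # Satellite CA certificate. If REG_SAT_URL is a plain http:// URL the
    # download is not authenticated, and `|| true` hides a failed install.
    # Confirm both are acceptable for the deployment.
    rpm -Uvh "$REG_SAT_URL/pub/katello-ca-consumer-latest.noarch.rpm" || true
    register_system
    subscription-manager "${repos[@]}"
    yum install -y katello-agent || true # needed for errata reporting to satellite6
    katello-package-upload
    # beta-rpms repo only needed to support the katello-ca rpm above.
    subscription-manager repos --disable "${satellite_repo}"
    ;;
  *)
    echo "WARNING: only 'portal' and 'satellite' are valid values for REG_METHOD."
    exit 0 # keeps the stack from failing if you don't set a value in REG_METHOD
    ;;
esac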