OCTOPASS is a Linux user management tool for the cloud/GitHub generation

Slides from the YAPC::Fukuoka 2017 Hakata "前々夜野菜" (pre-pre-night event) held at GMO Pepabo.

linyows

June 30, 2017

Transcript

  1. খా஌ԝ(.01FQBCP *OD +VOF :"1$'VLVPLB)BLBUBલʑ໷ࡇ ඇެࣜ $MPVEHJUIVC࣌୅ͷ -JOVYೝূΛ࣮ݱ͢Δ 0$501"44

  2. Principal Engineer, Tomohisa Oda (@linyows), Technology Division, Technical Infrastructure Team. http://tomohisaoda.com

  3. Welcome to Fukuoka! Welcome to Pepabo Fukuoka! (Photo: Fukuoka City)

  4. Linux user authentication: how are you doing it?

  5. Centralized Linux user management usually means one of:
     - LDAP
     - Radius
     - Active Directory
     - STNS (written by our own P-yama)

  6. Requesting and approving permissions: work that depends on particular people, or is overkill for a small setup

  7. What's frustrating:
     - You just want to log in, but getting permission is a hassle
     - A mysterious job title appears: "the person who runs the central directory"
     - In a large organization it ends up being managed separately in each place anyway
     - You want to manage something small, yet you end up standing up servers and doing chores
     - Operating it is simply a pain
  8. Did you log in to some server today?

  9. That is exactly what this talk is about!

  10. Signs of the times:
     - From on-premises to cloud
     - Role/Host and Infrastructure as Code are the norm
     - Container-based virtualization has become mainstream
     - With HA clusters, logs and monitoring move off the box
     - Serverless architecture
  11. Even though the complexity, frequency and occasions have decreased, Linux user management isn't going away.

  12. What we really want:
     - Separation and delegation of authority (one grand unified directory is a dream)
     - Each department manages its own Linux users in one place
     - SSH key authentication
     - Management that is easy and takes effect immediately

  13. If you want it, build it!

  15. (GitHub logo guidelines, https://github.com/logos) Please don't do these things:
     - Use the Octocat or GitHub logo for your application's icon
     - Create a modified version of the Octocat or GitHub logo
     - Integrate the Octocat or GitHub logo into your logo
     - Use any GitHub artwork without permission
     - Sell any GitHub artwork without permission
     - Change the colors, dimensions or add your own text/images

  18. Installation and configuration

     $ sudo apt-get install octopass
     $ cat <<EOF > /etc/octopass.conf
     Token = "iad87dih122ce66a1e20a751664c8a9dkoak87g7"
     Organization = "fukuokago"
     Team = "operators"
     EOF
     $ sudo chown root:root /etc/octopass.conf
  19. Names resolve from GitHub, and keys can be fetched

     $ id ken
     uid=5458(ken) gid=2000(operators) groups=2000(operators)
     $ octopass passwd
     chun-li:x:14301:2000:managed by octopass:/home/chun-li:/bin/bash
     dhalsim:x:8875:2000:managed by octopass:/home/dhalsim:/bin/bash
     ken:x:5458:2000:managed by octopass:/home/ken:/bin/bash
     $ octopass ken
     ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAqUJvs1vRgHRMH9dpxYcBBV687njS2YrJ+oeIK…
  20. Beyond that, you only have to edit sshd_config, pam.d/sshd and nsswitch.conf, and SSH login works.

  21. How Linux authentication works

  22. How Linux authentication works:
     - PAM is the interface between authentication and each authentication implementation
     - PAM = Pluggable Authentication Module
     - User names are resolved through NSS
     - NSS = Name Service Switch
     - For databases such as hosts, passwd and group, you specify lookup sources such as files or db
  23. nsswitch.conf example

     passwd: files ldap
     shadow: files
     group:  files ldap
     hosts:  dns nis files
     ethers: files nis
     …
  24. pam.conf example

     #%PAM-1.0
     auth     required pam_securetty.so
     auth     required pam_unix.so shadow nullok
     auth     required pam_nologin.so
     account  required pam_unix.so
     password required pam_cracklib.so retry=3
     password required pam_unix.so shadow nullok use_authtok
     session  required pam_unix.so
  25. (Diagram: sshd → libpam → pam_unix, pam_…; sshd → libnss → nss_files, nss_…) In the case of sshd, public-key authentication can use AuthorizedKeysCommand, and with UsePAM enabled, key authentication works even when the account has an empty password.
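The three edits that slides 20 and 25 refer to, written out as an added example (not the project's own documentation). The sshd directives, nsswitch syntax and pam_exec/pam_mkhomedir modules are standard; the /usr/bin/octopass path, the "octopass" NSS source name and the "octopass pam" subcommand are assumptions about the tool based on what the slides show.

```conf
# /etc/ssh/sshd_config (additions)
# Ask an external command for the user's public keys instead of reading
# ~/.ssh/authorized_keys; "%u" expands to the login name.
# (assumed octopass invocation: slide 19 shows "octopass ken" printing the keys)
AuthorizedKeysCommand /usr/bin/octopass %u
# The command runs as this user; root so it can read the root-owned
# /etc/octopass.conf from slide 18. sshd refuses to start if this is missing.
AuthorizedKeysCommandUser root
# Run the PAM account/session stack for key-based logins too (slide 25).
UsePAM yes

# /etc/nsswitch.conf
# "files" stays first so local accounts resolve without contacting GitHub;
# "octopass" names the assumed NSS module (libnss_octopass) in slide 22's chain.
passwd: files octopass
shadow: files octopass
group:  files octopass

# /etc/pam.d/sshd (insert before the distribution's own auth lines)
# pam_exec passes the typed password (expose_authtok) to octopass, which is
# assumed to verify it as a GitHub personal token (slide 29).
auth    requisite pam_exec.so quiet expose_authtok /usr/bin/octopass pam
# No local account exists, so create the home directory on first login.
session required  pam_mkhomedir.so skel=/etc/skel umask=0022
```

After editing, validate with `sshd -t` before restarting sshd, and keep a root shell open until a GitHub-backed login has been confirmed.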

  26. What OCTOPASS does differently, and remaining issues

  27. Architecture

  28. What OCTOPASS does differently:
     - Keeps working even when GitHub is down (cache)
     - It sits in name resolution, so it has to be fast (cache)
     - Unit tests are written (criterion)
     - Integration tests too, of course (bash…)
     - Fewer dependencies (libcurl and jansson)
     - Package builds for each distribution are automated (docker-compose)
  29. What OCTOPASS solves:
     - Linux user name resolution from GitHub Teams
     - Key authentication with GitHub public keys
     - Authentication with a GitHub personal token

  30. Remaining issues:
     - In a large deployment you run into the GitHub API rate limit
     - Share the cache across hosts via etcd or Consul KV

  31. Summary

  32. Summary:
     - Linux user authentication has to evolve too, and a little ingenuity makes it far more convenient
     - C is less scary than you think, and you learn a lot
     - OCTOPASS is genuinely useful, so give it a try

  33. Want to work at Pepabo? Check the latest job openings → @pb_recruit

  34. Thank you