# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
-x="$(readlink -f "$BASH_SOURCE")"; source "${x%/*}/bash-trace"
+set -e; . /usr/local/lib/bash-bear; set +e
[[ $EUID == 0 ]] || exec sudo -E "${BASH_SOURCE[0]}" "$@"
-LC_USEBASHRC=t; . ~/.bashrc
usage() {
- cat <<EOF
-usage: ${0##*/} [-h|--help] [BASE_CODENAME] [ARCH]
+ cat <<'EOF'
+usage: faiserver-setup [-h|--help] [BASE_CODENAME] [ARCH]
install fai-server on the current machine
Initial setup of a fai server. works on localhost. Set's the current ip
work. Separate from running this, faiserver needs to be setup in dns to
point to whatever host this is run on.
-Default BASE_CODENAME is buster. Default ARCH is 64. The script expects corresponding
-$BASEFILE_DIR/${UPCASED_BASE_CODENAME}${ARCH}.tar.(gz|xz) to exist, and it must have been
+Default BASE_CODENAME is bookworm. Default ARCH is 64. The script expects corresponding
+$BASEFILE_DIR/${UPCASED_BASE_CODENAME}${ARCH}.tar.(zst|xz) to exist, and it must have been
generated around the same time as the nfsroot, at least so it has the
same kernel version.
+for copying and running this on a remote server,
+scp -tPrl fai SERVER:
+scp $(readlink -f ~/.ssh/home.pub) SERVER:.ssh
+scp /a/bin/cedit/cedit SERVER:/usr/local/bin
+# todo: make the above key be an option
+
+
+Note: there is a bug in 5.9.4, fixed by adding
+ sleep 2
+
+Note: in t9, there is a bug in recent fai packages (eg 2021+), where
+ unshare uses a too new argument. I was able to fix it by
+ just going to the site of the error and changing unshare to
+ chroot like it used to be, but I'm not bothering to make
+ any persistent fix, since I'm now on t10. If it ever came
+ up again, using an old fai package would also work.
+ /usr/sbin/fai-make-nfsroot:503, before apt-get update
+
+
EOF
- exit $1
+ exit 0
}
case $1 in
-h|--help) usage ;;
esac
-e() { echo "+ $@"; "$@"; }
+e() { echo "+ $*"; "$@"; }
-base=${1:-buster}
+base=${1:-bookworm}
arch=${2:-64}
if [[ $base == [[:upper:]] ]]; then
exit 1
fi
-basefile=($BASEFILE_DIR/${base^^}${arch^^}.tar.gz)
+basefile=$BASEFILE_DIR/${base^^}${arch^^}.tar.zst
sed="sed -ri --follow-symlinks"
if [[ ! -e $basefile ]]; then
[[ $(dpkg --print-architecture) == armhf ]]
}
-if grep -xFq 'VERSION="8 (jessie)"' /etc/os-release; then
- gpg -a --recv-keys 2BF8D9FE074BCDE4; gpg -a --export 2BF8D9FE074BCDE4 | apt-key add -
- cat >/etc/apt/sources.list.d/fai.list <<'EOF'
-deb https://fai-project.org/download jessie koeln
-EOF
-elif grep -iE 'VERSION=.*(stretch|flidas|xenail|buster|bullseye|etiona)' /etc/os-release; then
- # fai on ubuntu only has official support using the universe repo, but newer
- # tends to have less bugs.
- wget -O - https://fai-project.org/download/2BF8D9FE074BCDE4.asc | apt-key add -
-
- case $base in
- stretch|buster|bullseye)
- cat >/etc/apt/sources.list.d/fai.list <<EOF
+# fai on ubuntu only has official support using the universe repo, but newer
+# tends to have less bugs.
+wget -O - https://fai-project.org/download/fai-project.gpg | sudo dd of=/etc/apt/trusted.gpg.d/fai-project.gpg
+
+update=false
+case $base in
+ stretch|buster|bullseye|bookworm)
+ if ! grep -qFx "deb https://fai-project.org/download $base koeln" /etc/apt/sources.list.d/fai.list; then
+ update=true
+ fi
+ cat >/etc/apt/sources.list.d/fai.list <<EOF
deb https://fai-project.org/download $base koeln
EOF
- ;;
- *)
- echo "$0: error: script needs updating for new base" >&2
- exit 1
- ;;
- esac
-else
- rm -f /etc/apt/sources.list.d/fai.list
+ ;;
+ *)
+ echo "$0: error: script needs updating for new base" >&2
+ exit 1
+ ;;
+esac
+
+f=/var/cache/apt/pkgcache.bin;
+if [[ -r $f ]]; then
+ cachetime=$(stat -c %Y $f );
+ now=$(date +%s)
+ limittime=$(( now - 60*60*2 ))
+ if (( cachetime > limittime )); then
+ update=true
+ fi
fi
-apt-get update
+if $update; then
+ apt-get update
+fi
# Relevant packages from fai-quickstart depends and fai-server recommends.
# I especially do not wait isc-dhcp-server or an inetd. Also excludes
# kernel, or the ability to install it.
# xorriso is for running fai-cd -a, not strictly need for fai-server
# perl-tk is for fai-monitor-gui
-pkgs=(fai-doc tftpd-hpa tar reprepro squashfs-tools binutils xorriso)
+# mtools is for fai-cd
+pkgs=(fai-doc tftpd-hpa tar reprepro squashfs-tools binutils xorriso perl-tk mtools)
if modprobe nfsd &>/dev/null; then
pkgs+=(nfs-kernel-server)
else
cat >/etc/fai/apt/sources.list <<EOF
deb $r $base main contrib
EOF
+
+### begin setup security repo ###
case $base in
- jessie|stretch|buster)
+ stretch|buster)
cat >>/etc/fai/apt/sources.list <<EOF
deb http://security.debian.org/debian-security $base/updates main contrib
EOF
deb http://security.debian.org/debian-security $base-security main contrib
EOF
esac
+### end setup security repo ###
cat >>/etc/fai/apt/sources.list <<EOF
deb http://fai-project.org/download $base koeln
EOF
-if [[ $base == jessie ]]; then
- cat >>/etc/fai/apt/sources.list <<'EOF'
-# fix tar https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=819978
-deb http://ftp.debian.org/debian jessie-backports main
-EOF
- # note, fai doesn\'t look at /etc/fai/apt/preferences.d
- cat >/etc/fai/apt/preferences <<'EOF'
-Package: tar
-Pin: release a=jessie-backports
-Pin-Priority: 500
+## Get latest kernel and btrfs for dealing with btrfs issues.
+# if [[ $base == buster ]]; then
+# cat >>/etc/fai/apt/sources.list <<'EOF'
+# deb http://ftp.debian.org/debian buster-backports main
+# EOF
+# # note, fai doesn\'t look at /etc/fai/apt/preferences.d
+# cat >/etc/fai/apt/preferences <<'EOF'
+# Package: linux-* firmware-linux-free btrfs-progs
+# Pin: release a=buster-backports
+# Pin-Priority: 500
+# EOF
+# fi
+
+
+if [[ -s /q/root/shadow/standard ]]; then
+ $sed -f - /etc/fai/nfsroot.conf <<EOF
+$ a FAI_ROOTPW='$(</q/root/shadow/standard)'
+/^\s*FAI_ROOTPW/d
EOF
fi
-
$sed -f - /etc/fai/nfsroot.conf <<EOF
-$ a FAI_ROOTPW='$(</q/root/shadow/standard)'
-/^\s*FAI_ROOTPW/d
$ a SSH_IDENTITY=/root/.ssh/home.pub
/^\s*SSH_IDENTITY/d
s,^( *FAI_DEBOOTSTRAP=).*,\1"$base $r",
NFSROOT=/srv/fai/nfsroot
TFTPROOT=/srv/tftp/fai
- # test if our copy of setup_tftp has changed in fai-make-nfsroot,
- # and if not, run it.
+ # setup_tftp is copied from fai-make-nfsroot,
+ # todo: need to check for an update, and we had an unused variable in ours: $v
setup_tftp(){
# tftp environment
local pxebin
- # wheezy path
- if [ -f $NFSROOT/usr/lib/PXELINUX/pxelinux.0 ]; then
- pxebin=$NFSROOT/usr/lib/PXELINUX/pxelinux.0
- else
- # jessie+ path
- pxebin=$NFSROOT/usr/lib/syslinux/pxelinux.0
- fi
+ # jessie+ path
+ pxebin=$NFSROOT/usr/lib/syslinux/pxelinux.0
rm -f $NFSROOT/boot/*.bak
mkdir -p $TFTPROOT/pxelinux.cfg
echo "$0: error: No initrd was created. Check the package name of the linux-image package in /etc/fai/NFSROOT."
exit 1
fi
- cp -p $v $NFSROOT/boot/vmlinu?-* $NFSROOT/boot/initrd.img-* $TFTPROOT
+ cp -p $NFSROOT/boot/vmlinu?-* $NFSROOT/boot/initrd.img-* $TFTPROOT
cp -u $pxebin $TFTPROOT
if [ -f $NFSROOT/usr/lib/syslinux/modules/bios/ldlinux.c32 ]; then
cp -u $NFSROOT/usr/lib/syslinux/modules/bios/ldlinux.c32 $TFTPROOT
fi
- if [ X$verbose = X1 ]; then
- echo "TFTP environment prepared. Enable DHCP and start the TFTP daemon on root $TFTPROOT."
- fi
}
- diff -u <(type setup_tftp) <(cat <(sed -n '/^setup_tftp(){/,/^}/p' $(which fai-make-nfsroot) ) - <<'EOF' |bash
-type setup_tftp
-EOF
- )
e setup_tftp
# -g causes skipping set_root_pw() in fai-make-nfsroot, -ag
e fai-setup -evf -B $basefile
# fai-setup expert mode avoids writing to /var/log/fai/variables
# at least config_src is needed for autodiscover
+
+
+ # lld /var/log/fai/remote-logs:
+ # d 750 fai nogroup 100 08-07 08:51 pm /var/log/fai/remote-logs
+ # We could change the group or something, but why not just give me more permissions :)
+ e usermod -a -G nogroup iank
$sed '/^FAI_CONFIGDIR|^FAI_CONFIG_SRC|^LOGUSER/d' /var/log/fai/variables
tee -a /var/log/fai/variables <<'EOF'
LOGUSER=fai
FAI_CONFIGDIR=/srv/fai/config
-FAI_CONFIG_SRC=nfs://faiserver/srv/fai/config
+FAI_CONFIG_SRC=nfs://faiserver.b8.nz/srv/fai/config
EOF
# make the faiserver also the apt proxy server
- apt-get -y install apt-cacher-ng
+ # apt-get -y install apt-cacher-ng
fi
rm -f /srv/fai/nfsroot/root/.ssh/known_hosts
-key=$(ssh-keyscan localhost |& grep -o "ecdsa-sha2-nistp256.*")
-for ip in faiserver $(ip addr show up| grep -w '^ *inet' | awk '{print $2}'| cut -d / -f 1 | grep -vF 127.0.0.1); do
+if [[ $HOSTNAME == kd ]]; then
+ keyscan_arg="-p 8989"
+fi
+key=$(ssh-keyscan $keyscan_arg localhost |& grep -o "ecdsa-sha2-nistp256.*")
+for ip in faiserver.b8.nz $(ip addr show up| grep -w '^ *inet' | awk '{print $2}'| cut -d / -f 1 | grep -vF 127.0.0.1); do
echo "$ip $key" >>/srv/fai/nfsroot/root/.ssh/known_hosts
done
+# make it the root because pxe-kexec only looks there.
+# It wouldn't be too hard to change if we needed.
+# We could also just dump things in /srv/tftp, but fai
+# has some defaults, which I don't even use, which expect
+# the other directory, so it's kind of a tossup, whatever.
+# This means fai's example isc-dhcp-server filename directory should remove the fai/ prefix.
+sed -ri 's,^ *(TFTP_DIRECTORY=).*,\1"/srv/tftp/fai",' /etc/default/tftpd-hpa
+systemctl restart tftpd-hpa
+
# serial console
# mainly from
# the logsave prompted because the hostname faiserver was uknown.
# Here it was faiserver.lan when running from a faiserver vm.
# When running from a normal host with faiserver alias, it was the normal hosts name.
-$sed 's/(^[^,]+,)\S+/\1faiserver/' /srv/fai/nfsroot/root/.ssh/known_hosts
+$sed 's/(^[^,]+,)\S+/\1faiserver.b8.nz/' /srv/fai/nfsroot/root/.ssh/known_hosts
# ditch the logo banner up top which screws with less.
touch /srv/fai/nfsroot/.nocolorlogo
iankelling.org / git / automated-distro-installer / blobdiff