/fai/config/class/51-multi-boot
+/fai/config/files/root/.ssh/authorized_keys
+/fai/config/files/usr/local
# a valid address and we just use that
addr=$(host $host | sed -rn 's/^\S+ has address //p;T;q' ||:)
h=$(host $addr)
+case $h in
+ *"no PTR record")
+ echo "error: chost: $h" >&2
+ exit 1
+ ;;
+esac
h=${h##* }
echo $h
set -eE -o pipefail
trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
+[[ $EUID == 0 ]] || exec sudo -E "${BASH_SOURCE[0]}" "$@"
+
readonly this_file="$(readlink -f -- "${BASH_SOURCE[0]}")"; cd "${this_file%/*}"
usage() {
# i use faiserver as a dns alias, but ssh key is associated with
# a canonical hostname and we will have ssh warning spam unless we
# use it, so look it up just to avoid the warning spam.
-faiserver_host=$(chost $host) || faiserver_host=$host
+faiserver_host=$(/a/exe/chost $host) || faiserver_host=$host
+
+faiserver_addr=$(host $host | sed -rn 's/^\S+ has address //p;T;q' ||:)
+if ! ip a | grep "^ *inet.\? $faiserver_addr" &>/dev/null; then
+ rpre="-e 'ssh -F $HOME/.ssh/confighome' root@$faiserver_host:"
+ faiserver_shell="ssh -F $HOME/.ssh/confighome root@$faiserver_host"
+fi
-rsync -rlpt --delete --relative --exclude /fai/config/basefiles/ fai/config root@$faiserver_host:/srv
+# these are gitignored.
+rsync -atL /home/iank/.ssh/authorized_keys fai/config/files/root/.ssh/authorized_keys/STANDARD
+# we hssh and ssh_filter_btrbk for the initial btrbk (alternatively, I could open up the
+# permissions in authorized_keys, but that just seems lazy)
+install --owner=iank --group=iank -d fai/config/files/usr/local/bin/hssh
+rsync -atL /a/bin/ds/hssh fai/config/files/usr/local/bin/hssh/STANDARD
+install --owner=iank --group=iank -d fai/config/files/usr/local/bin/ssh_filter_btrbk.sh
+rsync -atL /a/opt/btrbk/ssh_filter_btrbk.sh fai/config/files/usr/local/bin/ssh_filter_btrbk.sh/STANDARD
+
+rsync -rlpt --delete --relative --exclude /fai/config/basefiles/ fai/config $rpre/srv
-sudo rsync -a /root/.ssh/home.pub \
- root@$faiserver_host:/srv/fai/config/files/root/.ssh/authorized_keys/STANDARD
# todo: automatically disable faiserver after a period so
# these files are not available.
if [[ $target ]]; then
- if sudo test -e /q/root/shadow/$target; then
+ if test -e /q/root/shadow/$target; then
shadowfile=shadow/$target # empty otherwise
fi
- sudo rsync -lpt --files-from=- /q/root root@$faiserver_host:/srv/fai/config/distro-install-common <<EOF
+ rsync -lpt --files-from=- /q/root $rpre/srv/fai/config/distro-install-common <<EOF
luks/$target
luks/host-$target
$shadowfile
EOF
else
- sudo rsync -rlpt /q/root/shadow /q/root/luks root@$faiserver_host:/srv/fai/config/distro-install-common
+ rsync -rlpt /q/root/shadow /q/root/luks $rpre/srv/fai/config/distro-install-common
fi
dirs=(/p/c/machine_specific/${target:-*}/filesystem/etc/ssh)
if [[ -e ${dirs[0]} ]]; then
- rsync -rlpt --delete --relative ${dirs[@]} root@$faiserver_host:/srv/fai/config/distro-install-common
+ rsync -rlpt --delete --relative ${dirs[@]} $rpre/srv/fai/config/distro-install-common
fi
. /a/bin/distro-setup/pkgs
pall+=($(/a/bin/buildscripts/emacs -p; /a/bin/distro-setup/distro-pkgs $distro))
printf "%s\n%s\n" "PACKAGES install" ${pall[*]} | \
- ssh root@$faiserver_host dd of=/srv/fai/config/package_config/DESKTOP 2>/dev/null ||: # broken pipe
+ $faiserver_shell dd of=/srv/fai/config/package_config/DESKTOP 2>/dev/null ||: # broken pipe
-rsync -rplt --include '/*.gz' --exclude '/**' --delete-excluded $BASEFILE_DIR/ root@$faiserver_host:/srv/fai/config/basefiles/
-ssh root@$faiserver_host bash <<'EOF'
-set -eE -o pipefail
-# make it the root because pxe-kexec only looks there.
-# It wouldn't be too hard to change if we needed.
-# We could also just dump things in /srv/tftp, but fai
-# has some defaults, which I don't even use, which expect
-# the other directory, so it's kind of a tossup, whatever.
-sed -ri 's,^ *(TFTP_DIRECTORY=).*,\1"/srv/tftp/fai",' /etc/default/tftpd-hpa
-systemctl restart tftpd-hpa
-
-changed=false
-f=/srv/fai/nfsroot/root/.ssh/known_hosts
-install -d -m 700 /srv/fai/nfsroot/root/.ssh
-# the known hosts entries that fai already sets up are like
-# IP,HOSTNAME key_info...
-# we are skipping the ip, because it doesn't block ssh
-# with a prompt as long as you have the user supplied hostname,
-# and i don't want to deal with getting it, it's not adding
-# any important security in this case.
-if ! grep -xFq "$line" $f &>/dev/null; then
- changed=true
- printf "%s\n" "$line" >>$f
-fi
-
-if ! modprobe nfsd &>/dev/null; then
- # no apt-cache on maru debian, because we are low on space already
- sed -i '/^ *APTPROXY=/d' /srv/fai/config/class/DEBIAN.var
- # maru debian doesn't have loopback devs created
- if ! losetup -f; then
- shopt -s nullglob
- x=(/dev/loop*)
- minor=0
- if (( ${#x[@]} )); then
- minor=$(( ${x[-1]#/dev/loop} + 1 ))
- fi
- mknod -m660 /dev/loop$minor b 7 $minor
- losetup -f
- fi
- # -B boo only iso, no nfsroot, no paritial miorr, no config space.
- # -f = force, for overwriting
- # -S = make squash image for http booting
- # -d config space url, instead of putting it in the squash.img,
- # this just makes it so that we don't have to regenerate the img
- # when the config changes.
- cd /srv/fai/config
- tar czf /var/www/faiserver/html/config.tar.gz .
- if $changed || [[ ! -e /var/www/faiserver/html/squash.img ]]; then
- # note, on maru, selinux needs to be disabled in android before
- # this will work.
- mount
- export debug=true
- fai-cd -d http://faiserver:8080/config.tar.gz -f -M -S /var/www/faiserver/html/squash.img
- mount
- fi
-fi
-EOF
+rsync -rplt --include '/*.gz' --exclude '/**' --delete-excluded $BASEFILE_DIR/ $rpre/srv/fai/config/basefiles/
#
# LINODE: For running a vm on linode, especially one created with fai-cd.
-###### begin Template for 51-multi-boot ######
-#
-# It has reasonable combinations of above classes.
-# It's a noop until we replace _ with host names.
-
-#!/bin/bash
-if [[ ! -e /a/bin/fai/fai-wrapper || $FAI_ACTION == dirinstall ]]; then
- case $HOSTNAME in
- # bookworm
- _) echo BOOKWORM64 VOL_BOOKWORM_BOOTSTRAP BOOKWORM_FREE ;;
- # bullseye based minimal recovery / bootstraping os:
- _) echo BULLSEYE64 VOL_BULLSEYE_BOOTSTRAP BULLSEYE_FREE ;;
- # buster
- _) echo BUSTER64 VOL_BUSTER_BOOTSTRAP BUSTER_FREE ;;
- # flidas
- _) echo UBUNTU FLIDAS64 VOL_FLIDAS FLIDAS ;;
- # etiona
- _) echo UBUNTU ETIONA64 VOL_ETIONA ETIONA ;;
- # nabia
- _) echo UBUNTU NABIA64 VOL_NABIA NABIA ;;
- # stretch
- _) echo STRETCH64 VOL_STRETCH STRETCH_FREE ;;
- # buster
- _) echo BUSTER64 VOL_BUSTER BUSTER_FREE ;;
- # testing
- _) echo STRETCH64 VOL_TESTING TESTING_FREE ;;
- # xenial
- _) echo UBUNTU XENIAL64 VOL_XENIAL XENIAL_FREE ;;
- # bionic
- _) echo UBUNTU BIONIC64 VOL_BIONIC BIONIC ;;
- # focal
- _) echo UBUNTU FOCAL64 VOL_FOCAL FOCAL ;;
- esac
-fi
-###### end Template for 51-multi-boot ######
if [[ -e /a/bin/fai/fai-wrapper ]]; then
source /a/bin/distro-functions/src/identify-distros
# if our eth0 mac is in the kvm range, we are a vm.
echo "VM"
fi
+
+exit 0
+### Below here is a comment of code, exit above is so it does not get executed ###
+
+###### begin Template for 51-multi-boot ######
+#
+# It has reasonable combinations of above classes.
+# It's a noop until we replace _ with host names.
+
+#!/bin/bash
+if [[ ! -e /a/bin/fai/fai-wrapper || $FAI_ACTION == dirinstall ]]; then
+ case $HOSTNAME in
+ # bullseye based minimal recovery / bootstraping os:
+ _) echo BULLSEYE64 VOL_BULLSEYE_BOOTSTRAP BULLSEYE_FREE ;;
+ # flidas
+ _) echo UBUNTU FLIDAS64 VOL_FLIDAS FLIDAS ;;
+ # etiona
+ _) echo UBUNTU ETIONA64 VOL_ETIONA ETIONA ;;
+ # nabia
+ _) echo UBUNTU NABIA64 VOL_NABIA NABIA ;;
+ # stretch
+ _) echo STRETCH64 VOL_STRETCH STRETCH_NONFREE ;;
+ # buster
+ _) echo BUSTER64 VOL_BUSTER BUSTER_NONFREE ;;
+ # bullseye
+ _) echo BULLSEYE64 VOL_BULLSEYE BULLSEYE_NONFREE ;;
+ # bookworm
+ _) echo BOOKWORM64 VOL_BOOKWORM BOOKWORM_NONFREE ;;
+ # testing
+ _) echo BOOKWORM64 VOL_TESTING TESTING_NONFREE ;;
+ # xenial
+ _) echo UBUNTU XENIAL64 VOL_XENIAL XENIAL_FREE ;;
+ # bionic
+ _) echo UBUNTU BIONIC64 VOL_BIONIC BIONIC ;;
+ # focal
+ _) echo UBUNTU FOCAL64 VOL_FOCAL FOCAL ;;
+ esac
+fi
+###### end Template for 51-multi-boot ######
# Old partition scheme
grub_extn=${dev}4
elif [[ $(blockdev --getsize64 ${dev}5) == 8388608 ]]; then
+ # Old partition scheme
grub_extn=${dev}5
else
grub_extn=${dev}7
fi
- mount $dev /mnt
+ mount $grub_extn /mnt
if $first; then
if [[ -e /mnt/grubenv ]]; then
set -x
fi
-#### this bit is duplicated in rootsshsync
-f=/var/lib/fai/config/files/root/.ssh/authorized_keys/STANDARD
-d=$target/etc/initramfs-tools
-d2=$target/etc/dropbear-initramfs
-mkdir -p $d/root/.ssh $d2
-chmod 700 $d/root $d/root/.ssh
-# i think buster uses the second, flidas uses the first.
-cp -p $f $d/root/.ssh/authorized_keys
-cp -p $f $d2/authorized_keys
+#### this bit is duplicated in rootsshsync, except we skip update-initramfs,
+# since I suspect its not needed. I'm not sure any of this is needed
+# since we initially embed the key, and with distro-begin, we run rootsshsync
+# around the same time as we remove it.
+d=/etc/initramfs-tools
+if [[ -e $d ]] && ! diff -q /root/.ssh/authorized_keys $d/root/.ssh/authorized_keys &>/dev/null; then
+ mkdir -p $d/root/.ssh /etc/dropbear-initramfs
+ chmod 700 $d/root $d/root/.ssh
+ cp -p /root/.ssh/authorized_keys $d/root/.ssh/authorized_keys
+ cp -p /root/.ssh/authorized_keys /etc/dropbear-initramfs
+ if [[ -e /root/.ssh/authorized_keys2 ]]; then
+ cat /root/.ssh/authorized_keys2 >>/etc/dropbear-initramfs
+ fi
+fi
DISTRO=debianbuster
elif ifclass VOL_BULLSEYE; then
DISTRO=debianbullseye
+ elif ifclass VOL_BOOKWORM; then
+ DISTRO=debianbookworm
elif ifclass VOL_TESTING; then
DISTRO=debiantesting
elif ifclass VOL_XENIAL; then
fcopy -riB /boot
# this is also done by FABASE/10-misc by default (without B)
fcopy -riB /root
+fcopy -riB /usr/local/bin
src=$FAI/distro-install-common/shadow
### begin setup security repo ###
case $base in
- stretch|buster|bullseye)
+ stretch|buster)
cat >>/etc/fai/apt/sources.list <<EOF
deb http://security.debian.org/debian-security $base/updates main contrib
EOF
echo "$ip $key" >>/srv/fai/nfsroot/root/.ssh/known_hosts
done
+# make it the root because pxe-kexec only looks there.
+# It wouldn't be too hard to change if we needed.
+# We could also just dump things in /srv/tftp, but fai
+# has some defaults, which I don't even use, which expect
+# the other directory, so it's kind of a tossup, whatever.
+sed -ri 's,^ *(TFTP_DIRECTORY=).*,\1"/srv/tftp/fai",' /etc/default/tftpd-hpa
+systemctl restart tftpd-hpa
+
# serial console
# mainly from
-h|--help) usage ;;
esac
+
+faiserver_addr=$(host faiserver | sed -rn 's/^\S+ has address //p;T;q' ||:)
host=$(./chost faiserver)
-if [[ $host == $(./chost $HOSTNAME) ]]; then
+if ip a | grep "^ *inet.\? $faiserver_addr" &>/dev/null; then
./myfai-chboot-local "$@"
else
ssh root@$host bash -s -- "$@" <myfai-chboot-local
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+[[ $EUID == 0 ]] || exec sudo -E "${BASH_SOURCE[0]}" "$@"
x="$(readlink -f "$BASH_SOURCE")"; source "${x%/*}/bash-trace"
e() { printf "$pre %s\n" "$*"; }
err() { echo "[$(date +'%Y-%m-%d %H:%M:%S%z')]: $pre: $*" >&2; }
+PATH="/a/exe:$PATH"
+
##### begin command line parsing ########
dhcp=true
iankelling.org / git / automated-distro-installer / commitdiff