author | Ian Kelling <ian@iankelling.org> | |
Sun, 24 Jan 2016 07:42:30 +0000 (23:42 -0800) | ||
committer | Ian Kelling <ian@iankelling.org> | |
Mon, 6 Feb 2017 06:21:40 +0000 (22:21 -0800) |
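diff --git a/fai-revm b/fai-revm
index 3b3e003c7e35ba20c0960c29de98ce4b59aadfe3..af8bc365c48fb01c0f4f583854c275baaa76dfb5 100755
--- a/fai-revm
+++ b/fai-revm
 set -eE -o pipefail
 trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?"' ERR
+new_disk=false
+[[ ! $1 ]] || new_disk=true
+
 cd "${BASH_SOURCE%/*}"
 ./fai-redep
 s virshrm demohost ||:
 for f in /var/lib/libvirt/images/demohost{,b}; do
- [[ -e $f ]] || s qemu-img create -o preallocation=metadata -f qcow2 $f 30G
+ if $new_disk || [[ ! -e $f ]]; then
+ s qemu-img create -o preallocation=metadata -f qcow2 $f 30G
+ fi
 done
 # osinfo-query os | gr jessie
 s virt-install --os-variant debian8 --cpu host -n demohost --pxe -r 2048 --vcpus 1 \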
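Review bot: `[[ ! $1 ]] || new_disk=true` turns any non-empty first argument into a request to recreate both demohost images, and the `qemu-img create` inside the loop then overwrites an existing image in place, so a stray argument silently destroys the current VM disks. Accepting a specific token, `[[ $1 != new ]] || new_disk=true`, or at least a usage comment at the top (`# usage: fai-revm [new] — any argument recreates both disk images`) would make the destructive path deliberate. `$f` is unquoted in the `qemu-img create ... $f 30G` call; harmless for these fixed paths, but worth quoting for consistency with the quoted `cd` above.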
index f0bbd9d3cda8485332f1a059e3ab1fc44694f9c5..b39132aefa8b584aed1a3a1d9292a7987119f4b3 100755 (executable)
# use a list of classes for our demo machine
case $HOSTNAME in
demohost)
- echo "FAIBASE DEBIAN DESKTOP STABLE" ;;
+ echo "FAIBASE DEBIAN DESKTOP STABLE TWO_DISK" ;;
x2)
echo "FAIBASE DEBIAN DESKTOP ONE_DISK" ;;
tp)
diff --git a/fai/config/files/etc/apt/sources.list/DEFAULT b/fai/config/files/etc/apt/sources.list/DEFAULT
index feba838efe915410d00322a82810200e67432d6a..2877f34a6d8c7410bd5b4a8d8a77dcc7aeacd4a9 100644 (file)
deb http://httpredir.debian.org/debian testing main
-deb-src http://httpredir.debian.org/debian testing main
+deb-src http://http.us.debian.org/debian testing main
deb http://security.debian.org/ testing/updates main
deb-src http://security.debian.org/ testing/updates main
# jessie-updates, previously known as 'volatile'
deb http://httpredir.debian.org/debian testing-updates main
-deb-src http://httpredir.debian.org/debian testing-updates main
+deb-src http://http.us.debian.org/debian testing-updates main
index 1879648b73a71afd0d705ce2efe78c55c2be67cb..ab6e213617f02f65094b554d2f41e4a8da3b2c11 100755 (executable)
exit 0
fi
+keyfile=/var/lib/fai/config/distro-install-common/luks/host-$HOSTNAME
f=$target/root/keyscript
cat > $f <<EOFOUTER
#!/bin/sh
cat <<'EOF'
-$(cat /var/lib/fai/config/distro-install-common/luks/host-$HOSTNAME)
+$(cat $keyfile)
EOF
EOFOUTER
+chmod +x $f
+
+
+crypt_dev=(/dev/mapper/crypt_dev_?da3)
+crypt_dev=${crypt_dev[0]}
+crypt_name=${crypt_dev##/dev/mapper/}
+dev=(/dev/?da3)
+dev=${dev[0]}
+
+dd if=$keyfile of=$crypt_dev
+f=$target/root/keyscript-manual
+cat >$f <<'EOF'
+#!/bin/sh
+if ! [ -e /tmp/key ]; then
+ stty -echo
+ read pass
+ printf '%s' "$pass" > /tmp/key
+fi
+cat /tmp/key
+EOF
chmod +x $f
+
if ifclass tp; then
d=$target/root/shadow
mkdir -p $d
ls -la /var/lib/fai/config/distro-install-common
- cp /var/lib/fai/config/distro-install-common/traci{-simple} $d
+ cp /var/lib/fai/config/distro-install-common/traci{,-simple} $d
fi
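Review bot: `chmod +x $f` on the regenerated `$target/root/keyscript` leaves the file at the umask default, typically 0755, and that script now carries the LUKS key material inline via the `$(cat $keyfile)` expansion, so it is readable by every local account unless `/root` itself is locked down; `chmod 700 $f` (or `chmod u+x,go-rwx $f`) ties the permission to what the file contains. The same `chmod +x $f` further down covers `keyscript-manual`, which only reads `/tmp/key`, so it is less sensitive. Inside keyscript-manual, `stty -echo` is never reverted and `read pass` without `-r` folds backslashes in the passphrase; `read -r pass` followed by `stty echo` after the prompt avoids both. `dev=(/dev/?da3)` and `dev=${dev[0]}` are assigned but not referenced anywhere in this hunk; if nothing later in the script reads them they can be dropped.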
index e3cd178e173f0970e73d50de27b656d80e07e29c..e2a32caea9814ab497ed8ebb67be80052cdd5fe8 100755 (executable)
# # fai's setup-storage won't do btrfs on luks,
# # so we do it ourself :)
-partition=false
-
-
-letters=(a)
+#### begin configuration
if ifclass VM; then
- d=/dev/vd
+ d=vd
else
- d=/dev/sd
+ d=sd
fi
+
if ifclass TWO_DISK; then
- skiptask partition
- devs=(${d}{a,b})
- [[ -e /dev/md127 ]] || partition=true
+ letters=(a b)
elif ifclass ONE_DISK; then
- skiptask partition
- devs=(${d}a)
+ letters=(a)
else
exit
fi
+##### end configuration
+skiptask partition
+devs=(${letters[@]/#//dev/${d}})
+crypt_devs=(${letters[@]/#//dev/mapper/crypt_dev_${d}})
+
+# we can set this manually to force partitioning
+#partition=false
-# somewhat crude detection of wehter to partition
+# somewhat crude detection of whether to partition
for dev in ${devs[@]}; do
+ x=($dev[0-9])
+ [[ ${#x[@]} == 4 ]] || partition=true
for part in ${dev}{1,2,3,4}; do
[[ -e $part ]] || partition=true
done
+ # type tells us it's not totally blank
+ for part in ${dev}{1,3}; do
+ blkid | grep "^$part:.*TYPE=" &>/dev/null || partition=true
+ done
done
+partition=true # override temporarily
+
# keyfiles generated like:
# head -c 2048 /dev/urandom | od | s dd of=/q/root/luks/host-demohost
luks_dir=/var/lib/fai/config/distro-install-common/luks
else
lukspw=$(cat $luks_dir/ian)
fi
+if ifclass demohost; then
+ lukspw=x
+fi
boot_end=504
-! ifclass tp || letters=(a b)
-
-md() { ((${#letters[@]} > 1)); }
-
-if md; then
- # if partition with md0, then reboot into the installer,
- # it becomes md127. So might as well start with 127 for simplicity.
- crypt=md127
-else
- crypt=${d##/dev/}a3
-fi
+crypt=/dev/mapper/crypt_dev_${d##/dev/}a3
# 1.5 x based on https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Installation_Guide/sect-disk-partitioning-setup-x86.html#sect-custom-partitioning-x86
-swap_end=$(( $(grep ^MemTotal: /proc/meminfo| awk '{print $2}') * 3/(${#letters[@]} * 2 ) / 1000 + boot_end ))MiB
+swap_end=$(( $(grep ^MemTotal: /proc/meminfo| awk '{print $2}') * 3/(${#devs[@]} * 2 ) / 1000 + boot_end ))
create_subvols() {
cd /mnt
if $partition; then
mkdir -p /tmp/fai
for dev in ${devs[@]}; do
- for x in /dev/md*; do [[ -d $x ]] || mdadm --stop $x; done
for x in $dev[0-9]; do wipefs -a $x; done
parted -s $dev mklabel gpt
# gpt ubuntu cloud image uses ~4. fai uses 1 MiB. ehh, i'll do 4.
# also, using MB instead of MiB causes complains about alignment.
parted -s $dev mkpart primary "ext3" 4MB ${boot_end}MiB
parted -s $dev set 1 boot on
- parted -s $dev mkpart primary "linux-swap" ${boot_end}MiB $swap_end
- parted -s -- $dev mkpart primary "" $swap_end -0
- parted -s $dev set 3 raid on
+ parted -s $dev mkpart primary "linux-swap" ${boot_end}MiB ${swap_end}MiB
+ parted -s -- $dev mkpart primary "" ${swap_end}MiB -0
parted -s $dev mkpart primary "" 1MiB 4MiB
parted -s $dev set 4 bios_grub on
# the mkfs failed randomly on a vm, so I threw a sleep in here.
sleep .1
mkfs.ext4 -F ${dev}1
+ # 3 is device which simply holds a key for the 4's,
+ # so we can unlock multi-device btrfs fs with 1 manually entered passphrase.
+ #
+ # Background: It's of course possible modify the initramfs to
+ # put the input from a passphrase prompt into a variable and use
+ # it to unlock multiple devices, but that would require figuring
+ # more things out.
+ #
+ for luks_dev in ${dev}3; do
+ yes YES | cryptsetup luksFormat $luks_dev $luks_dir/host-$HOSTNAME \
+ -c aes-cbc-essiv:sha256 -s 256 || [[ $? == 141 ]]
+ yes "$lukspw" | \
+ cryptsetup luksAddKey --key-file $luks_dir/host-$HOSTNAME \
+ $luks_dev || [[ $? == 141 ]]
+ # background: Keyfile and password are treated just
+ # like 2 ways to input a passphrase, so we don't actually need to have
+ # different contents of keyfile and passphrase, but it makes some
+ # security sense to a really big randomly generated passphrase
+ # as much as possible, so we have both.
+ #
+ # This would remove the keyfile.
+ # yes 'test' | cryptsetup luksRemoveKey /dev/... \
+ # /key/file || [[ $? == 141 ]]
+
+ cryptsetup luksOpen $luks_dev crypt_dev_${luks_dev##/dev/} \
+ --key-file $luks_dir/host-$HOSTNAME
+ done
done
- if md; then
- yes | mdadm --create /dev/$crypt --level=raid0 --force --run \
- --raid-devices=${#devs[@]} ${devs[@]/%/3} || [[ $? == 141 ]]
- fi
-
- yes YES | cryptsetup luksFormat /dev/$crypt $luks_dir/host-$HOSTNAME \
- -c aes-cbc-essiv:sha256 -s 256 || [[ $? == 141 ]]
- yes "$lukspw" cryptsetup luksAddKey --key-file \
- $luks_dir/host-$HOSTNAME /dev/$crypt || [[ $? == 141 ]]
- # this would remove the keyfile. we will do that manually later.
- # yes 'test' | cryptsetup luksRemoveKey /dev/... \
- # /key/file || [[ $? == 141 ]]
- cryptsetup luksOpen /dev/$crypt crypt_dev_$crypt --key-file \
- $luks_dir/host-$HOSTNAME
+ mkfs.btrfs -f ${crypt_devs[@]/%/3}
parted ${devs[0]} set 1 boot on
- mkfs.btrfs -f /dev/mapper/crypt_dev_$crypt
- mount /dev/mapper/crypt_dev_$crypt /mnt
+ mount $crypt /mnt
create_subvols
else
for dev in ${devs[@]}; do
mkfs.ext4 -F ${dev}1
+ cryptsetup luksOpen ${dev}3 crypt_dev_${dev##/dev/}3 \
+ --key-file $luks_dir/host-$HOSTNAME || [[ $? == 141 ]]
done
- yes "$lukspw" | \
- cryptsetup luksOpen /dev/$crypt crypt_dev_$crypt || [[ $? == 141 ]]
sleep 1
- mount -o subvolid=0 /dev/mapper/crypt_dev_$crypt /mnt
+ mount -o subvolid=0 $crypt /mnt
# systemd creates subvolumes we want to delete.
s=($(btrfs subvolume list --sort=-path /mnt |
sed -rn 's#^.*path\s*(root/\S+)\s*$#\1#p'))
create_subvols
fi
-cat > /tmp/fai/crypttab <<EOF
-crypt_dev_$crypt /dev/$crypt none keyscript=/root/keyscript,discard,luks
+
+for dev in ${devs[@]}; do
+ cat >>/tmp/fai/crypttab <<EOF
+crypt_dev_${dev##/dev/}3 ${dev}3 none keyscript=/root/keyscript,discard,luks
EOF
+done
for dev in ${devs[@]}; do
- cat >> /tmp/fai/crypttab <<EOF
+ cat >>/tmp/fai/crypttab <<EOF
swap ${dev}2 /dev/urandom swap,cipher=aes-xts-plain64,size=256,hash=ripemd160
EOF
done
# this is duplicated in arch-init
cat > /tmp/fai/fstab <<EOF
-/dev/mapper/crypt_dev_$crypt / btrfs noatime,subvol=/root 0 0
-/dev/mapper/crypt_dev_$crypt /a btrfs noatime,subvol=/a 0 0
-/dev/mapper/crypt_dev_$crypt /home btrfs noatime,subvol=/home 0 0
+$crypt / btrfs noatime,subvol=/root 0 0
+$crypt /a btrfs noatime,subvol=/a 0 0
+$crypt /home btrfs noatime,subvol=/home 0 0
${devs[0]}1 /boot ext4 noatime 0 2
EOF
cat >/tmp/fai/disk_var.sh <<EOF
-ROOT_PARTITION=\${ROOT_PARTITION:-/dev/mapper/crypt_dev_$crypt}
+ROOT_PARTITION=\${ROOT_PARTITION:-$crypt}
BOOT_PARTITION=\${BOOT_PARTITION:-${devs[0]}1}
BOOT_DEVICE=\${BOOT_DEVICE:-"${devs[0]}"}
SWAPLIST=\${SWAPLIST:-"${devs[@]/%/2}"}
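Review bot: `partition=true # override temporarily` after the detection loop makes every run re-partition and `luksFormat` the disks, and it also masks that the `partition=false` initialisation was dropped (only the commented `#partition=false` survives): once the override is removed, `partition` stays unset whenever all checks pass, and `if $partition; then` expands to an empty command that succeeds, so the disks are wiped anyway. Restore `partition=false` before `for dev in ${devs[@]}; do` and drop the override before this reaches a non-demo host. The crypttab loop only appends (`cat >>/tmp/fai/crypttab`) where the old code truncated with `>`, so a file left from an earlier run accumulates duplicate entries; a `: >/tmp/fai/crypttab` before the first loop keeps it idempotent. The root containers keep `-c aes-cbc-essiv:sha256 -s 256` while the swap entries use `aes-xts-plain64`; cryptsetup's XTS default would be the stronger choice for the root volumes too. The fixed demohost passphrase `lukspw=x` is added as a real key slot; fine for the demo VM, but a one-line comment saying so would stop it being copied to another class.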
index 6e39b327a441414c6f9fb5cd6458b8f522ed8f43..58c8d09f5cff98ba4f7650f27819d7683d8a7464 100644 (file)
isc-dhcp-client
PACKAGES install GRUB_PC
-grub-pc mdadm cryptsetup btrfs-tools sudo bridge-utils grub-legacy- lilo-
+grub-pc cryptsetup btrfs-tools sudo bridge-utils grub-legacy- lilo-
PACKAGES install LVM
lvm2
index 0ef4afdc48fb3e1e00f8dd77d95f29276db0af61..8dcc58ce0d9b8a9d4017c7031f71e9e5716d8c69 100755 (executable)
/var/lib/fai/config/distro-install-common/end
fcopy -rM -i /home/ian/.ssh
-chown -R 1000:1000 $target/home/ian/.ssh
-chmod -R u=Xrw,og= $target/home/ian/.ssh
-cp -ar $target/home/ian/.ssh $target/root
-chown -R root:root $target/root/.ssh
+$ROOTCMD chown -R 1000:1000 /home/ian/.ssh
+$ROOTCMD chmod -R u=Xrw,og= /home/ian/.ssh
+$ROOTCMD cp -ar /home/ian/.ssh /root
+$ROOTCMD chown -R root:root /root/.ssh
-for dir in $target/{a,p}/c/machine_specific/$HOSTNAME/.unison; do
- [[ -e $dir ]] || continue
- $ROOTCMD rm -rf $target/root/.unison
- $ROOTCMD ln -s $dir $target/root
-done
+$ROOTCMD ln -s /a/p /
+dir=/a/p/c/machine_specific/$HOSTNAME/.unison
+$ROOTCMD mkdir -p $dir
+$ROOTCMD rm -rf /root/.unison
+$ROOTCMD ln -s $dir /root
$ROOTCMD usermod -aG cdrom,floppy,sudo,audio,dip,video,plugdev,netdev ian