From: Ian Kelling <iank@fsf.org> Date: Thu, 25 Apr 2019 03:27:01 +0000 (-0400) Subject: minor improvements and misc changes X-Git-Url: https://iankelling.org/git/?a=commitdiff_plain;h=917fa30617ccafa3a7ed5218a418cf058948b729;p=automated-distro-installer minor improvements and misc changes --- diff --git a/README b/README index 97cf483..3146081 100644 --- a/README +++ b/README @@ -130,7 +130,7 @@ export SPECIAL_DISK=/dev/REPLACEMENT_DEV ssh root@HOST -for x in /target/*; do umount $x; done +for x in /target/* /target; do umount $x; done cat >p PASSWORD HERE(ctrl-d ctrl-d) cd /dev/disk/by-id/ diff --git a/fai/config/distro-install-common/end b/fai/config/distro-install-common/end index 3948073..a6bc113 100755 --- a/fai/config/distro-install-common/end +++ b/fai/config/distro-install-common/end @@ -4,8 +4,8 @@ set -eE -o pipefail trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR if [[ $EUID != 0 ]]; then - echo "$0: error: expected to be root." - exit 1 + echo "$0: error: expected to be root." + exit 1 fi # ssh host keys 
@@ -13,37 +13,37 @@ fi src=$(dirname "$0")/p/c/machine_specific/$HOSTNAME/filesystem/etc/ssh dst=$target/etc/ssh if [[ -e $src && -e $dst ]]; then - # outside of fai context, we skip this - cp -rT $src $dst + # outside of fai context, we skip this + cp -rT $src $dst fi TPW=/q/root/shadow/traci-simple if ifclass tp; then - ROOTPW=/q/root/shadow/standard -# ROOTPW="$TPW" + ROOTPW=/q/root/shadow/standard + # ROOTPW="$TPW" else - ROOTPW=/q/root/shadow/standard + ROOTPW=/q/root/shadow/standard fi chpw() { - # generating a hashed password: - # under debian, you can do - # mkpasswd -m sha-512 -s >/q/root/shadow/standard - # On arch, best seems to be copy your shadow file to a temp location, - # then passwd, get out the new pass, then copy the shadow file back. - - user=$1 - pwfile=$2 - if [[ $pwfile && -e $pwfile ]]; then - printf "$user:" | cat - "$pwfile" | $ROOTCMD chpasswd -e - else - echo "$0: warning: no pw set for $user" >&2 - fi + # generating a hashed password: + # under debian, you can do + # mkpasswd -m sha-512 -s >/q/root/shadow/standard + # On arch, best seems to be copy your shadow file to a temp location, + # then passwd, get out the new pass, then copy the shadow file back. + + user=$1 + pwfile=$2 + if [[ $pwfile && -e $pwfile ]]; then + printf "$user:" | cat - "$pwfile" | $ROOTCMD chpasswd -e + else + echo "$0: warning: no pw set for $user" >&2 + fi } au() { # add user. i don't use adduser for portability - if ! $ROOTCMD getent passwd ${@: -1}; then - $ROOTCMD useradd -Um -s /bin/bash $@ - fi + if ! $ROOTCMD getent passwd ${@: -1}; then + $ROOTCMD useradd -Um -s /bin/bash $@ + fi } chpw root "$ROOTPW" 
@@ -60,18 +60,18 @@ chpw iank "$ROOTPW" au traci if ifclass frodo; then - chpw traci "$TPW" + chpw traci "$TPW" fi # comparing iank's groups to traci, I see none she should join on arch $ROOTCMD usermod -a -G traci iank + $ROOTCMD getent group docker &>/dev/null || $ROOTCMD groupadd -r docker $ROOTCMD usermod -a -G docker iank # based on unison error, with 8192 from # sysctl -a | grep fs.inotify.max_user_watches #http://stackoverflow.com/questions/535768/what-is-a-reasonable-amount-of-inotify-watches-with-linux - f=$target/etc/sysctl.d/99-sysctl.conf key=fs.inotify.max_user_watches if [[ -e $f ]]; then sed -ri --follow-symlinks "/^\s*$key\s*=/d" $f; fi @@ -82,22 +82,22 @@ $ROOTCMD sysctl --system f=$target/etc/sudoers line='iank ALL=(ALL) NOPASSWD: ALL' if [[ ! -e $f ]] || ! grep -xF "$line" $f; then - echo "$line" >> $f + echo "$line" >> $f fi dir=/p/c/machine_specific/$HOSTNAME/.unison $ROOTCMD mkdir -p $dir if ! $ROOTCMD test -L /root/.unison; then - $ROOTCMD rm -rf /root/.unison - $ROOTCMD ln -s -T $dir /root/.unison + $ROOTCMD rm -rf /root/.unison + $ROOTCMD ln -s -T $dir /root/.unison fi $ROOTCMD chown -R 1000:1000 $dir while true; do - $ROOTCMD chown 1000:1000 $dir - $ROOTCMD chmod 700 $dir - dir=$(dirname $dir) - if [[ $dir == /p ]]; then break; fi + $ROOTCMD chown 1000:1000 $dir + $ROOTCMD chmod 700 $dir + dir=$(dirname $dir) + if [[ $dir == /p ]]; then break; fi done au --system -s /bin/false --home-dir /var/lib/bitcoind bitcoin diff --git a/faiserver-setup b/faiserver-setup index 4742ae1..d8489ed 100755 --- a/faiserver-setup +++ b/faiserver-setup @@ -21,7 +21,7 @@ x="$(readlink -f "$BASH_SOURCE")"; source "${x%/*}/bash-trace" usage() { cat <<EOF -usage: ${0##*/} [-h|--help] [BASE_CODENAME] +usage: ${0##*/} [-h|--help] [BASE_CODENAME] [ARCH] install fai-server on the current machine Initial setup of a fai server. works on localhost. Set's the current ip 
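Review bot: The new `$ROOTCMD getent group docker &>/dev/null || $ROOTCMD groupadd -r docker` line pre-creates the group so the following `usermod -a -G docker iank` cannot fail, but nothing records that membership in the docker group is root-equivalent (anyone who can talk to the daemon socket can bind-mount the host filesystem into a container). Since the next hunk already grants iank `NOPASSWD: ALL` in sudoers this is consistent with the intended trust level, but a one-line comment would stop a later reader from treating it as a lesser privilege: `# docker group is root-equivalent; acceptable here because iank already gets NOPASSWD sudo below`. The `-r` flag allocates a system GID; if the docker package later creates the group itself it should reuse the existing one, but that is worth confirming on the distros this targets.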
@@ -29,8 +29,8 @@ as the tftp server. I vaguely remember that using a hostname does not work. Separate from running this, faiserver needs to be setup in dns to point to whatever host this is run on. -Default BASE_CODENAME is stretch, and it expects corresponding -$BASEFILE_DIR/${UPCASED_BASE_CODENAME}64.tar.gz to exist, and it must have been +Default BASE_CODENAME is stretch. Default ARCH is 64. The script expects corresponding +$BASEFILE_DIR/${UPCASED_BASE_CODENAME}${ARCH}.tar.(gz|xz) to exist, and it must have been generated around the same time as the nfsroot, at least so it has the same kernel version. @@ -42,15 +42,21 @@ case $1 in esac -e() { echo "$@"; "$@"; } +e() { echo "+ $@"; "$@"; } base=${1:-stretch} -basefile=$BASEFILE_DIR/${base^^}64.tar.gz +arch=${2:-64} +basefile=($BASEFILE_DIR/${base^^}${arch^^}.tar.[gx]z) sed="sed -ri --follow-symlinks" if [[ ! -e $basefile ]]; then - printf "%s\n" "$0: error BASEFILE_DIR=$BASEFILE_DIR does not exist" + printf "%s\n" "$0: error basefile=$basefile does not exist" >&2 + exit 1 +fi + +if [[ ! -d $BASEFILE_DIR ]]; then + printf "%s\n" "$0: error BASEFILE_DIR=$BASEFILE_DIR does not exist" >&2 exit 1 fi 
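Review bot: The new `[[ ! -d $BASEFILE_DIR ]]` check sits after the `[[ ! -e $basefile ]]` check, so when the directory is missing the script always exits on the first test with the less specific "basefile ... does not exist" message and the directory check is never reached; move the directory test above the basefile test. Separately, `basefile=(... .tar.[gx]z)` is now an array, but `-e $basefile` only looks at element 0, so if both a `.gz` and an `.xz` exist the `.gz` is silently chosen; add `(( ${#basefile[@]} == 1 )) || { echo "$0: error: ambiguous basefile: ${basefile[*]}" >&2; exit 1; }` after the existence check. The `e()` helper logs with `echo "+ $@"`, which joins the arguments with spaces and hides any quoting; `printf '+ %q' "$@"; echo` would show exactly what is about to run.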
@@ -63,35 +69,12 @@ armhf() { [[ $(dpkg --print-architecture) == armhf ]] } -if armhf; then - if apt-cache policy | grep o=Debian,a=testing,n=stretch &>/dev/null; then - cat >/etc/apt/sources.list.d/testing.list <<'EOF' -deb http://http.us.debian.org/debian testing main contrib non-free -deb-src http://http.us.debian.org/debian testing main contrib non-free - -deb http://security.debian.org/ testing/updates main contrib non-free -deb-src http://security.debian.org/ testing/updates main contrib non-free - -deb http://http.us.debian.org/debian testing-updates main contrib non-free -deb-src http://http.us.debian.org/debian testing-updates main contrib non-free -EOF - - cat >/etc/apt/preferences.d/fai <<'EOF' -Package: fai-server fai-client fai-doc -Pin: release a=testing -Pin-Priority: 500 - -Package: * -Pin: release a=testing -Pin-Priority: -10 -EOF - fi -elif grep -xFq 'VERSION="8 (jessie)"' /etc/os-release; then +if grep -xFq 'VERSION="8 (jessie)"' /etc/os-release; then gpg -a --recv-keys 2BF8D9FE074BCDE4; gpg -a --export 2BF8D9FE074BCDE4 | apt-key add - cat >/etc/apt/sources.list.d/fai.list <<'EOF' deb https://fai-project.org/download jessie koeln EOF -elif grep -xFq 'VERSION="9 (stretch)"' /etc/os-release || grep -iE 'flidas|xenail' /etc/os-release ; then +elif grep -iE 'VERSION=.*(stretch|flidas|xenail)' /etc/os-release; then # fai on ubuntu only has official support using the universe repo, but newer # tends to have less bugs. gpg --keyserver hkp://pool.sks-keyservers.net -a --recv-keys 2BF8D9FE074BCDE4; gpg -a --export 2BF8D9FE074BCDE4 | apt-key add - 
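Review bot: The new detection line `grep -iE 'VERSION=.*(stretch|flidas|xenail)'` carries `xenail`, which looks like a typo for `xenial` (the removed line had the same spelling); if so, Ubuntu 16.04, which the `lk` text in this same commit lists as tested, never matches this branch and falls through to whatever the later `else` does instead of getting the fai-project repository. Suggest `elif grep -iE 'VERSION=.*(stretch|flidas|xenial)' /etc/os-release; then`. This branch then fetches the signing key over `hkp://pool.sks-keyservers.net` and pipes it straight into `apt-key add -` with no fingerprint check; that is not new, but with the armhf/testing pinning removed here it is now the only path for these releases, so a comment recording the expected key fingerprint would be worthwhile. The `else` branch of this chain lies outside the hunk.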
@@ -128,10 +111,10 @@ else fi -apt-get install -y ${pkgs[@]} +e apt-get install -y ${pkgs[@]} # confnew since we edit /etc/fai/NFSROOT in an automated way # fai-client is already a fai-server dependency, but make sure it gets upgraded -apt-get install --no-install-recommends -y -o Dpkg::Options::="--force-confnew" fai-server fai-client +e apt-get install --no-install-recommends -y -o Dpkg::Options::="--force-confnew" fai-server fai-client r=http://http.us.debian.org/debian # like default, but scrap httpredir, and nonfree. @@ -184,6 +167,7 @@ $sed 's/#LOGUSER/LOGUSER/' /etc/fai/fai.conf $sed -i '/^LOGUSER=/d' /etc/fai/fai.conf $sed -i '/^FAI_FLAGS=/d' /etc/fai/fai.conf echo "FAI_FLAGS=verbose" >>/etc/fai/fai.conf +# note if this isnt set, the user isnt created echo "LOGUSER=fai" >>/etc/fai/fai.conf # from man fai-make-nfsroot, @@ -200,8 +184,8 @@ fi if armhf; then cd /srv/fai - rm -rf nfsroot - tar Jxf $basefile + e rm -rf nfsroot + e tar Jxf $basefile # background: Can't build the nfsroot on my arm system now. First, # fai-make-nfsroot won't work out of the box. One idea to make it work # is by installing qemu-user-static, then copying qemu-x86_64-static @@ -247,12 +231,12 @@ if armhf; then type setup_tftp EOF ) - setup_tftp + e setup_tftp # -g causes skipping set_root_pw() in fai-make-nfsroot, -ag # is the only way to make it run without chrooting. the options # seem contradictory, but it works. - fai-setup -evag + e fai-setup -evag else # not armhf # note, this copies the -B arg to diff --git a/lk b/lk index dbe9d2e..7715fda 100644 --- a/lk +++ b/lk 
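Review bot: `e tar Jxf $basefile` forces xz decompression, but this commit widened the basefile glob in the same file to `.tar.[gx]z`, so a `.tar.gz` basefile now passes the existence check and then fails here; let tar detect the compression with `e tar xf "$basefile"`. Quoting also matters now that `basefile` is an array: unquoted it passes element 0, which is what the existence check looked at, but being explicit avoids a surprise if the glob ever matches several files. The armhf branch continues past the end of this hunk.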
@@ -23,7 +23,12 @@ fai kexec from upstream live cds, i.e. curl|bash You can copy this to a http server, then wget -O- url|sudo bash curl is sometimes not preinstalled on a live cd. -This has been tested on trisquel belenos and ubuntu xenial & 18.10. +Alternative to http server: +1. on install machine nc -l 1234 | sudo bash +2. On another machine nc INSTALL_MACHINE 1234 <live-kexec +Obviously beware that anyone on your network could send commands to the install machine. + +This has been tested on trisquel 7 & 8 & ubuntu 16.04 & 18.10. With 18.10 on an x200, kexec was unreliable, resulting in freezes and kernel panics. diff --git a/pxe-server b/pxe-server index 3abb1ba..c46c72e 100755 --- a/pxe-server +++ b/pxe-server 
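Review bot: The new `nc -l 1234 | sudo bash` recipe rightly warns that anyone on the network can feed commands to the install machine, but a reader would want the concrete mitigation rather than just "beware": receive to a file, check it, then run it, e.g. `nc -l 1234 > live-kexec; sha256sum live-kexec` (compare with the sender) followed by `sudo bash live-kexec`. That closes the window in which an unrelated inbound connection becomes a root shell and costs one extra step. Traditional netcat also needs `nc -l -p 1234` for the listen side, so noting which nc variant this was tested with would help.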
@@ -22,26 +22,28 @@ x="$(readlink -f "$BASH_SOURCE")"; source "${x%/*}/bash-trace" usage() { cat <<EOF -Usage: ${0##*/} [OPTIONS] [HOST TYPE] -Configure dnsmasq boot options and fai-chboot if appropriate. +Usage: ${0##*/} [OPTIONS] [HOST] [TYPE] +Configure dnsmasq boot options and fai-chboot if appropriate. This is +not general purpose, it has code specific to dhcp servers I run. -Without HOST TYPE, disable server and fai server. +Without TYPE, disable server and fai server. In that case, HOST is only +needed for fsf office network. HOST A hostname known to the dhcp server, or default for all. TYPE One of arch, parabola, plain, fai. --d Don't alter dhcp config. Only make sense for fai type, and on network - other than home network. --r Don't redeploy fai config. For example, if there is a different host - that is mid-install. - -a Don't setup pxe, just Wait for 2 dhcp acks, then disable the pxe server after a delay. First ack is for pxe boot, 2nd ack is for os boot. Sometimes on debian, there is a 3rd one shortly after the 2nd. I can't remember exactly why this caused a problem, but I'm hoping the sleep will take care of it. --S sets FAI_ACTION=sysinfo, see myfai-chboot for more info. +-d Don't alter dhcp config. Only make sense for fai type, and on network + other than home or fsf. -k Pass -k to myfai-chboot. +-r Don't redeploy fai config. For example, if there is a different host + that is mid-install. + +-S sets FAI_ACTION=sysinfo, see myfai-chboot for more info. -w Setup pxe, then wait like -a. -h|--help Print help and exit 
@@ -65,16 +67,22 @@ dhcp=true redep=true acks=2 wait=false +fsf=false + +case $HOSTNAME in + x3|kw) fsf=true ;; +esac + chboot_args=() -temp=$(getopt -l help adrSkwh "$@") || usage 1 +temp=$(getopt -l help adkrSwh "$@") || usage 1 eval set -- "$temp" while true; do case $1 in -a) wait=true; set=false; shift ;; -d) dhcp=false; shift ;; + -k) chboot_args+=(-k); shift ;; -r) redep=false; shift ;; -S) chboot_args+=(-S); shift ;; - -k) chboot_args+=(-k); shift ;; -w) wait=true; set=true; shift ;; -h|--help) usage ;; --) shift; break ;; @@ -85,7 +93,7 @@ done read -r host type <<<"$@" case $# in - 0);; + [01]);; 2) case $type in arch|parabola) cmd=archlike ;; @@ -98,7 +106,7 @@ case $# in esac ;; *) - echo "$0: error: expected 0 or 2 arguments" + echo "$0: error: expected 0-2 arguments" echo usage 1 ;; 
@@ -145,27 +153,52 @@ EOF } ack-wait() { + if $fsf; then + wait_cmd="ssh tarantula tail -n0 -f /var/log/syslog" + else + wait_cmd="ssh wrt logread -f" + fi wait_count=$1 if [[ $host ]]; then + if $fsf; then + host_regex=" $(getent hosts kw | awk '{print $1}' | sed 's/\./\\./g')" + else host_regex=" $host" + fi fi - regex=".*DHCPACK.*$host_regex$" + regex=".*DHCPACK.*$host_regex\b" i=0 while (( i != wait_count )) && read -r line; do if [[ $line =~ $regex ]]; then i=$((i+1)) echo $line fi - done < <(ssh wrt logread -f) + done < <($wait_cmd ||:) # tail returns 2 it seems e sleep 20 } set-pxe() { $dhcp || return 0 - echo "$0: updating dnsmasq.conf:" - $cmd - ${cmd:-:}|ssh wrt "cedit pxe /etc/dnsmasq.conf || /etc/init.d/dnsmasq restart + if $fsf; then + if [[ ! $cmd ]]; then + echo "$0: removing pxe for $host on tarantula" + ssh tarantula bash -e <<EOF +sed -ri 's/^( *host +$host *\{).*/\1/' /etc/dhcp3/dhcpd.conf +/etc/init.d/dhcp3-server restart +EOF + elif [[ $cmd == fai ]]; then + echo "$0: adding pxe for $host on tarantula" + ssh tarantula bash -e <<EOF +sed -ri 's/^( *host +$host *\{).*/\1 next-server faiserver.office.fsf.org; filename "pxelinux.0";/' /etc/dhcp3/dhcpd.conf +/etc/init.d/dhcp3-server restart +EOF + fi + else + echo "$0: updating dnsmasq.conf:" + $cmd + ${cmd:-:}|ssh wrt "cedit pxe /etc/dnsmasq.conf || /etc/init.d/dnsmasq restart $([[ $type == arch || $type == parabola ]] && echo archlike-pxe-mount)" + fi } diff --git a/wrt-disabled-firewall-rules b/wrt-disabled-firewall-rules index 29c80da..b2cfdf0 100644 --- a/wrt-disabled-firewall-rules +++ b/wrt-disabled-firewall-rules @@ -20,16 +20,6 @@ config rule option target ACCEPT option dest_port 63324 -config redirect - option name frodobittorrent - option src vpn - option src_dport 63326 - option dest_ip 192.168.1.3 - option dest lan -config rule - option src vpn - option target ACCEPT - option dest_port 63326 config redirect diff --git a/wrt-setup b/wrt-setup index 3e71ef5..e9d620e 100755 --- a/wrt-setup 
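Review bot: In `ack-wait`, the fsf branch builds `host_regex` from `getent hosts kw` rather than from `$host`, so on the fsf network the wait matches kw's address regardless of which HOST was passed; this should be `host_regex=" $(getent hosts "$host" | awk '{print $1}' | sed 's/\./\\./g')"`. The regex now ends in `\b`, which is a GNU extension inside `[[ =~ ]]` (POSIX ERE has no word boundary) — it works with glibc but deserves a comment. In `set-pxe`, `$host` is interpolated unquoted into a `sed -ri` expression executed as root on tarantula through an unquoted heredoc; HOST comes from the command line, so a value containing `/`, `.` or `\` would change the expression — validate it first with `[[ $host =~ ^[A-Za-z0-9-]+$ ]] || { echo "$0: error: bad host: $host" >&2; exit 1; }`. The `s/^( *host +$host *\{).*/\1/` edits also assume the dhcpd `host` block's options live on the same line as the opening brace; please confirm that matches tarantula's config layout.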
+++ b/wrt-setup @@ -23,7 +23,7 @@ x="$(readlink -f "$BASH_SOURCE")"; cd ${x%/*} usage() { cat <<EOF -usage: ${0##*/} [-h|--help] [-d|--dev2] [HOST/IP] +usage: ${0##*/} [-h|--help] [-2|--dev2] [HOST/IP] setup my router in general: dhcp, dns, etc. dev2 is for setting up a second device for testing etc. @@ -55,7 +55,8 @@ fi cat ~/.ssh/home.pub | ssh $h dd of=/etc/dropbear/authorized_keys 2>/dev/null scp /a/bin/fai/wrt-setup-local /a/bin/cedit/cedit $h:/usr/bin # build for openwrt 18.06.2, r7676-cddd7b4c77 -scp /a/opt/openwrt/source/bin/packages/mips_24kc/mypackages/relay_1.0-1_mips_24kc.ipk $h: +sudo scp /q/root/shadow/router \ + /a/opt/openwrt/source/bin/packages/mips_24kc/mypackages/relay_1.0-1_mips_24kc.ipk $h: ssh $h <<EOF if ! opkg list-installed|grep bash; then opkg update diff --git a/wrt-setup-local b/wrt-setup-local index ddf78d6..f465da5 100755 --- a/wrt-setup-local +++ b/wrt-setup-local @@ -47,12 +47,40 @@ v() { "$@" } +######### uci example:####### +# # https://wiki.openwrt.org/doc/uci +# wan_index=$(uci show firewall | sed -rn 's/firewall\.@zone\[([0-9])+\]\.name=wan/\1/p') +# wan="firewall.@zone[$wan_index]" +# if [[ $(uci get firewall.@forwarding[0].dest) != $forward_dest ]]; then +# # default is wan +# v uci set firewall.@forwarding[0].dest=$forward_dest +# uci commit firewall +# firewall_restart=true +# fi +####### end uci example ##### + +uset() { + local key="$1" + local val="$2" + local service="${key%%.*}" + restart_var=${service}_restart + if [[ ! ${!restart_var} ]]; then + eval $restart_var=false + fi + if [[ $(uci get "$key") != "$val" ]]; then + v uci set "$key"="$val" + uci commit $service + eval $restart_var=true + fi +} + + ### network config ### ssid="check out gnu.org" lan=10.0.0.0 if $dev2; then - ssid="test1" + ssid="gnuv3" lan=10.1.0.0 fi mask=255.255.0.0 
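Review bot: `sudo scp /q/root/shadow/router ... $h:` copies a password-hash file onto the router next to the ipk, and nothing in this commit removes it afterwards, so the hash persists in root's home on the router after `wrt-setup-local` has appended it to `/etc/shadow`; either delete it on the router once consumed or send it over the ssh session's stdin instead of leaving a file behind. Running this scp under `sudo` also means it uses root's ssh identity and known_hosts rather than those of the preceding unprivileged `scp` line — presumably root has its own key to `$h`, but a comment saying so would save the next person a failed run. The copied file's mode follows the source, so check that `/q/root/shadow/router` is 0600.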
@@ -60,6 +88,14 @@ l=${lan%.0} passwd -l root ||: #already locked fails +sed -ibak '/^root:/d' /etc/shadow +# /root/router created by manually running passwd then copying the resulting +# line. We have no mkpasswd on wrt/librecmc, then we scp it in. +cat /root/router >>/etc/shadow +# otherwise, serial console gets root login with no password +uset system.@system[0].ttylogin 1 + + cat >/usr/bin/archlike-pxe-mount <<'EOFOUTER' #!/bin/bash # symlinks are collapsed for nfs mount points, so use a bind mount. @@ -154,32 +190,6 @@ EOF -######### uci example:####### -# # https://wiki.openwrt.org/doc/uci -# wan_index=$(uci show firewall | sed -rn 's/firewall\.@zone\[([0-9])+\]\.name=wan/\1/p') -# wan="firewall.@zone[$wan_index]" -# if [[ $(uci get firewall.@forwarding[0].dest) != $forward_dest ]]; then -# # default is wan -# v uci set firewall.@forwarding[0].dest=$forward_dest -# uci commit firewall -# firewall_restart=true -# fi - - -uset() { - local key="$1" - local val="$2" - local service="${key%%.*}" - restart_var=${service}_restart - if [[ ! ${!restart_var} ]]; then - eval $restart_var=false - fi - if [[ $(uci get "$key") != "$val" ]]; then - v uci set "$key"="$val" - uci commit $service - eval $restart_var=true - fi -} uset dropbear.@dropbear[0].PasswordAuth 0 uset dropbear.@dropbear[0].RootPasswordAuth 0 @@ -236,6 +246,8 @@ EOF firewall_restart=false v cedit /etc/config/firewall <<EOF || firewall_restart=true + + config redirect option name ssh option src wan @@ -330,7 +342,8 @@ $l.4 htpc $l.5 x2 $l.6 demohost $l.7 x3 -$l.8 tp faiserver b8.nz +$l.8 tp b8.nz faiserver +$l.9 bb8 72.14.176.105 li # netns creation looks for next free subnet starting at 10.173, but I only
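Review bot: Between `sed -ibak '/^root:/d' /etc/shadow` and `cat /root/router >>/etc/shadow` there is no check that `/root/router` exists and actually holds a `root:` line, so if the scp in `wrt-setup` did not run the root entry is deleted and never replaced, leaving the router without any root shadow entry; guard it first with `[[ -s /root/router ]] && grep -q '^root:' /root/router || { echo "$0: /root/router missing or not a root entry" >&2; exit 1; }`. The `-ibak` form is parsed as an in-place suffix, so the previous hashes stay readable in `/etc/shadowbak`, and the hash file itself remains in `/root/router`; add `rm -f /etc/shadowbak /root/router` once the append has succeeded. Enabling `ttylogin` is the right complement — as the comment notes, without a password the serial console would otherwise be an unauthenticated root shell.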