From: Ian Kelling Date: Sat, 4 Sep 2021 19:11:17 +0000 (-0400) Subject: various fixes for bullseye and new ssh key changes X-Git-Url: https://iankelling.org/git/?a=commitdiff_plain;h=bfd6bbd3a188aac6871f8b5e1116a0979682d52b;p=automated-distro-installer various fixes for bullseye and new ssh key changes
---
diff --git a/.gitignore b/.gitignore
index 5e08dd9..d01c086 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,3 @@
 /fai/config/class/51-multi-boot
+/fai/config/files/root/.ssh/authorized_keys
+/fai/config/files/usr/local
diff --git a/chost b/chost
index a26529f..18c0aac 100755
--- a/chost
+++ b/chost
@@ -11,5 +11,11 @@ host=$1
 # a valid address and we just use that
 addr=$(host $host | sed -rn 's/^\S+ has address //p;T;q' ||:)
 h=$(host $addr)
+case $h in
+ *"no PTR record")
+ echo "error: chost: $h" >&2
+ exit 1
+ ;;
+esac
 h=${h##* }
 echo $h
diff --git a/fai-redep b/fai-redep
index e7aab6d..df08b76 100755
--- a/fai-redep
+++ b/fai-redep
@@ -4,6 +4,8 @@ set -eE -o pipefail
 trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
+[[ $EUID == 0 ]] || exec sudo -E "${BASH_SOURCE[0]}" "$@"
+
 readonly this_file="$(readlink -f -- "${BASH_SOURCE[0]}")"; cd "${this_file%/*}"
 usage() {
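Review bot: The new `case` only recognises the "no PTR record" wording, so any other failure of the `host $addr` call on the line above (a lookup that fails outright, or an empty `$addr` because the earlier lookup's error is swallowed by `||:`) still falls through to `h=${h##* }` and the script prints the last word of an error message as though it were a hostname; for example the NXDOMAIN form of host's output would presumably yield something like `3(NXDOMAIN)`. Checking the exit status covers all of those cases at once: `h=$(host "$addr") || { echo "error: chost: $h" >&2; exit 1; }`, with the PTR match kept as a second guard. `$host` and `$addr` are expanded unquoted on the context lines; the start of the script is above the hunk.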
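Review bot: The `sudo -E` re-exec hands the caller's entire environment to the root process, and the second hunk of this file then reads `$HOME/.ssh/confighome` as root, so the script silently depends on `HOME` surviving sudo's env_reset policy and on root driving ssh with the invoking user's config and keys. That contract is worth stating on the line, e.g. `# re-exec as root; -E keeps HOME so the ssh -F $HOME/.ssh/confighome calls below use the invoking user's config`, or narrowing it to `exec sudo HOME="$HOME" "${BASH_SOURCE[0]}" "$@"` where sudoers permits setting that variable. The `cd` to the script's directory happens only after the re-exec, so a relative `${BASH_SOURCE[0]}` is resolved against the original working directory.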
@@ -53,94 +55,51 @@ readonly host distro target
 # i use faiserver as a dns alias, but ssh key is associated with
 # a canonical hostname and we will have ssh warning spam unless we
 # use it, so look it up just to avoid the warning spam.
-faiserver_host=$(chost $host) || faiserver_host=$host
+faiserver_host=$(/a/exe/chost $host) || faiserver_host=$host
+
+faiserver_addr=$(host $host | sed -rn 's/^\S+ has address //p;T;q' ||:)
+if ! ip a | grep "^ *inet.\? $faiserver_addr" &>/dev/null; then
+ rpre="-e 'ssh -F $HOME/.ssh/confighome' root@$faiserver_host:"
+ faiserver_shell="ssh -F $HOME/.ssh/confighome root@$faiserver_host"
+fi
-rsync -rlpt --delete --relative --exclude /fai/config/basefiles/ fai/config root@$faiserver_host:/srv
+# these are gitignored.
+rsync -atL /home/iank/.ssh/authorized_keys fai/config/files/root/.ssh/authorized_keys/STANDARD
+# we hssh and ssh_filter_btrbk for the initial btrbk (alternatively, I could open up the
+# permissions in authorized_keys, but that just seems lazy)
+install --owner=iank --group=iank -d fai/config/files/usr/local/bin/hssh
+rsync -atL /a/bin/ds/hssh fai/config/files/usr/local/bin/hssh/STANDARD
+install --owner=iank --group=iank -d fai/config/files/usr/local/bin/ssh_filter_btrbk.sh
+rsync -atL /a/opt/btrbk/ssh_filter_btrbk.sh fai/config/files/usr/local/bin/ssh_filter_btrbk.sh/STANDARD
+
+rsync -rlpt --delete --relative --exclude /fai/config/basefiles/ fai/config $rpre/srv
-sudo rsync -a /root/.ssh/home.pub \
- root@$faiserver_host:/srv/fai/config/files/root/.ssh/authorized_keys/STANDARD
 # todo: automatically disable faiserver after a period so
 # these files are not available.
if [[ $target ]]; then
- if sudo test -e /q/root/shadow/$target; then
+ if test -e /q/root/shadow/$target; then
 shadowfile=shadow/$target # empty otherwise
 fi
- sudo rsync -lpt --files-from=- /q/root root@$faiserver_host:/srv/fai/config/distro-install-common </dev/null ||: # broken pipe
+ $faiserver_shell dd of=/srv/fai/config/package_config/DESKTOP 2>/dev/null ||: # broken pipe
-rsync -rplt --include '/*.gz' --exclude '/**' --delete-excluded $BASEFILE_DIR/ root@$faiserver_host:/srv/fai/config/basefiles/
-ssh root@$faiserver_host bash <<'EOF'
-set -eE -o pipefail
-# make it the root because pxe-kexec only looks there.
-# It wouldn't be too hard to change if we needed.
-# We could also just dump things in /srv/tftp, but fai
-# has some defaults, which I don't even use, which expect
-# the other directory, so it's kind of a tossup, whatever.
-sed -ri 's,^ *(TFTP_DIRECTORY=).*,\1"/srv/tftp/fai",' /etc/default/tftpd-hpa
-systemctl restart tftpd-hpa
-
-changed=false
-f=/srv/fai/nfsroot/root/.ssh/known_hosts
-install -d -m 700 /srv/fai/nfsroot/root/.ssh
-# the known hosts entries that fai already sets up are like
-# IP,HOSTNAME key_info...
-# we are skipping the ip, because it doesn't block ssh
-# with a prompt as long as you have the user supplied hostname,
-# and i don't want to deal with getting it, it's not adding
-# any important security in this case.
-if ! grep -xFq "$line" $f &>/dev/null; then
- changed=true
- printf "%s\n" "$line" >>$f
-fi
-
-if ! modprobe nfsd &>/dev/null; then
- # no apt-cache on maru debian, because we are low on space already
- sed -i '/^ *APTPROXY=/d' /srv/fai/config/class/DEBIAN.var
- # maru debian doesn't have loopback devs created
- if ! losetup -f; then
- shopt -s nullglob
- x=(/dev/loop*)
- minor=0
- if (( ${#x[@]} )); then
- minor=$(( ${x[-1]#/dev/loop} + 1 ))
- fi
- mknod -m660 /dev/loop$minor b 7 $minor
- losetup -f
- fi
- # -B boo only iso, no nfsroot, no paritial miorr, no config space.
- # -f = force, for overwriting
- # -S = make squash image for http booting
- # -d config space url, instead of putting it in the squash.img,
- # this just makes it so that we don't have to regenerate the img
- # when the config changes.
- cd /srv/fai/config
- tar czf /var/www/faiserver/html/config.tar.gz .
- if $changed || [[ ! -e /var/www/faiserver/html/squash.img ]]; then
- # note, on maru, selinux needs to be disabled in android before
- # this will work.
- mount
- export debug=true
- fai-cd -d http://faiserver:8080/config.tar.gz -f -M -S /var/www/faiserver/html/squash.img
- mount
- fi
-fi
-EOF
+rsync -rplt --include '/*.gz' --exclude '/**' --delete-excluded $BASEFILE_DIR/ $rpre/srv/fai/config/basefiles/
diff --git a/fai/config/class/50-host-classes b/fai/config/class/50-host-classes
index c62229f..8fc4cfb 100755
--- a/fai/config/class/50-host-classes
+++ b/fai/config/class/50-host-classes
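Review bot: When the `host $host` lookup that feeds `faiserver_addr` fails, `||:` leaves the variable empty and the grep pattern degrades to `^ *inet.\? `, which matches any address line in `ip a`, so the script takes the local branch with `rpre` and `faiserver_shell` unset and the later `rsync --delete` into `$rpre/srv` and the `dd` land in the local `/srv` of whatever machine ran it. Abort on an empty result and anchor the address so that `10.0.0.1` cannot match `10.0.0.10`: `[[ $faiserver_addr ]] || { echo "error: cannot resolve $host" >&2; exit 1; }` followed by `if ! ip a | grep -q "^ *inet6\? $faiserver_addr/"; then`. The myfai-chboot hunk near the end of this diff has the same unguarded lookup and grep. The new `rsync -atL` lines also stage the user's `authorized_keys` plus `hssh` and `ssh_filter_btrbk.sh` into the gitignored `fai/config/files` tree, which deserves a comment saying these become root's authorized_keys and `/usr/local/bin` content on every host installed from this server; part of this hunk is garbled in the page (a here-doc appears to have been stripped), so the middle of the function is not fully visible.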
@@ -79,41 +79,6 @@ echo FAIBASE STANDARD DEBIAN
 # # LINODE: For running a vm on linode, especially one created with fai-cd.
-###### begin Template for 51-multi-boot ######
-#
-# It has reasonable combinations of above classes.
-# It's a noop until we replace _ with host names.
-
-#!/bin/bash
-if [[ ! -e /a/bin/fai/fai-wrapper || $FAI_ACTION == dirinstall ]]; then
- case $HOSTNAME in
- # bookworm
- _) echo BOOKWORM64 VOL_BOOKWORM_BOOTSTRAP BOOKWORM_FREE ;;
- # bullseye based minimal recovery / bootstraping os:
- _) echo BULLSEYE64 VOL_BULLSEYE_BOOTSTRAP BULLSEYE_FREE ;;
- # buster
- _) echo BUSTER64 VOL_BUSTER_BOOTSTRAP BUSTER_FREE ;;
- # flidas
- _) echo UBUNTU FLIDAS64 VOL_FLIDAS FLIDAS ;;
- # etiona
- _) echo UBUNTU ETIONA64 VOL_ETIONA ETIONA ;;
- # nabia
- _) echo UBUNTU NABIA64 VOL_NABIA NABIA ;;
- # stretch
- _) echo STRETCH64 VOL_STRETCH STRETCH_FREE ;;
- # buster
- _) echo BUSTER64 VOL_BUSTER BUSTER_FREE ;;
- # testing
- _) echo STRETCH64 VOL_TESTING TESTING_FREE ;;
- # xenial
- _) echo UBUNTU XENIAL64 VOL_XENIAL XENIAL_FREE ;;
- # bionic
- _) echo UBUNTU BIONIC64 VOL_BIONIC BIONIC ;;
- # focal
- _) echo UBUNTU FOCAL64 VOL_FOCAL FOCAL ;;
- esac
-fi
-###### end Template for 51-multi-boot ######
 if [[ -e /a/bin/fai/fai-wrapper ]]; then
 source /a/bin/distro-functions/src/identify-distros
@@ -149,3 +114,42 @@ if grep ^52:54:00: /sys/class/net/eth0/address &>/dev/null; then
 # if our eth0 mac is in the kvm range, we are a vm.
 echo "VM"
 fi
+
+exit 0
+### Below here is a comment of code, exit above is so it does not get executed ###
+
+###### begin Template for 51-multi-boot ######
+#
+# It has reasonable combinations of above classes.
+# It's a noop until we replace _ with host names.
+
+#!/bin/bash
+if [[ ! -e /a/bin/fai/fai-wrapper || $FAI_ACTION == dirinstall ]]; then
+ case $HOSTNAME in
+ # bullseye based minimal recovery / bootstraping os:
+ _) echo BULLSEYE64 VOL_BULLSEYE_BOOTSTRAP BULLSEYE_FREE ;;
+ # flidas
+ _) echo UBUNTU FLIDAS64 VOL_FLIDAS FLIDAS ;;
+ # etiona
+ _) echo UBUNTU ETIONA64 VOL_ETIONA ETIONA ;;
+ # nabia
+ _) echo UBUNTU NABIA64 VOL_NABIA NABIA ;;
+ # stretch
+ _) echo STRETCH64 VOL_STRETCH STRETCH_NONFREE ;;
+ # buster
+ _) echo BUSTER64 VOL_BUSTER BUSTER_NONFREE ;;
+ # bullseye
+ _) echo BULLSEYE64 VOL_BULLSEYE BULLSEYE_NONFREE ;;
+ # bookworm
+ _) echo BOOKWORM64 VOL_BOOKWORM BOOKWORM_NONFREE ;;
+ # testing
+ _) echo BOOKWORM64 VOL_TESTING TESTING_NONFREE ;;
+ # xenial
+ _) echo UBUNTU XENIAL64 VOL_XENIAL XENIAL_FREE ;;
+ # bionic
+ _) echo UBUNTU BIONIC64 VOL_BIONIC BIONIC ;;
+ # focal
+ _) echo UBUNTU FOCAL64 VOL_FOCAL FOCAL ;;
+ esac
+fi
+###### end Template for 51-multi-boot ######
diff --git a/fai/config/files/etc/systemd/system/faicheck.service/VOL_BUSTER_BOOTSTRAP b/fai/config/files/etc/systemd/system/faicheck.service/VOL_BULLSEYE_BOOTSTRAP
similarity index 100%
rename from fai/config/files/etc/systemd/system/faicheck.service/VOL_BUSTER_BOOTSTRAP
rename to fai/config/files/etc/systemd/system/faicheck.service/VOL_BULLSEYE_BOOTSTRAP
diff --git a/fai/config/files/root/fai-check/VOL_BULLSEYE_BOOTSTRAP b/fai/config/files/root/fai-check/VOL_BULLSEYE_BOOTSTRAP
index 330efcc..6717987 100755
--- a/fai/config/files/root/fai-check/VOL_BULLSEYE_BOOTSTRAP
+++ b/fai/config/files/root/fai-check/VOL_BULLSEYE_BOOTSTRAP
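Review bot: The template is now live bash parked after `exit 0`, complete with a second `#!/bin/bash` line, so it is dead only by virtue of that single `exit`, and anything a future edit appends below it will silently never run either. Keeping it as a non-executed file instead (for instance a `51-multi-boot.template` beside the gitignored `51-multi-boot` this diff's .gitignore hunk lists), or commenting every line out with `#`, would make the intent explicit; the separator could then read `# Template for 51-multi-boot follows; copy it to 51-multi-boot and replace _ with host names`.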
@@ -58,11 +58,12 @@ for dev in $(btrfs fi show / | sed -rn 's#^\s*devid\s.*\s([^0-9 ]+)\S+$#\1#p' \
 # Old partition scheme
 grub_extn=${dev}4
 elif [[ $(blockdev --getsize64 ${dev}5) == 8388608 ]]; then
+ # Old partition scheme
 grub_extn=${dev}5
 else
 grub_extn=${dev}7
 fi
- mount $dev /mnt
+ mount $grub_extn /mnt
 if $first; then
 if [[ -e /mnt/grubenv ]]; then
 set -x
diff --git a/fai/config/hooks/instsoft.DEFAULT b/fai/config/hooks/instsoft.DEFAULT
index 2d0c905..22c8104 100755
--- a/fai/config/hooks/instsoft.DEFAULT
+++ b/fai/config/hooks/instsoft.DEFAULT
@@ -33,12 +33,17 @@ if [[ ${files[0]} ]]; then
 fi
-#### this bit is duplicated in rootsshsync
-f=/var/lib/fai/config/files/root/.ssh/authorized_keys/STANDARD
-d=$target/etc/initramfs-tools
-d2=$target/etc/dropbear-initramfs
-mkdir -p $d/root/.ssh $d2
-chmod 700 $d/root $d/root/.ssh
-# i think buster uses the second, flidas uses the first.
-cp -p $f $d/root/.ssh/authorized_keys
-cp -p $f $d2/authorized_keys
+#### this bit is duplicated in rootsshsync, except we skip update-initramfs,
+# since I suspect its not needed. I'm not sure any of this is needed
+# since we initially embed the key, and with distro-begin, we run rootsshsync
+# around the same time as we remove it.
+d=/etc/initramfs-tools
+if [[ -e $d ]] && ! diff -q /root/.ssh/authorized_keys $d/root/.ssh/authorized_keys &>/dev/null; then
+ mkdir -p $d/root/.ssh /etc/dropbear-initramfs
+ chmod 700 $d/root $d/root/.ssh
+ cp -p /root/.ssh/authorized_keys $d/root/.ssh/authorized_keys
+ cp -p /root/.ssh/authorized_keys /etc/dropbear-initramfs
+ if [[ -e /root/.ssh/authorized_keys2 ]]; then
+ cat /root/.ssh/authorized_keys2 >>/etc/dropbear-initramfs
+ fi
+fi
diff --git a/fai/config/hooks/partition.DEFAULT b/fai/config/hooks/partition.DEFAULT
index 56919e9..80f0d7c 100755
--- a/fai/config/hooks/partition.DEFAULT
+++ b/fai/config/hooks/partition.DEFAULT
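Review bot: `mount $grub_extn /mnt` now mounts the partition the `if`/`elif` chain selected, but its result is still not checked, so when the mount fails the `[[ -e /mnt/grubenv ]]` test right after it (and the rest of the loop body, which continues outside the hunk) inspects whatever is already at `/mnt`, and on a bare mount point that reads as "no grubenv" instead of an error. Unless the script runs under `set -e`, which is not visible here, guard it with `mount "$grub_extn" /mnt || { echo "fai-check: mount $grub_extn failed" >&2; continue; }` (or `break`, depending on what the remainder of the loop expects). With the added comment there are now two partitions both labelled "Old partition scheme", so the `elif` line would benefit from saying which layout puts an 8 MiB (8388608-byte) partition at `${dev}5`; the `for dev in` loop starts on the hunk header line and ends outside the hunk.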
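Review bot: `cat /root/.ssh/authorized_keys2 >>/etc/dropbear-initramfs` redirects into the directory that the `mkdir -p` a few lines up creates, so bash reports "Is a directory" and the second key file never reaches dropbear; the removed code wrote to `$d2/authorized_keys`, and the new line should likewise be `cat /root/.ssh/authorized_keys2 >>/etc/dropbear-initramfs/authorized_keys`. Two adjacent points are worth a comment: the `cp -p /root/.ssh/authorized_keys /etc/dropbear-initramfs` line relies on cp's copy-into-directory behaviour to produce `authorized_keys` there, and the `diff -q` guard only compares the initramfs-tools copy, so the dropbear copy is not refreshed when it alone has drifted. The rewrite also dropped the `$target/` prefix the removed lines used, so these paths now point at the running system rather than the install target; presumably intended given the comment about rootsshsync, but it deserves an explicit note.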
@@ -394,6 +394,8 @@ if [[ ! $DISTRO ]]; then
 DISTRO=debianbuster
 elif ifclass VOL_BULLSEYE; then
 DISTRO=debianbullseye
+ elif ifclass VOL_BOOKWORM; then
+ DISTRO=debianbookworm
 elif ifclass VOL_TESTING; then
 DISTRO=debiantesting
 elif ifclass VOL_XENIAL; then
diff --git a/fai/config/scripts/GRUB_PC/11-iank b/fai/config/scripts/GRUB_PC/11-iank
index 5e74374..ecc093e 100755
--- a/fai/config/scripts/GRUB_PC/11-iank
+++ b/fai/config/scripts/GRUB_PC/11-iank
@@ -27,6 +27,7 @@ fi
 fcopy -riB /boot
 # this is also done by FABASE/10-misc by default (without B)
 fcopy -riB /root
+fcopy -riB /usr/local/bin
 src=$FAI/distro-install-common/shadow
diff --git a/faiserver-setup b/faiserver-setup
index cf6b984..e1f744b 100755
--- a/faiserver-setup
+++ b/faiserver-setup
@@ -155,7 +155,7 @@ EOF
 ### begin setup security repo ###
 case $base in
- stretch|buster|bullseye)
+ stretch|buster)
 cat >>/etc/fai/apt/sources.list <>/srv/fai/nfsroot/root/.ssh/known_hosts done
+# make it the root because pxe-kexec only looks there.
+# It wouldn't be too hard to change if we needed.
+# We could also just dump things in /srv/tftp, but fai
+# has some defaults, which I don't even use, which expect
+# the other directory, so it's kind of a tossup, whatever.
+sed -ri 's,^ *(TFTP_DIRECTORY=).*,\1"/srv/tftp/fai",' /etc/default/tftpd-hpa
+systemctl restart tftpd-hpa
+
 # serial console
 # mainly from
diff --git a/myfai-chboot b/myfai-chboot
index 7d775ea..308b1c7 100755
--- a/myfai-chboot
+++ b/myfai-chboot
@@ -36,8 +36,10 @@ case $1 in
 -h|--help) usage ;;
 esac
+
+faiserver_addr=$(host faiserver | sed -rn 's/^\S+ has address //p;T;q' ||:)
 host=$(./chost faiserver)
-if [[ $host == $(./chost $HOSTNAME) ]]; then
+if ip a | grep "^ *inet.\? $faiserver_addr" &>/dev/null; then
 ./myfai-chboot-local "$@"
 else
 ssh root@$host bash -s -- "$@" &2; }
+PATH="/a/exe:$PATH"
+
 ##### begin command line parsing ########
 dhcp=true
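Review bot: `fcopy -riB /usr/local/bin` in the 11-iank hunk installs whatever sits under `fai/config/files/usr/local/bin` in the config space, and this commit both gitignores that tree and has fai-redep populate it from the deploying machine's `/a/bin/ds/hssh` and `/a/opt/btrbk/ssh_filter_btrbk.sh`, so there is no in-repo record of what actually lands in `/usr/local/bin` on each installed host. A comment on the new line would make that dependency visible, e.g. `# hssh and ssh_filter_btrbk.sh; staged by fai-redep, deliberately not tracked in git`. Since the fai-redep comment says these scripts stand in for looser authorized_keys permissions, it is also worth confirming that the copied files are not group- or world-writable after fcopy, unless their modes are already pinned elsewhere in the config.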