limit fai nfs export to host being installed

[automated-distro-installer] / myfai-chboot-local

diff --git a/myfai-chboot-local b/myfai-chboot-local
index 66c496d069afa8dfb4f0b07782364a914c25cb1f..9ba87dcd5ff8e2a88aa61308a45a1c35289d9c6c 100755 (executable)
--- a/myfai-chboot-local
+++ b/myfai-chboot-local
@@ -20,6 +20,9 @@ if [[ ! $1 ]]; then
     exit 0
 fi
 
+host=$1
+ip=$(getent hosts $host | awk '{print $1}')
+
 std_arg="-u nfs://faiserver/srv/fai/config"
 e fai-chboot -Iv $std_arg default # set it to default to get a val out of it next
 kernel=$(fai-chboot -L '^default$' | awk '{print $3}')
@@ -31,7 +34,16 @@ my_ip=$(host faiserver $gateway_ip | sed -rn 's/^\S+ has address //p')
 k_args=$(fai-chboot -L '^default$' | \
              sed -r "s/^(\S+\s+){3}(.*root=)(.*)/\2$my_ip:\3/")
 rm -f /srv/tftp/fai/pxelinux.cfg/*
-e fai-chboot -k "$k_args" -v -f verbose,sshd,createvt,reboot $std_arg $kernel "$@"
+e fai-chboot -k "$k_args" -v -f verbose,sshd,createvt,reboot $std_arg $kernel "$host"
+
+# fai-setup without -e sets the ip to the local_ip/local_network, eg 192.168.1.3/24
+# I restrict it to one ip as simple but imperfect access control.
+sed -ri --follow-symlinks '\%^/srv/fai/%d' /etc/exports
+cat >>/etc/exports <<EOF
+/srv/fai/config $ip/32(async,ro,no_subtree_check)
+/srv/fai/nfsroot $ip/32(async,ro,no_subtree_check,no_root_squash)
+EOF
+exportfs -ra
 
 
 # todo, remove the nopxe script. adjust fai-check to reboot if it fails on the kexec.