confluent/confluent_osdeploy/ubuntu22.04/profiles/default/scripts/pre.sh

#!/bin/bash
deploycfg=/custom-installation/confluent/confluent.deploycfg
mkdir -p /var/log/confluent
mkdir -p /opt/confluent/bin
mkdir -p /etc/confluent
cp /custom-installation/confluent/confluent.info /custom-installation/confluent/confluent.apikey /etc/confluent/
cat /custom-installation/tls/*.pem >> /etc/confluent/ca.pem
cp /custom-installation/confluent/bin/apiclient /opt/confluent/bin
cp $deploycfg /etc/confluent/
(
exec >> /var/log/confluent/confluent-pre.log
exec 2>> /var/log/confluent/confluent-pre.log
chmod 600 /var/log/confluent/confluent-pre.log

cryptboot=$(grep encryptboot: $deploycfg|sed -e 's/^encryptboot: //')


cat /custom-installation/ssh/*pubkey > /root/.ssh/authorized_keys
nodename=$(grep ^NODENAME: /custom-installation/confluent/confluent.info|awk '{print $2}')
apikey=$(cat /custom-installation/confluent/confluent.apikey)
for pubkey in /etc/ssh/ssh_host*key.pub; do
    certfile=${pubkey/.pub/-cert.pub}
    keyfile=${pubkey%.pub}
    curl -f -X POST -H "CONFLUENT_NODENAME: $nodename" -H "CONFLUENT_APIKEY: $apikey" -d @$pubkey https://$confluent_mgr/confluent-api/self/sshcert > $certfile
    echo HostKey $keyfile >> /etc/ssh/sshd_config.d/confluent.conf
    echo HostCertificate $certfile >> /etc/ssh/sshd_config.d/confluent.conf
done
echo HostbasedAuthentication yes >> /etc/ssh/sshd_config.d/confluent.conf
echo HostbasedUsesNameFromPacketOnly yes >> /etc/ssh/sshd_config.d/confluent.conf
echo IgnoreRhosts no >> /etc/ssh/sshd_config.d/confluent.conf
systemctl restart sshd
mkdir -p /etc/confluent
export nodename confluent_profile confluent_mgr
curl -f https://$confluent_mgr/confluent-public/os/$confluent_profile/scripts/functions > /etc/confluent/functions
. /etc/confluent/functions
run_remote_parts pre.d
curl -f -X POST -H "CONFLUENT_NODENAME: $nodename" -H "CONFLUENT_APIKEY: $apikey" https://$confluent_mgr/confluent-api/self/nodelist > /tmp/allnodes
if [ ! -e /tmp/installdisk ]; then
    curl -f https://$confluent_mgr/confluent-public/os/$confluent_profile/scripts/getinstalldisk > /custom-installation/getinstalldisk
    python3 /custom-installation/getinstalldisk
fi
sed -i s!%%INSTALLDISK%%!/dev/$(cat /tmp/installdisk)! /autoinstall.yaml
if [ "$cryptboot" != "" ]  && [ "$cryptboot" != "none" ] && [ "$cryptboot" != "null" ]; then
    lukspass=$(head -c 66 < /dev/urandom |base64 -w0)
    run_remote_python addcrypt "$lukspass"
    if ! grep 'password:' /autoinstall.yaml > /dev/null; then
        echo "****Encrypted boot requested, but the user-data does not have a hook to enable,halting install" > /dev/console
        [ -f '/tmp/autoconsdev' ] && (echo "****Encryptod boot requested, but the user-data does not have a hook to enable,halting install" >> $(cat /tmp/autoconsdev))
        while :; do sleep 86400; done
    fi
    sed -i s!%%CRYPTPASS%%!$lukspass! /autoinstall.yaml
    sed -i s!'#CRYPTBOOT'!! /autoinstall.yaml
    echo -n $lukspass > /etc/confluent_lukspass

fi
) &
tail --pid $! -n 0 -F /var/log/confluent/confluent-pre.log > /dev/console
Add ubuntu22.04 profile Ubuntu 22.04 makes some changes, notably removing the custom-installation hooks. Change to injecting our modifications more directly to where the custom-installation hooks used to be. 2022-05-04 13:25:49 +00:00			`#!/bin/bash`
			`deploycfg=/custom-installation/confluent/confluent.deploycfg`
Add pre.d to ubuntu 22 diskful 2023-09-18 14:19:50 +00:00			`mkdir -p /var/log/confluent`
			`mkdir -p /opt/confluent/bin`
			`mkdir -p /etc/confluent`
			`cp /custom-installation/confluent/confluent.info /custom-installation/confluent/confluent.apikey /etc/confluent/`
			`cat /custom-installation/tls/*.pem >> /etc/confluent/ca.pem`
			`cp /custom-installation/confluent/bin/apiclient /opt/confluent/bin`
			`cp $deploycfg /etc/confluent/`
			`(`
			`exec >> /var/log/confluent/confluent-pre.log`
			`exec 2>> /var/log/confluent/confluent-pre.log`
			`chmod 600 /var/log/confluent/confluent-pre.log`
Add ubuntu22.04 profile Ubuntu 22.04 makes some changes, notably removing the custom-installation hooks. Change to injecting our modifications more directly to where the custom-installation hooks used to be. 2022-05-04 13:25:49 +00:00
			`cryptboot=$(grep encryptboot: $deploycfg\|sed -e 's/^encryptboot: //')`


			`cat /custom-installation/ssh/*pubkey > /root/.ssh/authorized_keys`
			`nodename=$(grep ^NODENAME: /custom-installation/confluent/confluent.info\|awk '{print $2}')`
			`apikey=$(cat /custom-installation/confluent/confluent.apikey)`
			`for pubkey in /etc/ssh/ssh_host*key.pub; do`
			`certfile=${pubkey/.pub/-cert.pub}`
			`keyfile=${pubkey%.pub}`
			`curl -f -X POST -H "CONFLUENT_NODENAME: $nodename" -H "CONFLUENT_APIKEY: $apikey" -d @$pubkey https://$confluent_mgr/confluent-api/self/sshcert > $certfile`
			`echo HostKey $keyfile >> /etc/ssh/sshd_config.d/confluent.conf`
			`echo HostCertificate $certfile >> /etc/ssh/sshd_config.d/confluent.conf`
			`done`
			`echo HostbasedAuthentication yes >> /etc/ssh/sshd_config.d/confluent.conf`
			`echo HostbasedUsesNameFromPacketOnly yes >> /etc/ssh/sshd_config.d/confluent.conf`
			`echo IgnoreRhosts no >> /etc/ssh/sshd_config.d/confluent.conf`
			`systemctl restart sshd`
Add pre.d to ubuntu 22 diskful 2023-09-18 14:19:50 +00:00			`mkdir -p /etc/confluent`
Export nodename in ubuntu pre 2023-10-04 13:49:09 +00:00			`export nodename confluent_profile confluent_mgr`
Add pre.d to ubuntu 22 diskful 2023-09-18 14:19:50 +00:00			`curl -f https://$confluent_mgr/confluent-public/os/$confluent_profile/scripts/functions > /etc/confluent/functions`
			`. /etc/confluent/functions`
			`run_remote_parts pre.d`
Add ubuntu22.04 profile Ubuntu 22.04 makes some changes, notably removing the custom-installation hooks. Change to injecting our modifications more directly to where the custom-installation hooks used to be. 2022-05-04 13:25:49 +00:00			`curl -f -X POST -H "CONFLUENT_NODENAME: $nodename" -H "CONFLUENT_APIKEY: $apikey" https://$confluent_mgr/confluent-api/self/nodelist > /tmp/allnodes`
Add pre.d to ubuntu 22 diskful 2023-09-18 14:19:50 +00:00			`if [ ! -e /tmp/installdisk ]; then`
			`curl -f https://$confluent_mgr/confluent-public/os/$confluent_profile/scripts/getinstalldisk > /custom-installation/getinstalldisk`
			`python3 /custom-installation/getinstalldisk`
			`fi`
Add ubuntu22.04 profile Ubuntu 22.04 makes some changes, notably removing the custom-installation hooks. Change to injecting our modifications more directly to where the custom-installation hooks used to be. 2022-05-04 13:25:49 +00:00			`sed -i s!%%INSTALLDISK%%!/dev/$(cat /tmp/installdisk)! /autoinstall.yaml`
Begin work on a cryptboot support for ubuntu Start implementing a tpm2-initramfs-tool based approach. This requires a bit of an odd transition as the PCR 7 is likely to change between the install phase and the boot phase, so we have to select different PCRs, but that requires an argument to pass that crypttab does not support. 2024-07-25 15:24:41 +00:00			`if [ "$cryptboot" != "" ] && [ "$cryptboot" != "none" ] && [ "$cryptboot" != "null" ]; then`
Rework Ubuntu addcrypt support The comment based hook is destroyed during early install process. Use python to manipulate the autoinstall file in a more sophisticated way. Also refactor the initramfs hook material to be standalone files. 2024-07-26 15:33:01 +00:00			`lukspass=$(head -c 66 < /dev/urandom \|base64 -w0)`
Fix omitted argument to addcrypt 2024-07-26 15:50:53 +00:00			`run_remote_python addcrypt "$lukspass"`
Correct spelling of key for luks check 2024-07-26 15:54:10 +00:00			`if ! grep 'password:' /autoinstall.yaml > /dev/null; then`
Switch to using systemd-cryptenroll The design more cleanly uses luks slot, but requires providing initramfs hooks. Those hooks are provided now. 2024-07-26 14:33:38 +00:00			`echo "****Encrypted boot requested, but the user-data does not have a hook to enable,halting install" > /dev/console`
			`[ -f '/tmp/autoconsdev' ] && (echo "****Encryptod boot requested, but the user-data does not have a hook to enable,halting install" >> $(cat /tmp/autoconsdev))`
			`while :; do sleep 86400; done`
			`fi`
Begin work on a cryptboot support for ubuntu Start implementing a tpm2-initramfs-tool based approach. This requires a bit of an odd transition as the PCR 7 is likely to change between the install phase and the boot phase, so we have to select different PCRs, but that requires an argument to pass that crypttab does not support. 2024-07-25 15:24:41 +00:00			`sed -i s!%%CRYPTPASS%%!$lukspass! /autoinstall.yaml`
			`sed -i s!'#CRYPTBOOT'!! /autoinstall.yaml`
Switch to using systemd-cryptenroll The design more cleanly uses luks slot, but requires providing initramfs hooks. Those hooks are provided now. 2024-07-26 14:33:38 +00:00			`echo -n $lukspass > /etc/confluent_lukspass`
Begin work on a cryptboot support for ubuntu Start implementing a tpm2-initramfs-tool based approach. This requires a bit of an odd transition as the PCR 7 is likely to change between the install phase and the boot phase, so we have to select different PCRs, but that requires an argument to pass that crypttab does not support. 2024-07-25 15:24:41 +00:00
			`fi`
Add pre.d to ubuntu 22 diskful 2023-09-18 14:19:50 +00:00			`) &`
			`tail --pid $! -n 0 -F /var/log/confluent/confluent-pre.log > /dev/console`