Add some content from exploring suse15/el8 install

2024-11-25 11:01:09 +00:00 · 2020-04-28 19:43:47 -04:00 · 2020-04-28 19:43:47 -04:00 · 45eba14b10
commit 45eba14b10
parent 3437b8b03c
3 changed files with 314 additions and 0 deletions
--- a/misc/autoyast.suse15
+++ b/misc/autoyast.suse15
@ -0,0 +1,152 @@
+<?xml version="1.0"?>
+<!DOCTYPE profile SYSTEM "/usr/share/YaST2/include/autoinstall/profile.dtd">
+<profile xmlns="http://www.suse.com/1.0/yast2ns" xmlns:config="http://www.suse.com/1.0/configns" xmlns:xi="http://www.w3.org/2001/XInclude">
+    <general>
+      <clock>
+        <hwclock>UTC</hwclock>
+        <xi:include href="file:///tmp/timezone"/>
+      </clock>
+      <mode>
+	      <confirm config:type="boolean">false</confirm>
+      </mode>
+    </general>
+    <add-on>
+        <add_on_products config:type="list">
+            <listentry><xi:include href="file:///tmp/pkgurl"/><product>sle-module-basesystem</product><product_dir>/Module-Basesystem</product_dir></listentry>
+	    <listentry><xi:include href="file:///tmp/pkgurl"/><product>sle-module-hpc</product><product_dir>/Module-HPC</product_dir></listentry>
+	    <listentry><xi:include href="file:///tmp/pkgurl"/><product>sle-module-server-applications</product><product_dir>/Module-Server-Applications</product_dir></listentry>
+	    <listentry><xi:include href="file:///tmp/pkgurl"/><product>sle-module-containers</product><product_dir>/Module-Containers</product_dir></listentry>
+	    <listentry><xi:include href="file:///tmp/pkgurl"/><product>SLE_HPC</product><product_dir>/Product-HPC</product_dir></listentry>
+	    <listentry><xi:include href="file:///tmp/pkgurl"/><product>Legacy-Module</product><product_dir>/Module-Legacy</product_dir></listentry>
+        </add_on_products>
+</add-on>
+    <software>
+       <products config:type="list">
+          <product>SLE_HPC</product>
+      </products>
+      <patterns config:type="list">
+        <pattern>base</pattern>
+      </patterns>
+      <packages config:type="list">
+        <package>openssl</package>
+        <package>chrony</package>
+        <package>rsync</package>
+        <package>screen</package>
+        <package>vim</package>
+        <package>binutils</package>
+        <package>pciutils</package>
+        <package>usbutils</package>
+        <package>nfs-client</package>
+        <package>ethtool</package>
+      </packages>
+    </software>
+  <partitioning config:type="list">
+	  <drive>
+		  <device>%%INSTDISK%%</device>
+		  <initialize config:type="boolean">true</initialize>
+		  <use>all</use>
+		  <type config:type="symbol">CT_LVM</type>
+          </drive>
+ </partitioning>
+    <users config:type="list">
+      <user>
+        <username>root</username>
+        <user_password>%%ROOTPASSWORD%%</user_password>
+        <encrypted config:type="boolean">true</encrypted>
+	<xi:include href="file:///tmp/rootkeys.xml"/>
+      </user>
+    </users>
+    <networking>
+	    <dns>
+		    <hostname>%%NODENAME%%</hostname>
+            </dns>
+	    <keep_install_network config:type="boolean">true</keep_install_network>
+    </networking>
+    <services-manager>
+	    <services>
+		    <enable config:type="list">
+			    <service>sshd</service>
+			</enable>
+		</services>
+	</services-manager>
+    <scripts>
+         <pre-scripts config:type="list">
+        <script>
+          <filename>pre.sh</filename>
+          <interpreter>shell</interpreter>
+          <source>
+<![CDATA[
+#!/bin/sh
+nodename=$(grep ^NODENAME /tmp/confluent.info|awk '{print $2}')
+mgr=$(grep ^ipv._server /tmp/confluent.deploycfg|awk '{print $2}')
+proto=$(grep ^protocol /tmp/confluent.deploycfg |awk '{print $2}')
+rootpw=$(grep rootpassword /tmp/confluent.deploycfg|sed -e 's/^rootpassword: //')
+curl -f -H "CONFLUENT_NODENAME: $nodename" -H "CONFLUENT_APIKEY: $(cat /tmp/confluent.apikey)" https://$mgr/confluent-api/self/nodelist > /tmp/allnodes
+if [ "$rootpw" = "null" ]; then
+    rootpw="!"
+fi
+
+mkdir ~/.ssh
+cat /ssh/*.rootpubkey > ~/.ssh/authorized_keys
+ssh-keygen -A
+for i in  /etc/ssh/ssh_host*key.pub; do
+    certname=${i/.pub/-cert.pub}
+    curl -f -X POST -H "CONFLUENT_NODENAME: $nodename" -H "CONFLUENT_APIKEY: $(cat /tmp/confluent.apikey)" -d @$i https://$mgr/confluent-api/self/sshcert > $certname
+    echo HostKey ${i%.pub} >> /etc/ssh/sshd_config
+    echo HostCertificate $certname >> /etc/ssh/sshd_config
+done
+/usr/sbin/sshd
+curl -f ${proto}://$mgr/confluent-public/confluent/util/getinstalldisk > /tmp/getinstalldisk
+python3 /tmp/getinstalldisk
+sed -e s!%%INSTDISK%%!/dev/$(cat /tmp/installdisk)! -e s!%%NODENAME%%!$nodename! -e "s?%%ROOTPASSWORD%%?${rootpw}?" /tmp/profile/autoinst.xml > /tmp/profile/modified.xml
+]]>
+          </source>
+        </script>
+      </pre-scripts>
+         <chroot-scripts config:type="list">
+        <script>
+          <filename>chroot.sh</filename>
+          <interpreter>shell</interpreter>
+          <source>
+<![CDATA[
+#!/bin/sh
+mkdir -p /mnt/root/.ssh/
+chmod 700 /mnt/root/.ssh/
+cp /root/.ssh/authorized_keys /mnt/root/.ssh/
+chmd 600 /mnt/root/.ssh/authorized_keys
+cp /etc/ssh/*key* /mnt/etc/ssh/
+for i in /etc/ssh/*-cert.pub; do
+    echo HostCertificate $i >> /mnt/etc/ssh/sshd_config
+done
+for i in /ssh/*.ca; do
+    echo '@cert-authority *' $(cat $i) >> /mnt/etc/ssh/ssh_known_hosts
+done
+echo IgnoreRhosts no >> /mnt/etc/ssh/sshd_config
+echo HostbasedAuthentication yes >> /mnt/etc/ssh/sshd_config
+echo HostbasedUsesNameFromPacketOnly yes >> /mnt/etc/ssh/sshd_config
+echo Host '*' >> /mnt/etc/ssh/ssh_config
+echo "    HostbasedAuthentication yes" >> /mnt/etc/ssh/ssh_config
+echo "    EnableSSHKeysign yes" >> /mnt/etc/ssh/ssh_config
+echo "    HostbasedKeyTypes *ed25519*" >> /mnt/etc/ssh/ssh_config
+echo /usr/lib/ssh/ssh-keysign root:root 4711 >> /mnt/etc/permissions.local
+chmod 4711 /mnt/usr/lib/ssh/ssh-keysign
+cp /tmp/allnodes /mnt/root/.shosts
+cp /tmp/allnodes /mnt/etc/ssh/shosts.equiv
+]]>
+          </source>
+        </script>
+      </chroot-scripts>
+      <!--         <post-scripts config:type="list">
+        <script>
+          <filename>post.sh</filename>
+          <interpreter>shell</interpreter>
+          <source>
+<![CDATA[
+mkdir -p /var/log/xcat/
+]]>
+          </source>
+        </script>
+</post-scripts> -->
+
+    </scripts>
+</profile>
--- a/misc/kickstart.el8
+++ b/misc/kickstart.el8
@ -0,0 +1,73 @@
+%include /tmp/rootpw
+%include /tmp/timezone
+%include /tmp/partitioning
+reboot
+
+%packages
+@^minimal-environment
+chrony
+rsync
+python3
+%end
+
+%pre
+nodename=$(grep ^NODENAME /etc/confluent.info|awk '{print $2}')
+mgr=$(grep ipv4_server /etc/confluent.deploycfg |awk '{print $2}')
+tz=$(grep ^timezone: /etc/confluent.deploycfg)
+tz=${tz#*: }
+echo timezone $tz --utc > /tmp/timezone
+rootpw=$(grep ^rootpassword /etc/confluent.deploycfg | awk '{print $2}')
+if [ "$rootpw" = null ]; then
+    echo "rootpw --lock" > /tmp/rootpw
+else
+    echo "rootpw --iscrypted $rootpw" > /tmp/rootpw
+fi
+for pubkey in /etc/ssh/ssh_host*key.pub; do
+    certfile=${pubkey/.pub/-cert.pub}
+    curl -f -X POST -H "CONFLUENT_NODENAME: $nodename" -H "CONFLUENT_APIKEY: $(cat /etc/confluent.apikey)" -d @$pubkey https://$mgr/confluent-api/self/sshcert > $certfile
+    echo HostCertificate $certfile >> /etc/ssh/sshd_config.anaconda
+done
+/usr/sbin/sshd -f /etc/ssh/sshd_config.anaconda
+if [ -f "/run/install/cmdline.d/01-autocons.conf" ]; then
+    consoledev=$(cat /run/install/cmdline.d/01-autocons.conf | sed -e 's!console=!/dev/!' -e 's/,.*//')
+    tmux a <> $consoledev >&0 2>&1 &
+fi
+curl https://$mgr/confluent-public/confluent/util/getinstalldisk > /tmp/getinstalldisk
+/usr/libexec/platform-python /tmp/getinstalldisk
+if [ -e /tmp/installdisk ]; then
+    echo clearpart --all --initlabel >> /tmp/partitioning
+    echo ignoredisk --only-use $(cat /tmp/installdisk) >> /tmp/partitioning
+    echo autopart --nohome >> /tmp/partitioning
+fi
+curl -f -H "CONFLUENT_NODENAME: $nodename" -H "CONFLUENT_APIKEY: $(cat /etc/confluent.apikey)" https://$mgr/confluent-api/self/nodelist > /tmp/allnodes
+%end
+
+%post --nochroot
+# need to copy over ssh key info
+grep HostCert /etc/ssh/sshd_config.anaconda >> /mnt/sysimage/etc/ssh/sshd_config
+echo HostbasedAuthentication yes >> /mnt/sysimage/etc/ssh/sshd_config
+echo HostbasedUsesNameFromPacketOnly yes >> /mnt/sysimage/etc/ssh/sshd_config
+echo IgnoreRhosts no >> /mnt/sysimage/etc/ssh/sshd_config
+sshconf=/etc/ssh/ssh_config
+if [ -d /mnt/sysimage/etc/ssh/ssh_config.d/ ]; then
+    sshconf=/mnt/sysimage/etc/ssh/ssh_config.d/01-confluent.conf
+fi
+echo 'Host *' >> $sshconf
+echo '    HostbasedAuthentication yes' >> $sshconf
+echo '    EnableSSHKeysign yes' >> $sshconf
+echo '    HostbasedKeyTypes *ed25519*' >> $sshconf
+
+cp /etc/ssh/ssh_host_* /mnt/sysimage/etc/ssh/
+mkdir /mnt/sysimage/root/.ssh/
+chmod 700 /mnt/sysimage/root/.ssh/
+cp /root/.ssh/authorized_keys /mnt/sysimage/root/.ssh/
+chmod 600 /mnt/sysimage/root/.ssh/authorized_keys
+cp /etc/ssh/ssh_known_hosts /mnt/sysimage/etc/ssh/
+cp /tmp/allnodes /mnt/sysimage/etc/ssh/shosts.equiv
+cp /tmp/allnodes /mnt/sysimage/root/.shosts
+%end
+
+%post
+chgrp ssh_keys /etc/ssh/ssh*key
+restorecon /etc/ssh/ssh*key /root/.shosts /etc/ssh/shosts.equiv /etc/ssh/ssh_config.d/*
+%end
--- a/misc/suseagent.sh
+++ b/misc/suseagent.sh
@ -0,0 +1,89 @@
+#!/bin/bash
+echo "Installing certificates"
+echo '<authorized_keys xmlns="http://www.suse.com/1.0/yast2ns" xmlns:config="http://www.suse.com/1.0/configns" config:type="list">' > /tmp/rootkeys.xml
+for pub in /ssh/*.rootpubkey; do
+    echo '<listentry>'$(cat $pub)'</listentry>' >> /tmp/rootkeys.xml
+done
+echo '</authorized_keys>' >> /tmp/rootkeys.xml
+/usr/bin/cp /tls/*.0 /var/lib/ca-certificates/openssl/
+/usr/bin/cp /tls/*.0 /etc/ssl/certs/
+echo "LineMode: 1" > /etc/linuxrc.d/01-confluent
+autocons=""
+if ! grep console /proc/cmdline > /dev/null; then
+	autocons=$(/opt/confluent/bin/autocons)
+	if [ ! -z "$autocons" ]; then
+		echo "ConsoleDevice: ${autocons%,*}" >> /etc/linuxrc.d/01-confluent
+	fi
+fi
+cd /sys/class/net
+for nic in *; do
+	ip link set $nic up
+done
+echo -n "Discovering confluent..."
+/opt/confluent/bin/copernicus -t > /tmp/confluent.info
+while ! grep MANAGER: /tmp/confluent.info > /dev/null; do
+	/opt/confluent/bin/copernicus -t > /tmp/confluent.info
+done
+nodename=$(grep ^NODENAME: /tmp/confluent.info | head -n 1 | sed -e 's/NODENAME: //')
+echo "done ($nodename)"
+echo "Hostname: $nodename" >> /etc/linuxrc.d/01-confluent
+mgr=$(grep ^MANAGER: /tmp/confluent.info | head -n 1 | sed -e 's/MANAGER: //')
+echo -n "Acquiring configuration from $mgr..."
+bootifidx=${mgr#*%}
+for nic in *; do
+	if [ "$(cat $nic/ifindex)" = "$bootifidx" ]; then
+		bootif=$nic
+	fi
+done
+cd -
+echo "NetDevice: $bootif" >> /etc/linuxrc.d/01-confluent
+/opt/confluent/bin/clortho $nodename $mgr > /tmp/confluent.apikey
+mgr="[$mgr]"
+curl -H "CONFLUENT_NODENAME: $nodename" -H "CONFLUENT_APIKEY: $(cat /tmp/confluent.apikey)" https://$mgr/confluent-api/self/deploycfg > /tmp/confluent.deploycfg
+
+tz=$(grep timezone: /tmp/confluent.deploycfg | awk '{print $2}')
+echo "<timezone>${tz}</timezone>" > /tmp/timezone
+autoconfigmethod=$(grep ipv4_method /tmp/confluent.deploycfg)
+autoconfigmethod=${autoconfigmethod#ipv4_method: }
+if [ "$autoconfigmethod" = "dhcp" ]; then
+	echo "DHCP: 1" >> /etc/linuxrc.d/01-confluent
+else
+	v4addr=$(grep ^ipv4_address: /tmp/confluent.deploycfg)
+	v4addr=${v4addr#ipv4_address: }
+	v4gw=$(grep ^ipv4_gateway: /tmp/confluent.deploycfg)
+	v4gw=${v4gw#ipv4_gateway: }
+	v4nm=$(grep ipv4_netmask: /tmp/confluent.deploycfg)
+	v4nm=${v4nm#ipv4_netmask: }
+	echo "HostIP: $v4addr" >> /etc/linuxrc.d/01-confluent
+	echo "Netmask: $v4nm" >> /etc/linuxrc.d/01-confluent
+	if [ "$v4gw" != "null" ]; then
+		echo "Gateway: $v4gw" >> /etc/linuxrc.d/01-confluent
+	fi
+	nameserversec=0
+	while read -r entry; do
+		if [ $nameserversec = 1 ]; then
+			if [[ $entry == "-"* ]]; then
+				echo Nameserver: ${entry#- } >> /etc/linuxrc.d/01-confluent
+				continue
+			fi
+		fi
+		nameserversec=0
+		if [ ${entry%:*} = "nameservers" ]; then
+			nameserversec=1
+			continue
+		fi
+	done < /tmp/confluent.deploycfg
+fi
+echo done
+mgr=$(grep ^ipv4_server: /tmp/confluent.deploycfg)
+mgr=${mgr#ipv4_server: }
+profilename=$(grep ^profile: /tmp/confluent.deploycfg)
+profilename=${profilename#profile: }
+proto=$(grep ^protocol: /tmp/confluent.deploycfg)
+proto=${proto#protocol: }
+
+echo "<media_url>${proto}://${mgr}/confluent-public/os/${profilename}/distribution/2</media_url>" > /tmp/pkgurl
+
+echo "AutoYaST: $proto://$mgr/confluent-public/os/$profilename/autoyast" >> /etc/linuxrc.d/01-confluent
+echo "Install: $proto://$mgr/confluent-public/os/$profilename/distribution/1" >> /etc/linuxrc.d/01-confluent
+exec /init