diff --git a/confluent_osdeploy/suse15/profiles/hpc/autoyast b/confluent_osdeploy/suse15/profiles/hpc/autoyast index b77fdaff..86507b64 100644 --- a/confluent_osdeploy/suse15/profiles/hpc/autoyast +++ b/confluent_osdeploy/suse15/profiles/hpc/autoyast @@ -115,19 +115,27 @@ curl $proto://$mgr/confluent-public/os/$profile/scripts/pre.sh > /tmp/pre.sh mgr=$(grep ^deploy_server /tmp/confluent.deploycfg|awk '{print $2}') profile=$(grep ^profile: /tmp/confluent.deploycfg|sed -e 's/^profile: //') proto=$(grep ^protocol: /tmp/confluent.deploycfg |awk '{print $2}') -curl $proto://$mgr/confluent-public/os/$profile/scripts/post.sh > /tmp/post.sh -. /tmp/post.sh -curl $proto://$mgr/confluent-public/os/$profile/scripts/firstboot.sh > /mnt/etc/confluent/firstboot.sh +curl $proto://$mgr/confluent-public/os/$profile/scripts/prechroot.sh > /tmp/prechroot.sh +. /tmp/prechroot.sh +curl -f $proto://$mgr/confluent-public/os/$profile/scripts/firstboot.sh > /mnt/etc/confluent/firstboot.sh +curl -f $proto://$mgr/confluent-public/os/$profile/scripts/post.sh > /mnt/etc/confluent/post.sh chmod +x /mnt/etc/confluent/firstboot.sh +chmod +x /mnt/etc/confluent/post.sh ]]> + diff --git a/confluent_osdeploy/suse15/profiles/hpc/scripts/firstboot.sh b/confluent_osdeploy/suse15/profiles/hpc/scripts/firstboot.sh index 1f873835..cea4c664 100644 --- a/confluent_osdeploy/suse15/profiles/hpc/scripts/firstboot.sh +++ b/confluent_osdeploy/suse15/profiles/hpc/scripts/firstboot.sh @@ -8,3 +8,8 @@ profile=$(grep ^profile: /etc/confluent/confluent.deploycfg|sed -e 's/^rootpassw proto=$(grep ^protocol: /etc/confluent/confluent.deploycfg |awk '{print $2}') apikey=$(cat /etc/confluent/confluent.apikey) curl --capath /etc/confluent/tls -H "CONFLUENT_NODENAME: $nodename" -H "CONFLUENT_APIKEY: $apikey" -f -X POST -d "status: complete" https://$mgr/confluent-api/self/updatestatus +. /etc/confluent/functions + +# Custom scripts may go here +# run_remote example.sh +# run_remote_python example.py diff --git a/confluent_osdeploy/suse15/profiles/hpc/scripts/functions b/confluent_osdeploy/suse15/profiles/hpc/scripts/functions new file mode 100644 index 00000000..e84bc821 --- /dev/null +++ b/confluent_osdeploy/suse15/profiles/hpc/scripts/functions @@ -0,0 +1,14 @@ +run_remote() { + cd $(mktemp -d) + curl -f https://$mgr/confluent-public/os/$profile/scripts/$1 > $1 + chmod +x $1 + ./$1 + cd - +} + +run_remote_python() { + cd $(mktemp -d) + curl -f https://$mgr/confluent-public/os/$profile/scripts/$1 > $1 + python3 $1 + cd - +} diff --git a/confluent_osdeploy/suse15/profiles/hpc/scripts/post.sh b/confluent_osdeploy/suse15/profiles/hpc/scripts/post.sh index 41ac2208..1ece9901 100644 --- a/confluent_osdeploy/suse15/profiles/hpc/scripts/post.sh +++ b/confluent_osdeploy/suse15/profiles/hpc/scripts/post.sh @@ -1,49 +1,22 @@ #!/bin/sh -# This script runs when install is finished, but while the installer -# is still running, with the to-be-booted system mounted in /mnt +# This script runs at the end of install in the installed system +# but still under the installer kernel. -# Carry over install-time ssh material into installed system -mkdir -p /mnt/root/.ssh/ -chmod 700 /mnt/root/.ssh/ -cp /root/.ssh/authorized_keys /mnt/root/.ssh/ -chmd 600 /mnt/root/.ssh/authorized_keys -cp /etc/ssh/*key* /mnt/etc/ssh/ -for i in /etc/ssh/*-cert.pub; do - echo HostCertificate $i >> /mnt/etc/ssh/sshd_config -done -for i in /ssh/*.ca; do - echo '@cert-authority *' $(cat $i) >> /mnt/etc/ssh/ssh_known_hosts -done -# Enable ~/.shosts, for the sake of root user, who is forbidden from using shosts.equiv -echo IgnoreRhosts no >> /mnt/etc/ssh/sshd_config -echo HostbasedAuthentication yes >> /mnt/etc/ssh/sshd_config -echo HostbasedUsesNameFromPacketOnly yes >> /mnt/etc/ssh/sshd_config -echo Host '*' >> /mnt/etc/ssh/ssh_config -echo " HostbasedAuthentication yes" >> /mnt/etc/ssh/ssh_config -echo " EnableSSHKeysign yes" >> /mnt/etc/ssh/ssh_config -# Limit the attempts of using host key. This prevents client from using 3 or 4 -# authentication attempts through host based attempts -echo " HostbasedKeyTypes *ed25519*" >> /mnt/etc/ssh/ssh_config +# This is a good place to run most customizations that do not have any +# dependency upon the install target kernel being active. -# In SUSE platform, setuid for ssh-keysign is required for host based, -# and also must be opted into. -echo /usr/lib/ssh/ssh-keysign root:root 4711 >> /mnt/etc/permissions.local -chmod 4711 /mnt/usr/lib/ssh/ssh-keysign +# If there are dependencies on the kernel (drivers or special filesystems) +# then firstboot.sh would be the script to customize. -# Download list of nodes from confluent, and put it into shosts.equiv (for most users) and .shosts (for root) -nodename=$(grep ^NODENAME /tmp/confluent.info|awk '{print $2}') -curl -f -H "CONFLUENT_NODENAME: $nodename" -H "CONFLUENT_APIKEY: $(cat /tmp/confluent.apikey)" https://$mgr/confluent-api/self/nodelist > /tmp/allnodes -cp /tmp/allnodes /mnt/root/.shosts -cp /tmp/allnodes /mnt/etc/ssh/shosts.equiv +mgr=$(grep ^deploy_server /etc/confluent/confluent.deploycfg|awk '{print $2}') +profile=$(grep ^profile: /etc/confluent/confluent.deploycfg|sed -e 's/^profile: //') +nodename=$(grep ^NODENAME /etc/confluent/confluent.info|awk '{print $2}') +export mgr profile nodename +. /etc/confluennt/functions -# carry over deployment configuration and api key for OS install action -mkdir -p /mnt/etc/confluent -chmod 700 /mnt/etc/confluent -chmod 600 /tmp/confluent.* -cp /tmp/confluent.* /mnt/etc/confluent/ -cp -a /tls /mnt/etc/confluent/ -cp -a /tls/* /mnt/var/lib/ca-certificates/openssl -cp -a /tls/* /mnt/var/lib/ca-certificates/pem -cp -a /tls/*.pem /mnt/etc/pki/trust/anchors +# Customizations may go here +# Examples: +# run_remote script.sh +# run_remote_python script.py diff --git a/confluent_osdeploy/suse15/profiles/hpc/scripts/pre.sh b/confluent_osdeploy/suse15/profiles/hpc/scripts/pre.sh index 296ae304..d8866be2 100644 --- a/confluent_osdeploy/suse15/profiles/hpc/scripts/pre.sh +++ b/confluent_osdeploy/suse15/profiles/hpc/scripts/pre.sh @@ -19,6 +19,7 @@ for i in /etc/ssh/ssh_host*key.pub; do echo HostCertificate $certname >> /etc/ssh/sshd_config done /usr/sbin/sshd -curl -f https://$mgr/confluent-public/os/$profile/scripts/getinstalldisk > /tmp/getinstalldisk -python3 /tmp/getinstalldisk +curl -f https://$mgr/confluent-public/os/$profile/scripts/functions > /tmp/functions +. /tmp/functions +run_remote_python getinstalldisk sed -e s!%%INSTDISK%%!/dev/$(cat /tmp/installdisk)! -e s!%%NODENAME%%!$nodename! -e "s?%%ROOTPASSWORD%%?${rootpw}?" /tmp/profile/autoinst.xml > /tmp/profile/modified.xml diff --git a/confluent_osdeploy/suse15/profiles/hpc/scripts/prechroot.sh b/confluent_osdeploy/suse15/profiles/hpc/scripts/prechroot.sh new file mode 100644 index 00000000..90f9d1dd --- /dev/null +++ b/confluent_osdeploy/suse15/profiles/hpc/scripts/prechroot.sh @@ -0,0 +1,22 @@ +#!/bin/sh + +# This script runs when install is finished, but while the installer +# is still running, with the to-be-booted system mounted in /mnt + +# carry over deployment configuration and api key for OS install action +mgr=$(grep ^deploy_server /tmp/confluent.deploycfg|awk '{print $2}') +profile=$(grep ^profile: /tmp/confluent.deploycfg|sed -e 's/^profile: //') +nodename=$(grep ^NODENAME /tmp/confluent.info|awk '{print $2}') +export mgr profile nodename +mkdir -p /mnt/etc/confluent +chmod 700 /mnt/etc/confluent +chmod 600 /tmp/confluent.* +cp /tmp/functions /mnt/etc/confluent/ +. /tmp/functions +cp /tmp/confluent.* /mnt/etc/confluent/ +cp -a /tls /mnt/etc/confluent/ +cp -a /tls/* /mnt/var/lib/ca-certificates/openssl +cp -a /tls/* /mnt/var/lib/ca-certificates/pem +cp -a /tls/*.pem /mnt/etc/pki/trust/anchors + +run_remote setupssh.sh diff --git a/confluent_osdeploy/suse15/profiles/hpc/scripts/setupssh.sh b/confluent_osdeploy/suse15/profiles/hpc/scripts/setupssh.sh new file mode 100644 index 00000000..cadd7a72 --- /dev/null +++ b/confluent_osdeploy/suse15/profiles/hpc/scripts/setupssh.sh @@ -0,0 +1,34 @@ +#!/bin/bash +# Carry over install-time ssh material into installed system +mkdir -p /mnt/root/.ssh/ +chmod 700 /mnt/root/.ssh/ +cp /root/.ssh/authorized_keys /mnt/root/.ssh/ +chmd 600 /mnt/root/.ssh/authorized_keys +cp /etc/ssh/*key* /mnt/etc/ssh/ +for i in /etc/ssh/*-cert.pub; do + echo HostCertificate $i >> /mnt/etc/ssh/sshd_config +done +for i in /ssh/*.ca; do + echo '@cert-authority *' $(cat $i) >> /mnt/etc/ssh/ssh_known_hosts +done +# Enable ~/.shosts, for the sake of root user, who is forbidden from using shosts.equiv +echo IgnoreRhosts no >> /mnt/etc/ssh/sshd_config +echo HostbasedAuthentication yes >> /mnt/etc/ssh/sshd_config +echo HostbasedUsesNameFromPacketOnly yes >> /mnt/etc/ssh/sshd_config +echo Host '*' >> /mnt/etc/ssh/ssh_config +echo " HostbasedAuthentication yes" >> /mnt/etc/ssh/ssh_config +echo " EnableSSHKeysign yes" >> /mnt/etc/ssh/ssh_config +# Limit the attempts of using host key. This prevents client from using 3 or 4 +# authentication attempts through host based attempts +echo " HostbasedKeyTypes *ed25519*" >> /mnt/etc/ssh/ssh_config + +# In SUSE platform, setuid for ssh-keysign is required for host based, +# and also must be opted into. +echo /usr/lib/ssh/ssh-keysign root:root 4711 >> /mnt/etc/permissions.local +chmod 4711 /mnt/usr/lib/ssh/ssh-keysign + +# Download list of nodes from confluent, and put it into shosts.equiv (for most users) and .shosts (for root) +curl -f -H "CONFLUENT_NODENAME: $nodename" -H "CONFLUENT_APIKEY: $(cat /tmp/confluent.apikey)" https://$mgr/confluent-api/self/nodelist > /tmp/allnodes +cp /tmp/allnodes /mnt/root/.shosts +cp /tmp/allnodes /mnt/etc/ssh/shosts.equiv +