Refactor SUSE installs
Apply the same comment principles to SUSE as were applied to Red Hat.
parent
d8266ea6c9
commit
886aade5dc
@ -115,19 +115,27 @@ curl $proto://$mgr/confluent-public/os/$profile/scripts/pre.sh > /tmp/pre.sh
|
||||
mgr=$(grep ^deploy_server /tmp/confluent.deploycfg|awk '{print $2}')
|
||||
profile=$(grep ^profile: /tmp/confluent.deploycfg|sed -e 's/^profile: //')
|
||||
proto=$(grep ^protocol: /tmp/confluent.deploycfg |awk '{print $2}')
|
||||
curl $proto://$mgr/confluent-public/os/$profile/scripts/post.sh > /tmp/post.sh
|
||||
. /tmp/post.sh
|
||||
curl $proto://$mgr/confluent-public/os/$profile/scripts/firstboot.sh > /mnt/etc/confluent/firstboot.sh
|
||||
curl $proto://$mgr/confluent-public/os/$profile/scripts/prechroot.sh > /tmp/prechroot.sh
|
||||
. /tmp/prechroot.sh
|
||||
curl -f $proto://$mgr/confluent-public/os/$profile/scripts/firstboot.sh > /mnt/etc/confluent/firstboot.sh
|
||||
curl -f $proto://$mgr/confluent-public/os/$profile/scripts/post.sh > /mnt/etc/confluent/post.sh
|
||||
chmod +x /mnt/etc/confluent/firstboot.sh
|
||||
chmod +x /mnt/etc/confluent/post.sh
|
||||
]]>
|
||||
</source>
|
||||
</script>
|
||||
<script>
|
||||
<chrooted config:type="boolean">true</chrooted>
|
||||
<filename>post.sh</filename>
|
||||
<interpreter>shell</interpreter>
|
||||
<location>file:///etc/confluent/post.sh</location>
|
||||
</script>
|
||||
</chroot-scripts>
|
||||
<init-scripts config:type="list">
|
||||
<script>
|
||||
<filename>post.sh</filename>
|
||||
<filename>firstboot.sh</filename>
|
||||
<interpreter>shell</interpreter>
|
||||
<location>file:///etc/confluent/firstboot.sh</location>
|
||||
<location>file:///etc/confluent/firstboot.sh</location>
|
||||
</script>
|
||||
</init-scripts>
|
||||
|
||||
|
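Review bot: The `prechroot.sh` download in this chroot script has no `-f` and no status check, and the next line sources `/tmp/prechroot.sh` in the installer, so an HTTP error page or a truncated body would be executed as shell. The two fetches just below it already use `curl -f`; the same flag plus a guard fits here, e.g. `curl -f $proto://$mgr/confluent-public/os/$profile/scripts/prechroot.sh > /tmp/prechroot.sh && . /tmp/prechroot.sh`. Because the scheme comes from `$proto` in the deploy config, the integrity of this script presumably depends on that value being `https`, whereas the helper scripts added in this commit hard-code `https://`. The enclosing `<script>` element starts above the hunk.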
@ -8,3 +8,8 @@ profile=$(grep ^profile: /etc/confluent/confluent.deploycfg|sed -e 's/^rootpassw
|
||||
proto=$(grep ^protocol: /etc/confluent/confluent.deploycfg |awk '{print $2}')
|
||||
apikey=$(cat /etc/confluent/confluent.apikey)
|
||||
curl --capath /etc/confluent/tls -H "CONFLUENT_NODENAME: $nodename" -H "CONFLUENT_APIKEY: $apikey" -f -X POST -d "status: complete" https://$mgr/confluent-api/self/updatestatus
|
||||
. /etc/confluent/functions
|
||||
|
||||
# Custom scripts may go here
|
||||
# run_remote example.sh
|
||||
# run_remote_python example.py
|
||||
|
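Review bot: The customization slot sits after the `updatestatus` POST that sends `status: complete`, so as rendered a `run_remote` script that fails here would still leave the node reported as deployed. Either move the status call below the custom-script block or state the ordering in a comment, for example `# Status was already reported complete above; failures here are not sent to confluent`. `. /etc/confluent/functions` is also sourced without checking that the file was actually carried into the installed system. The start of the script is outside the hunk.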
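--- a/confluent_osdeploy/suse15/profiles/hpc/scripts/functions
+++ b/confluent_osdeploy/suse15/profiles/hpc/scripts/functions
@@ -0,0 +1,14 @@
+run_remote() {
+cd $(mktemp -d)
+curl -f https://$mgr/confluent-public/os/$profile/scripts/$1 > $1
+chmod +x $1
+./$1
+cd -
+}
+
+run_remote_python() {
+cd $(mktemp -d)
+curl -f https://$mgr/confluent-public/os/$profile/scripts/$1 > $1
+python3 $1
+cd -
+}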
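Review bot: Both helpers run `cd $(mktemp -d)` unquoted and unchecked, so if `mktemp` fails the `cd` gets no argument and lands in `$HOME`, and the download, `chmod +x` and execution then happen there. The curl exit status is not checked before the file is run, and `$1` is used unquoted in the URL, the redirect target and the command line. Checking each step and quoting, as sketched below for `run_remote` (the same shape fits `run_remote_python`), also lets the body run in a subshell, which makes `cd -` and its output unnecessary. The sketch avoids `local` because the callers in this commit use `#!/bin/sh`.

```shell
run_remote() (
    # subshell body: the caller's working directory is never changed
    tmpdir=$(mktemp -d) || exit 1
    cd "$tmpdir" || exit 1
    curl -f "https://$mgr/confluent-public/os/$profile/scripts/$1" > "$1" || exit 1
    chmod +x "$1"
    "./$1"
)
# … run_remote_python: same steps, ending in python3 "$1" instead of chmod/exec …
```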
@ -1,49 +1,22 @@
|
||||
#!/bin/sh
|
||||
|
||||
# This script runs when install is finished, but while the installer
|
||||
# is still running, with the to-be-booted system mounted in /mnt
|
||||
# This script runs at the end of install in the installed system
|
||||
# but still under the installer kernel.
|
||||
|
||||
# Carry over install-time ssh material into installed system
|
||||
mkdir -p /mnt/root/.ssh/
|
||||
chmod 700 /mnt/root/.ssh/
|
||||
cp /root/.ssh/authorized_keys /mnt/root/.ssh/
|
||||
chmd 600 /mnt/root/.ssh/authorized_keys
|
||||
cp /etc/ssh/*key* /mnt/etc/ssh/
|
||||
for i in /etc/ssh/*-cert.pub; do
|
||||
echo HostCertificate $i >> /mnt/etc/ssh/sshd_config
|
||||
done
|
||||
for i in /ssh/*.ca; do
|
||||
echo '@cert-authority *' $(cat $i) >> /mnt/etc/ssh/ssh_known_hosts
|
||||
done
|
||||
# Enable ~/.shosts, for the sake of root user, who is forbidden from using shosts.equiv
|
||||
echo IgnoreRhosts no >> /mnt/etc/ssh/sshd_config
|
||||
echo HostbasedAuthentication yes >> /mnt/etc/ssh/sshd_config
|
||||
echo HostbasedUsesNameFromPacketOnly yes >> /mnt/etc/ssh/sshd_config
|
||||
echo Host '*' >> /mnt/etc/ssh/ssh_config
|
||||
echo " HostbasedAuthentication yes" >> /mnt/etc/ssh/ssh_config
|
||||
echo " EnableSSHKeysign yes" >> /mnt/etc/ssh/ssh_config
|
||||
# Limit the attempts of using host key. This prevents client from using 3 or 4
|
||||
# authentication attempts through host based attempts
|
||||
echo " HostbasedKeyTypes *ed25519*" >> /mnt/etc/ssh/ssh_config
|
||||
# This is a good place to run most customizations that do not have any
|
||||
# dependency upon the install target kernel being active.
|
||||
|
||||
# In SUSE platform, setuid for ssh-keysign is required for host based,
|
||||
# and also must be opted into.
|
||||
echo /usr/lib/ssh/ssh-keysign root:root 4711 >> /mnt/etc/permissions.local
|
||||
chmod 4711 /mnt/usr/lib/ssh/ssh-keysign
|
||||
# If there are dependencies on the kernel (drivers or special filesystems)
|
||||
# then firstboot.sh would be the script to customize.
|
||||
|
||||
# Download list of nodes from confluent, and put it into shosts.equiv (for most users) and .shosts (for root)
|
||||
nodename=$(grep ^NODENAME /tmp/confluent.info|awk '{print $2}')
|
||||
curl -f -H "CONFLUENT_NODENAME: $nodename" -H "CONFLUENT_APIKEY: $(cat /tmp/confluent.apikey)" https://$mgr/confluent-api/self/nodelist > /tmp/allnodes
|
||||
cp /tmp/allnodes /mnt/root/.shosts
|
||||
cp /tmp/allnodes /mnt/etc/ssh/shosts.equiv
|
||||
mgr=$(grep ^deploy_server /etc/confluent/confluent.deploycfg|awk '{print $2}')
|
||||
profile=$(grep ^profile: /etc/confluent/confluent.deploycfg|sed -e 's/^profile: //')
|
||||
nodename=$(grep ^NODENAME /etc/confluent/confluent.info|awk '{print $2}')
|
||||
export mgr profile nodename
|
||||
. /etc/confluennt/functions
|
||||
|
||||
# carry over deployment configuration and api key for OS install action
|
||||
mkdir -p /mnt/etc/confluent
|
||||
chmod 700 /mnt/etc/confluent
|
||||
chmod 600 /tmp/confluent.*
|
||||
cp /tmp/confluent.* /mnt/etc/confluent/
|
||||
cp -a /tls /mnt/etc/confluent/
|
||||
cp -a /tls/* /mnt/var/lib/ca-certificates/openssl
|
||||
cp -a /tls/* /mnt/var/lib/ca-certificates/pem
|
||||
cp -a /tls/*.pem /mnt/etc/pki/trust/anchors
|
||||
# Customizations may go here
|
||||
|
||||
# Examples:
|
||||
# run_remote script.sh
|
||||
# run_remote_python script.py
|
||||
|
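Review bot: The new body sources `. /etc/confluennt/functions` (doubled `n`), a path nothing in this commit creates; the added prechroot.sh copies the file to `/mnt/etc/confluent/`, which is `/etc/confluent/functions` once chrooted. Depending on the shell, the failed `.` either aborts the script or leaves `run_remote` and `run_remote_python` undefined for the customizations below. The line should read `. /etc/confluent/functions`.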
@ -19,6 +19,7 @@ for i in /etc/ssh/ssh_host*key.pub; do
|
||||
echo HostCertificate $certname >> /etc/ssh/sshd_config
|
||||
done
|
||||
/usr/sbin/sshd
|
||||
curl -f https://$mgr/confluent-public/os/$profile/scripts/getinstalldisk > /tmp/getinstalldisk
|
||||
python3 /tmp/getinstalldisk
|
||||
curl -f https://$mgr/confluent-public/os/$profile/scripts/functions > /tmp/functions
|
||||
. /tmp/functions
|
||||
run_remote_python getinstalldisk
|
||||
sed -e s!%%INSTDISK%%!/dev/$(cat /tmp/installdisk)! -e s!%%NODENAME%%!$nodename! -e "s?%%ROOTPASSWORD%%?${rootpw}?" /tmp/profile/autoinst.xml > /tmp/profile/modified.xml
|
||||
|
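Review bot: `/tmp/functions` is fetched and sourced with no check on curl's exit status, so a failed download leaves an empty file and `run_remote_python` undefined. The `sed` below would then substitute a bare `/dev/` for `%%INSTDISK%%`, assuming getinstalldisk is what writes `/tmp/installdisk`. Stopping at the failed fetch is easier to diagnose than a malformed profile later, e.g. `curl -f https://$mgr/confluent-public/os/$profile/scripts/functions > /tmp/functions || exit 1`. The script continues above and below the hunk.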
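--- a/confluent_osdeploy/suse15/profiles/hpc/scripts/prechroot.sh
+++ b/confluent_osdeploy/suse15/profiles/hpc/scripts/prechroot.sh
@@ -0,0 +1,22 @@
+#!/bin/sh
+
+# This script runs when install is finished, but while the installer
+# is still running, with the to-be-booted system mounted in /mnt
+
+# carry over deployment configuration and api key for OS install action
+mgr=$(grep ^deploy_server /tmp/confluent.deploycfg|awk '{print $2}')
+profile=$(grep ^profile: /tmp/confluent.deploycfg|sed -e 's/^profile: //')
+nodename=$(grep ^NODENAME /tmp/confluent.info|awk '{print $2}')
+export mgr profile nodename
+mkdir -p /mnt/etc/confluent
+chmod 700 /mnt/etc/confluent
+chmod 600 /tmp/confluent.*
+cp /tmp/functions /mnt/etc/confluent/
+. /tmp/functions
+cp /tmp/confluent.* /mnt/etc/confluent/
+cp -a /tls /mnt/etc/confluent/
+cp -a /tls/* /mnt/var/lib/ca-certificates/openssl
+cp -a /tls/* /mnt/var/lib/ca-certificates/pem
+cp -a /tls/*.pem /mnt/etc/pki/trust/anchors
+
+run_remote setupssh.sh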
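Review bot: This script copies and sources `/tmp/functions` without fetching it, so it silently depends on an earlier step of the same installer session having downloaded the file; the hunk that adds `curl -f ... > /tmp/functions` appears to be that step. A header comment should state the dependency, e.g. `# Requires /tmp/functions, fetched earlier by the pre-install script`. It is also worth a comment that `mgr`, `profile` and `nodename` are exported because `setupssh.sh` runs as a separate process via `run_remote` and reads them from the environment.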
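--- a/confluent_osdeploy/suse15/profiles/hpc/scripts/setupssh.sh
+++ b/confluent_osdeploy/suse15/profiles/hpc/scripts/setupssh.sh
@@ -0,0 +1,34 @@
+#!/bin/bash
+# Carry over install-time ssh material into installed system
+mkdir -p /mnt/root/.ssh/
+chmod 700 /mnt/root/.ssh/
+cp /root/.ssh/authorized_keys /mnt/root/.ssh/
+chmd 600 /mnt/root/.ssh/authorized_keys
+cp /etc/ssh/*key* /mnt/etc/ssh/
+for i in /etc/ssh/*-cert.pub; do
+echo HostCertificate $i >> /mnt/etc/ssh/sshd_config
+done
+for i in /ssh/*.ca; do
+echo '@cert-authority *' $(cat $i) >> /mnt/etc/ssh/ssh_known_hosts
+done
+# Enable ~/.shosts, for the sake of root user, who is forbidden from using shosts.equiv
+echo IgnoreRhosts no >> /mnt/etc/ssh/sshd_config
+echo HostbasedAuthentication yes >> /mnt/etc/ssh/sshd_config
+echo HostbasedUsesNameFromPacketOnly yes >> /mnt/etc/ssh/sshd_config
+echo Host '*' >> /mnt/etc/ssh/ssh_config
+echo " HostbasedAuthentication yes" >> /mnt/etc/ssh/ssh_config
+echo " EnableSSHKeysign yes" >> /mnt/etc/ssh/ssh_config
+# Limit the attempts of using host key. This prevents client from using 3 or 4
+# authentication attempts through host based attempts
+echo " HostbasedKeyTypes *ed25519*" >> /mnt/etc/ssh/ssh_config
+
+# In SUSE platform, setuid for ssh-keysign is required for host based,
+# and also must be opted into.
+echo /usr/lib/ssh/ssh-keysign root:root 4711 >> /mnt/etc/permissions.local
+chmod 4711 /mnt/usr/lib/ssh/ssh-keysign
+
+# Download list of nodes from confluent, and put it into shosts.equiv (for most users) and .shosts (for root)
+curl -f -H "CONFLUENT_NODENAME: $nodename" -H "CONFLUENT_APIKEY: $(cat /tmp/confluent.apikey)" https://$mgr/confluent-api/self/nodelist > /tmp/allnodes
+cp /tmp/allnodes /mnt/root/.shosts
+cp /tmp/allnodes /mnt/etc/ssh/shosts.equiv
+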
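Review bot: `chmd 600 /mnt/root/.ssh/authorized_keys` misspells `chmod`, so the command fails as not found and the script carries on, leaving the file mode to whatever `cp` and the umask produced. It should be `chmod 600 /mnt/root/.ssh/authorized_keys`. The nodelist fetch has a similar gap: curl's status is not checked before `/tmp/allnodes` is copied into `.shosts` and `shosts.equiv`, which define host-based trust for the installed system. A guard such as `curl -f ... > /tmp/allnodes || exit 1` ahead of the two `cp` lines would keep a partial list from being installed.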