Update ssh known hosts and tftp

This is also required to get install going.
2024-11-22 09:32:21 +00:00 · 2020-05-22 15:03:56 -04:00 · 2020-05-22 15:03:56 -04:00 · 968400d72b
commit 968400d72b
parent 88436ff129
1 changed files with 29 additions and 0 deletions
--- a/confluent_server/bin/osimage
+++ b/confluent_server/bin/osimage
@ -28,7 +28,9 @@ def main(args):
    wiz = sp.add_parser('initialize', help='Do OS deployment preparation')
    wiz.add_argument('-u', help='Pull in root user key for node deployment', action='store_true')
    wiz.add_argument('-s', help='Set up SSH CA for managing node to node ssh and known hosts', action='store_true')
+    wiz.add_argument('-k', help='Update local global known hosts file with confluent CA', action='store_true')
    wiz.add_argument('-t', help='Generate new TLS key for HTTPS operation and register with confluent repository', action='store_true')
+    wiz.add_argument('-p', help='Copy in TFTP contents required for PXE support', action='store_true')
    wiz.add_argument('-i', help='Interactively prompt for behaviors', action='store_true')
    osip = sp.add_parser('import', help='Import an OS image from an ISO image')
    osip.add_argument('imagefile', help='File to use for source of importing')
@ -39,6 +41,16 @@ def main(args):
        return initialize(cmdset)
    ap.print_help()

+def install_tftp_content():
+    if os.path.isdir('/var/lib/tftpboot'):
+        try:
+            os.makedirs('/var/lib/tftpboot/confluent/x86_64')
+        except OSError as e:
+            if e.errno == 17:
+                raise
+        shutil.copy('/opt/confluent/lib/ipxe/ipxe.efi', '/var/lib/tftpboot/confluent/x86_64/ipxe.efi')
+        shutil.copy('/opt/confluent/lib/ipxe/ipxe.kkpxe', '/var/lib/tftpboot/confluent/x86_64/ipxe.kkpxe')
+
 def initialize(cmdset):
    if os.getuid() != 0:
        sys.stderr.write('This command must run as root user\n')
@ -50,6 +62,10 @@ def initialize(cmdset):
        cmdset.u = input().strip().lower().startswith('y')
        sys.stdout.write('Set up an SSH authority to help manage known_hosts and node to node ssh for all users (-s)? (y/n): ')
        cmdset.s = input().strip().lower().startswith('y')
+        sys.stdout.write('Update global known hosts on this server to trust local CA certificates (-k)? (y/n): ')
+        cmdset.k = input().strip().lower().startswith('y')
+        sys.stdout.write('Update tftp directory with binaries to support PXE (-p) (y/n): ')
+        cmdset.p = input().strip().lower().startswith('y')
        sys.stdout.write('Generate new TLS certificates for HTTP, replacing any existing certificate (-t)? (y/n): ')
        cmdset.t = input().strip().lower().startswith('y')
        if not cmdset.t:
@ -74,6 +90,7 @@ def initialize(cmdset):
    if cmdset.t:
        didsomething = True
        certutil.create_certificate()
+        print('New HTTPS certificates generated, restart the web server')
    if cmdset.s:
        didsomething = True
        sshutil.initialize_ca()
@ -111,6 +128,18 @@ def initialize(cmdset):
            sys.exit(1)
    os.chdir(opath)
    os.rename(tmpname, '/var/lib/confluent/public/site/initramfs.cpio')
+    if cmdset.k:
+        with open('/etc/ssh/ssh_known_hosts', 'a+b') as skh:
+            for cafile in glob.glob('/var/lib/confluent/public/site/ssh/*.ca'):
+                cacert = open(cafile, 'rb').read()
+                cacert = b'@cert-authority * ' + cacert
+                skh.write(cacert)
+    if cmdset.p:
+        install_tftp_content()
+    # ok, also need to think on how to handle getinstalldisk
+    if not os.path.exists('/etc/confluent/srvcert.pem'):
+        subprocess.check_call(['collective', 'gencert'])
+    

 def osimport(imagefile):
    c = client.Command()