Merge branch '3.4'

confluent_osdeploy/common/initramfs/opt/confluent/bin/apiclient

@@ -403,6 +403,8 @@ if __name__ == '__main__':
         errout = sys.argv.pop(errout)
     except ValueError:
         errout = None
+    if len(sys.argv) > 2 and os.path.exists(sys.argv[-1]):
+        data = open(sys.argv[-1]).read()
     if outbin:
         with open(outbin, 'ab+') as outf:
             reader = HTTPSClient(usejson=usejson, errout=errout).grab_url(
@@ -412,8 +414,6 @@ if __name__ == '__main__':
                 outf.write(chunk)
                 chunk = reader.read(16384)
         sys.exit(0)
-    if len(sys.argv) > 2 and os.path.exists(sys.argv[-1]):
-        data = open(sys.argv[-1]).read()
     if waitfor:
         client = HTTPSClient(usejson, errout=errout)
         status = 201

confluent_osdeploy/el7/initramfs/usr/lib/dracut/hooks/pre-pivot/01-confluent.sh

@@ -18,4 +18,5 @@ mkdir -p /sysroot/etc/ssh/
 for i in /ssh/*.ca; do
     echo '@cert-authority *' $(cat $i) >> /sysroot/etc/ssh/ssh_known_hosts
 done
-cp /opt/confluent/bin/apiclient /sysroot/etc/confluent
+mkdir -p /sysroot/opt/confluent/bin
+cp /opt/confluent/bin/apiclient /sysroot/opt/confluent/bin

confluent_osdeploy/el8/initramfs/usr/lib/dracut/hooks/pre-pivot/01-confluent.sh

@@ -19,4 +19,5 @@ mkdir -p /sysroot/etc/ssh/
 for i in /ssh/*.ca; do
     echo '@cert-authority *' $(cat $i) >> /sysroot/etc/ssh/ssh_known_hosts
 done
-cp /opt/confluent/bin/apiclient /sysroot/etc/confluent
+mkdir -p /sysroot/opt/confuent/bin
+cp /opt/confluent/bin/apiclient /sysroot/opt/confluent/bin

confluent_osdeploy/genesis/initramfs/opt/confluent/bin/rungenesis

@@ -155,8 +155,8 @@ done
 /usr/sbin/sshd
 confluent_profile=$(grep ^profile: /etc/confluent/confluent.deploycfg | awk '{print $2}')
 export confluent_profile
-/usr/libexec/platform-python /opt/confluent/bin/apiclient /confluent-public/os/$confluent_profile/scripts/functions > /tmp/functions
-. /tmp/functions
+/usr/libexec/platform-python /opt/confluent/bin/apiclient /confluent-public/os/$confluent_profile/scripts/functions > /etc/confluent/functions
+. /etc/confluent/functions
 set_confluent_vars
 export confluent_mgr
 echo "Running https://$confluent_mgr/confluent-public/os/$confluent_profile/scripts/onboot.sh"

confluent_osdeploy/genesis/profiles/default/scripts/onboot.sh

@@ -1,5 +1,5 @@
 #!/bin/sh
-. /tmp/functions
+. /etc/confluent/functions
 # This runs whenever this genesis profile boots for customization
 # purposes
 

confluent_osdeploy/suse15/profiles/hpc/scripts/prechroot.sh

@@ -18,7 +18,8 @@ cp -a /tls/* /mnt/var/lib/ca-certificates/openssl
 cp -a /tls/* /mnt/var/lib/ca-certificates/pem
 cp -a /tls/*.pem /mnt/etc/pki/trust/anchors
 cat /tls/*.pem > /mnt/etc/confluent/ca.pem
-cp /opt/confluent/bin/apiclient /mnt/etc/confluent
+mkdir -p /mnt/opt/confluent/bin
+cp /opt/confluent/bin/apiclient /opt/confluent/bin/
 
 run_remote setupssh.sh
 

confluent_osdeploy/ubuntu20.04/profiles/default/scripts/post.sh

@@ -49,8 +49,9 @@ fi
 mkdir -p /opt/confluent/bin
 mkdir -p /etc/confluent
 cp -a /target/etc/confluent/* /etc/confluent
+mkdir -p /target/opt/confluent/bin
 cp /custom-installation/confluent/bin/apiclient /opt/confluent/bin/
-cp /custom-installation/confluent/bin/apiclient /target/etc/confluent/
+cp /custom-installation/confluent/bin/apiclient /target/opt/confluent/bin
 
 mount -o bind /dev /target/dev
 mount -o bind /proc /target/proc

confluent_server/bin/osdeploy

@@ -297,9 +297,29 @@ def initialize(cmdset):
     if cmdset.l:
         local_node_trust_setup()
     if cmdset.k:
-        with open('/etc/ssh/ssh_known_hosts', 'a+b') as skh:
+        cas = set([])
+        cakeys = set([])
+        try:
+            with open('/etc/ssh/ssh_known_hosts', 'rb') as skh:
+                for line in skh.read().split(b'\n'):
+                    try:
+                        cakey = line.split()[3]
+                        cakeys.add(cakey)
+                    except IndexError:
+                        pass
+                    if line:
+                        cas.add(line)
+        except IOError:
+            pass
+        with open('/etc/ssh/ssh_known_hosts', 'wb') as skh:
+            for ca in cas:
+                skh.write(ca)
+                skh.write(b'\n')
             for cafile in glob.glob('/var/lib/confluent/public/site/ssh/*.ca'):
                 cacert = open(cafile, 'rb').read()
+                cakey = cacert.split()[1]
+                if cakey in cakeys:
+                    continue
                 cacert = b'@cert-authority * ' + cacert
                 skh.write(cacert)
     if cmdset.g:

misc/setupssh.sh

@@ -0,0 +1,32 @@
+[ -f /lib/confluent/functions ] && . /lib/confluent/functions
+[ -f /etc/confluent/functions ] && . /etc/confluent/functions
+[ -f /opt/confluent/bin/apiclient ] && confapiclient=/opt/confluent/bin/apiclient
+[ -f /etc/confluent/apiclient ] && confapiclient=/etc/confluent/apiclient
+nodename=$(grep ^NODENAME: /etc/confluent.info|awk '{print $NF}')
+for pubkey in /etc/ssh/ssh_host*key.pub; do
+    certfile=${pubkey/.pub/-cert.pub}
+    rm $certfile
+    confluentpython $confapiclient /confluent-api/self/sshcert $pubkey -o $certfile
+done
+TMPDIR=$(mktemp -d)
+cd $TMPDIR
+confluentpython $confapiclient /confluent-public/site/initramfs.tgz -o initramfs.tgz
+tar xf initramfs.tgz
+for ca in ssh/*.ca; do
+	LINE=$(cat $ca)
+	cp -af /etc/ssh/ssh_known_hosts /etc/ssh/ssh_known_hosts.new
+	grep -v "$LINE" /etc/ssh/ssh_known_hosts > /etc/ssh/ssh_known_hosts.new
+	echo '@cert-authority *' $LINE >> /etc/ssh/ssh_known_hosts.new
+	mv /etc/ssh/ssh_known_hosts.new /etc/ssh/ssh_known_hosts
+done
+for pubkey in ssh/*.*pubkey; do
+	LINE=$(cat $pubkey)
+	cp -af /root/.ssh/authorized_keys /root/.ssh/authorized_keys.new
+	grep -v "$LINE" /root/.ssh/authorized_keys > /root/.ssh/authorized_keys.new
+	echo "$LINE" >> /root/.ssh/authorized_keys.new
+	mv /root/.ssh/authorized_keys.new /root/.ssh/authorized_keys
+done
+confluentpython $confapiclient /confluent-api/self/nodelist | sed -e 's/^- //' > /etc/ssh/shosts.equiv
+cat /etc/ssh/shosts.equiv > /root/.shosts
+cd -
+rm -rf $TMPDIR