diff --git a/confluent_osdeploy/common/initramfs/opt/confluent/bin/apiclient b/confluent_osdeploy/common/initramfs/opt/confluent/bin/apiclient index a22f9efd..579c9f86 100644 --- a/confluent_osdeploy/common/initramfs/opt/confluent/bin/apiclient +++ b/confluent_osdeploy/common/initramfs/opt/confluent/bin/apiclient @@ -403,6 +403,8 @@ if __name__ == '__main__': errout = sys.argv.pop(errout) except ValueError: errout = None + if len(sys.argv) > 2 and os.path.exists(sys.argv[-1]): + data = open(sys.argv[-1]).read() if outbin: with open(outbin, 'ab+') as outf: reader = HTTPSClient(usejson=usejson, errout=errout).grab_url( @@ -412,8 +414,6 @@ if __name__ == '__main__': outf.write(chunk) chunk = reader.read(16384) sys.exit(0) - if len(sys.argv) > 2 and os.path.exists(sys.argv[-1]): - data = open(sys.argv[-1]).read() if waitfor: client = HTTPSClient(usejson, errout=errout) status = 201 diff --git a/confluent_osdeploy/el7/initramfs/usr/lib/dracut/hooks/pre-pivot/01-confluent.sh b/confluent_osdeploy/el7/initramfs/usr/lib/dracut/hooks/pre-pivot/01-confluent.sh index 3b3e98da..d970f61c 100644 --- a/confluent_osdeploy/el7/initramfs/usr/lib/dracut/hooks/pre-pivot/01-confluent.sh +++ b/confluent_osdeploy/el7/initramfs/usr/lib/dracut/hooks/pre-pivot/01-confluent.sh @@ -18,4 +18,5 @@ mkdir -p /sysroot/etc/ssh/ for i in /ssh/*.ca; do echo '@cert-authority *' $(cat $i) >> /sysroot/etc/ssh/ssh_known_hosts done -cp /opt/confluent/bin/apiclient /sysroot/etc/confluent +mkdir -p /sysroot/opt/confluent/bin +cp /opt/confluent/bin/apiclient /sysroot/opt/confluent/bin diff --git a/confluent_osdeploy/el8/initramfs/usr/lib/dracut/hooks/pre-pivot/01-confluent.sh b/confluent_osdeploy/el8/initramfs/usr/lib/dracut/hooks/pre-pivot/01-confluent.sh index e62eb313..69a21e6f 100644 --- a/confluent_osdeploy/el8/initramfs/usr/lib/dracut/hooks/pre-pivot/01-confluent.sh +++ b/confluent_osdeploy/el8/initramfs/usr/lib/dracut/hooks/pre-pivot/01-confluent.sh 
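Review bot: `data = open(sys.argv[-1]).read()` in the first apiclient hunk opens the request-body file without a context manager and in text mode, so the handle is left to the garbage collector and the content is decoded with the locale encoding; `with open(sys.argv[-1], 'rb') as inf: data = inf.read()` is the usual form, though whether `data` must remain `str` depends on how HTTPSClient consumes it further down in `__main__`, outside this hunk. Hoisting the read above the `outbin` branch presumably exists so that `-o` requests can carry a body, as setupssh.sh in this commit does for `/confluent-api/self/sshcert`; a one-line comment, `# body file must be read before the -o branch, which exits early`, would keep a later tidy-up from moving it back. The `__main__` block starts before and continues after both hunks.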
@@ -19,4 +19,5 @@ mkdir -p /sysroot/etc/ssh/ for i in /ssh/*.ca; do echo '@cert-authority *' $(cat $i) >> /sysroot/etc/ssh/ssh_known_hosts done -cp /opt/confluent/bin/apiclient /sysroot/etc/confluent +mkdir -p /sysroot/opt/confuent/bin +cp /opt/confluent/bin/apiclient /sysroot/opt/confluent/bin diff --git a/confluent_osdeploy/genesis/initramfs/opt/confluent/bin/rungenesis b/confluent_osdeploy/genesis/initramfs/opt/confluent/bin/rungenesis index d626e870..2e888928 100644 --- a/confluent_osdeploy/genesis/initramfs/opt/confluent/bin/rungenesis +++ b/confluent_osdeploy/genesis/initramfs/opt/confluent/bin/rungenesis @@ -155,8 +155,8 @@ done /usr/sbin/sshd confluent_profile=$(grep ^profile: /etc/confluent/confluent.deploycfg | awk '{print $2}') export confluent_profile -/usr/libexec/platform-python /opt/confluent/bin/apiclient /confluent-public/os/$confluent_profile/scripts/functions > /tmp/functions -. /tmp/functions +/usr/libexec/platform-python /opt/confluent/bin/apiclient /confluent-public/os/$confluent_profile/scripts/functions > /etc/confluent/functions +. /etc/confluent/functions set_confluent_vars export confluent_mgr echo "Running https://$confluent_mgr/confluent-public/os/$confluent_profile/scripts/onboot.sh" diff --git a/confluent_osdeploy/genesis/profiles/default/scripts/onboot.sh b/confluent_osdeploy/genesis/profiles/default/scripts/onboot.sh index a05957d4..65347eab 100644 --- a/confluent_osdeploy/genesis/profiles/default/scripts/onboot.sh +++ b/confluent_osdeploy/genesis/profiles/default/scripts/onboot.sh @@ -1,5 +1,5 @@ #!/bin/sh -. /tmp/functions +. /etc/confluent/functions # This runs whenever this genesis profile boots for customization # purposes diff --git a/confluent_osdeploy/suse15/profiles/hpc/scripts/prechroot.sh b/confluent_osdeploy/suse15/profiles/hpc/scripts/prechroot.sh index 7a3b0b63..f85b044d 100644 --- a/confluent_osdeploy/suse15/profiles/hpc/scripts/prechroot.sh +++ b/confluent_osdeploy/suse15/profiles/hpc/scripts/prechroot.sh 
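Review bot: `mkdir -p /sysroot/opt/confuent/bin` misspells the directory (`confuent`), so the directory the following `cp` targets, `/sysroot/opt/confluent/bin`, is never created; depending on whether `/sysroot/opt/confluent` already exists, the copy either fails or lands in a regular file named `bin`. The el7 hook in this commit spells it correctly, and this one should read `mkdir -p /sysroot/opt/confluent/bin`. Without the fix the installed el8 system has no apiclient at the path setupssh.sh looks for first.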
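Review bot: `> /etc/confluent/functions` captures apiclient's output without checking its exit status, so a failed or partial fetch is still sourced by the following `. /etc/confluent/functions` and the error surfaces later at `set_confluent_vars`, away from its cause. Guarding the fetch, for example `... > /etc/confluent/functions || { echo 'fetch of functions failed' >&2; exit 1; }`, keeps the failure visible at its origin; whether `exit` or a retry is the right recovery depends on how the rest of rungenesis, outside this hunk, handles network failures.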
@@ -18,7 +18,8 @@ cp -a /tls/* /mnt/var/lib/ca-certificates/openssl cp -a /tls/* /mnt/var/lib/ca-certificates/pem cp -a /tls/*.pem /mnt/etc/pki/trust/anchors cat /tls/*.pem > /mnt/etc/confluent/ca.pem -cp /opt/confluent/bin/apiclient /mnt/etc/confluent +mkdir -p /mnt/opt/confluent/bin +cp /opt/confluent/bin/apiclient /opt/confluent/bin/ run_remote setupssh.sh diff --git a/confluent_osdeploy/ubuntu20.04/profiles/default/scripts/post.sh b/confluent_osdeploy/ubuntu20.04/profiles/default/scripts/post.sh index 4b6d8934..6c99735c 100755 --- a/confluent_osdeploy/ubuntu20.04/profiles/default/scripts/post.sh +++ b/confluent_osdeploy/ubuntu20.04/profiles/default/scripts/post.sh @@ -49,8 +49,9 @@ fi mkdir -p /opt/confluent/bin mkdir -p /etc/confluent cp -a /target/etc/confluent/* /etc/confluent +mkdir -p /target/opt/confluent/bin cp /custom-installation/confluent/bin/apiclient /opt/confluent/bin/ -cp /custom-installation/confluent/bin/apiclient /target/etc/confluent/ +cp /custom-installation/confluent/bin/apiclient /target/opt/confluent/bin mount -o bind /dev /target/dev mount -o bind /proc /target/proc diff --git a/confluent_server/bin/osdeploy b/confluent_server/bin/osdeploy index 44a46b29..013063eb 100644 --- a/confluent_server/bin/osdeploy +++ b/confluent_server/bin/osdeploy 
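Review bot: The new `cp /opt/confluent/bin/apiclient /opt/confluent/bin/` copies the file onto its own directory, so cp reports that source and destination are the same file and the `/mnt/opt/confluent/bin` directory created on the line above stays empty; the installed suse15 system then has no apiclient where setupssh.sh and the other profiles in this commit expect it. The destination should be the target tree: `cp /opt/confluent/bin/apiclient /mnt/opt/confluent/bin/`.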
@@ -297,9 +297,29 @@ def initialize(cmdset): if cmdset.l: local_node_trust_setup() if cmdset.k: - with open('/etc/ssh/ssh_known_hosts', 'a+b') as skh: + cas = set([]) + cakeys = set([]) + try: + with open('/etc/ssh/ssh_known_hosts', 'rb') as skh: + for line in skh.read().split(b'\n'): + try: + cakey = line.split()[3] + cakeys.add(cakey) + except IndexError: + pass + if line: + cas.add(line) + except IOError: + pass + with open('/etc/ssh/ssh_known_hosts', 'wb') as skh: + for ca in cas: + skh.write(ca) + skh.write(b'\n') for cafile in glob.glob('/var/lib/confluent/public/site/ssh/*.ca'): cacert = open(cafile, 'rb').read() + cakey = cacert.split()[1] + if cakey in cakeys: + continue cacert = b'@cert-authority * ' + cacert skh.write(cacert) if cmdset.g: diff --git a/misc/setupssh.sh b/misc/setupssh.sh new file mode 100644 index 00000000..7ac31040 --- /dev/null +++ b/misc/setupssh.sh 
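Review bot: The rewrite of `/etc/ssh/ssh_known_hosts` opens it with `'wb'`, so every existing entry is truncated before any is written back; an exception between the read and the write (the unguarded `cacert.split()[1]` raises IndexError on an empty or malformed `.ca` file) or a concurrent sshd lookup leaves the node with an empty known-hosts file. Rebuilding the entries through `set([])` also discards the original line order and silently drops duplicate lines, which is presumably harmless but is a visible change to a file administrators edit by hand. Writing the new content to a sibling temporary file and renaming it over the original keeps the switch atomic; the version below also guards both index lookups, keeps insertion order and records newly added CA keys so two `.ca` files with the same key are not both appended. `os.rename` needs `os` in scope, so add the import if osdeploy does not already have it, and the temporary file should be given the original file's mode before the rename. `initialize` begins before this hunk and continues after it.
```python
    if cmdset.k:
        cas = []          # existing entries, original order kept
        seen = set()
        cakeys = set()
        try:
            with open('/etc/ssh/ssh_known_hosts', 'rb') as skh:
                for line in skh.read().split(b'\n'):
                    if not line or line in seen:
                        continue
                    seen.add(line)
                    cas.append(line)
                    fields = line.split()
                    if len(fields) > 3:
                        cakeys.add(fields[3])
        except IOError:
            pass
        for cafile in glob.glob('/var/lib/confluent/public/site/ssh/*.ca'):
            with open(cafile, 'rb') as caf:
                cacert = caf.read().rstrip()
            fields = cacert.split()
            if len(fields) < 2 or fields[1] in cakeys:
                continue
            cakeys.add(fields[1])
            cas.append(b'@cert-authority * ' + cacert)
        # write beside the target and rename, so readers never see a truncated file
        tmpname = '/etc/ssh/ssh_known_hosts.tmp'
        with open(tmpname, 'wb') as skh:
            skh.write(b'\n'.join(cas) + b'\n')
        os.rename(tmpname, '/etc/ssh/ssh_known_hosts')
    # … unchanged: if cmdset.g: …
```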
@@ -0,0 +1,32 @@
+[ -f /lib/confluent/functions ] && . /lib/confluent/functions
+[ -f /etc/confluent/functions ] && . /etc/confluent/functions
+[ -f /opt/confluent/bin/apiclient ] && confapiclient=/opt/confluent/bin/apiclient
+[ -f /etc/confluent/apiclient ] && confapiclient=/etc/confluent/apiclient
+nodename=$(grep ^NODENAME: /etc/confluent.info|awk '{print $NF}')
+for pubkey in /etc/ssh/ssh_host*key.pub; do
+ certfile=${pubkey/.pub/-cert.pub}
+ rm $certfile
+ confluentpython $confapiclient /confluent-api/self/sshcert $pubkey -o $certfile
+done
+TMPDIR=$(mktemp -d)
+cd $TMPDIR
+confluentpython $confapiclient /confluent-public/site/initramfs.tgz -o initramfs.tgz
+tar xf initramfs.tgz
+for ca in ssh/*.ca; do
+ LINE=$(cat $ca)
+ cp -af /etc/ssh/ssh_known_hosts /etc/ssh/ssh_known_hosts.new
+ grep -v "$LINE" /etc/ssh/ssh_known_hosts > /etc/ssh/ssh_known_hosts.new
+ echo '@cert-authority *' $LINE >> /etc/ssh/ssh_known_hosts.new
+ mv /etc/ssh/ssh_known_hosts.new /etc/ssh/ssh_known_hosts
+done
+for pubkey in ssh/*.*pubkey; do
+ LINE=$(cat $pubkey)
+ cp -af /root/.ssh/authorized_keys /root/.ssh/authorized_keys.new
+ grep -v "$LINE" /root/.ssh/authorized_keys > /root/.ssh/authorized_keys.new
+ echo "$LINE" >> /root/.ssh/authorized_keys.new
+ mv /root/.ssh/authorized_keys.new /root/.ssh/authorized_keys
+done
+confluentpython $confapiclient /confluent-api/self/nodelist | sed -e 's/^- //' > /etc/ssh/shosts.equiv
+cat /etc/ssh/shosts.equiv > /root/.shosts
+cd -
+rm -rf $TMPDIR
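Review bot: Both edit loops can empty the file they maintain: when nothing matches, `ssh/*.*pubkey` (and `ssh/*.ca`) stays a literal pattern, `cat` fails, `LINE` is empty, and `grep -v ""` writes an empty `.new` that `mv` then installs over `/root/.ssh/authorized_keys` or `/etc/ssh/ssh_known_hosts`, locking administrators out of the node. `grep -v "$LINE"` also treats the key blob as a basic regular expression; `-F` compares it literally. The guarded form of the known-hosts loop is below, and the authorized_keys loop needs the same two guards. `${pubkey/.pub/-cert.pub}` is a bash extension and the file has no shebang, so under dash the host-certificate loop aborts with a bad-substitution error; `certfile=${pubkey%.pub}-cert.pub` is the POSIX form. `rm $certfile` removes the existing host certificate before the replacement is fetched, so a failed fetch leaves the host without one; fetching to a temporary name and moving it into place would avoid that.
```sh
for ca in ssh/*.ca; do
    [ -f "$ca" ] || continue          # unmatched glob stays a literal pattern
    LINE=$(cat "$ca")
    [ -n "$LINE" ] || continue        # grep -v "" would empty the file
    cp -af /etc/ssh/ssh_known_hosts /etc/ssh/ssh_known_hosts.new
    grep -vF "$LINE" /etc/ssh/ssh_known_hosts > /etc/ssh/ssh_known_hosts.new
    echo '@cert-authority *' "$LINE" >> /etc/ssh/ssh_known_hosts.new
    mv /etc/ssh/ssh_known_hosts.new /etc/ssh/ssh_known_hosts
done
# … unchanged: authorized_keys loop, with the same -f/-n guards and grep -vF …
```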