From 687136131e1f871dda7aa9abf09962426c3c62d3 Mon Sep 17 00:00:00 2001
From: Jarrod Johnson
Date: Wed, 2 Mar 2022 08:40:27 -0500
Subject: [PATCH 1/6] Place Confluent CA certs into TLS anchors
When processes may update the certificate authorities, the confluent CA trust would be lost. Place it appropriately so that update-ca-trust will keep it in the appropriate place.
---
 confluent_osdeploy/el8/profiles/default/kickstart | 1 +
 1 file changed, 1 insertion(+)
diff --git a/confluent_osdeploy/el8/profiles/default/kickstart b/confluent_osdeploy/el8/profiles/default/kickstart
index a7742e10..9352ed88 100644
--- a/confluent_osdeploy/el8/profiles/default/kickstart
+++ b/confluent_osdeploy/el8/profiles/default/kickstart
@@ -94,6 +94,7 @@ chmod +x /mnt/sysimage/opt/confluent/bin/firstboot.sh
 %post
 cat /etc/confluent/tls/*.pem >> /etc/pki/tls/certs/ca-bundle.crt
+cp /etc/confluent/tls/*.pem /etc/pki/ca-trust/source/anchors
 systemctl enable firstboot
 chgrp ssh_keys /etc/ssh/ssh*key
 restorecon /etc/ssh/ssh*key /root/.shosts /etc/ssh/shosts.equiv /etc/ssh/ssh_config.d/* /opt/confluent/bin/firstboot.sh
From 15e7e4464e94bdd248bc9320d99b1de6d4bc4cf2 Mon Sep 17 00:00:00 2001
From: Jarrod Johnson
Date: Wed, 2 Mar 2022 16:04:01 -0500
Subject: [PATCH 2/6] Keep known_hosts cleaner
When repeating osdeploy initialize of local known_hosts, more gracefeully avoid duplicate entries.
---
 confluent_server/bin/osdeploy | 22 +++++++++++++++++++++-
 1 file changed, 21 insertions(+), 1 deletion(-)
diff --git a/confluent_server/bin/osdeploy b/confluent_server/bin/osdeploy
index 44a46b29..013063eb 100644
--- a/confluent_server/bin/osdeploy
+++ b/confluent_server/bin/osdeploy
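Review bot: The added `cp` places the PEMs under the anchors directory but nothing in this %post runs `update-ca-trust`, so the anchors are not extracted into the consolidated bundles until some later package or admin action regenerates them; the `cat >> ca-bundle.crt` line above keeps trust working in the interim, but the same certificates now arrive by two routes and the appended copy is discarded on the first regeneration. Add `update-ca-trust` after the copy, and once the anchors route is confirmed to work, drop the manual append so there is a single source of truth. Both lines also rely on the glob matching at least one file; an empty `/etc/confluent/tls` makes `cp` fail with a literal `*.pem` argument. The %post section continues past the end of the hunk.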
@@ -297,9 +297,29 @@ def initialize(cmdset):
 if cmdset.l:
 local_node_trust_setup()
 if cmdset.k:
- with open('/etc/ssh/ssh_known_hosts', 'a+b') as skh:
+ cas = set([])
+ cakeys = set([])
+ try:
+ with open('/etc/ssh/ssh_known_hosts', 'rb') as skh:
+ for line in skh.read().split(b'\n'):
+ try:
+ cakey = line.split()[3]
+ cakeys.add(cakey)
+ except IndexError:
+ pass
+ if line:
+ cas.add(line)
+ except IOError:
+ pass
+ with open('/etc/ssh/ssh_known_hosts', 'wb') as skh:
+ for ca in cas:
+ skh.write(ca)
+ skh.write(b'\n')
 for cafile in glob.glob('/var/lib/confluent/public/site/ssh/*.ca'):
 cacert = open(cafile, 'rb').read()
+ cakey = cacert.split()[1]
+ if cakey in cakeys:
+ continue
 cacert = b'@cert-authority * ' + cacert
 skh.write(cacert)
 if cmdset.g:
From 003196bc9e2057c444d73a36d2877298eb896867 Mon Sep 17 00:00:00 2001
From: Jarrod Johnson
Date: Thu, 3 Mar 2022 08:25:04 -0500
Subject: [PATCH 3/6] Allow -o with data file
This makes things like ssh key signing easier.
---
 .../common/initramfs/opt/confluent/bin/apiclient | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/confluent_osdeploy/common/initramfs/opt/confluent/bin/apiclient b/confluent_osdeploy/common/initramfs/opt/confluent/bin/apiclient
index a22f9efd..579c9f86 100644
--- a/confluent_osdeploy/common/initramfs/opt/confluent/bin/apiclient
+++ b/confluent_osdeploy/common/initramfs/opt/confluent/bin/apiclient
@@ -403,6 +403,8 @@ if __name__ == '__main__':
 errout = sys.argv.pop(errout)
 except ValueError:
 errout = None
+ if len(sys.argv) > 2 and os.path.exists(sys.argv[-1]):
+ data = open(sys.argv[-1]).read()
 if outbin:
 with open(outbin, 'ab+') as outf:
 reader = HTTPSClient(usejson=usejson, errout=errout).grab_url(
@@ -412,8 +414,6 @@ if __name__ == '__main__':
 outf.write(chunk)
 chunk = reader.read(16384)
 sys.exit(0)
- if len(sys.argv) > 2 and os.path.exists(sys.argv[-1]):
- data = open(sys.argv[-1]).read()
 if waitfor:
 client = HTTPSClient(usejson, errout=errout)
 status = 201
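Review bot: Opening `/etc/ssh/ssh_known_hosts` with `'wb'` truncates the live file before anything is written back, so any exception between that point and the last `skh.write` — for instance the new `cacert.split()[1]`, which raises IndexError on an empty or malformed `.ca` file — leaves the host with an empty system known_hosts; writing to a sibling temp file and renaming it over the original keeps the old content until the new one is complete. The dedup scan `line.split()[3]` takes field 3 of every line, which on a plain `host keytype key comment` entry is the comment rather than a key, so `cakeys` can hold stray tokens (harmless for the comparison, but a `line.startswith(b'@cert-authority')` filter or a comment would make the intent clear), and iterating the `cas` set reorders the surviving entries. `open(cafile, 'rb').read()` is never closed. The hunk lies inside `initialize`, which begins and ends outside it; the rewrite below assumes `os` is imported at module level and that the file's mode matches the umask default.
```python
if cmdset.k:
    # … unchanged: gather existing lines into cas / cakeys …
    newpath = '/etc/ssh/ssh_known_hosts.new'
    with open(newpath, 'wb') as skh:
        for ca in cas:
            skh.write(ca)
            skh.write(b'\n')
        for cafile in glob.glob('/var/lib/confluent/public/site/ssh/*.ca'):
            with open(cafile, 'rb') as caf:
                cacert = caf.read()
            fields = cacert.split()
            if len(fields) < 2 or fields[1] in cakeys:
                continue
            skh.write(b'@cert-authority * ' + cacert)
    os.rename(newpath, '/etc/ssh/ssh_known_hosts')
```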
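Review bot: `data` is now read before the `-o` branch, but whether the `grab_url(` call on the hunk's last line actually forwards it is not visible here — its argument list continues outside the hunk — so confirm that, since otherwise the moved line is dead for the `-o` path the commit is meant to enable. The handle from `open(sys.argv[-1]).read()` is also never closed; `with open(sys.argv[-1]) as datf: data = datf.read()` keeps the same text-mode result without the leak. The enclosing `if __name__ == '__main__':` block starts before the hunk.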
From 76fdf59122af53da59b6692e59c2a805860fbd0b Mon Sep 17 00:00:00 2001
From: Jarrod Johnson
Date: Thu, 3 Mar 2022 08:34:57 -0500
Subject: [PATCH 4/6] Change genesis functions location
Put it in a place consistent with more normal use.
---
 .../genesis/initramfs/opt/confluent/bin/rungenesis | 4 ++--
 confluent_osdeploy/genesis/profiles/default/scripts/onboot.sh | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/confluent_osdeploy/genesis/initramfs/opt/confluent/bin/rungenesis b/confluent_osdeploy/genesis/initramfs/opt/confluent/bin/rungenesis
index d626e870..2e888928 100644
--- a/confluent_osdeploy/genesis/initramfs/opt/confluent/bin/rungenesis
+++ b/confluent_osdeploy/genesis/initramfs/opt/confluent/bin/rungenesis
@@ -155,8 +155,8 @@ done
 /usr/sbin/sshd
 confluent_profile=$(grep ^profile: /etc/confluent/confluent.deploycfg | awk '{print $2}')
 export confluent_profile
-/usr/libexec/platform-python /opt/confluent/bin/apiclient /confluent-public/os/$confluent_profile/scripts/functions > /tmp/functions
-. /tmp/functions
+/usr/libexec/platform-python /opt/confluent/bin/apiclient /confluent-public/os/$confluent_profile/scripts/functions > /etc/confluent/functions
+. /etc/confluent/functions
 set_confluent_vars
 export confluent_mgr
 echo "Running https://$confluent_mgr/confluent-public/os/$confluent_profile/scripts/onboot.sh"
diff --git a/confluent_osdeploy/genesis/profiles/default/scripts/onboot.sh b/confluent_osdeploy/genesis/profiles/default/scripts/onboot.sh
index a05957d4..65347eab 100644
--- a/confluent_osdeploy/genesis/profiles/default/scripts/onboot.sh
+++ b/confluent_osdeploy/genesis/profiles/default/scripts/onboot.sh
@@ -1,5 +1,5 @@
 #!/bin/sh
-. /tmp/functions
+. /etc/confluent/functions
 # This runs whenever this genesis profile boots for customization
 # purposes
From 5fb766e62b483e54b70d65f26112dbcc0ee8939b Mon Sep 17 00:00:00 2001
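Review bot: The fetched functions file is sourced regardless of what `apiclient` returned: the `>` redirect creates `/etc/confluent/functions` even when the download fails, and the following `.` then silently sources an empty or partial file, leaving `set_confluent_vars` on the next line undefined. Guard it, e.g. `... > /etc/confluent/functions || { echo 'failed to fetch functions' >&2; exit 1; }`, assuming apiclient exits non-zero on failure (not visible in this hunk). The onboot.sh hunk in this commit has the same unconditional `.`, while patch 6 guards its sourcing with `[ -f ... ] &&`; the two conventions should be reconciled.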
From: Jarrod Johnson
Date: Thu, 3 Mar 2022 11:11:29 -0500
Subject: [PATCH 5/6] Move apiclient consistently to /opt/confluent/bin
It's more reasonable to have it in a bin directory
---
 .../initramfs/usr/lib/dracut/hooks/pre-pivot/01-confluent.sh | 3 ++-
 .../initramfs/usr/lib/dracut/hooks/pre-pivot/01-confluent.sh | 3 ++-
 confluent_osdeploy/suse15/profiles/hpc/scripts/prechroot.sh | 3 ++-
 .../ubuntu20.04/profiles/default/scripts/post.sh | 3 ++-
 4 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/confluent_osdeploy/el7/initramfs/usr/lib/dracut/hooks/pre-pivot/01-confluent.sh b/confluent_osdeploy/el7/initramfs/usr/lib/dracut/hooks/pre-pivot/01-confluent.sh
index 3b3e98da..d970f61c 100644
--- a/confluent_osdeploy/el7/initramfs/usr/lib/dracut/hooks/pre-pivot/01-confluent.sh
+++ b/confluent_osdeploy/el7/initramfs/usr/lib/dracut/hooks/pre-pivot/01-confluent.sh
@@ -18,4 +18,5 @@ mkdir -p /sysroot/etc/ssh/
 for i in /ssh/*.ca; do
 echo '@cert-authority *' $(cat $i) >> /sysroot/etc/ssh/ssh_known_hosts
 done
-cp /opt/confluent/bin/apiclient /sysroot/etc/confluent
+mkdir -p /sysroot/opt/confluent/bin
+cp /opt/confluent/bin/apiclient /sysroot/opt/confluent/bin
diff --git a/confluent_osdeploy/el8/initramfs/usr/lib/dracut/hooks/pre-pivot/01-confluent.sh b/confluent_osdeploy/el8/initramfs/usr/lib/dracut/hooks/pre-pivot/01-confluent.sh
index e62eb313..69a21e6f 100644
--- a/confluent_osdeploy/el8/initramfs/usr/lib/dracut/hooks/pre-pivot/01-confluent.sh
+++ b/confluent_osdeploy/el8/initramfs/usr/lib/dracut/hooks/pre-pivot/01-confluent.sh
@@ -19,4 +19,5 @@ mkdir -p /sysroot/etc/ssh/
 for i in /ssh/*.ca; do
 echo '@cert-authority *' $(cat $i) >> /sysroot/etc/ssh/ssh_known_hosts
 done
-cp /opt/confluent/bin/apiclient /sysroot/etc/confluent
+mkdir -p /sysroot/opt/confuent/bin
+cp /opt/confluent/bin/apiclient /sysroot/opt/confluent/bin
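Review bot: In the el8 hook, `mkdir -p /sysroot/opt/confuent/bin` is misspelled ("confuent"), so the directory the next `cp` targets is never created; the copy then fails, or, if `/sysroot/opt/confluent` already exists for another reason, silently produces a regular file named `bin` instead of a directory. It should read `mkdir -p /sysroot/opt/confluent/bin`, matching the el7 hunk above. Neither hook checks `cp`'s exit status; a trailing `|| echo 'apiclient copy failed' >&2` would at least surface the problem in the dracut log.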
diff --git a/confluent_osdeploy/suse15/profiles/hpc/scripts/prechroot.sh b/confluent_osdeploy/suse15/profiles/hpc/scripts/prechroot.sh
index 7a3b0b63..f85b044d 100644
--- a/confluent_osdeploy/suse15/profiles/hpc/scripts/prechroot.sh
+++ b/confluent_osdeploy/suse15/profiles/hpc/scripts/prechroot.sh
@@ -18,7 +18,8 @@ cp -a /tls/* /mnt/var/lib/ca-certificates/openssl
 cp -a /tls/* /mnt/var/lib/ca-certificates/pem
 cp -a /tls/*.pem /mnt/etc/pki/trust/anchors
 cat /tls/*.pem > /mnt/etc/confluent/ca.pem
-cp /opt/confluent/bin/apiclient /mnt/etc/confluent
+mkdir -p /mnt/opt/confluent/bin
+cp /opt/confluent/bin/apiclient /opt/confluent/bin/
 run_remote setupssh.sh
diff --git a/confluent_osdeploy/ubuntu20.04/profiles/default/scripts/post.sh b/confluent_osdeploy/ubuntu20.04/profiles/default/scripts/post.sh
index 4b6d8934..6c99735c 100755
--- a/confluent_osdeploy/ubuntu20.04/profiles/default/scripts/post.sh
+++ b/confluent_osdeploy/ubuntu20.04/profiles/default/scripts/post.sh
@@ -49,8 +49,9 @@ fi
 mkdir -p /opt/confluent/bin
 mkdir -p /etc/confluent
 cp -a /target/etc/confluent/* /etc/confluent
+mkdir -p /target/opt/confluent/bin
 cp /custom-installation/confluent/bin/apiclient /opt/confluent/bin/
-cp /custom-installation/confluent/bin/apiclient /target/etc/confluent/
+cp /custom-installation/confluent/bin/apiclient /target/opt/confluent/bin
 mount -o bind /dev /target/dev
 mount -o bind /proc /target/proc
From ecd114ca5a79473e38e303dcaea9ba3f27862b0b Mon Sep 17 00:00:00 2001
From: Jarrod Johnson
Date: Thu, 3 Mar 2022 12:34:37 -0500
Subject: [PATCH 6/6] Add script for setting up ssh
A frequent scenario is to 'refresh' ssh configuration toward the end of: -changing trust nodes -Adding a collective member -Repairing a broken configuration -As part of 'confluent-ifying' a node that wasn't confluent deployed
---
 misc/setupssh.sh | 32 ++++++++++++++++++++++++++++++++
 1 file changed, 32 insertions(+)
 create mode 100644 misc/setupssh.sh
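Review bot: In prechroot.sh the new copy `cp /opt/confluent/bin/apiclient /opt/confluent/bin/` targets the source's own directory rather than the installed root that the preceding `mkdir -p /mnt/opt/confluent/bin` just prepared, so the target system never receives apiclient and cp only complains that source and destination are the same file. It should be `cp /opt/confluent/bin/apiclient /mnt/opt/confluent/bin/`, consistent with every other destination in this hunk being under `/mnt`. The ubuntu post.sh hunk below gets the equivalent `/target/...` path right.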
diff --git a/misc/setupssh.sh b/misc/setupssh.sh
new file mode 100644
index 00000000..7ac31040
--- /dev/null
+++ b/misc/setupssh.sh
@@ -0,0 +1,32 @@
+[ -f /lib/confluent/functions ] && . /lib/confluent/functions
+[ -f /etc/confluent/functions ] && . /etc/confluent/functions
+[ -f /opt/confluent/bin/apiclient ] && confapiclient=/opt/confluent/bin/apiclient
+[ -f /etc/confluent/apiclient ] && confapiclient=/etc/confluent/apiclient
+nodename=$(grep ^NODENAME: /etc/confluent.info|awk '{print $NF}')
+for pubkey in /etc/ssh/ssh_host*key.pub; do
+ certfile=${pubkey/.pub/-cert.pub}
+ rm $certfile
+ confluentpython $confapiclient /confluent-api/self/sshcert $pubkey -o $certfile
+done
+TMPDIR=$(mktemp -d)
+cd $TMPDIR
+confluentpython $confapiclient /confluent-public/site/initramfs.tgz -o initramfs.tgz
+tar xf initramfs.tgz
+for ca in ssh/*.ca; do
+ LINE=$(cat $ca)
+ cp -af /etc/ssh/ssh_known_hosts /etc/ssh/ssh_known_hosts.new
+ grep -v "$LINE" /etc/ssh/ssh_known_hosts > /etc/ssh/ssh_known_hosts.new
+ echo '@cert-authority *' $LINE >> /etc/ssh/ssh_known_hosts.new
+ mv /etc/ssh/ssh_known_hosts.new /etc/ssh/ssh_known_hosts
+done
+for pubkey in ssh/*.*pubkey; do
+ LINE=$(cat $pubkey)
+ cp -af /root/.ssh/authorized_keys /root/.ssh/authorized_keys.new
+ grep -v "$LINE" /root/.ssh/authorized_keys > /root/.ssh/authorized_keys.new
+ echo "$LINE" >> /root/.ssh/authorized_keys.new
+ mv /root/.ssh/authorized_keys.new /root/.ssh/authorized_keys
+done
+confluentpython $confapiclient /confluent-api/self/nodelist | sed -e 's/^- //' > /etc/ssh/shosts.equiv
+cat /etc/ssh/shosts.equiv > /root/.shosts
+cd -
+rm -rf $TMPDIR
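Review bot: `rm $certfile` deletes each host certificate before its replacement is requested, so a failed `apiclient` call (network, authentication, or a server that declines to sign) leaves sshd with no certificate instead of the previous one; fetching into `$certfile.new` and moving it into place only on success keeps the old cert across a failed refresh, and also turns the `rm` into an `rm -f` so that a host with no certs yet does not print an error per key. This relies on apiclient exiting non-zero on failure, and the `-o` path in the apiclient hunk of patch 3 ends in `sys.exit(0)`, so confirm that `grab_url` raises on an error status. The `grep -v "$LINE"` filters on the known_hosts and authorized_keys loops treat the key text as a basic regex; `grep -vF` is the intended fixed-string match, and the authorized_keys loop will fail outright if `/root/.ssh` does not yet exist. The script has no shebang but uses the bash-only `${pubkey/.pub/-cert.pub}` expansion, so it should declare `#!/bin/bash`, and `nodename` is assigned but never used; `rm -rf $TMPDIR` only runs when the script reaches its last line, which a `trap 'rm -rf "$TMPDIR"' EXIT` right after `mktemp` would cover.
```sh
for pubkey in /etc/ssh/ssh_host*key.pub; do
    certfile=${pubkey/.pub/-cert.pub}
    rm -f "$certfile.new"
    if confluentpython $confapiclient /confluent-api/self/sshcert "$pubkey" -o "$certfile.new"; then
        mv -f "$certfile.new" "$certfile"
    else
        rm -f "$certfile.new"
    fi
done
# … unchanged: TMPDIR setup, initramfs fetch, known_hosts / authorized_keys loops, shosts …
```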