Refactor RedHat/CentOS class profile

Again, break things up for more approachable layout.

confluent_osdeploy/el8/initramfs/usr/lib/dracut/hooks/pre-pivot/01-confluent.sh

@@ -5,6 +5,8 @@ while [ -h $BUNDLENAME ]; do
 done
 
 cat /etc/pki/tls/certs/ca-bundle.crt > $BUNDLENAME
+mkdir -p /sysroot/etc/confluent/
+cp -a /tls /sysroot/etc/confluent
 sed -i 's/install::/install:*:/' /sysroot/etc/shadow
 sed -i 's/root::/root:*:/' /sysroot/etc/shadow
 mkdir -p /sysroot/root/.ssh
@@ -16,4 +18,6 @@ for i in /ssh/*.ca; do
     echo '@cert-authority *' $(cat $i) >> /sysroot/etc/ssh/ssh_known_hosts
 done
 cp /etc/confluent.apikey /sysroot/etc/
-cp /tmp/confluent.deploycfg /tmp/confluent.info /sysroot/etc/
+cp /etc/confluent.apikey /sysroot/etc/confluent/
+cp /tmp/confluent.deploycfg /tmp/confluent.info /sysroot/etc/
+cp /tmp/confluent.deploycfg /tmp/confluent.info /sysroot/etc/confluent

confluent_osdeploy/el8/profiles/default/kickstart

@@ -11,63 +11,30 @@ python3
 %end
 
 %pre
-nodename=$(grep ^NODENAME /etc/confluent.info|awk '{print $2}')
+profile=$(grep ipv4_server /etc/confluent.deploycfg |awk '{print $2}')
 mgr=$(grep ipv4_server /etc/confluent.deploycfg |awk '{print $2}')
-tz=$(grep ^timezone: /etc/confluent.deploycfg)
-tz=${tz#*: }
-echo timezone $tz --utc > /tmp/timezone
-rootpw=$(grep ^rootpassword /etc/confluent.deploycfg | awk '{print $2}')
-if [ "$rootpw" = null ]; then
-    echo "rootpw --lock" > /tmp/rootpw
-else
-    echo "rootpw --iscrypted $rootpw" > /tmp/rootpw
-fi
-for pubkey in /etc/ssh/ssh_host*key.pub; do
-    certfile=${pubkey/.pub/-cert.pub}
-    curl -f -X POST -H "CONFLUENT_NODENAME: $nodename" -H "CONFLUENT_APIKEY: $(cat /etc/confluent.apikey)" -d @$pubkey https://$mgr/confluent-api/self/sshcert > $certfile
-    echo HostCertificate $certfile >> /etc/ssh/sshd_config.anaconda
-done
-/usr/sbin/sshd -f /etc/ssh/sshd_config.anaconda
-if [ -f "/run/install/cmdline.d/01-autocons.conf" ]; then
-    consoledev=$(cat /run/install/cmdline.d/01-autocons.conf | sed -e 's!console=!/dev/!' -e 's/,.*//')
-    tmux a <> $consoledev >&0 2>&1 &
-fi
-curl https://$mgr/confluent-public/confluent/util/getinstalldisk > /tmp/getinstalldisk
-/usr/libexec/platform-python /tmp/getinstalldisk
-if [ -e /tmp/installdisk ]; then
-    echo clearpart --all --initlabel >> /tmp/partitioning
-    echo ignoredisk --only-use $(cat /tmp/installdisk) >> /tmp/partitioning
-    echo autopart --nohome >> /tmp/partitioning
-fi
-curl -f -H "CONFLUENT_NODENAME: $nodename" -H "CONFLUENT_APIKEY: $(cat /etc/confluent.apikey)" https://$mgr/confluent-api/self/nodelist > /tmp/allnodes
+curl -f https://$mgr/confluent-public/os/$profile/scripts/pre.sh > /tmp/preinst.sh
+. /tmp/preinst.sh
 %end
 
 %post --nochroot
-# need to copy over ssh key info
-grep HostCert /etc/ssh/sshd_config.anaconda >> /mnt/sysimage/etc/ssh/sshd_config
-echo HostbasedAuthentication yes >> /mnt/sysimage/etc/ssh/sshd_config
-echo HostbasedUsesNameFromPacketOnly yes >> /mnt/sysimage/etc/ssh/sshd_config
-echo IgnoreRhosts no >> /mnt/sysimage/etc/ssh/sshd_config
-sshconf=/etc/ssh/ssh_config
-if [ -d /mnt/sysimage/etc/ssh/ssh_config.d/ ]; then
-    sshconf=/mnt/sysimage/etc/ssh/ssh_config.d/01-confluent.conf
-fi
-echo 'Host *' >> $sshconf
-echo '    HostbasedAuthentication yes' >> $sshconf
-echo '    EnableSSHKeysign yes' >> $sshconf
-echo '    HostbasedKeyTypes *ed25519*' >> $sshconf
+mkdir -p /mnt/sysimage/etc/confluent
+profile=$(grep ipv4_server /etc/confluent.deploycfg |awk '{print $2}')
+mgr=$(grep ipv4_server /etc/confluent.deploycfg |awk '{print $2}')
+curl -f https://$mgr/confluent-public/os/$profile/scripts/post.sh > /tmp/postinst.sh
+. /tmp/postinst.sh
 
-cp /etc/ssh/ssh_host_* /mnt/sysimage/etc/ssh/
-mkdir /mnt/sysimage/root/.ssh/
-chmod 700 /mnt/sysimage/root/.ssh/
-cp /root/.ssh/authorized_keys /mnt/sysimage/root/.ssh/
-chmod 600 /mnt/sysimage/root/.ssh/authorized_keys
-cp /etc/ssh/ssh_known_hosts /mnt/sysimage/etc/ssh/
-cp /tmp/allnodes /mnt/sysimage/etc/ssh/shosts.equiv
-cp /tmp/allnodes /mnt/sysimage/root/.shosts
+# Hook firstboot.sh
+curl -f https://$mgr/confluent-public/os/$profile/scripts/firstboot.service > /mnt/sysimage/etc/systemd/system/firstboot.service
+curl -f https://$mgr/confluent-public/os/$profile/scripts/firstboot.sh > /mnt/sysimage/etc/confuent/firstboot.sh
+chmod +x /mnt/sysimage/etc/confluent/firstboot.sh
+
+chmod 664 /etc/systemd/system/runonce.service
+systemctl enable runonce
 %end
 
 %post
+systemctl enable firstboot
 chgrp ssh_keys /etc/ssh/ssh*key
 restorecon /etc/ssh/ssh*key /root/.shosts /etc/ssh/shosts.equiv /etc/ssh/ssh_config.d/*
 %end

confluent_osdeploy/el8/profiles/default/scripts/firstboot.service

@@ -0,0 +1,11 @@
+[Unit]
+Description=First Boot Process
+Requires=network-online.target
+After=network-online.target
+
+[Service]
+ExecStart=/etc/confluent/firstboot.sh
+
+[Install]
+WantedBy=multi-user.target
+

confluent_osdeploy/el8/profiles/default/scripts/post.sh

@@ -0,0 +1,25 @@
+#!/bin/sh
+# need to copy over ssh key info
+grep HostCert /etc/ssh/sshd_config.anaconda >> /mnt/sysimage/etc/ssh/sshd_config
+echo HostbasedAuthentication yes >> /mnt/sysimage/etc/ssh/sshd_config
+echo HostbasedUsesNameFromPacketOnly yes >> /mnt/sysimage/etc/ssh/sshd_config
+echo IgnoreRhosts no >> /mnt/sysimage/etc/ssh/sshd_config
+sshconf=/etc/ssh/ssh_config
+if [ -d /mnt/sysimage/etc/ssh/ssh_config.d/ ]; then
+    sshconf=/mnt/sysimage/etc/ssh/ssh_config.d/01-confluent.conf
+fi
+echo 'Host *' >> $sshconf
+echo '    HostbasedAuthentication yes' >> $sshconf
+echo '    EnableSSHKeysign yes' >> $sshconf
+echo '    HostbasedKeyTypes *ed25519*' >> $sshconf
+
+cp /etc/ssh/ssh_host_* /mnt/sysimage/etc/ssh/
+mkdir /mnt/sysimage/root/.ssh/
+chmod 700 /mnt/sysimage/root/.ssh/
+cp /root/.ssh/authorized_keys /mnt/sysimage/root/.ssh/
+chmod 600 /mnt/sysimage/root/.ssh/authorized_keys
+cp /etc/ssh/ssh_known_hosts /mnt/sysimage/etc/ssh/
+cp /tmp/allnodes /mnt/sysimage/etc/ssh/shosts.equiv
+cp /tmp/allnodes /mnt/sysimage/root/.shosts
+cp -a /etc/confluent /mnt/sysimage/etc
+curl -f -H "CONFLUENT_NODENAME: $nodename" -H "CONFLUENT_APIKEY: $(cat /etc/confluent.apikey)" https://$mgr/confluent-api/self/nodelist > /tmp/allnodes

confluent_osdeploy/el8/profiles/default/scripts/pre.sh

@@ -0,0 +1,28 @@
+#!/bin/sh
+nodename=$(grep ^NODENAME /etc/confluent.info|awk '{print $2}')
+tz=$(grep ^timezone: /etc/confluent.deploycfg)
+tz=${tz#*: }
+echo timezone $tz --utc > /tmp/timezone
+rootpw=$(grep ^rootpassword /etc/confluent.deploycfg | awk '{print $2}')
+if [ "$rootpw" = null ]; then
+    echo "rootpw --lock" > /tmp/rootpw
+else
+    echo "rootpw --iscrypted $rootpw" > /tmp/rootpw
+fi
+for pubkey in /etc/ssh/ssh_host*key.pub; do
+    certfile=${pubkey/.pub/-cert.pub}
+    curl -f -X POST -H "CONFLUENT_NODENAME: $nodename" -H "CONFLUENT_APIKEY: $(cat /etc/confluent.apikey)" -d @$pubkey https://$mgr/confluent-api/self/sshcert > $certfile
+    echo HostCertificate $certfile >> /etc/ssh/sshd_config.anaconda
+done
+/usr/sbin/sshd -f /etc/ssh/sshd_config.anaconda
+if [ -f "/run/install/cmdline.d/01-autocons.conf" ]; then
+    consoledev=$(cat /run/install/cmdline.d/01-autocons.conf | sed -e 's!console=!/dev/!' -e 's/,.*//')
+    tmux a <> $consoledev >&0 2>&1 &
+fi
+curl https://$mgr/confluent-public/confluent/util/getinstalldisk > /tmp/getinstalldisk
+/usr/libexec/platform-python /tmp/getinstalldisk
+if [ -e /tmp/installdisk ]; then
+    echo clearpart --all --initlabel >> /tmp/partitioning
+    echo ignoredisk --only-use $(cat /tmp/installdisk) >> /tmp/partitioning
+    echo autopart --nohome >> /tmp/partitioning
+fi