From b52568dc1042809d1123f85cb91c655881c0d25f Mon Sep 17 00:00:00 2001
From: Jarrod Johnson
Date: Thu, 14 May 2020 15:47:08 -0400
Subject: [PATCH] Refactor RedHat/CentOS class profile
Again, break things up for more approachable layout.
---
 .../dracut/hooks/pre-pivot/01-confluent.sh | 6 +-
 .../el8/profiles/default/kickstart | 65 +++++--------------
 .../default/scripts/firstboot.service | 11 ++++
 .../el8/profiles/default/scripts/post.sh | 25 +++++++
 .../el8/profiles/default/scripts/pre.sh | 28 ++++++++
 5 files changed, 85 insertions(+), 50 deletions(-)
 create mode 100644 confluent_osdeploy/el8/profiles/default/scripts/firstboot.service
 create mode 100644 confluent_osdeploy/el8/profiles/default/scripts/post.sh
 create mode 100644 confluent_osdeploy/el8/profiles/default/scripts/pre.sh
diff --git a/confluent_osdeploy/el8/initramfs/usr/lib/dracut/hooks/pre-pivot/01-confluent.sh b/confluent_osdeploy/el8/initramfs/usr/lib/dracut/hooks/pre-pivot/01-confluent.sh
index bb125d16..5c241a4f 100644
--- a/confluent_osdeploy/el8/initramfs/usr/lib/dracut/hooks/pre-pivot/01-confluent.sh
+++ b/confluent_osdeploy/el8/initramfs/usr/lib/dracut/hooks/pre-pivot/01-confluent.sh
@@ -5,6 +5,8 @@ while [ -h $BUNDLENAME ]; do
 done
 cat /etc/pki/tls/certs/ca-bundle.crt > $BUNDLENAME
+mkdir -p /sysroot/etc/confluent/
+cp -a /tls /sysroot/etc/confluent
 sed -i 's/install::/install:*:/' /sysroot/etc/shadow
 sed -i 's/root::/root:*:/' /sysroot/etc/shadow
 mkdir -p /sysroot/root/.ssh
@@ -16,4 +18,6 @@ for i in /ssh/*.ca; do
 echo '@cert-authority *' $(cat $i) >> /sysroot/etc/ssh/ssh_known_hosts
 done
 cp /etc/confluent.apikey /sysroot/etc/
-cp /tmp/confluent.deploycfg /tmp/confluent.info /sysroot/etc/
\ No newline at end of file
+cp /etc/confluent.apikey /sysroot/etc/confluent/
+cp /tmp/confluent.deploycfg /tmp/confluent.info /sysroot/etc/
+cp /tmp/confluent.deploycfg /tmp/confluent.info /sysroot/etc/confluent
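Review bot: The new `cp /etc/confluent.apikey /sysroot/etc/confluent/` in the second hunk places the API key in the target root without setting its mode; a plain cp derives the new file's mode from the source masked by the initramfs umask, so unless the source is already 0600 the key can end up readable by every local user after the pivot. The same applies to the confluent.deploycfg copy, which the profile's pre.sh reads the `rootpassword` value from. Add `chmod 600 /sysroot/etc/confluent/confluent.apikey /sysroot/etc/confluent/confluent.deploycfg` after the copies, or `chmod 700 /sysroot/etc/confluent` on the directory the first hunk creates. The old destinations under /sysroot/etc/ are still written as well, so the secrets now live in two places; if /etc/confluent is the new home, a comment noting that the bare /etc copies are kept for compatibility would help the next reader.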
diff --git a/confluent_osdeploy/el8/profiles/default/kickstart b/confluent_osdeploy/el8/profiles/default/kickstart
index d6835d25..ddb048ad 100644
--- a/confluent_osdeploy/el8/profiles/default/kickstart
+++ b/confluent_osdeploy/el8/profiles/default/kickstart
@@ -11,63 +11,30 @@ python3 %end %pre -nodename=$(grep ^NODENAME /etc/confluent.info|awk '{print $2}') +profile=$(grep ipv4_server /etc/confluent.deploycfg |awk '{print $2}') mgr=$(grep ipv4_server /etc/confluent.deploycfg |awk '{print $2}') -tz=$(grep ^timezone: /etc/confluent.deploycfg) -tz=${tz#*: } -echo timezone $tz --utc > /tmp/timezone -rootpw=$(grep ^rootpassword /etc/confluent.deploycfg | awk '{print $2}') -if [ "$rootpw" = null ]; then - echo "rootpw --lock" > /tmp/rootpw -else - echo "rootpw --iscrypted $rootpw" > /tmp/rootpw -fi -for pubkey in /etc/ssh/ssh_host*key.pub; do - certfile=${pubkey/.pub/-cert.pub} - curl -f -X POST -H "CONFLUENT_NODENAME: $nodename" -H "CONFLUENT_APIKEY: $(cat /etc/confluent.apikey)" -d @$pubkey https://$mgr/confluent-api/self/sshcert > $certfile - echo HostCertificate $certfile >> /etc/ssh/sshd_config.anaconda -done -/usr/sbin/sshd -f /etc/ssh/sshd_config.anaconda -if [ -f "/run/install/cmdline.d/01-autocons.conf" ]; then - consoledev=$(cat /run/install/cmdline.d/01-autocons.conf | sed -e 's!console=!/dev/!' -e 's/,.*//') - tmux a <> $consoledev >&0 2>&1 & -fi -curl https://$mgr/confluent-public/confluent/util/getinstalldisk > /tmp/getinstalldisk -/usr/libexec/platform-python /tmp/getinstalldisk -if [ -e /tmp/installdisk ]; then - echo clearpart --all --initlabel >> /tmp/partitioning - echo ignoredisk --only-use $(cat /tmp/installdisk) >> /tmp/partitioning - echo autopart --nohome >> /tmp/partitioning -fi -curl -f -H "CONFLUENT_NODENAME: $nodename" -H "CONFLUENT_APIKEY: $(cat /etc/confluent.apikey)" https://$mgr/confluent-api/self/nodelist > /tmp/allnodes +curl -f https://$mgr/confluent-public/os/$profile/scripts/pre.sh > /tmp/preinst.sh +. 
/tmp/preinst.sh %end %post --nochroot -# need to copy over ssh key info -grep HostCert /etc/ssh/sshd_config.anaconda >> /mnt/sysimage/etc/ssh/sshd_config -echo HostbasedAuthentication yes >> /mnt/sysimage/etc/ssh/sshd_config -echo HostbasedUsesNameFromPacketOnly yes >> /mnt/sysimage/etc/ssh/sshd_config -echo IgnoreRhosts no >> /mnt/sysimage/etc/ssh/sshd_config -sshconf=/etc/ssh/ssh_config -if [ -d /mnt/sysimage/etc/ssh/ssh_config.d/ ]; then - sshconf=/mnt/sysimage/etc/ssh/ssh_config.d/01-confluent.conf -fi -echo 'Host *' >> $sshconf -echo ' HostbasedAuthentication yes' >> $sshconf -echo ' EnableSSHKeysign yes' >> $sshconf -echo ' HostbasedKeyTypes *ed25519*' >> $sshconf +mkdir -p /mnt/sysimage/etc/confluent +profile=$(grep ipv4_server /etc/confluent.deploycfg |awk '{print $2}') +mgr=$(grep ipv4_server /etc/confluent.deploycfg |awk '{print $2}') +curl -f https://$mgr/confluent-public/os/$profile/scripts/post.sh > /tmp/postinst.sh +. /tmp/postinst.sh -cp /etc/ssh/ssh_host_* /mnt/sysimage/etc/ssh/ -mkdir /mnt/sysimage/root/.ssh/ -chmod 700 /mnt/sysimage/root/.ssh/ -cp /root/.ssh/authorized_keys /mnt/sysimage/root/.ssh/ -chmod 600 /mnt/sysimage/root/.ssh/authorized_keys -cp /etc/ssh/ssh_known_hosts /mnt/sysimage/etc/ssh/ -cp /tmp/allnodes /mnt/sysimage/etc/ssh/shosts.equiv -cp /tmp/allnodes /mnt/sysimage/root/.shosts +# Hook firstboot.sh +curl -f https://$mgr/confluent-public/os/$profile/scripts/firstboot.service > /mnt/sysimage/etc/systemd/system/firstboot.service +curl -f https://$mgr/confluent-public/os/$profile/scripts/firstboot.sh > /mnt/sysimage/etc/confuent/firstboot.sh +chmod +x /mnt/sysimage/etc/confluent/firstboot.sh + +chmod 664 /etc/systemd/system/runonce.service +systemctl enable runonce %end %post +systemctl enable firstboot chgrp ssh_keys /etc/ssh/ssh*key restorecon /etc/ssh/ssh*key /root/.shosts /etc/ssh/shosts.equiv /etc/ssh/ssh_config.d/* %end 
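Review bot: `profile=$(grep ipv4_server /etc/confluent.deploycfg |awk '{print $2}')` in both %pre and %post --nochroot reads the same key as `mgr`, so the script URLs expand to `https://$mgr/confluent-public/os/<server address>/scripts/pre.sh`; presumably the profile name lives under a different key in confluent.deploycfg, which this page does not show. In the %post --nochroot section, firstboot.sh is written to `/mnt/sysimage/etc/confuent/firstboot.sh` (missing "l") while the chmod on the next line targets `/mnt/sysimage/etc/confluent/firstboot.sh`, so the redirect fails and the unit's ExecStart would point at a file that does not exist. The `chmod 664 /etc/systemd/system/runonce.service` and `systemctl enable runonce` lines act on the installer environment rather than /mnt/sysimage, and no runonce unit is created by this change, so they look like a leftover. Finally, `curl -f ... > /tmp/preinst.sh` followed by `. /tmp/preinst.sh` sources an empty file when the download fails, silently skipping the timezone, rootpw and partitioning setup; `curl -f https://$mgr/confluent-public/os/$profile/scripts/pre.sh > /tmp/preinst.sh || exit 1` would make that failure visible.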
diff --git a/confluent_osdeploy/el8/profiles/default/scripts/firstboot.service b/confluent_osdeploy/el8/profiles/default/scripts/firstboot.service
new file mode 100644
index 00000000..0fefec09
--- /dev/null
+++ b/confluent_osdeploy/el8/profiles/default/scripts/firstboot.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=First Boot Process
+Requires=network-online.target
+After=network-online.target
+
+[Service]
+ExecStart=/etc/confluent/firstboot.sh
+
+[Install]
+WantedBy=multi-user.target
+
diff --git a/confluent_osdeploy/el8/profiles/default/scripts/post.sh b/confluent_osdeploy/el8/profiles/default/scripts/post.sh
new file mode 100644
index 00000000..116f3add
--- /dev/null
+++ b/confluent_osdeploy/el8/profiles/default/scripts/post.sh
@@ -0,0 +1,25 @@
+#!/bin/sh
+# need to copy over ssh key info
+grep HostCert /etc/ssh/sshd_config.anaconda >> /mnt/sysimage/etc/ssh/sshd_config
+echo HostbasedAuthentication yes >> /mnt/sysimage/etc/ssh/sshd_config
+echo HostbasedUsesNameFromPacketOnly yes >> /mnt/sysimage/etc/ssh/sshd_config
+echo IgnoreRhosts no >> /mnt/sysimage/etc/ssh/sshd_config
+sshconf=/etc/ssh/ssh_config
+if [ -d /mnt/sysimage/etc/ssh/ssh_config.d/ ]; then
+ sshconf=/mnt/sysimage/etc/ssh/ssh_config.d/01-confluent.conf
+fi
+echo 'Host *' >> $sshconf
+echo ' HostbasedAuthentication yes' >> $sshconf
+echo ' EnableSSHKeysign yes' >> $sshconf
+echo ' HostbasedKeyTypes *ed25519*' >> $sshconf
+
+cp /etc/ssh/ssh_host_* /mnt/sysimage/etc/ssh/
+mkdir /mnt/sysimage/root/.ssh/
+chmod 700 /mnt/sysimage/root/.ssh/
+cp /root/.ssh/authorized_keys /mnt/sysimage/root/.ssh/
+chmod 600 /mnt/sysimage/root/.ssh/authorized_keys
+cp /etc/ssh/ssh_known_hosts /mnt/sysimage/etc/ssh/
+cp /tmp/allnodes /mnt/sysimage/etc/ssh/shosts.equiv
+cp /tmp/allnodes /mnt/sysimage/root/.shosts
+cp -a /etc/confluent /mnt/sysimage/etc
+curl -f -H "CONFLUENT_NODENAME: $nodename" -H "CONFLUENT_APIKEY: $(cat /etc/confluent.apikey)" https://$mgr/confluent-api/self/nodelist > /tmp/allnodes
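Review bot: The unit has no Type= and no run-once guard, so with `WantedBy=multi-user.target` it is started on every boot rather than only the first, unless firstboot.sh disables it itself (that script is not part of this change). Adding `Type=oneshot` together with a `ConditionPathExists=!/etc/confluent/firstboot.done`-style guard (placeholder path) that the script creates on completion would make the first-boot contract explicit in the unit instead of implicit in the script. A leading `# Runs /etc/confluent/firstboot.sh once the network is up; installed by the kickstart %post` comment would also help readers of the profile.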
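Review bot: `cp /tmp/allnodes /mnt/sysimage/etc/ssh/shosts.equiv` and the `.shosts` copy run before the `curl ... /confluent-api/self/nodelist > /tmp/allnodes` on the last line, and the new pre.sh no longer fetches that list in %pre, so both copies fail and the node list is downloaded for nothing; move the curl above the two cp lines. That curl also uses `$nodename`, which pre.sh sets in the %pre environment but the kickstart %post that sources this file does not, so the CONFLUENT_NODENAME header would be empty. `cp -a /etc/confluent /mnt/sysimage/etc` carries the API key and confluent.deploycfg (which pre.sh reads the `rootpassword` hash from) into the installed system with whatever mode they had in the installer; `chmod 600 /mnt/sysimage/etc/confluent/confluent.apikey /mnt/sysimage/etc/confluent/confluent.deploycfg` (or 0700 on the directory) should follow the copy. The default `sshconf=/etc/ssh/ssh_config` points at the installer's own file rather than /mnt/sysimage/etc/ssh/ssh_config, so on a target without ssh_config.d the Host block never reaches the installed system; this was moved in unchanged, but it is worth fixing while the file is being touched.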
diff --git a/confluent_osdeploy/el8/profiles/default/scripts/pre.sh b/confluent_osdeploy/el8/profiles/default/scripts/pre.sh
new file mode 100644
index 00000000..e2abf2c4
--- /dev/null
+++ b/confluent_osdeploy/el8/profiles/default/scripts/pre.sh
@@ -0,0 +1,28 @@
+#!/bin/sh
+nodename=$(grep ^NODENAME /etc/confluent.info|awk '{print $2}')
+tz=$(grep ^timezone: /etc/confluent.deploycfg)
+tz=${tz#*: }
+echo timezone $tz --utc > /tmp/timezone
+rootpw=$(grep ^rootpassword /etc/confluent.deploycfg | awk '{print $2}')
+if [ "$rootpw" = null ]; then
+ echo "rootpw --lock" > /tmp/rootpw
+else
+ echo "rootpw --iscrypted $rootpw" > /tmp/rootpw
+fi
+for pubkey in /etc/ssh/ssh_host*key.pub; do
+ certfile=${pubkey/.pub/-cert.pub}
+ curl -f -X POST -H "CONFLUENT_NODENAME: $nodename" -H "CONFLUENT_APIKEY: $(cat /etc/confluent.apikey)" -d @$pubkey https://$mgr/confluent-api/self/sshcert > $certfile
+ echo HostCertificate $certfile >> /etc/ssh/sshd_config.anaconda
+done
+/usr/sbin/sshd -f /etc/ssh/sshd_config.anaconda
+if [ -f "/run/install/cmdline.d/01-autocons.conf" ]; then
+ consoledev=$(cat /run/install/cmdline.d/01-autocons.conf | sed -e 's!console=!/dev/!' -e 's/,.*//')
+ tmux a <> $consoledev >&0 2>&1 &
+fi
+curl https://$mgr/confluent-public/confluent/util/getinstalldisk > /tmp/getinstalldisk
+/usr/libexec/platform-python /tmp/getinstalldisk
+if [ -e /tmp/installdisk ]; then
+ echo clearpart --all --initlabel >> /tmp/partitioning
+ echo ignoredisk --only-use $(cat /tmp/installdisk) >> /tmp/partitioning
+ echo autopart --nohome >> /tmp/partitioning
+fi
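Review bot: `curl https://$mgr/confluent-public/confluent/util/getinstalldisk > /tmp/getinstalldisk` has no `-f` (unlike the sshcert call above), so an HTTP error body is saved and then handed to platform-python on the next line; `curl -f https://$mgr/confluent-public/confluent/util/getinstalldisk > /tmp/getinstalldisk || exit 1` keeps a failed download from being executed. The file declares `#!/bin/sh` but `certfile=${pubkey/.pub/-cert.pub}` is a bash-only substitution; it works because the kickstart %pre sources the file into bash, but the shebang is misleading and running it under a POSIX sh would break the certificate loop. The script also depends on `$mgr` being set by the caller without saying so; a header comment such as `# Sourced by the kickstart %pre; expects $mgr (ipv4_server from confluent.deploycfg) to be set by the caller` would document that contract.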