From ed842fcc1ad0c6d59cc573eb9d79c87dba046c1b Mon Sep 17 00:00:00 2001
From: Jarrod Johnson
Date: Thu, 17 Sep 2020 14:23:37 -0400
Subject: [PATCH] Add mods to adapt an xcat stateless image to a confluennt payload
---
 .../lib/dracut/hooks/cmdline/01-confluent.sh | 18 +++
 .../dracut/hooks/initqueue/01-confluent.sh | 126 ++++++++++++++++++
 .../dracut/hooks/pre-pivot/01-confluent.sh | 40 ++++++
 misc/xcatstateless/scripts/earlyboot.sh | 11 ++
 misc/xcatstateless/scripts/functions | 38 ++++++
 misc/xcatstateless/scripts/setupssh.sh | 27 ++++
 6 files changed, 260 insertions(+)
 create mode 100644 misc/xcatstateless/initramfs/usr/lib/dracut/hooks/cmdline/01-confluent.sh
 create mode 100644 misc/xcatstateless/initramfs/usr/lib/dracut/hooks/initqueue/01-confluent.sh
 create mode 100644 misc/xcatstateless/initramfs/usr/lib/dracut/hooks/pre-pivot/01-confluent.sh
 create mode 100644 misc/xcatstateless/scripts/earlyboot.sh
 create mode 100644 misc/xcatstateless/scripts/functions
 create mode 100644 misc/xcatstateless/scripts/setupssh.sh
diff --git a/misc/xcatstateless/initramfs/usr/lib/dracut/hooks/cmdline/01-confluent.sh b/misc/xcatstateless/initramfs/usr/lib/dracut/hooks/cmdline/01-confluent.sh
new file mode 100644
index 00000000..b11b6ddc
--- /dev/null
+++ b/misc/xcatstateless/initramfs/usr/lib/dracut/hooks/cmdline/01-confluent.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+mkdir -p /etc/pki/tls/certs
+echo -n "" >> /tmp/net.ifaces
+cat /tls/*.0 >> /etc/pki/tls/certs/ca-bundle.crt
+if ! grep console= /proc/cmdline >& /dev/null; then
+autocons=$(/opt/confluent/bin/autocons)
+if [ -n "$autocons" ]; then
+echo console=$autocons |sed -e 's!/dev/!!' >> /tmp/01-autocons.conf
+autocons=${autocons%,*}
+echo $autocons > /tmp/01-autocons.devnode
+echo "Detected firmware specified console at $(cat /tmp/01-autocons.conf)" > $autocons
+echo "Modify profile.yaml and run updateboot to have nodeconsole work by adding console=$(cat /tmp/01-autocons.conf)" > $autocons
+fi
+fi
+if grep console=ttyS /proc/cmdline >& /dev/null; then
+echo "Serial console has been requested in the kernel arguments, the local video may not show progress" > /dev/tty1
+fi
+
diff --git a/misc/xcatstateless/initramfs/usr/lib/dracut/hooks/initqueue/01-confluent.sh b/misc/xcatstateless/initramfs/usr/lib/dracut/hooks/initqueue/01-confluent.sh
new file mode 100644
index 00000000..34ed4d78
--- /dev/null
+++ b/misc/xcatstateless/initramfs/usr/lib/dracut/hooks/initqueue/01-confluent.sh
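Review bot: The `cat /tls/*.0 >> /etc/pki/tls/certs/ca-bundle.crt` line is the trust anchor that lets the later `curl https://$mgr/...` calls in the initqueue and pre-pivot hooks verify the deploy server, but nothing says so; add `# Trust the deployment CA(s) shipped in /tls so https://$mgr can be verified by later hooks` above it. The console handling also leaves every expansion unquoted: `echo "$autocons" > /tmp/01-autocons.devnode` and `> "$autocons"` on the two message lines would keep a device string containing spaces from being split. `echo -n "" >> /tmp/net.ifaces` only creates the file; `touch /tmp/net.ifaces` says that directly.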
@@ -0,0 +1,126 @@
+#!/bin/sh
+[ -e /tmp/confluent.initq ] && return 0
+if [ -f /tmp/dd_disk ]; then
+for dd in $(cat /tmp/dd_disk); do
+if [ -e $dd ]; then
+driver-updates --disk $dd $dd
+fi
+done
+fi
+TRIES=0
+oum=$(umask)
+umask 0077
+mkdir -p /etc/confluent
+echo -n > /etc/confluent/confluent.info
+umask $oum
+cd /sys/class/net
+while ! grep ^EXTMGRINFO: /etc/confluent/confluent.info | awk -F'|' '{print $3}' | grep 1 >& /dev/null && [ "$TRIES" -lt 60 ]; do
+TRIES=$((TRIES + 1))
+for currif in *; do
+ip link set $currif up
+done
+/opt/confluent/bin/copernicus -t > /etc/confluent/confluent.info
+done
+cd /
+grep ^EXTMGRINFO: /etc/confluent/confluent.info || return 0 # Do absolutely nothing if no data at all yet
+echo -n "" > /tmp/confluent.initq
+# restart cmdline
+echo -n "" > /etc/cmdline.d/01-confluent.conf
+mkdir -p /var/log/xcat
+
+#TODO: blkid --label to find mounted api
+nodename=$(grep ^NODENAME /etc/confluent/confluent.info|awk '{print $2}')
+mgr=$(grep ^EXTMGRINFO: /etc/confluent/confluent.info| sed -e 's/^EXTMGRINFO: //' | awk -F'|' '{print $1 " " $2 " " $3}' |grep 1$ | awk 'NR < 2')
+if [ -z "$mgr" ]; then
+mgr=$(grep ^EXTMGRINFO: /etc/confluent/confluent.info| sed -e 's/^EXTMGRINFO: //' | awk -F'|' '{print $1 " " $2 " " $3}' | awk 'NR < 2')
+fi
+mgtiface=$(echo $mgr | awk '{print $2}')
+mgr=$(echo $mgr | awk '{print $1}')
+if [ ! -f /etc/confluent/confluent.apikey ]; then
+/opt/confluent/bin/clortho $nodename $mgr > /etc/confluent/confluent.apikey
+fi
+if echo $mgr | grep '%' > /dev/null; then
+echo $mgr | awk -F% '{print $2}' > /tmp/confluent.ifidx
+fi
+apikey=$(cat /etc/confluent/confluent.apikey)
+if echo $mgr | grep ':' > /dev/null; then
+mgr="[$mgr]"
+fi
+curl -f -H "CONFLUENT_NODENAME: $nodename" -H "CONFLUENT_APIKEY: $apikey" -H "CONFLUENT_MGTIFACE: $mgtiface" https://$mgr/confluent-api/self/deploycfg > /etc/confluent/confluent.deploycfg
+
+
+
+
+cat /tls/*.pem > /etc/confluent/ca.pem
+ifidx=$(cat /tmp/confluent.ifidx)
+ifname=$(ip link |grep ^$ifidx:|awk '{print $2}')
+ifname=${ifname%:}
+echo $ifname > /tmp/net.ifaces
+
+dnsdomain=$(grep ^dnsdomain: /etc/confluent/confluent.deploycfg)
+dnsdomain=${dnsdomain#dnsdomain: }
+hostname=$nodename
+if [ ! -z "$dnsdomain" ] && [ "$dnsdomain" != "null" ]; then
+hostname=$hostname.$dnsdomain
+fi
+mgr=$(grep ^deploy_server: /etc/confluent/confluent.deploycfg)
+mgr=${mgr#deploy_server: }
+if ! grep XCAT /proc/cmdline > /dev/null; then
+echo XCAT=$mgr:3001 >> /etc/cmdline.d/01-confluent.conf
+fi
+profilename=$(grep ^profile: /etc/confluent/confluent.deploycfg)
+profilename=${profilename#profile: }
+proto=$(grep ^protocol: /etc/confluent/confluent.deploycfg)
+proto=${proto#protocol: }
+textconsole=$(grep ^textconsole: /etc/confluent/confluent.deploycfg)
+textconsole=${textconsole#textconsole: }
+if [ "$textconsole" = "true" ] && ! grep console= /proc/cmdline > /dev/null; then
+autocons=$(cat /tmp/01-autocons.devnode)
+if [ ! -z "$autocons" ]; then
+echo Auto-configuring installed system to use text console
+echo Auto-configuring installed system to use text console > $autocons
+cp /tmp/01-autocons.conf /etc/cmdline.d/
+else
+echo "Unable to automatically detect requested text console"
+fi
+fi
+
+echo imgurl=$proto://$mgr/confluent-public/os/$profilename/rootimg.cpio.gz >> /etc/cmdline.d/01-confluent.conf
+autoconfigmethod=$(grep ipv4_method /etc/confluent/confluent.deploycfg)
+autoconfigmethod=${autoconfigmethod#ipv4_method: }
+if [ "$autoconfigmethod" = "dhcp" ]; then
+echo ip=$ifname:dhcp >> /etc/cmdline.d/01-confluent.conf
+else
+v4addr=$(grep ^ipv4_address: /etc/confluent/confluent.deploycfg)
+v4addr=${v4addr#ipv4_address: }
+v4gw=$(grep ^ipv4_gateway: /etc/confluent/confluent.deploycfg)
+v4gw=${v4gw#ipv4_gateway: }
+if [ "$v4gw" = "null" ]; then
+v4gw=""
+fi
+v4nm=$(grep ipv4_netmask: /etc/confluent/confluent.deploycfg)
+v4nm=${v4nm#ipv4_netmask: }
+echo ip=$v4addr::$v4gw:$v4nm:$hostname:$ifname:none >> /etc/cmdline.d/01-confluent.conf
+mkdir -p /etc/sysconfig/network-scripts
+ifcfg=/etc/sysconfig/network-scripts/ifcfg-$ifname
+echo DEVICE=$ifname >> $ifcfg
+echo NAME=$ifname >> $ifcfg
+echo IPADDR=$v4addr >> $ifcfg
+echo GATEWAY=$v4gw >> $ifcfg
+echo NETMASK=$v4nm >> $ifcfg
+fi
+nameserversec=0
+while read -r entry; do
+if [ $nameserversec = 1 ]; then
+if [[ $entry == "-"* ]] && [[ $entry != "- ''" ]]; then
+echo nameserver=${entry#- } >> /etc/cmdline.d/01-confluent.conf
+continue
+fi
+fi
+nameserversec=0
+if [ "${entry%:*}" = "nameservers" ]; then
+nameserversec=1
+continue
+fi
+done < /etc/confluent/confluent.deploycfg
+
diff --git a/misc/xcatstateless/initramfs/usr/lib/dracut/hooks/pre-pivot/01-confluent.sh b/misc/xcatstateless/initramfs/usr/lib/dracut/hooks/pre-pivot/01-confluent.sh
new file mode 100644
index 00000000..59ce44eb
--- /dev/null
+++ b/misc/xcatstateless/initramfs/usr/lib/dracut/hooks/pre-pivot/01-confluent.sh
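Review bot: The `umask 0077` window closes at `umask $oum` right after `confluent.info` is created, so the two files that actually carry secrets are written with the default umask: `confluent.apikey` from `clortho` and `confluent.deploycfg` from `curl`, which the pre-pivot hook reads a `rootpassword:` hash out of. Moving the `umask $oum` line to just after the `curl ... > /etc/confluent/confluent.deploycfg` line keeps all three files owner-only at creation; the `chmod 700` on the copied directory in pre-pivot does not change the mode of the files themselves. The `curl -f` status is also not checked, so a failed fetch leaves an empty `confluent.deploycfg` and the script still appends `imgurl=...` and `ip=...` lines built from empty values; `|| return 0` after the curl would at least stop that. Separately, the file is `#!/bin/sh` but uses `>& /dev/null` and `[[ $entry == "-"* ]]`, which are bash-only; that works when dracut sources it with bash but the shebang misleads, and `setupssh.sh` has the same problem with `${pubkey/.pub/-cert.pub}`.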
@@ -0,0 +1,40 @@
+#!/bin/bash
+BUNDLENAME=/sysroot/etc/pki/tls/certs/ca-bundle.crt
+while [ -h $BUNDLENAME ]; do
+BUNDLENAME=/sysroot/$(readlink $BUNDLENAME)
+done
+cat /tls/*.0 >> $BUNDLENAME
+mkdir -p /sysroot/etc/confluent/
+chmod 700 /sysroot/etc/confluent
+cp -a /tls /sysroot/etc/confluent
+cp /etc/confluent/* /sysroot/etc/confluent
+rootpw=$(grep ^rootpassword: /etc/confluent/confluent.deploycfg | awk '{print $2}')
+if [ "null" = "$rootpw" -o "" = $rootpw ]; then
+rootpw='*'
+fi
+sed -i "s!root:[^:]*:!root:$rootpw:!" /sysroot/etc/shadow
+mkdir -p /sysroot/root/.ssh
+chmod 700 /sysroot/root/.ssh
+cat /ssh/*.rootpubkey > /sysroot/root/.ssh/authorized_keys
+chmod 600 /sysroot/root/.ssh/authorized_keys
+mkdir -p /sysroot/etc/ssh/
+for i in /ssh/*.ca; do
+echo '@cert-authority *' $(cat $i) >> /sysroot/etc/ssh/ssh_known_hosts
+done
+cp /opt/confluent/bin/apiclient /sysroot/etc/confluent
+cp /etc/sysconfig/network-scripts/* /sysroot/etc/sysconfig/network-scripts/
+ifname=$(ip link|grep ^$(cat /tmp/confluent.ifidx) | awk '{print $2}'|sed -e 's/://')
+mkdir /sysroot/tmp
+ip link set $ifname down; ip link set $ifname up
+while ! ip addr show dev $ifname|grep fe80 > /dev/null; do
+sleep 0.1
+done
+while ip addr|grep tentative > /dev/null; do
+sleep 0.1
+done
+mgr=$(grep ^deploy_server: /etc/confluent/confluent.deploycfg|awk '{print $2}')
+profile=$(grep ^profile: /etc/confluent/confluent.deploycfg|awk '{print $2}')
+export mgr profile
+curl -Ssf https://$mgr/confluent-public/os/$profile/scripts/earlyboot.sh > /sysroot/etc/confluent/earlyboot.sh
+chroot /sysroot bash /etc/confluent/earlyboot.sh
+
diff --git a/misc/xcatstateless/scripts/earlyboot.sh b/misc/xcatstateless/scripts/earlyboot.sh
new file mode 100644
index 00000000..fa23ee2d
--- /dev/null
+++ b/misc/xcatstateless/scripts/earlyboot.sh
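Review bot: The root password guard `[ "null" = "$rootpw" -o "" = $rootpw ]` does not take the branch when `$rootpw` is empty, because the unquoted expansion leaves `[` with a malformed expression that fails, and the following `sed` then writes `root::` into `/sysroot/etc/shadow`, an empty password field for root. `$rootpw` is empty whenever `confluent.deploycfg` has no `rootpassword:` line, so the fallback to `*` is exactly the case that is missed; `if [ -z "$rootpw" ] || [ "$rootpw" = "null" ]; then` takes it. The `curl -Ssf ... > /sysroot/etc/confluent/earlyboot.sh` result is likewise unchecked, so a failed fetch leaves an empty file and the `chroot` silently does nothing; `|| exit 1` after the curl makes that visible. Also worth a comment: `cp /etc/confluent/*` without `-p` gives `confluent.apikey` and `confluent.deploycfg` the default-umask mode inside the 0700 directory, which is presumably relied on as the only protection.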
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+mgr=$(grep ^deploy_server: /etc/confluent/confluent.deploycfg|awk '{print $2}')
+profile=$(grep ^profile: /etc/confluent/confluent.deploycfg|awk '{print $2}')
+nodename=$(grep ^NODENAME: /etc/confluent/confluent.info|awk '{print $2}')
+export mgr profile nodename
+curl -sSf https://$mgr/confluent-public/os/$profile/scripts/functions > /tmp/functions
+. /tmp/functions
+
+run_remote setupssh.sh
+
diff --git a/misc/xcatstateless/scripts/functions b/misc/xcatstateless/scripts/functions
new file mode 100644
index 00000000..8c6e45bd
--- /dev/null
+++ b/misc/xcatstateless/scripts/functions
@@ -0,0 +1,38 @@
+run_remote() {
+requestedcmd="'$*'"
+echo
+echo '---------------------------------------------------------------------------'
+echo Running $requestedcmd from https://$mgr/confluent-public/os/$profile/scripts/
+tmpdir=$(mktemp -d)
+echo Executing in $tmpdir
+cd $tmpdir
+curl -f -sS https://$mgr/confluent-public/os/$profile/scripts/$1 > $1
+if [ $? != 0 ]; then echo $requestedcmd failed to download; return 1; fi
+chmod +x $1
+cmd=$1
+if [ -x /usr/bin/chcon ]; then
+chcon system_u:object_r:bin_t:s0 $cmd >& /dev/null
+fi
+shift
+./$cmd $*
+retcode=$?
+echo "$requestedcmd exited with code $retcode"
+cd - > /dev/null
+return $retcode
+}
+
+run_remote_python() {
+echo
+echo '---------------------------------------------------------------------------'
+echo Running python script "'$*'" from https://$mgr/confluent-public/os/$profile/scripts/
+tmpdir=$(mktemp -d)
+echo Executing in $tmpdir
+cd $tmpdir
+curl -f -sS https://$mgr/confluent-public/os/$profile/scripts/$1 > $1
+if [ $? != 0 ]; then echo "'$*'" failed to download; return 1; fi
+/usr/libexec/platform-python $*
+retcode=$?
+echo "'$*' exited with code $retcode"
+cd - > /dev/null
+return $retcode
+}
diff --git a/misc/xcatstateless/scripts/setupssh.sh b/misc/xcatstateless/scripts/setupssh.sh
new file mode 100644
index 00000000..ba101469
--- /dev/null
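Review bot: The `curl -sSf ... > /tmp/functions` result is not checked before `. /tmp/functions`, so a failed fetch sources an empty file and the script dies later with `run_remote: command not found` instead of a clear download error. The target is also a fixed name under `/tmp`, which the pre-pivot hook has just created with `mkdir /sysroot/tmp`, so there are no other users yet, but a per-run file costs nothing and removes the assumption: `funcs=$(mktemp) || exit 1`, `curl -sSf https://$mgr/confluent-public/os/$profile/scripts/functions > "$funcs" || exit 1`, `. "$funcs"`.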
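Review bot: `./$cmd $*` in run_remote and `/usr/libexec/platform-python $*` in run_remote_python re-split the caller's arguments on whitespace, so an argument containing a space reaches the script as several; `./"$cmd" "$@"` and `/usr/libexec/platform-python "$@"` pass them through intact. `cd $tmpdir` is not checked in either function, so if `mktemp -d` fails the script is downloaded into and executed from whatever the current directory happens to be; `cd "$tmpdir" || return 1` stops that. Neither function removes `$tmpdir` afterwards, and `requestedcmd`, `tmpdir`, `cmd` and `retcode` are not `local`, so they leak into the shell that sourced this file.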
+++ b/misc/xcatstateless/scripts/setupssh.sh
@@ -0,0 +1,27 @@
+#!/bin/sh
+
+rm /etc/ssh/*host*key* >& /dev/null
+ssh-keygen -A
+/usr/libexec/platform-python /etc/confluent/apiclient >& /dev/null
+for pubkey in /etc/ssh/ssh_host*key.pub; do
+certfile=${pubkey/.pub/-cert.pub}
+/usr/libexec/platform-python /etc/confluent/apiclient /confluent-api/self/sshcert $pubkey > $certfile
+echo HostCertificate $certfile >> /etc/ssh/sshd_config
+done
+
+echo HostbasedAuthentication yes >> /etc/ssh/sshd_config
+echo HostbasedUsesNameFromPacketOnly yes >> /etc/ssh/sshd_config
+echo IgnoreRhosts no >> /etc/ssh/sshd_config
+if [ -d /etc/ssh/ssh_config.d/ ]; then
+sshconf=/etc/ssh/ssh_config.d/01-confluent.conf
+fi
+echo 'Host *' >> $sshconf
+echo ' HostbasedAuthentication yes' >> $sshconf
+echo ' EnableSSHKeysign yes' >> $sshconf
+echo ' HostbasedKeyTypes *ed25519*' >> $sshconf
+
+curl -Ssf -H "CONFLUENT_NODENAME: $nodename" -H "CONFLUENT_APIKEY: $(cat /etc/confluent/confluent.apikey)" https://$mgr/confluent-api/self/nodelist > /tmp/allnodes
+cp /tmp/allnodes /etc/ssh/shosts.equiv
+cp /tmp/allnodes /root/.shosts
+rm /tmp/allnodes
+
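Review bot: `sshconf` is only assigned when `/etc/ssh/ssh_config.d/` exists, so on an image without that directory the four `>> $sshconf` redirections have an empty target, bash reports an ambiguous redirect, and the client-side `HostbasedAuthentication`/`EnableSSHKeysign` settings are never written while the sshd side is; add `else sshconf=/etc/ssh/ssh_config` before the `fi`. The loop also appends `HostCertificate $certfile` regardless of whether the `apiclient ... /confluent-api/self/sshcert` call produced anything, so a failed request leaves an empty certificate file referenced from `sshd_config`; gating the `echo` on that command's exit status (`... > $certfile && echo HostCertificate ...`) avoids that. A short comment above the `HostbasedUsesNameFromPacketOnly yes` / `IgnoreRhosts no` lines stating that host-based trust here is bounded by the `@cert-authority` entries the pre-pivot hook writes to `ssh_known_hosts` and by the nodelist copied into `shosts.equiv` would help the next reader judge the configuration.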