Jarrod Johnson 624984b1c9 Do not assume SPCR until confluent confirms text console
TIOCCONS was called for users that did not want to use serial.  This
makes the serial console delayed when automatic, but keeps video
users from being confused.
2021-12-09 10:34:12 -05:00

#!/bin/sh
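#######################################
# Recover a confluent API key that an earlier boot sealed into the TPM.
# Globals:   confluent_apikey, lasthdl (written)
#            confluent_nodename, confluent_http_mgr (read; set by the caller)
# Outputs:   writes the recovered key to /etc/confluent/confluent.apikey
# Returns:   0; confluent_apikey is empty when no usable key was found or
#            the server rejected it
#######################################
get_tpm_apikey() {
  lasthdl=""
  if [ -c /dev/tpmrm0 ]; then
    # The tpm2 tools write their session/policy scratch files into the cwd;
    # keep them out of the caller's directory (same pattern as get_remote_apikey).
    tpmtmp=$(mktemp -d) || return 1
    cd "$tpmtmp" || { rm -rf -- "$tpmtmp"; return 1; }
    # word-splitting intended: one persistent handle per word
    for hdl in $(tpm2_getcap handles-persistent | awk '{print $2}'); do
      # The unseal policy is bound to PCR 15; once the boot flow extends
      # PCR 15 (later in this script) the same object can no longer be read.
      tpm2_startauthsession --policy-session --session=session.ctx
      tpm2_policypcr -Q --session=session.ctx --pcr-list="sha256:15" --policy=pcr15.sha256.policy
      # Objects that are not ours, or were sealed under another policy, simply
      # fail to unseal; their error output is not interesting.
      unsealeddata=$(tpm2_unseal --auth=session:session.ctx -Q -c "$hdl" 2>/dev/null)
      tpm2_flushcontext session.ctx
      case "$unsealeddata" in
        CONFLUENT_APIKEY:*)
          confluent_apikey=${unsealeddata#CONFLUENT_APIKEY:}
          printf '%s\n' "$confluent_apikey" > /etc/confluent/confluent.apikey
          # Keep only the most recently found copy; evict any earlier one.
          if [ -n "$lasthdl" ]; then
            tpm2_evictcontrol -c "$lasthdl"
          fi
          lasthdl=$hdl
          ;;
      esac
    done
    cd - > /dev/null
    rm -rf -- "${tpmtmp:?}"
  fi
  if [ -n "$confluent_apikey" ]; then
    # Confirm the deployment server still accepts the key before trusting it.
    # NOTE(review): a transient failure here (network, server down) also
    # evicts the sealed copy, so the next attempt has to go through the
    # remote (apiarmed) path.
    if ! curl --cacert /etc/confluent/ca.pem -sSf \
        -H "CONFLUENT_NODENAME: $confluent_nodename" \
        -H "CONFLUENT_APIKEY: $confluent_apikey" \
        "https://${confluent_http_mgr}/confluent-api/self/myattribs" > /dev/null; then
      if [ -n "$lasthdl" ]; then
        tpm2_evictcontrol -c "$lasthdl"
      fi
      confluent_apikey=""
    fi
  fi
}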
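#######################################
# Obtain the node API key from the deployment server, retrying until one is
# issued, and seal it into the TPM (when present) for reuse on later boots.
# Globals:   confluent_apikey (written)
#            confluent_nodename, confluent_mgr (read; set by the caller)
# Outputs:   writes the key to /etc/confluent/confluent.apikey; progress on stdout
# Returns:   0 once a non-empty key has been obtained (loops until then)
#######################################
get_remote_apikey() {
  while [ -z "$confluent_apikey" ]; do
    /opt/confluent/bin/clortho "$confluent_nodename" "$confluent_mgr" > /etc/confluent/confluent.apikey
    if grep -q '^SEALED:' /etc/confluent/confluent.apikey; then
      # we don't support remote sealed api keys anymore
      echo > /etc/confluent/confluent.apikey
    fi
    confluent_apikey=$(cat /etc/confluent/confluent.apikey)
    if [ -z "$confluent_apikey" ]; then
      echo "Unable to acquire node api key, set deployment.apiarmed=once on node '$confluent_nodename', retrying..."
      sleep 10
    elif [ -c /dev/tpmrm0 ]; then
      # Seal the key under the current PCR 15 value so the next boot can read
      # it back through get_tpm_apikey (until PCR 15 is extended again).
      tmpdir=$(mktemp -d)
      if [ -n "$tmpdir" ] && cd "$tmpdir"; then
        tpm2_startauthsession --session=session.ctx
        tpm2_policypcr -Q --session=session.ctx --pcr-list="sha256:15" --policy=pcr15.sha256.policy
        tpm2_createprimary -G ecc -Q --key-context=prim.ctx
        # The prefix must be written without a trailing newline; printf is
        # used because 'echo -n' is not portable under /bin/sh.
        { printf '%s' "CONFLUENT_APIKEY:"; cat /etc/confluent/confluent.apikey; } \
          | tpm2_create -Q --policy=pcr15.sha256.policy --public=data.pub --private=data.priv -i - -C prim.ctx
        tpm2_load -Q --parent-context=prim.ctx --public=data.pub --private=data.priv --name=confluent.apikey --key-context=data.ctx
        tpm2_evictcontrol -Q -c data.ctx
        tpm2_flushcontext session.ctx
        cd - > /dev/null
        rm -rf -- "${tmpdir:?}"
      else
        # Without a scratch directory the tpm2 tools would litter (or fail
        # in) the current directory; skip sealing rather than risk that.
        echo "Unable to create a scratch directory; api key will not be sealed in the TPM" >&2
      fi
    fi
  done
}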
# When the kernel command line carries no console= setting, let autocons
# pick one and remember just the device name (the part after the last '/').
grep -q console= /proc/cmdline || {
  autocons=$(/opt/confluent/bin/autocons)
  autocons=${autocons##*/}
  echo "Automatic console configured for $autocons"
}
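# Minimal runtime environment: an account for sshd, every NIC brought up,
# the deployment CA bundle, and an initial discovery record from copernicus.
# Add the sshd account only once so a re-run does not duplicate the entry.
grep -q '^sshd:' /etc/passwd || echo 'sshd:x:30:30:SSH User:/var/empty/sshd:/sbin/nologin' >> /etc/passwd
# Walk the interfaces by absolute path instead of cd-ing into sysfs: if
# /sys/class/net were missing, 'for nic in *' would iterate the current
# directory instead and feed its entries to 'ip link'.
for nicpath in /sys/class/net/*; do
  [ -e "$nicpath" ] || continue
  ip link set "${nicpath##*/}" up
done
mkdir -p /etc/confluent
mkdir -p /etc/ssl/certs
# The same PEM bundle becomes the system trust store and the explicit
# --cacert used by every confluent API call later in this script.
cat /tls/*.pem > /etc/ssl/certs/ca-certificates.crt
cat /tls/*.pem > /etc/confluent/ca.pem
/opt/confluent/bin/copernicus -t > /etc/confluent/confluent.info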
# Wait up to 30 attempts (one second apart) for copernicus to report an
# EXTMGRINFO record whose third '|'-separated field contains a 1,
# refreshing confluent.info on every attempt.
TRIES=0
until grep '^EXTMGRINFO:' /etc/confluent/confluent.info | awk -F'|' '{print $3}' | grep -q 1 || [ "$TRIES" -ge 30 ]; do
  TRIES=$((TRIES + 1))
  /opt/confluent/bin/copernicus -t > /etc/confluent/confluent.info
  sleep 1
done
# Prefer the first EXTMGRINFO entry whose line ends in 1; otherwise fall
# back to the first MANAGER line.
confluent_mgr=$(grep '^EXTMGRINFO:.*1$' /etc/confluent/confluent.info | head -n 1 | awk -F': ' '{print $2}' | awk -F'|' '{print $1}')
[ -n "$confluent_mgr" ] || confluent_mgr=$(grep '^MANAGER:' /etc/confluent/confluent.info | head -n 1 | awk '{print $2}')
# A literal IPv6 address has to be bracketed when used inside a URL.
case "$confluent_mgr" in
  *:*) confluent_http_mgr="[$confluent_mgr]" ;;
  *)   confluent_http_mgr=$confluent_mgr ;;
esac
confluent_nodename=$(grep '^NODENAME:' /etc/confluent/confluent.info | awk '{print $NF}')
# Left unquoted on purpose: an empty nodename must not become an explicit
# empty-string argument to hostname.
hostname $confluent_nodename
# Prefer a key sealed in the TPM by an earlier boot; only ask the server
# when none was recovered (or the recovered one was rejected).
get_tpm_apikey
[ -n "$confluent_apikey" ] || get_remote_apikey
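# A manager address carrying a '%' scope id tells us which interface the
# manager was reached on; resolve it to an interface name for the static
# network configuration below. Done with parameter expansion instead of an
# awk round-trip through a temp file.
case "$confluent_mgr" in
  *%*)
    ifidx=${confluent_mgr#*%}
    # Still published here; presumably later deployment stages read this
    # file — confirm before removing it.
    printf '%s\n' "$ifidx" > /tmp/confluent.ifidx
    case "$ifidx" in
      *[!0-9]*)
        # A zone id may already be an interface name (fe80::1%eth0).
        ifname=$ifidx
        ;;
      *)
        # Numeric index: map it through 'ip link' ("2: eth0: ..." -> eth0).
        ifname=$(ip link | grep "^$ifidx:" | awk '{print $2}')
        ifname=${ifname%:}
        ;;
    esac
    ;;
esac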
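# Pull this node's deployment configuration, authenticated with the API key
# obtained above. With -f an HTTP error leaves the file empty rather than
# filled with an error body; report it so an empty config is explainable.
curl --cacert /etc/confluent/ca.pem -sSf \
  -H "CONFLUENT_NODENAME: $confluent_nodename" \
  -H "CONFLUENT_APIKEY: $confluent_apikey" \
  "https://${confluent_http_mgr}/confluent-api/self/deploycfg2" > /etc/confluent/confluent.deploycfg \
  || echo "Failed to retrieve deployment configuration from $confluent_mgr" >&2
# Switch to the automatically chosen serial console only once confluent
# confirms a text console. The pattern is one quoted argument: unquoted,
# 'true' was parsed as a second file name, so grep complained about a
# missing file and matched any 'textconsole:' line regardless of value.
if [ -n "$autocons" ] && grep -q 'textconsole: true' /etc/confluent/confluent.deploycfg; then
  /opt/confluent/bin/autocons -c > /dev/null
fi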
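# Static addressing from the deployment config. ifname comes from the scope
# id of the manager address; if the manager was not reached through a scoped
# address it is empty and 'ip' reports the missing device.
v6meth=$(grep '^ipv6_method:' /etc/confluent/confluent.deploycfg | awk '{print $2}')
if [ "$v6meth" = static ]; then
  v6addr=$(grep '^ipv6_address:' /etc/confluent/confluent.deploycfg | awk '{print $2}')
  v6prefix=$(grep '^ipv6_prefix:' /etc/confluent/confluent.deploycfg | awk '{print $2}')
  ip addr add dev "$ifname" "$v6addr/$v6prefix"
  v6gw=$(grep '^ipv6_gateway:' /etc/confluent/confluent.deploycfg | awk '{print $2}')
  # An absent gateway arrives as empty or the literal 'null'; add no route then.
  if [ -n "$v6gw" ] && [ "$v6gw" != null ]; then
    ip route add default via "$v6gw"
  fi
fi
# Keyed on ipv4_method: this previously read ipv6_method (copy/paste), so
# IPv4 static addressing was only applied when the IPv6 method was static.
v4meth=$(grep '^ipv4_method:' /etc/confluent/confluent.deploycfg | awk '{print $2}')
if [ "$v4meth" = static ]; then
  v4addr=$(grep '^ipv4_address:' /etc/confluent/confluent.deploycfg | awk '{print $2}')
  # The IPv4 prefix length is published under the bare 'prefix:' key.
  v4prefix=$(grep '^prefix:' /etc/confluent/confluent.deploycfg | awk '{print $2}')
  ip addr add dev "$ifname" "$v4addr/$v4prefix"
  v4gw=$(grep '^ipv4_gateway:' /etc/confluent/confluent.deploycfg | awk '{print $2}')
  if [ -n "$v4gw" ] && [ "$v4gw" != null ]; then
    ip route add default via "$v4gw"
  fi
fi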
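# Stand up sshd on port 2222 with freshly generated host keys, and have
# confluent sign each host key so clients trusting the confluent CA can
# verify this node.
mkdir -p /run/sshd
mkdir -p /etc/ssh
echo 'Port 2222' > /etc/ssh/sshd_config
ssh-keygen -A
for k in /etc/ssh/*key.pub; do
  [ -e "$k" ] || continue
  # ssh_host_X_key.pub -> ssh_host_X_key (private key) and
  # ssh_host_X_key-cert.pub (certificate), via parameter expansion rather
  # than an unanchored sed substitution.
  privkey=${k%.pub}
  certfile=${privkey}-cert.pub
  # -f keeps an HTTP error page from being appended to the certificate file.
  curl --cacert /etc/confluent/ca.pem -sSf \
    -H "CONFLUENT_NODENAME: $confluent_nodename" \
    -H "CONFLUENT_APIKEY: $confluent_apikey" \
    -d "@$k" "https://${confluent_http_mgr}/confluent-api/self/sshcert" >> "$certfile"
  if [ -s "$certfile" ]; then
    grep -qF "$certfile" /etc/ssh/sshd_config || echo "HostCertificate $certfile" >> /etc/ssh/sshd_config
    grep -qF "HostKey $privkey" /etc/ssh/sshd_config || echo "HostKey $privkey" >> /etc/ssh/sshd_config
  fi
done
/usr/sbin/sshd
mkdir -p /root/.ssh
# Owner-only, as sshd's StrictModes expects for the authorized_keys directory.
chmod 700 /root/.ssh
cat /ssh/*pubkey > /root/.ssh/authorized_keys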
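# Extend PCR 15 now that the API key has been consumed: the key was sealed
# against the pre-extension PCR 15 value (see get_remote_apikey), so from
# here on it cannot be unsealed again during this boot.
if [ -c /dev/tpmrm0 ]; then
  tpm2_pcrextend 15:sha256=2fbe96c50dde38ce9cd2764ddb79c216cfbcd3499568b1125450e60c45dd19f2
fi
confluent_profile=$(grep '^profile:' /etc/confluent/confluent.deploycfg | awk '{print $2}')
# Not used in this script and not exported, so the exec'd stage below does
# not see it either; presumably historical — confirm before removing.
confluent_proto=$(grep '^protocol:' /etc/confluent/confluent.deploycfg | awk '{print $2}')
# NOTE(review): deploy_server is used unbracketed; a literal IPv6 address
# here would need the same bracketing applied to confluent_http_mgr above.
confluent_mgr=$(grep '^deploy_server:' /etc/confluent/confluent.deploycfg | awk '{print $2}')
# The downloaded script is executed as the next boot stage, so its transport
# must be authenticated: pin it to the confluent CA like every other fetch in
# this script rather than relying on curl's default trust store, and report a
# failed download instead of silently exec'ing an empty file.
if ! curl --cacert /etc/confluent/ca.pem -sSf \
    "https://$confluent_mgr/confluent-public/os/$confluent_profile/scripts/functions" > /etc/confluent/functions; then
  echo "Failed to retrieve /confluent-public/os/$confluent_profile/scripts/functions from $confluent_mgr" >&2
fi
exec /bin/bash /etc/confluent/functions source_remote imageboot.sh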