mirror of
https://github.com/xcat2/confluent.git
synced 2025-01-16 12:47:50 +00:00
624984b1c9
TIOCCONS was called for users that did not want to use serial. This makes the serial console delayeed when automatic, but avoids video users from being confused.
148 lines
6.9 KiB
Bash
148 lines
6.9 KiB
Bash
#!/bin/sh
|
|
get_tpm_apikey() {
|
|
lasthdl=""
|
|
if [ -c /dev/tpmrm0 ]; then
|
|
for hdl in $(tpm2_getcap handles-persistent|awk '{print $2}'); do
|
|
tpm2_startauthsession --policy-session --session=session.ctx
|
|
tpm2_policypcr -Q --session=session.ctx --pcr-list="sha256:15" --policy=pcr15.sha256.policy
|
|
unsealeddata=$(tpm2_unseal --auth=session:session.ctx -Q -c $hdl 2>/dev/null)
|
|
tpm2_flushcontext session.ctx
|
|
if echo $unsealeddata | grep "^CONFLUENT_APIKEY:" > /dev/null; then
|
|
confluent_apikey=${unsealeddata#CONFLUENT_APIKEY:}
|
|
echo $confluent_apikey > /etc/confluent/confluent.apikey
|
|
if [ -n "$lasthdl" ]; then
|
|
tpm2_evictcontrol -c $lasthdl
|
|
fi
|
|
lasthdl=$hdl
|
|
fi
|
|
done
|
|
fi
|
|
if [ ! -z "$confluent_apikey" ]; then
|
|
if ! curl --cacert /etc/confluent/ca.pem -sSf -H "CONFLUENT_NODENAME: $confluent_nodename" -H "CONFLUENT_APIKEY: $confluent_apikey" https://${confluent_http_mgr}/confluent-api/self/myattribs > /dev/null; then
|
|
tpm2_evictcontrol -c $lasthdl
|
|
confluent_apikey=""
|
|
fi
|
|
fi
|
|
}
|
|
|
|
get_remote_apikey() {
|
|
while [ -z "$confluent_apikey" ]; do
|
|
/opt/confluent/bin/clortho $confluent_nodename $confluent_mgr > /etc/confluent/confluent.apikey
|
|
if grep ^SEALED: /etc/confluent/confluent.apikey > /dev/null; then
|
|
# we don't support remote sealed api keys anymore
|
|
echo > /etc/confluent/confluent.apikey
|
|
fi
|
|
confluent_apikey=$(cat /etc/confluent/confluent.apikey)
|
|
if [ -z "$confluent_apikey" ]; then
|
|
echo "Unable to acquire node api key, set deployment.apiarmed=once on node '$confluent_nodename', retrying..."
|
|
sleep 10
|
|
elif [ -c /dev/tpmrm0 ]; then
|
|
tmpdir=$(mktemp -d)
|
|
cd $tmpdir
|
|
tpm2_startauthsession --session=session.ctx
|
|
tpm2_policypcr -Q --session=session.ctx --pcr-list="sha256:15" --policy=pcr15.sha256.policy
|
|
tpm2_createprimary -G ecc -Q --key-context=prim.ctx
|
|
(echo -n "CONFLUENT_APIKEY:";cat /etc/confluent/confluent.apikey) | tpm2_create -Q --policy=pcr15.sha256.policy --public=data.pub --private=data.priv -i - -C prim.ctx
|
|
tpm2_load -Q --parent-context=prim.ctx --public=data.pub --private=data.priv --name=confluent.apikey --key-context=data.ctx
|
|
tpm2_evictcontrol -Q -c data.ctx
|
|
tpm2_flushcontext session.ctx
|
|
cd - > /dev/null
|
|
rm -rf $tmpdir
|
|
fi
|
|
done
|
|
}
|
|
|
|
if ! grep console= /proc/cmdline > /dev/null; then
|
|
autocons=$(/opt/confluent/bin/autocons)
|
|
autocons=${autocons##*/}
|
|
echo "Automatic console configured for $autocons"
|
|
fi
|
|
echo sshd:x:30:30:SSH User:/var/empty/sshd:/sbin/nologin >> /etc/passwd
|
|
cd /sys/class/net
|
|
for nic in *; do
|
|
ip link set $nic up
|
|
done
|
|
mkdir -p /etc/confluent
|
|
cd - > /dev/null
|
|
mkdir -p /etc/ssl/certs
|
|
cat /tls/*.pem > /etc/ssl/certs/ca-certificates.crt
|
|
cat /tls/*.pem > /etc/confluent/ca.pem
|
|
/opt/confluent/bin/copernicus -t > /etc/confluent/confluent.info
|
|
TRIES=0
|
|
while ! grep ^EXTMGRINFO: /etc/confluent/confluent.info | awk -F'|' '{print $3}' | grep 1 > /dev/null && [ "$TRIES" -lt 30 ]; do
|
|
TRIES=$((TRIES + 1))
|
|
/opt/confluent/bin/copernicus -t > /etc/confluent/confluent.info
|
|
sleep 1
|
|
done
|
|
confluent_mgr=$(grep '^EXTMGRINFO:.*1$' /etc/confluent/confluent.info | head -n 1 | awk -F': ' '{print $2}' | awk -F'|' '{print $1}')
|
|
if [ -z "$confluent_mgr" ]; then
|
|
confluent_mgr=$(grep ^MANAGER: /etc/confluent/confluent.info|head -n 1 | awk '{print $2}')
|
|
fi
|
|
if echo $confluent_mgr | grep : >/dev/null; then
|
|
confluent_http_mgr="[$confluent_mgr]"
|
|
else
|
|
confluent_http_mgr=$confluent_mgr
|
|
fi
|
|
confluent_nodename=$(grep ^NODENAME: /etc/confluent/confluent.info |awk '{print $NF}')
|
|
hostname $confluent_nodename
|
|
get_tpm_apikey
|
|
if [ -z "$confluent_apikey" ]; then
|
|
get_remote_apikey
|
|
fi
|
|
if echo $confluent_mgr | grep '%' > /dev/null; then
|
|
echo $confluent_mgr | awk -F% '{print $2}' > /tmp/confluent.ifidx
|
|
ifidx=$(cat /tmp/confluent.ifidx)
|
|
ifname=$(ip link |grep ^$ifidx:|awk '{print $2}')
|
|
ifname=${ifname%:}
|
|
fi
|
|
curl --cacert /etc/confluent/ca.pem -sSf -H "CONFLUENT_NODENAME: $confluent_nodename" -H "CONFLUENT_APIKEY: $confluent_apikey" https://${confluent_http_mgr}/confluent-api/self/deploycfg2 > /etc/confluent/confluent.deploycfg
|
|
if [ ! -z "$autocons" ] && grep textconsole: true /etc/confluent/confluent.deploycfg > /dev/null; then /opt/confluent/bin/autocons -c > /dev/null; fi
|
|
v6meth=$(grep ^ipv6_method: /etc/confluent/confluent.deploycfg|awk '{print $2}')
|
|
if [ "$v6meth" = static ]; then
|
|
v6addr=$(grep ^ipv6_address: /etc/confluent/confluent.deploycfg | awk '{print $2}')
|
|
v6prefix=$(grep ^ipv6_prefix: /etc/confluent/confluent.deploycfg | awk '{print $2}')
|
|
ip addr add dev $ifname $v6addr/$v6prefix
|
|
v6gw=$(grep ^ipv6_gateway: /etc/confluent/confluent.deploycfg | awk '{print $2}')
|
|
if [ ! -z "$v6gw" -a "$v6gw" != "null" ]; then
|
|
ip route add default via $v6gw
|
|
fi
|
|
fi
|
|
v4meth=$(grep ^ipv6_method: /etc/confluent/confluent.deploycfg|awk '{print $2}')
|
|
if [ "$v4meth" = static ]; then
|
|
v4addr=$(grep ^ipv4_address: /etc/confluent/confluent.deploycfg | awk '{print $2}')
|
|
v4prefix=$(grep ^prefix: /etc/confluent/confluent.deploycfg | awk '{print $2}')
|
|
ip addr add dev $ifname $v4addr/$v4prefix
|
|
v4gw=$(grep ^ipv4_gateway: /etc/confluent/confluent.deploycfg | awk '{print $2}')
|
|
if [ ! -z "$v4gw" -a "$v4gw" != "null" ]; then
|
|
ip route add default via $v4gw
|
|
fi
|
|
fi
|
|
mkdir -p /run/sshd
|
|
mkdir -p /etc/ssh
|
|
echo Port 2222 > /etc/ssh/sshd_config
|
|
ssh-keygen -A
|
|
for k in /etc/ssh/*key.pub; do
|
|
certfile=$(echo $k|sed -e s/.pub/-cert.pub/)
|
|
privkey=$(echo $k|sed -e s/.pub//)
|
|
curl --cacert /etc/confluent/ca.pem -sSf -H "CONFLUENT_NODENAME: $confluent_nodename" -H "CONFLUENT_APIKEY: $confluent_apikey" -d @$k https://${confluent_http_mgr}/confluent-api/self/sshcert >> $certfile
|
|
if [ -s $certfile ]; then
|
|
if ! grep $certfile /etc/ssh/sshd_config > /dev/null; then
|
|
echo HostCertificate $certfile >> /etc/ssh/sshd_config
|
|
fi
|
|
if ! grep "HostKey $privkey" /etc/ssh/sshd_config > /dev/null; then
|
|
echo HostKey $privkey >> /etc/ssh/sshd_config
|
|
fi
|
|
fi
|
|
done
|
|
/usr/sbin/sshd
|
|
mkdir -p /root/.ssh
|
|
cat /ssh/*pubkey > /root/.ssh/authorized_keys
|
|
if [ -c /dev/tpmrm0 ]; then
|
|
tpm2_pcrextend 15:sha256=2fbe96c50dde38ce9cd2764ddb79c216cfbcd3499568b1125450e60c45dd19f2
|
|
fi
|
|
confluent_profile=$(grep ^profile: /etc/confluent/confluent.deploycfg| awk '{print $2}')
|
|
confluent_proto=$(grep ^protocol: /etc/confluent/confluent.deploycfg| awk '{print $2}')
|
|
confluent_mgr=$(grep ^deploy_server: /etc/confluent/confluent.deploycfg| awk '{print $2}')
|
|
curl -sf https://$confluent_mgr/confluent-public/os/$confluent_profile/scripts/functions > /etc/confluent/functions
|
|
exec /bin/bash /etc/confluent/functions source_remote imageboot.sh
|