diff --git a/perl-xCAT/xCAT/Schema.pm b/perl-xCAT/xCAT/Schema.pm
index 3c1fe110f..a77358ce0 100755
--- a/perl-xCAT/xCAT/Schema.pm
+++ b/perl-xCAT/xCAT/Schema.pm
@@ -1178,6 +1178,8 @@ passed as argument rather than by table value',
 " all of the nodes passed into the cmd and create the mypostscript file\n" .
 " for each node, and put them in a directory of tftpdir(such as: /tftpboot)\n" .
 " If no, it will not generate the mypostscript file in the tftpdir.\n\n" .
+" secureroot: If set to 1, xCAT will use secure mode to transfer root password hash\n" .
+" during the installation. Default is 0.\n\n" .
 " setinstallnic: Set the network configuration for installnic to be static.\n\n" .
 " sharedtftp: Set to 0 or no, xCAT should not assume the directory\n" .
 " in tftpdir is mounted on all on Service Nodes. Default is 1/yes.\n" .
diff --git a/xCAT-server/lib/perl/xCAT/Template.pm b/xCAT-server/lib/perl/xCAT/Template.pm
index 0fd80d9ef..1440272b3 100644
--- a/xCAT-server/lib/perl/xCAT/Template.pm
+++ b/xCAT-server/lib/perl/xCAT/Template.pm
@@ -1598,6 +1598,7 @@ sub crydb
 };
 $kp = $get_query_map->($key);
 return undef if (!defined($kp));
+ return '*' if ($::XCATSITEVALS{secureroot} eq "1");
 return xCAT::PasswordUtils::crypt_system_password($table, $kp, \@fields);
 }
diff --git a/xCAT-server/lib/xcat/plugins/credentials.pm b/xCAT-server/lib/xcat/plugins/credentials.pm
index f613f0152..f046deaeb 100644
--- a/xCAT-server/lib/xcat/plugins/credentials.pm
+++ b/xCAT-server/lib/xcat/plugins/credentials.pm
@@ -33,6 +33,7 @@ use IO::Socket::INET;
 use Time::HiRes qw(sleep);
 use xCAT::Utils;
+use xCAT::PasswordUtils;
 use xCAT::MsgUtils;
 use Getopt::Long;
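Review bot: The new guard in crydb compares `$::XCATSITEVALS{secureroot}` with `eq "1"` although the attribute is unset on every site that has not opted in, so under `use warnings` each crydb call on such a site emits an uninitialized-value warning, and the string compare also disagrees with packimage.pm, which tests the same attribute numerically with `== 1`. Make the test defined-safe and use one form in both places: `return '*' if (defined($::XCATSITEVALS{secureroot}) && $::XCATSITEVALS{secureroot} eq "1");`. A short comment above it would help the next reader, e.g. `# secureroot: keep the hash out of the rendered template; '*' leaves root locked until the node pulls the real hash from the credentials service`. The check sits after the `defined($kp)` guard, so a password row must still exist before '*' is returned, whereas the packimage path returns '*' even when no password is configured — presumably intended, but worth confirming. crydb's body begins before this hunk.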
@@ -316,6 +317,16 @@ sub process_request
 }
 $tfilename = "/etc/xcatdockerca/cert/dockerhost-cert.pem";
+ } elsif ($parm =~ /xcat_secure_pw:/) {
+ xCAT::MsgUtils->trace(0, 'I', "credentials: sending $parm to $client");
+ my @users=split(/:/,$parm);
+ if (defined($users[1]) and $users[1] eq 'root') {
+ my $pass = xCAT::PasswordUtils::crypt_system_password();
+ if ($pass) {
+ push @{$rsp->{'data'}}, { content => [ $pass ], desc => [ $parm ] };
+ }
+ }
+ next;
 } else {
 xCAT::MsgUtils->trace(0, 'W', "credentials: Not supported type: $parm");
 next;
diff --git a/xCAT-server/lib/xcat/plugins/packimage.pm b/xCAT-server/lib/xcat/plugins/packimage.pm
index 709a04b31..18a219b3d 100755
--- a/xCAT-server/lib/xcat/plugins/packimage.pm
+++ b/xCAT-server/lib/xcat/plugins/packimage.pm
@@ -394,11 +394,15 @@ sub process_request {
 system("umount $rootimg_dir/proc");
 copybootscript($installroot, $rootimg_dir, $osver, $arch, $profile, $callback);
+
 my $pass = xCAT::PasswordUtils::crypt_system_password();
 if (!defined($pass)) {
 $pass = 'cluster';
 }
-
+ my @secure_root = xCAT::TableUtils->get_site_attribute("secureroot");
+ if ($secure_root[0] == 1) {
+ $pass = '*';
+ }
 my $oldmask = umask(0077);
 my $shadow;
 open($shadow, "<", "$rootimg_dir/etc/shadow");
diff --git a/xCAT/postscripts/remoteshell b/xCAT/postscripts/remoteshell
index 5d35add8e..4b424888d 100755
--- a/xCAT/postscripts/remoteshell
+++ b/xCAT/postscripts/remoteshell
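Review bot: Nothing in the new `xcat_secure_pw` branch checks that site.secureroot is actually enabled before the root password hash is returned, and the selector `$parm =~ /xcat_secure_pw:/` is unanchored, so any parameter containing that substring reaches it. Whatever client authorization process_request applies earlier is outside this hunk and I cannot judge it, so gate the response on the same attribute the other hunks read: `} elsif ($parm =~ /\Axcat_secure_pw:/) {` followed by `my @secure_root = xCAT::TableUtils->get_site_attribute("secureroot");` and `if (defined($secure_root[0]) and $secure_root[0] eq "1" and defined($users[1]) and $users[1] eq 'root') {` (using whichever site-table accessor this plugin already loads). When crypt_system_password() returns nothing the branch silently sends an empty response and the node then retries ten times, so a trace such as `xCAT::MsgUtils->trace(0, 'W', "credentials: no root password configured for $parm");` would make that failure diagnosable. process_request continues outside this hunk.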
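Review bot: `$secure_root[0] == 1` is a numeric test on a site attribute that is undefined when secureroot was never set and free text when it was, so it warns on every packimage run and differs from Template.pm, which tests the same attribute with `eq "1"`; a value such as `yes` satisfies neither and silently leaves the real hash in the image. Use one defined-safe string test in both places, `if (defined($secure_root[0]) && $secure_root[0] eq "1") {`, and state the intent above it, e.g. `# secureroot: ship root locked ('*') in the image shadow; the remoteshell postscript installs the real hash from the credentials service`. The pre-existing fallback to the literal `cluster` password a few lines up is untouched here, but with secureroot=1 the '*' assignment overrides it, and the comment should say which wins so the fallback is not mistaken for the secure path. process_request begins and ends outside this hunk.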
@@ -462,6 +462,73 @@ then
 fi
 fi
+# if secureroot is enabled then we get root password hash, not for updatenode
+if [ "x$SECUREROOT" = "x1" ] && [ "x$UPDATENODE" != "x1" ]; then
+ logger -t xcat -p local4.info "remoteshell: secure root is enabled"
+ if [ $useflowcontrol = "1" ]; then
+ logger -t xcat -p local4.info "remoteshell: sending xcatflowrequest $master 3001"
+ /$xcatpost/xcatflowrequest $master 3001
+ rc=$?
+ if [ $rc -ne 0 ]; then
+ logger -t xcat -p local4.info "remoteshell: error from xcatflowrequest (rc=$rc), will not use flow control"
+ useflowcontrol=0
+ fi
+ fi
+ getcredentials.awk xcat_secure_pw:root | grep -E -v '|'|sed -e 's/<//' -e 's/&/&/' -e 's/"/"/' -e "s/'/'/" > /tmp/secure_root_hash
+
+ logger -t xcat -p local4.info "remoteshell: gathering password hash for root"
+ #check whether the message is an error or not
+ grep -E '' /tmp/secure_root_hash > /dev/null
+ if [ $? -ne 0 ]; then
+ #The message contains the data we request
+ rootpwhash=`cat /tmp/secure_root_hash | grep -E '' | sed -n 's%.*\(.*\).*%\1%p'`
+
+ MAX_RETRIES=10
+ RETRY=0
+ while [ -z "$rootpwhash" ]; do
+ if [ $useflowcontrol = "0" ]; then
+ let SLI=$RANDOM%10
+ let SLI=SLI+10
+ sleep $SLI
+ fi
+ RETRY=$(($RETRY+1))
+ if [ $RETRY -eq $MAX_RETRIES ]; then
+ ERR_MSG="Too many retries"
+ break
+ fi
+ if [ $useflowcontrol = "1" ]; then
+ #first contact daemon xcatflowrequest 3001
+ logger -t xcat -p local4.info "remoteshell: sending xcatflowrequest $master 3001"
+ /$xcatpost/xcatflowrequest $master 3001
+ rc=$?
+ if [ $rc -ne 0 ]; then
+ logger -t xcat -p local4.info "remoteshell: error from xcatflowrequest (rc=$rc), will not use flow control"
+ useflowcontrol=0
+ fi
+ fi
+ getcredentials.awk xcat_secure_pw:root | grep -E -v '|'|sed -e 's/<//' -e 's/&/&/' -e 's/"/"/' -e "s/'/'/" > /tmp/secure_root_hash
+ grep -E '' /tmp/secure_root_hash > /dev/null
+ if [ $? -ne 0 ]; then
+ rootpwhash=`cat /tmp/secure_root_hash | grep -E '' | sed -n 's%.*\(.*\).*%\1%p'`
+ else
+ ERR_MSG=`sed -n 's%.*\(.*\).*%\1%p' /tmp/secure_root_hash`
+ break
+ fi
+ done
+ if [ -n "$rootpwhash" ]; then
+ #updat shadow
+ usermod -p "$rootpwhash" root
+ fi
+ else
+ #This is an error message
+ ERR_MSG=`sed -n 's%.*\(.*\).*%\1%p' /tmp/secure_root_hash`
+ fi
+ rm /tmp/secure_root_hash
+ if [ "x" != "x$ERR_MSG" ]; then
+ logger -t xcat -p local4.err "Failed to acquire secure root password: $ERR_MSG"
+ fi
+fi
+
 # start up the sshd for syncfiles postscript to do the sync work
 logger -t xcat -p local4.info "start up sshd"
 if [[ $OSVER == ubuntu* || $OSVER == debian* ]]
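Review bot: The root hash is staged in the fixed path `/tmp/secure_root_hash` by a plain `>` redirection under whatever umask the postscript inherits, so for the whole fetch/retry loop the hash can sit in a world-readable file with a predictable name; create it 0600 once before the first fetch, e.g. `rm -f /tmp/secure_root_hash; (umask 077; : > /tmp/secure_root_hash)` — the later redirections truncate but keep that mode — and finish with `rm -f`. `usermod -p "$rootpwhash" root` additionally exposes the hash on a command line readable by any local `ps`; `echo "root:$rootpwhash" | chpasswd -e` keeps it on stdin. The filter expressions `grep -E -v '|'`, `grep -E ''` and `sed -n 's%.*\(.*\).*%\1%p'` look as if their XML tag names were stripped by the renderer — as shown, `grep -E ''` matches every line so the error branch would always win — please verify them against the real file. When every retry fails root presumably stays locked at the '*' written by packimage/Template and the script only logs at local4.err, which is a reasonable fail-closed default but deserves a comment saying so, e.g. `# on failure root keeps the '*' hash from the image: no password login until the next successful fetch`. The enclosing script continues beyond the hunk.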