diff --git a/confluent_osdeploy/suse15/profiles/hpc/autoyast b/confluent_osdeploy/suse15/profiles/hpc/autoyast index ff56a689..0c983e70 100644 --- a/confluent_osdeploy/suse15/profiles/hpc/autoyast +++ b/confluent_osdeploy/suse15/profiles/hpc/autoyast @@ -72,33 +72,16 @@ @@ -110,43 +93,24 @@ sed -e s!%%INSTDISK%%!/dev/$(cat /tmp/installdisk)! -e s!%%NODENAME%%!$nodename! > /mnt/etc/ssh/sshd_config -done -for i in /ssh/*.ca; do - echo '@cert-authority *' $(cat $i) >> /mnt/etc/ssh/ssh_known_hosts -done -echo IgnoreRhosts no >> /mnt/etc/ssh/sshd_config -echo HostbasedAuthentication yes >> /mnt/etc/ssh/sshd_config -echo HostbasedUsesNameFromPacketOnly yes >> /mnt/etc/ssh/sshd_config -echo Host '*' >> /mnt/etc/ssh/ssh_config -echo " HostbasedAuthentication yes" >> /mnt/etc/ssh/ssh_config -echo " EnableSSHKeysign yes" >> /mnt/etc/ssh/ssh_config -echo " HostbasedKeyTypes *ed25519*" >> /mnt/etc/ssh/ssh_config -echo /usr/lib/ssh/ssh-keysign root:root 4711 >> /mnt/etc/permissions.local -chmod 4711 /mnt/usr/lib/ssh/ssh-keysign -cp /tmp/allnodes /mnt/root/.shosts -cp /tmp/allnodes /mnt/etc/ssh/shosts.equiv +mgr=$(grep ^ipv._server /tmp/confluent.deploycfg|awk '{print $2}') +profile=$(grep ^profile: /tmp/confluent.deploycfg|sed -e 's/^rootpassword: //') +proto=$(grep ^protocol: /tmp/confluent.deploycfg |awk '{print $2}') +curl $proto://$mgr/confluent-public/os/$profile/scripts/post.sh > /tmp/post.sh +. /tmp/post.sh +curl $proto://$mgr/confluent-public/os/$profile/scripts/firstboot.sh > /mnt/etc/confluent/firstboot.sh +chmod +x /mnt/etc/confluent/firstboot.sh ]]> - + diff --git a/confluent_osdeploy/suse15/profiles/hpc/scripts/firstboot.sh b/confluent_osdeploy/suse15/profiles/hpc/scripts/firstboot.sh new file mode 100644 index 00000000..08071dc1 --- /dev/null +++ b/confluent_osdeploy/suse15/profiles/hpc/scripts/firstboot.sh 
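Review bot: The new `profile=` line in the autoyast hunk strips the wrong prefix: `grep ^profile:` is piped through `sed -e 's/^rootpassword: //'`, which never matches, so `$profile` keeps its `profile: ` prefix and the two `confluent-public/os/$profile/scripts/...` URLs cannot resolve; use `sed -e 's/^profile: //'` (or the `awk '{print $2}'` the neighbouring `mgr`/`proto` lines use). Both `curl` calls also lack `-f`, so an HTTP error body would be written to `/tmp/post.sh` and then executed by `. /tmp/post.sh` in the installer shell (presumably as root); prefer `curl -f "$proto://$mgr/confluent-public/os/$profile/scripts/post.sh" -o /tmp/post.sh && . /tmp/post.sh`. Since `$proto` is read from deploycfg and may be plain http, this hunk replaces inline install logic with code fetched over the network and executed unauthenticated; if http is a supported value, that deserves a comment or a check here. The enclosing autoyast script block begins outside the hunk.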
@@ -0,0 +1,6 @@
+#!/bin/sh
+nodename=$(grep ^NODENAME /etc/confluent/confluent.info|awk '{print $2}')
+mgr=$(grep ^ipv._server /etc/confluent/confluent.deploycfg|awk '{print $2}')
+profile=$(grep ^profile: /etc/confluent/confluent.deploycfg|sed -e 's/^rootpassword: //')
+proto=$(grep ^protocol: /etc/confluent/confluent.deploycfg |awk '{print $2}')
+apikey=$(cat /etc/confluent/confluent.apikey)
diff --git a/confluent_osdeploy/suse15/profiles/hpc/scripts/post.sh b/confluent_osdeploy/suse15/profiles/hpc/scripts/post.sh
new file mode 100644
index 00000000..097ec625
--- /dev/null
+++ b/confluent_osdeploy/suse15/profiles/hpc/scripts/post.sh
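Review bot: The `profile=` line has a copy/paste slip: `grep ^profile:` is followed by `sed -e 's/^rootpassword: //'`, which never matches, so `$profile` ends up as `profile: <name>` instead of the bare name; change it to `sed -e 's/^profile: //'` or mirror the `awk '{print $2}'` used for `mgr` and `proto`. The script currently only assigns `nodename`, `mgr`, `profile`, `proto` and `apikey` and performs no action, so a header comment stating that it is a placeholder for first-boot steps, and that `/etc/confluent/confluent.apikey` is a secret that must not be echoed or put on a command line, would help the next maintainer. `ipv._server` is a regex, so if both an ipv4 and an ipv6 server line exist in deploycfg `$mgr` would hold two values; `grep -m1` or a specific key avoids that.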
@@ -0,0 +1,44 @@
+#!/bin/sh
+
+# This script runs when install is finished, but while the installer
+# is still running, with the to-be-booted system mounted in /mnt
+
+# Carry over install-time ssh material into installed system
+mkdir -p /mnt/root/.ssh/
+chmod 700 /mnt/root/.ssh/
+cp /root/.ssh/authorized_keys /mnt/root/.ssh/
+chmd 600 /mnt/root/.ssh/authorized_keys
+cp /etc/ssh/*key* /mnt/etc/ssh/
+for i in /etc/ssh/*-cert.pub; do
+ echo HostCertificate $i >> /mnt/etc/ssh/sshd_config
+done
+for i in /ssh/*.ca; do
+ echo '@cert-authority *' $(cat $i) >> /mnt/etc/ssh/ssh_known_hosts
+done
+# Enable ~/.shosts, for the sake of root user, who is forbidden from using shosts.equiv
+echo IgnoreRhosts no >> /mnt/etc/ssh/sshd_config
+echo HostbasedAuthentication yes >> /mnt/etc/ssh/sshd_config
+echo HostbasedUsesNameFromPacketOnly yes >> /mnt/etc/ssh/sshd_config
+echo Host '*' >> /mnt/etc/ssh/ssh_config
+echo " HostbasedAuthentication yes" >> /mnt/etc/ssh/ssh_config
+echo " EnableSSHKeysign yes" >> /mnt/etc/ssh/ssh_config
+# Limit the attempts of using host key. This prevents client from using 3 or 4
+# authentication attempts through host based attempts
+echo " HostbasedKeyTypes *ed25519*" >> /mnt/etc/ssh/ssh_config
+
+# In SUSE platform, setuid for ssh-keysign is required for host based,
+# and also must be opted into.
+echo /usr/lib/ssh/ssh-keysign root:root 4711 >> /mnt/etc/permissions.local
+chmod 4711 /mnt/usr/lib/ssh/ssh-keysign
+
+# Download list of nodes from confluent, and put it into shosts.equiv (for most users) and .shosts (for root)
+curl -f -H "CONFLUENT_NODENAME: $nodename" -H "CONFLUENT_APIKEY: $(cat /tmp/confluent.apikey)" https://$mgr/confluent-api/self/nodelist > /tmp/allnodes
+cp /tmp/allnodes /mnt/root/.shosts
+cp /tmp/allnodes /mnt/etc/ssh/shosts.equiv
+
+# carry over deployment configuration and api key for OS install action
+mkdir -p /mnt/etc/confluent
+chmod 700 /mnt/etc/confluent
+cp /tmp/confluent.* /mnt/etc/confluent/
+cp -a /tls /mnt/etc/confluent/
+
diff --git a/confluent_osdeploy/suse15/profiles/hpc/scripts/pre.sh b/confluent_osdeploy/suse15/profiles/hpc/scripts/pre.sh
new file mode 100644
index 00000000..ea90bb0f
--- /dev/null
+++ b/confluent_osdeploy/suse15/profiles/hpc/scripts/pre.sh
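Review bot: `chmd 600 /mnt/root/.ssh/authorized_keys` is a typo for `chmod`, so the command fails silently (the file has no `set -e` and is sourced by the caller) and the copied `authorized_keys` keeps whatever mode `cp` gave it; fix to `chmod 600 /mnt/root/.ssh/authorized_keys`. The nodelist `curl -f` result is unchecked, so on failure an empty `/tmp/allnodes` is installed as `shosts.equiv` and root's `.shosts`; check it before the two `cp` lines, e.g. `curl -f … -o /tmp/allnodes || return 1` (this file is sourced, so `exit` would end the caller). The API key is placed on curl's command line via `$(cat /tmp/confluent.apikey)`, which any other process in the installer environment can read from the process list; curl's `-H @headerfile` form keeps it off argv. `$nodename` and `$mgr` are not assigned in this file and must come from the sourcing autoyast script, which the header comment should state.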
@@ -0,0 +1,24 @@
+#!/bin/sh
+
+# This script runs before the installer executes, and sets up ssh during install as well
+# as rewriting the autoyast file with any substitutions prior to it being evaluated for real
+
+nodename=$(grep ^NODENAME /tmp/confluent.info|awk '{print $2}')
+rootpw=$(grep rootpassword: /tmp/confluent.deploycfg|sed -e 's/^rootpassword: //')
+if [ "$rootpw" = "null" ]; then
+rootpw="!"
+fi
+
+mkdir ~/.ssh
+cat /ssh/*.rootpubkey > ~/.ssh/authorized_keys
+ssh-keygen -A
+for i in /etc/ssh/ssh_host*key.pub; do
+certname=${i/.pub/-cert.pub}
+curl -f -X POST -H "CONFLUENT_NODENAME: $nodename" -H "CONFLUENT_APIKEY: $(cat /tmp/confluent.apikey)" -d @$i https://$mgr/confluent-api/self/sshcert > $certname
+echo HostKey ${i%.pub} >> /etc/ssh/sshd_config
+echo HostCertificate $certname >> /etc/ssh/sshd_config
+done
+/usr/sbin/sshd
+curl -f ${proto}://$mgr/confluent-public/confluent/util/getinstalldisk > /tmp/getinstalldisk
+python3 /tmp/getinstalldisk
+sed -e s!%%INSTDISK%%!/dev/$(cat /tmp/installdisk)! -e s!%%NODENAME%%!$nodename! -e "s?%%ROOTPASSWORD%%?${rootpw}?" /tmp/profile/autoinst.xml > /tmp/profile/modified.xml
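Review bot: `$mgr` and `$proto` are used by the `sshcert` POST and the `getinstalldisk` fetch but nothing in this file assigns them (only `nodename` and `rootpw` are set), so unless the environment that runs `pre.sh` exports them the URLs collapse to `https:///…` and every request fails. The certificate `curl -f` is also unchecked: on failure `$certname` is left as an empty file and is still registered by `echo HostCertificate $certname >> /etc/ssh/sshd_config`; chain it instead, e.g. `curl -f -X POST … -d @"$i" "https://$mgr/confluent-api/self/sshcert" -o "$certname" && echo HostCertificate "$certname" >> /etc/ssh/sshd_config`. `${i/.pub/-cert.pub}` is a bash-only expansion under `#!/bin/sh`; `certname=${i%.pub}-cert.pub` is POSIX and equivalent for these file names. The `%%ROOTPASSWORD%%` substitution splices `$rootpw` into a `sed` replacement, so a value containing `?`, `&` or `\` would corrupt the generated `modified.xml`; that is fine if `rootpassword` is always a crypt hash, but a comment stating that assumption would help.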