Commit 77cb5a5b authored by Leigh Stoller's avatar Leigh Stoller

Some minor changes:

* Change how we get the root key over to boss during initial installation.
  Instead of breaking out and having the user do it by hand, we have a
  default keypair in the repo that is installed long enough to allow boss
  to ssh over to ops and install the newly generated keypair. The keypair
  is in the repo cause it won't ever be used anyplace else. Just to be
  safe, I prefix it with a from="boss.emulab.net" option when ops-install
  sticks it into root's authkeys file.

* Fix a couple of bugs in the root key ssh. @ needs to be escaped in perl,
  and we must use the BatchMode=yes option or else the check to see if the
  root key was copied just hangs!

* Add initialization of mysql user and group since the pkg does not do that
  (the port does though).
parent 3318968d
......@@ -48,6 +48,7 @@ my $PKG_INFO = "/usr/sbin/pkg_info";
my $PKG_ADD = "/usr/sbin/pkg_add";
my $TOUCH = "/usr/bin/touch";
my $SSH = "/usr/bin/ssh";
my $SCP = "/usr/bin/scp";
my $CP = "/bin/cp";
my $ENV = "/usr/bin/env";
......@@ -83,6 +84,7 @@ my $CRACKLIB_DICT = "/usr/local/lib/pw_dict.pwd";
my $STL_PATCH = "$TOP_SRCDIR/patches/g++.patch";
my $M2CRYPTO_PATCH = "$TOP_SRCDIR/patches/m2crypto.patch";
my $INIT_PRIVKEY = "$TOP_SRCDIR/install/identity";
my $SSH_CONFIG = "/etc/ssh/ssh_config";
......@@ -203,7 +205,7 @@ if ($UID != 0) {
die "This script must be run as root.\n";
}
Phase "groups", "Creating groups", sub {
Phase "usersgroups", "Creating users and groups", sub {
Phase "tbadmin", "Creating tbadmin group", sub {
if (getgrnam("tbadmin")) {
PhaseSkip("tbadmin group already exists");
......@@ -216,6 +218,21 @@ Phase "groups", "Creating groups", sub {
}
ExecQuietFatal("$PW groupadd root -g 103");
};
# Added next two cause the mysql package does not do this (port does).
Phase "mysqlgroup", "Creating mysql group", sub {
if (getgrnam("mysql")) {
PhaseSkip("mysql group already exists");
}
ExecQuietFatal("$PW groupadd mysql -g 88");
};
Phase "mysqluser", "Creating mysql user", sub {
if (getpwnam("mysql")) {
PhaseSkip("mysql user already exists");
}
ExecQuietFatal("$PW useradd mysql -g 88 -g 88 -h - ".
"-d /var/db/mysql -s /sbin/nologin -c 'MySQL Daemon'");
ExecQuietFatal("$CHOWN mysql:mysql /var/db/mysql");
};
};
Phase "dirs", "Setting directory permissions", sub {
......@@ -623,17 +640,24 @@ Phase "ssh", "Setting up root ssh from boss to ops", sub {
" Protocol 1,2");
};
Phase "keycopy", "Copy root ssh keys to ops", sub {
if (ExecQuiet("$SSH root@$USERNODE pwd")) {
if (! ExecQuiet("$SSH -o 'BatchMode=yes' root\@${USERNODE} pwd")) {
PhaseSkip("Key already copied");
} else {
PhaseFail("You'll need to manually copy boss's public SSH key\n".
"over to ops print so boss can get into ops without a\n" .
"password. Run the following print as root:\n" .
"scp $ROOT_PUBKEY ${USERNODE}:$ROOT_AUTHKEY");
}
ExecQuietFatal("$SCP -i $INIT_PRIVKEY ".
"$ROOT_PUBKEY ${USERNODE}:$ROOT_AUTHKEY");
if (ExecQuiet("$SSH -o 'BatchMode=yes' root\@${USERNODE} pwd")) {
PhaseFail("You'll need to manually copy boss's public SSH key\n".
"over to ops print so boss can get into ops without\n".
"a password. Run the following print as root:\n" .
"scp $ROOT_PUBKEY ${USERNODE}:$ROOT_AUTHKEY");
}
};
};
};
PrintLastOutput();
Phase "rndc", "Setting up rndc for control of nameserver", sub {
DoneIfExists($RNDC_KEY);
ExecQuietFatal("$RNDC_CONFGEN -a -r /dev/urandom");
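Review bot: The scp at `ExecQuietFatal("$SCP -i $INIT_PRIVKEY ". "$ROOT_PUBKEY ${USERNODE}:$ROOT_AUTHKEY");` runs without `-o 'BatchMode=yes'`, so if the stub identity is not accepted ssh falls back to a password prompt and this phase hangs the same way the probe above it used to; `ExecQuietFatal("$SCP -o 'BatchMode=yes' -i $INIT_PRIVKEY ". "$ROOT_PUBKEY ${USERNODE}:$ROOT_AUTHKEY");` fails fast instead. One likely cause of that fallback is the key's mode: a fresh checkout normally leaves `$INIT_PRIVKEY` group/world-readable, and ssh refuses to use a private key file with open permissions, so a `chmod 0600` of the file (or of a copy) before this line, or a comment saying the checkout must preserve 0600, seems warranted. Note also that scp replaces the remote file rather than appending, so whatever was in `$ROOT_AUTHKEY` on ops — presumably including the stub entry ops-install appended — is discarded; if that is the intended way the bootstrap key gets removed, a comment to that effect would help the next reader, since nothing in this hunk says so. The enclosing "ssh" phase starts before this hunk.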
......
1024 35 149706469596819386301960850136175505608809471396630115738044176979537429718848471895024488348802402212836575405915218146036512809678640632180619808876293410188593686822462984642237347334716765393914874341866641852670014892130249990175424894795196799282031758070532708970531070942788879242175101182042519843989 Initial key for boss/ops install. This will be removed during the boss installation process.
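Review bot: The `1024 35 <modulus>` form is an SSH protocol 1 RSA public key, so the entry ops-install builds from it only authorizes logins over protocol 1 and the bootstrap depends on ops' sshd keeping `Protocol 1` enabled; if protocol 1 is later dropped on either end, keycopy fails at its first scp. The commit message says the private half lives in the repo too, which makes this a shared, effectively public credential — anyone with the tree can present it, and the `from=` option ops-install adds is the only thing narrowing where it is honoured from. The trailing comment should say so, e.g. `Initial key for boss/ops install. The private half is checked in, so treat this key as public; it is only meant to be honoured until boss-install replaces root's authorized_keys on ops.`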
......@@ -107,6 +107,8 @@ my $NEWSYSLOG_CONF = "/etc/newsyslog.conf";
my $SUDOERS = "/usr/local/etc/sudoers";
my $SSHD_CONFIG = "/etc/ssh/sshd_config";
my $CRONTAB = "/etc/crontab";
my $AUTHKEYS = "/root/.ssh/authorized_keys";
#
# Some directories we care about
......@@ -136,6 +138,7 @@ my @TESTBED_DIRS = ([$PREFIX, "0775"], ["/users", "0755"],
my $ELVIND_CONF = "/usr/local/etc/elvind.conf";
my $OPS_ELVIND_CONF = "$TOP_OBJDIR/event/etc/elvind-ops.conf";
my $M2CRYPTO_PATCH = "$TOP_SRCDIR/patches/m2crypto.patch";
my $IDENTPUB = "$TOP_SRCDIR/install/identity.pub";
#
# The meta-port (name and version) that drags in all the dependancies for
......@@ -154,7 +157,6 @@ if (! $batchmode) {
my $response = <>;
die "Installation aborted!\n" unless ($response =~ /^y/i);
}
exit(0);
if ($UID != 0) {
die "This script must be run as root.\n";
......@@ -435,7 +437,15 @@ Phase "ssh", "Allowing root ssh", sub {
mkdir("/root/.ssh",0700) or
PhaseFail("Unable to create /root/.ssh: $!");
};
Phase "authkeys", "Adding stub identity to /root/.ssh/authorized_keys", sub {
DoneIfEdited($AUTHKEYS);
my $ident = `cat $IDENTPUB`;
PhaseFail("Could not read $IDENTPUB")
if ($?);
chomp($ident);
AppendToFileFatal($AUTHKEYS,
"from=\"${BOSSNODE}\" $ident");
};
};
Phase "capture", "Setting up capture", sub {
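Review bot: `from="${BOSSNODE}"` is matched by sshd against the client's resolved hostname or address, so it narrows where the checked-in stub key is honoured from but does not authenticate the holder, and the key is accepted for root from this phase onward until something replaces `$AUTHKEYS`; nothing in this file removes it, so a boss-install that never runs, or fails before its keycopy phase, leaves it in place. Worth stating that lifetime where the entry is added, e.g. `# Stub key is only meant to be honoured until boss-install overwrites this file; if boss-install does not get that far, remove this entry by hand.` Separately, the backtick `cat $IDENTPUB` read shells out for a one-line file; opening it in Perl (`open my $fh, '<', $IDENTPUB or PhaseFail("Could not read $IDENTPUB: $!"); my $ident = <$fh>; close $fh;`) avoids the extra process and reports why the read failed instead of only `$?`. The enclosing "ssh" phase starts before this hunk.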
......