From e402975b214abdb0b1f064f7b3c6eb1f1c1b6a97 Mon Sep 17 00:00:00 2001 From: Nico Schottelius Date: Mon, 22 Jun 2020 23:05:13 +0200 Subject: [PATCH 01/21] Allow to use ip address instead of device --- viirb-1-connect-flash-latest-openwrt.sh | 19 ++++++++++++++----- 1 file changed, 14 insertions(+), 5 deletions(-) diff --git a/viirb-1-connect-flash-latest-openwrt.sh b/viirb-1-connect-flash-latest-openwrt.sh index 28ba121..c551ef1 100755 --- a/viirb-1-connect-flash-latest-openwrt.sh +++ b/viirb-1-connect-flash-latest-openwrt.sh @@ -2,24 +2,33 @@ # 2020-06-13, Nico Schottelius # See https://ungleich.ch/u/products/viirb-ipv6-box/ -if [ $# -ne 1 ]; then - echo "$0 interface" +if [ $# -lt 1 ]; then + echo "$0 interface [address]" echo " interface to add the config ip address to" + echo " address: connect to this address, ignore the interface" exit 1 fi set -x dev=$1; shift +if [ $# -ge 1 ]; then + viirb_ip=$1; shift + dev="" +else + viirb_ip=192.168.61.1 +fi + # openwrt version=19.07.3 filename=openwrt-${version}-ramips-mt76x8-vocore2-squashfs-sysupgrade.bin # IP address for setting it up initially -viirb_ip=192.168.61.1 -sudo ip addr del 192.168.61.2/24 dev "$dev" 2>/dev/null || true -sudo ip addr add 192.168.61.2/24 dev "$dev" +if [ "$dev" ]; then + sudo ip addr del 192.168.61.2/24 dev "$dev" 2>/dev/null || true + sudo ip addr add 192.168.61.2/24 dev "$dev" +fi # don't care about other/old known_host entries ssh-keygen -R ${viirb_ip} From 8e73c603c8f4ccf32a05594b990568262f221651 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timoth=C3=A9e=20Floure?= Date: Wed, 24 Jun 2020 08:53:37 +0200 Subject: [PATCH 02/21] Add fnux's key to devuan netboot image --- debian-devuan-netboot.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/debian-devuan-netboot.sh b/debian-devuan-netboot.sh index eb0d381..2858ae4 100755 --- a/debian-devuan-netboot.sh +++ b/debian-devuan-netboot.sh 
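Review bot: The new address mode still consumes the first positional as the interface (`dev=$1; shift` runs before the `$# -ge 1` test), so a caller who only wants to connect to an address must pass a placeholder interface that is then discarded, and the usage line `$0 interface [address]` does not say so. The address is taken from argv unvalidated and is later expanded unquoted in `ssh-keygen -R ${viirb_ip}`; quote it, `ssh-keygen -R "${viirb_ip}"`, and reject obviously malformed input before use with something like `case "$viirb_ip" in ""|*[!0-9a-fA-F.:]*) echo "bad address: $viirb_ip" >&2; exit 1;; esac`. The script body continues past the end of this hunk.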
@@ -43,7 +43,7 @@ echo '* * * * * root ip -o -6 addr show | grep -E -v " lo |one" > /etc/issue' > mkdir -p ${chroot_dir}/root/.ssh -for key in balazs dominique jinguk nico; do +for key in fnux balazs dominique jinguk nico; do curl -s ${keyurl}/${key}.pub >> ${chroot_dir}/root/.ssh/authorized_keys done From afaa9ef712a536af0a314e28b0e71877c9fec85f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timoth=C3=A9e=20Floure?= Date: Mon, 29 Jun 2020 08:49:24 +0200 Subject: [PATCH 03/21] Create initial structure for LUKS-encrypted CentOS images --- .../centos-build-luks-opennebula-image.sh | 175 ++++++++++++++++++ 1 file changed, 175 insertions(+) create mode 100755 opennebula-images/centos-build-luks-opennebula-image.sh diff --git a/opennebula-images/centos-build-luks-opennebula-image.sh b/opennebula-images/centos-build-luks-opennebula-image.sh new file mode 100755 index 0000000..e438df8 --- /dev/null +++ b/opennebula-images/centos-build-luks-opennebula-image.sh 
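Review bot: The added `fnux` key goes through the same `curl -s ${keyurl}/${key}.pub >> ${chroot_dir}/root/.ssh/authorized_keys` as the other names, and that curl has no `-f`, so an HTTP error body from `${keyurl}` (a 404 page, a redirect notice) is appended to root's authorized_keys while `-s` hides the failure. Use `curl -sSf -- "${keyurl}/${key}.pub" >> "${chroot_dir}/root/.ssh/authorized_keys"` so a failed fetch returns non-zero (and aborts the build if the script runs with `set -e`, which is not visible in this hunk) instead of silently producing a broken key file. The surrounding script starts and ends outside the hunk.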
@@ -0,0 +1,175 @@
+#!/bin/sh
+
+# This script generates CentOS images for OpenNebula.
+
+# Depends on the following packages (as of CentOS 8):
+# qemu-img util-linux coreutils dnf curl e2fsprogs cryptsetup
+
+# Run locally (without network) with:
+# qemu-system-x86_64 -enable-kvm -m 1G -drive file=$IMAGE,format=qcow2
+
+set -e
+set -x
+
+# XXX: Handle command-line arguments?
+RELEASE=7
+ARCH=x86_64
+IMAGE_PATH=centos-$RELEASE-$(date --iso-8601).img
+IMAGE_SIZE=10G
+LOOPBACK_DEVICE=/dev/loop0
+LUKS_PASSPHRASE=secretsecretsecret
+LUKS_DEVICE_NAME=cryptroot
+LUKS_DEVICE="/dev/mapper/$LUKS_DEVICE_NAME"
+
+# TODO: find the package definition and built ourself, publish in some RPM repository.
+ONE_CONTEXT_RPM_URL="https://github.com/OpenNebula/addon-context-linux/releases/download/v5.10.0/one-context-5.10.0-1.el8.noarch.rpm"
+ONE_CONTEXT_RPM_PATH=/root/one-context.rpm
+
+cleanup() {
+ # The order here is important.
+ umount /mnt/dev/pts 2>/dev/null || true
+ umount /mnt/dev/shm 2>/dev/null || true
+ umount /mnt/dev 2>/dev/null || true
+ umount /mnt/proc 2>/dev/null || true
+ umount /mnt/run 2>/dev/null || true
+ umount /mnt/sys 2>/dev/null || true
+ umount /mnt/boot 2>/dev/null || true
+ umount /mnt 2>/dev/null || true
+ losetup -d "$LOOPBACK_DEVICE"
+}
+
+run_root() {
+ chroot /mnt /usr/bin/env \
+ PATH=/sbin:/usr/sbin:/bin:/usr/bin \
+ sh -c "$*"
+}
+
+if [ "$(whoami)" != 'root' ]; then
+ echo "This script must be run as root." >&2
+ exit 1
+fi
+
+if [ ! -f '/etc/centos-release' ]; then
+ echo "WARNING: this script has been designed to run on a CentOS system." >&2
+ echo "WARNING: Not running CentOS. Giving you 5 seconds to abort." >&2
+ sleep 5
+fi
+
+# Create base RAW image (no LOOPBACK support in RHEL/CentOS).
+qemu-img create -f raw "$IMAGE_PATH" "$IMAGE_SIZE"
+losetup "$LOOPBACK_DEVICE" "$IMAGE_PATH"
+
+# Don't forget to cleanup, even if the script crash.
+trap cleanup EXIT
+
+# Create partition table, format partitions.
+{ +sfdisk --no-reread "$LOOPBACK_DEVICE" < /mnt/etc/hosts << EOF +127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 +::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 + +EOF + +# See https://github.com/OpenNebula/addon-context-linux/issues/121 for details. +# network-scripts.x86_64 : Legacy scripts for manipulating of network devices +run_root dnf -y install network-scripts + +# Install (magic?) one-context RPM and hope things works as expected. +curl -L "$ONE_CONTEXT_RPM_URL" > "/mnt$ONE_CONTEXT_RPM_PATH" +run_root dnf -y install "$ONE_CONTEXT_RPM_PATH" +run_root rm "$ONE_CONTEXT_RPM_PATH" + +# Install resize2fs, which is required to resize the root file-system. +run_root dnf -y install e2fsprogs + +# Initalize base services. +run_root systemd-machine-id-setup +run_root ln -sf /usr/share/zoneinfo/UTC /etc/localtime + +# Install and configure NTP client. +run_root dnf install -y chrony +run_root systemctl enable chronyd.service + +# Install kernel and bootloader. +# Note: linux-firmware is not required our environment and takes almost 200M +# uncompressed but is a direct dependency of kernel-core... +run_root dnf -y install kernel grub2 + +# Add support for virtio block devices at boot time. +cat > /mnt/etc/dracut.conf.d/virtio-blk.conf <>/mnt/etc/fstab < Date: Mon, 29 Jun 2020 12:25:39 +0200 Subject: [PATCH 04/21] Tune centos image for 7 --- .../centos-build-luks-opennebula-image.sh | 23 +++++++++++-------- 1 file changed, 14 insertions(+), 9 deletions(-) diff --git a/opennebula-images/centos-build-luks-opennebula-image.sh b/opennebula-images/centos-build-luks-opennebula-image.sh index e438df8..fcd34c3 100755 --- a/opennebula-images/centos-build-luks-opennebula-image.sh +++ b/opennebula-images/centos-build-luks-opennebula-image.sh 
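Review bot: `cleanup()` unmounts everything and then calls `losetup -d "$LOOPBACK_DEVICE"` without first closing the LUKS mapping the script opens on `${LOOPBACK_DEVICE}p2`, so the device-mapper target still holds the loop device and the detach fails or is deferred, leaving `/dev/mapper/$LUKS_DEVICE_NAME` behind after the run; add `cryptsetup close "$LUKS_DEVICE_NAME" 2>/dev/null || true` between `umount /mnt` and `losetup -d`. Separately, `set -x` is enabled at the top while `LUKS_PASSPHRASE` is fed to cryptsetup on a pipe (those calls are collapsed out of this hunk but appear in the PATCH 11 copy as `echo -n "$LUKS_PASSPHRASE" | cryptsetup ...`), so the trace prints the expanded passphrase to stderr and into any captured build log; bracket those lines with `set +x` / `set -x` or hand the passphrase over with `cryptsetup --key-file` from a `mktemp` file. Both issues are carried unchanged into the new centos7 script in PATCH 11.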
@@ -6,23 +6,21 @@ # qemu-img util-linux coreutils dnf curl e2fsprogs cryptsetup # Run locally (without network) with: -# qemu-system-x86_64 -enable-kvm -m 1G -drive file=$IMAGE,format=qcow2 +# qemu-system-x86_64 -enable-kvm -m 1G -drive file=$IMAGE,format=raw set -e set -x -# XXX: Handle command-line arguments? RELEASE=7 ARCH=x86_64 -IMAGE_PATH=centos-$RELEASE-$(date --iso-8601).img +IMAGE_PATH=centos-luks-$RELEASE-$(date --iso-8601).img IMAGE_SIZE=10G LOOPBACK_DEVICE=/dev/loop0 -LUKS_PASSPHRASE=secretsecretsecret +LUKS_PASSPHRASE=secret LUKS_DEVICE_NAME=cryptroot LUKS_DEVICE="/dev/mapper/$LUKS_DEVICE_NAME" -# TODO: find the package definition and built ourself, publish in some RPM repository. -ONE_CONTEXT_RPM_URL="https://github.com/OpenNebula/addon-context-linux/releases/download/v5.10.0/one-context-5.10.0-1.el8.noarch.rpm" +ONE_CONTEXT_RPM_URL="https://github.com/OpenNebula/addon-context-linux/releases/download/v5.10.0/one-context-5.10.0-1.el7.noarch.rpm" ONE_CONTEXT_RPM_PATH=/root/one-context.rpm cleanup() { @@ -82,13 +80,18 @@ mount "${LUKS_DEVICE}" /mnt mkdir /mnt/boot mount "${LOOPBACK_DEVICE}p1" /mnt/boot +# AppStream landed in CentOS 8. +if [ $RELEASE >= 8 ]; then + enabled_repos="--enablerepo=BaseOS --enablerepo=AppStream --enablerepo=extras" +else + enabled_repos="--enablerepo=Base --enablerepo=extras" +fi + dnf -y \ --releasever=$RELEASE \ --installroot=/mnt \ --disablerepo='*' \ - --enablerepo=BaseOS \ - --enablerepo=AppStream \ - --enablerepo=extras \ + $enabled_repos \ --setopt=install_weak_deps=False install \ bash basesystem systemd systemd-udev dnf centos-release 
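Review bot: In the second hunk, `if [ $RELEASE >= 8 ]; then` is not a numeric comparison: inside `[ ]` the shell parses `>` as an output redirection to a file literally named `=`, creates that file in the working directory, and hands `[` the remaining `7 8`, which is a usage error, so the `else` branch (the CentOS 7 repos) is taken every time regardless of `$RELEASE`. The test should be `if [ "$RELEASE" -ge 8 ]; then`; PATCH 05 in this series appears to make that switch. The repo list is then word-split intentionally via unquoted `$enabled_repos` in the `dnf` call, which is fine for these option tokens but worth a one-line comment so nobody "fixes" the quoting.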
@@ -147,6 +150,8 @@ kernel_version=$(ls /mnt/boot | grep "vmlinuz.*.$ARCH" | cut -d- -f2-) run_root dracut --force --kver $kernel_version # Configure grub2. +luks_uuid=$(blkid --match-tag UUID --output value "${LOOPBACK_DEVICE}p2") +echo "GRUB_CMDLINE_LINUX='rd.luks.uuid=$luks_uuid'" >> /mnt/etc/default/grub run_root grub2-install --target=i386-pc "${LOOPBACK_DEVICE}" run_root grub2-mkconfig -o /boot/grub2/grub.cfg From 4682ed9a3aa35f714a876ae840ddf904fb01a922 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timoth=C3=A9e=20Floure?= Date: Mon, 29 Jun 2020 17:46:48 +0200 Subject: [PATCH 05/21] More tuning to CentOS LUKS image --- .../centos-build-luks-opennebula-image.sh | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/opennebula-images/centos-build-luks-opennebula-image.sh b/opennebula-images/centos-build-luks-opennebula-image.sh index fcd34c3..63effac 100755 --- a/opennebula-images/centos-build-luks-opennebula-image.sh +++ b/opennebula-images/centos-build-luks-opennebula-image.sh @@ -20,7 +20,7 @@ LUKS_PASSPHRASE=secret LUKS_DEVICE_NAME=cryptroot LUKS_DEVICE="/dev/mapper/$LUKS_DEVICE_NAME" -ONE_CONTEXT_RPM_URL="https://github.com/OpenNebula/addon-context-linux/releases/download/v5.10.0/one-context-5.10.0-1.el7.noarch.rpm" +ONE_CONTEXT_RPM_URL="https://github.com/OpenNebula/addon-context-linux/releases/download/v5.10.0/one-context-5.10.0-1.el$RELEASE.noarch.rpm" ONE_CONTEXT_RPM_PATH=/root/one-context.rpm cleanup() { @@ -81,10 +81,12 @@ mkdir /mnt/boot mount "${LOOPBACK_DEVICE}p1" /mnt/boot # AppStream landed in CentOS 8. -if [ $RELEASE >= 8 ]; then +if [ $RELEASE -ge 8 ]; then enabled_repos="--enablerepo=BaseOS --enablerepo=AppStream --enablerepo=extras" + release_specific_packages="systemd-udev" else - enabled_repos="--enablerepo=Base --enablerepo=extras" + enabled_repos="--enablerepo=base --enablerepo=extras" + release_specific_packages="dnf" fi dnf -y \ 
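Review bot: `luks_uuid=$(blkid --match-tag UUID --output value "${LOOPBACK_DEVICE}p2")` is written into the image's grub defaults without checking that it is non-empty; an empty result only aborts the build if blkid itself exits non-zero, otherwise the image gets `rd.luks.uuid=` and will not find its root at boot. Add `[ -n "$luks_uuid" ] || { echo "no LUKS UUID on ${LOOPBACK_DEVICE}p2" >&2; exit 1; }` before the `echo`. Appending a fresh `GRUB_CMDLINE_LINUX='...'` line with `>>` also overrides, rather than extends, any `GRUB_CMDLINE_LINUX` already present in `/mnt/etc/default/grub` when grub2-mkconfig sources it — the file's prior content is not visible here, so confirm that is intended.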
@@ -93,7 +95,7 @@ dnf -y \ --disablerepo='*' \ $enabled_repos \ --setopt=install_weak_deps=False install \ - bash basesystem systemd systemd-udev dnf centos-release + bash basesystem systemd dnf centos-release cryptsetup $release_specific_packages mount --bind /dev /mnt/dev mount --bind /dev/pts /mnt/dev/pts @@ -119,7 +121,9 @@ EOF # See https://github.com/OpenNebula/addon-context-linux/issues/121 for details. # network-scripts.x86_64 : Legacy scripts for manipulating of network devices -run_root dnf -y install network-scripts +if [ $RELEASE -ge 8 ]; then + run_root dnf -y install network-scripts +fi # Install (magic?) one-context RPM and hope things works as expected. curl -L "$ONE_CONTEXT_RPM_URL" > "/mnt$ONE_CONTEXT_RPM_PATH" @@ -147,7 +151,7 @@ cat > /mnt/etc/dracut.conf.d/virtio-blk.conf < Date: Thu, 2 Jul 2020 21:42:46 +0200 Subject: [PATCH 06/21] adjust monit for broken init script / ceph osds --- monit-ceph-create-start | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-) diff --git a/monit-ceph-create-start b/monit-ceph-create-start index 9b9cb58..afcac60 100755 --- a/monit-ceph-create-start +++ b/monit-ceph-create-start @@ -20,13 +20,26 @@ if echo $to_monitor | grep ^osd; then depends="${depends}, ${to_monitor}-whoami" osd="yes" osdid=$(echo $to_monitor | cut -d. -f2) -fi + cat > "$conf" < "$conf" < "$conf" <> "$conf" < Date: Thu, 2 Jul 2020 21:55:15 +0200 Subject: [PATCH 07/21] use pkill for ceph monitors --- monit-ceph-create-start | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/monit-ceph-create-start b/monit-ceph-create-start index afcac60..a44efa0 100755 --- a/monit-ceph-create-start +++ b/monit-ceph-create-start 
@@ -24,7 +24,7 @@ if echo $to_monitor | grep ^osd; then # Generated by $0 check process ${to_monitor} with pidfile /var/run/ceph/${to_monitor}.pid start program = "/usr/bin/ceph-osd -i ${osdid} --pid-file /var/run/ceph/osd.${osdid}.pid -c /etc/ceph/ceph.conf --cluster ceph --setuser ceph --setgroup ceph" with timeout 3600 seconds - + stop program = "/usr/bin/pkill -f '/usr/bin/ceph-osd -i ${osdid}'" EOF else @@ -33,6 +33,7 @@ else # Generated by $0 check process ${to_monitor} with pidfile /var/run/ceph/${to_monitor}.pid start program = "/etc/init.d/ceph start ${to_monitor}" with timeout 60 seconds + stop program = "/etc/init.d/ceph stop ${to_monitor}" EOF @@ -40,7 +41,6 @@ fi # final clause same for both cat >> "$conf" < Date: Mon, 6 Jul 2020 09:35:47 +0200 Subject: [PATCH 08/21] CentOS luks image -> replace sfdisk by parted --- .../centos-build-luks-opennebula-image.sh | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/opennebula-images/centos-build-luks-opennebula-image.sh b/opennebula-images/centos-build-luks-opennebula-image.sh index 63effac..d577e9f 100755 --- a/opennebula-images/centos-build-luks-opennebula-image.sh +++ b/opennebula-images/centos-build-luks-opennebula-image.sh @@ -61,12 +61,10 @@ losetup "$LOOPBACK_DEVICE" "$IMAGE_PATH" trap cleanup EXIT # Create partition table, format partitions. -{ -sfdisk --no-reread "$LOOPBACK_DEVICE" < Date: Mon, 6 Jul 2020 09:36:10 +0200 Subject: [PATCH 09/21] centos luks image: use local repo dir, crypttab instead of kernel args --- .../centos-build-luks-opennebula-image.sh | 10 +++++----- .../rpm-repositories/centos-7-minus.repo | 16 ++++++++++++++++ 2 files changed, 21 insertions(+), 5 deletions(-) create mode 100644 opennebula-images/rpm-repositories/centos-7-minus.repo diff --git a/opennebula-images/centos-build-luks-opennebula-image.sh b/opennebula-images/centos-build-luks-opennebula-image.sh index d577e9f..f39d937 100755 --- a/opennebula-images/centos-build-luks-opennebula-image.sh 
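Review bot: The new `stop program = "/usr/bin/pkill -f '/usr/bin/ceph-osd -i ${osdid}'"` matches an unanchored regex against the whole command line, so stopping osd.1 also matches `-i 10` through `-i 19` (and osd.2 matches 20–29) and kills those OSDs as well. Anchor the id, e.g. `pkill -f '^/usr/bin/ceph-osd -i ${osdid} '` — the trailing space is safe because the start program always follows the id with `--pid-file`. The enclosing `if echo $to_monitor | grep ^osd` block begins before this hunk.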
+++ b/opennebula-images/centos-build-luks-opennebula-image.sh @@ -93,6 +93,7 @@ dnf -y \ --disablerepo='*' \ $enabled_repos \ --setopt=install_weak_deps=False install \ + --setopt=reposdir=rpm-repositories \ bash basesystem systemd dnf centos-release cryptsetup $release_specific_packages mount --bind /dev /mnt/dev @@ -144,16 +145,15 @@ run_root systemctl enable chronyd.service # uncompressed but is a direct dependency of kernel-core... run_root dnf -y install kernel grub2 -# Add support for virtio block devices at boot time. +# Add support for virtio block devices at boot time, configure bootloader. cat > /mnt/etc/dracut.conf.d/virtio-blk.conf <> /mnt/etc/default/grub +echo "cryptroot UUID=$luks_uuid luks,timeout=30" >> /mnt/etc/crypttab + +run_root dracut -v --force --kver $kernel_version run_root grub2-install --target=i386-pc "${LOOPBACK_DEVICE}" run_root grub2-mkconfig -o /boot/grub2/grub.cfg diff --git a/opennebula-images/rpm-repositories/centos-7-minus.repo b/opennebula-images/rpm-repositories/centos-7-minus.repo new file mode 100644 index 0000000..53bae51 --- /dev/null +++ b/opennebula-images/rpm-repositories/centos-7-minus.repo @@ -0,0 +1,16 @@ +[base] +name=CentOS-$releasever - Base +mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os&infra=$infra +#baseurl=http://mirror.centos.org/centos/$releasever/os/$basearch/ +gpgcheck=0 +enabled=0 +gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7 + +#released updates +[updates] +name=CentOS-$releasever - Updates +mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=updates&infra=$infra +#baseurl=http://mirror.centos.org/centos/$releasever/updates/$basearch/ +gpgcheck=0 +enabled=0 +gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7 From c9d1ab6e13521601c0d5ba807871f2b3dde86e07 Mon Sep 17 00:00:00 2001 
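Review bot: In the new `centos-7-minus.repo`, both `[base]` and `[updates]` set `gpgcheck=0` even though `gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7` is provided, and the mirror list is fetched over plain `http://`, so every package written into the image root is accepted without signature verification and a compromised mirror or on-path party can substitute packages. Set `gpgcheck=1` in both sections (the key file is shipped by `centos-release` on the CentOS 7 build host this series targets) and use `https://` for the mirrorlist if it is reachable from the build network. The same `gpgcheck=0` appears in the `centos-extras.repo` added by PATCH 10, whose `gpgkey` points at `RPM-GPG-KEY-centosofficial`, a key file name that may not exist on a CentOS 7 host — worth confirming before enabling the check there.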
From: =?UTF-8?q?Timoth=C3=A9e=20Floure?=
Date: Mon, 6 Jul 2020 09:44:41 +0200
Subject: [PATCH 10/21] Add missing centos-extras repo
---
 opennebula-images/rpm-repositories/centos-extras.repo | 7 +++++++
 1 file changed, 7 insertions(+)
 create mode 100644 opennebula-images/rpm-repositories/centos-extras.repo
diff --git a/opennebula-images/rpm-repositories/centos-extras.repo b/opennebula-images/rpm-repositories/centos-extras.repo
new file mode 100644
index 0000000..c53d52a
--- /dev/null
+++ b/opennebula-images/rpm-repositories/centos-extras.repo
@@ -0,0 +1,7 @@
+[extras]
+name=CentOS-$releasever - Extras
+mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=extras&infra=$infra
+#baseurl=http://mirror.centos.org/$contentdir/$releasever/extras/$basearch/os/
+gpgcheck=0
+enabled=0
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
From 45f48f3e05ad7ab87c37c07706d723342d124cf8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Timoth=C3=A9e=20Floure?=
Date: Mon, 6 Jul 2020 09:59:52 +0200
Subject: [PATCH 11/21] centos-build-luks -> centos7-build-luks, fix blkid calls
---
 .../centos7-build-luks-opennebula-image.sh | 182 ++++++++++++++++++
 1 file changed, 182 insertions(+)
 create mode 100755 opennebula-images/centos7-build-luks-opennebula-image.sh
diff --git a/opennebula-images/centos7-build-luks-opennebula-image.sh b/opennebula-images/centos7-build-luks-opennebula-image.sh
new file mode 100755
index 0000000..d5696fc
--- /dev/null
+++ b/opennebula-images/centos7-build-luks-opennebula-image.sh
@@ -0,0 +1,182 @@
+#!/bin/sh
+
+# This script generates CentOS images for OpenNebula. Expected to run on CentOS 7.
+
+# Depends on the following packages:
+# qemu-img util-linux coreutils dnf curl e2fsprogs cryptsetup parted
+
+# Run locally (without network) with:
+# qemu-system-x86_64 -enable-kvm -m 1G -drive file=$IMAGE,format=raw
+
+set -e
+set -x
+
+RELEASE=7
+ARCH=x86_64
+IMAGE_PATH=centos-luks-$RELEASE-$(date --iso-8601).img
+IMAGE_SIZE=10G
+LOOPBACK_DEVICE=/dev/loop2
+LUKS_PASSPHRASE=secret
+LUKS_DEVICE_NAME=cryptroot2
+LUKS_DEVICE="/dev/mapper/$LUKS_DEVICE_NAME"
+
+ONE_CONTEXT_RPM_URL="https://github.com/OpenNebula/addon-context-linux/releases/download/v5.10.0/one-context-5.10.0-1.el$RELEASE.noarch.rpm"
+ONE_CONTEXT_RPM_PATH=/root/one-context.rpm
+
+cleanup() {
+ # The order here is important.
+ umount /mnt/dev/pts 2>/dev/null || true
+ umount /mnt/dev/shm 2>/dev/null || true
+ umount /mnt/dev 2>/dev/null || true
+ umount /mnt/proc 2>/dev/null || true
+ umount /mnt/run 2>/dev/null || true
+ umount /mnt/sys 2>/dev/null || true
+ umount /mnt/boot 2>/dev/null || true
+ umount /mnt 2>/dev/null || true
+ losetup -d "$LOOPBACK_DEVICE"
+}
+
+run_root() {
+ chroot /mnt /usr/bin/env \
+ PATH=/sbin:/usr/sbin:/bin:/usr/bin \
+ sh -c "$*"
+}
+
+if [ "$(whoami)" != 'root' ]; then
+ echo "This script must be run as root." >&2
+ exit 1
+fi
+
+if [ ! -f '/etc/centos-release' ]; then
+ echo "WARNING: this script has been designed to run on a CentOS system." >&2
+ echo "WARNING: Not running CentOS. Giving you 5 seconds to abort." >&2
+ sleep 5
+fi
+
+# Create base RAW image (no LOOPBACK support in RHEL/CentOS).
+qemu-img create -f raw "$IMAGE_PATH" "$IMAGE_SIZE"
+losetup "$LOOPBACK_DEVICE" "$IMAGE_PATH"
+
+# Don't forget to cleanup, even if the script crash.
+trap cleanup EXIT
+
+# Create partition table, format partitions.
+parted --script "$LOOPBACK_DEVICE" \
+ mklabel msdos \
+ mkpart primary ext4 1M 500M \
+ mkpart primary ext4 500M 100%
+
+partprobe "$LOOPBACK_DEVICE"
+
+mkfs.ext4 "${LOOPBACK_DEVICE}p1"
+echo -n "$LUKS_PASSPHRASE" | cryptsetup luksFormat -v -d - "${LOOPBACK_DEVICE}p2"
+echo -n "$LUKS_PASSPHRASE" | cryptsetup open -v -d - "${LOOPBACK_DEVICE}p2" "$LUKS_DEVICE_NAME"
+mkfs.ext4 "$LUKS_DEVICE"
+
+# Mount partitions, install base OS.
+mount "${LUKS_DEVICE}" /mnt
+mkdir /mnt/boot
+mount "${LOOPBACK_DEVICE}p1" /mnt/boot
+
+# AppStream landed in CentOS 8.
+if [ $RELEASE -ge 8 ]; then
+ enabled_repos="--enablerepo=BaseOS --enablerepo=AppStream --enablerepo=extras"
+ release_specific_packages="systemd-udev"
+else
+ enabled_repos="--enablerepo=base --enablerepo=extras"
+ release_specific_packages="dnf"
+fi
+
+dnf -y \
+ --releasever=$RELEASE \
+ --installroot=/mnt \
+ --disablerepo='*' \
+ $enabled_repos \
+ --setopt=install_weak_deps=False install \
+ --setopt=reposdir=rpm-repositories \
+ bash basesystem systemd dnf centos-release cryptsetup $release_specific_packages
+
+mount --bind /dev /mnt/dev
+mount --bind /dev/pts /mnt/dev/pts
+mount --bind /dev/shm /mnt/dev/shm
+mount --bind /proc /mnt/proc
+mount --bind /run /mnt/run
+mount --bind /sys /mnt/sys
+
+# Guest networking is to be handled by the one-context package.
+# See https://github.com/OpenNebula/addon-context-linux for details.
+# Note: as of writing, one-context does not support NetworkManager or
+# systemd-networkd.
+
+# Required to resolve package mirror in chroot.
+cp /etc/resolv.conf /mnt/etc/resolv.conf
+
+# Initialize /etc/hosts.
+cat > /mnt/etc/hosts << EOF
+127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
+::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
+
+EOF
+
+# See https://github.com/OpenNebula/addon-context-linux/issues/121 for details.
+# network-scripts.x86_64 : Legacy scripts for manipulating of network devices +if [ $RELEASE -ge 8 ]; then + run_root dnf -y install network-scripts +fi + +# Install (magic?) one-context RPM and hope things works as expected. +curl -L "$ONE_CONTEXT_RPM_URL" > "/mnt$ONE_CONTEXT_RPM_PATH" +run_root dnf -y install "$ONE_CONTEXT_RPM_PATH" +run_root rm "$ONE_CONTEXT_RPM_PATH" + +# Install resize2fs, which is required to resize the root file-system. +run_root dnf -y install e2fsprogs + +# Initalize base services. +run_root systemd-machine-id-setup +run_root ln -sf /usr/share/zoneinfo/UTC /etc/localtime + +# Install and configure NTP client. +run_root dnf install -y chrony +run_root systemctl enable chronyd.service + +# Install kernel and bootloader. +# Note: linux-firmware is not required our environment and takes almost 200M +# uncompressed but is a direct dependency of kernel-core... +run_root dnf -y install kernel grub2 + +# Add support for virtio block devices at boot time, configure bootloader. +cat > /mnt/etc/dracut.conf.d/virtio-blk.conf <> /mnt/etc/crypttab + +run_root dracut -v --force --kver $kernel_version +run_root grub2-install --target=i386-pc "${LOOPBACK_DEVICE}" +run_root grub2-mkconfig -o /boot/grub2/grub.cfg + +# Install en configure SSH daemon. +run_root dnf -y install openssh-server +run_root systemctl enable sshd + +# Generate fstab file. +boot_uuid=$(blkid -o value "${LOOPBACK_DEVICE}p1" | head -n 1) +root_uuid=$(blkid -o value "$LUKS_DEVICE" | head -n 1) +cat >>/mnt/etc/fstab < Date: Mon, 6 Jul 2020 10:38:17 +0200 Subject: [PATCH 12/21] Remove incomplete centos-8 support centos-luks ONE image --- .../centos-build-luks-opennebula-image.sh | 182 ------------------ .../centos7-build-luks-opennebula-image.sh | 30 +-- 2 files changed, 9 insertions(+), 203 deletions(-) delete mode 100755 opennebula-images/centos-build-luks-opennebula-image.sh 
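Review bot: `boot_uuid=$(blkid -o value "${LOOPBACK_DEVICE}p1" | head -n 1)` and the matching `root_uuid` line take whichever tag value blkid prints first and assume it is the UUID; that order is not a stable contract (a filesystem carrying a LABEL, for example, would likely list it first), so fstab could end up with the wrong value without any error. If the long options were what failed on CentOS 7, their short forms do the same job: `blkid -s UUID -o value "${LOOPBACK_DEVICE}p1"`. Also, this copy sets `LUKS_DEVICE_NAME=cryptroot2` while the crypttab line (collapsed in this hunk, but added in PATCH 09 as `echo "cryptroot UUID=$luks_uuid luks,timeout=30"`) hardcodes `cryptroot`; writing `"$LUKS_DEVICE_NAME UUID=$luks_uuid luks,timeout=30"` keeps the boot-time mapping name and the script's variable from drifting apart.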
diff --git a/opennebula-images/centos-build-luks-opennebula-image.sh b/opennebula-images/centos-build-luks-opennebula-image.sh
deleted file mode 100755
index f39d937..0000000
--- a/opennebula-images/centos-build-luks-opennebula-image.sh
+++ /dev/null
@@ -1,182 +0,0 @@ -#!/bin/sh - -# This script generates CentOS images for OpenNebula. - -# Depends on the following packages (as of CentOS 8): -# qemu-img util-linux coreutils dnf curl e2fsprogs cryptsetup - -# Run locally (without network) with: -# qemu-system-x86_64 -enable-kvm -m 1G -drive file=$IMAGE,format=raw - -set -e -set -x - -RELEASE=7 -ARCH=x86_64 -IMAGE_PATH=centos-luks-$RELEASE-$(date --iso-8601).img -IMAGE_SIZE=10G -LOOPBACK_DEVICE=/dev/loop0 -LUKS_PASSPHRASE=secret -LUKS_DEVICE_NAME=cryptroot -LUKS_DEVICE="/dev/mapper/$LUKS_DEVICE_NAME" - -ONE_CONTEXT_RPM_URL="https://github.com/OpenNebula/addon-context-linux/releases/download/v5.10.0/one-context-5.10.0-1.el$RELEASE.noarch.rpm" -ONE_CONTEXT_RPM_PATH=/root/one-context.rpm - -cleanup() { - # The order here is important. - umount /mnt/dev/pts 2>/dev/null || true - umount /mnt/dev/shm 2>/dev/null || true - umount /mnt/dev 2>/dev/null || true - umount /mnt/proc 2>/dev/null || true - umount /mnt/run 2>/dev/null || true - umount /mnt/sys 2>/dev/null || true - umount /mnt/boot 2>/dev/null || true - umount /mnt 2>/dev/null || true - losetup -d "$LOOPBACK_DEVICE" -} - -run_root() { - chroot /mnt /usr/bin/env \ - PATH=/sbin:/usr/sbin:/bin:/usr/bin \ - sh -c "$*" -} - -if [ "$(whoami)" != 'root' ]; then - echo "This script must be run as root." >&2 - exit 1 -fi - -if [ ! -f '/etc/centos-release' ]; then - echo "WARNING: this script has been designed to run on a CentOS system." >&2 - echo "WARNING: Not running CentOS. Giving you 5 seconds to abort." >&2 - sleep 5 -fi - -# Create base RAW image (no LOOPBACK support in RHEL/CentOS). -qemu-img create -f raw "$IMAGE_PATH" "$IMAGE_SIZE" -losetup "$LOOPBACK_DEVICE" "$IMAGE_PATH" - -# Don't forget to cleanup, even if the script crash. -trap cleanup EXIT - -# Create partition table, format partitions. 
-parted --script "$LOOPBACK_DEVICE" \ - mklabel msdos \ - mkpart primary ext4 1M 500M \ - mkpart primary ext4 500M 100% - -partprobe "$LOOPBACK_DEVICE" - -mkfs.ext4 "${LOOPBACK_DEVICE}p1" -echo -n "$LUKS_PASSPHRASE" | cryptsetup luksFormat -v -d - "${LOOPBACK_DEVICE}p2" -echo -n "$LUKS_PASSPHRASE" | cryptsetup open -v -d - "${LOOPBACK_DEVICE}p2" "$LUKS_DEVICE_NAME" -mkfs.ext4 "$LUKS_DEVICE" - -# Mount partitions, install base OS. -mount "${LUKS_DEVICE}" /mnt -mkdir /mnt/boot -mount "${LOOPBACK_DEVICE}p1" /mnt/boot - -# AppStream landed in CentOS 8. -if [ $RELEASE -ge 8 ]; then - enabled_repos="--enablerepo=BaseOS --enablerepo=AppStream --enablerepo=extras" - release_specific_packages="systemd-udev" -else - enabled_repos="--enablerepo=base --enablerepo=extras" - release_specific_packages="dnf" -fi - -dnf -y \ - --releasever=$RELEASE \ - --installroot=/mnt \ - --disablerepo='*' \ - $enabled_repos \ - --setopt=install_weak_deps=False install \ - --setopt=reposdir=rpm-repositories \ - bash basesystem systemd dnf centos-release cryptsetup $release_specific_packages - -mount --bind /dev /mnt/dev -mount --bind /dev/pts /mnt/dev/pts -mount --bind /dev/shm /mnt/dev/shm -mount --bind /proc /mnt/proc -mount --bind /run /mnt/run -mount --bind /sys /mnt/sys - -# Guest networking is to be handled by the one-context package. -# See https://github.com/OpenNebula/addon-context-linux for details. -# Note: as of writing, one-context does not support NetworkManager or -# systemd-networkd. - -# Required to resolve package mirror in chroot. -cp /etc/resolv.conf /mnt/etc/resolv.conf - -# Initialize /etc/hosts. -cat > /mnt/etc/hosts << EOF -127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 -::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 - -EOF - -# See https://github.com/OpenNebula/addon-context-linux/issues/121 for details. 
-# network-scripts.x86_64 : Legacy scripts for manipulating of network devices -if [ $RELEASE -ge 8 ]; then - run_root dnf -y install network-scripts -fi - -# Install (magic?) one-context RPM and hope things works as expected. -curl -L "$ONE_CONTEXT_RPM_URL" > "/mnt$ONE_CONTEXT_RPM_PATH" -run_root dnf -y install "$ONE_CONTEXT_RPM_PATH" -run_root rm "$ONE_CONTEXT_RPM_PATH" - -# Install resize2fs, which is required to resize the root file-system. -run_root dnf -y install e2fsprogs - -# Initalize base services. -run_root systemd-machine-id-setup -run_root ln -sf /usr/share/zoneinfo/UTC /etc/localtime - -# Install and configure NTP client. -run_root dnf install -y chrony -run_root systemctl enable chronyd.service - -# Install kernel and bootloader. -# Note: linux-firmware is not required our environment and takes almost 200M -# uncompressed but is a direct dependency of kernel-core... -run_root dnf -y install kernel grub2 - -# Add support for virtio block devices at boot time, configure bootloader. -cat > /mnt/etc/dracut.conf.d/virtio-blk.conf <> /mnt/etc/crypttab - -run_root dracut -v --force --kver $kernel_version -run_root grub2-install --target=i386-pc "${LOOPBACK_DEVICE}" -run_root grub2-mkconfig -o /boot/grub2/grub.cfg - -# Install en configure SSH daemon. -run_root dnf -y install openssh-server -run_root systemctl enable sshd - -# Generate fstab file. -boot_uuid=$(blkid --match-tag UUID --output value "${LOOPBACK_DEVICE}p1") -root_uuid=$(blkid --match-tag UUID --output value "$LUKS_DEVICE") -cat >>/mnt/etc/fstab < /mnt/etc/hosts << EOF 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 - EOF -# See https://github.com/OpenNebula/addon-context-linux/issues/121 for details. -# network-scripts.x86_64 : Legacy scripts for manipulating of network devices -if [ $RELEASE -ge 8 ]; then - run_root dnf -y install network-scripts -fi - -# Install (magic?) 
one-context RPM and hope things works as expected. +# Install one-context RPM and hope things works as expected. curl -L "$ONE_CONTEXT_RPM_URL" > "/mnt$ONE_CONTEXT_RPM_PATH" run_root dnf -y install "$ONE_CONTEXT_RPM_PATH" run_root rm "$ONE_CONTEXT_RPM_PATH" @@ -180,3 +165,6 @@ run_root dnf clean all # Make sure everything is written to disk before exiting. sync + +# Cleanup! +cleanup From c0f32f78e3059c9a0a9264e37f15a6e39d425c74 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timoth=C3=A9e=20Floure?= Date: Mon, 6 Jul 2020 10:43:27 +0200 Subject: [PATCH 13/21] CentOS/luks: disable SSH/user+password ONE scripts --- opennebula-images/centos7-build-luks-opennebula-image.sh | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/opennebula-images/centos7-build-luks-opennebula-image.sh b/opennebula-images/centos7-build-luks-opennebula-image.sh index 6bc6eca..6ea75e9 100755 --- a/opennebula-images/centos7-build-luks-opennebula-image.sh +++ b/opennebula-images/centos7-build-luks-opennebula-image.sh @@ -19,6 +19,7 @@ LOOPBACK_DEVICE=/dev/loop0 LUKS_PASSPHRASE=secret LUKS_DEVICE_NAME=cryptroot LUKS_DEVICE="/dev/mapper/$LUKS_DEVICE_NAME" +DISABLED_ONE_SCRIPTS="loc-20-set-username-password loc-22-ssh_public_key" ONE_CONTEXT_RPM_URL="https://github.com/OpenNebula/addon-context-linux/releases/download/v5.10.0/one-context-5.10.0-1.el$RELEASE.noarch.rpm" ONE_CONTEXT_RPM_PATH=/root/one-context.rpm @@ -113,6 +114,9 @@ EOF curl -L "$ONE_CONTEXT_RPM_URL" > "/mnt$ONE_CONTEXT_RPM_PATH" run_root dnf -y install "$ONE_CONTEXT_RPM_PATH" run_root rm "$ONE_CONTEXT_RPM_PATH" +for script in "$DISABLED_ONE_SCRIPTS"; do + run_root rm "/etc/one-context.d/$script" +done # Install resize2fs, which is required to resize the root file-system. run_root dnf -y install e2fsprogs From 9ba788e75b4d47483c3495e64597bf8ad6df39e5 Mon Sep 17 00:00:00 2001 
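Review bot: The explicit `cleanup` appended after `sync` runs in addition to the `trap cleanup EXIT` registered earlier, so on a successful build `cleanup()` executes twice and the second `losetup -d "$LOOPBACK_DEVICE"` — the one command in the function without `|| true` — acts on an already-detached device and fails. Either disarm the trap first with `trap - EXIT` on the line before `cleanup`, or make the function idempotent, `losetup -d "$LOOPBACK_DEVICE" 2>/dev/null || true`. `cleanup()` itself starts well before this hunk and still never closes the LUKS mapping (`cryptsetup close "$LUKS_DEVICE_NAME"`), which has to happen before the loop device can be released.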
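Review bot: In PATCH 13's second hunk, `for script in "$DISABLED_ONE_SCRIPTS"; do` quotes a space-separated list, so the loop runs once with both names as a single word and `run_root rm "/etc/one-context.d/$script"` fails, aborting the build under `set -e`; PATCH 14 in this series drops the quotes. Beyond that, deleting files that the one-context RPM owns from `/etc/one-context.d/` is undone the next time that package is upgraded inside the guest (assuming the scripts are part of the RPM payload, which this version's file list should be checked for), so the username/password and ssh_public_key contextualization this commit disables would quietly return. At minimum document that constraint in a comment next to `DISABLED_ONE_SCRIPTS`, e.g. `# Removed from the RPM-owned dir: an in-guest one-context upgrade will restore them.`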
From: =?UTF-8?q?Timoth=C3=A9e=20Floure?= Date: Mon, 6 Jul 2020 10:52:55 +0200 Subject: [PATCH 14/21] Centos 7 / LUKS: fix ONE script removal --- opennebula-images/centos7-build-luks-opennebula-image.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/opennebula-images/centos7-build-luks-opennebula-image.sh b/opennebula-images/centos7-build-luks-opennebula-image.sh index 6ea75e9..ddb7189 100755 --- a/opennebula-images/centos7-build-luks-opennebula-image.sh +++ b/opennebula-images/centos7-build-luks-opennebula-image.sh @@ -114,7 +114,7 @@ EOF curl -L "$ONE_CONTEXT_RPM_URL" > "/mnt$ONE_CONTEXT_RPM_PATH" run_root dnf -y install "$ONE_CONTEXT_RPM_PATH" run_root rm "$ONE_CONTEXT_RPM_PATH" -for script in "$DISABLED_ONE_SCRIPTS"; do +for script in $DISABLED_ONE_SCRIPTS; do run_root rm "/etc/one-context.d/$script" done From 1e39b0aa84d70a9264ba5e766c3c81c954998fef Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timoth=C3=A9e=20Floure?= Date: Mon, 6 Jul 2020 11:36:09 +0200 Subject: [PATCH 15/21] Do not use custom reposdir for centos7/LUKS image --- opennebula-images/centos7-build-luks-opennebula-image.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/opennebula-images/centos7-build-luks-opennebula-image.sh b/opennebula-images/centos7-build-luks-opennebula-image.sh index ddb7189..367211e 100755 --- a/opennebula-images/centos7-build-luks-opennebula-image.sh +++ b/opennebula-images/centos7-build-luks-opennebula-image.sh @@ -79,6 +79,7 @@ mount "${LUKS_DEVICE}" /mnt mkdir /mnt/boot mount "${LOOPBACK_DEVICE}p1" /mnt/boot +# Add --setopt=reposdir=rpm-repositories if you do not run on CentOS 7. dnf -y \ --releasever=$RELEASE \ --installroot=/mnt \ @@ -86,7 +87,6 @@ dnf -y \ --enablerepo=base \ --enablerepo=extras \ --setopt=install_weak_deps=False install \ - --setopt=reposdir=rpm-repositories \ bash basesystem systemd dnf centos-release cryptsetup dnf mount --bind /dev /mnt/dev From 8db3786b5b291a002c780acc0ea6a74e161a5c8d Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Timoth=C3=A9e=20Floure?= Date: Mon, 6 Jul 2020 12:37:18 +0200 Subject: [PATCH 16/21] centos7/LUKS script: take LUKS passphrase as command-line argument --- opennebula-images/centos7-build-luks-opennebula-image.sh | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/opennebula-images/centos7-build-luks-opennebula-image.sh b/opennebula-images/centos7-build-luks-opennebula-image.sh index 367211e..3be4b61 100755 --- a/opennebula-images/centos7-build-luks-opennebula-image.sh +++ b/opennebula-images/centos7-build-luks-opennebula-image.sh @@ -16,7 +16,6 @@ ARCH=x86_64 IMAGE_PATH=centos-luks-$RELEASE-$(date --iso-8601).img IMAGE_SIZE=10G LOOPBACK_DEVICE=/dev/loop0 -LUKS_PASSPHRASE=secret LUKS_DEVICE_NAME=cryptroot LUKS_DEVICE="/dev/mapper/$LUKS_DEVICE_NAME" DISABLED_ONE_SCRIPTS="loc-20-set-username-password loc-22-ssh_public_key" @@ -24,6 +23,13 @@ DISABLED_ONE_SCRIPTS="loc-20-set-username-password loc-22-ssh_public_key" ONE_CONTEXT_RPM_URL="https://github.com/OpenNebula/addon-context-linux/releases/download/v5.10.0/one-context-5.10.0-1.el$RELEASE.noarch.rpm" ONE_CONTEXT_RPM_PATH=/root/one-context.rpm +# Get LUKS passphrase. +if [ -z "$1" ]; then + echo "Usage: centos7-build-luks-opennebula-image.sh LUKS_PASSPHRASE" + exit 1 +fi +LUKS_PASSPHRASE="$1" + cleanup() { # The order here is important. umount /mnt/dev/pts 2>/dev/null || true From 3ff2b138cb1b2d36d6bd4c0f1ee96fd5adc071cd Mon Sep 17 00:00:00 2001 From: Nico Schottelius Date: Tue, 7 Jul 2020 21:00:49 +0200 Subject: [PATCH 17/21] in viirb2, output the commandline for next command --- viirb-2-configure-fully-after-upgrade.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/viirb-2-configure-fully-after-upgrade.sh b/viirb-2-configure-fully-after-upgrade.sh index 161b39d..284e783 100755 --- a/viirb-2-configure-fully-after-upgrade.sh +++ b/viirb-2-configure-fully-after-upgrade.sh 
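Review bot: `LUKS_PASSPHRASE="$1"` takes the disk-encryption passphrase from the command line, where it is visible to every local user through `ps` and `/proc/*/cmdline` for the duration of the build and is recorded in the invoking shell's history; `set -x` is also still active, so the later `echo -n "$LUKS_PASSPHRASE" | cryptsetup ...` lines print it expanded to stderr. Read it from the environment or a file instead — `: "${LUKS_PASSPHRASE:?set LUKS_PASSPHRASE in the environment}"`, or accept a key-file path and pass it to `cryptsetup --key-file` — and bracket the cryptsetup calls with `set +x` / `set -x`. The usage message should also print `$0` rather than the hardcoded script name: `echo "Usage: $0 LUKS_PASSPHRASE" >&2`.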
@@ -211,5 +211,5 @@ uci commit
 reboot
 EOF
-echo "Wireguard public key: ${public_key}"
+echo "Wireguard public key and id: ${id} ${public_key}"
 echo ${public_key} > ${viirb_hostname}.public_key

From 7e55e76b14d696724c3d9595ab05c4bc1ca5ff2c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Timoth=C3=A9e=20Floure?=
Date: Tue, 21 Jul 2020 10:55:49 +0200
Subject: [PATCH 18/21] Fix FreeBSD ONE image build script

---
 .../freebsd-build-opennebula-image.sh | 20 ++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)

diff --git a/opennebula-images/freebsd-build-opennebula-image.sh b/opennebula-images/freebsd-build-opennebula-image.sh
index ec64a56..535d2a6 100755
--- a/opennebula-images/freebsd-build-opennebula-image.sh
+++ b/opennebula-images/freebsd-build-opennebula-image.sh
@@ -9,15 +9,13 @@ set -x
 # XXX: Handle command-line arguments?
 RELEASE=12.1-RELEASE
 ARCH=amd64
-IMAGE_PATH=freebsd-$RELEASE-$(date +%+F).img.qcow2
+IMAGE_PATH=freebsd-$RELEASE-$(date -I).img.qcow2
 IMAGE_SIZE=10G
 DIST_BASE="https://download.freebsd.org/ftp/releases/$ARCH/$RELEASE"
 PORTS_BASE="https://download.freebsd.org/ftp/snapshots/$ARCH/12.1-STABLE"
-# TODO: find the package definition and built ourself, publish in some RPM repository.
-ONE_CONTEXT_RPM_URL="https://github.com/OpenNebula/addon-context-linux/releases/download/v5.10.0/one-context-5.10.0-1.el8.noarch.rpm"
-ONE_CONTEXT_RPM_PATH=/root/one-context.rpm
+ONE_CONTEXT_PKG_URL="https://github.com/OpenNebula/addon-context-linux/releases/download/v5.12.0/one-context-5.12.0_1.txz"
 cleanup() {
 sync || true
@@ -70,7 +68,7 @@ growfs_enable=YES
 hostname="freebsd"
 EOF
-cp /etc/resolv.conf > /mnt/etc/resolv.conf
+cp /etc/resolv.conf /mnt/etc/resolv.conf
 tzsetup -s -C /mnt UTC
 cat >>/mnt/etc/ssh/sshd_config <
Date: Tue, 21 Jul 2020 12:08:38 +0200
Subject: [PATCH 19/21] Install requirements for plain centos7 to build centos7 VM

---
 opennebula-images/centos7-build-luks-opennebula-image.sh | 3 +++
 1 file changed, 3 insertions(+)
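Review bot: `ONE_CONTEXT_PKG_URL` now names a release `.txz` on GitHub that, as far as this hunk shows, is fetched and installed with no integrity check; a local `pkg add file.txz` does not, to my knowledge, verify any signature, so pin the expected digest alongside the URL (`ONE_CONTEXT_PKG_SHA256=...`) and verify it with `sha256 -c "$ONE_CONTEXT_PKG_SHA256" <file>` before installing — the download and install happen outside this hunk. The removed `# TODO` about building the package yourselves was the only record of that intent and is still valid for the `.txz`; keep it. Also worth a comment next to these variables: `PORTS_BASE` tracks a moving `12.1-STABLE` snapshot while `RELEASE` is pinned to `12.1-RELEASE`, so two builds on different days can ship different ports trees. `cleanup()` begins on the last lines of the hunk and continues beyond it.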
diff --git a/opennebula-images/centos7-build-luks-opennebula-image.sh b/opennebula-images/centos7-build-luks-opennebula-image.sh
index 3be4b61..f3d34c8 100755
--- a/opennebula-images/centos7-build-luks-opennebula-image.sh
+++ b/opennebula-images/centos7-build-luks-opennebula-image.sh
@@ -60,6 +60,9 @@ if [ ! -f '/etc/centos-release' ]; then
 sleep 5
 fi
+# Install requirements
+yum install -y qemu cryptsetup
+
 # Create base RAW image (no LOOPBACK support in RHEL/CentOS).
 qemu-img create -f raw "$IMAGE_PATH" "$IMAGE_SIZE"
 losetup "$LOOPBACK_DEVICE" "$IMAGE_PATH"

From 9e8e39b2ee5ea37b169a2418308eda3b15f8d521 Mon Sep 17 00:00:00 2001
From: Nico Schottelius
Date: Tue, 21 Jul 2020 12:18:13 +0200
Subject: [PATCH 20/21] Also install dnf for centos

---
 opennebula-images/centos7-build-luks-opennebula-image.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/opennebula-images/centos7-build-luks-opennebula-image.sh b/opennebula-images/centos7-build-luks-opennebula-image.sh
index f3d34c8..69a5c64 100755
--- a/opennebula-images/centos7-build-luks-opennebula-image.sh
+++ b/opennebula-images/centos7-build-luks-opennebula-image.sh
@@ -61,7 +61,7 @@ if [ ! -f '/etc/centos-release' ]; then
 fi
 # Install requirements
-yum install -y qemu cryptsetup
+yum install -y qemu cryptsetup dnf
 # Create base RAW image (no LOOPBACK support in RHEL/CentOS).
 qemu-img create -f raw "$IMAGE_PATH" "$IMAGE_SIZE"

From a109bb16f8fbfd8ff16dcaeb464446f319416dbc Mon Sep 17 00:00:00 2001
From: Nico Schottelius
Date: Tue, 28 Jul 2020 15:40:15 +0200
Subject: [PATCH 21/21] [mikrotik] + permissions +shebang

---
 mikrotik-setup.sh | 0
 mikrotik-update.sh | 2 +-
 2 files changed, 1 insertion(+), 1 deletion(-)
 mode change 100644 => 100755 mikrotik-setup.sh

diff --git a/mikrotik-setup.sh b/mikrotik-setup.sh
old mode 100644
new mode 100755
diff --git a/mikrotik-update.sh b/mikrotik-update.sh
index 934ea47..5d1c281 100755
--- a/mikrotik-update.sh
+++ b/mikrotik-update.sh
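Review bot: `yum install -y qemu cryptsetup` runs on every invocation and pulls in the whole `qemu` emulator stack although the only binary the script uses is `qemu-img` (the `qemu-img create` line three lines below); on CentOS 7 the base repository ships that as the separate `qemu-img` package, so `yum install -y qemu-img cryptsetup` keeps the build host's footprint and attack surface smaller and avoids needing an extra repository for `qemu` — please verify against the repositories you enable. Guarding it, `command -v qemu-img >/dev/null && command -v cryptsetup >/dev/null || yum install -y qemu-img cryptsetup`, also means a rerun does not modify the host's package set. The check just above only sleeps for five seconds on a non-CentOS host, so this line will then try to run `yum` where it may not exist; either turn that check into an `exit 1` or wrap the install in the same `-f /etc/centos-release` test.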
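Review bot: `dnf` is, as far as I know, not in the CentOS 7 base or extras repositories but comes from EPEL, so the new `yum install -y qemu cryptsetup dnf` line will fail on the plain CentOS 7 host that the previous commit's subject targets unless EPEL is already enabled. Either precede it with `yum install -y epel-release` or state the requirement above the line: `# dnf (and qemu) on CentOS 7 come from EPEL; enable it before running this script.` Enabling EPEL on the build host is also a trust decision for the image, since the later `dnf --installroot` call reads the host's repository configuration after the custom reposdir was dropped, so it deserves to be written down rather than discovered from a failed run.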
@@ -1,4 +1,4 @@
-#!/bin
+#!/bin/sh
 # Nico Schottelius, 2019-12-02
 # Update mikrotik routers to the latest package