Merge branch 'master' of code.ungleich.ch:ungleich-public/ungleich-tools

opennebula-images/freebsd-build-opennebula-image.sh

@@ -2,26 +2,47 @@
 
 # This script generates FreeBSD images for OpenNebula, being heavily inspired
 # from srht's FreeBSD build image definition. It assumes running on a FreeBSD host.
+# ZFS installation as documented by the FreeBSD project
+# https://wiki.freebsd.org/RootOnZFS/GPTZFSBoot
 
 set -e
 set -x
 
 # XXX: Handle command-line arguments?
-RELEASE=13.0-RELEASE
+RELEASE=13.1-RELEASE
 ARCH=amd64
-IMAGE_PATH=freebsd-$RELEASE-$(date -I).img.qcow2
+IMAGE_PATH_ZFS="freebsd-zfs-$RELEASE-$(date -I).img.qcow2"
+IMAGE_PATH_UFS="freebsd-ufs-$RELEASE-$(date -I).img.qcow2"
 IMAGE_SIZE=10G
 
-DIST_BASE="https://download.freebsd.org/ftp/releases/$ARCH/$RELEASE"
-PORTS_BASE="https://download.freebsd.org/ftp/snapshots/$ARCH/12.1-STABLE"
+# Comment out to simply use latest version
+# Hash checking is disabled when specifying this
+#CLOUDSETUP_VERSION=1.2
 
-ONE_CONTEXT_PKG_URL="https://github.com/OpenNebula/addon-context-linux/releases/download/v5.12.0/one-context-5.12.0_1.txz"
+DIST_BASE="https://download.freebsd.org/ftp/releases/$ARCH/$RELEASE"
+ZPOOL=zroot
+ZPOOL_TMP="zinstalling"
+
+ZFSTARGET="$(mktemp -d /var/tmp/zfsbuild.XXXXX)"
+UFSTARGET="$(mktemp -d /var/tmp/ufsbuild.XXXXX)"
+
+if zpool list -Ho name "$ZPOOL_TMP" 2>/dev/null; then
+	echo "The pool $ZPOOL_TMP is already imported." >&2
+	exit 1
+fi
 
 cleanup() {
-	sync || true
-	umount /mnt/dev || true
-	umount /mnt || true
-	mdconfig -du md0 || true
+	sync ||:
+	umount "$UFSTARGET/dev" ||:
+	umount "$UFSTARGET/tmp" ||:
+	umount "$UFSTARGET/var/tmp" ||:
+	umount "$UFSTARGET" ||:
+	zpool export "$ZPOOL_TMP" ||:
+	mdconfig -du md0 ||:
+	mdconfig -du md1 ||:
+	rm -rf "$CLOUDSETUP_WORK" ||:
+	rmdir "$ZFSTARGET" ||:
+	rmdir "$UFSTARGET" ||:
 }
 trap cleanup EXIT
 
@@ -30,20 +51,89 @@ if [ "$(whoami)" != 'root' ]; then
 	exit 1
 fi
 
-# Allocate and partition/format disk image.
-disk=$(mktemp)
-truncate -s 6G $disk
-mdconfig -a -t vnode -f $disk -u md0
-gpart create -s gpt /dev/md0
-gpart add -t freebsd-boot -l bootfs -b 40 -s 512K md0
-gpart bootcode -b /boot/pmbr -p /boot/gptboot -i 1 md0
-gpart add -t freebsd-ufs -l rootfs -b 1M -s 5G md0
-newfs -U /dev/md0p2
+if ! command -v rsync >/dev/null
+then
+	env ASSUME_ALWAYS_YES=YES pkg install -y rsync
+fi
+if ! command -v qemu-img >/dev/null
+then
+	env ASSUME_ALWAYS_YES=YES pkg install -y qemu-tools
+fi
+
+portsnap fetch
+if [ -f /usr/ports/README ]
+then
+	portsnap update || portsnap extract
+else
+	portsnap extract
+fi
+
+if [ -n "$CLOUDSETUP_VERSION" ]
+then
+	sed -i .bak -e '/^PORTVERSION=/ s/[0-9]*\.[0-9]*/'"$CLOUDSETUP_VERSION/" /usr/ports/sysutils/firstboot-cloudsetup/Makefile
+	make -C /usr/ports/sysutils/firstboot-cloudsetup makesum
+fi
+make -C /usr/ports/sysutils/firstboot-cloudsetup clean package
+CLOUDSETUP_VERSION="$(fgrep VERSION /usr/ports/sysutils/firstboot-cloudsetup/Makefile | cut -f2- | tr -d \\t)"
+CLOUDSETUP_PKG="/usr/ports/sysutils/firstboot-cloudsetup/work/pkg/firstboot-cloudsetup-${CLOUDSETUP_VERSION}.pkg"
+tar -tzf "$CLOUDSETUP_PKG" >/dev/null # check that it's a valid tar, or we crash due to set -e
+# tar -t lists the contents of a tar file, but does not extract
+
+make -C /usr/ports/sysutils/firstboot-freebsd-update clean package
+FBUPDATE_VERSION="$(fgrep VERSION /usr/ports/sysutils/firstboot-freebsd-update/Makefile | cut -f2- | tr -d \\t)"
+FBUPDATE_PKG="/usr/ports/sysutils/firstboot-freebsd-update/work/pkg/firstboot-freebsd-update-${FBUPDATE_VERSION}.pkg"
+tar -tzf "$FBUPDATE_PKG" >/dev/null # check that it's a valid tar, or we crash due to set -e
+
+ufsdisk="$(mktemp /var/tmp/ufsdisk.XXXXX)"
+truncate -s 6G "$ufsdisk"
+mdconfig -a -t vnode -f "$ufsdisk" -u md1
+gpart create -s gpt /dev/md1
+#gpart add -t efi -l efiboot0 -s 260M md1
+gpart add -t freebsd-boot -l gptboot -b 40 -s 512K md1
+gpart bootcode -b /boot/pmbr -p /boot/gptboot -i 1 md1
+gpart add -t freebsd-ufs -l rootfs -b 1M -s 5G md1
+newfs -U /dev/md1p2
 
 # Mount allocated image.
-mount /dev/md0p2 /mnt
-mkdir -p /mnt/dev
-mount -t devfs devfs /mnt/dev
+mount /dev/md1p2 "$UFSTARGET"
+
+# Allocate and partition/format disk image.
+# We use "legacy boot", aka BIOS boot
+# Preferably, we'd use EFI boot here, check the FreeBSD wiki link in the header
+# to see how to make that change, but make the EFI partition larger
+zfsdisk="$(mktemp /var/tmp/zfsdisk.XXXXX)"
+truncate -s 6G "$zfsdisk"
+mdconfig -a -t vnode -f "$zfsdisk" -u md0
+gpart create -s gpt /dev/md0
+#gpart add -t efi -l efiboot0 -s 260M md1
+gpart add -t freebsd-boot -l gptboot0 -b 40 -s 512K md0
+gpart bootcode -b /boot/pmbr -p /boot/gptzfsboot -i 1 md0
+gpart add -t freebsd-zfs -l zfs0 -b 1M -s 5G md0
+zpool create -O compression=on -o ashift=12 -o "altroot=$ZFSTARGET" -m none -t "$ZPOOL_TMP" "$ZPOOL" md0p2
+
+zfs create -o mountpoint=none                                  "$ZPOOL_TMP/ROOT"
+# We set zstd-19 so our image will become smaller, at the cost of a longer build time.
+# At the end of the process, we disable zstd-19 again using zfs inherit compression,
+# but all files already written will remain zstd-19 compressed
+zfs create -o mountpoint=/ -o canmount=noauto                  "$ZPOOL_TMP/ROOT/default"
+mount -t zfs "$ZPOOL_TMP/ROOT/default" "$ZFSTARGET"
+zpool set "bootfs=$ZPOOL_TMP/ROOT/default" "$ZPOOL_TMP"
+
+zfs create -o mountpoint=/tmp  -o exec=on      -o setuid=off   "$ZPOOL_TMP/tmp"
+zfs create -o canmount=off -o mountpoint=/usr                  "$ZPOOL_TMP/usr"
+zfs create                                                     "$ZPOOL_TMP/usr/home"
+zfs create                     -o exec=off     -o setuid=off   "$ZPOOL_TMP/usr/src"
+zfs create -o mountpoint=/usr/ports            -o setuid=off   "$ZPOOL_TMP/usr/ports"
+zfs create -o canmount=off -o mountpoint=/var                  "$ZPOOL_TMP/var"
+zfs create                     -o exec=off     -o setuid=off   "$ZPOOL_TMP/var/audit"
+zfs create                     -o exec=off     -o setuid=off   "$ZPOOL_TMP/var/crash"
+zfs create                     -o exec=off     -o setuid=off   "$ZPOOL_TMP/var/log"
+zfs create -o atime=on         -o exec=off     -o setuid=off   "$ZPOOL_TMP/var/mail"
+zfs create                     -o exec=on      -o setuid=off   "$ZPOOL_TMP/var/tmp"
+
+ln -s /usr/home "$ZFSTARGET/home"
+chmod 1777 "$ZFSTARGET/var/tmp"
+chmod 1777 "$ZFSTARGET/tmp"
 
 # Download and extract base system.
 dist_files="kernel.txz base.txz"
@@ -53,64 +143,81 @@ mkdir -p "$dist_dir"
 for f in $dist_files
 do
 	fetch -m -o "$dist_dir/$f" "$DIST_BASE/$f"
-	tar -C /mnt -xJf "$dist_dir/$f"
+	tar -C "$UFSTARGET" -xJf "$dist_dir/$f"
 done
 
+# Mount dev and tmp in chroot
+mount -t devfs devfs "$UFSTARGET/dev"
+mount_nullfs /tmp "$UFSTARGET/tmp"
+mount_nullfs /var/tmp "$UFSTARGET/var/tmp"
+
+# Install the first-boot script that configures the network and ssh key
+# We must use --rootdir and not --chroot, because the file is read from within the chroot
+# --automatic means that the package is considered to be installed "automatically",
+# aka as a dependency of something, so pkg autoremove will remove it.
+# We do not run pkg autoremove ourselves, that's up to the administrator.
+pkg --rootdir "$UFSTARGET" add --automatic "$CLOUDSETUP_PKG" "$FBUPDATE_PKG"
+
 # Configure new system.
-echo "/dev/gpt/rootfs / ufs rw,noatime 1 1" >/mnt/etc/fstab
-touch /mnt/firstboot
-echo 'autoboot_delay="-1"' >>/mnt/boot/loader.conf
+touch "$UFSTARGET/firstboot"
+sysrc -f "$UFSTARGET/boot/loader.conf" \
+	zfs_load="YES" \
+	autoboot_delay="-1" \
 
-cat >>/mnt/etc/rc.conf <<EOF
-ntpd_enable=YES
-sshd_enable=YES
-growfs_enable=YES
-hostname="freebsd"
-EOF
+sysrc -f "$UFSTARGET/etc/rc.conf" \
+	zfs_enable="YES" \
+	ntpd_enable="YES" \
+	sshd_enable="YES" \
+	growfs_enable="YES" \
+	hostname="freebsd" \
+	firstboot_cloudsetup_enable="YES" \
+	firstboot_freebsd_update_enable="YES" \
 
-cp /etc/resolv.conf /mnt/etc/resolv.conf
-tzsetup -s -C /mnt UTC
+# The resolv.conf file is written by firstboot_cloudsetup
+#cp /etc/resolv.conf "$UFSTARGET/etc/resolv.conf"
 
-cat >>/mnt/etc/ssh/sshd_config <<EOF
-PermitRootLogin yes
-PasswordAuthentication no
-PermitEmptyPasswords no
-EOF
+tzsetup -s -C "$UFSTARGET" UTC
 
-mkdir -p /mnt/usr/local/etc/pkg/repos/
-cat >/mnt/usr/local/etc/pkg/repos/FreeBSD.conf <<EOF
-FreeBSD: {
-	url: pkg+http://pkg.FreeBSD.org/\$\{ABI\}/latest
-	enabled: yes
-}
-EOF
-
-# freebsd-update is only supported for RELEASE
-if [ "${release%-RELEASE}" != "$RELEASE" ]
+# Add PermitRootLogin without-password, unless PermitRootLogin yes was already set
+sed -i .orig -e '/^#PermitRootLogin[[:blank:]]/a\
+PermitRootLogin without-password
+' -e '/^PermitRootLogin[[:blank:]]*no/ s/\([[:blank:]]\).*$/\1without-password/' \
+	"$UFSTARGET/etc/ssh/sshd_config"
+if ! grep -Eq '^PermitRootLogin (without-password|yes)' "$UFSTARGET/etc/ssh/sshd_config"
 then
-	env PAGER=true /usr/sbin/freebsd-update \
-		-b /mnt \
-		--currently-running "$RELEASE" \
-		--not-running-from-cron -F \
-		fetch install
+	cat >>"$UFSTARGET/etc/ssh/sshd_config" <<EOF
+
+# Added by Ungleich
+PermitRootLogin without-password
+EOF
 fi
 
-env ASSUME_ALWAYS_YES=YES pkg -c /mnt bootstrap -f
-env ASSUME_ALWAYS_YES=YES pkg -c /mnt install bash curl
+# Set zstd-19 compression, copy all data to the pool, and then set compression to default again
+# This will make the base image smaller, at the cost of taking longer to generate, as zstd-19 is slow to write
+# Therefore, afterwards we restore compression to default, so written files stay zstd-19, which is fast to read,
+# but files written by the user afterwards will be written with the default compression algorihtm.
+zfs set compression=zstd-19 "$ZPOOL_TMP/ROOT/default"
+umount "$UFSTARGET/dev" "$UFSTARGET/tmp" "$UFSTARGET/var/tmp"
+rsync -aH --fileflags --inplace "$UFSTARGET/." "$ZFSTARGET"
 
-curl -L "$ONE_CONTEXT_PKG_URL" -o /mnt/one-context.txz
-env ASSUME_ALWAYS_YES=YES pkg -c /mnt add one-context.txz
-rm /mnt/one-context.txz
+sysrc -f "$UFSTARGET/boot/loader.conf" -x zfs_load
+sysrc -f "$UFSTARGET/etc/rc.conf" -x zfs_enable
+printf '# Device\tMountpoint\tFStype\tOptions\t\tDump\tPass#\n' \
+	>"$ZFSTARGET/etc/fstab"
+printf '# Device\tMountpoint\tFStype\tOptions\t\tDump\tPass#\n%s\t%s\t\t%s\t%s\t%s\t%s\n' \
+	/dev/gpt/rootfs / ufs rw,noatime 1 1 \
+	>"$UFSTARGET/etc/fstab"
+sync ||:
+zfs inherit compression "$ZPOOL_TMP/ROOT/default"
 
-fetch -m -o "$dist_dir/ports.txz" "$PORTS_BASE/ports.txz"
-tar -C /mnt -xJf "$dist_dir/ports.txz"
-
-cleanup
 trap : EXIT
+cleanup
 
 mkdir -p "$ARCH"
-qemu-img convert -f raw -O qcow2 "$disk" "$IMAGE_PATH"
-rm "$disk"
+qemu-img convert -f raw -O qcow2 "$zfsdisk" "$ARCH/$IMAGE_PATH_ZFS"
+qemu-img convert -f raw -O qcow2 "$ufsdisk" "$ARCH/$IMAGE_PATH_UFS"
+rm "$zfsdisk" "$ufsdisk"
 
 # Filesystem will be enlarged by growfs(7) on next startup
-qemu-img resize "$IMAGE_PATH" "$IMAGE_SIZE"
+qemu-img resize "$ARCH/$IMAGE_PATH_ZFS" "$IMAGE_SIZE"
+qemu-img resize "$ARCH/$IMAGE_PATH_UFS" "$IMAGE_SIZE"

opennebula-images/ubuntu-build-opennebula-image.sh

@@ -9,14 +9,14 @@ set -e
 set -x
 
 # XXX: Handle command-line arguments?
-RELEASE=groovy # 20.10
+RELEASE=jammy # 22.04 LTS
 ARCH=amd64
 IMAGE_PATH=ubuntu-$RELEASE-$(date --iso-8601).img.qcow2
 IMAGE_SIZE=10G
 NBD_DEVICE=/dev/nbd0
 
 # TODO: find the package definition and built ourself, publish in some RPM repository.
-ONE_CONTEXT_DEB_URL="https://github.com/OpenNebula/addon-context-linux/releases/download/v5.10.0/one-context_5.10.0-1.deb"
+ONE_CONTEXT_DEB_URL="https://github.com/OpenNebula/addon-context-linux/releases/download/v6.4.0/one-context_6.4.0-1.deb"
 ONE_CONTEXT_DEB_PATH=/root/one-context.deb
 
 cleanup() {

openwrt/openwrt-add-ipv4-vpn.sh

@@ -24,10 +24,10 @@ public_key=$(echo $private_key | wg pubkey)
 
 case $my_wireguard_ip in
     185.155.29.*)
-        vpn_endpoint_pubkey=6BRnQ+dmeFzVCH9RbM1pbJ7u3y3qrl+zUzzYCmC88kE=
+        vpn_endpoint_pubkey="6BRnQ+dmeFzVCH9RbM1pbJ7u3y3qrl+zUzzYCmC88kE="
     ;;
     185.155.30.*)
-        vpn_endpoint_pubkey=5ach7pUQ57aa402LHz1MYh7lyBZS0GvBEw2PC6dMHW4=
+        vpn_endpoint_pubkey="5ach7pUQ57aa402LHz1MYh7lyBZS0GvBEw2PC6dMHW4="
         ;;
     *)
         echo "Unknown VPN host for IP $my_wireguard_ip" >&2
@@ -77,4 +77,12 @@ uci commit
 
 EOF
 
-echo "Host ${my_ip} uses ip ${my_wireguard_ip} with public key ${public_key}"
+echo "Host ${my_ip} uses ip ${my_wireguard_ip} with public key ${public_key}:"
+
+cat <<EOF
+
+#
+[Peer]
+PublicKey = ${public_key}
+AllowedIPs = ${my_wireguard_ip}/32
+EOF

vnc_console_connection/db_export.py

@@ -1,5 +1,14 @@
 import psycopg2 as pg2
 from config import config
+import logging
+
+logger = logging.getLogger()
+logger.setLevel(logging.INFO)
+formatter = logging.Formatter('%(asctime)s - %(name)s - %(levelname)s - %(message)s')
+file_handler = logging.FileHandler('/var/log/desktop.log')
+file_handler.setFormatter(formatter)
+logger.addHandler(file_handler)
+
 
 db_name = config['db']['db_name']
 db_user = config['db']['db_user']
@@ -10,15 +19,15 @@ db_port = config['db']['db_port']
 def setconn(u_id, vm_num, vm_port,vm_host):
     conn = pg2.connect("host = localhost dbname={} user={} password={} port={}".format(db_name,db_user,db_password,db_port))
     conn.autocommit = True
-    cur = conn.cursor() 
+    cur = conn.cursor()
     cur.execute("SELECT entity_id FROM guacamole_entity WHERE name = '{}'".format(u_id))
     row = cur.fetchone()
     if row == None:
-        cur.execute("INSERT INTO guacamole_entity (name, type) VALUES ('{}','USER')".format(u_id))    
+        cur.execute("INSERT INTO guacamole_entity (name, type) VALUES ('{}','USER')".format(u_id))
         cur.execute("SELECT entity_id FROM guacamole_entity WHERE name = '{}'".format(u_id))
         row = cur.fetchone()
         en_id = row[0]
-        cur.execute("INSERT INTO guacamole_user(entity_id, password_hash, password_date) VALUES ('{}', '\x74657374', now())".format(en_id)) 
+        cur.execute("INSERT INTO guacamole_user(entity_id, password_hash, password_date) VALUES ('{}', '\x74657374', now())".format(en_id))
         print("create user : " , u_id)
     else:
         en_id = row[0]
@@ -43,7 +52,9 @@ def setconn(u_id, vm_num, vm_port,vm_host):
         #clipboard-encoding
         cur.execute("INSERT INTO guacamole_connection_parameter VALUES ('{}','clipboard-encoding','UTF-8')".format(cn_id))
         print("create connection")
-    else:    
+        log = "create connection : " + cn
+        logging.info(log)
+    else:
         cur.execute("SELECT MAX(connection_id) FROM guacamole_connection WHERE connection_name = '{}' AND parent_id IS NULL".format(cn))
         temp_cn_id = cur.fetchone()
         cn_id = temp_cn_id[0]
@@ -52,4 +63,30 @@ def setconn(u_id, vm_num, vm_port,vm_host):
         #cur.execute("UPDATE guacamole_connection_parameter SET parameter_value='UTF-8' where connection_id='{}' and parameter_name='clipboard-encoding'".format(cn_id))
         print("no connection")
     conn.close()
-    return None
+    return None
+
+
+def delconn(u_id, vm_num):
+    conn2 = pg2.connect("host = localhost dbname={} user={} password={} port={}".format(db_name,db_user,db_password,db_port))
+    conn2.autocommit = True
+    cur2 = conn2.cursor()
+    cur2.execute("SELECT entity_id FROM guacamole_entity WHERE name = '{}'".format(u_id))
+    row2 = cur2.fetchone()
+    if row2 == None:
+        print("no user : " , u_id)
+    else:
+        cn2 = "{}{}".format(u_id,vm_num)
+        cur2.execute("SELECT connection_id FROM guacamole_connection WHERE connection_name = '{}'".format(cn2))
+        row2 = cur2.fetchone()
+        if row2 != None:
+            print("cn_id : ", row2[0])
+            #delete connection
+            cur2.execute("SELECT connection_id from guacamole_connection_permission where connection_id = '{}'".format(row2[0]))
+            row2 = cur2.fetchone()
+            if row2 != None:
+                print("delete connection : ",row2[0])
+                cur2.execute("delete from guacamole_connection_permission where connection_id = '{}'".format(row2[0]))
+                log = "delete connection : " + cn2
+                logging.info(log)
+    conn2.close()
+    

vnc_console_connection/get_info.py

@@ -6,6 +6,7 @@ from xmltodict import parse
 from config import config
 from ldap_list import vm_list
 from db_export import setconn
+from db_export import delconn
 
 # Constants
 ALL_VM_STATES = -1
@@ -61,6 +62,22 @@ class VM:
         }
 
 
+class tVM:
+    def __init__(self, tvm: dict):
+        self.id = vm.get('ID', None)
+        self.owner = {
+            'id': vm.get('UID', None),
+            'name': vm.get('UNAME', None),
+            'gname': vm.get('GNAME', None)
+        }
+        self.name = vm.get('NAME', None)
+        self.status = vm.get('STATE', None)
+        if self.status:
+            self.status = VMState(int(self.status)).name.lower()
+
+        template = vm['TEMPLATE']
+
+
 def main():
     with RPCClient(opnserver) as rpc_client:
         success, response, *_ = rpc_client.one.vmpool.infoextended(
@@ -74,15 +91,33 @@ def main():
                     vm_user = vm['UNAME']
                     vm_id = vm['ID']
                     vm_port = vm['TEMPLATE']['GRAPHICS'].get('PORT')
-                    vm_host = vm['HISTORY_RECORDS']['HISTORY']['HOSTNAME'] 
+                    vm_host = vm['HISTORY_RECORDS']['HISTORY']['HOSTNAME']
                     if vm['UNAME'] == temp_uname:
-                        #print(entry.uid, vm_id, vm_port, vm_host)
+                        print(entry.uid, vm_id, vm_port, vm_host)
                         setconn(entry.uid, vm_id, vm_port, vm_host)
-                          
+
         else:
             print(response)
 
+    with RPCClient(opnserver) as rpc_client2:
+        success, response, *_ = rpc_client2.one.vmpool.infoextended(
+                 session_string , VmFilterFlag.AllResources.value, START_ID, END_ID, VMState.DONE.value
+        )
+        if success:
+            vms2 = json.loads(json.dumps(parse(response)))['VM_POOL']['VM']
+            for entry in vm_list.entries:
+                temp_uname = entry.uid
+                for i, tvm in enumerate(vms2):
+                    vm_user = tvm['UNAME']
+                    vm_id = tvm['ID']
+                    if tvm['UNAME'] == temp_uname:
+                        print("terminated VM : ", entry.uid, vm_id)
+                        delconn(entry.uid, vm_id)
+
+        else:
+            print(response)
 
 if __name__ == "__main__":
     main()
 
+