#!/bin/sh
-set -e -f ${DRY_RUN:+-n} -u ${TRACE:+-x}
- # -e: erreur si une commande non testée échoue.
- # -f: désactive les jokers dans les chemins.
- # -u: erreur si une variable non-définie est utilisée.
- # -x: affiche les commandes exécutées sur la sortie d'erreur standard.
+set -e -f ${DRY_RUN:+-n} -u
tool=${0%/*}
. "$tool"/env.sh
Voir \`$tool/ateliers_hosted' pour les utilitaires côté VM hébergée.
SYNTAX: $0 \$RULE \${RULE}_SYNTAX
RULES:
- $(sed -ne 's/^rule_\([^ ]*\) () {\( *#.*\|\)/\t\1\2/p' "$0")
+ $(sed -ne 's/^rule_\([^_][^ ]*\) () {\( *#.*\|\)/\t\1\2/p' "$0")
ENVIRONMENT:
+ TRACE # affiche les commandes avant leur exécution
$(sed -ne 's/^readonly \([^ =]*\).*}\( *#.*\|\)$/\t$\1\2/p' "$tool"/env.sh "$0")
EOF
}
-readonly dev_disk="/dev/xvda"
-readonly dev_disk_boot="${dev_disk}1"
-readonly dev_disk_swap="${dev_disk}5"
-readonly dev_disk_root="${dev_disk}6"
-readonly dev_disk_var="${dev_disk}7"
-readonly dev_disk_home="${dev_disk}8"
+readonly vm_dev_disk="/dev/xvda"
+readonly vm_dev_disk_boot="${vm_dev_disk}1"
+readonly vm_dev_disk_swap="${vm_dev_disk}5"
+readonly vm_dev_disk_root="${vm_dev_disk}6"
+readonly vm_dev_disk_var="${vm_dev_disk}7"
+readonly vm_dev_disk_home="${vm_dev_disk}8"
rule_xen_config_init () {
- tee /etc/xen/$vm_fqdn.cfg <<-EOF
+ sudo tee /etc/xen/$vm_fqdn.cfg <<-EOF
# -*- mode: python; -*-
import os, re
- name = "$vm"
+ name = "$vm_fqdn"
arch = os.uname()[4]
memory = 2048
vcpus = 1
sudo xm shutdown $vm_fqdn.cfg
}
-rule_disk_mount () {
- # Montage du disque de la VM depuis l'hôte
- test ! -e $vm_dev_disk
+rule_disk_mount () { # DESCRIPTION: montage du disque de la VM depuis l'hôte
+ test -e $vm_dev_disk ||
sudo xm block-attach 0 phy:/dev/domU/$vm_fqdn-disk $vm_dev_disk w
+ # NOTE: on pourrait utiliser kpartx à la place je pense ; détail.
}
-rule_disk_unmount () {
- # Démontage du disque de la VM depuis l'hôte
- test -e $vm_dev_disk
- ! mountpoint /mnt/$vm_fqdn
+rule_disk_umount () { # DESCRIPTION: démontage du disque de la VM depuis l'hôte
+ mountpoint /mnt/$vm_fqdn ||
sudo xm block-detach 0 $vm_dev_disk
}
-rule_disk_part () {
- # Partitionage du disque de la VM
+rule_disk_part () { # DESCRIPTION: partitionage du disque de la VM
# NOTE: on fait le choix de ne pas utiliser LVM sur la machine virtuelle car :
# - pour l'extension de mémoire:
# 1. on créera une nouvelle partition sur le LVM de l'hôte
# 1. sauvegarde au niveau applicatif (pgdump, mysqldump)
# 2. sauvegarde des configurations (etckeeper, git)
# 3. sauvegarde incrémentale et chiffrée des autres fichiers (duplicity)
- # NOTE:
sudo sfdisk -d $vm_dev_disk <<-EOF
# partition table of $vm_dev_disk
unit: sectors
EOF
}
-rule_boot_format () {
- mount | grep -q "^$vm_dev_disk_boot "
- sudo mkfs.ext2 -m 0 -T small -L "boot" $vm_dev_disk_boot
- }
-rule_boot_mount () {
- ! mountpoint /mnt/$vm_fqdn/boot
- sudo mount -v $vm_dev_disk_boot /mnt/$vm_fqdn/boot
- }
-rule_boot_unmount () {
- mountpoint /mnt/$vm_fqdn/boot
- sudo unmount -v /mnt/$vm_fqdn/boot
- }
-
-rule_part_clean () {
- # NOTE: long, optionnel
- # Déjà fait à la main histoire de pouvoir créer la machine virtuelle plus
- # rapidement le jour venu.
- part=$1
+rule_part_randomize () { # SYNTAX: $part # NOTE: à anticiper
+ local part=$1
eval "sudo dd if=/dev/urandom of=\$vm_dev_disk_$part"
}
-rule_part_clean_stat () {
- # USE: exécuter cette fonction dans un shell distinct de rule_part_clean()
- # lui fait afficher sa progression.
- part=$1
+rule_part_randomize_stat () { # SYNTAX: $part # DESCRIPTION: fait afficher la progression de rule_part_clean
+ local part=$1
eval "pkill -USR1 -f \"^dd if=/dev/urandom of=\$vm_dev_disk_$part\""
}
-rule_part_format_root () {
- # DECRIPTION: Formatage de /
- part="root"
- eval dev="\$vm_dev_disk_$part"
- sudo cryptsetup luksFormat --hash=sha512 --key-size=512 --key-file=- \
- --cipher=aes-xts-essiv:sha256 --align-payload=8 $dev
- sudo cryptsetup luksOpen --key-file=- $dev ${vm}_${part}_deciphered
- sudo mkfs.ext4 -m 5 -T ext4 -L ${vm}_$part -E stripe_width=32,resize=15G \
- /dev/mapper/${vm}_${part}_deciphered
- }
-rule_format_part () {
- # DESCRIPTION: formatage d'une partition distincte de /
+rule__part_encrypted_format () { # SYNTAX: $part # DESCRIPTION: formatage d'une partition distincte de /
# NOTE: la clef de chiffrement est dérivée de celle de /,
# / doit être déchiffrée pour que cela fonctionne.
- part=$1
- eval dev="\$vm_dev_disk_$part"
- test -e /dev/mapper/${vm}_root_deciphered
+ local part=$1
+ eval "local dev=\$vm_dev_disk_$part"
+ test ! -e /dev/mapper/${vm}_root_deciphered ||
sudo /lib/cryptsetup/scripts/decrypt_derived ${vm}_root_deciphered |
- sudo cryptsetup luksFormat --key-file=- --hash=sha512 --key-size=512 --cipher=aes-xts-essiv:sha256 $dev
+ sudo cryptsetup luksFormat --hash=sha512 --key-size=512 \
+ --cipher=aes-xts-essiv:sha256 --key-file=- --align-payload=8 $dev
}
-rule_mount_part () {
- part=$1
- eval dev="\$vm_dev_disk_$part"
- test -e /dev/mapper/${vm}_root_deciphered
+rule__part_encrypted_mount () { # SYNTAX: $part
+ local part=$1
+ eval "local dev=\$vm_dev_disk_$part"
+ test ! -e /dev/mapper/${vm}_root_deciphered ||
sudo /lib/cryptsetup/scripts/decrypt_derived ${vm}_root_deciphered |
sudo cryptsetup luksOpen --key-file=- $dev ${vm}_${part}_deciphered
}
-rule_unmount_part () {
- part=$1
- eval dev="\$vm_dev_disk_$part"
+rule__part_encrypted_umount () { # SYNTAX: $part
+ local part=$1
+ eval "local dev=\$vm_dev_disk_$part"
+ test ! -e /dev/mapper/${vm}_${part}_deciphered ||
sudo cryptsetup luksClose ${vm}_${part}_deciphered
}
-rule_part_format_swap () {
- part="swap"
- rule_format_part $part
- rule_mount_part $part
- sudo mkswap -f -L ${vm}_swap /dev/mapper/${vm}_${part}_deciphered
- rule_unmount_part $part
- }
-rule_part_format_var () {
- part="var"
- rule_format_part $part
- rule_mount_part $part
- sudo mkfs.ext4 -m 5 -T ext4 -L ${vm}_$part -E stripe_width=32,resize=5G /dev/mapper/${vm}_${part}_deciphered
- rule_unmount_part $part
- }
-rule_part_format_home () {
- part="home"
- rule_format_part $part
- rule_mount_part $part
- sudo mkfs.ext4 -m 5 -T ext4 -L ${vm}_$part -E stripe_width=32,resize=200G /dev/mapper/${vm}_${part}_deciphered
- rule_unmount_part $part
+rule_part_root_format () {
+ if ! mount | grep -q "^$vm_dev_disk_root "
+ then
+ sudo cryptsetup luksFormat --hash=sha512 --key-size=512 \
+ --cipher=aes-xts-essiv:sha256 --key-file=- --align-payload=8 $vm_dev_disk_root
+ sudo cryptsetup luksOpen --key-file=- $vm_dev_disk_root ${vm}_root_deciphered
+ sudo mkfs.ext4 -m 5 -T ext4 -L ${vm}_root -E stripe_width=32,resize=15G \
+ /dev/mapper/${vm}_root_deciphered
+ ! mountpoint /mnt/$vm_fqdn
+ sudo mount -v /dev/mapper/${vm}_root_deciphered /mnt/$vm_fqdn
+ mk_dir mod=0770 own=root:root /mnt/$vm_fqdn/boot
+ mk_dir mod=0770 own=root:root /mnt/$vm_fqdn/dev
+ mk_dir mod=0770 own=root:root /mnt/$vm_fqdn/home
+ mk_dir mod=0770 own=root:root /mnt/$vm_fqdn/proc
+ mk_dir mod=0770 own=root:root /mnt/$vm_fqdn/sys
+ mk_dir mod=0770 own=root:root /mnt/$vm_fqdn/var
+ sudo umount -v /mnt/$vm_fqdn
+ fi
+ }
+rule_part_root_mount () {
+ test -e /dev/mapper/${vm}_root_deciphered ||
+ sudo cryptsetup luksOpen $vm_dev_disk_root ${vm}_root_deciphered
+ ! mountpoint /mnt/$vm_fqdn ||
+ sudo mount -v /dev/mapper/${vm}_root_deciphered /mnt/$vm_fqdn
+ }
+rule_part_root_umount () {
+ ! mountpoint /mnt/$vm_fqdn ||
+ sudo umount -v /mnt/$vm_fqdn
+ ! test -e /dev/mapper/${vm}_root_deciphered ||
+ sudo cryptsetup luksClose ${vm}_root_deciphered
+ }
+rule_part_swap_format () {
+ rule__part_encrypted_format swap
+ rule__part_encrypted_mount swap
+ sudo mkswap -f -L ${vm}_swap /dev/mapper/${vm}_swap_deciphered
+ rule__part_encrypted_umount swap
+ }
+rule_part_boot_format () {
+ mount | grep -q "^$vm_dev_disk_boot " ||
+ sudo mkfs.ext2 -m 0 -T small -L ${vm}_boot $vm_dev_disk_boot
+ }
+rule_part_boot_mount () {
+ mountpoint /mnt/$vm_fqdn
+ test -d /mnt/$vm_fqdn/boot
+ mountpoint /mnt/$vm_fqdn/boot ||
+ sudo mount -v $vm_dev_disk_boot /mnt/$vm_fqdn/boot
+ }
+rule_part_boot_umount () {
+ ! mountpoint /mnt/$vm_fqdn/boot ||
+ sudo umount -v /mnt/$vm_fqdn/boot
+ }
+rule_part_var_format () {
+ rule__part_encrypted_format var
+ rule__part_encrypted_mount var
+ sudo mkfs.ext4 -m 5 -T ext4 -L ${vm}_var -E stripe_width=32,resize=5G \
+ /dev/mapper/${vm}_${part}_deciphered
+ rule__part_encrypted_umount var
+ }
+rule_part_var_mount () {
+ rule__part_encrypted_mount var
+ mountpoint /mnt/$vm_fqdn/var ||
+ sudo mount -v /dev/mapper/${vm}_var_deciphered /mnt/$vm_fqdn/var
+ }
+rule_part_var_umount () {
+ ! mountpoint /mnt/$vm_fqdn/var ||
+ sudo umount -v /mnt/$vm_fqdn/var
+ rule__part_encrypted_umount var
+ }
+rule_part_home_format () {
+ rule__part_encrypted_format home
+ rule__part_encrypted_mount home
+ sudo mkfs.ext4 -m 0 -T ext4 -L ${vm}_home -E stripe_width=32,resize=200G \
+ /dev/mapper/${vm}_home_deciphered
+ rule__part_encrypted_umount home
+ }
+rule_part_home_mount () {
+ rule__part_encrypted_mount home
+ mountpoint /mnt/$vm_fqdn/home ||
+ sudo mount -v /dev/mapper/${vm}_home_deciphered /mnt/$vm_fqdn/home
+ }
+rule_part_home_umount () {
+ ! mountpoint /mnt/$vm_fqdn/home ||
+ sudo umount -v /mnt/$vm_fqdn/home
+ rule__part_encrypted_umount home
}
-rule_install_debian () {
+rule_debian_install () {
sudo DEBOOTSTRAP_DIR=/usr/share/debootstrap/ debootstrap \
--arch=$vm_arch --verbose --keyring=/usr/share/keyrings/debian-archive-keyring.gpg \
--exclude=vim-tiny \
initramfs-tools \
kbd \
less \
+ mosh \
ncurses-term \
openssh-client \
openssh-server \
wget \
zsh \
) \
- $vm_lsb_name /mnt/$vm_fqdn/ http://ftp.fr.debian.org/debian/
+ $vm_lsb_name /mnt/$vm_fqdn/ \
+ http://ftp.fr.debian.org/debian/
}
rule_chroot () {
- mountpoint /mnt/$vm_fqdn
- mountpoint /mnt/$vm_fqdn/boot
+ rule_part_boot_mount
+ rule_part_root_mount
+ rule_part_var_mount
+ #rule_part_home_mount
+ mountpoint /mnt/$vm_fqdn/proc ||
+ mount -t proc proc /mnt/$vm_fqdn/proc
+ mountpoint /mnt/$vm_fqdn/sys ||
+ mount -t sysfs sys /mnt/$vm_fqdn/sys
+ mountpoint /mnt/$vm_fqdn/dev ||
mount --bind /dev /mnt/$vm_fqdn/dev
- sudo chroot /mnt/$vm_fqdn /bin/bash
- umount /mnt/$vm_fqdn/dev
+ sudo chroot /mnt/$vm_fqdn /bin/bash || true
+ rule__chroot_clean
+ }
+rule__chroot_clean () {
+ umount -v /mnt/$vm_fqdn/dev
+ umount -v /mnt/$vm_fqdn/sys
+ umount -v /mnt/$vm_fqdn/proc
+ #rule_part_home_umount
+ rule_part_var_umount
+ rule_part_root_umount
+ rule_part_boot_umount
}
rule=${1:-help}
${1+shift}
+set "${TRACE:+-x}"
rule_$rule "$@"
dépôts / lhc / ateliers.git / blobdiff