X-Git-Url: https://git.cyclocoop.org/?p=lhc%2Fateliers.git;a=blobdiff_plain;f=ateliers_host;h=46ef94024ed1e0c7407ec3a8ae7eebb147dae1c0;hp=f671a97ebcb88e5b6119daadf3d9c8eaf1ea797b;hb=e58848826c6f91c60902c1a095407e1a5e2d1255;hpb=7e0958f585dd35e2d242b138f5632f3902c4d051
diff --git a/ateliers_host b/ateliers_host
index f671a97..46ef940 100755
--- a/ateliers_host
+++ b/ateliers_host
@@ -3,6 +3,7 @@ set -e -f ${DRY_RUN:+-n} -u
 tool=${0%/*}
 . "$tool"/env.sh
+. "$tool"/inc.sh
 rule_help () {
 cat >&2 <<-EOF
@@ -12,14 +13,14 @@ rule_help () {
 Voir \`$tool/ateliers_hosted' pour les utilitaires côté VM hébergée.
 SYNTAX: $0 \$RULE \${RULE}_SYNTAX
 RULES:
- $(sed -ne 's/^rule_\([^_][^ ]*\) () {\( *#.*\|\)/\t\1\2/p' "$0")
+ $(sed -ne 's/^rule_\([^_][^ ]*\) () {\( *#.*\|\)/\t\1\2/p' "$tool"/env.sh "$0")
 ENVIRONMENT:
 TRACE # affiche les commandes avant leur exécution
 $(sed -ne 's/^readonly \([^ ][^ =]*\).*}\( *#.*\|\)$/\t$\1\2/p' "$tool"/env.sh "$0")
 EOF
 }
-readonly vm_dev_disk="/dev/xvda"
+readonly vm_dev_disk=/dev/mapper/domU-$(printf %s "$vm_fqdn-disk" | sed -e 's/-/--/g')
 readonly vm_dev_disk_boot="${vm_dev_disk}1"
 rule_xen_config_init () {
@@ -62,8 +63,8 @@ rule_xen_off () {
 }
 rule_disk_mount () { # DESCRIPTION: montage du disque de la VM depuis l'hôte
- sudo xm block-attach 0 phy:/dev/domU/$vm_fqdn-disk $vm_dev_disk w
- # NOTE: on pourrait utiliser kpartx à la place je pense ; détail.
+ sudo kpartx -a -v /dev/domU/$vm_fqdn-disk
+ #sudo xm block-attach 0 phy:/dev/domU/$vm_fqdn-disk $vm_dev_disk w
 }
 rule_disk_umount () { # DESCRIPTION: démontage du disque de la VM depuis l'hôte
 rule_part_boot_umount
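Review bot: The partition mappings that `sudo kpartx -a -v /dev/domU/$vm_fqdn-disk` creates in rule_disk_mount are never checked against the name that `readonly vm_dev_disk=/dev/mapper/domU-$(printf %s "$vm_fqdn-disk" | sed -e 's/-/--/g')` in the previous hunk predicts, so a naming mismatch only surfaces later as a mount of a missing device; add `test -b "$vm_dev_disk_boot"` right after the kpartx call here and after `sudo kpartx -u -v /dev/domU/$vm_fqdn-disk` in the rule_disk_format hunk so the rule fails where the cause is. The `#sudo xm block-attach …` line kept below it is dead code; the commit message already records the switch from block-attach to kpartx. `$vm_fqdn` is quoted inside the printf of the vm_dev_disk line but not in the device path given to kpartx; `/dev/domU/"$vm_fqdn"-disk` keeps the two consistent.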
@@ -78,27 +79,32 @@ rule_disk_umount () { # DESCRIPTION: démontage du disque de la VM depuis l'hôt
 ;;
 (*) exit 1;;
 esac
- sudo xm block-detach 0 $vm_dev_disk
+ sudo kpartx -d -v /dev/domU/$vm_fqdn-disk
+ #sudo xm block-detach 0 $vm_dev_disk
+ # XXX: DANGEREUX ; si jamais il bloque parce que le disque était encore utilisé :
+ # utiliser xm block-detach 0 $vm_dev_disk --force ;
+ # ôter les éventuels mappages LVM concernés avec dmsetup table et dmsetup remove --force ;
+ # ôter les mappages concernés dans /etc/lvm/cache/.cache,
+ # et pour bien trouver tous les mappages :
+ # % sudo find /dev -type l -exec sh -c 'printf "%s -> " "$@"; readlink "$@"' - {} \; | grep $vm_dev_disk
+ # enfin, ôter l'éventuel verrou dans /var/lock/lvm/
 }
 case $vm_use_lvm in
-(no)
+ (no)
 readonly vm_dev_disk_swap="${vm_dev_disk}5"
 readonly vm_dev_disk_root="${vm_dev_disk}6"
 readonly vm_dev_disk_var="${vm_dev_disk}7"
 readonly vm_dev_disk_home="${vm_dev_disk}8"
 ;;
-(yes)
+ (yes)
 readonly vm_lvm_pv="${vm_dev_disk}2"
- readonly vm_lvm_vg=$vm
- readonly vm_lvm_dev=$(printf %s $vm_lvm_vg | sed -e 's/-/--/g')
- readonly vm_lvm_lv=$vm
- readonly vm_dev_disk_swap=/dev/mapper/$vm_lvm_dev-${vm_lvm_lv}_swap
- readonly vm_dev_disk_root=/dev/mapper/$vm_lvm_dev-${vm_lvm_lv}_root
- readonly vm_dev_disk_var=/dev/mapper/$vm_lvm_dev-${vm_lvm_lv}_var
- readonly vm_dev_disk_home=/dev/mapper/$vm_lvm_dev-${vm_lvm_lv}home
+ readonly vm_dev_disk_swap=/dev/$vm_lvm_vg/${vm_lvm_lv}_swap
+ readonly vm_dev_disk_root=/dev/$vm_lvm_vg/${vm_lvm_lv}_root
+ readonly vm_dev_disk_var=/dev/$vm_lvm_vg/${vm_lvm_lv}_var
+ readonly vm_dev_disk_home=/dev/$vm_lvm_vg/${vm_lvm_lv}_home
 ;;
-(*)
+ (*)
 exit 1;;
 esac
@@ -130,7 +136,8 @@ rule_disk_format () { # DESCRIPTION: partitionnage du disque de la VM
 ;;
 (*) exit 1;;
 esac
- sudo partprobe $vm_dev_disk
+ #sudo partprobe $vm_dev_disk
+ sudo kpartx -u -v /dev/domU/$vm_fqdn-disk
 }
 rule_part_lvm_format () {
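Review bot: The recovery steps added in the `# XXX: DANGEREUX` comment of rule_disk_umount still tell the operator to run `xm block-detach 0 $vm_dev_disk --force`, but this commit replaces the block-attach path with kpartx and (in the hunk at -12) redefines vm_dev_disk as the /dev/mapper name of the kpartx mapping, so that line no longer names a device xm manages; either state which of the two setups each step applies to, or replace it with the kpartx-era equivalent, `sudo kpartx -d -v /dev/domU/$vm_fqdn-disk` retried after the dmsetup cleanup. In the same comment `grep $vm_dev_disk` is an unquoted, unanchored pattern; `grep -F -- "$vm_dev_disk"` is what is meant. In the `(yes)` branch the `readonly vm_lvm_vg=…` and `readonly vm_lvm_lv=…` definitions are removed and presumably now come from the newly sourced inc.sh; since the script runs under `set -u`, the remaining `readonly vm_dev_disk_*` lines abort if they do not, which deserves a one-line comment such as `# vm_lvm_vg and vm_lvm_lv are set by inc.sh`.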
@@ -174,16 +181,16 @@ rule__part_encrypted_format () { # SYNTAX: $part # DESCRIPTION: formatage d'une
 local part=$1
 eval "local dev=\$vm_dev_disk_$part"
 test ! -e /dev/mapper/${vm}_root_deciphered ||
- sudo /lib/cryptsetup/scripts/decrypt_derived ${vm}_root_deciphered |
- sudo cryptsetup luksFormat --hash=sha512 --key-size=512 \
- --cipher=aes-xts-essiv:sha256 --key-file=- --align-payload=8 $dev
+ sudo /bin/sh -c "/lib/cryptsetup/scripts/decrypt_derived ${vm}_root_deciphered |
+ cryptsetup luksFormat --hash=sha512 --key-size=512 \
+ --cipher=aes-xts-essiv:sha256 --key-file=- --align-payload=8 $dev"
 }
 rule__part_encrypted_mount () { # SYNTAX: $part
 local part=$1
 eval "local dev=\$vm_dev_disk_$part"
- test ! -e /dev/mapper/${vm}_root_deciphered ||
- sudo /lib/cryptsetup/scripts/decrypt_derived ${vm}_root_deciphered |
- sudo cryptsetup luksOpen --key-file=- $dev ${vm}_${part}_deciphered
+ test -e /dev/mapper/${vm}_${part}_deciphered ||
+ sudo /bin/sh -c "/lib/cryptsetup/scripts/decrypt_derived ${vm}_root_deciphered |
+ cryptsetup luksOpen --key-file=- $dev ${vm}_${part}_deciphered"
 }
 rule__part_encrypted_umount () { # SYNTAX: $part
 local part=$1
@@ -199,7 +206,7 @@ rule_part_root_format () {
 --cipher=aes-xts-essiv:sha256 --key-file=- --align-payload=8 $vm_dev_disk_root
 sudo cryptsetup luksOpen --key-file=- $vm_dev_disk_root ${vm}_root_deciphered
 sudo mke2fs -t ext4 -c -c -m 5 -T ext4 -b $vm_e2fs_block_size \
- -E resize=15G${vm_e2fs_extended_options} \
+ -E resize=30G${vm_e2fs_extended_options} \
 -L ${vm}_root \
 /dev/mapper/${vm}_root_deciphered
 ! mountpoint -q /mnt/$vm_fqdn
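Review bot: In rule__part_encrypted_format and rule__part_encrypted_mount the values of `${vm}`, `$dev` and `$part` are now expanded into the string that `sudo /bin/sh -c "…"` hands to a root shell, which re-parses them as code; a VM name or device path containing whitespace or a shell metacharacter changes the command instead of making it fail. Passing the values as positional parameters to a single-quoted script keeps the single-sudo pipeline this commit wants while leaving them opaque to the inner shell; `$dev` itself is produced by the `eval "local dev=\$vm_dev_disk_$part"` line just above, so $part needs the same care. Inside the inner script only cryptsetup's exit status is visible to `set -e`: if decrypt_derived fails, cryptsetup presumably proceeds with whatever (possibly empty) key material arrived on stdin, which the inner /bin/sh cannot detect without pipefail and which should at least be noted in a comment.
```shell
 test ! -e /dev/mapper/${vm}_root_deciphered ||
  sudo /bin/sh -c '/lib/cryptsetup/scripts/decrypt_derived "$1" |
   cryptsetup luksFormat --hash=sha512 --key-size=512 \
    --cipher=aes-xts-essiv:sha256 --key-file=- --align-payload=8 "$2"' \
   sh "${vm}_root_deciphered" "$dev"
# … unchanged: closing brace, rule__part_encrypted_mount header, local and eval lines …
 test -e /dev/mapper/${vm}_${part}_deciphered ||
  sudo /bin/sh -c '/lib/cryptsetup/scripts/decrypt_derived "$1" |
   cryptsetup luksOpen --key-file=- "$2" "$3"' \
   sh "${vm}_root_deciphered" "$dev" "${vm}_${part}_deciphered"
```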
@@ -210,14 +217,18 @@ rule_part_root_format () {
 mk_dir mod=0770 own=root:root /mnt/$vm_fqdn/proc
 mk_dir mod=0770 own=root:root /mnt/$vm_fqdn/sys
 mk_dir mod=0770 own=root:root /mnt/$vm_fqdn/var
+ mk_dir mod=0770 own=root:root /mnt/$vm_fqdn/root
+ mk_dir mod=0770 own=root:root /mnt/$vm_fqdn/root/tool
+ mk_dir mod=0770 own=root:root /mnt/$vm_fqdn/root/tool/ateliers
 sudo umount -v /mnt/$vm_fqdn
+ sudo cryptsetup luksClose ${vm}_root_deciphered
 fi
 }
 rule_part_root_mount () {
 test -e /dev/mapper/${vm}_root_deciphered ||
 sudo cryptsetup luksOpen $vm_dev_disk_root ${vm}_root_deciphered
- ! mountpoint -q /mnt/$vm_fqdn ||
- sudo mount -v /dev/mapper/${vm}_root_deciphered /mnt/$vm_fqdn
+ mountpoint -q /mnt/$vm_fqdn ||
+ sudo mount -v -t ext4 /dev/mapper/${vm}_root_deciphered /mnt/$vm_fqdn
 }
 rule_part_root_umount () {
 ! mountpoint -q /mnt/$vm_fqdn ||
@@ -225,6 +236,9 @@ rule_part_root_umount () {
 ! test -e /dev/mapper/${vm}_root_deciphered ||
 sudo cryptsetup luksClose ${vm}_root_deciphered
 }
+rule_part_root_backup_luks () {
+ sudo cryptsetup luksHeaderBackup $vm_dev_disk_root --header-backup-file ./root.luks
+ }
 rule_part_swap_format () {
 rule__part_encrypted_format swap
 rule__part_encrypted_mount swap
@@ -240,8 +254,8 @@ rule_part_boot_format () {
 rule_part_boot_mount () {
 mountpoint -q /mnt/$vm_fqdn
 test -d /mnt/$vm_fqdn/boot
- mountpoint -q /mnt/$vm_fqdn/boot ||
- sudo mount -v $vm_dev_disk_boot /mnt/$vm_fqdn/boot
+ mountpoint -q /mnt/$vm_fqdn/boot ||
+ sudo mount -v -t ext2 $vm_dev_disk_boot /mnt/$vm_fqdn/boot
 }
 rule_part_boot_umount () {
 ! mountpoint -q /mnt/$vm_fqdn/boot ||
@@ -259,7 +273,7 @@ rule_part_var_format () {
 rule_part_var_mount () {
 rule__part_encrypted_mount var
 mountpoint -q /mnt/$vm_fqdn/var ||
- sudo mount -v /dev/mapper/${vm}_var_deciphered /mnt/$vm_fqdn/var
+ sudo mount -v -t ext4 /dev/mapper/${vm}_var_deciphered /mnt/$vm_fqdn/var
 }
 rule_part_var_umount () {
 ! mountpoint -q /mnt/$vm_fqdn/var ||
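Review bot: The new rule_part_root_backup_luks writes the LUKS header of $vm_dev_disk_root to `./root.luks`, that is into whatever directory the operator happens to run the script from, under a name that does not say which VM it belongs to; the header carries the key slots, so where it lands and who can read it matters. Name it after the VM and restrict it explicitly once written, e.g. `sudo cryptsetup luksHeaderBackup "$vm_dev_disk_root" --header-backup-file "./${vm}_root.luks"` followed by `sudo chmod 0600 "./${vm}_root.luks"`. The rule also lacks the `# DESCRIPTION:` comment that rule_help extracts from the opening line of every other rule, so it is listed without explanation; `rule_part_root_backup_luks () { # DESCRIPTION: backup of the root partition's LUKS header` fixes that. The closing brace of the new rule is indented (`+ }`) while every other rule in the file closes at column 0.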
@@ -271,15 +285,15 @@ rule_part_home_format () {
 rule__part_encrypted_mount home
 sudo mke2fs -t ext4 -c -c -m 0 -T ext4 -b $vm_e2fs_block_size \
 -E resize=400G${vm_e2fs_extended_options} \
- -O quota \
 -L ${vm}_home \
 /dev/mapper/${vm}_home_deciphered
+ # NOTE: -O quota pas supporté par e2fsprogs/squeeze
 rule__part_encrypted_umount home
 }
 rule_part_home_mount () {
 rule__part_encrypted_mount home
 mountpoint -q /mnt/$vm_fqdn/home ||
- sudo mount -v /dev/mapper/${vm}_home_deciphered /mnt/$vm_fqdn/home
+ sudo mount -v -t ext4 /dev/mapper/${vm}_home_deciphered /mnt/$vm_fqdn/home
 }
 rule_part_home_umount () {
 ! mountpoint -q /mnt/$vm_fqdn/home ||
@@ -288,6 +302,9 @@ rule_part_home_umount () {
 }
 rule_debian_install () {
+ rule_part_root_mount
+ rule_part_boot_mount
+ rule_part_var_mount
 sudo DEBOOTSTRAP_DIR=/usr/share/debootstrap/ debootstrap \
 --arch=$vm_arch --verbose --keyring=/usr/share/keyrings/debian-archive-keyring.gpg \
 --exclude=vim-tiny \
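Review bot: rule_debian_install now calls rule_part_root_mount, rule_part_boot_mount and rule_part_var_mount before debootstrap, but the end of the function lies outside this hunk and, from the following hunk, its closing brace comes straight after the mirror URL with no matching umount, so the three filesystems and the LUKS mappings they open stay active after the rule returns. If that is intended (for rule_chroot to follow), say so on the first added line, e.g. `# NOTE: mounts are left in place; run rule_chroot or the rule_part_*_umount rules afterwards`; otherwise call `rule_part_var_umount`, `rule_part_boot_umount` and `rule_part_root_umount` after debootstrap, in the order rule__chroot_clean uses. The three mount rules prompt for the LUKS passphrase and abort under `set -e` if the disk is not attached, which also belongs in the rule's `# DESCRIPTION:` comment.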
@@ -329,27 +346,34 @@ rule_debian_install () {
 http://ftp.fr.debian.org/debian/
 }
 rule_chroot () {
- rule_part_boot_mount
 rule_part_root_mount
+ rule_part_boot_mount
 rule_part_var_mount
 #rule_part_home_mount
 mountpoint -q /mnt/$vm_fqdn/proc ||
- mount -t proc proc /mnt/$vm_fqdn/proc
+ sudo mount -t proc proc /mnt/$vm_fqdn/proc
 mountpoint -q /mnt/$vm_fqdn/sys ||
- mount -t sysfs sys /mnt/$vm_fqdn/sys
+ sudo mount -t sysfs sys /mnt/$vm_fqdn/sys
 mountpoint -q /mnt/$vm_fqdn/dev ||
- mount --bind /dev /mnt/$vm_fqdn/dev
- sudo chroot /mnt/$vm_fqdn /bin/bash || true
+ sudo mount --bind /dev /mnt/$vm_fqdn/dev
+ mountpoint -q /mnt/$vm_fqdn/root/tool/ateliers ||
+ sudo mount --bind "$tool" /mnt/$vm_fqdn/root/tool/ateliers
+ sudo chroot /mnt/$vm_fqdn /bin/dash || true
 rule__chroot_clean
 }
 rule__chroot_clean () {
- umount -v /mnt/$vm_fqdn/dev
- umount -v /mnt/$vm_fqdn/sys
- umount -v /mnt/$vm_fqdn/proc
- #rule_part_home_umount
+ ! sudo mountpoint -q /mnt/$vm_fqdn/root/tool/ateliers ||
+ sudo umount -v /mnt/$vm_fqdn/root/tool/ateliers
+ ! mountpoint -q /mnt/$vm_fqdn/dev ||
+ sudo umount -v /mnt/$vm_fqdn/dev
+ ! mountpoint -q /mnt/$vm_fqdn/sys ||
+ sudo umount -v /mnt/$vm_fqdn/sys
+ ! mountpoint -q /mnt/$vm_fqdn/proc ||
+ sudo umount -v /mnt/$vm_fqdn/proc
+ rule_part_home_umount
 rule_part_var_umount
- rule_part_root_umount
 rule_part_boot_umount
+ rule_part_root_umount
 }
 rule=${1:-help}
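Review bot: `sudo mount --bind "$tool" /mnt/$vm_fqdn/root/tool/ateliers` in rule_chroot exposes the host's own tooling directory, including this script and the env.sh and inc.sh it sources and later runs under sudo, read-write inside the guest filesystem, so anything executed in the chroot (a package maintainer script, a typo at the dash prompt) can alter what the host runs next. A read-only bind mount gives the same access without that: `mountpoint -q /mnt/$vm_fqdn/root/tool/ateliers || { sudo mount --bind "$tool" /mnt/$vm_fqdn/root/tool/ateliers && sudo mount -o remount,ro,bind /mnt/$vm_fqdn/root/tool/ateliers; }`. In rule__chroot_clean the first guard is `! sudo mountpoint -q …` while the three that follow use plain `mountpoint -q`; the sudo looks unintended and should be dropped for consistency. `#rule_part_home_mount` stays commented out while rule_part_home_umount is now called unconditionally in the cleanup; that only works because of the `! mountpoint -q … ||` guard inside rule_part_home_umount (visible in the previous hunk), which deserves a short comment next to the call.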