From 59f4204d561b533f725bbc714604c9ca91c037fa Mon Sep 17 00:00:00 2001
From: Julien Moutinho
Date: Tue, 19 Feb 2013 20:18:53 +0100
Subject: [PATCH] Modification : polissage et log

---
 lib/functions.sh | 1 +
 lib/log.sh | 42 ++++--
 lib/mk.sh | 8 +-
 lib/rule.sh | 9 ++
 vm_host | 95 ++++++------
 vm_hosted | 383 +++++++++++++++++++++++------------------------
 vm_remote | 16 +-
 7 files changed, 288 insertions(+), 266 deletions(-)
 create mode 100644 lib/rule.sh

diff --git a/lib/functions.sh b/lib/functions.sh
index b661a15..16c62b5 100644
--- a/lib/functions.sh
+++ b/lib/functions.sh
@@ -2,3 +2,4 @@
 . "$tool"/lib/mk.sh
 . "$tool"/lib/log.sh
+. "$tool"/lib/rule.sh
diff --git a/lib/log.sh b/lib/log.sh
index af89e5b..9a3316b 100644
--- a/lib/log.sh
+++ b/lib/log.sh
@@ -1,39 +1,49 @@ #!/bin/sh export TERM=${TERM:-linux} -tput_rev=${nocolor:-$(tput rev)} -tput_sgr0=${nocolor:-$(tput sgr0)} -tput_bold=${nocolor:-$(tput bold)} -tput_setaf_0=${nocolor:-$(tput setaf 0)} -tput_setaf_2=${nocolor:-$(tput setaf 2)} +readonly tput_rev=${nocolor:-$(tput rev)} +readonly tput_sgr0=${nocolor:-$(tput sgr0)} +readonly tput_bold=${nocolor:-$(tput bold)} +readonly tput_setaf_0=${nocolor:-$(tput setaf 0)} +readonly tput_setaf_1=${nocolor:-$(tput setaf 1)} +readonly tput_setaf_2=${nocolor:-$(tput setaf 2)} +readonly tput_setaf_3=${nocolor:-$(tput setaf 3)} info () { - set=$(set +o | grep '^set .o xtrace$') + local - set +x printf >&2 "%sINFO%s" "$tput_setaf_2" "$tput_sgr0" - comment=$1 + local comment="$1" shift + local var for var in "$@" do - val=$(eval printf %s "\"\${$var:-}\"" || false) || false + local val="$(eval printf %s "\"\${$var:-}\"" || false)" || false printf >&2 ": %s%s%s=%s%s%s" "$tput_bold$tput_setaf_0" "$var" "$tput_sgr0" "$tput_bold$tput_setaf_0" "$val" "$tput_sgr0" done printf >&2 ": %s%s%s\n" "$tput_rev" "$comment" "$tput_sgr0" - $set } error () { - set=$(set +o | grep '^set .o xtrace$') + local - set +x - printf >&2 "%sERROR%s" "$tput_setaf_2" "$tput_sgr0" - errno=$1 - comment=$2 + printf >&2 "%sERROR%s" "$tput_setaf_1" "$tput_sgr0" + local errno="$1" + local comment="$2" shift 2 + local var for var in "$@" do - val=$(eval printf %s "\"\${$var:-}\"" || false) || false + local val="$(eval printf %s "\"\${$var:-}\"" || false)" || false printf >&2 ": %s%s%s=%s%s%s" "$tput_bold$tput_setaf_0" "$var" "$tput_sgr0" "$tput_bold$tput_setaf_0" "$val" "$tput_sgr0" done printf >&2 ": %s%s%s\n" "$tput_rev" "$comment" "$tput_sgr0" - $set - exit $1 + exit $errno + } +assert () { + local - + set +x + local eval="$1"; shift + local type="assertion failure" + eval "$eval" || + error $? "$eval" type "$@" } diff --git a/lib/mk.sh b/lib/mk.sh index 03912eb..91ebc13 100644 --- a/lib/mk.sh +++ b/lib/mk.sh 
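Review bot: `local val="$(eval …)" || false` in both `info` and `error` can never fail: `local` returns 0 whatever the command substitution did, so the `|| false` that the old `val=$(…) || false` used to surface a bad variable name is now dead code, and the name is still spliced into an `eval` without validation. Declare and assign separately, `local val; val=$(eval printf %s "\"\${$var:-}\"") || false`, and reject anything that is not an identifier before the eval, `case $var in (*[!A-Za-z0-9_]*|'') continue;; esac`. Every caller visible in this patch passes literal names, so this is hardening of a logging helper rather than a live injection. `local -` under `#!/bin/sh` relies on the interpreter (dash, or bash 4.4+) scoping shell options to the function; a one-line comment saying so would spare the next reader a portability hunt.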
@@ -1,6 +1,8 @@ #!/bin/sh mk_dir () { + local mk="dir" + info "$*" mk local mod=${1#mod=}; shift local own=${1#own=}; shift sudo mkdir -p "$@" @@ -8,6 +10,8 @@ mk_dir () { ! [ ${own:+set} ] || sudo chown $own "$@" } mk_reg () { + local mk="reg" + info "$*" mk local mod=${1#mod=}; shift local own=${1#own=}; shift local append @@ -15,10 +19,12 @@ mk_reg () { then append='-a'; shift else append='' fi - sudo tee >&2 $append "$@" + sudo tee ${TRACE:+/dev/stderr} >/dev/null $append "$@" ! [ ${mod:+set} ] || sudo chmod $mod "$@" ! [ ${own:+set} ] || sudo chown $own "$@" } mk_lnk () { + local mk="lnk" + info "$*" mk sudo ln -fns "$@" } diff --git a/lib/rule.sh b/lib/rule.sh new file mode 100644 index 0000000..b30218d --- /dev/null +++ b/lib/rule.sh @@ -0,0 +1,9 @@ +#!/bin/sh + +rule () { + local - + local rule="$1"; shift + info "$*" rule + ${TRACE:+set -x} + rule_$rule "$@" + } diff --git a/vm_host b/vm_host index 0a2649d..f5c6eaf 100755 --- a/vm_host +++ b/vm_host @@ -12,10 +12,10 @@ rule_help () { Voir \`$tool/vm_hosted' pour les utilitaires côté VM hébergée. SYNTAX: $0 \$RULE \${RULE}_SYNTAX RULES: - $(sed -ne 's/^rule_\([^_][^ ]*\) () {\( *#.*\|\)/\t\1\2/p' "$tool"/vm.sh "$0") + $(sed -ne 's/^rule_\([^_][^ ]*\) () {\( *#.*\|\)/\t\1\2/p' "$tool"/etc/vm.sh "$0") ENVIRONMENT: TRACE # affiche les commandes avant leur exécution - $(sed -ne 's/^readonly \([^ ][^ =]*\).*}\( *#.*\|\)$/\t$\1\2/p' "$tool"/vm.sh "$0") + $(sed -ne 's/^readonly \([^ ][^ =]*\).*}\( *#.*\|\)$/\t$\1\2/p' "$tool"/etc/vm.sh "$0") EOF } @@ -78,7 +78,7 @@ rule_vm_init () { rule_vm_start () { test ! -e /dev/domU/$vm_fqdn-disk1 sudo xm create $vm_fqdn.cfg - rule_vm_attach + rule vm_attach } rule_vm_attach () { cat <<-EOF 
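Review bot: In `mk_reg`, `sudo tee` creates a new target with root's umask before the `chmod`/`chown` on the two following lines run, so a file requested with a restrictive `mod=` exists briefly at default permissions; the callers in this patch write public keys and /etc configs, so the window is small, but a generic writer should create new files at their final mode, e.g. per target before the tee: `[ -e "$f" ] || sudo install -m "$mod" /dev/null "$f"` when `mod` is given. Also note that with TRACE set the full contents of every file written through `mk_reg` now go to stderr next to the `set -x` output — harmless for what is visible here, but worth a comment warning not to route secrets through this helper while tracing.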
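Review bot: `rule_$rule "$@"` runs whatever function name `$1` from the command line spells, with no check that it exists or is well-formed: a typo prints the INFO line and then a "command not found" from the shell, and a name containing spaces is word-split into extra arguments. Add before the dispatch `case $rule in (*[!A-Za-z0-9_]*|'') error 1 "invalid rule" rule;; esac` and `command -v "rule_$rule" >/dev/null || error 1 "unknown rule" rule`, and quote the call as `"rule_$rule" "$@"`. The `rule_[^_]` filter in `rule_help` hides the underscore-prefixed internal rules, but this dispatcher still lets them be invoked directly from the command line; if that is intended, say so in a comment here.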
@@ -98,15 +98,15 @@ rule_disk_mount () { # DESCRIPTION: montage du disque de la VM depuis l'hôte #sudo xm block-attach 0 phy:/dev/domU/$vm_fqdn-disk $vm_dev_disk w } rule_disk_umount () { # DESCRIPTION: démontage du disque de la VM depuis l'hôte - rule_part_boot_umount + rule part_boot_umount case $vm_use_lvm in (yes) - rule_part_lvm_umount + rule part_lvm_umount ;; (no) - rule_part_root_umount - rule_part_var_umount - rule_part_home_umount + rule part_root_umount + rule part_var_umount + rule part_home_umount ;; (*) exit 1;; esac @@ -171,7 +171,7 @@ rule_disk_format () { # DESCRIPTION: partitionnage du disque de la VM } rule_part_lvm_format () { - rule_part_lvm_umount + rule part_lvm_umount ! sudo vgs | grep -q "^ $vm_lvm_vg " || sudo vgremove $vm_lvm_vg sudo pvcreate --dataalignment 512k $vm_lvm_pv @@ -180,7 +180,7 @@ rule_part_lvm_format () { sudo lvcreate --contiguous y -n ${vm_lvm_lv}_root -L 15G $vm_lvm_vg sudo lvcreate --contiguous y -n ${vm_lvm_lv}_var -L 5G $vm_lvm_vg sudo lvcreate --contiguous y -n ${vm_lvm_lv}_home -l 99%FREE $vm_lvm_vg - rule_part_lvm_umount + rule part_lvm_umount } rule_part_lvm_mount () { case $vm_use_lvm in @@ -193,9 +193,9 @@ rule_part_lvm_mount () { rule_part_lvm_umount () { case $vm_use_lvm in (yes) - rule_part_root_umount - rule_part_var_umount - rule_part_home_umount + rule part_root_umount + rule part_var_umount + rule part_home_umount ! sudo vgs | grep -q "^ $vm_lvm_vg " || sudo vgchange -a n $vm_lvm_vg ;; @@ -276,11 +276,11 @@ rule_part_root_backup_luks () { sudo cryptsetup luksHeaderBackup $vm_dev_disk_root --header-backup-file ./root.luks } rule_part_swap_format () { - rule__part_encrypted_format swap - rule__part_encrypted_mount swap + rule _part_encrypted_format swap + rule _part_encrypted_mount swap sudo mkswap -f -L ${vm_lvm_lv}_swap \ /dev/mapper/${vm_lvm_lv}_swap_deciphered - rule__part_encrypted_umount swap + rule _part_encrypted_umount swap } rule_part_boot_format () { mount | grep -q "^$vm_dev_disk_boot " || 
@@ -299,51 +299,51 @@ rule_part_boot_umount () { sudo umount -v /mnt/$vm_fqdn/boot } rule_part_var_format () { - rule__part_encrypted_format var - rule__part_encrypted_mount var + rule _part_encrypted_format var + rule _part_encrypted_mount var sudo mke2fs -t ext4 -c -c -m 5 -T ext4 -b $vm_e2fs_block_size \ -E resize=10G${vm_e2fs_extended_options} \ -L ${vm_lvm_lv}_var \ /dev/mapper/${vm_lvm_lv}_var_deciphered - rule__part_encrypted_umount var + rule _part_encrypted_umount var } rule_part_var_mount () { - rule__part_encrypted_mount var + rule _part_encrypted_mount var mountpoint -q /mnt/$vm_fqdn/var || sudo mount -v -t ext4 /dev/mapper/${vm_lvm_lv}_var_deciphered /mnt/$vm_fqdn/var } rule_part_var_umount () { ! mountpoint -q /mnt/$vm_fqdn/var || sudo umount -v /mnt/$vm_fqdn/var - rule__part_encrypted_umount var + rule _part_encrypted_umount var } rule_part_home_format () { - rule__part_encrypted_format home - rule__part_encrypted_mount home + rule _part_encrypted_format home + rule _part_encrypted_mount home sudo mke2fs -t ext4 -c -c -m 0 -T ext4 -b $vm_e2fs_block_size \ -E resize=400G${vm_e2fs_extended_options} \ -L ${vm_lvm_lv}_home \ /dev/mapper/${vm_lvm_lv}_home_deciphered # NOTE: -O quota pas supporté par e2fsprogs/squeeze - rule__part_encrypted_umount home + rule _part_encrypted_umount home } rule_part_home_mount () { - rule__part_encrypted_mount home + rule _part_encrypted_mount home mountpoint -q /mnt/$vm_fqdn/home || sudo mount -v -t ext4 /dev/mapper/${vm_lvm_lv}_home_deciphered /mnt/$vm_fqdn/home } rule_part_home_umount () { ! 
mountpoint -q /mnt/$vm_fqdn/home || sudo umount -v /mnt/$vm_fqdn/home - rule__part_encrypted_umount home + rule _part_encrypted_umount home } rule_debian_install () { - rule_disk_mount - rule_part_lvm_mount - rule_part_root_mount - rule_part_boot_mount - rule_part_var_mount + rule disk_mount + rule part_lvm_mount + rule part_root_mount + rule part_boot_mount + rule part_var_mount sudo DEBOOTSTRAP_DIR=/usr/share/debootstrap/ LANG=C LC_CTYPE=C debootstrap \ --arch=$vm_arch --verbose --keyring=/usr/share/keyrings/debian-archive-keyring.gpg \ --exclude=vim-tiny \ @@ -388,17 +388,17 @@ rule_debian_install () { ) \ $vm_lsb_name /mnt/$vm_fqdn/ \ http://ftp.fr.debian.org/debian/ - rule_part_var_umount - rule_part_boot_umount - rule_part_root_umount + rule part_var_umount + rule part_boot_umount + rule part_root_umount } rule_chroot () { - rule_disk_mount - rule_part_lvm_mount - rule_part_root_mount - rule_part_boot_mount - rule_part_var_mount + rule disk_mount + rule part_lvm_mount + rule part_root_mount + rule part_boot_mount + rule part_var_mount #rule_part_home_mount mountpoint -q /mnt/$vm_fqdn/proc || sudo mount -t proc proc /mnt/$vm_fqdn/proc @@ -414,7 +414,7 @@ rule_chroot () { rsync -a "$tool"/ /mnt/$vm_fqdn/root/tool/vm fi sudo chroot /mnt/$vm_fqdn /bin/bash || true - rule__chroot_clean + rule _chroot_clean } rule__chroot_clean () { ! sudo mountpoint -q /mnt/$vm_fqdn/root/tool/vm || @@ -425,11 +425,11 @@ rule__chroot_clean () { sudo umount -v /mnt/$vm_fqdn/sys ! mountpoint -q /mnt/$vm_fqdn/proc || sudo umount -v /mnt/$vm_fqdn/proc - rule_part_home_umount - rule_part_var_umount - rule_part_boot_umount - rule_part_root_umount - rule_disk_umount + rule part_home_umount + rule part_var_umount + rule part_boot_umount + rule part_root_umount + rule disk_umount } rule=${1:-help} 
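Review bot: The `rule _chroot_clean` teardown only runs if control reaches it after `sudo chroot`; when one of the preceding `rule … mount` steps or the rsync fails, the guest's root/boot/var filesystems and their dm-crypt mappings stay open on the host (whether this script runs under `set -e` is not visible here). Installing the cleanup as a trap at the top of `rule_chroot`, `trap 'rule _chroot_clean' EXIT`, closes the encrypted partitions on every exit path; the umounts visible in the next hunk are all guarded by `mountpoint -q`, so running it a second time after the explicit call is harmless. The start of `rule_chroot` is outside this hunk.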
@@ -437,9 +437,8 @@ ${1+shift} case $rule in (help);; (*) - test "$(hostname --fqdn)" = "$vm_host" || - error 1 "mauvaise machine" + assert 'test "$(hostname --fqdn)" = "$vm_host"' vm_host ${TRACE:+set -x} ;; esac -rule_$rule "$@" +rule $rule "$@" diff --git a/vm_hosted b/vm_hosted index ebb930d..987fa6d 100755 --- a/vm_hosted +++ b/vm_hosted @@ -12,10 +12,10 @@ rule_help () { Voir \`$tool/vm_host' pour les utilitaires côté machine hôte. SYNTAX: $0 \$RULE \${RULE}_SYNTAX RULES: - $(sed -ne 's/^rule_\([^_][^ ]*\) () {\( *#.*\|\)/\t\1\2/p' "$tool"/vm.sh "$0") + $(sed -ne 's/^rule_\([^_][^ ]*\) () {\( *#.*\|\)/\t\1\2/p' "$tool"/etc/vm.sh "$0") ENVIRONMENT: TRACE # affiche les commandes avant leur exécution - $(sed -ne 's/^readonly \([^ ][^ =]*\).*}\( *#.*\|\)$/\t$\1\2/p' "$tool"/vm.sh "$0") + $(sed -ne 's/^readonly \([^ ][^ =]*\).*}\( *#.*\|\)$/\t$\1\2/p' "$tool"/etc/vm.sh "$0") EOF } 
@@ -33,48 +33,7 @@ rule_chrooted () { . /etc/profile } -rule__etckeeper_init () { - mk_reg mod=644 own=root:root /etc/etckeeper/etckeeper.conf <<-EOF - VCS=git - GIT_COMMIT_OPTIONS="" - AVOID_DAILY_AUTOCOMMITS=1 - #AVOID_SPECIAL_FILE_WARNING=1 - AVOID_COMMIT_BEFORE_INSTALL=1 - HIGHLEVEL_PACKAGE_MANAGER=apt - LOWLEVEL_PACKAGE_MANAGER=dpkg - EOF - } -rule__locale_init () { - mk_reg mod=644 own=root:root /etc/locale.gen <<-EOF - fr_FR.UTF-8 UTF-8 - EOF - sudo update-locale - } -rule__network_init () { - mk_reg mod= own= /etc/hostname <<-EOF - $vm - EOF - grep -q " $vm\$" /etc/hosts || - mk_reg mod= own= --append /etc/hosts <<-EOF - 127.0.0.1 $vm_fqdn $vm - EOF - mk_reg mod= own= /etc/network/interfaces <<-EOF - auto lo - iface lo inet loopback - - auto eth0=grenode - iface grenode inet static - address $vm_ipv4 - gateway $vm_ipv4 # NOTE: proxy_arp sur la passerelle permet d'utiliser la même adresse - network $vm_ipv4 - broadcast $vm_ipv4 - netmask 255.255.255.255 - #mtu 1300 - post-up ip address add $vm_ipv4/32 dev \$IFACE - pre-down ip address delete $vm_ipv4/32 dev \$IFACE - EOF - } -rule__apt_init () { +rule_apt_init () { mk_reg mod= own= /etc/apt/sources.list <<-EOF deb http://ftp.fr.debian.org/debian $vm_lsb_name main contrib non-free EOF 
@@ -94,7 +53,57 @@ rule__apt_init () { deb http://nightly.openerp.com/trunk/nightly/deb/ ./ EOF } -rule__filesystem_init () { +rule_apticron_init () { + sudo apt-get install --reinstall apticron + mk_reg mod=644 own=root:root /etc/default/grub <<-EOF + EMAIL="admin@heureux-cyclage.org" + # DIFF_ONLY="1" + # LISTCHANGES_PROFILE="apticron" + # ALL_FQDNS="1" + # SYSTEM="foobar.example.com" + # IPADDRESSNUM="1" + # IPADDRESSES="192.0.2.1 2001:db8:1:2:3::1" + # NOTIFY_HOLDS="0" + # NOTIFY_NEW="0" + # NOTIFY_NO_UPDATES="0" + # CUSTOM_SUBJECT="" + # CUSTOM_NO_UPDATES_SUBJECT="" + # CUSTOM_FROM="root@ateliers.heureux-cyclage.org" + EOF + sudo service apticron restart + } +rule_boot_init () { + sudo apt-get install --reinstall grub-pc # XXX: attention à n'installer GRUB sur AUCUN disque proposé ! + mk_dir mod=644 own=root:root /boot/grub + sudo apt-get install --reinstall linux-image-$vm_arch + mk_reg mod=644 own=root:root /etc/default/grub <<-EOF + GRUB_DEFAULT=0 + GRUB_TIMEOUT=5 + GRUB_DISTRIBUTOR=\`lsb_release -i -s 2> /dev/null || echo Debian\` + GRUB_CMDLINE_LINUX_DEFAULT="quiet" + GRUB_CMDLINE_LINUX="vt.default_utf8=1 rootfstype=ext4 loglevel=5 console=hvc0 ip=$vm_ipv4::$vm_ipv4:255.255.255.254:$vm:eth0:off resume=/dev/mapper/${vm}_swap_deciphered" + GRUB_DISABLE_RECOVERY="true" + #GRUB_PRELOAD_MODULES="lvm" + EOF + mk_reg mod=644 own=root:root /boot/grub/device.map <<-EOF + (hd0) /dev/xvda + (hd0) /dev/mapper/domU-$(printf %s $vm_fqdn-disk | sed -e 's/-/--/g') + EOF + sudo update-grub2 # NOTE: prend en compte /boot/grub/device.map + rule initramfs_init + } +rule_etckeeper_init () { + mk_reg mod=644 own=root:root /etc/etckeeper/etckeeper.conf <<-EOF + VCS=git + GIT_COMMIT_OPTIONS="" + AVOID_DAILY_AUTOCOMMITS=1 + #AVOID_SPECIAL_FILE_WARNING=1 + AVOID_COMMIT_BEFORE_INSTALL=1 + HIGHLEVEL_PACKAGE_MANAGER=apt + LOWLEVEL_PACKAGE_MANAGER=dpkg + EOF + } +rule_filesystem_init () { mk_reg mod=644 own=root:root /etc/fstab <<-EOF # LABEL=${vm_lvm_lv}_boot /boot ext2 defaults 0 0 
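Review bot: `rule_apticron_init` writes the apticron settings (`EMAIL=…`) to `/etc/default/grub`, the GRUB defaults file that `rule_boot_init` then overwrites a few lines below; apticron never sees this configuration, so the update notifications it is meant to send go nowhere, and the admin address transiently ends up in the bootloader config. The target should be apticron's own file: `mk_reg mod=644 own=root:root /etc/apticron/apticron.conf <<-EOF`. Whether `service apticron restart` has anything to restart on this release is worth confirming — apticron is normally driven by cron. Separately, `mk_dir mod=644 own=root:root /boot/grub` creates a directory without the execute bit, which root ignores but which blocks every other user from listing it; if 755 was meant, fix it, otherwise a comment should state that the restriction is deliberate.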
@@ -118,12 +127,81 @@ rule__filesystem_init () { vm.vfs_cache_pressure=50 EOF } -rule__login_init () { - grep -q hvc0 /etc/securetty || +rule_initramfs_init () { + mk_reg mod=644 own=root:root /etc/initramfs-tools/initramfs.conf <<-EOF + MODULES=most + BUSYBOX=y + KEYMAP=y + COMPRESS=gzip + DEVICE=eth0 + EOF + mk_reg mod=644 own=root:root /etc/modprobe.d/xen-pv.conf <<-EOF + alias eth0 xennet + alias scsi_hostadapter xenblk + EOF + mk_reg mod=644 own=root:root /etc/modules <<-EOF + sha1_generic + sha256_generic + sha512_generic + aes-x86_64 + xts + # NOTE: pour Xen en mode HVM : + #modprobe xen-platform-pci + EOF + mk_reg mod=644 own=root:root /etc/initramfs-tools/modules <<-EOF + EOF + sudo sed -e '/^configure_networking /s/ &$//' \ + -i /usr/share/initramfs-tools/scripts/init-premount/dropbear + # NOTE: corrige une vermine : dropbear doit attendre que le réseau soit configuré.. + sudo rm -f \ + /etc/initramfs-tools/etc/dropbear/dropbear_dss_host_key \ + /etc/initramfs-tools/etc/dropbear/dropbear_dss_host_key.pub \ + /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key \ + /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key.pub + ssh-keygen -F "init.$vm_fqdn" -f "$tool"/etc/openssh/known_hosts | + ( while IFS= read -r line + do case $line in (*" RSA") return 0; break;; esac + done; return 1 ) || + sudo dropbearkey -t rsa -s 4096 -f \ + /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key + ssh-keygen -F "init.$vm_fqdn" -f "$tool"/etc/openssh/known_hosts | + ( while IFS= read -r line + do case $line in (*" DSA") return 0; break;; esac + done; return 1 ) || + sudo dropbearkey -t dss -s 1024 -f \ + /etc/initramfs-tools/etc/dropbear/dropbear_dss_host_key + mk_dir mod=640 own=root:root \ + /etc/initramfs-tools/root \ + /etc/initramfs-tools/root/.ssh + getent group sudo | + while IFS=: read -r group x x users + do while test -n "$users" && IFS=, read -r user users <<-EOF + $users + EOF + do eval local home\; home="~$user" + cat "$home"/etc/ssh/authorized_keys 
+ done + done | + mk_reg mod=644 own=root:root /etc/initramfs-tools/root/.ssh/authorized_keys + sudo rm -f \ + /etc/initramfs-tools/root/.ssh/id_rsa.dropbear \ + /etc/initramfs-tools/root/.ssh/id_rsa.pub \ + /etc/initramfs-tools/root/.ssh/id_rsa + # NOTE: clefs générées par Debian + sudo update-initramfs -u + } +rule_locale_init () { + mk_reg mod=644 own=root:root /etc/locale.gen <<-EOF + fr_FR.UTF-8 UTF-8 + EOF + sudo update-locale + } +rule_login_init () { + grep -q '^hvc0$' /etc/securetty || mk_reg mod= own= --append /etc/securetty <<-EOF hvc0 EOF - grep -q xvc0 /etc/securetty || + grep -q '^xvc0$' /etc/securetty || mk_reg mod= own= --append /etc/securetty <<-EOF xvc0 EOF 
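Review bot: The `sudo rm -f` deletes both dropbear host keys unconditionally, but the `dropbearkey` calls that follow are skipped precisely when `known_hosts` already pins an entry for `init.$vm_fqdn` — so unless the pinned key is restored by a step outside this hunk, rebuilding the initramfs on an already-pinned host leaves it with no dropbear key, and whatever the update-initramfs hook generates will not match what clients expect (this is moved code, but the inversion survives the move). The `*" RSA"`/`*" DSA"` matches also rely on the known_hosts lines carrying such a trailing comment, since `ssh-keygen -F` prints the entry verbatim; that convention belongs in a comment next to the check. A 1024-bit DSA host key (`dropbearkey -t dss -s 1024`) offers no margin and no client that can use the 4096-bit RSA key needs it — drop the DSS branch. Finally, the authorized_keys pipeline runs `cat "$home"/etc/ssh/authorized_keys` unprivileged and ignores its status, so an unreadable or missing file for one sudo user silently yields an initramfs root authorized_keys without that user's key; use `sudo cat` and fail the rule on error.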
@@ -212,148 +290,30 @@ rule__login_init () { session optional pam_umask.so EOF } -rule__user_root_init () { - mk_dir mod=750 own=root:root /root/etc - mk_dir mod=750 own=root:root /root/etc/ssh - mk_dir mod=750 own=root:root /root/etc/gpg - mk_lnk etc/gpg /root/.gnupg - mk_lnk etc/ssh /root/.ssh - getent group sudo | - while test -n "$users" && IFS=: read -r group x x users - do while IFS=, read -r user users <<-EOF - $users - EOF - do eval local home\; home="~$user" - cat "$home"/etc/ssh/authorized_keys - done - done | - mk_reg mod=640 own=root:root /root/etc/ssh/authorized_keys - local key - for key in "$tool"/var/pub/openpgp/*.key - do sudo gpg --import "$key" - done - } -rule__initramfs_init () { - mk_reg mod=644 own=root:root /etc/initramfs-tools/initramfs.conf <<-EOF - MODULES=most - BUSYBOX=y - KEYMAP=y - COMPRESS=gzip - DEVICE=eth0 - EOF - mk_reg mod=644 own=root:root /etc/modprobe.d/xen-pv.conf <<-EOF - alias eth0 xennet - alias scsi_hostadapter xenblk - EOF - mk_reg mod=644 own=root:root /etc/modules <<-EOF - sha1_generic - sha256_generic - sha512_generic - aes-x86_64 - xts - # NOTE: pour Xen en mode HVM : - #modprobe xen-platform-pci - EOF - mk_reg mod=644 own=root:root /etc/initramfs-tools/modules <<-EOF - EOF - sudo sed -e '/^configure_networking /s/ &$//' \ - -i /usr/share/initramfs-tools/scripts/init-premount/dropbear - # NOTE: corrige une vermine : dropbear doit attendre que le réseau soit configuré.. 
- sudo rm -f \ - /etc/initramfs-tools/etc/dropbear/dropbear_dss_host_key \ - /etc/initramfs-tools/etc/dropbear/dropbear_dss_host_key.pub \ - /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key \ - /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key.pub - ssh-keygen -F "init.$vm_fqdn" -f "$tool"/etc/openssh/known_hosts | - ( while IFS= read -r line - do case $line in (*" RSA") return 0; break;; esac - done; return 1 ) || - sudo dropbearkey -t rsa -s 4096 -f \ - /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key - ssh-keygen -F "init.$vm_fqdn" -f "$tool"/etc/openssh/known_hosts | - ( while IFS= read -r line - do case $line in (*" DSA") return 0; break;; esac - done; return 1 ) || - sudo dropbearkey -t dss -s 1024 -f \ - /etc/initramfs-tools/etc/dropbear/dropbear_dss_host_key - mk_dir mod=640 own=root:root \ - /etc/initramfs-tools/root \ - /etc/initramfs-tools/root/.ssh - getent group sudo | - while IFS=: read -r group x x users - do while test -n "$users" && IFS=, read -r user users <<-EOF - $users - EOF - do eval local home\; home="~$user" - cat "$home"/etc/ssh/authorized_keys - done - done | - mk_reg mod=644 own=root:root /etc/initramfs-tools/root/.ssh/authorized_keys - sudo rm -f \ - /etc/initramfs-tools/root/.ssh/id_rsa.dropbear \ - /etc/initramfs-tools/root/.ssh/id_rsa.pub \ - /etc/initramfs-tools/root/.ssh/id_rsa - # NOTE: clefs générées par Debian - sudo update-initramfs -u - } -rule__boot_init () { - sudo apt-get install --reinstall grub-pc # XXX: attention à n'installer GRUB sur AUCUN disque proposé ! 
- mk_dir mod=644 own=root:root /boot/grub - sudo apt-get install --reinstall linux-image-$vm_arch - mk_reg mod=644 own=root:root /etc/default/grub <<-EOF - GRUB_DEFAULT=0 - GRUB_TIMEOUT=5 - GRUB_DISTRIBUTOR=\`lsb_release -i -s 2> /dev/null || echo Debian\` - GRUB_CMDLINE_LINUX_DEFAULT="quiet" - GRUB_CMDLINE_LINUX="vt.default_utf8=1 rootfstype=ext4 loglevel=5 console=hvc0 ip=$vm_ipv4::$vm_ipv4:255.255.255.254:$vm:eth0:off resume=/dev/mapper/${vm}_swap_deciphered" - GRUB_DISABLE_RECOVERY="true" - #GRUB_PRELOAD_MODULES="lvm" +rule_network_init () { + mk_reg mod= own= /etc/hostname <<-EOF + $vm EOF - mk_reg mod=644 own=root:root /boot/grub/device.map <<-EOF - (hd0) /dev/xvda - (hd0) /dev/mapper/domU-$(printf %s $vm_fqdn-disk | sed -e 's/-/--/g') + grep -q " $vm\$" /etc/hosts || + mk_reg mod= own= --append /etc/hosts <<-EOF + 127.0.0.1 $vm_fqdn $vm EOF - sudo update-grub2 # NOTE: prend en compte /boot/grub/device.map - rule__initramfs_init - } -rule_apticron_init () { - sudo apt-get install --reinstall apticron - mk_reg mod=644 own=root:root /etc/default/grub <<-EOF - EMAIL="admin@heureux-cyclage.org" - # DIFF_ONLY="1" - # LISTCHANGES_PROFILE="apticron" - # ALL_FQDNS="1" - # SYSTEM="foobar.example.com" - # IPADDRESSNUM="1" - # IPADDRESSES="192.0.2.1 2001:db8:1:2:3::1" - # NOTIFY_HOLDS="0" - # NOTIFY_NEW="0" - # NOTIFY_NO_UPDATES="0" - # CUSTOM_SUBJECT="" - # CUSTOM_NO_UPDATES_SUBJECT="" - # CUSTOM_FROM="root@ateliers.heureux-cyclage.org" + mk_reg mod= own= /etc/network/interfaces <<-EOF + auto lo + iface lo inet loopback + + auto eth0=grenode + iface grenode inet static + address $vm_ipv4 + gateway $vm_ipv4 # NOTE: proxy_arp sur la passerelle permet d'utiliser la même adresse + network $vm_ipv4 + broadcast $vm_ipv4 + netmask 255.255.255.255 + #mtu 1300 + post-up ip address add $vm_ipv4/32 dev \$IFACE + pre-down ip address delete $vm_ipv4/32 dev \$IFACE EOF - sudo service apticron restart } -rule__bin_init () { - mk_lnk "$tool"/vm_hosted /usr/local/sbin/ - } -rule_init 
() { - rule__etckeeper_init - rule__locale_init - rule__network_init - rule__apt_init - rule__filesystem_init - rule__login_init - rule__user_root_init - rule__boot_init - rule__bin_init - } - -rule_disk_key_change () { - sudo cryptsetup luksChangeKey /dev/$vm_lvm_vg/${vm_lvm_lv}_root - } - rule_user_init () { mk_dir mod=750 own="root:adm" /etc/skel/etc mk_dir mod=770 own="root:adm" /etc/skel/etc/apache2 @@ -439,6 +399,46 @@ rule_user_init () { 'case \$(/usr/bin/passwd --status "\$SUDO_USER") in ("\$SUDO_USER L "*) /usr/bin/passwd \$SUDO_USER;; esac' EOF } +rule_user_root_init () { + mk_dir mod=750 own=root:root /root/etc + mk_dir mod=750 own=root:root /root/etc/ssh + mk_dir mod=750 own=root:root /root/etc/gpg + mk_lnk etc/gpg /root/.gnupg + mk_lnk etc/ssh /root/.ssh + getent group sudo | + while test -n "$users" && IFS=: read -r group x x users + do while IFS=, read -r user users <<-EOF + $users + EOF + do eval local home\; home="~$user" + cat "$home"/etc/ssh/authorized_keys + done + done | + mk_reg mod=640 own=root:root /root/etc/ssh/authorized_keys + local key + for key in "$tool"/var/pub/openpgp/*.key + do sudo gpg --import "$key" + done + } +rule__bin_init () { + mk_lnk "$tool"/vm_hosted /usr/local/sbin/ + } +rule_init () { + rule etckeeper_init + rule locale_init + rule network_init + rule apt_init + rule filesystem_init + rule login_init + rule user_root_init + rule boot_init + rule bin_init + } + +rule_disk_key_change () { + sudo cryptsetup luksChangeKey /dev/$vm_lvm_vg/${vm_lvm_lv}_root + } + rule_user_admin_add () { # SYNTAX: $user local user=$1 id "$user" >/dev/null || @@ -448,8 +448,8 @@ rule_user_admin_add () { # SYNTAX: $user sudo adduser "$user" sudo mk_reg mod=640 own=$user:$user "$home"/etc/ssh/authorized_keys \ <"$tool"/var/pub/ssh/"$user".key - rule__initramfs_init - rule__user_root_init + rule initramfs_init + rule user_root_init local key; local -; set +f for key in "$tool"/var/pub/openpgp/*.key do sudo -u "$user" gpg --import "$key" 
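Review bot: `rule_init` calls `rule bin_init`, which dispatches to `rule_bin_init`, but the function defined just above it is still `rule__bin_init` (it kept the private double-underscore prefix when the other `_init` rules were renamed), so `vm_hosted init` fails at its last step with a command-not-found; either rename it `rule_bin_init () {` or call `rule _bin_init`. In the moved `rule_user_root_init`, the `test -n "$users"` guard sits on the outer `while`, before `read` has ever assigned `users`, so the body never runs and `/root/etc/ssh/authorized_keys` is written empty — root loses its SSH keys after this step unless `users` happens to be set globally, which nothing here shows. Compare `rule_initramfs_init` above, where the guard is on the inner loop; the outer loop here should be `while IFS=: read -r group x x users` and the inner `while test -n "$users" && IFS=, read -r user users`. This is moved rather than new logic, but `rule_user_admin_add` now runs it for every admin added.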
@@ -816,7 +816,7 @@ rule_user_mail_format () { mk_reg mod=664 own=root:root /etc/postgrey/whitelist_recipients.local <<-EOF EOF } -rule_mail_install () { +rule_mail_init () { sudo apt-get install postfix postgrey dovecot } @@ -825,9 +825,8 @@ ${1+shift} case $rule in (help);; (*) - test "$(hostname --fqdn)" = "$vm_fqdn" || - error 1 "mauvaise machine" + assert 'test "$(hostname --fqdn)" = "$vm_fqdn"' vm_fqdn ${TRACE:+set -x} ;; esac -rule_$rule "$@" +rule $rule "$@" diff --git a/vm_remote b/vm_remote index 946706a..1a599dc 100755 --- a/vm_remote +++ b/vm_remote @@ -13,10 +13,10 @@ rule_help () { Voir \`$tool/vm_hosted' pour les utilitaires côté VM hébergée. SYNTAX: $0 \$RULE \${RULE}_SYNTAX RULES: - $(sed -ne 's/^rule_\([^_][^ ]*\) () {\( *#.*\|\)/\t\1\2/p' "$tool"/vm.sh "$0") + $(sed -ne 's/^rule_\([^_][^ ]*\) () {\( *#.*\|\)/\t\1\2/p' "$tool"/etc/vm.sh "$0") ENVIRONMENT: TRACE # affiche les commandes avant leur exécution - $(sed -ne 's/^readonly \([^ ][^ =]*\).*}\( *#.*\|\)$/\t$\1\2/p' "$tool"/vm.sh "$0") + $(sed -ne 's/^readonly \([^ ][^ =]*\).*}\( *#.*\|\)$/\t$\1\2/p' "$tool"/etc/vm.sh "$0") EOF } @@ -26,7 +26,7 @@ rule_git_config () { git config remote.host.url >/dev/null || git remote add host $vm_host:tool/vm git config --replace remote.host HEAD:refs/heads/origin - git config remote.$vm.url >/dev/null || + git config remote.vm.url >/dev/null || git remote add vm root@$vm_fqdn:tool/vm git config --replace remote.$vm HEAD:refs/heads/origin ) @@ -57,7 +57,7 @@ rule_disk_key_backup () { for part in root var home do mkdir -p var/lib/luks - rule_ssh -l root ' \ + rule ssh -l root ' \ tmp=$(mktemp) cryptsetup luksHeaderBackup \ /dev/$vm_lvm_vg/${vm_lvm_lv}_${part} \ 
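Review bot: In `rule_git_config` the existence check is corrected to `remote.vm.url`, but the `--replace` on the next line still writes `remote.$vm`, so the check and the setting it guards now address different remotes; it should read `git config --replace remote.vm HEAD:refs/heads/origin`, mirroring the `remote.host` pair above it. Both `--replace` lines set a bare `remote.X` key rather than `remote.X.push`, which git does not read as a refspec — worth confirming the intent and fixing both while here. The start of the function is outside this hunk.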
@@ -75,10 +75,8 @@ ${1+shift} case $rule in (help);; (*) - test ! "$(hostname --fqdn)" = "$vm_fqdn" && - test ! "$(hostname --fqdn)" = "$vm_host" || - error 1 "mauvaise machine" - ${TRACE:+set -x} + assert 'test ! "$(hostname --fqdn)" = "$vm_fqdn"' vm_fqdn + assert 'test ! "$(hostname --fqdn)" = "$vm_host"' vm_host ;; esac -rule_$rule "$@" +rule $rule "$@" -- 2.20.1