[debian-lan-devel] [SCM] Debian-LAN development and packaging branch, master, updated. 0.6-34-g26195d5

Andreas B. Mundt andi at debian.org
Thu Aug 30 16:55:51 UTC 2012


The following commit has been merged in the master branch:
commit 26195d508e65b22d0b1c4cbcae9c55d8e88ff169
Author: Andreas B. Mundt <andi at debian.org>
Date:   Thu Aug 30 18:32:26 2012 +0200

    Implement automatic kerberos keytab distribution during installation.
    
    The script periodically tries to copy an available and unused keytab
    to the client during installation.  If this succeeds, the keytab is
    marked with a time stamp.
    
    The script is triggered by the DHCPd for all known machines except
    diskless clients.  To install a machine, it is necessary to add the
    hardware (MAC) address to the DHCPd configuration (done by running
    'debian-lan add2dhcp' for example).  After that, no further activation
    is needed.

diff --git a/fai/config/files/usr/local/sbin/dhcpd-keytab/SERVER_A b/fai/config/files/usr/local/sbin/dhcpd-keytab/SERVER_A
new file mode 100644
index 0000000..f9fb280
--- /dev/null
+++ b/fai/config/files/usr/local/sbin/dhcpd-keytab/SERVER_A
@@ -0,0 +1,78 @@
+#!/bin/bash
+#
+#  Send kerberos keytab to machines during PXE installation.
+#  Called by dhcpd on lease.
+#
+
+set -e
+
+DATADIR="/root/installation/"
+NFSROOT="/srv/fai/nfsroot/live/filesystem.dir/"
+
+MACHINE=$1
+WAIT=60
+
+if [ ! -e $DATADIR/${MACHINE}.keytab ] ; then
+    ## The keytab is missing or in use already, exit.
+    exit 0
+elif [ "$2" != "go" ]; then
+    ## Fork to the background and run script.
+    $0 "$1" go >> /var/log/`basename ${0}`.log 2>&1 &
+    exit 0
+fi
+
+## Only one process:
+STAMP=/tmp/`basename ${0}`_$MACHINE
+if [ -e $STAMP ] ; then
+    exit 0
+else
+    touch $STAMP
+    trap "rm -f $STAMP" ERR SIGHUP SIGINT SIGTERM
+fi
+
+cleanup(){
+    echo $1
+    rm -f $STAMP
+    exit 0
+}
+
+## Make chroot accessible to root:
+if [ ! -e ${NFSROOT}/root/.ssh/authorized_keys ] ; then
+    echo $MACHINE `date`
+    mkdir -vp ${NFSROOT}/root/.ssh/
+    for KEY in `ls /root/.ssh/*.pub` ; do
+	cat $KEY >> ${NFSROOT}/root/.ssh/authorized_keys
+    done
+fi
+
+sleep $WAIT
+for i in `seq 8` ; do
+    echo $MACHINE `date`
+    echo "Copying keytab to $MACHINE: $i try."
+    ## Do not check host ID and do not add the host ID to known_hosts,
+    ## as the host will have a differen ID after installation:
+    if ! scp -o StrictHostKeyChecking=no -o UserKnownHostsFile=\"$STAMP\" -p \
+	$DATADIR/${MACHINE}.keytab root@${MACHINE}:/target/etc/krb5.keytab ; then
+        echo "Copying failed, sleeping $WAIT s."
+        sleep $WAIT
+	ping -c 2 $MACHINE > /dev/null || cleanup "Cannot ping $MACHINE, exiting."
+        continue
+    fi
+    echo "$DATADIR/${MACHINE}.keytab copied to ${MACHINE}."
+    DATE=`date +%F`
+    mv -v $DATADIR/${MACHINE}.keytab $DATADIR/${MACHINE}.keytab_$DATE
+    MUNIN_CONFDIR='/etc/munin/munin-conf.d/'
+    if [ -d $MUNIN_CONFDIR ] && ! grep -sq ${MACHINE} $MUNIN_CONFDIR/nodes.conf ; then
+        cat >> $MUNIN_CONFDIR/nodes.conf <<EOF
+[${MACHINE}.intern]
+     address ${MACHINE}
+
+EOF
+        echo "${MACHINE} will be monitored by munin from now on."
+    else
+        echo "$MUNIN_CONFDIR does not exist or machine already present in $MUNIN_CONFDIR/nodes.conf."
+    fi
+    cleanup "Success! ${MACHINE} activated."
+done
+
+cleanup "Failed to activate ${MACHINE}.  Run 'debian-lan addmachine ${MACHINE}' manually."
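Review bot: The per-machine stamp file is a predictable, root-created path in the world-writable /tmp, and it serves both as the lock (`[ -e $STAMP ]` exits early) and as scp's UserKnownHostsFile, so any local user can pre-create it to block keytab distribution for a host, or plant a symlink there that root then writes through; keep it in a root-owned directory instead, e.g. `STAMPDIR=/var/run/dhcpd-keytab; mkdir -p -m 0700 "$STAMPDIR"; STAMP=$STAMPDIR/$MACHINE`, and give scp `-o UserKnownHostsFile=/dev/null`. With StrictHostKeyChecking=no the keytab, a Kerberos secret, is handed to whichever host answers for ${MACHINE} during the install window; if the nfsroot ships a fixed ssh host key, a known_hosts built from it together with StrictHostKeyChecking=yes would close that gap without interaction, and the comment above the scp call should state which of the two the author chose and why. `grep -sq ${MACHINE}` is an unanchored substring match, so a host named pc1 is reported as already present once pc10 exists; `grep -sqFx "[${MACHINE}.intern]"` matches the stanza header exactly. Every expansion of $MACHINE, $DATADIR and $STAMP is unquoted; quoting them is cheap here, since the script runs as root on names taken from dhcpd's configuration.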
diff --git a/fai/config/scripts/FAISERVER/40-dhcp b/fai/config/scripts/FAISERVER/40-dhcp
index b527d3d..c0fd4aa 100755
--- a/fai/config/scripts/FAISERVER/40-dhcp
+++ b/fai/config/scripts/FAISERVER/40-dhcp
@@ -38,6 +38,11 @@ group {
    server-name faiserver;
    next-server faiserver;
    filename "fai/pxelinux.0";
+
+   on commit {
+        execute("/usr/local/sbin/dhcpd-keytab", host-decl-name);
+   }
+
 EOF
 
 PREFIX=`echo $SUBNET | cut -d "." --fields=1,2,3`
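Review bot: The `execute()` hook runs dhcpd-keytab with dhcpd's own privileges and confinement, whereas SERVER_A in this commit reads keytabs from /root/installation, writes under the nfsroot and appends to /var/log, so on a server where dhcpd drops privileges or an enforced AppArmor profile applies, the hook presumably fails before the script can open its own log; that precondition is worth a comment in the generated configuration, e.g. `# dhcpd-keytab runs with dhcpd's privileges; it needs root access to /root/installation.` A failed execute() is only reported through dhcpd's own logging, so the daemon's syslog output after the first lease of a newly added MAC is the place to confirm the hook is live. The heredoc these lines extend starts before the hunk, so its `cat >> ... <<EOF` line is outside view.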
@@ -49,7 +54,15 @@ for IPADDR in `seq $WS_RANGE` ; do
 	>> $target/etc/dhcp/dhcpd.conf
     NUM=$(($NUM+1))
 done
-echo >> $target/etc/dhcp/dhcpd.conf
+echo "}" >> $target/etc/dhcp/dhcpd.conf
+cat >> $target/etc/dhcp/dhcpd.conf <<EOF
+
+group {
+   server-name faiserver;
+   next-server faiserver;
+   filename "fai/pxelinux.0";
+
+EOF
 NUM=0
 for IPADDR in `seq $DL_RANGE` ; do
     NUMSTR=`printf "%02d" $NUM`
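Review bot: The second `group {` opened here for the diskless range repeats the first group's options but deliberately omits the `on commit` hook; the generated dhcpd.conf gives no hint that this is intentional, so a comment inside the heredoc, `# No dhcpd-keytab hook: diskless clients are never installed.`, would keep the next editor from copying it over. `$target` stays unquoted in the new `echo` and `cat` redirections, matching the surrounding lines; `"$target/etc/dhcp/dhcpd.conf"` is the safe form if the script is ever tidied. The DL_RANGE loop that follows continues past the hunk.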
@@ -58,3 +71,4 @@ for IPADDR in `seq $DL_RANGE` ; do
     NUM=$(($NUM+1))
 done
 echo "}" >> $target/etc/dhcp/dhcpd.conf
+
