[debian-lan-devel] [SCM] Debian-LAN development and packaging branch, squeeze, updated. 0.6-15-gbeab8b2
Andreas B. Mundt
andi at debian.org
Sun Sep 2 07:01:26 UTC 2012
The following commit has been merged in the squeeze branch:
commit beab8b2f20891857680c0460e78640557c9a5a41
Author: Andreas B. Mundt <andi at debian.org>
Date: Thu Aug 30 18:32:26 2012 +0200
Implement automatic kerberos keytab distribution during installation.
The script periodically tries to copy an available and unused keytab
to the client during installation. If this succeeds, the keytab is
marked with a time stamp.
The script is triggered by the DHCPd for all known machines except
diskless clients. To install a machine, it is necessary to add the
hardware (MAC) address to the DHCPd configuration (done by running
'debian-lan add2dhcp' for example). After that, no more activation is
needed.
diff --git a/fai/config/files/usr/local/sbin/dhcpd-keytab/SERVER_A b/fai/config/files/usr/local/sbin/dhcpd-keytab/SERVER_A
new file mode 100644
index 0000000..f9fb280
--- /dev/null
+++ b/fai/config/files/usr/local/sbin/dhcpd-keytab/SERVER_A
@@ -0,0 +1,78 @@
+#!/bin/bash
+#
+# Send kerberos keytab to machines during PXE installation.
+# Called by dhcpd on lease.
+#
+
+set -e
+
+DATADIR="/root/installation/"
+NFSROOT="/srv/fai/nfsroot/live/filesystem.dir/"
+
+MACHINE=$1
+WAIT=60
+
+if [ ! -e $DATADIR/${MACHINE}.keytab ] ; then
+ ## The keytab is missing or in use already, exit.
+ exit 0
+elif [ "$2" != "go" ]; then
+ ## Fork to the background and run script.
+ $0 "$1" go >> /var/log/`basename ${0}`.log 2>&1 &
+ exit 0
+fi
+
+## Only one process:
+STAMP=/tmp/`basename ${0}`_$MACHINE
+if [ -e $STAMP ] ; then
+ exit 0
+else
+ touch $STAMP
+ trap "rm -f $STAMP" ERR SIGHUP SIGINT SIGTERM
+fi
+
+cleanup(){
+ echo $1
+ rm -f $STAMP
+ exit 0
+}
+
+## Make chroot accessible to root:
+if [ ! -e ${NFSROOT}/root/.ssh/authorized_keys ] ; then
+ echo $MACHINE `date`
+ mkdir -vp ${NFSROOT}/root/.ssh/
+ for KEY in `ls /root/.ssh/*.pub` ; do
+ cat $KEY >> ${NFSROOT}/root/.ssh/authorized_keys
+ done
+fi
+
+sleep $WAIT
+for i in `seq 8` ; do
+ echo $MACHINE `date`
+ echo "Copying keytab to $MACHINE: $i try."
+ ## Do not check host ID and do not add the host ID to known_hosts,
+ ## as the host will have a differen ID after installation:
+ if ! scp -o StrictHostKeyChecking=no -o UserKnownHostsFile=\"$STAMP\" -p \
+ $DATADIR/${MACHINE}.keytab root@${MACHINE}:/target/etc/krb5.keytab ; then
+ echo "Copying failed, sleeping $WAIT s."
+ sleep $WAIT
+ ping -c 2 $MACHINE > /dev/null || cleanup "Cannot ping $MACHINE, exiting."
+ continue
+ fi
+ echo "$DATADIR/${MACHINE}.keytab copied to ${MACHINE}."
+ DATE=`date +%F`
+ mv -v $DATADIR/${MACHINE}.keytab $DATADIR/${MACHINE}.keytab_$DATE
+ MUNIN_CONFDIR='/etc/munin/munin-conf.d/'
+ if [ -d $MUNIN_CONFDIR ] && ! grep -sq ${MACHINE} $MUNIN_CONFDIR/nodes.conf ; then
+ cat >> $MUNIN_CONFDIR/nodes.conf <<EOF
+[${MACHINE}.intern]
+ address ${MACHINE}
+
+EOF
+ echo "${MACHINE} will be monitored by munin from now on."
+ else
+ echo "$MUNIN_CONFDIR does not exist or machine already present in $MUNIN_CONFDIR/nodes.conf."
+ fi
+ cleanup "Success! ${MACHINE} activated."
+done
+
+cleanup "Failed to activate ${MACHINE}. Run 'debian-lan addmachine ${MACHINE}' manually."
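Review bot: STAMP at line 48 is a fixed, predictable name under world-writable /tmp that root then creates with `touch` and also hands to scp as UserKnownHostsFile, so a local user who pre-creates `/tmp/dhcpd-keytab_<machine>` (or a symlink there) can block every activation or have root write into a file of their choosing; the `[ -e ]` / `touch` pair at lines 49–52 is also not atomic, so two lease commits arriving together can both pass the check. Keeping the lock in a root-owned directory and using `mkdir` as the atomic test-and-set addresses both, and an EXIT trap makes the `rm -f` in cleanup() unnecessary. The `\"$STAMP\"` on line 77 passes literal double quotes to scp; ssh appears to accept a quoted option value, but plain `-o "UserKnownHostsFile=$STAMP"` is clearer. Quoting the expansions (`"$MACHINE"`, `"$DATADIR"`) throughout would let shellcheck pass as well.
```bash
## Only one process: mkdir is atomic, so the test-and-set cannot race,
## and /var/lock is not world-writable like /tmp.
LOCKDIR=/var/lock/$(basename "$0")_${MACHINE}
mkdir -- "$LOCKDIR" 2>/dev/null || exit 0
STAMP=$LOCKDIR/known_hosts
trap 'rm -rf -- "$LOCKDIR"' EXIT

cleanup(){
  echo "$1"
  exit 0
}
# … unchanged: authorized_keys setup, scp retry loop, munin registration …
```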
diff --git a/fai/config/scripts/FAISERVER/40-dhcp b/fai/config/scripts/FAISERVER/40-dhcp
index b527d3d..c0fd4aa 100755
--- a/fai/config/scripts/FAISERVER/40-dhcp
+++ b/fai/config/scripts/FAISERVER/40-dhcp
@@ -38,6 +38,11 @@ group {
server-name faiserver;
next-server faiserver;
filename "fai/pxelinux.0";
+
+ on commit {
+ execute("/usr/local/sbin/dhcpd-keytab", host-decl-name);
+ }
+
EOF
PREFIX=`echo $SUBNET | cut -d "." --fields=1,2,3`
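Review bot: The new `on commit` block at lines 111–113 carries no comment, and a reader of the generated dhcpd.conf has to know that execute() runs with the privileges of the dhcpd process and passes host-decl-name — empty for leases without a matching host declaration — as the script's only argument. Since this is inside an unquoted heredoc, a dhcpd.conf comment can be written directly above `on commit {`: `# Hand the kerberos keytab to hosts being installed; the script exits at once when no unused keytab exists for the host.` The enclosing heredoc starts before this hunk.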
@@ -49,7 +54,15 @@ for IPADDR in `seq $WS_RANGE` ; do
>> $target/etc/dhcp/dhcpd.conf
NUM=$(($NUM+1))
done
-echo >> $target/etc/dhcp/dhcpd.conf
+echo "}" >> $target/etc/dhcp/dhcpd.conf
+cat >> $target/etc/dhcp/dhcpd.conf <<EOF
+
+group {
+ server-name faiserver;
+ next-server faiserver;
+ filename "fai/pxelinux.0";
+
+EOF
NUM=0
for IPADDR in `seq $DL_RANGE` ; do
NUMSTR=`printf "%02d" $NUM`
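Review bot: The second `group {` opened at lines 123–130 has no comment saying why the diskless clients are split off from the first group, so the omission of the `on commit` hook reads like an oversight rather than the intent stated in the commit message. A line inside the heredoc such as `# Diskless clients: separate group without the 'on commit' keytab hook.` would document it in the generated dhcpd.conf. The `for IPADDR` loop that follows continues past the end of this hunk.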
@@ -58,3 +71,4 @@ for IPADDR in `seq $DL_RANGE` ; do
NUM=$(($NUM+1))
done
echo "}" >> $target/etc/dhcp/dhcpd.conf
+