[debian-lan-devel] [SCM] Debian-LAN development and packaging branch, squeeze, updated. 0.6-15-gbeab8b2

Andreas B. Mundt andi at debian.org
Sun Sep 2 07:01:26 UTC 2012


The following commit has been merged in the squeeze branch:
commit beab8b2f20891857680c0460e78640557c9a5a41
Author: Andreas B. Mundt <andi at debian.org>
Date:   Thu Aug 30 18:32:26 2012 +0200

    Implement automatic kerberos keytab distribution during installation.
    
    The script periodically tries to copy an available and unused keytab
    to the client during installation.  If this succeeds, the keytab is
    marked with a time stamp.
    
    The script is triggered by the DHCPd for all known machines except
    diskless clients.  To install a machine, it is necessary to add the
    hardware (MAC) address to the DHCPd configuration (done by running
    'debian-lan add2dhcp' for example).  After that, no further activation is
    needed.

diff --git a/fai/config/files/usr/local/sbin/dhcpd-keytab/SERVER_A b/fai/config/files/usr/local/sbin/dhcpd-keytab/SERVER_A
new file mode 100644
index 0000000..f9fb280
--- /dev/null
+++ b/fai/config/files/usr/local/sbin/dhcpd-keytab/SERVER_A
@@ -0,0 +1,78 @@
+#!/bin/bash
+#
+#  Send kerberos keytab to machines during PXE installation.
+#  Called by dhcpd on lease.
+#
+
+set -e
+
+DATADIR="/root/installation/"
+NFSROOT="/srv/fai/nfsroot/live/filesystem.dir/"
+
+MACHINE=$1
+WAIT=60
+
+if [ ! -e $DATADIR/${MACHINE}.keytab ] ; then
+    ## The keytab is missing or in use already, exit.
+    exit 0
+elif [ "$2" != "go" ]; then
+    ## Fork to the background and run script.
+    $0 "$1" go >> /var/log/`basename ${0}`.log 2>&1 &
+    exit 0
+fi
+
+## Only one process:
+STAMP=/tmp/`basename ${0}`_$MACHINE
+if [ -e $STAMP ] ; then
+    exit 0
+else
+    touch $STAMP
+    trap "rm -f $STAMP" ERR SIGHUP SIGINT SIGTERM
+fi
+
+cleanup(){
+    echo $1
+    rm -f $STAMP
+    exit 0
+}
+
+## Make chroot accessible to root:
+if [ ! -e ${NFSROOT}/root/.ssh/authorized_keys ] ; then
+    echo $MACHINE `date`
+    mkdir -vp ${NFSROOT}/root/.ssh/
+    for KEY in `ls /root/.ssh/*.pub` ; do
+	cat $KEY >> ${NFSROOT}/root/.ssh/authorized_keys
+    done
+fi
+
+sleep $WAIT
+for i in `seq 8` ; do
+    echo $MACHINE `date`
+    echo "Copying keytab to $MACHINE: $i try."
+    ## Do not check host ID and do not add the host ID to known_hosts,
+    ## as the host will have a differen ID after installation:
+    if ! scp -o StrictHostKeyChecking=no -o UserKnownHostsFile=\"$STAMP\" -p \
+	$DATADIR/${MACHINE}.keytab root@${MACHINE}:/target/etc/krb5.keytab ; then
+        echo "Copying failed, sleeping $WAIT s."
+        sleep $WAIT
+	ping -c 2 $MACHINE > /dev/null || cleanup "Cannot ping $MACHINE, exiting."
+        continue
+    fi
+    echo "$DATADIR/${MACHINE}.keytab copied to ${MACHINE}."
+    DATE=`date +%F`
+    mv -v $DATADIR/${MACHINE}.keytab $DATADIR/${MACHINE}.keytab_$DATE
+    MUNIN_CONFDIR='/etc/munin/munin-conf.d/'
+    if [ -d $MUNIN_CONFDIR ] && ! grep -sq ${MACHINE} $MUNIN_CONFDIR/nodes.conf ; then
+        cat >> $MUNIN_CONFDIR/nodes.conf <<EOF
+[${MACHINE}.intern]
+     address ${MACHINE}
+
+EOF
+        echo "${MACHINE} will be monitored by munin from now on."
+    else
+        echo "$MUNIN_CONFDIR does not exist or machine already present in $MUNIN_CONFDIR/nodes.conf."
+    fi
+    cleanup "Success! ${MACHINE} activated."
+done
+
+cleanup "Failed to activate ${MACHINE}.  Run 'debian-lan addmachine ${MACHINE}' manually."
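Review bot: The keytab is pushed with `StrictHostKeyChecking=no` and a known-hosts file that is the lock stamp, so nothing authenticates the machine receiving the secret beyond name resolution of `$MACHINE`; if the FAI nfsroot ships a fixed ssh host key, pinning it with `-o StrictHostKeyChecking=yes -o UserKnownHostsFile=<file holding the nfsroot host key>` binds the transfer to the install image, and the backslash-escaped quotes in `UserKnownHostsFile=\"$STAMP\"` reach scp as literal characters anyway (`/dev/null` is the usual throwaway). `STAMP=/tmp/...` is a predictable, root-written path that ssh may append host keys to; `STAMP=/var/run/$(basename "$0")_$MACHINE` keeps unprivileged users from pre-creating or redirecting it. `grep -sq ${MACHINE} $MUNIN_CONFDIR/nodes.conf` is an unanchored regex, so a host `ws1` is never added once `ws10` is present; `grep -sqF "[${MACHINE}.intern]" $MUNIN_CONFDIR/nodes.conf` matches exactly the entry the heredoc writes. Smaller: `for KEY in \`ls /root/.ssh/*.pub\`` parses ls and should be `for KEY in /root/.ssh/*.pub`, and `differen` in the comment should read `different`.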
diff --git a/fai/config/scripts/FAISERVER/40-dhcp b/fai/config/scripts/FAISERVER/40-dhcp
index b527d3d..c0fd4aa 100755
--- a/fai/config/scripts/FAISERVER/40-dhcp
+++ b/fai/config/scripts/FAISERVER/40-dhcp
@@ -38,6 +38,11 @@ group {
    server-name faiserver;
    next-server faiserver;
    filename "fai/pxelinux.0";
+
+   on commit {
+        execute("/usr/local/sbin/dhcpd-keytab", host-decl-name);
+   }
+
 EOF
 
 PREFIX=`echo $SUBNET | cut -d "." --fields=1,2,3`
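Review bot: `execute("/usr/local/sbin/dhcpd-keytab", host-decl-name)` runs with dhcpd's own privileges, and the helper needs root to read `/root/installation/` and write into the nfsroot, so this only works while dhcpd is not running under a dropped-privilege account; a comment in the generated config, e.g. `# Helper needs root: it reads /root/installation/ and writes into the FAI nfsroot.`, would record that dependency. `on commit` also fires on every lease renewal, not only the first PXE lease; the helper's early exit when no unused keytab exists is what keeps that cheap, which is worth noting next to the hook. The heredoc this hunk extends starts before the hunk.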
@@ -49,7 +54,15 @@ for IPADDR in `seq $WS_RANGE` ; do
 	>> $target/etc/dhcp/dhcpd.conf
     NUM=$(($NUM+1))
 done
-echo >> $target/etc/dhcp/dhcpd.conf
+echo "}" >> $target/etc/dhcp/dhcpd.conf
+cat >> $target/etc/dhcp/dhcpd.conf <<EOF
+
+group {
+   server-name faiserver;
+   next-server faiserver;
+   filename "fai/pxelinux.0";
+
+EOF
 NUM=0
 for IPADDR in `seq $DL_RANGE` ; do
     NUMSTR=`printf "%02d" $NUM`
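Review bot: The second `group {` block repeats the first group's `server-name`/`next-server`/`filename` lines without saying why the diskless-client range is split off; per the commit message it is so these hosts do not trigger the keytab hook, and the generated config should say so, e.g. `# Diskless clients: separate group without the 'on commit' keytab hook.` inside the heredoc before `group {`. The `echo "}"` that now closes the first group relies on the earlier hunk in this file having left it open; the surrounding script continues outside the hunk.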
@@ -58,3 +71,4 @@ for IPADDR in `seq $DL_RANGE` ; do
     NUM=$(($NUM+1))
 done
 echo "}" >> $target/etc/dhcp/dhcpd.conf
+



