From: Martin Zobel-Helas Date: Sun, 27 Nov 2011 13:43:56 +0000 (+0100) Subject: Merge branch 'master' of git+ssh://db.debian.org/git/dsa-wiki X-Git-Url: https://git.adam-barratt.org.uk/?a=commitdiff_plain;h=83e272296d6de9197df35a610e997082bebb040b;hp=cfdb4fcf7d43de9968bfc36f12e547cc3e100669;p=mirror%2Fdsa-wiki.git Merge branch 'master' of git+ssh://db.debian.org/git/dsa-wiki * 'master' of git+ssh://db.debian.org/git/dsa-wiki: per guest target dir for installs first puppetd -t will fail combine two blocks add -y to apt-get install when adding a new host, run puppet on draghi to update the firewall Update add-guest instructions do not wait for cert Update puppet howto: automate checksum checking, make domain independent Copy etc/apt/preferences only if it exists s/ext3/ext4/ --- diff --git a/input/howto/add-guest.creole b/input/howto/add-guest.creole index 43b6687..a569844 100644 --- a/input/howto/add-guest.creole +++ b/input/howto/add-guest.creole @@ -25,19 +25,9 @@ or whereever you keep the checkout. Then Once that is done, to to db-master (aka draghi) and add the account: {{{ - ud-useradd -n + ud-useradd -g }}} +* note the -g, this is for guest accounts (doesn't prompt for -private etc.) * enter fingerprint, account name, [fml] name and forwarding address. -* do _not_ subscribe to -private (enter a space character) -* keep uid number -* use 60000 as gid number - -Then set an expire date for the user: -{{{ - echo -n "userid of new user: " && - read uid && - ldapvi --encoding=ASCII -ZZ --ldap-conf -h db.debian.org -D uid=$USER,ou=users,dc=debian,dc=org "uid=$uid" -}}} - -and set {{{shadowExpire}}} to today + 60 days ( {{{echo $(( `date +%s` / 3600 / 24 + 60 ))}}} ). +* enter expiry date and hosts to allow access to, per the request. diff --git a/input/howto/install-kvm.creole b/input/howto/install-kvm.creole index 20752e7..02903e4 100644 --- a/input/howto/install-kvm.creole +++ b/input/howto/install-kvm.creole 
@@ -12,7 +12,7 @@ setup_env() { echo -n "New hostname: " && export LC_ALL=C && read guest && - target=/mnt/target && + target="/mnt/target-$guest" && mirror=`cat /etc/apt/sources.list /etc/apt/sources.list.d/debian.list 2>/dev/null | awk '/^deb.*debian/ {print $2; exit}'` && vgdefault=`vgdisplay -c | awk -F: '{print $1;exit}' | sed 's/ *//g'` && echo -n "Volume group? [$vgdefault]: " && @@ -35,7 +35,7 @@ setup_env() { dev_boot="/dev/mapper/$vg-$guest--boot" && echo "Root device will be $dev_root" && echo "Boot device will be $dev_boot" && - fs=ext3 + fs=ext4 fi && dev_swap="/dev/mapper/$vg-$guest--swap" && echo -n "Use a /boot filesystem (strongly recommended)? [Y/n] " && @@ -116,13 +116,13 @@ EOF rm -fv etc/apt/sources.list && ( ! [ -e /etc/apt/sources.list ] || cp /etc/apt/sources.list etc/apt/sources.list) (cp -v /etc/apt/sources.list.d/* etc/apt/sources.list.d/ || true ) && - cp -v /etc/apt/preferences etc/apt/ && + ( ! [ -e /etc/apt/preferences ] || cp -v /etc/apt/preferences etc/apt/ ) && apt-key exportall | chroot . apt-key add - && chroot . apt-get update && echo "Apt::Install-Recommends 0;" > etc/apt/apt.conf.d/local-recommends && - chroot . apt-get install net-tools iproute ifupdown dialog vim netbase xfsprogs && + chroot . apt-get install -y net-tools iproute ifupdown dialog vim netbase xfsprogs && cp -av `readlink -f $dev_root` dev/`basename $dev_root` && - DEBIAN_FRONTEND=noninteractive chroot . apt-get install grub2 && + DEBIAN_FRONTEND=noninteractive chroot . apt-get install -y grub2 && cat > etc/kernel-img.conf << EOF && do_symlinks = no do_initrd = yes 
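Review bot: The new `target="/mnt/target-$guest"` turns the interactively read hostname into a filesystem path, and nothing in the hunk rejects an empty answer or one containing `/`, `..` or whitespace, so a typo such as `../foo` silently yields a target outside /mnt; the same unvalidated value is embedded in the LVM device names (`/dev/mapper/$vg-$guest--root`) in the next hunk. I would validate it immediately after the read, before any path is derived from it: `case "$guest" in ''|*[!A-Za-z0-9.-]*) echo "invalid hostname: $guest" >&2; false;; esac &&`, and use `read -r guest` so backslashes are kept literal. setup_env() begins before this hunk and continues past it.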
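Review bot: The `&&` chain this hunk extends is broken one line above the new preferences copy: `( ! [ -e /etc/apt/sources.list ] || cp /etc/apt/sources.list etc/apt/sources.list)` has no trailing `&&` (unless it was lost in rendering), so if that copy fails the script does not stop but resumes at the sources.list.d line and goes on to install packages into a guest whose apt sources were never written. Appending `&&` to that line makes it fail closed like the new `( ! [ -e /etc/apt/preferences ] || cp -v /etc/apt/preferences etc/apt/ ) &&` line does. `apt-key exportall | chroot . apt-key add -` also deserves a comment, since it copies every key the host trusts into the guest, third-party repositories included: `# NOTE: imports all host-trusted apt keys into the guest, not only the Debian archive keys`. The `-y` on the apt-get lines is fine in that apt still aborts on unauthenticated packages rather than answering yes for them.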
@@ -132,7 +132,7 @@ EOF cp -av `readlink -f $dev_boot""1` dev/`basename $dev_boot`1 && chroot . grub-install --modules=part_msdos /dev/`basename $dev_boot` && # install a kernel image - chroot . apt-get install linux-image-2.6-amd64 && + chroot . apt-get install -y linux-image-2.6-amd64 && sed -i -e 's/^#GRUB_TERMINAL=console/GRUB_TERMINAL=console/' etc/default/grub && echo "(hd0) /dev/`basename $dev_boot`" > boot/grub/device.map && chroot . update-grub && @@ -143,7 +143,7 @@ EOF echo "(hd0) /dev/`basename $dev_root`" > boot/grub/device.map && chroot . grub-install /dev/"`basename $dev_root`" && # install a kernel image - chroot . apt-get install linux-image-2.6-amd64 && + chroot . apt-get install -y linux-image-2.6-amd64 && sed -i -e 's/^#GRUB_TERMINAL=console/GRUB_TERMINAL=console/' etc/default/grub && chroot . update-grub fi && @@ -158,7 +158,7 @@ And a fstab and a boot loader config # doesn't work: chroot . update-grub rootuuid=`blkid -s UUID -o value "$dev_root"` && swapuuid=`blkid -s UUID -o value "$dev_swap"` && - if [ "$fs" = "ext3" ]; then + if [ "$fs" = "ext4" ]; then rootopts="errors=remount-ro" else rootopts="defaults" diff --git a/input/howto/new-machine.creole b/input/howto/new-machine.creole index 181bf3b..71e93a8 100644 --- a/input/howto/new-machine.creole +++ b/input/howto/new-machine.creole @@ -35,7 +35,7 @@ Note: this has recently been changed to rely more on [[puppet|howto/puppet-setup * run generate, or wait until cron runs it for you. Update DNS. {{{ - : :: draghi :: && sudo -u sshdist ud-generate && sudo -H ud-replicate + : :: draghi :: && sudo -u sshdist ud-generate && sudo -H ud-replicate && sudo -H puppetd -t : :: orff :: && sudo -H ud-replicate }}} diff --git a/input/howto/puppet-setup.mdwn b/input/howto/puppet-setup.mdwn index 32a51e5..1d2ec88 100644 --- a/input/howto/puppet-setup.mdwn +++ b/input/howto/puppet-setup.mdwn 
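Review bot: Changing the test to `[ "$fs" = "ext4" ]` means a guest built with `fs=ext3` would now get `rootopts="defaults"` instead of `errors=remount-ro`, i.e. a corrupted root filesystem keeps being written to instead of going read-only; whether ext3 can still be chosen depends on the branch of setup_env() outside this hunk, since only the `fs=ext4` assignment is visible. The option is accepted by ext2, ext3 and ext4 alike, so a pattern match keeps the safeguard for any of them: `case "$fs" in ext[234]) rootopts="errors=remount-ro";; *) rootopts="defaults";; esac`. If ext4 is in fact the only ext choice now, a comment saying so next to the test would explain the equality. The fstab-building block continues past the end of the hunk.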
@@ -15,33 +15,32 @@ adjusted. : ::client:: && apt-get update && apt-get install --no-install-recommends puppet libaugeas-ruby1.8 augeas-lenses lsb-release && /etc/init.d/puppet stop && - puppetd -w 5 -t + (puppetd -t || true ) && + cd /var/lib/puppet/ssl/certificate_requests && + echo sha256sum output: && echo && + sha256sum $(hostname -f).pem && + echo && echo && cd / This will not overwrite anything yet, since handel has not signed the client cert. Now is the time to abort if you are getting cold feet. Compare incoming csr request: -on handel: - - : __handel__ && echo -n 'Client name: ' && read client && - sha1sum /var/lib/puppet/ssl/ca/requests/$client.debian.org.pem -on new client: - - : ::client:: && sha1sum /var/lib/puppet/ssl/certificate_requests/$(hostname).debian.org.pem - -If you're satisfied, sign the request on handel with: - - : __handel__ && puppetca --sign $client.debian.org - -bootstrap client knowledge of puppet ca: -on handel: - - : __handel__ && echo 'cat > /var/lib/puppet/ssl/certs/ca.pem << EOF ' && +on handel, paste the sha256output:: + + : __handel__ && echo "paste sha256sum output now:" && + read sha256 filename && + cd /var/lib/puppet/ssl/ca/requests && + ( [ -e $filename ] || (echo "$filename does not exist."; exit 1) ) && + echo -e "$sha256 $filename" | sha256sum -c && + puppetca --sign $(basename "$filename" .pem) && + echo && echo && echo && + echo 'cat > /var/lib/puppet/ssl/certs/ca.pem << EOF ' && cat /var/lib/puppet/ssl/certs/ca.pem && echo 'EOF' && - echo "cat > /var/lib/puppet/ssl/certs/$client.debian.org.pem << EOF " && - cat /var/lib/puppet/ssl/ca/signed/$client.debian.org.pem && - echo 'EOF' + echo "cat > /var/lib/puppet/ssl/certs/$filename << EOF " && + cat /var/lib/puppet/ssl/ca/signed/$filename && + echo 'EOF' && + cd / and execute this on the client. 
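Review bot: On handel the pasted `filename` is used without any check on its form: `[ -e $filename ]` is unquoted, and nothing rejects a value containing `/` or `..`, so the existence test, `sha256sum -c` and `cat /var/lib/puppet/ssl/ca/signed/$filename` can all resolve outside the requests directory — and the name originates from the client's own `hostname -f`, which the not-yet-trusted host controls if the operator pastes it verbatim. Guard it before use, `case "$filename" in ''|*/*|*[!A-Za-z0-9.-]*) echo "bad filename: $filename" >&2; false;; esac &&`, and quote the test as `[ -e "$filename" ]`. `echo -e "$sha256 $filename"` also interprets backslash escapes in the pasted text; `printf '%s  %s\n' "$sha256" "$filename" | sha256sum -c` reproduces the two-space format sha256sum itself emits and avoids that. The digest only authenticates the CSR if it is read from a client session the operator already trusts (the console or SSH login used for the install) rather than from anything the client sends afterwards; a one-line comment above the paste prompt stating that would make the step's purpose clear. Some added lines in this hunk appear to have lost their `+` marker in rendering, so the exact old/new split is partly inferred.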
@@ -52,7 +51,7 @@ although the config files should remain identical before and after. Then run (this will change the configs in /etc): - : ::client:: && puppetd -w 5 --debug -t + : ::client:: && puppetd -t This run will start puppet after reconfiguring it, so if you are unhappy with what just happened, you'll need to stop it again to do