Once that is done, to to db-master (aka draghi) and add the account:
{{{
- ud-useradd -n
+ ud-useradd -g
}}}
+* note the -g, this is for guest accounts (doesn't prompt for -private etc.)
* enter fingerprint, account name, [fml] name and forwarding address.
-* do _not_ subscribe to -private (enter a space character)
-* keep uid number
-* use 60000 as gid number
-
-Then set an expire date for the user:
-{{{
- echo -n "userid of new user: " &&
- read uid &&
- ldapvi --encoding=ASCII -ZZ --ldap-conf -h db.debian.org -D uid=$USER,ou=users,dc=debian,dc=org "uid=$uid"
-}}}
-
-and set {{{shadowExpire}}} to today + 60 days ( {{{echo $(( `date +%s` / 3600 / 24 + 60 ))}}} ).
+* enter expiry date and hosts to allow access to, per the request.
echo -n "New hostname: " &&
export LC_ALL=C &&
read guest &&
- target=/mnt/target &&
+ target="/mnt/target-$guest" &&
mirror=`cat /etc/apt/sources.list /etc/apt/sources.list.d/debian.list 2>/dev/null | awk '/^deb.*debian/ {print $2; exit}'` &&
vgdefault=`vgdisplay -c | awk -F: '{print $1;exit}' | sed 's/ *//g'` &&
echo -n "Volume group? [$vgdefault]: " &&
dev_boot="/dev/mapper/$vg-$guest--boot" &&
echo "Root device will be $dev_root" &&
echo "Boot device will be $dev_boot" &&
- fs=ext3
+ fs=ext4
fi &&
dev_swap="/dev/mapper/$vg-$guest--swap" &&
echo -n "Use a /boot filesystem (strongly recommended)? [Y/n] " &&
rm -fv etc/apt/sources.list &&
( ! [ -e /etc/apt/sources.list ] || cp /etc/apt/sources.list etc/apt/sources.list)
(cp -v /etc/apt/sources.list.d/* etc/apt/sources.list.d/ || true ) &&
- cp -v /etc/apt/preferences etc/apt/ &&
+ ( ! [ -e /etc/apt/preferences ] || cp -v /etc/apt/preferences etc/apt/ ) &&
apt-key exportall | chroot . apt-key add - &&
chroot . apt-get update &&
echo "Apt::Install-Recommends 0;" > etc/apt/apt.conf.d/local-recommends &&
- chroot . apt-get install net-tools iproute ifupdown dialog vim netbase xfsprogs &&
+ chroot . apt-get install -y net-tools iproute ifupdown dialog vim netbase xfsprogs &&
cp -av `readlink -f $dev_root` dev/`basename $dev_root` &&
- DEBIAN_FRONTEND=noninteractive chroot . apt-get install grub2 &&
+ DEBIAN_FRONTEND=noninteractive chroot . apt-get install -y grub2 &&
cat > etc/kernel-img.conf << EOF &&
do_symlinks = no
do_initrd = yes
cp -av `readlink -f $dev_boot""1` dev/`basename $dev_boot`1 &&
chroot . grub-install --modules=part_msdos /dev/`basename $dev_boot` &&
# install a kernel image
- chroot . apt-get install linux-image-2.6-amd64 &&
+ chroot . apt-get install -y linux-image-2.6-amd64 &&
sed -i -e 's/^#GRUB_TERMINAL=console/GRUB_TERMINAL=console/' etc/default/grub &&
echo "(hd0) /dev/`basename $dev_boot`" > boot/grub/device.map &&
chroot . update-grub &&
echo "(hd0) /dev/`basename $dev_root`" > boot/grub/device.map &&
chroot . grub-install /dev/"`basename $dev_root`" &&
# install a kernel image
- chroot . apt-get install linux-image-2.6-amd64 &&
+ chroot . apt-get install -y linux-image-2.6-amd64 &&
sed -i -e 's/^#GRUB_TERMINAL=console/GRUB_TERMINAL=console/' etc/default/grub &&
chroot . update-grub
fi &&
# doesn't work: chroot . update-grub
rootuuid=`blkid -s UUID -o value "$dev_root"` &&
swapuuid=`blkid -s UUID -o value "$dev_swap"` &&
- if [ "$fs" = "ext3" ]; then
+ if [ "$fs" = "ext4" ]; then
rootopts="errors=remount-ro"
else
rootopts="defaults"
* run generate, or wait until cron runs it for you. Update DNS.
{{{
- : :: draghi :: && sudo -u sshdist ud-generate && sudo -H ud-replicate
+ : :: draghi :: && sudo -u sshdist ud-generate && sudo -H ud-replicate && sudo -H puppetd -t
: :: orff :: && sudo -H ud-replicate
}}}
: ::client:: && apt-get update &&
apt-get install --no-install-recommends puppet libaugeas-ruby1.8 augeas-lenses lsb-release &&
/etc/init.d/puppet stop &&
- puppetd -w 5 -t
+ (puppetd -t || true ) &&
+ cd /var/lib/puppet/ssl/certificate_requests &&
+ echo sha256sum output: && echo &&
+ sha256sum $(hostname -f).pem &&
+ echo && echo && cd /
This will not overwrite anything yet, since handel has not signed the
client cert. Now is the time to abort if you are getting cold feet.
Compare incoming csr request:
-on handel:
-
- : __handel__ && echo -n 'Client name: ' && read client &&
- sha1sum /var/lib/puppet/ssl/ca/requests/$client.debian.org.pem
-on new client:
-
- : ::client:: && sha1sum /var/lib/puppet/ssl/certificate_requests/$(hostname).debian.org.pem
-
-If you're satisfied, sign the request on handel with:
-
- : __handel__ && puppetca --sign $client.debian.org
-
-bootstrap client knowledge of puppet ca:
-on handel:
-
- : __handel__ && echo 'cat > /var/lib/puppet/ssl/certs/ca.pem << EOF ' &&
+on handel, paste the sha256output::
+
+ : __handel__ && echo "paste sha256sum output now:" &&
+ read sha256 filename &&
+ cd /var/lib/puppet/ssl/ca/requests &&
+ ( [ -e $filename ] || (echo "$filename does not exist."; exit 1) ) &&
+ echo -e "$sha256 $filename" | sha256sum -c &&
+ puppetca --sign $(basename "$filename" .pem) &&
+ echo && echo && echo &&
+ echo 'cat > /var/lib/puppet/ssl/certs/ca.pem << EOF ' &&
cat /var/lib/puppet/ssl/certs/ca.pem &&
echo 'EOF' &&
- echo "cat > /var/lib/puppet/ssl/certs/$client.debian.org.pem << EOF " &&
- cat /var/lib/puppet/ssl/ca/signed/$client.debian.org.pem &&
- echo 'EOF'
+ echo "cat > /var/lib/puppet/ssl/certs/$filename << EOF " &&
+ cat /var/lib/puppet/ssl/ca/signed/$filename &&
+ echo 'EOF' &&
+ cd /
and execute this on the client.
Then run (this will change the configs in /etc):
- : ::client:: && puppetd -w 5 --debug -t
+ : ::client:: && puppetd -t
This run will start puppet after reconfiguring it, so if you are
unhappy with what just happened, you'll need to stop it again to do