diff --git a/Anvil/Tools.pm b/Anvil/Tools.pm index 64ce97a9..1e74af0e 100755 --- a/Anvil/Tools.pm +++ b/Anvil/Tools.pm @@ -768,6 +768,7 @@ sub _set_defaults "alert_sent", "states", ], + failed_connection_log_level => 1, local_lock_active => 0, local_uuid => "", locking_reap_age => 300, diff --git a/Anvil/Tools/Database.pm b/Anvil/Tools/Database.pm index 04c4a700..90e97e6f 100755 --- a/Anvil/Tools/Database.pm +++ b/Anvil/Tools/Database.pm @@ -799,7 +799,8 @@ sub connect { # Didn't ping and 'database::::ping' not set. Record this # in the failed connections array. - $anvil->Log->entry({source => $THIS_FILE, line => __LINE__, level => 1, priority => "alert", key => "log_0063", variables => { + my $debug_level = $anvil->data->{sys}{database}{failed_connection_log_level} ? $anvil->data->{sys}{database}{failed_connection_log_level} : 1; + $anvil->Log->entry({source => $THIS_FILE, line => __LINE__, level => $debug_level, priority => "alert", key => "log_0063", variables => { host => $port ? $host.":".$port : $host, name => $name, uuid => $uuid, diff --git a/anvil.conf b/anvil.conf index 67465976..cf128905 100644 --- a/anvil.conf +++ b/anvil.conf @@ -47,7 +47,7 @@ # # To protect against the potential of using too much disk space, archives are off by default. Under normal # behaviour, old records are simple removed. To enable the archive function, set this to '1'. -#sys::database::archive::save_to_disk = 1 +#sys::database::archive::save_to_disk = 1 # # When archiving to disk is enabled, to protect against large memory use or long archive times in the case # where the number of records to archive are particularly large, the 'division' value is used to break up the 
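Review bot: The new `$debug_level` selection in connect() accepts any true value for `sys::database::failed_connection_log_level`, so a non-numeric or negative string read from anvil.conf is passed straight through as `level =>` to Log->entry, while the fallback `: 1` duplicates the default the Tools.pm hunk already installs. Validating the value keeps the config contract honest without changing the truthy-or-1 behaviour for unset/zero: `my $debug_level = (($anvil->data->{sys}{database}{failed_connection_log_level} // "") =~ /^[1-9]\d*$/) ? $anvil->data->{sys}{database}{failed_connection_log_level} : 1;`. Per the comment above the change the failed connection is still recorded in the failed-connections array, so raising this level hides the alert but not the condition, which is worth a one-line comment here (`# Raising this only silences the alert; the connection is still recorded as failed`). connect()'s body continues outside the hunk.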
@@ -64,16 +64,17 @@ # # NOTE: If the archive directory doesn't exist, Anvil! will create it # automatically the first time it is needed. -#sys::database::archive::compress = 1 -#sys::database::archive::count = 50000 -#sys::database::archive::directory = /usr/local/anvil/archives/ -#sys::database::archive::division = 60000 -#sys::database::archive::trigger = 100000 +#sys::database::archive::compress = 1 +#sys::database::archive::count = 50000 +#sys::database::archive::directory = /usr/local/anvil/archives/ +#sys::database::archive::division = 60000 +#sys::database::archive::trigger = 100000 # This puts a limit on how many queries (writes, generally) to make in a single batch transaction. This is # useful when doing very large transacions, like resync'ing a large table, by limiting how long a given # transaction can take and how much memory is used. -#sys::database::maximum_batch_size = 25000 +#sys::database::maximum_batch_size = 25000 + ### Apache stuff # By default, we try to determine the host type using the host name. The rules used for this can be seen in 
@@ -82,47 +83,54 @@ # the host type of this host only. You will need to set this appropriately on other hosts. # # Normally, you should not need to set this. -#sys::host_type = node +#sys::host_type = node # This configuration file provides a way to override Anvil::Tools' built-in defaults. # This controls the default language. The value is the ISO code of the country's language you want to use by # default. Note that the logging language is set with 'defaults::log::language' below. # NOTE: Be sure the language exists before changing it! -#defaults::languages::output = en_CA +#defaults::languages::output = en_CA # This controls how many loops Anvil::Tools::Words is allow to make while processing a string. This acts as a # mechanism to exit infinite loops, and generally should not need to be changed. -#defaults::limits::string_loops = 1000 +#defaults::limits::string_loops = 1000 + ### Logging options # This controls whether all database transactions are recorded or not. Genreally this should be left off # unless you are debugging the program. # WARNING: This ignores 'secure', and will always be logged. Be careful about exposing sensitive data! -#sys::database::log_transactions = 1 +#sys::database::log_transactions = 1 + +# By default, if a configured database is not accessible, a log level 1 alert is registered. This can cause a +# lot of log traffic. If you want to silence these log alerts, you can set the value below to be higher than +# your current active log level (default is '1', so set to '2' or '3' to silence). +# NOTE: It's important to only use this temporarily. +#sys::database::failed_connection_log_level = 1 # This controls what log facility to use by default. # NOTE: This will always be 'authpriv' when a log entry is marked as secure. -#defaults::log::facility = local0 +#defaults::log::facility = local0 # This controls what language logs are recorded in. Be sure that the language exists before changing it! 
-#defaults::log::language = en_CA +#defaults::log::language = en_CA # This controls the default log level. See 'perldoc Anvil::Tools::Logs' for details. -#defaults::log::level = 1 +#defaults::log::level = 1 # This controls whether sensitive log entries are logged or not. Generally, this should be left disabled! -#defaults::log::secure = 0, +#defaults::log::secure = 0, # THis sets the default log server to send the log entries to. Leave it blank in most cases. -#defaults::log::server = +#defaults::log::server = # This sets the default log tag used when logging an entry. Most programs will likely override this. -#defaults::log::tag = anvil +#defaults::log::tag = anvil ### Templates # This sets the default template used when rendering HTML pages. It must be the same as the directory name # under /var/www/html/skins/ -#defaults::template::html = alteeve +#defaults::template::html = alteeve diff --git a/notes b/notes index 998c2a66..38dd8d32 100644 --- a/notes +++ b/notes 
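Review bot: The re-indented example `#defaults::log::secure = 0,` keeps a trailing comma that anyone uncommenting the line will copy into a live setting; since the commit already touches this line it should become `#defaults::log::secure = 0`. The new `sys::database::failed_connection_log_level` comment tells the reader to raise the value to silence alerts but not that the value must be a positive integer and that the failed connection is still recorded; adding a sentence such as `# The value must be an integer log level; the connection is still recorded as failed either way.` would close that gap.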
@@ -1,3 +1,143 @@ +Firewall config stuff. +==== +---- Files +[root@f28-striker01 zones]# cat /etc/firewalld/zones/BCN1.xml + + + BCN1 + Back-Channel Network #1 - Used for all inter-machine communication in the Anvil!, as well as communication for foundation pack devices. Should be VLAN-isolated from the IFN and, thus, trusted. + + + + + + + + + + +[root@f28-striker01 zones]# cat /etc/firewalld/zones/IFN1.xml + + + IFN1 + Internet/Intranet-Facing Network #1 - Used for all client/user facing traffic. Likely connected to a semi-trusted network only. + + + + + + + + +[root@f28-striker01 zones]# cat /etc/firewalld/zones/SN1.xml + + + SN1 + Storage Network #1 - Used for DRBD communication between nodes and DR hosts. Should be VLAN-isolated from the IFN and, thus, trusted. + + +---- +Reload; +firewall-cmd --reload + +### These are permanent +# Put the interfaces under the appropriate zones. +firewall-cmd --zone=IFN1 --change-interface=ifn1_bond1 +firewall-cmd --zone=BCN1 --change-interface=bcn1_bond1 +firewall-cmd --set-default-zone=IFN1 + +### These are temporary unless --permanent is used +# Allow routing/masq'ing through the IFN +firewall-cmd --zone=IFN1 --add-masquerade + +# Check +firewall-cmd --zone=IFN1 --query-masquerade +yes + +# Disable +# NOTE: Doesn't break existing connections +firewall-cmd --zone=IFN1 --remove-masquerade + + + +- Notes; +firewall-cmd --state [running (rc: 0),not running (rc:252)] + +- Paths +If we want to create services or helpers later, look under - /usr/lib/firewalld/ +Core firewalld configs, including defaults zones, etc - /etc/firewalld/ + +- https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-using-firewalld-on-centos-7 + +* Zones are meant to deal with dynamic environments and aren't that useful in mostly static server environments +** Seem to be pre-configured sets of what is/isn't allowed. 'public' for IFN, 'work' for SN/BCN? 
'external/internal' are for routing +** Configured in /etc/firewalld/zones/.xml - Create 'BCN', 'SN' and 'IFN'? +* Use 'firewall-cmd' WITHOUT '--permanent' for things like enabling the VNC port for a server. Use '--permanent' for everything else. + +==== + + +Striker as PXE server +==== + +dnf install dhcp tftp-server syslinux kernel-core +---- +cat /etc/dhcp/dhcpd.conf +### Global options +option domain-name "alteeve.com"; # domain name +option domain-name-servers 8.8.8.8, 8.8.4.4; # +authoritative; +ddns-update-style none; + +subnet 10.1.0.0 netmask 255.255.0.0 { + default-lease-time 600; + max-lease-time 7200; + range 10.1.14.1 10.1.14.254; + option routers 10.1.4.1; +} +---- + +# NOTE: We DON'T enable DHCP. We'll turn it on as needed. + +systemctl start tftp.socket +systemctl enable tftp.socket + +# Bootloader for BIOS +OS="fedora28" +mkdir /var/lib/tftpboot/ +cp $(anvil source)/pxe/tftpboot/bios/* /var/lib/tftpboot/ + +# Bootloader for UEFI +cp $(anvil source)/pxe/tftpboot/uefi/* /var/lib/tftpboot/uefi/ + +# Copy kernel images for tftpboot downloads +mkdir -p /var/lib/tftpboot/${OS} +cp /lib/modules/$(uname -r)/vmlinuz /var/lib/tftpboot/${OS}/ +mkinitrd /var/lib/tftpboot/${OS}/initrd.img $(uname -r) + +# Configs from anvil source +rsync -av pxe/tftpboot/pxelinux.cfg/default root@f28-striker01:/var/lib/tftpboot/pxelinux.cfg/ +rsync -av pxe/tftpboot/pxelinux/uefi root@f28-striker01:/var/lib/tftpboot/pxelinux/ + +==== + +Forewalld Router config +==== +# Allow routing/masq'ing through the IFN +firewall-cmd --zone=IFN --add-masquerade +success + +# Check +firewall-cmd --zone=IFN --query-masquerade +yes + +# Disable +# NOTE: Doesn't break existing connections +firewall-cmd --zone=IFN --remove-masquerade +success +==== + + DB stuff; Dump; 
@@ -508,4 +648,112 @@ crm_resource --reprobe pcs resource manage srv01-c7 +https://pykickstart.readthedocs.io/en/latest/kickstart-docs.html#chapter-1-introduction + +==== Sample kickstart for Fedora28 netinstall +#version=DEVEL +ignoredisk --only-use=vda +# Partition clearing information +clearpart --none --initlabel +# Use graphical install +graphical +# Use network installation +url --url="http://10.1.4.1/fedora28/x86_64/iso/" +# Keyboard layouts +keyboard --vckeymap=us --xlayouts='us' +# System language +lang en_CA.UTF-8 + +# Network information +network --bootproto=dhcp --device=ens3 --ipv6=auto --activate +network --hostname=localhost.localdomain +# Root password +rootpw --iscrypted $6$fyAht.3wBVlRGgqG$5dqIv2NrBD87uA51fxuoic/t2G93pXPUjVlh27Avg20ZGY409SK8cMVgABswF.krJSVIyoHfIChXNfpP/qTjI1 +# Run the Setup Agent on first boot +firstboot --enable +# Do not configure the X Window System +skipx +# System services +services --enabled="chronyd" +# System timezone +timezone Etc/GMT --isUtc +# System bootloader configuration +bootloader --location=mbr --boot-drive=vda + +%packages +@^server-product-environment + +%end + +%addon com_redhat_kdump --disable --reserve-mb='128' + +%end + +%anaconda +pwpolicy root --minlen=6 --minquality=1 --notstrict --nochanges --notempty +pwpolicy user --minlen=6 --minquality=1 --notstrict --nochanges --emptyok +pwpolicy luks --minlen=6 --minquality=1 --notstrict --nochanges --notempty +%end ==== + +==== M3 Striker Kickstart +# Setion 1 +# Command section – Refer to Chapter 2 for a list of kickstart options. You must include the required options. + + +### NOTE: The %packages, %pre, %pre-install, %post, %onerror, and %traceback sections are all required to be closed with %end +# Section 2 +# The %packages section – Refer to Chapter 3 for details. + + +# Section 3: +# The %pre, %pre-install, %post, %onerror, and %traceback sections – These sections can be in any order and are not required. 
Refer to Chapter 4, Chapter 5, and Chapter 6 for details. +==== + + 0 root@pulsar:/var/lib/libvirt/images# dev_PATH=$(udevadm info /dev/sdb | grep -e ID_PATH=) + 0 root@pulsar:/var/lib/libvirt/images# if [[ $dev_PATH == *"usb"* ]]; then echo "USB drive"; elif [[ $dev_PATH == *"nvme"* ]]; then echo "NVMe drive"; elif [[ $dev_PATH == *"ata"* ]]; then echo "SATA drive"; elif [[ $dev_PATH == *"scsi"* ]]; then echo "SCSI drive"; fi +USB drive + 0 root@pulsar:/var/lib/libvirt/images# dev_PATH=$(udevadm info /dev/sda | grep -e ID_PATH=) + 0 root@pulsar:/var/lib/libvirt/images# if [[ $dev_PATH == *"usb"* ]]; then echo "USB drive"; elif [[ $dev_PATH == *"nvme"* ]]; then echo "NVMe drive"; elif [[ $dev_PATH == *"ata"* ]]; then echo "SATA drive"; elif [[ $dev_PATH == *"scsi"* ]]; then echo "SCSI drive"; fi +SATA drive + 0 root@pulsar:/var/lib/libvirt/images# dev_PATH=$(udevadm info /dev/nvme0n1 | grep -e ID_PATH=) + 0 root@pulsar:/var/lib/libvirt/images# if [[ $dev_PATH == *"usb"* ]]; then echo "USB drive"; elif [[ $dev_PATH == *"nvme"* ]]; then echo "NVMe drive"; elif [[ $dev_PATH == *"ata"* ]]; then echo "SATA drive"; elif [[ $dev_PATH == *"scsi"* ]]; then echo "SCSI drive"; fi +NVMe drive +[root@localhost ~]# dev_PATH=$(udevadm info /dev/sda | grep -e ID_PATH=) +[root@localhost ~]# if [[ $dev_PATH == *"usb"* ]]; then echo "USB drive"; elif [[ $dev_PATH == *"nvme"* ]]; then echo "NVMe drive"; elif [[ $dev_PATH == *"ata"* ]]; then echo "SATA drive"; elif [[ $dev_PATH == *"scsi"* ]]; then echo "SCSI drive"; fi +SCSI drive + + +0 root@pulsar:/var/lib/libvirt/images# cat /sys/class/block/sdb/device/model +Flash Disk + 0 root@pulsar:/var/lib/libvirt/images# cat /sys/class/block/sda/device/model +SanDisk SDSSDXPS + 0 root@pulsar:/var/lib/libvirt/images# cat /sys/class/block/nvme0n1/device/model +INTEL SSDPEKKW512G7 + +### Stuff only NVMe has + 1 root@pulsar:/var/lib/libvirt/images# cat /sys/class/block/nvme0n1/device/subsysnqn +nqn.2014.08.org.nvmexpress:80868086BTPY63650FPG512F 
INTEL SSDPEKKW512G7 + 0 root@pulsar:/var/lib/libvirt/images# cat /sys/class/block/sda/device/subsysnqn +cat: /sys/class/block/sda/device/subsysnqn: No such file or directory + 1 root@pulsar:/var/lib/libvirt/images# cat /sys/class/block/sdb/device/subsysnqn +cat: /sys/class/block/sdb/device/subsysnqn: No such file or directory + + 0 root@pulsar:/var/lib/libvirt/images# cat /sys/class/block/nvme0n1/device/serial +BTPY63650FPG512F + 0 root@pulsar:/var/lib/libvirt/images# cat /sys/class/block/sda/device/serial +cat: /sys/class/block/sda/device/serial: No such file or directory + 1 root@pulsar:/var/lib/libvirt/images# cat /sys/class/block/sdb/device/serial +cat: /sys/class/block/sdb/device/serial: No such file or directory + + 1 root@pulsar:/var/lib/libvirt/images# cat /sys/class/block/nvme0n1/device/transport +pcie + 0 root@pulsar:/var/lib/libvirt/images# cat /sys/class/block/sda/device/transport +cat: /sys/class/block/sda/device/transport: No such file or directory + 1 root@pulsar:/var/lib/libvirt/images# cat /sys/class/block/sdb/device/transport +cat: /sys/class/block/sdb/device/transport: No such file or directory + + + +Disk size: +/sys/class/block/sda/size * diff --git a/pxe/tftpboot/bios/ldlinux.c32 b/pxe/tftpboot/bios/ldlinux.c32 new file mode 100644 index 00000000..36f585b5 Binary files /dev/null and b/pxe/tftpboot/bios/ldlinux.c32 differ diff --git a/pxe/tftpboot/bios/libcom32.c32 b/pxe/tftpboot/bios/libcom32.c32 new file mode 100644 index 00000000..659ae382 Binary files /dev/null and b/pxe/tftpboot/bios/libcom32.c32 differ diff --git a/pxe/tftpboot/bios/libutil.c32 b/pxe/tftpboot/bios/libutil.c32 new file mode 100644 index 00000000..4ef26eab Binary files /dev/null and b/pxe/tftpboot/bios/libutil.c32 differ diff --git a/pxe/tftpboot/bios/pxelinux.0 b/pxe/tftpboot/bios/pxelinux.0 new file mode 100644 index 00000000..d3cc2635 Binary files /dev/null and b/pxe/tftpboot/bios/pxelinux.0 differ 
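Review bot: The sample kickstart added under `==== Sample kickstart for Fedora28 netinstall` commits a real-looking crypted root password (`rootpw --iscrypted $6$…`) into the repository; even a salted SHA-512 crypt of a root password should not live in version control, so the password should be rotated on any host that used it and the line replaced with a placeholder such as `rootpw --iscrypted <HASH>`. The same block also records a lab host's NVMe subsystem NQN and device serial, which are low risk but worth scrubbing for the same reason. The `pwpolicy … --minlen=6 --minquality=1 --notstrict` lines look like anaconda's generated defaults; if this sample becomes the Striker kickstart they should be tightened before it ships.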
diff --git a/pxe/tftpboot/bios/vesamenu.c32 b/pxe/tftpboot/bios/vesamenu.c32 new file mode 100644 index 00000000..56a8103b Binary files /dev/null and b/pxe/tftpboot/bios/vesamenu.c32 differ diff --git a/pxe/tftpboot/pxelinux.cfg/default b/pxe/tftpboot/pxelinux.cfg/default new file mode 100644 index 00000000..20aebb59 --- /dev/null +++ b/pxe/tftpboot/pxelinux.cfg/default @@ -0,0 +1,9 @@ +default vesamenu.c32 +prompt 1 +timeout 600 + +label linux +menu label ^Install Anvil! M3 - Striker +menu default +kernel fedora28/vmlinuz +append initrd=fedora28/initrd.img inst.stage2=http://10.1.4.1/fedora28/x86_64/iso/ ip=dhcp ks=http://10.1.4.1/fedora28/x86_64/kickstart/striker.ks diff --git a/pxe/tftpboot/pxelinux/uefi b/pxe/tftpboot/pxelinux/uefi new file mode 100644 index 00000000..0a7b5856 --- /dev/null +++ b/pxe/tftpboot/pxelinux/uefi @@ -0,0 +1,16 @@ +function load_video { + insmod efi_gop + insmod efi_uga + insmod video_bochs + insmod video_cirrus + insmod all_video +} + +load_video +set gfxpayload=keep +insmod gzio + +menuentry 'Install Anvil! M3 - Striker' --class fedora --class gnu-linux --class gnu --class os { + linuxefi fedora28/vmlinuz ip=dhcp inst.repo=http://10.1.4.1/fedora28/x86_64/iso/ + initrdefi fedora28/initrd.img +} diff --git a/pxe/tftpboot/uefi/grubx64.efi b/pxe/tftpboot/uefi/grubx64.efi new file mode 100755 index 00000000..189c5ced Binary files /dev/null and b/pxe/tftpboot/uefi/grubx64.efi differ diff --git a/pxe/tftpboot/uefi/shim.efi b/pxe/tftpboot/uefi/shim.efi new file mode 100755 index 00000000..73d2e346 Binary files /dev/null and b/pxe/tftpboot/uefi/shim.efi differ diff --git a/rpm/SPECS/anvil.spec b/rpm/SPECS/anvil.spec index a34106b6..34d88209 100644 --- a/rpm/SPECS/anvil.spec +++ b/rpm/SPECS/anvil.spec @@ -3,7 +3,7 @@ %define anvilgroup admin Name: anvil Version: 3.0 -Release: 18%{?dist} +Release: 19%{?dist} Summary: Alteeve Anvil! complete package. License: GPLv2+ 
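Review bot: The `append` line fetches both `inst.stage2` and the `ks=` kickstart from `http://10.1.4.1/...` over unauthenticated HTTP, and that kickstart is what sets the installed host's root credentials, so whoever answers on that network decides what gets installed. The notes in this commit describe the BCN as VLAN-isolated and trusted; a comment in this file stating that the menu must only be served on the BCN, or moving the URLs to `https://` once the Striker web server has a certificate, would make that dependency explicit rather than implicit.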
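Review bot: The UEFI `menuentry` passes only `ip=dhcp inst.repo=…` on the `linuxefi` line and omits the `ks=http://10.1.4.1/fedora28/x86_64/kickstart/striker.ks` argument that the BIOS entry in `pxe/tftpboot/pxelinux.cfg/default` carries, so a UEFI PXE boot drops into an interactive install instead of the unattended Striker kickstart. Unless that is intended, append the same parameter: `linuxefi fedora28/vmlinuz ip=dhcp inst.repo=http://10.1.4.1/fedora28/x86_64/iso/ ks=http://10.1.4.1/fedora28/x86_64/kickstart/striker.ks`. The BIOS entry uses `inst.stage2=` while this one uses `inst.repo=`; both work for a netinstall tree, but using one form in both files avoids the two paths diverging further.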
@@ -63,13 +63,17 @@ Common base libraries required for the Anvil! system. %package striker Summary: Alteeve's Anvil! Striker dashboard package -Requires: httpd Requires: anvil-core +Requires: createrepo +Requires: dhcp +Requires: firefox Requires: httpd +Requires: kernel-core Requires: nmap Requires: perl-CGI Requires: postgresql-server -Requires: firefox +Requires: syslinux +Requires: tftp-server Requires: virt-manager ### Desktop stuff Requires: aajohan-comfortaa-fonts @@ -393,6 +397,11 @@ firewall-cmd --add-service=postgresql --permanent %changelog +* Madison Kelly 3.0-19 +- Added packages to anvil-striker to support PXE server / install target + functions. +- + * Sat Oct 06 2018 Madison Kelly 3.0-18 - Updated the source to resolve a major bug introduced by the code in the .17 release. diff --git a/share/words.xml b/share/words.xml index 25f4ec43..f7617a9d 100644 --- a/share/words.xml +++ b/share/words.xml @@ -275,7 +275,7 @@ The database connection error was: About to query: [#!variable!query!#] Entering method: [#!variable!method!#] Exiting method: [#!variable!method!#] - Firewalld was not running, re-enabling it. If you do not want this behaviour, please set 'sys::daemons::restart_firewalld = 0' in the configuration file for this program (or in 'tools.conf'). + Firewalld was not running, re-enabling it. If you do not want this behaviour, please set 'sys::daemons::restart_firewalld = 0' in: [#!data!path::configs::anvil.conf!#]. Firewalld was not running, and 'sys::daemons::restart_firewalld = 0' is set. NOT starting it. ]]> diff --git a/tools/anvil-daemon b/tools/anvil-daemon index 79e54b6e..1d461364 100755 --- a/tools/anvil-daemon +++ b/tools/anvil-daemon 
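Review bot: The new `%changelog` header `* Madison Kelly 3.0-19` has no date, unlike the 3.0-18 entry below it (`* Sat Oct 06 2018 Madison Kelly 3.0-18`); rpmbuild validates %changelog headers and, as far as I recall, rejects one without a date, so this likely breaks the build rather than only the history. The entry also ends with an empty `-` bullet. Proposed: `* <Day Mon DD YYYY> Madison Kelly 3.0-19` with the placeholder filled in, and drop the trailing `-`.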
@@ -113,6 +113,8 @@ my $check_if_database_is_configured = 0;
 while(1)
 {
 # Reload defaults, re-read the config and then connect to the database(s)
+ $anvil->_set_paths();
+ $anvil->_set_defaults();
 $anvil->Storage->read_config({force_read => 1, file => $anvil->data->{path}{configs}{'anvil.conf'}});
 $anvil->Database->connect({check_if_configured => $check_if_database_is_configured});
 $anvil->Log->entry({source => $THIS_FILE, line => __LINE__, level => 3, secure => 0, key => "log_0132"});
diff --git a/tools/anvil-manage-firewall b/tools/anvil-manage-firewall
new file mode 100755
index 00000000..e48d96a4
--- /dev/null
+++ b/tools/anvil-manage-firewall
@@ -0,0 +1,45 @@
+#!/usr/bin/perl
+#
+# This manages the firewall on the host.
+#
+# Examples;
+#
+#
+# Exit codes;
+# 0 = Normal exit.
+#
+#
+
+use strict;
+use warnings;
+use Anvil::Tools;
+
+# Disable buffering
+$| = 1;
+
+my $THIS_FILE = ($0 =~ /^.*\/(.*)$/)[0];
+my $running_directory = ($0 =~ /^(.*?)\/$THIS_FILE$/)[0];
+if (($running_directory =~ /^\./) && ($ENV{PWD}))
+{
+ $running_directory =~ s/^\./$ENV{PWD}/;
+}
+
+my $anvil = Anvil::Tools->new({log_level => 2, log_secure => 1});
+
+$anvil->Storage->read_config({file => $anvil->data->{path}{configs}{'anvil.conf'}});
+$anvil->Log->entry({source => $THIS_FILE, line => __LINE__, level => 1, secure => 0, key => "log_0115", variables => { program => $THIS_FILE }});
+
+# Read switches
+$anvil->data->{switches}{'y'} = "";
+$anvil->Get->switches;
+
+
+
+# We're done
+$anvil->nice_exit({exit_code => 0});
+
+
+#############################################################################################################
+# Private functions. #
+#############################################################################################################
+
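Review bot: The loop now calls `_set_paths()` and `_set_defaults()` on every iteration, and the Tools.pm hunk in this commit shows `_set_defaults` initialising keys such as `local_lock_active => 0` and `local_uuid => ""` next to the new `failed_connection_log_level`; if the daemon keeps runtime state under those keys between passes (an active lock, for instance) it is wiped before `read_config` runs — worth confirming against Tools.pm, which is outside this hunk. The leading underscore also marks both methods as Anvil::Tools internals, so the daemon is now bound to a private interface; a public method owned by Tools.pm (a `refresh`-style call, or a `reset_defaults => 1` option on `read_config`) would keep that contract in one place. A one-line comment giving the reason for the full reset on each pass (`# Reset defaults so keys removed from anvil.conf do not linger from the previous pass`, if that is the motivation) would help the next reader.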
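Review bot: `Anvil::Tools->new({log_level => 2, log_secure => 1})` enables logging of entries flagged secure for this tool, which appears to correspond to the `defaults::log::secure` setting that the anvil.conf text in this same commit says "should be left disabled"; a firewall-management tool has no evident need to emit sensitive log entries, so `log_secure => 0` (or omitting the key so the configured default applies) is the safer starting point. The script is otherwise a stub: `$anvil->data->{switches}{'y'}` is declared but never read and the `# Examples;` header is empty, so if the skeleton is meant to land first, a `# TODO:` line stating what the tool will do with `-y` would make that explicit. Minor: `$THIS_FILE` is interpolated unescaped into `/^(.*?)\/$THIS_FILE$/`; `\Q$THIS_FILE\E` keeps a regex metacharacter in the program name from breaking the match.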