* Starting work on adding "Install Target" function (will likely rename this, but basic same function as IT in m2).

* Added 'sys::database::failed_connection_log_level' to allow silencing of log messages when a Striker peer database is not available.
* Started updating the .spec for the new release to add supported packages needed for PXE/dhcp/tftpboot.
* Added the tftpboot files to the repo, as pulling them out of the packages and moving them into the right place wasn't justified given the modest size of adding them directly to our source.
* Created the still very very early 'tools/anvil-manage-firewall' tool.

Signed-off-by: Digimer <digimer@alteeve.ca>
main
Digimer 6 years ago
parent 9a4cefe3fb
commit 07c3b405ad
  1. 1
      Anvil/Tools.pm
  2. 3
      Anvil/Tools/Database.pm
  3. 8
      anvil.conf
  4. 248
      notes
  5. BIN
      pxe/tftpboot/bios/ldlinux.c32
  6. BIN
      pxe/tftpboot/bios/libcom32.c32
  7. BIN
      pxe/tftpboot/bios/libutil.c32
  8. BIN
      pxe/tftpboot/bios/pxelinux.0
  9. BIN
      pxe/tftpboot/bios/vesamenu.c32
  10. 9
      pxe/tftpboot/pxelinux.cfg/default
  11. 16
      pxe/tftpboot/pxelinux/uefi
  12. BIN
      pxe/tftpboot/uefi/grubx64.efi
  13. BIN
      pxe/tftpboot/uefi/shim.efi
  14. 15
      rpm/SPECS/anvil.spec
  15. 2
      share/words.xml
  16. 2
      tools/anvil-daemon
  17. 45
      tools/anvil-manage-firewall

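--- a/Anvil/Tools.pm
+++ b/Anvil/Tools.pm
@@ -768,6 +768,7 @@ sub _set_defaults
 "alert_sent",
 "states",
 ],
+failed_connection_log_level => 1,
 local_lock_active => 0,
 local_uuid => "",
 locking_reap_age => 300,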

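--- a/Anvil/Tools/Database.pm
+++ b/Anvil/Tools/Database.pm
@@ -799,7 +799,8 @@ sub connect
 {
 # Didn't ping and 'database::<uuid>::ping' not set. Record this
 # in the failed connections array.
-$anvil->Log->entry({source => $THIS_FILE, line => __LINE__, level => 1, priority => "alert", key => "log_0063", variables => {
+my $debug_level = $anvil->data->{sys}{database}{failed_connection_log_level} ? $anvil->data->{sys}{database}{failed_connection_log_level} : 1;
+$anvil->Log->entry({source => $THIS_FILE, line => __LINE__, level => $debug_level, priority => "alert", key => "log_0063", variables => {
 host => $port ? $host.":".$port : $host,
 name => $name,
 uuid => $uuid,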
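Review bot: The value read from `sys::database::failed_connection_log_level` on the `my $debug_level` line is handed to `level =>` without any check, so a typo in anvil.conf (a non-numeric string, for instance) is passed through as the log level, and a configured `0` is silently replaced by `1` by the truthiness test; how Log->entry treats a non-numeric level is not visible here. Restricting the option to a positive integer keeps the fallback explicit: `my $configured = $anvil->data->{sys}{database}{failed_connection_log_level};` followed by `my $debug_level = (defined $configured && $configured =~ /^\d+$/) ? $configured : 1;`. Since this is where an unreachable peer database is reported, a one-line comment that raising the level hides the alert entirely (it is not rate-limiting) would help the next maintainer. The enclosing `connect` method starts and ends outside the hunk.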

@ -75,6 +75,7 @@
# transaction can take and how much memory is used. # transaction can take and how much memory is used.
#sys::database::maximum_batch_size = 25000 #sys::database::maximum_batch_size = 25000
### Apache stuff ### Apache stuff
# By default, we try to determine the host type using the host name. The rules used for this can be seen in # By default, we try to determine the host type using the host name. The rules used for this can be seen in
# 'perldoc Anvil::Tools::System -> determine_host_type'. If you are using non-standard host names, or for some # 'perldoc Anvil::Tools::System -> determine_host_type'. If you are using non-standard host names, or for some
@ -94,12 +95,19 @@
# mechanism to exit infinite loops, and generally should not need to be changed. # mechanism to exit infinite loops, and generally should not need to be changed.
#defaults::limits::string_loops = 1000 #defaults::limits::string_loops = 1000
### Logging options ### Logging options
# This controls whether all database transactions are recorded or not. Genreally this should be left off # This controls whether all database transactions are recorded or not. Genreally this should be left off
# unless you are debugging the program. # unless you are debugging the program.
# WARNING: This ignores 'secure', and will always be logged. Be careful about exposing sensitive data! # WARNING: This ignores 'secure', and will always be logged. Be careful about exposing sensitive data!
#sys::database::log_transactions = 1 #sys::database::log_transactions = 1
# By default, if a configured database is not accessible, a log level 1 alert is registered. This can cause a
# lot of log traffic. If you want to silence these log alerts, you can set the value below to be higher than
# your current active log level (default is '1', so set to '2' or '3' to silence).
# NOTE: It's important to only use this temporarily.
#sys::database::failed_connection_log_level = 1
# This controls what log facility to use by default. # This controls what log facility to use by default.
# NOTE: This will always be 'authpriv' when a log entry is marked as secure. # NOTE: This will always be 'authpriv' when a log entry is marked as secure.
#defaults::log::facility = local0 #defaults::log::facility = local0

248
notes

@ -1,3 +1,143 @@
Firewall config stuff.
====
---- Files
[root@f28-striker01 zones]# cat /etc/firewalld/zones/BCN1.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>BCN1</short>
<description>Back-Channel Network #1 - Used for all inter-machine communication in the Anvil!, as well as communication for foundation pack devices. Should be VLAN-isolated from the IFN and, thus, trusted.</description>
<service name="ssh"/>
<service name="dhcpv6-client"/>
<service name="cockpit"/>
<service name="postgresql"/>
<service name="http"/>
<service name="https"/>
<port port="80" protocol="tcp"/>
<port port="443" protocol="tcp"/>
</zone>
[root@f28-striker01 zones]# cat /etc/firewalld/zones/IFN1.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>IFN1</short>
<description>Internet/Intranet-Facing Network #1 - Used for all client/user facing traffic. Likely connected to a semi-trusted network only.</description>
<service name="ssh"/>
<service name="postgresql"/>
<service name="http"/>
<service name="https"/>
<port port="80" protocol="tcp"/>
<port port="443" protocol="tcp"/>
</zone>
[root@f28-striker01 zones]# cat /etc/firewalld/zones/SN1.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>SN1</short>
<description>Storage Network #1 - Used for DRBD communication between nodes and DR hosts. Should be VLAN-isolated from the IFN and, thus, trusted.</description>
<service name="ssh"/>
</zone>
----
Reload;
firewall-cmd --reload
### These are permanent
# Put the interfaces under the appropriate zones.
firewall-cmd --zone=IFN1 --change-interface=ifn1_bond1
firewall-cmd --zone=BCN1 --change-interface=bcn1_bond1
firewall-cmd --set-default-zone=IFN1
### These are temporary unless --permanent is used
# Allow routing/masq'ing through the IFN
firewall-cmd --zone=IFN1 --add-masquerade
# Check
firewall-cmd --zone=IFN1 --query-masquerade
yes
# Disable
# NOTE: Doesn't break existing connections
firewall-cmd --zone=IFN1 --remove-masquerade
- Notes;
firewall-cmd --state [running (rc: 0),not running (rc:252)]
- Paths
If we want to create services or helpers later, look under - /usr/lib/firewalld/
Core firewalld configs, including defaults zones, etc - /etc/firewalld/
- https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-using-firewalld-on-centos-7
* Zones are meant to deal with dynamic environments and aren't that useful in mostly static server environments
** Seem to be pre-configured sets of what is/isn't allowed. 'public' for IFN, 'work' for SN/BCN? 'external/internal' are for routing
** Configured in /etc/firewalld/zones/<zone>.xml - Create 'BCN', 'SN' and 'IFN'?
* Use 'firewall-cmd' WITHOUT '--permanent' for things like enabling the VNC port for a server. Use '--permanent' for everything else.
====
Striker as PXE server
====
dnf install dhcp tftp-server syslinux kernel-core
----
cat /etc/dhcp/dhcpd.conf
### Global options
option domain-name "alteeve.com"; # domain name
option domain-name-servers 8.8.8.8, 8.8.4.4; #
authoritative;
ddns-update-style none;
subnet 10.1.0.0 netmask 255.255.0.0 {
default-lease-time 600;
max-lease-time 7200;
range 10.1.14.1 10.1.14.254;
option routers 10.1.4.1;
}
----
# NOTE: We DON'T enable DHCP. We'll turn it on as needed.
systemctl start tftp.socket
systemctl enable tftp.socket
# Bootloader for BIOS
OS="fedora28"
mkdir /var/lib/tftpboot/
cp $(anvil source)/pxe/tftpboot/bios/* /var/lib/tftpboot/
# Bootloader for UEFI
cp $(anvil source)/pxe/tftpboot/uefi/* /var/lib/tftpboot/uefi/
# Copy kernel images for tftpboot downloads
mkdir -p /var/lib/tftpboot/${OS}
cp /lib/modules/$(uname -r)/vmlinuz /var/lib/tftpboot/${OS}/
mkinitrd /var/lib/tftpboot/${OS}/initrd.img $(uname -r)
# Configs from anvil source
rsync -av pxe/tftpboot/pxelinux.cfg/default root@f28-striker01:/var/lib/tftpboot/pxelinux.cfg/
rsync -av pxe/tftpboot/pxelinux/uefi root@f28-striker01:/var/lib/tftpboot/pxelinux/
====
Forewalld Router config
====
# Allow routing/masq'ing through the IFN
firewall-cmd --zone=IFN --add-masquerade
success
# Check
firewall-cmd --zone=IFN --query-masquerade
yes
# Disable
# NOTE: Doesn't break existing connections
firewall-cmd --zone=IFN --remove-masquerade
success
====
DB stuff; DB stuff;
Dump; Dump;
@ -508,4 +648,112 @@ crm_resource --reprobe
pcs resource manage srv01-c7 pcs resource manage srv01-c7
https://pykickstart.readthedocs.io/en/latest/kickstart-docs.html#chapter-1-introduction
==== Sample kickstart for Fedora28 netinstall
#version=DEVEL
ignoredisk --only-use=vda
# Partition clearing information
clearpart --none --initlabel
# Use graphical install
graphical
# Use network installation
url --url="http://10.1.4.1/fedora28/x86_64/iso/"
# Keyboard layouts
keyboard --vckeymap=us --xlayouts='us'
# System language
lang en_CA.UTF-8
# Network information
network --bootproto=dhcp --device=ens3 --ipv6=auto --activate
network --hostname=localhost.localdomain
# Root password
rootpw --iscrypted $6$fyAht.3wBVlRGgqG$5dqIv2NrBD87uA51fxuoic/t2G93pXPUjVlh27Avg20ZGY409SK8cMVgABswF.krJSVIyoHfIChXNfpP/qTjI1
# Run the Setup Agent on first boot
firstboot --enable
# Do not configure the X Window System
skipx
# System services
services --enabled="chronyd"
# System timezone
timezone Etc/GMT --isUtc
# System bootloader configuration
bootloader --location=mbr --boot-drive=vda
%packages
@^server-product-environment
%end
%addon com_redhat_kdump --disable --reserve-mb='128'
%end
%anaconda
pwpolicy root --minlen=6 --minquality=1 --notstrict --nochanges --notempty
pwpolicy user --minlen=6 --minquality=1 --notstrict --nochanges --emptyok
pwpolicy luks --minlen=6 --minquality=1 --notstrict --nochanges --notempty
%end
==== ====
==== M3 Striker Kickstart
# Setion 1
# Command section – Refer to Chapter 2 for a list of kickstart options. You must include the required options.
### NOTE: The %packages, %pre, %pre-install, %post, %onerror, and %traceback sections are all required to be closed with %end
# Section 2
# The %packages section – Refer to Chapter 3 for details.
# Section 3:
# The %pre, %pre-install, %post, %onerror, and %traceback sections – These sections can be in any order and are not required. Refer to Chapter 4, Chapter 5, and Chapter 6 for details.
====
0 root@pulsar:/var/lib/libvirt/images# dev_PATH=$(udevadm info /dev/sdb | grep -e ID_PATH=)
0 root@pulsar:/var/lib/libvirt/images# if [[ $dev_PATH == *"usb"* ]]; then echo "USB drive"; elif [[ $dev_PATH == *"nvme"* ]]; then echo "NVMe drive"; elif [[ $dev_PATH == *"ata"* ]]; then echo "SATA drive"; elif [[ $dev_PATH == *"scsi"* ]]; then echo "SCSI drive"; fi
USB drive
0 root@pulsar:/var/lib/libvirt/images# dev_PATH=$(udevadm info /dev/sda | grep -e ID_PATH=)
0 root@pulsar:/var/lib/libvirt/images# if [[ $dev_PATH == *"usb"* ]]; then echo "USB drive"; elif [[ $dev_PATH == *"nvme"* ]]; then echo "NVMe drive"; elif [[ $dev_PATH == *"ata"* ]]; then echo "SATA drive"; elif [[ $dev_PATH == *"scsi"* ]]; then echo "SCSI drive"; fi
SATA drive
0 root@pulsar:/var/lib/libvirt/images# dev_PATH=$(udevadm info /dev/nvme0n1 | grep -e ID_PATH=)
0 root@pulsar:/var/lib/libvirt/images# if [[ $dev_PATH == *"usb"* ]]; then echo "USB drive"; elif [[ $dev_PATH == *"nvme"* ]]; then echo "NVMe drive"; elif [[ $dev_PATH == *"ata"* ]]; then echo "SATA drive"; elif [[ $dev_PATH == *"scsi"* ]]; then echo "SCSI drive"; fi
NVMe drive
[root@localhost ~]# dev_PATH=$(udevadm info /dev/sda | grep -e ID_PATH=)
[root@localhost ~]# if [[ $dev_PATH == *"usb"* ]]; then echo "USB drive"; elif [[ $dev_PATH == *"nvme"* ]]; then echo "NVMe drive"; elif [[ $dev_PATH == *"ata"* ]]; then echo "SATA drive"; elif [[ $dev_PATH == *"scsi"* ]]; then echo "SCSI drive"; fi
SCSI drive
0 root@pulsar:/var/lib/libvirt/images# cat /sys/class/block/sdb/device/model
Flash Disk
0 root@pulsar:/var/lib/libvirt/images# cat /sys/class/block/sda/device/model
SanDisk SDSSDXPS
0 root@pulsar:/var/lib/libvirt/images# cat /sys/class/block/nvme0n1/device/model
INTEL SSDPEKKW512G7
### Stuff only NVMe has
1 root@pulsar:/var/lib/libvirt/images# cat /sys/class/block/nvme0n1/device/subsysnqn
nqn.2014.08.org.nvmexpress:80868086BTPY63650FPG512F INTEL SSDPEKKW512G7
0 root@pulsar:/var/lib/libvirt/images# cat /sys/class/block/sda/device/subsysnqn
cat: /sys/class/block/sda/device/subsysnqn: No such file or directory
1 root@pulsar:/var/lib/libvirt/images# cat /sys/class/block/sdb/device/subsysnqn
cat: /sys/class/block/sdb/device/subsysnqn: No such file or directory
0 root@pulsar:/var/lib/libvirt/images# cat /sys/class/block/nvme0n1/device/serial
BTPY63650FPG512F
0 root@pulsar:/var/lib/libvirt/images# cat /sys/class/block/sda/device/serial
cat: /sys/class/block/sda/device/serial: No such file or directory
1 root@pulsar:/var/lib/libvirt/images# cat /sys/class/block/sdb/device/serial
cat: /sys/class/block/sdb/device/serial: No such file or directory
1 root@pulsar:/var/lib/libvirt/images# cat /sys/class/block/nvme0n1/device/transport
pcie
0 root@pulsar:/var/lib/libvirt/images# cat /sys/class/block/sda/device/transport
cat: /sys/class/block/sda/device/transport: No such file or directory
1 root@pulsar:/var/lib/libvirt/images# cat /sys/class/block/sdb/device/transport
cat: /sys/class/block/sdb/device/transport: No such file or directory
Disk size:
/sys/class/block/sda/size * <block size>
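Review bot: The sample kickstart in the second hunk commits a `rootpw --iscrypted` line carrying what may be a real SHA-512 crypt hash into the repository, where it stays in history permanently and, per the pxelinux config added in this commit, would be served over plain HTTP as `striker.ks`. Even if it is a throwaway hash, replace it in the notes with a placeholder such as `rootpw --iscrypted <HASH-PLACEHOLDER>` and, if the corresponding password was ever used on a real host, change that password. The same applies to whatever later turns these notes into a shipped kickstart.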

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

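--- a/pxe/tftpboot/pxelinux.cfg/default
+++ b/pxe/tftpboot/pxelinux.cfg/default
@@ -0,0 +1,9 @@
+default vesamenu.c32
+prompt 1
+timeout 600
+label linux
+menu label ^Install Anvil! M3 - Striker
+menu default
+kernel fedora28/vmlinuz
+append initrd=fedora28/initrd.img inst.stage2=http://10.1.4.1/fedora28/x86_64/iso/ ip=dhcp ks=http://10.1.4.1/fedora28/x86_64/kickstart/striker.ks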
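Review bot: The `inst.stage2=` and `ks=` arguments on the `append` line fetch the installer image and the kickstart over plain HTTP from a hard-coded 10.1.4.1, with `ip=dhcp` on the same line, so the integrity of a freshly installed Striker rests entirely on the PXE-serving segment being the isolated BCN the notes describe; nothing in this boot path verifies what it downloads. The same hard-coded address appears in `pxe/tftpboot/pxelinux/uefi`. Until the address is filled in at install time, a comment at the top of the file would make the assumption explicit: `# Site-specific: 10.1.4.1 is the Striker serving PXE. Serve this only on the isolated BCN; stage2 and the kickstart are fetched over unauthenticated HTTP.`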

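--- a/pxe/tftpboot/pxelinux/uefi
+++ b/pxe/tftpboot/pxelinux/uefi
@@ -0,0 +1,16 @@
+function load_video {
+insmod efi_gop
+insmod efi_uga
+insmod video_bochs
+insmod video_cirrus
+insmod all_video
+}
+load_video
+set gfxpayload=keep
+insmod gzio
+menuentry 'Install Anvil! M3 - Striker' --class fedora --class gnu-linux --class gnu --class os {
+linuxefi fedora28/vmlinuz ip=dhcp inst.repo=http://10.1.4.1/fedora28/x86_64/iso/
+initrdefi fedora28/initrd.img
+}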
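Review bot: The UEFI menu entry's `linuxefi` line passes `inst.repo=` and no `ks=` argument, whereas the BIOS entry in `pxe/tftpboot/pxelinux.cfg/default` passes `inst.stage2=` plus `ks=.../striker.ks`, so a UEFI PXE boot gets an interactive install rather than the kickstarted one. If the two paths are meant to be equivalent, the line should read `linuxefi fedora28/vmlinuz ip=dhcp inst.stage2=http://10.1.4.1/fedora28/x86_64/iso/ ks=http://10.1.4.1/fedora28/x86_64/kickstart/striker.ks`; if the difference is intentional, a comment above the `menuentry` saying why would save the next reader the comparison.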

Binary file not shown.

Binary file not shown.

@ -3,7 +3,7 @@
%define anvilgroup admin %define anvilgroup admin
Name: anvil Name: anvil
Version: 3.0 Version: 3.0
Release: 18%{?dist} Release: 19%{?dist}
Summary: Alteeve Anvil! complete package. Summary: Alteeve Anvil! complete package.
License: GPLv2+ License: GPLv2+
@ -63,13 +63,17 @@ Common base libraries required for the Anvil! system.
%package striker %package striker
Summary: Alteeve's Anvil! Striker dashboard package Summary: Alteeve's Anvil! Striker dashboard package
Requires: httpd
Requires: anvil-core Requires: anvil-core
Requires: createrepo
Requires: dhcp
Requires: firefox
Requires: httpd Requires: httpd
Requires: kernel-core
Requires: nmap Requires: nmap
Requires: perl-CGI Requires: perl-CGI
Requires: postgresql-server Requires: postgresql-server
Requires: firefox Requires: syslinux
Requires: tftp-server
Requires: virt-manager Requires: virt-manager
### Desktop stuff ### Desktop stuff
Requires: aajohan-comfortaa-fonts Requires: aajohan-comfortaa-fonts
@ -393,6 +397,11 @@ firewall-cmd --add-service=postgresql --permanent
%changelog %changelog
* Madison Kelly <mkelly@alteeve.ca> 3.0-19
- Added packages to anvil-striker to support PXE server / install target
functions.
-
* Sat Oct 06 2018 Madison Kelly <mkelly@alteeve.ca> 3.0-18 * Sat Oct 06 2018 Madison Kelly <mkelly@alteeve.ca> 3.0-18
- Updated the source to resolve a major bug introduced by the code in the .17 - Updated the source to resolve a major bug introduced by the code in the .17
release. release.
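Review bot: The new `%changelog` entry `* Madison Kelly <mkelly@alteeve.ca> 3.0-19` has no date, and the stray `-` line after it is an empty bullet; rpmbuild reports "bad date in %changelog" for a header that does not begin with one, so this breaks the build of 3.0-19. Match the existing entry's form, `* <DAY MON DD YYYY> Madison Kelly <mkelly@alteeve.ca> 3.0-19` with the real date filled in, and drop the empty `-` line. Separately, the second hunk now installs `dhcp` and `tftp-server` on every Striker while the notes say the DHCP service is deliberately left disabled; a short comment next to those `Requires:` lines recording that these services are not to be enabled by default would keep that decision from being lost.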

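--- a/share/words.xml
+++ b/share/words.xml
@@ -275,7 +275,7 @@ The database connection error was:
 <key name="log_0124">About to query: [#!variable!query!#]</key>
 <key name="log_0125">Entering method: [#!variable!method!#]</key>
 <key name="log_0126">Exiting method: [#!variable!method!#]</key>
-<key name="log_0127">Firewalld was not running, re-enabling it. If you do not want this behaviour, please set 'sys::daemons::restart_firewalld = 0' in the configuration file for this program (or in 'tools.conf').</key>
+<key name="log_0127">Firewalld was not running, re-enabling it. If you do not want this behaviour, please set 'sys::daemons::restart_firewalld = 0' in: [#!data!path::configs::anvil.conf!#].</key>
 <key name="log_0128">Firewalld was not running, and 'sys::daemons::restart_firewalld = 0' is set. NOT starting it.</key>
 <key name="log_0129"><![CDATA[<all>]]></key> <!-- Used when logging DB writes to all DBs -->
 <key name="log_0130"><![CDATA[[ Error ] - The method: [#!variable!method!#] was called and the parameter: [#!variable!parameter!#] was passed an invalid UUID: [#!variable!uuid!#].]]></key>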

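--- a/tools/anvil-daemon
+++ b/tools/anvil-daemon
@@ -113,6 +113,8 @@ my $check_if_database_is_configured = 0;
 while(1)
 {
 # Reload defaults, re-read the config and then connect to the database(s)
+$anvil->_set_paths();
+$anvil->_set_defaults();
 $anvil->Storage->read_config({force_read => 1, file => $anvil->data->{path}{configs}{'anvil.conf'}});
 $anvil->Database->connect({check_if_configured => $check_if_database_is_configured});
 $anvil->Log->entry({source => $THIS_FILE, line => __LINE__, level => 3, secure => 0, key => "log_0132"});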
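Review bot: The two added lines call `_set_paths()` and `_set_defaults()`, underscore-prefixed methods of Anvil::Tools that are private by convention, from outside the module, and `_set_defaults()` re-initialises the defaults under `$anvil->data` on every pass of the loop; if anything else in the daemon keeps runtime state under those keys it will be lost each iteration (not visible in this hunk). A public method on Anvil::Tools that wraps the paths/defaults/read_config sequence would document the intent and keep the daemon off the module's private interface, e.g. a single `$anvil->reload_config();` call here in place of the first three lines (name to be chosen). The loop body continues outside the hunk.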

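--- a/tools/anvil-manage-firewall
+++ b/tools/anvil-manage-firewall
@@ -0,0 +1,45 @@
+#!/usr/bin/perl
+#
+# This manages the firewall on the host.
+#
+# Examples;
+#
+#
+# Exit codes;
+# 0 = Normal exit.
+#
+#
+use strict;
+use warnings;
+use Anvil::Tools;
+# Disable buffering
+$| = 1;
+my $THIS_FILE = ($0 =~ /^.*\/(.*)$/)[0];
+my $running_directory = ($0 =~ /^(.*?)\/$THIS_FILE$/)[0];
+if (($running_directory =~ /^\./) && ($ENV{PWD}))
+{
+$running_directory =~ s/^\./$ENV{PWD}/;
+}
+my $anvil = Anvil::Tools->new({log_level => 2, log_secure => 1});
+$anvil->Storage->read_config({file => $anvil->data->{path}{configs}{'anvil.conf'}});
+$anvil->Log->entry({source => $THIS_FILE, line => __LINE__, level => 1, secure => 0, key => "log_0115", variables => { program => $THIS_FILE }});
+# Read switches
+$anvil->data->{switches}{'y'} = "";
+$anvil->Get->switches;
+# We're done
+$anvil->nice_exit({exit_code => 0});
+#############################################################################################################
+# Private functions. #
+#############################################################################################################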
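Review bot: `$THIS_FILE` is interpolated unescaped into the regex on the `my $running_directory` line, and both captures are undefined when the script is started by bare name through PATH (no `/` in `$0`), after which the `=~ /^\./` test raises an uninitialized-value warning. Quote the interpolated name and give both variables a fallback: `my $THIS_FILE = ($0 =~ /^.*\/(.*)$/)[0] || $0;` and `my $running_directory = ($0 =~ /^(.*?)\/\Q$THIS_FILE\E$/)[0] || ".";`. The `switches{'y'}` key is set but never read and the `Examples;` block in the header is empty; since this tool will be changing firewalld rules, stating in the header what `-y` is meant to skip before the logic lands would be worth the few lines.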