#!/bin/bash # -------------------------------------------------------------------------- # # Copyright 2002-2019, OpenNebula Project, OpenNebula Systems # # # # Licensed under the Apache License, Version 2.0 (the "License"); you may # # not use this file except in compliance with the License. You may obtain # # a copy of the License at # # # # http://www.apache.org/licenses/LICENSE-2.0 # # # # Unless required by applicable law or agreed to in writing, software # # distributed under the License is distributed on an "AS IS" BASIS, # # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # # See the License for the specific language governing permissions and # # limitations under the License. # #--------------------------------------------------------------------------- # # default parameters values VERSION='5.8' FORCE='no' VERBOSE='no' ASK='yes' PASSWORD=$(< /dev/urandom tr -dc A-Za-z0-9 | head -c10) SSH_PUBKEY="" BRIDGE_INTERFACE='minionebr' NAT_INTERFACE='' VNET_ADDRESS='172.16.100.0' VNET_NETMASK='255.255.255.0' VNET_GATEWAY='172.16.100.1' VNET_AR_IP_START='172.16.100.2' VNET_AR_IP_COUNT='100' MARKET_APP_NAME='CentOS 7 - KVM' VM_PASSWORD='opennebula' LXD='no' SUNSTONE_PORT='80' NODE='yes' NETWORKING='yes' DELETE_ONEADMIN='yes' e() { SPACE_NUM=$(( 35+${#2}-${#1} )) printf "%s %${SPACE_NUM}s\n" "$1" "$2" } usage() { e "-h --help" "List of supported arguments" e "-v --verbose" "Be verbose" e "-f --force" "Skip non-fatal validation errors" e "--yes" "Don't ask" e "" e "--lxd" "Setup host to run LXD containers" e "--frontend" "Install only frontend, skip node setup," e "" "no networking configuration" e "" e "--password [random generated]" "Initial password for oneadmin" e "--ssh-pubkey [~/.ssh/id_rsa.pub]" "User ssh public key" e "--vm-password [${VM_PASSWORD}]" "Root password for virtual machine" e "--sunstone-port [${SUNSTONE_PORT}]" "Setup sunstone port" e "--marketapp-name [CentOS 7 - KVM]" "Name of Marketplace appliance to import" e "" e "--bridge-interface [${BRIDGE_INTERFACE}]" "Bridge interface for private networking" e "--nat-interface [first net device]" "Interface to configure for NAT" e "--vnet-address [${VNET_ADDRESS}]" "Virtual Network address" e "--vnet-netmask [${VNET_NETMASK}]" "Virtual Network netmask" e "--vnet-gateway [${VNET_GATEWAY}]" "Virtual Network gateway (i.e. bridge IP)" e "--vnet-ar-ip-start [${VNET_AR_IP_START}]" "Virtual Network AR start IP" e "--vnet-ar-ip-count [100]" "Virtual Network AR size" e "" e "--purge" "Only uninstall and exit" e "--preserve-user" "Dont't delete oneadmin user when purge" } #------------------------------------------------------------------------------- # COMMAND LINE PARSING #------------------------------------------------------------------------------- PARAMETERS=$(cat </dev/null) LIBVIRTD='libvirtd' ONE_WAIT_TIMEOUT=60 STAR_NET='' ONE_SERVICES='opennebula opennebula-sunstone opennebula-flow opennebula-gate' while true ; do case "$1" in -v|--verbose) VERBOSE="yes"; shift;; -f|--force) FORCE="yes"; shift;; --help) usage; exit 0;; --yes) ASK="no"; shift;; --frontend) NODE="no"; NETWORKING="no"; shift;; --version) VERSION="$2" ; shift 2;; --ssh-pubkey) SSH_PUBKEY="$2" ; shift 2;; --password) PASSWORD="$2" ; shift 2;; --bridge-interface) BRIDGE_INTERFACE="$2" ; shift 2;; --nat-interface) NAT_INTERFACE="$2" ; shift 2;; --vnet-address) VNET_ADDRESS="$2" ; shift 2;; --vnet-netmask) VNET_NETMASK="$2" ; shift 2;; --vnet-gateway) VNET_GATEWAY="$2" ; shift 2;; --vnet-ar-ip-start) VNET_AR_IP_START="$2" ; shift 2;; --vnet-ar-ip-count) VNET_AR_IP_COUNT="$2" ; shift 2;; --marketapp-name) MARKET_APP_NAME="$2" ; shift 2;; --vm-password-name) VM_PASSWORD="$2" ; shift 2;; --lxd) LXD="yes"; shift;; --sunstone-port) SUNSTONE_PORT="$2"; shift 2;; --purge) PURGE="yes"; shift;; --preserve-user) DELETE_ONEADMIN="no"; shift;; --) shift ; break ;; *) usage; exit 1 ;; esac done # Don't ask if there is no TTY on stdin [[ ! -t 0 ]] && ASK='no' #------------------------------------------------------------------------------- # Helpers and detection functions #------------------------------------------------------------------------------- title() { echo "" echo "### $*" } interface_exists() { local DEV=$1 ip link show dev "$DEV" >/dev/null } get_interface_name() { DEV=$(ip route | grep default | awk '{print $5}' 2>/dev/null) if [[ -z "${DEV}" ]]; then DEV=$(ip addr|grep '^[0-9]'|awk -F": " '{print $2}'|head -2|tail -1 2>/dev/null) fi echo "$DEV" } get_my_ip() { DEV=$(get_interface_name) IP=$(ip addr show dev "${DEV}" | grep inet | head -1 | awk '{print $2}') echo "${IP//\/[0-9]*/}" } get_distname_and_version() { local DIST local VER if type lsb_release >/dev/null 2>&1; then DIST=$(lsb_release -si 2>/dev/null) VER=$(lsb_release -sr 2>/dev/null) elif [ -f /etc/redhat-release ]; then DIST=$(cut -d ' ' -f1 < /etc/redhat-release) VER=$(sed -e 's/[^0-9\.]*//g' < /etc/redhat-release) elif [ -f /etc/os-release ]; then DIST=$(grep ^NAME= /etc/os-release | cut -d\" -f2) DIST=${DIST% Linux} VER=$(grep ^VERSION_ID= /etc/os-release | cut -d\" -f2) elif [ -f /etc/lsb-release ]; then DIST=$(grep ^DISTRIB_ID= /etc/lsb-release | cut -d= -f2) VER=$(grep ^DISTRIB_RELEASE= /etc/lsb-release | cut -d= -f2) elif [ -f /etc/debian_version ]; then DIST='Debian' VER=$(cat /etc/debian_version) elif [ -f /etc/SuSe-release ]; then DIST='SuSe' fi [[ "${DIST}" =~ CentOS|RedHat|Debian ]] && VER=$(echo "$VER" | cut -c1) echo "${DIST} ${VER}" } get_first_ssh_key() { shopt -s nullglob for K in "$HOME"/.ssh/*.pub; do echo "$K" return 0 done shopt -u nullglob return 1 } mask2cidr() { local X=${1##*255.} set -- 0^^^128^192^224^240^248^252^254^ $(( (${#1} - ${#X})*2 )) "${X%%.*}" X=${1%%$3*} echo $(( $2 + (${#X}/4) )) } yes_no() { read -r ANS while [[ "${ANS}" != yes && "${ANS}" != no ]]; do echo 'yes or no?' read -r ANS done [[ $ANS = no ]] && exit 0 } red() { echo -e "\e[31m${1}\e[0m"; } green() { echo -e "\e[32m${1}\e[0m"; } orange() { echo -e "\e[33m${1}\e[0m"; } check() { local COMMAND=$1 local TEXT=$2 local TRIES=${3:-1} local ON_FAIL=$4 local STDERR_TMP_FILE local STDOUT_TMP_FILE local RC=1 STDERR_TMP_FILE=$(mktemp) STDOUT_TMP_FILE=$(mktemp) [[ ${VERBOSE} = 'yes' ]] && echo -ne "${TEXT} " I=1 while [[ $I -le $TRIES && $RC -gt 0 ]]; do eval "${COMMAND}" 2>"${STDERR_TMP_FILE}" >"${STDOUT_TMP_FILE}" RC=$? if [ $RC -gt 0 ]; then [ "$ON_FAIL" = "" ] && echo -ne "retry $I " sleep 1 fi I=$((I + 1)) done STDERR=$(cat "$STDERR_TMP_FILE") STDOUT=$(cat "$STDOUT_TMP_FILE") unlink "${STDERR_TMP_FILE}" unlink "${STDOUT_TMP_FILE}" if [[ ${RC} = '0' ]]; then [[ ${VERBOSE} = 'yes' ]] && green "OK" return ${RC} else [[ ${VERBOSE} = 'no' ]] && echo -ne "${TEXT} " if [[ "$ON_FAIL" =~ "SKIP" ]]; then orange "${ON_FAIL}" return ${RC} elif [[ ${FORCE} = 'no' && -n "${ON_FAIL}" ]]; then red "FAILED" echo 'Consider running with "--force" to override' exit 1 elif [[ ${FORCE} = 'yes' && "${ON_FAIL}" =~ "IGNORE" ]]; then orange "${ON_FAIL}" return ${RC} else red "FAILED" if [[ -n "${ON_FAIL}" && ! "${ON_FAIL}" =~ "IGNORE" ]]; then echo "${ON_FAIL}" fi echo "${STDOUT}" if [[ -n "${STDERR}" ]]; then echo "--- STDERR ---" echo "${STDERR}" echo "--------------" fi exit 1 fi fi } run_and_print_if_failed() { eval "$@" >/dev/null local RC=$? local MSG=$* [ ! $RC -eq 0 ] && echo "$MSG" return $RC } centos() { [[ "$DISTNAME" =~ CentOS|RedHat ]] } redhat() { [[ "$DISTNAME" =~ RedHat ]] } debian() { [[ "$DISTNAME" =~ Ubuntu|Debian ]] } firewalld_running() { systemctl -q is-active firewalld } netplan() { [[ ! -s /run/network/ifstate && $(type netplan 2>/dev/null) ]] } kvm() { [[ $NODE == yes && $LXD == no ]] } lxd() { [[ $NODE == yes && $LXD == yes ]] } node() { [[ $NODE == yes ]] } networking() { [[ $NETWORKING == yes ]] } supported_dist_ver() { local DIST_VER_MATCH=$1 if [[ ! "${DISTNAME}${DISTVER} ${VERSION}" =~ $DIST_VER_MATCH ]]; then echo "\"${DISTNAME}${DISTVER} ${VERSION}\" not in ${DIST_VER_MATCH:2:-2}" >&2 return 2 fi } repo_exists() { if [[ ! "$DISTNAME" =~ CentOS|Ubuntu|Debian ]]; then echo "Currently only CentOS, Ubuntu or Debian are supported" >&2 return 1 else URL="${REPO_URL}/${VERSION}/${DISTNAME}/${DISTVER}" if type curl >/dev/null 2>&1; then run_and_print_if_failed "curl -f -s -S $URL" elif type wget >/dev/null 2>&1; then wget "$URL" else echo "Missing curl/wget to check repository" >&2 return 2 fi fi } disk_free() { local LIMIT=$1 local WHERE=$2 read -r AVAIL TARGET <<<"$(df -BG --output=avail,target "$WHERE" | tail -1)" AVAIL=${AVAIL%G} if [[ "${AVAIL}" -lt "${LIMIT}" ]]; then echo "Insufficient disk space, expected at least ${LIMIT}G on" \ "\"${TARGET}\" filesystem" return 1 fi } #------------------------------------------------------------------------------- # Install functions #------------------------------------------------------------------------------- disable_selinux() { setenforce 0 >/dev/null || return 1 sed -ie 's/^SELINUX=.*$/SELINUX=disabled/' /etc/sysconfig/selinux >/dev/null 2>&1 } modify_apparmor() { if ! grep '/var/lib/one/datastores' /etc/apparmor.d/abstractions/libvirt-qemu >/dev/null 2>&1; then echo ' /var/lib/one/datastores/** rwk,' >> /etc/apparmor.d/abstractions/libvirt-qemu systemctl reload apparmor else if [[ "$1" = 'purge' ]]; then sed -i '/\/var\/lib\/one\/datastores/d' /etc/apparmor.d/abstractions/libvirt-qemu > /dev/null 2>&1 fi fi } install() { if centos; then run_and_print_if_failed "yum -y install $*" elif debian; then export DEBIAN_FRONTEND=noninteractive run_and_print_if_failed "apt-get -q -y install $*" RC=$? unset DEBIAN_FRONTEND return $RC fi } create_bridge() { if centos; then if [[ $1 = purge ]]; then rm -f /etc/sysconfig/network-scripts/ifcfg-minionebr ip link set down dev "${BRIDGE_INTERFACE}" || true brctl delbr "${BRIDGE_INTERFACE}" || true else cat > /etc/sysconfig/network-scripts/ifcfg-minionebr<< EOF DEVICE=${BRIDGE_INTERFACE} TYPE=Bridge IPADDR=${VNET_GATEWAY} NETMASK=${VNET_NETMASK} ONBOOT=yes BOOTPROTO=none IPV6INIT=NO IPV6_AUTOCONF=no NM_CONTROLLED=no EOF fi elif debian; then if netplan; then if [[ $1 = purge ]]; then rm -f /etc/systemd/network/minionebr-nic.netdev rm -f /etc/netplan/minione.yaml ip link delete minionebr-nic || true ip link set down dev "${BRIDGE_INTERFACE}" || true brctl delbr "${BRIDGE_INTERFACE}" || true else cat > /etc/systemd/network/minionebr-nic.netdev<< EOF [NetDev] Name=minionebr-nic Kind=dummy EOF cat > /etc/netplan/minione.yaml<< EOF network: version: 2 renderer: networkd ethernets: minionebr-nic: {} bridges: minionebr: addresses: [ ${VNET_GATEWAY}/${NETMASK_BITS} ] interfaces: [ minionebr-nic ] EOF fi else if [[ $1 = purge ]]; then rm -f /etc/network/interfaces.d/tap.cfg rm -f /etc/network/interfaces.d/minionebr.cfg ip link set down dev "${BRIDGE_INTERFACE}" || true brctl delbr "${BRIDGE_INTERFACE}" || true else brctl addbr "${BRIDGE_INTERFACE}" || return 1 mkdir /etc/network/interfaces.d 2>/dev/null cat > /etc/network/interfaces.d/tap.cfg<< EOF iface tap0 inet manual pre-up ip tuntap add tap0 mode tap user root EOF cat > /etc/network/interfaces.d/minionebr.cfg<< EOF auto minionebr iface minionebr inet static address ${VNET_GATEWAY} network ${VNET_ADDRESS} netmask ${VNET_NETMASK} bridge_stp off bridge_fd 0 bridge_maxwait 0 bridge_ports tap0 EOF # add source for interfaces.d/*.cfg if missing FILE='/etc/network/interfaces' if grep -qE -e "^ *source */etc/network/interfaces.d/\*\.cfg" -e "^ *source-directory /etc/network/interfaces.d" $FILE ; then true # already present else echo 'source /etc/network/interfaces.d/*.cfg' >> $FILE fi fi fi fi } ifup_bridge() { if netplan; then netplan apply else debian && ifup tap0 ifup "${BRIDGE_INTERFACE}" fi } disable_invalid_net_cfg() { # This is mainly to hack-around packet vanila Centos images # containig ifcfg- file for non-existing device cd /etc/sysconfig/network-scripts || return 1 ip link >/dev/null || return 1 CHANGED='' for FILE in ifcfg-*; do # skip interfaces disabled "on boot" if grep -q -i '^ONBOOT=["'\'']no' "$FILE"; then continue fi # get interface name from configuration or filename IFACE=$(awk -F= 'toupper($1) ~ /(DEVICE|NAME)/ { gsub("['\''\"]", "", $2); print $2; exit }' "${FILE}") IFACE=${IFACE:-${FILE##ifcfg-}} # if interface does not exist, disable configuration if ! ip link show "${IFACE}" >/dev/null 2>&1; then CHANGED=yes mv "${FILE}" disabled-"${FILE}" fi done if [ -n "${CHANGED}" ] && systemctl is-failed network.service >/dev/null 2>&1; then ifdown ifcfg-* || : systemctl restart network.service || return 1 fi cd - ||: } disable_firewalld() { systemctl stop firewalld >/dev/null && \ systemctl disable firewalld >/dev/null } configure_nat() { ACTION='-A' [[ $1 = 'purge' ]] && ACTION='-D' IPTABLES_COMMAND=$(cat << EOF iptables --table nat $ACTION POSTROUTING \ -s ${VNET_ADDRESS}/${NETMASK_BITS} \ ! -d ${VNET_ADDRESS}/${NETMASK_BITS} -j MASQUERADE EOF ) run_and_print_if_failed "$IPTABLES_COMMAND" } start_dnsmasq() { if [[ $1 = 'purge' ]]; then if [[ -f /etc/dnsmasq.conf.bk ]]; then mv /etc/dnsmasq.conf.bk /etc/dnsmasq.conf else rm -f /etc/dnsmasq.conf systemct stop dnsmasq fi else cp /etc/dnsmasq.conf /etc/dnsmasq.conf.bk 2>/dev/null cat << EOT > /etc/dnsmasq.conf || return 1 interface=${BRIDGE_INTERFACE},lo bind-interfaces EOT systemctl start dnsmasq fi } configure_repos() { if centos; then if [[ $1 = 'purge' ]]; then rm -f /etc/yum.repos.d/opennebula.repo else cat << EOT > /etc/yum.repos.d/opennebula.repo [opennebula] name=opennebula baseurl=https://downloads.opennebula.org/repo/${VERSION}/${DISTNAME}/${DISTVER}/x86_64 enabled=1 gpgkey=https://downloads.opennebula.org/repo/repo.key gpgcheck=1 EOT fi elif debian; then if [[ $1 = 'purge' ]]; then rm -f /etc/apt/sources.list.d/opennebula.list else ( wget -q -O- https://downloads.opennebula.org/repo/repo.key | \ apt-key add - >/dev/null ) || return 1 echo "deb https://downloads.opennebula.org/repo/${VERSION}/${DISTNAME}/${DISTVER} stable opennebula" \ > /etc/apt/sources.list.d/opennebula.list || return 1 fi fi } enable_rhel_extra_repos() { subscription-manager repos --enable rhel-7-server-optional-rpms && \ subscription-manager repos --enable rhel-7-server-extras-rpms >/dev/null } enable_epel() { if redhat; then rpm -ivh 'https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm' elif centos ; then install "epel-release" fi } install_opennebula_pkgs() { if centos; then install "opennebula-server opennebula-sunstone opennebula-ruby "\ "opennebula-gate opennebula-flow" || return 1 elif debian; then install "opennebula opennebula-sunstone opennebula-gate "\ "opennebula-flow" || return 1 fi systemctl daemon-reload } install_ruby_gems() { centos && { install redhat-lsb || return 1 gem install bundler --version '<2.0' >/dev/null || return 1 } OUT=$(mktemp) export DEBIAN_FRONTEND=noninteractive /usr/share/one/install_gems --yes > "$OUT" unset DEBIAN_FRONTEND RC=$? grep 'Could not' <"$OUT" >&2 return $RC } install_opennebula_kvm_pkgs() { if centos; then install opennebula-node-kvm || return 1 if redhat; then subscription-manager repos --enable \ rhel-7-server-rhv-4-mgmt-agent-rpms || return 1 install qemu-kvm-rhev || return 1 else run_and_print_if_failed \ "yum --quiet -y update centos-release" install centos-release-qemu-ev qemu-kvm-ev || return 1 fi elif debian; then install opennebula-node fi } install_opennebula_lxd_pkgs() { install lxd || return 1 systemctl start lxd.socket || return 1 install opennebula-node-lxd || return 1 } uninstall_opennebula_pkgs() { if centos; then yum --quiet -y remove opennebula-node-kvm opennebula-server \ opennebula-sunstone opennebula-ruby opennebula-gate \ opennebula-flow opennebula-common systemctl restart ${LIBVIRTD} || true if redhat; then yum --quiet -y remove qemu-kvm-rhev || true else yum --quiet -y remove qemu-kvm-ev >/dev/null || true fi elif debian; then apt-get purge -q -y opennebula-node opennebula \ opennebula-sunstone opennebula-gate opennebula-flow \ opennebula-common >/dev/null service ${LIBVIRTD} restart || true fi } # Initialize some usefull vars NETMASK_BITS=$(mask2cidr "${VNET_NETMASK}") read -r DISTNAME DISTVER <<<"$(get_distname_and_version)" [[ "${DISTNAME}${DISTVER}" =~ Ubuntu16.04|Ubuntu18.04 ]] && LIBVIRTD="libvirt-bin" #------------------------------------------------------------------------------- # Uninstall #------------------------------------------------------------------------------- purge() { echo "Really uninstall? [yes/no]:" [[ "${ASK}" = 'yes' ]] && yes_no FORCE='yes' title "Uninstalling" check "systemctl stop opennebula opennebula-sunstone" "Stopping OpenNebula" 1 "SKIP" [[ "${ENABLED_APPARMOR}" = 'yes' ]] && check "modify_apparmor" "Restoring AppArmor" check "uninstall_opennebula_pkgs" "Uninstalling OpenNebula packages" 1 "SKIP" check "start_dnsmasq purge" "Stopping DNSMasq" 1 "SKIP" check "configure_repos purge" "Unconfiguring repositories" check "configure_nat purge" "Unconfiguring NAT using iptables" 1 "SKIP" check "create_bridge purge" "Deleting bridge interface ${BRIDGE_INTERFACE}" check "rm -rf /etc/one $HOME/.one >/dev/null" "Deleting /etc/one" if [[ "${DELETE_ONEADMIN}" = 'yes' ]]; then check "userdel -r -f oneadmin>/dev/null" "Deleting oneadmin user" 1 "SKIP" check "rm -rf /var/lib/one >/dev/null" "Deleting /var/lib/one" fi } if [[ $PURGE = 'yes' ]]; then VERBOSE='yes' purge exit 0 fi clean() { [[ -d /var/lib/one/.one ]] && check \ 'rm -rf /var/lib/one/.one.old; mv /var/lib/one/.one /var/lib/one/.one.old' \ 'Move old oneadmin auth-dir away' [[ -f /var/lib/one/one.db ]] && check \ 'mv /var/lib/one/one.db /var/lib/one/one.db.old' \ "Move old db away" } #------------------------------------------------------------------------------- # Checks & detection #------------------------------------------------------------------------------- title "Checks & detection" # check Opennebula veriosn & distribution & version check "supported_dist_ver \"$SUPPORTED_MAP\"" \ "Checking distribution and version [${DISTNAME} ${DISTVER} ${VERSION}]" \ 1 "IGNORED Will try to install if repository exists" # check if repository exists check "repo_exists" "Checking if OpenNebula repository exists" 3 # check if lxd is available for given distribution and version lxd && check "supported_dist_ver \"$SUPPORTED_LXD_MAP\"" \ "Checking LXD support for given version" # check cpu flgas for virtualizaton capabilities kvm && { check 'grep flags /proc/cpuinfo | grep vmx\\\|svm > /dev/null' \ "Checking cpu virtualization capabilities" 1 \ "SKIP QEMU will be used" || USE_QEMU='yes'; } # check available disk space on /var check 'disk_free 20 /var' 'Checking free disk space' 1 'IGNORE' # check if given interface exists networking && { if [[ -n "${NAT_INTERFACE}" ]]; then check "interface_exists ${NAT_INTERFACE}" \ "Checking [${NAT_INTERFACE}] net device exists" else NAT_INTERFACE=$(get_interface_name) check "[[ -n \"${NAT_INTERFACE}\" ]]" \ "Checking local interface [${NAT_INTERFACE}]" fi } # check existing directories from previous installation check "[[ ! -e /etc/one && ! -e /var/lib/one ]]" \ "Checking directories from previous installation" 1 \ "IGNORED will be cleaned" || CLEAN='yes' # check existing user from previous installation check "! id oneadmin >/dev/null" \ "Checking user from previous installation" 1 "IGNORE" # check if sshd service is running check "service sshd status >/dev/null" \ "Checking sshd service is running" # check if we have bridge-utils networking && { check "type brctl >/dev/null 2>&1" "Checking bridge-utils are installed" 1 \ "SKIP will try to install" || MISSING_PKGS='bridge-utils' } # check if we have apt-transport-https if debian; then check "dpkg -L apt-transport-https >/dev/null 2>&1" \ "Checking apt-transport-https is installed" 1 \ "SKIP will try to install" || \ MISSING_PKGS="${MISSING_PKGS} apt-transport-https" fi # check if gnupg is installed (required for apt-key add) if debian; then check "dpkg -L gnupg >/dev/null 2>&1" \ "Checking if gnupg is installed" 1 \ "SKIP will try to install" || \ MISSING_PKGS="${MISSING_PKGS} gnupg" fi networking && { # check if we have iptables-persistent netfilter-persistent if debian; then check "dpkg -l iptables-persistent netfilter-persistent > /dev/null" \ "Checking (iptables|netfilter)-persistent are installed" 1 \ "SKIP will try to install" || \ MISSING_PKGS="${MISSING_PKGS} iptables-persistent netfilter-persistent" fi #check if birdge iface is not already present check "! interface_exists ${BRIDGE_INTERFACE}" \ "Checking $BRIDGE_INTERFACE interface is not present" 1 "IGNORED" # check if given virtual network is already in routing table check "! ip route show ${VNET_ADDRESS}/${NETMASK_BITS} | grep dev >/dev/null" \ "Checking virtual network ${VNET_ADDRESS}/${NETMASK_BITS} is not routed" } # Check SELinux or AppArmor SELINUX=$(getenforce 2>/dev/null) centos && { check "[[ ! \"${SELINUX}\" = 'Enforcing' ]]" \ "Checking SELinux" 1 "SKIP will try to disable" || DISABLE_SELINUX='yes'; } debian && { check "! aa-status >/dev/null 2>&1" \ "Checking AppArmor" 1 "SKIP will try to modify" || ENABLED_APPARMOR='yes'; } # check for given ssh key if [[ -n "${SSH_PUBKEY}" ]]; then check "[[ -f \"${SSH_PUBKEY}\" ]]" \ "Checking ssh pub key ${SSH_PUBKEY} exists" # or take the first founc, or generate else SSH_PUBKEY=$(get_first_ssh_key) if ! check "[[ -f \"${SSH_PUBKEY}\" ]]" "Checking for present ssh key" 1 \ "SKIP" ; then if [[ ! -d "$HOME/.ssh" ]]; then mkdir "$HOME/.ssh/"; chmod 0700 "$HOME/.ssh/"; fi check "ssh-keygen -t rsa -P \"\" -f $HOME/.ssh/id_rsa >/dev/null"\ "Generating ssh keypair in $HOME/.ssh/id_rsa" SSH_PUBKEY="$HOME/.ssh/id_rsa.pub" fi fi node && { # check if the requested app name exists on market place if type curl >/dev/null 2>&1; then check "curl -s -H \"${JSON_HEADERS}\" ${APPS_URL} \ | grep '\"name\":\"${MARKET_APP_NAME}\"' >/dev/null" \ "Checking presence of the market app: \"$MARKET_APP_NAME\"" 3 "Not found" elif type wget > /dev/null 2>&1; then check "wget --quiet -O - --header \"${JSON_HEADERS}\" ${APPS_URL} \ | grep '\"name\":\"${MARKET_APP_NAME}\"' >/dev/null" \ "Checking presence of the market app: \"$MARKET_APP_NAME\"" 3 "Not found" else # Always fail, but continue with info when --force was given check "false" "Missing curl/wget to check market app" 1 "IGNORE Can't check" fi } #------------------------------------------------------------------------------- # Pre-installation report #------------------------------------------------------------------------------- title "Main deployment steps:" [[ "${CLEAN}" = yes ]] && echo "Clean oneadmin home" [[ "${DISABLE_SELINUX}" = yes ]] && echo "Disable SELinux" [[ -n "${MISSING_PKGS}" ]] && echo "Install ${MISSING_PKGS}" node && { centos && firewalld_running && echo "Disable_firewalld" echo "Configure bridge ${BRIDGE_INTERFACE} with IP ${VNET_GATEWAY}/${NETMASK_BITS}" echo "Enable NAT over ${NAT_INTERFACE}" [[ "${ENABLED_APPARMOR}" = yes ]] && echo "Modify AppArmor" echo "Install OpenNebula node version ${VERSION}" } echo "Using ssh public key ${SSH_PUBKEY}" echo "Install OpenNebula frontend version ${VERSION}" echo "" echo "Do you agree? [yes/no]:" [[ "${ASK}" = 'yes' ]] && yes_no title "Installation" VERBOSE='yes' [[ "${CLEAN}" = yes ]] && clean debian && check "apt-get -q -y update >/dev/null" "Updating APT cache" [[ "${DISABLE_SELINUX}" = 'yes' ]] && check "disable_selinux" "Disabling SELinux" [[ -n "${MISSING_PKGS}" ]] && check "install ${MISSING_PKGS}" "Install ${MISSING_PKGS}" 3 networking && { centos && check "disable_invalid_net_cfg" "Rename invalid network configs" check "create_bridge" "Creating bridge interface ${BRIDGE_INTERFACE}" check "ifup_bridge" "Bring bridge interfaces up" centos && firewalld_running && check "disable_firewalld" "Disabling firewalld" [[ "$FORWARD" = 0 ]] && check "sysctl -w net.ipv4.ip_forward=1 >/dev/null" "Enabling IPv4 forward" check "configure_nat" "Configuring NAT using iptables" centos && check "iptables-save > /etc/sysconfig/iptables" "Saving iptables changes" debian && check "netfilter-persistent save" "Saving iptables changes" check "install dnsmasq" "Installing DNSMasq" 3 check "start_dnsmasq" "Starting DNSMasq" } check "configure_repos" "Configuring repositories" debian && check "apt-get -q -y update >/dev/null" "Updating APT cache" redhat && check "enable_rhel_extra_repos" "Enabling RHEL 7 extra & opt repositories" centos && check "enable_epel" "Installing EPEL" check "install_opennebula_pkgs" "Installing OpenNebula packages" 3 if [[ ! -L /usr/share/one/gems ]]; then check "install_ruby_gems" "Installing Ruby gems" 3 fi if kvm; then check "install_opennebula_kvm_pkgs" "Installing OpenNebula node packages" 3 elif lxd; then check "install_opennebula_lxd_pkgs" "Installing OpenNebula node packages" 3 fi if node; then [[ "${ENABLED_APPARMOR}" = 'yes' ]] && check "modify_apparmor" "Updating AppArmor" check "rm -f /etc/libvirt/qemu/networks/autostart/default.xml" \ "Disable default libvirtd networking" check "service ${LIBVIRTD} restart" "Restart libvirtd" fi #------------------------------------------------------------------------------- # Configuration #------------------------------------------------------------------------------- conf_change() { local KEY=$1 local VALUE=$2 if [ -z "$3" ]; then local CONF='/etc/one/oned.conf' else local CONF=$3 fi sed -i -e "s/^${KEY}/${VALUE}/" "${CONF}" >/dev/null } switch_to_qemu() { LINE_NUM=$(grep -n '^VM_MAD =' -A 10 /etc/one/oned.conf | \ grep -E '^[0-9]+-\s*TYPE' | grep kvm | awk -F- '{print $1}') sed -i "${LINE_NUM}s/kvm/qemu/" /etc/one/oned.conf } set_init_password() { [[ ! -d $HOME/.one ]] && { mkdir "$HOME"/.one || return 1; } echo "oneadmin:$PASSWORD" > "$HOME"/.one/one_auth || return 1 echo "oneadmin:$PASSWORD" > /var/lib/one/.one/one_auth } set_sunstone_port() { local PORT=$1 conf_change ":port: 9869" ":port: $PORT" /etc/one/sunstone-server.conf if [[ $PORT -lt 1024 ]]; then RUBY=$(readlink -f /usr/bin/ruby) setcap 'cap_net_bind_service=+ep' "$RUBY" fi } one_is_ready() { for I in $(seq $ONE_WAIT_TIMEOUT); do onehost list > /dev/null 2>&1 && return 0 sleep 1 done echo "OpenNebula did not start within the timeout" >&2 return 1 } deny_ssh_from_vnet() { STAR_NET=${VNET_ADDRESS} # 172.16.0.0 ~> 172.16.*.*, but 10.0.1.0~> 10.0.1.* for I in 1 2 3 4; do # shellcheck disable=SC2001 STAR_NET=$(echo "${STAR_NET}" |sed -e 's/\(.*\)\.0\([0\.\*]*\)$/\1.*\2/') done if grep -v "DenyUsers ${STAR_NET}" /etc/ssh/sshd_config >/dev/null; then echo "" >> /etc/ssh/sshd_config echo "DenyUsers ${STAR_NET}" >> /etc/ssh/sshd_config fi systemctl restart sshd } add_keys_to_known_hosts() { su oneadmin -c 'ssh-keyscan -H localhost > ~/.ssh/known_hosts' || return 1 HOSTNAME=$(hostname) su oneadmin -c "ssh-keyscan -H ${HOSTNAME} >> ~/.ssh/known_hosts" || return 1 FQDN=$(hostname -f 2>/dev/null) if [[ -n "$FQDN" && "$HOSTNAME" != "${FQDN}" ]]; then su oneadmin -c "ssh-keyscan -H ${FQDN} >> ~/.ssh/known_hosts" || return 1 fi } test_ssh_connection() { sudo -u oneadmin ssh localhost true /dev/null || return 1 } add_ssh_keys_to_oneadmin() { local TMP_FILE TMP_FILE=$(mktemp) || return 1 # put current template to the tempfile oneuser show 0 | \ sed '/USER TEMPLATE/,/VMS USAGE/!d;//d' > "${TMP_FILE}" ONEADMIN_OS_USER_KEY=$(cat /var/lib/one/.ssh/id*pub 2>/dev/null) SSH_PUBKEY_CONTENT=$(cat "${SSH_PUBKEY}" 2>/dev/null) cat >> "${TMP_FILE}"<< EOF SSH_PUBLIC_KEY="${ONEADMIN_OS_USER_KEY} ${SSH_PUBKEY_CONTENT}" EOF oneuser update 0 "${TMP_FILE}" || return 1 rm "${TMP_FILE}" } update_ssh_configs() { # allow VM addresses to be re-used touch /var/lib/one/.ssh/config || return 1 grep -q "Host ${STAR_NET}" /var/lib/one/.ssh/config || { cat >> /var/lib/one/.ssh/config << EOF || return 1 Host ${STAR_NET} StrictHostKeyChecking no UserKnownHostsFile=/dev/null EOF chown oneadmin:oneadmin /var/lib/one/.ssh/config || return 1 chmod 0600 /var/lib/one/.ssh/config || return 1 } touch ~/.ssh/config || return 1 grep -q "Host ${STAR_NET}" ~/.ssh/config || { cat >> ~/.ssh/config << EOF || return 1 Host ${STAR_NET} StrictHostKeyChecking no UserKnownHostsFile=/dev/null EOF chmod 0600 ~/.ssh/config } } title "Configuration" check "conf_change \"\#ONEGATE_ENDPOINT = .*\" \"ONEGATE_ENDPOINT = \\\"http:\/\/${VNET_GATEWAY}:5030\\\"\""\ "Switching OneGate endpoint in oned.conf" check "conf_change \":host: .*\" \":host: ${VNET_GATEWAY}\" \"/etc/one/onegate-server.conf\""\ "Switching OneGate endpoint in onegate-server.conf" check "conf_change \"SCHED_INTERVAL = .*\" \"SCHED_INTERVAL = 10\" \"/etc/one/sched.conf\""\ "Switching scheduler interval to 10sec" lxd && check "conf_change \"\s*:command: \\/bin\\/login\" \" :command: \\/bin\\/bash\" \"/var/lib/one/remotes/etc/vmm/lxd/lxdrc\""\ "Switching VNC command to /bin/bash in lxdrc" lxd && check "conf_change \"\s*:command => '\\/bin\\/login'\" \" :command => '\\/bin\\/bash'\" \"/var/lib/one/remotes/vmm/lxd/opennebula_vm.rb\""\ "Switching VNC command to /bin/bash in opennebula_vm.rb" [[ ${USE_QEMU} = 'yes' ]] && check "switch_to_qemu" "Switching to QEMU emulation" check "set_init_password" "Setting initial password for current user and oneadmin" [[ ${SUNSTONE_PORT} != 9869 ]] && check "set_sunstone_port ${SUNSTONE_PORT}"\ "Changing WebUI to listen on port ${SUNSTONE_PORT}" check "systemctl start $ONE_SERVICES" \ "Starting OpenNebula services" check "systemctl enable $ONE_SERVICES" \ "Enabling OpenNebula servcies" check "one_is_ready" "Checking OpenNebula is working" check "deny_ssh_from_vnet" "Disabling ssh from virtual network" check "add_keys_to_known_hosts" "Adding localhost ssh key to known_hosts" check "test_ssh_connection" "Testing ssh connection to localhost" check "add_ssh_keys_to_oneadmin" "Add ssh key to oneadmin user" check "update_ssh_configs" "Update ssh configs to allow VM addresses reusig" #------------------------------------------------------------------------------- # Bootstrap #------------------------------------------------------------------------------- onecli_cmd_tmpl() { local COMMAND=$1 local DATA=$2 local TMP_FILE TMP_FILE=$(mktemp) || return 1 cat > "${TMP_FILE}"<< EOF ${DATA} EOF $COMMAND "$TMP_FILE" RC=$? rm "${TMP_FILE}" return ${RC} } update_datastores() { TEMPLATE=$(cat << EOF EOF ) onecli_cmd_tmpl "onedatastore update 0" "${TEMPLATE}" >/dev/null ||return 1 onecli_cmd_tmpl "onedatastore update 1" "${TEMPLATE}" >/dev/null } create_vnet() { SIZE=$((VNET_AR_IP_COUNT - 1)) TEMPLATE=$(cat << EOF NAME = "vnet" BRIDGE = "${BRIDGE_INTERFACE}" DNS = "${VNET_GATEWAY}" GATEWAY = "${VNET_GATEWAY}" PHYDEV = "" SECURITY_GROUPS = "0" VN_MAD = "fw" AR = [ IP = ${VNET_AR_IP_START}, SIZE = ${SIZE}, TYPE = IP4 ] EOF ) onecli_cmd_tmpl "onevnet create" "${TEMPLATE}" >/dev/null 2>&1 } poll_for_marketplace() { APP_COUNT=$(onemarketapp list | wc -l) for I in $(seq 30); do sleep 5 NEW_APP_COUNT=$(onemarketapp list | wc -l) if [[ "${NEW_APP_COUNT}" = "${APP_COUNT}" && "${APP_COUNT}" -gt 20 ]]; then return 0 fi APP_COUNT=${NEW_APP_COUNT} done return 1 } export_marketapp() { poll_for_marketplace ID=$(onemarketapp list --filter NAME="${MARKET_APP_NAME}" \ --csv | tail -1 | awk -F, '{print $1}') || return 1 # onemarketapp always return 0 and prints to STDOUT OUT=$(mktemp) onemarketapp export "${ID}" "${MARKET_APP_NAME}" --datastore 1 > "$OUT" IMG_LIST=$(oneimage list --csv) if [ "$IMG_LIST" = "" ]; then cat "$OUT" >&2 return 1 fi } update_template() { local TMP_FILE TMP_FILE=$(mktemp) 2>/dev/null || return 1 # Add root password, report_ready and token setting to context onetemplate show 0 | grep CONTEXT -A1000 \ | sed -e "s/CONTEXT=\[/CONTEXT=[ PASSWORD=\"${VM_PASSWORD}\",/" \ | sed -e "s/CONTEXT=\[/CONTEXT=[ REPORT_READY=\"YES\",/" \ | sed -e "s/CONTEXT=\[/CONTEXT=[ TOKEN=\"YES\",/" \ > "${TMP_FILE}" # Add network echo 'NIC=[ NETWORK="vnet", NETWORK_UNAME="oneadmin", SECURITY_GROUPS="0" ]' >> "${TMP_FILE}" # Add LXD_SECURITY_PRIVILEGED="true" lxd && echo 'LXD_SECURITY_PRIVILEGED="true"' >> "${TMP_FILE}" onetemplate update 0 "${TMP_FILE}" >/dev/null RC=$? rm "${TMP_FILE}" return ${RC} } check "update_datastores" "Updating datastores, TM_MAD=qcow2, SHARED=yes" kvm && check "onehost create -i kvm -v kvm localhost >/dev/null 2>&1" \ "Creating KVM host" lxd && check "onehost create -i lxd -v lxd localhost >/dev/null 2>&1" \ "Creating LXD host" check "create_vnet" "Creating virtual network" check "export_marketapp" \ "Exporting [${MARKET_APP_NAME}] from Marketplace to local datastore" check "update_template" "Updating template" #------------------------------------------------------------------------------- # Report #------------------------------------------------------------------------------- [[ $SUNSTONE_PORT != 80 ]] && PORT_STR=":$SUNSTONE_PORT" title 'Report' echo "OpenNebula ${VERSION} was installed" echo "Sunstone (the webui) is runninng on:" echo " http://$(get_my_ip)${PORT_STR}/" echo "Use following to login:" echo " user: oneadmin" echo " password: ${PASSWORD}"