#!/bin/bash # -------------------------------------------------------------------------- # # Copyright 2002-2019, OpenNebula Project, OpenNebula Systems # # # # Licensed under the Apache License, Version 2.0 (the "License"); you may # # not use this file except in compliance with the License. You may obtain # # a copy of the License at # # # # http://www.apache.org/licenses/LICENSE-2.0 # # # # Unless required by applicable law or agreed to in writing, software # # distributed under the License is distributed on an "AS IS" BASIS, # # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # # See the License for the specific language governing permissions and # # limitations under the License. # #--------------------------------------------------------------------------- # # default parameters values VERSION='5.8' FORCE='no' VERBOSE='no' ASK='yes' PASSWORD=$(< /dev/urandom tr -dc A-Za-z0-9 | head -c10) SSH_PUBKEY="" BRIDGE_INTERFACE='minionebr' NAT_INTERFACE='' VNET_ADDRESS='172.16.100.0' VNET_NETMASK='255.255.255.0' VNET_GATEWAY='172.16.100.1' VNET_AR_IP_START='172.16.100.1' VNET_AR_IP_COUNT='100' MARKET_APP_NAME='CentOS 7 - KVM' VM_PASSWORD='opennebula' LXD='no' SUNSTONE_PORT='80' PURGE_ONLY='no' usage() { echo "-h --help List of supported arguments" echo "--version [$VERSION] Specify OpenNebula version" echo "-f --force Skip non-fatal validation errors" echo " (e.g., traces of existing inst.)" echo "-v --verbose Be verbose" echo "--yes Don't ask" echo "--password [random generated] Initial password for oneadmin" echo "--ssh-pubkey [~/.ssh/id_rsa.pub] User ssh public key" echo "--bridge-interface [${BRIDGE_INTERFACE}] Bridge interface for private networking" echo "--nat-interface [first net device] Interface to configure for NAT" echo "--vnet-address [${VNET_ADDRESS}] Virtual Network address" echo "--vnet-netmask [${VNET_NETMASK}] Virtual Network netmask" echo "--vnet-gateway [${VNET_GATEWAY}] Virtual Network gateway (i.e. bridge IP)" echo "--vnet-ar-ip-start [${VNET_AR_IP_START}] Virtual Network AR start IP" echo "--vnet-ar-ip-count [100] Virtual Network AR size" echo "--marketapp-name [CentOS 7 - KVM] Name of Marketplace appliance to import" echo "--vm-password [${VM_PASSWORD}] Root password for virtual machine" echo "--lxd Setup host to run LXD containers" echo "--sunstone-port [${SUNSTONE_PORT}] Setup sunstone port" echo "--purge Only uninstall and exit" } #------------------------------------------------------------------------------- # COMMAND LINE PARSING #------------------------------------------------------------------------------- PARAMETERS='help,version:,force,verbose,yes,password:,ssh-pubkey:,\ bridge-interface:,nat-interface:,vnet-address:,vnet-netmask:,\ vnet-gateway:,vnet-ar-ip-start:,vnet-ar-ip-count:,marketapp-name:,\ vm-password,lxd,sunstone-port:,purge' OPTS=`getopt -o "hvf" -l "$PARAMETERS" -n 'minione' -- "$@"` if [ $? != 0 ] ; then usage exit 1 fi eval set -- "$OPTS" # global vars SUPPORTED_MAP='^(CentOS7 5.6|CentOS7 5.8|Debian9 5.8|Ubuntu16.04 5.8|Ubuntu18.04 5.8|Ubuntu18.10 5.8)$' SUPPORTED_LXD_MAP='^(Ubuntu18.04 5.8|Ubuntu18.10 5.8)$' PURGE='no' DISABLE_SELINUX='no' ENABLED_APPARMOR='no' MISSING_PKGS='' USE_QEMU='no' APPS_URL='https://marketplace.opennebula.systems/appliance' REPO_URL='https://downloads.opennebula.org/repo' JSON_HEADERS='Accept: application/json' FORWARD=$(sysctl -n net.ipv4.ip_forward 2>/dev/null) LIBVIRTD='libvirtd' ONE_WAIT_TIMEOUT=60 STAR_NET='' while true ; do case "$1" in -v|--verbose) VERBOSE="yes"; shift;; -f|--force) FORCE="yes"; shift;; --help) usage; exit 0;; --yes) ASK="no"; shift;; --version) VERSION="$2" ; shift 2;; --ssh-pubkey) SSH_PUBKEY="$2" ; shift 2;; --password) PASSWORD="$2" ; shift 2;; --bridge-interface) BRIDGE_INTERFACE="$2" ; shift 2;; --nat-interface) NAT_INTERFACE="$2" ; shift 2;; --vnet-address) VNET_ADDRESS="$2" ; shift 2;; --vnet-netmask) VNET_NETMASK="$2" ; shift 2;; --vnet-gateway) VNET_GATEWAY="$2" ; shift 2;; --vnet-ar-ip-start) VNET_AR_IP_START="$2" ; shift 2;; --vnet-ar-ip-count) VNET_AR_IP_COUNT="$2" ; shift 2;; --marketapp-name) MARKET_APP_NAME="$2" ; shift 2;; --vm-password-name) VM_PASSWORD="$2" ; shift 2;; --lxd) LXD="yes"; shift;; --sunstone-port) SUNSTONE_PORT="$2"; shift 2;; --purge) PURGE_ONLY="yes"; PURGE="yes"; shift;; --) shift ; break ;; *) usage; exit 1 ;; esac done # Don't ask if there is no TTY on stdin [[ ! -t 0 ]] && ASK='no' #------------------------------------------------------------------------------- # Helpers and detection functions #------------------------------------------------------------------------------- title() { echo "" echo "### $@" } interface_exists() { local DEV=$1 ip link show dev $DEV >/dev/null } get_interface_name() { DEV=$(ip route | grep default | awk '{print $5}' 2>/dev/null) if [[ -z "${DEV}" ]]; then DEV=$(ip addr|grep '^[0-9]'|awk -F": " '{print $2}'|head -2|tail -1 2>/dev/null) fi echo "$DEV" } get_my_ip() { DEV=$(get_interface_name) IP=$(ip addr show dev ${DEV} | grep inet | head -1 | awk '{print $2}') echo ${IP//\/[0-9]*/} } get_distname_and_version() { local DIST local VER if type lsb_release >/dev/null 2>&1; then DIST=$(lsb_release -si 2>/dev/null) VER=$(lsb_release -sr 2>/dev/null) elif [ -f /etc/redhat-release ]; then DIST=$(cat /etc/redhat-release | cut -d ' ' -f1) VER=$(cat /etc/redhat-release | sed -e 's/[^0-9\.]*//g') elif [ -f /etc/os-release ]; then DIST=$(grep ^NAME= /etc/os-release | cut -d\" -f2) DIST=${DIST% Linux} VER=$(grep ^VERSION_ID= /etc/os-release | cut -d\" -f2) elif [ -f /etc/lsb-release ]; then DIST=$(grep ^DISTRIB_ID= /etc/lsb-release | cut -d= -f2) VER=$(grep ^DISTRIB_RELEASE= /etc/lsb-release | cut -d= -f2) elif [ -f /etc/debian_version ]; then DIST='Debian' VER=$(cat /etc/debian_version) elif [ -f /etc/SuSe-release ]; then DIST='SuSe' fi [[ "${DIST}" =~ CentOS|RedHat|Debian ]] && VER=$(echo $VER | cut -c1) echo "${DIST} ${VER}" } get_first_ssh_key() { shopt -s nullglob for K in $HOME/.ssh/*.pub; do echo $K return 0 done shopt -u nullglob return 1 } mask2cidr() { local X=${1##*255.} set -- 0^^^128^192^224^240^248^252^254^ $(( (${#1} - ${#X})*2 )) ${X%%.*} X=${1%%$3*} echo $(( $2 + (${#X}/4) )) } yes_no() { read ANS while [[ "${ANS}" != yes && "${ANS}" != no ]]; do echo 'yes or no?' read ANS done [[ $ANS = no ]] && exit 0 } red() { echo -e "\e[31m${1}\e[0m"; } green() { echo -e "\e[32m${1}\e[0m"; } orange() { echo -e "\e[33m${1}\e[0m"; } check() { local COMMAND=$1 local TEXT=$2 local ON_FAIL=$3 local STDERR_TMP_FILE=$(mktemp) local STDOUT_TMP_FILE=$(mktemp) [[ ${VERBOSE} = 'yes' ]] && echo -ne "${TEXT} " eval "${COMMAND}" 2>${STDERR_TMP_FILE} >${STDOUT_TMP_FILE} RC=$? STDERR=$(cat $STDERR_TMP_FILE) STDOUT=$(cat $STDOUT_TMP_FILE) unlink ${STDERR_TMP_FILE} unlink ${STDOUT_TMP_FILE} if [[ ${RC} = '0' ]]; then [[ ${VERBOSE} = 'yes' ]] && green "OK" return ${RC} else [[ ${VERBOSE} = 'no' ]] && echo -ne "${TEXT} " if [[ "$ON_FAIL" =~ "SKIP" ]]; then orange "${ON_FAIL}" return ${RC} elif [[ ${FORCE} = 'yes' && "${ON_FAIL}" =~ "IGNORE" ]]; then orange "${ON_FAIL}" echo "${STDOUT}" echo "--- STDERR ---" echo "${STDERR}" echo "--------------" return ${RC} else red "FAILED" if [[ -n "${ON_FAIL}" && ! "${ON_FAIL}" =~ "IGNORE" ]]; then echo "${ON_FAIL}" fi echo "${STDOUT}" if [[ -n "${STDERR}" ]]; then echo "--- STDERR ---" echo "${STDERR}" echo "--------------" fi exit 1 fi fi } run_and_print_if_failed() { $@ >/dev/null local RC=$? local MSG=$@ [ ! $RC -eq 0 ] && echo "$MSG" return $RC } centos?() { [[ "$DISTNAME" =~ CentOS|RedHat ]] } redhat?() { [[ "$DISTNAME" =~ RedHat ]] } debian?() { [[ "$DISTNAME" =~ Ubuntu|Debian ]] } firewalld_running?() { systemctl -q is-active firewalld } netplan?() { [[ ! -s /run/network/ifstate && $(type netplan 2>/dev/null) ]] } kvm?() { [[ $LXD == no ]] } lxd?() { [[ $LXD == yes ]] } supported_dist_ver() { local DIST_VER_MATCH=$1 if [[ ! "${DISTNAME}${DISTVER} ${VERSION}" =~ $DIST_VER_MATCH ]]; then echo "\"${DISTNAME}${DISTVER} ${VERSION}\" not in ${DIST_VER_MATCH:2:-2}" >&2 return 2 fi } repo_exists() { if [[ ! "$DISTNAME" =~ CentOS|Ubuntu|Debian ]]; then echo "Currently only CentOS, Ubuntu or Debian are supported" >&2 return 1 else URL="${REPO_URL}/${VERSION}/${DISTNAME}/${DISTVER}" if type curl >/dev/null 2>&1; then run_and_print_if_failed "curl -f -s -S $URL" elif type wget >/dev/null 2>&1; then wget $URL else echo "Missing curl/wget to check repository" >&2 return 2 fi fi } disk_free() { local LIMIT=$1 local WHERE=$2 read -r AVAIL TARGET <<<$(df -BG --output=avail,target $WHERE | tail -1) AVAIL=${AVAIL%G} if [[ "${AVAIL}" -lt "${LIMIT}" ]]; then echo "Insufficient disk space, expected at least ${LIMIT}G on" \ "\"${TARGET}\" filesystem" return 1 fi } #------------------------------------------------------------------------------- # Install functions #------------------------------------------------------------------------------- disable_selinux() { setenforce 0 >/dev/null || return 1 sed -ie 's/^SELINUX=.*$/SELINUX=disabled/' /etc/sysconfig/selinux >/dev/null 2>&1 } modify_apparmor() { if ! grep '/var/lib/one/datastores' /etc/apparmor.d/abstractions/libvirt-qemu >/dev/null 2>&1; then echo ' /var/lib/one/datastores/** rwk,' >> /etc/apparmor.d/abstractions/libvirt-qemu systemctl reload apparmor else if [[ "$1" = 'purge' ]]; then sed -i '/\/var\/lib\/one\/datastores/d' /etc/apparmor.d/abstractions/libvirt-qemu > /dev/null 2>&1 fi fi } install() { if centos?; then run_and_print_if_failed "yum -y install $@" elif debian?; then export DEBIAN_FRONTEND=noninteractive run_and_print_if_failed "apt-get -q -y install $@" unset DEBIAN_FRONTEND fi } create_bridge() { if centos?; then if [[ $1 = purge ]]; then rm -f /etc/sysconfig/network-scripts/ifcfg-minionebr ip link set down dev ${BRIDGE_INTERFACE} || true brctl delbr ${BRIDGE_INTERFACE} || true else cat > /etc/sysconfig/network-scripts/ifcfg-minionebr<< EOF DEVICE=${BRIDGE_INTERFACE} TYPE=Bridge IPADDR=${VNET_AR_IP_START} NETMASK=${VNET_NETMASK} ONBOOT=yes BOOTPROTO=none IPV6INIT=NO IPV6_AUTOCONF=no NM_CONTROLLED=no EOF fi elif debian?; then if netplan?; then if [[ $1 = purge ]]; then rm -f /etc/systemd/network/minionebr-nic.netdev rm -f /etc/netplan/minione.yaml ip link delete minionebr-nic || true ip link set down dev ${BRIDGE_INTERFACE} || true brctl delbr ${BRIDGE_INTERFACE} || true else cat > /etc/systemd/network/minionebr-nic.netdev<< EOF [NetDev] Name=minionebr-nic Kind=dummy EOF cat > /etc/netplan/minione.yaml<< EOF network: version: 2 renderer: networkd ethernets: minionebr-nic: {} bridges: minionebr: addresses: [ ${VNET_AR_IP_START}/${NETMASK_BITS} ] interfaces: [ minionebr-nic ] EOF fi else if [[ $1 = purge ]]; then rm -f /etc/network/interfaces.d/tap.cfg rm -f /etc/network/interfaces.d/minionebr.cfg ip link set down dev ${BRIDGE_INTERFACE} || true brctl delbr ${BRIDGE_INTERFACE} || true else brctl addbr ${BRIDGE_INTERFACE} || return 1 mkdir /etc/network/interfaces.d 2>/dev/null cat > /etc/network/interfaces.d/tap.cfg<< EOF iface tap0 inet manual pre-up ip tuntap add tap0 mode tap user root EOF cat > /etc/network/interfaces.d/minionebr.cfg<< EOF auto minionebr iface minionebr inet static address ${VNET_AR_IP_START} network ${VNET_ADDRESS} netmask ${VNET_NETMASK} bridge_stp off bridge_fd 0 bridge_maxwait 0 bridge_ports tap EOF ip link set up dev ${BRIDGE_INTERFACE} fi fi fi } ping_from_bridge() { sleep 3 run_and_print_if_failed "ping -W 3 -c 1 -I ${VNET_AR_IP_START} 8.8.8.8 -q" } restart_network() { if centos?; then service network restart >/dev/null else if netplan?; then netplan apply else service networking restart > /dev/null fi fi } disable_firewalld() { systemctl stop firewalld >/dev/null && \ systemctl disable firewalld >/dev/null } configure_nat() { ACTION='-A' [[ $1 = 'purge' ]] && ACTION='-D' IPTABLES_COMMAND=$(cat << EOF iptables --table nat $ACTION POSTROUTING \ -s ${VNET_ADDRESS}/${NETMASK_BITS} \ ! -d ${VNET_ADDRESS}/${NETMASK_BITS} -j MASQUERADE EOF ) run_and_print_if_failed "$IPTABLES_COMMAND" } start_dnsmasq() { if [[ $1 = 'purge' ]]; then if [[ -f /etc/dnsmasq.conf.bk ]]; then mv /etc/dnsmasq.conf.bk /etc/dnsmasq.conf else rm -f /etc/dnsmasq.conf systemct stop dnsmasq fi else cp /etc/dnsmasq.conf /etc/dnsmasq.conf.bk 2>/dev/null cat << EOT > /etc/dnsmasq.conf || return 1 interface=${BRIDGE_INTERFACE} except-interface=lo bind-interfaces EOT systemctl start dnsmasq fi } configure_repos() { if centos?; then if [[ $1 = 'purge' ]]; then rm -f /etc/yum.repos.d/opennebula.repo else cat << EOT > /etc/yum.repos.d/opennebula.repo [opennebula] name=opennebula baseurl=https://downloads.opennebula.org/repo/${VERSION}/${DISTNAME}/${DISTVER}/x86_64 enabled=1 gpgkey=https://downloads.opennebula.org/repo/repo.key gpgcheck=1 EOT fi elif debian?; then if [[ $1 = 'purge' ]]; then rm -f /etc/apt/sources.list.d/opennebula.list else ( wget -q -O- https://downloads.opennebula.org/repo/repo.key | \ apt-key add - >/dev/null ) || return 1 echo "deb https://downloads.opennebula.org/repo/${VERSION}/${DISTNAME}/${DISTVER} stable opennebula" \ > /etc/apt/sources.list.d/opennebula.list || return 1 fi fi } enable_rhel_extra_repos() { subscription-manager repos --enable rhel-7-server-optional-rpms && \ subscription-manager repos --enable rhel-7-server-extras-rpms >/dev/null } enable_epel() { if redhat?; then rpm -ivh 'https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm' elif centos? ; then install "epel-release" fi } install_opennebula_pkgs() { if centos?; then install "opennebula-server opennebula-sunstone opennebula-ruby "\ "opennebula-gate opennebula-flow" || return 1 elif debian?; then install "opennebula opennebula-sunstone opennebula-gate "\ "opennebula-flow" || return 1 fi systemctl daemon-reload } install_ruby_gems() { centos? && { install redhat-lsb || return 1 gem install bundler --version '<2.0' >/dev/null || return 1 } OUT=(mktemp) /usr/share/one/install_gems --yes > $OUT RC=$? cat $OUT | grep 'Could not' >&2 return $RC } install_opennebula_kvm_pkgs() { if centos?; then install opennebula-node-kvm || return 1 systemctl restart ${LIBVIRTD} || return 1 if redhat?; then subscription-manager repos --enable \ rhel-7-server-rhv-4-mgmt-agent-rpms || return 1 install qemu-kvm-rhev || return 1 else run_and_print_if_failed \ "yum --quiet -y update centos-release" install centos-release-qemu-ev qemu-kvm-ev || return 1 fi elif debian?; then run_and_print_if_failed \ "apt-get install -y opennebula-node" || return 1 service ${LIBVIRTD} restart || return 1 fi } install_opennebula_lxd_pkgs() { install opennebula-node-lxd return 1 } uninstall_opennebula_pkgs() { if centos?; then yum --quiet -y remove opennebula-node-kvm opennebula-server \ opennebula-sunstone opennebula-ruby opennebula-gate \ opennebula-flow systemctl restart ${LIBVIRTD} || true if redhat?; then yum --quiet -y remove qemu-kvm-rhev || true else yum --quiet -y remove qemu-kvm-ev >/dev/null || true fi elif debian?; then apt-get purge -q -y opennebula-node opennebula \ opennebula-sunstone opennebula-gate opennebula-flow \ opennebula-common >/dev/null service ${LIBVIRTD} restart || true fi } # Initialize some usefull vars NETMASK_BITS=$(mask2cidr ${VNET_NETMASK}) read -r DISTNAME DISTVER <<<$(get_distname_and_version) [[ "${DISTNAME}${DISTVER}" =~ Ubuntu16.04|Ubuntu18.04 ]] && LIBVIRTD="libvirt-bin" #------------------------------------------------------------------------------- # Uninstall #------------------------------------------------------------------------------- purge() { echo "Really uninstall? [yes/no]:" [[ "${ASK}" = 'yes' ]] && yes_no FORCE='yes' title "Uninstalling" check "systemctl stop opennebula opennebula-sunstone" "Stopping OpenNebula" "SKIP" [[ "${ENABLED_APPARMOR}" = 'yes' ]] && check "modify_apparmor" "Restoring AppArmor" check "uninstall_opennebula_pkgs" "Uninstalling OpenNebula packages" "SKIP" check "start_dnsmasq purge" "Stopping DNSMasq" "SKIP" check "configure_repos purge" "Unconfiguring repositories" check "configure_nat purge" "Unconfiguring nat using iptables" "SKIP" check "create_bridge purge" "Deleting bridge interface ${BRIDGE_INTERFACE}" check "restart_network" "Restarting network" check "rm -rf /etc/one /var/lib/one $HOME/.one >/dev/null" "Deleting /etc/one /var/lib/one" check "userdel -r -f oneadmin>/dev/null" "Deleting oneadmin user" "SKIP" } if [[ $PURGE_ONLY = 'yes' ]]; then VERBOSE='yes' purge exit 0 fi #------------------------------------------------------------------------------- # Checks & detection #------------------------------------------------------------------------------- title "Checks & detection" # check Opennebula veriosn & distribution & version check "supported_dist_ver \"$SUPPORTED_MAP\"" \ "Checking distribution and version [${DISTNAME} ${DISTVER} ${VERSION}]" \ "IGNORED Will try to install if repository exists" # check if repository exists check "repo_exists" "Checking if OpenNebula repository exists" # check if lxd is available for given distribution and version lxd? && check "supported_dist_ver \"$SUPPORTED_LXD_MAP\"" \ "Checking LXD support for given version" # check cpu flgas for virtualizaton capabilities kvm? && { check 'grep flags /proc/cpuinfo | grep vmx\\\|svm > /dev/null' \ "Checking cpu virtualization capabilities" \ "SKIP QEMU will be used" || USE_QEMU='yes'; } # check available disk space on /var check 'disk_free 20 /var' 'Checking free disk space' 'IGNORE' # check if given interface exists if [[ -n "${NAT_INTERFACE}" ]]; then check "interface_exists ${NAT_INTERFACE}" \ "Checking [${NAT_INTERFACE}] net device exists" else NAT_INTERFACE=$(get_interface_name) check "[[ -n \"${NAT_INTERFACE}\" ]]" \ "Checking local interface [${NAT_INTERFACE}]" fi # check existing directories from previous installation check "[[ ! -e /etc/one && ! -e /var/lib/one ]]" \ "Checking directories from previous installation" \ "IGNORED will be deleted" || PURGE='yes' # check existing user from previous installation check "! id oneadmin >/dev/null" \ "Checking user from previous installation" \ "IGNORED will be deleted" || PURGE='yes' # check if sshd service is running check "service sshd status >/dev/null" \ "Checking sshd service is running" # check if we have bridge-utils check "type brctl >/dev/null 2>&1" "Checking bridge-utils are installed" \ "SKIP will try to install" || MISSING_PKGS='bridge-utils' # check if we have apt-transport-https if debian?; then check "dpkg -L apt-transport-https >/dev/null 2>&1" \ "Checking apt-transport-https is installed" \ "SKIP will try to install" || \ MISSING_PKGS="${MISSING_PKGS} apt-transport-https" fi # check if gnupg is installed (required for apt-key add) if debian?; then check "dpkg -L gnupg >/dev/null 2>&1" \ "Checking if gnupg is installed" \ "SKIP will try to install" || \ MISSING_PKGS="${MISSING_PKGS} gnupg" fi # check if we have iptables-persistent netfilter-persistent if debian?; then check "dpkg -l iptables-persistent netfilter-persistent > /dev/null" \ "Checking (iptables|netfilter)-persistent are installed" \ "SKIP will try to install" || \ MISSING_PKGS="${MISSING_PKGS} iptables-persistent netfilter-persistent" fi #check if birdge iface is not already present check "! interface_exists ${BRIDGE_INTERFACE}" \ "Checking $BRIDGE_INTERFACE interface is not present" "IGNORED" # check if given virtual network is already in routing table check "! ip route show ${VNET_ADDRESS}/${NETMASK_BITS} | grep dev >/dev/null" \ "Checking virtual network ${VNET_ADDRESS}/${NETMASK_BITS} is not routed" # Check SELinux or AppArmor SELINUX=$(getenforce 2>/dev/null) centos? && { check "[[ ! \"${SELINUX}\" = 'Enforcing' ]]" \ "Checking SELinux" "SKIP will try to disable" || DISABLE_SELINUX='yes'; } debian? && { check "! aa-status >/dev/null 2>&1" \ "Checking AppArmor" "SKIP will try to modify" || ENABLED_APPARMOR='yes'; } # check for given ssh key if [[ -n "${SSH_PUBKEY}" ]]; then check "[[ -f \"${SSH_PUBKEY}\" ]]" \ "Checking ssh pub key ${SSH_PUBKEY} exists" # or take the first founc, or generate else SSH_PUBKEY=$(get_first_ssh_key) if ! check "[[ -f \"${SSH_PUBKEY}\" ]]" "Checking for present ssh key" "SKIP" ; then if [[ ! -d "$HOME/.ssh" ]]; then mkdir "$HOME/.ssh/"; chmod 0700 "$HOME/.ssh/"; fi check "ssh-keygen -t rsa -P \"\" -f $HOME/.ssh/id_rsa >/dev/null"\ "Generating ssh keypair in $HOME/.ssh/id_rsa" SSH_PUBKEY="$HOME/.ssh/id_rsa.pub" fi fi # check if the requested app name exists on market place if type curl >/dev/null 2>&1; then check "curl -s -H \"${JSON_HEADERS}\" ${APPS_URL} \ | grep '\"name\":\"${MARKET_APP_NAME}\"' >/dev/null" \ "Checking presence of the market app: \"$MARKET_APP_NAME\"" "Not found" elif type wget > /dev/null 2>&1; then check "wget --quiet -O - --header \"${JSON_HEADERS}\" ${APPS_URL} \ | grep '\"name\":\"${MARKET_APP_NAME}\"' >/dev/null" \ "Checking presence of the market app: \"$MARKET_APP_NAME\"" "Not found" else # Always fail, but continue with info when --force was given check "false" "Missing curl/wget to check market app" "IGNORE Can't check" fi #------------------------------------------------------------------------------- # Pre-installation report #------------------------------------------------------------------------------- title "Main deployment steps:" [[ "${PURGE}" = yes ]] && echo "Purge previous installation" [[ "${DISABLE_SELINUX}" = yes ]] && echo "Disable SELinux" [[ -n "${MISSING_PKGS}" ]] && echo "Install ${MISSING_PKGS}" centos? && firewalld_running? && echo "Disable_firewalld" echo "Configure bridge ${BRIDGE_INTERFACE} with IP ${VNET_GATEWAY}/${NETMASK_BITS}" echo "Enable NAT over ${NAT_INTERFACE}" echo "Using ssh public key ${SSH_PUBKEY}" echo "Install OpenNebula version ${VERSION}" [[ "${ENABLED_APPARMOR}" = yes ]] && echo "Modify AppArmor" echo "" echo "Do you agree? [yes/no]:" [[ "${ASK}" = 'yes' ]] && yes_no title "Installation" VERBOSE='yes' [[ "${PURGE}" = yes ]] && purge debian? && check "apt-get -q -y update >/dev/null" "Updating apt cache" [[ "${DISABLE_SELINUX}" = 'yes' ]] && check "disable_selinux" "Disabling SELinux" [[ -n "${MISSING_PKGS}" ]] && check "install ${MISSING_PKGS}" "Install ${MISSING_PKGS}" check "create_bridge" "Creating bridge interface ${BRIDGE_INTERFACE}" check "restart_network" "Restarting network" centos? && firewalld_running? && check "disable_firewalld" "Disabling firewalld" [[ "$FORWARD" = 0 ]] && check "sysctl -w net.ipv4.ip_forward=1 >/dev/null" "Enabling ipv4 forward" check "configure_nat" "Configuring nat using iptables" check "ping_from_bridge" "Verify bridge by ping from it" centos? && check "iptables-save > /etc/sysconfig/iptables" "Saving iptables changes" debian? && check "netfilter-persistent save" "Saving iptables changes" check "install dnsmasq" "Installing DNSMasq" check "start_dnsmasq" "Starting DNSMasq" check "configure_repos" "Configuring repositories" debian? && check "apt-get -q -y update >/dev/null" "Updating apt cache" redhat? && check "enable_rhel_extra_repos" "Enabling RHEL 7 extra & opt repositories" centos? && check "enable_epel" "Installing epel" check "install_opennebula_pkgs" "Installing OpenNebula packages" check "install_ruby_gems" "Installing ruby gems" kvm? && check "install_opennebula_kvm_pkgs" "Installing OpenNebula node packages" lxd? && check "install_opennebula_lxd_pkgs" "Installing OpenNebula node packages" [[ "${ENABLED_APPARMOR}" = 'yes' ]] && check "modify_apparmor" "Updating AppArmor" #------------------------------------------------------------------------------- # Configuration #------------------------------------------------------------------------------- conf_change() { local KEY=$1 local VALUE=$2 if [ -z "$3" ]; then local CONF='/etc/one/oned.conf' else local CONF=$3 fi sed -i -e "s/^${KEY}/${VALUE}/" ${CONF} >/dev/null } switch_to_qemu() { LINE_NUM=$(grep -n '^VM_MAD =' -A 10 /etc/one/oned.conf | \ grep -E '^[0-9]+-\s*TYPE' | grep kvm | awk -F\- '{print $1}') sed -i "${LINE_NUM}s/kvm/qemu/" /etc/one/oned.conf } set_init_password() { [[ ! -d $HOME/.one ]] && mkdir $HOME/.one || return 1 echo "oneadmin:$PASSWORD" > $HOME/.one/one_auth || return 1 echo "oneadmin:$PASSWORD" > /var/lib/one/.one/one_auth } set_sunstone_port() { local PORT=$1 conf_change ":port: 9869" ":port: $PORT" /etc/one/sunstone-server.conf if [[ $PORT -lt 1024 ]]; then RUBY=$(readlink -f /usr/bin/ruby) setcap 'cap_net_bind_service=+ep' $RUBY fi } one_is_ready() { for I in `seq $ONE_WAIT_TIMEOUT`; do onehost list > /dev/null 2>&1 && return 0 sleep 1 done echo "OpenNebula did not start within the timeout" >&2 return 1 } deny_ssh_from_vnet() { STAR_NET=${VNET_ADDRESS} # 172.16.0.0 ~> 172.16.*.*, but 10.0.1.0~> 10.0.1.* for I in 1 2 3 4; do STAR_NET=$(echo ${STAR_NET} |sed -e 's/\(.*\)\.0\([0\.\*]*\)$/\1.*\2/') done if grep -v "DenyUsers ${STAR_NET}" /etc/ssh/sshd_config >/dev/null; then echo "DenyUsers ${STAR_NET}" >> /etc/ssh/sshd_config fi systemctl restart sshd } add_keys_to_known_hosts() { su oneadmin -c 'ssh-keyscan -H localhost > ~/.ssh/known_hosts' || return 1 HOSTNAME=$(hostname) su oneadmin -c "ssh-keyscan -H ${HOSTNAME} >> ~/.ssh/known_hosts" || return 1 FQDN=$(hostname -f 2>/dev/null) if [[ -n "$FQDN" && "$HOSTNAME" != "${FQDN}" ]]; then su oneadmin -c "ssh-keyscan -H ${FQDN} >> ~/.ssh/known_hosts" || return 1 fi } test_ssh_connection() { sudo -u oneadmin ssh localhost true /dev/null || return 1 } add_ssh_keys_to_oneadmin() { local TMP_FILE=$(mktemp) || return 1 ONEADMIN_OS_USER_KEY=$(cat /var/lib/one/.ssh/id*pub 2>/dev/null) SSH_PUBKEY_CONTENT=$(cat ${SSH_PUBKEY} 2>/dev/null) cat > ${TMP_FILE}<< EOF SSH_PUBLIC_KEY="${ONEADMIN_OS_USER_KEY} ${SSH_PUBKEY_CONTENT}" EOF oneuser update 0 ${TMP_FILE} || return 1 rm ${TMP_FILE} } update_ssh_configs() { # allow VM addresses to be re-used touch /var/lib/one/.ssh/config || return 1 grep -q "Host ${STAR_NET}" /var/lib/one/.ssh/config || { cat >> /var/lib/one/.ssh/config << EOF || return 1 Host ${STAR_NET} StrictHostKeyChecking no UserKnownHostsFile=/dev/null EOF chown oneadmin:oneadmin /var/lib/one/.ssh/config || return 1 chmod 0600 /var/lib/one/.ssh/config || return 1 } touch ~/.ssh/config || return 1 grep -q "Host ${STAR_NET}" ~/.ssh/config || { cat >> ~/.ssh/config << EOF || return 1 Host ${STAR_NET} StrictHostKeyChecking no UserKnownHostsFile=/dev/null EOF chmod 0600 ~/.ssh/config } } title "Configuration" check "conf_change \"\#ONEGATE_ENDPOINT = .*\" \"ONEGATE_ENDPOINT = 'http:\/\/${VNET_AR_IP_START}:5030'\""\ "Switching onegate endpoint in oned.conf" check "conf_change \"SCHED_INTERVAL = .*\" \"SCHED_INTERVAL = 10\" \"/etc/one/sched.conf\""\ "Switching scheduler interval to 10sec" lxd? && check "conf_change \"\s*:command: \\/bin\\/login\" \" :command: \\/bin\\/bash\" \"/var/lib/one/remotes/etc/vmm/lxd/lxdrc\""\ "Switching vnc command to /bin/bash in lxdrc" lxd? && check "conf_change \"\s*:command => '\\/bin\\/login'\" \" :command => '\\/bin\\/bash'\" \"/var/lib/one/remotes/vmm/lxd/opennebula_vm.rb\""\ "Switching vnc command to /bin/bash in opennebula_vm.rb" [[ ${USE_QEMU} = 'yes' ]] && check "switch_to_qemu" "Switching to QEMU emulation" check "set_init_password" "Setting initial password for current user and oneadmin" [[ ${SUNSTONE_PORT} != 9869 ]] && check "set_sunstone_port ${SUNSTONE_PORT}"\ "Changing WebUI to listen on port ${SUNSTONE_PORT}" check "systemctl start opennebula opennebula-sunstone >/dev/null 2>&1"\ "Starting opennebula services" check "one_is_ready" "Checking OpenNebula is working" check "deny_ssh_from_vnet" "Disabling ssh from virtual network" check "add_keys_to_known_hosts" "Adding localhost ssh key to known_hosts" check "test_ssh_connection" "Testing ssh connection to localhost" check "add_ssh_keys_to_oneadmin" "Add ssh key to oneadmin user" check "update_ssh_configs" "Update ssh configs to allow VM addresses reusig" #------------------------------------------------------------------------------- # Bootstrap #------------------------------------------------------------------------------- onecli_cmd_tmpl() { local COMMAND=$1 local DATA=$2 local TMP_FILE=$(mktemp) || return 1 cat > ${TMP_FILE}<< EOF ${DATA} EOF $COMMAND $TMP_FILE RC=$? rm ${TMP_FILE} return ${RC} } update_datastores() { TEMPLATE=$(cat << EOF EOF ) onecli_cmd_tmpl "onedatastore update 0" "${TEMPLATE}" >/dev/null ||return 1 onecli_cmd_tmpl "onedatastore update 1" "${TEMPLATE}" >/dev/null } next_ip(){ local IP=$1 IP_HEX=$(printf '%.2X%.2X%.2X%.2X\n' `echo $IP | sed -e 's/\./ /g'`) NEXT_IP_HEX=$(printf %.8X `echo $(( 0x$IP_HEX + 1 ))`) NEXT_IP=$(printf '%d.%d.%d.%d\n' `echo $NEXT_IP_HEX | sed -r 's/(..)/0x\1 /g'`) echo "$NEXT_IP" } create_vnet() { FIRST_IP=$(next_ip ${VNET_AR_IP_START}) SIZE=$((${VNET_AR_IP_COUNT} - 1)) TEMPLATE=$(cat << EOF NAME = "vnet" BRIDGE = "${BRIDGE_INTERFACE}" DNS = "${VNET_GATEWAY}" GATEWAY = "${VNET_GATEWAY}" PHYDEV = "" SECURITY_GROUPS = "0" VN_MAD = "fw" AR = [ IP = ${FIRST_IP}, SIZE = ${SIZE}, TYPE = IP4 ] EOF ) onecli_cmd_tmpl "onevnet create" "${TEMPLATE}" >/dev/null 2>&1 } poll_for_marketplace() { APP_COUNT=$(onemarketapp list | wc -l) for I in $(seq 30); do sleep 5 NEW_APP_COUNT=$(onemarketapp list | wc -l) if [[ "${NEW_APP_COUNT}" = "${APP_COUNT}" && "${APP_COUNT}" -gt 20 ]]; then return 0 fi APP_COUNT=${NEW_APP_COUNT} done return 1 } export_marketapp() { poll_for_marketplace ID=$(onemarketapp list --filter NAME="${MARKET_APP_NAME}" \ --csv | tail -1 | awk -F, '{print $1}') || return 1 onemarketapp export ${ID} "${MARKET_APP_NAME}" --datastore 1 >/dev/null } update_template() { local TMP_FILE=$(mktemp) 2>/dev/null || return 1 # Add root password setting to context onetemplate show 0 | grep CONTEXT -A1000 \ | sed -e "s/CONTEXT=\[/CONTEXT=[ PASSWORD=\"${VM_PASSWORD}\",/" \ > ${TMP_FILE} # Add network echo 'NIC=[ NETWORK="vnet", NETWORK_UNAME="oneadmin", \ SECURITY_GROUPS="0" ]' >> ${TMP_FILE} # Add LXD_SECURITY_PRIVILEGED="true" lxd? && echo 'LXD_SECURITY_PRIVILEGED="true"' >> ${TMP_FILE} onetemplate update 0 ${TMP_FILE} >/dev/null RC=$? rm ${TMP_FILE} return ${RC} } check "update_datastores" "Updating datastores, TM_MAD=qcow2, SHARED=yes" kvm? && check "onehost create -i kvm -v kvm localhost >/dev/null 2>&1" \ "Creating kvm host" lxd? && check "onehost create -i lxd -v lxd localhost >/dev/null 2>&1" \ "Creating lxd host" check "create_vnet" "Creating virtual network" check "export_marketapp" \ "Exporting [${MARKET_APP_NAME}] from marketplace to local datastore" check "update_template" "Updating template" #------------------------------------------------------------------------------- # Report #------------------------------------------------------------------------------- [[ $SUNSTONE_PORT != 80 ]] && PORT_STR=":$SUNSTONE_PORT" title 'Report' echo "OpenNebula ${VERSION} was installed" echo "Sunstone (the webui) is runninng on:" echo " http://$(get_my_ip)${PORT_STR}/" echo "Use following to login:" echo " user: oneadmin" echo " password: ${PASSWORD}"