diff options
Diffstat (limited to 'krebs')
-rw-r--r-- | krebs/3modules/bepasty-server.nix | 8 | ||||
-rw-r--r-- | krebs/3modules/makefu/default.nix | 23 | ||||
-rw-r--r-- | krebs/4lib/infest/prepare.sh | 14 | ||||
-rw-r--r-- | krebs/5pkgs/test/infest-cac-centos7/default.nix | 7 | ||||
-rwxr-xr-x | krebs/5pkgs/test/infest-cac-centos7/notes | 78 |
5 files changed, 94 insertions, 36 deletions
diff --git a/krebs/3modules/bepasty-server.nix b/krebs/3modules/bepasty-server.nix index 9e777a5ef..cbf87b2a7 100644 --- a/krebs/3modules/bepasty-server.nix +++ b/krebs/3modules/bepasty-server.nix @@ -96,9 +96,13 @@ let wantedBy = [ "multi-user.target" ]; after = [ "network.target" ]; restartIfChanged = true; - environment = { + environment = let + penv = python.buildEnv.override { + extraLibs = [ bepasty gevent ]; + }; + in { BEPASTY_CONFIG = "${server.workDir}/bepasty-${name}.conf"; - PYTHONPATH= "${bepasty}/lib/${python.libPrefix}/site-packages:${gevent}/lib/${python.libPrefix}/site-packages"; + PYTHONPATH= "${penv}/${python.sitePackages}/"; }; serviceConfig = { diff --git a/krebs/3modules/makefu/default.nix b/krebs/3modules/makefu/default.nix index ccf21c868..1fcf07b1e 100644 --- a/krebs/3modules/makefu/default.nix +++ b/krebs/3modules/makefu/default.nix @@ -221,17 +221,17 @@ with config.krebs.lib; ]; tinc.pubkey = '' -----BEGIN RSA PUBLIC KEY----- - MIICCgKCAgEAvmCBVNKT/Su4v9nl/Nm3STPo5QxWPg7xEkzIs3Oh39BS8+r6/7UQ - rebib7mczb+ebZd+Rg2yFoGrWO8cmM0VcLy5bYRMK7in8XroLEjWecNNM4TRfNR4 - e53+LhcPdkxo0A3/D+yiut+A2Mkqe+4VXDm/JhAiAYkZTn7jUtj00Atrc7CWW1gN - sP3jIgv4+CGftdSYOB4dm699B7OD9XDLci2kOaFqFl4cjDYUok03G0AduUlRx10v - CKbKOTIdm8C36A902/3ms+Hyzkruu+VagGIZuPSwqXHJPCu7Ju+jarKQstMmpQi0 - PubweWDL0o/Dfz2qT3DuL4xDecIvGE6kv3m41hHJYiK+2/azTSehyPFbsVbL7w0V - LgKN3usnZNcpTsBWxRGT7nMFSnX2FLDu7d9OfCuaXYxHVFLZaNrpccOq8NF/7Hbk - DDW81W7CvLyJDlp0WLnAawSOGTUTPoYv/2wAapJ89i8QGCueGvEc6o2EcnBVMFEW - ejWTQzyD816f4RsplnrRqLVlIMbr9Q/n5TvlgjjhX7IMEfMy4+7qLGRQkNbFzgwK - jxNG2fFSCjOEQitm0gAtx7QRIyvYr6c7/xiHz4AwxYzBmvQsL/OK57NO4+Krwgj5 - Vk8TQ2jGO7J4bB38zaxK+Lrtfl8i1AK1171JqFMhOc34JSJ7T4LWDMECAwEAAQ== + MIICCgKCAgEAs9bq++H4HF8EpZMfWGfoIsh/C+YNO2pg74UPBsP/tFFe71yzWwUn + U9LW0n3bBqCMQ/oDthbSMwCkS9JzcUi22QJEdjbQs/aay9gZR115b+UxWPocw0Ms + ZoREKo3Oe0hETk7Ing8NdBDI0kCBh9QnvqQ3iKd0rBae3DYvcWlDsY93GLGMddgA + 7E9oa3EHVYH/MPZaeJtTknaJduanBSbiEb/xQOqxTadHoQASKU6DQD1czMH3hLG2 + 8Wn4MBj9fgKBAoIy092tIzPtE2QwAHO73yz4mSW/3r190hREgVbjuEPiw4w5mEyQ + j+NeN3f3heFKx+GCgdWH9xPw6m6qPdqUiGUPq91KXMOhNa8lLcTp95mHdCMesZCF + TFj7hf6y+SVt17Vo+YUL7UqnMtAm3eZZmwyDu0DfKFrdgz6MtDD+5dQp9g8VHpqw + RfbaB1Srlr24EUYYoOBEF9CcIacFbsr+MKh+hQk5R0uEMSeAWARzxvvr69iMgdEC + zDiu0rrRLN+CrfgkDir7pkRKxeA1lz8KpySyIZRziNg6mSHjKjih4++Bbu4N2ack + 86h84qBrA8lq2xsub4+HgKZGH2l5Y8tvlr+rx0mQKEJkT6XDKCXZFPfl2N0QrWGT + Dv7l2vn0QMj9E6+BdRhYaO/m3+cIZ9faM851nRj/gq2OOtzW3ekrne0CAwEAAQ== -----END RSA PUBLIC KEY----- ''; }; @@ -272,6 +272,7 @@ with config.krebs.lib; addrs6 = ["42:f9f0::10"]; aliases = [ "omo.retiolum" + "omo.r" ]; tinc.pubkey = '' -----BEGIN RSA PUBLIC KEY----- diff --git a/krebs/4lib/infest/prepare.sh b/krebs/4lib/infest/prepare.sh index a217e7bed..e265b0e67 100644 --- a/krebs/4lib/infest/prepare.sh +++ b/krebs/4lib/infest/prepare.sh @@ -98,6 +98,19 @@ prepare_nixos_iso() { sed -i "s@^NIX_PATH=\"[^\"]*\"@NIX_PATH=$target_path@" bin/nixos-install } +get_nixos_install() { + echo "installing nixos-install" 2>&1 + c=$(mktemp) + + cat <<EOF > $c +{ fileSystems."/" = {}; + boot.loader.grub.enable = false; +} +EOF + export NIXOS_CONFIG=$c + nix-env -i -A config.system.build.nixos-install -f "<nixpkgs/nixos>" + rm -v $c +} prepare_common() {( if ! getent group nixbld >/dev/null; then @@ -191,6 +204,7 @@ prepare_common() {( mount --rbind /mnt/"$target_path" "$target_path" fi + get_nixos_install mkdir -p bin rm -f bin/nixos-install cp "$(type -p nixos-install)" bin/nixos-install diff --git a/krebs/5pkgs/test/infest-cac-centos7/default.nix b/krebs/5pkgs/test/infest-cac-centos7/default.nix index 3be4b1c41..ba3ff30b9 100644 --- a/krebs/5pkgs/test/infest-cac-centos7/default.nix +++ b/krebs/5pkgs/test/infest-cac-centos7/default.nix @@ -1,9 +1,11 @@ -{ stdenv, coreutils,makeWrapper, cac-api, cac-cert, cac-panel, gnumake, gnused, jq, openssh, ... }: +{ stdenv, coreutils, makeWrapper, + cac-api, cac-cert, cac-panel, gnumake, gnused, jq, openssh, sshpass, + ... }: stdenv.mkDerivation rec { name = "${shortname}-${version}"; shortname = "infest-cac-centos7"; - version = "0.2.0"; + version = "0.2.6"; src = ./notes; @@ -21,6 +23,7 @@ stdenv.mkDerivation rec { gnused jq openssh + sshpass ]; installPhase = '' diff --git a/krebs/5pkgs/test/infest-cac-centos7/notes b/krebs/5pkgs/test/infest-cac-centos7/notes index 6bb0258a9..5b8f08c31 100755 --- a/krebs/5pkgs/test/infest-cac-centos7/notes +++ b/krebs/5pkgs/test/infest-cac-centos7/notes @@ -1,10 +1,26 @@ -# nix-shell -p gnumake jq openssh cac-api cac-panel sshpass -set -eufx +#! /bin/sh +# usage: user=makefu target_system=wry debug=true \ +# krebs_cred=~/secrets/cac.json \ +# retiolum_key=~/secrets/wry/retiolum.rsa_key.priv \ +# infest-cac-centos7 -# 2 secrets are required: +# IMPORTANT: set debug to TRUE if you want to actually keep the system + +# must be run in <stockholm> +set -euf +# 2 secrets are required: +# login to panel krebs_cred=${krebs_cred-./cac.json} +# tinc retiolum key for host retiolum_key=${retiolum_key-./retiolum.rsa_key.priv} +# build this host +user=${user:-shared} +target=${target_system:-test-centos7} + +log(){ + echo "[$(date +"%Y-%m-%d %T")] $@" 2>&1 +} clear_defer(){ echo "${trapstr:-exit}" @@ -14,9 +30,13 @@ defer(){ if test -z "${debug:-}"; then trapstr="$1;${trapstr:-exit}" trap "$trapstr" INT TERM EXIT KILL + else + log "ignored defer: $1" fi } +test -z "${debug:-}" && log "debug enabled, vm will not be deleted on error" + # Sanity if test ! -r "$krebs_cred";then echo "\$krebs_cred=$krebs_cred must be readable"; exit 1 @@ -25,6 +45,11 @@ if test ! -r "$retiolum_key";then echo "\$retiolum_key=$retiolum_key must be readable"; exit 1 fi +if test ! -r "${user}/1systems/${target}.nix" ;then + echo "cannot find ${user}/1systems/${target}.nix , not started in stockholm directory?" + exit 1 +fi + krebs_secrets=$(mktemp -d) sec_file=$krebs_secrets/cac_config krebs_ssh=$krebs_secrets/tempssh @@ -32,7 +57,7 @@ export cac_resources_cache=$krebs_secrets/res_cache.json export cac_servers_cache=$krebs_secrets/servers_cache.json export cac_tasks_cache=$krebs_secrets/tasks_cache.json export cac_templates_cache=$krebs_secrets/templates_cache.json -# we need to receive this key from buildmaster to speed up tinc bootstrap + defer "trap - INT TERM EXIT" defer "rm -r $krebs_secrets" @@ -42,10 +67,13 @@ cac_key="$(cac-panel --config $krebs_cred settings | jq -r .apicode)" EOF export cac_secrets=$sec_file +log "adding own ip to allowed ips via cac-panel" cac-panel --config $krebs_cred add-api-ip # test login: +log "updating cac-api state" cac-api update +log "list of cac servers:" cac-api servers # preserve old trap @@ -56,10 +84,10 @@ while true;do out=$(cac-api build cpu=1 ram=512 storage=10 os=26 2>&1) if name=$(echo "$out" | jq -r .servername);then id=servername:$name - echo "got a working machine, id=$id" + log "got a working machine, id=$id" else - echo "Unable to build a virtual machine, retrying in 15 seconds" >&2 - echo "Output of build program: $out" >&2 + elog "Unable to build a virtual machine, retrying in 15 seconds" + log "Output of build program: $out" sleep 15 continue fi @@ -74,22 +102,23 @@ while true;do for t in `seq 180`;do # now we have a working cac-api server if cac-api ssh $1 -o ConnectTimeout=10 \ - cat /etc/redhat-release | \ - grep CentOS ;then + cat /etc/redhat-release >/dev/null 2>&1 ;then return 0 fi + log "cac-api ssh $1 failed, retrying" sleep 10 done + log "cac-api ssh failed for 30 minutes, assuming something else broke. bailing ou.t" return 1 } # die on timeout if ! wait_login_cac $id;then - echo "unable to boot a working system within time frame, retrying..." >&2 - echo "Cleaning up old image,last status: $(cac-api update;cac-api getserver $id | jq -r .status)" + log "unable to boot a working system within time frame, retrying..." + log "Cleaning up old image,last status: $(cac-api update;cac-api getserver $id | jq -r .status)" eval "$(clear_defer | sed 's/;exit//')" sleep 15 else - echo "got a working system" >&2 + log "got a working system: $id" break fi done @@ -101,16 +130,16 @@ cac-api generatenetworking $id > \ shared/2configs/temp/networking.nix # new temporary ssh key we will use to log in after install ssh-keygen -f $krebs_ssh -N "" -cp $retiolum_key $krebs_secrets/retiolum.rsa_key.priv +cp "$retiolum_key" $krebs_secrets/retiolum.rsa_key.priv # we override the directories for secrets and stockholm # additionally we set the ssh key we generated ip=$(cac-api getserver $id | jq -r .ip) cat > shared/2configs/temp/dirs.nix <<EOF _: { - krebs.build.source.dir = { - secrets.path = "$krebs_secrets"; - stockholm.path = "$(pwd)"; + krebs.build.source = { + secrets = "$krebs_secrets"; + stockholm = "$(pwd)"; }; users.extraUsers.root.openssh.authorizedKeys.keys = [ "$(cat ${krebs_ssh}.pub)" @@ -118,14 +147,17 @@ _: { } EOF +log "starting prepare and installation" +# TODO: try harder make install \ - LOGNAME=shared \ + LOGNAME=${user} \ SSHPASS="$(cac-api getserver $id | jq -r .rootpass)" \ ssh='sshpass -e ssh -S none -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null' \ - system=test-centos7 \ + system=${target} \ target=$ip - -# TODO: generate secrets directory $krebs_secrets for nix import +log "finalizing installation" +cac-api ssh $id < ~/stockholm/krebs/4lib/infest/finalize.sh +log "reset $id" cac-api powerop $id reset wait_login(){ @@ -137,11 +169,15 @@ wait_login(){ -i $krebs_ssh \ -o ConnectTimeout=10 \ -o BatchMode=yes \ - root@$1 nixos-version ;then + root@$1 nixos-version >/dev/null 2>&1;then + log "login to host $1 successful" return 0 fi + log "unable to log into server, waiting" sleep 10 done + log "unable to log in after 15 minutes, bailing out" return 1 } +log "waiting for system to come up" wait_login $ip |