Diffstat (limited to 'krebs')
-rw-r--r--krebs/3modules/bepasty-server.nix8
-rw-r--r--krebs/3modules/makefu/default.nix23
-rw-r--r--krebs/4lib/infest/prepare.sh14
-rw-r--r--krebs/5pkgs/test/infest-cac-centos7/default.nix7
-rwxr-xr-xkrebs/5pkgs/test/infest-cac-centos7/notes78
5 files changed, 94 insertions, 36 deletions
diff --git a/krebs/3modules/bepasty-server.nix b/krebs/3modules/bepasty-server.nix
index 9e777a5ef..cbf87b2a7 100644
--- a/krebs/3modules/bepasty-server.nix
+++ b/krebs/3modules/bepasty-server.nix
@@ -96,9 +96,13 @@ let
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
restartIfChanged = true;
- environment = {
+ environment = let
+ penv = python.buildEnv.override {
+ extraLibs = [ bepasty gevent ];
+ };
+ in {
BEPASTY_CONFIG = "${server.workDir}/bepasty-${name}.conf";
- PYTHONPATH= "${bepasty}/lib/${python.libPrefix}/site-packages:${gevent}/lib/${python.libPrefix}/site-packages";
+ PYTHONPATH= "${penv}/${python.sitePackages}/";
};
serviceConfig = {
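Review bot: Style: `PYTHONPATH= "${penv}/${python.sitePackages}/"` keeps the odd `= "` spacing and adds a trailing slash; `PYTHONPATH = "${penv}/${python.sitePackages}";` reads like the neighbouring `BEPASTY_CONFIG` attribute. Since `penv` is a full `python.buildEnv`, the service could presumably run `${penv}/bin/python` directly and drop `PYTHONPATH` altogether, but `ExecStart` lives in `serviceConfig`, which is outside the hunk, so I cannot confirm how the interpreter is chosen.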
diff --git a/krebs/3modules/makefu/default.nix b/krebs/3modules/makefu/default.nix
index ccf21c868..1fcf07b1e 100644
--- a/krebs/3modules/makefu/default.nix
+++ b/krebs/3modules/makefu/default.nix
@@ -221,17 +221,17 @@ with config.krebs.lib;
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
- MIICCgKCAgEAvmCBVNKT/Su4v9nl/Nm3STPo5QxWPg7xEkzIs3Oh39BS8+r6/7UQ
- rebib7mczb+ebZd+Rg2yFoGrWO8cmM0VcLy5bYRMK7in8XroLEjWecNNM4TRfNR4
- e53+LhcPdkxo0A3/D+yiut+A2Mkqe+4VXDm/JhAiAYkZTn7jUtj00Atrc7CWW1gN
- sP3jIgv4+CGftdSYOB4dm699B7OD9XDLci2kOaFqFl4cjDYUok03G0AduUlRx10v
- CKbKOTIdm8C36A902/3ms+Hyzkruu+VagGIZuPSwqXHJPCu7Ju+jarKQstMmpQi0
- PubweWDL0o/Dfz2qT3DuL4xDecIvGE6kv3m41hHJYiK+2/azTSehyPFbsVbL7w0V
- LgKN3usnZNcpTsBWxRGT7nMFSnX2FLDu7d9OfCuaXYxHVFLZaNrpccOq8NF/7Hbk
- DDW81W7CvLyJDlp0WLnAawSOGTUTPoYv/2wAapJ89i8QGCueGvEc6o2EcnBVMFEW
- ejWTQzyD816f4RsplnrRqLVlIMbr9Q/n5TvlgjjhX7IMEfMy4+7qLGRQkNbFzgwK
- jxNG2fFSCjOEQitm0gAtx7QRIyvYr6c7/xiHz4AwxYzBmvQsL/OK57NO4+Krwgj5
- Vk8TQ2jGO7J4bB38zaxK+Lrtfl8i1AK1171JqFMhOc34JSJ7T4LWDMECAwEAAQ==
+ MIICCgKCAgEAs9bq++H4HF8EpZMfWGfoIsh/C+YNO2pg74UPBsP/tFFe71yzWwUn
+ U9LW0n3bBqCMQ/oDthbSMwCkS9JzcUi22QJEdjbQs/aay9gZR115b+UxWPocw0Ms
+ ZoREKo3Oe0hETk7Ing8NdBDI0kCBh9QnvqQ3iKd0rBae3DYvcWlDsY93GLGMddgA
+ 7E9oa3EHVYH/MPZaeJtTknaJduanBSbiEb/xQOqxTadHoQASKU6DQD1czMH3hLG2
+ 8Wn4MBj9fgKBAoIy092tIzPtE2QwAHO73yz4mSW/3r190hREgVbjuEPiw4w5mEyQ
+ j+NeN3f3heFKx+GCgdWH9xPw6m6qPdqUiGUPq91KXMOhNa8lLcTp95mHdCMesZCF
+ TFj7hf6y+SVt17Vo+YUL7UqnMtAm3eZZmwyDu0DfKFrdgz6MtDD+5dQp9g8VHpqw
+ RfbaB1Srlr24EUYYoOBEF9CcIacFbsr+MKh+hQk5R0uEMSeAWARzxvvr69iMgdEC
+ zDiu0rrRLN+CrfgkDir7pkRKxeA1lz8KpySyIZRziNg6mSHjKjih4++Bbu4N2ack
+ 86h84qBrA8lq2xsub4+HgKZGH2l5Y8tvlr+rx0mQKEJkT6XDKCXZFPfl2N0QrWGT
+ Dv7l2vn0QMj9E6+BdRhYaO/m3+cIZ9faM851nRj/gq2OOtzW3ekrne0CAwEAAQ==
-----END RSA PUBLIC KEY-----
'';
};
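Review bot: The RSA public key for this host is replaced with no comment saying why; a short note above `tinc.pubkey` (or in the commit message, which this page does not show) such as `# key rotated, previous key revoked` would tell peers that the old key must no longer be trusted. Peers that still carry the previous key in their tinc hosts file will presumably keep accepting it until they redeploy, so the rotation is only complete once every peer has this change.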
@@ -272,6 +272,7 @@ with config.krebs.lib;
addrs6 = ["42:f9f0::10"];
aliases = [
"omo.retiolum"
+ "omo.r"
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
diff --git a/krebs/4lib/infest/prepare.sh b/krebs/4lib/infest/prepare.sh
index a217e7bed..e265b0e67 100644
--- a/krebs/4lib/infest/prepare.sh
+++ b/krebs/4lib/infest/prepare.sh
@@ -98,6 +98,19 @@ prepare_nixos_iso() {
sed -i "s@^NIX_PATH=\"[^\"]*\"@NIX_PATH=$target_path@" bin/nixos-install
}
+get_nixos_install() {
+ echo "installing nixos-install" 2>&1
+ c=$(mktemp)
+
+ cat <<EOF > $c
+{ fileSystems."/" = {};
+ boot.loader.grub.enable = false;
+}
+EOF
+ export NIXOS_CONFIG=$c
+ nix-env -i -A config.system.build.nixos-install -f "<nixpkgs/nixos>"
+ rm -v $c
+}
prepare_common() {(
if ! getent group nixbld >/dev/null; then
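Review bot: `export NIXOS_CONFIG=$c` in `get_nixos_install` stays exported after the function returns, while the file it points to is removed on the next line, so any later `nixos-install` in the same subshell (such as the copy taken at `cp "$(type -p nixos-install)"`) sees `NIXOS_CONFIG` pointing at a deleted file, assuming nixos-install honours that variable. Scope it to the one command instead: `NIXOS_CONFIG=$c nix-env -i -A config.system.build.nixos-install -f "<nixpkgs/nixos>"`. Also `echo "installing nixos-install" 2>&1` is a no-op redirect and should be `>&2`, and `$c` should be quoted in the `cat` and `rm` lines. `prepare_common` continues outside the hunk.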
@@ -191,6 +204,7 @@ prepare_common() {(
mount --rbind /mnt/"$target_path" "$target_path"
fi
+ get_nixos_install
mkdir -p bin
rm -f bin/nixos-install
cp "$(type -p nixos-install)" bin/nixos-install
diff --git a/krebs/5pkgs/test/infest-cac-centos7/default.nix b/krebs/5pkgs/test/infest-cac-centos7/default.nix
index 3be4b1c41..ba3ff30b9 100644
--- a/krebs/5pkgs/test/infest-cac-centos7/default.nix
+++ b/krebs/5pkgs/test/infest-cac-centos7/default.nix
@@ -1,9 +1,11 @@
-{ stdenv, coreutils,makeWrapper, cac-api, cac-cert, cac-panel, gnumake, gnused, jq, openssh, ... }:
+{ stdenv, coreutils, makeWrapper,
+ cac-api, cac-cert, cac-panel, gnumake, gnused, jq, openssh, sshpass,
+ ... }:
stdenv.mkDerivation rec {
name = "${shortname}-${version}";
shortname = "infest-cac-centos7";
- version = "0.2.0";
+ version = "0.2.6";
src = ./notes;
@@ -21,6 +23,7 @@ stdenv.mkDerivation rec {
gnused
jq
openssh
+ sshpass
];
installPhase = ''
diff --git a/krebs/5pkgs/test/infest-cac-centos7/notes b/krebs/5pkgs/test/infest-cac-centos7/notes
index 6bb0258a9..5b8f08c31 100755
--- a/krebs/5pkgs/test/infest-cac-centos7/notes
+++ b/krebs/5pkgs/test/infest-cac-centos7/notes
@@ -1,10 +1,26 @@
-# nix-shell -p gnumake jq openssh cac-api cac-panel sshpass
-set -eufx
+#! /bin/sh
+# usage: user=makefu target_system=wry debug=true \
+# krebs_cred=~/secrets/cac.json \
+# retiolum_key=~/secrets/wry/retiolum.rsa_key.priv \
+# infest-cac-centos7
-# 2 secrets are required:
+# IMPORTANT: set debug to TRUE if you want to actually keep the system
+
+# must be run in <stockholm>
+set -euf
+# 2 secrets are required:
+# login to panel
krebs_cred=${krebs_cred-./cac.json}
+# tinc retiolum key for host
retiolum_key=${retiolum_key-./retiolum.rsa_key.priv}
+# build this host
+user=${user:-shared}
+target=${target_system:-test-centos7}
+
+log(){
+ echo "[$(date +"%Y-%m-%d %T")] $@" 2>&1
+}
clear_defer(){
echo "${trapstr:-exit}"
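Review bot: The `2>&1` on the `echo` inside `log()` is a no-op — it sends stderr to stdout, so every log line still lands on stdout where it mixes with the script's real output; the old code wrote these messages with `>&2`, and `log` should keep doing so: `echo "[$(date +"%Y-%m-%d %T")] $*" >&2`. The header comment says "set debug to TRUE" while the usage line shows `debug=true`; since the code only tests `-z "${debug:-}"`, any non-empty value works, so the comment could read `# IMPORTANT: set debug to any non-empty value to keep the system`. `clear_defer` continues outside the hunk.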
@@ -14,9 +30,13 @@ defer(){
if test -z "${debug:-}"; then
trapstr="$1;${trapstr:-exit}"
trap "$trapstr" INT TERM EXIT KILL
+ else
+ log "ignored defer: $1"
fi
}
+test -z "${debug:-}" && log "debug enabled, vm will not be deleted on error"
+
# Sanity
if test ! -r "$krebs_cred";then
echo "\$krebs_cred=$krebs_cred must be readable"; exit 1
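Review bot: The new `test -z "${debug:-}" && log "debug enabled, vm will not be deleted on error"` is inverted: `-z` is true when `debug` is empty, so the message prints exactly when debug is off and is silent when it is on; it should be `test -n "${debug:-}" && log "debug enabled, vm will not be deleted on error"`. The message or the usage comment should also say that debug mode skips every deferred action, including `rm -r $krebs_secrets`, so the temp directory holding the copied retiolum private key and the panel API code outlives the run in /tmp (mktemp -d creates it 0700, but it is still a plaintext key on disk). `defer` starts outside the hunk.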
@@ -25,6 +45,11 @@ if test ! -r "$retiolum_key";then
echo "\$retiolum_key=$retiolum_key must be readable"; exit 1
fi
+if test ! -r "${user}/1systems/${target}.nix" ;then
+ echo "cannot find ${user}/1systems/${target}.nix , not started in stockholm directory?"
+ exit 1
+fi
+
krebs_secrets=$(mktemp -d)
sec_file=$krebs_secrets/cac_config
krebs_ssh=$krebs_secrets/tempssh
@@ -32,7 +57,7 @@ export cac_resources_cache=$krebs_secrets/res_cache.json
export cac_servers_cache=$krebs_secrets/servers_cache.json
export cac_tasks_cache=$krebs_secrets/tasks_cache.json
export cac_templates_cache=$krebs_secrets/templates_cache.json
-# we need to receive this key from buildmaster to speed up tinc bootstrap
+
defer "trap - INT TERM EXIT"
defer "rm -r $krebs_secrets"
@@ -42,10 +67,13 @@ cac_key="$(cac-panel --config $krebs_cred settings | jq -r .apicode)"
EOF
export cac_secrets=$sec_file
+log "adding own ip to allowed ips via cac-panel"
cac-panel --config $krebs_cred add-api-ip
# test login:
+log "updating cac-api state"
cac-api update
+log "list of cac servers:"
cac-api servers
# preserve old trap
@@ -56,10 +84,10 @@ while true;do
out=$(cac-api build cpu=1 ram=512 storage=10 os=26 2>&1)
if name=$(echo "$out" | jq -r .servername);then
id=servername:$name
- echo "got a working machine, id=$id"
+ log "got a working machine, id=$id"
else
- echo "Unable to build a virtual machine, retrying in 15 seconds" >&2
- echo "Output of build program: $out" >&2
+ elog "Unable to build a virtual machine, retrying in 15 seconds"
+ log "Output of build program: $out"
sleep 15
continue
fi
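Review bot: `elog` on the `Unable to build a virtual machine` line is not defined anywhere in this diff — only `log` is added — so when a build fails this branch hits command-not-found and, under `set -euf`, aborts the script instead of retrying as intended. Either define `elog(){ log "$@" >&2; }` next to `log`, or call `log` here as the following line already does. The `while true` loop begins outside the hunk.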
@@ -74,22 +102,23 @@ while true;do
for t in `seq 180`;do
# now we have a working cac-api server
if cac-api ssh $1 -o ConnectTimeout=10 \
- cat /etc/redhat-release | \
- grep CentOS ;then
+ cat /etc/redhat-release >/dev/null 2>&1 ;then
return 0
fi
+ log "cac-api ssh $1 failed, retrying"
sleep 10
done
+ log "cac-api ssh failed for 30 minutes, assuming something else broke. bailing ou.t"
return 1
}
# die on timeout
if ! wait_login_cac $id;then
- echo "unable to boot a working system within time frame, retrying..." >&2
- echo "Cleaning up old image,last status: $(cac-api update;cac-api getserver $id | jq -r .status)"
+ log "unable to boot a working system within time frame, retrying..."
+ log "Cleaning up old image,last status: $(cac-api update;cac-api getserver $id | jq -r .status)"
eval "$(clear_defer | sed 's/;exit//')"
sleep 15
else
- echo "got a working system" >&2
+ log "got a working system: $id"
break
fi
done
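Review bot: The `cac-api ssh` probe no longer checks for CentOS (the `grep CentOS` was dropped), so `wait_login_cac` now returns success as soon as any host at that id answers `cat /etc/redhat-release`; if the intent was only to silence output, `grep -q CentOS` keeps the check and stays quiet. The 30-minute bail-out message has a typo: `bailing ou.t` should be `bailing out`. Both helper calls pass `$1` unquoted, which is fine for a `servername:` id but `"$1"` costs nothing. `wait_login_cac` starts outside the hunk.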
@@ -101,16 +130,16 @@ cac-api generatenetworking $id > \
shared/2configs/temp/networking.nix
# new temporary ssh key we will use to log in after install
ssh-keygen -f $krebs_ssh -N ""
-cp $retiolum_key $krebs_secrets/retiolum.rsa_key.priv
+cp "$retiolum_key" $krebs_secrets/retiolum.rsa_key.priv
# we override the directories for secrets and stockholm
# additionally we set the ssh key we generated
ip=$(cac-api getserver $id | jq -r .ip)
cat > shared/2configs/temp/dirs.nix <<EOF
_: {
- krebs.build.source.dir = {
- secrets.path = "$krebs_secrets";
- stockholm.path = "$(pwd)";
+ krebs.build.source = {
+ secrets = "$krebs_secrets";
+ stockholm = "$(pwd)";
};
users.extraUsers.root.openssh.authorizedKeys.keys = [
"$(cat ${krebs_ssh}.pub)"
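Review bot: `cp "$retiolum_key" $krebs_secrets/retiolum.rsa_key.priv` quotes the source but not the destination, and `$krebs_secrets` and `$(pwd)` are spliced into the Nix string literals of `dirs.nix` without escaping, so a working directory containing `"` or `${` would produce a broken or surprising file. A guard such as `case "$(pwd)" in *'"'*|*'${'*) echo "unsafe pwd"; exit 1;; esac` before the heredoc, or escaping both values, would make that failure explicit. The heredoc ends outside the hunk.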
@@ -118,14 +147,17 @@ _: {
}
EOF
+log "starting prepare and installation"
+# TODO: try harder
make install \
- LOGNAME=shared \
+ LOGNAME=${user} \
SSHPASS="$(cac-api getserver $id | jq -r .rootpass)" \
ssh='sshpass -e ssh -S none -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null' \
- system=test-centos7 \
+ system=${target} \
target=$ip
-
-# TODO: generate secrets directory $krebs_secrets for nix import
+log "finalizing installation"
+cac-api ssh $id < ~/stockholm/krebs/4lib/infest/finalize.sh
+log "reset $id"
cac-api powerop $id reset
wait_login(){
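Review bot: `cac-api ssh $id < ~/stockholm/krebs/4lib/infest/finalize.sh` hard-codes the checkout under `$HOME`, while the script header says it must be run inside stockholm and `dirs.nix` already records `$(pwd)` as the stockholm path; a checkout anywhere else feeds a missing or stale `finalize.sh` to the new host. Use the working tree: `cac-api ssh $id < krebs/4lib/infest/finalize.sh`. `LOGNAME=${user}` and `system=${target}` are unquoted; harmless for the documented values, but `"${user}"` / `"${target}"` matches the quoting on the rest of the `make` line. `wait_login` begins on the last hunk line and continues outside it.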
@@ -137,11 +169,15 @@ wait_login(){
-i $krebs_ssh \
-o ConnectTimeout=10 \
-o BatchMode=yes \
- root@$1 nixos-version ;then
+ root@$1 nixos-version >/dev/null 2>&1;then
+ log "login to host $1 successful"
return 0
fi
+ log "unable to log into server, waiting"
sleep 10
done
+ log "unable to log in after 15 minutes, bailing out"
return 1
}
+log "waiting for system to come up"
wait_login $ip