149 lines
3.9 KiB
Plaintext
Executable File
149 lines
3.9 KiB
Plaintext
Executable File
# nix-shell -p gnumake jq openssh cac-api cac-panel
|
|
set -eufx
|
|
|
|
# 2 secrets are required:
|
|
|
|
krebs_cred=${krebs_cred-./cac.json}
|
|
retiolum_key=${retiolum_key-./retiolum.rsa_key.priv}
|
|
|
|
clear_defer(){
|
|
echo "${trapstr:-exit}"
|
|
trap - INT TERM EXIT KILL
|
|
}
|
|
defer(){
|
|
if test -z "${debug:-}"; then
|
|
trapstr="$1;${trapstr:-exit}"
|
|
trap "$trapstr" INT TERM EXIT KILL
|
|
fi
|
|
}
|
|
|
|
# Sanity
|
|
if test ! -r "$krebs_cred";then
|
|
echo "\$krebs_cred=$krebs_cred must be readable"; exit 1
|
|
fi
|
|
if test ! -r "$retiolum_key";then
|
|
echo "\$retiolum_key=$retiolum_key must be readable"; exit 1
|
|
fi
|
|
|
|
krebs_secrets=$(mktemp -d)
|
|
sec_file=$krebs_secrets/cac_config
|
|
krebs_ssh=$krebs_secrets/tempssh
|
|
export cac_resources_cache=$krebs_secrets/res_cache.json
|
|
export cac_servers_cache=$krebs_secrets/servers_cache.json
|
|
export cac_tasks_cache=$krebs_secrets/tasks_cache.json
|
|
export cac_templates_cache=$krebs_secrets/templates_cache.json
|
|
# we need to receive this key from buildmaster to speed up tinc bootstrap
|
|
defer "trap - INT TERM EXIT"
|
|
defer "rm -r $krebs_secrets"
|
|
|
|
cat > $sec_file <<EOF
|
|
cac_login="$(jq -r .email $krebs_cred)"
|
|
cac_key="$(cac-panel --config $krebs_cred settings | jq -r .apicode)"
|
|
EOF
|
|
|
|
export cac_secrets=$sec_file
|
|
cac-panel --config $krebs_cred add-api-ip
|
|
|
|
# test login:
|
|
cac-api update
|
|
cac-api servers
|
|
|
|
# preserve old trap
|
|
old_trapstr=$(clear_defer)
|
|
while true;do
|
|
# Template 26: CentOS7
|
|
# TODO: use cac-api templates to determine the real Centos7 template in case it changes
|
|
out=$(cac-api build cpu=1 ram=512 storage=10 os=26 2>&1)
|
|
if name=$(echo "$out" | jq -r .servername);then
|
|
id=servername:$name
|
|
echo "got a working machine, id=$id"
|
|
else
|
|
echo "Unable to build a virtual machine, retrying in 15 seconds" >&2
|
|
echo "Output of build program: $out" >&2
|
|
sleep 15
|
|
continue
|
|
fi
|
|
|
|
clear_defer >/dev/null
|
|
defer "cac-api delete $id"
|
|
|
|
# TODO: timeout?
|
|
|
|
wait_login_cac(){
|
|
# we wait for 30 minutes
|
|
for t in `seq 180`;do
|
|
# now we have a working cac-api server
|
|
if cac-api ssh $1 -o ConnectTimeout=10 \
|
|
cat /etc/redhat-release | \
|
|
grep CentOS ;then
|
|
return 0
|
|
fi
|
|
sleep 10
|
|
done
|
|
return 1
|
|
}
|
|
# die on timeout
|
|
if ! wait_login_cac $id;then
|
|
echo "unable to boot a working system within time frame, retrying..." >&2
|
|
echo "Cleaning up old image,last status: $(cac-api update;cac-api getserver $id | jq -r .status)"
|
|
eval "$(clear_defer | sed 's/;exit//')"
|
|
sleep 15
|
|
else
|
|
echo "got a working system" >&2
|
|
break
|
|
fi
|
|
done
|
|
clear_defer >/dev/null
|
|
defer "cac-api delete $id;$old_trapstr"
|
|
|
|
mkdir -p shared/2configs/temp
|
|
cac-api generatenetworking $id > \
|
|
shared/2configs/temp/networking.nix
|
|
# new temporary ssh key we will use to log in after infest
|
|
ssh-keygen -f $krebs_ssh -N ""
|
|
cp $retiolum_key $krebs_secrets/retiolum.rsa_key.priv
|
|
# we override the directories for secrets and stockholm
|
|
# additionally we set the ssh key we generated
|
|
ip=$(cac-api getserver $id | jq -r .ip)
|
|
|
|
cat > shared/2configs/temp/dirs.nix <<EOF
|
|
_: {
|
|
krebs.build.source.dir = {
|
|
secrets.path = "$krebs_secrets";
|
|
stockholm.path = "$(pwd)";
|
|
};
|
|
users.extraUsers.root.openssh.authorizedKeys.keys = [
|
|
"$(cat ${krebs_ssh}.pub)"
|
|
];
|
|
krebs.build.target = "$ip";
|
|
}
|
|
EOF
|
|
|
|
LOGNAME=shared make eval get=krebs.infest \
|
|
target=derp system=test-centos7 filter=json \
|
|
| sed -e "s#^ssh.*<<#cac-api ssh $id<<#" \
|
|
-e "/^rsync/a -e 'cac-api ssh $id' \\\\" \
|
|
-e "s#root.derp:#:#" > $krebs_secrets/infest
|
|
sh -x $krebs_secrets/infest
|
|
|
|
# TODO: generate secrets directory $krebs_secrets for nix import
|
|
cac-api powerop $id reset
|
|
|
|
wait_login(){
|
|
# timeout
|
|
for t in `seq 90`;do
|
|
# now we have a working cac-api server
|
|
if ssh -o StrictHostKeyChecking=no \
|
|
-o UserKnownHostsFile=/dev/null \
|
|
-i $krebs_ssh \
|
|
-o ConnectTimeout=10 \
|
|
-o BatchMode=yes \
|
|
root@$1 nixos-version ;then
|
|
return 0
|
|
fi
|
|
sleep 10
|
|
done
|
|
return 1
|
|
}
|
|
wait_login $ip
|