author | Christian Pointner <equinox@spreadspace.org> | 2020-07-11 01:42:07 +0200 |
---|---|---|
committer | Christian Pointner <equinox@spreadspace.org> | 2020-07-11 01:42:07 +0200 |
commit | c188d4ac1713506c3028b4501730713cfda0ed36 (patch) | |
tree | e056a15d599981f963f20365848d4032aa792191 /roles/installer/debian | |
parent | preseed/partman: nicer error text for not-enough-space (diff) | |
parent | openbsd installer: improve image verification (diff) |
Merge branch 'topic/debian-installer-verification'
Diffstat (limited to 'roles/installer/debian')
-rw-r--r-- | roles/installer/debian/base/defaults/main.yml | 28 | ||||
-rw-r--r-- | roles/installer/debian/base/tasks/main.yml | 39 | ||||
-rw-r--r-- | roles/installer/debian/fetch/defaults/main.yml | 12 | ||||
-rw-r--r-- | roles/installer/debian/fetch/filter_plugins/main.py (renamed from roles/installer/debian/base/filter_plugins/main.py) | 0 | ||||
-rw-r--r-- | roles/installer/debian/fetch/tasks/main.yml | 35 | ||||
-rw-r--r-- | roles/installer/debian/fetch/tasks/verify-debian.yml | 46 | ||||
-rw-r--r-- | roles/installer/debian/fetch/tasks/verify-ubuntu.yml | 35 | ||||
-rw-r--r-- | roles/installer/debian/fetch/vars/main.yml | 13 | ||||
-rw-r--r-- | roles/installer/debian/preseed/defaults/main.yml | 5 | ||||
-rw-r--r-- | roles/installer/debian/preseed/tasks/main.yml | 6 | ||||
-rw-r--r-- | roles/installer/debian/usb/tasks/main.yml | 16 |
11 files changed, 168 insertions, 67 deletions
diff --git a/roles/installer/debian/base/defaults/main.yml b/roles/installer/debian/base/defaults/main.yml
deleted file mode 100644
index fe6d880d..00000000
--- a/roles/installer/debian/base/defaults/main.yml
+++ /dev/null
@@ -1,28 +0,0 @@
-debian_installer_distros:
- - distro: debian
- codename: stretch
- arch:
- - amd64
- - i386
- - distro: debian
- codename: buster
- arch:
- - amd64
- - i386
-
- - distro: ubuntu
- codename: bionic
- arch:
- - amd64
- - i386
- - distro: ubuntu
- codename: focal
- arch:
- - amd64
-
-debian_installer_force_download: no
-debian_installer_url:
-# debian: "https://debian.ffgraz.net/debian"
-# ubuntu: "https://debian.ffgraz.net/ubuntu"
- debian: "http://deb.debian.org/debian"
- ubuntu: "http://archive.ubuntu.com/ubuntu"
diff --git a/roles/installer/debian/base/tasks/main.yml b/roles/installer/debian/base/tasks/main.yml
index f7841572..119b3670 100644
--- a/roles/installer/debian/base/tasks/main.yml
+++ b/roles/installer/debian/base/tasks/main.yml
@@ -1,31 +1,18 @@
-- name: prepare directories for installer images
- loop: "{{ debian_installer_distros | subelements('arch') }}"
- loop_control:
- label: "{{ item.0.distro }}/{{ item.0.codename }} {{ item.1 }}"
+---
+- name: prepare directory keyrings
 file:
- name: "{{ installer_path }}/{{ item.0.distro }}-{{ item.0.codename }}/{{ item.1 }}"
+ name: "{{ installer_base_path }}/keyrings"
 state: directory

-- name: download installer kernel images
- loop: "{{ debian_installer_distros | subelements('arch') }}"
- loop_control:
- label: "{{ item.0.distro }}/{{ item.0.codename }} {{ item.1 }}"
- get_url:
- url: "{{ debian_installer_url[item.0.distro] }}/dists/{{ item.0.codename }}/main/installer-{{ item.1 }}/current/{{ [item.0.distro, item.0.codename] | di_images_path }}/netboot/{{ item.0.distro }}-installer/{{ item.1 }}/linux"
- dest: "{{ installer_path }}/{{ item.0.distro }}-{{ item.0.codename }}/{{ item.1 }}/linux"
- mode: 0644
- force: "{{ debian_installer_force_download }}"
-
-- name: download installer initrd.gz
- loop: "{{ debian_installer_distros | subelements('arch') }}"
+- name: copy debian keyring files
+ loop: "{{ lookup('fileglob', global_files_dir+'/common/keyrings/debian-*.gpg', wantlist=True) }}"
 loop_control:
- label: "{{ item.0.distro }}/{{ item.0.codename }} {{ item.1 }}"
- get_url:
- url: "{{ debian_installer_url[item.0.distro] }}/dists/{{ item.0.codename }}/main/installer-{{ item.1 }}/current/{{ [item.0.distro, item.0.codename] | di_images_path }}/netboot/{{ item.0.distro }}-installer/{{ item.1 }}/initrd.gz"
- dest: "{{ installer_path }}/{{ item.0.distro }}-{{ item.0.codename }}/{{ item.1 }}/initrd.gz"
- mode: 0644
- force: "{{ debian_installer_force_download }}"
+ label: "{{ item | basename }}"
+ copy:
+ src: "{{ item }}"
+ dest: "{{ installer_base_path }}/keyrings/{{ item | basename }}"

-## TODO verfiy downloaded files using:
-## "{{ debian_installer_url[item.0.distro] }}/dists/{{ item.0.codename }}/InRelease
-## "{{ debian_installer_url[item.0.distro] }}/dists/{{ item.0.codename }}/main/installer-{{ item.1 }}/current/{{ [item.0.distro, item.0.codename] | di_images_path }}/SHA256SUMS
+- name: copy ubuntu keyring file
+ copy:
+ src: "{{ global_files_dir }}/common/keyrings/ubuntu-archive.gpg"
+ dest: "{{ installer_base_path }}/keyrings/ubuntu-archive.gpg"
diff --git a/roles/installer/debian/fetch/defaults/main.yml b/roles/installer/debian/fetch/defaults/main.yml
new file mode 100644
index 00000000..eebc59bf
--- /dev/null
+++ b/roles/installer/debian/fetch/defaults/main.yml
@@ -0,0 +1,12 @@
+---
+# debian_installer_distro: debian
+# debian_installer_codename: buster
+debian_installer_arch: amd64
+# debian_installer_variant: netboot
+
+debian_installer_force_download: no
+debian_installer_url:
+# debian: "https://debian.ffgraz.net/debian"
+# ubuntu: "https://debian.ffgraz.net/ubuntu"
+ debian: "http://deb.debian.org/debian"
+ ubuntu: "http://archive.ubuntu.com/ubuntu"
diff --git a/roles/installer/debian/base/filter_plugins/main.py b/roles/installer/debian/fetch/filter_plugins/main.py
index 298e7efd..298e7efd 100644
--- a/roles/installer/debian/base/filter_plugins/main.py
+++ b/roles/installer/debian/fetch/filter_plugins/main.py
diff --git a/roles/installer/debian/fetch/tasks/main.yml b/roles/installer/debian/fetch/tasks/main.yml
new file mode 100644
index 00000000..dc87655f
--- /dev/null
+++ b/roles/installer/debian/fetch/tasks/main.yml
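Review bot: The keyring directory is hard-wired to `{{ installer_base_path }}/keyrings` in all three new tasks, while the verify-debian.yml and verify-ubuntu.yml files added in this same commit look the keyring up via `installer_keyrings_path | default(installer_base_path+'/keyrings')`, so a deployment that sets `installer_keyrings_path` writes the keyrings to one directory and gpg reads from another, failing with a missing-keyring error. Use the same expression here, e.g. `name: "{{ installer_keyrings_path | default(installer_base_path+'/keyrings') }}"` for the directory and the two `dest:` values, or define that default once and reference it from both roles. Unrelated but in the same hunk: neither `copy` task sets `mode:`, unlike the `get_url` tasks it replaces; `mode: "0644"` keeps the public keyrings readable independent of the target's umask.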
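Review bot: `debian_installer_force_download: no` depends on the YAML 1.1 `no` → false coercion; the canonical `debian_installer_force_download: false` reads the same in Ansible and in yamllint/non-Ansible tooling. The commented-out `debian_installer_distro`, `debian_installer_codename` and `debian_installer_variant` lines are the only hint that these are required inputs without a default, and the role fails on an undefined variable rather than with a clear message; a comment such as `# required, no default: debian_installer_distro, debian_installer_codename, debian_installer_variant` would state the contract. The plain-http mirror URLs are acceptable here only because the fetch role verifies the signed Release/SHA256SUMS before trusting any download; a one-line comment saying so would stop a later edit from weakening the verification without noticing the dependency.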
@@ -0,0 +1,35 @@
+---
+- name: prepare directories for installer files
+ file:
+ name: "{{ installer_base_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}"
+ state: directory
+
+- name: download and verify installer files
+ block:
+ - name: fetch and verify installer checksums
+ include_tasks: "verify-{{ install_distro }}.yml"
+
+ - name: download installer kernel image
+ get_url:
+ url: "{{ debian_installer_base_url }}/{{ debian_installer_variant_path }}/{{ debian_installer_variant_kernal_image_name }}"
+ dest: "{{ installer_base_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/{{ debian_installer_variant_kernal_image_name }}"
+ checksum: "{{ debian_installer_kernel_checksum }}"
+ force: "{{ debian_installer_force_download }}"
+ mode: 0644
+
+ - name: download installer initrd.gz
+ get_url:
+ url: "{{ debian_installer_base_url }}/{{ debian_installer_variant_path }}/initrd.gz"
+ dest: "{{ installer_base_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/initrd.gz"
+ checksum: "{{ debian_installer_initrd_checksum }}"
+ force: "{{ debian_installer_force_download }}"
+ mode: 0644
+
+ rescue:
+ - name: remove all downloaded files
+ file:
+ name: "{{ installer_base_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}"
+ state: absent
+
+ - fail:
+ msg: "download/verification of installer files failed"
diff --git a/roles/installer/debian/fetch/tasks/verify-debian.yml b/roles/installer/debian/fetch/tasks/verify-debian.yml
new file mode 100644
index 00000000..6846451d
--- /dev/null
+++ b/roles/installer/debian/fetch/tasks/verify-debian.yml
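Review bot: `include_tasks: "verify-{{ install_distro }}.yml"` keys off `install_distro`, whereas every other input of this role is a `debian_installer_*` variable, and verify-debian.yml in this commit likewise reads `install_codename` for the keyring file name. The usb role happens to set both from the same source, so it works there, but any caller that passes only the `debian_installer_*` vars gets an undefined-variable failure or, worse, the verify file and keyring of a different distro/codename than the one being downloaded; use `include_tasks: "verify-{{ debian_installer_distro }}.yml"` here and `debian-{{ debian_installer_codename }}.gpg` in verify-debian.yml. Minor: `mode: 0644` is an unquoted octal literal on both `get_url` tasks; `mode: "0644"` sidesteps the YAML 1.1 integer conversion.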
@@ -0,0 +1,46 @@
+---
+- name: download Release and Signature file
+ loop:
+ - Release
+ - Release.gpg
+ get_url:
+ url: "{{ debian_installer_base_url | dirname | dirname | dirname | dirname }}/{{ item }}"
+ dest: "{{ installer_base_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/{{ item }}"
+
+- name: verfiy signature of Release file
+ command: >-
+ gpg --no-options --trust-model always --no-default-keyring --secret-keyring /dev/null
+ --keyring "{{ installer_keyrings_path | default(installer_base_path+'/keyrings') }}/debian-{{ install_codename }}.gpg"
+ --verify "{{ installer_base_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/Release.gpg"
+ "{{ installer_base_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/Release"
+ changed_when: False
+ register: debian_installer_gpg_result
+
+- debug:
+ var: debian_installer_gpg_result.stderr_lines
+
+- name: extract checksum file hash from Release file
+ command: grep -E "^ [0-9a-z]{64} .* main/installer-{{ debian_installer_arch }}/current/{{ [debian_installer_distro, debian_installer_codename] | di_images_path }}/SHA256SUMS$" "{{ installer_base_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/Release"
+ changed_when: false
+ register: debian_installer_inrelease_sha256
+
+- name: download SHA256SUMS
+ get_url:
+ url: "{{ debian_installer_base_url }}/SHA256SUMS"
+ dest: "{{ installer_base_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/SHA256SUMS"
+ checksum: "sha256:{{ (debian_installer_inrelease_sha256.stdout | trim).split(' ') | first }}"
+
+- name: extract kernel image hash from SHA256SUMS
+ command: grep -E "^[0-9a-z]{64}\s+(./)?{{ debian_installer_variant_path }}/{{ debian_installer_variant_kernal_image_name }}$" "{{ installer_base_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/SHA256SUMS"
+ changed_when: false
+ register: debian_installer_sha256sums_kernel
+
+- name: extract inital ramdisk hash from SHA256SUMS
+ command: grep -E "^[0-9a-z]{64}\s+(./)?{{ debian_installer_variant_path }}/initrd.gz$" "{{ installer_base_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/SHA256SUMS"
+ changed_when: false
+ register: debian_installer_sha256sums_initrd
+
+- name: set checksum variables
+ set_fact:
+ debian_installer_kernel_checksum: "sha256:{{ debian_installer_sha256sums_kernel.stdout.split(' ') | first }}"
+ debian_installer_initrd_checksum: "sha256:{{ debian_installer_sha256sums_initrd.stdout.split(' ') | first }}"
diff --git a/roles/installer/debian/fetch/tasks/verify-ubuntu.yml b/roles/installer/debian/fetch/tasks/verify-ubuntu.yml
new file mode 100644
index 00000000..e7cff3ae
--- /dev/null
+++ b/roles/installer/debian/fetch/tasks/verify-ubuntu.yml
@@ -0,0 +1,35 @@
+---
+- name: download SHA256SUMS and signature file
+ loop:
+ - SHA256SUMS
+ - SHA256SUMS.gpg
+ get_url:
+ url: "{{ debian_installer_base_url }}/{{ item }}"
+ dest: "{{ installer_base_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/{{ item }}"
+
+- name: verfiy signature of SHA256SUMS.gpg file
+ command: >-
+ gpg --no-options --trust-model always --no-default-keyring --secret-keyring /dev/null
+ --keyring "{{ installer_keyrings_path | default(installer_base_path+'/keyrings') }}/ubuntu-archive.gpg"
+ --verify "{{ installer_base_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/SHA256SUMS.gpg"
+ "{{ installer_base_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/SHA256SUMS"
+ changed_when: False
+ register: debian_installer_gpg_result
+
+- debug:
+ var: debian_installer_gpg_result.stderr_lines
+
+- name: extract kernel image hash from SHA256SUMS
+ command: grep -E "^[0-9a-z]{64}\s+(./)?{{ debian_installer_variant_path }}/{{ debian_installer_variant_kernal_image_name }}$" "{{ installer_base_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/SHA256SUMS"
+ changed_when: false
+ register: debian_installer_sha256sums_kernel
+
+- name: extract inital ramdisk hash from SHA256SUMS
+ command: grep -E "^[0-9a-z]{64}\s+(./)?{{ debian_installer_variant_path }}/initrd.gz$" "{{ installer_base_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/SHA256SUMS"
+ changed_when: false
+ register: debian_installer_sha256sums_initrd
+
+- name: set checksum variables
+ set_fact:
+ debian_installer_kernel_checksum: "sha256:{{ debian_installer_sha256sums_kernel.stdout.split(' ') | first }}"
+ debian_installer_initrd_checksum: "sha256:{{ debian_installer_sha256sums_initrd.stdout.split(' ') | first }}"
diff --git a/roles/installer/debian/fetch/vars/main.yml b/roles/installer/debian/fetch/vars/main.yml
new file mode 100644
index 00000000..404b571a
--- /dev/null
+++ b/roles/installer/debian/fetch/vars/main.yml
@@ -0,0 +1,13 @@
+---
+debian_installer_base_url: "{{ debian_installer_url[debian_installer_distro] }}/dists/{{ debian_installer_codename }}/main/installer-{{ debian_installer_arch }}/current/{{ [debian_installer_distro, debian_installer_codename] | di_images_path }}"
+
+_debian_installer_variant_path_:
+ netboot: "netboot/{{ debian_installer_distro }}-installer/{{ debian_installer_arch }}"
+ hd-media: "hd-media"
+
+_debian_installer_variant_kernel_image_name_:
+ netboot: "linux"
+ hd-media: "vmlinuz"
+
+debian_installer_variant_path: "{{ _debian_installer_variant_path_[debian_installer_variant] }}"
+debian_installer_variant_kernal_image_name: "{{ _debian_installer_variant_kernel_image_name_[debian_installer_variant] }}"
diff --git a/roles/installer/debian/preseed/defaults/main.yml b/roles/installer/debian/preseed/defaults/main.yml
index cfdef902..b5aad35c 100644
--- a/roles/installer/debian/preseed/defaults/main.yml
+++ b/roles/installer/debian/preseed/defaults/main.yml
@@ -1,7 +1,8 @@
 ---
-#preseed_tmpdir:
+# preseed_orig_initrd
+# preseed_tmpdir:

-#preseed_force_net_ifnames_policy: path
+# preseed_force_net_ifnames_policy: path

 preseed_no_netplan: no
 preseed_virtual_machine: no
diff --git a/roles/installer/debian/preseed/tasks/main.yml b/roles/installer/debian/preseed/tasks/main.yml
index 2934ca1b..2d229aa8 100644
--- a/roles/installer/debian/preseed/tasks/main.yml
+++ b/roles/installer/debian/preseed/tasks/main.yml
@@ -2,8 +2,8 @@
 - name: Copy initramfs into position
 copy:
 remote_src: yes
- src: "{{ installer_path | mandatory }}/{{ install_distro }}-{{ install_codename }}/{{ hostvars[install_hostname].install_cooked.arch | default('amd64') }}/initrd.gz"
- dest: "{{ preseed_tmpdir }}/initrd.preseed.gz"
+ src: "{{ preseed_orig_initrd }}"
+ dest: "{{ preseed_tmpdir }}/initrd.{{ install_hostname }}.gz"

 - name: Generate preseed file
 template:
@@ -42,7 +42,7 @@ NamePolicy={{ preseed_force_net_ifnames_policy }}


 - name: Inject files into initramfs
- shell: cpio -H newc -o | gzip -9 >> 'initrd.preseed.gz'
+ shell: cpio -H newc -o | gzip -9 >> 'initrd.{{ install_hostname }}.gz'
 args:
 chdir: "{{ preseed_tmpdir }}"
 stdin: |
diff --git a/roles/installer/debian/usb/tasks/main.yml b/roles/installer/debian/usb/tasks/main.yml
index 8d2df387..44f793e9 100644
--- a/roles/installer/debian/usb/tasks/main.yml
+++ b/roles/installer/debian/usb/tasks/main.yml
@@ -12,13 +12,12 @@
 - block:
 - name: download installer
 vars:
- debian_installer_distros:
- - distro: "{{ install_distro }}"
- codename: "{{ install_codename }}"
- arch:
- - "{{ install.arch | default('amd64') }}"
+ debian_installer_distro: "{{ install_distro }}"
+ debian_installer_codename: "{{ install_codename }}"
+ debian_installer_arch: "{{ install.arch | default('amd64') }}"
+ debian_installer_variant: netboot
 import_role:
- role: installer/debian/base
+ role: installer/debian/fetch

 - name: Create temporary workdir
 tempfile:
@@ -33,18 +32,19 @@
 - name: Copy the preseed initramfs to the usb drive
 copy:
- src: "{{ tmpdir.path }}/initrd.preseed.gz"
+ src: "{{ tmpdir.path }}/initrd.{{ install_hostname }}.gz"
 dest: "{{ usb_install_path }}/initrd.{{ install_hostname }}.gz"

 always:
 - name: Cleanup temporary workdir
+ when: tmpdir.path is defined
 file:
 path: "{{ tmpdir.path }}"
 state: absent

 - name: Copy linux kernel image to the USB drive
 copy:
- src: "{{ global_cache_dir }}/debian-installer/{{ install_distro }}-{{ install_codename }}/{{ install.arch | default('amd64') }}/linux"
+ src: "{{ global_cache_dir }}/debian-installer/{{ install_distro }}-{{ install_codename }}/{{ install.arch | default('amd64') }}-{{ debian_installer_variant }}/linux"
 dest: "{{ usb_install_path }}/"

 - name: Generate syslinux configuration for BIOS boot
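Review bot: In the `@@ -42,7 +42,7 @@` hunk of preseed/tasks/main.yml, `install_hostname` is now interpolated into a shell command line inside single quotes (`>> 'initrd.{{ install_hostname }}.gz'`), so a hostname containing `'`, whitespace or other shell metacharacters breaks the cpio/gzip pipeline or writes to an unintended path. The value presumably comes from inventory rather than an untrusted source, so this is a robustness rather than an injection concern, but the idiomatic Ansible form costs nothing: `shell: cpio -H newc -o | gzip -9 >> {{ ('initrd.' ~ install_hostname ~ '.gz') | quote }}`. The same variable is used in the first hunk's `dest:` as a plain path, which needs no quoting since no shell is involved. The enclosing task list continues outside both hunks.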
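Review bot: The new `src:` of "Copy linux kernel image to the USB drive" references `{{ debian_installer_variant }}`, but in this diff that variable is only set as task-level `vars:` on the `import_role` task in the previous hunk, where it is scoped to the imported role's tasks; unless it is also defined in play, group or host vars not shown here, this task fails with an undefined variable on every run. Hoist `debian_installer_variant: netboot` to the play's or block's `vars:` (or repeat it on this task) so the download and the copy are guaranteed to agree on the variant. It is also worth confirming that `{{ global_cache_dir }}/debian-installer/...` resolves to the same directory the fetch role writes under `installer_base_path`, since that relationship is not visible in the diff and a mismatch would silently copy a stale, separately cached kernel. The enclosing block starts outside this hunk.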