authorChristian Pointner <equinox@spreadspace.org>2020-07-11 01:42:07 +0200
committerChristian Pointner <equinox@spreadspace.org>2020-07-11 01:42:07 +0200
commitc188d4ac1713506c3028b4501730713cfda0ed36 (patch)
treee056a15d599981f963f20365848d4032aa792191 /roles
parentpreseed/partman: nicer error text for not-enough-space (diff)
parentopenbsd installer: improve image verification (diff)
Merge branch 'topic/debian-installer-verification'
Diffstat (limited to 'roles')
-rw-r--r--roles/installer/debian/base/defaults/main.yml28
-rw-r--r--roles/installer/debian/base/tasks/main.yml39
-rw-r--r--roles/installer/debian/fetch/defaults/main.yml12
-rw-r--r--roles/installer/debian/fetch/filter_plugins/main.py (renamed from roles/installer/debian/base/filter_plugins/main.py)0
-rw-r--r--roles/installer/debian/fetch/tasks/main.yml35
-rw-r--r--roles/installer/debian/fetch/tasks/verify-debian.yml46
-rw-r--r--roles/installer/debian/fetch/tasks/verify-ubuntu.yml35
-rw-r--r--roles/installer/debian/fetch/vars/main.yml13
-rw-r--r--roles/installer/debian/preseed/defaults/main.yml5
-rw-r--r--roles/installer/debian/preseed/tasks/main.yml6
-rw-r--r--roles/installer/debian/usb/tasks/main.yml16
-rw-r--r--roles/installer/openbsd/autoinstall/defaults/main.yml5
-rw-r--r--roles/installer/openbsd/autoinstall/tasks/main.yml4
-rw-r--r--roles/installer/openbsd/autoinstall/vars/main.yml2
-rw-r--r--roles/installer/openbsd/base/defaults/main.yml13
-rw-r--r--roles/installer/openbsd/base/tasks/main.yml45
-rw-r--r--roles/installer/openbsd/fetch/defaults/main.yml6
-rw-r--r--roles/installer/openbsd/fetch/tasks/main.yml51
-rw-r--r--roles/installer/openbsd/fetch/vars/main.yml7
-rw-r--r--roles/openwrt/image/openwrt-keyring.gpgbin10385 -> 0 bytes
-rw-r--r--roles/openwrt/image/tasks/fetch.yml9
-rw-r--r--roles/vm/define/templates/libvirt-domain.xml.j26
-rw-r--r--roles/vm/host/tasks/main.yml4
-rw-r--r--roles/vm/install/tasks/installer-debian.yml21
-rw-r--r--roles/vm/install/tasks/installer-openbsd.yml19
-rw-r--r--roles/vm/install/tasks/main.yml36
26 files changed, 300 insertions, 163 deletions
diff --git a/roles/installer/debian/base/defaults/main.yml b/roles/installer/debian/base/defaults/main.yml
deleted file mode 100644
index fe6d880d..00000000
--- a/roles/installer/debian/base/defaults/main.yml
+++ /dev/null
@@ -1,28 +0,0 @@
-debian_installer_distros:
- - distro: debian
- codename: stretch
- arch:
- - amd64
- - i386
- - distro: debian
- codename: buster
- arch:
- - amd64
- - i386
-
- - distro: ubuntu
- codename: bionic
- arch:
- - amd64
- - i386
- - distro: ubuntu
- codename: focal
- arch:
- - amd64
-
-debian_installer_force_download: no
-debian_installer_url:
-# debian: "https://debian.ffgraz.net/debian"
-# ubuntu: "https://debian.ffgraz.net/ubuntu"
- debian: "http://deb.debian.org/debian"
- ubuntu: "http://archive.ubuntu.com/ubuntu"
diff --git a/roles/installer/debian/base/tasks/main.yml b/roles/installer/debian/base/tasks/main.yml
index f7841572..119b3670 100644
--- a/roles/installer/debian/base/tasks/main.yml
+++ b/roles/installer/debian/base/tasks/main.yml
@@ -1,31 +1,18 @@
-- name: prepare directories for installer images
- loop: "{{ debian_installer_distros | subelements('arch') }}"
- loop_control:
- label: "{{ item.0.distro }}/{{ item.0.codename }} {{ item.1 }}"
+---
+- name: prepare directory keyrings
file:
- name: "{{ installer_path }}/{{ item.0.distro }}-{{ item.0.codename }}/{{ item.1 }}"
+ name: "{{ installer_base_path }}/keyrings"
state: directory
-- name: download installer kernel images
- loop: "{{ debian_installer_distros | subelements('arch') }}"
- loop_control:
- label: "{{ item.0.distro }}/{{ item.0.codename }} {{ item.1 }}"
- get_url:
- url: "{{ debian_installer_url[item.0.distro] }}/dists/{{ item.0.codename }}/main/installer-{{ item.1 }}/current/{{ [item.0.distro, item.0.codename] | di_images_path }}/netboot/{{ item.0.distro }}-installer/{{ item.1 }}/linux"
- dest: "{{ installer_path }}/{{ item.0.distro }}-{{ item.0.codename }}/{{ item.1 }}/linux"
- mode: 0644
- force: "{{ debian_installer_force_download }}"
-
-- name: download installer initrd.gz
- loop: "{{ debian_installer_distros | subelements('arch') }}"
+- name: copy debian keyring files
+ loop: "{{ lookup('fileglob', global_files_dir+'/common/keyrings/debian-*.gpg', wantlist=True) }}"
loop_control:
- label: "{{ item.0.distro }}/{{ item.0.codename }} {{ item.1 }}"
- get_url:
- url: "{{ debian_installer_url[item.0.distro] }}/dists/{{ item.0.codename }}/main/installer-{{ item.1 }}/current/{{ [item.0.distro, item.0.codename] | di_images_path }}/netboot/{{ item.0.distro }}-installer/{{ item.1 }}/initrd.gz"
- dest: "{{ installer_path }}/{{ item.0.distro }}-{{ item.0.codename }}/{{ item.1 }}/initrd.gz"
- mode: 0644
- force: "{{ debian_installer_force_download }}"
+ label: "{{ item | basename }}"
+ copy:
+ src: "{{ item }}"
+ dest: "{{ installer_base_path }}/keyrings/{{ item | basename }}"
-## TODO verfiy downloaded files using:
-## "{{ debian_installer_url[item.0.distro] }}/dists/{{ item.0.codename }}/InRelease
-## "{{ debian_installer_url[item.0.distro] }}/dists/{{ item.0.codename }}/main/installer-{{ item.1 }}/current/{{ [item.0.distro, item.0.codename] | di_images_path }}/SHA256SUMS
+- name: copy ubuntu keyring file
+ copy:
+ src: "{{ global_files_dir }}/common/keyrings/ubuntu-archive.gpg"
+ dest: "{{ installer_base_path }}/keyrings/ubuntu-archive.gpg"
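Review bot: Neither `copy` task in this hunk sets a file mode, whereas the `get_url` tasks they replace set `mode: 0644`, so the keyring permissions now depend on the controller's source files and umask. These keyrings are the trust root for every signature check in the new fetch role, and the `fileglob` loop makes every `debian-*.gpg` present under `common/keyrings` a trusted key, so explicit `mode: "0644"` on both `copy` tasks keeps the result deterministic and world-readable for the verification step. A one-line comment above the first task, `# keyrings copied here are the trust anchors used by installer/debian/fetch`, would make that dependency visible.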
diff --git a/roles/installer/debian/fetch/defaults/main.yml b/roles/installer/debian/fetch/defaults/main.yml
new file mode 100644
index 00000000..eebc59bf
--- /dev/null
+++ b/roles/installer/debian/fetch/defaults/main.yml
@@ -0,0 +1,12 @@
+---
+# debian_installer_distro: debian
+# debian_installer_codename: buster
+debian_installer_arch: amd64
+# debian_installer_variant: netboot
+
+debian_installer_force_download: no
+debian_installer_url:
+# debian: "https://debian.ffgraz.net/debian"
+# ubuntu: "https://debian.ffgraz.net/ubuntu"
+ debian: "http://deb.debian.org/debian"
+ ubuntu: "http://archive.ubuntu.com/ubuntu"
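Review bot: `debian_installer_force_download: no` relies on YAML 1.1 truthy parsing; `debian_installer_force_download: false` is the canonical spelling and is what yamllint's truthy rule expects. The same `no` spelling is used in roles/installer/openbsd/fetch/defaults/main.yml. The commented placeholders for `debian_installer_distro`, `debian_installer_codename` and `debian_installer_variant` document the required inputs well; a short comment like `# required: distro, codename, variant (netboot|hd-media) — see vars/main.yml` above them would also tell readers which values `variant` accepts.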
diff --git a/roles/installer/debian/base/filter_plugins/main.py b/roles/installer/debian/fetch/filter_plugins/main.py
index 298e7efd..298e7efd 100644
--- a/roles/installer/debian/base/filter_plugins/main.py
+++ b/roles/installer/debian/fetch/filter_plugins/main.py
diff --git a/roles/installer/debian/fetch/tasks/main.yml b/roles/installer/debian/fetch/tasks/main.yml
new file mode 100644
index 00000000..dc87655f
--- /dev/null
+++ b/roles/installer/debian/fetch/tasks/main.yml
@@ -0,0 +1,35 @@
+---
+- name: prepare directories for installer files
+ file:
+ name: "{{ installer_base_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}"
+ state: directory
+
+- name: download and verify installer files
+ block:
+ - name: fetch and verify installer checksums
+ include_tasks: "verify-{{ install_distro }}.yml"
+
+ - name: download installer kernel image
+ get_url:
+ url: "{{ debian_installer_base_url }}/{{ debian_installer_variant_path }}/{{ debian_installer_variant_kernal_image_name }}"
+ dest: "{{ installer_base_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/{{ debian_installer_variant_kernal_image_name }}"
+ checksum: "{{ debian_installer_kernel_checksum }}"
+ force: "{{ debian_installer_force_download }}"
+ mode: 0644
+
+ - name: download installer initrd.gz
+ get_url:
+ url: "{{ debian_installer_base_url }}/{{ debian_installer_variant_path }}/initrd.gz"
+ dest: "{{ installer_base_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/initrd.gz"
+ checksum: "{{ debian_installer_initrd_checksum }}"
+ force: "{{ debian_installer_force_download }}"
+ mode: 0644
+
+ rescue:
+ - name: remove all downloaded files
+ file:
+ name: "{{ installer_base_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}"
+ state: absent
+
+ - fail:
+ msg: "download/verification of installer files failed"
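Review bot: `include_tasks: "verify-{{ install_distro }}.yml"` reads `install_distro`, although the role's own interface variable is `debian_installer_distro` (used for the directory name a few lines above); the same leak appears in verify-debian.yml, where the keyring is `debian-{{ install_codename }}.gpg`. A caller that sets only the `debian_installer_*` variables, as defaults/main.yml documents, would presumably fail on an undefined variable. Use `include_tasks: "verify-{{ debian_installer_distro }}.yml"` here and `debian-{{ debian_installer_codename }}.gpg` in verify-debian.yml. Separately, `mode: 0644` is an unquoted octal that parses differently under YAML 1.1 and 1.2; `mode: "0644"` is the portable form (also in roles/installer/openbsd/fetch/tasks/main.yml).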
diff --git a/roles/installer/debian/fetch/tasks/verify-debian.yml b/roles/installer/debian/fetch/tasks/verify-debian.yml
new file mode 100644
index 00000000..6846451d
--- /dev/null
+++ b/roles/installer/debian/fetch/tasks/verify-debian.yml
@@ -0,0 +1,46 @@
+---
+- name: download Release and Signature file
+ loop:
+ - Release
+ - Release.gpg
+ get_url:
+ url: "{{ debian_installer_base_url | dirname | dirname | dirname | dirname }}/{{ item }}"
+ dest: "{{ installer_base_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/{{ item }}"
+
+- name: verfiy signature of Release file
+ command: >-
+ gpg --no-options --trust-model always --no-default-keyring --secret-keyring /dev/null
+ --keyring "{{ installer_keyrings_path | default(installer_base_path+'/keyrings') }}/debian-{{ install_codename }}.gpg"
+ --verify "{{ installer_base_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/Release.gpg"
+ "{{ installer_base_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/Release"
+ changed_when: False
+ register: debian_installer_gpg_result
+
+- debug:
+ var: debian_installer_gpg_result.stderr_lines
+
+- name: extract checksum file hash from Release file
+ command: grep -E "^ [0-9a-z]{64} .* main/installer-{{ debian_installer_arch }}/current/{{ [debian_installer_distro, debian_installer_codename] | di_images_path }}/SHA256SUMS$" "{{ installer_base_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/Release"
+ changed_when: false
+ register: debian_installer_inrelease_sha256
+
+- name: download SHA256SUMS
+ get_url:
+ url: "{{ debian_installer_base_url }}/SHA256SUMS"
+ dest: "{{ installer_base_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/SHA256SUMS"
+ checksum: "sha256:{{ (debian_installer_inrelease_sha256.stdout | trim).split(' ') | first }}"
+
+- name: extract kernel image hash from SHA256SUMS
+ command: grep -E "^[0-9a-z]{64}\s+(./)?{{ debian_installer_variant_path }}/{{ debian_installer_variant_kernal_image_name }}$" "{{ installer_base_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/SHA256SUMS"
+ changed_when: false
+ register: debian_installer_sha256sums_kernel
+
+- name: extract inital ramdisk hash from SHA256SUMS
+ command: grep -E "^[0-9a-z]{64}\s+(./)?{{ debian_installer_variant_path }}/initrd.gz$" "{{ installer_base_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/SHA256SUMS"
+ changed_when: false
+ register: debian_installer_sha256sums_initrd
+
+- name: set checksum variables
+ set_fact:
+ debian_installer_kernel_checksum: "sha256:{{ debian_installer_sha256sums_kernel.stdout.split(' ') | first }}"
+ debian_installer_initrd_checksum: "sha256:{{ debian_installer_sha256sums_initrd.stdout.split(' ') | first }}"
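Review bot: The `get_url` task for `Release`/`Release.gpg` at the top of the hunk does not pass `force: "{{ debian_installer_force_download }}"`, while the kernel/initrd downloads in tasks/main.yml do. With `get_url`'s default `force: no` an already-cached Release file is never refreshed, so a run with force enabled re-fetches the images but verifies them against the cached, possibly outdated hash chain; as far as I can tell the `SHA256SUMS`, kernel and initrd downloads do not need `force` because `get_url` re-downloads when the given `checksum:` no longer matches. Add `force: "{{ debian_installer_force_download }}"` to the Release/Release.gpg download; the same applies to the `SHA256SUMS`/`SHA256SUMS.gpg` download in verify-ubuntu.yml. It would also help to note on the `extract checksum file hash from Release file` task that `Release` is trusted only because the gpg task above verified `Release.gpg` against the codename keyring.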
diff --git a/roles/installer/debian/fetch/tasks/verify-ubuntu.yml b/roles/installer/debian/fetch/tasks/verify-ubuntu.yml
new file mode 100644
index 00000000..e7cff3ae
--- /dev/null
+++ b/roles/installer/debian/fetch/tasks/verify-ubuntu.yml
@@ -0,0 +1,35 @@
+---
+- name: download SHA256SUMS and signature file
+ loop:
+ - SHA256SUMS
+ - SHA256SUMS.gpg
+ get_url:
+ url: "{{ debian_installer_base_url }}/{{ item }}"
+ dest: "{{ installer_base_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/{{ item }}"
+
+- name: verfiy signature of SHA256SUMS.gpg file
+ command: >-
+ gpg --no-options --trust-model always --no-default-keyring --secret-keyring /dev/null
+ --keyring "{{ installer_keyrings_path | default(installer_base_path+'/keyrings') }}/ubuntu-archive.gpg"
+ --verify "{{ installer_base_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/SHA256SUMS.gpg"
+ "{{ installer_base_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/SHA256SUMS"
+ changed_when: False
+ register: debian_installer_gpg_result
+
+- debug:
+ var: debian_installer_gpg_result.stderr_lines
+
+- name: extract kernel image hash from SHA256SUMS
+ command: grep -E "^[0-9a-z]{64}\s+(./)?{{ debian_installer_variant_path }}/{{ debian_installer_variant_kernal_image_name }}$" "{{ installer_base_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/SHA256SUMS"
+ changed_when: false
+ register: debian_installer_sha256sums_kernel
+
+- name: extract inital ramdisk hash from SHA256SUMS
+ command: grep -E "^[0-9a-z]{64}\s+(./)?{{ debian_installer_variant_path }}/initrd.gz$" "{{ installer_base_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/SHA256SUMS"
+ changed_when: false
+ register: debian_installer_sha256sums_initrd
+
+- name: set checksum variables
+ set_fact:
+ debian_installer_kernel_checksum: "sha256:{{ debian_installer_sha256sums_kernel.stdout.split(' ') | first }}"
+ debian_installer_initrd_checksum: "sha256:{{ debian_installer_sha256sums_initrd.stdout.split(' ') | first }}"
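Review bot: The grep patterns in the two `extract ... hash from SHA256SUMS` tasks use `[0-9a-z]{64}` and `(./)?`, where the class also admits `g`–`z` and the `.` is an unescaped wildcard; `^[0-9a-f]{64}\s+(\./)?` states the intent exactly and cannot match a line that is not a hex digest. `changed_when: False` on the gpg task and `changed_when: false` on the grep tasks mix boolean spellings in one file; use `false`. The same patterns appear in verify-debian.yml and, with `[0-9a-z]{64}`, in the SHA256.sig grep of roles/installer/openbsd/fetch/tasks/main.yml.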
diff --git a/roles/installer/debian/fetch/vars/main.yml b/roles/installer/debian/fetch/vars/main.yml
new file mode 100644
index 00000000..404b571a
--- /dev/null
+++ b/roles/installer/debian/fetch/vars/main.yml
@@ -0,0 +1,13 @@
+---
+debian_installer_base_url: "{{ debian_installer_url[debian_installer_distro] }}/dists/{{ debian_installer_codename }}/main/installer-{{ debian_installer_arch }}/current/{{ [debian_installer_distro, debian_installer_codename] | di_images_path }}"
+
+_debian_installer_variant_path_:
+ netboot: "netboot/{{ debian_installer_distro }}-installer/{{ debian_installer_arch }}"
+ hd-media: "hd-media"
+
+_debian_installer_variant_kernel_image_name_:
+ netboot: "linux"
+ hd-media: "vmlinuz"
+
+debian_installer_variant_path: "{{ _debian_installer_variant_path_[debian_installer_variant] }}"
+debian_installer_variant_kernal_image_name: "{{ _debian_installer_variant_kernel_image_name_[debian_installer_variant] }}"
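Review bot: `debian_installer_variant_kernal_image_name` misspells "kernel" while the private mapping it reads is `_debian_installer_variant_kernel_image_name_`, so the two names for one value differ by a typo. Renaming it to `debian_installer_variant_kernel_image_name` means updating its uses in tasks/main.yml and both verify-*.yml files, which are all part of this commit. A comment above `_debian_installer_variant_path_`, `# variant -> path below debian_installer_base_url; keys must match debian_installer_variant`, would document the lookup contract.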
diff --git a/roles/installer/debian/preseed/defaults/main.yml b/roles/installer/debian/preseed/defaults/main.yml
index cfdef902..b5aad35c 100644
--- a/roles/installer/debian/preseed/defaults/main.yml
+++ b/roles/installer/debian/preseed/defaults/main.yml
@@ -1,7 +1,8 @@
---
-#preseed_tmpdir:
+# preseed_orig_initrd
+# preseed_tmpdir:
-#preseed_force_net_ifnames_policy: path
+# preseed_force_net_ifnames_policy: path
preseed_no_netplan: no
preseed_virtual_machine: no
diff --git a/roles/installer/debian/preseed/tasks/main.yml b/roles/installer/debian/preseed/tasks/main.yml
index 2934ca1b..2d229aa8 100644
--- a/roles/installer/debian/preseed/tasks/main.yml
+++ b/roles/installer/debian/preseed/tasks/main.yml
@@ -2,8 +2,8 @@
- name: Copy initramfs into position
copy:
remote_src: yes
- src: "{{ installer_path | mandatory }}/{{ install_distro }}-{{ install_codename }}/{{ hostvars[install_hostname].install_cooked.arch | default('amd64') }}/initrd.gz"
- dest: "{{ preseed_tmpdir }}/initrd.preseed.gz"
+ src: "{{ preseed_orig_initrd }}"
+ dest: "{{ preseed_tmpdir }}/initrd.{{ install_hostname }}.gz"
- name: Generate preseed file
template:
@@ -42,7 +42,7 @@
NamePolicy={{ preseed_force_net_ifnames_policy }}
- name: Inject files into initramfs
- shell: cpio -H newc -o | gzip -9 >> 'initrd.preseed.gz'
+ shell: cpio -H newc -o | gzip -9 >> 'initrd.{{ install_hostname }}.gz'
args:
chdir: "{{ preseed_tmpdir }}"
stdin: |
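Review bot: `install_hostname` is now interpolated inside a single-quoted word of a `shell:` command; a value containing a quote or shell metacharacter would break the redirect, whereas the `copy` task earlier in this file only uses it as a path. `gzip -9 >> {{ ('initrd.' ~ install_hostname ~ '.gz') | quote }}` keeps the target a single shell word regardless of the value. The enclosing task continues past the end of the hunk.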
diff --git a/roles/installer/debian/usb/tasks/main.yml b/roles/installer/debian/usb/tasks/main.yml
index 8d2df387..44f793e9 100644
--- a/roles/installer/debian/usb/tasks/main.yml
+++ b/roles/installer/debian/usb/tasks/main.yml
@@ -12,13 +12,12 @@
- block:
- name: download installer
vars:
- debian_installer_distros:
- - distro: "{{ install_distro }}"
- codename: "{{ install_codename }}"
- arch:
- - "{{ install.arch | default('amd64') }}"
+ debian_installer_distro: "{{ install_distro }}"
+ debian_installer_codename: "{{ install_codename }}"
+ debian_installer_arch: "{{ install.arch | default('amd64') }}"
+ debian_installer_variant: netboot
import_role:
- role: installer/debian/base
+ role: installer/debian/fetch
- name: Create temporary workdir
tempfile:
@@ -33,18 +32,19 @@
- name: Copy the preseed initramfs to the usb drive
copy:
- src: "{{ tmpdir.path }}/initrd.preseed.gz"
+ src: "{{ tmpdir.path }}/initrd.{{ install_hostname }}.gz"
dest: "{{ usb_install_path }}/initrd.{{ install_hostname }}.gz"
always:
- name: Cleanup temporary workdir
+ when: tmpdir.path is defined
file:
path: "{{ tmpdir.path }}"
state: absent
- name: Copy linux kernel image to the USB drive
copy:
- src: "{{ global_cache_dir }}/debian-installer/{{ install_distro }}-{{ install_codename }}/{{ install.arch | default('amd64') }}/linux"
+ src: "{{ global_cache_dir }}/debian-installer/{{ install_distro }}-{{ install_codename }}/{{ install.arch | default('amd64') }}-{{ debian_installer_variant }}/linux"
dest: "{{ usb_install_path }}/"
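Review bot: The new kernel `src` references `debian_installer_variant`, but that variable is only set as task-level `vars:` on the `import_role` task in the previous hunk, so it is presumably undefined here unless a play-level variable provides it (defaults/main.yml of the fetch role only has it commented out). The path root is also `global_cache_dir/debian-installer` rather than the `installer_base_path` the fetch role writes to, so the copied kernel may not be the one the role just verified. `src: "{{ installer_base_path }}/{{ install_distro }}-{{ install_codename }}/{{ install.arch | default('amd64') }}-netboot/linux"` keeps the source tied to the verified download.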
- name: Generate syslinux configuration for BIOS boot
diff --git a/roles/installer/openbsd/autoinstall/defaults/main.yml b/roles/installer/openbsd/autoinstall/defaults/main.yml
index 27f7221a..b166c191 100644
--- a/roles/installer/openbsd/autoinstall/defaults/main.yml
+++ b/roles/installer/openbsd/autoinstall/defaults/main.yml
@@ -1,10 +1,7 @@
---
+# obsd_autoinstall_orig_iso:
# obsd_autoinstall_tmpdir:
-obsd_autoinstall_arch: "{{ hostvars[install_hostname].install_cooked.arch | default('amd64') }}"
-obsd_autoinstall_version: "{{ install_codename }}"
-obsd_autoinstall_version_short: "{{ obsd_autoinstall_version | replace('.', '') }}"
-
# obsd_autoinstall_serial_device: com0
# obsd_autoinstall_serial_baudrate: 115200
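Review bot: `obsd_autoinstall_arch` and `obsd_autoinstall_version` lose their defaults here, but unlike `obsd_autoinstall_orig_iso` and `obsd_autoinstall_tmpdir` they are not listed as required inputs. Add `# obsd_autoinstall_version:` and `# obsd_autoinstall_arch:` next to the other commented placeholders so the role's interface stays readable from its defaults; the caller in roles/vm/install/tasks/installer-openbsd.yml now sets both explicitly.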
diff --git a/roles/installer/openbsd/autoinstall/tasks/main.yml b/roles/installer/openbsd/autoinstall/tasks/main.yml
index b8e88b53..fc5f6194 100644
--- a/roles/installer/openbsd/autoinstall/tasks/main.yml
+++ b/roles/installer/openbsd/autoinstall/tasks/main.yml
@@ -29,7 +29,7 @@
- "INSTALL.{{ obsd_autoinstall_arch }}"
- "{{ obsd_autoinstall_file_sets | product([obsd_autoinstall_version_short+'.tgz']) | map('join') | list }}"
iso_extract:
- image: "{{ installer_path }}/openbsd-{{ obsd_autoinstall_version }}/{{ obsd_autoinstall_arch }}/install{{ obsd_autoinstall_version | replace('.', '') }}.iso"
+ image: "{{ obsd_autoinstall_orig_iso }}"
dest: "{{ obsd_autoinstall_tmpdir }}/files"
files: "{{ [obsd_autoinstall_version+'/'+obsd_autoinstall_arch+'/'] | product(installer_files | flatten) | map('join') | list }}"
@@ -45,7 +45,7 @@
dest: "{{ obsd_autoinstall_tmpdir }}/files/site{{ obsd_autoinstall_version_short }}.tgz"
- name: generate host specific installer image
- command: 'genisoimage -RTLldDN -o "install.iso" -no-emul-boot -b "cdbr" -c "boot.catalog" files/'
+ command: 'genisoimage -RTLldDN -o "{{ install_hostname }}.iso" -no-emul-boot -b "cdbr" -c "boot.catalog" files/'
args:
chdir: "{{ obsd_autoinstall_tmpdir }}/"
diff --git a/roles/installer/openbsd/autoinstall/vars/main.yml b/roles/installer/openbsd/autoinstall/vars/main.yml
new file mode 100644
index 00000000..c20909d1
--- /dev/null
+++ b/roles/installer/openbsd/autoinstall/vars/main.yml
@@ -0,0 +1,2 @@
+---
+obsd_autoinstall_version_short: "{{ obsd_autoinstall_version | replace('.', '') }}"
diff --git a/roles/installer/openbsd/base/defaults/main.yml b/roles/installer/openbsd/base/defaults/main.yml
deleted file mode 100644
index 10e9c840..00000000
--- a/roles/installer/openbsd/base/defaults/main.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-openbsd_versions:
- - version: 6.7
- arch:
- - amd64
- - i386
-
-openbsd_signing_keys:
- 6.7: |
- untrusted comment: openbsd 6.7 base public key
- RWRmkIA877Io3oCILSZoJGhAswifJbFK4r18ICoia+3c0PfwANueolNj
-
-openbsd_installer_force_download: no
-openbsd_installer_url: "https://cdn.openbsd.org/pub/OpenBSD"
diff --git a/roles/installer/openbsd/base/tasks/main.yml b/roles/installer/openbsd/base/tasks/main.yml
index 2d6e905e..412f3680 100644
--- a/roles/installer/openbsd/base/tasks/main.yml
+++ b/roles/installer/openbsd/base/tasks/main.yml
@@ -5,48 +5,3 @@
- genisoimage
- signify-openbsd
state: present
-
-- name: prepare directories for installer iso files
- loop: "{{ openbsd_versions | subelements('arch') }}"
- loop_control:
- label: "openbsd-{{ item.0.version }} {{ item.1 }}"
- file:
- name: "{{ installer_path }}/openbsd-{{ item.0.version }}/{{ item.1 }}"
- state: directory
-
-- name: download installer iso files
- loop: "{{ openbsd_versions | subelements('arch') }}"
- loop_control:
- label: "openbsd-{{ item.0.version }} {{ item.1 }}"
- get_url:
- url: "{{ openbsd_installer_url }}/{{ item.0.version }}/{{ item.1 }}/install{{ item.0.version | replace('.', '') }}.iso"
- dest: "{{ installer_path }}/openbsd-{{ item.0.version }}/{{ item.1 }}/install{{ item.0.version | replace('.', '') }}.iso"
- mode: 0644
- force: "{{ openbsd_installer_force_download }}"
-
-- name: download signed sha256 files
- loop: "{{ openbsd_versions | subelements('arch') }}"
- loop_control:
- label: "openbsd-{{ item.0.version }} {{ item.1 }}"
- get_url:
- url: "{{ openbsd_installer_url }}/{{ item.0.version }}/{{ item.1 }}/SHA256.sig"
- dest: "{{ installer_path }}/openbsd-{{ item.0.version }}/{{ item.1 }}/SHA256.sig"
- mode: 0644
- force: "{{ openbsd_installer_force_download }}"
-
-- name: create signing key files
- loop: "{{ openbsd_versions }}"
- loop_control:
- label: "openbsd-{{ item.version }}"
- copy:
- content: "{{ openbsd_signing_keys[item.version] }}"
- dest: "{{ installer_path }}/openbsd-{{ item.version }}/openbsd-{{ item.version | replace('.', '') }}-base.pub"
-
-- name: verfiy downloaded iso files
- loop: "{{ openbsd_versions | subelements('arch') }}"
- loop_control:
- label: "openbsd-{{ item.0.version }} {{ item.1 }}"
- command: "signify-openbsd -Cp ../openbsd-{{ item.0.version | replace('.', '') }}-base.pub -x SHA256.sig install{{ item.0.version | replace('.', '') }}.iso"
- args:
- chdir: "{{ installer_path }}/openbsd-{{ item.0.version }}/{{ item.1 }}"
- changed_when: false
diff --git a/roles/installer/openbsd/fetch/defaults/main.yml b/roles/installer/openbsd/fetch/defaults/main.yml
new file mode 100644
index 00000000..eeeaf2d0
--- /dev/null
+++ b/roles/installer/openbsd/fetch/defaults/main.yml
@@ -0,0 +1,6 @@
+---
+# openbsd_installer_version: 6.7
+openbsd_installer_arch: amd64
+
+openbsd_installer_force_download: no
+openbsd_installer_url: "https://cdn.openbsd.org/pub/OpenBSD"
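Review bot: The placeholder `# openbsd_installer_version: 6.7` shows an unquoted value that YAML would parse as the float 6.7; the lookup `openbsd_installer_signing_keys[openbsd_installer_version]` in tasks/main.yml uses quoted string keys (`"6.7"` in vars/main.yml), and `replace('.', '')` expects a string, so a user copying the example verbatim would presumably get an undefined-key or filter error. Write the placeholder as `# openbsd_installer_version: "6.7"` and add `# must be a quoted string, it is used as a mapping key` above it. `openbsd_installer_force_download: no` should be `false`, as noted for the Debian defaults.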
diff --git a/roles/installer/openbsd/fetch/tasks/main.yml b/roles/installer/openbsd/fetch/tasks/main.yml
new file mode 100644
index 00000000..97e8fb57
--- /dev/null
+++ b/roles/installer/openbsd/fetch/tasks/main.yml
@@ -0,0 +1,51 @@
+---
+- name: prepare directories for installer iso files
+ file:
+ name: "{{ installer_base_path }}/openbsd-{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}"
+ state: directory
+
+- name: download signed sha256 and buildinfo files
+ loop:
+ - SHA256.sig
+ - BUILDINFO
+ get_url:
+ url: "{{ openbsd_installer_url }}/{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}/{{ item }}"
+ dest: "{{ installer_base_path }}/openbsd-{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}/{{ item }}"
+ force: "{{ openbsd_installer_force_download }}"
+ mode: 0644
+
+- name: create signing key files
+ copy:
+ content: "{{ openbsd_installer_signing_keys[openbsd_installer_version] }}"
+ dest: "{{ installer_base_path }}/openbsd-{{ openbsd_installer_version }}/openbsd-{{ openbsd_installer_version_short }}-base.pub"
+
+## Unfortunately signify can't be used to verify just the sha256 file. If we would use the sha256 hashes without
+## verification an attacker could trick us into deleting a valid ISO file and downloading a harmful image instead.
+## Since the signature would be checked eventually the attacker cannot trick us into booting it but re-downlaoding
+## hundreds of megabytes is not fun.
+## As a workaround we download the smallest file that exists on the download server and use this file (BUILDINFO)
+## to verfiy the signature.
+## This process should speed up the installation quite a bit and make the overall image download process more solid.
+
+- name: verify downloaded files
+ command: "signify-openbsd -Cp ../openbsd-{{ openbsd_installer_version_short }}-base.pub -x SHA256.sig BUILDINFO"
+ args:
+ chdir: "{{ installer_base_path }}/openbsd-{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}"
+ changed_when: false
+ register: openbsd_installer_signify_result
+
+- debug:
+ var: openbsd_installer_signify_result.stdout_lines
+
+- name: extract sha256 hash for iso file
+ command: grep -E "^SHA256 \(install{{ openbsd_installer_version_short }}.iso\) = [0-9a-z]{64}$" "{{ installer_base_path }}/openbsd-{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}/SHA256.sig"
+ changed_when: false
+ register: openbsd_installer_sha256sum
+
+- name: download installer iso file
+ get_url:
+ url: "{{ openbsd_installer_url }}/{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}/install{{ openbsd_installer_version_short }}.iso"
+ dest: "{{ installer_base_path }}/openbsd-{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}/install{{ openbsd_installer_version_short }}.iso"
+ checksum: "sha256:{{ openbsd_installer_sha256sum.stdout.split('=') | last | trim }}"
+ force: "{{ openbsd_installer_force_download }}"
+ mode: 0644
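Review bot: The comment block above `verify downloaded files` is the only description of the BUILDINFO workaround and has typos (`re-downlaoding`, `verfiy`); the task name itself is also slightly misleading, since at that point only BUILDINFO is verified and the ISO is checked by the `checksum:` of the final `get_url`. Renaming it to `verify SHA256.sig signature (via BUILDINFO)` and adding `# SHA256.sig was signature-checked by the signify task above, so the digest taken from it is trusted` on `extract sha256 hash for iso file` would make the trust chain readable without the long preamble. The grep there uses `[0-9a-z]{64}`; `[0-9a-f]{64}` matches only a hex digest.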
diff --git a/roles/installer/openbsd/fetch/vars/main.yml b/roles/installer/openbsd/fetch/vars/main.yml
new file mode 100644
index 00000000..dad9f064
--- /dev/null
+++ b/roles/installer/openbsd/fetch/vars/main.yml
@@ -0,0 +1,7 @@
+---
+openbsd_installer_version_short: "{{ openbsd_installer_version | replace('.', '') }}"
+
+openbsd_installer_signing_keys:
+ "6.7": |
+ untrusted comment: openbsd 6.7 base public key
+ RWRmkIA877Io3oCILSZoJGhAswifJbFK4r18ICoia+3c0PfwANueolNj
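Review bot: `openbsd_installer_signing_keys` is the trust anchor for the whole OpenBSD download path, yet nothing says that each release needs its own entry or where a new key should be obtained from, and a version without an entry fails with an undefined key at the `create signing key files` task rather than with a clear message. A comment such as `# one entry per supported release, keyed by the quoted version string; add new base public keys only from a trusted, already-verified source` above the mapping documents the maintenance rule. Keeping the key value as a `|` block scalar, as done here, is right since signify expects the two-line key file format verbatim.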
diff --git a/roles/openwrt/image/openwrt-keyring.gpg b/roles/openwrt/image/openwrt-keyring.gpg
deleted file mode 100644
index 7dc3d397..00000000
--- a/roles/openwrt/image/openwrt-keyring.gpg
+++ /dev/null
Binary files differ
diff --git a/roles/openwrt/image/tasks/fetch.yml b/roles/openwrt/image/tasks/fetch.yml
index 05d2ad6e..e68e2da5 100644
--- a/roles/openwrt/image/tasks/fetch.yml
+++ b/roles/openwrt/image/tasks/fetch.yml
@@ -22,11 +22,14 @@
- name: Check OpenPGP signature
command: >-
- gpg --no-options --no-default-keyring --secret-keyring /dev/null
- --verify --keyring "{{ role_path }}/openwrt-keyring.gpg"
- --trust-model always
+ gpg --no-options --trust-model always --no-default-keyring --secret-keyring /dev/null
+ --verify --keyring "{{ global_files_dir }}/common/keyrings/openwrt.gpg"
"{{ openwrt_download_dir }}/{{ openwrt_tarball_basename }}.sha256.asc"
changed_when: False
+ register: openwrt_image_gpg_result
+
+ - debug:
+ var: openwrt_image_gpg_result.stderr_lines
- name: Extract SHA256 hash of the imagebuilder archive
command: grep '{{ openwrt_tarball_name }}' "{{ openwrt_download_dir }}/{{ openwrt_tarball_basename }}.sha256"
diff --git a/roles/vm/define/templates/libvirt-domain.xml.j2 b/roles/vm/define/templates/libvirt-domain.xml.j2
index c4c9e52a..ba0dcd5a 100644
--- a/roles/vm/define/templates/libvirt-domain.xml.j2
+++ b/roles/vm/define/templates/libvirt-domain.xml.j2
@@ -7,8 +7,8 @@
<type arch='x86_64' machine='pc-0.12'>hvm</type>
{% if vm_define_installer %}
{% if install_distro == 'debian' or install_distro == 'ubuntu' %}
- <kernel>{{ installer_path }}/{{ install_distro }}-{{ install_codename }}/{{ hostvars[install_hostname].install_cooked.arch | default('amd64') }}/linux</kernel>
- <initrd>{{ preseed_tmpdir }}/initrd.preseed.gz</initrd>
+ <kernel>{{ installer_base_path }}/{{ install_distro }}-{{ install_codename }}/{{ hostvars[install_hostname].install_cooked.arch | default('amd64') }}-netboot/linux</kernel>
+ <initrd>{{ installer_tmpdir }}/initrd.{{ install_hostname }}.gz</initrd>
<cmdline>console=ttyS0,115200n8 DEBCONF_DEBUG=5</cmdline>
<boot dev='hd'/>
{% elif install_distro == 'openbsd' %}
@@ -44,7 +44,7 @@
{% if vm_define_installer and install_distro == 'openbsd' %}
<disk type='file' device='cdrom'>
<driver name='qemu'/>
- <source file='{{ obsd_autoinstall_tmpdir }}/install.iso'/>
+ <source file='{{ installer_tmpdir }}/{{ install_hostname }}.iso'/>
<target dev='hdc' bus='ide'/>
<readonly/>
</disk>
diff --git a/roles/vm/host/tasks/main.yml b/roles/vm/host/tasks/main.yml
index 390016a2..4c29970d 100644
--- a/roles/vm/host/tasks/main.yml
+++ b/roles/vm/host/tasks/main.yml
@@ -43,11 +43,11 @@
- name: mount filesytem
mount:
src: "/dev/mapper/{{ installer_lvm.vg | replace('-', '--') }}-{{ installer_lvm.lv | replace('-', '--') }}"
- path: "{{ installer_path }}"
+ path: "{{ installer_base_path }}"
fstype: "{{ installer_lvm.fs }}"
state: mounted
- name: make sure installer directory exists
file:
- name: "{{ installer_path }}"
+ name: "{{ installer_base_path }}"
state: directory
diff --git a/roles/vm/install/tasks/installer-debian.yml b/roles/vm/install/tasks/installer-debian.yml
new file mode 100644
index 00000000..e0492969
--- /dev/null
+++ b/roles/vm/install/tasks/installer-debian.yml
@@ -0,0 +1,21 @@
+---
+- name: fetch debian installer files
+ vars:
+ debian_installer_distro: "{{ install_distro }}"
+ debian_installer_codename: "{{ install_codename }}"
+ debian_installer_arch: "{{ hostvars[install_hostname].install_cooked.arch | default('amd64') }}"
+ debian_installer_variant: netboot
+ import_role:
+ name: installer/debian/fetch
+
+- name: generate host specific initial ramdisk
+ vars:
+ ssh_keys_root: "{{ hostvars[install_hostname].ssh_keys_root }}"
+ preseed_orig_initrd: "{{ installer_base_path }}/{{ install_distro }}-{{ install_codename }}/{{ hostvars[install_hostname].install_cooked.arch | default('amd64') }}-netboot/initrd.gz"
+ preseed_tmpdir: "{{ tmpdir.path }}"
+ preseed_virtual_machine: yes
+ preseed_force_net_ifnames_policy: path
+ preseed_no_netplan: yes
+ install_interface: enp1s1
+ import_role:
+ name: installer/debian/preseed
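Review bot: The arch expression `hostvars[install_hostname].install_cooked.arch | default('amd64')` is written twice, and the `-netboot` suffix in `preseed_orig_initrd` repeats the `debian_installer_variant: netboot` value by hand, so the two tasks can drift apart. Task-level `vars:` are not shared between the two tasks, so a preceding `set_fact` (constructed example: `vm_install_arch`) or a comment `# must match debian_installer_arch/variant of the fetch task above` on `preseed_orig_initrd` would tie them together. `preseed_virtual_machine: yes` and `preseed_no_netplan: yes` should be `true`.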
diff --git a/roles/vm/install/tasks/installer-openbsd.yml b/roles/vm/install/tasks/installer-openbsd.yml
new file mode 100644
index 00000000..afa17c45
--- /dev/null
+++ b/roles/vm/install/tasks/installer-openbsd.yml
@@ -0,0 +1,19 @@
+---
+- name: fetch openbsd installer files
+ vars:
+ openbsd_installer_version: "{{ install_codename }}"
+ openbsd_installer_arch: "{{ hostvars[install_hostname].install_cooked.arch | default('amd64') }}"
+ import_role:
+ name: installer/openbsd/fetch
+
+- name: generate host specific autoinstall iso
+ vars:
+ ssh_keys_root: "{{ hostvars[install_hostname].ssh_keys_root }}"
+ obsd_autoinstall_orig_iso: "{{ installer_base_path }}/openbsd-{{ install_codename }}/{{ hostvars[install_hostname].install_cooked.arch | default('amd64') }}/install{{ openbsd_installer_version_short }}.iso"
+ obsd_autoinstall_tmpdir: "{{ tmpdir.path }}"
+ obsd_autoinstall_version: "{{ install_codename }}"
+ obsd_autoinstall_arch: "{{ hostvars[install_hostname].install_cooked.arch | default('amd64') }}"
+ obsd_autoinstall_serial_device: com0
+ install_interface: vio0
+ import_role:
+ name: installer/openbsd/autoinstall
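Review bot: `obsd_autoinstall_orig_iso` uses `openbsd_installer_version_short`, which is defined in the fetch role's vars/main.yml and is only in scope here because the preceding `import_role` exported it; skipping or reordering the fetch task would make this line fail on an undefined variable. `install{{ install_codename | replace('.', '') }}.iso` keeps the path self-contained, or a comment `# openbsd_installer_version_short comes from installer/openbsd/fetch imported above` should state the dependency. The arch expression is repeated twice here as in installer-debian.yml.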
diff --git a/roles/vm/install/tasks/main.yml b/roles/vm/install/tasks/main.yml
index 6b8f9ca7..a4511459 100644
--- a/roles/vm/install/tasks/main.yml
+++ b/roles/vm/install/tasks/main.yml
@@ -1,6 +1,6 @@
---
- name: create lvm-based disks for vm
- loop: "{{ hostvars[install_hostname].install_cooked.disks.virtio | default({}) | combine(hostvars[install_hostname].install_cooked.disks.scsi | default({})) | dict2items | selectattr('value.type', 'eq', 'lvm') | list }}"
+ loop: "{{ hostvars[install_hostname].install_cooked.disks.virtio | default({}) | combine(hostvars[install_hostname].install_cooked.disks.scsi | default({})) | dict2items | selectattr('value.type', 'eq', 'lvm') | list }}"
loop_control:
label: "{{ item.value.vg }} / {{ item.value.lv }} ({{ item.value.size }})"
lvol:
@@ -31,28 +31,16 @@
- block:
- name: create a temporary workdir
tempfile:
+ path: "{{ installer_base_path }}/"
+ prefix: ".{{ install_hostname }}."
state: directory
register: tmpdir
- when: install_distro in ['debian', 'ubuntu']
- vars:
- ssh_keys_root: "{{ hostvars[install_hostname].ssh_keys_root }}"
- preseed_tmpdir: "{{ tmpdir.path }}"
- preseed_virtual_machine: yes
- preseed_force_net_ifnames_policy: path
- preseed_no_netplan: yes
- install_interface: enp1s1
- import_role:
- name: installer/debian/preseed
+ import_tasks: installer-debian.yml
- when: install_distro in ['openbsd']
- vars:
- ssh_keys_root: "{{ hostvars[install_hostname].ssh_keys_root }}"
- obsd_autoinstall_tmpdir: "{{ tmpdir.path }}"
- obsd_autoinstall_serial_device: com0
- install_interface: vio0
- import_role:
- name: installer/openbsd/autoinstall
+ import_tasks: installer-openbsd.yml
- name: Make installer workdir readable by qemu
acl:
@@ -62,11 +50,11 @@
etype: user
permissions: rx
- - import_role:
- name: vm/define
- vars:
+ - vars:
vm_define_installer: yes
- preseed_tmpdir: "{{ tmpdir.path }}"
+ installer_tmpdir: "{{ tmpdir.path }}"
+ import_role:
+ name: vm/define
- debug:
msg: "you can check on the status of the installer running this command 'virsh console {{ install_hostname }}' on host {{ inventory_hostname }}."
@@ -94,7 +82,7 @@
path: "{{ tmpdir.path }}"
state: absent
-- import_role:
- name: vm/define
- vars:
+- vars:
vm_define_installer: no
+ import_role:
+ name: vm/define