From 3b0761df1a6ba541011435ff590620220d44431e Mon Sep 17 00:00:00 2001 From: Christian Pointner Date: Fri, 10 Jul 2020 19:49:34 +0200 Subject: refacter installer/debian/base to make future file verification easier --- roles/installer/debian/base/defaults/main.yml | 26 +++++-------------------- roles/installer/debian/base/tasks/main.yml | 28 ++++++++++----------------- roles/installer/debian/base/vars/main.yml | 13 +++++++++++++ roles/installer/debian/preseed/tasks/main.yml | 2 +- roles/installer/debian/usb/tasks/main.yml | 11 +++++------ 5 files changed, 34 insertions(+), 46 deletions(-) create mode 100644 roles/installer/debian/base/vars/main.yml (limited to 'roles') diff --git a/roles/installer/debian/base/defaults/main.yml b/roles/installer/debian/base/defaults/main.yml index fe6d880d..eebc59bf 100644 --- a/roles/installer/debian/base/defaults/main.yml +++ b/roles/installer/debian/base/defaults/main.yml @@ -1,24 +1,8 @@ -debian_installer_distros: - - distro: debian - codename: stretch - arch: - - amd64 - - i386 - - distro: debian - codename: buster - arch: - - amd64 - - i386 - - - distro: ubuntu - codename: bionic - arch: - - amd64 - - i386 - - distro: ubuntu - codename: focal - arch: - - amd64 +--- +# debian_installer_distro: debian +# debian_installer_codename: buster +debian_installer_arch: amd64 +# debian_installer_variant: netboot debian_installer_force_download: no debian_installer_url: diff --git a/roles/installer/debian/base/tasks/main.yml b/roles/installer/debian/base/tasks/main.yml index f7841572..1984df2c 100644 --- a/roles/installer/debian/base/tasks/main.yml +++ b/roles/installer/debian/base/tasks/main.yml 
@@ -1,31 +1,23 @@ -- name: prepare directories for installer images - loop: "{{ debian_installer_distros | subelements('arch') }}" - loop_control: - label: "{{ item.0.distro }}/{{ item.0.codename }} {{ item.1 }}" +--- +- name: prepare directories for installer files file: - name: "{{ installer_path }}/{{ item.0.distro }}-{{ item.0.codename }}/{{ item.1 }}" + name: "{{ installer_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}" state: directory -- name: download installer kernel images - loop: "{{ debian_installer_distros | subelements('arch') }}" - loop_control: - label: "{{ item.0.distro }}/{{ item.0.codename }} {{ item.1 }}" +- name: download installer kernel image get_url: - url: "{{ debian_installer_url[item.0.distro] }}/dists/{{ item.0.codename }}/main/installer-{{ item.1 }}/current/{{ [item.0.distro, item.0.codename] | di_images_path }}/netboot/{{ item.0.distro }}-installer/{{ item.1 }}/linux" - dest: "{{ installer_path }}/{{ item.0.distro }}-{{ item.0.codename }}/{{ item.1 }}/linux" + url: "{{ debian_installer_base_url }}/{{ debian_installer_variant_path }}/{{ debian_installer_variant_kernal_image_name }}" + dest: "{{ installer_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/{{ debian_installer_variant_kernal_image_name }}" mode: 0644 force: "{{ debian_installer_force_download }}" - name: download installer initrd.gz - loop: "{{ debian_installer_distros | subelements('arch') }}" - loop_control: - label: "{{ item.0.distro }}/{{ item.0.codename }} {{ item.1 }}" get_url: - url: "{{ debian_installer_url[item.0.distro] }}/dists/{{ item.0.codename }}/main/installer-{{ item.1 }}/current/{{ [item.0.distro, item.0.codename] | di_images_path }}/netboot/{{ item.0.distro }}-installer/{{ item.1 }}/initrd.gz" - dest: "{{ installer_path }}/{{ item.0.distro }}-{{ item.0.codename }}/{{ item.1 }}/initrd.gz" + url: "{{ 
debian_installer_base_url }}/{{ debian_installer_variant_path }}/initrd.gz" + dest: "{{ installer_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/initrd.gz" mode: 0644 force: "{{ debian_installer_force_download }}" ## TODO verfiy downloaded files using: -## "{{ debian_installer_url[item.0.distro] }}/dists/{{ item.0.codename }}/InRelease -## "{{ debian_installer_url[item.0.distro] }}/dists/{{ item.0.codename }}/main/installer-{{ item.1 }}/current/{{ [item.0.distro, item.0.codename] | di_images_path }}/SHA256SUMS +## "{{ debian_installer_url[debian_installer_distro] }}/dists/{{ debian_installer_codename }}/InRelease +## "{{ debian_installer_url[debian_installer_distro] }}/dists/{{ debian_installer_codename }}/main/installer-{{ debian_installer_arch }}/current/{{ [debian_installer_distro, debian_installer_codename] | di_images_path }}/SHA256SUMS diff --git a/roles/installer/debian/base/vars/main.yml b/roles/installer/debian/base/vars/main.yml new file mode 100644 index 00000000..404b571a --- /dev/null +++ b/roles/installer/debian/base/vars/main.yml @@ -0,0 +1,13 @@ +--- +debian_installer_base_url: "{{ debian_installer_url[debian_installer_distro] }}/dists/{{ debian_installer_codename }}/main/installer-{{ debian_installer_arch }}/current/{{ [debian_installer_distro, debian_installer_codename] | di_images_path }}" + +_debian_installer_variant_path_: + netboot: "netboot/{{ debian_installer_distro }}-installer/{{ debian_installer_arch }}" + hd-media: "hd-media" + +_debian_installer_variant_kernel_image_name_: + netboot: "linux" + hd-media: "vmlinuz" + +debian_installer_variant_path: "{{ _debian_installer_variant_path_[debian_installer_variant] }}" +debian_installer_variant_kernal_image_name: "{{ _debian_installer_variant_kernel_image_name_[debian_installer_variant] }}" 
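Review bot: The new variable `debian_installer_variant_kernal_image_name` (and the `_debian_installer_variant_kernel_image_name_` map it indexes, which is spelt correctly) misspells "kernel", and the tasks file above already references the misspelt name, so the typo is about to be baked into every consumer; renaming it now is cheap: `debian_installer_variant_kernel_image_name: "{{ _debian_installer_variant_kernel_image_name_[debian_installer_variant] }}"`. `debian_installer_variant` has no default in defaults/main.yml (only a commented placeholder), so an invocation that omits it dies at the `_debian_installer_variant_path_[debian_installer_variant]` lookup with a generic undefined-variable error; an `assert` at the top of tasks/main.yml naming the required `debian_installer_distro`/`codename`/`variant` would fail with a clear message instead.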
diff --git a/roles/installer/debian/preseed/tasks/main.yml b/roles/installer/debian/preseed/tasks/main.yml index 2934ca1b..3dd106e3 100644 --- a/roles/installer/debian/preseed/tasks/main.yml +++ b/roles/installer/debian/preseed/tasks/main.yml @@ -2,7 +2,7 @@ - name: Copy initramfs into position copy: remote_src: yes - src: "{{ installer_path | mandatory }}/{{ install_distro }}-{{ install_codename }}/{{ hostvars[install_hostname].install_cooked.arch | default('amd64') }}/initrd.gz" + src: "{{ installer_path | mandatory }}/{{ install_distro }}-{{ install_codename }}/{{ hostvars[install_hostname].install_cooked.arch | default('amd64') }}-{{ debian_installer_variant }}/initrd.gz" dest: "{{ preseed_tmpdir }}/initrd.preseed.gz" - name: Generate preseed file diff --git a/roles/installer/debian/usb/tasks/main.yml b/roles/installer/debian/usb/tasks/main.yml index 8d2df387..79251fdf 100644 --- a/roles/installer/debian/usb/tasks/main.yml +++ b/roles/installer/debian/usb/tasks/main.yml @@ -12,11 +12,10 @@ - block: - name: download installer vars: - debian_installer_distros: - - distro: "{{ install_distro }}" - codename: "{{ install_codename }}" - arch: - - "{{ install.arch | default('amd64') }}" + debian_installer_distro: "{{ install_distro }}" + debian_installer_codename: "{{ install_codename }}" + debian_installer_arch: "{{ install.arch | default('amd64') }}" + debian_installer_variant: netboot import_role: role: installer/debian/base @@ -44,7 +43,7 @@ - name: Copy linux kernel image to the USB drive copy: - src: "{{ global_cache_dir }}/debian-installer/{{ install_distro }}-{{ install_codename }}/{{ install.arch | default('amd64') }}/linux" + src: "{{ global_cache_dir }}/debian-installer/{{ install_distro }}-{{ install_codename }}/{{ install.arch | default('amd64') }}-{{ debian_installer_variant }}/linux" dest: "{{ usb_install_path }}/" - name: Generate syslinux configuration for BIOS boot -- cgit v1.2.3 From 701383c4c177572521bf09abc9242cd1c3f8e2f1 Mon Sep 17 00:00:00 2001 
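Review bot: `debian_installer_variant: netboot` is set only in the `vars:` of the `import_role` task in the first hunk of this file, which scopes it to the imported role's tasks, yet the `Copy linux kernel image to the USB drive` task in this hunk (and the preseed role's `Copy initramfs into position` above) templates `{{ debian_installer_variant }}` into its `src` path outside that scope; unless the variable is also defined at play or inventory level, which is not visible here, those paths fail with an undefined variable. Defining it once where `installer_path` is set for the calling play, e.g. `debian_installer_variant: netboot`, keeps the download path and the copy path derived from the same value.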
From: Christian Pointner Date: Fri, 10 Jul 2020 21:45:43 +0200 Subject: debian installer file verification works now --- files/common/keyrings/debian-buster.gpg | Bin 0 -> 17541 bytes files/common/keyrings/debian-stretch.gpg | Bin 0 -> 14428 bytes files/common/keyrings/ubuntu-archive.gpg | Bin 0 -> 4909 bytes roles/installer/debian/base/tasks/main.yml | 42 ++++++++++++------- .../installer/debian/base/tasks/verify-debian.yml | 46 +++++++++++++++++++++ .../installer/debian/base/tasks/verify-ubuntu.yml | 35 ++++++++++++++++ roles/installer/debian/usb/tasks/main.yml | 1 + 7 files changed, 109 insertions(+), 15 deletions(-) create mode 100644 files/common/keyrings/debian-buster.gpg create mode 100644 files/common/keyrings/debian-stretch.gpg create mode 100644 files/common/keyrings/ubuntu-archive.gpg create mode 100644 roles/installer/debian/base/tasks/verify-debian.yml create mode 100644 roles/installer/debian/base/tasks/verify-ubuntu.yml (limited to 'roles') diff --git a/files/common/keyrings/debian-buster.gpg b/files/common/keyrings/debian-buster.gpg new file mode 100644 index 00000000..9abf7837 Binary files /dev/null and b/files/common/keyrings/debian-buster.gpg differ diff --git a/files/common/keyrings/debian-stretch.gpg b/files/common/keyrings/debian-stretch.gpg new file mode 100644 index 00000000..77016799 Binary files /dev/null and b/files/common/keyrings/debian-stretch.gpg differ diff --git a/files/common/keyrings/ubuntu-archive.gpg b/files/common/keyrings/ubuntu-archive.gpg new file mode 100644 index 00000000..9ad1e96e Binary files /dev/null and b/files/common/keyrings/ubuntu-archive.gpg differ diff --git a/roles/installer/debian/base/tasks/main.yml b/roles/installer/debian/base/tasks/main.yml index 1984df2c..65110c91 100644 --- a/roles/installer/debian/base/tasks/main.yml +++ b/roles/installer/debian/base/tasks/main.yml 
@@ -4,20 +4,32 @@ name: "{{ installer_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}" state: directory -- name: download installer kernel image - get_url: - url: "{{ debian_installer_base_url }}/{{ debian_installer_variant_path }}/{{ debian_installer_variant_kernal_image_name }}" - dest: "{{ installer_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/{{ debian_installer_variant_kernal_image_name }}" - mode: 0644 - force: "{{ debian_installer_force_download }}" +- name: download and verify installer files + block: + - name: fetch and verify installer checksums + include_tasks: "verify-{{ install_distro }}.yml" -- name: download installer initrd.gz - get_url: - url: "{{ debian_installer_base_url }}/{{ debian_installer_variant_path }}/initrd.gz" - dest: "{{ installer_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/initrd.gz" - mode: 0644 - force: "{{ debian_installer_force_download }}" + - name: download installer kernel image + get_url: + url: "{{ debian_installer_base_url }}/{{ debian_installer_variant_path }}/{{ debian_installer_variant_kernal_image_name }}" + dest: "{{ installer_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/{{ debian_installer_variant_kernal_image_name }}" + checksum: "{{ debian_installer_kernel_checksum }}" + force: "{{ debian_installer_force_download }}" + mode: 0644 -## TODO verfiy downloaded files using: -## "{{ debian_installer_url[debian_installer_distro] }}/dists/{{ debian_installer_codename }}/InRelease -## "{{ debian_installer_url[debian_installer_distro] }}/dists/{{ debian_installer_codename }}/main/installer-{{ debian_installer_arch }}/current/{{ [debian_installer_distro, debian_installer_codename] | di_images_path 
}}/SHA256SUMS + - name: download installer initrd.gz + get_url: + url: "{{ debian_installer_base_url }}/{{ debian_installer_variant_path }}/initrd.gz" + dest: "{{ installer_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/initrd.gz" + checksum: "{{ debian_installer_initrd_checksum }}" + force: "{{ debian_installer_force_download }}" + mode: 0644 + + rescue: + - name: remove all downloaded files + file: + name: "{{ installer_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}" + state: absent + + - fail: + msg: "download/verification of installer files failed" diff --git a/roles/installer/debian/base/tasks/verify-debian.yml b/roles/installer/debian/base/tasks/verify-debian.yml new file mode 100644 index 00000000..5a890b1d --- /dev/null +++ b/roles/installer/debian/base/tasks/verify-debian.yml 
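Review bot: `include_tasks: "verify-{{ install_distro }}.yml"` selects the verification file from the caller's `install_distro`, while every other path in this block is built from the role's own `debian_installer_distro`; a caller that sets only the `debian_installer_*` variables documented in defaults/main.yml gets an undefined-variable failure, and one where the two disagree would run the wrong distribution's verification (wrong keyring, wrong checksum layout). Use the role variable: `include_tasks: "verify-{{ debian_installer_distro }}.yml"`. The `rescue` correctly removes the partial download, but its `fail` discards the actual cause; `msg: "download/verification of installer files failed: {{ ansible_failed_result.msg | default('') }}"` keeps the gpg or checksum error visible in the play output. The directory-creation task this block depends on is above the hunk.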
@@ -0,0 +1,46 @@
+---
+- name: download Release and Signature file
+ loop:
+ - Release
+ - Release.gpg
+ get_url:
+ url: "{{ debian_installer_base_url | dirname | dirname | dirname | dirname }}/{{ item }}"
+ dest: "{{ installer_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/{{ item }}"
+
+- name: verfiy signature of Release file
+ command: >-
+ gpg --no-options --trust-model always --no-default-keyring --secret-keyring /dev/null
+ --keyring "{{ global_files_dir }}/common/keyrings/debian-{{ install_codename }}.gpg"
+ --verify "{{ installer_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/Release.gpg"
+ "{{ installer_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/Release"
+ changed_when: False
+ register: debian_installer_gpg_result
+
+- debug:
+ var: debian_installer_gpg_result.stderr_lines
+
+- name: extract checksum file hash from Release file
+ command: grep -E "^ [0-9a-z]{64} .* main/installer-{{ debian_installer_arch }}/current/{{ [debian_installer_distro, debian_installer_codename] | di_images_path }}/SHA256SUMS$" "{{ installer_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/Release"
+ changed_when: false
+ register: debian_installer_inrelease_sha256
+
+- name: download SHA256SUMS
+ get_url:
+ url: "{{ debian_installer_base_url }}/SHA256SUMS"
+ dest: "{{ installer_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/SHA256SUMS"
+ checksum: "sha256:{{ (debian_installer_inrelease_sha256.stdout | trim).split(' ') | first }}"
+
+- name: extract kernel image hash from SHA256SUMS
+ command: grep -E "^[0-9a-z]{64}\s+(./)?{{ debian_installer_variant_path }}/{{ 
debian_installer_variant_kernal_image_name }}$" "{{ installer_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/SHA256SUMS" + changed_when: false + register: debian_installer_sha256sums_kernel + +- name: extract inital ramdisk hash from SHA256SUMS + command: grep -E "^[0-9a-z]{64}\s+(./)?{{ debian_installer_variant_path }}/initrd.gz$" "{{ installer_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/SHA256SUMS" + changed_when: false + register: debian_installer_sha256sums_initrd + +- name: set checksum variables + set_fact: + debian_installer_kernel_checksum: "sha256:{{ debian_installer_sha256sums_kernel.stdout.split(' ') | first }}" + debian_installer_initrd_checksum: "sha256:{{ debian_installer_sha256sums_initrd.stdout.split(' ') | first }}" diff --git a/roles/installer/debian/base/tasks/verify-ubuntu.yml b/roles/installer/debian/base/tasks/verify-ubuntu.yml new file mode 100644 index 00000000..f2b75492 --- /dev/null +++ b/roles/installer/debian/base/tasks/verify-ubuntu.yml 
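Review bot: The `Release`/`Release.gpg` and `SHA256SUMS` downloads carry no `force:`, so once a copy exists under `installer_path` it is reused on every later run, and nothing in this file looks at the Release file's `Date`/`Valid-Until`; with the plain-http mirror in the role defaults (`http://deb.debian.org/debian`, visible in the deletion later on this page) an on-path party only has to replay an older, still validly signed Release plus its matching SHA256SUMS to keep a host on an outdated installer kernel and initrd. Add `force: yes` to both `get_url` tasks so the signed metadata is refreshed each run, and consider rejecting a `Valid-Until` that lies in the past where the field is present (it may be absent on Debian stable's Release). The keyring path is built from `install_codename` while every directory path uses `debian_installer_codename`; the two can diverge for a caller that sets only the `debian_installer_*` variables, so use `--keyring "{{ global_files_dir }}/common/keyrings/debian-{{ debian_installer_codename }}.gpg"`. Because `--trust-model always` accepts any key in the keyring, the per-codename keyring file must contain only the release signing keys for that codename.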
@@ -0,0 +1,35 @@
+---
+- name: download SHA256SUMS and signature file
+ loop:
+ - SHA256SUMS
+ - SHA256SUMS.gpg
+ get_url:
+ url: "{{ debian_installer_base_url }}/{{ item }}"
+ dest: "{{ installer_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/{{ item }}"
+
+- name: verfiy signature of SHA256SUMS.gpg file
+ command: >-
+ gpg --no-options --trust-model always --no-default-keyring --secret-keyring /dev/null
+ --keyring "{{ global_files_dir }}/common/keyrings/ubuntu-archive.gpg"
+ --verify "{{ installer_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/SHA256SUMS.gpg"
+ "{{ installer_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/SHA256SUMS"
+ changed_when: False
+ register: debian_installer_gpg_result
+
+- debug:
+ var: debian_installer_gpg_result.stderr_lines
+
+- name: extract kernel image hash from SHA256SUMS
+ command: grep -E "^[0-9a-z]{64}\s+(./)?{{ debian_installer_variant_path }}/{{ debian_installer_variant_kernal_image_name }}$" "{{ installer_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/SHA256SUMS"
+ changed_when: false
+ register: debian_installer_sha256sums_kernel
+
+- name: extract inital ramdisk hash from SHA256SUMS
+ command: grep -E "^[0-9a-z]{64}\s+(./)?{{ debian_installer_variant_path }}/initrd.gz$" "{{ installer_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/SHA256SUMS"
+ changed_when: false
+ register: debian_installer_sha256sums_initrd
+
+- name: set checksum variables
+ set_fact:
+ debian_installer_kernel_checksum: "sha256:{{ debian_installer_sha256sums_kernel.stdout.split(' ') | first }}"
+ debian_installer_initrd_checksum: "sha256:{{ 
debian_installer_sha256sums_initrd.stdout.split(' ') | first }}" diff --git a/roles/installer/debian/usb/tasks/main.yml b/roles/installer/debian/usb/tasks/main.yml index 79251fdf..4ff03611 100644 --- a/roles/installer/debian/usb/tasks/main.yml +++ b/roles/installer/debian/usb/tasks/main.yml @@ -37,6 +37,7 @@ always: - name: Cleanup temporary workdir + when: tmpdir.path is defined file: path: "{{ tmpdir.path }}" state: absent -- cgit v1.2.3 From df591d76be13bb90ec82d9d2c5da9cf1d9fcd31e Mon Sep 17 00:00:00 2001 From: Christian Pointner Date: Fri, 10 Jul 2020 22:00:08 +0200 Subject: move openwrt keyring file to common location --- chaos-at-home/ch-ap.yml | 2 ++ chaos-at-home/ch-router.yml | 2 ++ chaos-at-home/mz-ap.yml | 2 ++ chaos-at-home/mz-router.yml | 2 ++ dan/ele-ap.yml | 2 ++ dan/ele-dolmetsch-ctl.yml | 2 ++ dan/ele-orpheum.yml | 2 ++ dan/ele-router.yml | 2 ++ dan/ele-tub.yml | 2 ++ dan/ele-ups.yml | 2 ++ files/common/keyrings/openwrt.gpg | Bin 0 -> 10385 bytes roles/openwrt/image/openwrt-keyring.gpg | Bin 10385 -> 0 bytes roles/openwrt/image/tasks/fetch.yml | 9 ++++++--- 13 files changed, 26 insertions(+), 3 deletions(-) create mode 100644 files/common/keyrings/openwrt.gpg delete mode 100644 roles/openwrt/image/openwrt-keyring.gpg (limited to 'roles') diff --git a/chaos-at-home/ch-ap.yml b/chaos-at-home/ch-ap.yml index 1d3c8903..5dcb5ea2 100644 --- a/chaos-at-home/ch-ap.yml +++ b/chaos-at-home/ch-ap.yml @@ -2,5 +2,7 @@ - name: Basic Setup hosts: chaos-at-home-ap connection: local + gather_facts: no + roles: - role: openwrt/image diff --git a/chaos-at-home/ch-router.yml b/chaos-at-home/ch-router.yml index f61feb15..6543ce8c 100644 --- a/chaos-at-home/ch-router.yml +++ b/chaos-at-home/ch-router.yml @@ -2,5 +2,7 @@ - name: Basic Setup hosts: ch-router connection: local + gather_facts: no + roles: - role: openwrt/image diff --git a/chaos-at-home/mz-ap.yml b/chaos-at-home/mz-ap.yml index ccae1763..869f051d 100644 --- a/chaos-at-home/mz-ap.yml 
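Review bot: As in the Debian variant, `SHA256SUMS`/`SHA256SUMS.gpg` are fetched without `force: yes`, so a pair cached under `installer_path` is never refreshed, and because Ubuntu's SHA256SUMS carries no date there is nothing in this flow that could detect a replayed older file; over the plain-http `archive.ubuntu.com` default that means an on-path party can keep a host on an outdated installer indefinitely. Add `force: yes` to the download task, and if the cache is meant to be long-lived, pin the expected installer out of band (for example compare the verified SHA256SUMS against a hash recorded in the repository). The `stdout.split(' ') | first` extraction assumes `grep` matched exactly one line; a second match would be silently ignored, so a guard such as `failed_when: debian_installer_sha256sums_kernel.stdout_lines | length != 1` on the grep tasks makes a layout surprise fail loudly instead.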
+++ b/chaos-at-home/mz-ap.yml @@ -2,5 +2,7 @@ - name: Basic Setup hosts: mz-ap connection: local + gather_facts: no + roles: - role: openwrt/image diff --git a/chaos-at-home/mz-router.yml b/chaos-at-home/mz-router.yml index 301da764..94646991 100644 --- a/chaos-at-home/mz-router.yml +++ b/chaos-at-home/mz-router.yml @@ -2,6 +2,8 @@ - name: Basic Setup hosts: mz-router connection: local + gather_facts: no + roles: - role: openwrt/image diff --git a/dan/ele-ap.yml b/dan/ele-ap.yml index 42c00522..1bccdc57 100644 --- a/dan/ele-ap.yml +++ b/dan/ele-ap.yml @@ -2,6 +2,8 @@ - name: Basic Setup hosts: ele-ap connection: local + gather_facts: no + roles: - role: openwrt/image # post_tasks: diff --git a/dan/ele-dolmetsch-ctl.yml b/dan/ele-dolmetsch-ctl.yml index 717def3f..c9d47ea8 100644 --- a/dan/ele-dolmetsch-ctl.yml +++ b/dan/ele-dolmetsch-ctl.yml @@ -2,5 +2,7 @@ - name: Basic Setup hosts: ele-dolmetsch-ctl connection: local + gather_facts: no + roles: - role: openwrt/image diff --git a/dan/ele-orpheum.yml b/dan/ele-orpheum.yml index 97b77edb..140d4fef 100644 --- a/dan/ele-orpheum.yml +++ b/dan/ele-orpheum.yml @@ -2,5 +2,7 @@ - name: Basic Setup hosts: ele-orpheum connection: local + gather_facts: no + roles: - role: openwrt/image diff --git a/dan/ele-router.yml b/dan/ele-router.yml index 098b82b3..ebb8f8bd 100644 --- a/dan/ele-router.yml +++ b/dan/ele-router.yml @@ -2,5 +2,7 @@ - name: Basic Setup hosts: ele-router connection: local + gather_facts: no + roles: - role: openwrt/image diff --git a/dan/ele-tub.yml b/dan/ele-tub.yml index c8bbe912..01668916 100644 --- a/dan/ele-tub.yml +++ b/dan/ele-tub.yml @@ -2,5 +2,7 @@ - name: Basic Setup hosts: ele-tub connection: local + gather_facts: no + roles: - role: openwrt/image diff --git a/dan/ele-ups.yml b/dan/ele-ups.yml index fa780eaf..de4efce7 100644 --- a/dan/ele-ups.yml +++ b/dan/ele-ups.yml @@ -2,6 +2,8 @@ - name: Basic Setup hosts: ele-ups connection: local + gather_facts: no + roles: - role: openwrt/image # post_tasks: 
diff --git a/files/common/keyrings/openwrt.gpg b/files/common/keyrings/openwrt.gpg new file mode 100644 index 00000000..7dc3d397 Binary files /dev/null and b/files/common/keyrings/openwrt.gpg differ diff --git a/roles/openwrt/image/openwrt-keyring.gpg b/roles/openwrt/image/openwrt-keyring.gpg deleted file mode 100644 index 7dc3d397..00000000 Binary files a/roles/openwrt/image/openwrt-keyring.gpg and /dev/null differ diff --git a/roles/openwrt/image/tasks/fetch.yml b/roles/openwrt/image/tasks/fetch.yml index 05d2ad6e..e68e2da5 100644 --- a/roles/openwrt/image/tasks/fetch.yml +++ b/roles/openwrt/image/tasks/fetch.yml @@ -22,11 +22,14 @@ - name: Check OpenPGP signature command: >- - gpg --no-options --no-default-keyring --secret-keyring /dev/null - --verify --keyring "{{ role_path }}/openwrt-keyring.gpg" - --trust-model always + gpg --no-options --trust-model always --no-default-keyring --secret-keyring /dev/null + --verify --keyring "{{ global_files_dir }}/common/keyrings/openwrt.gpg" "{{ openwrt_download_dir }}/{{ openwrt_tarball_basename }}.sha256.asc" changed_when: False + register: openwrt_image_gpg_result + + - debug: + var: openwrt_image_gpg_result.stderr_lines - name: Extract SHA256 hash of the imagebuilder archive command: grep '{{ openwrt_tarball_name }}' "{{ openwrt_download_dir }}/{{ openwrt_tarball_basename }}.sha256" -- cgit v1.2.3 From 77328526cf59b3b16d0e398c9cca24da41096542 Mon Sep 17 00:00:00 2001 From: Christian Pointner Date: Fri, 10 Jul 2020 22:38:14 +0200 Subject: openbsd installer: move to single version per invocation --- roles/installer/openbsd/base/defaults/main.yml | 13 +++------ roles/installer/openbsd/base/tasks/main.yml | 37 +++++++++----------------- roles/installer/openbsd/base/vars/main.yml | 7 +++++ 3 files changed, 23 insertions(+), 34 deletions(-) create mode 100644 roles/installer/openbsd/base/vars/main.yml (limited to 'roles') 
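Review bot: `--verify` is given only the detached signature `{{ openwrt_tarball_basename }}.sha256.asc`, so gpg infers the signed data file by stripping the `.asc` suffix; the Debian and Ubuntu verify task files added earlier on this page pass both the signature and the data file explicitly, and doing the same here (`--verify "{{ openwrt_download_dir }}/{{ openwrt_tarball_basename }}.sha256.asc" "{{ openwrt_download_dir }}/{{ openwrt_tarball_basename }}.sha256"`) removes the reliance on gpg's filename guessing and makes it obvious which file is being checked. Registering and printing `stderr_lines` helps operators, but the pass/fail decision still rests solely on gpg's exit status, which is fine only as long as the pinned `openwrt.gpg` keyring holds nothing but the release signing keys.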
diff --git a/roles/installer/openbsd/base/defaults/main.yml b/roles/installer/openbsd/base/defaults/main.yml index 10e9c840..eeeaf2d0 100644 --- a/roles/installer/openbsd/base/defaults/main.yml +++ b/roles/installer/openbsd/base/defaults/main.yml @@ -1,13 +1,6 @@ -openbsd_versions: - - version: 6.7 - arch: - - amd64 - - i386 - -openbsd_signing_keys: - 6.7: | - untrusted comment: openbsd 6.7 base public key - RWRmkIA877Io3oCILSZoJGhAswifJbFK4r18ICoia+3c0PfwANueolNj +--- +# openbsd_installer_version: 6.7 +openbsd_installer_arch: amd64 openbsd_installer_force_download: no openbsd_installer_url: "https://cdn.openbsd.org/pub/OpenBSD" diff --git a/roles/installer/openbsd/base/tasks/main.yml b/roles/installer/openbsd/base/tasks/main.yml index 2d6e905e..df3db107 100644 --- a/roles/installer/openbsd/base/tasks/main.yml +++ b/roles/installer/openbsd/base/tasks/main.yml 
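Review bot: The commented example `# openbsd_installer_version: 6.7` is what people will copy into playbooks, and unquoted `6.7` is parsed by YAML as a float; the signing-key map introduced in vars/main.yml of this same commit is keyed by the string `"6.7"`, so the lookup `openbsd_installer_signing_keys[openbsd_installer_version]` would most likely miss with a float and the role would fail before verifying anything. Quote it in the example: `# openbsd_installer_version: "6.7"`. Moving the signify public key out of `defaults/` into `vars/` is the right direction, since a pinned trust anchor should not be overridable from inventory or extra-vars the way a default is.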
@@ -7,46 +7,35 @@ state: present - name: prepare directories for installer iso files - loop: "{{ openbsd_versions | subelements('arch') }}" - loop_control: - label: "openbsd-{{ item.0.version }} {{ item.1 }}" file: - name: "{{ installer_path }}/openbsd-{{ item.0.version }}/{{ item.1 }}" + name: "{{ installer_path }}/openbsd-{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}" state: directory - name: download installer iso files - loop: "{{ openbsd_versions | subelements('arch') }}" - loop_control: - label: "openbsd-{{ item.0.version }} {{ item.1 }}" get_url: - url: "{{ openbsd_installer_url }}/{{ item.0.version }}/{{ item.1 }}/install{{ item.0.version | replace('.', '') }}.iso" - dest: "{{ installer_path }}/openbsd-{{ item.0.version }}/{{ item.1 }}/install{{ item.0.version | replace('.', '') }}.iso" + url: "{{ openbsd_installer_url }}/{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}/install{{ openbsd_installer_version_short }}.iso" + dest: "{{ installer_path }}/openbsd-{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}/install{{ openbsd_installer_version_short }}.iso" mode: 0644 force: "{{ openbsd_installer_force_download }}" - name: download signed sha256 files - loop: "{{ openbsd_versions | subelements('arch') }}" - loop_control: - label: "openbsd-{{ item.0.version }} {{ item.1 }}" get_url: - url: "{{ openbsd_installer_url }}/{{ item.0.version }}/{{ item.1 }}/SHA256.sig" - dest: "{{ installer_path }}/openbsd-{{ item.0.version }}/{{ item.1 }}/SHA256.sig" + url: "{{ openbsd_installer_url }}/{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}/SHA256.sig" + dest: "{{ installer_path }}/openbsd-{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}/SHA256.sig" mode: 0644 force: "{{ openbsd_installer_force_download }}" - name: create signing key files - loop: "{{ openbsd_versions }}" - loop_control: - label: "openbsd-{{ item.version }}" copy: - content: "{{ openbsd_signing_keys[item.version] }}" - dest: "{{ installer_path 
}}/openbsd-{{ item.version }}/openbsd-{{ item.version | replace('.', '') }}-base.pub" + content: "{{ openbsd_installer_signing_keys[openbsd_installer_version] }}" + dest: "{{ installer_path }}/openbsd-{{ openbsd_installer_version }}/openbsd-{{ openbsd_installer_version_short }}-base.pub" - name: verfiy downloaded iso files - loop: "{{ openbsd_versions | subelements('arch') }}" - loop_control: - label: "openbsd-{{ item.0.version }} {{ item.1 }}" - command: "signify-openbsd -Cp ../openbsd-{{ item.0.version | replace('.', '') }}-base.pub -x SHA256.sig install{{ item.0.version | replace('.', '') }}.iso" + command: "signify-openbsd -Cp ../openbsd-{{ openbsd_installer_version_short }}-base.pub -x SHA256.sig install{{ openbsd_installer_version_short }}.iso" args: - chdir: "{{ installer_path }}/openbsd-{{ item.0.version }}/{{ item.1 }}" + chdir: "{{ installer_path }}/openbsd-{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}" changed_when: false + register: openbsd_installer_signify_result + +- debug: + var: openbsd_installer_signify_result.stdout_lines diff --git a/roles/installer/openbsd/base/vars/main.yml b/roles/installer/openbsd/base/vars/main.yml new file mode 100644 index 00000000..dad9f064 --- /dev/null +++ b/roles/installer/openbsd/base/vars/main.yml @@ -0,0 +1,7 @@ +--- +openbsd_installer_version_short: "{{ openbsd_installer_version | replace('.', '') }}" + +openbsd_installer_signing_keys: + "6.7": | + untrusted comment: openbsd 6.7 base public key + RWRmkIA877Io3oCILSZoJGhAswifJbFK4r18ICoia+3c0PfwANueolNj -- cgit v1.2.3 From c9df5dcce462af13685236bf7a1d4dd896b1406b Mon Sep 17 00:00:00 2001 
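Review bot: `verfiy downloaded iso files` is the only gate in this role, and when `signify-openbsd -C` fails the unverified `install{{ openbsd_installer_version_short }}.iso` is left in `installer_path`, where `get_url` (with `openbsd_installer_force_download` defaulting to `no`) will not replace it on the next run and nothing marks it as never validated; the Debian role earlier on this page gained a `block`/`rescue` that deletes the download directory on failure, and this role should behave the same. Wrapping the download, key and verify tasks in a block whose rescue removes the per-arch directory and re-raises with the original message keeps a failed verification from leaving a usable-looking artifact behind. The added `debug` of `stdout_lines` is useful for operators but is not a substitute for that cleanup.
```yaml
- name: download and verify installer iso files
  block:
    # … unchanged: download installer iso files, download signed sha256 files, create signing key files …
    - name: verfiy downloaded iso files
      command: "signify-openbsd -Cp ../openbsd-{{ openbsd_installer_version_short }}-base.pub -x SHA256.sig install{{ openbsd_installer_version_short }}.iso"
      args:
        chdir: "{{ installer_path }}/openbsd-{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}"
      changed_when: false
      register: openbsd_installer_signify_result

  rescue:
    - name: remove unverified installer files
      file:
        name: "{{ installer_path }}/openbsd-{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}"
        state: absent

    - fail:
        msg: "download/verification of openbsd installer files failed: {{ ansible_failed_result.msg | default('') }}"
```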
From: Christian Pointner Date: Fri, 10 Jul 2020 23:42:23 +0200 Subject: major refactoring of installer roles --- chaos-at-home/ch-atlas.yml | 5 ++- chaos-at-home/ch-gnocchi.yml | 4 +- common/usb-install.yml | 3 +- dan/sk-2019vm.yml | 2 +- dan/sk-tomnext.yml | 2 +- inventory/group_vars/kvmhosts/main.yml | 2 +- roles/installer/debian/base/defaults/main.yml | 12 ------ roles/installer/debian/base/filter_plugins/main.py | 27 ------------- roles/installer/debian/base/tasks/main.yml | 43 ++++++-------------- .../installer/debian/base/tasks/verify-debian.yml | 46 ---------------------- .../installer/debian/base/tasks/verify-ubuntu.yml | 35 ---------------- roles/installer/debian/base/vars/main.yml | 13 ------ roles/installer/debian/fetch/defaults/main.yml | 12 ++++++ .../installer/debian/fetch/filter_plugins/main.py | 27 +++++++++++++ roles/installer/debian/fetch/tasks/main.yml | 35 ++++++++++++++++ .../installer/debian/fetch/tasks/verify-debian.yml | 46 ++++++++++++++++++++++ .../installer/debian/fetch/tasks/verify-ubuntu.yml | 35 ++++++++++++++++ roles/installer/debian/fetch/vars/main.yml | 13 ++++++ roles/installer/debian/preseed/tasks/main.yml | 2 +- roles/installer/debian/usb/tasks/main.yml | 2 +- roles/installer/openbsd/autoinstall/tasks/main.yml | 2 +- roles/installer/openbsd/base/defaults/main.yml | 6 --- roles/installer/openbsd/base/tasks/main.yml | 34 ---------------- roles/installer/openbsd/base/vars/main.yml | 7 ---- roles/installer/openbsd/fetch/defaults/main.yml | 6 +++ roles/installer/openbsd/fetch/tasks/main.yml | 34 ++++++++++++++++ roles/installer/openbsd/fetch/vars/main.yml | 7 ++++ roles/vm/define/templates/libvirt-domain.xml.j2 | 2 +- roles/vm/host/tasks/main.yml | 4 +- roles/vm/install/tasks/installer-debian.yml | 20 ++++++++++ roles/vm/install/tasks/installer-openbsd.yml | 16 ++++++++ roles/vm/install/tasks/main.yml | 18 +-------- 32 files changed, 283 insertions(+), 239 deletions(-) delete mode 100644 roles/installer/debian/base/defaults/main.yml 
delete mode 100644 roles/installer/debian/base/filter_plugins/main.py delete mode 100644 roles/installer/debian/base/tasks/verify-debian.yml delete mode 100644 roles/installer/debian/base/tasks/verify-ubuntu.yml delete mode 100644 roles/installer/debian/base/vars/main.yml create mode 100644 roles/installer/debian/fetch/defaults/main.yml create mode 100644 roles/installer/debian/fetch/filter_plugins/main.py create mode 100644 roles/installer/debian/fetch/tasks/main.yml create mode 100644 roles/installer/debian/fetch/tasks/verify-debian.yml create mode 100644 roles/installer/debian/fetch/tasks/verify-ubuntu.yml create mode 100644 roles/installer/debian/fetch/vars/main.yml delete mode 100644 roles/installer/openbsd/base/defaults/main.yml delete mode 100644 roles/installer/openbsd/base/vars/main.yml create mode 100644 roles/installer/openbsd/fetch/defaults/main.yml create mode 100644 roles/installer/openbsd/fetch/tasks/main.yml create mode 100644 roles/installer/openbsd/fetch/vars/main.yml create mode 100644 roles/vm/install/tasks/installer-debian.yml create mode 100644 roles/vm/install/tasks/installer-openbsd.yml (limited to 'roles') diff --git a/chaos-at-home/ch-atlas.yml b/chaos-at-home/ch-atlas.yml index fe76af09..34fa1141 100644 --- a/chaos-at-home/ch-atlas.yml +++ b/chaos-at-home/ch-atlas.yml @@ -5,4 +5,7 @@ - role: core/sshd - role: core/zsh - role: vm/host -# - role: installer/debian/base + ## gpg on this host is too old to open the keyrings. + ## to work around this problem the files have been manually converted + ## applying the role would break this again!! + # - role: installer/debian/base diff --git a/chaos-at-home/ch-gnocchi.yml b/chaos-at-home/ch-gnocchi.yml index 27a01839..fd519bfd 100644 --- a/chaos-at-home/ch-gnocchi.yml +++ b/chaos-at-home/ch-gnocchi.yml 
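Review bot: The new comment records that the keyrings on this host were converted by hand because its gpg cannot open the committed files, and that re-applying `installer/debian/base` would break them, which leaves the trust anchors used for installer verification on this host unmanaged and not reproducible from the repository. The comment is the right place for the warning, but it should also say what the conversion was (presumably an export to the older keyring format) and, ideally, the role should carry that conversion or a version-gated branch so the host's keyrings cannot drift from `files/common/keyrings` unnoticed; at minimum, note the key fingerprints that are expected to be present so an operator can check the hand-converted files. This hunk only touches the commented role entry; the rest of the play is outside it.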
@@ -8,8 +8,8 @@ - role: core/zsh - role: core/cpu-microcode - role: vm/host -# - role: installer/debian/base -# - role: installer/openbsd/base + - role: installer/debian/base + - role: installer/openbsd/base post_tasks: # you need to reboot for changes to take effect - name: install network interface config diff --git a/common/usb-install.yml b/common/usb-install.yml index 27633c15..1776f75b 100644 --- a/common/usb-install.yml +++ b/common/usb-install.yml @@ -11,7 +11,8 @@ roles: - role: installer/debian/usb - installer_path: "{{ global_cache_dir }}/debian-installer" + installer_base_path: "{{ global_cache_dir }}/debian-installer" + installer_keyrings_path: "{{ global_files_dir }}/common/keyrings" post_tasks: - name: Make the USB disk bootable diff --git a/dan/sk-2019vm.yml b/dan/sk-2019vm.yml index a50c1ca1..8859a3c2 100644 --- a/dan/sk-2019vm.yml +++ b/dan/sk-2019vm.yml @@ -13,7 +13,7 @@ - role: apt-repo/spreadspace - role: zfs/sanoid - role: vm/host -# - role: installer/debian/base + - role: installer/debian/base tasks: - name: install post-boot script copy: diff --git a/dan/sk-tomnext.yml b/dan/sk-tomnext.yml index 23c181e7..b6c3b95a 100644 --- a/dan/sk-tomnext.yml +++ b/dan/sk-tomnext.yml @@ -13,7 +13,7 @@ - role: apt-repo/spreadspace - role: zfs/sanoid - role: vm/host -# - role: installer/debian/base + - role: installer/debian/base tasks: - name: install post-boot script copy: diff --git a/inventory/group_vars/kvmhosts/main.yml b/inventory/group_vars/kvmhosts/main.yml index 917b41eb..36a5be1d 100644 --- a/inventory/group_vars/kvmhosts/main.yml +++ b/inventory/group_vars/kvmhosts/main.yml @@ -1,2 +1,2 @@ --- -installer_path: /srv/installer +installer_base_path: /srv/installer diff --git a/roles/installer/debian/base/defaults/main.yml b/roles/installer/debian/base/defaults/main.yml deleted file mode 100644 index eebc59bf..00000000 --- a/roles/installer/debian/base/defaults/main.yml +++ /dev/null 
@@ -1,12 +0,0 @@ ---- -# debian_installer_distro: debian -# debian_installer_codename: buster -debian_installer_arch: amd64 -# debian_installer_variant: netboot - -debian_installer_force_download: no -debian_installer_url: -# debian: "https://debian.ffgraz.net/debian" -# ubuntu: "https://debian.ffgraz.net/ubuntu" - debian: "http://deb.debian.org/debian" - ubuntu: "http://archive.ubuntu.com/ubuntu" diff --git a/roles/installer/debian/base/filter_plugins/main.py b/roles/installer/debian/base/filter_plugins/main.py deleted file mode 100644 index 298e7efd..00000000 --- a/roles/installer/debian/base/filter_plugins/main.py +++ /dev/null @@ -1,27 +0,0 @@ -from __future__ import (absolute_import, division, print_function) -__metaclass__ = type - -from ansible import errors - - -def di_images_path(data): - try: - if data[0] != 'ubuntu': - return 'images' - - if data[1] in ['xenial', 'bionic']: - return 'images' - - return 'legacy-images' - except Exception as e: - raise errors.AnsibleFilterError("mountpoint_exists(): %s" % str(e)) - - -class FilterModule(object): - - filter_map = { - 'di_images_path': di_images_path, - } - - def filters(self): - return self.filter_map diff --git a/roles/installer/debian/base/tasks/main.yml b/roles/installer/debian/base/tasks/main.yml index 65110c91..119b3670 100644 --- a/roles/installer/debian/base/tasks/main.yml +++ b/roles/installer/debian/base/tasks/main.yml 
@@ -1,35 +1,18 @@ --- -- name: prepare directories for installer files +- name: prepare directory keyrings file: - name: "{{ installer_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}" + name: "{{ installer_base_path }}/keyrings" state: directory -- name: download and verify installer files - block: - - name: fetch and verify installer checksums - include_tasks: "verify-{{ install_distro }}.yml" +- name: copy debian keyring files + loop: "{{ lookup('fileglob', global_files_dir+'/common/keyrings/debian-*.gpg', wantlist=True) }}" + loop_control: + label: "{{ item | basename }}" + copy: + src: "{{ item }}" + dest: "{{ installer_base_path }}/keyrings/{{ item | basename }}" - - name: download installer kernel image - get_url: - url: "{{ debian_installer_base_url }}/{{ debian_installer_variant_path }}/{{ debian_installer_variant_kernal_image_name }}" - dest: "{{ installer_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/{{ debian_installer_variant_kernal_image_name }}" - checksum: "{{ debian_installer_kernel_checksum }}" - force: "{{ debian_installer_force_download }}" - mode: 0644 - - - name: download installer initrd.gz - get_url: - url: "{{ debian_installer_base_url }}/{{ debian_installer_variant_path }}/initrd.gz" - dest: "{{ installer_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/initrd.gz" - checksum: "{{ debian_installer_initrd_checksum }}" - force: "{{ debian_installer_force_download }}" - mode: 0644 - - rescue: - - name: remove all downloaded files - file: - name: "{{ installer_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}" - state: absent - - - fail: - msg: "download/verification of installer files failed" +- name: copy ubuntu keyring file + 
copy: + src: "{{ global_files_dir }}/common/keyrings/ubuntu-archive.gpg" + dest: "{{ installer_base_path }}/keyrings/ubuntu-archive.gpg" diff --git a/roles/installer/debian/base/tasks/verify-debian.yml b/roles/installer/debian/base/tasks/verify-debian.yml deleted file mode 100644 index 5a890b1d..00000000 --- a/roles/installer/debian/base/tasks/verify-debian.yml +++ /dev/null 
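Review bot: The keyrings placed under `{{ installer_base_path }}/keyrings` by `copy debian keyring files` and `copy ubuntu keyring file` are the trust anchors every later gpg check in the fetch role relies on, yet neither copy task nor the `prepare directory keyrings` task sets `mode` or `owner`, so new files get whatever the connecting user's umask and identity yield. Anyone who can write to that directory can turn an arbitrary key into a "trusted" archive key, so pin the permissions on both copy tasks with `mode: '0644'` (and `owner: root`, `group: root` unless the play already runs as root throughout). The fileglob loop also copies nothing at all, without complaint, when `{{ global_files_dir }}/common/keyrings/` holds no `debian-*.gpg`; that case only surfaces later as a gpg "can't open keyring" failure inside the fetch role's rescue block, so an assert on the glob result (or a `mandatory`-style check) here would give a clearer error.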
@@ -1,46 +0,0 @@ ---- -- name: download Release and Signature file - loop: - - Release - - Release.gpg - get_url: - url: "{{ debian_installer_base_url | dirname | dirname | dirname | dirname }}/{{ item }}" - dest: "{{ installer_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/{{ item }}" - -- name: verfiy signature of Release file - command: >- - gpg --no-options --trust-model always --no-default-keyring --secret-keyring /dev/null - --keyring "{{ global_files_dir }}/common/keyrings/debian-{{ install_codename }}.gpg" - --verify "{{ installer_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/Release.gpg" - "{{ installer_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/Release" - changed_when: False - register: debian_installer_gpg_result - -- debug: - var: debian_installer_gpg_result.stderr_lines - -- name: extract checksum file hash from Release file - command: grep -E "^ [0-9a-z]{64} .* main/installer-{{ debian_installer_arch }}/current/{{ [debian_installer_distro, debian_installer_codename] | di_images_path }}/SHA256SUMS$" "{{ installer_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/Release" - changed_when: false - register: debian_installer_inrelease_sha256 - -- name: download SHA256SUMS - get_url: - url: "{{ debian_installer_base_url }}/SHA256SUMS" - dest: "{{ installer_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/SHA256SUMS" - checksum: "sha256:{{ (debian_installer_inrelease_sha256.stdout | trim).split(' ') | first }}" - -- name: extract kernel image hash from SHA256SUMS - command: grep -E "^[0-9a-z]{64}\s+(./)?{{ debian_installer_variant_path }}/{{ 
debian_installer_variant_kernal_image_name }}$" "{{ installer_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/SHA256SUMS" - changed_when: false - register: debian_installer_sha256sums_kernel - -- name: extract inital ramdisk hash from SHA256SUMS - command: grep -E "^[0-9a-z]{64}\s+(./)?{{ debian_installer_variant_path }}/initrd.gz$" "{{ installer_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/SHA256SUMS" - changed_when: false - register: debian_installer_sha256sums_initrd - -- name: set checksum variables - set_fact: - debian_installer_kernel_checksum: "sha256:{{ debian_installer_sha256sums_kernel.stdout.split(' ') | first }}" - debian_installer_initrd_checksum: "sha256:{{ debian_installer_sha256sums_initrd.stdout.split(' ') | first }}" diff --git a/roles/installer/debian/base/tasks/verify-ubuntu.yml b/roles/installer/debian/base/tasks/verify-ubuntu.yml deleted file mode 100644 index f2b75492..00000000 --- a/roles/installer/debian/base/tasks/verify-ubuntu.yml +++ /dev/null 
@@ -1,35 +0,0 @@ ---- -- name: download SHA256SUMS and signature file - loop: - - SHA256SUMS - - SHA256SUMS.gpg - get_url: - url: "{{ debian_installer_base_url }}/{{ item }}" - dest: "{{ installer_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/{{ item }}" - -- name: verfiy signature of SHA256SUMS.gpg file - command: >- - gpg --no-options --trust-model always --no-default-keyring --secret-keyring /dev/null - --keyring "{{ global_files_dir }}/common/keyrings/ubuntu-archive.gpg" - --verify "{{ installer_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/SHA256SUMS.gpg" - "{{ installer_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/SHA256SUMS" - changed_when: False - register: debian_installer_gpg_result - -- debug: - var: debian_installer_gpg_result.stderr_lines - -- name: extract kernel image hash from SHA256SUMS - command: grep -E "^[0-9a-z]{64}\s+(./)?{{ debian_installer_variant_path }}/{{ debian_installer_variant_kernal_image_name }}$" "{{ installer_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/SHA256SUMS" - changed_when: false - register: debian_installer_sha256sums_kernel - -- name: extract inital ramdisk hash from SHA256SUMS - command: grep -E "^[0-9a-z]{64}\s+(./)?{{ debian_installer_variant_path }}/initrd.gz$" "{{ installer_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/SHA256SUMS" - changed_when: false - register: debian_installer_sha256sums_initrd - -- name: set checksum variables - set_fact: - debian_installer_kernel_checksum: "sha256:{{ debian_installer_sha256sums_kernel.stdout.split(' ') | first }}" - debian_installer_initrd_checksum: "sha256:{{ 
debian_installer_sha256sums_initrd.stdout.split(' ') | first }}" diff --git a/roles/installer/debian/base/vars/main.yml b/roles/installer/debian/base/vars/main.yml deleted file mode 100644 index 404b571a..00000000 --- a/roles/installer/debian/base/vars/main.yml +++ /dev/null @@ -1,13 +0,0 @@ ---- -debian_installer_base_url: "{{ debian_installer_url[debian_installer_distro] }}/dists/{{ debian_installer_codename }}/main/installer-{{ debian_installer_arch }}/current/{{ [debian_installer_distro, debian_installer_codename] | di_images_path }}" - -_debian_installer_variant_path_: - netboot: "netboot/{{ debian_installer_distro }}-installer/{{ debian_installer_arch }}" - hd-media: "hd-media" - -_debian_installer_variant_kernel_image_name_: - netboot: "linux" - hd-media: "vmlinuz" - -debian_installer_variant_path: "{{ _debian_installer_variant_path_[debian_installer_variant] }}" -debian_installer_variant_kernal_image_name: "{{ _debian_installer_variant_kernel_image_name_[debian_installer_variant] }}" diff --git a/roles/installer/debian/fetch/defaults/main.yml b/roles/installer/debian/fetch/defaults/main.yml new file mode 100644 index 00000000..eebc59bf --- /dev/null +++ b/roles/installer/debian/fetch/defaults/main.yml @@ -0,0 +1,12 @@ +--- +# debian_installer_distro: debian +# debian_installer_codename: buster +debian_installer_arch: amd64 +# debian_installer_variant: netboot + +debian_installer_force_download: no +debian_installer_url: +# debian: "https://debian.ffgraz.net/debian" +# ubuntu: "https://debian.ffgraz.net/ubuntu" + debian: "http://deb.debian.org/debian" + ubuntu: "http://archive.ubuntu.com/ubuntu" diff --git a/roles/installer/debian/fetch/filter_plugins/main.py b/roles/installer/debian/fetch/filter_plugins/main.py new file mode 100644 index 00000000..298e7efd --- /dev/null +++ b/roles/installer/debian/fetch/filter_plugins/main.py 
@@ -0,0 +1,27 @@ +from __future__ import (absolute_import, division, print_function) +__metaclass__ = type + +from ansible import errors + + +def di_images_path(data): + try: + if data[0] != 'ubuntu': + return 'images' + + if data[1] in ['xenial', 'bionic']: + return 'images' + + return 'legacy-images' + except Exception as e: + raise errors.AnsibleFilterError("mountpoint_exists(): %s" % str(e)) + + +class FilterModule(object): + + filter_map = { + 'di_images_path': di_images_path, + } + + def filters(self): + return self.filter_map diff --git a/roles/installer/debian/fetch/tasks/main.yml b/roles/installer/debian/fetch/tasks/main.yml new file mode 100644 index 00000000..dc87655f --- /dev/null +++ b/roles/installer/debian/fetch/tasks/main.yml 
@@ -0,0 +1,35 @@
+---
+- name: prepare directories for installer files
+ file:
+ name: "{{ installer_base_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}"
+ state: directory
+
+- name: download and verify installer files
+ block:
+ - name: fetch and verify installer checksums
+ include_tasks: "verify-{{ install_distro }}.yml"
+
+ - name: download installer kernel image
+ get_url:
+ url: "{{ debian_installer_base_url }}/{{ debian_installer_variant_path }}/{{ debian_installer_variant_kernal_image_name }}"
+ dest: "{{ installer_base_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/{{ debian_installer_variant_kernal_image_name }}"
+ checksum: "{{ debian_installer_kernel_checksum }}"
+ force: "{{ debian_installer_force_download }}"
+ mode: 0644
+
+ - name: download installer initrd.gz
+ get_url:
+ url: "{{ debian_installer_base_url }}/{{ debian_installer_variant_path }}/initrd.gz"
+ dest: "{{ installer_base_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/initrd.gz"
+ checksum: "{{ debian_installer_initrd_checksum }}"
+ force: "{{ debian_installer_force_download }}"
+ mode: 0644
+
+ rescue:
+ - name: remove all downloaded files
+ file:
+ name: "{{ installer_base_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}"
+ state: absent
+
+ - fail:
+ msg: "download/verification of installer files failed"
diff --git a/roles/installer/debian/fetch/tasks/verify-debian.yml b/roles/installer/debian/fetch/tasks/verify-debian.yml new file mode 100644
index 00000000..6846451d
--- /dev/null
+++ b/roles/installer/debian/fetch/tasks/verify-debian.yml
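Review bot: `include_tasks: "verify-{{ install_distro }}.yml"` selects the verification file from the caller's `install_distro` while every other line of this role keys off `debian_installer_distro`, so a caller that sets `debian_installer_distro` without a matching `install_distro` gets either an undefined-variable failure or, worse, the other distro's verification steps applied to the files it just chose. The two visible callers (`installer/debian/usb` and `vm/install`) always derive one from the other, so this is latent rather than live, but it is the one place where the role's input contract leaks; `include_tasks: "verify-{{ debian_installer_distro }}.yml"` keeps the role self-contained. Because the `block`/`rescue` wipes the whole download directory on any failure, a wrong include also silently discards the verified Release/SHA256SUMS files, which makes the underlying mistake hard to diagnose from the generic fail message.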
@@ -0,0 +1,46 @@ +--- +- name: download Release and Signature file + loop: + - Release + - Release.gpg + get_url: + url: "{{ debian_installer_base_url | dirname | dirname | dirname | dirname }}/{{ item }}" + dest: "{{ installer_base_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/{{ item }}" + +- name: verfiy signature of Release file + command: >- + gpg --no-options --trust-model always --no-default-keyring --secret-keyring /dev/null + --keyring "{{ installer_keyrings_path | default(installer_base_path+'/keyrings') }}/debian-{{ install_codename }}.gpg" + --verify "{{ installer_base_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/Release.gpg" + "{{ installer_base_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/Release" + changed_when: False + register: debian_installer_gpg_result + +- debug: + var: debian_installer_gpg_result.stderr_lines + +- name: extract checksum file hash from Release file + command: grep -E "^ [0-9a-z]{64} .* main/installer-{{ debian_installer_arch }}/current/{{ [debian_installer_distro, debian_installer_codename] | di_images_path }}/SHA256SUMS$" "{{ installer_base_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/Release" + changed_when: false + register: debian_installer_inrelease_sha256 + +- name: download SHA256SUMS + get_url: + url: "{{ debian_installer_base_url }}/SHA256SUMS" + dest: "{{ installer_base_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/SHA256SUMS" + checksum: "sha256:{{ (debian_installer_inrelease_sha256.stdout | trim).split(' ') | first }}" + +- name: extract kernel image hash from SHA256SUMS + command: grep -E 
"^[0-9a-z]{64}\s+(./)?{{ debian_installer_variant_path }}/{{ debian_installer_variant_kernal_image_name }}$" "{{ installer_base_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/SHA256SUMS" + changed_when: false + register: debian_installer_sha256sums_kernel + +- name: extract inital ramdisk hash from SHA256SUMS + command: grep -E "^[0-9a-z]{64}\s+(./)?{{ debian_installer_variant_path }}/initrd.gz$" "{{ installer_base_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/SHA256SUMS" + changed_when: false + register: debian_installer_sha256sums_initrd + +- name: set checksum variables + set_fact: + debian_installer_kernel_checksum: "sha256:{{ debian_installer_sha256sums_kernel.stdout.split(' ') | first }}" + debian_installer_initrd_checksum: "sha256:{{ debian_installer_sha256sums_initrd.stdout.split(' ') | first }}" diff --git a/roles/installer/debian/fetch/tasks/verify-ubuntu.yml b/roles/installer/debian/fetch/tasks/verify-ubuntu.yml new file mode 100644 index 00000000..e7cff3ae --- /dev/null +++ b/roles/installer/debian/fetch/tasks/verify-ubuntu.yml 
@@ -0,0 +1,35 @@ +--- +- name: download SHA256SUMS and signature file + loop: + - SHA256SUMS + - SHA256SUMS.gpg + get_url: + url: "{{ debian_installer_base_url }}/{{ item }}" + dest: "{{ installer_base_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/{{ item }}" + +- name: verfiy signature of SHA256SUMS.gpg file + command: >- + gpg --no-options --trust-model always --no-default-keyring --secret-keyring /dev/null + --keyring "{{ installer_keyrings_path | default(installer_base_path+'/keyrings') }}/ubuntu-archive.gpg" + --verify "{{ installer_base_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/SHA256SUMS.gpg" + "{{ installer_base_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/SHA256SUMS" + changed_when: False + register: debian_installer_gpg_result + +- debug: + var: debian_installer_gpg_result.stderr_lines + +- name: extract kernel image hash from SHA256SUMS + command: grep -E "^[0-9a-z]{64}\s+(./)?{{ debian_installer_variant_path }}/{{ debian_installer_variant_kernal_image_name }}$" "{{ installer_base_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/SHA256SUMS" + changed_when: false + register: debian_installer_sha256sums_kernel + +- name: extract inital ramdisk hash from SHA256SUMS + command: grep -E "^[0-9a-z]{64}\s+(./)?{{ debian_installer_variant_path }}/initrd.gz$" "{{ installer_base_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/SHA256SUMS" + changed_when: false + register: debian_installer_sha256sums_initrd + +- name: set checksum variables + set_fact: + debian_installer_kernel_checksum: "sha256:{{ debian_installer_sha256sums_kernel.stdout.split(' ') | first 
}}" + debian_installer_initrd_checksum: "sha256:{{ debian_installer_sha256sums_initrd.stdout.split(' ') | first }}" diff --git a/roles/installer/debian/fetch/vars/main.yml b/roles/installer/debian/fetch/vars/main.yml new file mode 100644 index 00000000..404b571a --- /dev/null +++ b/roles/installer/debian/fetch/vars/main.yml @@ -0,0 +1,13 @@ +--- +debian_installer_base_url: "{{ debian_installer_url[debian_installer_distro] }}/dists/{{ debian_installer_codename }}/main/installer-{{ debian_installer_arch }}/current/{{ [debian_installer_distro, debian_installer_codename] | di_images_path }}" + +_debian_installer_variant_path_: + netboot: "netboot/{{ debian_installer_distro }}-installer/{{ debian_installer_arch }}" + hd-media: "hd-media" + +_debian_installer_variant_kernel_image_name_: + netboot: "linux" + hd-media: "vmlinuz" + +debian_installer_variant_path: "{{ _debian_installer_variant_path_[debian_installer_variant] }}" +debian_installer_variant_kernal_image_name: "{{ _debian_installer_variant_kernel_image_name_[debian_installer_variant] }}" diff --git a/roles/installer/debian/preseed/tasks/main.yml b/roles/installer/debian/preseed/tasks/main.yml index 3dd106e3..f0dc56cd 100644 --- a/roles/installer/debian/preseed/tasks/main.yml +++ b/roles/installer/debian/preseed/tasks/main.yml @@ -2,7 +2,7 @@ - name: Copy initramfs into position copy: remote_src: yes - src: "{{ installer_path | mandatory }}/{{ install_distro }}-{{ install_codename }}/{{ hostvars[install_hostname].install_cooked.arch | default('amd64') }}-{{ debian_installer_variant }}/initrd.gz" + src: "{{ installer_base_path | mandatory }}/{{ install_distro }}-{{ install_codename }}/{{ hostvars[install_hostname].install_cooked.arch | default('amd64') }}-{{ debian_installer_variant }}/initrd.gz" dest: "{{ preseed_tmpdir }}/initrd.preseed.gz" - name: Generate preseed file diff --git a/roles/installer/debian/usb/tasks/main.yml b/roles/installer/debian/usb/tasks/main.yml index 4ff03611..478e0d33 100644 
--- a/roles/installer/debian/usb/tasks/main.yml +++ b/roles/installer/debian/usb/tasks/main.yml @@ -17,7 +17,7 @@ debian_installer_arch: "{{ install.arch | default('amd64') }}" debian_installer_variant: netboot import_role: - role: installer/debian/base + role: installer/debian/fetch - name: Create temporary workdir tempfile: diff --git a/roles/installer/openbsd/autoinstall/tasks/main.yml b/roles/installer/openbsd/autoinstall/tasks/main.yml index b8e88b53..86f543ee 100644 --- a/roles/installer/openbsd/autoinstall/tasks/main.yml +++ b/roles/installer/openbsd/autoinstall/tasks/main.yml @@ -29,7 +29,7 @@ - "INSTALL.{{ obsd_autoinstall_arch }}" - "{{ obsd_autoinstall_file_sets | product([obsd_autoinstall_version_short+'.tgz']) | map('join') | list }}" iso_extract: - image: "{{ installer_path }}/openbsd-{{ obsd_autoinstall_version }}/{{ obsd_autoinstall_arch }}/install{{ obsd_autoinstall_version | replace('.', '') }}.iso" + image: "{{ installer_base_path }}/openbsd-{{ obsd_autoinstall_version }}/{{ obsd_autoinstall_arch }}/install{{ obsd_autoinstall_version | replace('.', '') }}.iso" dest: "{{ obsd_autoinstall_tmpdir }}/files" files: "{{ [obsd_autoinstall_version+'/'+obsd_autoinstall_arch+'/'] | product(installer_files | flatten) | map('join') | list }}" diff --git a/roles/installer/openbsd/base/defaults/main.yml b/roles/installer/openbsd/base/defaults/main.yml deleted file mode 100644 index eeeaf2d0..00000000 --- a/roles/installer/openbsd/base/defaults/main.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -# openbsd_installer_version: 6.7 -openbsd_installer_arch: amd64 - -openbsd_installer_force_download: no -openbsd_installer_url: "https://cdn.openbsd.org/pub/OpenBSD" diff --git a/roles/installer/openbsd/base/tasks/main.yml b/roles/installer/openbsd/base/tasks/main.yml index df3db107..412f3680 100644 --- a/roles/installer/openbsd/base/tasks/main.yml +++ b/roles/installer/openbsd/base/tasks/main.yml 
@@ -5,37 +5,3 @@ - genisoimage - signify-openbsd state: present - -- name: prepare directories for installer iso files - file: - name: "{{ installer_path }}/openbsd-{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}" - state: directory - -- name: download installer iso files - get_url: - url: "{{ openbsd_installer_url }}/{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}/install{{ openbsd_installer_version_short }}.iso" - dest: "{{ installer_path }}/openbsd-{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}/install{{ openbsd_installer_version_short }}.iso" - mode: 0644 - force: "{{ openbsd_installer_force_download }}" - -- name: download signed sha256 files - get_url: - url: "{{ openbsd_installer_url }}/{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}/SHA256.sig" - dest: "{{ installer_path }}/openbsd-{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}/SHA256.sig" - mode: 0644 - force: "{{ openbsd_installer_force_download }}" - -- name: create signing key files - copy: - content: "{{ openbsd_installer_signing_keys[openbsd_installer_version] }}" - dest: "{{ installer_path }}/openbsd-{{ openbsd_installer_version }}/openbsd-{{ openbsd_installer_version_short }}-base.pub" - -- name: verfiy downloaded iso files - command: "signify-openbsd -Cp ../openbsd-{{ openbsd_installer_version_short }}-base.pub -x SHA256.sig install{{ openbsd_installer_version_short }}.iso" - args: - chdir: "{{ installer_path }}/openbsd-{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}" - changed_when: false - register: openbsd_installer_signify_result - -- debug: - var: openbsd_installer_signify_result.stdout_lines diff --git a/roles/installer/openbsd/base/vars/main.yml b/roles/installer/openbsd/base/vars/main.yml deleted file mode 100644 index dad9f064..00000000 --- a/roles/installer/openbsd/base/vars/main.yml +++ /dev/null 
@@ -1,7 +0,0 @@ ---- -openbsd_installer_version_short: "{{ openbsd_installer_version | replace('.', '') }}" - -openbsd_installer_signing_keys: - "6.7": | - untrusted comment: openbsd 6.7 base public key - RWRmkIA877Io3oCILSZoJGhAswifJbFK4r18ICoia+3c0PfwANueolNj diff --git a/roles/installer/openbsd/fetch/defaults/main.yml b/roles/installer/openbsd/fetch/defaults/main.yml new file mode 100644 index 00000000..eeeaf2d0 --- /dev/null +++ b/roles/installer/openbsd/fetch/defaults/main.yml @@ -0,0 +1,6 @@ +--- +# openbsd_installer_version: 6.7 +openbsd_installer_arch: amd64 + +openbsd_installer_force_download: no +openbsd_installer_url: "https://cdn.openbsd.org/pub/OpenBSD" diff --git a/roles/installer/openbsd/fetch/tasks/main.yml b/roles/installer/openbsd/fetch/tasks/main.yml new file mode 100644 index 00000000..0ab9070c --- /dev/null +++ b/roles/installer/openbsd/fetch/tasks/main.yml 
@@ -0,0 +1,34 @@
+---
+- name: prepare directories for installer iso files
+ file:
+ name: "{{ installer_base_path }}/openbsd-{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}"
+ state: directory
+
+- name: download installer iso files
+ get_url:
+ url: "{{ openbsd_installer_url }}/{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}/install{{ openbsd_installer_version_short }}.iso"
+ dest: "{{ installer_base_path }}/openbsd-{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}/install{{ openbsd_installer_version_short }}.iso"
+ mode: 0644
+ force: "{{ openbsd_installer_force_download }}"
+
+- name: download signed sha256 files
+ get_url:
+ url: "{{ openbsd_installer_url }}/{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}/SHA256.sig"
+ dest: "{{ installer_base_path }}/openbsd-{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}/SHA256.sig"
+ mode: 0644
+ force: "{{ openbsd_installer_force_download }}"
+
+- name: create signing key files
+ copy:
+ content: "{{ openbsd_installer_signing_keys[openbsd_installer_version] }}"
+ dest: "{{ installer_base_path }}/openbsd-{{ openbsd_installer_version }}/openbsd-{{ openbsd_installer_version_short }}-base.pub"
+
+- name: verfiy downloaded iso files
+ command: "signify-openbsd -Cp ../openbsd-{{ openbsd_installer_version_short }}-base.pub -x SHA256.sig install{{ openbsd_installer_version_short }}.iso"
+ args:
+ chdir: "{{ installer_base_path }}/openbsd-{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}"
+ changed_when: false
+ register: openbsd_installer_signify_result
+
+- debug:
+ var: openbsd_installer_signify_result.stdout_lines
diff --git a/roles/installer/openbsd/fetch/vars/main.yml b/roles/installer/openbsd/fetch/vars/main.yml new file mode 100644
index 00000000..dad9f064
--- /dev/null
+++ b/roles/installer/openbsd/fetch/vars/main.yml
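Review bot: The ISO is written to its final location before anything checks it, and nothing removes it when `verfiy downloaded iso files` fails, so a tampered or corrupted `install{{ openbsd_installer_version_short }}.iso` stays under `installer_base_path` indistinguishable from a verified one; the Debian fetch role in the same commit wraps download and verification in a `block`/`rescue` that deletes the directory on failure, and this role should do the same. The ordering also matters for an unknown version: `openbsd_installer_signing_keys` only lists `"6.7"`, so any other `openbsd_installer_version` fails at `create signing key files`, i.e. after the unverified ISO has already been downloaded. Writing the key file first and putting the downloads plus the signify check inside a block with a cleanup rescue addresses both; the `register`/`debug` pair can stay if the stdout is wanted, but signify's non-zero exit is what actually gates the result.

```yaml
- name: create signing key file
  copy:
    content: "{{ openbsd_installer_signing_keys[openbsd_installer_version] }}"
    dest: "{{ installer_base_path }}/openbsd-{{ openbsd_installer_version }}/openbsd-{{ openbsd_installer_version_short }}-base.pub"

- name: download and verify installer iso
  block:
    # … unchanged: download installer iso files / download signed sha256 files …
    - name: verify downloaded iso files
      command: "signify-openbsd -Cp ../openbsd-{{ openbsd_installer_version_short }}-base.pub -x SHA256.sig install{{ openbsd_installer_version_short }}.iso"
      args:
        chdir: "{{ installer_base_path }}/openbsd-{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}"
      changed_when: false

  rescue:
    - name: remove all downloaded files
      file:
        name: "{{ installer_base_path }}/openbsd-{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}"
        state: absent

    - fail:
        msg: "download/verification of installer iso failed"
```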
@@ -0,0 +1,7 @@ +--- +openbsd_installer_version_short: "{{ openbsd_installer_version | replace('.', '') }}" + +openbsd_installer_signing_keys: + "6.7": | + untrusted comment: openbsd 6.7 base public key + RWRmkIA877Io3oCILSZoJGhAswifJbFK4r18ICoia+3c0PfwANueolNj diff --git a/roles/vm/define/templates/libvirt-domain.xml.j2 b/roles/vm/define/templates/libvirt-domain.xml.j2 index c4c9e52a..5af12c00 100644 --- a/roles/vm/define/templates/libvirt-domain.xml.j2 +++ b/roles/vm/define/templates/libvirt-domain.xml.j2 @@ -7,7 +7,7 @@ hvm {% if vm_define_installer %} {% if install_distro == 'debian' or install_distro == 'ubuntu' %} - {{ installer_path }}/{{ install_distro }}-{{ install_codename }}/{{ hostvars[install_hostname].install_cooked.arch | default('amd64') }}/linux + {{ installer_base_path }}/{{ install_distro }}-{{ install_codename }}/{{ hostvars[install_hostname].install_cooked.arch | default('amd64') }}-netboot/linux {{ preseed_tmpdir }}/initrd.preseed.gz console=ttyS0,115200n8 DEBCONF_DEBUG=5 diff --git a/roles/vm/host/tasks/main.yml b/roles/vm/host/tasks/main.yml index 390016a2..4c29970d 100644 --- a/roles/vm/host/tasks/main.yml +++ b/roles/vm/host/tasks/main.yml @@ -43,11 +43,11 @@ - name: mount filesytem mount: src: "/dev/mapper/{{ installer_lvm.vg | replace('-', '--') }}-{{ installer_lvm.lv | replace('-', '--') }}" - path: "{{ installer_path }}" + path: "{{ installer_base_path }}" fstype: "{{ installer_lvm.fs }}" state: mounted - name: make sure installer directory exists file: - name: "{{ installer_path }}" + name: "{{ installer_base_path }}" state: directory diff --git a/roles/vm/install/tasks/installer-debian.yml b/roles/vm/install/tasks/installer-debian.yml new file mode 100644 index 00000000..29aae48f --- /dev/null +++ b/roles/vm/install/tasks/installer-debian.yml 
@@ -0,0 +1,20 @@
+---
+- name: fetch debian installer files
+ vars:
+ debian_installer_distro: "{{ install_distro }}"
+ debian_installer_codename: "{{ install_codename }}"
+ debian_installer_arch: "{{ install_cooked.arch | default('amd64') }}"
+ debian_installer_variant: netboot
+ import_role:
+ name: installer/debian/fetch
+
+- name: generate host specific initial ramdisk
+ vars:
+ ssh_keys_root: "{{ hostvars[install_hostname].ssh_keys_root }}"
+ preseed_tmpdir: "{{ tmpdir.path }}"
+ preseed_virtual_machine: yes
+ preseed_force_net_ifnames_policy: path
+ preseed_no_netplan: yes
+ install_interface: enp1s1
+ import_role:
+ name: installer/debian/preseed
diff --git a/roles/vm/install/tasks/installer-openbsd.yml b/roles/vm/install/tasks/installer-openbsd.yml new file mode 100644
index 00000000..f3802afd
--- /dev/null
+++ b/roles/vm/install/tasks/installer-openbsd.yml
@@ -0,0 +1,16 @@
+---
+- name: fetch openbsd installer files
+ vars:
+ openbsd_installer_version: "{{ install_codename }}"
+ openbsd_installer_arch: "{{ install_cooked.arch | default('amd64') }}"
+ import_role:
+ name: installer/openbsd/fetch
+
+- name: generate host specific autoinstall iso
+ vars:
+ ssh_keys_root: "{{ hostvars[install_hostname].ssh_keys_root }}"
+ obsd_autoinstall_tmpdir: "{{ tmpdir.path }}"
+ obsd_autoinstall_serial_device: com0
+ install_interface: vio0
+ import_role:
+ name: installer/openbsd/autoinstall
diff --git a/roles/vm/install/tasks/main.yml b/roles/vm/install/tasks/main.yml
index 6b8f9ca7..7f102beb 100644
--- a/roles/vm/install/tasks/main.yml
+++ b/roles/vm/install/tasks/main.yml
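Review bot: `debian_installer_arch: "{{ install_cooked.arch | default('amd64') }}"` reads `install_cooked` of the host the play runs on, whereas two lines later `ssh_keys_root` is taken from `hostvars[install_hostname]` and the libvirt template in this same commit uses `hostvars[install_hostname].install_cooked.arch` for the guest. If `vm/install` runs on the VM host, as those references suggest, the fetched installer matches the hypervisor's architecture rather than the guest's, and the `default('amd64')` hides the mismatch whenever the host has no `install_cooked`; `debian_installer_arch: "{{ hostvars[install_hostname].install_cooked.arch | default('amd64') }}"` follows the established pattern. The visible part of `vm/install/tasks/main.yml` does not show `install_cooked` being resolved from the target earlier, so this is an inference worth confirming; `openbsd_installer_arch` in the new `installer-openbsd.yml` has the same shape.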
@@ -35,24 +35,10 @@ register: tmpdir - when: install_distro in ['debian', 'ubuntu'] - vars: - ssh_keys_root: "{{ hostvars[install_hostname].ssh_keys_root }}" - preseed_tmpdir: "{{ tmpdir.path }}" - preseed_virtual_machine: yes - preseed_force_net_ifnames_policy: path - preseed_no_netplan: yes - install_interface: enp1s1 - import_role: - name: installer/debian/preseed + import_tasks: installer-debian.yml - when: install_distro in ['openbsd'] - vars: - ssh_keys_root: "{{ hostvars[install_hostname].ssh_keys_root }}" - obsd_autoinstall_tmpdir: "{{ tmpdir.path }}" - obsd_autoinstall_serial_device: com0 - install_interface: vio0 - import_role: - name: installer/openbsd/autoinstall + import_tasks: installer-openbsd.yml - name: Make installer workdir readable by qemu acl: -- cgit v1.2.3 From ed7afca113327383f1a0bd0435d7f859a45011de Mon Sep 17 00:00:00 2001 From: Christian Pointner Date: Sat, 11 Jul 2020 00:46:48 +0200 Subject: installer: cleanup variables --- roles/installer/debian/preseed/defaults/main.yml | 5 +++-- roles/installer/debian/preseed/tasks/main.yml | 6 +++--- roles/installer/debian/usb/tasks/main.yml | 2 +- roles/installer/openbsd/autoinstall/defaults/main.yml | 5 +---- roles/installer/openbsd/autoinstall/tasks/main.yml | 4 ++-- roles/installer/openbsd/autoinstall/vars/main.yml | 2 ++ roles/vm/define/templates/libvirt-domain.xml.j2 | 4 ++-- roles/vm/install/tasks/installer-debian.yml | 3 ++- roles/vm/install/tasks/installer-openbsd.yml | 5 ++++- roles/vm/install/tasks/main.yml | 18 ++++++++++-------- 10 files changed, 30 insertions(+), 24 deletions(-) create mode 100644 roles/installer/openbsd/autoinstall/vars/main.yml (limited to 'roles') diff --git a/roles/installer/debian/preseed/defaults/main.yml b/roles/installer/debian/preseed/defaults/main.yml index cfdef902..b5aad35c 100644 --- a/roles/installer/debian/preseed/defaults/main.yml +++ b/roles/installer/debian/preseed/defaults/main.yml 
@@ -1,7 +1,8 @@ --- -#preseed_tmpdir: +# preseed_orig_initrd +# preseed_tmpdir: -#preseed_force_net_ifnames_policy: path +# preseed_force_net_ifnames_policy: path preseed_no_netplan: no preseed_virtual_machine: no diff --git a/roles/installer/debian/preseed/tasks/main.yml b/roles/installer/debian/preseed/tasks/main.yml index f0dc56cd..2d229aa8 100644 --- a/roles/installer/debian/preseed/tasks/main.yml +++ b/roles/installer/debian/preseed/tasks/main.yml @@ -2,8 +2,8 @@ - name: Copy initramfs into position copy: remote_src: yes - src: "{{ installer_base_path | mandatory }}/{{ install_distro }}-{{ install_codename }}/{{ hostvars[install_hostname].install_cooked.arch | default('amd64') }}-{{ debian_installer_variant }}/initrd.gz" - dest: "{{ preseed_tmpdir }}/initrd.preseed.gz" + src: "{{ preseed_orig_initrd }}" + dest: "{{ preseed_tmpdir }}/initrd.{{ install_hostname }}.gz" - name: Generate preseed file template: @@ -42,7 +42,7 @@ NamePolicy={{ preseed_force_net_ifnames_policy }} - name: Inject files into initramfs - shell: cpio -H newc -o | gzip -9 >> 'initrd.preseed.gz' + shell: cpio -H newc -o | gzip -9 >> 'initrd.{{ install_hostname }}.gz' args: chdir: "{{ preseed_tmpdir }}" stdin: | diff --git a/roles/installer/debian/usb/tasks/main.yml b/roles/installer/debian/usb/tasks/main.yml index 478e0d33..44f793e9 100644 --- a/roles/installer/debian/usb/tasks/main.yml +++ b/roles/installer/debian/usb/tasks/main.yml @@ -32,7 +32,7 @@ - name: Copy the preseed initramfs to the usb drive copy: - src: "{{ tmpdir.path }}/initrd.preseed.gz" + src: "{{ tmpdir.path }}/initrd.{{ install_hostname }}.gz" dest: "{{ usb_install_path }}/initrd.{{ install_hostname }}.gz" always: diff --git a/roles/installer/openbsd/autoinstall/defaults/main.yml b/roles/installer/openbsd/autoinstall/defaults/main.yml index 27f7221a..b166c191 100644 --- a/roles/installer/openbsd/autoinstall/defaults/main.yml +++ b/roles/installer/openbsd/autoinstall/defaults/main.yml 
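Review bot: In the preseed tasks hunk `@@ -42,7 +42,7 @@`, `install_hostname` is now interpolated into a `shell:` command line inside single quotes, so an inventory hostname containing a quote or shell metacharacter would break out of the quoting; the `genisoimage -o "{{ install_hostname }}.iso"` command in the autoinstall hunk on the next line has the same shape. Hostnames come from the inventory, so this is robustness rather than exposure, but `shell: cpio -H newc -o | gzip -9 >> {{ ('initrd.' ~ install_hostname ~ '.gz') | quote }}` makes the filename safe regardless of its content, and `| quote` works the same way on the genisoimage argument. In the `@@ -2,8 +2,8 @@` hunk the `| mandatory` guard was dropped together with the old path; an undefined `preseed_orig_initrd` still aborts the play, but `src: "{{ preseed_orig_initrd | mandatory }}"` keeps the clearer error message since the default for it is commented out.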
@@ -1,10 +1,7 @@ --- +# obsd_autoinstall_orig_iso: # obsd_autoinstall_tmpdir: -obsd_autoinstall_arch: "{{ hostvars[install_hostname].install_cooked.arch | default('amd64') }}" -obsd_autoinstall_version: "{{ install_codename }}" -obsd_autoinstall_version_short: "{{ obsd_autoinstall_version | replace('.', '') }}" - # obsd_autoinstall_serial_device: com0 # obsd_autoinstall_serial_baudrate: 115200 diff --git a/roles/installer/openbsd/autoinstall/tasks/main.yml b/roles/installer/openbsd/autoinstall/tasks/main.yml index 86f543ee..fc5f6194 100644 --- a/roles/installer/openbsd/autoinstall/tasks/main.yml +++ b/roles/installer/openbsd/autoinstall/tasks/main.yml @@ -29,7 +29,7 @@ - "INSTALL.{{ obsd_autoinstall_arch }}" - "{{ obsd_autoinstall_file_sets | product([obsd_autoinstall_version_short+'.tgz']) | map('join') | list }}" iso_extract: - image: "{{ installer_base_path }}/openbsd-{{ obsd_autoinstall_version }}/{{ obsd_autoinstall_arch }}/install{{ obsd_autoinstall_version | replace('.', '') }}.iso" + image: "{{ obsd_autoinstall_orig_iso }}" dest: "{{ obsd_autoinstall_tmpdir }}/files" files: "{{ [obsd_autoinstall_version+'/'+obsd_autoinstall_arch+'/'] | product(installer_files | flatten) | map('join') | list }}" @@ -45,7 +45,7 @@ dest: "{{ obsd_autoinstall_tmpdir }}/files/site{{ obsd_autoinstall_version_short }}.tgz" - name: generate host specific installer image - command: 'genisoimage -RTLldDN -o "install.iso" -no-emul-boot -b "cdbr" -c "boot.catalog" files/' + command: 'genisoimage -RTLldDN -o "{{ install_hostname }}.iso" -no-emul-boot -b "cdbr" -c "boot.catalog" files/' args: chdir: "{{ obsd_autoinstall_tmpdir }}/" diff --git a/roles/installer/openbsd/autoinstall/vars/main.yml b/roles/installer/openbsd/autoinstall/vars/main.yml new file mode 100644 index 00000000..c20909d1 --- /dev/null +++ b/roles/installer/openbsd/autoinstall/vars/main.yml @@ -0,0 +1,2 @@ +--- +obsd_autoinstall_version_short: "{{ obsd_autoinstall_version | replace('.', '') }}" 
diff --git a/roles/vm/define/templates/libvirt-domain.xml.j2 b/roles/vm/define/templates/libvirt-domain.xml.j2 index 5af12c00..ba0dcd5a 100644 --- a/roles/vm/define/templates/libvirt-domain.xml.j2 +++ b/roles/vm/define/templates/libvirt-domain.xml.j2 @@ -8,7 +8,7 @@ {% if vm_define_installer %} {% if install_distro == 'debian' or install_distro == 'ubuntu' %} {{ installer_base_path }}/{{ install_distro }}-{{ install_codename }}/{{ hostvars[install_hostname].install_cooked.arch | default('amd64') }}-netboot/linux - {{ preseed_tmpdir }}/initrd.preseed.gz + {{ installer_tmpdir }}/initrd.{{ install_hostname }}.gz console=ttyS0,115200n8 DEBCONF_DEBUG=5 {% elif install_distro == 'openbsd' %} @@ -44,7 +44,7 @@ {% if vm_define_installer and install_distro == 'openbsd' %} - + diff --git a/roles/vm/install/tasks/installer-debian.yml b/roles/vm/install/tasks/installer-debian.yml index 29aae48f..e0492969 100644 --- a/roles/vm/install/tasks/installer-debian.yml +++ b/roles/vm/install/tasks/installer-debian.yml @@ -3,7 +3,7 @@ vars: debian_installer_distro: "{{ install_distro }}" debian_installer_codename: "{{ install_codename }}" - debian_installer_arch: "{{ install_cooked.arch | default('amd64') }}" + debian_installer_arch: "{{ hostvars[install_hostname].install_cooked.arch | default('amd64') }}" debian_installer_variant: netboot import_role: name: installer/debian/fetch @@ -11,6 +11,7 @@ - name: generate host specific initial ramdisk vars: ssh_keys_root: "{{ hostvars[install_hostname].ssh_keys_root }}" + preseed_orig_initrd: "{{ installer_base_path }}/{{ install_distro }}-{{ install_codename }}/{{ hostvars[install_hostname].install_cooked.arch | default('amd64') }}-netboot/initrd.gz" preseed_tmpdir: "{{ tmpdir.path }}" preseed_virtual_machine: yes preseed_force_net_ifnames_policy: path diff --git a/roles/vm/install/tasks/installer-openbsd.yml b/roles/vm/install/tasks/installer-openbsd.yml index f3802afd..afa17c45 100644 --- a/roles/vm/install/tasks/installer-openbsd.yml 
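Review bot: `preseed_orig_initrd` in the `@@ -11,6 +11,7 @@` hunk of installer-debian.yml re-derives the fetch role's destination path by hand, hard-coding `netboot` and repeating the `hostvars[install_hostname].install_cooked.arch | default('amd64')` expression that the previous task passes as `debian_installer_variant` and `debian_installer_arch`. Those are task-scoped `vars:` and are not visible here, so the two paths can drift silently, and a mismatch would only surface as a copy failure inside the preseed role. Defining the arch and variant once for this task file (a block-level or play-level var) and deriving both the fetch vars and `preseed_orig_initrd` from them keeps the path single-sourced; the openbsd task file in the hunk on the following line repeats the arch expression three times the same way. The task whose `vars:` this hunk edits continues past the hunk.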
+++ b/roles/vm/install/tasks/installer-openbsd.yml @@ -2,14 +2,17 @@ - name: fetch openbsd installer files vars: openbsd_installer_version: "{{ install_codename }}" - openbsd_installer_arch: "{{ install_cooked.arch | default('amd64') }}" + openbsd_installer_arch: "{{ hostvars[install_hostname].install_cooked.arch | default('amd64') }}" import_role: name: installer/openbsd/fetch - name: generate host specific autoinstall iso vars: ssh_keys_root: "{{ hostvars[install_hostname].ssh_keys_root }}" + obsd_autoinstall_orig_iso: "{{ installer_base_path }}/openbsd-{{ install_codename }}/{{ hostvars[install_hostname].install_cooked.arch | default('amd64') }}/install{{ openbsd_installer_version_short }}.iso" obsd_autoinstall_tmpdir: "{{ tmpdir.path }}" + obsd_autoinstall_version: "{{ install_codename }}" + obsd_autoinstall_arch: "{{ hostvars[install_hostname].install_cooked.arch | default('amd64') }}" obsd_autoinstall_serial_device: com0 install_interface: vio0 import_role: diff --git a/roles/vm/install/tasks/main.yml b/roles/vm/install/tasks/main.yml index 7f102beb..a4511459 100644 --- a/roles/vm/install/tasks/main.yml +++ b/roles/vm/install/tasks/main.yml @@ -1,6 +1,6 @@ --- - name: create lvm-based disks for vm - loop: "{{ hostvars[install_hostname].install_cooked.disks.virtio | default({}) | combine(hostvars[install_hostname].install_cooked.disks.scsi | default({})) | dict2items | selectattr('value.type', 'eq', 'lvm') | list }}" + loop: "{{ hostvars[install_hostname].install_cooked.disks.virtio | default({}) | combine(hostvars[install_hostname].install_cooked.disks.scsi | default({})) | dict2items | selectattr('value.type', 'eq', 'lvm') | list }}" loop_control: label: "{{ item.value.vg }} / {{ item.value.lv }} ({{ item.value.size }})" lvol: @@ -31,6 +31,8 @@ - block: - name: create a temporary workdir tempfile: + path: "{{ installer_base_path }}/" + prefix: ".{{ install_hostname }}." state: directory register: tmpdir 
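Review bot: `obsd_autoinstall_orig_iso` in the `@@ -2,14 +2,17 @@` hunk references `openbsd_installer_version_short`, but `openbsd_installer_version` is only set as a task-scoped `vars:` entry on the first task; if the short-version variable is a lazily templated role var (the autoinstall role's new vars/main.yml on this page uses exactly that pattern for its own short version), it will be undefined or mis-resolved when the second task renders its `vars:`. Building the name from a value this task does control, `install{{ install_codename | replace('.', '') }}.iso`, removes the dependency on the fetch role's internals. The `hostvars[install_hostname].install_cooked.arch | default('amd64')` expression now appears three times in this file; one file-level var would keep them from diverging. The second task's `import_role:` lines are outside the hunk.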
@@ -48,11 +50,11 @@ etype: user permissions: rx - - import_role: - name: vm/define - vars: + - vars: vm_define_installer: yes - preseed_tmpdir: "{{ tmpdir.path }}" + installer_tmpdir: "{{ tmpdir.path }}" + import_role: + name: vm/define - debug: msg: "you can check on the status of the installer running this command 'virsh console {{ install_hostname }}' on host {{ inventory_hostname }}." @@ -80,7 +82,7 @@ path: "{{ tmpdir.path }}" state: absent -- import_role: - name: vm/define - vars: +- vars: vm_define_installer: no + import_role: + name: vm/define -- cgit v1.2.3 From 4eec4384e5408a87b6ad2b77b4819b65c500a3bc Mon Sep 17 00:00:00 2001 From: Christian Pointner Date: Sat, 11 Jul 2020 01:18:15 +0200 Subject: openbsd installer: extract sha256 checksum from iso before downloading it --- roles/installer/openbsd/fetch/tasks/main.yml | 28 +++++++++++++++++++++------- 1 file changed, 21 insertions(+), 7 deletions(-) (limited to 'roles') diff --git a/roles/installer/openbsd/fetch/tasks/main.yml b/roles/installer/openbsd/fetch/tasks/main.yml index 0ab9070c..d8f37018 100644 --- a/roles/installer/openbsd/fetch/tasks/main.yml +++ b/roles/installer/openbsd/fetch/tasks/main.yml @@ -4,13 +4,6 @@ name: "{{ installer_base_path }}/openbsd-{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}" state: directory -- name: download installer iso files - get_url: - url: "{{ openbsd_installer_url }}/{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}/install{{ openbsd_installer_version_short }}.iso" - dest: "{{ installer_base_path }}/openbsd-{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}/install{{ openbsd_installer_version_short }}.iso" - mode: 0644 - force: "{{ openbsd_installer_force_download }}" - - name: download signed sha256 files get_url: url: "{{ openbsd_installer_url }}/{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}/SHA256.sig" 
@@ -18,6 +11,27 @@ mode: 0644 force: "{{ openbsd_installer_force_download }}" +## Unfortunately signify can't be used to verify just the sha256 file. This means that the checksum we extract here +## might be wrong. Using this an attacker could trick us into deleting a valid ISO file and downloading a harmful +## image instead. Since the signature of the sha256 file will be checked eventually the attacker however cannot trick +## us into booting the image. +## Despite this flaw it is imho still better to extract the hash so that get_url below can check a potentially +## existing file without the need to query the server. This should speed up the installation process quite a bit +## and take care of spurious re-downloads. + +- name: extract sha256 hash for iso file + command: grep -E "^SHA256 \(install{{ openbsd_installer_version_short }}.iso\) = [0-9a-z]{64}$" "{{ installer_base_path }}/openbsd-{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}/SHA256.sig" + changed_when: false + register: openbsd_installer_sha256sum + +- name: download installer iso files + get_url: + url: "{{ openbsd_installer_url }}/{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}/install{{ openbsd_installer_version_short }}.iso" + dest: "{{ installer_base_path }}/openbsd-{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}/install{{ openbsd_installer_version_short }}.iso" + checksum: "sha256:{{ openbsd_installer_sha256sum.stdout.split('=') | last | trim }}" + force: "{{ openbsd_installer_force_download }}" + mode: 0644 + - name: create signing key files copy: content: "{{ openbsd_installer_signing_keys[openbsd_installer_version] }}" -- cgit v1.2.3 From 8bfbc9b54f28cb5e25714e40e96f752f98f40568 Mon Sep 17 00:00:00 2001 
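Review bot: The grep in the new `extract sha256 hash for iso file` task matches the digest with `[0-9a-z]{64}`, which accepts any lowercase letter rather than only hex digits; `[0-9a-f]{64}` pins the expected format so a malformed or substituted line fails this task instead of reaching get_url's `checksum:` option. The same pattern is carried unchanged into the final commit on this page (hunk `@@ -46,3 +36,16 @@`), so the fix applies there too. get_url itself behaves correctly on a mismatch — it re-downloads and then fails if the fresh file still does not match — so with the hash taken from a not-yet-verified SHA256.sig the exposure is limited to the wasted download the `##` comment already describes.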
From: Christian Pointner Date: Sat, 11 Jul 2020 01:37:51 +0200 Subject: openbsd installer: improve image verification --- roles/installer/openbsd/fetch/tasks/main.yml | 55 +++++++++++++++------------- 1 file changed, 29 insertions(+), 26 deletions(-) (limited to 'roles') diff --git a/roles/installer/openbsd/fetch/tasks/main.yml b/roles/installer/openbsd/fetch/tasks/main.yml index d8f37018..97e8fb57 100644 --- a/roles/installer/openbsd/fetch/tasks/main.yml +++ b/roles/installer/openbsd/fetch/tasks/main.yml 
@@ -4,31 +4,13 @@ name: "{{ installer_base_path }}/openbsd-{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}" state: directory -- name: download signed sha256 files +- name: download signed sha256 and buildinfo files + loop: + - SHA256.sig + - BUILDINFO get_url: - url: "{{ openbsd_installer_url }}/{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}/SHA256.sig" - dest: "{{ installer_base_path }}/openbsd-{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}/SHA256.sig" - mode: 0644 - force: "{{ openbsd_installer_force_download }}" - -## Unfortunately signify can't be used to verify just the sha256 file. This means that the checksum we extract here -## might be wrong. Using this an attacker could trick us into deleting a valid ISO file and downloading a harmful -## image instead. Since the signature of the sha256 file will be checked eventually the attacker however cannot trick -## us into booting the image. -## Despite this flaw it is imho still better to extract the hash so that get_url below can check a potentially -## existing file without the need to query the server. This should speed up the installation process quite a bit -## and take care of spurious re-downloads. 
- -- name: extract sha256 hash for iso file - command: grep -E "^SHA256 \(install{{ openbsd_installer_version_short }}.iso\) = [0-9a-z]{64}$" "{{ installer_base_path }}/openbsd-{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}/SHA256.sig" - changed_when: false - register: openbsd_installer_sha256sum - -- name: download installer iso files - get_url: - url: "{{ openbsd_installer_url }}/{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}/install{{ openbsd_installer_version_short }}.iso" - dest: "{{ installer_base_path }}/openbsd-{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}/install{{ openbsd_installer_version_short }}.iso" - checksum: "sha256:{{ openbsd_installer_sha256sum.stdout.split('=') | last | trim }}" + url: "{{ openbsd_installer_url }}/{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}/{{ item }}" + dest: "{{ installer_base_path }}/openbsd-{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}/{{ item }}" force: "{{ openbsd_installer_force_download }}" mode: 0644 
@@ -37,8 +19,16 @@ content: "{{ openbsd_installer_signing_keys[openbsd_installer_version] }}" dest: "{{ installer_base_path }}/openbsd-{{ openbsd_installer_version }}/openbsd-{{ openbsd_installer_version_short }}-base.pub" -- name: verfiy downloaded iso files - command: "signify-openbsd -Cp ../openbsd-{{ openbsd_installer_version_short }}-base.pub -x SHA256.sig install{{ openbsd_installer_version_short }}.iso" +## Unfortunately signify can't be used to verify just the sha256 file. If we would use the sha256 hashes without +## verification an attacker could trick us into deleting a valid ISO file and downloading a harmful image instead. +## Since the signature would be checked eventually the attacker cannot trick us into booting it but re-downlaoding +## hundreds of megabytes is not fun. +## As a workaround we download the smallest file that exists on the download server and use this file (BUILDINFO) +## to verfiy the signature. +## This process should speed up the installation quite a bit and make the overall image download process more solid. + +- name: verify downloaded files + command: "signify-openbsd -Cp ../openbsd-{{ openbsd_installer_version_short }}-base.pub -x SHA256.sig BUILDINFO" args: chdir: "{{ installer_base_path }}/openbsd-{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}" changed_when: false 
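Review bot: The comment above `verify downloaded files` should say what the BUILDINFO check actually buys: signify's `-C` mode verifies the signature on SHA256.sig before comparing BUILDINFO's digest, so a successful run authenticates the whole SHA256.sig, and the ISO hash that the next hunk (`@@ -46,3 +36,16 @@`) greps out of it inherits that trust — which is why the get_url `checksum:` there is a full verification rather than a hint. A line such as `## signify -C checks the signature on SHA256.sig first, so after this task every hash listed in it is trusted.` makes that dependency explicit for whoever reorders these tasks later. While editing the comment, `verfiy` and `re-downlaoding` are typos. The task definition continues past the hunk.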
@@ -46,3 +36,16 @@ - debug: var: openbsd_installer_signify_result.stdout_lines + +- name: extract sha256 hash for iso file + command: grep -E "^SHA256 \(install{{ openbsd_installer_version_short }}.iso\) = [0-9a-z]{64}$" "{{ installer_base_path }}/openbsd-{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}/SHA256.sig" + changed_when: false + register: openbsd_installer_sha256sum + +- name: download installer iso file + get_url: + url: "{{ openbsd_installer_url }}/{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}/install{{ openbsd_installer_version_short }}.iso" + dest: "{{ installer_base_path }}/openbsd-{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}/install{{ openbsd_installer_version_short }}.iso" + checksum: "sha256:{{ openbsd_installer_sha256sum.stdout.split('=') | last | trim }}" + force: "{{ openbsd_installer_force_download }}" + mode: 0644 -- cgit v1.2.3