
Configure new zones

#!/bin/bash

# Prefer the openssl build under /opt for the base64 decoding done further
# down; both variables are inherited by every pfexec'd command this script
# runs.
# NOTE(review): LD_LIBRARY_PATH is pointed at the *bin* directory of that
# build, not at a lib directory -- whether any shared objects live there is
# not visible from this script; confirm before relying on it.
export PATH="/opt/openssl/bin/:${PATH}"
export LD_LIBRARY_PATH="/opt/openssl/bin/:${LD_LIBRARY_PATH}"

######################################################################
# Check that the zone is prepared in LDAP
######################################################################
#
# Tue Jul  7 16:14:56 CEST 2015 by battila
#
#       fix 1: number of command line argument check
#       fix 2: check that an interface is defined in LDAP for the network range

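# Exactly one argument: the zone/host name. It becomes an LDAP filter value,
# a zonecfg zone name and a path component under /rpool/zones and /tank, so it
# is restricted to a conservative host-name alphabet (no leading "-" that
# could read as an option, no leading "." that could form a hidden or
# traversal path) before it reaches any of those. Usage errors exit 2.
if [ $# -ne 1 ]; then
  echo "Usage $0 [HOSTNAME]" >&2
  exit 2
fi
case "$1" in
  ''|*[!A-Za-z0-9._-]*|-*|.*)
    echo "Invalid host name '$1': use letters, digits, '.', '_' or '-' only" >&2
    exit 2
    ;;
esac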

#
### Pick the LDAP server. Default: the .0.99 address built from the first two
### octets of igb0 (the admin interface on many hosts); if this host is
### already an LDAP client, prefer the first NS_LDAP_SERVERS entry of its
### client file. Both values are then replaced by the fixed address on the
### last line, so the two lookups are effectively dead code -- kept as they
### were; drop the override if the derived value is wanted again.
### NOTE(review): everything read from $LDAP_HOST below (addresses, gateway,
### interface, SSH authorized keys) is fetched with "ldapsearch -h HOST -1 -T",
### i.e. no bind credentials and no TLS option, so the integrity of the zone
### build rests on the network path to this host.
admin_net=$(ifconfig igb0|tail -1|cut -f2 -d' '|cut -d'.' -f1-2)
LDAP_HOST="${admin_net}.0.99"
if [ -e /var/ldap/ldap_client_file ]; then
  LDAP_HOST=$(pfexec grep NS_LDAP_SERVERS /var/ldap/ldap_client_file|cut -f2 -d'='|cut -f1 -d',')
fi
LDAP_HOST=10.2.0.99
###
#

#
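### Which host object are we looking at? $object is the zone name and the cn
### of its LDAP entry; OPATH is the zone root as seen from the global zone.
object="$1"
OPATH="/rpool/zones/$object/root"
###
#

#
### Default SEARCH command and the basic host attributes.
### ldapsearch runs with no bind DN and no TLS option (anonymous, unencrypted
### queries). -1 drops the version line, -T disables line folding so every
### value arrives on a single "attr: value" line. Word-splitting of $SEARCH
### is relied upon, so it stays unquoted.

# Escape the RFC 4515 filter metacharacters in a value so that a name such
# as 'web*' or 'x)(cn=*' cannot widen or rewrite the search.
ldap_filter_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

SEARCH="ldapsearch -h $LDAP_HOST -1 -T "
object_filter="cn=$(ldap_filter_escape "$object")"
echo "$SEARCH -b dc=pribas,dc=com $object_filter dn"
# Keep the whole DN (-f2-); a DN containing a space used to be cut short.
cn=$($SEARCH -b dc=pribas,dc=com "$object_filter" dn|cut -f2- -d' ')
# o and seeAlso hold DN-like values, ipHostNumber a plain address; the same
# "first RDN value" extraction is applied to all of them.
type=$($SEARCH -b "$cn" "$object_filter" o|grep -v "dn:"|\
         cut -f2 -d' '|cut -f1 -d','|cut -f2 -d'='|tr '[A-Z]' '[a-z]')
ip=$($SEARCH -b "$cn" "$object_filter" ipHostNumber|grep -v "dn:"|\
         cut -f2 -d' '|cut -f1 -d','|cut -f2 -d'=')
global=$($SEARCH -b "$cn" "$object_filter" seeAlso|grep -v "dn:"|\
         cut -f2 -d' '|cut -f1 -d','|cut -f2 -d'=')
description=$($SEARCH -b "$cn" "$object_filter" description|grep -v "dn:")

echo "Info from $LDAP_HOST: Type of $object($ip,$global) is $(echo $type)"
###
#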
###
#

#
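### Ensure that the basic settings are well known before touching anything.
### No IP: stop. seeAlso must name this very global zone so a zone is never
### built on the wrong host. The type is informational only and defaults to
### "stage" when LDAP does not carry it; the former "Type not specified"
### exit came after the default was applied and therefore could never fire,
### so it is gone.
if [ -z "$ip" ]; then
  echo "IP-Adress not specified in LDAP, exiting" >&2
  exit 1
fi
if [ "$global" != "$(hostname)" ]; then
  echo "Installing on wrong host, exiting" >&2
  exit 1
fi
## Manipulate type, as it is not set in many cases
[ -z "$type" ] && type="stage"
###
#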
###
#

######################################################################
# Setting up bare zone 
######################################################################

#
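### Set up the zone configuration if it does not exist yet.
### Existence is checked by asking zoneadm about this exact zone name. The
### former "zoneadm list -c | grep $object" was a substring match ("web1"
### counted as existing whenever "web10" did) and its "2>&1 1>/dev/null"
### sent grep's stderr to the terminal instead of /dev/null.
if zoneadm -z "$object" list >/dev/null 2>&1
then
  echo "Zone exists..."

  #
  # ToDo: Consider work on changes as e.g.
  # - Directories to be passed through,
  # - IP-Address changes
  # - Autoboot switched on?
  # etc., even if zone is NOT actually set up
  #
  # -p prints the parsable form id:name:state:path:...; field 3 is the state.
  zone_state=$(zoneadm -z "$object" list -p|cut -d: -f3)
  test "$zone_state" = "installed" && pfexec zoneadm -z "$object" boot
else
  echo "Zone is going to be set up..."
  #
  ### Find out some more details for the setup...
  ### The ou=Networks lookup (ipNetworkNumber=a.b.c.0) and the "/24" in the
  ### zonecfg net resource further down both assume the zone lives in a /24;
  ### another prefix length needs both changed.
  ip_cut="$(echo $ip|cut -f1-3 -d'.').0"
  gateway=$($SEARCH -b ou=Networks,dc=pribas,dc=com ipNetworkNumber=$ip_cut ipHostNumber|grep -v "dn:"|\
         cut -f2 -d' '|cut -f1 -d','|cut -f2 -d'=')
  # Was `test -z gateway`, which tests the literal word and is never true, so
  # a zone could end up configured with an empty defrouter.
  if [ -z "$gateway" ]; then
    echo "Unable to determine gateway, exiting." >&2
    exit 1
  fi
  net_cn=$($SEARCH -b ou=Networks,dc=pribas,dc=com ipNetworkNumber=$ip_cut dn|grep "dn:"|\
         cut -f2- -d' ')
  interface=$($SEARCH -b cn=$global,ou=Global,ou=Hosts,dc=pribas,dc=com -1 "seeAlso=$net_cn" cn|grep -v "dn:"|\
         cut -f2 -d' '|cut -f1 -d','|cut -f2 -d'=')
  # (A second, literal `test -z interface` used to follow this check; it was
  # dead code.)
  if [ -z "$interface" ]; then
    echo "No interface defined in the LDAP for this ip range under the host" >&2
    exit 2
  fi

  ### Optional resources keyed on words in the LDAP description: "log" and
  ### "data" loop-back mount a per-zone directory from /tank, "memory" adds a
  ### memory cap. Each fragment is appended to $DIRS and spliced into the
  ### zonecfg script below.
  description_lc=$(echo $description|tr '[A-Z]' '[a-z]')
  if echo "$description_lc"|grep log >/dev/null
  then
    DIRS="$(cat<<EOF 
    $DIRS
    add fs
    set dir=/logs
    set special=/tank/logs/$object
    set type=lofs
    add options rw
    add options nodevice
    end
EOF
  )"

    if [ -d "/tank/logs/$object" ]; then
      echo "LOG directory already exists!"
    else
      echo "LOG directory being created!"
      pfexec mkdir "/tank/logs/$object"
    fi
  fi

  if echo "$description_lc"|grep data >/dev/null
  then
    DIRS="$(cat<<EOF 
    $DIRS
    add fs
    set dir=/data
    set special=/tank/data/$object
    set type=lofs
    add options rw
    add options nodevice
    end
EOF
  )"
    if [ -d "/tank/data/$object" ]; then
      echo "DATA directory already exists!"
    else
      echo "DATA directory being created!"
      pfexec mkdir "/tank/data/$object"
    fi
  fi
  if echo "$description_lc"|grep memory >/dev/null
  then
    DIRS="$(cat<<EOF
    $DIRS
    add capped-memory
    set physical=500m
    set swap=1000m
    set locked=100m
    end
EOF
  )"
  fi
  ###
  #

  # Sparse-root zone (inherited /lib, /platform, /sbin, /usr), shared IP
  # stack, one address on the interface LDAP mapped to this network.
  pfexec zonecfg -z "$object" <<EOF
    create -b
    set zonepath=/rpool/zones/$object
    set autoboot=true
    set ip-type=shared
    add inherit-pkg-dir
    set dir=/lib
    end
    add inherit-pkg-dir
    set dir=/platform
    end
    add inherit-pkg-dir
    set dir=/sbin
    end
    add inherit-pkg-dir
    set dir=/usr
    end 
    $DIRS
    add net
    set address=$ip/24
    set physical=$interface
    set defrouter=$gateway
    end
    commit
    exit
EOF
  if pfexec zoneadm -z "$object" install 
  then
    # sysidcfg carries the root password hash; build it in a private 0600 temp
    # file (mktemp) instead of the predictable, umask-readable
    # /tmp/tmp.sysidcfg. The hash is taken from ZONE_ROOT_PW_HASH when the
    # caller sets it; the fallback is the 13-character crypt(3)-style value
    # this script has always embedded, which every zone it built shares and
    # which is readable by anyone with access to this page -- rotate it and
    # supply the replacement through the variable from a root-only source.
    tmp_sysidcfg=$(mktemp /tmp/sysidcfg.XXXXXX) || exit 1
    cat >"$tmp_sysidcfg" <<EOF
    system_locale=C
    terminal=xterm
    network_interface=primary {
      hostname=$object
    }
    security_policy=NONE
    name_service=NONE
    nfs4_domain=dynamic
    timezone=Europe/Berlin
    root_password=${ZONE_ROOT_PW_HASH:-AxHACyHmuCY0A}
EOF
    if ! pfexec mv "$tmp_sysidcfg" "$OPATH/etc/sysidcfg"; then
      rm -f "$tmp_sysidcfg"
      echo "Could not install sysidcfg into $OPATH, exiting." >&2
      exit 1
    fi
    pfexec zoneadm -z "$object" boot
  else
    echo "Zone initialisation failed, exiting." >&2
    exit 1
  fi
fi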
###
#

#
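### Wait for the zone to reach the multi-user milestone.
### The old loop had no bound: a zone that never came up (merely configured,
### or failed to boot) kept the script polling forever. zoneadm boot returns
### once the zone is running, so anything not "running" here will not come
### up by itself and is an error; the poll is then bounded by
### ZONE_BOOT_TIMEOUT seconds (default 600).
zone_state=$(zoneadm -z "$object" list -p 2>/dev/null|cut -d: -f3)
if [ "$zone_state" != "running" ]; then
  echo "Zone $object is not running (state: '${zone_state:-unknown}'), cannot wait for multi-user" >&2
  exit 1
fi
echo -n "Waiting for initilization of zone"
waited=0
while test "$(pfexec zlogin "$object" svcs multi-user|grep multi-user|awk '{print $1}')" != "online"
do
  if [ "$waited" -ge "${ZONE_BOOT_TIMEOUT:-600}" ]; then
    echo " timed out after ${waited}s, exiting." >&2
    exit 1
  fi
  echo -n "."; sleep 2
  waited=$((waited + 2))
done
###
#
echo " complete."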

######################################################################
# Setting up basic configuration and security settings
######################################################################

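echo -n "$object: prof "

# Add a "Primary Administrator" RBAC profile to the zone's prof_attr and
# exec_attr unless one is already there. The exec_attr entry is
# "*:uid=0;gid=0", i.e. any command as root for every account carrying the
# profile (the infra account created below does) -- this is full root via
# pfexec, not a limited role.
# The edited copy goes to a private temp file (the old code wrote
# "prof_attr.$zone" into the current directory, with $zone never set) and is
# moved into place only if awk succeeded, so a failed read can no longer
# replace the zone's database with an empty file. mktemp creates 0600; the
# copy is set back to 0644 because these databases are normally
# world-readable. Ownership after the cross-filesystem mv is that of the
# invoking user, as before.
if pfexec grep "Prim" "$OPATH/etc/security/prof_attr" >/dev/null
then
  echo -n "ok  exec "
else
  echo -n "nok exec "
  tmp_prof=$(mktemp /tmp/prof_attr.XXXXXX) || exit 1
  if pfexec awk '{print}/All:::Execute any command as the user or role:help=RtAll.html/{print "Primary Administrator:::Can perform all administrative tasks:auths=solaris.*,solaris.grant;help=RtPriAdmin.html"}' "$OPATH/etc/security/prof_attr" >"$tmp_prof"
  then
    chmod 644 "$tmp_prof"
    pfexec mv "$tmp_prof" "$OPATH/etc/security/prof_attr"
  fi
  rm -f "$tmp_prof"
fi

if pfexec grep "Prim" "$OPATH/etc/security/exec_attr" >/dev/null
then
  echo "ok"
else
  echo "nok"
  tmp_exec=$(mktemp /tmp/exec_attr.XXXXXX) || exit 1
  if pfexec awk '{print}/All/{print "Primary Administrator:suser:cmd:::*:uid=0;gid=0"}' "$OPATH/etc/security/exec_attr" >"$tmp_exec"
  then
    chmod 644 "$tmp_exec"
    pfexec mv "$tmp_exec" "$OPATH/etc/security/exec_attr"
  fi
  rm -f "$tmp_exec"
fi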


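# Pre-login banner: the zone name, unless the zone already has an /etc/issue.
if pfexec test ! -e "$OPATH/etc/issue"; then
  tmp_issue=$(mktemp /tmp/issue.XXXXXX) || exit 1
  if banner "$object" >"$tmp_issue"; then
    chmod 644 "$tmp_issue"
    pfexec mv "$tmp_issue" "$OPATH/etc/issue"
  fi
  rm -f "$tmp_issue"
fi

# Rewrite the zone's stock sshd_config (stdin -> stdout): protocol 2 only,
# IPv4 listener only, a MaxStartups limit, the /etc/issue banner, and no
# password / keyboard-interactive authentication (keys are installed from
# LDAP below). The two authentication rules match the directive whether or
# not it is commented out: the old unanchored
# 's/PasswordAuthentication yes/.../' turned "#PasswordAuthentication yes"
# into "#PasswordAuthentication no", which leaves sshd at its default of
# password authentication *enabled*.
harden_sshd_config() {
  sed -e 's/^#Protocol 2/Protocol 2/' -e 's/^Protocol 2,1/#Protocol 2,1/' \
      -e 's/#ListenAddress 0.0.0.0/ListenAddress 0.0.0.0/' -e 's/^ListenAddress ::/#ListenAddress ::/' \
      -e 's/#MaxStartups 10:30:60/MaxStartups 10:30:60/' -e 's/#Banner \/etc\/issue/Banner \/etc\/issue/' \
      -e 's/^#\{0,1\}PasswordAuthentication .*/PasswordAuthentication no/' \
      -e 's/^#\{0,1\}PAMAuthenticationViaKBDInt .*/PAMAuthenticationViaKBDInt no/'
}

# Replace the file only if the copy out of the zone succeeded and produced
# something: a failed "pfexec cat" used to install an empty sshd_config,
# which silently reverts every setting above to the sshd defaults.
# NOTE(review): the zone is already booted at this point, so its sshd keeps
# running with the stock configuration until the reboot at the end of the
# script picks this file up.
tmp_sshd=$(mktemp /tmp/sshd_config.XXXXXX) || exit 1
if (set -o pipefail; pfexec cat "$OPATH/etc/ssh/sshd_config" | harden_sshd_config >"$tmp_sshd") && [ -s "$tmp_sshd" ]; then
  chmod 644 "$tmp_sshd"
  pfexec mv "$tmp_sshd" "$OPATH/etc/ssh/sshd_config"
else
  echo "$object: could not rewrite sshd_config, leaving the zone's copy untouched" >&2
fi
rm -f "$tmp_sshd"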

# Switch off the network-facing and legacy services a fresh zone does not
# need (the r-services, telnet/ftp/finger, the NFS client side, inetd and the
# SAC listener among them). One svcadm call; the FMRIs are kept as a list so
# an addition is a single line.
zone_disabled_services=(
  wbem sendmail rpc_ticotsord rusers rstat finger autofs stdiscover
  telnet nfs/client rquota ktkt_warn ftp stlisten rlogin gss stosreg nlockmgr cbd mapid nfs/status
  bind network/shell:default sac inetd autoreg
)
pfexec zlogin "$object" svcadm disable "${zone_disabled_services[@]}"

######################################################################
# verify user setup
######################################################################

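# Decode an attribute value that "ldapsearch -T" printed base64 on a single
# line. openssl's base64 decoder wants 64-column input, so re-wrap with fold;
# there is no upper limit on the value length any more (the former
# hard-coded "cut -c1-832" chunking silently truncated anything longer,
# which for an authorized_keys line means a key that never matches).
ldap_b64_decode() {
  fold -w 64 | openssl enc -d -base64
}

# Bootstrap account "infra" (uid/gid 200). It carries the Primary
# Administrator profile installed above, so whoever holds the private key
# matching the LDAP userCertificate of uid=infra is root on this zone via
# pfexec -- and that value arrives through the same unauthenticated,
# unencrypted search as everything else.
if ! pfexec grep infra "$OPATH/etc/group" >/dev/null 2>&1
then
  pfexec mkdir -p "$OPATH/export/home/infra/.ssh"
  pfexec zlogin "$object" groupadd -g 200 infra
  pfexec zlogin "$object" useradd -g infra -u 200 -d /export/home/infra \
    -P "'Basic Solaris User,All,Primary Administrator'" infra

  b64=$($SEARCH -b ou=people,dc=pribas,dc=com uid=infra userCertificate|grep userCertificate|cut -d' ' -f2)
  if [ -z "$b64" ]; then
    echo "User does not exist or no certificate is stored in ldap" >&2
  else
    # mktemp instead of the predictable /tmp/tmp.authorized_keys; the 0600
    # mode it creates is fine for authorized_keys.
    tmp_keys=$(mktemp /tmp/authorized_keys.XXXXXX) || exit 1
    if printf '%s\n' "$b64" | ldap_b64_decode >"$tmp_keys"; then
      pfexec mv "$tmp_keys" "$OPATH/export/home/infra/.ssh/authorized_keys"
    else
      echo "Could not decode the stored key for infra" >&2
    fi
    rm -f "$tmp_keys"
  fi
  pfexec zlogin "$object" /usr/bin/chown -R infra:infra /export/home/infra
  # NOTE(review): the account was created without a password and "passwd -u"
  # removes the lock useradd set. Confirm what the shadow entry looks like
  # afterwards (an empty field would mean no password at all): sshd password
  # authentication is switched off above, but the zone console is not.
  pfexec zlogin "$object" /usr/bin/passwd -u infra
fi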

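# Make the zone an LDAP client unless it already is one. As written, the
# proxy password goes on the ldapclient command line, so it is expected to be
# visible in the process list of the zone and the global zone for the
# duration of the call. LDAP_PROXY_PASSWORD lets the value come from the
# caller's (root-only) environment; the fallback is the literal this script
# has always used, which is now readable by anyone who can read this page and
# should be rotated.
LDAP_PROXY_PASSWORD="${LDAP_PROXY_PASSWORD:-SolarisRulz}"
if pfexec test ! -e "$OPATH/var/ldap/ldap_client_file"; then
  pfexec zlogin "$object" ldapclient init -a domainName=pribas -a profilename=fra.west \
    -a proxyDN=cn=solaris,ou=LDAPauth,dc=pribas,dc=com -a "proxyPassword=$LDAP_PROXY_PASSWORD" "$LDAP_HOST"
fi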

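# Decode an attribute value that "ldapsearch -T" printed base64 on a single
# line: openssl wants 64-column input, so re-wrap with fold. No length
# limit, unlike the former hard-coded "cut -c1-832" chunking that silently
# truncated long keys. (Same helper as for the infra account; duplicated so
# this section stands on its own.)
ldap_b64_decode() {
  fold -w 64 | openssl enc -d -base64
}

# Create the home directory and install the LDAP-stored SSH key for every
# person whose destinationIndicator names this zone; uid/gid/home come from
# LDAP, the account itself resolves through the client configured above.
# The old loop never decoded anything: the "|" in front of openssl was
# missing, so "openssl" was just more text for echo and
# /tmp/tmp.authorized_keys was never written.
for user in $($SEARCH -b ou=people,dc=pribas,dc=com destinationIndicator=$object uid|grep 'uid:'|cut -d' ' -f2)
do
  dir=$($SEARCH -b ou=people,dc=pribas,dc=com uid=$user homeDirectory|grep homeDirectory|cut -d ' ' -f2)
  # homeDirectory is chown -R'ed inside the zone, so refuse anything that is
  # not a plain absolute path (empty, relative, "/", or containing "..").
  case "$dir" in
    ''|/|*/..|*/../*|[!/]*)
      echo "Refusing unexpected homeDirectory '$dir' for $user" >&2
      exit 1
      ;;
  esac
  if pfexec test ! -d "$OPATH/$dir"
  then
    gid=$($SEARCH -b ou=people,dc=pribas,dc=com uid=$user gidNumber|grep gidNumber|cut -d ' ' -f2)
    if [ -z "$gid" ]; then
      echo "User does not exist or is not configured for unix account." >&2
      exit 1
    fi

    pfexec mkdir -p "$OPATH/$dir/.ssh"
    b64=$($SEARCH -b ou=people,dc=pribas,dc=com -T uid=$user userCertificate|grep userCertificate|cut -d' ' -f2)
    if [ -z "$b64" ]; then
      echo "User does not exist or no certificate is stored in ldap" >&2
    else
      tmp_keys=$(mktemp /tmp/authorized_keys.XXXXXX) || exit 1
      if printf '%s\n' "$b64" | ldap_b64_decode >"$tmp_keys"; then
        pfexec mv "$tmp_keys" "$OPATH/$dir/.ssh/authorized_keys"
      else
        echo "Could not decode the stored key for $user" >&2
      fi
      rm -f "$tmp_keys"
    fi
    pfexec zlogin "$object" /usr/bin/chown -R "$user:$gid" "$dir"
  fi
done

# Final reboot so the zone comes up with the rewritten sshd_config, the
# disabled services and the LDAP client configuration all in effect.
pfexec zoneadm -z "$object" reboot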

Enable User

#!/bin/bash

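# Enable User: create $1's home directory on this host and install the SSH
# public key kept in LDAP (userCertificate, printed raw with -B/-F) as its
# authorized_keys. uid/gid/home come from an ldapsearch with no bind DN and
# no TLS option, so whatever that unauthenticated, unencrypted query returns
# decides which key becomes valid for the account.
if [ $# -ne 1 ] || [ -z "$1" ]; then
  echo "Usage: $0 USERNAME" >&2
  exit 2
fi
case "$1" in
  *[!A-Za-z0-9._-]*|-*)
    echo "Invalid user name '$1'" >&2
    exit 2
    ;;
esac
user="$1"

# LDAP server: the first NS_LDAP_SERVERS entry of the client file when this
# host is an LDAP client, otherwise the .0.99 address built from the first
# two octets of whichever interface "ifconfig -a" happens to print last -- a
# heuristic, not a guarantee.
if test -e /var/ldap/ldap_client_file
then
  LDAP_HOST=$(pfexec grep NS_LDAP_SERVERS /var/ldap/ldap_client_file|cut -f2 -d'='|cut -f1 -d','|sed -e 's/ //g')
else
  LDAP_HOST="$(ifconfig -a|tail -1|cut -f2 -d' '|cut -d'.' -f1-2|sed -e 's/ //g').0.99"
fi

DEFGID=1500   # group used when LDAP carries no gidNumber for the user

me="$(id|cut -d'(' -f2|cut -d')' -f1)"   # invoking user name, from id(1)

dir=$(ldapsearch -h "$LDAP_HOST" -b dc=pribas,dc=com "uid=$user" homeDirectory|grep homeDirectory|cut -d ' ' -f2)
gid=$(ldapsearch -h "$LDAP_HOST" -b dc=pribas,dc=com "uid=$user" gidNumber|grep gidNumber|cut -d ' ' -f2)

if [ -z "$dir" ]; then
  echo "User does not exist or is not configured for unix account - home directory missing" >&2
  exit 1
fi
# The whole path is chown -R'ed to the user below: accept only a plain
# absolute path (not "/", not relative, no ".." components).
case "$dir" in
  /|*/..|*/../*|[!/]*)
    echo "Refusing unexpected homeDirectory '$dir'" >&2
    exit 1
    ;;
esac
if [ -z "$gid" ]; then
  echo "User does not exist or is not configured for unix account - group id missing" >&2
  gid=$DEFGID
fi

pfexec mkdir -p "$dir/.ssh"
pfexec chown "$me" "$dir/.ssh"
key="$(ldapsearch -h "$LDAP_HOST" -b dc=pribas,dc=com -T -B -F ' ' "uid=$user" userCertificate|grep userCertificate|cut -d' ' -f2-)"
# No key means nothing to enable; previously an empty authorized_keys was
# written over whatever was there.
if [ -z "$key" ]; then
  echo "User does not exist or no certificate is stored in ldap" >&2
  exit 1
fi
# Written 0600 rather than with the caller's umask, then handed to the user.
( umask 077; printf '%s\n' "$key" > "$dir/.ssh/authorized_keys" )
pfexec chown -R "$user:$gid" "$dir"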