now qemu and ssh use local configurations
This commit is contained in:
parent
e1dd6180a2
commit
546ce6e73c
105
cbox-build.sh
105
cbox-build.sh
|
@ -41,23 +41,25 @@ CONFIG="dfs.cbox.conf"
|
||||||
# the build directory (will be ERASED without warning)
|
# the build directory (will be ERASED without warning)
|
||||||
BUILDDIR="_builddir/cd1"
|
BUILDDIR="_builddir/cd1"
|
||||||
# image directory created by dfsbuild
|
# image directory created by dfsbuild
|
||||||
IMAGEDIR_ORIG="$BUILDDIR/image"
|
IMAGE_DIR_ORIG="$BUILDDIR/image"
|
||||||
# a working copy of the image directory
|
# a working copy of the image directory
|
||||||
IMAGEDIR="$BUILDDIR/image-working"
|
IMAGE_DIR="$BUILDDIR/image-working"
|
||||||
# template directory for cryptobox specific configuration
|
# template directory for cryptobox specific configuration
|
||||||
TEMPLATEDIR="cryptobox.conf.d"
|
TEMPLATE_DIR="cryptobox.conf.d"
|
||||||
# the iso image
|
# the iso image
|
||||||
IMAGEFILE="$BUILDDIR/cryptobox.iso"
|
IMAGE_FILE="$BUILDDIR/cryptobox.iso"
|
||||||
# temporary directory
|
# temporary directory
|
||||||
TMPDIR="/tmp/`basename $0`-$$"
|
TMP_DIR="/tmp/`basename $0`-$$"
|
||||||
HD_IMAGE="/tmp/`basename $0`-testplatte.img"
|
HD_IMAGE="/tmp/`basename $0`-testplatte.img"
|
||||||
# mkisofs options (the option "-U" is not clean, but it prevents long filenames from getting mapped)
|
# mkisofs options (the option "-U" is not clean, but it prevents long filenames from getting mapped)
|
||||||
MKISOFS_OPTIONS="-allow-multidot -U -D -iso-level 3 -b boot/grub/stage2_eltorito -no-emul-boot -boot-load-size 1 -boot-info-table -pad -R"
|
MKISOFS_OPTIONS="-allow-multidot -U -D -iso-level 3 -b boot/grub/stage2_eltorito -no-emul-boot -boot-load-size 1 -boot-info-table -pad -R"
|
||||||
CHROOTSTART="/usr/lib/cryptobox/chroot-start.sh"
|
CHROOTSTART="/usr/lib/cryptobox/chroot-start.sh"
|
||||||
CDWRITER="0,0,0"
|
CDWRITER="0,0,0"
|
||||||
|
LOCALCONF_DIR=local.conf.d
|
||||||
# for development diffs and merges from a running cryptobox
|
# for development diffs and merges from a running cryptobox
|
||||||
REMOTE_COMMAND="ssh -l root `cat \"$TEMPLATEDIR/usr/share/cryptobox/defaults/ip\"` /usr/lib/cryptobox/devel-features.sh"
|
SSH_CONFIG_FILE="$LOCALCONF_DIR/ssh-options"
|
||||||
REMOTE_COPY_DEST="root@`cat \"$TEMPLATEDIR/usr/share/cryptobox/defaults/ip\"`:/tmp/mirror/"
|
SSH_HOST=cryptobox
|
||||||
|
REMOTE_COMMAND="/usr/lib/cryptobox/devel-features.sh"
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
@ -71,63 +73,80 @@ function run_dfsbuild()
|
||||||
function create_iso()
|
function create_iso()
|
||||||
{
|
{
|
||||||
echo "Creating the iso ..."
|
echo "Creating the iso ..."
|
||||||
mkisofs $MKISOFS_OPTIONS -o "$IMAGEFILE" "$IMAGEDIR"
|
mkisofs $MKISOFS_OPTIONS -o "$IMAGE_FILE" "$IMAGE_DIR"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
function qemu_boot()
|
function qemu_boot()
|
||||||
{
|
{
|
||||||
|
# create a virtual harddisk image file
|
||||||
if [ ! -e "$HD_IMAGE" ]
|
if [ ! -e "$HD_IMAGE" ]
|
||||||
then echo "Creating temporary harddisk image ..."
|
then echo "Creating temporary harddisk image ..."
|
||||||
dd if=/dev/zero of="$HD_IMAGE" bs=1M count=20
|
dd if=/dev/zero of="$HD_IMAGE" bs=1M count=20
|
||||||
fi
|
fi
|
||||||
|
# create default qemu-ifup
|
||||||
|
if [ ! -e "$LOCALCONF_DIR/qemu-ifup" ]
|
||||||
|
then [ ! -d "$LOCALCONF_DIR" ] && mkdir "$LOCALCONF_DIR"
|
||||||
|
cp "misc/qemu-ifup.default" "$LOCALCONF_DIR/qemu-ifup"
|
||||||
|
fi
|
||||||
echo "Starting qemu ..."
|
echo "Starting qemu ..."
|
||||||
qemu -cdrom "$IMAGEFILE" -m 64 -hda "$IMAGEFILE" -boot d -n misc/qemu-ifup || true
|
qemu -cdrom "$IMAGE_FILE" -m 64 -hda "$IMAGE_FILE" -boot d -n "$LOCALCONF_DIR/qemu-ifup" || true
|
||||||
# remove iptables rules
|
# remove iptables rules
|
||||||
misc/qemu-ifup stop
|
"$LOCALCONF_DIR/qemu-ifup" stop
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
function init_working_directory()
|
function init_working_directory()
|
||||||
{
|
{
|
||||||
cat /proc/mounts | grep -q "`basename $IMAGEDIR`/proc" && umount "$IMAGEDIR/proc"
|
cat /proc/mounts | grep -q "`basename $IMAGE_DIR`/proc" && umount "$IMAGE_DIR/proc"
|
||||||
[ -e "$IMAGEDIR" ] && echo "Removing old image dir ..." && rm -r "$IMAGEDIR"
|
[ -e "$IMAGE_DIR" ] && echo "Removing old image dir ..." && rm -r "$IMAGE_DIR"
|
||||||
echo "Copying the dfsbuild-image ..."
|
echo "Copying the dfsbuild-image ..."
|
||||||
cp -a "$IMAGEDIR_ORIG" "$IMAGEDIR"
|
cp -a "$IMAGE_DIR_ORIG" "$IMAGE_DIR"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
function configure_cb()
|
function configure_cb()
|
||||||
{
|
{
|
||||||
if [ ! -e "$IMAGEDIR" ]; then
|
if [ ! -e "$IMAGE_DIR" ]; then
|
||||||
echo -e "Directory \"$IMAGEDIR\" not found!"
|
echo -e "Directory \"$IMAGE_DIR\" not found!"
|
||||||
echo -e "Did you run \"$0 dfsbuild\"?"
|
echo -e "Did you run \"$0 dfsbuild\"?"
|
||||||
echo -e "Otherwise try \"$0 revert\" to fix this."
|
echo -e "Otherwise try \"$0 revert\" to fix this."
|
||||||
exit
|
exit
|
||||||
fi
|
fi
|
||||||
|
|
||||||
echo "Copying files into the box ..."
|
echo "Copying files into the box ..."
|
||||||
[ -e "$TMPDIR" ] && rm -rf "$TMPDIR"
|
[ -e "$TMP_DIR" ] && rm -rf "$TMP_DIR"
|
||||||
cp -dr "$TEMPLATEDIR/." "$TMPDIR"
|
cp -dr "$TEMPLATE_DIR/." "$TMP_DIR"
|
||||||
rm -rf `find "$TMPDIR" -type d -name ".svn"`
|
rm -rf `find "$TMP_DIR" -type d -name ".svn"`
|
||||||
cp -dr "$TMPDIR/." "$IMAGEDIR"
|
cp -dr "$TMP_DIR/." "$IMAGE_DIR"
|
||||||
rm -rf "$TMPDIR"
|
rm -rf "$TMP_DIR"
|
||||||
|
|
||||||
echo "Configuring the cryptobox ..."
|
echo "Configuring the cryptobox ..."
|
||||||
# "harden" removes /etc/issue ...
|
# "harden" removes /etc/issue ...
|
||||||
if [ -e "$IMAGEDIR/etc/issue" ]
|
if [ -e "$IMAGE_DIR/etc/issue" ]
|
||||||
then sed -i "s/^Version:.*/Revision: $(fetch_revision)/" "$IMAGEDIR/etc/issue"
|
then sed -i "s/^Version:.*/Revision: $(fetch_revision)/" "$IMAGE_DIR/etc/issue"
|
||||||
else echo "Version:.*/Revision: $(fetch_revision)" >"$IMAGEDIR/etc/issue"
|
else echo "Version:.*/Revision: $(fetch_revision)" >"$IMAGE_DIR/etc/issue"
|
||||||
fi
|
fi
|
||||||
fetch_revision >"$IMAGEDIR/etc/cryptobox/revision"
|
fetch_revision >"$IMAGE_DIR/etc/cryptobox/revision"
|
||||||
chroot "$IMAGEDIR" "$CHROOTSTART" /usr/lib/cryptobox/configure-cryptobox.sh normal
|
chroot "$IMAGE_DIR" "$CHROOTSTART" /usr/lib/cryptobox/configure-cryptobox.sh normal
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
function fetch_revision()
|
function fetch_revision()
|
||||||
{
|
{
|
||||||
svn -R info| grep ^Revision| cut -f2 -d " " | sort | tail -1
|
svn -R info| grep ^Revision| cut -f2 -d " " | sort | tail -1
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
function check_ssh_defaults()
|
||||||
|
{
|
||||||
|
if [ ! -e "$SSH_CONFIG_FILE" ]
|
||||||
|
then [ ! -d "$LOCALCONF_DIR" ] && mkdir "$LOCALCONF_DIR"
|
||||||
|
cp misc/ssh-options.default "$SSH_CONFIG_FILE"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
function upload2devel()
|
function upload2devel()
|
||||||
# upload local files to a development cryptobox
|
# upload local files to a development cryptobox
|
||||||
# this is necessary to use an "old" development cd with
|
# this is necessary to use an "old" development cd with
|
||||||
|
@ -137,18 +156,19 @@ function upload2devel()
|
||||||
# of course, only the directories that are mapped to tmpfs can
|
# of course, only the directories that are mapped to tmpfs can
|
||||||
# be updated this way
|
# be updated this way
|
||||||
{
|
{
|
||||||
|
check_ssh_defaults
|
||||||
local DIRS="var/www usr/share/cryptobox usr/lib/cryptobox"
|
local DIRS="var/www usr/share/cryptobox usr/lib/cryptobox"
|
||||||
[ -e "$TMPDIR" ] || mkdir -p "$TMPDIR"
|
[ -e "$TMP_DIR" ] || mkdir -p "$TMP_DIR"
|
||||||
for a in $DIRS
|
for a in $DIRS
|
||||||
do mkdir -p "$TMPDIR/$a"
|
do mkdir -p "$TMP_DIR/$a"
|
||||||
cp -r "$TEMPLATEDIR/$a/." "$TMPDIR/$a"
|
cp -r "$TEMPLATE_DIR/$a/." "$TMP_DIR/$a"
|
||||||
done
|
done
|
||||||
find "$TMPDIR" -type d -name '\.svn' | while read a
|
find "$TMP_DIR" -type d -name '\.svn' | while read a
|
||||||
do rm -rf "$a"
|
do rm -rf "$a"
|
||||||
done
|
done
|
||||||
scp -rpq "$TMPDIR/." "$REMOTE_COPY_DEST"
|
scp -F "$SSH_CONFIG_FILE" -rpq "$TMP_DIR/." cryptobox:/tmp/mirror
|
||||||
rm -rf "$TMPDIR"
|
rm -rf "$TMP_DIR"
|
||||||
$REMOTE_COMMAND set_diff_base
|
ssh -F "$SSH_CONFIG_FILE" $SSH_HOST $REMOTE_COMMAND set_diff_base
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
@ -156,14 +176,14 @@ function merge_from_devel()
|
||||||
# merge a diff from a running development cryptobox into
|
# merge a diff from a running development cryptobox into
|
||||||
# this working directory
|
# this working directory
|
||||||
{
|
{
|
||||||
cd "$TEMPLATEDIR"
|
check_ssh_defaults
|
||||||
echo "Check for collisions ... (dry-run)"
|
echo "Check for collisions ... (dry-run)"
|
||||||
if $REMOTE_COMMAND diff | patch --dry-run -p1
|
if ssh -F "$SSH_CONFIG_FILE" $SSH_HOST $REMOTE_COMMAND diff | patch --dry-run -p1 -d "$TEMPLATE_DIR"
|
||||||
then echo
|
then echo
|
||||||
echo "Applying diff ..."
|
echo "Applying diff ..."
|
||||||
$REMOTE_COMMAND diff | patch -p1
|
ssh -F "$SSH_CONFIG_FILE" $SSH_HOST $REMOTE_COMMAND diff | patch -p1 -d "$TEMPLATE_DIR"
|
||||||
# set the base for the next diff to present state
|
# set the base for the next diff to present state
|
||||||
$REMOTE_COMMAND set_diff_base
|
ssh -F "$SSH_CONFIG_FILE" $SSH_HOST $REMOTE_COMMAND set_diff_base
|
||||||
else echo "Merging will fail - do it manually!"
|
else echo "Merging will fail - do it manually!"
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
@ -172,7 +192,7 @@ function merge_from_devel()
|
||||||
function blanknburn_cdrw()
|
function blanknburn_cdrw()
|
||||||
{
|
{
|
||||||
cdrecord -v dev=$CDWRITER blank=fast
|
cdrecord -v dev=$CDWRITER blank=fast
|
||||||
cdrecord -v dev=$CDWRITER $IMAGEFILE
|
cdrecord -v dev=$CDWRITER $IMAGE_FILE
|
||||||
}
|
}
|
||||||
################ do it! ######################
|
################ do it! ######################
|
||||||
|
|
||||||
|
@ -198,22 +218,23 @@ while [ $# -gt 0 ]
|
||||||
;;
|
;;
|
||||||
diff )
|
diff )
|
||||||
# get a diff from a running development cryptobox
|
# get a diff from a running development cryptobox
|
||||||
$REMOTE_COMMAND diff
|
check_ssh_defaults
|
||||||
|
ssh -F "$SSH_CONFIG_FILE" $SSH_HOST $REMOTE_COMMAND diff
|
||||||
;;
|
;;
|
||||||
merge )
|
merge )
|
||||||
merge_from_devel
|
merge_from_devel
|
||||||
;;
|
;;
|
||||||
harden )
|
harden )
|
||||||
chroot "$IMAGEDIR" "$CHROOTSTART" /usr/lib/cryptobox/configure-cryptobox.sh secure
|
chroot "$IMAGE_DIR" "$CHROOTSTART" /usr/lib/cryptobox/configure-cryptobox.sh secure
|
||||||
;;
|
;;
|
||||||
upload )
|
upload )
|
||||||
upload2devel
|
upload2devel
|
||||||
;;
|
;;
|
||||||
chroot )
|
chroot )
|
||||||
if [ ! -x "$IMAGEDIR/$CHROOTSTART" ]
|
if [ ! -x "$IMAGE_DIR/$CHROOTSTART" ]
|
||||||
then echo "the chroot init script ("$IMAGEDIR/$CHROOTSTART") is not executable"
|
then echo "the chroot init script ("$IMAGE_DIR/$CHROOTSTART") is not executable"
|
||||||
echo "maybe you should run '`basename $0` cb-config' first"
|
echo "maybe you should run '`basename $0` cb-config' first"
|
||||||
else chroot "$IMAGEDIR" "$CHROOTSTART"
|
else chroot "$IMAGE_DIR" "$CHROOTSTART"
|
||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
burn )
|
burn )
|
||||||
|
|
|
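Review bot: In the qemu_boot hunk the line `qemu -cdrom "$IMAGE_FILE" -m 64 -hda "$IMAGE_FILE" -boot d -n "$LOCALCONF_DIR/qemu-ifup" || true` passes the ISO as the hard disk as well, while `$HD_IMAGE`, which the `dd` a few lines above creates for exactly this purpose, is never used; it looks like `-hda` should read `-hda "$HD_IMAGE"`. The same inconsistency shows up in the upload2devel hunk, where `scp -F "$SSH_CONFIG_FILE" -rpq "$TMP_DIR/." cryptobox:/tmp/mirror` hardcodes the host name although the ssh calls next to it use `$SSH_HOST`; `scp -F "$SSH_CONFIG_FILE" -rpq "$TMP_DIR/." "$SSH_HOST:/tmp/mirror"` keeps them in step with the `Host cryptobox` stanza in the new ssh-options file. The `[ ! -d "$LOCALCONF_DIR" ] && mkdir "$LOCALCONF_DIR"` guard appears twice (qemu_boot and check_ssh_defaults); `mkdir -p "$LOCALCONF_DIR"` does the same in one call and does not yield a non-zero status when the directory already exists.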
@ -1,92 +0,0 @@
|
||||||
#!/bin/sh
|
|
||||||
set -u
|
|
||||||
|
|
||||||
## http://www2.goldfisch.at/knowledge/142 beschreibt's recht gut
|
|
||||||
|
|
||||||
|
|
||||||
CA_DIR="CA/"
|
|
||||||
# enthaelt das Verzeichnis "demoCA" (siehe unten: CA-Erzeugung)
|
|
||||||
|
|
||||||
KEYSIZE=1024
|
|
||||||
CONFIG="openssl.conf"
|
|
||||||
TIME="365"
|
|
||||||
|
|
||||||
TMPREQ="/tmp/mein-apache-cert.req"
|
|
||||||
TMPRAN="/tmp/mein-apache-cert.random"
|
|
||||||
CSR_FILE=$1.csr
|
|
||||||
KEY_FILE1=$1-temp.key
|
|
||||||
KEY_FILE2=$1.key
|
|
||||||
CRT_FILE=$1.crt
|
|
||||||
|
|
||||||
|
|
||||||
if test -z "$1";
|
|
||||||
then echo "Syntax: $0 ZERTIFIKATS-DATEI [CA-Datei]"
|
|
||||||
echo " (die Dateienedungen (key, csr, crt) werden automatisch angefuegt)"
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
|
|
||||||
echo "Erzeuge Zufallszahlen ..."
|
|
||||||
echo "-----------------------------------------------"
|
|
||||||
# erzeugt eine große menge an zufallszahlen abhängig von keysize
|
|
||||||
dd if=/dev/urandom of=$TMPRAN bs=$KEYSIZE count=$KEYSIZE || exit 2
|
|
||||||
sleep 1
|
|
||||||
|
|
||||||
echo -e "\nErzeuge den Schluessel ..."
|
|
||||||
echo "-----------------------------------------------"
|
|
||||||
openssl genrsa -rand $TMPRAN $KEYSIZE > $KEY_FILE1 || exit 3
|
|
||||||
# z.B.: -des3 um Verschluesselung des Zertifikats zu aktivieren
|
|
||||||
|
|
||||||
# found that way in http://www.rpatrick.com/tech/makecert/
|
|
||||||
openssl rsa -in $KEY_FILE1 -out $KEY_FILE2
|
|
||||||
chmod go-rwx $KEY_FILE2
|
|
||||||
|
|
||||||
echo -e "\nErzeuge die X509-Informationen ..."
|
|
||||||
echo "-----------------------------------------------"
|
|
||||||
# wichtige parameter werden aus der config gelesen
|
|
||||||
openssl req -new -x509 -key $KEY_FILE2 -config $CONFIG > $TMPREQ || exit 4
|
|
||||||
#openssl req -new -x509 -key $KEY_FILE -config $CONFIG > $TMPREQ || exit 4
|
|
||||||
chmod go-rwx $TMPREQ
|
|
||||||
|
|
||||||
echo -e "\nFuege das Zertifikat zusammen ..."
|
|
||||||
echo "-----------------------------------------------"
|
|
||||||
cat $TMPREQ $KEY_FILE2 >$CSR_FILE || exit 5
|
|
||||||
chmod go-rwx $CSR_FILE
|
|
||||||
|
|
||||||
echo -e "\nLoesche temporaere Dateien ..."
|
|
||||||
echo "-----------------------------------------------"
|
|
||||||
rm $TMPRAN $TMPREQ $KEY_FILE1
|
|
||||||
|
|
||||||
echo -e "\nDie Signierungsanforderung $CSR_FILE wurde erzeugt!"
|
|
||||||
|
|
||||||
test -e "$CA_DIR" || exit 0
|
|
||||||
|
|
||||||
# nun wird per CA zertifiziert ...
|
|
||||||
# die CA wird erstmalig durch das Skript CA.sh mit dem Parameter "-newca" erstellt
|
|
||||||
|
|
||||||
AKT_DIR=`pwd`
|
|
||||||
|
|
||||||
echo -e "\nDiese wird nun von der CA signiert ...\n"
|
|
||||||
|
|
||||||
echo "--kopiere"
|
|
||||||
cp $CSR_FILE ${CA_DIR}newreq.pem
|
|
||||||
|
|
||||||
[ -f newcert.pem ] && rm newcert.pem
|
|
||||||
echo "--signiere"
|
|
||||||
openssl x509 -x509toreq -in ${CA_DIR}newreq.pem -days $TIME -signkey ${CA_DIR}newreq.pem -out ${CA_DIR}tmp.pem || exit 6
|
|
||||||
echo "-signiere"
|
|
||||||
openssl ca -config $CONFIG -policy policy_anything -days $TIME -out ${CA_DIR}newcert.pem -infiles ${CA_DIR}tmp.pem || exit 7
|
|
||||||
echo "foo"
|
|
||||||
[ -f tmp.pem ] && rm tmp.pem && echo "tmp.pem gloescht"
|
|
||||||
|
|
||||||
if [ ! -s newcert.pem ];
|
|
||||||
then echo "Fehler: das neue Zertifikat wurde nicht erstellt!"
|
|
||||||
exit 8
|
|
||||||
fi
|
|
||||||
|
|
||||||
rm newreq.pem
|
|
||||||
echo $AKT_DIR
|
|
||||||
mv newcert.pem ${AKT_DIR}/$CRT_FILE || echo "fehla 9" && exit 9
|
|
||||||
cd $AKT_DIR
|
|
||||||
rm $CSR_FILE
|
|
||||||
|
|
||||||
echo -e "\nFertig!"
|
|
13
misc/ssh-options.default
Normal file
13
misc/ssh-options.default
Normal file
|
@ -0,0 +1,13 @@
|
||||||
|
Host cryptobox
|
||||||
|
|
||||||
|
# change this part according to your needs
|
||||||
|
HostName 192.168.0.23
|
||||||
|
Port 22
|
||||||
|
|
||||||
|
# this should be valid for everyone
|
||||||
|
User root
|
||||||
|
CheckHostIP no
|
||||||
|
StrictHostKeyChecking no
|
||||||
|
|
||||||
|
# nice for frequently changing server key due to a rebuild of the base system
|
||||||
|
UserKnownHostsFile /tmp/cryptobox-ssh-known_hosts
|
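Review bot: `StrictHostKeyChecking no` combined with `CheckHostIP no` and `UserKnownHostsFile /tmp/cryptobox-ssh-known_hosts` means the first connection accepts whatever host key is offered and records it under a predictable name in a world-writable directory, so the diff that cbox-build.sh later pipes straight into `patch -p1 -d "$TEMPLATE_DIR"` carries no host authentication at all. The comment above the last line explains that the key changes with every rebuild, but the known_hosts file does not have to live in /tmp for that; a path next to the config, e.g. `UserKnownHostsFile local.conf.d/ssh-known_hosts` (presumably relative paths resolve like the relative `-F` path the script already uses — worth confirming), keeps it out of reach of other local users and can still be deleted after a rebuild. The file should also state its trust assumption in a comment, something like `# host key checking is disabled: only use this against a throw-away test box on a trusted network`, so nobody copies it into a real deployment.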