Diffstat (limited to 'server')
-rwxr-xr-xserver/bin/checkperms4
-rwxr-xr-xserver/bin/getRepoIface9
-rwxr-xr-xserver/bin/oglivecli23
-rwxr-xr-xserver/bin/setclientmode90
-rwxr-xr-xserver/bin/setserveraddr1
-rwxr-xr-xserver/bin/setsmbpass2
-rwxr-xr-xserver/bin/setsslkey127
-rwxr-xr-xserver/bin/settoken83
-rwxr-xr-xserver/lib/ogfunctions.sh31
-rwxr-xr-xserver/lib/security-config40
-rw-r--r--server/tftpboot/grub/default65
-rw-r--r--server/tftpboot/grub/grub.cfg9
-rw-r--r--server/tftpboot/grub/templates/00unknown30
-rw-r--r--server/tftpboot/grub/templates/106
-rw-r--r--server/tftpboot/grub/templates/114
-rw-r--r--server/tftpboot/grub/templates/124
-rw-r--r--server/tftpboot/grub/templates/19pxeADMIN22
-rw-r--r--server/tftpboot/grub/templates/21UEFIpxe7
-rw-r--r--server/tftpboot/grub/templates/pxe37
-rw-r--r--server/tftpboot/menu.lst/templates/10 (renamed from server/tftpboot/menu.lst/templates/01)2
-rw-r--r--server/tftpboot/menu.lst/templates/114
-rw-r--r--server/tftpboot/menu.lst/templates/124
22 files changed, 535 insertions, 69 deletions
diff --git a/server/bin/checkperms b/server/bin/checkperms
index 5c558c45..3f79e2d3 100755
--- a/server/bin/checkperms
+++ b/server/bin/checkperms
@@ -44,6 +44,8 @@ find $OPENGNSYS_DIR/images -maxdepth 1 -exec chown :$OPENGNSYS_USER {} \;
find $OPENGNSYS_DIR/images -maxdepth 1 -type d -exec chmod 775 {} \;
find $OPENGNSYS_DIR/images -maxdepth 1 -type f -exec chmod 664 {} \;
find $OPENGNSYS_DIR/client/{interfaceAdm,scripts} ! -name "*.txt" -exec chmod +x {} \;
+chown -R $OPENGNSYS_USER:$OPENGNSYS_USER $OPENGNSYS_DIR/client/etc/ssl/private
+chmod -R go-rwx $OPENGNSYS_DIR/client/etc/ssl/private
chown $OPENGNSYS_USER:$OPENGNSYS_USER $OPENGNSYS_DIR/client/interfaceAdm/CambiarAcceso
chmod 700 $OPENGNSYS_DIR/client/interfaceAdm/CambiarAcceso
chown root:root $OPENGNSYS_DIR/etc/{ogAdmServer,ogAdmAgent}*.cfg
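Review bot: The two added lines (`chown -R ... client/etc/ssl/private` and `chmod -R go-rwx ...`) run unconditionally, so on an installation where that directory does not exist yet they print an error and nothing in the script reacts to it. If the directory is optional, guard both: `[ -d $OPENGNSYS_DIR/client/etc/ssl/private ] && chown -R $OPENGNSYS_USER:$OPENGNSYS_USER $OPENGNSYS_DIR/client/etc/ssl/private`, or create it first with `mkdir -p` the way the next hunk does for `www/{api,tmp}`. Whether checkperms runs under `set -e` is not visible from this hunk.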
@@ -53,7 +55,7 @@ chmod 640 $OPENGNSYS_DIR/{www/controlacceso*.php,etc/ogAdmRepo*.cfg}
chown -R $APACHE_USER:$APACHE_GROUP $OPENGNSYS_DIR/www/images/{fotos,iconos}
mkdir -p $OPENGNSYS_DIR/www/{api,tmp}
chown -R $APACHE_USER:$APACHE_GROUP $OPENGNSYS_DIR/www/{api,tmp}
-chown -R $APACHE_USER:$APACHE_GROUP $OPENGNSYS_DIR/tftpboot/menu.lst
+chown -R $APACHE_USER:$APACHE_GROUP $OPENGNSYS_DIR/tftpboot/{menu.lst,grub}
chown -R :$OPENGNSYS_USER $OPENGNSYS_DIR/tftpboot/ogLive*
find -L $OPENGNSYS_DIR/tftpboot -type d -exec chmod 755 {} \;
find -L $OPENGNSYS_DIR/tftpboot -type f -exec chmod 644 {} \;
diff --git a/server/bin/getRepoIface b/server/bin/getRepoIface
new file mode 100755
index 00000000..2ce208be
--- /dev/null
+++ b/server/bin/getRepoIface
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+# This script takes the IPlocal variable of the repository
+# and returns the system interface
+# Alfredo Luque <aluque@soleta.eu>
+
+source /opt/opengnsys/etc/ogAdmRepo.cfg
+
+ip addr show | grep $IPlocal | cut -f2 | awk '{ print $NF }'
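Review bot: `grep $IPlocal` on the last line uses the address as an unanchored regex, so `10.0.0.1` also matches `10.0.0.10`, `10.0.0.100` or `110.0.0.1`, the dots match any character, and an empty `$IPlocal` (config missing or variable absent) matches every line; `cut -f2` is a no-op because `ip addr show` output contains no tab, so the result currently rests on `awk '{print $NF}'` alone. One awk over the one-line form is exact: `ip -o -4 addr show | awk -v ip="$IPlocal" '$4 == ip || index($4, ip "/") == 1 {print $2; exit}'`. A `[ -r /opt/opengnsys/etc/ogAdmRepo.cfg ] || exit 1` before the `source` turns a missing config into a clear failure instead of an empty pattern.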
diff --git a/server/bin/oglivecli b/server/bin/oglivecli
index 451c3c12..ca8ac0f9 100755
--- a/server/bin/oglivecli
+++ b/server/bin/oglivecli
@@ -14,13 +14,14 @@
# Global constants definition.
-PROG=$(basename "$(realpath "$0")")
-OPENGNSYS=/opt/opengnsys
-DOWNLOADDIR=$OPENGNSYS/lib
-DOWNLOADURL="https://opengnsys.es/trac/downloads"
-TFTPDIR=$OPENGNSYS/tftpboot
-DEFOGLIVE="ogLive"
-INFOFILE=$OPENGNSYS/etc/ogliveinfo.json
+PROG=$(basename "$(realpath "$0")") # Program name.
+OPENGNSYS=/opt/opengnsys # OpenGnsys main directory.
+DOWNLOADDIR=$OPENGNSYS/lib # Directory to store ogLive images.
+DOWNLOADURL="https://opengnsys.es/trac/downloads" # Download URL.
+TFTPDIR=$OPENGNSYS/tftpboot # TFTP directory.
+DEFOGLIVE="ogLive" # Default ogLive directory.
+MINREL=20190601 # Mininum ogLive compatibility release.
+INFOFILE=$OPENGNSYS/etc/ogliveinfo.json # Configuration file.
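Review bot: The new comment on the `MINREL` line misspells "Minimum" as `Mininum`, and the user-visible line added in the next hunk (`Mainimum compatibility release: r$MINREL`) gets the word wrong a second time; the latter is program output, so it is worth fixing before it shows up in documentation. Suggested: `MINREL=20190601 # Minimum ogLive compatibility release.` and `Minimum compatibility release: r$MINREL`.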
# Auxiliar functions.
@@ -154,6 +155,7 @@ ogLive download URL: $DOWNLOADURL
ogLive download directory: $DOWNLOADDIR
ogLive installation directory: $TFTPDIR
Default ogLive name: $DEFOGLIVE
+Mainimum compatibility release: r$MINREL
EOT
;;
1) # Show specified parameter.
@@ -163,6 +165,7 @@ EOT
download-dir) echo "$DOWNLOADDIR" ;;
install-dir) echo "$TFTPDIR" ;;
default-name) echo "$DEFOGLIVE" ;;
+ min-release) echo "r$MINREL" ;;
*) raiseError notfound "$1" ;;
esac
;;
@@ -208,6 +211,8 @@ function check() {
[ $DOWNLOADDIR/$DEF -nt $TFTPDIR/$INST ] && echo "$DEF"
done)
[ -n "$AUX" ] && echo "Some ISOs are downloaded after installation: ${AUX//$'\n'/, }" && let ERR++
+ AUX=$(jq -r '.oglive[] as $og | if ($og.revision[1:9] | tonumber) < '$MINREL' then $og.directory else "" end' $INFOFILE 2>/dev/null)
+ [ -n "$AUX" ] && echo "Some installed ogLive aren't fully compatible: ${AUX//$'\n'/, }" && let ERR++
# Print result.
[ $ERR -eq 0 ] && echo "OK!" || echo "Problems detected: $ERR"
return $ERR
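Review bot: The new jq check sends stderr to /dev/null, so when any entry's `revision` is not of the form `rYYYYMMDD…` the `tonumber` call aborts the whole filter, `AUX` stays empty and `check` prints "OK!" without having examined the remaining entries. A filter that tolerates malformed entries and passes the threshold as an argument instead of splicing `$MINREL` into the program text: `AUX=$(jq -r --argjson min "$MINREL" '.oglive[] | select((.revision[1:9] | tonumber? // 0) < $min) | .directory' $INFOFILE 2>/dev/null)`; it also emits only the offending directories, so the `${AUX//$'\n'/, }` join no longer contains blank entries. `check()` starts outside this hunk.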
@@ -253,7 +258,7 @@ function search() {
# Show a menu to select and download an ogLive ISO image from the OpenGnsys website.
function download() {
local OGLIVE NISOS i SOURCELENGTH TARGETFILE
- local ISOREL MINREL=5000 # Mininum compatibility release.
+ local ISOREL
[ $# -gt 1 ] && raiseError usage
[ ! -d $DOWNLOADDIR ] && raiseError notfound "Download directory"
[ ! -w $DOWNLOADDIR ] && raiseError access "Download directory"
@@ -268,7 +273,7 @@ function download() {
echo "Available downloads (+ = installed, * = full compatibility):"
for i in $(seq 1 $NISOS); do
[ -e $DOWNLOADDIR/${OGLIVE[i-1]} ] && OGLIVE[i-1]="(+) ${OGLIVE[i-1]}"
- ISOREL=${OGLIVE[i-1]##*-r}; ISOREL=${ISOREL%.*}
+ ISOREL=${OGLIVE[i-1]##*-r}; ISOREL=${ISOREL%%.*}
[ $ISOREL -ge $MINREL ] && OGLIVE[i-1]="(*) ${OGLIVE[i-1]}"
done
select opt in "${OGLIVE[@]}"; do
diff --git a/server/bin/setclientmode b/server/bin/setclientmode
index 855ae4a6..4004e932 100755
--- a/server/bin/setclientmode
+++ b/server/bin/setclientmode
@@ -22,41 +22,58 @@
#@version 1.1.0a - El server siempre es el servidor PXE. El segundo parámetro de la IP es el SERVER. La asignación del ogLive siempre es el server. (ticket #859).
#@author Antonio J. Doblas Viso, Universidad de Malaga
#@date 2018-07-11
+#@version 1.1.1 - Crea configuración PXE para BIOS y UEFI. Permite pasar los datos acceso a la base de datos por variables de entorno. (ticket #802)
+#@author Irina Gomez, ETSII Universidad de Sevilla
+#@date 2019-02-13
#*/ ##
-
# Variables.
PROG=$(basename $0)
OPENGNSYS=${OPENGNSYS:-"/opt/opengnsys"}
SERVERCONF=$OPENGNSYS/etc/ogAdmServer.cfg
-PXEDIR=$OPENGNSYS/tftpboot/menu.lst
+PXEDIR[0]=$OPENGNSYS/tftpboot/menu.lst
+PXEDIR[1]=$OPENGNSYS/tftpboot/grub
LOGFILE=$OPENGNSYS/log/opengnsys.log
MYCNF=/tmp/.my.cnf.$$
+
# Control básico de errores.
if [ $# -ne 3 ]; then
echo "$PROG: Error de ejecución"
echo "Formato: $PROG PLANTILLA [NOMBRE_PC|NOMBRE_AULA] MODO"
exit 1
fi
-if [ ! -r $SERVERCONF ]; then
- echo "$PROG: Sin acceso a fichero de configuración"
- exit 2
+
+# Comprobar si el usuario es "root" o el del servicio web.
+WEBUSER=$(ps axho user,comm|awk '!/root/ && /httpd|apache/ {print $1; exit;}')
+if [ "$USER" != "root" -a "$USER" != "$WEBUSER" ]; then
+ echo "$PROG: Need to be root. (The console can also call the script)." >&2
+ exit 1
+fi
+
+# El acceso a mysql por las variables pasadas o por el fichero de configuarción.
+if [ -z "$USUARIO" ] || [ -z "$PASSWORD" ] || [ -z "$CATALOG" ]; then
+ if [ -r "$SERVERCONF" ]; then
+ source $SERVERCONF
+ else
+ echo "$PROG: Sin acceso a fichero de configuración"
+ exit 2
+ fi
fi
-TEMPLATE=$(grep -l "^#.* $1 *$" $PXEDIR/templates/*)
-if [ -z "$TEMPLATE" ]; then
+TEMPLATE[0]=$(grep -l "^#.* $1 *$" ${PXEDIR[0]}/templates/*)
+TEMPLATE[1]=$(grep -l "^#.* $1 *$" ${PXEDIR[1]}/templates/*)
+if [ -z "${TEMPLATE[0]}" -a -z "${TEMPLATE[1]}" ]; then
echo "No existe archivo platilla: $1"
exit
fi
-case "$3" in
+
+case "${3^^}" in
0|TEMP) MODE="TEMP" ;;
1|PERM) MODE="PERM" ;;
*) echo "$PROG: Modo desconodido: 0, TEMP (temporal), 1, PERM (permanente)"
exit 1 ;;
esac
-# Obtener datos de acceso a la Base de datos.
-source $SERVERCONF
# Sustituir caracteres ' por \' para evitar inyección SQL.
BOOTMODE="${1//\'/\'}"
RESOURCE="${2//\'/\'}"
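Review bot: The new caller check `if [ "$USER" != "root" -a "$USER" != "$WEBUSER" ]` reads `$USER`, an ordinary environment variable set by the caller's login environment, not the identity the script actually runs under; it is therefore not an authorization check, and when no web server is running `$WEBUSER` is empty so an empty `$USER` also passes. Compare the effective uid instead: `CALLER=$(id -un)` and test `"$CALLER"`, or `[ "$(id -u)" -ne 0 ]` for the root case. The same `$USER` pattern appears in the new `setsslkey` (`if [ "$USER" != "root" ]`) and `settoken` (`[ "$USER" != "root" ] && raiseError ...`). The hunk also accepts `USUARIO`/`PASSWORD`/`CATALOG` from the environment before falling back to the config file; a one-line comment saying which caller (the web console, per the error text) is expected to supply them would help whoever audits this later.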
@@ -87,9 +104,9 @@ NPC=0
for MAC in $ETHERNET; do
date +"%b %d %T $PROG: Detectada ethernet \"$MAC\" en \"$2\"" | tee -a $LOGFILE
MACFILE="${MAC^^}"
- PXEFILE=$PXEDIR/01-${MACFILE:0:2}-${MACFILE:2:2}-${MACFILE:4:2}-${MACFILE:6:2}-${MACFILE:8:2}-${MACFILE:10:2}
- # Renombra el fichero PXE original
- [ -e $PXEFILE ] && mv $PXEFILE $PXEFILE.netboot
+ PXEFILE[0]=01-${MACFILE:0:2}-${MACFILE:2:2}-${MACFILE:4:2}-${MACFILE:6:2}-${MACFILE:8:2}-${MACFILE:10:2}
+ MACFILE="${MAC,,}"
+ PXEFILE[1]=01-${MACFILE:0:2}:${MACFILE:2:2}:${MACFILE:4:2}:${MACFILE:6:2}:${MACFILE:8:2}:${MACFILE:10:2}
if [ "$1" != "default" ]; then
# Si no está definida la variable LANG, usar idioma inglés por defecto.
[ -z "$LANG" -o "$LANG" == "C" ] && LANG="en"
@@ -130,30 +147,49 @@ for MAC in $ETHERNET; do
[[ "$DATOS" =~ (vga|video) ]] || DATOS="$DATOS vga=788"
# Obtener directorio ogLive a partir de los datos.
OGLIVEDIR=$(echo "$DATOS" | awk -F= 'BEGIN {RS=" "} $1=="oglivedir" {print $2}')
- # Comprobar si existe "oglivedir" en la plantilla para evitar duplicados.
- if grep -q "oglivedir=" $TEMPLATE 2>/dev/null; then
- DATOS="${DATOS/oglivedir=$OGLIVEDIR/}"
- fi
- # Crear fichero PXE a partir de la plantilla con los datos obtenidos en la BD.
- sed -e "s,vga=[0-9]*,,g; s,INFOHOST,${DATOS//,/\\,},g; s,set ISODIR=.*,set ISODIR=$OGLIVEDIR,g" $TEMPLATE >$PXEFILE
- # Ponemos como propietario al usuario y grupo de Apache para que se pueda cambiar desde la consola web.
- PERMS=$(ps axho user,group,comm|awk '!/root/ && /httpd|apache/ {u=$1; g=$2} END {if (g) printf "%s:%s",u,g}')
- [ -n "$PERMS" ] && chown $PERMS $PXEFILE
+
+ # Pondremos como propietario al usuario y grupo de Apache para que se pueda cambiar desde la consola web.
+ WEBGROUP=$(ps axho group,comm|awk '!/root/ && /httpd|apache/ {print $1; exit;}')
+ for BOOTTYPE in 0 1; do
+ # Si no existe la plantilla borramos el archivo PXE anterior continuamos
+ if [ -z "${TEMPLATE[$BOOTTYPE]}" ]; then
+ rm ${PXEDIR[$BOOTTYPE]}/${PXEFILE[$BOOTTYPE]}
+ continue
+ fi
+ # Comprobar si existe "oglivedir" en la plantilla para evitar duplicados.
+ if grep -q "oglivedir=" ${TEMPLATE[$BOOTTYPE]} 2>/dev/null; then
+ DATOSAUX="${DATOS/oglivedir=$OGLIVEDIR/}"
+ fi
+ # Renombra el fichero PXE original
+ [ -e ${PXEDIR[$BOOTTYPE]}/${PXEFILE[$BOOTTYPE]} ] && mv ${PXEDIR[$BOOTTYPE]}/${PXEFILE[$BOOTTYPE]} ${PXEDIR[$BOOTTYPE]}/${PXEFILE[$BOOTTYPE]}.netboot
+
+ # Crear fichero PXE a partir de la plantilla con los datos obtenidos en la BD.
+ sed -e "s,vga=[0-9]*,,g; s,INFOHOST,${DATOSAUX//,/\\,},g; s,set ISODIR=.*,set ISODIR=$OGLIVEDIR,g" ${TEMPLATE[$BOOTTYPE]} >${PXEDIR[$BOOTTYPE]}/${PXEFILE[$BOOTTYPE]}
+ [ -n "$WEBUSER" ] && chown $WEBUSER:$WEBGROUP ${PXEDIR[$BOOTTYPE]}/${PXEFILEE[$BOOTTYPE]}
+ done
+
+
# Si el modo de trabajo es temporal (0) mete un retardo, restaura el fichero PXE a su estado original y no toca la base de datos
if [ "$MODE" == "TEMP" ]; then
sleep 60
- rm $PXEFILE
- [ -e $PXEFILE.netboot ] && mv $PXEFILE.netboot $PXEFILE
+ for BOOTTYPE in 0 1; do
+ [ -e ${PXEDIR[$BOOTTYPE]}/${PXEFILE[$BOOTTYPE]} ] && rm ${PXEDIR[$BOOTTYPE]}/${PXEFILE[$BOOTTYPE]}
+ [ -e ${PXEDIR[$BOOTTYPE]}/${PXEFILE[$BOOTTYPE]}.netboot ] && mv ${PXEDIR[$BOOTTYPE]}/${PXEFILE[$BOOTTYPE]}.netboot ${PXEDIR[$BOOTTYPE]}/${PXEFILE[$BOOTTYPE]}
+ done
fi
+
# Si el modo de trabajo es permanente (1) borra el fichero PXE.netboot si existe y graba los datos en la base de datos
if [ "$MODE" == "PERM" ]; then
- [ -e $PXEFILE.netboot ] && rm $PXEFILE.netboot
+ [ -e ${PXEDIR[0]}/${PXEFILE[0]}.netboot ] && rm ${PXEDIR[0]}/${PXEFILE[0]}.netboot
+ [ -e ${PXEDIR[1]}/${PXEFILE[1]}.netboot ] && rm ${PXEDIR[1]}/${PXEFILE[1]}.netboot
+ # Si no existe la plantilla de tipo BIOS tomo el nombre de la UEFI
+ [ -z "${TEMPLATE[0]}" ] && TEMPLATE[0]=${TEMPLATE[1]}
+
mysql --defaults-extra-file=$MYCNF -D "$CATALOG" -e \
- "UPDATE ordenadores SET arranque='$(basename $TEMPLATE)' WHERE mac='$MAC';"
+ "UPDATE ordenadores SET arranque='$(basename ${TEMPLATE[0]})' WHERE mac='$MAC';"
fi
fi
let NPC=NPC+1
done
date +"%b %d %T $PROG: $NPC equipo(s) configurado(s)" | tee -a $LOGFILE
-
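Review bot: `chown $WEBUSER:$WEBGROUP ${PXEDIR[$BOOTTYPE]}/${PXEFILEE[$BOOTTYPE]}` has a typo (`PXEFILEE`), so the expansion is the bare directory `${PXEDIR[$BOOTTYPE]}/` and the directory, not the freshly generated PXE file, gets chown'ed; the file keeps the invoking user's ownership and the web console cannot rewrite it. Change it to `chown $WEBUSER:$WEBGROUP ${PXEDIR[$BOOTTYPE]}/${PXEFILE[$BOOTTYPE]}`. In the same loop `DATOSAUX` is only assigned inside the `grep -q "oglivedir="` branch, so for a template without that string it is unset on the first iteration (INFOHOST replaced by nothing) and stale from the previous BIOS/UEFI or MAC iteration afterwards; add `DATOSAUX="$DATOS"` immediately before that `if`. The `rm ${PXEDIR[$BOOTTYPE]}/${PXEFILE[$BOOTTYPE]}` in the missing-template branch should be `rm -f`, since the file usually does not exist; the enclosing `for MAC` loop starts before this hunk.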
diff --git a/server/bin/setserveraddr b/server/bin/setserveraddr
index eb52d64d..cca279b8 100755
--- a/server/bin/setserveraddr
+++ b/server/bin/setserveraddr
@@ -120,6 +120,7 @@ if [ -n "$SERVERIP" ]; then
if [ "$RUN_OGADMREPO" == "yes" ]; then
REPOKEY=$(php -r 'echo md5(uniqid(rand(), true));')
sed -i -e "s/ApiToken=.*/ApiToken=$REPOKEY/" $OPENGNSYS/etc/ogAdmRepo.cfg
+ sed -i -e "s/APITOKEN=.*/APITOKEN=$REPOKEY/" $OPENGNSYS/etc/ogAdmServer.cfg
fi
# If OpenGnsys Server is active, updating the database.
if [ "$RUN_OGADMSERVER" == "yes" ]; then
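Review bot: The added `sed -i -e "s/APITOKEN=.*/APITOKEN=$REPOKEY/"` is not anchored to the start of the line, unlike the `^APITOKEN=` pattern the new `settoken` script uses on the same file, so a commented-out or differently prefixed `...APITOKEN=` line would be rewritten too. Anchor it: `sed -i -e "s/^APITOKEN=.*/APITOKEN=$REPOKEY/" $OPENGNSYS/etc/ogAdmServer.cfg`. The value written comes from `md5(uniqid(rand(), true))` on the context line above, which is a timestamp plus a non-cryptographic PRNG; `bin2hex(random_bytes(16))` yields the same 32-hex-character shape from a CSPRNG, and the same generator is introduced again in `settoken`.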
diff --git a/server/bin/setsmbpass b/server/bin/setsmbpass
index 2162b3be..efd90eec 100755
--- a/server/bin/setsmbpass
+++ b/server/bin/setsmbpass
@@ -105,7 +105,7 @@ for OGLIVE in $LIST; do
done
if [[ $CHANGES != 0 ]]; then
# Ticket 565, preparar acceso Rsync servidor.
- echo "$SAMBAUSER:$SAMBAPASS" > /etc/rsyncd.secrets
+ [ -e /etc/rsyncd.secrets ] && sed -i -n -e "/^$SAMBAUSER:/!p" -e "$ a$SAMBAUSER:$SAMBAPASS" /etc/rsyncd.secrets || echo "$SAMBAUSER:$SAMBAPASS" > /etc/rsyncd.secrets
chown root.root /etc/rsyncd.secrets
chmod 600 /etc/rsyncd.secrets
# Cambiar clave Samba.
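Review bot: The rewritten line passes `$SAMBAPASS` to `sed` as a command-line argument, where it is visible to every local user through the process list for the duration of the call, and the `$ a...` text is subject to sed's backslash processing, so a password containing a backslash is stored altered. The `[ -e ... ] && sed ... || echo ...` chain also means a failing sed falls through to the `echo`, which truncates the file and drops every other user's entry. A grep/printf pair keeps the secret inside the shell (printf is a builtin): `{ [ -e /etc/rsyncd.secrets ] && grep -v "^$SAMBAUSER:" /etc/rsyncd.secrets; printf '%s:%s\n' "$SAMBAUSER" "$SAMBAPASS"; } > /etc/rsyncd.secrets.tmp && mv -f /etc/rsyncd.secrets.tmp /etc/rsyncd.secrets`, followed by the existing chown/chmod lines. `chown root.root` (dot separator) is the deprecated coreutils form; `root:root` is the portable one.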
diff --git a/server/bin/setsslkey b/server/bin/setsslkey
new file mode 100755
index 00000000..9652f006
--- /dev/null
+++ b/server/bin/setsslkey
@@ -0,0 +1,127 @@
+#!/bin/bash
+
+#/**
+# setsslkey
+#@file setsslkey [NEW] [ogLive]
+#@brief Configura las claves públicas en los ogLive para que puedan autenticarse entre ellos.
+#@param $1 crear_key [NEW] (opcional). Crear la pareja de claves ssl. Por defecto toma la del oglive por defecto.
+#@param $2 ogLive (opcional). ogLive al que se le incluyen las claves públicas, por defecto a todos.
+#@warning Se modifica el Initrd del cliente.
+#@version 1.1.2 - Versión inicial - Basado en setserveraddr
+#@author Irina Gómez - ETSII Universidad Sevilla
+#@date 2019-09-25
+#*/ ##
+
+
+# Variables.
+PROG=$(basename "$0")
+PATH=$PATH:$(dirname "$(realpath "$0")")
+OPENGNSYS=${OPENGNSYS:-"/opt/opengnsys"}
+TFTPDIR=$OPENGNSYS/tftpboot
+INITRD=oginitrd.img
+TMPDIR=/tmp/oglive$$
+let CHANGES=0
+
+# Control básico de errores.
+if [ "$USER" != "root" ]; then
+ echo "$PROG: Error: solo ejecutable por root" >&2
+ exit 1
+fi
+
+# Regenerar las claves públicas aunque existan
+[ "${1^^}" == "NEW" ] && NEWKEY="NEW" && shift
+
+case $# in
+ 0) # Cambios en todos los clientes ogLive instalados.
+ if which oglivecli &>/dev/null; then
+ LIST=$(oglivecli list | awk '{print $2}')
+ else
+ LIST="ogclient"
+ fi ;;
+ 1) # Cambios en único ogLive (AVISO: puede crear inconsistencias con otros ogLive).
+ LIST="$1" ;;
+ *) # Error de formato.
+ echo "$PROG: Error de ejecución" >&2
+ echo "Formato: $PROG ogLive"
+ exit 1 ;;
+esac
+
+# Si me salgo con error borro el directorio temporal
+trap "rm -rf $TMPDIR 2>/dev/null" 1 2 3 6 9 15
+
+# ogLive por defecto
+OGLIVEDEFAULT=$(oglivecli list |awk -v NUM=$(oglivecli get-default) '{if ($1 == NUM) print $2}')
+
+if [ "$NEWKEY" != "NEW" ]; then
+ # Comprobamos si el ogLive por defecto contiene la clave
+ CLIENTINITRD="$TFTPDIR/$OGLIVEDEFAULT/$INITRD"
+ if [ -r "$CLIENTINITRD" ]; then
+ mkdir -p $TMPDIR
+ cd $TMPDIR || exit 3
+ gzip -dc "$CLIENTINITRD" | cpio -im
+ if [ -r scripts/ssl/id_rsa ]; then
+ PRIVKEY=$(cat scripts/ssl/id_rsa |grep -v '\-\-\-')
+ PUBLICKEY=$(cat scripts/ssl/id_rsa.pub)
+ else
+ NEWKEY="NEW"
+ fi
+ rm -fr $TMPDIR
+ else
+ NEWKEY="NEW"
+ fi
+fi
+
+# Genero nueva clave
+if [ "$NEWKEY" == "NEW" ]; then
+ [ -d $TMPDIR ] && rm -rf $TMPDIR
+ mkdir $TMPDIR
+ ssh-keygen -N "" -f $TMPDIR/id_rsa
+ PRIVKEY=$(cat $TMPDIR/id_rsa |grep -v "\-\-\-")
+ PUBLICKEY=$(cat $TMPDIR/id_rsa.pub)
+ rm -rf $TMPDIR
+fi
+
+# Buscar todos los clients ogLive instalados.
+for OGLIVE in $LIST; do
+ # Si no hay generar nueva clave ssl no hay que modificar el ogLive por defecto
+ [ "$NEWKEY" != "NEW" ] && [ "$OGLIVE" == "$OGLIVEDEFAULT" ] && continue
+
+ # Crear clave para usuario de acceso a los recursos.
+ CLIENTINITRD="$TFTPDIR/$OGLIVE/$INITRD"
+ if [ -r "$CLIENTINITRD" ]; then
+ # Editar la parte de acceso del cliente:
+ # descomprimir Initrd, sustituir clave y recomprimir Initrd).
+ echo "Configurando cliente \"$OGLIVE\" ..."
+ mkdir -p $TMPDIR
+ cd $TMPDIR || exit 3
+ gzip -dc "$CLIENTINITRD" | cpio -im
+
+ # Genero archivos de claves
+ [ -d $TMPDIR/scripts/ssl ] || mkdir -p $TMPDIR/scripts/ssl
+
+ echo "-----BEGIN RSA PRIVATE KEY-----" > $TMPDIR/scripts/ssl/id_rsa
+ echo $PRIVKEY |sed s/" "/\\n/g >> $TMPDIR/scripts/ssl/id_rsa
+ echo "-----END RSA PRIVATE KEY-----" >> $TMPDIR/scripts/ssl/id_rsa
+
+ echo $PUBLICKEY > $TMPDIR/scripts/ssl/id_rsa.pub
+ echo $PUBLICKEY > $TMPDIR/scripts/ssl/authorized_keys
+
+ chmod 400 $TMPDIR/scripts/ssl/id_rsa
+ chmod 400 $TMPDIR/scripts/ssl/authorized_keys
+
+ # Generar Initrd del cliente.
+ find . | cpio -H newc -oa | gzip -9c > "$CLIENTINITRD"
+
+ rm -fr $TMPDIR
+ # Calcular suma de comprobación.
+ md5sum "$CLIENTINITRD" | cut -f1 -d" " > "$CLIENTINITRD.sum"
+ let CHANGES++
+ else
+ echo "$PROG: Cliente \"$OGLIVE\" no accesible."
+ fi
+done
+if [[ $CHANGES != 0 ]]; then
+ echo "$PROG: Se ha modificado la pareja de claves ssl en $CHANGES clientes."
+else
+ echo "$PROG: Aviso: no se ha modificado la clave de ningún cliente."
+fi
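Review bot: The key reassembly at `PRIVKEY=$(cat $TMPDIR/id_rsa |grep -v "\-\-\-")` and the `echo "-----BEGIN RSA PRIVATE KEY-----"` / `echo $PRIVKEY |sed s/" "/\\n/g` lines assume the PEM layout, but `ssh-keygen` on OpenSSH 7.8 and later writes `-----BEGIN OPENSSH PRIVATE KEY-----` keys by default, so on such a server the stripped headers are replaced by the wrong ones and every client receives an unusable `id_rsa`. Either generate with `ssh-keygen -m PEM -t rsa -N "" -f $TMPDIR/id_rsa` or copy the key files into the initrd byte-for-byte (`cp -p`) instead of rebuilding them from a variable through an unquoted `echo`. `TMPDIR=/tmp/oglive$$` is a predictable name under /tmp that is later `mkdir -p`'ed and `cd`'ed into as root before `cpio -im` extracts into it and the private key is written there; `WORKDIR=$(mktemp -d) || exit 3` (created once, with the later remove/recreate pairs replaced by `rm -rf "$WORKDIR"/*`) removes that exposure, and renaming it avoids the collision with the `TMPDIR` environment variable that mktemp and many tools honour. The trap list should include `0` (EXIT) so the `exit 3` paths also clean up, and signal 9 cannot be trapped so it can be dropped. Worth a sentence in the header block: the private key ends up inside `oginitrd.img`, which checkperms leaves world-readable (644) and which is served over TFTP to any host on the boot network, so this is a shared secret against accidental access rather than a per-client credential.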
diff --git a/server/bin/settoken b/server/bin/settoken
new file mode 100755
index 00000000..dd98f06a
--- /dev/null
+++ b/server/bin/settoken
@@ -0,0 +1,83 @@
+#!/bin/bash
+
+#/**
+#@file settoken
+#@brief Generate a new security token for the specified service.
+#@usage settoken [-f] [Service]
+#@param -f: force server restart without prompting (ask by default)
+#@param Service: may be "server", "repo" or "both" (by default)
+#@warning This script uses "php" command.
+#@version 1.1.2 - Initial version.
+#@author Ramón M. Gómez - ETSII Univ. Sevilla
+#@date 2019-09-25
+#*/ ##
+
+# Global constants definition.
+PROG=$(basename "$(realpath "$0")") # Program name.
+OPENGNSYS=/opt/opengnsys # OpenGnsys main directory.
+SERVERCFG=$OPENGNSYS/etc/ogAdmServer.cfg # Configuration files.
+REPOCFG=$OPENGNSYS/etc/ogAdmRepo.cfg
+
+# Functions.
+source $OPENGNSYS/lib/ogfunctions.sh
+
+# Error control.
+[ "$USER" != "root" ] && raiseError access "Need to by root"
+if [ "$1" == "-f" ]; then
+ FORCE=1
+ shift
+fi
+[ $# -gt 1 ] && raiseError usage
+case "${1,,}" in
+ help)
+ help ;;
+ server)
+ SERVER=1 ;;
+ repo)
+ REPO=1 ;;
+ ""|both)
+ SERVER=1; REPO=1 ;;
+ *)
+ raiseError notfound "Unknown service"
+esac
+[ -w $SERVERCFG ] || raiseError access "Server configuration file"
+
+# Update server token.
+if [ "$SERVER" ]; then
+ # Confirm action (server will be restarted).
+ if [ ! "$FORCE" ]; then
+ read -rp "It will be necessary to restart ogAdmServer service. Continue? [y/N]: " ANSWER
+ [ "${ANSWER,,}" != "y" ] && raiseError cancel "API tokens not updated"
+ fi
+ APIKEY=$(php -r 'echo md5(uniqid(rand(), true));')
+ sed -i "s/^APITOKEN=.*/APITOKEN=$APIKEY/" $SERVERCFG || raiseError access "Cannot update server file"
+fi
+
+# Update repository token.
+if [ "$REPO" ]; then
+ [ -w $REPOCFG ] || raiseError access "Repository configuration file"
+ APIKEY=$(php -r 'echo md5(uniqid(rand(), true));')
+ sed -i "s/^ApiToken=.*/ApiToken=$APIKEY/" $REPOCFG || raiseError access "Cannot update repository file"
+ # If database is local, update it.
+ source $SERVERCFG
+ source $REPOCFG
+ if [ "$ServidorAdm" == "$IPlocal" ]; then
+ MYCNF=$(mktemp)
+ trap "rm -f $MYCNF" 0 1 2 3 6 9 15
+ chmod 600 $MYCNF
+ cat << EOT > $MYCNF
+[client]
+user=$USUARIO
+password=$PASSWORD
+host=$datasource
+EOT
+ mysql --defaults-extra-file="$MYCNF" --default-character-set=utf8 -D "$CATALOG" -e \
+ "UPDATE repositorios SET apikey='$APIKEY' WHERE ip='$IPlocal';" || raiseError access "Database error"
+ fi
+fi
+
+# Restart server, if needed.
+if [ "$SERVER" ]; then
+ restart opengnsys
+fi
+
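Review bot: `APIKEY=$(php -r 'echo md5(uniqid(rand(), true));')` (in both the server and the repository branch) derives the bearer token from `uniqid`, i.e. the current time in microseconds, plus `rand()`, neither of which is a cryptographic random source; use PHP's CSPRNG, `APIKEY=$(php -r 'echo bin2hex(random_bytes(16));')` (same 32-hex-character shape, so the `sed` patterns and the `apikey` column are unaffected), or `openssl rand -hex 16` to drop the php dependency the header warns about, and add `[ -n "$APIKEY" ] || raiseError notfound "Cannot generate token"` because a missing `php` currently leaves `APIKEY` empty and an empty token is then written. `sed -i "s/^APITOKEN=.*/..."` exits 0 even when no `APITOKEN=` line exists, so the `|| raiseError access` never fires for a config that lacks the key; a `grep -q '^APITOKEN=' $SERVERCFG || raiseError notfound "APITOKEN in $SERVERCFG"` before it (and the `ApiToken=` equivalent in the repository branch) makes that explicit. The root check `[ "$USER" != "root" ]` reads an environment variable rather than the effective uid; `[ "$(id -u)" -ne 0 ]` is the reliable test. The `.my.cnf` handling with `mktemp`, `chmod 600` and the EXIT trap is the right shape and could replace the hand-built `/tmp/.my.cnf.$$` that setclientmode still uses.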
diff --git a/server/lib/ogfunctions.sh b/server/lib/ogfunctions.sh
index 51de6b77..34b2ab7b 100755
--- a/server/lib/ogfunctions.sh
+++ b/server/lib/ogfunctions.sh
@@ -23,6 +23,9 @@ function raiseError() {
download)
echo "$PROG: Download error: $2" >&2
exit 4 ;;
+ cancel)
+ echo "$PROG: Operation cancelled: $2" >&2
+ exit 5 ;;
*)
echo "$PROG: Unknown error" >&2
exit 1 ;;
@@ -54,6 +57,20 @@ function help() {
exit 0
}
+# Functions to manage a service.
+function restart() {
+ _service restart "$1"
+}
+function start() {
+ _service start "$1"
+}
+function stop() {
+ _service stop "$1"
+}
+
+
+### Meta-functions and private functions.
+
# Metafunction to check if JSON result exists.
JQ=$(which jq 2>/dev/null) || raiseError notfound "Need to install \"jq\"."
function jq() {
@@ -63,3 +80,17 @@ function jq() {
echo "$OUTPUT"
}
+# Private function to acts on a service (do not use directly).
+function _service() {
+ local ACTION="$1"
+ local SERVICE="$2"
+ if which systemctl 2>/dev/null; then
+ systemctl "$ACTION" "$SERVICE"
+ elif which service 2>/dev/null; then
+ service "$SERVICE" "$ACTION"
+ elif [ -x /etc/init.d/"$SERVICE" ]; then
+ /etc/init.d/"$SERVICE" "$ACTION"
+ else
+ raiseError notfound "Service $SERVICE"
+ fi
+}
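Review bot: `if which systemctl 2>/dev/null; then` (and the `which service` branch below it) silences only stderr, so the path `which` finds is printed to stdout every time `restart`/`start`/`stop` is called — in settoken that lands in the user's terminal, and in any caller that captures output it corrupts the result. Use `which systemctl &>/dev/null`, the form `security-config` already uses, or the POSIX `command -v systemctl >/dev/null 2>&1`. The wrappers added in the previous hunk export the generic names `start`, `stop` and `restart` into every script that sources this library; an `og_` prefix, or at least a header comment stating that callers pass the init-script name (as settoken's `restart opengnsys` does), would prevent accidental collisions.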
diff --git a/server/lib/security-config b/server/lib/security-config
index 11961758..6d53d198 100755
--- a/server/lib/security-config
+++ b/server/lib/security-config
@@ -23,16 +23,16 @@ if which ufw &>/dev/null; then
echo "Configuring UFW."
# Adding active services.
ufw allow "Apache Secure"
+ ufw allow from 127.0.0.1/8 to any port mysql proto tcp # MySQL from the loopback
ufw allow OpenSSH
ufw allow Samba
- ufw allow mysql
ufw allow rsync
ufw allow tftp
ufw allow 67,68/udp # DHCP
- ufw allow 2008/tcp # OpenGnsys service
+ ufw allow 2008,2009,2011/tcp # OpenGnsys services
ufw allow 6881:6999/udp # BitTorrent
ufw allow 9000/tcp # PHP-FPM
- ufw allow 9000:9051/udp # Multicast
+ ufw allow 9000:9101/udp # Multicast
# Applying configuration.
ufw enable
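Review bot: `ufw allow 9000/tcp # PHP-FPM` on the new side still opens PHP-FPM to every source although it is only consumed by the local Apache, so it deserves the same loopback-only treatment this hunk now gives MySQL: `ufw allow from 127.0.0.0/8 to any port 9000 proto tcp # PHP-FPM from the loopback`; the firewalld section three hunks down (`--add-service=php-fpm` in the default zone) has the same exposure. Writing the loopback network as `127.0.0.1/8` works but ufw normalises it to `127.0.0.0/8`; the network address avoids the warning. As far as I can tell ufw's stock `before.rules` already accepts all traffic on `lo`, so the added MySQL rule is a no-op with the default configuration and the effective change is the removed `ufw allow mysql`; stating that in the comment would save the next reader the check.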
# FirewallD configuration.
@@ -42,9 +42,9 @@ elif which firewall-cmd &>/dev/null; then
python -c "
import firewall.core.io.service as ios
s=ios.Service()
-s.short = 'OpenGnsys Server'
-s.name = 'ogAdmServer'
-s.ports = [('2008', 'tcp')]
+s.short = 'OpenGnsys Services'
+s.name = 'opengnsys'
+s.ports = [('2008', 'tcp'), ('2009', 'tcp'), ('2011', 'tcp')]
ios.service_writer(s, '/etc/firewalld/services')
s.name = 'php-fpm'
s.ports = [('9000', 'tcp')]
@@ -52,9 +52,9 @@ ios.service_writer(s, '/etc/firewalld/services')"
# Adding active services.
firewall-cmd --permanent --add-service=dhcp
firewall-cmd --permanent --add-service=https
- firewall-cmd --permanent --add-service=php-fpm
firewall-cmd --permanent --add-service=mysql --zone internal
- firewall-cmd --permanent --add-service=ogAdmServer
+ firewall-cmd --permanent --add-service=opengnsys
+ firewall-cmd --permanent --add-service=php-fpm
# Ubuntu 14.04 does not define "rsyncd" service.
firewall-cmd --permanent --add-service=rsyncd || \
firewall-cmd --permanent --add-port=873/tcp
@@ -73,16 +73,20 @@ fi
# SELinux configuration.
if which setsebool &>/dev/null; then
- echo "Configuring SELinux."
- # Configuring Apache.
- setsebool -P httpd_can_connect_ldap on
- semanage fcontext -at httpd_sys_content_t "$OPENGNSYS/www(/.*)?"
- # Configuring Samba.
- setsebool -P samba_export_all_ro=1 samba_export_all_rw=1
- semanage fcontext -at samba_share_t "$OPENGNSYS/client(/.*)?"
- semanage fcontext -at samba_share_t "$OPENGNSYS/images(/.*)?"
- # Applying configuration.
- restorecon -R $OPENGNSYS
+ if selinuxenabled; then
+ echo "Configuring SELinux."
+ # Configuring Apache.
+ setsebool -P httpd_can_connect_ldap on
+ semanage fcontext -at httpd_sys_content_t "$OPENGNSYS/www(/.*)?"
+ # Configuring Samba.
+ setsebool -P samba_export_all_ro=1 samba_export_all_rw=1
+ semanage fcontext -at samba_share_t "$OPENGNSYS/client(/.*)?"
+ semanage fcontext -at samba_share_t "$OPENGNSYS/images(/.*)?"
+ # Applying configuration.
+ restorecon -R $OPENGNSYS
+ else
+ echo "$PROG: Warning: SELinux is disabled, it won't be configured."
+ fi
else
echo "$PROG: Warning: SELinux won't be configured (policycoreutils is not installed)."
fi
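Review bot: `if selinuxenabled; then` reports "SELinux is disabled" for any non-zero status, including "command not found"; `selinuxenabled` is shipped in libselinux-utils on some distributions rather than with `setsebool`, so a host with policycoreutils but without that package gets a misleading message and no configuration. Guarding it separately, `which selinuxenabled &>/dev/null || { echo "$PROG: Warning: selinuxenabled not found, SELinux won't be configured."; }` before the `if`, keeps the two cases distinguishable. The block's `if which setsebool` header is on a context line above the hunk.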
diff --git a/server/tftpboot/grub/default b/server/tftpboot/grub/default
new file mode 100644
index 00000000..6c505de6
--- /dev/null
+++ b/server/tftpboot/grub/default
@@ -0,0 +1,65 @@
+# Busca cargadores existentes por orden de prioridad e
+# inicia el primero que encuentra.
+# Si no existe ningún cargador de arranque muestre mensaje de error.
+set timeout=5
+
+set detectado='no'
+# Compruebo si existen distintos cargadores.
+echo "Searching rEFInd"
+search --file --set rootRefind /EFI/refind/shimx64.efi.signed
+if [ "$rootRefind" != "" ]; then
+ set detectado='si'
+ menuentry "rEFInd" {
+ root="$rootRefind"
+ chainloader /EFI/refind/shimx64.efi.signed
+}
+fi
+
+echo "Searching Part-01-02"
+search --file --set rootP2 /EFI/Part-01-02/Boot/ogloader.efi
+if [ "$rootP2" != "" ]; then
+ set detectado='si'
+ menuentry "Part-01-02" {
+ root="$rootP2"
+ chainloader /EFI/Part-01-02/Boot/ogloader.efi
+ }
+fi
+
+echo "Searching Part-01-03"
+search --file --set rootP3 /EFI/Part-01-03/Boot/ogloader.efi
+if [ "$rootP3" != "" ]; then
+ set detectado='si'
+ menuentry "Part-01-03" {
+ root="$rootP3"
+ chainloader /EFI/Part-01-03/Boot/ogloader.efi
+ }
+fi
+
+echo "Searching Microsoft"
+search --file --set rootMS /EFI/Microsoft/Boot/bootmgfw.efi
+if [ "$rootMS" != "" ]; then
+ set detectado='si'
+ menuentry "Microsoft" {
+ root="$rootMS"
+ chainloader /EFI/Microsoft/Boot/bootmgfw.efi
+ }
+fi
+
+echo "Searching Ubuntu"
+search --file --set rootUb /EFI/ubuntu/grubx64.efi
+if [ "$rootUb" != "" ]; then
+ set detectado='si'
+ menuentry "Ubuntu"
+ root="$rootUb"
+ chainloader /EFI/ubuntu/grubx64.efi
+ }
+fi
+
+
+# Si no hay ningún sistam operativo muestro mensaje.
+if [ $detectado == 'no' ]; then
+ menuentry "OpenGnsys no ha detectado ningún sistema operativo" {
+ # para evitar mensajes de error.
+ set root="(hd0,gpt1)"
+ }
+fi
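Review bot: `menuentry "Ubuntu"` is missing its opening `{`, so GRUB's script parser rejects this file and, because the new grub.cfg sources it as the fallback, a PC without a per-MAC config gets no menu at all; it should read `menuentry "Ubuntu" {`. The closing brace of the rEFInd entry sits at column 0 while the other entries indent it, which is cosmetic but makes brace mismatches like the Ubuntu one harder to see. `search --file --set` leaves the variable untouched when the file is not found, so the `!= ""` tests rely on each variable never being set elsewhere; an explicit `set rootRefind=''` before each search (as the `pxe` template does for `root`) documents that assumption.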
diff --git a/server/tftpboot/grub/grub.cfg b/server/tftpboot/grub/grub.cfg
index 53db4d84..56f19639 100644
--- a/server/tftpboot/grub/grub.cfg
+++ b/server/tftpboot/grub/grub.cfg
@@ -1,2 +1,9 @@
-source "$prefix/$net_default_mac"
+# Cargo configuración PC
+configfile=$prefix/01-$net_default_mac
+source "$configfile"
+# Si no existe anterior cargo configuracion por defecto
+# Lo compruebo buscando variables más usuales
+if [ "$timeout" == "" -a "$default" == "" ]; then
+ source "$prefix/default"
+fi
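Review bot: `source "$configfile"` runs before anything checks that the per-MAC file exists, so every PC without one gets a visible "file not found" error before the fallback kicks in; a `-f` test around the source keeps the screen clean: `if [ -f "$configfile" ]; then source "$configfile"; fi`. The fallback condition `"$timeout" == "" -a "$default" == ""` infers "nothing was loaded" from two variables the per-MAC file may or may not set — the new `templates/10`, `11` and `12` set neither, so a successful source whose `chainloader` fails also falls into `default`; if that fall-through is intended, say so in the comment, since it is not obvious that it doubles as the chainload-failure path. `configfile` is also the name of a GRUB command; a name such as `pcconfig` avoids the double reading.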
diff --git a/server/tftpboot/grub/templates/00unknown b/server/tftpboot/grub/templates/00unknown
new file mode 100644
index 00000000..3352a965
--- /dev/null
+++ b/server/tftpboot/grub/templates/00unknown
@@ -0,0 +1,30 @@
+##NO-TOCAR-ESTA-LINEA Sin-designar
+set default="0"
+set timeout="30"
+
+menuentry 'ogLive' {
+set ISODIR=ogLive
+linux (tftp)/$ISODIR/ogvmlinuz ro boot=oginit quiet splash vga=788 irqpoll acpi=on og2nd=sqfs ogprotocol=smb ogactiveadmin=false ogdebug=false ogtmpfs=15 oglivedir=$ISODIR INFOHOST
+initrd (tftp)/$ISODIR/oginitrd.img
+boot
+}
+menuentry 'ReFind' {
+ root='hd0,gpt1'
+ chainloader /EFI/refind/shimx64.efi
+ boot
+}
+menuentry 'Part-01-02' {
+ root='hd0,gpt1'
+ chainloader /EFI/Part-01-02/Boot/ogloader.efi
+ boot
+}
+menuentry 'Windows' {
+ root='hd0,gpt1'
+ chainloader /EFI/Microsoft/Boot/bootmgfw.efi
+ boot
+}
+menuentry 'Ubuntu' {
+ root='hd0,gpt1'
+ chainloader /EFI/ubuntu/grubx64.efi
+ boot
+}
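Review bot: The four chainloader entries hard-code `root='hd0,gpt1'`, whereas the `default` file added in this commit locates each loader with `search --file --set`; on a disk whose ESP is not the first GPT partition these entries fail while `default` would have found the loader. Using the same `search --file --set root /EFI/...` inside each entry (the new `templates/10`, `11` and `12` have the same fixed `root='hd0,gpt1'`) makes the template portable. Note also that the rEFInd entry here chainloads `/EFI/refind/shimx64.efi` while `default` and `templates/10` use `/EFI/refind/shimx64.efi.signed`; one of the two paths is presumably wrong.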
diff --git a/server/tftpboot/grub/templates/10 b/server/tftpboot/grub/templates/10
new file mode 100644
index 00000000..82c44464
--- /dev/null
+++ b/server/tftpboot/grub/templates/10
@@ -0,0 +1,6 @@
+##NO-TOCAR-ESTA-LINEA 1hd
+echo "rEFInd"
+
+root='hd0,gpt1'
+chainloader /EFI/refind/shimx64.efi.signed
+boot
diff --git a/server/tftpboot/grub/templates/11 b/server/tftpboot/grub/templates/11
new file mode 100644
index 00000000..06b34088
--- /dev/null
+++ b/server/tftpboot/grub/templates/11
@@ -0,0 +1,4 @@
+##NO-TOCAR-ESTA-LINEA 1hd-1os
+root='hd0,gpt1'
+chainloader /EFI/Part-01-02/Boot/ogloader.efi
+boot
diff --git a/server/tftpboot/grub/templates/12 b/server/tftpboot/grub/templates/12
new file mode 100644
index 00000000..6f22fc30
--- /dev/null
+++ b/server/tftpboot/grub/templates/12
@@ -0,0 +1,4 @@
+##NO-TOCAR-ESTA-LINEA 1hd-2os
+root='hd0,gpt1'
+chainloader /EFI/Part-01-03/Boot/ogloader.efi
+boot
diff --git a/server/tftpboot/grub/templates/19pxeADMIN b/server/tftpboot/grub/templates/19pxeADMIN
new file mode 100644
index 00000000..211a543b
--- /dev/null
+++ b/server/tftpboot/grub/templates/19pxeADMIN
@@ -0,0 +1,22 @@
+##NO-TOCAR-ESTA-LINEA ogLiveAdmin
+set timeout=0
+set timeout_style=hidden
+
+set ISODIR=ogLive
+set default=0;
+
+echo "OgLive $ISODIR"
+menuentry "OgLive $ISODIR" {
+ # Si no existe el ogLive de ISODIR en la red, inicio ogLive por defecto
+ for DIR in $ISODIR ogLive; do
+ if linux (tftp)/$DIR/ogvmlinuz ro boot=oginit quiet splash vga=788 irqpoll acpi=on og2nd=sqfs ogprotocol=smb ogactiveadmin=true ogdebug=true ogtmpfs=15 oglivedir=$ISODIR INFOHOST ; then
+ set DIR=$DIR
+ break
+ else
+ echo "OgLive default"
+ fi
+ done
+
+ initrd (tftp)/$DIR/oginitrd.img
+ boot
+}
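Review bot: `set DIR=$DIR` inside the `if linux ...` branch assigns the loop variable to itself and does nothing; `break` alone leaves `$DIR` at the value that loaded, so the line can go (the same no-op is in the new `templates/pxe`). The `else` branch prints "OgLive default" before the loop has tried `ogLive`, and when `$ISODIR` is already `ogLive` the loop loads the same path twice; a comment noting that `set ISODIR=` is rewritten by setclientmode (`s,set ISODIR=.*,set ISODIR=$OGLIVEDIR,g`) would make the fallback intent clear to someone reading the template on its own.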
diff --git a/server/tftpboot/grub/templates/21UEFIpxe b/server/tftpboot/grub/templates/21UEFIpxe
deleted file mode 100644
index 7892a495..00000000
--- a/server/tftpboot/grub/templates/21UEFIpxe
+++ /dev/null
@@ -1,7 +0,0 @@
-##NO-TOCAR-ESTA-LINEA UEFI-pxe
-set ISODIR=ogLive
-linux (tftp)/$ISODIR/ogvmlinuz ro boot=oginit quiet splash vga=788 irqpoll acpi=on og2nd=sqfs ogprotocol=smb ogactiveadmin=false ogdebug=false ogtmpfs=15 oglivedir=$ISODIR INFOHOST
-initrd (tftp)/$OGLIVE/oginitrd.img
-boot
-
-
diff --git a/server/tftpboot/grub/templates/pxe b/server/tftpboot/grub/templates/pxe
new file mode 100644
index 00000000..1a67fc25
--- /dev/null
+++ b/server/tftpboot/grub/templates/pxe
@@ -0,0 +1,37 @@
+##NO-TOCAR-ESTA-LINEA ogLive
+set timeout=0
+set timeout_style=hidden
+
+set ISODIR=ogLive
+
+# Si existe ogLive en CACHE lo inicio, si no el de la red
+set root=''
+echo "OgLive CACHE"
+search --file --set root /boot/$ISODIR/ogvmlinuz
+if [ "$root" == "" ]; then
+ echo "OgLive $ISODIR"
+ set default=1;
+else
+ set default=0;
+fi
+
+menuentry "OgLive CACHE" {
+ linux /boot/$ISODIR/ogvmlinuz ro boot=oginit quiet splash vga=788 irqpoll acpi=on og2nd=sqfs ogprotocol=smb ogactiveadmin=false ogdebug=false ogupdateinitrd=true ogtmpfs=15 oglivedir=$ISODIR INFOHOST
+ initrd /boot/$ISODIR/oginitrd.img
+ boot
+}
+
+menuentry "OgLive $ISODIR" {
+ # Si no existe el ogLive de ISODIR en la red, inicio ogLive por defecto
+ for DIR in $ISODIR ogLive; do
+ if linux (tftp)/$DIR/ogvmlinuz ro boot=oginit quiet splash vga=788 irqpoll acpi=on og2nd=sqfs ogprotocol=smb ogactiveadmin=false ogdebug=false ogtmpfs=15 oglivedir=$ISODIR INFOHOST ; then
+ set DIR=$DIR
+ break
+ else
+ echo "OgLive default"
+ fi
+ done
+
+ initrd (tftp)/$DIR/oginitrd.img
+ boot
+}
diff --git a/server/tftpboot/menu.lst/templates/01 b/server/tftpboot/menu.lst/templates/10
index db7a3ee7..96d0f500 100644
--- a/server/tftpboot/menu.lst/templates/01
+++ b/server/tftpboot/menu.lst/templates/10
@@ -1,4 +1,4 @@
-##NO-TOCAR-ESTA-LINEA MBR
+##NO-TOCAR-ESTA-LINEA 1hd
timeout 1
title MBR
chainloader (hd0)+1
diff --git a/server/tftpboot/menu.lst/templates/11 b/server/tftpboot/menu.lst/templates/11
index 6ff6b10b..c1492b57 100644
--- a/server/tftpboot/menu.lst/templates/11
+++ b/server/tftpboot/menu.lst/templates/11
@@ -1,6 +1,6 @@
-##NO-TOCAR-ESTA-LINEA 1hd-1partition
+##NO-TOCAR-ESTA-LINEA 1hd-1os
timeout 1
-title FirstHardDisk-FirstPartition
+title FirstDisk-FirstOperatingSystem
root (hd0,0)
chainloader (hd0,0)+1
boot
diff --git a/server/tftpboot/menu.lst/templates/12 b/server/tftpboot/menu.lst/templates/12
index 0843c3b1..0db966b7 100644
--- a/server/tftpboot/menu.lst/templates/12
+++ b/server/tftpboot/menu.lst/templates/12
@@ -1,6 +1,6 @@
-##NO-TOCAR-ESTA-LINEA 1hd-2partition
+##NO-TOCAR-ESTA-LINEA 1hd-2os
timeout 1
-title FirstHardDisk-SecondPartition
+title FirstHardDisk-SecondOperatingSystem
root (hd0,1)
chainloader (hd0,1)+1
boot