1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
|
#!/bin/bash
#
# This file and its contents are supplied under the terms of the
# Common Development and Distribution License ("CDDL"), version 1.0.
# You may only use this file in accordance with the terms of version
# 1.0 of the CDDL.
#
# A full copy of the text of the CDDL should have accompanied this
# source. A copy of the CDDL is also available via the Internet at
# http://www.illumos.org/license/CDDL.
#
#
# Copyright (c) 2018, Joyent, Inc.
#
export PS4='[\D{%FT%TZ}] ${BASH_SOURCE}:${LINENO}: ${FUNCNAME[0]:+${FUNCNAME[0]}(): }'
set -o xtrace
. /lib/svc/share/smf_include.sh
. /lib/sdc/config.sh
# Make sure working directory is / to prevent unmounting problems.
cd /
PATH=/usr/sbin:/usr/bin; export PATH
wait_and_clear()
{
while [ true ]; do
# It seems like jobs -p can miscount if we don't run jobs first
jobs >/dev/null
local cnt=`jobs -p | wc -l`
[ $cnt -eq 0 ] && break
for s in `svcs -x | nawk '{
if ($1 ~ /^svc:/) nm=$1
if ($1 == "State:" && $2 == "maintenance") print nm
}'`
do
svcadm clear $s
done
sleep 1
done
}
# Sets the default firewall rules for a node (unless they're already set)
set_default_fw_rules() {
local fw_default_v
if [[ -f /var/fw/.default_rules_setup ]]; then
read fw_default_v < /var/fw/.default_rules_setup
else
fw_default_v=0
fi
# Handle empty files from before we started versioning default rules
if [[ -z $fw_default_v ]]; then
fw_default_v=1
fi
if [[ $fw_default_v -lt 1 ]]; then
/usr/sbin/fwadm add -f - <<RULES
{
"rules": [
{
"description": "allow all ICMPv4 types",
"rule": "FROM any TO all vms ALLOW icmp type all",
"enabled": true,
"global": true
}
]
}
RULES
[[ $? -ne 0 ]] && return 1
echo 1 > /var/fw/.default_rules_setup
fi
if [[ $fw_default_v -lt 2 ]]; then
/usr/sbin/fwadm add -f - <<RULES
{
"rules": [
{
"description": "allow all ICMPv6 types",
"rule": "FROM any TO all vms ALLOW icmp6 type all",
"enabled": true,
"global": true
}
]
}
RULES
[[ $? -ne 0 ]] && return 1
echo 2 > /var/fw/.default_rules_setup
fi
}
configure_fwadm()
{
if [[ ! -d /var/log/fw/logs ]]; then
mkdir -p /var/log/fw/logs
mv /var/log/fw/*-*.log /var/log/fw/logs
fi
# See also OS-2635
if [[ -f /var/log/fw/fw.log.0 ]]; then
for file in /var/log/fw/fw.log.[0-9]*; do
mv ${file} "/var/log/fw/fwadm_$(uname -n)_$(stat -c "%y" ${file} | cut -d'.' -f1 | tr ' ' 'T').log"
done
fi
if [[ -f /var/log/fw/fw.log ]]; then
mv /var/log/fw/fw.log /var/log/fw/fwadm.log
fi
if [[ ! -e /var/log/fw/fwadm.log ]]; then
touch /var/log/fw/fwadm.log
fi
}
configure_vmadm()
{
# ensure /var/log/vm exists for VM.log logs
mkdir -p /var/log/vm/logs
# See also OS-2635
if [[ -f /var/log/vm/vm.log.0 ]]; then
for file in /var/log/vm/vm.log.[0-9]*; do
mv ${file} "/var/log/vm/vmadm_$(uname -n)_$(stat -c "%y" ${file} | cut -d'.' -f1 | tr ' ' 'T').log"
done
fi
if [[ -f /var/log/vm/vm.log ]]; then
mv /var/log/vm/vm.log /var/log/vm/vmadm.log
fi
# need to create this file so rotation works
if [[ ! -e /var/log/vm/vmadm.log ]]; then
touch /var/log/vm/vmadm.log
fi
}
update_root_password()
{
enc_password=`nawk -F= '{
if ($1 == "root_shadow")
print substr($2, 2, length($2) - 2)
}' /opt/smartdc/config/node.config`
[[ -z "$enc_password" ]] && return 0
sed -e "s|^root:[^\:]*:|root:${enc_password}:|" /etc/shadow \
>/etc/shadow.new \
&& chmod 400 /etc/shadow.new \
&& mv /etc/shadow.new /etc/shadow
}
# Loads config file for the node. These are the config values from the headnode
# plus authorized keys and anything else we want.
# This function is only invoked on a compute node.
install_config()
{
# On standalone machines we don't do this update
[[ -n $(/usr/bin/bootparams | grep "^standalone=true") ]] && return 0
load_sdc_config
curl -k -o /tmp/node.config --silent \
"http://${CONFIG_assets_admin_ip}/extra/joysetup/node.config"
[[ ! -f /tmp/node.config ]] && return 0
grep datacenter_name /tmp/node.config >/dev/null 2>&1
if [ $? != 0 ]; then
# There is no valid config file served by the assets zone
rm -f /tmp/node.config
return 0
fi
# Install the file if the local copy is different
diff /tmp/node.config /opt/smartdc/config/node.config >/dev/null 2>&1
if [ $? != 0 ]; then
printf "Updating config file\n" >/dev/console
mkdir -p /opt/smartdc/config
mv /tmp/node.config /opt/smartdc/config
update_root_password
else
rm -f /tmp/node.config
fi
}
case "$1" in
'start')
# Always setup socket filter no matter what happens next.
/sbin/soconfig -F datafilt datafilt prog '2:2:0,2:2:6,26:2:0,26:2:6'
USBMOUNT=
# If we're not importing the pools, we shouldn't try to setup as a headnode
# (since there'll be no zpool)
if /bin/bootparams | grep "^noimport=true" > /dev/null 2>&1; then
exit $SMF_EXIT_OK
fi
# If we're a headnode, we'll not have AMQP args on the cmdline, and we want
# to run an initial_script first anyway.
if /bin/bootparams | grep "^headnode=true" > /dev/null 2>&1; then
USBMOUNT=/mnt/`svcprop -p joyentfs/usb_mountpoint svc:/system/filesystem/smartdc:default`
# No config file (e.g. user quit during interactive configuration), so
# treat as if "noimport=true".
[[ ! -f $USBMOUNT/config ]] && exit $SMF_EXIT_OK
initial_script=${USBMOUNT}/$(grep "^initial_script=" $USBMOUNT/config.inc/generic 2>/dev/null | cut -d'=' -f2-)
if [ -n ${initial_script} ] && [ -e ${initial_script} ]; then
# Execute the script
${initial_script}
result=$?
if [ ${result} -eq 2 ]; then
# we're rebooting, no need to start ur
echo "REBOOTING!" >> /dev/console
enable_ur="false"
elif [ ${result} -ne 0 ]; then
echo "WARNING: initial_script failed with exit code [${result}]."
exit $SMF_EXIT_ERR_FATAL
fi
fi
elif /bin/bootparams | grep "^smartos=true" > /dev/null 2>&1; then
set_default_fw_rules
else
install_config
fi
configure_fwadm
configure_vmadm
if /bin/bootparams | grep "^headnode=true" > /dev/null 2>&1; then
/usr/sbin/umount $USBMOUNT
fi
;;
'stop')
;;
*)
echo "Usage: $0 { start | stop }"
exit $SMF_EXIT_ERR_FATAL
;;
esac
exit $SMF_EXIT_OK
|
