Hey All,
I finally got this working, it was a bit tricky getting sshd to stay open
and allow connections in the Ubuntu preseed environment. Here is what
worked for me;
d-i preseed/late_command string in-target wget
http://$http_server/xenial-sources.list
-O /etc/apt/sources.list ; \
mkdir -p /target/root/.ssh ; \
chmod 600 /target/root/.ssh ; \
echo 'ssh-rsa $COBBLER_PUBLIC_KEY cobbler' >
/target/root/.ssh/authorized_keys ; \
wget -O- http://$http_server/sshd.sh | chroot /target /bin/bash -s ; \
wget -O-
http://$http_server/cblr/svc/op/script/$what/$name/?script=preseed_late_default
| chroot /target /bin/bash -s ; \
in-target killall /usr/sbin/sshd ;
sshd.sh is;
[root@cobbler ~]# cat /var/www/html/sshd.sh
mkdir -p /var/run/sshd
chmod 0755 /var/run/sshd
ssh-keygen -f /root/.ssh/id_rsa -t rsa -N ''
(/usr/sbin/sshd -D &)
Hope this helps others.
On Wed, Nov 2, 2016 at 3:52 PM, Tyler Wilson <kupo(a)linuxdigital.net> wrote:
Hello,
Thank you for the replies! I tried to replicate your setup with the
following;
[root@cobbler ~]# cat /var/lib/cobbler/triggers/install/post/chef-key.sh
#!/bin/bash
/usr/bin/scp -i /root/.ssh/id_rsa -o "StrictHostKeyChecking no" -p
/root/chef.key ${3}:/root/chef.key
Using Ubuntu 16.04 preseed with the following post install commands;
d-i preseed/late_command string in-target /usr/bin/ssh-keygen -f
/root/.ssh/id_rsa -t rsa -N '' ; \
echo 'ssh-rsa $COBBLER_PUBLIC_KEY cobbler' >
/target/root/.ssh/authorized_keys ; \
mkdir -p /target/var/run/sshd ; \
in-target /usr/sbin/sshd ; \
wget -O-
http://$http_server/cblr/svc/op/script/$what/$name/?script=preseed_late_default
| chroot /target /bin/sh -s ; \
in-target wget http://$http_server/xenial-sources.list -O
/etc/apt/sources.list ;
However I am getting a lost connection whenever it tries to run the post
trigger;
Tue Nov 1 23:41:58 2016 - DEBUG | running shell triggers from
/var/lib/cobbler/triggers/install/post/*
Tue Nov 1 23:41:58 2016 - DEBUG | running shell trigger
/var/lib/cobbler/triggers/install/post/chef-key.sh
Tue Nov 1 23:41:58 2016 - INFO | running:
['/var/lib/cobbler/triggers/install/post/chef-key.sh',
'system', 'cobbler-test', '192.168.1.50']
Tue Nov 1 23:42:13 2016 - INFO | received on stdout:
Tue Nov 1 23:42:13 2016 - DEBUG | received on stderr:
ssh_exchange_identification: read: Connection reset by peer
lost connection
I inserted a sleep after the final post command and I could manually run
the scp command fine while the system was still in the "running preseed"
stage.
[root@cobbler ~]# /var/lib/cobbler/triggers/install/post/chef-key.sh
system cobbler-test 192.168.1.50
...
Add correct host key in /root/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /root/.ssh/known_hosts:1
Password authentication is disabled to avoid man-in-the-middle attacks.
Keyboard-interactive authentication is disabled to avoid man-in-the-middle
attacks.
chef.key
100% 1679 1.6KB/s 00:00
Thanks for your help!
On Wed, Oct 26, 2016 at 6:51 PM, Orion Poplawski <orion(a)cora.nwra.com>
wrote:
> On 10/25/2016 09:49 PM, Tyler Wilson wrote:
>
>> Hey All,
>>
>> New Cobbler user here. What is the best method of ensuring deployed
>> nodes have sensitive keys (chef keys, ssh, etc) securely uploaded when
>> completed? Am I able to send them securely from the cobbler host somehow?
>>
>> Thanks for any and all tips!
>>
>
> I fire up sshd on my target system in %post:
>
> # Create temporary host key(s)
> # EL7
> /usr/sbin/sshd-keygen
> # Fedora
> /usr/libexec/openssh/sshd-keygen rsa
> # Start sshd so that we can copy over the ansible key in the cobbler
> post trigger
> /usr/sbin/sshd
>
> Then I have a cobbler install trigger copy the ssh key over:
>
> # cat /var/lib/cobbler/triggers/install/post/ansible_key
> #!/bin/bash
> [ "$1" = system ] &&
> /usr/bin/scp -i /root/.ssh/id_rsa_cobbler -o "StrictHostKeyChecking no"
> -p /root/.ssh/id_rsa_ansible ${2}:/root/.ssh/id_rsa_ansible
>
>
> I suppose someone could the activate the trigger directly and receive the
> key, but this is the best that I was able to come up with.
>
>
> --
> Orion Poplawski
> Technical Manager 303-415-9701 x222
> NWRA/CoRA Division FAX: 303-415-9702
> 3380 Mitchell Lane orion(a)cora.nwra.com
> Boulder, CO 80301
http://www.cora.nwra.com
>
> _______________________________________________
> cobbler mailing list -- cobbler(a)lists.fedorahosted.org
> To unsubscribe send an email to cobbler-leave(a)lists.fedorahosted.org
>