update scripts and make note about BTRFS

Author: jasoncolburne

src/core-switch/scripts/build-sme-kernel.sh

@@ -8,21 +8,17 @@ sudo apt-get -y build-dep linux
 mkdir -p ~/kernel
 cd ~/kernel
 
-rm -rf linux-${LINUX_VERSION}
+rm -rf linux-* linux_*
 apt source linux
-cd linux-${LINUX_VERSION}
+cd linux-*
 
 cat > debian/config/amd64/config.sme << EOF
 CONFIG_AMD_MEM_ENCRYPT=y
 CONFIG_MODULE_ALLOW_MISSING_NAMESPACE_IMPORTS=n
 CONFIG_MODULE_COMPRESS_ZSTD=y
 CONFIG_MODULE_SIG=y
-CONFIG_MODULE_SIG_ALL=y
+CONFIG_MODULE_SIG_ALL=n
 CONFIG_MODULE_SIG_FORCE=n
-CONFIG_MODULE_SIG_HASH="sha256"
-CONFIG_MODULE_SIG_KEY="/var/lib/shim-signed/mok/MOK.bundle.pem"
-CONFIG_MODULE_SIG_KEY_TYPE_RSA=y
-CONFIG_MODULE_SIG_SHA256=y
 CONFIG_SYSTEM_TRUSTED_KEYS="/var/lib/shim-signed/mok/MOK.pem"
 EOF
 
@@ -51,8 +47,13 @@ configs:
  amd64/config.sme
 
 [sme-amd64_build]
-signed-code: true
+signed-code: false
 EOF
 
 debian/bin/gencontrol.py
 fakeroot make -f debian/rules.gen binary-arch_amd64_none_sme-amd64 -j$(nproc)
+
+cd ~
+rm kernel/*dbg*.deb
+
+tar czvf kernel.tgz kernel/linux-image-*-sme-amd64_*_amd64.deb kernel/linux-headers-*-sme-amd64_*_amd64.deb

src/core-switch/scripts/collect.sh

@@ -19,6 +19,7 @@ sudo tar czvf ~/install.bundle/configuration.tgz \
   etc/network/interfaces \
   etc/ssh/sshd_config.d/10-no-passwords.conf \
   etc/sysctl.d/10-disable-ipv6.conf \
+  opt/nomad/docker.json
 
 sudo tar czvf ~/install.bundle/mok.tgz \
   var/lib/shim-signed/mok
@@ -31,7 +32,8 @@ tar czvf ~/install.bundle/$USER.tgz \
   .zshenv \
   .p10k.zsh \
 
-cp -v ~/install{,.bundle}/linux-5.10.0-15-sme-amd64.tgz
+cp -v ~{,/install.bundle}/secrets.tgz
+cp -v ~{,/install.bundle}/kernel.tgz
 cp -v ~/install{,.bundle}/ldap.tgz
 cp -vR ~/install{,.bundle}/patch
 cp -vR ~/install{,.bundle}/scripts

src/core-switch/scripts/dockerhub-login.sh

@@ -0,0 +1,13 @@
+#!/usr/bin/bash
+
+if [[ "$DEBUG" == "1" ]]
+then
+  set -euxo pipefail
+else
+  set -euo pipefail
+fi
+
+echo $(vault kv get -mount=secret -field=value dockerhub_read_token) | \
+docker login \
+  --username $(vault kv get -mount=secret -field=value dockerhub_username) \
+  --password-stdin 

src/core-switch/scripts/install-sme-kernel.sh

@@ -0,0 +1,49 @@
+#!/usr/bin/bash
+
+set -euo pipefail
+
+sudo apt-get -y install sbsigntool
+
+cd ~
+tar xzvf kernel.tgz
+
+cd ~/kernel
+sudo apt-get -y install ./linux-image-*-sme-amd64_*_amd64.deb
+sudo apt-get -y install ./linux-headers-*-sme-amd64_*_amd64.deb
+
+VERSION=$(echo linux-image-*-sme-amd64_*_amd64.deb | sed -E 's/linux-image-(.+-sme-amd64)_.+_amd64\.deb/\1/')
+SHORT_VERSION=$(echo $VERSION | cut -d'.' -f1-2)
+MODULES_DIR=/lib/modules/${VERSION}
+
+PATH_VERSION=$(echo linux-image-*-sme-amd64_*_amd64.deb | sed -E 's/linux-image-.+-sme-amd64_(.+)-.+_amd64\.deb/\1/')
+
+echo -n "Enter MOK passphrase: "
+read -s KBUILD_SIGN_PIN
+export KBUILD_SIGN_PIN
+
+for MODULE in $(find ${MODULES_DIR} -type f -name '*.ko*'); do
+    (modinfo "${MODULE}" | rg "signer:\s+core") || \
+    (echo "signing ${MODULE}"; sudo --preserve-env=KBUILD_SIGN_PIN ${MODULES_DIR}/build/scripts/sign-file sha256 /var/lib/shim-signed/mok/MOK.priv /var/lib/shim-signed/mok/MOK.der "${MODULE}")
+done
+
+sudo grub-set-default "Advanced options for Debian GNU/Linux>Debian GNU/Linux, with Linux ${VERSION}"
+sudo update-grub
+
+cd /var/lib/shim-signed/mok
+sudo sbsign --key MOK.priv --cert MOK.pem "/boot/vmlinuz-${VERSION}" --output "/boot/vmlinuz-${VERSION}.tmp"
+cd ~
+sudo mv "/boot/vmlinuz-${VERSION}.tmp" "/boot/vmlinuz-${VERSION}"
+sudo dracut -f --regenerate-all -v
+
+echo "now you'll need to reboot and configure/update clevis/luks, after typing your passwords"
+echo "for example,"
+echo "  sudo clevis luks bind -d /dev/sda3 tpm2 '{\"pcr_bank\":\"sha256\",\"pcr_ids\":\"0,1,2,3,4,5,6,7\"}'"
+echo "  sudo clevis luks bind -d /dev/sda4 tpm2 '{\"pcr_bank\":\"sha256\",\"pcr_ids\":\"0,1,2,3,4,5,6,7\"}'"
+echo "  sudo clevis luks bind -d /dev/md0 tpm2 '{\"pcr_bank\":\"sha256\",\"pcr_ids\":\"0,1,2,3,4,5,6,7\"}'"
+echo "or"
+echo "  sudo clevis luks unbind -d /dev/sda3 -s 1"
+echo "  sudo clevis luks unbind -d /dev/sda4 -s 1"
+echo "  sudo clevis luks unbind -d /dev/md0 -s 1"
+echo "  sudo clevis luks bind -d /dev/sda3 tpm2 '{\"pcr_bank\":\"sha256\",\"pcr_ids\":\"0,1,2,3,4,5,6,7\"}'"
+echo "  sudo clevis luks bind -d /dev/sda4 tpm2 '{\"pcr_bank\":\"sha256\",\"pcr_ids\":\"0,1,2,3,4,5,6,7\"}'"
+echo "  sudo clevis luks bind -d /dev/md0 tpm2 '{\"pcr_bank\":\"sha256\",\"pcr_ids\":\"0,1,2,3,4,5,6,7\"}'"

src/core-switch/scripts/orchestration/docker/deploy.sh

@@ -0,0 +1,57 @@
+#!/usr/bin/bash
+
+if [[ "$DEBUG" == "1" ]]
+then
+  set -euxo pipefail
+else
+  set -euo pipefail
+fi
+
+sudo apt-get update
+sudo apt-get -y install \
+  ca-certificates \
+  curl \
+  gnupg \
+  lsb-release
+
+sudo mkdir -p /etc/apt/keyrings
+if [[ ! -f /etc/apt/keyrings/docker.gpg ]]
+then
+  curl -fsSL https://download.docker.com/linux/debian/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
+  echo \
+    "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian $(lsb_release -cs) stable" | \
+    sudo tee /etc/apt/sources.list.d/docker.list
+fi
+
+sudo mkdir -p /etc/docker
+sudo tee /etc/docker/daemon.json << EOF
+{
+  "bip": "10.1.0.1/16"
+}
+EOF
+
+sudo apt-get update
+sudo apt-get -y install docker-ce docker-ce-cli containerd.io docker-compose-plugin
+
+sudo iptables -I DOCKER-USER -j ACCEPT
+
+sudo tee /etc/iptables.up.rules << EOF
+*filter
+:DOCKER-USER - [0:0]
+-A DOCKER-USER -j ACCEPT
+COMMIT
+EOF
+
+sudo tee /etc/network/if-pre-up.d/iptables << EOF
+#!/bin/sh
+/sbin/iptables-restore < /etc/iptables.up.rules
+EOF
+sudo chmod +x /etc/network/if-pre-up.d/iptables
+
+sudo sysctl fs.inotify.max_user_watches=65536
+sudo sysctl fs.inotify.max_user_instances=512
+
+sudo tee /etc/sysctl.d/25-inotify.conf << EOF
+fs.inotify.max_user_watches = 65536
+fs.inotify.max_user_instances = 512
+EOF

src/core-switch/scripts/orchestration/hashicorp/consul/deploy.sh

@@ -0,0 +1,142 @@
+#!/usr/bin/bash
+
+if [[ "$DEBUG" == "1" ]]
+then
+  set -euxo pipefail
+else
+  set -euo pipefail
+fi
+
+sudo apt-get -y install consul
+
+sudo tee /etc/sysctl.d/20-bridge-iptables.conf << EOF
+net.bridge.bridge-nf-call-arptables = 1
+net.bridge.bridge-nf-call-iptables = 1
+EOF
+
+sudo sysctl net.bridge.bridge-nf-call-arptables=1
+sudo sysctl net.bridge.bridge-nf-call-iptables=1
+
+cd ~/src
+go install github.com/containernetworking/cni/cnitool@latest
+curl -L -o cni-plugins.tgz "https://github.com/containernetworking/plugins/releases/download/v1.0.0/cni-plugins-linux-$( [ $(uname -m) = aarch64 ] && echo arm64 || echo amd64)"-v1.0.0.tgz
+sudo mkdir -p /opt/cni/bin
+sudo tar -C /opt/cni/bin -xzf cni-plugins.tgz
+
+sudo tee /etc/consul.d/consul.hcl << EOF
+# Full configuration options can be found at https://www.consul.io/docs/agent/config
+
+# datacenter
+# This flag controls the datacenter in which the agent is running. If not provided,
+# it defaults to "dc1". Consul has first-class support for multiple datacenters, but 
+# it relies on proper configuration. Nodes in the same datacenter should be on a 
+# single LAN.
+datacenter = "dc1"
+
+# data_dir
+# This flag provides a data directory for the agent to store state. This is required
+# for all agents. The directory should be durable across reboots. This is especially
+# critical for agents that are running in server mode as they must be able to persist
+# cluster state. Additionally, the directory must support the use of filesystem
+# locking, meaning some types of mounted folders (e.g. VirtualBox shared folders) may
+# not be suitable.
+data_dir = "/opt/consul"
+
+# client_addr
+# The address to which Consul will bind client interfaces, including the HTTP and DNS
+# servers. By default, this is "127.0.0.1", allowing only loopback connections. In
+# Consul 1.0 and later this can be set to a space-separated list of addresses to bind
+# to, or a go-sockaddr template that can potentially resolve to multiple addresses.
+client_addr = "127.0.0.1"
+
+# ui
+# Enables the built-in web UI server and the required HTTP routes. This eliminates
+# the need to maintain the Consul web UI files separately from the binary.
+# Version 1.10 deprecated ui=true in favor of ui_config.enabled=true
+ui_config{
+  enabled = false
+}
+
+# server
+# This flag is used to control if an agent is in server or client mode. When provided,
+# an agent will act as a Consul server. Each Consul cluster must have at least one
+# server and ideally no more than 5 per datacenter. All servers participate in the Raft
+# consensus algorithm to ensure that transactions occur in a consistent, linearizable
+# manner. Transactions modify cluster state, which is maintained on all server nodes to
+# ensure availability in the case of node failure. Server nodes also participate in a
+# WAN gossip pool with server nodes in other datacenters. Servers act as gateways to
+# other datacenters and forward traffic as appropriate.
+server = true
+
+# Bind addr
+# You may use IPv4 or IPv6 but if you have multiple interfaces you must be explicit.
+#bind_addr = "[::]" # Listen on all IPv6
+#bind_addr = "0.0.0.0" # Listen on all IPv4
+bind_addr = "127.0.0.1"
+#
+# Advertise addr - if you want to point clients to a different address than bind or LB.
+advertise_addr = "127.0.0.1"
+
+# Enterprise License
+# As of 1.10, Enterprise requires a license_path and does not have a short trial.
+#license_path = "/etc/consul.d/consul.hclic"
+
+# bootstrap_expect
+# This flag provides the number of expected servers in the datacenter. Either this value
+# should not be provided or the value must agree with other servers in the cluster. When
+# provided, Consul waits until the specified number of servers are available and then
+# bootstraps the cluster. This allows an initial leader to be elected automatically.
+# This cannot be used in conjunction with the legacy -bootstrap flag. This flag requires
+# -server mode.
+#bootstrap_expect=1
+
+# encrypt
+# Specifies the secret key to use for encryption of Consul network traffic. This key must
+# be 32-bytes that are Base64-encoded. The easiest way to create an encryption key is to
+# use consul keygen. All nodes within a cluster must share the same encryption key to
+# communicate. The provided key is automatically persisted to the data directory and loaded
+# automatically whenever the agent is restarted. This means that to encrypt Consul's gossip
+# protocol, this option only needs to be provided once on each agent's initial startup
+# sequence. If it is provided after Consul has been initialized with an encryption key,
+# then the provided key is ignored and a warning will be displayed.
+#encrypt = "..."
+
+# retry_join
+# Similar to -join but allows retrying a join until it is successful. Once it joins 
+# successfully to a member in a list of members it will never attempt to join again.
+# Agents will then solely maintain their membership via gossip. This is useful for
+# cases where you know the address will eventually be available. This option can be
+# specified multiple times to specify multiple agents to join. The value can contain
+# IPv4, IPv6, or DNS addresses. In Consul 1.1.0 and later this can be set to a go-sockaddr
+# template. If Consul is running on the non-default Serf LAN port, this must be specified
+# as well. IPv6 must use the "bracketed" syntax. If multiple values are given, they are
+# tried and retried in the order listed until the first succeeds. Here are some examples:
+#retry_join = ["consul.domain.internal"]
+#retry_join = ["10.0.4.67"]
+#retry_join = ["[::1]:8301"]
+#retry_join = ["consul.domain.internal", "10.0.4.67"]
+# Cloud Auto-join examples:
+# More details - https://www.consul.io/docs/agent/cloud-auto-join
+#retry_join = ["provider=aws tag_key=... tag_value=..."]
+#retry_join = ["provider=azure tag_name=... tag_value=... tenant_id=... client_id=... subscription_id=... secret_access_key=..."]
+#retry_join = ["provider=gce project_name=... tag_value=..."]
+
+ports {
+  grpc = 8502
+}
+
+connect {
+  enabled = true
+}
+EOF
+
+sudo tee /etc/consul.d/consul-acl.hcl << EOF
+acl {
+  enabled        = true
+  default_policy = "deny"
+  down_policy    = "extend-cache"
+  tokens {
+    agent = "AGENT_TOKEN"
+  }
+}
+EOF

src/core-switch/scripts/orchestration/hashicorp/consul/policy/agent.hcl

@@ -0,0 +1,7 @@
+node_prefix "" {
+   policy = "write"
+}
+service_prefix "" {
+   policy = "read"
+}
+

src/core-switch/scripts/orchestration/hashicorp/consul/policy/nomad-client.hcl

@@ -0,0 +1,15 @@
+agent_prefix "" {
+  policy = "read"
+}
+
+node_prefix "" {
+  policy = "read"
+}
+
+service_prefix "" {
+  policy = "write"
+}
+
+key_prefix "" {
+  policy = "read"
+}

src/core-switch/scripts/orchestration/hashicorp/consul/policy/nomad-server.hcl

@@ -0,0 +1,13 @@
+agent_prefix "" {
+  policy = "read"
+}
+
+node_prefix "" {
+  policy = "read"
+}
+
+service_prefix "" {
+  policy = "write"
+}
+
+acl = "write"

src/core-switch/scripts/orchestration/hashicorp/consul/policy/vault-service.hcl

@@ -0,0 +1,4 @@
+service "vault" { policy = "write" }
+key_prefix "vault/" { policy = "write" }
+agent_prefix "" { policy = "read" }
+session_prefix "" { policy = "write" }