ereuse/workbench-script
9
0
Fork 0
Code Issues 3 Pull requests 1 Packages Projects Releases Wiki Activity

Compare commits

base: ereuse:main
Branches Tags
ereuse:main
ereuse:163-10-158-small-fixes
ereuse:inxi_archived
ereuse:isoc_f1__ssd_deletion
..
compare: ereuse:inxi_archived
Branches Tags
ereuse:163-10-158-small-fixes
ereuse:main
ereuse:inxi_archived
ereuse:isoc_f1__ssd_deletion

1 commit
main ... inxi_archi

Author SHA1 Message Date
Cayo Puigdefabregas ae5f9c341a add inxi in main 2024-11-15 11:05:24 +01:00
10 changed files with 67 additions and 236 deletions
Show stats Expand all files Collapse all files

16
Dockerfile
View file

@ -1,16 +0,0 @@
FROM debian:bookworm-slim
# detect DOCKER_BUILD condition/situation in install script
ENV DOCKER_BUILD true
# pre install sudo
RUN apt update && apt install sudo && rm -rf /var/lib/apt/lists/*
# Install dependencies
COPY ./install-dependencies.sh /
RUN /install-dependencies.sh \
&& rm -rf /var/lib/apt/lists/*
WORKDIR /opt/workbench-script
ENTRYPOINT sh ./deploy-workbench.sh

5
Makefile
View file

@ -44,11 +44,6 @@ boot_iso_uefi_secureboot:
-drive file=deploy/iso/workbench_debug.iso,cache=none,if=virtio,format=raw,index=0,media=disk \
-boot menu=on
# when you change something, you need to refresh it this way
regenerate_pxe_install:
./deploy-workbench.sh
pxe/install-pxe.sh
es_gen:
$(MAKE) es_gen_po
$(MAKE) es_gen_mo

53
deploy-workbench.sh
View file

@ -197,15 +197,7 @@ create_persistence_partition() {
tmp_rw_mount="/tmp/${rw_img_name}"
${SUDO} umount -f -l "${tmp_rw_mount}" >/dev/null 2>&1 || true
mkdir -p "${tmp_rw_mount}"
# detect relative path, else absolute path
# TODO solve this situation better
# thanks https://unix.stackexchange.com/questions/256434/check-if-shell-variable-contains-an-absolute-path
if [ "${rw_img_path}" = "${rw_img_path#/}" ]; then
mount_rw_img_path="$(pwd)/${rw_img_path}"
else
mount_rw_img_path="${rw_img_path}"
fi
${SUDO} mount "${mount_rw_img_path}" "${tmp_rw_mount}"
${SUDO} mount "$(pwd)/${rw_img_path}" "${tmp_rw_mount}"
${SUDO} mkdir -p "${tmp_rw_mount}"
if [ ! -f "settings.ini" ]; then
${SUDO} cp -v settings.ini.example settings.ini
@ -332,11 +324,13 @@ END
echo 'Install requirements'
# Install debian requirements
# TODO converge more here with install-dependencies.sh
apt-get install -y --no-install-recommends \
sudo locales keyboard-configuration console-setup qrencode \
python-is-python3 python3 python3-dev python3-pip pipenv \
dmidecode smartmontools hwinfo pciutils lshw nfs-common inxi < /dev/null
dmidecode smartmontools hwinfo pciutils lshw nfs-common < /dev/null
# Install lshw B02.19 utility using backports (DEPRECATED in Debian 12)
#apt install -y -t ${VERSION_CODENAME}-backports lshw < /dev/null
echo 'Install sanitize requirements'
@ -438,10 +432,8 @@ if [ -z "${DEBUG:-}" ]; then
fi
# cleanup bash history
# https://stackoverflow.com/questions/3199893/howto-detect-bash-from-shell-script
if [ "\${BASH_VERSION}" ]; then
history -c
fi
history -c
CHROOT
}
@ -482,6 +474,31 @@ prepare_chroot_env() {
prepare_app
}
# thanks https://willhaley.com/blog/custom-debian-live-environment/
install_requirements() {
# Install requirements
eval "${decide_if_update_str}" && decide_if_update
image_deps='debootstrap
squashfs-tools
xorriso
mtools
dosfstools'
# secureboot:
# -> extra src https://wiki.debian.org/SecureBoot/
# -> extra src https://wiki.debian.org/SecureBoot/VirtualMachine
# -> extra src https://wiki.debian.org/GrubEFIReinstall
bootloader_deps='isolinux
syslinux-efi
grub-pc-bin
grub-efi-amd64-bin
ovmf
grub-efi-amd64-signed'
${SUDO} apt-get install -y \
${image_deps} \
${bootloader_deps}
}
# thanks https://willhaley.com/blog/custom-debian-live-environment/
create_base_dirs() {
mkdir -p "${ISO_PATH}"
@ -506,7 +523,7 @@ detect_user() {
echo "ERROR: this script needs root or sudo permissions (current user is not part of sudo group)"
exit 1
# detect user with sudo or already on sudo src https://serverfault.com/questions/568627/can-a-program-tell-it-is-being-run-under-sudo/568628#568628
elif [ ! "\${userid}" = 0 ] || [ -n "\${SUDO_USER:-}" ]; then
elif [ ! "\${userid}" = 0 ] || [ -n "\${SUDO_USER}" ]; then
SUDO='sudo'
# jump to current dir where the script is so relative links work
cd "\$(dirname "\${0}")"
@ -515,7 +532,7 @@ detect_user() {
# detect pure root
elif [ "\${userid}" = 0 ]; then
SUDO=''
ISO_PATH="/opt/workbench-script/iso"
ISO_PATH="/opt/workbench"
fi
}
END
@ -536,7 +553,7 @@ main() {
create_base_dirs
echo 'Assuming that you already executed ./install-dependencies.sh'
install_requirements
prepare_chroot_env

13
docker-compose.yaml
View file

@ -1,13 +0,0 @@
services:
build-iso:
init: true
build: .
# this is needed to mount inside docker
privileged: true
# uncomment next two lines to test this
environment:
- DEBUG=true
volumes:
- .:/opt/workbench-script:ro
- ./iso:/opt/workbench-script/iso:rw

50
install-dependencies.sh
View file

@ -1,6 +1,6 @@
#!/bin/sh
# Copyright (c) 2024 pangea.org Associació Pangea - Coordinadora Comunicació per a la Cooperació
# Copyright (c) 2024 Pedro <copyright@cas.cat>
# SPDX-License-Identifier: AGPL-3.0-or-later
set -e
@ -9,53 +9,7 @@ set -u
set -x
main() {
sudo apt update
# system dependencies
host_deps='sudo'
# thanks https://stackoverflow.com/questions/23513045/how-to-check-if-a-process-is-running-inside-docker-container
if [ ! "${DOCKER_BUILD}" ]; then
host_deps="${host_deps} qemu-system"
fi
# workbench deploy/builder image dependencies
image_deps='debootstrap
squashfs-tools
xorriso
mtools
dosfstools'
# workbench deploy/builder bootloader dependencies
# thanks https://willhaley.com/blog/custom-debian-live-environment/
# secureboot:
# -> extra src https://wiki.debian.org/SecureBoot/
# -> extra src https://wiki.debian.org/SecureBoot/VirtualMachine
# -> extra src https://wiki.debian.org/GrubEFIReinstall
bootloader_deps='isolinux
syslinux-efi
syslinux-common
grub-pc-bin
grub-efi-amd64-bin
ovmf
shim-signed
grub-efi-amd64-signed'
# workbench-script client dependencies
client_deps='smartmontools
lshw
hwinfo
dmidecode
inxi
python3
pipenv
qrencode'
# install all
sudo apt install --no-install-recommends -y \
${host_deps} \
${image_deps} \
${bootloader_deps} \
${client_deps}
sudo apt install smartmontools lshw hwinfo dmidecode
}
main "${@}"

5
pxe/.env.example
View file

@ -1,5 +1,4 @@
# assuming server_ip using qemu
server_ip=10.0.2.1
nfs_allowed_lan=10.0.2.0/24
server_ip=192.168.1.2
nfs_allowed_lan=192.168.1.0/24
tftp_path='/srv/pxe-tftp'
nfs_path='/srv/pxe-nfs'

6
pxe/Makefile
View file

@ -1,8 +1,2 @@
.PHONY: test_pxe
test_pxe:
qemu-system-x86_64 -m 1G -boot n -netdev user,id=mynet0,tftp=/srv/pxe-tftp,bootfile=pxelinux.0 -device virtio-net,netdev=mynet0
# TODO not very convinced on having this, but ok right now
.PHONY: install_pxe_debug
install_pxe_debug:
DEBUG=true ./install-pxe.sh

3
pxe/install-pxe.sh
View file

@ -1,6 +1,6 @@
#!/bin/sh
# Copyright (c) 2024 pangea.org Associació Pangea - Coordinadora Comunicació per a la Cooperació
# Copyright (c) 2024 Pedro <copyright@cas.cat>
# SPDX-License-Identifier: AGPL-3.0-or-later
set -e
@ -93,7 +93,6 @@ pxe-service=x86PC,"Network Boot",pxelinux
enable-tftp
tftp-root=${tftp_path}
END
sudo systemctl restart dnsmasq || true
}
install_netboot() {

9
settings.ini.example
View file

@ -4,14 +4,7 @@ url = http://localhost:8000/api/v1/snapshot/
# sample token that works with default deployment such as the previous two urls
token = 5018dd65-9abd-4a62-8896-80f34ac66150
# Idhub
# wb_sign_token = 27de6ad7-cee2-4fe8-84d4-c7eea9c969c8
# url_wallet = http://localhost/webhook/sign/
# useful for development
# disable_qr = False
# path = /path/to/save
# device = your_device_name
# # erase = basic
# legacy = True
# legacy = true

143
workbench-script.py
View file

@ -1,12 +1,8 @@
# -*- coding: utf-8 -*-
# Copyright (c) 2024 pangea.org Associació Pangea - Coordinadora Comunicació per a la Cooperació
# SPDX-License-Identifier: AGPL-3.0-or-later
import os
import json
import uuid
import hashlib
import argparse
import configparser
import urllib.parse
@ -25,7 +21,7 @@ SNAPSHOT_BASE = {
'uuid': str(uuid.uuid4()),
'software': "workbench-script",
'version': "0.0.1",
'operator_id': "",
'token_hash': "",
'data': {},
'erase': []
}
@ -49,7 +45,6 @@ def exec_cmd(cmd):
logger.info(_('Running command `%s`'), cmd)
return os.popen(cmd).read()
@logs
def exec_cmd_erase(cmd):
logger.info(_('Running command `%s`'), cmd)
@ -68,13 +63,13 @@ def convert_to_legacy_snapshot(snapshot):
snapshot["schema_api"] = "1.0.0"
snapshot["settings_version"] = "No Settings Version (NaN)"
snapshot["timestamp"] = snapshot["timestamp"].replace(" ", "T")
snapshot["data"]["smart"] = json.loads(snapshot["data"]["smartctl"])
snapshot["data"].pop("smartctl")
snapshot["data"]["smart"] = snapshot["data"]["disks"]
snapshot["data"].pop("disks")
snapshot["data"].pop("inxi")
snapshot.pop("operator_id")
snapshot.pop("erase")
snapshot.pop("token_hash")
lshw = 'sudo lshw -json'
lshw = 'sudo lshw -xml'
hwinfo = 'sudo hwinfo --reallyall'
lspci = 'sudo lspci -vv'
@ -87,7 +82,7 @@ def convert_to_legacy_snapshot(snapshot):
## End Legacy Functions ##
## Command Functions ##
## Erase Functions ##
## Xavier Functions ##
@ -255,7 +250,7 @@ def smartctl(all_disks, disk=None):
data = exec_smart(disk['name'])
data_list.append(data)
return json.dumps(data_list)
return data_list
## End Command Functions ##
@ -267,7 +262,7 @@ def get_data(all_disks):
inxi = "sudo inxi -afmnGEMABD -x 3 --edid --output json --output-file print"
data = {
'smartctl': smartctl(all_disks),
'disks': smartctl(all_disks),
'dmidecode': exec_cmd(dmidecode),
'inxi': exec_cmd(inxi)
}
@ -310,96 +305,33 @@ def save_snapshot_in_disk(snapshot, path, snap_uuid):
logger.error(_("Could not save snapshot locally. Reason: Failed to write in fallback path:\n %s"), e)
def send_to_sign_credential(snapshot, token, url):
headers = {
"Authorization": f"Bearer {token}",
"Content-Type": "application/json"
}
try:
cred = {
"type": "DeviceSnapshotV1",
"save": False,
"data": {
"operator_id": snapshot["operator_id"],
"dmidecode": snapshot["data"]["dmidecode"],
"inxi": snapshot["data"]["inxi"],
"smartctl": snapshot["data"]["smartctl"],
"uuid": snapshot["uuid"],
}
}
data = json.dumps(cred).encode('utf-8')
## TODO better debug
#with open('/tmp/pre-vc-test.json', "wb") as f:
# f.write(data)
request = urllib.request.Request(url, data=data, headers=headers)
with urllib.request.urlopen(request) as response:
status_code = response.getcode()
response_text = response.read().decode('utf-8')
if 200 <= status_code < 300:
logger.info(_("Credential successfully signed"))
res = json.loads(response_text)
if res.get("status") == "success" and res.get("data"):
return res["data"]
return json.dumps(snapshot)
else:
logger.error(_("Credential cannot signed in '%s'"), url)
return json.dumps(snapshot)
except Exception as e:
logger.error(_("Credential not remotely builded to URL '%s'. Do you have internet? Is your server up & running? Is the url token authorized?\n %s"), url, e)
return json.dumps(snapshot)
# apt install qrencode
def generate_qr_code(url, disable_qr):
"""Generate and print QR code for the given URL."""
if disable_qr:
return
qr_command = "echo {} | qrencode -t ANSI".format(url)
print(exec_cmd(qr_command))
# TODO sanitize url, if url is like this, it fails
# url = 'http://127.0.0.1:8000/api/snapshot/'
def send_snapshot_to_devicehub(snapshot, token, url, ev_uuid, legacy, disable_qr):
def send_snapshot_to_devicehub(snapshot, token, url):
url_components = urllib.parse.urlparse(url)
ev_path = f"evidence/{ev_uuid}"
components = (url_components.scheme, url_components.netloc, ev_path, '', '', '')
ev_path = "evidence/{}".format(snapshot["uuid"])
components = (url_components.schema, url_components.netloc, ev_path, '', '', '')
ev_url = urllib.parse.urlunparse(components)
# apt install qrencode
qr = "echo {} | qrencode -t ANSI".format(ev_url)
print(exec_cmd(qr))
print(ev_url)
headers = {
"Authorization": f"Bearer {token}",
"Content-Type": "application/json"
}
try:
data = snapshot.encode('utf-8')
data = json.dumps(snapshot).encode('utf-8')
request = urllib.request.Request(url, data=data, headers=headers)
with urllib.request.urlopen(request) as response:
status_code = response.getcode()
response_text = response.read().decode('utf-8')
#response_text = response.read().decode('utf-8')
if 200 <= status_code < 300:
logger.info(_("Snapshot successfully sent to '%s'"), url)
if legacy:
try:
response = json.loads(response_text)
public_url = response.get('public_url')
dhid = response.get('dhid')
if public_url:
generate_qr_code(public_url, disable_qr)
print("url: {}".format(public_url))
if dhid:
print("dhid: {}".format(dhid))
except Exception:
logger.error(response_text)
else:
generate_qr_code(ev_url, disable_qr)
print("url: {}".format(ev_url))
else:
logger.error(_("Snapshot %s not remotely sent to URL '%s'. Server responded with error:\n %s"), ev_uuid, url, response_text)
logger.error(_("Snapshot cannot sent to '%s'"), url)
except Exception as e:
logger.error(_("Snapshot not remotely sent to URL '%s'. Do you have internet? Is your server up & running? Is the url token authorized?\n %s"), url, e)
@ -424,13 +356,10 @@ def load_config(config_file="settings.ini"):
device = config.get('settings', 'device', fallback=None)
erase = config.get('settings', 'erase', fallback=None)
legacy = config.get('settings', 'legacy', fallback=None)
url_wallet = config.get('settings', 'url_wallet', fallback=None)
wb_sign_token = config.get('settings', 'wb_sign_token', fallback=None)
disable_qr = config.get('settings', 'disable_qr', fallback=None)
else:
logger.error(_("Config file '%s' not found. Using default values."), config_file)
path = os.path.join(os.getcwd())
url, token, device, erase, legacy, url_wallet, wb_sign_token, disable_qr = (None,)*8
url, token, device, erase, legacy = None, None, None, None, None
return {
'path': path,
@ -438,10 +367,7 @@ def load_config(config_file="settings.ini"):
'token': token,
'device': device,
'erase': erase,
'legacy': legacy,
'wb_sign_token': wb_sign_token,
'url_wallet': url_wallet,
'disable_qr': disable_qr
'legacy': legacy
}
def parse_args():
@ -495,7 +421,6 @@ def main():
config_file = args.config
config = load_config(config_file)
legacy = config.get("legacy")
# TODO show warning if non root, means data is not complete
# if annotate as potentially invalid snapshot (pending the new API to be done)
@ -506,38 +431,22 @@ def main():
snapshot = gen_snapshot(all_disks)
snap_uuid = snapshot["uuid"]
if config['erase'] and config['device'] and not legacy:
if config['erase'] and config['device'] and not config.get("legacy"):
snapshot['erase'] = gen_erase(all_disks, config['erase'], user_disk=config['device'])
elif config['erase'] and not legacy:
elif config['erase'] and not config.get("legacy"):
snapshot['erase'] = gen_erase(all_disks, config['erase'])
if legacy:
if config.get("legacy"):
convert_to_legacy_snapshot(snapshot)
snapshot = json.dumps(snapshot)
else:
url_wallet = config.get("url_wallet")
wb_sign_token = config.get("wb_sign_token")
if wb_sign_token:
tk = wb_sign_token.encode("utf8")
snapshot["operator_id"] = hashlib.sha3_256(tk).hexdigest()
if url_wallet and wb_sign_token:
snapshot = send_to_sign_credential(snapshot, wb_sign_token, url_wallet)
else:
snapshot = json.dumps(snapshot)
snapshot = json.dumps(snapshot)
save_snapshot_in_disk(snapshot, config['path'], snap_uuid)
if config['url']:
send_snapshot_to_devicehub(
snapshot,
config['token'],
config['url'],
snap_uuid,
legacy,
config['disable_qr']
)
send_snapshot_to_devicehub(snapshot, config['token'], config['url'])
logger.info(_("END"))