#! /bin/sh

# nix-shell -p gnumake jq openssh cac cacpanel
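set -eufx
# NOTE: /bin/sh has no `pipefail`; every pipeline below reports only the
# status of its last stage, which is why the jq results are checked
# explicitly.  `-x` traces every command line (arguments, not the contents
# of the secret files) — keep the resulting log private anyway.

# 2 secrets are required:

krebs_cred=${krebs_cred-./cac.json}
retiolum_key=${retiolum_key-./retiolum.rsa_key.priv}

# Sanity: both secret files must be readable before anything is created
# remotely, so a misconfigured run fails without leaving a server behind.
if test ! -r "$krebs_cred"; then
  echo "\$krebs_cred=$krebs_cred must be readable" >&2
  exit 1
fi
if test ! -r "$retiolum_key"; then
  echo "\$retiolum_key=$retiolum_key must be readable" >&2
  exit 1
fi

# All secret material lives in one private temporary directory (mktemp -d
# creates it mode 0700) that the trap below removes on normal exit and on
# INT/TERM.  A SIGKILL skips the trap and leaves the directory behind.
krebs_secrets=$(mktemp -d)
sec_file=$krebs_secrets/cac_config
krebs_ssh=$krebs_secrets/tempssh
cac_resources_cache=$krebs_secrets/res_cache.json
cac_servers_cache=$krebs_secrets/servers_cache.json
cac_tasks_cache=$krebs_secrets/tasks_cache.json
cac_templates_cache=$krebs_secrets/templates_cache.json
# we need to receive this key from buildmaster to speed up tinc bootstrap
# TRAP is kept as a string on purpose: later steps prepend their own
# cleanup to it (see the `cac delete` trap below).  The bare `exit` ends
# the script with rm's status, not with the status the script failed with.
TRAP="rm -r $krebs_secrets;exit"
trap "$TRAP" INT TERM EXIT

# cac(1) reads login and API key from $cac_secrets; the key is fetched once
# from the panel and only ever written into the private temp directory.
cat > "$sec_file" <<EOF
cac_login="$(jq -r .email "$krebs_cred")"
cac_key="$(cac-cli panel --config "$krebs_cred" settings | jq -r .apicode)"
EOF

export cac_secrets=$sec_file
cac-cli panel --config "$krebs_cred" update-api-ip

# test login:
cac update
cac servers

# Template 26: CentOS7
# TODO: use cac templates to determine the real Centos7 template in case it changes
name=$( cac build cpu=1 ram=512 storage=10 os=26 2>&1 \
  | jq -r .servername)
# jq prints "null" with status 0 when the build output carried no
# servername (e.g. `cac build` reported an error as JSON); without this
# check the trap below would later try to delete "servername:null".
if test -z "$name" || test "$name" = null; then
  echo "cac build did not return a servername" >&2
  exit 1
fi

id=servername:$name
trap "cac delete $id;$TRAP" INT TERM EXIT
# TODO: timeout?
# cac_always_update=true cac waitstatus $id "Powered On"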

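#######################################
# Poll until the freshly built server answers `cac ssh` and reports a
# CentOS release, i.e. the template has booted and is reachable.
# Arguments: $1 - cac server selector (servername:NAME)
# Outputs:   the matching /etc/redhat-release line on stdout
# Returns:   0 on the first successful login, 1 after 180 probes 10 s apart
#######################################
wait_login_cac(){
  attempt=0
  # ~30 minutes overall timeout
  while [ "$attempt" -lt 180 ]; do
    attempt=$((attempt + 1))
    # /bin/sh has no pipefail: the pipeline's status is grep's, so a failed
    # or refused `cac ssh` simply counts as "not up yet" and is retried.
    if cac ssh "$1" cat /etc/redhat-release | grep CentOS; then
      return 0
    fi
    sleep 10
  done
  return 1
}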
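# die on timeout: under `set -e` the function's non-zero return ends the
# script, and the EXIT trap then deletes the half-built server.
wait_login_cac "$id"

mkdir -p shared/2configs/temp
cac generatenetworking "$id" > \
  shared/2configs/temp/networking.nix
# new temporary ssh key we will use to log in after infest
ssh-keygen -f "$krebs_ssh" -N ""
cp -- "$retiolum_key" "$krebs_secrets/retiolum.rsa_key.priv"
# we override the directories for secrets and stockholm
# additionally we set the ssh key we generated
ip=$(cac getserver "$id" | jq -r .ip)
# /bin/sh has no pipefail: jq answers "null" with status 0 when getserver
# returned no ip, which would otherwise end up as krebs.build.target.
if test -z "$ip" || test "$ip" = null; then
  echo "cac getserver $id returned no ip" >&2
  exit 1
fi

cat > shared/2configs/temp/dirs.nix <<EOF
_: {
  krebs.build.source.dir = {
    secrets.path = "$krebs_secrets";
    stockholm.path = "$(pwd)";
  };
  users.extraUsers.root.openssh.authorizedKeys.keys = [
    "$(cat "${krebs_ssh}.pub")"
  ];
  krebs.build.target = "$ip";
}
EOF

# Render the infest script to a file first: without pipefail a failed
# `make eval` piped straight into sed would yield an empty script that
# `sh -x` then runs "successfully".  Under `set -e` the failure now aborts.
LOGNAME=shared make eval get=krebs.infest \
  target=derp system=test-centos7 filter=json \
  > "$krebs_secrets/infest.raw"
# Rewrite every remote step to go through `cac ssh $id` instead of plain
# ssh/rsync to root@derp.  $id is spliced verbatim into the sed scripts, so
# a servername containing `#` or sed metacharacters would break them.
sed -e "s#^ssh.*<<#cac ssh $id<<#" \
    -e "/^rsync/a -e 'cac ssh $id' \\\\"  \
    -e "s#root.derp:#:#" "$krebs_secrets/infest.raw" > "$krebs_secrets/infest"
# -x echoes every line of the generated script into the log; whatever the
# infest output embeds ends up there too — NOTE(review): confirm what it
# contains before sharing CI logs.
sh -x "$krebs_secrets/infest"

# TODO: generate secrets directory $krebs_secrets for nix import
cac powerop "$id" reset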

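#######################################
# Poll until the reinstalled host accepts an ssh login with the temporary
# key and runs nixos-version, i.e. infest finished and NixOS came up.
# Globals:   krebs_ssh (read) - private key generated earlier in this run
# Arguments: $1 - ip address of the server
# Outputs:   nixos-version's stdout on success
# Returns:   0 on the first successful login, 1 after 20 probes 10 s apart
#######################################
wait_login(){
  attempt=0
  while [ "$attempt" -lt 20 ]; do
    attempt=$((attempt + 1))
    # Host keys are not pinned: the machine was just reinstalled, so its
    # key is new and known_hosts would only collect stale entries.  This
    # trusts whatever host answers at that ip during bootstrap.  BatchMode
    # keeps a password/passphrase prompt from stalling the CI run.
    if ssh -o StrictHostKeyChecking=no \
           -o UserKnownHostsFile=/dev/null \
           -i "$krebs_ssh" \
           -o ConnectTimeout=10 \
           -o BatchMode=yes \
           "root@$1" nixos-version; then
      return 0
    fi
    sleep 10
  done
  return 1
}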
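# Under `set -e` a timeout here ends the script; the EXIT trap then deletes
# the server and the private temp directory.
wait_login "$ip"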