-
Notifications
You must be signed in to change notification settings - Fork 9
/
Copy pathinitial-setup
executable file
·252 lines (208 loc) · 7.22 KB
/
initial-setup
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
#!/bin/bash
# Copyright 2016 Ryan Sawhill Aroha <[email protected]>
# License: Apache License 2.0 (see LICENSE or http://apache.org/licenses/LICENSE-2.0.html)
# Helper script for upvm
if [[ $(id -u) != 0 ]]; then
echo This script must be run as root
echo Aborting
exit 1
fi
if getenforce | egrep -sq '^(Permissive|Enforcing)$' && ! command -v semanage >/dev/null; then
echo This script requires the semanage command
echo Install policycoreutils-python package
echo Aborting
exit 1
fi
if getent group libvirt >/dev/null; then
libvirtGID=$(getent group libvirt | cut -d: -f3)
else
echo The libvirt system group is missing
echo This means you have not yet installed the libvirt-daemon
echo Try again once you have done that
echo Aborting
exit 1
fi
if getent passwd qemu >/dev/null; then
# This should always be 107 but let's not take any chances
qemuUID=$(getent passwd qemu | cut -d: -f3)
else
echo The qemu system user is missing
echo This means you have not yet installed qemu-common or libvirt-daemon-driver-qemu
echo Try again once you have done that
echo Aborting
exit 1
fi
if ! systemctl is-active libvirtd.service &>/dev/null; then
echo -e "\nStarting libvirtd.service ...\n"
systemctl start libvirtd.service
fi
if ! virt-host-validate; then
echo -e "\nvirt-host-validate command failed"
echo "You probably need to enable hardware virtualization in BIOS/UEFI"
exit 1
fi
prg=upvm
cacheDir="/var/cache/$prg"
imageDir="/var/lib/$prg"
domain=example.com
promptok() {
read -ep "Continue? [y/n] "
[[ $REPLY == y ]] || exit 1
}
cat <<EOF
This script is meant to be run once to make system-wide changes to ease use of
$prg and virsh/virt-install. That said, it can be safely run more than once.
A user must be in the libvirt group to use $prg with the default system-wide
cache/image locations, not to mention run virsh and virt-install commands.
Here's the only piece of this that requires your input:
You must specify a space-separated list of users to add to the libvirt group.
EOF
USERS=
read -ep '> ' USERS
if ! grep -qs '\S' <<<"$USERS"; then
echo No user specified
promptok
fi
for user in $USERS; do
if getent passwd "$user" >/dev/null; then
if usermod -aG libvirt "$user"; then
echo -e "\nSuccessfully added '$user' to the libvirt group"
else
echo -e "\nError adding '$user' to the libvirt group"
promptok
fi
else
echo -e "\nInvalid user: '$user'"
promptok
fi
done
if grep -qs '\S' <<<"$USERS"; then
echo -e "\nWARNING: If any specified users are currently logged in they will need to"
echo " log out or open a new session in order to use $prg."
read -ep "[Press Enter to acknowledge]"
fi
echo -e "\nCreating system-wide cache dir: $cacheDir"
mkdir -p "$cacheDir"
chgrp libvirt "$cacheDir"
chmod 2775 "$cacheDir"
xml=$(mktemp)
cat >$xml <<EOF
<pool type='dir'>
<name>$prg</name>
<target>
<path>$imageDir</path>
<permissions>
<mode>0770</mode>
<owner>$qemuUID</owner>
<group>$libvirtGID</group>
<label>system_u:object_r:virt_image_t:s0</label>
</permissions>
</target>
</pool>
EOF
echo -e "\nAdding $imageDir as storage pool writable by members of libvirt group ...\n"
{
virsh pool-define $xml
rm $xml
virsh pool-build $prg
virsh pool-start $prg
virsh pool-autostart $prg
} 2>/dev/null
echo "Permanently fixing SELinux context ..."
semanage fcontext -a -t virt_image_t "$imageDir(/.*)?"
restorecon -RF "$imageDir"
echo -e "\nAWESOME. All the critical stuff is done. You can go enjoy $prg."
echo "That said, there are 4 more optional things you can do."
cat <<EOF
1) Make sure that the users who use $prg have generated ssh keys
$prg automatically configures the root user (in the VMs it builds) to trust all
ssh keys found in ~/.ssh/id* along with ~/.ssh/authorized_keys.
EOF
read -ep "[Press Enter to acknowledge]"
cat <<EOF
2) Add $domain domain to the libvirt default network
This makes it so that DNS queries to *.$domain made from inside the default
private network (i.e., inside the virtual machines) will be answered by
libvirt's dnsmasq DNS server. This is a good thing.
EOF
promptok
if virsh net-info default &>/dev/null; then
virsh net-dumpxml default >$xml
else
cat >$xml <<-EOF
<network>
<name>default</name>
<bridge name="virbr0"/>
<forward/>
<ip address="192.168.122.1" netmask="255.255.255.0">
<dhcp>
<range start="192.168.122.2" end="192.168.122.254"/>
</dhcp>
</ip>
<domain name='$domain' localOnly='yes'/>
</network>
EOF
fi
if grep -q 'domain name=' $xml; then
currentDomainName=$(egrep -o 'domain name=\S+' $xml | cut -d\" -f2 | cut -d\' -f2)
echo -e "\ndefault network already has 'domain name=$currentDomainName' set; skipping"
else
sed -i "s,ip>,&\n <domain name='$domain' localOnly='yes'/>," $xml
virsh net-destroy default
virsh net-undefine default
virsh net-define $xml
virsh net-start default
virsh net-autostart default
fi
libvirtIPADDR=$(egrep -o 'ip address=\S+' $xml | cut -d\" -f2 | cut -d\' -f2)
cat <<EOF
3) Make the host system able to also query libvirt's dnsmasq DNS server
Do you want the option to ssh to your new $domain VMs by name without
looking up their IPs? Of course you do. Who wouldn't. To do this, we tell
NetworkManager to kick off its own instance of dnsmasq for DNS caching but we
also have it point to libvirt's dnsmasq @ $libvirtIPADDR for *.$domain
queries.
(Warning: this requires RHEL 7.2+)
EOF
promptok
if [[ -n $currentDomainName && $currentDomainName != example.com ]]; then
echo -e "\nNOTE: You already had 'domain name=$currentDomainName' set for your libvirt network"
echo " Using that instead of $domain"
domain=$currentDomainName
fi
mkdir -p /etc/NetworkManager/dnsmasq.d
if [[ -f /etc/NetworkManager/dnsmasq.d/libvirt_dnsmasq.conf ]]; then
echo -e "\n/etc/NetworkManager/dnsmasq.d/libvirt_dnsmasq.conf already exists; skipping"
else
echo -e "\nWriting 'server=/$domain/$libvirtIPADDR' to /etc/NetworkManager/dnsmasq.d/libvirt_dnsmasq.conf"
echo "server=/$domain/$libvirtIPADDR" >/etc/NetworkManager/dnsmasq.d/libvirt_dnsmasq.conf
fi
if [[ -f /etc/NetworkManager/conf.d/99-enable-dnsmasq.conf ]]; then
echo -e "\n/etc/NetworkManager/conf.d/99-enable-dnsmasq.conf already exists; skipping"
else
echo
echo "Writing '[main]\ndns=dnsmasq' to /etc/NetworkManager/conf.d/99-enable-dnsmasq.conf"
echo -e "[main]\ndns=dnsmasq" >/etc/NetworkManager/conf.d/99-enable-dnsmasq.conf
fi
echo -e "\nRestarting NetworkManager"
systemctl restart NetworkManager
cat <<EOF
4) Make it easier to ssh to VMs -- no need to type "root@" or ".$domain"
This requires adding 5 lines to /etc/ssh/ssh_config and takes effect
immediately. This is the final optional piece of this script.
EOF
promptok
if grep -q "CanonicalDomains $domain" /etc/ssh/ssh_config; then
echo -e "\nThe 'CanonicalDomains $domain' setting is already present in ssh_config; skipping"
else
echo -e "\nAppending to /etc/ssh/ssh_config ..."
cat >>/etc/ssh/ssh_config <<-EOF
# Added by $prg:
Host *
CanonicalDomains $domain
CanonicalizeHostname yes
Host *.$domain
User root
EOF
fi
echo -e "\nALL DONE! Have fun with $prg!"