9nbd: copy all keys into root keyring

chaos · Aug 21, 2014 · b4da383 · b4da383
1 parent 859f3c8
commit b4da383
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 7 deletions.
diff --git a/dracut.nbd9/9nbdroot b/dracut.nbd9/9nbdroot
@@ -74,16 +74,28 @@ while [ ! -b /dev/nbd0 ]; do
     i=$(( $i + 1))
 done
 
-keydir=/tftpboot/keys/munge
+# If auth=munge is set, first we load all the keys from keydir into the
+# root user's keyring so that the booted system can extract them later.
+# (This may include keys not related to auth=munge but convenient to bootstrap
+# here as well).  Next, we extract the munge key, roughly synchronize dates
+# with the diod server, and temporarily start munged so we can authenticate
+# root.  A pre-pivot hook will kill munged later.
+# N.B. presumes that the server is exporting keydir with noauth,privport,
+# and has configured auth_required_ctl = 0 (for dioddate).
+keydir=/tftpboot/keys
+mungekey=munge.key
 if [[ "$nbdopts" =~ "auth=munge" ]]; then
-    umask 077
-    diodcat -p -s "$nbdserver" -a "$keydir" munge.key >/tmp/munge.key || exit 1
-    umask 022
+    for key in $(diodls -p -s "$nbdserver" -a "$keydir"); do
+        diodcat -p -s "$nbdserver" -a "$keydir" $key | base64 \
+			| keyctl padd user $key @u
+    done
+    keyid=$(keyctl search @u user $mungekey) || exit 1
+    keyctl pipe $keyid | base64 -d >/tmp/$mungekey
+    chmod 600 /tmp/$mungekey
     mkdir -p /var/run/munge /var/lib/munge /var/log/munge
     dioddate -S -s "$nbdserver"
-    munged --key /tmp/munge.key -f || exit 1
+    munged --key /tmp/$mungekey -f || exit 1
     echo "create user munge * |/usr/bin/munge" >/etc/request-key.conf
-    echo "MUNGE started"
 fi
 
 echo mount.diod ${nbdopts:+-o$nbdopts} -a "$nbdserver:$nbdpath" /dev/nbd0

diff --git a/dracut.nbd9/xinstall b/dracut.nbd9/xinstall
@@ -1,10 +1,13 @@
 #!/bin/bash
 inst mount.diod
+inst diodls
 inst diodcat
 inst dioddate
 inst munged
 inst munge
 inst request-key
+inst keyctl
+inst base64
 inst_hook cmdline 90 "$moddir/parse-9nbdroot.sh"
 inst_hook pre-pivot 90 "$moddir/munge-cleanup.sh"
 

diff --git a/nfsroot.spec.in b/nfsroot.spec.in
@@ -10,7 +10,9 @@ Requires: syslinux
 Requires: memtest86+
 Requires: dracut-network
 Requires: rsync, nfs-utils, gzip, cpio, tar, kexec-tools, kernel
-# Requires: munge keyutils diod 1.0.15 kmod-v9fs
+# Requires: munge keyutils
+# Requires: diod >= 1.0.20
+# Requires: kmod-v9fs
 Requires(post): syslinux
 
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}