#1 Oko, 8th February 2011
siteXX.tgz and install.site

Even though I have OpenBSD installed on at least half a dozen machines at any given time, so far I have infrequently used siteXX.tgz and install.site due to the heterogeneous nature of my hardware and use of machines. However, I got permission to install OpenBSD on 30 desktops at my place of employment. The hardware is almost identical (i-386) but not really suitable for a dump and restore installation. I am looking to do a minimal-intervention installation on these machines.

Can people kindly share the typical content of their siteXX.tgz files and, even more importantly, their install.site scripts? I would like to "automatically" replace all files in /etc/ and /var with the edited ones, as well as to run the script which will automatically add packages from the local repository as well as dot files.

Thank You,
OKO
#2 J65nko, 9th February 2011

I am in the process of documenting my install.site/siteXXX.tgz framework. See my PM to you.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
#3 Oko, 10th February 2011

Quote:
Originally Posted by J65nko View Post
I am in the process of documenting my install.site/siteXXX.tgz framework. See my PM to you.

Thanks a million!!! I am not in a big hurry so I could wait a bit before writing my own (which is going to look fairly complicated). I have seen your posts before. Besides the things you are outlining in those posts, I really need to have install.site perform a couple of additional things.

1. Appending and replacing a bunch of files in /etc/ such as pf.conf, rc.conf.local, group, dhcpd.conf, sudoers, resolv.conf, sysctl.conf, printcap, as well as the foomatic directory populated by PPDs for printers.

2. I also need to upload scanner firmware into /usr/local/share/sane/snapscan

3. The permissions for printers, scanners and USBs have to be adjusted so that users can use them.

4. Packages should install and configure automatically.

5. dotfiles should install automatically per user.

What I am really after is a standard security-hardened desktop which can be installed with minimal human intervention in 20-30 minutes.

Most Kind Regards,
OKO
#4 J65nko, 18th February 2011

Quote:
Originally Posted by Oko View Post
...... I really need to have install.site perform a couple of additional things.

1. Appending and replacing a bunch of files in /etc/ such as pf.conf, rc.conf.local, group, dhcpd.conf, sudoers, resolv.conf, sysctl.conf, printcap, as well as the foomatic directory populated by PPDs for printers.

Appending to existing files is a typical task for the 'install.site' script. You can also patch files within 'install.site', as this example dating back to 2007 shows:

Code:
echo --- patch script for: sysctl.conf --- BEGIN
# ---  edit the following line if needed
FILE=./sysctl.conf
FILE=/etc/sysctl.conf

# --- patch it !
# Quoted delimiter: the patch text is passed to patch(1) without shell expansion
cat <<'END_OF_PATCH' | patch -b -p0 "${FILE}"
--- ORIG/sysctl.conf    Wed Aug  8 14:19:57 2007
+++ NEW/sysctl.conf     Wed Aug  8 14:59:26 2007
@@ -4,7 +4,7 @@
 # boot time.  See sysctl(3) and sysctl(8) for more information on
 # the many available variables.
 #
-#net.inet.ip.forwarding=1      # 1=Permit forwarding (routing) of IPv4 packets
+net.inet.ip.forwarding=1       # 1=Permit forwarding (routing) of IPv4 packets
 #net.inet.ip.mforwarding=1     # 1=Permit forwarding (routing) of IPv4 multicast packets
 #net.inet.ip.multipath=1       # 1=Enable IP multipath routing
 #net.inet6.ip6.forwarding=1    # 1=Permit forwarding (routing) of IPv6 packets
END_OF_PATCH
echo  --- patch script for: sysctl.conf --- END
This kind of script snippet I generate with the script I described at http://www.daemonforums.org/showthread.php?t=4257

To replace complete files, you create a 'shadow' file system and populate this file system with whatever you want to overwrite the original ones.
Code:
# pwd
/root/SITEXX

# ls -lR FILES
drwxr-xr-x  2 root  wheel  512 Feb 14 06:53 etc
drwx------  2 root  wheel  512 Feb 14 06:57 root

FILES/etc:
-rw-------  1 root  wheel  18 Feb 14 06:53 pf.conf

FILES/root:
-rw-r-----  1 root  wheel  1590 Mar  8  2010 PKGenv
-rw-r-----  1 root  wheel   244 Mar 14  2010 _boot-bsd.rd
-rw-r-----  1 root  wheel   764 Jan 31  2010 _serialconsole
-rw-r-----  1 root  wheel  1126 Jan 27  2010 format_fstab
Now a customizable Makefile will tar up this shadow filesystem:
Code:
# make sitexx

WARNING: No  install.site !!!

tar cvzf site49.tgz -C FILES .
.
./etc
./etc/pf.conf
./root
./root/format_fstab
./root/_serialconsole
./root/_boot-bsd.rd
./root/PKGenv

The "-C FILES" option ensures that the files in the tarball have the proper paths to overwrite the existing files.
Normally it will also add an 'install.site' script. Because in this case it did not exist, a warning is issued.
Quote:
2. I also need to upload scanner firmware into
/usr/local/share/sane/snapscan
Put the firmware file in the corresponding shadow file directory to be tarred up with all other files.

Besides the 'siteXX.tgz' file, the OpenBSD installer also automagically untars a file called 'siteXX-HOSTNAME.tgz' for host/box specific files.

A sibling directory of the above-mentioned directory FILES is FILES.plato:
Code:
 # ls -lR FILES.plato
    
drwxr-xr-x  3 root  wheel  512 Feb 17 08:05 etc
-rw-r--r--  1 root  wheel   28 Feb 17 03:07 plato.txt

FILES.plato/etc:
-rw-------  1 root  wheel  1758 Feb 24  2010 pf.conf
drwxr-xr-x  2 root  wheel   512 Feb 17 08:04 skel

FILES.plato/etc/skel:
-rw--r--r--  1 root  wheel  118 Feb 17 08:04 .exrc
You now create the site49-plato.tgz file with:
Code:
# make sitebox
tar cvzf site49-plato.tgz -C FILES.plato .
.
./plato.txt
./etc
./etc/pf.conf
./etc/skel
./etc/skel/.exrc
Just like 'rc.conf.local' and 'rc.local' have the overrides for 'rc.conf', and 'rc', in a similar way 'site49-plato.tgz' overrides/overwrites 'site49.tgz'.

Quote:
3. The permissions for printers, scanners and USBs have to be adjusted so that users can use them
Another typical task for the 'install.site' script.

Quote:
4. Packages should install and configure automatically.
I use a shell script template for the 'pkg_add'.
Code:
# ---
export PKG_PATH="=pkg_path="

export PKG_CACHE=/home/packages
mkdir -p ${PKG_CACHE}

PACKAGES="=packages="

echo Installing the following packages from $PKG_PATH
echo $PACKAGES | tr ' ' '\n'
echo -------------------------------------------------
pkg_add -v $PACKAGES
echo ===End of 'pkg_add'===
The Makefile uses sed(1) to replace the placeholders =pkg_path= and =packages= with the real values.
These values are defined as Makefile variables, initialized with the contents of files. The 'patched' result is then appended to 'install.site'.

BTW I only install simple packages with not too many dependencies in the install.site.
No gnome, kde or even firefox. I do that when the system is being rebooted for the first time. Remember that during install time you have a rather limited environment.

Quote:
5. dotfiles should install automatically per user.
If the box or host 'plato' only has a single user, copy the .dotfile into FILES.plato/etc/skel for inclusion in site49-plato.tgz.

Or use a simple shell snippet like '_exrc.root' for 'install.site':
Code:
#---------------------------------------- 
FILE=/root/.exrc
#FILE=$( basename ${FILE} )

echo Creating ${FILE}

cat <<END > ${FILE}
set showmode
set verbose
set ruler
set number
set autoindent
set prompt
set showmatch
set shiftwidth=4
set windowname
END
The install.site script is the result of throwing together a bunch of small tiny shell scripts:
Code:
# --- script building blocks ---

COMMON= \
        _ksh-prompt \
        _disable-inetd \
        _comment-inetd.conf \
        _user-j65nko-snap \
        _rootmail-to-j65nko \
        _sshpubkey-j65nko \
        _sshd-inet-noroot \
        _ssh_config-inet-protocol2 \
        _sudo-wheel \
        _PKGenv-i386

# -- individual blocks : parts.${BOX}

parts.apollo= \
        _ntp-server-192.168.222.10 \
        _start-ntpd \
        _softupdates_adefghi

parts.althusser= \
        _ntp-server-192.168.222.10 \
        _start-ntpd \
        _softupdates_a

# -- AMD64 board  
parts.hercules= \
        _ntp-server-192.168.222.10 \
        _enable_lpd \
        _softupdates_a \
        _PKGenv-amd64

The complete install.site is then defined with:
Code:
SCRIPT  =    ${COMMON} ${parts.${BOX}} sh.pkg

The BOX variable holds the hostname (initialized from a file unsurprisingly called 'BOX') and 'sh.pkg' is the patched shell script snippet doing the pkg_add.

Now the makefile only has to do a :
Code:
cat ${SCRIPT} >install.site
And voila, there is your customized post-installation script.

It is neither difficult nor complicated
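The assembly step described in post #4 (concatenate the snippets, fill the =pkg_path= and =packages= placeholders), written as an added example that is not J65nko's Makefile. The function name `build_install_site`, its argument order, the mirror URL and the package names are assumptions made for illustration; the build stops on a missing snippet or a syntax error instead of producing a partial script.

```shell
#!/bin/sh
# Added example, not from the thread: build_install_site and its argument
# order are hypothetical; snippet names follow the post's _name convention.
# usage: build_install_site DIR OUT PKG_PATH "PACKAGES" snippet...
build_install_site() {
    dir=$1 out=$2 pkg_path=$3 packages=$4
    shift 4
    # An empty value would leave pkg_add without a repository or package list.
    [ -n "$pkg_path" ] && [ -n "$packages" ] || return 1
    tmp=$(mktemp "$out.XXXXXX") || return 1
    printf '#!/bin/sh\n' >"$tmp"
    for part in "$@"; do
        # A missing snippet (for instance _sshd-inet-noroot) must stop the
        # build instead of silently yielding a weaker install.site.
        if [ ! -r "$dir/$part" ]; then
            echo "missing snippet: $part" >&2
            rm -f "$tmp"
            return 2
        fi
        printf '\n# --- from %s ---\n' "$part" >>"$tmp"
        # Placeholder substitution as in the post; assumes the values
        # contain no '|' or '&' characters.
        sed -e "s|=pkg_path=|$pkg_path|g" -e "s|=packages=|$packages|g" \
            "$dir/$part" >>"$tmp"
    done
    # install.site runs unattended as root: refuse a script that does not parse.
    if ! sh -n "$tmp" 2>/dev/null; then
        echo "syntax error in assembled install.site" >&2
        rm -f "$tmp"
        return 3
    fi
    chmod 755 "$tmp"    # the installer only runs install.site if it is executable
    mv "$tmp" "$out"
}

# Constructed demo input: two small snippets in a scratch directory.
demo=$(mktemp -d)
printf '%s\n' 'echo "set -o vi" >>/root/.profile' >"$demo/_ksh-vi"
printf '%s\n' 'export PKG_PATH="=pkg_path="' 'pkg_add -v =packages=' >"$demo/sh.pkg"
build_install_site "$demo" "$demo/install.site" \
    "http://mirror.example/pub/OpenBSD/4.9/packages/i386/" "pkgA pkgB" \
    _ksh-vi sh.pkg && cat "$demo/install.site"
rm -rf "$demo"
```
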
#5 qmemo, 10th February 2011

@J65nko

Can you post it? I think people will make use of it.

#6 qmemo, 18th February 2011

@J65nko

I take the honour of being the first to say....thank you
#7 Oko, 2nd March 2011

Quote:
Originally Posted by qmemo View Post
@J65nko

I take the honor of being the first to say....thank you
+1

J65nko you are the MAN!!!