sign and check signature on scripts for remote execution
This commit is contained in:
parent
223090c0e4
commit
85ca124520
|
@ -15,8 +15,9 @@ nginx / apache / lighttpd <br/>
|
||||||
openssh <br/>
|
openssh <br/>
|
||||||
php <br/>
|
php <br/>
|
||||||
socat <br/>
|
socat <br/>
|
||||||
sqlite3 / mariadb (only sqlite3 for now)<br/>
|
sqlite3 / mariadb (only sqlite3 for now) <br/>
|
||||||
usermode-utilities <br/>
|
usermode-utilities <br/>
|
||||||
|
openssl (for managing remote servers) <br/>
|
||||||
|
|
||||||
**Manual install:** <br/>
|
**Manual install:** <br/>
|
||||||
become root <br/>
|
become root <br/>
|
||||||
|
@ -28,5 +29,7 @@ ln -sf ${PWD}/nlvmi/wrap-nlvmi /usr/bin/ <br/>
|
||||||
ln -sf ${PWD}/nlvmi/web /var/www/localhost/htdocs/nlvmi <br/>
|
ln -sf ${PWD}/nlvmi/web /var/www/localhost/htdocs/nlvmi <br/>
|
||||||
chown root:nlvmi nlvmi/*nlvmi <br/>
|
chown root:nlvmi nlvmi/*nlvmi <br/>
|
||||||
chmod +s nlvmi/wrap-nlvmi <br/>
|
chmod +s nlvmi/wrap-nlvmi <br/>
|
||||||
|
|
||||||
|
#not yet implemented... <br/>
|
||||||
mkdir /etc/nginx/nlvmi <br/>
|
mkdir /etc/nginx/nlvmi <br/>
|
||||||
add an "include nlvmi/*.conf" statement within nginx.conf's server declaration. <br/>
|
add an "include nlvmi/*.conf" statement within nginx.conf's server declaration. <br/>
|
40
nlvmi
40
nlvmi
|
@ -34,7 +34,7 @@ function checkdb {
|
||||||
echo "error accessing sqlite!"
|
echo "error accessing sqlite!"
|
||||||
exit 1;
|
exit 1;
|
||||||
fi
|
fi
|
||||||
echo "sqlite ready to use";
|
echo "sqlite ready to use";
|
||||||
elif [ $DATABASETYPE == "mariadb" ]; then
|
elif [ $DATABASETYPE == "mariadb" ]; then
|
||||||
DBCON="mysql --disable-pager -u $MARIAUSER -p$MARIAPASS -h $MARIAHOST $MARIADB"
|
DBCON="mysql --disable-pager -u $MARIAUSER -p$MARIAPASS -h $MARIAHOST $MARIADB"
|
||||||
declare -a DBC=`echo "SHOW TABLES FROM $MARIADB; " | $DBCON | sed 1d`
|
declare -a DBC=`echo "SHOW TABLES FROM $MARIADB; " | $DBCON | sed 1d`
|
||||||
|
@ -134,6 +134,7 @@ function vmstart {
|
||||||
if [ ! -z ${array[6]} ]; then SMP="-smp ${array[6]}"; fi
|
if [ ! -z ${array[6]} ]; then SMP="-smp ${array[6]}"; fi
|
||||||
if [ ! -z ${array[7]} ]; then MEMORY="-m ${array[7]}"; fi
|
if [ ! -z ${array[7]} ]; then MEMORY="-m ${array[7]}"; fi
|
||||||
if [ ! -z ${array[8]} ]; then USBDEV="-usb -device usb-ehci,id=ehci -device usb-${array[8]},bus=usb-bus.0"; fi
|
if [ ! -z ${array[8]} ]; then USBDEV="-usb -device usb-ehci,id=ehci -device usb-${array[8]},bus=usb-bus.0"; fi
|
||||||
|
if [ ! -z ${array[9]} ]; then KB="-k ${array[9]}"; fi
|
||||||
if [ ! -z ${array[10]} ]; then CUSTOM="${array[10]}"; fi
|
if [ ! -z ${array[10]} ]; then CUSTOM="${array[10]}"; fi
|
||||||
if [ ! -z ${array[13]} ]; then DRIVE1="-drive file=${array[13]}"; echo "chown ${array[2]}:nlvmi ${array[13]}" >>$TMPF; fi
|
if [ ! -z ${array[13]} ]; then DRIVE1="-drive file=${array[13]}"; echo "chown ${array[2]}:nlvmi ${array[13]}" >>$TMPF; fi
|
||||||
if [ ! -z ${array[14]} ]; then FORMAT1=",format=${array[14]},if=virtio"; fi
|
if [ ! -z ${array[14]} ]; then FORMAT1=",format=${array[14]},if=virtio"; fi
|
||||||
|
@ -153,20 +154,22 @@ function vmstart {
|
||||||
if [ ! -z ${array[28]} ]; then BRDEV3="${array[28]}"; echo "brctl addif ${array[28]} ${array[26]}" >>$TMPF; fi
|
if [ ! -z ${array[28]} ]; then BRDEV3="${array[28]}"; echo "brctl addif ${array[28]} ${array[26]}" >>$TMPF; fi
|
||||||
if [ ! -z ${array[30]} ]; then WEBSOCK=",websocket=${array[30]}"; else WEBSOCK=""; fi
|
if [ ! -z ${array[30]} ]; then WEBSOCK=",websocket=${array[30]}"; else WEBSOCK=""; fi
|
||||||
if [ ! -z ${array[29]} ]; then VNCPORT="-vnc :${array[29]}$WEBSOCK,password"; fi
|
if [ ! -z ${array[29]} ]; then VNCPORT="-vnc :${array[29]}$WEBSOCK,password"; fi
|
||||||
COMMAND=(su - ${array[2]} -s /bin/bash -c \"${array[4]} -enable-kvm $CUSTOM $CPUTYPE $MEMORY $SMP -boot ${array[11]} $USBDEV -k ${array[9]} -daemonize $DRIVE1$FORMAT1 $DRIVE2$FORMAT2 $DRIVE3$FORMAT3 $CDROM $MACADDR1 $TAPDEV1 $MACADDR2 $TAPDEV2 $MACADDR3 $TAPDEV3 $VNCPORT $CUSTOM -pidfile $RUNDIRECTORY/${array[1]}.pid -monitor unix:$RUNDIRECTORY/${array[1]}.mon,server,nowait\")
|
COMMAND=(su - ${array[2]} -s /bin/bash -c \"${array[4]} -enable-kvm $CUSTOM $CPUTYPE $MEMORY $SMP -boot ${array[11]} $USBDEV $KB -daemonize $DRIVE1$FORMAT1 $DRIVE2$FORMAT2 $DRIVE3$FORMAT3 $CDROM $MACADDR1 $TAPDEV1 $MACADDR2 $TAPDEV2 $MACADDR3 $TAPDEV3 $VNCPORT $CUSTOM -pidfile $RUNDIRECTORY/${array[1]}.pid -monitor unix:$RUNDIRECTORY/${array[1]}.mon,server,nowait\")
|
||||||
if [ $LOGLEVEL -gt "1" ]; then echo ${COMMAND[@]}; fi
|
if [ $LOGLEVEL -gt "1" ]; then echo ${COMMAND[@]}; fi
|
||||||
echo "${COMMAND[@]}" >>$TMPF
|
echo "${COMMAND[@]}" >>$TMPF
|
||||||
#Set VNC Password
|
#Set VNC Password
|
||||||
echo "echo \"change vnc password ${array[31]}\" | socat - unix-connect:$RUNDIRECTORY/${array[1]}.mon >/dev/null" >>$TMPF
|
echo "echo \"change vnc password ${array[31]}\" | socat - unix-connect:$RUNDIRECTORY/${array[1]}.mon >/dev/null" >>$TMPF
|
||||||
if [ ! -z "${array[34]}" ]; then
|
if [ ! -z "${array[34]}" ]; then
|
||||||
echo "chmod g+w $RUNDIRECTORY/${array[1]}.mon" >>$TMPF
|
echo "chmod g+w $RUNDIRECTORY/${array[1]}.mon" >>$TMPF
|
||||||
su nlvmi -c "scp $TMPF ${array[34]}:/home/nlvmi/"
|
echo "chmod g+r $RUNDIRECTORY/${array[1]}.pid" >>$TMPF
|
||||||
su nlvmi -c "ssh ${array[34]} \"/usr/bin/nlvmi remote $TMPF run\""
|
openssl dgst -sha512 -sign "/nlvmi/nlvmi_priv.key" -out /home/nlvmi/${array[1]}.tmp.sha512 $TMPF
|
||||||
su nlvmi -c "ssh ${array[34]} \"rm $TMPF\""
|
su nlvmi -c "scp $TMPF* ${array[34]}:/home/nlvmi/"
|
||||||
rm $TMPF
|
su nlvmi -c "ssh ${array[34]} \"/usr/bin/nlvmi remote $TMPF run\""
|
||||||
|
su nlvmi -c "ssh ${array[34]} \"rm $TMPF $TMPF.sha512\""
|
||||||
|
rm $TMPF $TMPF.sha512
|
||||||
else
|
else
|
||||||
/bin/bash $TMPF
|
/bin/bash $TMPF
|
||||||
rm $TMPF
|
rm $TMPF
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
export VMFOUND="yes"
|
export VMFOUND="yes"
|
||||||
|
@ -187,15 +190,20 @@ function vmstop {
|
||||||
STOPPED="no"
|
STOPPED="no"
|
||||||
COUNTER=0
|
COUNTER=0
|
||||||
while [ $STOPPED = "no" ]; do
|
while [ $STOPPED = "no" ]; do
|
||||||
if [ $COUNTER == 200 ]; then
|
if [ $COUNTER == 2 ]; then
|
||||||
if [ -z ${array[2]} ]; then
|
if [ -z ${array[2]} ]; then
|
||||||
kill `cat $RUNDIRECTORY/${array[1]}.pid`
|
kill `cat $RUNDIRECTORY/${array[1]}.pid`
|
||||||
echo "${array[1]} forcefully killed!";
|
echo "${array[1]} forcefully killed!";
|
||||||
STOPPED="yes"
|
STOPPED="yes"
|
||||||
else
|
else
|
||||||
su nlvmi -c "ssh ${array[2]} \"echo \\\"kill \\\$(<\\\"$RUNDIRECTORY/${array[1]}.pid\\\")\\\" >/home/nlvmi/${array[1]}.tmp\""
|
TMPF=/home/nlvmi/${array[1]}.tmp
|
||||||
|
echo "kill \$(<\"$RUNDIRECTORY/${array[1]}.pid\")" >$TMPF
|
||||||
|
openssl dgst -sha512 -sign "/nlvmi/nlvmi_priv.key" -out $TMPF.sha512 $TMPF
|
||||||
|
su nlvmi -c "scp $TMPF* ${array[2]}:/home/nlvmi/"
|
||||||
|
# su nlvmi -c "ssh ${array[2]} \"echo \\\"kill \\\$(<\\\"$RUNDIRECTORY/${array[1]}.pid\\\")\\\" >/home/nlvmi/${array[1]}.tmp\""
|
||||||
su nlvmi -c "ssh ${array[2]} \"/usr/bin/nlvmi remote /home/nlvmi/${array[1]}.tmp stop\""
|
su nlvmi -c "ssh ${array[2]} \"/usr/bin/nlvmi remote /home/nlvmi/${array[1]}.tmp stop\""
|
||||||
su nlvmi -c "ssh ${array[2]} \"rm /home/nlvmi/${array[1]}.tmp\""
|
su nlvmi -c "ssh ${array[2]} \"rm $TMPF $TMPF.sha512\""
|
||||||
|
rm $TMPF $TMPF.sha512
|
||||||
echo "remotekill"
|
echo "remotekill"
|
||||||
STOPPED="yes"
|
STOPPED="yes"
|
||||||
fi
|
fi
|
||||||
|
@ -264,7 +272,7 @@ if [ $# -gt 0 ]; then
|
||||||
export "$VMFOUND"
|
export "$VMFOUND"
|
||||||
vmstart $arrays
|
vmstart $arrays
|
||||||
done
|
done
|
||||||
if [[ $VMFOUND == "no" ]]; then echo "no VM with that name found!"; exit 1; fi)
|
if [[ $VMFOUND == "no" ]]; then echo "no VM with that name found!"; exit 1; fi)
|
||||||
elif [ $1 == "stop" ]; then
|
elif [ $1 == "stop" ]; then
|
||||||
if [ -z $2 ]; then echo "stop needs a vmname!"; exit 1; fi
|
if [ -z $2 ]; then echo "stop needs a vmname!"; exit 1; fi
|
||||||
VMFOUND="no"
|
VMFOUND="no"
|
||||||
|
@ -278,9 +286,6 @@ if [ $# -gt 0 ]; then
|
||||||
if [[ $VMFOUND == "no" ]]; then echo "no VM with that name found!"; exit 1; fi)
|
if [[ $VMFOUND == "no" ]]; then echo "no VM with that name found!"; exit 1; fi)
|
||||||
elif [ $1 == "stopall" ]; then
|
elif [ $1 == "stopall" ]; then
|
||||||
stopall
|
stopall
|
||||||
elif [ $1 == "checkvm" ]; then
|
|
||||||
if [ -z $2 ]; then echo "checkvm needs a vmname!"; exit 1; fi
|
|
||||||
if [ -e $RUNDIRECTORY/$2.mon ]; then echo $2 running; else echo $2 stopped; fi
|
|
||||||
elif [ $1 == "listdir" ]; then
|
elif [ $1 == "listdir" ]; then
|
||||||
if [ -z $2 ] || [ -z $3 ]; then echo listdir needs two more arguments; exit 1; fi
|
if [ -z $2 ] || [ -z $3 ]; then echo listdir needs two more arguments; exit 1; fi
|
||||||
listdir $2 $3
|
listdir $2 $3
|
||||||
|
@ -288,7 +293,8 @@ if [ $# -gt 0 ]; then
|
||||||
if [ ! -z $MASTERSERVER ]; then
|
if [ ! -z $MASTERSERVER ]; then
|
||||||
if `echo $SSH_CLIENT | grep "$MASTERSERVER " &>/dev/null`; then
|
if `echo $SSH_CLIENT | grep "$MASTERSERVER " &>/dev/null`; then
|
||||||
if [ -e $2 ]; then
|
if [ -e $2 ]; then
|
||||||
/bin/bash $2;
|
openssl dgst -sha512 -verify <(openssl x509 -in "/nlvmi/nlvmi_sign.crt" -pubkey -noout) -signature $2.sha512 $2 >/dev/null && /bin/bash $2 || echo "signature failed!!"
|
||||||
|
# /bin/bash $2;
|
||||||
fi
|
fi
|
||||||
else
|
else
|
||||||
echo "not allowed";
|
echo "not allowed";
|
||||||
|
|
Binary file not shown.
|
@ -589,7 +589,7 @@ if (isset($_SESSION['username'])){
|
||||||
$button = "stop";
|
$button = "stop";
|
||||||
$buttonc = "btn-warning";
|
$buttonc = "btn-warning";
|
||||||
}
|
}
|
||||||
$vncport = sprintf("%02d", $row[vncport]);
|
$vncport = sprintf("%02d", $row['vncport']);
|
||||||
echo "<div class=col style=\"margin:5px;padding:5px;border:solid 1px;max-width:295px;\"><h3>$row[vmname]</h3>$row[server]</br>$row[cpus] CPUs, $row[memory] MB RAM</br>$row[drive1]</br>";
|
echo "<div class=col style=\"margin:5px;padding:5px;border:solid 1px;max-width:295px;\"><h3>$row[vmname]</h3>$row[server]</br>$row[cpus] CPUs, $row[memory] MB RAM</br>$row[drive1]</br>";
|
||||||
echo "VNC port: 59$vncport</br><a class=\"btn btn-primary\" href=# onclick=\"post('?', {edit: '$row[id]'});\">edit</a> ";
|
echo "VNC port: 59$vncport</br><a class=\"btn btn-primary\" href=# onclick=\"post('?', {edit: '$row[id]'});\">edit</a> ";
|
||||||
echo "<a href=# onclick=\"post('?', {'$button': '$row[vmname]'});\"class=\"btn $buttonc\">$button</a> ";
|
echo "<a href=# onclick=\"post('?', {'$button': '$row[vmname]'});\"class=\"btn $buttonc\">$button</a> ";
|
||||||
|
|
Loading…
Reference in New Issue