#!/bin/ksh -p
#
# CDDL HEADER START
#
# The contents of this file are subject to the terms of the
# Common Development and Distribution License (the "License").
# You may not use this file except in compliance with the License.
#
# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
# or http://www.opensolaris.org/os/licensing.
# See the License for the specific language governing permissions
# and limitations under the License.
#
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
# If applicable, add the following below this CDDL HEADER, with the
# fields enclosed by brackets "[]" replaced with your own identifying
# information: Portions Copyright [yyyy] [name of copyright owner]
#
# CDDL HEADER END
#
#
# Copyright 2009 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
#
# Resetting GZ_IMAGE to something besides slash allows for simplified
# debugging of various global zone image configurations-- simply make
# an image somewhere with the appropriate interesting parameters.
#
GZ_IMAGE=${GZ_IMAGE:-/}
PKG_IMAGE=$GZ_IMAGE
export PKG_IMAGE
. /usr/lib/brand/ipkg/common.ksh
f_a_obs=$(gettext "-a publisher=uri option is obsolete, use -P instead.")
f_pkg5_missing=$(gettext "pkg(5) does not seem to be present on this system.\n")
f_no_pref_publisher=$(gettext "Unable to get global zone preferred publisher information, and none was supplied.\nYou must specify one using the -P option.")
f_key_file=$(gettext "Key file not allowed without -P")
f_cert_file=$(gettext "Cert file not allowed without -P")
f_img=$(gettext "failed to create image\n")
f_pkg=$(gettext "failed to install package\n")
f_interrupted=$(gettext "Installation cancelled due to interrupt.\n")
f_bad_publisher=$(gettext "Syntax error in publisher information.")
f_no_entire=$(gettext "Unable to find 'entire' incorporation in the global zone image.\n")
f_no_entire_in_pref=$(gettext "Unable to locate the incorporation '%s' in the preferred publisher '%s'.\nUse -P to supply a publisher which contains this package.\n")
f_key_prop=$(gettext "Unable to propagate key %s to %s")
f_cert_prop=$(gettext "Unable to propagate cert %s to %s")
f_get_secinfo=$(gettext "Failed to get key/cert information for publisher %s")
f_nosuch_key=$(gettext "Failed to find key %s")
f_nosuch_cert=$(gettext "Failed to find cert %s")
m_publisher=$(gettext " Publisher: Using %s (%s).")
m_cache=$(gettext " Cache: Using %s.")
m_image=$(gettext " Image: Preparing at %s.")
m_incorp=$(gettext "Sanity Check: Looking for 'entire' incorporation.\n")
m_key_prop=$(gettext " Credentials: Propagating %s\n")
m_cert_prop=$(gettext " Credentials: Propagating %s\n")
m_core=$(gettext " Installing: Core System (output follows)\n")
m_more=$(gettext " Installing: Additional Packages (output follows)\n")
m_smf=$(gettext " Postinstall: Copying SMF seed repository ...")
m_more_brokenness=$(gettext " Postinstall: Applying workarounds.")
m_mannote=$(gettext " Note: Man pages can be obtained by installing SUNWman")
m_usage=$(gettext "\n install [-h]\n install [-c certificate_file] [-k key_file] [-P publisher=uri]\n [-e extrapkg [...]]\n install {-a archive|-d path} {-p|-u} [-s|-v]")
m_done=$(gettext " done.")
trap_cleanup() {
print "$f_interrupted"
exit $int_code
}
int_code=$ZONE_SUBPROC_NOTCOMPLETE
trap trap_cleanup INT
extra_packages=""
ZONENAME=""
ZONEPATH=""
pub_and_url=""
# Setup i18n output
TEXTDOMAIN="SUNW_OST_OSCMD"
export TEXTDOMAIN
KEYDIR=/var/pkg/ssl
PKG=/usr/bin/pkg
#
# Just in case. This should probably be removed later.
#
[[ ! -x $PKG ]] && fail_incomplete "$f_pkg5_missing"
certfile="None"
keyfile="None"
unset install_archive
unset source_dir
unset msg
unset silent_mode
unset verbose_mode
while getopts "a:c:d:e:hk:P:pR:suvz:" opt; do
case $opt in
a) # We're expecting a path to an archive
if [[ ! -f $OPTARG ]]; then
# If old style 'pub=uri' parameter then error.
echo $OPTARG | egrep -s =
if (( $? == 0 )); then
fail_usage "$f_a_obs"
fi
fi
install_archive="-a $OPTARG";;
c) certfile="$OPTARG" ;;
d) source_dir="-d $OPTARG";;
e) extra_packages="$extra_packages $OPTARG" ;;
h) fail_usage "";;
k) keyfile="$OPTARG" ;;
P) pub_and_url="$OPTARG" ;;
p) preserve_zone="-p";;
R) ZONEPATH="$OPTARG" ;;
s) silent_mode=1;;
u) unconfig_zone="-u";;
v) verbose_mode="-v";;
z) ZONENAME="$OPTARG" ;;
*) fail_usage "";;
esac
done
shift $((OPTIND-1))
if [[ -z $ZONEPATH || -z $ZONENAME ]]; then
print -u2 "Brand error: No zone path or name"
exit $ZONE_SUBPROC_USAGE
fi
# XXX shared/common script currently uses lower case zonename & zonepath
zonename="$ZONENAME"
zonepath="$ZONEPATH"
is_brand_labeled
brand_labeled=$?
ZONEROOT=$ZONEPATH/root
secinfo=""
# An image install can't use both -a AND -d...
[[ -n "$install_archive" && -n "$source_dir" ]] &&
fail_usage "$f_incompat_options" "-a" "-d"
# The install can't be both verbose AND silent...
[[ -n $silent_mode && -n $verbose_mode ]] && \
fail_usage "$f_incompat_options" "-s" "-v"
# The install can't both preserve and unconfigure
[[ -n $unconfig_zone && -n $preserve_zone ]] && \
fail_usage "$f_incompat_options" "-u" "-p"
# IPS options aren't allowed when installing from a system image.
if [[ -n "$install_archive" || -n "$source_dir" ]]; then
[[ -n $pub_and_url ]] && fail_usage "$f_incompat_options" "-a|-d" "-P"
[[ -n "$extra_packages" ]] && \
fail_usage "$f_incompat_options" "-a|-d" "-e"
[[ "$certfile" != "None" ]] && \
fail_usage "$f_incompat_options" "-a|-d" "-c"
[[ "$keyfile" != "None" ]] && \
fail_usage "$f_incompat_options" "-a|-d" "-k"
fi
# p2v options aren't allowed when installing from a repo.
if [[ -z $install_archive && -z $source_dir ]]; then
[[ -n $preserve_zone || -n $unconfig_zone ]] && \
fail_usage "$f_incompat_options" "default" "-p|-u"
fi
#
# If the user didn't give us a publisher, and there's a preferred publisher set
# for the system, set that as the default.
#
propagate_secinfo=
propagate_extra=
if [[ -z $pub_and_url ]]; then
if [[ $keyfile != "None" ]]; then
fail_usage "$f_key_file"
fi
if [[ $certfile != "None" ]]; then
fail_usage "$f_cert_file"
fi
# We look for a preferred online origin.
tpub_and_url=`LC_ALL=C $PKG publisher -PH | \
awk '$2 == "origin" && $3 == "online" \
{printf "%s=%s\n", $1, $4; exit 0;}'`
[[ $? -eq 0 && -n $tpub_and_url ]] && pub_and_url="$tpub_and_url"
# Note that later we need to propagate key & cert.
propagate_secinfo=1
#
# since the user didn't specify a publisher, propagate all the
# publishers that don't have a key.
#
propagate_extra=1
fi
[[ -z $pub_and_url ]] && fail_usage "$f_no_pref_publisher"
# find the remaining publishers in the global zone
publishers_extra=""
if [[ -n $propagate_extra ]]; then
LC_ALL=C $PKG publisher -H | awk '
$2 == "origin" && $3 == "online" {printf "%s=%s\n", $1, $4}
END {exit(0)}
' | while IFS== read publisher publisherurl; do
[[ "$publisher=$publisherurl" = "$pub_and_url" ]] && continue
# skip extra publishers that need a key
[[ "`get_pub_secinfo $publisher`" != "None None" ]] && continue
if [[ -z "$publishers_extra" ]]; then
publishers_extra="$publisher=$publisherurl"
else
publishers_extra=`printf "%s\n%s" \
"$publisher=$publisherurl" "$publishers_extra"`
fi
done
fi
#
# Crack pub=url into two pieces.
#
echo $pub_and_url | IFS== read publisher publisherurl
if [[ -z $publisher || -z $publisherurl ]]; then
fail_usage "$f_bad_publisher"
fi
if [[ -n $propagate_secinfo ]]; then
#
# Get the global zone's cert and key (if any) so that we can propagate
# them into the new image.
#
get_pub_secinfo $publisher | read keyfile certfile
if [[ $? -ne 0 ]]; then
fail_usage "$f_get_secinfo" $publisher
fi
fi
#
# Do some sanity checks on key and cert.
#
[[ $keyfile != "None" && ! -f $keyfile ]] && \
fail_usage "$f_nosuch_key" $keyfile
[[ $certfile != "None" && ! -f $certfile ]] && \
fail_usage "$f_nosuch_cert" $certfile
#
# Look for the 'entire' incorporation's FMRI in the current image; due to users
# doing weird machinations with their publishers, we strip off the publisher
# from the FMRI if it is present.
#
raw_entire_fmri=$($PKG list -Hv entire | nawk '{print $1}')
entire_fmri=$(echo $raw_entire_fmri | sed 's@^pkg://[^/]*/@@')
entire_fmri=$(echo $entire_fmri | sed 's@^pkg:/@@')
if [[ -z $entire_fmri ]]; then
fail_incomplete "$f_no_entire"
fi
#
# Before installing the zone, set up ZFS dataset hierarchy for the zone root
# dataset.
#
create_active_ds
#
# If we're installing from an image, branch off to that installer.
#
if [[ -n $install_archive || -n $source_dir ]]; then
/usr/lib/brand/ipkg/image_install $ZONENAME $ZONEPATH \
$install_archive $source_dir $verbose_mode $silent_mode \
$unconfig_zone $preserve_zone
ii_result=$?
if (( $ii_result != 0 )); then
exit $ZONE_SUBPROC_NOTCOMPLETE
fi
exit $ZONE_SUBPROC_OK
fi
printf "$m_publisher\n" $publisher $publisherurl
echo "$publishers_extra" | while IFS== read publisher publisherurl; do
[ -z "$publisher" ] && break
printf "$m_publisher\n" $publisher $publisherurl
done
printf "$m_image\n" $ZONEROOT
#
# We copy the credentials from the global zone into the new image
# we're about to create.
#
if [[ $keyfile != "None" ]]; then
newkeylocation="$KEYDIR/$(basename $keyfile)"
secinfo="$secinfo -k $newkeylocation"
printf "$m_key_prop\n" $(basename $keyfile)
mkdir -p -m 755 $ZONEROOT/$KEYDIR || fail_fatal "$f_key_prop"
cp $keyfile $ZONEROOT/$newkeylocation || fail_fatal "$f_key_prop"
chmod 644 $ZONEROOT/$newkeylocation
chown -h root:root $ZONEROOT/$newkeylocation
fi
if [[ $certfile != "None" ]]; then
newcertlocation="$KEYDIR/$(basename $certfile)"
secinfo="$secinfo -c $newcertlocation"
printf "$m_cert_prop\n" $(basename $certfile)
mkdir -p -m 755 $ZONEROOT/$KEYDIR || fail_fatal "$f_cert_prop"
cp $certfile $ZONEROOT/$newcertlocation || fail_fatal "$f_cert_prop"
chmod 644 $ZONEROOT/$newkeylocation
chown -h root:root $ZONEROOT/$newkeylocation
fi
#
# Regrettably, since we already copied the key information into place,
# we must pass the -f (force) option to image-create, since it thinks that
# something must be wrong, as the image exists.
#
# XXX in the future, we can create the image --no-refresh, then
# set the publisher. But image-create --no-refresh is broken right now.
#
$PKG image-create -f --zone --full -p "$pub_and_url" $secinfo $ZONEROOT || \
fail_incomplete "$f_img"
PKG_IMAGE="$ZONEROOT"
export PKG_IMAGE
# add extra publishers
echo "$publishers_extra" | while IFS== read publisher publisherurl; do
[ -z "$publisher" ] && break
$PKG set-publisher -O $publisherurl $publisher ||
fail_incomplete "$f_img"
done
if [ -d /var/pkg/download ]; then
PKG_CACHEDIR=/var/pkg/download
export PKG_CACHEDIR
printf "$m_cache\n" $PKG_CACHEDIR
fi
#
# Check to see if the user's choice of preferred publisher contains the
# version of the 'entire' incorporation needed. This helps us to prevent
# mishaps in the event the user selected some weirdo publisher as their
# preferred one, or passed a preferred pub on the command line which doesn't
# have a suitable 'entire' in it.
#
# n.b. it would be nice to do this before we provision the zfs dataset, etc.
# but since the publisher specified by the user might not be known to
# the system, we can't do this test without first configuring the image.
#
printf "$m_incorp\n"
echo $pub_and_url | IFS== read publisher publisherurl
$PKG list -a pkg://$publisher/$entire_fmri > /dev/null 2>&1
if [[ $? -ne 0 ]]; then
fail_fatal "$f_no_entire_in_pref" $entire_fmri $publisher
fi
printf "$m_core\n"
#
# We have to take baby steps here: first, by installing entire, to
# constrain everything. Then, SUNWcsd, to lay down device files which
# are subsequently needed by driver actions. Then SUNWcs to lay down
# /etc/passwd, /etc/group, etc so that subsequent user and group actions
# work. This can all hopefully go away once "primordial" actions
# arrive.
#
$PKG install -q --no-refresh --no-index $entire_fmri || fail_fatal "$f_pkg"
$PKG install -q --no-refresh --no-index SUNWcsd || fail_fatal "$f_pkg"
$PKG install --no-refresh --no-index SUNWcs || fail_fatal "$f_pkg"
printf "$m_more\n"
pkglist=""
pkglist="$pkglist SUNWcnetr SUNWesu SUNWadmr SUNWadmap SUNWbzip SUNWgzip"
#
# Workaround: For now, SUNWipkg has no dependency on python, so we supply it.
#
pkglist="$pkglist SUNWPython SUNWipkg"
#
# Get some diagnostic tools, truss, dtrace, etc.
#
pkglist="$pkglist SUNWtoo SUNWdtrc SUNWrcmdc SUNWbip"
#
# Get at least one sensible shell, and vi
#
pkglist="$pkglist SUNWbash SUNWvim"
#
# Get ssh and sshd.
#
pkglist="$pkglist SUNWsshcu SUNWssh SUNWsshd"
#
# Get some name services.
#
pkglist="$pkglist SUNWnis SUNWlldap"
#
# Get nfs client and autofs; it's a pain not to have them.
#
pkglist="$pkglist SUNWnfsc SUNWatfs"
#
# Get routing daemons. They're required for useful exclusive stack zones.
#
pkglist="$pkglist SUNWroute"
#
# Get packages for TX zones if appropriate.
#
(( $brand_labeled == 1 )) && pkglist="$pkglist system/trusted/trusted-nonglobal"
#
# Get man(1) but not the man pages
#
pkglist="$pkglist SUNWdoc"
#
# Add in any extra packages requested by the user.
#
pkglist="$pkglist $extra_packages"
#
# Do the install; we just refreshed on image-create, so skip that. We
# also skip indexing here, as that is also what the LiveCD does.
#
$PKG install --no-index --no-refresh $pkglist || fail_fatal "$f_pkg"
printf "\n$m_mannote\n"
printf "$m_smf"
ln -s ns_files.xml $ZONEROOT/var/svc/profile/name_service.xml
ln -s generic_limited_net.xml $ZONEROOT/var/svc/profile/generic.xml
ln -s inetd_generic.xml $ZONEROOT/var/svc/profile/inetd_services.xml
ln -s platform_none.xml $ZONEROOT/var/svc/profile/platform.xml
# This was formerly done in i.manifest
repfile=$ZONEROOT/etc/svc/repository.db
cp $ZONEROOT/lib/svc/seed/nonglobal.db $repfile
chmod 0600 $repfile
chown root:sys $repfile
printf "$m_done\n"
# Clean up root as a role and jack if needed
if grep "^root::::type=role;" $ZONEROOT/etc/user_attr >/dev/null 2>&1; then
printf "$m_brokenness\n"
#
# Remove "jack" user.
#
print "/^jack:/d\nw" | ed -s $ZONEROOT/etc/passwd
chmod u+w $ZONEROOT/etc/shadow
print "/^jack:/d\nw" | ed -s $ZONEROOT/etc/shadow
chmod u-w $ZONEROOT/etc/shadow
#
# Set root from a role back to... not a role. Grr.
#
print "s/^root::::type=role;/root::::/\nw" |
ed -s $ZONEROOT/etc/user_attr
fi
#
# Make sure sysidtools run; we manually poke in the SSH action
# so that we get an SSH key. Yes, this is seriously borken.
# See http://defect.opensolaris.org/bz/show_bug.cgi?id=741
#
printf "$m_more_brokenness\n"
/usr/sbin/sysidconfig -b $ZONEROOT -a /lib/svc/method/sshd
touch $ZONEROOT/etc/.UNCONFIGURED
printf "$m_complete\n\n" ${SECONDS}
if (( $brand_labeled == 0 )); then
printf "$m_postnote\n"
printf "$m_postnote2\n"
else
# Umount the dataset on the root.
umount $ZONEROOT || printf "$f_zfs_unmount" "$ZONEPATH/root"
fi
exit $ZONE_SUBPROC_OK