Добавлен скрипт для подключения ресурсов, скрипт инициализации сервера,

скрипт добавления данных для подключения

Makefile

@@ -0,0 +1,13 @@
+# Makefile
+INSTALL = install
+
+EXES = all
+
+all:
+
+install: all
+	@${INSTALL} -D -m 0755 init.d/access ${DESTDIR}/etc/init.d/access
+	@${INSTALL} -D -m 0755 scripts/cl-access-setup ${DESTDIR}/usr/sbin/cl-access-setup
+	@${INSTALL} -D -m 0755 scripts/cl-access-add ${DESTDIR}/usr/sbin/cl-access-add
+	@${INSTALL} -D -d access ${DESTDIR}/usr/share/calculate
+

access/bin/access-shell

@@ -0,0 +1,13 @@
+#!/bin/bash
+
+access() {
+	host=$1
+	tar  -cPjf - -C storage/$host --transform='s,\.\./,,' ../start $(cd storage/$host;ls -d [0-9]*)
+}
+
+case "$SSH_ORIGINAL_COMMAND" in
+	access)
+		access $1
+		;;
+esac
+

access/storage/start

@@ -0,0 +1,45 @@
+#!/bin/bash
+
+
+for mountdata in /dev/shm/access/{0..9} /dev/shm/access{10..99}
+do
+	if ! [[ -d $mountdata ]]
+	then
+		break
+	fi
+	if [[ -f $mountdata/partuuid ]]
+	then
+		dev=$(blkid -t PARTUUID="$(cat $mountdata/partuuid)" -o device)
+	else
+		dev=$(cat $mountdata/dev)
+	fi
+	mountpoint=$(cat $mountdata/mountpoint)
+	if [[ -z $dev ]] || [[ -z $mountpoint ]]
+	then
+		echo "Failed device detect" 1>&2
+		exit 1
+	else
+		cryptdev="$(basename $dev)_crypt" 
+	fi
+	if [[ -f $mountdata/header ]]
+	then
+		headerpart="--header $mountdata/header"
+	fi
+	/sbin/cryptsetup $headerpart -d $mountdata/key luksOpen $dev $cryptdev
+	res=$?
+	if [[ $res -ne 0 ]]
+	then
+		exit $res
+	fi
+	echo "/sbin/cryptsetup luksClose $cryptdev"
+
+	mount /dev/mapper/${cryptdev} $mountpoint
+	res=$?
+	if [[ $res -ne 0 ]]
+	then
+		exit $res
+	fi
+	echo "/bin/umount $mountpoint"
+done | tac >/dev/shm/access/stop
+chmod 700 /dev/shm/access/stop
+exit ${PIPESTATUS[0]}

init.d/access

@@ -0,0 +1,56 @@
+# Calculate chmod=0755 ini(system.access)==on
+#!/sbin/openrc-run
+
+extra_commands="check add_hostkey"
+
+depend()
+{
+        before checkfs fsck libvirtd
+        after modules device-mapper
+}
+
+ask_keystore() {
+	what=$1
+	strict=${2:-yes}
+	/usr/bin/ssh -o KbdInteractiveAuthentication=no \
+		-o ControlPath=none \
+		-o ControlMaster=no \
+		-o StrictHostKeyChecking=${strict} \
+		-o PasswordAuthentication=no \
+		-o BatchMode=yes \
+		-o PreferredAuthentications=publickey \
+		access@access.dmz $what
+}
+
+add_hostkey() {
+	ask_keystore "" no
+}
+
+check() {
+	ask_keystore access | tar tjf -
+}
+
+start() {
+	ebegin "Starting access" 
+	if [[ -d /dev/shm/access ]]
+	then
+		rm -rf /dev/shm/access
+	fi
+	mkdir /dev/shm/access
+	ask_keystore access | tar xjf - -C /dev/shm/access 2>/dev/null
+	chmod 0700 /dev/shm/access
+	/bin/bash /dev/shm/access/start
+	res=$?
+	rm -rf /dev/shm/access/start /dev/shm/access/[0-9]*
+	eend $res "Failed to start access" 
+}
+
+stop() {
+	ebegin "Stopping access" 
+	if [[ -f /dev/shm/access/stop ]]
+	then
+		/bin/bash /dev/shm/access/stop
+	fi
+	rm -rf /dev/shm/access
+	eend 0 "Failed to stop access" 
+}

scripts/cl-access-add

@@ -0,0 +1,124 @@
+#!/bin/bash
+
+infile=$1
+id=$2
+
+error() {
+	echo $* 1>&2
+	return 1
+}
+
+die() {
+	error $*
+	exit 1
+}
+
+unpack_data() {
+	datafile=$1
+	tar xf $infile -C $STORAGE || die "Failed to unpack data"
+}
+
+check_publickey() {
+	local publickey=$STORAGE/id_rsa.pub
+	if ! [[ -f $publickey ]]
+	then
+		error "Failed to found public key $publickey"
+		return 1
+	fi
+	return 0
+}
+
+check_header() {
+	local datadir=$1
+	local header=$datadir/header
+	if ! [[ -f $header ]]
+	then
+		error "Crypt header for $(basename $datadir) not found"
+		return 1
+	fi
+	if ! cryptsetup isLuks $header
+	then
+		error "Crypt header for $(basename $datadir) is wrong"
+		return 1
+	fi
+}
+
+check_key() {
+	local datadir=$1
+	local key=$datadir/key
+	if ! [[ -f $key ]]
+	then
+		error "Crypt key for $(basename $datadir) not found"
+		return 1
+	fi
+}
+
+check_mountpoint() {
+	local datadir=$1
+	local mp=$datadir/mountpoint
+	if ! [[ -f $mp ]]
+	then
+		error "Mount point for $(basename $datadir) not found"
+		return 1
+	fi
+}
+
+check_partuuid() {
+	local datadir=$1
+	local uuid=$datadir/partuuid
+	if ! [[ -f $uuid ]]
+	then
+		error "UUID for $(basename $datadir) not found"
+		return 1
+	fi
+}
+
+check_mountdata() {
+	for dn in $STORAGE/*
+	do
+		if [[ -d $dn ]]
+		then
+			check_header $dn || return 1
+			check_key $dn || return 1
+			check_mountpoint $dn || return 1
+			check_partuuid $dn || return 1
+		fi
+	done
+}
+
+check_data() {
+	check_publickey || return 1
+	check_mountdata || return 1
+}
+
+prepare_authorized() {
+	local publickey=$STORAGE/id_rsa.pub
+	cat >>$ACCESSDIR/.ssh/authorized_keys <<EOF
+command="~/bin/access-shell $id",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa $(cat $publickey)
+EOF
+}
+
+if [[ -z $infile ]] || [[ -z $id ]]
+then
+	echo "Usage: $0 DATAFILE ID" 1>&2
+	exit 2
+fi
+
+ACCESSDIR=/var/lib/calculate/calculate-access/
+STORAGE=$ACCESSDIR/storage/$id
+
+if [[ -e $STORAGE ]]
+then
+	die "ID $id already exists!" 
+else
+	unpack_data
+	if ! check_data
+	then
+		rm -rf $STORAGE
+		die "Failed to append data"
+	else
+		prepare_authorized $id
+	fi
+fi
+
+echo "Access data appended"

scripts/cl-access-setup

@@ -0,0 +1,61 @@
+#!/bin/bash
+
+ACCESSDIR=/var/lib/calculate/calculate-access/
+SKELDIR=/usr/share/calculate/access
+USERNAME=access
+
+die() {
+	echo $* 1>&2
+	exit 1
+}
+
+create_user() {
+	useradd -d $ACCESSDIR -m $USERNAME -k $SKELDIR
+}
+
+is_user_exists() {
+	id $USERNAME &>/dev/null || return 1
+}
+
+is_homedir_exists() {
+	[[ -d $ACCESSDIR ]] | return 1
+}
+
+prepare_homedir() {
+	mkdir -p $ACCESSDIR
+	rsync -a $SKELDIR/ $ACCESSDIR/
+	chmod 700 $ACCESSDIR
+	chown access. -R $ACCESSDIR
+}
+
+if is_user_exists
+then
+	if is_homedir_exists
+	then
+		echo "Access configured already"
+		exit 0
+	else
+		if prepare_homedir
+		then
+			echo "Access configured successful!"
+			exit 0
+		else
+			die "Failed to prepare $ACCESSDIR"
+		fi
+	fi
+else
+	if is_homedir_exists
+	then
+		echo "Failed to configure access. Directory $ACCESSDIR is not empty"
+		exit 1
+	else
+		if create_user
+		then
+			echo "Access configured successful!"
+			exit 0
+		else
+			die "Failed to prepare $ACCESSDIR"
+		fi
+	fi
+fi
+