From fbf8808f0a2ec1d1964af2c2243224d5ebffeb29 Mon Sep 17 00:00:00 2001
From: erkin
Date: Thu, 16 Dec 2021 18:47:01 +0300
Subject: remote: T3356: Backport remote module use to Equuleus
---
scripts/install/install-image | 110 ++++++++++++------------------------------
1 file changed, 31 insertions(+), 79 deletions(-)
(limited to 'scripts/install/install-image')
diff --git a/scripts/install/install-image b/scripts/install/install-image
index f59f3475..b4b9cfba 100755
--- a/scripts/install/install-image
+++ b/scripts/install/install-image
@@ -98,102 +98,55 @@ PART_FILE='' # Temp directory for downloaded ISO TEMP_DIR="/var/tmp/install-image.$$" +download_file () +{ + (REMOTE_USERNAME=$USERNAME \ + REMOTE_PASSWORD=$PASSWORD \ + ip vrf exec $VRF python3 -c "import vyos.remote; vyos.remote.friendly_download('$1', '$2')") +} + # Try to fetch the ISO file using a URL provided by the user. # If successful, we leave $NEW_ISO pointing to the ISO file that # was downloaded. fetch_iso_by_url () { mkdir $TEMP_DIR - echo "Trying to fetch ISO file from $NEW_ISO" - - if [ -n "$USERNAME" ]; then - AUTH="-u $USERNAME:$PASSWORD" - else - AUTH="" - fi - - # This is for statistics collection - vyos_version=`cat /opt/vyatta/etc/version | awk '{print $2}'` - filename="${TEMP_DIR}/${NEW_ISO##*/}" - ip vrf exec $VRF curl -L -H "User-Agent: VyOS/$vyos_version" $AUTH -f -o $filename $NEW_ISO - curlerror=$? - if [ $curlerror -eq 51 ]; then - host=${NEW_ISO##scp://} - host=${host%%/*} - rsa_key=$(ssh-keyscan -t rsa $host 2>/dev/null) - if [[ $VYATTA_PROCESS_CLIENT == "gui2_rest" ]]; then - response="yes" - else - echo "The authenticity of host '$host' can't be established." - echo "RSA key fingerprint is $(ssh-keygen -lf /dev/stdin <<<$rsa_key \ - | awk {' print $2 '} ) ." - echo "Are you sure you want to continue connecting (yes/no) [yes]?" - response=$(get_response "Yes" "Yes No Y N") - fi - if [[ "$response" == "yes" || "$response" == "y" ]]; then - mkdir -p ~/.ssh/ - echo $rsa_key >> ~/.ssh/known_hosts - ip vrf exec $VRF curl $AUTH -f -o $filename $NEW_ISO - curlerror=$? - fi - fi - if [ $curlerror -ne 0 ]; then - echo "Unable to fetch ISO from $NEW_ISO" - rm -f $filename - exit 1 - fi - if [ ! -e $filename ]; then - echo "Download of $NEW_ISO failed" - exit 1 + + echo "Trying to fetch ISO file from $NEW_ISO..." + download_file "$filename" "$NEW_ISO" + if [ $? -ne 0 ]; then + fail_exit 'Failed to download the ISO file.' fi - echo "ISO download succeeded." + echo "Done." echo "Checking for digital signature file..." 
- # XXX: T2108: We will first download and try to verify the image using the - # generated minisign signature. If this fails, we try to retrieve the GPG - # signature file. - ip vrf exec $VRF curl -L -H "User-Agent: VyOS/$vyos_version" $AUTH -f -o $(unknown).minisig ${NEW_ISO}.minisig + download_file "$(unknown).minisig" "${NEW_ISO}.minisig" if [ $? -ne 0 ]; then - ip vrf exec $VRF curl -L -H "User-Agent: VyOS/$vyos_version" $AUTH -f -o $(unknown).asc ${NEW_ISO}.asc + download_file "$(unknown).asc" "${NEW_ISO}.asc" fi if [ $? -ne 0 ]; then - echo "Unable to fetch digital signature file." echo -n "Do you want to continue without signature check? (yes/no) [yes] " - response=$(get_response "Yes" "Yes No Y N") - if [ "$response" == "no" ] || [ "$response" == "n" ]; then - rm -f $filename - fail_exit 'OK. Installation will not be performed.' - fi # In case signature file was partially downloaded... rm -f $(unknown).asc $(unknown).minisig - fi - if [ -e $(unknown).minisig ]; then - echo "Found it. Checking digital signature..." - minisign -V -q -p /usr/share/vyos/keys/vyos-release.minisign.pub -m $(unknown) -x $(unknown).minisig - if [ $? -ne 0 ]; then - echo "Signature check FAILED, trying BACKUP key..." - minisign -V -q -p /usr/share/vyos/keys/vyos-backup.minisign.pub -m $(unknown) -x $(unknown).minisig + response=$(get_response "Yes" "Yes No Y N") + if [ "$response" == "no" ] || [ "$response" == "n" ]; then + fail_exit 'OK. Installation will not be performed.' fi - if [ $? -ne 0 ]; then - echo "Signature check FAILED." - echo -n "Do you want to continue anyway? (yes/no) [no] " - response=$(get_response "No" "Yes No Y N") - if [ "$response" == "no" ] || [ "$response" == "n" ]; then - fail_exit 'OK. Installation will not be performed.' + else + echo "Checking digital signature..." + if [ -f $(unknown).minisig ]; then + minisign -V -q -p /usr/share/vyos/keys/vyos-release.minisign.pub -m $(unknown) -x $(unknown).minisig + if [ $? 
-ne 0 ]; then + echo "Signature check FAILED, trying BACKUP key..." + minisign -V -q -p /usr/share/vyos/keys/vyos-backup.minisign.pub -m $(unknown) -x $(unknown).minisig fi - - echo "OK. Proceeding with installation anyway." - else - echo "Digital signature is valid." fi - fi - - if [ -e $(unknown).asc ]; then - echo "Found it. Checking digital signature..." - gpg --verify $(unknown).asc $(unknown) >/dev/null 2>&1 + if [ -f $(unknown).asc ]; then + gpg --verify $(unknown).asc $(unknown) >/dev/null 2>&1 + fi if [ $? -ne 0 ]; then echo "Signature check FAILED." echo -n "Do you want to continue anyway? (yes/no) [no] " @@ -201,7 +154,6 @@ fetch_iso_by_url () if [ "$response" == "no" ] || [ "$response" == "n" ]; then fail_exit 'OK. Installation will not be performed.' fi - echo "OK. Proceeding with installation anyway." else echo "Digital signature is valid." @@ -219,7 +171,7 @@ set_up_new_iso () if [ "$url_scheme" != "$NEW_ISO" ]; then if [ "$url_scheme" = "http" -o "$url_scheme" = "https" -o \ "$url_scheme" = "ftp" -o "$url_scheme" = "tftp" -o \ - "$url_scheme" = "scp" ]; then + "$url_scheme" = "scp" -o "$url_scheme" = "sftp" ]; then fetch_iso_by_url fi fi @@ -314,10 +266,10 @@ install_existing () } if [ -z "$USERNAME" ] && [ -n "$PASSWORD" ]; then - fail_exit "Password can not be specified without username" + fail_exit "Password cannot be specified without username." fi if [ -n "$USERNAME" ] && [ -z "$PASSWORD" ]; then - fail_exit "Username can not be specified without password" + fail_exit "Username cannot be specified without password." fi if [ $(id -u) != 0 ]; then fail_exit "Image installation requires root privileges!" -- cgit v1.2.3
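Review bot: The `if [ $? -ne 0 ]; then` that follows the new `if [ -f $(unknown).asc ]; then gpg --verify … fi` block never sees the minisign result: when no `.asc` file exists the `[ -f … ]` test is false, an `if` whose condition fails and has no `else` exits 0, and the script prints "Digital signature is valid." even when both minisign verifications just failed. Capturing each verifier's status in a variable initialised to failure, and testing that variable, keeps a missing or failed verification from being reported as success. In the same hunk, `download_file` splices its arguments into Python source — `friendly_download('$1', '$2')` inside `python3 -c` — so a URL or path containing a single quote breaks out of the string literal and is interpreted as Python by the root-run script; passing them as arguments instead, `python3 -c "import sys, vyos.remote; vyos.remote.friendly_download(sys.argv[1], sys.argv[2])" "$1" "$2"`, removes the interpolation. fetch_iso_by_url continues past the end of this hunk (into the `@@ -201,7 +154,6 @@` hunk).
```shell
        echo "Checking digital signature..."
        sig_status=1    # stays non-zero unless a verifier actually ran and passed
        if [ -f $(unknown).minisig ]; then
            # … unchanged: minisign check with release key, retry with backup key …
            sig_status=$?
        fi
        if [ -f $(unknown).asc ]; then
            gpg --verify $(unknown).asc $(unknown) >/dev/null 2>&1
            sig_status=$?
        fi
        if [ $sig_status -ne 0 ]; then
            # … unchanged: "Signature check FAILED." prompt …
```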