Provisioned for NFS support for NetBoot Images

Added proxy support to SUS Commented out unused functions Moved firewall configuration to relevant component installs Fixed a bug with repo_sync status
jamf · Jun 19, 2017 · 3f96b56 · 3f96b56
1 parent 054bd34
commit 3f96b56
Show file tree

Hide file tree

Showing 13 changed files with 624 additions and 262 deletions.
diff --git a/LDAPProxy/LDAPProxyInstall.sh b/LDAPProxy/LDAPProxyInstall.sh
@@ -38,6 +38,25 @@ if [[ $(which yum 2>&-) != "" ]]; then
 	yum_install expect
 fi
 
+# Prepare the firewall in case it is enabled later
+if [[ $(which ufw 2>&-) != "" ]]; then
+	# LDAP
+	ufw allow 389/tcp >> $logFile
+elif [[ $(which firewall-cmd 2>&-) != "" ]]; then
+	# LDAP
+	firewall-cmd --zone=public --add-port=389/tcp >> $logFile 2>&1
+	firewall-cmd --zone=public --add-port=389/tcp --permanent >> $logFile 2>&1
+else
+	# LDAP
+	if iptables -L | grep DROP | grep -q 'tcp dpt:ldap' ; then
+		iptables -D INPUT -p tcp --dport 389 -j DROP
+	fi
+	if ! iptables -L | grep ACCEPT | grep -q 'tcp dpt:ldap' ; then
+		iptables -I INPUT -p tcp --dport 389 -j ACCEPT
+	fi
+	service iptables save >> $logFile 2>&1
+fi
+
 # Create appliance configuration directory
 if [ ! -d "/var/appliance/conf" ]; then
 	mkdir /var/appliance/conf

diff --git a/NetBoot/netbootInstall.sh b/NetBoot/netbootInstall.sh
@@ -30,7 +30,7 @@ if [[ $(which apt-get 2>&-) != "" ]]; then
 	apt_install tftpd-hpa
 	# apt_install openbsd-inetd
 	apt_install netatalk
-	# apt_install nfs-kernel-server
+	#apt_install nfs-kernel-server
 	apt_install python-configparser
 fi
 if [[ $(which yum 2>&-) != "" ]]; then
@@ -56,14 +56,165 @@ if [[ $(which yum 2>&-) != "" ]]; then
 		fi
 		sed -i 's/.*- -tcp -noddp -uamlist uams_dhx.so.*/- -tcp -noddp -uamlist uams_dhx.so,uams_dhx2_passwd.so/' /etc/netatalk/afpd.conf
 	fi
-	# yum_install nfs-utils
+	#yum_install nfs-utils
 	yum_install vim-common
 	chkconfig messagebus on >> $logFile 2>&1
 	chkconfig avahi-daemon on >> $logFile 2>&1
     service messagebus start >> $logFile 2>&1
     service avahi-daemon start >> $logFile 2>&1
 fi
 
+# Prepare the firewall in case it is enabled later
+if [[ $(which ufw 2>&-) != "" ]]; then
+	# HTTP
+	ufw allow 80/tcp >> $logFile
+	# SMB
+	ufw allow 139/tcp >> $logFile
+	ufw allow 445/tcp >> $logFile
+	# AFP
+	ufw allow 548/tcp >> $logFile
+	# DHCP
+	ufw allow 67/udp >> $logFile
+	# TFTP
+	ufw allow 69/udp >> $logFile
+	# NFS
+	#ufw allow 111/tcp >> $logFile
+	#ufw allow 111/udp >> $logFile
+	#ufw allow 892/tcp >> $logFile
+	#ufw allow 892/udp >> $logFile
+	#ufw allow 2049/tcp >> $logFile
+	#ufw allow 2049/udp >> $logFile
+	#ufw allow 32769/udp >> $logFile
+	#ufw allow 32803/tcp >> $logFile
+elif [[ $(which firewall-cmd 2>&-) != "" ]]; then
+	# HTTP
+	firewall-cmd --zone=public --add-port=80/tcp >> $logFile 2>&1
+	firewall-cmd --zone=public --add-port=80/tcp --permanent >> $logFile 2>&1
+	# SMB
+	firewall-cmd --zone=public --add-port=139/tcp >> $logFile 2>&1
+	firewall-cmd --zone=public --add-port=139/tcp --permanent >> $logFile 2>&1
+	firewall-cmd --zone=public --add-port=445/tcp >> $logFile 2>&1
+	firewall-cmd --zone=public --add-port=445/tcp --permanent >> $logFile 2>&1
+	# AFP
+	firewall-cmd --zone=public --add-port=548/tcp >> $logFile 2>&1
+	firewall-cmd --zone=public --add-port=548/tcp --permanent >> $logFile 2>&1
+	# DHCP
+	firewall-cmd --zone=public --add-port=67/udp >> $logFile 2>&1
+	firewall-cmd --zone=public --add-port=67/udp --permanent >> $logFile 2>&1
+	# TFTP
+	firewall-cmd --zone=public --add-port=69/udp >> $logFile 2>&1
+	firewall-cmd --zone=public --add-port=69/udp --permanent >> $logFile 2>&1
+	# NFS
+	#firewall-cmd --zone=public --add-port=111/tcp >> $logFile 2>&1
+	#firewall-cmd --zone=public --add-port=111/tcp --permanent >> $logFile 2>&1
+	#firewall-cmd --zone=public --add-port=111/udp >> $logFile 2>&1
+	#firewall-cmd --zone=public --add-port=111/udp --permanent >> $logFile 2>&1
+	#firewall-cmd --zone=public --add-port=892/tcp >> $logFile 2>&1
+	#firewall-cmd --zone=public --add-port=892/tcp --permanent >> $logFile 2>&1
+	#firewall-cmd --zone=public --add-port=892/udp >> $logFile 2>&1
+	#firewall-cmd --zone=public --add-port=892/udp --permanent >> $logFile 2>&1
+	#firewall-cmd --zone=public --add-port=2049/tcp >> $logFile 2>&1
+	#firewall-cmd --zone=public --add-port=2049/tcp --permanent >> $logFile 2>&1
+	#firewall-cmd --zone=public --add-port=2049/udp >> $logFile 2>&1
+	#firewall-cmd --zone=public --add-port=2049/udp --permanent >> $logFile 2>&1
+	#firewall-cmd --zone=public --add-port=32769/udp >> $logFile 2>&1
+	#firewall-cmd --zone=public --add-port=32769/udp --permanent >> $logFile 2>&1
+	#firewall-cmd --zone=public --add-port=32803/tcp >> $logFile 2>&1
+	#firewall-cmd --zone=public --add-port=32803/tcp --permanent >> $logFile 2>&1
+else
+	# HTTP
+	if iptables -L | grep DROP | grep -v 'tcp dpt:https' | grep -q 'tcp dpt:http' ; then
+		iptables -D INPUT -p tcp --dport 80 -j DROP
+	fi
+	if ! iptables -L | grep ACCEPT | grep -v 'tcp dpt:https' | grep -q 'tcp dpt:http' ; then
+		iptables -I INPUT -p tcp --dport 80 -j ACCEPT
+	fi
+	# SMB
+	if iptables -L | grep DROP | grep -q 'tcp dpt:netbios-ssn' ; then
+		iptables -D INPUT -p tcp --dport 139 -j DROP
+	fi
+	if ! iptables -L | grep ACCEPT | grep -q 'tcp dpt:netbios-ssn' ; then
+		iptables -I INPUT -p tcp --dport 139 -j ACCEPT
+	fi
+	if iptables -L | grep DROP | grep -q 'tcp dpt:microsoft-ds' ; then
+		iptables -D INPUT -p tcp --dport 445 -j DROP
+	fi
+	if ! iptables -L | grep ACCEPT | grep -q 'tcp dpt:microsoft-ds' ; then
+		iptables -I INPUT -p tcp --dport 445 -j ACCEPT
+	fi
+	# AFP
+	if iptables -L | grep DROP | grep -q 'tcp dpt:afpovertcp' ; then
+		iptables -D INPUT -p tcp --dport 548 -j DROP
+	fi
+	if ! iptables -L | grep ACCEPT | grep -q 'tcp dpt:afpovertcp' ; then
+		iptables -I INPUT -p tcp --dport 548 -j ACCEPT
+	fi
+	# DHCP
+	if iptables -L | grep DROP | grep -q 'udp dpt:bootps' ; then
+		iptables -D INPUT -p udp --dport 67 -j DROP
+	fi
+	if ! iptables -L | grep ACCEPT | grep -q 'udp dpt:bootps' ; then
+		iptables -I INPUT -p udp --dport 67 -j ACCEPT
+	fi
+	# TFTP
+	if iptables -L | grep DROP | grep -q 'udp dpt:tftp' ; then
+		iptables -D INPUT -p udp --dport 69 -j DROP
+	fi
+	if ! iptables -L | grep ACCEPT | grep -q 'udp dpt:tftp' ; then
+		iptables -I INPUT -p udp --dport 69 -j ACCEPT
+	fi
+	# NFS
+	#if iptables -L | grep DROP | grep -q 'tcp dpt:sunrpc' ; then
+	#	iptables -D INPUT -p tcp --dport 111 -j DROP
+	#fi
+	#if ! iptables -L | grep ACCEPT | grep -q 'tcp dpt:sunrpc' ; then
+	#	iptables -I INPUT -p tcp --dport 111 -j ACCEPT
+	#fi
+	#if iptables -L | grep DROP | grep -q 'udp dpt:sunrpc' ; then
+	#	iptables -D INPUT -p udp --dport 111 -j DROP
+	#fi
+	#if ! iptables -L | grep ACCEPT | grep -q 'udp dpt:sunrpc' ; then
+	#	iptables -I INPUT -p udp --dport 111 -j ACCEPT
+	#fi
+	#if iptables -L | grep DROP | grep -q 'tcp dpt:892' ; then
+	#	iptables -D INPUT -p tcp --dport 892 -j DROP
+	#fi
+	#if ! iptables -L | grep ACCEPT | grep -q 'tcp dpt:892' ; then
+	#	iptables -I INPUT -p tcp --dport 892 -j ACCEPT
+	#fi
+	#if iptables -L | grep DROP | grep -q 'udp dpt:892' ; then
+	#	iptables -D INPUT -p udp --dport 892 -j DROP
+	#fi
+	#if ! iptables -L | grep ACCEPT | grep -q 'udp dpt:892' ; then
+	#	iptables -I INPUT -p udp --dport 892 -j ACCEPT
+	#fi
+	#if iptables -L | grep DROP | grep -q 'tcp dpt:nfs' ; then
+	#	iptables -D INPUT -p tcp --dport 2049 -j DROP
+	#fi
+	#if ! iptables -L | grep ACCEPT | grep -q 'tcp dpt:nfs' ; then
+	#	iptables -I INPUT -p tcp --dport 2049 -j ACCEPT
+	#fi
+	#if iptables -L | grep DROP | grep -q 'udp dpt:nfs' ; then
+	#	iptables -D INPUT -p udp --dport 2049 -j DROP
+	#fi
+	#if ! iptables -L | grep ACCEPT | grep -q 'udp dpt:nfs' ; then
+	#	iptables -I INPUT -p udp --dport 2049 -j ACCEPT
+	#fi
+	#if iptables -L | grep DROP | grep -q 'udp dpt:filenet-rpc' ; then
+	#	iptables -D INPUT -p udp --dport 32769 -j DROP
+	#fi
+	#if ! iptables -L | grep ACCEPT | grep -q 'udp dpt:filenet-rpc' ; then
+	#	iptables -I INPUT -p udp --dport 32769 -j ACCEPT
+	#fi
+	#if iptables -L | grep DROP | grep -q 'tcp dpt:32803' ; then
+	#	iptables -D INPUT -p tcp --dport 32803 -j DROP
+	#fi
+	#if ! iptables -L | grep ACCEPT | grep -q 'tcp dpt:32803' ; then
+	#	iptables -I INPUT -p tcp --dport 32803 -j ACCEPT
+	#fi
+	service iptables save >> $logFile 2>&1
+fi
+
 # Configure tftp
 if [ -f "/etc/default/tftpd-hpa" ]; then
 	sed -i 's:/var/lib/tftpboot:/srv/NetBoot/NetBootSP0:' /etc/default/tftpd-hpa
@@ -189,9 +340,34 @@ if [ ! -d "/home/afpuser" ]; then
 fi
 
 # Configure nfs
-# sed -i "/NetBootSP0/d" /etc/exports
-# echo "/srv/NetBoot/NetBootSP0 *(ro,no_subtree_check,no_root_squash,insecure)" >> "/etc/exports"
-# exportfs -a
+#if [ -f "/etc/default/nfs-kernel-server" ]; then
+#	sed -i 's/.*RPCMOUNTDOPTS.*/RPCMOUNTDOPTS="--port 892"/' /etc/default/nfs-kernel-server
+#	touch /etc/modprobe.d/lockd.conf
+#	sed -i '/^lockd/d' /etc/modules
+#	echo "lockd" >> /etc/modules
+#fi
+#if [ -f "/etc/sysconfig/nfs" ]; then
+#	if grep -q LOCKD_TCPPORT /etc/sysconfig/nfs; then
+#		sed -i 's/.*LOCKD_TCPPORT.*/LOCKD_TCPPORT=32803/' /etc/sysconfig/nfs
+#		sed -i 's/.*LOCKD_UDPPORT.*/LOCKD_UDPPORT=32769/' /etc/sysconfig/nfs
+#		sed -i 's/.*MOUNTD_PORT.*/MOUNTD_PORT=892/' /etc/sysconfig/nfs
+#	else
+#		sed -i 's/.*RPCMOUNTDOPTS.*/RPCMOUNTDOPTS="-p 892"/' /etc/sysconfig/nfs
+#	fi
+#fi
+#if [ -f "/etc/modprobe.d/lockd.conf" ]; then
+#	if ! grep -q nlm_tcpport /etc/modprobe.d/lockd.conf; then
+#		echo "options lockd nlm_tcpport=32803" >> /etc/modprobe.d/lockd.conf
+#	fi
+#	sed -i 's/.*nlm_tcpport.*/options lockd nlm_tcpport=32803/' /etc/modprobe.d/lockd.conf
+#	if ! grep -q nlm_udpport /etc/modprobe.d/lockd.conf; then
+#		echo "options lockd nlm_udpport=32769" >> /etc/modprobe.d/lockd.conf
+#	fi 
+#	sed -i 's/.*nlm_udpport.*/options lockd nlm_udpport=32769/' /etc/modprobe.d/lockd.conf
+#fi
+#sed -i "/NetBootSP0/d" /etc/exports
+#echo "/srv/NetBoot/NetBootSP0 *(ro,no_subtree_check,no_root_squash,insecure)" >> "/etc/exports"
+#exportfs -a
 
 # Configure samba
 # Change SMB setting for guest access

diff --git a/NetBoot/var/appliance/configurefornetboot b/NetBoot/var/appliance/configurefornetboot
@@ -22,9 +22,9 @@
 
 ip=`ip addr show to 0.0.0.0/0 scope global | awk '/[[:space:]]inet / { print gensub("/.*","","g",$2) }'`
 ipdec=`awk -v dec=${ip} 'BEGIN{n=split(dec,d,".");for(i=1;i<=n;i++) printf ":%02X",d[i];print ""}'`
-imageid=`cat /etc/dhcpd.conf | grep "option vendor-encapsulated-options 01:01:01:04:02:FF:FF:07:04" | sed 's/option vendor-encapsulated-options 01:01:01:04:02:FF:FF:07:04://g' | sed 's/ //g' | sed 's/'$'\t''//g' | cut -c1-11`
-curafp=`cat /etc/dhcpd.conf | grep "01:01:02:08:04:.*.:80" | sed 's/option vendor-encapsulated-options 01:01:02:08:04:.*.:80:.*:61:66:70:75:73:65:72:3A://g' | awk -F40 '{print $1}' | tr -d ' ' | sed 's/\(.*\)./\1/'`
-afppw=`cat /etc/dhcpd.conf | grep "01:01:02:08:04:.*.:80" | sed 's/option vendor-encapsulated-options 01:01:02:08:04:.*.:80:.*:61:66:70:75:73:65:72:3A://g' | sed 's/://g' | awk -F40 '{print $1}' | tr -d ' ' | wc -c`
+imageid=`grep 'FF:FF:07:04' /etc/dhcpd.conf | sed 's/.*FF:FF:07:04://g' | cut -c1-11`
+curafp=`grep "01:01:02:08:04:.*.:80" /etc/dhcpd.conf | sed 's/option vendor-encapsulated-options 01:01:02:08:04:.*.:80:.*:61:66:70:75:73:65:72:3A://g' | awk -F40 '{print $1}' | tr -d ' ' | sed 's/\(.*\)./\1/'`
+afppw=`grep "01:01:02:08:04:.*.:80" /etc/dhcpd.conf | sed 's/option vendor-encapsulated-options 01:01:02:08:04:.*.:80:.*:61:66:70:75:73:65:72:3A://g' | sed 's/://g' | awk -F40 '{print $1}' | tr -d ' ' | wc -c`
 afppwlen=`expr ${afppw} / 2`
 iphex=`echo ${ip} | xxd -c 1 -ps -u | tr '\n' ':' | sed 's/0A://g' | sed 's/\(.*\)./\1/'`
 num=`echo ${iphex} | sed 's/://g' | wc -c`
@@ -34,11 +34,12 @@ num=`expr ${num} + ${afppwlen}`
 lengthhex=`awk -v dec=${num} 'BEGIN { n=split(dec,d,"."); for(i=1;i<=n;i++) printf ":%02X",d[i]; print "" }'`
 
 
-sed -i "s/01:01:02:08:04:${imageid}:80:.*/01:01:02:08:04:${imageid}:80${lengthhex}:61:66:70:3A:2F:2F:61:66:70:75:73:65:72:3A:${curafp}:40:${iphex}:2F:4E:65:74:42:6F:6F:74:81:11:4E:65:74:42:6F:6F:74:30:30:31:2F:53:68:61:64:6F:77;/g" /etc/dhcpd.conf
+sed -i "s/01:01:02:08:04:${imageid}:80:.*/01:01:02:08:04:${imageid}:80${lengthhex}:61:66:70:3A:2F:2F:61:66:70:75:73:65:72:3A:${curafp}:40:${iphex}:2F:4E:65:74:42:6F:6F:74:81:11:4E:65:74:42:6F:6F:74:30:30:31:2F:53:68:61:64:6F:77;/" /etc/dhcpd.conf
 sed -i "s/7, 12) = 08:04:${imageid}:03:04.*)/7, 12) = 08:04:${imageid}:03:04${ipdec})/g" /etc/dhcpd.conf
 sed -i "s/7, 12) = 03:04.*:08:04:${imageid})/7, 12) = 03:04${ipdec}:08:04:${imageid})/g" /etc/dhcpd.conf
 sed -i "s/next-server.*;/next-server ${ip};/g" /etc/dhcpd.conf
-sed -i "s/http:\/\/.*\/NetBoot\/NetBootSP0\//http:\/\/${ip}\/NetBoot\/NetBootSP0\//g" /etc/dhcpd.conf
+sed -i "s|nfs:.*:/srv/NetBoot/NetBootSP0:|nfs:${ip}:/srv/NetBoot/NetBootSP0:|" /etc/dhcpd.conf
+sed -i "s|http://.*/NetBoot/NetBootSP0/|http://${ip}/NetBoot/NetBootSP0/|" /etc/dhcpd.conf
 
 
 killall dhcpd

diff --git a/SUS/susInstall.sh b/SUS/susInstall.sh
@@ -34,6 +34,25 @@ if [[ $(which yum 2>&-) != "" ]]; then
 	yum_install php-xml
 fi
 
+# Prepare the firewall in case it is enabled later
+if [[ $(which ufw 2>&-) != "" ]]; then
+	# HTTP
+	ufw allow 80/tcp >> $logFile
+elif [[ $(which firewall-cmd 2>&-) != "" ]]; then
+	# HTTP
+	firewall-cmd --zone=public --add-port=80/tcp >> $logFile 2>&1
+	firewall-cmd --zone=public --add-port=80/tcp --permanent >> $logFile 2>&1
+else
+	# HTTP
+	if iptables -L | grep DROP | grep -v 'tcp dpt:https' | grep -q 'tcp dpt:http' ; then
+		iptables -D INPUT -p tcp --dport 80 -j DROP
+	fi
+	if ! iptables -L | grep ACCEPT | grep -v 'tcp dpt:https' | grep -q 'tcp dpt:http' ; then
+		iptables -I INPUT -p tcp --dport 80 -j ACCEPT
+	fi
+	service iptables save >> $logFile 2>&1
+fi
+
 # Create SUS directories
 if [ ! -d "/var/appliance" ]; then
 	mkdir /var/appliance

diff --git a/base/NetSUSInstaller.sh b/base/NetSUSInstaller.sh
@@ -175,17 +175,22 @@ if [[ $(which update-rc.d 2>&-) != "" ]]; then
   if [[ $(which systemctl 2>&-) != "" ]]; then
     update-rc.d smbd disable >> $logFile 2>&1
     update-rc.d tftpd-hpa disable >> $logFile 2>&1
+    #systemctl disable nfs-server >> $logFile 2>&1
     # systemctl disable openbsd-inetd >> $logFile 2>&1
+    #service nfs-server stop >> $logFile 2>&1
   else
     echo manual > /etc/init/smbd.override
     echo manual > /etc/init/tftpd-hpa.override
+    #update-rc.d nfs-kernel-server disable >> $logFile 2>&1
     # update-rc.d openbsd-inetd disable >> $logFile 2>&1
+    #service nfs-kernel-server stop >> $logFile 2>&1
   fi
   log "If you are installing NetSUSLP for the first time, please follow the documentation for setup instructions."
 fi
 if [[ $(which chkconfig 2>&-) != "" ]]; then
   service httpd restart >> $logFile 2>&1
   chkconfig tftp off >> $logFile 2>&1
+  #chkconfig nfs off > /dev/null 2>&1
   #if [ -f "/etc/sysconfig/xinetd" ]; then
   #  service xinetd restart >> $logFile 2>&1
   #fi