Merge branch 'master' into develop-snster

README.md

@@ -31,12 +31,13 @@ UDP/53 ne doit pas être filtré depuis votre poste (par un firewall d'entrepris
 ```bash
 git clone https://git.kaz.bzh/KAZ/kaz-vagrant.git # pour essayer
 git clone git+ssh://git@git.kaz.bzh:2202/KAZ/kaz-vagrant.git # pour contribuer
-git switch develop-snster # dans les 2 cas
 cd kaz-vagrant/
+git switch develop-snster # dans les 2 cas
 ```
 * Personalisez votre simulateur avec la commande (au besoin ajustez la mémoire et les cpus utilisés dans Vagrantfile) :
 ```bash
 vagrant plugin install vagrant-disksize
+vagrant plugin install vagrant-vbguest
 ./init.sh  # vous pouvez laisser les choix par défaut
 ```
 * Pour créer tout l'univers Kaz il faut se placer dans le répertoire et lancer la commande :

files/snster-kaz/isp-a/group.yml

@@ -27,7 +27,7 @@ hosts:
           neighbors4: 100.64.0.1 as 30
           neighbors6: 2001:db8:b000::1 as 30
       - resolv:
-          nameserver: 100.100.100.100
+          ns: 100.100.100.100
           domain: isp-a.sns
 
   infra:
@@ -46,7 +46,7 @@ hosts:
           roots: p,100.100.1.10,2001:db8:a001::10
       - resolv:
           domain: isp-a.sns
-          ns: 100.120.1.2
+          ns: 100.100.100.100
 
   home:
     network:
@@ -59,4 +59,4 @@ hosts:
       - updatecaroots:
       - resolv:
           domain: isp-a.sns
-          ns: 100.120.1.2
+          ns: 100.100.100.100

files/snster-kaz/kaz/group.yml

@@ -26,7 +26,7 @@ hosts:
           neighbors4: 100.64.0.1 as 30
           neighbors6: 2001:db8:b000::1 as 30
       - resolv:
-          nameserver: 100.100.100.100
+          ns: 100.100.100.100
           domain: kaz.sns
 
   prod:

files/snster-kaz/kaz/prod/provision.sh

@@ -18,7 +18,7 @@ DEBIAN_FRONTEND=noninteractive apt-get autoremove -y
 # KAZ specific things
 #installation de docker, docker-compose et on y fourre le user debian dans le groupe idoine
 
-DEBIAN_FRONTEND=noninteractive apt-get install -y docker.io docker-compose docker-clean git apg curl sudo unzip rsync fuse-overlayfs
+DEBIAN_FRONTEND=noninteractive apt-get install -y docker.io docker-compose docker-clean git apg curl sudo unzip rsync btrfs-progs ldap-utils # fuse-overlayfs 
 usermod -G docker debian
 # activation dans alias dans /root/.bashrc
 sed -i \
@@ -49,13 +49,23 @@ echo "export SNSTERGUARD='true'" >> /root/.bashrc
 
 # On active fuse-overlayfs pour docker
 cat >> /etc/docker/daemon.json <<EOF
-{ "storage-driver": "fuse-overlayfs" }
+{ "storage-driver": "btrfs" }
 EOF
 service docker restart
 
-mknod -m 666 /dev/fuse c 10 229
-echo -e '#!/bin/sh\nmknod -m 666 /dev/fuse c 10 229' >> /etc/rc.local
-chmod +x /etc/rc.local
+#mknod -m 666 /dev/fuse c 10 229
+#echo -e '#!/bin/sh\nmknod -m 666 /dev/fuse c 10 229' >> /etc/rc.local
+#chmod +x /etc/rc.local
+
+# lxc.cgroup2.devices.allow = b 7:* rwm
+# lxc.cgroup2.devices.allow = c 10:237 rwm
+#
+# mknod -m 666 /dev/loop0 b 7 0
+# mknod -m 666 /dev/loop-control c 10 237
+# truncate -s 30G /root/varlibdocker.img
+# mkfs.btrfs /root/varlibdocker.img
+# losetup -f /root/varlibdocker.img
+# mount /dev/loop0 /var/lib/docker
 
 # On place les certifs
 if  [ -d letsencrypt ]; then

files/snster-kaz/mica/group.yml

@@ -24,7 +24,7 @@ hosts:
           neighbors4: 100.64.0.1 as 30
           neighbors6: 2001:db8:b000::1 as 30
       - resolv:
-          nameserver: 100.100.100.100
+          ns: 100.100.100.100
           domain: mica.sns
 
   infra:

files/snster-kaz/opendns/group.yml

@@ -24,7 +24,7 @@ hosts:
           neighbors4: 100.64.0.1 as 30
           neighbors6: 2001:db8:b000::1 as 30
       - resolv:
-          nameserver: 100.100.100.100
+          ns: 100.100.100.100
           domain: opendns.sns
 
   resolver:

files/snster-kaz/opendns/resolver/provision.sh

@@ -0,0 +1,32 @@
+#!/bin/bash
+set -e
+if [ -z $SNSTERGUARD ] ; then exit 1; fi
+DIR=`dirname $0`
+cd `dirname $0`
+
+mkdir -p /etc/unbound/unbound.conf.d/
+
+cat >> /etc/unbound/unbound.conf.d/unblockdns.conf <<EOF
+stub-zone:
+  name: "sns"
+  stub-addr: 100.100.20.10
+
+stub-zone:
+  name: "100.in-addr.arpa"
+  stub-addr: 100.100.1.10
+
+forward-zone:
+  name: "."
+  forward-addr: 100.64.0.1
+EOF
+
+# notes
+# apt install build-essential libnghttp2-dev libssl-dev libexpat-dev
+# wget https://nlnetlabs.nl/downloads/unbound/unbound-1.17.1.tar.gz
+# ./configure --with-libnghttp2
+# adduser unbound
+
+# fixdns.sh
+# SNSTER="snster -c /root/snster-kaz attach $1 -x"
+# $SNSTER "DEBIAN_FRONTEND=noninteractive apt-get install -y  nss-tlsd libnss-tls"
+# $SNSTER "sed -i -e 's/^hosts:\s*files/hosts:\tfiles tls/' /etc/nsswitch.conf"

files/snster-kaz/root-p/group.yml

@@ -24,7 +24,7 @@ hosts:
           neighbors4: 100.64.0.1 as 30
           neighbors6: 2001:db8:b000::1 as 30
       - resolv:
-          nameserver: 100.100.100.100
+          ns: 100.100.100.100
           domain: ns-root-p.sns
 
   rootns:

files/snster-kaz/tld-sns/group.yml

@@ -24,7 +24,7 @@ hosts:
           neighbors4: 100.64.0.1 as 30
           neighbors6: 2001:db8:b000::1 as 30
       - resolv:
-          nameserver: 100.100.100.100
+          ns: 100.100.100.100
           domain: tld-sns.sns
 
   ns:

files/snster-kaz/transit-a/group.yml

@@ -23,5 +23,5 @@ hosts:
           neighbors4: 100.64.0.10 as 10;100.64.0.30 as 7;100.64.0.40 as 8; 100.64.0.20 as 6; 100.64.0.50 as 13; 100.64.0.110 as 20; 100.64.1.140 as 12
           neighbors6: 2001:db8:b000::10 as 10; 2001:db8:b000::30 as 7;2001:db8:b000::40 as 8; 2001:db8:b000::20 as 6; 2001:db8:b000::50 as 13; 2001:db8:b000::110 as 20; 2001:db8:b001::140 as 12
       - resolv:
-          nameserver: 100.100.100.100
+          ns: 100.100.100.100
           domain: transit-a.sns

files/snster-kaz/transit-a/router/provision.sh

@@ -33,3 +33,8 @@ protocol static {
 	route 0.0.0.0/0 via 100.64.0.1;
 }
 " >> /etc/bird.conf
+
+
+# Add dnsmasq for external dns
+apk add dnsmasq
+rc-update add dnsmasq

files/vm-provision.sh

@@ -40,7 +40,7 @@ export DebugLog="${VAGRANT_SRC_DIR}/log/log-vagrant-$(date +%y-%m-%d-%T)-"
     DEBIAN_FRONTEND=noninteractive apt-get --allow-releaseinfo-change update
     DEBIAN_FRONTEND=noninteractive apt-get -y upgrade
     DEBIAN_FRONTEND=noninteractive apt-get -y dist-upgrade
-    DEBIAN_FRONTEND=noninteractive apt-get install -y apg curl git sudo unzip rsync firefox-esr tcpdump net-tools mousepad wireshark swapspace whois ldap-utils python3-lxc lxc python3-pygraphviz python3-pil python3-yaml imagemagick # could be with --no-install-recommends
+    DEBIAN_FRONTEND=noninteractive apt-get install -y apg curl git sudo unzip rsync firefox-esr tcpdump net-tools mousepad wireshark swapspace whois ldap-utils python3-lxc lxc python3-pygraphviz python3-pil python3-yaml imagemagick btrfs-progs # could be with --no-install-recommends
     DEBIAN_FRONTEND=noninteractive apt-get install -y xfce4 lightdm xfce4-terminal xserver-xorg gitk # needs to install recommends
 
     ssh-keygen -t rsa -b 4096 -N '' <<<$'\ny'
@@ -180,9 +180,21 @@ EOF
     cd
     git clone https://framagit.org/flesueur/snster.git
     cd snster
-    git checkout tags/v1.1.0
+    # git checkout tags/v1.1.0
+    git checkout fe59ef1f
     ./install.sh
 
+    # BTRFS avec hotfix sale de SNSTER
+    freespace=`df /root | awk '/[0-9]%/{print $(NF-2)}'`
+    btrsize=$(( $freespace - 5000000 )) # on laisse 5GB libres
+    truncate -s ${btrsize}k /root/btrfs.img
+    mkfs.btrfs -f /root/btrfs.img
+    echo "/root/btrfs.img	/var/lib/lxc	btrfs	loop	0	0" >> /etc/fstab
+    mount /var/lib/lxc
+    #losetup -f /root/btrfs.img
+    #mount /dev/loop0 /var/lib/lxc
+    sed -i -e "s/template=self.template/template=self.template, bdevtype='btrfs'/" /usr/local/lib/python3.9/dist-packages/backends/LxcBackend.py
+
     # SNSTER KAZ
     # cp -ar ${VAGRANT_SRC_DIR}/templates /root
     cp -ar ${VAGRANT_SRC_DIR}/snster-kaz /root
@@ -191,10 +203,22 @@ EOF
     cp -ar /etc/letsencrypt /root/snster-kaz/kaz/prod/
     cp -ar /etc/letsencrypt /root/snster-kaz/isp-a/home/
 
+    # On monte le filesystem de kaz-prod dans le /kaz de la VM pour le dév (en nofail)
+#    mkdir /kaz-prod /kaz
+#    echo "overlay	/kaz-prod	overlay	lowerdir=/var/lib/lxc/sr-masters-bullseye/rootfs,upperdir=/var/lib/lxc/kaz-kaz-prod/overlay/delta,workdir=/var/lib/lxc/kaz-kaz-prod/overlay/work,nofail  0 0" >> /etc/fstab
+#    echo "/kaz-prod/kaz /kaz  none  bind,nofail  0 0" >> /etc/fstab
+    ln -s /var/lib/lxc/kaz-kaz-prod/rootfs/ /kaz-prod
+    ln -s /kaz-prod/kaz /kaz
+
+    # On met le KAZGUARD pour la mise au point
+    echo "export KAZGUARD='true'" >> /root/.bashrc
+
     # Build SNSTER KAZ !
     snster -c /root/snster-kaz create
     cp "${VAGRANT_SRC_DIR}/vm-install-kaz.sh" /root/
     chmod +x /root/vm-install-kaz.sh
+    cp "${VAGRANT_SRC_DIR}/vm-upgrade.sh" /root/
+    chmod +x /root/vm-upgrade.sh
     if [ "${NOKAZ}" == "true" ]; then
       echo "on ne fait pas l'install de kaz sur kaz-prod"
     else
@@ -202,14 +226,6 @@ EOF
       bash "/root/vm-install-kaz.sh"
     fi
 
-    # On monte le filesystem de kaz-prod dans le /kaz de la VM pour le dév (en nofail)
-    mkdir /kaz-prod /kaz
-    echo "overlay	/kaz-prod	overlay	lowerdir=/var/lib/lxc/sr-masters-bullseye/rootfs,upperdir=/var/lib/lxc/kaz-kaz-prod/overlay/delta,workdir=/var/lib/lxc/kaz-kaz-prod/overlay/work,nofail  0 0" >> /etc/fstab
-    echo "/kaz-prod/kaz /kaz  none  bind,nofail  0 0" >> /etc/fstab
-
-    # On met le KAZGUARD pour la mise au point
-    echo "export KAZGUARD='true'" >> /root/.bashrc
-
     echo "########## ********** End Vagrant $(date +%D-%T)"
 )  > >(tee ${DebugLog}stdout.log) 2> >(tee ${DebugLog}stderr.log >&2)
 

files/vm-upgrade.sh

@@ -0,0 +1,47 @@
+#!/bin/bash
+# Upgrade de tout sauf kaz-prod
+
+if [ -z "${KAZGUARD}" ] ; then
+    exit 1
+fi
+set -e
+
+# On met à jour SNSTER
+cd /root/snster
+git switch main
+git pull
+./install.sh
+# hotfix pour btrfs
+sed -i -e "s/template=self.template/template=self.template, bdevtype='btrfs'/" /usr/local/lib/python3.9/dist-packages/backends/LxcBackend.py
+
+# On récupère le dernier kaz-vagrant
+cd /tmp
+git clone https://git.kaz.bzh/KAZ/kaz-vagrant.git || (cd kaz-vagrant && git pull)
+cd /tmp/kaz-vagrant
+git switch develop-snster
+
+# On écrase les anciens fichiers
+cp -ar /tmp/kaz-vagrant/files/snster-kaz /root/
+# crypto keys
+cp -ar /etc/letsencrypt /root/snster-kaz/kaz/prod/
+cp -ar /etc/letsencrypt /root/snster-kaz/isp-a/home/
+
+# On détruit et reconstruit tout sauf kaz-prod
+SNSTER="snster -c /root/snster-kaz"
+$SNSTER destroy isp-a-home
+$SNSTER destroy isp-a-infra
+$SNSTER destroy isp-a-router
+$SNSTER destroy kaz-router
+$SNSTER destroy mica-router
+$SNSTER destroy mica-infra
+$SNSTER destroy opendns-router
+$SNSTER destroy opendns-resolver
+$SNSTER destroy root-p-router
+$SNSTER destroy root-p-rootns
+$SNSTER destroy tld-sns-router
+$SNSTER destroy tld-sns-ns
+$SNSTER destroy transit-a-router
+
+$SNSTER create
+
+$SNSTER start

sparsify.sh

@@ -3,14 +3,14 @@
 set -e
 
 # Get HD filename
-FILENAME=`vboxmanage showvminfo kaz-dev-amd64 | grep SATA | grep UUID | cut -d':' -f2 | cut -d'(' -f1 | sed -e 's/^[ \t]*//' |  sed -e 's/[ \t]*$//'`
+FILENAME=`vboxmanage showvminfo kaz-vm | grep SATA | grep UUID | cut -d':' -f2 | cut -d'(' -f1 | sed -e 's/^[ \t]*//' |  sed -e 's/[ \t]*$//'`
 
 # Split the dir and filename
 DIR=`dirname "$FILENAME"`
 FILE=`basename "$FILENAME"`
 
 # Get HD UUID
-UUID=`vboxmanage showvminfo kaz-dev-amd64 | grep SATA | grep UUID | cut -d':' -f 3| cut -d')' -f1 | sed -e 's/^[ \t]*//' |  sed -e 's/[ \t]*$//'`
+UUID=`vboxmanage showvminfo kaz-vm | grep SATA | grep UUID | cut -d':' -f 3| cut -d')' -f1 | sed -e 's/^[ \t]*//' |  sed -e 's/[ \t]*$//'`
 
 # echo -e $DIR
 # echo -e $FILE

trim_enable.sh

@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+
+set -e
+
+# Get HD UUID
+HDUUID=`vboxmanage showvminfo kaz-vm --machinereadable | grep ImageUUID | cut -d= -f2 | sed -e "s/\"//g"`
+
+# Get storage controller
+STCTRL=`vboxmanage showvminfo kaz-vm --machinereadable | grep storagecontrollername0 | cut -d= -f2 | sed -e "s/\"//g"`
+
+#echo -e $HDUUID
+#echo -e $STCTRL
+
+vboxmanage storageattach kaz-vm --medium="$HDUUID" --storagectl="${STCTRL}" --port=0 --discard=on --nonrotational=on
+
+echo "Trim enabled !"