Tuesday, August 15, 2023

git repo migration

git clone <source_repo> <folder>

cd <folder>

git remote set-url origin <new_repo>

git push --all

git push --tags

or

git clone --mirror <source_repo>

git push --mirror <dest_repo>

Tuesday, July 4, 2023

encrypt disk using TPM

#!/bin/bash
# Tear down any existing software RAID on the two NVMe disks before repartitioning
mdadm --stop /dev/md125
mdadm --stop /dev/md126
mdadm --stop /dev/md127
mdadm --zero-superblock /dev/nvme0n1p1
mdadm --zero-superblock /dev/nvme0n1p2
mdadm --zero-superblock /dev/nvme1n1p1
mdadm --zero-superblock /dev/nvme1n1p2

# Wipe the GPT, then create a 1 GiB boot partition and a root partition using the rest of the disk
sgdisk -Z /dev/nvme0n1
sgdisk -n 1::1024MiB /dev/nvme0n1
sgdisk -n 2:: /dev/nvme0n1
sgdisk -Z /dev/nvme1n1
sleep 5
# Re-read the partition tables a few times so the kernel picks up the new layout
for i in {1..5};do
  partprobe /dev/nvme0n1
  partprobe /dev/nvme1n1
  sleep 1
done
# Use the mounted installation media as a local dnf repository
cat << EOF >/etc/yum.repos.d/local.repo
[BaseOS]
name=BaseOS
enabled=1
gpgcheck=0
baseurl=file:///run/install/repo/BaseOS
[AppStream]
name=AppStream
enabled=1
gpgcheck=0
baseurl=file:///run/install/repo/AppStream
EOF
dnf install -y clevis clevis-dracut clevis-luks clevis-systemd clevis-udisks2 tpm-tools tpm2-tools >/dev/null 2>&1

# Format boot as FAT and root as a LUKS container holding XFS; UUIDs and labels are pinned to known values
mkfs.vfat -i 72D5B376 -n boot /dev/nvme0n1p1
echo "callmedaddy"|cryptsetup -q luksFormat /dev/nvme0n1p2 --uuid=2503da23-fdce-47c1-8f55-d1608edfb532
cryptsetup luksOpen /dev/nvme0n1p2 root <<< 'callmedaddy'
mkfs.xfs -f -m uuid=ced49972-bd15-400b-b130-babc43008ec0 -L rootfs /dev/mapper/root
sleep 5
mkdir /dev/shm/boot
mkdir /dev/shm/root
# umount is a no-op if nothing is mounted there yet
umount /dev/shm/boot
umount /dev/shm/root
mount -L boot /dev/shm/boot
mount -L rootfs /dev/shm/root
# Unpack the prebuilt boot and root images (plain HTTP, no integrity check on the tarballs)
curl http://deploy.kido.idv.tw/encryt_disk/boot.tar.gz|tar zxf - -C /dev/shm/boot
curl http://deploy.kido.idv.tw/encryt_disk/root.tar.gz|tar zxf - -C /dev/shm/root
sync
# Clear any TPM dictionary-attack lockout, then seal the LUKS key to PCR 0 (firmware) and PCR 7 (Secure Boot state) of the SHA-1 bank
tpm2_dictionarylockout -c
clevis luks bind -d /dev/nvme0n1p2 tpm2 '{"pcr_bank":"sha1","pcr_ids":"0,7"}' <<< 'callmedaddy'
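The binding above only auto-unlocks while PCR 0 and 7 still hold the values they had at bind time; a firmware or Secure Boot change silently drops the machine back to the passphrase prompt. The following is an added example (not part of the original script) that compares a tpm2_pcrread reading captured at bind time with a current one against the same pin config; the digests are constructed, not real measurements.

```python
# Added example (not part of the original script): after a firmware or Secure Boot
# change, check whether the PCRs the clevis tpm2 pin was sealed to still match, so
# the unattended unlock will not silently fall back to the passphrase prompt.
# Inputs are `tpm2_pcrread sha1:0,7` text captured at bind time and now; the
# digests below are constructed, not real measurements.
import json
import re
from typing import Dict, List

PCR_LINE = re.compile(r"^\s*(\d+)\s*:\s*0x([0-9A-Fa-f]+)\s*$")
CLEVIS_CFG = '{"pcr_bank":"sha1","pcr_ids":"0,7"}'   # same pin config as the bind command

BASELINE = """\
sha1:
  0 : 0x1111111111111111111111111111111111111111
  7 : 0x7777777777777777777777777777777777777777
"""
CURRENT = """\
sha1:
  0 : 0x1111111111111111111111111111111111111111
  7 : 0xABABABABABABABABABABABABABABABABABABABAB
"""

def parse_pcrread(text: str) -> Dict[str, Dict[int, str]]:
    """tpm2_pcrread output -> {bank: {pcr_index: lowercase hex digest}}."""
    banks: Dict[str, Dict[int, str]] = {}
    bank = None
    for line in text.splitlines():
        m = PCR_LINE.match(line)
        if m and bank is not None:
            banks[bank][int(m.group(1))] = m.group(2).lower()
        elif line.strip().endswith(":"):
            bank = line.strip()[:-1]
            banks.setdefault(bank, {})
    return banks

def changed_pcrs(clevis_cfg: str, baseline: str, current: str) -> List[int]:
    """Bound PCR indices whose value differs from the bind-time reading.
    A PCR missing from either reading is reported too, since the sealed
    policy cannot be checked against it."""
    cfg = json.loads(clevis_cfg)
    base = parse_pcrread(baseline).get(cfg["pcr_bank"], {})
    cur = parse_pcrread(current).get(cfg["pcr_bank"], {})
    drift = []
    for idx in (int(p) for p in cfg["pcr_ids"].split(",")):
        if idx not in base or idx not in cur or base[idx] != cur[idx]:
            drift.append(idx)
    return drift

if __name__ == "__main__":
    changed = changed_pcrs(CLEVIS_CFG, BASELINE, CURRENT)
    print("rebind needed, PCRs changed:" if changed else "binding still valid", changed)
```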

manually create a Linux software RAID system

1: stop md
mdadm --stop /dev/md124

2: zap disk
sgdisk -Z /dev/sda

3: create partitions
sgdisk -n 1::1024MiB /dev/sda
sgdisk -n 2:: /dev/sda

4: update partition information
partprobe /dev/sda

5: zero superblock
mdadm --zero-superblock /dev/sda1

6: create sw raid -> use metadata 1.2 for data, 0.9 for boot
echo yes| mdadm --create /dev/md127 --force --level=1 --raid-devices=2 --name=root --uuid=1f975454:e7eb215d:e5a8a80e:43d5a964 --metadata=1.2 /dev/sda2 /dev/sdb2
echo yes| mdadm --create /dev/md/boot --force --level=1 --raid-devices=2 --uuid=2fd35b47:0866ab39:7a1ebdb9:dcc7dd0f --metadata=0.90 --name=boot-efi /dev/sda1 /dev/sdb1

7: wait for the resync to finish
while true;do
  # /proc/mdstat shows a "resync" progress line for every array still syncing
  sts_resync=$(cat /proc/mdstat|grep resync|wc -l)
  if [ $sts_resync -ne 0 ];then
    echo "syncing"
  else
    echo "resync ready"
    break
  fi
  sleep 5
done

Thursday, July 22, 2021

RHOCP Baremetal IPI

Please note that the deployment below was done in a virtual environment. vbmc or sushy-tools may be used to emulate the BMCs, per your preference; both can be installed with pip3 install <module>.


Prerequisites:
Each node should be equipped with two network ports. One must be able to route to the internet; the other is used for provisioning.
DHCP: assigns a static IP to the network port used for internet access.
DNS: only two records are required.
A sample configuration is below (10.7.21.51 is the address of my DNS server).

$TTL    600
@                       IN SOA   test.ocp.qct. com.www.ocp.qct. (
                                 2019052801 3H 15M 1W 1D ) ;
@                       IN NS    test.ocp.qct.  ; DNS
test.ocp.qct.         IN A     10.7.21.51
api.test.ocp.qct.        IN A     10.102.17.10
*.apps.test.ocp.qct.    IN A     10.102.17.15


A sample install-config.yaml is below.
(machineCIDR is the subnet used for internet access. Two additional IPs in it are required for the API and Ingress VIPs.)
(The cluster FQDN is <metadata.name>.<baseDomain>; in the example below it is test.ocp.qct.)
(provisioningNetworkInterface is the interface name used for node provisioning. The provisioning service runs on all controller/master nodes, so the interface name must be the same on every controller/master node.)
(compute replicas: when set to 0, all nodes are provisioned in master/worker hybrid mode, i.e. each node acts as both master and worker.)

apiVersion: v1
baseDomain: ocp.qct
metadata:
  name: test
networking:
  machineCIDR: 10.102.17.0/24
compute:
- name: worker
  replicas: 0
controlPlane:
  name: master
  replicas: 3
  platform:
    baremetal: {}
platform:
  baremetal:
    apiVIP: 10.102.17.10
    ingressVIP: 10.102.17.15
    provisioningNetworkCIDR: 172.22.0.0/24
    provisioningNetworkInterface: enp1s0
    provisioningDHCPRange: 172.22.0.10,172.22.0.100
    bootstrapOSImage: http://10.102.17.23:8080/rhcos-47.83.202105220305-0-qemu.x86_64.qcow2.gz?sha256=d3e6f4e1182789480dcb81fc8cdf37416ec9afa34b4be1056426b21b62272248
    clusterOSImage: http://10.102.17.23:8080/rhcos-47.83.202105220305-0-openstack.x86_64.qcow2.gz?sha256=94058cc4cff50e63ebeba8e044215c1591d0a4daea2ffdb778836d013290868e
    hosts:
      - name: openshift-master-0
        role: master
        bmc:
          address: ipmi://10.102.17.23:6235
          username: admin
          password: admin
        bootMACAddress: 52:54:00:64:a1:ab
        bootMode: legacy
        rootDeviceHints:
          minSizeGigabytes: 10
        hardwareProfile: default
      - name: openshift-master-1
        role: master
        bmc:
          address: ipmi://10.102.17.23:6236
          username: admin
          password: admin
        bootMACAddress: 52:54:00:eb:31:6f
        bootMode: legacy
        rootDeviceHints:
          minSizeGigabytes: 10
        hardwareProfile: default
      - name: openshift-master-2
        role: master
        bmc:
          address: ipmi://10.102.17.23:6237
          username: admin
          password: admin
        bootMACAddress: 52:54:00:88:36:ca
        bootMode: legacy
        rootDeviceHints:
          minSizeGigabytes: 10
        hardwareProfile: default
      - name: openshift-worker-0
        role: worker
        bmc:
          address: ipmi://10.102.17.23:6245
          username: admin
          password: admin
        bootMACAddress: 52:54:00:46:59:73
        bootMode: legacy
        rootDeviceHints:
          minSizeGigabytes: 10
        hardwareProfile: unknown
      - name: openshift-worker-1
        role: worker
        bmc:
          address: ipmi://10.102.17.23:6246
          username: admin
          password: admin
        bootMACAddress: 52:54:00:f5:db:a0
        bootMode: legacy
        rootDeviceHints:
          minSizeGigabytes: 10
        hardwareProfile: unknown

pullSecret: ''
sshKey: ''
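Pre-flight checks worth running on that install-config before invoking openshift-install, as an added example (not the post's or OpenShift's own code). CONFIG is a constructed subset of the sample above (three hosts, bmc.address flattened to bmcAddress); the check names and the weak-password list are my own.

```python
# Added example (not the original post's code): pre-flight checks on the baremetal IPI
# install-config before running openshift-install. CONFIG is a constructed subset of
# the sample above (three hosts); the check names and the weak-password list are mine.
import ipaddress
from typing import Dict, List
CONFIG = {
    "machineCIDR": "10.102.17.0/24",
    "apiVIP": "10.102.17.10",
    "ingressVIP": "10.102.17.15",
    "provisioningNetworkCIDR": "172.22.0.0/24",
    "provisioningDHCPRange": "172.22.0.10,172.22.0.100",
    "hosts": [
        {"name": "openshift-master-0", "bmcAddress": "ipmi://10.102.17.23:6235",
         "username": "admin", "password": "admin", "bootMACAddress": "52:54:00:64:a1:ab"},
        {"name": "openshift-master-1", "bmcAddress": "ipmi://10.102.17.23:6236",
         "username": "admin", "password": "admin", "bootMACAddress": "52:54:00:eb:31:6f"},
        {"name": "openshift-worker-0", "bmcAddress": "ipmi://10.102.17.23:6245",
         "username": "admin", "password": "admin", "bootMACAddress": "52:54:00:46:59:73"},
    ],
}
WEAK_BMC_PASSWORDS = {"", "admin", "password", "root"}
def validate(cfg: Dict) -> List[str]:
    """Return human-readable findings; an empty list means the config passed."""
    findings: List[str] = []
    machine = ipaddress.ip_network(cfg["machineCIDR"])
    # Both VIPs must be free addresses inside machineCIDR (the internet-facing subnet).
    for key in ("apiVIP", "ingressVIP"):
        if ipaddress.ip_address(cfg[key]) not in machine:
            findings.append(f"{key} {cfg[key]} is outside machineCIDR {machine}")
    if cfg["apiVIP"] == cfg["ingressVIP"]:
        findings.append("apiVIP and ingressVIP must be different addresses")
    # The DHCP range handed out during provisioning must sit inside the provisioning CIDR.
    prov = ipaddress.ip_network(cfg["provisioningNetworkCIDR"])
    start, end = (ipaddress.ip_address(p.strip()) for p in cfg["provisioningDHCPRange"].split(","))
    if start > end or start not in prov or end not in prov:
        findings.append(f"provisioningDHCPRange {start}-{end} is not inside {prov}")
    seen_mac, seen_bmc = {}, {}
    for h in cfg["hosts"]:
        mac = h["bootMACAddress"].lower()
        # Two host entries sharing a boot MAC or a BMC endpoint describe the same physical machine.
        if mac in seen_mac:
            findings.append(f"{h['name']}: bootMACAddress {mac} duplicates {seen_mac[mac]}")
        seen_mac.setdefault(mac, h["name"])
        if h["bmcAddress"] in seen_bmc:
            findings.append(f"{h['name']}: bmc address duplicates {seen_bmc[h['bmcAddress']]}")
        seen_bmc.setdefault(h["bmcAddress"], h["name"])
        if h["password"] in WEAK_BMC_PASSWORDS or h["password"] == h["username"]:
            findings.append(f"{h['name']}: BMC password is default or equals the username")
    return findings
```

Run against the sample, the only findings are the admin/admin BMC credentials on every host; the network checks pass.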

You may want to power off a machine after introspection. Simply issue the following command to make that happen:
oc -n openshift-machine-api patch bmh openshift-worker-2 -p '{"spec":{"online":false}}' --type=merge

Scale up/down
oc scale --replicas=<num> machineset <machineset> -n openshift-machine-api


Tuesday, December 29, 2020

Enable Linux hostapd to run on 5 GHz frequencies (also enable DFS support)

how to create a virtual AP

1: create a virtual wifi interface

iw dev wlp5s0 interface add wlan0_vap1 type __ap

2: change the MAC address of the newly created interface (please note, the last 8 bits must be 0 and must not be the same as any other device; the maximum number of APs the chipset supports can be seen in the output of iw list)

ip link set wlan0_vap1 address 02:05:b4:4a:fa:60

"channels <= 1" in the interface combinations of iw list means the chipset supports only one frequency at a time. All soft APs then need to run on exactly the same frequency.

check supported frequencies: iw list

Usually "no IR, radar detection" means the frequency cannot be used as-is.
If the output includes "DFS state: usable", the frequency can be used only when the kernel supports DFS.
* 5520 MHz [104] (23.0 dBm) (no IR, radar detection)
  DFS state: usable (for 641 sec)
  DFS CAC time: 60000 ms

To use DFS bands, ensure the following kernel options are enabled.
"Configure standard kernel features (expert users)" under "General Setup"
"cfg80211 certification onus" under "Networking support" -> "Wireless"
"Minstrel 802.11ac support" under "Networking support" -> "Wireless"
"Atheros DFS support for certified platforms" under "Device Drivers" -> "Network device support" -> "Wireless LAN" -> "Atheros Wireless Cards"
"Atheros dynamic user regulatory hints" under "Device Drivers" -> "Network device support" -> "Wireless LAN" -> "Atheros Wireless Cards" (*)
"Atheros dynamic user regulatory testing" under "Device Drivers" -> "Network device support" -> "Wireless LAN" ->"Atheros Wireless Cards" (*)

Please note that the crda package is required for DFS enablement.

To ignore regulatory limits, apply the openwrt patches to the kernel.
1: download the kernel source
2: download the openwrt patches
3: change to the extracted kernel source directory
4: copy the downloaded openwrt patches to the working directory

patch -p1 <./mac80211/patches/ath/402-ath_regd_optional.patch 

patch -p1 <./mac80211/patches/ath/404-regd_no_assoc_hints.patch 


Sample configuration file: only the channel and vht_oper_centr_freq_seg0_idx settings need attention.

interface=wlan0_vap1
driver=nl80211
logger_syslog=-1
logger_syslog_level=0
logger_stdout=-1
logger_stdout_level=0
country_code=US
ieee80211d=1
ssid=uCPE1
channel=116
hw_mode=a
ieee80211h=1
ieee80211ac=1
ht_capab=[DSSS_CCK-40][LDPC][TX-STBC][RX-STBC-1][MAX-AMSDU-7935][HT40+][SHORT-GI-40][SHORT-GI-20]
wme_enabled=1
vht_oper_centr_freq_seg0_idx=122
vht_oper_chwidth=1
vht_capab=[TX-STBC-2BY1][RX-STBC-1][RXLDPC][RX-ANTENNA-PATTERN][TX-ANTENNA-PATTERN][MAX-MPDU-11454][MAX-A-MPDU-LEN-EXP-7][SHORT-GI-80]
ieee80211n=1
macaddr_acl=0
max_num_sta=100
wpa=2
rsn_pairwise=CCMP
auth_algs=1
wpa_passphrase=test12345
wpa_key_mgmt=WPA-PSK WPA-PSK-SHA256
tx_queue_data3_aifs=7
tx_queue_data3_cwmin=15
tx_queue_data3_cwmax=1023
tx_queue_data3_burst=0
tx_queue_data2_aifs=3
tx_queue_data2_cwmin=15
tx_queue_data2_cwmax=63
tx_queue_data2_burst=0
tx_queue_data1_aifs=1
tx_queue_data1_cwmin=7
tx_queue_data1_cwmax=15
tx_queue_data1_burst=3.0
tx_queue_data0_aifs=1
tx_queue_data0_cwmin=3
tx_queue_data0_cwmax=7
tx_queue_data0_burst=1.5
wmm_enabled=1
wmm_ac_bk_cwmin=4
wmm_ac_bk_cwmax=10
wmm_ac_bk_aifs=7
wmm_ac_bk_txop_limit=0
wmm_ac_bk_acm=0
wmm_ac_be_aifs=3
wmm_ac_be_cwmin=4
wmm_ac_be_cwmax=10
wmm_ac_be_txop_limit=0
wmm_ac_be_acm=0
wmm_ac_vi_aifs=2
wmm_ac_vi_cwmin=3
wmm_ac_vi_cwmax=4
wmm_ac_vi_txop_limit=94
wmm_ac_vi_acm=0
wmm_ac_vo_aifs=2
wmm_ac_vo_cwmin=2
wmm_ac_vo_cwmax=3
wmm_ac_vo_txop_limit=47
wmm_ac_vo_acm=0
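Choosing the channel pair above by hand is error-prone, so here is an added example (not from the original post) that reads the frequency list printed by iw list, keeps only channels an AP may beacon on (DFS ones only when their state is usable or available), and derives vht_oper_centr_freq_seg0_idx for the 80 MHz block, reproducing the channel=116 / seg0=122 pairing of the config. IW_SAMPLE is constructed in iw's output layout, not real output.

```python
# Added example (not the original post's code): decide which 5 GHz channels an AP may
# beacon on from `iw list` output, and derive vht_oper_centr_freq_seg0_idx for an
# 80 MHz channel as the sample hostapd.conf does (channel=116 -> 122).
import re
from typing import Dict, Optional
# Constructed in the layout iw prints; not real output.
IW_SAMPLE = """\
        * 5180 MHz [36] (23.0 dBm)
        * 5260 MHz [52] (23.0 dBm) (radar detection)
          DFS state: unavailable (for 120 sec)
          DFS CAC time: 60000 ms
        * 5520 MHz [104] (23.0 dBm) (no IR, radar detection)
          DFS state: usable (for 641 sec)
          DFS CAC time: 60000 ms
        * 5580 MHz [116] (23.0 dBm) (no IR, radar detection)
          DFS state: available (for 20 sec)
          DFS CAC time: 60000 ms
        * 5825 MHz [165] (30.0 dBm) (disabled)
"""
FREQ_LINE = re.compile(r"\*\s+\d+ MHz \[(\d+)\] \([\d.]+ dBm\)(?: \((.*)\))?")
DFS_LINE = re.compile(r"DFS state: (\w+)")

def ap_channels(text: str) -> Dict[int, str]:
    """Channel -> 'clear' or 'dfs' for channels an AP may beacon on. 'disabled' and
    plain 'no IR' channels are excluded; a DFS channel counts only when its state is
    usable (CAC still required) or available (CAC already passed)."""
    result: Dict[int, str] = {}
    chan: Optional[int] = None
    for line in text.splitlines():
        m = FREQ_LINE.search(line)
        if m:
            chan, flags = int(m.group(1)), m.group(2) or ""
            if "radar detection" in flags:
                continue            # decided by the DFS state line that follows
            if "disabled" not in flags and "no IR" not in flags:
                result[chan] = "clear"
            chan = None
            continue
        d = DFS_LINE.search(line)
        if d and chan is not None and d.group(1) in ("usable", "available"):
            result[chan] = "dfs"
    return result
VHT80_BLOCK_STARTS = (36, 52, 100, 116, 132, 149)
def vht80_seg0(channel: int) -> Optional[int]:
    """Centre index of the standard 80 MHz block holding `channel`, else None."""
    for start in VHT80_BLOCK_STARTS:
        if start <= channel <= start + 12 and (channel - start) % 4 == 0:
            return start + 6
    return None
```

For a usable 80 MHz channel all four 20 MHz members of the block (seg0 - 6 through seg0 + 6 in steps of 4) must appear in ap_channels(), and hostapd still performs the CAC wait on any "usable" DFS member before beaconing.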

dracut module for squashfs plus overlay

kernel parameter:

QCT QCT.session=devel

dracut module

Monday, November 2, 2020

ipxe example

#!ipxe
#set QCTFILENAME http://10.5.15.10/test/echo.ipxe
#set bdf 0000:3d:00.3
#set QCTBDF 0000:00:08.0
#set QCTMAC 08:00:27:6b:53:eb
#set QCTMAC 08:00:27:89:ea:ad
set QCTIP 10.102.14.110
set QCTNETMASK 255.255.255.0
set QCTGATEWAY 10.102.14.1
set QCTFILENAME file:/utils/rhel8.2.ipxe
set QCTDNS 8.8.8.8


========================================================================

#!ipxe
imgfree
set base-url http://10.7.21.51/adt
initrd ${base-url}/rhel8.2/isolinux/initrd.img
chain ${base-url}/rhel8.2/isolinux/vmlinuz initrd=initrd.img ro fips=1 inst.sshd inst.ks=${base-url}/rhel8.php inst.stage2=${base-url}/rhel8.2/ ip=${ip}::${gateway}:${netmask}:::none::${mac}