Fix orchestrator heredoc vars and add nftables SSH safety

root · root · commit 5c50d7138da2 · 2026-01-09T11:49:27.000-05:00
diff --git a/docs/perfsonar/tools_scripts/perfSONAR-install-nftables.sh b/docs/perfsonar/tools_scripts/perfSONAR-install-nftables.sh
@@ -94,6 +94,7 @@ PY
 
 # Colors
 GREEN='\033[0;32m'
+RED='\033[0;31m'
 NC='\033[0m'
 
 usage() {
@@ -627,6 +628,42 @@ derive_subnets_and_hosts_from_config() {
 
     log "Derived SUBNETS: ${SUBNETS[*]:-none}"
     log "Derived HOSTS: ${HOSTS[*]:-none}"
+    
+    # Safety check: warn if no SSH access will be allowed
+    if [ "${#SUBNETS[@]}" -eq 0 ] && [ "${#HOSTS[@]}" -eq 0 ]; then
+        log ""
+        log "${RED}WARNING: No SSH access subnets or hosts configured!${NC}"
+        log "${RED}This will BLOCK all SSH access to this host.${NC}"
+        log ""
+        log "The nftables rules derive SSH access from /etc/perfSONAR-multi-nic-config.conf"
+        log "No valid IPv4/IPv6 addresses with subnets were found in the configuration."
+        log ""
+        log "To allow SSH access, you must either:"
+        log "  1. Configure /etc/perfSONAR-multi-nic-config.conf with proper IP addresses and prefixes"
+        log "  2. Manually edit /etc/nftables.d/perfsonar.nft after it's created"
+        log "  3. Use --dry-run to preview without applying changes"
+        log ""
+        log "If you proceed, SSH will be BLOCKED and you may lose access to this host!"
+        log "Ensure you have console access before continuing."
+        log ""
+        
+        if [ "$AUTO_YES" != true ]; then
+            read -r -p "Do you want to proceed anyway? [y/N]: " ans
+            case "$ans" in
+                [Yy]|[Yy][Ee][Ss]) 
+                    log "User confirmed proceeding despite SSH lockout risk"
+                    ;;
+                *) 
+                    log "Aborted by user to prevent SSH lockout"
+                    exit 1
+                    ;;
+            esac
+        else
+            log "${RED}AUTO_YES enabled but no SSH access configured - ABORTING to prevent lockout${NC}"
+            log "Configure /etc/perfSONAR-multi-nic-config.conf first or run without --yes"
+            exit 1
+        fi
+    fi
 }
 
 confirm_or_exit() {
diff --git a/docs/perfsonar/tools_scripts/perfSONAR-orchestrator.sh b/docs/perfsonar/tools_scripts/perfSONAR-orchestrator.sh
@@ -208,13 +208,13 @@ step_auto_update_compose() {
 set -e
 COMPOSE_DIR=/opt/perfsonar-tp
 LOGFILE=/var/log/perfsonar-auto-update.log
-log() { echo \"$(date -Iseconds) $*\" | tee -a \"$LOGFILE\"; }
-cd \"$COMPOSE_DIR\"
+log() { echo \"\$(date -Iseconds) \$*\" | tee -a \"\$LOGFILE\"; }
+cd \"\$COMPOSE_DIR\"
 log \"Checking for image updates...\"
 # Pull latest images and detect if any were actually updated
-if podman-compose pull 2>&1 | tee -a \"$LOGFILE\" | grep -q -E 'Downloaded newer image|Pulling from'; then
+if podman-compose pull 2>&1 | tee -a \"\$LOGFILE\" | grep -q -E 'Downloaded newer image|Pulling from'; then
   log \"New images found - recreating containers...\"
-  podman-compose up -d 2>&1 | tee -a \"$LOGFILE\"
+  podman-compose up -d 2>&1 | tee -a \"\$LOGFILE\"
   log \"Containers updated successfully\"
 else
   log \"No updates available\"
diff --git a/docs/personas/quick-deploy/install-perfsonar-testpoint.md b/docs/personas/quick-deploy/install-perfsonar-testpoint.md
@@ -24,7 +24,7 @@ If replacing an existing instance, you may want to back up `/etc/perfsonar/` fil
 `lsregistrationdaemon.conf`, and any container volumes. We have a script named`perfSONAR-update-lsregistration.sh` to
 extract/save/restore registration config that you may want to use.
 
-??? info "Quick capture of existing lsregistration config (if you have a src)"
+??? info "Quick capture of existing lsregistration config (if you have a prior installation)"
     
     Download a temp copy:   
     ```bash
@@ -33,10 +33,17 @@ extract/save/restore registration config that you may want to use.
       -o /tmp/update-lsreg.sh
     chmod 0755 /tmp/update-lsreg.sh
     ```
-    Use the downloaded tool to extract a restore script:
+    
+    **For container-based installations (testpoint):**
     ```bash
     /tmp/update-lsreg.sh extract --output /root/restore-lsreg.sh
     ```
+    
+    **For RPM-based/local installations (toolkit or older hosts):**
+    ```bash
+    /tmp/update-lsreg.sh extract --output /root/restore-lsreg.sh --local
+    ```
+    
     Note: Repository clone instructions are in Step 2.
     **Note:** All shell commands assume an interactive root shell.
     
@@ -123,14 +130,22 @@ chmod 0755 /tmp/perfSONAR-orchestrator.sh
 
 **Flags:**
 
-- `--option {A|B}` — A = testpoint only; B = testpoint + Let's Encrypt
-- `--fqdn NAME` — primary FQDN for certificates (Option B)
-- `--email ADDRESS` — email for Let's Encrypt (Option B)
+- `--option {A|B}` — **Deployment mode:** A = testpoint only (default); B = testpoint with Let's Encrypt certificate automation
+- `--fqdn NAME` — primary FQDN for certificates (required for `--option B`)
+- `--email ADDRESS` — email for Let's Encrypt notifications (required for `--option B`)
 - `--non-interactive` — skip pauses, auto-confirm
 - `--yes` — auto-confirm internal script prompts
 - `--dry-run` — preview steps without executing
 - `--auto-update` — install and enable a systemd timer that pulls container images daily and restarts containers only if updated (creates `/usr/local/bin/perfsonar-auto-update.sh`, a systemd service and timer)
 
+!!! tip "Deployment Mode Terminology"
+    The orchestrator uses `--option A` or `--option B` to select the deployment mode:
+    
+    - **Option A**: Testpoint only (no automatic certificate management)
+    - **Option B**: Testpoint with Let's Encrypt automation (requires `--fqdn` and `--email`)
+    
+    This is the same as "Path A" and "Path B" mentioned in other sections of this guide.
+
 **If you choose this path, skip to [Step 7](#step-7-register-and-configure-with-wlcgosg)** (the orchestrator completes Steps 2–6 for you).
 
 ---
