From 532de19c1043d36df96622034a3fb1fe898e641f Mon Sep 17 00:00:00 2001 From: Masahiro Fujiwara Date: Fri, 30 Oct 2015 19:37:44 +0900 Subject: [PATCH] proto typing image building script. --- vmimages/.gitignore | 2 + vmimages/README.md | 8 + vmimages/README.qemu-build.md | 120 +++++++++++ vmimages/bin/alt-b | 26 +++ vmimages/bin/qemu-build | 192 ++++++++++++++++++ vmimages/bin/screen-watch | 88 ++++++++ vmimages/build.sh | 27 +++ vmimages/centos-7.1.1503-x86_64/ks.cfg | 57 ++++++ .../post-scripts/disable-selinux.sh | 1 + .../post-scripts/grub2.el7.sh | 8 + .../post-scripts/serial-console.el7.sh | 6 + .../post-scripts/sshd_config.sh | 1 + .../post-scripts/teardown.sh | 1 + .../post-scripts/udev_clean.sh | 1 + .../centos-7.1.1503-x86_64/qemu-build.conf | 13 ++ vmimages/post-scripts/disable-selinux.sh | 13 ++ vmimages/post-scripts/login_user.sh | 16 ++ vmimages/post-scripts/sshd_config.sh | 77 +++++++ vmimages/post-scripts/teardown.sh | 20 ++ vmimages/post-scripts/udev_clean.sh | 5 + 20 files changed, 682 insertions(+) create mode 100644 vmimages/.gitignore create mode 100644 vmimages/README.md create mode 100644 vmimages/README.qemu-build.md create mode 100755 vmimages/bin/alt-b create mode 100755 vmimages/bin/qemu-build create mode 100755 vmimages/bin/screen-watch create mode 100755 vmimages/build.sh create mode 100644 vmimages/centos-7.1.1503-x86_64/ks.cfg create mode 120000 vmimages/centos-7.1.1503-x86_64/post-scripts/disable-selinux.sh create mode 100644 vmimages/centos-7.1.1503-x86_64/post-scripts/grub2.el7.sh create mode 100644 vmimages/centos-7.1.1503-x86_64/post-scripts/serial-console.el7.sh create mode 120000 vmimages/centos-7.1.1503-x86_64/post-scripts/sshd_config.sh create mode 120000 vmimages/centos-7.1.1503-x86_64/post-scripts/teardown.sh create mode 120000 vmimages/centos-7.1.1503-x86_64/post-scripts/udev_clean.sh create mode 100644 vmimages/centos-7.1.1503-x86_64/qemu-build.conf create mode 100755 vmimages/post-scripts/disable-selinux.sh create mode 100644 vmimages/post-scripts/login_user.sh create mode 100755 vmimages/post-scripts/sshd_config.sh create mode 100755 vmimages/post-scripts/teardown.sh create mode 100644 vmimages/post-scripts/udev_clean.sh diff --git a/vmimages/.gitignore b/vmimages/.gitignore new file mode 100644 index 000000000..cc20cc5ff --- /dev/null +++ b/vmimages/.gitignore @@ -0,0 +1,2 @@ +packer/ +packer_cache/ diff --git a/vmimages/README.md b/vmimages/README.md new file mode 100644 index 000000000..f031f0458 --- /dev/null +++ b/vmimages/README.md @@ -0,0 +1,8 @@ +# Building Image + +Run the ``build.sh`` with target OS name that you want. + +``` +$ ./build.sh centos-7.1-x86_64 +``` + diff --git a/vmimages/README.qemu-build.md b/vmimages/README.qemu-build.md new file mode 100644 index 000000000..8603f5c5c --- /dev/null +++ b/vmimages/README.qemu-build.md @@ -0,0 +1,120 @@ +# qemu-build + +``qemu-build`` is an image building script inspired by packer-qemu driver. +This program run the following tasks. Similar to ``packer`` but it is more simplified. + +1. Download iso image from remote site. +2. Run ``qemu`` with the .iso and FD image and boot installer from the .iso. +3. Send boot command to console then the unattended install is kicked. + Configuration files for the installer are supplied from FD image. +4. Shutdown ``qemu`` from guest once all done. + +## How to use + +Basic usage: + +``` +% qemu-build build.conf +``` + +``build.conf`` has set of shell variables to build new OS image from iso installer. + +``` +target_image=centos7.img +kickstart_file="ks.cfg" +iso_checksum="d07ab3e615c66a8b2e9a50f4852e6a77" +iso_urls=( + http://ftp.riken.jp/Linux/centos/7.1.1503/isos/x86_64/CentOS-7-x86_64-Minimal-1503-01.iso +) +# "textks=hd:fd0:/ks.cfg" +boot_commands=(tab t e x t spc k s equal h d shift-semicolon f d 0 shift-semicolon slash k s dot c f g ret) +qemu_args="-m 1G" +post_scripts=(./post-scripts/*.sh) +``` + +``` +# yum install -y $(qemu-build --show-deps) +``` + +## Config Parameters + +Path information is calculated from the location of config file. + +Required: + +``iso_checksum`` + +``iso_urls`` is shell array to supply the list of OS installer image file on remote site. It continues to +try next urls until fetching succeeds. + +``install_iso`` is path string to the installer image which you already have. ``iso_urls`` is skipped if this +parameter is set. + +``target_image`` the path to image file to generate. + +Optional: + +``kickstart_file`` the file is copied to FD image. + +``boot_commands`` are sent to qemu guest over ``sendkey`` monitor interface while the OS installer prompts +and waits for typing keys. ``sendkey`` emulates keyboard so it can only pass one character at a time. See +the sendkey character list pasted from ``qemu``. + +``qemu_args`` extra command options for ``qemu`` if you need. + +``qemu_binary`` path to ``qemu`` binary. + +``post_scripts`` an array of script path(s) to run at post stage in qemu guest. The files are just copied +to FD image. unattended installation must be organized to call them. + +``local_scripts`` an array of command line which run at qemu host. They are called after sending ``boot_commands`` +so helps to handle post process on host side until the installation completes. + + +### Local Script + +Bundled local scripts: + +``screen-watch`` monitors qemu screen updates. It supports +to detect if updates happens within a period time and kill +qemu if the installation process is likely to be stopped. + +``alt-b`` is just sends alt-b key sequence to qemu. It is +useful to signal CentOS graphical installer to proceed. + + +### ``sendkey`` character table + + +``` +# discover the supported keys by doing: +# telnet 127.0.0.1 4567 +# sendkey +# Here is the result: +(qemu) sendkey +0 1 2 3 4 +5 6 7 8 9 +a again alt alt_r altgr +altgr_r apostrophe asterisk b backslash +backspace bracket_left bracket_right c caps_lock +comma compose copy ctrl ctrl_r +cut d delete dot down +e end equal esc f +f1 f10 f11 f12 f2 +f3 f4 f5 f6 f7 +f8 f9 find front g +grave_accent h help home i +insert j k kp_0 kp_1 +kp_2 kp_3 kp_4 kp_5 kp_6 +kp_7 kp_8 kp_9 kp_add kp_decimal +kp_divide kp_enter kp_multiply kp_subtract l +left less lf m menu +meta_l meta_r minus n num_lock +o open p paste pause +pgdn pgup print props q +r ret right s scroll_lock +semicolon shift shift_r slash spc +stop sysrq t tab u +undo unmapped up v w +x y z +``` diff --git a/vmimages/bin/alt-b b/vmimages/bin/alt-b new file mode 100755 index 000000000..ac49f1239 --- /dev/null +++ b/vmimages/bin/alt-b @@ -0,0 +1,26 @@ +#!/bin/bash + +# NOTE: Sometimes all the keys above are typed OK and the ks.cfg file +# is read in OK, but the installation does not start until the user +# clicks on the "Begin" button. One possible cause could be the VNC +# windows being open and some UI events being sent to the graphical +# installer, which senses the human there and politely asks for +# confirmation. + +# Update: Nope. Did not work even with no vncviewer connected. Looks like +# alt-B will select that button. Seems to take at least 20 seconds to get +# to that screen so.... + +if [[ $# -eq 1 ]]; + sleep $1 +else + sleep 60 +fi + +echo sendkey alt-b | nc 127.0.0.1 4567 + +echo +echo "Just sent an extra alt-b just in case" +echo "it is stuck on the confirm install screen" +echo + diff --git a/vmimages/bin/qemu-build b/vmimages/bin/qemu-build new file mode 100755 index 000000000..353bf4231 --- /dev/null +++ b/vmimages/bin/qemu-build @@ -0,0 +1,192 @@ +#!/bin/bash + +set -e -o pipefail + +# Environment variables +ISO_CACHE_DIR=${ISO_CACHE_DIR:-"."} + +# Configuration parameters in .conf. +install_iso= +kickstart_file= +target_image= +qemu_binary="qemu-kvm" +iso_checksum_type="md5" +iso_checksum= +declare -a iso_urls=() +declare -a boot_commands= +declare -a post_scripts=() +declare -a local_scripts=() + +# option parameters +is_overwrite_image= + +reportfailed() +{ + echo "Script failed...exiting. ($*)" 1>&2 + exit 255 +} + +usage_deps() { + cat < + +Options: + --force,-f : Overwrite existing image file. + +Install dependencies: +yum install -y \$($0 --show-deps) +END +} + +while [[ $# -gt 0 ]]; do + case $1 in + --help|-h) + usage + exit + ;; + --show-deps) + usage_deps + exit + ;; + --force|-f) + is_overwrite_image=1 + shift + ;; + *) + break + ;; + esac +done + +# Load .conf +if [[ $# -eq 1 && -f $1 ]]; then + CONF_PATH=$1 + shopt -s nullglob + . $CONF_PATH + shopt -u nullglob +else + reportfailed "Unknown conf path: $1" +fi + +cd $(dirname $CONF_PATH) + +# Minimal parameter checking to catch typos: +if [[ -z $install_iso ]]; then + [[ -n $iso_checksum ]] || reportfailed "iso_checksum not found." + [[ -n $iso_checksum_type ]] || reportfailed "iso_checksum_type not found." + + if [[ -f "${ISO_CACHE_DIR}/${iso_checksum}.iso" ]]; then + install_iso="${ISO_CACHE_DIR}/${iso_checksum}.iso" + else + for u in ${iso_urls[@]} + do + curl --show-error -L -o "${ISO_CACHE_DIR}/${iso_checksum}.iso" "$u" + if [[ $? -eq 0 ]]; then + sum_val=$("${iso_checksum_type}sum" "${ISO_CACHE_DIR}/${iso_checksum}.iso" | cut -f 1 -d ' ') + if [[ "${sum_val}" == "${iso_checksum}" ]]; then + install_iso="${ISO_CACHE_DIR}/${iso_checksum}.iso" + break + else + rm -f "${ISO_CACHE_DIR}/${iso_checksum}.iso" + fi + fi + done + fi +fi +[ -f "$install_iso" ] || reportfailed "Iso ($install_iso) not found." + +[ -f "$kickstart_file" ] || reportfailed " ($kickstart_file) not found." + +if [[ -z "$is_overwrite_image" ]]; then + [ -f "$target_image" ] && reportfailed "$target_image already exists" +fi + +# Make sure it is writable +touch "$target_image" || reportfailed "Could not create '$target_image' (the third parameter)" + +TARGET_DIR="$(cd "$(dirname "$(readlink -f "$target_dir")")" && pwd -P)" || reportfailed + +WORK_DIR=$(mktemp -d) +trap "rm -rf $WORK_DIR" EXIT + +# Variables can be referenced from child processes. +export WORK_DIR CONF_PATH TARGET_DIR KVM_PID + +( + rm -f "$target_image" + qemu-img create -f qcow2 "$target_image" 10000M +) || reportfailed "Problem while creating empty qcow2 image" + +KSFPY="$WORK_DIR/kickstart_floppy.img" + +( + dd if=/dev/zero of="$KSFPY" count=1440 bs=1k + /sbin/mkfs.msdos "$KSFPY" + if [[ -f $kickstart_file ]]; then + mcopy -i "$KSFPY" "$kickstart_file" ::/ks.cfg + fi + if [[ ${#post_scripts} -gt 0 ]]; then + for src in ${post_scripts[@]} + do + mcopy -i "$KSFPY" "$src" ::/$(basename $src) + done + fi + mdir -i "$KSFPY" +) || reportfailed "Problem while creating floppy with kickstart file" + + +kvmcmdline=( + $qemu_binary + -name ksvm + + -fda "$KSFPY" + -drive "file=$target_image,if=virtio,cache=writeback,discard=ignore" + + -machine type=pc,accel=kvm + + -netdev user,id=user.0,hostfwd=tcp::2224-:22 + -device virtio-net,netdev=user.0 + -monitor telnet:0.0.0.0:4567,server,nowait + -vnc 0.0.0.0:47 + $qemu_args + ) + +#echo "${kvmcmdline[@]}" >runscript.sh +#chmod +x runscript.sh + +echo "${kvmcmdline[@]}" -boot once=d -cdrom "$install_iso" +if ! type $qemu_binary > /dev/null 2>&1; then + reportfailed "Not found $qemu_binary" +fi +"${kvmcmdline[@]}" -boot once=d -cdrom "$install_iso" >"$WORK_DIR/kvm.stdout" 2>"$WORK_DIR/kvm.stderr" & +KVM_PID=$! +echo "$KVM_PID" >"$WORK_DIR/kvm.pid" +echo "Qemu launched ($KVM_PID)" + +sleep 15 + +if [[ ${#boot_commands} -gt 0 ]]; then + echo "Sending boot command..." + echo ${boot_commands[@]} + for k in ${boot_commands[@]} + do + echo sendkey $k + done | nc 127.0.0.1 4567 > $WORK_DIR/boot_command.log +fi + +if [[ ${#local_scripts} -gt 0 ]]; then + for i in "${local_scripts[@]}" + do + echo "Local script: $i" + $i + done +fi + +echo "Now waiting for kvm to exit. (FYI, ^c will kill KVM)" +wait diff --git a/vmimages/bin/screen-watch b/vmimages/bin/screen-watch new file mode 100755 index 000000000..4a73998f4 --- /dev/null +++ b/vmimages/bin/screen-watch @@ -0,0 +1,88 @@ +#!/bin/bash +# Watch qemu screen and detect stall during installation. + +set -e -o pipefail + +WORK_DIR=${WORK_DIR:?"ERROR WORK_DIR not found"} +KVM_PID=${KVM_PID:?"ERROR KVM_PID not found"} + +function detect_stall_screen() { + local stall_sec=$1 + # Checks if $max_hits continuous lines have same checksums. + tac $WORK_DIR/screen-watch.log | awk ' + BEGIN {count=0} + count > max_hits { print "STALL"; exit; } + { if($2 == csum){ count++; } + csum=$2; } + ' max_hits=$(($stall_sec / $option_poll_sec)) +} + +option_save_last= +option_poll_sec=10 +option_stall_sec=600 +option_kill_qemu= + +while [[ $# -gt 0 ]] +do + case $1 in + --save-last) + option_save_last=1 + shift; + ;; + --stall-sec) + option_stall_sec=$2 + shift; shift; + ;; + --kill-qemu) + option_kill_qemu=1 + shift; + ;; + --poll-sec) + option_poll_sec=$2 + shift; shift; + ;; + *) + echo "ERROR: Unknown option $1" > /dev/stderr + exit 1 + ;; + esac +done + +if [[ $option_stall_sec -lt $option_poll_sec ]]; then + echo "ERROR: --stall-sec must be larger than --poll-sec" > /dev/stderr + exit 1 +fi + +cat </dev/null || : + # log format: $SECONDSMD5SUMPATH.ppm + # $SECONDS is bash built-in. + echo $SECONDS $(md5sum $dump_path) >> $WORK_DIR/screen-watch.log + if [[ $(detect_stall_screen "$option_stall_sec") == "STALL" ]]; then + echo "ERROR: Qemu (${KVM_PID}) seems to be stalled over $option_stall_sec sec" > /dev/stderr + + if [[ -n $option_save_last ]]; then + cp $dump_path $TARGET_DIR/stalled-screen.ppm + fi + if [[ -n $option_kill_qemu ]]; then + echo "Terminating qemu (${KVM_PID})..." + kill ${KVM_PID} + exit 2 + fi + fi + rm -f $dump_path + sleep $option_poll_sec +done +) & +echo $! > $WORK_DIR/screen-watch.pid diff --git a/vmimages/build.sh b/vmimages/build.sh new file mode 100755 index 000000000..88a3d5079 --- /dev/null +++ b/vmimages/build.sh @@ -0,0 +1,27 @@ +#!/bin/bash + +set -e + +function abort() { + local msg=$1 + echo "$msg" >&2 + exit 1 +} + +function qemu_build() { + echo "Start to build $(basename $(pwd))" + qemu-build qemu-build.conf +} + +export PATH="$PATH:$(pwd)/bin" + +TARGET_DIR=${1:?"ERROR: Unknown target"} + +if [[ ! -d $TARGET_DIR ]]; then + abort "ERROR: Can't find target: $TARGET_DIR" +fi + +( + cd $TARGET_DIR + qemu_build +) diff --git a/vmimages/centos-7.1.1503-x86_64/ks.cfg b/vmimages/centos-7.1.1503-x86_64/ks.cfg new file mode 100644 index 000000000..925d876ed --- /dev/null +++ b/vmimages/centos-7.1.1503-x86_64/ks.cfg @@ -0,0 +1,57 @@ +install +cdrom +url --url http://mirror.centos.org/centos-7/7.1.1503/os/x86_64/ + +unsupported_hardware +lang en_US.UTF-8 +keyboard us +auth --enableshadow --passalgo=sha256 +#network --bootproto=dhcp --device=eth0 --hostname=centos7 --activate +rootpw vagrant +services --disabled="sendmail,postfix" --enabled="sshd,ntpd,ntpdate" + +firewall --ssh +selinux --disabled +timezone Asia/Tokyo +bootloader --location=mbr + +text +skipx +zerombr + +clearpart --all +part / --fstype=xfs --ondisk=vda --grow --label=root + +firstboot --disabled +shutdown + +%packages --nobase --ignoremissing +@Core +openssh +openssh-clients +opejssh-server +dhclient +sudo +curl +ntp +ntpdate +acpid +%end + +%post --erroronfail +#!/bin/bash + +set -e + +mkdir /mnt/fd +mount /dev/fd0 /mnt/fd + +( + shopt -s nullglob + for i in /mnt/fd/*.sh + do + echo "Applying $(basename $i) ..." + bash $i + done +) +%end diff --git a/vmimages/centos-7.1.1503-x86_64/post-scripts/disable-selinux.sh b/vmimages/centos-7.1.1503-x86_64/post-scripts/disable-selinux.sh new file mode 120000 index 000000000..e3c6f5fec --- /dev/null +++ b/vmimages/centos-7.1.1503-x86_64/post-scripts/disable-selinux.sh @@ -0,0 +1 @@ +../../post-scripts/disable-selinux.sh \ No newline at end of file diff --git a/vmimages/centos-7.1.1503-x86_64/post-scripts/grub2.el7.sh b/vmimages/centos-7.1.1503-x86_64/post-scripts/grub2.el7.sh new file mode 100644 index 000000000..29a407160 --- /dev/null +++ b/vmimages/centos-7.1.1503-x86_64/post-scripts/grub2.el7.sh @@ -0,0 +1,8 @@ +#!/bin/bash + +set -e -o pipefail + +# Disable biosdevname allows "ethX" traditional interface name. +sed -i 's/^GRUB_CMDLINE_LINUX=.*/GRUB_CMDLINE_LINUX="crashkernel=auto vconsole.font=latarcyrheb-sun16 vconsole.keymap=us crashkernel=auto net.ifnames=0 biosdevname=0"/' /etc/default/grub +grub2-mkconfig -o /boot/grub2/grub.cfg + diff --git a/vmimages/centos-7.1.1503-x86_64/post-scripts/serial-console.el7.sh b/vmimages/centos-7.1.1503-x86_64/post-scripts/serial-console.el7.sh new file mode 100644 index 000000000..1d13bd9bc --- /dev/null +++ b/vmimages/centos-7.1.1503-x86_64/post-scripts/serial-console.el7.sh @@ -0,0 +1,6 @@ +#!/bin/bash + +set -e -o pipefail + +ln -s /usr/lib/systemd/system/getty@.service /etc/systemd/system/getty.target.wants/getty@ttyS0.service +egrep -w "^ttyS0" /etc/securetty || { echo ttyS0 >> /etc/securetty; } diff --git a/vmimages/centos-7.1.1503-x86_64/post-scripts/sshd_config.sh b/vmimages/centos-7.1.1503-x86_64/post-scripts/sshd_config.sh new file mode 120000 index 000000000..ec8182224 --- /dev/null +++ b/vmimages/centos-7.1.1503-x86_64/post-scripts/sshd_config.sh @@ -0,0 +1 @@ +../../post-scripts/sshd_config.sh \ No newline at end of file diff --git a/vmimages/centos-7.1.1503-x86_64/post-scripts/teardown.sh b/vmimages/centos-7.1.1503-x86_64/post-scripts/teardown.sh new file mode 120000 index 000000000..e12ed9ae5 --- /dev/null +++ b/vmimages/centos-7.1.1503-x86_64/post-scripts/teardown.sh @@ -0,0 +1 @@ +../../post-scripts/teardown.sh \ No newline at end of file diff --git a/vmimages/centos-7.1.1503-x86_64/post-scripts/udev_clean.sh b/vmimages/centos-7.1.1503-x86_64/post-scripts/udev_clean.sh new file mode 120000 index 000000000..f1d6a8487 --- /dev/null +++ b/vmimages/centos-7.1.1503-x86_64/post-scripts/udev_clean.sh @@ -0,0 +1 @@ +../../post-scripts/udev_clean.sh \ No newline at end of file diff --git a/vmimages/centos-7.1.1503-x86_64/qemu-build.conf b/vmimages/centos-7.1.1503-x86_64/qemu-build.conf new file mode 100644 index 000000000..f834151e4 --- /dev/null +++ b/vmimages/centos-7.1.1503-x86_64/qemu-build.conf @@ -0,0 +1,13 @@ +target_image=centos7.img +kickstart_file="ks.cfg" +iso_checksum="d07ab3e615c66a8b2e9a50f4852e6a77" +iso_urls=( + http://ftp.riken.jp/Linux/centos/7.1.1503/isos/x86_64/CentOS-7-x86_64-Minimal-1503-01.iso +) +# "textks=hd:fd0:/ks.cfg" +boot_commands=(tab t e x t spc k s equal h d shift-semicolon f d 0 shift-semicolon slash k s dot c f g ret) +qemu_args="-m 1G" +post_scripts=(./post-scripts/*.sh) +#local_scripts=("../bin/screen-watch --kill-qemu --save-last") +local_scripts=("../bin/screen-watch --kill-qemu --stall-sec 30 --save-last") + diff --git a/vmimages/post-scripts/disable-selinux.sh b/vmimages/post-scripts/disable-selinux.sh new file mode 100755 index 000000000..c219153b6 --- /dev/null +++ b/vmimages/post-scripts/disable-selinux.sh @@ -0,0 +1,13 @@ +#!/bin/bash +# +# requires: +# bash +# +set -e +set -o pipefail +set -x + +if [[ -f /etc/selinux/config ]]; then + sed -i "s/^\(SELINUX=\).*/\1disabled/" /etc/selinux/config + egrep ^SELINUX= /etc/selinux/config +fi diff --git a/vmimages/post-scripts/login_user.sh b/vmimages/post-scripts/login_user.sh new file mode 100644 index 000000000..b997ba729 --- /dev/null +++ b/vmimages/post-scripts/login_user.sh @@ -0,0 +1,16 @@ +#!/bin/bash + +set -e -o pipefail + +USERNAME=${USERNAME:-centos} + +# account:vagrant +groupadd $USERNAME +useradd -g $USERNAME -s /bin/bash -m $USERNAME +echo umask 022 >> /home/$USERNAME/.bashrc +echo $USERNAME:$USERNAME | chpasswd +usermod -L root + +echo "vagrant ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers +sed -i "s/^\(^Defaults\s*requiretty\).*/# \1/" /etc/sudoers + diff --git a/vmimages/post-scripts/sshd_config.sh b/vmimages/post-scripts/sshd_config.sh new file mode 100755 index 000000000..6d751b1cb --- /dev/null +++ b/vmimages/post-scripts/sshd_config.sh @@ -0,0 +1,77 @@ +#!/bin/bash +# +# requires: +# bash +# +set -e +set -o pipefail +set -x + +function config_sshd_config() { + local sshd_config_path=$1 keyword=$2 value=$3 + [[ -a "${sshd_config_path}" ]] || { echo "[ERROR] file not found: ${sshd_config_path} (${BASH_SOURCE[0]##*/}:${LINENO})" >&2; return 1; } + [[ -n "${keyword}" ]] || { echo "[ERROR] Invalid argument: keyword:${keyword} (${BASH_SOURCE[0]##*/}:${LINENO})" >&2; return 1; } + [[ -n "${value}" ]] || { echo "[ERROR] Invalid argument: value:${value} (${BASH_SOURCE[0]##*/}:${LINENO})" >&2; return 1; } + + egrep -q -w "^${keyword}" ${sshd_config_path} && { + # enabled + sed -i "s,^${keyword}.*,${keyword} ${value}," ${sshd_config_path} + } || { + # commented parameter is "^#keyword value". + # therefore this case should *not* be included white spaces between # and keyword. + egrep -q -w "^#${keyword}" ${sshd_config_path} && { + # disabled + sed -i "s,^#${keyword}.*,${keyword} ${value}," ${sshd_config_path} + } || { + # no match + echo "${keyword} ${value}" >> ${sshd_config_path} + } + } + + egrep -q -w "^${keyword} ${value}" ${sshd_config_path} +} + +{ + while read param value; do + config_sshd_config /etc/ssh/sshd_config ${param} ${value} + done < <(cat <<-EOS | egrep -v '^#|^$' + # + # "Top 20 OpenSSH Server Best Security Practices" + # * http://www.cyberciti.biz/tips/linux-unix-bsd-openssh-server-best-practices.html + # + + # 02: Only Use SSH Protocol 2 + Protocol 2 + + # 03: Limit Users SSH Access + DenyUsers root + + # 04: Configure Idle Log Out Timeout Interval + ClientAliveInterval 0 + ClientAliveCountMax 3 + + # 05: Disable .rhosts Files + IgnoreRhosts yes + + # 06: Disable Host-Based Authentication + HostbasedAuthentication no + + # 07: Disable root Login via SSH + PermitRootLogin no + + # 09: Change SSH Port and Limit IP Binding + Port 22 + + # 11: Use Public Key Based Authentication + PasswordAuthentication no + + # 15: Disable Empty Passwords + PermitEmptyPasswords no + + # Others + StrictModes yes + X11Forwarding no + UseDNS no + EOS + ) +} diff --git a/vmimages/post-scripts/teardown.sh b/vmimages/post-scripts/teardown.sh new file mode 100755 index 000000000..69e62fe52 --- /dev/null +++ b/vmimages/post-scripts/teardown.sh @@ -0,0 +1,20 @@ +#!/bin/bash +# +# requires: +# bash +# +set -e +set -o pipefail +set -x + +if [[ -f /etc/yum.repos.d/CentOS-Base.repo.saved ]]; then + mv /etc/yum.repos.d/CentOS-Base.repo.saved /etc/yum.repos.d/CentOS-Base.repo +fi + +rm -f /etc/ssh/ssh_host_* + +while read varlog; do + cp /dev/null ${varlog} +done < <(find /var/log/ -type f) + +history -c diff --git a/vmimages/post-scripts/udev_clean.sh b/vmimages/post-scripts/udev_clean.sh new file mode 100644 index 000000000..2179f5e09 --- /dev/null +++ b/vmimages/post-scripts/udev_clean.sh @@ -0,0 +1,5 @@ +#!/bin/bash + +# udev +rm -f /etc/udev/rules.d/70-persistent-net.rules +ln -s /dev/null /etc/udev/rules.d/70-persistent-net.rules