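def rsync_mountpoints(src_inst, src_vol, src_mnt, dst_inst, dst_vol, dst_mnt,
                      encr=False):
    """Run `rsync` against mountpoints, copy disk label.

    A temporary SSH key pair is created for ``dst_inst``; its public half is
    appended to ``/root/.ssh/authorized_keys`` on the destination only for
    the duration of the copy (the previous file is restored afterwards, even
    when the copy fails), and its private half is uploaded to ``~/.ssh/`` on
    the source so the source host can push straight to ``root@dst``.

    :param src_inst: source instance;
    :param src_vol: source volume with label that will be copied to
                    dst_vol;
    :param src_mnt: root or directory hierarchy to replicate;
    :param dst_inst: destination instance;
    :param dst_vol: destination volume, that will be marked with label
                    from src_vol;
    :param dst_mnt: destination point where source hierarchy to place;
    :param encr: True if volume is encrypted; the raw block device is then
                 streamed with ``dd | gzip | nc`` instead of rsync and no
                 label is copied;
    :type encr: bool."""
    src_key_filename = config.get(src_inst.region.name, 'KEY_FILENAME')
    dst_key_filename = config.get(dst_inst.region.name, 'KEY_FILENAME')
    with config_temp_ssh(dst_inst.connection) as key_file:
        # Basename under which the temporary private key will live in the
        # source host's ~/.ssh/. Kept apart from dst_key_filename, which must
        # keep pointing at the *local* key used to reach dst_inst below.
        remote_key_name = os.path.split(key_file)[1]
        with settings(host_string=dst_inst.public_dns_name,
                      key_filename=dst_key_filename):
            wait_for_sudo('cp /root/.ssh/authorized_keys '
                          '/root/.ssh/authorized_keys.bak')
            pub_key = local('ssh-keygen -y -f {0}'.format(key_file), True)
            append('/root/.ssh/authorized_keys', pub_key, use_sudo=True)
            if encr:
                # Detached listener writing whatever arrives on TCP 60000
                # onto the destination device. Nothing in this function
                # authenticates the peer or restricts who may connect;
                # network-level filtering has to do that.  # dirty magick
                sudo('screen -d -m sh -c "nc -l 60000 | gzip -dfc | '
                     'sudo dd of={0} bs=16M"'
                     .format(get_vol_dev(dst_vol)), pty=False)
                dst_ip = sudo(
                    'curl http://169.254.169.254/latest/meta-data/public-ipv4')

        try:
            with settings(host_string=src_inst.public_dns_name,
                          key_filename=src_key_filename):
                put(key_file, '.ssh/', mirror_local_mode=True)
                if encr:
                    sudo('(dd if={0} bs=16M | gzip -cf --fast | nc -v {1} 60000)'
                         .format(get_vol_dev(src_vol), dst_ip))
                else:
                    # StrictHostKeyChecking=no skips host-key verification of
                    # the destination, so this hop is only as trustworthy as
                    # the network path between the two instances.
                    cmd = (
                        'rsync -e "ssh -i .ssh/{key_file} -o '
                        'StrictHostKeyChecking=no" -cahHAX --delete --inplace '
                        '--exclude /root/.bash_history '
                        '--exclude /home/*/.bash_history '
                        '--exclude /etc/ssh/moduli --exclude /etc/ssh/ssh_host_* '
                        '--exclude /etc/udev/rules.d/*persistent-net.rules '
                        '--exclude /var/lib/ec2/* --exclude=/mnt/* '
                        '--exclude=/proc/* --exclude=/tmp/* '
                        '{src_mnt}/ root@{rhost}:{dst_mnt}')
                    wait_for_sudo(cmd.format(
                        rhost=dst_inst.public_dns_name, dst_mnt=dst_mnt,
                        key_file=remote_key_name, src_mnt=src_mnt))
                    label = sudo('e2label {0}'.format(get_vol_dev(src_vol)))
        finally:
            # Always drop the temporary public key from root's
            # authorized_keys, also when the copy above failed.
            with settings(host_string=dst_inst.public_dns_name,
                          key_filename=dst_key_filename):
                wait_for_sudo('mv /root/.ssh/authorized_keys.bak '
                              '/root/.ssh/authorized_keys')

        with settings(host_string=dst_inst.public_dns_name,
                      key_filename=dst_key_filename):
            if not encr:
                sudo('e2label {0} {1}'.format(get_vol_dev(dst_vol), label))
            wait_for_sudo('sync', shell=False)
            # Keep flushing in the background for ~20 s so late writes land.
            wait_for_sudo('for i in {1..20}; do sync; sleep 1; done &')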
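 def attach_snap_to_inst(inst, snap):
     """Attach `snap` to `inst` as a volume, yield it, clean up afterwards.

     Yields ``(vol, mnt)``: the attached volume and its mountpoint, or
     ``None`` as mountpoint when ``encr`` (from the enclosing scope) is set,
     because an encrypted volume is not mounted here. Whatever happens in the
     caller's body, every volume returned by ``force_snap_attach`` is
     unmounted (best effort), detached and deleted on exit."""
     wait_for(inst, 'running')
     # Initialised before the try so the finally block is safe even when
     # force_snap_attach raises before assigning them.
     volumes = []
     mnt = None
     try:
         vol, volumes = force_snap_attach(inst, snap)
         if not encr:
             mnt = mount_volume(vol)
         yield vol, mnt
     except BaseException as err:
         logger.exception(str(err))
         raise
     finally:
         if mnt is not None:
             key_filename = config.get(inst.region.name, 'KEY_FILENAME')
             with settings(host_string=inst.public_dns_name,
                           key_filename=key_filename):
                 try:
                     wait_for_sudo('umount {0}'.format(mnt))
                 except (Exception, SystemExit):
                     # Best effort: Fabric aborts a failed command with
                     # SystemExit, so that has to be caught here as well.
                     logger.warning('Could not unmount %s', mnt)
         for leftover in volumes:
             if leftover.status != 'available':
                 leftover.detach(force=True)
             wait_for(leftover, 'available', limit=DETACH_TIME)
             logger.info('Deleting {vol} in {vol.region}.'.format(vol=leftover))
             leftover.delete()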
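def rsync_mountpoints(src_inst, src_vol, src_mnt, dst_inst, dst_vol, dst_mnt,
                      encr=False):
    """Run `rsync` against mountpoints, copy disk label.

    A temporary SSH key pair is created for ``dst_inst``; its public half is
    appended to ``/root/.ssh/authorized_keys`` on the destination only for
    the duration of the copy (the previous file is restored afterwards, even
    when the copy fails), and its private half is uploaded to ``~/.ssh/`` on
    the source so the source host can push straight to ``root@dst``.

    :param src_inst: source instance;
    :param src_vol: source volume with label that will be copied to
                    dst_vol;
    :param src_mnt: root or directory hierarchy to replicate;
    :param dst_inst: destination instance;
    :param dst_vol: destination volume, that will be marked with label
                    from src_vol;
    :param dst_mnt: destination point where source hierarchy to place;
    :param encr: True if volume is encrypted; the raw block device is then
                 streamed with ``dd | gzip | nc`` instead of rsync and no
                 label is copied;
    :type encr: bool."""
    src_key_filename = config.get(src_inst.region.name, 'KEY_FILENAME')
    dst_key_filename = config.get(dst_inst.region.name, 'KEY_FILENAME')
    with config_temp_ssh(dst_inst.connection) as key_file:
        # Basename under which the temporary private key will live in the
        # source host's ~/.ssh/. Kept apart from dst_key_filename, which must
        # keep pointing at the *local* key used to reach dst_inst below.
        remote_key_name = os.path.split(key_file)[1]
        with settings(host_string=dst_inst.public_dns_name,
                      key_filename=dst_key_filename):
            wait_for_sudo('cp /root/.ssh/authorized_keys '
                          '/root/.ssh/authorized_keys.bak')
            pub_key = local('ssh-keygen -y -f {0}'.format(key_file), True)
            append('/root/.ssh/authorized_keys', pub_key, use_sudo=True)
            if encr:
                # Detached listener writing whatever arrives on TCP 60000
                # onto the destination device. Nothing in this function
                # authenticates the peer or restricts who may connect;
                # network-level filtering has to do that.  # dirty magick
                sudo('screen -d -m sh -c "nc -l 60000 | gzip -dfc | '
                     'sudo dd of={0} bs=16M"'
                     .format(get_vol_dev(dst_vol)), pty=False)
                dst_ip = sudo(
                    'curl http://169.254.169.254/latest/meta-data/public-ipv4')

        try:
            with settings(host_string=src_inst.public_dns_name,
                          key_filename=src_key_filename):
                put(key_file, '.ssh/', mirror_local_mode=True)
                if encr:
                    sudo('(dd if={0} bs=16M | gzip -cf --fast | nc -v {1} 60000)'
                         .format(get_vol_dev(src_vol), dst_ip))
                else:
                    # StrictHostKeyChecking=no skips host-key verification of
                    # the destination, so this hop is only as trustworthy as
                    # the network path between the two instances.
                    cmd = (
                        'rsync -e "ssh -i .ssh/{key_file} -o '
                        'StrictHostKeyChecking=no" -cahHAX --delete --inplace '
                        '--exclude /root/.bash_history '
                        '--exclude /home/*/.bash_history '
                        '--exclude /etc/ssh/moduli --exclude /etc/ssh/ssh_host_* '
                        '--exclude /etc/udev/rules.d/*persistent-net.rules '
                        '--exclude /var/lib/ec2/* --exclude=/mnt/* '
                        '--exclude=/proc/* --exclude=/tmp/* '
                        '{src_mnt}/ root@{rhost}:{dst_mnt}')
                    wait_for_sudo(cmd.format(
                        rhost=dst_inst.public_dns_name, dst_mnt=dst_mnt,
                        key_file=remote_key_name, src_mnt=src_mnt))
                    label = sudo('e2label {0}'.format(get_vol_dev(src_vol)))
        finally:
            # Always drop the temporary public key from root's
            # authorized_keys, also when the copy above failed.
            with settings(host_string=dst_inst.public_dns_name,
                          key_filename=dst_key_filename):
                wait_for_sudo('mv /root/.ssh/authorized_keys.bak '
                              '/root/.ssh/authorized_keys')

        with settings(host_string=dst_inst.public_dns_name,
                      key_filename=dst_key_filename):
            if not encr:
                sudo('e2label {0} {1}'.format(get_vol_dev(dst_vol), label))
            wait_for_sudo('sync', shell=False)
            # Keep flushing in the background for ~20 s so late writes land.
            wait_for_sudo('for i in {1..20}; do sync; sleep 1; done &')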
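 def attach_snap_to_inst(inst, snap):
     """Attach `snap` to `inst` as a volume, yield it, clean up afterwards.

     Yields ``(vol, mnt)``: the attached volume and its mountpoint, or
     ``None`` as mountpoint when ``encr`` (from the enclosing scope) is set,
     because an encrypted volume is not mounted here. Whatever happens in the
     caller's body, every volume returned by ``force_snap_attach`` is
     unmounted (best effort), detached and deleted on exit."""
     wait_for(inst, 'running')
     # Initialised before the try so the finally block is safe even when
     # force_snap_attach raises before assigning them.
     volumes = []
     mnt = None
     try:
         vol, volumes = force_snap_attach(inst, snap)
         if not encr:
             mnt = mount_volume(vol)
         yield vol, mnt
     except BaseException as err:
         logger.exception(str(err))
         raise
     finally:
         if mnt is not None:
             key_filename = config.get(inst.region.name, 'KEY_FILENAME')
             with settings(host_string=inst.public_dns_name,
                           key_filename=key_filename):
                 try:
                     wait_for_sudo('umount {0}'.format(mnt))
                 except (Exception, SystemExit):
                     # Best effort: Fabric aborts a failed command with
                     # SystemExit, so that has to be caught here as well.
                     logger.warning('Could not unmount %s', mnt)
         for leftover in volumes:
             if leftover.status != 'available':
                 leftover.detach(force=True)
             wait_for(leftover, 'available', limit=DETACH_TIME)
             logger.info('Deleting {vol} in {vol.region}.'.format(vol=leftover))
             leftover.delete()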
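 def freeze_volume():
     """Flush filesystem buffers on `inst` so a snapshot sees a quiet disk.

     ``inst`` and ``username`` come from the enclosing scope. The SSH user
     is read from the ``[SYNC] USERNAME`` config option when present and
     falls back to ``username`` otherwise. After one synchronous ``sync`` a
     background loop keeps syncing for ~20 s to catch late writes."""
     key_filename = config.get(inst.region.name, 'KEY_FILENAME')
     try:
         _user = config.get('SYNC', 'USERNAME')
     except Exception:
         # Section or option missing (presumably a ConfigParser error):
         # fall back to the caller's username.
         _user = username
     with settings(host_string=inst.public_dns_name,
                   key_filename=key_filename, user=_user):
         wait_for_sudo('sync', shell=False)
         run('for i in {1..20}; do sudo sync; sleep 1; done &')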
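 def freeze_volume():
     """Flush filesystem buffers on `inst` so a snapshot sees a quiet disk.

     ``inst`` and ``USERNAME`` come from the enclosing scope. The SSH user
     is read from the ``[SYNC] USERNAME`` config option when present and
     falls back to ``USERNAME`` otherwise. After one synchronous ``sync`` a
     background loop keeps syncing for ~20 s to catch late writes."""
     key_filename = config.get(inst.region.name, 'KEY_FILENAME')
     try:
         _user = config.get('SYNC', 'USERNAME')
     except Exception:
         # Section or option missing (presumably a ConfigParser error):
         # fall back to the module-level default.
         _user = USERNAME
     with settings(host_string=inst.public_dns_name,
                   key_filename=key_filename, user=_user):
         wait_for_sudo('sync', shell=False)
         run('for i in {1..20}; do sudo sync; sleep 1; done &')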
def mount_volume(vol, mkfs=False):
    """Mount the device by SSH. Return mountpoint on success.

    vol
        volume to be mounted on the instance it is attached to.
    mkfs
        when True an ext3 filesystem is created on the device first --
        this destroys whatever the device held -- and the mountpoint is
        chowned to the SSH user afterwards."""
    wait_for(vol, 'attached', ['attach_data', 'status'])
    region = vol.region.name
    instance = get_inst_by_id(region, vol.attach_data.instance_id)
    key_filename = config.get(region, 'KEY_FILENAME')
    with settings(host_string=instance.public_dns_name,
                  key_filename=key_filename):
        device = get_vol_dev(vol)
        # The mountpoint mirrors the device name under /media/.
        mnt = device.replace('/dev/', '/media/')
        wait_for_sudo('mkdir -p {0}'.format(mnt))
        if mkfs:
            sudo('mkfs.ext3 {dev}'.format(dev=device))
        sudo('mount {dev} {mnt}'.format(dev=device, mnt=mnt))
        if mkfs:
            sudo('chown -R {user}:{user} {mnt}'.format(user=env.user, mnt=mnt))
    logger.debug('Mounted {0} to {1} at {2}'.format(vol, instance, mnt))
    return mnt
def mount_volume(vol, mkfs=False):
    """Mount the device by SSH. Return mountpoint on success.

    vol
        volume to be mounted on the instance it is attached to.
    mkfs
        when True an ext3 filesystem is created on the device first --
        this destroys whatever the device held -- and the mountpoint is
        chowned to the SSH user afterwards."""
    wait_for(vol, 'attached', ['attach_data', 'status'])
    region = vol.region.name
    instance = get_inst_by_id(region, vol.attach_data.instance_id)
    key_filename = config.get(region, 'KEY_FILENAME')
    with settings(host_string=instance.public_dns_name,
                  key_filename=key_filename):
        device = get_vol_dev(vol)
        # The mountpoint mirrors the device name under /media/.
        mnt = device.replace('/dev/', '/media/')
        wait_for_sudo('mkdir -p {0}'.format(mnt))
        if mkfs:
            sudo('mkfs.ext3 {dev}'.format(dev=device))
        sudo('mount {dev} {mnt}'.format(dev=device, mnt=mnt))
        if mkfs:
            sudo('chown -R {user}:{user} {mnt}'.format(user=env.user, mnt=mnt))
    logger.debug('Mounted {0} to {1} at {2}'.format(vol, instance, mnt))
    return mnt
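def make_encrypted_ubuntu(host_string, key_filename, user,
                          architecture, dev, name, release, pw1, pw2):
    """Build a LUKS-encrypted Ubuntu UEC root filesystem on ``dev`` via SSH.

    The official UEC image for ``release``/``architecture`` is downloaded on
    the build instance and verified against the GPG-signed checksum lists
    (the build aborts if verification fails). ``dev`` is then repartitioned
    -- destructively -- into a plain ext3 ``/boot`` on ``{dev}1`` and a LUKS
    container on ``{dev}2`` that opens with either of two passphrases; the
    image is copied into it, the preboot web-auth files (bozohttpd) are
    installed into the initramfs, and the instance is shut down.

    :param host_string: SSH host string of the temporary build instance;
    :param key_filename: private key used to reach it;
    :param user: SSH user; downloads are kept in ``/home/<user>/data``;
    :param architecture: architecture suffix used in the image file name;
    :param dev: block device that will be repartitioned and formatted;
    :param name: device-mapper name for the opened LUKS volume;
    :param release: Ubuntu release codename used in the image URLs;
    :param pw1: first LUKS passphrase;
    :param pw2: second LUKS passphrase. While the two are equal (also when
                both are passed in as the same value) new ones are
                prompted for interactively."""
    import io  # stdlib only; used to upload the passphrases as files

    with settings(host_string=host_string, user=user,
                  key_filename=key_filename):
        data = '/home/' + user + '/data'
        page = 'https://uec-images.ubuntu.com/releases/' \
               + release + '/release/'
        image = release + '-server-uec-' + architecture + '.img'
        bootlabel = "bootfs"

        def check(message, program, sums, archive):
            """Verify ``archive`` against the ``sums`` list; fail closed.

            The checksum list and its detached signature are fetched from
            ``page`` and the signature is verified with the bundled
            ``uecimage.gpg`` keyring before the list is trusted. Any failure
            aborts the build instead of continuing with an unverified image."""
            with hide('running', 'stdout'):
                options = '--keyring=' + data + '/encrypted_root/uecimage.gpg'
                logger.info(message)
                sudo('curl -fs "{page}/{sums}.gpg" > "{data}/{sums}.gpg"'
                     .format(page=page, sums=sums, data=data))
                sudo('curl -fs "{page}/{sums}" > "{data}/{sums}"'
                     .format(page=page, sums=sums, data=data))
                try:
                    sudo('gpgv {options} "{data}/{sums}.gpg" '
                         '"{data}/{sums}" 2> /dev/null'
                         .format(options=options, sums=sums, data=data))
                    sudo('grep "{file}" "{data}/{sums}" | (cd {data};'
                         ' {program} --check --status)'
                         .format(file=archive, sums=sums, data=data,
                                 program=program))
                except (Exception, SystemExit):
                    # Fabric aborts a failed command with SystemExit; log
                    # and re-raise so the unverified image is never used.
                    logger.exception('Verification of {0} against {1} failed.'
                                     .format(archive, sums))
                    raise
                logger.info('Ok')

        def upload_secret(secret, remote_path):
            """Upload ``secret`` as a mode-0600 file at ``remote_path``.

            Done with ``put`` rather than ``echo`` on a ``sudo`` command
            line: command lines show up in ``ps`` and in the sudo log, and
            shell metacharacters in a passphrase would break the command."""
            if isinstance(secret, bytes):
                payload = secret
            else:
                payload = secret.encode('utf-8')
            put(io.BytesIO(payload), remote_path, use_sudo=True, mode=0o600)

        with hide('running', 'stdout'):
            while pw1 == pw2:
                pw1 = prompt('Type in first password for enryption: ')
                pw2 = prompt('Type in second password for enryption: ')
                if pw1 == pw2:
                    logger.info('\nPasswords can\'t be the same.\n')
            logger.info('Installing cryptsetup.....')
            wait_for_sudo('apt-get -y install cryptsetup')
            sudo('mkdir -p {0}'.format(data))
            logger.info('Downloading releases list.....')
            try:
                sudo('curl -fs "{0}" > "{1}/release.html"'.format(page, data))
            except (Exception, SystemExit):
                # Without the release page nothing below can work.
                logger.exception('Invalid system: {0}'.format(release))
                raise
            logger.info('Uploading uecimage.gpg.....')
            encr_root = resource_stream(pkg_name, 'encrypted_root.tar.gz')
            put(encr_root, data + '/encrypted_root.tar.gz', use_sudo=True,
                mirror_local_mode=True)
            sudo('cd {data}; tar -xf {data}/encrypted_root.tar.gz'
                 .format(data=data))
            # Scrape the release page for the tarball whose name ends in
            # "-<architecture>.tar.gz".
            archive = sudo('pattern=\'<a href="([^"]*-{arch}\\.tar\\.gz)">'
                           '\\1</a>\'; perl -ne "m[$pattern] && "\'print "$1\\n'
                           '"\' "{data}/release.html"'
                           .format(data=data, arch=architecture))
            logger.info('Downloading ubuntu image.....')
            sudo('wget -P "{data}" "{page}{file}"'
                 .format(data=data, page=page, file=archive))
            check('Checking SHA256...', 'sha256sum', 'SHA256SUMS', archive)
            check('Checking SHA1.....', 'sha1sum', 'SHA1SUMS', archive)
            check('Checking MD5......', 'md5sum', 'MD5SUMS', archive)
            work = sudo('mktemp --directory')
            sudo('touch {work}/{image}'.format(work=work, image=image))
            logger.info('Unpacking ubuntu image.....')
            sudo('tar xfz "{data}/{file}" -C "{work}" {image}'
                 .format(data=data, file=archive, work=work, image=image))
            sudo('mkdir "{work}/ubuntu"'.format(work=work))
            logger.info('Mounting ubuntu image to working directory.....')
            sudo('mount -o loop,ro "{work}/{image}" "{work}/ubuntu"'
                 .format(image=image, work=work))
            logger.info('Creating separate boot volume.....')
            # sfdisk -uM: partition 1 = 1024 MiB, type 83, bootable;
            # partition 2 = the rest (for the LUKS container).
            sudo('echo -e "0 1024 83 *\n;\n" | /sbin/sfdisk -uM {dev}'
                 .format(dev=dev))
            logger.info('Formatting boot volume.....')
            sudo('/sbin/mkfs -t ext3 -L "{bootlabel}" "{dev}1"'
                 .format(bootlabel=bootlabel, dev=dev))
            # Passphrases go to cryptsetup via key files, shredded below.
            upload_secret(pw1, '{0}/pw1.txt'.format(work))
            upload_secret(pw2, '{0}/pw2.txt'.format(work))
            logger.info('Creating luks encrypted volume.....')
            sudo('cryptsetup luksFormat -q --key-size=256 {dev}2 "{work}/'
                 'pw1.txt"'.format(dev=dev, work=work))
            logger.info('Adding second key to encrypted volume.....')
            sudo('cryptsetup luksAddKey -q --key-file="{work}/pw1.txt" '
                 '{dev}2 "{work}/pw2.txt"'.format(work=work, dev=dev))
            logger.info('Opening luks encrypted volume.....')
            sudo('cryptsetup luksOpen --key-file="{work}/pw1.txt" '
                 '{dev}2 {name}'.format(work=work, dev=dev, name=name))
            sudo('shred --remove "{work}/pw1.txt"; shred --remove'
                 ' "{work}/pw2.txt"'.format(work=work))
            # Reuse the filesystem type of the mounted image for the root.
            fs_type = sudo('df -T "{work}/ubuntu" | tail -1 | cut -d " " -f 5'
                           .format(work=work))
            logger.info('Creating filesystem on luks encrypted volume.....')
            sudo('mkfs -t {fs_type} "/dev/mapper/{name}"'
                 .format(fs_type=fs_type, name=name))
            sudo('/sbin/e2label "/dev/mapper/{name}" "uec-rootfs"'
                 .format(name=name))
            logger.info('Mounting luks encrypted volume.....')
            sudo('mkdir -p "{work}/root"; mount /dev/mapper/{name}'
                 ' "{work}/root"'.format(work=work, name=name))
            logger.info('Starting syncronisation of working dir with image')
            sudo('rsync --archive --hard-links "{work}/ubuntu/"'
                 ' "{work}/root/"'.format(work=work))
            boot_device = 'LABEL=' + bootlabel
            # Expanded by the remote shell inside the sed command below.
            root_device = 'UUID=$(cryptsetup luksUUID ' + dev + '2)'
            # Move /boot out of the encrypted root onto the plain partition.
            sudo('mkdir "{work}/boot"; mount "{dev}1" "{work}/boot"'
                 .format(work=work, dev=dev))
            sudo('rsync --archive "{work}/root/boot/" "{work}/boot"'
                 .format(work=work))
            sudo('rm -rf "{work}/root/boot/"*'.format(work=work))
            sudo('mount --move "{work}/boot" "{work}/root/boot"'
                 .format(work=work))
            sudo('echo "{boot_device} /boot ext3" >> "{work}/root/etc/fstab"'
                 .format(boot_device=boot_device, work=work))
            # /boot is now its own partition, so grub must look at (hd0,0).
            sudo('sed -i -e \'s/(hd0)/(hd0,0)/\' "{work}/root/boot/grub/menu.'
                 'lst"'.format(work=work))
            bozo_target = work + '/root/etc/initramfs-tools/boot'
            sudo('mkdir -p {bozo_target}'.format(bozo_target=bozo_target))
            logger.info('Copying files for preboot web-auth.....')
            sudo('cp {data}/encrypted_root/cryptsetup '
                 '{work}/root/etc/initramfs-tools/hooks/cryptsetup'
                 .format(data=data, work=work))
            places = {'data': data, 'bozo_target': bozo_target}
            for file_ in ['boot.key', 'boot.crt', 'cryptsetup.sh',
                          'index.html', 'activate.cgi', 'hiding.gif',
                          'make_bozo_dir.sh']:
                sudo('cp {data}/encrypted_root/{file} {bozo_target}/{file}'
                     .format(file=file_, **places))
            logger.info('Modifying scripts to match our volumes.....')
            sudo('sed -i "s/\\/dev\\/sda2/{root_device}/" '
                 '{work}/root/etc/initramfs-tools/hooks/cryptsetup'.format(
                 root_device=root_device, work=work))
            sudo('mkdir -p "{work}/root/etc/ec2"'.format(work=work))
            if release == 'lucid':
                # lucid has no bozohttpd package: pull it (and libssl0.9.8)
                # from maverick, pinned so nothing else is upgraded.
                logger.info('Adding apt entries for lucid.....')
                listfile = work + '/root/etc/apt/sources.list'
                sudo('grep "lucid main" {listfile} | sed "'
                     's/lucid/maverick/g" >> {work}/root/etc/'
                     'apt/sources.list.d/bozohttpd.list'
                     .format(listfile=listfile, work=work))
                sudo('echo -e "Package: *\nPin: release a=lucid\nPin-Priority:'
                     ' 600\n\nPackage: bozohttpd\nPin: release a=maverick\n'
                     'Pin-Priority: 1000\n\nPackage: libssl0.9.8\nPin: release'
                     ' a=maverick\nPin-Priority: 1000\n\nPackage: *\n'
                     'Pin: release o=Ubuntu\nPin-Priority: -10\n" | tee '
                     '"{work}/root/etc/apt/preferences"'.format(work=work))
            menufile = work + '/root/boot/grub/menu.lst'
            initrd = sudo('grep "^initrd" "{menufile}" | head -1 | cut -f 3'
                          .format(menufile=menufile))
            kernel = sudo('grep "^kernel" "{menufile}" | head -1 | cut -f 3 | '
                          'cut -d " " -f 1'.format(menufile=menufile))
            sudo('rm -f "{work}/root/initrd.img.old";'
                 'rm -f "{work}/root/vmlinuz.old";'
                 'rm -f "{work}/root/initrd.img";'
                 'rm -f "{work}/root/vmlinuz"'.format(work=work))
            logger.info('Creating symbolic links for kernel.....')
            sudo('ln -s "{initrd}" "{work}/root/initrd.img";'
                 'ln -s "{kernel}" "{work}/root/vmlinuz"'
                 .format(initrd=initrd, kernel=kernel, work=work))
            # Give the chroot working DNS; the original is restored later.
            sudo('mv "{work}/root/etc/resolv.conf" '
                 '"{work}/root/etc/resolv.conf.old";cp "/etc/resolv.conf" '
                 '"{work}/root/etc/"'.format(work=work))
            logger.info('Chrooting and installing needed apps..')
            # A no-op stub stands in for update-inetd while bozohttpd is
            # installed (presumably to skip its inetd registration); the
            # real binary is put back right after.
            sudo('chroot "{work}/root" <<- EOT\n'
                 'set -e\n'
                 'mount -t devpts devpts /dev/pts/\n'
                 'mount -t proc proc /proc/\n'
                 'mount -t sysfs sysfs /sys/\n'
                 'localedef -f UTF-8 -i en_US --no-archive en_US.utf8\n'
                 'apt-get -y update\n'
                 'apt-get -y install ssl-cert\n'
                 'apt-get -y install update-inetd\n'
                 'mv /usr/sbin/update-inetd /usr/sbin/update-inetd.old\n'
                 'touch /usr/sbin/update-inetd\n'
                 'chmod a+x /usr/sbin/update-inetd\n'
                 'apt-get -y install bozohttpd\n'
                 'mv /usr/sbin/update-inetd.old /usr/sbin/update-inetd\n'
                 'EOT'.format(work=work))
            logger.info('Fixing permissions and symlinking bozohttpd...')
            sudo('chroot "{work}/root" <<- EOT\n'
                 'chown root:ssl-cert /etc/initramfs-tools/boot/boot.key\n'
                 'chmod 640 /etc/initramfs-tools/boot/boot.key\n'
                 'ln -s /usr/sbin/bozohttpd /etc/initramfs-tools/boot/\n'
                 'ln -s . /boot/boot\n'
                 'EOT'.format(work=work))
            logger.info('Instaling cryptsetup and unmounting.....')
            sudo('chroot "{work}/root" <<- EOT\n'
                 'apt-get -y install cryptsetup\n'
                 'apt-get -y clean\n'
                 'update-initramfs -uk all\n'
                 'mv /etc/resolv.conf.old /etc/resolv.conf\n'
                 'umount /dev/pts\n'
                 'umount /proc\n'
                 'umount /sys\n'
                 'EOT'.format(work=work))
            logger.info('Shutting down temporary instance')
            sudo('shutdown -h now')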
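def make_encrypted_ubuntu(host_string, key_filename, user, architecture, dev,
                          name, release, pw1, pw2):
    """Build a LUKS-encrypted Ubuntu UEC root filesystem on ``dev`` via SSH.

    The official UEC image for ``release``/``architecture`` is downloaded on
    the build instance and verified against the GPG-signed checksum lists
    (the build aborts if verification fails). ``dev`` is then repartitioned
    -- destructively -- into a plain ext3 ``/boot`` on ``{dev}1`` and a LUKS
    container on ``{dev}2`` that opens with either of two passphrases; the
    image is copied into it, the preboot web-auth files (bozohttpd) are
    installed into the initramfs, and the instance is shut down.

    :param host_string: SSH host string of the temporary build instance;
    :param key_filename: private key used to reach it;
    :param user: SSH user; downloads are kept in ``/home/<user>/data``;
    :param architecture: architecture suffix used in the image file name;
    :param dev: block device that will be repartitioned and formatted;
    :param name: device-mapper name for the opened LUKS volume;
    :param release: Ubuntu release codename used in the image URLs;
    :param pw1: first LUKS passphrase;
    :param pw2: second LUKS passphrase. While the two are equal (also when
                both are passed in as the same value) new ones are
                prompted for interactively."""
    import io  # stdlib only; used to upload the passphrases as files

    with settings(host_string=host_string, user=user,
                  key_filename=key_filename):
        data = '/home/' + user + '/data'
        page = 'https://uec-images.ubuntu.com/releases/' \
               + release + '/release/'
        image = release + '-server-uec-' + architecture + '.img'
        bootlabel = "bootfs"

        def check(message, program, sums, archive):
            """Verify ``archive`` against the ``sums`` list; fail closed.

            The checksum list and its detached signature are fetched from
            ``page`` and the signature is verified with the bundled
            ``uecimage.gpg`` keyring before the list is trusted. Any failure
            aborts the build instead of continuing with an unverified image."""
            with hide('running', 'stdout'):
                options = '--keyring=' + data + '/encrypted_root/uecimage.gpg'
                logger.info(message)
                sudo('curl -fs "{page}/{sums}.gpg" > "{data}/{sums}.gpg"'
                     .format(page=page, sums=sums, data=data))
                sudo('curl -fs "{page}/{sums}" > "{data}/{sums}"'
                     .format(page=page, sums=sums, data=data))
                try:
                    sudo('gpgv {options} "{data}/{sums}.gpg" '
                         '"{data}/{sums}" 2> /dev/null'
                         .format(options=options, sums=sums, data=data))
                    sudo('grep "{file}" "{data}/{sums}" | (cd {data};'
                         ' {program} --check --status)'
                         .format(file=archive, sums=sums, data=data,
                                 program=program))
                except (Exception, SystemExit):
                    # Fabric aborts a failed command with SystemExit; log
                    # and re-raise so the unverified image is never used.
                    logger.exception('Verification of {0} against {1} failed.'
                                     .format(archive, sums))
                    raise
                logger.info('Ok')

        def upload_secret(secret, remote_path):
            """Upload ``secret`` as a mode-0600 file at ``remote_path``.

            Done with ``put`` rather than ``echo`` on a ``sudo`` command
            line: command lines show up in ``ps`` and in the sudo log, and
            shell metacharacters in a passphrase would break the command."""
            if isinstance(secret, bytes):
                payload = secret
            else:
                payload = secret.encode('utf-8')
            put(io.BytesIO(payload), remote_path, use_sudo=True, mode=0o600)

        with hide('running', 'stdout'):
            while pw1 == pw2:
                pw1 = prompt('Type in first password for enryption: ')
                pw2 = prompt('Type in second password for enryption: ')
                if pw1 == pw2:
                    logger.info('\nPasswords can\'t be the same.\n')
            logger.info('Installing cryptsetup.....')
            wait_for_sudo('apt-get -y install cryptsetup')
            sudo('mkdir -p {0}'.format(data))
            logger.info('Downloading releases list.....')
            try:
                sudo('curl -fs "{0}" > "{1}/release.html"'.format(page, data))
            except (Exception, SystemExit):
                # Without the release page nothing below can work.
                logger.exception('Invalid system: {0}'.format(release))
                raise
            logger.info('Uploading uecimage.gpg.....')
            encr_root = resource_stream(pkg_name, 'encrypted_root.tar.gz')
            put(encr_root, data + '/encrypted_root.tar.gz', use_sudo=True,
                mirror_local_mode=True)
            sudo('cd {data}; tar -xf {data}/encrypted_root.tar.gz'
                 .format(data=data))
            # Scrape the release page for the tarball whose name ends in
            # "-<architecture>.tar.gz".
            archive = sudo('pattern=\'<a href="([^"]*-{arch}\\.tar\\.gz)">'
                           '\\1</a>\'; perl -ne "m[$pattern] && "\'print "$1\\n'
                           '"\' "{data}/release.html"'
                           .format(data=data, arch=architecture))
            logger.info('Downloading ubuntu image.....')
            sudo('wget -P "{data}" "{page}{file}"'
                 .format(data=data, page=page, file=archive))
            check('Checking SHA256...', 'sha256sum', 'SHA256SUMS', archive)
            check('Checking SHA1.....', 'sha1sum', 'SHA1SUMS', archive)
            check('Checking MD5......', 'md5sum', 'MD5SUMS', archive)
            work = sudo('mktemp --directory')
            sudo('touch {work}/{image}'.format(work=work, image=image))
            logger.info('Unpacking ubuntu image.....')
            sudo('tar xfz "{data}/{file}" -C "{work}" {image}'
                 .format(data=data, file=archive, work=work, image=image))
            sudo('mkdir "{work}/ubuntu"'.format(work=work))
            logger.info('Mounting ubuntu image to working directory.....')
            sudo('mount -o loop,ro "{work}/{image}" "{work}/ubuntu"'
                 .format(image=image, work=work))
            logger.info('Creating separate boot volume.....')
            # sfdisk -uM: partition 1 = 1024 MiB, type 83, bootable;
            # partition 2 = the rest (for the LUKS container).
            sudo('echo -e "0 1024 83 *\n;\n" | /sbin/sfdisk -uM {dev}'
                 .format(dev=dev))
            logger.info('Formatting boot volume.....')
            sudo('/sbin/mkfs -t ext3 -L "{bootlabel}" "{dev}1"'
                 .format(bootlabel=bootlabel, dev=dev))
            # Passphrases go to cryptsetup via key files, shredded below.
            upload_secret(pw1, '{0}/pw1.txt'.format(work))
            upload_secret(pw2, '{0}/pw2.txt'.format(work))
            logger.info('Creating luks encrypted volume.....')
            sudo('cryptsetup luksFormat -q --key-size=256 {dev}2 "{work}/'
                 'pw1.txt"'.format(dev=dev, work=work))
            logger.info('Adding second key to encrypted volume.....')
            sudo('cryptsetup luksAddKey -q --key-file="{work}/pw1.txt" '
                 '{dev}2 "{work}/pw2.txt"'.format(work=work, dev=dev))
            logger.info('Opening luks encrypted volume.....')
            sudo('cryptsetup luksOpen --key-file="{work}/pw1.txt" '
                 '{dev}2 {name}'.format(work=work, dev=dev, name=name))
            sudo('shred --remove "{work}/pw1.txt"; shred --remove'
                 ' "{work}/pw2.txt"'.format(work=work))
            # Reuse the filesystem type of the mounted image for the root.
            fs_type = sudo('df -T "{work}/ubuntu" | tail -1 | cut -d " " -f 5'
                           .format(work=work))
            logger.info('Creating filesystem on luks encrypted volume.....')
            sudo('mkfs -t {fs_type} "/dev/mapper/{name}"'
                 .format(fs_type=fs_type, name=name))
            sudo('/sbin/e2label "/dev/mapper/{name}" "uec-rootfs"'
                 .format(name=name))
            logger.info('Mounting luks encrypted volume.....')
            sudo('mkdir -p "{work}/root"; mount /dev/mapper/{name}'
                 ' "{work}/root"'.format(work=work, name=name))
            logger.info('Starting syncronisation of working dir with image')
            sudo('rsync --archive --hard-links "{work}/ubuntu/"'
                 ' "{work}/root/"'.format(work=work))
            boot_device = 'LABEL=' + bootlabel
            # Expanded by the remote shell inside the sed command below.
            root_device = 'UUID=$(cryptsetup luksUUID ' + dev + '2)'
            # Move /boot out of the encrypted root onto the plain partition.
            sudo('mkdir "{work}/boot"; mount "{dev}1" "{work}/boot"'
                 .format(work=work, dev=dev))
            sudo('rsync --archive "{work}/root/boot/" "{work}/boot"'
                 .format(work=work))
            sudo('rm -rf "{work}/root/boot/"*'.format(work=work))
            sudo('mount --move "{work}/boot" "{work}/root/boot"'
                 .format(work=work))
            sudo('echo "{boot_device} /boot ext3" >> "{work}/root/etc/fstab"'
                 .format(boot_device=boot_device, work=work))
            # /boot is now its own partition, so grub must look at (hd0,0).
            sudo('sed -i -e \'s/(hd0)/(hd0,0)/\' "{work}/root/boot/grub/menu.'
                 'lst"'.format(work=work))
            bozo_target = work + '/root/etc/initramfs-tools/boot'
            sudo('mkdir -p {bozo_target}'.format(bozo_target=bozo_target))
            logger.info('Copying files for preboot web-auth.....')
            sudo('cp {data}/encrypted_root/cryptsetup '
                 '{work}/root/etc/initramfs-tools/hooks/cryptsetup'
                 .format(data=data, work=work))
            places = {'data': data, 'bozo_target': bozo_target}
            for file_ in ['boot.key', 'boot.crt', 'cryptsetup.sh',
                          'index.html', 'activate.cgi', 'hiding.gif',
                          'make_bozo_dir.sh']:
                sudo('cp {data}/encrypted_root/{file} {bozo_target}/{file}'
                     .format(file=file_, **places))
            logger.info('Modifying scripts to match our volumes.....')
            sudo('sed -i "s/\\/dev\\/sda2/{root_device}/" '
                 '{work}/root/etc/initramfs-tools/hooks/cryptsetup'.format(
                 root_device=root_device, work=work))
            sudo('mkdir -p "{work}/root/etc/ec2"'.format(work=work))
            if release == 'lucid':
                # lucid has no bozohttpd package: pull it (and libssl0.9.8)
                # from maverick, pinned so nothing else is upgraded.
                logger.info('Adding apt entries for lucid.....')
                listfile = work + '/root/etc/apt/sources.list'
                sudo('grep "lucid main" {listfile} | sed "'
                     's/lucid/maverick/g" >> {work}/root/etc/'
                     'apt/sources.list.d/bozohttpd.list'
                     .format(listfile=listfile, work=work))
                sudo('echo -e "Package: *\nPin: release a=lucid\nPin-Priority:'
                     ' 600\n\nPackage: bozohttpd\nPin: release a=maverick\n'
                     'Pin-Priority: 1000\n\nPackage: libssl0.9.8\nPin: release'
                     ' a=maverick\nPin-Priority: 1000\n\nPackage: *\n'
                     'Pin: release o=Ubuntu\nPin-Priority: -10\n" | tee '
                     '"{work}/root/etc/apt/preferences"'.format(work=work))
            menufile = work + '/root/boot/grub/menu.lst'
            initrd = sudo('grep "^initrd" "{menufile}" | head -1 | cut -f 3'
                          .format(menufile=menufile))
            kernel = sudo('grep "^kernel" "{menufile}" | head -1 | cut -f 3 | '
                          'cut -d " " -f 1'.format(menufile=menufile))
            sudo('rm -f "{work}/root/initrd.img.old";'
                 'rm -f "{work}/root/vmlinuz.old";'
                 'rm -f "{work}/root/initrd.img";'
                 'rm -f "{work}/root/vmlinuz"'.format(work=work))
            logger.info('Creating symbolic links for kernel.....')
            sudo('ln -s "{initrd}" "{work}/root/initrd.img";'
                 'ln -s "{kernel}" "{work}/root/vmlinuz"'
                 .format(initrd=initrd, kernel=kernel, work=work))
            # Give the chroot working DNS; the original is restored later.
            sudo('mv "{work}/root/etc/resolv.conf" '
                 '"{work}/root/etc/resolv.conf.old";cp "/etc/resolv.conf" '
                 '"{work}/root/etc/"'.format(work=work))
            logger.info('Chrooting and installing needed apps..')
            # A no-op stub stands in for update-inetd while bozohttpd is
            # installed (presumably to skip its inetd registration); the
            # real binary is put back right after.
            sudo('chroot "{work}/root" <<- EOT\n'
                 'set -e\n'
                 'mount -t devpts devpts /dev/pts/\n'
                 'mount -t proc proc /proc/\n'
                 'mount -t sysfs sysfs /sys/\n'
                 'localedef -f UTF-8 -i en_US --no-archive en_US.utf8\n'
                 'apt-get -y update\n'
                 'apt-get -y install ssl-cert\n'
                 'apt-get -y install update-inetd\n'
                 'mv /usr/sbin/update-inetd /usr/sbin/update-inetd.old\n'
                 'touch /usr/sbin/update-inetd\n'
                 'chmod a+x /usr/sbin/update-inetd\n'
                 'apt-get -y install bozohttpd\n'
                 'mv /usr/sbin/update-inetd.old /usr/sbin/update-inetd\n'
                 'EOT'.format(work=work))
            logger.info('Fixing permissions and symlinking bozohttpd...')
            sudo('chroot "{work}/root" <<- EOT\n'
                 'chown root:ssl-cert /etc/initramfs-tools/boot/boot.key\n'
                 'chmod 640 /etc/initramfs-tools/boot/boot.key\n'
                 'ln -s /usr/sbin/bozohttpd /etc/initramfs-tools/boot/\n'
                 'ln -s . /boot/boot\n'
                 'EOT'.format(work=work))
            logger.info('Instaling cryptsetup and unmounting.....')
            sudo('chroot "{work}/root" <<- EOT\n'
                 'apt-get -y install cryptsetup\n'
                 'apt-get -y clean\n'
                 'update-initramfs -uk all\n'
                 'mv /etc/resolv.conf.old /etc/resolv.conf\n'
                 'umount /dev/pts\n'
                 'umount /proc\n'
                 'umount /sys\n'
                 'EOT'.format(work=work))
            logger.info('Shutting down temporary instance')
            sudo('shutdown -h now')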