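def SetupSsh():
    """Install the image's SSH client/server configuration and enable sshd.

    Host key files are securely deleted before the configuration is written.
    A host key left in the image would be shared by every instance booted
    from it, so all key types are removed, including Ed25519.
    """
    utils.LogStep('Configure SSH')
    # NOTE(review): marker file only; whether sshd.service on the target
    # distribution consults it is not visible from this function.
    utils.WriteFile('/etc/ssh/sshd_not_to_be_run', 'GOOGLE')

    # The original list stopped at ECDSA; Ed25519 host keys are added so no
    # key type generated in the build environment survives into the image.
    host_key_patterns = (
        '/etc/ssh/ssh_host_key',
        '/etc/ssh/ssh_host_rsa_key*',
        '/etc/ssh/ssh_host_dsa_key*',
        '/etc/ssh/ssh_host_ecdsa_key*',
        '/etc/ssh/ssh_host_ed25519_key*',
    )
    for pattern in host_key_patterns:
        utils.SecureDeleteFile(pattern)

    # NOTE(review): the mode is the decimal literal 644, not 0o644. That is
    # only right if utils.Chmod passes it textually to chmod(1) -- confirm.
    utils.WriteFile('/etc/ssh/ssh_config', ETC_SSH_SSH_CONFIG)
    utils.Chmod('/etc/ssh/ssh_config', 644)
    utils.WriteFile('/etc/ssh/sshd_config', ETC_SSH_SSHD_CONFIG)
    utils.Chmod('/etc/ssh/sshd_config', 644)
    utils.EnableService('sshd.service')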
def InstallGoogleCloudSdk():
    """Download the Cloud SDK zip, run its installer and link its tools.

    The archive is unpacked under /usr/share/google, install.sh is run with
    CLOUDSDK_PYTHON pointing at python2, gcloud/gcutil/gsutil are symlinked
    into /usr/bin, and the downloaded archive is securely deleted.
    """
    # TODO: There's a google-cloud-sdk in AUR which should be used
    # but it's not optimal for cloud use. The image is too large.
    utils.LogStep('Install Google Cloud SDK')
    install_root = '/usr/share/google'
    sdk_zip = os.path.join(install_root, 'google-cloud-sdk.zip')
    sdk_dir = os.path.join(install_root, 'google-cloud-sdk')

    utils.CreateDirectory(install_root)
    # NOTE(review): the archive is fetched over HTTPS, but no digest or
    # signature is checked before install.sh from it is executed below.
    # Pin and verify a published checksum if one is available.
    utils.DownloadFile(
        'https://dl.google.com/dl/cloudsdk/release/google-cloud-sdk.zip',
        sdk_zip)
    utils.Run(['unzip', sdk_zip, '-d', install_root])
    utils.AppendFile('/etc/bash.bashrc',
                     'export CLOUDSDK_PYTHON=/usr/bin/python2')

    installer_cmd = [os.path.join(sdk_dir, 'install.sh')]
    installer_cmd += ['--usage-reporting', 'false']
    installer_cmd += ['--bash-completion', 'true']
    installer_cmd += ['--disable-installation-options']
    installer_cmd += ['--rc-path', '/etc/bash.bashrc']
    installer_cmd += ['--path-update', 'true']
    utils.Run(installer_cmd, cwd=sdk_dir,
              env={'CLOUDSDK_PYTHON': '/usr/bin/python2'})

    # Expose the SDK entry points on the default PATH.
    for tool in ('gcloud', 'gcutil', 'gsutil'):
        utils.Symlink(os.path.join(sdk_dir, 'bin/' + tool), '/usr/bin/' + tool)
    utils.SecureDeleteFile(sdk_zip)
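def InstallComputeImagePackages(packages_dir):
    """Install the compute-image-packages tree and enable its services.

    Python shebangs under packages_dir are rewritten to python2, the
    google-daemon and google-startup-scripts trees are copied onto /, the
    Google systemd units are patched and enabled, and packages_dir is
    deleted.

    Args:
        packages_dir: Path to the unpacked compute-image-packages checkout.
    """
    import shlex

    utils.LogStep('Install compute-image-packages')
    # The pipeline runs through a shell, so packages_dir is quoted: a path
    # with spaces or shell metacharacters must stay a single argument and
    # must never be interpreted as shell syntax. Paths made only of safe
    # characters are passed through unchanged by shlex.quote.
    rewrite_shebangs = (
        "egrep -lRZ 'python' %s | "
        "xargs -0 -l sed -i -e '/#!.*python/c\\#!/usr/bin/env python2'"
    ) % shlex.quote(packages_dir)
    utils.Run([rewrite_shebangs], shell=True)

    utils.CopyFiles(os.path.join(packages_dir, 'google-daemon', '*'), '/')
    utils.CopyFiles(os.path.join(packages_dir, 'google-startup-scripts', '*'),
                    '/')
    utils.SecureDeleteFile('/README.md')
    # TODO: Fix gcimagebundle does not work with Arch yet.
    #InstallGcimagebundle(packages_dir)

    # Patch Google services to run after the network is actually available.
    for unit in (
        'google-startup-scripts.service',
        'google-accounts-manager.service',
        'google-address-manager.service',
        'google.service',
    ):
        PatchGoogleSystemdService('/usr/lib/systemd/system/' + unit)

    for unit in (
        'google-accounts-manager.service',
        'google-address-manager.service',
        'google.service',
        'google-startup-scripts.service',
    ):
        utils.EnableService(unit)
    utils.DeleteDirectory(packages_dir)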
def UploadImage(image_path, gs_path, make_public=False):
    """Replace the object at gs_path with image_path using gsutil.

    Args:
        image_path: Local path of the image to upload.
        gs_path: Destination passed to gsutil.
        make_public: When true, the uploaded object is given the
            'public-read' ACL, making it readable without authentication.
            Leave it false unless the image is meant to be published.
    """
    utils.LogStep('Upload Image to Cloud Storage')
    # NOTE(review): '~' is passed literally; whether it is expanded depends
    # on utils.SecureDeleteFile -- confirm.
    utils.SecureDeleteFile('~/.gsutil/*.url')

    # Remove any previous object first, then upload the new one.
    for gsutil_args in (['rm', gs_path], ['cp', image_path, gs_path]):
        utils.Run(['gsutil'] + gsutil_args)

    if not make_public:
        return
    utils.Run(['gsutil', 'acl', 'set', 'public-read', gs_path])
def SetupNetwork():
    """Reset hostname state, write network config files, enable services."""
    utils.LogStep('Setup Networking')
    # Drop the build-time hostname so it is not carried into the image.
    utils.SecureDeleteFile('/etc/hostname')

    config_files = (
        ('/etc/hosts', ETC_HOSTS),
        ('/etc/sysctl.d/70-disable-ipv6.conf',
         ETC_SYSCTL_D_70_DISABLE_IPV6_CONF),
    )
    for target, contents in config_files:
        utils.WriteFile(target, contents)

    network_units = (
        'dhcpcd.service',
        'systemd-networkd.service',
        'systemd-networkd-wait-online.service',
    )
    for unit in network_units:
        utils.EnableService(unit)
def UploadImage(image_path, gs_path, make_public=False):
    """Replace the object at gs_path with image_path using gsutil.

    Every gsutil call runs with CLOUDSDK_PYTHON set to /usr/bin/python2.

    Args:
        image_path: Local path of the image to upload.
        gs_path: Destination passed to gsutil.
        make_public: When true, the uploaded object is given the
            'public-read' ACL, making it readable without authentication.
            Leave it false unless the image is meant to be published.
    """

    def _gsutil(*gsutil_args):
        # A fresh env dict per call, as in the original call sites.
        # NOTE(review): whether utils.Run merges this dict with the parent
        # environment or replaces it is not visible here -- confirm.
        utils.Run(['gsutil'] + list(gsutil_args),
                  env={'CLOUDSDK_PYTHON': '/usr/bin/python2'})

    utils.LogStep('Upload Image to Cloud Storage')
    # NOTE(review): '~' is passed literally; whether it is expanded depends
    # on utils.SecureDeleteFile -- confirm.
    utils.SecureDeleteFile('~/.gsutil/*.url')

    # Remove any previous object first, then upload the new one.
    _gsutil('rm', gs_path)
    _gsutil('cp', image_path, gs_path)
    if not make_public:
        return
    _gsutil('acl', 'set', 'public-read', gs_path)
def SetupNetwork():
    """Reset hostname state, write network config files, enable services.

    Also symlinks /dev/null over the 80-net-setup-link.rules udev rule.
    """
    utils.LogStep('Setup Networking')
    # Drop the build-time hostname so it is not carried into the image.
    utils.SecureDeleteFile('/etc/hostname')

    config_files = (
        ('/etc/hosts', ETC_HOSTS),
        ('/etc/sysctl.d/70-disable-ipv6.conf',
         ETC_SYSCTL_D_70_DISABLE_IPV6_CONF),
    )
    for target, contents in config_files:
        utils.WriteFile(target, contents)

    # https://wiki.archlinux.org/index.php/Network_configuration#Reverting_to_traditional_device_names
    utils.Symlink('/dev/null', '/etc/udev/rules.d/80-net-setup-link.rules')

    network_units = (
        'dhcpcd.service',
        'systemd-networkd.service',
        'systemd-networkd-wait-online.service',
    )
    for unit in network_units:
        utils.EnableService(unit)
def SetupNetwork():
    """Reset hostname state, write network config, enable services, set MTU.

    After the base network services are enabled, a systemd unit and its
    /etc/conf.d/setmtu configuration are written and the unit is enabled.
    """
    utils.LogStep('Setup Networking')
    # Drop the build-time hostname so it is not carried into the image.
    utils.SecureDeleteFile('/etc/hostname')

    config_files = (
        ('/etc/hosts', ETC_HOSTS),
        ('/etc/sysctl.d/70-disable-ipv6.conf',
         ETC_SYSCTL_D_70_DISABLE_IPV6_CONF),
    )
    for target, contents in config_files:
        utils.WriteFile(target, contents)

    network_units = (
        'dhcpcd.service',
        'systemd-networkd.service',
        'systemd-networkd-wait-online.service',
    )
    for unit in network_units:
        utils.EnableService(unit)

    # Set Google Compute specific MTU
    # https://cloud.google.com/compute/docs/troubleshooting#packetfragmentation
    # NOTE(review): the unit path below and the unit name passed to
    # EnableService look like they were rewritten by an e-mail obfuscation
    # filter (they contained '@'). They are reproduced as found; restore the
    # real names from the upstream file before running this.
    utils.WriteFile('/etc/systemd/system/[email protected]',
                    ETC_SYSTEM_D_SET_MTU)
    utils.CreateDirectory('/etc/conf.d/')
    utils.WriteFile('/etc/conf.d/setmtu', ETC_CONF_D_SET_MTU)
    utils.EnableService('*****@*****.**')
def ConfigureSecurity():
    """Apply the hardening steps for the image.

    Writes two sysctl.d files, locks the root account, installs the PAM
    passwd configuration, writes 1 to kernel.modules_disabled, deletes
    /boot/System.map and installs a sudoers drop-in owned by root with
    mode 0440.
    """
    utils.LogStep('Compute Engine Security Recommendations')
    sysctl_files = (
        ('/etc/sysctl.d/70-gce-security-strongly-recommended.conf',
         ETC_SYSCTL_D_70_GCE_SECURITY_STRONGLY_RECOMMENDED_CONF),
        ('/etc/sysctl.d/70-gce-security-recommended.conf',
         ETC_SYSCTL_D_70_GCE_SECURITY_RECOMMENDED_CONF),
    )
    for conf_path, conf_body in sysctl_files:
        utils.WriteFile(conf_path, conf_body)

    utils.LogStep('Lock Root User Account')
    # usermod -L locks the password only; it does not by itself prevent
    # other login methods such as SSH keys.
    utils.Run(['usermod', '-L', 'root'])

    utils.LogStep('PAM Security Settings')
    utils.WriteFile('/etc/pam.d/passwd', ETC_PAM_D_PASSWD)

    utils.LogStep('Disable CAP_SYS_MODULE')
    # NOTE(review): /proc/sys is runtime state of the kernel this builder
    # runs on. The write cannot be undone until reboot, and nothing here
    # shows it being persisted into the image -- confirm a sysctl.d entry
    # covers it.
    utils.WriteFile('/proc/sys/kernel/modules_disabled', '1')

    utils.LogStep('Remove the kernel symbol table')
    utils.SecureDeleteFile('/boot/System.map')

    utils.LogStep('Sudo Access')
    sudoers_dropin = '/etc/sudoers.d/add-group-adm'
    # NOTE(review): the drop-in is not syntax-checked (e.g. with visudo -c)
    # before it takes effect. Ownership and mode are tightened only after
    # the file has been written.
    utils.WriteFile(sudoers_dropin, ETC_SUDOERS_D_ADD_GROUP_ADM)
    for tool, setting in (('chown', 'root:root'), ('chmod', '0440')):
        utils.Run([tool, setting, sudoers_dropin])