def SetupNetwork():
    """Write the image's base network configuration and enable its services.

    Securely deletes /etc/hostname, writes /etc/hosts and the sysctl drop-in
    70-disable-ipv6.conf from module-level constants, then enables dhcpcd and
    the two systemd-networkd units.
    """
    utils.LogStep('Setup Networking')
    # Presumably removed so no build-time hostname ships in the image; confirm.
    utils.SecureDeleteFile('/etc/hostname')

    config_files = (
        ('/etc/hosts', ETC_HOSTS),
        ('/etc/sysctl.d/70-disable-ipv6.conf',
         ETC_SYSCTL_D_70_DISABLE_IPV6_CONF),
    )
    for target_path, contents in config_files:
        utils.WriteFile(target_path, contents)

    # Enable order is kept exactly as the original sequence of calls.
    for unit_name in ('dhcpcd.service',
                      'systemd-networkd.service',
                      'systemd-networkd-wait-online.service'):
        utils.EnableService(unit_name)
def SetupFail2ban():
    """Install fail2ban, write its jail configuration and enable it.

    Background on the SSH brute-force defence this sets up:
    http://flexion.org/posts/2012-11-ssh-brute-force-defence.html
    """
    utils.LogStep('Configure fail2ban')
    utils.Pacman(['-S', 'fail2ban'])

    jail_files = (
        ('/etc/fail2ban/jail.local', ETC_FAIL2BAN_JAIL_LOCAL),
        ('/etc/fail2ban/jail.d/sshd.conf', ETC_FAIL2BAN_JAIL_D_SSHD_CONF),
    )
    for target_path, contents in jail_files:
        utils.WriteFile(target_path, contents)

    # syslog-ng is enabled before fail2ban. Presumably the sshd jail reads a
    # log file that syslog-ng produces; the jail contents are not visible
    # here, so confirm against ETC_FAIL2BAN_JAIL_D_SSHD_CONF.
    for unit_name in ('syslog-ng', 'fail2ban.service'):
        utils.EnableService(unit_name)
def SetupNetwork():
    """Write network configuration, mask the udev link rule, enable services.

    Same steps as the basic network setup (hostname removal, /etc/hosts,
    IPv6 sysctl drop-in, DHCP and networkd units), plus a /dev/null symlink
    over 80-net-setup-link.rules.
    """
    utils.LogStep('Setup Networking')
    utils.SecureDeleteFile('/etc/hostname')

    config_files = (
        ('/etc/hosts', ETC_HOSTS),
        ('/etc/sysctl.d/70-disable-ipv6.conf',
         ETC_SYSCTL_D_70_DISABLE_IPV6_CONF),
    )
    for target_path, contents in config_files:
        utils.WriteFile(target_path, contents)

    # Pointing the rule file at /dev/null reverts to traditional device names:
    # https://wiki.archlinux.org/index.php/Network_configuration#Reverting_to_traditional_device_names
    link_rule = '/etc/udev/rules.d/80-net-setup-link.rules'
    utils.Symlink('/dev/null', link_rule)

    for unit_name in ('dhcpcd.service',
                      'systemd-networkd.service',
                      'systemd-networkd-wait-online.service'):
        utils.EnableService(unit_name)
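def SetupSsh():
    """Install the SSH client/server configuration and strip host keys.

    Every SSH host key found under /etc/ssh is securely deleted, presumably
    so that no private host key is baked into the image and shared by each
    instance created from it. The client and server configuration files are
    then written from module-level constants and sshd.service is enabled.
    """
    utils.LogStep('Configure SSH')
    # NOTE(review): this marker is written while sshd.service is still enabled
    # below; what consumes it is not visible here. Confirm the interaction.
    utils.WriteFile('/etc/ssh/sshd_not_to_be_run', 'GOOGLE')

    utils.SecureDeleteFile('/etc/ssh/ssh_host_key')
    utils.SecureDeleteFile('/etc/ssh/ssh_host_rsa_key*')
    utils.SecureDeleteFile('/etc/ssh/ssh_host_dsa_key*')
    utils.SecureDeleteFile('/etc/ssh/ssh_host_ecdsa_key*')
    # Ed25519 is also a standard OpenSSH host key type. Without this line a
    # key generated during the build would survive into the image and be
    # identical on every instance, letting any holder of the image
    # impersonate those hosts.
    utils.SecureDeleteFile('/etc/ssh/ssh_host_ed25519_key*')

    utils.WriteFile('/etc/ssh/ssh_config', ETC_SSH_SSH_CONFIG)
    # NOTE(review): the mode is the decimal integer 644. If utils.Chmod
    # forwards it to os.chmod unchanged, the result is not rw-r--r-- (0o644).
    # Confirm how utils.Chmod interprets the argument.
    utils.Chmod('/etc/ssh/ssh_config', 644)
    utils.WriteFile('/etc/ssh/sshd_config', ETC_SSH_SSHD_CONFIG)
    utils.Chmod('/etc/ssh/sshd_config', 644)
    utils.EnableService('sshd.service')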
def SetupFileSystem(base_dir, image_mapping_path):
    """Write <base_dir>/etc/fstab and pin the filesystem UUID.

    Args:
        base_dir: Root of the image tree; passed to genfstab and used to
            locate etc/fstab.
        image_mapping_path: Device path handed to blkid and tune2fs.

    Returns:
        The UUID string reported by blkid, stripped of surrounding whitespace.
    """
    utils.LogStep('File Systems')
    fstab_path = os.path.join(base_dir, 'etc', 'fstab')

    _, generated_fstab, _ = utils.Run(['genfstab', '-p', base_dir],
                                      capture_output=True)
    utils.WriteFile(fstab_path, generated_fstab)

    blkid_cmd = ['blkid', '-s', 'UUID', '-o', 'value', image_mapping_path]
    _, raw_uuid, _ = utils.Run(blkid_cmd, capture_output=True)
    disk_uuid = raw_uuid.strip()

    # NOTE(review): fstab is written a second time to the same path. Whether
    # this replaces or extends the genfstab output depends on utils.WriteFile,
    # which is not visible here.
    utils.WriteFile(fstab_path, 'UUID=%s / ext4 defaults 0 1' % disk_uuid)

    # tune2fs is given the UUID that blkid just reported, together with '-i 1'.
    utils.Run(['tune2fs', '-i', '1', '-U', disk_uuid, image_mapping_path])
    return disk_uuid
def SetupNetwork():
    """Write network configuration, enable services and install the MTU unit.

    Performs the base steps (hostname removal, /etc/hosts, IPv6 sysctl
    drop-in, DHCP and networkd units) and then writes a systemd unit plus
    /etc/conf.d/setmtu for the Google Compute specific MTU.
    """
    utils.LogStep('Setup Networking')
    utils.SecureDeleteFile('/etc/hostname')

    config_files = (
        ('/etc/hosts', ETC_HOSTS),
        ('/etc/sysctl.d/70-disable-ipv6.conf',
         ETC_SYSCTL_D_70_DISABLE_IPV6_CONF),
    )
    for target_path, contents in config_files:
        utils.WriteFile(target_path, contents)

    for unit_name in ('dhcpcd.service',
                      'systemd-networkd.service',
                      'systemd-networkd-wait-online.service'):
        utils.EnableService(unit_name)

    # Set Google Compute specific MTU
    # https://cloud.google.com/compute/docs/troubleshooting#packetfragmentation
    # NOTE(review): the unit file name and the enabled unit name below look
    # like they were mangled by e-mail obfuscation when this listing was
    # published. They are reproduced verbatim and must be restored from the
    # original project before this code is used.
    utils.WriteFile('/etc/systemd/system/[email protected]',
                    ETC_SYSTEM_D_SET_MTU)
    utils.CreateDirectory('/etc/conf.d/')
    utils.WriteFile('/etc/conf.d/setmtu', ETC_CONF_D_SET_MTU)
    utils.EnableService('*****@*****.**')
def ConfigureSecurity():
    """Apply the Compute Engine hardening steps to the system.

    Writes two sysctl drop-ins, locks the root account, installs the PAM
    passwd policy, writes 1 to kernel.modules_disabled, removes
    /boot/System.map and installs a sudoers drop-in owned by root:root with
    mode 0440.
    """
    utils.LogStep('Compute Engine Security Recommendations')
    sysctl_dropins = (
        ('/etc/sysctl.d/70-gce-security-strongly-recommended.conf',
         ETC_SYSCTL_D_70_GCE_SECURITY_STRONGLY_RECOMMENDED_CONF),
        ('/etc/sysctl.d/70-gce-security-recommended.conf',
         ETC_SYSCTL_D_70_GCE_SECURITY_RECOMMENDED_CONF),
    )
    for target_path, contents in sysctl_dropins:
        utils.WriteFile(target_path, contents)

    utils.LogStep('Lock Root User Account')
    utils.Run(['usermod', '-L', 'root'])

    utils.LogStep('PAM Security Settings')
    utils.WriteFile('/etc/pam.d/passwd', ETC_PAM_D_PASSWD)

    utils.LogStep('Disable CAP_SYS_MODULE')
    # NOTE(review): the step label names a capability, but the write targets
    # kernel.modules_disabled. /proc/sys is runtime kernel state, so this
    # affects the kernel running this script and would not persist into an
    # image by itself. Confirm that is the intent.
    utils.WriteFile('/proc/sys/kernel/modules_disabled', '1')

    utils.LogStep('Remove the kernel symbol table')
    utils.SecureDeleteFile('/boot/System.map')

    utils.LogStep('Sudo Access')
    sudoers_dropin = '/etc/sudoers.d/add-group-adm'
    utils.WriteFile(sudoers_dropin, ETC_SUDOERS_D_ADD_GROUP_ADM)
    # NOTE(review): owner and mode are tightened only after the content is
    # written, and the mode utils.WriteFile creates the file with is not
    # visible here. The drop-in is also not syntax-checked before use.
    utils.Run(['chown', 'root:root', sudoers_dropin])
    utils.Run(['chmod', '0440', sudoers_dropin])
def processTemplate(templateIp):
    """Render utils.ttFileName with templateIp and write the result.

    The output file name is assembled on the shared ``utils`` module from
    outputFileKeyword / outputFile / outputFileExt, so this function mutates
    module-level state on every call.

    NOTE(review): the statement nesting was reconstructed from a listing that
    had lost its line breaks. Confirm it against the original file.
    """
    from template import Template
    utils.outputFileName = ''
    if utils.outputFileKeyword != '':
        # The file name is derived from a value inside the template input.
        # Whether it is sanitised depends on utils.getFileName, which is not
        # visible here; confirm before feeding untrusted input.
        utils.outputFileName = utils.getFileName(
            templateIp[utils.outputFileKeyword])
    if utils.outputFile != '':
        utils.outputFileName = utils.outputFileName + utils.outputFile
    utils.outputFileName = utils.outputFileName + utils.outputFileExt
    # SECURITY: EVAL_PYTHON is switched on, which appears to let the template
    # run embedded Python. Template files must therefore be treated as code:
    # never render a template that an untrusted party can write or influence.
    tt = Template({'EVAL_PYTHON': 1, 'AUTO_RESET': 1})
    op = tt.process(utils.ttFileName, {'TemplateInputVar': templateIp})
    utils.WriteFile(utils.outputDir, utils.outputFileName, op, utils.mode)
def main():
    """Build a UEFI installer disk on /dev/sdb from installer.iso.

    Reads build parameters from instance metadata, generates ks.cfg,
    partitions and formats /dev/sdb (ESP + INSTALLER), copies the ISO boot
    files and kickstart over, rewrites grub.cfg for a serial-console
    unattended install, writes the boot path file and unmounts everything.
    """
    def _metadata_flag(name):
        # Optional attribute: only the exact string 'true' counts as enabled.
        return utils.GetMetadataAttribute(
            name, raise_on_not_found=False) == 'true'

    # Get Parameters
    repo = utils.GetMetadataAttribute('google_cloud_repo',
                                      raise_on_not_found=True)
    release = utils.GetMetadataAttribute('el_release',
                                         raise_on_not_found=True)
    savelogs = _metadata_flag('el_savelogs')
    byol = _metadata_flag('rhel_byol')
    sap_hana = _metadata_flag('rhel_sap_hana')
    sap_apps = _metadata_flag('rhel_sap_apps')
    sap = _metadata_flag('rhel_sap')

    logging.info('EL Release: %s' % release)
    logging.info('Google Cloud repo: %s' % repo)
    logging.info('Build working directory: %s' % os.getcwd())

    iso_file = 'installer.iso'
    ks_cfg = 'ks.cfg'

    # Necessary libs and tools to build the installer disk.
    utils.AptGetInstall(['dosfstools', 'rsync'])

    # Build the kickstart file.
    ks_content = ks_helpers.BuildKsConfig(release, repo, byol, sap, sap_hana,
                                          sap_apps)
    utils.WriteFile(ks_cfg, ks_content)

    # Write the installer disk. Write GPT label, create partition,
    # copy installer boot files over.
    logging.info('Writing installer disk.')
    synced_steps = (
        ['parted', '/dev/sdb', 'mklabel', 'gpt'],
        ['parted', '/dev/sdb', 'mkpart', 'primary', 'fat32', '1MB', '201MB'],
        ['parted', '/dev/sdb', 'mkpart', 'primary', 'ext2', '201MB', '100%'],
        ['parted', '/dev/sdb', 'set', '1', 'boot', 'on'],
        ['parted', '/dev/sdb', 'set', '1', 'esp', 'on'],
        ['mkfs.vfat', '-F', '32', '/dev/sdb1'],
        ['fatlabel', '/dev/sdb1', 'ESP'],
        ['mkfs.ext2', '-L', 'INSTALLER', '/dev/sdb2'],
    )
    for command in synced_steps:
        # Each disk-modifying command is followed by its own sync.
        utils.Execute(command)
        utils.Execute(['sync'])

    copy_steps = (
        ['mkdir', '-vp', 'iso', 'installer', 'boot'],
        ['mount', '-o', 'ro,loop', '-t', 'iso9660', iso_file, 'iso'],
        ['mount', '-t', 'vfat', '/dev/sdb1', 'boot'],
        ['mount', '-t', 'ext2', '/dev/sdb2', 'installer'],
        ['rsync', '-Pav', 'iso/EFI', 'iso/images', 'boot/'],
        ['cp', iso_file, 'installer/'],
        ['cp', ks_cfg, 'installer/'],
    )
    for command in copy_steps:
        utils.Execute(command)

    # Modify boot config.
    with open('boot/EFI/BOOT/grub.cfg', 'r+') as grub_file:
        oldcfg = grub_file.read()
        rewrites = (
            (r'-l .RHEL.*', r"""-l 'ESP'"""),
            (r'timeout=60', 'timeout=1'),
            (r'set default=.*', 'set default="0"'),
            (r'load_video\n',
             r'serial --speed=38400 --unit=0 --word=8 '
             '--parity=no\nterminal_input serial\nterminal_output '
             'serial\n'),
        )
        cfg = oldcfg
        for pattern, replacement in rewrites:
            cfg = re.sub(pattern, replacement, cfg)

        # Change boot args.
        # NOTE(review): inst.sshd=1 starts an SSH server inside the installer
        # environment. Whether logins are password-protected depends on the
        # generated kickstart, which is not visible here. Confirm the build
        # network is isolated, or drop the flag outside debugging.
        args = ' '.join([
            'text',
            'ks=hd:LABEL=INSTALLER:/%s' % ks_cfg,
            'console=ttyS0,38400n8',
            'inst.sshd=1',
            'inst.gpt'
        ])

        # Tell Anaconda not to store its logs in the installed image,
        # unless requested to keep them for debugging.
        if not savelogs:
            args += ' inst.nosave=all'
        cfg = re.sub(r'inst\.stage2.*', r'\g<0> %s' % args, cfg)

        if release in ['centos7', 'rhel7', 'oraclelinux7']:
            cfg = re.sub(r'LABEL=[^ :]+', 'LABEL=INSTALLER', cfg)

        # Print out the modifications.
        delta = difflib.Differ().compare(oldcfg.splitlines(1),
                                         cfg.splitlines(1))
        logging.info('Modified grub.cfg:\n%s' % '\n'.join(delta))

        # Rewrite in place; truncate drops any tail left from a longer file.
        grub_file.seek(0)
        grub_file.write(cfg)
        grub_file.truncate()

    logging.info("Creating boot path file\n")
    utils.Execute(['mkdir', '-p', 'boot/EFI/Google/gsetup'])
    with open('boot/EFI/Google/gsetup/boot', 'w') as boot_path_file:
        boot_path_file.write("\\EFI\\BOOT\\BOOTX64.EFI\n")

    for mount_point in ('installer', 'iso', 'boot'):
        utils.Execute(['umount', mount_point])
def ConfigMessageOfTheDay():
    """Write the ETC_MOTD constant to /etc/motd."""
    utils.LogStep('Configure Message of the Day')
    motd_path = '/etc/motd'
    utils.WriteFile(motd_path, ETC_MOTD)
def InstallGcimagebundle(packages_dir):
    """Drop arch.py into the gcimagebundle tree and install the package.

    Args:
        packages_dir: Directory that contains the ``gcimagebundle`` checkout.
    """
    bundle_dir = os.path.join(packages_dir, 'gcimagebundle')
    arch_module = os.path.join(packages_dir,
                               'gcimagebundle/gcimagebundlelib/arch.py')

    utils.WriteFile(arch_module, GCIMAGEBUNDLE_ARCH_PY)
    # setup.py from packages_dir runs with the privileges of this script, so
    # the checkout has to come from a trusted source.
    utils.Run(['python2', 'setup.py', 'install'], cwd=bundle_dir)
def SetupNtpServer():
    """Point ntpd at the metadata server by writing /etc/ntp.conf."""
    utils.LogStep('Configure NTP')
    # Single time source; the written line carries no trailing newline.
    ntp_conf = 'server metadata.google.internal iburst'
    utils.WriteFile('/etc/ntp.conf', ntp_conf)
def main():
    """Build a BIOS (extlinux) installer disk on /dev/sdb.

    Reads build parameters from instance metadata, generates ks.cfg, writes
    an msdos label and the extlinux MBR, formats one INSTALLER partition,
    copies the ISO and its boot files over, converts the isolinux
    configuration into extlinux.conf with kickstart boot arguments, and
    installs extlinux.
    """
    def _metadata_flag(name):
        # Optional attribute: only the exact string 'true' counts as enabled.
        return utils.GetMetadataAttribute(
            name, raise_on_not_found=False) == 'true'

    # Get Parameters
    repo = utils.GetMetadataAttribute('google_cloud_repo',
                                      raise_on_not_found=True)
    release = utils.GetMetadataAttribute('el_release',
                                         raise_on_not_found=True)
    savelogs = _metadata_flag('el_savelogs')
    byos = _metadata_flag('rhel_byos')
    sap = _metadata_flag('rhel_sap')
    nge = _metadata_flag('new_guest')

    logging.info('EL Release: %s' % release)
    logging.info('Google Cloud repo: %s' % repo)
    logging.info('Build working directory: %s' % os.getcwd())

    iso_file = '/files/installer.iso'
    ks_cfg = 'ks.cfg'

    # Necessary libs and tools to build the installer disk.
    utils.AptGetInstall(['extlinux', 'rsync'])

    # Build the kickstart file.
    uefi = False
    ks_content = ks_helpers.BuildKsConfig(release, repo, byos, sap, uefi, nge)
    utils.WriteFile(ks_cfg, ks_content)

    # Write the installer disk. Write extlinux MBR, create partition,
    # copy installer ISO and ISO boot files over.
    logging.info('Writing installer disk.')
    synced_steps = (
        ['parted', '/dev/sdb', 'mklabel', 'msdos'],
        ['parted', '/dev/sdb', 'mkpart', 'primary', '1MB', '100%'],
        ['parted', '/dev/sdb', 'set', '1', 'boot', 'on'],
        ['dd', 'if=/usr/lib/EXTLINUX/mbr.bin', 'of=/dev/sdb'],
        ['mkfs.ext2', '-L', 'INSTALLER', '/dev/sdb1'],
    )
    for command in synced_steps:
        # Each disk-modifying command is followed by its own sync.
        utils.Execute(command)
        utils.Execute(['sync'])

    copy_steps = (
        ['mkdir', 'iso', 'installer'],
        ['mount', '-o', 'ro,loop', '-t', 'iso9660', iso_file, 'iso'],
        ['mount', '-t', 'ext2', '/dev/sdb1', 'installer'],
        ['rsync', '-Pav', 'iso/images', 'iso/isolinux', 'installer/'],
        ['cp', iso_file, 'installer/'],
        ['cp', ks_cfg, 'installer/'],
        # Modify boot files on installer disk.
        ['mv', 'installer/isolinux', 'installer/extlinux'],
        ['mv', 'installer/extlinux/isolinux.cfg',
         'installer/extlinux/extlinux.conf'],
    )
    for command in copy_steps:
        utils.Execute(command)

    # Modify boot config.
    with open('installer/extlinux/extlinux.conf', 'r+') as conf_file:
        oldcfg = conf_file.read()
        # Without re.MULTILINE, '^' anchors only at the start of the file.
        cfg = re.sub(r'^default.*', r'default linux', oldcfg, count=1)

        # Change boot args.
        args = ' '.join([
            'text',
            'ks=hd:/dev/sda1:/%s' % ks_cfg,
            'console=ttyS0,38400n8',
            'loglevel=debug'
        ])

        # Tell Anaconda not to store its logs in the installed image,
        # unless requested to keep them for debugging.
        if not savelogs:
            args += ' inst.nosave=all'
        cfg = re.sub(r'append initrd=initrd\.img.*', r'\g<0> %s' % args, cfg)

        # Change labels to explicit partitions.
        labelled_releases = ('centos7', 'rhel7', 'rhel-7', 'oraclelinux7',
                             'centos8', 'rhel8')
        if release.startswith(labelled_releases):
            cfg = re.sub(r'LABEL=[^ ]+', 'LABEL=INSTALLER', cfg)

        # Print out the modifications.
        delta = difflib.Differ().compare(oldcfg.splitlines(1),
                                         cfg.splitlines(1))
        logging.info('Modified extlinux.conf:\n%s' % '\n'.join(delta))

        # Rewrite in place; truncate drops any tail left from a longer file.
        conf_file.seek(0)
        conf_file.write(cfg)
        conf_file.truncate()

    # Activate extlinux.
    utils.Execute(['extlinux', '--install', 'installer/extlinux'])
def main():
    """Build a UEFI installer disk on /dev/sdb and archive the kickstart.

    Reads build parameters from instance metadata, generates ks.cfg and
    uploads a copy to the Daisy logs path, partitions and formats /dev/sdb
    (ESP + INSTALLER), copies the ISO boot files and kickstart over, rewrites
    grub.cfg for a serial-console unattended install and unmounts everything.
    """
    def _metadata_flag(name):
        # Only the exact string 'true' counts as enabled.
        return utils.GetMetadataAttribute(name) == 'true'

    # Get Parameters
    repo = utils.GetMetadataAttribute('google_cloud_repo',
                                      raise_on_not_found=True)
    release = utils.GetMetadataAttribute('el_release',
                                         raise_on_not_found=True)
    daisy_logs_path = utils.GetMetadataAttribute('daisy-logs-path',
                                                 raise_on_not_found=True)
    savelogs = _metadata_flag('el_savelogs')
    byos = _metadata_flag('rhel_byos')
    sap = _metadata_flag('rhel_sap')

    logging.info('EL Release: %s' % release)
    logging.info('Google Cloud repo: %s' % repo)
    logging.info('Build working directory: %s' % os.getcwd())

    iso_file = '/files/installer.iso'
    ks_cfg = 'ks.cfg'

    utils.AptGetInstall(['rsync'])

    # Build the kickstart file.
    ks_content = ks_helpers.BuildKsConfig(release, repo, byos, sap)
    utils.WriteFile(ks_cfg, ks_content)
    # Save the generated kickstart file to the build logs.
    # NOTE(review): everyone with read access to the logs location can read
    # this file. Confirm BuildKsConfig never embeds credentials or password
    # hashes (its output is not visible here).
    utils.UploadFile(ks_cfg, '%s/ks.cfg' % daisy_logs_path)

    # Write the installer disk. Write GPT label, create partition,
    # copy installer boot files over.
    logging.info('Writing installer disk.')
    synced_steps = (
        ['parted', '/dev/sdb', 'mklabel', 'gpt'],
        ['parted', '/dev/sdb', 'mkpart', 'primary', 'fat32', '1MB', '1024MB'],
        ['parted', '/dev/sdb', 'mkpart', 'primary', 'ext2', '1024MB', '100%'],
        ['parted', '/dev/sdb', 'set', '1', 'boot', 'on'],
        ['parted', '/dev/sdb', 'set', '1', 'esp', 'on'],
        ['mkfs.vfat', '-F', '32', '/dev/sdb1'],
        ['fatlabel', '/dev/sdb1', 'ESP'],
        ['mkfs.ext2', '-L', 'INSTALLER', '/dev/sdb2'],
    )
    for command in synced_steps:
        # Each disk-modifying command is followed by its own sync.
        utils.Execute(command)
        utils.Execute(['sync'])

    copy_steps = (
        ['mkdir', '-vp', 'iso', 'installer', 'boot'],
        ['mount', '-o', 'ro,loop', '-t', 'iso9660', iso_file, 'iso'],
        ['mount', '-t', 'vfat', '/dev/sdb1', 'boot'],
        ['mount', '-t', 'ext2', '/dev/sdb2', 'installer'],
        ['rsync', '-Pav', 'iso/EFI', 'iso/images', 'boot/'],
        ['cp', iso_file, 'installer/'],
        ['cp', ks_cfg, 'installer/'],
    )
    for command in copy_steps:
        utils.Execute(command)

    # Modify boot config.
    with open('boot/EFI/BOOT/grub.cfg', 'r+') as grub_file:
        oldcfg = grub_file.read()
        rewrites = (
            (r'-l .RHEL.*', r"""-l 'ESP'"""),
            (r'timeout=60', 'timeout=1'),
            (r'set default=.*', 'set default="0"'),
            (r'load_video\n',
             r'serial --speed=38400 --unit=0 --word=8 --parity=no\n'
             'terminal_input serial\nterminal_output serial\n'),
        )
        cfg = oldcfg
        for pattern, replacement in rewrites:
            cfg = re.sub(pattern, replacement, cfg)

        # Change boot args.
        args = ' '.join([
            'text',
            'ks=hd:LABEL=INSTALLER:/%s' % ks_cfg,
            'console=ttyS0,38400n8',
            'inst.gpt',
            'loglevel=debug'
        ])

        # Tell Anaconda not to store its logs in the installed image,
        # unless requested to keep them for debugging.
        if not savelogs:
            args += ' inst.nosave=all'
        cfg = re.sub(r'inst\.stage2.*', r'\g<0> %s' % args, cfg)

        # Change labels to explicit partitions.
        cfg = re.sub(r'LABEL=[^ ]+', 'LABEL=INSTALLER', cfg)

        # Print out the modifications.
        delta = difflib.Differ().compare(oldcfg.splitlines(1),
                                         cfg.splitlines(1))
        logging.info('Modified grub.cfg:\n%s' % '\n'.join(delta))

        # Rewrite in place; truncate drops any tail left from a longer file.
        grub_file.seek(0)
        grub_file.write(cfg)
        grub_file.truncate()

    for mount_point in ('installer', 'iso', 'boot'):
        utils.Execute(['umount', mount_point])
def lock_user(CONFIGFILE, DB, LOCKFILE):
    """Stamp the current time into the configured lock file.

    utils.ReadConfigFile is called with the three arguments and returns a
    pair. When the second element is truthy, the first is used as the path
    that receives ``str(time.time())``; otherwise nothing is written.
    """
    lock_path, found = utils.ReadConfigFile(CONFIGFILE, DB, LOCKFILE)
    if not found:
        return
    # NOTE(review): the path comes straight from configuration, and how
    # utils.WriteFile treats an existing file or a symlink is not visible
    # here. Confirm the lock location is not writable by other users.
    utils.WriteFile(lock_path, str(time.time()))
def lock_admin():
    """Record the lock start time in the file named by conf.ini.

    The timestamp is taken before the configuration lookup and is passed to
    utils.WriteFile as a float, not as a string.
    """
    started_at = time.time()
    # NOTE(review): the whole return value of ReadConfigFile is used as the
    # target path. Confirm it is a plain path string for this utils module.
    lock_target = utils.ReadConfigFile('conf.ini', 'LOG', 'LOGFILE')
    utils.WriteFile(lock_target, started_at)