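def make_inittab():
    """Regenerate ``/ram/etc/inittab`` from the registered generator functions.

    Every callable in ``__inittab__.inittab_fns`` prints its fragment to
    stdout, which is redirected into a temp file while they run. The temp
    file replaces the live inittab only when the content differs, in which
    case PID 1 is sent SIGHUP so it re-reads the file.

    Side effects: writes ``/ram/etc/inittab``, may signal PID 1.
    """
    save_out = sys.stdout
    (tfd, tname) = tempfile.mkstemp()
    out = os.fdopen(tfd, "w")
    sys.stdout = out
    try:
        for ifn in __inittab__.inittab_fns:
            ifn()
    finally:
        # Restore the real stdout even if a generator raises; otherwise later
        # boot output would go to a closed temp file.
        out.close()
        sys.stdout = save_out
    dst = "/ram/etc/inittab"
    # shallow=False: compare file contents, not just size/mtime.
    if not os.path.isfile(dst) or not filecmp.cmp(tname, dst, False):
        os.rename(tname, dst)
        os.kill(1, signal.SIGHUP)
    # No-op after a successful rename; cleans up when nothing changed.
    slimlib.remove(tname)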
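def make_firewall():
    """Generate and load the IPv4 and IPv6 firewall rule sets.

    For each IP version the callables in ``__firewall__.fw_fns`` print a
    rule set to stdout, which is captured into a temp file, moved to
    ``/ram/etc/ip<ver>tables.conf`` and fed to the matching ``*-restore``
    tool on stdin. A rule file that loaded successfully is then compressed
    in place with bzip2 (any stale ``.bz2`` is removed first).

    Side effects: writes under ``/ram/etc``, runs iptables-restore /
    ip6tables-restore and bzip2.
    """
    save_out = sys.stdout
    for ipv in ["4", "6"]:
        (tfd, tname) = tempfile.mkstemp()
        out = os.fdopen(tfd, "w")
        sys.stdout = out
        try:
            for ffn in __firewall__.fw_fns:
                ffn(ipv)
        finally:
            # Always put stdout back, even if a generator raises.
            out.close()
            sys.stdout = save_out
        cmd = "iptables" if ipv == "4" else "ip6tables"
        dst = "/ram/etc/ip" + ipv + "tables.conf"
        os.rename(tname, dst)
        with open(dst, "r") as fd:
            restore = subprocess.run(["/sbin/" + cmd + "-restore"], stdin=fd)
        # The original tested the CompletedProcess object itself, which is
        # always truthy, so compression ran even when the rules were rejected.
        # Gate on the exit status so a failed rule set stays uncompressed.
        if restore.returncode == 0:
            bz = dst + ".bz2"
            slimlib.remove(bz)
            subprocess.run(["/sbin/bzip2", dst])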
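def make_dns_conf():
    """Generate and install ``named.conf`` for the BIND chroot at ``dnsbase``.

    The file is assembled in a temp file from ``__opts__.opt_vals`` /
    ``__opts__.syscfg`` and the interface addresses in ``/ram/addrs`` (one
    ``<ipver> <addr/len> <addr> <len>`` line per address), staged inside the
    chroot as ``<dnsbase>/etc/dns.conf_<pid>_<rand>`` owned by ``nobody`` with
    mode 0400, validated with ``named-checkconf`` and only then renamed over
    ``<dnsbase>/etc/dns.conf``. On success a running ``named`` is sent SIGHUP;
    a failed validation is logged to syslog and leaves the previous file alone.

    Side effects: may write ``/ram/etc/rndc.conf`` and create
    ``<dnsbase>/etc``, ``<dnsbase>/slave`` and ``<dnsbase>/master``.
    """
    dnsbase = __opts__.opt_vals["dnsbase"]
    (ux_fd, tname) = tempfile.mkstemp()
    tfd = os.fdopen(ux_fd, "w")

    # ---- options { listen-on { ... } ------------------------------------
    print("""options {
    listen-on {
        127.0.0.1; // localhost
        // The following address is node-dependent and should be set to
        // something appropriate for the new AS112 node.
""", file=tfd)
    # Third column of each "4 ..." line in /ram/addrs is the bare address.
    with open("/ram/addrs", "r") as fd:
        lines = [l.split()[2] for l in fd if l.startswith("4 ")]
    if len(lines) > 0:
        print("; ".join(lines), ";", file=tfd)
    if slimlib.opt_is_y("dnsWithAS112"):
        print("""
        // The following addresses are used to support Direct Delegation
        // AS112 service and are the same for all AS112 nodes.
        192.175.48.1; // prisoner.iana.org (anycast)
        192.175.48.6; // blackhole-1.iana.org (anycast)
        192.175.48.42; // blackhole-2.iana.org (anycast)
        // The following address is used to support DNAME redirection
        // AS112 service and is the same for all AS112 nodes.
        192.31.196.1; // blackhole.as112.arpa (anycast)""", file=tfd)

    # ---- listen-on-v6 { ... } -------------------------------------------
    print("""};
    listen-on-v6 {
        ::1; // localhost
""", file=tfd)
    if slimlib.opt_is_y("dnsWithAS112"):
        print("""
        // The following addresses are used to support Direct Delegation
        // AS112 service and are the same for all AS112 nodes.
        2620:4f:8000::1; // prisoner.iana.org (anycast)
        2620:4f:8000::6; // blackhole-1.iana.org (anycast)
        2620:4f:8000::42; // blackhole-2.iana.org (anycast)
        // The following address is used to support DNAME redirection
        // AS112 service and is the same for all AS112 nodes.
        2001:4:112::1; // blackhole.as112.arpa (anycast)
""", file=tfd)
    # Same column as for IPv4. This used l.strip(), which pasted the whole
    # "6 <addr/len> <addr> <len>" line into listen-on-v6 and broke the config.
    with open("/ram/addrs", "r") as fd:
        lines = [l.split()[2] for l in fd if l.startswith("6 ")]
    if len(lines) > 0:
        print("; ".join(lines), ";", file=tfd)

    # ---- rest of options { ... } ----------------------------------------
    print("""
    };
    directory "/var/dns";
    allow-update { none; };
    allow-transfer { 127.0.0.0/8; };
    notify no;
    max-udp-size 4096;
    edns-udp-size 4096;
""", file=tfd)
    if slimlib.opt_is_y("dnsDNSSEC"):
        print("dnssec-enable yes;", file=tfd)
    else:
        print("dnssec-enable no;", file=tfd)
    if slimlib.opt_is_y("dnsResolver"):
        print(" recursion yes;", file=tfd)
        # Loopback is always allowed to recurse; dnsResolverAllowed adds
        # further address-match entries (written verbatim from the config).
        if "dnsResolverAllowed" in __opts__.opt_vals:
            tfd.write(" allow-recursion { 127.0.0.0/8; ::1; ")
            for svr in __opts__.opt_vals["dnsResolverAllowed"].split():
                tfd.write(svr + "; ")
            print("};", file=tfd)
    else:
        print(" recursion no; // authoritative-only server", file=tfd)
    print(" }; ", file=tfd)  # closes "options {"

    # ---- query logging ---------------------------------------------------
    if slimlib.opt_is_y("dnsLogging"):
        print("// dnsLogging = ", __opts__.opt_vals["dnsLogging"], file=tfd)
        print("""
// Log queries, so that when people call us about unexpected
// answers to queries they did not realise they had sent, we
// have something to talk about. Note that activating this
// naively has the potential to create high CPU load and consume
// enormous amounts of disk space. This example retains 2 old
// versions at a maximum of 500 MB each before rotating out the
// oldest one.
logging {
    channel "querylog" {
        file "/var/log/query.log" versions 2 size 500m;
        print-time yes;
    };
    category queries { querylog; };
};""", file=tfd)

    # ---- rndc control channel -------------------------------------------
    if os.path.isfile("/opt/config/rndc.conf"):
        shutil.copy2("/opt/config/rndc.conf", "/ram/etc/rndc.conf")
    elif "dnsRndcKey" in __opts__.opt_vals:
        # NOTE(review): hmac-md5 is the weakest algorithm BIND accepts for
        # rndc keys; hmac-sha256 is the usual choice today. The key statement
        # is shared with rndc.conf below so both sides stay in sync.
        key_stmt = ("key \"rndc-key\" { algorithm hmac-md5; secret \""
                    + __opts__.opt_vals["dnsRndcKey"] + "\"; };")
        print(key_stmt, file=tfd)
        print("controls {", file=tfd)
        print(" inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { \"rndc-key\"; };", file=tfd)
        if ("dnsRndcAllow" in __opts__.opt_vals
                and __opts__.opt_vals["dnsRndcAllow"] != "127.0.0.1"):
            # Open a control socket on every interface address and allow
            # only the configured peers of the matching IP version
            # (slimlib.select_addr is presumed to do the per-version filter).
            addrs = __opts__.opt_vals["dnsRndcAllow"].split()
            for ipv in ["4", "6"]:
                with open("/ram/addrs", "r") as afd:
                    lines = [l.strip() for l in afd if l.startswith(ipv + " ")]
                for l in lines:
                    print("\tinet", l.split()[2], "port 953 allow {", file=tfd)
                    for a in addrs:
                        if slimlib.select_addr(a, ipv):
                            tfd.write(a + "; ")
                    print("} keys { \"rndc-key\"; };", file=tfd)
        print("};", file=tfd)
        # NOTE(review): this file carries the shared secret and is created
        # with the process umask; dns.conf below gets 0400, this one does not.
        with open("/ram/etc/rndc.conf", "w") as rfd:
            print(key_stmt, file=rfd)
            print("options { default-key \"rndc-key\"; default-server 127.0.0.1; default-port 953; };", file=rfd)

    # ---- AS112 zones ----------------------------------------------------
    if slimlib.opt_is_y("dnsWithAS112"):
        print("""
// Direct Delegation AS112 Service
// RFC 1918
zone "10.in-addr.arpa" { type master; file "db.dd-empty"; };""", file=tfd)
        # 172.16.0.0/12 is sixteen /16 reverse zones.
        for n in range(16, 32):
            print("zone \"" + str(n) + ".172.in-addr.arpa\" { type master; file \"db.dd-empty\"; };", file=tfd)
        print("""zone "168.192.in-addr.arpa" { type master; file "db.dd-empty"; };
// RFC 6890
zone "254.169.in-addr.arpa" { type master; file "db.dd-empty"; };
// DNAME redirection AS112 Service
zone "empty.as112.arpa" { type master; file "db.dr-empty"; };
// Also answer authoritatively for the HOSTNAME.AS112.NET and
// HOSTNAME.AS112.ARPA zones, which contain data of operational
// relevance.
zone "hostname.as112.net" { type master; file "db.hostname.as112.net"; };
zone "hostname.as112.arpa" { type master; file "db.hostname.as112.arpa"; };
""", file=tfd)

    # ---- secondary (slave) zones from dnsSecondary= lines ---------------
    if slimlib.opt_is_y("dnsWithSecondary"):
        os.makedirs(dnsbase + "/slave", exist_ok=True)
        shutil.chown(dnsbase + "/slave", "nobody", "nobody")
        prefix = "dnsSecondary="
        with open(__opts__.syscfg, "r") as sysfd:
            lines = [l.strip()[len(prefix):].strip('"').strip("'")
                     for l in sysfd if l.startswith(prefix)]
        # Each value is "<zone> <master> [<master> ...]".
        for l in lines:
            a = l.split()
            zfile = a[0].replace("/", "_").replace(":", "_")
            tfd.write("zone \"" + a[0] + "\" { type slave; file \"/slave/" + zfile + "\";\n\tmasters {")
            del a[0]
            tfd.write("; ".join(a))
            print("; }; };\n", file=tfd)

    # ---- primary (master) zones from dnsPrimary= lines ------------------
    if slimlib.opt_is_y("dnsWithPrimary"):
        os.makedirs(dnsbase + "/master", exist_ok=True)
        # Was chown of "/slave", which does not exist unless dnsWithSecondary
        # is also set, and left "/master" root-owned either way.
        shutil.chown(dnsbase + "/master", "nobody", "nobody")
        prefix = "dnsPrimary="
        with open(__opts__.syscfg, "r") as sysfd:
            lines = [l.strip()[len(prefix):].strip('"').strip("'")
                     for l in sysfd if l.startswith(prefix)]
        # Each value is "<zone> <peer> [<peer> ...]"; peers may carry a
        # prefix length (networks), which are valid in allow-transfer but
        # not as also-notify targets.
        for l in lines:
            a = l.split()
            zfile = a[0].replace("/", "_").replace(":", "_")
            # A stray "masters {" (a slave-zone clause) used to follow the
            # file statement, leaving the braces unbalanced so named-checkconf
            # rejected every primary zone. Only the zone header is written here.
            # NOTE(review): the zone file is still looked up under /slave/
            # even though /master is the directory created above - confirm
            # which location operators are expected to populate.
            tfd.write("zone \"" + a[0] + "\" { type master; notify explicit; file \"/slave/" + zfile + "\";\n")
            del a[0]
            iplist = [x.strip() for x in a if x.find("/") < 0]
            tfd.write("\tallow-transfer { " + "; ".join(a) + "; 127.0.0.0/8; };\n")
            tfd.write("\talso-notify { " + "; ".join(iplist) + "; };\n")
            print("\t};\n", file=tfd)
    tfd.close()

    # ---- validate, then install into the chroot --------------------------
    conf = "/etc/dns.conf"
    dst = dnsbase + conf
    os.makedirs(dnsbase + "/etc", exist_ok=True)
    # Stage under a unique name inside the chroot so the final step is a
    # same-filesystem rename; "staged" is the path as seen from inside the
    # chroot, which is what named-checkconf -t expects.
    staged = conf + "_" + str(os.getpid()) + "_" + str(random.randint(1, 100000))
    tmp = dnsbase + staged
    shutil.copy2(tname, tmp)
    slimlib.remove(tname)
    shutil.chown(tmp, "nobody", "nobody")
    os.chmod(tmp, 0o400)
    # Validate before replacing the live file, so a broken generation leaves
    # the previously working dns.conf in place instead of overwriting it.
    check = subprocess.run(["/sbin/named-checkconf", "-t", dnsbase, staged])
    if check.returncode != 0:
        syslog.syslog("ERROR: \"" + conf + "\" failed validation checks")
        slimlib.remove(tmp)
    else:
        os.rename(tmp, dst)
        subprocess.run(["/sbin/killall", "-q", "-HUP", "named"])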
def make_dev(path, major, minor):
    """Create the character device node *path* for (*major*, *minor*).

    Whatever currently exists at *path* is removed first; the new node is
    left world read/writable (mode 0666).
    """
    slimlib.remove(path)
    dev_id = os.makedev(major, minor)
    os.mknod(path, stat.S_IFCHR, device=dev_id)
    os.chmod(path, 0o666)
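# Boot fragment: prepare the BIND chroot and exec named.
# ``dnsbase`` is assigned earlier in this script, outside this fragment;
# the relative paths below ("dev", "var/dns") are resolved against the
# current directory, which is presumably the chroot - confirm.
for d in ["dev", "var", "etc"]:  # "dir" shadowed the builtin
    os.chmod(d, 0o755)
shutil.chown("var/dns", "nobody", "nobody")
if slimlib.opt_is_y("dnsWithAS112"):
    # The imported name is never used, so the module is loaded for its
    # side effects (presumably generating the hostname.as112 zone data).
    import make_db_hostname_as112
    shutil.copy2("/opt/dns/etc/db.as112.arpa", "var/dns")
    shutil.copy2("/opt/dns/etc/db.dd-empty", "var/dns")
    shutil.copy2("/opt/dns/etc/db.dr-empty", "var/dns")

conf = "/etc/dns.conf"
path = dnsbase + conf
custom = "/opt/config/dns.conf"
if os.path.isfile(custom):
    # A hand-written config wins over the generated one. The copy used the
    # relative path "opt/config/dns.conf" while the test used the absolute
    # one, so it failed whenever the cwd was not "/".
    slimlib.remove(path)
    shutil.copy2(custom, path)
    os.chmod(path, 0o600)
    shutil.chown(path, "nobody", "nobody")
else:
    import dns_conf
    dns_conf.make_dns_conf()

if subprocess.run(["/sbin/named-checkconf", "-t", dnsbase, conf]).returncode != 0:
    syslog.syslog("dns.conf failed named-checkconf")
    # Park the process instead of exiting; presumably keeps a supervisor
    # from respawning this script in a tight loop - confirm.
    os.execl("/bin/sleep", "/bin/sleep", "911")
os.execl("/usr/sbin/named", "/usr/sbin/named", "-u", "nobody", "-t", dnsbase, "-f", "-c", conf)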
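# Boot fragment: stage sshd's files under /ram/ssh and exec sshd.
# Decompress the DH moduli into the ramdisk.
with open("/ram/ssh/moduli", "w") as fd:
    subprocess.run(["/sbin/xz", "-dc", "/etc/moduli.xz"], stdout=fd)

# Persistent host keys live under /opt/config/ssh: reuse them when present,
# otherwise generate a fresh set and save it there for the next boot.
store = "/opt/config/ssh"
if os.path.isdir(store):
    slimlib.copytree(store, "/ram/ssh")
else:
    subprocess.run(["/sbin/ssh-keygen", "-A"])
    os.makedirs(store, exist_ok=True)
    slimlib.copytree("/ram/ssh", store)

# Only synthesise an sshd_config when the persistent store does not supply
# one. The original tested isdir() on the file path, which is false for a
# regular file, so a user-supplied sshd_config was always overwritten.
if not os.path.isfile(os.path.join(store, "sshd_config")):
    (tfd, tname) = tempfile.mkstemp()
    with os.fdopen(tfd, "w") as myf:
        if os.path.isdir("/etc/pam.d/."):
            print("UsePAM yes", file=myf)
        if slimlib.opt_is_y("allowRootSSH"):
            print("PermitRootLogin Yes", file=myf)
        # NOTE(review): this re-enables ssh-dss (DSA) user keys, which
        # OpenSSH disables by default; keep only if legacy clients need it.
        print("PubkeyAcceptedKeyTypes=+ssh-dss,ssh-rsa", file=myf)
    os.chmod(tname, stat.S_IRUSR)
    os.rename(tname, "/ram/ssh/sshd_config")
    slimlib.remove(tname)
os.execl("/usr/sbin/sshd", "/usr/sbin/sshd", "-D")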
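#! /sbin/python
#
# (c) Copyright 2017-2018 James Stevens ([email protected]) - All Rights Reserved
# see License.txt for details
#
# Boot step 10_ethernet: bring up eth0, assign the static addresses from the
# system config and record them in /ram/addrs for later boot steps.

import os, subprocess
import __opts__, opts, slimlib

print("BOOT: 10_ethernet")
subprocess.run(["/sbin/ip", "link", "set", "eth0", "up"])

dst = "/ram/addrs"
slimlib.remove(dst)
# Prefix length assumed when a static<N>IP= value has no "/len" suffix.
max_mask = {"4": 32, "6": 128}

with open(__opts__.syscfg, "r") as sysfd:
    with open(dst, "w") as afd:
        lines = [l.strip() for l in sysfd
                 if l.startswith("static4IP=") or l.startswith("static6IP=")]
        for l in lines:
            ipv = l[6]  # the "4" or "6" in "static<N>IP="
            val = l[10:].strip('"').strip("'")
            ip = val.split("/")
            if len(ip) == 1:
                # Was the bare int, which made ip[0] + "/" + ip[1] raise
                # TypeError for any address given without a prefix length.
                ip.append(str(max_mask[ipv]))
            sub = ip[0] + "/" + ip[1]
            # One line per address: "<ipver> <addr/len> <addr> <len>".
            print(ipv, sub, ip[0], ip[1], file=afd)
            subprocess.run(
                ["/sbin/ip", "-" + ipv, "addr", "add", sub, "dev", "eth0"])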
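#! /sbin/python
#
# (c) Copyright 2017-2018 James Stevens ([email protected]) - All Rights Reserved
# see License.txt for details
#
# Final boot step: harvest entropy, clear the just-booted marker, record the
# completion time and print a status line on the console.

import time, os
import slimlib, __opts__, opts

slimlib.capture_entropy()
slimlib.remove("/ram/just-booted")
with open("/tmp/all_done.log", "w") as fd:
    print(time.ctime(), file=fd)
with open("/dev/console", "w") as fd:
    if slimlib.opt_is_y("allowConsoleLogin"):
        # Fixed the "Atl-F2" typo in the console prompt.
        print("--------------- Press Alt-F2 to Login ---------------", file=fd)
    else:
        print("------------------ Boot Complete ---------------------", file=fd)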