def SetupSsh():
utils.LogStep('Configure SSH')
utils.WriteFile('/etc/ssh/sshd_not_to_be_run', 'GOOGLE')
utils.SecureDeleteFile('/etc/ssh/ssh_host_key')
utils.SecureDeleteFile('/etc/ssh/ssh_host_rsa_key*')
utils.SecureDeleteFile('/etc/ssh/ssh_host_dsa_key*')
utils.SecureDeleteFile('/etc/ssh/ssh_host_ecdsa_key*')
utils.WriteFile('/etc/ssh/ssh_config', ETC_SSH_SSH_CONFIG)
utils.Chmod('/etc/ssh/ssh_config', 644)
utils.WriteFile('/etc/ssh/sshd_config', ETC_SSH_SSHD_CONFIG)
utils.Chmod('/etc/ssh/sshd_config', 644)
utils.EnableService('sshd.service')
def InstallGoogleCloudSdk():
# TODO: There's a google-cloud-sdk in AUR which should be used
# but it's not optimal for cloud use. The image is too large.
utils.LogStep('Install Google Cloud SDK')
usr_share_google = '/usr/share/google'
archive = os.path.join(usr_share_google, 'google-cloud-sdk.zip')
unzip_dir = os.path.join(usr_share_google, 'google-cloud-sdk')
utils.CreateDirectory(usr_share_google)
utils.DownloadFile(
'https://dl.google.com/dl/cloudsdk/release/google-cloud-sdk.zip',
archive)
utils.Run(['unzip', archive, '-d', usr_share_google])
utils.AppendFile('/etc/bash.bashrc',
'export CLOUDSDK_PYTHON=/usr/bin/python2')
utils.Run([
os.path.join(unzip_dir, 'install.sh'), '--usage-reporting', 'false',
'--bash-completion', 'true', '--disable-installation-options',
'--rc-path', '/etc/bash.bashrc', '--path-update', 'true'
],
cwd=unzip_dir,
env={'CLOUDSDK_PYTHON': '/usr/bin/python2'})
utils.Symlink(os.path.join(unzip_dir, 'bin/gcloud'), '/usr/bin/gcloud')
utils.Symlink(os.path.join(unzip_dir, 'bin/gcutil'), '/usr/bin/gcutil')
utils.Symlink(os.path.join(unzip_dir, 'bin/gsutil'), '/usr/bin/gsutil')
utils.SecureDeleteFile(archive)
def InstallComputeImagePackages(packages_dir):
utils.LogStep('Install compute-image-packages')
utils.Run([
"egrep -lRZ 'python' %s | "
"xargs -0 -l sed -i -e '/#!.*python/c\#!/usr/bin/env python2'" %
packages_dir
],
shell=True)
utils.CopyFiles(os.path.join(packages_dir, 'google-daemon', '*'), '/')
utils.CopyFiles(os.path.join(packages_dir, 'google-startup-scripts', '*'),
'/')
utils.SecureDeleteFile('/README.md')
# TODO: Fix gcimagebundle does not work with Arch yet.
#InstallGcimagebundle(packages_dir)
# Patch Google services to run after the network is actually available.
PatchGoogleSystemdService(
'/usr/lib/systemd/system/google-startup-scripts.service')
PatchGoogleSystemdService(
'/usr/lib/systemd/system/google-accounts-manager.service')
PatchGoogleSystemdService(
'/usr/lib/systemd/system/google-address-manager.service')
PatchGoogleSystemdService('/usr/lib/systemd/system/google.service')
utils.EnableService('google-accounts-manager.service')
utils.EnableService('google-address-manager.service')
utils.EnableService('google.service')
utils.EnableService('google-startup-scripts.service')
utils.DeleteDirectory(packages_dir)
def UploadImage(image_path, gs_path, make_public=False):
utils.LogStep('Upload Image to Cloud Storage')
utils.SecureDeleteFile('~/.gsutil/*.url')
utils.Run(['gsutil', 'rm', gs_path])
utils.Run(['gsutil', 'cp', image_path, gs_path])
if make_public:
utils.Run(['gsutil', 'acl', 'set', 'public-read', gs_path])
def SetupNetwork():
utils.LogStep('Setup Networking')
utils.SecureDeleteFile('/etc/hostname')
utils.WriteFile('/etc/hosts', ETC_HOSTS)
utils.WriteFile('/etc/sysctl.d/70-disable-ipv6.conf',
ETC_SYSCTL_D_70_DISABLE_IPV6_CONF)
utils.EnableService('dhcpcd.service')
utils.EnableService('systemd-networkd.service')
utils.EnableService('systemd-networkd-wait-online.service')
def UploadImage(image_path, gs_path, make_public=False):
utils.LogStep('Upload Image to Cloud Storage')
utils.SecureDeleteFile('~/.gsutil/*.url')
utils.Run(['gsutil', 'rm', gs_path],
env={'CLOUDSDK_PYTHON': '/usr/bin/python2'})
utils.Run(['gsutil', 'cp', image_path, gs_path],
env={'CLOUDSDK_PYTHON': '/usr/bin/python2'})
if make_public:
utils.Run(['gsutil', 'acl', 'set', 'public-read', gs_path],
env={'CLOUDSDK_PYTHON': '/usr/bin/python2'})
def SetupNetwork():
utils.LogStep('Setup Networking')
utils.SecureDeleteFile('/etc/hostname')
utils.WriteFile('/etc/hosts', ETC_HOSTS)
utils.WriteFile('/etc/sysctl.d/70-disable-ipv6.conf',
ETC_SYSCTL_D_70_DISABLE_IPV6_CONF)
# https://wiki.archlinux.org/index.php/Network_configuration#Reverting_to_traditional_device_names
utils.Symlink('/dev/null', '/etc/udev/rules.d/80-net-setup-link.rules')
utils.EnableService('dhcpcd.service')
utils.EnableService('systemd-networkd.service')
utils.EnableService('systemd-networkd-wait-online.service')
def SetupNetwork():
utils.LogStep('Setup Networking')
utils.SecureDeleteFile('/etc/hostname')
utils.WriteFile('/etc/hosts', ETC_HOSTS)
utils.WriteFile('/etc/sysctl.d/70-disable-ipv6.conf',
ETC_SYSCTL_D_70_DISABLE_IPV6_CONF)
utils.EnableService('dhcpcd.service')
utils.EnableService('systemd-networkd.service')
utils.EnableService('systemd-networkd-wait-online.service')
# Set Google Compute specific MTU
# https://cloud.google.com/compute/docs/troubleshooting#packetfragmentation
utils.WriteFile('/etc/systemd/system/[email protected]', ETC_SYSTEM_D_SET_MTU)
utils.CreateDirectory('/etc/conf.d/')
utils.WriteFile('/etc/conf.d/setmtu', ETC_CONF_D_SET_MTU)
utils.EnableService('*****@*****.**')
def ConfigureSecurity():
utils.LogStep('Compute Engine Security Recommendations')
utils.WriteFile('/etc/sysctl.d/70-gce-security-strongly-recommended.conf',
ETC_SYSCTL_D_70_GCE_SECURITY_STRONGLY_RECOMMENDED_CONF)
utils.WriteFile('/etc/sysctl.d/70-gce-security-recommended.conf',
ETC_SYSCTL_D_70_GCE_SECURITY_RECOMMENDED_CONF)
utils.LogStep('Lock Root User Account')
utils.Run(['usermod', '-L', 'root'])
utils.LogStep('PAM Security Settings')
utils.WriteFile('/etc/pam.d/passwd', ETC_PAM_D_PASSWD)
utils.LogStep('Disable CAP_SYS_MODULE')
utils.WriteFile('/proc/sys/kernel/modules_disabled', '1')
utils.LogStep('Remove the kernel symbol table')
utils.SecureDeleteFile('/boot/System.map')
utils.LogStep('Sudo Access')
utils.WriteFile('/etc/sudoers.d/add-group-adm', ETC_SUDOERS_D_ADD_GROUP_ADM)
utils.Run(['chown', 'root:root', '/etc/sudoers.d/add-group-adm'])
utils.Run(['chmod', '0440', '/etc/sudoers.d/add-group-adm'])
