    def __call__(self, location: Location, system_context: SystemContext,
                 *args: typing.Any, **kwargs: typing.Any) -> None:
        """Set up an AMD CPU: enable nested KVM and stage the microcode image.

        Writes a modprobe snippet that turns on ``kvm_amd`` nested
        virtualization, installs ``amd-ucode`` through the ``pacman``
        command, and moves ``/boot/amd-ucode.img`` out of the system into
        ``<boot_directory>/initrd-parts/00-amd-ucode`` so it can be
        prepended to the initrd later.  ``args`` and ``kwargs`` are ignored.

        NOTE(review): the early-loaded microcode image is moved verbatim;
        nothing here checks it beyond whatever signature verification the
        ``pacman`` command performs on the package.
        """
        modprobe_snippet = b"options kvm_amd nested=1"
        create_file(system_context, "/etc/modprobe.d/kvm_amd.conf", modprobe_snippet)

        location.set_description("Install amd-ucode")
        self._execute(location, system_context, "pacman", "amd-ucode")

        # boot_directory is addressed with to_outside=True, i.e. it is a
        # host-side path rather than one inside the system tree.
        staging_dir = os.path.join(system_context.boot_directory, "initrd-parts")
        os.makedirs(staging_dir, exist_ok=True)
        staged_ucode = os.path.join(staging_dir, "00-amd-ucode")
        self._execute(location, system_context, "move",
                      "/boot/amd-ucode.img", staged_ucode, to_outside=True)
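def _setup_kubelet(location: Location, system_context: SystemContext, *,
                   master_ip: str, node_ip: str) -> None:
    """Install the kubelet state directory and systemd drop-in into the system.

    Args:
        location: current position in the system definition (not used
            here; kept for the common helper signature).
        system_context: the system being built; the paths below are
            relative to its root.
        master_ip: address of the Kubernetes master (``--master`` and
            ``--api-servers``).
        node_ip: address the kubelet binds to (``--address``).

    NOTE(review): the drop-in points the kubelet at
    ``http://<master_ip>:8080/`` -- the API server's plaintext,
    unauthenticated port.  Anyone who can reach the master on 8080 gets
    full cluster access, so this is only acceptable on an isolated control
    network; prefer the TLS port with a kubeconfig/client certificate.
    ``master_ip`` and ``node_ip`` are interpolated into the unit unchecked
    and must not contain newlines.
    """
    create_file(
        system_context,
        "/usr/lib/tmpfiles.d/kubelet.conf",
        "d /var/lib/kubelet 0700 - - -".encode("utf-8"),
        mode=0o644,
    )

    # The drop-in directory has to exist inside the system tree, so map the
    # path through system_context.file_name() (as the docker setup does)
    # instead of creating it on the build host; exist_ok keeps re-runs
    # idempotent.
    os.makedirs(
        system_context.file_name("/usr/lib/systemd/system/kubelet.service.d"),
        exist_ok=True,
    )
    create_file(
        system_context,
        "/usr/lib/systemd/system/kubelet.service.d/override.conf",
        textwrap.dedent("""\
                [Service]
                EnvironmentFile=
                ExecStart=
                ExecStart=/usr/bin/kubelet --logtostderr=true --v=0 \\
                    --master={master_ip} \\
                    --address={node_ip} --port 10250 \\
                    --api-servers=http://{master_ip}:8080/
                """).format(master_ip=master_ip,
                            node_ip=node_ip).encode("utf-8"),
        mode=0o644,
    )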
    def __call__(self, location: Location, system_context: SystemContext,
                 *args: typing.Any, **kwargs: typing.Any) -> None:
        """Write ``args[1]`` (after placeholder substitution) to ``args[0]``.

        Args:
            args: ``args[0]`` is the destination path inside the system;
                ``args[1]`` the file contents as text.  The contents are
                passed through ``system_context.substitute`` and then
                UTF-8 encoded.
            kwargs: forwarded unchanged to ``create_file`` (``mode``,
                ``force``, ...).

        NOTE(review): the path is neither substituted nor validated here;
        it reaches ``create_file`` verbatim.
        """
        target_path, raw_contents = args[0], args[1]
        expanded = system_context.substitute(raw_contents)
        create_file(system_context, target_path, expanded.encode("utf-8"), **kwargs)
    def __call__(self, location: Location, system_context: SystemContext,
                 *args: typing.Any, **kwargs: typing.Any) -> None:
        """Install the X.org server, site config snippets and an xinit hook.

        Installs ``xorg-server``/``xorg-server-xwayland`` with pacman, copies
        ``*`` from this system's config directory (host side) into
        ``/etc/X11/xorg.conf.d`` as root-owned 0644 files, drops an
        executable ``xinitrc.d`` snippet and finally runs ``pkg_fonts``.

        NOTE(review): the snippet runs ``xhost "+local:$$USER"``.  For the
        ``local:`` family xhost effectively ignores the name part, so this
        grants every local process -- any uid -- access to the X server, not
        only the logged-in user.  ``$$`` is also written literally; bash
        expands ``$$`` to the shell's PID unless ``create_file`` collapses
        it to ``$`` -- confirm which is intended.
        """
        self._execute(location, system_context, 'pacman', 'xorg-server',
                      'xorg-server-xwayland')

        snippet_glob = self._config_directory(system_context) + '/*'
        xorg_conf_d = '/etc/X11/xorg.conf.d'
        copy(system_context, snippet_glob, xorg_conf_d,
             from_outside=True, recursive=True)
        chown(system_context, 0, 0, xorg_conf_d + '/*')
        chmod(system_context, 0o644, xorg_conf_d + '/*')

        xinit_hook = textwrap.dedent('''\
        #!/usr/bin/bash

        # Allow local access for the user:
        xhost "+local:$$USER"
        ''')
        create_file(system_context,
                    '/etc/X11/xinit/xinitrc.d/99-access-to-user.sh',
                    xinit_hook.encode('utf-8'),
                    mode=0o755)

        self._execute(location.next_line(), system_context, 'pkg_fonts')
    def __call__(self, location: Location, system_context: SystemContext,
                 *args: typing.Any, **kwargs: typing.Any) -> None:
        """Install the X.org server, site config snippets and an xinit hook.

        Installs ``xorg-server``/``xorg-server-xwayland`` with pacman, copies
        ``*`` from this system's config directory (host side) into
        ``/etc/X11/xorg.conf.d`` as root-owned 0644 files, drops an
        executable ``xinitrc.d`` snippet and finally runs ``pkg_fonts``.

        NOTE(review): the snippet runs ``xhost "+local:$$USER"``.  For the
        ``local:`` family xhost effectively ignores the name part, so this
        grants every local process -- any uid -- access to the X server, not
        only the logged-in user.  ``$$`` is also written literally; bash
        expands ``$$`` to the shell's PID unless ``create_file`` collapses
        it to ``$`` -- confirm which is intended.
        """
        self._execute(location, system_context, "pacman", "xorg-server",
                      "xorg-server-xwayland")

        conf_d = "/etc/X11/xorg.conf.d"
        snippets = f"{conf_d}/*"
        copy(system_context, self._config_directory(system_context) + "/*",
             conf_d, from_outside=True, recursive=True)
        chown(system_context, 0, 0, snippets)
        chmod(system_context, 0o644, snippets)

        hook_lines = [
            "#!/usr/bin/bash",
            "",
            "# Allow local access for the user:",
            'xhost "+local:$$USER"',
            "",
        ]
        create_file(system_context,
                    "/etc/X11/xinit/xinitrc.d/99-access-to-user.sh",
                    "\n".join(hook_lines).encode("utf-8"),
                    mode=0o755)

        self._execute(location.next_line(), system_context, "pkg_fonts")
    def _install_mkinitcpio(
            self, location: Location,
            system_context: SystemContext) -> typing.Sequence[str]:
        """Install mkinitcpio and configure it for a systemd-based initrd.

        Rewrites the HOOKS line in ``/etc/mkinitcpio.conf``, appends
        ``COMPRESSION="cat"`` (the initramfs is stored uncompressed), writes
        a ``cleanroom`` preset building ``/boot/initramfs.img`` from
        ``/boot/vmlinuz`` and runs a sed over that preset.

        Returns:
            Paths (globs allowed) the caller should remove from the system
            once the initrd has been generated.

        NOTE(review): the final sed pattern ``/initramfs-linux.*.img`` does
        not occur in the preset written just above (its image is
        ``/boot/initramfs.img``), so that step appears to be a no-op left
        over from editing the stock preset -- confirm.
        """
        leftovers = ["/etc/mkinitcpio.d", "/etc/mkinitcpio.conf", "/boot/vmlinu*"]

        location.set_description("Install mkinitcpio")
        self._execute(location, system_context, "pacman", "mkinitcpio")

        location.set_description("Fix up mkinitcpio.conf")
        hooks_line = ("cHOOKS=(base systemd keyboard sd-vconsole "
                      "sd-encrypt block sd-lvm2 filesystems btrfs "
                      "sd-shutdown)")
        self._execute(location.next_line(), system_context, "sed",
                      "/^HOOKS=/ " + hooks_line, "/etc/mkinitcpio.conf")
        self._execute(location.next_line(), system_context, "append",
                      "/etc/mkinitcpio.conf", 'COMPRESSION="cat"')

        location.set_description("Create mkinitcpio presets")
        preset = textwrap.dedent("""\
        # mkinitcpio preset file for cleanroom

        ALL_config="/etc/mkinitcpio.conf"
        ALL_kver="/boot/vmlinuz"

        PRESETS=('default')

        #default_config="/etc/mkinitcpio.conf"
        default_image="/boot/initramfs.img"
        #default_options=""
        """)
        create_file(system_context, "/etc/mkinitcpio.d/cleanroom.preset",
                    preset.encode("utf-8"))
        self._execute(location.next_line(), system_context, "sed",
                      "s%/initramfs-linux.*.img%/initrd%",
                      "/etc/mkinitcpio.d/cleanroom.preset")

        return leftovers
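 def _persistent_known_hosts(self, location: Location,
                             system_context: SystemContext) -> None:
     """Make ``/etc/ssh/ssh_known_hosts`` a symlink into writable ``/var``.

     Installs a tmpfiles.d snippet -- only if ``/usr/lib/tmpfiles.d/ssh.conf``
     does not exist yet -- that creates ``/var/etc/ssh/ssh_known_hosts`` at
     boot and links ``/etc/ssh/ssh_known_hosts`` to it.

     Fix: the directory line used mode ``644``.  A directory without the
     search (execute) bit cannot be traversed by non-root users, so the
     ssh client, which runs as the user, could not open the known_hosts
     file behind the symlink.  ``0755`` is the normal directory mode; the
     file itself stays root-owned ``0644`` (world-readable, root-writable).
     """
     if not exists(system_context, "/usr/lib/tmpfiles.d/ssh.conf"):
         create_file(
             system_context,
             "/usr/lib/tmpfiles.d/ssh.conf",
             textwrap.dedent("""\
                 d /var/etc/ssh 0755 root root - -
                 f /var/etc/ssh/ssh_known_hosts 0644 root root -
                 L /etc/ssh/ssh_known_hosts - - - - /var/etc/ssh/ssh_known_hosts
                 """).encode("utf-8"),
             mode=0o644,
         )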
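def _setup_kube_proxy(location: Location, system_context: SystemContext, *,
                      master_ip: str) -> None:
    """Install the kube-proxy systemd drop-in pointing at ``master_ip``.

    Args:
        location: current position in the system definition (unused).
        system_context: the system being built.
        master_ip: address passed to kube-proxy as ``--master``.

    NOTE(review): ``--master`` is given without a scheme and no kubeconfig
    or TLS material is configured, so the connection to the API server is
    presumably unauthenticated plaintext -- fine only on an isolated
    control network.  ``master_ip`` is interpolated unchecked and must not
    contain newlines.
    """
    # Create the drop-in directory inside the system tree (via
    # system_context.file_name(), as the docker setup does) rather than on
    # the build host; exist_ok keeps re-runs idempotent.
    drop_in_dir = '/usr/lib/systemd/system/kube-proxy.service.d'
    os.makedirs(system_context.file_name(drop_in_dir), exist_ok=True)
    create_file(system_context,
                drop_in_dir + '/override.conf',
                textwrap.dedent('''\
                [Service]
                EnvironmentFile=
                ExecStart=
                ExecStart=/usr/bin/kube-proxy --logtostderr=true --v=0 \\
                    --master={master_ip} 
                ''').format(master_ip=master_ip).encode('utf-8'),
                mode=0o644)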
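def _setup_kube_proxy(location: Location, system_context: SystemContext, *,
                      master_ip: str) -> None:
    """Install the kube-proxy systemd drop-in pointing at ``master_ip``.

    Args:
        location: current position in the system definition (unused).
        system_context: the system being built.
        master_ip: address passed to kube-proxy as ``--master``.

    NOTE(review): ``--master`` is given without a scheme and no kubeconfig
    or TLS material is configured, so the connection to the API server is
    presumably unauthenticated plaintext -- fine only on an isolated
    control network.  ``master_ip`` is interpolated unchecked and must not
    contain newlines.
    """
    # Create the drop-in directory inside the system tree (via
    # system_context.file_name(), as the docker setup does) rather than on
    # the build host; exist_ok keeps re-runs idempotent.
    drop_in_dir = "/usr/lib/systemd/system/kube-proxy.service.d"
    os.makedirs(system_context.file_name(drop_in_dir), exist_ok=True)
    create_file(
        system_context,
        drop_in_dir + "/override.conf",
        textwrap.dedent(f"""\
                [Service]
                EnvironmentFile=
                ExecStart=
                ExecStart=/usr/bin/kube-proxy --logtostderr=true --v=0 \\
                    --master={master_ip} 
                """).encode("utf-8"),
        mode=0o644,
    )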
def _setup_docker(location: Location, system_context: SystemContext) -> None:
    """Install a dockerd drop-in that attaches containers to the ``cb0`` bridge.

    The override replaces dockerd's ExecStart: socket activation
    (``-H fd://``), a pre-existing ``cb0`` bridge, and no docker-managed
    iptables rules or masquerading.

    NOTE(review): ``--insecure-registry 10.0.0.0/8`` lets dockerd pull over
    plain HTTP or with an unverified certificate from *any* host in the
    whole 10/8 range; image provenance then rests entirely on that network
    being trusted.  Narrow it to the registry's real address if possible.
    Also note ``--bridge=cb0`` while the networkd files in this tree create
    a bridge named ``cbr0`` -- confirm the intended name.
    """
    drop_in_dir = '/usr/lib/systemd/system/docker.service.d'
    os.makedirs(system_context.file_name(drop_in_dir))
    override = textwrap.dedent('''\
    [Service]
    ExecStart=
    ExecStart=/usr/bin/dockerd -H fd:// \\
        --bridge=cb0 \\
        --iptables=false \\
        --ip-masq=false \\
        --insecure-registry 10.0.0.0/8
    ''')
    create_file(system_context, drop_in_dir + '/override.conf',
                override.encode('utf-8'), mode=0o644)
    def __call__(self, location: Location, system_context: SystemContext,
                 *args: typing.Any, **kwargs: typing.Any) -> None:
        """Set up an AMD CPU: enable nested KVM and stage the microcode image.

        Writes a modprobe snippet enabling ``kvm_amd`` nested virtualization,
        installs ``amd-ucode`` with the ``pacman`` command and moves
        ``/boot/amd-ucode.img`` out of the system into
        ``<boot_directory>/initrd-parts/00-amd-ucode`` for later initrd
        assembly.  ``args`` and ``kwargs`` are ignored.
        """
        create_file(system_context, '/etc/modprobe.d/kvm_amd.conf',
                    b'options kvm_amd nested=1')

        location.set_description('Install amd-ucode')
        self._execute(location, system_context, 'pacman', 'amd-ucode')

        # to_outside=True: the destination is a host-side path, not one
        # inside the system tree.
        staging = os.path.join(system_context.boot_directory, 'initrd-parts')
        os.makedirs(staging, exist_ok=True)
        self._execute(location, system_context, 'move',
                      '/boot/amd-ucode.img',
                      os.path.join(staging, '00-amd-ucode'),
                      to_outside=True)
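    def __call__(self, location: Location, system_context: SystemContext,
                 *args: typing.Any, **kwargs: typing.Any) -> None:
        """Install usbguard with its rules and IPC ACLs relocated to ``/var``.

        Installs the package, enables ``usbguard-dbus.service``, creates the
        ``/var/lib/usbguard`` tree via tmpfiles (``rules.conf`` 0600), points
        the daemon config at that tree, removes the ``/etc`` copies and adds
        a service drop-in working around USBGuard issue #287.

        Fix: the sed patterns were written as ``'\\/'`` inside a regular
        string literal.  ``\\/`` is not a valid Python escape (a
        SyntaxWarning since 3.12); doubling the backslash produces the same
        runtime bytes without the warning.

        NOTE(review): ``CapabilityBoundingSet=`` in a drop-in is merged with
        the unit's own set, so the bugfix *adds* CAP_DAC_OVERRIDE to the
        daemon; ``ReadWritePaths=`` limits what that can be used for on the
        file-system side only.
        """
        self._execute(location, system_context, 'pacman', 'usbguard')

        # Enable the daemon (actually set up socket activation).
        self._execute(location.next_line(), system_context, 'systemd_enable',
                      'usbguard-dbus.service')

        create_file(
            system_context, '/usr/lib/tmpfiles.d/usbguard.conf',
            textwrap.dedent('''\
                    d /var/log/usbguard 0750 root root - -

                    d /var/lib/usbguard 0750 root root - -
                    d /var/lib/usbguard/IPCAccessControl.d 0755 root root - -
                    f /var/lib/usbguard/rules.conf 0600 root root - -
                    ''').encode('utf-8'))

        # Point the daemon at the /var copies instead of /etc.
        daemon_conf = '/etc/usbguard/usbguard-daemon.conf'
        self._execute(
            location.next_line(), system_context, 'sed',
            '/RuleFile=\\/etc/ cRuleFile=/var/lib/usbguard/rules.conf',
            daemon_conf)
        self._execute(
            location.next_line(), system_context, 'sed',
            '/IPCAccessControlFiles=\\/etc/ cIPCAccessControlFiles=/var/lib/usbguard/IPCAccessControl.d',
            daemon_conf)

        remove(system_context,
               '/etc/usbguard/rules.conf',
               '/etc/usbguard/IPCAccessControl.d',
               recursive=True)

        # Fix for https://github.com/USBGuard/usbguard/issues/287
        makedirs(system_context, '/usr/lib/systemd/system/usbguard.service.d')
        create_file(
            system_context,
            '/usr/lib/systemd/system/usbguard.service.d/bugfix.conf',
            textwrap.dedent('''\
                    [Service]
                    CapabilityBoundingSet=CAP_DAC_OVERRIDE
                    ReadWritePaths=-/var/lib/usbguard/rules.conf
                    ''').encode('utf-8'))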
    def _install_mkinitcpio(
            self, location: Location,
            system_context: SystemContext) -> typing.Sequence[str]:
        """Install mkinitcpio and configure it for a systemd-based initrd.

        Rewrites the HOOKS line of ``/etc/mkinitcpio.conf`` (systemd,
        sd-encrypt, sd-lvm2, btrfs, sd-verity, sd-volatile, ...), writes a
        ``cleanroom`` preset that builds ``/boot/initramfs.img`` from
        ``/boot/vmlinuz`` and runs a sed over that preset.

        Returns:
            Paths (globs allowed) the caller should remove from the system
            once the initrd has been generated.

        NOTE(review): the sed pattern ``/initramfs-linux.*.img`` does not
        occur in the preset written just above (its image is
        ``/boot/initramfs.img``), so that step looks like a no-op -- confirm.
        """
        location.set_description('Install mkinitcpio')
        self._execute(location, system_context, 'pacman', 'mkinitcpio')

        location.set_description('Fix up mkinitcpio.conf')
        hooks = ' '.join([
            'base', 'systemd', 'keyboard', 'sd-vconsole',
            'sd-encrypt', 'block', 'sd-lvm2', 'filesystems', 'btrfs',
            'sd-check-bios', 'sd-stateless', 'sd-verity',
            'sd-volatile', 'sd-boot-image',
            'sd-shutdown',
        ])
        self._execute(location.next_line(), system_context, 'sed',
                      '/^HOOKS=/ cHOOKS="' + hooks + '"',
                      '/etc/mkinitcpio.conf')

        location.set_description('Create mkinitcpio presets')
        preset_path = '/etc/mkinitcpio.d/cleanroom.preset'
        preset_text = textwrap.dedent('''\
        # mkinitcpio preset file for cleanroom

        ALL_config="/etc/mkinitcpio.conf"
        ALL_kver="/boot/vmlinuz"

        PRESETS=('default')

        #default_config="/etc/mkinitcpio.conf"
        default_image="/boot/initramfs.img"
        #default_options=""
        ''')
        create_file(system_context, preset_path, preset_text.encode('utf-8'))

        self._execute(location.next_line(), system_context, 'sed',
                      's%/initramfs-linux.*.img%/initrd%', preset_path)

        return ['/etc/mkinitcpio.d', '/etc/mkinitcpio.conf', '/boot/vmlinu*']
    def __call__(self, location: Location, system_context: SystemContext,
                 *args: typing.Any, **kwargs: typing.Any) -> None:
        """Enable systemd-homed and seed its key pair from ``args``.

        Args:
            args: ``args[0]`` is the PEM private key, ``args[1]`` the PEM
                public key, both as text.  ``kwargs`` are ignored.

        Raises:
            GenerateError: if either blob lacks the expected PEM header
                (``BEGIN PRIVATE KEY`` / ``BEGIN PUBLIC KEY``).

        The keys are written to ``/usr/share/factory/var/lib/systemd/home``
        as root-owned 0600 files (directory 0700) and a tmpfiles ``C`` line
        copies that directory to ``/var/lib/systemd/home`` at boot.

        NOTE(review): validation is a header substring check only -- it
        does not parse the key, and it rejects PKCS#1 ``BEGIN RSA PRIVATE
        KEY`` blobs.  The private key becomes part of the image under
        ``/usr``, so anyone able to read the image can sign home records;
        treat the image as secret or provision the key per machine.
        """
        private_key, public_key = args[0], args[1]

        location.set_description("Validate keys")
        if "BEGIN PRIVATE KEY" not in private_key:
            raise GenerateError("Private key blob is not a private key.",
                                location=location)
        if "BEGIN PUBLIC KEY" not in public_key:
            raise GenerateError("Public key blob is not a public key.",
                                location=location)

        # Enable the daemon (actually set up socket activation).
        location.set_description("Enableing homed service")
        self._execute(location.next_line(), system_context,
                      "systemd_enable", "systemd-homed.service")

        # Install keys into /usr (factory tree, copied to /var at boot).
        key_dir = "/usr/share/factory/var/lib/systemd/home"
        location.set_description("Setup keys")
        makedirs(system_context, key_dir, mode=0o700)
        for key_name, pem in (("local.private", private_key),
                              ("local.public", public_key)):
            create_file(system_context, key_dir + "/" + key_name,
                        pem.encode("utf-8"), mode=0o600)
        chmod(system_context, 0o600, key_dir + "/*")
        chown(system_context, 0, 0, key_dir + "/*")

        create_file(system_context,
                    "/usr/lib/tmpfiles.d/systemd-homed.conf",
                    textwrap.dedent("""\
                    C /var/lib/systemd/home - - - -
                    """).encode("utf-8"),
                    mode=0o644)
    def _create_systemd_units(
            self, location: Location,
            system_context: SystemContext) -> typing.Sequence[str]:
        """Write the extra initrd systemd units this system needs.

        Always writes ``initrd-check-bios.service`` and
        ``initrd-sysroot-setup.service``; adds
        ``initrd-find-root-lv-partitions.service`` when ``self._vg`` is set
        and ``images.mount`` plus ``initrd-find-image-partitions.service``
        when ``self._image_device`` is set.  All units are 0644.

        Returns:
            All five unit paths -- whether or not they were written -- for
            the caller to remove from the system again later.

        NOTE(review): unit contents are built with str.format from
        ``self._vg``, ``self._full_name``, ``self._image_device``,
        ``self._image_fs`` and ``self._image_options`` without escaping.
        In particular ``dev-{vg}-{name}.device`` is not systemd-escaped, so
        a VG or LV name containing ``-`` will presumably not match the real
        device unit -- confirm callers constrain those names.
        """
        location.set_description("Install extra systemd units")
        to_clean_up = [
            "/usr/lib/systemd/system/initrd-check-bios.service",
            "/usr/lib/systemd/system/initrd-sysroot-setup.service",
            "/usr/lib/systemd/system/initrd-find-root-lv-partitions.service",
            "/usr/lib/systemd/system/images.mount",
            "/usr/lib/systemd/system/initrd-find-image-partitions.service",
        ]
        # Runs /usr/bin/initrd-check-bios.sh once /sysroot is mounted and
        # before the root fs target; output goes to journal and console.
        create_file(
            system_context,
            "/usr/lib/systemd/system/initrd-check-bios.service",
            textwrap.dedent("""\
                    [Unit]
                    Description=Print TPM configuration
                    DefaultDependencies=no
                    Requires=sysroot.mount
                    After=sysroot.mount systemd-volatile-root.service
                    Before=initrd-root-fs.target shutdown.target
                    Conflicts=shutdown.target
                    
                    [Service]
                    Type=oneshot
                    RemainAfterExit=yes
                    ExecStart=/usr/bin/initrd-check-bios.sh
                    StandardOutput=journal+console
                    
                    [Install]
                    WantedBy=initrd-root-device.target
                    """).encode("utf-8"),
            mode=0o644,
        )

        # Unpacks /sysroot/usr/lib/boot/root-fs.tar over /sysroot; the
        # ConditionPathExists skips the unit when there is no tarball.  The
        # tarball comes from the system's own /usr, so it is only as
        # trustworthy as /usr itself (verity etc. is set up elsewhere).
        create_file(
            system_context,
            "/usr/lib/systemd/system/initrd-sysroot-setup.service",
            textwrap.dedent("""\
                    [Unit]
                    Description=Set up root fs in /sysroot
                    DefaultDependencies=no
                    ConditionPathExists=/sysroot/usr/lib/boot/root-fs.tar
                    Requires=sysroot.mount
                    After=sysroot.mount systemd-volatile-root.service
                    Before=initrd-root-fs.target shutdown.target
                    Conflicts=shutdown.target
                    AssertPathExists=/etc/initrd-release
                    
                    [Service]
                    Type=oneshot
                    RemainAfterExit=yes
                    ExecStart=/usr/bin/tar -C /sysroot -xf /sysroot/usr/lib/boot/root-fs.tar
                    """).encode("utf-8"),
            mode=0o644,
        )

        if self._vg is not None:
            # Re-read the partition table of the root LV once its device
            # unit appears, so partitions inside the LV become visible.
            device_name = "dev-{}-{}".format(self._vg, self._full_name)
            create_file(
                system_context,
                "/usr/lib/systemd/system/initrd-find-root-lv-partitions.service",
                textwrap.dedent("""\
                        [Unit]
                        Description=Find partitions in root LV
                        DefaultDependencies=no
                        ConditionPathExists=/dev/{1}/{2}
                        After={0}.device
                        BindsTo={0}.device
                        Requisite={0}.device
                        
                        [Service]
                        WorkingDirectory=/
                        Type=oneshot
                        RemainAfterExit=yes
                        ExecStart=/usr/bin/partprobe /dev/{1}/{2}
                        
                        [Install]
                        WantedBy={0}.device
                        """).format(device_name, self._vg,
                                    self._full_name).encode("utf-8"),
                mode=0o644,
            )

        if self._image_device is not None:
            # NOTE(review): the "[email protected]" token in the unit below is a
            # scraping / e-mail-obfuscation artifact that replaced the original
            # directive (something of the form "Key=name@instance.service").
            # The unit cannot be used as written; restore the directive from
            # the upstream source before relying on this block.
            create_file(
                system_context,
                "/usr/lib/systemd/system/images.mount",
                textwrap.dedent("""\
                        [Unit]
                        Description=Mount /images in initrd
                        DefaultDependencies=no
                        [email protected]
                        
                        [Mount]
                        What={}
                        Where=/images
                        Type={}
                        Options={}
                        """).format(self._image_device, self._image_fs,
                                    self._image_options).encode("utf-8"),
                mode=0o644,
            )

            # Attaches the image file as a loop device with partition
            # scanning once /images is mounted.
            # NOTE(review): ExecStop runs "losetup --detach-all", which
            # detaches *every* loop device on the system, not just the one
            # set up here.
            create_file(
                system_context,
                "/usr/lib/systemd/system/initrd-find-image-partitions.service",
                textwrap.dedent("""\
                        [Unit]
                        Description=Find partitions in image files
                        DefaultDependencies=no
                        ConditionFileNotEmpty=/images/{0}
                        After=images.mount
                        BindsTo=images.mount
                        Requisite=images.mount
                        
                        [Service]
                        WorkingDirectory=/
                        Type=oneshot
                        RemainAfterExit=yes
                        ExecStart=/usr/bin/losetup --find --partscan /images/{0}
                        ExecStop=/usr/bin/losetup --detach-all
                        
                        [Install]
                        WantedBy=images.mount
                        """).format(self._full_name).encode("utf-8"),
                mode=0o644,
            )

        return to_clean_up
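def _create_install_hook(location: Location, system_context: SystemContext,
                         name: str, contents: str) -> str:
    """Write a mkinitcpio install hook called ``name`` into the system.

    Args:
        location: current position in the system definition; its
            description is updated for progress reporting.
        system_context: the system being built.
        name: bare file name of the hook -- no directory components.
        contents: the hook's text; written UTF-8 encoded with
            ``create_file``'s default mode.

    Returns:
        The hook's path inside the system,
        ``/usr/lib/initcpio/install/<name>``.

    Raises:
        ValueError: if ``name`` is empty, ``.``/``..``, or contains a path
            separator -- any of which would let ``os.path.join`` place the
            file outside the hook directory.
    """
    # Guard the join: install hooks are presumably sourced by mkinitcpio
    # as root, so a name such as "../../etc/profile.d/x" must never be
    # written anywhere but the hook directory.
    if not name or name in (".", "..") or os.path.basename(name) != name:
        raise ValueError("invalid mkinitcpio hook name: {!r}".format(name))

    location.set_description("install mkinitcpio install hook {}".format(name))
    hook_path = os.path.join("/usr/lib/initcpio/install", name)
    create_file(system_context, hook_path, contents.encode("utf-8"))
    return hook_path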
    def __call__(self, location: Location, system_context: SystemContext,
                 *args: typing.Any, **kwargs: typing.Any) -> None:
        """Enable systemd-homed, seed its key pair and rewrite PAM for it.

        Args:
            args: ``args[0]`` is the PEM private key, ``args[1]`` the PEM
                public key, both as text.  ``kwargs`` are ignored.

        Raises:
            GenerateError: if either blob lacks the expected PEM header.

        Keys go to ``/usr/share/factory/var/lib/systemd/home`` (root, 0600,
        directory 0700) and are copied to ``/var/lib/systemd/home`` at boot
        by a tmpfiles ``C`` line.  ``/etc/pam.d/system-auth`` is then
        replaced (``force=True``) with a stack that tries
        ``pam_systemd_home.so`` before ``pam_unix.so``.

        NOTE(review): the private key becomes part of the image under
        ``/usr``; anyone able to read the image can sign home records.
        The PAM stack keeps ``nullok`` on pam_unix, i.e. classic accounts
        with an empty password can log in -- drop it unless that is wanted.
        """

        private_key = args[0]
        public_key = args[1]

        # Header substring check only: the blobs are not parsed, and PKCS#1
        # "BEGIN RSA PRIVATE KEY" is rejected because it lacks this exact
        # marker.
        location.set_description('Validate keys')
        if not "BEGIN PRIVATE KEY" in private_key:
            raise GenerateError("Private key blob is not a private key.",
                                location=location)

        if not "BEGIN PUBLIC KEY" in public_key:
            raise GenerateError("Public key blob is not a public key.",
                                location=location)

        # enable the daemon (actually set up socket activation)
        location.set_description('Enableing homed service')
        self._execute(location.next_line(), system_context, 'systemd_enable',
                      'systemd-homed.service')

        # Install keys into /usr:
        location.set_description('Setup keys')
        makedirs(system_context,
                 '/usr/share/factory/var/lib/systemd/home',
                 mode=0o700)
        create_file(system_context,
                    '/usr/share/factory/var/lib/systemd/home/local.private',
                    private_key.encode('utf-8'),
                    mode=0o600)
        create_file(system_context,
                    '/usr/share/factory/var/lib/systemd/home/local.public',
                    public_key.encode('utf-8'),
                    mode=0o600)
        # Belt and braces: create_file already set 0600, but force ownership
        # and mode on everything in the directory.
        chmod(system_context, 0o600,
              '/usr/share/factory/var/lib/systemd/home/*')
        chown(system_context, 0, 0,
              '/usr/share/factory/var/lib/systemd/home/*')

        # Set up copying of keys to var:
        create_file(system_context,
                    '/usr/lib/tmpfiles.d/systemd-homed.conf',
                    textwrap.dedent('''\
                    C /var/lib/systemd/home - - - - 
                    ''').encode('utf-8'),
                    mode=0o644)

        # Fix up pam:
        # "[success=1 ...]" jumps over the following pam_unix line when homed
        # handles the user; user_unknown=ignore lets non-homed accounts fall
        # through to pam_unix.  force=True presumably overwrites the stock
        # system-auth shipped by the distribution.
        location.set_description('Setting up PAM for homed')
        create_file(system_context,
                    '/etc/pam.d/system-auth',
                    textwrap.dedent('''\
                    #%PAM-1.0

                    auth     [success=1 new_authtok_reqd=1 ignore=ignore user_unknown=ignore default=bad] pam_systemd_home.so
                    auth     required   pam_unix.so try_first_pass nullok
                    auth     optional   pam_permit.so
                    auth     required   pam_env.so

                    account  [success=1 new_authtok_reqd=1 ignore=ignore user_unknown=ignore default=bad] pam_systemd_home.so
                    account  required   pam_unix.so
                    account  optional   pam_permit.so
                    account  required   pam_time.so

                    password [success=1 new_authtok_reqd=1 ignore=ignore user_unknown=ignore default=bad] pam_systemd_home.so
                    password required   pam_unix.so try_first_pass nullok sha512 shadow
                    password optional   pam_permit.so

                    session  required   pam_limits.so
                    session  [success=1 new_authtok_reqd=1 ignore=ignore user_unknown=ignore default=bad] pam_systemd_home.so
                    session  required   pam_unix.so
                    session  optional   pam_permit.so
                    ''').encode('utf-8'),
                    mode=0o644,
                    force=True)
def _setup_network(location: Location, system_context: SystemContext, *,
                   cluster_name: str, cluster_id: int, node_id: int,
                   outside_match: str, cluster_match: str, gateway: str,
                   dns: str, ntp: str) -> None:
    """Write the systemd-networkd files for a Kubernetes node.

    Four 0644 files under ``/usr/lib/systemd/network``:

    * ``20-cbr0-bridge.netdev`` -- the ``cbr0`` pod bridge;
    * ``10-extern.network`` -- the uplink matched by ``outside_match``,
      addressed ``10.128.<cluster_id>.<node_id>/8`` with IP forwarding and
      masquerading enabled;
    * ``30-cbr.network`` -- ``cbr0`` itself at
      ``10.<cluster_id + 128>.<node_id>.1/16``;
    * ``40-cbr-outside-if.network`` -- interfaces matched by
      ``cluster_match`` enslaved to ``cbr0``.

    NOTE(review): ``outside_match`` and ``cluster_match`` are pasted
    verbatim as the ``[Match]`` body and the remaining values straight into
    keys; nothing is validated, so a value containing a newline adds
    arbitrary directives.  ``IPForward=yes`` + ``IPMasquerade=yes`` makes
    the node a NAT router for anything that reaches it over ``cbr0``.
    """
    network_dir = '/usr/lib/systemd/network'

    def _write(file_name: str, text: str) -> None:
        create_file(system_context, network_dir + '/' + file_name,
                    text.encode('utf-8'), mode=0o644)

    _write('20-cbr0-bridge.netdev', textwrap.dedent('''\
    [NetDev]
    Description=Internal POD bridge
    Name=cbr0
    Kind=bridge
    '''))

    _write('10-extern.network', textwrap.dedent('''\
    [Match]
    {outside_match}

    [Network]
    Description=Node network
    Address=10.128.{cluster_id}.{node_id}/8
    Gateway={gateway}
    DNS={dns}
    NTP={ntp}
    IPForward=yes
    IPMasquerade=yes
    ''').format(outside_match=outside_match, cluster_id=cluster_id,
                node_id=node_id, gateway=gateway, dns=dns, ntp=ntp))

    _write('30-cbr.network', textwrap.dedent('''\
    [Match]
    Name=cbr0

    [Network]
    Description={cluster_name} pod bridge setup
    Address=10.{cluster_offset}.{node_id}.1/16
    ''').format(cluster_name=cluster_name, cluster_offset=cluster_id + 128,
                node_id=node_id))

    _write('40-cbr-outside-if.network', textwrap.dedent('''\
    [Match]
    {cluster_match}

    [Network]
    Description={cluster_name} pod bridge outside connectivity
    Bridge=cbr0
    ''').format(cluster_name=cluster_name, cluster_match=cluster_match))
    def __call__(
        self,
        location: Location,
        system_context: SystemContext,
        *args: typing.Any,
        **kwargs: typing.Any
    ) -> None:
        """Enable systemd-homed, seed its key pair and rewrite PAM for it.

        Args:
            args: ``args[0]`` is the PEM private key, ``args[1]`` the PEM
                public key, both as text.  ``kwargs`` are ignored.

        Raises:
            GenerateError: if either blob lacks the expected PEM header.

        Keys go to ``/usr/share/factory/var/lib/systemd/home`` (root, 0600,
        directory 0700) and are copied to ``/var/lib/systemd/home`` at boot
        by a tmpfiles ``C`` line.  A new ``/etc/pam.d/nss-auth`` stack tries
        ``pam_unix.so`` then ``pam_systemd_home.so`` (``sufficient`` each,
        ``pam_deny.so`` last) and ``/etc/pam.d/system-auth`` is replaced
        (``force=True``) to include it via ``substack``.

        NOTE(review): the private key becomes part of the image under
        ``/usr``; anyone able to read the image can sign home records.
        ``nullok`` on pam_unix lets classic accounts with an empty password
        authenticate -- drop it unless that is intended.
        """

        private_key = args[0]
        public_key = args[1]

        # Header substring check only: the blobs are not parsed, and PKCS#1
        # "BEGIN RSA PRIVATE KEY" is rejected because it lacks this marker.
        location.set_description("Validate keys")
        if not "BEGIN PRIVATE KEY" in private_key:
            raise GenerateError(
                "Private key blob is not a private key.", location=location
            )

        if not "BEGIN PUBLIC KEY" in public_key:
            raise GenerateError(
                "Public key blob is not a public key.", location=location
            )

        # enable the daemon (actually set up socket activation)
        location.set_description("Enableing homed service")
        self._execute(
            location.next_line(),
            system_context,
            "systemd_enable",
            "systemd-homed.service",
        )

        # Install keys into /usr:
        location.set_description("Setup keys")
        makedirs(system_context, "/usr/share/factory/var/lib/systemd/home", mode=0o700)
        create_file(
            system_context,
            "/usr/share/factory/var/lib/systemd/home/local.private",
            private_key.encode("utf-8"),
            mode=0o600,
        )
        create_file(
            system_context,
            "/usr/share/factory/var/lib/systemd/home/local.public",
            public_key.encode("utf-8"),
            mode=0o600,
        )
        # Belt and braces: create_file already set 0600, but force ownership
        # and mode on everything in the directory.
        chmod(system_context, 0o600, "/usr/share/factory/var/lib/systemd/home/*")
        chown(system_context, 0, 0, "/usr/share/factory/var/lib/systemd/home/*")

        # Set up copying of keys to var:
        create_file(
            system_context,
            "/usr/lib/tmpfiles.d/systemd-homed.conf",
            textwrap.dedent(
                """\
                    C /var/lib/systemd/home - - - - 
                    """
            ).encode("utf-8"),
            mode=0o644,
        )

        # Fix up pam:
        # nss-auth: "sufficient" short-circuits on the first module that
        # succeeds, so pam_unix is consulted before homed; pam_deny makes the
        # stack fail closed when neither accepts the user.
        location.set_description("Setting up PAM for homed")
        create_file(
            system_context,
            "/etc/pam.d/nss-auth",
            textwrap.dedent(
                """\
                #%PAM-1.0

                auth     sufficient pam_unix.so try_first_pass nullok
                auth     sufficient pam_systemd_home.so
                auth     required   pam_deny.so

                account  sufficient pam_unix.so
                account  sufficient pam_systemd_home.so
                account  required   pam_deny.so

                password sufficient pam_unix.so try_first_pass nullok sha512 shadow
                password sufficient pam_systemd_home.so
                password required   pam_deny.so
                """
            ).encode("utf-8"),
            mode=0o644,
        )
        # system-auth delegates auth/account/password to nss-auth; session
        # keeps pam_systemd_home optional so a missing homed does not block
        # logins.  force=True presumably overwrites the distribution's file.
        create_file(
            system_context,
            "/etc/pam.d/system-auth",
            textwrap.dedent(
                """\
                #%PAM-1.0

                auth      substack   nss-auth
                auth      optional   pam_permit.so
                auth      required   pam_env.so

                account   substack   nss-auth
                account   optional   pam_permit.so
                account   required   pam_time.so

                password  substack   nss-auth
                password  optional   pam_permit.so

                session   required  pam_limits.so
                session   optional  pam_systemd_home.so
                session   required  pam_unix.so
                session   optional  pam_permit.so
                """
            ).encode("utf-8"),
            mode=0o644,
            force=True,
        )
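    def __call__(self, location: Location, system_context: SystemContext,
                 *args: typing.Any, **kwargs: typing.Any) -> None:
        """Install usbguard with its state relocated to ``/var/etc/usbguard``.

        Installs the package, enables ``usbguard-dbus.service``, points the
        daemon config at ``/var/etc/usbguard/{rules.conf,IPCAccessControl.d}``,
        moves that config plus an empty ``rules.conf`` into
        ``/usr/share/factory/var/etc/usbguard`` (copied to ``/var`` at boot
        by the tmpfiles ``C`` line), removes ``/etc/usbguard`` from the
        image and adds a service drop-in working around USBGuard issue #287.

        Fix: the factory directory was created as ``IPCaccessControl.d``
        (lower-case ``a``) while the daemon config it is copied alongside
        refers to ``IPCAccessControl.d``, so the IPC ACL directory the
        daemon reads did not exist under the configured name.

        NOTE(review): ``ImplicitPolicyTarget=allow`` together with an empty
        ``rules.conf`` means every USB device is allowed until rules are
        added -- usbguard is installed but enforces nothing by default.
        ``CapabilityBoundingSet=`` in a drop-in is merged with the unit's
        own set, so the bugfix *adds* CAP_DAC_OVERRIDE to the daemon.
        """
        factory_dir = "/usr/share/factory/var/etc/usbguard"
        daemon_conf = "/etc/usbguard/usbguard-daemon.conf"

        self._execute(location, system_context, "pacman", "usbguard")

        # Enable the daemon (actually set up socket activation).
        self._execute(location.next_line(), system_context, "systemd_enable",
                      "usbguard-dbus.service")

        create_file(
            system_context,
            "/usr/lib/tmpfiles.d/usbguard.conf",
            textwrap.dedent("""\
                    d /var/log/usbguard 0750 root root - -

                    d /var/etc/usbguard 0750 root root - -
                    C /var/etc/usbguard - - - - -
                    """).encode("utf-8"),
        )

        # Redirect the daemon's mutable inputs from /etc to /var/etc and set
        # the default policy for unmatched devices.
        for sed_script in (
            "/RuleFile=\\/etc/ cRuleFile=/var/etc/usbguard/rules.conf",
            "/IPCAccessControlFiles=\\/etc/ cIPCAccessControlFiles=/var/etc/usbguard/IPCAccessControl.d",
            "/ImplicitPolicyTarget=/ cImplicitPolicyTarget=allow",
        ):
            self._execute(location.next_line(), system_context, "sed",
                          sed_script, daemon_conf)

        # Stage the config tree in the factory; the directory name must match
        # the IPCAccessControlFiles= value written above.
        makedirs(system_context, factory_dir + "/IPCAccessControl.d")
        move(system_context, daemon_conf, factory_dir)
        create_file(system_context, factory_dir + "/rules.conf", b"", mode=0o600)

        remove(system_context, "/etc/usbguard", recursive=True)

        # Fix for https://github.com/USBGuard/usbguard/issues/287
        makedirs(system_context, "/usr/lib/systemd/system/usbguard.service.d")
        create_file(
            system_context,
            "/usr/lib/systemd/system/usbguard.service.d/bugfix.conf",
            textwrap.dedent("""\
                [Service]
                CapabilityBoundingSet=CAP_DAC_OVERRIDE
                ReadWritePaths=-/var/etc/usbguard/rules.conf
                ExecStart=
                ExecStart=/usr/bin/usbguard-daemon -k -c /var/etc/usbguard/usbguard-daemon.conf
                """).encode("utf-8"),
        )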
def _setup_network(
    location: Location,
    system_context: SystemContext,
    *,
    cluster_name: str,
    cluster_id: int,
    node_id: int,
    outside_match: str,
    cluster_match: str,
    gateway: str,
    dns: str,
    ntp: str,
) -> None:
    """Write the systemd-networkd units for one cluster node.

    Four files are created under ``/usr/lib/systemd/network``, each with
    mode 0o644 and in this order: the ``cbr0`` pod bridge netdev, the
    node's external network (static ``10.128.<cluster_id>.<node_id>/8``
    with ``IPForward`` and ``IPMasquerade`` switched on), the bridge's
    own address, and the interface that is enslaved to the bridge.

    ``outside_match`` and ``cluster_match`` are inserted verbatim into
    the respective ``[Match]`` sections.  ``location`` is accepted for
    symmetry with the other setup helpers and is not used here.

    NOTE(review): ``cluster_offset`` in the bridge address is neither a
    parameter nor a local of this function; it has to be a module-level
    name, otherwise that f-string raises NameError — confirm against the
    top of the file.
    """

    def write_unit(path: str, contents: str) -> None:
        # Substitution has already happened in the caller's f-string;
        # dedent runs afterwards, exactly as before, so the 16-space
        # margin of every literal below is part of the contract.
        create_file(
            system_context,
            path,
            textwrap.dedent(contents).encode("utf-8"),
            mode=0o644,
        )

    write_unit(
        "/usr/lib/systemd/network/20-cbr0-bridge.netdev",
        """\
                [NetDev]
                Description=Internal POD bridge
                Name=cbr0
                Kind=bridge
                """,
    )

    write_unit(
        "/usr/lib/systemd/network/10-extern.network",
        f"""\
                [Match]
                {outside_match}

                [Network]
                Description=Node network
                Address=10.128.{cluster_id}.{node_id}/8
                Gateway={gateway}
                DNS={dns}
                NTP={ntp}
                IPForward=yes
                IPMasquerade=yes
                """,
    )

    write_unit(
        "/usr/lib/systemd/network/30-cbr.network",
        f"""\
                [Match]
                Name=cbr0

                [Network]
                Description={cluster_name} pod bridge setup
                Address=10.{cluster_offset}.{node_id}.1/16
                """,
    )

    write_unit(
        "/usr/lib/systemd/network/40-cbr-outside-if.network",
        f"""\
                [Match]
                {cluster_match}

                [Network]
                Description={cluster_name} pod bridge outside connectivity
                Bridge=cbr0
                """,
    )
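    def __call__(
        self,
        location: Location,
        system_context: SystemContext,
        *args: typing.Any,
        **kwargs: typing.Any,
    ) -> None:
        """Execute command.

        Installs PostgreSQL (plus ``postgresql-old-upgrade``), hardens the
        service unit, drops a first-boot initialisation script at
        ``/usr/local/bin/setup-postgresql.sh`` and prepares the ``postgres``
        system user with ``/home/postgres`` as its home.

        Keyword arguments:
            password: superuser password.  When non-empty it is written to
                ``/home/postgres/.pgpass`` (mode 0o600) for the setup script
                to read; when empty no ``.pgpass`` is written and the script
                will set an empty password.

        The script text is stored as-is; its ``$$`` sequences are
        presumably reduced to ``$`` by a later templating step (the other
        scripts in this file use the same convention) — confirm before
        editing it.
        """
        password = kwargs.get("password", "")
        self._execute(location, system_context, "pacman", "postgresql",
                      "postgresql-old-upgrade")

        self._execute(
            location.next_line(),
            system_context,
            "mkdir",
            "/usr/lib/systemd/system/postgresql.service.d/",
            mode=0o755,
        )
        self._execute(
            location.next_line(),
            system_context,
            "systemd_harden_unit",
            "postgresql.service",
        )

        # First-boot initialisation script.  Two fixes inside the
        # here-document that is fed to `postgres --single`:
        #  * the ALTER USER statement and the `EOF` terminator sit at
        #    column 0 of the dedented script, like the END_OF_CONFIG
        #    here-document further down.  bash only recognises an
        #    unindented terminator for `<<EOF`, so the indented one made
        #    the here-document swallow the rest of the script (including
        #    the closing `fi`);
        #  * the password is a single-quoted SQL string literal.  In
        #    double quotes PostgreSQL parses it as an identifier and the
        #    ALTER USER fails — silently, because output goes to /dev/null.
        # NOTE(review): the password is not escaped for SQL (a quote in it
        # still breaks the statement) and `cut -f5` truncates at a ':';
        # both are inherited from the original and left for the caller to
        # avoid.  pg_hba uses md5; scram-sha-256 is the stronger choice on
        # current PostgreSQL — left as configured.
        create_file(
            system_context,
            "/usr/local/bin/setup-postgresql.sh",
            textwrap.dedent("""\
                    #!/usr/bin/bash
                    
                    DATADIR="$$1"
                    test "x$$DATADIR" = "x" && exit 2
                    
                    USER=postgres
                    PASSWD=$$(cat /home/postgres/.pgpass | cut -d':' -f5)
                    
                    if test ! -d "$${DATADIR}" ; then
                        su $${USER} -c "/usr/bin/initdb -D $${DATADIR} --encoding UTF8 --locale C" || exit 1
                    
                        su $${USER} -c "/usr/bin/postgres --single -D $${DATADIR}" <<EOF > /dev/null 2>&1
                    ALTER USER $${USER} PASSWORD '$${PASSWD}';
                    EOF
                    
                        echo >> "$${DATADIR}/postgresql.conf"
                        echo "listen_addresses = '*' # Listen everywhere!" >> "$${DATADIR}/postgresql.conf"
                    
                        cat << END_OF_CONFIG > "$${DATADIR}/pg_hba.conf"
                    # TYPE  DATABASE        USER            ADDRESS                 METHOD
                    
                    # "local" is for Unix domain socket connections only
                    local   all             all                                     md5
                    # IPv4 local connections:
                    host    all             all             127.0.0.1/32            md5
                    host    all             all             172.17.0.0/16           md5
                    # IPv6 local connections:
                    host    all             all             ::1/128                 md5
                    END_OF_CONFIG
                    fi
                    """).encode("utf-8"),
            mode=0o755,
        )

        # The script runs `su postgres -c ...`, so the account needs a real
        # shell and a home directory that can hold .pgpass.
        self._execute(
            location.next_line(),
            system_context,
            "usermod",
            "postgres",
            shell="/usr/bin/bash",
            home="/home/postgres",
        )

        # Owner/group as given in this listing (the owner name is masked
        # by the listing itself).
        self._execute(
            location.next_line(),
            system_context,
            "mkdir",
            "/home/postgres",
            mode=0o755,
            user="******",
            group="postgres",
        )
        if password:
            # .pgpass line format is host:port:db:user:password; the value
            # is written unescaped, so ':' or '\' in the password would
            # need escaping per the .pgpass rules — caller's responsibility.
            create_file(
                system_context,
                "/home/postgres/.pgpass",
                f"*:*:*:*:{password}".encode("utf-8"),
                mode=0o600,
                user="******",
                group="postgres",
            )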
    def __call__(
        self,
        location: Location,
        system_context: SystemContext,
        *args: typing.Any,
        **kwargs: typing.Any
    ) -> None:
        """Execute command.

        Installs nginx and lays down a baseline configuration: a fixed
        DH-parameter file, a minimal ``nginx.conf`` that includes
        ``sites-enabled/*``, the ``sites-available``/``sites-enabled``
        (and, for HTTPS, ``ssl``) directories, a relaxed hardening
        drop-in, socket activation via ``systemd_enable`` and firewall
        rules.

        Keyword arguments:
            http: open TCP/80 in the firewall (default False).
            https: open TCP/443, create ``/etc/nginx/ssl`` and register
                teardown hooks that fix ownership and permissions of the
                certificate and key files there (default True).
        """
        self._execute(location, system_context, "pacman", "nginx")

        # Do setup:
        # Fix missing symlink:
        # NOTE(review): this DH group is embedded in the source, so every
        # image built from this file shares the same parameters; a group
        # generated per deployment (at build or first boot) would avoid
        # that — confirm whether a shared group is acceptable here.
        create_file(
            system_context,
            "/etc/nginx/dhparams.pem",
            textwrap.dedent(
                """\
                    -----BEGIN DH PARAMETERS-----
                    MIIBCAKCAQEAtiVyRgTKjub6YmPwk7YTp+CL6OG2zHFdUBMEUcGEsfHjPB/OXxQV
                    iv4tHQeOxVSoiwZi9u/zWbbttpHsAXMTJsq9EzDi7uQie8iBlOOHjK7hx7LNIABJ
                    BkWSliZgemdY/XwdH9ckZlDpVsqdQNftfPxPZL+HpKeSFDTNGWrp8DgcoINi0Vzt
                    thVUhHF8961VGsjb66z3GJyuLtpRTfpV6eji87Njy06jOwbS0gdq1mOPptxBNfmA
                    w4oadWDreQXxTjaq0kowz9hTk/eRgnnpb0NwZb4fTJ8oYo8m0yTHoeIWFrEDhBGR
                    30DFtTj6OKkkfz4tKJbcIr5+uJQZuqoXSwIBAg==
                    -----END DH PARAMETERS-----
                    """
            ).encode("utf-8"),
            mode=0o640,
        )

        # Base configuration: workers run as `html`, logging left at the
        # upstream defaults, all site definitions come from sites-enabled/*.
        # force=True overwrites the nginx.conf shipped by the package.
        create_file(
            system_context,
            "/etc/nginx/nginx.conf",
            textwrap.dedent(
                """\
                    user html;
                    worker_processes  1;
                    
                    #error_log  logs/error.log;
                    #error_log  logs/error.log  notice;
                    #error_log  logs/error.log  info;
                    
                    #pid        logs/nginx.pid;
                    
                    
                    events {
                        worker_connections  1024;
                    }
                    
                    
                    http {
                        include       mime.types;
                        default_type  application/octet-stream;
                    
                        types_hash_max_size 4096;
                    
                        #log_format  main  '$$remote_addr - $$remote_user [$$time_local] "$$request" '
                        #                  '$$status $$body_bytes_sent "$$http_referer" '
                        #                  '"$$http_user_agent" "$$http_x_forwarded_for"';
                    
                        #access_log  logs/access.log  main;
                    
                        sendfile        on;
                        #tcp_nopush     on;
                    
                        #keepalive_timeout  0;
                        keepalive_timeout  65;
                    
                        #gzip  on;
                    
                        include sites-enabled/*;
                    }
                    """
            ).encode("utf-8"),
            mode=0o644,
            force=True,
        )

        # No exist_ok here (or on the makedirs calls below): a re-run on a
        # tree that already has these directories raises FileExistsError.
        os.makedirs(system_context.file_name("/usr/lib/systemd/system/nginx.service.d"))
        # Hardening is deliberately relaxed for nginx: the capability
        # bounding set is left alone and NoNewPrivileges/PrivateUsers are
        # off — presumably so the master process can bind the privileged
        # ports and switch to the `html` user; confirm this is the minimum
        # the unit actually needs.
        self._execute(
            location.next_line(),
            system_context,
            "systemd_harden_unit",
            "nginx.service",
            CapabilityBoundingSet="IGNORE",
            NoNewPrivileges=False,
            PrivateUsers=False,
        )

        os.makedirs(system_context.file_name("/etc/nginx/sites-available"))
        os.makedirs(system_context.file_name("/etc/nginx/sites-enabled"))
        if kwargs.get("https", True):
            os.makedirs(system_context.file_name("/etc/nginx/ssl"))

        # enable the daemon (actually set up socket activation)
        self._execute(
            location.next_line(), system_context, "systemd_enable", "nginx.service"
        )

        # Open the firewall for it:
        # Plain HTTP is opt-in; HTTPS is on unless explicitly disabled.
        if kwargs.get("http", False):
            self._execute(
                location.next_line(),
                system_context,
                "net_firewall_open_port",
                "80",
                protocol="tcp",
                comment="Nginx",
            )
        if kwargs.get("https", True):
            self._execute(
                location.next_line(),
                system_context,
                "net_firewall_open_port",
                "443",
                protocol="tcp",
                comment="Nginx",
            )

            # Teardown hooks for the TLS material: the ssl directory is
            # handed to the owner given here (the name is masked by this
            # listing) with group root; certificates become world-readable
            # (0o644), private keys readable by owner and group root only
            # (0o640).
            self._add_hook(
                location.next_line(),
                system_context,
                "_teardown",
                "chown",
                "/etc/nginx/ssl",
                recursive=True,
                user="******",
                group="root",
            )
            self._add_hook(
                location.next_line(),
                system_context,
                "_teardown",
                "chmod",
                0o644,
                "/etc/nginx/ssl/*-cert.pem",
            )
            self._add_hook(
                location.next_line(),
                system_context,
                "_teardown",
                "chmod",
                0o640,
                "/etc/nginx/ssl/*-key.pem",
            )