Пример #1
def SetupNetwork():
    """Write the image's baseline network files and enable its network services.

    Deletes /etc/hostname, installs the hosts file and the sysctl drop-in
    named 70-disable-ipv6.conf, then enables dhcpcd and systemd-networkd.
    """
    utils.LogStep('Setup Networking')
    # The hostname file is removed outright, so the image carries no
    # build-time hostname.
    utils.SecureDeleteFile('/etc/hostname')
    config_files = (
        ('/etc/hosts', ETC_HOSTS),
        ('/etc/sysctl.d/70-disable-ipv6.conf',
         ETC_SYSCTL_D_70_DISABLE_IPV6_CONF),
    )
    for target, body in config_files:
        utils.WriteFile(target, body)
    for unit in ('dhcpcd.service',
                 'systemd-networkd.service',
                 'systemd-networkd-wait-online.service'):
        utils.EnableService(unit)
Пример #2
def SetupFail2ban():
    """Install fail2ban, write its jail configuration, and enable it.

    Background on the approach:
    http://flexion.org/posts/2012-11-ssh-brute-force-defence.html
    """
    utils.LogStep('Configure fail2ban')
    utils.Pacman(['-S', 'fail2ban'])
    jail_files = (
        ('/etc/fail2ban/jail.local', ETC_FAIL2BAN_JAIL_LOCAL),
        ('/etc/fail2ban/jail.d/sshd.conf', ETC_FAIL2BAN_JAIL_D_SSHD_CONF),
    )
    for jail_path, jail_body in jail_files:
        utils.WriteFile(jail_path, jail_body)
    # NOTE(review): syslog-ng is enabled before fail2ban, presumably because
    # the sshd jail reads a log file that syslog-ng writes - confirm against
    # the jail configuration, which is not shown here.
    for unit in ('syslog-ng', 'fail2ban.service'):
        utils.EnableService(unit)
def SetupNetwork():
    """Write network files, mask the udev link rule, and enable network services."""
    utils.LogStep('Setup Networking')
    utils.SecureDeleteFile('/etc/hostname')
    for target, body in (
            ('/etc/hosts', ETC_HOSTS),
            ('/etc/sysctl.d/70-disable-ipv6.conf',
             ETC_SYSCTL_D_70_DISABLE_IPV6_CONF)):
        utils.WriteFile(target, body)
    # Pointing the rule file at /dev/null is the approach described under
    # "Reverting to traditional device names":
    # https://wiki.archlinux.org/index.php/Network_configuration#Reverting_to_traditional_device_names
    masked_rule = '/etc/udev/rules.d/80-net-setup-link.rules'
    utils.Symlink('/dev/null', masked_rule)
    for unit in ('dhcpcd.service',
                 'systemd-networkd.service',
                 'systemd-networkd-wait-online.service'):
        utils.EnableService(unit)
Пример #4
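def SetupSsh():
    """Configure the SSH client and daemon and strip build-time host keys.

    Host private keys must not ship inside a reusable image: every instance
    created from it would present the same host identity. All host key types
    are therefore removed here, including ed25519, which the original list
    omitted.
    """
    utils.LogStep('Configure SSH')
    utils.WriteFile('/etc/ssh/sshd_not_to_be_run', 'GOOGLE')
    # Remove every host key type, not only the older ones. The patterns are
    # handed to utils.SecureDeleteFile exactly as the original calls did.
    host_key_patterns = (
        'ssh_host_key',
        'ssh_host_rsa_key*',
        'ssh_host_dsa_key*',
        'ssh_host_ecdsa_key*',
        'ssh_host_ed25519_key*',
    )
    for pattern in host_key_patterns:
        utils.SecureDeleteFile('/etc/ssh/' + pattern)
    # NOTE(review): 644 is a decimal literal. That is correct only if
    # utils.Chmod formats the value into a chmod command line; if it reaches
    # os.chmod unchanged, the mode must be written 0o644. Confirm against
    # utils.Chmod before relying on these permissions.
    for config_path, config_body in (
            ('/etc/ssh/ssh_config', ETC_SSH_SSH_CONFIG),
            ('/etc/ssh/sshd_config', ETC_SSH_SSHD_CONFIG)):
        utils.WriteFile(config_path, config_body)
        utils.Chmod(config_path, 644)
    utils.EnableService('sshd.service')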
Пример #5
def SetupFileSystem(base_dir, image_mapping_path):
    """Write etc/fstab under base_dir and return the image's filesystem UUID.

    Args:
        base_dir: root of the image tree whose etc/fstab is written.
        image_mapping_path: device path queried with blkid and passed to
            tune2fs.

    Returns:
        The UUID reported by blkid, with surrounding whitespace stripped.
    """
    utils.LogStep('File Systems')
    _, generated_fstab, _ = utils.Run(['genfstab', '-p', base_dir],
                                      capture_output=True)
    fstab_path = os.path.join(base_dir, 'etc', 'fstab')
    utils.WriteFile(fstab_path, generated_fstab)

    blkid_cmd = ['blkid', '-s', 'UUID', '-o', 'value', image_mapping_path]
    _, raw_uuid, _ = utils.Run(blkid_cmd, capture_output=True)
    disk_uuid = raw_uuid.strip()

    # NOTE(review): this second write targets the same fstab path as the
    # genfstab output above; whether it replaces or appends depends on
    # utils.WriteFile - confirm which entry set the image ends up with.
    root_entry = 'UUID=%s   /   ext4   defaults   0   1' % disk_uuid
    utils.WriteFile(fstab_path, root_entry)
    utils.Run(['tune2fs', '-i', '1', '-U', disk_uuid, image_mapping_path])
    return disk_uuid
def SetupNetwork():
  """Write network files, enable network services, and install the MTU unit.

  Deletes /etc/hostname, writes the hosts file and the 70-disable-ipv6 sysctl
  drop-in, enables dhcpcd and systemd-networkd, then writes a systemd unit
  plus its /etc/conf.d/setmtu settings and enables that unit.
  """
  utils.LogStep('Setup Networking')
  utils.SecureDeleteFile('/etc/hostname')
  utils.WriteFile('/etc/hosts', ETC_HOSTS)
  utils.WriteFile('/etc/sysctl.d/70-disable-ipv6.conf',
                  ETC_SYSCTL_D_70_DISABLE_IPV6_CONF)
  utils.EnableService('dhcpcd.service')
  utils.EnableService('systemd-networkd.service')
  utils.EnableService('systemd-networkd-wait-online.service')
  # Set Google Compute specific MTU
  # https://cloud.google.com/compute/docs/troubleshooting#packetfragmentation
  # NOTE(review): the unit name in the WriteFile path below and in the final
  # EnableService call reads as e-mail-obfuscation residue ('[email protected]',
  # '*****@*****.**'), most likely a systemd template unit name mangled when
  # this listing was published. The original name cannot be recovered from
  # here; restore both literals from the upstream source before running this.
  utils.WriteFile('/etc/systemd/system/[email protected]', ETC_SYSTEM_D_SET_MTU)
  utils.CreateDirectory('/etc/conf.d/')
  utils.WriteFile('/etc/conf.d/setmtu', ETC_CONF_D_SET_MTU)
  utils.EnableService('*****@*****.**')
def ConfigureSecurity():
  """Apply the image hardening steps: sysctl, root lock, PAM, modules, sudo."""
  utils.LogStep('Compute Engine Security Recommendations')
  sysctl_dropins = (
      ('/etc/sysctl.d/70-gce-security-strongly-recommended.conf',
       ETC_SYSCTL_D_70_GCE_SECURITY_STRONGLY_RECOMMENDED_CONF),
      ('/etc/sysctl.d/70-gce-security-recommended.conf',
       ETC_SYSCTL_D_70_GCE_SECURITY_RECOMMENDED_CONF),
  )
  for dropin_path, dropin_body in sysctl_dropins:
    utils.WriteFile(dropin_path, dropin_body)

  utils.LogStep('Lock Root User Account')
  utils.Run(['usermod', '-L', 'root'])

  utils.LogStep('PAM Security Settings')
  utils.WriteFile('/etc/pam.d/passwd', ETC_PAM_D_PASSWD)

  # NOTE(review): a write under /proc/sys changes the running kernel, not a
  # file stored in the image. Confirm this takes effect where intended and
  # whether the setting also needs a persistent sysctl entry.
  utils.LogStep('Disable CAP_SYS_MODULE')
  utils.WriteFile('/proc/sys/kernel/modules_disabled', '1')

  utils.LogStep('Remove the kernel symbol table')
  utils.SecureDeleteFile('/boot/System.map')

  utils.LogStep('Sudo Access')
  sudoers_dropin = '/etc/sudoers.d/add-group-adm'
  utils.WriteFile(sudoers_dropin, ETC_SUDOERS_D_ADD_GROUP_ADM)
  # Owner and mode are tightened only after the file has been written.
  # NOTE(review): nothing here syntax-checks the drop-in before it goes live.
  for tool, setting in (('chown', 'root:root'), ('chmod', '0440')):
    utils.Run([tool, setting, sudoers_dropin])
Пример #8
def processTemplate(templateIp):
    """Render the template at utils.ttFileName and write the result to disk.

    The output file name is assembled in the module-level
    utils.outputFileName from, in order: the value of templateIp under
    utils.outputFileKeyword (passed through utils.getFileName),
    utils.outputFile, and utils.outputFileExt.

    Args:
        templateIp: mapping exposed to the template as 'TemplateInputVar';
            also indexed by utils.outputFileKeyword when that is non-empty.
    """
    from template import Template

    # State lives on the utils module, so each call resets it first.
    utils.outputFileName = ''
    if utils.outputFileKeyword != '':
        # NOTE(review): part of the output file name comes from templateIp.
        # If that input is not trusted, confirm utils.getFileName strips path
        # separators and '..' before the name reaches WriteFile.
        utils.outputFileName = utils.getFileName(
            templateIp[utils.outputFileKeyword])
    if utils.outputFile != '':
        utils.outputFileName = utils.outputFileName + utils.outputFile

    utils.outputFileName = utils.outputFileName + utils.outputFileExt

    # SECURITY: EVAL_PYTHON switches on embedded-Python blocks in templates,
    # so whoever controls the template file controls code run by this
    # process. Only render templates from a trusted location; flag for review
    # if utils.ttFileName can be influenced by external input.
    tt = Template({'EVAL_PYTHON': 1, 'AUTO_RESET': 1})
    op = tt.process(utils.ttFileName, {'TemplateInputVar': templateIp})
    utils.WriteFile(utils.outputDir, utils.outputFileName, op, utils.mode)
Пример #9
def main():
  """Build a UEFI installer disk on /dev/sdb that boots with a kickstart.

  Reads build parameters from instance metadata, generates ks.cfg, lays out
  a GPT disk with an ESP and an INSTALLER partition, copies the ISO boot
  files over, and rewrites grub.cfg so the installer runs unattended on the
  serial console.
  """
  # Get Parameters
  # The optional flags are compared against the literal string 'true', so a
  # missing attribute or any other value is treated as False.
  repo = utils.GetMetadataAttribute('google_cloud_repo',
                                    raise_on_not_found=True)
  release = utils.GetMetadataAttribute('el_release', raise_on_not_found=True)
  savelogs = utils.GetMetadataAttribute('el_savelogs',
                                        raise_on_not_found=False)
  savelogs = savelogs == 'true'
  byol = utils.GetMetadataAttribute('rhel_byol', raise_on_not_found=False)
  byol = byol == 'true'
  sap_hana = utils.GetMetadataAttribute('rhel_sap_hana',
                                        raise_on_not_found=False)
  sap_hana = sap_hana == 'true'
  sap_apps = utils.GetMetadataAttribute('rhel_sap_apps',
                                        raise_on_not_found=False)
  sap_apps = sap_apps == 'true'
  sap = utils.GetMetadataAttribute('rhel_sap', raise_on_not_found=False)
  sap = sap == 'true'
  logging.info('EL Release: %s' % release)
  logging.info('Google Cloud repo: %s' % repo)
  logging.info('Build working directory: %s' % os.getcwd())

  iso_file = 'installer.iso'

  # Necessary libs and tools to build the installer disk.
  utils.AptGetInstall(['dosfstools', 'rsync'])

  # Build the kickstart file.
  # NOTE(review): release and repo come from metadata and flow into the
  # kickstart; confirm ks_helpers.BuildKsConfig validates them.
  ks_content = ks_helpers.BuildKsConfig(release, repo, byol, sap, sap_hana,
                                        sap_apps)
  ks_cfg = 'ks.cfg'
  utils.WriteFile(ks_cfg, ks_content)

  # Write the installer disk. Write GPT label, create partition,
  # copy installer boot files over.
  # The target device is hard-coded: everything on /dev/sdb is destroyed.
  # NOTE(review): assumes the build VM always attaches the installer disk as
  # the second disk - confirm, since nothing here checks the device.
  logging.info('Writing installer disk.')
  utils.Execute(['parted', '/dev/sdb', 'mklabel', 'gpt'])
  utils.Execute(['sync'])
  utils.Execute(['parted', '/dev/sdb', 'mkpart', 'primary', 'fat32', '1MB',
                 '201MB'])
  utils.Execute(['sync'])
  utils.Execute(['parted', '/dev/sdb', 'mkpart', 'primary', 'ext2', '201MB',
                 '100%'])
  utils.Execute(['sync'])
  utils.Execute(['parted', '/dev/sdb', 'set', '1', 'boot', 'on'])
  utils.Execute(['sync'])
  utils.Execute(['parted', '/dev/sdb', 'set', '1', 'esp', 'on'])
  utils.Execute(['sync'])
  utils.Execute(['mkfs.vfat', '-F', '32', '/dev/sdb1'])
  utils.Execute(['sync'])
  utils.Execute(['fatlabel', '/dev/sdb1', 'ESP'])
  utils.Execute(['sync'])
  utils.Execute(['mkfs.ext2', '-L', 'INSTALLER', '/dev/sdb2'])
  utils.Execute(['sync'])

  utils.Execute(['mkdir', '-vp', 'iso', 'installer', 'boot'])
  utils.Execute(['mount', '-o', 'ro,loop', '-t', 'iso9660', iso_file, 'iso'])
  utils.Execute(['mount', '-t', 'vfat', '/dev/sdb1', 'boot'])
  utils.Execute(['mount', '-t', 'ext2', '/dev/sdb2', 'installer'])
  utils.Execute(['rsync', '-Pav', 'iso/EFI', 'iso/images', 'boot/'])
  utils.Execute(['cp', iso_file, 'installer/'])
  utils.Execute(['cp', ks_cfg, 'installer/'])

  # Modify boot config.
  with open('boot/EFI/BOOT/grub.cfg', 'r+') as f:
    oldcfg = f.read()
    # Search the ESP label, boot the first entry after one second, and
    # route grub input/output to the serial port.
    cfg = re.sub(r'-l .RHEL.*', r"""-l 'ESP'""", oldcfg)
    cfg = re.sub(r'timeout=60', 'timeout=1', cfg)
    cfg = re.sub(r'set default=.*', 'set default="0"', cfg)
    cfg = re.sub(r'load_video\n', r'serial --speed=38400 --unit=0 --word=8 '
                 '--parity=no\nterminal_input serial\nterminal_output '
                 'serial\n', cfg)

    # Change boot args.
    # NOTE(review): inst.sshd=1 asks the installer environment to start an
    # SSH daemon. Confirm the build network blocks inbound SSH to this VM,
    # or drop the argument if it is only a debugging aid.
    args = ' '.join([
        'text', 'ks=hd:LABEL=INSTALLER:/%s' % ks_cfg,
        'console=ttyS0,38400n8', 'inst.sshd=1', 'inst.gpt'
    ])
    # Tell Anaconda not to store its logs in the installed image,
    # unless requested to keep them for debugging.
    if not savelogs:
      args += ' inst.nosave=all'
    # \g<0> keeps the matched inst.stage2 text and appends the new args.
    cfg = re.sub(r'inst\.stage2.*', r'\g<0> %s' % args, cfg)

    if release in ['centos7', 'rhel7', 'oraclelinux7']:
      cfg = re.sub(r'LABEL=[^ :]+', 'LABEL=INSTALLER', cfg)

    # Print out the modifications.
    # splitlines(1) keeps line endings, so joining with '\n' leaves blank
    # lines between entries in the logged diff (cosmetic only).
    diff = difflib.Differ().compare(oldcfg.splitlines(1), cfg.splitlines(1))
    logging.info('Modified grub.cfg:\n%s' % '\n'.join(diff))

    # Rewrite in place: rewind, write, then cut off any leftover tail.
    f.seek(0)
    f.write(cfg)
    f.truncate()

  logging.info("Creating boot path file\n")
  utils.Execute(['mkdir', '-p', 'boot/EFI/Google/gsetup'])
  with open('boot/EFI/Google/gsetup/boot', 'w') as g:
    g.write("\\EFI\\BOOT\\BOOTX64.EFI\n")

  # NOTE(review): the unmounts sit on the success path only; presumably an
  # earlier failure leaves the mounts in place - confirm utils.Execute's
  # failure behaviour.
  utils.Execute(['umount', 'installer'])
  utils.Execute(['umount', 'iso'])
  utils.Execute(['umount', 'boot'])
Пример #10
def ConfigMessageOfTheDay():
    """Write the image's message of the day to /etc/motd."""
    utils.LogStep('Configure Message of the Day')
    motd_path = '/etc/motd'
    utils.WriteFile(motd_path, ETC_MOTD)
Пример #11
def InstallGcimagebundle(packages_dir):
    """Write arch.py into the gcimagebundle tree, then run its setup.py install.

    Args:
        packages_dir: directory that contains the gcimagebundle checkout.
    """
    arch_module = os.path.join(
        packages_dir, 'gcimagebundle/gcimagebundlelib/arch.py')
    utils.WriteFile(arch_module, GCIMAGEBUNDLE_ARCH_PY)
    # The install runs from inside the package directory, under python2.
    bundle_root = os.path.join(packages_dir, 'gcimagebundle')
    utils.Run(['python2', 'setup.py', 'install'], cwd=bundle_root)
Пример #12
def SetupNtpServer():
    """Write /etc/ntp.conf with metadata.google.internal as the only server."""
    utils.LogStep('Configure NTP')
    ntp_conf = 'server metadata.google.internal iburst'
    utils.WriteFile('/etc/ntp.conf', ntp_conf)
Пример #13
def main():
    """Build a BIOS (extlinux) installer disk on /dev/sdb with a kickstart.

    Reads build parameters from instance metadata, generates ks.cfg, writes
    an msdos-labelled disk with one INSTALLER partition, copies the ISO and
    its boot files over, and converts the isolinux config to extlinux.
    """
    # Get Parameters
    # Optional flags are True only when the attribute is exactly 'true'.
    repo = utils.GetMetadataAttribute('google_cloud_repo',
                                      raise_on_not_found=True)
    release = utils.GetMetadataAttribute('el_release', raise_on_not_found=True)
    savelogs = utils.GetMetadataAttribute('el_savelogs',
                                          raise_on_not_found=False) == 'true'
    byos = utils.GetMetadataAttribute('rhel_byos',
                                      raise_on_not_found=False) == 'true'
    sap = utils.GetMetadataAttribute('rhel_sap',
                                     raise_on_not_found=False) == 'true'
    nge = utils.GetMetadataAttribute('new_guest',
                                     raise_on_not_found=False) == 'true'

    logging.info('EL Release: %s' % release)
    logging.info('Google Cloud repo: %s' % repo)
    logging.info('Build working directory: %s' % os.getcwd())

    iso_file = '/files/installer.iso'

    # Necessary libs and tools to build the installer disk.
    utils.AptGetInstall(['extlinux', 'rsync'])

    # Build the kickstart file.
    # NOTE(review): release and repo come from metadata and flow into the
    # kickstart; confirm ks_helpers.BuildKsConfig validates them.
    uefi = False
    ks_content = ks_helpers.BuildKsConfig(release, repo, byos, sap, uefi, nge)
    ks_cfg = 'ks.cfg'
    utils.WriteFile(ks_cfg, ks_content)

    # Write the installer disk. Write extlinux MBR, create partition,
    # copy installer ISO and ISO boot files over.
    # The target device is hard-coded: everything on /dev/sdb is destroyed.
    # NOTE(review): nothing here checks that /dev/sdb is the intended disk.
    logging.info('Writing installer disk.')
    utils.Execute(['parted', '/dev/sdb', 'mklabel', 'msdos'])
    utils.Execute(['sync'])
    utils.Execute(['parted', '/dev/sdb', 'mkpart', 'primary', '1MB', '100%'])
    utils.Execute(['sync'])
    utils.Execute(['parted', '/dev/sdb', 'set', '1', 'boot', 'on'])
    utils.Execute(['sync'])
    utils.Execute(['dd', 'if=/usr/lib/EXTLINUX/mbr.bin', 'of=/dev/sdb'])
    utils.Execute(['sync'])
    utils.Execute(['mkfs.ext2', '-L', 'INSTALLER', '/dev/sdb1'])
    utils.Execute(['sync'])
    utils.Execute(['mkdir', 'iso', 'installer'])
    utils.Execute(['mount', '-o', 'ro,loop', '-t', 'iso9660', iso_file, 'iso'])
    utils.Execute(['mount', '-t', 'ext2', '/dev/sdb1', 'installer'])
    utils.Execute(
        ['rsync', '-Pav', 'iso/images', 'iso/isolinux', 'installer/'])
    utils.Execute(['cp', iso_file, 'installer/'])
    utils.Execute(['cp', ks_cfg, 'installer/'])

    # Modify boot files on installer disk.
    utils.Execute(['mv', 'installer/isolinux', 'installer/extlinux'])
    utils.Execute([
        'mv', 'installer/extlinux/isolinux.cfg',
        'installer/extlinux/extlinux.conf'
    ])

    # Modify boot config.
    with open('installer/extlinux/extlinux.conf', 'r+') as f:
        oldcfg = f.read()
        # Without re.MULTILINE, '^' matches only at the very start of the
        # file, so this rewrites the default entry only when the config
        # begins with a 'default' line.
        cfg = re.sub(r'^default.*', r'default linux', oldcfg, count=1)

        # Change boot args.
        # NOTE(review): the kickstart is addressed as /dev/sda1 although the
        # disk is written here as /dev/sdb; presumably it is the first disk
        # once the installer boots - confirm.
        args = ' '.join([
            'text',
            'ks=hd:/dev/sda1:/%s' % ks_cfg, 'console=ttyS0,38400n8',
            'loglevel=debug'
        ])
        # Tell Anaconda not to store its logs in the installed image,
        # unless requested to keep them for debugging.
        if not savelogs:
            args += ' inst.nosave=all'
        # \g<0> keeps the matched append line and adds the new args after it.
        cfg = re.sub(r'append initrd=initrd\.img.*', r'\g<0> %s' % args, cfg)

        # Change labels to explicit partitions.
        if release.startswith(('centos7', 'rhel7', 'rhel-7', 'oraclelinux7',
                               'centos8', 'rhel8')):
            cfg = re.sub(r'LABEL=[^ ]+', 'LABEL=INSTALLER', cfg)

        # Print out the modifications.
        # splitlines(1) keeps line endings, so joining with '\n' leaves blank
        # lines between entries in the logged diff (cosmetic only).
        diff = difflib.Differ().compare(oldcfg.splitlines(1),
                                        cfg.splitlines(1))
        logging.info('Modified extlinux.conf:\n%s' % '\n'.join(diff))

        # Rewrite in place: rewind, write, then cut off any leftover tail.
        f.seek(0)
        f.write(cfg)
        f.truncate()

    # Activate extlinux.
    # NOTE(review): no umount of 'iso' or 'installer' is visible in this
    # listing; confirm the mounts are released elsewhere.
    utils.Execute(['extlinux', '--install', 'installer/extlinux'])
Пример #14
def main():
  """Build a UEFI installer disk on /dev/sdb and upload the kickstart.

  Reads build parameters from instance metadata, generates ks.cfg and copies
  it to the build log location, lays out a GPT disk with an ESP and an
  INSTALLER partition, copies the ISO boot files over, and rewrites grub.cfg
  so the installer runs unattended on the serial console.
  """
  # Get Parameters
  # Optional flags are True only when the attribute is exactly 'true'.
  repo = utils.GetMetadataAttribute('google_cloud_repo',
                    raise_on_not_found=True)
  release = utils.GetMetadataAttribute('el_release', raise_on_not_found=True)
  daisy_logs_path = utils.GetMetadataAttribute('daisy-logs-path',
                                               raise_on_not_found=True)
  savelogs = utils.GetMetadataAttribute('el_savelogs') == 'true'
  byos = utils.GetMetadataAttribute('rhel_byos') == 'true'
  sap = utils.GetMetadataAttribute('rhel_sap') == 'true'

  logging.info('EL Release: %s' % release)
  logging.info('Google Cloud repo: %s' % repo)
  logging.info('Build working directory: %s' % os.getcwd())

  iso_file = '/files/installer.iso'

  utils.AptGetInstall(['rsync'])

  # Build the kickstart file.
  ks_content = ks_helpers.BuildKsConfig(release, repo, byos, sap)
  ks_cfg = 'ks.cfg'
  utils.WriteFile(ks_cfg, ks_content)
  # Save the generated kickstart file to the build logs.
  # NOTE(review): the kickstart leaves the build VM here. Confirm that
  # BuildKsConfig never embeds credentials or subscription secrets and that
  # daisy_logs_path is access-controlled.
  utils.UploadFile(ks_cfg, '%s/ks.cfg' % daisy_logs_path)

  # Write the installer disk. Write GPT label, create partition,
  # copy installer boot files over.
  # The target device is hard-coded: everything on /dev/sdb is destroyed.
  # NOTE(review): nothing here checks that /dev/sdb is the intended disk.
  logging.info('Writing installer disk.')
  utils.Execute(['parted', '/dev/sdb', 'mklabel', 'gpt'])
  utils.Execute(['sync'])
  utils.Execute(['parted', '/dev/sdb', 'mkpart', 'primary', 'fat32', '1MB',
                 '1024MB'])
  utils.Execute(['sync'])
  utils.Execute(['parted', '/dev/sdb', 'mkpart', 'primary', 'ext2', '1024MB',
                 '100%'])
  utils.Execute(['sync'])
  utils.Execute(['parted', '/dev/sdb', 'set', '1', 'boot', 'on'])
  utils.Execute(['sync'])
  utils.Execute(['parted', '/dev/sdb', 'set', '1', 'esp', 'on'])
  utils.Execute(['sync'])
  utils.Execute(['mkfs.vfat', '-F', '32', '/dev/sdb1'])
  utils.Execute(['sync'])
  utils.Execute(['fatlabel', '/dev/sdb1', 'ESP'])
  utils.Execute(['sync'])
  utils.Execute(['mkfs.ext2', '-L', 'INSTALLER', '/dev/sdb2'])
  utils.Execute(['sync'])

  utils.Execute(['mkdir', '-vp', 'iso', 'installer', 'boot'])
  utils.Execute(['mount', '-o', 'ro,loop', '-t', 'iso9660', iso_file, 'iso'])
  utils.Execute(['mount', '-t', 'vfat', '/dev/sdb1', 'boot'])
  utils.Execute(['mount', '-t', 'ext2', '/dev/sdb2', 'installer'])
  utils.Execute(['rsync', '-Pav', 'iso/EFI', 'iso/images', 'boot/'])
  utils.Execute(['cp', iso_file, 'installer/'])
  utils.Execute(['cp', ks_cfg, 'installer/'])

  # Modify boot config.
  with open('boot/EFI/BOOT/grub.cfg', 'r+') as f:
    oldcfg = f.read()
    # Search the ESP label, boot the first entry after one second, and
    # route grub input/output to the serial port.
    cfg = re.sub(r'-l .RHEL.*', r"""-l 'ESP'""", oldcfg)
    cfg = re.sub(r'timeout=60', 'timeout=1', cfg)
    cfg = re.sub(r'set default=.*', 'set default="0"', cfg)
    cfg = re.sub(r'load_video\n',
           r'serial --speed=38400 --unit=0 --word=8 --parity=no\n'
           'terminal_input serial\nterminal_output serial\n', cfg)

    # Change boot args.
    args = ' '.join([
      'text', 'ks=hd:LABEL=INSTALLER:/%s' % ks_cfg,
      'console=ttyS0,38400n8', 'inst.gpt', 'loglevel=debug'
    ])

    # Tell Anaconda not to store its logs in the installed image,
    # unless requested to keep them for debugging.
    if not savelogs:
      args += ' inst.nosave=all'
    # \g<0> keeps the matched inst.stage2 text and appends the new args.
    cfg = re.sub(r'inst\.stage2.*', r'\g<0> %s' % args, cfg)

    # Change labels to explicit partitions.
    # This runs after the args were appended, so it also rewrites any
    # LABEL= value inside them; the ks= label already reads INSTALLER.
    cfg = re.sub(r'LABEL=[^ ]+', 'LABEL=INSTALLER', cfg)

    # Print out the modifications.
    # splitlines(1) keeps line endings, so joining with '\n' leaves blank
    # lines between entries in the logged diff (cosmetic only).
    diff = difflib.Differ().compare(
        oldcfg.splitlines(1),
        cfg.splitlines(1))
    logging.info('Modified grub.cfg:\n%s' % '\n'.join(diff))

    # Rewrite in place: rewind, write, then cut off any leftover tail.
    f.seek(0)
    f.write(cfg)
    f.truncate()

  # NOTE(review): the unmounts sit on the success path only; presumably an
  # earlier failure leaves the mounts in place - confirm utils.Execute's
  # failure behaviour.
  utils.Execute(['umount', 'installer'])
  utils.Execute(['umount', 'iso'])
  utils.Execute(['umount', 'boot'])
Пример #15
def lock_user(CONFIGFILE, DB, LOCKFILE):
    """Stamp the lock file with the current time when the config lookup says so.

    utils.ReadConfigFile returns a pair: the first item is used as the path
    to write, the second decides whether anything is written at all.
    """
    lock_path, should_lock = utils.ReadConfigFile(CONFIGFILE, DB, LOCKFILE)
    if not should_lock:
        return
    # The timestamp is stored as text (seconds since the epoch).
    utils.WriteFile(lock_path, str(time.time()))
Пример #16
def lock_admin():
    """Write the current time to the file named by LOG/LOGFILE in conf.ini."""
    # The timestamp is taken before the config lookup, as in the original.
    started_at = time.time()
    lock_path = utils.ReadConfigFile('conf.ini', 'LOG', 'LOGFILE')
    # NOTE(review): the value is passed as a float, not a string; confirm
    # utils.WriteFile accepts that.
    utils.WriteFile(lock_path, started_at)