authorPedro Alvarez <pedro.alvarez@codethink.co.uk>2015-07-08 13:37:47 +0000
committerPedro Alvarez <pedro.alvarez@codethink.co.uk>2015-07-27 16:22:18 +0000
commit8202481dbe5f04c5191a05df6438877ad4e23597 (patch)
treef9ae84df28bab3e56cac7f7f3db4719e395f05db
parent473d22bc18e36dcf80e06562edbd25daeacfadae (diff)
downloaddefinitions-8202481dbe5f04c5191a05df6438877ad4e23597.tar.gz
Initial version bosh-stemcell.configure
Change-Id: Ia7dd7ccf3d94c2e4ad2e608ea2cf3bc78299014e
-rw-r--r--extensions/bosh-stemcell.configure252
-rw-r--r--extensions/bosh-stemcell/rsyslog.conf50
-rw-r--r--extensions/bosh-stemcell/rsyslog_50-default.conf68
-rw-r--r--extensions/bosh-stemcell/rsyslog_enable-kernel-logging.conf13
-rw-r--r--extensions/bosh-stemcell/rsyslog_logrotate.conf37
-rw-r--r--extensions/bosh-stemcell/sudoers21
-rw-r--r--extensions/bosh-stemcell/sysctl.d/60-bosh-sysctl-neigh-fix.conf5
7 files changed, 446 insertions, 0 deletions
diff --git a/extensions/bosh-stemcell.configure b/extensions/bosh-stemcell.configure
new file mode 100644
index 00000000..171accde
--- /dev/null
+++ b/extensions/bosh-stemcell.configure
@@ -0,0 +1,252 @@
+#!/bin/sh
+# Copyright (C) 2015 Codethink Limited
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.5
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+
+set -e
+
+ROOT="$1"
+
+bosh_app_dir=/var/vcap
+bosh_dir=$bosh_app_dir/bosh
+
+
+##############
+# cron #
+##############
+
+
+cat >> "$ROOT"/usr/lib/systemd/system/cron.service << 'EOF'
+[Unit]
+Description=Cron Service
+
+[Service]
+ExecStart=/usr/sbin/crond -f -c /etc/cron.d
+Restart=always
+EOF
+
+ln -sf "/usr/lib/systemd/system/cron.service" \
+ "$ROOT/usr/lib/systemd/system/multi-user.target.wants/cron.service"
+
+
+mkdir -p "$ROOT"/etc/cron.d
+mkdir -p "$ROOT"/etc/cron.hourly
+mkdir -p "$ROOT"/etc/cron.daily
+mkdir -p "$ROOT"/etc/cron.weekly
+mkdir -p "$ROOT"/etc/cron.monthly
+mkdir -p "$ROOT"/var/spool/cron
+
+cat >> "$ROOT"/etc/cron.d/root << 'EOF'
+SHELL=/bin/bash
+PATH=/sbin:/bin:/usr/sbin:/usr/bin
+MAILTO=root HOME=/
+# run-parts
+01 * * * * run-parts /etc/cron.hourly
+02 4 * * * run-parts /etc/cron.daily
+22 4 * * 0 run-parts /etc/cron.weekly
+42 4 1 * * run-parts /etc/cron.monthly
+EOF
+
+##################
+# logrotate cron #
+##################
+
+cat >> "$ROOT"/etc/cron.daily/logrotate << 'EOF'
+#!/bin/sh
+
+# Clean non existent log file entries from status file
+cd /var/lib/logrotate
+test -e status || touch status
+head -1 status > status.clean
+sed 's/"//g' status | while read logfile date
+do
+ [ -e "$logfile" ] && echo "\"$logfile\" $date"
+done >> status.clean
+mv status.clean status
+
+test -x /usr/sbin/logrotate || exit 0
+/usr/sbin/logrotate /etc/logrotate.conf
+EOF
+
+
+##################
+# logrotate conf #
+##################
+
+cat >> "$ROOT"/etc/logrotate.conf << 'EOF'
+# see "man logrotate" for details
+# rotate log files weekly
+weekly
+
+# keep 4 weeks worth of backlogs
+rotate 4
+
+# create new (empty) log files after rotating old ones
+create
+
+# uncomment this if you want your log files compressed
+#compress
+
+# packages drop log rotation information into this directory
+include /etc/logrotate.d
+
+# no packages own wtmp, or btmp -- we'll rotate them here
+/var/log/wtmp {
+ missingok
+ monthly
+ create 0664 root utmp
+ rotate 1
+}
+
+/var/log/btmp {
+ missingok
+ monthly
+ create 0660 root utmp
+ rotate 1
+}
+
+# system-specific logs may be configured here
+EOF
+
+
+############
+# base_ssh #
+############
+# Configure sshd appropriately
+# adapted from `bosh/stemcell_builder/stages/base_ssh/apply.sh`
+
+chmod 0600 "$ROOT"/etc/ssh/sshd_config
+
+sed "/^ *Banner/d" -i "$ROOT"/etc/ssh/sshd_config
+echo 'Banner /etc/issue.net' >> "$ROOT"/etc/ssh/sshd_config
+
+sed "/^ *UseDNS/d" -i "$ROOT"/etc/ssh/sshd_config
+echo 'UseDNS no' >> "$ROOT"/etc/ssh/sshd_config
+
+sed "/^ *PermitRootLogin/d" -i "$ROOT"/etc/ssh/sshd_config
+echo 'PermitRootLogin no' >> "$ROOT"/etc/ssh/sshd_config
+
+sed "/^ *X11Forwarding/d" -i "$ROOT"/etc/ssh/sshd_config
+sed "/^ *X11DisplayOffset/d" -i "$ROOT"/etc/ssh/sshd_config
+echo 'X11Forwarding no' >> "$ROOT"/etc/ssh/sshd_config
+
+sed "/^ *MaxAuthTries/d" -i "$ROOT"/etc/ssh/sshd_config
+echo 'MaxAuthTries 3' >> "$ROOT"/etc/ssh/sshd_config
+
+sed "/^ *PermitEmptyPasswords/d" -i "$ROOT"/etc/ssh/sshd_config
+echo 'PermitEmptyPasswords no' >> "$ROOT"/etc/ssh/sshd_config
+
+sed "/^ *Protocol/d" -i "$ROOT"/etc/ssh/sshd_config
+echo 'Protocol 2' >> "$ROOT"/etc/ssh/sshd_config
+
+# protect against as-shipped sshd_config that has no newline at end
+echo "" >> "$ROOT"/etc/ssh/sshd_config
+
+# There should be some configuration for the CBC
+
+
+##################
+# bosh_sysctl #
+##################
+# We need some configuration in sysctl
+cp extensions/bosh-stemcell/sysctl.d/60-bosh-sysctl-neigh-fix.conf "$ROOT"/etc/sysctl.d/
+
+
+##################
+# bosh_users #
+##################
+
+# Add vcap user for BOSH, with password 'c1oudc0w'
+echo 'vcap:x:1023:1023:BOSH System User:/home/vcap:/bin/bash' >> "$ROOT/etc/passwd"
+echo 'vcap:$6$FonTEWpp$SE7SXe5TrpileI13kEpPANSf2hjoINNdvKWtUd124oRKjlYN.TrWpDiN0ftXouce0OMvZB55u.QCaYl.MhXIs.:16624:0:99999:7:::' >> "$ROOT/etc/shadow"
+# Set root password to 'c1oudc0w'
+sed -i -e 's/root::/root:$6$CdiM3U53$u9lUT9N7jHqJAZp.cHD28W1rUMKpdPMZOzVJ7F\/iuRC6Fe7XzLtOaFJNHMM0VmwhJdeHjiiDQtPuFjwf7ew9Q\/:/g' $ROOT/etc/shadow
+echo 'vcap:x:1023:' >> "$ROOT/etc/group"
+mkdir -p "$ROOT/home/vcap"
+chown -R 1023:1023 "$ROOT/home/vcap"
+
+
+# Set up groups for vcap
+vcap_user_groups='admin adm audio cdrom dialout floppy video dip'
+for group in "$vcap_user_groups"; do
+ sed -i '/^'"$group"':/ s/$/,vcap/' "$ROOT/etc/group"
+done
+sed -i 's/:,/:/' "$ROOT/etc/group"
+
+
+# Setup SUDO
+cp extensions/bosh-stemcell/sudoers "$ROOT"/etc/sudoers
+
+# Add $bosh_dir/bin to $PATH
+echo "export PATH=$bosh_dir/bosh/bin:\$PATH" >> $ROOT/root/.bashrc
+echo "export PATH=$bosh_dir/bin:\$PATH" >> $ROOT/home/vcap/.bashrc
+
+cat > $ROOT/root/.profile <<EOS
+if [ "\$BASH" ]; then
+ if [ -f ~/.bashrc ]; then
+ . ~/.bashrc
+ fi
+fi
+EOS
+
+##################
+# bosh_sudoers #
+##################
+
+echo '#includedir /etc/sudoers.d' >> $ROOT/etc/sudoers
+
+##################
+# rsyslog_config #
+##################
+
+#FIXME: I've modified this file to not need syslog user or adm group. Bear in mind if something doesn't work
+cp extensions/bosh-stemcell/rsyslog.conf "$ROOT"/etc/rsyslog.conf
+mkdir -p "$ROOT"/etc/logrotate.d
+cp extensions/bosh-stemcell/rsyslog_logrotate.conf "$ROOT"/etc/logrotate.d/rsyslog
+
+ln -sf "/lib/systemd/system/rsyslog.service" \
+ "$ROOT/etc/systemd/system/multi-user.target.wants/rsyslog.service"
+
+mkdir -p "$ROOT"/etc/rsyslog.d
+cp extensions/bosh-stemcell/rsyslog_enable-kernel-logging.conf "$ROOT"/etc/rsyslog.d/enable-kernel-logging.conf
+cp extensions/bosh-stemcell/rsyslog_50-default.conf "$ROOT"/etc/rsyslog.d/50-default.conf
+
+
+##################
+# bosh_sysstat #
+##################
+
+# FIXME: Appending instead of replacing. They are creating this file in
+# /etc/default/sysstat, but I don't know if that will work in Baserock
+cat >> $ROOT/etc/sysconfig/sysstat << 'EOF'
+#
+# Default settings for /etc/init.d/sysstat, /etc/cron.d/sysstat
+# and /etc/cron.daily/sysstat files
+#
+
+# Should sadc collect system activity informations? Valid values
+# are "true" and "false". Please do not put other values, they
+# will be overwritten by debconf!
+ENABLED="true"
+
+# Additional options passed to sa1 by /etc/init.d/sysstat
+# and /etc/cron.d/sysstat
+# By default contains the `-S DISK' option responsible for
+# generating disk statisitcs.
+SA1_OPTIONS="-S DISK"
+
+# Additional options passed to sa2 by /etc/cron.daily/sysstat.
+SA2_OPTIONS=""
+
+EOF
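Review bot: The `for group in "$vcap_user_groups"; do` loop under `# Set up groups for vcap` iterates once with the whole quoted string, so its `sed` pattern `/^admin adm audio cdrom dialout floppy video dip:/` matches no line of `/etc/group` and vcap ends up in none of the intended groups; write `for group in $vcap_user_groups; do` (the word-splitting is wanted here) or list the groups as separate words. The sudoers file is installed with a bare `cp` from a source the diffstat lists as `-rw-r--r--` and then appended to, with no `chmod 0440 "$ROOT"/etc/sudoers` and no `visudo -cf` check, and sudo by default refuses a sudoers file whose mode is not 0440. The `echo "" >> "$ROOT"/etc/ssh/sshd_config` commented as protection against a shipped file lacking a final newline comes after all the appends, so an unterminated last line would already have swallowed the `Banner /etc/issue.net` line; the guard should precede the first `sed`/`echo` pair. `$ROOT` is left unquoted in the root-password `sed -i`, both `.bashrc` appends, the `.profile` and sysstat heredoc targets and the `#includedir` append, unlike the rest of the script. The vcap and root entries also receive the same fixed shadow hash on every image built; unless the BOSH agent replaces it at first boot, every stemcell produced from this definition shares one documented credential.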
diff --git a/extensions/bosh-stemcell/rsyslog.conf b/extensions/bosh-stemcell/rsyslog.conf
new file mode 100644
index 00000000..df05efcd
--- /dev/null
+++ b/extensions/bosh-stemcell/rsyslog.conf
@@ -0,0 +1,50 @@
+# /etc/rsyslog.conf Configuration file for rsyslog.
+#
+# For more information see
+# /usr/share/doc/rsyslog-doc/html/rsyslog_conf.html
+#
+# Default logging rules can be found in /etc/rsyslog.d/50-default.conf
+
+
+#################
+#### MODULES ####
+#################
+
+$ModLoad imuxsock # provides support for local system logging
+$ModLoad omrelp
+#$ModLoad immark # provides --MARK-- message capability
+
+# provides UDP syslog reception
+#$ModLoad imudp
+#$UDPServerRun 514
+
+# provides TCP syslog reception
+#$ModLoad imtcp
+#$InputTCPServerRun 514
+
+
+###########################
+#### GLOBAL DIRECTIVES ####
+###########################
+
+#
+# Use traditional timestamp format.
+# To enable high precision timestamps, comment out the following line.
+#
+$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
+
+# Filter duplicated messages
+$RepeatedMsgReduction on
+
+$MaxMessageSize 4k
+#
+# Set the default permissions for all log files.
+#
+$FileCreateMode 0640
+$DirCreateMode 0755
+$Umask 0022
+
+#
+# Include all config files in /etc/rsyslog.d/
+#
+$IncludeConfig /etc/rsyslog.d/*.conf
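Review bot: `$ModLoad omrelp` in the MODULES section has no matching RELP action in this file or in the shipped `50-default.conf`, so the module is loaded for nothing visible, and if the stemcell's rsyslog build lacks omrelp the load fails at startup. Either drop the line or record the intent beside it, e.g. `# omrelp: output module for RELP forwarding; rules are expected to be added later — TODO confirm the module is built in`.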
diff --git a/extensions/bosh-stemcell/rsyslog_50-default.conf b/extensions/bosh-stemcell/rsyslog_50-default.conf
new file mode 100644
index 00000000..983914d3
--- /dev/null
+++ b/extensions/bosh-stemcell/rsyslog_50-default.conf
@@ -0,0 +1,68 @@
+# Default rules for rsyslog.
+#
+# For more information see rsyslog.conf(5) and /etc/rsyslog.conf
+
+#
+# First some standard log files. Log by facility.
+#
+auth,authpriv.* /var/log/auth.log
+*.*;auth,authpriv.none -/var/log/syslog
+#cron.* /var/log/cron.log
+daemon.* -/var/log/daemon.log
+kern.* -/var/log/kern.log
+lpr.* -/var/log/lpr.log
+mail.* -/var/log/mail.log
+user.* -/var/log/user.log
+
+#
+# Logging for the mail system. Split it up so that
+# it is easy to write scripts to parse these files.
+#
+mail.info -/var/log/mail.info
+mail.warn -/var/log/mail.warn
+mail.err /var/log/mail.err
+
+#
+# Logging for INN news system.
+#
+news.crit /var/log/news/news.crit
+news.err /var/log/news/news.err
+news.notice -/var/log/news/news.notice
+
+#
+# Some "catch-all" log files.
+#
+*.=debug;\
+ auth,authpriv.none;\
+ news.none;mail.none -/var/log/debug
+*.=info;*.=notice;*.=warn;\
+ auth,authpriv.none;\
+ cron,daemon.none;\
+ mail,news.none -/var/log/messages
+
+#
+# Emergencies are sent to everybody logged in.
+#
+*.emerg :omusrmsg:*
+
+#
+# I like to have messages displayed on the console, but only on a virtual
+# console I usually leave idle.
+#
+#daemon,mail.*;\
+# news.=crit;news.=err;news.=notice;\
+# *.=debug;*.=info;\
+# *.=notice;*.=warn /dev/tty8
+
+# The named pipe /dev/xconsole is for the `xconsole' utility. To use it,
+# you must invoke `xconsole' with the `-file' option:
+#
+# $ xconsole -file /dev/xconsole [...]
+#
+# NOTE: adjust the list below, or you'll go crazy if you have a reasonably
+# busy site..
+#
+daemon.*;mail.*;\
+ news.err;\
+ *.=debug;*.=info;\
+ *.=notice;*.=warn |/dev/xconsole
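Review bot: The final rule writes to the named pipe `/dev/xconsole`, but nothing in this commit creates that pipe or sets up an `xconsole` reader on the stemcell; rsyslog typically reports an open error for the action when the pipe is missing, and if the pipe exists without a reader it fills up. Unless a reader is planned, the stanza should be commented out like the `/dev/tty8` block above it, with a note such as `# /dev/xconsole rule disabled: no pipe or reader on the stemcell`.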
diff --git a/extensions/bosh-stemcell/rsyslog_enable-kernel-logging.conf b/extensions/bosh-stemcell/rsyslog_enable-kernel-logging.conf
new file mode 100644
index 00000000..073682bd
--- /dev/null
+++ b/extensions/bosh-stemcell/rsyslog_enable-kernel-logging.conf
@@ -0,0 +1,13 @@
+# enable-kernel-logging.conf
+#
+# This module enables kernel logging
+#
+# For more information see
+# /usr/share/doc/rsyslog-doc/html/rsyslog_conf.html
+
+
+#################
+#### MODULES ####
+#################
+
+$ModLoad imklog
diff --git a/extensions/bosh-stemcell/rsyslog_logrotate.conf b/extensions/bosh-stemcell/rsyslog_logrotate.conf
new file mode 100644
index 00000000..637c8692
--- /dev/null
+++ b/extensions/bosh-stemcell/rsyslog_logrotate.conf
@@ -0,0 +1,37 @@
+/var/log/syslog
+{
+ rotate 7
+ size 5M
+ missingok
+ notifempty
+ delaycompress
+ compress
+ postrotate
+ reload rsyslog >/dev/null 2>&1 || true
+ endscript
+}
+
+/var/log/mail.info
+/var/log/mail.warn
+/var/log/mail.err
+/var/log/mail.log
+/var/log/daemon.log
+/var/log/kern.log
+/var/log/auth.log
+/var/log/user.log
+/var/log/lpr.log
+/var/log/cron.log
+/var/log/debug
+/var/log/messages
+{
+ rotate 4
+ size 5M
+ missingok
+ notifempty
+ compress
+ delaycompress
+ sharedscripts
+ postrotate
+ reload rsyslog >/dev/null 2>&1 || true
+ endscript
+}
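Review bot: Both `postrotate` blocks run `reload rsyslog >/dev/null 2>&1 || true`; `reload` is the Upstart/initctl command, and the configure script in this commit wires rsyslog through a systemd unit, so on the image it likely does not exist and the `|| true` hides that silently. Without a HUP, rsyslogd keeps writing to the renamed `.1` file until the next rotation compresses and removes it, losing the log lines written in between. Use `systemctl kill -s HUP rsyslog.service >/dev/null 2>&1 || true` in both blocks.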
diff --git a/extensions/bosh-stemcell/sudoers b/extensions/bosh-stemcell/sudoers
new file mode 100644
index 00000000..03c1f371
--- /dev/null
+++ b/extensions/bosh-stemcell/sudoers
@@ -0,0 +1,21 @@
+# /etc/sudoers
+# This file MUST be edited with the 'visudo' command as root.
+# See the man page for details on how to write a sudoers file.
+# Defaults
+
+Defaults !lecture,tty_tickets,!fqdn
+
+# Uncomment to allow members of group sudo to not need a password
+# %sudo ALL=NOPASSWD: ALL
+
+# Host alias specification
+
+# User alias specification
+
+# Cmnd alias specification
+
+# User privilege specification
+root ALL=(ALL) ALL
+
+# Members of the admin group may gain root privileges
+%admin ALL=(ALL) ALL
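Review bot: The `#includedir /etc/sudoers.d` directive that the configure script appends to the installed copy belongs in this file, so the shipped `sudoers` and the resulting `/etc/sudoers` are identical and the source can be validated on its own with `visudo -cf extensions/bosh-stemcell/sudoers`. As written, the header's `This file MUST be edited with the 'visudo' command` is contradicted by the installation path, which modifies it with a plain `echo >>`.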
diff --git a/extensions/bosh-stemcell/sysctl.d/60-bosh-sysctl-neigh-fix.conf b/extensions/bosh-stemcell/sysctl.d/60-bosh-sysctl-neigh-fix.conf
new file mode 100644
index 00000000..46d09cb3
--- /dev/null
+++ b/extensions/bosh-stemcell/sysctl.d/60-bosh-sysctl-neigh-fix.conf
@@ -0,0 +1,5 @@
+# Actively delete stale entries from the neighbor table regardless of its size
+# (Kernel started using this value in GC loop in commit 2724680).
+# http://wiki.wireshark.org/Gratuitous_ARP
+# http://linux-ip.net/html/ether-arp.html
+net.ipv4.neigh.default.gc_thresh1=0