author | Pedro Alvarez <pedro.alvarez@codethink.co.uk> | 2015-07-08 13:37:47 +0000 |
---|---|---|
committer | Pedro Alvarez <pedro.alvarez@codethink.co.uk> | 2015-07-27 16:22:18 +0000 |
commit | 8202481dbe5f04c5191a05df6438877ad4e23597 (patch) | |
tree | f9ae84df28bab3e56cac7f7f3db4719e395f05db | |
parent | 473d22bc18e36dcf80e06562edbd25daeacfadae (diff) | |
download | definitions-8202481dbe5f04c5191a05df6438877ad4e23597.tar.gz |
Initial version bosh-stemcell.configure
Change-Id: Ia7dd7ccf3d94c2e4ad2e608ea2cf3bc78299014e
-rw-r--r-- | extensions/bosh-stemcell.configure | 252 | ||||
-rw-r--r-- | extensions/bosh-stemcell/rsyslog.conf | 50 | ||||
-rw-r--r-- | extensions/bosh-stemcell/rsyslog_50-default.conf | 68 | ||||
-rw-r--r-- | extensions/bosh-stemcell/rsyslog_enable-kernel-logging.conf | 13 | ||||
-rw-r--r-- | extensions/bosh-stemcell/rsyslog_logrotate.conf | 37 | ||||
-rw-r--r-- | extensions/bosh-stemcell/sudoers | 21 | ||||
-rw-r--r-- | extensions/bosh-stemcell/sysctl.d/60-bosh-sysctl-neigh-fix.conf | 5 |
7 files changed, 446 insertions, 0 deletions
diff --git a/extensions/bosh-stemcell.configure b/extensions/bosh-stemcell.configure
new file mode 100644
index 00000000..171accde
--- /dev/null
+++ b/extensions/bosh-stemcell.configure
@@ -0,0 +1,252 @@ +#!/bin/sh +# Copyright (C) 2015 Codethink Limited +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License.5 +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + +set -e + +ROOT="$1" + +bosh_app_dir=/var/vcap +bosh_dir=$bosh_app_dir/bosh + + +############## +# cron # +############## + + +cat >> "$ROOT"/usr/lib/systemd/system/cron.service << 'EOF' +[Unit] +Description=Cron Service + +[Service] +ExecStart=/usr/sbin/crond -f -c /etc/cron.d +Restart=always +EOF + +ln -sf "/usr/lib/systemd/system/cron.service" \ + "$ROOT/usr/lib/systemd/system/multi-user.target.wants/cron.service" + + +mkdir -p "$ROOT"/etc/cron.d +mkdir -p "$ROOT"/etc/cron.hourly +mkdir -p "$ROOT"/etc/cron.daily +mkdir -p "$ROOT"/etc/cron.weekly +mkdir -p "$ROOT"/etc/cron.monthly +mkdir -p "$ROOT"/var/spool/cron + +cat >> "$ROOT"/etc/cron.d/root << 'EOF' +SHELL=/bin/bash +PATH=/sbin:/bin:/usr/sbin:/usr/bin +MAILTO=root HOME=/ +# run-parts +01 * * * * run-parts /etc/cron.hourly +02 4 * * * run-parts /etc/cron.daily +22 4 * * 0 run-parts /etc/cron.weekly +42 4 1 * * run-parts /etc/cron.monthly +EOF + +################## +# logrotate cron # +################## + +cat >> "$ROOT"/etc/cron.daily/logrotate << 'EOF' +#!/bin/sh + +# Clean non existent log file entries from status file +cd /var/lib/logrotate +test -e status || touch status +head -1 status > status.clean +sed 's/"//g' status | while read logfile date +do + [ -e "$logfile" ] && 
echo "\"$logfile\" $date" +done >> status.clean +mv status.clean status + +test -x /usr/sbin/logrotate || exit 0 +/usr/sbin/logrotate /etc/logrotate.conf +EOF + + +################## +# logrotate conf # +################## + +cat >> "$ROOT"/etc/logrotate.conf << 'EOF' +# see "man logrotate" for details +# rotate log files weekly +weekly + +# keep 4 weeks worth of backlogs +rotate 4 + +# create new (empty) log files after rotating old ones +create + +# uncomment this if you want your log files compressed +#compress + +# packages drop log rotation information into this directory +include /etc/logrotate.d + +# no packages own wtmp, or btmp -- we'll rotate them here +/var/log/wtmp { + missingok + monthly + create 0664 root utmp + rotate 1 +} + +/var/log/btmp { + missingok + monthly + create 0660 root utmp + rotate 1 +} + +# system-specific logs may be configured here +EOF + + +############ +# base_ssh # +############ +# Configure sshd appropriately +# adapted from `bosh/stemcell_builder/stages/base_ssh/apply.sh` + +chmod 0600 "$ROOT"/etc/ssh/sshd_config + +sed "/^ *Banner/d" -i "$ROOT"/etc/ssh/sshd_config +echo 'Banner /etc/issue.net' >> "$ROOT"/etc/ssh/sshd_config + +sed "/^ *UseDNS/d" -i "$ROOT"/etc/ssh/sshd_config +echo 'UseDNS no' >> "$ROOT"/etc/ssh/sshd_config + +sed "/^ *PermitRootLogin/d" -i "$ROOT"/etc/ssh/sshd_config +echo 'PermitRootLogin no' >> "$ROOT"/etc/ssh/sshd_config + +sed "/^ *X11Forwarding/d" -i "$ROOT"/etc/ssh/sshd_config +sed "/^ *X11DisplayOffset/d" -i "$ROOT"/etc/ssh/sshd_config +echo 'X11Forwarding no' >> "$ROOT"/etc/ssh/sshd_config + +sed "/^ *MaxAuthTries/d" -i "$ROOT"/etc/ssh/sshd_config +echo 'MaxAuthTries 3' >> "$ROOT"/etc/ssh/sshd_config + +sed "/^ *PermitEmptyPasswords/d" -i "$ROOT"/etc/ssh/sshd_config +echo 'PermitEmptyPasswords no' >> "$ROOT"/etc/ssh/sshd_config + +sed "/^ *Protocol/d" -i "$ROOT"/etc/ssh/sshd_config +echo 'Protocol 2' >> "$ROOT"/etc/ssh/sshd_config + +# protect against as-shipped sshd_config that has no newline at end 
+echo "" >> "$ROOT"/etc/ssh/sshd_config + +# There should be some configuration for the CBC + + +################## +# bosh_sysctl # +################## +# We need some configuration in sysctl +cp extensions/bosh-stemcell/sysctl.d/60-bosh-sysctl-neigh-fix.conf "$ROOT"/etc/sysctl.d/ + + +################## +# bosh_users # +################## + +# Add vcap user for BOSH, with password 'c1oudc0w' +echo 'vcap:x:1023:1023:BOSH System User:/home/vcap:/bin/bash' >> "$ROOT/etc/passwd" +echo 'vcap:$6$FonTEWpp$SE7SXe5TrpileI13kEpPANSf2hjoINNdvKWtUd124oRKjlYN.TrWpDiN0ftXouce0OMvZB55u.QCaYl.MhXIs.:16624:0:99999:7:::' >> "$ROOT/etc/shadow" +# Set root password to 'c1oudc0w' +sed -i -e 's/root::/root:$6$CdiM3U53$u9lUT9N7jHqJAZp.cHD28W1rUMKpdPMZOzVJ7F\/iuRC6Fe7XzLtOaFJNHMM0VmwhJdeHjiiDQtPuFjwf7ew9Q\/:/g' $ROOT/etc/shadow +echo 'vcap:x:1023:' >> "$ROOT/etc/group" +mkdir -p "$ROOT/home/vcap" +chown -R 1023:1023 "$ROOT/home/vcap" + + +# Set up groups for vcap +vcap_user_groups='admin adm audio cdrom dialout floppy video dip' +for group in "$vcap_user_groups"; do + sed -i '/^'"$group"':/ s/$/,vcap/' "$ROOT/etc/group" +done +sed -i 's/:,/:/' "$ROOT/etc/group" + + +# Setup SUDO +cp extensions/bosh-stemcell/sudoers "$ROOT"/etc/sudoers + +# Add $bosh_dir/bin to $PATH +echo "export PATH=$bosh_dir/bosh/bin:\$PATH" >> $ROOT/root/.bashrc +echo "export PATH=$bosh_dir/bin:\$PATH" >> $ROOT/home/vcap/.bashrc + +cat > $ROOT/root/.profile <<EOS +if [ "\$BASH" ]; then + if [ -f ~/.bashrc ]; then + . ~/.bashrc + fi +fi +EOS + +################## +# bosh_sudoers # +################## + +echo '#includedir /etc/sudoers.d' >> $ROOT/etc/sudoers + +################## +# rsyslog_config # +################## + +#FIXME: I've modified this file to not need syslog user or adm group. 
Bear in mind if something doesn't work +cp extensions/bosh-stemcell/rsyslog.conf "$ROOT"/etc/rsyslog.conf +mkdir -p "$ROOT"/etc/logrotate.d +cp extensions/bosh-stemcell/rsyslog_logrotate.conf "$ROOT"/etc/logrotate.d/rsyslog + +ln -sf "/lib/systemd/system/rsyslog.service" \ + "$ROOT/etc/systemd/system/multi-user.target.wants/rsyslog.service" + +mkdir -p "$ROOT"/etc/rsyslog.d +cp extensions/bosh-stemcell/rsyslog_enable-kernel-logging.conf "$ROOT"/etc/rsyslog.d/enable-kernel-logging.conf +cp extensions/bosh-stemcell/rsyslog_50-default.conf "$ROOT"/etc/rsyslog.d/50-default.conf + + +################## +# bosh_sysstat # +################## + +# FIXME: Appending instead of replacing. They are creating this file in +# /etc/default/sysstat, but I don't know if that will work in Baserock +cat >> $ROOT/etc/sysconfig/sysstat << 'EOF' +# +# Default settings for /etc/init.d/sysstat, /etc/cron.d/sysstat +# and /etc/cron.daily/sysstat files +# + +# Should sadc collect system activity informations? Valid values +# are "true" and "false". Please do not put other values, they +# will be overwritten by debconf! +ENABLED="true" + +# Additional options passed to sa1 by /etc/init.d/sysstat +# and /etc/cron.d/sysstat +# By default contains the `-S DISK' option responsible for +# generating disk statisitcs. +SA1_OPTIONS="-S DISK" + +# Additional options passed to sa2 by /etc/cron.daily/sysstat. +SA2_OPTIONS="" + +EOF diff --git a/extensions/bosh-stemcell/rsyslog.conf b/extensions/bosh-stemcell/rsyslog.conf new file mode 100644 index 00000000..df05efcd --- /dev/null +++ b/extensions/bosh-stemcell/rsyslog.conf 
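Review bot: The vcap group membership loop never matches anything: `for group in "$vcap_user_groups"; do` quotes the list, so the body runs once with `$group` holding the whole string and the sed pattern `/^admin adm audio cdrom dialout floppy video dip:/` matches no line of /etc/group; word-splitting is the intent here, so it should read `for group in $vcap_user_groups; do` with a comment saying the split is deliberate. Two further things in the bosh_users section deserve a note: the root hash is inserted with `sed -i -e 's/root::/...'`, which silently leaves root untouched whenever the shipped shadow entry is not an empty password field (`root:*:` or `root:!:`) and `set -e` cannot catch that; and the root and vcap hashes are fixed constants whose cleartext is spelled out in the comments, so every image built from this file shares the same credentials unless something rotates or locks them at deploy time — a comment naming which component is expected to do that would help the next reader. Also `$ROOT/home/vcap/.bashrc` is written after `chown -R 1023:1023 "$ROOT/home/vcap"`, so it ends up owned by the build user rather than vcap, and several `$ROOT` expansions in this section (`$ROOT/etc/shadow`, `$ROOT/root/.bashrc`, `$ROOT/etc/sudoers`, `$ROOT/etc/sysconfig/sysstat`) are unquoted where the rest of the file quotes them.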
@@ -0,0 +1,50 @@ +# /etc/rsyslog.conf Configuration file for rsyslog. +# +# For more information see +# /usr/share/doc/rsyslog-doc/html/rsyslog_conf.html +# +# Default logging rules can be found in /etc/rsyslog.d/50-default.conf + + +################# +#### MODULES #### +################# + +$ModLoad imuxsock # provides support for local system logging +$ModLoad omrelp +#$ModLoad immark # provides --MARK-- message capability + +# provides UDP syslog reception +#$ModLoad imudp +#$UDPServerRun 514 + +# provides TCP syslog reception +#$ModLoad imtcp +#$InputTCPServerRun 514 + + +########################### +#### GLOBAL DIRECTIVES #### +########################### + +# +# Use traditional timestamp format. +# To enable high precision timestamps, comment out the following line. +# +$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat + +# Filter duplicated messages +$RepeatedMsgReduction on + +$MaxMessageSize 4k +# +# Set the default permissions for all log files. +# +$FileCreateMode 0640 +$DirCreateMode 0755 +$Umask 0022 + +# +# Include all config files in /etc/rsyslog.d/ +# +$IncludeConfig /etc/rsyslog.d/*.conf diff --git a/extensions/bosh-stemcell/rsyslog_50-default.conf b/extensions/bosh-stemcell/rsyslog_50-default.conf new file mode 100644 index 00000000..983914d3 --- /dev/null +++ b/extensions/bosh-stemcell/rsyslog_50-default.conf 
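Review bot: `$MaxMessageSize 4k` sits in the GLOBAL DIRECTIVES block, after `$ModLoad imuxsock` and `$ModLoad omrelp`; as far as I recall rsyslog only honours this directive when it appears before the first input module is loaded, so as written the 4k limit may not take effect. Moving it above the MODULES block, with a comment such as `# must precede any $ModLoad of an input module`, would make the intent explicit. `$ModLoad omrelp` is loaded but no rule in this commit uses a RELP action; if it is there for a later rule, a one-line comment naming that use would stop someone from pruning it.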
@@ -0,0 +1,68 @@ +# Default rules for rsyslog. +# +# For more information see rsyslog.conf(5) and /etc/rsyslog.conf + +# +# First some standard log files. Log by facility. +# +auth,authpriv.* /var/log/auth.log +*.*;auth,authpriv.none -/var/log/syslog +#cron.* /var/log/cron.log +daemon.* -/var/log/daemon.log +kern.* -/var/log/kern.log +lpr.* -/var/log/lpr.log +mail.* -/var/log/mail.log +user.* -/var/log/user.log + +# +# Logging for the mail system. Split it up so that +# it is easy to write scripts to parse these files. +# +mail.info -/var/log/mail.info +mail.warn -/var/log/mail.warn +mail.err /var/log/mail.err + +# +# Logging for INN news system. +# +news.crit /var/log/news/news.crit +news.err /var/log/news/news.err +news.notice -/var/log/news/news.notice + +# +# Some "catch-all" log files. +# +*.=debug;\ + auth,authpriv.none;\ + news.none;mail.none -/var/log/debug +*.=info;*.=notice;*.=warn;\ + auth,authpriv.none;\ + cron,daemon.none;\ + mail,news.none -/var/log/messages + +# +# Emergencies are sent to everybody logged in. +# +*.emerg :omusrmsg:* + +# +# I like to have messages displayed on the console, but only on a virtual +# console I usually leave idle. +# +#daemon,mail.*;\ +# news.=crit;news.=err;news.=notice;\ +# *.=debug;*.=info;\ +# *.=notice;*.=warn /dev/tty8 + +# The named pipe /dev/xconsole is for the `xconsole' utility. To use it, +# you must invoke `xconsole' with the `-file' option: +# +# $ xconsole -file /dev/xconsole [...] +# +# NOTE: adjust the list below, or you'll go crazy if you have a reasonably +# busy site.. +# +daemon.*;mail.*;\ + news.err;\ + *.=debug;*.=info;\ + *.=notice;*.=warn |/dev/xconsole diff --git a/extensions/bosh-stemcell/rsyslog_enable-kernel-logging.conf b/extensions/bosh-stemcell/rsyslog_enable-kernel-logging.conf new file mode 100644 index 00000000..073682bd --- /dev/null +++ b/extensions/bosh-stemcell/rsyslog_enable-kernel-logging.conf 
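Review bot: The last rule pipes to `|/dev/xconsole` and the news rules write under `/var/log/news/`, but nothing in this commit creates that named pipe or that directory (bosh-stemcell.configure in the same change creates neither), so rsyslog will most likely report action errors for these targets at startup. Either drop the xconsole rule, which is a desktop convention carried over from the Debian default file, or create the pipe and directory in the configure script; at minimum a comment here should say which is intended.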
@@ -0,0 +1,13 @@ +# enable-kernel-logging.conf +# +# This module enables kernel logging +# +# For more information see +# /usr/share/doc/rsyslog-doc/html/rsyslog_conf.html + + +################# +#### MODULES #### +################# + +$ModLoad imklog diff --git a/extensions/bosh-stemcell/rsyslog_logrotate.conf b/extensions/bosh-stemcell/rsyslog_logrotate.conf new file mode 100644 index 00000000..637c8692 --- /dev/null +++ b/extensions/bosh-stemcell/rsyslog_logrotate.conf @@ -0,0 +1,37 @@ +/var/log/syslog +{ + rotate 7 + size 5M + missingok + notifempty + delaycompress + compress + postrotate + reload rsyslog >/dev/null 2>&1 || true + endscript +} + +/var/log/mail.info +/var/log/mail.warn +/var/log/mail.err +/var/log/mail.log +/var/log/daemon.log +/var/log/kern.log +/var/log/auth.log +/var/log/user.log +/var/log/lpr.log +/var/log/cron.log +/var/log/debug +/var/log/messages +{ + rotate 4 + size 5M + missingok + notifempty + compress + delaycompress + sharedscripts + postrotate + reload rsyslog >/dev/null 2>&1 || true + endscript +} diff --git a/extensions/bosh-stemcell/sudoers b/extensions/bosh-stemcell/sudoers new file mode 100644 index 00000000..03c1f371 --- /dev/null +++ b/extensions/bosh-stemcell/sudoers @@ -0,0 +1,21 @@ +# /etc/sudoers +# This file MUST be edited with the 'visudo' command as root. +# See the man page for details on how to write a sudoers file. +# Defaults + +Defaults !lecture,tty_tickets,!fqdn + +# Uncomment to allow members of group sudo to not need a password +# %sudo ALL=NOPASSWD: ALL + +# Host alias specification + +# User alias specification + +# Cmnd alias specification + +# User privilege specification +root ALL=(ALL) ALL + +# Members of the admin group may gain root privileges +%admin ALL=(ALL) ALL diff --git a/extensions/bosh-stemcell/sysctl.d/60-bosh-sysctl-neigh-fix.conf b/extensions/bosh-stemcell/sysctl.d/60-bosh-sysctl-neigh-fix.conf new file mode 100644 index 00000000..46d09cb3 --- /dev/null 
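Review bot: Both `postrotate` blocks in rsyslog_logrotate.conf call `reload rsyslog >/dev/null 2>&1 || true`; `reload` is the Upstart initctl alias, and this image starts rsyslog through systemd (bosh-stemcell.configure links rsyslog.service into multi-user.target.wants), so the command will most likely fail and the `|| true` hides it, leaving rsyslog writing to the renamed file until it happens to restart. Something like `systemctl reload rsyslog >/dev/null 2>&1 || true` would match the rest of the commit; the same change applies to the second stanza.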
+++ b/extensions/bosh-stemcell/sysctl.d/60-bosh-sysctl-neigh-fix.conf @@ -0,0 +1,5 @@ +# Actively delete stale entries from the neighbor table regardless of its size +# (Kernel started using this value in GC loop in commit 2724680). +# http://wiki.wireshark.org/Gratuitous_ARP +# http://linux-ip.net/html/ether-arp.html +net.ipv4.neigh.default.gc_thresh1=0 |