diff options
| -rw-r--r-- | assets/boot/extlinux.conf | 5 | ||||
| -rw-r--r-- | assets/firewall/ferm.conf | 38 | ||||
| -rw-r--r-- | assets/fstab | 3 | ||||
| -rw-r--r-- | assets/modprobe/blacklist.conf | 2 | ||||
| -rw-r--r-- | assets/network/cloudstack-guest-setup | 30 | ||||
| -rw-r--r-- | assets/network/interfaces | 18 | ||||
| -rw-r--r-- | assets/package-manager/apt/apt-settings | 4 | ||||
| -rw-r--r-- | vps-builder.scm | 268 |
8 files changed, 368 insertions, 0 deletions
diff --git a/assets/boot/extlinux.conf b/assets/boot/extlinux.conf new file mode 100644 index 0000000..c340924 --- /dev/null +++ b/assets/boot/extlinux.conf @@ -0,0 +1,5 @@ +default linux +timeout 1 +label linux +kernel {KERNEL} +append initrd={RAMDISK} root=/dev/vda1 console=tty0 console=ttyS0,115200 ro quiet
\ No newline at end of file diff --git a/assets/firewall/ferm.conf b/assets/firewall/ferm.conf new file mode 100644 index 0000000..e9a1e88 --- /dev/null +++ b/assets/firewall/ferm.conf @@ -0,0 +1,38 @@ +# -*- shell-script -*- +# +# Configuration file for ferm(1). +# + +@def $PUBLIC_SERVICES=(ssh); +@def $BADGUYS=(); + +domain (ip ip6) table filter { + chain (INPUT OUTPUT FORWARD) { + # connection tracking + mod state state INVALID DROP; + mod state state (ESTABLISHED RELATED) ACCEPT; + } + + chain INPUT { + policy DROP; + + # drop blacklisted connections + saddr @ipfilter($BADGUYS) DROP; + + # allow local packet + interface lo ACCEPT; + + # respond to ping + proto icmp ACCEPT; + + proto tcp dport $PUBLIC_SERVICES ACCEPT; + } + + chain OUTPUT { + policy ACCEPT; + } + + chain FORWARD { + policy DROP; + } +} diff --git a/assets/fstab b/assets/fstab new file mode 100644 index 0000000..703881b --- /dev/null +++ b/assets/fstab @@ -0,0 +1,3 @@ +# /etc/fstab: static file system information. +proc /proc proc nodev,noexec,nosuid 0 0 +/dev/vda1 / ext3 errors=remount-ro 0 1 diff --git a/assets/modprobe/blacklist.conf b/assets/modprobe/blacklist.conf new file mode 100644 index 0000000..4a36d77 --- /dev/null +++ b/assets/modprobe/blacklist.conf @@ -0,0 +1,2 @@ +# disable pc speaker +blacklist pcspkr
\ No newline at end of file diff --git a/assets/network/cloudstack-guest-setup b/assets/network/cloudstack-guest-setup new file mode 100644 index 0000000..3583afe --- /dev/null +++ b/assets/network/cloudstack-guest-setup @@ -0,0 +1,30 @@ +#!/bin/sh +# +# From https://github.com/shankerbalan/cloudstack-scripts +# Stripped out the non-Debian and Plesk stuff, the cron +# randomisation and the 127.0.1.1 removal in /etc/hosts. +# +# TODO: Rewrite in CHICKEN? +# +# /etc/dhcp/dhclient-exit-hooks.d/cloudstack-guest-setup (debian/ubuntu) +# runs on firstboot after acquiring DHCP lease + +if [ "$reason" != BOUND ] && [ "$reason" != RENEW ] && [ "$reason" != REBIND ] && [ "$reason" != REBOOT ]; then + return +fi + +# set hostname +logger -t "cloudstack" "Setting hostname to \"${new_host_name}\"" +hostname "$new_host_name" > /dev/null 2>&1 +echo "$new_host_name" > /etc/hostname + +# add hostname to /etc/hosts and remove previous localhost-style +sed -i "/127.0.0.1/a $new_ip_address $new_host_name.$new_domain_name $new_host_name" /etc/hosts > /dev/null 2>&1 + +# generate ssh host keys +logger -t "cloudstack" "Generating ssh host keys" +ssh-keygen -A && rm /etc/ssh/ssh_host_key /etc/ssh/ssh_host_key.pub +# remove self +rm /etc/dhcp/dhclient-exit-hooks.d/cloudstack-guest-setup > /dev/null 2>&1 + +exit 0 diff --git a/assets/network/interfaces b/assets/network/interfaces new file mode 100644 index 0000000..b40848c --- /dev/null +++ b/assets/network/interfaces @@ -0,0 +1,18 @@ +# This file describes the network interfaces available on your system +# and how to activate them. For more information, see interfaces(5). + +# The loopback network interface +auto lo +iface lo inet loopback + +# The normal eth0 +auto eth0 +iface eth0 inet dhcp + +# Maybe the VM has 2 NICs? +allow-hotplug eth1 +iface eth1 inet dhcp + +# Maybe the VM has 3 NICs? +allow-hotplug eth2 +iface eth2 inet dhcp diff --git a/assets/package-manager/apt/apt-settings b/assets/package-manager/apt/apt-settings new file mode 100644 index 0000000..32ee0c8 --- /dev/null +++ b/assets/package-manager/apt/apt-settings @@ -0,0 +1,4 @@ +// Avoid installing unnecessary packages, to keep a lean system. +// This is installed into /etc/apt/apt.conf.d/90custom-config +APT::Install-Recommends "0"; +APT::Install-Suggests "0"; diff --git a/vps-builder.scm b/vps-builder.scm new file mode 100644 index 0000000..7c4b60f --- /dev/null +++ b/vps-builder.scm @@ -0,0 +1,268 @@ +;;; +;;; Lightweight VPS image builder, by Peter Bex. +;;; +;;; This program is hereby placed in the public domain. +;;; +;; +;; This provides a way of building custom images to run on VPSes which +;; can automatically configure themselves, without requiring +;; heavyweight, difficult to install solutions like Hashicorp's +;; "Packer" (which has no Debian package) and/or CloudInit (which in +;; Debian requires not one, but two versions of Python to be +;; installed!) +;; +;; Heavily inspired by Debian's "build-openstack-debian-image" shell +;; script, provided by the "openstack-debian-images" package. +;; +;; Currently only Debian Jessie and CloudStack are supported. +;; Auto-resizing is NOT supported at the moment, you'll need to know +;; in advance how big the VM's root disk will be. In fact, you'll +;; need to hack this script to change what it does. +;; +;; Maybe later, if I use this script more, it can be turned into +;; a proper customisable program/library. +;; +;; To run, this requires the following packges: +;; qemu-utils, kpartx, parted, mbr +;; +;; It depends on the "scsh-process" egg +;; +;; Before running it, you can create a "users" directory containing +;; the public keys of all the users you want to prepopulate the image +;; with. The names of these files need to be USER:GROUP1,... so for +;; example, to create a user "peter" who is a member of groups "sudo" +;; and "adm", copy his id_rsa.pub file to "users/peter:sudo,adm". + +(module vps-builder () + + (import chicken scheme) + (use data-structures extras files posix scsh-process) + + (define debug? #t) + + (reset-handler (lambda () #f)) + + ;; Might it be useful to put this in scsh-process? + (define-syntax run* + (syntax-rules () + ((_ ?pf ?redir ...) + (begin + (when debug? + (fprintf (current-error-port) "$ ~S\n" `?pf)) + (receive (status normal? pid) + (run ?pf ?redir ...) + (unless (and normal? (zero? status)) + (error (sprintf "Pipeline ~S exited abnormally, with code: ~A" + `(run ?pf ?redir ...) status)))))))) + + (define minimal-packages + `("sudo" "locales" "extlinux" "openssh-server" "file" "kbd" + ;; TODO: What about other architectures? + "linux-image-amd64")) + + ;; It's necessary to be root due to chroot and mount calls. + ;; TODO: Maybe support using sudo instead? For now, just call + ;; the whole script with sudo. Otherwise we'll need to mess + ;; with PATH and so on, too. + (define (check-privileges) + (unless (zero? (current-effective-user-id)) + (error "Sorry, you must be root to build an image!"))) + + (define (check-users) + (when (or (not (directory? "users")) (null? (glob "users/*:*"))) + (error (conc "You need to put public ssh keys in the " + "\"users\" directory, named like " + "USERNAME:GROUP1,...")))) + + (define (create-image-file raw-file size-in-gb) + (let ((size (sprintf "~AG" size-in-gb))) + (run* (qemu-img create ,raw-file ,size)))) + + (define (convert-to-qcow2 raw-file qcow-file) + ;; TODO: Figure out if compat option is really needed + (run* (qemu-img convert -c -f raw -O qcow2 -o compat=0.10 + ,raw-file ,qcow-file))) + + (define (partition-image image-file) + (run* (parted -s ,image-file mktable msdos)) + (run* (parted -s ,image-file -a optimal + mkpart primary ext3 1Mi 100%)) + (run* (parted -s ,image-file set 1 boot on)) + (run* (install-mbr ,image-file))) + + (define (prepare-image raw-image size-in-gb) + (create-image-file raw-image size-in-gb) + (partition-image raw-image)) + + (define (call-with-devmapped-image image-file proc) + (let ((kpartx-output #f)) + (dynamic-wind + (lambda () + ;; TODO: run/string doesn't (and can't) check exit status! + (set! kpartx-output (run/string (kpartx -asv ,image-file)))) + (lambda () + ;; Yeah this is stupid... + (let* ((parts (string-split kpartx-output " ")) + (loopback-dev (list-ref parts 2))) + (proc (make-pathname "/dev/mapper" loopback-dev)))) + (lambda () + (set! kpartx-output #f) + ;; For some reason kpartx will sometimes(?) fail + (handle-exceptions exn #f + (run* (kpartx -d ,image-file))))))) + + (define (prepare-filesystem device) + ;; Apparently, operating on ext2 is much faster than ext3, so we + ;; make it ext2, and convert to ext3 later + (run* (mkfs.ext2 ,device))) + + (define (finalize-filesystem device) + ;; Add journal, turning it into ext3 + (run* (tune2fs -j ,device))) + + (define (call-with-mounted-device device proc) + (let ((tempdir #f)) + (dynamic-wind + (lambda () + (set! tempdir (create-temporary-directory)) + (run* (mount -o loop ,device ,tempdir))) + (lambda () (proc tempdir)) + (lambda () + (run* (umount ,tempdir)) + (delete-directory tempdir #t) + (set! tempdir #f))))) + + ;; Create a very basic setup which allows running programs inside + ;; a chroot (mount essential filesystems). + (define (with-running-system root-dir thunk) + (dynamic-wind + (lambda () (run* (chroot ,root-dir mount /proc))) + (lambda () (thunk)) + (lambda () (run* (chroot ,root-dir umount /proc))))) + + (define (install-basic-system target-dir package-list) + (let ((include (sprintf "--include=~A" + (string-intersperse package-list ",")))) + (run* (debootstrap + --verbose ,include "jessie" ,target-dir + "http://ftp.surfnet.nl/os/Linux/distr/debian")))) + + (define (install-file root-dir source target owner group mode) + (let* ((full-path (make-pathname root-dir target)) + (full-path (if (directory? full-path) + (make-pathname full-path + (pathname-strip-directory source)) + full-path))) + (file-copy source full-path #t) ; allow clobber + ;; Must run in chroot to use correct passwd/group db + (run* (chroot ,root-dir chown ,(conc owner ":" group) ,target)) + (change-file-mode full-path mode))) + + (define (install-directory root-dir target owner group mode) + (let ((full-path (make-pathname root-dir target))) + (create-directory full-path) + ;; Must run in chroot to use correct passwd/group db + (run* (chroot ,root-dir chown ,(conc owner ":" group) ,target)) + (change-file-mode full-path mode))) + + (define (install-packages root-dir . packages) + (run* (chroot ,root-dir apt-get install -y ,@packages))) + + (define (configure-basic-system root-dir) + ;;;; Configure apt, FS and disable console bleeping (just in case) + (install-file root-dir "assets/package-manager/apt/apt-settings" + "/etc/apt/apt.conf.d/90custom-config" + "root" "root" #o644) + (install-file root-dir "assets/fstab" + "/etc/fstab" "root" "root" #o644) + (install-file root-dir "assets/modprobe/blacklist.conf" + "/etc/modprobe.d/blacklist.conf" "root" "root" #o644) + + ;;;; Setup network and related settings + (delete-file* (make-pathname + root-dir "etc/udev/rules.d/70-persistent-net.rules")) + (install-file root-dir "assets/network/interfaces" + "/etc/network/interfaces" "root" "root" #o644) + (install-file root-dir "assets/network/cloudstack-guest-setup" + "/etc/dhcp/dhclient-exit-hooks.d" "root" "root" #o644)) + + (define (update-packages root-dir) + (run* (chroot ,root-dir apt-get update)) + (run* (chroot ,root-dir apt-get upgrade -y))) + + (define (make-bootable root-dir) + + (define (rooted-glob dir pattern) + (let ((f (car (glob (make-pathname `(,root-dir ,dir) pattern))))) + (make-pathname `("/" ,dir) (pathname-strip-directory f)))) + + (let* ((kernel (rooted-glob "boot" "vmlinuz-*")) + (ramdisk (rooted-glob "boot" "initrd.img-*")) + (template (with-input-from-file + "assets/boot/extlinux.conf" read-string)) + (conf (string-translate* template + `(("{KERNEL}" . ,kernel) + ("{RAMDISK}" . ,ramdisk)))) + (tgt (make-pathname `(,root-dir "boot" "extlinux") + "extlinux.conf"))) + (install-directory root-dir "/boot/extlinux" "root" "root" #o755) + (with-output-to-file tgt (lambda () (write-string conf))) + (run* (extlinux --install ,(make-pathname root-dir "boot"))))) + + (define (setup-firewall root-dir) + (install-packages root-dir "ferm" "sshguard") + (install-file root-dir "assets/firewall/ferm.conf" + "/etc/ferm/ferm.conf" "root" "adm" #o644)) + + ;; Create user and copy matching users/*:* file to .ssh/authorized_keys + (define (create-users root-dir) + (for-each (lambda (pubkey) + (let* ((fn (pathname-strip-directory pubkey ":")) + (user+cs-groups (string-split fn)) + (user (car user+cs-groups)) + (cs-groups (cadr user+cs-groups)) + (.ssh (make-pathname `("/" "home" ,user) ".ssh")) + (keys (make-pathname .ssh "authorized_keys"))) + (run* (chroot ,root-dir useradd -m -G ,cs-groups ,user)) + (install-directory root-dir .ssh user user #o700) + (install-file root-dir pubkey keys user user #o600))) + (glob "users/*:*"))) + + (define (build-image image-base-name size-in-gb) + (let ((raw-image (make-pathname '() image-base-name ".raw")) + (qcow-image (make-pathname '() image-base-name ".qcow2"))) + (check-privileges) + (check-users) + (prepare-image raw-image size-in-gb) + + (call-with-devmapped-image + raw-image + (lambda (dev) + (prepare-filesystem dev) + + (call-with-mounted-device + dev + (lambda (mountpoint) + (install-basic-system mountpoint minimal-packages) + (configure-basic-system mountpoint) + + (with-running-system + mountpoint + (lambda () + (update-packages mountpoint) + (make-bootable mountpoint) + + (setup-firewall mountpoint) + + (create-users mountpoint))))) + + (finalize-filesystem dev))) + + (convert-to-qcow2 raw-image qcow-image) + (printf "Success! Images finished, raw: ~A, qcow2: ~A\n" + raw-image qcow-image))) + +;; Just do it! +(handle-exceptions exn (signal exn) ; re-throw, to unwind dynamic extents + (build-image "debian-jessie" 20)) +) |