#!/bin/bash
# Copyright © 2090 Alexey Maximov <amax@mail.ru>
# Copyright © 2014-2016 Roman Ovchinnikov <coolthecold@gmail.com>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the BSD License
#
#####################################################################################################################
#
# check user input for correct values
#
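# Validate the positional arguments before anything touches the filesystem.
#   $1 - target architecture. Only i386 and amd64 are supported; the value is
#        later passed to debootstrap and embedded in the output file name, so
#        it is allow-listed here instead of being interpolated as-is.
#   $2 - optional existing directory in which the scratch chroot is created.
usage() {
  {
    echo "Usage: $0 <arch> <path>"
    echo "<arch> should be i386 or amd64"
    echo "<path> default to /tmp"
    echo "you can set MIRROR variable which will override hardcoded one"
    echo "examples to run:"
    echo "$0 i386 /var/tmp"
    echo "MIRROR=http://mirror.yandex.ru/ $0 amd64 /var/tmp"
  } >&2
}
case "$1" in
  i386|amd64)
    ;;
  "")
    usage
    exit 1
    ;;
  *)
    echo "unsupported <arch> '$1'" >&2
    usage
    exit 1
    ;;
esac
# A non-directory <path> would only surface later as a confusing mktemp error.
if [ -n "$2" ] && [ ! -d "$2" ]; then
  echo "<path> '$2' is not a directory" >&2
  exit 1
fi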
#####################################################################################################################
#
# define local variables
#
#export http_proxy="http://192.168.0.1:3128/"
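# Build-time configuration. Plain constants except MIRROR (overridable from
# the environment), ARCH (from $1) and VE (scratch chroot, optionally under $2).
VZ="/var/lib/vz"                 # OpenVZ root; the template lands in $VZ/template/cache
RELEASE="jessie"
REPOS="main contrib non-free"
# Plain-http mirror. debootstrap/apt verify the archive signatures with the
# Debian keyring, so integrity does not rest on the transport -- but only if
# that keyring is present on the build host.
MIRROR=${MIRROR:-"http://ftp.de.debian.org"} #allowing override from the shell
# Packages handed to debootstrap --include (comma separated, no spaces).
MINBASE="netbase,net-tools,ifupdown,procps,locales,nano,iputils-ping,sudo,less,vim-nox,tcpdump,tcpflow,mc,iptraf,psmisc,zip,unzip,bzip2,openssh-server,telnet,dialog"
ARCH="$1"
# Every public key listed in MY_SSH_KEYS ends up in /root/.ssh/authorized_keys
# of EVERY container built from this template, i.e. a permanent root login for
# its holder into all of them. Leave the array empty unless that is intended.
#MY_SSH_KEYS[1]="ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIEAsOPDZ+dZ9h3WVXZjU0S9x8412ZifCRYA0dZVW/uUH8ZyuboKxkQe91R0UAPP8LMl5UgqiXeajkA9q0nBeFhwfJUI7qphiMM0fNrfDH/BEzXCcvQC8II5AtnLwQvFis9F0zEiplju6nUiyBzOUpQyFsgl4wfaNLcJgxnJXHs05xc= rsa-key-20101024"
TIMEZONE="Europe/Moscow"
# Installed with apt-get once the base system exists (space separated).
BASE_PKG="rsyslog wget cron iptables traceroute logrotate exim4-daemon-light exim4-config bsd-mailx iproute"
# Scratch directory for the chroot. A single mktemp call: the original always
# created one in the default TMPDIR and then, if $2 was given, a second one
# under $2, leaking the first.
if [ -n "$2" ]; then
  VE=$(TMPDIR="$2" mktemp -d)
else
  VE=$(mktemp -d)
fi
# With an empty VE every later "$VE/..." path would resolve to the host's own
# filesystem, so refuse to continue.
if [ -z "$VE" ] || [ ! -d "$VE" ]; then
  echo "mktemp -d failed, cannot create scratch directory" >&2
  exit 1
fi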
#####################################################################################################################
#
# create new minimal VE
#
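# Bootstrap the minimal base system into $VE and prepare it for chroot'ed
# package operations. Needs root (mount, debootstrap).
: "${VE:?VE (scratch chroot directory) must be set}"
if ! [ -x /usr/sbin/debootstrap ]; then
  echo "/usr/sbin/debootstrap not found or not executable, consider installing debootstrap package" >&2
  exit 1
fi
# --force-check-gpg turns a missing archive keyring into a hard error. Without
# it debootstrap only warns and then installs unverified packages fetched over
# plain http (the host needs debian-archive-keyring for the check to pass).
if ! debootstrap --force-check-gpg --arch="$ARCH" --variant=minbase \
     --include="$MINBASE" "$RELEASE" "$VE" "$MIRROR/debian"; then
  echo "deboostrap failed, process aborted, removing $VE" >&2
  # The original merely echoed this rm, leaving the half-built chroot behind.
  rm -rf -- "$VE"
  exit 1
fi
# Temporary resolver config so apt works inside the chroot; emptied again in
# the final cleanup.
cp /etc/resolv.conf "$VE/etc/"
# Keep package postinsts from starting daemons inside the chroot, see
# https://jpetazzo.github.io/2013/10/06/policy-rc-d-do-not-start-services-automatically/
cat << 'EOF' > "$VE/usr/sbin/policy-rc.d"
#!/bin/sh
exit 101
EOF
chmod +x "$VE/usr/sbin/policy-rc.d"
mount -t proc proc "$VE/proc"
mount -t devpts devpts "$VE/dev/pts" -o rw,noexec,nosuid,gid=5,mode=620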
#####################################################################################################################
#
# Prepare locale settings
#
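# Locale setup: en_US.UTF-8 as the system default plus the Russian locales
# listed below. Guarded so an unset VE cannot rewrite the host's own /etc.
: "${VE:?VE (scratch chroot directory) must be set}"
echo "LANG=en_US.UTF-8" > "$VE/etc/default/locale"
cat << 'EOF' > "$VE/etc/locale.gen"
en_US.UTF-8 UTF-8
ru_RU.CP1251 CP1251
ru_RU.UTF-8 UTF-8
ru_RU.KOI8-R KOI8-R
EOF
# Truncate the alias table, as the original did.
: > "$VE/etc/locale.alias"
chroot "$VE" locale-gen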
#####################################################################################################################
#
# tune VE settings
#
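# Container-specific tuning of the fresh root.
: "${VE:?VE (scratch chroot directory) must be set}"
chroot "$VE" ln -sf "/usr/share/zoneinfo/$TIMEZONE" /etc/localtime
# Debian's tzdata keeps the zone name in /etc/timezone as well; without it a
# later dpkg-reconfigure tzdata has no record of the configured zone.
echo "$TIMEZONE" > "$VE/etc/timezone"
chroot "$VE" ln -sf /proc/mounts /etc/mtab
echo 'APT::Install-Recommends "false";' > "$VE/etc/apt/apt.conf.d/00InstallRecommends"
chmod 700 "$VE/root"
# Containers have no console of their own; stop the getty units the image
# would otherwise bring up.
echo "disabling getty-static.service"
chroot "$VE" sh -c "systemctl mask getty-static.service && systemctl disable getty@tty2.service"
# The RAMRUN/RAMLOCK tweaks to /etc/default/rcS from older releases are gone:
# both default to yes now.
# Presumably because the container cannot reach the hardware clock.
echo "HWCLOCKACCESS=no" >> "$VE/etc/default/hwclock"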
#looks like this is now not needed as
#1) defaults are sane
#2) openvz uses --ram/--swap for overall memory management (if properly configured) and doesn't count shared memory separately
#cat << EOF > $VE/etc/default/tmpfs
## SHM_SIZE sets the maximum size (in bytes) that the /dev/shm tmpfs can use.
## If this is not set then the size defaults to the value of TMPFS_SIZE
## if that is set; otherwise to the kernel's default.
##
## The size will be rounded down to a multiple of the page size, 4096 bytes.
#SHM_SIZE=
#TMPFS_SIZE=
#RUN_SIZE=2M
#LOCK_SIZE=2M
#RW_SIZE=2M
#EOF
#
#####################################################################################################################
#
# create new VE sources.list
#
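# Write the container's apt sources (binary only; deb-src lines stay disabled).
# Guarded so an unset VE cannot overwrite the host's own sources.list.
: "${VE:?VE (scratch chroot directory) must be set}"
# NOTE(review): jessie is end-of-life; security.debian.org and regular mirrors
# presumably no longer carry it, so these entries may need to point at
# archive.debian.org -- verify against the mirror in use before building.
cat << EOF > "$VE/etc/apt/sources.list"
deb $MIRROR/debian $RELEASE $REPOS
#deb-src $MIRROR/debian $RELEASE $REPOS
deb http://security.debian.org/ $RELEASE/updates $REPOS
#deb-src http://security.debian.org/ $RELEASE/updates $REPOS
deb $MIRROR/debian $RELEASE-updates $REPOS
#deb-src $MIRROR/debian $RELEASE-updates $REPOS
EOF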
#####################################################################################################################
#
# update VE
#
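# Bring the chroot up to date and add the BASE_PKG set. update/upgrade/install
# are fatal: the original ignored their exit status, so a template built
# without security updates or its base packages was still reported as
# "complete" at the end of the run.
: "${VE:?VE (scratch chroot directory) must be set}"
ve_apt() {
  chroot "$VE" env DEBIAN_FRONTEND=noninteractive apt-get -y "$@"
}
# Unmount what the bootstrap step mounted and stop; the chroot is left in
# place so the failure can be inspected.
abort_apt() {
  echo "apt-get $1 failed inside $VE, process aborted (chroot left in place)" >&2
  umount -f "$VE/proc"
  umount -f "$VE/dev/pts"
  exit 1
}
ve_apt update || abort_apt update
ve_apt upgrade || abort_apt upgrade
# BASE_PKG is a space separated list and must be word-split here.
# shellcheck disable=SC2086
ve_apt install $BASE_PKG || abort_apt install
# Housekeeping only; failures here are not fatal.
ve_apt autoremove
ve_apt clean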
#####################################################################################################################
#
# final tune VE
#
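# Account defaults, sshd tuning and the optional root authorized_keys.
: "${VE:?VE (scratch chroot directory) must be set}"
# New accounts get bash instead of sh.
sed -i -e "s:SHELL=/bin/sh:SHELL=/bin/bash:g" "$VE/etc/default/useradd"
# NOTE(review): SSHD_OOM_ADJUST is consumed by the sysvinit ssh script; with
# systemd as init on jessie it is presumably ignored by ssh.service -- verify.
cat << 'EOF' >> "$VE/etc/default/ssh"
# OOM-killer adjustment for sshd (see
# linux/Documentation/filesystems/proc.txt; lower values reduce likelihood
# of being killed, while -17 means the OOM-killer will ignore sshd; set to
# the empty string to skip adjustment)
SSHD_OOM_ADJUST=-17
EOF
# Anything in MY_SSH_KEYS becomes a root login credential for every container
# built from this template.
if [ -z "${!MY_SSH_KEYS[*]}" ]; then
  echo "SSH KEYS are empty, skipping..."
else
  # 0700/0600 instead of the original 0640: sshd's StrictModes only rejects
  # group/world-writable paths, but nothing needs the directory or the key
  # list to be group-readable.
  install -d -m 0700 "$VE/root/.ssh"
  : > "$VE/root/.ssh/authorized_keys"
  for idx in "${!MY_SSH_KEYS[@]}"; do
    printf '%s\n' "${MY_SSH_KEYS[$idx]}" >> "$VE/root/.ssh/authorized_keys"
  done
  chmod 0600 "$VE/root/.ssh/authorized_keys"
fi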
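# Exim: satellite configuration that listens on loopback only and hands all
# mail to a smarthost; the daemon is not started at boot.
: "${VE:?VE (scratch chroot directory) must be set}"
chroot "$VE" update-rc.d exim4 disable
# freshvz.local and mailrelay.local are placeholders a deployment has to
# replace. Nothing in this file configures authentication or TLS towards the
# relay; that lives elsewhere in exim's config if it is wanted.
cat << 'EOF' > "$VE/etc/exim4/update-exim4.conf.conf"
# /etc/exim4/update-exim4.conf.conf
#
# Edit this file and /etc/mailname by hand and execute update-exim4.conf
# yourself or use 'dpkg-reconfigure exim4-config'
#
# This is a Debian specific file
dc_eximconfig_configtype='satellite'
dc_other_hostnames='freshvz.local'
dc_local_interfaces='127.0.0.1 ; ::1'
dc_readhost='freshvz.local'
dc_relay_domains=''
dc_minimaldns='false'
dc_relay_nets=''
dc_smarthost='mailrelay.local'
CFILEMODE='644'
dc_use_split_config='false'
dc_hide_mailname='true'
dc_mailname_in_oh='true'
dc_localdelivery='mail_spool'
EOF
echo "freshvz.local" > "$VE/etc/mailname"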
#####################################################################################################################
#
# Prepare ssh keys
#
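# First-boot host key generation. The template's own host keys are deleted
# during cleanup so each container gets a unique SSH identity; a shared host
# key would let any container impersonate the others.
: "${VE:?VE (scratch chroot directory) must be set}"
# Quoted delimiter: the original unquoted heredoc expanded $remote_fs and
# $syslog on the build host, writing empty Required-Start/Required-Stop lines
# into the container's init script. The $0 inside needs no escaping now.
# Provides: is a single facility name rather than a sentence.
# NOTE(review): no ordering relative to the ssh service is declared, so on the
# first boot sshd may start before the keys exist -- verify on a fresh container.
cat << 'EOF' > "$VE/etc/init.d/ssh_gen_host_keys"
#!/bin/sh
### BEGIN INIT INFO
# Provides:          ssh_gen_host_keys
# Required-Start:    $remote_fs $syslog
# Required-Stop:     $remote_fs $syslog
# Default-Start:     2 3 4 5
# Default-Stop:
# Short-Description: Generates new ssh host keys on first boot
# Description:       Generates new ssh host keys on first boot
### END INIT INFO
[ -f /usr/bin/ssh-keygen ] || exit 0
ssh-keygen -f /etc/ssh/ssh_host_rsa_key -t rsa -N ""
# DSA host keys are 1024-bit and disabled by default in OpenSSH >= 7.0; still
# generated here for the jessie sshd -- drop together with its HostKey line
# in sshd_config if not wanted.
ssh-keygen -f /etc/ssh/ssh_host_dsa_key -t dsa -N ""
ssh-keygen -f /etc/ssh/ssh_host_ecdsa_key -t ecdsa -N ""
ssh-keygen -f /etc/ssh/ssh_host_ed25519_key -t ed25519 -N ""
# One-shot: deregister and delete ourselves.
insserv -r /etc/init.d/ssh_gen_host_keys
rm -f $0
EOF
chmod 755 "$VE/etc/init.d/ssh_gen_host_keys"
chroot "$VE" insserv /etc/init.d/ssh_gen_host_keys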
#####################################################################################################################
#
# umount VE and prepare to bundle
#
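# Detach the pseudo filesystems before the tree is cleaned and packed. The
# policy-rc.d shim must not ship in the template, or no service would ever
# start in the container.
: "${VE:?VE (scratch chroot directory) must be set}"
rm -f "$VE/usr/sbin/policy-rc.d"
for mp in "$VE/proc" "$VE/dev/pts"; do
  umount -f "$mp" || echo "warning: could not unmount $mp" >&2
done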
#####################################################################################################################
#
# cleanup VE
#
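# Scrub build-time state and pack the tree into an OpenVZ template.
: "${VE:?VE (scratch chroot directory) must be set}"
: > "$VE/etc/motd.tail"
: > "$VE/etc/resolv.conf"
: > "$VE/etc/network/interfaces"
# Host keys are regenerated on first boot by ssh_gen_host_keys; shipping them
# would give every container the same SSH identity.
rm -f "$VE"/etc/ssh/*key*
rm -f "$VE/root/.bash_history"
# An empty /etc/machine-id is regenerated by systemd at boot; a populated one
# would be cloned into every container built from the template.
: > "$VE/etc/machine-id"
rm -f "$VE/var/lib/dbus/machine-id"
rm -rf "$VE/var/log/news"
rm -rf "$VE/selinux"
# Run the deletions inside the chroot. On jessie /var/run and /var/lock are
# symlinks to the absolute path /run, so "find $VE/var/run/" evaluated on the
# host follows them into the host's own /run and deletes files there.
chroot "$VE" find /tmp/ /var/log/ /var/run/ /var/lock/ /var/tmp/ \
  /var/lib/apt/lists/ /var/cache/apt/ -type f -delete
chroot "$VE" find /var/cache/debconf/ -type f -name '*-old' -delete
# crap idea
#rm -rf $VE/etc/init.d/mountoverflowtmp
### compress image
# Name the tarball after the point release actually installed (from
# /etc/debian_version) rather than a hard-coded one that apt-get upgrade may
# already have moved past; falls back to the historical 8.10.
debver="8.10"
if [ -r "$VE/etc/debian_version" ]; then
  read -r debver < "$VE/etc/debian_version" || debver="8.10"
fi
case "$debver" in
  [0-9]*) ;;
  *) debver="8.10" ;;
esac
outdir="$VZ/template/cache"
mkdir -p "$outdir"
template="$outdir/debian-$debver-$ARCH-minimal.tar.gz"
if ( cd "$VE" && tar --numeric-owner --one-file-system -czf "$template" . ); then
  echo "template creation complete, new template can be found in $outdir/"
  # The scratch tree is only removed when nothing is still mounted under it.
  if grep -qF -- " $VE/" /proc/mounts; then
    echo "warning: $VE still has mounts, leaving it in place" >&2
  else
    rm -rf -- "$VE"
  fi
else
  echo "template creation failed ;(" >&2
fi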