From be527409cb405a47b7352041d41b745908c7f5d8 Mon Sep 17 00:00:00 2001 
From: Christian Wagner Date: Sat, 7 Sep 2019 20:46:36 +0800 Subject: [PATCH] initial commit. work in progress. --- alpine-3.10-x86_64-proxmox/LICENSE | 202 ++++++++++++++++++ alpine-3.10-x86_64-proxmox/README.md | 81 +++++++ .../alpine-3.10-x86_64-proxmox.json | 96 +++++++++ alpine-3.10-x86_64-proxmox/build.conf | 12 ++ alpine-3.10-x86_64-proxmox/http/answers | 16 ++ alpine-3.10-x86_64-proxmox/notes-commands.md | 32 +++ .../playbook/ansible.cfg | 7 + .../playbook/requirements.yml | 2 + .../playbook/server-template-vars.yml | 8 + .../playbook/server-template.yml | 16 ++ alpine-3.10-x86_64-proxmox/scripts/00base.sh | 11 + .../scripts/01alpine.sh | 11 + .../scripts/01networking.sh | 5 + alpine-3.10-x86_64-proxmox/scripts/02sshd.sh | 11 + .../scripts/04sudoers.sh | 27 +++ .../scripts/70random.sh | 6 + .../scripts/80cloudinit.sh | 45 ++++ .../scripts/90showip.sh | 22 ++ .../scripts/99minimize.sh | 11 + 19 files changed, 621 insertions(+) create mode 100644 alpine-3.10-x86_64-proxmox/LICENSE create mode 100644 alpine-3.10-x86_64-proxmox/README.md create mode 100644 alpine-3.10-x86_64-proxmox/alpine-3.10-x86_64-proxmox.json create mode 100644 alpine-3.10-x86_64-proxmox/build.conf create mode 100644 alpine-3.10-x86_64-proxmox/http/answers create mode 100644 alpine-3.10-x86_64-proxmox/notes-commands.md create mode 100644 alpine-3.10-x86_64-proxmox/playbook/ansible.cfg create mode 100644 alpine-3.10-x86_64-proxmox/playbook/requirements.yml create mode 100644 alpine-3.10-x86_64-proxmox/playbook/server-template-vars.yml create mode 100644 alpine-3.10-x86_64-proxmox/playbook/server-template.yml create mode 100644 alpine-3.10-x86_64-proxmox/scripts/00base.sh create mode 100644 alpine-3.10-x86_64-proxmox/scripts/01alpine.sh create mode 100644 alpine-3.10-x86_64-proxmox/scripts/01networking.sh create mode 100644 alpine-3.10-x86_64-proxmox/scripts/02sshd.sh create mode 100644 alpine-3.10-x86_64-proxmox/scripts/04sudoers.sh create mode 100644 
alpine-3.10-x86_64-proxmox/scripts/70random.sh create mode 100644 alpine-3.10-x86_64-proxmox/scripts/80cloudinit.sh create mode 100644 alpine-3.10-x86_64-proxmox/scripts/90showip.sh create mode 100644 alpine-3.10-x86_64-proxmox/scripts/99minimize.sh diff --git a/alpine-3.10-x86_64-proxmox/LICENSE b/alpine-3.10-x86_64-proxmox/LICENSE new file mode 100644 index 0000000..8f71f43 --- /dev/null +++ b/alpine-3.10-x86_64-proxmox/LICENSE 
@@ -0,0 +1,202 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of 
the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "{}" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright {yyyy} {name of copyright owner} + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + diff --git a/alpine-3.10-x86_64-proxmox/README.md b/alpine-3.10-x86_64-proxmox/README.md new file mode 100644 index 0000000..1fec859 --- /dev/null +++ b/alpine-3.10-x86_64-proxmox/README.md 
@@ -0,0 +1,81 @@ +## [Alpine Linux](http://alpinelinux.org) Packer Template using QEMU Builder to build a KVM cloud image usable in Proxmox or Openstack + +* this creates a cloud image with cloud-init to be used on Proxmox and possibly Openstack + +### Prerequisites +- qemu-system-x86_64 +- packer + +### Usage notes + +```sh +cd alpine3.10-qemu +sudo packer build alpine-3.10-x86_64-qemu.json +``` +- The image is output as `alpine-310-cloudimg-amd64.qcow2` in the current directory + +- Test the image locally: + +```sh +genisoimage -output cloud-data.iso -volid cidata -joliet -rock user-data meta-data + +sudo qemu-system-x86_64 alpine-310-cloudimg-amd64.qcow2 -netdev user,id=user.0,hostfwd=tcp::2222-:22 -device virtio-net,netdev=user.0 -cdrom cloud-data.iso + +ssh -i alpine_id_rsa -p 2222 alpine@localhost +``` +- To install the image as a template on Proxmox, the following script can be used: +- [Script to download a cloud image and create a Proxmox 6 template](https://gist.github.com/chriswayg/43fbea910e024cbe608d7dcb12cb8466) + +### Features +- default user alpine +- SSH login only via SHH key +- passwordless sudo +- no root login via console or ssh +- add user-data via image drive + +### cloud-init on Alpine +- is not quite complete + +#### Working +- getting user and metadata from image drive +- setting hostname (1st boot) +- setting up user (1st boot) +- copying SSH authorized keys (1st boot) +- automatically growing the disk drive with growpart + - `qm resize 8000 scsi0 +30G` upon restart + +#### Not working (apparently) +- writing of network config +- password for user (not entered into `/etc/shadow`) +- changed data on image-drive is not applied after 1st boot + +### Fulfills most Openstack requirements + +For a Linux-based image to have full functionality in an OpenStack Compute cloud, there are a few requirements. For some of these, you can fulfill the requirements by installing the [cloud-init](https://cloudinit.readthedocs.org/en/latest/) package. 
+ +* Disk partitions and resize root partition on boot (cloud-init) +* No hard-coded MAC address information +* SSH server running +* Disable firewall +* Access instance using ssh public key (cloud-init) +* Process user data and other metadata (cloud-init) + +[OpenStack Docs: Image requirements](https://docs.openstack.org/image-guide/openstack-images.html) + +### Docs +- [Semi-Automatic Installation - Alpine Linux Documentation](https://beta.docs.alpinelinux.org/user-handbook/0.1a/Installing/manual.html) +- [OpenStack Docs: Create images manually](https://docs.openstack.org/image-guide/create-images-manually.html) + +### Build environment + +```sh +packer version && qemu-system-x86_64 -version && lsb_release -d + + Packer v1.4.3 + QEMU emulator version 2.11.1 + Ubuntu 18.04.3 LTS +``` + +### License and Credits +- Apache 2.0 Copyright 2019 Christian Wagner +- partially based on Matt Maier's [Packer Alpine Templates](https://github.com/maier/packer-templates) diff --git a/alpine-3.10-x86_64-proxmox/alpine-3.10-x86_64-proxmox.json b/alpine-3.10-x86_64-proxmox/alpine-3.10-x86_64-proxmox.json new file mode 100644 index 0000000..4d838c3 --- /dev/null +++ b/alpine-3.10-x86_64-proxmox/alpine-3.10-x86_64-proxmox.json 
@@ -0,0 +1,96 @@ +{ + "description": "Build Alpine Linux 3.10 x86_64 Proxmox template", + "variables": { + "proxmox_url": "{{env `proxmox_url`}}", + "proxmox_username": "root@pam", + "proxmox_password": "{{user `proxmox_password`}}", + "iso_filename": "{{user `iso_filename`}}", + "vm_id": "{{user `vm_id`}}", + "vm_name": "alpine310-tmpl", + "template_description": "Alpine Linux 3.10 x86_64 template built with packer. Username: {{env `vm_default_user`}}", + "vm_default_user": "{{env `vm_default_user`}}", + "vm_memory": "{{env `vm_memory`}}", + "ssh_username": "root", + "ssh_password": "{{user `ssh_password`}}" + }, + "sensitive-variables": ["proxmox_password", "ssh_password" ], + "provisioners": [ + { + "type": "shell", + "scripts": [ + "scripts/00base.sh", + "scripts/01alpine.sh", + "scripts/01networking.sh", + "scripts/02sshd.sh", + "scripts/04sudoers.sh", + "scripts/70random.sh", + "scripts/80cloudinit.sh", + "scripts/90showip.sh", + "scripts/99minimize.sh" + ] + } + ], + "builders": [ + { + "type": "proxmox", + "proxmox_url": "{{user `proxmox_url`}}", + "insecure_skip_tls_verify": true, + "username": "{{user `proxmox_username`}}", + "password": "{{user `proxmox_password`}}", + "vm_id": "{{user `vm_id`}}", + "vm_name": "{{user `vm_name`}}", + "template_description":"{{user `template_description`}}", + "memory": "{{user `vm_memory`}}", + "cores": "2", + "os": "l26", + "http_directory": "http", + + "node": "proxmox", + "network_adapters": [ + { + "model": "virtio", + "bridge": "vmbr1" + } + ], + "disks": [ + { + "type": "scsi", + "disk_size": "8G", + "storage_pool": "local", + "storage_pool_type": "directory", + "format": "qcow2" + } + ], + "ssh_username": "{{user `ssh_username`}}", + "ssh_password": "{{user `ssh_password`}}", + "ssh_timeout": "10m", + "iso_file": "local:iso/{{user `iso_filename`}}", + "unmount_iso": true, + "boot_wait": "20s", + "boot_command": [ + "root", + "ifconfig eth0 up && udhcpc -i eth0", + "wget http://{{ .HTTPIP }}:{{ .HTTPPort 
}}/answers", + "setup-alpine -f $PWD/answers", + "{{user `ssh_password`}}", + "{{user `ssh_password`}}", + "", + "y", + "", + "", + "rc-service sshd stop", + "mount /dev/sda2 /mnt", + "echo 'PermitRootLogin yes' >> /mnt/etc/ssh/sshd_config", + "umount /mnt", + "reboot" + ] + } + ], + "post-processors": [ + { + "type": "shell-local", + "inline_shebang": "/bin/bash -e", + "inline": ["qm set {{user `vm_id`}} --scsihw virtio-scsi-pci --serial0 socket --vga serial0"] + } + ] +} diff --git a/alpine-3.10-x86_64-proxmox/build.conf b/alpine-3.10-x86_64-proxmox/build.conf new file mode 100644 index 0000000..be2e0bc --- /dev/null +++ b/alpine-3.10-x86_64-proxmox/build.conf @@ -0,0 +1,12 @@ +vm_default_user=alpine +vm_memory=1024 +default_vm_id=38000 # default VM ID for Alpine +proxmox_url=https://proxmox.lightinasia.site:8006/api2/json + +iso_url=http://dl-cdn.alpinelinux.org/alpine/v3.10/releases/x86_64/alpine-virt-3.10.1-x86_64.iso +iso_sha256_url=http://dl-cdn.alpinelinux.org/alpine/v3.10/releases/x86_64/alpine-virt-3.10.1-x86_64.iso.sha256 +iso_directory=/var/lib/vz/template/iso + + +# iso_url=http://dl-cdn.alpinelinux.org/alpine/v3.10/releases/x86_64/alpine-virt-3.10.2-x86_64.iso +# iso_sha256_url=http://dl-cdn.alpinelinux.org/alpine/v3.10/releases/x86_64/alpine-virt-3.10.2-x86_64.iso.sha256 diff --git a/alpine-3.10-x86_64-proxmox/http/answers b/alpine-3.10-x86_64-proxmox/http/answers new file mode 100644 index 0000000..6b36108 --- /dev/null +++ b/alpine-3.10-x86_64-proxmox/http/answers @@ -0,0 +1,16 @@ +KEYMAPOPTS="us us" +HOSTNAMEOPTS="-n alpine310" +INTERFACESOPTS="auto lo +iface lo inet loopback + +auto eth0 +iface eth0 inet dhcp + hostname alpine310 +" +DNSOPTS="-d local -n 1.1.1.1 1.0.0.1" +TIMEZONEOPTS="-z UTC" +PROXYOPTS="none" +APKREPOSOPTS="http://dl-cdn.alpinelinux.org/alpine/v3.10/main" +SSHDOPTS="-c openssh" +NTPOPTS="-c openntpd" +DISKOPTS="-s 0 -m sys /dev/sda" 
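Review bot: `"insecure_skip_tls_verify": true` in the proxmox builder disables certificate validation for the API session that carries the `root@pam` password, so anyone able to interpose on the path to the host in `proxmox_url` can read that credential. The endpoint is already an `https://` URL with a real hostname, so the host's certificate (or a private CA on the build machine) can be trusted instead; set `"insecure_skip_tls_verify": false` and only relax it via a documented user variable. Using the `root@pam` password at all is more than the build needs; a dedicated Proxmox user holding only the VM and datastore privileges the builder requires limits what a leaked build credential can do. The `boot_command` also appends `PermitRootLogin yes` to the installed sshd_config; that is reverted by `scripts/02sshd.sh`, which is worth stating in the README since this JSON cannot carry a comment.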
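Review bot: `iso_sha256_url` points at the same plain-`http://` origin as `iso_url`, so the checksum only catches a corrupted download, not a substituted ISO, because whoever can alter the image in transit can alter the `.sha256` file next to it just as easily. Fetching both over `https://dl-cdn.alpinelinux.org/...`, or recording the expected digest directly in this file as `iso_sha256=<digest placeholder>`, makes the check meaningful. The file also hard-codes a site-specific `proxmox_url`; a comment noting that the JSON reads it from the environment and that it is expected to be overridden would help the next person building from this template.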
diff --git a/alpine-3.10-x86_64-proxmox/notes-commands.md b/alpine-3.10-x86_64-proxmox/notes-commands.md new file mode 100644 index 0000000..acebd34 --- /dev/null +++ b/alpine-3.10-x86_64-proxmox/notes-commands.md @@ -0,0 +1,32 @@ +## scratchpad + +# boot command: +openntpd missing (error) + +## Misc. Notes + +- Build Packer template +``` +cd /home/christian/developer/projects/packer-qemu-cloud/alpine3.10-qemu +sudo PACKER_LOG=1 packer build alpine-3.10-x86_64-qemu.json +``` + +- Alpine boot kernel 'virt' with randomness from CPU & info during boot for testing +``` +virt random.trust_cpu=1 debug +``` + +- start a VM with access via ssh -p 2222 root@127.0.0.1 for testing +``` +sudo qemu-system-x86_64 output-qemu/packer-qemu -netdev user,id=user.0,hostfwd=tcp::2222-:22 -device virtio-net,netdev=user.0 -cdrom config.iso +``` + +- apparently all device arguments have to be together to work +``` +"qemuargs": [ + [ "-device", "virtio-rng-pci" ], + [ "-device", "virtio-scsi-pci,id=scsi0" ], + [ "-device", "scsi-hd,bus=scsi0.0,drive=drive0" ], + [ "-device", "virtio-net,netdev=user.0" ] +], +``` diff --git a/alpine-3.10-x86_64-proxmox/playbook/ansible.cfg b/alpine-3.10-x86_64-proxmox/playbook/ansible.cfg new file mode 100644 index 0000000..99093a4 --- /dev/null +++ b/alpine-3.10-x86_64-proxmox/playbook/ansible.cfg @@ -0,0 +1,7 @@ +[defaults] +deprecation_warnings = False +host_key_checking = False +callback_whitelist = timer, profile_roles +stdout_callback = yaml +roles_path = ./roles +log_path = ./logs/server-template.log diff --git a/alpine-3.10-x86_64-proxmox/playbook/requirements.yml b/alpine-3.10-x86_64-proxmox/playbook/requirements.yml new file mode 100644 index 0000000..2c7317b --- /dev/null +++ b/alpine-3.10-x86_64-proxmox/playbook/requirements.yml @@ -0,0 +1,2 @@ +- src: https://github.com/chriswayg/ansible-initial-server.git + version: v1.2 
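Review bot: `host_key_checking = False` disables SSH host-key verification for every play that picks up this ansible.cfg, not only for the Packer build where the freshly installed VM has no key to trust yet. If the intent is build-only, say so above the line, e.g. `# build-time only: the VM is created by packer and has no known host key yet; do not reuse this cfg for managed hosts`, so the file is not copied into a directory that also manages real hosts. `deprecation_warnings = False` likewise hides upgrade-relevant output; a short reason next to it would help.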
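Review bot: `version: v1.2` pins the `ansible-initial-server` role to a git tag, and a tag can be moved, so the role content that ends up inside every image is not actually fixed by this file. Pinning to the commit id behind the tag, `version: <commit-sha of v1.2>`, makes the build reproducible and forces a later change to the role to be reviewed deliberately; the tag name can be kept in a comment beside it for readability.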
diff --git a/alpine-3.10-x86_64-proxmox/playbook/server-template-vars.yml b/alpine-3.10-x86_64-proxmox/playbook/server-template-vars.yml new file mode 100644 index 0000000..9924095 --- /dev/null +++ b/alpine-3.10-x86_64-proxmox/playbook/server-template-vars.yml @@ -0,0 +1,8 @@ +--- + +iserver_hostname: alpine310-kvm +iserver_sshkey: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDK1zNq5zsVbbN/gLdYqxlb5CROsR1dBNBgRFzzCJUL3ncU2dDHLHWi0L/FafwWt6MQ7vePu7catLDegY2fs1QB0KYvy21fD3+9ONBs7KcFlmuyqjLJ9VAoLWW5Tv3I9eZNgpd9k6CvYphKa1Owq43ye+quQRI4J+2nb7Zhl2WTQ1N2WBwZbmf0ErTHwa+mC7frTRBYh6ddyXp9KRULH89y/6cVpL6uQyFzIr6yWowUbJ8lX3fA9e7RAxkG76X54sMa65oq3Bog04ylJ4n/xZCXO449BZjAZHcJuDcFLXrwIo52t+Q6gIEnXInTiii26/ZWbnzzheggjkpQ77tCg03t christian@Chris-GigaMac.local" +iserver_is_template: true + +iserver_user_profile: | + # no-op diff --git a/alpine-3.10-x86_64-proxmox/playbook/server-template.yml b/alpine-3.10-x86_64-proxmox/playbook/server-template.yml new file mode 100644 index 0000000..e7e71a7 --- /dev/null +++ b/alpine-3.10-x86_64-proxmox/playbook/server-template.yml @@ -0,0 +1,16 @@ +--- +# Any remote_user defined in tasks will be ignored. +# Packer will always connect with the user given in the json config for this provisioner. +# https://www.packer.io/docs/provisioners/ansible.html + +# TODO: For unclear reasons, I could only get it to work with the root user in Packer +# 'become' in playbook or role tasks seem to be ignored by Packer Ansible + +- name: Initial configuration of a server. + hosts: all + vars_files: + - server-template-vars.yml + roles: + - role: ansible-initial-server + vars: + iserver_user: "{{ vm_default_user }}" diff --git a/alpine-3.10-x86_64-proxmox/scripts/00base.sh b/alpine-3.10-x86_64-proxmox/scripts/00base.sh new file mode 100644 index 0000000..240b557 --- /dev/null +++ b/alpine-3.10-x86_64-proxmox/scripts/00base.sh 
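Review bot: `iserver_sshkey` hard-codes one person's public key, including its `christian@...` comment, in a template meant to be reused; if the role installs it as the default user's authorized key — the variable name suggests so, the role itself is not on this page — every image built from an unmodified checkout is reachable by that key's owner. Read it from the environment the way the JSON already does for `vm_default_user`, e.g. `iserver_sshkey: "{{ lookup('env', 'VM_SSH_PUBKEY') }}"` (variable name illustrative), and state in the README that it must be set. Nothing secret is leaked by a public key; the concern is who gets access to the built images.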
@@ -0,0 +1,11 @@ +set -ux + +apk upgrade -U --available + +source /etc/os-release + +cat > /etc/motd << "EOF" + + $PRETTY_NAME ($VERSION_ID) Cloud Server + +EOF diff --git a/alpine-3.10-x86_64-proxmox/scripts/01alpine.sh b/alpine-3.10-x86_64-proxmox/scripts/01alpine.sh new file mode 100644 index 0000000..de6724d --- /dev/null +++ b/alpine-3.10-x86_64-proxmox/scripts/01alpine.sh @@ -0,0 +1,11 @@ +set -ux + +# adding repositories needed for cloud-init +echo "http://nl.alpinelinux.org/alpine/v3.10/community" >> /etc/apk/repositories +echo "@edge http://nl.alpinelinux.org/alpine/edge/main" >> /etc/apk/repositories +echo "@testing http://nl.alpinelinux.org/alpine/edge/testing" >> /etc/apk/repositories +echo "@edgecommunity http://nl.alpinelinux.org/alpine/edge/community" >> /etc/apk/repositories + +# update all packages, including the kernel. +apk update +apk upgrade diff --git a/alpine-3.10-x86_64-proxmox/scripts/01networking.sh b/alpine-3.10-x86_64-proxmox/scripts/01networking.sh new file mode 100644 index 0000000..058441d --- /dev/null +++ b/alpine-3.10-x86_64-proxmox/scripts/01networking.sh @@ -0,0 +1,5 @@ +set -ux + +# nothing special required + +exit 0 \ No newline at end of file diff --git a/alpine-3.10-x86_64-proxmox/scripts/02sshd.sh b/alpine-3.10-x86_64-proxmox/scripts/02sshd.sh new file mode 100644 index 0000000..4557900 --- /dev/null +++ b/alpine-3.10-x86_64-proxmox/scripts/02sshd.sh @@ -0,0 +1,11 @@ +set -eux + +# RootLogin without password was permitted in order to allow packer ssh access +# to provision the system. Its removed here to make the server more secure. +sed -i "/^PermitRootLogin/c\PermitRootLogin no" /etc/ssh/sshd_config + +# UseDNS value is No which avoids login delays when the remote client's DNS cannot be resolved +sed -i "/^UseDNS/c\UseDNS no" /etc/ssh/sshd_config + +# disable ssh password authentication +sed -i "/^PasswordAuthentication/c\PasswordAuthentication no" /etc/ssh/sshd_config 
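Review bot: The heredoc delimiter in 00base.sh is quoted (`<< "EOF"`), so `$PRETTY_NAME` and `$VERSION_ID` are written into /etc/motd literally and the preceding `source /etc/os-release` has no effect. Unquote it, `cat > /etc/motd << EOF`, if the banner is meant to show the release name and version. The script also runs under `set -ux` without `-e`, unlike 02sshd.sh and the later scripts, so a failed `apk upgrade` does not stop the build; `set -eux` would make the set consistent.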
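Review bot: The four `echo ... >> /etc/apk/repositories` lines in 01alpine.sh leave the edge main, testing and community repositories permanently enabled in the shipped template, although the comment says they are needed only for the cloud-init build step; a later `apk add foo@testing` on a production clone then silently pulls unreleased packages. Strip them once provisioning is done, e.g. in 99minimize.sh with `sed -i '/alpinelinux.org\/alpine\/edge/d' /etc/apk/repositories`, so the image ships with the v3.10 repositories only. The trailing `apk update` / `apk upgrade` repeats what 00base.sh already did with `apk upgrade -U --available`; one of the two can go.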
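Review bot: The `UseDNS` and `PasswordAuthentication` edits in 02sshd.sh use `sed .../c\...`, which only replaces a line that already begins with that keyword; if the stock sshd_config carries them only commented out (`#PasswordAuthentication yes`, as upstream OpenSSH ships it), the command matches nothing and password authentication stays at its default of yes, contradicting the comment above it. The `PermitRootLogin` edit works only because the boot_command in the JSON appended an uncommented line. Match the commented form as well, `sed -i "/^#*PasswordAuthentication/c\PasswordAuthentication no" /etc/ssh/sshd_config` (same for `UseDNS`), and confirm the effective value before the script ends with `sshd -T | grep -i passwordauthentication`.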
diff --git a/alpine-3.10-x86_64-proxmox/scripts/04sudoers.sh b/alpine-3.10-x86_64-proxmox/scripts/04sudoers.sh new file mode 100644 index 0000000..9a039bd --- /dev/null +++ b/alpine-3.10-x86_64-proxmox/scripts/04sudoers.sh @@ -0,0 +1,27 @@ +set -eux + +# this configuration allows the alpine account to sudo su - without needing a password + +# Install sudo +apk add sudo shadow + +# Create Initial User +adduser -D alpine -G wheel + +# # allow sudo without password +# echo "Defaults exempt_group=wheel" > /etc/sudoers +# echo "%wheel ALL=NOPASSWD:ALL" >> /etc/sudoers + +echo 'alpine ALL=(ALL:ALL) NOPASSWD: ALL' >> /target/etc/sudoers.d/default-user +chmod 440 /target/etc/sudoers.d/default-user + +# # allows ssh login without the user being locked +# # https://unix.stackexchange.com/questions/193066/how-to-unlock-account-for-public-key-ssh-authorization-but-not-for-password-aut +# usermod -p '*' alpine + +# the root user is also being blocked from ssh login in sshd_config +# remove root password +usermod -p '*' root + +# lock root account +#passwd -l root diff --git a/alpine-3.10-x86_64-proxmox/scripts/70random.sh b/alpine-3.10-x86_64-proxmox/scripts/70random.sh new file mode 100644 index 0000000..bf8eb05 --- /dev/null +++ b/alpine-3.10-x86_64-proxmox/scripts/70random.sh @@ -0,0 +1,6 @@ +set -eux + +# Fixes: Boot delay/issues because of limited entropy +# https://gitlab.alpinelinux.org/alpine/aports/issues/9960 +apk add haveged +rc-update add haveged boot diff --git a/alpine-3.10-x86_64-proxmox/scripts/80cloudinit.sh b/alpine-3.10-x86_64-proxmox/scripts/80cloudinit.sh new file mode 100644 index 0000000..26c34df --- /dev/null +++ b/alpine-3.10-x86_64-proxmox/scripts/80cloudinit.sh 
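Review bot: The two lines that create the sudoers drop-in write to `/target/etc/sudoers.d/default-user`, but this script runs over ssh inside the installed system, where no `/target` tree exists (that prefix belongs to an installer chroot), so under `set -e` the redirection fails and the build stops — or, if `/target` did exist, the rule would never reach `/etc/sudoers.d`. Drop the prefix: `echo 'alpine ALL=(ALL:ALL) NOPASSWD: ALL' > /etc/sudoers.d/default-user` and `chmod 440 /etc/sudoers.d/default-user`; `>` instead of `>>` also keeps the file idempotent across rebuilds. Check that the installed /etc/sudoers includes the sudoers.d directory (`visudo -c` reports the files it parses), otherwise the drop-in is silently ignored.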
@@ -0,0 +1,45 @@ +set -eux + +# install missing dependencies +apk add eudev + +# needed for 'growpart' +apk add cloud-utils@testing + +# install utils +apk add acpi +apk add nano + +# apk add cloud-init@testing + +# # make sure CD drive with cloud-init config data gets mounted +# # /dev/sr0 /media/cdrom iso9660 ro 0 0 +# sed -i 's/\/dev\/cdrom/\/dev\/sr0/g' /etc/fstab +# sed -i 's/noauto,ro/ro/g' /etc/fstab + +# # writing of network config is not implemented in alpine cloud-init +# #apk add iproute2 ifupdown +# echo "network: {config: disabled}" > /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg + +# # Start Cloud-Init on Boot +# rc-update add cloud-init default + +# enable automatically growing the partition +cat > /etc/cloud/cloud.cfg.d/10_growpart.cfg << "EOF" +growpart: + mode: growpart + devices: ["/dev/sda2"] + ignore_growroot_disabled: false + +# the above settings do not seem to get used, thus run growpart here +bootcmd: + - growpart /dev/sda 2 +EOF + +# activate serial console +# it is buggy, as it makes it hard to log in + +# sed -i 's/quiet/console=ttyS0,9600/g' /etc/update-extlinux.conf +# update-extlinux +# +# sed -i 's/#ttyS0/ttyS0/g' /etc/inittab diff --git a/alpine-3.10-x86_64-proxmox/scripts/90showip.sh b/alpine-3.10-x86_64-proxmox/scripts/90showip.sh new file mode 100644 index 0000000..0927a32 --- /dev/null +++ b/alpine-3.10-x86_64-proxmox/scripts/90showip.sh 
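Review bot: The heredoc writes `/etc/cloud/cloud.cfg.d/10_growpart.cfg`, but the `apk add cloud-init@testing` line that would create `/etc/cloud` is commented out, so with `set -e` the redirection fails on the missing directory and the build aborts — and if cloud-init is absent nothing ever reads the file anyway. Either restore the install or guard the write with `mkdir -p /etc/cloud/cloud.cfg.d`, and say in a comment which of the two states is intended, since the README describes cloud-init as present. `apk add cloud-utils@testing` pulls growpart from edge/testing into a 3.10 image; a note on why no stable package is used would help whoever updates this later.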
@@ -0,0 +1,22 @@ +# show SSH key fingerprint and IP address on console + +cp /etc/issue /etc/issue-standard + +# Creates a script which will run when the network comes up +cat > /etc/network/if-up.d/show-ip-address << "EOF" +#!/bin/sh +if [ "$METHOD" = loopback ]; then + exit 0 +fi + +# Only run from ifup. +if [ "$MODE" != start ]; then + exit 0 +fi + +cp /etc/issue-standard /etc/issue +printf "ECDSA key fingerprint:\n$(ssh-keygen -l -f /etc/ssh/ssh_host_ecdsa_key.pub)\n" >> /etc/issue +printf "\nSSH user: alpine Server IP: $(ip -o route get to 1.1.1.1 | sed -n 's/.*src \([0-9.]\+\).*/\1/p')\n\n" >> /etc/issue +EOF + +chmod +x /etc/network/if-up.d/show-ip-address diff --git a/alpine-3.10-x86_64-proxmox/scripts/99minimize.sh b/alpine-3.10-x86_64-proxmox/scripts/99minimize.sh new file mode 100644 index 0000000..fca5d93 --- /dev/null +++ b/alpine-3.10-x86_64-proxmox/scripts/99minimize.sh @@ -0,0 +1,11 @@ +set -ux + +dd if=/dev/zero of=/EMPTY bs=1M +rm -f /EMPTY +# Block until the empty file has been removed, otherwise, Packer +# will try to kill the box while the disk is still full and that's bad +sync +sync +sync + +exit 0
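Review bot: The two `printf` calls in the generated if-up.d script place command output inside the format string, so a `%` in the fingerprint or route text is read as a conversion and the banner is mangled; pass the data as an argument, `printf 'ECDSA key fingerprint:\n%s\n' "$(ssh-keygen -l -f /etc/ssh/ssh_host_ecdsa_key.pub)" >> /etc/issue`, and likewise for the IP line. 90showip.sh is also the only script without a `set` line, so a failed `cp` goes unnoticed; `set -eux` like its siblings. Showing the host key fingerprint on the console lets a user verify their first ssh connection to a clone, which is worth stating in a comment so nobody removes the /etc/issue rewrite as noise.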
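Review bot: Nothing in the pipeline removes `/etc/ssh/ssh_host_*` before the VM becomes a template, so every clone inherits identical SSH host keys, and the fingerprint that 90showip.sh prints on the console no longer identifies a particular machine. cloud-init would normally regenerate them on first boot, but its install is commented out in 80cloudinit.sh, so 99minimize.sh should delete the keys itself; Alpine's sshd init script recreates missing host keys on start, which should be confirmed on a booted clone. While here, drop the other build-time leftovers that would otherwise be copied into every clone (apk cache, root's shell history, log contents). The script relies on `dd` failing once the disk is full, which is why it keeps `set -ux`; a comment saying so would stop someone from adding `-e`.
```shell
set -ux

# Remove per-machine state so clones do not share an identity.
# sshd's init script regenerates missing host keys on first start
# (confirm on a booted clone).
rm -f /etc/ssh/ssh_host_*
rm -rf /var/cache/apk/* /root/.ash_history /root/.ssh/known_hosts
find /var/log -type f -exec truncate -s 0 {} +

# dd is expected to fail when the disk is full; that is why this
# script does not use -e.
# … unchanged: dd zero-fill, rm -f /EMPTY, sync, exit 0 …
```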