-
Notifications
You must be signed in to change notification settings - Fork 2
/
pde-setup
executable file
·250 lines (196 loc) · 6.85 KB
/
pde-setup
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
#! /bin/bash
# ---------------------------------------------------------------------------
# pde-setup - Install TurnKey Portable Development Environment (PDE)
# Copyright 2018, John Carver <[email protected]>
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License at (http://www.gnu.org/licenses/) for
# more details.
# Usage: pde-setup [-h|--help] [-u|--update] [-v|--version]
# Install version_resolver courtesy of Stefan Davis
# Harden container host using recommendations from lynis and openvas
# The TurnKey template, lxc-turnkey, requires an inithooks.conf and inserts it into the LXC container before startup. We will use the inithooks example file because we will be creating sharable images and we don't want to include private passwords. We put the default inithooks.conf in /etc where it can be read by non-privileged users.
# Revision history:
# 2018-01-11 Created by new-script ver. 3.1
# 2018-02-06 Released version 1.0
# 2018-03-17 Released version 1.1
# 2018-07-17 Released version 1.2
# ---------------------------------------------------------------------------
PROGNAME=$(basename $0)
BASEDIR=$(dirname $0)
VERSION="1.2"
UPDATE=false
version() { echo -e "$(basename $0) v.${VERSION}"; }
info() { echo -e "INFO [$(basename $0)]: $@"; }
warn() { echo -e "WARN [$(basename $0)]: $@" 1>&2; return 1; }
fatal() { echo -e "FATAL [$(basename $0)]: $@" 1>&2; exit 1; }
get_running() {
# get list of all lxd containers with state=RUNNING
lxc list -c ns --format=csv | awk -F, '/RUNNING/ { print $1 }'
}
is_running() {
# return true (0) if container exists and is running, false (1) otherwise
lxc info $1 > /dev/null 2>&1 || warn "Warning: container $1 does not exist."
lxc info $1 | grep -qc 'Status: Running'
}
copy() {
# copy file from ./overlay to root '/' while changing ownership
sudo cp -p ${BASEDIR}/overlay/$1 /$1
sudo chown root:root /$1
}
clean_up() { # Perform pre-exit housekeeping
sudo apt-get autoremove --yes --quiet
return
}
error_exit() {
echo -e "${PROGNAME}: ${1:-"Unknown Error"}" >&2
clean_up
exit 1
}
graceful_exit() {
clean_up
info "TurnKey GNU/Linux Portable Development Environment is now ready."
exit
}
signal_exit() { # Handle trapped signals
case $1 in
INT) error_exit "Program interrupted by user" ;;
TERM) echo -e "\n$PROGNAME: Program terminated" >&2 ; graceful_exit ;;
*) error_exit "$PROGNAME: Terminating on unknown signal" ;;
esac
}
usage() {
echo -e "Usage: $PROGNAME [-h|--help] [-u|--update] [-v|--version]"
}
help_message() {
cat <<- _EOF_
$PROGNAME ver. $VERSION
Install TurnKey Portable Development Environment (PDE)
$(usage)
Options:
-h, --help Display this help message and exit.
-u, --update Update installed files.
-v, --version Display version and exit.
_EOF_
return
}
# Trap signals
trap "signal_exit TERM" TERM HUP
trap "signal_exit INT" INT
# Parse command-line
while [[ -n $1 ]]; do
case $1 in
-h | --help) help_message; graceful_exit ;;
-u | --update) UPDATE=true; info "Updating installed files ..." ;;
-v | --version) version; exit ;;
-* | --*) usage; error_exit "Unknown option $1" ;;
*) echo "Argument $1 to process ..." ;;
esac
shift
done
# Main logic
export UPDATE=${UPDATE}
DISTRIBUTOR=$(lsb_release -si)
CODENAME=$(lsb_release -sc)
# Check for Ubuntu
[[ $DISTRIBUTOR == "Ubuntu" ]] || fatal "Currently only Ubuntu is supported by PDE"
# Get running containers
RUNNING="$(get_running)"
# Enable noninteractive mode
export DEBIAN_FRONTEND=noninteractive
# Enable backports
if [[ $CODENAME == "xenial" ]]; then
CONF="/etc/apt/sources.list"
if [ -e ${CONF} ]; then
info "Enabling ${CODENAME}-backports ..."
grep -q "${CODENAME}-backports" ${CONF}
if [ $? -eq 0 ]; then
# uncomment backports in sources.list
sudo sed -i "/${CODENAME}-backports/ s/^[# ]*//" ${CONF}
else
# add backports to sources.list
sudo sed -i "/\s${CODENAME}\s/{p;s/${CODENAME}/${CODENAME}-backports/}" ${CONF}
fi
sudo apt-get update --yes --quiet
else
info "${CONF} not found; skipping enable ${CODENAME}-backports"
fi
fi
# Add the TurnKey gpg release key to your keyring.
gpg --keyserver hkp://keyserver.ubuntu.com --recv-keys 0xA16EB94D
# Copy the TurnKey gpg release key to /etc/apt/trusted.gpg.d/
sudo wget https://releases.turnkeylinux.org/release-key.txt -O /etc/apt/trusted.gpg.d/turnkey.gpg
# Install required packages
sudo apt-get install --yes --quiet dnsmasq-base dnsmasq-utils python-requests
#Note: Ubuntu package dnsmasq was not required. dnsmasq-base was sufficient.
#Package dnsmasq-utils may still be helpful.
# Install AppArmor profiles and utilities.
sudo apt-get install --yes --quiet apparmor-profiles apparmor-utils
# Stop running containers
for container in ${RUNNING}; do
info "Stopping $container ..."
lxc stop $container --force
done
# Install LXC and LXD
info "Installing LXC/LXD packages ..."
if [[ $CODENAME == "xenial" ]]; then
sudo apt-get install --yes --quiet -t xenial-backports lxc lxd lxd-tools aufs-tools
else
sudo apt-get install --yes --quiet lxc lxd lxd-tools
fi
# Initial install only
if [ ! ${UPDATE} = true ]; then
### Initialize LXD:
sudo lxd init --auto
# Create lxd bridged network
lxc network list | grep -q "lxdbr0"
if [ ! $? -eq 0 ]; then
info "Creating lxd bridged network"
lxc network create lxdbr0 \
ipv4.address=auto \
ipv4.nat=true \
ipv6.address=auto \
ipv6.nat=true
lxc network attach-profile lxdbr0 default
fi
fi
# Copy the overlay files to the root directory.
info "Copying overlay files ..."
for file in $(find ./overlay/ -type f -printf '%P\n'); do
copy ${file}
done
# Remove obsolete conference files
CONF="/etc/sysctl.d/90-lynis.conf"
if [ -e ${CONF} ]; then
info "Removing ${CONF} ..."
sudo rm -f ${CONF}
fi
CONF="/etc/sysctl.d/90-hardening.conf"
if [ -e ${CONF} ]; then
info "Removing ${CONF} ..."
sudo rm -f ${CONF}
fi
# Run the conf.d scripts
info "Running conf.d scripts ..."
run-parts --regex="^[a-zA-Z0-9_-]+$" ${BASEDIR}/conf.d
# Activate the apparmor profile.
info "Activating the apparmor profile ..."
sudo apparmor_parser -r -W -T /etc/apparmor.d/lxc-containers
sudo service apparmor restart
# Restart LXC and LXD
info "Restarting LXC/LXD ..."
sudo service lxc restart
sudo service lxd restart
# Restart containers if not already running
for container in ${RUNNING}; do
if ! is_running $container; then
info "Starting $container ..."
lxc start $container
fi
done
graceful_exit