diff --git a/Dockerfile b/Dockerfile
index fa1a5b90..ff796e0b 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -36,6 +36,7 @@
 RUN echo 'tmpfs /run/dojofs tmpfs defaults,mode=755,shared 0 0' > /etc/fstab && echo '/data/homes /run/homefs none defaults,bind,nosuid 0 0' >> /etc/fstab
 RUN ln -s /opt/pwn.college/etc/systemd/system/pwn.college.service /etc/systemd/system/pwn.college.service && \
+ ln -s /opt/pwn.college/etc/systemd/system/pwn.college.init.service /etc/systemd/system/pwn.college.init.service && \
 ln -s /opt/pwn.college/etc/systemd/system/pwn.college.backup.service /etc/systemd/system/pwn.college.backup.service && \
 ln -s /opt/pwn.college/etc/systemd/system/pwn.college.backup.timer /etc/systemd/system/pwn.college.backup.timer && \
 ln -s /opt/pwn.college/etc/systemd/system/pwn.college.cachewarmer.service /etc/systemd/system/pwn.college.cachewarmer.service && \
@@ -44,6 +45,7 @@ RUN ln -s /opt/pwn.college/etc/systemd/system/pwn.college.service /etc/systemd/s
 ln -s /opt/pwn.college/etc/systemd/system/pwn.college.imagepuller.timer /etc/systemd/system/pwn.college.imagepuller.timer && \
 ln -s /opt/pwn.college/etc/systemd/system/pwn.college.cloud.backup.service /etc/systemd/system/pwn.college.cloud.backup.service && \
 ln -s /opt/pwn.college/etc/systemd/system/pwn.college.cloud.backup.timer /etc/systemd/system/pwn.college.cloud.backup.timer && \
+ ln -s /etc/systemd/system/pwn.college.init.service /etc/systemd/system/multi-user.target.wants/pwn.college.init.service && \
 ln -s /etc/systemd/system/pwn.college.service /etc/systemd/system/multi-user.target.wants/pwn.college.service && \
 ln -s /etc/systemd/system/pwn.college.backup.timer /etc/systemd/system/timers.target.wants/pwn.college.backup.timer && \
 ln -s /etc/systemd/system/pwn.college.cachewarmer.timer /etc/systemd/system/timers.target.wants/pwn.college.cachewarmer.timer && \
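Review bot: The new wants symlink in the second hunk puts pwn.college.init.service under `multi-user.target.wants/`, but the unit file added later in this diff declares `WantedBy=sysinit.target` and orders itself `Before=sysinit.target`; because the Dockerfile links units by hand instead of running `systemctl enable`, the image and the unit's [Install] section now disagree about which target pulls the init service in. Linking it as `ln -s /etc/systemd/system/pwn.college.init.service /etc/systemd/system/sysinit.target.wants/pwn.college.init.service` (creating that wants directory first if the image does not have it) keeps the two consistent. The first hunk only adds the matching unit-file symlink. Both hunks sit inside a RUN chain that continues past the hunk.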
@@ -58,4 +60,4 @@ RUN find /opt/pwn.college/dojo -type f -exec ln -s {} /usr/bin/ \;
 EXPOSE 22
 EXPOSE 80
 EXPOSE 443
-CMD ["dojo", "init"]
+CMD ["/usr/bin/systemd"]
diff --git a/dojo/dojo b/dojo/dojo
index 1cd4dc99..d153bf96 100755
--- a/dojo/dojo
+++ b/dojo/dojo
@@ -13,13 +13,13 @@ fi
 DOCKER_ARGS=${DOCKER_ARGS:--i}
 [ -t 0 ] && DOCKER_ARGS="-t $DOCKER_ARGS"
-if [ "$ACTION" != "init" ] && [ -f /data/config.env ]; then
- . /data/config.env
-fi
+[ -f /data/config.env ] && . /data/config.env
 case "$ACTION" in
 # HELP: up: bring the dojo up
 "up")
+ echo "[+] Starting the dojo. If this is the first start, the challenge"
+ echo "[+} container will be built, which will take a very long time."
 dojo sync
 dojo compose up -d --build --remove-orphans "$@"
 ;;
@@ -124,11 +124,12 @@ case "$ACTION" in
 # HELP: logs: display dojo logs
 "logs")
-journalctl -u pwn.college -f --no-tail
+journalctl -u "pwn.college.*" -f --no-tail
 ;;
 # HELP: wait: wait for the dojo to finish starting
 "wait")
+ sleep 10
 dojo logs | while IFS= read -r line; do
 echo "$line"
 case "$line" in
@@ -142,15 +143,6 @@ case "$ACTION" in
 done
 ;;
- # HELP: init: main entry point for the docker image
- "init")
- echo "[+] Initializing dojo."
- dojo-init
- echo "[+] Starting systemd. If this is the first start, the challenge container"
- echo " will be built, which will take a very long time."
- exec /usr/bin/systemd
- ;;
-
 # HELP: help: displays this help
 "help")
 echo "Usage: $0 COMMAND [ ARG ]"
diff --git a/dojo/dojo-init b/dojo/dojo-init
index 50c14a69..66d64d5c 100755
--- a/dojo/dojo-init
+++ b/dojo/dojo-init
@@ -1,5 +1,6 @@
 #!/bin/sh
+echo "[+] Checking /data mount properties..."
 data_mnt_opts="$(findmnt -n -o OPTIONS /data)"
 if [ "$?" -ne 0 ]; then
 echo '[!] Data mount does not exist. Please start the dojo with a data mount (`-v /data:/data`).'
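Review bot: `CMD ["/usr/bin/systemd"]` makes systemd PID 1 of the container, and systemd as PID 1 does not shut down on the SIGTERM that `docker stop` sends by default, so the container is only killed after the stop timeout instead of stopping its units (the compose service, the backup and cache-warmer timers) in order. Unless a `STOPSIGNAL` already appears earlier in the Dockerfile, add `STOPSIGNAL SIGRTMIN+3` next to the new CMD so that `docker stop` triggers an orderly halt. The old `dojo init` entrypoint exec'd systemd the same way, so the behaviour is not new, but the CMD change is the natural place to fix it.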
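Review bot: The second echo added to the `"up"` arm opens with `[+}` instead of `[+]`, so the two-line banner prints mismatched prefixes; it should read `echo "[+] container will be built, which will take a very long time."`. The new unconditional `[ -f /data/config.env ] && . /data/config.env` drops the `init` exclusion the old `if` carried, which is consistent with the init arm being removed further down this diff, but a one-line comment such as `# absent until dojo-init has moved /data/.config.env into place` would tell a reader why the file may legitimately be missing. The case statement continues past the hunk.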
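Review bot: The bare `sleep 10` added to the `"wait"` arm is an unexplained fixed delay; nothing in the hunk says what it waits for, and it looks like a guess at how long systemd needs before `journalctl -u "pwn.college.*" -f` has a unit to follow. Either document it, e.g. `# give systemd time to start pwn.college.service before following its journal`, or replace the guess with a poll such as `until systemctl is-active --quiet pwn.college; do sleep 1; done` so the wait neither races a slow start nor over-waits a fast one. The while loop that follows continues past the hunk.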
@@ -65,12 +66,15 @@ define MAC_USERNAME
 define MAC_KEY_FILE
 define MAC_GUEST_CONTROL_FILE
+echo "[+] Sourcing config.env..."
 mv /data/.config.env /data/config.env
 . /data/config.env
+echo "[+] Creating workspace directories..."
 mkdir -p /data/workspace/nix
 mkdir -p /data/workspacefs/bin
+echo "[+] Configuring homes..."
 mkdir -p /data/homes
 if [ "$(findmnt -n -o FSTYPE /data/homes)" != "btrfs" ] && [ "$(findmnt -n -o FSTYPE /data)" != "btrfs" ]; then
 if [ ! -f /data/homes/btrfs.img ]; then
@@ -82,6 +86,7 @@ if [ "$(findmnt -n -o FSTYPE /data/homes)" != "btrfs" ] && [ "$(findmnt -n -o FS
 fi
 btrfs quota enable /data/homes
+echo "[+] Configuring ssh..."
 if [ ! -d /data/ssh_host_keys ]; then
 mkdir -p /data/ssh_host_keys
 rm /etc/ssh/ssh_host_*_key*
@@ -95,16 +100,20 @@ for file in $(ls /data/ssh_host_keys/*); do
 cp -a $file /etc/ssh
 done
+echo "[+] Configuring backup keys..."
 if [ ! -z ${BACKUP_AES_KEY_FILE+x} ] && [ ! -f ${BACKUP_AES_KEY_FILE} ]
 then
 openssl rand 214 > "${BACKUP_AES_KEY_FILE}"
 fi
+echo "[+] Setting kernel parameters..."
 sysctl -w kernel.pty.max=1048576
 echo core > /proc/sys/kernel/core_pattern
+echo "[+] Configuring dojo nodes..."
 dojo-node refresh
+echo "[+] Configuring firewalling..."
 iptables -N DOCKER-USER
 iptables -I DOCKER-USER -i workspace_net -j DROP
 for host in $(cat /opt/pwn.college/user_firewall.allowed); do
diff --git a/etc/systemd/system/pwn.college.init.service b/etc/systemd/system/pwn.college.init.service
new file mode 100644
index 00000000..509f7316
--- /dev/null
+++ b/etc/systemd/system/pwn.college.init.service
@@ -0,0 +1,15 @@
+[Unit]
+Description=pwn.college initialization service
+Before=docker.service
+Before=containerd.service
+Before=sysinit.target
+DefaultDependencies=no
+
+[Service]
+Type=oneshot
+RemainAfterExit=true
+WorkingDirectory=/opt/pwn.college
+ExecStart=/usr/bin/dojo-init
+
+[Install]
+WantedBy=sysinit.target
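Review bot: The progress lines added here (and in the -82 and -95 hunks) announce steps such as `mv /data/.config.env /data/config.env` and `. /data/config.env`, but the script runs under `#!/bin/sh` and no `set -e` is visible in the diff, so if one of those steps fails the next `[+]` message still prints and the new oneshot unit reports only the status of the script's last command; someone reading `dojo logs` would see a successful-looking run with the config, home, ssh-key or firewall setup actually skipped. If `set -e` is not already set further up the file, add it after the shebang, or follow the explicit check this script already uses for findmnt and make each step fatal, e.g. `mv /data/.config.env /data/config.env || exit 1`. Each hunk shown is a fragment of the script; the surrounding if/for blocks start or end outside it.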
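Review bot: Nothing in the new unit or elsewhere in the diff makes another unit depend on `pwn.college.init.service`: `Before=docker.service`, `Before=containerd.service` and `Before=sysinit.target` only order it, and pwn.college.service gains just an `After=` in the next file. With the old `dojo init` entrypoint a failing dojo-init (for instance the "Data mount does not exist" exit shown in the dojo-init hunk) stopped the container before systemd ran; now it leaves a failed oneshot behind while docker and the compose service still come up with the firewall, ssh-key and home-directory setup incomplete. Add `Requires=pwn.college.init.service` beside the new `After=` in pwn.college.service so the compose service is not started when init failed, and if the old stop-the-container behaviour is wanted, consider a `FailureAction=` in this unit's [Unit] section so a failed init halts the container as before.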
diff --git a/etc/systemd/system/pwn.college.service b/etc/systemd/system/pwn.college.service
index b6ce0be3..e00e51c6 100644
--- a/etc/systemd/system/pwn.college.service
+++ b/etc/systemd/system/pwn.college.service
@@ -2,6 +2,7 @@
 Description=pwn.college docker compose service
 Requires=docker.service
 After=docker.service
+After=pwn.college.init.service
 [Service]
 Type=oneshot