From 46b82fea6cb66f7a9e312fa281fb00570ffd63e2 Mon Sep 17 00:00:00 2001 From: Yan Date: Sat, 26 Oct 2024 22:00:56 -0700 Subject: [PATCH 1/6] moving 'dojo init' functionality from dojo to dojo-init --- Dockerfile | 2 +- dojo/dojo | 15 +++------------ dojo/dojo-init | 4 ++++ 3 files changed, 8 insertions(+), 13 deletions(-) diff --git a/Dockerfile b/Dockerfile index fa1a5b90..5c048eb8 100644 --- a/Dockerfile +++ b/Dockerfile @@ -58,4 +58,4 @@ RUN find /opt/pwn.college/dojo -type f -exec ln -s {} /usr/bin/ \; EXPOSE 22 EXPOSE 80 EXPOSE 443 -CMD ["dojo", "init"] +CMD ["dojo-init"] diff --git a/dojo/dojo b/dojo/dojo index 1cd4dc99..d985b6b4 100755 --- a/dojo/dojo +++ b/dojo/dojo @@ -13,13 +13,13 @@ fi DOCKER_ARGS=${DOCKER_ARGS:--i} [ -t 0 ] && DOCKER_ARGS="-t $DOCKER_ARGS" -if [ "$ACTION" != "init" ] && [ -f /data/config.env ]; then - . /data/config.env -fi +[ -f /data/config.env ] && . /data/config.env case "$ACTION" in # HELP: up: bring the dojo up "up") + echo "[+] Starting the dojo. If this is the first start, the challenge" + echo "[+} container will be built, which will take a very long time." dojo sync dojo compose up -d --build --remove-orphans "$@" ;; @@ -142,15 +142,6 @@ case "$ACTION" in done ;; - # HELP: init: main entry point for the docker image - "init") - echo "[+] Initializing dojo." - dojo-init - echo "[+] Starting systemd. If this is the first start, the challenge container" - echo " will be built, which will take a very long time." - exec /usr/bin/systemd - ;; - # HELP: help: displays this help "help") echo "Usage: $0 COMMAND [ ARG ]" diff --git a/dojo/dojo-init b/dojo/dojo-init index 50c14a69..123f8d52 100755 --- a/dojo/dojo-init +++ b/dojo/dojo-init 
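Review bot: The second status line added under the `"up"` action in the `dojo/dojo` hunk has a mismatched bracket, `[+}` instead of `[+]`, so it breaks the `[+]` prefix every other message uses; change it to `echo "[+] container will be built, which will take a very long time."`. The same hunk makes `. /data/config.env` unconditional now that the `init` action is gone, which is consistent with `dojo-init` owning that file (it does the `mv /data/.config.env /data/config.env` later in this series), but a one-line comment such as `# config.env is written by dojo-init; absent until the first init has run` would save the next reader from re-deriving why a plain `-f` test is enough. The `case "$ACTION"` block continues outside the hunk.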
@@ -114,3 +114,7 @@ iptables -I DOCKER-USER -i workspace_net -s 10.0.0.0/24 -m conntrack --ctstate N iptables -I DOCKER-USER -i workspace_net -d 10.0.0.0/8 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT iptables -I DOCKER-USER -i workspace_net -s 192.168.42.0/24 -m conntrack --ctstate NEW -j ACCEPT iptables -I DOCKER-USER -i workspace_net -d 192.168.42.0/24 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT + +echo "[+] Starting systemd. If this is the first start, the challenge container" +echo " will be built, which will take a very long time." +exec /usr/bin/systemd From a07b9efdee1ffda47601799e357e5f11f5975487 Mon Sep 17 00:00:00 2001 From: Yan Date: Sat, 26 Oct 2024 22:08:58 -0700 Subject: [PATCH 2/6] more status output in dojo-init --- dojo/dojo-init | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/dojo/dojo-init b/dojo/dojo-init index 123f8d52..f5b559aa 100755 --- a/dojo/dojo-init +++ b/dojo/dojo-init @@ -1,5 +1,6 @@ #!/bin/sh +echo "[+] Checking /data mount properties..." data_mnt_opts="$(findmnt -n -o OPTIONS /data)" if [ "$?" -ne 0 ]; then echo '[!] Data mount does not exist. Please start the dojo with a data mount (`-v /data:/data`).' @@ -65,12 +66,15 @@ define MAC_USERNAME define MAC_KEY_FILE define MAC_GUEST_CONTROL_FILE +echo "[+] Sourcing config.env..." mv /data/.config.env /data/config.env . /data/config.env +echo "[+] Creating workspace directories..." mkdir -p /data/workspace/nix mkdir -p /data/workspacefs/bin +echo "[+] Configuring homes..." mkdir -p /data/homes if [ "$(findmnt -n -o FSTYPE /data/homes)" != "btrfs" ] && [ "$(findmnt -n -o FSTYPE /data)" != "btrfs" ]; then if [ ! -f /data/homes/btrfs.img ]; then @@ -82,6 +86,7 @@ if [ "$(findmnt -n -o FSTYPE /data/homes)" != "btrfs" ] && [ "$(findmnt -n -o FS fi btrfs quota enable /data/homes +echo "[+] Configuring ssh..." if [ ! -d /data/ssh_host_keys ]; then mkdir -p /data/ssh_host_keys rm /etc/ssh/ssh_host_*_key* 
@@ -95,16 +100,20 @@ for file in $(ls /data/ssh_host_keys/*); do cp -a $file /etc/ssh done +echo "[+] Configuring backup keys..." if [ ! -z ${BACKUP_AES_KEY_FILE+x} ] && [ ! -f ${BACKUP_AES_KEY_FILE} ] then openssl rand 214 > "${BACKUP_AES_KEY_FILE}" fi +echo "[+] Setting kernel parameters..." sysctl -w kernel.pty.max=1048576 echo core > /proc/sys/kernel/core_pattern +echo "[+] Configuring dojo nodes..." dojo-node refresh +echo "[+] Configuring firewalling..." iptables -N DOCKER-USER iptables -I DOCKER-USER -i workspace_net -j DROP for host in $(cat /opt/pwn.college/user_firewall.allowed); do From 94fe39a81b68e0abfaf476753834d61fb3c008be Mon Sep 17 00:00:00 2001 From: Yan Date: Sat, 26 Oct 2024 22:28:50 -0700 Subject: [PATCH 3/6] go all-in on systemd managing the launching of the dojo --- Dockerfile | 4 +++- dojo/dojo-init | 4 ---- etc/systemd/system/pwn.college.init.service | 12 ++++++++++++ etc/systemd/system/pwn.college.service | 1 + 4 files changed, 16 insertions(+), 5 deletions(-) create mode 100644 etc/systemd/system/pwn.college.init.service diff --git a/Dockerfile b/Dockerfile index 5c048eb8..ff796e0b 100644 --- a/Dockerfile +++ b/Dockerfile @@ -36,6 +36,7 @@ RUN echo 'tmpfs /run/dojofs tmpfs defaults,mode=755,shared 0 0' > /etc/fstab && echo '/data/homes /run/homefs none defaults,bind,nosuid 0 0' >> /etc/fstab RUN ln -s /opt/pwn.college/etc/systemd/system/pwn.college.service /etc/systemd/system/pwn.college.service && \ + ln -s /opt/pwn.college/etc/systemd/system/pwn.college.init.service /etc/systemd/system/pwn.college.init.service && \ ln -s /opt/pwn.college/etc/systemd/system/pwn.college.backup.service /etc/systemd/system/pwn.college.backup.service && \ ln -s /opt/pwn.college/etc/systemd/system/pwn.college.backup.timer /etc/systemd/system/pwn.college.backup.timer && \ ln -s /opt/pwn.college/etc/systemd/system/pwn.college.cachewarmer.service /etc/systemd/system/pwn.college.cachewarmer.service && \ 
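Review bot: The new `[+] Configuring backup keys...` line labels a block that only creates `${BACKUP_AES_KEY_FILE}` when it is absent, and the creation it announces (`openssl rand 214 > ...`, unchanged here) takes its file mode from the process umask, which once this script runs as a systemd oneshot (patch 3 of this series) is the service's umask rather than whatever the interactive `dojo init` had, so the key may end up readable by other users unless the parent directory protects it. Put `umask 077` immediately before the `openssl` line, or `chmod 600 "${BACKUP_AES_KEY_FILE}"` right after it, and make the status line say what happens, e.g. `echo "[+] Generating backup key if missing..."`. The `if`/`fi` block this applies to is fully inside the hunk.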
@@ -44,6 +45,7 @@ RUN ln -s /opt/pwn.college/etc/systemd/system/pwn.college.service /etc/systemd/s
 ln -s /opt/pwn.college/etc/systemd/system/pwn.college.imagepuller.timer /etc/systemd/system/pwn.college.imagepuller.timer && \
 ln -s /opt/pwn.college/etc/systemd/system/pwn.college.cloud.backup.service /etc/systemd/system/pwn.college.cloud.backup.service && \
 ln -s /opt/pwn.college/etc/systemd/system/pwn.college.cloud.backup.timer /etc/systemd/system/pwn.college.cloud.backup.timer && \
+ ln -s /etc/systemd/system/pwn.college.init.service /etc/systemd/system/multi-user.target.wants/pwn.college.init.service && \
 ln -s /etc/systemd/system/pwn.college.service /etc/systemd/system/multi-user.target.wants/pwn.college.service && \
 ln -s /etc/systemd/system/pwn.college.backup.timer /etc/systemd/system/timers.target.wants/pwn.college.backup.timer && \
 ln -s /etc/systemd/system/pwn.college.cachewarmer.timer /etc/systemd/system/timers.target.wants/pwn.college.cachewarmer.timer && \
@@ -58,4 +60,4 @@ RUN find /opt/pwn.college/dojo -type f -exec ln -s {} /usr/bin/ \;
 EXPOSE 22
 EXPOSE 80
 EXPOSE 443
-CMD ["dojo-init"]
+CMD ["/usr/bin/systemd"]
diff --git a/dojo/dojo-init b/dojo/dojo-init
index f5b559aa..66d64d5c 100755
--- a/dojo/dojo-init
+++ b/dojo/dojo-init
@@ -123,7 +123,3 @@ iptables -I DOCKER-USER -i workspace_net -s 10.0.0.0/24 -m conntrack --ctstate N
 iptables -I DOCKER-USER -i workspace_net -d 10.0.0.0/8 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
 iptables -I DOCKER-USER -i workspace_net -s 192.168.42.0/24 -m conntrack --ctstate NEW -j ACCEPT
 iptables -I DOCKER-USER -i workspace_net -d 192.168.42.0/24 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-
-echo "[+] Starting systemd. If this is the first start, the challenge container"
-echo " will be built, which will take a very long time."
-exec /usr/bin/systemd
diff --git a/etc/systemd/system/pwn.college.init.service b/etc/systemd/system/pwn.college.init.service
new file mode 100644
index 00000000..3958901e
--- /dev/null
+++ b/etc/systemd/system/pwn.college.init.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=pwn.college initialization service
+Before=docker.service
+
+[Service]
+Type=oneshot
+RemainAfterExit=true
+WorkingDirectory=/opt/pwn.college
+ExecStart=/usr/bin/dojo-init
+
+[Install]
+WantedBy=multi-user.target
diff --git a/etc/systemd/system/pwn.college.service b/etc/systemd/system/pwn.college.service
index b6ce0be3..e00e51c6 100644
--- a/etc/systemd/system/pwn.college.service
+++ b/etc/systemd/system/pwn.college.service
@@ -2,6 +2,7 @@
 Description=pwn.college docker compose service
 Requires=docker.service
 After=docker.service
+After=pwn.college.init.service
 
 [Service]
 Type=oneshot
From 50cf5d7d68c8df1cd844aea8231c07be05259075 Mon Sep 17 00:00:00 2001
From: Yan
Date: Sun, 27 Oct 2024 01:44:33 -0700
Subject: [PATCH 4/6] dojo script changes: log all the pwn.college* services, sleep before wait

---
 dojo/dojo | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/dojo/dojo b/dojo/dojo
index d985b6b4..06e57520 100755
--- a/dojo/dojo
+++ b/dojo/dojo
@@ -124,11 +124,12 @@ case "$ACTION" in
 
 # HELP: logs: display dojo logs
 "logs")
- journalctl -u pwn.college -f --no-tail
+ journalctl -u pwn.college.* -f --no-tail
 ;;
 
 # HELP: wait: wait for the dojo to finish starting
 "wait")
+ sleep 10
 dojo logs | while IFS= read -r line; do
 echo "$line"
 case "$line" in
From 6f27d938f9f89b16fd106595545124d14f7c4412 Mon Sep 17 00:00:00 2001
From: Yan
Date: Sun, 27 Oct 2024 02:31:41 -0700
Subject: [PATCH 5/6] i think this is as early as it gets

---
 etc/systemd/system/pwn.college.init.service | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/etc/systemd/system/pwn.college.init.service b/etc/systemd/system/pwn.college.init.service
index 3958901e..509f7316 100644
--- a/etc/systemd/system/pwn.college.init.service
+++ b/etc/systemd/system/pwn.college.init.service
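Review bot: `After=pwn.college.init.service` in the `pwn.college.service` hunk only orders the two units; it does not make this service depend on init succeeding, so if `dojo-init` exits non-zero whatever this unit's `ExecStart` runs (outside the hunk) still starts. The init script is what installs the `DOCKER-USER` rules for `workspace_net` (see the `dojo/dojo-init` hunks elsewhere in this series), so a failed init would bring the workspaces up with no firewall rules in place. Pair the ordering with a dependency, `Requires=pwn.college.init.service`, next to the existing `Requires=docker.service`; `Wants=` would be the best-effort form, but it keeps the fail-open behaviour. The `[Service]` section continues outside the hunk.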
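Review bot: The `sleep 10` added to the `"wait"` action in the `dojo/dojo` hunk is an uncommented fixed delay; nothing in the hunk says what it waits for, so a reader cannot tell whether it can be shortened or must grow on slower hosts. If it exists so that the `journalctl -f` behind `dojo logs` attaches after the `pwn.college.*` units have started logging, say so: `# give systemd a moment to start the pwn.college.* units before following their journal`. A bounded poll on `systemctl is-active` would be the deterministic alternative, but the comment is the minimum. The `while` loop that consumes the log continues outside the hunk.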
@@ -1,6 +1,9 @@
 [Unit]
 Description=pwn.college initialization service
 Before=docker.service
+Before=containerd.service
+Before=sysinit.target
+DefaultDependencies=no
 
 [Service]
 Type=oneshot
@@ -9,4 +12,4 @@ WorkingDirectory=/opt/pwn.college
 ExecStart=/usr/bin/dojo-init
 
 [Install]
-WantedBy=multi-user.target
+WantedBy=sysinit.target
From 54922a3f7f7ff48c7bb4caac632e8fc7e408d547 Mon Sep 17 00:00:00 2001
From: Yan Shoshitaishvili
Date: Wed, 30 Oct 2024 20:46:54 -0700
Subject: [PATCH 6/6] escape systemd unit in `dojo logs`

---
 dojo/dojo | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dojo/dojo b/dojo/dojo
index 06e57520..d153bf96 100755
--- a/dojo/dojo
+++ b/dojo/dojo
@@ -124,7 +124,7 @@ case "$ACTION" in
 
 # HELP: logs: display dojo logs
 "logs")
- journalctl -u pwn.college.* -f --no-tail
+ journalctl -u "pwn.college.*" -f --no-tail
 ;;
 
 # HELP: wait: wait for the dojo to finish starting
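Review bot: `WantedBy=sysinit.target` in the `[Install]` hunk no longer matches how the unit is actually enabled: the Dockerfile hunk in patch 3 of this series hand-creates the symlink under `/etc/systemd/system/multi-user.target.wants/`, and that symlink is not moved here, so the unit is still pulled in by multi-user.target and only `Before=sysinit.target` hoists it earlier. Either move the Dockerfile symlink to `sysinit.target.wants/` so the two agree, or leave `[Install]` as it was and document that the Dockerfile symlink is authoritative. Separately, `DefaultDependencies=no` drops the implicit `Requires=`/`After=sysinit.target` and with it the ordering after local filesystem setup, while `dojo-init` checks that `/data` is mounted, writes under `/proc/sys`, and runs `iptables`; a short comment in the `[Unit]` section stating which of those are already guaranteed at this point (presumably because the container runtime provides them — worth confirming) would make the early placement reviewable, and anything not guaranteed should get an explicit `After=`.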