-
Notifications
You must be signed in to change notification settings - Fork 0
/
rc.local
133 lines (106 loc) · 4.6 KB
/
rc.local
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
#!/bin/sh
touch /var/lock/subsys/local
# Ensure devpts is mounted to prevent ssh hang-ups
mount | grep devpts > /dev/null 2>&1
if [ $? -ne 0 ] ; then
devpts="none /dev/pts devpts gid=5,mode=620 0 0"
( grep -v "\#" /etc/fstab | grep devpts > /dev/null 2>&1 ) || echo $devpts >> /etc/fstab
mount -a >/dev/null 2>&1
fi
# Randomise the root password as the last operation
# We ideally have some more entropy at this stage
echo "-----RANDOMISING ROOT PASSWORD-----"|logger -s -t "ec2"
dd if=/dev/urandom count=128 2>/dev/null|md5sum|passwd --stdin root >/dev/null 2>&1
# Regenerate the host keys at this stage
# Having more entropy to work with
echo "-----TRIGGERING HOST KEYS REGENERATION-----"|logger -s -t "ec2"
ssh_dir=`ls -la /etc/ssh/`
echo "SSH directory contents:"|logger -s -t "ec2"
echo $ssh_dir|logger -s -t "ec2"
echo "Removing existing keys"|logger -s -t "ec2"
rm -f /etc/ssh/ssh_host_key.pub \
/etc/ssh/ssh_host_rsa_key.pub
/etc/ssh/ssh_host_dsa_key.pub \
/etc/ssh/ssh_host_key \
/etc/ssh/ssh_host_rsa_key \
/etc/ssh/ssh_host_dsa_key
# =*Output ssh host keys to console*=
[ -f /etc/ssh/ssh_host_key ] || (ssh-keygen -f /etc/ssh/ssh_host_key -t rsa1 -C 'host' -N '' | logger -s -t "ec2")
[ -f /etc/ssh/ssh_host_rsa_key ] || (ssh-keygen -f /etc/ssh/ssh_host_rsa_key -t rsa -C 'host' -N '' | logger -s -t "ec2")
[ -f /etc/ssh/ssh_host_dsa_key ] || (ssh-keygen -f /etc/ssh/ssh_host_dsa_key -t dsa -C 'host' -N '' | logger -s -t "ec2")
echo "-----BEGIN SSH HOST KEY FINGERPRINTS-----" |logger -s -t "ec2"
ssh-keygen -l -f /etc/ssh/ssh_host_key.pub |logger -s -t "ec2"
ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub |logger -s -t "ec2"
ssh-keygen -l -f /etc/ssh/ssh_host_dsa_key.pub |logger -s -t "ec2"
echo "-----END SSH HOST KEY FINGERPRINTS-----" |logger -s -t "ec2"
echo "Bouncing sshd to force regeneration"|logger -s -t "ec2"
/sbin/service sshd restart
echo "Setting sshd to start as a service"|logger -s -t "ec2"
/sbin/chkconfig --level 2345 sshd on
# Nimbus needs to have /root/.ssh created so that the create-keypair call will
# succeed - shouldn't hurt on an Amazon EC2 image
mkdir -p /root/.ssh
chmod 0700 /root/.ssh
chown root:root /root/.ssh
# We do this manually for root since boxgrinder will only append code to grab
# the key for ec2-user.
ATTEMPTS=5
FAILED=0
# Fetch public key using HTTP
while [ ! -f /root/.ssh/authorized_keys ]; do
key=`curl http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key 2>/dev/null`
if [ $? -eq 0 ]; then
actual_key=`echo $key | awk '{ print $2 }'`
echo $key >> /root/.ssh/authorized_keys
chmod 600 /root/.ssh/authorized_keys
chown root:root /root/.ssh/authorized_keys
echo "Successfully retrieved AWS public key from instance metadata:"|logger -s -t "ec2"
echo $key
else
FAILED=$(($FAILED + 1))
if [ $FAILED -ge $ATTEMPTS ]; then
echo "Failed to retrieve AWS public key after $FAILED attempts, quitting"|logger -s -t "ec2"
break
fi
echo "Could not retrieve AWS public key (attempt #$FAILED/$ATTEMPTS), retrying in 5 seconds..."|logger -s -t "ec2"
sleep 5
fi
done
echo "Installing supplementary SSH keys"|logger -s -t "ec2"
cat /root/authorized_keys >> /root/.ssh/authorized_keys
chmod 600 /root/.ssh/authorized_keys
chown root:root /root/.ssh/authorized_keys
rm -f /root/authorized_keys
# update to latest available certs
echo "Updating CA certificates"|logger -s -t "ec2"
yum update -y ca-policy-egi-core
# Start desired services
echo "Setting fetch-crl-cron to start as a service"|logger -s -t "ec2"
/sbin/service fetch-crl-cron start
#
# Ensure CVMFS running
echo "Setting /etc/hosts"|logger -s -t "ec2"
shorthostname=`grep 'HOSTNAME=' /etc/sysconfig/network | awk -F= '{print $2}' | awk -F. '{print $1}'`
ipnumber=`ifconfig eth0 | grep 'inet ' | awk '{print $2}' | awk -F: '{print $2}'`
echo "$ipnumber ${shorthostname}.cern.ch $shorthostname" >>/etc/hosts
echo "Setting gmond.conf"|logger -s -t "ec2"
cat /etc/ganglia/gmond.conf.template | sed \
-e "s/override_hostname =.*/override_hostname = \"${shorthostname}.cern.ch\"/" \
> /etc/ganglia/gmond.conf
# -e "s/override_ip =.*/override_ip = ${ipnumber}/" \
echo "Starting gmond"|logger -s -t "ec2"
/sbin/service gmond start
echo "Checking CVMFS access to CMS area..."|logger -s -t "ec2"
cd /cvmfs/cms.cern.ch
sleep 5
ls /cvmfs/cms.cern.ch/cmsset_default.sh
if
[ -e "/cvmfs/cms.cern.ch/cmsset_default.sh" ]
then
echo "/cvmfs/cms.cern.ch/cmsset_default.sh exists"|logger -s -t "ec2"
echo "CVMFS check passed"|logger -s -t "ec2"
exit
else
echo "CVMFS check failed"|logger -s -t "ec2"
# /sbin/poweroff
fi