Revamp basic OS installation and settings for Alpine

This commit is contained in:
Disassembler 2017-12-18 22:16:21 +01:00
parent f0afd6e596
commit aa100397f1
15 changed files with 332 additions and 925 deletions


@ -1,153 +1,51 @@
#!/bin/bash
#!/bin/sh
SOURCE_DIR=$(realpath $(dirname "${0}"))/basic
export DEBIAN_FRONTEND="noninteractive"
# Uninstall unnecessary packages
apt-get -y purge bsdmainutils dictionaries-common emacsen-common iamerican ibritish ienglish-common installation-report ispell laptop-detect nano os-prober task-english tasksel tasksel-data wamerican
# Install useful packages
apt-get -y update
apt-get -y --no-install-recommends install apt-transport-https bash-completion ca-certificates curl file git htop ntp openssl sudo tree unzip vim
######
# OpenSSH and user settings
#####
# Install OpenSSH server
apt-get -y --no-install-recommends install openssh-server
mkdir ~/.ssh
cp ${SOURCE_DIR}/root/.ssh/authorized_keys /root/.ssh/authorized_keys
# Install packages
apk --no-cache add docker gettext git htop kbd-misc libressl openssh-server openssh-sftp-server postfix nginx
# Copy profile files and settings
mkdir /root/.ssh
mkdir -p /root/.config/htop
cp ${SOURCE_DIR}/root/.bashrc /root/.bashrc
cp ${SOURCE_DIR}/root/.ssh/authorized_keys /root/.ssh/authorized_keys
cp ${SOURCE_DIR}/root/.config/htop/htoprc /root/.config/htop/htoprc
cp ${SOURCE_DIR}/root/.vimrc /root/.vimrc
# Remove default user
deluser --remove-all-files user 2>/dev/null
#####
# System boot
#####
# Rename encrypted partition
sed -i 's/sda2_crypt/system/' /etc/crypttab
dmsetup rename sda2_crypt system
# Suppress warnings during boot
cp ${SOURCE_DIR}/usr/share/initramfs-tools/scripts/local-top/lvm2 /usr/share/initramfs-tools/scripts/local-top/lvm2
cp ${SOURCE_DIR}/usr/share/initramfs-tools/scripts/local-top/cryptroot /usr/share/initramfs-tools/scripts/local-top/cryptroot
# Set GRUB options
cp ${SOURCE_DIR}/etc/default/grub /etc/default/grub
# Set legal banner with URL + latin2 character set
cp ${SOURCE_DIR}/etc/default/console-setup /etc/default/console-setup
cp ${SOURCE_DIR}/etc/issue /etc/issue
dpkg-reconfigure console-setup
# Copy boot configuration
cp ${SOURCE_DIR}/boot/extlinux.conf /boot/extlinux.conf
# Forbid login on tty1, disable tty2-6
cp ${SOURCE_DIR}/lib/systemd/system/getty@.service /lib/systemd/system/getty@.service
systemctl mask getty-static
cp ${SOURCE_DIR}/etc/inittab /etc/inittab
# Update initramfs and GRUB
update-initramfs -u
update-grub
# Enable support for Czech characters
cp ${SOURCE_DIR}/etc/rc.conf /etc/rc.conf
cp ${SOURCE_DIR}/etc/conf.d/consolefont /etc/conf.d/consolefont
rc-update add consolefont boot
#####
# Postfix
#####
# Preconfigure
echo postfix postfix/main_mailer_type string "Satellite system" | debconf-set-selections
echo postfix postfix/mailname string "$(hostname -f)" | debconf-set-selections
echo postfix postfix/relayhost string "" | debconf-set-selections
# Install packages
apt-get -y --no-install-recommends install postfix
# Set legal banner with URL
cp ${SOURCE_DIR}/etc/issue.template /etc/issue.template
cp ${SOURCE_DIR}/sbin/issue-gen /sbin/issue-gen # TODO: Make executable
# Configure Postfix
cp ${SOURCE_DIR}/etc/postfix/main.cf /etc/postfix/main.cf
# Restart services
systemctl restart postfix
#####
# Docker
#####
# Add Docker repository
echo 'deb https://download.docker.com/linux/debian stretch stable' > /etc/apt/sources.list.d/docker.list
wget https://download.docker.com/linux/debian/gpg -O - | apt-key add -
apt-get -y update
# Install packages
apt-get -y --no-install-recommends install docker-ce
# Install docker-compose
# wget https://github.com/docker/compose/releases/download/1.17.1/docker-compose-Linux-x86_64 -O /usr/local/bin/docker-compose
# chmod +x /usr/local/bin/docker-compose
#####
# Nginx + uWSGI
#####
# Install packages
apt-get -y --no-install-recommends install nginx-light uwsgi uwsgi-plugin-python
# cp ${SOURCE_DIR}/etc/postfix/main.cf /etc/postfix/main.cf
# Create a self-signed certificate
mkdir /etc/ssl/private
openssl req -x509 -new -out /etc/ssl/certs/services.pem -keyout /etc/ssl/private/services.key -nodes -days 3654 -subj "/C=CZ/CN=$(hostname -f)"
chgrp ssl-cert /etc/ssl/private/services.key
chmod 640 /etc/ssl/private/services.key
# Configure nginx
mkdir /etc/nginx/apps-available /etc/nginx/apps-enabled
cp ${SOURCE_DIR}/etc/nginx/nginx.conf /etc/nginx/nginx.conf
cp ${SOURCE_DIR}/etc/nginx/sites-available/default /etc/nginx/sites-available/default
# Workaround for web2py shutdown problem, see https://github.com/web2py/web2py/issues/1769
sed -i 's|QUIT/30|QUIT/5|' /usr/share/uwsgi/init/specific_daemon
# cp ${SOURCE_DIR}/etc/nginx/nginx.conf /etc/nginx/nginx.conf
# cp ${SOURCE_DIR}/etc/nginx/sites-available/default /etc/nginx/sites-available/default
# Copy Portal resources
cp -r ${SOURCE_DIR}/usr/local/bin/portal-app-manager /usr/local/bin/portal-app-manager
cp ${SOURCE_DIR}/usr/local/bin/portal-app-manager /usr/local/bin/portal-app-manager
cp -r ${SOURCE_DIR}/srv/portal /srv/portal
chown -R www-data:www-data /srv/portal
# Restart
systemctl restart nginx
# Configure services
for SERVICE in docker nginx postfix sshd; do
rc-update add ${SERVICE} boot
service ${SERVICE} start
done
#####
# MariaDB
#####
# Install packages
apt-get -y --no-install-recommends install mariadb-server
# Enable query logging. Only if the DEBUG environment variable is set
if [ ${DEBUG:-0} -eq 1 ]; then
sed -i 's/#general_log/general_log/g' /etc/mysql/mariadb.conf.d/50-server.cnf
fi
# Restart
systemctl restart mysqld
#####
# Tomcat
#####
# Install packages
apt-get -y --no-install-recommends install libservlet3.1-java openjdk-8-jre-headless tomcat8
# Configure
cp ${SOURCE_DIR}/etc/tomcat8/server.xml /etc/tomcat8/server.xml
# Restart
systemctl restart tomcat8
# TODO: Hide OpenRC output
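Review bot: The `mkdir /root/.ssh` and `cp ${SOURCE_DIR}/root/.ssh/authorized_keys /root/.ssh/authorized_keys` lines create root's key material with whatever mode the umask yields and nothing tightens it afterwards; sshd's StrictModes check rejects a group- or world-writable `~/.ssh`, and the key file should not be readable by other users in any case. `mkdir -m 700 /root/.ssh` followed by `install -m 600 "${SOURCE_DIR}/root/.ssh/authorized_keys" /root/.ssh/authorized_keys` fixes both in place, and the same form resolves the `# TODO: Make executable` left on the issue-gen copy: `install -m 755 "${SOURCE_DIR}/sbin/issue-gen" /sbin/issue-gen`. The script now runs under `#!/bin/sh` with no `set -e`, so a failed `apk add` or `cp` is silently skipped and every later step runs against a half-configured host; `set -eu` right after the shebang stops at the first failure. Old (Debian) and new (Alpine) lines are not distinguishable on this page, so this assumes the `/root/.ssh` and `issue-gen` lines are on the new side.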

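--- /dev/null
+++ b/basic/boot/extlinux.conf
@@ -0,0 +1,6 @@
+DEFAULT vm
+SAY Startuji SpotterVM...
+LABEL vm
+LINUX vmlinuz-virthardened
+INITRD initramfs-virthardened
+APPEND root=/dev/vg0/root modules=sd-mod,usb-storage,ext4 pax_nouderef quiet rootfstype=ext4 cryptroot=/dev/sda2 cryptdm=system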
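Review bot: `cryptroot=/dev/sda2` on the APPEND line binds the LUKS container to a kernel enumeration name, so attaching or reordering a disk in the VM leaves the initramfs unable to find the root device. If the Alpine initramfs in use accepts it, `cryptroot=UUID=<luks-uuid-placeholder>` makes the lookup independent of enumeration order; the Debian-side lines this commit removes from the install script (`sed -i 's/sda2_crypt/system/' /etc/crypttab`) relied on the same fixed name, so this file is the natural place to break that dependency.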


@ -0,0 +1,11 @@
# The consolefont service is not activated by default. If you need to
# use it, you should run "rc-update add consolefont boot" as root.
#
# consolefont specifies the default font that you'd like Linux to use on the
# console. You can find a good selection of fonts in /usr/share/consolefonts;
consolefont="lat2-sun16.psfu.gz"
# consoletranslation is the charset map file to use. Leave commented to use
# the default one. Have a look in /usr/share/consoletrans for a selection of
# map files you can use.
consoletranslation="8859-2_to_uni.trans"


@ -1,16 +0,0 @@
# CONFIGURATION FILE FOR SETUPCON
# Consult the console-setup(5) manual page.
ACTIVE_CONSOLES="/dev/tty[1-6]"
CHARMAP="UTF-8"
CODESET="Lat2"
FONTFACE="Fixed"
FONTSIZE="8x16"
VIDEOMODE=
# The following is an example how to use a braille font
# FONT='lat9w-08.psf.gz brl-8x8.psf'


@ -1,34 +0,0 @@
# If you change this file, run 'update-grub' afterwards to update
# /boot/grub/grub.cfg.
# For full documentation of the options in this file, see:
# info -f grub -n 'Simple configuration'
GRUB_DEFAULT=0
GRUB_TIMEOUT=0
GRUB_RECORDFAIL_TIMEOUT=0
GRUB_FORCE_HIDDEN_MENU="true"
GRUB_DISTRIBUTOR=`lsb_release -i -s 2> /dev/null || echo Debian`
GRUB_CMDLINE_LINUX_DEFAULT="quiet loglevel=0"
GRUB_CMDLINE_LINUX=""
# Uncomment to enable BadRAM filtering, modify to suit your needs
# This works with Linux (no patch required) and with any kernel that obtains
# the memory map information from GRUB (GNU Mach, kernel of FreeBSD ...)
#GRUB_BADRAM="0x01234567,0xfefefefe,0x89abcdef,0xefefefef"
# Uncomment to disable graphical terminal (grub-pc only)
#GRUB_TERMINAL=console
# The resolution used on graphical terminal
# note that you can use only modes which your graphic card supports via VBE
# you can see them in real GRUB with the command `vbeinfo'
#GRUB_GFXMODE=640x480
# Uncomment if you don't want GRUB to pass "root=UUID=xxx" parameter to Linux
#GRUB_DISABLE_LINUX_UUID=true
# Uncomment to disable generation of recovery mode menu entries
GRUB_DISABLE_RECOVERY="true"
# Uncomment to get a beep at grub start
#GRUB_INIT_TUNE="480 440 1"

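--- /dev/null
+++ b/basic/etc/inittab
@@ -0,0 +1,26 @@
+# /etc/inittab
+::sysinit:/sbin/openrc sysinit
+::sysinit:/sbin/openrc boot
+::wait:/sbin/openrc default
+# Set up a couple of getty's
+::wait:/sbin/issue-gen
+tty1::respawn:/sbin/getty -l /sbin/nologin 38400 tty1
+#tty2::respawn:/sbin/getty 38400 tty2
+#tty3::respawn:/sbin/getty 38400 tty3
+#tty4::respawn:/sbin/getty 38400 tty4
+#tty5::respawn:/sbin/getty 38400 tty5
+#tty6::respawn:/sbin/getty 38400 tty6
+# Put a getty on the serial port
+#ttyS0::respawn:/sbin/getty -L ttyS0 115200 vt100
+# Stuff to do for the 3-finger salute
+::ctrlaltdel:/sbin/reboot
+# Stuff to do before rebooting
+::shutdown:/sbin/openrc shutdown
+# enable login on alternative console
+#ttyS0::respawn:/sbin/getty -L 115200 ttyS0 vt100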
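Review bot: `::ctrlaltdel:/sbin/reboot` keeps the stock behaviour of rebooting on Ctrl-Alt-Del from the console, while the rest of this file deliberately removes console logins (tty1 runs getty with `-l /sbin/nologin`, tty2-6 are commented out), so an unauthenticated person at the console can still bounce the VM. If that is not intended, comment the entry out: `#::ctrlaltdel:/sbin/reboot`. The `::wait:/sbin/issue-gen` entry also depends on that file being executable, which the install script in this commit still marks as a TODO.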


@ -1,11 +1,11 @@
 _____ _ _ _____ _ _
/ ____| | | | | / ____| | | |
| (___ _ __ ___ | |_| |_ ___ _ __ | | | |_ _ ___| |_ ___ _ __
\\___ \\| '_ \\ / _ \\| __| __/ _ \\ '__| | | | | | | / __| __/ _ \\ '__|
____) | |_) | (_) | |_| || __/ | | |____| | |_| \\__ \\ || __/ |
|_____/| .__/ \\___/ \\__|\\__\\___|_| \\_____|_|\\__,_|___/\\__\\___|_|
| |
 _____ _ _ __ ____ __
/ ____| | | | | \\ \\ / / \\/ |
| (___ _ __ ___ | |_| |_ ___ _ _\\ \\ / /| \\ / |
\\___ \\| '_ \\ / _ \\| __| __/ _ \\ '__\\ \\/ / | |\\/| |
____) | |_) | (_) | |_| || __/ | \\ / | | | |
|_____/| .__/ \\___/ \\__|\\__\\___|_| \\/ |_| |_|
| |
|_|
@ -25,7 +25,7 @@
Pro přístup k aplikacím otevřete URL https://\4/ ve Vašem
Pro přístup k aplikacím otevřete URL https://${URL}/ ve Vašem
internetovém prohlížeči.

basic/etc/rc.conf Normal file

@ -0,0 +1,251 @@
# Global OpenRC configuration settings
# Set to "YES" if you want the rc system to try and start services
# in parallel for a slight speed improvement. When running in parallel we
# prefix the service output with its name as the output will get
# jumbled up.
# WARNING: whilst we have improved parallel, it can still potentially lock
# the boot process. Don't file bugs about this unless you can supply
# patches that fix it without breaking other things!
#rc_parallel="NO"
# Set rc_interactive to "YES" and you'll be able to press the I key during
# boot so you can choose to start specific services. Set to "NO" to disable
# this feature. This feature is automatically disabled if rc_parallel is
# set to YES.
#rc_interactive="YES"
# If we need to drop to a shell, you can specify it here.
# If not specified we use $SHELL, otherwise the one specified in /etc/passwd,
# otherwise /bin/sh
# Linux users could specify /sbin/sulogin
#rc_shell=/bin/sh
# Do we allow any started service in the runlevel to satisfy the dependency
# or do we want all of them regardless of state? For example, if net.eth0
# and net.eth1 are in the default runlevel then with rc_depend_strict="NO"
# both will be started, but services that depend on 'net' will work if either
# one comes up. With rc_depend_strict="YES" we would require them both to
# come up.
#rc_depend_strict="YES"
# rc_hotplug controls which services we allow to be hotplugged.
# A hotplugged service is one started by a dynamic dev manager when a matching
# hardware device is found.
# Hotplugged services appear in the "hotplugged" runlevel.
# If rc_hotplug is set to any value, we compare the name of this service
# to every pattern in the value, from left to right, and we allow the
# service to be hotplugged if it matches a pattern, or if it matches no
# patterns. Patterns can include shell wildcards.
# To disable services from being hotplugged, prefix patterns with "!".
#If rc_hotplug is not set or is empty, all hotplugging is disabled.
# Example - rc_hotplug="net.wlan !net.*"
# This allows net.wlan and any service not matching net.* to be hotplugged.
# Example - rc_hotplug="!net.*"
# This allows services that do not match "net.*" to be hotplugged.
# rc_logger launches a logging daemon to log the entire rc process to
# /var/log/rc.log
# NOTE: Linux systems require the devfs service to be started before
# logging can take place and as such cannot log the sysinit runlevel.
#rc_logger="NO"
# Through rc_log_path you can specify a custom log file.
# The default value is: /var/log/rc.log
#rc_log_path="/var/log/rc.log"
# If you want verbose output for OpenRC, set this to yes. If you want
# verbose output for service foo only, set it to yes in /etc/conf.d/foo.
#rc_verbose=no
# By default we filter the environment for our running scripts. To allow other
# variables through, add them here. Use a * to allow all variables through.
#rc_env_allow="VAR1 VAR2"
# By default we assume that all daemons will start correctly.
# However, some do not - a classic example is that they fork and return 0 AND
# then child barfs on a configuration error. Or the daemon has a bug and the
# child crashes. You can set the number of milliseconds start-stop-daemon
# waits to check that the daemon is still running after starting here.
# The default is 0 - no checking.
#rc_start_wait=100
# rc_nostop is a list of services which will not stop when changing runlevels.
# This still allows the service itself to be stopped when called directly.
#rc_nostop=""
# rc will attempt to start crashed services by default.
# However, it will not stop them by default as that could bring down other
# critical services.
#rc_crashed_stop=NO
#rc_crashed_start=YES
# Set rc_nocolor to yes if you do not want colors displayed in OpenRC
# output.
#rc_nocolor=NO
##############################################################################
# MISC CONFIGURATION VARIABLES
# There variables are shared between many init scripts
# Set unicode to YES to turn on unicode support for keyboards and screens.
#unicode="NO"
unicode="YES"
# This is how long fuser should wait for a remote server to respond. The
# default is 60 seconds, but it can be adjusted here.
#rc_fuser_timeout=60
# Below is the default list of network fstypes.
#
# afs ceph cifs coda davfs fuse fuse.sshfs gfs glusterfs lustre ncpfs
# nfs nfs4 ocfs2 shfs smbfs
#
# If you would like to add to this list, you can do so by adding your
# own fstypes to the following variable.
#extra_net_fs_list=""
##############################################################################
# SERVICE CONFIGURATION VARIABLES
# These variables are documented here, but should be configured in
# /etc/conf.d/foo for service foo and NOT enabled here unless you
# really want them to work on a global basis.
# If your service has characters in its name which are not legal in
# shell variable names and you configure the variables for it in this
# file, those characters should be replaced with underscores in the
# variable names as shown below.
# Some daemons are started and stopped via start-stop-daemon.
# We can set some things on a per service basis, like the nicelevel.
#SSD_NICELEVEL="-19"
# Or the ionice level. The format is class[:data] , just like the
# --ionice start-stop-daemon parameter.
#SSD_IONICELEVEL="2:2"
# Pass ulimit parameters
# If you are using bash in POSIX mode for your shell, note that the
# ulimit command uses a block size of 512 bytes for the -c and -f
# options
#rc_ulimit="-u 30"
# It's possible to define extra dependencies for services like so
#rc_config="/etc/foo"
#rc_need="openvpn"
#rc_use="net.eth0"
#rc_after="clock"
#rc_before="local"
#rc_provide="!net"
# You can also enable the above commands here for each service. Below is an
# example for service foo.
#rc_foo_config="/etc/foo"
#rc_foo_need="openvpn"
#rc_foo_after="clock"
# Below is an example for service foo-bar. Note that the '-' is illegal
# in a shell variable name, so we convert it to an underscore.
# example for service foo-bar.
#rc_foo_bar_config="/etc/foo-bar"
#rc_foo_bar_need="openvpn"
#rc_foo_bar_after="clock"
# You can also remove dependencies.
# This is mainly used for saying which services do NOT provide net.
#rc_net_tap0_provide="!net"
# This is the subsystem type.
# It is used to match against keywords set by the keyword call in the
# depend function of service scripts.
#
# It should be set to the value representing the environment this file is
# PRESENTLY in, not the virtualization the environment is capable of.
# If it is commented out, automatic detection will be used.
#
# The list below shows all possible settings as well as the host
# operating systems where they can be used and autodetected.
#
# "" - nothing special
# "docker" - Docker container manager (Linux)
# "jail" - Jail (DragonflyBSD or FreeBSD)
# "lxc" - Linux Containers
# "openvz" - Linux OpenVZ
# "prefix" - Prefix
# "rkt" - CoreOS container management system (Linux)
# "subhurd" - Hurd subhurds (to be checked)
# "systemd-nspawn" - Container created by systemd-nspawn (Linux)
# "uml" - Usermode Linux
# "vserver" - Linux vserver
# "xen0" - Xen0 Domain (Linux and NetBSD)
# "xenU" - XenU Domain (Linux and NetBSD)
#rc_sys=""
# on Linux and Hurd, this is the number of ttys allocated for logins
# It is used in the consolefont, keymaps, numlock and termencoding
# service scripts.
rc_tty_number=12
##############################################################################
# LINUX CGROUPS RESOURCE MANAGEMENT
# If you have cgroups turned on in your kernel, this switch controls
# whether or not a group for each controller is mounted under
# /sys/fs/cgroup.
# None of the other options in this section work if this is set to "NO".
#rc_controller_cgroups="YES"
# The following settings allow you to set up values for the cgroup
# controllers for your services.
# They can be set in this file;, however, if you do this, the settings
# will apply to all of your services.
# If you want different settings for each service, place the settings in
# /etc/conf.d/foo for service foo.
# The format is to specify the names of the settings followed by their
# values. Each variable can hold multiple settings.
# For example, you would use this to set the cpu.shares setting in the
# cpu controller to 512 for your service.
# rc_cgroup_cpu="
# cpu.shares 512
# "
#
#For more information about the adjustments that can be made with
#cgroups, see Documentation/cgroups/* in the linux kernel source tree.
# Set the blkio controller settings for this service.
#rc_cgroup_blkio=""
# Set the cpu controller settings for this service.
#rc_cgroup_cpu=""
# Add this service to the cpuacct controller (any value means yes).
#rc_cgroup_cpuacct=""
# Set the cpuset controller settings for this service.
#rc_cgroup_cpuset=""
# Set the devices controller settings for this service.
#rc_cgroup_devices=""
# Set the hugetlb controller settings for this service.
#rc_cgroup_hugetlb=""
# Set the memory controller settings for this service.
#rc_cgroup_memory=""
# Set the net_cls controller settings for this service.
#rc_cgroup_net_cls=""
# Set the net_prio controller settings for this service.
#rc_cgroup_net_prio=""
# Set the pids controller settings for this service.
#rc_cgroup_pids=""
# Set this to YES if you want all of the processes in a service's cgroup
# killed when the service is stopped or restarted.
# This should not be set globally because it kills all of the service's
# child processes, and most of the time this is undesirable. Please set
# it in /etc/conf.d/<service>.
# To perform this cleanup manually for a stopped service, you can
# execute cgroup_cleanup with /etc/init.d/<service> cgroup_cleanup or
# rc-service <service> cgroup_cleanup.
# rc_cgroup_cleanup="NO"


@ -1,169 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<!-- Note: A "Server" is not itself a "Container", so you may not
define subcomponents such as "Valves" at this level.
Documentation at /docs/config/server.html
-->
<Server port="9005" shutdown="SHUTDOWN">
<Listener className="org.apache.catalina.startup.VersionLoggerListener" />
<!-- Security listener. Documentation at /docs/config/listeners.html
<Listener className="org.apache.catalina.security.SecurityListener" />
-->
<!--APR library loader. Documentation at /docs/apr.html -->
<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
<!-- Prevent memory leaks due to use of particular java/javax APIs-->
<Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
<Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
<Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />
<!-- Global JNDI resources
Documentation at /docs/jndi-resources-howto.html
-->
<GlobalNamingResources>
<!-- Editable user database that can also be used by
UserDatabaseRealm to authenticate users
-->
<Resource name="UserDatabase" auth="Container"
type="org.apache.catalina.UserDatabase"
description="User database that can be updated and saved"
factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
pathname="conf/tomcat-users.xml" />
</GlobalNamingResources>
<!-- A "Service" is a collection of one or more "Connectors" that share
a single "Container" Note: A "Service" is not itself a "Container",
so you may not define subcomponents such as "Valves" at this level.
Documentation at /docs/config/service.html
-->
<Service name="Catalina">
<!--The connectors can use a shared executor, you can define one or more named thread pools-->
<!--
<Executor name="tomcatThreadPool" namePrefix="catalina-exec-"
maxThreads="150" minSpareThreads="4"/>
-->
<!-- A "Connector" represents an endpoint by which requests are received
and responses are returned. Documentation at :
Java HTTP Connector: /docs/config/http.html
Java AJP Connector: /docs/config/ajp.html
APR (HTTP/AJP) Connector: /docs/apr.html
Define a non-SSL/TLS HTTP/1.1 Connector on port 8080
-->
<Connector address="127.0.0.1" port="9080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443" />
<!-- A "Connector" using the shared thread pool-->
<!--
<Connector executor="tomcatThreadPool"
port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443" />
-->
<!-- Define a SSL/TLS HTTP/1.1 Connector on port 8443
This connector uses the NIO implementation. The default
SSLImplementation will depend on the presence of the APR/native
library and the useOpenSSL attribute of the
AprLifecycleListener.
Either JSSE or OpenSSL style configuration may be used regardless of
the SSLImplementation selected. JSSE style configuration is used below.
-->
<!--
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true">
<SSLHostConfig>
<Certificate certificateKeystoreFile="conf/localhost-rsa.jks"
type="RSA" />
</SSLHostConfig>
</Connector>
-->
<!-- Define a SSL/TLS HTTP/1.1 Connector on port 8443 with HTTP/2
This connector uses the APR/native implementation which always uses
OpenSSL for TLS.
Either JSSE or OpenSSL style configuration may be used. OpenSSL style
configuration is used below.
-->
<!--
<Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
maxThreads="150" SSLEnabled="true" >
<UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
<SSLHostConfig>
<Certificate certificateKeyFile="conf/localhost-rsa-key.pem"
certificateFile="conf/localhost-rsa-cert.pem"
certificateChainFile="conf/localhost-rsa-chain.pem"
type="RSA" />
</SSLHostConfig>
</Connector>
-->
<!-- Define an AJP 1.3 Connector on port 8009 -->
<!--
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
-->
<!-- An Engine represents the entry point (within Catalina) that processes
every request. The Engine implementation for Tomcat stand alone
analyzes the HTTP headers included with the request, and passes them
on to the appropriate Host (virtual host).
Documentation at /docs/config/engine.html -->
<!-- You should set jvmRoute to support load-balancing via AJP ie :
<Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1">
-->
<Engine name="Catalina" defaultHost="localhost">
<!--For clustering, please take a look at documentation at:
/docs/cluster-howto.html (simple how to)
/docs/config/cluster.html (reference documentation) -->
<!--
<Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
-->
<!-- Use the LockOutRealm to prevent attempts to guess user passwords
via a brute-force attack -->
<Realm className="org.apache.catalina.realm.LockOutRealm">
<!-- This Realm uses the UserDatabase configured in the global JNDI
resources under the key "UserDatabase". Any edits
that are performed against this UserDatabase are immediately
available for use by the Realm. -->
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
resourceName="UserDatabase"/>
</Realm>
<Host name="localhost" appBase="webapps"
unpackWARs="true" autoDeploy="true">
<!-- SingleSignOn valve, share authentication between web applications
Documentation at: /docs/config/valve.html -->
<!--
<Valve className="org.apache.catalina.authenticator.SingleSignOn" />
-->
<!-- Access log processes all example.
Documentation at: /docs/config/valve.html
Note: The pattern used is equivalent to using pattern="common" -->
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
prefix="localhost_access_log" suffix=".txt"
pattern="%h %l %u %t &quot;%r&quot; %s %b" />
</Host>
</Engine>
</Service>
</Server>


@ -1,53 +0,0 @@
# This file is part of systemd.
#
# systemd is free software; you can redistribute it and/or modify it
# under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation; either version 2.1 of the License, or
# (at your option) any later version.
[Unit]
Description=Getty on %I
Documentation=man:agetty(8) man:systemd-getty-generator(8)
Documentation=http://0pointer.de/blog/projects/serial-console.html
After=systemd-user-sessions.service plymouth-quit-wait.service
After=rc-local.service
# If additional gettys are spawned during boot then we should make
# sure that this is synchronized before getty.target, even though
# getty.target didn't actually pull it in.
Before=getty.target
IgnoreOnIsolate=yes
# IgnoreOnIsolate causes issues with sulogin, if someone isolates
# rescue.target or starts rescue.service from multi-user.target or
# graphical.target.
Conflicts=rescue.service
Before=rescue.service
# On systems without virtual consoles, don't start any getty. Note
# that serial gettys are covered by serial-getty@.service, not this
# unit.
ConditionPathExists=/dev/tty0
[Service]
# the VT is cleared by TTYVTDisallocate
ExecStart=-/sbin/agetty -l /usr/sbin/nologin %I $TERM
Type=idle
Restart=always
RestartSec=0
UtmpIdentifier=%I
TTYPath=/dev/%I
TTYReset=yes
TTYVHangup=yes
TTYVTDisallocate=yes
KillMode=process
IgnoreSIGPIPE=no
SendSIGHUP=yes
# Unset locale for the console getty since the console has problems
# displaying some internationalized messages.
Environment=LANG= LANGUAGE= LC_CTYPE= LC_NUMERIC= LC_TIME= LC_COLLATE= LC_MONETARY= LC_MESSAGES= LC_PAPER= LC_NAME= LC_ADDRESS= LC_TELEPHONE= LC_MEASUREMENT= LC_IDENTIFICATION=
[Install]
WantedBy=getty.target
DefaultInstance=tty1


@ -1,25 +0,0 @@
shopt -s histappend
HISTSIZE=10000
HISTFILESIZE=20000
HISTTIMEFORMAT="(%F %T) "
PROMPT_COMMAND="history -a"
case "$TERM" in
xterm*|rxvt*)
PS1="\[\e]0;${debian_chroot:+($debian_chroot)}\u@\H:\w\a\]$PS1"
;;
*)
;;
esac
eval "`dircolors`"
COLOR="--color=auto"
if [ -f /etc/bash_completion ]; then
. /etc/bash_completion
fi
alias ls='ls --color=auto'
alias ll='ls -la --color=auto'
alias l='ls -a --color=auto'
alias grep='grep --color=auto'


@ -1,2 +0,0 @@
runtime! defaults.vim
set mouse-=a

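--- /dev/null
+++ b/basic/sbin/issue-gen
@@ -0,0 +1,4 @@
+#!/bin/sh
+export URL=$(ip route get 1 | awk '{print $NF;exit}')
+envsubst </etc/issue.template >/etc/issue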
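Review bot: `awk '{print $NF;exit}'` takes the last field of the first line of `ip route get 1`, which is the `src` address only when `src` happens to be the final field; iproute2 builds that append `uid 0` to that line would make `$NF` print `0`, so the banner would advertise `https://0/`. Selecting the field after the `src` keyword works for both busybox and iproute2 output: `export URL=$(ip route get 1 | awk '{for (i = 1; i <= NF; i++) if ($i == "src") { print $(i + 1); exit }}')`. With no default route the command yields an empty string and the template is still rendered as `https:///`; a guard such as `[ -n "$URL" ] || exit 0` before the `envsubst` line leaves the previous `/etc/issue` untouched in that case. `envsubst` with no argument also expands every `$NAME` in the template, so `envsubst '${URL}'` keeps any other dollar sign in the banner literal.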


@ -1,425 +0,0 @@
#!/bin/sh
PREREQ="cryptroot-prepare"
#
# Standard initramfs preamble
#
prereqs()
{
# Make sure that cryptroot is run last in local-top
for req in $(dirname $0)/*; do
script=${req##*/}
if [ $script != cryptroot ]; then
echo $script
fi
done
}
case $1 in
prereqs)
prereqs
exit 0
;;
esac
# source for log_*_msg() functions, see LP: #272301
. /scripts/functions
#
# Helper functions
#
message()
{
if [ -x /bin/plymouth ] && plymouth --ping; then
plymouth message --text="$@"
else
echo "$@" >&2
fi
return 0
}
udev_settle()
{
# Wait for udev to be ready, see https://launchpad.net/bugs/85640
if command -v udevadm >/dev/null 2>&1; then
udevadm settle --timeout=30
elif command -v udevsettle >/dev/null 2>&1; then
udevsettle --timeout=30
fi
return 0
}
parse_options()
{
local cryptopts
cryptopts="$1"
if [ -z "$cryptopts" ]; then
return 1
fi
# Defaults
cryptcipher=aes-cbc-essiv:sha256
cryptsize=256
crypthash=ripemd160
crypttarget=cryptroot
cryptsource=""
cryptheader=""
cryptlvm=""
cryptkeyscript=""
cryptkey="" # This is only used as an argument to an eventual keyscript
cryptkeyslot=""
crypttries=3
crypttcrypt=""
cryptveracrypt=""
cryptrootdev=""
cryptdiscard=""
CRYPTTAB_OPTIONS=""
local IFS=" ,"
for x in $cryptopts; do
case $x in
hash=*)
crypthash=${x#hash=}
;;
size=*)
cryptsize=${x#size=}
;;
cipher=*)
cryptcipher=${x#cipher=}
;;
target=*)
crypttarget=${x#target=}
export CRYPTTAB_NAME="$crypttarget"
;;
source=*)
cryptsource=${x#source=}
if [ ${cryptsource#UUID=} != $cryptsource ]; then
cryptsource="/dev/disk/by-uuid/${cryptsource#UUID=}"
elif [ ${cryptsource#LABEL=} != $cryptsource ]; then
cryptsource="/dev/disk/by-label/$(printf '%s' "${cryptsource#LABEL=}" | sed 's,/,\\x2f,g')"
fi
export CRYPTTAB_SOURCE="$cryptsource"
;;
header=*)
cryptheader=${x#header=}
if [ ! -e "$cryptheader" ] && [ -e "/conf/conf.d/cryptheader/$cryptheader" ]; then
cryptheader="/conf/conf.d/cryptheader/$cryptheader"
fi
export CRYPTTAB_HEADER="$cryptheader"
;;
lvm=*)
cryptlvm=${x#lvm=}
;;
keyscript=*)
cryptkeyscript=${x#keyscript=}
;;
key=*)
if [ "${x#key=}" != "none" ]; then
cryptkey=${x#key=}
fi
export CRYPTTAB_KEY="$cryptkey"
;;
keyslot=*)
cryptkeyslot=${x#keyslot=}
;;
tries=*)
crypttries="${x#tries=}"
case "$crypttries" in
*[![:digit:].]*)
crypttries=3
;;
esac
;;
tcrypt)
crypttcrypt="yes"
;;
veracrypt)
cryptveracrypt="--veracrypt"
;;
rootdev)
cryptrootdev="yes"
;;
discard)
cryptdiscard="yes"
;;
esac
PARAM="${x%=*}"
if [ "$PARAM" = "$x" ]; then
VALUE="yes"
else
VALUE="${x#*=}"
fi
CRYPTTAB_OPTIONS="$CRYPTTAB_OPTIONS $PARAM"
eval export CRYPTTAB_OPTION_$PARAM="\"$VALUE\""
done
export CRYPTTAB_OPTIONS
if [ -z "$cryptsource" ]; then
message "cryptsetup ($crypttarget): source parameter missing"
return 1
fi
return 0
}
activate_vg()
{
# Sanity checks
if [ ! -x /sbin/lvm ]; then
message "cryptsetup ($crypttarget): lvm is not available"
return 1
fi
# Detect and activate available volume groups
/sbin/lvm vgscan >/dev/null 2>&1
/sbin/lvm vgchange -a y --sysinit >/dev/null 2>&1
return $?
}
setup_mapping()
{
local opts count cryptopen cryptremove NEWROOT
opts="$1"
if [ -z "$opts" ]; then
return 0
fi
parse_options "$opts" || return 1
if [ -z "$cryptkeyscript" ]; then
if [ ${cryptsource#/dev/disk/by-uuid/} != $cryptsource ]; then
# UUIDs are not very helpful
diskname="$crypttarget"
else
diskname="$cryptsource ($crypttarget)"
fi
cryptkeyscript="/lib/cryptsetup/askpass"
cryptkey="Please unlock disk $diskname: "
elif ! type "$cryptkeyscript" >/dev/null; then
message "cryptsetup ($crypttarget): error - script \"$cryptkeyscript\" missing"
return 1
fi
if [ "$cryptkeyscript" = "cat" ] && [ "${cryptkey#/root/}" != "$cryptkey" ]; then
# skip the mapping if the root FS is not mounted yet
sed -rn 's/^\s*[^#]\S*\s+(\S+)\s.*/\1/p' /proc/mounts | grep -Fxq "$rootmnt" || return 1
# substitute the "/root" prefix by the real root FS mountpoint otherwise
cryptkey="${rootmnt}/${cryptkey#/root/}"
fi
if [ -n "$cryptheader" ] && ! type "$cryptheader" >/dev/null; then
message "cryptsetup ($crypttarget): error - LUKS header \"$cryptheader\" missing"
return 1
fi
# The same target can be specified multiple times
# e.g. root and resume lvs-on-lvm-on-crypto
if [ -e "/dev/mapper/$crypttarget" ]; then
return 0
fi
modprobe -q dm_crypt
# Make sure the cryptsource device is available
if [ ! -e $cryptsource ]; then
activate_vg
fi
# If the encrypted source device hasn't shown up yet, give it a
# little while to deal with removable devices
# the following lines below have been taken from
# /usr/share/initramfs-tools/scripts/local, as suggested per
# https://launchpad.net/bugs/164044
if [ ! -e "$cryptsource" ]; then
log_begin_msg "Waiting for encrypted source device..."
# Default delay is 180s
if [ -z "${ROOTDELAY}" ]; then
slumber=180
else
slumber=${ROOTDELAY}
fi
slumber=$(( ${slumber} * 10 ))
while [ ! -e "$cryptsource" ]; do
# retry for LVM devices every 10 seconds
if [ ${slumber} -eq $(( ${slumber}/100*100 )) ]; then
activate_vg
fi
/bin/sleep 0.1
slumber=$(( ${slumber} - 1 ))
[ ${slumber} -gt 0 ] || break
done
if [ ${slumber} -gt 0 ]; then
log_end_msg 0
else
log_end_msg 1 || true
fi
fi
udev_settle
# We've given up, but we'll let the user fix matters if they can
if [ ! -e "${cryptsource}" ]; then
echo " ALERT! ${cryptsource} does not exist."
echo " Check cryptopts=source= bootarg: cat /proc/cmdline"
echo " or missing modules, devices: cat /proc/modules; ls /dev"
panic -r "Dropping to a shell. Will skip ${cryptsource} if you can't fix."
fi
if [ ! -e "${cryptsource}" ]; then
return 1
fi
# Prepare commands
cryptopen="/sbin/cryptsetup -T 1"
if [ "$cryptdiscard" = "yes" ]; then
cryptopen="$cryptopen --allow-discards"
fi
if [ -n "$cryptheader" ]; then
cryptopen="$cryptopen --header=$cryptheader"
fi
if [ -n "$cryptkeyslot" ]; then
cryptopen="$cryptopen --key-slot=$cryptkeyslot"
fi
if /sbin/cryptsetup isLuks ${cryptheader:-$cryptsource} >/dev/null 2>&1; then
cryptopen="$cryptopen open --type luks $cryptsource $crypttarget --key-file=-"
elif [ "$crypttcrypt" = "yes" ]; then
cryptopen="$cryptopen open --type tcrypt $cryptveracrypt $cryptsource $crypttarget"
else
cryptopen="$cryptopen -c $cryptcipher -s $cryptsize -h $crypthash open --type plain $cryptsource $crypttarget --key-file=-"
fi
cryptremove="/sbin/cryptsetup remove $crypttarget"
NEWROOT="/dev/mapper/$crypttarget"
# Try to get a satisfactory password $crypttries times
count=0
while [ $crypttries -le 0 ] || [ $count -lt $crypttries ]; do
export CRYPTTAB_TRIED="$count"
count=$(( $count + 1 ))
if [ ! -e "$NEWROOT" ]; then
if ! crypttarget="$crypttarget" cryptsource="$cryptsource" \
$cryptkeyscript "$cryptkey" | $cryptopen; then
message "cryptsetup ($crypttarget): cryptsetup failed, bad password or options?"
continue
fi
fi
if [ ! -e "$NEWROOT" ]; then
message "cryptsetup ($crypttarget): unknown error setting up device mapping"
return 1
fi
#FSTYPE=''
#eval $(fstype < "$NEWROOT")
FSTYPE="$(/sbin/blkid -s TYPE -o value "$NEWROOT")"
# See if we need to setup lvm on the crypto device
#if [ "$FSTYPE" = "lvm" ] || [ "$FSTYPE" = "lvm2" ]; then
if [ "$FSTYPE" = "LVM_member" ] || [ "$FSTYPE" = "LVM2_member" ]; then
if [ -z "$cryptlvm" ]; then
message "cryptsetup ($crypttarget): lvm fs found but no lvm configured"
return 1
elif ! activate_vg; then
# disable error message, LP: #151532
#message "cryptsetup ($crypttarget): failed to setup lvm device"
return 1
fi
# Apparently ROOT is already set in /conf/param.conf for
# flashed kernels at least. See bugreport #759720.
if [ -f /conf/param.conf ] && grep -q "^ROOT=" /conf/param.conf; then
NEWROOT=$(sed -n 's/^ROOT=//p' /conf/param.conf)
else
NEWROOT=${cmdline_root:-/dev/mapper/$cryptlvm}
if [ "$cryptrootdev" = "yes" ]; then
# required for lilo to find the root device
echo "ROOT=$NEWROOT" >>/conf/param.conf
fi
fi
#eval $(fstype < "$NEWROOT")
FSTYPE="$(/sbin/blkid -s TYPE -o value "$NEWROOT")"
fi
#if [ -z "$FSTYPE" ] || [ "$FSTYPE" = "unknown" ]; then
if [ -z "$FSTYPE" ]; then
message "cryptsetup ($crypttarget): unknown fstype, bad password or options?"
udev_settle
$cryptremove
continue
fi
# decrease $count by 1, apparently last try was successful.
count=$(( $count - 1 ))
message "cryptsetup ($crypttarget): set up successfully"
break
done
failsleep=60 # make configurable later?
if [ "$cryptrootdev" = "yes" ] && [ $crypttries -gt 0 ] && [ $count -ge $crypttries ]; then
message "cryptsetup ($crypttarget): maximum number of tries exceeded"
message "cryptsetup: going to sleep for $failsleep seconds..."
sleep $failsleep
exit 1
fi
udev_settle
return 0
}
#
# Begin real processing
#
# Do we have any kernel boot arguments?
cmdline_cryptopts=''
unset cmdline_root
for opt in $(cat /proc/cmdline); do
case $opt in
cryptopts=*)
opt="${opt#cryptopts=}"
if [ -n "$opt" ]; then
if [ -n "$cmdline_cryptopts" ]; then
cmdline_cryptopts="$cmdline_cryptopts $opt"
else
cmdline_cryptopts="$opt"
fi
fi
;;
root=*)
opt="${opt#root=}"
case $opt in
/*) # Absolute path given. Not lilo major/minor number.
cmdline_root=$opt
;;
*) # lilo major/minor number (See #398957). Ignore
esac
;;
esac
done
if [ -n "$cmdline_cryptopts" ]; then
# Call setup_mapping separately for each possible cryptopts= setting
for cryptopt in $cmdline_cryptopts; do
setup_mapping "$cryptopt"
done
exit 0
fi
# Do we have any settings from the /conf/conf.d/cryptroot file?
if [ -r /conf/conf.d/cryptroot ]; then
while read mapping <&3; do
setup_mapping "$mapping" 3<&-
done 3< /conf/conf.d/cryptroot
fi
exit 0


@ -1,65 +0,0 @@
#!/bin/sh
PREREQ="mdadm mdrun multipath"
prereqs()
{
echo "$PREREQ"
}
case $1 in
# get pre-requisites
prereqs)
prereqs
exit 0
;;
esac
if [ ! -e /sbin/lvm ]; then
exit 0
fi
lvchange_activate() {
lvm lvchange -aay -y --sysinit --ignoreskippedcluster "$@" >/dev/null 2>&1
}
activate() {
local dev="$1"
# Make sure that we have a non-empty argument
if [ -z "$dev" ]; then
return 1
fi
case "$dev" in
# Take care of lilo boot arg, risky activating of all vg
fe[0-9]*)
lvchange_activate
exit 0
;;
# FIXME: check major
/dev/root)
lvchange_activate
exit 0
;;
/dev/mapper/*)
eval $(dmsetup splitname --nameprefixes --noheadings --rows "${dev#/dev/mapper/}")
if [ "$DM_VG_NAME" ] && [ "$DM_LV_NAME" ]; then
lvchange_activate "$DM_VG_NAME/$DM_LV_NAME"
fi
;;
/dev/*/*)
# Could be /dev/VG/LV; use lvs to check
if lvm lvs -- "$dev" >/dev/null 2>&1; then
lvchange_activate "$dev"
fi
;;
esac
}
activate "$ROOT"
activate "$resume"
exit 0