Revamp basic OS installation and settings for Alpine
parent
f0afd6e596
commit
aa100397f1
154
01-basic.sh
154
01-basic.sh
@ -1,153 +1,51 @@
|
|||||||
#!/bin/bash
|
#!/bin/sh
|
||||||
|
|
||||||
SOURCE_DIR=$(realpath $(dirname "${0}"))/basic
|
SOURCE_DIR=$(realpath $(dirname "${0}"))/basic
|
||||||
export DEBIAN_FRONTEND="noninteractive"
|
|
||||||
|
|
||||||
# Uninstall unnecessary packages
|
# Install packages
|
||||||
apt-get -y purge bsdmainutils dictionaries-common emacsen-common iamerican ibritish ienglish-common installation-report ispell laptop-detect nano os-prober task-english tasksel tasksel-data wamerican
|
apk --no-cache add docker gettext git htop kbd-misc libressl openssh-server openssh-sftp-server postfix nginx
|
||||||
|
|
||||||
# Install useful packages
|
|
||||||
apt-get -y update
|
|
||||||
apt-get -y --no-install-recommends install apt-transport-https bash-completion ca-certificates curl file git htop ntp openssl sudo tree unzip vim
|
|
||||||
|
|
||||||
|
|
||||||
######
|
|
||||||
# OpenSSH and user settings
|
|
||||||
#####
|
|
||||||
|
|
||||||
# Install OpenSSH server
|
|
||||||
apt-get -y --no-install-recommends install openssh-server
|
|
||||||
mkdir ~/.ssh
|
|
||||||
cp ${SOURCE_DIR}/root/.ssh/authorized_keys /root/.ssh/authorized_keys
|
|
||||||
|
|
||||||
# Copy profile files and settings
|
# Copy profile files and settings
|
||||||
|
mkdir /root/.ssh
|
||||||
mkdir -p /root/.config/htop
|
mkdir -p /root/.config/htop
|
||||||
cp ${SOURCE_DIR}/root/.bashrc /root/.bashrc
|
cp ${SOURCE_DIR}/root/.ssh/authorized_keys /root/.ssh/authorized_keys
|
||||||
cp ${SOURCE_DIR}/root/.config/htop/htoprc /root/.config/htop/htoprc
|
cp ${SOURCE_DIR}/root/.config/htop/htoprc /root/.config/htop/htoprc
|
||||||
cp ${SOURCE_DIR}/root/.vimrc /root/.vimrc
|
|
||||||
|
|
||||||
# Remove default user
|
# Copy boot configuration
|
||||||
deluser --remove-all-files user 2>/dev/null
|
cp ${SOURCE_DIR}/boot/extlinux.conf /boot/extlinux.conf
|
||||||
|
|
||||||
|
|
||||||
#####
|
|
||||||
# System boot
|
|
||||||
#####
|
|
||||||
|
|
||||||
# Rename encrypted partition
|
|
||||||
sed -i 's/sda2_crypt/system/' /etc/crypttab
|
|
||||||
dmsetup rename sda2_crypt system
|
|
||||||
|
|
||||||
# Suppress warnings during boot
|
|
||||||
cp ${SOURCE_DIR}/usr/share/initramfs-tools/scripts/local-top/lvm2 /usr/share/initramfs-tools/scripts/local-top/lvm2
|
|
||||||
cp ${SOURCE_DIR}/usr/share/initramfs-tools/scripts/local-top/cryptroot /usr/share/initramfs-tools/scripts/local-top/cryptroot
|
|
||||||
|
|
||||||
# Set GRUB options
|
|
||||||
cp ${SOURCE_DIR}/etc/default/grub /etc/default/grub
|
|
||||||
|
|
||||||
# Set legal banner with URL + latin2 character set
|
|
||||||
cp ${SOURCE_DIR}/etc/default/console-setup /etc/default/console-setup
|
|
||||||
cp ${SOURCE_DIR}/etc/issue /etc/issue
|
|
||||||
dpkg-reconfigure console-setup
|
|
||||||
|
|
||||||
# Forbid login on tty1, disable tty2-6
|
# Forbid login on tty1, disable tty2-6
|
||||||
cp ${SOURCE_DIR}/lib/systemd/system/getty@.service /lib/systemd/system/getty@.service
|
cp ${SOURCE_DIR}/etc/inittab /etc/inittab
|
||||||
systemctl mask getty-static
|
|
||||||
|
|
||||||
# Update initramfs and GRUB
|
# Enable support for Czech characters
|
||||||
update-initramfs -u
|
cp ${SOURCE_DIR}/etc/rc.conf /etc/rc.conf
|
||||||
update-grub
|
cp ${SOURCE_DIR}/etc/conf.d/consolefont /etc/conf.d/consolefont
|
||||||
|
rc-update add consolefont boot
|
||||||
|
|
||||||
|
# Set legal banner with URL
|
||||||
#####
|
cp ${SOURCE_DIR}/etc/issue.template /etc/issue.template
|
||||||
# Postfix
|
cp ${SOURCE_DIR}/sbin/issue-gen /sbin/issue-gen # TODO: Make executable
|
||||||
#####
|
|
||||||
|
|
||||||
# Preconfigure
|
|
||||||
echo postfix postfix/main_mailer_type string "Satellite system" | debconf-set-selections
|
|
||||||
echo postfix postfix/mailname string "$(hostname -f)" | debconf-set-selections
|
|
||||||
echo postfix postfix/relayhost string "" | debconf-set-selections
|
|
||||||
|
|
||||||
# Install packages
|
|
||||||
apt-get -y --no-install-recommends install postfix
|
|
||||||
|
|
||||||
# Configure Postfix
|
# Configure Postfix
|
||||||
cp ${SOURCE_DIR}/etc/postfix/main.cf /etc/postfix/main.cf
|
# cp ${SOURCE_DIR}/etc/postfix/main.cf /etc/postfix/main.cf
|
||||||
|
|
||||||
# Restart services
|
|
||||||
systemctl restart postfix
|
|
||||||
|
|
||||||
|
|
||||||
#####
|
|
||||||
# Docker
|
|
||||||
#####
|
|
||||||
|
|
||||||
# Add Docker repository
|
|
||||||
echo 'deb https://download.docker.com/linux/debian stretch stable' > /etc/apt/sources.list.d/docker.list
|
|
||||||
wget https://download.docker.com/linux/debian/gpg -O - | apt-key add -
|
|
||||||
apt-get -y update
|
|
||||||
|
|
||||||
# Install packages
|
|
||||||
apt-get -y --no-install-recommends install docker-ce
|
|
||||||
|
|
||||||
# Install docker-compose
|
|
||||||
# wget https://github.com/docker/compose/releases/download/1.17.1/docker-compose-Linux-x86_64 -O /usr/local/bin/docker-compose
|
|
||||||
# chmod +x /usr/local/bin/docker-compose
|
|
||||||
|
|
||||||
|
|
||||||
#####
|
|
||||||
# Nginx + uWSGI
|
|
||||||
#####
|
|
||||||
|
|
||||||
# Install packages
|
|
||||||
apt-get -y --no-install-recommends install nginx-light uwsgi uwsgi-plugin-python
|
|
||||||
|
|
||||||
# Create a self-signed certificate
|
# Create a self-signed certificate
|
||||||
|
mkdir /etc/ssl/private
|
||||||
openssl req -x509 -new -out /etc/ssl/certs/services.pem -keyout /etc/ssl/private/services.key -nodes -days 3654 -subj "/C=CZ/CN=$(hostname -f)"
|
openssl req -x509 -new -out /etc/ssl/certs/services.pem -keyout /etc/ssl/private/services.key -nodes -days 3654 -subj "/C=CZ/CN=$(hostname -f)"
|
||||||
chgrp ssl-cert /etc/ssl/private/services.key
|
|
||||||
chmod 640 /etc/ssl/private/services.key
|
chmod 640 /etc/ssl/private/services.key
|
||||||
|
|
||||||
# Configure nginx
|
# Configure nginx
|
||||||
mkdir /etc/nginx/apps-available /etc/nginx/apps-enabled
|
# cp ${SOURCE_DIR}/etc/nginx/nginx.conf /etc/nginx/nginx.conf
|
||||||
cp ${SOURCE_DIR}/etc/nginx/nginx.conf /etc/nginx/nginx.conf
|
# cp ${SOURCE_DIR}/etc/nginx/sites-available/default /etc/nginx/sites-available/default
|
||||||
cp ${SOURCE_DIR}/etc/nginx/sites-available/default /etc/nginx/sites-available/default
|
|
||||||
|
|
||||||
# Workaround for web2py shutdown problem, see https://github.com/web2py/web2py/issues/1769
|
|
||||||
sed -i 's|QUIT/30|QUIT/5|' /usr/share/uwsgi/init/specific_daemon
|
|
||||||
|
|
||||||
# Copy Portal resources
|
# Copy Portal resources
|
||||||
cp -r ${SOURCE_DIR}/usr/local/bin/portal-app-manager /usr/local/bin/portal-app-manager
|
cp ${SOURCE_DIR}/usr/local/bin/portal-app-manager /usr/local/bin/portal-app-manager
|
||||||
cp -r ${SOURCE_DIR}/srv/portal /srv/portal
|
cp -r ${SOURCE_DIR}/srv/portal /srv/portal
|
||||||
chown -R www-data:www-data /srv/portal
|
|
||||||
|
|
||||||
# Restart
|
# Configure services
|
||||||
systemctl restart nginx
|
for SERVICE in docker nginx postfix sshd; do
|
||||||
|
rc-update add ${SERVICE} boot
|
||||||
|
service ${SERVICE} start
|
||||||
|
done
|
||||||
|
|
||||||
#####
|
# TODO: Hide OpenRC output
|
||||||
# MariaDB
|
|
||||||
#####
|
|
||||||
|
|
||||||
# Install packages
|
|
||||||
apt-get -y --no-install-recommends install mariadb-server
|
|
||||||
|
|
||||||
# Enable query logging. Only if the DEBUG environment variable is set
|
|
||||||
if [ ${DEBUG:-0} -eq 1 ]; then
|
|
||||||
sed -i 's/#general_log/general_log/g' /etc/mysql/mariadb.conf.d/50-server.cnf
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Restart
|
|
||||||
systemctl restart mysqld
|
|
||||||
|
|
||||||
|
|
||||||
#####
|
|
||||||
# Tomcat
|
|
||||||
#####
|
|
||||||
|
|
||||||
# Install packages
|
|
||||||
apt-get -y --no-install-recommends install libservlet3.1-java openjdk-8-jre-headless tomcat8
|
|
||||||
|
|
||||||
# Configure
|
|
||||||
cp ${SOURCE_DIR}/etc/tomcat8/server.xml /etc/tomcat8/server.xml
|
|
||||||
|
|
||||||
# Restart
|
|
||||||
systemctl restart tomcat8
|
|
||||||
|
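Review bot: `/sbin/issue-gen` is copied with a `# TODO: Make executable` comment but its mode is never set, and basic/etc/inittab in this same commit runs it as `::wait:/sbin/issue-gen` at boot, so that wait entry fails on every boot until the bit is set; add `chmod 0755 /sbin/issue-gen` directly after the cp and drop the TODO. The two directories that receive secrets are created with the installer's default umask — `mkdir /etc/ssl/private` right before the `openssl req` that writes services.key, and `mkdir /root/.ssh` before authorized_keys is copied — so use `mkdir -m 0700 /etc/ssl/private` and `mkdir -m 0700 /root/.ssh` so the directory mode protects the key material as well as the file mode and sshd's StrictModes is satisfied regardless of umask. With the `chgrp ssl-cert` line removed (presumably because that group does not exist on Alpine) services.key ends up root-owned with mode 0640, which is only correct while every reader of the key runs as root; a one-line comment stating that assumption would save the next maintainer a guess. Separately, `SOURCE_DIR=$(realpath $(dirname "${0}"))/basic` leaves the inner substitution unquoted — `SOURCE_DIR=$(realpath "$(dirname "$0")")/basic` is the safe form — and since the script now runs under `#!/bin/sh` without `set -e`, a failed `apk add` lets every later cp/rc-update step run against missing packages.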
6
basic/boot/extlinux.conf
Normal file
6
basic/boot/extlinux.conf
Normal file
@ -0,0 +1,6 @@
|
|||||||
|
DEFAULT vm
|
||||||
|
SAY Startuji SpotterVM...
|
||||||
|
LABEL vm
|
||||||
|
LINUX vmlinuz-virthardened
|
||||||
|
INITRD initramfs-virthardened
|
||||||
|
APPEND root=/dev/vg0/root modules=sd-mod,usb-storage,ext4 pax_nouderef quiet rootfstype=ext4 cryptroot=/dev/sda2 cryptdm=system
|
11
basic/etc/conf.d/consolefont
Normal file
11
basic/etc/conf.d/consolefont
Normal file
@ -0,0 +1,11 @@
|
|||||||
|
# The consolefont service is not activated by default. If you need to
|
||||||
|
# use it, you should run "rc-update add consolefont boot" as root.
|
||||||
|
#
|
||||||
|
# consolefont specifies the default font that you'd like Linux to use on the
|
||||||
|
# console. You can find a good selection of fonts in /usr/share/consolefonts;
|
||||||
|
consolefont="lat2-sun16.psfu.gz"
|
||||||
|
|
||||||
|
# consoletranslation is the charset map file to use. Leave commented to use
|
||||||
|
# the default one. Have a look in /usr/share/consoletrans for a selection of
|
||||||
|
# map files you can use.
|
||||||
|
consoletranslation="8859-2_to_uni.trans"
|
@ -1,16 +0,0 @@
|
|||||||
# CONFIGURATION FILE FOR SETUPCON
|
|
||||||
|
|
||||||
# Consult the console-setup(5) manual page.
|
|
||||||
|
|
||||||
ACTIVE_CONSOLES="/dev/tty[1-6]"
|
|
||||||
|
|
||||||
CHARMAP="UTF-8"
|
|
||||||
|
|
||||||
CODESET="Lat2"
|
|
||||||
FONTFACE="Fixed"
|
|
||||||
FONTSIZE="8x16"
|
|
||||||
|
|
||||||
VIDEOMODE=
|
|
||||||
|
|
||||||
# The following is an example how to use a braille font
|
|
||||||
# FONT='lat9w-08.psf.gz brl-8x8.psf'
|
|
@ -1,34 +0,0 @@
|
|||||||
# If you change this file, run 'update-grub' afterwards to update
|
|
||||||
# /boot/grub/grub.cfg.
|
|
||||||
# For full documentation of the options in this file, see:
|
|
||||||
# info -f grub -n 'Simple configuration'
|
|
||||||
|
|
||||||
GRUB_DEFAULT=0
|
|
||||||
GRUB_TIMEOUT=0
|
|
||||||
GRUB_RECORDFAIL_TIMEOUT=0
|
|
||||||
GRUB_FORCE_HIDDEN_MENU="true"
|
|
||||||
GRUB_DISTRIBUTOR=`lsb_release -i -s 2> /dev/null || echo Debian`
|
|
||||||
GRUB_CMDLINE_LINUX_DEFAULT="quiet loglevel=0"
|
|
||||||
GRUB_CMDLINE_LINUX=""
|
|
||||||
|
|
||||||
# Uncomment to enable BadRAM filtering, modify to suit your needs
|
|
||||||
# This works with Linux (no patch required) and with any kernel that obtains
|
|
||||||
# the memory map information from GRUB (GNU Mach, kernel of FreeBSD ...)
|
|
||||||
#GRUB_BADRAM="0x01234567,0xfefefefe,0x89abcdef,0xefefefef"
|
|
||||||
|
|
||||||
# Uncomment to disable graphical terminal (grub-pc only)
|
|
||||||
#GRUB_TERMINAL=console
|
|
||||||
|
|
||||||
# The resolution used on graphical terminal
|
|
||||||
# note that you can use only modes which your graphic card supports via VBE
|
|
||||||
# you can see them in real GRUB with the command `vbeinfo'
|
|
||||||
#GRUB_GFXMODE=640x480
|
|
||||||
|
|
||||||
# Uncomment if you don't want GRUB to pass "root=UUID=xxx" parameter to Linux
|
|
||||||
#GRUB_DISABLE_LINUX_UUID=true
|
|
||||||
|
|
||||||
# Uncomment to disable generation of recovery mode menu entries
|
|
||||||
GRUB_DISABLE_RECOVERY="true"
|
|
||||||
|
|
||||||
# Uncomment to get a beep at grub start
|
|
||||||
#GRUB_INIT_TUNE="480 440 1"
|
|
26
basic/etc/inittab
Normal file
26
basic/etc/inittab
Normal file
@ -0,0 +1,26 @@
|
|||||||
|
# /etc/inittab
|
||||||
|
|
||||||
|
::sysinit:/sbin/openrc sysinit
|
||||||
|
::sysinit:/sbin/openrc boot
|
||||||
|
::wait:/sbin/openrc default
|
||||||
|
|
||||||
|
# Set up a couple of getty's
|
||||||
|
::wait:/sbin/issue-gen
|
||||||
|
tty1::respawn:/sbin/getty -l /sbin/nologin 38400 tty1
|
||||||
|
#tty2::respawn:/sbin/getty 38400 tty2
|
||||||
|
#tty3::respawn:/sbin/getty 38400 tty3
|
||||||
|
#tty4::respawn:/sbin/getty 38400 tty4
|
||||||
|
#tty5::respawn:/sbin/getty 38400 tty5
|
||||||
|
#tty6::respawn:/sbin/getty 38400 tty6
|
||||||
|
|
||||||
|
# Put a getty on the serial port
|
||||||
|
#ttyS0::respawn:/sbin/getty -L ttyS0 115200 vt100
|
||||||
|
|
||||||
|
# Stuff to do for the 3-finger salute
|
||||||
|
::ctrlaltdel:/sbin/reboot
|
||||||
|
|
||||||
|
# Stuff to do before rebooting
|
||||||
|
::shutdown:/sbin/openrc shutdown
|
||||||
|
|
||||||
|
# enable login on alternative console
|
||||||
|
#ttyS0::respawn:/sbin/getty -L 115200 ttyS0 vt100
|
@ -1,11 +1,11 @@
|
|||||||
|
|
||||||
[1;32m _____ _ _ _____ _ _
|
[1;32m _____ _ _ __ ____ __
|
||||||
/ ____| | | | | / ____| | | |
|
/ ____| | | | | \\ \\ / / \\/ |
|
||||||
| (___ _ __ ___ | |_| |_ ___ _ __ | | | |_ _ ___| |_ ___ _ __
|
| (___ _ __ ___ | |_| |_ ___ _ _\\ \\ / /| \\ / |
|
||||||
\\___ \\| '_ \\ / _ \\| __| __/ _ \\ '__| | | | | | | / __| __/ _ \\ '__|
|
\\___ \\| '_ \\ / _ \\| __| __/ _ \\ '__\\ \\/ / | |\\/| |
|
||||||
____) | |_) | (_) | |_| || __/ | | |____| | |_| \\__ \\ || __/ |
|
____) | |_) | (_) | |_| || __/ | \\ / | | | |
|
||||||
|_____/| .__/ \\___/ \\__|\\__\\___|_| \\_____|_|\\__,_|___/\\__\\___|_|
|
|_____/| .__/ \\___/ \\__|\\__\\___|_| \\/ |_| |_|
|
||||||
| |
|
| |
|
||||||
|_|[0m
|
|_|[0m
|
||||||
|
|
||||||
|
|
||||||
@ -25,7 +25,7 @@
|
|||||||
|
|
||||||
|
|
||||||
|
|
||||||
Pro přístup k aplikacím otevřete URL [1mhttps://\4/[0m ve Vašem
|
Pro přístup k aplikacím otevřete URL [1mhttps://${URL}/[0m ve Vašem
|
||||||
internetovém prohlížeči.
|
internetovém prohlížeči.
|
||||||
|
|
||||||
|
|
251
basic/etc/rc.conf
Normal file
251
basic/etc/rc.conf
Normal file
@ -0,0 +1,251 @@
|
|||||||
|
# Global OpenRC configuration settings
|
||||||
|
|
||||||
|
# Set to "YES" if you want the rc system to try and start services
|
||||||
|
# in parallel for a slight speed improvement. When running in parallel we
|
||||||
|
# prefix the service output with its name as the output will get
|
||||||
|
# jumbled up.
|
||||||
|
# WARNING: whilst we have improved parallel, it can still potentially lock
|
||||||
|
# the boot process. Don't file bugs about this unless you can supply
|
||||||
|
# patches that fix it without breaking other things!
|
||||||
|
#rc_parallel="NO"
|
||||||
|
|
||||||
|
# Set rc_interactive to "YES" and you'll be able to press the I key during
|
||||||
|
# boot so you can choose to start specific services. Set to "NO" to disable
|
||||||
|
# this feature. This feature is automatically disabled if rc_parallel is
|
||||||
|
# set to YES.
|
||||||
|
#rc_interactive="YES"
|
||||||
|
|
||||||
|
# If we need to drop to a shell, you can specify it here.
|
||||||
|
# If not specified we use $SHELL, otherwise the one specified in /etc/passwd,
|
||||||
|
# otherwise /bin/sh
|
||||||
|
# Linux users could specify /sbin/sulogin
|
||||||
|
#rc_shell=/bin/sh
|
||||||
|
|
||||||
|
# Do we allow any started service in the runlevel to satisfy the dependency
|
||||||
|
# or do we want all of them regardless of state? For example, if net.eth0
|
||||||
|
# and net.eth1 are in the default runlevel then with rc_depend_strict="NO"
|
||||||
|
# both will be started, but services that depend on 'net' will work if either
|
||||||
|
# one comes up. With rc_depend_strict="YES" we would require them both to
|
||||||
|
# come up.
|
||||||
|
#rc_depend_strict="YES"
|
||||||
|
|
||||||
|
# rc_hotplug controls which services we allow to be hotplugged.
|
||||||
|
# A hotplugged service is one started by a dynamic dev manager when a matching
|
||||||
|
# hardware device is found.
|
||||||
|
# Hotplugged services appear in the "hotplugged" runlevel.
|
||||||
|
# If rc_hotplug is set to any value, we compare the name of this service
|
||||||
|
# to every pattern in the value, from left to right, and we allow the
|
||||||
|
# service to be hotplugged if it matches a pattern, or if it matches no
|
||||||
|
# patterns. Patterns can include shell wildcards.
|
||||||
|
# To disable services from being hotplugged, prefix patterns with "!".
|
||||||
|
#If rc_hotplug is not set or is empty, all hotplugging is disabled.
|
||||||
|
# Example - rc_hotplug="net.wlan !net.*"
|
||||||
|
# This allows net.wlan and any service not matching net.* to be hotplugged.
|
||||||
|
# Example - rc_hotplug="!net.*"
|
||||||
|
# This allows services that do not match "net.*" to be hotplugged.
|
||||||
|
|
||||||
|
# rc_logger launches a logging daemon to log the entire rc process to
|
||||||
|
# /var/log/rc.log
|
||||||
|
# NOTE: Linux systems require the devfs service to be started before
|
||||||
|
# logging can take place and as such cannot log the sysinit runlevel.
|
||||||
|
#rc_logger="NO"
|
||||||
|
|
||||||
|
# Through rc_log_path you can specify a custom log file.
|
||||||
|
# The default value is: /var/log/rc.log
|
||||||
|
#rc_log_path="/var/log/rc.log"
|
||||||
|
|
||||||
|
# If you want verbose output for OpenRC, set this to yes. If you want
|
||||||
|
# verbose output for service foo only, set it to yes in /etc/conf.d/foo.
|
||||||
|
#rc_verbose=no
|
||||||
|
|
||||||
|
# By default we filter the environment for our running scripts. To allow other
|
||||||
|
# variables through, add them here. Use a * to allow all variables through.
|
||||||
|
#rc_env_allow="VAR1 VAR2"
|
||||||
|
|
||||||
|
# By default we assume that all daemons will start correctly.
|
||||||
|
# However, some do not - a classic example is that they fork and return 0 AND
|
||||||
|
# then child barfs on a configuration error. Or the daemon has a bug and the
|
||||||
|
# child crashes. You can set the number of milliseconds start-stop-daemon
|
||||||
|
# waits to check that the daemon is still running after starting here.
|
||||||
|
# The default is 0 - no checking.
|
||||||
|
#rc_start_wait=100
|
||||||
|
|
||||||
|
# rc_nostop is a list of services which will not stop when changing runlevels.
|
||||||
|
# This still allows the service itself to be stopped when called directly.
|
||||||
|
#rc_nostop=""
|
||||||
|
|
||||||
|
# rc will attempt to start crashed services by default.
|
||||||
|
# However, it will not stop them by default as that could bring down other
|
||||||
|
# critical services.
|
||||||
|
#rc_crashed_stop=NO
|
||||||
|
#rc_crashed_start=YES
|
||||||
|
|
||||||
|
# Set rc_nocolor to yes if you do not want colors displayed in OpenRC
|
||||||
|
# output.
|
||||||
|
#rc_nocolor=NO
|
||||||
|
|
||||||
|
##############################################################################
|
||||||
|
# MISC CONFIGURATION VARIABLES
|
||||||
|
# There variables are shared between many init scripts
|
||||||
|
|
||||||
|
# Set unicode to YES to turn on unicode support for keyboards and screens.
|
||||||
|
#unicode="NO"
|
||||||
|
unicode="YES"
|
||||||
|
|
||||||
|
# This is how long fuser should wait for a remote server to respond. The
|
||||||
|
# default is 60 seconds, but it can be adjusted here.
|
||||||
|
#rc_fuser_timeout=60
|
||||||
|
|
||||||
|
# Below is the default list of network fstypes.
|
||||||
|
#
|
||||||
|
# afs ceph cifs coda davfs fuse fuse.sshfs gfs glusterfs lustre ncpfs
|
||||||
|
# nfs nfs4 ocfs2 shfs smbfs
|
||||||
|
#
|
||||||
|
# If you would like to add to this list, you can do so by adding your
|
||||||
|
# own fstypes to the following variable.
|
||||||
|
#extra_net_fs_list=""
|
||||||
|
|
||||||
|
##############################################################################
|
||||||
|
# SERVICE CONFIGURATION VARIABLES
|
||||||
|
# These variables are documented here, but should be configured in
|
||||||
|
# /etc/conf.d/foo for service foo and NOT enabled here unless you
|
||||||
|
# really want them to work on a global basis.
|
||||||
|
# If your service has characters in its name which are not legal in
|
||||||
|
# shell variable names and you configure the variables for it in this
|
||||||
|
# file, those characters should be replaced with underscores in the
|
||||||
|
# variable names as shown below.
|
||||||
|
|
||||||
|
# Some daemons are started and stopped via start-stop-daemon.
|
||||||
|
# We can set some things on a per service basis, like the nicelevel.
|
||||||
|
#SSD_NICELEVEL="-19"
|
||||||
|
# Or the ionice level. The format is class[:data] , just like the
|
||||||
|
# --ionice start-stop-daemon parameter.
|
||||||
|
#SSD_IONICELEVEL="2:2"
|
||||||
|
|
||||||
|
# Pass ulimit parameters
|
||||||
|
# If you are using bash in POSIX mode for your shell, note that the
|
||||||
|
# ulimit command uses a block size of 512 bytes for the -c and -f
|
||||||
|
# options
|
||||||
|
#rc_ulimit="-u 30"
|
||||||
|
|
||||||
|
# It's possible to define extra dependencies for services like so
|
||||||
|
#rc_config="/etc/foo"
|
||||||
|
#rc_need="openvpn"
|
||||||
|
#rc_use="net.eth0"
|
||||||
|
#rc_after="clock"
|
||||||
|
#rc_before="local"
|
||||||
|
#rc_provide="!net"
|
||||||
|
|
||||||
|
# You can also enable the above commands here for each service. Below is an
|
||||||
|
# example for service foo.
|
||||||
|
#rc_foo_config="/etc/foo"
|
||||||
|
#rc_foo_need="openvpn"
|
||||||
|
#rc_foo_after="clock"
|
||||||
|
|
||||||
|
# Below is an example for service foo-bar. Note that the '-' is illegal
|
||||||
|
# in a shell variable name, so we convert it to an underscore.
|
||||||
|
# example for service foo-bar.
|
||||||
|
#rc_foo_bar_config="/etc/foo-bar"
|
||||||
|
#rc_foo_bar_need="openvpn"
|
||||||
|
#rc_foo_bar_after="clock"
|
||||||
|
|
||||||
|
# You can also remove dependencies.
|
||||||
|
# This is mainly used for saying which services do NOT provide net.
|
||||||
|
#rc_net_tap0_provide="!net"
|
||||||
|
|
||||||
|
# This is the subsystem type.
|
||||||
|
# It is used to match against keywords set by the keyword call in the
|
||||||
|
# depend function of service scripts.
|
||||||
|
#
|
||||||
|
# It should be set to the value representing the environment this file is
|
||||||
|
# PRESENTLY in, not the virtualization the environment is capable of.
|
||||||
|
# If it is commented out, automatic detection will be used.
|
||||||
|
#
|
||||||
|
# The list below shows all possible settings as well as the host
|
||||||
|
# operating systems where they can be used and autodetected.
|
||||||
|
#
|
||||||
|
# "" - nothing special
|
||||||
|
# "docker" - Docker container manager (Linux)
|
||||||
|
# "jail" - Jail (DragonflyBSD or FreeBSD)
|
||||||
|
# "lxc" - Linux Containers
|
||||||
|
# "openvz" - Linux OpenVZ
|
||||||
|
# "prefix" - Prefix
|
||||||
|
# "rkt" - CoreOS container management system (Linux)
|
||||||
|
# "subhurd" - Hurd subhurds (to be checked)
|
||||||
|
# "systemd-nspawn" - Container created by systemd-nspawn (Linux)
|
||||||
|
# "uml" - Usermode Linux
|
||||||
|
# "vserver" - Linux vserver
|
||||||
|
# "xen0" - Xen0 Domain (Linux and NetBSD)
|
||||||
|
# "xenU" - XenU Domain (Linux and NetBSD)
|
||||||
|
#rc_sys=""
|
||||||
|
|
||||||
|
# on Linux and Hurd, this is the number of ttys allocated for logins
|
||||||
|
# It is used in the consolefont, keymaps, numlock and termencoding
|
||||||
|
# service scripts.
|
||||||
|
rc_tty_number=12
|
||||||
|
|
||||||
|
##############################################################################
|
||||||
|
# LINUX CGROUPS RESOURCE MANAGEMENT
|
||||||
|
|
||||||
|
# If you have cgroups turned on in your kernel, this switch controls
|
||||||
|
# whether or not a group for each controller is mounted under
|
||||||
|
# /sys/fs/cgroup.
|
||||||
|
# None of the other options in this section work if this is set to "NO".
|
||||||
|
#rc_controller_cgroups="YES"
|
||||||
|
|
||||||
|
# The following settings allow you to set up values for the cgroup
|
||||||
|
# controllers for your services.
|
||||||
|
# They can be set in this file;, however, if you do this, the settings
|
||||||
|
# will apply to all of your services.
|
||||||
|
# If you want different settings for each service, place the settings in
|
||||||
|
# /etc/conf.d/foo for service foo.
|
||||||
|
# The format is to specify the names of the settings followed by their
|
||||||
|
# values. Each variable can hold multiple settings.
|
||||||
|
# For example, you would use this to set the cpu.shares setting in the
|
||||||
|
# cpu controller to 512 for your service.
|
||||||
|
# rc_cgroup_cpu="
|
||||||
|
# cpu.shares 512
|
||||||
|
# "
|
||||||
|
#
|
||||||
|
#For more information about the adjustments that can be made with
|
||||||
|
#cgroups, see Documentation/cgroups/* in the linux kernel source tree.
|
||||||
|
|
||||||
|
# Set the blkio controller settings for this service.
|
||||||
|
#rc_cgroup_blkio=""
|
||||||
|
|
||||||
|
# Set the cpu controller settings for this service.
|
||||||
|
#rc_cgroup_cpu=""
|
||||||
|
|
||||||
|
# Add this service to the cpuacct controller (any value means yes).
|
||||||
|
#rc_cgroup_cpuacct=""
|
||||||
|
|
||||||
|
# Set the cpuset controller settings for this service.
|
||||||
|
#rc_cgroup_cpuset=""
|
||||||
|
|
||||||
|
# Set the devices controller settings for this service.
|
||||||
|
#rc_cgroup_devices=""
|
||||||
|
|
||||||
|
# Set the hugetlb controller settings for this service.
|
||||||
|
#rc_cgroup_hugetlb=""
|
||||||
|
|
||||||
|
# Set the memory controller settings for this service.
|
||||||
|
#rc_cgroup_memory=""
|
||||||
|
|
||||||
|
# Set the net_cls controller settings for this service.
|
||||||
|
#rc_cgroup_net_cls=""
|
||||||
|
|
||||||
|
# Set the net_prio controller settings for this service.
|
||||||
|
#rc_cgroup_net_prio=""
|
||||||
|
|
||||||
|
# Set the pids controller settings for this service.
|
||||||
|
#rc_cgroup_pids=""
|
||||||
|
|
||||||
|
# Set this to YES if you want all of the processes in a service's cgroup
|
||||||
|
# killed when the service is stopped or restarted.
|
||||||
|
# This should not be set globally because it kills all of the service's
|
||||||
|
# child processes, and most of the time this is undesirable. Please set
|
||||||
|
# it in /etc/conf.d/<service>.
|
||||||
|
# To perform this cleanup manually for a stopped service, you can
|
||||||
|
# execute cgroup_cleanup with /etc/init.d/<service> cgroup_cleanup or
|
||||||
|
# rc-service <service> cgroup_cleanup.
|
||||||
|
# rc_cgroup_cleanup="NO"
|
@ -1,169 +0,0 @@
|
|||||||
<?xml version="1.0" encoding="UTF-8"?>
|
|
||||||
<!--
|
|
||||||
Licensed to the Apache Software Foundation (ASF) under one or more
|
|
||||||
contributor license agreements. See the NOTICE file distributed with
|
|
||||||
this work for additional information regarding copyright ownership.
|
|
||||||
The ASF licenses this file to You under the Apache License, Version 2.0
|
|
||||||
(the "License"); you may not use this file except in compliance with
|
|
||||||
the License. You may obtain a copy of the License at
|
|
||||||
|
|
||||||
http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
|
|
||||||
Unless required by applicable law or agreed to in writing, software
|
|
||||||
distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
See the License for the specific language governing permissions and
|
|
||||||
limitations under the License.
|
|
||||||
-->
|
|
||||||
<!-- Note: A "Server" is not itself a "Container", so you may not
|
|
||||||
define subcomponents such as "Valves" at this level.
|
|
||||||
Documentation at /docs/config/server.html
|
|
||||||
-->
|
|
||||||
<Server port="9005" shutdown="SHUTDOWN">
|
|
||||||
<Listener className="org.apache.catalina.startup.VersionLoggerListener" />
|
|
||||||
<!-- Security listener. Documentation at /docs/config/listeners.html
|
|
||||||
<Listener className="org.apache.catalina.security.SecurityListener" />
|
|
||||||
-->
|
|
||||||
<!--APR library loader. Documentation at /docs/apr.html -->
|
|
||||||
<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
|
|
||||||
<!-- Prevent memory leaks due to use of particular java/javax APIs-->
|
|
||||||
<Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
|
|
||||||
<Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
|
|
||||||
<Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />
|
|
||||||
|
|
||||||
<!-- Global JNDI resources
|
|
||||||
Documentation at /docs/jndi-resources-howto.html
|
|
||||||
-->
|
|
||||||
<GlobalNamingResources>
|
|
||||||
<!-- Editable user database that can also be used by
|
|
||||||
UserDatabaseRealm to authenticate users
|
|
||||||
-->
|
|
||||||
<Resource name="UserDatabase" auth="Container"
|
|
||||||
type="org.apache.catalina.UserDatabase"
|
|
||||||
description="User database that can be updated and saved"
|
|
||||||
factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
|
|
||||||
pathname="conf/tomcat-users.xml" />
|
|
||||||
</GlobalNamingResources>
|
|
||||||
|
|
||||||
<!-- A "Service" is a collection of one or more "Connectors" that share
|
|
||||||
a single "Container" Note: A "Service" is not itself a "Container",
|
|
||||||
so you may not define subcomponents such as "Valves" at this level.
|
|
||||||
Documentation at /docs/config/service.html
|
|
||||||
-->
|
|
||||||
<Service name="Catalina">
|
|
||||||
|
|
||||||
<!--The connectors can use a shared executor, you can define one or more named thread pools-->
|
|
||||||
<!--
|
|
||||||
<Executor name="tomcatThreadPool" namePrefix="catalina-exec-"
|
|
||||||
maxThreads="150" minSpareThreads="4"/>
|
|
||||||
-->
|
|
||||||
|
|
||||||
|
|
||||||
<!-- A "Connector" represents an endpoint by which requests are received
|
|
||||||
and responses are returned. Documentation at :
|
|
||||||
Java HTTP Connector: /docs/config/http.html
|
|
||||||
Java AJP Connector: /docs/config/ajp.html
|
|
||||||
APR (HTTP/AJP) Connector: /docs/apr.html
|
|
||||||
Define a non-SSL/TLS HTTP/1.1 Connector on port 8080
|
|
||||||
-->
|
|
||||||
<Connector address="127.0.0.1" port="9080" protocol="HTTP/1.1"
|
|
||||||
connectionTimeout="20000"
|
|
||||||
redirectPort="8443" />
|
|
||||||
<!-- A "Connector" using the shared thread pool-->
|
|
||||||
<!--
|
|
||||||
<Connector executor="tomcatThreadPool"
|
|
||||||
port="8080" protocol="HTTP/1.1"
|
|
||||||
connectionTimeout="20000"
|
|
||||||
redirectPort="8443" />
|
|
||||||
-->
|
|
||||||
<!-- Define a SSL/TLS HTTP/1.1 Connector on port 8443
|
|
||||||
This connector uses the NIO implementation. The default
|
|
||||||
SSLImplementation will depend on the presence of the APR/native
|
|
||||||
library and the useOpenSSL attribute of the
|
|
||||||
AprLifecycleListener.
|
|
||||||
Either JSSE or OpenSSL style configuration may be used regardless of
|
|
||||||
the SSLImplementation selected. JSSE style configuration is used below.
|
|
||||||
-->
|
|
||||||
<!--
|
|
||||||
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
|
|
||||||
maxThreads="150" SSLEnabled="true">
|
|
||||||
<SSLHostConfig>
|
|
||||||
<Certificate certificateKeystoreFile="conf/localhost-rsa.jks"
|
|
||||||
type="RSA" />
|
|
||||||
</SSLHostConfig>
|
|
||||||
</Connector>
|
|
||||||
-->
|
|
||||||
<!-- Define a SSL/TLS HTTP/1.1 Connector on port 8443 with HTTP/2
|
|
||||||
This connector uses the APR/native implementation which always uses
|
|
||||||
OpenSSL for TLS.
|
|
||||||
Either JSSE or OpenSSL style configuration may be used. OpenSSL style
|
|
||||||
configuration is used below.
|
|
||||||
-->
|
|
||||||
<!--
|
|
||||||
<Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
|
|
||||||
maxThreads="150" SSLEnabled="true" >
|
|
||||||
<UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
|
|
||||||
<SSLHostConfig>
|
|
||||||
<Certificate certificateKeyFile="conf/localhost-rsa-key.pem"
|
|
||||||
certificateFile="conf/localhost-rsa-cert.pem"
|
|
||||||
certificateChainFile="conf/localhost-rsa-chain.pem"
|
|
||||||
type="RSA" />
|
|
||||||
</SSLHostConfig>
|
|
||||||
</Connector>
|
|
||||||
-->
|
|
||||||
|
|
||||||
<!-- Define an AJP 1.3 Connector on port 8009 -->
|
|
||||||
<!--
|
|
||||||
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
|
|
||||||
-->
|
|
||||||
|
|
||||||
|
|
||||||
<!-- An Engine represents the entry point (within Catalina) that processes
|
|
||||||
every request. The Engine implementation for Tomcat stand alone
|
|
||||||
analyzes the HTTP headers included with the request, and passes them
|
|
||||||
on to the appropriate Host (virtual host).
|
|
||||||
Documentation at /docs/config/engine.html -->
|
|
||||||
|
|
||||||
<!-- You should set jvmRoute to support load-balancing via AJP ie :
|
|
||||||
<Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1">
|
|
||||||
-->
|
|
||||||
<Engine name="Catalina" defaultHost="localhost">
|
|
||||||
|
|
||||||
<!--For clustering, please take a look at documentation at:
|
|
||||||
/docs/cluster-howto.html (simple how to)
|
|
||||||
/docs/config/cluster.html (reference documentation) -->
|
|
||||||
<!--
|
|
||||||
<Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
|
|
||||||
-->
|
|
||||||
|
|
||||||
<!-- Use the LockOutRealm to prevent attempts to guess user passwords
|
|
||||||
via a brute-force attack -->
|
|
||||||
<Realm className="org.apache.catalina.realm.LockOutRealm">
|
|
||||||
<!-- This Realm uses the UserDatabase configured in the global JNDI
|
|
||||||
resources under the key "UserDatabase". Any edits
|
|
||||||
that are performed against this UserDatabase are immediately
|
|
||||||
available for use by the Realm. -->
|
|
||||||
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
|
|
||||||
resourceName="UserDatabase"/>
|
|
||||||
</Realm>
|
|
||||||
|
|
||||||
<Host name="localhost" appBase="webapps"
|
|
||||||
unpackWARs="true" autoDeploy="true">
|
|
||||||
|
|
||||||
<!-- SingleSignOn valve, share authentication between web applications
|
|
||||||
Documentation at: /docs/config/valve.html -->
|
|
||||||
<!--
|
|
||||||
<Valve className="org.apache.catalina.authenticator.SingleSignOn" />
|
|
||||||
-->
|
|
||||||
|
|
||||||
<!-- Access log processes all example.
|
|
||||||
Documentation at: /docs/config/valve.html
|
|
||||||
Note: The pattern used is equivalent to using pattern="common" -->
|
|
||||||
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
|
|
||||||
prefix="localhost_access_log" suffix=".txt"
|
|
||||||
pattern="%h %l %u %t "%r" %s %b" />
|
|
||||||
|
|
||||||
</Host>
|
|
||||||
</Engine>
|
|
||||||
</Service>
|
|
||||||
</Server>
|
|
@ -1,53 +0,0 @@
|
|||||||
# This file is part of systemd.
|
|
||||||
#
|
|
||||||
# systemd is free software; you can redistribute it and/or modify it
|
|
||||||
# under the terms of the GNU Lesser General Public License as published by
|
|
||||||
# the Free Software Foundation; either version 2.1 of the License, or
|
|
||||||
# (at your option) any later version.
|
|
||||||
|
|
||||||
[Unit]
|
|
||||||
Description=Getty on %I
|
|
||||||
Documentation=man:agetty(8) man:systemd-getty-generator(8)
|
|
||||||
Documentation=http://0pointer.de/blog/projects/serial-console.html
|
|
||||||
After=systemd-user-sessions.service plymouth-quit-wait.service
|
|
||||||
After=rc-local.service
|
|
||||||
|
|
||||||
# If additional gettys are spawned during boot then we should make
|
|
||||||
# sure that this is synchronized before getty.target, even though
|
|
||||||
# getty.target didn't actually pull it in.
|
|
||||||
Before=getty.target
|
|
||||||
IgnoreOnIsolate=yes
|
|
||||||
|
|
||||||
# IgnoreOnIsolate causes issues with sulogin, if someone isolates
|
|
||||||
# rescue.target or starts rescue.service from multi-user.target or
|
|
||||||
# graphical.target.
|
|
||||||
Conflicts=rescue.service
|
|
||||||
Before=rescue.service
|
|
||||||
|
|
||||||
# On systems without virtual consoles, don't start any getty. Note
|
|
||||||
# that serial gettys are covered by serial-getty@.service, not this
|
|
||||||
# unit.
|
|
||||||
ConditionPathExists=/dev/tty0
|
|
||||||
|
|
||||||
[Service]
|
|
||||||
# the VT is cleared by TTYVTDisallocate
|
|
||||||
ExecStart=-/sbin/agetty -l /usr/sbin/nologin %I $TERM
|
|
||||||
Type=idle
|
|
||||||
Restart=always
|
|
||||||
RestartSec=0
|
|
||||||
UtmpIdentifier=%I
|
|
||||||
TTYPath=/dev/%I
|
|
||||||
TTYReset=yes
|
|
||||||
TTYVHangup=yes
|
|
||||||
TTYVTDisallocate=yes
|
|
||||||
KillMode=process
|
|
||||||
IgnoreSIGPIPE=no
|
|
||||||
SendSIGHUP=yes
|
|
||||||
|
|
||||||
# Unset locale for the console getty since the console has problems
|
|
||||||
# displaying some internationalized messages.
|
|
||||||
Environment=LANG= LANGUAGE= LC_CTYPE= LC_NUMERIC= LC_TIME= LC_COLLATE= LC_MONETARY= LC_MESSAGES= LC_PAPER= LC_NAME= LC_ADDRESS= LC_TELEPHONE= LC_MEASUREMENT= LC_IDENTIFICATION=
|
|
||||||
|
|
||||||
[Install]
|
|
||||||
WantedBy=getty.target
|
|
||||||
DefaultInstance=tty1
|
|
@ -1,25 +0,0 @@
|
|||||||
shopt -s histappend
|
|
||||||
HISTSIZE=10000
|
|
||||||
HISTFILESIZE=20000
|
|
||||||
HISTTIMEFORMAT="(%F %T) "
|
|
||||||
PROMPT_COMMAND="history -a"
|
|
||||||
|
|
||||||
case "$TERM" in
|
|
||||||
xterm*|rxvt*)
|
|
||||||
PS1="\[\e]0;${debian_chroot:+($debian_chroot)}\u@\H:\w\a\]$PS1"
|
|
||||||
;;
|
|
||||||
*)
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
|
|
||||||
eval "`dircolors`"
|
|
||||||
COLOR="--color=auto"
|
|
||||||
|
|
||||||
if [ -f /etc/bash_completion ]; then
|
|
||||||
. /etc/bash_completion
|
|
||||||
fi
|
|
||||||
|
|
||||||
alias ls='ls --color=auto'
|
|
||||||
alias ll='ls -la --color=auto'
|
|
||||||
alias l='ls -a --color=auto'
|
|
||||||
alias grep='grep --color=auto'
|
|
@ -1,2 +0,0 @@
|
|||||||
runtime! defaults.vim
|
|
||||||
set mouse-=a
|
|
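--- a/basic/sbin/issue-gen
+++ b/basic/sbin/issue-gen
@@ -0,0 +1,4 @@
+#!/bin/sh
+
+export URL=$(ip route get 1 | awk '{print $NF;exit}')
+envsubst </etc/issue.template >/etc/issue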
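Review bot: `$NF` on the first line of `ip route get 1` is fragile: with the full iproute2 package (as opposed to the busybox applet) that line can end in `uid <n>` after the `src` address, so URL would become the uid rather than the host IP; picking the field after `src` is robust on both, e.g. `export URL=$(ip route get 1 | awk '{for (i = 1; i <= NF; i++) if ($i == "src") { print $(i + 1); exit }}')`. When no default route exists the pipeline yields an empty URL and `/etc/issue` is still overwritten, so a guard such as `[ -n "$URL" ] || exit 0` before the render would keep the previous banner in place. `envsubst` with no variable list expands every `$NAME` in `/etc/issue.template` from the caller's environment; limiting it to `envsubst '$URL' </etc/issue.template >/etc/issue` keeps the template from leaking unrelated variables into the pre-login banner.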
@ -1,425 +0,0 @@
|
|||||||
#!/bin/sh
|
|
||||||
|
|
||||||
PREREQ="cryptroot-prepare"
|
|
||||||
|
|
||||||
#
|
|
||||||
# Standard initramfs preamble
|
|
||||||
#
|
|
||||||
prereqs()
|
|
||||||
{
|
|
||||||
# Make sure that cryptroot is run last in local-top
|
|
||||||
for req in $(dirname $0)/*; do
|
|
||||||
script=${req##*/}
|
|
||||||
if [ $script != cryptroot ]; then
|
|
||||||
echo $script
|
|
||||||
fi
|
|
||||||
done
|
|
||||||
}
|
|
||||||
|
|
||||||
case $1 in
|
|
||||||
prereqs)
|
|
||||||
prereqs
|
|
||||||
exit 0
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
|
|
||||||
# source for log_*_msg() functions, see LP: #272301
|
|
||||||
. /scripts/functions
|
|
||||||
|
|
||||||
#
|
|
||||||
# Helper functions
|
|
||||||
#
|
|
||||||
message()
|
|
||||||
{
|
|
||||||
if [ -x /bin/plymouth ] && plymouth --ping; then
|
|
||||||
plymouth message --text="$@"
|
|
||||||
else
|
|
||||||
echo "$@" >&2
|
|
||||||
fi
|
|
||||||
return 0
|
|
||||||
}
|
|
||||||
|
|
||||||
udev_settle()
|
|
||||||
{
|
|
||||||
# Wait for udev to be ready, see https://launchpad.net/bugs/85640
|
|
||||||
if command -v udevadm >/dev/null 2>&1; then
|
|
||||||
udevadm settle --timeout=30
|
|
||||||
elif command -v udevsettle >/dev/null 2>&1; then
|
|
||||||
udevsettle --timeout=30
|
|
||||||
fi
|
|
||||||
return 0
|
|
||||||
}
|
|
||||||
|
|
||||||
parse_options()
|
|
||||||
{
|
|
||||||
local cryptopts
|
|
||||||
cryptopts="$1"
|
|
||||||
|
|
||||||
if [ -z "$cryptopts" ]; then
|
|
||||||
return 1
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Defaults
|
|
||||||
cryptcipher=aes-cbc-essiv:sha256
|
|
||||||
cryptsize=256
|
|
||||||
crypthash=ripemd160
|
|
||||||
crypttarget=cryptroot
|
|
||||||
cryptsource=""
|
|
||||||
cryptheader=""
|
|
||||||
cryptlvm=""
|
|
||||||
cryptkeyscript=""
|
|
||||||
cryptkey="" # This is only used as an argument to an eventual keyscript
|
|
||||||
cryptkeyslot=""
|
|
||||||
crypttries=3
|
|
||||||
crypttcrypt=""
|
|
||||||
cryptveracrypt=""
|
|
||||||
cryptrootdev=""
|
|
||||||
cryptdiscard=""
|
|
||||||
CRYPTTAB_OPTIONS=""
|
|
||||||
|
|
||||||
local IFS=" ,"
|
|
||||||
for x in $cryptopts; do
|
|
||||||
case $x in
|
|
||||||
hash=*)
|
|
||||||
crypthash=${x#hash=}
|
|
||||||
;;
|
|
||||||
size=*)
|
|
||||||
cryptsize=${x#size=}
|
|
||||||
;;
|
|
||||||
cipher=*)
|
|
||||||
cryptcipher=${x#cipher=}
|
|
||||||
;;
|
|
||||||
target=*)
|
|
||||||
crypttarget=${x#target=}
|
|
||||||
export CRYPTTAB_NAME="$crypttarget"
|
|
||||||
;;
|
|
||||||
source=*)
|
|
||||||
cryptsource=${x#source=}
|
|
||||||
if [ ${cryptsource#UUID=} != $cryptsource ]; then
|
|
||||||
cryptsource="/dev/disk/by-uuid/${cryptsource#UUID=}"
|
|
||||||
elif [ ${cryptsource#LABEL=} != $cryptsource ]; then
|
|
||||||
cryptsource="/dev/disk/by-label/$(printf '%s' "${cryptsource#LABEL=}" | sed 's,/,\\x2f,g')"
|
|
||||||
fi
|
|
||||||
export CRYPTTAB_SOURCE="$cryptsource"
|
|
||||||
;;
|
|
||||||
header=*)
|
|
||||||
cryptheader=${x#header=}
|
|
||||||
if [ ! -e "$cryptheader" ] && [ -e "/conf/conf.d/cryptheader/$cryptheader" ]; then
|
|
||||||
cryptheader="/conf/conf.d/cryptheader/$cryptheader"
|
|
||||||
fi
|
|
||||||
export CRYPTTAB_HEADER="$cryptheader"
|
|
||||||
;;
|
|
||||||
lvm=*)
|
|
||||||
cryptlvm=${x#lvm=}
|
|
||||||
;;
|
|
||||||
keyscript=*)
|
|
||||||
cryptkeyscript=${x#keyscript=}
|
|
||||||
;;
|
|
||||||
key=*)
|
|
||||||
if [ "${x#key=}" != "none" ]; then
|
|
||||||
cryptkey=${x#key=}
|
|
||||||
fi
|
|
||||||
export CRYPTTAB_KEY="$cryptkey"
|
|
||||||
;;
|
|
||||||
keyslot=*)
|
|
||||||
cryptkeyslot=${x#keyslot=}
|
|
||||||
;;
|
|
||||||
tries=*)
|
|
||||||
crypttries="${x#tries=}"
|
|
||||||
case "$crypttries" in
|
|
||||||
*[![:digit:].]*)
|
|
||||||
crypttries=3
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
;;
|
|
||||||
tcrypt)
|
|
||||||
crypttcrypt="yes"
|
|
||||||
;;
|
|
||||||
veracrypt)
|
|
||||||
cryptveracrypt="--veracrypt"
|
|
||||||
;;
|
|
||||||
rootdev)
|
|
||||||
cryptrootdev="yes"
|
|
||||||
;;
|
|
||||||
discard)
|
|
||||||
cryptdiscard="yes"
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
PARAM="${x%=*}"
|
|
||||||
if [ "$PARAM" = "$x" ]; then
|
|
||||||
VALUE="yes"
|
|
||||||
else
|
|
||||||
VALUE="${x#*=}"
|
|
||||||
fi
|
|
||||||
CRYPTTAB_OPTIONS="$CRYPTTAB_OPTIONS $PARAM"
|
|
||||||
eval export CRYPTTAB_OPTION_$PARAM="\"$VALUE\""
|
|
||||||
done
|
|
||||||
export CRYPTTAB_OPTIONS
|
|
||||||
|
|
||||||
if [ -z "$cryptsource" ]; then
|
|
||||||
message "cryptsetup ($crypttarget): source parameter missing"
|
|
||||||
return 1
|
|
||||||
fi
|
|
||||||
return 0
|
|
||||||
}
|
|
||||||
|
|
||||||
activate_vg()
|
|
||||||
{
|
|
||||||
# Sanity checks
|
|
||||||
if [ ! -x /sbin/lvm ]; then
|
|
||||||
message "cryptsetup ($crypttarget): lvm is not available"
|
|
||||||
return 1
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Detect and activate available volume groups
|
|
||||||
/sbin/lvm vgscan >/dev/null 2>&1
|
|
||||||
/sbin/lvm vgchange -a y --sysinit >/dev/null 2>&1
|
|
||||||
return $?
|
|
||||||
}
|
|
||||||
|
|
||||||
setup_mapping()
|
|
||||||
{
|
|
||||||
local opts count cryptopen cryptremove NEWROOT
|
|
||||||
opts="$1"
|
|
||||||
|
|
||||||
if [ -z "$opts" ]; then
|
|
||||||
return 0
|
|
||||||
fi
|
|
||||||
|
|
||||||
parse_options "$opts" || return 1
|
|
||||||
|
|
||||||
if [ -z "$cryptkeyscript" ]; then
|
|
||||||
if [ ${cryptsource#/dev/disk/by-uuid/} != $cryptsource ]; then
|
|
||||||
# UUIDs are not very helpful
|
|
||||||
diskname="$crypttarget"
|
|
||||||
else
|
|
||||||
diskname="$cryptsource ($crypttarget)"
|
|
||||||
fi
|
|
||||||
cryptkeyscript="/lib/cryptsetup/askpass"
|
|
||||||
cryptkey="Please unlock disk $diskname: "
|
|
||||||
elif ! type "$cryptkeyscript" >/dev/null; then
|
|
||||||
message "cryptsetup ($crypttarget): error - script \"$cryptkeyscript\" missing"
|
|
||||||
return 1
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [ "$cryptkeyscript" = "cat" ] && [ "${cryptkey#/root/}" != "$cryptkey" ]; then
|
|
||||||
# skip the mapping if the root FS is not mounted yet
|
|
||||||
sed -rn 's/^\s*[^#]\S*\s+(\S+)\s.*/\1/p' /proc/mounts | grep -Fxq "$rootmnt" || return 1
|
|
||||||
# substitute the "/root" prefix by the real root FS mountpoint otherwise
|
|
||||||
cryptkey="${rootmnt}/${cryptkey#/root/}"
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [ -n "$cryptheader" ] && ! type "$cryptheader" >/dev/null; then
|
|
||||||
message "cryptsetup ($crypttarget): error - LUKS header \"$cryptheader\" missing"
|
|
||||||
return 1
|
|
||||||
fi
|
|
||||||
|
|
||||||
# The same target can be specified multiple times
|
|
||||||
# e.g. root and resume lvs-on-lvm-on-crypto
|
|
||||||
if [ -e "/dev/mapper/$crypttarget" ]; then
|
|
||||||
return 0
|
|
||||||
fi
|
|
||||||
|
|
||||||
modprobe -q dm_crypt
|
|
||||||
|
|
||||||
# Make sure the cryptsource device is available
|
|
||||||
if [ ! -e $cryptsource ]; then
|
|
||||||
activate_vg
|
|
||||||
fi
|
|
||||||
|
|
||||||
# If the encrypted source device hasn't shown up yet, give it a
|
|
||||||
# little while to deal with removable devices
|
|
||||||
|
|
||||||
# the following lines below have been taken from
|
|
||||||
# /usr/share/initramfs-tools/scripts/local, as suggested per
|
|
||||||
# https://launchpad.net/bugs/164044
|
|
||||||
if [ ! -e "$cryptsource" ]; then
|
|
||||||
log_begin_msg "Waiting for encrypted source device..."
|
|
||||||
|
|
||||||
# Default delay is 180s
|
|
||||||
if [ -z "${ROOTDELAY}" ]; then
|
|
||||||
slumber=180
|
|
||||||
else
|
|
||||||
slumber=${ROOTDELAY}
|
|
||||||
fi
|
|
||||||
|
|
||||||
slumber=$(( ${slumber} * 10 ))
|
|
||||||
while [ ! -e "$cryptsource" ]; do
|
|
||||||
# retry for LVM devices every 10 seconds
|
|
||||||
if [ ${slumber} -eq $(( ${slumber}/100*100 )) ]; then
|
|
||||||
activate_vg
|
|
||||||
fi
|
|
||||||
|
|
||||||
/bin/sleep 0.1
|
|
||||||
slumber=$(( ${slumber} - 1 ))
|
|
||||||
[ ${slumber} -gt 0 ] || break
|
|
||||||
done
|
|
||||||
|
|
||||||
if [ ${slumber} -gt 0 ]; then
|
|
||||||
log_end_msg 0
|
|
||||||
else
|
|
||||||
log_end_msg 1 || true
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
udev_settle
|
|
||||||
|
|
||||||
# We've given up, but we'll let the user fix matters if they can
|
|
||||||
if [ ! -e "${cryptsource}" ]; then
|
|
||||||
|
|
||||||
echo " ALERT! ${cryptsource} does not exist."
|
|
||||||
echo " Check cryptopts=source= bootarg: cat /proc/cmdline"
|
|
||||||
echo " or missing modules, devices: cat /proc/modules; ls /dev"
|
|
||||||
panic -r "Dropping to a shell. Will skip ${cryptsource} if you can't fix."
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [ ! -e "${cryptsource}" ]; then
|
|
||||||
return 1
|
|
||||||
fi
|
|
||||||
|
|
||||||
|
|
||||||
# Prepare commands
|
|
||||||
cryptopen="/sbin/cryptsetup -T 1"
|
|
||||||
if [ "$cryptdiscard" = "yes" ]; then
|
|
||||||
cryptopen="$cryptopen --allow-discards"
|
|
||||||
fi
|
|
||||||
if [ -n "$cryptheader" ]; then
|
|
||||||
cryptopen="$cryptopen --header=$cryptheader"
|
|
||||||
fi
|
|
||||||
if [ -n "$cryptkeyslot" ]; then
|
|
||||||
cryptopen="$cryptopen --key-slot=$cryptkeyslot"
|
|
||||||
fi
|
|
||||||
if /sbin/cryptsetup isLuks ${cryptheader:-$cryptsource} >/dev/null 2>&1; then
|
|
||||||
cryptopen="$cryptopen open --type luks $cryptsource $crypttarget --key-file=-"
|
|
||||||
elif [ "$crypttcrypt" = "yes" ]; then
|
|
||||||
cryptopen="$cryptopen open --type tcrypt $cryptveracrypt $cryptsource $crypttarget"
|
|
||||||
else
|
|
||||||
cryptopen="$cryptopen -c $cryptcipher -s $cryptsize -h $crypthash open --type plain $cryptsource $crypttarget --key-file=-"
|
|
||||||
fi
|
|
||||||
cryptremove="/sbin/cryptsetup remove $crypttarget"
|
|
||||||
NEWROOT="/dev/mapper/$crypttarget"
|
|
||||||
|
|
||||||
# Try to get a satisfactory password $crypttries times
|
|
||||||
count=0
|
|
||||||
while [ $crypttries -le 0 ] || [ $count -lt $crypttries ]; do
|
|
||||||
export CRYPTTAB_TRIED="$count"
|
|
||||||
count=$(( $count + 1 ))
|
|
||||||
|
|
||||||
if [ ! -e "$NEWROOT" ]; then
|
|
||||||
if ! crypttarget="$crypttarget" cryptsource="$cryptsource" \
|
|
||||||
$cryptkeyscript "$cryptkey" | $cryptopen; then
|
|
||||||
message "cryptsetup ($crypttarget): cryptsetup failed, bad password or options?"
|
|
||||||
continue
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [ ! -e "$NEWROOT" ]; then
|
|
||||||
message "cryptsetup ($crypttarget): unknown error setting up device mapping"
|
|
||||||
return 1
|
|
||||||
fi
|
|
||||||
|
|
||||||
#FSTYPE=''
|
|
||||||
#eval $(fstype < "$NEWROOT")
|
|
||||||
FSTYPE="$(/sbin/blkid -s TYPE -o value "$NEWROOT")"
|
|
||||||
|
|
||||||
# See if we need to setup lvm on the crypto device
|
|
||||||
#if [ "$FSTYPE" = "lvm" ] || [ "$FSTYPE" = "lvm2" ]; then
|
|
||||||
if [ "$FSTYPE" = "LVM_member" ] || [ "$FSTYPE" = "LVM2_member" ]; then
|
|
||||||
if [ -z "$cryptlvm" ]; then
|
|
||||||
message "cryptsetup ($crypttarget): lvm fs found but no lvm configured"
|
|
||||||
return 1
|
|
||||||
elif ! activate_vg; then
|
|
||||||
# disable error message, LP: #151532
|
|
||||||
#message "cryptsetup ($crypttarget): failed to setup lvm device"
|
|
||||||
return 1
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Apparently ROOT is already set in /conf/param.conf for
|
|
||||||
# flashed kernels at least. See bugreport #759720.
|
|
||||||
if [ -f /conf/param.conf ] && grep -q "^ROOT=" /conf/param.conf; then
|
|
||||||
NEWROOT=$(sed -n 's/^ROOT=//p' /conf/param.conf)
|
|
||||||
else
|
|
||||||
NEWROOT=${cmdline_root:-/dev/mapper/$cryptlvm}
|
|
||||||
if [ "$cryptrootdev" = "yes" ]; then
|
|
||||||
# required for lilo to find the root device
|
|
||||||
echo "ROOT=$NEWROOT" >>/conf/param.conf
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
#eval $(fstype < "$NEWROOT")
|
|
||||||
FSTYPE="$(/sbin/blkid -s TYPE -o value "$NEWROOT")"
|
|
||||||
fi
|
|
||||||
|
|
||||||
#if [ -z "$FSTYPE" ] || [ "$FSTYPE" = "unknown" ]; then
|
|
||||||
if [ -z "$FSTYPE" ]; then
|
|
||||||
message "cryptsetup ($crypttarget): unknown fstype, bad password or options?"
|
|
||||||
udev_settle
|
|
||||||
$cryptremove
|
|
||||||
continue
|
|
||||||
fi
|
|
||||||
|
|
||||||
# decrease $count by 1, apparently last try was successful.
|
|
||||||
count=$(( $count - 1 ))
|
|
||||||
|
|
||||||
message "cryptsetup ($crypttarget): set up successfully"
|
|
||||||
break
|
|
||||||
done
|
|
||||||
|
|
||||||
failsleep=60 # make configurable later?
|
|
||||||
|
|
||||||
if [ "$cryptrootdev" = "yes" ] && [ $crypttries -gt 0 ] && [ $count -ge $crypttries ]; then
|
|
||||||
message "cryptsetup ($crypttarget): maximum number of tries exceeded"
|
|
||||||
message "cryptsetup: going to sleep for $failsleep seconds..."
|
|
||||||
sleep $failsleep
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
|
|
||||||
udev_settle
|
|
||||||
return 0
|
|
||||||
}
|
|
||||||
|
|
||||||
#
|
|
||||||
# Begin real processing
|
|
||||||
#
|
|
||||||
|
|
||||||
# Do we have any kernel boot arguments?
|
|
||||||
cmdline_cryptopts=''
|
|
||||||
unset cmdline_root
|
|
||||||
for opt in $(cat /proc/cmdline); do
|
|
||||||
case $opt in
|
|
||||||
cryptopts=*)
|
|
||||||
opt="${opt#cryptopts=}"
|
|
||||||
if [ -n "$opt" ]; then
|
|
||||||
if [ -n "$cmdline_cryptopts" ]; then
|
|
||||||
cmdline_cryptopts="$cmdline_cryptopts $opt"
|
|
||||||
else
|
|
||||||
cmdline_cryptopts="$opt"
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
;;
|
|
||||||
root=*)
|
|
||||||
opt="${opt#root=}"
|
|
||||||
case $opt in
|
|
||||||
/*) # Absolute path given. Not lilo major/minor number.
|
|
||||||
cmdline_root=$opt
|
|
||||||
;;
|
|
||||||
*) # lilo major/minor number (See #398957). Ignore
|
|
||||||
esac
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
done
|
|
||||||
|
|
||||||
if [ -n "$cmdline_cryptopts" ]; then
|
|
||||||
# Call setup_mapping separately for each possible cryptopts= setting
|
|
||||||
for cryptopt in $cmdline_cryptopts; do
|
|
||||||
setup_mapping "$cryptopt"
|
|
||||||
done
|
|
||||||
exit 0
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Do we have any settings from the /conf/conf.d/cryptroot file?
|
|
||||||
if [ -r /conf/conf.d/cryptroot ]; then
|
|
||||||
while read mapping <&3; do
|
|
||||||
setup_mapping "$mapping" 3<&-
|
|
||||||
done 3< /conf/conf.d/cryptroot
|
|
||||||
fi
|
|
||||||
|
|
||||||
exit 0
|
|
@ -1,65 +0,0 @@
|
|||||||
#!/bin/sh
|
|
||||||
|
|
||||||
PREREQ="mdadm mdrun multipath"
|
|
||||||
|
|
||||||
prereqs()
|
|
||||||
{
|
|
||||||
echo "$PREREQ"
|
|
||||||
}
|
|
||||||
|
|
||||||
case $1 in
|
|
||||||
# get pre-requisites
|
|
||||||
prereqs)
|
|
||||||
prereqs
|
|
||||||
exit 0
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
|
|
||||||
if [ ! -e /sbin/lvm ]; then
|
|
||||||
exit 0
|
|
||||||
fi
|
|
||||||
|
|
||||||
lvchange_activate() {
|
|
||||||
lvm lvchange -aay -y --sysinit --ignoreskippedcluster "$@" >/dev/null 2>&1
|
|
||||||
}
|
|
||||||
|
|
||||||
activate() {
|
|
||||||
local dev="$1"
|
|
||||||
|
|
||||||
# Make sure that we have a non-empty argument
|
|
||||||
if [ -z "$dev" ]; then
|
|
||||||
return 1
|
|
||||||
fi
|
|
||||||
|
|
||||||
case "$dev" in
|
|
||||||
# Take care of lilo boot arg, risky activating of all vg
|
|
||||||
fe[0-9]*)
|
|
||||||
lvchange_activate
|
|
||||||
exit 0
|
|
||||||
;;
|
|
||||||
# FIXME: check major
|
|
||||||
/dev/root)
|
|
||||||
lvchange_activate
|
|
||||||
exit 0
|
|
||||||
;;
|
|
||||||
|
|
||||||
/dev/mapper/*)
|
|
||||||
eval $(dmsetup splitname --nameprefixes --noheadings --rows "${dev#/dev/mapper/}")
|
|
||||||
if [ "$DM_VG_NAME" ] && [ "$DM_LV_NAME" ]; then
|
|
||||||
lvchange_activate "$DM_VG_NAME/$DM_LV_NAME"
|
|
||||||
fi
|
|
||||||
;;
|
|
||||||
|
|
||||||
/dev/*/*)
|
|
||||||
# Could be /dev/VG/LV; use lvs to check
|
|
||||||
if lvm lvs -- "$dev" >/dev/null 2>&1; then
|
|
||||||
lvchange_activate "$dev"
|
|
||||||
fi
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
}
|
|
||||||
|
|
||||||
activate "$ROOT"
|
|
||||||
activate "$resume"
|
|
||||||
|
|
||||||
exit 0
|
|