bsp: Add runonce bits

This is based on and some items pulled directly from Google's Mendel Linux.

This adds a service that runs scripts once, typically on the first boot. It also records a hash of
each script when the script succeeds; if a script's contents change afterwards, it will be run again
on the next boot.

Things that will need to change:
  e2fsresize - we're going to want to expand the partition first
  enable-services - decide a list of services we're going to want to enable - possibly do services based on files in /boot (ala enable-ssh)

  The user and language related stuff, we can probably make it so that they can be replaced with a supplied user variable in the build script or something,
  and replace that, so when users create their own images, they can generate them with their own users/language settings.  For now, we hardcode en_US.UTF-8 and kali
This commit is contained in:
Steev Klimaszewski
2020-08-19 17:00:53 -05:00
parent c97011182d
commit a033f1fb12
10 changed files with 132 additions and 0 deletions


@@ -0,0 +1,5 @@
# Set the default LANG to something sensible if it is unset
if [ -z "$LANG" ]; then
source /etc/locale.conf
export LANG
fi
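Review bot: `source /etc/locale.conf` on the third line is unconditional, so every login shell prints an error when that file is absent, and if the file exists but does not set LANG the script exports an empty variable. Guard the read and use the POSIX form, since profile.d snippets are commonly read by /bin/sh as well as bash: `if [ -z "$LANG" ] && [ -r /etc/locale.conf ]; then . /etc/locale.conf; export LANG; fi`. The locale.conf this reads is written by the locale runonce script in this same commit, so the guard mainly matters on images where that step did not complete.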


@@ -0,0 +1,3 @@
#!/bin/bash
/sbin/resize2fs $(findmnt -n -o SOURCE /)
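Review bot: The command substitution on the second line is unquoted and unchecked, so an empty `findmnt` result runs `resize2fs` with no device, and a non-ext root filesystem fails every boot because runonce only records a script as done when it exits 0. Capture the source first and bail out cleanly: `root=$(findmnt -n -o SOURCE /) || exit 1` followed by `/sbin/resize2fs "$root"`. The commit message says the partition itself still needs to be grown before this runs; until that exists this step does nothing useful on an unexpanded partition, which is worth a comment at the top of the file.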


@@ -0,0 +1,26 @@
#!/bin/bash -e
# Choose a locale and generate it to eliminate LC warnings.
echo en_US.UTF-8 UTF-8 >/etc/locale.en
locale-gen 2>&1 >> /var/log/rootfs-cleanups.log
echo LANG=en_US.UTF-8 >/etc/locale.conf
# Add the kali user and give them all the access they need.
if ! grep -qE '^kali:' /etc/passwd; then
adduser kali --home /home/kali --shell /bin/bash --disabled-password --gecos "" 2>&1 >>/var/log/rootfs-cleanups.log
mkdir -p /home/kali 2>&1 >>/var/log/rootfs-cleanups.log
chown kali:kali /home/kali 2>&1 >>/var/log/rootfs-cleanups.log
echo 'kali:kali' |chpasswd 2>&1 >>/var/log/rootfs-cleanups.log
fi
# Reload and trigger udev rule
udevadm control --reload-rules
udevadm trigger
KALI_GROUPS="adm audio bluetooth games i2c input plugdev staff sudo users video netdev systemd-journal render wireshark kismet"
for i in $KALI_GROUPS; do
echo "runonce: adding kali to $i" 2>&1 >>/var/log/rootfs-cleanups.log
adduser kali $i 2>&1 >>/var/log/rootfs-cleanups.log
done
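Review bot: The `echo 'kali:kali' | chpasswd` line sets a published default password on an account that the group list below also places in `sudo`, and the ssh script in this commit leaves the password-authentication lines commented out, so the image is reachable with known credentials as soon as sshd is up; at minimum add `chage -d 0 kali` after chpasswd to force a change at first login. Separately, the first line writes to `/etc/locale.en`, but `locale-gen` reads `/etc/locale.gen`, so the en_US.UTF-8 locale is likely never generated — `echo en_US.UTF-8 UTF-8 >/etc/locale.gen`. Every `2>&1 >>file` in this file also has the redirections reversed: stderr goes to the console and only stdout reaches the log; write `>>file 2>&1`. Note that `#!/bin/bash -e` is lost if this is ever invoked as `bash script`; prefer `set -e` in the body.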


@@ -0,0 +1,5 @@
#!/bin/bash
systemctl enable ssh
systemctl enable bluetooth
systemctl enable NetworkManager
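Review bot: `systemctl enable ssh` on the second line is unconditional, and with the default `kali:kali` credentials set elsewhere in this commit that exposes a known login the first time the network comes up; the commit message itself floats gating services on files in /boot, so do that here for ssh: `[ -e /boot/ssh ] && systemctl enable ssh`. Because this runs from a oneshot ordered before basic.target, units enabled here are probably not started in the current boot transaction — if they are expected to be running on first boot, use `systemctl enable --now` or document in a comment that they take effect on the next boot.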


@@ -0,0 +1,8 @@
#!/bin/bash
#sed -re's/^#?PasswordAuthentication.*/PasswordAuthentication no/g' -i /etc/ssh/sshd_config
#sed -re's/^#ChallengeResponseAuthentication.*/ChallengeResponseAuthentication no/g' -i /etc/ssh/sshd_config
sed -re's/^#?PermitRootLogin.*/PermitRootLogin no/g' -i /etc/ssh/sshd_config
rm -f /etc/ssh/ssh_host_*
test -f /etc/ssh/ssh_host_dsa_key || dpkg-reconfigure openssh-server
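Review bot: The `test -f /etc/ssh/ssh_host_dsa_key` guard on the last line can never skip the reconfigure, because the preceding `rm -f /etc/ssh/ssh_host_*` has just deleted it, and current OpenSSH releases do not generate DSA host keys anyway; run the regeneration unconditionally, e.g. `rm -f /etc/ssh/ssh_host_*` then `ssh-keygen -A`, which creates every default key type without going through dpkg. Regenerating host keys on first boot is the right call here, since every device flashed from the same rootfs would presumably otherwise share one key pair. The two commented-out `PasswordAuthentication`/`ChallengeResponseAuthentication` lines are what keep the default `kali:kali` password usable over SSH; if they are meant to stay disabled, a comment should say why.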


@@ -0,0 +1,6 @@
#!/bin/bash
# Docker doesn't play nicely with nftables. Use iptables-legacy instead.
# Other things don't tend to use nftables either so this makes sense to do.
sudo update-alternatives --set iptables /usr/sbin/iptables-legacy
sudo update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
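Review bot: Both `update-alternatives` lines are prefixed with `sudo`, but runonce executes these scripts as root from a systemd oneshot, so `sudo` only adds a dependency on the sudo package and its configuration; drop it. `update-alternatives --set` exits non-zero when `iptables-legacy` is not installed, which makes runonce retry this script every boot; guard it with `command -v iptables-legacy >/dev/null || exit 0` before the two lines. Switching the packet-filter backend is a firewall-policy decision, so the header comment should also name the package (Docker) that needs it rather than just "other things".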


@@ -0,0 +1,13 @@
#!/bin/bash
TIMESTAMP_FILE=/var/lib/systemd/clock
PROGNAME=$(basename $(readlink -f $0))
systemctl stop systemd-timesyncd
date --set="$(stat /lost+found |grep Change |sed -e 's/^Change: //g' -e 's/+0000//g')"
hwclock --systohc
rm -f $TIMESTAMP_FILE
touch $TIMESTAMP_FILE
systemctl start systemd-timesyncd
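Review bot: The `date --set` line parses the human-readable `stat` output through `grep`/`sed`, which depends on the English locale and on the offset being exactly `+0000`; `stat` can emit the change time directly as an epoch value, `date --set="@$(stat -c %Z /lost+found)"`. `PROGNAME` on the third line is assigned but never used. The intent — seeding the clock from the filesystem's creation time so it is not far in the past before timesyncd has synced — is worth stating in a header comment, since nothing in the file says why /lost+found is the reference; I am inferring that from the timesyncd stop/start around it.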


@@ -0,0 +1,6 @@
#!/bin/bash
# Add the user to the sudoers file if they're not there
if ! grep -q kali /etc/sudoers; then
echo 'kali ALL=(ALL) NOPASSWD: ALL' >>/etc/sudoers
fi

47
bsp/scripts/runonce Normal file

@@ -0,0 +1,47 @@
#!/bin/bash
# Expansions of unset variables cause an error
set -u
# Given a script and its content SHA-1, determine if it should run based upon
# whether its contents have changed.
#
# Returns 0 if the script should run, other values indicate it should not run.
function should-run-script {
local script="$1"; shift
local script_sha1="$1"; shift
local scipt_basename=$(basename "${script")
if [[ -f /var/cache/runonce/$script_basename ]]; then
previous_sha1=$(cat /var/cache/runonce/$script_basename)
if [[ $script_sha1 == $previous_sha1 ]]; then
return 1
fi
fi
return 0
}
function main {
local script=""
for script in /etc/runonce.d/*; do
local script_sha1=$(sha1sum $script |awk '{ print $1 }')
if ! should-run-script $script $script_sha1; then
continue;
fi
$script
if [[ $? == 0 ]]; then
local script_basename=$(basename $script)
echo $script_sha1 > /var/cache/runonce/$script_basename
sync /var/cache/runonce/$script_basename
fi
done
}
main
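Review bot: `should-run-script` is broken as written: its fourth line assigns `scipt_basename` from `"${script"`, a bad substitution and a misspelling, while the next two lines read `script_basename`, which under `set -u` aborts the whole run; fix the spelling and the brace, and create `/var/cache/runonce` before writing into it, since nothing in this commit makes that directory. Two smaller points in `main`: the glob `/etc/runonce.d/*` yields the literal pattern when the directory is empty, and `$script` is executed directly, so a stray non-executable or editor backup file there fails every boot — skip anything that is not an executable regular file. Quoting `$script` also matters since everything here runs as root.
```shell
function should-run-script {
  local script="$1"; shift
  local script_sha1="$1"; shift
  local script_basename cache previous_sha1
  script_basename=$(basename "${script}")
  cache="/var/cache/runonce/${script_basename}"
  if [[ -f "$cache" ]]; then
    previous_sha1=$(cat "$cache")
    if [[ "$script_sha1" == "$previous_sha1" ]]; then
      return 1
    fi
  fi
  return 0
}

function main {
  local script=""
  mkdir -p /var/cache/runonce
  for script in /etc/runonce.d/*; do
    [[ -f "$script" && -x "$script" ]] || continue
    local script_sha1
    script_sha1=$(sha1sum "$script" | awk '{ print $1 }')
    # … unchanged: should-run-script check, run the script, record sha1 on success …
  done
}
```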


@@ -0,0 +1,13 @@
[Unit]
Description=Scripts that should be run only once
Before=basic.target network-pre.target
After=sysinit.target local-fs.target
DefaultDependencies=no
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/sbin/runonce
[Install]
WantedBy=basic.target
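Review bot: `ExecStart=/usr/sbin/runonce` writes under /var/cache and executes files from /etc/runonce.d, but with `DefaultDependencies=no` the unit relies solely on `After=local-fs.target` for those paths; make the dependency explicit with `RequiresMountsFor=/var/cache/runonce /etc/runonce.d`, and add `ConditionDirectoryNotEmpty=/etc/runonce.d` so the oneshot is skipped on images with nothing to run. The scripts in this commit call `systemctl enable`, `systemctl stop`/`start systemd-timesyncd` and `date --set` from inside this early oneshot; whether timesyncd is already running at this point depends on its own ordering, so that interaction deserves a comment in the unit. Ordering before network-pre.target is a good choice here, since one of these scripts regenerates the ssh host keys.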