bsp: Add runonce bits
This is based on, and some items are pulled directly from, Google's Mendel Linux. This adds a service that lets us run scripts once, typically on the first boot, but it will also check if any of the scripts have changed since being created, and if there are changes, it will run again. Things that will need to change: e2fsresize - we're going to want to expand the partition first; enable-services - decide a list of services we're going to want to enable - possibly do services based on files in /boot (à la enable-ssh). The user and language related stuff, we can probably make it so that they can be replaced with a supplied user variable in the build script or something, and replace that, so when users create their own images, they can generate them with their own users/language settings. For now, we hardcode en_US.UTF-8 and kali
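--- a/bsp/profile.d/default-lang.sh
+++ b/bsp/profile.d/default-lang.sh
@@ -0,0 +1,5 @@
+# Set the default LANG to something sensible if it is unset
+if [ -z "$LANG" ]; then
+source /etc/locale.conf
+export LANG
+fi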
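Review bot: `source /etc/locale.conf` on the third line is unguarded and a bashism: files under /etc/profile.d are read by whichever login shell sources /etc/profile, a POSIX sh such as dash has no `source`, and a missing /etc/locale.conf prints an error at every login. Use the portable form with an existence check, `[ -r /etc/locale.conf ] && . /etc/locale.conf`. Since the file is executed in every user's login shell, it should stay root-owned and not writable by other users; a one-line comment saying so above the `if` would record that expectation.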
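--- a/bsp/runonce.d/00-e2fsresize
+++ b/bsp/runonce.d/00-e2fsresize
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+/sbin/resize2fs $(findmnt -n -o SOURCE /)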
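Review bot: The `$(findmnt -n -o SOURCE /)` substitution on the last line is unquoted and unchecked, so if findmnt prints nothing resize2fs is invoked with no device argument, and whatever exit status results is what the runonce driver uses to decide whether to cache this script as done. Capture and quote it, `dev=$(findmnt -n -o SOURCE /) || exit 1`, then `[ -n "$dev" ] || exit 1` and `/sbin/resize2fs "$dev"`. The commit message already notes the partition must be grown before this is useful; a comment to that effect above the call would keep that caveat with the code.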
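--- a/bsp/runonce.d/00-rootfs-cleanup
+++ b/bsp/runonce.d/00-rootfs-cleanup
@@ -0,0 +1,26 @@
+#!/bin/bash -e
+
+# Choose a locale and generate it to eliminate LC warnings.
+echo en_US.UTF-8 UTF-8 >/etc/locale.en
+locale-gen 2>&1 >> /var/log/rootfs-cleanups.log
+echo LANG=en_US.UTF-8 >/etc/locale.conf
+
+# Add the kali user and give them all the access they need.
+if ! grep -qE '^kali:' /etc/passwd; then
+adduser kali --home /home/kali --shell /bin/bash --disabled-password --gecos "" 2>&1 >>/var/log/rootfs-cleanups.log
+
+mkdir -p /home/kali 2>&1 >>/var/log/rootfs-cleanups.log
+chown kali:kali /home/kali 2>&1 >>/var/log/rootfs-cleanups.log
+echo 'kali:kali' |chpasswd 2>&1 >>/var/log/rootfs-cleanups.log
+fi
+
+# Reload and trigger udev rule
+udevadm control --reload-rules
+udevadm trigger
+
+KALI_GROUPS="adm audio bluetooth games i2c input plugdev staff sudo users video netdev systemd-journal render wireshark kismet"
+
+for i in $KALI_GROUPS; do
+echo "runonce: adding kali to $i" 2>&1 >>/var/log/rootfs-cleanups.log
+adduser kali $i 2>&1 >>/var/log/rootfs-cleanups.log
+done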
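Review bot: The redirections `2>&1 >>/var/log/rootfs-cleanups.log` on the locale-gen, adduser, mkdir, chown, chpasswd, echo and group-add lines are in the wrong order: stderr is duplicated to the original stdout before stdout is moved to the log, so errors go to the console and never reach the log; write `>>/var/log/rootfs-cleanups.log 2>&1` on each. The first echo writes `/etc/locale.en`, but locale-gen reads /etc/locale.gen, so the locale the comment promises is never generated; `/etc/locale.gen` looks like the intended path. The `echo 'kali:kali' | chpasswd` line bakes a well-known default credential into every image, and sibling scripts in this commit enable ssh and grant that user NOPASSWD sudo; until the user and password become build-time parameters as the commit message plans, expire the password at creation with `chage -d 0 kali` so the first login forces a change.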
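--- a/bsp/runonce.d/01-enable-services
+++ b/bsp/runonce.d/01-enable-services
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+systemctl enable ssh
+systemctl enable bluetooth
+systemctl enable NetworkManager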
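Review bot: Nothing checks the three `systemctl enable` calls, and the runonce driver caches a script as done from its last command's exit status alone, so a failed `systemctl enable ssh` would still be recorded as complete and never retried. Add `set -e` after the shebang, or enable them in one call, `systemctl enable ssh bluetooth NetworkManager`, so any failure surfaces in the script's status. The commit message says this list is still to be decided; a one-line comment above the calls marking them as provisional defaults would help the next editor.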
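--- a/bsp/runonce.d/03-check-ssh-keys
+++ b/bsp/runonce.d/03-check-ssh-keys
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+#sed -re's/^#?PasswordAuthentication.*/PasswordAuthentication no/g' -i /etc/ssh/sshd_config
+#sed -re's/^#ChallengeResponseAuthentication.*/ChallengeResponseAuthentication no/g' -i /etc/ssh/sshd_config
+sed -re's/^#?PermitRootLogin.*/PermitRootLogin no/g' -i /etc/ssh/sshd_config
+
+rm -f /etc/ssh/ssh_host_*
+test -f /etc/ssh/ssh_host_dsa_key || dpkg-reconfigure openssh-server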
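Review bot: The `test -f /etc/ssh/ssh_host_dsa_key` guard on the last line is dead: the preceding `rm -f /etc/ssh/ssh_host_*` has just removed every host key, so dpkg-reconfigure always runs, and current openssh-server packages do not generate a DSA key in any case, so the guard would never hold even without the rm. Regenerating per-image host keys is the right call; make the intent explicit by dropping the test and calling `ssh-keygen -A` (or `dpkg-reconfigure openssh-server` unconditionally). Because runonce re-executes a script whose content changes, any later edit here regenerates host keys on already-deployed systems and trips clients' known_hosts checks — worth a comment at the top of the file.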
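--- a/bsp/runonce.d/97-iptables
+++ b/bsp/runonce.d/97-iptables
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+# Docker doesn't play nicely with nftables. Use iptables-legacy instead.
+# Other things don't tend to use nftables either so this makes sense to do.
+sudo update-alternatives --set iptables /usr/sbin/iptables-legacy
+sudo update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy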
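Review bot: Both `update-alternatives` calls are prefixed with `sudo`, but under the runonce unit these scripts already run as root, so the prefix only adds a dependency on the sudo package; drop `sudo` from both lines. The calls also fail silently if the legacy alternatives are not installed, and runonce records success from the last exit status only, so add `set -e` after the shebang so a missing `/usr/sbin/iptables-legacy` is not cached as done.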
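--- a/bsp/runonce.d/98-set-datetime
+++ b/bsp/runonce.d/98-set-datetime
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+TIMESTAMP_FILE=/var/lib/systemd/clock
+PROGNAME=$(basename $(readlink -f $0))
+
+systemctl stop systemd-timesyncd
+
+date --set="$(stat /lost+found |grep Change |sed -e 's/^Change: //g' -e 's/+0000//g')"
+hwclock --systohc
+rm -f $TIMESTAMP_FILE
+touch $TIMESTAMP_FILE
+
+systemctl start systemd-timesyncd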
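Review bot: `PROGNAME` is computed from an unquoted `$0` and never used; either drop the line or quote it, `PROGNAME=$(basename "$(readlink -f "$0")")`. The `date --set` line scrapes the `Change:` row of human-readable `stat` output and strips a literal `+0000`, which depends on stat's output format and on the image having been built under UTC; `stat -c %z /lost+found` prints the ctime in a form GNU date should accept, so `date --set="$(stat -c %z /lost+found)"` removes the grep/sed parsing. A header comment explaining why /lost+found's ctime is used as the initial clock value (presumably the image build time is the best available timestamp before NTP is reachable) would make the intent clear, as would noting that `hwclock --systohc` is expected to fail on boards without an RTC.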
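--- a/bsp/runonce.d/99-user-sudo
+++ b/bsp/runonce.d/99-user-sudo
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+# Add the user to the sudoers file if they're not there
+if ! grep -q kali /etc/sudoers; then
+echo 'kali ALL=(ALL) NOPASSWD: ALL' >>/etc/sudoers
+fi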
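Review bot: `grep -q kali /etc/sudoers` matches any line containing that substring (a comment, or another user whose name contains it), so the rule can be skipped, and appending straight to /etc/sudoers bypasses the syntax check, where a malformed line locks everyone out of sudo. Write a drop-in instead: `echo 'kali ALL=(ALL) NOPASSWD: ALL' >/etc/sudoers.d/kali`, then `chmod 0440 /etc/sudoers.d/kali` and `visudo -cf /etc/sudoers.d/kali || rm -f /etc/sudoers.d/kali`, with the guard changed to `grep -qE '^kali[[:space:]]' /etc/sudoers /etc/sudoers.d/*`. NOPASSWD combined with the default `kali:kali` password set in 00-rootfs-cleanup gives anyone who can log in as that user passwordless root; that trade-off belongs in the header comment until the credentials become build parameters.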
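--- a/bsp/scripts/runonce
+++ b/bsp/scripts/runonce
@@ -0,0 +1,47 @@
+#!/bin/bash
+
+# Expansions of unset variables cause an error
+set -u
+
+# Given a script and its content SHA-1, determine if it should run based upon
+# whether its contents have changed.
+#
+# Returns 0 if the script should run, other values indicate it should not run.
+
+function should-run-script {
+local script="$1"; shift
+local script_sha1="$1"; shift
+local scipt_basename=$(basename "${script")
+
+if [[ -f /var/cache/runonce/$script_basename ]]; then
+previous_sha1=$(cat /var/cache/runonce/$script_basename)
+
+if [[ $script_sha1 == $previous_sha1 ]]; then
+return 1
+fi
+fi
+
+return 0
+}
+
+function main {
+local script=""
+
+for script in /etc/runonce.d/*; do
+local script_sha1=$(sha1sum $script |awk '{ print $1 }')
+
+if ! should-run-script $script $script_sha1; then
+continue;
+fi
+
+$script
+
+if [[ $? == 0 ]]; then
+local script_basename=$(basename $script)
+echo $script_sha1 > /var/cache/runonce/$script_basename
+sync /var/cache/runonce/$script_basename
+fi
+done
+}
+
+main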
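Review bot: The line `local scipt_basename=$(basename "${script")` in should-run-script is broken twice: the variable is misspelled (`scipt_`) while the next two lines read `$script_basename`, and `"${script"` is missing its closing brace, so the driver either fails to parse or aborts under `set -u` before any script runs. Beyond that, `/var/cache/runonce` is never created, so the `echo ... > /var/cache/runonce/...` after a successful run fails and every script is re-executed on each boot; and `for script in /etc/runonce.d/*` executes every entry as root, including editor backups and the literal pattern when the directory is empty. The rewrite below fixes the name and brace, creates the cache directory, skips non-executable entries and quotes the expansions; `previous_sha1` should also be declared `local`, and `set -o pipefail` would stop a failed `sha1sum` from being masked by awk.
```shell
function should-run-script {
  # … unchanged: script / script_sha1 arguments …
  local script_basename
  script_basename=$(basename "$script")
  # … unchanged: compare against /var/cache/runonce/$script_basename …
}

function main {
  local script=""
  mkdir -p /var/cache/runonce

  for script in /etc/runonce.d/*; do
    # skip backup files, non-executables and the literal glob of an empty dir
    [[ -x "$script" ]] || continue
    local script_sha1
    script_sha1=$(sha1sum "$script" | awk '{ print $1 }')
    if ! should-run-script "$script" "$script_sha1"; then
      continue
    fi
    "$script"
    # … unchanged: cache the SHA-1 when the script exits 0 …
  done
}
```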
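--- a/bsp/services/all/runonce.service
+++ b/bsp/services/all/runonce.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=Scripts that should be run only once
+Before=basic.target network-pre.target
+After=sysinit.target local-fs.target
+DefaultDependencies=no
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/sbin/runonce
+
+[Install]
+WantedBy=basic.target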
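Review bot: `ExecStart=/usr/sbin/runonce` points at an installed path while this commit adds the script as bsp/scripts/runonce; the copy is presumably done by the image build elsewhere, and a comment `# installed from bsp/scripts/runonce by the build` above ExecStart would make that dependency visible. With `DefaultDependencies=no` and `Before=basic.target`, the scripts run before most services exist, so 98-set-datetime's `systemctl stop`/`start systemd-timesyncd` pair most likely acts on a unit that has not started yet and its `start` may pull timesyncd up early — worth verifying on a real boot. Since every script is executed unconditionally as root, `ConditionPathIsDirectory=/etc/runonce.d` in [Unit] would make the unit a clean no-op on images that ship no scripts.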