#!/bin/bash
#
# Copyright © 2024 Quintor B.V.
#
# BCLD is gelicentieerd onder de EUPL, versie 1.2 of
# – zodra ze zullen worden goedgekeurd door de Europese Commissie -
# latere versies van de EUPL (de "Licentie");
# U mag BCLD alleen gebruiken in overeenstemming met de licentie.
# U kunt een kopie van de licentie verkrijgen op:
#
# https://joinup.ec.europa.eu/collection/eupl/eupl-text-eupl-12
#
# Tenzij vereist door de toepasselijke wetgeving of overeengekomen in
# schrijven, wordt software onder deze licentie gedistribueerd
# gedistribueerd op een "AS IS"-basis,
# ZONDER ENIGE GARANTIES OF VOORWAARDEN, zowel
# expliciet als impliciet.
# Zie de licentie voor de specifieke taal die van toepassing is
# en de beperkingen van de licentie.
#
#
# Copyright © 2024 Quintor B.V.
#
# BCLD is licensed under the EUPL, Version 1.2 or
# – as soon they will be approved by the European Commission -
# subsequent versions of the EUPL (the "Licence");
# You may not use BCLD except in compliance with the Licence.
# You may obtain a copy of the License at:
#
# https://joinup.ec.europa.eu/collection/eupl/eupl-text-eupl-12
#
# Unless required by applicable law or agreed to in
# writing, software distributed under the License is
# distributed on an "AS IS" basis,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
# express or implied.
# See the License for the specific language governing
# permissions and limitations under the License.
#
#
# BCLD Chroot script
# This script configures the freshly bootstrapped chroot environment
# on the build agent.
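set -e
# A failing stage in the `apt-get … | tee -a "${LOG_FILE}"` pipelines below
# must abort the build; without pipefail only tee's (always zero) status is
# seen. The helpers sourced from echo_tools.sh are expected to tolerate this
# -- TODO confirm.
set -o pipefail

BUILD_CONF='/root/BUILD.conf'
ECHO_TOOLS='/usr/bin/echo_tools.sh'

# Source the helpers and the build config as plain statements. Inside an
# `a && b` list a failing `a` is exempt from `set -e`, so a missing or broken
# file used to be skipped silently instead of stopping the build.
source "${ECHO_TOOLS}"
list_item "Echo tools loaded!"

# shellcheck source=./root/BUILD.conf
source "${BUILD_CONF}"
list_item "Build config loaded!"
list_entry
# Echo the config into the build log, but redact secret assignments first:
# BCLD_SECRET (consumed by add_user below, presumably defined in this file)
# must not end up in CI output.
/usr/bin/sed -E 's/^([[:space:]]*(export[[:space:]]+)?[A-Za-z0-9_]*SECRET[A-Za-z0-9_]*=).*/\1<redacted>/' "${BUILD_CONF}"

# ENVs
BCLD_ROOT='/root'
BCLD_MOUNT='/media/BCLD-USB'
CHROOT_RM='/opt/remotelogging'
SSHD="/etc/ssh/sshd_config.d/10-BCLD.conf"
SUDOERS="/etc/sudoers"

# VARs (BCLD_USER comes from BUILD.conf)
BCLD_HOME="/home/${BCLD_USER}"
NSSDB="${BCLD_HOME}/.pki/nssdb"
APP_PKGS="${BCLD_ROOT}/APP"
CHROOT_PKGS="${BCLD_ROOT}/CHROOT"
PKGS_ALL="${BCLD_ROOT}/PKGS_ALL"
LOG_FILE="${BCLD_ROOT}/APT_LOG.log"
REMOVE="${BCLD_ROOT}/REMOVE"
SELECTIONS="${BCLD_ROOT}/selections.conf"

# ENVs
# APP_DIR is not defined in this script (expected from BUILD.conf). Only
# count .debs when the directory exists, so an absent APP_DIR still yields 0
# and falls through to the APP_PKGS path instead of erroring out.
if [[ -d "${APP_DIR:-}" ]]; then
    DEB_COUNT=$(/usr/bin/find "${APP_DIR}" -type f -name '*.deb' | wc -l)
else
    DEB_COUNT=0
fi
DEFAULT_TARGET='graphical'
TAG="RUN-CHROOT"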
## Functions
# Function to remove files if they exist
function clear_file () {
if [[ -f ${1} ]]; then
list_item "Cleaning up file: ${1}"
/usr/bin/rm -f "${1}"
fi
}
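# Create the BCLD login account $1 (fixed UID 999, system account with a
# home directory, bash shell) and grant it passwordless sudo.
#
# BCLD_SECRET must already be a crypt(3) hash: useradd --password and
# chpasswd -e both store the string verbatim, so a plaintext value would
# leave the account unusable rather than set that password.
function add_user () {
    # Refuse an empty value outright: it would have been written as an empty
    # hash field, which shadow(5) treats as "no password required".
    : "${BCLD_SECRET:?BCLD_SECRET (crypt(3) password hash) must be set}"
    /usr/sbin/useradd -rmo \
        --uid 999 \
        --groups adm,cdrom,sudo,dip,plugdev,video \
        --shell /bin/bash \
        "${1}"
    # Feed the hash over stdin instead of useradd's command line, where it
    # was readable by every process on the build agent via ps / /proc.
    /usr/bin/printf '%s:%s\n' "${1}" "${BCLD_SECRET}" | /usr/sbin/chpasswd -e
    list_item "Added \"${1}\" to 'sudo'..."
    list_item "Added \"${1}\" with UID '999'..."
    list_item "Added \"${1}\" with 'bash' shell..."
    # NOTE(review): NOPASSWD:ALL makes the login account root-equivalent with
    # no second factor; acceptable only because this is a single-user live
    # image -- confirm. Validate the edited file so a malformed entry cannot
    # lock sudo out of the built image.
    /usr/bin/printf '%s ALL=(ALL) NOPASSWD:ALL\n' "${1}" >> "${SUDOERS}"
    if [[ -x /usr/sbin/visudo ]]; then
        /usr/sbin/visudo -cf "${SUDOERS}"
    fi
    list_item "Added \"${1}\" to sudoers file..."
}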
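# Hash plaintext $2 with OpenSSL and store it for account $1.
# NOTE(review): not called anywhere in this script; add_user stores
# BCLD_SECRET (already a hash) directly.
function set_passwd () {
    local pw_hash
    list_header "Setting user password for: ${1}"
    # -6 selects SHA-512 crypt; the previous -1 (MD5-crypt) is deprecated for
    # password storage. The plaintext only travels over stdin, and the hash
    # is likewise handed to chpasswd on stdin rather than on a command line
    # where ps / /proc would expose it.
    pw_hash="$(/usr/bin/printf '%s\n' "${2}" | openssl passwd -6 -stdin)"
    /usr/bin/printf '%s:%s\n' "${1}" "${pw_hash}" | /usr/sbin/chpasswd -e
}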
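### Install packages ###
# apt and the mktemp call below need /tmp writable with the usual sticky bit.
/usr/bin/chmod -v 1777 /tmp

## Helpers for the package-list files in /root
function pkg_words () {
    # Read whitespace-separated package names on stdin and print one per
    # line with empty fields dropped. Used instead of unquoted `$(cat …)` so
    # the shell never glob-expands an entry against the current directory.
    /usr/bin/tr -s '[:space:]' '\n' | /usr/bin/sed '/^$/d'
}

function install_list () {
    # Install the packages listed in file $1, teeing apt's output into
    # LOG_FILE. A missing list file is a build error instead of a silent
    # "install nothing" (on_failure is expected to abort the script).
    local -a pkgs
    if [[ ! -f "${1}" ]]; then
        list_item_fail "Package list not found: ${1}"
        on_failure
    fi
    mapfile -t pkgs < <(pkg_words < "${1}")
    /usr/bin/apt-get install -yq --no-install-recommends "${pkgs[@]}" | /usr/bin/tee -a "${LOG_FILE}"
}

# Bootstrap the tools the rest of the provisioning depends on. Two statements
# on purpose: inside `a && b` a failing `a` is exempt from `set -e`, so a
# failed update used to skip the install without stopping the build.
/usr/bin/apt-get update
/usr/bin/apt-get install -y curl gpg

# Update using the selected mirror
list_header "Updating packages"
list_entry
/usr/bin/apt-get update -y
/usr/bin/apt-get upgrade -y

# Configure dpkg first for auto keyboard
list_header "Configuring DPKG (essentials)"
list_entry
install_list "${CHROOT_PKGS}"
# NOTE(review): the preseeded answers are loaded *after* CHROOT_PKGS is
# installed; if any of those packages prompt via debconf the selections
# arrive too late for them -- confirm the intended order.
debconf-set-selections < "${SELECTIONS}"

## Rebuild the CA bundle so later HTTPS fetches (apt, curl) validate
/usr/sbin/update-ca-certificates

# Start installing
list_header "APT installations"
list_entry
install_list "${PKGS_ALL}"

## Install extra packages (BCLD_PKG_EXTRA: whitespace-separated, from BUILD.conf)
if [[ -n "${BCLD_PKG_EXTRA}" ]]; then
    list_header "Found extra packages: ${BCLD_PKG_EXTRA}"
    list_entry
    mapfile -t EXTRA_PKGS < <(pkg_words <<< "${BCLD_PKG_EXTRA}")
    /usr/bin/apt-get install -yq --no-install-recommends "${EXTRA_PKGS[@]}" | /usr/bin/tee -a "${LOG_FILE}"
fi

### Uninstall packages ###
## If there is a REMOVE file, use it.
if [[ -f ${REMOVE} ]]; then
    list_header "REMOVE file detected, excluding packages"
    list_entry
    /usr/bin/cat "${REMOVE}"
    list_catch
    list_entry
    mapfile -t REMOVE_PKGS < <(pkg_words < "${REMOVE}")
    /usr/bin/apt-get remove -yq --purge "${REMOVE_PKGS[@]}" | /usr/bin/tee -a "${LOG_FILE}"
fi

# Configurations
list_header "Configurations"

## User/Run Level/Target -- boot straight into the graphical target
list_item "Default Target: ${DEFAULT_TARGET}"
list_entry
/usr/bin/systemctl enable "${DEFAULT_TARGET}.target"
/usr/bin/systemctl set-default "${DEFAULT_TARGET}.target"
list_catch

## User Management
list_item "User Management: \"${BCLD_USER}\""
if [[ -n ${BCLD_USER} ]]; then
    add_user "${BCLD_USER}"
else
    last_item "BCLD_USER is not set!"
    on_failure
fi

## USB-logger
list_item "Enable USB-logger by default"
list_entry
/usr/bin/mkdir -pv "${BCLD_MOUNT}"
list_catch
list_item "Enabling USB-logger service..."
list_entry
/usr/bin/systemctl enable BCLD-USB.service
list_catch

## Chrome Dump
list_item "Enable BCLD-crosdump.service to catch Chrome dumps"
list_item "Enabling Chromium dump logger service..."
list_entry
/usr/bin/systemctl enable BCLD-crosdump.service
list_catch

## Rsyslog
list_item "Creating: ${CHROOT_RM} for Rsyslog"
list_entry
/usr/bin/mkdir -v "${CHROOT_RM}"
list_catch

## Xauth
# Broken
#list_item "Configuring Xauth..."
#/usr/bin/xauth -v generate :0 . trusted
#/usr/bin/xauth -v add ${HOST}:0 . $(xxd -l 16 -p /dev/urandom)

## Configure BCLD Big Mouse
BIG_MOUSE="$(mktemp --directory --suffix=_BCLD-BIG-MOUSE)"
list_item "Configuring BCLD Big Mouse™️ inside: ${BIG_MOUSE}"
list_entry
# apt drops privileges to _apt for downloads, so that user must own the dir.
/usr/bin/chown -Rv _apt "${BIG_MOUSE}"
cd "${BIG_MOUSE}"
# The package is fetched through apt (so the repository's signed index covers
# it) and only unpacked, never installed. dpkg-deb handles whichever
# compression the archive uses; the old ar/zstd/tar chain assumed zstd.
/usr/bin/apt-get download -y big-cursor
/usr/bin/dpkg-deb -x big-cursor*.deb "${BIG_MOUSE}"
/usr/bin/cp "${BIG_MOUSE}/usr/share/fonts/X11/misc/big-cursor.pcf.gz" "${BCLD_HOME}"
cd -
# Don't ship the unpacked package in the image's /tmp.
/usr/bin/rm -rf -- "${BIG_MOUSE:?}"
list_catch

## Unattended Security upgrades
list_item "Set DPKG to unattended..."
/usr/bin/printf '%s\n' 'unattended-upgrades unattended-upgrades/enable_auto_updates boolean true' | debconf-set-selections
dpkg-reconfigure -f noninteractive unattended-upgrades

# This is where the Chrome apps will be pulled from Nexus
if [[ ${DEB_COUNT} -gt 0 ]]; then
    # Look for any Chrome apps inside APP_DIR
    list_item "${DEB_COUNT} DEBs found in ${APP_DIR}! Installing..."
    list_entry
    /usr/bin/apt-get clean
    # Install every .deb in one apt transaction so dependencies between them
    # resolve; the previous `-exec … \; -quit` stopped after the first file.
    # NOTE(review): a local .deb given to apt-get is installed without any
    # signature check -- its integrity rests on the step that fetched it.
    /usr/bin/find "${APP_DIR}" -type f -name '*.deb' -exec /usr/bin/apt-get install -fy {} +
    # NOTE(review): this hands BCLD_USER write access to every application
    # under /opt, and chown clears set-user-ID bits on the executables it
    # touches -- confirm none of the installed apps rely on a setuid helper.
    /usr/bin/chown -Rv "${BCLD_USER}":"${BCLD_USER}" /opt
    # Cleanup the DEB dir (`:?` refuses to run as `rm -rf /` if APP_DIR is empty)
    /usr/bin/rm -rfv -- "${APP_DIR:?}"
    list_catch
elif [[ ! -s "${APP_PKGS}" ]]; then
    # APP_PKGS is a fixed path, so the old `-z` test could never fire; what
    # can actually go wrong is a missing or empty list file.
    list_item_fail "${APP_PKGS} cannot be empty!"
    on_failure
else
    # If there are no DEBs, use APP packages instead
    list_item "No DEBs found in APP_DIR, using: ${APP_PKGS}"
    list_entry
    install_list "${APP_PKGS}"
    list_catch
fi

## Configure Avahi
list_item "Disable resolvconf (for Avahi)"
# Since we are going with Avahi, disable resolveconf
#/usr/bin/systemctl disable --now systemd-resolved.service
# NOTE(review): deleting the packaged unit file is undone by the next
# systemd upgrade (unattended-upgrades is enabled above); `systemctl mask`
# would be the durable way to keep systemd-resolved off.
clear_file '/lib/systemd/system/systemd-resolved.service' 'Removing resolv.conf service...'
clear_file '/etc/resolv.conf' 'Removing resolv.conf file...'

## Configure firewall
list_item "Configuring firewall settings"
### Flush defaults
# NOTE(review): -F drops every rule but leaves the chain policies untouched,
# so the ruleset persisted below is empty under the default (normally
# ACCEPT) policies: the image ships without host filtering unless rules are
# added elsewhere. Confirm that is intended.
list_item "Flushing defaults..."
/usr/sbin/iptables -F
### Save settings
list_item "Saving firewall configurations..."
list_entry
/usr/sbin/netfilter-persistent save
list_catch

## Reload libraries
/usr/sbin/ldconfig

## Configure Plymouth
list_item "Configuring Plymouth Spinner..."
list_entry
/usr/bin/update-alternatives --install /usr/share/plymouth/themes/default.plymouth default.plymouth /usr/share/plymouth/themes/spinner/spinner.plymouth 200
list_catch

# MODEL packs
if [[ ${BCLD_MODEL} = 'test' ]]; then
    # Test images only: this enables password SSH logins (and X11 forwarding)
    # for an account that also has NOPASSWD sudo. A release build must never
    # run with BCLD_MODEL='test'.
    list_item "BCLD_MODEL set to: ${BCLD_MODEL}"
    last_item 'Configuring OpenSSH Server...'
    /usr/bin/printf '%s\n' 'PasswordAuthentication yes' > "${SSHD}"
    /usr/bin/printf '%s\n' 'X11Forwarding yes' >> "${SSHD}"
    /usr/bin/systemctl enable ssh.service
fi

# Cleanup
list_header "Cleanup"
## Remove all the package lists...
clear_file "${CHROOT_PKGS}"
clear_file "${APP_PKGS}"
clear_file "${PKGS_ALL}"
clear_file "${REMOVE}"
clear_file "${SELECTIONS}"

## Clean APT and history
list_item "Cleaning APT..."
list_entry
/usr/bin/apt-get autoremove -yq | /usr/bin/tee -a "${LOG_FILE}"
/usr/bin/apt-get clean
history -c
list_catch

## Clear chroot logs
list_item "Cleaning chroot logs..."
list_entry
# CHROOT_DIR is not set in this script; inside the chroot it is presumably
# empty, so this is /root/*.log -- which also deletes LOG_FILE (APT_LOG.log).
/usr/bin/rm -fv -- "${CHROOT_DIR:-}"/root/*.log
list_exit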