2 ###############################################################################
4 # IPFire.org - A linux based firewall #
5 # Copyright (C) 2007-2022 IPFire Team <info@ipfire.org> #
7 # This program is free software: you can redistribute it and/or modify #
8 # it under the terms of the GNU General Public License as published by #
9 # the Free Software Foundation, either version 3 of the License, or #
10 # (at your option) any later version. #
12 # This program is distributed in the hope that it will be useful, #
13 # but WITHOUT ANY WARRANTY; without even the implied warranty of #
14 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
15 # GNU General Public License for more details. #
17 # You should have received a copy of the GNU General Public License #
18 # along with this program. If not, see <http://www.gnu.org/licenses/>. #
20 ###############################################################################
# Make sure the helper binaries shipped in /usr/local are found first.
PATH="/usr/local/sbin:/usr/local/bin:${PATH}"
export PATH
28 # GCP only supports an MTU of 1460
34 wget
-qO - "http://169.254.169.254/opc/v1/ ${file} "
42 # Try to decode this and return output if successful
43 if base64
-d <<< " ${input} " > " ${tmp} " 2 >/ dev
/ null
; then
46 # Otherwise just return the input
58 local o1
= $
(( ( n
& 0xff000000 ) >> 24 ))
59 local o2
= $
(( ( n
& 0xff0000 ) >> 16 ))
60 local o3
= $
(( ( n
& 0xff00 ) >> 8 ))
61 local o4
= $
(( ( n
& 0xff ) ))
63 printf "%d.%d.%d.%d \n " " ${o1}" "${o2}" "${o3}" "${o4} "
72 for i
in ${address//\./ } ; do
73 integer
= $
(( ( integer
<< 8) + i ))
76 printf "%d\n" " ${integer} "
82 local zeros=$(( 32 - prefix ))
86 for (( i=0; i< ${zeros} ; i++ )); do
87 netmask=$(( (netmask << 1) ^ 1 ))
90 to_address "$(( netmask ^ 0xffffffff ))"
#######################################
# Lists the VNICs attached to this instance.
# Outputs: the vnicId of every VNIC reported by the metadata service,
#          one per line, on stdout
# Returns: exit status of the python3 stage
#######################################
oci_list_interfaces() {
	# The metadata service answers with a JSON array of VNIC objects.
	get "vnics/" | python3 -c 'import json, sys; print("\n".join(v["vnicId"] for v in json.load(sys.stdin)))'
}
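#######################################
# Reads one attribute of a VNIC from the instance metadata.
# Arguments: $1 - vnicId of the VNIC (as printed by oci_list_interfaces)
#            $2 - name of the attribute to read (e.g. macAddr, privateIp)
# Outputs:   the attribute value on stdout, empty if the VNIC has no
#            such attribute
# Returns:   exit status of the python3 stage
#######################################
oci_get_interface_param() {
	local id="${1}"
	local param="${2}"

	# Both values are handed to Python as argv instead of being spliced
	# into the program text: they originate from the metadata service,
	# and a quote or backslash in either would otherwise change the
	# Python program rather than the data it compares against.
	# Values are converted with str() because join() only accepts
	# strings; attributes such as nicIndex are numeric in the VNIC JSON
	# (verify against the metadata output), and would otherwise raise.
	get "vnics/" | python3 -c '
import json, sys
wanted_id, param = sys.argv[1], sys.argv[2]
values = []
for vnic in json.load(sys.stdin):
    if vnic["vnicId"] == wanted_id:
        value = vnic.get(param)
        values.append("" if value is None else str(value))
print("\n".join(values))
' "${id}" "${param}"
}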
104 import_oci_configuration() {
105 local instance_id="$(get instance/id)"
107 boot_mesg "Importing Oracle Cloud Infrastructure configuration for instance ${instance_id} ..."
110 echo " ${instance_id} " > /var/run/oci-instance-id
112 # Initialise system settings
113 local hostname=$(get instance/hostname)
116 if ! grep -q "^HOSTNAME=" /var/ipfire/main/settings; then
117 echo "HOSTNAME= ${hostname%%.*} " >> /var/ipfire/main/settings
121 if ! grep -q "^DOMAINNAME=" /var/ipfire/main/settings; then
122 echo "DOMAINNAME= ${hostname#*.} " >> /var/ipfire/main/settings
126 if ! getent passwd setup &>/dev/null; then
127 useradd setup -s /usr/bin/run-setup -g nobody -m
133 # Import SSH keys for setup user
135 while read -r line; do
136 # Strip the username part from the key
137 local key=" ${line#*:} "
139 if [ -n " ${key} " ] && ! grep -q "^ ${key} $" "/home/setup/.ssh/authorized_keys" 2>/dev/null; then
140 mkdir -p "/home/setup/.ssh"
141 chmod 700 "/home/setup/.ssh"
142 chown setup.nobody "/home/setup/.ssh"
144 echo " ${key} " >> "/home/setup/.ssh/authorized_keys"
145 chmod 600 "/home/setup/.ssh/authorized_keys"
146 chown setup.nobody "/home/setup/.ssh/authorized_keys"
148 done <<<"$(get instance/metadata/ssh_authorized_keys)"
150 # Import network configuration
151 # After this, no network connectivity will be available from this script due to the
152 # renaming of the network interfaces for which they have to be shut down
154 : > /var/ipfire/ethernet/settings
157 for id in $(oci_list_interfaces); do
158 local mac="$(oci_get_interface_param " ${id} " "macAddr")"
161 local ipv4_address="$(oci_get_interface_param " ${id} " "privateIp")"
162 local ipv4_address_num="$(to_integer " ${ipv4_address} ")"
164 local subnet="$(oci_get_interface_param " ${id} " "subnetCidrBlock")"
165 local prefix=" ${subnet#*/} "
167 local netmask="$(prefix2netmask " ${prefix} ")"
169 # Calculate the network and broadcast addresses
170 local netaddress=" ${subnet%/*} "
172 local index="$(oci_get_interface_param " ${id} " "nicIndex")"
174 # Set index to zero if it was empty
175 if [ -z " ${index} " ]; then
182 local interface_name="red0"
183 local gateway="$(oci_get_interface_param " ${id} " "virtualRouterIp")"
186 echo "RED_TYPE=STATIC"
187 echo "RED_DEV= ${interface_name} "
188 echo "RED_MACADDR= ${mac} "
189 echo "RED_DESCRIPTION=' ${id} '"
190 echo "RED_ADDRESS= ${ipv4_address} "
191 echo "RED_NETMASK= ${netmask} "
192 echo "RED_NETADDRESS= ${netaddress} "
194 echo "DEFAULT_GATEWAY= ${gateway} "
195 ) >> /var/ipfire/ethernet/settings
197 # Import aliases for RED
198 #for alias in $(get "instance/network-interfaces/ ${device_number} /ip-aliases"); do
199 # echo " ${alias} ,on,"
200 #done > /var/ipfire/ethernet/aliases
205 local interface_name="green0"
208 echo "GREEN_DEV= ${interface_name} "
209 echo "GREEN_MACADDR= ${mac} "
210 echo "GREEN_DESCRIPTION=' ${id} '"
211 echo "GREEN_ADDRESS= ${ipv4_address} "
212 echo "GREEN_NETMASK= ${netmask} "
213 echo "GREEN_NETADDRESS= ${netaddress} "
214 echo "GREEN_MTU= ${DEFAULT_MTU} "
215 ) >> /var/ipfire/ethernet/settings
220 local interface_name="orange0"
224 echo "ORANGE_DEV= ${interface_name} "
225 echo "ORANGE_MACADDR= ${mac} "
226 echo "ORANGE_DESCRIPTION=' ${id} '"
227 echo "ORANGE_ADDRESS= ${ipv4_address} "
228 echo "ORANGE_NETMASK= ${netmask} "
229 echo "ORANGE_NETADDRESS= ${netaddress} "
230 echo "ORANGE_MTU= ${DEFAULT_MTU} "
231 ) >> /var/ipfire/ethernet/settings
237 echo "CONFIG_TYPE= ${config_type} " >> /var/ipfire/ethernet/settings
239 # Actions performed only on the very first start
240 if [ ! -e "/var/ipfire/main/firstsetup_ok" ]; then
241 # Disable using ISP nameservers
242 sed -e "s/^USE_ISP_NAMESERVERS=.*/USE_ISP_NAMESERVERS=off/" -i /var/ipfire/dns/settings
245 sed -e "s/ENABLE_SSH=.*/ENABLE_SSH=on/g" -i /var/ipfire/remote/settings
247 # Disable SSH password authentication
248 sed -e "s/^ENABLE_SSH_PASSWORDS=.*/ENABLE_SSH_PASSWORDS=off/" -i /var/ipfire/remote/settings
250 # Enable SSH key authentication
251 sed -e "s/^ENABLE_SSH_KEYS=.*/ENABLE_SSH_KEYS=on/" -i /var/ipfire/remote/settings
254 /usr/local/bin/sshctrl
256 # Mark SSH to start immediately (but not right now)
257 touch /var/ipfire/remote/enablessh
258 chown nobody:nobody /var/ipfire/remote/enablessh
260 # Firewall rules for SSH and WEBIF
262 echo "1,ACCEPT,INPUTFW,ON,std_net_src,ALL,ipfire,RED1,,TCP,,,ON,,,cust_srv,SSH,,,,,,,,,,,00:00,00:00,,AUTO,,dnat,,,,,second"
263 echo "2,ACCEPT,INPUTFW,ON,std_net_src,ALL,ipfire,RED1,,TCP,,,ON,,,TGT_PORT,444,,,,,,,,,,,00:00,00:00,,AUTO,,dnat,,,,,second"
264 ) >> /var/ipfire/firewall/input
266 # Download a startup script
267 local script="$(get instance/metadata/user_data)"
270 script="$(try_base64_decode " ${script} ")"
273 if [ " ${script:0:2} " = "#!" ]; then
274 echo " ${script} " > /tmp/user-data.script
275 chmod 700 /tmp/user-data.script
278 local now="$(date -u +"%s")"
279 /tmp/user-data.script &>/var/log/user-data.log. ${now}
281 # Delete the script right away
282 rm /tmp/user-data.script
285 # This script has now completed the first steps of setup
286 touch /var/ipfire/main/firstsetup_ok
295 # Bring up the interface
296 ip link set " ${interface} " up
299 BOUND|RENEW|REBIND|REBOOT)
300 # Remove any previous IP addresses
301 ip addr flush dev " ${interface} "
303 # Add (or re-add) the new IP address
304 ip addr add " ${new_ip_address}/${new_subnet_mask}" dev "${interface} "
306 # Add the default route
307 ip route add " ${new_routers} " dev " ${interface} "
308 ip route add default via " ${new_routers} "
311 for domain_name_server in ${new_domain_name_servers} ; do
312 echo "nameserver ${domain_name_server} "
313 done > /etc/resolv.conf
315 # The system is online now
316 touch /var/ipfire/red/active
318 # Import OCI configuration
319 import_oci_configuration
322 EXPIRE|FAIL|RELEASE|STOP)
323 # The system is no longer online
324 rm -f /var/ipfire/red/active
326 # Remove all IP addresses
327 ip addr flush dev " ${interface} "
329 # Shut down the interface
330 ip link set " ${interface} " down
334 echo "Unhandled reason: ${reason} " >&2