]>
Commit | Line | Data |
---|---|---|
138c94a9 MT |
1 | #!/bin/bash |
2 | ||
3 | . /etc/sysconfig/rc | |
4 | . ${rc_functions} | |
5 | ||
6 | # Set PATH to find our own executables | |
7 | export PATH=/usr/local/sbin:/usr/local/bin:${PATH} | |
8 | ||
9 | # GCP only supports an MTU of 1460 | |
10 | DEFAULT_MTU=1460 | |
11 | ||
12 | get() { | |
13 | local file="${1}" | |
14 | ||
15 | wget -qO - "http://169.254.169.254/opc/v1/${file}" | |
16 | } | |
17 | ||
18 | to_address() { | |
19 | local n="${1}" | |
20 | ||
21 | local o1=$(( (n & 0xff000000) >> 24 )) | |
22 | local o2=$(( (n & 0xff0000) >> 16 )) | |
23 | local o3=$(( (n & 0xff00) >> 8 )) | |
24 | local o4=$(( (n & 0xff) )) | |
25 | ||
26 | printf "%d.%d.%d.%d\n" "${o1}" "${o2}" "${o3}" "${o4}" | |
27 | } | |
28 | ||
29 | to_integer() { | |
30 | local address="${1}" | |
31 | ||
32 | local integer=0 | |
33 | ||
34 | local i | |
35 | for i in ${address//\./ }; do | |
36 | integer=$(( (integer << 8) + i )) | |
37 | done | |
38 | ||
39 | printf "%d\n" "${integer}" | |
40 | } | |
41 | ||
42 | prefix2netmask() { | |
43 | local prefix=${1} | |
44 | ||
45 | local zeros=$(( 32 - prefix )) | |
46 | local netmask=0 | |
47 | ||
48 | local i | |
49 | for (( i=0; i<${zeros}; i++ )); do | |
50 | netmask=$(( (netmask << 1) ^ 1 )) | |
51 | done | |
52 | ||
53 | to_address "$(( netmask ^ 0xffffffff ))" | |
54 | } | |
55 | ||
56 | oci_list_interfaces() { | |
57 | get "vnics/" | python3 -c "import json, sys; print(\"\n\".join([vnic[\"vnicId\"] for vnic in json.load(sys.stdin)]))" | |
58 | } | |
59 | ||
60 | oci_get_interface_param() { | |
61 | local id="${1}" | |
62 | local param="${2}" | |
63 | ||
64 | get "vnics/" | python3 -c "import json, sys; print(\"\n\".join(vnic.get(\"${param}\", \"\") for vnic in json.load(sys.stdin) if vnic[\"vnicId\"] == \"${id}\"))" | |
65 | } | |
66 | ||
67 | import_oci_configuration() { | |
68 | local instance_id="$(get instance/id)" | |
69 | ||
70 | boot_mesg "Importing Oracle Cloud Infrastructure configuration for instance ${instance_id}..." | |
71 | ||
72 | # Store instance ID | |
73 | echo "${instance_id}" > /var/run/oci-instance-id | |
74 | ||
75 | # Initialise system settings | |
76 | local hostname=$(get instance/hostname) | |
77 | ||
78 | # Set hostname | |
79 | if ! grep -q "^HOSTNAME=" /var/ipfire/main/settings; then | |
80 | echo "HOSTNAME=${hostname%%.*}" >> /var/ipfire/main/settings | |
81 | fi | |
82 | ||
83 | # Set domainname | |
84 | if ! grep -q "^DOMAINNAME=" /var/ipfire/main/settings; then | |
85 | echo "DOMAINNAME=${hostname#*.}" >> /var/ipfire/main/settings | |
86 | fi | |
87 | ||
88 | # Create setup user | |
89 | if ! getent passwd setup &>/dev/null; then | |
90 | useradd setup -s /usr/bin/run-setup -g nobody -m | |
91 | ||
92 | # Unlock the account | |
93 | usermod -p "x" setup | |
94 | fi | |
95 | ||
96 | # Import SSH keys for setup user | |
97 | local line | |
98 | while read -r line; do | |
99 | # Strip the username part from the key | |
100 | local key="${line#*:}" | |
101 | ||
102 | if [ -n "${key}" ] && ! grep -q "^${key}$" "/home/setup/.ssh/authorized_keys" 2>/dev/null; then | |
103 | mkdir -p "/home/setup/.ssh" | |
104 | chmod 700 "/home/setup/.ssh" | |
105 | chown setup.nobody "/home/setup/.ssh" | |
106 | ||
107 | echo "${key}" >> "/home/setup/.ssh/authorized_keys" | |
108 | chmod 600 "/home/setup/.ssh/authorized_keys" | |
109 | chown setup.nobody "/home/setup/.ssh/authorized_keys" | |
110 | fi | |
111 | done <<<"$(get instance/metadata/ssh_authorized_keys)" | |
112 | ||
113 | # Download the user-data script only on the first boot | |
114 | if [ ! -e "/var/ipfire/main/firstsetup_ok" ]; then | |
115 | # Download a startup script | |
116 | local script="$(get instance/metadata/user_data)" | |
117 | ||
118 | # Execute the script | |
119 | if [ "${script:0:2}" = "#!" ]; then | |
120 | echo "${script}" > /tmp/user-data.script | |
121 | chmod 700 /tmp/user-data.script | |
122 | ||
123 | # Run the script | |
124 | local now="$(date -u +"%s")" | |
125 | /tmp/user-data.script &>/var/log/user-data.log.${now} | |
126 | ||
127 | # Delete the script right away | |
128 | rm /tmp/user-data.script | |
129 | fi | |
130 | fi | |
131 | ||
132 | # Import network configuration | |
133 | # After this, no network connectivity will be available from this script due to the | |
134 | # renaming of the network interfaces for which they have to be shut down | |
135 | local config_type=1 | |
136 | : > /var/ipfire/ethernet/settings | |
137 | ||
138 | local id | |
139 | for id in $(oci_list_interfaces); do | |
140 | local mac="$(oci_get_interface_param "${id}" "macAddr")" | |
141 | ||
142 | # First IPv4 address | |
143 | local ipv4_address="$(oci_get_interface_param "${id}" "privateIp")" | |
144 | local ipv4_address_num="$(to_integer "${ipv4_address}")" | |
145 | ||
146 | local subnet="$(oci_get_interface_param "${id}" "subnetCidrBlock")" | |
147 | local prefix="${subnet#*/}" | |
148 | ||
149 | local netmask="$(prefix2netmask "${prefix}")" | |
150 | local netmask_num="$(to_integer "${netmask}")" | |
151 | ||
152 | # Calculate the network and broadcast addresses | |
153 | local netaddress="${subnet%/*}" | |
154 | local broadcast="$(to_address $(( ipv4_address_num | (0xffffffff ^ netmask_num) )))" | |
155 | ||
156 | local index="$(oci_get_interface_param "${id}" "nicIndex")" | |
157 | ||
158 | # Set index to zero if it was empty | |
159 | if [ -z "${index}" ]; then | |
160 | index=0 | |
161 | fi | |
162 | ||
163 | case "${index}" in | |
164 | # RED | |
165 | 0) | |
166 | local interface_name="red0" | |
167 | local gateway="$(oci_get_interface_param "${id}" "virtualRouterIp")" | |
168 | ||
169 | ( | |
170 | echo "RED_TYPE=STATIC" | |
171 | echo "RED_DEV=${interface_name}" | |
172 | echo "RED_MACADDR=${mac}" | |
173 | echo "RED_DESCRIPTION='${id}'" | |
174 | echo "RED_ADDRESS=${ipv4_address}" | |
175 | echo "RED_NETMASK=${netmask}" | |
176 | echo "RED_NETADDRESS=${netaddress}" | |
177 | echo "RED_BROADCAST=${broadcast}" | |
178 | echo "RED_MTU=1500" | |
179 | echo "DEFAULT_GATEWAY=${gateway}" | |
180 | ) >> /var/ipfire/ethernet/settings | |
181 | ||
182 | # Import aliases for RED | |
183 | #for alias in $(get "instance/network-interfaces/${device_number}/ip-aliases"); do | |
184 | # echo "${alias},on," | |
185 | #done > /var/ipfire/ethernet/aliases | |
186 | ;; | |
187 | ||
188 | # GREEN | |
189 | 1) | |
190 | local interface_name="green0" | |
191 | ||
192 | ( | |
193 | echo "GREEN_DEV=${interface_name}" | |
194 | echo "GREEN_MACADDR=${mac}" | |
195 | echo "GREEN_DESCRIPTION='${id}'" | |
196 | echo "GREEN_ADDRESS=${ipv4_address}" | |
197 | echo "GREEN_NETMASK=${netmask}" | |
198 | echo "GREEN_NETADDRESS=${netaddress}" | |
199 | echo "GREEN_BROADCAST=${broadcast}" | |
200 | echo "GREEN_MTU=${DEFAULT_MTU}" | |
201 | ) >> /var/ipfire/ethernet/settings | |
202 | ;; | |
203 | ||
204 | # ORANGE | |
205 | 2) | |
206 | local interface_name="orange0" | |
207 | config_type=2 | |
208 | ||
209 | ( | |
210 | echo "ORANGE_DEV=${interface_name}" | |
211 | echo "ORANGE_MACADDR=${mac}" | |
212 | echo "ORANGE_DESCRIPTION='${id}'" | |
213 | echo "ORANGE_ADDRESS=${ipv4_address}" | |
214 | echo "ORANGE_NETMASK=${netmask}" | |
215 | echo "ORANGE_NETADDRESS=${netaddress}" | |
216 | echo "ORANGE_BROADCAST=${broadcast}" | |
217 | echo "ORANGE_MTU=${DEFAULT_MTU}" | |
218 | ) >> /var/ipfire/ethernet/settings | |
219 | ;; | |
220 | esac | |
221 | done | |
222 | ||
223 | # Save CONFIG_TYPE | |
224 | echo "CONFIG_TYPE=${config_type}" >> /var/ipfire/ethernet/settings | |
225 | ||
226 | # Actions performed only on the very first start | |
227 | if [ ! -e "/var/ipfire/main/firstsetup_ok" ]; then | |
228 | # Disable using ISP nameservers | |
229 | sed -e "s/^USE_ISP_NAMESERVERS=.*/USE_ISP_NAMESERVERS=off/" -i /var/ipfire/dns/settings | |
230 | ||
231 | # Enable SSH | |
232 | sed -e "s/ENABLE_SSH=.*/ENABLE_SSH=on/g" -i /var/ipfire/remote/settings | |
233 | ||
234 | # Disable SSH password authentication | |
235 | sed -e "s/^ENABLE_SSH_PASSWORDS=.*/ENABLE_SSH_PASSWORDS=off/" -i /var/ipfire/remote/settings | |
236 | ||
237 | # Enable SSH key authentication | |
238 | sed -e "s/^ENABLE_SSH_KEYS=.*/ENABLE_SSH_KEYS=on/" -i /var/ipfire/remote/settings | |
239 | ||
240 | # Apply SSH settings | |
241 | /usr/local/bin/sshctrl | |
242 | ||
243 | # Mark SSH to start immediately (but not right now) | |
244 | touch /var/ipfire/remote/enablessh | |
245 | chown nobody:nobody /var/ipfire/remote/enablessh | |
246 | ||
247 | # Firewall rules for SSH and WEBIF | |
248 | ( | |
249 | echo "1,ACCEPT,INPUTFW,ON,std_net_src,ALL,ipfire,RED1,,TCP,,,ON,,,cust_srv,SSH,,,,,,,,,,,00:00,00:00,,AUTO,,dnat,,,,,second" | |
250 | echo "2,ACCEPT,INPUTFW,ON,std_net_src,ALL,ipfire,RED1,,TCP,,,ON,,,TGT_PORT,444,,,,,,,,,,,00:00,00:00,,AUTO,,dnat,,,,,second" | |
251 | ) >> /var/ipfire/firewall/input | |
252 | ||
253 | # This script has now completed the first steps of setup | |
254 | touch /var/ipfire/main/firstsetup_ok | |
255 | fi | |
256 | ||
257 | # All done | |
258 | echo_ok | |
259 | } | |
260 | ||
261 | case "${reason}" in | |
262 | PREINIT) | |
263 | # Bring up the interface | |
264 | ip link set "${interface}" up | |
265 | ;; | |
266 | ||
267 | BOUND|RENEW|REBIND|REBOOT) | |
268 | # Remove any previous IP addresses | |
269 | ip addr flush dev "${interface}" | |
270 | ||
271 | # Add (or re-add) the new IP address | |
272 | ip addr add "${new_ip_address}/${new_subnet_mask}" dev "${interface}" | |
273 | ||
274 | # Add the default route | |
275 | ip route add "${new_routers}" dev "${interface}" | |
276 | ip route add default via "${new_routers}" | |
277 | ||
278 | # Setup DNS | |
279 | for domain_name_server in ${new_domain_name_servers}; do | |
280 | echo "nameserver ${domain_name_server}" | |
281 | done > /etc/resolv.conf | |
282 | ||
283 | # The system is online now | |
284 | touch /var/ipfire/red/active | |
285 | ||
286 | # Import OCI configuration | |
287 | import_oci_configuration | |
288 | ;; | |
289 | ||
290 | EXPIRE|FAIL|RELEASE|STOP) | |
291 | # The system is no longer online | |
292 | rm -f /var/ipfire/red/active | |
293 | ||
294 | # Remove all IP addresses | |
295 | ip addr flush dev "${interface}" | |
296 | ||
297 | # Shut down the interface | |
298 | ip link set "${interface}" down | |
299 | ;; | |
300 | ||
301 | *) | |
302 | echo "Unhandled reason: ${reason}" >&2 | |
303 | exit 2 | |
304 | ;; | |
305 | esac | |
306 | ||
307 | # Terminate | |
308 | exit 0 |