oci: Add automatic configuration script
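#!/bin/bash
###############################################################################
# oci-setup - import the Oracle Cloud Infrastructure configuration of this
# instance into IPFire.
#
# Presumably run as a DHCP client hook: ${reason}, ${interface} and the new_*
# lease variables are expected in the environment (see the case statement at
# the end of this file).  Once the interface is bound, the instance metadata is
# fetched from the link-local metadata service and turned into the network,
# hostname, SSH user and firewall settings.
###############################################################################

. /etc/sysconfig/rc
. "${rc_functions}"

# Set PATH to find our own executables
export PATH=/usr/local/sbin:/usr/local/bin:${PATH}

# MTU written for the GREEN and ORANGE interfaces (RED uses 1500).
# NOTE(review): the original remark "GCP only supports an MTU of 1460" looks
# carried over from a GCP variant of this script — confirm the value for OCI
DEFAULT_MTU=1460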
11
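#######################################
# Fetch one path from the instance metadata service and print it.
# Arguments: $1 - path below /opc/v1/ (e.g. "instance/id", "vnics/")
# Outputs:   the raw response body on stdout; nothing on failure
# Returns:   the exit status of wget
#######################################
get() {
	local file="${1}"

	# Bounded retries and timeout: with wget's defaults an unreachable or
	# unresponsive metadata service would stall this script (and the boot)
	# for a very long time.  The v1 endpoint is unauthenticated;
	# NOTE(review): OCI also offers /opc/v2, which requires the header
	# "Authorization: Bearer Oracle" — consider switching once verified.
	wget -qO - --tries=3 --timeout=10 "http://169.254.169.254/opc/v1/${file}"
}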
17
#######################################
# Print a 32 bit integer as a dotted-quad IPv4 address.
# Arguments: $1 - the address as an integer
# Outputs:   the dotted-quad address followed by a newline
#######################################
to_address() {
	local value="${1}"

	# Collect the four octets from the most to the least significant one
	local bits
	local -a octets=()
	for bits in 24 16 8 0; do
		octets+=( "$(( (value >> bits) & 0xff ))" )
	done

	printf "%d.%d.%d.%d\n" "${octets[@]}"
}
28
#######################################
# Convert a dotted-quad IPv4 address into its 32 bit integer value.
# Arguments: $1 - the address in dotted-quad notation
# Outputs:   the integer followed by a newline
#######################################
to_integer() {
	local address="${1}"
	local result=0

	# Replace the dots by spaces and let word splitting turn the octets
	# into the positional parameters of this function
	set -- ${address//./ }

	local octet
	for octet in "$@"; do
		result=$(( (result << 8) + octet ))
	done

	printf "%d\n" "${result}"
}
41
#######################################
# Convert a CIDR prefix length into a dotted-quad netmask.
# Arguments: $1 - prefix length (0..32)
# Outputs:   the netmask in dotted-quad notation (via to_address)
#######################################
prefix2netmask() {
	local prefix="${1}"
	local host_bits=$(( 32 - prefix ))

	# Build a mask with "host_bits" ones at the bottom ...
	local host_mask=0
	local bit
	for (( bit = host_bits; bit > 0; bit-- )); do
		host_mask=$(( (host_mask << 1) | 1 ))
	done

	# ... and invert it within 32 bits to get the network mask
	to_address "$(( 0xffffffff ^ host_mask ))"
}
55
#######################################
# List the IDs of all VNICs attached to this instance, one per line.
# Arguments: none
# Outputs:   the vnicId of every entry of the vnics/ metadata on stdout
#######################################
oci_list_interfaces() {
	# Keep the Python program in a single-quoted string so the shell does
	# not touch the quotes and escapes inside it
	local extract_ids='import json, sys; print("\n".join([vnic["vnicId"] for vnic in json.load(sys.stdin)]))'

	get "vnics/" | python3 -c "${extract_ids}"
}
59
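#######################################
# Print one attribute of the VNIC with the given ID.
# Arguments: $1 - vnicId to look up
#            $2 - attribute name (e.g. "macAddr", "privateIp", "nicIndex")
# Outputs:   the attribute value on stdout (empty when the VNIC or the
#            attribute does not exist)
#######################################
oci_get_interface_param() {
	local id="${1}"
	local param="${2}"

	# Both lookup keys are handed to Python through argv rather than being
	# spliced into the program text, so a value containing quotes cannot
	# alter the code.  Values are stringified because numeric attributes
	# (nicIndex is a number in the vnics JSON) would otherwise make
	# join() fail and yield an empty result.
	get "vnics/" | python3 -c '
import json, sys
vnic_id, param = sys.argv[1], sys.argv[2]
def text(value):
    return "" if value is None else str(value)
print("\n".join(text(vnic.get(param)) for vnic in json.load(sys.stdin) if vnic["vnicId"] == vnic_id))
' "${id}" "${param}"
}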
66
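#######################################
# Import the SSH public keys listed in the instance metadata into the
# authorized_keys file of the "setup" user (keys already present are
# skipped, so this can run on every boot).
# Globals:   none
# Arguments: none
# Outputs:   creates/updates /home/setup/.ssh/authorized_keys
#######################################
_oci_import_ssh_keys() {
	local ssh_dir="/home/setup/.ssh"
	local authorized_keys="${ssh_dir}/authorized_keys"

	local line
	while read -r line; do
		# The metadata lists keys as "<user>:<key>"; strip the user part
		local key="${line#*:}"
		[ -n "${key}" ] || continue

		# Fixed-string, whole-line comparison: a key contains regex
		# metacharacters ('+', '.', '/') and must not be used as a pattern
		if grep -qxF -- "${key}" "${authorized_keys}" 2>/dev/null; then
			continue
		fi

		mkdir -p "${ssh_dir}"
		chmod 700 "${ssh_dir}"
		chown setup:nobody "${ssh_dir}"

		printf '%s\n' "${key}" >> "${authorized_keys}"
		chmod 600 "${authorized_keys}"
		chown setup:nobody "${authorized_keys}"
	done <<<"$(get instance/metadata/ssh_authorized_keys)"
}

#######################################
# Download the user-data script from the metadata and execute it when it
# starts with a shebang.  The script runs with the privileges of this
# process, i.e. the instance metadata is fully trusted here.
# Globals:   none
# Arguments: none
# Outputs:   the script's output goes to /var/log/user-data.log.<epoch>
# Returns:   0 when nothing was run; 1 when no temporary file could be
#            created; otherwise the status of rm after the script ran
#######################################
_oci_run_user_data() {
	# Download a startup script
	local script="$(get instance/metadata/user_data)"

	# Only something that looks like an executable script is run
	[ "${script:0:2}" = "#!" ] || return 0

	# Unpredictable file name instead of a fixed path in /tmp
	local script_file
	script_file="$(mktemp /tmp/user-data.XXXXXX)" || return 1
	printf '%s\n' "${script}" > "${script_file}"
	chmod 700 "${script_file}"

	# Run the script
	local now="$(date -u +"%s")"
	"${script_file}" &> "/var/log/user-data.log.${now}"

	# Delete the script right away
	rm -f "${script_file}"
}

#######################################
# Translate every VNIC of the instance into IPFire ethernet settings.
# nicIndex 0 becomes RED, 1 GREEN and 2 ORANGE; CONFIG_TYPE is 2 when an
# ORANGE interface exists, otherwise 1.
# Globals:   DEFAULT_MTU (read)
# Arguments: none
# Outputs:   rewrites /var/ipfire/ethernet/settings
#######################################
_oci_import_network_configuration() {
	local settings="/var/ipfire/ethernet/settings"
	local config_type=1

	# Start from an empty settings file
	: > "${settings}"

	local id
	for id in $(oci_list_interfaces); do
		local mac="$(oci_get_interface_param "${id}" "macAddr")"

		# First IPv4 address
		local ipv4_address="$(oci_get_interface_param "${id}" "privateIp")"
		local ipv4_address_num="$(to_integer "${ipv4_address}")"

		local subnet="$(oci_get_interface_param "${id}" "subnetCidrBlock")"
		local prefix="${subnet#*/}"

		local netmask="$(prefix2netmask "${prefix}")"
		local netmask_num="$(to_integer "${netmask}")"

		# The network address comes straight from the CIDR block, the
		# broadcast address is the address with all host bits set
		local netaddress="${subnet%/*}"
		local broadcast="$(to_address $(( ipv4_address_num | (0xffffffff ^ netmask_num) )))"

		# An interface without nicIndex is treated as the first one (RED)
		local index="$(oci_get_interface_param "${id}" "nicIndex")"
		[ -n "${index}" ] || index=0

		case "${index}" in
			# RED
			0)
				local gateway="$(oci_get_interface_param "${id}" "virtualRouterIp")"

				(
					echo "RED_TYPE=STATIC"
					echo "RED_DEV=red0"
					echo "RED_MACADDR=${mac}"
					echo "RED_DESCRIPTION='${id}'"
					echo "RED_ADDRESS=${ipv4_address}"
					echo "RED_NETMASK=${netmask}"
					echo "RED_NETADDRESS=${netaddress}"
					echo "RED_BROADCAST=${broadcast}"
					echo "RED_MTU=1500"
					echo "DEFAULT_GATEWAY=${gateway}"
				) >> "${settings}"

				# TODO: import IP aliases for RED.  The earlier draft below
				# uses a metadata path unlike any other OCI path in this
				# file and a variable (device_number) that is never set:
				#for alias in $(get "instance/network-interfaces/${device_number}/ip-aliases"); do
				#	echo "${alias},on,"
				#done > /var/ipfire/ethernet/aliases
				;;

			# GREEN
			1)
				(
					echo "GREEN_DEV=green0"
					echo "GREEN_MACADDR=${mac}"
					echo "GREEN_DESCRIPTION='${id}'"
					echo "GREEN_ADDRESS=${ipv4_address}"
					echo "GREEN_NETMASK=${netmask}"
					echo "GREEN_NETADDRESS=${netaddress}"
					echo "GREEN_BROADCAST=${broadcast}"
					echo "GREEN_MTU=${DEFAULT_MTU}"
				) >> "${settings}"
				;;

			# ORANGE
			2)
				config_type=2

				(
					echo "ORANGE_DEV=orange0"
					echo "ORANGE_MACADDR=${mac}"
					echo "ORANGE_DESCRIPTION='${id}'"
					echo "ORANGE_ADDRESS=${ipv4_address}"
					echo "ORANGE_NETMASK=${netmask}"
					echo "ORANGE_NETADDRESS=${netaddress}"
					echo "ORANGE_BROADCAST=${broadcast}"
					echo "ORANGE_MTU=${DEFAULT_MTU}"
				) >> "${settings}"
				;;
		esac
	done

	# Save CONFIG_TYPE
	echo "CONFIG_TYPE=${config_type}" >> "${settings}"
}

#######################################
# Settings applied on the very first boot only: DNS, SSH (key-only) and
# the firewall rules that open SSH and the web interface on RED.
# Globals:   none
# Arguments: none
# Outputs:   edits /var/ipfire/dns/settings, /var/ipfire/remote/settings,
#            appends to /var/ipfire/firewall/input and creates
#            /var/ipfire/main/firstsetup_ok
#######################################
_oci_first_boot_settings() {
	# Disable using ISP nameservers
	sed -e "s/^USE_ISP_NAMESERVERS=.*/USE_ISP_NAMESERVERS=off/" -i /var/ipfire/dns/settings

	# Enable SSH
	sed -e "s/ENABLE_SSH=.*/ENABLE_SSH=on/g" -i /var/ipfire/remote/settings

	# Disable SSH password authentication
	sed -e "s/^ENABLE_SSH_PASSWORDS=.*/ENABLE_SSH_PASSWORDS=off/" -i /var/ipfire/remote/settings

	# Enable SSH key authentication
	sed -e "s/^ENABLE_SSH_KEYS=.*/ENABLE_SSH_KEYS=on/" -i /var/ipfire/remote/settings

	# Apply SSH settings
	/usr/local/bin/sshctrl

	# Mark SSH to start immediately (but not right now)
	touch /var/ipfire/remote/enablessh
	chown nobody:nobody /var/ipfire/remote/enablessh

	# Firewall rules for SSH and WEBIF (port 444), accepted from any
	# source on RED.  NOTE(review): this exposes both services to the
	# whole internet; narrow the source once the admin networks are known
	(
		echo "1,ACCEPT,INPUTFW,ON,std_net_src,ALL,ipfire,RED1,,TCP,,,ON,,,cust_srv,SSH,,,,,,,,,,,00:00,00:00,,AUTO,,dnat,,,,,second"
		echo "2,ACCEPT,INPUTFW,ON,std_net_src,ALL,ipfire,RED1,,TCP,,,ON,,,TGT_PORT,444,,,,,,,,,,,00:00,00:00,,AUTO,,dnat,,,,,second"
	) >> /var/ipfire/firewall/input

	# This script has now completed the first steps of setup
	touch /var/ipfire/main/firstsetup_ok
}

#######################################
# Import the Oracle Cloud Infrastructure configuration of this instance:
# hostname/domain, the "setup" user and its SSH keys, the first-boot
# user-data script, the network interfaces and, on the very first boot,
# the DNS/SSH/firewall defaults.
# Globals:   DEFAULT_MTU (read, via _oci_import_network_configuration)
# Arguments: none
# Outputs:   boot messages; writes /var/run/oci-instance-id and several
#            files below /var/ipfire
# Returns:   the status of echo_ok
#######################################
import_oci_configuration() {
	local instance_id="$(get instance/id)"

	boot_mesg "Importing Oracle Cloud Infrastructure configuration for instance ${instance_id}..."

	# Store instance ID
	printf '%s\n' "${instance_id}" > /var/run/oci-instance-id

	# Hostname and domain name are only set when not configured yet.
	# NOTE(review): ${hostname#*.} equals the full hostname when it has no
	# dot, so a short hostname would end up as DOMAINNAME — confirm the
	# metadata always delivers an FQDN
	local hostname="$(get instance/hostname)"
	if ! grep -q "^HOSTNAME=" /var/ipfire/main/settings; then
		echo "HOSTNAME=${hostname%%.*}" >> /var/ipfire/main/settings
	fi
	if ! grep -q "^DOMAINNAME=" /var/ipfire/main/settings; then
		echo "DOMAINNAME=${hostname#*.}" >> /var/ipfire/main/settings
	fi

	# Create the setup user
	if ! getent passwd setup &>/dev/null; then
		useradd setup -s /usr/bin/run-setup -g nobody -m

		# Unlock the account: "x" is not a valid password hash, so no
		# password can match, but the account no longer carries the
		# "locked" marker
		usermod -p "x" setup
	fi

	# Import SSH keys for the setup user
	_oci_import_ssh_keys

	# The user-data script is executed on the first boot only
	if [ ! -e "/var/ipfire/main/firstsetup_ok" ]; then
		_oci_run_user_data
	fi

	# Import network configuration
	# After this, no network connectivity will be available from this script due to the
	# renaming of the network interfaces for which they have to be shut down
	_oci_import_network_configuration

	# Actions performed only on the very first start
	if [ ! -e "/var/ipfire/main/firstsetup_ok" ]; then
		_oci_first_boot_settings
	fi

	# All done
	echo_ok
}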
260
#######################################
# Hook actions, one per DHCP client reason.  ${reason}, ${interface} and
# the new_* lease variables are expected in the environment.
#######################################
_oci_hook_preinit() {
	# Bring up the interface
	ip link set "${interface}" up
}

_oci_hook_bound() {
	# Remove any previous IP addresses
	ip addr flush dev "${interface}"

	# Add (or re-add) the new IP address
	ip addr add "${new_ip_address}/${new_subnet_mask}" dev "${interface}"

	# Add the default route
	# NOTE(review): a single router is assumed; a space-separated list in
	# ${new_routers} would be passed as one argument — confirm
	ip route add "${new_routers}" dev "${interface}"
	ip route add default via "${new_routers}"

	# Setup DNS (one "nameserver" line per server)
	local domain_name_server
	for domain_name_server in ${new_domain_name_servers}; do
		echo "nameserver ${domain_name_server}"
	done > /etc/resolv.conf

	# The system is online now
	touch /var/ipfire/red/active

	# Import OCI configuration
	import_oci_configuration
}

_oci_hook_down() {
	# The system is no longer online
	rm -f /var/ipfire/red/active

	# Remove all IP addresses
	ip addr flush dev "${interface}"

	# Shut down the interface
	ip link set "${interface}" down
}

case "${reason}" in
	PREINIT)
		_oci_hook_preinit
		;;

	BOUND|RENEW|REBIND|REBOOT)
		_oci_hook_bound
		;;

	EXPIRE|FAIL|RELEASE|STOP)
		_oci_hook_down
		;;

	*)
		echo "Unhandled reason: ${reason}" >&2
		exit 2
		;;
esac

# Terminate
exit 0