]>
Commit | Line | Data |
---|---|---|
138c94a9 | 1 | #!/bin/bash |
66c36198 PM |
2 | ############################################################################### |
3 | # # | |
4 | # IPFire.org - A linux based firewall # | |
5 | # Copyright (C) 2007-2022 IPFire Team <info@ipfire.org> # | |
6 | # # | |
7 | # This program is free software: you can redistribute it and/or modify # | |
8 | # it under the terms of the GNU General Public License as published by # | |
9 | # the Free Software Foundation, either version 3 of the License, or # | |
10 | # (at your option) any later version. # | |
11 | # # | |
12 | # This program is distributed in the hope that it will be useful, # | |
13 | # but WITHOUT ANY WARRANTY; without even the implied warranty of # | |
14 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # | |
15 | # GNU General Public License for more details. # | |
16 | # # | |
17 | # You should have received a copy of the GNU General Public License # | |
18 | # along with this program. If not, see <http://www.gnu.org/licenses/>. # | |
19 | # # | |
20 | ############################################################################### | |
138c94a9 MT |
21 | |
22 | . /etc/sysconfig/rc | |
23 | . ${rc_functions} | |
24 | ||
25 | # Set PATH to find our own executables | |
26 | export PATH=/usr/local/sbin:/usr/local/bin:${PATH} | |
27 | ||
28 | # GCP only supports an MTU of 1460 | |
29 | DEFAULT_MTU=1460 | |
30 | ||
31 | get() { | |
32 | local file="${1}" | |
33 | ||
34 | wget -qO - "http://169.254.169.254/opc/v1/${file}" | |
35 | } | |
36 | ||
d5538121 MT |
37 | try_base64_decode() { |
38 | local input="${1}" | |
39 | ||
40 | local tmp="$(mktemp)" | |
41 | ||
42 | # Try to decode this and return output if successful | |
43 | if base64 -d <<< "${input}" > "${tmp}" 2>/dev/null; then | |
44 | echo "$(<${tmp})" | |
45 | ||
46 | # Otherwise just return the input | |
47 | else | |
48 | echo "${input}" | |
49 | fi | |
50 | ||
51 | # Cleanup | |
52 | unlink "${tmp}" | |
53 | } | |
54 | ||
138c94a9 MT |
55 | to_address() { |
56 | local n="${1}" | |
57 | ||
58 | local o1=$(( (n & 0xff000000) >> 24 )) | |
59 | local o2=$(( (n & 0xff0000) >> 16 )) | |
60 | local o3=$(( (n & 0xff00) >> 8 )) | |
61 | local o4=$(( (n & 0xff) )) | |
62 | ||
63 | printf "%d.%d.%d.%d\n" "${o1}" "${o2}" "${o3}" "${o4}" | |
64 | } | |
65 | ||
66 | to_integer() { | |
67 | local address="${1}" | |
68 | ||
69 | local integer=0 | |
70 | ||
71 | local i | |
72 | for i in ${address//\./ }; do | |
73 | integer=$(( (integer << 8) + i )) | |
74 | done | |
75 | ||
76 | printf "%d\n" "${integer}" | |
77 | } | |
78 | ||
79 | prefix2netmask() { | |
80 | local prefix=${1} | |
81 | ||
82 | local zeros=$(( 32 - prefix )) | |
83 | local netmask=0 | |
84 | ||
85 | local i | |
86 | for (( i=0; i<${zeros}; i++ )); do | |
87 | netmask=$(( (netmask << 1) ^ 1 )) | |
88 | done | |
89 | ||
90 | to_address "$(( netmask ^ 0xffffffff ))" | |
91 | } | |
92 | ||
93 | oci_list_interfaces() { | |
94 | get "vnics/" | python3 -c "import json, sys; print(\"\n\".join([vnic[\"vnicId\"] for vnic in json.load(sys.stdin)]))" | |
95 | } | |
96 | ||
97 | oci_get_interface_param() { | |
98 | local id="${1}" | |
99 | local param="${2}" | |
100 | ||
101 | get "vnics/" | python3 -c "import json, sys; print(\"\n\".join(vnic.get(\"${param}\", \"\") for vnic in json.load(sys.stdin) if vnic[\"vnicId\"] == \"${id}\"))" | |
102 | } | |
103 | ||
104 | import_oci_configuration() { | |
105 | local instance_id="$(get instance/id)" | |
106 | ||
107 | boot_mesg "Importing Oracle Cloud Infrastructure configuration for instance ${instance_id}..." | |
108 | ||
109 | # Store instance ID | |
110 | echo "${instance_id}" > /var/run/oci-instance-id | |
111 | ||
112 | # Initialise system settings | |
113 | local hostname=$(get instance/hostname) | |
114 | ||
115 | # Set hostname | |
116 | if ! grep -q "^HOSTNAME=" /var/ipfire/main/settings; then | |
117 | echo "HOSTNAME=${hostname%%.*}" >> /var/ipfire/main/settings | |
118 | fi | |
119 | ||
120 | # Set domainname | |
121 | if ! grep -q "^DOMAINNAME=" /var/ipfire/main/settings; then | |
122 | echo "DOMAINNAME=${hostname#*.}" >> /var/ipfire/main/settings | |
123 | fi | |
124 | ||
125 | # Create setup user | |
126 | if ! getent passwd setup &>/dev/null; then | |
127 | useradd setup -s /usr/bin/run-setup -g nobody -m | |
128 | ||
129 | # Unlock the account | |
130 | usermod -p "x" setup | |
131 | fi | |
132 | ||
133 | # Import SSH keys for setup user | |
134 | local line | |
135 | while read -r line; do | |
136 | # Strip the username part from the key | |
137 | local key="${line#*:}" | |
138 | ||
139 | if [ -n "${key}" ] && ! grep -q "^${key}$" "/home/setup/.ssh/authorized_keys" 2>/dev/null; then | |
140 | mkdir -p "/home/setup/.ssh" | |
141 | chmod 700 "/home/setup/.ssh" | |
142 | chown setup.nobody "/home/setup/.ssh" | |
143 | ||
144 | echo "${key}" >> "/home/setup/.ssh/authorized_keys" | |
145 | chmod 600 "/home/setup/.ssh/authorized_keys" | |
146 | chown setup.nobody "/home/setup/.ssh/authorized_keys" | |
147 | fi | |
148 | done <<<"$(get instance/metadata/ssh_authorized_keys)" | |
149 | ||
150 | # Download the user-data script only on the first boot | |
151 | if [ ! -e "/var/ipfire/main/firstsetup_ok" ]; then | |
152 | # Download a startup script | |
153 | local script="$(get instance/metadata/user_data)" | |
154 | ||
d5538121 MT |
155 | # Try to decode this |
156 | script="$(try_base64_decode "${script}")" | |
157 | ||
138c94a9 MT |
158 | # Execute the script |
159 | if [ "${script:0:2}" = "#!" ]; then | |
160 | echo "${script}" > /tmp/user-data.script | |
161 | chmod 700 /tmp/user-data.script | |
162 | ||
163 | # Run the script | |
164 | local now="$(date -u +"%s")" | |
165 | /tmp/user-data.script &>/var/log/user-data.log.${now} | |
166 | ||
167 | # Delete the script right away | |
168 | rm /tmp/user-data.script | |
169 | fi | |
170 | fi | |
171 | ||
172 | # Import network configuration | |
173 | # After this, no network connectivity will be available from this script due to the | |
174 | # renaming of the network interfaces for which they have to be shut down | |
175 | local config_type=1 | |
176 | : > /var/ipfire/ethernet/settings | |
177 | ||
178 | local id | |
179 | for id in $(oci_list_interfaces); do | |
180 | local mac="$(oci_get_interface_param "${id}" "macAddr")" | |
181 | ||
182 | # First IPv4 address | |
183 | local ipv4_address="$(oci_get_interface_param "${id}" "privateIp")" | |
184 | local ipv4_address_num="$(to_integer "${ipv4_address}")" | |
185 | ||
186 | local subnet="$(oci_get_interface_param "${id}" "subnetCidrBlock")" | |
187 | local prefix="${subnet#*/}" | |
188 | ||
189 | local netmask="$(prefix2netmask "${prefix}")" | |
138c94a9 MT |
190 | |
191 | # Calculate the network and broadcast addresses | |
192 | local netaddress="${subnet%/*}" | |
138c94a9 MT |
193 | |
194 | local index="$(oci_get_interface_param "${id}" "nicIndex")" | |
195 | ||
196 | # Set index to zero if it was empty | |
197 | if [ -z "${index}" ]; then | |
198 | index=0 | |
199 | fi | |
200 | ||
201 | case "${index}" in | |
202 | # RED | |
203 | 0) | |
204 | local interface_name="red0" | |
205 | local gateway="$(oci_get_interface_param "${id}" "virtualRouterIp")" | |
206 | ||
207 | ( | |
208 | echo "RED_TYPE=STATIC" | |
209 | echo "RED_DEV=${interface_name}" | |
210 | echo "RED_MACADDR=${mac}" | |
211 | echo "RED_DESCRIPTION='${id}'" | |
212 | echo "RED_ADDRESS=${ipv4_address}" | |
213 | echo "RED_NETMASK=${netmask}" | |
214 | echo "RED_NETADDRESS=${netaddress}" | |
138c94a9 MT |
215 | echo "RED_MTU=1500" |
216 | echo "DEFAULT_GATEWAY=${gateway}" | |
217 | ) >> /var/ipfire/ethernet/settings | |
218 | ||
219 | # Import aliases for RED | |
220 | #for alias in $(get "instance/network-interfaces/${device_number}/ip-aliases"); do | |
221 | # echo "${alias},on," | |
222 | #done > /var/ipfire/ethernet/aliases | |
223 | ;; | |
224 | ||
225 | # GREEN | |
226 | 1) | |
227 | local interface_name="green0" | |
228 | ||
229 | ( | |
230 | echo "GREEN_DEV=${interface_name}" | |
231 | echo "GREEN_MACADDR=${mac}" | |
232 | echo "GREEN_DESCRIPTION='${id}'" | |
233 | echo "GREEN_ADDRESS=${ipv4_address}" | |
234 | echo "GREEN_NETMASK=${netmask}" | |
235 | echo "GREEN_NETADDRESS=${netaddress}" | |
138c94a9 MT |
236 | echo "GREEN_MTU=${DEFAULT_MTU}" |
237 | ) >> /var/ipfire/ethernet/settings | |
238 | ;; | |
239 | ||
240 | # ORANGE | |
241 | 2) | |
242 | local interface_name="orange0" | |
243 | config_type=2 | |
244 | ||
245 | ( | |
246 | echo "ORANGE_DEV=${interface_name}" | |
247 | echo "ORANGE_MACADDR=${mac}" | |
248 | echo "ORANGE_DESCRIPTION='${id}'" | |
249 | echo "ORANGE_ADDRESS=${ipv4_address}" | |
250 | echo "ORANGE_NETMASK=${netmask}" | |
251 | echo "ORANGE_NETADDRESS=${netaddress}" | |
138c94a9 MT |
252 | echo "ORANGE_MTU=${DEFAULT_MTU}" |
253 | ) >> /var/ipfire/ethernet/settings | |
254 | ;; | |
255 | esac | |
256 | done | |
257 | ||
258 | # Save CONFIG_TYPE | |
259 | echo "CONFIG_TYPE=${config_type}" >> /var/ipfire/ethernet/settings | |
260 | ||
261 | # Actions performed only on the very first start | |
262 | if [ ! -e "/var/ipfire/main/firstsetup_ok" ]; then | |
263 | # Disable using ISP nameservers | |
264 | sed -e "s/^USE_ISP_NAMESERVERS=.*/USE_ISP_NAMESERVERS=off/" -i /var/ipfire/dns/settings | |
265 | ||
266 | # Enable SSH | |
267 | sed -e "s/ENABLE_SSH=.*/ENABLE_SSH=on/g" -i /var/ipfire/remote/settings | |
268 | ||
269 | # Disable SSH password authentication | |
270 | sed -e "s/^ENABLE_SSH_PASSWORDS=.*/ENABLE_SSH_PASSWORDS=off/" -i /var/ipfire/remote/settings | |
271 | ||
272 | # Enable SSH key authentication | |
273 | sed -e "s/^ENABLE_SSH_KEYS=.*/ENABLE_SSH_KEYS=on/" -i /var/ipfire/remote/settings | |
274 | ||
275 | # Apply SSH settings | |
276 | /usr/local/bin/sshctrl | |
277 | ||
278 | # Mark SSH to start immediately (but not right now) | |
279 | touch /var/ipfire/remote/enablessh | |
280 | chown nobody:nobody /var/ipfire/remote/enablessh | |
281 | ||
282 | # Firewall rules for SSH and WEBIF | |
283 | ( | |
284 | echo "1,ACCEPT,INPUTFW,ON,std_net_src,ALL,ipfire,RED1,,TCP,,,ON,,,cust_srv,SSH,,,,,,,,,,,00:00,00:00,,AUTO,,dnat,,,,,second" | |
285 | echo "2,ACCEPT,INPUTFW,ON,std_net_src,ALL,ipfire,RED1,,TCP,,,ON,,,TGT_PORT,444,,,,,,,,,,,00:00,00:00,,AUTO,,dnat,,,,,second" | |
286 | ) >> /var/ipfire/firewall/input | |
287 | ||
288 | # This script has now completed the first steps of setup | |
289 | touch /var/ipfire/main/firstsetup_ok | |
290 | fi | |
291 | ||
292 | # All done | |
293 | echo_ok | |
294 | } | |
295 | ||
296 | case "${reason}" in | |
297 | PREINIT) | |
298 | # Bring up the interface | |
299 | ip link set "${interface}" up | |
300 | ;; | |
301 | ||
302 | BOUND|RENEW|REBIND|REBOOT) | |
303 | # Remove any previous IP addresses | |
304 | ip addr flush dev "${interface}" | |
305 | ||
306 | # Add (or re-add) the new IP address | |
307 | ip addr add "${new_ip_address}/${new_subnet_mask}" dev "${interface}" | |
308 | ||
309 | # Add the default route | |
310 | ip route add "${new_routers}" dev "${interface}" | |
311 | ip route add default via "${new_routers}" | |
312 | ||
313 | # Setup DNS | |
314 | for domain_name_server in ${new_domain_name_servers}; do | |
315 | echo "nameserver ${domain_name_server}" | |
316 | done > /etc/resolv.conf | |
317 | ||
318 | # The system is online now | |
319 | touch /var/ipfire/red/active | |
320 | ||
321 | # Import OCI configuration | |
322 | import_oci_configuration | |
323 | ;; | |
324 | ||
325 | EXPIRE|FAIL|RELEASE|STOP) | |
326 | # The system is no longer online | |
327 | rm -f /var/ipfire/red/active | |
328 | ||
329 | # Remove all IP addresses | |
330 | ip addr flush dev "${interface}" | |
331 | ||
332 | # Shut down the interface | |
333 | ip link set "${interface}" down | |
334 | ;; | |
335 | ||
336 | *) | |
337 | echo "Unhandled reason: ${reason}" >&2 | |
338 | exit 2 | |
339 | ;; | |
340 | esac | |
341 | ||
342 | # Terminate | |
343 | exit 0 |