[people/pmueller/ipfire-2.x.git] / src / initscripts / helper / oci-setup

#!/bin/bash
###############################################################################
#                                                                             #
# IPFire.org - A linux based firewall                                         #
# Copyright (C) 2007-2022  IPFire Team  <info@ipfire.org>                     #
#                                                                             #
# This program is free software: you can redistribute it and/or modify        #
# it under the terms of the GNU General Public License as published by        #
# the Free Software Foundation, either version 3 of the License, or           #
# (at your option) any later version.                                         #
#                                                                             #
# This program is distributed in the hope that it will be useful,             #
# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               #
# GNU General Public License for more details.                                #
#                                                                             #
# You should have received a copy of the GNU General Public License           #
# along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
#                                                                             #
###############################################################################

. /etc/sysconfig/rc
. ${rc_functions}

# Set PATH to find our own executables
export PATH=/usr/local/sbin:/usr/local/bin:${PATH}

# GCP only supports an MTU of 1460
DEFAULT_MTU=1460

get() {
	local file="${1}"

	wget -qO - "http://169.254.169.254/opc/v1/${file}"
}

try_base64_decode() {
	local input="${1}"

	local tmp="$(mktemp)"

	# Try to decode this and return output if successful
	if base64 -d <<< "${input}" > "${tmp}" 2>/dev/null; then
		echo "$(<${tmp})"

	# Otherwise just return the input
	else
		echo "${input}"
	fi

	# Cleanup
	unlink "${tmp}"
}

to_address() {
	local n="${1}"

	local o1=$(( (n & 0xff000000) >> 24 ))
	local o2=$(( (n & 0xff0000) >> 16 ))
	local o3=$(( (n & 0xff00) >> 8 ))
	local o4=$(( (n & 0xff) ))

	printf "%d.%d.%d.%d\n" "${o1}" "${o2}" "${o3}" "${o4}"
}

to_integer() {
	local address="${1}"

	local integer=0

	local i
	for i in ${address//\./ }; do
		integer=$(( (integer << 8) + i ))
	done

	printf "%d\n" "${integer}"
}

prefix2netmask() {
	local prefix=${1}

	local zeros=$(( 32 - prefix ))
	local netmask=0

	local i
	for (( i=0; i<${zeros}; i++ )); do
		netmask=$(( (netmask << 1) ^ 1 ))
	done

	to_address "$(( netmask ^ 0xffffffff ))"
}

oci_list_interfaces() {
	get "vnics/" | python3 -c "import json, sys; print(\"\n\".join([vnic[\"vnicId\"] for vnic in json.load(sys.stdin)]))"
}

oci_get_interface_param() {
	local id="${1}"
	local param="${2}"

	get "vnics/" | python3 -c "import json, sys; print(\"\n\".join(vnic.get(\"${param}\", \"\") for vnic in json.load(sys.stdin) if vnic[\"vnicId\"] == \"${id}\"))"
}

import_oci_configuration() {
	local instance_id="$(get instance/id)"

	boot_mesg "Importing Oracle Cloud Infrastructure configuration for instance ${instance_id}..."

	# Store instance ID
	echo "${instance_id}" > /var/run/oci-instance-id

	# Initialise system settings
	local hostname=$(get instance/hostname)

	# Set hostname
	if ! grep -q "^HOSTNAME=" /var/ipfire/main/settings; then
		echo "HOSTNAME=${hostname%%.*}" >> /var/ipfire/main/settings
	fi

	# Set domainname
	if ! grep -q "^DOMAINNAME=" /var/ipfire/main/settings; then
		echo "DOMAINNAME=${hostname#*.}" >> /var/ipfire/main/settings
	fi

	# Create setup user
	if ! getent passwd setup &>/dev/null; then
		useradd setup -s /usr/bin/run-setup -g nobody -m

		# Unlock the account
		usermod -p "x" setup
	fi

	# Import SSH keys for setup user
	local line
	while read -r line; do
		# Strip the username part from the key
		local key="${line#*:}"

		if [ -n "${key}" ] && ! grep -q "^${key}$" "/home/setup/.ssh/authorized_keys" 2>/dev/null; then
			mkdir -p "/home/setup/.ssh"
			chmod 700 "/home/setup/.ssh"
			chown setup.nobody "/home/setup/.ssh"

			echo "${key}" >> "/home/setup/.ssh/authorized_keys"
			chmod 600 "/home/setup/.ssh/authorized_keys"
			chown setup.nobody "/home/setup/.ssh/authorized_keys"
		fi
	done <<<"$(get instance/metadata/ssh_authorized_keys)"

	# Download the user-data script only on the first boot
	if [ ! -e "/var/ipfire/main/firstsetup_ok" ]; then
		# Download a startup script
		local script="$(get instance/metadata/user_data)"

		# Try to decode this
		script="$(try_base64_decode "${script}")"

		# Execute the script
		if [ "${script:0:2}" = "#!" ]; then
			echo "${script}" > /tmp/user-data.script
			chmod 700 /tmp/user-data.script

			# Run the script
			local now="$(date -u +"%s")"
			/tmp/user-data.script &>/var/log/user-data.log.${now}

			# Delete the script right away
			rm /tmp/user-data.script
		fi
	fi

	# Import network configuration
	# After this, no network connectivity will be available from this script due to the
	# renaming of the network interfaces for which they have to be shut down
	local config_type=1
	: > /var/ipfire/ethernet/settings

	local id
	for id in $(oci_list_interfaces); do
		local mac="$(oci_get_interface_param "${id}" "macAddr")"

		# First IPv4 address
		local ipv4_address="$(oci_get_interface_param "${id}" "privateIp")"
		local ipv4_address_num="$(to_integer "${ipv4_address}")"

		local subnet="$(oci_get_interface_param "${id}" "subnetCidrBlock")"
		local prefix="${subnet#*/}"

		local netmask="$(prefix2netmask "${prefix}")"

		# Calculate the network and broadcast addresses
		local netaddress="${subnet%/*}"

		local index="$(oci_get_interface_param "${id}" "nicIndex")"

		# Set index to zero if it was empty
		if [ -z "${index}" ]; then
			index=0
		fi

		case "${index}" in
			# RED
			0)
				local interface_name="red0"
				local gateway="$(oci_get_interface_param "${id}" "virtualRouterIp")"

				(
					echo "RED_TYPE=STATIC"
					echo "RED_DEV=${interface_name}"
					echo "RED_MACADDR=${mac}"
					echo "RED_DESCRIPTION='${id}'"
					echo "RED_ADDRESS=${ipv4_address}"
					echo "RED_NETMASK=${netmask}"
					echo "RED_NETADDRESS=${netaddress}"
					echo "RED_MTU=1500"
					echo "DEFAULT_GATEWAY=${gateway}"
				) >> /var/ipfire/ethernet/settings

				# Import aliases for RED
				#for alias in $(get "instance/network-interfaces/${device_number}/ip-aliases"); do
				#	echo "${alias},on,"
				#done > /var/ipfire/ethernet/aliases
				;;

			# GREEN
			1)
				local interface_name="green0"

				(
					echo "GREEN_DEV=${interface_name}"
					echo "GREEN_MACADDR=${mac}"
					echo "GREEN_DESCRIPTION='${id}'"
					echo "GREEN_ADDRESS=${ipv4_address}"
					echo "GREEN_NETMASK=${netmask}"
					echo "GREEN_NETADDRESS=${netaddress}"
					echo "GREEN_MTU=${DEFAULT_MTU}"
				) >> /var/ipfire/ethernet/settings
				;;

			# ORANGE
			2)
				local interface_name="orange0"
				config_type=2

				(
					echo "ORANGE_DEV=${interface_name}"
					echo "ORANGE_MACADDR=${mac}"
					echo "ORANGE_DESCRIPTION='${id}'"
					echo "ORANGE_ADDRESS=${ipv4_address}"
					echo "ORANGE_NETMASK=${netmask}"
					echo "ORANGE_NETADDRESS=${netaddress}"
					echo "ORANGE_MTU=${DEFAULT_MTU}"
				) >> /var/ipfire/ethernet/settings
				;;
		esac
	done

	# Save CONFIG_TYPE
	echo "CONFIG_TYPE=${config_type}" >> /var/ipfire/ethernet/settings

	# Actions performed only on the very first start
	if [ ! -e "/var/ipfire/main/firstsetup_ok" ]; then
		# Disable using ISP nameservers
		sed -e "s/^USE_ISP_NAMESERVERS=.*/USE_ISP_NAMESERVERS=off/" -i /var/ipfire/dns/settings

		# Enable SSH
		sed -e "s/ENABLE_SSH=.*/ENABLE_SSH=on/g" -i /var/ipfire/remote/settings

		# Disable SSH password authentication
		sed -e "s/^ENABLE_SSH_PASSWORDS=.*/ENABLE_SSH_PASSWORDS=off/" -i /var/ipfire/remote/settings

		# Enable SSH key authentication
		sed -e "s/^ENABLE_SSH_KEYS=.*/ENABLE_SSH_KEYS=on/" -i /var/ipfire/remote/settings

		# Apply SSH settings
		/usr/local/bin/sshctrl

		# Mark SSH to start immediately (but not right now)
		touch /var/ipfire/remote/enablessh
		chown nobody:nobody /var/ipfire/remote/enablessh

		# Firewall rules for SSH and WEBIF
		(
			echo "1,ACCEPT,INPUTFW,ON,std_net_src,ALL,ipfire,RED1,,TCP,,,ON,,,cust_srv,SSH,,,,,,,,,,,00:00,00:00,,AUTO,,dnat,,,,,second"
			echo "2,ACCEPT,INPUTFW,ON,std_net_src,ALL,ipfire,RED1,,TCP,,,ON,,,TGT_PORT,444,,,,,,,,,,,00:00,00:00,,AUTO,,dnat,,,,,second"
		) >> /var/ipfire/firewall/input

		# This script has now completed the first steps of setup
		touch /var/ipfire/main/firstsetup_ok
	fi

	# All done
	echo_ok
}

case "${reason}" in
	PREINIT)
		# Bring up the interface
		ip link set "${interface}" up
		;;

	BOUND|RENEW|REBIND|REBOOT)
		# Remove any previous IP addresses
		ip addr flush dev "${interface}"

		# Add (or re-add) the new IP address
		ip addr add "${new_ip_address}/${new_subnet_mask}" dev "${interface}"

		# Add the default route
		ip route add "${new_routers}" dev "${interface}"
		ip route add default via "${new_routers}"

		# Setup DNS
		for domain_name_server in ${new_domain_name_servers}; do
			echo "nameserver ${domain_name_server}"
		done > /etc/resolv.conf

		# The system is online now
		touch /var/ipfire/red/active

		# Import OCI configuration
		import_oci_configuration
		;;

	EXPIRE|FAIL|RELEASE|STOP)
		# The system is no longer online
		rm -f /var/ipfire/red/active

		# Remove all IP addresses
		ip addr flush dev "${interface}"

		# Shut down the interface
		ip link set "${interface}" down
		;;

	*)
		echo "Unhandled reason: ${reason}" >&2
		exit 2
		;;
esac

# Terminate
exit 0
Commit	Line	Data
138c94a9	1	#!/bin/bash
66c36198 PM	2	###############################################################################
	3	# #
	4	# IPFire.org - A linux based firewall #
	5	# Copyright (C) 2007-2022 IPFire Team <info@ipfire.org> #
	6	# #
	7	# This program is free software: you can redistribute it and/or modify #
	8	# it under the terms of the GNU General Public License as published by #
	9	# the Free Software Foundation, either version 3 of the License, or #
	10	# (at your option) any later version. #
	11	# #
	12	# This program is distributed in the hope that it will be useful, #
	13	# but WITHOUT ANY WARRANTY; without even the implied warranty of #
	14	# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
	15	# GNU General Public License for more details. #
	16	# #
	17	# You should have received a copy of the GNU General Public License #
	18	# along with this program. If not, see <http://www.gnu.org/licenses/>. #
	19	# #
	20	###############################################################################
138c94a9 MT	21
	22	. /etc/sysconfig/rc
	23	. ${rc_functions}
	24
	25	# Set PATH to find our own executables
	26	export PATH=/usr/local/sbin:/usr/local/bin:${PATH}
	27
	28	# GCP only supports an MTU of 1460
	29	DEFAULT_MTU=1460
	30
	31	get() {
	32	local file="${1}"
	33
	34	wget -qO - "http://169.254.169.254/opc/v1/${file}"
	35	}
	36
d5538121 MT	37	try_base64_decode() {
	38	local input="${1}"
	39
	40	local tmp="$(mktemp)"
	41
	42	# Try to decode this and return output if successful
	43	if base64 -d <<< "${input}" > "${tmp}" 2>/dev/null; then
	44	echo "$(<${tmp})"
	45
	46	# Otherwise just return the input
	47	else
	48	echo "${input}"
	49	fi
	50
	51	# Cleanup
	52	unlink "${tmp}"
	53	}
	54
138c94a9 MT	55	to_address() {
	56	local n="${1}"
	57
	58	local o1=$(( (n & 0xff000000) >> 24 ))
	59	local o2=$(( (n & 0xff0000) >> 16 ))
	60	local o3=$(( (n & 0xff00) >> 8 ))
	61	local o4=$(( (n & 0xff) ))
	62
	63	printf "%d.%d.%d.%d\n" "${o1}" "${o2}" "${o3}" "${o4}"
	64	}
	65
	66	to_integer() {
	67	local address="${1}"
	68
	69	local integer=0
	70
	71	local i
	72	for i in ${address//\./ }; do
	73	integer=$(( (integer << 8) + i ))
	74	done
	75
	76	printf "%d\n" "${integer}"
	77	}
	78
	79	prefix2netmask() {
	80	local prefix=${1}
	81
	82	local zeros=$(( 32 - prefix ))
	83	local netmask=0
	84
	85	local i
	86	for (( i=0; i<${zeros}; i++ )); do
	87	netmask=$(( (netmask << 1) ^ 1 ))
	88	done
	89
	90	to_address "$(( netmask ^ 0xffffffff ))"
	91	}
	92
	93	oci_list_interfaces() {
	94	get "vnics/" \| python3 -c "import json, sys; print(\"\n\".join([vnic[\"vnicId\"] for vnic in json.load(sys.stdin)]))"
	95	}
	96
	97	oci_get_interface_param() {
	98	local id="${1}"
	99	local param="${2}"
	100
	101	get "vnics/" \| python3 -c "import json, sys; print(\"\n\".join(vnic.get(\"${param}\", \"\") for vnic in json.load(sys.stdin) if vnic[\"vnicId\"] == \"${id}\"))"
	102	}
	103
	104	import_oci_configuration() {
	105	local instance_id="$(get instance/id)"
	106
	107	boot_mesg "Importing Oracle Cloud Infrastructure configuration for instance ${instance_id}..."
	108
	109	# Store instance ID
	110	echo "${instance_id}" > /var/run/oci-instance-id
	111
	112	# Initialise system settings
	113	local hostname=$(get instance/hostname)
	114
	115	# Set hostname
	116	if ! grep -q "^HOSTNAME=" /var/ipfire/main/settings; then
	117	echo "HOSTNAME=${hostname%%.*}" >> /var/ipfire/main/settings
	118	fi
119
120	# Set domainname
121	if ! grep -q "^DOMAINNAME=" /var/ipfire/main/settings; then
122	echo "DOMAINNAME=${hostname#*.}" >> /var/ipfire/main/settings
123	fi
124
125	# Create setup user
126	if ! getent passwd setup &>/dev/null; then
127	useradd setup -s /usr/bin/run-setup -g nobody -m
128
129	# Unlock the account
130	usermod -p "x" setup
131	fi
132
133	# Import SSH keys for setup user
134	local line
135	while read -r line; do
136	# Strip the username part from the key
137	local key="${line#*:}"
138
139	if [ -n "${key}" ] && ! grep -q "^${key}$" "/home/setup/.ssh/authorized_keys" 2>/dev/null; then
140	mkdir -p "/home/setup/.ssh"
141	chmod 700 "/home/setup/.ssh"
142	chown setup.nobody "/home/setup/.ssh"
143
144	echo "${key}" >> "/home/setup/.ssh/authorized_keys"
145	chmod 600 "/home/setup/.ssh/authorized_keys"
146	chown setup.nobody "/home/setup/.ssh/authorized_keys"
147	fi
148	done <<<"$(get instance/metadata/ssh_authorized_keys)"
149
150	# Download the user-data script only on the first boot
151	if [ ! -e "/var/ipfire/main/firstsetup_ok" ]; then
152	# Download a startup script
153	local script="$(get instance/metadata/user_data)"
154
d5538121 MT	155	# Try to decode this
	156	script="$(try_base64_decode "${script}")"
	157
138c94a9 MT	158	# Execute the script
	159	if [ "${script:0:2}" = "#!" ]; then
	160	echo "${script}" > /tmp/user-data.script
	161	chmod 700 /tmp/user-data.script
	162
	163	# Run the script
	164	local now="$(date -u +"%s")"
	165	/tmp/user-data.script &>/var/log/user-data.log.${now}
	166
	167	# Delete the script right away
	168	rm /tmp/user-data.script
	169	fi
	170	fi
	171
	172	# Import network configuration
	173	# After this, no network connectivity will be available from this script due to the
	174	# renaming of the network interfaces for which they have to be shut down
	175	local config_type=1
	176	: > /var/ipfire/ethernet/settings
	177
	178	local id
	179	for id in $(oci_list_interfaces); do
	180	local mac="$(oci_get_interface_param "${id}" "macAddr")"
	181
	182	# First IPv4 address
	183	local ipv4_address="$(oci_get_interface_param "${id}" "privateIp")"
	184	local ipv4_address_num="$(to_integer "${ipv4_address}")"
	185
	186	local subnet="$(oci_get_interface_param "${id}" "subnetCidrBlock")"
	187	local prefix="${subnet#*/}"
	188
	189	local netmask="$(prefix2netmask "${prefix}")"
138c94a9 MT	190
	191	# Calculate the network and broadcast addresses
	192	local netaddress="${subnet%/*}"
138c94a9 MT	193
	194	local index="$(oci_get_interface_param "${id}" "nicIndex")"
	195
	196	# Set index to zero if it was empty
	197	if [ -z "${index}" ]; then
	198	index=0
	199	fi
	200
	201	case "${index}" in
	202	# RED
	203	0)
	204	local interface_name="red0"
	205	local gateway="$(oci_get_interface_param "${id}" "virtualRouterIp")"
	206
	207	(
	208	echo "RED_TYPE=STATIC"
	209	echo "RED_DEV=${interface_name}"
	210	echo "RED_MACADDR=${mac}"
	211	echo "RED_DESCRIPTION='${id}'"
	212	echo "RED_ADDRESS=${ipv4_address}"
	213	echo "RED_NETMASK=${netmask}"
	214	echo "RED_NETADDRESS=${netaddress}"
138c94a9 MT	215	echo "RED_MTU=1500"
	216	echo "DEFAULT_GATEWAY=${gateway}"
	217	) >> /var/ipfire/ethernet/settings
	218
	219	# Import aliases for RED
	220	#for alias in $(get "instance/network-interfaces/${device_number}/ip-aliases"); do
	221	# echo "${alias},on,"
	222	#done > /var/ipfire/ethernet/aliases
	223	;;
	224
	225	# GREEN
	226	1)
	227	local interface_name="green0"
	228
	229	(
	230	echo "GREEN_DEV=${interface_name}"
	231	echo "GREEN_MACADDR=${mac}"
	232	echo "GREEN_DESCRIPTION='${id}'"
	233	echo "GREEN_ADDRESS=${ipv4_address}"
	234	echo "GREEN_NETMASK=${netmask}"
	235	echo "GREEN_NETADDRESS=${netaddress}"
138c94a9 MT	236	echo "GREEN_MTU=${DEFAULT_MTU}"
	237	) >> /var/ipfire/ethernet/settings
	238	;;
	239
	240	# ORANGE
	241	2)
	242	local interface_name="orange0"
	243	config_type=2
	244
	245	(
	246	echo "ORANGE_DEV=${interface_name}"
	247	echo "ORANGE_MACADDR=${mac}"
	248	echo "ORANGE_DESCRIPTION='${id}'"
	249	echo "ORANGE_ADDRESS=${ipv4_address}"
	250	echo "ORANGE_NETMASK=${netmask}"
	251	echo "ORANGE_NETADDRESS=${netaddress}"
138c94a9 MT	252	echo "ORANGE_MTU=${DEFAULT_MTU}"
	253	) >> /var/ipfire/ethernet/settings
	254	;;
	255	esac
	256	done
	257
	258	# Save CONFIG_TYPE
	259	echo "CONFIG_TYPE=${config_type}" >> /var/ipfire/ethernet/settings
	260
	261	# Actions performed only on the very first start
	262	if [ ! -e "/var/ipfire/main/firstsetup_ok" ]; then
	263	# Disable using ISP nameservers
	264	sed -e "s/^USE_ISP_NAMESERVERS=.*/USE_ISP_NAMESERVERS=off/" -i /var/ipfire/dns/settings
	265
	266	# Enable SSH
	267	sed -e "s/ENABLE_SSH=.*/ENABLE_SSH=on/g" -i /var/ipfire/remote/settings
	268
	269	# Disable SSH password authentication
	270	sed -e "s/^ENABLE_SSH_PASSWORDS=.*/ENABLE_SSH_PASSWORDS=off/" -i /var/ipfire/remote/settings
	271
	272	# Enable SSH key authentication
	273	sed -e "s/^ENABLE_SSH_KEYS=.*/ENABLE_SSH_KEYS=on/" -i /var/ipfire/remote/settings
	274
	275	# Apply SSH settings
	276	/usr/local/bin/sshctrl
	277
	278	# Mark SSH to start immediately (but not right now)
	279	touch /var/ipfire/remote/enablessh
	280	chown nobody:nobody /var/ipfire/remote/enablessh
	281
	282	# Firewall rules for SSH and WEBIF
	283	(
	284	echo "1,ACCEPT,INPUTFW,ON,std_net_src,ALL,ipfire,RED1,,TCP,,,ON,,,cust_srv,SSH,,,,,,,,,,,00:00,00:00,,AUTO,,dnat,,,,,second"
	285	echo "2,ACCEPT,INPUTFW,ON,std_net_src,ALL,ipfire,RED1,,TCP,,,ON,,,TGT_PORT,444,,,,,,,,,,,00:00,00:00,,AUTO,,dnat,,,,,second"
	286	) >> /var/ipfire/firewall/input
	287
	288	# This script has now completed the first steps of setup
	289	touch /var/ipfire/main/firstsetup_ok
	290	fi
	291
	292	# All done
	293	echo_ok
	294	}
	295
	296	case "${reason}" in
	297	PREINIT)
	298	# Bring up the interface
	299	ip link set "${interface}" up
	300	;;
	301
	302	BOUND\|RENEW\|REBIND\|REBOOT)
	303	# Remove any previous IP addresses
	304	ip addr flush dev "${interface}"
	305
	306	# Add (or re-add) the new IP address
	307	ip addr add "${new_ip_address}/${new_subnet_mask}" dev "${interface}"
	308
	309	# Add the default route
	310	ip route add "${new_routers}" dev "${interface}"
	311	ip route add default via "${new_routers}"
	312
	313	# Setup DNS
	314	for domain_name_server in ${new_domain_name_servers}; do
	315	echo "nameserver ${domain_name_server}"
316	done > /etc/resolv.conf
317
318	# The system is online now
319	touch /var/ipfire/red/active
320
321	# Import OCI configuration
322	import_oci_configuration
323	;;
324
325	EXPIRE\|FAIL\|RELEASE\|STOP)
326	# The system is no longer online
327	rm -f /var/ipfire/red/active
328
329	# Remove all IP addresses
330	ip addr flush dev "${interface}"
331
332	# Shut down the interface
333	ip link set "${interface}" down
334	;;
335
336	*)
337	echo "Unhandled reason: ${reason}" >&2
338	exit 2
339	;;
340	esac
341
342	# Terminate
343	exit 0