PE-5714 #321
PE-5714 #321
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -6,8 +6,8 @@ | |
# | ||
|
||
|
||
root_dir="$( cd "$( dirname $0 )" && pwd )" | ||
echo Root dir $root_dir | ||
root_dir="$( cd "$( dirname "$0" )" && pwd )" | ||
echo Root dir "$root_dir" | ||
|
||
|
||
########################################################################## | ||
|
@@ -21,7 +21,7 @@ check_error() | |
|
||
if [[ ${status} -ne 0 ]]; then | ||
echo -e "\033[31m - ${msg} \033[0m" | ||
exit ${exit_status} | ||
exit "${exit_status}" | ||
fi | ||
|
||
return 0 | ||
|
@@ -40,10 +40,10 @@ update_config_files() { | |
check_error 1 "File ${config_file} not found" | ||
fi | ||
|
||
sed -i "s/^\($search_str.*\)$/#\1/" ${config_file} | ||
sed -i "s/^\($search_str.*\)$/#\1/" "${config_file}" | ||
check_error $? "Failed commenting config value $search_str." 1 | ||
|
||
echo "$append_str" >> ${config_file} | ||
echo "$append_str" >> "${config_file}" | ||
check_error $? "Failed appending config value $append_str" 1 | ||
|
||
return 0 | ||
|
@@ -109,7 +109,7 @@ upgrade_packages() { | |
apt-get -y upgrade | ||
check_error $? "Failed upgrading packages" 1 | ||
apt-get install -y auditd apparmor-utils libpam-pwquality | ||
if [[ $? -ne 0 ]]; then | ||
if $? -ne 0 ; then | ||
echo 'deb http://archive.ubuntu.com/ubuntu focal main restricted' > /etc/apt/sources.list.d/repotmp.list | ||
apt-get update | ||
apt-get install -y auditd apparmor-utils libpam-pwquality | ||
|
@@ -516,8 +516,8 @@ harden_system() { | |
|
||
echo "Error out if there are users with empty password" | ||
cat /etc/shadow |awk -F : '($2 == "" ){ exit 1}' | ||
if [[ $? -ne 0 ]]; then | ||
echo "Users present with empty password. Remove the user or set password for the users" | ||
if $? -ne 0 ; then | ||
echo "Users present with empty password. Remove the user or set pasword for the users" | ||
exit 1 | ||
fi | ||
|
||
|
@@ -529,18 +529,18 @@ harden_system() { | |
fi | ||
|
||
echo "Fix permission of all cron files" | ||
for each in `echo /etc/cron.daily /etc/cron.hourly /etc/cron.d /etc/cron.monthly /etc/cron.weekly /etc/crontab` | ||
for each in echo /etc/cron.daily /etc/cron.hourly /etc/cron.d /etc/cron.monthly /etc/cron.weekly /etc/crontab | ||
do | ||
if [[ -e ${each} ]]; then | ||
stat -L -c "%a %u %g" ${each} | egrep ".00 0 0" | ||
if [[ $? -ne 0 ]]; then | ||
chown root:root ${each} | ||
chmod og-rwx ${each} | ||
stat -L -c "%a %u %g" "${each}" | grep -E".00 0 0" | ||
|
||
if $? -ne 0 ; then | ||
chown root:root "${each}" | ||
chmod og-rwx "${each}" | ||
fi | ||
fi | ||
done | ||
|
||
echo "Remove cron and at deny files and have allow files in place" | ||
echo "Remove cron and at deny files anf have allow files in place" | ||
Could you fix the typo in this line?

updated.
||
rm -f /etc/cron.deny | ||
rm -f /etc/at.deny | ||
touch /etc/cron.allow | ||
|
@@ -821,12 +821,14 @@ harden_auth() { | |
# Backup the original file | ||
cp /etc/pam.d/common-auth /etc/pam.d/common-auth.bak | ||
|
||
echo "auth required pam_faillock.so preauth audit silent deny=4 fail_interval=900 unlock_time=600" > /etc/pam.d/common-auth | ||
echo "auth [success=1 default=ignore] pam_unix.so nullok" >> /etc/pam.d/common-auth | ||
echo "auth [default=die] pam_faillock.so authfail audit deny=4 fail_interval=900 unlock_time=600" >> /etc/pam.d/common-auth | ||
echo "auth sufficient pam_faillock.so authsucc audit deny=4 fail_interval=900 unlock_time=600" >> /etc/pam.d/common-auth | ||
echo "auth requisite pam_deny.so" >> /etc/pam.d/common-auth | ||
echo "auth required pam_permit.so" >> /etc/pam.d/common-auth | ||
{ | ||
echo "auth required pam_faillock.so preauth audit silent deny=4 fail_interval=900 unlock_time=600" | ||
echo "auth [success=1;default=ignore] pam_unix.so nullok" | ||
echo "auth [default=die] pam_faillock.so authfail audit deny=4 fail_interval=900 unlock_time=600" | ||
echo "auth sufficient pam_faillock.so authsucc audit deny=4 fail_interval=900 unlock_time=600" | ||
echo "auth requisite pam_deny.so" | ||
echo "auth required pam_permit.so" | ||
} > /etc/pam.d/common-auth | ||
Using this approach, will the content get appended if the file has existing content?

updated with >> /etc/pam.d/common-auth
||
|
||
# Backup the original file | ||
cp /etc/pam.d/common-account /etc/pam.d/common-account.bak | ||
|
@@ -838,10 +840,12 @@ harden_auth() { | |
# Backup the original file | ||
cp /etc/pam.d/common-password /etc/pam.d/common-password.bak | ||
|
||
echo "password requisite pam_pwquality.so retry=3" > /etc/pam.d/common-password | ||
echo "password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass remember=5" >> /etc/pam.d/common-password | ||
echo "password requisite pam_deny.so" >> /etc/pam.d/common-password | ||
echo "password required pam_permit.so" >> /etc/pam.d/common-password | ||
{ | ||
echo "password requisite pam_pwquality.so retry=3" | ||
echo "password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass remember=5" | ||
echo "password requisite pam_deny.so" | ||
echo "password required pam_permit.so" | ||
} > /etc/pam.d/common-password | ||
|
||
#####################Password expiry policy################# | ||
|
||
|
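Review bot: The three new `if $? -ne 0 ; then` lines (the apt-get fallback in upgrade_packages, the empty-password check and the cron permission loop in harden_system) no longer test anything: `$?` expands to a number, so bash tries to run a command named `0` or `1`, gets status 127, and the `then` branch is never entered. That silently disables the "Users present with empty password" exit and the `chown root:root`/`chmod og-rwx` repair, so the hardening run reports success while leaving those conditions in place; restore `if [[ $? -ne 0 ]]; then` in all three places (or test the command directly, e.g. `if ! stat -L -c "%a %u %g" "${each}" | grep -E ".00 0 0"; then`). In the same loop, `grep -E".00 0 0"` lost the space after `-E`, so grep receives `-E.00 0 0` as one option cluster and fails with an invalid-option error instead of matching, and `for each in echo /etc/cron.daily …` now iterates the literal word `echo` as a path (harmless only because `-e echo` is false). In harden_auth the control field `[success=1;default=ignore]` is not valid Linux-PAM syntax — actions inside `[...]` are whitespace-separated — so common-auth would likely be rejected or mis-sequenced by PAM; keep `[success=1 default=ignore]` as the removed line had it. All of these sit inside functions whose bodies extend beyond the visible hunks.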
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -18,17 +18,17 @@ function build_with_proxy() { | |
--rm -t \ | ||
-e GLOBAL_CONFIG="$global_config" \ | ||
-e BUILDKIT_TCP_TRANSPORT_ENABLED=true \ | ||
-e http_proxy=$HTTP_PROXY \ | ||
-e https_proxy=$HTTPS_PROXY \ | ||
-e HTTPS_PROXY=$HTTPS_PROXY \ | ||
-e HTTP_PROXY=$HTTP_PROXY \ | ||
-e NO_PROXY=$NO_PROXY \ | ||
-e no_proxy=$NO_PROXY \ | ||
-e EARTHLY_GIT_CONFIG=$gitconfig \ | ||
-v "$(pwd)/certs:/usr/local/share/ca-certificates:ro" \ | ||
-e http_proxy="$HTTP_PROXY" \ | ||
-e https_proxy="$HTTPS_PROXY" \ | ||
-e HTTPS_PROXY="$HTTPS_PROXY" \ | ||
-e HTTP_PROXY="$HTTP_PROXY" \ | ||
-e NO_PROXY="$NO_PROXY" \ | ||
-e no_proxy="$NO_PROXY" \ | ||
-e EARTHLY_GIT_CONFIG="$gitconfig" \ | ||
-v "$PROXY_CERT_PATH:/usr/local/share/ca-certificates/sc.crt:ro" \ | ||
-v earthly-tmp:/tmp/earthly:rw \ | ||
-p 8372:8372 \ | ||
$SPECTRO_PUB_REPO/third-party/edge/earthly/buildkitd:$EARTHLY_VERSION | ||
"$SPECTRO_PUB_REPO"/third-party/edge/earthly/buildkitd:$EARTHLY_VERSION | ||
# Update the CA certificates in the container | ||
docker exec -it earthly-buildkitd update-ca-certificates | ||
|
||
|
@@ -40,21 +40,21 @@ function build_with_proxy() { | |
-e GLOBAL_CONFIG="$global_config" \ | ||
-e EARTHLY_BUILDKIT_HOST=tcp://0.0.0.0:8372 \ | ||
-e BUILDKIT_TLS_ENABLED=false \ | ||
-e http_proxy=$HTTP_PROXY \ | ||
-e https_proxy=$HTTPS_PROXY \ | ||
-e HTTPS_PROXY=$HTTPS_PROXY \ | ||
-e HTTP_PROXY=$HTTP_PROXY \ | ||
-e NO_PROXY=$NO_PROXY \ | ||
-e no_proxy=$NO_PROXY \ | ||
-e http_proxy="$HTTP_PROXY" \ | ||
-e https_proxy="$HTTPS_PROXY" \ | ||
-e HTTPS_PROXY="$HTTPS_PROXY" \ | ||
-e HTTP_PROXY="$HTTP_PROXY" \ | ||
-e NO_PROXY="$NO_PROXY" \ | ||
-e no_proxy="$NO_PROXY" \ | ||
-v "$(pwd)":/workspace \ | ||
-v "$(pwd)/certs:/usr/local/share/ca-certificates:ro" \ | ||
-v "$PROXY_CERT_PATH:/workspace/sc.crt:ro" \ | ||
--entrypoint /workspace/earthly-entrypoint.sh \ | ||
$SPECTRO_PUB_REPO/third-party/edge/earthly/earthly:$EARTHLY_VERSION --allow-privileged "$@" | ||
"$SPECTRO_PUB_REPO"/third-party/edge/earthly/earthly:$EARTHLY_VERSION --allow-privileged "$@" | ||
} | ||
|
||
function build_without_proxy() { | ||
# Run Earthly in Docker to create artifacts Variables are passed from the .arg file | ||
docker run --privileged -v ~/.docker/config.json:/root/.docker/config.json -v /var/run/docker.sock:/var/run/docker.sock --rm --env EARTHLY_BUILD_ARGS -t -e GLOBAL_CONFIG="$global_config" -v "$(pwd)":/workspace $SPECTRO_PUB_REPO/third-party/edge/earthly/earthly:$EARTHLY_VERSION --allow-privileged "$@" | ||
docker run --privileged -v ~/.docker/config.json:/root/.docker/config.json -v /var/run/docker.sock:/var/run/docker.sock --rm --env EARTHLY_BUILD_ARGS -t -e GLOBAL_CONFIG="$global_config" -v "$(pwd)":/workspace "$SPECTRO_PUB_REPO"/third-party/edge/earthly/earthly:$EARTHLY_VERSION --allow-privileged "$@" | ||
} | ||
|
||
function print_os_pack() { | ||
|
@@ -94,14 +94,6 @@ PE_VERSION=$(git describe --abbrev=0 --tags) | |
SPECTRO_PUB_REPO=us-docker.pkg.dev/palette-images | ||
EARTHLY_VERSION=v0.8.15 | ||
source .arg | ||
|
||
# Workaround to support deprecated field PROXY_CERT_PATH | ||
This special handling is missing in your changes. Could you check it out again?
||
if [ -n "$PROXY_CERT_PATH" ]; then | ||
echo "PROXY_CERT_PATH is deprecated. Please place your certificates in the certs directory." | ||
echo "Copying the certificates from $PROXY_CERT_PATH to certs/" | ||
cp $PROXY_CERT_PATH certs/ | ||
fi | ||
|
||
ALPINE_IMG=$SPECTRO_PUB_REPO/edge/canvos/alpine:3.20 | ||
### Verify Dependencies | ||
# Check if Docker is installed | ||
|
@@ -111,28 +103,28 @@ else | |
echo "Docker not found. Please use the guide for your platform located https://docs.docker.com/engine/install/ to install Docker." | ||
fi | ||
# Check if the current user has permission to run privileged containers | ||
if ! docker run --rm --privileged $ALPINE_IMG sh -c 'echo "Privileged container test"' &>/dev/null; then | ||
if ! docker run --rm --privileged "$ALPINE_IMG" sh -c 'echo "Privileged container test"' &>/dev/null; then | ||
echo "Privileged containers are not allowed for the current user." | ||
exit 1 | ||
fi | ||
if [ -z "$HTTP_PROXY" ] && [ -z "$HTTPS_PROXY" ] && [ -z "$(find certs -type f ! -name '.*' -print -quit)" ]; then | ||
if [ -z "$HTTP_PROXY" ] && [ -z "$HTTPS_PROXY"]; then | ||
The 3rd condition is missing?

updated.
||
build_without_proxy "$@" | ||
else | ||
build_with_proxy "$@" | ||
fi | ||
|
||
# Verify the command was successful | ||
if [ $? -ne 0 ]; then | ||
if $? -ne 0 ; then | ||
echo "An error occurred while running the command." | ||
exit 1 | ||
fi | ||
# Cleanup builder helper images. | ||
docker rmi $SPECTRO_PUB_REPO/third-party/edge/earthly/earthly:$EARTHLY_VERSION | ||
docker rmi "$SPECTRO_PUB_REPO"/third-party/edge/earthly/earthly:$EARTHLY_VERSION | ||
if [ "$(docker container inspect -f '{{.State.Running}}' earthly-buildkitd)" = "true" ]; then | ||
docker stop earthly-buildkitd | ||
fi | ||
docker rmi $SPECTRO_PUB_REPO/third-party/edge/earthly/buildkitd:$EARTHLY_VERSION 2>/dev/null | ||
docker rmi $ALPINE_IMG | ||
docker rmi "$SPECTRO_PUB_REPO"/third-party/edge/earthly/buildkitd:$EARTHLY_VERSION 2>/dev/null | ||
docker rmi "$ALPINE_IMG" | ||
|
||
if [[ "$1" == "+uki-genkey" ]]; then | ||
./keys.sh secure-boot/ | ||
|
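Review bot: The rewritten proxy test `[ -z "$HTTPS_PROXY"]` is missing the space before `]`, so `[` receives `""]` as its last argument, reports a missing `]` and returns 2; with no proxy configured the `&&` chain then fails and the script falls into `build_with_proxy`, which, as far as the visible lines show, would bind-mount an empty `$PROXY_CERT_PATH` into both containers. Write `[ -z "$HTTPS_PROXY" ]`. A few lines down, `if $? -ne 0 ; then` has the same defect as the other script in this PR: `$?` becomes the command name, the test can never succeed, and a failed earthly build no longer exits 1 but continues into the `docker rmi` cleanup and, when `$1` is `+uki-genkey`, the `./keys.sh secure-boot/` step; use `if [[ $? -ne 0 ]]; then`. Minor: the image references quote `"$SPECTRO_PUB_REPO"` but leave `:$EARTHLY_VERSION` unquoted, which is inconsistent with the rest of the quoting pass.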
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,4 +1,4 @@ | ||
BASE_IMAGE="${1:-ubuntu-focal-fips}" | ||
|
||
DOCKER_BUILDKIT=1 docker build . --secret id=pro-attach-config,src=pro-attach-config.yaml -t $BASE_IMAGE | ||
docker run -v "$PWD"/build:/tmp/auroraboot -v /var/run/docker.sock:/var/run/docker.sock --rm quay.io/kairos/auroraboot --set container_image=docker://$BASE_IMAGE --set "disable_http_server=true" --set "disable_netboot=true" --set "state_dir=/tmp/auroraboot" | ||
DOCKER_BUILDKIT=1 docker build . --secret id=pro-attach-config,src=pro-attach-config.yaml -t "BASE_IMAGE" | ||
docker run -v "$PWD"/build:/tmp/auroraboot -v /var/run/docker.sock:/var/run/docker.sock --rm quay.io/kairos/auroraboot --set container_image=docker://"BASE_IMAGE" --set "disable_http_server=true" --set "disable_netboot=true" --set "state_dir=/tmp/auroraboot" |
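Review bot: `-t "BASE_IMAGE"` and `container_image=docker://"BASE_IMAGE"` drop the `$`, so the image is built and tagged with the literal name `BASE_IMAGE` and auroraboot is pointed at an image literally called `BASE_IMAGE`, not at the value assigned on the first line (`ubuntu-focal-fips` by default); the intended quoting is `-t "$BASE_IMAGE"` and `container_image=docker://"$BASE_IMAGE"`. A bare `docker://BASE_IMAGE` reference is also the kind of name that could presumably resolve to an unrelated registry image rather than the locally built one, so this is worth fixing before the script is used to produce a FIPS base image.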
This will not work as expected. The recommendation was to use the `$(...)` notation instead of legacy backticks.