From 9cf8d7bd50166dae208095026332d09372475dc2 Mon Sep 17 00:00:00 2001 From: Fabio Erculiani Date: Thu, 30 Aug 2012 18:22:53 +0200 Subject: [PATCH] [molecules] add Sabayon "Hardened Server" spec files --- molecules/hardenedserver.common | 53 +++++++++++++++++++ molecules/sabayon-amd64-hardenedserver.spec | 11 ++++ molecules/sabayon-x86-hardenedserver.spec | 15 ++++++ remaster/hardenedserver_isolinux.cfg | 31 +++++++++++ scripts/generic_pre_iso_script.sh | 7 +++ ...ardenedserver_inner_chroot_script_after.sh | 32 +++++++++++ 6 files changed, 149 insertions(+) create mode 100644 molecules/hardenedserver.common create mode 100644 molecules/sabayon-amd64-hardenedserver.spec create mode 100644 molecules/sabayon-x86-hardenedserver.spec create mode 100644 remaster/hardenedserver_isolinux.cfg create mode 100755 scripts/remaster_hardenedserver_inner_chroot_script_after.sh diff --git a/molecules/hardenedserver.common b/molecules/hardenedserver.common new file mode 100644 index 0000000..0383731 --- /dev/null +++ b/molecules/hardenedserver.common 
@@ -0,0 +1,53 @@
+# Define an alternative execution strategy, in this case, the value must be
+# "iso_remaster"
+execution_strategy: iso_remaster
+
+# ISO Image title
+iso_title: Sabayon Hardened Server
+
+# Release string
+release_string: Sabayon Linux
+
+# File to write release string
+release_file: /etc/sabayon-edition
+
+# Outer chroot script command, to be executed outside destination chroot before
+# before entering it (and before inner_chroot_script)
+%env outer_chroot_script: ${SABAYON_MOLECULE_HOME:-/sabayon}/scripts/remaster_pre.sh
+
+# Execute repositories update here, in a more fault-tolerant flavor
+%env inner_chroot_script: ${SABAYON_MOLECULE_HOME:-/sabayon}/scripts/remaster_generic_inner_chroot_script.sh
+
+# Inner chroot script command, to be executed inside destination chroot after
+# packages installation and removal
+%env inner_chroot_script_after: ${SABAYON_MOLECULE_HOME:-/sabayon}/scripts/remaster_hardenedserver_inner_chroot_script_after.sh
+
+# Outer chroot script command, to be executed outside destination chroot before
+# before entering it (and AFTER inner_chroot_script)
+%env outer_chroot_script_after: ${SABAYON_MOLECULE_HOME:-/sabayon}/scripts/remaster_post.sh
+
+# Used to umount /proc and unbind packages dir
+%env error_script: ${SABAYON_MOLECULE_HOME:-/sabayon}/scripts/remaster_error_script.sh
+
+# Extra mkisofs parameters, perhaps something to include/use your bootloader
+extra_mkisofs_parameters: -b isolinux/isolinux.bin -c isolinux/boot.cat
+
+# Pre-ISO building script. Hook to be able to copy kernel images in place, for example
+%env pre_iso_script: ${SABAYON_MOLECULE_HOME:-/sabayon}/scripts/generic_pre_iso_script.sh HardenedServer
+
+# Post-ISO building script, called after ISO image generation.
+%env post_iso_script: ${SABAYON_MOLECULE_HOME:-/sabayon}/scripts/generic_post_iso_script.sh
+
+# Destination directory for the ISO image path (MANDATORY)
+%env destination_iso_directory: ${SABAYON_MOLECULE_HOME:-/sabayon}/iso
+
+packages_to_add:
+ sys-kernel/linux-hardened,
+ sys-apps/paxctl
+
+packages_to_remove:
+ sys-kernel/linux-sabayon
+
+# Determine whether repositories update should be run (if packages_to_add is set)
+# (default is: no), values are: yes, no.
+execute_repositories_update: no
diff --git a/molecules/sabayon-amd64-hardenedserver.spec b/molecules/sabayon-amd64-hardenedserver.spec
new file mode 100644
index 0000000..a96f68b
--- /dev/null
+++ b/molecules/sabayon-amd64-hardenedserver.spec
@@ -0,0 +1,11 @@
+# Use abs path, otherwise daily iso build won't work
+%env %import ${SABAYON_MOLECULE_HOME:-/sabayon}/molecules/hardenedserver.common
+
+release_version: 10
+release_desc: amd64 Hardened Server
+
+# Path to source ISO file (MANDATORY)
+%env source_iso: ${SABAYON_MOLECULE_HOME:-/sabayon}/iso/Sabayon_Linux_SpinBase_DAILY_amd64.iso
+
+# Destination ISO image name, call whatever you want.iso, not mandatory
+destination_iso_image_name: Sabayon_Linux_HardenedServer_10_amd64.iso
diff --git a/molecules/sabayon-x86-hardenedserver.spec b/molecules/sabayon-x86-hardenedserver.spec
new file mode 100644
index 0000000..2f49144
--- /dev/null
+++ b/molecules/sabayon-x86-hardenedserver.spec
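Review bot: The comment above `outer_chroot_script_after` describes a script that runs "outside destination chroot before before entering it" while its parenthetical says "AFTER inner_chroot_script"; the doubled "before" is copied from the `outer_chroot_script` comment and the "before entering" part contradicts the key's own name. Suggested wording: `# Outer chroot script command, executed outside the destination chroot once the inner chroot scripts have finished` (the exact ordering is enforced by the molecule tool, so confirm it before committing to that phrasing). Separately, `packages_to_remove` drops sys-kernel/linux-sabayon while `packages_to_add` installs sys-kernel/linux-hardened, and generic_pre_iso_script.sh in this same commit copies the first `kernel-*` it finds under /boot; whether the old kernel's files are really gone at that point is not visible here, so a comment stating the expectation would help, e.g. `# linux-sabayon is removed so that only the hardened kernel is left in /boot for generic_pre_iso_script.sh to pick up`.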
@@ -0,0 +1,15 @@
+# use abs path, otherwise daily iso build automagic won't work
+%env %import ${SABAYON_MOLECULE_HOME:-/sabayon}/molecules/hardenedserver.common
+
+release_version: 10
+release_desc: x86 Hardened Server
+
+# pre chroot command, example, for 32bit chroots on 64bit system, you always
+# have to append "linux32" this is useful for inner_chroot_script
+prechroot: linux32
+
+# Path to source ISO file (MANDATORY)
+%env source_iso: ${SABAYON_MOLECULE_HOME:-/sabayon}/iso/Sabayon_Linux_SpinBase_DAILY_x86.iso
+
+# Destination ISO image name, call whatever you want.iso, not mandatory
+destination_iso_image_name: Sabayon_Linux_HardenedServer_10_x86.iso
diff --git a/remaster/hardenedserver_isolinux.cfg b/remaster/hardenedserver_isolinux.cfg
new file mode 100644
index 0000000..00f98b1
--- /dev/null
+++ b/remaster/hardenedserver_isolinux.cfg
@@ -0,0 +1,31 @@
+default console
+
+label console
+ menu label Start Sabayon __VERSION__ ServerBase
+ kernel /boot/sabayon
+ append root=/dev/ram0 initrd=/boot/sabayon.igz init=/linuxrc cdroot cdroot_type=udf looptype=squashfs loop=/livecd.squashfs splash=verbose,theme:sabayon vga=791 gfxpayload=1024x768x16 console=tty1 quiet --
+
+label text-install
+ menu label ^Installation
+ kernel /boot/sabayon
+ append root=/dev/ram0 initrd=/boot/sabayon.igz init=/linuxrc cdroot cdroot_type=udf looptype=squashfs loop=/livecd.squashfs splash=verbose,theme:sabayon vga=791 gfxpayload=1024x768x16 console=tty1 quiet installer-text --
+
+label genuine
+ menu label Start in Safe ^Mode
+ kernel /boot/sabayon
+ append root=/dev/ram0 initrd=/boot/sabayon.igz init=/linuxrc cdroot cdroot_type=udf looptype=squashfs loop=/livecd.squashfs splash=silent,theme:sabayon vga=788 gfxpayload=800x600x16 noproprietary res=1024x768 pci=routeirq irqpoll console=tty1 quiet nokvm --
+
+label debug
+ menu label Deb^ug mode
+ kernel /boot/sabayon
+ append root=/dev/ram0 initrd=/boot/sabayon.igz init=/linuxrc cdroot cdroot_type=udf looptype=squashfs loop=/livecd.squashfs console=tty1 debug --
+
+label memtest
+ menu label Memory ^test
+ kernel /boot/memtest
+ append -
+
+label hd
+ menu label ^Boot from first hard disk
+ localboot 0x80
+ append -
diff --git a/scripts/generic_pre_iso_script.sh b/scripts/generic_pre_iso_script.sh
index 3954155..4f5e7fc 100755
--- a/scripts/generic_pre_iso_script.sh
+++ b/scripts/generic_pre_iso_script.sh
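Review bot: The default entry's `menu label Start Sabayon __VERSION__ ServerBase` still carries the ServerBase name, so the Hardened Server ISO boots into a menu advertising the wrong edition; `menu label Start Sabayon __VERSION__ HardenedServer` would match `iso_title` and `release_desc` in the new molecule files. The file looks like a copy of the ServerBase isolinux config with nothing else changed (that file is not in this diff, so this is an inference from the label), and a one-line header such as `# derived from serverbase_isolinux.cfg; keep the append lines in sync` would tell the next maintainer that kernel-parameter changes have to be made in both places.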
@@ -20,6 +20,13 @@ elif [ "${remaster_type}" = "ServerBase" ]; then
 cp "${boot_kernel}" "${CDROOT_DIR}/boot/sabayon" || exit 1
 cp "${boot_ramfs}" "${CDROOT_DIR}/boot/sabayon.igz" || exit 1
 isolinux_source="${SABAYON_MOLECULE_HOME}/remaster/serverbase_isolinux.cfg"
+elif [ "${remaster_type}" = "HardenedServer" ]; then
+ echo "HardenedServer trigger, copying server kernel over"
+ boot_kernel=$(find "${CHROOT_DIR}/boot" -name "kernel-*" | sort | head -n 1)
+ boot_ramfs=$(find "${CHROOT_DIR}/boot" -name "initramfs-*" | sort | head -n 1)
+ cp "${boot_kernel}" "${CDROOT_DIR}/boot/sabayon" || exit 1
+ cp "${boot_ramfs}" "${CDROOT_DIR}/boot/sabayon.igz" || exit 1
+ isolinux_source="${SABAYON_MOLECULE_HOME}/remaster/hardenedserver_isolinux.cfg"
 fi
 
 cp "${isolinux_source}" "${isolinux_destination}" || exit 1
diff --git a/scripts/remaster_hardenedserver_inner_chroot_script_after.sh b/scripts/remaster_hardenedserver_inner_chroot_script_after.sh
new file mode 100755
index 0000000..5afedd8
--- /dev/null
+++ b/scripts/remaster_hardenedserver_inner_chroot_script_after.sh
@@ -0,0 +1,32 @@
+#!/bin/sh
+
+rc-update del installer-gui boot
+rc-update del x-setup boot
+rc-update del hald boot
+rc-update del avahi-daemon default
+
+# A RUNNING NetworkManager is required by Anaconda !!
+# re-enable rc_hotplug
+# sed -i 's:^rc_hotplug=.*:rc_hotplug="*":g' /etc/rc.conf
+# rc-update del NetworkManager default
+
+# install-data dir is really not needed
+rm -rf /install-data
+
+mount -t proc proc /proc
+/lib/rc/bin/rc-depend -u
+
+# Generate openrc cache
+touch /lib/rc/init.d/softlevel
+/etc/init.d/savecache start
+/etc/init.d/savecache zap
+
+ldconfig
+ldconfig
+umount /proc
+
+emaint --fix world
+
+rm -rf /var/lib/entropy/*cache*
+
+exit 0
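Review bot: `find "${CHROOT_DIR}/boot" -name "kernel-*" | sort | head -n 1` and the `initramfs-*` line below it choose the kernel and the initramfs independently and by plain lexical order, so if more than one kernel is present in the chroot's /boot (the old linux-sabayon files next to linux-hardened, for instance — the molecule removes the package but nothing here verifies /boot is clean) the image can ship a non-hardened kernel or a kernel/initramfs pair from different versions, which for an ISO whose whole point is the hardened kernel is the one thing worth checking. Refuse to continue when the choice is ambiguous and derive the initramfs from the chosen kernel: `[ "$(find "${CHROOT_DIR}/boot" -name "kernel-*" | wc -l)" -eq 1 ] || { echo "expected exactly one kernel in ${CHROOT_DIR}/boot" >&2; exit 1; }` followed by `boot_ramfs="${CHROOT_DIR}/boot/initramfs-${boot_kernel##*/kernel-}"` (this assumes both files share the same genkernel-style suffix — verify against a built chroot). The new branch appears to mirror the ServerBase branch whose tail is visible as context, differing only in the isolinux path, so a single branch with a `case "${remaster_type}"` selecting the cfg name would avoid the duplicated find/cp lines. The if/elif chain begins before this hunk.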
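Review bot: Nothing verifies that the four `rc-update del` calls at the top took effect, and the script ends with an unconditional `exit 0`, so a failure there produces a "Hardened Server" image that still starts hald and avahi-daemon at boot without the build noticing. As far as I recall, OpenRC's `rc-update del` also exits non-zero when the service was never in that runlevel, so `set -e` would break the script rather than help; check the resulting runlevels instead, and pair `mount -t proc proc /proc` with a trap so /proc is not left mounted inside the chroot when `rc-depend -u` or savecache fails half-way (the molecule's error_script is presumably the fallback for that, but this script can exit non-zero on its own). The commented-out NetworkManager/rc_hotplug block and the doubled `ldconfig` look like leftovers from the script this was copied from and could go. A sketch of the checks:
```shell
#!/bin/sh

# … unchanged: rc-update del calls, /install-data removal …

# rc-update del exits non-zero for a service that was never enabled, so its
# status is not a usable signal; inspect the runlevels themselves instead
# (assumes `rc-update show <runlevel>` lists the services in that runlevel)
if rc-update show boot default | grep -Eq '^ *(installer-gui|x-setup|hald|avahi-daemon) '; then
    echo "service still enabled in boot/default runlevel" >&2
    exit 1
fi

mount -t proc proc /proc || exit 1
# do not leave /proc mounted in the chroot if anything below fails
trap 'umount /proc 2>/dev/null' EXIT
/lib/rc/bin/rc-depend -u || exit 1

# … unchanged: openrc cache generation, ldconfig …

umount /proc
trap - EXIT

# … unchanged: emaint --fix world, entropy cache cleanup, exit 0 …
```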