-
Notifications
You must be signed in to change notification settings - Fork 4
/
Copy pathbuildubuntu
210 lines (172 loc) · 7.83 KB
/
buildubuntu
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
#!/bin/bash
# Template construction and configuration utility
#
set -o errexit
set -o nounset
root="/tmp/newvz_chroot_ubuntu"
pkg="/tmp/newvz_pkg"
out="/tmp/ubuntu-10.04_amd64.tar.gz"
rm -rf "$root" "$pkg"
debootstrap \
--include=cron,openssh-server,logrotate,strace,vim,iptables,tcpdump,bc,mtr-tiny,telnet,sudo,gawk,gpgv,less,iputils-ping,wget,zsh,unzip,aptitude,rsyslog,dhcp3-client,rsync,base-files,ubuntu-keyring \
--arch=amd64 --variant=minbase lucid $root
# Set the same timezone as for host system
[ -f /etc/localtime ] && cp -fp /etc/localtime $root/etc/localtime
# Kill udevd
#sed -i 's|/sbin/start_udev|#/sbin/start_udev|g' $root/etc/rc.d/rc.sysinit
#chroot $root "cd /dev && /sbin/MAKEDEV ptyp"
cat <<EOF >> $root/etc/apt/sources.list
#
# deb cdrom:[Ubuntu-Server 10.04.3 LTS _Lucid Lynx_ - Release amd64 (20110719.2)]/ lucid main restricted
# deb cdrom:[Ubuntu-Server 10.04.3 LTS _Lucid Lynx_ - Release amd64 (20110719.2)]/ lucid main restricted
# See http://help.ubuntu.com/community/UpgradeNotes for how to upgrade to
# newer versions of the distribution.
deb http://us.archive.ubuntu.com/ubuntu/ lucid main restricted
deb-src http://us.archive.ubuntu.com/ubuntu/ lucid main restricted
## Major bug fix updates produced after the final release of the
## distribution.
deb http://us.archive.ubuntu.com/ubuntu/ lucid-updates main restricted
deb-src http://us.archive.ubuntu.com/ubuntu/ lucid-updates main restricted
## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
## team. Also, please note that software in universe WILL NOT receive any
## review or updates from the Ubuntu security team.
deb http://us.archive.ubuntu.com/ubuntu/ lucid universe
deb-src http://us.archive.ubuntu.com/ubuntu/ lucid universe
deb http://us.archive.ubuntu.com/ubuntu/ lucid-updates universe
deb-src http://us.archive.ubuntu.com/ubuntu/ lucid-updates universe
## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
## team, and may not be under a free licence. Please satisfy yourself as to
## your rights to use the software. Also, please note that software in
## multiverse WILL NOT receive any review or updates from the Ubuntu
## security team.
deb http://us.archive.ubuntu.com/ubuntu/ lucid multiverse
deb-src http://us.archive.ubuntu.com/ubuntu/ lucid multiverse
deb http://us.archive.ubuntu.com/ubuntu/ lucid-updates multiverse
deb-src http://us.archive.ubuntu.com/ubuntu/ lucid-updates multiverse
## Uncomment the following two lines to add software from the 'backports'
## repository.
## N.B. software from this repository may not have been tested as
## extensively as that contained in the main release, although it includes
## newer versions of some applications which may provide useful features.
## Also, please note that software in backports WILL NOT receive any review
## or updates from the Ubuntu security team.
# deb http://us.archive.ubuntu.com/ubuntu/ lucid-backports main restricted universe multiverse
# deb-src http://us.archive.ubuntu.com/ubuntu/ lucid-backports main restricted universe multiverse
## Uncomment the following two lines to add software from Canonical's
## 'partner' repository.
## This software is not part of Ubuntu, but is offered by Canonical and the
## respective vendors as a service to Ubuntu users.
# deb http://archive.canonical.com/ubuntu lucid partner
# deb-src http://archive.canonical.com/ubuntu lucid partner
deb http://security.ubuntu.com/ubuntu lucid-security main restricted
deb-src http://security.ubuntu.com/ubuntu lucid-security main restricted
deb http://security.ubuntu.com/ubuntu lucid-security universe
deb-src http://security.ubuntu.com/ubuntu lucid-security universe
deb http://security.ubuntu.com/ubuntu lucid-security multiverse
deb-src http://security.ubuntu.com/ubuntu lucid-security multiverse
EOF
cat <<EOF >> $root/etc/init/openvz.conf
# OpenVZ - Fix init sequence to have OpenVZ working with upstart
description "Fix OpenVZ"
start on startup
task
pre-start script
mount -t devpts devpts /dev/pts
#mount -t tmpfs varrun /var/run
#mount -t tmpfs varlock /var/lock
mkdir -p /var/run/network
if [ ! -e /etc/mtab ]; then
cat /proc/mounts > /etc/mtab
fi
touch /var/run/utmp
chmod 664 /var/run/utmp
chown root.utmp /var/run/utmp
if [ "$(find /etc/network/ -name upstart -type f)" ]; then
chmod -x /etc/network/*/upstart || true
fi
end script
script
start networking
initctl emit filesystem --no-wait
initctl emit local-filesystems --no-wait
initctl emit virtual-filesystems --no-wait
init 2
end script
EOF
# No console on these things
perl -pi -e '/^console/ and s/^/#/' $root/etc/init/rc.conf
# Fix locale so apt doesn't kill us
chroot $root /usr/sbin/locale-gen en_US.UTF-8
#chroot $root '/usr/sbin/update-locale LANG="en_US.UTF-8" LANGUAGE="en_US.UTF-8" LC_ALL="en_US.UTF-8" LC_CTYPE="C"'
chroot $root /usr/sbin/update-locale
#Remove services that we don't want starting
# Turn unneeded services off
OFF_SERVICES="control hwclock module mount network-interface
plymouth procps tty udev upstart"
for S in $OFF_SERVICES; do
rm $root/etc/init/$S*
#This doesn't work right yet; the above is a hack
#chroot $root update-rc.d $S purge
done
# Turn needed services on
#ON_SERVICES="network iptables crond sshd rsyslog"
#for S in $ON_SERVICES; do
# [ -f $root/etc/init.d/$S ] && chroot $root /sbin/chkconfig $S on
#done
# This keeps apt from whining about bad locale
#include packages that minbase lacks
#chroot $root apt-get install -y cron openssh-server logrotate \
#sysstat strace vim iptables gzip tcpdump bc mtr-tiny telnet sudo gawk \
#less ping sed wget zsh unzip aptitude rsyslog || true
# Convert system to shadow password files
chroot $root /usr/sbin/pwconv
# Disable root login
chroot $root /usr/sbin/usermod -L root
# Do not launch *getty on tty devices - they are not accessible from VPS
#sed -i -e '/getty/d' $root/etc/inittab
# Mount /dev/pts
echo "none /dev/pts devpts rw 0 0" >> $root/etc/fstab
# Modprobe is NOT our friend
chroot $root rm /sbin/modprobe
chroot $root ln -s /bin/true /sbin/modprobe
# Disable fsync() in syslog
#if [ -f $root/etc/syslog.conf ]; then
# sed -i -e 's@\([[:space:]]\)\(/var/log/\)@\1-\2@' $root/etc/rsyslog.conf
#fi
# Remove unnecessary setuid bits
find $root/ $root/usr -xdev -type f -perm +04000 | \
grep -vP '(/bin/(su|ping|traceroute)|/usr/bin/(passwd|sudo|chsh|crontab)|/usr/libexec/openssh/ssh-keysign)$' | \
xargs -r chmod ug-s
# Remove unnecessary setgid bits
find $root/ $root/usr -xdev -type f -perm +02000 | \
grep -vP '(/usr/sbin/(postdrop|postqueue)|/usr/bin/ssh-agent)$' | \
xargs -r chmod g-s
# Do not try to unload iptables modules
#if [ -f $root/etc/sysconfig/iptables-config ]; then
# sed -i -e 's/^IPTABLES_MODULES_UNLOAD.*/IPTABLES_MODULES_UNLOAD=\"no\"/' $root/etc/sysconfig/iptables-config
#fi
# Set non-interactive mode for initscripts (openvz bug #46)
#sed -i -e 's/^PROMPT=.*/PROMPT=no/' $root/etc/sysconfig/init
#Cleanup
#chroot $root apt-get update
#chroot $root aptitude -y dist-upgrade || true
chroot $root apt-get clean
chroot $root apt-get autoremove
chroot $root rm -f /etc/ssh/ssh_host_*
#Generate new ssh keys on firstboot
cat << EOF > $root/etc/rc2.d/S15ssh_gen_host_keys
#!/bin/sh
ssh-keygen -f /etc/ssh/ssh_host_rsa_key -t rsa -N ''
ssh-keygen -f /etc/ssh/ssh_host_dsa_key -t dsa -N ''
rm -f \$0
EOF
chmod a+x $root/etc/rc2.d/S15ssh_gen_host_keys
chroot $root update-rc.d -f ondemand remove
chroot $root update-rc.d ssh defaults
> $root/etc/resolv.conf \
echo localhost > $root/etc/hostname \
> $root/var/log/messages; > $root/var/log/auth.log; > $root/var/log/kern.log; > $root/var/log/bootstrap.log; \
> $root/var/log/dpkg.log; > $root/var/log/syslog; > $root/var/log/daemon.log; > $root/var/log/apt/term.log; rm -f $root/var/log/*.0 $root/var/log/*.1
rm -f $out || true
tar --numeric-owner -C $root -czf $out .
echo "Completed template can be found at $out"