hardening code and moved stage file removal later

This commit is contained in:
fatalerrors
2023-09-08 20:16:35 +02:00
parent 264537e9ea
commit 0eba77e3d5
2 changed files with 103 additions and 30 deletions

73
conf/balut.conf.sh Normal file

@@ -0,0 +1,73 @@
# Fichier de configuration principal
# ------------------------------------------------------------------------------
# -------------------- Importation de paramêtres globaux -----------------------
# ------------------------------------------------------------------------------
# Importe les paramètres geoffray-levasseur.org
. $MYPATH/conf/includes/gl.conf.sh
# Importe la sélection de paquets par défaut
. $MYPATH/conf/includes/pkgsel.base.conf.sh
# Les paramètres précédemment importés sont surchargeable après cette ligne
# ------------------------------------------------------------------------------
# ------------------------------ General Section -------------------------------
# ------------------------------------------------------------------------------
# User of the machine (must exists)
MAINUSER=root
# Pilotes X11 non libre à installer ?
#X11_DRV="virtualbox-guest-dkms virtualbox-guest-utils virtualbox-guest-x11"
# Authentication: use LDAP+Kerberos ?
WITH_LDAP_KERB=no
# Users to create, add or remove
REMOVE_USERS=fatal
# Network
IPV4_IFACES="eth0 eth1 eth2"
NET4_MODE_eth0="static"
NET4_IP_eth0="192.168.1.221/24"
NET4_GW_eth0="192.168.1.231"
NET4_NS_eth0="192.168.1.206 192.168.1.205"
NET4_NS_SEARCH_eth0=$REALM
NET4_MODE_eth1="static"
NET4_IP_eth1="192.168.74.221/24"
NET4_MODE_eth2="static"
NET4_IP_eth2="10.0.254.221/16"
IPV6_IFACES="eth0 eth1"
NET6_MODE_eth0="static"
NET6_IP_eth0="2a03:7220:8081:b301::dd/64"
NET6_GW_eth0="2a03:7220:8081:b301::e7"
NET6_NS_eth0="2a03:7220:8081:b301::ce 2a03:7220:8081:b301::cd"
NET6_NS_SEARCH_eth0=$REALM
NET6_MODE_eth1="static"
NET6_IP_eth1="2a03:7220:8081:b34a::dd/64"
# Mode d'installation :
# * dev : installe les paquets un par un avec apt (lent)
# * full : envoie d'un seul coup la liste de tous les paquets à apt (rapide)
INTALL_MODE=full
# Paquets additionnels
PKGSEL="$PKGSEL iptables fail2ban curl"
# ------------------------------------------------------------------------------
# -------------------------- Section modules d'init ----------------------------
# ------------------------------------------------------------------------------
# Liste des modules à executer (surchargeable en ligne de commande)
MODULE_LIST="conf_ntp upgrade_dist conf_ceph authnz conf_locale conf_ssh \
conf_mail install_pkg install_profile patch_snmp install_mkagent \
conf_syslog conf_network"
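Review bot: `INTALL_MODE=full` in the install-mode setting looks like a typo for `INSTALL_MODE`; if the install module reads `INSTALL_MODE` (its consumer is not visible in this page), the assignment is silently ignored and the `dev`/`full` comment above it documents a switch that never takes effect, so it should read `INSTALL_MODE=full`. The two include lines at the top of the file leave `$MYPATH` unquoted (`. $MYPATH/conf/includes/gl.conf.sh`) even though this commit quotes the same expansion throughout `init.sh`; for consistency write `. "$MYPATH/conf/includes/gl.conf.sh"` and `. "$MYPATH/conf/includes/pkgsel.base.conf.sh"`. Since this file is sourced by a root-run script, a one-line header comment such as `# Sourced as root by init.sh: only assignments belong here, no commands` would make that trust boundary explicit for whoever edits it next.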

60
init.sh

@@ -36,17 +36,17 @@ export LC_ALL=C
export LANG=C export LANG=C
# Version of init # Version of init
export VERSION="0.99.18" export VERSION="0.99.20"
# Store script's path (realpath -s resolve symlinks if init.sh is a symlink) # Store script's path (realpath -s resolve symlinks if init.sh is a symlink)
export MYPATH=$(dirname $(realpath -s $0)) export MYPATH=$(dirname "$(realpath -s "$0")")
# Get hostname # Get hostname
export HOSTNAME=$(hostname) export HOSTNAME=$(hostname)
# Load libraries # Load libraries
for lib in $MYPATH/lib/*.sh; do for lib in $MYPATH/lib/*.sh; do
. $lib . "$lib"
done done
unset lib unset lib
@@ -65,7 +65,7 @@ function_exists prnt || (
# ==== Main Program ==== # ==== Main Program ====
# ====================== # ======================
# Set system dependent vars (OS, distro and version) # Set system dependent vars (arch, OS, distro and version)
set_sys_vars $(uname -m) $(get_os_version) set_sys_vars $(uname -m) $(get_os_version)
# Initializing global variables # Initializing global variables
@@ -84,22 +84,22 @@ check_root
# ------------------------------------------------------------------------------ # ------------------------------------------------------------------------------
# Logfile variable treatment -- cannot be a function # Logfile variable treatment -- cannot be a function
if [[ -n $NEW_LOGFILE ]]; then if [[ -n "$NEW_LOGFILE" ]]; then
export LOGFILE=$NEW_LOGFILE export LOGFILE="$NEW_LOGFILE"
else else
export LOGFILE=${LOGFILE:-"$MYPATH/log/init-$(uname -n)-$(stdtime).log"} export LOGFILE=${LOGFILE:-"$MYPATH/log/init-$(uname -n)-$(stdtime).log"}
fi fi
prnt I "Creating log files welcoming directory..." prnt I "Creating log files welcoming directory..."
if [[ ! -d $(dirname $LOGFILE) ]]; then if [[ ! -d $(dirname "$LOGFILE") ]]; then
mkdir -pv $(dirname $LOGFILE) mkdir -pv $(dirname "$LOGFILE")
fi fi
# Log all outputs to the logfile # Log all outputs to the logfile
exec 3>&1 4>&2 exec 3>&1 4>&2
trap 'exec 2>&4 1>&3' 0 1 2 3 trap 'exec 2>&4 1>&3' 0 1 2 3
exec > >(tee -a $LOGFILE) exec > >(tee -a "$LOGFILE")
exec 2> >(tee -a $LOGFILE >&2) exec 2> >(tee -a "$LOGFILE" >&2)
prnt I "Starting init.sh version $VERSION." prnt I "Starting init.sh version $VERSION."
prnt I "The log file is $LOGFILE." prnt I "The log file is $LOGFILE."
if [[ -n $SYS_CODE ]]; then if [[ -n $SYS_CODE ]]; then
@@ -113,7 +113,7 @@ fi
separator separator
if [[ -n $CHROOT_PATH && -z $CHROOT_DONE ]]; then if [[ -n "$CHROOT_PATH" && -z $CHROOT_DONE ]]; then
chroot_bootstrap $@ chroot_bootstrap $@
prnt I "Normal end of chrooted execution!" prnt I "Normal end of chrooted execution!"
exit 0 exit 0
@@ -129,11 +129,6 @@ process_commandline_and_vars
set_system_proxy set_system_proxy
# Reinit stage file if no resuming
if [[ $RESUME != true ]] && [[ -f $STAGE_FILE ]]; then
rm -f $STAGE_FILE
fi
# Loading activated modules # Loading activated modules
for mod in $MODULE_LIST; do for mod in $MODULE_LIST; do
. modules/$mod.sh . modules/$mod.sh
@@ -144,7 +139,7 @@ separator
if [[ $RUN_SHELL == true ]]; then if [[ $RUN_SHELL == true ]]; then
prnt I "Launching an interactive shell..." prnt I "Launching an interactive shell..."
bash --rcfile $MYPATH/bash.rc -i bash --rcfile "$MYPATH/bash.rc" -i
prnt I "Script execution terminated after interactive shell execution." prnt I "Script execution terminated after interactive shell execution."
exit 0 exit 0
fi fi
@@ -170,8 +165,8 @@ if ! command -v wget &> /dev/null; then
fi fi
# Run prechecks # Run prechecks
if [[ JUMP != true ]]; then if [[ $JUMP != true ]]; then
tmpfile=$(mktemp /tmp/init-XXXXXX) tmpfile="$(mktemp /tmp/init-XXXXXX)"
if [[ -n $MANUAL_MODULE_LIST ]]; then if [[ -n $MANUAL_MODULE_LIST ]]; then
prnt W "Dependency checks are deactivated with a manual module list." prnt W "Dependency checks are deactivated with a manual module list."
fi fi
@@ -179,11 +174,11 @@ if [[ JUMP != true ]]; then
prnt W "Dependency checks have been deactivated manually." prnt W "Dependency checks have been deactivated manually."
fi fi
if [[ $RESUME == true ]]; then if [[ $RESUME == true ]]; then
cat $STAGE_FILE >> $tmpfile cat "$STAGE_FILE" >> $tmpfile
fi fi
for mod in $MODULE_LIST; do for mod in $MODULE_LIST; do
version=VER_$mod version=VER_$mod
if [[ $RESUME == true ]] && [[ $(grep $mod $STAGE_FILE) ]]; then if [[ $RESUME == true ]] && [[ $(grep $mod "$STAGE_FILE") ]]; then
prnt I "Checks previously executed for $mod version ${!version}." prnt I "Checks previously executed for $mod version ${!version}."
continue continue
fi fi
@@ -191,7 +186,7 @@ if [[ JUMP != true ]]; then
if [[ -z $MANUAL_MODULE_LIST && $NO_DEPS != true ]]; then if [[ -z $MANUAL_MODULE_LIST && $NO_DEPS != true ]]; then
deps=DEP_$mod deps=DEP_$mod
for dep in ${!deps}; do for dep in ${!deps}; do
if [[ ! $(grep $dep $tmpfile) ]]; then if [[ ! $(grep $dep "$tmpfile") ]]; then
prnt E "Module $mod have unsatisfied dependencies or is executed too early." prnt E "Module $mod have unsatisfied dependencies or is executed too early."
prnt E " * $dep must be executed before $mod, please check your module list." prnt E " * $dep must be executed before $mod, please check your module list."
die 9 die 9
@@ -203,9 +198,9 @@ if [[ JUMP != true ]]; then
( (
precheck_$mod precheck_$mod
) )
echo $mod >> $tmpfile echo $mod >> "$tmpfile"
done done
rm -f $tmpfile rm -f "$tmpfile"
unset mod unset mod
fi fi
@@ -237,9 +232,14 @@ read -n 1 -rsp $"Press <C> key to continue or an other one to stop now..." key &
echo && separator && echo echo && separator && echo
if [[ $key == "C" || $key == 'c' ]]; then if [[ $key == "C" || $key == 'c' ]]; then
# Reinit stage file if no resuming
if [[ $RESUME != true ]] && [[ -f $STAGE_FILE ]]; then
rm -f "$STAGE_FILE"
fi
# We launch modules one after one # We launch modules one after one
for mod in $MODULE_LIST; do for mod in $MODULE_LIST; do
if [[ $RESUME == true ]] && [[ $(grep $mod $STAGE_FILE) ]]; then if [[ $RESUME == true ]] && [[ $(grep $mod "$STAGE_FILE") ]]; then
continue continue
fi fi
# We need this only if JUMP is set but doesn't matter if it's done again # We need this only if JUMP is set but doesn't matter if it's done again
@@ -250,9 +250,9 @@ if [[ $key == "C" || $key == 'c' ]]; then
export REBOOT_NEEDED=false export REBOOT_NEEDED=false
$mod $mod
if [[ $REBOOT_NEEDED == true ]]; then if [[ $REBOOT_NEEDED == true ]]; then
echo "$mod reboot" >> $STAGE_FILE # Mark as done for resuming echo "$mod reboot" >> "$STAGE_FILE" # Mark as done for resuming
else else
echo $mod >> $STAGE_FILE # Mark as done for resuming function echo "$mod" >> "$STAGE_FILE" # Mark as done for resuming function
fi fi
) )
separator separator
@@ -265,15 +265,15 @@ fi
prnt I "That's all folks !" prnt I "That's all folks !"
echo echo
if [[ -s $STAGE_FILE && $(grep " reboot" $STAGE_FILE) ]]; then if [[ -s "$STAGE_FILE" && $(grep " reboot" "$STAGE_FILE") ]]; then
prnt W "A reboot is required to apply some changes by the following packages:" prnt W "A reboot is required to apply some changes by the following packages:"
prnt m " * $(grep ' reboot' $STAGE_FILE | \ prnt m " * $(grep ' reboot' "$STAGE_FILE" | \
sed 's/ reboot//' | \ sed 's/ reboot//' | \
sed ':a' -e 'N' -e '$!ba' -e 's/\n/ /g')" sed ':a' -e 'N' -e '$!ba' -e 's/\n/ /g')"
prnt I "Please reboot now or as soon as possible!" prnt I "Please reboot now or as soon as possible!"
echo echo
fi fi
rm -f $STAGEFILE rm -f "$STAGE_FILE"
exit 0 exit 0
# EOF # EOF
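Review bot: The resume and dependency checks still rely on an unanchored substring grep — `[[ $(grep $mod "$STAGE_FILE") ]]` in both the precheck loop and the execution loop, and `grep $dep "$tmpfile"` in the dependency check — so a module whose name is a substring of an already-recorded entry (or of its `… reboot` variant) would be treated as done or as a satisfied dependency and silently skipped, which for a hardening run means a module such as an SSH or network configuration step could never execute. Because stage-file lines are written only as `mod` or `mod reboot`, a fixed-string word match is sufficient and also stops `$mod` being parsed as a regex: `if [[ $RESUME == true ]] && grep -qFw -- "$mod" "$STAGE_FILE"; then` at both resume sites, and `if ! grep -qFw -- "$dep" "$tmpfile"; then` in the dependency check. One quoting site the commit did not touch is `chroot_bootstrap $@`, which should be `chroot_bootstrap "$@"` so arguments containing spaces survive the chroot re-execution. `. modules/$mod.sh` is also the only load path that is relative to the current directory rather than `$MYPATH` (the libraries use `$MYPATH/lib/*.sh`); unless the script changes directory earlier (not visible here) it should be `. "$MYPATH/modules/$mod.sh"`. The `if [[ $JUMP != true ]]` precheck block and the main module loop each span several hunks and their bodies are only partly visible on this page.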