Linux/Xen/DomU/Devuan/Devuan ASCII: Difference between revisions

No edit summary
Line 158: Line 158:


<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
--- old_ssh 2017-01-15 10:04:56.399284075 -0600
--- old_ssh 2018-12-16 21:33:01.193415639 +0000
+++ ssh 2017-01-15 10:09:02.999284075 -0600
+++ ssh 2018-12-23 18:52:01.653415639 +0000
@@ -78,6 +78,74 @@
@@ -72,6 +72,57 @@ check_privsep_dir() {
     fi
     fi
  }
  }
Line 166: Line 166:
+# Some variables to make things more readable  
+# Some variables to make things more readable  
+KEYGEN=/usr/bin/ssh-keygen
+KEYGEN=/usr/bin/ssh-keygen
+RSA1_KEY=/etc/ssh/ssh_host_key
+RSA_KEY=/etc/ssh/ssh_host_rsa_key
+RSA_KEY=/etc/ssh/ssh_host_rsa_key
+DSA_KEY=/etc/ssh/ssh_host_dsa_key
+ECDSA_KEY=/etc/ssh/ssh_host_ecdsa_key
+ECDSA_KEY=/etc/ssh/ssh_host_ecdsa_key
+ED25519_KEY=/etc/ssh/ssh_host_ed25519_key
+ED25519_KEY=/etc/ssh/ssh_host_ed25519_key
Line 179: Line 177:
+                        chmod 600 $RSA_KEY
+                        chmod 600 $RSA_KEY
+                        chmod 644 $RSA_KEY.pub
+                        chmod 644 $RSA_KEY.pub
+ echo "OK"
+                else
+ echo "FAIL"
+                        exit 1
+                fi
+        fi
+}
+
+do_dsa_keygen() {
+        if [ ! -s $DSA_KEY ]; then
+                echo -n "Generating SSH2 DSA host key: "
+                rm -f $DSA_KEY
+                if test ! -f $DSA_KEY && $KEYGEN -q -t dsa -f $DSA_KEY -C '' -N '' >/dev/null; then
+                        chmod 600 $DSA_KEY
+                        chmod 644 $DSA_KEY.pub
+ echo "OK"
+ echo "OK"
+                else
+                else
Line 232: Line 215:
+}
+}
+
+
  export PATH="${PATH:+$PATH:}/usr/sbin:/sbin"
  check_config() {
    if [ ! -e /etc/ssh/sshd_not_to_be_run ]; then
case "$1" in
/usr/sbin/sshd $SSHD_OPTS -t || exit 1
@@ -86,6 +154,12 @@
@@ -86,6 +137,12 @@ case "$1" in
  check_privsep_dir
  check_privsep_dir
  check_for_no_start
  check_for_no_start
Line 246: Line 229:
+
+
  log_daemon_msg "Starting OpenBSD Secure Shell server" "sshd" || true
  log_daemon_msg "Starting OpenBSD Secure Shell server" "sshd" || true
  if start-stop-daemon --start --quiet --oknodo --pidfile /var/run/sshd.pid --exec /usr/sbin/sshd -- $SSHD_OPTS; then
  if start-stop-daemon --start --quiet --oknodo --pidfile /run/sshd.pid --exec /usr/sbin/sshd -- $SSHD_OPTS; then
      log_end_msg 0 || true
      log_end_msg 0 || true
</syntaxhighlight>
</syntaxhighlight>
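Review bot: The revision drops the `RSA1_KEY` and `DSA_KEY` variables and the `do_dsa_keygen` definition from the new side of the patch, but the `do_dsa_keygen` call in the patch's second hunk (the `+do_rsa_keygen` … `+do_ed25519_keygen` lines after `check_dev_null`, unchanged by this revision and shown in the rendered revision further down) is not removed, so the init script now calls a function that no longer exists. In a POSIX sh init script that is a "not found" error with status 127, and if the script runs under `set -e` (not visible in this excerpt) it would abort the start sequence before `log_daemon_msg`. Either delete the `do_dsa_keygen` line in that hunk, or keep the DSA function if a DSA host key is still wanted; dropping it is consistent with the variable removal, since ssh-dss is disabled by default in current OpenSSH releases.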


====Firewall====
====Firewall====

Revision as of 11:59, 23 December 2018

Devuan ASCII

Start this process on an existing Devuan system. You will need to have the Devuan-patched version of debootstrap installed.

Create an empty image file and format it with ext3.

# Create a sparse image file: a single 1 MiB block is written at an offset of
# 1024 MiB, so the file is 1025 MiB in size but occupies almost no disk space
# until it is written to.
dd if=/dev/zero of=devuan_ascii.img bs=1M count=1 seek=1024
# Put an ext3 filesystem on the image file.
mkfs.ext3 devuan_ascii.img

Create a directory to mount the image on; '/mnt/img' is used for this example.

# Mount point for the image; the rest of the walkthrough uses /mnt/img.
mkdir /mnt/img
# Loop-mount the image file so it can be populated like a normal filesystem.
mount -oloop devuan_ascii.img /mnt/img

Start the debootstrap process.

debootstrap --variant=minbase ascii /mnt/img http://auto.mirror.devuan.org/merged/

Once that completes, copy your existing /etc/apt/sources.list into the new image so that updates can be run there.

cp /etc/apt/sources.list /mnt/img/etc/apt/

Here is a basic sources.list

deb http://auto.mirror.devuan.org/merged ascii main
deb http://auto.mirror.devuan.org/merged ascii-updates main
deb http://auto.mirror.devuan.org/merged ascii-security main

Mount the necessary system files so that we can enter the new root filesystem with chroot.

# Bind-mount the host's device nodes and pseudo-terminals, and mount proc and
# sysfs, so the tools run inside the chroot (apt-get, dpkg-reconfigure, ...)
# have what they expect.
mount --bind /dev /mnt/img/dev
mount --bind /dev/pts /mnt/img/dev/pts
mount -t proc proc /mnt/img/proc
mount -t sysfs sys /mnt/img/sys
# Enter the new root; the commands that follow are run inside it.
chroot /mnt/img

Run updates and upgrade the installed packages (the language pack, locales, is installed a few steps below).

# Refresh the package lists from the copied sources.list, then upgrade what
# debootstrap installed.
apt-get update
apt-get upgrade

Install a frontend for debconf.

apt-get install whiptail

Install locales and configure them.

# Install locale support, then pick and generate the locales interactively.
apt-get install locales
dpkg-reconfigure locales

Configure the system timezone.

dpkg-reconfigure tzdata

Install the networking packages.

apt-get install netbase net-tools ifupdown inetutils-ping

Install the kernel image, the SSH server, the full version of vim, and rsyslog.

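# Kernel image for the chroot's architecture as reported by dpkg (the GRUB
# entries below use a 686-pae kernel, i.e. the i386 flavour), then the SSH
# server, full vim and rsyslog. $(...) replaces the original backticks.
apt-get install "linux-image-$(dpkg --print-architecture)"
apt-get install openssh-server
apt-get install vim
apt-get install rsyslog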

To use the Xen console ('xm console (domU)') you need to set up a tty on /dev/hvc0. Edit /etc/inittab and add this line.

co:2345:respawn:/sbin/getty 38400 hvc0


The default udev rules for Devuan ignore Xen-generated MAC addresses, so you won't get a '/etc/udev/rules.d/70-persistent-net.rules'. Without that file your network interfaces will not come up.

Edit '/lib/udev/rules.d/75-persistent-net-generator.rules' and comment out these lines. Here are the changes in patch/diff format.

--- 75-persistent-net-generator.rules.old       2018-10-20 12:40:48.812000000 -0500
+++ 75-persistent-net-generator.rules   2018-10-20 12:41:35.264000000 -0500
@@ -26,7 +26,7 @@
                                        GOTO="persistent_net_generator_end"

 # ignore Xen virtual interfaces
-SUBSYSTEMS=="xen",                     GOTO="persistent_net_generator_end"
+#SUBSYSTEMS=="xen",                    GOTO="persistent_net_generator_end"

 # ignore UML virtual interfaces
 DRIVERS=="uml-netdev",                 GOTO="persistent_net_generator_end"
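Review bot: The comment `# ignore Xen virtual interfaces` directly above the now-disabled `SUBSYSTEMS=="xen"` line describes the opposite of what the file does after this change, and the same applies to the commented-out `00:16:3e:*` MATCHADDR entry in the second hunk, which sits inside the list of MAC prefixes the generator treats as non-persistent. Rather than leaving a bare `#` prefix, record the intent, e.g. `# Xen virtual interfaces are deliberately NOT ignored here: DomU NICs need a persistent rule`, and add a matching one-line comment above the disabled MATCHADDR entry. Without that, a later reader is likely to restore the rule as an apparent mistake.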
@@ -78,7 +78,7 @@
 ENV{MATCHADDR}=="00:15:5d:*",          ENV{MATCHADDR}=""
 ENV{MATCHADDR}=="52:54:00:*|54:52:00:*", ENV{MATCHADDR}=""
 ENV{MATCHADDR}=="08:00:27:*",          ENV{MATCHADDR}=""
-ENV{MATCHADDR}=="00:16:3e:*",          ENV{MATCHADDR}=""
+#ENV{MATCHADDR}=="00:16:3e:*",         ENV{MATCHADDR}=""

 # ignore Windows Azure Hyper-V virtual interfaces
 ENV{MATCHADDR}=="00:03:ff:*", ENV{MATCHADDR}=""

Network

Configure your '/etc/network/interfaces' for DHCP

# interfaces(5) file used by ifup(8) and ifdown(8)
# Include files from /etc/network/interfaces.d:
source-directory /etc/network/interfaces.d

auto eth0
iface eth0 inet dhcp

We need to allow root logins over SSH.

Edit /etc/ssh/sshd_config and change,

#PermitRootLogin prohibit-password

to

PermitRootLogin yes


GRUB

Set up a basic grub config in "/boot/grub/menu.lst"

default         0
timeout         2

title           Devuan ASCII
root            (hd0,0)
kernel          /boot/vmlinuz-4.9.0-7-686-pae root=/dev/xvda1 ro console=hvc0
initrd          /boot/initrd.img-4.9.0-7-686-pae

title           Devuan ASCII (Single-User)
root            (hd0,0)
kernel          /boot/vmlinuz-4.9.0-7-686-pae root=/dev/xvda1 ro single console=hvc0
initrd          /boot/initrd.img-4.9.0-7-686-pae

Configure a basic fstab

# Begin /etc/fstab
# NOTE(review): the GRUB entries above boot the kernel with root=/dev/xvda1
# (the Xen virtual block device), while this fstab names /dev/sda1 for / —
# confirm which device name the DomU actually exposes and use the same one
# in both places.
# <file system> <mount-point>   <type>   <options>                      <dump> <pass>
/dev/sda1          /             ext3      defaults,errors=remount-ro    0     0
proc               /proc         proc      defaults                      0     0

# End /etc/fstab

SSH host keys fix

Since this image will be cloned to create new virtual machines, we don't want every virtual machine to re-use the same host keys. Devuan won't regenerate SSH host keys if you delete them from /etc/ssh, so we need to change /etc/init.d/ssh so that it regenerates the host keys.

Here is a patch for /etc/init.d/ssh

--- old_ssh	2018-12-16 21:33:01.193415639 +0000
+++ ssh	2018-12-23 18:52:01.653415639 +0000
@@ -72,6 +72,57 @@ check_privsep_dir() {
     fi
 }
 
+# Some variables to make things more readable 
+KEYGEN=/usr/bin/ssh-keygen
+RSA_KEY=/etc/ssh/ssh_host_rsa_key
+ECDSA_KEY=/etc/ssh/ssh_host_ecdsa_key
+ED25519_KEY=/etc/ssh/ssh_host_ed25519_key
+
+do_rsa_keygen() {
+        if [ ! -s $RSA_KEY ]; then
+                echo -n "Generating SSH2 RSA host key: "
+                rm -f $RSA_KEY
+                if test ! -f $RSA_KEY && $KEYGEN -q -t rsa -f $RSA_KEY -C '' -N '' >/dev/null; then
+                        chmod 600 $RSA_KEY
+                        chmod 644 $RSA_KEY.pub
+			echo "OK"
+                else
+			echo "FAIL"
+                        exit 1
+                fi
+        fi
+}
+ 
+do_ecdsa_keygen() {
+        if [ ! -s $ECDSA_KEY ]; then
+                echo -n "Generating SSH2 ECDSA host key: "
+                rm -f $ECDSA_KEY
+                if test ! -f $ECDSA_KEY && $KEYGEN -q -t ecdsa -f $ECDSA_KEY -C '' -N '' >/dev/null; then
+                        chmod 600 $ECDSA_KEY
+                        chmod 644 $ECDSA_KEY.pub
+			echo "OK"
+                else
+			echo "FAIL"
+                        exit 1
+                fi
+        fi
+}
+ 
+do_ed25519_keygen() {
+        if [ ! -s $ED25519_KEY ]; then
+                echo -n "Generating SSH2 ED25519 host key: "
+                rm -f $ED25519_KEY
+                if test ! -f $ED25519_KEY && $KEYGEN -q -t ed25519 -f $ED25519_KEY -C '' -N '' >/dev/null; then
+                        chmod 600 $ED25519_KEY
+                        chmod 644 $ED25519_KEY.pub
+			echo "OK"
+                else
+			echo "FAIL"
+                        exit 1
+                fi
+        fi
+}
+
 check_config() {
     if [ ! -e /etc/ssh/sshd_not_to_be_run ]; then
 	/usr/sbin/sshd $SSHD_OPTS -t || exit 1
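Review bot: `do_rsa_keygen`, `do_ecdsa_keygen` and `do_ed25519_keygen` are the same body with only the key type, the message and the path substituted, so any later fix (the unquoted `$KEYGEN`/`$RSA_KEY` expansions, or the `exit 1` that ends the start sequence before any `log_daemon_msg` output) has to be applied three times. A single `do_host_keygen type label path` helper keeps one copy, and three one-line wrappers keep the existing call sites in the second hunk working unchanged. Note also that the `-s` test looks only at the private key, so a present private key with a missing `.pub` is not repaired; if that is intended, say so in a comment above the helper, e.g. `# Regenerate only when the private key is missing or empty; the .pub file is not checked`. The `check_config` function that follows continues outside the hunk.
```shell
# Generate one host key pair unless the private key already exists and is
# non-empty. $1 - ssh-keygen key type, $2 - label for the message, $3 - private
# key path. Exits 1 on failure, as the per-type functions did.
do_host_keygen() {
        if [ ! -s "$3" ]; then
                echo -n "Generating SSH2 $2 host key: "
                rm -f "$3"
                if test ! -f "$3" && "$KEYGEN" -q -t "$1" -f "$3" -C '' -N '' >/dev/null; then
                        chmod 600 "$3"
                        chmod 644 "$3.pub"
                        echo "OK"
                else
                        echo "FAIL"
                        exit 1
                fi
        fi
}

do_rsa_keygen() { do_host_keygen rsa RSA "$RSA_KEY"; }
do_ecdsa_keygen() { do_host_keygen ecdsa ECDSA "$ECDSA_KEY"; }
do_ed25519_keygen() { do_host_keygen ed25519 ED25519 "$ED25519_KEY"; }
# … unchanged: check_config …
```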
@@ -86,6 +137,12 @@ case "$1" in
 	check_privsep_dir
 	check_for_no_start
 	check_dev_null
+
+	do_rsa_keygen
+	do_dsa_keygen
+	do_ecdsa_keygen
+	do_ed25519_keygen
+
 	log_daemon_msg "Starting OpenBSD Secure Shell server" "sshd" || true
 	if start-stop-daemon --start --quiet --oknodo --pidfile /run/sshd.pid --exec /usr/sbin/sshd -- $SSHD_OPTS; then
 	    log_end_msg 0 || true

Firewall

# iptables is the packet-filter backend that ufw configures.
apt-get install iptables
apt-get install ufw
# Allow SSH (ufw's OpenSSH application profile) BEFORE enabling the firewall,
# so SSH stays reachable once ufw is turned on.
ufw allow OpenSSH
ufw enable

Final Cleanup

Set a hostname.

Remove /etc/udev/rules.d/70-persistent-net.rules so that the network comes up cleanly when the image is booted for the first time.

Remove SSH host keys so that new ones get generated on first boot.

Set a root password.

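# Final cleanup before the image is cloned.
# Hostname for the image (printf instead of echo: identical output, no
# echo option/escape ambiguity).
printf '%s\n' 'devuan' > /etc/hostname
# Drop the generated persistent-net rule so the first boot of a clone writes a
# fresh one for its own MAC address; -f tolerates the file not being there.
rm -f -- /etc/udev/rules.d/70-persistent-net.rules
# Drop all host keys (private and .pub) so the patched init script regenerates
# them on first boot. The glob is intentionally unquoted; -f keeps this from
# failing if the keys were already removed.
rm -f -- /etc/ssh/ssh_host_*
# Set the root password interactively.
passwd root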