#!/bin/sh
#
# Copyright (c) 2015, 2016 Antoine Jacoutot <ajacoutot@openbsd.org>
#
# Permission to use, copy, modify, and distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
# AWS cloud-init like helper for OpenBSD
# ======================================
# Install as /usr/local/libexec/ec2-init and append to /etc/hostname.xnf0:
# !/usr/local/libexec/ec2-init
# XXXTODO https://cloudinit.readthedocs.org/en/latest/topics/format.html
# Stop at the first failing command (long form of "set -e"): a step that
# fails is not silently skipped over by the ones that follow it.
set -o errexit
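cleanjunk()
{
	# Scrub per-instance state inherited from the image this instance was
	# launched from.  The entry point calls this only when it sees a new
	# instance-id (first boot of an instance made from an AMI) and before
	# anything else, so ec2-init's own log lines are not wiped.
	# NOTE(review): /root and /home/ec2-user (authorized_keys, shell
	# history) are not touched here and the root password reset below is
	# commented out, so an AMI built from a running instance still carries
	# its launcher's SSH key -- ec2_pubkey only appends to authorized_keys.

	# reset root's password
	#chpass -a 'root:*:0:0:daemon:0:0:Charlie &:/root:/bin/ksh'

	# remove generated keys: each instance must get its own IKE/isakmpd
	# keys and SSH host keys instead of sharing the image's copies
	# (regenerating them is not done here; presumably the base system does
	# that at boot when they are missing -- verify on the target release)
	rm -f /etc/{iked,isakmpd}/{local.pub,private/local.key} \
		/etc/ssh/ssh_host_*

	# remove dhcp client configuration and old leases
	rm -f /etc/dhclient.conf /var/db/dhclient.leases.*

	# remove cruft from /tmp, dotfiles included ("." and ".." excluded)
	rm -rf /tmp/{.[!.],}*

	# reset entropy files so clones of the image do not share a seed
	>/etc/random.seed
	>/var/db/host.random

	# empty log files: delete rotated/numbered ones, truncate the rest
	rm -f /var/log/[a-zA-Z]*.{{out,log}{,.old},[0-9]}*
	# Hand the paths to find(1)'s -exec instead of word-splitting $(find)
	# so names containing whitespace or glob characters are truncated
	# rather than skipped or mis-expanded.
	find /var/log -type f ! -name '*.gz' -size +0 \
		-exec sh -c 'for _f; do : >"${_f}"; done' sh {} +
}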
ec2_fingerprints()
{
# Queue a one-shot snippet in /etc/rc.firsttime that, when it runs, feeds
# the SSH host key fingerprints to logger(1); with -s logger also copies
# them to stderr, which is captured in /var/log/cloudinit-output.log and
# then printed with cat.  Presumably this is how the fingerprints reach
# the console log so the host key can be checked out of band -- the
# script does not say.
# The delimiter is quoted, so everything up to EOF-RC is written verbatim:
# the $(...) loop is expanded when rc.firsttime runs, i.e. it reports the
# keys present at that later boot (cleanjunk removed the image's keys).
# <<- strips leading tabs only; the nested EOF must stay at column 0 in
# the written file.
cat <<-'EOF-RC' >>/etc/rc.firsttime
logger -s -t ec2 2>/var/log/cloudinit-output.log <<EOF
#############################################################
-----BEGIN SSH HOST KEY FINGERPRINTS-----
$(for _f in /etc/ssh/ssh_host_*_key.pub; do ssh-keygen -lf ${_f}; done)
-----END SSH HOST KEY FINGERPRINTS-----
#############################################################
EOF
cat /var/log/cloudinit-output.log
EOF-RC
}
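ec2_hostname()
{
	# Set the running hostname from meta-data/local-hostname and persist
	# it in /etc/myname.  Nothing is touched when the lookup fails or
	# returns an empty body: the original then ran hostname(1) with no
	# argument and overwrote /etc/myname with an empty line.  A missing
	# value is reported on stderr but not treated as an error, so the
	# remaining first-boot steps still run under set -e.
	local _hostname
	# assignment kept apart from local so mock's exit status is not masked
	_hostname=$(mock meta-data/local-hostname) || true
	if [[ -z ${_hostname} ]]; then
		echo "${0##*/}: no local-hostname in metadata, /etc/myname left alone" >&2
		return 0
	fi
	hostname "${_hostname}"
	# printf rather than print(1): no backslash processing of a value that
	# came from the metadata service
	printf '%s\n' "${_hostname}" >/etc/myname
}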
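ec2_instanceid()
{
	# Record meta-data/instance-id in /var/db/instance-id.  The entry
	# point compares this file with the live instance-id on every run to
	# decide whether first-boot setup already happened on this instance,
	# so it must only be written once the steps that matter are done.
	# When the lookup fails or is empty the file is left untouched; the
	# original wrote an empty line, which the next comparison treats the
	# same as a missing file anyway.
	local _instanceid
	_instanceid=$(mock meta-data/instance-id) || true
	[[ -n ${_instanceid} ]] || return 0
	# printf rather than print(1): no backslash processing of metadata
	printf '%s\n' "${_instanceid}" >/var/db/instance-id
}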
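ec2_pubkey()
{
	# Install the launch key (meta-data/public-keys/0/openssh-key, index 0
	# only, as before) for the hard-coded ec2-user account.  Compared with
	# the plain append this:
	#  - does nothing when the lookup fails or is empty (no blank line);
	#  - does not add a key that is already present, so a re-run on a
	#    re-imaged instance stops accumulating copies;
	#  - leaves ~/.ssh and authorized_keys owned by ec2-user with modes
	#    0700/0600, i.e. not group/world writable as sshd StrictModes
	#    requires, and creates ~/.ssh if the image lacks it.
	# Still assumes the ec2-user account exists (chown fails otherwise).
	local _pubkey
	local _sshdir=/home/ec2-user/.ssh
	local _authkeys=/home/ec2-user/.ssh/authorized_keys
	_pubkey=$(mock meta-data/public-keys/0/openssh-key) || true
	[[ -n ${_pubkey} ]] || return 0
	mkdir -p -m 0700 "${_sshdir}"
	# -F -x: whole-line literal match, so a key containing glob/regex
	# characters or one that is a prefix of another cannot false-match
	if [[ ! -e ${_authkeys} ]] || ! grep -qxF -- "${_pubkey}" "${_authkeys}"; then
		printf '%s\n' "${_pubkey}" >>"${_authkeys}"
	fi
	chown ec2-user "${_sshdir}" "${_authkeys}"
	chmod 0600 "${_authkeys}"
}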
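ec2_userdata()
{
	# Fetch user-data and run it -- as root, with an empty environment --
	# if and only if it looks like a script (first line starts with "#!").
	# Other user-data (cloud-config, plain text) is discarded.  Nothing
	# beyond that prefix is verified, so whoever can set this instance's
	# user-data gets to run code as root on first boot.  Returns the
	# script's exit status, or 0 when there was nothing to run.
	# The copy is created by mktemp(1) (unpredictable name, mode 0600) and
	# removed on every path; the original removed it only when the script
	# succeeded and otherwise left it behind in /tmp.
	local _script _rv=0
	_script=$(mktemp -p /tmp -t aws-user-data.XXXXXXXXXX) || return 1
	# mock returns non-zero for empty user-data; '#!'* is the same test as
	# the original @(#!*) extended pattern
	if ! mock user-data >"${_script}" ||
	    [[ $(head -1 "${_script}") != '#!'* ]]; then
		rm -f "${_script}"
		return 0
	fi
	chmod u+x "${_script}"
	# exec the file itself so the kernel honours its #! line; the original
	# went through /bin/sh -c "<path>", which ends up doing the same after
	# a needless shell parse of the path
	env -i "${_script}" || _rv=$?
	rm -f "${_script}"
	return ${_rv}
}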
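mock()
{
	# Fetch one path below http://169.254.169.254/latest/ (the EC2 instance
	# metadata service) and print the body.  Returns non-zero and prints
	# nothing when no path is given, the fetch fails, or the body is empty,
	# so callers can write `x=$(mock path) || ...`.
	# NOTE(review): this is an IMDSv1 GET without a session token.  On an
	# instance that enforces IMDSv2 (HttpTokens=required) the request is
	# rejected and, with stderr discarded, every value silently comes back
	# empty -- TODO confirm whether ftp(1) on the target release can send
	# the X-aws-ec2-metadata-token header, and whether a connect timeout
	# is wanted so a non-EC2 host does not hang here.
	local _body
	[[ -n ${1} ]] || return 1
	# stderr is dropped on purpose: a 404 for an absent key (no user-data,
	# no key pair) is routine; "|| true" keeps set -e from aborting on it
	_body=$(ftp -MVo - "http://169.254.169.254/latest/${1}" 2>/dev/null) || true
	[[ -n ${_body} ]] || return 1
	# printf rather than print(1): without -r, ksh's print interprets
	# backslash escapes, which would corrupt user-data containing "\n"
	printf '%s\n' "${_body}"
}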
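mock_pf()
{
	# Temporarily let outbound HTTP to the metadata service through pf,
	# and undo it.  A no-op returning 0 unless run from rc (INRC set) and
	# pf is enabled in rc.conf(8).
	#   open   save the live ruleset, reload it with the pass rule appended
	#   close  reload the ruleset saved by open
	#   other  return 1
	# The original fed the single pass rule (and, on close, nothing) to
	# "pfctl -f -", which *replaces* the active ruleset: whatever block
	# rules were in force were dropped and, since pf passes traffic that
	# matches no rule, the host was left open until the next ruleset load.
	# Saving and restoring the live rules keeps them in place.
	# NOTE(review): assumes the output of "pfctl -sr" loads back unchanged,
	# which holds for plain rules but not for rules that reference tables
	# or anchors defined elsewhere -- check against the ruleset active at
	# the point in boot where this runs.
	[[ -n ${INRC} ]] || return 0
	rcctl get pf status || return 0
	case ${1} in
	open)
		# global on purpose: close runs in a later call
		_ec2_pf_saved=$(pfctl -sr 2>/dev/null || true)
		{
			printf '%s\n' "${_ec2_pf_saved}"
			printf '%s\n' "pass out proto tcp from egress to 169.254.169.254 port www"
		} | pfctl -f - ;;
	close)
		printf '%s\n' "${_ec2_pf_saved}" | pfctl -f - ;;
	*)
		return 1 ;;
	esac
}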
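# ---- entry point ----
# Root is required: the steps below rewrite files under /etc and /var/db,
# install a key for ec2-user and execute user-data.
if [[ $(id -u) != 0 ]]; then
	echo "${0##*/}: needs root privileges" >&2
	exit 1
fi

mock_pf open
# Undo the pf exception on every way out.  The original called
# "mock_pf close" only inside the first-boot branch, so a boot of an
# already configured instance, or a step failing under set -e, left the
# exception in place.
trap 'mock_pf close' EXIT

# First boot of a new instance?  Decided by comparing the live instance-id
# with the one recorded by ec2_instanceid on an earlier run.  "|| true"
# keeps set -e from aborting when a lookup fails.
_live_id=$(mock meta-data/instance-id || true)
_saved_id=$(cat /var/db/instance-id 2>/dev/null || true)
if [[ -z ${_live_id} ]]; then
	# No usable metadata: every step below depends on it, so do nothing.
	# The original only skipped when no id had been recorded yet; on a
	# later boot with the metadata service unreachable it treated "" as a
	# new instance and re-ran cleanjunk, wiping host keys and logs.
	echo "${0##*/}: no instance-id from metadata, nothing to do" >&2
elif [[ ${_live_id} != "${_saved_id}" ]]; then
	cleanjunk	# run early to prevent erasing logs from ec2-init
	ec2_pubkey
	ec2_instanceid	# write instance-id _after_ ssh keys are installed
	ec2_hostname
	ec2_userdata
	ec2_fingerprints
fi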