add stage4 musl config
This commit is contained in:
parent
9144c990bf
commit
274837a3d1
@ -0,0 +1,4 @@
=sys-apps/portage-2.3.1 ~amd64
=net-analyzer/macchanger-1.7.0-r1 ~amd64
<sys-kernel/hardened-sources-4.5.0 ~amd64
=sys-apps/busybox-1.26.0::musl
@ -0,0 +1 @@
>sys-kernel/hardened-sources-4.5.0
@ -0,0 +1 @@
sys-boot/grub grub_platforms_pc
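--- a/tools-musl/run-stage4.sh
+++ b/tools-musl/run-stage4.sh
@@ -0,0 +1,5 @@
+MUSL_DIR="$( cd "$( dirname ${BASH_SOURCE[0]} )" && pwd )"
+cp "${MUSL_DIR}"/stage4-hardened-amd64.spec "${MUSL_DIR}"/stage4-hardened-amd64-configured.spec
+sed -i "s|@REPO_DIR@|${MUSL_DIR}|g" "${MUSL_DIR}"/stage4-hardened-amd64-configured.spec
+
+catalyst -f "${MUSL_DIR}"/stage4-hardened-amd64-configured.spec | tee -a "${MUSL_DIR}"/zzz.log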
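Review bot: The `catalyst … | tee -a zzz.log` pipeline on the last line reports tee's exit status, so a failed catalyst run still exits 0 and nothing driving this script can tell that the stage4 build broke; the script also has no shebang or `set` options and leaves `${BASH_SOURCE[0]}` unquoted in the `dirname` call. Adding `#!/usr/bin/env bash` and `set -euo pipefail` at the top and writing the first line as `MUSL_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"` addresses both. The `sed` substitution uses `|` as its delimiter, so a checkout path containing `|` would corrupt the generated spec; unlikely, but worth a one-line comment. Separately, the `stage4-hardened-amd64-configured.spec` that this script generates is also committed in this change with the author's `/root/releng/...` paths baked in; it looks like a build artifact that belongs in `.gitignore` rather than in the repository.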
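--- a/tools-musl/stage4-fsscript.sh
+++ b/tools-musl/stage4-fsscript.sh
@@ -0,0 +1,81 @@
+#!/bin/bash
+
+# Set timezone
+echo 'UTC' > /etc/timezone
+
+# Some rootfs stuff
+grep -v rootfs /proc/mounts > /etc/mtab
+
+# This is set in rackspaces prep, might help us
+echo 'net.ipv4.conf.eth0.arp_notify = 1' >> /etc/sysctl.conf
+echo 'vm.swappiness = 0' >> /etc/sysctl.conf
+
+# Let's configure our grub
+# Access on both regular tty and serial console
+mkdir /boot/grub
+cat >>/etc/default/grub <<EOF
+GRUB_TERMINAL='serial console'
+GRUB_CMDLINE_LINUX="console=tty0 console=ttyS0,115200n8"
+GRUB_SERIAL_COMMAND="serial --speed=115200 --unit=0 --word=8 --parity=no --stop=1"
+EOF
+grub-mkconfig -o /boot/grub/grub.cfg
+sed -r -i 's/loop[0-9]+p1/LABEL\=cloudimg-rootfs/g' /boot/grub/grub.cfg
+sed -i 's/root=.*\ ro/root=LABEL\=cloudimg-rootfs\ ro/' /boot/grub/grub.cfg
+
+# And the fstab
+echo 'LABEL=cloudimg-rootfs / ext4 defaults 0 0' > /etc/fstab
+
+# allow the console log
+sed -i 's/#s0/s0/g' /etc/inittab
+
+# let ipv6 use normal slaac
+sed -i 's/slaac/#slaac/g' /etc/dhcpcd.conf
+# don't let dhcpcd set domain name or hostname
+sed -i 's/domain_name\,\ domain_search\,\ host_name/domain_search/g' /etc/dhcpcd.conf
+
+# need to do this here because it clobbers an openrc owned file
+cat > /etc/conf.d/hostname << "EOL"
+# Set to the hostname of this machine
+if [ -f /etc/hostname ];then
+hostname=$(cat /etc/hostname 2> /dev/null | cut -d"." -f1 2> /dev/null)
+else
+hostname="localhost"
+fi
+EOL
+chmod 0644 /etc/conf.d/hostname
+chown root:root /etc/conf.d/hostname
+
+# set a nice default for /etc/resolv.conf
+cat > /etc/resolv.conf << EOL
+nameserver 8.8.8.8
+nameserver 2001:4860:4860::8888
+EOL
+
+# let's upgrade (security fixes and otherwise)
+USE="-build" emerge -uDNv --with-bdeps=y --buildpkg=y --jobs=2 @world
+USE="-build" emerge --verbose=n --depclean
+USE="-build" emerge -v --usepkg=n --buildpkg=y @preserved-rebuild
+etc-update --automode -5
+
+# Clean up portage
+emerge --verbose=n --depclean
+if [[ -a /usr/bin/eix ]]; then
+eix-update
+fi
+emaint all -f
+eselect news read all
+eclean-dist --destructive
+sed -i '/^USE=\"\${USE}\ \ build\"$/d' /etc/portage/make.conf
+
+# clean up system
+passwd -d root
+passwd -l root
+for i in $(find /var/log -type f); do truncate -s 0 $i; done
+# remove foreign manpages
+find /usr/share/man/ -mindepth 1 -maxdepth 1 -path "/usr/share/man/man*" -prune -o -exec rm -rf {} \;
+
+# fine if this fails, aka non-hardened
+if [[ -x /usr/sbin/migrate-pax ]]; then
+echo 'migraging pax'
+/usr/sbin/migrate-pax -m
+fi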
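Review bot: Nothing in this script stops on error, so if the `emerge -uDNv … @world` step that the comment describes as pulling in security fixes fails, the fsscript keeps running through the cleanup steps and catalyst still produces an image that is missing those updates. `set -euo pipefail` right after the `#!/bin/bash` line would make the build fail instead; the `migrate-pax` step is already guarded by its `if`, and any other step that is genuinely allowed to fail needs an explicit `|| true` with a comment saying why. The `for i in $(find /var/log -type f); do truncate -s 0 $i; done` loop word-splits paths and is safer as `find /var/log -type f -exec truncate -s 0 -- {} +`. `mkdir /boot/grub` fails if the directory already exists, which a seed stage with grub merged may have; `mkdir -p /boot/grub` is the usual form. The `echo 'migraging pax'` message has a typo for "migrating".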
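--- a/tools-musl/stage4-hardened-amd64-configured.spec
+++ b/tools-musl/stage4-hardened-amd64-configured.spec
@@ -0,0 +1,86 @@
+subarch: amd64
+target: stage4
+version_stamp: cloud-latest
+rel_type: default
+profile: hardened/linux/musl/amd64
+snapshot: current
+source_subpath: musl/hardened/amd64/stage3-amd64-musl-hardened
+portage_confdir: /root/releng/tools-musl/portage.amd64.hardened-stage4
+portage_overlay: /opt/overlays/musl
+
+stage4/use:
+bash-completion
+bindist
+bzip2
+idm
+ipv6
+mmx
+sse
+sse2
+urandom
+
+stage4/packages:
+app-admin/logrotate
+app-admin/sudo
+app-admin/syslog-ng
+app-editors/vim
+app-portage/eix
+app-portage/gentoolkit
+net-misc/dhcpcd
+net-misc/iputils
+sys-boot/grub
+sys-apps/dmidecode
+sys-apps/gptfdisk
+sys-apps/iproute2
+sys-apps/lsb-release
+sys-apps/pciutils
+sys-block/parted
+sys-devel/bc
+sys-power/acpid
+sys-process/cronie
+stage4/fsscript: /root/releng/tools-musl/tools-musl/stage4-fsscript.sh
+stage4/rcadd:
+acpid|default
+cronie|default
+dhcpcd|default
+net.lo|default
+netmount|default
+sshd|default
+syslog-ng|default
+
+boot/kernel: gentoo
+boot/kernel/gentoo/sources: hardened-sources
+boot/kernel/gentoo/config: /root/releng/tools-musl/../releases/weekly/kconfig/amd64/admincd-4.4.8-r1.config
+boot/kernel/gentoo/extraversion: openstack
+boot/kernel/gentoo/gk_kernargs: --all-ramdisk-modules --makeopts=-j4
+
+# all of the cleanup...
+stage4/unmerge:
+sys-kernel/genkernel
+sys-kernel/hardened-sources
+
+stage4/empty:
+/root/.ccache
+/tmp
+/usr/portage/distfiles
+/usr/src
+/var/cache/edb/dep
+/var/cache/genkernel
+/var/cache/portage/distfiles
+/var/empty
+/var/run
+/var/state
+/var/tmp
+
+stage4/rm:
+/etc/*-
+/etc/*.old
+/etc/ssh/ssh_host_*
+/root/.*history
+/root/.lesshst
+/root/.ssh/known_hosts
+/root/.viminfo
+# Remove any generated stuff by genkernel
+/usr/share/genkernel
+# This is 3MB of crap for each copy
+/usr/lib64/python*/site-packages/gentoolkit/test/eclean/testdistfiles.tar.gz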
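--- a/tools-musl/stage4-hardened-amd64.spec
+++ b/tools-musl/stage4-hardened-amd64.spec
@@ -0,0 +1,86 @@
+subarch: amd64
+target: stage4
+version_stamp: cloud-latest
+rel_type: default
+profile: hardened/linux/musl/amd64
+snapshot: current
+source_subpath: musl/hardened/amd64/stage3-amd64-musl-hardened
+portage_confdir: @REPO_DIR@/portage.amd64.hardened-stage4
+portage_overlay: /opt/overlays/musl
+
+stage4/use:
+bash-completion
+bindist
+bzip2
+idm
+ipv6
+mmx
+sse
+sse2
+urandom
+
+stage4/packages:
+app-admin/logrotate
+app-admin/sudo
+app-admin/syslog-ng
+app-editors/vim
+app-portage/eix
+app-portage/gentoolkit
+net-misc/dhcpcd
+net-misc/iputils
+sys-boot/grub
+sys-apps/dmidecode
+sys-apps/gptfdisk
+sys-apps/iproute2
+sys-apps/lsb-release
+sys-apps/pciutils
+sys-block/parted
+sys-devel/bc
+sys-power/acpid
+sys-process/cronie
+stage4/fsscript: /root/releng/tools-musl/tools-musl/stage4-fsscript.sh
+stage4/rcadd:
+acpid|default
+cronie|default
+dhcpcd|default
+net.lo|default
+netmount|default
+sshd|default
+syslog-ng|default
+
+boot/kernel: gentoo
+boot/kernel/gentoo/sources: hardened-sources
+boot/kernel/gentoo/config: @REPO_DIR@/../releases/weekly/kconfig/amd64/admincd-4.4.8-r1.config
+boot/kernel/gentoo/extraversion: openstack
+boot/kernel/gentoo/gk_kernargs: --all-ramdisk-modules --makeopts=-j4
+
+# all of the cleanup...
+stage4/unmerge:
+sys-kernel/genkernel
+sys-kernel/hardened-sources
+
+stage4/empty:
+/root/.ccache
+/tmp
+/usr/portage/distfiles
+/usr/src
+/var/cache/edb/dep
+/var/cache/genkernel
+/var/cache/portage/distfiles
+/var/empty
+/var/run
+/var/state
+/var/tmp
+
+stage4/rm:
+/etc/*-
+/etc/*.old
+/etc/ssh/ssh_host_*
+/root/.*history
+/root/.lesshst
+/root/.ssh/known_hosts
+/root/.viminfo
+# Remove any generated stuff by genkernel
+/usr/share/genkernel
+# This is 3MB of crap for each copy
+/usr/lib64/python*/site-packages/gentoolkit/test/eclean/testdistfiles.tar.gz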
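Review bot: `stage4/fsscript: /root/releng/tools-musl/tools-musl/stage4-fsscript.sh` is a hardcoded absolute path with `tools-musl` doubled, while the two other repository paths in this file (`portage_confdir` and `boot/kernel/gentoo/config`) use the `@REPO_DIR@` placeholder that `run-stage4.sh` substitutes with its own directory; the same line appears unchanged in the generated `-configured.spec` in this commit. Unless a nested `tools-musl/tools-musl` directory exists on the build host, catalyst will not find the fsscript at that path, and `stage4/fsscript: @REPO_DIR@/stage4-fsscript.sh` would be consistent with the other entries and resolve to the script added in this commit. On the cleanup side, `stage4/rm` drops SSH host keys, shell history and `known_hosts` but not `/root/.ssh/authorized_keys`; if the seed stage or the build host's root account has one, it would ship inside the cloud image, so it is worth adding to the list or at least confirming it is never present.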