From 30eb90f1207ca6f41b82ab338677a48e935870fd Mon Sep 17 00:00:00 2001
From: Niklas Salmoukas
Date: Mon, 9 Apr 2018 02:35:53 +0200
Subject: [PATCH] add debian stretch draft (not working currently)
---
debian/stretch/build-disk.sh | 24 +++
debian/stretch/build-iso.sh | 60 ++++++
debian/stretch/custom/boot-menu.patch | 14 ++
debian/stretch/custom/preseed.cfg | 174 ++++++++++++++++++
debian/stretch/custom/ssh-host-keygen.service | 11 ++
5 files changed, 283 insertions(+)
create mode 100755 debian/stretch/build-disk.sh
create mode 100755 debian/stretch/build-iso.sh
create mode 100644 debian/stretch/custom/boot-menu.patch
create mode 100644 debian/stretch/custom/preseed.cfg
create mode 100644 debian/stretch/custom/ssh-host-keygen.service
diff --git a/debian/stretch/build-disk.sh b/debian/stretch/build-disk.sh
new file mode 100755
index 0000000..333ee35
--- /dev/null
+++ b/debian/stretch/build-disk.sh
@@ -0,0 +1,24 @@
+#!/bin/bash
+set -e
+
+# get parameters
+RAM_SIZE=${1:-"2048"}
+DISK_SIZE=${2:-"10G"}
+DISK_FORMAT=${3:-"qcow2"}
+SSH_PUBLIC_KEY_FILE=${4:-"$HOME/.ssh/id_rsa.pub"}
+DISK_FILE=${5:-"`pwd`/debian-stretch-amd64-$RAM_SIZE-$DISK_SIZE.$DISK_FORMAT"}
+
+# create iso
+SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+TMP_ISO_DIR="`mktemp -d`"
+eval "$SCRIPT_DIR/build-iso.sh" "$SSH_PUBLIC_KEY_FILE" "$TMP_ISO_DIR/debian-stretch-netboot-amd64-unattended.iso"
+
+# create image and run installer
+qemu-img create "$DISK_FILE" -f "$DISK_FORMAT" "$DISK_SIZE"
+kvm -m "$RAM_SIZE" -cdrom "$TMP_ISO_DIR/debian-stretch-netboot-amd64-unattended.iso" -boot once=d "$DISK_FILE"
+
+# remove tmp
+rm -r -f "$TMP_ISO_DIR"
+
+# done
+echo "Next steps: deploy image, login via root, adjust the authorized keys, set a root password (if you want to), deploy via ansible (if applicable), enjoy!"
diff --git a/debian/stretch/build-iso.sh b/debian/stretch/build-iso.sh
new file mode 100755
index 0000000..a9758fe
--- /dev/null
+++ b/debian/stretch/build-iso.sh
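Review bot: `eval "$SCRIPT_DIR/build-iso.sh" "$SSH_PUBLIC_KEY_FILE" "$TMP_ISO_DIR/..."` re-parses its arguments as shell code, so the quoting only survives the first parse and a script directory, key path or temp path containing spaces or shell metacharacters is word-split or interpreted instead of being passed through. Nothing here needs a second evaluation; invoke the helper directly: `"$SCRIPT_DIR/build-iso.sh" "$SSH_PUBLIC_KEY_FILE" "$TMP_ISO_DIR/debian-stretch-netboot-amd64-unattended.iso"`. With `set -e` and no trap, `$TMP_ISO_DIR` is also left behind whenever `qemu-img` or `kvm` fails; a `trap 'rm -rf -- "$TMP_ISO_DIR"' EXIT` right after the `mktemp -d` covers every exit path and makes the trailing `rm -r -f` redundant.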
@@ -0,0 +1,60 @@
+#!/bin/bash
+set -e
+
+# get parameters
+SSH_PUBLIC_KEY_FILE=${1:-"$HOME/.ssh/id_rsa.pub"}
+TARGET_ISO=${2:-"`pwd`/debian-stretch-netboot-amd64-unattended.iso"}
+
+# check if ssh key exists
+if [ ! -f "$SSH_PUBLIC_KEY_FILE" ];
+then
+ echo "Error: public SSH key $SSH_PUBLIC_KEY_FILE not found!"
+ exit 1
+fi
+
+# get directories
+CURRENT_DIR="`pwd`"
+SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+TMP_DOWNLOAD_DIR="`mktemp -d`"
+TMP_DISC_DIR="`mktemp -d`"
+TMP_INITRD_DIR="`mktemp -d`"
+
+# download and extract netboot iso
+SOURCE_ISO_URL="http://ftp.debian.org/debian/dists/stretch/main/installer-amd64/current/images/netboot/mini.iso"
+cd "$TMP_DOWNLOAD_DIR"
+wget -4 "$SOURCE_ISO_URL" -O "./netboot.iso"
+7z x "./netboot.iso" "-o$TMP_DISC_DIR"
+
+# patch boot menu
+cd "$TMP_DISC_DIR"
+patch -p1 -i "$SCRIPT_DIR/custom/boot-menu.patch"
+
+# prepare assets
+cd "$TMP_INITRD_DIR"
+mkdir "./custom"
+cp "$SCRIPT_DIR/custom/preseed.cfg" "./preseed.cfg"
+cp "$SSH_PUBLIC_KEY_FILE" "./custom/userkey.pub"
+cp "$SCRIPT_DIR/custom/ssh-host-keygen.service" "./custom/ssh-host-keygen.service"
+
+# append assets to initrd image
+cd "$TMP_INITRD_DIR"
+cat "$TMP_DISC_DIR/initrd.gz" | gzip -d > "./initrd"
+echo "./preseed.cfg" | fakeroot cpio -o -H newc -A -F "./initrd"
+find "./custom" | fakeroot cpio -o -H newc -A -F "./initrd"
+cat "./initrd" | gzip -9c > "$TMP_DISC_DIR/initrd.gz"
+
+# build iso
+cd "$TMP_DISC_DIR"
+rm -r '[BOOT]'
+mkisofs -r -V "debian stretch unattended" -cache-inodes -J -l -b isolinux.bin -c boot.cat -no-emul-boot -boot-load-size 4 -boot-info-table -input-charset utf-8 -o "$TARGET_ISO" ./
+
+# go back to initial directory
+cd "$CURRENT_DIR"
+
+# delete all temporary directories
+rm -r "$TMP_DOWNLOAD_DIR"
+rm -r "$TMP_DISC_DIR"
+rm -r "$TMP_INITRD_DIR"
+
+# done
+echo "Next steps: install system, login via root, adjust the authorized keys, set a root password (if you want to), deploy via ansible (if applicable), enjoy!"
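Review bot: The netboot image fetched by `wget -4 "$SOURCE_ISO_URL" -O "./netboot.iso"` comes over plain http and is never checked against a digest, so whatever is served on that path is embedded into the generated ISO and then installed as root on every machine built from it. The installer image tree publishes a `SHA256SUMS` file with a detached signature alongside the images; downloading it, verifying the signature, and running `sha256sum -c` against `netboot.iso` before the `7z x` extraction would pin what gets built, and moving `SOURCE_ISO_URL` to https narrows the window but does not replace the check. Separately, the three `mktemp -d` directories are only removed on the success path at the very end, so any failure under `set -e` (a missing `7z`, a rejected `patch`, an `mkisofs` error) leaves them in place; a `trap 'rm -rf -- "$TMP_DOWNLOAD_DIR" "$TMP_DISC_DIR" "$TMP_INITRD_DIR"' EXIT` right after they are created covers every exit path.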
diff --git a/debian/stretch/custom/boot-menu.patch b/debian/stretch/custom/boot-menu.patch
new file mode 100644
index 0000000..addbd16
--- /dev/null
+++ b/debian/stretch/custom/boot-menu.patch
@@ -0,0 +1,14 @@
+diff -cr orig/isolinux.cfg custom/isolinux.cfg
+*** orig/isolinux.cfg 2016-10-12 04:45:19.000000000 +0200
+--- custom/isolinux.cfg 2017-02-12 00:36:09.201190417 +0100
+***************
+*** 4,7 ****
+ include menu.cfg
+ default vesamenu.c32
+ prompt 0
+! timeout 0
+--- 4,7 ----
+ include menu.cfg
+ default vesamenu.c32
+ prompt 0
+! timeout 100
diff --git a/debian/stretch/custom/preseed.cfg b/debian/stretch/custom/preseed.cfg
new file mode 100644
index 0000000..1c3d9f9
--- /dev/null
+++ b/debian/stretch/custom/preseed.cfg
@@ -0,0 +1,174 @@
+### Preseed for Debian Stretch
+
+### Compatibility
+# Tested with the netboot image:
+# http://ftp.debian.org/debian/dists/stretch/main/installer-amd64/current/images/netboot/mini.iso
+
+### Authentication
+# We recommend to use public key authentication and therefore disabled the root
+# password. The build-iso.sh script will do all the hard work for you.
+#
+# In case you still want to use password authentication, you need to set the
+# passwd/root-password-crypted variable. See below for further instructions.
+
+### Usage
+# We recommend to use the build-iso.sh script to build an image with embedded
+# preseed and other required files. In that case the preseed file gets loaded
+# automatically and all additional files are available to the installer.
+#
+# In case you want to use a vanilla ISO image, please use the following boot
+# instructions to load the preseed file (press ESC and enter in boot prompt):
+#
+# install auto=true priority=critical url=https://raw.githubusercontent.com/core-process/linux-unattended-installation/master/debian/stretch/custom/preseed.cfg
+#
+# Note: you will need to adjust the "preseed/late_command" variable to match
+# your environment in case you do not use the build-iso.sh script.
+
+
+### Unattended Installation
+d-i auto-install/enable boolean true
+d-i debconf/priority select critical
+
+### Localization
+d-i debian-installer/locale string en_US.UTF-8
+d-i localechooser/supported-locales multiselect en_US.UTF-8, de_DE.UTF-8
+d-i console-setup/ask_detect boolean false
+d-i console-keymaps-at/keymap select us
+d-i keyboard-configuration/xkb-keymap select us
+
+### Network configuration
+d-i netcfg/choose_interface select auto
+d-i netcfg/hostname string device
+d-i netcfg/get_hostname string device
+d-i netcfg/get_domain string unnamed
+d-i hw-detect/load_firmware boolean true
+
+### Mirror settings
+d-i mirror/country string manual
+d-i mirror/http/hostname string ftp.debian.org
+d-i mirror/http/directory string /debian
+d-i mirror/http/proxy string
+
+### Account setup
+d-i passwd/root-login boolean true
+d-i passwd/root-password-crypted password !!
+d-i passwd/make-user boolean false
+
+# The root password is disabled by default. In case you want to use a root
+# password, please generate a password with the following command
+# printf "please-change-password" | mkpasswd -s -m sha-512
+# and update the passwd/root-password-crypted variable accordingly. Furthermore
+# you need to remove the call to "usermod" below.
+
+### Clock and time zone setup
+d-i clock-setup/utc boolean true
+d-i time/zone string Etc/UTC
+d-i clock-setup/ntp boolean true
+d-i clock-setup/ntp-server string pool.ntp.org
+
+### Partitioning
+d-i preseed/early_command string umount /media || true
+d-i partman-auto/method string lvm
+d-i partman-auto-lvm/guided_size string max
+d-i partman-lvm/device_remove_lvm boolean true
+d-i partman-lvm/confirm boolean true
+d-i partman-lvm/confirm_nooverwrite boolean true
+d-i partman-auto-lvm/new_vg_name string main
+d-i partman-md/device_remove_md boolean true
+d-i partman-md/confirm boolean true
+d-i partman-partitioning/confirm_write_new_label boolean true
+d-i partman/choose_partition select finish
+d-i partman/confirm boolean true
+d-i partman/confirm_nooverwrite boolean true
+d-i partman-basicmethods/method_only boolean false
+
+### Disk layout
+
+# Keep 25% free space
+d-i partman-auto/expert_recipe string \
+ boot-root :: \
+ 512 512 512 ext4 \
+ $primary{ } \
+ $bootable{ } \
+ method{ format } format{ } \
+ use_filesystem{ } filesystem{ ext4 } \
+ mountpoint{ /boot } \
+ . \
+ 1024 102400000 1000000000 ext4 \
+ $lvmok{ } \
+ method{ format } format{ } \
+ use_filesystem{ } filesystem{ ext4 } \
+ mountpoint{ / } \
+ lv_name{ root } \
+ . \
+ 256 25600000 1000000000 ext4 \
+ $lvmok{ } \
+ method{ keep } \
+ lv_name{ placeholder } \
+ . \
+ 200% 200% 200% linux-swap \
+ $lvmok{ } \
+ method{ swap } format{ } \
+ lv_name{ swap } \
+ .
+
+# Use entire disk
+#d-i partman-auto/expert_recipe string \
+# boot-root :: \
+# 512 512 512 ext4 \
+# $primary{ } \
+# $bootable{ } \
+# method{ format } format{ } \
+# use_filesystem{ } filesystem{ ext4 } \
+# mountpoint{ /boot } \
+# . \
+# 1024 102400000 1000000000 ext4 \
+# $lvmok{ } \
+# method{ format } format{ } \
+# use_filesystem{ } filesystem{ ext4 } \
+# mountpoint{ / } \
+# lv_name{ root } \
+# . \
+# 200% 200% 200% linux-swap \
+# $lvmok{ } \
+# method{ swap } format{ } \
+# lv_name{ swap } \
+# .
+
+### Base system installation
+d-i base-installer/install-recommends boolean true
+d-i base-installer/kernel/image string linux-generic
+
+### Apt setup
+d-i apt-setup/restricted boolean true
+d-i apt-setup/universe boolean true
+d-i apt-setup/backports boolean true
+d-i apt-setup/use_mirror boolean false
+d-i apt-setup/services-select multiselect security, updates
+d-i apt-setup/security_host string security.debian.org
+
+### Package selection
+d-i tasksel/first multiselect none
+d-i pkgsel/include string openssh-server python
+d-i pkgsel/upgrade select full-upgrade
+d-i pkgsel/update-policy select unattended-upgrades
+d-i grub-installer/only_debian boolean true
+d-i grub-installer/with_other_os boolean true
+
+### Finishing up the installation
+d-i preseed/late_command string \
+ cp -r /custom /target/custom; \
+ in-target sh -c 'lvremove -f --noudevsync main/placeholder || true'; \
+ in-target sh -c 'usermod -p "!" root'; \
+ in-target sh -c 'mkdir -p --mode=0700 /root/.ssh && cat /custom/userkey.pub > /root/.ssh/authorized_keys && chmod 0600 /root/.ssh/authorized_keys'; \
+ in-target sh -c 'sed -i "s/^#PermitRootLogin.*\$/PermitRootLogin prohibit-password/g" /etc/ssh/sshd_config'; \
+ in-target sh -c 'rm -f /etc/ssh/ssh_host_*_key* && mkdir -p /usr/lib/systemd/system && cp /custom/ssh-host-keygen.service /usr/lib/systemd/system/ssh-host-keygen.service && systemctl enable ssh-host-keygen.service'; \
+ in-target sh -c 'echo "IPv4: \\\4" >> /etc/issue && echo "IPv6: \\\6" >> /etc/issue && echo "" >> /etc/issue'; \
+ in-target sh -c 'eject || true'; \
+ rm -r /target/custom;
+d-i debian-installer/splash boolean false
+d-i cdrom-detect/eject boolean true
+
+### Shutdown machine
+d-i finish-install/reboot_in_progress note
+d-i debian-installer/exit/poweroff boolean true
diff --git a/debian/stretch/custom/ssh-host-keygen.service b/debian/stretch/custom/ssh-host-keygen.service
new file mode 100644
index 0000000..e08f357
--- /dev/null
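Review bot: `d-i base-installer/kernel/image string linux-generic` names an Ubuntu kernel metapackage; on Debian stretch the amd64 metapackage is `linux-image-amd64`, and the `apt-setup/restricted` / `apt-setup/universe` keys in the following section are Ubuntu archive components that Debian's apt-setup does not recognise, which is likely one reason the draft is flagged as not working. If the file is meant for Debian rather than carried over from an Ubuntu preseed, `d-i base-installer/kernel/image string linux-image-amd64` is the line to change and the two component keys can go. The late_command steps that set `PermitRootLogin prohibit-password`, install only the supplied public key, and delete `/etc/ssh/ssh_host_*_key*` in favour of the keygen unit are the right shape for an image that will be cloned, but nothing in the file says why the host keys are removed; a comment above the `d-i preseed/late_command string \` line such as `# host keys are deleted here and regenerated on first boot so cloned instances do not share them` would keep the next editor from "fixing" it.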
+++ b/debian/stretch/custom/ssh-host-keygen.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=OpenSSH Server Key Generation
+Before=ssh.service
+
+[Service]
+ExecStart=/usr/bin/ssh-keygen -A
+Type=oneshot
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
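Review bot: The unit carries no comment explaining why it exists, so an operator who finds it enabled on every deployed host cannot tell from this file that the installer deliberately removed the host keys so that clones of the image do not share them; a `# Host keys are removed at install time; regenerate any that are missing before sshd starts` line at the top of the file would record that. `ssh-keygen -A` only creates keys that are absent, so running it on each boot is harmless, but a `ConditionPathExists=!/etc/ssh/ssh_host_ed25519_key` in `[Unit]` would make the first-boot intent explicit and skip the unit once keys exist. Note that `Before=ssh.service` is ordering only: if generation fails, ssh.service is still started, and the failure shows up as sshd refusing to start for lack of host keys rather than as this unit's error.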