Current File : //proc/thread-self/root/usr/share/virtualbox/UnattendedTemplates/lgw_postinstall.sh
#!/bin/bash
## @file
# Post installation script template for local gateway image.
#
# Note! This script expects to be running chrooted (inside new sytem).
#
#
# Copyright (C) 2020-2023 Oracle and/or its affiliates.
#
# This file is part of VirtualBox base platform packages, as
# available from https://www.virtualbox.org.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation, in version 3 of the
# License.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, see <https://www.gnu.org/licenses>.
#
# SPDX-License-Identifier: GPL-3.0-only
#
#
# Globals.
#
MY_TARGET="/mnt/sysimage"
MY_LOGFILE="${MY_TARGET}/var/log/vboxpostinstall.log"
MY_CHROOT_CDROM="/cdrom"
MY_CDROM_NOCHROOT="/tmp/vboxcdrom"
MY_EXITCODE=0
MY_DEBUG="" # "yes"
@@VBOX_COND_HAS_PROXY@@
PROXY="@@VBOX_INSERT_PROXY@@"
export http_proxy="${PROXY}"
export https_proxy="${PROXY}"
echo "HTTP proxy is ${http_proxy}" | tee -a "${MY_LOGFILE}"
echo "HTTPS proxy is ${https_proxy}" | tee -a "${MY_LOGFILE}"
@@VBOX_COND_END@@
#
# Do we need to exec using target bash? If so, we must do that early
# or ash will bark 'bad substitution' and fail.
#
if [ "$1" = "--need-target-bash" ]; then
# Try figure out which directories we might need in the library path.
if [ -z "${LD_LIBRARY_PATH}" ]; then
LD_LIBRARY_PATH="${MY_TARGET}/lib"
fi
for x in \
${MY_TARGET}/lib \
${MY_TARGET}/usr/lib \
${MY_TARGET}/lib/*linux-gnu/ \
${MY_TARGET}/lib32/ \
${MY_TARGET}/lib64/ \
${MY_TARGET}/usr/lib/*linux-gnu/ \
${MY_TARGET}/usr/lib32/ \
${MY_TARGET}/usr/lib64/ \
;
do
if [ -e "$x" ]; then LD_LIBRARY_PATH="${LD_LIBRARY_PATH}:${x}"; fi;
done
export LD_LIBRARY_PATH
# Append target bin directories to the PATH as busybox may not have tee.
PATH="${PATH}:${MY_TARGET}/bin:${MY_TARGET}/usr/bin:${MY_TARGET}/sbin:${MY_TARGET}/usr/sbin"
export PATH
# Drop the --need-target-bash argument and re-exec.
shift
echo "******************************************************************************" >> "${MY_LOGFILE}"
echo "** Relaunching using ${MY_TARGET}/bin/bash $0 $*" >> "${MY_LOGFILE}"
echo "** LD_LIBRARY_PATH=${LD_LIBRARY_PATH}" >> "${MY_LOGFILE}"
echo "** PATH=${PATH}" >> "${MY_LOGFILE}"
exec "${MY_TARGET}/bin/bash" "$0" "$@"
fi
#
# Commands.
#
# Logs execution of a command.
log_command()
{
echo "--------------------------------------------------" >> "${MY_LOGFILE}"
echo "** Date: `date -R`" >> "${MY_LOGFILE}"
echo "** Executing: $*" >> "${MY_LOGFILE}"
"$@" 2>&1 | tee -a "${MY_LOGFILE}"
MY_TMP_EXITCODE="${PIPESTATUS[0]}" # bashism - whatever.
if [ "${MY_TMP_EXITCODE}" != "0" ]; then
if [ "${MY_TMP_EXITCODE}" != "${MY_IGNORE_EXITCODE}" ]; then
echo "** exit code: ${MY_TMP_EXITCODE}" | tee -a "${MY_LOGFILE}"
MY_EXITCODE=1;
else
echo "** exit code: ${MY_TMP_EXITCODE} (ignored)" | tee -a "${MY_LOGFILE}"
fi
fi
}
# Logs execution of a command inside the target.
log_command_in_target()
{
log_command chroot "${MY_TARGET}" "$@"
}
# Checks if $1 is a command on the PATH inside the target jail.
chroot_which()
{
for dir in /bin /usr/bin /sbin /usr/sbin;
do
if [ -x "${MY_TARGET}${dir}/$1" ]; then
return 0;
fi
done
return 1;
}
#
# Log header.
#
echo "******************************************************************************" >> "${MY_LOGFILE}"
echo "** VirtualBox Unattended Guest Installation - Late installation actions" >> "${MY_LOGFILE}"
echo "** Date: `date -R`" >> "${MY_LOGFILE}"
echo "** Started: $0 $*" >> "${MY_LOGFILE}"
#
# We want the ISO available inside the target jail.
#
if [ -d "${MY_TARGET}${MY_CHROOT_CDROM}" ]; then
MY_RMDIR_TARGET_CDROM=
else
MY_RMDIR_TARGET_CDROM="yes"
log_command mkdir -p ${MY_TARGET}${MY_CHROOT_CDROM}
fi
if [ -f "${MY_TARGET}${MY_CHROOT_CDROM}/vboxpostinstall.sh" ]; then
MY_UNMOUNT_TARGET_CDROM=
echo "** binding cdrom into jail: already done" | tee -a "${MY_LOGFILE}"
else
MY_UNMOUNT_TARGET_CDROM="yes"
log_command mount -o bind "${MY_CDROM_NOCHROOT}" "${MY_TARGET}${MY_CHROOT_CDROM}"
if [ -f "${MY_TARGET}${MY_CHROOT_CDROM}/vboxpostinstall.sh" ]; then
echo "** binding cdrom into jail: success" | tee -a "${MY_LOGFILE}"
else
echo "** binding cdrom into jail: failed" | tee -a "${MY_LOGFILE}"
fi
if [ "${MY_DEBUG}" = "yes" ]; then
log_command find "${MY_TARGET}${MY_CHROOT_CDROM}"
fi
fi
#
# Debug
#
if [ "${MY_DEBUG}" = "yes" ]; then
log_command id
log_command ps
log_command ps auxwwwf
log_command env
log_command df
log_command mount
log_command_in_target df
log_command_in_target mount
#log_command find /
MY_EXITCODE=0
fi
#
# Proxy hack for yum
#
@@VBOX_COND_HAS_PROXY@@
echo "" >> "${MY_TARGET}/etc/yum.conf"
echo "proxy=@@VBOX_INSERT_PROXY@@" >> "${MY_TARGET}/etc/yum.conf"
@@VBOX_COND_END@@
#
# Packages needed for GAs.
#
echo "--------------------------------------------------" >> "${MY_LOGFILE}"
echo '** Installing packages for building kernel modules...' | tee -a "${MY_LOGFILE}"
log_command_in_target yum -y install "kernel-devel-$(uname -r)"
log_command_in_target yum -y install "kernel-headers-$(uname -r)"
log_command_in_target yum -y install gcc
log_command_in_target yum -y install binutils
log_command_in_target yum -y install make
log_command_in_target yum -y install dkms
log_command_in_target yum -y install make
log_command_in_target yum -y install bzip2
log_command_in_target yum -y install perl
#
# GAs
#
@@VBOX_COND_IS_INSTALLING_ADDITIONS@@
echo "--------------------------------------------------" >> "${MY_LOGFILE}"
echo '** Installing VirtualBox Guest Additions...' | tee -a "${MY_LOGFILE}"
MY_IGNORE_EXITCODE=2 # returned if modules already loaded and reboot required.
log_command_in_target /bin/bash "${MY_CHROOT_CDROM}/vboxadditions/VBoxLinuxAdditions.run" --nox11
log_command_in_target /bin/bash -c "udevadm control --reload-rules" # GAs doesn't yet do this.
log_command_in_target /bin/bash -c "udevadm trigger" # (ditto)
MY_IGNORE_EXITCODE=
log_command_in_target usermod -a -G vboxsf "@@VBOX_INSERT_USER_LOGIN@@"
@@VBOX_COND_END@@
#
# Local gateway support
#
log_command_in_target yum -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
#log_command_in_target yum -y update
log_command_in_target yum -y install openvpn
log_command_in_target yum -y install connect-proxy
log_command_in_target usermod -a -G wheel "@@VBOX_INSERT_USER_LOGIN@@"
echo "** Creating ${MY_TARGET}/home/@@VBOX_INSERT_USER_LOGIN@@/cloud-bridge.conf..." | tee -a "${MY_LOGFILE}"
cat >"${MY_TARGET}/home/@@VBOX_INSERT_USER_LOGIN@@/cloud-bridge.conf" <<'EOT'
# port 1194
# proto udp
port 443
proto tcp-server
dev tap0
secret static.key
keepalive 10 120
compress lz4-v2
push "compress lz4-v2"
persist-key
persist-tun
status /var/log/openvpn-status.log
log-append /var/log/openvpn.log
verb 3
EOT
echo "** Creating ${MY_TARGET}/home/@@VBOX_INSERT_USER_LOGIN@@/cloud-bridge.sh..." | tee -a "${MY_LOGFILE}"
cat >"${MY_TARGET}/home/@@VBOX_INSERT_USER_LOGIN@@/cloud-bridge.sh" <<'EOT'
# Initialize variables
br="br0"
tap="tap0"
vnic1=$1
vnic2=$2
vnic2_gw=$3
target_mac=$4
# Install openvpn if it is missing
if ! yum list installed openvpn; then
sudo yum -y install openvpn
fi
# Let openvpn traffic through Linux firewall
#sudo iptables -I INPUT -p udp --dport 1194 -j ACCEPT
sudo iptables -I INPUT -p tcp --dport 443 -j ACCEPT
# Switch to secondary VNIC
sudo ip route change default via $vnic2_gw dev $vnic2
sudo ip link set dev $vnic1 down
# Bring up the cloud end of the tunnel
sudo openvpn --config cloud-bridge.conf --daemon
# Use target MAC for primary VNIC
sudo ip link set dev $vnic1 address $target_mac
# Bridge tap and primary VNIC
sudo ip link add name $br type bridge
sudo ip link set dev $vnic1 master $br
sudo ip link set dev $tap master $br
# Bring up all interfaces
sudo ip link set dev $tap up
sudo ip link set dev $vnic1 up
sudo ip link set dev $br up
EOT
log_command chmod +x "${MY_TARGET}/home/@@VBOX_INSERT_USER_LOGIN@@/cloud-bridge.sh"
echo "** Creating ${MY_TARGET}/home/@@VBOX_INSERT_USER_LOGIN@@/local-bridge.conf..." | tee -a "${MY_LOGFILE}"
cat >"${MY_TARGET}/home/@@VBOX_INSERT_USER_LOGIN@@/local-bridge.conf" <<'EOT'
dev tap0
# proto udp
# port 1194
proto tcp-client
port 443
persist-key
persist-tun
secret static.key
compress lz4-v2
log-append /var/log/openvpn.log
verb 3
EOT
echo "** Creating ${MY_TARGET}/home/@@VBOX_INSERT_USER_LOGIN@@/local-bridge.sh..." | tee -a "${MY_LOGFILE}"
cat >"${MY_TARGET}/home/@@VBOX_INSERT_USER_LOGIN@@/local-bridge.sh" <<'EOT'
echo Complete command line for debugging purposes:
echo $0 $*
# Make sure we are at home
cd ~
# Initialize variables
user=opc
cbr_ip1=$1
cbr_ip2=$2
target_mac=$3
br="br0"
tap="tap0"
eth="enp0s8"
proxy1_ssh=""
proxy2_ssh=""
proxy2_vpn=""
case $4 in
HTTP | HTTPS)
proxy1_ssh="connect-proxy -w 30 -H $5:$6 %h %p"
;;
SOCKS | SOCKS5)
proxy1_ssh="connect-proxy -w 30 -S $5:$6 %h %p"
;;
SOCKS4)
proxy1_ssh="connect-proxy -w 30 -4 -S $5:$6 %h %p"
;;
esac
case $7 in
HTTP | HTTPS)
proxy2_ssh="connect-proxy -w 30 -H $8:$9 %h %p"
proxy2_vpn="--http-proxy $8 $9"
;;
SOCKS | SOCKS5)
proxy2_ssh="connect-proxy -w 30 -S $8:$9 %h %p"
proxy2_vpn="--socks-proxy $8 $9"
;;
SOCKS4)
proxy2_ssh="connect-proxy -w 30 -4 -S $8:$9 %h %p"
proxy2_vpn="--socks-proxy $8 $9"
;;
esac
# Generate pre-shared secret and share it with the server, bypassing proxy if necessary
/usr/sbin/openvpn --genkey --secret static.key
for i in 1 2 3 4
do
# Go via proxy if set
scp ${proxy1_ssh:+ -o ProxyCommand="$proxy1_ssh"} static.key cloud-bridge.conf cloud-bridge.sh $user@$cbr_ip1:
if [ $? -eq 0 ]; then break; fi; sleep 15
# Go direct even if proxy is set
scp static.key cloud-bridge.conf cloud-bridge.sh $user@$cbr_ip1:
if [ $? -eq 0 ]; then proxy1_ssh=""; break; fi; sleep 15
done
# Get metadata info from the cloud bridge
for i in 1 2 3 4; do metadata=$(ssh ${proxy1_ssh:+ -o ProxyCommand="$proxy1_ssh"} $user@$cbr_ip1 sudo oci-network-config) && break || sleep 15; done
# Extract primary VNIC info
vnic1_md=`echo "$metadata"|grep -E "\sUP\s"`
vnic1_dev=`echo $vnic1_md|cut -d ' ' -f 8`
vnic1_mac=`echo $vnic1_md|cut -d ' ' -f 12`
# Extract secondary VNIC info
vnic2_md=`echo "$metadata"|grep -E "\sDOWN\s"`
vnic2_dev=`echo $vnic2_md|cut -d ' ' -f 8`
vnic2_gw=`echo $vnic2_md|cut -d ' ' -f 5`
# Configure secondary VNIC
ssh ${proxy1_ssh:+ -o ProxyCommand="$proxy1_ssh"} $user@$cbr_ip1 sudo oci-network-config -c
# Bring up the cloud bridge
ssh ${proxy2_ssh:+ -o ProxyCommand="$proxy2_ssh"} $user@$cbr_ip2 /bin/sh -x cloud-bridge.sh $vnic1_dev $vnic2_dev $vnic2_gw $target_mac
if [ $? -eq 0 ]
then
# SSH was able to reach cloud via proxy, establish a tunnel via proxy as well
sudo /usr/sbin/openvpn $proxy2_vpn --config local-bridge.conf --daemon --remote $cbr_ip2
else
# Retry without proxy
ssh $user@$cbr_ip2 /bin/sh -x cloud-bridge.sh $vnic1_dev $vnic2_dev $vnic2_gw $target_mac
# Establish a tunnel to the cloud bridge
sudo /usr/sbin/openvpn --config local-bridge.conf --daemon --remote $cbr_ip2
fi
# Bridge the openvpn tap device and the local Ethernet interface
sudo ip link set dev $eth down
sudo ip link add name $br type bridge
sudo ip link set dev $eth master $br
sudo ip link set dev $tap master $br
# Bring up all interfaces
sudo ip link set dev $tap up
sudo ip link set dev $eth up
sudo ip link set dev $br up
EOT
log_command chmod +x "${MY_TARGET}/home/@@VBOX_INSERT_USER_LOGIN@@/local-bridge.sh"
echo "** Creating ${MY_TARGET}/home/@@VBOX_INSERT_USER_LOGIN@@/.ssh/config..." | tee -a "${MY_LOGFILE}"
log_command mkdir "${MY_TARGET}/home/@@VBOX_INSERT_USER_LOGIN@@/.ssh"
cat >"${MY_TARGET}/home/@@VBOX_INSERT_USER_LOGIN@@/.ssh/config" <<'EOT'
Host *
StrictHostKeyChecking no
EOT
log_command chmod 400 "${MY_TARGET}/home/@@VBOX_INSERT_USER_LOGIN@@/.ssh/config"
log_command_in_target chown -R @@VBOX_INSERT_USER_LOGIN@@:@@VBOX_INSERT_USER_LOGIN@@ "/home/@@VBOX_INSERT_USER_LOGIN@@"
echo '** Creating /etc/systemd/system/keygen.service...' | tee -a "${MY_LOGFILE}"
cat >"${MY_TARGET}/etc/systemd/system/keygen.service" <<'EOT'
[Unit]
Description=Boot-time ssh key pair generator
After=vboxadd.service
[Service]
ExecStart=/bin/sh -c 'su - vbox -c "cat /dev/zero | ssh-keygen -q -N \\\"\\\""'
ExecStartPost=/bin/sh -c 'VBoxControl guestproperty set "/VirtualBox/Gateway/PublicKey" "`cat ~vbox/.ssh/id_rsa.pub`" --flags TRANSIENT'
Type=oneshot
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
EOT
log_command chmod 644 "${MY_TARGET}/etc/systemd/system/keygen.service"
log_command_in_target systemctl enable keygen.service
echo '** Creating /etc/sudoers.d/020_vbox_sudo...' | tee -a "${MY_LOGFILE}"
echo "@@VBOX_INSERT_USER_LOGIN@@ ALL=(ALL) NOPASSWD: ALL" > "${MY_TARGET}/etc/sudoers.d/020_vbox_sudo"
#
# Test Execution Service.
#
@@VBOX_COND_IS_INSTALLING_TEST_EXEC_SERVICE@@
echo "--------------------------------------------------" >> "${MY_LOGFILE}"
echo '** Installing Test Execution Service...' | tee -a "${MY_LOGFILE}"
log_command_in_target test "${MY_CHROOT_CDROM}/vboxvalidationkit/linux/@@VBOX_INSERT_OS_ARCH@@/TestExecService"
log_command mkdir -p "${MY_TARGET}/opt/validationkit" "${MY_TARGET}/media/cdrom"
log_command cp -R ${MY_CDROM_NOCHROOT}/vboxvalidationkit/* "${MY_TARGET}/opt/validationkit/"
log_command chmod -R u+rw,a+xr "${MY_TARGET}/opt/validationkit/"
if [ -e "${MY_TARGET}/usr/bin/chcon" -o -e "${MY_TARGET}/bin/chcon" -o -e "${MY_TARGET}/usr/sbin/chcon" -o -e "${MY_TARGET}/sbin/chcon" ]; then
MY_IGNORE_EXITCODE=1
log_command_in_target chcon -R -t usr_t "/opt/validationkit/"
MY_IGNORE_EXITCODE=
fi
# systemd service config:
MY_UNIT_PATH="${MY_TARGET}/lib/systemd/system"
test -d "${MY_TARGET}/usr/lib/systemd/system" && MY_UNIT_PATH="${MY_TARGET}/usr/lib/systemd/system"
if [ -d "${MY_UNIT_PATH}" ]; then
log_command cp "${MY_TARGET}/opt/validationkit/linux/vboxtxs.service" "${MY_UNIT_PATH}/vboxtxs.service"
log_command chmod 644 "${MY_UNIT_PATH}/vboxtxs.service"
log_command_in_target systemctl -q enable vboxtxs
# System V like:
elif [ -e "${MY_TARGET}/etc/init.d/" ]; then
# Install the script. On rhel6 scripts are under /etc/rc.d/ with /etc/init.d and /etc/rc?.d being symlinks.
if [ -d "${MY_TARGET}/etc/rc.d/init.d/" ]; then
MY_INIT_D_PARENT_PATH="${MY_TARGET}/etc/rc.d"
log_command ln -s "../../../opt/validationkit/linux/vboxtxs" "${MY_INIT_D_PARENT_PATH}/init.d/"
else
MY_INIT_D_PARENT_PATH="${MY_TARGET}/etc"
log_command ln -s "../../opt/validationkit/linux/vboxtxs" "${MY_INIT_D_PARENT_PATH}/init.d/"
fi
# Use runlevel management script if found.
if chroot_which chkconfig; then # Redhat based sysvinit systems
log_command_in_target chkconfig --add vboxtxs
elif chroot_which insserv; then # SUSE-based sysvinit systems
log_command_in_target insserv vboxtxs
elif chroot_which update-rc.d; then # Debian/Ubuntu-based systems
log_command_in_target update-rc.d vboxtxs defaults
elif chroot_which rc-update; then # Gentoo Linux
log_command_in_target rc-update add vboxtxs default
# Fall back on hardcoded symlinking.
else
log_command ln -s "../init.d/vboxtxs" "${MY_INIT_D_PARENT_PATH}/rc0.d/K65vboxtxs"
log_command ln -s "../init.d/vboxtxs" "${MY_INIT_D_PARENT_PATH}/rc1.d/K65vboxtxs"
log_command ln -s "../init.d/vboxtxs" "${MY_INIT_D_PARENT_PATH}/rc6.d/K65vboxtxs"
log_command ln -s "../init.d/vboxtxs" "${MY_INIT_D_PARENT_PATH}/rc2.d/S35vboxtxs"
log_command ln -s "../init.d/vboxtxs" "${MY_INIT_D_PARENT_PATH}/rc3.d/S35vboxtxs"
log_command ln -s "../init.d/vboxtxs" "${MY_INIT_D_PARENT_PATH}/rc4.d/S35vboxtxs"
log_command ln -s "../init.d/vboxtxs" "${MY_INIT_D_PARENT_PATH}/rc5.d/S35vboxtxs"
fi
else
echo "** error: Unknown init script system." | tee -a "${MY_LOGFILE}"
fi
@@VBOX_COND_END@@
#
# Run user command.
#
@@VBOX_COND_HAS_POST_INSTALL_COMMAND@@
echo '** Running custom user command ...' | tee -a "${MY_LOGFILE}"
log_command @@VBOX_INSERT_POST_INSTALL_COMMAND@@
@@VBOX_COND_END@@
#
# Unmount the cdrom if we bound it and clean up the chroot if we set it up.
#
if [ -n "${MY_UNMOUNT_TARGET_CDROM}" ]; then
echo "** unbinding cdrom from jail..." | tee -a "${MY_LOGFILE}"
log_command umount "${MY_TARGET}${MY_CHROOT_CDROM}"
fi
if [ -n "${MY_RMDIR_TARGET_CDROM}" ]; then
log_command rmdir "${MY_TARGET}${MY_CHROOT_CDROM}"
fi
#
# Log footer.
#
echo "******************************************************************************" >> "${MY_LOGFILE}"
echo "** Date: `date -R`" >> "${MY_LOGFILE}"
echo "** Final exit code: ${MY_EXITCODE}" >> "${MY_LOGFILE}"
echo "******************************************************************************" >> "${MY_LOGFILE}"
exit ${MY_EXITCODE}
Mini Shell