author | Max Illfelder <illfelder@users.noreply.github.com> | 2016-08-19 13:45:55 -0700 |
committer | GitHub <noreply@github.com> | 2016-08-19 13:45:55 -0700 |
commit | 04bb5dbd5e284770c3aa7ddefacd6a489cebfef8 (patch) | |
tree | 1cfa257ebbe761c6e2ce2bd8a4053d5a8218d21c /google_config | |
parent | 5ad399aa50b5b65e4b5142d4a12f2d7a62da14d3 (diff) | |
download | google-compute-image-packages-04bb5dbd5e284770c3aa7ddefacd6a489cebfef8.tar.gz |
Renamed google_configs directory to match package. (#323)
Diffstat (limited to 'google_config')
-rwxr-xr-x | google_config/bin/set_hostname | 41 | ||||
-rwxr-xr-x | google_config/build_packages.sh | 64 | ||||
-rwxr-xr-x | google_config/dhcp/google_hostname.sh | 21 | ||||
-rw-r--r-- | google_config/rsyslog/90-google.conf | 6 | ||||
-rw-r--r-- | google_config/sysctl/11-gce-network-security.conf | 61 | ||||
-rw-r--r-- | google_config/udev/64-gce-disk-removal.rules | 17 | ||||
-rw-r--r-- | google_config/udev/65-gce-disk-naming.rules | 24 |
7 files changed, 234 insertions, 0 deletions
diff --git a/google_config/bin/set_hostname b/google_config/bin/set_hostname
new file mode 100755
index 0000000..f7d0b10
--- /dev/null
+++ b/google_config/bin/set_hostname
@@ -0,0 +1,41 @@
+#!/bin/bash
+# Copyright 2016 Google Inc. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Deal with a new hostname assignment.
+
+if [ -n "$new_host_name" ] && [ -n "$new_ip_address" ]; then
+ # Delete entries with new_host_name or new_ip_address in /etc/hosts.
+ sed -i '/Added by Google/d' /etc/hosts
+
+ # Add an entry for our new_host_name/new_ip_address in /etc/hosts.
+ echo "${new_ip_address} ${new_host_name} ${new_host_name%%.*} # Added by Google" >> /etc/hosts
+fi
+
+# /sbin/dhclient-scripts in both ubuntu and centos have some problems for us:
+# 1) BOUND doesn't always set hostname (e.g. if old_host_name is unset in
+# precise pangolin)
+# 2) Using too long of a FQDN as a hostname causes some tools to break in
+# some distros (e.g. ssh-keygen) and hostname tool complains when given
+# a FQDN that is > 64 bytes.
+#
+# As a result, we set the host name in all circumstances here, to the truncated
+# unqualified domain name.
+
+if [ -n "$new_host_name" ]; then
+ hostname "${new_host_name%%.*}"
+
+ # Let syslogd know we've changed the hostname.
+ pkill -HUP syslogd
+fi
diff --git a/google_config/build_packages.sh b/google_config/build_packages.sh
new file mode 100755
index 0000000..af35e7d
--- /dev/null
+++ b/google_config/build_packages.sh
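Review bot: `new_host_name` is appended to /etc/hosts and handed to `hostname` without any check on its contents, and since this file is installed as a dhclient exit hook the value presumably comes from the DHCP lease rather than from a local administrator. A value containing whitespace or a line break would leave text in /etc/hosts that lacks the `# Added by Google` tag, which the `sed` cleanup on the next lease keys on, so it would never be removed. A guard before the first `if`, `case "$new_host_name" in *[!A-Za-z0-9.-]*) new_host_name= ;; esac`, confines the value to hostname characters and makes both `-n` tests fall through; clearing the variable rather than calling `exit` matters because Debian's exit-hook directory is, as far as I recall, sourced rather than executed. The comment above the `sed` also says it deletes entries by host name or address while the line deletes by tag; `# Delete any entries this script previously added to /etc/hosts.` matches the code.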
@@ -0,0 +1,64 @@
+#!/bin/bash
+# Copyright 2016 Google Inc. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+COMMON_FILES=(
+ 'rsyslog/90-google.conf=/etc/rsyslog.d/90-google.conf'
+ 'sysctl/11-gce-network-security.conf=/etc/sysctl.d/11-gce-network-security.conf'
+ 'udev/64-gce-disk-removal.rules=/etc/udev/rules.d/64-gce-disk-removal.rules'
+ 'udev/65-gce-disk-naming.rules=/etc/udev/rules.d/65-gce-disk-naming.rules')
+TIMESTAMP="$(date +%s)"
+
+function build_distro() {
+ declare -r distro="$1"
+ declare -r pkg_type="$2"
+ declare files=("$@")
+ declare name='google-config'
+
+ if [[ "${pkg_type}" == 'deb' ]]; then
+ name="${name}-${distro}"
+ fi
+
+ fpm \
+ -s dir \
+ -t "${pkg_type}" \
+ --description 'Google Compute Engine Linux guest configuration' \
+ --iteration "0.${TIMESTAMP}" \
+ --license 'Apache Software License' \
+ --maintainer 'gc-team@google.com' \
+ --name "${name}" \
+ --rpm-dist "${distro}" \
+ --url 'https://github.com/GoogleCloudPlatform/compute-image-packages' \
+ --vendor 'Google Compute Engine Team' \
+ --version '2.0.0' \
+ "${COMMON_FILES[@]}" \
+ "${files[@]:2}"
+}
+
+# RHEL/CentOS 6
+build_distro 'el6' 'rpm' \
+ 'bin/set_hostname=/etc/dhcp/dhclient-exit-hooks'
+
+# RHEL/CentOS 7
+build_distro 'el7' 'rpm' \
+ 'bin/set_hostname=/usr/bin/set_hostname' \
+ 'dhcp/google_hostname.sh=/etc/dhcp/dhclient.d/google_hostname.sh'
+
+# Debian 7
+build_distro 'wheezy' 'deb' \
+ 'bin/set_hostname=/etc/dhcp/dhclient-exit-hooks.d/set_hostname'
+
+# Debian 8
+build_distro 'jessie' 'deb' \
+ 'bin/set_hostname=/etc/dhcp/dhclient-exit-hooks.d/set_hostname'
diff --git a/google_config/dhcp/google_hostname.sh b/google_config/dhcp/google_hostname.sh
new file mode 100755
index 0000000..67231e0
--- /dev/null
+++ b/google_config/dhcp/google_hostname.sh
@@ -0,0 +1,21 @@
+#!/bin/bash
+# Copyright 2016 Google Inc. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+google_hostname_config() {
+ set_hostname
+}
+google_hostname_restore() {
+ :
+}
diff --git a/google_config/rsyslog/90-google.conf b/google_config/rsyslog/90-google.conf
new file mode 100644
index 0000000..81b2ed7
--- /dev/null
+++ b/google_config/rsyslog/90-google.conf
@@ -0,0 +1,6 @@
+# Google Compute Engine default console logging.
+#
+# daemon: logging from Google provided daemons.
+# kern: logging information in case of an unexpected crash during boot.
+#
+daemon,kern.* /dev/console
diff --git a/google_config/sysctl/11-gce-network-security.conf b/google_config/sysctl/11-gce-network-security.conf
new file mode 100644
index 0000000..0e4db8c
--- /dev/null
+++ b/google_config/sysctl/11-gce-network-security.conf
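Review bot: A failing `fpm` invocation inside `build_distro` is never checked, so the script moves on to the next `build_distro` call and exits 0 even when one package was not produced; adding `set -euo pipefail` after the shebang, or ending the `fpm` command with `|| return 1` and checking the callers, makes a broken build fail loudly. Copying `"$@"` into `files` and then slicing with `"${files[@]:2}"` is correct but indirect; `shift 2` after the two `declare -r` lines followed by `declare files=("$@")` says the same thing plainly. `TIMESTAMP` is used as a build-wide constant but is not marked `readonly`.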
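Review bot: `google_hostname_config` calls `set_hostname` by bare name, so it resolves through whatever PATH the invoking dhclient-script exports; build_packages.sh installs the script at /usr/bin/set_hostname on el7, and calling it as `/usr/bin/set_hostname` removes that dependency. The hook also relies on `new_host_name` and `new_ip_address` being present in the environment of the child process, which nothing in this file states; a one-line comment above the function, `# Expects new_host_name/new_ip_address in the environment from dhclient-script.`, would make that contract visible to the next reader.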
@@ -0,0 +1,61 @@
+# Copyright 2016 Google Inc. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# Google-recommended kernel parameters
+
+# Turn on SYN-flood protections. Starting with 2.6.26, there is no loss
+# of TCP functionality/features under normal conditions. When flood
+# protections kick in under high unanswered-SYN load, the system
+# should remain more stable, with a trade off of some loss of TCP
+# functionality/features (e.g. TCP Window scaling).
+net.ipv4.tcp_syncookies=1
+
+# Ignore source-routed packets
+net.ipv4.conf.all.accept_source_route=0
+net.ipv4.conf.default.accept_source_route=0
+
+# Ignore ICMP redirects from non-GW hosts
+net.ipv4.conf.all.accept_redirects=0
+net.ipv4.conf.default.accept_redirects=0
+net.ipv4.conf.all.secure_redirects=1
+net.ipv4.conf.default.secure_redirects=1
+
+# Don't pass traffic between networks or act as a router
+net.ipv4.ip_forward=0
+net.ipv4.conf.all.send_redirects=0
+net.ipv4.conf.default.send_redirects=0
+
+# Turn on Source Address Verification in all interfaces to
+# prevent some spoofing attacks.
+net.ipv4.conf.all.rp_filter=1
+net.ipv4.conf.default.rp_filter=1
+
+# Ignore ICMP broadcasts to avoid participating in Smurf attacks
+net.ipv4.icmp_echo_ignore_broadcasts=1
+
+# Ignore bad ICMP errors
+net.ipv4.icmp_ignore_bogus_error_responses=1
+
+# Log spoofed, source-routed, and redirect packets
+net.ipv4.conf.all.log_martians=1
+net.ipv4.conf.default.log_martians=1
+
+# RFC 1337 fix
+net.ipv4.tcp_rfc1337=1
+
+# Addresses of mmap base, heap, stack and VDSO page are randomized
+kernel.randomize_va_space=2
+
+# Reboot the machine soon after a kernel panic.
+kernel.panic=10
diff --git a/google_config/udev/64-gce-disk-removal.rules b/google_config/udev/64-gce-disk-removal.rules
new file mode 100644
index 0000000..4ff1f99
--- /dev/null
+++ b/google_config/udev/64-gce-disk-removal.rules
@@ -0,0 +1,17 @@
+# Copyright 2016 Google Inc. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# When a disk is removed, unmount any remaining attached volumes.
+
+ACTION=="remove", SUBSYSTEM=="block", KERNEL=="sd*|vd*", RUN+="/bin/sh -c '/bin/umount -fl /dev/$name && /usr/bin/logger -p daemon.warn -s WARNING: hot-removed /dev/$name that was still mounted, data may have been corrupted'"
diff --git a/google_config/udev/65-gce-disk-naming.rules b/google_config/udev/65-gce-disk-naming.rules
new file mode 100644
index 0000000..c686837
--- /dev/null
+++ b/google_config/udev/65-gce-disk-naming.rules
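Review bot: Every setting in this file is IPv4-only, so the redirect and source-route protections are left at kernel defaults for IPv6 and a guest with IPv6 enabled would still honour ICMPv6 redirects. Adding `net.ipv6.conf.all.accept_redirects=0`, `net.ipv6.conf.default.accept_redirects=0` and the matching IPv6 `accept_source_route=0` pair beside the IPv4 lines closes that gap. Whether the images this targets enable IPv6 is not visible from the diff, so the omission may be deliberate; if so, a short `# IPv6 intentionally left at kernel defaults.` comment would stop the question from recurring.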
@@ -0,0 +1,24 @@
+# Copyright 2016 Google Inc. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# Name the attached disks as the specified by deviceName.
+
+ACTION!="add|change", GOTO="gce_disk_naming_end"
+SUBSYSTEM!="block", GOTO="gce_disk_naming_end"
+
+KERNEL=="sd*|vd*", IMPORT{program}="scsi_id --export --whitelisted -d $tempnode"
+KERNEL=="sd*|vd*", ENV{ID_SERIAL_SHORT}=="?*", ENV{DEVTYPE}=="disk", SYMLINK+="disk/by-id/google-$env{ID_SERIAL_SHORT}"
+KERNEL=="sd*|vd*", ENV{ID_SERIAL_SHORT}=="?*", ENV{DEVTYPE}=="partition", SYMLINK+="disk/by-id/google-$env{ID_SERIAL_SHORT}-part%n"
+
+LABEL="gce_disk_naming_end"
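Review bot: The IMPORT rule runs `scsi_id` for `vd*` devices as well as `sd*`, but scsi_id reads SCSI inquiry data and presumably yields nothing for virtio-blk disks, so `vd*` devices never get `ID_SERIAL_SHORT` and the two SYMLINK rules silently do nothing for them; either narrow the IMPORT line to `KERNEL=="sd*"` or document that `google-*` links are only expected for SCSI-attached disks. `$tempnode` is the legacy spelling that newer udev releases treat as a deprecated alias of `$devnode`, so `-d $devnode` is the forward-compatible form. The header comment also has a stray "the"; `# Name the attached disks as specified by deviceName.` reads correctly.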