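#!/bin/bash
# Template construction and configuration utility
#
# Builds a minimal CentOS 5 OpenVZ container template: bootstraps a chroot
# with rpm/yum, trims services, tightens a few defaults (shadow passwords,
# locked root, stripped setuid/setgid bits) and packs the tree into a
# tarball.  Must run as root on a host that has rpm, yum, yumdownloader and
# a populated yum cache under /root/buildtemplate-data/yum.
#
# Locations can be overridden through the environment; the defaults are the
# original hard-coded paths:
#   NEWVZ_ROOT  scratch chroot directory
#   NEWVZ_PKG   scratch directory for downloaded packages
#   NEWVZ_OUT   output tarball
#
# pipefail is deliberately NOT enabled: the setuid/setgid filter below uses
# grep -v, which exits 1 when it filters every line, and that is not an error.
set -o errexit
set -o nounset

root="${NEWVZ_ROOT:-/tmp/newvz_chroot}"
pkg="${NEWVZ_PKG:-/tmp/newvz_pkg}"
out="${NEWVZ_OUT:-/tmp/centos-5-minimal_5.5_amd64.tar.gz}"
# Host-side yum cache that is bind-mounted into the chroot while installing.
host_cache="/root/buildtemplate-data/yum"
cache="$root/var/cache/yum"

# Print a message to stderr and abort.
die() { printf '%s\n' "$*" >&2; exit 1; }

#######################################
# Report whether a directory is currently a mount point.
# Arguments: $1 - absolute path
# Returns:   0 if a /proc/mounts entry has that path as its mount point
# Note:      /proc/mounts octal-escapes spaces, so a path containing
#            whitespace would not be matched; the default paths have none.
#######################################
is_mounted() {
  awk -v p="$1" '$2 == p { found = 1 } END { exit !found }' /proc/mounts
}

#######################################
# Exit handler: never leave the host cache bound inside the scratch tree.
# A later "rm -rf $root" would otherwise descend into the host's cache.
#######################################
cleanup() {
  if is_mounted "$cache"; then
    umount "$cache" || true
  fi
}
trap cleanup EXIT

# Start from a clean tree.  A bind mount left over from an aborted run must
# be gone before rm -rf runs; refuse to continue if it cannot be unmounted.
if is_mounted "$cache"; then
  umount "$cache" || die "cannot unmount $cache; refusing to remove $root"
fi
rm -rf -- "${root:?}" "${pkg:?}"
mkdir -p "$root/var/lib/rpm" "$cache" "$root/dev/pts"
mount --bind "$host_cache" "$cache"

# Bootstrap the RPM database and the distribution release package, then let
# yum pull in the base package set.
rpm --root "$root" --initdb
yumdownloader --destdir="$pkg" centos-release
rpm --root "$root" -ivh --nodeps "$pkg"/centos-release*rpm
yum --installroot="$root" -y install rpm yum \
  basesystem coreutils openssh-clients openssh-server ed less \
  vim-enhanced iptables logrotate crontabs gzip passwd rootfiles \
  sudo tar tmpwatch gawk bc bzip2 joe mtr perl strace tcpdump \
  telnet unzip vixie-cron wget zsh
umount "$cache"

# Set the same timezone as for host system
if [ -f /etc/localtime ]; then
  cp -fp /etc/localtime "$root/etc/localtime"
fi

# Kill udevd
sed -i 's|/sbin/start_udev|#/sbin/start_udev|g' "$root/etc/rc.d/rc.sysinit"
chroot "$root" /sbin/MAKEDEV null zero full tty ptmx console random urandom stdin stdout stderr

# Turn unneeded services off (only those whose init script exists)
OFF_SERVICES=(acpid rpcidmapd rpcgssd nfslock netfs portmap avahi-daemon
  avahi-dnsconfd pcscd bluetooth auditd autofs mcstrans messagebus
  restorecond haldaemon gpm lm_sensors)
for s in "${OFF_SERVICES[@]}"; do
  if [ -f "$root/etc/init.d/$s" ]; then
    chroot "$root" /sbin/chkconfig "$s" off
  fi
done

# Turn needed services on
ON_SERVICES=(network iptables crond sshd rsyslog)
for s in "${ON_SERVICES[@]}"; do
  if [ -f "$root/etc/init.d/$s" ]; then
    chroot "$root" /sbin/chkconfig "$s" on
  fi
done

# Convert system to shadow password files
chroot "$root" /usr/sbin/pwconv

# Disable root login (locks the password; key-based access is unaffected)
chroot "$root" /usr/sbin/usermod -L root

# Do not launch *getty on tty devices - they are not accessible from VPS
sed -i -e '/getty/d' "$root/etc/inittab"

# Mount /dev/pts
printf '%s\n' "none /dev/pts devpts rw 0 0" >> "$root/etc/fstab"

# Disable fsync() after every write in the syslog daemon (leading '-' on the
# log file name).  Edit whichever daemon's config is present: the old code
# tested for syslog.conf but edited rsyslog.conf, so the edit never applied.
for conf in "$root/etc/syslog.conf" "$root/etc/rsyslog.conf"; do
  if [ -f "$conf" ]; then
    sed -i -e 's@\([[:space:]]\)\(/var/log/\)@\1-\2@' "$conf"
  fi
done

# Remove unnecessary setuid bits, keeping the few a container still needs.
# NUL-delimited so an odd file name cannot turn into extra chmod arguments.
# "-perm /mode" is the supported spelling of the long-deprecated "+mode"
# (identical meaning for a single bit).
find "$root/" "$root/usr" -xdev -type f -perm /04000 -print0 \
  | grep -zvE '(/bin/(su|ping|traceroute)|/usr/bin/(passwd|sudo|chsh|crontab)|/usr/libexec/openssh/ssh-keysign)$' \
  | xargs -0 -r chmod ug-s

# Remove unnecessary setgid bits
find "$root/" "$root/usr" -xdev -type f -perm /02000 -print0 \
  | grep -zvE '(/usr/sbin/(postdrop|postqueue)|/usr/bin/ssh-agent)$' \
  | xargs -0 -r chmod g-s

# Do not try to unload iptables modules
if [ -f "$root/etc/sysconfig/iptables-config" ]; then
  sed -i -e 's/^IPTABLES_MODULES_UNLOAD.*/IPTABLES_MODULES_UNLOAD=\"no\"/' "$root/etc/sysconfig/iptables-config"
fi

# Assume we're not doing a multilib system.
if [ -f "$root/etc/yum.conf" ]; then
  printf '%s\n' "multilib_policy=best" >> "$root/etc/yum.conf"
fi

# Link /etc/mtab to /proc/mounts
rm -f "$root/etc/mtab"
ln -s /proc/mounts "$root/etc/mtab"

# Set non-interactive mode for initscripts (openvz bug #46)
sed -i -e 's/^PROMPT=.*/PROMPT=no/' "$root/etc/sysconfig/init"

# Pack the tree.  NOTE(review): the default output lives under the shared
# /tmp, where a fixed file name written by root is exposed to symlink games
# by other local users; point NEWVZ_OUT at a root-owned directory on
# multi-user hosts.
rm -f -- "$out"
tar --numeric-owner -C "$root" -czf "$out" .
printf '%s\n' "Completed template can be found at $out"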