From f8d0c78bf6304b71da0664f44c7ffbd506ca9542 Mon Sep 17 00:00:00 2001 From: David Kebler Date: Mon, 29 Jan 2024 15:11:57 -0800 Subject: [PATCH] refactor core moving files to core/rootfs move helper scripts to /opt/lib from /opt/bin therein refactor creating a user and installing UCI shell --- Dockerfile.d/core.tpl | 6 +- core/core.sh | 12 ++- core/rootfs/etc/profile | 83 ------------------- core/rootfs/etc/profile.d/02-root.sh | 6 -- core/rootfs/etc/profile.d/03-startup.sh | 10 --- core/rootfs/opt/bin/entrypoint | 13 ++- core/rootfs/opt/{bin => lib}/image-info | 0 core/rootfs/opt/lib/uci-shell | 29 +++++++ core/rootfs/opt/lib/user-create | 66 +++++++++++++++ .../{bin/map-host-id => lib/user-map-host-id} | 0 .../{bin/set-host-id => lib/user-set-host-id} | 0 core/uci-shell.sh | 24 ------ core/user.sh | 58 ------------- 13 files changed, 116 insertions(+), 191 deletions(-) delete mode 100644 core/rootfs/etc/profile delete mode 100644 core/rootfs/etc/profile.d/02-root.sh delete mode 100644 core/rootfs/etc/profile.d/03-startup.sh rename core/rootfs/opt/{bin => lib}/image-info (100%) create mode 100755 core/rootfs/opt/lib/uci-shell create mode 100755 core/rootfs/opt/lib/user-create rename core/rootfs/opt/{bin/map-host-id => lib/user-map-host-id} (100%) rename core/rootfs/opt/{bin/set-host-id => lib/user-set-host-id} (100%) delete mode 100755 core/uci-shell.sh delete mode 100755 core/user.sh diff --git a/Dockerfile.d/core.tpl b/Dockerfile.d/core.tpl index 76beaf2..7311b84 100644 --- a/Dockerfile.d/core.tpl +++ b/Dockerfile.d/core.tpl @@ -7,11 +7,13 @@ % if ! { [ "$VERBOSE" = "core" ] || [ "$VERBOSE" = "all" ]; }; then unset VERBOSE; fi +echo "**************************************" +echo "****** Building UCI Image Core ******" + +echo copying core rootfs to image /bin/cp -R -f -p rootfs/. / . /opt/lib/verbose.lib -echo "**************************************" -echo "****** Building UCI Image Core ******" quiet echo core build directory quiet pwd quiet ls -la 
diff --git a/core/core.sh b/core/core.sh index 88a8df2..8242fa0 100644 --- a/core/core.sh +++ b/core/core.sh @@ -10,6 +10,8 @@ if [[ -f ./build.env ]]; then source ./build.env fi source $LIB_DIR/verbose.lib + +[[ -f ./custom-core.sh ]] && echo "sourcing custom core script" && source "./custom-core.sh" echo appending pkg commands to core_run.env echo appending sourcing of $ENV_DIR/run.env if it exists cat <> /opt/core_run.env @@ -21,14 +23,16 @@ quiet cat /opt/core_run.env mkdir -p /etc/profile.d echo creating login sourcing file for core_run.env in /etc/profile.d echo "source /opt/core_run.env" > /etc/profile.d/01-core-run-env.sh -quiet ls -la /etc/profile.d + +# if UCI_SHELL is set then USER must be login user [[ $USER_PW ]] && export USER=${USER:-host} if [[ $USER ]]; then export UHID=${UHID:-1000} chown -R -h $UHID:$UHID /opt $VOLUME_DIRS - /bin/bash user.sh + $LIB_DIR/user-create fi -[[ $UCI_SHELL ]] && /bin/bash uci-shell.sh - +[[ $UCI_SHELL ]] && $LIB_DIR/uci-shell +quiet ls -la /etc/profile.d +quiet cat /etc/profile ls -la /opt echo "done ------------- CORE INSTALLATION ------------" \ No newline at end of file diff --git a/core/rootfs/etc/profile b/core/rootfs/etc/profile deleted file mode 100644 index dfc8913..0000000 --- a/core/rootfs/etc/profile +++ /dev/null 
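Review bot: The new `[[ -f ./custom-core.sh ]] && echo "sourcing custom core script" && source "./custom-core.sh"` line sources whatever file happens to sit in the caller's working directory, so the hook's location depends on where core.sh is invoked from rather than on the script itself. Anchoring the lookup to the script's own directory, `source "$(dirname "${BASH_SOURCE[0]}")/custom-core.sh"`, and adding a comment above it such as `# optional build-time hook: custom-core.sh next to this script is sourced with root privileges` would make the trust boundary explicit to the next reader. Whether a failing custom script aborts the build depends on the `set` options established earlier in core.sh, which are outside this hunk.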
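Review bot: The new comment `# if UCI_SHELL is set then USER must be login user` sits above `[[ $USER_PW ]] && export USER=${USER:-host}`, which keys on USER_PW, not UCI_SHELL, so the comment describes a condition the code does not check; either reword it to `# a password implies a login user; default the name to host` or make the code test UCI_SHELL as the comment says. The replacements `$LIB_DIR/user-create` and `$LIB_DIR/uci-shell` are unquoted and are run without confirming LIB_DIR is set, so an empty LIB_DIR silently tries to execute `/user-create`; a guard such as `: "${LIB_DIR:?LIB_DIR must be set}"` before the `if [[ $USER ]]` block would fail loudly instead. The `set -e` state that decides whether a non-zero exit from `$LIB_DIR/uci-shell` stops the build is established outside the hunk.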
@@ -1,83 +0,0 @@ -#!/bin/bash - -# do not add code here for non-interative login shell -# rather put additional non-interactive profile script code in files in /etc/profile.d - -# this files is sourced for all login shells and also interactive non-login shells via /etc/bash.bashrc -# more info see http://www.linuxfromscratch.org/blfs/view/svn/postlfs/profile.html - -# interactive non-login and login shells will call the BASH_SHELL_LOAD script below -# non-interative login shells only source /etc/profile.d -# in profile.d is 03-startup.sh which will call -# any of the scripts in a repo's startup subdirectory -# non-interactive non-login shells are not handled here only via /etc/bash.bashrc -# interactive login - - -([ -n "$SSH_CONNECTION" ] || [ -n "$SSH_CLIENT" ] || [ -n "$SSH_TTY" ]) && export SSH_SESSION=true -[[ $- == *i* ]] && export SHELL_INTERACTIVE=true -shopt -q login_shell && export SHELL_LOGIN=true -[ $EUID -eq 0 ] && export USER_ROOT=true - -# uncomment for debugging non-interactive login shell, i.e. $ . /etc/profile -#unset SHELL_INTERACTIVE - -#uncomment these for debugging. -# echo ---- sourcing system /etc/profile --- -# [[ $USER_ROOT ]] && echo 'Root User' || echo 'Non Root User' -# [[ $SHELL_INTERACTIVE ]] && echo 'Interactive' || echo 'Not interactive' -# [[ $SHELL_LOGIN ]] && echo 'Login shell' || echo 'Not login shell' -# [[ $SSH_SESSION ]] && echo ssh remote user || echo local user -# echo --------------------- - -# Set the initial path -export PATH=/bin:/usr/bin:/usr/local/bin -# set directory for base shell repo -export BASH_SHELL_BASE=/shell -# now bootstrap by souring the shell repo envinroment -source $BASH_SHELL_BASE/shell.env -# set $BASH_SAFE_MODE=true in shell.env to disable UCI interactive shell from loading -# TODO see if $NO_BASH_SHELL_SSH=true in user or host directory (at the remote machine) -# if so don't source the load command below and make just a simple prompt. -if [[ $SHELL_INTERACTIVE ]]; then - if [[ ! 
$BASH_SAFE_MODE ]]; then - # echo interactive shell loading $BASH_SHELL_LOAD - source "$BASH_SHELL_LOAD" - else - # safe mode - # just set a simple prompt instead - NORMAL="\[\e[0m\]" - RED="\[\e[1;31m\]" - GREEN="\[\e[1;32m\]" - YELLOW='\e[1;33m' - if [[ $EUID == 0 ]] ; then - PS1="${YELLOW}SAFE:$RED\u [ $NORMAL\w$RED ]# $NORMAL" - else - PS1="${YELLOW}SAFE:$GREEN \u [ $NORMAL\w$GREEN ]\$ $NORMAL" - fi - unset RED GREEN NORMAL YELLOW - fi -else - # this is non-interactive login (e.g. at user machine login) - if [[ $EUID -ne 0 ]] && [[ ! $SSH_SESSION ]]; then - export LOGIN_LOG=$HOME/logs/login.log - mkdir -p $HOME/logs - touch $LOGIN_LOG - llog () { - echo "$@" >> $LOGIN_LOG 2>&1 - } - export -f llog - llog "$(env | grep BASH)" - echo "$(date)" > $LOGIN_LOG - llog "non-interactive login shell for $USER" - if [ -d /etc/profile.d ]; then - for i in /etc/profile.d/*.sh; do - if [ -r $i ]; then - llog "sourcing $i" - source $i - fi - done - unset i - fi - fi -fi diff --git a/core/rootfs/etc/profile.d/02-root.sh b/core/rootfs/etc/profile.d/02-root.sh deleted file mode 100644 index 0d85643..0000000 --- a/core/rootfs/etc/profile.d/02-root.sh +++ /dev/null @@ -1,6 +0,0 @@ -# root login setup only, put in if block -if [ $EUID -eq 0 ] ; then # if root user - echo login profile, root specific setup - export PATH=$PATH:/sbin:/usr/sbin:/usr/local/sbin - unset HISTFILE -fi diff --git a/core/rootfs/etc/profile.d/03-startup.sh b/core/rootfs/etc/profile.d/03-startup.sh deleted file mode 100644 index 42bd158..0000000 --- a/core/rootfs/etc/profile.d/03-startup.sh +++ /dev/null 
@@ -1,10 +0,0 @@ -# this runs startups for bash shell base system - # don't run statup if user logs in via su - if [ "$SHELL" = "/bin/bash" ] && [ "${BASH_SHELL_STARTUP}" ] && [ "$(ps -o comm= $PPID)" != "su" ]; then - # uncomment for debugging - if [[ -f $BASH_SHELL_STARTUP ]] && [[ $EUID -ne 0 ]]; then - llog "sourcing startup script $BASH_SHELL_STARTUP" - # (${BASH_SHELL_STARTUP}) & - source ${BASH_SHELL_STARTUP} - fi - fi diff --git a/core/rootfs/opt/bin/entrypoint b/core/rootfs/opt/bin/entrypoint index c7370c4..3ba57a3 100755 --- a/core/rootfs/opt/bin/entrypoint +++ b/core/rootfs/opt/bin/entrypoint @@ -1,18 +1,23 @@ #!/bin/bash source /opt/core_run.env -case "$1" in +cmd=$1 + +# [[ $DEVELOPMENT && $cmd == "${ENTRYPOINT_CMD:-start}" ]] && echo "development mode enabled, idling container" && cmd=idle + +case "$cmd" in maphostid) shift 1 -/bin/bash -l -c '$BIN_DIR/map-host-id $@' $0 "$@" +/bin/bash -l -c '$:LIB_DIR/map-host-id $@' $0 "$@" ;; idle) +echo container put in idle mode, use docker terminal to access sleep infinity ;; image) shift 1 -/bin/bash -l -c '$BIN_DIR/image-info $@' $0 "$@" +/bin/bash -l -c '$LIB_DIR/image-info $@' $0 "$@" ;; shell) shift 1 @@ -29,7 +34,7 @@ cat | /bin/bash -l ;; ${ENTRYPOINT_CMD:-start}) shift 1 -/bin/bash -l -c '${ENTRYPOINT_CMD_PATH:-$BIN_DIR/start} $@' $0 "$@" +/bin/bash -l -c '${ENTRYPOINT_CMD_PATH:-$BIN_DIR/${ENTRYPOINT_CMD:-start}} $@' $0 "$@" ;; *) echo "--- command passed to container: $* ---" diff --git a/core/rootfs/opt/bin/image-info b/core/rootfs/opt/lib/image-info similarity index 100% rename from core/rootfs/opt/bin/image-info rename to core/rootfs/opt/lib/image-info diff --git a/core/rootfs/opt/lib/uci-shell b/core/rootfs/opt/lib/uci-shell new file mode 100755 index 0000000..412e5a0 --- /dev/null +++ b/core/rootfs/opt/lib/uci-shell 
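Review bot: The `maphostid` arm's new line `/bin/bash -l -c '$:LIB_DIR/map-host-id $@' $0 "$@"` contains a stray `:` after `$`, so `$:LIB_DIR` is not a parameter expansion and the command is passed literally; in addition this same commit renames `opt/bin/map-host-id` to `opt/lib/user-map-host-id`, so even the intended path no longer exists. The line should read `/bin/bash -l -c '$LIB_DIR/user-map-host-id $@' $0 "$@"`. The `image` arm's `$LIB_DIR/image-info` does match the rename in this commit. A short comment above the `case`, e.g. `# $cmd selects a helper under LIB_DIR/BIN_DIR; remaining args are forwarded verbatim`, would document the dispatch.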
@@ -0,0 +1,29 @@ +#!/bin/bash +echo -e "\n------------ ADD UCI-SHELL ---------------" +/bin/cp -R -f -p shell/. /shell +ls -la / +ls -ls /shell +# mkdir -p /shell +# _url=https://git.kebler.net/bash/shell-base.git +# git clone $_url /shell + +source /shell/base/install/install.sh +usermod --shell /bin/bash root + +if [[ $USER_PW ]]; then +echo adding shell for login user $USER +homedir=$( getent passwd "$USER" | cut -d: -f6 ) +mkdir -p $homedir/shell +uci_bash_shell_install $USER +chown -R :$USER /shell +chmod -R g+r /shell +# setfacl -d --set u::rwx,g::rwx,o::- /shell +chown -R :host $homedir/shell +chmod -R g+rw $homedir/shell +# setfacl -d --set u::rwx,g::rwx,o::- /home/$USER/shell +else + uci_bash_shell_install +fi + +echo "----------- uci shell install complete ------" + diff --git a/core/rootfs/opt/lib/user-create b/core/rootfs/opt/lib/user-create new file mode 100755 index 0000000..0e2c26c --- /dev/null +++ b/core/rootfs/opt/lib/user-create 
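Review bot: In the `USER_PW` branch, `homedir=$( getent passwd "$USER" | cut -d: -f6 )` is used unchecked, so if the user does not exist yet (for example when this script runs before user-create) `homedir` is empty and the later `chown -R :host $homedir/shell` and `chmod -R g+rw $homedir/shell` are applied to the system tree `/shell` instead of the user's copy. Add a guard directly after the assignment: `[[ $homedir ]] || { echo "no home directory found for $USER" >&2; exit 1; }`. The group in `chown -R :host $homedir/shell` is hard-coded while the group created alongside the user is named `$USER`, so for any USER other than `host` the chown either fails or hands the directory to an unrelated group; `chown -R :"$USER"` would match the preceding `chown -R :$USER /shell`. A one-line header comment stating that this script expects `shell/` in the build context and must run after user-create would help, since the ordering is only implied by core.sh.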
@@ -0,0 +1,66 @@ +#!/bin/bash +USER=${1:-$USER} +USER_PW=${2-$USER_PW} +UHID=${UHID:-1000} + +# TODO make SUDO conditional on USER_SUDO=true + +if [[ $USER ]]; then +echo "------- Adding USER: $USER with ID: $UHID ------" + +cat <> /etc/login.defs +SYS_UID_MAX $UHID" +SYS_GID_MAX $UHID" +DOC + + source $LIB_DIR/verbose.lib + # echo loading acl package + # silence $INSTALL_PKGS acl + groupadd -g $UHID $USER + # user passwords implies system (sudo) login user + + if [[ $USER_PW ]]; then + echo "$USER is being created as a login user" + useradd -rm -s /bin/bash -G $USER,$([[ $(getent group sudo) ]] && echo sudo || echo wheel) -g $USER -u $UHID $USER + echo $USER groups: $(groups $USER) + chpasswd <<< "${USER}:${USER_PW}" + +# SUDOERS Setup + cat <> /etc/sudoers.d/01-sudo-wheel +Defaults lecture = never +%wheel ALL=(ALL:ALL) ALL +%sudo ALL=(ALL:ALL) ALL +SUDO + chmod 440 /etc/sudoers.d/01-sudo-wheel + + cat <> /etc/sudoers.d/02-$USER +$USER ALL = NOPASSWD:/bin/chown +$USER ALL = NOPASSWD:/bin/chmod +USER + chmod 440 /etc/sudoers.d/02-$USER + if [[ -f $USER-permits ]]; then + echo "--- $USER-permits file supplied copying to /etc/sudoers.d ---" + cat $USER-permits + cat $USER-permits >> /etc/sudoers.d/02-$USER + fi + else + echo $USER will be a non login user + # home_dir=${USER_HOME:-/home/$USER} + # mkdir -p $home_dir + useradd -rM -s /sbin/nologin -G $USER -g $USER -u $UHID $USER -p '*' -d /dev/null + # usermod -p '*' $USER + # -d $home_dir + # chown $USER:$USER $home_dir +fi + # shellcheck enable=add-default-case +# chmod -R g+rw /opt +# setfacl -d --set u::rwx,g::rwx,o::- /opt +cat /etc/passwd | grep $USER +id $USER +echo "done------- Adding USER: $USER ------" + +fi + + + + diff --git a/core/rootfs/opt/bin/map-host-id b/core/rootfs/opt/lib/user-map-host-id similarity index 100% rename from core/rootfs/opt/bin/map-host-id rename to core/rootfs/opt/lib/user-map-host-id 
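Review bot: The block `if [[ -f $USER-permits ]]` appends an arbitrary file from the working directory to `/etc/sudoers.d/02-$USER` without validating it, and a syntax error in any sudoers.d fragment makes sudo refuse every invocation in the image; add `visudo -cf /etc/sudoers.d/02-$USER || exit 1` after the append (and similarly after writing `01-sudo-wheel`). The unconditional `$USER ALL = NOPASSWD:/bin/chown` and `/bin/chmod` entries grant the login user passwordless ownership and mode changes on any path, which in practice is equivalent to full root; the new `# TODO make SUDO conditional on USER_SUDO=true` acknowledges this, and a comment on those two lines stating that they are a deliberate, image-wide grant would keep the intent visible until the TODO is resolved. Both `cat <<… >> /etc/sudoers.d/…` appends also duplicate their lines on a second run; `>` would be idempotent here since the files are owned by this script.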
diff --git a/core/rootfs/opt/bin/set-host-id b/core/rootfs/opt/lib/user-set-host-id similarity index 100% rename from core/rootfs/opt/bin/set-host-id rename to core/rootfs/opt/lib/user-set-host-id diff --git a/core/uci-shell.sh b/core/uci-shell.sh deleted file mode 100755 index 7c908f7..0000000 --- a/core/uci-shell.sh +++ /dev/null @@ -1,24 +0,0 @@ -#!/bin/bash -echo -e "\n------------ ADD UCI-SHELL ---------------" -mkdir -p /shell -_url=https://git.kebler.net/bash/shell-base.git -git clone $_url /shell -source /shell/install/install.sh - - -if [[ $USER_PW ]]; then -echo adding shell for login user $USER -mkdir -p /home/$USER/shell -uci_bash_shell_install $USER -chown -R $USER:$USER /shell -chmod -R g+rw /shell -# setfacl -d --set u::rwx,g::rwx,o::- /shell -chown -R :host /home/$USER/shell -chmod -R g+rw /home/$USER/shell -# setfacl -d --set u::rwx,g::rwx,o::- /home/$USER/shell -else - uci_bash_shell_install -fi - -echo "----------- uci shell install complete ------" - diff --git a/core/user.sh b/core/user.sh deleted file mode 100755 index 8ecc1a2..0000000 --- a/core/user.sh +++ /dev/null 
@@ -1,58 +0,0 @@ -#!/bin/bash -USER=${1:-$USER} -USER_PW=${2-$USER_PW} -UHID=${UHID:-1000} - -if [[ $USER ]]; then -echo "------- Adding USER: $USER with ID: $UHID ------" - -cat <> /etc/login.defs -SYS_UID_MAX $UHID" -SYS_GID_MAX $UHID" -DOC - - source $LIB_DIR/verbose.lib - # echo loading acl package - # silence $INSTALL_PKGS acl - groupadd -g $UHID $USER - # user passwords implies system (sudo) login user - if [[ $USER_PW ]]; then - echo "login system user being created" - useradd -rm -s /bin/bash -G $USER,$([[ $(getent group sudo) ]] && echo sudo || echo wheel) -g $USER -u $UHID $USER - echo $USER groups: $(groups $USER) - chpasswd <<< "${USER}:${USER_PW}" - -# SUDOERS Setup -cat <> /etc/sudoers.d/01-sudo-wheel -Defaults lecture = never -%wheel ALL=(ALL:ALL) ALL -%sudo ALL=(ALL:ALL) ALL -SUDO - chmod 440 /etc/sudoers.d/01-sudo-wheel - -cat <> /etc/sudoers.d/02-$USER -$USER ALL = NOPASSWD:/bin/chown -$USER ALL = NOPASSWD:/bin/chmod -USER - chmod 440 /etc/sudoers.d/02-$USER - if [[ -f $USER-permits ]]; then - echo "--- $USER-permits file supplied copying to /etc/sudoers.d ---" - cat $USER-permits - cat $USER-permits >> /etc/sudoers.d/02-$USER - fi - else - home_dir=$([[ $USER_HOME ]] && echo "$USER_HOME" || echo "/opt/user" ) - mkdir -p $home_dir - useradd -s /sbin/nologin -G $USER -g $USER -u $UHID $USER -d $home_dir - chown $USER:$USER $home_dir -fi - # shellcheck enable=add-default-case -# chmod -R g+rw /opt -# setfacl -d --set u::rwx,g::rwx,o::- /opt -cat /etc/passwd | grep $USER -echo "done------- Adding USER: $USER ------" -fi - - - -