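├── README
├── buildcentos
├── buildserentos
├── buildsqueeze
└── buildubuntu

/README:
--------------------------------------------------------------------------------
These require that they be run on a CentOS or other RPM-based distro for
the RedHat-derived systems, and on Debian or Ubuntu for the dpkg-based
systems. You'll need either yumdownloader or debootstrap respectively;
these will halt on any errors encountered along the way. Please let me
know what breaks.

--------------------------------------------------------------------------------
/buildcentos:
--------------------------------------------------------------------------------
#!/bin/bash
# Template construction and configuration utility
#
# Builds a minimal CentOS 5 OpenVZ template: installs a fixed package set
# into a throw-away chroot under $root, strips hardware/host-only services
# and unneeded setuid bits, then tars the tree up as $out.  Must run as root
# on an RPM-based host with yumdownloader available (see README).  Any
# failing command aborts the build (errexit).

set -o errexit
set -o nounset

root="/tmp/newvz_chroot"
pkg="/tmp/newvz_pkg"
out="/tmp/centos-5-minimal_5.5_amd64.tar.gz"
# Host-side yum package cache, bind-mounted into the chroot so repeated
# builds do not re-download every package.
yum_cache_src="/root/buildtemplate-data/yum"
yum_cache="$root/var/cache/yum"

# NOTE(review): $root, $pkg and $out are fixed, predictable names under the
# world-writable /tmp while this script runs as root, and the finished
# archive (which contains the template's /etc/shadow) is created with the
# default umask.  On a shared build host point them at a root-owned
# directory instead.

# True when $1 is currently a mount point.  /proc/mounts is used because the
# mountpoint(1) helper may be absent on older hosts.
is_mounted() {
  grep -q " $1 " /proc/mounts
}

# Never leave the bind mount behind when the build aborts part-way: a
# still-mounted $yum_cache is the HOST cache, and the rm -rf of $root on the
# next run would empty it.
cleanup() {
  if is_mounted "$yum_cache"; then
    umount "$yum_cache" || echo "warning: could not unmount $yum_cache" >&2
  fi
}
trap cleanup EXIT

# A previous aborted run may have left the cache mounted.  The umount must
# succeed before anything below $root is deleted; errexit enforces that
# (the old "umount || true" silently went on to rm -rf a live bind mount).
if is_mounted "$yum_cache"; then
  umount "$yum_cache"
fi
rm -rf "$root" "$pkg"

mkdir -p "$root/var/lib/rpm" "$yum_cache" "$root/dev/pts"

[ -d "$yum_cache_src" ] || { echo "missing yum cache dir $yum_cache_src" >&2; exit 1; }
mount --bind "$yum_cache_src" "$yum_cache"

# Seed the rpm database with the release package alone (--nodeps) so that
# yum has repository definitions to work with; yum then resolves the rest.
rpm --root "$root" --initdb
yumdownloader --destdir="$pkg" centos-release
rpm --root "$root" -ivh --nodeps "$pkg"/centos-release*rpm
yum --installroot="$root" -y install rpm yum \
  basesystem coreutils openssh-clients openssh-server ed less \
  vim-enhanced iptables logrotate crontabs gzip passwd rootfiles \
  sudo tar tmpwatch gawk bc bzip2 joe mtr perl strace tcpdump \
  telnet unzip vixie-cron wget zsh

umount "$yum_cache"

# Set the same timezone as for host system
[ -f /etc/localtime ] && cp -fp /etc/localtime "$root/etc/localtime"

# Kill udevd - there is no hardware to enumerate inside a container; the
# handful of device nodes the template needs are created statically.
sed -i 's|/sbin/start_udev|#/sbin/start_udev|g' "$root/etc/rc.d/rc.sysinit"
chroot "$root" /sbin/MAKEDEV null zero full tty ptmx console random urandom stdin stdout stderr

# Turn unneeded services off (hardware, NFS/RPC, desktop and SELinux helpers
# that cannot or should not run inside a container).  A failing chkconfig
# now aborts the build instead of being hidden inside an && list.
OFF_SERVICES="acpid rpcidmapd rpcgssd nfslock netfs portmap avahi-daemon avahi-dnsconfd pcscd bluetooth auditd autofs mcstrans messagebus restorecond haldaemon gpm lm_sensors"
for S in $OFF_SERVICES; do
  if [ -f "$root/etc/init.d/$S" ]; then
    chroot "$root" /sbin/chkconfig "$S" off
  fi
done

# Turn needed services on
ON_SERVICES="network iptables crond sshd rsyslog"
for S in $ON_SERVICES; do
  if [ -f "$root/etc/init.d/$S" ]; then
    chroot "$root" /sbin/chkconfig "$S" on
  fi
done

# Convert system to shadow password files
chroot "$root" /usr/sbin/pwconv

# Disable root login: lock the root password so the account is unusable
# until the container operator sets a password of their own.
chroot "$root" /usr/sbin/usermod -L root

# Do not launch *getty on tty devices - they are not accessible from VPS
sed -i -e '/getty/d' "$root/etc/inittab"

# Mount /dev/pts
echo "none /dev/pts devpts rw 0 0" >> "$root/etc/fstab"

# Disable fsync() in syslog by prefixing /var/log/ targets with '-'.  Edit
# whichever syslog daemon config is actually present; the original tested
# for syslog.conf but edited rsyslog.conf, which either skipped the edit or
# aborted the build on a sed of a missing file.
for conf in syslog.conf rsyslog.conf; do
  if [ -f "$root/etc/$conf" ]; then
    sed -i -e 's@\([[:space:]]\)\(/var/log/\)@\1-\2@' "$root/etc/$conf"
  fi
done

# Remove unnecessary setuid bits, keeping only the helpers a container user
# still needs (su, ping, traceroute, passwd, sudo, chsh, crontab and
# ssh-keysign).  -perm /mode is the supported spelling of the deprecated
# +mode; xargs -r skips the chmod when nothing matches.  Paths in a base
# install contain no whitespace, so the newline-separated pipe is safe here.
find "$root/" "$root/usr" -xdev -type f -perm /04000 | \
  grep -vP '(/bin/(su|ping|traceroute)|/usr/bin/(passwd|sudo|chsh|crontab)|/usr/libexec/openssh/ssh-keysign)$' | \
  xargs -r chmod ug-s

# Remove unnecessary setgid bits
find "$root/" "$root/usr" -xdev -type f -perm /02000 | \
  grep -vP '(/usr/sbin/(postdrop|postqueue)|/usr/bin/ssh-agent)$' | \
  xargs -r chmod g-s

# Do not try to unload iptables modules (the container cannot touch modules)
if [ -f "$root/etc/sysconfig/iptables-config" ]; then
  sed -i -e 's/^IPTABLES_MODULES_UNLOAD.*/IPTABLES_MODULES_UNLOAD=\"no\"/' "$root/etc/sysconfig/iptables-config"
fi

# Assume we're not doing a multilib system.
[ -f "$root/etc/yum.conf" ] && echo multilib_policy=best >> "$root/etc/yum.conf"

# Link /etc/mtab to /proc/mounts
rm -f "$root/etc/mtab"
ln -s /proc/mounts "$root/etc/mtab"

# Set non-interactive mode for initscripts (openvz bug #46)
sed -i -e 's/^PROMPT=.*/PROMPT=no/' "$root/etc/sysconfig/init"

# Pack the tree.  --numeric-owner stores uids/gids rather than names so the
# archive does not depend on the build host's passwd database.
rm -f "$out"
tar --numeric-owner -C "$root" -czf "$out" .
echo "Completed template can be found at $out"

--------------------------------------------------------------------------------
/buildserentos:
--------------------------------------------------------------------------------
#!/bin/bash
# Template construction and configuration utility
#
# Same procedure as buildcentos, but seeded from the serentos-release
# package and written to a serentos-named archive.  Must run as root on an
# RPM-based host with yumdownloader available (see README).  Any failing
# command aborts the build (errexit).

set -o errexit
set -o nounset

root="/tmp/newvz_chroot"
pkg="/tmp/newvz_pkg"
out="/tmp/serentos-minimal_6.0_amd64.tar.gz"
# Host-side yum package cache, bind-mounted into the chroot so repeated
# builds do not re-download every package.
yum_cache_src="/root/buildtemplate-data/yum"
yum_cache="$root/var/cache/yum"

# NOTE(review): $root, $pkg and $out are fixed, predictable names under the
# world-writable /tmp while this script runs as root, and the finished
# archive (which contains the template's /etc/shadow) is created with the
# default umask.  On a shared build host point them at a root-owned
# directory instead.

# True when $1 is currently a mount point.  /proc/mounts is used because the
# mountpoint(1) helper may be absent on older hosts.
is_mounted() {
  grep -q " $1 " /proc/mounts
}

# Never leave the bind mount behind when the build aborts part-way: a
# still-mounted $yum_cache is the HOST cache, and the rm -rf of $root on the
# next run would empty it.
cleanup() {
  if is_mounted "$yum_cache"; then
    umount "$yum_cache" || echo "warning: could not unmount $yum_cache" >&2
  fi
}
trap cleanup EXIT

# A previous aborted run may have left the cache mounted.  The umount must
# succeed before anything below $root is deleted; errexit enforces that
# (the old "umount || true" silently went on to rm -rf a live bind mount).
if is_mounted "$yum_cache"; then
  umount "$yum_cache"
fi
rm -rf "$root" "$pkg"

mkdir -p "$root/var/lib/rpm" "$yum_cache" "$root/dev/pts"

[ -d "$yum_cache_src" ] || { echo "missing yum cache dir $yum_cache_src" >&2; exit 1; }
mount --bind "$yum_cache_src" "$yum_cache"

# Seed the rpm database with the release package alone (--nodeps) so that
# yum has repository definitions to work with; yum then resolves the rest.
# The package downloaded is serentos-release, so that is the file installed
# (the original globbed for centos-release*, which yumdownloader does not
# produce here).  NOTE(review): confirm the downloaded file name matches.
rpm --root "$root" --initdb
yumdownloader --destdir="$pkg" serentos-release
rpm --root "$root" -ivh --nodeps "$pkg"/serentos-release*rpm
yum --installroot="$root" -y install rpm yum \
  basesystem coreutils openssh-clients openssh-server ed less \
  vim-enhanced iptables logrotate crontabs gzip passwd rootfiles \
  sudo tar tmpwatch gawk bc bzip2 joe mtr perl strace tcpdump \
  telnet unzip vixie-cron wget zsh

umount "$yum_cache"

# Set the same timezone as for host system
[ -f /etc/localtime ] && cp -fp /etc/localtime "$root/etc/localtime"

# Kill udevd - there is no hardware to enumerate inside a container; the
# handful of device nodes the template needs are created statically.
sed -i 's|/sbin/start_udev|#/sbin/start_udev|g' "$root/etc/rc.d/rc.sysinit"
chroot "$root" /sbin/MAKEDEV null zero full tty ptmx console random urandom stdin stdout stderr

# Turn unneeded services off (hardware, NFS/RPC, desktop and SELinux helpers
# that cannot or should not run inside a container).  A failing chkconfig
# now aborts the build instead of being hidden inside an && list.
OFF_SERVICES="acpid rpcidmapd rpcgssd nfslock netfs portmap avahi-daemon avahi-dnsconfd pcscd bluetooth auditd autofs mcstrans messagebus restorecond haldaemon gpm lm_sensors"
for S in $OFF_SERVICES; do
  if [ -f "$root/etc/init.d/$S" ]; then
    chroot "$root" /sbin/chkconfig "$S" off
  fi
done

# Turn needed services on
ON_SERVICES="network iptables crond sshd rsyslog"
for S in $ON_SERVICES; do
  if [ -f "$root/etc/init.d/$S" ]; then
    chroot "$root" /sbin/chkconfig "$S" on
  fi
done

# Convert system to shadow password files
chroot "$root" /usr/sbin/pwconv

# Disable root login: lock the root password so the account is unusable
# until the container operator sets a password of their own.
chroot "$root" /usr/sbin/usermod -L root

# Do not launch *getty on tty devices - they are not accessible from VPS
sed -i -e '/getty/d' "$root/etc/inittab"

# Mount /dev/pts
echo "none /dev/pts devpts rw 0 0" >> "$root/etc/fstab"

# Disable fsync() in syslog by prefixing /var/log/ targets with '-'.  Edit
# whichever syslog daemon config is actually present; the original tested
# for syslog.conf but edited rsyslog.conf, which either skipped the edit or
# aborted the build on a sed of a missing file.
for conf in syslog.conf rsyslog.conf; do
  if [ -f "$root/etc/$conf" ]; then
    sed -i -e 's@\([[:space:]]\)\(/var/log/\)@\1-\2@' "$root/etc/$conf"
  fi
done

# Remove unnecessary setuid bits, keeping only the helpers a container user
# still needs (su, ping, traceroute, passwd, sudo, chsh, crontab and
# ssh-keysign).  -perm /mode is the supported spelling of the deprecated
# +mode; xargs -r skips the chmod when nothing matches.  Paths in a base
# install contain no whitespace, so the newline-separated pipe is safe here.
find "$root/" "$root/usr" -xdev -type f -perm /04000 | \
  grep -vP '(/bin/(su|ping|traceroute)|/usr/bin/(passwd|sudo|chsh|crontab)|/usr/libexec/openssh/ssh-keysign)$' | \
  xargs -r chmod ug-s

# Remove unnecessary setgid bits
find "$root/" "$root/usr" -xdev -type f -perm /02000 | \
  grep -vP '(/usr/sbin/(postdrop|postqueue)|/usr/bin/ssh-agent)$' | \
  xargs -r chmod g-s

# Do not try to unload iptables modules (the container cannot touch modules)
if [ -f "$root/etc/sysconfig/iptables-config" ]; then
  sed -i -e 's/^IPTABLES_MODULES_UNLOAD.*/IPTABLES_MODULES_UNLOAD=\"no\"/' "$root/etc/sysconfig/iptables-config"
fi

# Assume we're not doing a multilib system.
[ -f "$root/etc/yum.conf" ] && echo multilib_policy=best >> "$root/etc/yum.conf"

# Link /etc/mtab to /proc/mounts
rm -f "$root/etc/mtab"
ln -s /proc/mounts "$root/etc/mtab"

# Set non-interactive mode for initscripts (openvz bug #46)
sed -i -e 's/^PROMPT=.*/PROMPT=no/' "$root/etc/sysconfig/init"

# Pack the tree.  --numeric-owner stores uids/gids rather than names so the
# archive does not depend on the build host's passwd database.
rm -f "$out"
tar --numeric-owner -C "$root" -czf "$out" .
echo "Completed template can be found at $out"

--------------------------------------------------------------------------------
/buildsqueeze:
--------------------------------------------------------------------------------
#!/bin/bash
# Template construction and configuration utility
#
# Builds a minimal Debian 6.0 (squeeze) OpenVZ template with debootstrap
# into a throw-away chroot under $root, tunes it for container use, strips
# the host keys and logs, then tars the tree up as $out.  Must run as root
# on a dpkg-based host with debootstrap available (see README).  Any failing
# command aborts the build (errexit).

set -o errexit
set -o nounset

root="/tmp/newvz_chroot_debian"
pkg="/tmp/newvz_pkg"
out="/tmp/debian-6.0-minimal_6.0_amd64.tar.gz"

# NOTE(review): $root and $out are fixed, predictable names under the
# world-writable /tmp while this script runs as root, and the finished
# archive (which contains the template's /etc/shadow) is created with the
# default umask.  On a shared build host point them at a root-owned
# directory instead.

rm -rf "$root" "$pkg"
debootstrap \
  --include=cron,openssh-server,logrotate,strace,vim,iptables,tcpdump,bc,mtr-tiny,telnet,sudo,gawk,gpgv,less,iputils-ping,wget,zsh,unzip,aptitude,rsyslog,dhcp3-client,rsync,locales,net-tools \
  --arch=amd64 --variant=minbase squeeze "$root"

# Fix locale so apt doesn't kill us
echo "en_US.UTF-8 UTF-8" >> "$root/etc/locale.gen"
chroot "$root" /usr/sbin/locale-gen en_US.UTF-8
chroot "$root" /usr/sbin/update-locale LANG="en_US.UTF-8" LANGUAGE="en_US.UTF-8" LC_ALL="en_US.UTF-8" LC_CTYPE="C"
chroot "$root" /usr/sbin/update-locale

# Set the same timezone as for host system
[ -f /etc/localtime ] && cp -fp /etc/localtime "$root/etc/localtime"

# Kill udevd
#sed -i 's|/sbin/start_udev|#/sbin/start_udev|g' $root/etc/rc.d/rc.sysinit
#chroot $root "cd /dev && /sbin/MAKEDEV ptyp"

# Append the sysctl snippet.  The quoted delimiter keeps the here-document
# literal (nothing in it is meant to expand on the build host).  The page's
# copy read "cat <> file", which opens the file read-write and then runs
# the following lines as shell commands; "<<EOF >>" is presumably what was
# intended - confirm against the upstream copy.
cat <<'EOF' >> "$root/etc/sysctl.conf"
# On Hardware Node we generally need packet
# forwarding enabled and proxy arp disabled

net.ipv4.conf.default.forwarding=1
net.ipv4.conf.default.proxy_arp = 0
net.ipv4.ip_forward=1

# Enables source route verification
net.ipv4.conf.all.rp_filter = 1

# Enables the magic-sysrq key
kernel.sysrq = 1

# TCP Explict Congestion Notification
net.ipv4.tcp_ecn = 0

# we do not want all our interfaces to send redirects
net.ipv4.conf.default.send_redirects = 1
net.ipv4.conf.all.send_redirects = 0
EOF

cat <<'EOF' > "$root/etc/apt/sources.list"
deb http://http.us.debian.org/debian squeeze main contrib
deb http://security.debian.org squeeze/updates main contrib
deb http://http.us.debian.org/debian squeeze-updates main
## backports - ONLY IF YOU KNOW WHAT YOU DO
# deb http://http.us.debian.org/debian-backports/ squeeze-backports main
EOF
cat <<'EOF' > "$root/etc/apt/preferences"
Package: *
Pin: release a=squeeze-backports
Pin-Priority: 200
EOF

#Remove services that we don't want starting
# Turn unneeded services off
#OFF_SERVICES="control hwclock module mount network-interface
#plymouth procps tty udev upstart"
#for S in $OFF_SERVICES; do
#  rm $root/etc/init/$S*
#  #This doesn't work right yet; the above is a hack
#  #chroot $root update-rc.d $S purge
#done

# Turn needed services on
#ON_SERVICES="network iptables crond sshd rsyslog"
#for S in $ON_SERVICES; do
#  [ -f $root/etc/init.d/$S ] && chroot $root /sbin/chkconfig $S on
#done

#include packages that minbase lacks
#chroot $root apt-get install -y cron openssh-server logrotate \
#sysstat strace vim iptables gzip tcpdump bc mtr-tiny telnet sudo gawk \
#less ping sed wget zsh unzip aptitude rsyslog || true

# Convert system to shadow password files
chroot "$root" /usr/sbin/pwconv

# Disable root login: lock the root password so the account is unusable
# until the container operator sets a password of their own.
chroot "$root" /usr/sbin/usermod -L root

# Do not launch *getty on tty devices - they are not accessible from VPS
#sed -i -e '/getty/d' $root/etc/inittab

# Mount /dev/pts
echo "none /dev/pts devpts rw 0 0" >> "$root/etc/fstab"

# Modprobe is NOT our friend
#chroot $root rm /sbin/modprobe
#chroot $root ln -s /bin/true /sbin/modprobe

# Disable fsync() in syslog
#if [ -f $root/etc/syslog.conf ]; then
#  sed -i -e 's@\([[:space:]]\)\(/var/log/\)@\1-\2@' $root/etc/rsyslog.conf
#fi

# Remove unnecessary setuid bits
#find $root/ $root/usr -xdev -type f -perm +04000 | \
#  grep -vP '(/bin/(su|ping|traceroute)|/usr/bin/(passwd|sudo|chsh|crontab)|/usr/libexec/openssh/ssh-keysign)$' | \
#  xargs -r chmod ug-s

# Remove unnecessary setgid bits
#find $root/ $root/usr -xdev -type f -perm +02000 | \
#  grep -vP '(/usr/sbin/(postdrop|postqueue)|/usr/bin/ssh-agent)$' | \
#  xargs -r chmod g-s

# Do not try to unload iptables modules
#if [ -f $root/etc/sysconfig/iptables-config ]; then
#  sed -i -e 's/^IPTABLES_MODULES_UNLOAD.*/IPTABLES_MODULES_UNLOAD=\"no\"/' $root/etc/sysconfig/iptables-config
#fi

# Set non-interactive mode for initscripts (openvz bug #46)
#sed -i -e 's/^PROMPT=.*/PROMPT=no/' $root/etc/sysconfig/init

#Cleanup
chroot "$root" apt-get clean
# -y: autoremove may prompt, and an unattended build has no stdin to answer
chroot "$root" apt-get -y autoremove

# Drop the SSH host keys debootstrap generated so that every container made
# from this template gets its own pair (see the first-boot hook below).  The
# glob must be expanded against the chroot path: "chroot $root rm -f
# /etc/ssh/ssh_host_*" lets the build host's shell expand the pattern
# against the HOST's /etc/ssh, so which files got removed depended on what
# the host happened to have.
rm -f "$root"/etc/ssh/ssh_host_*

#Generate new ssh keys on firstboot
# The hook only removes itself once both keys exist, so a failed keygen is
# retried on the next boot instead of leaving sshd without host keys.
cat <<'EOF' > "$root/etc/rc2.d/S15ssh_gen_host_keys"
#!/bin/sh
[ -f /etc/ssh/ssh_host_rsa_key ] || ssh-keygen -f /etc/ssh/ssh_host_rsa_key -t rsa -N '' || exit 1
[ -f /etc/ssh/ssh_host_dsa_key ] || ssh-keygen -f /etc/ssh/ssh_host_dsa_key -t dsa -N '' || exit 1
rm -f "$0"
EOF

chmod a+x "$root/etc/rc2.d/S15ssh_gen_host_keys"

chroot "$root" update-rc.d -f ondemand remove

# Blank out host-specific state and build-time logs.  Each file gets its own
# command: the original chained the redirections with backslash
# continuations onto a single echo, so "localhost" landed in
# /var/log/messages and /etc/hostname was left empty.
: > "$root/etc/resolv.conf"
echo localhost > "$root/etc/hostname"
mkdir -p "$root/var/log/apt"
for logfile in messages auth.log kern.log bootstrap.log dpkg.log syslog daemon.log apt/term.log; do
  : > "$root/var/log/$logfile"
done
rm -f "$root"/var/log/*.0 "$root"/var/log/*.1

# Pack the tree.  --numeric-owner stores uids/gids rather than names so the
# archive does not depend on the build host's passwd database.
rm -f "$out"
tar --numeric-owner -C "$root" -czf "$out" .
echo "Completed template can be found at $out"

--------------------------------------------------------------------------------
/buildubuntu:
--------------------------------------------------------------------------------
#!/bin/bash
# Template construction and configuration utility
#
# Builds a minimal Ubuntu 10.04 (lucid) OpenVZ template with debootstrap
# into a throw-away chroot under $root, adapts upstart for container use,
# strips unneeded services, setuid bits, host keys and logs, then tars the
# tree up as $out.  Must run as root on a dpkg-based host with debootstrap
# available (see README).  Any failing command aborts the build (errexit).

set -o errexit
set -o nounset

root="/tmp/newvz_chroot_ubuntu"
pkg="/tmp/newvz_pkg"
out="/tmp/ubuntu-10.04_amd64.tar.gz"

# NOTE(review): $root and $out are fixed, predictable names under the
# world-writable /tmp while this script runs as root, and the finished
# archive (which contains the template's /etc/shadow) is created with the
# default umask.  On a shared build host point them at a root-owned
# directory instead.

rm -rf "$root" "$pkg"
debootstrap \
  --include=cron,openssh-server,logrotate,strace,vim,iptables,tcpdump,bc,mtr-tiny,telnet,sudo,gawk,gpgv,less,iputils-ping,wget,zsh,unzip,aptitude,rsyslog,dhcp3-client,rsync,base-files,ubuntu-keyring \
  --arch=amd64 --variant=minbase lucid "$root"

# Set the same timezone as for host system
[ -f /etc/localtime ] && cp -fp /etc/localtime "$root/etc/localtime"

# Kill udevd
#sed -i 's|/sbin/start_udev|#/sbin/start_udev|g' $root/etc/rc.d/rc.sysinit
#chroot $root "cd /dev && /sbin/MAKEDEV ptyp"

# Write a full sources.list (including the security pocket).  The quoted
# delimiter keeps the here-document literal.  The page's copy read
# "cat <> file", which opens the file read-write and then runs the following
# lines as shell commands; "<<EOF >" is presumably what was intended -
# confirm against the upstream copy.
cat <<'EOF' > "$root/etc/apt/sources.list"
#
# deb cdrom:[Ubuntu-Server 10.04.3 LTS _Lucid Lynx_ - Release amd64 (20110719.2)]/ lucid main restricted

# deb cdrom:[Ubuntu-Server 10.04.3 LTS _Lucid Lynx_ - Release amd64 (20110719.2)]/ lucid main restricted
# See http://help.ubuntu.com/community/UpgradeNotes for how to upgrade to
# newer versions of the distribution.

deb http://us.archive.ubuntu.com/ubuntu/ lucid main restricted
deb-src http://us.archive.ubuntu.com/ubuntu/ lucid main restricted

## Major bug fix updates produced after the final release of the
## distribution.
deb http://us.archive.ubuntu.com/ubuntu/ lucid-updates main restricted
deb-src http://us.archive.ubuntu.com/ubuntu/ lucid-updates main restricted

## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
## team. Also, please note that software in universe WILL NOT receive any
## review or updates from the Ubuntu security team.
deb http://us.archive.ubuntu.com/ubuntu/ lucid universe
deb-src http://us.archive.ubuntu.com/ubuntu/ lucid universe
deb http://us.archive.ubuntu.com/ubuntu/ lucid-updates universe
deb-src http://us.archive.ubuntu.com/ubuntu/ lucid-updates universe

## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
## team, and may not be under a free licence. Please satisfy yourself as to
## your rights to use the software. Also, please note that software in
## multiverse WILL NOT receive any review or updates from the Ubuntu
## security team.
deb http://us.archive.ubuntu.com/ubuntu/ lucid multiverse
deb-src http://us.archive.ubuntu.com/ubuntu/ lucid multiverse
deb http://us.archive.ubuntu.com/ubuntu/ lucid-updates multiverse
deb-src http://us.archive.ubuntu.com/ubuntu/ lucid-updates multiverse

## Uncomment the following two lines to add software from the 'backports'
## repository.
## N.B. software from this repository may not have been tested as
## extensively as that contained in the main release, although it includes
## newer versions of some applications which may provide useful features.
## Also, please note that software in backports WILL NOT receive any review
## or updates from the Ubuntu security team.
# deb http://us.archive.ubuntu.com/ubuntu/ lucid-backports main restricted universe multiverse
# deb-src http://us.archive.ubuntu.com/ubuntu/ lucid-backports main restricted universe multiverse

## Uncomment the following two lines to add software from Canonical's
## 'partner' repository.
## This software is not part of Ubuntu, but is offered by Canonical and the
## respective vendors as a service to Ubuntu users.
# deb http://archive.canonical.com/ubuntu lucid partner
# deb-src http://archive.canonical.com/ubuntu lucid partner

deb http://security.ubuntu.com/ubuntu lucid-security main restricted
deb-src http://security.ubuntu.com/ubuntu lucid-security main restricted
deb http://security.ubuntu.com/ubuntu lucid-security universe
deb-src http://security.ubuntu.com/ubuntu lucid-security universe
deb http://security.ubuntu.com/ubuntu lucid-security multiverse
deb-src http://security.ubuntu.com/ubuntu lucid-security multiverse
EOF

# Upstart job that stands in for the missing early-boot plumbing inside a
# container.  The delimiter MUST stay quoted: with an unquoted EOF the
# "$(find /etc/network/ ...)" test below was expanded on the BUILD HOST, so
# the job baked in whatever the host's /etc/network contained instead of
# checking the container's at boot.
cat <<'EOF' > "$root/etc/init/openvz.conf"
# OpenVZ - Fix init sequence to have OpenVZ working with upstart

description "Fix OpenVZ"

start on startup

task
pre-start script
  mount -t devpts devpts /dev/pts
  #mount -t tmpfs varrun /var/run
  #mount -t tmpfs varlock /var/lock
  mkdir -p /var/run/network
  if [ ! -e /etc/mtab ]; then
    cat /proc/mounts > /etc/mtab
  fi
  touch /var/run/utmp
  chmod 664 /var/run/utmp
  chown root.utmp /var/run/utmp
  if [ "$(find /etc/network/ -name upstart -type f)" ]; then
    chmod -x /etc/network/*/upstart || true
  fi
end script

script
  start networking
  initctl emit filesystem --no-wait
  initctl emit local-filesystems --no-wait
  initctl emit virtual-filesystems --no-wait
  init 2
end script

EOF

# No console on these things
perl -pi -e '/^console/ and s/^/#/' "$root/etc/init/rc.conf"

# Fix locale so apt doesn't kill us
chroot "$root" /usr/sbin/locale-gen en_US.UTF-8
#chroot $root '/usr/sbin/update-locale LANG="en_US.UTF-8" LANGUAGE="en_US.UTF-8" LC_ALL="en_US.UTF-8" LC_CTYPE="C"'
chroot "$root" /usr/sbin/update-locale

#Remove services that we don't want starting
# Turn unneeded services off.  Each name is a prefix glob, so e.g. "tty"
# also removes tty1..ttyN and "mount" removes mountall*; that is the intent.
# rm -f: a name with no matching job must not abort the build under errexit.
OFF_SERVICES="control hwclock module mount network-interface plymouth procps tty udev upstart"
for S in $OFF_SERVICES; do
  rm -f "$root"/etc/init/$S*
  #This doesn't work right yet; the above is a hack
  #chroot $root update-rc.d $S purge
done

# Turn needed services on
#ON_SERVICES="network iptables crond sshd rsyslog"
#for S in $ON_SERVICES; do
#  [ -f $root/etc/init.d/$S ] && chroot $root /sbin/chkconfig $S on
#done

# This keeps apt from whining about bad locale

#include packages that minbase lacks
#chroot $root apt-get install -y cron openssh-server logrotate \
#sysstat strace vim iptables gzip tcpdump bc mtr-tiny telnet sudo gawk \
#less ping sed wget zsh unzip aptitude rsyslog || true

# Convert system to shadow password files
chroot "$root" /usr/sbin/pwconv

# Disable root login: lock the root password so the account is unusable
# until the container operator sets a password of their own.
chroot "$root" /usr/sbin/usermod -L root

# Do not launch *getty on tty devices - they are not accessible from VPS
#sed -i -e '/getty/d' $root/etc/inittab

# Mount /dev/pts
echo "none /dev/pts devpts rw 0 0" >> "$root/etc/fstab"

# Modprobe is NOT our friend: a container cannot load modules, so replace
# it with a no-op rather than let package scripts fail on it.
chroot "$root" rm /sbin/modprobe
chroot "$root" ln -s /bin/true /sbin/modprobe

# Disable fsync() in syslog
#if [ -f $root/etc/syslog.conf ]; then
#  sed -i -e 's@\([[:space:]]\)\(/var/log/\)@\1-\2@' $root/etc/rsyslog.conf
#fi

# Remove unnecessary setuid bits, keeping only su, ping, traceroute, passwd,
# sudo, chsh, crontab and ssh-keysign.  -perm /mode is the supported
# spelling of the deprecated +mode; xargs -r skips the chmod when nothing
# matches.  NOTE(review): the keep-list is CentOS-oriented - on Ubuntu
# ssh-keysign presumably lives under /usr/lib/openssh and so loses its bit
# (only host-based authentication is affected); verify this is acceptable.
find "$root/" "$root/usr" -xdev -type f -perm /04000 | \
  grep -vP '(/bin/(su|ping|traceroute)|/usr/bin/(passwd|sudo|chsh|crontab)|/usr/libexec/openssh/ssh-keysign)$' | \
  xargs -r chmod ug-s

# Remove unnecessary setgid bits
find "$root/" "$root/usr" -xdev -type f -perm /02000 | \
  grep -vP '(/usr/sbin/(postdrop|postqueue)|/usr/bin/ssh-agent)$' | \
  xargs -r chmod g-s

# Do not try to unload iptables modules
#if [ -f $root/etc/sysconfig/iptables-config ]; then
#  sed -i -e 's/^IPTABLES_MODULES_UNLOAD.*/IPTABLES_MODULES_UNLOAD=\"no\"/' $root/etc/sysconfig/iptables-config
#fi

# Set non-interactive mode for initscripts (openvz bug #46)
#sed -i -e 's/^PROMPT=.*/PROMPT=no/' $root/etc/sysconfig/init

#Cleanup
#chroot $root apt-get update
#chroot $root aptitude -y dist-upgrade || true
chroot "$root" apt-get clean
# -y: autoremove may prompt, and an unattended build has no stdin to answer
chroot "$root" apt-get -y autoremove

# Drop the SSH host keys debootstrap generated so that every container made
# from this template gets its own pair (see the first-boot hook below).  The
# glob must be expanded against the chroot path: "chroot $root rm -f
# /etc/ssh/ssh_host_*" lets the build host's shell expand the pattern
# against the HOST's /etc/ssh, so which files got removed depended on what
# the host happened to have.
rm -f "$root"/etc/ssh/ssh_host_*

#Generate new ssh keys on firstboot
# The hook only removes itself once both keys exist, so a failed keygen is
# retried on the next boot instead of leaving sshd without host keys.
cat <<'EOF' > "$root/etc/rc2.d/S15ssh_gen_host_keys"
#!/bin/sh
[ -f /etc/ssh/ssh_host_rsa_key ] || ssh-keygen -f /etc/ssh/ssh_host_rsa_key -t rsa -N '' || exit 1
[ -f /etc/ssh/ssh_host_dsa_key ] || ssh-keygen -f /etc/ssh/ssh_host_dsa_key -t dsa -N '' || exit 1
rm -f "$0"
EOF

chmod a+x "$root/etc/rc2.d/S15ssh_gen_host_keys"

chroot "$root" update-rc.d -f ondemand remove
chroot "$root" update-rc.d ssh defaults

# Blank out host-specific state and build-time logs.  Each file gets its own
# command: the original chained the redirections with backslash
# continuations onto a single echo, so "localhost" landed in
# /var/log/messages and /etc/hostname was left empty.
: > "$root/etc/resolv.conf"
echo localhost > "$root/etc/hostname"
mkdir -p "$root/var/log/apt"
for logfile in messages auth.log kern.log bootstrap.log dpkg.log syslog daemon.log apt/term.log; do
  : > "$root/var/log/$logfile"
done
rm -f "$root"/var/log/*.0 "$root"/var/log/*.1

# Pack the tree.  --numeric-owner stores uids/gids rather than names so the
# archive does not depend on the build host's passwd database.
rm -f "$out"
tar --numeric-owner -C "$root" -czf "$out" .
echo "Completed template can be found at $out"

--------------------------------------------------------------------------------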