Adds ec2-user with full sudo access without password per Fedora security guidelines. We should not use root access on AMIs as it is not secure and prohibited by AWS.
issues.jboss.org/browse/BGBUILD-110
# File lib/boxgrinder-build/plugins/platform/ec2/ec2-plugin.rb, line 159
# Creates the unprivileged 'ec2-user' account inside the image and grants it
# passwordless sudo for every command by appending a rule to /etc/sudoers.
# execute runs this before change_configuration turns off PermitRootLogin, so
# this account is the non-root login path that remains.
#
# @param guestfs [Guestfs] handle to the mounted appliance image
# @return [nil]
def add_ec2_user(guestfs)
  @log.debug "Adding ec2-user user..."

  # Idempotence guard: fgrep is a plain substring search over /etc/passwd, so
  # any line containing "ec2-user" counts as "already present".
  # https://issues.jboss.org/browse/BGBUILD-313
  already_present = !guestfs.fgrep("ec2-user", "/etc/passwd").empty?
  if already_present
    @log.debug("ec2-user already exists, skipping.")
    return
  end

  guestfs.sh("useradd ec2-user")
  # NOTE(review): the rule is appended without a visudo syntax check; sudo
  # refuses to run at all when /etc/sudoers is malformed, so a bad line here
  # would leave the resulting image without any working sudo.
  guestfs.sh("echo -e 'ec2-user\tALL=(ALL)\tNOPASSWD: ALL' >> /etc/sudoers")
  @log.debug "User ec2-user added."
end
# File lib/boxgrinder-build/plugins/platform/ec2/ec2-plugin.rb, line 27
# Plugin hook run once after construction: declares the single deliverable
# (the .ec2 disk image named after the appliance) and the OS/version pairs this
# platform plugin accepts. Registration order is kept as before.
def after_init
  register_deliverable(:disk => "#{@appliance_config.name}.ec2")

  supported = [
    ['fedora', ['13', '14', '15', '16', '17']],
    ['centos', ['5', '6']],
    ['sl', ['5', '6']],
    ['rhel', ['5', '6']]
  ]
  supported.each { |os_name, versions| register_supported_os(os_name, versions) }
end
# File lib/boxgrinder-build/plugins/platform/ec2/ec2-plugin.rb, line 217
# Hardens sshd inside the image: password logins are refused and root may not
# log in directly. In execute this runs after add_ec2_user, so the non-root
# account still provides a login path once root is locked out over SSH.
#
# @param guestfs_helper [GuestFSHelper] wrapper exposing the augeas block DSL
def change_configuration(guestfs_helper)
  sshd_config = "/etc/ssh/sshd_config"
  hardening = [
    ["PasswordAuthentication", "no"], # no password logins
    ["PermitRootLogin", "no"]         # use ec2-user + sudo instead of root
  ]

  guestfs_helper.augeas do
    hardening.each { |option, value| set(sshd_config, option, value) }
  end
end
# File lib/boxgrinder-build/plugins/platform/ec2/ec2-plugin.rb, line 90
# Creates the console, null and zero device nodes under /dev with MAKEDEV.
# Does nothing when /sbin/MAKEDEV is absent from the image (guestfs.exists
# returns 0 in that case).
#
# @param guestfs [Guestfs] handle to the mounted appliance image
def create_devices(guestfs)
  makedev = '/sbin/MAKEDEV'
  return if guestfs.exists(makedev) == 0

  @log.debug "Creating required devices..."
  %w[console null zero].each do |node|
    guestfs.sh("#{makedev} -d /dev -x #{node}")
  end
  @log.debug "Devices created."
end
# File lib/boxgrinder-build/plugins/platform/ec2/ec2-plugin.rb, line 100
# Device-name prefix substituted into the fstab template: RHEL/CentOS 5
# appliances get 's' (sdX devices), everything else gets 'xv' (xvdX).
#
# @return [String] 's' or 'xv'
def disk_device_prefix
  os = @appliance_config.os
  el5 = %w[rhel centos].include?(os.name) && os.version == '5'
  el5 ? 's' : 'xv'
end
Enables networking on the default runlevels.
# File lib/boxgrinder-build/plugins/platform/ec2/ec2-plugin.rb, line 177
# Turns the 'network' service on for the default runlevels and installs the
# bundled src/ifcfg-eth0 as the eth0 interface configuration.
#
# @param guestfs [Guestfs] handle to the mounted appliance image
def enable_networking(guestfs)
  @log.debug "Enabling networking..."

  ifcfg_source = "#{File.dirname(__FILE__)}/src/ifcfg-eth0"
  guestfs.sh("/sbin/chkconfig network on")
  guestfs.upload(ifcfg_source, "/etc/sysconfig/network-scripts/ifcfg-eth0")

  @log.debug "Networking enabled."
end
This fixes issues with Fedora 14 on EC2: bugzilla.redhat.com/show_bug.cgi?id=651861#c39
# File lib/boxgrinder-build/plugins/platform/ec2/ec2-plugin.rb, line 148
# Writes the "hwcap 1 nosegneg" hint into /etc/ld.so.conf.d/libc6-xen.conf and
# refreshes the linker cache. Called from execute for Fedora appliances only.
#
# @param guestfs [Guestfs] handle to the mounted appliance image
def enable_nosegneg_flag(guestfs)
  @log.debug "Enabling nosegneg flag..."

  commands = [
    'echo "hwcap 1 nosegneg" > /etc/ld.so.conf.d/libc6-xen.conf',
    '/sbin/ldconfig'
  ]
  commands.each { |command| guestfs.sh(command) }

  @log.debug "Nosegneg enabled."
end
# File lib/boxgrinder-build/plugins/platform/ec2/ec2-plugin.rb, line 36
# Main plugin entry point: creates the 10 GB destination disk, syncs the
# previous deliverable's filesystem into it and then applies every EC2
# customisation step in a fixed order (kernel swap for EL5, devices, fstab,
# networking, rc.local, ec2-user, sshd hardening, boot menu, Fedora nosegneg
# flag, and finally the user's post commands).
def execute
  @linux_helper = LinuxHelper.new(:log => @log)

  @log.info "Converting #{@appliance_config.name} appliance image to EC2 format..."

  @image_helper.create_disk(@deliverables.disk, 10) # 10 GB destination disk

  @image_helper.customize([@previous_deliverables.disk, @deliverables.disk], :automount => false) do |gfs, helper|
    @image_helper.sync_filesystem(gfs, helper)

    # TODO is this really needed? This copies the build host's own
    # /etc/resolv.conf into the image.
    @log.debug "Uploading '/etc/resolv.conf'..."
    gfs.upload("/etc/resolv.conf", "/etc/resolv.conf")
    @log.debug "'/etc/resolv.conf' uploaded."

    os = @appliance_config.os
    if %w[rhel centos].include?(os.name) && os.version == '5'
      # EL5 needs the kernel-xen package instead of the stock kernel, plus the
      # xenblk/xennet modules added to the kernel image.
      gfs.sh("yum -y remove kernel")
      helper.sh("yum -y install kernel-xen", :arch => @appliance_config.hardware.arch)
      @linux_helper.recreate_kernel_image(gfs, ['xenblk', 'xennet'])
    end

    create_devices(gfs)
    # presumably the mount point referenced by src/fstab_64bit — verify against the template
    gfs.mkdir("/data") if @appliance_config.is64bit?
    upload_fstab(gfs)
    enable_networking(gfs)
    upload_rc_local(gfs)
    add_ec2_user(gfs)
    change_configuration(helper)
    install_menu_lst(gfs)
    enable_nosegneg_flag(gfs) if os.name == 'fedora'
    # Runs last, so post commands from the appliance definition can override
    # any of the settings applied above.
    execute_post(helper)
  end

  @log.info "Image converted to EC2 format."
end
# File lib/boxgrinder-build/plugins/platform/ec2/ec2-plugin.rb, line 79
# Runs the 'ec2' post-processing commands from the appliance definition file
# inside the image, in definition order. An empty list is still reported as
# "executed"; only a missing 'ec2' key is reported as skipped.
#
# @param guestfs_helper [GuestFSHelper] wrapper whose #sh runs a command for the
#   appliance's architecture
def execute_post(guestfs_helper)
  commands = @appliance_config.post['ec2']

  if commands.nil?
    @log.debug "No commands specified, skipping."
  else
    arch = @appliance_config.hardware.arch
    commands.each { |cmd| guestfs_helper.sh(cmd, :arch => arch) }
    @log.debug "Post commands from appliance definition file executed."
  end
end
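# File lib/boxgrinder-build/plugins/platform/ec2/ec2-plugin.rb, line 107
# Renders the bundled fstab template (32- or 64-bit variant) and uploads it as
# /etc/fstab in the image. Two placeholders are substituted: #DISK_DEVICE_PREFIX#
# (see disk_device_prefix) and #FILESYSTEM_TYPE# (the root partition's type from
# the appliance definition).
#
# Fixes: the template was read with File.open(...).read, which never closed the
# handle, and the rendered Tempfile was closed but never unlinked.
#
# @param guestfs [Guestfs] handle to the mounted appliance image
def upload_fstab(guestfs)
  @log.debug "Uploading '/etc/fstab' file..."

  variant = @appliance_config.is64bit? ? 'fstab_64bit' : 'fstab_32bit'
  template = "#{File.dirname(__FILE__)}/src/#{variant}"

  # File.read opens, reads and closes in one step.
  fstab_data = File.read(template)
  fstab_data = fstab_data.gsub(/#DISK_DEVICE_PREFIX#/, disk_device_prefix)
  fstab_data = fstab_data.gsub(/#FILESYSTEM_TYPE#/, @appliance_config.hardware.partitions['/']['type'])

  fstab = Tempfile.new('fstab')
  begin
    fstab << fstab_data
    fstab.flush
    guestfs.upload(fstab.path, "/etc/fstab")
  ensure
    fstab.close! # close and unlink; the rendered copy is not needed after upload
  end

  @log.debug "'/etc/fstab' file uploaded."
end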
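# File lib/boxgrinder-build/plugins/platform/ec2/ec2-plugin.rb, line 184
# Appends the bundled src/rc_local snippet to the image's /etc/rc.d/rc.local
# (creating the file with a bash shebang when it does not exist) and, on
# Fedora 16 or newer, enables the systemd rc-local compatibility unit ordered
# after network.target so the snippet runs with the network available.
#
# Fixes: the Fedora version was compared as a string ('9' >= '16' is true);
# it is now compared numerically. The Tempfile is also unlinked, not just closed.
#
# @param guestfs [Guestfs] handle to the mounted appliance image
def upload_rc_local(guestfs)
  @log.debug "Uploading '/etc/rc.d/rc.local' file..."

  rc_local_path = "/etc/rc.d/rc.local"
  rc_local = Tempfile.new('rc_local')
  begin
    if guestfs.exists(rc_local_path) == 1
      # Keep whatever the base image already runs at boot and append to it.
      rc_local << guestfs.read_file(rc_local_path)
    else
      rc_local << "#!/bin/bash\n\n"
    end
    rc_local << File.read("#{File.dirname(__FILE__)}/src/rc_local")
    rc_local.flush

    guestfs.upload(rc_local.path, rc_local_path)
  ensure
    rc_local.close! # close and unlink the temporary copy
  end

  # Fedora 16 doesn't have /etc/rc.local file and we need to
  # enable rc.local compatibility with systemd.
  # We need to make sure that network is available when executing rc.local.
  # NOTE(review): the file is only chmod'ed on this branch; whether a freshly
  # created rc.local is executable on other distributions depends on the mode
  # guestfs.upload gives it — confirm.
  os = @appliance_config.os
  if os.name == 'fedora' && os.version.to_i >= 16
    guestfs.cp("/lib/systemd/system/rc-local.service", "/etc/systemd/system/")
    guestfs.sh("sed -i '/^ConditionFileIsExecutable/a After=network.target' /etc/systemd/system/rc-local.service")
    guestfs.sh("systemctl enable rc-local.service")
    guestfs.ln_sf(rc_local_path, "/etc/rc.local")
    guestfs.chmod(0755, rc_local_path)
  end

  @log.debug "'/etc/rc.d/rc.local' file uploaded."
end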