baseimage/initializeBaseUbuntuImage.sh

#!/bin/bash

set -euv -o pipefail

readonly USER=yellowtent
readonly USER_HOME="/home/${USER}"
readonly INSTALLER_SOURCE_DIR="${USER_HOME}/installer"
readonly INSTALLER_REVISION="${1:-master}"
readonly PROVIDER="${2:-generic}"

readonly SOURCE_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"

function die {
    echo $1
    exit 1
}

[[ "$(systemd --version 2>&1)" == *"systemd 229"* ]] || die "Expecting systemd to be 229"

echo "==== Create User ${USER} ===="
if ! id "${USER}"; then
    useradd "${USER}" -m
fi

export DEBIAN_FRONTEND=noninteractive

echo "=== Upgrade ==="
apt-get -o Dpkg::Options::="--force-confdef" update -y
apt-get -o Dpkg::Options::="--force-confdef" dist-upgrade -y
apt-get install -y curl iptables

echo "==== Install btrfs tools ==="
apt-get -y install btrfs-tools

echo "==== Install docker ===="
# install docker from binary to pin it to a specific version. the current debian repo does not allow pinning
# IMPORTANT: docker 1.11.x breaks the --dns option hack that we use below
curl https://get.docker.com/builds/Linux/x86_64/docker-1.10.2 > /usr/bin/docker
apt-get -y install aufs-tools
chmod +x /usr/bin/docker
groupadd docker
usermod "${USER}" -a -G docker

echo "=== Enable memory accounting =="
sed -e 's/^GRUB_CMDLINE_LINUX="\(.*\)"$/GRUB_CMDLINE_LINUX="\1 cgroup_enable=memory swapaccount=1 panic_on_oops=1 panic=5"/' -i /etc/default/grub
update-grub

echo "==== Install nodejs ===="
# Cannot use anything above 4.1.1 - https://github.com/nodejs/node/issues/3803
mkdir -p /usr/local/node-4.1.1
curl -sL https://nodejs.org/dist/v4.1.1/node-v4.1.1-linux-x64.tar.gz | tar zxvf - --strip-components=1 -C /usr/local/node-4.1.1
ln -s /usr/local/node-4.1.1/bin/node /usr/bin/node
ln -s /usr/local/node-4.1.1/bin/npm /usr/bin/npm
apt-get install -y python   # Install python which is required for npm rebuild
[[ "$(python --version 2>&1)" == "Python 2.7."* ]] || die "Expecting python version to be 2.7.x"

echo "==== Downloading docker images ===="
if [ -f ${SOURCE_DIR}/infra_version.js ]; then
    images=$(node -e "var i = require('${SOURCE_DIR}/infra_version.js'); console.log(i.baseImages.join(' '), Object.keys(i.images).map(function (x) { return i.images[x].tag; }).join(' '));")

    echo "Pulling images: ${images}"
    for image in ${images}; do
        docker pull "${image}"
    done
else
    echo "No infra_versions.js found, skipping image download"
fi

echo "==== Install nginx ===="
apt-get -y install nginx-full
[[ "$(nginx -v 2>&1)" == *"nginx/1.10."* ]] || die "Expecting nginx version to be 1.10.x"

echo "==== Install build-essential ===="
apt-get -y install build-essential rcconf

echo "==== Install mysql ===="
debconf-set-selections <<< 'mysql-server mysql-server/root_password password password'
debconf-set-selections <<< 'mysql-server mysql-server/root_password_again password password'
apt-get -y install mysql-server-5.7
[[ "$(mysqld --version 2>&1)" == *"5.7."* ]] || die "Expecting mysql version to be 5.7.x"

echo "==== Install pwgen and swaks awscli ===="
apt-get -y install pwgen swaks awscli

echo "==== Install collectd ==="
if ! apt-get install -y collectd collectd-utils; then
    # FQDNLookup is true in default debian config. The box code has a custom collectd.conf that fixes this
    echo "Failed to install collectd. Presumably because of http://mailman.verplant.org/pipermail/collectd/2015-March/006491.html"
    sed -e 's/^FQDNLookup true/FQDNLookup false/' -i /etc/collectd/collectd.conf
fi
update-rc.d -f collectd remove

# this simply makes it explicit that we run logrotate via cron. it's already part of base ubuntu
echo "==== Install logrotate ==="
apt-get install -y cron logrotate
systemctl enable cron

echo "=== Prepare installer revision - ${INSTALLER_REVISION}) ==="
rm -rf /tmp/box && mkdir -p /tmp/box
curl "https://git.cloudron.io/cloudron/box/repository/archive.tar.gz?ref=${INSTALLER_REVISION}" | tar zxvf - --strip-components=1 -C /tmp/box
mkdir -p "${INSTALLER_SOURCE_DIR}"
cp -rf /tmp/box/installer/* "${INSTALLER_SOURCE_DIR}" && rm -rf /tmp/box
chown "${USER}:${USER}" -R "${INSTALLER_SOURCE_DIR}"
echo "${INSTALLER_REVISION}" > "${INSTALLER_SOURCE_DIR}/REVISION"

apt-get -y install acl

# DO uses Google nameservers by default. This causes RBL queries to fail (host 2.0.0.127.zen.spamhaus.org)
# We do not use dnsmasq because it is not a recursive resolver and defaults to the value in the interfaces file (which is Google DNS!)
echo "==== Install unbound DNS ==="
apt-get -y install unbound

echo "==== Install ssh ==="
apt-get -y install openssh-server
list ldap as 0.0.25 change 2015-08-04 16:29:49 -07:00			`#!/bin/bash`

			`set -euv -o pipefail`

			`readonly USER=yellowtent`
			`readonly USER_HOME="/home/${USER}"`
			`readonly INSTALLER_SOURCE_DIR="${USER_HOME}/installer"`
download installer in base image script 2016-10-21 15:52:40 -07:00			`readonly INSTALLER_REVISION="${1:-master}"`
default provider to generic 2016-10-21 12:58:01 -07:00			`readonly PROVIDER="${2:-generic}"`
list ldap as 0.0.25 change 2015-08-04 16:29:49 -07:00
Use constants from the box repo 2015-08-12 19:52:43 -07:00			`readonly SOURCE_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"`
Only pull infra images if we have an INFRA_VERSION file 2015-12-23 13:27:33 +01:00
pin packages fixes #558 2016-01-22 10:33:34 -08:00			`function die {`
			`echo $1`
			`exit 1`
			`}`

bump systemd to 229 2016-04-29 19:18:31 -07:00			`[[ "$(systemd --version 2>&1)" == "systemd 229" ]] \|\| die "Expecting systemd to be 229"`
pin packages fixes #558 2016-01-22 10:33:34 -08:00
list ldap as 0.0.25 change 2015-08-04 16:29:49 -07:00			`echo "==== Create User ${USER} ===="`
			`if ! id "${USER}"; then`
			`useradd "${USER}" -m`
			`fi`

			`export DEBIAN_FRONTEND=noninteractive`

			`echo "=== Upgrade ==="`
Choose default confs Fixes #92 2016-11-08 15:35:51 +05:30			`apt-get -o Dpkg::Options::="--force-confdef" update -y`
			`apt-get -o Dpkg::Options::="--force-confdef" dist-upgrade -y`
Ensure we have iptables installed Fixes #122 2016-12-02 17:13:42 +01:00			`apt-get install -y curl iptables`
list ldap as 0.0.25 change 2015-08-04 16:29:49 -07:00
Move ssh to port 202 2015-11-01 08:46:28 -08:00			`echo "==== Install btrfs tools ==="`
Create app and data partitions dynamically 2015-08-26 09:23:30 -07:00			`apt-get -y install btrfs-tools`

list ldap as 0.0.25 change 2015-08-04 16:29:49 -07:00			`echo "==== Install docker ===="`
Install docker binaries instead of apt The apt binaries lxc-* are obsolete and replaced with 'docker-engine' packages. The new repos however do not allow pinning to a specific version. so brain dead. https://docs.docker.com/engine/installation/binaries/#get-the-linux-binary 2015-11-18 11:52:41 -08:00			`# install docker from binary to pin it to a specific version. the current debian repo does not allow pinning`
we are tied to docker 1.10 for now 2016-08-11 16:29:03 -07:00			`# IMPORTANT: docker 1.11.x breaks the --dns option hack that we use below`
use docker 1.10.2 (untested) 2016-03-01 10:13:44 -08:00			`curl https://get.docker.com/builds/Linux/x86_64/docker-1.10.2 > /usr/bin/docker`
install aufs tools https://github.com/docker/docker/issues/915 2016-03-01 10:13:02 -08:00			`apt-get -y install aufs-tools`
Install docker binaries instead of apt The apt binaries lxc-* are obsolete and replaced with 'docker-engine' packages. The new repos however do not allow pinning to a specific version. so brain dead. https://docs.docker.com/engine/installation/binaries/#get-the-linux-binary 2015-11-18 11:52:41 -08:00			`chmod +x /usr/bin/docker`
			`groupadd docker`
Move firewall setup to container.sh Part of #152 2016-12-21 11:31:58 -08:00			`usermod "${USER}" -a -G docker`
list ldap as 0.0.25 change 2015-08-04 16:29:49 -07:00
Enable memory accounting 2015-08-24 22:33:35 -07:00			`echo "=== Enable memory accounting =="`
Remove DO specific grub cmd line The new DO images have a different label causing DO images to not boot root@ubuntu-2gb-sfo1-01:~# e2label /dev/vda1 cloudimg-rootfs net.ifnames=0 is used get unpredictable names as per https://www.freedesktop.org/wiki/Software/systemd/PredictableNetworkInterfaceNames/. Not sure why we want that. Not sure about notsc and clocksource. This change also preserves any existing cmdline 2016-12-22 12:20:57 -08:00			`sed -e 's/^GRUB_CMDLINE_LINUX="\(.*\)"$/GRUB_CMDLINE_LINUX="\1 cgroup_enable=memory swapaccount=1 panic_on_oops=1 panic=5"/' -i /etc/default/grub`
			`update-grub`
Enable memory accounting 2015-08-24 22:33:35 -07:00
use infra_version.js in baseimage script 2016-05-24 13:05:49 -07:00			`echo "==== Install nodejs ===="`
			`# Cannot use anything above 4.1.1 - https://github.com/nodejs/node/issues/3803`
			`mkdir -p /usr/local/node-4.1.1`
			`curl -sL https://nodejs.org/dist/v4.1.1/node-v4.1.1-linux-x64.tar.gz \| tar zxvf - --strip-components=1 -C /usr/local/node-4.1.1`
			`ln -s /usr/local/node-4.1.1/bin/node /usr/bin/node`
			`ln -s /usr/local/node-4.1.1/bin/npm /usr/bin/npm`
			`apt-get install -y python # Install python which is required for npm rebuild`
			`[[ "$(python --version 2>&1)" == "Python 2.7."* ]] \|\| die "Expecting python version to be 2.7.x"`
list ldap as 0.0.25 change 2015-08-04 16:29:49 -07:00
use infra_version.js in baseimage script 2016-05-24 13:05:49 -07:00			`echo "==== Downloading docker images ===="`
Make infra_version.js option and fix base image on DO 2016-08-10 12:45:23 +02:00			`if [ -f ${SOURCE_DIR}/infra_version.js ]; then`
make baseImage an array 2016-08-20 10:24:29 -07:00			`images=$(node -e "var i = require('${SOURCE_DIR}/infra_version.js'); console.log(i.baseImages.join(' '), Object.keys(i.images).map(function (x) { return i.images[x].tag; }).join(' '));")`
Make infra_version.js option and fix base image on DO 2016-08-10 12:45:23 +02:00
			`echo "Pulling images: ${images}"`
			`for image in ${images}; do`
			`docker pull "${image}"`
			`done`
			`else`
			`echo "No infra_versions.js found, skipping image download"`
			`fi`
list ldap as 0.0.25 change 2015-08-04 16:29:49 -07:00
			`echo "==== Install nginx ===="`
			`apt-get -y install nginx-full`
update nginx version 2016-04-29 19:38:06 -07:00			`[[ "$(nginx -v 2>&1)" == "nginx/1.10." ]] \|\| die "Expecting nginx version to be 1.10.x"`
list ldap as 0.0.25 change 2015-08-04 16:29:49 -07:00
			`echo "==== Install build-essential ===="`
			`apt-get -y install build-essential rcconf`

			`echo "==== Install mysql ===="`
			`debconf-set-selections <<< 'mysql-server mysql-server/root_password password password'`
			`debconf-set-selections <<< 'mysql-server mysql-server/root_password_again password password'`
select mysql 5.7 2016-04-29 19:12:20 -07:00			`apt-get -y install mysql-server-5.7`
			`[[ "$(mysqld --version 2>&1)" == "5.7." ]] \|\| die "Expecting mysql version to be 5.7.x"`
list ldap as 0.0.25 change 2015-08-04 16:29:49 -07:00
install aws-cli tool (for backups) 2016-04-08 23:58:07 -07:00			`echo "==== Install pwgen and swaks awscli ===="`
			`apt-get -y install pwgen swaks awscli`
list ldap as 0.0.25 change 2015-08-04 16:29:49 -07:00
			`echo "==== Install collectd ==="`
Add collectd hack 2016-01-05 15:12:58 -08:00			`if ! apt-get install -y collectd collectd-utils; then`
			`# FQDNLookup is true in default debian config. The box code has a custom collectd.conf that fixes this`
			`echo "Failed to install collectd. Presumably because of http://mailman.verplant.org/pipermail/collectd/2015-March/006491.html"`
			`sed -e 's/^FQDNLookup true/FQDNLookup false/' -i /etc/collectd/collectd.conf`
			`fi`
list ldap as 0.0.25 change 2015-08-04 16:29:49 -07:00			`update-rc.d -f collectd remove`

make it explicit that logrotate is run via cron in base system 2015-10-14 15:08:38 -07:00			`# this simply makes it explicit that we run logrotate via cron. it's already part of base ubuntu`
			`echo "==== Install logrotate ==="`
			`apt-get install -y cron logrotate`
			`systemctl enable cron`

download installer in base image script 2016-10-21 15:52:40 -07:00			`echo "=== Prepare installer revision - ${INSTALLER_REVISION}) ==="`
			`rm -rf /tmp/box && mkdir -p /tmp/box`
Extract properly 2016-10-21 16:14:50 -07:00			`curl "https://git.cloudron.io/cloudron/box/repository/archive.tar.gz?ref=${INSTALLER_REVISION}" \| tar zxvf - --strip-components=1 -C /tmp/box`
			`mkdir -p "${INSTALLER_SOURCE_DIR}"`
download installer in base image script 2016-10-21 15:52:40 -07:00			`cp -rf /tmp/box/installer/* "${INSTALLER_SOURCE_DIR}" && rm -rf /tmp/box`
Change ownership only of installer/ 2015-08-26 16:01:45 -07:00			`chown "${USER}:${USER}" -R "${INSTALLER_SOURCE_DIR}"`
No need to run npm install for the installer anymore 2016-10-31 15:19:10 +01:00			`echo "${INSTALLER_REVISION}" > "${INSTALLER_SOURCE_DIR}/REVISION"`
list ldap as 0.0.25 change 2015-08-04 16:29:49 -07:00
install acl 2015-11-23 11:32:05 -08:00			`apt-get -y install acl`
give yellowtent user access to cloudron logs 2015-11-02 13:20:43 -08:00
Only reload sshd for caas 2016-12-06 18:41:06 +01:00			`# DO uses Google nameservers by default. This causes RBL queries to fail (host 2.0.0.127.zen.spamhaus.org)`
			`# We do not use dnsmasq because it is not a recursive resolver and defaults to the value in the interfaces file (which is Google DNS!)`
			`echo "==== Install unbound DNS ==="`
			`apt-get -y install unbound`

Remove obsolete SELFHOSTED env 2016-06-10 14:10:59 +02:00			`echo "==== Install ssh ==="`
			`apt-get -y install openssh-server`