diff --git a/fickit-pkg/boot/Dockerfile b/fickit-pkg/boot/Dockerfile
new file mode 100644
index 00000000..39c59490
--- /dev/null
+++ b/fickit-pkg/boot/Dockerfile
@@ -0,0 +1,3 @@
+FROM alpine:latest
+
+COPY init.sh /init
diff --git a/fickit-pkg/boot/build.yml b/fickit-pkg/boot/build.yml
new file mode 100644
index 00000000..c3e81b59
--- /dev/null
+++ b/fickit-pkg/boot/build.yml
@@ -0,0 +1 @@
+image: boot
diff --git a/fickit-pkg/boot/init.sh b/fickit-pkg/boot/init.sh
new file mode 100755
index 00000000..6b192b2b
--- /dev/null
+++ b/fickit-pkg/boot/init.sh
@@ -0,0 +1,24 @@
+#!/bin/sh
+
+# /proc/cmdline parser (from Gentoo Wiki)
+cmdline() {
+ local value
+ value=" $(cat /proc/cmdline) "
+ value="${value##* $1=}"
+ value="${value%% *}"
+ [ "$value" != "" ] && echo "$value"
+}
+
+mount -t devtmpfs none /dev
+mount -t proc none /proc
+
+mount -o ro /dev/sda1 /boot
+
+mount -o loop -t squashfs /boot/imgs/$(cmdline root) /mnt || /bin/sh
+
+umount /dev
+umount /proc
+mount --move /boot /mnt/boot
+
+# Switch
+exec switch_root /mnt /init
diff --git a/fickit-pkg/mdadm/Dockerfile b/fickit-pkg/mdadm/Dockerfile
new file mode 100644
index 00000000..59e23d30
--- /dev/null
+++ b/fickit-pkg/mdadm/Dockerfile
@@ -0,0 +1,11 @@
+FROM alpine AS mirror
+
+RUN mkdir -p /out/etc/apk && cp -r /etc/apk/* /out/etc/apk/
+RUN apk add --no-cache --initdb -p /out \
+ mdadm
+RUN rm -rf /out/etc/apk /out/lib/apk /out/var/cache
+
+FROM scratch
+COPY --from=mirror /out/ /
+COPY etc/ /etc/
+CMD ["/sbin/mdadm", "--monitor", "--scan"]
diff --git a/fickit-pkg/mdadm/build.yml b/fickit-pkg/mdadm/build.yml
new file mode 100644
index 00000000..74e2e398
--- /dev/null
+++ b/fickit-pkg/mdadm/build.yml
@@ -0,0 +1,10 @@
+image: mdadm
+network: true
+config:
+ binds:
+ - /dev:/dev
+ capabilities:
+ - CAP_SYS_ADMIN
+ - CAP_MKNOD
+ net: new
+ ipc: new
diff --git a/fickit-pkg/mdadm/etc/init.d/005-mdadm b/fickit-pkg/mdadm/etc/init.d/005-mdadm
new file mode 100755
index 00000000..1b52ae87
--- /dev/null
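Review bot: `FROM alpine:latest` in fickit-pkg/boot/Dockerfile leaves the base image unpinned, so the same Dockerfile produces different images over time and the boot/init image cannot be reproduced or audited. The same applies to `FROM alpine AS mirror` in the mdadm, syslinux and unbound Dockerfiles and `FROM alpine:latest AS mirror` in the rsync Dockerfile, and the `apk add` lines in every mirror stage install unpinned packages. Pin the tag, e.g. `FROM alpine:<pinned-tag>`, and pin package versions in each mirror stage, e.g. `mdadm=<pinned-version>`, so a rebuild yields the same content.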
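Review bot: `mount -o loop -t squashfs /boot/imgs/$(cmdline root) /mnt || /bin/sh` drops to an unauthenticated root shell on the console whenever the root image fails to mount, and the unquoted `$(cmdline root)` makes that path collapse to `/boot/imgs/` when `root=` is absent from the kernel command line, which then triggers exactly that fallback. The earlier `mount -o ro /dev/sda1 /boot` is not checked at all, so a missing or wrong boot partition only surfaces at the squashfs step. If the rescue shell is an intended debugging aid, say so in a comment and consider gating it on an explicit cmdline flag; otherwise quote the path and fail visibly, `mount -o loop -t squashfs "/boot/imgs/$(cmdline root)" /mnt || { echo "init: cannot mount root image" >&2; exit 1; }`.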
+++ b/fickit-pkg/mdadm/etc/init.d/005-mdadm
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+mdadm --assemble /dev/md0 /dev/sda3 /dev/sdb3
diff --git a/fickit-pkg/rsync/Dockerfile b/fickit-pkg/rsync/Dockerfile
new file mode 100644
index 00000000..362c7568
--- /dev/null
+++ b/fickit-pkg/rsync/Dockerfile
@@ -0,0 +1,26 @@
+FROM alpine:latest AS mirror
+
+RUN mkdir -p /out/etc/apk && cp -r /etc/apk/* /out/etc/apk/
+RUN apk add --no-cache --initdb -p /out \
+ alpine-baselayout \
+ apk-tools \
+ busybox \
+ ca-certificates \
+ musl \
+ openssh-server \
+ openssh-client \
+ rsync \
+ tini \
+ util-linux \
+ && true
+#RUN mv /out/etc/apk/repositories.upstream /out/etc/apk/repositories
+
+FROM scratch
+ENTRYPOINT []
+WORKDIR /
+COPY --from=mirror /out/ /
+COPY etc/ /etc/
+COPY usr/ /usr/
+RUN mkdir -p /etc/ssh /root/.ssh && chmod 0700 /root/.ssh
+CMD ["/sbin/tini", "/usr/bin/ssh.sh"]
+LABEL org.mobyproject.config='{"pid": "host", "binds": ["/root/.ssh:/root/.ssh", "/etc/resolv.conf:/etc/resolv.conf", "/run:/run", "/tmp:/tmp", "/etc:/hostroot/etc", "/usr/bin/ctr:/usr/bin/ctr", "/usr/bin/runc:/usr/bin/runc", "/containers:/containers","/var/log:/var/log","/dev:/dev","/sys:/sys"], "capabilities": ["all"]}'
diff --git a/fickit-pkg/rsync/build.yml b/fickit-pkg/rsync/build.yml
new file mode 100644
index 00000000..d0475dbd
--- /dev/null
+++ b/fickit-pkg/rsync/build.yml
@@ -0,0 +1,2 @@
+image: rsync
+network: true
diff --git a/fickit-pkg/rsync/etc/motd b/fickit-pkg/rsync/etc/motd
new file mode 100644
index 00000000..2414d0d9
--- /dev/null
+++ b/fickit-pkg/rsync/etc/motd
@@ -0,0 +1,4 @@
+Welcome to LinuxKit!
+
+NOTE: This system is namespaced.
+The namespace you are currently in may not be the root.
diff --git a/fickit-pkg/rsync/etc/profile.d/namespace.sh b/fickit-pkg/rsync/etc/profile.d/namespace.sh
new file mode 100644
index 00000000..45775ea0
--- /dev/null
+++ b/fickit-pkg/rsync/etc/profile.d/namespace.sh
@@ -0,0 +1 @@
+export PS1="(ns: sshd) $PS1"
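Review bot: `mdadm --assemble /dev/md0 /dev/sda3 /dev/sdb3` hard-codes kernel device names, which are assigned in probe order and can change between boots or when a disk is replaced, so the wrong partitions may be offered for assembly; its exit status is also ignored, so the `--monitor --scan` service in the mdadm Dockerfile starts even when no array came up. Prefer identifying the array by UUID, e.g. an `/etc/mdadm.conf` entry `ARRAY /dev/md0 UUID=<array-uuid>` followed by `mdadm --assemble --scan`, or at minimum report failure, `mdadm --assemble /dev/md0 /dev/sda3 /dev/sdb3 || echo "005-mdadm: assemble failed" >&2`.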
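Review bot: The `org.mobyproject.config` label on the last line runs this sshd container with `"capabilities": ["all"]`, `"pid": "host"` and bind mounts of `/dev`, `/sys`, `/run`, `/containers`, the host `ctr`/`runc` binaries and the host `/etc`, so every key accepted through the bind-mounted `/root/.ssh` is equivalent to root on the host, and nothing in the hunk records that this is intended. A comment above the LABEL stating that trust boundary, and a check of whether an rsync endpoint needs every capability rather than a short list, would make the design reviewable. Minor: `&& true` at the end of the `apk add` chain is a no-op left over from editing, and unlike the mdadm, syslinux and unbound packages this stage never removes `/out/etc/apk`, `/out/lib/apk` and `/out/var/cache`; since `apk-tools` is installed on purpose this may be deliberate, but a comment would say so.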
diff --git a/fickit-pkg/rsync/etc/ssh/sshd_config b/fickit-pkg/rsync/etc/ssh/sshd_config
new file mode 100644
index 00000000..8cfa9570
--- /dev/null
+++ b/fickit-pkg/rsync/etc/ssh/sshd_config
@@ -0,0 +1,144 @@
+# $OpenBSD: sshd_config,v 1.98 2016/02/17 05:29:04 djm Exp $
+
+# This is the sshd server system-wide configuration file. See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/bin:/usr/bin:/sbin:/usr/sbin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented. Uncommented options override the
+# default value.
+
+#Port 22
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+# The default requires explicit activation of protocol 1
+#Protocol 2
+
+# HostKey for protocol version 1
+#HostKey /etc/ssh/ssh_host_key
+# HostKeys for protocol version 2
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_dsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
+#HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Lifetime and size of ephemeral version 1 server key
+#KeyRegenerationInterval 1h
+#ServerKeyBits 1024
+
+# Ciphers and keying
+#RekeyLimit default none
+
+# Logging
+# obsoletes QuietMode and FascistLogging
+#SyslogFacility AUTH
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+#PermitRootLogin prohibit-password
+#StrictModes yes
+#MaxAuthTries 6
+#MaxSessions 10
+
+#RSAAuthentication yes
+#PubkeyAuthentication yes
+
+# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
+# but this is overridden so installations will only check .ssh/authorized_keys
+AuthorizedKeysFile .ssh/authorized_keys
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#RhostsRSAAuthentication no
+# similar for protocol version 2
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# RhostsRSAAuthentication and HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+PasswordAuthentication no
+#PermitEmptyPasswords no
+
+# Change to no to disable s/key passwords
+ChallengeResponseAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication. Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+#UsePAM no
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+#X11Forwarding no
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+#PrintMotd yes
+#PrintLastLog yes
+#TCPKeepAlive yes
+#UseLogin no
+#UsePrivilegeSeparation sandbox
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#UseDNS no
+#PidFile /run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner none
+
+# Default of no subsystems
+#Subsystem sftp /usr/lib/ssh/sftp-server
+
+# the following are HPN related configuration options
+# tcp receive buffer polling. disable in non autotuning kernels
+#TcpRcvBufPoll yes
+
+# disable hpn performance boosts
+#HPNDisabled no
+
+# buffer size for hpn to non-hpn connections
+#HPNBufferSize 2048
+
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+# X11Forwarding no
+# AllowTcpForwarding no
+# PermitTTY no
+# ForceCommand cvs server
diff --git a/fickit-pkg/rsync/usr/bin/ssh.sh b/fickit-pkg/rsync/usr/bin/ssh.sh
new file mode 100755
index 00000000..46dbf090
--- /dev/null
+++ b/fickit-pkg/rsync/usr/bin/ssh.sh
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+KEYS=$(find /etc/ssh -name 'ssh_host_*_key')
+[ -z "$KEYS" ] && ssh-keygen -A >/dev/null 2>/dev/null
+
+exec /usr/sbin/sshd -D -e
diff --git a/fickit-pkg/syslinux/Dockerfile b/fickit-pkg/syslinux/Dockerfile
new file mode 100644
index 00000000..05bffdfa
--- /dev/null
+++ b/fickit-pkg/syslinux/Dockerfile
@@ -0,0 +1,10 @@
+FROM alpine AS mirror
+
+RUN mkdir -p /out/etc/apk && cp -r /etc/apk/* /out/etc/apk/
+RUN apk add --no-cache --initdb -p /out \
+ dosfstools \
+ syslinux
+RUN rm -rf /out/etc/apk /out/lib/apk /out/var/cache
+
+FROM scratch
+COPY --from=mirror /out/ /
diff --git a/fickit-pkg/syslinux/build.yml b/fickit-pkg/syslinux/build.yml
new file mode 100644
index 00000000..2fcbd901
--- /dev/null
+++ b/fickit-pkg/syslinux/build.yml
@@ -0,0 +1,8 @@
+image: syslinux
+network: true
+config:
+ binds:
+ - /dev:/dev
+ capabilities:
+ - CAP_SYS_ADMIN
+ ipc: new
diff --git a/fickit-pkg/unbound/Dockerfile b/fickit-pkg/unbound/Dockerfile
new file mode 100644
index 00000000..3a36e754
--- /dev/null
+++ b/fickit-pkg/unbound/Dockerfile
@@ -0,0 +1,11 @@
+FROM alpine AS mirror
+
+RUN mkdir -p /out/etc/apk && cp -r /etc/apk/* /out/etc/apk/
+RUN apk add --no-cache --initdb -p /out \
+ unbound
+RUN rm -rf /out/etc/apk /out/lib/apk /out/var/cache
+RUN wget -O /out/etc/unbound/root.hints ftp://ftp.internic.net/domain/named.cache
+
+FROM scratch
+COPY --from=mirror /out/ /
+COPY etc/unbound/ /etc/unbound
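Review bot: The only settings this file actually enables are `AuthorizedKeysFile .ssh/authorized_keys`, `PasswordAuthentication no` and `ChallengeResponseAuthentication no`; root login and public-key authentication stay at their commented defaults (`#PermitRootLogin prohibit-password`, `#PubkeyAuthentication yes`), although the ssh.sh wrapper and the `/root/.ssh` bind mount in the rsync Dockerfile depend on exactly key-only root login. Since the header itself says uncommented options override the defaults, state the intended policy explicitly, `PermitRootLogin prohibit-password` and `PubkeyAuthentication yes`, so a change in the packaged defaults cannot silently widen or break access. The protocol-1 entries (`#RSAAuthentication`, `#RhostsRSAAuthentication`, `#KeyRegenerationInterval`, `#ServerKeyBits`) refer to a protocol current OpenSSH no longer supports and could be dropped from a freshly shipped copy.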
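Review bot: `[ -z "$KEYS" ] && ssh-keygen -A >/dev/null 2>/dev/null` generates host keys into the container's `/etc/ssh`, but that path is not among the bind mounts in the rsync Dockerfile label (`/root/.ssh` and `/etc:/hostroot/etc` are), so unless the container filesystem persists across boots a fresh host key is produced every boot and clients see a changed-fingerprint warning that trains them to ignore it. Persisting the keys, for instance by generating into and pointing `HostKey` at a bind-mounted directory, or documenting in a comment that they are intentionally ephemeral, would settle this. Dropping the `2>/dev/null` also keeps a failed keygen visible in the container log instead of leaving sshd to exit with a less specific error.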
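Review bot: `RUN wget -O /out/etc/unbound/root.hints ftp://ftp.internic.net/domain/named.cache` fetches the root hints over cleartext FTP at build time with no integrity check, so the file that seeds every recursion can be altered in transit and the build result depends on whatever the server returned that day. The shipped unbound.conf itself names `https://www.internic.net/domain/named.cache`; fetch over HTTPS and verify the download against the published checksum or signature, or vendor the file into the repo next to unbound.conf so the build is reproducible offline. Separately, unbound.conf sets `trust-anchor-file: "root-anchors.txt"` but nothing in this diff adds that file under etc/unbound/, so unbound may refuse to start or to validate until it exists; worth confirming where it is meant to come from.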
diff --git a/fickit-pkg/unbound/build.yml b/fickit-pkg/unbound/build.yml
new file mode 100644
index 00000000..94cee7e2
--- /dev/null
+++ b/fickit-pkg/unbound/build.yml
@@ -0,0 +1,8 @@
+image: unbound
+network: true
+config:
+ capabilities:
+ - CAP_NET_BIND_SERVICE
+ ipc: new
+ pid: new
+ uts: new
diff --git a/fickit-pkg/unbound/etc/unbound/unbound.conf b/fickit-pkg/unbound/etc/unbound/unbound.conf
new file mode 100644
index 00000000..aefec065
--- /dev/null
+++ b/fickit-pkg/unbound/etc/unbound/unbound.conf
@@ -0,0 +1,132 @@
+server:
+ verbosity: 1
+
+ # number of threads to create. 1 disables threading.
+ # num-threads: 1
+
+ # specify the interfaces to answer queries from by ip-address.
+ interface: 0.0.0.0
+ interface: ::0
+
+ # Detach from the terminal, run in background, "yes" or "no".
+ # Set the value to "no" when unbound runs as systemd service.
+ do-daemonize: no
+
+ # control which clients are allowed to make (recursive) queries
+ # to this server. Specify classless netblocks with /size and action.
+ # By default everything is refused, except for localhost.
+ # Choose deny (drop message), refuse (polite error reply),
+ # allow (recursive ok), allow_snoop (recursive and nonrecursive ok)
+ # deny_non_local (drop queries unless can be answered from local-data)
+ # refuse_non_local (like deny_non_local but polite error reply).
+ #access-control: 172.23.0.0/16 allow
+
+ # if given, user privileges are dropped (after binding port),
+ # and the given username is assumed. Default is user "unbound".
+ # If you give "" no privileges are dropped.
+ # username: "unbound"
+
+ # print one line with time, IP, name, type, class for every query.
+ # log-queries: no
+ log-queries: yes
+
+ # print one line per reply, with time, IP, name, type, class, rcode,
+ # timetoresolve, fromcache and responsesize.
+ # log-replies: no
+ log-replies: yes
+
+ # log the local-zone actions, like local-zone type inform is enabled
+ # also for the other local zone types.
+ # log-local-actions: no
+
+ # print log lines that say why queries return SERVFAIL to clients.
+ log-servfail: yes
+
+ # file to read root hints from.
+ # get one from https://www.internic.net/domain/named.cache
+ # root-hints: ""
+ root-hints: "root.hints"
+
+ # enable to not answer id.server and hostname.bind queries.
+ # hide-identity: no
+ hide-identity: yes
+
+ # enable to not answer version.server and version.bind queries.
+ # hide-version: no
+ hide-version: yes
+
+ # enable to not answer trustanchor.unbound queries.
+ # hide-trustanchor: no
+
+ # Sent minimum amount of information to upstream servers to enhance
+ # privacy. Only sent minimum required labels of the QNAME and set QTYPE
+ # to NS when possible.
+ qname-minimisation: yes
+
+ # Enforce privacy of these addresses. Strips them away from answers.
+ # It may cause DNSSEC validation to additionally mark it as bogus.
+ # Protects against 'DNS Rebinding' (uses browser as network proxy).
+ # Only 'private-domain' and 'local-data' names are allowed to have
+ # these private addresses. No default.
+ # private-address: 10.0.0.0/8
+ # private-address: 172.16.0.0/12
+ # private-address: 192.168.0.0/16
+ # private-address: 169.254.0.0/16
+ # private-address: fd00::/8
+ # private-address: fe80::/10
+ # private-address: ::ffff:0:0/96
+
+ # if yes, Unbound rotates RRSet order in response.
+ rrset-roundrobin: yes
+
+ # if yes, Unbound doesn't insert authority/additional sections
+ # into response messages when those sections are not required.
+ minimal-responses: yes
+
+ # true to disable DNSSEC lameness check in iterator.
+ # disable-dnssec-lame-check: no
+
+ # module configuration of the server. A string with identifiers
+ # separated by spaces. Syntax: "[dns64] [validator] iterator"
+ module-config: "validator iterator"
+
+ # File with trusted keys, kept uptodate using RFC5011 probes,
+ # initial file like trust-anchor-file, then it stores metadata.
+ # Use several entries, one per domain name, to track multiple zones.
+ #
+ # If you want to perform DNSSEC validation, run unbound-anchor before
+ # you start unbound (i.e. in the system boot scripts). And enable:
+ # Please note usage of unbound-anchor root anchor is at your own risk
+ # and under the terms of our LICENSE (see that file in the source).
+ #auto-trust-anchor-file: "var/root-anchors.txt"
+
+ # trust anchor signaling sends a RFC8145 key tag query after priming.
+ # trust-anchor-signaling: yes
+
+ # File with DLV trusted keys. Same format as trust-anchor-file.
+ # There can be only one DLV configured, it is trusted from root down.
+ # DLV is going to be decommissioned. Please do not use it any more.
+ # dlv-anchor-file: "dlv.isc.org.key"
+
+ # File with trusted keys for validation. Specify more than one file
+ # with several entries, one file per entry.
+ # Zone file format, with DS and DNSKEY entries.
+ # Note this gets out of date, use auto-trust-anchor-file please.
+ # trust-anchor-file: "/etc/dnssec/root-anchors.txt"
+ trust-anchor-file: "root-anchors.txt"
+
+ # Trusted key for validation. DS or DNSKEY. specify the RR on a
+ # single line, surrounded by "". TTL is ignored. class is IN default.
+ # Note this gets out of date, use auto-trust-anchor-file please.
+ # (These examples are from August 2007 and may not be valid anymore).
+ # trust-anchor: "nlnetlabs.nl. DNSKEY 257 3 5 AQPzzTWMz8qSWIQlfRnPckx2BiVmkVN6LPupO3mbz7FhLSnm26n6iG9N Lby97Ji453aWZY3M5/xJBSOS2vWtco2t8C0+xeO1bc/d6ZTy32DHchpW 6rDH1vp86Ll+ha0tmwyy9QP7y2bVw5zSbFCrefk8qCUBgfHm9bHzMG1U BYtEIQ=="
+ # trust-anchor: "jelte.nlnetlabs.nl. DS 42860 5 1 14D739EB566D2B1A5E216A0BA4D17FA9B038BE4A"
+
+ # Turn permissive mode on to permit bogus messages. Thus, messages
+ # for which security checks failed will be returned to clients,
+ # instead of SERVFAIL. It still performs the security checks, which
+ # result in interesting log files and possibly the AD bit in
+ # replies if the message is found secure. The default is off.
+ #val-permissive-mode: yes
+
+ include: /etc/unbound/unbound.d/*.conf
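Review bot: `trust-anchor-file: "root-anchors.txt"` selects the static anchor form that the comment four lines above it says gets out of date and should give way to `auto-trust-anchor-file`; with a static file the root key cannot follow an RFC 5011 rollover, so validation would start failing at the next KSK roll with no change on this host. Use the commented `auto-trust-anchor-file: "var/root-anchors.txt"` instead, pointing at a directory the `unbound` user can write, seeded by `unbound-anchor` before start as the comment block describes. Also note that `interface: 0.0.0.0`/`::0` with every `access-control` line left commented means only localhost is permitted by default (as the comment above `#access-control` states), so the resolver answers no other client until a netblock is added, and `log-queries: yes`/`log-replies: yes` record every client's query names, a privacy and log-volume cost worth a comment for a long-running resolver.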