From 43b5f7ba94be2625d30d2b51736234958685b885 Mon Sep 17 00:00:00 2001 From: nemunaire Date: Sun, 10 Mar 2019 19:32:38 +0100 Subject: [PATCH] Backup tuto3 --- .gitignore | 5 + pkg/debian-tuto3/Dockerfile | 20 ++ pkg/debian-tuto3/build.yml | 1 + pkg/debian-tuto3/issue | 12 ++ pkg/debian-tuto3/sshd_config | 104 +++++++++ pkg/postfix/Dockerfile | 10 + pkg/postfix/build.yml | 1 + pkg/postfix/docker-entrypoint.sh | 13 ++ tuto3.yml | 359 +++++++++++++++++++++++++++++++ 9 files changed, 525 insertions(+) create mode 100644 pkg/debian-tuto3/Dockerfile create mode 100644 pkg/debian-tuto3/build.yml create mode 100644 pkg/debian-tuto3/issue create mode 100644 pkg/debian-tuto3/sshd_config create mode 100644 pkg/postfix/Dockerfile create mode 100644 pkg/postfix/build.yml create mode 100755 pkg/postfix/docker-entrypoint.sh create mode 100644 tuto3.yml diff --git a/.gitignore b/.gitignore index 9a680b3..8028011 100644 --- a/.gitignore +++ b/.gitignore @@ -12,4 +12,9 @@ tuto2-initrd.img tuto2.iso tuto2-kernel tuto2-state/ +tuto3-cmdline +tuto3-initrd.img +tuto3.iso +tuto3-kernel +tuto3-state/ fonts/ diff --git a/pkg/debian-tuto3/Dockerfile b/pkg/debian-tuto3/Dockerfile new file mode 100644 index 0000000..2497c5b --- /dev/null +++ b/pkg/debian-tuto3/Dockerfile @@ -0,0 +1,20 @@ +FROM debian + +RUN apt-get update && apt-get install --no-install-recommends -y \ + busybox \ + console-data \ + curl \ + dnsutils \ + kbd \ + nano \ + iptables \ + nftables \ + openssh-server \ + python \ + ssmtp \ + systemd-sysv \ + udev \ + vim.tiny \ + && rm -rf /var/lib/apt/lists/* + +COPY sshd_config /etc/ssh/sshd_config diff --git a/pkg/debian-tuto3/build.yml b/pkg/debian-tuto3/build.yml new file mode 100644 index 0000000..c78afe4 --- /dev/null +++ b/pkg/debian-tuto3/build.yml @@ -0,0 +1 @@ +image: adlin-tuto3 diff --git a/pkg/debian-tuto3/issue b/pkg/debian-tuto3/issue new file mode 100644 index 0000000..7b7232a --- /dev/null +++ b/pkg/debian-tuto3/issue 
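Review bot: `FROM debian` in pkg/debian-tuto3/Dockerfile floats on the untagged image, so the router image is rebuilt from whatever Debian is current on the build day and its package set drifts silently; the `issue` banner added in this same commit says "Debian GNU/Linux 9", so pin at least `FROM debian:9` (a digest if the lab image should be reproducible). The `apt-get install` list is unpinned as well, and `python` with no version suffix pulls whichever interpreter the base ships, which is a second source of drift between rebuilds. `COPY sshd_config /etc/ssh/sshd_config` installs a config whose `PermitRootLogin yes` is discussed in the sshd_config hunk of this commit. The image has no `CMD`/`ENTRYPOINT`; the `router` service in tuto3.yml supplies `command: ["/bin/sh", "-c", "mkdir -p /run/sshd && exec /usr/sbin/sshd -D"]`, and a one-line comment here saying that the command comes from the LinuxKit config would save the next reader the search.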
@@ -0,0 +1,12 @@ + .o. .o8 ooooo o8o + .888. "888 `888' `"' + .8"888. .oooo888  888 oooo ooo. .oo. + .8' `888. d88' `888  888 `888 `888P"Y88b + .88ooo8888. 888 888  888 888 888 888 + .8' `888. 888 888  888 o 888 888 888 + o88o o8888o `Y8bod88P" o888ooooood8 o888o o888o o888o + + +Debian GNU/Linux 9 \n \l + +IPv4: \4 diff --git a/pkg/debian-tuto3/sshd_config b/pkg/debian-tuto3/sshd_config new file mode 100644 index 0000000..982d908 --- /dev/null +++ b/pkg/debian-tuto3/sshd_config 
@@ -0,0 +1,104 @@
+# $OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $
+
+# This is the sshd server system-wide configuration file. See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented. Uncommented options override the
+# default value.
+
+#Port 22
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
+#HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Ciphers and keying
+#RekeyLimit default none
+
+# Logging
+#SyslogFacility AUTH
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+PermitRootLogin yes
+#StrictModes yes
+#MaxAuthTries 6
+#MaxSessions 10
+
+#PubkeyAuthentication yes
+
+# Expect .ssh/authorized_keys2 to be disregarded by default in future.
+#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+#PasswordAuthentication yes
+#PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+#GSSAPIStrictAcceptorCheck yes
+#GSSAPIKeyExchange no
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication. Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+X11Forwarding yes
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+PrintMotd no
+#PrintLastLog yes
+#TCPKeepAlive yes
+#UseLogin no
+#UsePrivilegeSeparation sandbox
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#UseDNS no
+#PidFile /var/run/sshd.pid
+#MaxStartups 10:30:100
diff --git a/pkg/postfix/Dockerfile b/pkg/postfix/Dockerfile
new file mode 100644
index 0000000..bb9653f
--- /dev/null
+++ b/pkg/postfix/Dockerfile
@@ -0,0 +1,10 @@
+FROM alpine:3.7
+MAINTAINER Pierre-Olivier Mercier
+
+RUN apk add --no-cache postfix
+
+EXPOSE 25
+
+CMD ["/usr/sbin/postfix", "-d"]
+
+LABEL org.mobyproject.config='{"binds": ["/etc/resolv.conf:/etc/resolv.conf"], "capabilities": ["CAP_NET_BIND_SERVICE"]}'
diff --git a/pkg/postfix/build.yml b/pkg/postfix/build.yml
new file mode 100644
index 0000000..e939cae
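Review bot: `PermitRootLogin yes` together with `UsePAM yes` and the untouched default `#PasswordAuthentication yes` means the router accepts root password logins over SSH, and the matching root password hash is shipped in this same commit (tuto3.yml, `etc/dshadow`), so that single credential is exposed to anyone holding the image. If the lab only needs key-based access, prefer `PermitRootLogin prohibit-password` and `PasswordAuthentication no`; if password login is intentional for the exercise, say so in a comment next to `PermitRootLogin yes` instead of leaving the stock header to explain the file. `X11Forwarding yes` is not something a router image needs and can stay at its default. The `# $OpenBSD:` header and the `PATH=` comment describe the upstream file, not this one; a short note listing what was changed from the Debian default (PermitRootLogin, ChallengeResponseAuthentication, X11Forwarding, PrintMotd) would document the intent better.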
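Review bot: `MAINTAINER` in pkg/postfix/Dockerfile is deprecated (hadolint DL4000); use `LABEL maintainer="Pierre-Olivier Mercier"`, which can be folded into the existing `LABEL org.mobyproject.config=...` instruction. `apk add --no-cache postfix` is unpinned, so the image changes under the fixed `alpine:3.7` tag whenever the repository updates; pin `postfix=<version>-r<n>` (placeholder, fill in from the 3.7 repository). I do not find a `-d` option in postfix(1); the documented way to keep the master daemon in the foreground as the container's PID 1 is `postfix start-fg`, so `CMD ["/usr/sbin/postfix", "start-fg"]` is worth checking against the Alpine build before this is relied on. The `docker-entrypoint.sh` added next to this file is never `COPY`'d or referenced, so it has no effect on this image (see its own hunk).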
--- /dev/null
+++ b/pkg/postfix/build.yml
@@ -0,0 +1 @@
+image: postfix
diff --git a/pkg/postfix/docker-entrypoint.sh b/pkg/postfix/docker-entrypoint.sh
new file mode 100755
index 0000000..7db45e9
--- /dev/null
+++ b/pkg/postfix/docker-entrypoint.sh
@@ -0,0 +1,13 @@
+#!/bin/sh
+
+set -e
+
+if [ `which unbound-$1 2>/dev/null` ]; then
+ set -- unbound-"$@"
+elif [ ! `which $1 2>/dev/null` ]; then
+ set -- unbound -dv "$@"
+fi
+
+unbound-anchor
+
+exec "$@"
diff --git a/tuto3.yml b/tuto3.yml
new file mode 100644
index 0000000..f383168
--- /dev/null
+++ b/tuto3.yml
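Review bot: pkg/postfix/docker-entrypoint.sh is an unbound entrypoint, not a postfix one: it rewrites the first argument to `unbound-$1`, falls back to `set -- unbound -dv "$@"` and runs `unbound-anchor`, none of which exist in an image that only does `apk add --no-cache postfix`, and the postfix Dockerfile in this commit never copies or invokes the file. Either drop it from this package, move it to the unbound package if that is where it belongs, or replace it with a script that actually wraps postfix (ending in `exec "$@"` as it does now, with a postfix default such as `postfix start-fg`). As a point of style, the `which ... 2>/dev/null` substitutions inside `[ ]` are unquoted backticks that rely on word splitting to become a boolean; `command -v "unbound-$1" >/dev/null 2>&1` is the portable POSIX test and reads as one.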
@@ -0,0 +1,359 @@ +kernel: + image: linuxkit/kernel:4.14.27 + cmdline: "console=tty0" + +init: + - linuxkit/init:b212cfeb4bb6330e0a7547d8010fe2e8489b677a + - linuxkit/runc:7c39a68490a12cde830e1922f171c451fb08e731 + - linuxkit/containerd:37e397ebfc6bd5d8e18695b121166ffd0cbfd9f0 + - linuxkit/ca-certificates:v0.2 + - linuxkit/getty:v0.2 + +onboot: + - name: sysctl + image: linuxkit/sysctl:v0.2 + binds: + - /etc/sysctl.d/:/etc/sysctl.d/:ro + + # Network: external + - name: dhcpcd + image: linuxkit/dhcpcd:v0.2 + command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"] + net: new + runtime: + interfaces: + - name: eth0 + bindNS: + net: /run/netns/router + + # Network: workstations + - name: net-wks-setup + image: linuxkit/ip:v0.2 + command: ["/bin/sh", "-c", "ip a add 192.168.6.254/24 dev ethwks; ip link set ethwks up;" ] + net: /run/netns/router + runtime: + interfaces: + - name: ethwks + add: veth + peer: veth-wks + + # Network: servers + - name: net-srv-setup + image: linuxkit/ip:v0.2 + command: ["/bin/sh", "-c", "ip a add 172.23.42.1/24 dev ethsrv; ip link set ethsrv up;" ] + net: /run/netns/router + runtime: + interfaces: + - name: ethsrv + add: veth + peer: veth-srv + - name: net-srvns-setup + image: linuxkit/ip:v0.2 + command: ["/bin/sh", "-c", "ip a add 172.23.42.2/24 dev vethin-ns; ip link set vethin-ns up; ip route add default via 172.23.42.1;" ] + net: new + runtime: + interfaces: + - name: vethin-ns + add: veth + peer: veth-ns + bindNS: + net: /run/netns/ns +# - name: net-srvmail-setup +# image: linuxkit/ip:v0.2 +# command: ["/bin/sh", "-c", "ip a add 172.23.42.3/24 dev vethin-mail; ip link set vethin-mail up; ip route add default via 172.23.42.1;" ] +# net: new +# runtime: +# interfaces: +# - name: vethin-mail +# add: veth +# peer: veth-mail +# bindNS: +# net: /run/netns/mail + - name: net-srvdb-setup + image: linuxkit/ip:v0.2 + command: ["/bin/sh", "-c", "ip a add 172.23.42.4/24 dev vethin-db; ip link set vethin-db up; ip route add default 
via 172.23.42.1;" ] + net: new + runtime: + interfaces: + - name: vethin-db + add: veth + peer: veth-db + bindNS: + net: /run/netns/db + - name: net-srvchat-setup + image: linuxkit/ip:v0.2 + command: ["/bin/sh", "-c", "ip a add 172.23.42.5/24 dev vethin-chat; ip link set vethin-chat up; ip route add default via 172.23.42.1;" ] + net: new + runtime: + interfaces: + - name: vethin-chat + add: veth + peer: veth-chat + bindNS: + net: /run/netns/chat + - name: net-srvttrss-setup + image: linuxkit/ip:v0.2 + command: ["/bin/sh", "-c", "ip a add 172.23.42.6/24 dev vethin-ttrss; ip link set vethin-ttrss up; ip route add default via 172.23.42.1;" ] + net: new + runtime: + interfaces: + - name: vethin-ttrss + add: veth + peer: veth-ttrss + bindNS: + net: /run/netns/ttrss + + # Network: bridges + - name: bridges-setup + image: linuxkit/ip:v0.2 + command: ["/bin/sh", "-c", "ip link set veth-srv master brsrv; ip link set veth-ns master brsrv; ip link set veth-mail master brsrv; ip link set veth-db master brsrv; ip link set veth-chat master brsrv; ip link set veth-ttrss master brsrv; ip link set veth-srv up; ip link set veth-ns up; ip link set veth-mail up; ip link set veth-db up; ip link set veth-chat up; ip link set veth-ttrss up; ip link set brsrv up; ip link set veth-wks master brwks; ip link set veth-wks1 master brwks; ip link set veth-wks2 master brwks; ip link set veth-wks up; ip link set veth-wks1 up; ip link set veth-wks2 up; ip link set brwks up;" ] + runtime: + interfaces: + - name: brsrv + add: bridge + - name: brwks + add: bridge + +services: + - name: dhcpcd-wks1 + image: linuxkit/dhcpcd:v0.2 + net: new + runtime: + interfaces: + - name: eth1 + - name: ethwks1 + add: veth + peer: veth-wks1 + bindNS: + net: /run/netns/wks1 + + - name: dhcpcd-wks2 + image: linuxkit/dhcpcd:v0.2 + net: new + runtime: + interfaces: + - name: ethwks2 + add: veth + peer: veth-wks2 + bindNS: + net: /run/netns/wks2 + + - name: sshd-wks1 + image: linuxkit/sshd:v0.2 + net: /run/netns/wks1 + 
binds: + - /etc/dpasswd:/etc/passwd + - /etc/dshadow:/etc/shadow + + - name: sshd-wks2 + image: linuxkit/sshd:v0.2 + net: /run/netns/wks2 + binds: + - /etc/dpasswd:/etc/passwd + - /etc/dshadow:/etc/shadow + + - name: router + image: nemunaire/adlin-tuto3:0fa628c796ff914e9a0f160c27a79a30092868e3-dirty + net: /run/netns/router + command: ["/bin/sh", "-c", "mkdir -p /run/sshd && exec /usr/sbin/sshd -D"] + capabilities: + - all + binds: + - /etc/dresolv.conf:/etc/resolv.conf + - /etc/dpasswd:/etc/passwd + - /etc/dshadow:/etc/shadow + - name: ns + image: nemunaire/unbound:528445043685979b1b479c6c44d68de36bc872ad + net: /run/netns/ns + capabilities: + - all + binds: + - /etc/unbound:/etc/unbound:ro + - name: db + image: postgres:alpine + net: /run/netns/db + capabilities: + - all + command: ["/docker-entrypoint.sh", "postgres"] + env: + - LANG=en_US.utf8 + - PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/" + - PGDATA=/var/lib/postgresql/data + - POSTGRES_PASSWORD=adlin2019 + binds: + - /initdb/init-ttrss.sh:/docker-entrypoint-initdb.d/init-ttrss.sh:ro + - /initdb/init-mattermost.sh:/docker-entrypoint-initdb.d/init-mattermost.sh:ro + - name: chat + image: nemunaire/mattermost:ecb81e668c64d07b4453f9b465a6998fc6ceb067-dirty + net: /run/netns/chat + capabilities: + - all + command: ["/entrypoint.sh", "/mattermost/bin/platform"] + env: + - MM_USERNAME=mattermost + - MM_DBNAME=mattermost + - MM_PASSWORD=adlin2019 + binds: + - /etc/hosts:/etc/hosts:ro + - name: ttrss + image: nemunaire/ttrss:89149d186daf3ebf752a764807dee3180f46b93d-dirty + net: /run/netns/ttrss + capabilities: + - all + command: ["/usr/bin/ttrss_entrypoint.sh", "/sbin/start_ttrss"] + env: + - TTRSS_PORT=80 + - TTRSS_DB_TYPE=pgsql + - TTRSS_DB_HOST=db + - TTRSS_DB_PORT=5432 + - TTRSS_DB_NAME=ttrss + - TTRSS_DB_USER=ttrss + - TTRSS_DB_PASS=adlin2019 + - TTRSS_SELF_URL_PATH=http://localhost/ + binds: + - /etc/hosts:/etc/hosts:ro + +files: + - path: etc/hosts + contents: | + 127.0.0.1 localhost 
+ ::1 localhost + 172.23.42.4 db + mode: "0444" + + - path: /initdb/init-ttrss.sh + contents: | + #!/bin/sh + set -e + psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" <<-EOSQL + CREATE USER ttrss WITH PASSWORD 'adlin2019'; + CREATE DATABASE ttrss; + GRANT ALL PRIVILEGES ON DATABASE ttrss TO ttrss; + EOSQL + mode: "0555" + + - path: /initdb/init-mattermost.sh + contents: | + #!/bin/sh + set -e + psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" <<-EOSQL + CREATE USER mattermost WITH PASSWORD 'adlin2019'; + CREATE DATABASE mattermost; + GRANT ALL PRIVILEGES ON DATABASE mattermost TO mattermost; + EOSQL + mode: "0555" + + - path: /etc/init.d/500-showip.sh + contents: | + #!/bin/sh + nsenter -n/run/netns/router ip a show dev eth0 + nsenter -n/run/netns/wks1 ip a show dev eth1 + exit 0 + mode: "0555" + + - path: /etc/init.d/999-getty.sh + contents: | + #!/bin/sh + while true + do + /usr/bin/setsid /usr/bin/nsenter -t $(echo $(ps a | grep sshd | head -1) | cut -d ' ' -f 1) -m -u -i -n -p -- /sbin/agetty -l /sbin/login 38400 tty1 linux + sleep 1 + done & + mode: "0555" + + - path: etc/unbound/unbound.conf + contents: | + server: + verbosity: 1 + interface: 0.0.0.0 + interface: ::0 + prefer-ip6: no + access-control: 172.23.0.0/16 allow + access-control: 192.168.0.0/16 allow + log-queries: yes + log-replies: yes + use-syslog: no + hide-identity: yes + hide-version: yes + qname-minimisation: yes + domain-insecure: "." + val-permissive-mode: yes + trust-anchor-file: "/usr/share/dnssec-root/trusted-key.key" + local-zone: "adlin.nemunai.re" typetransparent + local-data: "news.adlin.nemunai.re A 172.23.42.1" + local-data: "im.adlin.nemunai.re A 172.23.42.1" + remote-control: + control-enable: no + forward-zone: + name: "." 
+ forward-addr: 9.9.9.9 + mode: "0440" + + - path: etc/dpasswd + contents: | + root:x:0:0:root:/root:/bin/bash + daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin + bin:x:2:2:bin:/bin:/usr/sbin/nologin + sys:x:3:3:sys:/dev:/usr/sbin/nologin + sync:x:4:65534:sync:/bin:/bin/sync + games:x:5:60:games:/usr/games:/usr/sbin/nologin + man:x:6:12:man:/var/cache/man:/usr/sbin/nologin + lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin + mail:x:8:8:mail:/var/mail:/usr/sbin/nologin + news:x:9:9:news:/var/spool/news:/usr/sbin/nologin + uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin + proxy:x:13:13:proxy:/bin:/usr/sbin/nologin + www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin + backup:x:34:34:backup:/var/backups:/usr/sbin/nologin + list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin + irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin + gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin + nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin + _apt:x:100:65534::/nonexistent:/bin/false + messagebus:x:101:102::/var/run/dbus:/bin/false + sshd:x:102:65534::/run/sshd:/usr/sbin/nologin + systemd-timesync:x:103:105:systemd Time Synchronization,,,:/run/systemd:/bin/false + systemd-network:x:104:106:systemd Network Management,,,:/run/systemd/netif:/bin/false + systemd-resolve:x:105:107:systemd Resolver,,,:/run/systemd/resolve:/bin/false + systemd-bus-proxy:x:106:108:systemd Bus Proxy,,,:/run/systemd:/bin/false + mode: "0644" + + + - path: etc/dshadow + contents: | + root:$6$fCh6fLfB$wTiBuIJB2/QLl37VlJ16MsqGmfSDct8ALRpY8kemFC2T4N4eZgdlTnEqTuYn5i4FMc5GoDBx1nfENHQqm0Zgm.:17594:0:99999:7::: + daemon:*:17575:0:99999:7::: + bin:*:17575:0:99999:7::: + sys:*:17575:0:99999:7::: + sync:*:17575:0:99999:7::: + games:*:17575:0:99999:7::: + man:*:17575:0:99999:7::: + lp:*:17575:0:99999:7::: + mail:*:17575:0:99999:7::: + news:*:17575:0:99999:7::: + uucp:*:17575:0:99999:7::: + proxy:*:17575:0:99999:7::: + www-data:*:17575:0:99999:7::: + 
backup:*:17575:0:99999:7::: + list:*:17575:0:99999:7::: + irc:*:17575:0:99999:7::: + gnats:*:17575:0:99999:7::: + nobody:*:17575:0:99999:7::: + _apt:*:17575:0:99999:7::: + messagebus:*:17594:0:99999:7::: + sshd:*:17594:0:99999:7::: + systemd-timesync:*:17594:0:99999:7::: + systemd-network:*:17594:0:99999:7::: + systemd-resolve:*:17594:0:99999:7::: + systemd-bus-proxy:*:17594:0:99999:7::: + mode: "0640" + + - path: etc/dresolv.conf + contents: | + nameserver 172.23.42.2 + mode: "0644" + +trust: + org: + - linuxkit + - library
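Review bot: the `bridges-setup` command in tuto3.yml still runs `ip link set veth-mail master brsrv` and `ip link set veth-mail up`, but the `net-srvmail-setup` container that would create `veth-mail` is commented out, so those two calls fail on every boot and, because the command is a `;`-joined string, the failures are swallowed; either remove the two `veth-mail` statements or re-enable the mail namespace, and consider `&&`-joining so a broken bridge setup stops the boot instead of half-configuring the network. Every service (`router`, `ns`, `db`, `chat`, `ttrss`) gets `capabilities: - all`, while the postfix image in this same commit shows the intended granularity (`CAP_NET_BIND_SERVICE`); listing only what each service needs (`CAP_NET_ADMIN` for the router, `CAP_NET_BIND_SERVICE` for the others, to be verified per image) limits what a compromised service container can do to the rest of the lab. Database and application passwords (`POSTGRES_PASSWORD=adlin2019`, `MM_PASSWORD`, `TTRSS_DB_PASS`, the `CREATE USER ... WITH PASSWORD` lines in the initdb scripts) and the root password hash in `etc/dshadow` are committed and baked into the image; if they are deliberately disposable lab credentials, a comment at the top of `services:` saying so would stop them being copied into a real deployment. The PID lookup in `999-getty.sh`, `$(ps a | grep sshd | head -1)`, is brittle because the `grep sshd` process matches itself and the result depends on PID ordering; `pgrep -o sshd` (if the init image's busybox provides it) or a pid file would be deterministic.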