1. photon
  2. support
  3. cloud-image-builder
  4. gce
  5. gce-patch.sh
Raw Blame History 
#!/bin/bash

cd /lib/systemd/system/multi-user.target.wants/

# Create links in multi-user.target to auto-start these scripts and services.
for i in ../google*; do  ln -s $i `basename $i`; done
# for i in ../kube*; do  ln -s $i `basename $i`; done

ln -s ../ntpd.service ntpd.service
ln -s ../docker.service docker.service

# Update /etc/hosts file with GCE values
echo "169.254.169.254 metadata.google.internal metadata" >> /etc/hosts

# Remove all servers from ntp.conf and add Google's ntp server.
sed -i -e "/server/d" /etc/ntp.conf
echo "server metadata.google.internal iburst" >> /etc/ntp.conf
echo "server 169.254.169.254" >> /etc/ntp.conf


# Set UTC timezone
ln -sf /usr/share/zoneinfo/UTC /etc/localtime

echo "DNS=169.254.169.254 8.8.8.8" >> /etc/systemd/resolved.conf

# Remove ssh host keys and add script to regenerate them at boot time.

rm -f /etc/ssh/ssh_host_*

printf "GOOGLE\n" > /etc/ssh/sshd_not_to_be_run

sudo groupadd docker
sudo groupadd sudo

rm /root/.ssh/authorized_keys   

# ssh server config
# Override old values
rm /etc/ssh/sshd_config

echo "AuthorizedKeysFile .ssh/authorized_keys" >> /etc/ssh/sshd_config
echo "PubkeyAuthentication yes" >> /etc/ssh/sshd_config
echo "UsePrivilegeSeparation sandbox" >> /etc/ssh/sshd_config
echo "PasswordAuthentication no" >> /etc/ssh/sshd_config
echo "PermitRootLogin no" >> /etc/ssh/sshd_config
echo "PermitTunnel no" >> /etc/ssh/sshd_config
echo "AllowTcpForwarding yes" >> /etc/ssh/sshd_config
echo "X11Forwarding no" >> /etc/ssh/sshd_config
echo "ClientAliveInterval 420" >> /etc/ssh/sshd_config
echo "ChallengeResponseAuthentication no" >> /etc/ssh/sshd_config
echo "UsePAM yes" >> /etc/ssh/sshd_config


# ssh client config
# Override old values

rm /etc/ssh/ssh_config

echo "Host *" >> /etc/ssh/ssh_config
echo "Protocol 2" >> /etc/ssh/ssh_config
echo "ForwardAgent no" >> /etc/ssh/ssh_config
echo "ForwardX11 no" >> /etc/ssh/ssh_config
echo "HostbasedAuthentication no" >> /etc/ssh/ssh_config
echo "StrictHostKeyChecking no" >> /etc/ssh/ssh_config
echo "Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc" >> /etc/ssh/ssh_config
echo "Tunnel no" >> /etc/ssh/ssh_config
echo "ServerAliveInterval 420" >> /etc/ssh/ssh_config

# Disable root login
usermod -L root

# Disable ipv6
echo "net.ipv6.conf.all.disable_ipv6 = 1" > /etc/sysctl.d/ipv6-disable.conf

# Disable loading/unloading of modules
#echo "kernel.modules_disabled = 1" > /etc/sysctl.d/modules_disabled.conf

# Remove kernel symbols
rm -f /boot/System.map*

echo "[Link]" >> /etc/systemd/network/*.network
echo "MTUBytes=1460" >> /etc/systemd/network/*.network

cat > /usr/bin/gcloud << "EOF"
docker inspect google/cloud-sdk &> /dev/null

if [ $? == 1 ]; then
        docker pull google/cloud-sdk &> /dev/null
fi

docker run --rm -it google/cloud-sdk gcloud $*
EOF

cat > /usr/bin/gsutil << "EOF"
docker inspect google/cloud-sdk &> /dev/null

if [ $? == 1 ]; then
        docker pull google/cloud-sdk &> /dev/null
fi

docker run --rm -it google/cloud-sdk gsutil $*
EOF

chmod a+x /usr/bin/gcloud
chmod a+x /usr/bin/gsutil