@@ -39,13 +39,15 @@ rm /etc/ssh/sshd_config |
| 39 | 39 |
|
| 40 | 40 |
echo "AuthorizedKeysFile .ssh/authorized_keys" >> /etc/ssh/sshd_config |
| 41 | 41 |
echo "UsePrivilegeSeparation sandbox" >> /etc/ssh/sshd_config |
| 42 |
-echo "PasswordAuthentication yes" >> /etc/ssh/sshd_config |
|
| 43 |
-echo "PermitRootLogin yes" >> /etc/ssh/sshd_config |
|
| 42 |
+echo "PubkeyAuthentication yes" >> /etc/ssh/sshd_config |
|
| 43 |
+echo "PasswordAuthentication no" >> /etc/ssh/sshd_config |
|
| 44 |
+echo "PermitRootLogin without-password" >> /etc/ssh/sshd_config |
|
| 44 | 45 |
echo "PermitTunnel no" >> /etc/ssh/sshd_config |
| 45 | 46 |
echo "AllowTcpForwarding yes" >> /etc/ssh/sshd_config |
| 46 | 47 |
echo "X11Forwarding no" >> /etc/ssh/sshd_config |
| 47 | 48 |
echo "ClientAliveInterval 420" >> /etc/ssh/sshd_config |
| 48 |
-#echo "ChallengeResponseAuthentication no" >> /etc/ssh/sshd_config |
|
| 49 |
+echo "UseDNS no" >> /etc/ssh/sshd_config |
|
| 50 |
+echo "ChallengeResponseAuthentication no" >> /etc/ssh/sshd_config |
|
| 49 | 51 |
echo "UsePAM yes" >> /etc/ssh/sshd_config |
| 50 | 52 |
|
| 51 | 53 |
|
@@ -65,7 +67,7 @@ echo "Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc, |
| 65 | 65 |
echo "Tunnel no" >> /etc/ssh/ssh_config |
| 66 | 66 |
echo "ServerAliveInterval 420" >> /etc/ssh/ssh_config |
| 67 | 67 |
|
| 68 |
- |
|
| 68 |
+sed -i '/.*linux.*vmlinuz/ s/$/ console=ttyS0/' /boot/grub/grub.cfg |
|
| 69 | 69 |
# Disable root login |
| 70 | 70 |
#usermod -L root |
| 71 | 71 |
|
| 72 | 72 |
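--- /dev/null
+++ b/NEW_FILE_PATH_NOT_SHOWN
@@ -0,0 +1,92 @@
+# The top level settings are used as module
+# and system configuration.
+
+# A set of users which may be applied and/or used by various modules
+# when a 'default' entry is found it will reference the 'default_user'
+# from the distro configuration specified below
+users:
+  - name: root
+    lock-passwd: true
+
+# If this is set, 'root' will not be able to ssh in and they
+# will get a message to login instead as the above $user (ubuntu)
+disable_root: false
+
+# This will cause the set+update hostname module to not operate (if true)
+preserve_hostname: false
+
+# datasources to check for cloud-config
+datasource_list: [
+   Ec2
+ ]
+
+# Example datasource config
+datasource:
+  Ec2:
+    metadata_urls: [ 'http://169.254.169.254' ]
+# timeout: 5 # (defaults to 50 seconds)
+# max_wait: 10 # (defaults to 120 seconds)
+
+# The modules that run in the 'init' stage
+cloud_init_modules:
+# - migrator
+# - seed_random
+ - bootcmd
+ - write-files
+# - growpart
+# - resizefs
+ - set_hostname
+ - update_hostname
+# - update_etc_hosts
+# - ca-certs
+# - rsyslog
+ - users-groups
+ - ssh
+
+# The modules that run in the 'config' stage
+cloud_config_modules:
+# Emit the cloud config ready event
+# this can be used by upstart jobs for 'start on cloud-config'.
+# - emit_upstart
+# - disk_setup
+# - mounts
+ - ssh-import-id
+# - set-passwords
+ - package-update-upgrade-install
+# - landscape
+# - timezone
+# - puppet
+# - chef
+# - salt-minion
+# - mcollective
+# - disable-ec2-metadata
+ - runcmd
+# - byobu
+ - yum-add-repo
+
+# The modules that run in the 'final' stage
+cloud_final_modules:
+# - rightscale_userdata
+ - scripts-vendor
+ - scripts-per-once
+ - scripts-per-boot
+ - scripts-per-instance
+ - scripts-user
+ - ssh-authkey-fingerprints
+# - keys-to-console
+# - phone-home
+ - final-message
+# - power-state-change
+
+# System and/or distro specific settings
+# (not accessible to handlers/transforms)
+system_info:
+   # This will affect which distro class gets used
+   distro: photon
+   # Other config here will be given to the distro class and/or path classes
+   paths:
+      cloud_dir: /var/lib/cloud/
+      templates_dir: /etc/cloud/templates/
+      upstart_dir: /etc/init/
+
+   ssh_svcname: ssh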
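Review bot: `disable_root: false` on new line 12 keeps root reachable over SSH, and the two comment lines above it were lifted from an Ubuntu cloud.cfg — they promise a login message naming `$user (ubuntu)`, but this file sets no `default_user` under `system_info`, so the description does not match this image. Replace them with a comment stating the actual contract, for example `# root may log in over SSH by key only: lock-passwd above disables its password, and the sshd_config written elsewhere in this commit sets PasswordAuthentication no and PermitRootLogin without-password`. `without-password` is the pre-OpenSSH-7.0 spelling of `prohibit-password`; current servers still accept it, but the newer name states the key-only intent more plainly. The trailing `ssh_svcname: ssh` is presumably the unit cloud-init restarts after writing host keys; if the service on this distro is named `sshd`, that restart will miss, so a comment giving the unit name this value was checked against would help the next maintainer.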
@@ -97,6 +97,7 @@ if [ $IMG_NAME != "ova" ] |
| 97 | 97 |
cp etcd.service $PHOTON_IMG_OUTPUT_PATH/photon-${IMG_NAME}/lib/systemd/system/
|
| 98 | 98 |
cp -f docker.service $PHOTON_IMG_OUTPUT_PATH/photon-${IMG_NAME}/lib/systemd/system/
|
| 99 | 99 |
cp -f docker.socket $PHOTON_IMG_OUTPUT_PATH/photon-${IMG_NAME}/lib/systemd/system/
|
| 100 |
+ cp -f $IMG_NAME/cloud-photon.cfg $PHOTON_IMG_OUTPUT_PATH/photon-${IMG_NAME}/etc/cloud/cloud.cfg
|
|
| 100 | 101 |
cp $IMG_NAME/$IMG_NAME-patch.sh $PHOTON_IMG_OUTPUT_PATH/photon-${IMG_NAME}/
|
| 101 | 102 |
|
| 102 | 103 |
cp /etc/resolv.conf $PHOTON_IMG_OUTPUT_PATH/photon-${IMG_NAME}/etc/
|