openstack-ansible-ops/multi-node-aio/playbooks/pxe/configs/debian/vm-post-install-script.sh.j2

#!/usr/bin/env bash

apt-get remove --purge snap* lxc* lxd* || true

sed -i 's/\(GRUB_CMDLINE_LINUX_DEFAULT=\).*/\1\"\"/g' /target/etc/default/grub
update-grub

sed -i '/PermitRootLogin / s/ .*/ yes/' /etc/ssh/sshd_config

mkdir -p /root/.ssh
chmod 0700 /root/.ssh
echo "{{ tftp_ssh_key }}" >> /root/.ssh/authorized_keys

wget --no-proxy http://{{ tftp_server }}/networking/$(cat /etc/hostname)-bridges.cfg -O /etc/network/interfaces.d/vm-bridges.cfg
wget --no-proxy http://{{ tftp_server }}/networking/basic-debian-interface.cfg -O /etc/network/interfaces
# Trusty VMs seem to have their interfaces file overwritten after we write to
# it, so we make it immutable to ensure no further changes take place
# NOTE: We remove the immutable attr in deploy-vms.yml once the instance is up
#       and accessible.
[[ "$(lsb_release -sc)" == "trusty" ]] && chattr +i /etc/network/interfaces

cat > /etc/network/if-up.d/post-up-rules <<EOF
#!/usr/bin/env bash

function iptables_filter_rule_add {
if ! iptables -w -t $1 -C $2;then
  /sbin/iptables -w -t $1 -I $2
fi
}

# To ensure ssh checksum is correct
iptables_filter_rule_add "mangle" "POSTROUTING -p tcp --dport 22 -j CHECKSUM --checksum-fill"

# To provide internet connectivity to instances
iptables_filter_rule_add "nat" "POSTROUTING -o \$(ip route get 1 | awk '{print $5}') -j MASQUERADE"

# Make sure instances can talk to the metadata server
iptables_filter_rule_add "mangle" "POSTROUTING -p tcp --sport 80 -j CHECKSUM --checksum-fill"
EOF
chmod + /etc/network/if-up.d/post-up-rules