tools/debian-mirror-tools/config/debian/common/base-bullseye.yaml
Carmen Rata 5527d0df46 Disallow remote login as root
This commit fixes a security vulnerability found by a NESSUS Scan
in the sshd configuration. The ssh login as root is allowed in
"/etc/ssh/sshd_config" due to "PermitRootLogin" set to "yes".
It should be disallowed, and the setting of "PermitRootLogin"
should be "no". The fix is to remove the section pertaining to
"Allow root ssh login" in "base_bullseye.yaml", which is leftover
from the Debian integration.

Test Plan:
PASS: Verify the stx build installs correctly in an AIO-SX system
configuration.
PASS: Verify the "PermitRootLogin" is set to "no" in
"/etc/ssh/sshd_config" file.
PASS: Verify that remote ssh as user root is not successful.

Closes-Bug: 2051473

Signed-off-by: Carmen Rata <carmen.rata@windriver.com>
Change-Id: Iee29cf2d5ade6268dcafcb0f3eb12d5f9afefc88
2024-01-29 15:12:10 +00:00


---
# LAT image definition for the StarlingX Debian bullseye base image.
# Top-level keys are read by the LAT build; the block scalars under the
# *-scripts keys are executed as shell, and the iso-*-entry scalars are
# copied into the ISO bootloader configuration. Indentation below was
# restored by hand from a whitespace-stripped view of the file.
name: starlingx
machine: intel-x86-64
image_type:
  - iso
  - ostree-repo
debootstrap-mirror: deb-merge-all
package_feeds: []
package_type: external-debian
# wic partition sizing; an empty string leaves that size unset.
wic:
  OSTREE_WKS_BOOT_SIZE: ''
  OSTREE_WKS_EFI_SIZE: --size=32M
  OSTREE_WKS_ROOT_SIZE: ''
  OSTREE_WKS_FLUX_SIZE: ''
  OSTREE_FLUX_PART: fluxdata
gpg:
  # Same homedir is hard-coded again inside iso-post-script (--homedir).
  gpg_path: /tmp/.lat_gnupg_root
  ostree:
    gpgid: Wind-River-Linux-Sample
    gpgkey: $OECORE_NATIVE_SYSROOT/usr/share/genimage/rpm_keys/RPM-GPG-PRIVKEY-Wind-River-Linux-Sample
    # Clear-text passphrase of the sample ostree signing key above.
    # NOTE(review): a sample key and its passphrase are committed here;
    # confirm the release pipeline substitutes its own key material.
    gpg_password: windriver
  grub:
    BOOT_GPG_NAME: SecureBootCore
    # Clear-text passphrase; the same literal is piped into gpg twice
    # inside iso-post-script, so the two places must be kept in sync.
    BOOT_GPG_PASSPHRASE: SecureCore
    BOOT_KEYS_DIR: $OECORE_NATIVE_SYSROOT/usr/share/bootfs/boot_keys
    BOOT_GPG_KEY: $OECORE_NATIVE_SYSROOT/usr/share/bootfs/boot_keys/BOOT-GPG-PRIVKEY-SecureBootCore
    # "SINGED" is presumably the key spelling the consumer expects;
    # do not rename without changing the consumer.
    BOOT_SINGED_SHIM: $IMAGE_ROOTFS/usr/lib/shim/bootx64.efi
    BOOT_SINGED_SHIMTOOL: $IMAGE_ROOTFS/usr/lib/shim/mmx64.efi
    BOOT_SINGED_GRUB: $IMAGE_ROOTFS/boot/efi/EFI/BOOT/grubx64.efi
    BOOT_EFITOOL: $IMAGE_ROOTFS/usr/lib/efitools/x86_64-linux-gnu/LockDown.efi
    BOOT_GRUB_CFG: $IMAGE_ROOTFS/boot/efi/EFI/BOOT/grub.cfg
    BOOT_NOSIG_GRUB: $IMAGE_ROOTFS/boot/efi/EFI/BOOT/bootx64-nosig.efi
    # The scripts below compare this against the literal "enable";
    # any other value (including "disable") skips the secure-boot steps.
    EFI_SECURE_BOOT: disable
packages: []
external-packages: []
include-default-packages: '0'
# Runs before the rootfs is finalised. The script chroots into
# $IMAGE_ROOTFS; the heredoc body must stay at the scalar's base indent
# because the terminator is a plain "<< SCRIPT_ENDOF" (no "<<-").
# NOTE(review): the ostree install step passes --allow-unauthenticated
# and --allow-downgrades, so apt signature and version checks are
# bypassed for those packages; this is only acceptable if the feed
# reached by "apt update" is a trusted local mirror — confirm.
rootfs-pre-scripts:
  - |
    # The StarlingX customize pacakges includes:
    # - ostree 2019.1
    export PATH=/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
    chroot $IMAGE_ROOTFS bash << SCRIPT_ENDOF
    set -e
    # Speed up apt/dpkg used for running build-image
    echo force-unsafe-io > /etc/dpkg/dpkg.cfg.d/unsafe-io
    apt update
    apt install -y --no-install-recommends linux-image-stx-amd64 linux-rt-image-stx-amd64 grub-common
    apt install -y --allow-downgrades --allow-unauthenticated --no-install-recommends ostree ostree-boot libostree-1-1 ostree-upgrade-mgr
    apt install --no-install-recommends -y ifupdown
    apt install -y bc vim uuid-runtime iputils-ping
    # Move dpkg database to /usr so it's accessible after the OS /var is
    # mounted, but make a symlink so it works without modifications to
    # dpkg or apt
    mv /var/lib/dpkg /usr/share/dpkg/database
    ln -sr /usr/share/dpkg/database /var/lib/dpkg
    SCRIPT_ENDOF
# Each entry runs as its own script against $IMAGE_ROOTFS after
# package installation.
rootfs-post-scripts:
  # /bin/sh -> bash inside the image.
  - |-
    # Set bash as default shell
    ln -snf --relative $IMAGE_ROOTFS/bin/bash $IMAGE_ROOTFS/bin/sh
  - |-
    # FIXME: OSTree will not set up a link to scratch automagically. Need to
    # relocate scratch to a more ostree friendly locale
    mkdir $IMAGE_ROOTFS/var/rootdirs/scratch
    ln -snf --relative $IMAGE_ROOTFS/var/rootdirs/scratch $IMAGE_ROOTFS/scratch
  - |-
    # Make /opt/branding to writable (To make end-user enable to place their branding archive)
    mkdir $IMAGE_ROOTFS/var/branding
    mkdir -p $IMAGE_ROOTFS/var/rootdirs/opt
    ln -snf --relative $IMAGE_ROOTFS/var/branding $IMAGE_ROOTFS/var/rootdirs/opt/branding
  # Empties the image's resolver config and apt sources, presumably so
  # build-time network settings do not ship in the image.
  - |-
    cat /dev/null > $IMAGE_ROOTFS/etc/resolv.conf
  - |-
    cat /dev/null > $IMAGE_ROOTFS/etc/apt/sources.list
  # Removes the dpkg "force-unsafe-io" override written by the pre-script.
  # NOTE(review): the path is relative ("etc/...") while every sibling
  # script uses $IMAGE_ROOTFS; this only works if the working directory
  # is the rootfs — confirm, or use $IMAGE_ROOTFS/etc/dpkg/dpkg.cfg.d/unsafe-io.
  - |-
    # Only used for running build-image
    rm -f etc/dpkg/dpkg.cfg.d/unsafe-io
  # Replaces the PXE grub binary with the signed one when secure boot is on.
  - |-
    # There is ${IMAGE_ROOTFS}/var/pxeboot/grubx64.efi from parent linux installed
    # For secure boot feature, it should be replaced with the right one
    if [ "$EFI_SECURE_BOOT" = enable ]; then
      install -m 0644 ${IMAGE_ROOTFS}/boot/efi/EFI/BOOT/grubx64.efi ${IMAGE_ROOTFS}/var/pxeboot/grubx64.efi
    fi
# Environment made available to the build scripts.
environments:
  - NO_RECOMMENDATIONS="1"
  - DEBIAN_FRONTEND=noninteractive
  # Kernel command line for the installed system: reserves crash-dump
  # memory and selects apparmor as the LSM while apparmor=0 leaves it off.
  - KERNEL_PARAMS=crashkernel=2048M apparmor=0 security=apparmor
ostree:
  ostree_use_ab: '0'
  ostree_osname: debian
  ostree_skip_boot_diff: '2'
  ostree_remote_url: ''
  ostree_install_device: '/dev/sda'
  # grub superuser and the file holding its password, read from the
  # native sysroot at build time. NOTE(review): presumably a hashed
  # (pbkdf2) value — confirm the file is not clear text.
  OSTREE_GRUB_USER: root
  OSTREE_GRUB_PW_FILE: $OECORE_NATIVE_SYSROOT/usr/share/bootfs/boot_keys/ostree_grub_pw
  # Partition sizing for the installer's fdisk step; units are not
  # stated in this file.
  OSTREE_FDISK_BLM: 2506
  OSTREE_FDISK_BSZ: 512
  OSTREE_FDISK_RSZ: 20480
  OSTREE_FDISK_VSZ: 20480
  OSTREE_FDISK_FSZ: 32
  OSTREE_CONSOLE: console=ttyS0,115200
debootstrap-key: ''
# Presumably the public key used to verify the package feed.
apt-keys:
  - /opt/LAT/pubkey.rsa
# UEFI install menu for the ISO grub.cfg. %BOOT_PARAMS% and @INITRD@ are
# placeholders filled in by the build; the defaultkernel= globs match
# multiple-kernels / default-kernel at the end of this file. Every entry
# is --unrestricted, so the OSTREE_GRUB_USER password is not needed to
# boot an installer entry.
iso-grub-entry: |
  submenu 'UEFI Debian Controller Install' --unrestricted --id=standard {
    menuentry 'Serial Console' --unrestricted --id=serial {
      set fallback=1
      efi-watchdog enable 0 1200
      linux /bzImage-std %BOOT_PARAMS% traits=controller defaultkernel=vmlinuz-*[!t]-amd64
      initrd @INITRD@
    }
    menuentry 'Graphical Console' --unrestricted --id=graphical {
      set fallback=1
      efi-watchdog enable 0 1200
      linux /bzImage-std %BOOT_PARAMS% traits=controller defaultkernel=vmlinuz-*[!t]-amd64 console=tty1
      initrd @INITRD@
    }
  }
  submenu 'UEFI Debian All-in-one Install' --unrestricted --id=aio {
    menuentry 'Serial Console' --unrestricted --id=serial {
      set fallback=1
      efi-watchdog enable 0 1200
      linux /bzImage-std %BOOT_PARAMS% traits=controller,worker defaultkernel=vmlinuz-*[!t]-amd64
      initrd @INITRD@
    }
    menuentry 'Graphical Console' --unrestricted --id=graphical {
      set fallback=1
      efi-watchdog enable 0 1200
      linux /bzImage-std %BOOT_PARAMS% traits=controller,worker defaultkernel=vmlinuz-*[!t]-amd64 console=tty1
      initrd @INITRD@
    }
  }
  submenu 'UEFI Debian All-in-one (lowlatency) Install' --unrestricted --id=aio-lowlat {
    menuentry 'Serial Console' --unrestricted --id=serial {
      set fallback=1
      efi-watchdog enable 0 1200
      linux /bzImage-rt %BOOT_PARAMS% traits=controller,worker,lowlatency defaultkernel=vmlinuz-*-rt-amd64 efi=runtime
      initrd @INITRD@
    }
    menuentry 'Graphical Console' --unrestricted --id=graphical {
      set fallback=1
      efi-watchdog enable 0 1200
      linux /bzImage-rt %BOOT_PARAMS% traits=controller,worker,lowlatency defaultkernel=vmlinuz-*-rt-amd64 efi=runtime console=tty1
      initrd @INITRD@
    }
  }
# Legacy BIOS (isolinux) menu mirroring the grub entries above; labels 1-6
# correspond to the six menuentry blocks in the same order.
iso-syslinux-entry: |
  menu start
  ontimeout 1
  menu begin
    menu title Debian Controller Install
    menu default
    label 1
      menu label Serial Console
      kernel /bzImage-std
      ipappend 2
      append initrd=@INITRD@ %BOOT_PARAMS% traits=controller defaultkernel=vmlinuz-*[!t]-amd64
    label 2
      menu label Graphical Console
      kernel /bzImage-std
      ipappend 2
      append initrd=@INITRD@ %BOOT_PARAMS% traits=controller defaultkernel=vmlinuz-*[!t]-amd64 console=tty1
  menu end
  menu begin
    menu title Debian All-in-one Install
    label 3
      menu label Serial Console
      kernel /bzImage-std
      ipappend 2
      append initrd=@INITRD@ %BOOT_PARAMS% traits=controller,worker defaultkernel=vmlinuz-*[!t]-amd64
    label 4
      menu label Graphical Console
      kernel /bzImage-std
      ipappend 2
      append initrd=@INITRD@ %BOOT_PARAMS% traits=controller,worker defaultkernel=vmlinuz-*[!t]-amd64 console=tty1
  menu end
  menu begin
    menu title Debian All-in-one (lowlatency) Install
    label 5
      menu label Serial Console
      kernel /bzImage-rt
      ipappend 2
      append initrd=@INITRD@ %BOOT_PARAMS% traits=controller,worker,lowlatency defaultkernel=vmlinuz-*-rt-amd64
    label 6
      menu label Graphical Console
      kernel /bzImage-rt
      ipappend 2
      append initrd=@INITRD@ %BOOT_PARAMS% traits=controller,worker,lowlatency defaultkernel=vmlinuz-*-rt-amd64 console=tty1
  menu end
# Runs in ${ISO_DIR} once the ISO tree is assembled: copies the std/rt
# kernels (and their .sig files), kickstart samples, PXE boot material
# and upgrade metadata, rewrites boot parameters in grub.cfg and
# isolinux.cfg, and re-signs grub.cfg when EFI_SECURE_BOOT=enable.
# NOTE(review): both gpg signing steps pipe the literal passphrase
# 'SecureCore' (duplicating BOOT_GPG_PASSPHRASE) via --passphrase-fd 0;
# if the build exports that variable, reference it instead — confirm.
# The PXE grub.cfg/pxelinux default are pointed at plain-HTTP URLs on
# pxecontroller:8080 for both the ostree repo and the kickstart, so the
# network-boot path depends on that host and network being trusted.
iso-post-script: |
  cd ${ISO_DIR}
  # 0. Prepare
  # According to `multiple-kernels' in lat yaml, install std
  # or rt kernel to ISO
  for k in ${OSTREE_MULTIPLE_KERNELS}; do
    if [ "${k%%-rt-amd64}" != "${k}" ]; then
      cp ${DEPLOY_DIR_IMAGE}/${k} bzImage-rt
      if [ -e ${DEPLOY_DIR_IMAGE}/${k}.sig ]; then
        cp ${DEPLOY_DIR_IMAGE}/${k}.sig bzImage-rt.sig
      fi
    else
      cp ${DEPLOY_DIR_IMAGE}/${k} bzImage-std
      if [ -e ${DEPLOY_DIR_IMAGE}/${k}.sig ]; then
        cp ${DEPLOY_DIR_IMAGE}/${k}.sig bzImage-std.sig
      fi
    fi
  done
  # 1. Kickstart
  mkdir -p kickstart
  # 1.1 Kickstart example for PXE
  cat << ENDOF > kickstart/pxe-ks.cfg
  lat-disk --install-device=/dev/disk/by-path/pci-0000:af:00.0-scsi-0:2:0:0
  ENDOF
  # 1.2 Kickstart example for ISO
  cat << ENDOF > kickstart/iso-ks.cfg
  lat-disk --install-device=/dev/sda
  ENDOF
  # 1.3 Kickstart from image rootfs (provided by package platform-kickstarts)
  if [ -e $IMAGE_ROOTFS/var/www/pages/feed/rel-*/kickstart/kickstart.cfg ]; then
    cp $IMAGE_ROOTFS/var/www/pages/feed/rel-*/kickstart/kickstart.cfg kickstart/
  fi
  if [ -e $IMAGE_ROOTFS/var/www/pages/feed/rel-*/kickstart/miniboot.cfg ]; then
    cp $IMAGE_ROOTFS/var/www/pages/feed/rel-*/kickstart/miniboot.cfg kickstart/
  fi
  if [ -d $IMAGE_ROOTFS/var/www/pages/feed/rel-*/kickstart/centos ]; then
    cp -r $IMAGE_ROOTFS/var/www/pages/feed/rel-*/kickstart/centos kickstart/
  fi
  # 2. PXE
  mkdir -p pxeboot/pxelinux.cfg
  # 2.1 Kernel and initramfs
  install -m 644 bzImage* pxeboot
  install -m 644 initrd* pxeboot
  # 2.2 Bootloader
  # 2.2.1 Legacy BIOS PXE
  cp $OECORE_TARGET_SYSROOT/usr/share/syslinux/pxelinux.0 pxeboot/
  cp isolinux/isolinux.cfg pxeboot/pxelinux.cfg/default
  for f in libcom32.c32 ldlinux.c32 libutil.c32 vesamenu.c32; do
    cp isolinux/$f pxeboot/
  done
  # 2.2.2 EFI PXE
  cp -a EFI pxeboot
  if [ -e ${IMAGE_ROOTFS}/boot/efi/EFI/BOOT/bootx64-nosig.efi ]; then
    cp ${IMAGE_ROOTFS}/boot/efi/EFI/BOOT/bootx64-nosig.efi pxeboot/EFI/BOOT/
  fi
  # 2.3 Edit grub.cfg and pxelinux.cfg/default
  # 2.3.1 Drop to install from local ostree repo
  sed -i "s#instl=/ostree_repo#@BOOTPARAMS@#g" \
    pxeboot/EFI/BOOT/grub.cfg \
    pxeboot/pxelinux.cfg/default
  # 2.3.2 Install from remote ostree repo
  sed -i "s#insturl=file://NOT_SET#insturl=http://pxecontroller:8080/feed/debian/ostree_repo#g" \
    pxeboot/EFI/BOOT/grub.cfg \
    pxeboot/pxelinux.cfg/default
  # 2.3.3 Configure kickstart url
  BOOT_PARAMS="ks=http://pxecontroller:8080/feed/debian/kickstart/pxe-ks.cfg"
  # 2.3.4 Verbose installation
  #BOOT_PARAMS="${BOOT_PARAMS} instsh=2"
  # 2.3.5 Update boot params
  sed -i "s#@BOOTPARAMS@#${BOOT_PARAMS}#g" \
    pxeboot/EFI/BOOT/grub.cfg \
    pxeboot/pxelinux.cfg/default
  # 2.3.6 Add `Boot from hard drive' entry to grub.cfg
  cat <<ENDOF>> pxeboot/EFI/BOOT/grub.cfg
  export skip_check_cfg
  menuentry 'UEFI Boot from hard drive' {
  search --set=root --label otaefi
  configfile /efi/boot/grub.cfg
  }
  ENDOF
  # 2.4 Tweak PXE if EFI secure boot enabled
  if [ "$EFI_SECURE_BOOT" = enable ]; then
    # On some host, PXE make bootx64.efi search grubx64.efi
    # from tftp/ dir other than tftp/EFI/BOOT/
    install -m 0644 EFI/BOOT/grubx64.efi pxeboot/
    # Resign grub.cfg
    rm pxeboot/EFI/BOOT/grub.cfg.sig
    echo 'SecureCore' | gpg --pinentry-mode loopback \
      --batch \
      --homedir /tmp/.lat_gnupg_root \
      -u SecureBootCore \
      --detach-sign \
      --passphrase-fd 0 \
      pxeboot/EFI/BOOT/grub.cfg
  fi
  # 2.5 copy pxeboot config template files to pxeboot/pxelinux.cfg
  mkdir -p pxeboot/pxelinux.cfg.files
  cp ${IMAGE_ROOTFS}/var/pxeboot/pxelinux.cfg.files/efi-pxe-* pxeboot/pxelinux.cfg.files/
  cp ${IMAGE_ROOTFS}/var/pxeboot/pxelinux.cfg.files/pxe-* pxeboot/pxelinux.cfg.files/
  # 2.6 upgrades directory and upgrade meta files
  RELEASE_VER=$(cat ${IMAGE_ROOTFS}/etc/build.info | grep SW_VERSION | cut -f2 -d'=' | tr -d '"')
  mkdir -p upgrades
  cp ${IMAGE_ROOTFS}/etc/pxeboot-update-${RELEASE_VER}.sh upgrades/
  cp ${IMAGE_ROOTFS}/usr/sbin/deploy-precheck upgrades/
  cp ${IMAGE_ROOTFS}/usr/sbin/upgrade_utils.py upgrades/
  cp ${IMAGE_ROOTFS}/opt/upgrades/import.sh upgrades/
  cp ${IMAGE_ROOTFS}/opt/upgrades/metadata.xml upgrades/
  cp ${IMAGE_ROOTFS}/usr/sbin/usm_load_import upgrades/
  sed -i "s/xxxSW_VERSIONxxx/${RELEASE_VER}/g" upgrades/metadata.xml
  mkdir -p patches
  cp ${IMAGE_ROOTFS}/etc/software/*-metadata.xml upgrades/
  cp ${IMAGE_ROOTFS}/etc/software/*-metadata.xml patches/
  echo -n "VERSION=${RELEASE_VER}" > upgrades/version
  mkdir -p upgrades/software-deploy
  # Copy all software-deploy scripts to upgrades/software-deploy in ISO
  cp ${IMAGE_ROOTFS}/usr/sbin/software-deploy/* upgrades/software-deploy/
  # 3. ISO
  # 3.1 Edit grub.cfg and isolinux.cfg
  # 3.1.1 Configure local kickstart url and LVM root and fluxdata device
  BOOT_PARAMS="ks=file:///kickstart/kickstart.cfg"
  BOOT_PARAMS="${BOOT_PARAMS} inst_ostree_root=/dev/mapper/cgts--vg-root--lv"
  BOOT_PARAMS="${BOOT_PARAMS} inst_ostree_var=/dev/mapper/cgts--vg-var--lv"
  # 3.1.2 Verbose installation
  #BOOT_PARAMS="${BOOT_PARAMS} instsh=2"
  # 3.1.3 Update boot params
  sed -i "s#instl=/ostree_repo#& ${BOOT_PARAMS}#g" \
    EFI/BOOT/grub.cfg \
    isolinux/isolinux.cfg
  # According to `default-kernel' in lat yaml, set which
  # bootloader menu entry to boot
  sed -i "s/^DEFAULT .*//g" \
    isolinux/isolinux.cfg
  if [ "${OSTREE_DEFAULT_KERNEL%%-rt-amd64}" != "${OSTREE_DEFAULT_KERNEL}" ]; then
    # Boot rt kernel by default
    sed -i "s/ set default=.*/ set default=2/g" \
      EFI/BOOT/grub.cfg
  else
    # Boot std kernel by default
    sed -i "s/ set default=.*/ set default=0/g" \
      EFI/BOOT/grub.cfg
  fi
  # 3.2 Resign grub.cfg if EFI secure boot enabled
  if [ "$EFI_SECURE_BOOT" = enable ]; then
    rm EFI/BOOT/grub.cfg.sig
    echo 'SecureCore' | gpg --pinentry-mode loopback \
      --batch \
      --homedir /tmp/.lat_gnupg_root \
      -u SecureBootCore \
      --detach-sign \
      --passphrase-fd 0 \
      EFI/BOOT/grub.cfg
  fi
  # Update the grub.cfg in efi.img according to above setting.
  # Don't update grub.cfg.sig because the grub.cfg signature checking
  # has been omitted.
  mdel -i efi.img ::/EFI/BOOT/grub.cfg
  mcopy -i efi.img EFI/BOOT/grub.cfg ::/EFI/BOOT/
  # Put the controller-0 pxeboot install grub menu samples and
  # setup script into a new the ISO's pxeboot/samples directory.
  install -v -d -m 0755 pxeboot/samples
  install -m 0555 ${IMAGE_ROOTFS}/usr/sbin/pxeboot_setup.sh pxeboot/samples
  echo "See pxeboot_setup.sh --help for usage details" > pxeboot/samples/README
  install -m 0664 ${IMAGE_ROOTFS}/var/pxeboot/pxelinux.cfg.files/pxeboot.cfg.debian pxeboot/samples
  install -m 0664 ${IMAGE_ROOTFS}/var/pxeboot/pxelinux.cfg.files/efi-pxeboot.cfg.debian pxeboot/samples
  # Added CERTS into efi.img
  if [ "$EFI_SECURE_BOOT" = enable ]; then
    mmd -i efi.img ::/CERTS
    mcopy -i efi.img -s /localdisk/CERTS/* ::/CERTS/
    mkdir images
    ln -snf ../efi.img images/efiboot.img
  fi
  # Generate package list file in the iso root
  echo "Verifying package list for ${IMAGE_NAME}"
  if [ -f "/localdisk/workdir/${IMAGE_NAME}/packages.yaml" ]; then
    echo "Copying ISO package list"
    cp /localdisk/workdir/${IMAGE_NAME}/packages.yaml sw_package_list.yaml
  fi
# Placeholder hook: only prints a message, no initramfs signing happens here.
initramfs-sign-script: |
  echo "End of initramfs-sign-script!"
# Kernel selection globs; "*[!t]-amd64" excludes the "-rt-amd64" variant
# so the two patterns are disjoint.
multiple-kernels: vmlinuz-*[!t]-amd64 vmlinuz-*-rt-amd64
default-kernel: vmlinuz-*[!t]-amd64
# Presumably additional LAT definitions merged into this one.
system:
  - contains:
      - /localdisk/deploy/lat-initramfs.yaml