Merge branch 'first-version' into 'master'

First QEMU version

See merge request !1

.gitlab-ci.yml

+include:
+  - project: muni-kypo-images/ci-cd-virtual-images
+    file: .gitlab-ci-template.yml
+
+variables:
+  NAME: "rocky"
+  TYPE: "linux"
+  DISTRO: "centos"

CHANGELOG.md

+# Changelog
+
+## [qemu-0.1.0] - 2022-02-09
+### Added
+- First Rocky Linux version
+
+[qemu-0.1.0]: https://gitlab.ics.muni.cz/muni-kypo-images/rocky-8/-/tree/qemu-0.1.0

LICENSE

+Copyright 2021 Masaryk University
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

-# rocky-8
+# Rocky Linux 8 Base image
+
+This repo contains Packer files for building Rocky Linux 8 amd64 base image for QEMU/OpenStack and for VirtualBox/Vagrant using Gitlab CI/CD.
+
+## Image for QEMU/OpenStack
+
+There is one user account:
+
+*  `centos` created by [cloud-init](https://cloudinit.readthedocs.io/en/latest/), enabled for SSH
+
+Drm module is disabled due to graphical problem with Openstack's spice console.
+
+## Image for VirtualBox/Vagrant
+
+There is one user account:
+
+*  `vagrant` with password `vagrant`, enabled for SSH
+
+
+## Known issues and requested features
+
+* See [issues](https://gitlab.ics.muni.cz/muni-kypo-images/rocky-8/-/issues).
+
+## License
+
+This project is licensed under the [MIT License](LICENSE).
+
+## Acknowledgements
+
+<table>
+  <tr>
+    <td>![EU](figures/EU.jpg "EU emblem")</td>
+    <td>
+This software and accompanying documentation is part of a [project](https://cybersec4europe.eu) that has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No. 830929.
+</td>
+  </tr>
+  <tr>
+      <td>![TACR](figures/TACR.png "TACR logo")</td>
+      <td>This software was developed with the support of the Technology Agency of the Czech Republic (TA ČR) from the National Centres of Competence programme (project identification TN01000077 – [National Centre of Competence in Cybersecurity](https://nc3.cz/)). 
+      </td>
+  </tr>
+ </table>
 
-Rocky Linux 8 base image for KYPO and Vagrant built from ISO
\ No newline at end of file

Vagrantfile

+# -*- mode: ruby -*-
+# vi: set ft=ruby :
+
+Vagrant.configure("2") do |config|
+
+  config.vm.box = "mybox"
+  config.vm.box_check_update = false
+
+  config.vm.provider "virtualbox" do |vb|
+    vb.gui = false
+    vb.memory = "4096"
+  end
+
+  config.vm.provision :ansible do |ansible|
+    ansible.playbook = "playbook.yml"
+    ansible.verbose = true
+    ansible.extra_vars = {
+      ansible_python_interpreter: "/usr/bin/python3",
+    }
+  end
+end

cloud.cfg

+# The top level settings are used as module
+# and system configuration.
+
+# A set of users which may be applied and/or used by various modules
+# when a 'default' entry is found it will reference the 'default_user'
+# from the distro configuration specified below
+users:
+   - default
+
+# If this is set, 'root' will not be able to ssh in and they
+# will get a message to login instead as the above $user (debian)
+disable_root: true
+
+# This will cause the set+update hostname module to not operate (if true)
+preserve_hostname: false
+
+# Example datasource config
+# datasource:
+#    Ec2:
+#      metadata_urls: [ 'blah.com' ]
+#      timeout: 5 # (defaults to 50 seconds)
+#      max_wait: 10 # (defaults to 120 seconds)
+
+# The modules that run in the 'init' stage
+cloud_init_modules:
+ - migrator
+ - seed_random
+ - bootcmd
+ - write-files
+ - growpart
+ - resizefs
+ - disk_setup
+ - mounts
+ - set_hostname
+ - update_hostname
+ - update_etc_hosts
+ - ca-certs
+ - rsyslog
+ - users-groups
+ - ssh
+
+# The modules that run in the 'config' stage
+cloud_config_modules:
+# Emit the cloud config ready event
+# this can be used by upstart jobs for 'start on cloud-config'.
+ - emit_upstart
+ - ssh-import-id
+ - locale
+ - set-passwords
+ - grub-dpkg
+ - apt-pipelining
+ - apt-configure
+ - ntp
+ - timezone
+ - disable-ec2-metadata
+ - runcmd
+ - byobu
+
+# The modules that run in the 'final' stage
+cloud_final_modules:
+ - package-update-upgrade-install
+ - fan
+ - puppet
+ - chef
+ - salt-minion
+ - mcollective
+ - rightscale_userdata
+ - scripts-vendor
+ - scripts-per-once
+ - scripts-per-boot
+ - scripts-per-instance
+ - scripts-user
+ - ssh-authkey-fingerprints
+ - keys-to-console
+ - phone-home
+ - final-message
+ - power-state-change
+
+# System and/or distro specific settings
+# (not accessible to handlers/transforms)
+system_info:
+   # This will affect which distro class gets used
+   distro: centos
+   # Default user name + that default users groups (if added/used)
+   default_user:
+     name: centos
+     lock_passwd: True
+     gecos: Centos
+     groups: [adm, audio, cdrom, dialout, dip, floppy, netdev, plugdev, sudo, video]
+     sudo: ["ALL=(ALL) NOPASSWD:ALL"]
+     shell: /bin/bash
+   # Other config here will be given to the distro class and/or path classes
+   paths:
+      cloud_dir: /var/lib/cloud/
+      templates_dir: /etc/cloud/templates/
+      upstart_dir: /etc/init/
+   package_mirrors:
+     - arches: [default]
+       failsafe:
+         primary: https://dl.rockylinux.org/pub/rocky/
+   ssh_svcname: ssh
+
+apt:
+   preserve_sources_list: true
+
+manage_etc_hosts: localhost

http/ks.cfg

+url --url https://dl.rockylinux.org/pub/rocky/8.5/BaseOS/x86_64/os/
+lang en_US.UTF-8
+keyboard us
+network --bootproto=dhcp
+rootpw toor
+firewall --disabled
+selinux --permissive
+timezone --utc Europe/Prague
+bootloader --location=mbr --timeout=0
+text
+skipx
+zerombr
+clearpart --all --initlabel
+
+# Partitioning
+
+part /boot --fstype="ext4" --ondisk=sda --size=1024
+part / --fstype="xfs" --ondisk=sda --size=13720
+part swap --fstype="swap" --ondisk=sda --size=1639
+
+auth --enableshadow --passalgo=sha512 --kickstart
+user --name=root --plaintext --password=toor --groups=wheel
+firstboot --disabled
+eula --agreed
+services --enabled=NetworkManager,sshd
+reboot
+
+%packages --ignoremissing --excludedocs
+@Base
+@Core
+@Development Tools
+openssl-devel
+readline-devel
+zlib-devel
+kernel-headers
+kernel-devel
+net-tools
+vim
+xwget
+curl
+rsync
+
+#unnecessary firmware
+-aic94xx-firmware
+-atmel-firmware
+-b43-openfwwf
+-bfa-firmware
+-ipw2100-firmware
+-ipw2200-firmware
+-ivtv-firmware
+-iwl100-firmware
+-iwl1000-firmware
+-iwl3945-firmware
+-iwl4965-firmware
+-iwl5000-firmware
+-iwl5150-firmware
+-iwl6000-firmware
+-iwl6000g2a-firmware
+-iwl6050-firmware
+-libertas-usb8388-firmware
+-ql2100-firmware
+-ql2200-firmware
+-ql23xx-firmware
+-ql2400-firmware
+-ql2500-firmware
+-rt61pci-firmware
+-rt73usb-firmware
+-xorg-x11-drv-ati-firmware
+-zd1211-firmware
+%end
+
+%post
+yum update -y
+# update root certs
+wget -O/etc/pki/tls/certs/ca-bundle.crt http://curl.haxx.se/ca/cacert.pem
+
+%end

playbook.yml

+- name: Hello world
+  hosts: all
+  gather_facts: no
+  tasks:
+    - name: Wait for connection
+      wait_for_connection:
+        timeout: 600
+
+    - name: Gather facts
+      setup:
+
+    - name: Gather services facts
+      service_facts:
+  
+    - name: Print hello world
+      debug:
+        msg: "Hello World"
+

rocky.json

+{
+  "builders": [
+    {
+      "use_default_display": "{{user `headless`}}",
+      "boot_command": [
+        "<tab> text inst.ks=http://{{ .HTTPIP }}:{{ .HTTPPort }}/ks.cfg<enter><wait>"
+      ],
+      "boot_key_interval": "10ms",
+      "boot_wait": "{{user `boot_wait`}}",
+      "disk_interface": "virtio-scsi",
+      "disk_size": "{{ user `disk_size` }}",
+      "format": "raw",
+      "headless": "{{user `headless`}}",
+      "http_directory": "{{user `http_directory`}}",
+      "http_port_max": "{{user `http_port_max`}}",
+      "http_port_min": "{{user `http_port_min`}}",
+      "iso_checksum": "{{user `iso_checksum`}}",
+      "iso_url": "{{user `iso_url`}}",
+      "name": "qemu",
+      "net_device": "virtio-net",
+      "output_directory": "target-qemu",
+      "qemuargs": [
+        [
+          "-m",
+          "{{ user `memory_size` }}m"
+        ],
+        [
+          "-smp",
+          "cpus={{ user `cpus` }},maxcpus=16,cores=4"
+        ]
+      ],
+      "shutdown_command": "{{user `shutdown_command`}}",
+      "ssh_password": "{{user `ssh_password`}}",
+      "ssh_port": "{{user `ssh_port`}}",
+      "ssh_timeout": "{{user `ssh_wait_timeout`}}",
+      "ssh_username": "{{user `ssh_username`}}",
+      "type": "qemu",
+      "vm_name": "{{user `vm_name`}}",
+      "vnc_bind_address": "{{user `vnc_vrdp_bind_address`}}",
+      "vnc_port_min": "{{user `vnc_vrdp_port`}}",
+      "vnc_port_max": "{{user `vnc_vrdp_port`}}"
+    },
+    {
+      "boot_command": [
+        "<tab> text inst.ks=http://{{ .HTTPIP }}:{{ .HTTPPort }}/ks.cfg<enter><wait>"
+      ],
+      "boot_wait": "{{user `boot_wait`}}",
+      "disk_size": "{{ user `disk_size` }}",
+      "guest_os_type": "RedHat_64",
+      "headless": "{{user `headless`}}",
+      "http_directory": "{{user `http_directory`}}",
+      "http_port_max": "{{user `http_port_max`}}",
+      "http_port_min": "{{user `http_port_min`}}",
+      "iso_checksum": "{{user `iso_checksum`}}",
+      "iso_url": "{{user `iso_url`}}",
+      "name": "vbox",
+      "shutdown_command": "echo 'vagrant' | {{user `shutdown_command`}}",
+      "ssh_password": "{{user `ssh_password`}}",
+      "ssh_port": "{{user `ssh_port`}}",
+      "ssh_wait_timeout": "{{user `ssh_wait_timeout`}}",
+      "ssh_username": "{{user `ssh_username`}}",
+      "type": "virtualbox-iso",
+      "vrdp_bind_address": "{{user `vnc_vrdp_bind_address`}}",
+      "vrdp_port_min": "{{user `vnc_vrdp_port`}}",
+      "vrdp_port_max": "{{user `vnc_vrdp_port`}}",
+      "vboxmanage": [
+        [
+          "modifyvm",
+          "{{.Name}}",
+          "--memory",
+          "{{ user `memory_size` }}"
+        ],
+        [
+          "modifyvm",
+          "{{.Name}}",
+          "--cpus",
+          "{{ user `cpus` }}"
+        ]
+      ],
+      "vm_name": "{{user `vm_name`}}"
+    }
+  ],
+  "post-processors": [
+    {
+      "output": "target-vbox/rocky.box",
+      "type": "vagrant",
+      "only": ["vbox"]
+    }
+  ],
+  "provisioners": [
+    {
+      "destination": "/tmp/cloud.cfg",
+      "source": "cloud.cfg",
+      "type": "file"
+    },
+    {
+      "scripts": [
+        "scripts/cloud_init_installation.sh",
+        "scripts/disable-drm.sh"
+      ],
+      "type": "shell",
+      "only": ["qemu"]
+    },
+    {
+      "scripts": [
+        "scripts/addVagrantUser.sh",
+        "scripts/guestAdditions.sh"
+      ],
+      "type": "shell",
+      "only": ["vbox"]
+    },
+    {
+      "scripts": [
+        "scripts/additional_packages.sh",
+        "scripts/cleanup.sh"
+      ],
+      "type": "shell"
+    }
+  ],
+  "variables": {
+    "boot_wait": "10s",
+    "cpus": "4",
+    "disk_size": "16384",
+    "headless": "true",
+    "http_directory": "http",
+    "http_port_max": "10089",
+    "http_port_min": "10082",
+    "iso_checksum": "4eb2ae6b06876205f2209e4504110fe4115b37540c21ecfbbc0ebc11084cb779",
+    "iso_url": "https://download.rockylinux.org/pub/rocky/8/isos/x86_64/Rocky-8.5-x86_64-minimal.iso",
+    "memory_size": "4096",
+    "shutdown_command": "sudo shutdown -P now",
+    "ssh_password": "toor",
+    "ssh_port": "22",
+    "ssh_username": "root",
+    "ssh_wait_timeout": "90m",
+    "vm_name": "rocky",
+    "vnc_vrdp_bind_address": "127.0.0.1",
+    "vnc_vrdp_port": "5900"
+  }
+}
+

scripts/addVagrantUser.sh

+#!/bin/sh -x
+
+# add user vagrant with password vagrant, set sudo, add public ssh key
+sudo adduser -p '$1$9bp.cPKY$BeaZIuXT4PyfJBnTu74c4.' --uid 900 --create-home --shell /bin/bash vagrant
+sudo echo "vagrant  ALL=(ALL)  NOPASSWD: ALL" | sudo tee /etc/sudoers.d/vagrant > /dev/null
+sudo sed -i "s/^.*requiretty/#Defaults requiretty/" /etc/sudoers
+sudo mkdir -p /home/vagrant/.ssh
+sudo chmod 0700 /home/vagrant/.ssh
+sudo echo "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA6NF8iallvQVp22WDkTkyrtvp9eWW6A8YVr+kz4TjGYe7gHzIw+niNltGEFHzD8+v1I2YJ6oXevct1YeS0o9HZyN1Q9qgCgzUFtdOKLv6IedplqoPkcmF0aYet2PkEDo3MlTBckFXPITAMzF8dJSIFo9D8HfdOV0IAdx4O7PtixWKn5y2hMNG0zQPyUecp4pzC6kivAIhyfHilFR61RGL+GPXQ2MWZWFYbAGjyiYJnAmCP3NOTd0jMZEnDkbUvxhMmBYSdETk1rRgm+R4LOzFUGaHqHDLKLX+FIPKcF96hrucXzcWyLbIbEgE98OHlnVYCzRdK8jlqm8tehUc9c9WhQ== vagrant insecure public key" | sudo tee /home/vagrant/.ssh/authorized_keys > /dev/null
+sudo chmod 0600 /home/vagrant/.ssh/authorized_keys
+sudo chown -R vagrant:vagrant /home/vagrant
+sudo usermod -a -G wheel vagrant

scripts/additional_packages.sh

+
+# check for updates
+sudo yum update -y
+sudo dnf update -y
+
+# install python3
+sudo dnf install python3 -y
+
+# install console web browser
+sudo yum --enablerepo=powertools install elinks -y

scripts/cleanup.sh

+#!/bin/bash -x
+
+# disable ssh root login using password
+sudo sed -i 's/#\?PermitRootLogin.*/PermitRootLogin without-password/g' /etc/ssh/sshd_config
+
+# install resolvconf
+wget https://roy.marples.name/downloads/openresolv/openresolv-3.10.0.tar.xz
+tar fxv openresolv-3.10.0.tar.xz
+cd openresolv-3.10.0
+sudo make
+sudo su -c "sudo make install"
+sudo mv /root/openresolv-3.10.0 /usr/local/src
+
+#disable root passwd
+sudo passwd -l root
+
+# cleanup
+sudo rm -r /root/*
+sudo yum -y autoremove
+sudo rm -rf /var/log
+history -c

scripts/cloud_init_installation.sh

+#!/bin/sh -x
+
+sudo yum -y update
+
+# install cloud support
+sudo yum -y install vim bash-completion spice-vdagent cloud-init qemu-guest-agent cloud-utils-growpart
+sudo systemctl enable --now qemu-guest-agent.service
+sudo cp -f /tmp/cloud.cfg /etc/cloud/cloud.cfg
+sudo echo "NOZEROCONF=yes" >> /etc/sysconfig/network
+sudo rm /etc/sysconfig/network-scripts/ifcfg-ens3
+sudo rm /root/.bash_history; history -c
+
+
+# copy custom cloud-init configuration (do not modify default apt source list)
+sudo cp -f /tmp/cloud.cfg /etc/cloud/cloud.cfg

scripts/disable-drm.sh

+#!/bin/bash -x
+
+# Disabling drm module for fixing spice console graphical problem
+sudo touch /etc/modprobe.d/local-blacklist.conf
+sudo chmod 0555 /etc/modprobe.d/local-blacklist.conf
+sudo printf "blacklist drm\ninstall drm /bin/false\n" >> /etc/modprobe.d/local-blacklist.conf | sudo tee -a /etc/modprobe.d/local-blacklist.conf > /dev/null
+dracut -f

scripts/guestAdditions.sh

+#!/bin/sh -xe
+
+ISOPATH="$HOME/VBoxGuestAdditions.iso"
+
+if [ ! -e "$ISOPATH" ]; then
+    echo "Error: virtualbox guest additions ISO not found at $ISOPATH"
+    exit 1
+fi
+
+# Mount virtualbox guest additions ISO and install
+
+sudo mkdir -p /tmp/VBoxGuestAdditions
+sudo mount -o loop,ro "$ISOPATH" /tmp/VBoxGuestAdditions
+sudo dnf install tar bzip2 kernel-devel-$(uname -r) kernel-headers perl gcc make elfutils-libelf-devel -y
+sudo /tmp/VBoxGuestAdditions/VBoxLinuxAdditions.run
+
+sudo rm "$ISOPATH"
+sudo umount /tmp/VBoxGuestAdditions
+sudo rmdir /tmp/VBoxGuestAdditions