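#!/bin/bash

# Prepares a stock Ubuntu host as the Cloudron base image: upgrades the
# system, installs the required packages, node.js and Docker, pulls the
# docker images listed in infra_version.js and applies host configuration.
#
# Usage: initializeBaseUbuntuImage.sh [provider] [infra-version-dir]
#   $1 - provider name (default: generic)
#   $2 - directory, relative to this script, that holds infra_version.js
#
# -v echoes every line as it is read so the build log shows the command that
# failed; -u and pipefail turn unset variables and failing pipeline stages
# into hard errors.
set -euv -o pipefail

# Resolve the script's own directory. The assignment is kept separate from
# readonly so that a failing cd/pwd is not masked by readonly's exit status.
SOURCE_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
readonly SOURCE_DIR

readonly arg_provider="${1:-generic}"
readonly arg_infraversionpath="${SOURCE_DIR}/${2:-}"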

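# Prints an error message to stderr and aborts the script with status 1.
# Arguments: $* - message text (quoted, so spaces and globs are preserved)
die() {
    printf '%s\n' "$*" >&2
    exit 1
}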

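# Keep apt/dpkg non-interactive for the whole build; a debconf prompt would hang it.
export DEBIAN_FRONTEND=noninteractive

# hold grub since updating it breaks on some VPS providers. also, dist-upgrade will trigger it
# The pattern is quoted so the shell cannot expand it against files in the
# current directory; apt-mark receives the literal pattern either way.
apt-mark hold 'grub*' >/dev/null
# --force-confdef takes the default action for changed config files so dpkg
# never asks (complements DEBIAN_FRONTEND above).
apt-get -o Dpkg::Options::="--force-confdef" update -y
apt-get -o Dpkg::Options::="--force-confdef" upgrade -y
# NOTE(review): under set -e a failed upgrade aborts before this line, so the
# grub hold is only released on the success path.
apt-mark unhold 'grub*' >/dev/null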

echo "==> Installing required packages"

# Preseed the mysql-server debconf answers so the package install below does
# not prompt for a root password.
# NOTE(review): the root password is seeded with a fixed literal here; confirm
# that a later provisioning step replaces it before the image is used.
debconf-set-selections <<'EOF'
mysql-server mysql-server/root_password password password
mysql-server mysql-server/root_password_again password password
EOF

ubuntu_version=$(lsb_release -rs)
ubuntu_codename=$(lsb_release -cs)

# 16.04 gets gnupg; every other release gets gpg.
if [[ "${ubuntu_version}" == "16.04" ]]; then
    gpg_package="gnupg"
else
    gpg_package="gpg"
fi

# Base packages for the image.
# - unattended-upgrades enables automatic security upgrades
#   (https://help.ubuntu.com/community/AutomaticSecurityUpdates)
# - resolvconf is needed for unbound to work properly after disabling
#   systemd-resolved in 18.04
packages=(
    acl build-essential cifs-utils cron curl debconf-utils dmsetup
    "${gpg_package}" iptables libpython2.7 linux-generic logrotate
    mysql-server-5.7 nginx-full openssh-server pwgen resolvconf swaks
    tzdata unattended-upgrades unbound xfsprogs
)
apt-get -y install "${packages[@]}"

# on some providers like scaleway the sudo file is changed and we want to keep the old one
apt-get -o Dpkg::Options::="--force-confold" install -y sudo

# this ensures that unattended upgrades are enabled, if it was disabled during ubuntu install time (see #346)
# debconf-set-selection of unattended-upgrades/enable_auto_updates + dpkg-reconfigure does not work
cp /usr/share/unattended-upgrades/20auto-upgrades /etc/apt/apt.conf.d/20auto-upgrades

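echo "==> Installing node.js"
# Node is installed from the upstream tarball into a versioned prefix; change
# node_version to move to another release.
node_version="10.15.1"
node_prefix="/usr/local/node-${node_version}"
mkdir -p "${node_prefix}"
# -f makes curl fail on an HTTP error instead of piping an error page into
# tar; -S still reports that error despite -s.
# NOTE(review): the tarball is not checked against a published checksum or
# signature; only TLS protects this download.
curl -sSfL "https://nodejs.org/dist/v${node_version}/node-v${node_version}-linux-x64.tar.gz" | tar zxvf - --strip-components=1 -C "${node_prefix}"
ln -sf "${node_prefix}/bin/node" /usr/bin/node
ln -sf "${node_prefix}/bin/npm" /usr/bin/npm

apt-get install -y python   # Install python which is required for npm rebuild
[[ "$(python --version 2>&1)" == "Python 2.7."* ]] || die "Expecting python version to be 2.7.x"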

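# https://docs.docker.com/engine/installation/linux/ubuntulinux/
echo "==> Installing Docker"

# create systemd drop-in file. if you change options here, be sure to fixup installer.sh as well
mkdir -p /etc/systemd/system/docker.service.d
# The empty ExecStart= clears the packaged command line before the override.
printf '%s\n' \
    "[Service]" \
    "ExecStart=" \
    "ExecStart=/usr/bin/dockerd -H fd:// --log-driver=journald --exec-opt native.cgroupdriver=cgroupfs --storage-driver=overlay2" \
    > /etc/systemd/system/docker.service.d/cloudron.conf

# there are 3 packages for docker - containerd, CLI and the daemon
docker_version="18.09.2~3-0~ubuntu-${ubuntu_codename}"
containerd_version="1.2.2-3"
docker_pool="https://download.docker.com/linux/ubuntu/dists/${ubuntu_codename}/pool/stable/amd64"
# Download into a private temp dir rather than fixed names under /tmp so that
# a pre-existing file or link there cannot stand in for the packages.
deb_dir=$(mktemp -d)
# -f: fail on HTTP errors instead of saving an error page as a .deb
# NOTE(review): the packages are not verified against Docker's repository
# signing key here; only TLS protects these downloads.
curl -sSfL "${docker_pool}/containerd.io_${containerd_version}_amd64.deb" -o "${deb_dir}/containerd.deb"
curl -sSfL "${docker_pool}/docker-ce-cli_${docker_version}_amd64.deb" -o "${deb_dir}/docker-ce-cli.deb"
curl -sSfL "${docker_pool}/docker-ce_${docker_version}_amd64.deb" -o "${deb_dir}/docker.deb"
# apt install with install deps (as opposed to dpkg -i)
apt install -y "${deb_dir}/containerd.deb" "${deb_dir}/docker-ce-cli.deb" "${deb_dir}/docker.deb"
rm -rf -- "${deb_dir:?}"

# The image must run on overlay2 (see the dockerd override above).
storage_driver=$(docker info --format '{{.Driver}}')
[[ "${storage_driver}" == "overlay2" ]] || die "Docker is using ${storage_driver} instead of overlay2"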

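# do not upgrade grub because it might prompt user and break this script
echo "==> Enable memory accounting"
apt-get -y --no-upgrade install grub2-common
# Append to GRUB_CMDLINE_LINUX: cgroup memory and swap accounting, turn a
# kernel oops into a panic, and reboot 5 seconds after a panic instead of
# hanging.
sed -e 's/^GRUB_CMDLINE_LINUX="\(.*\)"$/GRUB_CMDLINE_LINUX="\1 cgroup_enable=memory swapaccount=1 panic_on_oops=1 panic=5"/' -i /etc/default/grub
# sed silently does nothing when no GRUB_CMDLINE_LINUX line exists, so check
# that the parameters actually landed before regenerating grub.cfg.
grep -q 'cgroup_enable=memory swapaccount=1' /etc/default/grub || die "Failed to add kernel parameters to /etc/default/grub"
update-grub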

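echo "==> Downloading docker images"
infra_version_file="${arg_infraversionpath}/infra_version.js"
[[ -f "${infra_version_file}" ]] || die "No infra_version.js found at ${infra_version_file}"

# Collect the tags of baseImages and of every entry in images, space separated.
# The path is handed to node as an argument instead of being spliced into the
# JS source, so it cannot alter the program text.
images=$(node -e "var i = require(process.argv[1]); console.log(i.baseImages.map(function (x) { return x.tag; }).join(' '), Object.keys(i.images).map(function (x) { return i.images[x].tag; }).join(' '));" "${infra_version_file}")

printf '\tPulling docker images: %s\n' "${images}"
# shellcheck disable=SC2086 -- word-splitting the space-separated tag list is intended
for image in ${images}; do
    docker pull "${image}"
    docker pull "${image%@sha256:*}" # this will tag the image for readability
done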

echo "==> Install collectd"
# FQDNLookup is true in default debian config. The box code has a custom collectd.conf that fixes this
apt-get install -y collectd collectd-utils || {
    echo "Failed to install collectd. Presumably because of http://mailman.verplant.org/pipermail/collectd/2015-March/006491.html"
    sed -e 's/^FQDNLookup true/FQDNLookup false/' -i /etc/collectd/collectd.conf
}

# Applies one sed expression in place to a config file.
# Arguments: $1 - sed expression, $2 - file to edit
sed_inplace() {
    sed -e "$1" -i "$2"
}

echo "==> Configuring host"
# Point timesyncd at the Ubuntu NTP pool and switch time sync on.
sed_inplace 's/^#NTP=/NTP=0.ubuntu.pool.ntp.org 1.ubuntu.pool.ntp.org 2.ubuntu.pool.ntp.org 3.ubuntu.pool.ntp.org/' /etc/systemd/timesyncd.conf
timedatectl set-ntp 1
# mysql follows the system timezone
timedatectl set-timezone UTC

echo "==> Adding sshd configuration warning"
# Inserts a comment line before the Port 22 line of sshd_config.
sed_inplace '/Port 22/ i # NOTE: Cloudron only supports moving SSH to port 202. See https://cloudron.io/documentation/security/#securing-ssh-access' /etc/ssh/sshd_config

# https://bugs.launchpad.net/ubuntu/+source/base-files/+bug/1701068
echo "==> Disabling motd news"
sed_inplace 's/^ENABLED=.*/ENABLED=0/' /etc/default/motd-news

# Stop and disable services that some providers pre-install and that get in
# the way of the image's own setup:
#  - bind9: pre-installed on online.net and kimsufi servers, conflicts with unbound
#  - dnsmasq: seems to run by default on ovh images
#  - postfix: seems to run by default on ssdnodes
#  - systemd-resolved: the default on ubuntu 18.04; after disabling it, DNS
#    needs resolvconf (installed with the base packages above)
# Failures (for example a unit that is not installed) are ignored.
for service in bind9 dnsmasq postfix systemd-resolved; do
    systemctl stop "${service}" || true
    systemctl disable "${service}" || true
done

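# ubuntu's default config for unbound does not work if ipv6 is disabled. this config is overwritten in start.sh
# we need unbound to work as this is required for installer.sh to do any DNS requests
# /proc/net/if_inet6 lists the kernel's IPv6 addresses; empty or absent means no IPv6.
if [[ -s /proc/net/if_inet6 ]]; then
    ip6="yes"
else
    ip6="no"
fi
# Listen on localhost only and let do-ip6 follow the kernel's IPv6 state.
printf 'server:\n\tinterface: 127.0.0.1\n\tdo-ip6: %s\n' "${ip6}" > /etc/unbound/unbound.conf.d/cloudron-network.conf
systemctl restart unbound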