This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, next has been updated
  via 251556c9bea35c137bdbe5d93b1ed0959d639955 (commit)
  via 8531a9503c2328f88deb83820364ce21bc8a357d (commit)
  via 138c94a96dd9bdceda01fcb2078bf00aa287f8dc (commit)
  via 7c24a0d973f56eb912eb6375b6577bb40e81093f (commit)
  from 4576ca4cc798d664a2d551762058c98d311ac0bc (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log -----------------------------------------------------------------
commit 251556c9bea35c137bdbe5d93b1ed0959d639955
Author: Arne Fitzenreiter arne_f@ipfire.org
Date:   Wed Aug 5 19:01:38 2020 +0000
start core149 and add oci changes.
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 8531a9503c2328f88deb83820364ce21bc8a357d
Author: Michael Tremer michael.tremer@ipfire.org
Date:   Tue Jul 21 10:36:41 2020 +0000
smt: Do not disable SMT in virtual machines
Processors in virtual machines are *virtual*. Therefore this only degrades the performance of the guest, but does not increase its security.
This patch always leaves SMT enabled in all virtual environments.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 138c94a96dd9bdceda01fcb2078bf00aa287f8dc
Author: Michael Tremer michael.tremer@ipfire.org
Date:   Tue Jul 21 10:36:40 2020 +0000
oci: Add automatic configuration script
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 7c24a0d973f56eb912eb6375b6577bb40e81093f
Author: Michael Tremer michael.tremer@ipfire.org
Date:   Tue Jul 21 10:36:39 2020 +0000
oci: Add detection for Oracle Cloud
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
-----------------------------------------------------------------------
Summary of changes:
 config/rootfiles/common/aarch64/initscripts        |  1 +
 config/rootfiles/common/armv5tel/initscripts       |  1 +
 config/rootfiles/common/i586/initscripts           |  1 +
 config/rootfiles/common/x86_64/initscripts         |  1 +
 config/rootfiles/core/{148 => 149}/exclude         |  0
 config/rootfiles/core/149/filelists/files          |  8 +++
 .../rootfiles/{oldcore/147 => core/149}/update.sh  | 20 +++---
 config/rootfiles/{core => oldcore}/148/exclude     |  0
 .../{core => oldcore}/148/filelists/Locale-Country |  0
 .../{core => oldcore}/148/filelists/files          |  0
 .../{core => oldcore}/148/filelists/libloc         |  0
 .../{core => oldcore}/148/filelists/xtables-addons |  0
 config/rootfiles/{core => oldcore}/148/update.sh   |  0
 make.sh                                            |  2 +-
 src/initscripts/helper/{gcp-setup => oci-setup}    | 80 +++++++++++++---------
 src/initscripts/system/cloud-init                  |  2 +
 src/initscripts/system/functions                   | 11 +++
 src/initscripts/system/smt                         |  5 ++
 18 files changed, 89 insertions(+), 43 deletions(-)
 copy config/rootfiles/core/{148 => 149}/exclude (100%)
 create mode 100644 config/rootfiles/core/149/filelists/files
 copy config/rootfiles/{oldcore/147 => core/149}/update.sh (91%)
 rename config/rootfiles/{core => oldcore}/148/exclude (100%)
 rename config/rootfiles/{core => oldcore}/148/filelists/Locale-Country (100%)
 rename config/rootfiles/{core => oldcore}/148/filelists/files (100%)
 rename config/rootfiles/{core => oldcore}/148/filelists/libloc (100%)
 rename config/rootfiles/{core => oldcore}/148/filelists/xtables-addons (100%)
 rename config/rootfiles/{core => oldcore}/148/update.sh (100%)
 copy src/initscripts/helper/{gcp-setup => oci-setup} (77%)
Difference in files: diff --git a/config/rootfiles/common/aarch64/initscripts b/config/rootfiles/common/aarch64/initscripts index 69fef394b..bbf57af37 100644 --- a/config/rootfiles/common/aarch64/initscripts +++ b/config/rootfiles/common/aarch64/initscripts @@ -5,6 +5,7 @@ etc/rc.d/helper/aws-setup etc/rc.d/helper/azure-setup etc/rc.d/helper/gcp-setup etc/rc.d/helper/getdnsfromdhcpc.pl +etc/rc.d/helper/oci-setup #etc/rc.d/init.d etc/rc.d/init.d/acpid etc/rc.d/init.d/apache diff --git a/config/rootfiles/common/armv5tel/initscripts b/config/rootfiles/common/armv5tel/initscripts index 69fef394b..bbf57af37 100644 --- a/config/rootfiles/common/armv5tel/initscripts +++ b/config/rootfiles/common/armv5tel/initscripts @@ -5,6 +5,7 @@ etc/rc.d/helper/aws-setup etc/rc.d/helper/azure-setup etc/rc.d/helper/gcp-setup etc/rc.d/helper/getdnsfromdhcpc.pl +etc/rc.d/helper/oci-setup #etc/rc.d/init.d etc/rc.d/init.d/acpid etc/rc.d/init.d/apache diff --git a/config/rootfiles/common/i586/initscripts b/config/rootfiles/common/i586/initscripts index b4e944342..e0c8495c8 100644 --- a/config/rootfiles/common/i586/initscripts +++ b/config/rootfiles/common/i586/initscripts @@ -5,6 +5,7 @@ etc/rc.d/helper/aws-setup etc/rc.d/helper/azure-setup etc/rc.d/helper/gcp-setup etc/rc.d/helper/getdnsfromdhcpc.pl +etc/rc.d/helper/oci-setup #etc/rc.d/init.d etc/rc.d/init.d/acpid etc/rc.d/init.d/apache diff --git a/config/rootfiles/common/x86_64/initscripts b/config/rootfiles/common/x86_64/initscripts index b4e944342..e0c8495c8 100644 --- a/config/rootfiles/common/x86_64/initscripts +++ b/config/rootfiles/common/x86_64/initscripts @@ -5,6 +5,7 @@ etc/rc.d/helper/aws-setup etc/rc.d/helper/azure-setup etc/rc.d/helper/gcp-setup etc/rc.d/helper/getdnsfromdhcpc.pl +etc/rc.d/helper/oci-setup #etc/rc.d/init.d etc/rc.d/init.d/acpid etc/rc.d/init.d/apache 
diff --git a/config/rootfiles/core/148/exclude b/config/rootfiles/core/149/exclude similarity index 100% rename from config/rootfiles/core/148/exclude rename to config/rootfiles/core/149/exclude diff --git a/config/rootfiles/core/149/filelists/files b/config/rootfiles/core/149/filelists/files new file mode 100644 index 000000000..95a56178b --- /dev/null +++ b/config/rootfiles/core/149/filelists/files @@ -0,0 +1,8 @@ +etc/system-release +etc/issue +srv/web/ipfire/cgi-bin/credits.cgi +var/ipfire/langs +etc/rc.d/helper/oci-setup +etc/rc.d/init.d/cloud-init +etc/rc.d/init.d/functions +etc/rc.d/init.d/smt diff --git a/config/rootfiles/core/149/update.sh b/config/rootfiles/core/149/update.sh new file mode 100644 index 000000000..b1dfa97c9 --- /dev/null +++ b/config/rootfiles/core/149/update.sh 
@@ -0,0 +1,75 @@ +#!/bin/bash +############################################################################ +# # +# This file is part of the IPFire Firewall. # +# # +# IPFire is free software; you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation; either version 3 of the License, or # +# (at your option) any later version. # +# # +# IPFire is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with IPFire; if not, write to the Free Software # +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # +# # +# Copyright (C) 2020 IPFire-Team info@ipfire.org. # +# # +############################################################################ +# +. /opt/pakfire/lib/functions.sh +/usr/local/bin/backupctrl exclude >/dev/null 2>&1 + +core=149 + +# Remove old core updates from pakfire cache to save space... +for (( i=1; i<=$core; i++ )); do + rm -f /var/cache/pakfire/core-upgrade-*-$i.ipfire +done + +# Remove files +#rm -vf \ + +# Stop services + +# Extract files +extract_files + +# update linker config +ldconfig + +# Update Language cache +/usr/local/bin/update-lang-cache + +# Filesytem cleanup +/usr/local/bin/filesystem-cleanup + +# Start services + +# Update crontab +sed -i /var/spool/cron/root.orig \ + -e "s/xt_geoip_update/update-location-database/" \ + -e "/location/s/monthly/hourly/" \ + -e "s/GeoIP/location/" +fcrontab -z + +# This update needs a reboot... 
+#touch /var/run/need_reboot + +# Finish +/etc/init.d/fireinfo start +sendprofile + +# Update grub config to display new core version +if [ -e /boot/grub/grub.cfg ]; then + grub-mkconfig -o /boot/grub/grub.cfg +fi + +sync + +# Don't report the exitcode last command +exit 0 diff --git a/config/rootfiles/oldcore/148/exclude b/config/rootfiles/oldcore/148/exclude new file mode 100644 index 000000000..b22159878 --- /dev/null +++ b/config/rootfiles/oldcore/148/exclude @@ -0,0 +1,28 @@ +boot/config.txt +boot/grub/grub.cfg +boot/grub/grubenv +etc/alternatives +etc/collectd.custom +etc/default/grub +etc/ipsec.conf +etc/ipsec.secrets +etc/ipsec.user.conf +etc/ipsec.user.secrets +etc/localtime +etc/shadow +etc/snort/snort.conf +etc/ssl/openssl.cnf +etc/sudoers +etc/sysconfig/firewall.local +etc/sysconfig/rc.local +etc/udev/rules.d/30-persistent-network.rules +srv/web/ipfire/html/proxy.pac +var/ipfire/dma +var/ipfire/time +var/ipfire/ovpn +var/lib/alternatives +var/log/cache +var/log/dhcpcd.log +var/log/messages +var/state/dhcp/dhcpd.leases +var/updatecache diff --git a/config/rootfiles/core/148/filelists/Locale-Country b/config/rootfiles/oldcore/148/filelists/Locale-Country similarity index 100% rename from config/rootfiles/core/148/filelists/Locale-Country rename to config/rootfiles/oldcore/148/filelists/Locale-Country diff --git a/config/rootfiles/core/148/filelists/files b/config/rootfiles/oldcore/148/filelists/files similarity index 100% rename from config/rootfiles/core/148/filelists/files rename to config/rootfiles/oldcore/148/filelists/files diff --git a/config/rootfiles/core/148/filelists/libloc b/config/rootfiles/oldcore/148/filelists/libloc similarity index 100% rename from config/rootfiles/core/148/filelists/libloc rename to config/rootfiles/oldcore/148/filelists/libloc 
diff --git a/config/rootfiles/core/148/filelists/xtables-addons b/config/rootfiles/oldcore/148/filelists/xtables-addons similarity index 100% rename from config/rootfiles/core/148/filelists/xtables-addons rename to config/rootfiles/oldcore/148/filelists/xtables-addons diff --git a/config/rootfiles/core/148/update.sh b/config/rootfiles/oldcore/148/update.sh similarity index 100% rename from config/rootfiles/core/148/update.sh rename to config/rootfiles/oldcore/148/update.sh diff --git a/make.sh b/make.sh index 544320f09..799aeee66 100755 --- a/make.sh +++ b/make.sh @@ -26,7 +26,7 @@ NAME="IPFire" # Software name SNAME="ipfire" # Short name # If you update the version don't forget to update backupiso and add it to core update VERSION="2.25" # Version number -CORE="148" # Core Level (Filename) +CORE="149" # Core Level (Filename) SLOGAN="www.ipfire.org" # Software slogan CONFIG_ROOT=/var/ipfire # Configuration rootdir NICE=10 # Nice level diff --git a/src/initscripts/helper/oci-setup b/src/initscripts/helper/oci-setup new file mode 100644 index 000000000..aca09e673 --- /dev/null +++ b/src/initscripts/helper/oci-setup 
@@ -0,0 +1,308 @@ +#!/bin/bash + +. /etc/sysconfig/rc +. ${rc_functions} + +# Set PATH to find our own executables +export PATH=/usr/local/sbin:/usr/local/bin:${PATH} + +# GCP only supports an MTU of 1460 +DEFAULT_MTU=1460 + +get() { + local file="${1}" + + wget -qO - "http://169.254.169.254/opc/v1/$%7Bfile%7D" +} + +to_address() { + local n="${1}" + + local o1=$(( (n & 0xff000000) >> 24 )) + local o2=$(( (n & 0xff0000) >> 16 )) + local o3=$(( (n & 0xff00) >> 8 )) + local o4=$(( (n & 0xff) )) + + printf "%d.%d.%d.%d\n" "${o1}" "${o2}" "${o3}" "${o4}" +} + +to_integer() { + local address="${1}" + + local integer=0 + + local i + for i in ${address//./ }; do + integer=$(( (integer << 8) + i )) + done + + printf "%d\n" "${integer}" +} + +prefix2netmask() { + local prefix=${1} + + local zeros=$(( 32 - prefix )) + local netmask=0 + + local i + for (( i=0; i<${zeros}; i++ )); do + netmask=$(( (netmask << 1) ^ 1 )) + done + + to_address "$(( netmask ^ 0xffffffff ))" +} + +oci_list_interfaces() { + get "vnics/" | python3 -c "import json, sys; print("\n".join([vnic["vnicId"] for vnic in json.load(sys.stdin)]))" +} + +oci_get_interface_param() { + local id="${1}" + local param="${2}" + + get "vnics/" | python3 -c "import json, sys; print("\n".join(vnic.get("${param}", "") for vnic in json.load(sys.stdin) if vnic["vnicId"] == "${id}"))" +} + +import_oci_configuration() { + local instance_id="$(get instance/id)" + + boot_mesg "Importing Oracle Cloud Infrastructure configuration for instance ${instance_id}..." + + # Store instance ID + echo "${instance_id}" > /var/run/oci-instance-id + + # Initialise system settings + local hostname=$(get instance/hostname) + + # Set hostname + if ! grep -q "^HOSTNAME=" /var/ipfire/main/settings; then + echo "HOSTNAME=${hostname%%.*}" >> /var/ipfire/main/settings + fi + + # Set domainname + if ! 
grep -q "^DOMAINNAME=" /var/ipfire/main/settings; then + echo "DOMAINNAME=${hostname#*.}" >> /var/ipfire/main/settings + fi + + # Create setup user + if ! getent passwd setup &>/dev/null; then + useradd setup -s /usr/bin/run-setup -g nobody -m + + # Unlock the account + usermod -p "x" setup + fi + + # Import SSH keys for setup user + local line + while read -r line; do + # Strip the username part from the key + local key="${line#*:}" + + if [ -n "${key}" ] && ! grep -q "^${key}$" "/home/setup/.ssh/authorized_keys" 2>/dev/null; then + mkdir -p "/home/setup/.ssh" + chmod 700 "/home/setup/.ssh" + chown setup.nobody "/home/setup/.ssh" + + echo "${key}" >> "/home/setup/.ssh/authorized_keys" + chmod 600 "/home/setup/.ssh/authorized_keys" + chown setup.nobody "/home/setup/.ssh/authorized_keys" + fi + done <<<"$(get instance/metadata/ssh_authorized_keys)" + + # Download the user-data script only on the first boot + if [ ! -e "/var/ipfire/main/firstsetup_ok" ]; then + # Download a startup script + local script="$(get instance/metadata/user_data)" + + # Execute the script + if [ "${script:0:2}" = "#!" 
]; then + echo "${script}" > /tmp/user-data.script + chmod 700 /tmp/user-data.script + + # Run the script + local now="$(date -u +"%s")" + /tmp/user-data.script &>/var/log/user-data.log.${now} + + # Delete the script right away + rm /tmp/user-data.script + fi + fi + + # Import network configuration + # After this, no network connectivity will be available from this script due to the + # renaming of the network interfaces for which they have to be shut down + local config_type=1 + : > /var/ipfire/ethernet/settings + + local id + for id in $(oci_list_interfaces); do + local mac="$(oci_get_interface_param "${id}" "macAddr")" + + # First IPv4 address + local ipv4_address="$(oci_get_interface_param "${id}" "privateIp")" + local ipv4_address_num="$(to_integer "${ipv4_address}")" + + local subnet="$(oci_get_interface_param "${id}" "subnetCidrBlock")" + local prefix="${subnet#*/}" + + local netmask="$(prefix2netmask "${prefix}")" + local netmask_num="$(to_integer "${netmask}")" + + # Calculate the network and broadcast addresses + local netaddress="${subnet%/*}" + local broadcast="$(to_address $(( ipv4_address_num | (0xffffffff ^ netmask_num) )))" + + local index="$(oci_get_interface_param "${id}" "nicIndex")" + + # Set index to zero if it was empty + if [ -z "${index}" ]; then + index=0 + fi + + case "${index}" in + # RED + 0) + local interface_name="red0" + local gateway="$(oci_get_interface_param "${id}" "virtualRouterIp")" + + ( + echo "RED_TYPE=STATIC" + echo "RED_DEV=${interface_name}" + echo "RED_MACADDR=${mac}" + echo "RED_DESCRIPTION='${id}'" + echo "RED_ADDRESS=${ipv4_address}" + echo "RED_NETMASK=${netmask}" + echo "RED_NETADDRESS=${netaddress}" + echo "RED_BROADCAST=${broadcast}" + echo "RED_MTU=1500" + echo "DEFAULT_GATEWAY=${gateway}" + ) >> /var/ipfire/ethernet/settings + + # Import aliases for RED + #for alias in $(get "instance/network-interfaces/${device_number}/ip-aliases"); do + # echo "${alias},on," + #done > /var/ipfire/ethernet/aliases + ;; + + # 
GREEN + 1) + local interface_name="green0" + + ( + echo "GREEN_DEV=${interface_name}" + echo "GREEN_MACADDR=${mac}" + echo "GREEN_DESCRIPTION='${id}'" + echo "GREEN_ADDRESS=${ipv4_address}" + echo "GREEN_NETMASK=${netmask}" + echo "GREEN_NETADDRESS=${netaddress}" + echo "GREEN_BROADCAST=${broadcast}" + echo "GREEN_MTU=${DEFAULT_MTU}" + ) >> /var/ipfire/ethernet/settings + ;; + + # ORANGE + 2) + local interface_name="orange0" + config_type=2 + + ( + echo "ORANGE_DEV=${interface_name}" + echo "ORANGE_MACADDR=${mac}" + echo "ORANGE_DESCRIPTION='${id}'" + echo "ORANGE_ADDRESS=${ipv4_address}" + echo "ORANGE_NETMASK=${netmask}" + echo "ORANGE_NETADDRESS=${netaddress}" + echo "ORANGE_BROADCAST=${broadcast}" + echo "ORANGE_MTU=${DEFAULT_MTU}" + ) >> /var/ipfire/ethernet/settings + ;; + esac + done + + # Save CONFIG_TYPE + echo "CONFIG_TYPE=${config_type}" >> /var/ipfire/ethernet/settings + + # Actions performed only on the very first start + if [ ! -e "/var/ipfire/main/firstsetup_ok" ]; then + # Disable using ISP nameservers + sed -e "s/^USE_ISP_NAMESERVERS=.*/USE_ISP_NAMESERVERS=off/" -i /var/ipfire/dns/settings + + # Enable SSH + sed -e "s/ENABLE_SSH=.*/ENABLE_SSH=on/g" -i /var/ipfire/remote/settings + + # Disable SSH password authentication + sed -e "s/^ENABLE_SSH_PASSWORDS=.*/ENABLE_SSH_PASSWORDS=off/" -i /var/ipfire/remote/settings + + # Enable SSH key authentication + sed -e "s/^ENABLE_SSH_KEYS=.*/ENABLE_SSH_KEYS=on/" -i /var/ipfire/remote/settings + + # Apply SSH settings + /usr/local/bin/sshctrl + + # Mark SSH to start immediately (but not right now) + touch /var/ipfire/remote/enablessh + chown nobody:nobody /var/ipfire/remote/enablessh + + # Firewall rules for SSH and WEBIF + ( + echo "1,ACCEPT,INPUTFW,ON,std_net_src,ALL,ipfire,RED1,,TCP,,,ON,,,cust_srv,SSH,,,,,,,,,,,00:00,00:00,,AUTO,,dnat,,,,,second" + echo "2,ACCEPT,INPUTFW,ON,std_net_src,ALL,ipfire,RED1,,TCP,,,ON,,,TGT_PORT,444,,,,,,,,,,,00:00,00:00,,AUTO,,dnat,,,,,second" + ) >> /var/ipfire/firewall/input + 
+ # This script has now completed the first steps of setup + touch /var/ipfire/main/firstsetup_ok + fi + + # All done + echo_ok +} + +case "${reason}" in + PREINIT) + # Bring up the interface + ip link set "${interface}" up + ;; + + BOUND|RENEW|REBIND|REBOOT) + # Remove any previous IP addresses + ip addr flush dev "${interface}" + + # Add (or re-add) the new IP address + ip addr add "${new_ip_address}/${new_subnet_mask}" dev "${interface}" + + # Add the default route + ip route add "${new_routers}" dev "${interface}" + ip route add default via "${new_routers}" + + # Setup DNS + for domain_name_server in ${new_domain_name_servers}; do + echo "nameserver ${domain_name_server}" + done > /etc/resolv.conf + + # The system is online now + touch /var/ipfire/red/active + + # Import OCI configuration + import_oci_configuration + ;; + + EXPIRE|FAIL|RELEASE|STOP) + # The system is no longer online + rm -f /var/ipfire/red/active + + # Remove all IP addresses + ip addr flush dev "${interface}" + + # Shut down the interface + ip link set "${interface}" down + ;; + + *) + echo "Unhandled reason: ${reason}" >&2 + exit 2 + ;; +esac + +# Terminate +exit 0 diff --git a/src/initscripts/system/cloud-init b/src/initscripts/system/cloud-init index 284e24d7b..d39552b01 100644 --- a/src/initscripts/system/cloud-init +++ b/src/initscripts/system/cloud-init @@ -15,6 +15,8 @@ case "${1}" in scriptname="/etc/rc.d/helper/azure-setup" elif running_on_gcp; then scriptname="/etc/rc.d/helper/gcp-setup" + elif running_on_oci; then + scriptname="/etc/rc.d/helper/oci-setup" else # This system is not running in the cloud exit 0 diff --git a/src/initscripts/system/functions b/src/initscripts/system/functions index b6e6507d6..30119918c 100644 --- a/src/initscripts/system/functions +++ b/src/initscripts/system/functions @@ -834,4 +834,15 @@ running_on_gcp() { return 1 }
+running_on_oci() { + if [ -r "/sys/devices/virtual/dmi/id/chassis_asset_tag" ]; then + local asset_tag="$(</sys/devices/virtual/dmi/id/chassis_asset_tag)" + + [ "${asset_tag}" = "OracleCloud.com" ] && return 0 + fi + + # We are not running on OCI + return 1 +} + # End $rc_base/init.d/functions diff --git a/src/initscripts/system/smt b/src/initscripts/system/smt index cc4128b2d..bfa7d57b3 100644 --- a/src/initscripts/system/smt +++ b/src/initscripts/system/smt @@ -20,6 +20,11 @@ case "${1}" in exit 0 fi 2>/dev/null
+ # Do not disable SMT inside virtual machines + if [ -d "/sys/hypervisor" ]; then + exit 0 + fi + # Disable SMT when the processor is vulnerable to Foreshadow or Fallout/ZombieLoad/RIDL for vuln in l1tf mds; do if [ -r "/sys/devices/system/cpu/vulnerabilities/${vuln}" ] && \
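Review bot: in the new config/rootfiles/core/149/update.sh, the crontab block (`sed -i /var/spool/cron/root.orig -e "s/xt_geoip_update/update-location-database/" -e "/location/s/monthly/hourly/" -e "s/GeoIP/location/"` followed by `fcrontab -z`) looks carried over from the oldcore/147 update.sh this file was copied from (91% similarity per the summary) rather than being a core 149 change; if those substitutions already ran in 147 they are idempotent but misleading, so either drop them or add a comment saying why they are repeated. In the same file `#touch /var/run/need_reboot` stays commented out although the update replaces init scripts (`smt`, `functions`, `cloud-init`); a one-line comment that these only take effect on the next boot, or un-commenting the touch, would make the expectation explicit for whoever reads the update log.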
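Review bot: in `import_oci_configuration` (src/initscripts/helper/oci-setup) the user-data script is written to the fixed path `/tmp/user-data.script` with a plain `echo "${script}" > /tmp/user-data.script`, only then `chmod 700`, and then executed as root; a predictable name in a shared, world-writable directory is the classic symlink / pre-creation hazard, so create the file with `mktemp` (e.g. `local script_file="$(mktemp)"`) or under a root-only directory, and write it with a restrictive umask before running it. Two smaller items in the same hunk look like leftovers from the gcp-setup copy (77% per the summary): the comment `# GCP only supports an MTU of 1460` and the resulting `GREEN_MTU`/`ORANGE_MTU=${DEFAULT_MTU}` should be checked against what OCI VNICs actually support, and `local key="${line#*:}"` strips the `user:` prefix that GCP's metadata uses, so if OCI's `ssh_authorized_keys` returns plain authorized_keys lines, any colon in a key comment truncates the key. Finally, `grep -q "^${key}$"` treats the key as a regular expression; `grep -qxF -- "${key}"` matches it literally.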
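Review bot: `if [ -d "/sys/hypervisor" ]; then exit 0; fi` in src/initscripts/system/smt is not a reliable "running in a VM" test. The directory is created by drivers/base/hypervisor.c whenever the kernel is built with CONFIG_SYS_HYPERVISOR (selected by Xen guest support), so it exists, empty, on bare metal with such a kernel, while a kernel without that option does not show it even inside a KVM guest. On a bare-metal build with that option on, this early exit would silently skip the L1TF/MDS SMT mitigation that the rest of the script implements. Prefer a signal that reflects the actual CPU: on x86 the `hypervisor` flag in /proc/cpuinfo (`grep -q '^flags.*\bhypervisor\b' /proc/cpuinfo`), or the DMI sys_vendor/product strings the `running_on_*` helpers in functions already read; on the ARM targets the flag is not available, so fall back to DMI there. Please also verify the check against the kernel config actually shipped for each architecture before this is relied on.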
hooks/post-receive -- IPFire 2.x development tree