ok, il mondo ci sorride

2017-02-10 01:04:29 +01:00 · 2017-02-10 01:04:29 +01:00 · 1b82a442b7
commit 1b82a442b7
parent 3555bca79e
3 changed files with 325 additions and 0 deletions
--- a/config.xml
+++ b/config.xml
@ -0,0 +1,10 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<loggedFS logEnabled="true" printProcessName="true">
+  <includes>
+    <include extension=".*" uid="*" action="open" retname=".*"/>
+    <include extension=".*" uid="*" action="readlink" retname="SUCCESS"/>
+  </includes>
+  <excludes>
+  </excludes>
+</loggedFS>
--- a/149
+++ b/149
@ -0,0 +1,149 @@
+#!/usr/bin/env bash
+
+function print_help {
+  echo '''
+    Super Mini hardened container manager using alpine and runc
+    v1.0
+    Usage: lhc-create <containername>
+  '''
+  exit -1
+}
+
+get_arch() {
+  ORIG_ARCH=`arch`
+  case $ORIG_ARCH in
+    aarch64)
+      echo "arm64"
+      ;;
+    *)
+      echo $ORIG_ARCH
+      ;;
+  esac
+}
+
+# print message to console
+# if there's not second parameter this is an info
+print_msg() {
+  CONTENT=$1
+  TYPE=${2:+"[\e[91mError\e[0m]"}
+  TYPE=${msgType:-"[\e[92mInfo\e[0m]"}
+  echo -e $TYPE $CONTENT
+}
+export ARCH=$(get_arch)
+print_msg "Arch: $ARCH"
+
+## check if container's name is passed
+## TODO, has to check if is not '--help' or '-h'
+if [ $# -lt 1 ]
+then
+  print_help
+fi
+
+
+export CONTAINER_NAME=$1
+export FULL_CONTAINER_PATH="`pwd`/containers/$CONTAINER_NAME/"
+print_msg "Container Name: '$CONTAINER_NAME'"
+print_msg "Creating directory '$FULL_CONTAINER_PATH'"
+
+mkdir `pwd`/data/$CONTAINER_NAME
+mkdir `pwd`/containers/$CONTAINER_NAME
+
+print_msg "Decompress alpine rootfs into '$FULL_CONTAINER_PATH'"
+sudo tar xf rootfs/alpine-minirootfs-3.5.1-$ARCH.tar.gz -C $FULL_CONTAINER_PATH
+sudo chmod 0755 $FULL_CONTAINER_PATH
+
+## set dns
+echo "nameserver 84.200.70.40" >> $FULL_CONTAINER_PATH/etc/resolv.conf
+echo "nameserver 4.2.2.2" >> $FULL_CONTAINER_PATH/etc/resolv.conf
+
+## create user
+print_msg "Create user $CONTAINER_NAME"
+useradd $CONTAINER_NAME --no-create-home -p=''
+export CONTAINER_UID=`id $CONTAINER_NAME -u`
+export CONTAINER_GID=`id $CONTAINER_NAME -g`
+print_msg "Ok uid: $CONTAINER_UID gid: $CONTAINER_GID"
+
+print_msg "Create container $CONTAINER_NAME"
+export TERMINAL=false
+export DEPLOY=true
+export CAPABILITIES=""
+./runc.template > config.json
+
+## mount with loggedfs container root
+loggedfs -l files_$CONTAINER_NAME.log -c config.xml -p $FULL_CONTAINER_PATH
+
+## run chroot
+print_msg "
+\n
+I'm running chroot now, all opened files will be logged in $CONTAINER_NAME.log\n
+\n
+- Install and setup your stuff, if you need some package use 'apk update' and 'apk search'\n
+- Configure your process to use /data as storage point (/ will be read-only)\n
+- Clean $CONTAINER_NAME.log 'echo "" > $CONTAINER_NAME.log'\n
+- Start your process, exit on done!\n\n
+
+"
+
+mount -t proc proc $FULL_CONTAINER_PATH/proc/
+mount -t sysfs sys $FULL_CONTAINER_PATH/sys/
+mount -o bind /dev $FULL_CONTAINER_PATH/dev/
+
+chroot $FULL_CONTAINER_PATH sh
+escaped_path=$(echo $FULL_CONTAINER_PATH | sed   -e 's/\//\\\//g')
+echo "ESCAPED_PATH: $escaped_path"
+mkdir `pwd`/containers/$CONTAINER_NAME.tmp
+
+files=`sed -rn "s/.* open (readwrite |writeonly )?$escaped_path(.*) \{.*/\2/p" < files_rs.log | sort | uniq`
+links=`sed -rn "s/.* readlink $escaped_path(.*) \{.*/\1/p" < files_rs.log | sort | uniq`
+
+## ok, removing all file but ones in $CONTAINER_NAME.log
+cd $FULL_CONTAINER_PATH
+for f in $files; do
+  echo $f
+  cp --parents $f ../$CONTAINER_NAME.tmp/
+done
+
+for l in $links; do
+  to=$(ls -la $l | sed -rn "s/.*-> (.*)/\1/p")
+  echo "$l -> $to"
+  ln -s $to ../$CONTAINER_NAME.tmp/$l
+done
+
+
+
+cd ..
+umount $FULL_CONTAINER_PATH/proc
+umount $FULL_CONTAINER_PATH/dev
+umount $FULL_CONTAINER_PATH/sys
+umount $FULL_CONTAINER_PATH
+
+#export TERMINAL=true
+#export DEPLOY=false
+#export CAPABILITIES=', "CAP_SYS_ADMIN", "CAP_CHOWN", "CAP_FOWNER", "CAP_NET_RAW", "CAP_SETGID", "CAP_SETUID", "CAP_SYS_CHROOT"'
+#CONTAINER_UID=0
+#CONTAINER_GID=0
+#./runc.template > config.dev.json
+
+
+
+#print_msg "Patch inittab"
+## modify inittab to fix alpine tty/console issue!
+## comment all ttyN respawn lines
+#sudo sed -i "s/^.*respawn:\/sbin\/getty.*/#&/" $fullContainerPath/etc/inittab
+
+## and add a line for a console
+#sudo bash -c 'echo "console::respawn:/sbin/getty 38400 /dev/console" >> $fullContainerPath/etc/inittab'
+
+#print_msg "Update package"
+## update package
+#sudo systemd-nspawn -D $fullContainerPath -M $containerName apk update
+#print_msg "Install vim / git"
+#sudo systemd-nspawn -D $fullContainerPath -M $containerName apk add vim git openrc
+#print_msg "Ready"
+#sudo systemd-nspawn -bD $fullContainerPath -M $containerName
+
+
+
+##
+
+#sed  "s/.*\"\(.*\)\".*/\1/" file
--- a/runc.template
+++ b/runc.template
@ -0,0 +1,166 @@
+#!/usr/bin/env bash
+cat <<EOF
+{
+	"ociVersion": "1.0.0-rc1",
+	"platform": {
+		"os": "linux",
+		"arch": "$ARCH"
+	},
+	"process": {
+		"terminal": $TERMINAL,
+    "tty": true,
+		"user": {
+			"uid": $CONTAINER_UID,
+			"gid": $CONTAINER_GID
+		},
+		"args": [
+			"sh"
+		],
+		"env": [
+			"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
+			"TERM=xterm"
+		],
+		"cwd": "/",
+		"capabilities": [
+			"CAP_AUDIT_WRITE",
+			"CAP_KILL",
+			"CAP_NET_BIND_SERVICE"
+			$CAPABILITIES
+		],
+		"rlimits": [
+			{
+				"type": "RLIMIT_NOFILE",
+				"hard": 1024,
+				"soft": 1024
+			}
+		],
+		"noNewPrivileges": true
+	},
+	"root": {
+		"path": "./containers/$CONTAINER_NAME",
+		"readonly": $DEPLOY
+	},
+	"mounts": [
+    {
+      "type": "bind",
+      "source": "./data/$CONTAINER_NAME",
+      "destination": "/data",
+      "options": [ "rbind", "rw", "noexec" ]
+    },
+		{
+			"destination": "/proc",
+			"type": "proc",
+			"source": "proc"
+		},
+		{
+			"destination": "/dev",
+			"type": "tmpfs",
+			"source": "tmpfs",
+			"options": [
+				"nosuid",
+				"strictatime",
+				"mode=755",
+				"size=65536k"
+			]
+		},
+		{
+			"destination": "/dev/pts",
+			"type": "devpts",
+			"source": "devpts",
+			"options": [
+				"nosuid",
+				"noexec",
+				"newinstance",
+				"ptmxmode=0666",
+				"mode=0620",
+				"gid=5"
+			]
+		},
+		{
+			"destination": "/dev/shm",
+			"type": "tmpfs",
+			"source": "shm",
+			"options": [
+				"nosuid",
+				"noexec",
+				"nodev",
+				"mode=1777",
+				"size=65536k"
+			]
+		},
+		{
+			"destination": "/dev/mqueue",
+			"type": "mqueue",
+			"source": "mqueue",
+			"options": [
+				"nosuid",
+				"noexec",
+				"nodev"
+			]
+		},
+		{
+			"destination": "/sys",
+			"type": "sysfs",
+			"source": "sysfs",
+			"options": [
+				"nosuid",
+				"noexec",
+				"nodev",
+				"ro"
+			]
+		},
+		{
+			"destination": "/sys/fs/cgroup",
+			"type": "cgroup",
+			"source": "cgroup",
+			"options": [
+				"nosuid",
+				"noexec",
+				"nodev",
+				"relatime",
+				"ro"
+			]
+		}
+	],
+	"hooks": {},
+	"linux": {
+		"resources": {
+			"devices": [
+				{
+					"allow": false,
+					"access": "rwm"
+				}
+			]
+		},
+		"namespaces": [
+			{
+				"type": "pid"
+			},
+			{
+				"type": "ipc"
+			},
+			{
+				"type": "mount"
+			}
+		],
+		"maskedPaths": [
+			"/proc/kcore",
+			"/proc/latency_stats",
+			"/proc/timer_stats",
+			"/proc/sched_debug"
+		],
+		"readonlyPaths": [
+			"/proc/asound",
+			"/proc/bus",
+			"/proc/fs",
+			"/proc/irq",
+			"/proc/sys",
+			"/proc/sysrq-trigger"
+		]
+	},
+	"solaris": {
+		"cappedCPU": {},
+		"cappedMemory": {}
+	}
+}
+EOF