shell based PoC

2023-06-08 18:12:14 +02:00 · 2023-06-08 18:12:14 +02:00 · d0a9623a29
commit d0a9623a29
parent d7f6fb874c
8 changed files with 304 additions and 0 deletions
--- a/bin/create_kube.sh
+++ b/bin/create_kube.sh
@ -0,0 +1,42 @@
+#!/bin/sh
+
+set -e
+
+if [[ "$(id -u)" -ne "0" ]]
+then
+    echo "you must run $0 as root"
+    exit 1
+fi
+
+NAME=kube
+DISK=/var/openkubsd/disks/${NAME}.qcow2
+
+# create a qcow2 file for /home
+test -f "${DISK}" || vmctl create -s 60G "${DISK}"
+
+# generate a MAC address
+MAC="$(openssl rand -hex 6 | sed 's/\(..\)/\1:/g; s/:$//')"
+NEXT_IP=$(/var/openkubsd/bin/get_ip.sh)
+
+# create the vm.conf file
+cat <<EOF >/var/openkubsd/vm.conf.d/vms/${NAME}.conf
+vm "${NAME}" {
+    disk /var/openkubsd/templates/openbsd-template.qcow2
+    disk $DISK
+    interface locked lladdr $MAC switch kubes
+    disable
+}
+EOF
+
+cat <<EOF >/var/openkubsd/dhcpd.d/${NAME}.conf
+host ${NAME} {
+    hardware ethernet $MAC;
+    fixed-address $NEXT_IP;
+}
+EOF
+
+/var/openkubsd/bin/recreate_conf.sh
+
+# generate PF rules
+
+# generate NFS
--- a/bin/create_template.sh
+++ b/bin/create_template.sh
@ -0,0 +1,92 @@
+#!/bin/sh
+
+DIR="$(mktemp -d /tmp/openkubsd-new-template.XXXXXXXXXXXXXXXXXXXXX)"
+NAME=openbsd-template
+DISK=/var/openkubsd/templates/${NAME}.qcow2
+
+if [[ "$(id -u)" -ne "0" ]]
+then
+    echo "you must run $0 as root"
+    exit 1
+fi
+
+if ! rcctl check vmd
+then
+    echo "vmd isn't running"
+    exit 1
+fi
+
+cd $DIR || exit 1
+if [[ -f "$DISK" ]]
+then
+    echo "$DISK already exist"
+    exit 1
+fi
+
+# download upobsd
+curl -OL https://raw.githubusercontent.com/rapenne-s/upobsd/master/upobsd.sh
+
+# download bsd.rd
+curl -OL https://cdn.openbsd.org/pub/OpenBSD/7.3/amd64/bsd.rd
+
+# create install.conf
+cat <<EOF >install.conf
+System hostname = $NAME
+Password for root = *************
+Public ssh key for root = ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOIZKLFQXVM15viQXHYRjGqE6LLfvETMkjjgSz0mxMzS
+Change the default console to com0 = yes
+Which speed should com0 use = 19200
+Allow root ssh login = prohibit-password
+Setup a user = user
+Password for user = *************
+Public ssh key for user = ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOIZKLFQXVM15viQXHYRjGqE6LLfvETMkjjgSz0mxMzS
+What timezone are you in = Europe/Paris
+Location of sets = http
+HTTP Server = 10.100.0.1
+EOF
+
+# update bsd.rd
+chmod +x upobsd.sh
+./upobsd.sh -f bsd.rd -i install.conf
+
+# create disk
+vmctl create -s 60G "${DISK}"
+
+# generate a MAC address
+MAC="$(openssl rand -hex 6 | sed 's/\(..\)/\1:/g; s/:$//')"
+NEXT_IP=$(/var/openkubsd/bin/get_ip.sh)
+
+# run install
+cat <<EOF >/var/openkubsd/vm.conf.d/vms/${NAME}.conf
+vm "${NAME}" {
+    disk ${DISK}
+    boot device disk
+    boot ${DIR}/bsd.rd
+    interface locked lladdr $MAC switch kubes
+    disable
+}
+EOF
+
+cat <<EOF >/var/openkubsd/dhcpd.d/${NAME}.conf
+host ${NAME} {
+    hardware ethernet $MAC;
+    fixed-address $NEXT_IP;
+}
+EOF
+
+/var/openkubsd/bin/recreate_conf.sh
+
+vmctl start "${NAME}"
+vmctl wait "${NAME}"
+
+cat <<EOF >/var/openkubsd/vm.conf.d/vms/${NAME}.conf
+vm "${NAME}" {
+    disk ${DISK}
+    interface locked lladdr $MAC switch kubes
+    disable
+}
+EOF
+
+/var/openkubsd/bin/recreate_conf.sh
+
+rm -fr "$DIR"
--- a/bin/get_ip.sh
+++ b/bin/get_ip.sh
@ -0,0 +1,14 @@
+#!/bin/sh
+
+SUBNET=$(awk '/^subnet/ { print $2 }' /var/openkubsd/dhcpd.d/00_base.conf | cut -d '.' -f 1-3)
+IP_LIST=$(grep fixed-address /var/openkubsd/dhcpd.d/*conf | awk '{ print $3 }' | awk -F '.' '{ print $4 }' | tr -d ';' | sort -n)
+
+# .1 is the gateway
+for i in $(seq 2 240)
+do
+    if ! echo "${IP_LIST}" | grep "^${i}$" >/dev/null
+    then
+        echo "${SUBNET}.${i}"
+        break
+    fi
+done
--- a/bin/recreate_conf.sh
+++ b/bin/recreate_conf.sh
@ -0,0 +1,28 @@
+#!/bin/sh
+
+if [[ "$(id -u)" -ne "0" ]]
+then
+    echo "you must run $0 as root"
+    exit 1
+fi
+
+cd /var/openkubsd/vm.conf.d/vms/
+ls *.conf
+cat *.conf > ../vms.conf
+
+cd /var/openkubsd/dhcpd.d/
+ls *.conf
+cat *.conf > /etc/dhcpd.conf
+
+HOSTS=$(find /var/openkubsd/dhcpd.d/ -not -name 00_base.conf -type f -exec cat {} + | grep -E "(^host|fixed-address)" | tr -d ';' | paste - - | awk '{ print $5" "$2".kube" }')
+
+HOSTS_FILE=$(awk '/OpenKuBSD/ { stop=1 }; stop!=1 { print }' /etc/hosts)
+cat <<EOF >/etc/hosts
+$HOSTS_FILE
+
+# OpenKuBSD
+$HOSTS
+EOF
+
+rcctl reload vmd
+rcctl restart dhcpd
--- a/bin/remove_template.sh
+++ b/bin/remove_template.sh
@ -0,0 +1,23 @@
+#!/bin/sh
+
+if [[ "$(id -u)" -ne "0" ]]
+then
+    echo "you must run $0 as root"
+    exit 1
+fi
+
+NAME=openbsd-template
+DISK=/var/openkubsd/templates/${NAME}.qcow2
+
+if grep -r "$DISK" /var/openkubsd/vm.conf.d/vms/ | grep -v "/var/openkubsd/vm.conf.d/vms/${NAME}.conf"
+then
+    echo "The configuration files above still need $NAME"
+    exit 1
+fi
+
+vmctl stop -fw $NAME
+rm "/var/openkubsd/vm.conf.d/vms/${NAME}.conf"
+rm "/var/openkubsd/dhcpd.d/${NAME}.conf"
+rm "$DISK"
+
+./recreate_conf.sh
--- a/bin/setup.sh
+++ b/bin/setup.sh
@ -0,0 +1,82 @@
+#!/bin/sh
+
+if [[ "$(id -u)" -ne "0" ]]
+then
+    echo "you must run $0 as root"
+    exit 1
+fi
+
+# install ansible
+type ansible >/dev/null || pkg_add ansible
+
+# create some directories
+install -d -o root -g wheel -m 755 /var/openkubsd/
+install -d -o root -g wheel -m 755 /var/openkubsd/bin/
+install -d -o root -g wheel -m 755 /var/openkubsd/dhcpd.d/
+install -d -o root -g wheel -m 755 /var/openkubsd/vm.conf.d/
+install -d -o root -g wheel -m 755 /var/openkubsd/vm.conf.d/vms/
+install -d -o root -g wheel -m 700 /var/openkubsd/pf/
+install -d -o root -g wheel -m 700 /var/openkubsd/disks/
+install -d -o root -g wheel -m 755 /var/openkubsd/templates/
+
+install -o root -g wheel -m 555 ./get_ip.sh /var/openkubsd/bin/
+install -o root -g wheel -m 555 ./recreate_conf.sh /var/openkubsd/bin/
+
+# generate NAT PF rule
+cat <<EOF >/var/openkubsd/pf/nat
+match out on egress from vether0:network to any nat-to (egress)
+pass in proto { udp tcp } from vether0:network to any port domain \
+       rdr-to 9.9.9.9 port domain
+EOF
+
+# generate network interfaces
+cat <<EOF >/etc/hostname.vether0
+inet 10.100.0.1 255.255.255.0
+EOF
+
+cat <<EOF >/etc/hostname.bridge0
+add vether0
+EOF
+
+sh /etc/netstart vether0
+sh /etc/netstart bridge0
+
+# Configure vmd to use a switch
+cat <<EOF >/etc/vm.conf
+include "/var/openkubsd/vm.conf.d/switch.conf"
+include "/var/openkubsd/vm.conf.d/vms.conf"
+EOF
+
+cat <<EOF >/var/openkubsd/vm.conf.d/switch.conf
+switch "kubes" {
+    interface bridge0
+    locked lladdr
+}
+EOF
+test -f /var/openkubsd/vm.conf.d/vms.conf || touch /var/openkubsd/vm.conf.d/vms.conf
+
+# Prepare base DHCPD configuration
+cat <<EOF >/var/openkubsd/dhcpd.d/00_base.conf
+option  domain-name-servers 9.9.9.9;
+subnet 10.100.0.0 netmask 255.255.255.0 {
+	option routers 10.100.0.1;
+	range 10.100.0.240 10.100.0.245;
+}
+EOF
+
+# check for the PF anchor
+if pfctl -a "openkubsd" -sr 2>&1 | grep "does not exist"
+then
+    echo "anchor openkubsd missing in pf.conf"
+    exit 1
+fi
+
+# load the NAT rule into the anchor
+pfctl -a openkubsd -f /var/openkubsd/pf/nat
+
+# restart vmd
+rcctl enable dhcpd
+rcctl set dhcpd flags vether0
+rcctl restart dhcpd
+rcctl enable vmd
+rcctl restart vmd
--- a/bin/start_kube.sh
+++ b/bin/start_kube.sh
@ -0,0 +1,13 @@
+#!/bin/sh
+
+if [[ "$(id -u)" -ne "0" ]]
+then
+    echo "you must run $0 as root"
+    exit 1
+fi
+
+# create a derived disk from the template
+rm -f /tmp/kube.qcow2
+vmctl create -b /var/openkubsd/templates/openbsd.qcow2 /tmp/kube.qcow2
+
+vmctl start -n kube -d /tmp/kube.qcow2 -d /var/openkubsd/disks/kube.qcow2 kube
--- a/bin/stop_kube.sh
+++ b/bin/stop_kube.sh
@ -0,0 +1,10 @@
+#!/bin/sh
+
+if [[ "$(id -u)" -ne "0" ]]
+then
+    echo "you must run $0 as root"
+    exit 1
+fi
+
+vmctl stop -w kube
+rm -f /tmp/kube.qcow2