#!/usr/bin/env bash
# Packer provisioning script for an EKS worker AMI that adds gVisor (runsc) as a
# containerd runtime. Expects REGION and AWS_ACCESS_KEY_ID in the environment.
# -u: referencing an unset variable is an error.
# -x: every command is traced to the build log with its expansions, so any
#     step that expands a secret must switch tracing off first (see validate_env_set).
# There is no -e: a failing step does not stop the script on its own.
set -ux
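#######################################
# Abort the build unless the named variable is set and non-empty.
# Arguments: $1 - name of the variable to check (e.g. REGION)
# Outputs:   an error line on stderr when the variable is missing
# Exits:     1 if the variable is unset or empty; otherwise execution continues
#######################################
validate_env_set() {
  # Subshell: the option changes below stay local to this check.
  (
    # `${!1}` is an error under nounset when the variable is absent; relax it here.
    set +o nounset
    # The script runs under `set -x`, which would trace the expanded test below —
    # i.e. the variable's value, such as AWS_ACCESS_KEY_ID — into the Packer log.
    # Tracing is switched off before the value is expanded.
    set +x
    if [ -z "${!1}" ]; then
      echo "Packer variable '$1' was not set. Aborting" >&2
      exit 1
    fi
  ) || exit 1
  # The `exit 1` inside the subshell only ends the subshell; the `|| exit 1`
  # above makes "Aborting" true even though the script does not use `set -e`.
}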
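# Fail fast if Packer did not supply the variables this build needs.
# validate_env_set reports a missing variable through its exit status; with no
# `set -e` in this script, the `|| exit 1` is what actually aborts the build
# instead of letting the install steps run with an empty value.
validate_env_set REGION || exit 1
validate_env_set AWS_ACCESS_KEY_ID || exit 1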
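# Get DNS working.
# NOTE(review): 172.31.0.2 is a hard-coded VPC resolver address; this only works
# in a 172.31.0.0/16 VPC. Kept as the author had it — confirm against the build VPC.
sudo bash -c 'echo "nameserver 172.31.0.2" > /etc/resolv.conf'
sudo chmod 644 /etc/resolv.conf
sudo service docker start
# https://blog.vgs.dev/secure-compute-part-2
# Install dependencies
sudo yum install -y git
# Install Golang
GO_TARBALL=go1.14.4.linux-amd64.tar.gz
wget -nc "https://dl.google.com/go/${GO_TARBALL}"
# Verify the archive before it is unpacked into /usr/local. The .sha256 sidecar
# comes from the same origin as the tarball, so this catches truncated or
# corrupted downloads; pinning the expected digest in this script would be stronger.
wget -nc "https://dl.google.com/go/${GO_TARBALL}.sha256"
printf '%s  %s\n' "$(cat "${GO_TARBALL}.sha256")" "${GO_TARBALL}" | sha256sum -c - || exit 1
sudo tar -C /usr/local -xzf "${GO_TARBALL}"
# Exported so the `make` steps below see the same toolchain this shell does.
export GOROOT=/usr/local/go
export GOPATH=$HOME/go
export PATH=/usr/local/go/bin:$HOME/go/bin:$PATH
# Install gVisor runsc
# URL=https://storage.googleapis.com/gvisor/releases/release/latest/${ARCH}
ARCH=$(uname -m)
RUNSC_URL="https://storage.googleapis.com/gvisor/releases/release/20210712/${ARCH}"
wget -nc "${RUNSC_URL}/runsc" "${RUNSC_URL}/runsc.sha512"
# runsc runs as root on every node; abort the build if the binary does not
# match the digest published with the pinned release.
sha512sum -c runsc.sha512 || exit 1
rm -f runsc.sha512
sudo mv runsc /usr/local/bin
sudo chown root:root /usr/local/bin/runsc
sudo chmod 0755 /usr/local/bin/runsc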
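# Install gvisor-containerd-shim
# NOTE(review): this builds whatever HEAD of the repository is at build time, so
# the image is not reproducible and nothing verifies the shim's provenance. The
# commented block below shows the checksum-verified release download of
# containerd-shim-runsc-v1 as the alternative. TODO: pin a commit or use the release.
rm -rf gvisor-containerd-shim
git clone https://github.com/google/gvisor-containerd-shim.git || exit 1
# Without this guard a failed clone would run `make` / `sudo make install`
# in $HOME instead of the checkout (there is no `set -e`).
cd gvisor-containerd-shim || exit 1
make || exit 1
sudo make install || exit 1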
# Install gvisor without cloning & make
# (
# set -e
# ARCH=$(uname -m)
# # TODO(ben): unpin release?
# # URL=https://storage.googleapis.com/gvisor/releases/release/latest/${ARCH}
# URL=https://storage.googleapis.com/gvisor/releases/release/20210712/${ARCH}
# wget ${URL}/runsc ${URL}/runsc.sha512 \
# ${URL}/containerd-shim-runsc-v1 ${URL}/containerd-shim-runsc-v1.sha512
# sha512sum -c runsc.sha512 \
# -c containerd-shim-runsc-v1.sha512
# rm -f *.sha512
# chmod a+rx runsc containerd-shim-runsc-v1
# sudo mv runsc containerd-shim-runsc-v1 /usr/local/bin
# /usr/local/bin/runsc install
# sudo systemctl reload docker
# )
#
# Configure containerd
# https://github.com/google/gvisor/blob/master/g3doc/user_guide/containerd/quick_start.md#configure-containerd
# Except overwrite the EKS file https://github.com/awslabs/amazon-eks-ami/blob/af6a02dec0171bae7a20605e1427ba4d9e051bc2/files/bootstrap.sh#L404
# cat <<EOF | sudo tee /etc/containerd/config.toml
# Write the containerd config the EKS bootstrap picks up. runc remains the
# default runtime; a workload has to select the "runsc" runtime explicitly.
# shim_debug = true leaves the v1 shim in debug mode, which is noisy for a
# production image. The delimiter is quoted because the content is literal.
sudo tee /etc/eks/containerd/containerd-config.toml <<'EOF'
version = 2
root = "/var/lib/containerd"
state = "/run/containerd"
[grpc]
address = "/run/containerd/containerd.sock"
[plugins."io.containerd.grpc.v1.cri".containerd]
default_runtime_name = "runc"
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
runtime_type = "io.containerd.runc.v2"
[plugins."io.containerd.grpc.v1.cri".cni]
bin_dir = "/opt/cni/bin"
conf_dir = "/etc/cni/net.d"
[plugins."io.containerd.runtime.v1.linux"]
shim_debug = true
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runsc]
runtime_type = "io.containerd.runsc.v1"
EOF
# This appears to successfully switch us over to containerd
# cat <<'EOF' | sudo tee /etc/systemd/system/kubelet.service
# kubelet unit pointing at the containerd socket configured above. The empty
# `ExecStart=` clears any ExecStart inherited from the base unit before the
# new one is set. The delimiter is quoted so $KUBELET_ARGS / $KUBELET_EXTRA_ARGS
# reach systemd literally instead of being expanded by this shell.
sudo tee /etc/eks/containerd/kubelet-containerd.service <<'EOF'
[Unit]
Description=Kubernetes Kubelet
Documentation=https://github.com/kubernetes/kubernetes
After=containerd.service
Requires=containerd.service
[Service]
ExecStartPre=/sbin/iptables -P FORWARD ACCEPT -w 5
ExecStart=
ExecStart=/usr/bin/kubelet --cloud-provider aws \
--config /etc/kubernetes/kubelet/kubelet-config.json \
--kubeconfig /var/lib/kubelet/kubeconfig \
--container-runtime remote \
--container-runtime-endpoint "unix:///run/containerd/containerd.sock" \
--network-plugin cni $KUBELET_ARGS $KUBELET_EXTRA_ARGS
Restart=on-failure
RestartForceExitStatus=SIGPIPE
RestartSec=5
KillMode=process
[Install]
WantedBy=multi-user.target
EOF
sudo systemctl restart containerd
# Undo DNS lest it break everything (the resolv.conf written earlier is
# deleted as part of the cleanup list below).
sudo service docker stop
# Clean up
# https://github.com/awslabs/amazon-eks-ami/blob/af6a02dec0171bae7a20605e1427ba4d9e051bc2/scripts/install-worker.sh#L332-L348
sudo yum clean all
# Build-time state that must not ship in the AMI: the build user's and root's
# authorized_keys (the provisioning SSH key), any registry login in
# /root/.docker/config.json, host SSH keys and machine-id (so instances do not
# share an identity — presumably regenerated on first boot), cloud-init and
# DHCP state, and the auth/login logs. Unquoted globs expand in this shell
# before sudo runs; an unmatched pattern is passed through literally.
cleanup_paths=(
  /etc/hostname
  /etc/machine-id
  /etc/resolv.conf
  /etc/ssh/ssh_host*
  /home/ec2-user/.ssh/authorized_keys
  /root/.docker/config.json
  /root/.ssh/authorized_keys
  /var/cache/yum
  /var/lib/cloud/data
  /var/lib/cloud/instance
  /var/lib/cloud/instances
  /var/lib/cloud/sem
  /var/lib/dhclient/*
  /var/lib/dhcp/dhclient.*
  /var/lib/yum/history
  /var/log/cloud-init-output.log
  /var/log/cloud-init.log
  /var/log/secure
  /var/log/wtmp
)
sudo rm -rf "${cleanup_paths[@]}"
# https://github.com/awslabs/amazon-eks-ami/blob/master/scripts/validate.sh
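#######################################
# Fail the build if anything still matches the given path or glob pattern.
# Arguments: $1 - absolute path or glob pattern (e.g. '/etc/ssh/ssh_host*')
# Outputs:   the offending path on stderr
# Exits:     1 at the first path that still exists; returns 0 when nothing matches
# NOTE(review): if this runs as the unprivileged build user (everything
# privileged above goes through sudo), `[ -e ]` cannot see into 0700
# directories such as /root, and those checks pass vacuously — confirm.
#######################################
validate_file_nonexists() {
  local file_blob=$1
  local f
  # Word-splitting and globbing of $file_blob is the point: callers pass
  # patterns. An unmatched pattern stays literal and is then reported as absent.
  # shellcheck disable=SC2086
  for f in $file_blob; do
    # -e follows symlinks, so a dangling link left behind would slip through;
    # -L catches it.
    if [ -e "$f" ] || [ -L "$f" ]; then
      echo "$f shouldn't exists" >&2
      exit 1
    fi
  done
}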
# Confirm the cleanup above actually removed the build-time state. Patterns are
# quoted here; validate_file_nonexists expands them itself.
# Note: /etc/machine-id, /root/.docker/config.json and /var/cache/yum are
# deleted above but not re-checked here.
cleanup_checks=(
  '/etc/hostname'
  '/etc/resolv.conf'
  '/etc/ssh/ssh_host*'
  '/home/ec2-user/.ssh/authorized_keys'
  '/root/.ssh/authorized_keys'
  '/var/lib/cloud/data'
  '/var/lib/cloud/instance'
  '/var/lib/cloud/instances'
  '/var/lib/cloud/sem'
  '/var/lib/dhclient/*'
  '/var/lib/dhcp/dhclient.*'
  '/var/lib/yum/history'
  '/var/log/cloud-init-output.log'
  '/var/log/cloud-init.log'
  '/var/log/secure'
  '/var/log/wtmp'
)
for check_pattern in "${cleanup_checks[@]}"; do
  validate_file_nonexists "$check_pattern"
done