Customize a RHEL/CentOS qcow2 image so that it can be used with Vagrant. The result is a standard Vagrant base box: the publicly known "insecure" Vagrant key for root and vagrant, the password "vagrant" on both accounts, passwordless sudo, and neither firewall nor SELinux — suitable only for local, host-only use, never for an image that will be reachable from a shared network.
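#!/usr/bin/env bash
# Customize a RHEL/CentOS qcow2 image so it boots as a Vagrant box.
# Must run as root inside the image (the script writes under /etc directly).
#
# Tracing is turned on with `set` rather than as a shebang option so that it
# survives being invoked as `bash script.sh`. NOTE: with tracing on, every
# command is echoed to stderr, including the `echo 'vagrant' | passwd --stdin`
# lines below. That is acceptable only because the Vagrant password is public
# by design; do not reuse this script with a real secret while tracing is on.
set -x

# Hostname of the box.
FQDN="vagrant-rhel7"

# RHEL 6 reads HOSTNAME= from /etc/sysconfig/network. Replace an existing
# entry in place (anchored at the start of the line, so a commented-out
# "#HOSTNAME=" line is left alone) or append one.
if grep -q '^HOSTNAME=' /etc/sysconfig/network; then
  sed -i "s/^HOSTNAME=.*/HOSTNAME=${FQDN}/" /etc/sysconfig/network
else
  echo "HOSTNAME=${FQDN}" >> /etc/sysconfig/network
fi
# RHEL 7 (systemd) takes the hostname from /etc/hostname instead; without
# this the FQDN above never applied on a RHEL 7 image.
echo "${FQDN}" > /etc/hostname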
# The image carries no subscription/entitlements, so packages can only be
# removed, not installed. NetworkManager and cloud-init both interfere with
# the plain ifcfg-eth0 setup done further down, so both go.
yum -y remove cloud-init NetworkManager
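# Accounts. Both root and vagrant get the well-known password "vagrant";
# that is the Vagrant convention and is only tolerable because a box is
# meant to be reachable from its host alone.
echo 'vagrant' | passwd --stdin root

# Create the vagrant user if it does not exist. Look the account up by name
# instead of grepping /etc/passwd, which would also match e.g. "vagrant2"
# or a GECOS field that merely mentions vagrant.
if ! getent passwd vagrant > /dev/null; then
  echo '* Creating user vagrant.'
  useradd vagrant
  echo 'vagrant' | passwd --stdin vagrant
fi

# Passwordless sudo for the admin group. -a appends to the user's
# supplementary groups; plain -G would replace whatever groups an existing
# vagrant user already had.
getent group admin > /dev/null || groupadd admin
usermod -aG admin vagrant

# Put the Vagrant sudo rules in a drop-in rather than appending to
# /etc/sudoers: the drop-in is rewritten whole (re-running the script does
# not duplicate rules) and is validated with visudo before it can take
# effect, whereas a bad line appended to /etc/sudoers disables sudo for
# everyone. Relies on the "#includedir /etc/sudoers.d" line that the stock
# RHEL sudoers ships with.
SUDOERS_DROPIN=/etc/sudoers.d/vagrant
mkdir -p /etc/sudoers.d
cat > "${SUDOERS_DROPIN}" << 'EOF'
Defaults env_keep += "SSH_AUTH_SOCK"
%admin ALL=NOPASSWD: ALL
EOF
chmod 0440 "${SUDOERS_DROPIN}"
if ! visudo -cf "${SUDOERS_DROPIN}"; then
  echo "* ${SUDOERS_DROPIN} failed visudo validation, removing it." >&2
  rm -f "${SUDOERS_DROPIN}"
fi
# Vagrant runs sudo over a non-interactive ssh session, so requiretty must
# be off in the main file.
sed -i 's/Defaults\s*requiretty/Defaults !requiretty/' /etc/sudoers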
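# SSH setup.
# Don't reverse-resolve client addresses (slow logins from the host).
# Replace an existing UseDNS line, commented or not; add one if there is
# none at all (the original only rewrote an existing line).
if grep -q 'UseDNS' /etc/ssh/sshd_config; then
  sed -i 's/.*UseDNS.*/UseDNS no/' /etc/ssh/sshd_config
else
  echo 'UseDNS no' >> /etc/ssh/sshd_config
fi

# Public half of the Vagrant "insecure" key pair. The private half ships
# with every Vagrant install, so anyone who can reach port 22 of the box
# can log in with it; that is the base-box contract, not an oversight.
# NOTE(review): Vagrant's first-boot key rotation (insert_key) only touches
# the account it logs in as (normally vagrant), so the copy installed for
# root below is expected to stay in place — confirm whether root really
# needs it, and that PermitRootLogin in sshd_config is what you want.
VAGRANT_PUBKEY='ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA6NF8iallvQVp22WDkTkyrtvp9eWW6A8YVr+kz4TjGYe7gHzIw+niNltGEFHzD8+v1I2YJ6oXevct1YeS0o9HZyN1Q9qgCgzUFtdOKLv6IedplqoPkcmF0aYet2PkEDo3MlTBckFXPITAMzF8dJSIFo9D8HfdOV0IAdx4O7PtixWKn5y2hMNG0zQPyUecp4pzC6kivAIhyfHilFR61RGL+GPXQ2MWZWFYbAGjyiYJnAmCP3NOTd0jMZEnDkbUvxhMmBYSdETk1rRgm+R4LOzFUGaHqHDLKLX+FIPKcF96hrucXzcWyLbIbEgE98OHlnVYCzRdK8jlqm8tehUc9c9WhQ== vagrant insecure public key'

# install_vagrant_key USER HOME
# Replace HOME/.ssh/authorized_keys with the insecure key, with the modes
# sshd's StrictModes requires (700 dir, 600 file), owned by USER.
install_vagrant_key() {
  local user="$1" home="$2"
  [ -d "${home}/.ssh" ] || mkdir "${home}/.ssh"
  chmod 700 "${home}/.ssh"
  printf '%s\n' "${VAGRANT_PUBKEY}" > "${home}/.ssh/authorized_keys"
  chmod 600 "${home}/.ssh/authorized_keys"
  # This script runs as root, so hand the directory back to its owner
  # (a no-op for root's own directory).
  chown -R "${user}:${user}" "${home}/.ssh"
}

install_vagrant_key root ~root
install_vagrant_key vagrant ~vagrant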
# Firewall and SELinux.
# Both service managers are addressed so the script works on RHEL 6
# (chkconfig) and RHEL 7 (systemd); whichever is absent just fails, which is
# harmless because the script does not run under set -e.
for svc in iptables ip6tables; do
  chkconfig "${svc}" off
done
systemctl disable firewalld
systemctl enable sshd

# SELinux is turned off outright: per the original note, the converted box
# refused to start with it enabled. Be aware that "disabled" loads no policy
# at all (unlike "permissive", which keeps logging denials), and that going
# back to enforcing later requires a full relabel (touch /.autorelabel).
cat > /etc/selinux/config << 'EOF'
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= type of policy in use. Possible values are:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
SELINUXTYPE=targeted
EOF
# Networking cleanup.
# Drop the udev rules that pin ethX names to a hardware address, and any
# stale DHCP leases, so the first boot of a clone starts from a clean slate.
rm -f -- /etc/udev/rules.d/*persistent-net.rules /etc/udev/rules.d/*-net.rules
rm -rf -- /var/lib/dhclient/*
# XXX: unsure if this will help, but we'll try it out:
# Problem situation: Two interfaces are connected to same network. One interface
# wants to renew DHCP lease and asks server for address. DHCPACK message from
# server arrives, client moves to BOUND state. The client performs a check on
# the suggested address to ensure that the address is not already in use. On
# arping for specified IP address, other interface replies and that's why
# dhclient-script replies with DHCPDECLINE message. (See RFC2131, 4.4.1.).
# Solution: Set sysctl to reply only if the target IP address is local address
# configured on the incoming interface. (See kernel documentation
# Documentation/networking/ip-sysctl.txt)
set_sysctl() {
grep "$1" /etc/sysctl.conf > /dev/null
[ $? -eq 0 ] && sed -i '/'$1'/d' /etc/sysctl.conf
echo "$1 = $2" >> /etc/sysctl.conf
}
# ARP answers only for addresses configured on the receiving interface, and
# source-address selection preferring that interface's own address.
set_sysctl net.ipv4.conf.all.arp_ignore 1
set_sysctl net.ipv4.conf.all.arp_announce 2
# NOTE(review): the documented rp_filter values are 0 (off), 1 (strict) and
# 2 (loose); 3 is undocumented. As far as I can tell the kernel treats any
# value other than 0 or 1 as loose, so this behaves like 2 — left untouched,
# but confirm the intent and write 2 explicitly if that is what was meant.
set_sysctl net.ipv4.conf.all.rp_filter 3

# eth0: DHCP, up at boot, and not managed by NetworkManager (removed above).
cat > /etc/sysconfig/network-scripts/ifcfg-eth0 << 'EOF'
DEVICE="eth0"
BOOTPROTO="dhcp"
ONBOOT="yes"
NM_CONTROLLED="no"
EOF
# Cleanup: don't ship root's shell history inside the image.
rm -f -- ~root/.bash_history