Created
February 17, 2018 00:44
Minimal ubuntu setup
#!/bin/bash

# Stop the whole script unless it runs with an effective UID of 0.
# Every later step edits system configuration (apt, sudoers, sshd, systemd),
# so the check is made once, before anything is touched.
# Outputs: an error message on stderr when not root.
# Returns: 0 when root; otherwise exits the script with status 1.
require_root() {
  (( EUID == 0 )) && return 0
  printf '%s\n' "This script must be run as root" >&2
  exit 1
}
# Turn off the periodic apt units, then bring the system fully up to date.
# Outputs: a progress banner on stdout plus whatever systemctl/apt print.
#
# NOTE(review): both the boot-time service and its timer are disabled and
# nothing in this function re-enables them. Machines cloned from the resulting
# image will not refresh their package index on their own, so security updates
# have to be delivered another way (re-enable the units on first boot, or
# patch through configuration management).
update_apt() {
  local unit

  echo "==> Configure APT"
  # apt-daily.service: the run triggered at boot; apt-daily.timer: the
  # scheduled run.
  for unit in apt-daily.service apt-daily.timer; do
    systemctl disable "$unit"
  done
  apt update
  apt full-upgrade -y
}
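# Install the base tool set used by the rest of the script.
# Outputs: a progress banner on stdout plus apt's own output.
# Returns: apt's exit status, or uname's status when the running kernel
#          release cannot be determined.
install_prereqs() {
  local kernel_release
  local -a packages

  echo "==> Installing tools"

  # Resolve the kernel release first and stop if that fails; otherwise the
  # package name would degrade to the bare prefix "linux-image-extra-".
  kernel_release=$(uname -r) || return

  # An array keeps every package name a single word, including the one built
  # from command output (the original left that expansion unquoted).
  packages=(
    vim-nox
    haveged
    "linux-image-extra-${kernel_release}"
    linux-image-extra-virtual
    open-vm-tools
    apt-transport-https
    ca-certificates
    curl
    software-properties-common
  )
  apt install -yqq "${packages[@]}"
}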
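# Set "UseDNS no" in the sshd configuration.
# Arguments: $1 - optional path to the config file
#                 (default: /etc/ssh/sshd_config)
# Returns:   status of the last edit command.
#
# sshd uses the first value it reads for a keyword, so blindly appending a
# second UseDNS line has no effect when the file already sets one, and every
# re-run of the original added another duplicate. An existing directive is
# therefore rewritten in place and the line is appended only when none exists.
#
# With UseDNS off, sshd only has the client address to match on: any
# "from=" restriction in authorized_keys and any "Match Host" rule has to be
# written with addresses rather than host names.
#
# NOTE(review): when the line is appended and the file ends with a Match
# block, the new line lands inside that block. Run `sshd -t` after the edit on
# systems whose config uses Match.
configure_sshd() {
  local config=${1:-/etc/ssh/sshd_config}

  if grep -Eiq '^[[:space:]]*UseDNS([[:space:]=]|$)' -- "$config" 2>/dev/null; then
    sed -i -E 's/^[[:space:]]*UseDNS([[:space:]=].*)?$/UseDNS no/I' -- "$config"
  else
    echo "UseDNS no" >> "$config"
  fi
}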
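# Give the sudo group passwordless sudo and mark it as the exempt group.
# Arguments: $1 - optional path to the sudoers file (default: /etc/sudoers)
# Outputs:   a progress banner on stdout; validation errors on stderr.
# Returns:   0 on success, 1 when the file cannot be staged or the edited
#            copy fails validation (the live file is then left untouched).
#
# Security impact: after this runs, every member of the sudo group can become
# root without re-authenticating (NOPASSWD:ALL), and exempt_group removes the
# password and PATH requirements for that group. Control of any sudo-group
# account is then equivalent to root. That trade-off fits a disposable build
# or lab image; on a long-lived host keep the password prompt or limit
# NOPASSWD to the specific commands that need it.
#
# The original edited /etc/sudoers in place with sed. A malformed result
# leaves sudo unusable, so the edit is made on a private copy and installed
# only after `visudo -c` accepts it. The exempt_group line is also added only
# once, so re-running the script no longer stacks duplicates.
configure_sudoers() {
  local sudoers=${1:-/etc/sudoers}
  local staged

  echo "==> Configuring sudoers"

  # mktemp creates the copy with owner-only permissions.
  staged=$(mktemp) || return 1
  if ! cp -- "$sudoers" "$staged"; then
    rm -f -- "$staged"
    return 1
  fi

  if ! grep -Eq '^Defaults[[:space:]]+exempt_group=sudo' "$staged"; then
    sed -i -e '/Defaults\s\+env_reset/a Defaults\texempt_group=sudo' "$staged"
  fi
  sed -i -e 's/%sudo\s*ALL=(ALL:ALL) ALL/%sudo\tALL=(ALL) NOPASSWD:ALL/g' "$staged"

  if ! visudo -cf "$staged" >/dev/null; then
    echo "sudoers edit failed validation; ${sudoers} left unchanged" >&2
    rm -f -- "$staged"
    return 1
  fi

  # Overwrite the contents of the existing file so its owner and mode stay
  # exactly as they were.
  if ! cp -- "$staged" "$sudoers"; then
    rm -f -- "$staged"
    return 1
  fi
  rm -f -- "$staged"
}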
# Register the haveged service to start at boot and start it immediately.
# Outputs: a progress banner on stdout plus systemctl's own output.
configure_haveged() {
  local action

  echo "==> Configuring haveged"
  for action in enable start; do
    systemctl "$action" haveged
  done
}
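# Install Docker CE from Docker's apt repository and start the daemon.
# Arguments: $1 - optional account to add to the docker group (default: vic)
# Outputs:   a progress banner on stdout; download/key errors on stderr.
# Returns:   1 when the repository key cannot be fetched or imported,
#            otherwise the status of the final systemctl call.
#
# Security notes:
#  * Membership of the docker group is root-equivalent: a member can ask the
#    daemon to run a container with the host filesystem mounted. Add only
#    accounts that are already trusted with root.
#  * The original piped curl straight into `apt-key add -`; without pipefail
#    a failed download was invisible. The key is now saved to a private
#    temporary file first and the function stops when the download fails.
#  * NOTE(review): the key is trusted purely because it arrived over HTTPS.
#    Before importing, compare its fingerprint with the value Docker
#    publishes, e.g.
#      gpg --show-keys "$keyfile"   # expect <DOCKER_KEY_FINGERPRINT_FROM_DOCS>
#  * NOTE(review): apt-key is deprecated and places the key in the global
#    keyring, where it is trusted for every configured repository. On releases
#    whose apt supports it, store the key in its own keyring file and reference
#    it with the `signed-by=` option in the sources entry instead.
#  * The systemd override starts dockerd with `-H fd://` only, so this
#    function configures no TCP listener for the daemon.
configure_docker() {
  local docker_user=${1:-vic}
  local keyfile

  echo "==> Installing docker"
  # -f: succeed when the group already exists, so re-runs do not error here.
  groupadd -f docker
  usermod -aG docker "$docker_user"

  keyfile=$(mktemp) || return 1
  if ! curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o "$keyfile"; then
    echo "Failed to download the Docker repository signing key" >&2
    rm -f -- "$keyfile"
    return 1
  fi
  if ! apt-key add "$keyfile"; then
    echo "Failed to import the Docker repository signing key" >&2
    rm -f -- "$keyfile"
    return 1
  fi
  rm -f -- "$keyfile"

  add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
  apt update
  apt install -y docker-ce

  # Drop-in that clears the packaged ExecStart and replaces it. The trailing
  # empty argument reproduces the blank last line the original wrote.
  mkdir -p /etc/systemd/system/docker.service.d
  printf '%s\n' \
    '[Service]' \
    'ExecStart=' \
    'ExecStart=/usr/bin/dockerd -H fd://' \
    '' > /etc/systemd/system/docker.service.d/override-start.conf

  systemctl daemon-reload
  systemctl enable docker
  systemctl start docker
}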
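# Purge every package named on stdin (one per line); do nothing when the list
# is empty. Replaces `xargs apt-get -y purge`, which still invoked apt-get
# once, without any package argument, when nothing matched.
_purge_from_stdin() {
  local -a pkgs=()

  mapfile -t pkgs
  (( ${#pkgs[@]} > 0 )) || return 0
  apt-get -y purge "${pkgs[@]}" </dev/null
}

# Strip the installation down: old kernels, kernel source, -dev and -doc
# packages, build tools, assorted extras, and finally orphaned libraries.
# Outputs: progress banners on stdout plus apt-get's own output.
#
# NOTE(review): the -dev/-doc filters are suffix matches over the whole
# package list and build-essential and git are purged outright, so this is
# only appropriate on a machine that exists to become an image.
minimize() {
  local running orphans

  # Remove some packages to get a minimal install
  echo "==> Removing all linux kernels except the currrent one"
  # Same text the original derived with sed: the running release with the
  # first "-generic" removed. It is matched as a fixed string so the dots in
  # the version cannot act as regex wildcards.
  running=$(uname -r)
  running=${running/-generic/}
  dpkg --list | awk '{ print $2 }' \
    | grep -e 'linux-\(headers\|image\)-.*[0-9]\($\|-generic\)' \
    | grep -vF -- "$running" \
    | _purge_from_stdin

  echo "==> Removing linux source"
  dpkg --list | awk '{ print $2 }' | grep linux-source | _purge_from_stdin

  echo "==> Removing development packages"
  dpkg --list | awk '{ print $2 }' | grep -- '-dev$' | _purge_from_stdin

  echo "==> Removing documentation"
  dpkg --list | awk '{ print $2 }' | grep -- '-doc$' | _purge_from_stdin

  echo "==> Removing development tools"
  apt-get -y purge build-essential git

  echo "==> Removing default system Ruby"
  apt-get -y purge ruby ri rdoc

  echo "==> Removing obsolete networking components"
  apt-get -y purge ppp pppconfig pppoeconf

  echo "==> Removing other oddities"
  apt-get -y purge popularity-contest installation-report landscape-common wireless-tools wpasupplicant ubuntu-serverguide
  apt-get -y autoremove --purge
  apt-get -y autoclean
  apt-get -y clean

  apt-get -y install deborphan
  # Keep purging until deborphan reports nothing. Leave the loop when a purge
  # fails: the original re-listed the same orphans forever in that case.
  while orphans=$(deborphan --guess-all --libdevel) && [[ -n "$orphans" ]]; do
    printf '%s\n' "$orphans" | _purge_from_stdin || break
  done
  apt-get -y purge deborphan dialog
}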
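# Final image preparation: delete docs, caches, logs and shell history, reset
# the login records, then zero-fill free space and swap so the exported disk
# image compresses well.
# Outputs: progress banners on stdout plus dd's statistics.
# Returns: exits the script when blkid fails unexpectedly or a swap step
#          fails; otherwise the status of the final sync.
#
# NOTE(review): this erases /var/log/*.log, lastlog, wtmp, btmp and the shell
# histories. On a freshly built template that is housekeeping; on a machine
# that has seen real use those files are the audit trail, so the function
# should only ever run as the last step of an image build.
# NOTE(review): the zero fill is there to shrink the image. It is not a
# secure-erase guarantee for data previously written to the disk.
#
# Changes from the original:
#  * '*.log' is quoted, so the shell cannot expand it against the current
#    directory before find sees it.
#  * The fill file in /tmp gets a mktemp name instead of the fixed
#    /tmp/whitespace: a root process writing to a predictable name in a
#    world-writable directory can be redirected by a pre-planted link.
#  * The set +e / set -e pair is gone. It switched errexit on for the rest of
#    the script as a side effect; the swap steps now check their own status.
#  * dd is only pointed at the swap path after confirming it is a block
#    device.
cleanup() {
  local count fill swapuuid swappart rc

  rm -rf /usr/share/doc/*
  rm -rf /usr/share/man/*
  find /var/cache -type f -exec rm -f {} +
  find /var/log/ -name '*.log' -exec rm -f {} +
  unset HISTFILE
  rm -f /root/.bash_history
  rm -f /home/vic/.bash_history

  echo "==> Clearing last login information"
  : >/var/log/lastlog
  : >/var/log/wtmp
  : >/var/log/btmp

  # Whiteout root: write zeros over (free KiB - 1) blocks, then delete.
  count=$(df --sync -kP / | tail -n1 | awk -F ' ' '{print $4}')
  count=$((count - 1))
  if (( count > 0 )) && fill=$(mktemp /tmp/whitespace.XXXXXX); then
    dd if=/dev/zero of="$fill" bs=1024 count="$count"
    rm -f -- "$fill"
  fi

  # Whiteout /boot (writable by root only, so the fixed name is kept).
  count=$(df --sync -kP /boot | tail -n1 | awk -F ' ' '{print $4}')
  count=$((count - 1))
  if (( count > 0 )); then
    dd if=/dev/zero of=/boot/whitespace bs=1024 count="$count"
    rm -f /boot/whitespace
  fi

  echo '==> Clear out swap and disable until reboot'
  # The original accepted blkid exit statuses 0 and 2 and aborted on anything
  # else. Capture the status explicitly instead of toggling errexit.
  rc=0
  swapuuid=$(/sbin/blkid -o value -l -s UUID -t TYPE=swap) || rc=$?
  case "$rc" in
    2|0) ;;
    *) exit 1 ;;
  esac

  if [[ -n "$swapuuid" ]]; then
    # Whiteout the swap partition to reduce box size
    # Swap is disabled till reboot
    swappart=$(readlink -f "/dev/disk/by-uuid/${swapuuid}") || exit
    if [[ ! -b "$swappart" ]]; then
      echo "Swap path ${swappart} is not a block device; aborting" >&2
      exit 1
    fi
    # Stop here if swap cannot be turned off: zeroing an active swap device
    # would corrupt swapped-out memory.
    /sbin/swapoff "${swappart}" || exit
    # dd runs until the device is full and then reports an error by design.
    dd if=/dev/zero of="${swappart}" bs=1M || echo "dd exit code $? is suppressed"
    # Recreate the swap signature with the same UUID so references to it by
    # UUID keep working.
    /sbin/mkswap -U "${swapuuid}" "${swappart}" || exit
  fi

  # Fill whatever is still free on the root filesystem, then release it.
  dd if=/dev/zero of=/EMPTY bs=1M || echo "dd exit code $? is suppressed"
  rm -f /EMPTY
  sync
}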
# Run every provisioning step in order, then reboot.
# require_root goes first and exits the script itself when not run as root.
# The other steps are not chained on success: a step that returns non-zero
# does not prevent the following ones from running.
for step in \
  require_root \
  update_apt \
  install_prereqs \
  configure_sshd \
  configure_sudoers \
  configure_haveged \
  configure_docker \
  minimize \
  cleanup; do
  "$step"
done
reboot