baseline.sh revision 560e4f72
1#!/bin/bash
2
3# vim: ts=4 sw=4 sts=4 et tw=72 :
4
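rh_systems() {
    # Baseline a Red Hat family host: move SELinux one step closer to
    # enforcing, update the OS, install the base packages and make
    # OpenJDK 1.7.0 the default Java where it exists.
    # Globals:   SELINUX, MODE, FACTER_OS, FACTER_OSVER (written)
    # Arguments: none
    # Outputs:   progress banners on stdout
    # No exit status is checked below, so a failed step does not stop
    # the steps that follow it.

    # Handle the occurrence where SELinux is actually disabled: read the
    # configured mode from an exact SELINUX=<mode> line. If the file or
    # the line is missing, MODE is empty and no case arm runs.
    SELINUX=$(grep -E '^SELINUX=(disabled|permissive|enforcing)$' /etc/selinux/config)
    MODE=${SELINUX#*=}
    case "$MODE" in
        permissive)
            echo "************************************"
            echo "** SYSTEM ENTERING ENFORCING MODE **"
            echo "************************************"
            # make sure that the filesystem is properly labelled.
            # it could be not fully labeled correctly if it was just
            # switched from disabled, the autorelabel misses some things
            # skip relabelling on /dev as it will generally throw errors
            restorecon -R -e /dev /

            # enable enforcing mode from the very start
            setenforce enforcing

            # configure system for enforcing mode on next boot. The
            # pattern is anchored so that only the exact line matched by
            # the grep above is rewritten, never a commented-out copy or
            # a longer key that merely contains the same text.
            sed -i 's/^SELINUX=permissive$/SELINUX=enforcing/' /etc/selinux/config
        ;;
        disabled)
            # Do not jump from disabled to enforcing in one go: switch
            # the config to permissive and request a full relabel on the
            # next boot. A later run of this function then takes the
            # permissive arm above.
            sed -i 's/^SELINUX=disabled$/SELINUX=permissive/' /etc/selinux/config
            touch /.autorelabel

            echo "*******************************************"
            echo "** SYSTEM REQUIRES A RESTART FOR SELINUX **"
            echo "*******************************************"
        ;;
        enforcing)
            echo "*********************************"
            echo "** SYSTEM IS IN ENFORCING MODE **"
            echo "*********************************"
        ;;
    esac

    echo "---> Updating operating system"
    yum clean all -q
    yum install -y -q deltarpm
    yum update -y -q

    # add in components we need or want on systems
    echo "---> Installing base packages"
    # NOTE(review): epel-release is installed straight from a URL rather
    # than from a configured repository. Whether its signature is
    # verified depends on yum's localpkg_gpgcheck setting (confirm);
    # without it, integrity rests on the HTTPS transport alone.
    yum install -y -q @base https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
    # separate group installs from package installs since a non-existing
    # group with dnf based systems (F21+) will fail the install if such
    # a group does not exist
    yum install -y -q unzip xz puppet git perl-XML-XPath wget make

    # All of our systems require Java (because of Jenkins)
    # Install all versions of the OpenJDK devel but force 1.7.0 to be the
    # default
    # NOTE(review): OpenJDK 1.7.0 is an old release line; confirm it
    # still receives security updates on the target distributions before
    # keeping it as the default.

    echo "---> Configuring OpenJDK"
    yum install -y -q 'java-*-openjdk-devel'

    FACTER_OS=$(/usr/bin/facter operatingsystem)
    FACTER_OSVER=$(/usr/bin/facter operatingsystemrelease)
    # Fedora 21 and later are the only hosts left alone; every other
    # case, including older Fedora, gets 1.7.0 as the default. The
    # numeric test is only evaluated when the OS is Fedora.
    if [ "$FACTER_OS" = "Fedora" ] && [ "$FACTER_OSVER" -ge "21" ]
    then
        echo "---> not modifying java alternatives as OpenJDK 1.7.0 does not exist"
    else
        alternatives --set java /usr/lib/jvm/jre-1.7.0-openjdk.x86_64/bin/java
        alternatives --set java_sdk_openjdk /usr/lib/jvm/java-1.7.0-openjdk.x86_64
    fi
}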
79
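ubuntu_systems() {
    # Baseline an Ubuntu host: make apt non-interactive, update the OS,
    # install the base packages, install OpenJDK 7 and 8 with 7 as the
    # default, and switch off the periodic apt jobs.
    # Globals:   DEBIAN_FRONTEND (exported)
    # Arguments: none
    # Outputs:   progress banners on stdout; apt output is discarded
    # No exit status is checked below, so a failed step does not stop
    # the steps that follow it.

    # Ignore SELinux since slamming that onto Ubuntu leads to
    # frustration

    export DEBIAN_FRONTEND=noninteractive
    # These settings are appended to the system-wide apt.conf, so they
    # outlive this script and are appended again on every run. From then
    # on any apt-get run on the host may downgrade packages, remove
    # essential ones or change held ones without prompting.
    # NOTE(review): if that is only wanted while baselining, pass the
    # options per invocation with -o instead of persisting them.
    cat <<'EOF' >> /etc/apt/apt.conf
APT {
  Get {
    Assume-Yes "true";
    allow-change-held-packages "true";
    allow-downgrades "true";
    allow-remove-essential "true";
  };
};

Dpkg::Options {
  "--force-confdef";
  "--force-confold";
};

EOF

    echo "---> Updating operating system"
    apt-get update -qq > /dev/null
    apt-get upgrade -qq > /dev/null

    # add in stuff we know we need
    echo "---> Installing base packages"
    apt-get install -qq unzip xz-utils puppet git libxml-xpath-perl make wget > /dev/null

    # install Java 7
    echo "---> Configuring OpenJDK"
    apt-get install -qq openjdk-7-jdk > /dev/null

    # make jdk8 available
    # NOTE(review): this adds a third-party PPA as a package source, so
    # the host trusts whatever that archive publishes from here on.
    add-apt-repository -y ppa:openjdk-r/ppa > /dev/null
    apt-get update -qq > /dev/null
    # We need to force openjdk-8-jdk to install
    apt-get install -qq openjdk-8-jdk > /dev/null

    # make sure that we still default to openjdk 7
    update-alternatives --set java /usr/lib/jvm/java-7-openjdk-amd64/jre/bin/java
    update-alternatives --set javac /usr/lib/jvm/java-7-openjdk-amd64/bin/javac

    # disable unattended upgrades & daily updates
    # With these off, security fixes only reach the host when it is
    # updated by hand or rebuilt from a fresh image.
    echo '---> Disabling automatic daily upgrades'
    # -i and -e are given separately on purpose. GNU sed reads the
    # combined form "-ine" as -i with the backup suffix "ne", which
    # leaves a copy of the old settings in apt.conf.d as 10periodicne.
    # apt parses extensionless files there in sorted order, so that copy
    # would be read after 10periodic and put the "1" values back.
    sed -i -e 's/"1"/"0"/g' /etc/apt/apt.conf.d/10periodic
    echo 'APT::Periodic::Unattended-Upgrade "0";' >> /etc/apt/apt.conf.d/10periodic
}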
129
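all_systems() {
    # Steps shared by every distribution: install the sudoers drop-in
    # for the jenkins user and report the detected operating system.
    # Globals:   FACTER_OS (written)
    # Arguments: none
    # Outputs:   progress messages on stdout
    local sudoers_file=/etc/sudoers.d/89-jenkins-user-defaults

    # Allow jenkins access to update-alternatives command to switch java
    # version.
    # NOTE(review): the rule places no limit on the arguments, so the
    # jenkins account may run any update-alternatives operation as root
    # without a password. That is a broad grant for a build user;
    # consider listing only the exact "--set" invocations that are
    # needed. Also confirm the command really lives at this path on the
    # RH hosts, where rh_systems calls it as "alternatives".
    cat <<'EOF' >"$sudoers_file"
Defaults:jenkins !requiretty
jenkins ALL = NOPASSWD: /usr/bin/update-alternatives
EOF
    # Set the mode explicitly instead of inheriting it from the umask:
    # sudoers files are expected to be read-only and not writable by
    # group or others.
    chmod 0440 "$sudoers_file"

    # Do any Distro specific installations here
    echo "Checking distribution"
    FACTER_OS=$(/usr/bin/facter operatingsystem)
    case "$FACTER_OS" in
        *)
            # only the catch-all arm exists so far
            echo "---> $FACTER_OS found"
            echo "No extra steps for $FACTER_OS"
        ;;
    esac
}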
147
echo "---> Attempting to detect OS"
# upstream cloud images use the distro name as the initial user, but the
# check used here is only whether /etc/redhat-release exists. Any host
# without that file is treated as Ubuntu, so with this detection the
# catch-all arm of the case below is never selected.
if [ -e /etc/redhat-release ]
then
    ORIGIN=redhat
else
    ORIGIN=ubuntu
fi
#ORIGIN=$(logname)

# run the distribution-specific baseline
case "${ORIGIN}" in
    ubuntu)
        echo "---> Ubuntu system detected"
        ubuntu_systems
    ;;
    fedora|centos|redhat)
        echo "---> RH type system detected"
        rh_systems
    ;;
    *)
        echo "---> Unknown operating system"
    ;;
esac

# execute steps for all systems, whatever was detected above
all_systems

174