validate_yum

Makefile

@@ -1,5 +1,5 @@
 PACKER_BINARY ?= packer
-PACKER_VARIABLES := aws_region ami_name binary_bucket_name binary_bucket_region kubernetes_version kubernetes_build_date docker_version cni_version cni_plugin_version source_ami_id source_ami_owners arch instance_type
+PACKER_VARIABLES := aws_region ami_name binary_bucket_name binary_bucket_region kubernetes_version kubernetes_build_date docker_version cni_version cni_plugin_version source_ami_id source_ami_owners arch instance_type additional_yum_repos
 
 K8S_VERSION_PARTS := $(subst ., ,$(kubernetes_version))
 K8S_VERSION_MINOR := $(word 1,${K8S_VERSION_PARTS}).$(word 2,${K8S_VERSION_PARTS})
@@ -28,12 +28,12 @@ all: 1.11 1.12 1.13 1.14
 
 .PHONY: validate
 validate:
-	$(PACKER_BINARY) validate $(foreach packerVar,$(PACKER_VARIABLES), $(if $($(packerVar)),--var $(packerVar)=$($(packerVar)),)) eks-worker-al2.json
+	$(PACKER_BINARY) validate $(foreach packerVar,$(PACKER_VARIABLES), $(if $($(packerVar)),--var $(packerVar)='$($(packerVar))',)) eks-worker-al2.json
 
 .PHONY: k8s
 k8s: validate
 	@echo "$(T_GREEN)Building AMI for version $(T_YELLOW)$(kubernetes_version)$(T_GREEN) on $(T_YELLOW)$(arch)$(T_RESET)"
-	$(PACKER_BINARY) build $(foreach packerVar,$(PACKER_VARIABLES), $(if $($(packerVar)),--var $(packerVar)=$($(packerVar)),)) eks-worker-al2.json
+	$(PACKER_BINARY) build $(foreach packerVar,$(PACKER_VARIABLES), $(if $($(packerVar)),--var $(packerVar)='$($(packerVar))',)) eks-worker-al2.json
 
 # Build dates and versions taken from https://docs.aws.amazon.com/eks/latest/userguide/install-kubectl.html
 

eks-worker-al2.json

@@ -29,8 +29,9 @@
     "ssh_username": "ec2-user",
     "temporary_security_group_source_cidrs": "",
     "associate_public_ip_address": "",
-    "subnet_id": ""
+    "subnet_id": "",
 
+    "additional_yum_repos": ""
   },
 
   "builders": [
@@ -101,9 +102,16 @@
       "source": "{{template_dir}}/files/",
       "destination": "/tmp/worker/"
     },
+    {
+        "type": "shell",
+        "script": "{{template_dir}}/scripts/install_additional_repos.sh",
+        "environment_vars": [
+          "ADDITIONAL_YUM_REPOS={{user `additional_yum_repos`}}"
+        ]
+    },
     {
       "type": "shell",
-      "script": "{{template_dir}}/install-worker.sh",
+      "script": "{{template_dir}}/scripts/install-worker.sh",
       "environment_vars": [
         "KUBERNETES_VERSION={{user `kubernetes_version`}}",
         "KUBERNETES_BUILD_DATE={{user `kubernetes_build_date`}}",
@@ -116,6 +124,17 @@
         "AWS_SECRET_ACCESS_KEY={{user `aws_secret_access_key`}}",
         "AWS_SESSION_TOKEN={{user `aws_session_token`}}"
       ]
+    },
+    {
+      "type": "shell",
+      "script": "{{template_dir}}/scripts/cleanup_additional_repos.sh",
+      "environment_vars": [
+        "ADDITIONAL_YUM_REPOS={{user `additional_yum_repos`}}"
+      ]
+    },
+    {
+      "type": "shell",
+      "script": "{{template_dir}}/scripts/validate.sh"
     }
   ],
   "post-processors": [

scripts/cleanup_additional_repos.sh

@@ -0,0 +1,27 @@
+#!/usr/bin/env bash
+#
+# Clean up additional YUM repositories, typically used for security patches.
+# The format of ADDITIONAL_YUM_REPOS is: "repo=patches-repo,name=Install patches,baseurl=http://amazonlinux.$awsregion.$awsdomain/xxxx,priority=10"
+# Multiple yum repos can be specified, separated by ';'
+
+if [ -z "${ADDITIONAL_YUM_REPOS}" ]; then
+  echo "no additional yum repo, skipping"
+  exit 0
+fi
+
+
+AWK_CMD='
+BEGIN {RS=";";FS=","}
+{
+  delete vars; 
+  for(i = 1; i <= NF; ++i) { 
+    n = index($i, "="); 
+    if(n) { 
+      vars[substr($i, 1, n-1)] = substr($i, n + 1)
+    }
+  } 
+  Repo = "/etc/yum.repos.d/"vars["repo"]".repo"
+}
+{cmd="rm -f " Repo; system(cmd)}
+'
+sudo awk "$AWK_CMD" <<< "${ADDITIONAL_YUM_REPOS}"

scripts/install_additional_repos.sh

@@ -0,0 +1,37 @@
+#!/usr/bin/env bash
+#
+# Install additional YUM repositories, typically used for security patches.
+# The format of ADDITIONAL_YUM_REPOS is: "repo=patches-repo,name=Install patches,baseurl=http://amazonlinux.$awsregion.$awsdomain/xxxx,priority=10"
+# which will create the file '/etc/yum.repos.d/patches-repo.repo' having the following content:
+# ```
+# [patches-repo]
+# name=Install patches
+# baseurl=http://amazonlinux.$awsregion.$awsdomain/xxxx
+# priority=10
+# ```
+# Note that priority is optional, but the other parameters are required. Multiple yum repos can be specified, each one separated by ';'
+
+if [ -z "${ADDITIONAL_YUM_REPOS}" ]; then
+  echo "no additional yum repo, skipping"
+  exit 0
+fi
+
+
+AWK_CMD='
+BEGIN {RS=";";FS=","}
+{
+  delete vars; 
+  for(i = 1; i <= NF; ++i) { 
+    n = index($i, "="); 
+    if(n) { 
+      vars[substr($i, 1, n-1)] = substr($i, n + 1)
+    }
+  } 
+  Repo = "/etc/yum.repos.d/"vars["repo"]".repo"
+}
+{print "["vars["repo"]"]" > Repo}
+{print "name="vars["name"] > Repo}
+{print "baseurl="vars["baseurl"] > Repo}
+{if (length(vars["priority"]) != 0) print "priority="vars["priority"] > Repo}
+'
+sudo awk "$AWK_CMD" <<< "${ADDITIONAL_YUM_REPOS}"

scripts/validate.sh

@@ -0,0 +1,36 @@
+#!/usr/bin/env bash
+#
+# Do basic validation of the generated AMI
+
+# Validates that a file or blob doesn't exist
+#
+# Arguments:
+#   a file name or blob
+# Returns:
+#   1 if a file exists, after printing an error
+validate_file_nonexists() {
+  local file_blob=$1
+  for f in $file_blob; do
+    if [ -e "$f" ]; then
+      echo "$f shouldn't exists"
+      exit 1
+    fi
+  done
+}
+
+validate_file_nonexists '/etc/hostname'
+validate_file_nonexists '/etc/resolv.conf'
+validate_file_nonexists '/etc/ssh/ssh_host*'
+validate_file_nonexists '/home/ec2-user/.ssh/authorized_keys'
+validate_file_nonexists '/root/.ssh/authorized_keys'
+validate_file_nonexists '/var/lib/cloud/data'
+validate_file_nonexists '/var/lib/cloud/instance'
+validate_file_nonexists '/var/lib/cloud/instances'
+validate_file_nonexists '/var/lib/cloud/sem'
+validate_file_nonexists '/var/lib/dhclient/*'
+validate_file_nonexists '/var/lib/dhcp/dhclient.*'
+validate_file_nonexists '/var/lib/yum/history'
+validate_file_nonexists '/var/log/cloud-init-output.log'
+validate_file_nonexists '/var/log/cloud-init.log'
+validate_file_nonexists '/var/log/secure'
+validate_file_nonexists '/var/log/wtmp'