diff --git a/Makefile b/Makefile index 90467fa18..2a2fa3a8e 100644 --- a/Makefile +++ b/Makefile @@ -1,5 +1,5 @@ PACKER_BINARY ?= packer -PACKER_VARIABLES := aws_region ami_name binary_bucket_name binary_bucket_region kubernetes_version kubernetes_build_date docker_version cni_version cni_plugin_version source_ami_id source_ami_owners arch instance_type +PACKER_VARIABLES := aws_region ami_name binary_bucket_name binary_bucket_region kubernetes_version kubernetes_build_date docker_version cni_version cni_plugin_version source_ami_id source_ami_owners arch instance_type additional_yum_repos K8S_VERSION_PARTS := $(subst ., ,$(kubernetes_version)) K8S_VERSION_MINOR := $(word 1,${K8S_VERSION_PARTS}).$(word 2,${K8S_VERSION_PARTS}) @@ -28,12 +28,12 @@ all: 1.11 1.12 1.13 1.14 .PHONY: validate validate: - $(PACKER_BINARY) validate $(foreach packerVar,$(PACKER_VARIABLES), $(if $($(packerVar)),--var $(packerVar)=$($(packerVar)),)) eks-worker-al2.json + $(PACKER_BINARY) validate $(foreach packerVar,$(PACKER_VARIABLES), $(if $($(packerVar)),--var $(packerVar)='$($(packerVar))',)) eks-worker-al2.json .PHONY: k8s k8s: validate @echo "$(T_GREEN)Building AMI for version $(T_YELLOW)$(kubernetes_version)$(T_GREEN) on $(T_YELLOW)$(arch)$(T_RESET)" - $(PACKER_BINARY) build $(foreach packerVar,$(PACKER_VARIABLES), $(if $($(packerVar)),--var $(packerVar)=$($(packerVar)),)) eks-worker-al2.json + $(PACKER_BINARY) build $(foreach packerVar,$(PACKER_VARIABLES), $(if $($(packerVar)),--var $(packerVar)='$($(packerVar))',)) eks-worker-al2.json # Build dates and versions taken from https://docs.aws.amazon.com/eks/latest/userguide/install-kubectl.html diff --git a/eks-worker-al2.json b/eks-worker-al2.json index 86d0cb400..bf360d91e 100644 --- a/eks-worker-al2.json +++ b/eks-worker-al2.json @@ -29,8 +29,9 @@ "ssh_username": "ec2-user", "temporary_security_group_source_cidrs": "", "associate_public_ip_address": "", - "subnet_id": "" + "subnet_id": "", + "additional_yum_repos": "" }, "builders": [ @@ -101,9 +102,16 @@ "source": "{{template_dir}}/files/", "destination": "/tmp/worker/" }, + { + "type": "shell", + "script": "{{template_dir}}/scripts/install_additional_repos.sh", + "environment_vars": [ + "ADDITIONAL_YUM_REPOS={{user `additional_yum_repos`}}" + ] + }, { "type": "shell", - "script": "{{template_dir}}/install-worker.sh", + "script": "{{template_dir}}/scripts/install-worker.sh", "environment_vars": [ "KUBERNETES_VERSION={{user `kubernetes_version`}}", "KUBERNETES_BUILD_DATE={{user `kubernetes_build_date`}}", @@ -116,6 +124,17 @@ "AWS_SECRET_ACCESS_KEY={{user `aws_secret_access_key`}}", "AWS_SESSION_TOKEN={{user `aws_session_token`}}" ] + }, + { + "type": "shell", + "script": "{{template_dir}}/scripts/cleanup_additional_repos.sh", + "environment_vars": [ + "ADDITIONAL_YUM_REPOS={{user `additional_yum_repos`}}" + ] + }, + { + "type": "shell", + "script": "{{template_dir}}/scripts/validate.sh" } ], "post-processors": [ diff --git a/scripts/cleanup_additional_repos.sh b/scripts/cleanup_additional_repos.sh new file mode 100644 index 000000000..e2665b484 --- /dev/null +++ b/scripts/cleanup_additional_repos.sh @@ -0,0 +1,27 @@ +#!/usr/bin/env bash +# +# Clean up additional YUM repositories, typically used for security patches. +# The format of ADDITIONAL_YUM_REPOS is: "repo=patches-repo,name=Install patches,baseurl=http://amazonlinux.$awsregion.$awsdomain/xxxx,priority=10" +# Multiple yum repos can be specified, separated by ';' + +if [ -z "${ADDITIONAL_YUM_REPOS}" ]; then + echo "no additional yum repo, skipping" + exit 0 +fi + + +AWK_CMD=' +BEGIN {RS=";";FS=","} +{ + delete vars; + for(i = 1; i <= NF; ++i) { + n = index($i, "="); + if(n) { + vars[substr($i, 1, n-1)] = substr($i, n + 1) + } + } + Repo = "/etc/yum.repos.d/"vars["repo"]".repo" +} +{cmd="rm -f " Repo; system(cmd)} +' +sudo awk "$AWK_CMD" <<< "${ADDITIONAL_YUM_REPOS}" \ No newline at end of file diff --git a/install-worker.sh b/scripts/install-worker.sh similarity index 100% rename from install-worker.sh rename to scripts/install-worker.sh diff --git a/scripts/install_additional_repos.sh b/scripts/install_additional_repos.sh new file mode 100644 index 000000000..afe7efed2 --- /dev/null +++ b/scripts/install_additional_repos.sh @@ -0,0 +1,37 @@ +#!/usr/bin/env bash +# +# Install additional YUM repositories, typically used for security patches. +# The format of ADDITIONAL_YUM_REPOS is: "repo=patches-repo,name=Install patches,baseurl=http://amazonlinux.$awsregion.$awsdomain/xxxx,priority=10" +# which will create the file '/etc/yum.repos.d/patches-repo.repo' having the following content: +# ``` +# [patches-repo] +# name=Install patches +# baseurl=http://amazonlinux.$awsregion.$awsdomain/xxxx +# priority=10 +# ``` +# Note that priority is optional, but the other parameters are required. Multiple yum repos can be specified, each one separated by ';' + +if [ -z "${ADDITIONAL_YUM_REPOS}" ]; then + echo "no additional yum repo, skipping" + exit 0 +fi + + +AWK_CMD=' +BEGIN {RS=";";FS=","} +{ + delete vars; + for(i = 1; i <= NF; ++i) { + n = index($i, "="); + if(n) { + vars[substr($i, 1, n-1)] = substr($i, n + 1) + } + } + Repo = "/etc/yum.repos.d/"vars["repo"]".repo" +} +{print "["vars["repo"]"]" > Repo} +{print "name="vars["name"] > Repo} +{print "baseurl="vars["baseurl"] > Repo} +{if (length(vars["priority"]) != 0) print "priority="vars["priority"] > Repo} +' +sudo awk "$AWK_CMD" <<< "${ADDITIONAL_YUM_REPOS}" \ No newline at end of file diff --git a/scripts/validate.sh b/scripts/validate.sh new file mode 100644 index 000000000..cc6e22e8e --- /dev/null +++ b/scripts/validate.sh @@ -0,0 +1,36 @@ +#!/usr/bin/env bash +# +# Do basic validation of the generated AMI + +# Validates that a file or blob doesn't exist +# +# Arguments: +# a file name or blob +# Returns: +# 1 if a file exists, after printing an error +validate_file_nonexists() { + local file_blob=$1 + for f in $file_blob; do + if [ -e "$f" ]; then + echo "$f shouldn't exists" + exit 1 + fi + done +} + +validate_file_nonexists '/etc/hostname' +validate_file_nonexists '/etc/resolv.conf' +validate_file_nonexists '/etc/ssh/ssh_host*' +validate_file_nonexists '/home/ec2-user/.ssh/authorized_keys' +validate_file_nonexists '/root/.ssh/authorized_keys' +validate_file_nonexists '/var/lib/cloud/data' +validate_file_nonexists '/var/lib/cloud/instance' +validate_file_nonexists '/var/lib/cloud/instances' +validate_file_nonexists '/var/lib/cloud/sem' +validate_file_nonexists '/var/lib/dhclient/*' +validate_file_nonexists '/var/lib/dhcp/dhclient.*' +validate_file_nonexists '/var/lib/yum/history' +validate_file_nonexists '/var/log/cloud-init-output.log' +validate_file_nonexists '/var/log/cloud-init.log' +validate_file_nonexists '/var/log/secure' +validate_file_nonexists '/var/log/wtmp'