Configure an image deployed with MaaS to NHSCS spec for edu use.
WARNING: Do not use this script without modifying it for your environment, it is hard coded for NHSCS and WILL FAIL without modification.
We use a combination of Systemd and MaaS to build out our deployment.
- Enable Active Directory Authentication.
- Add the system to a ADDS domain.
- Define NTP server for ADDS use. (To stop time drift from breaking ADDS).
- Pull the ADDS join password from a webserver so that it isn't on GitHub.
- Configure sudoers to respect ADDS rights. (Sudo for users without endangering the system.)
- Configure pam.d to respect ADDS rights.
- Configure pam.d to allow ADDS users to create home directories.
- Add a service to run scripts to confirm the configuration of pam.d, realmd, systemd, and ADDS at boottime (to prevent an update from breaking ADDS).
- Configure local apt-cache location.
- Configure GDM3 to disable auto login.
- Configure GDM3 to request a username for login.
- Configure GDM3 login branding.
- Automatically define hostname based on time/random var.
- Generate and Pull a password from a webserver so that root isn't accessible.
This is a breakdown of how the config should apply, please note that the scripts are coded for an existing environment and may fail if they are run without modification. Please heed the warning at the top of this page.
Note: postinit.service, and postinit.sh must be included in your installer image for any of this to work. I'd recommend Cubic to modify the stock ubuntu installer. You must follow or modify the path provided by postinit.service.
At install time no configuration will occur, but postinit.sh will run. The first part of postinit.sh checks to determine if the script is running in an installer or not, and will not continue in an installer, but will exit cleanly. If you get an error during install check and make sure that postinit.service is activated, and that the files have correct unix syntax.
- Use cat to verify:
cat --vet ./<filepath.sh>
MaaS installs are automatically configured with a live user, so we don't need to worry about logging in, yet. Systemd starts our service before the Xserver, so depending on the speed of your system you may not see the desktop before a reboot is triggered. This is normal. Here are the steps that postinit.sh completes:
- Contacts GitHub without certificate verification and pulls postinstall.sh
- Contacts GitHub without certificate verification and pulls hw.service
- Enables hw.service so on next boot configuration continues.
- Log to the system that postinit.sh has completed
- Writes
pinit.checkwith a 1 so that when postinstall.sh runs it can determine the system's current deployment status.
This part of configuration is called HW (short for hello world), we do not consider the system live until this step has completed, hence why the section after this is called "Firstboot". Here are the steps that postinstall.sh completes:
- Creates base deployment dirs in
/etc/nhscs, /etc/nhscs/config, and /etc/nhscs/config/deploy - Creates storage dir for step 1:
.../config/firstboot - Contacts GitHub without certificate verification and pulls firstboot.sh placing the file in:
/etc/nhscs/config/deploy/firstboot. - Contacts GitHub without certificate verification and pulls firstboot.service placing the file in:
/etc/nhscs/config/deploy/firstboot. - Runs
chmod +xon the script to enable execution. - Enable the firstboot.serivce on startup.
- Runs daemon-reload.
- Creates storage dir for step 2:
.../config/secondboot - Contacts GitHub without certificate verification and pulls secondboot.sh placing the file in:
/etc/nhscs/config/deploy/secondboot. - Contacts GitHub without certificate verification and pulls secondboot.service placing the file in:
/etc/nhscs/config/deploy/secondboot. - Runs
chmod +xon the script to enable execution. - Enable the secondboot.serivce on startup.
- Runs daemon-reload.
- Creates storage dir for step 3:
.../config/thirdboot - Contacts GitHub without certificate verification and pulls thirdbootboot.sh placing the file in:
/etc/nhscs/config/deploy/thirdboot. - Contacts GitHub without certificate verification and pulls thirdbootboot.service placing the file in:
/etc/nhscs/config/deploy/thirdboot. - Runs
chmod +xon the script to enable execution. - Enable the thridbootboot.serivce on startup.
- Runs daemon-reload.
- Creates check files for every step in deployment.
mkdir .../config/checks/mkdir .../config/checks/fbp1.checkmkdir .../config/checks/fbp2.checkmkdir .../config/checks/fbp3.checkmkdir .../config/checks/hwch.check
- Creates storage dir for conf files.
mkdir .../config/files
- Creates storage dir for sudoers conf:
.../files/sudoers - Contacts GitHub without certificate verification and pulls sudoers placing the file in:
/etc/nhscs/config/files/sudoers. - Creates storage dir for pam.d conf:
.../files/pam.d - Contacts GitHub without certificate verification and pulls pam.d placing the file in:
/etc/nhscs/config/files/pam.d. - Creates storage dir for dconf files:
.../files/dconf - Contacts GitHub without certificate verification and pulls dconf placing the files in:
/etc/nhscs/config/files/dconf. - Creates storage dir for gdm3 conf:
.../files/gdm3 - Contacts GitHub without certificate verification and pulls gdm3 placing the file in:
/etc/nhscs/config/files/gdm3.
- Creates storage dir for our certificates:
.../files/telaforce - Contacts GitHub without certificate verification and pulls our certs placing the file in:
/etc/nhscs/config/files/telaforce.
- Log to the system that postinstall.sh has completed
- Writes
hwch.checkwith a 1 so that when firstboot.sh runs it can determine the system's current deployment status.
At this point in deployment we consider the system live, as all of our base configuration has taken place and we are now ready to start implementing the features we need.
Note: At this point the deployment will wait for network access before continuing, if the system can not bring up the network interface at this step, the deployment will hang. This is configured in the firstboot.service file and generally should be left alone. If you are certain that your interface will come up, but for some reason systemd is being stupid, you can remove this line.
Firstboot.sh completes the following steps, and then reboots the machine:
- Run a test against our
.checkfiles to determine current stage of deployment.
- Write the file
/etc/apt/apt.conf.d/01proxywith our apt-cache server. - Note: At this point if you do not modify the script, updating will fail as you're trying to hit a server that doesn't exist in your environment. Please heed the warning at the top of the page.
- Remove
ntp.conf - Rewrite
ntp.confwith our configuration as to ensure that time drift does not break ADDS. - Enable the NTP service on bootup.
- Import our certs into the local trusted store from our storage location.
- Log to the system that firstboot.sh has completed.
- Writes
firstboot.checkwith a 1 so that when secondboot.sh runs it can determine the system's current deployment status.
Secondboot is our primary configuration script, we are going to join our ADDS Domain, set our hostname, configure base sudo permissions, and configure respect for ADDS security groups.
Note: At this point the deployment will wait for network access before continuing, if the system can not bring up the network interface at this step, the deployment will hang. This is configured in the secondboot.service file and generally should be left alone. If you are certain that your interface will come up, but for some reason systemd is being stupid, you can remove this line.
Secondboot.sh completes the following steps, and then reboots the machine:
- Run a test against our
.checkfiles to determine current stage of deployment.
- Start the process to join the machine to ADDS.
- Generate a hostname based on the UUID of the system, and the date & time, storing it in a variable.
- Change the hostname to the generated hostname.
- Pull the domain join password from a server (to prevent publishing to GitHub).
- Install
realmdto provide authentication methods for ADDS. - Join the domain via realmd passing the hostname variable for computer name.
- Configure
realmdto permit login for the required groups.
- Configure sudoers to respect ADDS permissions for root and sudo access.
- Note: In this deployment our custom sudoers blocks access to some commands for specific user groups, but standard sudo access remains for local users, this is why we use a random password later on, we do not want local access on the system. In this deployment a system problem should be resolved with a reimage, not troubleshooting.
- Log to the system that secondboot.sh has completed.
- Writes
secondboot.checkwith a 1 so that when thirdboot.sh runs it can determine the system's current deployment status.
Thirdboot is the final configuration script we run. It finishes configuration and then cleans up the system so it's in a state ready for use.
Note: At this point the deployment will wait for network access before continuing, if the system can not bring up the network interface at this step, the deployment will hang. This is configured in the thirdboot.service file and generally should be left alone. If you are certain that your interface will come up, but for some reason systemd is being stupid, you can remove this line.
Thirdboot.sh completes the following steps, and then reboots the machine:
- Run a test against our
.checkfiles to determine current stage of deployment.
- Disable automatic login via dconf.
- Update the system
- Install required packages
- Open-VM-Tools
- Configure GDM3 to meet our requirements
- Add login text
- Require username every time
- Do not show last user
- Update the pam.d configuration to allow ADDS users to create home directories.
- Start Cleanup Phase
- Use
systemctlto disablehw.service - Use
systemctlto disablepostinit.service - Use
systemctlto disablefirstboot.service - Use
systemctlto disablesecondboot.service - Use
systemctlto disablethirdboot.service - Remove all service files from
/etc/systemd/system
- Remove MaaS created user account
- Add a local user with bash as their shell
- Make this user a member of the sudo group.
- Pull a password from the Password Tumbler and set the users password.
- Log to the system that thirdboot.sh has completed.
- Writes
thirdboot.checkwith a 1 so that when everyboot.sh runs it can determine the system's current deployment status.
Note: After this step network access is no longer a requirement, Everyboot does not check for network access at boot.
Everyboot.sh runs at boot time to replace the configuration files that may have been replaced by an update. Primary the sudoers and pam.d configuration.
- Run a test against our
.checkfiles to determine if deployment has completed or not.
- Replace
/etc/pam.d/common-sessionwith the backup copy from/etc/nhscs/config/files/pam.d/common-session - Replace
/etc/sudoers.d/01domainwith the backup copy from/etc/nhscs/config/files/sudoers/01domain
- Log to the system that everyboot.sh has completed.
