path: root/release/tools/gce.conf
#!/bin/sh
#
# $FreeBSD$
#

# Whitespace-separated list of packages the image build installs:
# the firstboot helpers (freebsd-update, pkgs, growfs), the Google
# Cloud SDK, the py-google-compute-engine port, sudo and panicmail.
export VM_EXTRA_PACKAGES="\
	firstboot-freebsd-update \
	firstboot-pkgs \
	google-cloud-sdk \
	panicmail \
	sudo \
	firstboot-growfs \
	sysutils/py-google-compute-engine"

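# Whitespace-separated list of rc(8) services to enable in the image's
# rc.conf(5): the firstboot helpers, ntpd, sshd and the google_* guest
# daemons.  Every continued line carries a trailing backslash so the
# value is one space-separated line rather than a mix of spaces and
# embedded newlines.
export VM_RC_LIST="google_accounts_manager ntpd sshd firstboot_growfs \
	firstboot_pkgs firstboot_freebsd_update google_startup \
	google_accounts_daemon google_clock_skew_daemon \
	google_instance_setup google_ip_forwarding_daemon \
	google_network_setup"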

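# Seed the image's resolver configuration while the base system is
# being installed into ${DESTDIR}; any resolv.conf left by the base
# install is replaced outright.  The GCE metadata server
# (169.254.169.254) is the primary resolver and is what makes the
# google.internal search domain usable.  8.8.8.8 is a public fallback:
# an instance whose metadata resolver is unreachable will send its
# DNS queries out to the public Internet instead of failing closed,
# which operators with strict egress requirements should be aware of.
# Returns 0 once the file is written.
vm_extra_install_base() {
	# An empty DESTDIR would rewrite the build host's own
	# /etc/resolv.conf; abort rather than touch the host.
	: "${DESTDIR:?vm_extra_install_base: DESTDIR is not set}"

	# One write instead of three appends; the quoted delimiter keeps
	# the content literal.
	cat <<'EOF' > "${DESTDIR}/etc/resolv.conf"
search google.internal
nameserver 169.254.169.254
nameserver 8.8.8.8
EOF
}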

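# Final configuration pass, run just before the build unmounts the
# image tree at ${DESTDIR}.  Appends to rc.conf, loader.conf,
# syslog.conf, sshd_config, crontab and sysctl.conf; replaces
# /etc/hosts and /etc/ntp.conf outright; creates the /firstboot marker
# that the firstboot_* rc scripts look for.  Every path is under
# DESTDIR, so DESTDIR must name the mounted image and never the build
# host's own root.  Returns 0.
vm_extra_pre_umount() {
	# Refuse to run with an empty DESTDIR: every write below would
	# otherwise land in the build host's own /etc and /boot.
	: "${DESTDIR:?vm_extra_pre_umount: DESTDIR is not set}"

	# rc.conf: crash dumps to the swap device, DHCP on the default
	# interface with GCE's 1460-byte MTU, clock step at ntpd start.
	# panicmail_autosubmit="YES" submits kernel panic reports off the
	# instance without asking; flip it to NO in a derived image if
	# panic contents may not leave the VM.
	cat <<'EOF' >> "${DESTDIR}/etc/rc.conf"
dumpdev="AUTO"
ifconfig_DEFAULT="SYNCDHCP mtu 1460"
ntpd_sync_on_start="YES"
# need to fill in something here
#firstboot_pkgs_list=""
panicmail_autosubmit="YES"
EOF

	# loader.conf: boot immediately with no menu or memory test,
	# serial console first (presumably so boot output reaches the GCE
	# serial port log), vtnet multiqueue off, ACPI-safe timecounter,
	# and the AES-NI and NVMe drivers preloaded.
	cat <<'EOF' >> "${DESTDIR}/boot/loader.conf"
autoboot_delay="-1"
beastie_disable="YES"
loader_logo="none"
hw.memtest.tests="0"
console="comconsole,vidconsole"
hw.vtnet.mq_disable=1
kern.timecounter.hardware=ACPI-safe
aesni_load="YES"
nvme_load="YES"
EOF

	# /etc/hosts is replaced, not appended: the metadata server is
	# the only static name the image needs before DNS is up.
	echo '169.254.169.254 metadata.google.internal metadata' > \
		"${DESTDIR}/etc/hosts"

	# ntp.conf is replaced outright.  Time comes only from the
	# metadata server; the default restrict lines refuse remote
	# modification, traps, unsolicited peering and status queries
	# (the mode-6/7 queries abused for NTP amplification), answering
	# abusive clients with kiss-o'-death.  Loopback and ntpd's local
	# clock driver address (127.127.1.0) are left unrestricted.
	cat <<'EOF' > "${DESTDIR}/etc/ntp.conf"
server metadata.google.internal iburst

restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery

restrict 127.0.0.1
restrict -6 ::1
restrict 127.127.1.0
EOF

	# syslog.conf: mirror errors, kernel warnings and auth notices to
	# the console so they show up in the serial log.
	# NOTE(review): the stock syslog.conf may already carry this exact
	# rule; if so these messages hit the console twice -- confirm
	# against the base file.
	cat <<'EOF' >> "${DESTDIR}/etc/syslog.conf"
*.err;kern.warning;auth.notice;mail.crit                /dev/console
EOF

	# sshd_config hardening.  sshd honours the first value it sees for
	# a keyword, so these appended lines only take effect when the
	# base sshd_config has not already set them uncommented.
	# The cipher list is restricted to AES-CTR: RC4 (arcfour*) is
	# broken, the CBC modes are subject to plaintext-recovery attacks,
	# and 3DES has a 64-bit block size.  AES-GCM and ChaCha20 may be
	# added if the base OpenSSH supports them.
	# ClientAliveInterval 420 probes an idle client every 7 minutes;
	# with the default ClientAliveCountMax of 3 an unresponsive
	# session is dropped after roughly 21 minutes.
	# NOTE(review): password logins are not explicitly disabled here;
	# whether they are possible depends on the base sshd_config's
	# PasswordAuthentication default -- confirm, since GCE instances
	# are normally expected to accept metadata-managed keys only.
	cat <<'EOF' >> "${DESTDIR}/etc/ssh/sshd_config"
ChallengeResponseAuthentication no
X11Forwarding no
AcceptEnv LANG
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
AllowAgentForwarding no
ClientAliveInterval 420
EOF

	# Nightly freebsd-update fetch at 03:00; "cron" only downloads
	# and mails root about pending updates, it does not install them.
	cat <<'EOF' >> "${DESTDIR}/etc/crontab"
0       3       *       *       *       root    /usr/sbin/freebsd-update cron
EOF

	# sysctl.conf: ignore and never emit ICMP redirects, drop packets
	# to closed TCP/UDP ports without RST/ICMP replies, a larger listen
	# backlog, and on panic print a stack trace instead of dropping
	# into the debugger (which would hang a headless VM).
	cat <<'EOF' >> "${DESTDIR}/etc/sysctl.conf"
net.inet.icmp.drop_redirect=1
net.inet.ip.redirect=0
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1
kern.ipc.somaxconn=1024
debug.trace_on_panic=1
debug.debugger_on_panic=0
EOF

	## XXX: Verify this is needed.  I do not see this requirement
	## in the docs, and it impairs the ability to boot-test a copy
	## of the image prior to packaging for upload to GCE.
	#sed -E -i '' 's/^([^#].*[[:space:]])on/\1off/' ${DESTDIR}/etc/ttys

	# Marker consumed by the firstboot rc scripts on the image's first
	# boot.
	touch "${DESTDIR}/firstboot"

	return 0
}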