XEN/PVH - Sabotage Linux

Requirements

build it yourself or grab some stage2 aka core

cd /data/kernels/
wget http://ftp.barfooze.de/pub/sabotage/sabotage-1.1.24-x86_64-rootfs-core-1f74666.tar.xz
ls -lhF *.tar.xz # 50M

Virtual disk

cd /data/guests/
mkdir -p sg/lala/
cd sg/

sparse file right below the 8589934591 bytes limit for tar and ustar formats: 8192 - 1 MiB

dd if=/dev/zero of=sg.reiser4 bs=1M count=0 seek=8191

REISER4

#or even better, just one block of 4K behind
# 8589934591 - 4096
#dd if=/dev/zero of=sg.reiser4 bs=8589930496 count=0 seek=1

mkfs.reiser4 -fy sg.reiser4
mkdir lala/
mount sg.reiser4 lala/

–or– EXT4

dd if=/dev/zero of=sg.ext4 bs=1M count=0 seek=8191
mkfs.ext4 sg.ext4
#dumpe2fs sg.ext4 | grep features
#tune2fs -O ^metadata_csum sg.ext4
mount sg.ext4 lala/

Bootstrap

tar xaf /data/kernels/sabotage-1.1.24-x86_64-rootfs-core-1f74666.tar.xz
mv sabotage-rootfs-core-1f74666/rootfs/* lala/
rmdir sabotage-rootfs-core-1f74666/rootfs/
vi lala/etc/fstab

/dev/xvda1             /             reiser4   defaults            0      1
#/dev/xvda1             /             ext4  defaults            0      1

cp -R lala/etc/service/ttyS0/ lala/etc/service/hvc0/
vi lala/etc/service/hvc0/run

exec getty -L 38400 hvc0 xterm
#linux

assuming some XEN DomU-capable kernel in da place. otherwise grab our kernel builds.

mkdir lala/lib/modules/
tar xzf /data/kernels/5.2.21.domureiser4.modules.tar.gz -C lala/lib/modules/

remove hwclock and that hotplug thing line 23

cp -pi lala/etc/rc.boot lala/etc/rc.boot.dist
vi lala/etc/rc.boot

(remove hwclock)
#echo /sbin/mdev > /proc/sys/kernel/hotplug
(get rid of the `/tmp/` write-test condition right after rw=true)

cp -pi lala/etc/rc.shutdown lala/etc/rc.shutdown.dist
vi lala/etc/rc.shutdown

(remove hwclock there also)

echo modprobe tmem > lala/etc/rc.modules
chmod +x lala/etc/rc.modules

cp -pi lala/etc/rc.local lala/etc/rc.local.dist
vi lala/etc/rc.local

    do_static_ip=true

    if=eth0
    ip=x.x.x.x
    nm=255.255.255.0
    gw=x.x.x.x

    cp -pi lala/etc/profile lala/etc/profile.dist
    vi lala/etc/profile

    TZ="Europe/Moscow"
    #TZ="Europe/Paris"

case "$-" in *i*)
    alias ll='ls --group-directories-first -alhF --color=auto'
    alias cp='cp -i'
    alias mv='mv -i'
    alias rm='rm -i'
    ;;
esac

du -sh lala/
# v1.1.19 reiser4 454M / ext4 174M
# v1.1.24 ext4 293M

rm -f lala/root/.ash_history

default password is sabotage but that’s already too complicated to remember

ls -lhF lala/etc/shadow
cp -pi lala/etc/shadow lala/etc/shadow.dist
chroot lala/ passwd -d root
diff -bu lala/etc/shadow.dist lala/etc/shadow

#mv lala/etc/shadow lala/etc/shadow.dist
#echo root:*:15082:0::::: > lala/etc/shadow
#chmod 400 lala/etc/shadow

no need for RSA host key and enable the daemon at boot-time

ls -lF lala/var/service/openssh
ls -alF lala/var/service/openssh/
vi lala/var/service/openssh/run

(comment out the rsa line)

    ls -lF lala/var/service/openssh/down
    rm -f lala/var/service/openssh/down

further tune SSHD

vi lala/etc/ssh/sshd_config

(remove rsa host key)
(remove UsePrivilegeSeparation)
X11Forwarding no

and you’re done

umount lala/
rmdir lala/

Skeleton

assuming a domU kernel, as stated above

ls -lhF /data/kernels/*vmlinuz*
vi sg

INTERNAL NETWORK br0

kernel = "/data/kernels/5.2.21.domureiser4.vmlinuz"
root = "/dev/xvda1 ro console=hvc0 mitigations=off"
name = "sg"
vcpus = 3
maxvcpus = 8
memory = 7168
disk = ['tap:tapdisk:aio:/root/guests/sg/sg.reiser4,xvda1,w']
vif = [ 'bridge=br0, vifname=sg.0' ]
type = "pvh"

#extra = "init=/bin/mksh"
#disk = ['tap:tapdisk:aio:/data/guests/sg/sg.ext4,xvda1,w']
#disk = ['phy:/dev/vdisks/thin1,xvda1,w']

xl create sg -c

lsmod | grep tmem
free -m

System preparation

post-installation

check connection

ping -c3 opendns.com

eventually mount the system read-write

mount
mount -o remount,rw /
#-n

chose packages are already there with the v1.1.24 core?

#butch search ksh
#butch install mksh
#butch install openssh
#butch install htop

ln -s mksh /bin/ksh

install a few packages

butch search ...
butch install ...

re-enable some services e.g.

butch-install-service openssh /var/service/openssh/run
rm -f /var/service/openssh/down

and eventually further tune your environment and MKSH shell

or just make a template out of it

sync
rm -f .ash_history
^]

xl shu sg
cd ../
newtemplate.bash sg

Ready to go

You’re now ready to reboot and switch to read-only mode.

reboot

your system should be read-only but /var/ and /tmp/

mount
ps auxfww | grep ssh

Alternative – just a chroot

in case you just want a chroot instead of a XEN guest

mkdir lala/
mount sg.ext4 lala/
    mount -o bind /dev/ lala/dev/
    mount -o bind /dev/pts/ lala/dev/pts/
    mount -o bind /proc/ lala/proc/
    mount -o bind /sys/ lala/sys/
chroot lala/ /bin/mksh

and once you’re done

umount -R lala/

Additional notes

generate some host keys otherwise the daemon won’t start

ssh-keygen -q -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -C "root@sg" -N ""

TODO

fix that

/etc/rc.boot: line 23: can't create /proc/sys/kernel/hotplug: nonexistent directory

Additional notes

To create a user, it’s a bit specific.

adduser -s /bin/sh -G GROUPNAME -D USERNAME
# -D              Don't assign a password
chmod 700 /home/USERNAME/

Troubleshooting

/etc/ssh/sshd_config line 6: Deprecated option UsePrivilegeSeparation

==> remove that useless line

Deprecated

Subsystem sftp /opt/openssh/lib/ssh/sftp-server

Resources

Index of /sabotage/ http://mirrors.2f30.org/sabotage/

Index of /pub/sabotage/ http://ftp.barfooze.de/pub/sabotage/

Runit tools in busybox - up to the task? https://busybox.net/kill_it_with_fire.txt


GUIDES | LECTURES | BENCHMARKS | SMTP HEALTH