From b4cf2550ac50eb1cc3ae604edf907285fc0d816e Mon Sep 17 00:00:00 2001
From: Sam Rose
Date: Mon, 19 Jan 2026 14:27:47 +0700
Subject: [PATCH 01/11] feat: reduce attack surface
---
ansible/tasks/clean-build-dependencies.yml | 38 ++++++++++++++++++++++
1 file changed, 38 insertions(+)
diff --git a/ansible/tasks/clean-build-dependencies.yml b/ansible/tasks/clean-build-dependencies.yml
index 567398f5f..af70d4d7a 100644
--- a/ansible/tasks/clean-build-dependencies.yml
+++ b/ansible/tasks/clean-build-dependencies.yml
@@ -19,3 +19,41 @@
- patch
- python2
state: 'absent'
+
+# Security hardening: remove packages that increase attack surface
+# - Compiler toolchain enables local exploit compilation
+# - Dev packages provide headers for building exploits
+# - salt-minion is a remote management agent (large attack surface)
+# - sshpass stores credentials in plaintext
+- name: Remove high-security-risk packages
+ ansible.builtin.apt:
+ autoremove: true
+ pkg:
+ # Compiler toolchain
+ - binutils
+ - binutils-aarch64-linux-gnu
+ - binutils-common
+ - gcc-14-base
+ # Dev/header packages
+ - libc6-dev
+ - libcrypt-dev
+ - libevent-dev
+ - libpcre3-dev
+ - libssl-dev
+ - libsystemd-dev
+ - linux-headers-aws
+ - linux-libc-dev
+ - pkg-config
+ - pkgconf
+ - pkgconf-bin
+ - rpcsvc-proto
+ - systemd-dev
+ - zlib1g-dev
+ # Remote management (if not used)
+ - salt-minion
+ - salt-common
+ # Credential handling
+ - sshpass
+ # Build tool leftovers
+ - ansible-core
+ state: 'absent'
From 733a64f274a24c35ca9d095ff06b8fc3cd09140d Mon Sep 17 00:00:00 2001
From: Sam Rose
Date: Mon, 19 Jan 2026 14:58:07 +0700
Subject: [PATCH 02/11] fix: gcc-14-base is just shared files used by runtime libs, not compiler, and is required
---
ansible/tasks/clean-build-dependencies.yml | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/ansible/tasks/clean-build-dependencies.yml b/ansible/tasks/clean-build-dependencies.yml
index af70d4d7a..bc057c28f 100644
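Review bot: `state: 'absent'` on the new task removes package files but leaves each package's conffiles behind, so whatever salt-minion, salt-common and the other listed packages keep under /etc (and any minion identity or cached credentials the agent wrote, if it ever ran on the build host — not visible here) stays in the image; add `purge: true` beside `state: 'absent'` so the removal matches the hardening intent. The `# Remote management (if not used)` comment leaves a deployment decision to whoever edits the list; gate the two salt entries on a play variable with `when:` instead. The header comment should also say that `autoremove: true` drops anything only these packages depended on, since that cascade is the behaviour the task is relying on.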
--- a/ansible/tasks/clean-build-dependencies.yml
+++ b/ansible/tasks/clean-build-dependencies.yml
@@ -29,11 +29,10 @@
ansible.builtin.apt:
autoremove: true
pkg:
- # Compiler toolchain
+ # Compiler toolchain (gcc-14-base kept - libgcc-s1 runtime depends on it)
- binutils
- binutils-aarch64-linux-gnu
- binutils-common
- - gcc-14-base
# Dev/header packages
- libc6-dev
- libcrypt-dev
From f35939655c8e0a797537d3929ce787e532c92d0a Mon Sep 17 00:00:00 2001
From: Sam Rose
Date: Fri, 30 Jan 2026 10:32:17 -0500
Subject: [PATCH 03/11] fix: bypass need for add-apt-repository since it's gone by this point
---
scripts/90-cleanup-qemu.sh | 4 +++-
scripts/90-cleanup.sh | 4 +++-
2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/scripts/90-cleanup-qemu.sh b/scripts/90-cleanup-qemu.sh
index e6a585001..3e055561b 100644
--- a/scripts/90-cleanup-qemu.sh
+++ b/scripts/90-cleanup-qemu.sh
@@ -38,7 +38,9 @@ elif [ -n "$(command -v apt-get)" ]; then
ansible \
snapd
- add-apt-repository --yes --remove ppa:ansible/ansible
+ # Remove ansible PPA directly (software-properties-common may not be installed)
+ rm -f /etc/apt/sources.list.d/ansible-ubuntu-ansible-*.list \
+ /etc/apt/sources.list.d/ansible-ubuntu-ansible-*.sources 2>/dev/null || true
source /etc/os-release
diff --git a/scripts/90-cleanup.sh b/scripts/90-cleanup.sh
index 644e5f7f6..eaa338f14 100644
--- a/scripts/90-cleanup.sh
+++ b/scripts/90-cleanup.sh
@@ -36,7 +36,9 @@ elif [ -n "$(command -v apt-get)" ]; then
libgcc-9-dev \
ansible
- add-apt-repository --yes --remove ppa:ansible/ansible
+ # Remove ansible PPA directly (software-properties-common may not be installed)
+ rm -f /etc/apt/sources.list.d/ansible-ubuntu-ansible-*.list \
+ /etc/apt/sources.list.d/ansible-ubuntu-ansible-*.sources 2>/dev/null || true
source /etc/os-release
From 1af23d0172f8298c9c559d9ddb0d0efc3191546f Mon Sep 17 00:00:00 2001
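Review bot: Deleting the PPA's `.list`/`.sources` files does not withdraw its signing key: if `add-apt-repository` stored it as a keyring under `/etc/apt/trusted.gpg.d/` (the legacy layout, as opposed to an inline `Signed-By` block in a `.sources` file), that key stays trusted by apt for every configured repository, which is wider than the PPA removal intends — check the build host and remove the keyring too, e.g. `rm -f /etc/apt/trusted.gpg.d/<ansible-ppa-keyring>.gpg` with the real filename filled in. The same lines are added to `scripts/90-cleanup.sh` in this commit. `rm -f` already tolerates missing files and unmatched globs, so `2>/dev/null || true` only hides a genuine failure such as a read-only filesystem; drop the suffix. An `apt-get update` after the removal keeps the cached lists from still referencing the deleted source.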
From: Sam Rose
Date: Sat, 31 Jan 2026 16:46:21 -0500
Subject: [PATCH 04/11] fix: do not remove ssh
---
ansible/tasks/clean-build-dependencies.yml | 17 ++++++++++++++++-
scripts/90-cleanup-qemu.sh | 7 +++++++
scripts/90-cleanup.sh | 9 ++++++++-
3 files changed, 31 insertions(+), 2 deletions(-)
diff --git a/ansible/tasks/clean-build-dependencies.yml b/ansible/tasks/clean-build-dependencies.yml
index bc057c28f..0c73209b6 100644
--- a/ansible/tasks/clean-build-dependencies.yml
+++ b/ansible/tasks/clean-build-dependencies.yml
@@ -1,3 +1,10 @@
+# Protect packages that SSH and cloud-init depend on from autoremove
+# These must be marked as manually installed BEFORE any autoremove runs
+- name: Mark SSH and cloud-init dependencies as manually installed
+ ansible.builtin.shell: |
+ apt-mark manual openssh-server cloud-init python3-systemd python3-jinja2 python3-yaml python3-oauthlib python3-configobj || true
+ changed_when: false
+
- name: Remove build dependencies
ansible.builtin.apt:
autoremove: true
@@ -25,9 +32,10 @@
# - Dev packages provide headers for building exploits
# - salt-minion is a remote management agent (large attack surface)
# - sshpass stores credentials in plaintext
+# NOTE: autoremove disabled here to prevent cascading removal of cloud-init deps
- name: Remove high-security-risk packages
ansible.builtin.apt:
- autoremove: true
+ autoremove: false
pkg:
# Compiler toolchain (gcc-14-base kept - libgcc-s1 runtime depends on it)
- binutils
@@ -56,3 +64,10 @@
# Build tool leftovers
- ansible-core
state: 'absent'
+
+# Run a final autoremove to clean up any remaining orphaned packages
+# This runs after apt-mark manual, so cloud-init deps are protected
+- name: Clean up orphaned packages
+ ansible.builtin.apt:
+ autoremove: true
+ changed_when: false
diff --git a/scripts/90-cleanup-qemu.sh b/scripts/90-cleanup-qemu.sh
index 3e055561b..27784aa95 100644
--- a/scripts/90-cleanup-qemu.sh
+++ b/scripts/90-cleanup-qemu.sh
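Review bot: The `|| true` inside the new `ansible.builtin.shell` task defeats the task's purpose: if `apt-mark` fails (a name unknown on this image, an apt lock held), the task still reports ok and the `Clean up orphaned packages` task in the third hunk runs its autoremove anyway; the same `|| true` is on the `apt-mark manual` lines this commit adds to `scripts/90-cleanup-qemu.sh` and `scripts/90-cleanup.sh`. A single command does not need `shell: |`; use `ansible.builtin.command: apt-mark manual openssh-server cloud-init python3-systemd python3-jinja2 python3-yaml python3-oauthlib python3-configobj` without the suffix so a failed mark stops the play before anything is removed. If some names are legitimately absent on some images, run the mark per package with `loop:` and judge each result instead of ignoring the exit status wholesale. `changed_when: false` on the final autoremove task also hides real package removals from the play recap; let it report changes.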
@@ -44,8 +44,15 @@ elif [ -n "$(command -v apt-get)" ]; then
source /etc/os-release
+ # Protect critical runtime packages from autoremove
apt-mark manual libevent-2.1-7t64
+ # Protect SSH and cloud-init dependencies from autoremove
+ # Without these, the image won't be accessible via SSH after boot
+ apt-mark manual openssh-server cloud-init python3-systemd python3-jinja2 \
+ python3-yaml python3-oauthlib python3-configobj python3-requests \
+ python3-urllib3 python3-certifi python3-chardet python3-idna || true
+
apt-get remove -y --purge ansible-core apport appstream bash-completion bcache-tools bind9-dnsutils bind9-host bind9-libs bolt btrfs-progs byobu command-not-found console-setup distro-info eject fonts-ubuntu-console friendly-recovery ftp fwupd gawk gdisk keyboard-configuration libvolume-key1 libssl-dev lvm2 lxd-agent-loader man-db mdadm modemmanager mtd-utils nano netcat-openbsd nfs-common ntfs-3g parted pastebinit screen strace thin-provisioning-tools tmux usb-modeswitch vim vim-runtime wget whiptail xfsprogs
apt remove -y --purge libc6-dev linux-libc-dev libevent-dev libpcre3-dev libsystemd-dev packagekit multipath-tools unattended-upgrades plymouth gnupg open-vm-tools xauth lxd-installer publicsuffix libclang-cpp18 python3-twisted python-babel-localedata libicu74 python3-pygments fonts-dejavu* python3-botocore
diff --git a/scripts/90-cleanup.sh b/scripts/90-cleanup.sh
index eaa338f14..bac852e4a 100644
--- a/scripts/90-cleanup.sh
+++ b/scripts/90-cleanup.sh
@@ -41,9 +41,16 @@ elif [ -n "$(command -v apt-get)" ]; then
/etc/apt/sources.list.d/ansible-ubuntu-ansible-*.sources 2>/dev/null || true
source /etc/os-release
-
+
apt-get -y update
apt-get -y upgrade
+
+ # Protect SSH and cloud-init dependencies from autoremove
+ # Without these, the AMI won't be accessible via SSH after boot
+ apt-mark manual openssh-server cloud-init python3-systemd python3-jinja2 \
+ python3-yaml python3-oauthlib python3-configobj python3-requests \
+ python3-urllib3 python3-certifi python3-chardet python3-idna || true
+
apt-get -y autoremove
apt-get -y autoclean
fi
From 7ad787d59195f82ffb5eb3151214137a512e6fe2 Mon Sep 17 00:00:00 2001
From: Sam Rose
Date: Sat, 31 Jan 2026 20:09:17 -0500
Subject: [PATCH 05/11] fix: rm all autoremove true
---
ansible/tasks/clean-build-dependencies.yml | 19 ++++---------------
1 file changed, 4 insertions(+), 15 deletions(-)
diff --git a/ansible/tasks/clean-build-dependencies.yml b/ansible/tasks/clean-build-dependencies.yml
index 0c73209b6..3555b859c 100644
--- a/ansible/tasks/clean-build-dependencies.yml
+++ b/ansible/tasks/clean-build-dependencies.yml
@@ -1,13 +1,10 @@
-# Protect packages that SSH and cloud-init depend on from autoremove
-# These must be marked as manually installed BEFORE any autoremove runs
-- name: Mark SSH and cloud-init dependencies as manually installed
- ansible.builtin.shell: |
- apt-mark manual openssh-server cloud-init python3-systemd python3-jinja2 python3-yaml python3-oauthlib python3-configobj || true
- changed_when: false
+# IMPORTANT: Do NOT use autoremove: true in these tasks!
+# Autoremove causes cascading removal of cloud-init and breaks SSH on the AMI.
+# Autoremove is handled safely in 90-cleanup.sh after apt-mark protection.
- name: Remove build dependencies
ansible.builtin.apt:
- autoremove: true
+ autoremove: false
pkg:
- bison
- build-essential
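Review bot: The new header comment points readers at 90-cleanup.sh only, but in this series the same autoremove and apt-mark sequence also lives in `scripts/90-cleanup-qemu.sh`, so the QEMU image's protection is left undocumented here; suggest `# Autoremove is handled in scripts/90-cleanup.sh and scripts/90-cleanup-qemu.sh after apt-mark protection.` The comment also states that autoremove *causes* the cloud-init removal, which reads as a symptom — cloud-init is presumably only reachable through auto-installed dependencies once the build packages go — and a one-line note to that effect would stop the next person from re-enabling it as a "fix". `autoremove: false` is the module default, so keeping it explicit is fine; a `# explicit on purpose, see header` beside each occurrence keeps the intent from being tidied away by a linter.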
@@ -32,7 +29,6 @@
# - Dev packages provide headers for building exploits
# - salt-minion is a remote management agent (large attack surface)
# - sshpass stores credentials in plaintext
-# NOTE: autoremove disabled here to prevent cascading removal of cloud-init deps
- name: Remove high-security-risk packages
ansible.builtin.apt:
autoremove: false
@@ -64,10 +60,3 @@
# Build tool leftovers
- ansible-core
state: 'absent'
-
-# Run a final autoremove to clean up any remaining orphaned packages
-# This runs after apt-mark manual, so cloud-init deps are protected
-- name: Clean up orphaned packages
- ansible.builtin.apt:
- autoremove: true
- changed_when: false
From 471933cfb933f78ab23d2cc29523391e13865f95 Mon Sep 17 00:00:00 2001
From: Sam Rose
Date: Sat, 31 Jan 2026 21:11:48 -0500
Subject: [PATCH 06/11] fix: explicitly reinstall cloud-init and openssh-server before autoremove cloud-init was being removed during Ansible package cleanup despite autoremove being disabled. Rather than debug further, explicitly reinstall both critical packages before apt-mark and autoremove.
---
scripts/90-cleanup-qemu.sh | 4 ++++
scripts/90-cleanup.sh | 4 ++++
2 files changed, 8 insertions(+)
diff --git a/scripts/90-cleanup-qemu.sh b/scripts/90-cleanup-qemu.sh
index 27784aa95..116d515cb 100644
--- a/scripts/90-cleanup-qemu.sh
+++ b/scripts/90-cleanup-qemu.sh
@@ -47,6 +47,10 @@ elif [ -n "$(command -v apt-get)" ]; then
# Protect critical runtime packages from autoremove
apt-mark manual libevent-2.1-7t64
+ # Ensure cloud-init and openssh-server are installed
+ # They may have been removed as dependencies during package cleanup
+ apt-get -y install --no-install-recommends cloud-init openssh-server
+
# Protect SSH and cloud-init dependencies from autoremove
# Without these, the image won't be accessible via SSH after boot
apt-mark manual openssh-server cloud-init python3-systemd python3-jinja2 \
diff --git a/scripts/90-cleanup.sh b/scripts/90-cleanup.sh
index bac852e4a..55716827d 100644
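Review bot: Reinstalling openssh-server here most likely regenerates host keys through its postinst, so the later `rm -f /etc/ssh/*key*` step has to stay after this point — it does in `scripts/90-cleanup.sh` (visible as context in the next commit), but the QEMU script's key-removal step is outside this hunk; confirm its order. The same block is added to `scripts/90-cleanup.sh` in this commit. The commit message records that the removal path was not found; a comment on the install line should say what it actually buys — `apt-get install` also marks both packages manual, so the `apt-mark manual` that follows only matters for the python3-* dependencies — e.g. `# also flips both packages to manually-installed; the apt-mark below covers their python deps`. If the intent is to fail loudly when they have gone missing rather than quietly put them back, `dpkg -s cloud-init openssh-server >/dev/null` before the install aborts the build under `set -o errexit` with a clear cause.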
--- a/scripts/90-cleanup.sh
+++ b/scripts/90-cleanup.sh
@@ -45,6 +45,10 @@ elif [ -n "$(command -v apt-get)" ]; then
apt-get -y update
apt-get -y upgrade
+ # Ensure cloud-init and openssh-server are installed
+ # They may have been removed as dependencies during package cleanup
+ apt-get -y install --no-install-recommends cloud-init openssh-server
+
# Protect SSH and cloud-init dependencies from autoremove
# Without these, the AMI won't be accessible via SSH after boot
apt-mark manual openssh-server cloud-init python3-systemd python3-jinja2 \
From 9d56a79fb5d66e42e979996d979813e0de20b969 Mon Sep 17 00:00:00 2001
From: Sam Rose
Date: Sun, 1 Feb 2026 09:15:11 -0500
Subject: [PATCH 07/11] fix: align 90-cleanup.sh with 90-cleanup-qemu.sh for SSH stability Key changes: - Set multi-user.target as default boot target to prevent graphical boot issues - Move apt-get update/upgrade to after autoremove (matching qemu script order) - Protect libevent-2.1-7t64 from autoremove (needed by PgBouncer) - Add journalctl cleanup commands for proper log rotation - Add fstrim at end to optimize disk These changes align the AWS AMI cleanup script with the QEMU cleanup script which has been working. The most critical fix is setting multi-user.target as default, which ensures the system boots properly for SSH access.
---
scripts/90-cleanup.sh | 23 ++++++++++++++++++++---
1 file changed, 20 insertions(+), 3 deletions(-)
diff --git a/scripts/90-cleanup.sh b/scripts/90-cleanup.sh
index 55716827d..3164b1348 100644
--- a/scripts/90-cleanup.sh
+++ b/scripts/90-cleanup.sh
@@ -42,8 +42,8 @@ elif [ -n "$(command -v apt-get)" ]; then
source /etc/os-release
- apt-get -y update
- apt-get -y upgrade
+ # Protect critical runtime packages from autoremove
+ apt-mark manual libevent-2.1-7t64
# Ensure cloud-init and openssh-server are installed
# They may have been removed as dependencies during package cleanup
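Review bot: With `apt-get -y update` moved to after the autoremove (next hunk), the `apt-get -y install --no-install-recommends cloud-init openssh-server` that follows this hunk now runs against whatever package lists the image has at that moment; if an earlier step emptied `/var/lib/apt/lists`, the install fails and `set -o errexit` aborts the build — confirm the list state, or keep an `apt-get -y update` immediately before the install. `apt-mark manual libevent-2.1-7t64` pins one SONAME package with no record of who needs it; the commit message says PgBouncer, so put that on the line: `# libevent-2.1-7t64: needed at runtime by PgBouncer, keep it out of autoremove`. The enclosing `elif` block starts outside the hunk.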
@@ -57,11 +57,24 @@ elif [ -n "$(command -v apt-get)" ]; then
apt-get -y autoremove
apt-get -y autoclean
+
+ apt-get -y update
+ apt-get -y upgrade
fi
+
+# Set multi-user target (non-graphical) as default
+systemctl set-default multi-user.target
+systemctl disable getty@tty1.service
+systemctl mask getty@tty1.service
+systemctl mask graphical.target
+
rm -rf /tmp/* /var/tmp/*
history -c
cat /dev/null > /root/.bash_history
unset HISTFILE
+
+journalctl --rotate
+journalctl --vacuum-time=1s
find /var/log -mtime -1 -type f -exec truncate -s 0 {} \;
rm -rf /var/log/*.gz /var/log/*.[0-9] /var/log/*-????????
rm -rf /var/lib/cloud/instances/*
@@ -69,6 +82,9 @@ rm -f /root/.ssh/authorized_keys /etc/ssh/*key*
touch /etc/ssh/revoked_keys
chmod 600 /etc/ssh/revoked_keys
+cat /dev/null > /var/log/lastlog
+cat /dev/null > /var/log/wtmp
+
# Securely erase the unused portion of the filesystem
GREEN='\033[0;32m'
NC='\033[0m'
@@ -87,4 +103,5 @@ dd if=/dev/zero of=/zerofile &
sleep 5
done
sync; rm /zerofile; sync
-cat /dev/null > /var/log/lastlog; cat /dev/null > /var/log/wtmp
+
+fstrim /
From f0e3b15b059cc8914a0d43cf745a9729acd6df83 Mon Sep 17 00:00:00 2001
From: Sam Rose
Date: Sun, 1 Feb 2026 13:33:24 -0500
Subject: [PATCH 08/11] fix: reset to previous state do not try to run these here
---
scripts/90-cleanup.sh | 16 +---------------
1 file changed, 1 insertion(+), 15 deletions(-)
diff --git a/scripts/90-cleanup.sh b/scripts/90-cleanup.sh
index 3164b1348..415c0d413 100644
--- a/scripts/90-cleanup.sh
+++ b/scripts/90-cleanup.sh
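Review bot: `apt-get -y upgrade` is now the last apt step in the branch, after `autoclean`, so the .debs it downloads stay in `/var/cache/apt/archives` and ship inside the AMI; add `apt-get -y clean` after the upgrade, or run the upgrade before `autoremove`/`autoclean`. `fstrim /` at the very end exits non-zero on a filesystem whose block device does not support discard and, under `set -o errexit`, fails the whole script on its last line; `fstrim / || true` (with a comment that trim is best-effort) is the safe form. The `systemctl set-default`/`mask` lines and `journalctl --vacuum-time=1s` sit at top level outside the `apt-get` branch, so they now also run on the `yum` path the script still has above this hunk — fine if intended, but worth a one-line comment. The enclosing `elif` block of the first hunk starts outside it.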
@@ -61,20 +61,10 @@ elif [ -n "$(command -v apt-get)" ]; then
apt-get -y update
apt-get -y upgrade
fi
-
-# Set multi-user target (non-graphical) as default
-systemctl set-default multi-user.target
-systemctl disable getty@tty1.service
-systemctl mask getty@tty1.service
-systemctl mask graphical.target
-
rm -rf /tmp/* /var/tmp/*
history -c
cat /dev/null > /root/.bash_history
unset HISTFILE
-
-journalctl --rotate
-journalctl --vacuum-time=1s
find /var/log -mtime -1 -type f -exec truncate -s 0 {} \;
rm -rf /var/log/*.gz /var/log/*.[0-9] /var/log/*-????????
rm -rf /var/lib/cloud/instances/*
@@ -82,9 +72,6 @@ rm -f /root/.ssh/authorized_keys /etc/ssh/*key*
touch /etc/ssh/revoked_keys
chmod 600 /etc/ssh/revoked_keys
-cat /dev/null > /var/log/lastlog
-cat /dev/null > /var/log/wtmp
-
# Securely erase the unused portion of the filesystem
GREEN='\033[0;32m'
NC='\033[0m'
@@ -103,5 +90,4 @@ dd if=/dev/zero of=/zerofile &
sleep 5
done
sync; rm /zerofile; sync
-
-fstrim /
+cat /dev/null > /var/log/lastlog; cat /dev/null > /var/log/wtmp
From d740185328bce09297939562b2d29e2f220eb484 Mon Sep 17 00:00:00 2001
From: Sam Rose
Date: Sun, 1 Feb 2026 14:42:24 -0500
Subject: [PATCH 09/11] fix: restoring meeded items
---
scripts/90-cleanup.sh | 3 +++
1 file changed, 3 insertions(+)
diff --git a/scripts/90-cleanup.sh b/scripts/90-cleanup.sh
index 415c0d413..052843375 100644
--- a/scripts/90-cleanup.sh
+++ b/scripts/90-cleanup.sh
@@ -49,6 +49,9 @@ elif [ -n "$(command -v apt-get)" ]; then
# They may have been removed as dependencies during package cleanup
apt-get -y install --no-install-recommends cloud-init openssh-server
+ # Ensure cloud-init and SSH services are enabled (may not be re-enabled on reinstall)
+ systemctl enable cloud-init-local.service cloud-init.service cloud-config.service cloud-final.service ssh.service || true
+
# Protect SSH and cloud-init dependencies from autoremove
# Without these, the AMI won't be accessible via SSH after boot
apt-mark manual openssh-server cloud-init python3-systemd python3-jinja2 \
From c48d2b6be175b38974fd5ffa0460d4aa2b66beda Mon Sep 17 00:00:00 2001
From: Sam Rose
Date: Sun, 1 Feb 2026 19:33:53 -0500
Subject: [PATCH 10/11] fix: symlink
---
scripts/90-cleanup.sh | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/scripts/90-cleanup.sh b/scripts/90-cleanup.sh
index 052843375..6d093453d 100644
--- a/scripts/90-cleanup.sh
+++ b/scripts/90-cleanup.sh
@@ -50,7 +50,16 @@ elif [ -n "$(command -v apt-get)" ]; then
apt-get -y install --no-install-recommends cloud-init openssh-server
# Ensure cloud-init and SSH services are enabled (may not be re-enabled on reinstall)
- systemctl enable cloud-init-local.service cloud-init.service cloud-config.service cloud-final.service ssh.service || true
+ # systemctl enable can fail silently in chroot - create symlinks manually
+ mkdir -p /etc/systemd/system/cloud-init.target.wants
+ mkdir -p /etc/systemd/system/multi-user.target.wants
+ ln -sf /usr/lib/systemd/system/cloud-init-local.service /etc/systemd/system/cloud-init.target.wants/ || true
+ ln -sf /usr/lib/systemd/system/cloud-init.service /etc/systemd/system/cloud-init.target.wants/ || true
+ ln -sf /usr/lib/systemd/system/cloud-config.service /etc/systemd/system/cloud-init.target.wants/ || true
+ ln -sf /usr/lib/systemd/system/cloud-final.service /etc/systemd/system/cloud-init.target.wants/ || true
+ ln -sf /usr/lib/systemd/system/cloud-init.target /etc/systemd/system/multi-user.target.wants/ || true
+ ln -sf /usr/lib/systemd/system/ssh.service /etc/systemd/system/multi-user.target.wants/ || true
+ echo "Created cloud-init and SSH service symlinks"
# Protect SSH and cloud-init dependencies from autoremove
# Without these, the AMI won't be accessible via SSH after boot
From a03f6c0a7a7e21129cc299f2a132e33633b4773d Mon Sep 17 00:00:00 2001
From: Sam Rose
Date: Tue, 3 Feb 2026 23:26:48 -0500
Subject: [PATCH 11/11] feat: use ubuntu minimal
---
amazon-arm64-nix.pkr.hcl | 2 +-
ansible/tasks/clean-build-dependencies.yml | 30 +------
scripts/90-cleanup.sh | 92 ++++++---------------
3 files changed, 29 insertions(+), 95 deletions(-)
diff --git a/amazon-arm64-nix.pkr.hcl b/amazon-arm64-nix.pkr.hcl
index 630ab7c99..a754eaacc 100644
--- a/amazon-arm64-nix.pkr.hcl
+++ b/amazon-arm64-nix.pkr.hcl
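Review bot: `ln -sf` never checks that the unit file it points at exists, so if cloud-init or openssh-server did not actually get installed the six new lines silently plant dangling symlinks, the `|| true` suffixes mask nothing useful (`ln -sf` into an existing directory only fails on I/O or permission errors, which a build should not swallow), and the closing `echo "Created cloud-init and SSH service symlinks"` reports success regardless. Test for each unit file and fail the build when it is missing, which also collapses the repetition into a loop. `systemctl enable` is normally usable without a running systemd since it only edits symlinks, so the comment's "can fail silently in chroot" would be more convincing with the actual error it produced — if the previous line's `|| true` was what hid it, removing that may have been enough. The enclosing `elif` block starts outside the hunk.
```shell
  # Ensure cloud-init and SSH services are enabled (may not be re-enabled on reinstall)
  # systemctl enable can fail silently in chroot - create symlinks manually
  mkdir -p /etc/systemd/system/cloud-init.target.wants
  mkdir -p /etc/systemd/system/multi-user.target.wants
  for unit in cloud-init-local.service cloud-init.service cloud-config.service cloud-final.service; do
    # a missing unit file means the package is not installed: fail instead of planting a dangling link
    [ -e "/usr/lib/systemd/system/${unit}" ] || { echo "missing unit file for ${unit}" >&2; exit 1; }
    ln -sf "/usr/lib/systemd/system/${unit}" /etc/systemd/system/cloud-init.target.wants/
  done
  for unit in cloud-init.target ssh.service; do
    [ -e "/usr/lib/systemd/system/${unit}" ] || { echo "missing unit file for ${unit}" >&2; exit 1; }
    ln -sf "/usr/lib/systemd/system/${unit}" /etc/systemd/system/multi-user.target.wants/
  done
  echo "Created cloud-init and SSH service symlinks"
```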
@@ -1,6 +1,6 @@
variable "ami" {
type = string
- default = "ubuntu/images/hvm-ssd-gp3/ubuntu-noble-24.04-arm64-server-*"
+ default = "ubuntu-minimal/images/hvm-ssd-gp3/ubuntu-noble-24.04-arm64-minimal-*"
}
variable "profile" {
diff --git a/ansible/tasks/clean-build-dependencies.yml b/ansible/tasks/clean-build-dependencies.yml
index 3555b859c..a16312849 100644
--- a/ansible/tasks/clean-build-dependencies.yml
+++ b/ansible/tasks/clean-build-dependencies.yml
@@ -6,6 +6,7 @@
ansible.builtin.apt:
autoremove: false
pkg:
+ # Build tools installed by Ansible tasks
- bison
- build-essential
- clang-11
@@ -13,49 +14,26 @@
- cpp
- flex
- g++
- - g++-10
- g++-9
+ - g++-10
- gcc-10
- make
- - manpages
- - manpages-dev
- ninja-build
- patch
- python2
- state: 'absent'
-
-# Security hardening: remove packages that increase attack surface
-# - Compiler toolchain enables local exploit compilation
-# - Dev packages provide headers for building exploits
-# - salt-minion is a remote management agent (large attack surface)
-# - sshpass stores credentials in plaintext
-- name: Remove high-security-risk packages
- ansible.builtin.apt:
- autoremove: false
- pkg:
- # Compiler toolchain (gcc-14-base kept - libgcc-s1 runtime depends on it)
- - binutils
- - binutils-aarch64-linux-gnu
- - binutils-common
- # Dev/header packages
+ # Dev headers installed for compilation
- libc6-dev
- libcrypt-dev
- libevent-dev
- libpcre3-dev
- libssl-dev
- - libsystemd-dev
- linux-headers-aws
- linux-libc-dev
- pkg-config
- pkgconf
- pkgconf-bin
- - rpcsvc-proto
- - systemd-dev
- zlib1g-dev
- # Remote management (if not used)
- - salt-minion
- - salt-common
- # Credential handling
+ # Security: credential handling
- sshpass
# Build tool leftovers
- ansible-core
diff --git a/scripts/90-cleanup.sh b/scripts/90-cleanup.sh
index 6d093453d..6c566deab 100644
--- a/scripts/90-cleanup.sh
+++ b/scripts/90-cleanup.sh
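Review bot: Dropping binutils, binutils-common, binutils-aarch64-linux-gnu, libsystemd-dev, rpcsvc-proto, systemd-dev and the two salt packages from the list while the task keeps `autoremove: false` (context line in the first hunk) means that anything among them that arrived as a dependency of the build tools this play installed — binutils comes in via build-essential's gcc — stays in the image after `build-essential` itself is removed. `state: 'absent'` on a package that is not installed is a no-op, so keeping those entries costs nothing and keeps the hardening explicit; if the move to the minimal base is why they went, say so in the `# Build tools installed by Ansible tasks` comment. The `g++-9`/`g++-10` swap is reorder noise in an otherwise security-relevant diff. The deleted header explaining what each package group enables was useful; carry a one-line version, e.g. `# Toolchain and headers are removed so the image cannot compile code locally`.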
@@ -1,90 +1,45 @@
#!/bin/bash
-
-# DigitalOcean Marketplace Image Validation Tool
-# © 2021 DigitalOcean LLC.
-# This code is licensed under Apache 2.0 license (see LICENSE.md for details)
-
set -o errexit
-# Ensure /tmp exists and has the proper permissions before
-# checking for security updates
-# https://github.com/digitalocean/marketplace-partners/issues/94
+# Ensure /tmp exists and has proper permissions
if [[ ! -d /tmp ]]; then
mkdir /tmp
fi
chmod 1777 /tmp
-if [ -n "$(command -v yum)" ]; then
- yum update -y
- yum clean all
-elif [ -n "$(command -v apt-get)" ]; then
- # Cleanup more packages
- apt-get -y remove --purge \
- automake \
- autoconf \
- autotools-dev \
- cmake-data \
- cpp-9 \
- cpp-10 \
- gcc-9 \
- gcc-10 \
- git \
- git-man \
- ansible \
- libicu-dev \
- libcgal-dev \
- libgcc-9-dev \
- ansible
-
+# Update system
+if [ -n "$(command -v apt-get)" ]; then
# Remove ansible PPA directly (software-properties-common may not be installed)
rm -f /etc/apt/sources.list.d/ansible-ubuntu-ansible-*.list \
/etc/apt/sources.list.d/ansible-ubuntu-ansible-*.sources 2>/dev/null || true
- source /etc/os-release
-
- # Protect critical runtime packages from autoremove
- apt-mark manual libevent-2.1-7t64
-
- # Ensure cloud-init and openssh-server are installed
- # They may have been removed as dependencies during package cleanup
- apt-get -y install --no-install-recommends cloud-init openssh-server
-
- # Ensure cloud-init and SSH services are enabled (may not be re-enabled on reinstall)
- # systemctl enable can fail silently in chroot - create symlinks manually
- mkdir -p /etc/systemd/system/cloud-init.target.wants
- mkdir -p /etc/systemd/system/multi-user.target.wants
- ln -sf /usr/lib/systemd/system/cloud-init-local.service /etc/systemd/system/cloud-init.target.wants/ || true
- ln -sf /usr/lib/systemd/system/cloud-init.service /etc/systemd/system/cloud-init.target.wants/ || true
- ln -sf /usr/lib/systemd/system/cloud-config.service
/etc/systemd/system/cloud-init.target.wants/ || true
- ln -sf /usr/lib/systemd/system/cloud-final.service /etc/systemd/system/cloud-init.target.wants/ || true
- ln -sf /usr/lib/systemd/system/cloud-init.target /etc/systemd/system/multi-user.target.wants/ || true
- ln -sf /usr/lib/systemd/system/ssh.service /etc/systemd/system/multi-user.target.wants/ || true
- echo "Created cloud-init and SSH service symlinks"
-
- # Protect SSH and cloud-init dependencies from autoremove
- # Without these, the AMI won't be accessible via SSH after boot
- apt-mark manual openssh-server cloud-init python3-systemd python3-jinja2 \
- python3-yaml python3-oauthlib python3-configobj python3-requests \
- python3-urllib3 python3-certifi python3-chardet python3-idna || true
-
- apt-get -y autoremove
- apt-get -y autoclean
-
apt-get -y update
apt-get -y upgrade
+ apt-get -y autoremove
+ apt-get -y autoclean
fi
+
+# Clean temp files
rm -rf /tmp/* /var/tmp/*
+
+# Clear history
history -c
cat /dev/null > /root/.bash_history
unset HISTFILE
+
+# Clean logs
find /var/log -mtime -1 -type f -exec truncate -s 0 {} \;
rm -rf /var/log/*.gz /var/log/*.[0-9] /var/log/*-????????
+
+# Clean cloud-init for fresh start
rm -rf /var/lib/cloud/instances/*
+
+# Remove SSH keys (cloud-init regenerates on boot)
rm -f /root/.ssh/authorized_keys /etc/ssh/*key*
touch /etc/ssh/revoked_keys
chmod 600 /etc/ssh/revoked_keys
-# Securely erase the unused portion of the filesystem
+# Securely erase unused disk space
GREEN='\033[0;32m'
NC='\033[0m'
printf "\n${GREEN}Writing zeros to the remaining disk space to securely
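Review bot: The new `# Remove SSH keys (cloud-init regenerates on boot)` comment and the `apt-get -y autoremove` kept in the branch now rely on cloud-init and openssh-server surviving autoremove, yet this commit deletes the `apt-mark manual` guard, the reinstall and the unit symlinks that the earlier commits in this series added for exactly that failure; unless the minimal base already has both packages marked manual (not shown here), keep a one-line guard before the autoremove: `apt-mark manual cloud-init openssh-server`. `apt-get -y autoclean` right after `apt-get -y upgrade` leaves the upgraded .debs in `/var/cache/apt/archives`; `apt-get -y clean` removes them. With the `yum` branch gone the `if` has no `else`, so an image without apt-get silently skips updating; an `else` that prints a message and exits non-zero makes that visible. The `printf` on the last line of the hunk continues past the hunk boundary.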
@@ -95,11 +50,12 @@ The secure erase will complete successfully when you see:${NC}
Beginning secure erase now\n"
dd if=/dev/zero of=/zerofile &
- PID=$!
- while [ -d /proc/$PID ]
- do
- printf "."
- sleep 5
- done
+PID=$!
+while [ -d /proc/$PID ]; do
+ printf "."
+ sleep 5
+done
sync; rm /zerofile; sync
-cat /dev/null > /var/log/lastlog; cat /dev/null > /var/log/wtmp
+
+cat /dev/null > /var/log/lastlog
+cat /dev/null > /var/log/wtmp
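Review bot: The split `cat /dev/null > /var/log/lastlog` / `wtmp` lines still leave `/var/log/btmp` (failed-login records) untouched, so any failed logins recorded on the build host ship in the image; add `[ -e /var/log/btmp ] && cat /dev/null > /var/log/btmp` beside them — the existence test keeps `set -o errexit` quiet and avoids creating the file with the wrong mode. Moving the poll loop to column 0 is a good cleanup; the loop ends as soon as the backgrounded `dd` is gone for any reason, and nothing reads its exit status because ENOSPC is the expected outcome, so a comment should record that, e.g. `# dd is expected to fail with ENOSPC once the disk is full; the loop just waits for it`.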