diff --git a/config/bundle.yaml b/config/bundle_bionic.yaml
similarity index 98%
rename from config/bundle.yaml
rename to config/bundle_bionic.yaml
index 47adee0..74a5831 100644
--- a/config/bundle.yaml
+++ b/config/bundle_bionic.yaml
@@ -710,7 +710,7 @@ applications:
 "": *oam-space
 options:
 install_sources: |-
- - 'deb http://ppa.launchpad.net/landscape/19.10/ubuntu bionic main'
+ - 'deb http://192.168.1.12/ppa.launchpad.net/landscape/19.10/ubuntu bionic main'
 install_keys: |-
 - |
 -----BEGIN PGP PUBLIC KEY BLOCK-----
@@ -869,7 +869,7 @@ applications:
 =92oX
 -----END PGP PUBLIC KEY BLOCK-----
 install_sources: |
- - 'deb https://artifacts.elastic.co/packages/5.x/apt stable main'
+ - 'deb https://192.168.1.12/artifacts.elastic.co/packages/5.x/apt stable main'
 nagios:
 charm: cs:nagios
 series: bionic
@@ -922,7 +922,7 @@ applications:
 options:
 account-name: "standalone"
 origin: |
- deb http://ppa.launchpad.net/landscape/19.10/ubuntu bionic main|-----BEGIN PGP PUBLIC KEY BLOCK-----
+ deb http://192.168.1.12/ppa.launchpad.net/landscape/19.10/ubuntu bionic main|-----BEGIN PGP PUBLIC KEY BLOCK-----
 Version: SKS 1.1.6
 Comment: Hostname: keyserver.ubuntu.com
 mI0ESXN/egEEAOgRYISU9dnQm4BB5ZEEwKT+NKUDNd/DhMYdtBMw9Yk7S5cyoqpbtwoPJVzK
@@ -975,7 +975,7 @@ applications:
 # Contrail services are listening on 8094
 socket_listener_port: '8095'
 install_sources: |
- - 'deb http://ppa.launchpad.net/telegraf-devs/ppa/ubuntu bionic main'
+ - 'deb http://192.168.1.12/ppa.launchpad.net/telegraf-devs/ppa/ubuntu bionic main'
 install_keys: |-
 - |
 -----BEGIN PGP PUBLIC KEY BLOCK-----
@@ -1019,7 +1019,7 @@ applications:
 prometheus-client: *oam-space
 options:
 install_sources: |
- - 'deb http://ppa.launchpad.net/telegraf-devs/ppa/ubuntu bionic main'
+ - 'deb http://192.168.1.12/ppa.launchpad.net/telegraf-devs/ppa/ubuntu bionic main'
 install_keys: |-
 - |
 -----BEGIN PGP PUBLIC KEY BLOCK-----
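Review bot: The rewritten elastic source `'deb https://192.168.1.12/artifacts.elastic.co/packages/5.x/apt stable main'` (hunk -869) keeps https while the other four mirrored sources in hunks -710, -922, -975 and -1019 use plain http to the same host, so apt on those units will presumably try to validate a certificate for the bare IP 192.168.1.12; unless the mirror presents a certificate the units trust for that address the install fails, and working around it by disabling verification would make the https entry no stronger than the http ones. The unchanged install_keys / origin key blocks mean apt still verifies the mirrored Release signatures, which is the control that matters here, so one scheme for all five entries is the simpler choice. The mirror address is a literal repeated in each hunk and again in the model-config files; a comment above the first occurrence, `# local apt mirror: must serve the upstream-signed InRelease files unmodified or the install_keys checks fail`, would record the assumption the key blocks rely on.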
@@ -1192,7 +1192,7 @@ relations: # - [ "cinder2:amqp", "rabbitmq-server:amqp" ] # - [ "cinder2:ha", "hacluster-cinder2:ha" ] - - [ "cinder-ceph:storage-backend", "cinder2:storage-backend" ] +# - [ "cinder-ceph:storage-backend", "cinder2:storage-backend" ] # - [ "cinder2", "cinder-backup" ]
diff --git a/config/juju-model-default-cis.yaml b/config/juju-model-default-cis-bionic.yaml
similarity index 70%
rename from config/juju-model-default-cis.yaml
rename to config/juju-model-default-cis-bionic.yaml
index 114927b..c654a09 100644
--- a/config/juju-model-default-cis.yaml
+++ b/config/juju-model-default-cis-bionic.yaml
@@ -4,13 +4,26 @@ cloudinit-userdata: |
 - libopenscap8
 write_files:
 - owner: root:root
- path: /etc/apt/auth.conf.d/cis-harden.conf
- permissions: '0600'
+ path: /root/99-post-juju.yaml
+ permissions: '0644'
 content: |
- # Credentials to allow the connecion for the CIS benchmarks private PPA
- machine private-ppa.launchpad.net/ubuntu-advantage/security-benchmarks/ubuntu
- login arif-ali
- password kNnpLf27XvGsdwt6VxfT
+ network:
+ version: 2
+ ethernets:
+ ens3:
+ link-local: []
+ ens4:
+ link-local: []
+ ens5:
+ link-local: []
+ ens6:
+ link-local: []
+ ens7:
+ link-local: []
+ ens8:
+ link-local: []
+ ens9:
+ link-local: []
 - owner: root:root
 path: /tmp/cis-hardening.conf
 permissions: '0644'
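Review bot: The private-PPA login and password removed from `/etc/apt/auth.conf.d/cis-harden.conf` in this hunk remain in the repository history, so deleting the file does not retire them; the credential should be rotated on the Launchpad side. The same write_files entry now carries an unrelated netplan snippet written to `/root/99-post-juju.yaml`, which the rename diff makes hard to see; a comment above the entry, `# netplan drop-in, moved into /etc/netplan by preruncmd on non-container machines`, would make the new purpose explicit. The mirrored private PPA introduced in the next hunk (`deb http://192.168.1.12/private-ppa.launchpad.net/...`) is presumably served without the login the PPA itself required, so anything that can reach 192.168.1.12 can fetch that content; that may be intended but is worth stating next to the mirror entry.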
@@ -61,12 +74,16 @@ cloudinit-userdata: |
 preruncmd:
 - locale-gen en_GB.UTF-8; update-locale
 - sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys A166877412DAC26E73CEBF3FF6C280178D13028C
- - sudo add-apt-repository "deb https://private-ppa.launchpad.net/ubuntu-advantage/security-benchmarks/ubuntu bionic main"
+ - sudo add-apt-repository "deb http://192.168.1.12/private-ppa.launchpad.net/ubuntu-advantage/security-benchmarks/ubuntu bionic main"
 - sudo apt update
 - sudo DEBIAN_FRONTEND=noninteractive apt install -y -q usg-cisbenchmark
 - cd /usr/share/ubuntu-scap-security-guides/cis-hardening; sudo ./Canonical_Ubuntu_18.04_CIS-harden.sh -f /tmp/cis-hardening.conf lvl2_server
 # remove auditd as added by Hardening script but is not supported on containers
 - "systemd-detect-virt --container && apt purge -y auditd"
+ - "systemd-detect-virt --container && rm -rf /root/99-post-juju.yaml"
+ - "! systemd-detect-virt --container && mv /root/99-post-juju.yaml /etc/netplan/99-post-juju.yaml"
+ - "! systemd-detect-virt --container && sudo lxc profile set default security.nesting true"
+ - sudo netplan apply
 default-series: "bionic"
-apt-mirror: http://192.168.1.12/ubuntu
+apt-mirror: http://192.168.1.12/archive.ubuntu.com/ubuntu
diff --git a/config/juju-model-default-cis-focal.yaml b/config/juju-model-default-cis-focal.yaml
new file mode 100644
index 0000000..49f43a1
--- /dev/null
+++ b/config/juju-model-default-cis-focal.yaml
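Review bot: `sudo lxc profile set default security.nesting true` is run on every non-container machine, which relaxes LXD's isolation for every container later launched from the default profile (nesting loosens the mount/AppArmor restrictions LXD applies, as far as I can tell), and nothing in the hunk says why it is needed; a comment such as `# security.nesting needed for <reason>; widens the container/host boundary for all default-profile containers` should sit above it with the reason filled in. `rm -rf /root/99-post-juju.yaml` targets a single regular file, so `rm -f /root/99-post-juju.yaml` is sufficient and avoids an unneeded recursive delete under /root. Both points apply verbatim to the new focal model-config (hunk +1,97), which duplicates these preruncmd lines; the rest of cloudinit-userdata is outside this hunk.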
@@ -0,0 +1,97 @@
+cloudinit-userdata: |
+ packages:
+ - squashfuse
+ - libopenscap8
+ write_files:
+ - owner: root:root
+ path: /root/99-post-juju.yaml
+ permissions: '0644'
+ content: |
+ network:
+ version: 2
+ ethernets:
+ ens3:
+ link-local: []
+ ens4:
+ link-local: []
+ ens5:
+ link-local: []
+ ens6:
+ link-local: []
+ ens7:
+ link-local: []
+ ens8:
+ link-local: []
+ ens9:
+ link-local: []
+ - owner: root:root
+ path: /tmp/cis-hardening.conf
+ permissions: '0644'
+ content: |
+ # Hash created by grub-mkpasswd-pbkdf2 to set grub password. If empty, grub password
+ # is not set.
+ # (CIS rule 1.4.2)
+ grub_hash=grub.pbkdf2.sha512.10000.548903E12706838EBE33BF0C992AAC553408E45A75FD6A56AA6E15B77164C96C29BC2A896FBDC24550B20D26B531078B73107FE97A8C75BE4A2AEB39F241A58D.1708FD2D488E043C170838CBD5FFBEB2F418023B1251BD5DCF3E724038D2E6F3F51F3EE1615A52BCADD8736B4A0C34AC820D4F7EE1E0F1FD96AC0761B6A6E6A2
+ # Grub user set for authentication
+ grub_user=ubuntu
+
+ # Time synchronization service selected (ntp or chrony - if empty, none will be installed)
+ # (CIS rule 2.2.1.1-2.2.1.3)
+ time_sync_svc=
+ time_sync_addr=
+
+ # Audit log storage size, before log is automatically rotated
+ # (CIS rule 4.1.1.1)
+ max_log_file=8
+
+ # Remote log host address (CIS rule 4.2.2.4)
+ # Use the format loghost.example.com:554, to define the port
+ remote_log_server=
+
+ # SSH access limitation parameters at /etc/ssh/sshd_config (CIS rule 5.2.14)
+ AllowUsers=ubuntu
+ AllowGroups=
+ DenyUsers=
+ DenyGroups=
+
+ # PAM password quality parameters at /etc/security/pwquality.conf (CIS rule 5.3.1)
+ minlen=14
+ dcredit=-1
+ ucredit=-1
+ ocredit=-1
+ lcredit=-1
+
+ # sudo group members, aside from root (CIS rule 5.6)
+ sudo_member=
+
+ # Unowned files will be changed to this user (CIS rule 6.1.11)
+ unowned_user=root
+ # Ungrouped files will be changed to this user (CIS rule 6.1.12)
+ unowned_group=root
+
+ # Delete files in the home directory which violate CIS rules (CIS rules 6.2.11, 6.2.12,
6.2.14)
+ delete_user_files=true
+
+ # Exclude rsync rules on Focal
+ ruleset1="1.1.1.1 1.1.1.2 1.1.1.3 1.1.1.4 1.1.1.5 1.1.1.6 1.1.2 1.1.3 1.1.4 1.1.5 1.1.6 1.1.7 1.1.8 1.1.9 1.1.12 1.1.13 1.1.14 1.1.18 1.1.19 1.1.20 1.1.21 1.1.22 1.1.23 1.1.24 1.2.1 1.2.2 1.3.1 1.3.2 1.3.3 1.4.1 1.4.2 1.5.1 1.5.2 1.5.3 1.6.1 1.6.2 1.6.3 1.6.4 1.7.1.1 1.7.1.2 1.7.1.3 1.8.1.1 1.8.1.2 1.8.1.3 1.8.1.4 1.8.1.5 1.8.1.6 1.9 1.10"
+ ruleset2="2.1.1 2.1.2 2.2.1.1 2.2.1.2 2.2.1.3 2.2.1.4 2.2.2 2.2.3 2.2.4 2.2.5 2.2.6 2.2.7 2.2.8 2.2.9 2.2.10 2.2.11 2.2.12 2.2.13 2.2.14 2.2.15 2.2.17 2.3.1 2.3.2 2.3.3 2.3.4 2.3.5 2.3.6 2.4"
+ ruleset3="3.1.2 3.2.1 3.2.2 3.3.1 3.3.2 3.3.3 3.3.4 3.3.5 3.3.6 3.3.7 3.3.8 3.3.9 3.5.1.1 3.5.1.2 3.5.1.3 3.5.1.4 3.5.1.5 3.5.1.6 3.5.1.7 3.5.2.1 3.5.2.2 3.5.2.3 3.5.2.4 3.5.2.5 3.5.2.6 3.5.2.7 3.5.2.8 3.5.2.9 3.5.2.10 3.5.3.1.1 3.5.3.1.2 3.5.3.2.1 3.5.3.2.2 3.5.3.2.3 3.5.3.2.4 3.5.3.3.1 3.5.3.3.2 3.5.3.3.3 3.5.3.3.4"
+ ruleset4="4.2.1.1 4.2.1.2 4.2.1.3 4.2.1.4 4.2.1.5 4.2.1.6 4.2.2.1 4.2.2.2 4.2.2.3 4.2.3 4.3 4.4"
+ ruleset5="5.1.1 5.1.2 5.1.3 5.1.4 5.1.5 5.1.6 5.1.7 5.1.8 5.1.9 5.2.1 5.2.2 5.2.3 5.2.4 5.2.6 5.2.7 5.2.8 5.2.9 5.2.10 5.2.11 5.2.12 5.2.13 5.2.14 5.2.15 5.2.16 5.2.17 5.2.18 5.2.19 5.2.21 5.2.22 5.3.1 5.3.2 5.3.3 5.3.4 5.4.1.1 5.4.1.2 5.4.1.3 5.4.1.4 5.4.1.5 5.4.2 5.4.3 5.4.4 5.4.5 5.5 5.6"
+ ruleset6="6.1.2 6.1.3 6.1.4 6.1.5 6.1.6 6.1.7 6.1.8 6.1.9 6.1.10 6.1.11 6.1.12 6.1.13 6.1.14 6.2.1 6.2.2 6.2.3 6.2.4 6.2.5 6.2.6 6.2.7 6.2.8 6.2.9 6.2.10 6.2.11 6.2.12 6.2.13 6.2.14 6.2.15 6.2.16 6.2.17"
+ preruncmd:
+ - locale-gen en_GB.UTF-8; update-locale
+ - sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys A166877412DAC26E73CEBF3FF6C280178D13028C
+ - sudo add-apt-repository "deb http://192.168.1.12/private-ppa.launchpad.net/ubuntu-advantage/security-benchmarks/ubuntu focal main"
+ - sudo apt update
+ - sudo DEBIAN_FRONTEND=noninteractive apt install -y -q usg-cisbenchmark
+ - cd /usr/share/ubuntu-scap-security-guides/cis-hardening;
./Canonical_Ubuntu_20.04_CIS-harden.sh -f /tmp/cis-hardening.conf custom
+ # remove auditd as added by Hardening script but is not supported on containers
+ - "systemd-detect-virt --container && apt purge -y auditd"
+ - "systemd-detect-virt --container && rm -rf /root/99-post-juju.yaml"
+ - "! systemd-detect-virt --container && mv /root/99-post-juju.yaml /etc/netplan/99-post-juju.yaml"
+ - "! systemd-detect-virt --container && sudo lxc profile set default security.nesting true"
+ - sudo netplan apply
+
+default-series: "focal"
+apt-mirror: http://192.168.1.12/archive.ubuntu.com/ubuntu
diff --git a/config/juju-model-default.yaml b/config/juju-model-default.yaml
index f00136a..ea3f992 100644
--- a/config/juju-model-default.yaml
+++ b/config/juju-model-default.yaml
@@ -29,4 +29,4 @@ cloudinit-userdata: |
 - sudo netplan apply
 default-series: "bionic"
-apt-mirror: http://192.168.1.12/ubuntu
+apt-mirror: http://192.168.1.12/archive.ubuntu.com/ubuntu
diff --git a/config/juju_deploy.sh b/config/juju_deploy.sh
deleted file mode 100755
index 7a8b426..0000000
--- a/config/juju_deploy.sh
+++ /dev/null
@@ -1,17 +0,0 @@
-#!/bin/bash
-
-juju deploy ./bundle.yaml \
- --overlay ./overlays/ovs.yaml \
- --overlay ./overlays/hostnames.yaml \
- --overlay ./overlays/ldap.yaml \
- --overlay ./overlays/resources.yaml \
- --overlay ./overlays/openstack_versioned_overlay.yaml \
- --overlay ./overlays/stsstack.yaml $*
-
-# --overlay ./overlays/contrail.yaml \
-# --overlay ./overlays/openstack_versioned_overlay.yaml \
-# --overlay ./overlays/openstack_versioned_overlay_gemini.yaml \
-# --overlay ./overlays/contrail_versioned_overlay.yaml \
-# --overlay ./overlays/ssl.yaml \
-# --overlay ./overlays/contrail.yaml \
-# --overlay ./overlays/contrail_versioned_overlay.yaml \
diff --git a/config/juju_deploy.sh b/config/juju_deploy.sh
new file mode 120000
index 0000000..a1ccd91
--- /dev/null
+++ b/config/juju_deploy.sh
@@ -0,0 +1 @@
+juju_deploy_bionic.sh
\ No newline at end of file
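Review bot: `time_sync_svc=` and `time_sync_addr=` are left empty in the new focal hardening config, and the file's own comment says an empty value means no time-synchronisation service is installed, so CIS rules 2.2.1.1–2.2.1.3 are effectively skipped on focal; either set `time_sync_svc=chrony` or record the decision, e.g. `# empty on purpose: systemd-timesyncd is relied on, see <decision ref>`. The comment `# Exclude rsync rules on Focal` understates what the rulesets omit: ruleset4 begins at 4.2.1.1, so no 4.1.* (auditd) rule is selected, and ruleset3 has no 3.4.* entries either; the comment should list the real exclusions so the `custom` profile can be audited. `grub_hash=grub.pbkdf2...` commits a bootloader password hash, which anyone with repository read access can attack offline; use a password unique to this deployment and keep the hash out of the shared repo unless the repo itself is access-controlled. `remote_log_server=` is empty as well, so hardening and audit logs stay on the host only. The bionic equivalent of this config is not in the diff, so I cannot tell whether these values were copied from it.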
diff --git a/config/juju_deploy_bionic.sh b/config/juju_deploy_bionic.sh
new file mode 100755
index 0000000..d280dec
--- /dev/null
+++ b/config/juju_deploy_bionic.sh
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+series=bionic
+
+juju model-config juju-model-default-cis-${series}.yaml
+
+juju deploy ./bundle_${series}.yaml \
+ --overlay ./overlays/ovs.yaml \
+ --overlay ./overlays/hostnames.yaml \
+ --overlay ./overlays/ldap.yaml \
+ --overlay ./overlays/resources.yaml \
+ --overlay ./overlays/openstack_versioned_overlay_${series}.yaml \
+ --overlay ./overlays/stsstack.yaml $*
+
+# --overlay ./overlays/contrail.yaml \
+# --overlay ./overlays/openstack_versioned_overlay.yaml \
+# --overlay ./overlays/openstack_versioned_overlay_gemini.yaml \
+# --overlay ./overlays/contrail_versioned_overlay.yaml \
+# --overlay ./overlays/ssl.yaml \
+# --overlay ./overlays/contrail.yaml \
+# --overlay ./overlays/contrail_versioned_overlay.yaml \
diff --git a/config/juju_deploy_focal.sh b/config/juju_deploy_focal.sh
new file mode 100755
index 0000000..ae1886b
--- /dev/null
+++ b/config/juju_deploy_focal.sh
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+series=focal
+
+juju model-config juju-model-default-cis-${series}.yaml
+
+juju deploy ./bundle_${series}.yaml \
+ --overlay ./overlays/ovs.yaml \
+ --overlay ./overlays/hostnames.yaml \
+ --overlay ./overlays/ldap.yaml \
+ --overlay ./overlays/resources.yaml \
+ --overlay ./overlays/openstack_versioned_overlay_${series}.yaml \
+ --overlay ./overlays/stsstack.yaml $*
+
+# --overlay ./overlays/contrail.yaml \
+# --overlay ./overlays/openstack_versioned_overlay.yaml \
+# --overlay ./overlays/openstack_versioned_overlay_gemini.yaml \
+# --overlay ./overlays/contrail_versioned_overlay.yaml \
+# --overlay ./overlays/ssl.yaml \
+# --overlay ./overlays/contrail.yaml \
+# --overlay ./overlays/contrail_versioned_overlay.yaml \
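Review bot: `--overlay ./overlays/stsstack.yaml $*` passes the caller's arguments through unquoted, so any argument containing whitespace is re-split before `juju deploy` sees it; `"$@"` preserves them as given (same line in juju_deploy_focal.sh). The two new scripts are identical apart from `series=bionic` / `series=focal`, and `juju_deploy.sh` is now a symlink to the bionic one, so a single script taking the series as its first argument would keep the focal copy from drifting. Neither script stops when `juju model-config juju-model-default-cis-${series}.yaml` fails, so a deploy can proceed on a model whose cloudinit-userdata hardening was never applied; `set -euo pipefail` after the shebang closes that gap.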
diff --git a/config/overlays/openstack_versioned_overlay.yaml b/config/overlays/openstack_versioned_overlay_bionic.yaml
similarity index 97%
rename from config/overlays/openstack_versioned_overlay.yaml
rename to config/overlays/openstack_versioned_overlay_bionic.yaml
index 8637035..bb03fdc 100644
--- a/config/overlays/openstack_versioned_overlay.yaml
+++ b/config/overlays/openstack_versioned_overlay_bionic.yaml
@@ -19,8 +19,8 @@ applications:
 # charm: cs:ceph-radosgw-283
 cinder:
 charm: cs:cinder-297
- cinder2:
- charm: cs:cinder-297
+# cinder2:
+# charm: cs:cinder-297
 cinder-ceph:
 charm: cs:cinder-ceph-251
 easyrsa:
@@ -47,8 +47,8 @@ applications:
 charm: cs:hacluster-63
 hacluster-cinder:
 charm: cs:hacluster-63
- hacluster-cinder2:
- charm: cs:hacluster-63
+# hacluster-cinder2:
+# charm: cs:hacluster-63
 hacluster-glance:
 charm: cs:hacluster-63
 hacluster-gnocchi:
diff --git a/config/overlays/ovs.yaml b/config/overlays/ovs.yaml
index 29fb4b3..681fabf 100644
--- a/config/overlays/ovs.yaml
+++ b/config/overlays/ovs.yaml
@@ -14,8 +14,7 @@ applications:
 scheduler-default-filters: *nova-default-filters
 nova-compute:
 options:
- # AppArmor needs to be disabled: LP:1820302
- aa-profile-mode: disable
+ aa-profile-mode: complain
 neutron-api:
 options:
 vlan-ranges: *vlan-ranges
diff --git a/scripts/other-scripts/init_vault.sh b/scripts/other-scripts/init_vault.sh
new file mode 100755
index 0000000..b6588ec
--- /dev/null
+++ b/scripts/other-scripts/init_vault.sh
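Review bot: Changing `aa-profile-mode` from `disable` to `complain` also drops the only rationale the option had (`# AppArmor needs to be disabled: LP:1820302`), so the next reader cannot tell whether the referenced bug is resolved or complain mode is the remaining workaround; keep a comment on the new line, e.g. `# complain rather than enforce, see LP:1820302: profile violations are logged, not blocked`. Complain mode is a detection control only, so the nova-compute profile does not confine anything yet; the AppArmor audit messages it produces are what should justify a later move to `enforce`, and it is worth noting where those logs are collected.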
@@ -0,0 +1,30 @@
+#!/bin/bash
+
+vault_vip=$(juju config vault vip)
+echo export VAULT_ADDR="http://${vault_vip}:8200"
+export VAULT_ADDR="http://${vault_vip}:8200"
+
+vault operator init -key-shares=5 -key-threshold=3 > ../../secrets/vault.txt
+
+echo " "
+
+IPS=$(juju status vault --format json | jq '.applications.vault.units | to_entries[] | .value."public-address"' | sed s/\"//g)
+
+for ip in $IPS;do
+ echo export VAULT_ADDR=http://${ip}:8200;
+ export VAULT_ADDR=http://${ip}:8200;
+ for vault_key in $(head -n3 ../../secrets/vault.txt | awk '{print $4}');do
+ echo vault operator unseal -tls-skip-verify $vault_key
+ vault operator unseal -tls-skip-verify $vault_key
+ done;
+done;
+
+initial_token=$(grep Initial ../../secrets/vault.txt | awk '{print $4}')
+
+export VAULT_TOKEN=${initial_token}
+
+vault token create -ttl=10m > ../../secrets/vault-token.txt
+
+token=$(cat ../../secrets/vault-token.txt | grep token | head -n 1 | awk '{print $2}')
+
+juju run-action --wait vault/leader authorize-charm token=${token}
diff --git a/secrets/vault.txt b/secrets/vault.txt
index 3e0a668..df323e7 100644
--- a/secrets/vault.txt
+++ b/secrets/vault.txt
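Review bot: `vault operator init -key-shares=5 -key-threshold=3 > ../../secrets/vault.txt` writes all five unseal shares and the initial root token to a path this same diff shows is tracked in git (the secrets/vault.txt hunk that follows), so the material that protects everything in Vault is committed next to the code, and the shares and root token that hunk replaces remain recoverable from history; the fix is to rotate them (`vault operator rekey` for the shares, `vault token revoke` for the root token, which can be regenerated later with `vault operator generate-root`) and to add secrets/ to .gitignore, not to commit the file again. `echo vault operator unseal -tls-skip-verify $vault_key` additionally prints every share to stdout, where it ends up in shell history or CI logs; echo the unit address only. There is no `set -euo pipefail`, so if `vault operator init` fails (Vault already initialised, VIP unreachable) the redirect has already truncated vault.txt, the unseal loop silently runs zero times, `VAULT_TOKEN` is set empty and the script still calls `juju run-action ... authorize-charm`. The short-lived token from `vault token create -ttl=10m` is the right shape for the charm authorisation, but it is written under the same tracked secrets/ directory.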
@@ -1,10 +1,10 @@
-Unseal Key 1: L3OvWpS8dYyIl9mxJ/rn46cn5uVlf9FVZOfngf6K03b+
-Unseal Key 2: OYnjKwMDar1pAWB8XFuwq0x6TyTBRaT5BvcG6J1jNKDJ
-Unseal Key 3: aKvnqpX+6kWIJe1GWR8M/joJpDissExSk1oYC1vO5lmy
-Unseal Key 4: 76IAnSGfbnugZCDBgtoLMsAnhmErr6N9aJnuEAQrUP//
-Unseal Key 5: +VhM7LYgcUpB8pkM+Xtceit6L6CPldbRCokPeWfCtynI
+Unseal Key 1: oMGA8W+TK7m5j6+Q03+2lPbWWQh+jpXG2SAY2CAlFhjV
+Unseal Key 2: C02Te6hwirjAGwVpkcgjbgBwy4yLjRNF78zONv08DTdE
+Unseal Key 3: iR6klzFrGeNBBYy+3iPHjWmdZEF2laQ/6UekkV9P8OSD
+Unseal Key 4: c4o5tfs2mbP6NxXEd2IZHG+pgE79r4CQYxjRPNcEgKlw
+Unseal Key 5: HocK1RoX8Yi2vMVS6PpA69dd5fQzWDLj8mbm/tyfV4aW
-Initial Root Token: s.MC3kjNzrLhBuPk2DCrOzVrcw
+Initial Root Token: s.ueSOq2WWU9SY9Ikaj91EvTA9
 Vault initialized with 5 key shares and a key threshold of 3. Please securely distribute the key shares printed above. When the Vault is re-sealed,