Update configs

* Added local repos for everything * Add focal related stuff to start migrating * Add/fix CIS related stuff * Update/fix juju model defaults * Add model defaults just before the juju deploy * Add new script to initialise vault * Update vault keys to current mode
2021-12-01 16:23:28 +00:00
parent 75736a43cb
commit d7dc81cd18
11 changed files with 213 additions and 44 deletions
--- a/config/bundle_bionic.yaml
+++ b/config/bundle_bionic.yaml
@ -710,7 +710,7 @@ applications:
      "": *oam-space
    options:
      install_sources: |-
-        - 'deb http://ppa.launchpad.net/landscape/19.10/ubuntu bionic main'
+        - 'deb http://192.168.1.12/ppa.launchpad.net/landscape/19.10/ubuntu bionic main'
      install_keys: |-
         - |
           -----BEGIN PGP PUBLIC KEY BLOCK-----
@ -869,7 +869,7 @@ applications:
          =92oX
          -----END PGP PUBLIC KEY BLOCK-----
      install_sources: |
-          - 'deb https://artifacts.elastic.co/packages/5.x/apt stable main'
+          - 'deb https://192.168.1.12/artifacts.elastic.co/packages/5.x/apt stable main'
  nagios:
    charm: cs:nagios
    series: bionic
@ -922,7 +922,7 @@ applications:
    options:
      account-name: "standalone"
      origin: |
-        deb http://ppa.launchpad.net/landscape/19.10/ubuntu bionic main|-----BEGIN PGP PUBLIC KEY BLOCK-----
+        deb http://192.168.1.12/ppa.launchpad.net/landscape/19.10/ubuntu bionic main|-----BEGIN PGP PUBLIC KEY BLOCK-----
        Version: SKS 1.1.6
        Comment: Hostname: keyserver.ubuntu.com
        mI0ESXN/egEEAOgRYISU9dnQm4BB5ZEEwKT+NKUDNd/DhMYdtBMw9Yk7S5cyoqpbtwoPJVzK
@ -975,7 +975,7 @@ applications:
      # Contrail services are listening on 8094
      socket_listener_port: '8095'
      install_sources: |
-        - 'deb http://ppa.launchpad.net/telegraf-devs/ppa/ubuntu bionic main'
+        - 'deb http://192.168.1.12/ppa.launchpad.net/telegraf-devs/ppa/ubuntu bionic main'
      install_keys: |-
        - |
          -----BEGIN PGP PUBLIC KEY BLOCK-----
@ -1019,7 +1019,7 @@ applications:
      prometheus-client: *oam-space
    options:
      install_sources: |
-        - 'deb http://ppa.launchpad.net/telegraf-devs/ppa/ubuntu bionic main'
+        - 'deb http://192.168.1.12/ppa.launchpad.net/telegraf-devs/ppa/ubuntu bionic main'
      install_keys: |-
        - |
          -----BEGIN PGP PUBLIC KEY BLOCK-----
@ -1192,7 +1192,7 @@ relations:
 #  - [ "cinder2:amqp", "rabbitmq-server:amqp" ]
 #  - [ "cinder2:ha", "hacluster-cinder2:ha" ]

-  - [ "cinder-ceph:storage-backend", "cinder2:storage-backend" ]
+#  - [ "cinder-ceph:storage-backend", "cinder2:storage-backend" ]

 #  - [ "cinder2", "cinder-backup" ]

--- a/config/juju-model-default-cis-bionic.yaml
+++ b/config/juju-model-default-cis-bionic.yaml
@ -4,13 +4,26 @@ cloudinit-userdata: |
    - libopenscap8
  write_files:
  - owner: root:root
-    path: /etc/apt/auth.conf.d/cis-harden.conf
-    permissions: '0600'
+    path: /root/99-post-juju.yaml
+    permissions: '0644'
    content: |
-      # Credentials to allow the connecion for the CIS benchmarks private PPA
-      machine private-ppa.launchpad.net/ubuntu-advantage/security-benchmarks/ubuntu
-      login arif-ali
-      password kNnpLf27XvGsdwt6VxfT
+      network:
+        version: 2
+        ethernets:
+          ens3:
+            link-local: []
+          ens4:
+            link-local: []
+          ens5:
+            link-local: []
+          ens6:
+            link-local: []
+          ens7:
+            link-local: []
+          ens8:
+            link-local: []
+          ens9:
+            link-local: []
  - owner: root:root
    path: /tmp/cis-hardening.conf
    permissions: '0644'
@ -61,12 +74,16 @@ cloudinit-userdata: |
  preruncmd:
    - locale-gen en_GB.UTF-8; update-locale
    - sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys A166877412DAC26E73CEBF3FF6C280178D13028C
-    - sudo add-apt-repository "deb https://private-ppa.launchpad.net/ubuntu-advantage/security-benchmarks/ubuntu bionic main"
+    - sudo add-apt-repository "deb http://192.168.1.12/private-ppa.launchpad.net/ubuntu-advantage/security-benchmarks/ubuntu bionic main"
    - sudo apt update
    - sudo DEBIAN_FRONTEND=noninteractive apt install -y -q usg-cisbenchmark
    - cd /usr/share/ubuntu-scap-security-guides/cis-hardening; sudo ./Canonical_Ubuntu_18.04_CIS-harden.sh -f /tmp/cis-hardening.conf lvl2_server
    # remove auditd as added by Hardening script but is not supported on containers
    - "systemd-detect-virt --container && apt purge -y auditd"
+    - "systemd-detect-virt --container && rm -rf /root/99-post-juju.yaml"
+    - "! systemd-detect-virt --container && mv /root/99-post-juju.yaml /etc/netplan/99-post-juju.yaml"
+    - "! systemd-detect-virt --container && sudo lxc profile set default security.nesting true"
+    - sudo netplan apply

 default-series: "bionic"
-apt-mirror: http://192.168.1.12/ubuntu
+apt-mirror: http://192.168.1.12/archive.ubuntu.com/ubuntu
--- a/config/juju-model-default-cis-focal.yaml
+++ b/config/juju-model-default-cis-focal.yaml
@ -0,0 +1,97 @@
+cloudinit-userdata: |
+  packages:
+    - squashfuse
+    - libopenscap8
+  write_files:
+  - owner: root:root
+    path: /root/99-post-juju.yaml
+    permissions: '0644'
+    content: |
+      network:
+        version: 2
+        ethernets:
+          ens3:
+            link-local: []
+          ens4:
+            link-local: []
+          ens5:
+            link-local: []
+          ens6:
+            link-local: []
+          ens7:
+            link-local: []
+          ens8:
+            link-local: []
+          ens9:
+            link-local: []
+  - owner: root:root
+    path: /tmp/cis-hardening.conf
+    permissions: '0644'
+    content: |
+      # Hash created by grub-mkpasswd-pbkdf2 to set grub password. If empty, grub password
+      # is not set.
+      # (CIS rule 1.4.2)
+      grub_hash=grub.pbkdf2.sha512.10000.548903E12706838EBE33BF0C992AAC553408E45A75FD6A56AA6E15B77164C96C29BC2A896FBDC24550B20D26B531078B73107FE97A8C75BE4A2AEB39F241A58D.1708FD2D488E043C170838CBD5FFBEB2F418023B1251BD5DCF3E724038D2E6F3F51F3EE1615A52BCADD8736B4A0C34AC820D4F7EE1E0F1FD96AC0761B6A6E6A2
+      # Grub user set for authentication
+      grub_user=ubuntu
+
+      # Time synchronization service selected (ntp or chrony - if empty, none will be installed)
+      # (CIS rule 2.2.1.1-2.2.1.3)
+      time_sync_svc=
+      time_sync_addr=
+
+      # Audit log storage size, before log is automatically rotated
+      # (CIS rule 4.1.1.1)
+      max_log_file=8
+
+      # Remote log host address (CIS rule 4.2.2.4)
+      # Use the format loghost.example.com:554, to define the port
+      remote_log_server=
+
+      # SSH access limitation parameters at /etc/ssh/sshd_config (CIS rule 5.2.14)
+      AllowUsers=ubuntu
+      AllowGroups=
+      DenyUsers=
+      DenyGroups=
+
+      # PAM password quality parameters at /etc/security/pwquality.conf (CIS rule 5.3.1)
+      minlen=14
+      dcredit=-1
+      ucredit=-1
+      ocredit=-1
+      lcredit=-1
+
+      # sudo group members, aside from root (CIS rule 5.6)
+      sudo_member=
+
+      # Unowned files will be changed to this user (CIS rule 6.1.11)
+      unowned_user=root
+      # Ungrouped files will be changed to this user (CIS rule 6.1.12)
+      unowned_group=root
+
+      # Delete files in the home directory which violate CIS rules (CIS rules 6.2.11, 6.2.12, 6.2.14)
+      delete_user_files=true
+
+      # Exclude rsync rules on Focal
+      ruleset1="1.1.1.1 1.1.1.2 1.1.1.3 1.1.1.4 1.1.1.5 1.1.1.6 1.1.2 1.1.3 1.1.4 1.1.5 1.1.6 1.1.7 1.1.8 1.1.9 1.1.12 1.1.13 1.1.14 1.1.18 1.1.19 1.1.20 1.1.21 1.1.22 1.1.23 1.1.24 1.2.1 1.2.2 1.3.1 1.3.2 1.3.3 1.4.1 1.4.2 1.5.1 1.5.2 1.5.3 1.6.1 1.6.2 1.6.3 1.6.4 1.7.1.1 1.7.1.2 1.7.1.3 1.8.1.1 1.8.1.2 1.8.1.3 1.8.1.4 1.8.1.5 1.8.1.6 1.9 1.10"
+      ruleset2="2.1.1 2.1.2 2.2.1.1 2.2.1.2 2.2.1.3 2.2.1.4 2.2.2 2.2.3 2.2.4 2.2.5 2.2.6 2.2.7 2.2.8 2.2.9 2.2.10 2.2.11 2.2.12 2.2.13 2.2.14 2.2.15 2.2.17 2.3.1 2.3.2 2.3.3 2.3.4 2.3.5 2.3.6 2.4"
+      ruleset3="3.1.2 3.2.1 3.2.2 3.3.1 3.3.2 3.3.3 3.3.4 3.3.5 3.3.6 3.3.7 3.3.8 3.3.9 3.5.1.1 3.5.1.2 3.5.1.3 3.5.1.4 3.5.1.5 3.5.1.6 3.5.1.7 3.5.2.1 3.5.2.2 3.5.2.3 3.5.2.4 3.5.2.5 3.5.2.6 3.5.2.7 3.5.2.8 3.5.2.9 3.5.2.10 3.5.3.1.1 3.5.3.1.2 3.5.3.2.1 3.5.3.2.2 3.5.3.2.3 3.5.3.2.4 3.5.3.3.1 3.5.3.3.2 3.5.3.3.3 3.5.3.3.4"
+      ruleset4="4.2.1.1 4.2.1.2 4.2.1.3 4.2.1.4 4.2.1.5 4.2.1.6 4.2.2.1 4.2.2.2 4.2.2.3 4.2.3 4.3 4.4"
+      ruleset5="5.1.1 5.1.2 5.1.3 5.1.4 5.1.5 5.1.6 5.1.7 5.1.8 5.1.9 5.2.1 5.2.2 5.2.3 5.2.4 5.2.6 5.2.7 5.2.8 5.2.9 5.2.10 5.2.11 5.2.12 5.2.13 5.2.14 5.2.15 5.2.16 5.2.17 5.2.18 5.2.19 5.2.21 5.2.22 5.3.1 5.3.2 5.3.3 5.3.4 5.4.1.1 5.4.1.2 5.4.1.3 5.4.1.4 5.4.1.5 5.4.2 5.4.3 5.4.4 5.4.5 5.5 5.6"
+      ruleset6="6.1.2 6.1.3 6.1.4 6.1.5 6.1.6 6.1.7 6.1.8 6.1.9 6.1.10 6.1.11 6.1.12 6.1.13 6.1.14 6.2.1 6.2.2 6.2.3 6.2.4 6.2.5 6.2.6 6.2.7 6.2.8 6.2.9 6.2.10 6.2.11 6.2.12 6.2.13 6.2.14 6.2.15 6.2.16 6.2.17"
+  preruncmd:
+    - locale-gen en_GB.UTF-8; update-locale
+    - sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys A166877412DAC26E73CEBF3FF6C280178D13028C
+    - sudo add-apt-repository "deb http://192.168.1.12/private-ppa.launchpad.net/ubuntu-advantage/security-benchmarks/ubuntu focal main"
+    - sudo apt update
+    - sudo DEBIAN_FRONTEND=noninteractive apt install -y -q usg-cisbenchmark
+    - cd /usr/share/ubuntu-scap-security-guides/cis-hardening; ./Canonical_Ubuntu_20.04_CIS-harden.sh -f /tmp/cis-hardening.conf custom
+    # remove auditd as added by Hardening script but is not supported on containers
+    - "systemd-detect-virt --container && apt purge -y auditd"
+    - "systemd-detect-virt --container && rm -rf /root/99-post-juju.yaml"
+    - "! systemd-detect-virt --container && mv /root/99-post-juju.yaml /etc/netplan/99-post-juju.yaml"
+    - "! systemd-detect-virt --container && sudo lxc profile set default security.nesting true"
+    - sudo netplan apply
+
+default-series: "focal"
+apt-mirror: http://192.168.1.12/archive.ubuntu.com/ubuntu
--- a/config/juju-model-default.yaml
+++ b/config/juju-model-default.yaml
@ -29,4 +29,4 @@ cloudinit-userdata: |
    - sudo netplan apply

 default-series: "bionic"
-apt-mirror: http://192.168.1.12/ubuntu
+apt-mirror: http://192.168.1.12/archive.ubuntu.com/ubuntu
--- a/config/juju_deploy.sh
+++ b/config/juju_deploy.sh
@ -1,17 +0,0 @@
-#!/bin/bash
-
-juju deploy ./bundle.yaml \
-    --overlay ./overlays/ovs.yaml \
-    --overlay ./overlays/hostnames.yaml \
-    --overlay ./overlays/ldap.yaml \
-    --overlay ./overlays/resources.yaml \
-    --overlay ./overlays/openstack_versioned_overlay.yaml \
-    --overlay ./overlays/stsstack.yaml $*
-
-#    --overlay ./overlays/contrail.yaml \
-#    --overlay ./overlays/openstack_versioned_overlay.yaml \
-#    --overlay ./overlays/openstack_versioned_overlay_gemini.yaml \
-#    --overlay ./overlays/contrail_versioned_overlay.yaml \
-#    --overlay ./overlays/ssl.yaml \
-#    --overlay ./overlays/contrail.yaml \
-#    --overlay ./overlays/contrail_versioned_overlay.yaml \
--- a/config/juju_deploy.sh
+++ b/config/juju_deploy.sh
@ -0,0 +1 @@
+juju_deploy_bionic.sh
--- a/config/juju_deploy_bionic.sh
+++ b/config/juju_deploy_bionic.sh
@ -0,0 +1,21 @@
+#!/bin/bash
+
+series=bionic
+
+juju model-config juju-model-default-cis-${series}.yaml
+
+juju deploy ./bundle_${series}.yaml \
+    --overlay ./overlays/ovs.yaml \
+    --overlay ./overlays/hostnames.yaml \
+    --overlay ./overlays/ldap.yaml \
+    --overlay ./overlays/resources.yaml \
+    --overlay ./overlays/openstack_versioned_overlay_${series}.yaml \
+    --overlay ./overlays/stsstack.yaml $*
+
+#    --overlay ./overlays/contrail.yaml \
+#    --overlay ./overlays/openstack_versioned_overlay.yaml \
+#    --overlay ./overlays/openstack_versioned_overlay_gemini.yaml \
+#    --overlay ./overlays/contrail_versioned_overlay.yaml \
+#    --overlay ./overlays/ssl.yaml \
+#    --overlay ./overlays/contrail.yaml \
+#    --overlay ./overlays/contrail_versioned_overlay.yaml \
--- a/config/juju_deploy_focal.sh
+++ b/config/juju_deploy_focal.sh
@ -0,0 +1,21 @@
+#!/bin/bash
+
+series=focal
+
+juju model-config juju-model-default-cis-${series}.yaml
+
+juju deploy ./bundle_${series}.yaml \
+    --overlay ./overlays/ovs.yaml \
+    --overlay ./overlays/hostnames.yaml \
+    --overlay ./overlays/ldap.yaml \
+    --overlay ./overlays/resources.yaml \
+    --overlay ./overlays/openstack_versioned_overlay_${series}.yaml \
+    --overlay ./overlays/stsstack.yaml $*
+
+#    --overlay ./overlays/contrail.yaml \
+#    --overlay ./overlays/openstack_versioned_overlay.yaml \
+#    --overlay ./overlays/openstack_versioned_overlay_gemini.yaml \
+#    --overlay ./overlays/contrail_versioned_overlay.yaml \
+#    --overlay ./overlays/ssl.yaml \
+#    --overlay ./overlays/contrail.yaml \
+#    --overlay ./overlays/contrail_versioned_overlay.yaml \
--- a/config/overlays/openstack_versioned_overlay_bionic.yaml
+++ b/config/overlays/openstack_versioned_overlay_bionic.yaml
@ -19,8 +19,8 @@ applications:
 #    charm: cs:ceph-radosgw-283
  cinder:
    charm: cs:cinder-297
-  cinder2:
-    charm: cs:cinder-297
+#  cinder2:
+#    charm: cs:cinder-297
  cinder-ceph:
    charm: cs:cinder-ceph-251
  easyrsa:
@ -47,8 +47,8 @@ applications:
    charm: cs:hacluster-63
  hacluster-cinder:
    charm: cs:hacluster-63
-  hacluster-cinder2:
-    charm: cs:hacluster-63
+#  hacluster-cinder2:
+#    charm: cs:hacluster-63
  hacluster-glance:
    charm: cs:hacluster-63
  hacluster-gnocchi:
--- a/config/overlays/ovs.yaml
+++ b/config/overlays/ovs.yaml
@ -14,8 +14,7 @@ applications:
      scheduler-default-filters: *nova-default-filters
  nova-compute:
    options:
-      # AppArmor needs to be disabled: LP:1820302
-      aa-profile-mode: disable 
+      aa-profile-mode: complain
  neutron-api:
    options:
      vlan-ranges: *vlan-ranges
--- a/scripts/other-scripts/init_vault.sh
+++ b/scripts/other-scripts/init_vault.sh
@ -0,0 +1,30 @@
+#!/bin/bash
+
+vault_vip=$(juju config vault vip)
+echo export VAULT_ADDR="http://${vault_vip}:8200"
+export VAULT_ADDR="http://${vault_vip}:8200"
+
+vault operator init -key-shares=5 -key-threshold=3 > ../../secrets/vault.txt
+
+echo " "
+
+IPS=$(juju status vault --format json  | jq '.applications.vault.units | to_entries[] | .value."public-address"' | sed s/\"//g)
+
+for ip in $IPS;do
+  echo export VAULT_ADDR=http://${ip}:8200;
+  export VAULT_ADDR=http://${ip}:8200;
+  for vault_key in $(head -n3 ../../secrets/vault.txt | awk '{print $4}');do
+    echo vault operator unseal -tls-skip-verify $vault_key
+    vault operator unseal -tls-skip-verify $vault_key
+  done;
+done;
+
+initial_token=$(grep Initial ../../secrets/vault.txt | awk '{print $4}')
+
+export VAULT_TOKEN=${initial_token}
+
+vault token create -ttl=10m > ../../secrets/vault-token.txt
+
+token=$(cat ../../secrets/vault-token.txt | grep token | head -n 1 | awk '{print $2}')
+
+juju run-action --wait vault/leader authorize-charm token=${token}
--- a/secrets/vault.txt
+++ b/secrets/vault.txt
@ -1,10 +1,10 @@
-Unseal Key 1: L3OvWpS8dYyIl9mxJ/rn46cn5uVlf9FVZOfngf6K03b+
-Unseal Key 2: OYnjKwMDar1pAWB8XFuwq0x6TyTBRaT5BvcG6J1jNKDJ
-Unseal Key 3: aKvnqpX+6kWIJe1GWR8M/joJpDissExSk1oYC1vO5lmy
-Unseal Key 4: 76IAnSGfbnugZCDBgtoLMsAnhmErr6N9aJnuEAQrUP//
-Unseal Key 5: +VhM7LYgcUpB8pkM+Xtceit6L6CPldbRCokPeWfCtynI
+Unseal Key 1: oMGA8W+TK7m5j6+Q03+2lPbWWQh+jpXG2SAY2CAlFhjV
+Unseal Key 2: C02Te6hwirjAGwVpkcgjbgBwy4yLjRNF78zONv08DTdE
+Unseal Key 3: iR6klzFrGeNBBYy+3iPHjWmdZEF2laQ/6UekkV9P8OSD
+Unseal Key 4: c4o5tfs2mbP6NxXEd2IZHG+pgE79r4CQYxjRPNcEgKlw
+Unseal Key 5: HocK1RoX8Yi2vMVS6PpA69dd5fQzWDLj8mbm/tyfV4aW

-Initial Root Token: s.MC3kjNzrLhBuPk2DCrOzVrcw
+Initial Root Token: s.ueSOq2WWU9SY9Ikaj91EvTA9

 Vault initialized with 5 key shares and a key threshold of 3. Please securely
 distribute the key shares printed above. When the Vault is re-sealed,