From d330f441947ead023b95891396ba6e3caa6eda65 Mon Sep 17 00:00:00 2001 From: Anders Kaseorg Date: Tue, 12 Jun 2018 17:02:40 -0400 Subject: [PATCH 001/736] Log suspicious DNS queries based on Spamhaus DBL Signed-off-by: Anders Kaseorg --- server/fedora/config/etc/named.conf | 4 +- server/fedora/config/etc/scripts/shackle | 258 ++++++++++++++++++ .../config/etc/systemd/system/shackle.service | 5 + .../config/etc/systemd/system/shackle.socket | 6 + 4 files changed, 271 insertions(+), 2 deletions(-) create mode 100755 server/fedora/config/etc/scripts/shackle create mode 100644 server/fedora/config/etc/systemd/system/shackle.service create mode 100644 server/fedora/config/etc/systemd/system/shackle.socket diff --git a/server/fedora/config/etc/named.conf b/server/fedora/config/etc/named.conf index 2e80fcd4..58ab7991 100644 --- a/server/fedora/config/etc/named.conf +++ b/server/fedora/config/etc/named.conf @@ -8,8 +8,8 @@ // options { - listen-on port 53 { 127.0.0.1; }; - listen-on-v6 port 53 { ::1; }; + listen-on port 54 { 127.0.0.1; }; + listen-on-v6 port 54 { ::1; }; directory "/var/named"; dump-file "/var/named/data/cache_dump.db"; statistics-file "/var/named/data/named_stats.txt"; diff --git a/server/fedora/config/etc/scripts/shackle b/server/fedora/config/etc/scripts/shackle new file mode 100755 index 00000000..efc0abb8 --- /dev/null +++ b/server/fedora/config/etc/scripts/shackle 
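Review bot: Moving named to port 54 means the Spamhaus DBL logging only covers clients that send to the default port 53, since any local process can still resolve through 127.0.0.1:54 directly and nothing in this hunk records that the new port is an internal upstream rather than a service in its own right. A comment above the two `listen-on` lines, `// port 54 is the upstream for /etc/scripts/shackle, which listens on 53 and logs DBL hits; queries sent straight to 54 are not logged`, would make that coverage gap explicit for the next person who edits this file.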
@@ -0,0 +1,258 @@
+#!/usr/bin/python
+
+import copy
+import ctypes
+import pwd
+import socket
+from socket import AF_INET, AF_INET6, inet_pton
+import struct
+import sys
+import syslog
+from twisted.internet import address, error, reactor, udp
+from twisted.names import client, dns, server
+from twisted.python import log, systemd
+
+DBL_MIN_TIMEOUT_SECS = 0.5
+
+try:
+ libpsl = ctypes.cdll.LoadLibrary("libpsl.so.5")
+except OSError:
+ libpsl = ctypes.cdll.LoadLibrary("libpsl.so.0")
+
+
+class psl_ctx_t(ctypes.Structure):
+ pass
+
+
+psl_builtin = libpsl.psl_builtin
+psl_builtin.restype = ctypes.POINTER(psl_ctx_t)
+psl_builtin.argtypes = ()
+
+psl_registrable_domain = libpsl.psl_registrable_domain
+psl_registrable_domain.restype = ctypes.c_char_p
+psl_registrable_domain.argtypes = (ctypes.POINTER(psl_ctx_t), ctypes.c_char_p)
+
+LOG_AUTHPRIV = 80
+
+addrFamily = {address.IPv4Address: AF_INET, address.IPv6Address: AF_INET6}
+tableFile = {
+ (AF_INET, "UDP"): "/proc/net/udp",
+ (AF_INET6, "UDP"): "/proc/net/udp6",
+ (AF_INET, "TCP"): "/proc/net/tcp",
+ (AF_INET6, "TCP"): "/proc/net/tcp6",
+}
+
+MIN_UNSCRUPULOUS = inet_pton(AF_INET, "127.0.1.0")
+MAX_UNSCRUPULOUS = inet_pton(AF_INET, "127.0.1.99")
+
+dblExplain = {
+ inet_pton(AF_INET, "127.0.1.2"): "spam domain",
+ inet_pton(AF_INET, "127.0.1.4"): "phish domain",
+ inet_pton(AF_INET, "127.0.1.5"): "malware domain",
+ inet_pton(AF_INET, "127.0.1.6"): "botnet C&C domain",
+ inet_pton(AF_INET, "127.0.1.102"): "abused legit spam",
+ inet_pton(AF_INET, "127.0.1.103"): "abused spammed redirector domain",
+ inet_pton(AF_INET, "127.0.1.104"): "abused legit phish",
+ inet_pton(AF_INET, "127.0.1.105"): "abused legit malware",
+ inet_pton(AF_INET, "127.0.1.106"): "abused legit botnet C&C",
+ inet_pton(AF_INET, "127.0.1.255"): "IP queries prohibited!",
+}
+
+
+class MousetrapQuery(object):
+ def __init__(self, factory, message, protocol, address, peer, query, domain):
+ self.factory = factory
+ self.message = message
+ self.protocol = protocol
+ self.address = address
+ self.peer = peer
+ self.query = query
+ self.done = False
+ self.dblDone = False
+ self.deferred = self.factory.resolver.query(query).addCallbacks(
+ self.gotResponse, self.gotError
+ )
+ self.dblDeferred = self.factory.resolver.query(
+ dns.Query(domain + ".dbl.spamhaus.org")
+ ).addCallbacks(self.gotDBLResponse, self.gotDBLError)
+ self.timeoutCall = reactor.callLater(DBL_MIN_TIMEOUT_SECS, self.timeoutDBL)
+
+ def update(self):
+ if self.done and self.dblDone:
+ if self.ok:
+ self.factory.gotResolverResponse(
+ self.result, self.message, self.protocol, self.address
+ )
+ else:
+ self.factory.gotResolverError(
+ self.result, self.message, self.protocol, self.address
+ )
+
+ def gotResponse(self, response):
+ self.done = True
+ self.ok = True
+ self.result = response
+ self.update()
+
+ def gotError(self, fail):
+ self.done = True
+ self.ok = False
+ self.result = fail
+ self.update()
+
+ def gotDBLResponse(self, response):
+ family = addrFamily[type(self.peer)]
+ packed = inet_pton(family, self.peer.host)
+ chunks = len(packed) // 4
+ src_hex = ( # WTF?
+ ("{:08X}" * chunks).format(*struct.unpack("<{}I".format(chunks), packed))
+ + ":{:04X}".format(self.peer.port)
+ ).encode()
+ src0_hex = ("0" * 8 * chunks + ":{:04X}".format(self.peer.port)).encode()
+
+ with open(tableFile[family, self.peer.type], "rb") as f:
+ for line in f:
+ line = line.split()
+ if line[1] == src_hex or line[1] == src0_hex:
+ uid = int(line[7])
+ break
+ else:
+ return
+
+ try:
+ username = pwd.getpwuid(uid).pw_name
+ except KeyError:
+ username = None
+ user = "%d" % uid
+ else:
+ user = "%d %r" % (uid, username)
+
+ dblAddress = response[0][0].payload.address
+ if MIN_UNSCRUPULOUS <= dblAddress <= MAX_UNSCRUPULOUS and username not in [
+ "postfix",
+ "sa-milt",
+ ]:
+ syslog.syslog(
+ syslog.LOG_WARNING | LOG_AUTHPRIV,
+ "unscrupulous query %r (%s) by uid %s"
+ % (str(self.query.name), dblExplain.get(dblAddress), user),
+ )
+
+ self.dblDone = True
+ self.timeoutCall.cancel()
+ self.update()
+
+ def gotDBLError(self, fail):
+ self.dblDone = True
+ self.timeoutCall.cancel()
+ self.update()
+
+ def timeoutDBL(self):
+ self.dblDone = True
+ self.dblDeferred.cancel()
+ self.update()
+
+
+class MousetrapDNSServerFactory(server.DNSServerFactory, object):
+ def __init__(self, resolver, verbose=0):
+ super(MousetrapDNSServerFactory, self).__init__(verbose=verbose)
+ self.psl = psl_builtin()
+ assert self.psl, "Could not load public suffix list"
+ self.resolver = resolver
+ self.canRecurse = True
+
+ def handleQuery(self, message, protocol, address):
+ if address:
+ peer = copy.copy(protocol.transport.getHost())
+ peer.host, peer.port = address
+ else:
+ peer = protocol.transport.getPeer()
+ query = message.queries[0]
+ name = str(query.name)
+ domain = psl_registrable_domain(self.psl, name)
+ if domain is None or domain.endswith(".in-addr.arpa"):
+ return (
+ self.resolver.query(query)
+ .addCallback(self.gotResolverResponse, protocol, message, address)
+ .addErrback(self.gotResolverError, protocol, message, address)
+ )
+ else:
+ MousetrapQuery(self, protocol, message, address, peer, query, domain)
+
+
+try:
+ adoptDatagramPort = reactor.adoptDatagramPort
+except AttributeError:
+
+ class PreexistingUDPPort(udp.Port):
+ @classmethod
+ def _fromListeningDescriptor(
+ cls, reactor, fd, addressFamily, protocol, maxPacketSize
+ ):
+ port = socket.fromfd(fd, addressFamily, cls.socketType)
+ interface = port.getsockname()[0]
+ self = cls(
+ None,
+ protocol,
+ interface=interface,
+ reactor=reactor,
+ maxPacketSize=maxPacketSize,
+ )
+ self._preexistingSocket = port
+ return self
+
+ def _bindSocket(self):
+ if self._preexistingSocket is None:
+ super(PreexistingUDPPort, self)._bindSocket()
+ else:
+ skt = self._preexistingSocket
+ self._preexistingSocket = None
+ self._realPortNumber = skt.getsockname()[1]
+
+ log.msg(
+ "%s starting on %s"
+ % (self._getLogPrefix(self.protocol), self._realPortNumber)
+ )
+
+ self.connected = 1
+ self.socket = skt
+ self.fileno = self.socket.fileno
+
+ def adoptDatagramPort(fileDescriptor, addressFamily, protocol, maxPacketSize=8192):
+ if addressFamily not in (AF_INET, AF_INET6):
+ raise error.UnsupportedAddressFamily(addressFamily)
+
+ p = PreexistingUDPPort._fromListeningDescriptor(
+ reactor,
+ fileDescriptor,
+ addressFamily,
+ protocol,
+ maxPacketSize=maxPacketSize,
+ )
+ p.startListening()
+ return p
+
+
+def main():
+ upstreamAddr = sys.argv[1]
+ upstreamPort = int(sys.argv[2])
+ syslog.openlog("shackle")
+ resolver = client.Resolver(servers=[(upstreamAddr, upstreamPort)])
+ factory = MousetrapDNSServerFactory(resolver)
+
+ for fd, domain, type in zip(
+ systemd.ListenFDs.fromEnvironment().inheritedDescriptors(),
+ sys.argv[3::2],
+ sys.argv[4::2],
+ ):
+ family = getattr(socket, "AF_" + domain)
+ if type == "DGRAM":
+ adoptDatagramPort(fd, family, dns.DNSDatagramProtocol(controller=factory))
+ elif type == "STREAM":
+ reactor.adoptStreamPort(fd, family, factory)
+
+ reactor.run()
+
+
+if __name__ == "__main__":
+ main()
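Review bot: `gotDBLError` cancels `self.timeoutCall` unconditionally, but when it is reached because `timeoutDBL` called `self.dblDeferred.cancel()` the delayed call has already fired (Twisted marks a DelayedCall as called before running it), so `cancel()` raises `AlreadyCalled` inside the errback and leaves an unhandled failure on the DBL deferred; guard the cancel in both `gotDBLResponse` and `gotDBLError` with `if self.timeoutCall.active(): self.timeoutCall.cancel()`. The early `return` in `gotDBLResponse` when the peer's socket is not found in the `/proc/net/*` table leaves `dblDone` unset, so the client's answer is held until the timeout fires; setting `self.dblDone = True` and calling `self.update()` before that `return` (with the same guarded cancel) releases it immediately. `handleQuery` passes `protocol, message` to a constructor whose parameters are named `message, protocol`, and `update` only works because it forwards them in the same swapped order to `gotResolverResponse(response, protocol, message, address)`; renaming the `__init__` parameters to match the call would remove that trap. Note also that `response[0][0]` raises `IndexError` on a DBL reply with an empty answer section, and that the uid lookup reads the `/proc/net` table only after the DBL round-trip, so short-lived client sockets are often gone by then; a comment above the `with open(...)` loop should say the syslog line is best-effort attribution, not an enforcement control.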
diff --git a/server/fedora/config/etc/systemd/system/shackle.service b/server/fedora/config/etc/systemd/system/shackle.service
new file mode 100644
index 00000000..7ceb7662
--- /dev/null
+++ b/server/fedora/config/etc/systemd/system/shackle.service
@@ -0,0 +1,5 @@
+[Service]
+ExecStart=/etc/scripts/shackle 127.0.0.1 54 INET STREAM INET DGRAM
+NonBlocking=true
+User=nobody
+Group=nobody
diff --git a/server/fedora/config/etc/systemd/system/shackle.socket b/server/fedora/config/etc/systemd/system/shackle.socket
new file mode 100644
index 00000000..67206190
--- /dev/null
+++ b/server/fedora/config/etc/systemd/system/shackle.socket
@@ -0,0 +1,6 @@
+[Socket]
+ListenStream=127.0.0.1:53
+ListenDatagram=127.0.0.1:53
+
+[Install]
+WantedBy=sockets.target
From 7d219b5593e4da6b4b6bbab547481bd1d8b98028 Mon Sep 17 00:00:00 2001 From: Quentin Smith Date: Tue, 21 May 2019 00:24:00 -0400 Subject: [PATCH 002/736] Kickstart file to run Ansible on a new XVM --- server/fedora/ansible-config-me.service | 10 +++++ server/fedora/ansible-config-me.sh | 9 ++++ server/fedora/ks/kickstart.txt | 56 +++++++++++++++++++++++++ 3 files changed, 75 insertions(+) create mode 100644 server/fedora/ansible-config-me.service create mode 100644 server/fedora/ansible-config-me.sh create mode 100644 server/fedora/ks/kickstart.txt
diff --git a/server/fedora/ansible-config-me.service b/server/fedora/ansible-config-me.service
new file mode 100644
index 00000000..33cf8e54
--- /dev/null
+++ b/server/fedora/ansible-config-me.service
@@ -0,0 +1,10 @@
+[Unit]
+Description=Run ansible-pull at first boot to apply environment configuration
+After=network-online.target
+
+[Service]
+ExecStart=/srv/repository/server/fedora/.sh
+Type=oneshot
+
+[Install]
+WantedBy=multi-user.target
diff --git a/server/fedora/ansible-config-me.sh b/server/fedora/ansible-config-me.sh
new file mode 100644
index 00000000..5707f116
--- /dev/null
+++ b/server/fedora/ansible-config-me.sh
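Review bot: `main()` in shackle pairs the inherited descriptors positionally with the `INET STREAM INET DGRAM` arguments from `ExecStart`, so this unit's `ListenStream` must stay ahead of `ListenDatagram` or the TCP socket is handed to the datagram protocol and vice versa, and nothing in either unit records that coupling. Add `# Order matters: shackle.service's ExecStart arguments assume the stream socket is passed first, then the datagram socket` above `ListenStream`.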
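Review bot: `After=network-online.target` only orders the unit; without `Wants=network-online.target` the target is not pulled in, so at first boot the playbook can start before the network is usable and any task that needs it fails, leaving the unit enabled for another attempt on the next boot because the script only disables itself on success. Add `Wants=network-online.target` next to the `After=` line. The `Description` says ansible-pull, but the script this commit adds runs `ansible-playbook` against the local checkout; matching the wording avoids confusion when reading `systemctl status` output.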
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+set -e
+set -x
+
+cd /srv/repository/ansible
+ansible-playbook playbook.yml
+
+systemctl disable ansible-config-me.service
diff --git a/server/fedora/ks/kickstart.txt b/server/fedora/ks/kickstart.txt
new file mode 100644
index 00000000..aaba4edc
--- /dev/null
+++ b/server/fedora/ks/kickstart.txt
@@ -0,0 +1,56 @@
+# from http://ezyang.scripts.mit.edu/kickstart/scripts.php?type=xvm&release=30&hostname=feral-purrbeast.xvm.mit.edu
+
+# Kickstart file for scripts.mit.edu
+
+install
+
+url --url=http://mirrors.mit.edu/fedora/linux/releases/30/Server/x86_64/os
+
+lang en_US.UTF-8
+keyboard us
+#network --device eth0 --bootproto static --ip 18.49.4.31 --netmask 255.255.0.0 --gateway 18.49.0.1 --nameserver 18.70.0.160 --nameserver 18.71.0.151 --nameserver 18.72.0.3 --hostname feral-purrbeast.xvm.mit.edu
+#network --device eth1 --bootproto static --ip 172.21.4.31 --netmask 255.255.0.0
+
+timezone --utc America/New_York
+selinux --disabled
+authconfig --enableshadow --passalgo=sha512 --enablefingerprint
+firewall --disabled
+
+clearpart --all --drives=xvda --initlabel
+ignoredisk --only-use=xvda
+part / --fstype=ext4 --grow --asprimary --size=1
+part swap --grow --size=1
+
+# console=hvc0 makes this VM work as an XVM ParaVM (which is what we
+# eventually want to be running as, not HVM which we have to do
+# for boot CDs).
+# biosdevname=0 disables clever device naming, which happens when Fedora
+# is unable to tell that we are running as a VM.
+bootloader --location=mbr --driveorder=xvda --append="console=hvc0 rhgb quiet biosdevname=0"
+
+#repo --name="fedora30" --baseurl=http://download3.fedora.redhat.com/pub/fedora/linux/releases/30/Everything/x86_64/os/
+#repo --name="updates30" --baseurl=http://download3.fedora.redhat.com/pub/fedora/linux/updates/30/Everything/x86_64/
+
+# --disabled=avahi-daemon,nfslock,pcscd,rpcgssd,rpcidmapd,sendmail
+services --enabled=named,ntpd,network --disabled=rpcbind
+
+user --name=scripts-build --groups=mock
+
+poweroff
+
+%packages
+@core
+@online-docs
+@standard
+@system-tools
+ansible
+git
+%end
+
+%post --erroronfail --log=/root/ks-post.log
+set -e
+cd /srv
+git clone -b ansible-realserver https://github.com/mit-scripts/scripts repository
+chown -R scripts-build /srv/repository
+ln -s /srv/repository/server/fedora/ansible-config-me.service /etc/systemd/system/
+%end
From 8fcab60d94d7fcdd63101fa623cdf984e34e6b14 Mon Sep 17 00:00:00 2001 From: Quentin Smith Date: Tue, 21 May 2019 01:25:13 -0400 Subject: [PATCH 003/736] Basic ansible rules for realservers --- ansible/inventory.yml | 4 ++++ ansible/playbook.yml | 3 +++ server/fedora/ks/kickstart.txt | 6 ++++-- 3 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/ansible/inventory.yml b/ansible/inventory.yml
index d7b3ef32..e00da96a 100644
--- a/ansible/inventory.yml
+++ b/ansible/inventory.yml
@@ -65,3 +65,7 @@ all:
 hosts:
 log-flume.mit.edu: {}
 log-normal.mit.edu: {}
+
+ scripts-real:
+ hosts:
+ quentin-scripts-f30.xvm.mit.edu: {}
diff --git a/ansible/playbook.yml b/ansible/playbook.yml
index b7396ba3..a9329ccd 100644
--- a/ansible/playbook.yml
+++ b/ansible/playbook.yml
@@ -3,3 +3,6 @@ - import_playbook: scripts-directors-cib.yml - import_playbook: scripts-syslog.yml + +- import_playbook: scripts-real.yml +
diff --git a/server/fedora/ks/kickstart.txt b/server/fedora/ks/kickstart.txt
index aaba4edc..108befcf 100644
--- a/server/fedora/ks/kickstart.txt
+++ b/server/fedora/ks/kickstart.txt
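Review bot: `%post` hands the whole checkout to the unprivileged `scripts-build` account with `chown -R scripts-build /srv/repository`, while the `ansible-config-me.service` it links in runs `/srv/repository/server/fedora/ansible-config-me.sh` as root with no `User=`, so on first boot root executes files owned and writable by an ordinary user. Keep the tree root-owned (drop the `chown -R`, or limit it to the paths `scripts-build` actually needs to write) or have the unit run the playbook from a root-owned copy. `selinux --disabled` and `firewall --disabled` each deserve a one-line comment saying why the realserver image needs them off, since they are the first lines a reviewer of this file will question. The `git clone -b ansible-realserver` line takes whatever the branch head is at install time; pinning a commit, or at least logging `git rev-parse HEAD` into `/root/ks-post.log`, would make a build reproducible and auditable.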
@@ -4,7 +4,9 @@ install -url --url=http://mirrors.mit.edu/fedora/linux/releases/30/Server/x86_64/os +text + +url --url=http://mirrors.mit.edu/fedora/linux/releases/30/Everything/x86_64/os lang en_US.UTF-8 keyboard us @@ -40,8 +42,8 @@ poweroff %packages @core -@online-docs @standard +@online-docs @system-tools ansible git From 620264e0e48633c9f1fa77277a1562176c73b3cd Mon Sep 17 00:00:00 2001 From: Quentin Smith Date: Tue, 21 May 2019 01:47:03 -0400 Subject: [PATCH 004/736] Move configuration nrpe to a role --- ansible/roles/nrpe/handlers/main.yml | 10 ++++++++++ ansible/roles/nrpe/tasks/main.yml | 19 +++++++++++++++++++ ansible/scripts-directors.yml | 9 +-------- ansible/scripts-real.yml | 9 +++++++++ 4 files changed, 39 insertions(+), 8 deletions(-) create mode 100644 ansible/roles/nrpe/handlers/main.yml create mode 100644 ansible/roles/nrpe/tasks/main.yml create mode 100644 ansible/scripts-real.yml diff --git a/ansible/roles/nrpe/handlers/main.yml b/ansible/roles/nrpe/handlers/main.yml new file mode 100644 index 00000000..b51cf678 --- /dev/null +++ b/ansible/roles/nrpe/handlers/main.yml @@ -0,0 +1,10 @@ +--- +- name: restart nrpe debian + listen: restart nrpe + service: name=nagios-nrpe-server state=restarted + when: ansible_os_family == "Debian" +- name: restart nrpe redhat + listen: restart nrpe + service: name=nrpe state=restarted + when: ansible_os_family == "RedHat" + diff --git a/ansible/roles/nrpe/tasks/main.yml b/ansible/roles/nrpe/tasks/main.yml new file mode 100644 index 00000000..11f89d9c --- /dev/null +++ b/ansible/roles/nrpe/tasks/main.yml 
@@ -0,0 +1,19 @@ +--- +- name: Install nrpe + apt: + name: "nagios-nrpe-server" + state: present + when: ansible_os_family == "Debian" +- name: Install nrpe + yum: + name: nrpe + state: present + when: ansible_os_family == "RedHat" +- name: Configure nrpe + line: include=/etc/nagios/nrpe_local.cfg + notify: restart nrpe +- name: Configure nrpe 2 + copy: + dest: /etc/nagios/nrpe_local.cfg + src: nrpe_local.cfg + notify: restart nrpe diff --git a/ansible/scripts-directors.yml b/ansible/scripts-directors.yml index cc3adf6c..9e4e92df 100644 --- a/ansible/scripts-directors.yml +++ b/ansible/scripts-directors.yml @@ -27,7 +27,6 @@ - mlocate - lighttpd - lighttpd-mod-magnet - - nagios-nrpe-server - pacemaker - pacemaker-cli-utils - crmsh @@ -54,6 +53,7 @@ - lvs-iptables - lvs-lighttpd - munin-node + - nrpe tasks: - name: Install munin cps plugin copy: @@ -81,11 +81,6 @@ [cps_3_0] env.graph_title Load balanced SMTP connections notify: restart munin-node - - name: Configure nrpe - copy: - dest: /etc/nagios/nrpe_local.cfg - src: files/nrpe_local.cfg - notify: restart nrpe - name: Load IPVS modules copy: dest: /etc/modules-load.d/lvs.conf @@ -146,7 +141,5 @@ service: name=ipvsadm state=restarted - name: reboot include_tasks: reboot.yml - - name: restart nrpe - service: name=nagios-nrpe-server state=restarted - name: setup setup: diff --git a/ansible/scripts-real.yml b/ansible/scripts-real.yml new file mode 100644 index 00000000..7f9f7f62 --- /dev/null +++ b/ansible/scripts-real.yml @@ -0,0 +1,9 @@ +- hosts: scripts-real + serial: 1 + roles: + - k5login + - syslog-client + - root-aliases + - munin-node + - nrpe + From b158bfa74bdf17124a6bac5b026bc5fd714832f0 Mon Sep 17 00:00:00 2001 
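Review bot: `Configure nrpe 2` copies `src: nrpe_local.cfg`, which Ansible resolves to `roles/nrpe/files/nrpe_local.cfg`, but this commit's diffstat adds only the role's `handlers/main.yml` and `tasks/main.yml` and leaves the existing `files/nrpe_local.cfg` where the directors play used it, so the task fails with a missing-source error on the first run of either play. Move the file into the role (`git mv ansible/files/nrpe_local.cfg ansible/roles/nrpe/files/nrpe_local.cfg`, path inferred from the removed `src: files/nrpe_local.cfg` line) in the same change.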
From: Quentin Smith Date: Tue, 21 May 2019 02:18:56 -0400 Subject: [PATCH 005/736] Update roles to support RedHat --- ansible/roles/k5login/handlers/main.yml | 9 ++++++++- ansible/roles/munin-node/tasks/main.yml | 10 ++++++---- ansible/roles/nrpe/tasks/main.yml | 12 ++++-------- ansible/roles/syslog-client/tasks/main.yml | 6 +++++- ansible/scripts-real.yml | 2 +- 5 files changed, 24 insertions(+), 15 deletions(-) diff --git a/ansible/roles/k5login/handlers/main.yml b/ansible/roles/k5login/handlers/main.yml index a5df68bb..05f83613 100644 --- a/ansible/roles/k5login/handlers/main.yml +++ b/ansible/roles/k5login/handlers/main.yml @@ -1,2 +1,9 @@ -- name: reload ssh +- name: reload ssh debian + listen: reload ssh service: name=ssh state=reloaded + when: ansible_os_family == "Debian" +- name: reload ssh redhat + listen: reload ssh + service: name=sshd state=reloaded + when: ansible_os_family == "RedHat" + diff --git a/ansible/roles/munin-node/tasks/main.yml b/ansible/roles/munin-node/tasks/main.yml index 23f6ac14..6e61e579 100644 --- a/ansible/roles/munin-node/tasks/main.yml +++ b/ansible/roles/munin-node/tasks/main.yml @@ -1,8 +1,10 @@ --- -- name: Install munin-node - apt: - name: munin-node - state: present +- name: Install munin-node debian + apt: name=munin-node state=present + when: ansible_os_family == "Debian" +- name: Install munin-node redhat + dnf: name=munin-node state=present + when: ansible_os_family == "RedHat" - name: Configure munin blockinfile: path: /etc/munin/munin-node.conf diff --git a/ansible/roles/nrpe/tasks/main.yml b/ansible/roles/nrpe/tasks/main.yml index 11f89d9c..45445771 100644 --- a/ansible/roles/nrpe/tasks/main.yml +++ b/ansible/roles/nrpe/tasks/main.yml 
@@ -1,13 +1,9 @@ --- -- name: Install nrpe - apt: - name: "nagios-nrpe-server" - state: present +- name: Install nrpe debian + apt: name=nagios-nrpe-server state=present when: ansible_os_family == "Debian" -- name: Install nrpe - yum: - name: nrpe - state: present +- name: Install nrpe redhat + dnf: name=nrpe state=present when: ansible_os_family == "RedHat" - name: Configure nrpe line: include=/etc/nagios/nrpe_local.cfg diff --git a/ansible/roles/syslog-client/tasks/main.yml b/ansible/roles/syslog-client/tasks/main.yml index ce5b6814..418aead4 100644 --- a/ansible/roles/syslog-client/tasks/main.yml +++ b/ansible/roles/syslog-client/tasks/main.yml @@ -1,5 +1,9 @@ -- name: Install rsyslog-relp +- name: Install rsyslog-relp debian apt: name=rsyslog-relp state=present + when: ansible_os_family == "Debian" +- name: Install rsyslog-relp redhat + dnf: name=rsyslog-relp state=present + when: ansible_os_family == "RedHat" - name: Configure rsyslog copy: dest: /etc/rsyslog.d/scripts-syslog-client.conf diff --git a/ansible/scripts-real.yml b/ansible/scripts-real.yml index 7f9f7f62..aa74a815 100644 --- a/ansible/scripts-real.yml +++ b/ansible/scripts-real.yml @@ -6,4 +6,4 @@ - root-aliases - munin-node - nrpe - + # TODO: Configure nrpe with realserver-specific checks From c69c1bb79c8bc24406efe661916ac5124df3a6ec Mon Sep 17 00:00:00 2001 From: Quentin Smith Date: Tue, 21 May 2019 02:49:52 -0400 Subject: [PATCH 006/736] Don't try to enable services that aren't installed yet --- server/fedora/ks/kickstart.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/server/fedora/ks/kickstart.txt b/server/fedora/ks/kickstart.txt index 108befcf..6e6ddcf0 100644 --- a/server/fedora/ks/kickstart.txt +++ b/server/fedora/ks/kickstart.txt 
@@ -34,7 +34,7 @@ bootloader --location=mbr --driveorder=xvda --append="console=hvc0 rhgb quiet bi #repo --name="updates30" --baseurl=http://download3.fedora.redhat.com/pub/fedora/linux/updates/30/Everything/x86_64/ # --disabled=avahi-daemon,nfslock,pcscd,rpcgssd,rpcidmapd,sendmail -services --enabled=named,ntpd,network --disabled=rpcbind +#services --enabled=named,ntpd,network --disabled=rpcbind user --name=scripts-build --groups=mock From 16a614e59ee27eb5bdd7b2277a5db3441003480a Mon Sep 17 00:00:00 2001 From: Quentin Smith Date: Tue, 21 May 2019 03:01:16 -0400 Subject: [PATCH 007/736] We don't need @system-tools --- server/fedora/ks/kickstart.txt | 1 - 1 file changed, 1 deletion(-) diff --git a/server/fedora/ks/kickstart.txt b/server/fedora/ks/kickstart.txt index 6e6ddcf0..85ca51b9 100644 --- a/server/fedora/ks/kickstart.txt +++ b/server/fedora/ks/kickstart.txt @@ -44,7 +44,6 @@ poweroff @core @standard @online-docs -@system-tools ansible git %end From d154b85255a065d7936366020a1afec998245277 Mon Sep 17 00:00:00 2001 From: Quentin Smith Date: Tue, 21 May 2019 03:15:19 -0400 Subject: [PATCH 008/736] Fix ansible-config-me --- server/fedora/ansible-config-me.service | 2 +- server/fedora/ansible-config-me.sh | 0 2 files changed, 1 insertion(+), 1 deletion(-) mode change 100644 => 100755 server/fedora/ansible-config-me.sh diff --git a/server/fedora/ansible-config-me.service b/server/fedora/ansible-config-me.service index 33cf8e54..8f6d0653 100644 --- a/server/fedora/ansible-config-me.service +++ b/server/fedora/ansible-config-me.service @@ -3,7 +3,7 @@ Description=Run ansible-pull at first boot to apply environment configuration After=network-online.target [Service] -ExecStart=/srv/repository/server/fedora/.sh +ExecStart=/srv/repository/server/fedora/ansible-config-me.sh Type=oneshot [Install] diff --git a/server/fedora/ansible-config-me.sh b/server/fedora/ansible-config-me.sh old mode 100644 new mode 100755 
From 56cdf555465c8a0281d386896c7f9c4b43936219 Mon Sep 17 00:00:00 2001 From: Quentin Smith Date: Tue, 21 May 2019 03:18:24 -0400 Subject: [PATCH 009/736] Fix NRPE module --- ansible/roles/nrpe/tasks/main.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/ansible/roles/nrpe/tasks/main.yml b/ansible/roles/nrpe/tasks/main.yml index 45445771..3ea94263 100644 --- a/ansible/roles/nrpe/tasks/main.yml +++ b/ansible/roles/nrpe/tasks/main.yml @@ -6,7 +6,9 @@ dnf: name=nrpe state=present when: ansible_os_family == "RedHat" - name: Configure nrpe - line: include=/etc/nagios/nrpe_local.cfg + lineinfile: + line: include=/etc/nagios/nrpe_local.cfg + path: /etc/nagios/nrpe.cfg notify: restart nrpe - name: Configure nrpe 2 copy: From f8612aa39b22e3753516f119d21abee17e8a550a Mon Sep 17 00:00:00 2001 From: Quentin Smith Date: Tue, 21 May 2019 04:27:00 -0400 Subject: [PATCH 010/736] Limit ansible to a single host --- server/fedora/ansible-config-me.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/server/fedora/ansible-config-me.sh b/server/fedora/ansible-config-me.sh index 5707f116..393043e3 100755 --- a/server/fedora/ansible-config-me.sh +++ b/server/fedora/ansible-config-me.sh @@ -4,6 +4,6 @@ set -e set -x cd /srv/repository/ansible -ansible-playbook playbook.yml +ansible-playbook playbook.yml -c local -l "localhost,$(hostname -f),$(hostname -s),127.0.0.1" systemctl disable ansible-config-me.service From 6f11e859b49c2c9b34655b478c4935cb9484e5c4 Mon Sep 17 00:00:00 2001 From: Quentin Smith Date: Tue, 21 May 2019 04:32:12 -0400 Subject: [PATCH 011/736] F30 doesn't have Python 2 --- ansible/inventory.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ansible/inventory.yml b/ansible/inventory.yml index e00da96a..161721d5 100644 --- a/ansible/inventory.yml +++ b/ansible/inventory.yml @@ -67,5 +67,7 @@ all: log-normal.mit.edu: {} scripts-real: + vars: + ansible_python_interpreter: /usr/bin/python3 hosts: quentin-scripts-f30.xvm.mit.edu: {} 
From 6a0d42ca13664c2260ace5aa3ac12c766eb922b2 Mon Sep 17 00:00:00 2001 From: Quentin Smith Date: Tue, 21 May 2019 04:51:15 -0400 Subject: [PATCH 012/736] Configure autofs --- ansible/scripts-real.yml | 12 ++++++++++++ server/fedora/config/etc/auto.master | 1 - 2 files changed, 12 insertions(+), 1 deletion(-) delete mode 100644 server/fedora/config/etc/auto.master diff --git a/ansible/scripts-real.yml b/ansible/scripts-real.yml index aa74a815..928e40ba 100644 --- a/ansible/scripts-real.yml +++ b/ansible/scripts-real.yml @@ -7,3 +7,15 @@ - munin-node - nrpe # TODO: Configure nrpe with realserver-specific checks + tasks: + - name: Install autofs + dnf: name=autofs state=present + - name: Configure autofs + copy: + dest: /etc/auto.master + content: | + /mit hesiod:hesiod + notify: reload autofs + handlers: + - name: reload autofs + service: name=ipvsadm state=reloaded diff --git a/server/fedora/config/etc/auto.master b/server/fedora/config/etc/auto.master deleted file mode 100644 index 85bf7acd..00000000 --- a/server/fedora/config/etc/auto.master +++ /dev/null @@ -1 +0,0 @@ -/mit hesiod:hesiod From 74241f3e727699c14dd8991690363369603a75f7 Mon Sep 17 00:00:00 2001 From: Quentin Smith Date: Tue, 21 May 2019 04:53:15 -0400 Subject: [PATCH 013/736] Configure hesiod --- ansible/scripts-real.yml | 8 ++++++++ server/fedora/config/etc/hesiod.conf | 2 -- 2 files changed, 8 insertions(+), 2 deletions(-) delete mode 100644 server/fedora/config/etc/hesiod.conf diff --git a/ansible/scripts-real.yml b/ansible/scripts-real.yml index 928e40ba..a5df249f 100644 --- a/ansible/scripts-real.yml +++ b/ansible/scripts-real.yml @@ -8,6 +8,14 @@ - nrpe # TODO: Configure nrpe with realserver-specific checks tasks: + - name: Install hesiod + dnf: name=hesiod-devel state=present + - name: Configure hesiod + copy: + dest: /etc/hesiod.conf + content: | + rhs=.ATHENA.MIT.EDU + lhs=.ns - name: Install autofs dnf: name=autofs state=present - name: Configure autofs 
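Review bot: The `reload autofs` handler acts on the wrong unit, `service: name=ipvsadm state=reloaded`, which looks copied from the director playbook; nothing in this play installs ipvsadm, so a change to `/etc/auto.master` either errors in the handler or never reaches autofs. Change it to `service: name=autofs state=reloaded`. Nothing here starts or enables autofs after `dnf: name=autofs state=present`; if the package does not enable it on install, a `service: name=autofs state=started enabled=yes` task is needed for the `/mit` map to be mounted at all.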
diff --git a/server/fedora/config/etc/hesiod.conf b/server/fedora/config/etc/hesiod.conf deleted file mode 100644 index 2ffb2a93..00000000 --- a/server/fedora/config/etc/hesiod.conf +++ /dev/null @@ -1,2 +0,0 @@ -rhs=.ATHENA.MIT.EDU -lhs=.ns From 53b718b7e6e7a2c45653a44f41ae5f05c39d106a Mon Sep 17 00:00:00 2001 From: Quentin Smith Date: Tue, 21 May 2019 04:55:13 -0400 Subject: [PATCH 014/736] TODO fix aliases --- ansible/scripts-real.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/ansible/scripts-real.yml b/ansible/scripts-real.yml index a5df249f..9e62bfff 100644 --- a/ansible/scripts-real.yml +++ b/ansible/scripts-real.yml @@ -7,6 +7,7 @@ - munin-node - nrpe # TODO: Configure nrpe with realserver-specific checks + # TODO: Configure aliases with blocked accounts and procmail for root tasks: - name: Install hesiod dnf: name=hesiod-devel state=present From 6b8ccf86bbf831d22d5ef6e2f62b4ef3eb4f4225 Mon Sep 17 00:00:00 2001 From: Quentin Smith Date: Tue, 21 May 2019 04:59:18 -0400 Subject: [PATCH 015/736] Configure sudoers --- ansible/scripts-real.yml | 14 ++++++ server/fedora/config/etc/sudoers | 81 -------------------------------- 2 files changed, 14 insertions(+), 81 deletions(-) delete mode 100644 server/fedora/config/etc/sudoers diff --git a/ansible/scripts-real.yml b/ansible/scripts-real.yml index 9e62bfff..72729d67 100644 --- a/ansible/scripts-real.yml +++ b/ansible/scripts-real.yml 
@@ -25,6 +25,20 @@
 content: |
 /mit hesiod:hesiod
 notify: reload autofs
+ - name: Configure sudoers
+ copy:
+ dest: /etc/sudoers.d/scripts
+ content: |
+ scripts ALL=(root) NOPASSWD: /usr/local/sbin/ldap-backup ""
+ scripts ALL=(root) NOPASSWD: /usr/local/sbin/get-homedirs ""
+ scripts ALL=(root) NOPASSWD: /etc/httpd/export-scripts-certs ""
+ nrpe ALL=(signup) NOPASSWD: /etc/nagios/check_ldap_mmr.real
+ pony ALL=(root) NOPASSWD: /etc/pki/tls/gencsr-pony
+
+ Defaults:munin !syslog
+
+ munin ALL=(root) SETENV: NOPASSWD: /etc/munin/plugins/postfix_mailqueue , /etc/munin/plugins/postfix_mailvolume , /etc/munin/plugins/hddtemp_smartctl , /etc/munin/plugins/sendmail* , /etc/munin/plugins/if_* , /etc/munin/plugins/if_err_eth2
+ munin ALL=(root) NOPASSWD: /etc/munin/plugins/smart_*, /etc/munin/plugins/sensors_*
 handlers:
 - name: reload autofs
 service: name=ipvsadm state=reloaded
diff --git a/server/fedora/config/etc/sudoers b/server/fedora/config/etc/sudoers
deleted file mode 100644
index 6edfd9eb..00000000
--- a/server/fedora/config/etc/sudoers
+++ /dev/null
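Review bot: The `copy` that writes `/etc/sudoers.d/scripts` sets neither `mode` nor `validate`, so the fragment lands with the module's default mode and a typo in any of the eleven sudoers lines is only discovered when sudo refuses the file on the host. Add `mode: "0440"`, `owner: root`, `group: root` and `validate: /usr/sbin/visudo -cf %s` to the task so a bad fragment is rejected before it is installed. The deleted full `/etc/sudoers` also carried `Defaults env_reset`, the `env_keep` list and `root ALL=(ALL) ALL`; this play now relies on the distribution's stock `/etc/sudoers` providing those and an include of `/etc/sudoers.d`, which is worth stating in a comment on the task. The `munin` entries with `SETENV:` and wildcard plugin paths are carried over unchanged from the old file rather than newly reviewed; a comment saying so would help the next audit decide whether they are still needed.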
@@ -1,81 +0,0 @@ -## Sudoers allows particular users to run various commands as -## the root user, without needing the root password. -## -## Examples are provided at the bottom of the file for collections -## of related commands, which can then be delegated out to particular -## users or groups. -## -## This file must be edited with the 'visudo' command. - -## Host Aliases -## Groups of machines. You may prefer to use hostnames (perhaps using -## wildcards for entire domains) or IP addresses instead. -# Host_Alias FILESERVERS = fs1, fs2 -# Host_Alias MAILSERVERS = smtp, smtp2 - -## User Aliases -## These aren't often necessary, as you can use regular groups -## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname -## rather than USERALIAS -# User_Alias ADMINS = jsmith, mikem - - -## Command Aliases -## These are groups of related commands... - -## Networking -Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool - -## Installation and management of software -Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum - -## Services -Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig - -## Updating the locate database -Cmnd_Alias LOCATE = /usr/bin/updatedb - -## Storage -Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount - -## Delegating permissions -Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp - -## Processes -Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall - -## Drivers -Cmnd_Alias DRIVERS = /sbin/modprobe - -#Defaults requiretty - -Defaults env_reset -Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS" -Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" -Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES" -Defaults env_keep += 
"LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE" -Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY" -Defaults env_keep += "USE_NEWLINES" - -## Next comes the main part: which users can run what software on -## which machines (the sudoers file can be shared between multiple -## systems). -## Syntax: -## -## user MACHINE=COMMANDS -## -## The COMMANDS section may have other options added to it. -## -## Allow root to run any commands anywhere -root ALL=(ALL) ALL - -scripts ALL=(root) NOPASSWD: /usr/local/sbin/ldap-backup "" -scripts ALL=(root) NOPASSWD: /usr/local/sbin/get-homedirs "" -scripts ALL=(root) NOPASSWD: /etc/httpd/export-scripts-certs "" -nrpe ALL=(signup) NOPASSWD: /etc/nagios/check_ldap_mmr.real -pony ALL=(root) NOPASSWD: /etc/pki/tls/gencsr-pony - -Defaults:munin !syslog - -munin ALL=(root) SETENV: NOPASSWD: /etc/munin/plugins/postfix_mailqueue , /etc/munin/plugins/postfix_mailvolume , /etc/munin/plugins/hddtemp_smartctl , /etc/munin/plugins/sendmail* , /etc/munin/plugins/if_* , /etc/munin/plugins/if_err_eth2 -munin ALL=(root) NOPASSWD: /etc/munin/plugins/smart_*, /etc/munin/plugins/sensors_* From 36aafae39fd832c9ff85be00349c45ca24a32f3a Mon Sep 17 00:00:00 2001 From: Quentin Smith Date: Tue, 21 May 2019 05:05:03 -0400 Subject: [PATCH 016/736] Hesiod doesn't exist in F30 --- ansible/scripts-real.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ansible/scripts-real.yml b/ansible/scripts-real.yml index 72729d67..92fbc6b0 100644 --- a/ansible/scripts-real.yml +++ b/ansible/scripts-real.yml @@ -9,8 +9,8 @@ # TODO: Configure nrpe with realserver-specific checks # TODO: Configure aliases with blocked accounts and procmail for root tasks: - - name: Install hesiod - dnf: name=hesiod-devel state=present + #- name: Install hesiod + # dnf: name=hesiod-devel state=present - name: Configure hesiod copy: dest: /etc/hesiod.conf From df50027f19fea3b4535377fc579fe408bf68b203 Mon Sep 17 00:00:00 2001 
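Review bot: The `Install hesiod` task is commented out, but the hunk still writes `/etc/hesiod.conf`, and the autofs map `/mit hesiod:hesiod` configured elsewhere in this play still needs an autofs hesiod lookup module; if F30's autofs build lacks it, `/mit` mounts fail at runtime rather than at deploy time. A comment beside the commented-out task would record the dependency, e.g. `# hesiod-devel is not packaged in F30; verify autofs can still resolve hesiod maps before relying on /mit`.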
From: Quentin Smith Date: Tue, 21 May 2019 05:06:21 -0400 Subject: [PATCH 017/736] Fix typo --- ansible/scripts-real.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible/scripts-real.yml b/ansible/scripts-real.yml index 92fbc6b0..a567d16c 100644 --- a/ansible/scripts-real.yml +++ b/ansible/scripts-real.yml @@ -41,4 +41,4 @@ munin ALL=(root) NOPASSWD: /etc/munin/plugins/smart_*, /etc/munin/plugins/sensors_* handlers: - name: reload autofs - service: name=ipvsadm state=reloaded + service: name=autofs state=reloaded From d5bfbb6679bcbe2bd6417b57daebdac3ac6cd4bf Mon Sep 17 00:00:00 2001 From: Quentin Smith Date: Tue, 21 May 2019 23:55:52 -0400 Subject: [PATCH 018/736] Install PAM configuration for sshd --- .../etc => ansible/roles/pam/files}/issue.net | 0 .../roles/pam/files}/issue.net.no_tkt | 0 .../roles/pam/files}/issue.net.no_user | 0 ansible/roles/pam/tasks/main.yml | 28 +++++++++++++++++++ server/fedora/config/etc/pam.d/sshd | 23 --------------- 5 files changed, 28 insertions(+), 23 deletions(-) rename {server/fedora/config/etc => ansible/roles/pam/files}/issue.net (100%) rename {server/fedora/config/etc => ansible/roles/pam/files}/issue.net.no_tkt (100%) rename {server/fedora/config/etc => ansible/roles/pam/files}/issue.net.no_user (100%) create mode 100644 ansible/roles/pam/tasks/main.yml delete mode 100644 server/fedora/config/etc/pam.d/sshd diff --git a/server/fedora/config/etc/issue.net b/ansible/roles/pam/files/issue.net similarity index 100% rename from server/fedora/config/etc/issue.net rename to ansible/roles/pam/files/issue.net diff --git a/server/fedora/config/etc/issue.net.no_tkt b/ansible/roles/pam/files/issue.net.no_tkt similarity index 100% rename from server/fedora/config/etc/issue.net.no_tkt rename to ansible/roles/pam/files/issue.net.no_tkt 
diff --git a/server/fedora/config/etc/issue.net.no_user b/ansible/roles/pam/files/issue.net.no_user
similarity index 100%
rename from server/fedora/config/etc/issue.net.no_user
rename to ansible/roles/pam/files/issue.net.no_user
diff --git a/ansible/roles/pam/tasks/main.yml b/ansible/roles/pam/tasks/main.yml
new file mode 100644
index 00000000..9d907f32
--- /dev/null
+++ b/ansible/roles/pam/tasks/main.yml
@@ -0,0 +1,28 @@
+---
+- name: Configure sshd to print helpful warnings
+ blockinfile:
+ path: /etc/pam.d/sshd
+ insertafter: "#%PAM-1.0"
+ block: |
+ # If their user exists (success),
+ auth [success=ignore ignore=ignore default=1] pam_succeed_if.so uid >= 0
+ # print the "You don't have tickets" error:
+ auth [success=die ignore=reset default=die] pam_echo.so file=/etc/issue.net.no_tkt
+ # else print the "your account doesn't exist" error:
+ auth [success=die ignore=reset default=die] pam_echo.so file=/etc/issue.net.no_user
+ # If they somehow slipped through, deny:
+ auth required pam_deny.so
+- name: Remove all other auth methods
+ replace:
+ path: /etc/pam.d/sshd
+ after: 'pam_deny.so'
+ regexp: '^auth\s(.+)$'
+ replace: '# \1'
+- name: Install /etc/{{ item }}
+ copy:
+ dest: "/etc/{{ item }}"
+ src: "{{ item }}"
+ with_items:
+ issue.net
+ issue.net.no_tkt
+ issue.net.no_user
diff --git a/server/fedora/config/etc/pam.d/sshd b/server/fedora/config/etc/pam.d/sshd
deleted file mode 100644
index 0e7ca4c4..00000000
--- a/server/fedora/config/etc/pam.d/sshd
+++ /dev/null
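Review bot: The `Remove all other auth methods` task comments out every `auth` line that follows the inserted `pam_deny.so`, i.e. whatever the stock file carries below it, so sshd can never authenticate through PAM on this host; the block above exists only to print `issue.net.no_tkt`/`issue.net.no_user` and then deny. Nothing in the file says that this is intentional, and the task name reads like a hardening step rather than an "always fail" stack; the presumable real authentication path is GSSAPI/hostbased, configured elsewhere (the play's later sshd tasks refer to a k5login role). A header comment on the first task would stop a future "fix", e.g. `# sshd must never authenticate via PAM here: this stack only prints a hint and denies; real auth is GSSAPI (k5login role)`. The `replace` task also relies on `pam_deny.so` already being present, i.e. on the blockinfile task having run first, which is worth stating in the same comment.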
@@ -1,23 +0,0 @@ -#%PAM-1.0 -# Authentication modules - -# If their user exists (success), -auth [success=ignore ignore=ignore default=1] pam_succeed_if.so uid >= 0 -# print the "You don't have tickets" error: -auth [success=die ignore=reset default=die] pam_echo.so file=/etc/issue.net.no_tkt -# else print the "your account doesn't exist" error: -auth [success=die ignore=reset default=die] pam_echo.so file=/etc/issue.net.no_user - -# Set environment variables: -auth required pam_env.so -# Use Unix authentication and succeed immediately (sufficient): -auth sufficient pam_unix.so try_first_pass -# If they somehow slipped through, deny: -auth required pam_deny.so - -account required pam_nologin.so -account include system-auth -password include system-auth -session optional pam_keyinit.so force revoke -session include system-auth -session required pam_loginuid.so From 92f0c0a953d78d889ea0e3fc3f7d8190559bba5d Mon Sep 17 00:00:00 2001 From: Quentin Smith Date: Tue, 21 May 2019 23:57:36 -0400 Subject: [PATCH 019/736] Actually run PAM role --- ansible/roles/{pam => real-pam}/files/issue.net | 0 ansible/roles/{pam => real-pam}/files/issue.net.no_tkt | 0 ansible/roles/{pam => real-pam}/files/issue.net.no_user | 0 ansible/roles/{pam => real-pam}/tasks/main.yml | 0 ansible/scripts-real.yml | 1 + 5 files changed, 1 insertion(+) rename ansible/roles/{pam => real-pam}/files/issue.net (100%) rename ansible/roles/{pam => real-pam}/files/issue.net.no_tkt (100%) rename ansible/roles/{pam => real-pam}/files/issue.net.no_user (100%) rename ansible/roles/{pam => real-pam}/tasks/main.yml (100%) diff --git a/ansible/roles/pam/files/issue.net b/ansible/roles/real-pam/files/issue.net similarity index 100% rename from ansible/roles/pam/files/issue.net rename to ansible/roles/real-pam/files/issue.net 
diff --git a/ansible/roles/pam/files/issue.net.no_tkt b/ansible/roles/real-pam/files/issue.net.no_tkt similarity index 100% rename from ansible/roles/pam/files/issue.net.no_tkt rename to ansible/roles/real-pam/files/issue.net.no_tkt diff --git a/ansible/roles/pam/files/issue.net.no_user b/ansible/roles/real-pam/files/issue.net.no_user similarity index 100% rename from ansible/roles/pam/files/issue.net.no_user rename to ansible/roles/real-pam/files/issue.net.no_user diff --git a/ansible/roles/pam/tasks/main.yml b/ansible/roles/real-pam/tasks/main.yml similarity index 100% rename from ansible/roles/pam/tasks/main.yml rename to ansible/roles/real-pam/tasks/main.yml diff --git a/ansible/scripts-real.yml b/ansible/scripts-real.yml index a567d16c..df3236ee 100644 --- a/ansible/scripts-real.yml +++ b/ansible/scripts-real.yml @@ -6,6 +6,7 @@ - root-aliases - munin-node - nrpe + - real-pam # TODO: Configure nrpe with realserver-specific checks # TODO: Configure aliases with blocked accounts and procmail for root tasks: From ddbd39717b82f0bb1faaec9b3056b2cf7a03219d Mon Sep 17 00:00:00 2001 From: Quentin Smith Date: Wed, 22 May 2019 00:09:24 -0400 Subject: [PATCH 020/736] Fix PAM config --- ansible/roles/real-pam/tasks/main.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/ansible/roles/real-pam/tasks/main.yml b/ansible/roles/real-pam/tasks/main.yml index 9d907f32..93501ef6 100644 --- a/ansible/roles/real-pam/tasks/main.yml +++ b/ansible/roles/real-pam/tasks/main.yml @@ -16,13 +16,13 @@ replace: path: /etc/pam.d/sshd after: 'pam_deny.so' - regexp: '^auth\s(.+)$' + regexp: '^(auth\s.+)$' replace: '# \1' -- name: Install /etc/{{ item }} +- name: Install /etc/issue.net* copy: dest: "/etc/{{ item }}" src: "{{ item }}" - with_items: - issue.net - issue.net.no_tkt - issue.net.no_user + loop: + - issue.net + - issue.net.no_tkt + - issue.net.no_user From 00a3b667703999b4a3e00385b78a7bebee37dc5d Mon Sep 17 00:00:00 2001 
From: Quentin Smith Date: Wed, 22 May 2019 01:24:35 -0400 Subject: [PATCH 021/736] Configure sshd_config --- ansible/inventory.yml | 1 + ansible/roles/real-pam/tasks/main.yml | 5 +++++ ansible/scripts-real.yml | 21 +++++++++++++++++++++ server/fedora/config/etc/ssh/sshd_config | 24 ------------------------ 4 files changed, 27 insertions(+), 24 deletions(-) delete mode 100644 server/fedora/config/etc/ssh/sshd_config diff --git a/ansible/inventory.yml b/ansible/inventory.yml index 161721d5..2951d294 100644 --- a/ansible/inventory.yml +++ b/ansible/inventory.yml @@ -71,3 +71,4 @@ all: ansible_python_interpreter: /usr/bin/python3 hosts: quentin-scripts-f30.xvm.mit.edu: {} + scripts-f30-test.xvm.mit.edu: {} diff --git a/ansible/roles/real-pam/tasks/main.yml b/ansible/roles/real-pam/tasks/main.yml index 93501ef6..aad93a17 100644 --- a/ansible/roles/real-pam/tasks/main.yml +++ b/ansible/roles/real-pam/tasks/main.yml @@ -26,3 +26,8 @@ - issue.net - issue.net.no_tkt - issue.net.no_user +- name: Configure sshd for ChallengeResponseAuthentication + lineinfile: + path: /etc/ssh/sshd_config + regexp: '(?i)^#?\s*ChallengeResponseAuthentication\s' + line: "ChallengeResponseAuthentication yes" diff --git a/ansible/scripts-real.yml b/ansible/scripts-real.yml index df3236ee..c0d224c2 100644 --- a/ansible/scripts-real.yml +++ b/ansible/scripts-real.yml 
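Review bot: `lineinfile` replaces only the last line matching `regexp`, whereas sshd honours the first occurrence of a keyword, so if the stock `sshd_config` ever carries an uncommented `ChallengeResponseAuthentication` above a later commented copy, the earlier value silently wins while this task reports success. The same applies to every item of the `Configure sshd for scripts` loop in the next hunk (`ansible/scripts-real.yml`), and a keyword such as `AcceptEnv` that the stock file may list on several uncommented lines is only partially overridden. Since this commit deletes the whole-file `sshd_config` the repo previously shipped, templating the file, or at least adding `validate: /usr/sbin/sshd -t -f %s` to these tasks, would keep the effective configuration deterministic and catch a bad line before it is installed.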
@@ -40,6 +40,27 @@ munin ALL=(root) SETENV: NOPASSWD: /etc/munin/plugins/postfix_mailqueue , /etc/munin/plugins/postfix_mailvolume , /etc/munin/plugins/hddtemp_smartctl , /etc/munin/plugins/sendmail* , /etc/munin/plugins/if_* , /etc/munin/plugins/if_err_eth2 munin ALL=(root) NOPASSWD: /etc/munin/plugins/smart_*, /etc/munin/plugins/sensors_* + - name: Configure sshd for scripts + lineinfile: + path: /etc/ssh/sshd_config + regexp: '(?i)^#?\s*{{ item | regex_search("^(\S+)") }}\s' + line: "{{ item }}" + loop: + # "PasswordAuthentication no" and "GSSAPIAuthentication yes" comes from the k5login role + # "ChallengeResponseAuthentication yes" comes from the real-pam role + - GSSAPICleanupCredentials yes + - GSSAPIStrictAcceptorCheck no + - GSSAPIKeyExchange yes + - X11Forwarding no + - Banner /etc/issue.net + - LogLevel VERBOSE + - MaxStartups 50:30:500 + - AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT LC_IDENTIFICATION LC_ALL EDITOR VISUAL + # See trac #23 + - HostbasedAuthentication yes + - IgnoreRhosts yes + - IgnoreUserKnownHosts yes + - DenyUsers {{ groups['scripts-real'] | map('regex_replace', '^', 'root@') | join(' ') }} handlers: - name: reload autofs service: name=autofs state=reloaded diff --git a/server/fedora/config/etc/ssh/sshd_config b/server/fedora/config/etc/ssh/sshd_config deleted file mode 100644 index 7a2adfe1..00000000 --- a/server/fedora/config/etc/ssh/sshd_config +++ /dev/null 
@@ -1,24 +0,0 @@ -Protocol 2 -SyslogFacility AUTHPRIV -PasswordAuthentication no -ChallengeResponseAuthentication yes -GSSAPIAuthentication yes -GSSAPICleanupCredentials yes -GSSAPIStrictAcceptorCheck no -GSSAPIKeyExchange yes -UsePAM yes -AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES -AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT -AcceptEnv LC_IDENTIFICATION LC_ALL -AcceptEnv EDITOR VISUAL -X11Forwarding no -Banner /etc/issue.net -Subsystem sftp /usr/libexec/openssh/sftp-server -LogLevel VERBOSE -MaxStartups 50:30:500 - -# See trac #23 -HostbasedAuthentication yes -IgnoreRhosts yes -IgnoreUserKnownHosts yes -DenyUsers root@old-faithful.mit.edu root@better-mousetrap.mit.edu root@bees-knees.mit.edu root@cats-whiskers.mit.edu root@pancake-bunny.mit.edu root@busy-beaver.mit.edu root@real-mccoy.mit.edu root@whole-enchilada.mit.edu root@shining-armor.mit.edu root@golden-egg.mit.edu root@miracle-cure.mit.edu root@lucky-star.mit.edu From d8e16ef1e534598764cbb401206744d09e196cfd Mon Sep 17 00:00:00 2001 From: Quentin Smith Date: Wed, 22 May 2019 01:29:03 -0400 Subject: [PATCH 022/736] Reload ssh after changing its configuration --- ansible/roles/real-pam/tasks/main.yml | 1 + ansible/scripts-real.yml | 1 + 2 files changed, 2 insertions(+) diff --git a/ansible/roles/real-pam/tasks/main.yml b/ansible/roles/real-pam/tasks/main.yml index aad93a17..9cf8da23 100644 --- a/ansible/roles/real-pam/tasks/main.yml +++ b/ansible/roles/real-pam/tasks/main.yml @@ -31,3 +31,4 @@ path: /etc/ssh/sshd_config regexp: '(?i)^#?\s*ChallengeResponseAuthentication\s' line: "ChallengeResponseAuthentication yes" + notify: reload ssh diff --git a/ansible/scripts-real.yml b/ansible/scripts-real.yml index c0d224c2..2a2b7c8e 100644 --- a/ansible/scripts-real.yml +++ b/ansible/scripts-real.yml 
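Review bot: Both `notify: reload ssh` additions (this real-pam task and the `Configure sshd for scripts` task in the next hunk, `ansible/scripts-real.yml`) reference a handler that is not defined anywhere visible; the play's `handlers:` section shown in the following context lists only `reload autofs`. Unless one of the play's roles (perhaps the k5login role mentioned in a comment) defines a `reload ssh` handler, the play fails with an undefined-handler error the first time either task changes something. Adding `- name: reload ssh` / `service: name=sshd state=reloaded` next to `reload autofs`, or in the real-pam role's own handlers, makes the dependency explicit.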
@@ -61,6 +61,7 @@ - IgnoreRhosts yes - IgnoreUserKnownHosts yes - DenyUsers {{ groups['scripts-real'] | map('regex_replace', '^', 'root@') | join(' ') }} + notify: reload ssh handlers: - name: reload autofs service: name=autofs state=reloaded From fa36cc7e1c87457012b012e719301379cf8bea9f Mon Sep 17 00:00:00 2001 From: Quentin Smith Date: Wed, 22 May 2019 01:46:57 -0400 Subject: [PATCH 023/736] Install and configure mock --- ansible/scripts-real.yml | 52 ++++++++++++++++++++--------- server/fedora/config/etc/pam.d/mock | 15 --------- 2 files changed, 36 insertions(+), 31 deletions(-) delete mode 100644 server/fedora/config/etc/pam.d/mock diff --git a/ansible/scripts-real.yml b/ansible/scripts-real.yml index 2a2b7c8e..f3a273c2 100644 --- a/ansible/scripts-real.yml +++ b/ansible/scripts-real.yml @@ -10,22 +10,26 @@ # TODO: Configure nrpe with realserver-specific checks # TODO: Configure aliases with blocked accounts and procmail for root tasks: - #- name: Install hesiod - # dnf: name=hesiod-devel state=present - - name: Configure hesiod - copy: - dest: /etc/hesiod.conf - content: | - rhs=.ATHENA.MIT.EDU - lhs=.ns - - name: Install autofs - dnf: name=autofs state=present - - name: Configure autofs - copy: - dest: /etc/auto.master - content: | - /mit hesiod:hesiod - notify: reload autofs + - name: Hesiod + block: + #- name: Install hesiod + # dnf: name=hesiod-devel state=present + - name: Configure hesiod + copy: + dest: /etc/hesiod.conf + content: | + rhs=.ATHENA.MIT.EDU + lhs=.ns + - name: autofs + block: + - name: Install autofs + dnf: name=autofs state=present + - name: Configure autofs + copy: + dest: /etc/auto.master + content: | + /mit hesiod:hesiod + notify: reload autofs - name: Configure sudoers copy: dest: /etc/sudoers.d/scripts 
@@ -62,6 +66,22 @@ - IgnoreUserKnownHosts yes - DenyUsers {{ groups['scripts-real'] | map('regex_replace', '^', 'root@') | join(' ') }} notify: reload ssh + - name: mock + block: + - name: Install mock + dnf: name=mock state=present + - name: Restrict mock to root + block: + - lineinfile: + path: /etc/pam.d/mock + insertafter: EOF + line: "{{ item }}" + loop: + - "auth required pam_deny.so" + - "account required pam_deny.so" + - replace: + path: /etc/pam.d/mock + regexp: '^(auth|account)\s+.*\s+system-auth' handlers: - name: reload autofs service: name=autofs state=reloaded diff --git a/server/fedora/config/etc/pam.d/mock b/server/fedora/config/etc/pam.d/mock deleted file mode 100644 index f6a97ffd..00000000 --- a/server/fedora/config/etc/pam.d/mock +++ /dev/null @@ -1,15 +0,0 @@ -#%PAM-1.0 -auth sufficient pam_rootok.so -auth sufficient pam_succeed_if.so user ingroup mock use_uid quiet -# Uncomment the following line to implicitly trust users in the "wheel" group. -#auth sufficient pam_wheel.so trust use_uid -# Uncomment the following line to require a user to be in the "wheel" group. -#auth required pam_wheel.so use_uid -#auth include system-auth -auth required pam_deny.so -account sufficient pam_succeed_if.so user ingroup mock use_uid quiet -#account include system-auth -account required pam_deny.so -password include system-auth -session include system-auth -session optional pam_xauth.so From 89419ae0a63e93abb9f0a5f43f3bbef6b41e30ab Mon Sep 17 00:00:00 2001 
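Review bot: The `Restrict mock to root` block appends `auth`/`account required pam_deny.so` and strips the `system-auth` includes, but it leaves in place any `sufficient pam_succeed_if.so user ingroup mock` rules the stock `/etc/pam.d/mock` carries (the deleted file below shows that pattern), so members of the `mock` group are still admitted and the task name overstates what it enforces. If root-only is the goal, extend the `replace` regexp to also match the `ingroup mock` lines, or template the whole file; if the group is meant to keep access, rename the task (e.g. `Restrict mock to root and the mock group`) and say so in a comment. The same block is moved verbatim into `ansible/roles/mock/tasks/main.yml` in the later commit, so whichever fix is chosen applies there too. Note also that `replace` without a `replace:` value deletes the matched text but leaves an empty line behind, which is harmless but surprising on inspection.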
From: Quentin Smith Date: Wed, 22 May 2019 02:05:29 -0400 Subject: [PATCH 024/736] Configure mock chroots --- ansible/roles/mock/tasks/main.yml | 24 ++++ ansible/roles/mock/templates/chroot.cfg.j2 | 136 ++++++++++++++++++ ansible/scripts-real.yml | 17 +-- .../config/etc/mock/scripts-fc11-i386.cfg | 44 ------ .../config/etc/mock/scripts-fc11-x86_64.cfg | 47 ------ .../config/etc/mock/scripts-fc13-i386.cfg | 40 ------ .../config/etc/mock/scripts-fc13-x86_64.cfg | 53 ------- .../config/etc/mock/scripts-fc15-i386.cfg | 44 ------ .../config/etc/mock/scripts-fc15-x86_64.cfg | 48 ------- .../config/etc/mock/scripts-fc17-i386.cfg | 47 ------ .../config/etc/mock/scripts-fc17-x86_64.cfg | 51 ------- .../config/etc/mock/scripts-fc19-i386.cfg | 69 --------- .../config/etc/mock/scripts-fc19-x86_64.cfg | 69 --------- .../config/etc/mock/scripts-fc20-i386.cfg | 71 --------- .../config/etc/mock/scripts-fc20-x86_64.cfg | 71 --------- .../config/etc/mock/scripts-fc27-x86_64.cfg | 71 --------- 16 files changed, 161 insertions(+), 741 deletions(-) create mode 100644 ansible/roles/mock/tasks/main.yml create mode 100644 ansible/roles/mock/templates/chroot.cfg.j2 delete mode 100644 server/fedora/config/etc/mock/scripts-fc11-i386.cfg delete mode 100644 server/fedora/config/etc/mock/scripts-fc11-x86_64.cfg delete mode 100644 server/fedora/config/etc/mock/scripts-fc13-i386.cfg delete mode 100644 server/fedora/config/etc/mock/scripts-fc13-x86_64.cfg delete mode 100644 server/fedora/config/etc/mock/scripts-fc15-i386.cfg delete mode 100644 server/fedora/config/etc/mock/scripts-fc15-x86_64.cfg delete mode 100644 server/fedora/config/etc/mock/scripts-fc17-i386.cfg delete mode 100644 server/fedora/config/etc/mock/scripts-fc17-x86_64.cfg delete mode 100644 server/fedora/config/etc/mock/scripts-fc19-i386.cfg delete mode 100644 server/fedora/config/etc/mock/scripts-fc19-x86_64.cfg delete mode 100644 server/fedora/config/etc/mock/scripts-fc20-i386.cfg delete mode 100644 
server/fedora/config/etc/mock/scripts-fc20-x86_64.cfg
delete mode 100644 server/fedora/config/etc/mock/scripts-fc27-x86_64.cfg
diff --git a/ansible/roles/mock/tasks/main.yml b/ansible/roles/mock/tasks/main.yml
new file mode 100644
index 00000000..e66da746
--- /dev/null
+++ b/ansible/roles/mock/tasks/main.yml
@@ -0,0 +1,24 @@
+---
+- name: Install mock
+ dnf: name=mock state=present
+- name: Restrict mock to root
+ block:
+ - lineinfile:
+ path: /etc/pam.d/mock
+ insertafter: EOF
+ line: "{{ item }}"
+ loop:
+ - "auth required pam_deny.so"
+ - "account required pam_deny.so"
+ - replace:
+ path: /etc/pam.d/mock
+ regexp: '^(auth|account)\s+.*\s+system-auth'
+- name: Configure mock chroots
+ vars:
+ releasever: "{{ item[0] }}"
+ arch: "{{ item[1] }}"
+ template:
+ src: chroot.cfg.j2
+ dest: /etc/mock/scripts-fc{{ releasever }}-{{ arch }}.cfg
+ loop:
+ - ["30", "x86_64" ]
diff --git a/ansible/roles/mock/templates/chroot.cfg.j2 b/ansible/roles/mock/templates/chroot.cfg.j2
new file mode 100644
index 00000000..c12d225e
--- /dev/null
+++ b/ansible/roles/mock/templates/chroot.cfg.j2
@@ -0,0 +1,136 @@ +config_opts['root'] = 'fedora-{{ releasever }}-{{ arch }}' +config_opts['target_arch'] = '{{ arch }}' +config_opts['legal_host_arches'] = ('{{ arch }}',) +# config_opts['module_enable'] = ['list', 'of', 'modules'] +# config_opts['module_install'] = ['module1/profile', 'module2/profile'] +config_opts['chroot_setup_cmd'] = 'install @buildsys-build' +config_opts['dist'] = 'fc{{ releasever }}' # only useful for --resultdir variable subst +config_opts['extra_chroot_dirs'] = [ '/run/lock', ] +config_opts['releasever'] = '{{ releasever }}' +config_opts['package_manager'] = 'dnf' + +config_opts['yum.conf'] = """ +[main] +keepcache=1 +debuglevel=2 +reposdir=/dev/null +logfile=/var/log/yum.log +retries=20 +obsoletes=1 +gpgcheck=0 +assumeyes=1 +syslog_ident=mock +syslog_device= +install_weak_deps=0 +metadata_expire=0 +best=1 +module_platform_id=platform:f{{ releasever }} + +# repos + +[fedora] +name=fedora +metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch +gpgkey=file:///usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-{{ releasever }}-primary +gpgcheck=1 +skip_if_unavailable=False + +[updates] +name=updates +metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-released-f$releasever&arch=$basearch +gpgkey=file:///usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-{{ releasever }}-primary +gpgcheck=1 +skip_if_unavailable=False + +[updates-testing] +name=updates-testing +metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-testing-f$releasever&arch=$basearch +enabled=0 +gpgkey=file:///usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-{{ releasever }}-primary +gpgcheck=1 +skip_if_unavailable=False + +[local] +name=local +baseurl=file:///home/scripts-build/mock-local/ +cost=2000 +enabled=1 + +[scripts] +name=Scripts +baseurl=http://web.mit.edu/scripts/yum-repos/rpm-fc27/ +enabled=1 +gpgcheck=0 + +[fedora-debuginfo] +name=fedora-debuginfo 
+metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-debug-$releasever&arch=$basearch +enabled=0 +gpgkey=file:///usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-{{ releasever }}-primary +gpgcheck=1 +skip_if_unavailable=False + +[updates-debuginfo] +name=updates-debuginfo +metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-released-debug-f$releasever&arch=$basearch +enabled=0 +gpgkey=file:///usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-{{ releasever }}-primary +gpgcheck=1 +skip_if_unavailable=False + +[updates-testing-debuginfo] +name=updates-testing-debuginfo +metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-testing-debug-f$releasever&arch=$basearch +enabled=0 +gpgkey=file:///usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-{{ releasever }}-primary +gpgcheck=1 +skip_if_unavailable=False + +[fedora-source] +name=fedora-source +metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-source-$releasever&arch=$basearch +gpgkey=file:///usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-{{ releasever }}-primary +gpgcheck=1 +enabled=0 +skip_if_unavailable=False + +[updates-source] +name=updates-source +metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-released-source-f$releasever&arch=$basearch +gpgkey=file:///usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-{{ releasever }}-primary +gpgcheck=1 +enabled=0 +skip_if_unavailable=False + +# modular + +[fedora-modular] +name=Fedora Modular $releasever - $basearch +metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-modular-$releasever&arch=$basearch +enabled=0 +repo_gpgcheck=0 +type=rpm +gpgcheck=1 +gpgkey=file:///usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-$releasever-primary +skip_if_unavailable=False + +[fedora-modular-debuginfo] +name=Fedora Modular $releasever - $basearch - Debug +metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-modular-debug-$releasever&arch=$basearch 
+enabled=0 +repo_gpgcheck=0 +type=rpm +gpgcheck=1 +gpgkey=file:///usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-$releasever-primary +skip_if_unavailable=False + +[fedora-modular-source] +name=Fedora Modular $releasever - Source +metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-modular-source-$releasever&arch=$basearch +enabled=0 +repo_gpgcheck=0 +type=rpm +gpgcheck=1 +gpgkey=file:///usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-$releasever-primary +skip_if_unavailable=False +""" \ No newline at end of file diff --git a/ansible/scripts-real.yml b/ansible/scripts-real.yml index f3a273c2..850501f7 100644 --- a/ansible/scripts-real.yml +++ b/ansible/scripts-real.yml @@ -7,6 +7,7 @@ - munin-node - nrpe - real-pam + - mock # TODO: Configure nrpe with realserver-specific checks # TODO: Configure aliases with blocked accounts and procmail for root tasks: @@ -66,22 +67,6 @@ - IgnoreUserKnownHosts yes - DenyUsers {{ groups['scripts-real'] | map('regex_replace', '^', 'root@') | join(' ') }} notify: reload ssh - - name: mock - block: - - name: Install mock - dnf: name=mock state=present - - name: Restrict mock to root - block: - - lineinfile: - path: /etc/pam.d/mock - insertafter: EOF - line: "{{ item }}" - loop: - - "auth required pam_deny.so" - - "account required pam_deny.so" - - replace: - path: /etc/pam.d/mock - regexp: '^(auth|account)\s+.*\s+system-auth' handlers: - name: reload autofs service: name=autofs state=reloaded diff --git a/server/fedora/config/etc/mock/scripts-fc11-i386.cfg b/server/fedora/config/etc/mock/scripts-fc11-i386.cfg deleted file mode 100644 index b453a3b8..00000000 --- a/server/fedora/config/etc/mock/scripts-fc11-i386.cfg +++ /dev/null 
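Review bot: The `[scripts]` repo in the template is pinned to `http://web.mit.edu/scripts/yum-repos/rpm-fc27/` with `gpgcheck=0` while every other section is parameterised by `{{ releasever }}`, so an F30 chroot pulls unsigned packages (apparently built for F27) over cleartext HTTP into the build root; together with `[main]`'s `gpgcheck=0`, which the `[local]` file repo inherits, these are the unverified inputs to every build. If a per-release repo exists, use `baseurl=http://web.mit.edu/scripts/yum-repos/rpm-fc{{ releasever }}/` (and `https://` if the server offers it); otherwise leave a comment explaining why fc27 packages are deliberately reused, and consider signing the scripts repo so `gpgcheck=1` can be set there. The modular sections use `$releasever` in `gpgkey` where the other sections use `{{ releasever }}`; both render to the same path, but picking one form would make the template easier to audit.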
@@ -1,44 +0,0 @@ -config_opts['root'] = 'fedora-11-i386' -config_opts['target_arch'] = 'i586' -config_opts['chroot_setup_cmd'] = 'groupinstall buildsys-build' -config_opts['dist'] = 'fc11' # only useful for --resultdir variable subst - -config_opts['yum.conf'] = """ -[main] -cachedir=/var/cache/yum -debuglevel=1 -reposdir=/dev/null -logfile=/var/log/yum.log -retries=20 -obsoletes=1 -gpgcheck=0 -assumeyes=1 - -# repos - -[fedora] -name=fedora -mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=fedora-11&arch=i386 -failovermethod=priority - -[updates-released] -name=updates -#mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=updates-released-f11&arch=i386 -baseurl=http://dl.fedoraproject.org/pub/fedora/linux/updates/11/i386/ -failovermethod=priority - -[local] -name=local -baseurl=file:///home/scripts-build/mock-local/ -cost=2000 -enabled=1 - -[scripts] -name=Scripts -baseurl=http://web.mit.edu/scripts/yum-repos/rpm-fc11/ -enabled=1 -gpgcheck=0 -""" - - - diff --git a/server/fedora/config/etc/mock/scripts-fc11-x86_64.cfg b/server/fedora/config/etc/mock/scripts-fc11-x86_64.cfg deleted file mode 100644 index b3e5dc7b..00000000 --- a/server/fedora/config/etc/mock/scripts-fc11-x86_64.cfg +++ /dev/null 
@@ -1,47 +0,0 @@ -config_opts['root'] = 'fedora-11-x86_64' -config_opts['target_arch'] = 'x86_64' -config_opts['chroot_setup_cmd'] = 'groupinstall buildsys-build' -config_opts['dist'] = 'fc11' # only useful for --resultdir variable subst - -config_opts['yum.conf'] = """ -[main] -cachedir=/var/cache/yum -debuglevel=1 -reposdir=/dev/null -logfile=/var/log/yum.log -retries=20 -obsoletes=1 -gpgcheck=0 -assumeyes=1 -# grub/syslinux on x86_64 need glibc-devel.i386 which pulls in glibc.i386, need to exclude all -# .i?86 packages except these. -#exclude=[0-9A-Za-fh-z]*.i?86 g[0-9A-Za-km-z]*.i?86 gl[0-9A-Za-hj-z]*.i?86 gli[0-9A-Zac-z]*.i?86 glib[0-9A-Za-bd-z]*.i?86 -# The above is not needed anymore with yum multilib policy of "best" which is the default in Fedora. - -# repos - -[fedora] -name=fedora -mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=fedora-11&arch=x86_64 -failovermethod=priority - -[updates-released] -name=updates -#mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=updates-released-f11&arch=x86_64 -baseurl=http://dl.fedoraproject.org/pub/fedora/linux/updates/11/x86_64/ -failovermethod=priority - -[local] -name=local -baseurl=file:///home/scripts-build/mock-local/ -cost=2000 -enabled=1 - -[scripts] -name=Scripts -baseurl=http://web.mit.edu/scripts/yum-repos/rpm-fc11/ -enabled=1 -gpgcheck=0 -""" - - diff --git a/server/fedora/config/etc/mock/scripts-fc13-i386.cfg b/server/fedora/config/etc/mock/scripts-fc13-i386.cfg deleted file mode 100644 index 73a0ee16..00000000 --- a/server/fedora/config/etc/mock/scripts-fc13-i386.cfg +++ /dev/null 
@@ -1,40 +0,0 @@ -config_opts['root'] = 'fedora-13-i386' -config_opts['target_arch'] = 'i686' -config_opts['chroot_setup_cmd'] = 'groupinstall buildsys-build' -config_opts['dist'] = 'fc13' # only useful for --resultdir variable subst - -config_opts['yum.conf'] = """ -[main] -cachedir=/var/cache/yum -debuglevel=1 -reposdir=/dev/null -logfile=/var/log/yum.log -retries=20 -obsoletes=1 -gpgcheck=0 -assumeyes=1 - -# repos - -[fedora] -name=fedora -mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=fedora-13&arch=i386 -failovermethod=priority - -[updates-released] -name=updates -baseurl=http://dl.fedoraproject.org/pub/fedora/linux/updates/13/i386/ -failovermethod=priority - -[local] -name=local -baseurl=file:///home/scripts-build/mock-local/ -cost=2000 -enabled=1 - -[scripts] -name=Scripts -baseurl=http://web.mit.edu/scripts/yum-repos/rpm-fc13/ -enabled=1 -gpgcheck=0 -""" # end config_opts['yum.conf'] diff --git a/server/fedora/config/etc/mock/scripts-fc13-x86_64.cfg b/server/fedora/config/etc/mock/scripts-fc13-x86_64.cfg deleted file mode 100644 index 8bb4049a..00000000 --- a/server/fedora/config/etc/mock/scripts-fc13-x86_64.cfg +++ /dev/null 
@@ -1,53 +0,0 @@ -config_opts['root'] = 'fedora-13-x86_64' -config_opts['target_arch'] = 'x86_64' -config_opts['chroot_setup_cmd'] = 'groupinstall buildsys-build' -config_opts['dist'] = 'fc13' # only useful for --resultdir variable subst - -config_opts['yum.conf'] = """ -[main] -cachedir=/var/cache/yum -debuglevel=1 -reposdir=/dev/null -logfile=/var/log/yum.log -retries=20 -obsoletes=1 -gpgcheck=0 -assumeyes=1 -# grub/syslinux on x86_64 need glibc-devel.i386 which pulls in glibc.i386, need to exclude all -# .i?86 packages except these. -#exclude=[0-9A-Za-fh-z]*.i?86 g[0-9A-Za-km-z]*.i?86 gl[0-9A-Za-hj-z]*.i?86 gli[0-9A-Zac-z]*.i?86 glib[0-9A-Za-bd-z]*.i?86 -# The above is not needed anymore with yum multilib policy of "best" which is the default in Fedora. - -# repos - -[fedora] -name=fedora -mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=fedora-13&arch=x86_64 -failovermethod=priority - -[updates-released] -name=updates -#mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=updates-released-f13&arch=x86_64 -baseurl=http://dl.fedoraproject.org/pub/fedora/linux/updates/13/x86_64/ -failovermethod=priority - -[updates-testing] -name=updates-testing -baseurl=http://dl.fedoraproject.org/pub/fedora/linux/updates/testing/13/x86_64/ -failovermethod=priority -enabled=0 - -[local] -name=local -baseurl=file:///home/scripts-build/mock-local/ -cost=2000 -enabled=1 - -[scripts] -name=Scripts -baseurl=http://web.mit.edu/scripts/yum-repos/rpm-fc13/ -enabled=1 -gpgcheck=0 -""" - - diff --git a/server/fedora/config/etc/mock/scripts-fc15-i386.cfg b/server/fedora/config/etc/mock/scripts-fc15-i386.cfg deleted file mode 100644 index 876a086e..00000000 --- a/server/fedora/config/etc/mock/scripts-fc15-i386.cfg +++ /dev/null 
@@ -1,44 +0,0 @@
-config_opts['root'] = 'fedora-15-i386'
-config_opts['target_arch'] = 'i686'
-config_opts['legal_host_arches'] = ('i386', 'i586', 'i686', 'x86_64')
-config_opts['chroot_setup_cmd'] = 'groupinstall buildsys-build'
-config_opts['dist'] = 'fc15' # only useful for --resultdir variable subst
-
-config_opts['yum.conf'] = """
-[main]
-cachedir=/var/cache/yum
-debuglevel=1
-reposdir=/dev/null
-logfile=/var/log/yum.log
-retries=20
-obsoletes=1
-gpgcheck=0
-assumeyes=1
-syslog_ident=mock
-syslog_device=
-
-# repos
-
-[fedora]
-name=fedora
-mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=fedora-15&arch=i386
-failovermethod=priority
-
-[updates-released]
-name=updates
-#mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=updates-released-f15&arch=i386
-baseurl=http://dl.fedoraproject.org/pub/fedora/linux/updates/15/i386/
-failovermethod=priority
-
-[local]
-name=local
-baseurl=file:///home/scripts-build/mock-local/
-cost=2000
-enabled=1
-
-[scripts]
-name=Scripts
-baseurl=http://web.mit.edu/scripts/yum-repos/rpm-fc15/
-enabled=1
-gpgcheck=0
-"""
diff --git a/server/fedora/config/etc/mock/scripts-fc15-x86_64.cfg b/server/fedora/config/etc/mock/scripts-fc15-x86_64.cfg
deleted file mode 100644
index d9450fea..00000000
--- a/server/fedora/config/etc/mock/scripts-fc15-x86_64.cfg
+++ /dev/null
@@ -1,48 +0,0 @@
-config_opts['root'] = 'fedora-15-x86_64'
-config_opts['target_arch'] = 'x86_64'
-config_opts['legal_host_arches'] = ('x86_64')
-config_opts['chroot_setup_cmd'] = 'groupinstall buildsys-build'
-config_opts['dist'] = 'fc15' # only useful for --resultdir variable subst
-
-config_opts['yum.conf'] = """
-[main]
-cachedir=/var/cache/yum
-debuglevel=1
-reposdir=/dev/null
-logfile=/var/log/yum.log
-retries=20
-obsoletes=1
-gpgcheck=0
-assumeyes=1
-syslog_ident=mock
-syslog_device=
-# grub/syslinux on x86_64 need glibc-devel.i386 which pulls in glibc.i386, need to exclude all
-# .i?86 packages except these.
-#exclude=[0-9A-Za-fh-z]*.i?86 g[0-9A-Za-km-z]*.i?86 gl[0-9A-Za-hj-z]*.i?86 gli[0-9A-Zac-z]*.i?86 glib[0-9A-Za-bd-z]*.i?86
-# The above is not needed anymore with yum multilib policy of "best" which is the default in Fedora.
-
-# repos
-
-[fedora]
-name=fedora
-mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=fedora-15&arch=x86_64
-failovermethod=priority
-
-[updates-released]
-name=updates
-#mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=updates-released-f15&arch=x86_64
-baseurl=http://dl.fedoraproject.org/pub/fedora/linux/updates/15/x86_64/
-failovermethod=priority
-
-[local]
-name=local
-baseurl=file:///home/scripts-build/mock-local/
-cost=2000
-enabled=1
-
-[scripts]
-name=Scripts
-baseurl=http://web.mit.edu/scripts/yum-repos/rpm-fc15/
-enabled=1
-gpgcheck=0
-"""
diff --git a/server/fedora/config/etc/mock/scripts-fc17-i386.cfg b/server/fedora/config/etc/mock/scripts-fc17-i386.cfg
deleted file mode 100644
index 91240357..00000000
--- a/server/fedora/config/etc/mock/scripts-fc17-i386.cfg
+++ /dev/null
@@ -1,47 +0,0 @@
-config_opts['root'] = 'fedora-17-i386'
-config_opts['target_arch'] = 'i686'
-config_opts['legal_host_arches'] = ('i386', 'i586', 'i686', 'x86_64')
-config_opts['chroot_setup_cmd'] = 'groupinstall buildsys-build'
-config_opts['dist'] = 'fc17' # only useful for --resultdir variable subst
-
-config_opts['yum.conf'] = """
-[main]
-cachedir=/var/cache/yum
-debuglevel=1
-reposdir=/dev/null
-logfile=/var/log/yum.log
-retries=20
-obsoletes=1
-gpgcheck=0
-assumeyes=1
-syslog_ident=mock
-syslog_device=
-
-# repos
-
-[fedora]
-name=fedora
-#mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=fedora-17&arch=i386
-#baseurl=http://dl.fedoraproject.org/pub/fedora/linux/releases/17/Everything/i386/os/
-baseurl=http://archives.fedoraproject.org/pub/archive/fedora/linux/releases/17/Everything/i386/os/
-failovermethod=priority
-
-[updates-released]
-name=updates
-#mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=updates-released-f17&arch=i386
-#baseurl=http://dl.fedoraproject.org/pub/fedora/linux/updates/17/i386/
-baseurl=http://archives.fedoraproject.org/pub/archive/fedora/linux/updates/17/i386/
-failovermethod=priority
-
-[local]
-name=local
-baseurl=file:///home/scripts-build/mock-local/
-cost=2000
-enabled=1
-
-[scripts]
-name=Scripts
-baseurl=http://web.mit.edu/scripts/yum-repos/rpm-fc17/
-enabled=1
-gpgcheck=0
-"""
diff --git a/server/fedora/config/etc/mock/scripts-fc17-x86_64.cfg b/server/fedora/config/etc/mock/scripts-fc17-x86_64.cfg
deleted file mode 100644
index 11ee88ba..00000000
--- a/server/fedora/config/etc/mock/scripts-fc17-x86_64.cfg
+++ /dev/null
@@ -1,51 +0,0 @@
-config_opts['root'] = 'fedora-17-x86_64'
-config_opts['target_arch'] = 'x86_64'
-config_opts['legal_host_arches'] = ('x86_64')
-config_opts['chroot_setup_cmd'] = 'groupinstall buildsys-build'
-config_opts['dist'] = 'fc17' # only useful for --resultdir variable subst
-
-config_opts['yum.conf'] = """
-[main]
-cachedir=/var/cache/yum
-debuglevel=1
-reposdir=/dev/null
-logfile=/var/log/yum.log
-retries=20
-obsoletes=1
-gpgcheck=0
-assumeyes=1
-syslog_ident=mock
-syslog_device=
-# grub/syslinux on x86_64 need glibc-devel.i386 which pulls in glibc.i386, need to exclude all
-# .i?86 packages except these.
-#exclude=[0-9A-Za-fh-z]*.i?86 g[0-9A-Za-km-z]*.i?86 gl[0-9A-Za-hj-z]*.i?86 gli[0-9A-Zac-z]*.i?86 glib[0-9A-Za-bd-z]*.i?86
-# The above is not needed anymore with yum multilib policy of "best" which is the default in Fedora.
-
-# repos
-
-[fedora]
-name=fedora
-#mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=fedora-17&arch=x86_64
-#baseurl=http://dl.fedoraproject.org/pub/fedora/linux/releases/17/Everything/x86_64/os/
-baseurl=http://archives.fedoraproject.org/pub/archive/fedora/linux/releases/17/Everything/x86_64/os/
-failovermethod=priority
-
-[updates-released]
-name=updates
-#mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=updates-released-f17&arch=x86_64
-#baseurl=http://dl.fedoraproject.org/pub/fedora/linux/updates/17/x86_64/
-baseurl=http://archives.fedoraproject.org/pub/archive/fedora/linux/updates/17/x86_64/
-failovermethod=priority
-
-[local]
-name=local
-baseurl=file:///home/scripts-build/mock-local/
-cost=2000
-enabled=1
-
-[scripts]
-name=Scripts
-baseurl=http://web.mit.edu/scripts/yum-repos/rpm-fc17/
-enabled=1
-gpgcheck=0
-"""
diff --git a/server/fedora/config/etc/mock/scripts-fc19-i386.cfg b/server/fedora/config/etc/mock/scripts-fc19-i386.cfg
deleted file mode 100644
index 98786e24..00000000
--- a/server/fedora/config/etc/mock/scripts-fc19-i386.cfg
+++ /dev/null
@@ -1,69 +0,0 @@
-config_opts['root'] = 'fedora-19-i386'
-config_opts['target_arch'] = 'i686'
-config_opts['legal_host_arches'] = ('i386', 'i586', 'i686', 'x86_64')
-config_opts['chroot_setup_cmd'] = 'groupinstall buildsys-build'
-config_opts['dist'] = 'fc19' # only useful for --resultdir variable subst
-
-config_opts['yum.conf'] = """
-[main]
-cachedir=/var/cache/yum
-debuglevel=1
-reposdir=/dev/null
-logfile=/var/log/yum.log
-retries=20
-obsoletes=1
-gpgcheck=0
-assumeyes=1
-syslog_ident=mock
-syslog_device=
-
-# repos
-
-[fedora]
-name=fedora
-mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=fedora-19&arch=i386
-#baseurl=http://dl.fedoraproject.org/pub/fedora/linux/releases/19/Everything/i386/os/
-failovermethod=priority
-
-[updates]
-name=updates
-mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=updates-released-f19&arch=i386
-#baseurl=http://dl.fedoraproject.org/pub/fedora/linux/updates/19/i386/
-failovermethod=priority
-
-[updates-testing]
-name=updates-testing
-mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=updates-testing-f19&arch=i386
-failovermethod=priority
-enabled=0
-
-[local]
-name=local
-baseurl=file:///home/scripts-build/mock-local/
-cost=2000
-enabled=1
-
-[scripts]
-name=Scripts
-baseurl=http://web.mit.edu/scripts/yum-repos/rpm-fc19/
-enabled=1
-gpgcheck=0
-
-[fedora-debuginfo]
-name=fedora-debuginfo
-mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=fedora-debug-19&arch=i386
-failovermethod=priority
-enabled=0
-
-[updates-debuginfo]
-name=updates-debuginfo
-mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=updates-released-debug-f19&arch=i386
-failovermethod=priority
-enabled=0
-
-[updates-testing-debuginfo]
-name=updates-testing-debuginfo
-mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=updates-testing-debug-f19&arch=i386
-failovermethod=priority
-enabled=0
-"""
diff --git a/server/fedora/config/etc/mock/scripts-fc19-x86_64.cfg b/server/fedora/config/etc/mock/scripts-fc19-x86_64.cfg
deleted file mode 100644
index 94a54741..00000000
--- a/server/fedora/config/etc/mock/scripts-fc19-x86_64.cfg
+++ /dev/null
@@ -1,69 +0,0 @@
-config_opts['root'] = 'fedora-19-x86_64'
-config_opts['target_arch'] = 'x86_64'
-config_opts['legal_host_arches'] = ('x86_64',)
-config_opts['chroot_setup_cmd'] = 'groupinstall buildsys-build'
-config_opts['dist'] = 'fc19' # only useful for --resultdir variable subst
-
-config_opts['yum.conf'] = """
-[main]
-cachedir=/var/cache/yum
-debuglevel=1
-reposdir=/dev/null
-logfile=/var/log/yum.log
-retries=20
-obsoletes=1
-gpgcheck=0
-assumeyes=1
-syslog_ident=mock
-syslog_device=
-
-# repos
-
-[fedora]
-name=fedora
-mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=fedora-19&arch=x86_64
-#baseurl=http://dl.fedoraproject.org/pub/fedora/linux/releases/19/Everything/x86_64/os/
-failovermethod=priority
-
-[updates]
-name=updates
-mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=updates-released-f19&arch=x86_64
-#baseurl=http://dl.fedoraproject.org/pub/fedora/linux/updates/19/x86_64/
-failovermethod=priority
-
-[updates-testing]
-name=updates-testing
-mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=updates-testing-f19&arch=x86_64
-failovermethod=priority
-enabled=0
-
-[local]
-name=local
-baseurl=file:///home/scripts-build/mock-local/
-cost=2000
-enabled=1
-
-[scripts]
-name=Scripts
-baseurl=http://web.mit.edu/scripts/yum-repos/rpm-fc19/
-enabled=1
-gpgcheck=0
-
-[fedora-debuginfo]
-name=fedora-debuginfo
-mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=fedora-debug-19&arch=x86_64
-failovermethod=priority
-enabled=0
-
-[updates-debuginfo]
-name=updates-debuginfo
-mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=updates-released-debug-f19&arch=x86_64
-failovermethod=priority
-enabled=0
-
-[updates-testing-debuginfo]
-name=updates-testing-debuginfo
-mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=updates-testing-debug-f19&arch=x86_64
-failovermethod=priority
-enabled=0
-"""
diff --git a/server/fedora/config/etc/mock/scripts-fc20-i386.cfg b/server/fedora/config/etc/mock/scripts-fc20-i386.cfg
deleted file mode 100644
index 8b9cf83c..00000000
--- a/server/fedora/config/etc/mock/scripts-fc20-i386.cfg
+++ /dev/null
@@ -1,71 +0,0 @@
-config_opts['root'] = 'fedora-20-i386'
-config_opts['target_arch'] = 'i686'
-config_opts['legal_host_arches'] = ('i386', 'i586', 'i686', 'x86_64')
-config_opts['chroot_setup_cmd'] = 'install @buildsys-build'
-config_opts['dist'] = 'fc20' # only useful for --resultdir variable subst
-config_opts['extra_chroot_dirs'] = [ '/run/lock', ]
-config_opts['releasever'] = '20'
-
-config_opts['yum.conf'] = """
-[main]
-cachedir=/var/cache/yum
-debuglevel=1
-reposdir=/dev/null
-logfile=/var/log/yum.log
-retries=20
-obsoletes=1
-gpgcheck=0
-assumeyes=1
-syslog_ident=mock
-syslog_device=
-
-# repos
-
-[fedora]
-name=fedora
-mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=fedora-20&arch=i386
-#baseurl=http://dl.fedoraproject.org/pub/fedora/linux/releases/20/Everything/i386/os/
-failovermethod=priority
-
-[updates]
-name=updates
-mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=updates-released-f20&arch=i386
-#baseurl=http://dl.fedoraproject.org/pub/fedora/linux/updates/20/i386/
-failovermethod=priority
-
-[updates-testing]
-name=updates-testing
-mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=updates-testing-f20&arch=i386
-failovermethod=priority
-enabled=0
-
-[local]
-name=local
-baseurl=file:///home/scripts-build/mock-local/
-cost=2000
-enabled=1
-
-[scripts]
-name=Scripts
-baseurl=http://web.mit.edu/scripts/yum-repos/rpm-fc20/
-enabled=1
-gpgcheck=0
-
-[fedora-debuginfo]
-name=fedora-debuginfo
-mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=fedora-debug-20&arch=i386
-failovermethod=priority
-enabled=0
-
-[updates-debuginfo]
-name=updates-debuginfo
-mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=updates-released-debug-f20&arch=i386
-failovermethod=priority
-enabled=0
-
-[updates-testing-debuginfo]
-name=updates-testing-debuginfo
-mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=updates-testing-debug-f20&arch=i386
-failovermethod=priority
-enabled=0
-"""
diff --git a/server/fedora/config/etc/mock/scripts-fc20-x86_64.cfg b/server/fedora/config/etc/mock/scripts-fc20-x86_64.cfg
deleted file mode 100644
index d056655f..00000000
--- a/server/fedora/config/etc/mock/scripts-fc20-x86_64.cfg
+++ /dev/null
@@ -1,71 +0,0 @@
-config_opts['root'] = 'fedora-20-x86_64'
-config_opts['target_arch'] = 'x86_64'
-config_opts['legal_host_arches'] = ('x86_64',)
-config_opts['chroot_setup_cmd'] = 'install @buildsys-build'
-config_opts['dist'] = 'fc20' # only useful for --resultdir variable subst
-config_opts['extra_chroot_dirs'] = [ '/run/lock', ]
-config_opts['releasever'] = '20'
-
-config_opts['yum.conf'] = """
-[main]
-cachedir=/var/cache/yum
-debuglevel=1
-reposdir=/dev/null
-logfile=/var/log/yum.log
-retries=20
-obsoletes=1
-gpgcheck=0
-assumeyes=1
-syslog_ident=mock
-syslog_device=
-
-# repos
-
-[fedora]
-name=fedora
-mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=fedora-20&arch=x86_64
-#baseurl=http://dl.fedoraproject.org/pub/fedora/linux/releases/20/Everything/x86_64/os/
-failovermethod=priority
-
-[updates]
-name=updates
-mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=updates-released-f20&arch=x86_64
-#baseurl=http://dl.fedoraproject.org/pub/fedora/linux/updates/20/x86_64/
-failovermethod=priority
-
-[updates-testing]
-name=updates-testing
-mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=updates-testing-f20&arch=x86_64
-failovermethod=priority
-enabled=0
-
-[local]
-name=local
-baseurl=file:///home/scripts-build/mock-local/
-cost=2000
-enabled=1
-
-[scripts]
-name=Scripts
-baseurl=http://web.mit.edu/scripts/yum-repos/rpm-fc20/
-enabled=1
-gpgcheck=0
-
-[fedora-debuginfo]
-name=fedora-debuginfo
-mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=fedora-debug-20&arch=x86_64
-failovermethod=priority
-enabled=0
-
-[updates-debuginfo]
-name=updates-debuginfo
-mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=updates-released-debug-f20&arch=x86_64
-failovermethod=priority
-enabled=0
-
-[updates-testing-debuginfo]
-name=updates-testing-debuginfo
-mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=updates-testing-debug-f20&arch=x86_64
-failovermethod=priority
-enabled=0
-"""
diff --git a/server/fedora/config/etc/mock/scripts-fc27-x86_64.cfg b/server/fedora/config/etc/mock/scripts-fc27-x86_64.cfg
deleted file mode 100644
index 1363b17d..00000000
--- a/server/fedora/config/etc/mock/scripts-fc27-x86_64.cfg
+++ /dev/null
@@ -1,71 +0,0 @@
-config_opts['root'] = 'fedora-27-x86_64'
-config_opts['target_arch'] = 'x86_64'
-config_opts['legal_host_arches'] = ('x86_64',)
-config_opts['chroot_setup_cmd'] = 'install @buildsys-build'
-config_opts['dist'] = 'fc27' # only useful for --resultdir variable subst
-config_opts['extra_chroot_dirs'] = [ '/run/lock', ]
-config_opts['releasever'] = '27'
-
-config_opts['yum.conf'] = """
-[main]
-cachedir=/var/cache/yum
-debuglevel=1
-reposdir=/dev/null
-logfile=/var/log/yum.log
-retries=20
-obsoletes=1
-gpgcheck=0
-assumeyes=1
-syslog_ident=mock
-syslog_device=
-
-# repos
-
-[fedora]
-name=fedora
-mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=fedora-27&arch=x86_64
-#baseurl=http://dl.fedoraproject.org/pub/fedora/linux/releases/27/Everything/x86_64/os/
-failovermethod=priority
-
-[updates]
-name=updates
-mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=updates-released-f27&arch=x86_64
-#baseurl=http://dl.fedoraproject.org/pub/fedora/linux/updates/27/x86_64/
-failovermethod=priority
-
-[updates-testing]
-name=updates-testing
-mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=updates-testing-f27&arch=x86_64
-failovermethod=priority
-enabled=0
-
-[local]
-name=local
-baseurl=file:///home/scripts-build/mock-local/
-cost=2000
-enabled=1
-
-[scripts]
-name=Scripts
-baseurl=http://web.mit.edu/scripts/yum-repos/rpm-fc27/
-enabled=1
-gpgcheck=0
-
-[fedora-debuginfo]
-name=fedora-debuginfo
-mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=fedora-debug-27&arch=x86_64
-failovermethod=priority
-enabled=0
-
-[updates-debuginfo]
-name=updates-debuginfo
-mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=updates-released-debug-f27&arch=x86_64
-failovermethod=priority
-enabled=0
-
-[updates-testing-debuginfo]
-name=updates-testing-debuginfo
-mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=updates-testing-debug-f27&arch=x86_64
-failovermethod=priority
-enabled=0
-"""
From 0f44c57fa8de13c1d779900b42130c1616c24c01 Mon Sep 17 00:00:00 2001 From: Quentin Smith Date: Wed, 22 May 2019 02:17:01 -0400 Subject: [PATCH 025/736] Configure Kerberos --- .../etc => ansible/roles/k5login/files}/krb5.conf | 11 ++++++++--- ansible/roles/k5login/tasks/main.yml | 10 ++++++++++ 2 files changed, 18 insertions(+), 3 deletions(-) rename {server/fedora/config/etc => ansible/roles/k5login/files}/krb5.conf (91%) diff --git a/server/fedora/config/etc/krb5.conf b/ansible/roles/k5login/files/krb5.conf similarity index 91% rename from server/fedora/config/etc/krb5.conf rename to ansible/roles/k5login/files/krb5.conf index 1449b6bd..5f32fe89 100644 --- a/server/fedora/config/etc/krb5.conf +++ b/ansible/roles/k5login/files/krb5.conf @@ -18,13 +18,15 @@ something = something-else } } +# The following libdefaults parameters are only for Heimdal Kerberos. + fcc-mit-ticketflags = true + [realms] ATHENA.MIT.EDU = { - kdc = kerberos.mit.edu:88 - kdc = kerberos-1.mit.edu:88 + kdc = kerberos.mit.edu + kdc = kerberos-1.mit.edu kdc = kerberos-2.mit.edu:88 - kdc = kerberos-3.mit.edu:88 admin_server = kerberos.mit.edu default_domain = mit.edu } @@ -111,6 +113,9 @@ .ai.mit.edu = CSAIL.MIT.EDU ai.mit.edu = CSAIL.MIT.EDU .stanford.edu = stanford.edu + .slac.stanford.edu = SLAC.STANFORD.EDU + .toronto.edu = UTORONTO.CA + .utoronto.ca = UTORONTO.CA [login] krb4_convert = true diff --git a/ansible/roles/k5login/tasks/main.yml b/ansible/roles/k5login/tasks/main.yml index c88cc340..f5daba3c 100644 --- a/ansible/roles/k5login/tasks/main.yml +++ b/ansible/roles/k5login/tasks/main.yml @@ -17,3 +17,13 @@ {% for maintainer in maintainers %} {{ maintainer.username }}/root@ATHENA.MIT.EDU {% endfor %} +- name: Install Kerberos utilities + block: + - apt: name=krb5-user state=present + when: ansible_os_family == "Debian" + - dnf: name=krb5-workstation state=present + when: ansible_os_family == "RedHat" +- name: Configure Kerberos + copy: + dest: /etc/krb5.conf + src: krb5.conf 
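Review bot: The new `fcc-mit-ticketflags = true` line, which the accompanying comment describes as a `[libdefaults]` parameter, is inserted directly after two closing braces whose section header lies outside the hunk, so the diff alone does not show that it lands in `[libdefaults]` rather than at the tail of the preceding section; worth confirming in the full file. The same hunk also drops `kdc = kerberos-3.mit.edu:88` while the commit message only says "Configure Kerberos"; a one-line note on whether that KDC is retired would save the next reader a lookup. The k5login task copies this file to `/etc/krb5.conf` without an explicit mode, which is acceptable for a world-readable config but is clearer stated, e.g. `mode: "0644"`.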
From 0ccbd37ea817cb2458e623348e22692b213035c2 Mon Sep 17 00:00:00 2001 From: Quentin Smith Date: Wed, 22 May 2019 02:32:10 -0400 Subject: [PATCH 026/736] Configure Java memory usage --- ansible/scripts-real.yml | 5 +++++ server/fedora/config/etc/environment | 1 - 2 files changed, 5 insertions(+), 1 deletion(-) delete mode 100644 server/fedora/config/etc/environment diff --git a/ansible/scripts-real.yml b/ansible/scripts-real.yml index 850501f7..3f0f8808 100644 --- a/ansible/scripts-real.yml +++ b/ansible/scripts-real.yml @@ -67,6 +67,11 @@ - IgnoreUserKnownHosts yes - DenyUsers {{ groups['scripts-real'] | map('regex_replace', '^', 'root@') | join(' ') }} notify: reload ssh + - name: Limit Java memory + lineinfile: + path: /etc/environment + line: JAVA_TOOL_OPTIONS="-Xmx128M -XX:MaxPermSize=64M" + regexp: '^JAVA_TOOL_OPTIONS=' handlers: - name: reload autofs service: name=autofs state=reloaded diff --git a/server/fedora/config/etc/environment b/server/fedora/config/etc/environment deleted file mode 100644 index 887b2416..00000000 --- a/server/fedora/config/etc/environment +++ /dev/null @@ -1 +0,0 @@ -JAVA_TOOL_OPTIONS="-Xmx128M -XX:MaxPermSize=64M" From 5cedce8dd4c41dd67078ad4e27872602020677a3 Mon Sep 17 00:00:00 2001 From: Quentin Smith Date: Wed, 22 May 2019 22:20:01 -0400 Subject: [PATCH 027/736] Configure resource limits --- ansible/scripts-real.yml | 13 ++++ server/fedora/config/etc/security/limits.conf | 60 ------------------- 2 files changed, 13 insertions(+), 60 deletions(-) delete mode 100644 server/fedora/config/etc/security/limits.conf diff --git a/ansible/scripts-real.yml b/ansible/scripts-real.yml index 3f0f8808..9d6f0f39 100644 --- a/ansible/scripts-real.yml +++ b/ansible/scripts-real.yml 
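Review bot: `-XX:MaxPermSize` in the added `JAVA_TOOL_OPTIONS` line was removed in JDK 8; on a current JVM it is ignored and a warning is printed at startup by every Java process, since `JAVA_TOOL_OPTIONS` is read by all of them. If the target hosts run Java 8 or newer, `-Xmx128M` is the only effective limit and the line can be reduced to `line: JAVA_TOOL_OPTIONS="-Xmx128M"`; if older JVMs are still expected, a comment saying so would stop the next reader from removing it. The `regexp: '^JAVA_TOOL_OPTIONS='` anchor correctly replaces an existing definition instead of appending a duplicate.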
@@ -72,6 +72,19 @@ path: /etc/environment line: JAVA_TOOL_OPTIONS="-Xmx128M -XX:MaxPermSize=64M" regexp: '^JAVA_TOOL_OPTIONS=' + - name: Configure resource limits + copy: + dest: /etc/security/limits.d/scripts + contents: | + # No limits for root + root - + scripts-build - + + # For everyone else, + * soft core 0 + * - rss 524268 + * - data 1048576 + * - as 1572864 handlers: - name: reload autofs service: name=autofs state=reloaded diff --git a/server/fedora/config/etc/security/limits.conf b/server/fedora/config/etc/security/limits.conf deleted file mode 100644 index efa288ec..00000000 --- a/server/fedora/config/etc/security/limits.conf +++ /dev/null 
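Review bot: `dest: /etc/security/limits.d/scripts` will most likely be ignored, because pam_limits only reads files matching `*.conf` from `limits.d`; the destination should be `/etc/security/limits.d/scripts.conf`. In the same task `contents:` is not a parameter of the `copy` module (the parameter is `content`), so the play fails as written — a later commit on this page renames it, but the missing `.conf` suffix is not addressed there. Note also that `* - rss 524268` has no effect on Linux kernels newer than 2.4.30, where RLIMIT_RSS is not enforced; the `data` and `as` lines are what actually bound memory, so the rss line deserves either a comment or removal. The `root -` and `scripts-build -` lines correctly exempt those accounts from the wildcard limits, which is the same intent as the limits.conf being deleted.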
@@ -1,60 +0,0 @@ -# /etc/security/limits.conf -# -#Each line describes a limit for a user in the form: -# -# -# -#Where: -# can be: -# - an user name -# - a group name, with @group syntax -# - the wildcard *, for default entry -# - the wildcard %, can be also used with %group syntax, -# for maxlogin limit -# -# can have the two values: -# - "soft" for enforcing the soft limits -# - "hard" for enforcing hard limits -# -# can be one of the following: -# - core - limits the core file size (KB) -# - data - max data size (KB) -# - fsize - maximum filesize (KB) -# - memlock - max locked-in-memory address space (KB) -# - nofile - max number of open files -# - rss - max resident set size (KB) -# - stack - max stack size (KB) -# - cpu - max CPU time (MIN) -# - nproc - max number of processes -# - as - address space limit (KB) -# - maxlogins - max number of logins for this user -# - maxsyslogins - max number of logins on the system -# - priority - the priority to run user process with -# - locks - max number of file locks the user can hold -# - sigpending - max number of pending signals -# - msgqueue - max memory used by POSIX message queues (bytes) -# - nice - max nice priority allowed to raise to values: [-20, 19] -# - rtprio - max realtime priority -# -# -# - -# No limits for root -root - -scripts-build - - -# For everyone else, -* soft core 0 -* - rss 524268 -* - data 1048576 -* - as 1572864 - -#* soft core 0 -#* hard rss 10000 -#@student hard nproc 20 -#@faculty soft nproc 20 -#@faculty hard nproc 50 -#ftp hard nproc 0 -#@student - maxlogins 4 - -# End of file From f066d8a4aa2d6102d9d9c05967b14a96ac9da29c Mon Sep 17 00:00:00 2001 
From: Quentin Smith Date: Wed, 22 May 2019 22:23:48 -0400 Subject: [PATCH 028/736] We no longer use SELinux --- .../etc/selinux/strict/contexts/userhelper_context | 1 - .../fedora/config/etc/selinux/strict/contexts/users/root | 9 --------- 2 files changed, 10 deletions(-) delete mode 100644 server/fedora/config/etc/selinux/strict/contexts/userhelper_context delete mode 100644 server/fedora/config/etc/selinux/strict/contexts/users/root diff --git a/server/fedora/config/etc/selinux/strict/contexts/userhelper_context b/server/fedora/config/etc/selinux/strict/contexts/userhelper_context deleted file mode 100644 index b4915f0b..00000000 --- a/server/fedora/config/etc/selinux/strict/contexts/userhelper_context +++ /dev/null @@ -1 +0,0 @@ -user_u:user_r:user_setuid_t:s0 diff --git a/server/fedora/config/etc/selinux/strict/contexts/users/root b/server/fedora/config/etc/selinux/strict/contexts/users/root deleted file mode 100644 index e9d95e86..00000000 --- a/server/fedora/config/etc/selinux/strict/contexts/users/root +++ /dev/null @@ -1,9 +0,0 @@ -system_r:local_login_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 -system_r:crond_t:s0 sysadm_r:sysadm_crond_t:s0 staff_r:staff_crond_t:s0 user_r:user_crond_t:s0 -staff_r:staff_su_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 -sysadm_r:sysadm_su_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 -user_r:user_su_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 -# -# Uncomment if you want to automatically login as sysadm_r -# -#system_r:sshd_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 From 91bde854265d7d31b9e6f40e40dbbc3f2653678a Mon Sep 17 00:00:00 2001 
From: Quentin Smith Date: Wed, 22 May 2019 23:11:34 -0400 Subject: [PATCH 029/736] Configure NRPE plugins for scripts servers --- ansible/files/nrpe_local.cfg | 7 - ansible/roles/nrpe/defaults/main.yml | 8 + ansible/roles/nrpe/tasks/main.yml | 4 +- .../roles/nrpe/templates/nrpe_local.cfg.j2 | 4 + ansible/roles/real-nrpe/defaults/main.yml | 19 ++ .../roles/real-nrpe/files/plugins}/check_afs | 0 .../files/plugins}/check_cron_working | 0 .../real-nrpe/files/plugins}/check_kern_taint | 0 .../real-nrpe/files/plugins}/check_ldap_mmr | 0 .../files/plugins}/check_ldap_mmr.real | 0 .../files/plugins}/check_mail_dnsrbl | 0 ansible/roles/real-nrpe/meta/main.yml | 3 + ansible/roles/real-nrpe/tasks/main.yml | 5 + ansible/scripts-real.yml | 5 +- server/fedora/config/etc/nagios/nrpe.cfg | 228 ------------------ 15 files changed, 43 insertions(+), 240 deletions(-) delete mode 100644 ansible/files/nrpe_local.cfg create mode 100644 ansible/roles/nrpe/defaults/main.yml create mode 100644 ansible/roles/nrpe/templates/nrpe_local.cfg.j2 create mode 100644 ansible/roles/real-nrpe/defaults/main.yml rename {server/fedora/config/etc/nagios => ansible/roles/real-nrpe/files/plugins}/check_afs (100%) rename {server/fedora/config/etc/nagios => ansible/roles/real-nrpe/files/plugins}/check_cron_working (100%) rename {server/fedora/config/etc/nagios => ansible/roles/real-nrpe/files/plugins}/check_kern_taint (100%) rename {server/fedora/config/etc/nagios => ansible/roles/real-nrpe/files/plugins}/check_ldap_mmr (100%) rename {server/fedora/config/etc/nagios => ansible/roles/real-nrpe/files/plugins}/check_ldap_mmr.real (100%) rename {server/fedora/config/etc/nagios => ansible/roles/real-nrpe/files/plugins}/check_mail_dnsrbl (100%) create mode 100644 ansible/roles/real-nrpe/meta/main.yml create mode 100644 ansible/roles/real-nrpe/tasks/main.yml delete mode 100644 server/fedora/config/etc/nagios/nrpe.cfg 
diff --git a/ansible/files/nrpe_local.cfg b/ansible/files/nrpe_local.cfg deleted file mode 100644 index 2c5723e5..00000000 --- a/ansible/files/nrpe_local.cfg +++ /dev/null @@ -1,7 +0,0 @@ -allowed_hosts=18.4.60.65 -command[check_load]=/usr/lib/nagios/plugins/check_load -w 15,10,5 -c 30,25,20 -command[check_disk1]=/usr/lib/nagios/plugins/check_disk -w 20 -c 10 -p /dev/hda1 -command[check_disk2]=/usr/lib/nagios/plugins/check_disk -w 20 -c 10 -p /dev/hdb1 -command[check_zombie_procs]=/usr/lib/nagios/plugins/check_procs -w 5 -c 10 -s Z -command[check_total_procs]=/usr/lib/nagios/plugins/check_procs -w 150 -c 200 -command[check_disk]=/usr/lib/nagios/plugins/check_disk -w 10% -c 5% diff --git a/ansible/roles/nrpe/defaults/main.yml b/ansible/roles/nrpe/defaults/main.yml new file mode 100644 index 00000000..2505ae57 --- /dev/null +++ b/ansible/roles/nrpe/defaults/main.yml @@ -0,0 +1,8 @@ +--- +nrpe_checks: + check_load: /usr/lib/nagios/plugins/check_load -w 15,10,5 -c 30,25,20 + check_disk: /usr/lib/nagios/plugins/check_disk -w 10% -c 5% + check_disk1: /usr/lib/nagios/plugins/check_disk -w 20 -c 10 -p /dev/hda1 + check_disk2: /usr/lib/nagios/plugins/check_disk -w 20 -c 10 -p /dev/hdb1 + check_zombie_procs: /usr/lib/nagios/plugins/check_procs -w 5 -c 10 -s Z + check_total_procs: /usr/lib/nagios/plugins/check_procs -w 150 -c 200 diff --git a/ansible/roles/nrpe/tasks/main.yml b/ansible/roles/nrpe/tasks/main.yml index 3ea94263..eb3eb0bf 100644 --- a/ansible/roles/nrpe/tasks/main.yml +++ b/ansible/roles/nrpe/tasks/main.yml @@ -11,7 +11,7 @@ path: /etc/nagios/nrpe.cfg notify: restart nrpe - name: Configure nrpe 2 - copy: + template: + src: nrpe_local.cfg.j2 dest: /etc/nagios/nrpe_local.cfg - src: nrpe_local.cfg notify: restart nrpe diff --git a/ansible/roles/nrpe/templates/nrpe_local.cfg.j2 b/ansible/roles/nrpe/templates/nrpe_local.cfg.j2 new file mode 100644 index 00000000..eb76d177 --- /dev/null +++ b/ansible/roles/nrpe/templates/nrpe_local.cfg.j2 
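Review bot: Both this new `nrpe/defaults/main.yml` and the `real-nrpe/defaults/main.yml` added in the same commit define `nrpe_checks`, and `real-nrpe` pulls in `nrpe` as a dependency; role defaults are the lowest-precedence variable source, so which definition the `nrpe_local.cfg` template actually sees when `nrpe` runs as a dependency should be verified against a real server with `ansible-playbook --check --diff` rather than assumed. A short comment at the top of this file, `# Generic checks; roles that depend on nrpe (e.g. real-nrpe) supply their own nrpe_checks`, would document the intent either way. The `check_disk1`/`check_disk2` entries refer to `/dev/hda1` and `/dev/hdb1`, which may not exist on current hosts; they are carried over from the deleted `nrpe_local.cfg`, so this is pre-existing, but a comment on which hosts still need them would help.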
@@ -0,0 +1,4 @@ +allowed_hosts=18.4.60.65 +{% for name, command in nrpe_checks.iteritems() %} +command[{{ name }}]={{ command }} +{% endfor %} diff --git a/ansible/roles/real-nrpe/defaults/main.yml b/ansible/roles/real-nrpe/defaults/main.yml new file mode 100644 index 00000000..f87bfdfe --- /dev/null +++ b/ansible/roles/real-nrpe/defaults/main.yml @@ -0,0 +1,19 @@ +--- +nrpe_checks: + check_users: /usr/lib64/nagios/plugins/check_users -w 25 -c 50 + check_load: /usr/lib64/nagios/plugins/check_load -w 50:50:50 -c 100:50:50 + check_disk: /usr/lib64/nagios/plugins/check_disk -w 10% -c 5% -A -i ^/mnt + check_procs_cpu: /usr/lib64/nagios/plugins/check_procs -w 4 -c 6 -P 50 + check_procs_crond: "/usr/lib64/nagios/plugins/check_procs -w 1: -c 1: -C crond" + check_procs_nscd: /usr/lib64/nagios/plugins/check_procs -w 1:256 -c 1:512 -u nscd + check_procs_postfix: /usr/lib64/nagios/plugins/check_procs -w 1:128 -c 1:256 -u postfix + check_postfix_mailq: /usr/lib64/nagios/plugins/check_mailq -w 5000 -c 10000 -M postfix + check_afs: /etc/nagios/check_afs + check_afs_athena: /etc/nagios/check_afs athena + check_afs_sipb: /etc/nagios/check_afs sipb + check_cron_working: /etc/nagios/check_cron_working + check_ldap_mmr: /etc/nagios/check_ldap_mmr + check_kern_taint: /etc/nagios/check_kern_taint + check_backend: /usr/lib64/nagios/plugins/check_ping -H 172.21.0.52 -w 500.0,30% -c 3000.0,80% # sql.mit.edu backend IP + check_smtp: /usr/lib64/nagios/plugins/check_smtp -H localhost -f scripts@mit.edu -C 'RCPT TO:' -R 250 + check_mail_dnsrbl: /etc/nagios/check_mail_dnsrbl -w 3 -c 4 -h `hostname` diff --git a/server/fedora/config/etc/nagios/check_afs b/ansible/roles/real-nrpe/files/plugins/check_afs similarity index 100% rename from server/fedora/config/etc/nagios/check_afs rename to ansible/roles/real-nrpe/files/plugins/check_afs 
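Review bot: `nrpe_checks.iteritems()` is a Python 2 only dict method; on a Python 3 Ansible controller the template fails with an undefined-attribute error, whereas `.items()` works on both, so the loop line should read `{% for name, command in nrpe_checks.items() %}`. `allowed_hosts=18.4.60.65` is also hard-coded, while the `nrpe.cfg` this commit deletes (further down this page) allowed `18.4.60.61,18.4.60.65,18.4.60.51`; if the other two monitoring hosts are still live, the scripts servers will start refusing their checks once `real-nrpe` applies this template. Either confirm those hosts are retired in the commit message or make the list a role variable, e.g. a new `nrpe_allowed_hosts` default rendered as `allowed_hosts={{ nrpe_allowed_hosts | join(',') }}`.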
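Review bot: `check_mail_dnsrbl: ... -h \`hostname\`` in the new `real-nrpe` defaults depends on NRPE passing the command line through a shell for the backticks to expand; if it does not, the plugin receives the literal string, and the same applies to the quoting in `check_smtp ... -C 'RCPT TO:'`. Rendering the host name at template time instead, with whichever of `{{ ansible_hostname }}` or `{{ ansible_fqdn }}` matches what `hostname` returns on these machines, removes that dependency. The trailing `# sql.mit.edu backend IP` on `check_backend` is a YAML comment and is not part of the rendered command, which is fine but easy to misread as being passed to `check_ping`.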
diff --git a/server/fedora/config/etc/nagios/check_cron_working b/ansible/roles/real-nrpe/files/plugins/check_cron_working similarity index 100% rename from server/fedora/config/etc/nagios/check_cron_working rename to ansible/roles/real-nrpe/files/plugins/check_cron_working diff --git a/server/fedora/config/etc/nagios/check_kern_taint b/ansible/roles/real-nrpe/files/plugins/check_kern_taint similarity index 100% rename from server/fedora/config/etc/nagios/check_kern_taint rename to ansible/roles/real-nrpe/files/plugins/check_kern_taint diff --git a/server/fedora/config/etc/nagios/check_ldap_mmr b/ansible/roles/real-nrpe/files/plugins/check_ldap_mmr similarity index 100% rename from server/fedora/config/etc/nagios/check_ldap_mmr rename to ansible/roles/real-nrpe/files/plugins/check_ldap_mmr diff --git a/server/fedora/config/etc/nagios/check_ldap_mmr.real b/ansible/roles/real-nrpe/files/plugins/check_ldap_mmr.real similarity index 100% rename from server/fedora/config/etc/nagios/check_ldap_mmr.real rename to ansible/roles/real-nrpe/files/plugins/check_ldap_mmr.real diff --git a/server/fedora/config/etc/nagios/check_mail_dnsrbl b/ansible/roles/real-nrpe/files/plugins/check_mail_dnsrbl similarity index 100% rename from server/fedora/config/etc/nagios/check_mail_dnsrbl rename to ansible/roles/real-nrpe/files/plugins/check_mail_dnsrbl diff --git a/ansible/roles/real-nrpe/meta/main.yml b/ansible/roles/real-nrpe/meta/main.yml new file mode 100644 index 00000000..68ab3b7f --- /dev/null +++ b/ansible/roles/real-nrpe/meta/main.yml @@ -0,0 +1,3 @@ +--- +dependencies: + - nrpe diff --git a/ansible/roles/real-nrpe/tasks/main.yml b/ansible/roles/real-nrpe/tasks/main.yml new file mode 100644 index 00000000..9c1fc028 --- /dev/null +++ b/ansible/roles/real-nrpe/tasks/main.yml @@ -0,0 +1,5 @@ +--- +- name: Install NRPE plugins + copy: + src: plugins/ + dest: /etc/nagios/ diff --git a/ansible/scripts-real.yml b/ansible/scripts-real.yml index 9d6f0f39..584a3e62 100644 
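Review bot: The `copy` of `plugins/` to `/etc/nagios/` in `real-nrpe/tasks/main.yml` sets no `mode`, so newly written `check_*` scripts get the remote default (typically 0644) and will not be executable when NRPE runs them as `/etc/nagios/check_afs` and friends, as the `real-nrpe` defaults expect. Add `mode: "0755"` to the task, or `mode: preserve` if the files are already executable in the repository. The renames in this span are 100% similarity and carry no content change.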
--- a/ansible/scripts-real.yml +++ b/ansible/scripts-real.yml @@ -5,10 +5,9 @@ - syslog-client - root-aliases - munin-node - - nrpe + - real-nrpe - real-pam - mock - # TODO: Configure nrpe with realserver-specific checks # TODO: Configure aliases with blocked accounts and procmail for root tasks: - name: Hesiod @@ -75,7 +74,7 @@ - name: Configure resource limits copy: dest: /etc/security/limits.d/scripts - contents: | + content: | # No limits for root root - scripts-build - diff --git a/server/fedora/config/etc/nagios/nrpe.cfg b/server/fedora/config/etc/nagios/nrpe.cfg deleted file mode 100644 index 31edbc11..00000000 --- a/server/fedora/config/etc/nagios/nrpe.cfg +++ /dev/null 
@@ -1,228 +0,0 @@ -############################################################################# -# Sample NRPE Config File -# Written by: Ethan Galstad (nagios@nagios.org) -# -# Last Modified: 11-23-2007 -# -# NOTES: -# This is a sample configuration file for the NRPE daemon. It needs to be -# located on the remote host that is running the NRPE daemon, not the host -# from which the check_nrpe client is being executed. -############################################################################# - - -# LOG FACILITY -# The syslog facility that should be used for logging purposes. - -log_facility=daemon - - - -# PID FILE -# The name of the file in which the NRPE daemon should write it's process ID -# number. The file is only written if the NRPE daemon is started by the root -# user and is running in standalone mode. - -pid_file=/var/run/nrpe/nrpe.pid - - - -# PORT NUMBER -# Port number we should wait for connections on. -# NOTE: This must be a non-priviledged port (i.e. > 1024). -# NOTE: This option is ignored if NRPE is running under either inetd or xinetd - -server_port=5666 - - - -# SERVER ADDRESS -# Address that nrpe should bind to in case there are more than one interface -# and you do not want nrpe to bind on all interfaces. -# NOTE: This option is ignored if NRPE is running under either inetd or xinetd - -#server_address=127.0.0.1 - - - -# NRPE USER -# This determines the effective user that the NRPE daemon should run as. -# You can either supply a username or a UID. -# -# NOTE: This option is ignored if NRPE is running under either inetd or xinetd - -nrpe_user=nrpe - - - -# NRPE GROUP -# This determines the effective group that the NRPE daemon should run as. -# You can either supply a group name or a GID. -# -# NOTE: This option is ignored if NRPE is running under either inetd or xinetd - -nrpe_group=nrpe - - - -# ALLOWED HOST ADDRESSES -# This is an optional comma-delimited list of IP address or hostnames -# that are allowed to talk to the NRPE daemon. 
-# -# Note: The daemon only does rudimentary checking of the client's IP -# address. I would highly recommend adding entries in your /etc/hosts.allow -# file to allow only the specified host to connect to the port -# you are running this daemon on. -# -# NOTE: This option is ignored if NRPE is running under either inetd or xinetd - -allowed_hosts=18.4.60.61,18.4.60.65,18.4.60.51 - - - -# COMMAND ARGUMENT PROCESSING -# This option determines whether or not the NRPE daemon will allow clients -# to specify arguments to commands that are executed. This option only works -# if the daemon was configured with the --enable-command-args configure script -# option. -# -# *** ENABLING THIS OPTION IS A SECURITY RISK! *** -# Read the SECURITY file for information on some of the security implications -# of enabling this variable. -# -# Values: 0=do not allow arguments, 1=allow command arguments - -dont_blame_nrpe=0 - - - -# COMMAND PREFIX -# This option allows you to prefix all commands with a user-defined string. -# A space is automatically added between the specified prefix string and the -# command line from the command definition. -# -# *** THIS EXAMPLE MAY POSE A POTENTIAL SECURITY RISK, SO USE WITH CAUTION! *** -# Usage scenario: -# Execute restricted commmands using sudo. For this to work, you need to add -# the nagios user to your /etc/sudoers. An example entry for alllowing -# execution of the plugins from might be: -# -# nagios ALL=(ALL) NOPASSWD: /usr/lib/nagios/plugins/ -# -# This lets the nagios user run all commands in that directory (and only them) -# without asking for a password. If you do this, make sure you don't give -# random users write access to that directory or its contents! - -# command_prefix=/usr/bin/sudo - - - -# DEBUGGING OPTION -# This option determines whether or not debugging messages are logged to the -# syslog facility. 
-# Values: 0=debugging off, 1=debugging on - -debug=0 - - - -# COMMAND TIMEOUT -# This specifies the maximum number of seconds that the NRPE daemon will -# allow plugins to finish executing before killing them off. - -command_timeout=60 - - - -# CONNECTION TIMEOUT -# This specifies the maximum number of seconds that the NRPE daemon will -# wait for a connection to be established before exiting. This is sometimes -# seen where a network problem stops the SSL being established even though -# all network sessions are connected. This causes the nrpe daemons to -# accumulate, eating system resources. Do not set this too low. - -connection_timeout=300 - - - -# WEEK RANDOM SEED OPTION -# This directive allows you to use SSL even if your system does not have -# a /dev/random or /dev/urandom (on purpose or because the necessary patches -# were not applied). The random number generator will be seeded from a file -# which is either a file pointed to by the environment valiable $RANDFILE -# or $HOME/.rnd. If neither exists, the pseudo random number generator will -# be initialized and a warning will be issued. -# Values: 0=only seed from /dev/[u]random, 1=also seed from weak randomness - -#allow_weak_random_seed=1 - - - -# INCLUDE CONFIG FILE -# This directive allows you to include definitions from an external config file. - -#include= - - - -# INCLUDE CONFIG DIRECTORY -# This directive allows you to include definitions from config files (with a -# .cfg extension) in one or more directories (with recursion). - -#include_dir= -#include_dir= - - - -# COMMAND DEFINITIONS -# Command definitions that this daemon will run. Definitions -# are in the following format: -# -# command[]= -# -# When the daemon receives a request to return the results of -# it will execute the command specified by the argument. -# -# Unlike Nagios, the command line cannot contain macros - it must be -# typed exactly as it should be executed. 
-# -# Note: Any plugins that are used in the command lines must reside -# on the machine that this daemon is running on! The examples below -# assume that you have plugins installed in a /usr/local/nagios/libexec -# directory. Also note that you will have to modify the definitions below -# to match the argument format the plugins expect. Remember, these are -# examples only! - - -# The following examples use hardcoded command arguments... - -#command[check_users]=/usr/lib64/nagios/plugins/check_users -w 5 -c 10 -#command[check_load]=/usr/lib64/nagios/plugins/check_load -w 15,10,5 -c 30,25,20 -#command[check_hda1]=/usr/lib64/nagios/plugins/check_disk -w 20% -c 10% -p /dev/hda1 -#command[check_zombie_procs]=/usr/lib64/nagios/plugins/check_procs -w 5 -c 10 -s Z -#command[check_total_procs]=/usr/lib64/nagios/plugins/check_procs -w 150 -c 200 - - -# The following examples allow user-supplied arguments and can -# only be used if the NRPE daemon was compiled with support for -# command arguments *AND* the dont_blame_nrpe directive in this -# config file is set to '1'. This poses a potential security risk, so -# make sure you read the SECURITY file before doing this. 
- -command[check_users]=/usr/lib64/nagios/plugins/check_users -w 25 -c 50 -command[check_load]=/usr/lib64/nagios/plugins/check_load -w 50:50:50 -c 100:50:50 -command[check_disk]=/usr/lib64/nagios/plugins/check_disk -w 10% -c 5% -A -i ^/mnt -command[check_procs_cpu]=/usr/lib64/nagios/plugins/check_procs -w 4 -c 6 -P 50 -command[check_procs_crond]=/usr/lib64/nagios/plugins/check_procs -w 1: -c 1: -C crond -command[check_procs_nscd]=/usr/lib64/nagios/plugins/check_procs -w 1:256 -c 1:512 -u nscd -command[check_procs_postfix]=/usr/lib64/nagios/plugins/check_procs -w 1:128 -c 1:256 -u postfix -command[check_postfix_mailq]=/usr/lib64/nagios/plugins/check_mailq -w 5000 -c 10000 -M postfix -command[check_afs]=/etc/nagios/check_afs -command[check_afs_athena]=/etc/nagios/check_afs athena -command[check_afs_sipb]=/etc/nagios/check_afs sipb -command[check_cron_working]=/etc/nagios/check_cron_working -command[check_ldap_mmr]=/etc/nagios/check_ldap_mmr -command[check_kern_taint]=/etc/nagios/check_kern_taint -command[check_backend]=/usr/lib64/nagios/plugins/check_ping -H 172.21.0.52 -w 500.0,30% -c 3000.0,80% # sql.mit.edu backend IP -command[check_smtp]=/usr/lib64/nagios/plugins/check_smtp -H localhost -f scripts@mit.edu -C 'RCPT TO:' -R 250 -command[check_mail_dnsrbl]=/etc/nagios/check_mail_dnsrbl -w 3 -c 4 -h `hostname` From 1bb8cd8d83388fd2c4f27e5b5645a97905637ab1 Mon Sep 17 00:00:00 2001 From: Quentin Smith Date: Wed, 22 May 2019 23:27:40 -0400 Subject: [PATCH 030/736] Fix for Python 3 --- ansible/roles/nrpe/templates/nrpe_local.cfg.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible/roles/nrpe/templates/nrpe_local.cfg.j2 b/ansible/roles/nrpe/templates/nrpe_local.cfg.j2 index eb76d177..0755ee33 100644 --- a/ansible/roles/nrpe/templates/nrpe_local.cfg.j2 +++ b/ansible/roles/nrpe/templates/nrpe_local.cfg.j2 
@@ -1,4 +1,4 @@ allowed_hosts=18.4.60.65 -{% for name, command in nrpe_checks.iteritems() %} +{% for name, command in nrpe_checks.items() %} command[{{ name }}]={{ command }} {% endfor %} From 7bc662461301b1cf624deafaf0591785769b9b5e Mon Sep 17 00:00:00 2001 From: Quentin Smith Date: Wed, 22 May 2019 23:36:37 -0400 Subject: [PATCH 031/736] Set vars in a way that they can propagate to nrpe role --- ansible/roles/real-nrpe/defaults/main.yml | 19 ------------------- ansible/roles/real-nrpe/meta/main.yml | 21 ++++++++++++++++++++- 2 files changed, 20 insertions(+), 20 deletions(-) delete mode 100644 ansible/roles/real-nrpe/defaults/main.yml diff --git a/ansible/roles/real-nrpe/defaults/main.yml b/ansible/roles/real-nrpe/defaults/main.yml deleted file mode 100644 index f87bfdfe..00000000 --- a/ansible/roles/real-nrpe/defaults/main.yml +++ /dev/null 
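Review bot: `allowed_hosts=18.4.60.65` stays a hard-coded context line in this template, while the `nrpe.cfg` deleted in the patch just before this one permitted three hosts (`18.4.60.61,18.4.60.65,18.4.60.51`); if the narrowing is deliberate, a template comment such as `# only the Nagios server at 18.4.60.65 may talk to NRPE; its own address check is rudimentary (see the old nrpe.cfg), so also restrict port 5666 at the host firewall` would record the decision for the next reader. Making the list a role variable, `allowed_hosts={{ nrpe_allowed_hosts | join(',') }}`, would keep the test and production monitoring servers apart without editing the template. The `.items()` change itself is the right Python 3 fix.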
@@ -1,19 +0,0 @@ ---- -nrpe_checks: - check_users: /usr/lib64/nagios/plugins/check_users -w 25 -c 50 - check_load: /usr/lib64/nagios/plugins/check_load -w 50:50:50 -c 100:50:50 - check_disk: /usr/lib64/nagios/plugins/check_disk -w 10% -c 5% -A -i ^/mnt - check_procs_cpu: /usr/lib64/nagios/plugins/check_procs -w 4 -c 6 -P 50 - check_procs_crond: "/usr/lib64/nagios/plugins/check_procs -w 1: -c 1: -C crond" - check_procs_nscd: /usr/lib64/nagios/plugins/check_procs -w 1:256 -c 1:512 -u nscd - check_procs_postfix: /usr/lib64/nagios/plugins/check_procs -w 1:128 -c 1:256 -u postfix - check_postfix_mailq: /usr/lib64/nagios/plugins/check_mailq -w 5000 -c 10000 -M postfix - check_afs: /etc/nagios/check_afs - check_afs_athena: /etc/nagios/check_afs athena - check_afs_sipb: /etc/nagios/check_afs sipb - check_cron_working: /etc/nagios/check_cron_working - check_ldap_mmr: /etc/nagios/check_ldap_mmr - check_kern_taint: /etc/nagios/check_kern_taint - check_backend: /usr/lib64/nagios/plugins/check_ping -H 172.21.0.52 -w 500.0,30% -c 3000.0,80% # sql.mit.edu backend IP - check_smtp: /usr/lib64/nagios/plugins/check_smtp -H localhost -f scripts@mit.edu -C 'RCPT TO:' -R 250 - check_mail_dnsrbl: /etc/nagios/check_mail_dnsrbl -w 3 -c 4 -h `hostname` diff --git a/ansible/roles/real-nrpe/meta/main.yml b/ansible/roles/real-nrpe/meta/main.yml index 68ab3b7f..d62489b3 100644 --- a/ansible/roles/real-nrpe/meta/main.yml +++ b/ansible/roles/real-nrpe/meta/main.yml 
@@ -1,3 +1,22 @@ --- dependencies: - - nrpe + - role: nrpe + vars: + nrpe_checks: + check_users: /usr/lib64/nagios/plugins/check_users -w 25 -c 50 + check_load: /usr/lib64/nagios/plugins/check_load -w 50:50:50 -c 100:50:50 + check_disk: /usr/lib64/nagios/plugins/check_disk -w 10% -c 5% -A -i ^/mnt + check_procs_cpu: /usr/lib64/nagios/plugins/check_procs -w 4 -c 6 -P 50 + check_procs_crond: "/usr/lib64/nagios/plugins/check_procs -w 1: -c 1: -C crond" + check_procs_nscd: /usr/lib64/nagios/plugins/check_procs -w 1:256 -c 1:512 -u nscd + check_procs_postfix: /usr/lib64/nagios/plugins/check_procs -w 1:128 -c 1:256 -u postfix + check_postfix_mailq: /usr/lib64/nagios/plugins/check_mailq -w 5000 -c 10000 -M postfix + check_afs: /etc/nagios/check_afs + check_afs_athena: /etc/nagios/check_afs athena + check_afs_sipb: /etc/nagios/check_afs sipb + check_cron_working: /etc/nagios/check_cron_working + check_ldap_mmr: /etc/nagios/check_ldap_mmr + check_kern_taint: /etc/nagios/check_kern_taint + check_backend: /usr/lib64/nagios/plugins/check_ping -H 172.21.0.52 -w 500.0,30% -c 3000.0,80% # sql.mit.edu backend IP + check_smtp: /usr/lib64/nagios/plugins/check_smtp -H localhost -f scripts@mit.edu -C 'RCPT TO:' -R 250 + check_mail_dnsrbl: /etc/nagios/check_mail_dnsrbl -w 3 -c 4 -h `hostname` From c31db53b79b27cacba52bf6a04c24b207a2cf14c Mon Sep 17 00:00:00 2001 From: Quentin Smith Date: Thu, 23 May 2019 00:35:03 -0400 Subject: [PATCH 032/736] We don't use SNMP anymore either --- server/fedora/config/etc/snmp/snmpd.conf | 1 - 1 file changed, 1 deletion(-) delete mode 100644 server/fedora/config/etc/snmp/snmpd.conf diff --git a/server/fedora/config/etc/snmp/snmpd.conf b/server/fedora/config/etc/snmp/snmpd.conf deleted file mode 100644 index 9897c0e6..00000000 --- a/server/fedora/config/etc/snmp/snmpd.conf +++ /dev/null @@ -1 +0,0 @@ -rocommunity public From 85107f7244777d9ec22704eda558d2f295fee971 Mon Sep 17 00:00:00 2001 
From: Quentin Smith Date: Thu, 23 May 2019 00:59:52 -0400 Subject: [PATCH 033/736] Configure Postfix --- .../roles/real-postfix/files}/postfix/blocked_users | 0 .../files}/postfix/mailbox-command-maps-ldap.cf | 0 .../files}/postfix/mailbox_command_maps | 0 .../roles/real-postfix/files}/postfix/mailq_users | 0 .../roles/real-postfix/files}/postfix/main.cf | 0 .../roles/real-postfix/files}/postfix/virtual | 0 .../files}/postfix/virtual-alias-domains-ldap.cf | 0 .../postfix/virtual-alias-maps-ldap-reserved.cf | 0 .../files}/postfix/virtual-alias-maps-ldap.cf | 0 ansible/roles/real-postfix/handlers/main.yml | 2 ++ ansible/roles/real-postfix/tasks/main.yml | 13 +++++++++++++ .../roles/real-postfix/templates/root-procmailrc.j2 | 4 ++++ ansible/scripts-real.yml | 1 + server/fedora/config/etc/scripts/root-procmailrc | 2 -- 14 files changed, 20 insertions(+), 2 deletions(-) rename {server/fedora/config/etc => ansible/roles/real-postfix/files}/postfix/blocked_users (100%) rename {server/fedora/config/etc => ansible/roles/real-postfix/files}/postfix/mailbox-command-maps-ldap.cf (100%) rename {server/fedora/config/etc => ansible/roles/real-postfix/files}/postfix/mailbox_command_maps (100%) rename {server/fedora/config/etc => ansible/roles/real-postfix/files}/postfix/mailq_users (100%) rename {server/fedora/config/etc => ansible/roles/real-postfix/files}/postfix/main.cf (100%) rename {server/fedora/config/etc => ansible/roles/real-postfix/files}/postfix/virtual (100%) rename {server/fedora/config/etc => ansible/roles/real-postfix/files}/postfix/virtual-alias-domains-ldap.cf (100%) rename {server/fedora/config/etc => ansible/roles/real-postfix/files}/postfix/virtual-alias-maps-ldap-reserved.cf (100%) rename {server/fedora/config/etc => ansible/roles/real-postfix/files}/postfix/virtual-alias-maps-ldap.cf (100%) create mode 100644 ansible/roles/real-postfix/handlers/main.yml create mode 100644 ansible/roles/real-postfix/tasks/main.yml create mode 100644 
ansible/roles/real-postfix/templates/root-procmailrc.j2 delete mode 100644 server/fedora/config/etc/scripts/root-procmailrc diff --git a/server/fedora/config/etc/postfix/blocked_users b/ansible/roles/real-postfix/files/postfix/blocked_users similarity index 100% rename from server/fedora/config/etc/postfix/blocked_users rename to ansible/roles/real-postfix/files/postfix/blocked_users diff --git a/server/fedora/config/etc/postfix/mailbox-command-maps-ldap.cf b/ansible/roles/real-postfix/files/postfix/mailbox-command-maps-ldap.cf similarity index 100% rename from server/fedora/config/etc/postfix/mailbox-command-maps-ldap.cf rename to ansible/roles/real-postfix/files/postfix/mailbox-command-maps-ldap.cf diff --git a/server/fedora/config/etc/postfix/mailbox_command_maps b/ansible/roles/real-postfix/files/postfix/mailbox_command_maps similarity index 100% rename from server/fedora/config/etc/postfix/mailbox_command_maps rename to ansible/roles/real-postfix/files/postfix/mailbox_command_maps diff --git a/server/fedora/config/etc/postfix/mailq_users b/ansible/roles/real-postfix/files/postfix/mailq_users similarity index 100% rename from server/fedora/config/etc/postfix/mailq_users rename to ansible/roles/real-postfix/files/postfix/mailq_users diff --git a/server/fedora/config/etc/postfix/main.cf b/ansible/roles/real-postfix/files/postfix/main.cf similarity index 100% rename from server/fedora/config/etc/postfix/main.cf rename to ansible/roles/real-postfix/files/postfix/main.cf diff --git a/server/fedora/config/etc/postfix/virtual b/ansible/roles/real-postfix/files/postfix/virtual similarity index 100% rename from server/fedora/config/etc/postfix/virtual rename to ansible/roles/real-postfix/files/postfix/virtual 
diff --git a/server/fedora/config/etc/postfix/virtual-alias-domains-ldap.cf b/ansible/roles/real-postfix/files/postfix/virtual-alias-domains-ldap.cf similarity index 100% rename from server/fedora/config/etc/postfix/virtual-alias-domains-ldap.cf rename to ansible/roles/real-postfix/files/postfix/virtual-alias-domains-ldap.cf diff --git a/server/fedora/config/etc/postfix/virtual-alias-maps-ldap-reserved.cf b/ansible/roles/real-postfix/files/postfix/virtual-alias-maps-ldap-reserved.cf similarity index 100% rename from server/fedora/config/etc/postfix/virtual-alias-maps-ldap-reserved.cf rename to ansible/roles/real-postfix/files/postfix/virtual-alias-maps-ldap-reserved.cf diff --git a/server/fedora/config/etc/postfix/virtual-alias-maps-ldap.cf b/ansible/roles/real-postfix/files/postfix/virtual-alias-maps-ldap.cf similarity index 100% rename from server/fedora/config/etc/postfix/virtual-alias-maps-ldap.cf rename to ansible/roles/real-postfix/files/postfix/virtual-alias-maps-ldap.cf diff --git a/ansible/roles/real-postfix/handlers/main.yml b/ansible/roles/real-postfix/handlers/main.yml new file mode 100644 index 00000000..92e6bc6b --- /dev/null +++ b/ansible/roles/real-postfix/handlers/main.yml @@ -0,0 +1,2 @@ +- name: reload postfix + service: name=postfix state=reloaded diff --git a/ansible/roles/real-postfix/tasks/main.yml b/ansible/roles/real-postfix/tasks/main.yml new file mode 100644 index 00000000..e27415ec --- /dev/null +++ b/ansible/roles/real-postfix/tasks/main.yml @@ -0,0 +1,13 @@ +--- +- name: Install postfix + dnf: name=postfix state=present +- name: Install postfix configuration files + copy: + src: postfix/ + dest: /etc/postfix/ + notify: reload postfix +- name: Install root's procmailrc + template: + src: root-procmailrc.j2 + dest: /etc/scripts/root-procmailrc +# TODO: Move blocked users from /etc/aliases into LDAP as scriptsMailboxCommand: /bin/false 
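Review bot: The `copy` of `postfix/` to `/etc/postfix/` installs the LDAP table definitions (`mailbox-command-maps-ldap.cf`, `virtual-alias-domains-ldap.cf`, `virtual-alias-maps-ldap.cf`, `virtual-alias-maps-ldap-reserved.cf`) with no `mode` or `owner`, so they get the remote umask default; if any of them carries a `bind_pw` (their contents are not part of this series, so confirm) that credential becomes readable by every local user. Either set `mode: preserve` on this task and keep the source files at 0640 in the repository, or copy the `*-ldap.cf` files in a separate task with `mode: '0640'` and `group: postfix` (Postfix's default `mail_owner`, which the daemons that consult these tables run as). A one-line comment on the task naming which files are sensitive would stop a later edit from loosening this again.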
diff --git a/ansible/roles/real-postfix/templates/root-procmailrc.j2 b/ansible/roles/real-postfix/templates/root-procmailrc.j2 new file mode 100644 index 00000000..a3b222be --- /dev/null +++ b/ansible/roles/real-postfix/templates/root-procmailrc.j2 @@ -0,0 +1,4 @@ +:0 +! {% for maintainer in maintainers|rejectattr('root_mail', 'none') -%} +{{ maintainer.root_mail|default(maintainer.username + '@mit.edu') }}{{ '' if loop.last else ', ' }} +{%- endfor %} \ No newline at end of file diff --git a/ansible/scripts-real.yml b/ansible/scripts-real.yml index 584a3e62..7326c644 100644 --- a/ansible/scripts-real.yml +++ b/ansible/scripts-real.yml @@ -7,6 +7,7 @@ - munin-node - real-nrpe - real-pam + - real-postfix - mock # TODO: Configure aliases with blocked accounts and procmail for root tasks: diff --git a/server/fedora/config/etc/scripts/root-procmailrc b/server/fedora/config/etc/scripts/root-procmailrc deleted file mode 100644 index 334320cf..00000000 --- a/server/fedora/config/etc/scripts/root-procmailrc +++ /dev/null @@ -1,2 +0,0 @@ -:0 -! andersk@mit.edu, quentin@mit.edu, mitchb@mit.edu, ezyang@mit.edu, xavid@mit.edu, adehnert-sipb@mit.edu, achernya@mit.edu, glasgall@mit.edu, tboning@mit.edu, cereslee@mit.edu, btidor-scripts@mit.edu, vasilvv@mit.edu From 9a393910f49b90a7d487ceaf65184dab2a6dc1a8 Mon Sep 17 00:00:00 2001 From: Quentin Smith Date: Thu, 23 May 2019 01:40:30 -0400 Subject: [PATCH 034/736] Make /etc/scripts --- ansible/roles/real-postfix/tasks/main.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/ansible/roles/real-postfix/tasks/main.yml b/ansible/roles/real-postfix/tasks/main.yml index e27415ec..62c115aa 100644 --- a/ansible/roles/real-postfix/tasks/main.yml +++ b/ansible/roles/real-postfix/tasks/main.yml @@ -6,6 +6,10 @@ src: postfix/ dest: /etc/postfix/ notify: reload postfix +- name: Ensure /etc/scripts exists + file: + path: /etc/scripts/ + state: directory - name: Install root's procmailrc template: src: root-procmailrc.j2 
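Review bot: The recipient expression in `root-procmailrc.j2` rests on a Jinja subtlety that deserves a comment: `rejectattr('root_mail', 'none')` drops a maintainer whose `root_mail` is explicitly `null`, while `default(maintainer.username + '@mit.edu')` only fills in a `root_mail` key that is absent (without the `true` argument, `default` leaves `null` alone, which is why the `rejectattr` is needed first). Suggest a Jinja comment at the top of the template: `{# root_mail: null opts a maintainer out of root's mail; an absent root_mail defaults to <username>@mit.edu #}`. The file is also written without a trailing newline (`\ No newline at end of file`), which is worth adding while here so the generated procmailrc ends cleanly.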
From 49fa5957f4bb37c2e6fc236a3c409d05e0f4ea9d Mon Sep 17 00:00:00 2001 From: Quentin Smith Date: Thu, 23 May 2019 01:52:12 -0400 Subject: [PATCH 035/736] Enable postfix --- ansible/roles/real-postfix/tasks/main.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/ansible/roles/real-postfix/tasks/main.yml b/ansible/roles/real-postfix/tasks/main.yml index 62c115aa..528d013c 100644 --- a/ansible/roles/real-postfix/tasks/main.yml +++ b/ansible/roles/real-postfix/tasks/main.yml @@ -14,4 +14,9 @@ template: src: root-procmailrc.j2 dest: /etc/scripts/root-procmailrc +- name: Enable postfix + service: + name: postfix + enabled: yes + state: started # TODO: Move blocked users from /etc/aliases into LDAP as scriptsMailboxCommand: /bin/false From 306ae9e2263ba2c9acad43f5287d7c5d8ef1b783 Mon Sep 17 00:00:00 2001 From: Quentin Smith Date: Thu, 23 May 2019 02:11:24 -0400 Subject: [PATCH 036/736] Only accept mail on some VIPs --- ansible/inventory.yml | 6 ++++++ ansible/roles/real-postfix/tasks/main.yml | 4 ++++ .../{files/postfix/main.cf => templates/main.cf.j2} | 3 ++- 3 files changed, 12 insertions(+), 1 deletion(-) rename ansible/roles/real-postfix/{files/postfix/main.cf => templates/main.cf.j2} (93%) diff --git a/ansible/inventory.yml b/ansible/inventory.yml index 2951d294..310308ba 100644 --- a/ansible/inventory.yml +++ b/ansible/inventory.yml @@ -27,6 +27,7 @@ all: ip: 18.4.86.43 cidr_netmask: 24 nic: vlan486 + mail: True - host: scripts-cert-new.mit.edu ip: 18.4.86.50 cidr_netmask: 24 @@ -35,6 +36,7 @@ all: ip: 18.4.86.46 cidr_netmask: 24 nic: vlan486 + mail: True - host: scripts-test-new.mit.edu ip: 18.4.86.229 cidr_netmask: 24 @@ -69,6 +71,10 @@ all: scripts-real: vars: ansible_python_interpreter: /usr/bin/python3 + vips: + - host: scripts-test.mit.edu + ip: 18.4.86.229 + cidr_netmask: 24 hosts: quentin-scripts-f30.xvm.mit.edu: {} scripts-f30-test.xvm.mit.edu: {} 
diff --git a/ansible/roles/real-postfix/tasks/main.yml b/ansible/roles/real-postfix/tasks/main.yml index 528d013c..e66b5895 100644 --- a/ansible/roles/real-postfix/tasks/main.yml +++ b/ansible/roles/real-postfix/tasks/main.yml @@ -6,6 +6,10 @@ src: postfix/ dest: /etc/postfix/ notify: reload postfix +- name: Install main.cf + template: + src: main.cf.j2 + dest: /etc/postfix/main.cf - name: Ensure /etc/scripts exists file: path: /etc/scripts/ diff --git a/ansible/roles/real-postfix/files/postfix/main.cf b/ansible/roles/real-postfix/templates/main.cf.j2 similarity index 93% rename from ansible/roles/real-postfix/files/postfix/main.cf rename to ansible/roles/real-postfix/templates/main.cf.j2 index e679cfd6..7f941506 100644 --- a/ansible/roles/real-postfix/files/postfix/main.cf +++ b/ansible/roles/real-postfix/templates/main.cf.j2 @@ -18,7 +18,8 @@ mailbox_command_maps = mailbox_size_limit = 0 message_size_limit = 41943040 recipient_delimiter = + -inet_interfaces = $myhostname, scripts.mit.edu, scripts-vhosts.mit.edu +inet_interfaces = $myhostname{% for vip in vips %}{% if vip.mail | default(False) %}, {{ vip.host }}{% endif %}{% endfor %} + readme_directory = /usr/share/doc/postfix/README_FILES sample_directory = /usr/share/doc/postfix/samples sendmail_path = /usr/sbin/sendmail From 136e5bcc3bdad077ff826b2b55150a07abfaad4e Mon Sep 17 00:00:00 2001 From: Quentin Smith Date: Thu, 23 May 2019 02:13:44 -0400 Subject: [PATCH 037/736] Configure test servers with different VIPs --- ansible/inventory.yml | 20 +++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) diff --git a/ansible/inventory.yml b/ansible/inventory.yml index 310308ba..decb596f 100644 --- a/ansible/inventory.yml +++ b/ansible/inventory.yml 
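Review bot: The new `inet_interfaces` line iterates `vips` unguarded, so rendering `main.cf.j2` on a host whose group defines no `vips` (this commit's inventory change only adds it under `scripts-real`) fails with an undefined-variable error instead of falling back to `$myhostname`; use `{% for vip in vips | default([]) %}`. The same unguarded `{% for vip in vips %}` appears in `real_ether_interfaces.yml.j2` in patch 038 below. A comment above the line, `# listen on the host address plus every VIP flagged mail: True in the inventory`, would explain where the list comes from, since the `mail:` flag lives in a different file and the old hard-coded `scripts.mit.edu, scripts-vhosts.mit.edu` pair is no longer visible here.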
@@ -69,12 +69,14 @@ all: log-normal.mit.edu: {} scripts-real: - vars: - ansible_python_interpreter: /usr/bin/python3 - vips: - - host: scripts-test.mit.edu - ip: 18.4.86.229 - cidr_netmask: 24 - hosts: - quentin-scripts-f30.xvm.mit.edu: {} - scripts-f30-test.xvm.mit.edu: {} + children: + scripts-real-test: + vars: + ansible_python_interpreter: /usr/bin/python3 + vips: + - host: scripts-test.mit.edu + ip: 18.4.86.229 + cidr_netmask: 24 + hosts: + quentin-scripts-f30.xvm.mit.edu: {} + scripts-f30-test.xvm.mit.edu: {} From d3069a06ed1c6cf015d93b32a47509e3e336ae61 Mon Sep 17 00:00:00 2001 From: Quentin Smith Date: Thu, 23 May 2019 02:28:14 -0400 Subject: [PATCH 038/736] Configure lo aliases for vips --- ansible/scripts-real.yml | 7 +++++++ ansible/templates/real_ether_interfaces.yml.j2 | 7 +++++++ 2 files changed, 14 insertions(+) create mode 100644 ansible/templates/real_ether_interfaces.yml.j2 diff --git a/ansible/scripts-real.yml b/ansible/scripts-real.yml index 7326c644..6c56b4d1 100644 --- a/ansible/scripts-real.yml +++ b/ansible/scripts-real.yml @@ -1,5 +1,12 @@ - hosts: scripts-real serial: 1 + vars: + network_ether_interfaces: "{{ lookup('template', 'templates/real_ether_interfaces.yml.j2') | from_yaml }}" + pre_tasks: + - include_role: + name: network_interface + vars: + network_check_packages: False roles: - k5login - syslog-client diff --git a/ansible/templates/real_ether_interfaces.yml.j2 b/ansible/templates/real_ether_interfaces.yml.j2 new file mode 100644 index 00000000..7c35e4f7 --- /dev/null +++ b/ansible/templates/real_ether_interfaces.yml.j2 @@ -0,0 +1,7 @@ +{% for vip in vips %} +- device: lo:{{ loop.index }} + bootproto: static + address: {{ vip.ip }} + netmask: {{ (vip.ip + "/" + (vip.cidr_netmask | string)) | ipaddr('netmask') }} + onboot: True +{% endfor %} \ No newline at end of file From 61d75b2740b7ca573b571ef9a98f21f3ad012819 Mon Sep 17 00:00:00 2001 
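Review bot: `real_ether_interfaces.yml.j2` uses the `ipaddr('netmask')` filter, which needs the `netaddr` Python package on the Ansible controller and otherwise fails at template time, and nothing in the playbook records that requirement. Suggest a comment at the top of the template, `{# needs python-netaddr on the controller for ipaddr(); one lo:N alias per VIP, numbered by position in vips #}`, since the `lo:{{ loop.index }}` naming also means that reordering or removing an entry in `vips` renumbers every alias that follows it. The `\ No newline at end of file` marker shows the template lacks a trailing newline; `from_yaml` tolerates it, but it is worth adding.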
From: Quentin Smith Date: Thu, 23 May 2019 02:45:57 -0400 Subject: [PATCH 039/736] Use a stable sort order for NRPE configuration --- ansible/roles/nrpe/templates/nrpe_local.cfg.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible/roles/nrpe/templates/nrpe_local.cfg.j2 b/ansible/roles/nrpe/templates/nrpe_local.cfg.j2 index 0755ee33..2ec29273 100644 --- a/ansible/roles/nrpe/templates/nrpe_local.cfg.j2 +++ b/ansible/roles/nrpe/templates/nrpe_local.cfg.j2 @@ -1,4 +1,4 @@ allowed_hosts=18.4.60.65 -{% for name, command in nrpe_checks.items() %} +{% for name, command in nrpe_checks | dictsort %} command[{{ name }}]={{ command }} {% endfor %} From 217b7927b8a47d8f41708540397bc43c4b8eac2d Mon Sep 17 00:00:00 2001 From: Quentin Smith Date: Thu, 23 May 2019 03:14:21 -0400 Subject: [PATCH 040/736] Install Postfix LDAP plugin --- ansible/roles/real-postfix/tasks/main.yml | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/ansible/roles/real-postfix/tasks/main.yml b/ansible/roles/real-postfix/tasks/main.yml index e66b5895..3ad048ef 100644 --- a/ansible/roles/real-postfix/tasks/main.yml +++ b/ansible/roles/real-postfix/tasks/main.yml @@ -1,6 +1,12 @@ --- - name: Install postfix - dnf: name=postfix state=present + dnf: + name: "{{ item }}" + state: present + with_items: + - postfix + - postfix-ldap + notify: reload postfix - name: Install postfix configuration files copy: src: postfix/ @@ -10,6 +16,7 @@ template: src: main.cf.j2 dest: /etc/postfix/main.cf + notify: reload postfix - name: Ensure /etc/scripts exists file: path: /etc/scripts/ From 8ff5182bc91ff464936f8968a6eaf8572b555e2a Mon Sep 17 00:00:00 2001 From: Quentin Smith Date: Thu, 23 May 2019 03:16:44 -0400 Subject: [PATCH 041/736] Use non-deprecated way to specify multiple packages --- ansible/roles/real-postfix/tasks/main.yml | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) 
diff --git a/ansible/roles/real-postfix/tasks/main.yml b/ansible/roles/real-postfix/tasks/main.yml index 3ad048ef..a19a2fa8 100644 --- a/ansible/roles/real-postfix/tasks/main.yml +++ b/ansible/roles/real-postfix/tasks/main.yml @@ -1,11 +1,10 @@ --- - name: Install postfix dnf: - name: "{{ item }}" + name: + - postfix + - postfix-ldap state: present - with_items: - - postfix - - postfix-ldap notify: reload postfix - name: Install postfix configuration files copy: From b0549a769fac9fd52e2b693d24d058d96edd8dbf Mon Sep 17 00:00:00 2001 From: Quentin Smith Date: Thu, 23 May 2019 03:21:03 -0400 Subject: [PATCH 042/736] Specify now-required smtpd_relay_restrictions --- ansible/roles/real-postfix/templates/main.cf.j2 | 1 + 1 file changed, 1 insertion(+) diff --git a/ansible/roles/real-postfix/templates/main.cf.j2 b/ansible/roles/real-postfix/templates/main.cf.j2 index 7f941506..108dd5d4 100644 --- a/ansible/roles/real-postfix/templates/main.cf.j2 +++ b/ansible/roles/real-postfix/templates/main.cf.j2 @@ -44,3 +44,4 @@ non_smtpd_milters = unix:/run/spamass-milter/postfix/sock inet_protocols = all # note: as of 21 Oct 2015, our IPv6 addresses do not have rDNS and are rejected by Gmail smtp_address_preference = ipv4 +smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination From 560a47108e2f1219e69030d26c3f871b5f62dd1e Mon Sep 17 00:00:00 2001 From: Quentin Smith Date: Thu, 23 May 2019 22:22:34 -0400 Subject: [PATCH 043/736] Configure nscd --- ansible/roles/real-nss/tasks/main.yml | 22 ++++++++ server/fedora/config/etc/nscd.conf | 80 --------------------------- 2 files changed, 22 insertions(+), 80 deletions(-) create mode 100644 ansible/roles/real-nss/tasks/main.yml delete mode 100644 server/fedora/config/etc/nscd.conf diff --git a/ansible/roles/real-nss/tasks/main.yml b/ansible/roles/real-nss/tasks/main.yml new file mode 100644 index 00000000..e499638d --- /dev/null +++ b/ansible/roles/real-nss/tasks/main.yml 
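Review bot: The added `smtpd_relay_restrictions` carries no comment saying why it is there, and because its value is the stock Postfix default a later reader may drop it as redundant; suggest prefixing it with `# explicit relay policy (smtpd_relay_restrictions exists since Postfix 2.10): this is the stock default, no relaying for unauthenticated clients outside mynetworks`. `defer_unauth_destination` answers relay attempts with a temporary error, so a misconfigured or hostile client keeps retrying and the same rejection recurs in the log; `reject_unauth_destination` gives the same protection with a permanent 5xx and is the usual choice once the configuration is known good. `permit_mynetworks` is evaluated first, so the effective relay boundary is `mynetworks`, which is outside this hunk; confirm it is limited to the hosts that should be allowed to relay.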
@@ -0,0 +1,22 @@ +--- +- name: Install nscd and nslcd + dnf: + name: + - nscd + - nslcd + state: present +- name: Configure nscd for caching + lineinfile: + path: /etc/nscd.conf + regexp: '(?i)^#?\s*{{ item | regex_search("^(\S+)") }}\s*{{ item | regex_search("^(passwd|group|hosts|services|netgroup)") }}\s' + line: "{{ item }}" + loop: + - threads 32 + - max-threads 128 + - negative-time-to-live passwd 5 + - negative-time-to-live group 5 + - suggested-size passwd 1999 + - persistent passwd no + - suggested-size group 1999 + - persistent group no + - suggested-size hosts 1999 diff --git a/server/fedora/config/etc/nscd.conf b/server/fedora/config/etc/nscd.conf deleted file mode 100644 index 936c20c1..00000000 --- a/server/fedora/config/etc/nscd.conf +++ /dev/null @@ -1,80 +0,0 @@ -# -# /etc/nscd.conf -# -# An example Name Service Cache config file. This file is needed by nscd. -# -# Legal entries are: -# -# logfile -# debug-level -# threads -# max-threads -# server-user -# server-user is ignored if nscd is started with -S parameters -# stat-user -# reload-count unlimited| -# paranoia -# restart-interval
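Review bot: The `regexp` in the `Configure nscd for caching` task cannot do what it intends: its second `regex_search` is anchored as `^(passwd|group|hosts|services|netgroup)`, but in every loop item the database name is the second token, so that search never matches. If it renders as an empty string, `negative-time-to-live passwd 5` and `negative-time-to-live group 5` (and the `suggested-size`/`persistent` pairs) share one regexp such as `^#?\s*negative-time-to-live\s*\s`, and `lineinfile` rewrites the same last matching line twice, losing one setting and clobbering whichever database's line happened to be last; if it renders as `None`, nothing matches and every item is appended after the commented-out defaults instead of replacing them. The role also never applies the change: it installs nscd and nslcd but has no `service` task to enable or start nscd and no `notify` to restart it after `/etc/nscd.conf` is edited (unless another role does this). Below is a rewrite with the key and database as separate fields, plus the `restart nscd` handler it needs in `handlers/main.yml` (`service: name=nscd state=restarted`).
```yaml
# … unchanged: Install nscd and nslcd task …
- name: Configure nscd for caching
  lineinfile:
    path: /etc/nscd.conf
    # key, then (for per-database settings) the database as the second token;
    # "#?" also claims the commented-out defaults shipped in nscd.conf
    regexp: '(?i)^#?\s*{{ item.key }}\s+{% if item.db %}{{ item.db }}\s+{% endif %}'
    line: "{{ item.key }} {{ item.db ~ ' ' if item.db else '' }}{{ item.value }}"
  loop:
    - { key: threads, db: '', value: 32 }
    - { key: max-threads, db: '', value: 128 }
    - { key: negative-time-to-live, db: passwd, value: 5 }
    - { key: negative-time-to-live, db: group, value: 5 }
    - { key: suggested-size, db: passwd, value: 1999 }
    - { key: persistent, db: passwd, value: 'no' }
    - { key: suggested-size, db: group, value: 1999 }
    - { key: persistent, db: group, value: 'no' }
    - { key: suggested-size, db: hosts, value: 1999 }
  notify: restart nscd
- name: Enable nscd
  service:
    name: nscd
    enabled: yes
    state: started
```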