ovh/the-bastion
1
1
Fork 0
mirror of https://github.com/ovh/the-bastion.git synced 2025-09-08 14:04:14 +08:00
Code Issues Projects Releases Packages Wiki Activity

Merge pull request #84 from ovh/centos

Browse source 
Fix for centos 8.3
This commit is contained in:
Stéphane Lesimple 2020-12-08 16:39:04 +01:00 committed by GitHub
commit 3031b6ff0c
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
8 changed files with 96 additions and 43 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
.github/workflows/tests.yml vendored
View file

@ -20,7 +20,7 @@ jobs:
name: Full name: Full
strategy: strategy:
matrix: matrix:
platform: [centos7, centos8, debian10, debian8, debian9, opensuse150, opensuse151, opensuse152, ubuntu1404, ubuntu1604, ubuntu1804, ubuntu2004] platform: ['centos7@centos:7.7.1908', 'centos7@centos:7.8.2003', 'centos7@centos:7.9.2009', 'centos8@centos:8.1.1911', 'centos8@centos:8.2.2004', 'centos8@centos:8.3.2011', debian10, debian8, debian9, opensuse150, opensuse151, opensuse152, ubuntu1404, ubuntu1604, ubuntu1804, ubuntu2004]
runs-on: ubuntu-latest runs-on: ubuntu-latest
if: contains(github.event.pull_request.labels.*.name, 'tests:full') if: contains(github.event.pull_request.labels.*.name, 'tests:full')
steps: steps:

2
README.md
View file

@ -73,7 +73,7 @@ Also don't forget to customize your `bastion.conf` file, which can be found in `
Linux distros below are tested with each release, but as this is a security product, you are **warmly** advised to run it on the latest up-to-date stable version of your favorite OS: Linux distros below are tested with each release, but as this is a security product, you are **warmly** advised to run it on the latest up-to-date stable version of your favorite OS:
- Debian 10 (Buster), 9 (Stretch), 8 (Jessie) - Debian 10 (Buster), 9 (Stretch), 8 (Jessie)
- RHEL/CentOS 8, 7 - RHEL/CentOS 8.x (8.3.2011, 8.2.2004, 8.1.1911), 7.x (7.9.2009, 7.8.2003, 7.7.1908)
- Ubuntu LTS 20.04, 18.04, 16.04, 14.04\* - Ubuntu LTS 20.04, 18.04, 16.04, 14.04\*
- OpenSUSE Leap 15.2\*, 15.1\*, 15.0\* - OpenSUSE Leap 15.2\*, 15.1\*, 15.0\*

12
bin/admin/packages-check.sh
View file

@ -69,12 +69,12 @@ if echo "$DISTRO_LIKE" | grep -q -w debian; then
install_cmd="apt-get install" install_cmd="apt-get install"
elif echo "$DISTRO_LIKE" | grep -q -w rhel; then elif echo "$DISTRO_LIKE" | grep -q -w rhel; then
wanted_list="perl-JSON perl-Net-Netmask perl-Net-IP \ wanted_list="perl-JSON perl-Net-Netmask perl-Net-IP \
perl-Net-DNS perl-DBD-SQLite perl-TermReadKey perl-DateTime \ perl-Net-DNS perl-DBD-SQLite perl-TermReadKey \
sudo fping xz sqlite binutils acl perl-TimeDate gnupg rsync \ sudo fping xz sqlite binutils acl gnupg rsync \
perl-JSON-XS inotify-tools lsof curl perl-Term-ReadLine-Gnu \ perl-JSON-XS inotify-tools lsof curl perl-Term-ReadLine-Gnu \
perl-libwww-perl perl-Digest perl-Net-Server cryptsetup mosh \ perl-libwww-perl perl-Digest perl-Net-Server cryptsetup mosh \
expect openssh-server nc bash perl-CGI perl(Test::More) passwd \ expect openssh-server nc bash perl-CGI perl(Test::More) passwd \
cracklib-dicts perl-Time-Piece perl-Time-HiRes which \ cracklib-dicts perl-Time-Piece perl-Time-HiRes diffutils \
perl-Sys-Syslog pamtester google-authenticator qrencode-libs" perl-Sys-Syslog pamtester google-authenticator qrencode-libs"
if [ "$DISTRO_VERSION_MAJOR" = 7 ]; then if [ "$DISTRO_VERSION_MAJOR" = 7 ]; then
wanted_list="$wanted_list fortune-mod coreutils" wanted_list="$wanted_list fortune-mod coreutils"
@ -102,14 +102,14 @@ elif echo "$DISTRO_LIKE" | grep -q -w rhel; then
install_cmd="yum install" install_cmd="yum install"
elif echo "$DISTRO_LIKE" | grep -q -w suse; then elif echo "$DISTRO_LIKE" | grep -q -w suse; then
wanted_list="perl-common-sense perl-JSON perl-Net-Netmask perl-Net-IP \ wanted_list="perl-common-sense perl-JSON perl-Net-Netmask perl-Net-IP \
perl-Net-DNS perl-DBD-SQLite perl-TermReadKey perl-DateTime \ perl-Net-DNS perl-DBD-SQLite perl-TermReadKey \
fortune sudo fping \ fortune sudo fping \
xz sqlite binutils acl perl-TimeDate gnupg rsync \ xz sqlite binutils acl gnupg rsync \
perl-JSON-XS inotify-tools lsof curl perl-TermReadLine-Gnu \ perl-JSON-XS inotify-tools lsof curl perl-TermReadLine-Gnu \
perl-libwww-perl perl-Digest perl-IO-Socket-SSL \ perl-libwww-perl perl-Digest perl-IO-Socket-SSL \
perl-Net-Server cryptsetup mosh expect openssh \ perl-Net-Server cryptsetup mosh expect openssh \
coreutils netcat-openbsd bash perl-CGI iputils \ coreutils netcat-openbsd bash perl-CGI iputils \
perl-Time-HiRes which perl-Unix-Syslog hostname" perl-Time-HiRes perl-Unix-Syslog hostname"
wanted_list="$wanted_list google-authenticator-libpam" wanted_list="$wanted_list google-authenticator-libpam"
# perl-GnuPG # perl-GnuPG
[ "$opt_syslogng" = 1 ] && wanted_list="$wanted_list syslog-ng" [ "$opt_syslogng" = 1 ] && wanted_list="$wanted_list syslog-ng"

40
bin/helper/osh-groupCreate
View file

@ -175,6 +175,26 @@ $fnret->err eq 'OK'
# Building /home/$group # Building /home/$group
OVH::Bastion::touch_file("/home/$group/allowed.ip"); OVH::Bastion::touch_file("/home/$group/allowed.ip");
osh_info("Adjusting permissions...");
my $bigX = (OVH::Bastion::is_linux() ? 'X' : 'x');
foreach my $command (
['chown', '-R', "$group:$group", "/home/$group"],
['chgrp', "$group-aclkeeper", "/home/$group/allowed.ip"],
['chmod', '-R', "o-rwx,g=r$bigX,u=rw$bigX", "/home/$group"],
['chmod', '0664', "/home/$group/allowed.ip"],
)
{
$fnret = OVH::Bastion::execute(cmd => $command, noisy_stderr => 1);
$fnret->err eq 'OK'
or HEXIT('ERR_CHMOD_FAILED', msg => "Error while running chmod to adjust permissions (" . $fnret->msg . ")");
}
chmod 0751, "/home/$group" if !OVH::Bastion::has_acls();
foreach my $gr ("$group-owner", "$group-gatekeeper", "$group-aclkeeper", "osh-whoHasAccessTo", "osh-auditor") {
OVH::Bastion::sys_setfacl(target => "/home/$group", perms => "g:$gr:x")
or HEXIT('ERR_SETFACL_FAILED', msg => "Error setting ACLs on group homedir");
}
osh_debug("Adding allowkeeper to group $group"); osh_debug("Adding allowkeeper to group $group");
$fnret = OVH::Bastion::add_user_to_group(group => $group, user => 'allowkeeper', groupType => 'key'); $fnret = OVH::Bastion::add_user_to_group(group => $group, user => 'allowkeeper', groupType => 'key');
$fnret or HEXIT($fnret); $fnret or HEXIT($fnret);
@ -239,26 +259,6 @@ if (!$no_key) {
$fnret or HEXIT($fnret); $fnret or HEXIT($fnret);
} }
osh_info("Adjusting permissions...");
my $bigX = (OVH::Bastion::is_linux() ? 'X' : 'x');
foreach my $command (
['chown', '-R', "$group:$group", "/home/$group"],
['chgrp', "$group-aclkeeper", "/home/$group/allowed.ip"],
['chmod', '-R', "o-rwx,g=r$bigX,u=rw$bigX", "/home/$group"],
['chmod', '0664', "/home/$group/allowed.ip"],
)
{
$fnret = OVH::Bastion::execute(cmd => $command, noisy_stderr => 1);
$fnret->err eq 'OK'
or HEXIT('ERR_CHMOD_FAILED', msg => "Error while running chmod to adjust permissions (" . $fnret->msg . ")");
}
chmod 0751, "/home/$group" if !OVH::Bastion::has_acls();
foreach my $gr ("$group-owner", "$group-gatekeeper", "$group-aclkeeper", "osh-whoHasAccessTo", "osh-auditor") {
OVH::Bastion::sys_setfacl(target => "/home/$group", perms => "g:$gr:x")
or HEXIT('ERR_SETFACL_FAILED', msg => "Error setting ACLs on group homedir");
}
# allowed to sudo for the group # allowed to sudo for the group
osh_info("Configuring sudoers for this group"); osh_info("Configuring sudoers for this group");
$fnret = OVH::Bastion::execute(cmd => [$OVH::Bastion::BASEPATH . '/bin/sudogen/generate-sudoers.sh', 'create', 'group', $group], must_succeed => 1, noisy_stdout => 1); $fnret = OVH::Bastion::execute(cmd => [$OVH::Bastion::BASEPATH . '/bin/sudogen/generate-sudoers.sh', 'create', 'group', $group], must_succeed => 1, noisy_stdout => 1);

2
doc/sphinx/installation/basic.rst
View file

@ -27,7 +27,7 @@ We published a Puppet module to handle The Bastion configuration and prerequisit
The following Linux distros are tested with each release, but as this is a security product, you are *warmly* advised to run it on the latest up-to-date stable version of your favorite OS: The following Linux distros are tested with each release, but as this is a security product, you are *warmly* advised to run it on the latest up-to-date stable version of your favorite OS:
- Debian 10 (Buster), 9 (Stretch), 8 (Jessie) - Debian 10 (Buster), 9 (Stretch), 8 (Jessie)
- RHEL/CentOS 8, 7 - RHEL/CentOS 8.x (8.3.2011, 8.2.2004, 8.1.1911), 7.x (7.9.2009, 7.8.2003, 7.7.1908)
- Ubuntu LTS 20.04, 18.04, 16.04, 14.04\* - Ubuntu LTS 20.04, 18.04, 16.04, 14.04\*
- OpenSUSE Leap 15.2\*, 15.1\*, 15.0\* - OpenSUSE Leap 15.2\*, 15.1\*, 15.0\*

1
docker/Dockerfile.centos7
View file

@ -24,3 +24,4 @@ RUN ["/opt/bastion/bin/admin/install","--new-install","--no-wait"]
ENTRYPOINT /opt/bastion/docker/entrypoint.sh ENTRYPOINT /opt/bastion/docker/entrypoint.sh
# TESTENV HAS_ED25519=1 HAS_BLACKLIST=0 HAS_MFA=1 HAS_PAMTESTER=1 # TESTENV HAS_ED25519=1 HAS_BLACKLIST=0 HAS_MFA=1 HAS_PAMTESTER=1
# TESTFROM centos:7.9.2009 centos:7.8.2003 centos:7.7.1908

1
docker/Dockerfile.centos8
View file

@ -24,3 +24,4 @@ RUN ["/opt/bastion/bin/admin/install","--new-install","--no-wait"]
ENTRYPOINT /opt/bastion/docker/entrypoint.sh ENTRYPOINT /opt/bastion/docker/entrypoint.sh
# TESTENV HAS_ED25519=1 HAS_BLACKLIST=0 HAS_MFA=1 HAS_PAMTESTER=1 # TESTENV HAS_ED25519=1 HAS_BLACKLIST=0 HAS_MFA=1 HAS_PAMTESTER=1
# TESTFROM centos:8.3.2011 centos:8.2.2004 centos:8.1.1911

79
tests/functional/docker/docker_build_and_run_tests.sh
View file

@ -11,22 +11,56 @@ namespace=the-bastion-test
target="$1" target="$1"
test_script="$2" test_script="$2"
get_supported_targets() {
local target targets subtarget
for dockerfile in "$(dirname "$0")"/../../../docker/Dockerfile.*; do
if grep -q '^# TESTENV ' "$dockerfile"; then
target=$(basename "$dockerfile")
target=${target/Dockerfile./}
# if the file has a TESTFROM entry, then it's actually multiple similar targets
if grep -q '^# TESTFROM ' "$dockerfile"; then
# shellcheck disable=SC2013
for testfrom in $(grep '^# TESTFROM ' "$dockerfile" | cut -d' ' -f3-); do
subtarget="$target@$testfrom"
targets="$targets $subtarget"
done
fi
targets="$targets $target"
fi
done
# shellcheck disable=SC2086
echo $targets
}
print_supported_targets() {
local target
for target in $(get_supported_targets | tr " " "\n" | sort); do
echo "- $target"
done
echo
}
if [ -z "$target" ] || [ "$target" = "--list-targets" ]; then if [ -z "$target" ] || [ "$target" = "--list-targets" ]; then
targets=$(grep -l '^# TESTENV' "$(dirname "$0")"/../../../docker/Dockerfile.* | sed -re 's=^.+/Dockerfile\.==')
if [ -z "$target" ]; then if [ -z "$target" ]; then
echo "Usage: $0 <TARGET>" >&2 echo "Usage: $0 <TARGET>" >&2
echo -n "Supported targets are: " >&2 echo "Supported targets are: " >&2
grep -l '^# TESTENV' "$(dirname "$0")"/../../../docker/Dockerfile.* | sed -re 's=^.+/Dockerfile\.==' | tr '\n' " " >&2 print_supported_targets >&2
echo >&2
exit 1 exit 1
else else
# shellcheck disable=SC2086 # shellcheck disable=SC2086
echo $targets print_supported_targets
exit 0 exit 0
fi fi
fi fi
target_dockerfile="$(dirname "$0")"/../../../docker/Dockerfile."$target" if echo "$target" | grep -q '@'; then
subtarget=$(echo "$target" | cut -d@ -f2)
target_dockerfile=$(echo "$target" | cut -d@ -f1)
else
subtarget=''
target_dockerfile="$target"
fi
target_dockerfile="$(dirname "$0")"/../../../docker/Dockerfile."$target_dockerfile"
if [ ! -f "$target_dockerfile" ] ; then if [ ! -f "$target_dockerfile" ] ; then
echo "Couldn't find a Dockerfile for $target ($target_dockerfile)" >&2 echo "Couldn't find a Dockerfile for $target ($target_dockerfile)" >&2
exit 1 exit 1
@ -37,10 +71,35 @@ echo "Building test environment"
testenv_dockerfile="$(dirname "$0")/../../../docker/Dockerfile.tester" testenv_dockerfile="$(dirname "$0")/../../../docker/Dockerfile.tester"
docker build -f "$testenv_dockerfile" -t "$namespace:tester" "$(dirname "$0")"/../../.. docker build -f "$testenv_dockerfile" -t "$namespace:tester" "$(dirname "$0")"/../../..
# if we have a subtarget, we need to override the FROM of the target_dockerfile
# don't do this in place however, create a tempfile for this
if [ -n "$subtarget" ]; then
dockerfiletmp=$(mktemp)
trap 'rm -f $dockerfiletmp' EXIT
sed -re "s/^FROM .+/FROM $subtarget/" "$target_dockerfile" > "$dockerfiletmp"
target_dockerfile="$dockerfiletmp"
fi
# build target # build target
echo "Building target environment" echo "Building target environment"
target=$(echo "$target" | sed -re 's/[^a-zA-Z0-9_-]/_/g')
docker build -f "$target_dockerfile" -t "$namespace:$target" --build-arg "TEST_QUICK=$TEST_QUICK" "$(dirname "$0")"/../../.. docker build -f "$target_dockerfile" -t "$namespace:$target" --build-arg "TEST_QUICK=$TEST_QUICK" "$(dirname "$0")"/../../..
# get the target environment we want from the dockerfile
varstoadd=''
privileged=''
for var in $(grep '^# TESTENV' "$target_dockerfile" | tail -n1 | sed -re 's/^# TESTENV//')
do
echo "$var" | grep -Eq '^[A-Z0-9_]+=[01]$' && varstoadd="$varstoadd -e $var "
[ "$var" = "PRIVILEGED=1" ] && privileged='--privileged'
done
# cleanup the dockerfile temp if applicable
if [ -n "$subtarget" ]; then
rm -f "$dockerfiletmp"
trap - EXIT
fi
# create temp key # create temp key
echo "Create user and root SSH keys" echo "Create user and root SSH keys"
privdir=$(mktemp -d) privdir=$(mktemp -d)
@ -54,14 +113,6 @@ ROOT_PUBKEY_B64=$(base64 -w0 < "$privdir"/rootkey.pub)
rm -rf "$privdir" rm -rf "$privdir"
trap - EXIT trap - EXIT
varstoadd=''
privileged=''
for var in $(grep '^# TESTENV' "$target_dockerfile" | tail -n1 | sed -re 's/^# TESTENV//')
do
echo "$var" | grep -Eq '^[A-Z0-9_]+=[01]$' && varstoadd="$varstoadd -e $var "
[ "$var" = "PRIVILEGED=1" ] && privileged='--privileged'
done
echo "Configuring network" echo "Configuring network"
docker rm -f "bastion_${target}_target" 2>/dev/null || true docker rm -f "bastion_${target}_target" 2>/dev/null || true
docker rm -f "bastion_${target}_tester" 2>/dev/null || true docker rm -f "bastion_${target}_tester" 2>/dev/null || true