From b197d2c64153b31d0b37dd284266b430281233e0 Mon Sep 17 00:00:00 2001
From: Charalampos Kominos
Date: Wed, 23 Aug 2023 16:15:15 +0200
Subject: [PATCH] feat: Add new fail2ban elemenent

This patch proposes a new element which installs fail2ban on the final image. More crucially, a custom jail.local is injected during built time which is a useful feature for cloud admins.
Change-Id: I47b90bbf3809cd6f90148b848b2afe4233be79d7
Signed-off-by: Charalampos Kominos
---
 .../elements/fail2ban/README.rst | 19 ++++++++
 .../elements/fail2ban/element-deps | 1 +
 .../elements/fail2ban/package-installs.yaml | 2 +
 .../post-install.d/80-enable-fail2ban-service | 48 +++++++++++++++++++
 .../fail2ban/root.d/60-copy-fail2ban-config | 30 ++++++++++++
 ...add-fail2ban-element-2ccdcab027c9abf7.yaml | 6 +++
 6 files changed, 106 insertions(+)
 create mode 100644 diskimage_builder/elements/fail2ban/README.rst
 create mode 100644 diskimage_builder/elements/fail2ban/element-deps
 create mode 100644 diskimage_builder/elements/fail2ban/package-installs.yaml
 create mode 100755 diskimage_builder/elements/fail2ban/post-install.d/80-enable-fail2ban-service
 create mode 100755 diskimage_builder/elements/fail2ban/root.d/60-copy-fail2ban-config
 create mode 100644 releasenotes/notes/add-fail2ban-element-2ccdcab027c9abf7.yaml
diff --git a/diskimage_builder/elements/fail2ban/README.rst b/diskimage_builder/elements/fail2ban/README.rst
new file mode 100644
index 000000000..8c723db92
--- /dev/null
+++ b/diskimage_builder/elements/fail2ban/README.rst
@@ -0,0 +1,19 @@
+========
+fail2ban
+========
+
+This element installs the fail2ban binary from the upstream repositories.
+In the case of rocky linux, fail2ban lives in epel so the 'epel' element must also be included.
+
+In addition, a compulsory jail.local is expected, localy on the build system, to be inserted in the final image.
+
+Environment Variables
+---------------------
+
+DIB_FAIL2BAN_CONF:
+ :Required: Yes
+ :Default: None
+ :Description: The location of a fail2ban.conf file on the Builder system which will be injected into the image
+ :Example: ``DIB_FAIL2BAN_CONF=~/home/jail.local``
+
+.. element_deps::
diff --git a/diskimage_builder/elements/fail2ban/element-deps b/diskimage_builder/elements/fail2ban/element-deps
new file mode 100644
index 000000000..7076aba94
--- /dev/null
+++ b/diskimage_builder/elements/fail2ban/element-deps
@@ -0,0 +1 @@
+package-installs
diff --git a/diskimage_builder/elements/fail2ban/package-installs.yaml b/diskimage_builder/elements/fail2ban/package-installs.yaml
new file mode 100644
index 000000000..06094ba2a
--- /dev/null
+++ b/diskimage_builder/elements/fail2ban/package-installs.yaml
@@ -0,0 +1,2 @@
+fail2ban:
+ phase: install.d
diff --git a/diskimage_builder/elements/fail2ban/post-install.d/80-enable-fail2ban-service b/diskimage_builder/elements/fail2ban/post-install.d/80-enable-fail2ban-service
new file mode 100755
index 000000000..19497b7b5
--- /dev/null
+++ b/diskimage_builder/elements/fail2ban/post-install.d/80-enable-fail2ban-service
@@ -0,0 +1,48 @@
+#!/bin/bash
+# Copyright (c) 2023 ECMWF
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+#
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+
+if [ "${DIB_DEBUG_TRACE:-0}" -gt 0 ]; then
+ set -x
+fi
+set -eu
+set -o pipefail
+
+case "$DIB_INIT_SYSTEM" in
+ systemd)
+ systemctl enable fail2ban.service
+ ;;
+ openrc)
+ rc-update add fail2ban default
+ ;;
+ *)
+ echo "Unsupported init system $DIB_INIT_SYSTEM"
+ exit 1
+ ;;
+esac
+
+if [ -z "${DIB_FAIL2BAN_CONF:-}" ] ; then
+ echo "DIB_FAIL2BAN_CONF is not set - no fail2ban config can be found"
+ exit 0
+fi
+
+for file in $DIB_FAIL2BAN_CONF; do
+ if [ -f $file ]; then
+ echo "$file is not a valid fail2ban file"
+ echo "We need a proper file DIB_FAIL2BAN.CONF"
+ fi
+done
diff --git a/diskimage_builder/elements/fail2ban/root.d/60-copy-fail2ban-config b/diskimage_builder/elements/fail2ban/root.d/60-copy-fail2ban-config
new file mode 100755
index 000000000..55c95d6a6
--- /dev/null
+++ b/diskimage_builder/elements/fail2ban/root.d/60-copy-fail2ban-config
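Review bot: The validation loop at the end of the hunk has its condition inverted: `[ -f $file ]` is true when the file exists, so a present jail.local prints "is not a valid fail2ban file", a missing one passes silently, and neither path exits non-zero, so the build continues without the configuration the README marks as Required. The `-z` branch just above also exits 0 on an unset variable, and the root.d script 60-copy-fail2ban-config in the same patch skips the copy silently under the same condition, so the variable the release note calls mandatory is in practice optional; either all three spots should fail the build or the docs should say optional. The minimal fix here is `if [ ! -f "$file" ]; then`, `echo "$file is not a valid fail2ban file" >&2` and `exit 1` in the loop, plus `exit 1` in place of `exit 0` in the unset branch. If post-install.d runs inside the image chroot, as the unprivileged `systemctl enable` suggests, a build-host path held in DIB_FAIL2BAN_CONF will not resolve at this point anyway, so the existence check belongs in the root.d script before the copy; note also that the `for` loop word-splits the variable into several files while the copy script treats it as a single file.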
@@ -0,0 +1,30 @@
+#!/bin/bash
+
+# Copyright (c) 2023 ECMWF
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+#
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+
+if [ "${DIB_DEBUG_TRACE:-0}" -gt 0 ]; then
+ set -x
+fi
+set -eu
+set -o pipefail
+
+if [[ -n ${DIB_FAIL2BAN_CONF:-} ]]; then
+
+ sudo mkdir $TARGET_ROOT/etc/fail2ban
+ sudo cp ${DIB_FAIL2BAN_CONF} $TARGET_ROOT/etc/fail2ban/jail.local
+fi
diff --git a/releasenotes/notes/add-fail2ban-element-2ccdcab027c9abf7.yaml b/releasenotes/notes/add-fail2ban-element-2ccdcab027c9abf7.yaml
new file mode 100644
index 000000000..c4fa801f6
--- /dev/null
+++ b/releasenotes/notes/add-fail2ban-element-2ccdcab027c9abf7.yaml
@@ -0,0 +1,6 @@
+---
+features:
+ - |
+ A new fail2ban element has been added which has has been tested on Debian
+ and Rocky images. The usage of a new variable ``DIB_FAIL2BAN_CONF`` is now
+ mandatory during built time.
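Review bot: `sudo mkdir $TARGET_ROOT/etc/fail2ban` has no `-p`, so under `set -e` the script aborts whenever the directory already exists (a re-run, or a base image that already ships fail2ban), and both it and the `cp` line expand `$TARGET_ROOT` and `${DIB_FAIL2BAN_CONF}` unquoted, so a path containing whitespace is split into several arguments. The plain `cp` also derives the mode of the image's jail.local from the host file and the build user's umask rather than from a chosen value. Suggest `sudo mkdir -p -- "$TARGET_ROOT/etc/fail2ban"` and `sudo install -m 0644 -- "$DIB_FAIL2BAN_CONF" "$TARGET_ROOT/etc/fail2ban/jail.local"`, which leaves the file root-owned with a fixed mode. A comment above the `if`, along the lines of `# root.d runs before the fail2ban package is installed, so the directory is created here` (if that ordering is indeed why root.d was chosen), would help the next reader.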