From 2f6cc5cdffa11d44d4652dee337d12e9f440396b Mon Sep 17 00:00:00 2001 From: Luke Short Date: Fri, 9 Aug 2019 18:15:52 -0400 Subject: [PATCH] Create the tripleo-sshd role This role configures the sshd service and related issue and motd banners that are displayed during SSH login. Story: 2006023 Task: 34628 Task: 34630 Task: 34631 Change-Id: I1af1b95ede5f2ed61126ef345d4c87d950fa2525 Signed-off-by: Kevin Carter --- doc/source/roles/role-tripleo-sshd.rst | 6 ++ .../roles/tripleo-sshd/defaults/main.yml | 30 ++++++++ .../roles/tripleo-sshd/handlers/main.yml | 23 +++++++ .../roles/tripleo-sshd/meta/main.yml | 44 ++++++++++++ .../tripleo-sshd/molecule/default/Dockerfile | 37 ++++++++++ .../molecule/default/molecule.yml | 68 +++++++++++++++++++ .../molecule/default/playbook.yml | 26 +++++++ .../roles/tripleo-sshd/tasks/main.yml | 68 +++++++++++++++++++ .../templates/sshd_config_block.j2 | 9 +++ .../roles/tripleo-sshd/vars/main.yml | 30 ++++++++ .../roles/tripleo-sshd/vars/redhat.yml | 19 ++++++ zuul.d/molecule.yaml | 9 +++ 12 files changed, 369 insertions(+) create mode 100644 doc/source/roles/role-tripleo-sshd.rst create mode 100644 tripleo_ansible/roles/tripleo-sshd/defaults/main.yml create mode 100644 tripleo_ansible/roles/tripleo-sshd/handlers/main.yml create mode 100644 tripleo_ansible/roles/tripleo-sshd/meta/main.yml create mode 100644 tripleo_ansible/roles/tripleo-sshd/molecule/default/Dockerfile create mode 100644 tripleo_ansible/roles/tripleo-sshd/molecule/default/molecule.yml create mode 100644 tripleo_ansible/roles/tripleo-sshd/molecule/default/playbook.yml create mode 100644 tripleo_ansible/roles/tripleo-sshd/tasks/main.yml create mode 100644 tripleo_ansible/roles/tripleo-sshd/templates/sshd_config_block.j2 create mode 100644 tripleo_ansible/roles/tripleo-sshd/vars/main.yml create mode 100644 tripleo_ansible/roles/tripleo-sshd/vars/redhat.yml 
diff --git a/doc/source/roles/role-tripleo-sshd.rst b/doc/source/roles/role-tripleo-sshd.rst
new file mode 100644
index 000000000..2bf0baa8f
--- /dev/null
+++ b/doc/source/roles/role-tripleo-sshd.rst
@@ -0,0 +1,6 @@
+===================
+Role - tripleo-sshd
+===================
+
+.. ansibleautoplugin::
+ :role: tripleo_ansible/roles/tripleo-sshd
diff --git a/tripleo_ansible/roles/tripleo-sshd/defaults/main.yml b/tripleo_ansible/roles/tripleo-sshd/defaults/main.yml
new file mode 100644
index 000000000..cc8d3fa7c
--- /dev/null
+++ b/tripleo_ansible/roles/tripleo-sshd/defaults/main.yml
@@ -0,0 +1,30 @@
+---
+# Copyright 2019 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+
+# All variables intended for modification should place placed in this file.
+
+# All variables within this role should have a prefix of "tripleo_tripleo_sshd"
+# Mapping of sshd_config values
+
+# Package state for ssh
+tripleo_sshd_package_state: present
+
+tripleo_sshd_motd_enabled: false
+tripleo_sshd_banner_enabled: false
+
+# SSH configuration options
+tripleo_sshd_password_authentication: 'no'
diff --git a/tripleo_ansible/roles/tripleo-sshd/handlers/main.yml b/tripleo_ansible/roles/tripleo-sshd/handlers/main.yml
new file mode 100644
index 000000000..ff9c1cbee
--- /dev/null
+++ b/tripleo_ansible/roles/tripleo-sshd/handlers/main.yml
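Review bot: The prefix comment in defaults/main.yml names `tripleo_tripleo_sshd`, but every variable in this hunk uses `tripleo_sshd_`, and the line above it reads "should place placed"; I would correct both to `# All variables within this role should have a prefix of "tripleo_sshd_"` and `should be placed in this file`. The `# Mapping of sshd_config values` comment sits above nothing and looks like a leftover from whichever role this file was copied from. The two `*_enabled` toggles deserve a comment saying what each one overwrites (`/etc/issue` and `/etc/motd`, per tasks/main.yml in this patch), so an operator enabling them knows the whole file is replaced rather than appended to.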
@@ -0,0 +1,23 @@
+---
+# Copyright 2019 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+- name: Restart sshd
+ systemd:
+ name: sshd
+ state: restarted
+ enabled: true
+ become: true
+ tags:
+ - handler
diff --git a/tripleo_ansible/roles/tripleo-sshd/meta/main.yml b/tripleo_ansible/roles/tripleo-sshd/meta/main.yml
new file mode 100644
index 000000000..cbfeb34b0
--- /dev/null
+++ b/tripleo_ansible/roles/tripleo-sshd/meta/main.yml
@@ -0,0 +1,44 @@
+---
+# Copyright 2019 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+
+galaxy_info:
+ author: OpenStack
+ description: TripleO OpenStack Role -- tripleo_sshd
+ company: Red Hat
+ license: Apache-2.0
+ min_ansible_version: 2.7
+ #
+ # Provide a list of supported platforms, and for each platform a list of versions.
+ # If you don't wish to enumerate all versions for a particular platform, use 'all'.
+ # To view available platforms and versions (or releases), visit:
+ # https://galaxy.ansible.com/api/v1/platforms/
+ #
+ platforms:
+ - name: Fedora
+ versions:
+ - 28
+ - name: CentOS
+ versions:
+ - 7
+
+ galaxy_tags:
+ - tripleo
+
+
+# List your role dependencies here, one per line. Be sure to remove the '[]' above,
+# if you add dependencies to this list.
+dependencies: []
diff --git a/tripleo_ansible/roles/tripleo-sshd/molecule/default/Dockerfile b/tripleo_ansible/roles/tripleo-sshd/molecule/default/Dockerfile
new file mode 100644
index 000000000..1b91a0e0b
--- /dev/null
+++ b/tripleo_ansible/roles/tripleo-sshd/molecule/default/Dockerfile
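Review bot: `min_ansible_version: 2.7` is an unquoted float; it happens to round-trip today, but the same pattern silently turns a future `2.10` into `2.1`, so write it as `min_ansible_version: "2.7"`. The five-line comment about enumerating platforms is the untouched galaxy skeleton text and can go now that `platforms` is filled in.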
@@ -0,0 +1,37 @@
+# Molecule managed
+# Copyright 2019 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+
+{% if item.registry is defined %}
+FROM {{ item.registry.url }}/{{ item.image }}
+{% else %}
+FROM {{ item.image }}
+{% endif %}
+
+RUN if [ $(command -v apt-get) ]; then apt-get update && apt-get install -y python sudo bash ca-certificates && apt-get clean; \
+ elif [ $(command -v dnf) ]; then dnf makecache && dnf --assumeyes install python sudo python-devel python*-dnf bash {{ item.pkg_extras | default('') }} && dnf clean all; \
+ elif [ $(command -v yum) ]; then yum makecache fast && yum install -y python sudo yum-plugin-ovl python-setuptools bash {{ item.pkg_extras | default('') }} && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf && yum clean all; \
+ elif [ $(command -v zypper) ]; then zypper refresh && zypper install -y python sudo bash python-xml {{ item.pkg_extras | default('') }} && zypper clean -a; \
+ elif [ $(command -v apk) ]; then apk update && apk add --no-cache python sudo bash ca-certificates {{ item.pkg_extras | default('') }}; \
+ elif [ $(command -v xbps-install) ]; then xbps-install -Syu && xbps-install -y python sudo bash ca-certificates {{ item.pkg_extras | default('') }} && xbps-remove -O; fi
+
+{% for pkg in item.easy_install | default([]) %}
+# install pip for centos where there is no python-pip rpm in default repos
+RUN easy_install {{ pkg }}
+{% endfor %}
+
+
+CMD ["sh", "-c", "while true; do
sleep 10000; done"]
diff --git a/tripleo_ansible/roles/tripleo-sshd/molecule/default/molecule.yml b/tripleo_ansible/roles/tripleo-sshd/molecule/default/molecule.yml
new file mode 100644
index 000000000..c5b487da9
--- /dev/null
+++ b/tripleo_ansible/roles/tripleo-sshd/molecule/default/molecule.yml
@@ -0,0 +1,68 @@
+---
+driver:
+ name: docker
+
+log: true
+
+platforms:
+ - name: centos7
+ hostname: centos7
+ image: centos:7
+ dockerfile: Dockerfile
+ pkg_extras: python-setuptools
+ easy_install:
+ - pip
+ environment: &env
+ http_proxy: "{{ lookup('env', 'http_proxy') }}"
+ https_proxy: "{{ lookup('env', 'https_proxy') }}"
+ command: /sbin/init
+ tmpfs:
+ - /run
+ - /tmp
+ capabilities:
+ - ALL # CENT7 requires all due to the age of the software
+ volumes:
+ - /run/udev:/run/udev:ro
+ - /sys/fs/cgroup:/sys/fs/cgroup:ro
+
+ - name: fedora28
+ hostname: fedora28
+ image: fedora:28
+ dockerfile: Dockerfile
+ pkg_extras: python*-setuptools
+ environment:
+ http_proxy: "{{ lookup('env', 'http_proxy') }}"
+ https_proxy: "{{ lookup('env', 'https_proxy') }}"
+ command: /sbin/init
+ privileged: true
+ tmpfs:
+ - /run
+ - /tmp
+ capabilities:
+ - SYS_ADMIN
+ volumes:
+ - /run/udev:/run/udev:ro
+ - /sys/fs/cgroup:/sys/fs/cgroup:ro
+
+provisioner:
+ name: ansible
+ log: true
+ env:
+ ANSIBLE_STDOUT_CALLBACK: yaml
+
+scenario:
+ test_sequence:
+ - destroy
+ - create
+ - prepare
+ - converge
+ - verify
+ - destroy
+
+lint:
+ enabled: false
+
+verifier:
+ name: testinfra
+ lint:
+ name: flake8
diff --git a/tripleo_ansible/roles/tripleo-sshd/molecule/default/playbook.yml b/tripleo_ansible/roles/tripleo-sshd/molecule/default/playbook.yml
new file mode 100644
index 000000000..7f4dcebe8
--- /dev/null
+++ b/tripleo_ansible/roles/tripleo-sshd/molecule/default/playbook.yml
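Review bot: The `&env` anchor on the centos7 `environment` map is never aliased; the fedora28 platform repeats the same two proxy keys by hand, so either reuse it with `environment: *env` or drop the anchor. The fedora28 platform sets `privileged: true` and additionally grants `SYS_ADMIN`, which is redundant once the container is privileged, while centos7 grants `ALL`. These are throwaway test containers, but they run `/sbin/init` with the host's `/sys/fs/cgroup` mounted, so it is worth trimming privileges to the minimum that lets systemd manage sshd and extending the existing `CENT7 requires all` comment to say what actually fails without them.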
@@ -0,0 +1,26 @@
+---
+# Copyright 2019 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+
+- name: Converge
+ hosts: all
+ roles:
+ - name: tripleo-sshd
+ vars:
+ tripleo_sshd_install: true
+ post_tasks:
+ - name: End the playbook before the systemd handler runs to restart sshd
+ meta: end_play
diff --git a/tripleo_ansible/roles/tripleo-sshd/tasks/main.yml b/tripleo_ansible/roles/tripleo-sshd/tasks/main.yml
new file mode 100644
index 000000000..794bb0e07
--- /dev/null
+++ b/tripleo_ansible/roles/tripleo-sshd/tasks/main.yml
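Review bot: `tripleo_sshd_install: true` is passed to the role, but nothing in the tasks/main.yml or defaults/main.yml added by this patch reads a variable of that name, so the play either documents an intent the role does not implement or is a leftover; either gate the `Install the OpenSSH server` task on it (and declare it in defaults) or remove it here. The `meta: end_play` in post_tasks also means the `Restart sshd` handler never fires in this scenario, so converge only exercises the `sshd -T` validate step and never a restart against the rendered config; a comment such as `# handlers are deliberately skipped: only blockinfile's validate covers the rendered sshd_config` would save the next person from assuming the restart path is tested.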
@@ -0,0 +1,68 @@
+---
+# Copyright 2019 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+# found within the "vars/" path. If no OS files are found the task will skip.
+- name: Gather variables for each operating system
+ include_vars: "{{ item }}"
+ with_first_found:
+ - skip: true
+ files:
+ - "{{ ansible_distribution | lower }}-{{ ansible_distribution_version | lower }}.yml"
+ - "{{ ansible_distribution | lower }}-{{ ansible_distribution_major_version | lower }}.yml"
+ - "{{ ansible_os_family | lower }}-{{ ansible_distribution_major_version | lower }}.yml"
+ - "{{ ansible_distribution | lower }}.yml"
+ - "{{ ansible_os_family | lower }}-{{ ansible_distribution_version.split('.')[0] }}.yml"
+ - "{{ ansible_os_family | lower }}.yml"
+ tags:
+ - always
+
+- name: Run sshd tasks as root
+ become: true
+ block:
+ - name: Install the OpenSSH server
+ package:
+ name: "{{ tripleo_sshd_packages }}"
+ state: "{{ tripleo_sshd_package_state }}"
+ notify:
+ - Restart sshd
+
+ - name: force systemd to reread configs
+ meta: flush_handlers
+
+ - name: Adjust ssh server configuration
+ blockinfile:
+ dest: /etc/ssh/sshd_config
+ state: present
+ marker: "# {mark} MANAGED BY TRIPLEO-ANSIBLE"
+ insertafter: "EOF"
+ validate: '/usr/sbin/sshd -T -f %s'
+ block: "{{ lookup('template', 'sshd_config_block.j2') }}"
+ notify:
+ - Restart sshd
+
+ - name: Configure the banner text
+ copy:
+ content: "{{ tripleo_sshd_banner_text }}"
+ dest: /etc/issue
+
when:
+ - tripleo_sshd_banner_enabled | bool
+
+ - name: Configure the motd banner
+ copy:
+ content: "{{ tripleo_sshd_message_of_the_day }}"
+ dest: /etc/motd
+ when:
+ - tripleo_sshd_motd_enabled | bool
diff --git a/tripleo_ansible/roles/tripleo-sshd/templates/sshd_config_block.j2 b/tripleo_ansible/roles/tripleo-sshd/templates/sshd_config_block.j2
new file mode 100644
index 000000000..f30c24e6e
--- /dev/null
+++ b/tripleo_ansible/roles/tripleo-sshd/templates/sshd_config_block.j2
@@ -0,0 +1,9 @@
+SyslogFacility AUTHPRIV
+AuthorizedKeysFile .ssh/authorized_keys
+ChallengeResponseAuthentication no
+GSSAPIAuthentication yes
+GSSAPICleanupCredentials no
+UsePAM yes
+UseDNS no
+X11Forwarding yes
+PasswordAuthentication {{ tripleo_sshd_password_authentication }}
diff --git a/tripleo_ansible/roles/tripleo-sshd/vars/main.yml b/tripleo_ansible/roles/tripleo-sshd/vars/main.yml
new file mode 100644
index 000000000..afe0c7122
--- /dev/null
+++ b/tripleo_ansible/roles/tripleo-sshd/vars/main.yml
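Review bot: The managed block is appended with `insertafter: "EOF"`, but sshd uses the first value it reads for each keyword, so any directive the distribution's sshd_config already sets earlier in the file wins over the block — RHEL/CentOS 7 ships `PasswordAuthentication yes` uncommented, as far as I recall — and `tripleo_sshd_password_authentication: 'no'` then silently has no effect; a block placed after an existing `Match` stanza would also be scoped to that match, which `sshd -T` rejects for keywords like SyslogFacility. Placing the block at the top avoids both problems: `insertbefore: "BOF"`. The `copy` tasks for /etc/issue and /etc/motd set no `mode` or `owner`, so the result depends on the umask of the connecting account; `mode: '0644'` keeps the banners world-readable. The leading comment `# found within the "vars/" path...` starts mid-sentence, its first line appears to have been lost in the copy.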
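Review bot: The template never sets `Banner`, so the /etc/issue content written by the `Configure the banner text` task is only shown by getty on the console; sshd displays a pre-authentication banner only when `Banner` points at a file, and the commit message says these banners are meant for SSH login. Add a `Banner /etc/issue` line to the template, wrapped in `{% if tripleo_sshd_banner_enabled | bool %}` / `{% endif %}`, so enabling the toggle actually reaches SSH clients. `X11Forwarding yes` and `GSSAPIAuthentication yes` are hard-coded while PasswordAuthentication is a variable; exposing them the same way (for example `tripleo_sshd_x11_forwarding`, defaulting to the current value) lets hardening profiles turn them off without forking the template.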
@@ -0,0 +1,30 @@
+---
+# Copyright 2019 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+
+tripleo_sshd_banner_text: |
+ ******************************************************************
+ * This system is for the use of authorized users only. Usage of *
+ * this system may be monitored and recorded by system personnel. *
+ * Anyone using this system expressly consents to such monitoring *
+ * and is advised that if such monitoring reveals possible *
+ * evidence of criminal activity, system personnel may provide *
+ * the evidence from such monitoring to law enforcement officials.*
+ ******************************************************************
+
+tripleo_sshd_message_of_the_day: |
+ ALERT! You are entering into a secured area!
+ This service is restricted to authorized users only.
diff --git a/tripleo_ansible/roles/tripleo-sshd/vars/redhat.yml b/tripleo_ansible/roles/tripleo-sshd/vars/redhat.yml
new file mode 100644
index 000000000..a1ff907d5
--- /dev/null
+++ b/tripleo_ansible/roles/tripleo-sshd/vars/redhat.yml
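Review bot: `tripleo_sshd_banner_text` and `tripleo_sshd_message_of_the_day` live in vars/main.yml, which takes precedence over inventory and group_vars, so operators cannot customise the wording of a login notice that usually has to match organisational policy without an `-e` override or editing the role. Moving both definitions to defaults/main.yml, next to the `*_enabled` toggles they belong to, is the fix; the values themselves can stay as they are. A one-line comment above each noting that the block scalar keeps its trailing newline (so the file ends cleanly) would also help, since `|` versus `|-` is easy to change by accident.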
@@ -0,0 +1,19 @@
+---
+# Copyright 2019 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+
+tripleo_sshd_packages:
+ - openssh-server
diff --git a/zuul.d/molecule.yaml b/zuul.d/molecule.yaml
index 16f0542f4..339fc26b8 100644
--- a/zuul.d/molecule.yaml
+++ b/zuul.d/molecule.yaml
@@ -33,6 +33,7 @@
 - tripleo-ansible-centos-7-molecule-tripleo-cellv2
 - tripleo-ansible-centos-7-molecule-tripleo-clients-install
 - tripleo-ansible-centos-7-molecule-tripleo-validations-package
+ - tripleo-ansible-centos-7-molecule-tripleo-sshd
 gate:
 jobs:
 - tripleo-ansible-centos-7-molecule-aide
@@ -66,6 +67,7 @@
 - tripleo-ansible-centos-7-molecule-tripleo-cellv2
 - tripleo-ansible-centos-7-molecule-tripleo-clients-install
 - tripleo-ansible-centos-7-molecule-tripleo-validations-package
+ - tripleo-ansible-centos-7-molecule-tripleo-sshd
 name: tripleo-ansible-molecule-jobs
 - job:
 files:
@@ -293,3 +295,10 @@
 parent: tripleo-ansible-centos-7-base
 vars:
 tripleo_role_name: tripleo-validations-package
+- job:
+ files:
+ - ^tripleo_ansible/roles/tripleo-sshd/.*
+ name: tripleo-ansible-centos-7-molecule-tripleo-sshd
+ parent: tripleo-ansible-centos-7-base
+ vars:
+ tripleo_role_name: tripleo-sshd