emdee
/
libvirt_cloud
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

proxy_ping_test

This commit is contained in:
emdee 2024-01-05 11:12:55 +00:00
parent 346682eedb
commit c8610f9ded
19 changed files with 1126 additions and 183 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

138
Makefile
View File

@ -9,21 +9,21 @@ ANSIBLE_PLUGINS=/usr/local/lib/python3.11/site-packages/ansible-2.9.22-py3.11.eg
# change this to be that hostname
LOCALHOST=`cat /etc/hostname`
BOX_NBD_BASE_DIR=/a/tmp/GentooImgr
BOX_NBD_BASE_FILE=gentoo.qcow2
BOX_NBD_BASE_QCOW=${BOX_NBD_BASE_DIR}/${BOX_NBD_BASE_FILE}
# set this to the name linux_local_group host in hosts.yml
LOCAL_HOSTS_NAME=pentoo
# set this to the name linux_chroot_group host in hosts.yml
YAML_CHROOT_NAME=linuxGentoo
# set this to the libvirt name of the linux_libvirt_group host in hosts.yml
YAML_BOX_NAME=gentoo1
INST_BOX_NAME=gentoo1
OVERLAY_HOSTS_NAME=gentoo_overlay-2
BOX_NBD_BASE_QCOW="`/usr/local/bin/ansible_get_inventory.bash BOX_NBD_BASE_QCOW ${OVERLAY_HOSTS_NAME}`"
BOX_NBD_OVERLAY_DIR="`/usr/local/bin/ansible_get_inventory.bash BOX_NBD_OVERLAT_DIR ${OVERLAY_HOSTS_NAME}`"
BOX_NBD_OVERLAY_QCOW="`/usr/local/bin/ansible_get_inventory.bash BOX_NBD_OVERLAT_QCOW ${OVERLAY_HOSTS_NAME}`"
BOX_NBD_OVERLAY_XML=${BOX_NBD_OVERLAY_DIR}/xml/${OVERLAY_HOSTS_NAME}.xml
BOX_NBD_OVERLAY_NAME="`/usr/local/bin/ansible_get_inventory.bash BOX_NBD_OVERLAY_NAME ${OVERLAY_HOSTS_NAME}`"
#INST_BOX_DIR=/mnt/o/home/root/vms/virsh
INST_BOX_DIR=${BOX_NBD_BASE_DIR}/create-vm
PWD=/o/var/local/src/play_tox/
NETWORK=default
NETWORK=Whonix-External
VERBOSE=2
all: install lint build check run test
@ -66,27 +66,27 @@ build_base:: install
[ -f ${BOX_NBD_BASE_QCOW} ]
build_overlay::
@virsh list | grep "${INST_BOX_NAME}.*running" && \
virsh destroy ${INST_BOX_NAME} ; true
# @virsh list | grep "${INST_BOX_NAME}.*running" && exit 1
@virsh list --all | grep ${INST_BOX_NAME} && \
virsh undefine ${INST_BOX_NAME} && \
@virsh list | grep "${OVERLAY_HOSTS_NAME}.*running" && \
virsh destroy ${OVERLAY_HOSTS_NAME} ; true
# @virsh list | grep "${OVERLAY_HOSTS_NAME}.*running" && exit 1
@virsh list --all | grep ${OVERLAY_HOSTS_NAME} && \
virsh undefine ${OVERLAY_HOSTS_NAME} && \
rm -f \
${INST_BOX_DIR}/xml/${INST_BOX_NAME}.xml \
${INST_BOX_DIR}/images/${INST_BOX_NAME}.img ; true
${BOX_NBD_OVERLAY_XML} \
${BOX_NBD_OVERLAY_QCOW} ; true
# /a/tmp/GentooImgr/create-vm/xml/gentoo1.xml
# ! virsh list --all | grep "${INST_BOX_NAME}" && exit 2
[ ! -f ${INST_BOX_DIR}/images/${INST_BOX_NAME}.img ] || { \
# ! virsh list --all | grep "${OVERLAY_HOSTS_NAME}" && exit 2
[ ! -f ${BOX_NBD_OVERLAY_QCOW} ] || { \
echo WARN delete this file to continue; \
echo rm -f ${INST_BOX_DIR}/images/${INST_BOX_NAME}.img ; \
echo rm -f ${BOX_NBD_OVERLAY_QCOW} ; \
exit 3 ; }
[ ! -f ${INST_BOX_DIR}/xml/${INST_BOX_NAME}.xml ] || { \
[ ! -f ${BOX_NBD_OVERLAY_XML} ] || { \
echo WARN delete this file to continue ; \
echo rm -f ${INST_BOX_DIR}/xml/${INST_BOX_NAME}.xml ; \
echo rm -f ${BOX_NBD_OVERLAY_XML} ; \
exit 4 ; }
PLAY_ANSIBLE_SRC=${PWD} bash bin/toxcore_build_overlay_qcow.bash
[ -f ${INST_BOX_DIR}/xml/${INST_BOX_NAME}.xml ]
xmllint -noout ${INST_BOX_DIR}/xml/${INST_BOX_NAME}.xml
[ -f ${BOX_NBD_OVERLAY_XML} ]
xmllint -noout ${BOX_NBD_OVERLAY_XML}
check::
grep -n 'shell: *$$' roles/*/tasks/*.yml && { echo ERROR: "shell: in .yml" ; false ; } || true
@ -96,7 +96,7 @@ check::
$(MAKE) -$(MAKEFLAGS) check_base
@[ -d /mnt/gentoo/lost+found ] && \
sudo $(MAKE) -$(MAKEFLAGS) $@_chroot
@[ -f ${INST_BOX_DIR}/images/${INST_BOX_NAME}.img ] && \
@[ -f ${BOX_NBD_OVERLAY_QCOW} ] && \
sudo $(MAKE) -$(MAKEFLAGS) $@_overlay
check_localhost::
@ -106,9 +106,9 @@ check_localhost::
check_base::
ls ${BOX_NBD_BASE_QCOW}
ls ${INST_BOX_DIR}/images/${INST_BOX_NAME}.img
ls ${INST_BOX_DIR}/xml/${INST_BOX_NAME}.xml
ps axf | grep 'qemu-system-x86_64 -name guest='${INST_BOX_NAME} ; \
ls ${BOX_NBD_OVERLAY_QCOW}
ls ${BOX_NBD_OVERLAY_XML}
ps axf | grep 'qemu-system-x86_64 -name guest='${OVERLAY_HOSTS_NAME} ; \
true
check_chroot::
@ -120,18 +120,19 @@ check_chroot::
$(ROLES) > .$@-${YAML_CHROOT_NAME}-${LOCALHOST} 2>&1
check_overlay::
sudo /var/local/sbin/hostvms_libvirt_test_ga.bash ${INST_BOX_NAME} ls /
sudo /usr/local/sbin/toxcore_libvirt_test_ga.bash ${OVERLAY_HOSTS_NAME} ls /
sudo /usr/local/sbin/toxcore_libvirt_test_ga.bash ${OVERLAY_HOSTS_NAME}
# domain-*-gentoo/org.qemu.guest_agent.0 || true
sudo virsh list | grep -q ${OVERLAY_HOSTS_NAME} || exit 0
sudo find /var/lib/libvirt/qemu/channel/target/ | \
grep org.qemu.guest_agent.0
sudo find /var/lib/libvirt/qemu/channel/target/ -type s | \
grep ${INST_BOX_NAME}
ansible -c libvirt_qemu -l ${YAML_BOX_NAME} -i hosts.yml \
-m setup -vvv ${YAML_BOX_NAME}
sudo virsh list | grep -q ${INST_BOX_NAME} || exit 0
sudo sh ansible_local.bash --diff -i hosts.yml -l ${INST_BOX_NAME} \
grep ${OVERLAY_HOSTS_NAME}
ansible -c libvirt_qemu -l ${OVERLAY_HOSTS_NAME} -i hosts.yml \
-m setup -vvv ${OVERLAY_HOSTS_NAME}
sudo sh ansible_local.bash --diff -i hosts.yml -l ${OVERLAY_HOSTS_NAME} \
--check -c libvirt_qemu --verbose ${VERBOSE} \
$(ROLES) > .$@-${INST_BOX_NAME}-${LOCALHOST} 2>&1
$(ROLES) > .$@-${OVERLAY_HOSTS_NAME}-${LOCALHOST} 2>&1
# Edit hosts.yml and customize this target if you are on a Debianish
devuan::
@ -150,8 +151,8 @@ run::
$(MAKE) -$(MAKEFLAGS) $@_local
@[ -d /mnt/gentoo/lost+found ] && \
sudo $(MAKE) -$(MAKEFLAGS) $@_chroot
@[ ! -f ${INST_BOX_DIR}/images/${INST_BOX_NAME}.img ] && \
sudo $(MAKE) -$(MAKEFLAGS) $@_libvirt
@[ ! -f ${BOX_NBD_OVERLAY_QCOW} ] && \
sudo $(MAKE) -$(MAKEFLAGS) $@_overlay
run_local:: lint
A=`grep nbd /proc/partitions | wc -l`
@ -174,26 +175,35 @@ run_chroot::
-c chroot --verbose ${VERBOSE} $(ROLES) \
> .$@-${YAML_CHROOT_NAME}-${LOCALHOST} 2>&1
run_libvirt::
[ -f ${INST_BOX_DIR}/images/${INST_BOX_NAME}.img ]
install_libvirt::
@virsh net-list | grep "${NETWORK}.*active" || \
sudo virsh net-start "${NETWORK}"
@virsh list | grep ${INST_BOX_NAME} && \
virsh define ${INST_BOX_DIR}/xml/${INST_BOX_NAME}.xml
@virsh list | grep "${INST_BOX_NAME}.*running" || \
virsh start ${INST_BOX_NAME}
sh ansible_local.bash --diff -i hosts.yml -l ${INST_BOX_NAME} \
sudo virsh net-start "${NETWORK}" || { \
echo WARN: error virsh net-start "${NETWORK}" ; }
[ -f ${BOX_NBD_OVERLAY_XML} ]
# xmlstarlet sel -t -v
A=$(grep 'source file=' ${BOX_NBD_OVERLAY_XML} | sed -e 's@.*file=.@@' -e "s@'.*@@" )
[ -n "${A}" ] && [ -f "${A}" ]
@virsh list --all | grep ${OVERLAY_HOSTS_NAME} || \
virsh define ${BOX_NBD_OVERLAY_XML}
@virsh list | grep "${OVERLAY_HOSTS_NAME}.*running" || \
{ virsh start ${OVERLAY_HOSTS_NAME} ; sleep 40 ; }
run_overlay:: install_libvirt
[ -f ${BOX_NBD_OVERLAY_QCOW} ] || { \
echo WARN ${BOX_NBD_OVERLAY_QCOW} doesnt exist - make build_overlay ; \
exit 1 ; }
sh ansible_local.bash --diff -i hosts.yml -l ${OVERLAY_HOSTS_NAME} \
-c libvirt_qemu --verbose ${VERBOSE} $(ROLES) \
> .run-${INST_BOX_NAME}-${LOCALHOST} 2>&1
> .run-${OVERLAY_HOSTS_NAME}-${LOCALHOST} 2>&1
# hourly is quick tests, weekly is medium tests, monthly is long tests
weekly:: test
test::
# bash .pyanal.sh &
@[ -d /mnt/gentoo/lost+found ] && \
sudo $(MAKE) -$(MAKEFLAGS) $@_local
@[ -f ${INST_BOX_DIR}/images/${INST_BOX_NAME}.img ] && \
sudo $(MAKE) -$(MAKEFLAGS) $@_libvert
@[ -f ${BOX_NBD_OVERLAY_QCOW} ] && \
sudo $(MAKE) -$(MAKEFLAGS) $@_overlay
test_local::
bash .pyanal.sh &
sudo sh ansible_local.bash --diff -i ${PWD}/hosts.yml -l ${LOCALHOST} \
@ -201,15 +211,39 @@ test_local::
--verbose ${VERBOSE} -t weekly \
$(ROLES) > .$@-${LOCALHOST} 2>&1
test_libvirt::
# bash .pyanal.sh &
# check if ${INST_BOX_NAME} is running
! sudo virsh list | grep -q ${INST_BOX_NAME} && exit 0
test_overlay:: install_libvirt
! sudo virsh list | grep -q ${OVERLAY_HOSTS_NAME} && exit 0
sudo sh ansible_local.bash --diff -i ${PWD}/hosts.yml \
-l ${INST_BOX_NAME} -c libvirt_qemu \
-l ${OVERLAY_HOSTS_NAME} -c libvirt_qemu \
--verbose ${VERBOSE} -t weekly \
$(ROLES) > .$@-${LOCALHOST} 2>&1
# this is a special test target to test a copy of the base qcow2
VM_HOSTS_NAME=gentoo_vm-2
VM_XML=/etc/libvirt/qemu/${VM_HOSTS_NAME}.xml
A="`grep 'source file=.*qcow2' ${VM_XML} | sed -e 's@.*file=.@@' -e "s@'.*@@"`"
install_vm::
@virsh net-list | grep "${NETWORK}.*active" || \
sudo virsh net-start "${NETWORK}" || { \
echo WARN: error virsh net-start "${NETWORK}" ; }
[ -f ${VM_XML} ]
@virsh list --all | grep ${VM_HOSTS_NAME} || { \
echo ERROR virsh define ${VM_XML} ; exit 8 ; }
# xmlstarlet sel -t -v
[ -n "${A}" ] && [ -f "${A}" ]
@virsh list | grep "${VM_HOSTS_NAME}.*running" || \
{ virsh start ${VM_HOSTS_NAME} ; sleep 40 ; }
test_vm:: install_vm
sudo sh ansible_local.bash --diff -i ${PWD}/hosts.yml \
-l ${VM_HOSTS_NAME} -c libvirt_qemu \
--check --verbose ${VERBOSE} -t daily \
$(ROLES) > .$@-${LOCALHOST} 2>&1
sudo sh ansible_local.bash --diff -i ${PWD}/hosts.yml \
-l ${VM_HOSTS_NAME} -c libvirt_qemu \
--verbose ${VERBOSE} -t daily \
$(ROLES) > .$@-${LOCALHOST} 2>&1
veryclean:: clean
rm -f .run* .check*

2
ansible.cfg
View File

@ -1,5 +1,5 @@
[defaults]
log_path = var/tmp/2023/12/31/pentoo/base_proxy_toxcore.log
log_path = var/tmp/2024/01/05/gentoo_vm-2/base_proxy_toxcore.log
callback_plugins = ./lib/plugins/
# /i/data/DevOps/net/Http/docs.ansible.com/ansible/intro_configuration.html
# http://docs.ansible.com/ansible/intro_configuration.html#command-warnings

37
ansible_local.yml
View File

@ -101,10 +101,10 @@
that:
- "'{{ansible_lsb.id}}' == '{{BOX_OS_NAME}}'"
success_msg: "BOX_OS_FAMILY={{BOX_OS_FAMILY}}"
fail_msg: "ON tHE WRONG BOX {{ansible_lsb.id}} "
fail_msg: "ON tHE WRONG BOX {{ansible_lsb.id}}"
when:
- ansible_connection != 'local'
- ansible_lsb.id|default('')" != ''
# - ansible_connection != 'local'
- ansible_lsb.id|default('') != ''
ignore_errors: true
- name: "check BOX_ANSIBLE_CONNECTIONS"
@ -148,39 +148,8 @@
check_mode: false
when: ansible_connection == 'local' or ansible_connection == 'chroot'
- block:
- name: "spinup libvirt hosts"
shell: |
sudo virsh net-list | grep -q default || \
sudo virsh net-start default
sudo virsh list | grep -q "{{ inventory_hostname }}" || \
sudo virsh start "{{ inventory_hostname }}"
delegate_to: localhost
become: yes
- name: "spinup libvirt hosts"
# pip3.sh install ovirt-engine-sdk-python --break-system-packages
ovirt:
url: "qemu:///system"
instance_name: ubuntu18.04
instance_cpus: "1"
state: started
# instance_rootpw
user: "{{ BOX_USER_NAME }}" #
password: "{{ BOX_USER_NAME }}" # "{{ ansible_ssh_user }}
become: yes
# msg: ovirtsdk required for this module
ignore_errors: true
# required
tags: always
check_mode: false
when: ansible_connection == 'libvirt_qemu'
- block:
# after spinup
- name: "we will use sudo and make it a prerequisite"
shell: |
[ -z "$TMPDIR" ] || [ -d "$TMPDIR" ] || mkdir -p "$TMPDIR"

55
hosts.yml
View File

@ -79,7 +79,6 @@ all:
BOX_USR_LIB: lib
BOX_DEFAULT_OUTPUT_IF: wlan4
BOX_PROXY_MODE: selektor
BOX_WHONIX_PROXY_HOST: ""
BOX_GENTOO_DISTFILES_ARCHIVES: "/i/net/Http/distfiles.gentoo.org/distfiles"
BOX_PROXY_JAVA_NET_PROPERTIES: /etc/java-config-2/current-system-vm/jre/lib/net.properties
# /usr/lib/jvm/openjdk-bin-*/conf/net.properties
@ -110,7 +109,6 @@ all:
BOX_JAVA_NET_PROPERTIES: /etc/java-11-openjdk/net.properties
BOX_WHONIX_PROXY_HOST: ""
BOX_PROXY_MODE: tor
BOX_GENTOO_FROM_MP: "/mnt/linuxPen19"
@ -126,13 +124,45 @@ all:
hosts:
gentoo1:
gentoo_overlay-2:
ansible_remote_addr: "gentoo1"
ansible_host: "gentoo1"
ansible_remote_addr: "gentoo_overlay-2"
ansible_host: "gentoo_overlay-2"
ansible_ssh_user: "gentoo"
BOX_SERVICE_MGR: "openrc"
BOX_HOST_NAME: "gentoo1"
BOX_HOST_NAME: "gentoo_overlay-2"
BOX_USER_NAME: "gentoo"
BOX_USER_GROUP: "adm"
BOX_ALSO_GROUP: "adm"
BOX_USER_HOME: "/home/gentoo"
BOX_OS_NAME: Gentoo
BOX_OS_FAMILY: Gentoo
BOX_OS_FLAVOR: "Gentoo"
BOX_PROXY_MODE: nat
BOX_USR_LIB: lib64
BOX_DEFAULT_OUTPUT_IF: eth0
BOX_PYTHON2_MINOR: ""
BOX_PYTHON3_MINOR: "3.11"
BASE_PORTAGE_PYTHON_MINOR: 3.11
BOX_HOST_CONTAINER_MOUNTS: []
BOX_GENTOO_DISTFILES_ARCHIVES: "/mnt/linuxPen19/usr/portage/distfiles"
BOX_PROXY_JAVA_NET_PROPERTIES: /etc/java-config-2/current-system-vm/jre/lib/net.properties
BOX_ALSO_USERS:
- gentoo
BOX_BASE_FEATURES: []
BOX_TOXCORE_FEATURES: ['libvirt'] # ', 'docker
BOX_GENTOO_FROM_MP: "/mnt/linuxPen19"
BOX_NBD_OVERLAY_NAME: "gentoo_overlay-2" # was gentoo1
BOX_NBD_OVERLAY_BASE: "/a/tmp/GentooImgr/gentoo_base-2.qcow2"
BOX_NBD_OVERLAY_QCOW: "/a/tmp/GentooImgr/create-vm/images/gentoo_overlay-2.img"
gentoo_vm-2:
# vm no overlay, copy of the overlay's base
ansible_remote_addr: "gentoo_vm-2"
ansible_host: "gentoo_vm-2"
ansible_ssh_user: "gentoo"
BOX_SERVICE_MGR: "openrc"
BOX_HOST_NAME: "gentoo_vm-2"
BOX_USER_NAME: "gentoo"
BOX_USER_GROUP: "adm"
BOX_ALSO_GROUP: "adm"
@ -151,8 +181,10 @@ all:
BOX_ALSO_USERS:
- gentoo
BOX_BASE_FEATURES: []
BOX_TOXCORE_FEATURES: ['libvirt', 'docker']
BOX_TOXCORE_FEATURES: ['libvirt'] # ', 'docker
BOX_GENTOO_FROM_MP: "/mnt/linuxPen19"
BOX_VM_NAME: "gentoo_vm-2" # was gentoo1
BOX_VM_QCOW: "/o/var/lib/libvirt/images/gentoo_vm-2.qcow2"
ubuntu18.04:
# /mnt
@ -187,11 +219,6 @@ all:
# ansible_ssh_extra_args: "-o StrictHostKeyChecking=no"
# ansible_ssh_host: "127.0.0.1"
BOX_ROOT_GROUP: root
BOX_PROXY_MODE: client
http_proxy: "http://127.0.0.1:3128"
https_proxy: "http://127.0.0.1:9128"
socks_proxy: "socks5://127.0.0.1:9050"
no_proxy: "localhost,127.0.0.1,127.0.0.1"
linux_chroot_group :
@ -261,7 +288,6 @@ all:
# toxcore
BOX_NBD_DEV: nbd1
BOX_NBD_MP: /mnt/gentoo
BOX_NBD_OVERLAY_NAME: "gentoo1"
BOX_NBD_FILES: "/i/data/Agile/tmp/Topics/GentooImgr"
BOX_NBD_PORTAGE_FILE: "{{AGI_NBD_FILES}}/portage-20231223.tar.xz"
BOX_NBD_STAGE3_FILE: "{{AGI_NBD_FILES}}/stage3-amd64-openrc-20231217T170203Z.tar.xz"
@ -269,12 +295,10 @@ all:
BOX_NBD_BASE_PROFILE: openrc
BOX_NBD_BASE_DIR: "/a/tmp/GentooImgr"
BOX_NBD_BASE_QCOW: "{{BOX_NBD_BASE_DIR}}/gentoo.qcow2"
BOX_NBD_OVERLAY_QCOW: "/o/var/lib/libvirt/images/gentoo1.qcow2"
BOX_NBD_BASE_PUBKEY: "/root/.ssh/id_rsa-ansible.pub"
# libvirt overlay
BOX_NBD_OVERLAY_DIR: "/a/tmp/GentooImgr/create-vm"
BOX_NBD_OVERLAY_BASE: "/o/var/lib/libvirt/images/gentoo.qcow2.2"
BOX_NBD_LOGLEVEL: 10
BOX_NBD_OVERLAY_GB: "20"
BOX_NBD_OVERLAY_CPUS: 1
@ -286,7 +310,6 @@ all:
BOX_NBD_OVERLAY_PASS: "gentoo"
BOX_GENTOOIMGR_CONFIGFILE: "/g/Agile/tmp/Topics/GentooImgr/base.json"
vars:
# These come from the inventory overridden for connection = local,chroot in base_proxy.yml
http_proxy: ""

370
lib/plugins/#libvirt_qemu.py# Normal file
View File

@ -0,0 +1,370 @@
# Based on local.py (c) 2012, Michael DeHaan <michael.dehaan@gmail.com>
# Based on chroot.py (c) 2013, Maykel Moya <mmoya@speedyrails.com>
# (c) 2013, Michael Scherer <misc@zarb.org>
# (c) 2015, Toshio Kuratomi <tkuratomi@ansible.com>
# (c) 2017 Ansible Project
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
from __future__ import (absolute_import, division, print_function)
import sys
import time
__metaclass__ = type
DOCUMENTATION = """
author: Jesse Pretorius <jesse@odyssey4.me>
connection: community.libvirt.libvirt_qemu
short_description: Run tasks on libvirt/qemu virtual machines
description:
- Run commands or put/fetch files to libvirt/qemu virtual machines using the qemu agent API.
notes:
- Currently DOES NOT work with selinux set to enforcing in the VM.
- Requires the qemu-agent installed in the VM.
- Requires access to the qemu-ga commands guest-exec, guest-exec-status, guest-file-close, guest-file-open, guest-file-read, guest-file-write.
version_added: "2.10"
options:
remote_addr:
description: Virtual machine name
default: inventory_hostname
vars:
- name: ansible_host
executable:
description: Shell to use for execution inside container
default: /bin/sh
vars:
- name: ansible_executable
virt_uri:
description: libvirt URI to connect to to access the virtual machine
default: qemu:///system
vars:
- name: ansible_libvirt_uri
timeout:
description: timeout for libvirt to connect to access the virtual machine
required: false
type: int
default: 10
"""
import base64
import json
import libvirt
import libvirt_qemu
import shlex
import traceback
from ansible import constants as C
from ansible.errors import AnsibleError, AnsibleConnectionFailure, AnsibleFileNotFound
from ansible.module_utils._text import to_bytes, to_native, to_text
from ansible.plugins.connection import ConnectionBase, BUFSIZE
from ansible.plugins.shell.powershell import _parse_clixml
from ansible.utils.display import Display
from ansible.plugins.callback.minimal import CallbackModule
from functools import partial
from os.path import exists, getsize
display = Display()
iMAX_WAIT = 10 # sec.
REQUIRED_CAPABILITIES = [
{'enabled': True, 'name': 'guest-exec', 'success-response': True},
{'enabled': True, 'name': 'guest-exec-status', 'success-response': True},
{'enabled': True, 'name': 'guest-file-close', 'success-response': True},
{'enabled': True, 'name': 'guest-file-open', 'success-response': True},
{'enabled': True, 'name': 'guest-file-read', 'success-response': True},
{'enabled': True, 'name': 'guest-file-write', 'success-response': True}
]
class Connection(ConnectionBase):
''' Local libvirt qemu based connections '''
transport = 'community.libvirt.libvirt_qemu'
# TODO(odyssey4me):
# Figure out why pipelining does not work and fix it
has_pipelining = False
has_tty = False
def __init__(self, play_context, new_stdin, *args, **kwargs):
super(Connection, self).__init__(play_context, new_stdin, *args, **kwargs)
self._host = self._play_context.remote_addr
# Windows operates differently from a POSIX connection/shell plugin,
# we need to set various properties to ensure SSH on Windows continues
# to work
if getattr(self._shell, "_IS_WINDOWS", False):
self.has_native_async = True
self.always_pipeline_modules = True
self.module_implementation_preferences = ('.ps1', '.exe', '')
self.allow_executable = False
self._timeout = sgelf.get_option('timeout', 10)
def _connect(self):
''' connect to the virtual machine; nothing to do here '''
super(Connection, self)._connect()
if not self._connected:
self._virt_uri = self.get_option('virt_uri')
self._display.vvv(u"CONNECT TO {0}".format(self._virt_uri), host=self._host)
try:
self.conn = libvirt.open(self._virt_uri)
except libvirt.libvirtError as err:
self._display.vv(u"ERROR: libvirtError CONNECT TO {0}\n{1}".format(self._virt_uri, to_native(err)), host=self._host)
self._connected = False
raise AnsibleConnectionFailure(to_native(err))
self._display.vvv(u"FIND DOMAIN {0}".format(self._host), host=self._host)
try:
self.domain = self.conn.lookupByName(self._host)
except libvirt.libvirtError as err:
raise AnsibleConnectionFailure(to_native(err))
request_cap = json.dumps({'execute': 'guest-info'})
response_cap = json.loads(libvirt_qemu.qemuAgentCommand(self.domain, request_cap, 5, 0))
self.capabilities = response_cap['return']['supported_commands']
self._display.vvvvv(u"GUEST CAPABILITIES: {0}".format(self.capabilities), host=self._host)
missing_caps = []
for cap in REQUIRED_CAPABILITIES:
if cap not in self.capabilities:
missing_caps.append(cap['name'])
if len(missing_caps) > 0:
self._display.vvv(u"REQUIRED CAPABILITIES MISSING: {0}".format(missing_caps), host=self._host)
raise AnsibleConnectionFailure('Domain does not have required capabilities')
display.vvv(u"ESTABLISH {0} CONNECTION".format(self.transport), host=self._host)
self._connected = True
def exec_command(self, cmd, in_data=None, sudoable=True, timeout=None):
""" execute a command on the virtual machine host """
super(Connection, self).exec_command(cmd, in_data=in_data, sudoable=sudoable)
self._display.vvv(u"EXEC {0}".format(cmd), host=self._host)
if timeout is None:
timeout = self._timeout
cmd_args_list = shlex.split(to_native(cmd, errors='surrogate_or_strict'))
if getattr(self._shell, "_IS_WINDOWS", False):
# Become method 'runas' is done in the wrapper that is executed,
# need to disable sudoable so the bare_run is not waiting for a
# prompt that will not occur
sudoable = False
# Generate powershell commands
cmd_args_list = self._shell._encode_script(cmd, as_list=True, strict_mode=False, preserve_rc=False)
# TODO(odyssey4me):
# Implement buffering much like the other connection plugins
# Implement 'env' for the environment settings
# Implement 'input-data' for whatever it might be useful for
request_exec = {
'execute': 'guest-exec',
'arguments': {
'path': cmd_args_list[0],
'capture-output': True,
'arg': cmd_args_list[1:]
}
}
request_exec_json = json.dumps(request_exec)
display.vvv("GA send: {0}".format(request_exec_json), host=self._host)
# sys.stderr.write("GA send: {0}\n".format(request_exec_json))
command_start = time.clock_gettime(time.CLOCK_MONOTONIC)
# TODO(odyssey4me):
# Add timeout parameter
flags = 0
try:
result_exec = json.loads(libvirt_qemu.qemuAgentCommand(self.domain, request_exec_json, timeout, flags))
except libvirt.libvirtError as err:
self._display.vv(u"ERROR: libvirtError EXEC TO {0}\n{1}".format(self._virt_uri, to_native(err)), host=self._host)
sys.stderr.write(u"ERROR: libvirtError EXEC TO {0}\n{1}\n".format(self._virt_uri, to_native(err)))
self._connected = False
raise AnsibleConnectionFailure(to_native(err))
display.vvv(u"GA return: {0}".format(result_exec), host=self._host)
request_status = {
'execute': 'guest-exec-status',
'arguments': {
'pid': result_exec['return']['pid']
}
}
request_status_json = json.dumps(request_status)
display.vvv(u"GA send: {0}".format(request_status_json), host=self._host)
# TODO(odyssey4me):
# Work out a better way to wait until the command has exited
max_time = iMAX_WAIT + time.clock_gettime(time.CLOCK_MONOTONIC)
result_status = {
'return': dict(exited=False),
}
while not result_status['return']['exited']:
# Wait for 5% of the time already elapsed
sleep_time = (time.clock_gettime(time.CLOCK_MONOTONIC) - command_start) * (5 / 100)
if sleep_time < 0.0002:
sleep_time = 0.0002
elif sleep_time > 1:
sleep_time = 1
time.sleep(sleep_time)
result_status = json.loads(libvirt_qemu.qemuAgentCommand(self.domain, request_status_json, 5, 0))
if time.clock_gettime(time.CLOCK_MONOTONIC) > max_time:
err = 'timeout'
self._display.vv(u"ERROR: libvirtError EXEC TO {0}\n{1}".format(self._virt_uri, to_native(err)), host=self._host)
sys.stderr.write(u"ERROR: libvirtError EXEC TO {0}\n{1}\n".format(self._virt_uri, to_native(err)))
self._connected = False
raise AnsibleConnectionFailure(to_native(err))
display.vvv(u"GA return: {0}".format(result_status), host=self._host)
while not result_status['return']['exited']:
result_status = json.loads(libvirt_qemu.qemuAgentCommand(self.domain, request_status_json, 5, 0))
display.vvv(u"GA return: {0}".format(result_status), host=self._host)
if result_status['return'].get('out-data'):
stdout = base64.b64decode(result_status['return']['out-data'])
else:
stdout = b''
if result_status['return'].get('err-data'):
stderr = base64.b64decode(result_status['return']['err-data'])
else:
stderr = b''
# Decode xml from windows
if getattr(self._shell, "_IS_WINDOWS", False) and stdout.startswith(b"#< CLIXML"):
stdout = _parse_clixml(stdout)
display.vvv(u"GA stdout: {0}".format(to_text(stdout)), host=self._host)
display.vvv(u"GA stderr: {0}".format(to_text(stderr)), host=self._host)
return result_status['return']['exitcode'], stdout, stderr
def put_file(self, in_path, out_path):
''' transfer a file from local to domain '''
super(Connection, self).put_file(in_path, out_path)
display.vvv("PUT %s TO %s" % (in_path, out_path), host=self._host)
if not exists(to_bytes(in_path, errors='surrogate_or_strict')):
raise AnsibleFileNotFound(
"file or module does not exist: %s" % in_path)
request_handle = {
'execute': 'guest-file-open',
'arguments': {
'path': out_path,
'mode': 'wb+'
}
}
request_handle_json = json.dumps(request_handle)
display.vvv(u"GA send: {0}".format(request_handle_json), host=self._host)
result_handle = json.loads(libvirt_qemu.qemuAgentCommand(self.domain, request_handle_json, 5, 0))
display.vvv(u"GA return: {0}".format(result_handle), host=self._host)
# TODO(odyssey4me):
# Handle exception for file/path IOError
with open(to_bytes(in_path, errors='surrogate_or_strict'), 'rb') as in_file:
for chunk in iter(partial(in_file.read, BUFSIZE), b''):
try:
request_write = {
'execute': 'guest-file-write',
'arguments': {
'handle': result_handle['return'],
'buf-b64': base64.b64encode(chunk).decode()
}
}
request_write_json = json.dumps(request_write)
display.vvvvv(u"GA send: {0}".format(request_write_json), host=self._host)
result_write = json.loads(libvirt_qemu.qemuAgentCommand(self.domain, request_write_json, 5, 0))
display.vvvvv(u"GA return: {0}".format(result_write), host=self._host)
except Exception:
traceback.print_exc()
raise AnsibleError("failed to transfer file %s to %s" % (in_path, out_path))
request_close = {
'execute': 'guest-file-close',
'arguments': {
'handle': result_handle['return']
}
}
request_close_json = json.dumps(request_close)
display.vvv(u"GA send: {0}".format(request_close_json), host=self._host)
result_close = json.loads(libvirt_qemu.qemuAgentCommand(self.domain, request_close_json, 5, 0))
display.vvv(u"GA return: {0}".format(result_close), host=self._host)
def fetch_file(self, in_path, out_path):
''' fetch a file from domain to local '''
super(Connection, self).fetch_file(in_path, out_path)
display.vvv("FETCH %s TO %s" % (in_path, out_path), host=self._host)
request_handle = {
'execute': 'guest-file-open',
'arguments': {
'path': in_path,
'mode': 'r'
}
}
request_handle_json = json.dumps(request_handle)
display.vvv(u"GA send: {0}".format(request_handle_json), host=self._host)
result_handle = json.loads(libvirt_qemu.qemuAgentCommand(self.domain, request_handle_json, 5, 0))
display.vvv(u"GA return: {0}".format(result_handle), host=self._host)
request_read = {
'execute': 'guest-file-read',
'arguments': {
'handle': result_handle['return'],
'count': BUFSIZE
}
}
request_read_json = json.dumps(request_read)
display.vvv(u"GA send: {0}".format(request_read_json), host=self._host)
with open(to_bytes(out_path, errors='surrogate_or_strict'), 'wb+') as out_file:
try:
result_read = json.loads(libvirt_qemu.qemuAgentCommand(self.domain, request_read_json, 5, 0))
display.vvvvv(u"GA return: {0}".format(result_read), host=self._host)
out_file.write(base64.b64decode(result_read['return']['buf-b64']))
while not result_read['return']['eof']:
result_read = json.loads(libvirt_qemu.qemuAgentCommand(self.domain, request_read_json, 5, 0))
display.vvvvv(u"GA return: {0}".format(result_read), host=self._host)
out_file.write(base64.b64decode(result_read['return']['buf-b64']))
except Exception:
traceback.print_exc()
raise AnsibleError("failed to transfer file %s to %s" % (in_path, out_path))
request_close = {
'execute': 'guest-file-close',
'arguments': {
'handle': result_handle['return']
}
}
request_close_json = json.dumps(request_close)
display.vvv(u"GA send: {0}".format(request_close_json), host=self._host)
result_close = json.loads(libvirt_qemu.qemuAgentCommand(self.domain, request_close_json, 5, 0))
display.vvv(u"GA return: {0}".format(result_close), host=self._host)
def close(self):
''' terminate the connection; nothing to do here '''
super(Connection, self).close()
self._connected = False

28
lib/plugins/libvirt_qemu.py
View File

@ -42,7 +42,7 @@ DOCUMENTATION = """
description: timeout for libvirt to connect to access the virtual machine
required: false
type: int
default: 5
default: 10
"""
import base64
@ -98,7 +98,7 @@ class Connection(ConnectionBase):
self.always_pipeline_modules = True
self.module_implementation_preferences = ('.ps1', '.exe', '')
self.allow_executable = False
self._timeout = self.get_option('timeout', 5)
self._timeout = self.get_option('timeout', 10)
def _connect(self):
''' connect to the virtual machine; nothing to do here '''
@ -122,7 +122,7 @@ class Connection(ConnectionBase):
raise AnsibleConnectionFailure(to_native(err))
request_cap = json.dumps({'execute': 'guest-info'})
response_cap = json.loads(libvirt_qemu.qemuAgentCommand(self.domain, request_cap, 5, 0))
response_cap = json.loads(libvirt_qemu.qemuAgentCommand(self.domain, request_cap, self._timeout, 0))
self.capabilities = response_cap['return']['supported_commands']
self._display.vvvvv(u"GUEST CAPABILITIES: {0}".format(self.capabilities), host=self._host)
missing_caps = []
@ -201,7 +201,9 @@ class Connection(ConnectionBase):
result_status = {
'return': dict(exited=False),
}
while not result_status['return']['exited']:
i=0
while not result_status['return']['exited'] and i < 20:
i = i + 1
# Wait for 5% of the time already elapsed
sleep_time = (time.clock_gettime(time.CLOCK_MONOTONIC) - command_start) * (5 / 100)
if sleep_time < 0.0002:
@ -209,7 +211,7 @@ class Connection(ConnectionBase):
elif sleep_time > 1:
sleep_time = 1
time.sleep(sleep_time)
result_status = json.loads(libvirt_qemu.qemuAgentCommand(self.domain, request_status_json, 5, 0))
result_status = json.loads(libvirt_qemu.qemuAgentCommand(self.domain, request_status_json, self._timeout, 0))
if time.clock_gettime(time.CLOCK_MONOTONIC) > max_time:
err = 'timeout'
self._display.vv(u"ERROR: libvirtError EXEC TO {0}\n{1}".format(self._virt_uri, to_native(err)), host=self._host)
@ -220,7 +222,7 @@ class Connection(ConnectionBase):
display.vvv(u"GA return: {0}".format(result_status), host=self._host)
while not result_status['return']['exited']:
result_status = json.loads(libvirt_qemu.qemuAgentCommand(self.domain, request_status_json, 5, 0))
result_status = json.loads(libvirt_qemu.qemuAgentCommand(self.domain, request_status_json, self._timeout, 0))
display.vvv(u"GA return: {0}".format(result_status), host=self._host)
@ -263,7 +265,7 @@ class Connection(ConnectionBase):
display.vvv(u"GA send: {0}".format(request_handle_json), host=self._host)
result_handle = json.loads(libvirt_qemu.qemuAgentCommand(self.domain, request_handle_json, 5, 0))
result_handle = json.loads(libvirt_qemu.qemuAgentCommand(self.domain, request_handle_json, self._timeout, 0))
display.vvv(u"GA return: {0}".format(result_handle), host=self._host)
@ -283,7 +285,7 @@ class Connection(ConnectionBase):
display.vvvvv(u"GA send: {0}".format(request_write_json), host=self._host)
result_write = json.loads(libvirt_qemu.qemuAgentCommand(self.domain, request_write_json, 5, 0))
result_write = json.loads(libvirt_qemu.qemuAgentCommand(self.domain, request_write_json, self._timeout, 0))
display.vvvvv(u"GA return: {0}".format(result_write), host=self._host)
@ -301,7 +303,7 @@ class Connection(ConnectionBase):
display.vvv(u"GA send: {0}".format(request_close_json), host=self._host)
result_close = json.loads(libvirt_qemu.qemuAgentCommand(self.domain, request_close_json, 5, 0))
result_close = json.loads(libvirt_qemu.qemuAgentCommand(self.domain, request_close_json, self._timeout, 0))
display.vvv(u"GA return: {0}".format(result_close), host=self._host)
@ -321,7 +323,7 @@ class Connection(ConnectionBase):
display.vvv(u"GA send: {0}".format(request_handle_json), host=self._host)
result_handle = json.loads(libvirt_qemu.qemuAgentCommand(self.domain, request_handle_json, 5, 0))
result_handle = json.loads(libvirt_qemu.qemuAgentCommand(self.domain, request_handle_json, self._timeout, 0))
display.vvv(u"GA return: {0}".format(result_handle), host=self._host)
@ -338,11 +340,11 @@ class Connection(ConnectionBase):
with open(to_bytes(out_path, errors='surrogate_or_strict'), 'wb+') as out_file:
try:
result_read = json.loads(libvirt_qemu.qemuAgentCommand(self.domain, request_read_json, 5, 0))
result_read = json.loads(libvirt_qemu.qemuAgentCommand(self.domain, request_read_json, self._timeout, 0))
display.vvvvv(u"GA return: {0}".format(result_read), host=self._host)
out_file.write(base64.b64decode(result_read['return']['buf-b64']))
while not result_read['return']['eof']:
result_read = json.loads(libvirt_qemu.qemuAgentCommand(self.domain, request_read_json, 5, 0))
result_read = json.loads(libvirt_qemu.qemuAgentCommand(self.domain, request_read_json, self._timeout, 0))
display.vvvvv(u"GA return: {0}".format(result_read), host=self._host)
out_file.write(base64.b64decode(result_read['return']['buf-b64']))
@ -360,7 +362,7 @@ class Connection(ConnectionBase):
display.vvv(u"GA send: {0}".format(request_close_json), host=self._host)
result_close = json.loads(libvirt_qemu.qemuAgentCommand(self.domain, request_close_json, 5, 0))
result_close = json.loads(libvirt_qemu.qemuAgentCommand(self.domain, request_close_json, self._timeout, 0))
display.vvv(u"GA return: {0}".format(result_close), host=self._host)

18
roles/ansible-gentoo_install/defaults/main.yml
View File

@ -14,7 +14,7 @@ AGI_PROXY_MODE: "{{PROXY_MODE|default('')}}"
AGI_use_local_kernel: false
AGI_install_disklabel: msdos
AGI_install_timezone: UTC
AGI_install_timezone: "{{ BASE_TIMEZONE|default('Etc/UTC') }}"
AGI_install_locales:
- en_US ISO-8859-1
- en_US.UTF-8 UTF-8
@ -28,9 +28,9 @@ AGI_install_network_interfaces:
config: dhcp
AGI_container_disk: /dev/vda
AGI_install_syslog_daemon: syslog-ng # app-admin/sysklogd
AGI_install_cron_daemon: cronie
AGI_install_bootloader: syslinux
AGI_install_syslog_daemon: syslog-ng # sysklogd
AGI_install_cron_daemon: cronie #
AGI_install_bootloader: syslinux # grub:2
AGI_install_syslinux_kernel_line:
# this is required I think
@ -48,11 +48,11 @@ AGI_install_syslinux_kernel_line:
# =0x37f works too
- vga=789
# these may not all be needed or useful in a container
- pti=on
- iommu=pt
- amd_iommu=on
- intel_iommu=on
- debug
# - pti=on
# - iommu=pt
# - amd_iommu=on
# - intel_iommu=on
# - debug
# remove the unused ones:
AGI_install_syslinux_c32:

171
roles/ansible-gentoo_install/files/firewall.conf Normal file
View File

@ -0,0 +1,171 @@
# Generated by iptables-save v1.8.5 on Wed Nov 4 01:14:37 2020
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:LIBVIRT_PRT - [0:0]
-A INPUT -j LOG --log-prefix "iptables_libvirt mangle-i: " --log-uid
-A POSTROUTING -j LIBVIRT_PRT
COMMIT
# Completed on Wed Nov 4 01:14:37 2020
# Generated by iptables-save v1.8.5 on Wed Nov 4 01:14:37 2020
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:LIBVIRT_PRT - [0:0]
# was ! -o lo
-A OUTPUT -o wlan6 -p tcp --dport 53 -m tcp -j DNAT --to-destination 127.0.0.1:53
-A OUTPUT -o wlan6 -p udp --dport 53 -m udp -j DNAT --to-destination 127.0.0.1:53
# .onion mapped addresses redirection to Tor.
-A OUTPUT -d 172.16.0.0/12 -p tcp -m tcp -j DNAT --to-destination 127.0.0.1:9040
## Log.
-A INPUT -j LOG --log-prefix "iptables_libvirt_nat-i: " --log-uid
-A POSTROUTING -j LIBVIRT_PRT
-A LIBVIRT_PRT -s 10.0.2.0/24 -d 224.0.0.0/24 -j RETURN
-A LIBVIRT_PRT -s 10.0.2.0/24 -d 255.255.255.255/32 -j RETURN
-A LIBVIRT_PRT -s 10.0.2.0/24 ! -d 10.0.2.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A LIBVIRT_PRT -s 10.0.2.0/24 ! -d 10.0.2.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A LIBVIRT_PRT -s 10.0.2.0/24 ! -d 10.0.2.0/24 -j MASQUERADE
COMMIT
# Completed on Wed Nov 4 01:14:37 2020
# Generated by iptables-save v1.8.5 on Wed Nov 4 01:14:37 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:LIBVIRT_FWI - [0:0]
:LIBVIRT_FWO - [0:0]
:LIBVIRT_FWX - [0:0]
:LIBVIRT_INP - [0:0]
:LIBVIRT_OUT - [0:0]
## DROP PACKETS WITH INCOMING FRAGMENTS. THIS ATTACK ONCE RESULTED IN KERNEL PANICS
-A INPUT -f -j DROP
## DROP INCOMING MALFORMED XMAS PACKETS
-A INPUT -p tcp --tcp-flags ALL ALL -j DROP
## DROP INCOMING MALFORMED NULL PACKETS
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
-A INPUT -i lo -j ACCEPT
## Traffic on the loopback interface is accepted.
-A INPUT -i lo -j ACCEPT
## Established incoming connections are accepted. RELATED?
-A INPUT -m state --state ESTABLISHED -j ACCEPT
### this is required for outgoing pings
-A INPUT -i wlan6 -p icmp -j LOG --log-prefix "iptables_icmp_ACCEPT-i: " --log-uid
-A INPUT -i wlan6 -p icmp -j ACCEPT
# let dhcp through? - YES
-A INPUT -i wlan6 -p udp -m udp --sport 137 -j DROP
-A INPUT -i wlan6 -p udp -m udp --sport 138 -j DROP
-A INPUT -i wlan6 -p udp -m udp --sport 139 -j DROP
-A INPUT -i wlan6 -p tcp --sport 9055 -j DROP
-A INPUT -i wlan6 -p tcp --sport 9054 -j DROP
-A INPUT -i wlan6 -p tcp --sport 9053 -j DROP
-A INPUT -i wlan6 -p tcp --sport 9051 -j DROP
-A INPUT -i wlan6 -p udp --sport 53 -j ACCEPT
# SRC=0.0.0.0 DST=255.255.255.255 PROTO=UDP SPT=68 DPT=67
-A INPUT -j LOG --log-prefix "iptables_libvirt_jLIBVIRT_INP-i: " --log-uid
# -A INPUT -i wlan6 -p udp -j DROP
-A INPUT -i wlan6 -j DROP
-A INPUT -j LIBVIRT_INP
-A FORWARD -j LIBVIRT_FWX
-A FORWARD -j LIBVIRT_FWI
-A FORWARD -j LIBVIRT_FWO
#d#-A OUTPUT -o wlan6 -p icmp -j LOG --log-prefix iptables_icmp_ACCEPT-o: --log-uid
## Traffic on the loopback interface is accepted.
-A OUTPUT -o lo -j ACCEPT
## Existing connections are accepted.
-A OUTPUT -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -o wlan6 -p icmp -j LOG --log-prefix "iptables_icmp_ACCEPT-o: " --log-uid
-A OUTPUT -o wlan6 -p icmp -j ACCEPT
# st-routers.mcast.net.
-A OUTPUT -o wlan6 -p udp -d 224.0.0.0/8 -j REJECT
## Accept outgoing connections to local network, Whonix-Workstation and VirtualBox,
-A OUTPUT -d 192.168.1.0/24 -j ACCEPT
-A OUTPUT -d 10.0.2.0/24 -j ACCEPT
# gateway
#-A OUTPUT -d 10.0.2.0/24 -j ACCEPT
-A OUTPUT -o wlan6 -d 10.16.238.0/24 -j ACCEPT
-A OUTPUT -o wlan6 -d 10.0.0.0/8 -j DROP
-A OUTPUT -o wlan6 -d 172.16.0.0/12 -j DROP
#-A OUTPUT -o wlan6 -d 192.168.0.0/16 -j DROP
-A OUTPUT -o wlan6 -d 224.0.0.0/4 -j DROP
-A OUTPUT -o wlan6 -d 240.0.0.0/5 -j DROP
# The ntp user is allowed to connect to services listening on the ntp port...
# If root runs ntpdate manually you will see requests to port 53 UID=0
#-A OUTPUT -o wlan6 -m owner --gid-owner 226 -p udp --dport 123 -j LOG --log-uid --log-prefix "iptables_123_ACCEPT-o: "
-A OUTPUT -o wlan6 -m owner --gid-owner 226 -p UDP --dport 123 -j ACCEPT
-A OUTPUT -o wlan6 -m owner --uid-owner 0 -p UDP --dport 123 -j ACCEPT
#-A OUTPUT -o wlan6 -m tcp -p TCP --dport 22 -j LOG --log-uid --log-prefix "IPTABLES_ssh_REJECT: "
-A OUTPUT -o wlan6 -m tcp -p TCP --dport 22 -j REJECT --reject-with icmp-port-unreachable
#test-A OUTPUT -o virbr1 -m tcp -p TCP --dport 22 -j LOG --log-uid --log-prefix "iptables_: "
-A OUTPUT -o wlan6 -m owner -p tcp --gid-owner 216 -j ACCEPT
-A OUTPUT -o wlan6 -m owner --gid-owner 1 -j ACCEPT
-A OUTPUT -o virbr1 -m tcp -p TCP --dport 22 -j ACCEPT
-A OUTPUT -o virbr1 -m tcp -p TCP --dport 9028 -j LOG --log-uid --log-prefix "iptables_: "
-A OUTPUT -o virbr1 -m tcp -p TCP --dport 9028 -j ACCEPT
-A OUTPUT -o virbr1 -m tcp -p TCP --dport 9040 -j LOG --log-uid --log-prefix "iptables_: "
-A OUTPUT -o virbr1 -m tcp -p TCP --dport 9040 -j ACCEPT
-A OUTPUT -o virbr1 -m tcp -p TCP --dport 9050 -j LOG --log-uid --log-prefix "iptables_: "
-A OUTPUT -o virbr1 -m tcp -p TCP --dport 9050 -j ACCEPT
-A OUTPUT -o virbr1 -m tcp -p TCP --dport 9053 -j LOG --log-uid --log-prefix "iptables_: "
-A OUTPUT -o virbr1 -m tcp -p TCP --dport 9053 -j ACCEPT
-A OUTPUT -o virbr1 -m udp -p udp --dport 9053 -j ACCEPT
-A OUTPUT -j LIBVIRT_OUT
-A LIBVIRT_FWI -o virbr1 -j LOG --log-uid --log-prefix "IPTABLES_FWI_REJECT-o: "
-A LIBVIRT_FWI -o virbr2 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWI -d 10.0.2.0/24 -o virbr1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A LIBVIRT_FWI -o virbr1 -j LOG --log-uid --log-prefix "IPTABLES_FWI_REJECT-o: "
-A LIBVIRT_FWI -o virbr1 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWO -i virbr2 -j LOG --log-uid --log-prefix "IPTABLES_FWO_REJECT-i: "
-A LIBVIRT_FWO -i virbr2 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWO -s 10.0.2.0/24 -i virbr1 -j ACCEPT
-A LIBVIRT_FWO -i virbr1 -j LOG --log-uid --log-prefix "IPTABLES_FWO_REJECT-i: "
-A LIBVIRT_FWO -i virbr1 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWX -i virbr2 -o virbr2 -j ACCEPT
-A LIBVIRT_FWX -i virbr1 -o virbr1 -j ACCEPT
-A LIBVIRT_INP -i virbr2 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr2 -p tcp -m tcp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr2 -p udp -m udp --dport 67 -j ACCEPT
-A LIBVIRT_INP -i virbr2 -p tcp -m tcp --dport 67 -j ACCEPT
-A LIBVIRT_INP -i virbr1 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr1 -p tcp -m tcp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr1 -p udp -m udp --dport 67 -j ACCEPT
-A LIBVIRT_INP -i virbr1 -p tcp -m tcp --dport 67 -j ACCEPT
-A LIBVIRT_OUT -o virbr2 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_OUT -o virbr2 -p tcp -m tcp --dport 53 -j ACCEPT
-A LIBVIRT_OUT -o virbr2 -p udp -m udp --dport 68 -j ACCEPT
-A LIBVIRT_OUT -o virbr2 -p tcp -m tcp --dport 68 -j ACCEPT
-A LIBVIRT_OUT -o virbr1 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_OUT -o virbr1 -p tcp -m tcp --dport 53 -j ACCEPT
-A LIBVIRT_OUT -o virbr1 -p udp -m udp --dport 68 -j ACCEPT
-A LIBVIRT_OUT -o virbr1 -p tcp -m tcp --dport 68 -j ACCEPT
COMMIT
# Completed on Wed Nov 4 01:14:37 2020

96
roles/ansible-gentoo_install/tasks/bootloader.yml
View File

@ -42,8 +42,8 @@
label pentoo2019-Pen19-6.1.52-pentoo_2023_09_30_0x037f
menu label pentoo2019_Pen19_6.1.52-pentoo_2023_09_30_0x037f
menu default
kernel vmlinuz-6.1.52-pentoo_2023_09_30
INITRD initramfs-pentoo-x86_64-6.1.52-pentoo_2023_09_30.img
kernel /vmlinuz-6.1.52-pentoo_2023_09_30
INITRD /initramfs-pentoo-x86_64-6.1.52-pentoo_2023_09_30.img
# was vga=0x315
APPEND root=LABEL=root {{''.join(AGI_install_syslinux_kernel_commands)}}
@ -106,7 +106,39 @@
-i /etc/default/grub
grub-script-check /etc/default/grub
when: AGI_install_bootloader == 'grub:2'
- name: roles/ansible-gentoo_install/tasks/
shell: |
LINE="rd.skipfsck=1 ipv6.disable=1 console=ttys0 lang=en keymap=us "
# LINE="$LINE pti=on doscsi iommu=pt amd_iommu=on debugfs=off efi=disable_early_pci_dma extra_latent_entropy init_on_free=1 kvm.nx_huge_pages=force l1tf=full,force mce=0 mds=full,nosmt nosmt=force page_alloc.shuffle=1 pti=on random.trust_cpu=off slab_nomerge slub_debug=FZ spec_store_bypass_disable=on spectre_v2=on tsx_async_abort=full,nosmt vsyscall=none "
LINE="$LINE intel_iommu=on vga=0x315 text
df | grep /boot || mount /dev/vda1 /boot
[ -d /boot/grub ] || exit 2
[ -f /boot/grub/grub.cfg ] || exit 3
cd /
# boot/initramfs-pentoo-x86_64-6.1.52-pentoo_2023_09_30.img
- name: /etc/default/grub
lineinfile:
dest: /etc/default/grub
line: '{{item.from}}="{{item.to}}"'
regexp: '^#*{{item.from}}=.*'
with_items:
# Append parameters to the linux kernel command line for non-recovery entries
- from: GRUB_CMDLINE_LINUX_DEFAULT
to: " rd.skipfsck=1 ipv6.disable=1 console=ttyS0 lang=en keymap=us intel_iommu=on vga=0x315 text"
# The resolution used on graphical terminal.
# Note that you can use only modes which your graphic card supports via VBE.
# You can see them in real GRUB with the command `vbeinfo'.
- from: GRUB_GFXMODE
to: 640x480
# Set to 'text' to force the Linux kernel to boot in normal text
- from: GRUB_GFXPAYLOAD_LINUX
to: text
# Uncomment if you don't want GRUB to pass "root=UUID=xxx" parameter to kernel
- from: GRUB_DISABLE_LINUX_UUID
to: true
when: AGI_install_bootloader == 'grub:2'
- name: fstab root
lineinfile:
@ -151,54 +183,36 @@
dest: /etc/conf.d/consolefont
line: 'consolefont="ter-v{{AGI_consolefont_font_size}}b"'
regexp: '^consolefont=.*'
- name: /etc/default/grub
lineinfile:
dest: /etc/default/grub
line: '{{item.from}}="{{item.to}}"'
regexp: '^#*{{item.from}}=.*'
with_items:
# Append parameters to the linux kernel command line for non-recovery entries
- from: GRUB_CMDLINE_LINUX_DEFAULT
to: " rd.skipfsck=1 ipv6.disable=1 console=tty1 lang=en keymap=us intel_iommu=on vga=0x315 text"
# The resolution used on graphical terminal.
# Note that you can use only modes which your graphic card supports via VBE.
# You can see them in real GRUB with the command `vbeinfo'.
- from: GRUB_GFXMODE
to: 640x480
# Set to 'text' to force the Linux kernel to boot in normal text
- from: GRUB_GFXPAYLOAD_LINUX
to: text
# Uncomment if you don't want GRUB to pass "root=UUID=xxx" parameter to kernel
- from: GRUB_DISABLE_LINUX_UUID
to: true
- name: roles/ansible-gentoo_install/tasks/
shell: |
LINE="rd.skipfsck=1 ipv6.disable=1 console=tty1 lang=en keymap=us "
# LINE="$LINE pti=on doscsi iommu=pt amd_iommu=on debugfs=off efi=disable_early_pci_dma extra_latent_entropy init_on_free=1 kvm.nx_huge_pages=force l1tf=full,force mce=0 mds=full,nosmt nosmt=force page_alloc.shuffle=1 pti=on random.trust_cpu=off slab_nomerge slub_debug=FZ spec_store_bypass_disable=on spectre_v2=on tsx_async_abort=full,nosmt vsyscall=none "
LINE="$LINE intel_iommu=on vga=0x315 text
df | grep /boot || mount /dev/vda1 /boot
[ -d /boot/grub ] || exit 2
[ -f /boot/grub/grub.cfg ] || exit 3
cd /
# ln -s boot/vmlinuz* vmlinuz
# boot/initramfs-pentoo-x86_64-6.1.52-pentoo_2023_09_30.img
ln -s boot/initramfs* initrd.img
- name: consolefont
shell: |
cat >> /etc/rc.local << EOF
grep -q /etc/init.d/consolefont /etc/rc.local || \
cat >> /etc/rc.local << EOF
#!/bin/sh
/etc/init.d consolefont stop
/etc/init.d consolefont start
stty -F /dev/tty1 cols 80 rows 24
# these are right for ter-v28b consolefont
if tty|grep -q /dev/ttyS0 ; then
stty cols 80 rows 35
elif tty|grep -q /dev/tty[1-6] ; then
stty cols 80 rows 22
fi
EOF
bash /etc/rc.local
chmod 755 /etc/rc.local
ignore_errors: true
- name: rc-update add bootlogd boot
shell: |
[ -d /etc/modules-load.d ] || mkdir /etc/modules-load.d
[ -f /etc/modules-load.d/virtio.conf ] || \
echo "{{'\n'.join(AGI_bootstrap_modules)}}" \
> /etc/modules-load.d/virtio.conf
rc-update add consolefont
rc-update | grep -q 'bootlogd .* boot' || \
rc-update add bootlogd boot
grep -q '^s0:' /etc/inittab || \
sed -e 's/^#s0:/s0:/' /etc/inittab
exit 0

6
roles/ansible-gentoo_install/tasks/chroot.yml
View File

@ -18,9 +18,11 @@
- name: copy resolv.conf into chroot
copy:
src: /etc/resolv.conf
dest: "{{AGI_NBD_MP}}/etc/resolv.conf"
src: "/{{item}}"
dest: "{{AGI_NBD_MP}}/{{item}}"
mode: '0644'
remote_src: yes
with_items: "{{AGI_bootstrap_files}}"
when: not ansible_check_mode
- name: mount /proc in chroot

23
roles/ansible-gentoo_install/tasks/libvirt.yml Normal file
View File

@ -0,0 +1,23 @@
# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*-
# localhost
---
- name: "DEBUG: ansible-gentoo_install libvirt"
debug:
verbosity: 1
msg: "DEBUG: ansible-gentoo_install libvirt"
- name: test we are NOT in the chroot
shell: |
[ -n "{{AGI_NBD_MP}}" ] || exit 2
[ -d "{{AGI_NBD_MP}}" ] || exit 3
check_mode: false
# - name: setup libvirt network
# - name: setup libvirt iptables
# net.ipv4.conf.virbr1.forwarding = 1
# net.ipv4.ip_forward = 1
# mkdir /etc/libvirt/qemu
# qemu-ga -D > /etc/libvirt/qemu/qemu-ga.conf
# for elt in unix-listen virtio-serial isa-serial vsock-listen ; do
# /etc/conf.d/qemu-ga

1
roles/ansible-gentoo_install/tasks/local.yml
View File

@ -85,6 +85,7 @@
state: mounted
check_mode: false
- include: libvirt.yml
- include: tarball.yml
- include: copy.yml
when: AGI_use_local_kernel

9
roles/ansible-gentoo_install/tasks/main.yml
View File

@ -131,13 +131,10 @@
var: ansible_gentooimgr_out
check_mode: false
when:
- ansible_connection in ['chroot', 'local', 'libvirt_qemu']
- ansible_distribution == 'Gentoo' or BOX_GENTOO_FROM_MP not in ['/', '']
# - nbd_disk|default('') == AGI_NBD_DISK
- name: include_tasks local.yml
include_tasks: local.yml
- name: include_tasks local.yml
include_tasks: local.yml
when:
- ansible_connection in ['chroot', 'local']
- ansible_distribution == 'Gentoo' or BOX_GENTOO_FROM_MP not in ['/', '']

6
roles/ansible-gentoo_install/tasks/misc.yml
View File

@ -15,6 +15,10 @@
for elt in {{ AGI_bootstrap_mountpoints|join(' ') }} ; do
[ -d $elt ] || mkdir $elt
done
# 700 files from ansible umask
find /usr/local/*bin/ /usr/local/etc/ -name '*sh' -exec chmod 755 {} \;
find /usr/local/ -type f -exec chown ${BOX_USER_NAME}:${BOX_USER_GROUP} {} \;
exit 0
when: AGI_bootstrap_mountpoints|default([])|length > 0
@ -32,7 +36,7 @@
dest: /etc/localtime
src: /usr/share/zoneinfo/{{ AGI_install_timezone }}
state: link
force: yes
force: no
- name: configure locales
lineinfile:

171
roles/ansible-gentoo_install/templates/etc/firewall_External-tor.conf Normal file
View File

@ -0,0 +1,171 @@
# Generated by iptables-save v1.8.5 on Wed Nov 4 01:14:37 2020
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:LIBVIRT_PRT - [0:0]
-A INPUT -j LOG --log-prefix "iptables_libvirt mangle-i: " --log-uid
-A POSTROUTING -j LIBVIRT_PRT
COMMIT
# Completed on Wed Nov 4 01:14:37 2020
# Generated by iptables-save v1.8.5 on Wed Nov 4 01:14:37 2020
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:LIBVIRT_PRT - [0:0]
# was ! -o lo
-A OUTPUT -o wlan6 -p tcp --dport 53 -m tcp -j DNAT --to-destination 127.0.0.1:53
-A OUTPUT -o wlan6 -p udp --dport 53 -m udp -j DNAT --to-destination 127.0.0.1:53
# .onion mapped addresses redirection to Tor.
-A OUTPUT -d 172.16.0.0/12 -p tcp -m tcp -j DNAT --to-destination 127.0.0.1:9040
## Log.
-A INPUT -j LOG --log-prefix "iptables_libvirt_nat-i: " --log-uid
-A POSTROUTING -j LIBVIRT_PRT
-A LIBVIRT_PRT -s 10.0.2.0/24 -d 224.0.0.0/24 -j RETURN
-A LIBVIRT_PRT -s 10.0.2.0/24 -d 255.255.255.255/32 -j RETURN
-A LIBVIRT_PRT -s 10.0.2.0/24 ! -d 10.0.2.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A LIBVIRT_PRT -s 10.0.2.0/24 ! -d 10.0.2.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A LIBVIRT_PRT -s 10.0.2.0/24 ! -d 10.0.2.0/24 -j MASQUERADE
COMMIT
# Completed on Wed Nov 4 01:14:37 2020
# Generated by iptables-save v1.8.5 on Wed Nov 4 01:14:37 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:LIBVIRT_FWI - [0:0]
:LIBVIRT_FWO - [0:0]
:LIBVIRT_FWX - [0:0]
:LIBVIRT_INP - [0:0]
:LIBVIRT_OUT - [0:0]
## DROP PACKETS WITH INCOMING FRAGMENTS. THIS ATTACK ONCE RESULTED IN KERNEL PANICS
-A INPUT -f -j DROP
## DROP INCOMING MALFORMED XMAS PACKETS
-A INPUT -p tcp --tcp-flags ALL ALL -j DROP
## DROP INCOMING MALFORMED NULL PACKETS
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
-A INPUT -i lo -j ACCEPT
## Traffic on the loopback interface is accepted.
-A INPUT -i lo -j ACCEPT
## Established incoming connections are accepted. RELATED?
-A INPUT -m state --state ESTABLISHED -j ACCEPT
### this is required for outgoing pings
-A INPUT -i wlan6 -p icmp -j LOG --log-prefix "iptables_icmp_ACCEPT-i: " --log-uid
-A INPUT -i wlan6 -p icmp -j ACCEPT
# let dhcp through? - YES
-A INPUT -i wlan6 -p udp -m udp --sport 137 -j DROP
-A INPUT -i wlan6 -p udp -m udp --sport 138 -j DROP
-A INPUT -i wlan6 -p udp -m udp --sport 139 -j DROP
-A INPUT -i wlan6 -p tcp --sport 9055 -j DROP
-A INPUT -i wlan6 -p tcp --sport 9054 -j DROP
-A INPUT -i wlan6 -p tcp --sport 9053 -j DROP
-A INPUT -i wlan6 -p tcp --sport 9051 -j DROP
-A INPUT -i wlan6 -p udp --sport 53 -j ACCEPT
# SRC=0.0.0.0 DST=255.255.255.255 PROTO=UDP SPT=68 DPT=67
-A INPUT -j LOG --log-prefix "iptables_libvirt_jLIBVIRT_INP-i: " --log-uid
# -A INPUT -i wlan6 -p udp -j DROP
-A INPUT -i wlan6 -j DROP
-A INPUT -j LIBVIRT_INP
-A FORWARD -j LIBVIRT_FWX
-A FORWARD -j LIBVIRT_FWI
-A FORWARD -j LIBVIRT_FWO
#d#-A OUTPUT -o wlan6 -p icmp -j LOG --log-prefix iptables_icmp_ACCEPT-o: --log-uid
## Traffic on the loopback interface is accepted.
-A OUTPUT -o lo -j ACCEPT
## Existing connections are accepted.
-A OUTPUT -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -o wlan6 -p icmp -j LOG --log-prefix "iptables_icmp_ACCEPT-o: " --log-uid
-A OUTPUT -o wlan6 -p icmp -j ACCEPT
# st-routers.mcast.net.
-A OUTPUT -o wlan6 -p udp -d 224.0.0.0/8 -j REJECT
## Accept outgoing connections to local network, Whonix-Workstation and VirtualBox,
-A OUTPUT -d 192.168.1.0/24 -j ACCEPT
-A OUTPUT -d 10.0.2.0/24 -j ACCEPT
# gateway
#-A OUTPUT -d 10.0.2.0/24 -j ACCEPT
-A OUTPUT -o wlan6 -d 10.16.238.0/24 -j ACCEPT
-A OUTPUT -o wlan6 -d 10.0.0.0/8 -j DROP
-A OUTPUT -o wlan6 -d 172.16.0.0/12 -j DROP
#-A OUTPUT -o wlan6 -d 192.168.0.0/16 -j DROP
-A OUTPUT -o wlan6 -d 224.0.0.0/4 -j DROP
-A OUTPUT -o wlan6 -d 240.0.0.0/5 -j DROP
# The ntp user is allowed to connect to services listening on the ntp port...
# If root runs ntpdate manually you will see requests to port 53 UID=0
#-A OUTPUT -o wlan6 -m owner --gid-owner 226 -p udp --dport 123 -j LOG --log-uid --log-prefix "iptables_123_ACCEPT-o: "
-A OUTPUT -o wlan6 -m owner --gid-owner 226 -p UDP --dport 123 -j ACCEPT
-A OUTPUT -o wlan6 -m owner --uid-owner 0 -p UDP --dport 123 -j ACCEPT
#-A OUTPUT -o wlan6 -m tcp -p TCP --dport 22 -j LOG --log-uid --log-prefix "IPTABLES_ssh_REJECT: "
-A OUTPUT -o wlan6 -m tcp -p TCP --dport 22 -j REJECT --reject-with icmp-port-unreachable
#test-A OUTPUT -o virbr1 -m tcp -p TCP --dport 22 -j LOG --log-uid --log-prefix "iptables_: "
-A OUTPUT -o wlan6 -m owner -p tcp --gid-owner 216 -j ACCEPT
-A OUTPUT -o wlan6 -m owner --gid-owner 1 -j ACCEPT
-A OUTPUT -o virbr1 -m tcp -p TCP --dport 22 -j ACCEPT
-A OUTPUT -o virbr1 -m tcp -p TCP --dport 9028 -j LOG --log-uid --log-prefix "iptables_: "
-A OUTPUT -o virbr1 -m tcp -p TCP --dport 9028 -j ACCEPT
-A OUTPUT -o virbr1 -m tcp -p TCP --dport 9040 -j LOG --log-uid --log-prefix "iptables_: "
-A OUTPUT -o virbr1 -m tcp -p TCP --dport 9040 -j ACCEPT
-A OUTPUT -o virbr1 -m tcp -p TCP --dport 9050 -j LOG --log-uid --log-prefix "iptables_: "
-A OUTPUT -o virbr1 -m tcp -p TCP --dport 9050 -j ACCEPT
-A OUTPUT -o virbr1 -m tcp -p TCP --dport 9053 -j LOG --log-uid --log-prefix "iptables_: "
-A OUTPUT -o virbr1 -m tcp -p TCP --dport 9053 -j ACCEPT
-A OUTPUT -o virbr1 -m udp -p udp --dport 9053 -j ACCEPT
-A OUTPUT -j LIBVIRT_OUT
-A LIBVIRT_FWI -o virbr1 -j LOG --log-uid --log-prefix "IPTABLES_FWI_REJECT-o: "
-A LIBVIRT_FWI -o virbr2 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWI -d 10.0.2.0/24 -o virbr1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A LIBVIRT_FWI -o virbr1 -j LOG --log-uid --log-prefix "IPTABLES_FWI_REJECT-o: "
-A LIBVIRT_FWI -o virbr1 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWO -i virbr2 -j LOG --log-uid --log-prefix "IPTABLES_FWO_REJECT-i: "
-A LIBVIRT_FWO -i virbr2 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWO -s 10.0.2.0/24 -i virbr1 -j ACCEPT
-A LIBVIRT_FWO -i virbr1 -j LOG --log-uid --log-prefix "IPTABLES_FWO_REJECT-i: "
-A LIBVIRT_FWO -i virbr1 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWX -i virbr2 -o virbr2 -j ACCEPT
-A LIBVIRT_FWX -i virbr1 -o virbr1 -j ACCEPT
-A LIBVIRT_INP -i virbr2 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr2 -p tcp -m tcp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr2 -p udp -m udp --dport 67 -j ACCEPT
-A LIBVIRT_INP -i virbr2 -p tcp -m tcp --dport 67 -j ACCEPT
-A LIBVIRT_INP -i virbr1 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr1 -p tcp -m tcp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr1 -p udp -m udp --dport 67 -j ACCEPT
-A LIBVIRT_INP -i virbr1 -p tcp -m tcp --dport 67 -j ACCEPT
-A LIBVIRT_OUT -o virbr2 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_OUT -o virbr2 -p tcp -m tcp --dport 53 -j ACCEPT
-A LIBVIRT_OUT -o virbr2 -p udp -m udp --dport 68 -j ACCEPT
-A LIBVIRT_OUT -o virbr2 -p tcp -m tcp --dport 68 -j ACCEPT
-A LIBVIRT_OUT -o virbr1 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_OUT -o virbr1 -p tcp -m tcp --dport 53 -j ACCEPT
-A LIBVIRT_OUT -o virbr1 -p udp -m udp --dport 68 -j ACCEPT
-A LIBVIRT_OUT -o virbr1 -p tcp -m tcp --dport 68 -j ACCEPT
COMMIT
# Completed on Wed Nov 4 01:14:37 2020

18
roles/ansible-gentoo_install/templates/etc/libvirt/qemu/networks/External.xml Normal file
View File

@ -0,0 +1,18 @@
<!--
WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
virsh net-edit Whonix-External
or other application using the libvirt API.
-->
<network>
<name>External</name>
<forward mode='nat'/>
<bridge name='virbr1' stp='on' delay='0'/>
<mac address='52:54:00:f7:fb:37'/>
<ip address='10.0.2.2' netmask='255.255.255.0'>
<dhcp>
<range start='10.0.2.20' end='10.0.2.254'/>
</dhcp>
</ip>
</network>

31
roles/ansible-gentoo_install/vars/target_Gentoo2.yml
View File

@ -27,6 +27,9 @@ AGI_bootstrap_links:
- from: /var/db/repos/gentoo
to: /usr/portage
AGI_bootstrap_modules:
- virtio_console
# NO LEADING /
AGI_bootstrap_dirs:
- usr/local/etc/local.d
@ -49,6 +52,8 @@ AGI_bootstrap_files:
- usr/local/etc/local.d/local.bash
- usr/local/bin/usr_local_tput.bash
- usr/local/bin/proxy_export.bash
- etc/hosts
- etc/resolv.conf
AGI_bootstrap_uris:
- http://distfiles.gentoo.org/distfiles/00/elfutils-0.190.tar.bz2
@ -56,24 +61,35 @@ AGI_bootstrap_uris:
- http://distfiles.gentoo.org/distfiles/60/shared-mime-info-2.2.tar.gz
- http://distfiles.gentoo.org/distfiles/fc/qemu-8.0.3.tar.xz
AGI_bootstrap_pips3:
- negotiator-guest
# proxy_pkgs_inst:
AGI_bootstrap_pkgs:
- app-admin/sudo
- sys-boot/grub:2
- sys-boot/syslinux
- app-editors/mg
- qemu-guest-agent
- app-admin/logrotate
- "sys-process/{{ AGI_install_cron_daemon }}"
- "{{ AGI_install_syslog_daemon}}"
- "sys-boot/{{ AGI_install_bootloader }}"
- media-fonts/terminus-font
- sys-apps/gptfdisk
- net-analyzer/openbsd-netcat
- app-admin/logrotate
- "sys-process/{{ AGI_install_cron_daemon }}"
- "app-admin/{{ AGI_install_syslog_daemon}}"
- "sys-boot/{{ AGI_install_bootloader }}"
- media-fonts/terminus-font
- net-misc/curl
- app-arch/unzip
- net-libs/pacparser
- sys-process/lsof
- dev-util/strace
- sys-libs/gpm
- app-portage/eix
- net-misc/curl
- sys-libs/gpm
- linux-firmware
- net-dns/bind-tools
# - www-client/lynx
- app-admin/supervisor
- dev-python/pip
AGI_cloud_pkgs:
# get these from base.json
@ -94,4 +110,3 @@ AGI_cloud_pkgs:
# get these from config.json
# - app-emulation/cloud-init
# - sys-block/open-iscsi

15
roles/toxcore/vars/mask.txt Normal file
View File

@ -0,0 +1,15 @@
# /etc/portage/package.mask/2023_BROKEN.txt qemu
=app-emulation/qemu-guest-agent-8.0.2%
# /etc/portage/package.mask/2023_BROKEN.txt qemu
=app-emulation/qemu-guest-agent-8.0.0%
# /etc/portage/package.mask/2023_BROKEN.txt qemu
=app-emulation/qemu-guest-agent-8.0.3%
# /etc/portage/package.mask/2023_BROKEN.txt libvirt
=app-emulation/libvirt-9.4.0-r1%
# /etc/portage/package.mask/2022_BLOCKED.txt docker
app-containers/docker-compose%

114
roles/toxcore/vars/use.txt Normal file
View File

@ -0,0 +1,114 @@
# /etc/portage/package.use/2017-01-01_libguestfs.txt iptables
net-firewall/iptables% nftables ipv6
# /etc/portage/package.use/2017-08_testdisk.txt testdisk
app-admin/testdisk% ntfs qt5 -ewf
# /etc/portage/package.use/2020-01_static-libs.txt zstd
app-arch/zstd% static-libs
# /etc/portage/package.use/2020-03_jq.txt jq
app-misc/jq% oniguruma
# /etc/portage/package.use/2016-11_world.txt libvpx
media-libs/libvpx% svc
# /etc/portage/package.use/2019-02_electron.txt libvpx
media-libs/libvpx% postproc svc
# /etc/portage/package.use/2021-04_world.txt libxcb
x11-libs/libxcb% xkb
# /etc/portage/package.use/2018-01_qt.txt libxkbcommon
x11-libs/libxkbcommon% X tools
# /etc/portage/package.use/2020-01_readline.txt libxml2
dev-libs/libxml2% -readline
# /etc/portage/package.use/2021-00_verify-sig.txt libxml2
dev-libs/libxml2:2% verify-sig
# /etc/portage/package.use/2021-04_world.txt libxml2
dev-libs/libxml2% python icu ipv6 lzma
# /etc/portage/package.use/2021-00_verify-sig.txt libvirt-python
dev-python/libvirt-python% verify-sig
# /etc/portage/package.use/2021-08_wafw00f.txt requests
dev-python/requests% socks5
# /etc/portage/package.use/2020-00_dbus.txt dbus
sys-apps/dbus% X elogind -systemd
# /etc/portage/package.use/2020-01_dbus.txt dbus
sys-apps/dbus% X elogind -systemd
# /etc/portage/package.use/2021-01_wayland.txt gtk+
x11-libs/gtk+% X -wayland
# /etc/portage/package.use/2021-04_world.txt vte
x11-libs/vte% crypt -icu introspection vala -debug -gtk-doc -systemd -vanilla
# /etc/portage/package.use/2022-01_xterms.txt vte
x11-libs/vte% vanilla
# /etc/portage/package.use/2021-00_verify-sig.txt zfs-kmod
sys-fs/zfs-kmod% verify-sig
# /etc/portage/package.use/2021-00_verify-sig.txt zfs
sys-fs/zfs% verify-sig
# /etc/portage/package.use/2021-00_verify-sig.txt zfs
sys-fs/zfs-kmod% verify-sig
# /etc/portage/package.use/2020-01_nls.txt qemu
app-emulation/qemu% -nls
# /etc/portage/package.use/2021-04_qemu.txt qemu
app-emulation/qemu% -accessibility aio alsa bzip2 caps -capstone curl -debug doc fdt filecaps -fuse -glusterfs gnutls gtk -infiniband -io-uring -iscsi -jack -jemalloc jpeg lzo -multipath ncurses -nfs -nls numa opengl -oss pin-upstream-blobs plugins png -pulseaudio python -rbd sasl sdl sdl-image seccomp -selinux -slirp -smartcard snappy spice ssh -static -static-user -systemtap -test -udev usb usbredir vde vhost-net vhost-user-fs virgl virtfs vnc vte xattr -xen xfs zstd #
# /etc/portage/package.use/2023-00_python-3.11.txt qemu
app-emulation/qemu% -python_single_target_python3_10 python_single_target_python3_11 python_single_target_python3_11 -python_single_target_python3_10
# /etc/portage/package.use/2019-11_aqemu.txt aqemu
app-emulation/aqemu% vnc
# /etc/portage/package.use/2019-09_spice-gtk.txt spice-gtk
>=net-misc/spice-gtk-0.35% usbredir
# /etc/portage/package.use/2020-01_polkit.txt spice-gtk
net-misc/spice-gtk% policykit
# /etc/portage/package.use/2020-01_polkit.txt libvirt
app-emulation/libvirt% apparmor audit -bash-completion caps -dbus -dtrace -firewalld fuse -glusterfs -iscsi -iscsi-direct libssh libvirtd lvm lxc -macvtap -nfs -nls numa -openvz parted pcap -policykit qemu -rbd -sasl -selinux udev vepa verify-sig virt-network virtualbox -wireshark-plugins -xen -zfs
# /etc/portage/package.use/2020-10_nfs.txt libvirt
app-emulation/libvirt% -nfs
# /etc/portage/package.use/2021-00_verify-sig.txt libvirt
app-emulation/libvirt% verify-sig
# /etc/portage/package.use/2021-00_verify-sig.txt libvirt
dev-python/libvirt-python% verify-sig
# /etc/portage/package.use/2020-01_polkit.txt virt-manager
app-emulation/virt-manager% gtk -policykit virtualbox libvirtd caps dbus fuse libssh lxc macvtap numa parted pcap policykit qemu vepa virt-network
# /etc/portage/package.use/2019-11_qxl.txt xf86-video-qxl
x11-drivers/xf86-video-qxl% xspice
# /etc/portage/package.use/2019-11_libguestfs.txt libguestfs
app-emulation/libguestfs% parted virtualbox libvirt -erlang -lua perl fuse gtk inspect-icons introspection -ocaml python -ruby
# /etc/portage/package.use/2023-00_python-3.11.txt libguestfs
app-emulation/libguestfs% python_single_target_python3_11
# /etc/portage/package.use/2021-00_verify-sig.txt libvirt-python
dev-python/libvirt-python% verify-sig
# /etc/portage/package.use/2017-02_docker.txt tini
sys-process/tini% static args
# /etc/portage/package.use/2017-02_docker.txt docker
app-containers/docker% btrfs