proxy_ping_test

This commit is contained in:
emdee 2024-01-05 11:12:55 +00:00
parent 346682eedb
commit c8610f9ded
19 changed files with 1126 additions and 183 deletions

Makefile

@ -9,21 +9,21 @@ ANSIBLE_PLUGINS=/usr/local/lib/python3.11/site-packages/ansible-2.9.22-py3.11.eg
# change this to be that hostname
LOCALHOST=`cat /etc/hostname`
BOX_NBD_BASE_DIR=/a/tmp/GentooImgr
BOX_NBD_BASE_FILE=gentoo.qcow2
BOX_NBD_BASE_QCOW=${BOX_NBD_BASE_DIR}/${BOX_NBD_BASE_FILE}
# set this to the name linux_local_group host in hosts.yml
LOCAL_HOSTS_NAME=pentoo
# set this to the name linux_chroot_group host in hosts.yml
YAML_CHROOT_NAME=linuxGentoo
# set this to the libvirt name of the linux_libvirt_group host in hosts.yml
YAML_BOX_NAME=gentoo1
INST_BOX_NAME=gentoo1
OVERLAY_HOSTS_NAME=gentoo_overlay-2
BOX_NBD_BASE_QCOW="`/usr/local/bin/ansible_get_inventory.bash BOX_NBD_BASE_QCOW ${OVERLAY_HOSTS_NAME}`"
BOX_NBD_OVERLAY_DIR="`/usr/local/bin/ansible_get_inventory.bash BOX_NBD_OVERLAT_DIR ${OVERLAY_HOSTS_NAME}`"
BOX_NBD_OVERLAY_QCOW="`/usr/local/bin/ansible_get_inventory.bash BOX_NBD_OVERLAT_QCOW ${OVERLAY_HOSTS_NAME}`"
BOX_NBD_OVERLAY_XML=${BOX_NBD_OVERLAY_DIR}/xml/${OVERLAY_HOSTS_NAME}.xml
BOX_NBD_OVERLAY_NAME="`/usr/local/bin/ansible_get_inventory.bash BOX_NBD_OVERLAY_NAME ${OVERLAY_HOSTS_NAME}`"
#INST_BOX_DIR=/mnt/o/home/root/vms/virsh
INST_BOX_DIR=${BOX_NBD_BASE_DIR}/create-vm
PWD=/o/var/local/src/play_tox/
NETWORK=default
NETWORK=Whonix-External
VERBOSE=2
all: install lint build check run test
@ -66,27 +66,27 @@ build_base:: install
[ -f ${BOX_NBD_BASE_QCOW} ]
build_overlay::
@virsh list | grep "${INST_BOX_NAME}.*running" && \
virsh destroy ${INST_BOX_NAME} ; true
# @virsh list | grep "${INST_BOX_NAME}.*running" && exit 1
@virsh list --all | grep ${INST_BOX_NAME} && \
virsh undefine ${INST_BOX_NAME} && \
@virsh list | grep "${OVERLAY_HOSTS_NAME}.*running" && \
virsh destroy ${OVERLAY_HOSTS_NAME} ; true
# @virsh list | grep "${OVERLAY_HOSTS_NAME}.*running" && exit 1
@virsh list --all | grep ${OVERLAY_HOSTS_NAME} && \
virsh undefine ${OVERLAY_HOSTS_NAME} && \
rm -f \
${INST_BOX_DIR}/xml/${INST_BOX_NAME}.xml \
${INST_BOX_DIR}/images/${INST_BOX_NAME}.img ; true
${BOX_NBD_OVERLAY_XML} \
${BOX_NBD_OVERLAY_QCOW} ; true
# /a/tmp/GentooImgr/create-vm/xml/gentoo1.xml
# ! virsh list --all | grep "${INST_BOX_NAME}" && exit 2
[ ! -f ${INST_BOX_DIR}/images/${INST_BOX_NAME}.img ] || { \
# ! virsh list --all | grep "${OVERLAY_HOSTS_NAME}" && exit 2
[ ! -f ${BOX_NBD_OVERLAY_QCOW} ] || { \
echo WARN delete this file to continue; \
echo rm -f ${INST_BOX_DIR}/images/${INST_BOX_NAME}.img ; \
echo rm -f ${BOX_NBD_OVERLAY_QCOW} ; \
exit 3 ; }
[ ! -f ${INST_BOX_DIR}/xml/${INST_BOX_NAME}.xml ] || { \
[ ! -f ${BOX_NBD_OVERLAY_XML} ] || { \
echo WARN delete this file to continue ; \
echo rm -f ${INST_BOX_DIR}/xml/${INST_BOX_NAME}.xml ; \
echo rm -f ${BOX_NBD_OVERLAY_XML} ; \
exit 4 ; }
PLAY_ANSIBLE_SRC=${PWD} bash bin/toxcore_build_overlay_qcow.bash
[ -f ${INST_BOX_DIR}/xml/${INST_BOX_NAME}.xml ]
xmllint -noout ${INST_BOX_DIR}/xml/${INST_BOX_NAME}.xml
[ -f ${BOX_NBD_OVERLAY_XML} ]
xmllint -noout ${BOX_NBD_OVERLAY_XML}
check::
grep -n 'shell: *$$' roles/*/tasks/*.yml && { echo ERROR: "shell: in .yml" ; false ; } || true
@ -96,7 +96,7 @@ check::
$(MAKE) -$(MAKEFLAGS) check_base
@[ -d /mnt/gentoo/lost+found ] && \
sudo $(MAKE) -$(MAKEFLAGS) $@_chroot
@[ -f ${INST_BOX_DIR}/images/${INST_BOX_NAME}.img ] && \
@[ -f ${BOX_NBD_OVERLAY_QCOW} ] && \
sudo $(MAKE) -$(MAKEFLAGS) $@_overlay
check_localhost::
@ -106,9 +106,9 @@ check_localhost::
check_base::
ls ${BOX_NBD_BASE_QCOW}
ls ${INST_BOX_DIR}/images/${INST_BOX_NAME}.img
ls ${INST_BOX_DIR}/xml/${INST_BOX_NAME}.xml
ps axf | grep 'qemu-system-x86_64 -name guest='${INST_BOX_NAME} ; \
ls ${BOX_NBD_OVERLAY_QCOW}
ls ${BOX_NBD_OVERLAY_XML}
ps axf | grep 'qemu-system-x86_64 -name guest='${OVERLAY_HOSTS_NAME} ; \
true
check_chroot::
@ -120,18 +120,19 @@ check_chroot::
$(ROLES) > .$@-${YAML_CHROOT_NAME}-${LOCALHOST} 2>&1
check_overlay::
sudo /var/local/sbin/hostvms_libvirt_test_ga.bash ${INST_BOX_NAME} ls /
sudo /usr/local/sbin/toxcore_libvirt_test_ga.bash ${OVERLAY_HOSTS_NAME} ls /
sudo /usr/local/sbin/toxcore_libvirt_test_ga.bash ${OVERLAY_HOSTS_NAME}
# domain-*-gentoo/org.qemu.guest_agent.0 || true
sudo virsh list | grep -q ${OVERLAY_HOSTS_NAME} || exit 0
sudo find /var/lib/libvirt/qemu/channel/target/ | \
grep org.qemu.guest_agent.0
sudo find /var/lib/libvirt/qemu/channel/target/ -type s | \
grep ${INST_BOX_NAME}
ansible -c libvirt_qemu -l ${YAML_BOX_NAME} -i hosts.yml \
-m setup -vvv ${YAML_BOX_NAME}
sudo virsh list | grep -q ${INST_BOX_NAME} || exit 0
sudo sh ansible_local.bash --diff -i hosts.yml -l ${INST_BOX_NAME} \
grep ${OVERLAY_HOSTS_NAME}
ansible -c libvirt_qemu -l ${OVERLAY_HOSTS_NAME} -i hosts.yml \
-m setup -vvv ${OVERLAY_HOSTS_NAME}
sudo sh ansible_local.bash --diff -i hosts.yml -l ${OVERLAY_HOSTS_NAME} \
--check -c libvirt_qemu --verbose ${VERBOSE} \
$(ROLES) > .$@-${INST_BOX_NAME}-${LOCALHOST} 2>&1
$(ROLES) > .$@-${OVERLAY_HOSTS_NAME}-${LOCALHOST} 2>&1
# Edit hosts.yml and customize this target if you are on a Debianish
devuan::
@ -150,8 +151,8 @@ run::
$(MAKE) -$(MAKEFLAGS) $@_local
@[ -d /mnt/gentoo/lost+found ] && \
sudo $(MAKE) -$(MAKEFLAGS) $@_chroot
@[ ! -f ${INST_BOX_DIR}/images/${INST_BOX_NAME}.img ] && \
sudo $(MAKE) -$(MAKEFLAGS) $@_libvirt
@[ ! -f ${BOX_NBD_OVERLAY_QCOW} ] && \
sudo $(MAKE) -$(MAKEFLAGS) $@_overlay
run_local:: lint
A=`grep nbd /proc/partitions | wc -l`
@ -174,26 +175,35 @@ run_chroot::
-c chroot --verbose ${VERBOSE} $(ROLES) \
> .$@-${YAML_CHROOT_NAME}-${LOCALHOST} 2>&1
run_libvirt::
[ -f ${INST_BOX_DIR}/images/${INST_BOX_NAME}.img ]
install_libvirt::
@virsh net-list | grep "${NETWORK}.*active" || \
sudo virsh net-start "${NETWORK}"
@virsh list | grep ${INST_BOX_NAME} && \
virsh define ${INST_BOX_DIR}/xml/${INST_BOX_NAME}.xml
@virsh list | grep "${INST_BOX_NAME}.*running" || \
virsh start ${INST_BOX_NAME}
sh ansible_local.bash --diff -i hosts.yml -l ${INST_BOX_NAME} \
sudo virsh net-start "${NETWORK}" || { \
echo WARN: error virsh net-start "${NETWORK}" ; }
[ -f ${BOX_NBD_OVERLAY_XML} ]
# xmlstarlet sel -t -v
A=$(grep 'source file=' ${BOX_NBD_OVERLAY_XML} | sed -e 's@.*file=.@@' -e "s@'.*@@" )
[ -n "${A}" ] && [ -f "${A}" ]
@virsh list --all | grep ${OVERLAY_HOSTS_NAME} || \
virsh define ${BOX_NBD_OVERLAY_XML}
@virsh list | grep "${OVERLAY_HOSTS_NAME}.*running" || \
{ virsh start ${OVERLAY_HOSTS_NAME} ; sleep 40 ; }
run_overlay:: install_libvirt
[ -f ${BOX_NBD_OVERLAY_QCOW} ] || { \
echo WARN ${BOX_NBD_OVERLAY_QCOW} doesnt exist - make build_overlay ; \
exit 1 ; }
sh ansible_local.bash --diff -i hosts.yml -l ${OVERLAY_HOSTS_NAME} \
-c libvirt_qemu --verbose ${VERBOSE} $(ROLES) \
> .run-${INST_BOX_NAME}-${LOCALHOST} 2>&1
> .run-${OVERLAY_HOSTS_NAME}-${LOCALHOST} 2>&1
# hourly is quick tests, weekly is medium tests, monthly is long tests
weekly:: test
test::
# bash .pyanal.sh &
@[ -d /mnt/gentoo/lost+found ] && \
sudo $(MAKE) -$(MAKEFLAGS) $@_local
@[ -f ${INST_BOX_DIR}/images/${INST_BOX_NAME}.img ] && \
sudo $(MAKE) -$(MAKEFLAGS) $@_libvert
@[ -f ${BOX_NBD_OVERLAY_QCOW} ] && \
sudo $(MAKE) -$(MAKEFLAGS) $@_overlay
test_local::
bash .pyanal.sh &
sudo sh ansible_local.bash --diff -i ${PWD}/hosts.yml -l ${LOCALHOST} \
@ -201,15 +211,39 @@ test_local::
--verbose ${VERBOSE} -t weekly \
$(ROLES) > .$@-${LOCALHOST} 2>&1
test_libvirt::
# bash .pyanal.sh &
# check if ${INST_BOX_NAME} is running
! sudo virsh list | grep -q ${INST_BOX_NAME} && exit 0
test_overlay:: install_libvirt
! sudo virsh list | grep -q ${OVERLAY_HOSTS_NAME} && exit 0
sudo sh ansible_local.bash --diff -i ${PWD}/hosts.yml \
-l ${INST_BOX_NAME} -c libvirt_qemu \
-l ${OVERLAY_HOSTS_NAME} -c libvirt_qemu \
--verbose ${VERBOSE} -t weekly \
$(ROLES) > .$@-${LOCALHOST} 2>&1
# this is a special test target to test a copy of the base qcow2
VM_HOSTS_NAME=gentoo_vm-2
VM_XML=/etc/libvirt/qemu/${VM_HOSTS_NAME}.xml
A="`grep 'source file=.*qcow2' ${VM_XML} | sed -e 's@.*file=.@@' -e "s@'.*@@"`"
install_vm::
@virsh net-list | grep "${NETWORK}.*active" || \
sudo virsh net-start "${NETWORK}" || { \
echo WARN: error virsh net-start "${NETWORK}" ; }
[ -f ${VM_XML} ]
@virsh list --all | grep ${VM_HOSTS_NAME} || { \
echo ERROR virsh define ${VM_XML} ; exit 8 ; }
# xmlstarlet sel -t -v
[ -n "${A}" ] && [ -f "${A}" ]
@virsh list | grep "${VM_HOSTS_NAME}.*running" || \
{ virsh start ${VM_HOSTS_NAME} ; sleep 40 ; }
test_vm:: install_vm
sudo sh ansible_local.bash --diff -i ${PWD}/hosts.yml \
-l ${VM_HOSTS_NAME} -c libvirt_qemu \
--check --verbose ${VERBOSE} -t daily \
$(ROLES) > .$@-${LOCALHOST} 2>&1
sudo sh ansible_local.bash --diff -i ${PWD}/hosts.yml \
-l ${VM_HOSTS_NAME} -c libvirt_qemu \
--verbose ${VERBOSE} -t daily \
$(ROLES) > .$@-${LOCALHOST} 2>&1
veryclean:: clean
rm -f .run* .check*
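Review bot: In install_libvirt the line `A=$(grep 'source file=' ${BOX_NBD_OVERLAY_XML} | sed ...)` never reaches the shell as written — `$(grep …)` is expanded by Make as an undefined variable, so the shell runs a bare `A=`, and because each recipe line runs in its own shell the value would not survive to the next line anyway. The guard `[ -n "${A}" ] && [ -f "${A}" ]` on the next line therefore expands the file-level `A` defined further down for `${VM_XML}`, so install_libvirt ends up checking the gentoo_vm-2 domain's disk file rather than the overlay's; putting both on one line with the `$` escaped for the shell, `A=$$(grep 'source file=' ${BOX_NBD_OVERLAY_XML} | sed -e 's@.*file=.@@' -e "s@'.*@@") && [ -n "$$A" ] && [ -f "$$A" ]`, fixes both problems (the same applies to `${A}` in install_vm). The same hunk follows `virsh start` with a fixed `sleep 40`; polling `virsh domstate` or a guest-agent ping until the guest answers would be more reliable than a constant. In the first hunk the inventory keys `BOX_NBD_OVERLAT_DIR` and `BOX_NBD_OVERLAT_QCOW` look misspelled; if ansible_get_inventory.bash yields an empty string for an unknown key, `[ ! -f ${BOX_NBD_OVERLAY_QCOW} ]` in build_overlay passes trivially and `rm -f ${BOX_NBD_OVERLAY_XML}` resolves to a path directly under `/xml/`, so an empty lookup result is worth rejecting with `$(error …)` or a `[ -n … ]` test before anything is deleted.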


@ -1,5 +1,5 @@
[defaults]
log_path = var/tmp/2023/12/31/pentoo/base_proxy_toxcore.log
log_path = var/tmp/2024/01/05/gentoo_vm-2/base_proxy_toxcore.log
callback_plugins = ./lib/plugins/
# /i/data/DevOps/net/Http/docs.ansible.com/ansible/intro_configuration.html
# http://docs.ansible.com/ansible/intro_configuration.html#command-warnings


@ -101,10 +101,10 @@
that:
- "'{{ansible_lsb.id}}' == '{{BOX_OS_NAME}}'"
success_msg: "BOX_OS_FAMILY={{BOX_OS_FAMILY}}"
fail_msg: "ON tHE WRONG BOX {{ansible_lsb.id}} "
fail_msg: "ON tHE WRONG BOX {{ansible_lsb.id}}"
when:
- ansible_connection != 'local'
- ansible_lsb.id|default('')" != ''
# - ansible_connection != 'local'
- ansible_lsb.id|default('') != ''
ignore_errors: true
- name: "check BOX_ANSIBLE_CONNECTIONS"
@ -148,39 +148,8 @@
check_mode: false
when: ansible_connection == 'local' or ansible_connection == 'chroot'
- block:
- name: "spinup libvirt hosts"
shell: |
sudo virsh net-list | grep -q default || \
sudo virsh net-start default
sudo virsh list | grep -q "{{ inventory_hostname }}" || \
sudo virsh start "{{ inventory_hostname }}"
delegate_to: localhost
become: yes
- name: "spinup libvirt hosts"
# pip3.sh install ovirt-engine-sdk-python --break-system-packages
ovirt:
url: "qemu:///system"
instance_name: ubuntu18.04
instance_cpus: "1"
state: started
# instance_rootpw
user: "{{ BOX_USER_NAME }}" #
password: "{{ BOX_USER_NAME }}" # "{{ ansible_ssh_user }}
become: yes
# msg: ovirtsdk required for this module
ignore_errors: true
# required
tags: always
check_mode: false
when: ansible_connection == 'libvirt_qemu'
- block:
# after spinup
- name: "we will use sudo and make it a prerequisite"
shell: |
[ -z "$TMPDIR" ] || [ -d "$TMPDIR" ] || mkdir -p "$TMPDIR"
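Review bot: The assert in the first hunk now also runs for local connections (`# - ansible_connection != 'local'` is commented out rather than removed), but the task still carries `ignore_errors: true`, so a run on the wrong box only logs a failed assert and continues; for a guard whose purpose is to stop runs on the wrong host, dropping `ignore_errors: true` (or gating the following tasks on the assert's registered result) is what makes it protect anything. The commented-out condition should be deleted rather than left in the `when:` list. The corrected expression `- ansible_lsb.id|default('') != ''` is right and no longer has the stray quote.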


@ -79,7 +79,6 @@ all:
BOX_USR_LIB: lib
BOX_DEFAULT_OUTPUT_IF: wlan4
BOX_PROXY_MODE: selektor
BOX_WHONIX_PROXY_HOST: ""
BOX_GENTOO_DISTFILES_ARCHIVES: "/i/net/Http/distfiles.gentoo.org/distfiles"
BOX_PROXY_JAVA_NET_PROPERTIES: /etc/java-config-2/current-system-vm/jre/lib/net.properties
# /usr/lib/jvm/openjdk-bin-*/conf/net.properties
@ -110,7 +109,6 @@ all:
BOX_JAVA_NET_PROPERTIES: /etc/java-11-openjdk/net.properties
BOX_WHONIX_PROXY_HOST: ""
BOX_PROXY_MODE: tor
BOX_GENTOO_FROM_MP: "/mnt/linuxPen19"
@ -126,13 +124,45 @@ all:
hosts:
gentoo1:
gentoo_overlay-2:
ansible_remote_addr: "gentoo1"
ansible_host: "gentoo1"
ansible_remote_addr: "gentoo_overlay-2"
ansible_host: "gentoo_overlay-2"
ansible_ssh_user: "gentoo"
BOX_SERVICE_MGR: "openrc"
BOX_HOST_NAME: "gentoo1"
BOX_HOST_NAME: "gentoo_overlay-2"
BOX_USER_NAME: "gentoo"
BOX_USER_GROUP: "adm"
BOX_ALSO_GROUP: "adm"
BOX_USER_HOME: "/home/gentoo"
BOX_OS_NAME: Gentoo
BOX_OS_FAMILY: Gentoo
BOX_OS_FLAVOR: "Gentoo"
BOX_PROXY_MODE: nat
BOX_USR_LIB: lib64
BOX_DEFAULT_OUTPUT_IF: eth0
BOX_PYTHON2_MINOR: ""
BOX_PYTHON3_MINOR: "3.11"
BASE_PORTAGE_PYTHON_MINOR: 3.11
BOX_HOST_CONTAINER_MOUNTS: []
BOX_GENTOO_DISTFILES_ARCHIVES: "/mnt/linuxPen19/usr/portage/distfiles"
BOX_PROXY_JAVA_NET_PROPERTIES: /etc/java-config-2/current-system-vm/jre/lib/net.properties
BOX_ALSO_USERS:
- gentoo
BOX_BASE_FEATURES: []
BOX_TOXCORE_FEATURES: ['libvirt'] # ', 'docker
BOX_GENTOO_FROM_MP: "/mnt/linuxPen19"
BOX_NBD_OVERLAY_NAME: "gentoo_overlay-2" # was gentoo1
BOX_NBD_OVERLAY_BASE: "/a/tmp/GentooImgr/gentoo_base-2.qcow2"
BOX_NBD_OVERLAY_QCOW: "/a/tmp/GentooImgr/create-vm/images/gentoo_overlay-2.img"
gentoo_vm-2:
# vm no overlay, copy of the overlay's base
ansible_remote_addr: "gentoo_vm-2"
ansible_host: "gentoo_vm-2"
ansible_ssh_user: "gentoo"
BOX_SERVICE_MGR: "openrc"
BOX_HOST_NAME: "gentoo_vm-2"
BOX_USER_NAME: "gentoo"
BOX_USER_GROUP: "adm"
BOX_ALSO_GROUP: "adm"
@ -151,8 +181,10 @@ all:
BOX_ALSO_USERS:
- gentoo
BOX_BASE_FEATURES: []
BOX_TOXCORE_FEATURES: ['libvirt', 'docker']
BOX_TOXCORE_FEATURES: ['libvirt'] # ', 'docker
BOX_GENTOO_FROM_MP: "/mnt/linuxPen19"
BOX_VM_NAME: "gentoo_vm-2" # was gentoo1
BOX_VM_QCOW: "/o/var/lib/libvirt/images/gentoo_vm-2.qcow2"
ubuntu18.04:
# /mnt
@ -187,11 +219,6 @@ all:
# ansible_ssh_extra_args: "-o StrictHostKeyChecking=no"
# ansible_ssh_host: "127.0.0.1"
BOX_ROOT_GROUP: root
BOX_PROXY_MODE: client
http_proxy: "http://127.0.0.1:3128"
https_proxy: "http://127.0.0.1:9128"
socks_proxy: "socks5://127.0.0.1:9050"
no_proxy: "localhost,127.0.0.1,127.0.0.1"
linux_chroot_group :
@ -261,7 +288,6 @@ all:
# toxcore
BOX_NBD_DEV: nbd1
BOX_NBD_MP: /mnt/gentoo
BOX_NBD_OVERLAY_NAME: "gentoo1"
BOX_NBD_FILES: "/i/data/Agile/tmp/Topics/GentooImgr"
BOX_NBD_PORTAGE_FILE: "{{AGI_NBD_FILES}}/portage-20231223.tar.xz"
BOX_NBD_STAGE3_FILE: "{{AGI_NBD_FILES}}/stage3-amd64-openrc-20231217T170203Z.tar.xz"
@ -269,12 +295,10 @@ all:
BOX_NBD_BASE_PROFILE: openrc
BOX_NBD_BASE_DIR: "/a/tmp/GentooImgr"
BOX_NBD_BASE_QCOW: "{{BOX_NBD_BASE_DIR}}/gentoo.qcow2"
BOX_NBD_OVERLAY_QCOW: "/o/var/lib/libvirt/images/gentoo1.qcow2"
BOX_NBD_BASE_PUBKEY: "/root/.ssh/id_rsa-ansible.pub"
# libvirt overlay
BOX_NBD_OVERLAY_DIR: "/a/tmp/GentooImgr/create-vm"
BOX_NBD_OVERLAY_BASE: "/o/var/lib/libvirt/images/gentoo.qcow2.2"
BOX_NBD_LOGLEVEL: 10
BOX_NBD_OVERLAY_GB: "20"
BOX_NBD_OVERLAY_CPUS: 1
@ -286,7 +310,6 @@ all:
BOX_NBD_OVERLAY_PASS: "gentoo"
BOX_GENTOOIMGR_CONFIGFILE: "/g/Agile/tmp/Topics/GentooImgr/base.json"
vars:
# These come from the inventory overridden for connection = local,chroot in base_proxy.yml
http_proxy: ""
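Review bot: The new `gentoo_overlay-2` and `gentoo_vm-2` host entries repeat the same block of variables (`ansible_ssh_user`, `BOX_SERVICE_MGR`, `BOX_USER_*`, `BOX_OS_*`, `BOX_PYTHON3_MINOR`, …) almost line for line; a shared group with those values in its `vars:` and only `BOX_HOST_NAME`, `BOX_NBD_OVERLAY_*` and `BOX_VM_*` per host would keep the two from drifting apart. The trailing comment fragments `# ', 'docker` and `# was gentoo1` are leftovers of edits rather than documentation and should go. While the overlay variables are being reorganised, `BOX_NBD_OVERLAY_PASS: "gentoo"` (context here) is a guest password stored in cleartext in the inventory and equal to the user name; moving it into an `ansible-vault` encrypted vars file would be the natural companion to this change.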


@ -0,0 +1,370 @@
# Based on local.py (c) 2012, Michael DeHaan <michael.dehaan@gmail.com>
# Based on chroot.py (c) 2013, Maykel Moya <mmoya@speedyrails.com>
# (c) 2013, Michael Scherer <misc@zarb.org>
# (c) 2015, Toshio Kuratomi <tkuratomi@ansible.com>
# (c) 2017 Ansible Project
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
from __future__ import (absolute_import, division, print_function)
import sys
import time
__metaclass__ = type
DOCUMENTATION = """
author: Jesse Pretorius <jesse@odyssey4.me>
connection: community.libvirt.libvirt_qemu
short_description: Run tasks on libvirt/qemu virtual machines
description:
- Run commands or put/fetch files to libvirt/qemu virtual machines using the qemu agent API.
notes:
- Currently DOES NOT work with selinux set to enforcing in the VM.
- Requires the qemu-agent installed in the VM.
- Requires access to the qemu-ga commands guest-exec, guest-exec-status, guest-file-close, guest-file-open, guest-file-read, guest-file-write.
version_added: "2.10"
options:
remote_addr:
description: Virtual machine name
default: inventory_hostname
vars:
- name: ansible_host
executable:
description: Shell to use for execution inside container
default: /bin/sh
vars:
- name: ansible_executable
virt_uri:
description: libvirt URI to connect to to access the virtual machine
default: qemu:///system
vars:
- name: ansible_libvirt_uri
timeout:
description: timeout for libvirt to connect to access the virtual machine
required: false
type: int
default: 10
"""
import base64
import json
import libvirt
import libvirt_qemu
import shlex
import traceback
from ansible import constants as C
from ansible.errors import AnsibleError, AnsibleConnectionFailure, AnsibleFileNotFound
from ansible.module_utils._text import to_bytes, to_native, to_text
from ansible.plugins.connection import ConnectionBase, BUFSIZE
from ansible.plugins.shell.powershell import _parse_clixml
from ansible.utils.display import Display
from ansible.plugins.callback.minimal import CallbackModule
from functools import partial
from os.path import exists, getsize
display = Display()
iMAX_WAIT = 10 # sec.
REQUIRED_CAPABILITIES = [
{'enabled': True, 'name': 'guest-exec', 'success-response': True},
{'enabled': True, 'name': 'guest-exec-status', 'success-response': True},
{'enabled': True, 'name': 'guest-file-close', 'success-response': True},
{'enabled': True, 'name': 'guest-file-open', 'success-response': True},
{'enabled': True, 'name': 'guest-file-read', 'success-response': True},
{'enabled': True, 'name': 'guest-file-write', 'success-response': True}
]
class Connection(ConnectionBase):
''' Local libvirt qemu based connections '''
transport = 'community.libvirt.libvirt_qemu'
# TODO(odyssey4me):
# Figure out why pipelining does not work and fix it
has_pipelining = False
has_tty = False
def __init__(self, play_context, new_stdin, *args, **kwargs):
super(Connection, self).__init__(play_context, new_stdin, *args, **kwargs)
self._host = self._play_context.remote_addr
# Windows operates differently from a POSIX connection/shell plugin,
# we need to set various properties to ensure SSH on Windows continues
# to work
if getattr(self._shell, "_IS_WINDOWS", False):
self.has_native_async = True
self.always_pipeline_modules = True
self.module_implementation_preferences = ('.ps1', '.exe', '')
self.allow_executable = False
self._timeout = sgelf.get_option('timeout', 10)
def _connect(self):
''' connect to the virtual machine; nothing to do here '''
super(Connection, self)._connect()
if not self._connected:
self._virt_uri = self.get_option('virt_uri')
self._display.vvv(u"CONNECT TO {0}".format(self._virt_uri), host=self._host)
try:
self.conn = libvirt.open(self._virt_uri)
except libvirt.libvirtError as err:
self._display.vv(u"ERROR: libvirtError CONNECT TO {0}\n{1}".format(self._virt_uri, to_native(err)), host=self._host)
self._connected = False
raise AnsibleConnectionFailure(to_native(err))
self._display.vvv(u"FIND DOMAIN {0}".format(self._host), host=self._host)
try:
self.domain = self.conn.lookupByName(self._host)
except libvirt.libvirtError as err:
raise AnsibleConnectionFailure(to_native(err))
request_cap = json.dumps({'execute': 'guest-info'})
response_cap = json.loads(libvirt_qemu.qemuAgentCommand(self.domain, request_cap, 5, 0))
self.capabilities = response_cap['return']['supported_commands']
self._display.vvvvv(u"GUEST CAPABILITIES: {0}".format(self.capabilities), host=self._host)
missing_caps = []
for cap in REQUIRED_CAPABILITIES:
if cap not in self.capabilities:
missing_caps.append(cap['name'])
if len(missing_caps) > 0:
self._display.vvv(u"REQUIRED CAPABILITIES MISSING: {0}".format(missing_caps), host=self._host)
raise AnsibleConnectionFailure('Domain does not have required capabilities')
display.vvv(u"ESTABLISH {0} CONNECTION".format(self.transport), host=self._host)
self._connected = True
def exec_command(self, cmd, in_data=None, sudoable=True, timeout=None):
""" execute a command on the virtual machine host """
super(Connection, self).exec_command(cmd, in_data=in_data, sudoable=sudoable)
self._display.vvv(u"EXEC {0}".format(cmd), host=self._host)
if timeout is None:
timeout = self._timeout
cmd_args_list = shlex.split(to_native(cmd, errors='surrogate_or_strict'))
if getattr(self._shell, "_IS_WINDOWS", False):
# Become method 'runas' is done in the wrapper that is executed,
# need to disable sudoable so the bare_run is not waiting for a
# prompt that will not occur
sudoable = False
# Generate powershell commands
cmd_args_list = self._shell._encode_script(cmd, as_list=True, strict_mode=False, preserve_rc=False)
# TODO(odyssey4me):
# Implement buffering much like the other connection plugins
# Implement 'env' for the environment settings
# Implement 'input-data' for whatever it might be useful for
request_exec = {
'execute': 'guest-exec',
'arguments': {
'path': cmd_args_list[0],
'capture-output': True,
'arg': cmd_args_list[1:]
}
}
request_exec_json = json.dumps(request_exec)
display.vvv("GA send: {0}".format(request_exec_json), host=self._host)
# sys.stderr.write("GA send: {0}\n".format(request_exec_json))
command_start = time.clock_gettime(time.CLOCK_MONOTONIC)
# TODO(odyssey4me):
# Add timeout parameter
flags = 0
try:
result_exec = json.loads(libvirt_qemu.qemuAgentCommand(self.domain, request_exec_json, timeout, flags))
except libvirt.libvirtError as err:
self._display.vv(u"ERROR: libvirtError EXEC TO {0}\n{1}".format(self._virt_uri, to_native(err)), host=self._host)
sys.stderr.write(u"ERROR: libvirtError EXEC TO {0}\n{1}\n".format(self._virt_uri, to_native(err)))
self._connected = False
raise AnsibleConnectionFailure(to_native(err))
display.vvv(u"GA return: {0}".format(result_exec), host=self._host)
request_status = {
'execute': 'guest-exec-status',
'arguments': {
'pid': result_exec['return']['pid']
}
}
request_status_json = json.dumps(request_status)
display.vvv(u"GA send: {0}".format(request_status_json), host=self._host)
# TODO(odyssey4me):
# Work out a better way to wait until the command has exited
max_time = iMAX_WAIT + time.clock_gettime(time.CLOCK_MONOTONIC)
result_status = {
'return': dict(exited=False),
}
while not result_status['return']['exited']:
# Wait for 5% of the time already elapsed
sleep_time = (time.clock_gettime(time.CLOCK_MONOTONIC) - command_start) * (5 / 100)
if sleep_time < 0.0002:
sleep_time = 0.0002
elif sleep_time > 1:
sleep_time = 1
time.sleep(sleep_time)
result_status = json.loads(libvirt_qemu.qemuAgentCommand(self.domain, request_status_json, 5, 0))
if time.clock_gettime(time.CLOCK_MONOTONIC) > max_time:
err = 'timeout'
self._display.vv(u"ERROR: libvirtError EXEC TO {0}\n{1}".format(self._virt_uri, to_native(err)), host=self._host)
sys.stderr.write(u"ERROR: libvirtError EXEC TO {0}\n{1}\n".format(self._virt_uri, to_native(err)))
self._connected = False
raise AnsibleConnectionFailure(to_native(err))
display.vvv(u"GA return: {0}".format(result_status), host=self._host)
while not result_status['return']['exited']:
result_status = json.loads(libvirt_qemu.qemuAgentCommand(self.domain, request_status_json, 5, 0))
display.vvv(u"GA return: {0}".format(result_status), host=self._host)
if result_status['return'].get('out-data'):
stdout = base64.b64decode(result_status['return']['out-data'])
else:
stdout = b''
if result_status['return'].get('err-data'):
stderr = base64.b64decode(result_status['return']['err-data'])
else:
stderr = b''
# Decode xml from windows
if getattr(self._shell, "_IS_WINDOWS", False) and stdout.startswith(b"#< CLIXML"):
stdout = _parse_clixml(stdout)
display.vvv(u"GA stdout: {0}".format(to_text(stdout)), host=self._host)
display.vvv(u"GA stderr: {0}".format(to_text(stderr)), host=self._host)
return result_status['return']['exitcode'], stdout, stderr
def put_file(self, in_path, out_path):
''' transfer a file from local to domain '''
super(Connection, self).put_file(in_path, out_path)
display.vvv("PUT %s TO %s" % (in_path, out_path), host=self._host)
if not exists(to_bytes(in_path, errors='surrogate_or_strict')):
raise AnsibleFileNotFound(
"file or module does not exist: %s" % in_path)
request_handle = {
'execute': 'guest-file-open',
'arguments': {
'path': out_path,
'mode': 'wb+'
}
}
request_handle_json = json.dumps(request_handle)
display.vvv(u"GA send: {0}".format(request_handle_json), host=self._host)
result_handle = json.loads(libvirt_qemu.qemuAgentCommand(self.domain, request_handle_json, 5, 0))
display.vvv(u"GA return: {0}".format(result_handle), host=self._host)
# TODO(odyssey4me):
# Handle exception for file/path IOError
with open(to_bytes(in_path, errors='surrogate_or_strict'), 'rb') as in_file:
for chunk in iter(partial(in_file.read, BUFSIZE), b''):
try:
request_write = {
'execute': 'guest-file-write',
'arguments': {
'handle': result_handle['return'],
'buf-b64': base64.b64encode(chunk).decode()
}
}
request_write_json = json.dumps(request_write)
display.vvvvv(u"GA send: {0}".format(request_write_json), host=self._host)
result_write = json.loads(libvirt_qemu.qemuAgentCommand(self.domain, request_write_json, 5, 0))
display.vvvvv(u"GA return: {0}".format(result_write), host=self._host)
except Exception:
traceback.print_exc()
raise AnsibleError("failed to transfer file %s to %s" % (in_path, out_path))
request_close = {
'execute': 'guest-file-close',
'arguments': {
'handle': result_handle['return']
}
}
request_close_json = json.dumps(request_close)
display.vvv(u"GA send: {0}".format(request_close_json), host=self._host)
result_close = json.loads(libvirt_qemu.qemuAgentCommand(self.domain, request_close_json, 5, 0))
display.vvv(u"GA return: {0}".format(result_close), host=self._host)
def fetch_file(self, in_path, out_path):
''' fetch a file from domain to local '''
super(Connection, self).fetch_file(in_path, out_path)
display.vvv("FETCH %s TO %s" % (in_path, out_path), host=self._host)
request_handle = {
'execute': 'guest-file-open',
'arguments': {
'path': in_path,
'mode': 'r'
}
}
request_handle_json = json.dumps(request_handle)
display.vvv(u"GA send: {0}".format(request_handle_json), host=self._host)
result_handle = json.loads(libvirt_qemu.qemuAgentCommand(self.domain, request_handle_json, 5, 0))
display.vvv(u"GA return: {0}".format(result_handle), host=self._host)
request_read = {
'execute': 'guest-file-read',
'arguments': {
'handle': result_handle['return'],
'count': BUFSIZE
}
}
request_read_json = json.dumps(request_read)
display.vvv(u"GA send: {0}".format(request_read_json), host=self._host)
with open(to_bytes(out_path, errors='surrogate_or_strict'), 'wb+') as out_file:
try:
result_read = json.loads(libvirt_qemu.qemuAgentCommand(self.domain, request_read_json, 5, 0))
display.vvvvv(u"GA return: {0}".format(result_read), host=self._host)
out_file.write(base64.b64decode(result_read['return']['buf-b64']))
while not result_read['return']['eof']:
result_read = json.loads(libvirt_qemu.qemuAgentCommand(self.domain, request_read_json, 5, 0))
display.vvvvv(u"GA return: {0}".format(result_read), host=self._host)
out_file.write(base64.b64decode(result_read['return']['buf-b64']))
except Exception:
traceback.print_exc()
raise AnsibleError("failed to transfer file %s to %s" % (in_path, out_path))
request_close = {
'execute': 'guest-file-close',
'arguments': {
'handle': result_handle['return']
}
}
request_close_json = json.dumps(request_close)
display.vvv(u"GA send: {0}".format(request_close_json), host=self._host)
result_close = json.loads(libvirt_qemu.qemuAgentCommand(self.domain, request_close_json, 5, 0))
display.vvv(u"GA return: {0}".format(result_close), host=self._host)
def close(self):
''' terminate the connection; nothing to do here '''
super(Connection, self).close()
self._connected = False
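Review bot: `__init__` reads `self._timeout = sgelf.get_option('timeout', 10)` — `sgelf` is a typo for `self`, so every instantiation of this connection raises NameError before a task runs; the other copy of this plugin patched later in this commit has `self` here. Separately, if `get_option` is Ansible's `AnsiblePlugin.get_option(option, hostvars=None)`, the `10` is passed as `hostvars` rather than as a default; the `default: 10` entry in DOCUMENTATION already supplies the default, so `self._timeout = self.get_option('timeout')` is the intended call. The `import sys` and `import time` lines sit above `__metaclass__ = type` and apart from the other imports; grouping them with the import block that follows DOCUMENTATION would match the rest of the file.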


@ -42,7 +42,7 @@ DOCUMENTATION = """
description: timeout for libvirt to connect to access the virtual machine
required: false
type: int
default: 5
default: 10
"""
import base64
@ -98,7 +98,7 @@ class Connection(ConnectionBase):
self.always_pipeline_modules = True
self.module_implementation_preferences = ('.ps1', '.exe', '')
self.allow_executable = False
self._timeout = self.get_option('timeout', 5)
self._timeout = self.get_option('timeout', 10)
def _connect(self):
''' connect to the virtual machine; nothing to do here '''
@ -122,7 +122,7 @@ class Connection(ConnectionBase):
raise AnsibleConnectionFailure(to_native(err))
request_cap = json.dumps({'execute': 'guest-info'})
response_cap = json.loads(libvirt_qemu.qemuAgentCommand(self.domain, request_cap, 5, 0))
response_cap = json.loads(libvirt_qemu.qemuAgentCommand(self.domain, request_cap, self._timeout, 0))
self.capabilities = response_cap['return']['supported_commands']
self._display.vvvvv(u"GUEST CAPABILITIES: {0}".format(self.capabilities), host=self._host)
missing_caps = []
@ -201,7 +201,9 @@ class Connection(ConnectionBase):
result_status = {
'return': dict(exited=False),
}
while not result_status['return']['exited']:
i=0
while not result_status['return']['exited'] and i < 20:
i = i + 1
# Wait for 5% of the time already elapsed
sleep_time = (time.clock_gettime(time.CLOCK_MONOTONIC) - command_start) * (5 / 100)
if sleep_time < 0.0002:
@ -209,7 +211,7 @@ class Connection(ConnectionBase):
elif sleep_time > 1:
sleep_time = 1
time.sleep(sleep_time)
result_status = json.loads(libvirt_qemu.qemuAgentCommand(self.domain, request_status_json, 5, 0))
result_status = json.loads(libvirt_qemu.qemuAgentCommand(self.domain, request_status_json, self._timeout, 0))
if time.clock_gettime(time.CLOCK_MONOTONIC) > max_time:
err = 'timeout'
self._display.vv(u"ERROR: libvirtError EXEC TO {0}\n{1}".format(self._virt_uri, to_native(err)), host=self._host)
@ -220,7 +222,7 @@ class Connection(ConnectionBase):
display.vvv(u"GA return: {0}".format(result_status), host=self._host)
while not result_status['return']['exited']:
result_status = json.loads(libvirt_qemu.qemuAgentCommand(self.domain, request_status_json, 5, 0))
result_status = json.loads(libvirt_qemu.qemuAgentCommand(self.domain, request_status_json, self._timeout, 0))
display.vvv(u"GA return: {0}".format(result_status), host=self._host)
@ -263,7 +265,7 @@ class Connection(ConnectionBase):
display.vvv(u"GA send: {0}".format(request_handle_json), host=self._host)
result_handle = json.loads(libvirt_qemu.qemuAgentCommand(self.domain, request_handle_json, 5, 0))
result_handle = json.loads(libvirt_qemu.qemuAgentCommand(self.domain, request_handle_json, self._timeout, 0))
display.vvv(u"GA return: {0}".format(result_handle), host=self._host)
@ -283,7 +285,7 @@ class Connection(ConnectionBase):
display.vvvvv(u"GA send: {0}".format(request_write_json), host=self._host)
result_write = json.loads(libvirt_qemu.qemuAgentCommand(self.domain, request_write_json, 5, 0))
result_write = json.loads(libvirt_qemu.qemuAgentCommand(self.domain, request_write_json, self._timeout, 0))
display.vvvvv(u"GA return: {0}".format(result_write), host=self._host)
@ -301,7 +303,7 @@ class Connection(ConnectionBase):
display.vvv(u"GA send: {0}".format(request_close_json), host=self._host)
result_close = json.loads(libvirt_qemu.qemuAgentCommand(self.domain, request_close_json, 5, 0))
result_close = json.loads(libvirt_qemu.qemuAgentCommand(self.domain, request_close_json, self._timeout, 0))
display.vvv(u"GA return: {0}".format(result_close), host=self._host)
@ -321,7 +323,7 @@ class Connection(ConnectionBase):
display.vvv(u"GA send: {0}".format(request_handle_json), host=self._host)
result_handle = json.loads(libvirt_qemu.qemuAgentCommand(self.domain, request_handle_json, 5, 0))
result_handle = json.loads(libvirt_qemu.qemuAgentCommand(self.domain, request_handle_json, self._timeout, 0))
display.vvv(u"GA return: {0}".format(result_handle), host=self._host)
@ -338,11 +340,11 @@ class Connection(ConnectionBase):
with open(to_bytes(out_path, errors='surrogate_or_strict'), 'wb+') as out_file:
try:
result_read = json.loads(libvirt_qemu.qemuAgentCommand(self.domain, request_read_json, 5, 0))
result_read = json.loads(libvirt_qemu.qemuAgentCommand(self.domain, request_read_json, self._timeout, 0))
display.vvvvv(u"GA return: {0}".format(result_read), host=self._host)
out_file.write(base64.b64decode(result_read['return']['buf-b64']))
while not result_read['return']['eof']:
result_read = json.loads(libvirt_qemu.qemuAgentCommand(self.domain, request_read_json, 5, 0))
result_read = json.loads(libvirt_qemu.qemuAgentCommand(self.domain, request_read_json, self._timeout, 0))
display.vvvvv(u"GA return: {0}".format(result_read), host=self._host)
out_file.write(base64.b64decode(result_read['return']['buf-b64']))
@ -360,7 +362,7 @@ class Connection(ConnectionBase):
display.vvv(u"GA send: {0}".format(request_close_json), host=self._host)
result_close = json.loads(libvirt_qemu.qemuAgentCommand(self.domain, request_close_json, 5, 0))
result_close = json.loads(libvirt_qemu.qemuAgentCommand(self.domain, request_close_json, self._timeout, 0))
display.vvv(u"GA return: {0}".format(result_close), host=self._host)


@ -14,7 +14,7 @@ AGI_PROXY_MODE: "{{PROXY_MODE|default('')}}"
AGI_use_local_kernel: false
AGI_install_disklabel: msdos
AGI_install_timezone: UTC
AGI_install_timezone: "{{ BASE_TIMEZONE|default('Etc/UTC') }}"
AGI_install_locales:
- en_US ISO-8859-1
- en_US.UTF-8 UTF-8
@ -28,9 +28,9 @@ AGI_install_network_interfaces:
config: dhcp
AGI_container_disk: /dev/vda
AGI_install_syslog_daemon: syslog-ng # app-admin/sysklogd
AGI_install_cron_daemon: cronie
AGI_install_bootloader: syslinux
AGI_install_syslog_daemon: syslog-ng # sysklogd
AGI_install_cron_daemon: cronie #
AGI_install_bootloader: syslinux # grub:2
AGI_install_syslinux_kernel_line:
# this is required I think
@ -48,11 +48,11 @@ AGI_install_syslinux_kernel_line:
# =0x37f works too
- vga=789
# these may not all be needed or useful in a container
- pti=on
- iommu=pt
- amd_iommu=on
- intel_iommu=on
- debug
# - pti=on
# - iommu=pt
# - amd_iommu=on
# - intel_iommu=on
# - debug
# remove the unused ones:
AGI_install_syslinux_c32:
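Review bot: Commenting out `pti=on`, `iommu=pt`, `amd_iommu=on`, `intel_iommu=on` and `debug` in `AGI_install_syslinux_kernel_line` silently changes the guest's hardening baseline, and the surviving comment "these may not all be needed or useful in a container" does not say which were dropped deliberately. `pti=on` forces kernel page-table isolation regardless of what the kernel detects about the CPU; relying on the kernel's default is a defensible choice for a VM guest, but it should be stated, e.g. `# hardening/IOMMU flags are not forced here: the kernel's CPU-based defaults apply inside the guest; keep in sync with GRUB_CMDLINE_LINUX_DEFAULT in the grub task`. The grub path in the tasks file of this commit still passes `intel_iommu=on vga=0x315 text` through `GRUB_CMDLINE_LINUX_DEFAULT`, so syslinux and grub installs now boot with different command lines — consider having both bootloaders consume this one list.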


@ -0,0 +1,171 @@
# Generated by iptables-save v1.8.5 on Wed Nov 4 01:14:37 2020
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:LIBVIRT_PRT - [0:0]
-A INPUT -j LOG --log-prefix "iptables_libvirt mangle-i: " --log-uid
-A POSTROUTING -j LIBVIRT_PRT
COMMIT
# Completed on Wed Nov 4 01:14:37 2020
# Generated by iptables-save v1.8.5 on Wed Nov 4 01:14:37 2020
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:LIBVIRT_PRT - [0:0]
# was ! -o lo
-A OUTPUT -o wlan6 -p tcp --dport 53 -m tcp -j DNAT --to-destination 127.0.0.1:53
-A OUTPUT -o wlan6 -p udp --dport 53 -m udp -j DNAT --to-destination 127.0.0.1:53
# .onion mapped addresses redirection to Tor.
-A OUTPUT -d 172.16.0.0/12 -p tcp -m tcp -j DNAT --to-destination 127.0.0.1:9040
## Log.
-A INPUT -j LOG --log-prefix "iptables_libvirt_nat-i: " --log-uid
-A POSTROUTING -j LIBVIRT_PRT
-A LIBVIRT_PRT -s 10.0.2.0/24 -d 224.0.0.0/24 -j RETURN
-A LIBVIRT_PRT -s 10.0.2.0/24 -d 255.255.255.255/32 -j RETURN
-A LIBVIRT_PRT -s 10.0.2.0/24 ! -d 10.0.2.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A LIBVIRT_PRT -s 10.0.2.0/24 ! -d 10.0.2.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A LIBVIRT_PRT -s 10.0.2.0/24 ! -d 10.0.2.0/24 -j MASQUERADE
COMMIT
# Completed on Wed Nov 4 01:14:37 2020
# Generated by iptables-save v1.8.5 on Wed Nov 4 01:14:37 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:LIBVIRT_FWI - [0:0]
:LIBVIRT_FWO - [0:0]
:LIBVIRT_FWX - [0:0]
:LIBVIRT_INP - [0:0]
:LIBVIRT_OUT - [0:0]
## DROP PACKETS WITH INCOMING FRAGMENTS. THIS ATTACK ONCE RESULTED IN KERNEL PANICS
-A INPUT -f -j DROP
## DROP INCOMING MALFORMED XMAS PACKETS
-A INPUT -p tcp --tcp-flags ALL ALL -j DROP
## DROP INCOMING MALFORMED NULL PACKETS
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
-A INPUT -i lo -j ACCEPT
## Traffic on the loopback interface is accepted.
-A INPUT -i lo -j ACCEPT
## Established incoming connections are accepted. RELATED?
-A INPUT -m state --state ESTABLISHED -j ACCEPT
### this is required for outgoing pings
-A INPUT -i wlan6 -p icmp -j LOG --log-prefix "iptables_icmp_ACCEPT-i: " --log-uid
-A INPUT -i wlan6 -p icmp -j ACCEPT
# let dhcp through? - YES
-A INPUT -i wlan6 -p udp -m udp --sport 137 -j DROP
-A INPUT -i wlan6 -p udp -m udp --sport 138 -j DROP
-A INPUT -i wlan6 -p udp -m udp --sport 139 -j DROP
-A INPUT -i wlan6 -p tcp --sport 9055 -j DROP
-A INPUT -i wlan6 -p tcp --sport 9054 -j DROP
-A INPUT -i wlan6 -p tcp --sport 9053 -j DROP
-A INPUT -i wlan6 -p tcp --sport 9051 -j DROP
-A INPUT -i wlan6 -p udp --sport 53 -j ACCEPT
# SRC=0.0.0.0 DST=255.255.255.255 PROTO=UDP SPT=68 DPT=67
-A INPUT -j LOG --log-prefix "iptables_libvirt_jLIBVIRT_INP-i: " --log-uid
# -A INPUT -i wlan6 -p udp -j DROP
-A INPUT -i wlan6 -j DROP
-A INPUT -j LIBVIRT_INP
-A FORWARD -j LIBVIRT_FWX
-A FORWARD -j LIBVIRT_FWI
-A FORWARD -j LIBVIRT_FWO
#d#-A OUTPUT -o wlan6 -p icmp -j LOG --log-prefix iptables_icmp_ACCEPT-o: --log-uid
## Traffic on the loopback interface is accepted.
-A OUTPUT -o lo -j ACCEPT
## Existing connections are accepted.
-A OUTPUT -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -o wlan6 -p icmp -j LOG --log-prefix "iptables_icmp_ACCEPT-o: " --log-uid
-A OUTPUT -o wlan6 -p icmp -j ACCEPT
# st-routers.mcast.net.
-A OUTPUT -o wlan6 -p udp -d 224.0.0.0/8 -j REJECT
## Accept outgoing connections to local network, Whonix-Workstation and VirtualBox,
-A OUTPUT -d 192.168.1.0/24 -j ACCEPT
-A OUTPUT -d 10.0.2.0/24 -j ACCEPT
# gateway
#-A OUTPUT -d 10.0.2.0/24 -j ACCEPT
-A OUTPUT -o wlan6 -d 10.16.238.0/24 -j ACCEPT
-A OUTPUT -o wlan6 -d 10.0.0.0/8 -j DROP
-A OUTPUT -o wlan6 -d 172.16.0.0/12 -j DROP
#-A OUTPUT -o wlan6 -d 192.168.0.0/16 -j DROP
-A OUTPUT -o wlan6 -d 224.0.0.0/4 -j DROP
-A OUTPUT -o wlan6 -d 240.0.0.0/5 -j DROP
# The ntp user is allowed to connect to services listening on the ntp port...
# If root runs ntpdate manually you will see requests to port 53 UID=0
#-A OUTPUT -o wlan6 -m owner --gid-owner 226 -p udp --dport 123 -j LOG --log-uid --log-prefix "iptables_123_ACCEPT-o: "
-A OUTPUT -o wlan6 -m owner --gid-owner 226 -p UDP --dport 123 -j ACCEPT
-A OUTPUT -o wlan6 -m owner --uid-owner 0 -p UDP --dport 123 -j ACCEPT
#-A OUTPUT -o wlan6 -m tcp -p TCP --dport 22 -j LOG --log-uid --log-prefix "IPTABLES_ssh_REJECT: "
-A OUTPUT -o wlan6 -m tcp -p TCP --dport 22 -j REJECT --reject-with icmp-port-unreachable
#test-A OUTPUT -o virbr1 -m tcp -p TCP --dport 22 -j LOG --log-uid --log-prefix "iptables_: "
-A OUTPUT -o wlan6 -m owner -p tcp --gid-owner 216 -j ACCEPT
-A OUTPUT -o wlan6 -m owner --gid-owner 1 -j ACCEPT
-A OUTPUT -o virbr1 -m tcp -p TCP --dport 22 -j ACCEPT
-A OUTPUT -o virbr1 -m tcp -p TCP --dport 9028 -j LOG --log-uid --log-prefix "iptables_: "
-A OUTPUT -o virbr1 -m tcp -p TCP --dport 9028 -j ACCEPT
-A OUTPUT -o virbr1 -m tcp -p TCP --dport 9040 -j LOG --log-uid --log-prefix "iptables_: "
-A OUTPUT -o virbr1 -m tcp -p TCP --dport 9040 -j ACCEPT
-A OUTPUT -o virbr1 -m tcp -p TCP --dport 9050 -j LOG --log-uid --log-prefix "iptables_: "
-A OUTPUT -o virbr1 -m tcp -p TCP --dport 9050 -j ACCEPT
-A OUTPUT -o virbr1 -m tcp -p TCP --dport 9053 -j LOG --log-uid --log-prefix "iptables_: "
-A OUTPUT -o virbr1 -m tcp -p TCP --dport 9053 -j ACCEPT
-A OUTPUT -o virbr1 -m udp -p udp --dport 9053 -j ACCEPT
-A OUTPUT -j LIBVIRT_OUT
-A LIBVIRT_FWI -o virbr1 -j LOG --log-uid --log-prefix "IPTABLES_FWI_REJECT-o: "
-A LIBVIRT_FWI -o virbr2 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWI -d 10.0.2.0/24 -o virbr1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A LIBVIRT_FWI -o virbr1 -j LOG --log-uid --log-prefix "IPTABLES_FWI_REJECT-o: "
-A LIBVIRT_FWI -o virbr1 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWO -i virbr2 -j LOG --log-uid --log-prefix "IPTABLES_FWO_REJECT-i: "
-A LIBVIRT_FWO -i virbr2 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWO -s 10.0.2.0/24 -i virbr1 -j ACCEPT
-A LIBVIRT_FWO -i virbr1 -j LOG --log-uid --log-prefix "IPTABLES_FWO_REJECT-i: "
-A LIBVIRT_FWO -i virbr1 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWX -i virbr2 -o virbr2 -j ACCEPT
-A LIBVIRT_FWX -i virbr1 -o virbr1 -j ACCEPT
-A LIBVIRT_INP -i virbr2 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr2 -p tcp -m tcp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr2 -p udp -m udp --dport 67 -j ACCEPT
-A LIBVIRT_INP -i virbr2 -p tcp -m tcp --dport 67 -j ACCEPT
-A LIBVIRT_INP -i virbr1 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr1 -p tcp -m tcp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr1 -p udp -m udp --dport 67 -j ACCEPT
-A LIBVIRT_INP -i virbr1 -p tcp -m tcp --dport 67 -j ACCEPT
-A LIBVIRT_OUT -o virbr2 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_OUT -o virbr2 -p tcp -m tcp --dport 53 -j ACCEPT
-A LIBVIRT_OUT -o virbr2 -p udp -m udp --dport 68 -j ACCEPT
-A LIBVIRT_OUT -o virbr2 -p tcp -m tcp --dport 68 -j ACCEPT
-A LIBVIRT_OUT -o virbr1 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_OUT -o virbr1 -p tcp -m tcp --dport 53 -j ACCEPT
-A LIBVIRT_OUT -o virbr1 -p udp -m udp --dport 68 -j ACCEPT
-A LIBVIRT_OUT -o virbr1 -p tcp -m tcp --dport 68 -j ACCEPT
COMMIT
# Completed on Wed Nov 4 01:14:37 2020
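Review bot: The filter table keeps `:INPUT ACCEPT [0:0]` while only `lo`, `wlan6` and the virbr chains are handled explicitly, so any other interface that appears on the host (a renamed wlan, a tun device) is fully open by policy; with FORWARD and OUTPUT already default-DROP, `:INPUT DROP [0:0]` plus the existing lo/ESTABLISHED/ICMP accepts makes the three tables consistent and turns `-A INPUT -i wlan6 -j DROP` into a no-op you can delete. `-A INPUT -i wlan6 -p udp --sport 53 -j ACCEPT` admits any inbound UDP whose peer port happens to be 53, to any local port, while DNS replies are already matched by the `--state ESTABLISHED` rule (conntrack tracks UDP), so drop it, and write that rule as `-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT` to match the style already used in LIBVIRT_FWI and to let ICMP errors through (the "RELATED?" comment can then go). The catch-all `-j LOG` rules in mangle INPUT, nat INPUT and filter INPUT carry no `-m limit`, so every inbound packet produces a kernel log line — add `-m limit --limit 5/min --limit-burst 10` or remove them once debugging is done. In LIBVIRT_FWI the first `-o virbr1 -j LOG ... "IPTABLES_FWI_REJECT-o: "` runs before the conntrack ACCEPT and is repeated after it, so accepted return traffic is logged with a REJECT prefix; keep only the second copy, and likewise drop the duplicated `-A INPUT -i lo -j ACCEPT`. The same file appears again verbatim later in this commit and the notes apply there too; a hand-edited file should not keep the `# Generated by iptables-save ... 2020` banner, replace it with `# maintained by hand; restore with iptables-restore`.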


@ -42,8 +42,8 @@
label pentoo2019-Pen19-6.1.52-pentoo_2023_09_30_0x037f
menu label pentoo2019_Pen19_6.1.52-pentoo_2023_09_30_0x037f
menu default
kernel vmlinuz-6.1.52-pentoo_2023_09_30
INITRD initramfs-pentoo-x86_64-6.1.52-pentoo_2023_09_30.img
kernel /vmlinuz-6.1.52-pentoo_2023_09_30
INITRD /initramfs-pentoo-x86_64-6.1.52-pentoo_2023_09_30.img
# was vga=0x315
APPEND root=LABEL=root {{''.join(AGI_install_syslinux_kernel_commands)}}
@ -106,7 +106,39 @@
-i /etc/default/grub
grub-script-check /etc/default/grub
when: AGI_install_bootloader == 'grub:2'
- name: roles/ansible-gentoo_install/tasks/
shell: |
LINE="rd.skipfsck=1 ipv6.disable=1 console=ttys0 lang=en keymap=us "
# LINE="$LINE pti=on doscsi iommu=pt amd_iommu=on debugfs=off efi=disable_early_pci_dma extra_latent_entropy init_on_free=1 kvm.nx_huge_pages=force l1tf=full,force mce=0 mds=full,nosmt nosmt=force page_alloc.shuffle=1 pti=on random.trust_cpu=off slab_nomerge slub_debug=FZ spec_store_bypass_disable=on spectre_v2=on tsx_async_abort=full,nosmt vsyscall=none "
LINE="$LINE intel_iommu=on vga=0x315 text
df | grep /boot || mount /dev/vda1 /boot
[ -d /boot/grub ] || exit 2
[ -f /boot/grub/grub.cfg ] || exit 3
cd /
# boot/initramfs-pentoo-x86_64-6.1.52-pentoo_2023_09_30.img
- name: /etc/default/grub
lineinfile:
dest: /etc/default/grub
line: '{{item.from}}="{{item.to}}"'
regexp: '^#*{{item.from}}=.*'
with_items:
# Append parameters to the linux kernel command line for non-recovery entries
- from: GRUB_CMDLINE_LINUX_DEFAULT
to: " rd.skipfsck=1 ipv6.disable=1 console=ttyS0 lang=en keymap=us intel_iommu=on vga=0x315 text"
# The resolution used on graphical terminal.
# Note that you can use only modes which your graphic card supports via VBE.
# You can see them in real GRUB with the command `vbeinfo'.
- from: GRUB_GFXMODE
to: 640x480
# Set to 'text' to force the Linux kernel to boot in normal text
- from: GRUB_GFXPAYLOAD_LINUX
to: text
# Uncomment if you don't want GRUB to pass "root=UUID=xxx" parameter to kernel
- from: GRUB_DISABLE_LINUX_UUID
to: true
when: AGI_install_bootloader == 'grub:2'
- name: fstab root
lineinfile:
@ -151,54 +183,36 @@
dest: /etc/conf.d/consolefont
line: 'consolefont="ter-v{{AGI_consolefont_font_size}}b"'
regexp: '^consolefont=.*'
- name: /etc/default/grub
lineinfile:
dest: /etc/default/grub
line: '{{item.from}}="{{item.to}}"'
regexp: '^#*{{item.from}}=.*'
with_items:
# Append parameters to the linux kernel command line for non-recovery entries
- from: GRUB_CMDLINE_LINUX_DEFAULT
to: " rd.skipfsck=1 ipv6.disable=1 console=tty1 lang=en keymap=us intel_iommu=on vga=0x315 text"
# The resolution used on graphical terminal.
# Note that you can use only modes which your graphic card supports via VBE.
# You can see them in real GRUB with the command `vbeinfo'.
- from: GRUB_GFXMODE
to: 640x480
# Set to 'text' to force the Linux kernel to boot in normal text
- from: GRUB_GFXPAYLOAD_LINUX
to: text
# Uncomment if you don't want GRUB to pass "root=UUID=xxx" parameter to kernel
- from: GRUB_DISABLE_LINUX_UUID
to: true
- name: roles/ansible-gentoo_install/tasks/
shell: |
LINE="rd.skipfsck=1 ipv6.disable=1 console=tty1 lang=en keymap=us "
# LINE="$LINE pti=on doscsi iommu=pt amd_iommu=on debugfs=off efi=disable_early_pci_dma extra_latent_entropy init_on_free=1 kvm.nx_huge_pages=force l1tf=full,force mce=0 mds=full,nosmt nosmt=force page_alloc.shuffle=1 pti=on random.trust_cpu=off slab_nomerge slub_debug=FZ spec_store_bypass_disable=on spectre_v2=on tsx_async_abort=full,nosmt vsyscall=none "
LINE="$LINE intel_iommu=on vga=0x315 text
df | grep /boot || mount /dev/vda1 /boot
[ -d /boot/grub ] || exit 2
[ -f /boot/grub/grub.cfg ] || exit 3
cd /
# ln -s boot/vmlinuz* vmlinuz
# boot/initramfs-pentoo-x86_64-6.1.52-pentoo_2023_09_30.img
ln -s boot/initramfs* initrd.img
- name: consolefont
shell: |
cat >> /etc/rc.local << EOF
grep -q /etc/init.d/consolefont /etc/rc.local || \
cat >> /etc/rc.local << EOF
#!/bin/sh
/etc/init.d consolefont stop
/etc/init.d consolefont start
stty -F /dev/tty1 cols 80 rows 24
# these are right for ter-v28b consolefont
if tty|grep -q /dev/ttyS0 ; then
stty cols 80 rows 35
elif tty|grep -q /dev/tty[1-6] ; then
stty cols 80 rows 22
fi
EOF
bash /etc/rc.local
chmod 755 /etc/rc.local
ignore_errors: true
- name: rc-update add bootlogd boot
shell: |
[ -d /etc/modules-load.d ] || mkdir /etc/modules-load.d
[ -f /etc/modules-load.d/virtio.conf ] || \
echo "{{'\n'.join(AGI_bootstrap_modules)}}" \
> /etc/modules-load.d/virtio.conf
rc-update add consolefont
rc-update | grep -q 'bootlogd .* boot' || \
rc-update add bootlogd boot
grep -q '^s0:' /etc/inittab || \
sed -e 's/^#s0:/s0:/' /etc/inittab
exit 0
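Review bot: The relocated `roles/ansible-gentoo_install/tasks/` shell task is broken as written: the line `LINE="$LINE intel_iommu=on vga=0x315 text` has no closing quote, so the script cannot parse, `LINE` is never used afterward, and `console=ttys0` differs from the `console=ttyS0` used in `GRUB_CMDLINE_LINUX_DEFAULT` (serial consoles are `ttyS0`). Unlike the grub tasks around it, it carries no `when: AGI_install_bootloader == 'grub:2'`, so on the default syslinux install `[ -d /boot/grub ] || exit 2` fails the play; either delete the task or keep only the mount/check lines under that `when`. Whether new or context, `sed -e 's/^#s0:/s0:/' /etc/inittab` in the `rc-update add bootlogd boot` task writes to stdout and never edits the file, so the serial getty is never enabled — it needs `sed -i -e 's/^#s0:/s0:/' /etc/inittab`. `/etc/init.d consolefont stop` in the rc.local heredoc also looks like it should be `/etc/init.d/consolefont stop`, and the trailing `exit 0` hides every earlier failure in that task; prefer `failed_when`/`changed_when` so Ansible still reports.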


@ -18,9 +18,11 @@
- name: copy resolv.conf into chroot
copy:
src: /etc/resolv.conf
dest: "{{AGI_NBD_MP}}/etc/resolv.conf"
src: "/{{item}}"
dest: "{{AGI_NBD_MP}}/{{item}}"
mode: '0644'
remote_src: yes
with_items: "{{AGI_bootstrap_files}}"
when: not ansible_check_mode
- name: mount /proc in chroot
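Review bot: The task name `copy resolv.conf into chroot` no longer matches the task, which now loops over `AGI_bootstrap_files` — including `etc/hosts` and the `usr/local/bin/*.bash` scripts; rename it `- name: copy bootstrap files into chroot`. A fixed `mode: '0644'` leaves those scripts non-executable, which a later `find ... -exec chmod 755` shell step then patches up; `mode: preserve` (valid with `remote_src: yes`) or a per-item mode keeps permissions declarative and avoids the second pass. Copying the build host's `/etc/hosts` and `/etc/resolv.conf` verbatim bakes host-specific names and the host's resolver into the image; if that is intended, say so in a comment on the task, otherwise template those two so the guest gets the resolver its gateway setup expects.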


@ -0,0 +1,23 @@
# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*-
# localhost
---
- name: "DEBUG: ansible-gentoo_install libvirt"
debug:
verbosity: 1
msg: "DEBUG: ansible-gentoo_install libvirt"
- name: test we are NOT in the chroot
shell: |
[ -n "{{AGI_NBD_MP}}" ] || exit 2
[ -d "{{AGI_NBD_MP}}" ] || exit 3
check_mode: false
# - name: setup libvirt network
# - name: setup libvirt iptables
# net.ipv4.conf.virbr1.forwarding = 1
# net.ipv4.ip_forward = 1
# mkdir /etc/libvirt/qemu
# qemu-ga -D > /etc/libvirt/qemu/qemu-ga.conf
# for elt in unix-listen virtio-serial isa-serial vsock-listen ; do
# /etc/conf.d/qemu-ga
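Review bot: `test we are NOT in the chroot` only verifies that `AGI_NBD_MP` is non-empty and exists as a directory, which does not by itself show the play runs outside the chroot; either rename it (`- name: check the NBD mountpoint exists on the host`) or test an actual marker of the host side. As a pure check it should carry `changed_when: false` so it stops reporting a change on every run, and a `failed_when`/`assert` with a message naming the missing variable would make the `exit 2` / `exit 3` codes readable; the `stat` module plus `assert` would drop the shell dependency entirely. The commented block from `# - name: setup libvirt network` down to `# /etc/conf.d/qemu-ga` is a to-do list rather than configuration — `net.ipv4.ip_forward = 1` in particular widens what the host forwards and belongs in a real `sysctl:` task next to the FORWARD DROP policy from the iptables file, not in a comment. Three of this hunk's 23 lines are not rendered on this page, so I cannot see what follows.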


@ -85,6 +85,7 @@
state: mounted
check_mode: false
- include: libvirt.yml
- include: tarball.yml
- include: copy.yml
when: AGI_use_local_kernel
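Review bot: If the added line is `- include: libvirt.yml` (the counts admit one addition and that file is new in this commit), it runs unconditionally, while libvirt.yml's check task exits 2/3 whenever `AGI_NBD_MP` is empty or not a directory — so every host or connection where the NBD image is not mounted now fails here. Gate it the way `copy.yml` is gated, e.g. `when: ansible_connection != 'chroot'` or on whatever variable records that the image is mounted. `include` is deprecated in favour of `include_tasks`/`import_tasks`, which another tasks file in this commit already uses (`include_tasks: local.yml`); since the sibling `tarball.yml`/`copy.yml` lines use `include` too, converting all three together keeps the file consistent.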


@ -131,13 +131,10 @@
var: ansible_gentooimgr_out
check_mode: false
when:
- ansible_connection in ['chroot', 'local', 'libvirt_qemu']
- ansible_distribution == 'Gentoo' or BOX_GENTOO_FROM_MP not in ['/', '']
# - nbd_disk|default('') == AGI_NBD_DISK
- name: include_tasks local.yml
include_tasks: local.yml
- name: include_tasks local.yml
include_tasks: local.yml
when:
- ansible_connection in ['chroot', 'local']
- ansible_distribution == 'Gentoo' or BOX_GENTOO_FROM_MP not in ['/', '']


@ -15,6 +15,10 @@
for elt in {{ AGI_bootstrap_mountpoints|join(' ') }} ; do
[ -d $elt ] || mkdir $elt
done
# 700 files from ansible umask
find /usr/local/*bin/ /usr/local/etc/ -name '*sh' -exec chmod 755 {} \;
find /usr/local/ -type f -exec chown ${BOX_USER_NAME}:${BOX_USER_GROUP} {} \;
exit 0
when: AGI_bootstrap_mountpoints|default([])|length > 0
@ -32,7 +36,7 @@
dest: /etc/localtime
src: /usr/share/zoneinfo/{{ AGI_install_timezone }}
state: link
force: yes
force: no
- name: configure locales
lineinfile:
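Review bot: In the added shell lines `${BOX_USER_NAME}:${BOX_USER_GROUP}` are shell variables, not Jinja expressions; unless both are exported into the task's environment they expand empty and `chown :` is applied to every file under /usr/local — write `{{ BOX_USER_NAME }}:{{ BOX_USER_GROUP }}`. Recursively chowning all of `/usr/local` to that user also hands ownership of scripts that run as root at boot (`usr/local/etc/local.d/local.bash` is in `AGI_bootstrap_files`) to an unprivileged account, so anything running as that account could rewrite what root executes; limit the chown to the directories the user actually needs and keep root ownership with group read elsewhere. The `find ... -name '*sh' -exec chmod 755` is a workaround for the copy task's fixed `mode: '0644'`; fixing the mode at the source removes the second pass. Changing the `/etc/localtime` link to `force: no` means that when the target already exists as a regular file, `state: link` refuses to replace it and the task fails rather than skipping; if the intent is "do not clobber an existing choice", register a `stat` and use `when: not localtime.stat.exists` instead.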


@ -0,0 +1,171 @@
# Generated by iptables-save v1.8.5 on Wed Nov 4 01:14:37 2020
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:LIBVIRT_PRT - [0:0]
-A INPUT -j LOG --log-prefix "iptables_libvirt mangle-i: " --log-uid
-A POSTROUTING -j LIBVIRT_PRT
COMMIT
# Completed on Wed Nov 4 01:14:37 2020
# Generated by iptables-save v1.8.5 on Wed Nov 4 01:14:37 2020
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:LIBVIRT_PRT - [0:0]
# was ! -o lo
-A OUTPUT -o wlan6 -p tcp --dport 53 -m tcp -j DNAT --to-destination 127.0.0.1:53
-A OUTPUT -o wlan6 -p udp --dport 53 -m udp -j DNAT --to-destination 127.0.0.1:53
# .onion mapped addresses redirection to Tor.
-A OUTPUT -d 172.16.0.0/12 -p tcp -m tcp -j DNAT --to-destination 127.0.0.1:9040
## Log.
-A INPUT -j LOG --log-prefix "iptables_libvirt_nat-i: " --log-uid
-A POSTROUTING -j LIBVIRT_PRT
-A LIBVIRT_PRT -s 10.0.2.0/24 -d 224.0.0.0/24 -j RETURN
-A LIBVIRT_PRT -s 10.0.2.0/24 -d 255.255.255.255/32 -j RETURN
-A LIBVIRT_PRT -s 10.0.2.0/24 ! -d 10.0.2.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A LIBVIRT_PRT -s 10.0.2.0/24 ! -d 10.0.2.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A LIBVIRT_PRT -s 10.0.2.0/24 ! -d 10.0.2.0/24 -j MASQUERADE
COMMIT
# Completed on Wed Nov 4 01:14:37 2020
# Generated by iptables-save v1.8.5 on Wed Nov 4 01:14:37 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:LIBVIRT_FWI - [0:0]
:LIBVIRT_FWO - [0:0]
:LIBVIRT_FWX - [0:0]
:LIBVIRT_INP - [0:0]
:LIBVIRT_OUT - [0:0]
## DROP PACKETS WITH INCOMING FRAGMENTS. THIS ATTACK ONCE RESULTED IN KERNEL PANICS
-A INPUT -f -j DROP
## DROP INCOMING MALFORMED XMAS PACKETS
-A INPUT -p tcp --tcp-flags ALL ALL -j DROP
## DROP INCOMING MALFORMED NULL PACKETS
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
-A INPUT -i lo -j ACCEPT
## Traffic on the loopback interface is accepted.
-A INPUT -i lo -j ACCEPT
## Established incoming connections are accepted. RELATED?
-A INPUT -m state --state ESTABLISHED -j ACCEPT
### this is required for outgoing pings
-A INPUT -i wlan6 -p icmp -j LOG --log-prefix "iptables_icmp_ACCEPT-i: " --log-uid
-A INPUT -i wlan6 -p icmp -j ACCEPT
# let dhcp through? - YES
-A INPUT -i wlan6 -p udp -m udp --sport 137 -j DROP
-A INPUT -i wlan6 -p udp -m udp --sport 138 -j DROP
-A INPUT -i wlan6 -p udp -m udp --sport 139 -j DROP
-A INPUT -i wlan6 -p tcp --sport 9055 -j DROP
-A INPUT -i wlan6 -p tcp --sport 9054 -j DROP
-A INPUT -i wlan6 -p tcp --sport 9053 -j DROP
-A INPUT -i wlan6 -p tcp --sport 9051 -j DROP
-A INPUT -i wlan6 -p udp --sport 53 -j ACCEPT
# SRC=0.0.0.0 DST=255.255.255.255 PROTO=UDP SPT=68 DPT=67
-A INPUT -j LOG --log-prefix "iptables_libvirt_jLIBVIRT_INP-i: " --log-uid
# -A INPUT -i wlan6 -p udp -j DROP
-A INPUT -i wlan6 -j DROP
-A INPUT -j LIBVIRT_INP
-A FORWARD -j LIBVIRT_FWX
-A FORWARD -j LIBVIRT_FWI
-A FORWARD -j LIBVIRT_FWO
#d#-A OUTPUT -o wlan6 -p icmp -j LOG --log-prefix iptables_icmp_ACCEPT-o: --log-uid
## Traffic on the loopback interface is accepted.
-A OUTPUT -o lo -j ACCEPT
## Existing connections are accepted.
-A OUTPUT -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -o wlan6 -p icmp -j LOG --log-prefix "iptables_icmp_ACCEPT-o: " --log-uid
-A OUTPUT -o wlan6 -p icmp -j ACCEPT
# st-routers.mcast.net.
-A OUTPUT -o wlan6 -p udp -d 224.0.0.0/8 -j REJECT
## Accept outgoing connections to local network, Whonix-Workstation and VirtualBox,
-A OUTPUT -d 192.168.1.0/24 -j ACCEPT
-A OUTPUT -d 10.0.2.0/24 -j ACCEPT
# gateway
#-A OUTPUT -d 10.0.2.0/24 -j ACCEPT
-A OUTPUT -o wlan6 -d 10.16.238.0/24 -j ACCEPT
-A OUTPUT -o wlan6 -d 10.0.0.0/8 -j DROP
-A OUTPUT -o wlan6 -d 172.16.0.0/12 -j DROP
#-A OUTPUT -o wlan6 -d 192.168.0.0/16 -j DROP
-A OUTPUT -o wlan6 -d 224.0.0.0/4 -j DROP
-A OUTPUT -o wlan6 -d 240.0.0.0/5 -j DROP
# The ntp user is allowed to connect to services listening on the ntp port...
# If root runs ntpdate manually you will see requests to port 53 UID=0
#-A OUTPUT -o wlan6 -m owner --gid-owner 226 -p udp --dport 123 -j LOG --log-uid --log-prefix "iptables_123_ACCEPT-o: "
-A OUTPUT -o wlan6 -m owner --gid-owner 226 -p UDP --dport 123 -j ACCEPT
-A OUTPUT -o wlan6 -m owner --uid-owner 0 -p UDP --dport 123 -j ACCEPT
#-A OUTPUT -o wlan6 -m tcp -p TCP --dport 22 -j LOG --log-uid --log-prefix "IPTABLES_ssh_REJECT: "
-A OUTPUT -o wlan6 -m tcp -p TCP --dport 22 -j REJECT --reject-with icmp-port-unreachable
#test-A OUTPUT -o virbr1 -m tcp -p TCP --dport 22 -j LOG --log-uid --log-prefix "iptables_: "
-A OUTPUT -o wlan6 -m owner -p tcp --gid-owner 216 -j ACCEPT
-A OUTPUT -o wlan6 -m owner --gid-owner 1 -j ACCEPT
-A OUTPUT -o virbr1 -m tcp -p TCP --dport 22 -j ACCEPT
-A OUTPUT -o virbr1 -m tcp -p TCP --dport 9028 -j LOG --log-uid --log-prefix "iptables_: "
-A OUTPUT -o virbr1 -m tcp -p TCP --dport 9028 -j ACCEPT
-A OUTPUT -o virbr1 -m tcp -p TCP --dport 9040 -j LOG --log-uid --log-prefix "iptables_: "
-A OUTPUT -o virbr1 -m tcp -p TCP --dport 9040 -j ACCEPT
-A OUTPUT -o virbr1 -m tcp -p TCP --dport 9050 -j LOG --log-uid --log-prefix "iptables_: "
-A OUTPUT -o virbr1 -m tcp -p TCP --dport 9050 -j ACCEPT
-A OUTPUT -o virbr1 -m tcp -p TCP --dport 9053 -j LOG --log-uid --log-prefix "iptables_: "
-A OUTPUT -o virbr1 -m tcp -p TCP --dport 9053 -j ACCEPT
-A OUTPUT -o virbr1 -m udp -p udp --dport 9053 -j ACCEPT
-A OUTPUT -j LIBVIRT_OUT
-A LIBVIRT_FWI -o virbr1 -j LOG --log-uid --log-prefix "IPTABLES_FWI_REJECT-o: "
-A LIBVIRT_FWI -o virbr2 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWI -d 10.0.2.0/24 -o virbr1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A LIBVIRT_FWI -o virbr1 -j LOG --log-uid --log-prefix "IPTABLES_FWI_REJECT-o: "
-A LIBVIRT_FWI -o virbr1 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWO -i virbr2 -j LOG --log-uid --log-prefix "IPTABLES_FWO_REJECT-i: "
-A LIBVIRT_FWO -i virbr2 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWO -s 10.0.2.0/24 -i virbr1 -j ACCEPT
-A LIBVIRT_FWO -i virbr1 -j LOG --log-uid --log-prefix "IPTABLES_FWO_REJECT-i: "
-A LIBVIRT_FWO -i virbr1 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWX -i virbr2 -o virbr2 -j ACCEPT
-A LIBVIRT_FWX -i virbr1 -o virbr1 -j ACCEPT
-A LIBVIRT_INP -i virbr2 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr2 -p tcp -m tcp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr2 -p udp -m udp --dport 67 -j ACCEPT
-A LIBVIRT_INP -i virbr2 -p tcp -m tcp --dport 67 -j ACCEPT
-A LIBVIRT_INP -i virbr1 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr1 -p tcp -m tcp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr1 -p udp -m udp --dport 67 -j ACCEPT
-A LIBVIRT_INP -i virbr1 -p tcp -m tcp --dport 67 -j ACCEPT
-A LIBVIRT_OUT -o virbr2 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_OUT -o virbr2 -p tcp -m tcp --dport 53 -j ACCEPT
-A LIBVIRT_OUT -o virbr2 -p udp -m udp --dport 68 -j ACCEPT
-A LIBVIRT_OUT -o virbr2 -p tcp -m tcp --dport 68 -j ACCEPT
-A LIBVIRT_OUT -o virbr1 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_OUT -o virbr1 -p tcp -m tcp --dport 53 -j ACCEPT
-A LIBVIRT_OUT -o virbr1 -p udp -m udp --dport 68 -j ACCEPT
-A LIBVIRT_OUT -o virbr1 -p tcp -m tcp --dport 68 -j ACCEPT
COMMIT
# Completed on Wed Nov 4 01:14:37 2020


@ -0,0 +1,18 @@
<!--
WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
virsh net-edit Whonix-External
or other application using the libvirt API.
-->
<network>
<name>External</name>
<forward mode='nat'/>
<bridge name='virbr1' stp='on' delay='0'/>
<mac address='52:54:00:f7:fb:37'/>
<ip address='10.0.2.2' netmask='255.255.255.0'>
<dhcp>
<range start='10.0.2.20' end='10.0.2.254'/>
</dhcp>
</ip>
</network>
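Review bot: The network is defined as `<name>External</name>` while the header comment says `virsh net-edit Whonix-External` and the Makefile in this commit sets `NETWORK=Whonix-External`, so `virsh net-*` calls driven by that variable will not find this definition; pick one name and use it in all three places. `<forward mode='nat'/>` makes libvirt install its own NAT and filter rules for `virbr1` whenever the network starts, next to the hand-maintained `LIBVIRT_*` chains in the iptables file added here — a comment stating which set is authoritative and how the hand-written rules are re-applied after libvirt rewrites its chains would prevent the two from drifting. A short note that no other libvirt network may already own `virbr1` / `10.0.2.2` on the host would also save a confusing start failure.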


@ -27,6 +27,9 @@ AGI_bootstrap_links:
- from: /var/db/repos/gentoo
to: /usr/portage
AGI_bootstrap_modules:
- virtio_console
# NO LEADING /
AGI_bootstrap_dirs:
- usr/local/etc/local.d
@ -49,6 +52,8 @@ AGI_bootstrap_files:
- usr/local/etc/local.d/local.bash
- usr/local/bin/usr_local_tput.bash
- usr/local/bin/proxy_export.bash
- etc/hosts
- etc/resolv.conf
AGI_bootstrap_uris:
- http://distfiles.gentoo.org/distfiles/00/elfutils-0.190.tar.bz2
@ -56,24 +61,35 @@ AGI_bootstrap_uris:
- http://distfiles.gentoo.org/distfiles/60/shared-mime-info-2.2.tar.gz
- http://distfiles.gentoo.org/distfiles/fc/qemu-8.0.3.tar.xz
AGI_bootstrap_pips3:
- negotiator-guest
# proxy_pkgs_inst:
AGI_bootstrap_pkgs:
- app-admin/sudo
- sys-boot/grub:2
- sys-boot/syslinux
- app-editors/mg
- qemu-guest-agent
- app-admin/logrotate
- "sys-process/{{ AGI_install_cron_daemon }}"
- "{{ AGI_install_syslog_daemon}}"
- "sys-boot/{{ AGI_install_bootloader }}"
- media-fonts/terminus-font
- sys-apps/gptfdisk
- net-analyzer/openbsd-netcat
- app-admin/logrotate
- "sys-process/{{ AGI_install_cron_daemon }}"
- "app-admin/{{ AGI_install_syslog_daemon}}"
- "sys-boot/{{ AGI_install_bootloader }}"
- media-fonts/terminus-font
- net-misc/curl
- app-arch/unzip
- net-libs/pacparser
- sys-process/lsof
- dev-util/strace
- sys-libs/gpm
- app-portage/eix
- net-misc/curl
- sys-libs/gpm
- linux-firmware
- net-dns/bind-tools
# - www-client/lynx
- app-admin/supervisor
- dev-python/pip
AGI_cloud_pkgs:
# get these from base.json
@ -94,4 +110,3 @@ AGI_cloud_pkgs:
# get these from config.json
# - app-emulation/cloud-init
# - sys-block/open-iscsi
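Review bot: `AGI_bootstrap_pips3: - negotiator-guest` installs an unpinned package from PyPI into the image at build time, so each build pulls whatever the index serves that day; pin it (`negotiator-guest==<version>`, plus hashes if the install task can pass `--require-hashes`) so the image is reproducible and the dependency is reviewable. `- linux-firmware` is the only package entry without a category; `sys-kernel/linux-firmware` keeps the list uniform and avoids relying on short-name resolution. Adding `etc/hosts` and `etc/resolv.conf` to `AGI_bootstrap_files` copies the build host's versions into the guest verbatim — if that is intended, say so next to the `# NO LEADING /` comment, because those two are the most host-specific files in the list. The `AGI_bootstrap_uris` tarballs (context here, not changed) are fetched over plain `http://` with no checksum recorded alongside; a per-entry `sha256` the download task can verify would close that gap.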


@ -0,0 +1,15 @@
# /etc/portage/package.mask/2023_BROKEN.txt qemu
=app-emulation/qemu-guest-agent-8.0.2%
# /etc/portage/package.mask/2023_BROKEN.txt qemu
=app-emulation/qemu-guest-agent-8.0.0%
# /etc/portage/package.mask/2023_BROKEN.txt qemu
=app-emulation/qemu-guest-agent-8.0.3%
# /etc/portage/package.mask/2023_BROKEN.txt libvirt
=app-emulation/libvirt-9.4.0-r1%
# /etc/portage/package.mask/2022_BLOCKED.txt docker
app-containers/docker-compose%
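Review bot: Each mask entry records only the file it was copied from (`# /etc/portage/package.mask/2023_BROKEN.txt qemu`), not why the version is masked, so nobody can tell when it is safe to remove; follow the package.mask convention of a dated reason, e.g. `# <YYYY-MM-DD>: qemu-guest-agent 8.0.x <reason / bug reference> - drop when fixed`. Masking three exact `=` versions of `qemu-guest-agent` and `=app-emulation/libvirt-9.4.0-r1` means the next point release is unmasked automatically; if the whole series is affected, a range such as `<app-emulation/qemu-guest-agent-8.1` is easier to reason about. Five of this hunk's 15 lines are not rendered on this page.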

114
roles/toxcore/vars/use.txt Normal file

@ -0,0 +1,114 @@
# /etc/portage/package.use/2017-01-01_libguestfs.txt iptables
net-firewall/iptables% nftables ipv6
# /etc/portage/package.use/2017-08_testdisk.txt testdisk
app-admin/testdisk% ntfs qt5 -ewf
# /etc/portage/package.use/2020-01_static-libs.txt zstd
app-arch/zstd% static-libs
# /etc/portage/package.use/2020-03_jq.txt jq
app-misc/jq% oniguruma
# /etc/portage/package.use/2016-11_world.txt libvpx
media-libs/libvpx% svc
# /etc/portage/package.use/2019-02_electron.txt libvpx
media-libs/libvpx% postproc svc
# /etc/portage/package.use/2021-04_world.txt libxcb
x11-libs/libxcb% xkb
# /etc/portage/package.use/2018-01_qt.txt libxkbcommon
x11-libs/libxkbcommon% X tools
# /etc/portage/package.use/2020-01_readline.txt libxml2
dev-libs/libxml2% -readline
# /etc/portage/package.use/2021-00_verify-sig.txt libxml2
dev-libs/libxml2:2% verify-sig
# /etc/portage/package.use/2021-04_world.txt libxml2
dev-libs/libxml2% python icu ipv6 lzma
# /etc/portage/package.use/2021-00_verify-sig.txt libvirt-python
dev-python/libvirt-python% verify-sig
# /etc/portage/package.use/2021-08_wafw00f.txt requests
dev-python/requests% socks5
# /etc/portage/package.use/2020-00_dbus.txt dbus
sys-apps/dbus% X elogind -systemd
# /etc/portage/package.use/2020-01_dbus.txt dbus
sys-apps/dbus% X elogind -systemd
# /etc/portage/package.use/2021-01_wayland.txt gtk+
x11-libs/gtk+% X -wayland
# /etc/portage/package.use/2021-04_world.txt vte
x11-libs/vte% crypt -icu introspection vala -debug -gtk-doc -systemd -vanilla
# /etc/portage/package.use/2022-01_xterms.txt vte
x11-libs/vte% vanilla
# /etc/portage/package.use/2021-00_verify-sig.txt zfs-kmod
sys-fs/zfs-kmod% verify-sig
# /etc/portage/package.use/2021-00_verify-sig.txt zfs
sys-fs/zfs% verify-sig
# /etc/portage/package.use/2021-00_verify-sig.txt zfs
sys-fs/zfs-kmod% verify-sig
# /etc/portage/package.use/2020-01_nls.txt qemu
app-emulation/qemu% -nls
# /etc/portage/package.use/2021-04_qemu.txt qemu
app-emulation/qemu% -accessibility aio alsa bzip2 caps -capstone curl -debug doc fdt filecaps -fuse -glusterfs gnutls gtk -infiniband -io-uring -iscsi -jack -jemalloc jpeg lzo -multipath ncurses -nfs -nls numa opengl -oss pin-upstream-blobs plugins png -pulseaudio python -rbd sasl sdl sdl-image seccomp -selinux -slirp -smartcard snappy spice ssh -static -static-user -systemtap -test -udev usb usbredir vde vhost-net vhost-user-fs virgl virtfs vnc vte xattr -xen xfs zstd #
# /etc/portage/package.use/2023-00_python-3.11.txt qemu
app-emulation/qemu% -python_single_target_python3_10 python_single_target_python3_11 python_single_target_python3_11 -python_single_target_python3_10
# /etc/portage/package.use/2019-11_aqemu.txt aqemu
app-emulation/aqemu% vnc
# /etc/portage/package.use/2019-09_spice-gtk.txt spice-gtk
>=net-misc/spice-gtk-0.35% usbredir
# /etc/portage/package.use/2020-01_polkit.txt spice-gtk
net-misc/spice-gtk% policykit
# /etc/portage/package.use/2020-01_polkit.txt libvirt
app-emulation/libvirt% apparmor audit -bash-completion caps -dbus -dtrace -firewalld fuse -glusterfs -iscsi -iscsi-direct libssh libvirtd lvm lxc -macvtap -nfs -nls numa -openvz parted pcap -policykit qemu -rbd -sasl -selinux udev vepa verify-sig virt-network virtualbox -wireshark-plugins -xen -zfs
# /etc/portage/package.use/2020-10_nfs.txt libvirt
app-emulation/libvirt% -nfs
# /etc/portage/package.use/2021-00_verify-sig.txt libvirt
app-emulation/libvirt% verify-sig
# /etc/portage/package.use/2021-00_verify-sig.txt libvirt
dev-python/libvirt-python% verify-sig
# /etc/portage/package.use/2020-01_polkit.txt virt-manager
app-emulation/virt-manager% gtk -policykit virtualbox libvirtd caps dbus fuse libssh lxc macvtap numa parted pcap policykit qemu vepa virt-network
# /etc/portage/package.use/2019-11_qxl.txt xf86-video-qxl
x11-drivers/xf86-video-qxl% xspice
# /etc/portage/package.use/2019-11_libguestfs.txt libguestfs
app-emulation/libguestfs% parted virtualbox libvirt -erlang -lua perl fuse gtk inspect-icons introspection -ocaml python -ruby
# /etc/portage/package.use/2023-00_python-3.11.txt libguestfs
app-emulation/libguestfs% python_single_target_python3_11
# /etc/portage/package.use/2021-00_verify-sig.txt libvirt-python
dev-python/libvirt-python% verify-sig
# /etc/portage/package.use/2017-02_docker.txt tini
sys-process/tini% static args
# /etc/portage/package.use/2017-02_docker.txt docker
app-containers/docker% btrfs