From c8610f9ded8f84524a73c964ea27bb7951013dd5 Mon Sep 17 00:00:00 2001 From: emdee Date: Fri, 5 Jan 2024 11:12:55 +0000 Subject: [PATCH] proxy_ping_test --- Makefile | 138 ++++--- ansible.cfg | 2 +- ansible_local.yml | 37 +- hosts.yml | 55 ++- lib/plugins/#libvirt_qemu.py# | 370 ++++++++++++++++++ lib/plugins/libvirt_qemu.py | 28 +- .../ansible-gentoo_install/defaults/main.yml | 18 +- .../files/firewall.conf | 171 ++++++++ .../tasks/bootloader.yml | 96 +++-- roles/ansible-gentoo_install/tasks/chroot.yml | 6 +- .../ansible-gentoo_install/tasks/libvirt.yml | 23 ++ roles/ansible-gentoo_install/tasks/local.yml | 1 + roles/ansible-gentoo_install/tasks/main.yml | 9 +- roles/ansible-gentoo_install/tasks/misc.yml | 6 +- .../templates/etc/firewall_External-tor.conf | 171 ++++++++ .../etc/libvirt/qemu/networks/External.xml | 18 + .../vars/target_Gentoo2.yml | 31 +- roles/toxcore/vars/mask.txt | 15 + roles/toxcore/vars/use.txt | 114 ++++++ 19 files changed, 1126 insertions(+), 183 deletions(-) create mode 100644 lib/plugins/#libvirt_qemu.py# create mode 100644 roles/ansible-gentoo_install/files/firewall.conf create mode 100644 roles/ansible-gentoo_install/tasks/libvirt.yml create mode 100644 roles/ansible-gentoo_install/templates/etc/firewall_External-tor.conf create mode 100644 roles/ansible-gentoo_install/templates/etc/libvirt/qemu/networks/External.xml create mode 100644 roles/toxcore/vars/mask.txt create mode 100644 roles/toxcore/vars/use.txt diff --git a/Makefile b/Makefile index a6ebfea..54c6309 100644 --- a/Makefile +++ b/Makefile 
@@ -9,21 +9,21 @@ ANSIBLE_PLUGINS=/usr/local/lib/python3.11/site-packages/ansible-2.9.22-py3.11.eg # change this to be that hostname LOCALHOST=`cat /etc/hostname` -BOX_NBD_BASE_DIR=/a/tmp/GentooImgr -BOX_NBD_BASE_FILE=gentoo.qcow2 -BOX_NBD_BASE_QCOW=${BOX_NBD_BASE_DIR}/${BOX_NBD_BASE_FILE} # set this to the name linux_local_group host in hosts.yml LOCAL_HOSTS_NAME=pentoo # set this to the name linux_chroot_group host in hosts.yml YAML_CHROOT_NAME=linuxGentoo # set this to the libvirt name of the linux_libvirt_group host in hosts.yml -YAML_BOX_NAME=gentoo1 -INST_BOX_NAME=gentoo1 +OVERLAY_HOSTS_NAME=gentoo_overlay-2 + +BOX_NBD_BASE_QCOW="`/usr/local/bin/ansible_get_inventory.bash BOX_NBD_BASE_QCOW ${OVERLAY_HOSTS_NAME}`" +BOX_NBD_OVERLAY_DIR="`/usr/local/bin/ansible_get_inventory.bash BOX_NBD_OVERLAT_DIR ${OVERLAY_HOSTS_NAME}`" +BOX_NBD_OVERLAY_QCOW="`/usr/local/bin/ansible_get_inventory.bash BOX_NBD_OVERLAT_QCOW ${OVERLAY_HOSTS_NAME}`" +BOX_NBD_OVERLAY_XML=${BOX_NBD_OVERLAY_DIR}/xml/${OVERLAY_HOSTS_NAME}.xml +BOX_NBD_OVERLAY_NAME="`/usr/local/bin/ansible_get_inventory.bash BOX_NBD_OVERLAY_NAME ${OVERLAY_HOSTS_NAME}`" -#INST_BOX_DIR=/mnt/o/home/root/vms/virsh -INST_BOX_DIR=${BOX_NBD_BASE_DIR}/create-vm PWD=/o/var/local/src/play_tox/ -NETWORK=default +NETWORK=Whonix-External VERBOSE=2 all: install lint build check run test 
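Review bot: The inventory keys handed to ansible_get_inventory.bash for `BOX_NBD_OVERLAY_DIR` and `BOX_NBD_OVERLAY_QCOW` are spelled `BOX_NBD_OVERLAT_DIR` / `BOX_NBD_OVERLAT_QCOW`, while hosts.yml in this same commit defines them as `BOX_NBD_OVERLAY_DIR` / `BOX_NBD_OVERLAY_QCOW`, so those two lookups presumably resolve to nothing and `BOX_NBD_OVERLAY_XML` degrades to `/xml/gentoo_overlay-2.xml`. Because the backtick form is a recursively expanded `=` assignment, the lookup script is also re-run by the shell on every recipe line that mentions one of these variables. A parse-time lookup with a guard catches both problems (GNU make): `BOX_NBD_OVERLAY_DIR := $(shell /usr/local/bin/ansible_get_inventory.bash BOX_NBD_OVERLAY_DIR $(OVERLAY_HOSTS_NAME))` followed by `$(if $(strip $(BOX_NBD_OVERLAY_DIR)),,$(error BOX_NBD_OVERLAY_DIR is empty for $(OVERLAY_HOSTS_NAME)))`, and likewise for the other four lookups.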
@@ -66,27 +66,27 @@ build_base:: install [ -f ${BOX_NBD_BASE_QCOW} ] build_overlay:: - @virsh list | grep "${INST_BOX_NAME}.*running" && \ - virsh destroy ${INST_BOX_NAME} ; true -# @virsh list | grep "${INST_BOX_NAME}.*running" && exit 1 - @virsh list --all | grep ${INST_BOX_NAME} && \ - virsh undefine ${INST_BOX_NAME} && \ + @virsh list | grep "${OVERLAY_HOSTS_NAME}.*running" && \ + virsh destroy ${OVERLAY_HOSTS_NAME} ; true +# @virsh list | grep "${OVERLAY_HOSTS_NAME}.*running" && exit 1 + @virsh list --all | grep ${OVERLAY_HOSTS_NAME} && \ + virsh undefine ${OVERLAY_HOSTS_NAME} && \ rm -f \ - ${INST_BOX_DIR}/xml/${INST_BOX_NAME}.xml \ - ${INST_BOX_DIR}/images/${INST_BOX_NAME}.img ; true + ${BOX_NBD_OVERLAY_XML} \ + ${BOX_NBD_OVERLAY_QCOW} ; true # /a/tmp/GentooImgr/create-vm/xml/gentoo1.xml -# ! virsh list --all | grep "${INST_BOX_NAME}" && exit 2 - [ ! -f ${INST_BOX_DIR}/images/${INST_BOX_NAME}.img ] || { \ +# ! virsh list --all | grep "${OVERLAY_HOSTS_NAME}" && exit 2 + [ ! -f ${BOX_NBD_OVERLAY_QCOW} ] || { \ echo WARN delete this file to continue; \ - echo rm -f ${INST_BOX_DIR}/images/${INST_BOX_NAME}.img ; \ + echo rm -f ${BOX_NBD_OVERLAY_QCOW} ; \ exit 3 ; } - [ ! -f ${INST_BOX_DIR}/xml/${INST_BOX_NAME}.xml ] || { \ + [ ! -f ${BOX_NBD_OVERLAY_XML} ] || { \ echo WARN delete this file to continue ; \ - echo rm -f ${INST_BOX_DIR}/xml/${INST_BOX_NAME}.xml ; \ + echo rm -f ${BOX_NBD_OVERLAY_XML} ; \ exit 4 ; } PLAY_ANSIBLE_SRC=${PWD} bash bin/toxcore_build_overlay_qcow.bash - [ -f ${INST_BOX_DIR}/xml/${INST_BOX_NAME}.xml ] - xmllint -noout ${INST_BOX_DIR}/xml/${INST_BOX_NAME}.xml + [ -f ${BOX_NBD_OVERLAY_XML} ] + xmllint -noout ${BOX_NBD_OVERLAY_XML} check:: grep -n 'shell: *$$' roles/*/tasks/*.yml && { echo ERROR: "shell: in .yml" ; false ; } || true 
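Review bot: The `rm -f ${BOX_NBD_OVERLAY_XML} ${BOX_NBD_OVERLAY_QCOW}` in build_overlay deletes whatever the runtime inventory lookups resolved to, with no check that they resolved to anything: an empty `BOX_NBD_OVERLAY_DIR` turns the xml argument into `/xml/gentoo_overlay-2.xml` and an empty QCOW into the empty-string argument rm rejects, and the trailing `; true` hides either outcome. Put a non-empty check in front of the removal, e.g. `[ -n ${BOX_NBD_OVERLAY_DIR} ] && [ -n ${BOX_NBD_OVERLAY_QCOW} ] || exit 5` as the first recipe line (the values already carry their own double quotes). The unanchored `grep ${OVERLAY_HOSTS_NAME}` on `virsh list --all` also matches any domain whose name merely contains that string; `grep -w`, or testing `virsh dominfo ${OVERLAY_HOSTS_NAME}` directly, is stricter.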
@@ -96,7 +96,7 @@ check:: $(MAKE) -$(MAKEFLAGS) check_base @[ -d /mnt/gentoo/lost+found ] && \ sudo $(MAKE) -$(MAKEFLAGS) $@_chroot - @[ -f ${INST_BOX_DIR}/images/${INST_BOX_NAME}.img ] && \ + @[ -f ${BOX_NBD_OVERLAY_QCOW} ] && \ sudo $(MAKE) -$(MAKEFLAGS) $@_overlay check_localhost:: @@ -106,9 +106,9 @@ check_localhost:: check_base:: ls ${BOX_NBD_BASE_QCOW} - ls ${INST_BOX_DIR}/images/${INST_BOX_NAME}.img - ls ${INST_BOX_DIR}/xml/${INST_BOX_NAME}.xml - ps axf | grep 'qemu-system-x86_64 -name guest='${INST_BOX_NAME} ; \ + ls ${BOX_NBD_OVERLAY_QCOW} + ls ${BOX_NBD_OVERLAY_XML} + ps axf | grep 'qemu-system-x86_64 -name guest='${OVERLAY_HOSTS_NAME} ; \ true check_chroot:: @@ -120,18 +120,19 @@ check_chroot:: $(ROLES) > .$@-${YAML_CHROOT_NAME}-${LOCALHOST} 2>&1 check_overlay:: - sudo /var/local/sbin/hostvms_libvirt_test_ga.bash ${INST_BOX_NAME} ls / + sudo /usr/local/sbin/toxcore_libvirt_test_ga.bash ${OVERLAY_HOSTS_NAME} ls / + sudo /usr/local/sbin/toxcore_libvirt_test_ga.bash ${OVERLAY_HOSTS_NAME} # domain-*-gentoo/org.qemu.guest_agent.0 || true + sudo virsh list | grep -q ${OVERLAY_HOSTS_NAME} || exit 0 sudo find /var/lib/libvirt/qemu/channel/target/ | \ grep org.qemu.guest_agent.0 sudo find /var/lib/libvirt/qemu/channel/target/ -type s | \ - grep ${INST_BOX_NAME} - ansible -c libvirt_qemu -l ${YAML_BOX_NAME} -i hosts.yml \ - -m setup -vvv ${YAML_BOX_NAME} - sudo virsh list | grep -q ${INST_BOX_NAME} || exit 0 - sudo sh ansible_local.bash --diff -i hosts.yml -l ${INST_BOX_NAME} \ + grep ${OVERLAY_HOSTS_NAME} + ansible -c libvirt_qemu -l ${OVERLAY_HOSTS_NAME} -i hosts.yml \ + -m setup -vvv ${OVERLAY_HOSTS_NAME} + sudo sh ansible_local.bash --diff -i hosts.yml -l ${OVERLAY_HOSTS_NAME} \ --check -c libvirt_qemu --verbose ${VERBOSE} \ - $(ROLES) > .$@-${INST_BOX_NAME}-${LOCALHOST} 2>&1 + $(ROLES) > .$@-${OVERLAY_HOSTS_NAME}-${LOCALHOST} 2>&1 # Edit hosts.yml and customize this target if you are on a Debianish devuan:: 
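Review bot: `sudo virsh list | grep -q ${OVERLAY_HOSTS_NAME} || exit 0` in check_overlay cannot stop the target: each recipe line runs in its own shell, so `exit 0` ends only that shell and the `find`, `ansible` and `ansible_local.bash` lines below still run against a domain that is not up. The same applies to `! sudo virsh list | grep -q ${OVERLAY_HOSTS_NAME} && exit 0` in test_overlay in the hunk at @@ -201. Either chain the guard to the following commands with `&& \` continuations or add `.ONESHELL:` (GNU make 3.82+, and it changes every recipe in the file) so the recipe is one script. The two `toxcore_libvirt_test_ga.bash` calls above the guard also need the running domain, so the guard belongs on the first line; and the second of those calls passes no command — if it is an intentional connectivity probe, a comment saying so would help.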
@@ -150,8 +151,8 @@ run:: $(MAKE) -$(MAKEFLAGS) $@_local @[ -d /mnt/gentoo/lost+found ] && \ sudo $(MAKE) -$(MAKEFLAGS) $@_chroot - @[ ! -f ${INST_BOX_DIR}/images/${INST_BOX_NAME}.img ] && \ - sudo $(MAKE) -$(MAKEFLAGS) $@_libvirt + @[ ! -f ${BOX_NBD_OVERLAY_QCOW} ] && \ + sudo $(MAKE) -$(MAKEFLAGS) $@_overlay run_local:: lint A=`grep nbd /proc/partitions | wc -l` 
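Review bot: The condition `[ ! -f ${BOX_NBD_OVERLAY_QCOW} ]` in run:: invokes run_overlay only when the overlay image is absent, yet run_overlay (hunk at @@ -174) begins by failing with `WARN ... doesnt exist - make build_overlay` when that same file is missing, so the sub-make can never succeed from here; check:: and test:: in this commit test `-f`, so the `!` looks inverted. Suggest `@[ -f ${BOX_NBD_OVERLAY_QCOW} ] && sudo $(MAKE) -$(MAKEFLAGS) $@_overlay || true`; the `|| true` is needed because a false test would otherwise make this last recipe line, and with it the target, fail. run::'s earlier lines are outside the hunk.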
@@ -174,26 +175,35 @@ run_chroot:: -c chroot --verbose ${VERBOSE} $(ROLES) \ > .$@-${YAML_CHROOT_NAME}-${LOCALHOST} 2>&1 -run_libvirt:: - [ -f ${INST_BOX_DIR}/images/${INST_BOX_NAME}.img ] +install_libvirt:: @virsh net-list | grep "${NETWORK}.*active" || \ - sudo virsh net-start "${NETWORK}" - @virsh list | grep ${INST_BOX_NAME} && \ - virsh define ${INST_BOX_DIR}/xml/${INST_BOX_NAME}.xml - @virsh list | grep "${INST_BOX_NAME}.*running" || \ - virsh start ${INST_BOX_NAME} - sh ansible_local.bash --diff -i hosts.yml -l ${INST_BOX_NAME} \ + sudo virsh net-start "${NETWORK}" || { \ + echo WARN: error virsh net-start "${NETWORK}" ; } + [ -f ${BOX_NBD_OVERLAY_XML} ] +# xmlstarlet sel -t -v + A=$(grep 'source file=' ${BOX_NBD_OVERLAY_XML} | sed -e 's@.*file=.@@' -e "s@'.*@@" ) + [ -n "${A}" ] && [ -f "${A}" ] + @virsh list --all | grep ${OVERLAY_HOSTS_NAME} || \ + virsh define ${BOX_NBD_OVERLAY_XML} + @virsh list | grep "${OVERLAY_HOSTS_NAME}.*running" || \ + { virsh start ${OVERLAY_HOSTS_NAME} ; sleep 40 ; } + +run_overlay:: install_libvirt + [ -f ${BOX_NBD_OVERLAY_QCOW} ] || { \ + echo WARN ${BOX_NBD_OVERLAY_QCOW} doesnt exist - make build_overlay ; \ + exit 1 ; } + sh ansible_local.bash --diff -i hosts.yml -l ${OVERLAY_HOSTS_NAME} \ -c libvirt_qemu --verbose ${VERBOSE} $(ROLES) \ - > .run-${INST_BOX_NAME}-${LOCALHOST} 2>&1 + > .run-${OVERLAY_HOSTS_NAME}-${LOCALHOST} 2>&1 # hourly is quick tests, weekly is medium tests, monthly is long tests weekly:: test test:: +# bash .pyanal.sh & @[ -d /mnt/gentoo/lost+found ] && \ sudo $(MAKE) -$(MAKEFLAGS) $@_local - @[ -f ${INST_BOX_DIR}/images/${INST_BOX_NAME}.img ] && \ - sudo $(MAKE) -$(MAKEFLAGS) $@_libvert - + @[ -f ${BOX_NBD_OVERLAY_QCOW} ] && \ + sudo $(MAKE) -$(MAKEFLAGS) $@_overlay test_local:: bash .pyanal.sh & sudo sh ansible_local.bash --diff -i ${PWD}/hosts.yml -l ${LOCALHOST} \ 
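Review bot: `A=$(grep 'source file=' ${BOX_NBD_OVERLAY_XML} | sed ...)` in install_libvirt is expanded by make, not the shell: `$(grep ...)` is a reference to an undefined make variable and yields nothing, and `${A}` on the next line is likewise the make variable `A`, which the hunk at @@ -201 defines at file level from `${VM_XML}` — so `[ -n "${A}" ] && [ -f "${A}" ]` checks the gentoo_vm-2 disk rather than this overlay's, and a shell variable would not survive across recipe lines anyway. Escape the dollars and keep both on one shell line: `A=$$(grep 'source file=' ${BOX_NBD_OVERLAY_XML} | sed -e 's@.*file=.@@' -e "s@'.*@@") && \` / `[ -n "$$A" ] && [ -f "$$A" ]`. The fixed `sleep 40` after `virsh start` is a guess at boot time; a bounded retry loop against the guest agent would be more robust and usually faster.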
@@ -201,15 +211,39 @@ test_local:: --verbose ${VERBOSE} -t weekly \ $(ROLES) > .$@-${LOCALHOST} 2>&1 -test_libvirt:: -# bash .pyanal.sh & -# check if ${INST_BOX_NAME} is running - ! sudo virsh list | grep -q ${INST_BOX_NAME} && exit 0 +test_overlay:: install_libvirt + ! sudo virsh list | grep -q ${OVERLAY_HOSTS_NAME} && exit 0 sudo sh ansible_local.bash --diff -i ${PWD}/hosts.yml \ - -l ${INST_BOX_NAME} -c libvirt_qemu \ + -l ${OVERLAY_HOSTS_NAME} -c libvirt_qemu \ --verbose ${VERBOSE} -t weekly \ $(ROLES) > .$@-${LOCALHOST} 2>&1 +# this is a special test target to test a copy of the base qcow2 +VM_HOSTS_NAME=gentoo_vm-2 +VM_XML=/etc/libvirt/qemu/${VM_HOSTS_NAME}.xml +A="`grep 'source file=.*qcow2' ${VM_XML} | sed -e 's@.*file=.@@' -e "s@'.*@@"`" +install_vm:: + @virsh net-list | grep "${NETWORK}.*active" || \ + sudo virsh net-start "${NETWORK}" || { \ + echo WARN: error virsh net-start "${NETWORK}" ; } + [ -f ${VM_XML} ] + @virsh list --all | grep ${VM_HOSTS_NAME} || { \ + echo ERROR virsh define ${VM_XML} ; exit 8 ; } +# xmlstarlet sel -t -v + [ -n "${A}" ] && [ -f "${A}" ] + @virsh list | grep "${VM_HOSTS_NAME}.*running" || \ + { virsh start ${VM_HOSTS_NAME} ; sleep 40 ; } + +test_vm:: install_vm + sudo sh ansible_local.bash --diff -i ${PWD}/hosts.yml \ + -l ${VM_HOSTS_NAME} -c libvirt_qemu \ + --check --verbose ${VERBOSE} -t daily \ + $(ROLES) > .$@-${LOCALHOST} 2>&1 + sudo sh ansible_local.bash --diff -i ${PWD}/hosts.yml \ + -l ${VM_HOSTS_NAME} -c libvirt_qemu \ + --verbose ${VERBOSE} -t daily \ + $(ROLES) > .$@-${LOCALHOST} 2>&1 + veryclean:: clean rm -f .run* .check* diff --git a/ansible.cfg b/ansible.cfg index 2f0a9b9..e25b3cf 100644 --- a/ansible.cfg +++ b/ansible.cfg 
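Review bot: test_vm redirects both ansible runs to the same `.$@-${LOCALHOST}` with `>`, so the `--check` pass's diff output is overwritten by the real run before anyone can read it; write the first to `.$@-check-${LOCALHOST}` or append the second with `>>`. The file-level `A="`grep ... ${VM_XML} ...`"` is a recursively expanded make variable, so every recipe line that mentions `${A}` re-runs the grep in its own shell, and because make variables are global it also leaks into install_libvirt's `${A}` check in the hunk at @@ -174; a name tied to this target, such as `VM_QCOW`, avoids the collision. install_vm's `[ -f ${VM_XML} ]` reads under `/etc/libvirt/qemu/`, which is commonly readable only by root, so it may need the same `sudo` as the virsh calls around it.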
@@ -1,5 +1,5 @@ [defaults] -log_path = var/tmp/2023/12/31/pentoo/base_proxy_toxcore.log +log_path = var/tmp/2024/01/05/gentoo_vm-2/base_proxy_toxcore.log callback_plugins = ./lib/plugins/ # /i/data/DevOps/net/Http/docs.ansible.com/ansible/intro_configuration.html # http://docs.ansible.com/ansible/intro_configuration.html#command-warnings diff --git a/ansible_local.yml b/ansible_local.yml index 96fcd38..e7dbeec 100644 --- a/ansible_local.yml +++ b/ansible_local.yml @@ -101,10 +101,10 @@ that: - "'{{ansible_lsb.id}}' == '{{BOX_OS_NAME}}'" success_msg: "BOX_OS_FAMILY={{BOX_OS_FAMILY}}" - fail_msg: "ON tHE WRONG BOX {{ansible_lsb.id}} " + fail_msg: "ON tHE WRONG BOX {{ansible_lsb.id}}" when: - - ansible_connection != 'local' - - ansible_lsb.id|default('')" != '' +# - ansible_connection != 'local' + - ansible_lsb.id|default('') != '' ignore_errors: true - name: "check BOX_ANSIBLE_CONNECTIONS" @@ -148,39 +148,8 @@ check_mode: false when: ansible_connection == 'local' or ansible_connection == 'chroot' - - block: - - - name: "spinup libvirt hosts" - shell: | - sudo virsh net-list | grep -q default || \ - sudo virsh net-start default - sudo virsh list | grep -q "{{ inventory_hostname }}" || \ - sudo virsh start "{{ inventory_hostname }}" - delegate_to: localhost - become: yes - - - name: "spinup libvirt hosts" - # pip3.sh install ovirt-engine-sdk-python --break-system-packages - ovirt: - url: "qemu:///system" - instance_name: ubuntu18.04 - instance_cpus: "1" - state: started - # instance_rootpw - user: "{{ BOX_USER_NAME }}" # - password: "{{ BOX_USER_NAME }}" # "{{ ansible_ssh_user }} - become: yes - # msg: ovirtsdk required for this module - ignore_errors: true - - # required - tags: always - check_mode: false - when: ansible_connection == 'libvirt_qemu' - - block: - # after spinup - name: "we will use sudo and make it a prerequisite" shell: | [ -z "$TMPDIR" ] || [ -d "$TMPDIR" ] || mkdir -p "$TMPDIR" diff --git a/hosts.yml b/hosts.yml index 212ea1c..18c511f 100644 
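Review bot: The `when:` clause now keeps `ansible_connection != 'local'` as a commented-out line instead of removing it, so a reader cannot tell whether the wrong-box assert is meant to run for local connections permanently or only while testing; delete the line, or replace it with a comment stating the intent. This assert is the only thing that notices the play is running against the wrong host, and the `ignore_errors: true` below it reduces that to a logged message — once the local case is known to pass, dropping `ignore_errors` (or using `failed_when`) would let it actually stop the play. The task's opening `- name:`/`assert:` lines are outside the hunk.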
--- a/hosts.yml +++ b/hosts.yml @@ -79,7 +79,6 @@ all: BOX_USR_LIB: lib BOX_DEFAULT_OUTPUT_IF: wlan4 BOX_PROXY_MODE: selektor - BOX_WHONIX_PROXY_HOST: "" BOX_GENTOO_DISTFILES_ARCHIVES: "/i/net/Http/distfiles.gentoo.org/distfiles" BOX_PROXY_JAVA_NET_PROPERTIES: /etc/java-config-2/current-system-vm/jre/lib/net.properties # /usr/lib/jvm/openjdk-bin-*/conf/net.properties @@ -110,7 +109,6 @@ all: BOX_JAVA_NET_PROPERTIES: /etc/java-11-openjdk/net.properties - BOX_WHONIX_PROXY_HOST: "" BOX_PROXY_MODE: tor BOX_GENTOO_FROM_MP: "/mnt/linuxPen19" 
@@ -126,13 +124,45 @@ all: hosts: - gentoo1: + gentoo_overlay-2: - ansible_remote_addr: "gentoo1" - ansible_host: "gentoo1" + ansible_remote_addr: "gentoo_overlay-2" + ansible_host: "gentoo_overlay-2" ansible_ssh_user: "gentoo" BOX_SERVICE_MGR: "openrc" - BOX_HOST_NAME: "gentoo1" + BOX_HOST_NAME: "gentoo_overlay-2" + BOX_USER_NAME: "gentoo" + BOX_USER_GROUP: "adm" + BOX_ALSO_GROUP: "adm" + BOX_USER_HOME: "/home/gentoo" + BOX_OS_NAME: Gentoo + BOX_OS_FAMILY: Gentoo + BOX_OS_FLAVOR: "Gentoo" + BOX_PROXY_MODE: nat + BOX_USR_LIB: lib64 + BOX_DEFAULT_OUTPUT_IF: eth0 + BOX_PYTHON2_MINOR: "" + BOX_PYTHON3_MINOR: "3.11" + BASE_PORTAGE_PYTHON_MINOR: 3.11 + BOX_HOST_CONTAINER_MOUNTS: [] + BOX_GENTOO_DISTFILES_ARCHIVES: "/mnt/linuxPen19/usr/portage/distfiles" + BOX_PROXY_JAVA_NET_PROPERTIES: /etc/java-config-2/current-system-vm/jre/lib/net.properties + BOX_ALSO_USERS: + - gentoo + BOX_BASE_FEATURES: [] + BOX_TOXCORE_FEATURES: ['libvirt'] # ', 'docker + BOX_GENTOO_FROM_MP: "/mnt/linuxPen19" + BOX_NBD_OVERLAY_NAME: "gentoo_overlay-2" # was gentoo1 + BOX_NBD_OVERLAY_BASE: "/a/tmp/GentooImgr/gentoo_base-2.qcow2" + BOX_NBD_OVERLAY_QCOW: "/a/tmp/GentooImgr/create-vm/images/gentoo_overlay-2.img" + + gentoo_vm-2: + # vm no overlay, copy of the overlay's base + ansible_remote_addr: "gentoo_vm-2" + ansible_host: "gentoo_vm-2" + ansible_ssh_user: "gentoo" + BOX_SERVICE_MGR: "openrc" + BOX_HOST_NAME: "gentoo_vm-2" BOX_USER_NAME: "gentoo" BOX_USER_GROUP: "adm" BOX_ALSO_GROUP: "adm" @@ -151,8 +181,10 @@ all: BOX_ALSO_USERS: - gentoo BOX_BASE_FEATURES: [] - BOX_TOXCORE_FEATURES: ['libvirt', 'docker'] + BOX_TOXCORE_FEATURES: ['libvirt'] # ', 'docker BOX_GENTOO_FROM_MP: "/mnt/linuxPen19" + BOX_VM_NAME: "gentoo_vm-2" # was gentoo1 + BOX_VM_QCOW: "/o/var/lib/libvirt/images/gentoo_vm-2.qcow2" ubuntu18.04: # /mnt 
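Review bot: The new `gentoo_vm-2` host appears to repeat every variable of `gentoo_overlay-2` except the `BOX_VM_*`/`BOX_NBD_OVERLAY_*` paths, so the two hosts will drift the next time one of them is edited; the shared block belongs in the group's `vars:` (or a `group_vars` file), leaving only `ansible_host`, `BOX_HOST_NAME` and the image paths on each host. `BOX_TOXCORE_FEATURES: ['libvirt'] # ', 'docker` leaves a fragment of the old list in the comment; `# docker dropped` says the same thing legibly. `BOX_NBD_OVERLAY_QCOW` points at a `.img` file while `BOX_NBD_OVERLAY_BASE` and `BOX_VM_QCOW` are `.qcow2`; a comment on why the overlay is `.img` (or renaming the variable) would spare the next reader the doubt.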
@@ -187,11 +219,6 @@ all: # ansible_ssh_extra_args: "-o StrictHostKeyChecking=no" # ansible_ssh_host: "127.0.0.1" BOX_ROOT_GROUP: root - BOX_PROXY_MODE: client - http_proxy: "http://127.0.0.1:3128" - https_proxy: "http://127.0.0.1:9128" - socks_proxy: "socks5://127.0.0.1:9050" - no_proxy: "localhost,127.0.0.1,127.0.0.1" linux_chroot_group : @@ -261,7 +288,6 @@ all: # toxcore BOX_NBD_DEV: nbd1 BOX_NBD_MP: /mnt/gentoo - BOX_NBD_OVERLAY_NAME: "gentoo1" BOX_NBD_FILES: "/i/data/Agile/tmp/Topics/GentooImgr" BOX_NBD_PORTAGE_FILE: "{{AGI_NBD_FILES}}/portage-20231223.tar.xz" BOX_NBD_STAGE3_FILE: "{{AGI_NBD_FILES}}/stage3-amd64-openrc-20231217T170203Z.tar.xz" @@ -269,12 +295,10 @@ all: BOX_NBD_BASE_PROFILE: openrc BOX_NBD_BASE_DIR: "/a/tmp/GentooImgr" BOX_NBD_BASE_QCOW: "{{BOX_NBD_BASE_DIR}}/gentoo.qcow2" - BOX_NBD_OVERLAY_QCOW: "/o/var/lib/libvirt/images/gentoo1.qcow2" BOX_NBD_BASE_PUBKEY: "/root/.ssh/id_rsa-ansible.pub" # libvirt overlay BOX_NBD_OVERLAY_DIR: "/a/tmp/GentooImgr/create-vm" - BOX_NBD_OVERLAY_BASE: "/o/var/lib/libvirt/images/gentoo.qcow2.2" BOX_NBD_LOGLEVEL: 10 BOX_NBD_OVERLAY_GB: "20" BOX_NBD_OVERLAY_CPUS: 1 @@ -286,7 +310,6 @@ all: BOX_NBD_OVERLAY_PASS: "gentoo" BOX_GENTOOIMGR_CONFIGFILE: "/g/Agile/tmp/Topics/GentooImgr/base.json" - vars: # These come from the inventory overridden for connection = local,chroot in base_proxy.yml http_proxy: "" diff --git a/lib/plugins/#libvirt_qemu.py# b/lib/plugins/#libvirt_qemu.py# new file mode 100644 index 0000000..50191f9 --- /dev/null +++ b/lib/plugins/#libvirt_qemu.py# 
@@ -0,0 +1,370 @@ +# Based on local.py (c) 2012, Michael DeHaan +# Based on chroot.py (c) 2013, Maykel Moya +# (c) 2013, Michael Scherer +# (c) 2015, Toshio Kuratomi +# (c) 2017 Ansible Project +# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) + +from __future__ import (absolute_import, division, print_function) +import sys +import time + +__metaclass__ = type + +DOCUMENTATION = """ + author: Jesse Pretorius + connection: community.libvirt.libvirt_qemu + short_description: Run tasks on libvirt/qemu virtual machines + description: + - Run commands or put/fetch files to libvirt/qemu virtual machines using the qemu agent API. + notes: + - Currently DOES NOT work with selinux set to enforcing in the VM. + - Requires the qemu-agent installed in the VM. + - Requires access to the qemu-ga commands guest-exec, guest-exec-status, guest-file-close, guest-file-open, guest-file-read, guest-file-write. + version_added: "2.10" + options: + remote_addr: + description: Virtual machine name + default: inventory_hostname + vars: + - name: ansible_host + executable: + description: Shell to use for execution inside container + default: /bin/sh + vars: + - name: ansible_executable + virt_uri: + description: libvirt URI to connect to to access the virtual machine + default: qemu:///system + vars: + - name: ansible_libvirt_uri + timeout: + description: timeout for libvirt to connect to access the virtual machine + required: false + type: int + default: 10 +""" + +import base64 +import json +import libvirt +import libvirt_qemu +import shlex +import traceback + +from ansible import constants as C +from ansible.errors import AnsibleError, AnsibleConnectionFailure, AnsibleFileNotFound +from ansible.module_utils._text import to_bytes, to_native, to_text +from ansible.plugins.connection import ConnectionBase, BUFSIZE +from ansible.plugins.shell.powershell import _parse_clixml +from ansible.utils.display import Display +from 
ansible.plugins.callback.minimal import CallbackModule +from functools import partial +from os.path import exists, getsize + +display = Display() + +iMAX_WAIT = 10 # sec. + +REQUIRED_CAPABILITIES = [ + {'enabled': True, 'name': 'guest-exec', 'success-response': True}, + {'enabled': True, 'name': 'guest-exec-status', 'success-response': True}, + {'enabled': True, 'name': 'guest-file-close', 'success-response': True}, + {'enabled': True, 'name': 'guest-file-open', 'success-response': True}, + {'enabled': True, 'name': 'guest-file-read', 'success-response': True}, + {'enabled': True, 'name': 'guest-file-write', 'success-response': True} +] + + +class Connection(ConnectionBase): + ''' Local libvirt qemu based connections ''' + + transport = 'community.libvirt.libvirt_qemu' + # TODO(odyssey4me): + # Figure out why pipelining does not work and fix it + has_pipelining = False + has_tty = False + + def __init__(self, play_context, new_stdin, *args, **kwargs): + super(Connection, self).__init__(play_context, new_stdin, *args, **kwargs) + + self._host = self._play_context.remote_addr + + # Windows operates differently from a POSIX connection/shell plugin, + # we need to set various properties to ensure SSH on Windows continues + # to work + if getattr(self._shell, "_IS_WINDOWS", False): + self.has_native_async = True + self.always_pipeline_modules = True + self.module_implementation_preferences = ('.ps1', '.exe', '') + self.allow_executable = False + self._timeout = sgelf.get_option('timeout', 10) + + def _connect(self): + ''' connect to the virtual machine; nothing to do here ''' + super(Connection, self)._connect() + if not self._connected: + + self._virt_uri = self.get_option('virt_uri') + + self._display.vvv(u"CONNECT TO {0}".format(self._virt_uri), host=self._host) + try: + self.conn = libvirt.open(self._virt_uri) + except libvirt.libvirtError as err: + self._display.vv(u"ERROR: libvirtError CONNECT TO {0}\n{1}".format(self._virt_uri, to_native(err)), host=self._host) + 
self._connected = False + raise AnsibleConnectionFailure(to_native(err)) + + self._display.vvv(u"FIND DOMAIN {0}".format(self._host), host=self._host) + try: + self.domain = self.conn.lookupByName(self._host) + except libvirt.libvirtError as err: + raise AnsibleConnectionFailure(to_native(err)) + + request_cap = json.dumps({'execute': 'guest-info'}) + response_cap = json.loads(libvirt_qemu.qemuAgentCommand(self.domain, request_cap, 5, 0)) + self.capabilities = response_cap['return']['supported_commands'] + self._display.vvvvv(u"GUEST CAPABILITIES: {0}".format(self.capabilities), host=self._host) + missing_caps = [] + for cap in REQUIRED_CAPABILITIES: + if cap not in self.capabilities: + missing_caps.append(cap['name']) + if len(missing_caps) > 0: + self._display.vvv(u"REQUIRED CAPABILITIES MISSING: {0}".format(missing_caps), host=self._host) + raise AnsibleConnectionFailure('Domain does not have required capabilities') + + display.vvv(u"ESTABLISH {0} CONNECTION".format(self.transport), host=self._host) + self._connected = True + + def exec_command(self, cmd, in_data=None, sudoable=True, timeout=None): + """ execute a command on the virtual machine host """ + super(Connection, self).exec_command(cmd, in_data=in_data, sudoable=sudoable) + + self._display.vvv(u"EXEC {0}".format(cmd), host=self._host) + if timeout is None: + timeout = self._timeout + + cmd_args_list = shlex.split(to_native(cmd, errors='surrogate_or_strict')) + + if getattr(self._shell, "_IS_WINDOWS", False): + # Become method 'runas' is done in the wrapper that is executed, + # need to disable sudoable so the bare_run is not waiting for a + # prompt that will not occur + sudoable = False + + # Generate powershell commands + cmd_args_list = self._shell._encode_script(cmd, as_list=True, strict_mode=False, preserve_rc=False) + + # TODO(odyssey4me): + # Implement buffering much like the other connection plugins + # Implement 'env' for the environment settings + # Implement 'input-data' for whatever it 
might be useful for + request_exec = { + 'execute': 'guest-exec', + 'arguments': { + 'path': cmd_args_list[0], + 'capture-output': True, + 'arg': cmd_args_list[1:] + } + } + request_exec_json = json.dumps(request_exec) + + display.vvv("GA send: {0}".format(request_exec_json), host=self._host) +# sys.stderr.write("GA send: {0}\n".format(request_exec_json)) + command_start = time.clock_gettime(time.CLOCK_MONOTONIC) + # TODO(odyssey4me): + # Add timeout parameter + flags = 0 + try: + result_exec = json.loads(libvirt_qemu.qemuAgentCommand(self.domain, request_exec_json, timeout, flags)) + except libvirt.libvirtError as err: + self._display.vv(u"ERROR: libvirtError EXEC TO {0}\n{1}".format(self._virt_uri, to_native(err)), host=self._host) + sys.stderr.write(u"ERROR: libvirtError EXEC TO {0}\n{1}\n".format(self._virt_uri, to_native(err))) + self._connected = False + raise AnsibleConnectionFailure(to_native(err)) + + display.vvv(u"GA return: {0}".format(result_exec), host=self._host) + + request_status = { + 'execute': 'guest-exec-status', + 'arguments': { + 'pid': result_exec['return']['pid'] + } + } + request_status_json = json.dumps(request_status) + + display.vvv(u"GA send: {0}".format(request_status_json), host=self._host) + + # TODO(odyssey4me): + # Work out a better way to wait until the command has exited + max_time = iMAX_WAIT + time.clock_gettime(time.CLOCK_MONOTONIC) + result_status = { + 'return': dict(exited=False), + } + while not result_status['return']['exited']: + # Wait for 5% of the time already elapsed + sleep_time = (time.clock_gettime(time.CLOCK_MONOTONIC) - command_start) * (5 / 100) + if sleep_time < 0.0002: + sleep_time = 0.0002 + elif sleep_time > 1: + sleep_time = 1 + time.sleep(sleep_time) + result_status = json.loads(libvirt_qemu.qemuAgentCommand(self.domain, request_status_json, 5, 0)) + if time.clock_gettime(time.CLOCK_MONOTONIC) > max_time: + err = 'timeout' + self._display.vv(u"ERROR: libvirtError EXEC TO {0}\n{1}".format(self._virt_uri, 
to_native(err)), host=self._host) + sys.stderr.write(u"ERROR: libvirtError EXEC TO {0}\n{1}\n".format(self._virt_uri, to_native(err))) + self._connected = False + raise AnsibleConnectionFailure(to_native(err)) + + display.vvv(u"GA return: {0}".format(result_status), host=self._host) + + while not result_status['return']['exited']: + result_status = json.loads(libvirt_qemu.qemuAgentCommand(self.domain, request_status_json, 5, 0)) + + display.vvv(u"GA return: {0}".format(result_status), host=self._host) + + if result_status['return'].get('out-data'): + stdout = base64.b64decode(result_status['return']['out-data']) + else: + stdout = b'' + + if result_status['return'].get('err-data'): + stderr = base64.b64decode(result_status['return']['err-data']) + else: + stderr = b'' + + # Decode xml from windows + if getattr(self._shell, "_IS_WINDOWS", False) and stdout.startswith(b"#< CLIXML"): + stdout = _parse_clixml(stdout) + + display.vvv(u"GA stdout: {0}".format(to_text(stdout)), host=self._host) + display.vvv(u"GA stderr: {0}".format(to_text(stderr)), host=self._host) + + return result_status['return']['exitcode'], stdout, stderr + + def put_file(self, in_path, out_path): + ''' transfer a file from local to domain ''' + super(Connection, self).put_file(in_path, out_path) + display.vvv("PUT %s TO %s" % (in_path, out_path), host=self._host) + + if not exists(to_bytes(in_path, errors='surrogate_or_strict')): + raise AnsibleFileNotFound( + "file or module does not exist: %s" % in_path) + + request_handle = { + 'execute': 'guest-file-open', + 'arguments': { + 'path': out_path, + 'mode': 'wb+' + } + } + request_handle_json = json.dumps(request_handle) + + display.vvv(u"GA send: {0}".format(request_handle_json), host=self._host) + + result_handle = json.loads(libvirt_qemu.qemuAgentCommand(self.domain, request_handle_json, 5, 0)) + + display.vvv(u"GA return: {0}".format(result_handle), host=self._host) + + # TODO(odyssey4me): + # Handle exception for file/path IOError + with 
open(to_bytes(in_path, errors='surrogate_or_strict'), 'rb') as in_file: + for chunk in iter(partial(in_file.read, BUFSIZE), b''): + try: + request_write = { + 'execute': 'guest-file-write', + 'arguments': { + 'handle': result_handle['return'], + 'buf-b64': base64.b64encode(chunk).decode() + } + } + request_write_json = json.dumps(request_write) + + display.vvvvv(u"GA send: {0}".format(request_write_json), host=self._host) + + result_write = json.loads(libvirt_qemu.qemuAgentCommand(self.domain, request_write_json, 5, 0)) + + display.vvvvv(u"GA return: {0}".format(result_write), host=self._host) + + except Exception: + traceback.print_exc() + raise AnsibleError("failed to transfer file %s to %s" % (in_path, out_path)) + + request_close = { + 'execute': 'guest-file-close', + 'arguments': { + 'handle': result_handle['return'] + } + } + request_close_json = json.dumps(request_close) + + display.vvv(u"GA send: {0}".format(request_close_json), host=self._host) + + result_close = json.loads(libvirt_qemu.qemuAgentCommand(self.domain, request_close_json, 5, 0)) + + display.vvv(u"GA return: {0}".format(result_close), host=self._host) + + def fetch_file(self, in_path, out_path): + ''' fetch a file from domain to local ''' + super(Connection, self).fetch_file(in_path, out_path) + display.vvv("FETCH %s TO %s" % (in_path, out_path), host=self._host) + + request_handle = { + 'execute': 'guest-file-open', + 'arguments': { + 'path': in_path, + 'mode': 'r' + } + } + request_handle_json = json.dumps(request_handle) + + display.vvv(u"GA send: {0}".format(request_handle_json), host=self._host) + + result_handle = json.loads(libvirt_qemu.qemuAgentCommand(self.domain, request_handle_json, 5, 0)) + + display.vvv(u"GA return: {0}".format(result_handle), host=self._host) + + request_read = { + 'execute': 'guest-file-read', + 'arguments': { + 'handle': result_handle['return'], + 'count': BUFSIZE + } + } + request_read_json = json.dumps(request_read) + + display.vvv(u"GA send: 
{0}".format(request_read_json), host=self._host) + + with open(to_bytes(out_path, errors='surrogate_or_strict'), 'wb+') as out_file: + try: + result_read = json.loads(libvirt_qemu.qemuAgentCommand(self.domain, request_read_json, 5, 0)) + display.vvvvv(u"GA return: {0}".format(result_read), host=self._host) + out_file.write(base64.b64decode(result_read['return']['buf-b64'])) + while not result_read['return']['eof']: + result_read = json.loads(libvirt_qemu.qemuAgentCommand(self.domain, request_read_json, 5, 0)) + display.vvvvv(u"GA return: {0}".format(result_read), host=self._host) + out_file.write(base64.b64decode(result_read['return']['buf-b64'])) + + except Exception: + traceback.print_exc() + raise AnsibleError("failed to transfer file %s to %s" % (in_path, out_path)) + + request_close = { + 'execute': 'guest-file-close', + 'arguments': { + 'handle': result_handle['return'] + } + } + request_close_json = json.dumps(request_close) + + display.vvv(u"GA send: {0}".format(request_close_json), host=self._host) + + result_close = json.loads(libvirt_qemu.qemuAgentCommand(self.domain, request_close_json, 5, 0)) + + display.vvv(u"GA return: {0}".format(result_close), host=self._host) + + def close(self): + ''' terminate the connection; nothing to do here ''' + super(Connection, self).close() + self._connected = False diff --git a/lib/plugins/libvirt_qemu.py b/lib/plugins/libvirt_qemu.py index ff93508..e3c6950 100644 --- a/lib/plugins/libvirt_qemu.py +++ b/lib/plugins/libvirt_qemu.py @@ -42,7 +42,7 @@ DOCUMENTATION = """ description: timeout for libvirt to connect to access the virtual machine required: false type: int - default: 5 + default: 10 """ import base64 
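Review bot: `lib/plugins/#libvirt_qemu.py#` follows the `#name#` auto-save naming Emacs uses and looks like an editor artifact committed by accident next to the real `lib/plugins/libvirt_qemu.py`; it also carries `self._timeout = sgelf.get_option('timeout', 10)` in `__init__`, which raises NameError if the file is ever imported. Drop it from the commit and add `\#*\#` to `.gitignore`. Since ansible.cfg points `callback_plugins` at `./lib/plugins/`, Ansible may try to import anything in that directory, so stray copies there are not harmless. This hunk is the whole 370-line file.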
@@ -98,7 +98,7 @@ class Connection(ConnectionBase): self.always_pipeline_modules = True self.module_implementation_preferences = ('.ps1', '.exe', '') self.allow_executable = False - self._timeout = self.get_option('timeout', 5) + self._timeout = self.get_option('timeout', 10) def _connect(self): ''' connect to the virtual machine; nothing to do here ''' @@ -122,7 +122,7 @@ class Connection(ConnectionBase): raise AnsibleConnectionFailure(to_native(err)) request_cap = json.dumps({'execute': 'guest-info'}) - response_cap = json.loads(libvirt_qemu.qemuAgentCommand(self.domain, request_cap, 5, 0)) + response_cap = json.loads(libvirt_qemu.qemuAgentCommand(self.domain, request_cap, self._timeout, 0)) self.capabilities = response_cap['return']['supported_commands'] self._display.vvvvv(u"GUEST CAPABILITIES: {0}".format(self.capabilities), host=self._host) missing_caps = [] @@ -201,7 +201,9 @@ class Connection(ConnectionBase): result_status = { 'return': dict(exited=False), } - while not result_status['return']['exited']: + i=0 + while not result_status['return']['exited'] and i < 20: + i = i + 1 # Wait for 5% of the time already elapsed sleep_time = (time.clock_gettime(time.CLOCK_MONOTONIC) - command_start) * (5 / 100) if sleep_time < 0.0002: @@ -209,7 +211,7 @@ class Connection(ConnectionBase): elif sleep_time > 1: sleep_time = 1 time.sleep(sleep_time) - result_status = json.loads(libvirt_qemu.qemuAgentCommand(self.domain, request_status_json, 5, 0)) + result_status = json.loads(libvirt_qemu.qemuAgentCommand(self.domain, request_status_json, self._timeout, 0)) if time.clock_gettime(time.CLOCK_MONOTONIC) > max_time: err = 'timeout' self._display.vv(u"ERROR: libvirtError EXEC TO {0}\n{1}".format(self._virt_uri, to_native(err)), host=self._host) 
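Review bot: `self.get_option('timeout', 10)` passes `10` as the second positional argument of `AnsiblePlugin.get_option`, which in Ansible 2.9 (the version pinned in the Makefile's ANSIBLE_PLUGINS path) is `hostvars`, not a fallback default — it works only because the `timeout` option declares no `vars:` and the DOCUMENTATION default is already 10. `self._timeout = self.get_option('timeout')` says what is meant and keeps the default in one place. If I read the 2.9 base class right, `__init__` also runs before the executor calls `set_options`, so the value captured here can only ever be the DOCUMENTATION default; reading it in `_connect` would let an ini/env source take effect if one is added later.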
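Review bot: The new `i < 20` bound makes the paced poll loop give up after twenty iterations, but when it exits that way `exited` is still false and control falls into the second `while not result_status['return']['exited']:` loop in the hunk at @@ -220, which polls with no sleep and no bound — so the cap turns a paced wait into an unbounded busy loop instead of ending the command. After the loop, treat the give-up like the existing `max_time` branch: `if not result_status['return']['exited']:` / `raise AnsibleConnectionFailure('timeout')`, and give the 20 a named module constant beside `iMAX_WAIT`. `i=0` and `i = i + 1` would read as `i = 0` and `i += 1` in the file's otherwise PEP 8 style.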
@@ -220,7 +222,7 @@ class Connection(ConnectionBase): display.vvv(u"GA return: {0}".format(result_status), host=self._host) while not result_status['return']['exited']: - result_status = json.loads(libvirt_qemu.qemuAgentCommand(self.domain, request_status_json, 5, 0)) + result_status = json.loads(libvirt_qemu.qemuAgentCommand(self.domain, request_status_json, self._timeout, 0)) display.vvv(u"GA return: {0}".format(result_status), host=self._host) @@ -263,7 +265,7 @@ class Connection(ConnectionBase): display.vvv(u"GA send: {0}".format(request_handle_json), host=self._host) - result_handle = json.loads(libvirt_qemu.qemuAgentCommand(self.domain, request_handle_json, 5, 0)) + result_handle = json.loads(libvirt_qemu.qemuAgentCommand(self.domain, request_handle_json, self._timeout, 0)) display.vvv(u"GA return: {0}".format(result_handle), host=self._host) @@ -283,7 +285,7 @@ class Connection(ConnectionBase): display.vvvvv(u"GA send: {0}".format(request_write_json), host=self._host) - result_write = json.loads(libvirt_qemu.qemuAgentCommand(self.domain, request_write_json, 5, 0)) + result_write = json.loads(libvirt_qemu.qemuAgentCommand(self.domain, request_write_json, self._timeout, 0)) display.vvvvv(u"GA return: {0}".format(result_write), host=self._host) @@ -301,7 +303,7 @@ class Connection(ConnectionBase): display.vvv(u"GA send: {0}".format(request_close_json), host=self._host) - result_close = json.loads(libvirt_qemu.qemuAgentCommand(self.domain, request_close_json, 5, 0)) + result_close = json.loads(libvirt_qemu.qemuAgentCommand(self.domain, request_close_json, self._timeout, 0)) display.vvv(u"GA return: {0}".format(result_close), host=self._host) 
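Review bot: Every guest-agent call now reads `json.loads(libvirt_qemu.qemuAgentCommand(self.domain, <request>_json, self._timeout, 0))`, repeated here and in the hunks at @@ -263, @@ -283, @@ -301, @@ -321, @@ -338 and @@ -360, and only the one in exec_command catches `libvirt.libvirtError`; a failure inside `put_file`/`fetch_file` surfaces as a raw traceback through the generic `except Exception`. A small method that serialises the request, applies `self._timeout`, names the `0` flags argument and maps `libvirtError` to `AnsibleConnectionFailure` would make the next timeout change a one-line edit and give the file transfers the same error handling as exec. Each call site then becomes `result_handle = self._agent_command(request_handle)` with its `json.dumps` line removed.
```python
    def _agent_command(self, request, flags=0):
        """Send one qemu guest-agent request (a dict) and return the decoded reply.

        Applies the plugin's timeout and turns libvirt errors into connection failures.
        """
        request_json = json.dumps(request)
        display.vvvvv(u"GA send: {0}".format(request_json), host=self._host)
        try:
            reply = libvirt_qemu.qemuAgentCommand(self.domain, request_json, self._timeout, flags)
        except libvirt.libvirtError as err:
            self._connected = False
            raise AnsibleConnectionFailure(to_native(err))
        return json.loads(reply)
```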
@@ -321,7 +323,7 @@ class Connection(ConnectionBase):
 display.vvv(u"GA send: {0}".format(request_handle_json), host=self._host)
- result_handle = json.loads(libvirt_qemu.qemuAgentCommand(self.domain, request_handle_json, 5, 0))
+ result_handle = json.loads(libvirt_qemu.qemuAgentCommand(self.domain, request_handle_json, self._timeout, 0))
 display.vvv(u"GA return: {0}".format(result_handle), host=self._host)
@@ -338,11 +340,11 @@ class Connection(ConnectionBase):
 with open(to_bytes(out_path, errors='surrogate_or_strict'), 'wb+') as out_file:
 try:
- result_read = json.loads(libvirt_qemu.qemuAgentCommand(self.domain, request_read_json, 5, 0))
+ result_read = json.loads(libvirt_qemu.qemuAgentCommand(self.domain, request_read_json, self._timeout, 0))
 display.vvvvv(u"GA return: {0}".format(result_read), host=self._host)
 out_file.write(base64.b64decode(result_read['return']['buf-b64']))
 while not result_read['return']['eof']:
- result_read = json.loads(libvirt_qemu.qemuAgentCommand(self.domain, request_read_json, 5, 0))
+ result_read = json.loads(libvirt_qemu.qemuAgentCommand(self.domain, request_read_json, self._timeout, 0))
 display.vvvvv(u"GA return: {0}".format(result_read), host=self._host)
 out_file.write(base64.b64decode(result_read['return']['buf-b64']))
@@ -360,7 +362,7 @@ class Connection(ConnectionBase):
 display.vvv(u"GA send: {0}".format(request_close_json), host=self._host)
- result_close = json.loads(libvirt_qemu.qemuAgentCommand(self.domain, request_close_json, 5, 0))
+ result_close = json.loads(libvirt_qemu.qemuAgentCommand(self.domain, request_close_json, self._timeout, 0))
 display.vvv(u"GA return: {0}".format(result_close), host=self._host)
diff --git a/roles/ansible-gentoo_install/defaults/main.yml b/roles/ansible-gentoo_install/defaults/main.yml
index b0d37f3..1db4379 100644
--- a/roles/ansible-gentoo_install/defaults/main.yml
+++ b/roles/ansible-gentoo_install/defaults/main.yml
@@ -14,7 +14,7 @@ AGI_PROXY_MODE: "{{PROXY_MODE|default('')}}" AGI_use_local_kernel: false AGI_install_disklabel: msdos -AGI_install_timezone: UTC +AGI_install_timezone: "{{ BASE_TIMEZONE|default('Etc/UTC') }}" AGI_install_locales: - en_US ISO-8859-1 - en_US.UTF-8 UTF-8 @@ -28,9 +28,9 @@ AGI_install_network_interfaces: config: dhcp AGI_container_disk: /dev/vda -AGI_install_syslog_daemon: syslog-ng # app-admin/sysklogd -AGI_install_cron_daemon: cronie -AGI_install_bootloader: syslinux +AGI_install_syslog_daemon: syslog-ng # sysklogd +AGI_install_cron_daemon: cronie # +AGI_install_bootloader: syslinux # grub:2 AGI_install_syslinux_kernel_line: # this is required I think @@ -48,11 +48,11 @@ AGI_install_syslinux_kernel_line: # =0x37f works too - vga=789 # these may not all be needed or useful in a container - - pti=on - - iommu=pt - - amd_iommu=on - - intel_iommu=on - - debug +# - pti=on +# - iommu=pt +# - amd_iommu=on +# - intel_iommu=on +# - debug # remove the unused ones: AGI_install_syslinux_c32: diff --git a/roles/ansible-gentoo_install/files/firewall.conf b/roles/ansible-gentoo_install/files/firewall.conf new file mode 100644 index 0000000..95be870 --- /dev/null +++ b/roles/ansible-gentoo_install/files/firewall.conf 
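Review bot: Commenting out `pti=on`, `iommu=pt`, `amd_iommu=on` and `intel_iommu=on` in `AGI_install_syslinux_kernel_line` removes mitigation and IOMMU parameters from the syslinux boot line while the GRUB path in `tasks/bootloader.yml` in this same commit still passes `intel_iommu=on`, so the two bootloaders now boot the same image with different kernel settings. Dropping `pti=on` is probably harmless because recent kernels enable PTI automatically on affected CPUs, but the reason should be recorded rather than left as "may not all be needed", e.g. `# pti/iommu flags dropped: the kernel auto-selects PTI on affected CPUs and IOMMU options have no effect inside a container`. Either keep the IOMMU flags in both places or remove them from both so the bootloader choice does not change the security posture.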
@@ -0,0 +1,171 @@ +# Generated by iptables-save v1.8.5 on Wed Nov 4 01:14:37 2020 +*mangle +:PREROUTING ACCEPT [0:0] +:INPUT ACCEPT [0:0] +:FORWARD ACCEPT [0:0] +:OUTPUT ACCEPT [0:0] +:POSTROUTING ACCEPT [0:0] +:LIBVIRT_PRT - [0:0] +-A INPUT -j LOG --log-prefix "iptables_libvirt mangle-i: " --log-uid +-A POSTROUTING -j LIBVIRT_PRT +COMMIT +# Completed on Wed Nov 4 01:14:37 2020 + +# Generated by iptables-save v1.8.5 on Wed Nov 4 01:14:37 2020 +*nat +:PREROUTING ACCEPT [0:0] +:INPUT ACCEPT [0:0] +:OUTPUT ACCEPT [0:0] +:POSTROUTING ACCEPT [0:0] +:LIBVIRT_PRT - [0:0] + +# was ! -o lo +-A OUTPUT -o wlan6 -p tcp --dport 53 -m tcp -j DNAT --to-destination 127.0.0.1:53 +-A OUTPUT -o wlan6 -p udp --dport 53 -m udp -j DNAT --to-destination 127.0.0.1:53 + +# .onion mapped addresses redirection to Tor. +-A OUTPUT -d 172.16.0.0/12 -p tcp -m tcp -j DNAT --to-destination 127.0.0.1:9040 +## Log. +-A INPUT -j LOG --log-prefix "iptables_libvirt_nat-i: " --log-uid +-A POSTROUTING -j LIBVIRT_PRT +-A LIBVIRT_PRT -s 10.0.2.0/24 -d 224.0.0.0/24 -j RETURN +-A LIBVIRT_PRT -s 10.0.2.0/24 -d 255.255.255.255/32 -j RETURN +-A LIBVIRT_PRT -s 10.0.2.0/24 ! -d 10.0.2.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535 +-A LIBVIRT_PRT -s 10.0.2.0/24 ! -d 10.0.2.0/24 -p udp -j MASQUERADE --to-ports 1024-65535 +-A LIBVIRT_PRT -s 10.0.2.0/24 ! -d 10.0.2.0/24 -j MASQUERADE +COMMIT +# Completed on Wed Nov 4 01:14:37 2020 +# Generated by iptables-save v1.8.5 on Wed Nov 4 01:14:37 2020 +*filter +:INPUT ACCEPT [0:0] +:FORWARD DROP [0:0] +:OUTPUT DROP [0:0] +:LIBVIRT_FWI - [0:0] +:LIBVIRT_FWO - [0:0] +:LIBVIRT_FWX - [0:0] +:LIBVIRT_INP - [0:0] +:LIBVIRT_OUT - [0:0] + +## DROP PACKETS WITH INCOMING FRAGMENTS. 
THIS ATTACK ONCE RESULTED IN KERNEL PANICS +-A INPUT -f -j DROP +## DROP INCOMING MALFORMED XMAS PACKETS +-A INPUT -p tcp --tcp-flags ALL ALL -j DROP +## DROP INCOMING MALFORMED NULL PACKETS +-A INPUT -p tcp --tcp-flags ALL NONE -j DROP + +-A INPUT -i lo -j ACCEPT +## Traffic on the loopback interface is accepted. +-A INPUT -i lo -j ACCEPT +## Established incoming connections are accepted. RELATED? +-A INPUT -m state --state ESTABLISHED -j ACCEPT +### this is required for outgoing pings +-A INPUT -i wlan6 -p icmp -j LOG --log-prefix "iptables_icmp_ACCEPT-i: " --log-uid +-A INPUT -i wlan6 -p icmp -j ACCEPT + +# let dhcp through? - YES +-A INPUT -i wlan6 -p udp -m udp --sport 137 -j DROP +-A INPUT -i wlan6 -p udp -m udp --sport 138 -j DROP +-A INPUT -i wlan6 -p udp -m udp --sport 139 -j DROP +-A INPUT -i wlan6 -p tcp --sport 9055 -j DROP +-A INPUT -i wlan6 -p tcp --sport 9054 -j DROP +-A INPUT -i wlan6 -p tcp --sport 9053 -j DROP +-A INPUT -i wlan6 -p tcp --sport 9051 -j DROP + -A INPUT -i wlan6 -p udp --sport 53 -j ACCEPT + +# SRC=0.0.0.0 DST=255.255.255.255 PROTO=UDP SPT=68 DPT=67 +-A INPUT -j LOG --log-prefix "iptables_libvirt_jLIBVIRT_INP-i: " --log-uid +# -A INPUT -i wlan6 -p udp -j DROP +-A INPUT -i wlan6 -j DROP + +-A INPUT -j LIBVIRT_INP + +-A FORWARD -j LIBVIRT_FWX +-A FORWARD -j LIBVIRT_FWI +-A FORWARD -j LIBVIRT_FWO +#d#-A OUTPUT -o wlan6 -p icmp -j LOG --log-prefix iptables_icmp_ACCEPT-o: --log-uid +## Traffic on the loopback interface is accepted. +-A OUTPUT -o lo -j ACCEPT + +## Existing connections are accepted. +-A OUTPUT -m state --state ESTABLISHED -j ACCEPT +-A OUTPUT -o wlan6 -p icmp -j LOG --log-prefix "iptables_icmp_ACCEPT-o: " --log-uid +-A OUTPUT -o wlan6 -p icmp -j ACCEPT +# st-routers.mcast.net. 
+-A OUTPUT -o wlan6 -p udp -d 224.0.0.0/8 -j REJECT + +## Accept outgoing connections to local network, Whonix-Workstation and VirtualBox, +-A OUTPUT -d 192.168.1.0/24 -j ACCEPT +-A OUTPUT -d 10.0.2.0/24 -j ACCEPT + +# gateway +#-A OUTPUT -d 10.0.2.0/24 -j ACCEPT + +-A OUTPUT -o wlan6 -d 10.16.238.0/24 -j ACCEPT +-A OUTPUT -o wlan6 -d 10.0.0.0/8 -j DROP +-A OUTPUT -o wlan6 -d 172.16.0.0/12 -j DROP +#-A OUTPUT -o wlan6 -d 192.168.0.0/16 -j DROP +-A OUTPUT -o wlan6 -d 224.0.0.0/4 -j DROP +-A OUTPUT -o wlan6 -d 240.0.0.0/5 -j DROP + +# The ntp user is allowed to connect to services listening on the ntp port... +# If root runs ntpdate manually you will see requests to port 53 UID=0 +#-A OUTPUT -o wlan6 -m owner --gid-owner 226 -p udp --dport 123 -j LOG --log-uid --log-prefix "iptables_123_ACCEPT-o: " +-A OUTPUT -o wlan6 -m owner --gid-owner 226 -p UDP --dport 123 -j ACCEPT +-A OUTPUT -o wlan6 -m owner --uid-owner 0 -p UDP --dport 123 -j ACCEPT +#-A OUTPUT -o wlan6 -m tcp -p TCP --dport 22 -j LOG --log-uid --log-prefix "IPTABLES_ssh_REJECT: " +-A OUTPUT -o wlan6 -m tcp -p TCP --dport 22 -j REJECT --reject-with icmp-port-unreachable +#test-A OUTPUT -o virbr1 -m tcp -p TCP --dport 22 -j LOG --log-uid --log-prefix "iptables_: " +-A OUTPUT -o wlan6 -m owner -p tcp --gid-owner 216 -j ACCEPT +-A OUTPUT -o wlan6 -m owner --gid-owner 1 -j ACCEPT + +-A OUTPUT -o virbr1 -m tcp -p TCP --dport 22 -j ACCEPT +-A OUTPUT -o virbr1 -m tcp -p TCP --dport 9028 -j LOG --log-uid --log-prefix "iptables_: " +-A OUTPUT -o virbr1 -m tcp -p TCP --dport 9028 -j ACCEPT +-A OUTPUT -o virbr1 -m tcp -p TCP --dport 9040 -j LOG --log-uid --log-prefix "iptables_: " +-A OUTPUT -o virbr1 -m tcp -p TCP --dport 9040 -j ACCEPT +-A OUTPUT -o virbr1 -m tcp -p TCP --dport 9050 -j LOG --log-uid --log-prefix "iptables_: " +-A OUTPUT -o virbr1 -m tcp -p TCP --dport 9050 -j ACCEPT +-A OUTPUT -o virbr1 -m tcp -p TCP --dport 9053 -j LOG --log-uid --log-prefix "iptables_: " +-A OUTPUT -o virbr1 -m tcp -p TCP --dport 
9053 -j ACCEPT +-A OUTPUT -o virbr1 -m udp -p udp --dport 9053 -j ACCEPT +-A OUTPUT -j LIBVIRT_OUT +-A LIBVIRT_FWI -o virbr1 -j LOG --log-uid --log-prefix "IPTABLES_FWI_REJECT-o: " +-A LIBVIRT_FWI -o virbr2 -j REJECT --reject-with icmp-port-unreachable + +-A LIBVIRT_FWI -d 10.0.2.0/24 -o virbr1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT + +-A LIBVIRT_FWI -o virbr1 -j LOG --log-uid --log-prefix "IPTABLES_FWI_REJECT-o: " +-A LIBVIRT_FWI -o virbr1 -j REJECT --reject-with icmp-port-unreachable + +-A LIBVIRT_FWO -i virbr2 -j LOG --log-uid --log-prefix "IPTABLES_FWO_REJECT-i: " +-A LIBVIRT_FWO -i virbr2 -j REJECT --reject-with icmp-port-unreachable + +-A LIBVIRT_FWO -s 10.0.2.0/24 -i virbr1 -j ACCEPT + +-A LIBVIRT_FWO -i virbr1 -j LOG --log-uid --log-prefix "IPTABLES_FWO_REJECT-i: " +-A LIBVIRT_FWO -i virbr1 -j REJECT --reject-with icmp-port-unreachable + +-A LIBVIRT_FWX -i virbr2 -o virbr2 -j ACCEPT +-A LIBVIRT_FWX -i virbr1 -o virbr1 -j ACCEPT + +-A LIBVIRT_INP -i virbr2 -p udp -m udp --dport 53 -j ACCEPT +-A LIBVIRT_INP -i virbr2 -p tcp -m tcp --dport 53 -j ACCEPT +-A LIBVIRT_INP -i virbr2 -p udp -m udp --dport 67 -j ACCEPT +-A LIBVIRT_INP -i virbr2 -p tcp -m tcp --dport 67 -j ACCEPT + +-A LIBVIRT_INP -i virbr1 -p udp -m udp --dport 53 -j ACCEPT +-A LIBVIRT_INP -i virbr1 -p tcp -m tcp --dport 53 -j ACCEPT +-A LIBVIRT_INP -i virbr1 -p udp -m udp --dport 67 -j ACCEPT +-A LIBVIRT_INP -i virbr1 -p tcp -m tcp --dport 67 -j ACCEPT + +-A LIBVIRT_OUT -o virbr2 -p udp -m udp --dport 53 -j ACCEPT +-A LIBVIRT_OUT -o virbr2 -p tcp -m tcp --dport 53 -j ACCEPT +-A LIBVIRT_OUT -o virbr2 -p udp -m udp --dport 68 -j ACCEPT +-A LIBVIRT_OUT -o virbr2 -p tcp -m tcp --dport 68 -j ACCEPT + +-A LIBVIRT_OUT -o virbr1 -p udp -m udp --dport 53 -j ACCEPT +-A LIBVIRT_OUT -o virbr1 -p tcp -m tcp --dport 53 -j ACCEPT +-A LIBVIRT_OUT -o virbr1 -p udp -m udp --dport 68 -j ACCEPT +-A LIBVIRT_OUT -o virbr1 -p tcp -m tcp --dport 68 -j ACCEPT +COMMIT +# Completed on Wed Nov 4 01:14:37 2020 
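Review bot: The `*filter` table keeps `:INPUT ACCEPT` and its only catch-all is `-A INPUT -i wlan6 -j DROP`, so packets arriving on `virbr1`/`virbr2` that `LIBVIRT_INP` does not match (it accepts only DNS and DHCP) fall through to the ACCEPT policy and a guest on the External network can reach whatever is listening on the host. Add `-A INPUT -i virbr+ -j DROP` after `-A INPUT -j LIBVIRT_INP`, or set `:INPUT DROP [0:0]` and keep the explicit accepts. `-A INPUT -m state --state ESTABLISHED -j ACCEPT` omits RELATED (the inline `RELATED?` comment already asks), so ICMP errors for existing flows are dropped rather than delivered. The first `-A LIBVIRT_FWI -o virbr1 -j LOG` line precedes the RELATED,ESTABLISHED accept and therefore logs every return packet to the guest under the misleading `IPTABLES_FWI_REJECT-o:` prefix. The `--gid-owner 226`, `216` and `1` matches and the hard-coded `wlan6` are values from one particular host and will map to different groups and interfaces on a freshly built image; use group names (`--gid-owner tor`) and template the interface if this file is meant to be installed by the role.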
diff --git a/roles/ansible-gentoo_install/tasks/bootloader.yml b/roles/ansible-gentoo_install/tasks/bootloader.yml index 9d3fd89..9a9dfcf 100644 --- a/roles/ansible-gentoo_install/tasks/bootloader.yml +++ b/roles/ansible-gentoo_install/tasks/bootloader.yml @@ -42,8 +42,8 @@ label pentoo2019-Pen19-6.1.52-pentoo_2023_09_30_0x037f menu label pentoo2019_Pen19_6.1.52-pentoo_2023_09_30_0x037f menu default - kernel vmlinuz-6.1.52-pentoo_2023_09_30 - INITRD initramfs-pentoo-x86_64-6.1.52-pentoo_2023_09_30.img + kernel /vmlinuz-6.1.52-pentoo_2023_09_30 + INITRD /initramfs-pentoo-x86_64-6.1.52-pentoo_2023_09_30.img # was vga=0x315 APPEND root=LABEL=root {{''.join(AGI_install_syslinux_kernel_commands)}} 
@@ -106,7 +106,39 @@ -i /etc/default/grub grub-script-check /etc/default/grub - when: AGI_install_bootloader == 'grub:2' + - name: roles/ansible-gentoo_install/tasks/ + shell: | + LINE="rd.skipfsck=1 ipv6.disable=1 console=ttys0 lang=en keymap=us " + # LINE="$LINE pti=on doscsi iommu=pt amd_iommu=on debugfs=off efi=disable_early_pci_dma extra_latent_entropy init_on_free=1 kvm.nx_huge_pages=force l1tf=full,force mce=0 mds=full,nosmt nosmt=force page_alloc.shuffle=1 pti=on random.trust_cpu=off slab_nomerge slub_debug=FZ spec_store_bypass_disable=on spectre_v2=on tsx_async_abort=full,nosmt vsyscall=none " + LINE="$LINE intel_iommu=on vga=0x315 text + df | grep /boot || mount /dev/vda1 /boot + [ -d /boot/grub ] || exit 2 + [ -f /boot/grub/grub.cfg ] || exit 3 + cd / + # boot/initramfs-pentoo-x86_64-6.1.52-pentoo_2023_09_30.img + + - name: /etc/default/grub + lineinfile: + dest: /etc/default/grub + line: '{{item.from}}="{{item.to}}"' + regexp: '^#*{{item.from}}=.*' + with_items: + # Append parameters to the linux kernel command line for non-recovery entries + - from: GRUB_CMDLINE_LINUX_DEFAULT + to: " rd.skipfsck=1 ipv6.disable=1 console=ttyS0 lang=en keymap=us intel_iommu=on vga=0x315 text" + # The resolution used on graphical terminal. + # Note that you can use only modes which your graphic card supports via VBE. + # You can see them in real GRUB with the command `vbeinfo'. + - from: GRUB_GFXMODE + to: 640x480 + # Set to 'text' to force the Linux kernel to boot in normal text + - from: GRUB_GFXPAYLOAD_LINUX + to: text + # Uncomment if you don't want GRUB to pass "root=UUID=xxx" parameter to kernel + - from: GRUB_DISABLE_LINUX_UUID + to: true + + when: AGI_install_bootloader == 'grub:2' - name: fstab root lineinfile: 
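Review bot: In the relocated `shell:` task the line `LINE="$LINE intel_iommu=on vga=0x315 text` has no closing double quote (as rendered here; the removed copy of the task in the next hunk carries the same defect), so the shell absorbs the following `df`, `mount` and `[ -d /boot/grub ]` lines into the string and aborts on an unterminated quote instead of running its checks. `LINE` is also never used after being assembled, and its `console=ttys0` disagrees with `console=ttyS0` in the `GRUB_CMDLINE_LINUX_DEFAULT` item (the serial device name is case-sensitive), so either delete the `LINE=` assignments or close the quote: `LINE="$LINE intel_iommu=on vga=0x315 text"`. The `mount /dev/vda1 /boot` fallback hard-codes the device where `AGI_container_disk` from `defaults/main.yml` is the variable to derive it from. The task list and the closing `when: AGI_install_bootloader == 'grub:2'` indentation are only partly visible in the hunk.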
@@ -151,54 +183,36 @@ dest: /etc/conf.d/consolefont line: 'consolefont="ter-v{{AGI_consolefont_font_size}}b"' regexp: '^consolefont=.*' - -- name: /etc/default/grub - lineinfile: - dest: /etc/default/grub - line: '{{item.from}}="{{item.to}}"' - regexp: '^#*{{item.from}}=.*' - with_items: - # Append parameters to the linux kernel command line for non-recovery entries - - from: GRUB_CMDLINE_LINUX_DEFAULT - to: " rd.skipfsck=1 ipv6.disable=1 console=tty1 lang=en keymap=us intel_iommu=on vga=0x315 text" - # The resolution used on graphical terminal. - # Note that you can use only modes which your graphic card supports via VBE. - # You can see them in real GRUB with the command `vbeinfo'. - - from: GRUB_GFXMODE - to: 640x480 - # Set to 'text' to force the Linux kernel to boot in normal text - - from: GRUB_GFXPAYLOAD_LINUX - to: text - # Uncomment if you don't want GRUB to pass "root=UUID=xxx" parameter to kernel - - from: GRUB_DISABLE_LINUX_UUID - to: true - -- name: roles/ansible-gentoo_install/tasks/ - shell: | - LINE="rd.skipfsck=1 ipv6.disable=1 console=tty1 lang=en keymap=us " - # LINE="$LINE pti=on doscsi iommu=pt amd_iommu=on debugfs=off efi=disable_early_pci_dma extra_latent_entropy init_on_free=1 kvm.nx_huge_pages=force l1tf=full,force mce=0 mds=full,nosmt nosmt=force page_alloc.shuffle=1 pti=on random.trust_cpu=off slab_nomerge slub_debug=FZ spec_store_bypass_disable=on spectre_v2=on tsx_async_abort=full,nosmt vsyscall=none " - LINE="$LINE intel_iommu=on vga=0x315 text - df | grep /boot || mount /dev/vda1 /boot - [ -d /boot/grub ] || exit 2 - [ -f /boot/grub/grub.cfg ] || exit 3 - cd / -# ln -s boot/vmlinuz* vmlinuz - # boot/initramfs-pentoo-x86_64-6.1.52-pentoo_2023_09_30.img - ln -s boot/initramfs* initrd.img - + - name: consolefont shell: | - cat >> /etc/rc.local << EOF + grep -q /etc/init.d/consolefont /etc/rc.local || \ + cat >> /etc/rc.local << EOF + #!/bin/sh /etc/init.d consolefont stop /etc/init.d consolefont start - stty -F /dev/tty1 cols 80 rows 24 
+ # these are right for ter-v28b consolefont + if tty|grep -q /dev/ttyS0 ; then + stty cols 80 rows 35 + elif tty|grep -q /dev/tty[1-6] ; then + stty cols 80 rows 22 + fi EOF - bash /etc/rc.local + chmod 755 /etc/rc.local ignore_errors: true - name: rc-update add bootlogd boot shell: | + [ -d /etc/modules-load.d ] || mkdir /etc/modules-load.d + [ -f /etc/modules-load.d/virtio.conf ] || \ + echo "{{'\n'.join(AGI_bootstrap_modules)}}" \ + > /etc/modules-load.d/virtio.conf rc-update add consolefont rc-update | grep -q 'bootlogd .* boot' || \ rc-update add bootlogd boot + grep -q '^s0:' /etc/inittab || \ + sed -e 's/^#s0:/s0:/' /etc/inittab + + exit 0 + diff --git a/roles/ansible-gentoo_install/tasks/chroot.yml b/roles/ansible-gentoo_install/tasks/chroot.yml index 8e20109..d52b8cb 100644 --- a/roles/ansible-gentoo_install/tasks/chroot.yml +++ b/roles/ansible-gentoo_install/tasks/chroot.yml @@ -18,9 +18,11 @@ - name: copy resolv.conf into chroot copy: - src: /etc/resolv.conf - dest: "{{AGI_NBD_MP}}/etc/resolv.conf" + src: "/{{item}}" + dest: "{{AGI_NBD_MP}}/{{item}}" + mode: '0644' remote_src: yes + with_items: "{{AGI_bootstrap_files}}" when: not ansible_check_mode - name: mount /proc in chroot diff --git a/roles/ansible-gentoo_install/tasks/libvirt.yml b/roles/ansible-gentoo_install/tasks/libvirt.yml new file mode 100644 index 0000000..e6b8255 --- /dev/null +++ b/roles/ansible-gentoo_install/tasks/libvirt.yml 
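Review bot: In the `rc-update add bootlogd boot` task, `grep -q '^s0:' /etc/inittab || sed -e 's/^#s0:/s0:/' /etc/inittab` runs sed without `-i`, so the edited inittab is written to stdout and the serial getty line is never uncommented, and the trailing `exit 0` then hides the fact that nothing changed. Change it to `sed -i -e 's/^#s0:/s0:/' /etc/inittab` and drop the `exit 0` so a real failure is reported. In the `consolefont` task the appended heredoc begins with `#!/bin/sh` even when `/etc/rc.local` already has content, which leaves a shebang mid-file; managing the file with `copy:` or `blockinfile:` instead of `cat >>` avoids that, and `ignore_errors: true` on the same task masks the same class of silent failure.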
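Review bot: `mode: '0644'` now applies uniformly to every entry of `AGI_bootstrap_files`, which after this commit includes the `usr/local/bin/*.bash` and `usr/local/etc/local.d/*.bash` scripts, so they arrive in the chroot without their executable bit (the `find ... -exec chmod 755` added to `tasks/misc.yml` is a workaround for exactly this). With `remote_src: yes` the copy module accepts `mode: preserve`, which keeps each source file's mode and so gives the scripts 0755 and `etc/hosts`/`etc/resolv.conf` their usual 0644; use that and the chmod pass becomes unnecessary. Copying the host's `/etc/hosts` also bakes host-specific names and addresses into a guest image intended for a Tor-gated network; if that is not deliberate, write a minimal hosts file from a template instead.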
@@ -0,0 +1,23 @@ +# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*- +# localhost +--- +- name: "DEBUG: ansible-gentoo_install libvirt" + debug: + verbosity: 1 + msg: "DEBUG: ansible-gentoo_install libvirt" + +- name: test we are NOT in the chroot + shell: | + [ -n "{{AGI_NBD_MP}}" ] || exit 2 + [ -d "{{AGI_NBD_MP}}" ] || exit 3 + check_mode: false + +# - name: setup libvirt network +# - name: setup libvirt iptables +# net.ipv4.conf.virbr1.forwarding = 1 +# net.ipv4.ip_forward = 1 +# mkdir /etc/libvirt/qemu +# qemu-ga -D > /etc/libvirt/qemu/qemu-ga.conf +# for elt in unix-listen virtio-serial isa-serial vsock-listen ; do +# /etc/conf.d/qemu-ga + diff --git a/roles/ansible-gentoo_install/tasks/local.yml b/roles/ansible-gentoo_install/tasks/local.yml index d844bd0..66cd1f4 100644 --- a/roles/ansible-gentoo_install/tasks/local.yml +++ b/roles/ansible-gentoo_install/tasks/local.yml @@ -85,6 +85,7 @@ state: mounted check_mode: false + - include: libvirt.yml - include: tarball.yml - include: copy.yml when: AGI_use_local_kernel diff --git a/roles/ansible-gentoo_install/tasks/main.yml b/roles/ansible-gentoo_install/tasks/main.yml index a5083b0..4c36cd5 100644 --- a/roles/ansible-gentoo_install/tasks/main.yml +++ b/roles/ansible-gentoo_install/tasks/main.yml @@ -131,13 +131,10 @@ var: ansible_gentooimgr_out check_mode: false - when: - - ansible_connection in ['chroot', 'local', 'libvirt_qemu'] - - ansible_distribution == 'Gentoo' or BOX_GENTOO_FROM_MP not in ['/', ''] -# - nbd_disk|default('') == AGI_NBD_DISK -- name: include_tasks local.yml - include_tasks: local.yml + - name: include_tasks local.yml + include_tasks: local.yml + when: - ansible_connection in ['chroot', 'local'] - ansible_distribution == 'Gentoo' or BOX_GENTOO_FROM_MP not in ['/', ''] diff --git a/roles/ansible-gentoo_install/tasks/misc.yml b/roles/ansible-gentoo_install/tasks/misc.yml index ed8b303..3794523 100644 --- a/roles/ansible-gentoo_install/tasks/misc.yml 
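Review bot: The task named `test we are NOT in the chroot` only verifies that `AGI_NBD_MP` is non-empty and names a directory, which holds equally well inside the chroot whenever that path exists there, so it does not establish what its name claims. Guard the include with `when: ansible_connection != 'chroot'`, or test the actual mount with `mountpoint -q "{{AGI_NBD_MP}}" || exit 3`, and rename the task to describe the check it performs. The `check_mode: false` is appropriate for a read-only probe but deserves a one-line comment, and the commented-out sysctl/qemu-ga notes should be marked as work not yet automated, e.g. `# TODO: libvirt network, iptables and qemu-ga setup are still manual`.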
+++ b/roles/ansible-gentoo_install/tasks/misc.yml @@ -15,6 +15,10 @@ for elt in {{ AGI_bootstrap_mountpoints|join(' ') }} ; do [ -d $elt ] || mkdir $elt done + # 700 files from ansible umask + find /usr/local/*bin/ /usr/local/etc/ -name '*sh' -exec chmod 755 {} \; + find /usr/local/ -type f -exec chown ${BOX_USER_NAME}:${BOX_USER_GROUP} {} \; + exit 0 when: AGI_bootstrap_mountpoints|default([])|length > 0 @@ -32,7 +36,7 @@ dest: /etc/localtime src: /usr/share/zoneinfo/{{ AGI_install_timezone }} state: link - force: yes + force: no - name: configure locales lineinfile: diff --git a/roles/ansible-gentoo_install/templates/etc/firewall_External-tor.conf b/roles/ansible-gentoo_install/templates/etc/firewall_External-tor.conf new file mode 100644 index 0000000..95be870 --- /dev/null +++ b/roles/ansible-gentoo_install/templates/etc/firewall_External-tor.conf 
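Review bot: `find /usr/local/ -type f -exec chown ${BOX_USER_NAME}:${BOX_USER_GROUP} {} \;` hands ownership of every file under `/usr/local`, including the `*bin/*sh` scripts the previous line just made executable, to the unprivileged box user, so anything root later executes or sources from `/usr/local/bin` or `/usr/local/etc` (the role places `proxy_export.bash` and the `local.d` scripts there) becomes user-writable, which is a direct root-escalation path. Keep the files root-owned and only open the mode (`chmod 755`), or chown a dedicated subtree the user genuinely needs to write. `${BOX_USER_NAME}` and `${BOX_USER_GROUP}` are also shell variable references inside a `shell:` block rather than Jinja `{{ BOX_USER_NAME }}`, so unless both are exported into the task environment they expand to empty, and the trailing `exit 0` swallows the resulting chown error. `-name '*sh'` additionally matches any filename ending in `sh`, not only shell scripts.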
@@ -0,0 +1,171 @@ +# Generated by iptables-save v1.8.5 on Wed Nov 4 01:14:37 2020 +*mangle +:PREROUTING ACCEPT [0:0] +:INPUT ACCEPT [0:0] +:FORWARD ACCEPT [0:0] +:OUTPUT ACCEPT [0:0] +:POSTROUTING ACCEPT [0:0] +:LIBVIRT_PRT - [0:0] +-A INPUT -j LOG --log-prefix "iptables_libvirt mangle-i: " --log-uid +-A POSTROUTING -j LIBVIRT_PRT +COMMIT +# Completed on Wed Nov 4 01:14:37 2020 + +# Generated by iptables-save v1.8.5 on Wed Nov 4 01:14:37 2020 +*nat +:PREROUTING ACCEPT [0:0] +:INPUT ACCEPT [0:0] +:OUTPUT ACCEPT [0:0] +:POSTROUTING ACCEPT [0:0] +:LIBVIRT_PRT - [0:0] + +# was ! -o lo +-A OUTPUT -o wlan6 -p tcp --dport 53 -m tcp -j DNAT --to-destination 127.0.0.1:53 +-A OUTPUT -o wlan6 -p udp --dport 53 -m udp -j DNAT --to-destination 127.0.0.1:53 + +# .onion mapped addresses redirection to Tor. +-A OUTPUT -d 172.16.0.0/12 -p tcp -m tcp -j DNAT --to-destination 127.0.0.1:9040 +## Log. +-A INPUT -j LOG --log-prefix "iptables_libvirt_nat-i: " --log-uid +-A POSTROUTING -j LIBVIRT_PRT +-A LIBVIRT_PRT -s 10.0.2.0/24 -d 224.0.0.0/24 -j RETURN +-A LIBVIRT_PRT -s 10.0.2.0/24 -d 255.255.255.255/32 -j RETURN +-A LIBVIRT_PRT -s 10.0.2.0/24 ! -d 10.0.2.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535 +-A LIBVIRT_PRT -s 10.0.2.0/24 ! -d 10.0.2.0/24 -p udp -j MASQUERADE --to-ports 1024-65535 +-A LIBVIRT_PRT -s 10.0.2.0/24 ! -d 10.0.2.0/24 -j MASQUERADE +COMMIT +# Completed on Wed Nov 4 01:14:37 2020 +# Generated by iptables-save v1.8.5 on Wed Nov 4 01:14:37 2020 +*filter +:INPUT ACCEPT [0:0] +:FORWARD DROP [0:0] +:OUTPUT DROP [0:0] +:LIBVIRT_FWI - [0:0] +:LIBVIRT_FWO - [0:0] +:LIBVIRT_FWX - [0:0] +:LIBVIRT_INP - [0:0] +:LIBVIRT_OUT - [0:0] + +## DROP PACKETS WITH INCOMING FRAGMENTS. 
THIS ATTACK ONCE RESULTED IN KERNEL PANICS +-A INPUT -f -j DROP +## DROP INCOMING MALFORMED XMAS PACKETS +-A INPUT -p tcp --tcp-flags ALL ALL -j DROP +## DROP INCOMING MALFORMED NULL PACKETS +-A INPUT -p tcp --tcp-flags ALL NONE -j DROP + +-A INPUT -i lo -j ACCEPT +## Traffic on the loopback interface is accepted. +-A INPUT -i lo -j ACCEPT +## Established incoming connections are accepted. RELATED? +-A INPUT -m state --state ESTABLISHED -j ACCEPT +### this is required for outgoing pings +-A INPUT -i wlan6 -p icmp -j LOG --log-prefix "iptables_icmp_ACCEPT-i: " --log-uid +-A INPUT -i wlan6 -p icmp -j ACCEPT + +# let dhcp through? - YES +-A INPUT -i wlan6 -p udp -m udp --sport 137 -j DROP +-A INPUT -i wlan6 -p udp -m udp --sport 138 -j DROP +-A INPUT -i wlan6 -p udp -m udp --sport 139 -j DROP +-A INPUT -i wlan6 -p tcp --sport 9055 -j DROP +-A INPUT -i wlan6 -p tcp --sport 9054 -j DROP +-A INPUT -i wlan6 -p tcp --sport 9053 -j DROP +-A INPUT -i wlan6 -p tcp --sport 9051 -j DROP + -A INPUT -i wlan6 -p udp --sport 53 -j ACCEPT + +# SRC=0.0.0.0 DST=255.255.255.255 PROTO=UDP SPT=68 DPT=67 +-A INPUT -j LOG --log-prefix "iptables_libvirt_jLIBVIRT_INP-i: " --log-uid +# -A INPUT -i wlan6 -p udp -j DROP +-A INPUT -i wlan6 -j DROP + +-A INPUT -j LIBVIRT_INP + +-A FORWARD -j LIBVIRT_FWX +-A FORWARD -j LIBVIRT_FWI +-A FORWARD -j LIBVIRT_FWO +#d#-A OUTPUT -o wlan6 -p icmp -j LOG --log-prefix iptables_icmp_ACCEPT-o: --log-uid +## Traffic on the loopback interface is accepted. +-A OUTPUT -o lo -j ACCEPT + +## Existing connections are accepted. +-A OUTPUT -m state --state ESTABLISHED -j ACCEPT +-A OUTPUT -o wlan6 -p icmp -j LOG --log-prefix "iptables_icmp_ACCEPT-o: " --log-uid +-A OUTPUT -o wlan6 -p icmp -j ACCEPT +# st-routers.mcast.net. 
+-A OUTPUT -o wlan6 -p udp -d 224.0.0.0/8 -j REJECT + +## Accept outgoing connections to local network, Whonix-Workstation and VirtualBox, +-A OUTPUT -d 192.168.1.0/24 -j ACCEPT +-A OUTPUT -d 10.0.2.0/24 -j ACCEPT + +# gateway +#-A OUTPUT -d 10.0.2.0/24 -j ACCEPT + +-A OUTPUT -o wlan6 -d 10.16.238.0/24 -j ACCEPT +-A OUTPUT -o wlan6 -d 10.0.0.0/8 -j DROP +-A OUTPUT -o wlan6 -d 172.16.0.0/12 -j DROP +#-A OUTPUT -o wlan6 -d 192.168.0.0/16 -j DROP +-A OUTPUT -o wlan6 -d 224.0.0.0/4 -j DROP +-A OUTPUT -o wlan6 -d 240.0.0.0/5 -j DROP + +# The ntp user is allowed to connect to services listening on the ntp port... +# If root runs ntpdate manually you will see requests to port 53 UID=0 +#-A OUTPUT -o wlan6 -m owner --gid-owner 226 -p udp --dport 123 -j LOG --log-uid --log-prefix "iptables_123_ACCEPT-o: " +-A OUTPUT -o wlan6 -m owner --gid-owner 226 -p UDP --dport 123 -j ACCEPT +-A OUTPUT -o wlan6 -m owner --uid-owner 0 -p UDP --dport 123 -j ACCEPT +#-A OUTPUT -o wlan6 -m tcp -p TCP --dport 22 -j LOG --log-uid --log-prefix "IPTABLES_ssh_REJECT: " +-A OUTPUT -o wlan6 -m tcp -p TCP --dport 22 -j REJECT --reject-with icmp-port-unreachable +#test-A OUTPUT -o virbr1 -m tcp -p TCP --dport 22 -j LOG --log-uid --log-prefix "iptables_: " +-A OUTPUT -o wlan6 -m owner -p tcp --gid-owner 216 -j ACCEPT +-A OUTPUT -o wlan6 -m owner --gid-owner 1 -j ACCEPT + +-A OUTPUT -o virbr1 -m tcp -p TCP --dport 22 -j ACCEPT +-A OUTPUT -o virbr1 -m tcp -p TCP --dport 9028 -j LOG --log-uid --log-prefix "iptables_: " +-A OUTPUT -o virbr1 -m tcp -p TCP --dport 9028 -j ACCEPT +-A OUTPUT -o virbr1 -m tcp -p TCP --dport 9040 -j LOG --log-uid --log-prefix "iptables_: " +-A OUTPUT -o virbr1 -m tcp -p TCP --dport 9040 -j ACCEPT +-A OUTPUT -o virbr1 -m tcp -p TCP --dport 9050 -j LOG --log-uid --log-prefix "iptables_: " +-A OUTPUT -o virbr1 -m tcp -p TCP --dport 9050 -j ACCEPT +-A OUTPUT -o virbr1 -m tcp -p TCP --dport 9053 -j LOG --log-uid --log-prefix "iptables_: " +-A OUTPUT -o virbr1 -m tcp -p TCP --dport 
9053 -j ACCEPT +-A OUTPUT -o virbr1 -m udp -p udp --dport 9053 -j ACCEPT +-A OUTPUT -j LIBVIRT_OUT +-A LIBVIRT_FWI -o virbr1 -j LOG --log-uid --log-prefix "IPTABLES_FWI_REJECT-o: " +-A LIBVIRT_FWI -o virbr2 -j REJECT --reject-with icmp-port-unreachable + +-A LIBVIRT_FWI -d 10.0.2.0/24 -o virbr1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT + +-A LIBVIRT_FWI -o virbr1 -j LOG --log-uid --log-prefix "IPTABLES_FWI_REJECT-o: " +-A LIBVIRT_FWI -o virbr1 -j REJECT --reject-with icmp-port-unreachable + +-A LIBVIRT_FWO -i virbr2 -j LOG --log-uid --log-prefix "IPTABLES_FWO_REJECT-i: " +-A LIBVIRT_FWO -i virbr2 -j REJECT --reject-with icmp-port-unreachable + +-A LIBVIRT_FWO -s 10.0.2.0/24 -i virbr1 -j ACCEPT + +-A LIBVIRT_FWO -i virbr1 -j LOG --log-uid --log-prefix "IPTABLES_FWO_REJECT-i: " +-A LIBVIRT_FWO -i virbr1 -j REJECT --reject-with icmp-port-unreachable + +-A LIBVIRT_FWX -i virbr2 -o virbr2 -j ACCEPT +-A LIBVIRT_FWX -i virbr1 -o virbr1 -j ACCEPT + +-A LIBVIRT_INP -i virbr2 -p udp -m udp --dport 53 -j ACCEPT +-A LIBVIRT_INP -i virbr2 -p tcp -m tcp --dport 53 -j ACCEPT +-A LIBVIRT_INP -i virbr2 -p udp -m udp --dport 67 -j ACCEPT +-A LIBVIRT_INP -i virbr2 -p tcp -m tcp --dport 67 -j ACCEPT + +-A LIBVIRT_INP -i virbr1 -p udp -m udp --dport 53 -j ACCEPT +-A LIBVIRT_INP -i virbr1 -p tcp -m tcp --dport 53 -j ACCEPT +-A LIBVIRT_INP -i virbr1 -p udp -m udp --dport 67 -j ACCEPT +-A LIBVIRT_INP -i virbr1 -p tcp -m tcp --dport 67 -j ACCEPT + +-A LIBVIRT_OUT -o virbr2 -p udp -m udp --dport 53 -j ACCEPT +-A LIBVIRT_OUT -o virbr2 -p tcp -m tcp --dport 53 -j ACCEPT +-A LIBVIRT_OUT -o virbr2 -p udp -m udp --dport 68 -j ACCEPT +-A LIBVIRT_OUT -o virbr2 -p tcp -m tcp --dport 68 -j ACCEPT + +-A LIBVIRT_OUT -o virbr1 -p udp -m udp --dport 53 -j ACCEPT +-A LIBVIRT_OUT -o virbr1 -p tcp -m tcp --dport 53 -j ACCEPT +-A LIBVIRT_OUT -o virbr1 -p udp -m udp --dport 68 -j ACCEPT +-A LIBVIRT_OUT -o virbr1 -p tcp -m tcp --dport 68 -j ACCEPT +COMMIT +# Completed on Wed Nov 4 01:14:37 2020 
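Review bot: This file is byte-identical to `files/firewall.conf` added in the same commit (both headers carry blob `95be870`) yet lives under `templates/` with an `_External-tor` suffix while containing no Jinja at all: the `wlan6` interface, the `10.0.2.0/24` guest subnet and the numeric `--gid-owner` ids are hard-coded values from one host. Keep a single copy, and if it is to be a template, substitute those values, e.g. `-A INPUT -i {{ AGI_external_iface }} -j DROP`, so the rules follow the machine the role runs on. Until the duplication is removed, every rule correction has to be applied twice and will silently be missed in one of the copies.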
diff --git a/roles/ansible-gentoo_install/templates/etc/libvirt/qemu/networks/External.xml b/roles/ansible-gentoo_install/templates/etc/libvirt/qemu/networks/External.xml new file mode 100644 index 0000000..6aac0be --- /dev/null +++ b/roles/ansible-gentoo_install/templates/etc/libvirt/qemu/networks/External.xml @@ -0,0 +1,18 @@ + + + + External + + + + + + + + + diff --git a/roles/ansible-gentoo_install/vars/target_Gentoo2.yml b/roles/ansible-gentoo_install/vars/target_Gentoo2.yml index d77cdf5..301bf38 100644 --- a/roles/ansible-gentoo_install/vars/target_Gentoo2.yml +++ b/roles/ansible-gentoo_install/vars/target_Gentoo2.yml @@ -27,6 +27,9 @@ AGI_bootstrap_links: - from: /var/db/repos/gentoo to: /usr/portage +AGI_bootstrap_modules: + - virtio_console + # NO LEADING / AGI_bootstrap_dirs: - usr/local/etc/local.d @@ -49,6 +52,8 @@ AGI_bootstrap_files: - usr/local/etc/local.d/local.bash - usr/local/bin/usr_local_tput.bash - usr/local/bin/proxy_export.bash + - etc/hosts + - etc/resolv.conf AGI_bootstrap_uris: - http://distfiles.gentoo.org/distfiles/00/elfutils-0.190.tar.bz2 
@@ -56,24 +61,35 @@ AGI_bootstrap_uris: - http://distfiles.gentoo.org/distfiles/60/shared-mime-info-2.2.tar.gz - http://distfiles.gentoo.org/distfiles/fc/qemu-8.0.3.tar.xz +AGI_bootstrap_pips3: + - negotiator-guest + +# proxy_pkgs_inst: AGI_bootstrap_pkgs: - app-admin/sudo - sys-boot/grub:2 + - sys-boot/syslinux - app-editors/mg - qemu-guest-agent - - app-admin/logrotate - - "sys-process/{{ AGI_install_cron_daemon }}" - - "{{ AGI_install_syslog_daemon}}" - - "sys-boot/{{ AGI_install_bootloader }}" - - media-fonts/terminus-font - sys-apps/gptfdisk - net-analyzer/openbsd-netcat + - app-admin/logrotate + - "sys-process/{{ AGI_install_cron_daemon }}" + - "app-admin/{{ AGI_install_syslog_daemon}}" + - "sys-boot/{{ AGI_install_bootloader }}" + - media-fonts/terminus-font + - net-misc/curl + - app-arch/unzip + - net-libs/pacparser - sys-process/lsof - dev-util/strace - - sys-libs/gpm - app-portage/eix - - net-misc/curl + - sys-libs/gpm - linux-firmware + - net-dns/bind-tools +# - www-client/lynx + - app-admin/supervisor + - dev-python/pip AGI_cloud_pkgs: # get these from base.json @@ -94,4 +110,3 @@ AGI_cloud_pkgs: # get these from config.json # - app-emulation/cloud-init # - sys-block/open-iscsi - diff --git a/roles/toxcore/vars/mask.txt b/roles/toxcore/vars/mask.txt new file mode 100644 index 0000000..dfb7e17 --- /dev/null +++ b/roles/toxcore/vars/mask.txt @@ -0,0 +1,15 @@ + +# /etc/portage/package.mask/2023_BROKEN.txt qemu + =app-emulation/qemu-guest-agent-8.0.2% + +# /etc/portage/package.mask/2023_BROKEN.txt qemu + =app-emulation/qemu-guest-agent-8.0.0% + +# /etc/portage/package.mask/2023_BROKEN.txt qemu + =app-emulation/qemu-guest-agent-8.0.3% + +# /etc/portage/package.mask/2023_BROKEN.txt libvirt + =app-emulation/libvirt-9.4.0-r1% + +# /etc/portage/package.mask/2022_BLOCKED.txt docker + app-containers/docker-compose% diff --git a/roles/toxcore/vars/use.txt b/roles/toxcore/vars/use.txt new file mode 100644 index 0000000..a47eb42 --- /dev/null 
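Review bot: `AGI_bootstrap_pips3: - negotiator-guest` introduces an unpinned PyPI dependency into the image bootstrap: no version or hash is fixed, so each build pulls whatever is current and a compromised or replaced release lands in the image without notice. Pin it, e.g. `negotiator-guest==<version>`, and install from a requirements file with `--require-hashes`, or package it through portage like the rest of the list. The package list also now carries `sys-boot/grub:2` and `sys-boot/syslinux` as literals next to `"sys-boot/{{ AGI_install_bootloader }}"`, which duplicates one of them and installs both bootloaders into every image; drop either the two literals or the templated entry. The surrounding `AGI_bootstrap_uris` context still fetches distfiles over plain `http://`; `https://distfiles.gentoo.org` costs nothing to switch to.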
+++ b/roles/toxcore/vars/use.txt 
@@ -0,0 +1,114 @@
+
+# /etc/portage/package.use/2017-01-01_libguestfs.txt iptables
+ net-firewall/iptables% nftables ipv6
+
+# /etc/portage/package.use/2017-08_testdisk.txt testdisk
+ app-admin/testdisk% ntfs qt5 -ewf
+
+# /etc/portage/package.use/2020-01_static-libs.txt zstd
+ app-arch/zstd% static-libs
+
+# /etc/portage/package.use/2020-03_jq.txt jq
+ app-misc/jq% oniguruma
+
+# /etc/portage/package.use/2016-11_world.txt libvpx
+ media-libs/libvpx% svc
+
+# /etc/portage/package.use/2019-02_electron.txt libvpx
+ media-libs/libvpx% postproc svc
+
+# /etc/portage/package.use/2021-04_world.txt libxcb
+ x11-libs/libxcb% xkb
+
+# /etc/portage/package.use/2018-01_qt.txt libxkbcommon
+ x11-libs/libxkbcommon% X tools
+
+# /etc/portage/package.use/2020-01_readline.txt libxml2
+ dev-libs/libxml2% -readline
+
+# /etc/portage/package.use/2021-00_verify-sig.txt libxml2
+ dev-libs/libxml2:2% verify-sig
+
+# /etc/portage/package.use/2021-04_world.txt libxml2
+ dev-libs/libxml2% python icu ipv6 lzma
+
+# /etc/portage/package.use/2021-00_verify-sig.txt libvirt-python
+ dev-python/libvirt-python% verify-sig
+
+# /etc/portage/package.use/2021-08_wafw00f.txt requests
+ dev-python/requests% socks5
+
+# /etc/portage/package.use/2020-00_dbus.txt dbus
+ sys-apps/dbus% X elogind -systemd
+
+# /etc/portage/package.use/2020-01_dbus.txt dbus
+ sys-apps/dbus% X elogind -systemd
+
+# /etc/portage/package.use/2021-01_wayland.txt gtk+
+ x11-libs/gtk+% X -wayland
+
+# /etc/portage/package.use/2021-04_world.txt vte
+ x11-libs/vte% crypt -icu introspection vala -debug -gtk-doc -systemd -vanilla
+
+# /etc/portage/package.use/2022-01_xterms.txt vte
+ x11-libs/vte% vanilla
+
+# /etc/portage/package.use/2021-00_verify-sig.txt zfs-kmod
+ sys-fs/zfs-kmod% verify-sig
+
+# /etc/portage/package.use/2021-00_verify-sig.txt zfs
+ sys-fs/zfs% verify-sig
+
+# /etc/portage/package.use/2021-00_verify-sig.txt zfs
+ sys-fs/zfs-kmod% verify-sig
+
+# /etc/portage/package.use/2020-01_nls.txt qemu
+ app-emulation/qemu% -nls
+
+# /etc/portage/package.use/2021-04_qemu.txt qemu
+ app-emulation/qemu% -accessibility aio alsa bzip2 caps -capstone curl -debug doc fdt filecaps -fuse -glusterfs gnutls gtk -infiniband -io-uring -iscsi -jack -jemalloc jpeg lzo -multipath ncurses -nfs -nls numa opengl -oss pin-upstream-blobs plugins png -pulseaudio python -rbd sasl sdl sdl-image seccomp -selinux -slirp -smartcard snappy spice ssh -static -static-user -systemtap -test -udev usb usbredir vde vhost-net vhost-user-fs virgl virtfs vnc vte xattr -xen xfs zstd #
+
+# /etc/portage/package.use/2023-00_python-3.11.txt qemu
+ app-emulation/qemu% -python_single_target_python3_10 python_single_target_python3_11 python_single_target_python3_11 -python_single_target_python3_10
+
+# /etc/portage/package.use/2019-11_aqemu.txt aqemu
+ app-emulation/aqemu% vnc
+
+# /etc/portage/package.use/2019-09_spice-gtk.txt spice-gtk
+ >=net-misc/spice-gtk-0.35% usbredir
+
+# /etc/portage/package.use/2020-01_polkit.txt spice-gtk
+ net-misc/spice-gtk% policykit
+
+# /etc/portage/package.use/2020-01_polkit.txt libvirt
+ app-emulation/libvirt% apparmor audit -bash-completion caps -dbus -dtrace -firewalld fuse -glusterfs -iscsi -iscsi-direct libssh libvirtd lvm lxc -macvtap -nfs -nls numa -openvz parted pcap -policykit qemu -rbd -sasl -selinux udev vepa verify-sig virt-network virtualbox -wireshark-plugins -xen -zfs
+
+# /etc/portage/package.use/2020-10_nfs.txt libvirt
+ app-emulation/libvirt% -nfs
+
+# /etc/portage/package.use/2021-00_verify-sig.txt libvirt
+ app-emulation/libvirt% verify-sig
+
+# /etc/portage/package.use/2021-00_verify-sig.txt libvirt
+ dev-python/libvirt-python% verify-sig
+
+# /etc/portage/package.use/2020-01_polkit.txt virt-manager
+ app-emulation/virt-manager% gtk -policykit virtualbox libvirtd caps dbus fuse libssh lxc macvtap numa parted pcap policykit qemu vepa virt-network
+
+# /etc/portage/package.use/2019-11_qxl.txt xf86-video-qxl
+ x11-drivers/xf86-video-qxl% xspice
+
+# /etc/portage/package.use/2019-11_libguestfs.txt libguestfs
+ app-emulation/libguestfs% parted virtualbox libvirt -erlang -lua perl fuse gtk inspect-icons introspection -ocaml python -ruby
+
+# /etc/portage/package.use/2023-00_python-3.11.txt libguestfs
+ app-emulation/libguestfs% python_single_target_python3_11
+
+# /etc/portage/package.use/2021-00_verify-sig.txt libvirt-python
+ dev-python/libvirt-python% verify-sig
+
+# /etc/portage/package.use/2017-02_docker.txt tini
+ sys-process/tini% static args
+
+# /etc/portage/package.use/2017-02_docker.txt docker
+ app-containers/docker% btrfs
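Review bot: Several entries in the new file contradict or repeat each other, so the effective USE set depends on how the consumer merges lines: `x11-libs/vte% ... -vanilla` (from 2021-04_world.txt) is followed by `x11-libs/vte% vanilla` (from 2022-01_xterms.txt); the `app-emulation/virt-manager%` line lists both `-policykit` and `policykit`; the 2023-00_python-3.11.txt qemu entry repeats `-python_single_target_python3_10` and `python_single_target_python3_11` twice each; and `sys-apps/dbus% X elogind -systemd`, `sys-fs/zfs-kmod% verify-sig`, `app-emulation/libvirt% verify-sig` and `dev-python/libvirt-python% verify-sig` each appear two or three times. If the file is collected from `/etc/portage/package.use/*`, it presumably should be de-duplicated to one entry per atom with the intended precedence made explicit, and the virt-manager line needs a decision on whether polkit is wanted rather than both flags. The 2021-04_qemu.txt line ends with a stray ` #` after `zstd` that reads like a leftover comment marker; drop it or move the comment to its own line. As with the companion mask file, a header comment describing the `# <source file> <name>` / `<atom>% <flags>` format and what consumes it would help.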