From 3e93fa63e93da3be4c4dc864479cd95ebac3aa52 Mon Sep 17 00:00:00 2001 
From: havelight-ee Date: Tue, 20 Jun 2023 19:51:12 +0900 Subject: [PATCH] docker images update --- packer/ansible/docker_roles.yaml | 8 ++ packer/ansible/node_roles.yaml | 4 +- packer/ansible/roles/docker/handlers/main.yml | 10 +++ .../roles/docker/tasks/00-amazon-os-main.yml | 86 +++++++++++++++++++ .../roles/docker/tasks/00-ubuntu-os-main.yml | 66 ++++++++++++++ .../docker/tasks/01-amazon-os-docker.yml | 53 ++++++++++++ .../docker/tasks/01-ubuntu-os-docker.yml | 19 ++++ packer/ansible/roles/docker/tasks/main.yml | 19 ++++ packer/ansible/roles/docker/tasks/sysctl.yml | 8 ++ .../roles/docker/templates/common-auth.j2 | 27 ++++++ .../roles/docker/templates/daemon.json.j2 | 9 ++ .../roles/docker/templates/pwquality.conf.j2 | 50 +++++++++++ .../ansible/roles/docker/templates/sysctl.j2 | 82 ++++++++++++++++++ packer/ansible/roles/node/templates/sysctl.j2 | 3 + .../security-settings/files/allow_users.conf | 2 + .../security-settings/tasks/sshd_config.yml | 8 ++ packer/build_ami_security/command | 2 +- .../build_ami_security/docker-amazon.pkr.hcl | 49 +++++++++++ .../build_ami_security/docker-ubuntu.pkr.hcl | 49 +++++++++++ 19 files changed, 551 insertions(+), 3 deletions(-) create mode 100755 packer/ansible/docker_roles.yaml create mode 100644 packer/ansible/roles/docker/handlers/main.yml create mode 100644 packer/ansible/roles/docker/tasks/00-amazon-os-main.yml create mode 100644 packer/ansible/roles/docker/tasks/00-ubuntu-os-main.yml create mode 100644 packer/ansible/roles/docker/tasks/01-amazon-os-docker.yml create mode 100644 packer/ansible/roles/docker/tasks/01-ubuntu-os-docker.yml create mode 100644 packer/ansible/roles/docker/tasks/main.yml create mode 100755 packer/ansible/roles/docker/tasks/sysctl.yml create mode 100755 packer/ansible/roles/docker/templates/common-auth.j2 create mode 100755 packer/ansible/roles/docker/templates/daemon.json.j2 create mode 100755 packer/ansible/roles/docker/templates/pwquality.conf.j2 create mode 100755 
packer/ansible/roles/docker/templates/sysctl.j2 create mode 100644 packer/ansible/roles/security-settings/files/allow_users.conf create mode 100644 packer/build_ami_security/docker-amazon.pkr.hcl create mode 100644 packer/build_ami_security/docker-ubuntu.pkr.hcl
diff --git a/packer/ansible/docker_roles.yaml b/packer/ansible/docker_roles.yaml
new file mode 100755
index 0000000..697fdfe
--- /dev/null
+++ b/packer/ansible/docker_roles.yaml
@@ -0,0 +1,8 @@
+---
+- hosts: default
+ become: true
+ roles:
+ - docker
+ vars:
+ username: root
+ password: saasadmin1234!@#$
diff --git a/packer/ansible/node_roles.yaml b/packer/ansible/node_roles.yaml
index 0c1395b..b0b8879 100755
--- a/packer/ansible/node_roles.yaml
+++ b/packer/ansible/node_roles.yaml
@@ -5,5 +5,5 @@ - node - security-settings vars: - username: - password: + username: root + password: saasadmin1234!@#$
diff --git a/packer/ansible/roles/docker/handlers/main.yml b/packer/ansible/roles/docker/handlers/main.yml
new file mode 100644
index 0000000..dede1dc
--- /dev/null
+++ b/packer/ansible/roles/docker/handlers/main.yml
@@ -0,0 +1,10 @@
+---
+- name: Reload systemd configuration
+ service:
+ daemon_reload: True
+
+- name: Restart docker service
+ service:
+ name: docker
+ enabled: true
+ state: restarted
diff --git a/packer/ansible/roles/docker/tasks/00-amazon-os-main.yml b/packer/ansible/roles/docker/tasks/00-amazon-os-main.yml
new file mode 100644
index 0000000..1c0e9b5
--- /dev/null
+++ b/packer/ansible/roles/docker/tasks/00-amazon-os-main.yml
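Review bot: The new `docker_roles.yaml` commits a root password in clear text under `vars:` (`password: saasadmin1234!@#$`), and the `node_roles.yaml` hunk on the same line replaces the previously empty `username:`/`password:` with the same literal. Every AMI built from either playbook now shares one credential that lives in git history, so the value should be treated as compromised and rotated, and the vars supplied at build time instead (an Ansible Vault file, or `--extra-vars` passed through the Packer `ansible` provisioner's `extra_arguments`). Keeping the placeholders empty and failing early with an `assert` task when they are unset would stop a build from silently succeeding with a default password. Whether a `user` task actually consumes this pair is outside the diff.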
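Review bot: `Reload systemd configuration` uses the `service` module with `daemon_reload: True`, but as far as I know `daemon_reload` is a parameter of the `systemd` module only, so this handler should fail with an unsupported-parameter error the first time `Configure docker` notifies it. Use `ansible.builtin.systemd:` with `daemon_reload: true` instead; the task files already use `systemd:` for firewalld. The `Restart docker service` handler is fine as written.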
@@ -0,0 +1,86 @@
+---
+- name: Update and upgrade yum packages
+ yum:
+ name: "*"
+ state: latest
+
+- name: Install yum packages
+ yum:
+ name: "{{ item }}"
+ state: present
+ with_items:
+ - python-pip
+ - yum-utils
+ - device-mapper-persistent-data
+ - lvm2
+ - amazon-linux-extras
+
+- name: Add extras repository
+ shell: yum-config-manager --enable extras
+
+- name: Disable firewalld
+ systemd: name=firewalld state=stopped
+ ignore_errors: yes
+ tags:
+ - install
+ - atomic
+ - firewalld
+
+- name: Disable SWAP since kubernetes can't work with swap enabled (1/2)
+ command: 'swapoff -a'
+
+ # - name: Disable SWAP in fstab since kubernetes can't work with swap enabled (2/2)
+ # replace:
+ # path: /etc/fstab
+ # regexp: '^([^#].*?\sswap\s+sw\s+.*)$'
+ # replace: '# \1'
+
+- name: Disable SWAP in fstab since kubernetes can't work with swap enabled (2/2)
+ become: true
+ lineinfile:
+ path: /etc/fstab
+ regexp: '^/dev/mapper/.*swap'
+ line: '# {{ item }}'
+ # when: item is search('^/dev/mapper/.*swap')
+ loop: "{{ lookup('file', '/etc/fstab').split('\n') }}"
+
+- name: Add br_netfilter to module autoload
+ lineinfile:
+ path: /etc/modules-load.d/k8s2.conf
+ line: "{{ item }}"
+ create: true
+ with_items:
+ - 'overlay'
+ - 'br_netfilter'
+
+- name: Add br_netfilter to module autoload
+ modprobe:
+ name: "{{ item }}"
+ state: present
+ become: true
+ with_items:
+ - 'overlay'
+ - 'br_netfilter'
+
+- name: Add br_netfilter to module autoload
+ lineinfile:
+ path: /etc/sysctl.d/k8s.conf
+ line: "{{ item }}"
+ create: true
+ with_items:
+ - 'net.bridge.bridge-nf-call-iptables = 1'
+ - 'net.bridge.bridge-nf-call-ip6tables = 1'
+ - 'net.ipv4.ip_forward = 1'
+
+- name: Disable net.bridge.bridge-nf-call-iptables
+ sysctl:
+ name: "{{ item }}"
+ value: 1
+ with_items:
+ - 'net.bridge.bridge-nf-call-iptables'
+ - 'net.bridge.bridge-nf-call-ip6tables'
+
+- name: Disable net.ipv4.ip_forward
+ sysctl:
+ name: net.ipv4.ip_forward
+ value: "1"
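Review bot: The `Disable SWAP in fstab ... (2/2)` task in the middle of the hunk does not do what its name says: `lineinfile` with `regexp: '^/dev/mapper/.*swap'` and `line: '# {{ item }}'`, looped over every line of fstab, replaces the one matching swap entry with a commented copy of whichever item is current and then appends a commented copy of every remaining line because nothing matches any more, and `lookup('file', '/etc/fstab')` reads the fstab of the Ansible controller, not the target. The commented-out `replace:` block directly above it (the form the Ubuntu file uses) is the right tool; reinstating it with a looser pattern such as `regexp: '^([^#].*\sswap\s.*)$'` would also cover Amazon Linux entries whose options field is not `sw`. Separately, three different tasks are all named `Add br_netfilter to module autoload`, and `Disable net.bridge.bridge-nf-call-iptables` / `Disable net.ipv4.ip_forward` set the values to 1 (the same names appear in 00-ubuntu-os-main.yml), which will mislead anyone reading a build log as an audit trail. The modules-load path `k8s2.conf` also differs from the Ubuntu file's `k8s.conf` for no visible reason.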
diff --git a/packer/ansible/roles/docker/tasks/00-ubuntu-os-main.yml b/packer/ansible/roles/docker/tasks/00-ubuntu-os-main.yml
new file mode 100644
index 0000000..56cc0b7
--- /dev/null
+++ b/packer/ansible/roles/docker/tasks/00-ubuntu-os-main.yml
@@ -0,0 +1,66 @@
+---
+- name: Update and upgrade apt packages
+ apt:
+ upgrade: yes
+ update_cache: yes
+ force_apt_get: yes
+ cache_valid_time: 86400
+
+- name: Install apt packages
+ apt:
+ name: ['apt-transport-https', 'ca-certificates', 'curl', 'gnupg', 'lsb-release']
+ state: present
+
+- name: Disable ufw
+ command: 'ufw disable'
+ when: ansible_distribution_version == '20.04'
+
+- name: Disable SWAP since kubernetes can't work with swap enabled (1/2)
+ command: 'swapoff -a'
+
+- name: Disable SWAP in fstab since kubernetes can't work with swap enabled (2/2)
+ replace:
+ path: /etc/fstab
+ regexp: '^([^#].*?\sswap\s+sw\s+.*)$'
+ replace: '# \1'
+
+- name: Add br_netfilter to module autoload
+ lineinfile:
+ path: /etc/modules-load.d/k8s.conf
+ line: "{{ item }}"
+ create: true
+ with_items:
+ - 'overlay'
+ - 'br_netfilter'
+
+- name: Add br_netfilter to module autoload
+ modprobe:
+ name: "{{ item }}"
+ state: present
+ become: true
+ with_items:
+ - 'overlay'
+ - 'br_netfilter'
+
+- name: Add br_netfilter to module autoload
+ lineinfile:
+ path: /etc/sysctl.d/k8s.conf
+ line: "{{ item }}"
+ create: true
+ with_items:
+ - 'net.bridge.bridge-nf-call-iptables = 1'
+ - 'net.bridge.bridge-nf-call-ip6tables = 1'
+ - 'net.ipv4.ip_forward = 1'
+
+- name: Disable net.bridge.bridge-nf-call-iptables
+ sysctl:
+ name: "{{ item }}"
+ value: 1
+ with_items:
+ - 'net.bridge.bridge-nf-call-iptables'
+ - 'net.bridge.bridge-nf-call-ip6tables'
+
+- name: Disable net.ipv4.ip_forward
+ sysctl:
+ name: net.ipv4.ip_forward
+ value: "1"
diff --git a/packer/ansible/roles/docker/tasks/01-amazon-os-docker.yml b/packer/ansible/roles/docker/tasks/01-amazon-os-docker.yml
new file mode 100644
index 0000000..95846cf
--- /dev/null
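Review bot: `Disable ufw` runs `ufw disable` only when `ansible_distribution_version == '20.04'`, so on any other Ubuntu release the image keeps ufw active while the later sysctl tasks still turn on `net.ipv4.ip_forward`; the guard reads like a leftover rather than a decision, and the task should either apply to every Debian-family host or state why 20.04 is special. Since this role deliberately produces a forwarding host with no packet filter, a comment such as `# Host firewall is disabled on purpose: filtering is expected from the CNI and security groups` lets a reviewer of the resulting AMI tell intent from accident. `Update and upgrade apt packages` with `upgrade: yes` also makes the image contents depend on build time; recording the installed package list in the build output, or pinning, would make two builds of this commit comparable.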
+++ b/packer/ansible/roles/docker/tasks/01-amazon-os-docker.yml
@@ -0,0 +1,53 @@
+---
+- name: Install docker-ce (centos) via amazon-linux-extras packages
+ shell: "amazon-linux-extras install docker -y"
+
+- name: Ensure Python pip packages are installed
+ pip:
+ name: "{{ item }}"
+ with_items:
+ - boto
+ - boto3
+ - docker-compose
+
+#- name: Add docker script
+# command: curl -fsSL https://get.docker.com -o /root/get-docker.sh
+#
+#- name: install docker
+# command: sh /root/get-docker.sh
+#
+- name: Create docker configuration directory
+ file:
+ path: /etc/docker
+ state: directory
+
+#- name: Install required packages
+# yum:
+# name: ['docker-ce']
+# state: present
+# notify:
+# - Reload systemd configuration
+# - Restart docker service
+
+- name: Configure docker
+ template:
+ src: daemon.json.j2
+ dest: /etc/docker/daemon.json
+ notify:
+ - Reload systemd configuration
+ - Restart docker service
+
+#- name: Delete containerd config
+# file:
+# path: /etc/containerd/config.toml
+# state: absent
+# notify:
+# - Restart containerd service
+
+- meta: flush_handlers
+
+- name: Enable docker service
+ service:
+ name: docker
+ enabled: True
+ state: started
diff --git a/packer/ansible/roles/docker/tasks/01-ubuntu-os-docker.yml b/packer/ansible/roles/docker/tasks/01-ubuntu-os-docker.yml
new file mode 100644
index 0000000..7399804
--- /dev/null
+++ b/packer/ansible/roles/docker/tasks/01-ubuntu-os-docker.yml
@@ -0,0 +1,19 @@
+---
+- name: Add docker script
+ command: curl -fsSL https://get.docker.com -o /root/get-docker.sh
+
+- name: install docker
+ command: sh /root/get-docker.sh
+
+- name: Create docker configuration directory
+ file:
+ path: /etc/docker
+ state: directory
+
+- name: Configure docker
+ template:
+ src: daemon.json.j2
+ dest: /etc/docker/daemon.json
+ notify:
+ - Reload systemd configuration
+ - Restart docker service
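Review bot: `Ensure Python pip packages are installed` pulls `boto`, `boto3` and `docker-compose` from PyPI with no version pins or hashes, so the image content depends on whatever PyPI serves at build time and the build cannot notice a replaced package; pin them (`name: "boto3==<version>"` per item, or a requirements file installed with `--require-hashes`) and drop `boto` if only `boto3` is used — nothing in this playbook uses any of them itself. `Install docker-ce (centos) via amazon-linux-extras packages` uses `shell:` without `creates:` or `changed_when:`, so it reports changed and re-runs the installer on every pass; `creates: /usr/bin/docker` would make it idempotent. The commented-out alternatives left in the file should be removed or replaced by a one-line comment saying why `amazon-linux-extras` was chosen.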
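Review bot: `Add docker script` / `install docker` fetch `https://get.docker.com` and run it with `sh` as root without pinning a version or checking a digest, so every build trusts whatever that URL serves at that moment and two builds of the same commit can produce different Docker versions. The prerequisites installed in 00-ubuntu-os-main.yml (`ca-certificates`, `curl`, `gnupg`, `lsb-release`) are exactly what the repository-based install needs, so adding Docker's signing key and apt repository and installing a pinned `docker-ce` with `apt:` is both reproducible and idempotent, whereas both `command:` tasks here report changed on every run. Unlike the Amazon file, this one never enables or starts the docker service and has no `meta: flush_handlers`, so the daemon.json restart only fires at the end of the play and the enabled state is left to whatever the script did. The sketch below replaces the two `command:` tasks; `docker_ce_version` is a role variable to be defined (placeholder).
```yaml
- name: Ensure apt keyring directory exists
  ansible.builtin.file:
    path: /etc/apt/keyrings
    state: directory
    mode: '0755'

- name: Add Docker apt signing key
  ansible.builtin.get_url:
    url: https://download.docker.com/linux/ubuntu/gpg
    dest: /etc/apt/keyrings/docker.asc
    mode: '0644'

- name: Add Docker apt repository
  ansible.builtin.apt_repository:
    repo: "deb [signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu {{ ansible_distribution_release }} stable"
    state: present

- name: Install pinned docker-ce
  ansible.builtin.apt:
    name: "docker-ce={{ docker_ce_version }}"
    state: present
    update_cache: yes

# … unchanged: Create docker configuration directory, Configure docker …

- meta: flush_handlers

- name: Enable docker service
  ansible.builtin.service:
    name: docker
    enabled: true
    state: started
```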
diff --git a/packer/ansible/roles/docker/tasks/main.yml b/packer/ansible/roles/docker/tasks/main.yml
new file mode 100644
index 0000000..a06b40b
--- /dev/null
+++ b/packer/ansible/roles/docker/tasks/main.yml
@@ -0,0 +1,19 @@
+---
+- name: Gather Ansible Facts
+ ansible.builtin.setup:
+
+- include: 00-amazon-os-main.yml
+ tags: amazon
+ when: ansible_facts.os_family == 'RedHat'
+
+- include: 00-ubuntu-os-main.yml
+ tags: ubuntu
+ when: ansible_facts.os_family == 'Debian'
+
+- include: 01-amazon-os-docker.yml
+ tags: cent-docker
+ when: ansible_facts.os_family == 'RedHat'
+
+- include: 01-ubuntu-os-docker.yml
+ tags: ubuntu-docker
+ when: ansible_facts.os_family == 'Debian'
diff --git a/packer/ansible/roles/docker/tasks/sysctl.yml b/packer/ansible/roles/docker/tasks/sysctl.yml
new file mode 100755
index 0000000..52c98a9
--- /dev/null
+++ b/packer/ansible/roles/docker/tasks/sysctl.yml
@@ -0,0 +1,8 @@
+---
+- name: Add pam_tally2.so
+ template:
+ src: sysctl.j2
+ dest: /etc/sysctl.conf
+ owner: root
+ group: root
+ mode: 0644
diff --git a/packer/ansible/roles/docker/templates/common-auth.j2 b/packer/ansible/roles/docker/templates/common-auth.j2
new file mode 100755
index 0000000..64a603b
--- /dev/null
+++ b/packer/ansible/roles/docker/templates/common-auth.j2
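Review bot: `tasks/main.yml` never references `sysctl.yml`, and no task in this commit deploys `common-auth.j2` or `pwquality.conf.j2`, so the sysctl.conf, PAM lockout and password-quality settings the role ships are not applied to the image at all; either add `- import_tasks: sysctl.yml` here (plus tasks for the two PAM templates) or drop the dead files so nobody assumes the AMI is hardened. The four `- include:` entries use the legacy `include` keyword, which has been deprecated in favour of `include_tasks`/`import_tasks` and, to my knowledge, is rejected by current ansible-core; `- import_tasks: 00-amazon-os-main.yml` with the same `tags:`/`when:` keeps the behaviour. The `cent-docker` tag on the RedHat-family branch is also inconsistent with the `amazon` tag used two tasks above it.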
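Review bot: The only task in `sysctl.yml` is named `Add pam_tally2.so` but templates `sysctl.j2` to `/etc/sysctl.conf`; the name looks copied from a PAM task and will mislabel the change in every play log. Rename it, e.g. `- name: Install /etc/sysctl.conf from template`, and add a `notify:` to a handler that reloads sysctl (the `sysctl` module with `reload: yes`, or `sysctl --system`), because writing the file alone does not apply the values until reboot. The template itself is committed with mode 100755; a template does not need to be executable.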
@@ -0,0 +1,27 @@
+#
+# /etc/pam.d/common-auth - authentication settings common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of the authentication modules that define
+# the central authentication scheme for use on the system
+# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
+# traditional Unix authentication mechanisms.
+#
+# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
+# To take advantage of this, it is recommended that you configure any
+# local modules either before or after the default block, and use
+# pam-auth-update to manage selection of other modules. See
+# pam-auth-update(8) for details.
+auth required pam_tally2.so onerr={{onerr}} even_deny_root deny={{deny}} unlock_time={{unlock_time}}
+
+# here are the per-package modules (the "Primary" block)
+auth [success=1 default=ignore] pam_unix.so nullok
+# here's the fallback if no module succeeds
+auth requisite pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+auth required pam_permit.so
+# since the modules above will each just jump around
+# and here are more per-package modules (the "Additional" block)
+auth optional pam_cap.so
+# end of pam-auth-update config
diff --git a/packer/ansible/roles/docker/templates/daemon.json.j2 b/packer/ansible/roles/docker/templates/daemon.json.j2
new file mode 100755
index 0000000..6c2b554
--- /dev/null
+++ b/packer/ansible/roles/docker/templates/daemon.json.j2
@@ -0,0 +1,9 @@
+{
+ "exec-opts": ["native.cgroupdriver=systemd"],
+ "log-driver": "json-file",
+ "log-opts": {
+ "max-size": "100m"
+ },
+ "storage-driver": "overlay2",
+ "insecure-registries": ["10.10.31.243:5000"]
+}
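Review bot: The `auth required pam_tally2.so onerr={{onerr}} even_deny_root deny={{deny}} unlock_time={{unlock_time}}` line is the only change from the stock file, yet nothing in this commit deploys the template (no task references `common-auth.j2`, and the same holds for `pwquality.conf.j2`), and the three variables have no defaults visible in the diff, so wiring it in later without a `defaults/main.yml` would fail the render; a comment above the line documenting the intended values, in particular whether `onerr` should be `fail` or `succeed`, would help whoever enables it. `pam_tally2` was, as far as I know, removed from Linux-PAM 1.5 in favour of `pam_faillock`, so the template should state which distribution releases it targets. Because `even_deny_root` is set and the playbooks provision a root password, a handful of failed attempts locks root for `unlock_time` seconds — reasonable for a hardened image, but worth saying in a comment so an operator is not surprised.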
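Review bot: `"insecure-registries": ["10.10.31.243:5000"]` tells dockerd to fall back to plain HTTP and to skip certificate verification for that registry, so every image pulled from it by every host built from this AMI travels unauthenticated and unencrypted and can be altered on the path; the address is also hard-coded in a `.j2` template that renders no variables. Prefer serving the registry over TLS and trusting its CA via `/etc/docker/certs.d/<registry-host:port>/ca.crt`, and if plain HTTP must remain during a transition, move the list to a role variable that defaults to empty (`"insecure-registries": {{ docker_insecure_registries | to_json }}`) so the exception is opt-in per environment. While touching the file, `"no-new-privileges": true` and `"live-restore": true` are commonly recommended daemon hardening settings worth considering.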
diff --git a/packer/ansible/roles/docker/templates/pwquality.conf.j2 b/packer/ansible/roles/docker/templates/pwquality.conf.j2
new file mode 100755
index 0000000..3ec2cbe
--- /dev/null
+++ b/packer/ansible/roles/docker/templates/pwquality.conf.j2
@@ -0,0 +1,50 @@
+# Configuration for systemwide password quality limits
+# Defaults:
+#
+# Number of characters in the new password that must not be present in the
+# old password.
+# difok = 5
+#
+# Minimum acceptable size for the new password (plus one if
+# credits are not disabled which is the default). (See pam_cracklib manual.)
+# Cannot be set to lower value than 6.
+minlen = {{pwquality_minlen}}
+#
+# The maximum credit for having digits in the new password. If less than 0
+# it is the minimum number of digits in the new password.
+dcredit = {{pwquality_dcredit}}
+#
+# The maximum credit for having uppercase characters in the new password.
+# If less than 0 it is the minimum number of uppercase characters in the new
+# password.
+ucredit = {{pwquality_ucredit}}
+#
+# The maximum credit for having lowercase characters in the new password.
+# If less than 0 it is the minimum number of lowercase characters in the new
+# password.
+lcredit = {{pwquality_lcredit}}
+#
+# The maximum credit for having other characters in the new password.
+# If less than 0 it is the minimum number of other characters in the new
+# password.
+ocredit = {{pwquality_ocredit}}
+#
+# The minimum number of required classes of characters for the new
+# password (digits, uppercase, lowercase, others).
+# minclass = 0
+#
+# The maximum number of allowed consecutive same characters in the new password.
+# The check is disabled if the value is 0.
+maxrepeat = {{pwquality_maxrepeat}}
+#
+# The maximum number of allowed consecutive characters of the same class in the
+# new password.
+# The check is disabled if the value is 0.
+# maxclassrepeat = 0
+#
+# Whether to check for the words from the passwd entry GECOS string of the user.
+# The check is enabled if the value is not 0.
+# gecoscheck = 0
+#
+# Path to the cracklib dictionaries. Default is to use the cracklib default.
+# dictpath =
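Review bot: The template sets `minlen`, the four credit values and `maxrepeat`, but without `enforce_for_root = 1` pam_pwquality only prints the failed check for root and still accepts a weak root password, which matters here because the playbooks provision one; add `enforce_for_root = 1` (and `minclass` if a class count is wanted) or leave a comment explaining why it is omitted. The `pwquality_*` variables have no defaults in this diff and no task renders the file, so as committed it has no effect on the image. The leading `# Defaults:` header now sits above templated values; rewording it (e.g. `# Values below are set from role variables; upstream defaults are shown in comments`) prevents a reader from taking the rendered numbers for upstream defaults.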
diff --git a/packer/ansible/roles/docker/templates/sysctl.j2 b/packer/ansible/roles/docker/templates/sysctl.j2
new file mode 100755
index 0000000..f8eff1d
--- /dev/null
+++ b/packer/ansible/roles/docker/templates/sysctl.j2
@@ -0,0 +1,82 @@
+#
+# /etc/sysctl.conf - Configuration file for setting system variables
+# See /etc/sysctl.d/ for additional system variables.
+# See sysctl.conf (5) for information.
+#
+
+#kernel.domainname = example.com
+
+# Uncomment the following to stop low-level messages on console
+#kernel.printk = 3 4 1 3
+
+###################################################################
+# Functions previously found in netbase
+#
+
+# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
+# Turn on Source Address Verification in all interfaces to
+# prevent some spoofing attacks
+#net.ipv4.conf.default.rp_filter=1
+#net.ipv4.conf.all.rp_filter=1
+
+# Uncomment the next line to enable TCP/IP SYN cookies
+# See http://lwn.net/Articles/277146/
+# Note: This may impact IPv6 TCP sessions too
+#net.ipv4.tcp_syncookies=1
+
+# Uncomment the next line to enable packet forwarding for IPv4
+#net.ipv4.ip_forward=1
+
+# Uncomment the next line to enable packet forwarding for IPv6
+# Enabling this option disables Stateless Address Autoconfiguration
+# based on Router Advertisements for this host
+#net.ipv6.conf.all.forwarding=1
+
+
+###################################################################
+# Additional settings - these settings can improve the network
+# security of the host and prevent against some network attacks
+# including spoofing attacks and man in the middle attacks through
+# redirection. Some network environments, however, require that these
+# settings are disabled so review and enable them as needed.
+#
+# Do not accept ICMP redirects (prevent MITM attacks)
+#net.ipv4.conf.all.accept_redirects = 0
+#net.ipv6.conf.all.accept_redirects = 0
+# _or_
+# Accept ICMP redirects only for gateways listed in our default
+# gateway list (enabled by default)
+# net.ipv4.conf.all.secure_redirects = 1
+#
+# Do not send ICMP redirects (we are not a router)
+#net.ipv4.conf.all.send_redirects = 0
+#
+# Do not accept IP source route packets (we are not a router)
+#net.ipv4.conf.all.accept_source_route = 0
+#net.ipv6.conf.all.accept_source_route = 0
+#
+# Log Martian Packets
+#net.ipv4.conf.all.log_martians = 1
+#
+
+###################################################################
+# Magic system request Key
+# 0=disable, 1=enable all, >1 bitmask of sysrq functions
+# See https://www.kernel.org/doc/html/latest/admin-guide/sysrq.html
+# for what other values do
+#kernel.sysrq=438
+
+vm.dirty_background_ratio = 5
+vm.dirty_ratio = 80
+
+net.core.default_qdisc = fq
+net.core.rmem_max = 268435456
+net.core.wmem_max = 268435456
+net.ipv4.conf.all.arp_announce = 2
+net.ipv4.conf.all.arp_filter = 1
+net.ipv4.conf.all.arp_ignore = 1
+net.ipv4.conf.default.arp_filter = 1
+net.ipv4.tcp_congestion_control = htcp
+net.ipv4.tcp_no_metrics_save = 1
+net.ipv4.tcp_rmem = 4096 87380 134217728
+net.ipv4.tcp_wmem = 4096 65536 134217728
diff --git a/packer/ansible/roles/node/templates/sysctl.j2 b/packer/ansible/roles/node/templates/sysctl.j2
index 5f2e952..f8eff1d 100644
--- a/packer/ansible/roles/node/templates/sysctl.j2
+++ b/packer/ansible/roles/node/templates/sysctl.j2
@@ -66,6 +66,9 @@ # for what other values do #kernel.sysrq=438 +vm.dirty_background_ratio = 5 +vm.dirty_ratio = 80 + net.core.default_qdisc = fq net.core.rmem_max = 268435456 net.core.wmem_max = 268435456
diff --git a/packer/ansible/roles/security-settings/files/allow_users.conf b/packer/ansible/roles/security-settings/files/allow_users.conf
new file mode 100644
index 0000000..b8a221d
--- /dev/null
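Review bot: `docker/templates/sysctl.j2` is byte-for-byte the file that `node/templates/sysctl.j2` becomes in this same commit (both `index` lines end in blob `f8eff1d`), so the two copies will drift on the next edit; keep one copy in a shared role, or have the docker role reference the node template, rather than duplicating 82 lines. For an image built under `build_ami_security`, every hardening knob in the file is still commented out (`rp_filter`, `tcp_syncookies`, `accept_redirects`, `send_redirects`, `accept_source_route`, `log_martians`) while only throughput tuning is live; enable the ones the cluster network tolerates, or add a comment stating they are intentionally left at distribution defaults so the omission reads as a choice. The `vm.dirty_background_ratio = 5` / `vm.dirty_ratio = 80` pair added to both files lets up to 80% of RAM hold unflushed writes, which enlarges what is lost on a crash and can stall writers at flush time; a comment with the measured reason for 80 would help the next reader.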
+++ b/packer/ansible/roles/security-settings/files/allow_users.conf
@@ -0,0 +1,2 @@
+AllowUsers *@10.20.142.*
+AllowUsers *@10.10.43.*
diff --git a/packer/ansible/roles/security-settings/tasks/sshd_config.yml b/packer/ansible/roles/security-settings/tasks/sshd_config.yml
index 438a65a..6e51765 100755
--- a/packer/ansible/roles/security-settings/tasks/sshd_config.yml
+++ b/packer/ansible/roles/security-settings/tasks/sshd_config.yml
@@ -21,3 +21,11 @@ group: root mode: 0640 notify: restart sshd + + #- name: SSH AllowUsers Setting + # copy: + # src: allow_users.conf + # dest: /etc/ssh/sshd_config.d/allow_users.conf + # owner: root + # group: root + # mode: 0644
diff --git a/packer/build_ami_security/command b/packer/build_ami_security/command
index 411dc9b..188a074 100755
--- a/packer/build_ami_security/command
+++ b/packer/build_ami_security/command
@@ -1,4 +1,4 @@ -filename="datasaker-node-packer-ubuntu.pkr.hcl" +filename="docker-ubuntu.pkr.hcl" echo "packer init $(unknown)" echo "packer fmt $(unknown)"
diff --git a/packer/build_ami_security/docker-amazon.pkr.hcl b/packer/build_ami_security/docker-amazon.pkr.hcl
new file mode 100644
index 0000000..a8bbed0
--- /dev/null
+++ b/packer/build_ami_security/docker-amazon.pkr.hcl
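Review bot: `allow_users.conf` is added, but the task that would install it to `/etc/ssh/sshd_config.d/` is committed commented out in the `sshd_config.yml` hunk on the same line, so this change applies no SSH source restriction at all; if the restriction is meant to be live, uncomment the `copy:` task and give it `notify: restart sshd` like the task above it so the drop-in is read. When it is enabled, `AllowUsers *@10.20.142.*` admits any account from those ranges; pairing the pattern with explicit names (`AllowUsers ubuntu@10.20.142.* ec2-user@10.20.142.*`) narrows it, and `sshd_config.d` drop-ins only take effect where the main `sshd_config` carries an `Include` line — present on Ubuntu 20.04 but, as far as I know, not supported by the OpenSSH shipped with Amazon Linux 2 — so the task needs an OS condition or a `lineinfile` fallback into `sshd_config`. The two hard-coded source ranges would also be easier to audit and rotate as a role variable than as a static file.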
@@ -0,0 +1,49 @@
+packer {
+ required_plugins {
+ amazon = {
+ version = ">= 0.0.2"
+ source = "github.com/hashicorp/amazon"
+ }
+ }
+}
+
+variable "ami_prefix" {
+ type = string
+ default = "docker-amazonlinux"
+}
+
+locals {
+ timestamp = regex_replace(timestamp(), "[- TZ:]", "")
+}
+
+# source 블록에는 실제 빌드할 이미지에 대한 스펙을 정의
+source "amazon-ebs" "docker-amazonlinux" {
+ ami_name = "${var.ami_prefix}-${local.timestamp}"
+ instance_type = "t3.small"
+ region = "ap-northeast-2"
+ source_ami_filter {
+ filters = {
+ image-id = "ami-0eb14fe5735c13eb5"
+ root-device-type = "ebs"
+ virtualization-type = "hvm"
+ }
+ most_recent = true
+ owners = ["137112412989"]
+ }
+ tags = {
+ source_ami_name = "{{ .SourceAMIName }}"
+ }
+ ssh_username = "ec2-user"
+}
+
+build {
+ name = "datasaker-packer"
+ sources = ["source.amazon-ebs.docker-amazonlinux"]
+
+ provisioner "ansible" {
+ playbook_file = "../ansible/docker_roles.yaml"
+ user = "ec2-user"
+ extra_arguments = ["--become"]
+ ansible_env_vars = ["ANSIBLE_HOST_KEY_CHECKING=False"]
+ }
+}
diff --git a/packer/build_ami_security/docker-ubuntu.pkr.hcl b/packer/build_ami_security/docker-ubuntu.pkr.hcl
new file mode 100644
index 0000000..21e0f05
--- /dev/null
+++ b/packer/build_ami_security/docker-ubuntu.pkr.hcl
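Review bot: `version = ">= 0.0.2"` on the `amazon` plugin accepts any future major release, so a plugin upgrade with breaking changes, or a bad release, is pulled into the next build without anyone touching this file; pin to the tested line, e.g. `version = "~> 1.2"` using whatever version current builds run with (the same constraint appears in docker-ubuntu.pkr.hcl). `source_ami_filter` pins `image-id = "ami-0eb14fe5735c13eb5"` and also sets `most_recent = true`, which is harmless but implies the filter may match several AMIs; a comment above the block saying this is the Amazon Linux 2 base image for ap-northeast-2 and how it was selected would help whoever has to refresh it. `ANSIBLE_HOST_KEY_CHECKING=False` is the normal setting for a throw-away Packer builder, but it deserves a one-line comment to that effect because the same line would be a finding anywhere else.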
@@ -0,0 +1,49 @@
+packer {
+ required_plugins {
+ amazon = {
+ version = ">= 0.0.2"
+ source = "github.com/hashicorp/amazon"
+ }
+ }
+}
+
+variable "ami_prefix" {
+ type = string
+ default = "datasaker-node-ubuntu2004"
+}
+
+locals {
+ timestamp = regex_replace(timestamp(), "[- TZ:]", "")
+}
+
+# source 블록에는 실제 빌드할 이미지에 대한 스펙을 정의
+source "amazon-ebs" "datasaker-node-ubuntu2004" {
+ ami_name = "${var.ami_prefix}-${local.timestamp}"
+ instance_type = "t3.small"
+ region = "ap-northeast-2"
+ source_ami_filter {
+ filters = {
+ image-id = "ami-0be886bd314f8bd39"
+ root-device-type = "ebs"
+ virtualization-type = "hvm"
+ }
+ most_recent = true
+ owners = ["099720109477"]
+ }
+ tags = {
+ source_ami_name = "{{ .SourceAMIName }}"
+ }
+ ssh_username = "ubuntu"
+}
+
+build {
+ name = "datasaker-packer"
+ sources = ["source.amazon-ebs.datasaker-node-ubuntu2004"]
+
+ provisioner "ansible" {
+ playbook_file = "../ansible/docker_roles.yaml"
+ user = "ubuntu"
+ extra_arguments = ["--become"]
+ ansible_env_vars = ["ANSIBLE_HOST_KEY_CHECKING=False"]
+ }
+}
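Review bot: The Ubuntu file still carries the node template's identity: `ami_prefix` defaults to `"datasaker-node-ubuntu2004"` and the source is named `"datasaker-node-ubuntu2004"` (referenced again in `sources`), so AMIs produced from this Docker playbook are published under the node name and cannot be told apart from real node images in the console or in any policy keyed on AMI name. Rename both to match the Amazon file's convention, e.g. `default = "docker-ubuntu2004"` and `source "amazon-ebs" "docker-ubuntu2004"`, and update `sources` accordingly. The `>= 0.0.2` plugin constraint and the undocumented `ANSIBLE_HOST_KEY_CHECKING=False` raised on docker-amazon.pkr.hcl apply here as well.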