docker images update

packer/ansible/roles/docker/handlers/main.yml

@@ -0,0 +1,10 @@
+---
+- name: Reload systemd configuration
+  service:
+    daemon_reload: True
+
+- name: Restart docker service
+  service:
+    name: docker
+    enabled: true
+    state: restarted

packer/ansible/roles/docker/tasks/00-amazon-os-main.yml

@@ -0,0 +1,86 @@
+---
+- name: Update and upgrade yum packages
+  yum:
+    name: "*"
+    state: latest
+
+- name: Install yum packages
+  yum:
+    name: "{{ item }}"
+    state: present
+  with_items:
+    - python-pip
+    - yum-utils
+    - device-mapper-persistent-data
+    - lvm2
+    - amazon-linux-extras      
+
+- name: Add extras repository
+  shell: yum-config-manager --enable extras
+
+- name: Disable firewalld
+  systemd: name=firewalld state=stopped
+  ignore_errors: yes
+  tags:
+   - install
+   - atomic
+   - firewalld
+
+- name: Disable SWAP since kubernetes can't work with swap enabled (1/2)
+  command: 'swapoff -a'
+
+    # - name: Disable SWAP in fstab since kubernetes can't work with swap enabled (2/2)
+    #   replace:
+    #     path: /etc/fstab
+    #     regexp: '^([^#].*?\sswap\s+sw\s+.*)$'
+    #     replace: '# \1'
+
+- name: Disable SWAP in fstab since kubernetes can't work with swap enabled (2/2)
+  become: true
+  lineinfile:
+    path: /etc/fstab
+    regexp: '^/dev/mapper/.*swap'
+    line: '# {{ item }}'
+      #  when: item is search('^/dev/mapper/.*swap')
+  loop: "{{ lookup('file', '/etc/fstab').split('\n') }}"
+
+- name: Add br_netfilter to module autoload
+  lineinfile:
+    path: /etc/modules-load.d/k8s2.conf
+    line: "{{ item }}"
+    create: true
+  with_items:
+    - 'overlay'
+    - 'br_netfilter'
+
+- name: Add br_netfilter to module autoload
+  modprobe:
+    name: "{{ item }}"
+    state: present
+  become: true
+  with_items:
+    - 'overlay'
+    - 'br_netfilter'
+
+- name: Add br_netfilter to module autoload
+  lineinfile:
+    path: /etc/sysctl.d/k8s.conf
+    line: "{{ item }}"
+    create: true
+  with_items:
+    - 'net.bridge.bridge-nf-call-iptables  = 1'
+    - 'net.bridge.bridge-nf-call-ip6tables = 1'
+    - 'net.ipv4.ip_forward                 = 1'
+
+- name: Disable net.bridge.bridge-nf-call-iptables
+  sysctl:
+    name: "{{ item }}"
+    value: 1
+  with_items:
+    - 'net.bridge.bridge-nf-call-iptables'
+    - 'net.bridge.bridge-nf-call-ip6tables'
+
+- name: Disable net.ipv4.ip_forward
+  sysctl:
+    name: net.ipv4.ip_forward
+    value: "1"

packer/ansible/roles/docker/tasks/00-ubuntu-os-main.yml

@@ -0,0 +1,66 @@
+---
+- name: Update and upgrade apt packages
+  apt:
+    upgrade: yes
+    update_cache: yes
+    force_apt_get: yes
+    cache_valid_time: 86400
+
+- name: Install apt packages
+  apt:
+    name: ['apt-transport-https', 'ca-certificates', 'curl', 'gnupg', 'lsb-release']
+    state: present
+
+- name: Disable ufw 
+  command: 'ufw disable'
+  when: ansible_distribution_version == '20.04'
+
+- name: Disable SWAP since kubernetes can't work with swap enabled (1/2)
+  command: 'swapoff -a'
+
+- name: Disable SWAP in fstab since kubernetes can't work with swap enabled (2/2)
+  replace:
+    path: /etc/fstab
+    regexp: '^([^#].*?\sswap\s+sw\s+.*)$'
+    replace: '# \1'
+
+- name: Add br_netfilter to module autoload
+  lineinfile:
+    path: /etc/modules-load.d/k8s.conf
+    line: "{{ item }}"
+    create: true
+  with_items:
+    - 'overlay'
+    - 'br_netfilter'
+
+- name: Add br_netfilter to module autoload
+  modprobe:
+    name: "{{ item }}"
+    state: present
+  become: true
+  with_items:
+    - 'overlay'
+    - 'br_netfilter'
+
+- name: Add br_netfilter to module autoload
+  lineinfile:
+    path: /etc/sysctl.d/k8s.conf
+    line: "{{ item }}"
+    create: true
+  with_items:
+    - 'net.bridge.bridge-nf-call-iptables  = 1'
+    - 'net.bridge.bridge-nf-call-ip6tables = 1'
+    - 'net.ipv4.ip_forward                 = 1'
+
+- name: Disable net.bridge.bridge-nf-call-iptables
+  sysctl:
+    name: "{{ item }}"
+    value: 1
+  with_items:
+    - 'net.bridge.bridge-nf-call-iptables'
+    - 'net.bridge.bridge-nf-call-ip6tables'
+
+- name: Disable net.ipv4.ip_forward
+  sysctl:
+    name: net.ipv4.ip_forward
+    value: "1"

packer/ansible/roles/docker/tasks/01-amazon-os-docker.yml

@@ -0,0 +1,53 @@
+---
+- name: Install docker-ce (centos) via amazon-linux-extras packages
+  shell: "amazon-linux-extras install docker -y"
+
+- name: Ensure Python pip packages are installed
+  pip:
+    name: "{{ item }}"
+  with_items:
+    - boto
+    - boto3
+    - docker-compose
+
+#- name: Add docker script
+#  command: curl -fsSL https://get.docker.com -o /root/get-docker.sh
+#
+#- name: install docker
+#  command: sh /root/get-docker.sh
+#
+- name: Create docker configuration directory
+  file:
+    path: /etc/docker
+    state: directory
+
+#- name: Install required packages
+#  yum:
+#    name: ['docker-ce']
+#    state: present
+#  notify:
+#    - Reload systemd configuration
+#    - Restart docker service
+
+- name: Configure docker
+  template:
+    src: daemon.json.j2
+    dest: /etc/docker/daemon.json
+  notify:
+    - Reload systemd configuration
+    - Restart docker service
+
+#- name: Delete containerd config
+#  file:
+#    path: /etc/containerd/config.toml
+#    state: absent
+#  notify:
+#    - Restart containerd service
+
+- meta: flush_handlers
+
+- name: Enable docker service
+  service:
+    name: docker
+    enabled: True
+    state: started

packer/ansible/roles/docker/tasks/01-ubuntu-os-docker.yml

@@ -0,0 +1,19 @@
+---
+- name: Add docker script
+  command: curl -fsSL https://get.docker.com -o /root/get-docker.sh
+
+- name: install docker
+  command: sh /root/get-docker.sh
+
+- name: Create docker configuration directory
+  file:
+    path: /etc/docker
+    state: directory
+
+- name: Configure docker
+  template:
+    src: daemon.json.j2
+    dest: /etc/docker/daemon.json
+  notify:
+    - Reload systemd configuration
+    - Restart docker service

packer/ansible/roles/docker/tasks/main.yml

@@ -0,0 +1,19 @@
+---
+- name: Gather Ansible Facts
+  ansible.builtin.setup:
+
+- include: 00-amazon-os-main.yml
+  tags: amazon
+  when: ansible_facts.os_family == 'RedHat' 
+
+- include: 00-ubuntu-os-main.yml
+  tags: ubuntu
+  when: ansible_facts.os_family == 'Debian'
+
+- include: 01-amazon-os-docker.yml
+  tags: cent-docker
+  when: ansible_facts.os_family == 'RedHat'
+
+- include: 01-ubuntu-os-docker.yml
+  tags: ubuntu-docker
+  when: ansible_facts.os_family == 'Debian'

packer/ansible/roles/docker/tasks/sysctl.yml

@@ -0,0 +1,8 @@
+---
+- name: Add pam_tally2.so 
+  template:
+    src: sysctl.j2
+    dest: /etc/sysctl.conf
+    owner: root
+    group: root
+    mode: 0644

packer/ansible/roles/docker/templates/common-auth.j2

@@ -0,0 +1,27 @@
+#
+# /etc/pam.d/common-auth - authentication settings common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of the authentication modules that define
+# the central authentication scheme for use on the system
+# (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
+# traditional Unix authentication mechanisms.
+#
+# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
+# To take advantage of this, it is recommended that you configure any
+# local modules either before or after the default block, and use
+# pam-auth-update to manage selection of other modules.  See
+# pam-auth-update(8) for details.
+auth	required			pam_tally2.so onerr={{onerr}} even_deny_root deny={{deny}} unlock_time={{unlock_time}}
+
+# here are the per-package modules (the "Primary" block)
+auth    [success=1 default=ignore]      pam_unix.so nullok
+# here's the fallback if no module succeeds
+auth    requisite                       pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+auth    required                        pam_permit.so
+# since the modules above will each just jump around
+# and here are more per-package modules (the "Additional" block)
+auth    optional                        pam_cap.so
+# end of pam-auth-update config

packer/ansible/roles/docker/templates/daemon.json.j2

@@ -0,0 +1,9 @@
+{
+  "exec-opts": ["native.cgroupdriver=systemd"],
+  "log-driver": "json-file",
+  "log-opts": {
+    "max-size": "100m"
+  },
+  "storage-driver": "overlay2",
+  "insecure-registries": ["10.10.31.243:5000"]
+}

packer/ansible/roles/docker/templates/pwquality.conf.j2

@@ -0,0 +1,50 @@
+# Configuration for systemwide password quality limits
+# Defaults:
+#
+# Number of characters in the new password that must not be present in the
+# old password.
+# difok = 5
+#
+# Minimum acceptable size for the new password (plus one if
+# credits are not disabled which is the default). (See pam_cracklib manual.)
+# Cannot be set to lower value than 6.
+minlen = {{pwquality_minlen}}
+#
+# The maximum credit for having digits in the new password. If less than 0
+# it is the minimum number of digits in the new password.
+dcredit = {{pwquality_dcredit}}
+#
+# The maximum credit for having uppercase characters in the new password.
+# If less than 0 it is the minimum number of uppercase characters in the new
+# password.
+ucredit = {{pwquality_ucredit}}
+#
+# The maximum credit for having lowercase characters in the new password.
+# If less than 0 it is the minimum number of lowercase characters in the new
+# password.
+lcredit = {{pwquality_lcredit}}
+#
+# The maximum credit for having other characters in the new password.
+# If less than 0 it is the minimum number of other characters in the new
+# password.
+ocredit = {{pwquality_ocredit}}
+#
+# The minimum number of required classes of characters for the new
+# password (digits, uppercase, lowercase, others).
+# minclass = 0
+#
+# The maximum number of allowed consecutive same characters in the new password.
+# The check is disabled if the value is 0.
+maxrepeat = {{pwquality_maxrepeat}}
+#
+# The maximum number of allowed consecutive characters of the same class in the
+# new password.
+# The check is disabled if the value is 0.
+# maxclassrepeat = 0
+#
+# Whether to check for the words from the passwd entry GECOS string of the user.
+# The check is enabled if the value is not 0.
+# gecoscheck = 0
+#
+# Path to the cracklib dictionaries. Default is to use the cracklib default.
+# dictpath =

packer/ansible/roles/docker/templates/sysctl.j2

@@ -0,0 +1,82 @@
+#
+# /etc/sysctl.conf - Configuration file for setting system variables
+# See /etc/sysctl.d/ for additional system variables.
+# See sysctl.conf (5) for information.
+#
+
+#kernel.domainname = example.com
+
+# Uncomment the following to stop low-level messages on console
+#kernel.printk = 3 4 1 3
+
+###################################################################
+# Functions previously found in netbase
+#
+
+# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
+# Turn on Source Address Verification in all interfaces to
+# prevent some spoofing attacks
+#net.ipv4.conf.default.rp_filter=1
+#net.ipv4.conf.all.rp_filter=1
+
+# Uncomment the next line to enable TCP/IP SYN cookies
+# See http://lwn.net/Articles/277146/
+# Note: This may impact IPv6 TCP sessions too
+#net.ipv4.tcp_syncookies=1
+
+# Uncomment the next line to enable packet forwarding for IPv4
+#net.ipv4.ip_forward=1
+
+# Uncomment the next line to enable packet forwarding for IPv6
+#  Enabling this option disables Stateless Address Autoconfiguration
+#  based on Router Advertisements for this host
+#net.ipv6.conf.all.forwarding=1
+
+
+###################################################################
+# Additional settings - these settings can improve the network
+# security of the host and prevent against some network attacks
+# including spoofing attacks and man in the middle attacks through
+# redirection. Some network environments, however, require that these
+# settings are disabled so review and enable them as needed.
+#
+# Do not accept ICMP redirects (prevent MITM attacks)
+#net.ipv4.conf.all.accept_redirects = 0
+#net.ipv6.conf.all.accept_redirects = 0
+# _or_
+# Accept ICMP redirects only for gateways listed in our default
+# gateway list (enabled by default)
+# net.ipv4.conf.all.secure_redirects = 1
+#
+# Do not send ICMP redirects (we are not a router)
+#net.ipv4.conf.all.send_redirects = 0
+#
+# Do not accept IP source route packets (we are not a router)
+#net.ipv4.conf.all.accept_source_route = 0
+#net.ipv6.conf.all.accept_source_route = 0
+#
+# Log Martian Packets
+#net.ipv4.conf.all.log_martians = 1
+#
+
+###################################################################
+# Magic system request Key
+# 0=disable, 1=enable all, >1 bitmask of sysrq functions
+# See https://www.kernel.org/doc/html/latest/admin-guide/sysrq.html
+# for what other values do
+#kernel.sysrq=438
+
+vm.dirty_background_ratio = 5
+vm.dirty_ratio = 80
+
+net.core.default_qdisc = fq
+net.core.rmem_max = 268435456
+net.core.wmem_max = 268435456
+net.ipv4.conf.all.arp_announce = 2
+net.ipv4.conf.all.arp_filter = 1
+net.ipv4.conf.all.arp_ignore = 1
+net.ipv4.conf.default.arp_filter = 1
+net.ipv4.tcp_congestion_control = htcp
+net.ipv4.tcp_no_metrics_save = 1
+net.ipv4.tcp_rmem = 4096 87380 134217728
+net.ipv4.tcp_wmem = 4096 65536 134217728

packer/ansible/roles/node/templates/sysctl.j2

@@ -66,6 +66,9 @@
 # for what other values do
 #kernel.sysrq=438
 
+vm.dirty_background_ratio = 5
+vm.dirty_ratio = 80
+
 net.core.default_qdisc = fq
 net.core.rmem_max = 268435456
 net.core.wmem_max = 268435456

packer/ansible/roles/security-settings/files/allow_users.conf

@@ -0,0 +1,2 @@
+AllowUsers *@10.20.142.*
+AllowUsers *@10.10.43.*

packer/ansible/roles/security-settings/tasks/sshd_config.yml

@@ -21,3 +21,11 @@
     group: root
     mode: 0640
   notify: restart sshd
+
+    #- name: SSH AllowUsers Setting
+    #  copy:
+    #    src: allow_users.conf
+    #    dest: /etc/ssh/sshd_config.d/allow_users.conf
+    #    owner: root
+    #    group: root
+    #    mode: 0644