update

2023-05-30 14:44:26 +09:00
parent 9a3174deef
commit 4c32a7239d
2598 changed files with 164595 additions and 487 deletions
--- a/ansible/roles/security-settings/files/containerd_default_config.toml
+++ b/ansible/roles/security-settings/files/containerd_default_config.toml
@@ -0,0 +1,39 @@
+version = 2
+root = "/var/lib/containerd"
+state = "/run/containerd"
+oom_score = 0
+
+[grpc]
+  max_recv_message_size = 16777216
+  max_send_message_size = 16777216
+
+[debug]
+  level = "info"
+
+[metrics]
+  address = ""
+  grpc_histogram = false
+
+[plugins]
+  [plugins."io.containerd.grpc.v1.cri"]
+    sandbox_image = "registry.k8s.io/pause:3.7"
+    max_container_log_line_size = -1
+    enable_unprivileged_ports = false
+    enable_unprivileged_icmp = false
+    [plugins."io.containerd.grpc.v1.cri".containerd]
+      default_runtime_name = "runc"
+      snapshotter = "overlayfs"
+      [plugins."io.containerd.grpc.v1.cri".containerd.runtimes]
+        [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
+          runtime_type = "io.containerd.runc.v2"
+          runtime_engine = ""
+          runtime_root = ""
+          base_runtime_spec = "/etc/containerd/cri-base.json"
+
+          [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options]
+            systemdCgroup = true
+    [plugins."io.containerd.grpc.v1.cri".registry]
+      [plugins."io.containerd.grpc.v1.cri".registry.mirrors]
+        [plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]
+          endpoint = ["https://registry-1.docker.io"]
+
--- a/ansible/roles/security-settings/files/containerd_dsk_config.toml
+++ b/ansible/roles/security-settings/files/containerd_dsk_config.toml
@@ -0,0 +1,60 @@
+version = 2
+root = "/var/lib/containerd"
+state = "/run/containerd"
+oom_score = 0
+
+[grpc]
+  max_recv_message_size = 16777216
+  max_send_message_size = 16777216
+
+[debug]
+  level = "info"
+
+[metrics]
+  address = ""
+  grpc_histogram = false
+
+[plugins]
+  [plugins."io.containerd.grpc.v1.cri"]
+    sandbox_image = "registry.k8s.io/pause:3.7"
+    max_container_log_line_size = -1
+    enable_unprivileged_ports = false
+    enable_unprivileged_icmp = false
+    [plugins."io.containerd.grpc.v1.cri".containerd]
+      default_runtime_name = "runc"
+      snapshotter = "overlayfs"
+      [plugins."io.containerd.grpc.v1.cri".containerd.runtimes]
+        [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
+          runtime_type = "io.containerd.runc.v2"
+          runtime_engine = ""
+          runtime_root = ""
+          base_runtime_spec = "/etc/containerd/cri-base.json"
+
+          [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options]
+            systemdCgroup = true
+    [plugins."io.containerd.grpc.v1.cri".registry]
+      [plugins."io.containerd.grpc.v1.cri".registry.mirrors]
+        [plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]
+          endpoint = ["https://registry-1.docker.io"]
+        [plugins."io.containerd.grpc.v1.cri".registry.mirrors."10.10.31.243:5000"]
+          endpoint = ["http://10.10.31.243:5000"]
+        [plugins."io.containerd.grpc.v1.cri".registry.mirrors."10.10.43.240:30500"]
+          endpoint = ["http://10.10.43.240:30500"]
+
+      [plugins."io.containerd.grpc.v1.cri".registry.headers]
+
+      [plugins."io.containerd.grpc.v1.cri".registry.configs]
+        [plugins."io.containerd.grpc.v1.cri".registry.configs."10.10.31.243:5000".tls]
+          insecure_skip_verify = true
+        [plugins."io.containerd.grpc.v1.cri".registry.configs."10.10.31.243:5000".auth]
+          username = "core"
+          password = "coreadmin1234"
+        [plugins."io.containerd.grpc.v1.cri".registry.configs."10.10.43.240:30500".tls]
+          insecure_skip_verify = true
+        [plugins."io.containerd.grpc.v1.cri".registry.configs."10.10.43.240:30500".auth]
+          username = "dsk"
+          password = "dskadmin1234"
+        [plugins."io.containerd.grpc.v1.cri".registry.configs."docker.io".auth]
+          username = "datasaker"
+          password = "dckr_pat_kQP6vcHm_jMChWd_zvgH_G3kucc"
+
--- a/ansible/roles/security-settings/files/login_banner
+++ b/ansible/roles/security-settings/files/login_banner
@@ -0,0 +1,20 @@
+#!/bin/sh
+printf '''
+  |-----------------------------------------------------------------|
+  | This system is for the use of authorized users only.            |
+  | Individuals using this computer system without authority, or in |
+  | excess of their authority, are subject to having all of their   |
+  | activities on this system monitored and recorded by system      |
+  | personnel.                                                      |
+  |                                                                 |
+  | In the course of monitoring individuals improperly using this   |
+  | system, or in the course of system maintenance, the activities  |
+  | of authorized users may also be monitored.                      |
+  |                                                                 |
+  | Anyone using this system expressly consents to such monitoring  |
+  | and is advised that if such monitoring reveals possible         |
+  | evidence of criminal activity, system personnel may provide the |
+  | evidence of such monitoring to law enforcement officials.       |
+  |-----------------------------------------------------------------|
+'''
+
--- a/ansible/roles/security-settings/files/systemd_limit.conf
+++ b/ansible/roles/security-settings/files/systemd_limit.conf
@@ -0,0 +1,3 @@
+#[Manager]
+#DefaultLimitNOFILE=65535:65535
+#DefaultLimitNPROC=65536:65536