From f1df30992395394a093598fc543addbfc780814c Mon Sep 17 00:00:00 2001
From: surtur
Date: Fri, 14 May 2021 07:24:41 +0200
Subject: [PATCH] chore: update cloudinit configs
* make sure ntp is enabled
* set timezone
* disable makecache timer
* write dnf.conf
* noatime on root fs
* fix package installation and upgrades
---
vms/cloudinit.host-attacker.cfg | 36 +++++++++++++++++++++++++++------
vms/cloudinit.host-defender.cfg | 36 +++++++++++++++++++++++++++------
vms/cloudinit.host-victim.cfg | 28 +++++++++++++++++++++----
vms/cloudinit.router.cfg | 27 +++++++++++++++++++++----
4 files changed, 107 insertions(+), 20 deletions(-)
diff --git a/vms/cloudinit.host-attacker.cfg b/vms/cloudinit.host-attacker.cfg
index 46c1c3e..0a6cbfd 100644
--- a/vms/cloudinit.host-attacker.cfg
+++ b/vms/cloudinit.host-attacker.cfg
@@ -4,6 +4,26 @@ runcmd:
- cat /etc/resolv.conf
- uname -r
+ - timedatectl set-ntp 1
+ - timedatectl set-timezone Europe/Bratislava
+ - systemctl disable --now dnf-makecache.timer
+ - dnf config-manager --set-enabled updates updates-testing
+ - dnf upgrade --refresh -y
+ - dnf distro-sync -y
+ - dnf clean all
+ - sed -i "s/ext4 * defaults *1 1/ext4 noatime 0 0/" /etc/fstab
+
+write_files:
+ - content: |
+ [main]
+ gpg_check=1
+ installonly_limit=2
+ clean_requirements_on_remove=True
+ fastestmirror=True
+ max_parallel_downloads=7
+ path: /etc/dnf/dnf.conf
+ owner: root:root
+ permissions: '0644'
ssh_pwauth: true
chpasswd:
@@ -41,9 +61,10 @@ hostname: ${hostname}
# reboot after fqdn is set to update the info in libvirt's dnsmasq
power_state:
- delay: "+1"
- mode: reboot
- condition: true
+ delay: "+1"
+ mode: reboot
+ condition: true
+ timeout: 120 # seconds
packages:
- vim
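Review bot: The fstab rewrite in runcmd, `sed -i "s/ext4 * defaults *1 1/ext4 noatime 0 0/" /etc/fstab`, silently does nothing when the root entry is tab-separated or has more than one space between the two pass numbers, and runcmd gives no signal when the substitution does not match, so the "noatime on root fs" goal can fail without anyone noticing. A whitespace-tolerant pattern such as `- sed -i -E "s/ext4[[:space:]]+defaults[[:space:]]+1[[:space:]]+1/ext4 noatime 0 0/" /etc/fstab` followed by `- grep -q "noatime" /etc/fstab` would make the step both robust and self-checking. The same line appears in the defender and router runcmd hunks. Separately, `dnf config-manager --set-enabled updates updates-testing` pulls packages that have not yet reached the stable updates repo onto these hosts; if that is intentional for the lab, a one-line comment saying so (`# updates-testing: pre-release packages, on purpose for the lab`) would keep a later reader from "fixing" it.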
@@ -54,12 +75,15 @@ packages:
- kernel-devel
- kernel-headers
- nmap
- - python39 # for ansible
- - "@Security Lab"
+ # use python3 instead of python39 or similar; python3 is certain to point to
+ # the latest python version available in the repositories (apart from
+ # python3-devel perhaps)
+ - python3 # for ansible
+ - "@security-lab"
- sudo
- tcpdump
- tcpflow
- tcptrack
-package_upgrade: true
+package_upgrade: false
package_reboot_if_required: true
diff --git a/vms/cloudinit.host-defender.cfg b/vms/cloudinit.host-defender.cfg
index a8cf4e6..dc3d175 100644
--- a/vms/cloudinit.host-defender.cfg
+++ b/vms/cloudinit.host-defender.cfg
@@ -4,6 +4,26 @@ runcmd:
- cat /etc/resolv.conf
- uname -r
+ - timedatectl set-ntp 1
+ - timedatectl set-timezone Europe/Bratislava
+ - systemctl disable --now dnf-makecache.timer
+ - dnf config-manager --set-enabled updates updates-testing
+ - dnf upgrade --refresh -y
+ - dnf distro-sync -y
+ - dnf clean all
+ - sed -i "s/ext4 * defaults *1 1/ext4 noatime 0 0/" /etc/fstab
+
+write_files:
+ - content: |
+ [main]
+ gpg_check=1
+ installonly_limit=2
+ clean_requirements_on_remove=True
+ fastestmirror=True
+ max_parallel_downloads=7
+ path: /etc/dnf/dnf.conf
+ owner: root:root
+ permissions: '0644'
ssh_pwauth: true
chpasswd:
@@ -35,9 +55,10 @@ hostname: ${hostname}
# reboot after fqdn is set to update the info in libvirt's dnsmasq
power_state:
- delay: "+1"
- mode: reboot
- condition: true
+ delay: "+1"
+ mode: reboot
+ condition: true
+ timeout: 120 # seconds
packages:
- vim
@@ -48,12 +69,15 @@ packages:
- kernel-devel
- kernel-headers
- nmap
- - python39 # for ansible
- - "@Security Lab"
+ # use python3 instead of python39 or similar; python3 is certain to point to
+ # the latest python version available in the repositories (apart from
+ # python3-devel perhaps)
+ - python3 # for ansible
+ - "@security-lab"
- sudo
- tcpdump
- tcpflow
- tcptrack
-package_upgrade: true
+package_upgrade: false
package_reboot_if_required: true
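Review bot: `package_upgrade: false` is left unexplained, and on its own it reads as "this host is not kept up to date", which is the opposite of what the commit does: the upgrade has moved into runcmd as `dnf upgrade --refresh -y` plus `dnf distro-sync -y`. A comment above the key would stop the next maintainer from flipping it back: `# upgrades run in runcmd (dnf upgrade + distro-sync), which cloud-init's own package_upgrade cannot express`. Note also that `package_reboot_if_required: true` is, as I understand cloud-init, evaluated by the package module and not by runcmd, so a kernel update pulled in by the runcmd upgrade would not trigger it by itself; the unconditional `power_state` reboot is what actually covers that case, and that dependency is worth a comment too. The defender file's third hunk has the identical change.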
diff --git a/vms/cloudinit.host-victim.cfg b/vms/cloudinit.host-victim.cfg
index 78e8833..a1bc810 100644
--- a/vms/cloudinit.host-victim.cfg
+++ b/vms/cloudinit.host-victim.cfg
@@ -4,6 +4,23 @@ runcmd:
- cat /etc/resolv.conf
- uname -r
+ # - echo -e "[main]\ngpg_check=1\ninstallonly_limit=2\nclean_requirements_on_remove=True\nfastestmirror=True\nmax_parallel_downloads=7" > /etc/dnf/dnf.conf
+ - timedatectl set-ntp 1
+ - timedatectl set-timezone Europe/Bratislava
+ - dnf config-manager --set-enabled cr powertools
+ - sed -i "s/xfs * defaults *1 1/ext4 noatime 0 0/" /etc/fstab
+
+write_files:
+ - content: |
+ [main]
+ gpg_check=1
+ installonly_limit=2
+ clean_requirements_on_remove=True
+ fastestmirror=True
+ max_parallel_downloads=7
+ path: /etc/dnf/dnf.conf
+ owner: root:root
+ permissions: '0644'
ssh_pwauth: true
chpasswd:
@@ -41,13 +58,16 @@ hostname: ${hostname}
# reboot after fqdn is set to update the info in libvirt's dnsmasq
power_state:
- delay: "+1"
- mode: reboot
- condition: true
+ delay: "+1"
+ mode: reboot
+ condition: true
packages:
+ # install python3; it's a metapackage that points to the latest available
+ # version in the distro repositories; currently python 3.7.x for centos8
+ - python3 # for ansible
- sudo
- - python39 # for ansible
+ - vim
package_upgrade: true
package_reboot_if_required: true
diff --git a/vms/cloudinit.router.cfg b/vms/cloudinit.router.cfg
index eb7d049..abecf90 100644
--- a/vms/cloudinit.router.cfg
+++ b/vms/cloudinit.router.cfg
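Review bot: The victim's fstab rewrite changes the filesystem type field, not just the options: `sed -i "s/xfs * defaults *1 1/ext4 noatime 0 0/" /etc/fstab` matches an xfs root entry and writes back `ext4`, so after the `power_state` reboot the fstab line describes a filesystem type that is not what is on disk, and any remount or fsck that consults it may fail or be skipped. The replacement should keep the type: `- sed -i "s/xfs * defaults *1 1/xfs noatime 0 0/" /etc/fstab`. The commented-out `echo -e "[main]..." > /etc/dnf/dnf.conf` line above it duplicates the `write_files` entry added in the same hunk and should be dropped rather than kept as dead text. Finally, the commit message promises "disable makecache timer", but only the attacker and defender runcmd lists gain `systemctl disable --now dnf-makecache.timer`; the victim and router lists here do not, so either the message or these two files is incomplete.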
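Review bot: The re-indented `power_state` block here has no `timeout`, unlike the attacker and defender files where the same hunk adds `timeout: 120 # seconds`, and this file keeps `package_upgrade: true`, so cloud-init's final stage can easily run longer than the module's default wait (30 s, if I remember cc_power_state_change correctly). As I read that module, when the wait expires the reboot is abandoned rather than forced, which would leave the hostname refresh in libvirt's dnsmasq that the comment above relies on undone. Adding `timeout: 120 # seconds` under `condition: true` would make the four files consistent and the reboot reliable; the router file's second hunk has the same omission.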
@@ -4,6 +4,22 @@ runcmd:
- cat /etc/resolv.conf
- uname -r
+ - timedatectl set-ntp 1
+ - timedatectl set-timezone Europe/Bratislava
+ - dnf config-manager --set-enabled updates updates-testing
+ - sed -i "s/ext4 * defaults *1 1/ext4 noatime 0 0/" /etc/fstab
+
+write_files:
+ - content: |
+ [main]
+ gpg_check=1
+ installonly_limit=2
+ clean_requirements_on_remove=True
+ fastestmirror=True
+ max_parallel_downloads=7
+ path: /etc/dnf/dnf.conf
+ owner: root:root
+ permissions: '0644'
ssh_pwauth: true
chpasswd:
@@ -35,15 +51,18 @@ hostname: ${hostname}
# reboot after fqdn is set to update the info in libvirt's dnsmasq
power_state:
- delay: "+1"
- mode: reboot
- condition: true
+ delay: "+1"
+ mode: reboot
+ condition: true
packages:
- vim
- frr
- htop
- - python39 # for ansible
+ # use python3 instead of python39 or similar; python3 is certain to point to
+ # the latest python version available in the repositories (apart from
+ # python3-devel perhaps)
+ - python3 # for ansible
- sudo
package_upgrade: true