From 64a0c171f3b3e6335948d173a88a9cde867e34c0 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Mon, 12 Aug 2024 12:47:04 -0400 Subject: [PATCH] ssh user, build cloud profiles and providers --- pillar/hypervisor/nodes.sls | 34 +++++++++++ pillar/top.sls | 1 + salt/libvirt/packages.sls | 5 ++ salt/libvirt/ssh/files/config | 2 + salt/libvirt/ssh/users.sls | 56 +++++++++++++++++++ .../{socloud.conf => socloud.conf.jinja} | 8 ++- .../salt/cloud/cloud.providers.d/libvirt.conf | 11 ---- .../cloud.providers.d/libvirt.conf.jinja | 19 +++++++ salt/salt/cloud/init.sls | 16 ++++++ setup/so-setup | 1 + 10 files changed, 140 insertions(+), 13 deletions(-) create mode 100644 pillar/hypervisor/nodes.sls create mode 100644 salt/libvirt/ssh/files/config create mode 100644 salt/libvirt/ssh/users.sls rename salt/salt/cloud/cloud.profiles.d/{socloud.conf => socloud.conf.jinja} (95%) delete mode 100644 salt/salt/cloud/cloud.providers.d/libvirt.conf create mode 100644 salt/salt/cloud/cloud.providers.d/libvirt.conf.jinja diff --git a/pillar/hypervisor/nodes.sls b/pillar/hypervisor/nodes.sls new file mode 100644 index 000000000..0cdec95d3 --- /dev/null +++ b/pillar/hypervisor/nodes.sls 
@@ -0,0 +1,34 @@ +{% set node_types = {} %} +{% for minionid, ip in salt.saltutil.runner( + 'mine.get', + tgt='G@role:so-hypervisor', + fun='network.ip_addrs', + tgt_type='compound') | dictsort() +%} + +# only add a node to the pillar if it returned an ip from the mine +{% if ip | length > 0%} +{% set hostname = minionid.split('_') | first %} +{% set node_type = minionid.split('_') | last %} +{% if node_type not in node_types.keys() %} +{% do node_types.update({node_type: {hostname: ip[0]}}) %} +{% else %} +{% if hostname not in node_types[node_type] %} +{% do node_types[node_type].update({hostname: ip[0]}) %} +{% else %} +{% do node_types[node_type][hostname].update(ip[0]) %} +{% endif %} +{% endif %} +{% endif %} +{% endfor %} + + +hypervisor: + nodes: +{% for node_type, values in node_types.items() %} + {{node_type}}: +{% for hostname, ip in values.items() %} + {{hostname}}: + ip: {{ip}} +{% endfor %} +{% endfor %} diff --git a/pillar/top.sls b/pillar/top.sls index 1a0d5f8c6..031ff5d3d 100644 --- a/pillar/top.sls +++ b/pillar/top.sls @@ -66,6 +66,7 @@ base: - kafka.nodes - kafka.soc_kafka - kafka.adv_kafka + - hypervisor.nodes - stig.soc_stig '*_sensor': diff --git a/salt/libvirt/packages.sls b/salt/libvirt/packages.sls index dc7db9cf8..bc39d4df1 100644 --- a/salt/libvirt/packages.sls +++ b/salt/libvirt/packages.sls @@ -6,6 +6,11 @@ install_libvirt-libs: pkg.installed: - name: libvirt-libs +# provides virsh +install_libvirt-client: + pkg.installed: + - name: libvirt-client + libvirt_python_wheel: file.recurse: - name: /opt/so/conf/libvirt/source-packages/libvirt-python diff --git a/salt/libvirt/ssh/files/config b/salt/libvirt/ssh/files/config new file mode 100644 index 000000000..25af86b73 --- /dev/null +++ b/salt/libvirt/ssh/files/config @@ -0,0 +1,2 @@ +Host * + IdentityFile /home/soqemussh/.ssh/id_ed25519 diff --git a/salt/libvirt/ssh/users.sls b/salt/libvirt/ssh/users.sls new file mode 100644 index 000000000..5913deb15 --- /dev/null 
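Review bot: The innermost `{% else %}` branch, `{% do node_types[node_type][hostname].update(ip[0]) %}`, calls `.update()` on the string that the first branch stored there (`ip[0]`), so if it is ever reached the pillar fails to render for every minion that includes it. Because `mine.get` keys on unique minion ids, a repeated hostname within one node_type looks unreachable, and the inner if/else can collapse to the single line `{% do node_types[node_type].update({hostname: ip[0]}) %}` inside the outer else. Separately, `ip[0]` keeps only whichever address `network.ip_addrs` lists first, which is not necessarily the management address; a comment such as `# first address from the mine is used — the mine function must be restricted to the management interface` would make that assumption visible to whoever configures the mine.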
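Review bot: The new `- hypervisor.nodes` include lands in whatever target block the hunk's `base:` context opens above it (the target line itself is outside the hunk), and the pillar it pulls in is a mine-derived map of every hypervisor's address that only the manager's salt-cloud states consume in this patch. If that block is broader than the manager role, the inventory is distributed to minions with no use for it; worth confirming the target, since `salt/salt/cloud/init.sls` appears to be role-gated (`{{sls}}_state_not_allowed` in its else branch).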
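Review bot: `Host *` attaches the soqemussh identity to every outbound ssh that root makes from the manager, not only the qemu+ssh connections, and nothing stops the client from also offering agent or default keys; adding `IdentitiesOnly yes` under the stanza limits what is presented, and if the hypervisor names are rendered from the same pillar the stanza can be scoped to them (e.g. `Host hv1 hv2`, constructed example) instead of `*`. salt-cloud's libvirt driver connects non-interactively, so the first connection to each hypervisor also needs that host's key already in root's known_hosts; pre-seeding it with `ssh_known_hosts.present` keeps host-key verification in force rather than leaving a silent prompt-and-hang on first use.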
+++ b/salt/libvirt/ssh/users.sls
@@ -0,0 +1,56 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'vars/globals.map.jinja' import GLOBALS %}
+
+# used for qemu+ssh connection between manager and hypervisors
+create_soqemussh_user:
+ user.present:
+ - name: soqemussh
+ - shell: /bin/bash
+ - home: /home/soqemussh
+{% if not GLOBALS.is_manager %}
+ - groups:
+ - wheel
+{% endif %}
+
+{% if GLOBALS.is_manager %}
+
+create_local_libvirt_ssh_key_dir:
+ file.directory:
+ - name: /opt/so/saltstack/local/salt/libvirt/ssh/keys
+ - user: socore
+ - group: socore
+ - mode: 755
+ - makedirs: True
+
+# generate the key pair and put the pub key in salt local files roots
+generate_ssh_key_soqemussh:
+ cmd.run:
+ - name: ssh-keygen -q -N '' -t ed25519 -f /home/soqemussh/.ssh/id_ed25519
+ - runas: soqemussh
+ - unless: test -f /home/soqemussh/.ssh/id_ed25519
+ - require:
+ - user: create_soqemussh_user
+
+soqemussh_ssh_key_to_local:
+ cmd.run:
+ - name: cp /home/soqemussh/.ssh/id_ed25519.pub /opt/so/saltstack/local/salt/libvirt/ssh/keys
+ - onchanges:
+ - cmd: generate_ssh_key_soqemussh
+
+qemu_ssh_client_config:
+ file.managed:
+ - name: /root/.ssh/config
+ - source: salt://libvirt/ssh/files/config
+
+{% else %}
+
+soqemussh_pub_key:
+ ssh_auth.present:
+ - user: soqemussh
+ - source: salt://libvirt/ssh_keys/id_ed25519.pub
+
+{% endif %}
diff --git a/salt/salt/cloud/cloud.profiles.d/socloud.conf b/salt/salt/cloud/cloud.profiles.d/socloud.conf.jinja
similarity index 95%
rename from salt/salt/cloud/cloud.profiles.d/socloud.conf
rename to salt/salt/cloud/cloud.profiles.d/socloud.conf.jinja
index 9949e219d..da8044323 100644
--- a/salt/salt/cloud/cloud.profiles.d/socloud.conf
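Review bot: `soqemussh_pub_key` fetches `salt://libvirt/ssh_keys/id_ed25519.pub`, but `soqemussh_ssh_key_to_local` copies the public key into `/opt/so/saltstack/local/salt/libvirt/ssh/keys`, which the local file roots serve as `salt://libvirt/ssh/keys/id_ed25519.pub`, so the hypervisor-side `ssh_auth.present` will not find its source; the fix is `- source: salt://libvirt/ssh/keys/id_ed25519.pub`. On the manager, `generate_ssh_key_soqemussh` runs `ssh-keygen -f /home/soqemussh/.ssh/id_ed25519` but nothing creates `/home/soqemussh/.ssh` first (`user.present` makes the home directory, not `.ssh`), so ssh-keygen fails on a fresh host; a `file.directory` for that path owned by soqemussh with mode 700 should precede it, as sketched below. On the hypervisor side the account is added to `wheel`, while a qemu+ssh connection only needs access to the libvirt socket, which the `libvirt` group (or a polkit rule) grants; unless something else depends on sudo for this account, `libvirt` is the narrower grant.
```yaml
# … unchanged: create_local_libvirt_ssh_key_dir …

soqemussh_ssh_dir:
  file.directory:
    - name: /home/soqemussh/.ssh
    - user: soqemussh
    - group: soqemussh
    - mode: 700
    - require:
      - user: create_soqemussh_user

# generate the key pair and put the pub key in salt local files roots
generate_ssh_key_soqemussh:
  cmd.run:
    # … unchanged: name / runas / unless …
    - require:
      - file: soqemussh_ssh_dir
# … unchanged: soqemussh_ssh_key_to_local, qemu_ssh_client_config …
```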
+++ b/salt/salt/cloud/cloud.profiles.d/socloud.conf.jinja @@ -49,8 +49,10 @@ sensor: sls_list: - setHostname -core: - provider: kvm-via-ssh +{%- for hv in HYPERVISORS %} + +core-{{hv}}: + provider: kvm-ssh-{{hv}} base_domain: jppol9vm ip_source: qemu-agent ssh_username: onionuser @@ -64,3 +66,5 @@ core: startup_states: sls sls_list: - setHostname + +{%- endfor %} diff --git a/salt/salt/cloud/cloud.providers.d/libvirt.conf b/salt/salt/cloud/cloud.providers.d/libvirt.conf deleted file mode 100644 index 587653010..000000000 --- a/salt/salt/cloud/cloud.providers.d/libvirt.conf +++ /dev/null @@ -1,11 +0,0 @@ -# Set up a provider with qemu+ssh protocol -kvm-via-ssh: - driver: libvirt - url: qemu+ssh://onionuser@jpphype1/system?socket=/var/run/libvirt/libvirt-sock - -# Or connect to a local libvirt instance -#local-kvm: -# driver: libvirt -# url: qemu:///system - # work around flag for XML validation errors while cloning -# validate_xml: no diff --git a/salt/salt/cloud/cloud.providers.d/libvirt.conf.jinja b/salt/salt/cloud/cloud.providers.d/libvirt.conf.jinja new file mode 100644 index 000000000..5ead21f1f --- /dev/null +++ b/salt/salt/cloud/cloud.providers.d/libvirt.conf.jinja @@ -0,0 +1,19 @@ +# Set up a provider with qemu+ssh protocol +#kvm-ssh-jpphype1: +# driver: libvirt +# url: qemu+ssh://soqemussh@jpphype1/system?socket=/var/run/libvirt/libvirt-sock + +{%- for hv in HYPERVISORS %} + +kvm-ssh-{{hv}}: + driver: libvirt + url: qemu+ssh://soqemussh@{{hv}}/system?socket=/var/run/libvirt/libvirt-sock + +{%- endfor %} + +# Or connect to a local libvirt instance +#local-kvm: +# driver: libvirt +# url: qemu:///system + # work around flag for XML validation errors while cloning +# validate_xml: no diff --git a/salt/salt/cloud/init.sls b/salt/salt/cloud/init.sls index baaf44e88..60ee23067 100644 --- a/salt/salt/cloud/init.sls +++ b/salt/salt/cloud/init.sls 
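Review bot: `{%- for hv in HYPERVISORS %}` iterates the top-level keys of `pillar.hypervisor.nodes`, which nodes.sls builds as `{node_type: {hostname: {ip: ...}}}`, so `hv` is a node type (the last `_` segment of the minion id) rather than a hypervisor hostname, and the generated `core-{{hv}}` profile — and the `kvm-ssh-{{hv}}` provider built by the same loop in libvirt.conf.jinja — would point `qemu+ssh://soqemussh@{{hv}}` at a name that is not a host; I cannot confirm from the patch whether hypervisor minion ids are arranged so that the last segment happens to be the host. The loop needs to descend one level, e.g. `{%- for node_type, hosts in HYPERVISORS.items() %}` / `{%- for hv in hosts %}` with a matching second `{%- endfor %}`, or init.sls should pass the inner mapping instead. The profile's remaining keys (`base_domain`, `ssh_username`, …) are context from before this change and are not affected.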
@@ -15,6 +15,22 @@ install_salt_cloud: - name: salt-cloud - version: {{SALTVERSION}} +cloud_providers: + file.managed: + - name: /etc/salt/cloud.providers.d/libvirt.conf + - source: salt://salt/cloud/cloud.providers.d/libvirt.conf.jinja + - defaults: + HYPERVISORS: {{pillar.hypervisor.nodes}} + - template: jinja + +cloud_profiles: + file.managed: + - name: /etc/salt/cloud.profiles.d/socloud.conf + - source: salt://salt/cloud/cloud.profiles.d/socloud.conf.jinja + - defaults: + HYPERVISORS: {{pillar.hypervisor.nodes}} + - template: jinja + {% else %} {{sls}}_state_not_allowed: diff --git a/setup/so-setup b/setup/so-setup index 5ae0a5218..1c7efbd68 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -629,6 +629,7 @@ if ! [[ -f $install_opt_file ]]; then check_requirements networking_needful configure_hyper_bridge + MNIC=br0 collect_mngr_hostname add_mngr_ip_to_hosts check_manager_connection
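Review bot: `HYPERVISORS: {{pillar.hypervisor.nodes}}` in both `cloud_providers` and `cloud_profiles` splices the Python repr of the pillar dict into the YAML; it happens to parse as flow-style YAML today, but `{{ pillar.hypervisor.nodes | tojson }}` is the form that stays valid for arbitrary values. When no hypervisor has published an address yet, nodes.sls renders `nodes:` with no children, so the value is None and the templates' `for hv in HYPERVISORS` fails with a not-iterable error, taking the whole cloud state down on a fresh manager; `HYPERVISORS: {{ (salt['pillar.get']('hypervisor:nodes') or {}) | tojson }}` covers both the missing-pillar and the empty case, with the templates then simply emitting no providers or profiles.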
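Review bot: `MNIC=br0` is assigned unconditionally right after `configure_hyper_bridge`, so every install path through this branch now treats br0 as the management NIC whether or not a bridge was actually created; if configure_hyper_bridge is itself conditional (its body is outside the hunk), the following `collect_mngr_hostname` and `add_mngr_ip_to_hosts` steps would resolve the manager address on an interface that may not exist. Either set MNIC inside configure_hyper_bridge at the point where the bridge is known to be up, or guard the assignment: `if ip link show br0 &>/dev/null; then MNIC=br0; fi`. The enclosing `if ! [[ -f $install_opt_file ]]` block begins and ends outside the hunk.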