8
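--- a/ansible/roles/providers/files/etc/azure/iptables
+++ b/ansible/roles/providers/files/etc/azure/iptables
@@ -0,0 +1,8 @@
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+-A FORWARD -d 168.63.129.16/32 -p tcp -m tcp --dport 80 -m comment --comment "block traffic to 168.63.129.16 for cve-2021-27075" -j DROP
+-A OUTPUT -d 168.63.129.16/32 -p tcp -m owner --uid-owner 0 -j ACCEPT
+-A OUTPUT -d 168.63.129.16/32 -p tcp -m conntrack --ctstate INVALID,NEW -j DROP
+COMMIT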
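Review bot: The FORWARD rule drops only TCP port 80 to 168.63.129.16, while the OUTPUT pair gates every TCP port to that address on uid 0 plus connection state; if the narrower forward match is intentional it should be said, because forwarded traffic to any other wireserver port passes under the ACCEPT default policy. The two OUTPUT rules also lack the `-m comment` the FORWARD rule carries, so a reader of `iptables-save` output cannot tell they belong to the same mitigation; suggest `-m comment --comment "cve-2021-27075: only root may open new connections to the wireserver"` on both. Note the DROP on INVALID,NEW leaves connections that are already ESTABLISHED untouched, so the file only protects connections opened after it is restored.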
@ -0,0 +1,67 @@
|
||||
## This yaml formated config file handles setting
|
||||
## logger information. The values that are necessary to be set
|
||||
## are seen at the bottom. The top '_log' are only used to remove
|
||||
## redundency in a syslog and fallback-to-file case.
|
||||
##
|
||||
## The 'log_cfgs' entry defines a list of logger configs
|
||||
## Each entry in the list is tried, and the first one that
|
||||
## works is used. If a log_cfg list entry is an array, it will
|
||||
## be joined with '\n'.
|
||||
_log:
|
||||
- &log_base |
|
||||
[loggers]
|
||||
keys=root,cloudinit
|
||||
|
||||
[handlers]
|
||||
keys=consoleHandler,cloudLogHandler
|
||||
|
||||
[formatters]
|
||||
keys=simpleFormatter,arg0Formatter
|
||||
|
||||
[logger_root]
|
||||
level=DEBUG
|
||||
formatter=arg0Formatter
|
||||
handlers=consoleHandler,cloudLogHandler
|
||||
|
||||
[logger_cloudinit]
|
||||
level=DEBUG
|
||||
qualname=cloudinit
|
||||
handlers=
|
||||
propagate=1
|
||||
|
||||
[handler_consoleHandler]
|
||||
class=StreamHandler
|
||||
level=WARNING
|
||||
formatter=arg0Formatter
|
||||
args=(sys.stderr,)
|
||||
|
||||
[formatter_arg0Formatter]
|
||||
format=%(asctime)s - %(filename)s[%(levelname)s]: %(message)s
|
||||
|
||||
[formatter_simpleFormatter]
|
||||
format=[CLOUDINIT]%(asctime)s - %(filename)s[%(levelname)s]: %(message)s
|
||||
- &log_file |
|
||||
[handler_cloudLogHandler]
|
||||
class=FileHandler
|
||||
level=DEBUG
|
||||
formatter=arg0Formatter
|
||||
args=('/var/log/cloud-init.log',)
|
||||
- &log_syslog |
|
||||
[handler_cloudLogHandler]
|
||||
class=handlers.SysLogHandler
|
||||
level=DEBUG
|
||||
formatter=simpleFormatter
|
||||
args=("/dev/log", handlers.SysLogHandler.LOG_USER)
|
||||
|
||||
log_cfgs:
|
||||
# These will be joined into a string that defines the configuration
|
||||
- [ *log_base, *log_syslog ]
|
||||
# These will be joined into a string that defines the configuration
|
||||
- [ *log_base, *log_file ]
|
||||
# A file path can also be used
|
||||
# - /etc/log.conf
|
||||
|
||||
# this tells cloud-init to redirect its stdout and stderr to
|
||||
# 'tee -a /var/log/cloud-init-output.log' so the user can see output
|
||||
# there without needing to look on the console.
|
||||
output: {all: '| python3 -c ''import sys,time;sys.stdout.write("".join(( " ".join((time.strftime("[%Y-%m-%d %H:%M:%S]", time.localtime()), line)) for line in sys.stdin )))'' | tee -a /var/log/cloud-init-output.log'}
|
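Review bot: The comment above `output:` says stdout/stderr are redirected to `tee -a /var/log/cloud-init-output.log`, but the line actually pipes them through a `python3 -c` one-liner that prefixes each line with a local timestamp before `tee`; if python3 is missing from the image the pipeline, and the captured output with it, is lost. Suggest rewording the comment to `# stdout/stderr are timestamped by a small python3 filter and then appended to /var/log/cloud-init-output.log; python3 must exist in the image`. Both the root and cloudinit loggers run at DEBUG into /var/log/cloud-init.log or syslog, so a note that this log may be verbose enough to echo user-data and should stay root-readable only would help — TODO confirm against the cloud-init version shipped.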
@ -0,0 +1,2 @@
|
||||
disable-ec2-metadata: false
|
||||
datasource_list: [ Outscale ]
|
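Review bot: `disable-ec2-metadata: false` leaves the metadata endpoint reachable from every local process, which is the opposite posture to the Azure `iptables` file in this commit; if the Outscale datasource needs the endpoint after first boot that deserves a one-line comment, e.g. `# Outscale datasource reads the metadata endpoint; do not null-route it`. Without it a later reader cannot tell whether `false` is a requirement or a leftover.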
@ -0,0 +1,26 @@
|
||||
#!/bin/bash
|
||||
|
||||
# This is a networkd-dispatcher script for chronyd to handle its NTP
|
||||
# sources. It sets the NTP sources online or offline when a network
|
||||
# interface is configured or removed. On DHCP change, chrony will
|
||||
# update its NTP sources passed from DHCP options.
|
||||
|
||||
export LC_ALL=C
|
||||
|
||||
DHCP_SERVER_FILE={{ server_dir }}/chrony.servers.$IFACE
|
||||
|
||||
clear_servers_from_dhcp() {
|
||||
if [ -f "$DHCP_SERVER_FILE" ]; then
|
||||
rm -f "$DHCP_SERVER_FILE"
|
||||
{{ chrony_helper_dir }}/chrony-helper update-daemon || :
|
||||
fi
|
||||
}
|
||||
|
||||
if [ "$STATE" = "no-carrier" ]; then
|
||||
clear_servers_from_dhcp
|
||||
# The onoffline command tells chronyd to switch all sources to
|
||||
# the online (routable) or offline (off) status according to the current network configuration.
|
||||
chronyc onoffline > /dev/null 2>&1
|
||||
fi
|
||||
|
||||
exit 0
|
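Review bot: This script and the `off` variant differ only in the `$STATE` string they test, so one script with `case "$STATE" in no-carrier|off)` would remove the duplication and keep the two in step. `DHCP_SERVER_FILE={{ server_dir }}/chrony.servers.$IFACE` silently degrades to `chrony.servers.` when `IFACE` is empty; `${IFACE:?IFACE not set}` makes the script abort instead, and `set -u` would make the dependence on dispatcher-provided variables explicit. `$IFACE` and `$STATE` are presumably exported by networkd-dispatcher; a comment saying so would help.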
@ -0,0 +1,26 @@
|
||||
#!/bin/bash
|
||||
|
||||
# This is a networkd-dispatcher script for chronyd to handle its NTP
|
||||
# sources. It sets the NTP sources online or offline when a network
|
||||
# interface is configured or removed. On DHCP change, chrony will
|
||||
# update its NTP sources passed from DHCP options.
|
||||
|
||||
export LC_ALL=C
|
||||
|
||||
DHCP_SERVER_FILE={{ server_dir }}/chrony.servers.$IFACE
|
||||
|
||||
clear_servers_from_dhcp() {
|
||||
if [ -f "$DHCP_SERVER_FILE" ]; then
|
||||
rm -f "$DHCP_SERVER_FILE"
|
||||
{{ chrony_helper_dir }}/chrony-helper update-daemon || :
|
||||
fi
|
||||
}
|
||||
|
||||
if [ "$STATE" = "off" ]; then
|
||||
clear_servers_from_dhcp
|
||||
# The onoffline command tells chronyd to switch all sources to
|
||||
# the online (routable) or offline (off) status according to the current network configuration.
|
||||
chronyc onoffline > /dev/null 2>&1
|
||||
fi
|
||||
|
||||
exit 0
|
@ -0,0 +1,27 @@
|
||||
#!/bin/bash
|
||||
|
||||
# This is a networkd-dispatcher script for chronyd to handle its NTP
|
||||
# sources. It sets the NTP sources online or offline when a network
|
||||
# interface is configured or removed. On DHCP change, chrony will
|
||||
# update its NTP sources passed from DHCP options.
|
||||
|
||||
export LC_ALL=C
|
||||
|
||||
DHCP_SERVER_FILE={{ server_dir }}/chrony.servers.$IFACE
|
||||
|
||||
add_servers_from_dhcp() {
|
||||
if [ -f "$DHCP_SERVER_FILE" ]; then
|
||||
rm -f "$DHCP_SERVER_FILE"
|
||||
fi
|
||||
echo "$json" | jq -r 'select(.NTP !=null) .NTP[]' >> $DHCP_SERVER_FILE
|
||||
{{ chrony_helper_dir }}/chrony-helper update-daemon || :
|
||||
}
|
||||
|
||||
if [ "$STATE" = "routable" ]; then
|
||||
add_servers_from_dhcp
|
||||
# The onoffline command tells chronyd to switch all sources to
|
||||
# the online (routable) or offline (off) status according to the current network configuration.
|
||||
chronyc onoffline > /dev/null 2>&1
|
||||
fi
|
||||
|
||||
exit 0
|
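Review bot: `echo "$json" | jq -r 'select(.NTP !=null) .NTP[]' >> $DHCP_SERVER_FILE` appends DHCP-provided NTP values verbatim to a file that chrony-helper later splits on whitespace and feeds to `chronyc add server`, with no validation; a value that is not a single address or hostname token would become extra arguments to that command. Suggest restricting the output to plausible tokens, e.g. `jq -r '.NTP[]? | select(test("^[A-Za-z0-9.:-]+$"))'`, and quoting the redirect target `>> "$DHCP_SERVER_FILE"`. Removing the file and then appending also leaves a window where a reader sees no file or a partial list; writing to a temp file and `mv`ing it into place avoids that, unless chrony-helper's own lock already covers every reader, which I cannot tell from here. `$json` and `$IFACE` are presumably set by networkd-dispatcher; `set -u` would make that explicit.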
@ -0,0 +1,3 @@
|
||||
[Unit]
|
||||
After=containerd.service
|
||||
Wants=containerd.service
|
@ -0,0 +1,3 @@
|
||||
[Unit]
|
||||
After=containerd.service
|
||||
Wants=containerd.service
|
@ -0,0 +1,12 @@
|
||||
[Unit]
|
||||
Description=Modify cloud-init config
|
||||
After=cloud-final.service
|
||||
AssertFileIsExecutable=/usr/local/bin/modify-cloud-init-cfg.sh
|
||||
|
||||
[Install]
|
||||
WantedBy=cloud-init.target
|
||||
|
||||
[Service]
|
||||
Type=simple
|
||||
ExecStart=/usr/local/bin/modify-cloud-init-cfg.sh
|
||||
SuccessExitStatus=0
|
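Review bot: `Type=simple` for a script that runs one `sed -i` and exits means systemd treats the unit as active as soon as the process is forked and never observes its result in ordering; `Type=oneshot` matches what the script does, and `SuccessExitStatus=0` is redundant since 0 is already success. `After=cloud-final.service` only orders; without a `Wants=cloud-final.service` the ordering has no effect if cloud-final is not pulled in by something else — probably fine under `cloud-init.target`, but worth stating in a comment. A `ConditionPathExists=/etc/cloud/cloud.cfg` would keep the unit from failing on images without that file.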
@ -0,0 +1,3 @@
|
||||
[guestinfo]
|
||||
exclude-nics=antrea-*,cali*,cilium*,lxc*,ovs-system,br*,flannel*,veth*,vxlan_sys_*,genev_sys_*,gre_sys_*,stt_sys_*,????????-??????
|
||||
|
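Review bot: The `exclude-nics` list ends with the glob `????????-??????`, whose intent is not readable from the file, unlike `cali*`, `cilium*` or `flannel*`; a comment naming the interface naming scheme it skips would help, e.g. `# ????????-??????: 8-char-dash-6-char virtual NIC names (TODO: name the runtime/CNI that creates them)`. Without it the pattern looks accidental and is likely to be dropped in a cleanup.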
BIN
ansible/roles/providers/files/tmp/cloud-init_22.2-outscale.deb
Normal file
Binary file not shown.
@ -0,0 +1 @@
|
||||
ERROR_ON_USER_DATA_FAILURE = False
|
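Review bot: `ERROR_ON_USER_DATA_FAILURE = False` overrides a cloud-init setting without saying why; presumably it keeps boot going when user-data cannot be handled, which also means a broken bootstrap payload fails silently and is only visible in the logs. Suggest a comment above it such as `# Do not abort cloud-init on user-data that fails to parse; log and continue booting (needed for <provider/reason>)`. Naming the provider or ticket that needs it would let the override be retired later.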
251
ansible/roles/providers/files/usr/libexec/chrony-helper
Normal file
@ -0,0 +1,251 @@
|
||||
#!/bin/bash
|
||||
# This script configures running chronyd to use NTP servers obtained from
|
||||
# DHCP and _ntp._udp DNS SRV records. Files with servers from DHCP are managed
|
||||
# externally (e.g. by a dhclient script). Files with servers from DNS SRV
|
||||
# records are updated here using the dig utility. The script can also list
|
||||
# and set static sources in the chronyd configuration file.
|
||||
|
||||
chronyc=/usr/bin/chronyc
|
||||
chrony_conf=/etc/chrony.conf
|
||||
chrony_service=chronyd.service
|
||||
helper_dir=/var/run/chrony-helper
|
||||
added_servers_file=$helper_dir/added_servers
|
||||
|
||||
network_sysconfig_file=/etc/sysconfig/network
|
||||
dhclient_servers_files=/var/lib/dhclient/chrony.servers.*
|
||||
dnssrv_servers_files=$helper_dir/dnssrv@*
|
||||
dnssrv_timer_prefix=chrony-dnssrv@
|
||||
|
||||
chrony_command() {
|
||||
$chronyc -a -n -m "$1"
|
||||
}
|
||||
|
||||
is_running() {
|
||||
chrony_command "tracking" &> /dev/null
|
||||
}
|
||||
|
||||
is_update_needed() {
|
||||
for file in $dhclient_servers_files $dnssrv_servers_files \
|
||||
$added_servers_file; do
|
||||
[ -e "$file" ] && return 0
|
||||
done
|
||||
return 1
|
||||
}
|
||||
|
||||
update_daemon() {
|
||||
local all_servers_with_args all_servers added_servers
|
||||
|
||||
if ! is_running; then
|
||||
rm -f $added_servers_file
|
||||
return 0
|
||||
fi
|
||||
|
||||
all_servers_with_args=$(
|
||||
cat $dhclient_servers_files $dnssrv_servers_files 2> /dev/null)
|
||||
|
||||
all_servers=$(
|
||||
echo "$all_servers_with_args" |
|
||||
while read server serverargs; do
|
||||
echo "$server"
|
||||
done | sort -u)
|
||||
added_servers=$( (
|
||||
cat $added_servers_file 2> /dev/null
|
||||
echo "$all_servers_with_args" |
|
||||
while read server serverargs; do
|
||||
[ -z "$server" ] && continue
|
||||
chrony_command "add server $server $serverargs" &> /dev/null &&
|
||||
echo "$server"
|
||||
done) | sort -u)
|
||||
|
||||
comm -23 <(echo -n "$added_servers") <(echo -n "$all_servers") |
|
||||
while read server; do
|
||||
chrony_command "delete $server" &> /dev/null
|
||||
done
|
||||
|
||||
added_servers=$(comm -12 <(echo -n "$added_servers") <(echo -n "$all_servers"))
|
||||
|
||||
[ -n "$added_servers" ] && echo "$added_servers" > $added_servers_file ||
|
||||
rm -f $added_servers_file
|
||||
}
|
||||
|
||||
get_dnssrv_servers() {
|
||||
local name=$1
|
||||
|
||||
if ! command -v dig &> /dev/null; then
|
||||
echo "Missing dig (DNS lookup utility)" >&2
|
||||
return 1
|
||||
fi
|
||||
|
||||
(
|
||||
. $network_sysconfig_file &> /dev/null
|
||||
|
||||
output=$(dig "$name" srv +short +ndots=2 +search 2> /dev/null)
|
||||
[ $? -ne 0 ] && return 0
|
||||
|
||||
echo "$output" | while read prio weight port target; do
|
||||
server=${target%.}
|
||||
[ -z "$server" ] && continue
|
||||
echo "$server port $port ${NTPSERVERARGS:-iburst}"
|
||||
done
|
||||
)
|
||||
}
|
||||
|
||||
check_dnssrv_name() {
|
||||
local name=$1
|
||||
|
||||
if [ -z "$name" ]; then
|
||||
echo "No DNS SRV name specified" >&2
|
||||
return 1
|
||||
fi
|
||||
|
||||
if [ "${name:0:9}" != _ntp._udp ]; then
|
||||
echo "DNS SRV name $name doesn't start with _ntp._udp" >&2
|
||||
return 1
|
||||
fi
|
||||
}
|
||||
|
||||
update_dnssrv_servers() {
|
||||
local name=$1
|
||||
local srv_file=$helper_dir/dnssrv@$name servers
|
||||
|
||||
check_dnssrv_name "$name" || return 1
|
||||
|
||||
servers=$(get_dnssrv_servers "$name")
|
||||
[ -n "$servers" ] && echo "$servers" > "$srv_file" || rm -f "$srv_file"
|
||||
}
|
||||
|
||||
set_dnssrv_timer() {
|
||||
local state=$1 name=$2
|
||||
local srv_file=$helper_dir/dnssrv@$name servers
|
||||
local timer=$dnssrv_timer_prefix$(systemd-escape "$name").timer
|
||||
|
||||
check_dnssrv_name "$name" || return 1
|
||||
|
||||
if [ "$state" = enable ]; then
|
||||
systemctl enable "$timer"
|
||||
systemctl start "$timer"
|
||||
elif [ "$state" = disable ]; then
|
||||
systemctl stop "$timer"
|
||||
systemctl disable "$timer"
|
||||
rm -f "$srv_file"
|
||||
fi
|
||||
}
|
||||
|
||||
list_dnssrv_timers() {
|
||||
systemctl --all --full -t timer list-units | grep "^$dnssrv_timer_prefix" | \
|
||||
sed "s|^$dnssrv_timer_prefix\(.*\)\.timer.*|\1|" |
|
||||
while read -r name; do
|
||||
systemd-escape --unescape "$name"
|
||||
done
|
||||
}
|
||||
|
||||
prepare_helper_dir() {
|
||||
mkdir -p $helper_dir
|
||||
exec 100> $helper_dir/lock
|
||||
if ! flock -w 20 100; then
|
||||
echo "Failed to lock $helper_dir" >&2
|
||||
return 1
|
||||
fi
|
||||
}
|
||||
|
||||
is_source_line() {
|
||||
local pattern="^[ \t]*(server|pool|peer|refclock)[ \t]+[^ \t]+"
|
||||
[[ "$1" =~ $pattern ]]
|
||||
}
|
||||
|
||||
list_static_sources() {
|
||||
while read line; do
|
||||
is_source_line "$line" && echo "$line" || :
|
||||
done < $chrony_conf
|
||||
}
|
||||
|
||||
set_static_sources() {
|
||||
local new_config tmp_conf
|
||||
|
||||
new_config=$(
|
||||
sources=$(
|
||||
while read line; do
|
||||
is_source_line "$line" && echo "$line"
|
||||
done)
|
||||
|
||||
while read line; do
|
||||
if ! is_source_line "$line"; then
|
||||
echo "$line"
|
||||
continue
|
||||
fi
|
||||
|
||||
tmp_sources=$(
|
||||
local removed=0
|
||||
|
||||
echo "$sources" | while read line2; do
|
||||
[ "$removed" -ne 0 -o "$line" != "$line2" ] && \
|
||||
echo "$line2" || removed=1
|
||||
done)
|
||||
|
||||
[ "$sources" == "$tmp_sources" ] && continue
|
||||
sources=$tmp_sources
|
||||
echo "$line"
|
||||
done < $chrony_conf
|
||||
|
||||
echo "$sources"
|
||||
)
|
||||
|
||||
tmp_conf=${chrony_conf}.tmp
|
||||
|
||||
cp -a $chrony_conf $tmp_conf &&
|
||||
echo "$new_config" > $tmp_conf &&
|
||||
mv $tmp_conf $chrony_conf || return 1
|
||||
|
||||
systemctl try-restart $chrony_service
|
||||
}
|
||||
|
||||
print_help() {
|
||||
echo "Usage: $0 COMMAND"
|
||||
echo
|
||||
echo "Commands:"
|
||||
echo " update-daemon"
|
||||
echo " update-dnssrv-servers NAME"
|
||||
echo " enable-dnssrv NAME"
|
||||
echo " disable-dnssrv NAME"
|
||||
echo " list-dnssrv"
|
||||
echo " list-static-sources"
|
||||
echo " set-static-sources < sources.list"
|
||||
echo " is-running"
|
||||
echo " command CHRONYC-COMMAND"
|
||||
}
|
||||
|
||||
case "$1" in
|
||||
update-daemon|add-dhclient-servers|remove-dhclient-servers)
|
||||
is_update_needed || exit 0
|
||||
prepare_helper_dir && update_daemon
|
||||
;;
|
||||
update-dnssrv-servers)
|
||||
prepare_helper_dir && update_dnssrv_servers "$2" && update_daemon
|
||||
;;
|
||||
enable-dnssrv)
|
||||
set_dnssrv_timer enable "$2"
|
||||
;;
|
||||
disable-dnssrv)
|
||||
set_dnssrv_timer disable "$2" && prepare_helper_dir && update_daemon
|
||||
;;
|
||||
list-dnssrv)
|
||||
list_dnssrv_timers
|
||||
;;
|
||||
list-static-sources)
|
||||
list_static_sources
|
||||
;;
|
||||
set-static-sources)
|
||||
set_static_sources
|
||||
;;
|
||||
is-running)
|
||||
is_running
|
||||
;;
|
||||
command|forced-command)
|
||||
chrony_command "$2"
|
||||
;;
|
||||
*)
|
||||
print_help
|
||||
exit 2
|
||||
esac
|
||||
|
||||
exit $?
|
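Review bot: `dhclient_servers_files=/var/lib/dhclient/chrony.servers.*` hard-codes the directory the networkd-dispatcher scripts in this commit write to via `{{ server_dir }}`; if that variable renders to any other path, `is_update_needed` and `update_daemon` never see the DHCP servers. Either template this path as well or document the coupling, e.g. `# must match server_dir used by the networkd-dispatcher chrony scripts`. Separately, `get_dnssrv_servers` passes SRV targets straight from an unauthenticated `dig` answer into `chronyc add server`, and `. $network_sysconfig_file` executes /etc/sysconfig/network as shell (in a subshell); a sentence in the header that time sources configured here are only as trustworthy as DNS and DHCP would be fair warning. In `set_static_sources`, `[ "$removed" -ne 0 -o "$line" != "$line2" ]` uses the deprecated `-o`; `[[ "$removed" -ne 0 || "$line" != "$line2" ]]` is the bash form, and the trailing `exit $?` is equivalent to plain `exit`.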
@ -0,0 +1,3 @@
|
||||
#!/bin/bash
|
||||
|
||||
sed -i 's/preserve_hostname'":"' false/preserve_hostname'":"' true/' /etc/cloud/cloud.cfg
|
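Review bot: `sed -i` exits 0 whether or not it matched, so this script, and the unit that runs it, report success even when /etc/cloud/cloud.cfg has no `preserve_hostname: false` line to rewrite; add `set -euo pipefail` and verify the outcome with `grep -q '^preserve_hostname: true' /etc/cloud/cloud.cfg`. The `'":"'` quote-splicing that assembles `preserve_hostname: false` is hard to read; a comment saying why the colon is spliced (to keep it out of a templating or YAML context, I assume) would spare the next reader a guess. The pattern is anchored neither to line start nor to the top-level key, so an indented or commented occurrence would be rewritten too.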