Test dependencies
Some checks failed
continuous-integration/drone Build is failing

2023-02-22 21:24:42 +01:00
commit f2b0a5e7c7
429 changed files with 20330 additions and 0 deletions


@ -0,0 +1,261 @@
command:
{{ if ne .Vars.OS "windows" }} # Linux Only
containerd --version | awk -F' ' '{print substr($3,2); }':
exit-status: 0
stdout: []
stderr: []
timeout: 0
crictl ps:
exit-status: 0
stdout: []
stderr: []
timeout: 0
{{if ne .Vars.containerd_wasm_shims_runtimes ""}}
containerd-shim-slight-v1:
exit-status: 1
stdout: [ ]
stderr: ["io.containerd.slight.v1: InvalidArgument(\"Shim namespace cannot be empty\")"]
timeout: 0
containerd-shim-spin-v1:
exit-status: 1
stdout: [ ]
stderr: ["io.containerd.spin.v1: InvalidArgument(\"Shim namespace cannot be empty\")"]
timeout: 0
grep -E 'io\.containerd\.(slight|spin)\.v1' /etc/containerd/config.toml:
exit-status: 0
stdout: [ ]
stderr: [ ]
timeout: 0
{{end}}
{{if eq .Vars.kubernetes_source_type "pkg"}}
{{if eq .Vars.kubernetes_cni_source_type "pkg"}}
crictl images | grep -v 'IMAGE ID' | awk -F'[ /]' '{print $2}' | sed 's/-{{ .Vars.arch }}//g' | sort:
exit-status: 0
stderr: []
timeout: 0
stdout: ["coredns", "etcd", "kube-apiserver", "kube-controller-manager", "kube-proxy", "kube-scheduler", "pause"]
{{end}}
{{end}}
{{if and (eq .Vars.kubernetes_source_type "http") (eq .Vars.kubernetes_cni_source_type "http") (not .Vars.kubernetes_load_additional_imgs)}}
# The second last pipe of awk is to take out arch from kube-apiserver-amd64 (i.e. amd64 or any other arch)
crictl images | grep -v 'IMAGE ID' | awk -F'[ /]' '{print $2}' | sed 's/-{{ .Vars.arch }}//g' | sort:
exit-status: 0
stderr: []
timeout: 0
stdout: ["kube-apiserver", "kube-controller-manager", "kube-proxy", "kube-scheduler"]
{{end}}
{{if and (eq .Vars.kubernetes_source_type "http") (eq .Vars.kubernetes_cni_source_type "http") (.Vars.kubernetes_load_additional_imgs)}}
# The second last pipe of awk is to take out arch from kube-apiserver-amd64 (i.e. amd64 or any other arch)
crictl images | grep -v 'IMAGE ID' | awk -F'[ /]' '{print $2}' | sed 's/-{{ .Vars.arch }}//g' | sort:
exit-status: 0
stderr: []
timeout: 0
stdout: ["coredns", "etcd", "kube-apiserver", "kube-controller-manager", "kube-proxy", "kube-scheduler", "pause"]
{{end}}
{{if eq .Vars.kubernetes_source_type "http"}}
kubectl version --short --client=true -o json | jq .clientVersion.gitVersion | tr -d '"' | awk '{print substr($1,2); }':
exit-status: 0
stdout: [{{ .Vars.kubernetes_version }}]
stderr: []
timeout: 0
kubeadm version -o json | jq .clientVersion.gitVersion | tr -d '"' | awk '{print substr($1,2); }':
exit-status: 0
stdout: [{{ .Vars.kubernetes_version }}]
stderr: []
timeout: 0
kubelet --version | awk -F' ' '{print $2}' | tr -d '"' | awk '{print substr($1,2); }':
exit-status: 0
stdout: [{{ .Vars.kubernetes_version }}]
stderr: []
timeout: 0
{{end}}
{{if eq .Vars.kubernetes_cni_source_type "http"}}
/opt/cni/bin/host-device 2>&1 | awk -F' ' '{print substr($4,2); }':
exit-status: 0
stdout: [{{ .Vars.kubernetes_cni_version }}]
stderr: []
timeout: 0
{{end}}
{{if eq .Vars.OS "photon"}}
cat /sys/kernel/mm/transparent_hugepage/enabled:
exit-status: 0
stdout: ["always [madvise] never"]
stderr: []
timeout: 0
{{end}}
{{range $name, $vers := index .Vars .Vars.OS .Vars.PROVIDER "command"}}
{{ $name }}:
{{range $key, $val := $vers}}
{{$key}}: {{$val}}
{{end}}
{{end}}
{{end}} #End linux only
{{ if eq .Vars.OS "windows" }} # Windows
automatic updates set to notify:
exit-status: 0
exec: powershell -command "(Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -name AUOptions) -eq '2'"
stdout:
- "True"
timeout: 30000
automatic updates set to notify with correct type:
exit-status: 0
exec: powershell -command "(Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -name AUOptions).GetType().Name -eq 'Int32'"
stdout:
- "True"
timeout: 30000
automatic updates are disabled:
exit-status: 0
exec: powershell -command "(Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -name NoAutoUpdate) -eq '1'"
stdout:
- "True"
timeout: 30000
automatic updates are disabled with correct type:
exit-status: 0
exec: powershell -command "(Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -name NoAutoUpdate).GetType().Name -eq 'Int32'"
stdout:
- "True"
timeout: 30000
kubectl version --client:
exit-status: 0
stdout:
- {{.Vars.kubernetes_version}}
- "windows"
- {{.Vars.arch}}
timeout: 30000
kubeadm version:
exit-status: 0
stdout:
- {{.Vars.kubernetes_version}}
- "windows"
- {{.Vars.arch}}
timeout: 30000
kubelet --version:
exit-status: 0
stdout:
- {{.Vars.kubernetes_version}}
timeout: 10000
{{ if eq .Vars.distribution_version "2019" }}
Windows build version is high enough:
exit-status: 0
exec: powershell -command "(Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name UBR).UBR -ge 1817"
stdout:
- "True"
timeout: 30000
Check HNS Control Flag:
exit-status: 0
exec: powershell -command "(Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\hns\State" -Name HNSControlFlag).HNSControlFlag -eq 80"
stdout:
- True
timeout: 30000
Check WCIFS Flag:
exit-status: 0
exec: powershell -command "(Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\wcifs' -Name WcifsSOPCountDisabled).WcifsSOPCountDisabled -eq 0"
stdout:
- True
timeout: 30000
{{end}}
{{ if eq .Vars.runtime "containerd" }}
Correct Containerd Version:
exec: "\"/Program Files/containerd/containerd.exe\" --version"
exit-status: 0
stdout:
- "{{.Vars.containerd_version}}"
timeout: 30000
Correct Containerd config:
exec: "\"/Program Files/containerd/containerd.exe\" config dump"
exit-status: 0
stdout:
- "sandbox_image = \"{{.Vars.pause_image}}\""
- "conf_dir = \"C:/etc/cni/net.d\""
- "bin_dir = \"C:/opt/cni/bin\""
- "root = \"C:\\\\ProgramData\\\\containerd\\\\root\""
- "state = \"C:\\\\ProgramData\\\\containerd\\\\state\""
timeout: 30000
Check Windows Defender Exclusions are in place:
exit-status: 0
exec: powershell -command "(Get-MpPreference | select ExclusionProcess)"
stdout:
- \Program Files\containerd\containerd.exe,
- \Program Files\containerd\ctr.exe
Check SMB CompartmentNamespace Flag:
exit-status: 0
exec: powershell -command "(Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\hns\State' -Name EnableCompartmentNamespace).EnableCompartmentNamespace -eq 1"
stdout:
- True
timeout: 30000
Windows Port Range is Expanded:
exit-status: 0
exec: netsh int ipv4 show dynamicportrange tcp
stdout:
- "Start Port : 34000"
- "Number of Ports : 31536"
timeout: 30000
{{end}}
{{ if eq .Vars.runtime "docker-ee" }}
Correct Docker Version:
exec: "docker.exe version"
exit-status: 0
stdout:
- "{{.Vars.docker_ee_version}}"
timeout: 30000
{{end}}
{{if eq .Vars.PROVIDER "azure"}}
Verify firewall rule to block 168.63.129.16:80 for cve-2021-27075:
exit-status: 0
exec: powershell -command "(Get-NetFirewallRule -ErrorAction Stop -DisplayName 'Block-Outbound-168.63.129.16-port-80-for-cve-2021-27075').Enabled"
stdout:
- True
stderr: []
timeout: 30000
# this could be moved to place for other providers if they want to install it
Key Vault gMSA binary is installed:
exec: powershell -command "Test-Path -Path C:\Windows\System32\CCGAKVPlugin.dll"
exit-status: 0
stdout:
- "True"
timeout: 30000
Key Vault gMSA binary COM is registered:
exec: powershell -command "(Get-Item 'HKLM:SYSTEM\CurrentControlSet\Control\CCG\COMClasses\{CCC2A336-D7F3-4818-A213-272B7924213E}') | Ft -autosize -wrap"
exit-status: 0
stdout:
- "CCC2A336-D7F3-4818-A213-272B7924213E"
timeout: 30000
Key Vault gMSA binary is registered:
exec: powershell -command "Get-ItemProperty -Path 'HKLM:SOFTWARE\CLASSES\CLSID\{CCC2A336-D7F3-4818-A213-272B7924213E}\InprocServer32\'"
exit-status: 0
stdout:
- "C:\\Windows\\System32\\CCGAKVPlugin.dll"
timeout: 30000
Key Vault gMSA CCG interface is registered:
exec: powershell -command "(Get-Item 'HKLM:SOFTWARE\Classes\Interface\{6ECDA518-2010-4437-8BC3-46E752B7B172}') | Ft -autosize -wrap"
exit-status: 0
stdout:
- "ICcgDomainAuthCredentials"
timeout: 30000
{{end}}
{{ if ne .Vars.ssh_source_url "" }}
Check permission of OpenSSH directory for SYSTEM:
exec: powershell -command "((Get-Acl 'C:\Program Files\OpenSSH').Access | Where-Object{$_.IdentityReference -eq 'NT AUTHORITY\SYSTEM' -and $_.FileSystemRights -eq 'FullControl'}) -ne $null"
exit-status: 0
stdout:
- True
timeout: 30000
Check permission of OpenSSH directory for Administrators:
exec: powershell -command "((Get-Acl 'C:\Program Files\OpenSSH').Access | Where-Object{$_.IdentityReference -eq 'BUILTIN\Administrators' -and $_.FileSystemRights -eq 'FullControl'}) -ne $null"
exit-status: 0
stdout:
- True
timeout: 30000
Check permission of OpenSSH directory for Users:
exec: powershell -command "((Get-Acl 'C:\Program Files\OpenSSH').Access | Where-Object{$_.IdentityReference -eq 'BUILTIN\Users' -and $_.FileSystemRights -eq 'ReadAndExecute, Synchronize'}) -eq $null"
exit-status: 0
stdout:
- True
timeout: 30000
{{end}}
{{end}} #end windows
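Review bot: The `Verify firewall rule to block 168.63.129.16:80 for cve-2021-27075` check reads only `.Enabled` from a rule looked up by display name, so a rule with that name but a different action or direction would still pass. Consider sibling checks on the same rule, for example the same `Get-NetFirewallRule` call ending in `.Action` with expected output `Block`, and `.Direction` with expected output `Outbound`. Separately, this check and the HNS, WCIFS, SMB and OpenSSH ACL checks write the expected value as bare `- True`, which a YAML 1.1 parser reads as a boolean, while the automatic-update checks use `- "True"`; quoting all of them keeps the comparison a string match.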


@ -0,0 +1,17 @@
file:
{{range $name, $vers := index .Vars .Vars.OS "common-files"}}
{{ $name }}:
exists: {{ $vers.exists }}
filetype: {{ $vers.filetype }}
contains: {{ range $vers.contains}}
- {{.}}
{{end}}
{{end}}
{{range $name, $vers := index .Vars .Vars.OS .Vars.PROVIDER "files"}}
{{ $name }}:
exists: {{ $vers.exists }}
filetype: {{ $vers.filetype }}
contains: {{ range $vers.contains}}
- {{.}}
{{end}}
{{end}}
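Review bot: Both loops emit `- {{.}}` for each `contains` entry without quoting, so how the rendered YAML is typed depends on what each string looks like. Several patterns in goss-vars.yaml start with `!` (for example `!/logging_serial_port=COM1,115200,N,8/`), and a plain scalar beginning with `!` is read by YAML as a tag rather than as text, so the negated match may not reach goss as written; this is inferred from the template, not from a rendered file. Emitting the value quoted, e.g. `- {{ printf "%q" . }}`, keeps every pattern a string.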


@ -0,0 +1,31 @@
{{ if ne .Vars.OS "windows" }}
kernel-param:
net.bridge.bridge-nf-call-iptables:
value: "1"
net.ipv6.conf.all.forwarding:
value: "1"
net.ipv6.conf.all.disable_ipv6:
value: "0"
net.ipv4.ip_forward:
value: "1"
net.bridge.bridge-nf-call-ip6tables:
value: "1"
vm.overcommit_memory:
value: "1"
kernel.panic:
value: "10"
kernel.panic_on_oops:
value: "1"
{{range $name, $vers := index .Vars .Vars.OS "common-kernel-param"}}
{{ $name }}:
{{range $key, $val := $vers}}
{{$key}}: "{{$val}}"
{{end}}
{{end}}
{{range $name, $vers := index .Vars .Vars.OS .Vars.PROVIDER "kernel-param"}}
{{ $name }}:
{{range $key, $val := $vers}}
{{$key}}: "{{$val}}"
{{end}}
{{end}}
{{end}}
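Review bot: The fixed `kernel-param` list carries no comment explaining why these values are asserted, and several of them (`net.ipv4.ip_forward`, `net.ipv6.conf.all.forwarding` and `vm.overcommit_memory` set to `"1"`) are the opposite of what a generic host-hardening baseline would ask for. A short comment above the list would keep a later hardening pass from flipping them, for example `# Forwarding and bridge-nf-call-* are needed for pod networking; the overcommit and panic values are the ones kubelet expects`. The reasons in that comment are my reading of the list and should be confirmed by the author before it is added.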


@ -0,0 +1,86 @@
{{ if ne .Vars.OS "windows"}}
kubernetes_version: &kubernetes_version
versions:
or:
- contain-element:
match-regexp: "^\\Q{{ .Vars.kubernetes_deb_version }}\\E$"
- contain-element:
match-regexp: "^\\Q{{ .Vars.kubernetes_rpm_version }}\\E$"
kubernetes_cni_version: &kubernetes_cni_version
versions:
or:
- contain-element:
match-regexp: "^\\Q{{ .Vars.kubernetes_cni_deb_version }}\\E$"
- contain-element:
match-regexp: "^\\Q{{ .Vars.kubernetes_cni_rpm_version }}\\E$"
package:
# Flatcar uses Ignition instead of cloud-init
{{if ne .Vars.OS "flatcar"}}
cloud-init:
installed: true
{{end}}
ntp:
installed: false
{{if eq .Vars.kubernetes_source_type "pkg"}}
kubeadm:
installed: true
<<: *kubernetes_version
kubelet:
installed: true
<<: *kubernetes_version
kubectl:
installed: true
<<: *kubernetes_version
{{end}}
{{if eq .Vars.kubernetes_cni_source_type "pkg"}}
kubernetes-cni:
installed: true
<<: *kubernetes_cni_version
{{end}}
# Looping over common packages for an OS
{{range $name, $vers := index .Vars .Vars.OS "common-package"}}
{{$name}}:
installed: true
{{range $key, $val := $vers}}
{{$key}}: {{$val}}
{{end}}
{{end}}
# Looping over provider specific packages for an OS
{{range $name, $vers := index .Vars .Vars.OS .Vars.PROVIDER "package"}}
{{$name}}:
installed: true
{{range $key, $val := $vers}}
{{$key}}: {{$val}}
{{end}}
{{end}}
# Iterate thru different OS Versions like RHEL7/8, Photon 3/4(future) etc.
{{$distro_version := .Vars.OS_VERSION}}
{{range $component := index .Vars .Vars.OS .Vars.PROVIDER "os_version"}}
{{if eq $distro_version (index $component "distro_version")}}
{{ range $name, $vers := index $component "package"}}
{{$name}}:
installed: true
{{range $key, $val := $vers}}
{{$key}}: {{$val}}
{{end}}
{{end}}
{{end}}
{{end}}
{{end}}
{{ if eq .Vars.OS "windows"}} # Windows
# Workaround until windows features are added to goss
command:
{{range $name, $vers := index .Vars .Vars.OS "common-windows-features"}}
"Windows Feature - {{ $name }}":
exec: powershell -command "(Get-WindowsFeature {{ $name }} | select *)"
exit-status: 0
stdout: {{range $vers.expected}}
- {{.}}
timeout: 60000
{{end}}
{{end}}
{{end}}
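Review bot: In the Windows `command:` block at the end of this file, `timeout: 60000` sits between `- {{.}}` and the `{{end}}` that closes `{{range $vers.expected}}`, so it is emitted once per expected value rather than once per check. With the single `Installed` value the vars file supplies today it renders as intended, but a feature with two expected strings would get a `timeout` key in the middle of its `stdout` list, and a feature with none would get no timeout at all. Move the `{{end}}` up so the order is `- {{.}}`, `{{end}}`, `timeout: 60000`, which is how the Windows service checks close the same range.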


@ -0,0 +1,77 @@
service:
{{ if ne .Vars.OS "windows"}} # Linux
containerd:
enabled: true
running: true
dockerd:
enabled: false
running: false
kubelet:
enabled: true
running: false
conntrackd:
enabled: false
running: false
auditd:
enabled: true
running: true
{{if ne .Vars.OS "flatcar"}}
# Flatcar uses systemd-timesyncd instead of chronyd.
chronyd:
enabled: true
running: true
{{end}}
{{range $name, $vers := index .Vars .Vars.OS "common-service"}}
{{ $name }}:
{{range $key, $val := $vers}}
{{$key}}: {{$val}}
{{end}}
{{end}}
{{range $name, $vers := index .Vars .Vars.OS .Vars.PROVIDER "service"}}
{{ $name }}:
{{range $key, $val := $vers}}
{{$key}}: {{$val}}
{{end}}
{{end}}
{{end}}
{{ if eq .Vars.OS "windows"}} # Windows
# Workaround until windows services are added to goss
command:
{{range $name, $vers := index .Vars .Vars.OS "common-windows-service"}}
"Windows Service - {{ $name }}":
exec: powershell -command "(Get-Service {{ $name }} | select *)"
exit-status: 0
stdout: {{range $vers.expected}}
- {{.}}
{{end}}
{{end}}
{{range $name, $vers := index .Vars .Vars.OS .Vars.PROVIDER "windows-service"}}
"Windows Service - {{ $name }}":
exec: powershell -command "(Get-Service {{ $name }} | select *)"
exit-status: 0
stdout: {{range $vers.expected}}
- {{.}}
{{end}}
{{end}}
{{ if eq .Vars.runtime "docker-ee" }}
"Windows Service - docker":
exec: powershell -command "(Get-Service docker | select *)"
exit-status: 0
stdout:
- Automatic
- Running
{{end}}
{{ if eq .Vars.runtime "containerd"}}
"Windows Service - containerd":
exec: powershell -command "(Get-Service containerd | select *)"
exit-status: 0
stdout:
- Automatic
- Running
{{end}}
{{end}}
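Review bot: The Windows service checks match `Automatic`, `Running` and similar strings against the whole `Get-Service … | select *` output, which is a substring test over every property rather than over the status and start type. A service could in principle satisfy `Running` through another field, so these checks are looser than the Linux `enabled`/`running` assertions earlier in the file. Narrowing the command to the fields being asserted, e.g. `(Get-Service containerd | select Status, StartType)`, would tighten it; the kubelet pattern in goss-vars.yaml matches on `RequiredServices`, so that property would have to be kept for it. None of these checks sets a `timeout`, unlike most of the other Windows command checks on this page.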

546
packer/goss/goss-vars.yaml Normal file

@ -0,0 +1,546 @@
---
common_rpms: &common_rpms
audit:
ca-certificates:
cloud-init:
cloud-utils-growpart:
conntrack-tools:
chrony:
curl:
jq:
python3-pip:
socat:
sysstat:
yum-utils:
al2_rpms: &al2_rpms
ebtables:
python-netifaces:
python-requests:
rh7_rpms: &rh7_rpms
ebtables:
python-netifaces:
python-requests:
rh8_rpms: &rh8_rpms
nftables:
python3-netifaces:
python3-requests:
common_debs: &common_debs
auditd:
apt-transport-https:
conntrack:
chrony:
curl:
ebtables:
jq:
gnupg:
libnetfilter-acct1:
libnetfilter-cttimeout1:
libnetfilter-log1:
python3-distutils:
python3-netifaces:
python3-pip:
socat:
chrony_deb: &chrony_deb
chrony:
ntp:
skip: true
installed: false
common_photon_rpms: &common_photon_rpms
audit:
apparmor-parser:
conntrack-tools:
chrony:
distrib-compat:
ebtables:
net-tools:
openssl-c_rehash:
python3-pip:
rng-tools:
socat:
tar:
unzip:
photon_3_rpms: &photon_3_rpms
python-netifaces:
python-requests:
jq:
photon_4_rpms: &photon_4_rpms
jq:
arch: "amd64"
containerd_version: ""
containerd_wasm_shims_runtimes: ""
kubernetes_cni_source_type: ""
kubernetes_cni_version: ""
kubernetes_source_type: ""
kubernetes_version: ""
kubernetes_rpm_version: ""
kubernetes_deb_version: ""
kubernetes_cni_deb_version: ""
kubernetes_cni_rpm_version: ""
# When k8s and k8s cni source is http
kubernetes_load_additional_imgs: false
#windows variables
kubernetes_install_path: ""
windows_service_manager: ""
distribution_version: ""
runtime: ""
# OS Specific package/Command/Kernal Params etc...
# Structured in below format
# OS_NAME
# common-package:
# common-kernel-params:
# common-services:
# PROVIDER_NAME:
# package:
# command:
# service:
# ...
amazon linux:
common-package: *common_rpms
amazon:
service:
amazon-ssm-agent:
enabled: true
running: true
package:
awscli:
amazon-ssm-agent:
<<: *al2_rpms
centos:
common-package: *common_rpms
amazon:
package:
amazon-ssm-agent:
<<: *rh7_rpms
command:
pip3 list --format=columns | grep 'awscli' | awk -F' ' '{print $1}':
exit-status: 0
stdout: ["awscli"]
stderr: []
timeout: 0
azure:
package:
open-vm-tools:
azure-cli:
ova:
package:
python2-pip:
open-vm-tools:
<<: *rh7_rpms
qemu:
package:
open-vm-tools:
cloud-init:
cloud-utils-growpart:
python2-pip:
<<: *rh7_rpms
raw:
package:
cloud-init:
cloud-utils-growpart:
python2-pip:
flatcar:
common-service:
containerd:
enabled: true
running: true
systemd-timesyncd:
enabled: true
running: true
amazon:
command:
azure:
command:
qemu:
command:
raw:
command:
ova:
command:
nutanix:
command:
photon:
common-service:
apparmor:
enabled: false
running: false
common-kernel-param:
net.ipv4.tcp_limit_output_bytes:
value: "524288"
common-package:
<<: *common_photon_rpms
audit:
ova:
command:
grep apparmor=0 /boot/photon.cfg:
exit-status: 0
stdout: ["apparmor=0"]
stderr: []
timeout: 0
service:
networkd-dispatcher:
enabled: true
running: true
package:
open-vm-tools:
cloud-init:
cloud-utils:
python3-netifaces:
os_version:
- distro_version: "3"
package:
<<: *photon_3_rpms
- distro_version: "4"
package:
<<: *photon_4_rpms
rockylinux:
common-package: *common_rpms
amazon:
package:
amazon-ssm-agent:
<<: *rh8_rpms
command:
pip3 list --format=columns | grep 'awscli' | awk -F' ' '{print $1}':
exit-status: 0
stdout: [ "awscli" ]
stderr: [ ]
timeout: 0
service:
amazon-ssm-agent:
enabled: true
running: true
ova:
package:
open-vm-tools:
python2-pip:
<<: *rh8_rpms
qemu:
package:
open-vm-tools:
cloud-init:
cloud-utils:
python3-netifaces:
<<: *rh8_rpms
raw:
package:
cloud-init:
cloud-utils:
python3-netifaces:
<<: *rh8_rpms
nutanix:
package:
cloud-init:
python3-netifaces:
iscsi-initiator-utils:
nfs-utils:
lvm2:
xfsprogs:
<<: *rh8_rpms
service:
iscsid:
enabled: true
running: true
rhel:
common-package: *common_rpms
amazon:
package:
amazon-ssm-agent:
os_version:
- distro_version: "8"
package:
<<: *rh8_rpms
command:
pip3 list --format=columns | grep 'awscli' | awk -F' ' '{print $1}':
exit-status: 0
stdout: [ "awscli" ]
stderr: [ ]
timeout: 0
service:
amazon-ssm-agent:
enabled: true
running: true
azure:
package:
open-vm-tools:
azure-cli:
os_version:
- distro_version: "8"
package:
<<: *rh8_rpms
ova:
package:
python2-pip:
open-vm-tools:
os_version:
- distro_version: "7"
package:
<<: *rh7_rpms
- distro_version: "8"
package:
<<: *rh8_rpms
qemu:
package:
open-vm-tools:
cloud-init:
cloud-utils-growpart:
python2-pip:
<<: *rh7_rpms
raw:
package:
cloud-init:
cloud-utils-growpart:
python2-pip:
<<: *rh7_rpms
ubuntu:
common-kernel-param:
net.ipv4.conf.all.rp_filter:
value: "1"
common-package:
<<: *common_debs
common-service:
apt-daily.timer:
enabled: false
running: false
apt-daily-upgrade.timer:
enabled: false
running: false
azure:
command:
pip3 list --format=columns | grep 'azure-cli' | awk -F' ' '{print $1}':
exit-status: 0
stdout: ["azure-cli"]
stderr: []
timeout: 0
iptables -C FORWARD -d 168.63.129.16/32 -p tcp -m tcp --dport 80 -m comment --comment "block traffic to 168.63.129.16 for cve-2021-27075" -j DROP:
exit-status: 0
timeout: 0
package:
open-vm-tools:
linux-cloud-tools-virtual:
linux-tools-virtual:
<<: *chrony_deb
service:
chrony:
enabled: true
running: true
amazon:
service:
snap.amazon-ssm-agent.amazon-ssm-agent.service:
enabled: true
running: true
package:
linux-cloud-tools-virtual:
linux-tools-virtual:
command:
snap list | grep 'amazon-ssm-agent' | awk -F' ' '{print $1}':
exit-status: 0
stdout: ["amazon-ssm-agent"]
stderr: []
timeout: 0
pip3 list --format=columns | grep 'awscli' | awk -F' ' '{print $1}':
exit-status: 0
stdout: ["awscli"]
stderr: []
timeout: 0
gcp:
package:
linux-cloud-tools-virtual:
linux-tools-virtual:
command:
find -L /bin -maxdepth 1 -type f -executable -printf "%f\n" | grep -Fx 'gcloud':
exit-status: 0
stdout: ["gcloud"]
stderr: []
timeout: 0
oci:
service:
package:
command:
outscale:
package:
linux-cloud-tools-virtual:
linux-tools-virtual:
ova:
service:
networkd-dispatcher:
enabled: true
running: true
package:
linux-cloud-tools-virtual:
linux-tools-virtual:
open-vm-tools:
cloud-guest-utils:
cloud-initramfs-copymods:
cloud-initramfs-dyn-netconf:
qemu:
package:
linux-cloud-tools-virtual:
linux-tools-virtual:
open-vm-tools:
cloud-guest-utils:
cloud-initramfs-copymods:
cloud-initramfs-dyn-netconf:
raw:
package:
cloud-guest-utils:
cloud-initramfs-copymods:
cloud-initramfs-dyn-netconf:
linux-cloud-tools-generic:
linux-tools-generic:
nutanix:
package:
linux-cloud-tools-virtual:
linux-tools-virtual:
cloud-guest-utils:
cloud-initramfs-copymods:
cloud-initramfs-dyn-netconf:
open-iscsi:
xfsprogs:
mdadm:
nfs-common:
service:
iscsid:
enabled: true
running: true
oracle linux:
common-kernel-param:
common-package:
<<: *common_rpms
common-service:
oci:
command:
service:
package:
<<: *rh8_rpms
# Windows specific variables
windows:
common-windows-features:
Hyper-V-PowerShell:
expected:
- Installed
Containers:
expected:
- Installed
common-files:
c:/etc/kubernetes/pki:
exists: true
filetype: directory
contains:
c:/etc/kubernetes:
exists: true
filetype: directory
contains:
c:/etc/kubernetes/manifests:
exists: true
filetype: directory
contains:
c:/var/log/kubelet:
exists: true
filetype: directory
contains:
common-windows-service:
cloudbase-init:
expected:
- Manual
- Stopped
kubelet:
expected:
- Automatic
- "/RequiredServices.+:.+(containerd|docker)/"
sshd:
expected:
- Automatic
- Running
azure:
windows-service:
files:
'c:/program files/Cloudbase Solutions/Cloudbase-init/conf/cloudbase-init.conf':
exists: true
filetype: file
contains:
- "COM2,115200,N,8"
- "metadata_services=cloudbaseinit.metadata.services.azureservice.AzureService"
- "cloudbaseinit.plugins.common.ephemeraldisk.EphemeralDiskPlugin"
- "cloudbaseinit.plugins.windows.azureguestagent.AzureGuestAgentPlugin"
- "cloudbaseinit.plugins.common.mtu.MTUPlugin"
- "cloudbaseinit.plugins.common.sethostname.SetHostNamePlugin"
ova:
windows-service:
vmtools:
expected:
- Automatic
- Running
files:
'c:/program files/Cloudbase Solutions/Cloudbase-init/conf/cloudbase-init.conf':
exists: true
filetype: file
contains:
- "!/logging_serial_port=COM1,115200,N,8/"
- "cloudbaseinit.metadata.services.vmwareguestinfoservice.VMwareGuestInfoService"
- "cloudbaseinit.plugins.common.ephemeraldisk.EphemeralDiskPlugin"
- "cloudbaseinit.plugins.common.mtu.MTUPlugin"
- "cloudbaseinit.plugins.common.sethostname.SetHostNamePlugin"
- "cloudbaseinit.plugins.common.sshpublickeys.SetUserSSHPublicKeysPlugin"
- "cloudbaseinit.plugins.common.userdata.UserDataPlugin"
- "cloudbaseinit.plugins.common.localscripts.LocalScriptsPlugin"
- "cloudbaseinit.plugins.windows.createuser.CreateUserPlugin"
- "cloudbaseinit.plugins.windows.extendvolumes.ExtendVolumesPlugin"
'c:/program files/Cloudbase Solutions/Cloudbase-init/conf/cloudbase-init-unattend.conf':
exists: true
filetype: file
contains:
- "metadata_services=cloudbaseinit.metadata.services.vmwareguestinfoservice.VMwareGuestInfoService"
amazon:
windows-service:
files:
'c:/program files/Cloudbase Solutions/Cloudbase-init/conf/cloudbase-init.conf':
exists: true
filetype: file
contains:
- "!/logging_serial_port=COM1,115200,N,8/"
- "metadata_services=cloudbaseinit.metadata.services.ec2service.EC2Service"
- "cloudbaseinit.plugins.common.ephemeraldisk.EphemeralDiskPlugin"
- "cloudbaseinit.plugins.common.mtu.MTUPlugin"
- "cloudbaseinit.plugins.common.sethostname.SetHostNamePlugin"
- "cloudbaseinit.plugins.common.sshpublickeys.SetUserSSHPublicKeysPlugin"
nutanix:
windows-service:
files:
'c:/program files/Cloudbase Solutions/Cloudbase-init/conf/cloudbase-init.conf':
exists: true
filetype: file
contains:
- "!/logging_serial_port=COM1,115200,N,8/"
- "cloudbaseinit.metadata.services.configdrive.ConfigDriveService"
- "cloudbaseinit.plugins.common.ephemeraldisk.EphemeralDiskPlugin"
- "cloudbaseinit.plugins.common.mtu.MTUPlugin"
- "cloudbaseinit.plugins.common.sethostname.SetHostNamePlugin"
- "cloudbaseinit.plugins.common.sshpublickeys.SetUserSSHPublicKeysPlugin"
- "cloudbaseinit.plugins.common.userdata.UserDataPlugin"
- "cloudbaseinit.plugins.common.localscripts.LocalScriptsPlugin"
- "cloudbaseinit.plugins.windows.createuser.CreateUserPlugin"
- "cloudbaseinit.plugins.windows.extendvolumes.ExtendVolumesPlugin"
'c:/program files/Cloudbase Solutions/Cloudbase-init/conf/cloudbase-init-unattend.conf':
exists: true
filetype: file
contains:
- "metadata_services=cloudbaseinit.metadata.services.base.EmptyMetadataService"
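Review bot: The scalar defaults `kubernetes_version`, `kubernetes_cni_version`, `containerd_version` and the deb/rpm version variables are all `""`, and nothing in the file says they must be overridden. With an empty value the version checks in the command file render as `stdout: []` or `- ""`, which appear to assert nothing, so a run that forgets to pass the versions would still report success. Add a comment above these defaults such as `# Placeholders only: callers must override these; an empty value makes the matching version checks pass without testing anything`, or make the templates fail when a version is empty.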

6
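--- a/packer/goss/goss.yaml
+++ b/packer/goss/goss.yaml
@@ -0,0 +1,6 @@
+gossfile:
+goss-command.yaml: {}
+goss-kernel-params.yaml: {}
+goss-service.yaml: {}
+goss-package.yaml: {}
+goss-files.yaml: {}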