diff --git a/CHANGELOG.md b/CHANGELOG.md
index 5821629e..50816488 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -22,6 +22,21 @@ The **patch** part changes is incremented if multiple releases happen the same m
### Security
+## [22.05.1] 2022-05-12
+
+### Added
+
+* docker : Introduce new default settings + allow to change the docker data directory
+* docker : Introduce new variables to tweak daemon settings
+
+### Changed
+
+* evocheck: upstream release 22.05
+
+### Removed
+
+* docker : Removed Debian Jessie support
+
## [22.05] 2022-05-10
### Added
diff --git a/docker-host/defaults/main.yml b/docker-host/defaults/main.yml
index 6393a962..5b64f342 100644
--- a/docker-host/defaults/main.yml
+++ b/docker-host/defaults/main.yml
@@ -1,14 +1,24 @@
---
-# If docher_home sets to /home/, the partition should be mounted with exec
-# option.
-docker_home: /srv/docker
+# If docher_home sets to /home/, the partition should be mounted with exec option.
+docker_home: /var/lib/docker
docker_tmpdir: "{{docker_home}}/tmp"
-docker_remote_access_enabled: True
+# Chose to use iptables instead of docker-proxy userland process
+docker_conf_use_iptables: False
+
+# Disable the possibility for containers processes to gain new privileges
+docker_conf_no_newprivileges: False
+
+# Disable all default network connectivity
+docker_conf_disable_default_networking: False
+
+# Remote access
+docker_remote_access_enabled: False
docker_daemon_port: 2376
docker_daemon_listening_ip: 0.0.0.0
-docker_tls_enabled: True
+# TLS
+docker_tls_enabled: False
docker_tls_path: "{{docker_home}}/tls"
docker_tls_ca: ca/ca.pem
docker_tls_ca_key: ca/ca-key.pem
diff --git a/docker-host/files/docker_preferences b/docker-host/files/docker_preferences
deleted file mode 100644
index 1a68427d..00000000
--- a/docker-host/files/docker_preferences
+++ /dev/null
@@ -1,3 +0,0 @@
-Package: python-docker
-Pin: release a=jessie-backports
-Pin-Priority: 999
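Review bot: `docker_remote_access_enabled` and `docker_tls_enabled` are now two independent booleans with no stated coupling, yet the daemon.json template in this same commit emits the `tcp://` listener whenever remote access is on, so flipping only the first one on a host publishes an unauthenticated daemon API (root-equivalent on the host) on `docker_daemon_listening_ip: 0.0.0.0`. The `# Remote access` comment should carry the precondition, e.g. `# Remote access: only enable together with docker_tls_enabled, the API gives root on the host`, or the role should assert the pair before templating daemon.json. Separately, the new variables are written `False` where YAML tooling expects `false`; Ansible accepts both, but yamllint's truthy rule will flag every one of them, and the existing keys around them are the same style, so it is worth normalising while the block is being rewritten. The `docher_home` / `Chose` typos in the comments could be fixed in the same pass.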
diff --git a/docker-host/tasks/jessie_backports.yml b/docker-host/tasks/jessie_backports.yml deleted file mode 100644 index e7c7e94f..00000000 --- a/docker-host/tasks/jessie_backports.yml +++ /dev/null @@ -1,23 +0,0 @@ ---- -- include_role: - name: evolix/apt - tasks_from: backports.yml - tags: - - packages - -- name: Prefer python-docker package from jessie-backports - copy: - src: docker_preferences - dest: /etc/apt/preferences.d/999-docker - force: yes - mode: "0640" - register: docker_apt_preferences - tags: - - packages - -- name: update apt - apt: - update_cache: yes - when: docker_apt_preferences is changed - tags: - - packages diff --git a/docker-host/tasks/main.yml b/docker-host/tasks/main.yml index 026181f6..b430de6f 100644 --- a/docker-host/tasks/main.yml +++ b/docker-host/tasks/main.yml @@ -15,17 +15,6 @@ - ca-certificates - gnupg2 state: present - update_cache: yes - -- name: Add Docker repository - apt_repository: - repo: 'deb [arch=amd64] https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable' - state: present - update_cache: no - filename: docker.list - -- include: jessie_backports.yml - when: ansible_distribution_release == 'jessie' - name: Add Docker's official GPG key copy: @@ -36,6 +25,12 @@ owner: root group: root +- name: Add Docker repository + apt_repository: + repo: 'deb [arch=amd64] https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable' + state: present + filename: docker.list + - name: Install Docker apt: name: @@ -62,19 +57,6 @@ dest: /etc/docker/daemon.json notify: restart docker -- name: Create override directory for docker unit - file: - name: /etc/systemd/system/docker.service.d/ - state: directory - mode: "0755" - -- name: Remove options in ExecStart from docker unit - copy: - src: docker.conf - dest: /etc/systemd/system/docker.service.d/ - mode: "0644" - notify: reload systemd - - name: Creating Docker tmp directory file: path: "{{ docker_tmpdir }}" 
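Review bot: The re-added `Add Docker repository` task (second hunk of tasks/main.yml) still declares the source as `deb [arch=amd64] https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable` with no `signed-by=` option, so the key installed by the preceding `copy` task (whose `dest` is outside the hunk) is trusted for every apt source on the host rather than for this one. Binding the key to the repo, `repo: 'deb [arch=amd64 signed-by=<keyring path used by the copy task>] https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable'`, limits the blast radius if that keyring is ever replaced; this presumably also means the key should be copied somewhere like /etc/apt/keyrings rather than into trusted.gpg.d, which cannot be confirmed from the hunk. The task also drops the old `update_cache: no`, so apt_repository now refreshes the cache on change by default; that looks intended given `update_cache: yes` was removed from the first apt task, but a one-line comment saying so would stop the next reader from re-adding it.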
diff --git a/docker-host/templates/daemon.json.j2 b/docker-host/templates/daemon.json.j2
index ab6cac19..c73268d9 100644
--- a/docker-host/templates/daemon.json.j2
+++ b/docker-host/templates/daemon.json.j2
@@ -1,13 +1,37 @@
{
- "debug": false
+ "debug": false,
+
+ {# Docker data-dir (default to /var/lib/docker) #}
+ "data-root": "{{ docker_home }}",
+
+ {# Keep containers running while docker daemon downtime #}
+ "live-restore": true,
+
+ {# Turn on user namespace remaping #}
+ "userns-remap": "default",
+
+ {% if docker_conf_use_iptables %}
+ {# Use iptables instead of docker-proxy #}
+ "userland-proxy": false,
+ "iptables": true,
+ {% endif %}
+
+ {# Disable the possibility for containers processes to gain new privileges #}
+ "no-new-privileges": {{ docker_conf_no_newprivileges | to_json }},
+
+ {% if docker_conf_disable_default_networking %}
+ {# Disable all default network connectivity #}
+ "bridge": "none",
+ "icc": false,
+ {% endif %}
+
{% if docker_tls_enabled %}
- ,
"tls": true,
"tlscert": "{{ docker_tls_path }}/{{ docker_tls_cert }}",
"tlscacert": "{{ docker_tls_path }}/{{ docker_tls_ca }}",
- "tlskey": "{{ docker_tls_path }}/{{ docker_tls_key }}"
+ "tlskey": "{{ docker_tls_path }}/{{ docker_tls_key }}",
{% endif %}
- ,
+
{% if docker_remote_access_enabled %}
"hosts": ["tcp://{{ docker_daemon_listening_ip }}:{{ docker_daemon_port }}", "fd://"]
{% else %}
diff --git a/evocheck/files/evocheck.sh b/evocheck/files/evocheck.sh
index 4f24ae79..cf901bb0 100644
--- a/evocheck/files/evocheck.sh
+++ b/evocheck/files/evocheck.sh
@@ -4,7 +4,7 @@
# Script to verify compliance of a Debian/OpenBSD server
# powered by Evolix
-VERSION="22.04.1"
+VERSION="22.05"
readonly VERSION
# base functions
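Review bot: `"userns-remap": "default"` is emitted unconditionally, unlike the other new daemon settings which are each gated by a `docker_conf_*` variable; on an already-deployed host it moves the daemon's effective storage into a per-remapped-uid subdirectory under `data-root`, so previously pulled images and existing containers vanish from the daemon's view, and containers that share host PID or network namespaces are refused under user namespaces. It should be gated like its siblings, `{% if docker_conf_userns_remap %}` … `{% endif %}` with a matching default, and the migration impact (together with the `docker_home` default moving from /srv/docker to /var/lib/docker) belongs in the CHANGELOG entry, which currently reads as a harmless "new default settings". Also, the TLS block turns on `"tls": true` and points at a `tlscacert` but no `"tlsverify": true` appears in the lines shown; unless it is set further down the template, the daemon encrypts the `tcp://` listener without authenticating clients, which with `docker_remote_access_enabled` leaves a root-equivalent API reachable by anyone who can connect to `docker_daemon_port`. The `{# Turn on user namespace remaping #}` comment has a typo (remapping).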
@@ -601,14 +601,17 @@ check_evobackup_exclude_mount() {
# shellcheck disable=SC2044
for evobackup_file in $(find /etc/cron* -name '*evobackup*' | grep -v -E ".disabled$"); do
- # If rsync is not limited by "one-file-system"
- # then we verify that every mount is excluded
- if ! grep -q -- "^\s*--one-file-system" "${evobackup_file}"; then
- grep -- "--exclude " "${evobackup_file}" | grep -E -o "\"[^\"]+\"" | tr -d '"' > "${excludes_file}"
- not_excluded=$(findmnt --type nfs,nfs4,fuse.sshfs, -o target --noheadings | grep -v -f "${excludes_file}")
- for mount in ${not_excluded}; do
- failed "IS_EVOBACKUP_EXCLUDE_MOUNT" "${mount} is not excluded from ${evobackup_file} backup script"
- done
+ # if the file seems to be a backup script, with an Rsync invocation
+ if grep -q "^\s*rsync" "${evobackup_file}"; then
+ # If rsync is not limited by "one-file-system"
+ # then we verify that every mount is excluded
+ if ! grep -q -- "^\s*--one-file-system" "${evobackup_file}"; then
+ grep -- "--exclude " "${evobackup_file}" | grep -E -o "\"[^\"]+\"" | tr -d '"' > "${excludes_file}"
+ not_excluded=$(findmnt --type nfs,nfs4,fuse.sshfs, -o target --noheadings | grep -v -f "${excludes_file}")
+ for mount in ${not_excluded}; do
+ failed "IS_EVOBACKUP_EXCLUDE_MOUNT" "${mount} is not excluded from ${evobackup_file} backup script"
+ done
+ fi
fi
done
}
@@ -1429,7 +1432,7 @@ get_version() {
grep '^VERSION=' "${command}" | head -1 | cut -d '=' -f 2
;;
minifirewall)
- ${command} status | head -1 | cut -d ' ' -f 3
+ ${command} version | head -1 | cut -d ' ' -f 3
;;
## Let's try the --version flag before falling back to grep for the constant
kvmstats)
diff --git a/minifirewall/files/check_minifirewall b/minifirewall/files/check_minifirewall
index 17943994..6588c469 100644
--- a/minifirewall/files/check_minifirewall
+++ b/minifirewall/files/check_minifirewall
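Review bot: The new guard `grep -q "^\s*rsync"` only recognises a bare `rsync` token at the start of a line, so a backup script that calls `/usr/bin/rsync`, `nice rsync`, or `${RSYNC}` is now skipped altogether and IS_EVOBACKUP_EXCLUDE_MOUNT silently passes for it where it previously ran; a compliance check that fails open on an invocation-style difference is worse than the noisy one it replaces. A slightly wider match such as `if grep -q -E "^\s*[^#]*\brsync\b" "${evobackup_file}"; then` keeps the intent (ignore files that do not invoke rsync, ignore commented lines) without those false negatives, and the comment above it should say that non-matching files are deliberately not checked. The function's setup of `excludes_file` is before the hunk, so its lifetime and cleanup could not be reviewed here.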
@@ -10,29 +10,37 @@ is_alert5_enabled() {
if test -f /etc/init.d/alert5; then
test -f /etc/rc2.d/S*alert5
else
- systemctl is-enabled alert5 -q
+ systemctl is-active alert5 | grep -q "^active$"
fi
}
is_minifirewall_enabled() {
# TODO: instead of nested conditionals, we could loop with many possible paths
# and grep the first found, or error if none is found
- if test -f /etc/rc2.d/S*alert5; then
- grep -q "^/etc/init.d/minifirewall" /etc/rc2.d/S*alert5
+ if [ -f /etc/systemd/system/minifirewall.service ]; then
+ systemctl is-enabled minifirewall 2>&1 > /dev/null
else
- if test -f /usr/share/scripts/alert5.sh; then
- grep -q "^/etc/init.d/minifirewall" /usr/share/scripts/alert5.sh
+ if test -f /etc/rc2.d/S*alert5; then
+ grep -q "^/etc/init.d/minifirewall" /etc/rc2.d/S*alert5
else
- return_critical "No Alert5 scripts has been found."
+ if test -f /usr/share/scripts/alert5.sh; then
+ grep -q "^/etc/init.d/minifirewall" /usr/share/scripts/alert5.sh
+ else
+ return_critical "No Alert5 scripts has been found."
+ fi
fi
fi
}
is_minifirewall_started() {
- if test -x /usr/share/scripts/minifirewall_status; then
- /usr/share/scripts/minifirewall_status > /dev/null
+ if [ -f /etc/systemd/system/minifirewall.service ]; then
+ systemctl is-active minifirewall 2>&1 > /dev/null
else
- /sbin/iptables -L -n | grep -q -E "^(DROP\s+udp|ACCEPT\s+icmp)\s+--\s+0\.0\.0\.0\/0\s+0\.0\.0\.0\/0\s*$"
+ if test -x /usr/share/scripts/minifirewall_status; then
+ /usr/share/scripts/minifirewall_status > /dev/null
+ else
+ /sbin/iptables -L -n | grep -q -E "^(DROP\s+udp|ACCEPT\s+icmp)\s+--\s+0\.0\.0\.0\/0\s+0\.0\.0\.0\/0\s*$"
+ fi
fi
}
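Review bot: `systemctl is-enabled minifirewall 2>&1 > /dev/null` in `is_minifirewall_enabled`, and the same form with `is-active` in `is_minifirewall_started`, redirect in the wrong order: stderr is duplicated onto the original stdout before stdout is sent to /dev/null, so any systemctl error text lands in the plugin's output while the normal output is discarded, which for a monitoring check is the opposite of what is wanted and can corrupt the status line the monitoring system parses. Both lines should read `systemctl is-enabled minifirewall > /dev/null 2>&1` and `systemctl is-active minifirewall > /dev/null 2>&1`. Separately, `is_alert5_enabled` now tests `systemctl is-active alert5` instead of `is-enabled`; if alert5 is a oneshot unit without RemainAfterExit, is-active reports inactive once it has run, so the function name and the "disabled in alert5" messages in `main` would no longer describe what is being tested — worth confirming against the unit file before merging. The systemd branch also only looks for the unit under /etc/systemd/system, so a unit shipped under /lib/systemd/system would fall through to the init.d checks.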
@@ -61,9 +69,9 @@ main() {
fi
else
if is_minifirewall_started; then
- return_warning "Minifirewall is started, but disabled in alert5."
+ return_warning "Minifirewall is started, but disabled in alert5 or systemd."
else
- return_ok "Minifirewall is not started, but disabled in alert5."
+ return_ok "Minifirewall is not started, but disabled in alert5 or systemd."
fi
fi
else