Merge branch 'unstable' into stable
840ebeb076
15
CHANGELOG.md
15
CHANGELOG.md
|
@ -22,6 +22,21 @@ The **patch** part changes is incremented if multiple releases happen the same m
|
|||
|
||||
### Security
|
||||
|
||||
## [22.05.1] 2022-05-12
|
||||
|
||||
### Added
|
||||
|
||||
* docker : Introduce new default settings + allow to change the docker data directory
|
||||
* docker : Introduce new variables to tweak daemon settings
|
||||
|
||||
### Changed
|
||||
|
||||
* evocheck: upstream release 22.05
|
||||
|
||||
### Removed
|
||||
|
||||
* docker : Removed Debian Jessie support
|
||||
|
||||
## [22.05] 2022-05-10
|
||||
|
||||
### Added
|
||||
|
|
|
@ -1,14 +1,24 @@
|
|||
---
|
||||
# If docher_home sets to /home/, the partition should be mounted with exec
|
||||
# option.
|
||||
docker_home: /srv/docker
|
||||
# If docher_home sets to /home/, the partition should be mounted with exec option.
|
||||
docker_home: /var/lib/docker
|
||||
docker_tmpdir: "{{docker_home}}/tmp"
|
||||
|
||||
docker_remote_access_enabled: True
|
||||
# Chose to use iptables instead of docker-proxy userland process
|
||||
docker_conf_use_iptables: False
|
||||
|
||||
# Disable the possibility for containers processes to gain new privileges
|
||||
docker_conf_no_newprivileges: False
|
||||
|
||||
# Disable all default network connectivity
|
||||
docker_conf_disable_default_networking: False
|
||||
|
||||
# Remote access
|
||||
docker_remote_access_enabled: False
|
||||
docker_daemon_port: 2376
|
||||
docker_daemon_listening_ip: 0.0.0.0
|
||||
|
||||
docker_tls_enabled: True
|
||||
# TLS
|
||||
docker_tls_enabled: False
|
||||
docker_tls_path: "{{docker_home}}/tls"
|
||||
docker_tls_ca: ca/ca.pem
|
||||
docker_tls_ca_key: ca/ca-key.pem
|
||||
|
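Review bot: The new remote-access block defaults `docker_daemon_listening_ip` to `0.0.0.0` while `docker_tls_enabled` defaults to `False`, so an operator who flips only `docker_remote_access_enabled: True` ends up with the daemon API listening unauthenticated on every interface, which is root-equivalent access to the host. Nothing in the hunk couples the two settings or warns about it; a comment above `docker_remote_access_enabled` such as `# Remote access without docker_tls_enabled exposes an unauthenticated, root-equivalent API; set docker_tls_enabled: True or bind docker_daemon_listening_ip to a trusted address` would make the dependency visible, and a play-level `assert` that `docker_tls_enabled` is true whenever remote access is enabled would enforce it. The rewritten comment on `docker_home` also keeps the pre-existing typo `docher_home` (should be `docker_home`). The variables file continues past the hunk, so I cannot see whether `docker_tls_cert`/`docker_tls_key`, which the daemon.json template reads, are defined there.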
|
|
@ -1,3 +0,0 @@
|
|||
Package: python-docker
|
||||
Pin: release a=jessie-backports
|
||||
Pin-Priority: 999
|
|
@ -1,23 +0,0 @@
|
|||
---
|
||||
- include_role:
|
||||
name: evolix/apt
|
||||
tasks_from: backports.yml
|
||||
tags:
|
||||
- packages
|
||||
|
||||
- name: Prefer python-docker package from jessie-backports
|
||||
copy:
|
||||
src: docker_preferences
|
||||
dest: /etc/apt/preferences.d/999-docker
|
||||
force: yes
|
||||
mode: "0640"
|
||||
register: docker_apt_preferences
|
||||
tags:
|
||||
- packages
|
||||
|
||||
- name: update apt
|
||||
apt:
|
||||
update_cache: yes
|
||||
when: docker_apt_preferences is changed
|
||||
tags:
|
||||
- packages
|
|
@ -15,17 +15,6 @@
|
|||
- ca-certificates
|
||||
- gnupg2
|
||||
state: present
|
||||
update_cache: yes
|
||||
|
||||
- name: Add Docker repository
|
||||
apt_repository:
|
||||
repo: 'deb [arch=amd64] https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable'
|
||||
state: present
|
||||
update_cache: no
|
||||
filename: docker.list
|
||||
|
||||
- include: jessie_backports.yml
|
||||
when: ansible_distribution_release == 'jessie'
|
||||
|
||||
- name: Add Docker's official GPG key
|
||||
copy:
|
||||
|
@ -36,6 +25,12 @@
|
|||
owner: root
|
||||
group: root
|
||||
|
||||
- name: Add Docker repository
|
||||
apt_repository:
|
||||
repo: 'deb [arch=amd64] https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable'
|
||||
state: present
|
||||
filename: docker.list
|
||||
|
||||
- name: Install Docker
|
||||
apt:
|
||||
name:
|
||||
|
@ -62,19 +57,6 @@
|
|||
dest: /etc/docker/daemon.json
|
||||
notify: restart docker
|
||||
|
||||
- name: Create override directory for docker unit
|
||||
file:
|
||||
name: /etc/systemd/system/docker.service.d/
|
||||
state: directory
|
||||
mode: "0755"
|
||||
|
||||
- name: Remove options in ExecStart from docker unit
|
||||
copy:
|
||||
src: docker.conf
|
||||
dest: /etc/systemd/system/docker.service.d/
|
||||
mode: "0644"
|
||||
notify: reload systemd
|
||||
|
||||
- name: Creating Docker tmp directory
|
||||
file:
|
||||
path: "{{ docker_tmpdir }}"
|
||||
|
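Review bot: The third hunk (`@ -62,19 +57,6`) removes the `docker.conf` drop-in that cleared the options in the unit's `ExecStart`, but nothing replaces it, and the daemon.json template in this same commit still emits a `hosts` key when `docker_remote_access_enabled` is true; dockerd refuses to start when `hosts` is given both as a `-H` flag in the unit and in daemon.json, so if that drop-in was what made remote access work, this needs to be re-tested on a host with remote access enabled. Hosts provisioned with the previous role version also keep the old file under `/etc/systemd/system/docker.service.d/`, so the removal only takes effect on fresh installs unless an explicit cleanup task is added, for example after the daemon.json task. The GPG-key copy task that the repository task now follows is cut off at the hunk boundary, so I cannot confirm where the key lands; if it is not in `/etc/apt/trusted.gpg.d/`, the `repo:` line would additionally need a `signed-by=` option.

```yaml
# … unchanged: daemon.json template task …

- name: Remove obsolete ExecStart override for docker unit
  file:
    path: /etc/systemd/system/docker.service.d/docker.conf
    state: absent
  notify: reload systemd
```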
|
|
@ -1,13 +1,37 @@
|
|||
{
|
||||
"debug": false
|
||||
"debug": false,
|
||||
|
||||
{# Docker data-dir (default to /var/lib/docker) #}
|
||||
"data-root": "{{ docker_home }}",
|
||||
|
||||
{# Keep containers running while docker daemon downtime #}
|
||||
"live-restore": true,
|
||||
|
||||
{# Turn on user namespace remaping #}
|
||||
"userns-remap": "default",
|
||||
|
||||
{% if docker_conf_use_iptables %}
|
||||
{# Use iptables instead of docker-proxy #}
|
||||
"userland-proxy": false,
|
||||
"iptables": true,
|
||||
{% endif %}
|
||||
|
||||
{# Disable the possibility for containers processes to gain new privileges #}
|
||||
"no-new-privileges": {{ docker_conf_no_newprivileges | to_json }},
|
||||
|
||||
{% if docker_conf_disable_default_networking %}
|
||||
{# Disable all default network connectivity #}
|
||||
"bridge": "none",
|
||||
"icc": false,
|
||||
{% endif %}
|
||||
|
||||
{% if docker_tls_enabled %}
|
||||
,
|
||||
"tls": true,
|
||||
"tlscert": "{{ docker_tls_path }}/{{ docker_tls_cert }}",
|
||||
"tlscacert": "{{ docker_tls_path }}/{{ docker_tls_ca }}",
|
||||
"tlskey": "{{ docker_tls_path }}/{{ docker_tls_key }}"
|
||||
"tlskey": "{{ docker_tls_path }}/{{ docker_tls_key }}",
|
||||
{% endif %}
|
||||
,
|
||||
|
||||
{% if docker_remote_access_enabled %}
|
||||
"hosts": ["tcp://{{ docker_daemon_listening_ip }}:{{ docker_daemon_port }}", "fd://"]
|
||||
{% else %}
|
||||
|
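Review bot: `"userns-remap": "default"` is emitted unconditionally while every other new hardening setting in this hunk (`iptables`, `no-new-privileges`, `bridge`/`icc`) is gated on a `docker_conf_*` variable; on a host that already runs containers, turning on user namespace remapping makes dockerd use a per-remap subdirectory of `data-root`, so existing images and containers vanish from `docker images`/`docker ps` until migrated. Gating it the same way as its siblings, e.g. `{% if docker_conf_userns_remap %}` (variable name suggested, not on the page) around that key, and recording the migration impact in the CHANGELOG's new `### Security` section, would keep upgrades of existing hosts safe. The last key emitted before `{% if docker_remote_access_enabled %}` now ends with a comma, so the `{% else %}` branch, which lies outside the hunk, must emit a key, otherwise the rendered JSON carries a trailing comma that dockerd's parser rejects when TLS is enabled but remote access is not. The comment `{# Turn on user namespace remaping #}` misspells `remapping`.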
|
|
@ -4,7 +4,7 @@
|
|||
# Script to verify compliance of a Debian/OpenBSD server
|
||||
# powered by Evolix
|
||||
|
||||
VERSION="22.04.1"
|
||||
VERSION="22.05"
|
||||
readonly VERSION
|
||||
|
||||
# base functions
|
||||
|
@ -601,14 +601,17 @@ check_evobackup_exclude_mount() {
|
|||
|
||||
# shellcheck disable=SC2044
|
||||
for evobackup_file in $(find /etc/cron* -name '*evobackup*' | grep -v -E ".disabled$"); do
|
||||
# If rsync is not limited by "one-file-system"
|
||||
# then we verify that every mount is excluded
|
||||
if ! grep -q -- "^\s*--one-file-system" "${evobackup_file}"; then
|
||||
grep -- "--exclude " "${evobackup_file}" | grep -E -o "\"[^\"]+\"" | tr -d '"' > "${excludes_file}"
|
||||
not_excluded=$(findmnt --type nfs,nfs4,fuse.sshfs, -o target --noheadings | grep -v -f "${excludes_file}")
|
||||
for mount in ${not_excluded}; do
|
||||
failed "IS_EVOBACKUP_EXCLUDE_MOUNT" "${mount} is not excluded from ${evobackup_file} backup script"
|
||||
done
|
||||
# if the file seems to be a backup script, with an Rsync invocation
|
||||
if grep -q "^\s*rsync" "${evobackup_file}"; then
|
||||
# If rsync is not limited by "one-file-system"
|
||||
# then we verify that every mount is excluded
|
||||
if ! grep -q -- "^\s*--one-file-system" "${evobackup_file}"; then
|
||||
grep -- "--exclude " "${evobackup_file}" | grep -E -o "\"[^\"]+\"" | tr -d '"' > "${excludes_file}"
|
||||
not_excluded=$(findmnt --type nfs,nfs4,fuse.sshfs, -o target --noheadings | grep -v -f "${excludes_file}")
|
||||
for mount in ${not_excluded}; do
|
||||
failed "IS_EVOBACKUP_EXCLUDE_MOUNT" "${mount} is not excluded from ${evobackup_file} backup script"
|
||||
done
|
||||
fi
|
||||
fi
|
||||
done
|
||||
}
|
||||
|
@ -1429,7 +1432,7 @@ get_version() {
|
|||
grep '^VERSION=' "${command}" | head -1 | cut -d '=' -f 2
|
||||
;;
|
||||
minifirewall)
|
||||
${command} status | head -1 | cut -d ' ' -f 3
|
||||
${command} version | head -1 | cut -d ' ' -f 3
|
||||
;;
|
||||
## Let's try the --version flag before falling back to grep for the constant
|
||||
kvmstats)
|
||||
|
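Review bot: The new guard `if grep -q "^\s*rsync" "${evobackup_file}"; then` in `check_evobackup_exclude_mount` classifies a file as a backup script only when a line starts with the bare word `rsync`, so scripts that call `/usr/bin/rsync`, `nice rsync` or a variable holding the binary are now silently skipped and the mount-exclusion check passes for them where it previously ran; for a compliance check that is a fail-open regression. A slightly wider pattern such as `if grep -q -E "^\s*([^#[:space:]]*/)?rsync(\s|$)" "${evobackup_file}"; then` would keep absolute paths covered, and a comment stating that files without a recognisable rsync invocation are intentionally ignored would make the remaining gap explicit. The surrounding `for evobackup_file in $(find …)` and `for mount in ${not_excluded}` loops are context lines that still word-split on paths with spaces; pre-existing, but worth a follow-up. The function begins before the hunk.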
|
|
@ -10,29 +10,37 @@ is_alert5_enabled() {
|
|||
if test -f /etc/init.d/alert5; then
|
||||
test -f /etc/rc2.d/S*alert5
|
||||
else
|
||||
systemctl is-enabled alert5 -q
|
||||
systemctl is-active alert5 | grep -q "^active$"
|
||||
fi
|
||||
}
|
||||
|
||||
is_minifirewall_enabled() {
|
||||
# TODO: instead of nested conditionals, we could loop with many possible paths
|
||||
# and grep the first found, or error if none is found
|
||||
if test -f /etc/rc2.d/S*alert5; then
|
||||
grep -q "^/etc/init.d/minifirewall" /etc/rc2.d/S*alert5
|
||||
if [ -f /etc/systemd/system/minifirewall.service ]; then
|
||||
systemctl is-enabled minifirewall 2>&1 > /dev/null
|
||||
else
|
||||
if test -f /usr/share/scripts/alert5.sh; then
|
||||
grep -q "^/etc/init.d/minifirewall" /usr/share/scripts/alert5.sh
|
||||
if test -f /etc/rc2.d/S*alert5; then
|
||||
grep -q "^/etc/init.d/minifirewall" /etc/rc2.d/S*alert5
|
||||
else
|
||||
return_critical "No Alert5 scripts has been found."
|
||||
if test -f /usr/share/scripts/alert5.sh; then
|
||||
grep -q "^/etc/init.d/minifirewall" /usr/share/scripts/alert5.sh
|
||||
else
|
||||
return_critical "No Alert5 scripts has been found."
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
is_minifirewall_started() {
|
||||
if test -x /usr/share/scripts/minifirewall_status; then
|
||||
/usr/share/scripts/minifirewall_status > /dev/null
|
||||
if [ -f /etc/systemd/system/minifirewall.service ]; then
|
||||
systemctl is-active minifirewall 2>&1 > /dev/null
|
||||
else
|
||||
/sbin/iptables -L -n | grep -q -E "^(DROP\s+udp|ACCEPT\s+icmp)\s+--\s+0\.0\.0\.0\/0\s+0\.0\.0\.0\/0\s*$"
|
||||
if test -x /usr/share/scripts/minifirewall_status; then
|
||||
/usr/share/scripts/minifirewall_status > /dev/null
|
||||
else
|
||||
/sbin/iptables -L -n | grep -q -E "^(DROP\s+udp|ACCEPT\s+icmp)\s+--\s+0\.0\.0\.0\/0\s+0\.0\.0\.0\/0\s*$"
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
|
@ -61,9 +69,9 @@ main() {
|
|||
fi
|
||||
else
|
||||
if is_minifirewall_started; then
|
||||
return_warning "Minifirewall is started, but disabled in alert5."
|
||||
return_warning "Minifirewall is started, but disabled in alert5 or systemd."
|
||||
else
|
||||
return_ok "Minifirewall is not started, but disabled in alert5."
|
||||
return_ok "Minifirewall is not started, but disabled in alert5 or systemd."
|
||||
fi
|
||||
fi
|
||||
else
|
||||
|
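Review bot: The redirections in the two new systemd branches are in the wrong order: `systemctl is-enabled minifirewall 2>&1 > /dev/null` in `is_minifirewall_enabled` and `systemctl is-active minifirewall 2>&1 > /dev/null` in `is_minifirewall_started` send stderr to the check's stdout and only stdout to `/dev/null`, so systemctl's diagnostics leak into the monitoring output instead of being silenced. Swap them to `systemctl is-enabled minifirewall > /dev/null 2>&1` and `systemctl is-active minifirewall > /dev/null 2>&1` (or use the `-q` flag as the existing alert5 branch does). In `is_alert5_enabled` the systemd branch now appears to test `is-active` rather than `is-enabled`, which no longer matches the function's name; if alert5 is a oneshot unit that exits after boot, `is-active` may report inactive on a correctly enabled host, so this deserves a comment explaining the intent. The `main` function in the last hunk starts outside the hunk.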
|