Merge pull request #958 from proditis/master

proditis · web-flow · commit 3931abd7573e · 2023-08-15T14:03:52.000+03:00
Improvements to the docs, playbook and docker related files
diff --git a/ansible/files/ctables b/ansible/files/ctables
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# https://github.com/deitch/ctables
+#
+NSPID=${1}
+LINKFILE="/var/run/netns/${NSPID}"
+mkdir -p /var/run/netns
+/bin/rm -f "$LINKFILE"
+ln -s "/proc/$NSPID/ns/net" "$LINKFILE"
+ip netns exec ${NSPID} iptables -I INPUT -j REJECT
+ip netns exec ${NSPID} iptables -I INPUT -i lo -j ACCEPT
+ip netns exec ${NSPID} iptables -I INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+ip netns exec ${NSPID} iptables -I INPUT -s 10.0.0.0/24 -j ACCEPT
+ip netns exec ${NSPID} iptables -I INPUT -s 10.10.0.0/16 -j ACCEPT
+ip netns exec ${NSPID} iptables -I OUTPUT -o lo -j ACCEPT
+ip netns exec ${NSPID} iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
+/bin/rm -f "$LINKFILE"
+#. /etc/docker-extras.sh
+#if [ -f /proc/$NSPID/root/usr/bin/pkexec ]; then
+#        chmod -s /proc/$NSPID/root/usr/bin/pkexec
+#fi
diff --git a/ansible/files/dockerd-service-override.conf b/ansible/files/dockerd-service-override.conf
@@ -1,4 +1,4 @@
 # /etc/systemd/system/docker.service.d/override.conf
 [Service]
 ExecStart=
-ExecStart=/usr/bin/dockerd -H unix:// -H tcp://0.0.0.0:2376
+ExecStart=/usr/bin/dockerd
diff --git a/ansible/files/etc_network_interfaces.j2 b/ansible/files/etc_network_interfaces.j2
@@ -1,27 +1,6 @@
-# interfaces(5) file used by ifup(8) and ifdown(8)
-
-# Please note that this file is written to be used with dhcpcd
-# For static IP, consult /etc/dhcpcd.conf and 'man dhcpcd.conf'
-
-# Include files from /etc/network/interfaces.d:
-source-directory /etc/network/interfaces.d
-
-auto lo
-iface lo inet loopback
-
-auto eth0
-iface eth0 inet static
-        address {{ansible_host}}
-        netmask {{ansible_default_ipv4.netmask}}
-        gateway {{ansible_default_ipv4.gateway}}
-
-allow-hotplug wlan0
-iface wlan0 inet manual
-    wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf
-
-allow-hotplug wlan1
-iface wlan1 inet manual
-    wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf
-
-# Include files from /etc/network/interfaces.d:
-source-directory /etc/network/interfaces.d
+auto {{network.driver_options.parent}}
+iface {{network.driver_options.parent}} inet static
+        address {{ipv4}}/16
+        gateway {{network.ipam_options[0].gateway}}
+        up ip link set {{network.driver_options.parent}} promisc on
+        mtu 1450
diff --git a/ansible/files/iptables_rules.v4 b/ansible/files/iptables_rules.v4
@@ -0,0 +1,40 @@
+# Generated by iptables-save v1.6.0 on Mon Sep 14 11:19:43 2020
+*nat
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+:DOCKER - [0:0]
+-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
+-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
+-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
+-A DOCKER -i docker0 -j RETURN
+COMMIT
+# Completed on Mon Sep 14 11:19:43 2020
+# Generated by iptables-save v1.6.0 on Mon Sep 14 11:19:43 2020
+*filter
+:INPUT ACCEPT [2:104]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [49:13320]
+:DOCKER - [0:0]
+:DOCKER-ISOLATION-STAGE-1 - [0:0]
+:DOCKER-ISOLATION-STAGE-2 - [0:0]
+:DOCKER-USER - [0:0]
+-A INPUT -i lo -j ACCEPT
+-A INPUT -d 127.0.0.0/8 ! -i lo -j REJECT --reject-with icmp-port-unreachable
+{% for dict_item in PF_TABLES.target_network_ranges %}
+-A INPUT -s {{dict_item}}  -d {{ipv4}}/32 -j REJECT --reject-with icmp-port-unreachable
+{% endfor %}
+-A FORWARD -j DOCKER-USER
+-A FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A FORWARD -o docker0 -j DOCKER
+-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
+-A FORWARD -i docker0 -o docker0 -j ACCEPT
+-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
+-A DOCKER-ISOLATION-STAGE-1 -j RETURN
+-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
+-A DOCKER-ISOLATION-STAGE-2 -j RETURN
+-A DOCKER-USER -j RETURN
+COMMIT
+# Completed on Mon Sep 14 11:19:43 2020
diff --git a/ansible/playbooks/build-images.yml b/ansible/playbooks/build-images.yml
@@ -17,7 +17,7 @@
         args: "{{container.buildargs|default(omit)}}"
         nocache: yes
         pull: no
-      force: "{{force_build|default('no')}}"
-      rm: yes
+      force_source: "{{force_build|default('no')}}"
+      force_tag: "{{force_build|default('no')}}"
     when: container is defined and container.build is defined
     delegate_to: "{{BUILDER}}"
diff --git a/ansible/playbooks/feed-challenges.yml b/ansible/playbooks/feed-challenges.yml
@@ -6,10 +6,6 @@
   gather_facts: false
   connection: local
   serial: 1
-  vars:
-    TOKEN: randomtoken
-    mui:
-      URL: http://localhost:8080
   tasks:
   - name: Submit challenge
     delegate_to: 127.0.0.1
@@ -23,6 +19,9 @@
         author: "{{author|default(omit)}}"
         icon: "{{icon|default(omit)}}"
         name: "{{name}}"
+        public: "{{public|default(1)}}"
+        active: "{{active|default(1)}}"
+        timer: "{{timer|default(1)}}"
         category: "{{category}}"
         difficulty: "{{difficulty}}"
         player_type: "{{player_type}}"
diff --git a/ansible/templates/advanced-challenge.yml b/ansible/templates/advanced-challenge.yml
@@ -4,12 +4,15 @@ name: "Challenge name"
 category: Tutorial
 difficulty: easy
 player_type: offense
+timer: 0 # 0 Dont keep timer, 1 keep timer
+active: 1 # 1 = Active, 0 = Not active
+public: 1 # If the challenge is publicly accessible
 description: |
-  <p>multiline 
-  description, 
+  <p>multiline
+  description,
   must
-  keep the same 
-  indentation 
+  keep the same
+  indentation
   of lines</p>
 
 # empty line ends the description
@@ -23,4 +26,3 @@ questions:
        code: "answer3",
        weight: 1,
     }
-  
diff --git a/ansible/templates/simple-challenge.yml b/ansible/templates/simple-challenge.yml
@@ -4,6 +4,9 @@ name: "This is the challenge name"
 category: Tutorial # Free form
 difficulty: easy # Free form
 player_type: offense # offense or defense
+timer: 0 # 0 Dont keep timer, 1 keep timer
+active: 1 # 1 = Active, 0 = Not active
+public: 1 # If the challenge is publicly accessible
 # Optional filename that comes with the challenge
 # filename: challenge.zip
 description: "<p>Description of the challenge allows limited html</p>"
diff --git a/contrib/entrypoint-vpn.sh b/contrib/entrypoint-vpn.sh
@@ -14,7 +14,7 @@ if [ ! -f /etc/openvpn/.configured ]; then
     echo "00" > /etc/openvpn/crl/number
     echo "OPENVPN_ADMIN_PASSWORD">/etc/openvpn/private/mgmt.pwd
     openssl dhparam -out /etc/openvpn/dh.pem 2048
-    openvpn --genkey --secret /etc/openvpn/private/vpn-ta.key
+    openvpn --genkey secret /etc/openvpn/private/vpn-ta.key
     /var/www/echoCTF.RED/backend/yii migrate --interactive=0
     /var/www/echoCTF.RED/backend/yii migrate-sales/up --interactive=0
     /var/www/echoCTF.RED/backend/yii init_data --interactive=0
diff --git a/contrib/openvpn_tun0.conf b/contrib/openvpn_tun0.conf
@@ -25,6 +25,7 @@ persist-tun
 user _openvpn
 group _openvpn
 cipher AES-256-CBC
+data-ciphers AES-256-CBC
 auth SHA256
 
 ping 3
diff --git a/docs/ansible/DOCKER-TARGETS.md b/docs/ansible/DOCKER-TARGETS.md
@@ -93,6 +93,8 @@ And add links from the `variables.yml` file of each container into the
 ln -s ../../../Dockerfiles/example/variables.yml inventories/targets/host_vars/example.fqdn.com.yml
 ```
 
+NOTE: Ansible tries to access the `example.fqdn.com.yml` file relative to the `inventories/targets/host_vars` folder. You need to include the `../../../` part when creating the symbolic link for it to be able to find the variables.
+
 Alternatively you can generate both `hosts` and their corresponding `host_vars` by running the following from the ansible folder.
 ```sh
 INVENTORY="targets"
@@ -106,10 +108,42 @@ done
 
 In order to build the target images
 ```sh
-ansible-playbook gameplays/build-images.yml -i inventories/targets --extra-vars "BUILDER=localhost"
+ansible-playbook playbooks/build-images.yml -i inventories/targets --extra-vars "BUILDER=localhost" --extra-vars "DOCKER_REGISTRY=myregistry:5000" --extra-vars "DOCKER_REPOSITORY=targets"
 ```
 
 Feed the data to the backend
 ```sh
-ansible-playbook gameplays/feed-targets.yml -i inventories/targets  -e '{"mui":{"URL": "http://127.0.0.1:8080"}}'
+ansible-playbook playbooks/feed-targets.yml -i inventories/targets  -e '{"mui":{"URL": "http://127.0.0.1:8080"}}'
+```
+
+You can also create a `group_vars` for the targets to include all those extra-vars details and not having to type them again
+```yaml
+DOCKER_REGISTRY: "myregistry:5000"
+DOCKER_REPOSITORY: "targets"
+TOKEN: MyMUIToken
+mui:
+  URL: "{{MUI_URL|default('http://localhost:8080')}}"
+```
+
+## Alternative build
+You can also use the playbooks/build-squash.yml to build images with squashed layers. This however requires to add the option `"experimental": true,` to /etc/docker/daemon.json like so
+```json
+{
+  "experimental": true,
+  "insecure-registries":["myregistry:5555"]
+}
+```
+Once done restart the docker daemon for the changes to take effect and try to build your image
+```sh
+ansible-playbook playbooks/build-squash.yml -i inventories/targets
 ```
+
+This playbook provides a few tags to ease in managing single tasks, such as
+* build: Build image
+* push: Push image to registry
+* rmi: Remove the image from local images
+
+These tags can be used to perform a specific task or to skip some ie
+```sh
+ansible-playbook playbooks/build-squash.yml -i inventories/targets --skip-tags push,rmi
+```
