Debops or the NSA for complete devops solution to network security


Production Ready Configuration Management Suites

As far as I know, in the entire world, there are only two open source configuration management suites that are purpose-built and proven in production.

In other words, if you want to run a full data center, network, production system and you want a system that has been designed and built and TESTED in production already to work, you only have two options.

Sure you can make your own system and test everything together, you can make a bricolage of existing roles and custom roles and make it work. But there will always be a long tail of implementation issues.

One such project, SIMP, comes from the US federal government (the NSA); it is based on Red Hat and uses Puppet. It has excellent documentation and is compliant with the highest security standards (docs).

The other comes from a medical university in Europe and is based on Debian. Being an Ubuntu user, I'll start with the Debian system. This second system is called Debops, the Debian data center in a box.

Debops is a Debian Data Center in a Box

Debops is based on the concept of an Ansible controller, i.e. a desktop or laptop which acts as the controller for the entire network.

I am going to install a bastion server: a VMware-based VM which will be encrypted and will act as the bastion for the entire network. This way my laptop does not become the weakest link in the chain.

I am running the VMware bastion VM from the RAID drive, and will give it a static IP, both from within the VM and at the router. My Comcast business router has annoying IP reassignment settings that kick in at very unfortunate times, such as after a power outage, so I force it to keep a dedicated IP.

Bastion set-up

I installed the operating system on the server, configured a bridged interface with static public and private IPs, set up DNS with Cloudflare, VNC access and openssh-server. I also installed Ubuntu Desktop: 1, because I have loads of RAM and 2, because I want the flexibility of using VNC if needed. I know, shell purists roll their eyes now.

Install openssh-server, generate keys, then allow root login with keys, create a root password, and connect both locally and remotely with ssh [email protected]. This is super important, as otherwise you will be locked out of ssh from remote and can only use VNC. Also, when you run debops for the first time, Debops adds root to the users allowed for remote logins. I also had to su devekko to change from root to my main sudo user to run the debops Python scripts.


ssh-copy-id [email protected]
ssh-copy-id [email protected]
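The lockout risk above is real: if sshd is restarted with root key login disabled, or before a key for root is in place, remote ssh is gone and only VNC is left. The following is an added example (not from the original post) that checks an sshd_config text and an authorized_keys file for exactly those two conditions before you restart sshd; the config text is constructed for the example, and Match blocks are not handled.

```shell
#!/bin/sh
# Added example: pre-flight check before restarting sshd on the bastion.
# Constructed sshd_config text for the example (not the real bastion config).
SAMPLE_SSHD_CONFIG='Port 22
#PermitRootLogin prohibit-password
PermitRootLogin prohibit-password
PubkeyAuthentication yes
PasswordAuthentication no
'

# effective_value CONFIG KEY: print the first active (non-comment) value of
# KEY, following sshd's first-match-wins rule; empty when KEY is not set.
effective_value() {
    printf '%s\n' "$1" | awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        tolower($1) == tolower(key) { print $2; exit }'
}

# root_key_login_allowed CONFIG: exit 0 if root can still log in with a key.
root_key_login_allowed() {
    prl=$(effective_value "$1" PermitRootLogin)
    pka=$(effective_value "$1" PubkeyAuthentication)
    # sshd defaults when unset: PermitRootLogin prohibit-password,
    # PubkeyAuthentication yes
    [ -z "$prl" ] && prl=prohibit-password
    [ -z "$pka" ] && pka=yes
    [ "$pka" = yes ] || return 1
    case "$prl" in
        yes|prohibit-password|without-password) return 0 ;;
        *) return 1 ;;
    esac
}

# root_has_authorized_key FILE: exit 0 if FILE holds at least one public key.
root_has_authorized_key() {
    [ -s "$1" ] && grep -Eq '^(ssh-(rsa|ed25519)|ecdsa-sha2-nistp[0-9]+) ' "$1"
}

# Usage on the bastion, as root, before `systemctl restart ssh`:
#   root_key_login_allowed "$(cat /etc/ssh/sshd_config)" \
#     && root_has_authorized_key /root/.ssh/authorized_keys \
#     && echo "safe to restart sshd" || echo "fix config first"
```

On the live host, `sshd -t` validates the syntax and `sshd -T` prints the effective values, which is the authoritative view when Match blocks are in play; keep the existing session open until a fresh remote login has succeeded.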

Debops Install

Debops has excellent, if dense, docs, and we follow the Install docs.


sudo -H apt install python-pip

Let's also upgrade pip


sudo -H pip install --upgrade pip

Next we install Debops itself with pip


sudo -H pip install debops

Install Ansible

Debops uses Ansible and we need that installed now, but let's install the latest development version via Git and run it from source


cd /home/devekko
sudo apt install -y git wget curl
sudo apt install -y build-essential libssl-dev libffi-dev python-dev
sudo -H pip install paramiko PyYAML Jinja2 httplib2 six
git clone git://github.com/ansible/ansible.git --recursive
cd ./ansible
source /home/devekko/ansible/hacking/env-setup

Now we have Ansible running from source


ansible --version
ansible 2.3.0 (devel bd036c15e0) last updated 2017/02/19 16:06:37 (GMT -700)
config file =
configured module search path = Default w/o overrides

Starting Debops project

Now we begin our Debops project. Debops is designed to have separate projects for separate networks of servers and applications. Following the Getting Started docs, we install the Debops roles, playbooks and some handy Python scripts that act as shortcuts for the more verbose standard Ansible commands


cd /home/devekko

debops-update
DebOps playbooks have not been found, installing into /home/devekko/.local/share/debops/debops-playbooks

This gives a total of 107 playbooks.

Initiate Project


debops-init /home/devekko/devekko-io
Creating new DebOps project in /home/devekko/devekko-io ...

Inventory

We now add our bastion server to the inventory


cd devekko-io
vi ansible/inventory/hosts
[debops_all_hosts]
bastion ansible_connection=local

Now we run Debops on our Bastion server


debops
....

PLAY RECAP ******************************************************************************************
bastion : ok=218 changed=124 unreachable=0 failed=0

TASK: debops.dhparam : Generate Diffie-Hellman params on Ansible Controller - 224.43s
TASK: debops.apt : Update APT cache ------------------------------------ 19.12s
TASK: debops.apt_install : Install requested APT packages -------------- 13.19s
TASK: debops.core : Install required core packages --------------------- 12.88s
TASK: debops.sshd : Ensure OpenSSH support is installed ---------------- 10.40s
TASK: debops.ferm : Configure ip(6)tables rules ------------------------- 8.98s
TASK: debops.ferm : Ensure ferm is installed ---------------------------- 7.39s
TASK: debops.nullmailer : Install required packages --------------------- 6.48s
TASK: debops.auth : Install auth-related packages ----------------------- 5.56s
TASK: debops.atd : Install atd ------------------------------------------ 5.09s
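The PLAY RECAP above is the signal that the bootstrap worked: every host must show unreachable=0 and failed=0. The following is an added example (not from the original post or the DebOps project) that parses a recap from a saved run log and names any host that did not come out clean; the recap text is constructed for the example, with a second host added to show a failure.

```shell
#!/bin/sh
# Added example: check an Ansible PLAY RECAP for unreachable or failed hosts.
# Constructed recap text for the example (not real output from the bastion).
SAMPLE_RECAP='PLAY RECAP ****************************************************
bastion : ok=218 changed=124 unreachable=0 failed=0
webhost : ok=12 changed=3 unreachable=1 failed=0
'

# recap_bad_hosts RECAP: print "host unreachable=N failed=M" for each host
# whose counters are non-zero; prints nothing when the run is clean.
recap_bad_hosts() {
    printf '%s\n' "$1" | awk '
        /^PLAY RECAP/ { inrecap = 1; next }
        inrecap && $2 == ":" {
            u = 0; f = 0
            for (i = 3; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "unreachable") u = kv[2]
                if (kv[1] == "failed") f = kv[2]
            }
            if (u + 0 > 0 || f + 0 > 0) print $1, "unreachable=" u, "failed=" f
        }'
}

# recap_ok RECAP: exit 0 only when no host is unreachable or failed.
recap_ok() {
    [ -z "$(recap_bad_hosts "$1")" ]
}

# Usage against a logged run:  recap_ok "$(cat debops-run.log)" || exit 1
```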

Now Debops runs its 107 playbooks and bootstraps your Bastion server as the Ansible controller.

We now have Debops installed on a Bastion server which we can encrypt, back up and access from across the network.


Ubuntu 17.04 Zesty Notes

Zesty

I am such a sucker for punishment

I am running Ubuntu 17.04 Zesty, due in April, and it's a little bit broken.

Virtualbox

VirtualBox is not yet packaged by Oracle for Zesty, so I had to install from source.

Searching around I found devmanuals and had to enable the multiverse repositories

sudo add-apt-repository main
sudo add-apt-repository universe
sudo add-apt-repository restricted
sudo add-apt-repository multiverse

and

sudo apt update
sudo apt upgrade
sudo apt install virtualbox-source
sudo apt install virtualbox-dkms

Since this is a new desktop,

install apt-vim

apt-vim docs

curl -sL https://raw.githubusercontent.com/egalpin/apt-vim/master/install.sh | sh

Then install vim-nerdtree

apt-vim install -y https://github.com/scrooloose/nerdtree.git

I then had to reboot and install the VirtualBox Extension Pack.

Command line screencasts with asciinema

Screencasting a bash session with asciinema, a GPL Python terminal session recorder, found at github asciinema and the website asciinema.org.

This can be useful for watching command line progress alongside a blog post. It's also possible to copy and paste text from an asciinema recording, unlike a video.

On Mac Sierra

brew install asciinema

To create a new recording

asciinema rec [filename]

In my case I am recording a session where I install Middleman

asciinema rec middleman

To play the screencast locally

asciinema play middleman

To publish to the asciinema.org public site you need to create an account using its password-less email registration and login system.

Visit asciinema.org, enter your email, authorize the email and account, then on the command line run

asciinema auth

Then confirm the authorization in the browser and finally upload the Middleman installation

asciinema upload middleman

You can see the warts-and-all Middleman installation on another blog post http://blog.devekko.com/middleman-static-site-generator

Aegir 3.8 on Ubuntu 16.04 Xenial on LXD LXC (eventually)

I have decided to write some books and work on apps from those. One book will be on website building and the other will be on self-hosting.

Therefore I am going to record the set-up, customization, programming and themes of various systems for hosting.

One I know relatively well is Aegir, basically Drupal hosting Drupal with Drush. I am going to work through Aegir 3.8 on Ubuntu Xenial with PHP 7, which is twice as fast.

As a second step I use the Remote Import feature to import sites from an OVH server.

The plan is to build a Drupal 7 and a Drupal 8 site each using my emerging framework.

Community Organizing

For maybe 12 months I volunteered as community organizer for the Aegir Project and co-founded and co-organized an event at the United Nations hosted within nyccamp and opencamps.org.

This event is called Aegir Summit, and we had Richard Stallman of the Free Software Foundation give the Aegir group a strategy session; he also gave the entire summit a presentation on Free Software. The 2015 Aegir Summit archive site has details on sessions etc., and the 2016 Aegir Summit featured NASA hosting with Aegir by Mobomo.

The Aegir Summit mini site has some additional info as does the marketing site Aegir Hosting System and the community site. I also gave a talk at Stanford Drupal Camp (slides) and at SCALE as report-back sessions from the New York event, basically telling my story and advocating commercial free software.

Virtual Machine

I am working on LXD / LXC and use a partly pre-configured Xenial LXC container.

Launch a fresh LXC container.

Enter the container and change the hostname, hosts and network

lxc exec aegir-devekko-io bash

Update and upgrade the container

apt update && apt upgrade

Edit /etc/hostname

aegir-devekko-io

In /etc/hosts I turn off IPv6, as I can't use DNS with IPv6 on my LAN and it creates issues


127.0.0.1 aegir.devekko.io aegir-devekko-io localhost
REDACTED aegir.devekko.io aegir-devekko-io localhost
10.1.10.115 aegir.devekko.io aegir-devekko-io localhost

/etc/network/interfaces.d/eth0.cfg

The primary network interface


auto eth0:0 eth0:1 
iface eth0:0 inet static 
address REDACTED/28 
gateway REDACTED

iface eth0:1 inet static 
address 10.1.10.115/24

dns-nameservers REDACTED 8.8.8.8 
dns-search devekko.io


Pre-requisites for Aegir 3.8

Following the Aegir docs, we first update and upgrade

apt update && apt upgrade

We then check the DNS and hostname

uname -a
Linux aegir-devekko-io 4.4.0-57-generic #78-Ubuntu SMP Fri Dec 9 23:50:32 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
hostname -i
127.0.0.1 REDACTED 10.1.10.115

Install utilities

apt install git wget rsync

According to Aegir maintainer colan, in response to my issue on Drupal.org, he does this for the Postfix MTA; I've been caught out by this numerous times on Ubuntu and Aegir

apt install postfix bsd-mailx mutt

In the Postfix config I choose Internet Site and aegir.devekko.io as the email domain

Then alter /etc/postfix/main.cf so Postfix only listens on loopback

inet_interfaces = 127.0.0.1

Install Aegir 3.9

Add the project repositories

echo "deb http://debian.aegirproject.org stable main" | sudo tee -a /etc/apt/sources.list.d/aegir-stable.list

and the archive key to the keyring

wget -q http://debian.aegirproject.org/key.asc -O- | sudo apt-key add -
sudo apt-get update
sudo apt update

Install Aegir 3.9 Debian Packages

sudo apt-get install aegir3

Manually enter a MySQL password (some of the Ansible installers handle this)

Choose an Aegir UI domain, and Aegir is installed

Start the firewall

sudo ufw allow http
Rules updated
Rules updated (v6)
[email protected]:~# sudo ufw enable
Firewall is active and enabled on system startup


Note, I did actually have issues and had to autoremove and purge postfix, and tried to manually install PHP etc.

Installation did finally work after considerable troubleshooting. I would say that there is definitely something happening during install on Xenial that is not being handled properly.

Aegir is installed, and now it's time to add a Drupal 7 and a Drupal 8 site for my project.

More in later blog posts