This repository has been archived by the owner on Dec 26, 2020. It is now read-only.

Add CentOS 8 support for ansible-ssh-hardening #247

Closed
rndmh3ro opened this issue Oct 4, 2019 · 3 comments

Comments

@rndmh3ro
Member

rndmh3ro commented Oct 4, 2019

We'd like to support CentOS8!

Ideally we'd have testing for:

Docker-Image that should be used: https://cloud.docker.com/repository/docker/rndmh3ro/docker-centos8-ansible

@rndmh3ro rndmh3ro changed the title Add CentOS 8 support for Ansible roles Add CentOS 8 support Oct 4, 2019
@rndmh3ro rndmh3ro changed the title Add CentOS 8 support Add CentOS 8 support for ssh-hardening Oct 4, 2019
@rndmh3ro rndmh3ro changed the title Add CentOS 8 support for ssh-hardening Add CentOS 8 support for ansible-ssh-hardening Oct 4, 2019
@123Haynes

@rndmh3ro Can you verify that the docker image that should be used works correctly please?
I get the message `Waiting for SSH service on localhost:32768, retrying in 3 seconds` indefinitely when I execute `kitchen test` after adding centos8.

Full log:

```
-----> Creating <ssh-centos8-ansible-latest>...
       Sending build context to Docker daemon  3.072kB
       Step 1/17 : FROM rndmh3ro/docker-centos8-ansible:latest
        ---> 675840b3a8ce
       Step 2/17 : ENV container docker
        ---> Using cache
        ---> 76a2f19862ce
       Step 3/17 : RUN yum clean all
        ---> Using cache
        ---> b9c357edef06
       Step 4/17 : RUN yum install -y sudo openssh-server openssh-clients which curl
        ---> Using cache
        ---> c9b73433af75
       Step 5/17 : RUN [ -f "/etc/ssh/ssh_host_rsa_key" ] || ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N ''
        ---> Using cache
        ---> dbf2c6d4df94
       Step 6/17 : RUN [ -f "/etc/ssh/ssh_host_dsa_key" ] || ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -N ''
        ---> Using cache
        ---> 1fc382fc58b2
       Step 7/17 : RUN if ! getent passwd kitchen; then                 useradd -d /home/kitchen -m -s /bin/bash -p '*' kitchen;               fi
        ---> Using cache
        ---> 4248de155735
       Step 8/17 : RUN echo "kitchen ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers
        ---> Using cache
        ---> dc257c60ea64
       Step 9/17 : RUN echo "Defaults !requiretty" >> /etc/sudoers
        ---> Using cache
        ---> aba00b4aeb09
       Step 10/17 : RUN mkdir -p /home/kitchen/.ssh
        ---> Using cache
        ---> 4db9d28eeb92
       Step 11/17 : RUN chown -R kitchen /home/kitchen/.ssh
        ---> Using cache
        ---> dbcb6a240c87
       Step 12/17 : RUN chmod 0700 /home/kitchen/.ssh
        ---> Using cache
        ---> 31abef638f7f
       Step 13/17 : RUN touch /home/kitchen/.ssh/authorized_keys
        ---> Using cache
        ---> 6cbc8583539d
       Step 14/17 : RUN chown kitchen /home/kitchen/.ssh/authorized_keys
        ---> Using cache
        ---> af1980165a1f
       Step 15/17 : RUN chmod 0600 /home/kitchen/.ssh/authorized_keys
        ---> Using cache
        ---> 28af8a5ae0bc
       Step 16/17 : RUN mkdir -p /run/sshd
        ---> Using cache
        ---> 68c86bba2745
       Step 17/17 : RUN echo ssh-rsa\ AAAAB3NzaC1yc2EAAAADAQABAAABAQDTDxwmQNoEIijN2hs9BvIWUUf5oJ69LTkmouZeO450AMkJLkB/UEdIMhf6xi32b8H2PYSuJNXFwTrYvEpCuFnqIn2v0//ywq\+e4\+wlJ42MOzoZKui5PqocVsoXTdThjabcFRRLUrx9\+PPGkXhEfe\+NmywCd2WcCE6wvejFq6vsBrtto9DsPgKI\+LCCPLq4NKw3M3/0pRD\+JJp5XS7\+AJep8DaoK9MSbWL48Gog9mCpJvxjEeTL4HDBVoYnkQSLp3qG/K0uEHHtO3/fpQuKEfumFY/4m\+S7dfrfCilsIddOJs/LsBi47NZ/cn4zzaS8sQg0zh9SFHaBuR8teXMP9h3N\ kitchen_docker_key >> /home/kitchen/.ssh/authorized_keys
        ---> Using cache
        ---> aa466cc25048
       Successfully built aa466cc25048
       7c8d0f2c04dbbac40805b8b99cf324bbdf446aeecf4e48a5f115b272243e8f60
       0.0.0.0:32770
       Waiting for SSH service on localhost:32770, retrying in 3 seconds
       Waiting for SSH service on localhost:32770, retrying in 3 seconds
       Waiting for SSH service on localhost:32770, retrying in 3 seconds
       Waiting for SSH service on localhost:32770, retrying in 3 seconds
       Waiting for SSH service on localhost:32770, retrying in 3 seconds
       Waiting for SSH service on localhost:32770, retrying in 3 seconds
       Waiting for SSH service on localhost:32770, retrying in 3 seconds
       Waiting for SSH service on localhost:32770, retrying in 3 seconds
```

@rndmh3ro
Member Author

rndmh3ro commented Oct 8, 2019

Well, the image itself works correctly. However test-kitchen + systemd + centos 8 are apparently a bad mix.

The best I could manage is this so far:

```yaml
- name: centos8-ansible-latest
  driver:
    image: rndmh3ro/docker-centos8-ansible:latest
    platform: centos
  provisioner:
    ansible_binary_path: "/usr/local/bin"
    provision_command:
      - sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config
      - systemctl --now enable sshd.service
```

This makes the container start and execute ansible, however it won't find the sshd-service, thus failing at the restart-handler. If kitchen is then run again, at least it won't fail and you can verify the build. There are then some inspec-failures that need to be handled.
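As an added example (not the project's code and not part of rndmh3ro's comment), here is a POSIX shell helper that does what the `sed` line in the `provision_command` above does, but idempotently: it rewrites an existing active directive, appends it when the keyword is absent, and reads the effective value back using sshd's first-match rule (the first active occurrence of a keyword wins). The function names `set_sshd_option`, `get_sshd_option` and `make_sample_config` are chosen here, and the sshd_config content is a constructed sample, not a real host's configuration.

```shell
#!/bin/sh
# Added example: idempotent sshd_config directive editing for a test container.
# Not from the ansible-ssh-hardening project; names and sample data are assumptions.
set -eu

# set_sshd_option FILE KEY VALUE
# Rewrites every active (uncommented) "KEY ..." line to "KEY VALUE".
# Appends "KEY VALUE" when no active line exists, which the original
# sed one-liner would silently skip.
set_sshd_option() {
  file=$1; key=$2; value=$3
  if grep -Eq "^[[:space:]]*${key}[[:space:]]" "$file"; then
    # Edit via a temp file: GNU sed -i is not POSIX and differs on BSD sed.
    tmp=$(mktemp)
    sed -E "s/^[[:space:]]*${key}[[:space:]].*/${key} ${value}/" "$file" > "$tmp"
    cat "$tmp" > "$file"
    rm -f "$tmp"
  else
    printf '%s %s\n' "$key" "$value" >> "$file"
  fi
}

# get_sshd_option FILE KEY
# Prints the effective value: sshd uses the first active occurrence of a
# keyword (case-insensitive), so later duplicates are ignored here as well.
get_sshd_option() {
  awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# make_sample_config
# Writes a constructed sshd_config fragment to a temp file and prints its path.
make_sample_config() {
  file=$(mktemp)
  cat > "$file" <<'EOF'
# constructed sample for demonstration, not a real host config
Port 22
#UsePAM no
UsePAM yes
X11Forwarding yes
EOF
  printf '%s\n' "$file"
}
```

Running `f=$(make_sample_config); set_sshd_option "$f" UsePAM no; get_sshd_option "$f" UsePAM` prints `no`, and a second `set_sshd_option` call leaves exactly one active `UsePAM` line, so the step is safe to repeat across kitchen converges.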

@rndmh3ro
Member Author

Fixed by #309

2 participants