From ee14facdfa486aed11b8372de8dfd0d02c06b230 Mon Sep 17 00:00:00 2001 From: EmmanuelNwa247 Date: Tue, 17 Jun 2025 16:16:33 -0400 Subject: [PATCH 01/11] set an inline bash script to set user as dibbs-user on cloud provisioners --- packer/ubuntu-server/ubuntu.pkr.hcl | 42 ++++++++++++++++++++--------- 1 file changed, 29 insertions(+), 13 deletions(-) diff --git a/packer/ubuntu-server/ubuntu.pkr.hcl b/packer/ubuntu-server/ubuntu.pkr.hcl index a0c4f06..44d25e8 100644 --- a/packer/ubuntu-server/ubuntu.pkr.hcl +++ b/packer/ubuntu-server/ubuntu.pkr.hcl @@ -86,7 +86,7 @@ source "amazon-ebs" "aws-ami" { most_recent = true } - //TODO: CHANGE ME! Change the password to use the random one, too! + # Packer connects as ubuntu user during build, then we create dibbs-user via provisioning ssh_username = "ubuntu" launch_block_device_mappings { 
@@ -121,25 +121,45 @@ source "azure-arm" "azure-image" { managed_image_resource_group_name = "skylight-dibbs-vm1" os_type = "Linux" - //TODO: CHANGE ME! Change the password to use the random one, too! - ssh_username = "ubuntu" - + # Packer connects as ubuntu user during build, then we create dibbs-user via provisioning + ssh_username = "ubuntu" } build { name = "multi-cloud-build" sources = [ - "source.qemu.raw" - //"source.amazon-ebs.aws-ami", - //"source.azure-arm.azure-image" + "source.qemu.raw", + "source.amazon-ebs.aws-ami", + "source.azure-arm.azure-image" ] + # Create dibbs-user account on cloud instances during build + provisioner "shell" { + only = ["amazon-ebs.aws-ami", "azure-arm.azure-image"] + inline = [ + "sudo useradd -m -s /bin/bash -G sudo dibbs-user", + "echo 'dibbs-user:${var.ssh_password}' | sudo chpasswd", + "echo 'dibbs-user ALL=(ALL) ALL' | sudo tee /etc/sudoers.d/dibbs-user", + "sudo chmod 0440 /etc/sudoers.d/dibbs-user" + ] + } + provisioner "file" { source = "./jails/jail.local" destination = "~/jail.local" } + # Wait for dibbs-user to be created on cloud instances + provisioner "shell" { + only = ["amazon-ebs.aws-ami", "azure-arm.azure-image"] + inline = [ + "while ! id dibbs-user >/dev/null 2>&1; do echo 'Waiting for dibbs-user...'; sleep 5; done", + "echo 'dibbs-user is ready'" + ] + } + + # Switch to dibbs-user for subsequent provisioning on cloud instances provisioner "shell" { only = ["azure-arm.azure-image"] scripts = [ @@ -153,8 +173,6 @@ build { "USE_SUDO=sudo", "BUILD_TYPE=azure" ] - - //TODO: Add new password here! execute_command = "echo 'ubuntu' | {{.Vars}} sudo -S -E bash '{{.Path}}'" } @@ -168,11 +186,9 @@ build { environment_vars = [ "DIBBS_SERVICE=${var.dibbs_service}", "DIBBS_VERSION=${var.dibbs_version}", - "USE_SUDO=", + "USE_SUDO=sudo", "BUILD_TYPE=aws" ] - - //TODO: Add new password here! execute_command = "echo 'ubuntu' | {{.Vars}} sudo -S -E bash '{{.Path}}'" } 
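Review bot: The second added shell provisioner (`while ! id dibbs-user >/dev/null 2>&1; do ...`) can never actually wait for anything — Packer runs provisioners strictly in order, so the `useradd` in the first added provisioner has already returned, and with the shell provisioner's default `/bin/sh -e` shebang a failed `useradd` aborts the build before this loop is reached; the whole "Wait for dibbs-user" block can be dropped. The comment `# Switch to dibbs-user for subsequent provisioning on cloud instances` also misdescribes the provisioner beneath it, which still connects as `ubuntu` and escalates with `sudo` (its `execute_command` lies outside this hunk); `# Still runs as ubuntu via sudo; dibbs-user is the account that ships in the image` would match the code. `${var.ssh_password}` is now interpolated into the inline `chpasswd` command, and Packer only redacts a variable's value from its output when the `variable "ssh_password"` block (not in this series) declares `sensitive = true` — worth confirming before this runs with the randomly generated value.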
@@ -203,4 +219,4 @@ build { source = "./scripts/apt-updates.sh.home" destination = "~/apt-updates.sh" } -} +} \ No newline at end of file From 073f1d282fd58f76fb8b6dcf4d57358bea486996 Mon Sep 17 00:00:00 2001 From: EmmanuelNwa247 Date: Tue, 24 Jun 2025 16:36:22 -0400 Subject: [PATCH 02/11] create dibbs-user account on cloud provisioners --- packer/ubuntu-server/jails/jail.local | 2 +- packer/ubuntu-server/ubuntu.pkr.hcl | 9 ++++++--- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/packer/ubuntu-server/jails/jail.local b/packer/ubuntu-server/jails/jail.local index e9c4d77..1263b8e 100644 --- a/packer/ubuntu-server/jails/jail.local +++ b/packer/ubuntu-server/jails/jail.local @@ -22,7 +22,7 @@ mta = sendmail # configured above. action_mw = %(action_)s %(mta)s-whois[sender="%(sender)s", dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"] -action = $(action_)s +action = iptables [ssh] diff --git a/packer/ubuntu-server/ubuntu.pkr.hcl b/packer/ubuntu-server/ubuntu.pkr.hcl index 44d25e8..d89252b 100644 --- a/packer/ubuntu-server/ubuntu.pkr.hcl +++ b/packer/ubuntu-server/ubuntu.pkr.hcl @@ -141,7 +141,10 @@ build { "sudo useradd -m -s /bin/bash -G sudo dibbs-user", "echo 'dibbs-user:${var.ssh_password}' | sudo chpasswd", "echo 'dibbs-user ALL=(ALL) ALL' | sudo tee /etc/sudoers.d/dibbs-user", - "sudo chmod 0440 /etc/sudoers.d/dibbs-user" + "sudo chmod 0440 /etc/sudoers.d/dibbs-user" , + "sudo gpasswd -d ubuntu docker || true" , + "echo 'ubuntu ALL=(ALL) NOPASSWD: ALL, !/usr/bin/docker' | sudo tee /etc/sudoers.d/ubuntu-docker-block", + "sudo chmod 0440 /etc/sudoers.d/ubuntu-docker-block" ] } @@ -173,7 +176,7 @@ build { "USE_SUDO=sudo", "BUILD_TYPE=azure" ] - execute_command = "echo 'ubuntu' | {{.Vars}} sudo -S -E bash '{{.Path}}'" + execute_command = "echo '${var.ssh_password}' | {{.Vars}} sudo -S -E bash '{{.Path}}'" } provisioner "shell" { 
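Review bot: `action = iptables` replaces what looks like a typo for the standard interpolation (`$(action_)s` should be `%(action_)s`, as the `action_mw` line just above uses), and a bare `iptables` action discards the per-jail `port`, `protocol` and `chain` that `%(action_)s` carries, so any non-ssh jail in this file would be banned with the action's built-in default port rather than its own. If the intent was only to fix the typo, `action = %(action_)s` is the one-line change. If a fixed action really is intended, confirm that every jail defined below `[ssh]` (outside the hunk) is meant to use the iptables action defaults.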
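Review bot: The new sudoers entry `ubuntu ALL=(ALL) NOPASSWD: ALL, !/usr/bin/docker` does not block docker: sudoers(5) documents that `!` exclusions are not an effective restriction once `ALL` has been granted, and the entry additionally gives `ubuntu` passwordless sudo for everything, which is the opposite of what the file name `ubuntu-docker-block` suggests. Removing `ubuntu` from the `docker` group (`sudo gpasswd -d ubuntu docker || true`) is the part that actually takes effect, so the two `ubuntu-docker-block` lines can be dropped; if docker must be denied through sudo, only a positive allow-list of the commands `ubuntu` needs would achieve that. Note this also interacts with the `execute_command` change two hunks below: once `NOPASSWD: ALL` is in place the password piped to `sudo -S` is never consulted.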
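Review bot: `execute_command` now pipes `${var.ssh_password}` to `sudo -S` as the `ubuntu` user, but nothing in this series sets the `ubuntu` account's password to that value on the cloud builds — the `chpasswd` line sets `dibbs-user`'s — so this step works only because `ubuntu` already has passwordless sudo (cloud images normally ship it, and the `ubuntu-docker-block` entry in the previous hunk adds it explicitly). The secret therefore buys nothing here while being written into the provisioner command line, which Packer echoes on debug runs unless the variable is marked `sensitive`. If passwordless sudo is indeed guaranteed on these images, `execute_command = "{{.Vars}} sudo -E bash '{{.Path}}'"` removes the password from the command; the same applies to the `BUILD_TYPE=aws` provisioner changed in the next hunk (its `only` filter is outside the hunk).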
@@ -189,7 +192,7 @@ build { "USE_SUDO=sudo", "BUILD_TYPE=aws" ] - execute_command = "echo 'ubuntu' | {{.Vars}} sudo -S -E bash '{{.Path}}'" + execute_command = "echo '${var.ssh_password}' | {{.Vars}} sudo -S -E bash '{{.Path}}'" } provisioner "shell" { From 1e42ba1cb3090f36f81670706137919b6d109418 Mon Sep 17 00:00:00 2001 From: EmmanuelNwa247 Date: Wed, 25 Jun 2025 23:01:05 -0400 Subject: [PATCH 03/11] modify workflow to include random password --- .github/workflows/packMachines.yml | 22 +++++++++++++++++----- 1 file changed, 17 insertions(+), 5 deletions(-) diff --git a/.github/workflows/packMachines.yml b/.github/workflows/packMachines.yml index 2e76499..feacd7c 100644 --- a/.github/workflows/packMachines.yml +++ b/.github/workflows/packMachines.yml 
@@ -77,26 +77,38 @@ jobs: echo "ARM_TENANT_ID=${{ secrets.AZURE_TENANT_ID }}" >> $GITHUB_ENV shell: bash + - name: Install Supporting Packages + run: sudo apt-get update && sudo apt-get install -y qemu-system-x86 openssl whois + + - name: Generate random password and hash + id: generate_password + run: | + plain_pass=$(openssl rand -base64 12) + hashed_pass=$(mkpasswd --method=SHA-512 "$plain_pass") + echo "ssh_password=$plain_pass" >> $GITHUB_OUTPUT + echo "password_hash=$hashed_pass" >> $GITHUB_OUTPUT + + - name: Render cloud-init user-data with password hash + working-directory: ./packer/ubuntu-server/http + run: | + sed "s|{{password_hash}}|${{ steps.generate_password.outputs.password_hash }}|" user-data-template.yaml > user-data - name: Set up Packer uses: hashicorp/setup-packer@1aa358be5cf73883762b302a3a03abd66e75b232 with: version: 1.11.2 - - name: Install Supporting Packages - run: sudo apt-get update && sudo apt-get install -y qemu-system-x86 openssl - - name: Run `packer init` working-directory: ./packer/ubuntu-server run: packer init . - name: Run `packer validate` working-directory: ./packer/ubuntu-server - run: packer validate --var dibbs_service=${{ matrix.service }} --var dibbs_version=main . + run: packer validate --var dibbs_service=${{ matrix.service }} --var dibbs_version=main --var ssh_password='${{ steps.generate_password.outputs.ssh_password }}' . - name: Run `packer build` working-directory: ./packer/ubuntu-server - run: packer build --var dibbs_service=${{ matrix.service }} --var dibbs_version=main . + run: packer build --var dibbs_service=${{ matrix.service }} --var dibbs_version=main --var ssh_password='${{ steps.generate_password.outputs.ssh_password }}' . packer_build_repository_dispatch: From 8ca9836aa6ac9c59ff89a0b0ec773617ad87e61a Mon Sep 17 00:00:00 2001 
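Review bot: `echo "ssh_password=$plain_pass" >> $GITHUB_OUTPUT` publishes the plaintext password as an unmasked step output, and the later `--var ssh_password='${{ steps.generate_password.outputs.ssh_password }}'` lines expand it into the `run` script, whose expanded text GitHub prints at the head of the step log — so the credential of the `dibbs-user` account baked into every image ends up in the workflow log. Register the value with the runner before exporting it, `echo "::add-mask::$plain_pass"`, and hand it to Packer through the environment (`PKR_VAR_ssh_password` via a step-level `env:`) rather than inside the command text. `mkpasswd --method=SHA-512 "$plain_pass"` also passes the password as a process argument; `printf '%s' "$plain_pass" | mkpasswd --method=SHA-512 --stdin` keeps it off the command line. The dispatch job in PATCH 04 repeats the same pattern.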
From: EmmanuelNwa247 Date: Wed, 25 Jun 2025 23:11:42 -0400 Subject: [PATCH 04/11] modify build workflow dispatch job to include random password --- .github/workflows/packMachines.yml | 25 +++++++++++++++++++++---- 1 file changed, 21 insertions(+), 4 deletions(-) diff --git a/.github/workflows/packMachines.yml b/.github/workflows/packMachines.yml index feacd7c..1a3fe87 100644 --- a/.github/workflows/packMachines.yml +++ b/.github/workflows/packMachines.yml @@ -192,13 +192,28 @@ jobs: echo "ARM_TENANT_ID=${{ secrets.AZURE_TENANT_ID }}" >> $GITHUB_ENV shell: bash + - name: Install QEMU + run: sudo apt-get update && sudo apt-get install -y qemu-system-x86 openssl whois + + - name: Generate random password and hash + id: generate_password + run: | + plain_pass=$(openssl rand -base64 12) + hashed_pass=$(mkpasswd --method=SHA-512 "$plain_pass") + echo "ssh_password=$plain_pass" >> $GITHUB_OUTPUT + echo "password_hash=$hashed_pass" >> $GITHUB_OUTPUT + + - name: Render cloud-init user-data + working-directory: ./packer/ubuntu-server/http + run: | + sed "s|{{password_hash}}|${{ steps.generate_password.outputs.password_hash }}|" user-data-template.yaml > user-data + - name: Set up Packer uses: hashicorp/setup-packer@1aa358be5cf73883762b302a3a03abd66e75b232 with: version: 1.11.2 - - name: Install QEMU - run: sudo apt-get update && sudo apt-get install -y qemu-system-x86 + - name: Run `packer init ${{ inputs.service }}` working-directory: ./packer/ubuntu-server 
@@ -206,10 +221,12 @@ jobs: - name: Run `packer validate ${{ inputs.service }}` working-directory: ./packer/ubuntu-server - run: packer validate --var dibbs_service=${{ inputs.service }} --var dibbs_version=${{ inputs.version }} . + run: packer validate --var dibbs_service=${{ inputs.service }} --var dibbs_version=${{ inputs.version }} --var ssh_password='${{ steps.generate_password.outputs.ssh_password }}' . + - name: Run `packer build ${{ inputs.service }}` working-directory: ./packer/ubuntu-server - run: packer build --var dibbs_service=${{ inputs.service }} --var dibbs_version=${{ inputs.version }} . + run: packer build --var dibbs_service=${{ inputs.service }} --var dibbs_version=${{ inputs.version }} --var ssh_password='${{ steps.generate_password.outputs.ssh_password }}' . + ## TODO: Decide how to export artifact. \ No newline at end of file From 995b16dd5d21022ad44c3dd94ec2fa47d70d4d32 Mon Sep 17 00:00:00 2001 From: EmmanuelNwa247 Date: Wed, 25 Jun 2025 23:37:45 -0400 Subject: [PATCH 05/11] modify build workflow dispatch job to include random password --- .github/workflows/packMachines.yml | 23 +++++++++++++---------- 1 file changed, 13 insertions(+), 10 deletions(-) diff --git a/.github/workflows/packMachines.yml b/.github/workflows/packMachines.yml index 1a3fe87..91a5e1b 100644 --- a/.github/workflows/packMachines.yml +++ b/.github/workflows/packMachines.yml 
@@ -195,18 +195,21 @@ jobs: - name: Install QEMU run: sudo apt-get update && sudo apt-get install -y qemu-system-x86 openssl whois - - name: Generate random password and hash - id: generate_password + - name: Generate user-data with hashed password + working-directory: ./packer/ubuntu-server run: | - plain_pass=$(openssl rand -base64 12) - hashed_pass=$(mkpasswd --method=SHA-512 "$plain_pass") - echo "ssh_password=$plain_pass" >> $GITHUB_OUTPUT - echo "password_hash=$hashed_pass" >> $GITHUB_OUTPUT + sudo apt-get update && sudo apt-get install -y whois - - name: Render cloud-init user-data - working-directory: ./packer/ubuntu-server/http - run: | - sed "s|{{password_hash}}|${{ steps.generate_password.outputs.password_hash }}|" user-data-template.yaml > user-data + plain_pass=$(openssl rand -base64 12) + echo "Random password: $plain_pass" + echo "PLAIN_PASSWORD=$plain_pass" >> $GITHUB_ENV + + hashed_pass=$(mkpasswd --method=SHA-512 "$plain_pass") + + sed "s|{{password_hash}}|$hashed_pass|" user-data > user-data-final + mv user-data-final user-data + + echo "user-data file is ready with hashed password." - name: Set up Packer uses: hashicorp/setup-packer@1aa358be5cf73883762b302a3a03abd66e75b232 From 01c4f44cc9c35d93b931f419566a9e640b5922a1 Mon Sep 17 00:00:00 2001 From: EmmanuelNwa247 Date: Wed, 25 Jun 2025 23:47:32 -0400 Subject: [PATCH 06/11] modify build workflow dispatch job to include random password --- .github/workflows/packMachines.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/packMachines.yml b/.github/workflows/packMachines.yml index 91a5e1b..6c405d0 100644 --- a/.github/workflows/packMachines.yml +++ b/.github/workflows/packMachines.yml 
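Review bot: `echo "Random password: $plain_pass"` writes the plaintext password straight into the job log, and `PLAIN_PASSWORD` is appended to `$GITHUB_ENV` without being masked, so anyone who can read the run output learns the `dibbs-user` credential of every image this job builds. Drop the echo and mask the value first: `echo "::add-mask::$plain_pass"` followed by `echo "PLAIN_PASSWORD=$plain_pass" >> $GITHUB_ENV`. These two lines survive unchanged through PATCH 09 and into the final PATCH 11 hunk at `@@ -198,15 +185,11 @@`, so the fix belongs there as well.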
@@ -206,8 +206,8 @@ jobs: hashed_pass=$(mkpasswd --method=SHA-512 "$plain_pass") - sed "s|{{password_hash}}|$hashed_pass|" user-data > user-data-final - mv user-data-final user-data + sed "s|{{password_hash}}|$hashed_pass|" ./packer/ubuntu-server/http/user-data > ./packer/ubuntu-server/http/user-data-final + mv ./packer/ubuntu-server/http/user-data-final ./packer/ubuntu-server/http/user-data echo "user-data file is ready with hashed password." From fb009e785f465e4ce433337202e0d6f4a7e56c59 Mon Sep 17 00:00:00 2001 From: EmmanuelNwa247 Date: Thu, 26 Jun 2025 13:05:01 -0400 Subject: [PATCH 07/11] modify build workflow dispatch job to include random password --- .github/workflows/packMachines.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/packMachines.yml b/.github/workflows/packMachines.yml index 6c405d0..8583e91 100644 --- a/.github/workflows/packMachines.yml +++ b/.github/workflows/packMachines.yml @@ -206,8 +206,7 @@ jobs: hashed_pass=$(mkpasswd --method=SHA-512 "$plain_pass") - sed "s|{{password_hash}}|$hashed_pass|" ./packer/ubuntu-server/http/user-data > ./packer/ubuntu-server/http/user-data-final - mv ./packer/ubuntu-server/http/user-data-final ./packer/ubuntu-server/http/user-data + sed "s|{{password_hash}}|$hashed_pass|" ./packer/ubuntu-server/http/user-data echo "user-data file is ready with hashed password." From 857f8f4232d36decd1152e61c4e2ed64c38db8d7 Mon Sep 17 00:00:00 2001 From: EmmanuelNwa247 Date: Thu, 26 Jun 2025 13:20:20 -0400 Subject: [PATCH 08/11] modify build workflow dispatch job to include random password --- .github/workflows/packMachines.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/packMachines.yml b/.github/workflows/packMachines.yml index 8583e91..026bb0a 100644 --- a/.github/workflows/packMachines.yml +++ b/.github/workflows/packMachines.yml 
@@ -206,7 +206,7 @@ jobs: hashed_pass=$(mkpasswd --method=SHA-512 "$plain_pass") - sed "s|{{password_hash}}|$hashed_pass|" ./packer/ubuntu-server/http/user-data + sed -i "s|{{password_hash}}|$hashed_pass|" ./packer/ubuntu-server/http/user-data echo "user-data file is ready with hashed password." From c942ebcb9326a2276c94a411c6df1037a544f298 Mon Sep 17 00:00:00 2001 From: EmmanuelNwa247 Date: Thu, 26 Jun 2025 16:35:09 -0400 Subject: [PATCH 09/11] modify build workflow dispatch job to include random password --- .github/workflows/packMachines.yml | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/.github/workflows/packMachines.yml b/.github/workflows/packMachines.yml index 026bb0a..e237beb 100644 --- a/.github/workflows/packMachines.yml +++ b/.github/workflows/packMachines.yml @@ -199,14 +199,13 @@ jobs: working-directory: ./packer/ubuntu-server run: | sudo apt-get update && sudo apt-get install -y whois - - plain_pass=$(openssl rand -base64 12) - echo "Random password: $plain_pass" + plain_pass=$(openssl rand -base64 12) + echo "Random password: $plain_pass" echo "PLAIN_PASSWORD=$plain_pass" >> $GITHUB_ENV hashed_pass=$(mkpasswd --method=SHA-512 "$plain_pass") - sed -i "s|{{password_hash}}|$hashed_pass|" ./packer/ubuntu-server/http/user-data + sed -i "s|{{password_hash}}|$hashed_pass|" http/user-data echo "user-data file is ready with hashed password." From 908a180decc60f15f377d565ba0aa573296b14f5 Mon Sep 17 00:00:00 2001 From: EmmanuelNwa247 Date: Thu, 26 Jun 2025 17:18:06 -0400 Subject: [PATCH 10/11] modify build workflow dispatch job to include random password --- .github/workflows/packMachines.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/packMachines.yml b/.github/workflows/packMachines.yml index e237beb..a0227c8 100644 --- a/.github/workflows/packMachines.yml +++ b/.github/workflows/packMachines.yml 
@@ -222,12 +222,12 @@ jobs: - name: Run `packer validate ${{ inputs.service }}` working-directory: ./packer/ubuntu-server - run: packer validate --var dibbs_service=${{ inputs.service }} --var dibbs_version=${{ inputs.version }} --var ssh_password='${{ steps.generate_password.outputs.ssh_password }}' . + run: packer validate --var dibbs_service=${{ inputs.service }} --var dibbs_version=${{ inputs.version }} --var ssh_password='${{ env.PLAIN_PASSWORD }}' . - name: Run `packer build ${{ inputs.service }}` working-directory: ./packer/ubuntu-server - run: packer build --var dibbs_service=${{ inputs.service }} --var dibbs_version=${{ inputs.version }} --var ssh_password='${{ steps.generate_password.outputs.ssh_password }}' . + run: packer build --var dibbs_service=${{ inputs.service }} --var dibbs_version=${{ inputs.version }} --var ssh_password='${{ env.PLAIN_PASSWORD }}' . ## TODO: Decide how to export artifact. \ No newline at end of file From db2123aa79edbeeb0b6bbb0599535c55dd412f5b Mon Sep 17 00:00:00 2001 From: EmmanuelNwa247 Date: Fri, 27 Jun 2025 16:49:19 -0400 Subject: [PATCH 11/11] final clean up to add randomized password --- .github/workflows/packMachines.yml | 32 +++++++----------------------- 1 file changed, 7 insertions(+), 25 deletions(-) diff --git a/.github/workflows/packMachines.yml b/.github/workflows/packMachines.yml index a0227c8..b55ab5a 100644 --- a/.github/workflows/packMachines.yml +++ b/.github/workflows/packMachines.yml 
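Review bot: `${{ env.PLAIN_PASSWORD }}` is a workflow-expression expansion, which substitutes the password into the script text before the shell runs it — that expanded text is what the step log prints, and any shell metacharacter in the value would be parsed as part of the command. Because `PLAIN_PASSWORD` was written to `$GITHUB_ENV`, it is already an ordinary environment variable inside the step, so `--var ssh_password="$PLAIN_PASSWORD"` on both the validate and build lines keeps the value out of the command text and does not depend on the value being quote-safe (today's `openssl rand -base64` output happens to be, but the env form needs no such assumption).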
@@ -77,38 +77,25 @@ jobs: echo "ARM_TENANT_ID=${{ secrets.AZURE_TENANT_ID }}" >> $GITHUB_ENV shell: bash - - name: Install Supporting Packages - run: sudo apt-get update && sudo apt-get install -y qemu-system-x86 openssl whois - - - name: Generate random password and hash - id: generate_password - run: | - plain_pass=$(openssl rand -base64 12) - hashed_pass=$(mkpasswd --method=SHA-512 "$plain_pass") - echo "ssh_password=$plain_pass" >> $GITHUB_OUTPUT - echo "password_hash=$hashed_pass" >> $GITHUB_OUTPUT - - - name: Render cloud-init user-data with password hash - working-directory: ./packer/ubuntu-server/http - run: | - sed "s|{{password_hash}}|${{ steps.generate_password.outputs.password_hash }}|" user-data-template.yaml > user-data - - name: Set up Packer uses: hashicorp/setup-packer@1aa358be5cf73883762b302a3a03abd66e75b232 with: version: 1.11.2 + - name: Install Supporting Packages + run: sudo apt-get update && sudo apt-get install -y qemu-system-x86 openssl + - name: Run `packer init` working-directory: ./packer/ubuntu-server run: packer init . - name: Run `packer validate` working-directory: ./packer/ubuntu-server - run: packer validate --var dibbs_service=${{ matrix.service }} --var dibbs_version=main --var ssh_password='${{ steps.generate_password.outputs.ssh_password }}' . + run: packer validate --var dibbs_service=${{ matrix.service }} --var dibbs_version=main . - name: Run `packer build` working-directory: ./packer/ubuntu-server - run: packer build --var dibbs_service=${{ matrix.service }} --var dibbs_version=main --var ssh_password='${{ steps.generate_password.outputs.ssh_password }}' . + run: packer build --var dibbs_service=${{ matrix.service }} --var dibbs_version=main . packer_build_repository_dispatch: 
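Review bot: Removing the generate/render steps from this job also drops the `--var ssh_password=...` flags, so `packer build` here now relies on a default for `ssh_password` in the template (its `variable` block is not in this series) and `packer/ubuntu-server/http/user-data` is no longer rendered before the build. If that file is committed with the `{{password_hash}}` placeholder that the dispatch job's `sed -i` (next hunk) fills in, the qemu source presumably built by this matrix job boots with an unusable password hash while Packer still tries the default `ssh_password`; confirm either that this job's sources do not read `http/user-data` or that the file carries a valid hash matching the default. A one-line comment above the `Run packer build` step stating which password and user-data the matrix build expects would make the split between the two jobs explicit.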
@@ -198,15 +185,11 @@ jobs: - name: Generate user-data with hashed password working-directory: ./packer/ubuntu-server run: | - sudo apt-get update && sudo apt-get install -y whois plain_pass=$(openssl rand -base64 12) echo "Random password: $plain_pass" echo "PLAIN_PASSWORD=$plain_pass" >> $GITHUB_ENV - - hashed_pass=$(mkpasswd --method=SHA-512 "$plain_pass") - - sed -i "s|{{password_hash}}|$hashed_pass|" http/user-data - + hashed_pass=$(mkpasswd --method=SHA-512 "$plain_pass") + sed -i "s|{{password_hash}}|$hashed_pass|g" http/user-data echo "user-data file is ready with hashed password." - name: Set up Packer @@ -215,7 +198,6 @@ jobs: version: 1.11.2 - - name: Run `packer init ${{ inputs.service }}` working-directory: ./packer/ubuntu-server run: packer init .