Merge branch 'develop' into dlpx/pr/rasantel/b46e023c-a6d9-4f5d-9d9c-22ad61395406

Author: Abhishek Shukla

debian/rules

@@ -158,6 +158,7 @@ DEPENDS += aptitude, \
 	   memstat, \
 	   mtr-tiny, \
 	   ncdu, \
+	   netcat-openbsd, \
 	   pciutils, \
 	   performance-diagnostics, \
 	   procinfo, \

files/common/etc/profile.d/set-umask-for-all-users.sh

@@ -0,0 +1,3 @@
+#!/bin/sh
+
+umask 027

files/common/lib/systemd/system/zfs-import-cache.service.d/override.conf

@@ -0,0 +1,11 @@
+#
+# During upgrade verification, the root filesystem will be booted as a
+# container using systemd-nspawn. We don't "sandbox" the container, so
+# when zfs-import-cache.service runs, it could potentially try to import
+# a pool, which is not desired.
+#
+# To prevent this behavior, we explicitly disable this service from
+# running when inside of the container.
+#
+[Unit]
+ConditionVirtualization=!container

files/common/lib/systemd/system/zfs-import-scan.service.d/override.conf

@@ -0,0 +1,11 @@
+#
+# During upgrade verification, the root filesystem will be booted as a
+# container using systemd-nspawn. We don't "sandbox" the container, so
+# when zfs-import-scan.service runs, it could potentially try to import
+# a pool, which is not desired.
+#
+# To prevent this behavior, we explicitly disable this service from
+# running when inside of the container.
+#
+[Unit]
+ConditionVirtualization=!container

files/common/lib/systemd/system/zfs-mount.service.d/override.conf

@@ -0,0 +1,13 @@
+#
+# During upgrade verification, the root filesystem will be booted as a
+# container using systemd-nspawn. We don't "sandbox" the container, so
+# when zfs-mount.service runs, it'll automatically mount all "domain0"
+# mountpoints (or "dcenter" mountpoints for our DCenter systems). These
+# mounts in the container can then impact software running outside of
+# the container; e.g. "zfs destroy" can fail with EBUSY.
+#
+# Thus, to workaround this problem, we explicitly disable this service
+# from running when inside of the container.
+#
+[Unit]
+ConditionVirtualization=!container

files/common/lib/systemd/system/zfs-share.service.d/override.conf

@@ -0,0 +1,13 @@
+#
+# During upgrade verification, the root filesystem will be booted as a
+# container using systemd-nspawn. We don't "sandbox" the container, so
+# when zfs-share.service runs, it'll automatically mount all "domain0"
+# mountpoints (or "dcenter" mountpoints for our DCenter systems). These
+# mounts in the container can then impact software running outside of
+# the container; e.g. "zfs destroy" can fail with EBUSY.
+#
+# Thus, to workaround this problem, we explicitly disable this service
+# from running when inside of the container.
+#
+[Unit]
+ConditionVirtualization=!container

files/common/usr/lib/sysctl.d/30-delphix-ports.conf

@@ -15,12 +15,17 @@
 #
 
 #
-# Local reserved ports for NFSv3
+# Local reserved ports
 # The persistent setting to back /proc/sys/net/ipv4/ip_local_reserved_ports
 #
+# iSCSI ports:
+# 53260 iSCSI listen for encrypted targets
+# 53261 srv side iSCSI stunnel listen
+#
+# NFS ports:
 # 54043 RPC mountd listen
 # 54044 RPC statd listen
 # 54045 RPC lockd/nlockmgr
 # 54046 srv side tunnel listen
 #
-net.ipv4.ip_local_reserved_ports = 54043-54046
+net.ipv4.ip_local_reserved_ports = 53260-53261,54043-54046

files/common/var/lib/delphix-platform/ansible/10-delphix-platform/roles/delphix-platform/tasks/main.yml

@@ -76,12 +76,16 @@
 #
 # Restrict cron permissions. All jobs are owned by root so there's no
 # reason to allow others any level of access. This is also necessary to
-# satisfy external auditing of CIS security benchmarks.
+# satisfy external auditing of CIS security benchmarks. Also ensuring
+# the permissions on /etc/ssh/sshd_config are configured.
 #
 - file:
-    path: /etc/crontab
+    path: "{{ item }}"
     state: file
     mode: 0600
+  with_items:
+    - /etc/crontab
+    - /etc/ssh/sshd_config
 
 - file:
     path: "{{ item }}"
@@ -228,34 +232,14 @@
     - 'delphix'
     - 'root'
 
-- lineinfile:
-    path: /etc/ssh/sshd_config
-    regexp: "^#?{{ item.key }} "
-    line: "{{ item.key }} {{ item.value }}"
-  with_items:
-    #
-    # Configure SSH to allow PAM "conversations" (interactions with the user).
-    #
-    - { key: "ChallengeResponseAuthentication", value: "yes" }
-    #
-    # Harden the appliance by disabling ssh-agent(1), tcp, UNIX domain, and
-    # X11 forwarding. Note that this doesn't improve security unless users are
-    # also denied shell access.
-    #
-    - { key: "AllowAgentForwarding", value: "no" }
-    - { key: "AllowStreamLocalForwarding", value: "no" }
-    - { key: "AllowTcpForwarding", value: "no" }
-    - { key: "X11Forwarding", value: "no" }
-
 #
-# The CRA project mandated a 30 minute timeout for any idle connections.
-# By enabling an inactivity timeout we ensure that idle connections are
-# closed. Thus any sessions that are accidentally left opened at a
-# customer site will timeout preventing customers from gaining access to
-# our engine.
+# The 'ClientAliveInterval' setting determines the amount of time
+# (in seconds) the sshd server will wait to receive data from the
+# client before sending a request for response.
 #
 - set_fact:
-    ssh_client_alive_interval: "1800"
+    ssh_client_alive_interval: "300"
+    ssh_client_alive_count_max: "3"
 
 #
 # With that said (see comment above), the Azure marketplace does not
@@ -264,23 +248,39 @@
 #
 - set_fact:
     ssh_client_alive_interval: "180"
-  when: platform == "azure"
+    ssh_client_alive_count_max: "0"
+  when:
+    - platform == "azure"
 
 - lineinfile:
     path: /etc/ssh/sshd_config
     regexp: "^#?{{ item.key }} "
     line: "{{ item.key }} {{ item.value }}"
   with_items:
-    - { key: "ClientAliveInterval", value: "{{ ssh_client_alive_interval }}" }
-    - { key: "ClientAliveCountMax", value: "0" }
-  when:
     #
-    # For developer convenience, we only enable the CRA mandated timeout
-    # for external variants. The idle timeout can be a burden when we
-    # need to run long running processes over SSH on our internal
-    # systems (e.g. for development, testing, etc).
+    # Configure SSH to allow PAM "conversations" (interactions with the user).
     #
-    - variant is regex("external-.*")
+    - { key: "ChallengeResponseAuthentication", value: "yes" }
+    #
+    # Harden the appliance by disabling ssh-agent(1), tcp, UNIX domain, and
+    # X11 forwarding. Note that this doesn't improve security unless users are
+    # also denied shell access.
+    #
+    - { key: "AllowAgentForwarding", value: "no" }
+    - { key: "AllowStreamLocalForwarding", value: "no" }
+    - { key: "AllowTcpForwarding", value: "no" }
+    - { key: "Ciphers", value: "[email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]" }
+    - { key: "ClientAliveCountMax", value: "{{ ssh_client_alive_count_max }}" }
+    - { key: "ClientAliveInterval", value: "{{ ssh_client_alive_interval }}" }
+    - { key: "HostKeyAlgorithms", value: "-ssh-rsa*" }
+    - { key: "KexAlgorithms", value: "curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256"}
+    - { key: "LoginGraceTime", value: "60"}
+    - { key: "MACs", value: "[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512"}
+    - { key: "MaxAuthTries", value: "4" }
+    - { key: "MaxStartups", value: "10:30:60"}
+    - { key: "PermitRootLogin", value: "no" }
+    - { key: "X11Forwarding", value: "no" }
+  notify: "sshd config changed"
 
 - blockinfile:
     path: /etc/profile
@@ -300,12 +300,18 @@
     #
     - variant is regex("external-.*")
 #
-# Harden the appliance by disabling SFTP.
+# Harden the appliance by disabling SFTP on external variants.
 #
 - replace:
     path: /etc/ssh/sshd_config
     regexp: '^(Subsystem.*sftp.*)'
     replace: '#\1'
+  when:
+    #
+    # Disable sftp on external variants and leave it enabled on internal
+    # variants for developer convenience and to facilitate test automation.
+    #
+    - variant is regex("external-.*")
 
 #
 # Ssh leads to the CLI, not bash, so let's remove all the linuxy shell goodies,
@@ -322,36 +328,13 @@
     replace: '#\1'
 
 #
-# Prevent sshd from offering weak message authentication codes to clients.
+# Restrict su access to users that are part of the root group (gid 0).
+# On a Delphix engine, this is restricted to the delphix user.
 #
-# The "MACs" configuration parameter in sshd_config takes a list of algorithms
-# as its parameter. This list may be prefixed by a '+' or '-' operator
-# (indicating that the given list should be appended to or removed from the
-# existing MAC set, respectively), or neither operator (indicating that the
-# given list should replace the existing MAC set). If there already exists a
-# "MACs -..."  line, we can append to this list. If otherwise, we need to add
-# this as a separate line in the configuration.
-#
-- shell: grep -c -E "^MACs(\s+)-" /etc/ssh/sshd_config || true
-  register: grep_sshd_config_macs_to_remove
-
-- shell: grep -c -E "^MACs(\s+)-(.*)hmac-sha1\*,umac-64\*" /etc/ssh/sshd_config || true
-  register: grep_sshd_config_macs_already_removed
-
-- lineinfile:
-    path: /etc/ssh/sshd_config
-    backrefs: yes
-    regexp: '^MACs[\s]+-(.*)$'
-    line: 'MACs -\1,hmac-sha1*,umac-64*'
-  notify: "sshd config changed"
-  when: grep_sshd_config_macs_to_remove.stdout != "0" and grep_sshd_config_macs_already_removed == "0"
-
-- lineinfile:
-    path: /etc/ssh/sshd_config
-    insertafter: EOF
-    line: "MACs -hmac-sha1*,umac-64*"
-  notify: "sshd config changed"
-  when: grep_sshd_config_macs_to_remove.stdout == "0"
+- replace:
+    dest: /etc/pam.d/su
+    regexp: '^#?[\s]*(auth[\s]+required[\s]+pam_wheel\.so.*)$'
+    replace: '\1'
 
 #
 # Enable SNMP client tools to load MIBs by default.
@@ -681,3 +664,30 @@
   when:
     - variant == "internal-buildserver"
     - not ansible_is_chroot
+
+- name: Add systemctl bash completion
+  copy:
+    dest: "/etc/bash_completion.d/systemctl"
+    content: |
+      if [[ -r /usr/share/bash-completion/completions/systemctl ]]; then
+        . /usr/share/bash-completion/completions/systemctl && complete -F _systemctl systemctl
+      fi
+
+- name: Source bash completion
+  blockinfile:
+    dest: "/export/home/delphix/.bashrc"
+    block: |
+      . /etc/bash_completion.d/systemctl
+      . /etc/bash_completion.d/zfs
+      PATH=$PATH:/opt/delphix/server/bin
+
+#
+# CIS: Set default umask (DLPX-87205)
+# We need to set default umask as 027 in the /etc/bash.bashrc file,
+# so that the same can be applied for all the users on the engine.
+#
+- blockinfile:
+    path: /etc/bash.bashrc
+    block: |
+      # Set default umask value.
+      umask 027

files/oci/etc/cloud/cloud.cfg.d/99-delphix-datasource.cfg

@@ -1 +1 @@
-datasource_list: [ OpenStack ]
+datasource_list: [ Oracle ]