Merge branch 'master' of github.com:trailofbits/algo

2025-08-10 23:03:03 +02:00 · 2019-06-03 19:03:30 -04:00 · 2019-06-03 19:03:30 -04:00 · 6167e3af9c
commit 6167e3af9c
parent 0270facdc2 6b2defe470
5 changed files with 19 additions and 15 deletions
--- a/2
+++ b/2
@ -20,7 +20,7 @@ RUN apk --no-cache add ${BUILD_PACKAGES} && \
    python -m pip --no-cache-dir install virtualenv && \
    python -m virtualenv env && \
    source env/bin/activate && \
-    python -m pip --no-cache-dir install -r requirements.txt --no-use-pep51 && \
+    python -m pip --no-cache-dir install -r requirements.txt && \
    apk del ${BUILD_PACKAGES}
 COPY . .
 RUN chmod 0755 /algo/algo-docker.sh
--- a/docs/deploy-from-ansible.md
+++ b/docs/deploy-from-ansible.md
@ -83,9 +83,11 @@ Note: The `strongswan` role generates Apple profiles with On-Demand Wifi and Cel
 - role: local, provider: local
-Required variables:
+This role is intended to be run for local install onto an Ubuntu server, or onto an unsupported cloud provider's Ubuntu instance. Required variables:
- server - IP address of your server
+- server - IP address of your server (or "localhost" if deploying to the local machine)
 - endpoint - public IP address of the server you're installing on
 - ssh_user - name of the SSH user you will use to install on the machine (passwordless login required). If `server=localhost`, this isn't required.
 - ca_password - Password for the private CA key
 Note that by default, the iptables rules on your existing server will be overwritten. If you don't want to overwrite the iptables rules, you can use the `--skip-tags iptables` flag.
@ -249,16 +251,6 @@ Required variables:
 You need to source the rc file prior to run Algo. Download it from the OpenStack dashboard->Compute->API Access and source it in the shell (eg: source /tmp/dhc-openrc.sh)
 ### Local
 Required variables:
 - server - IP or hostname to access the server via SSH
 - endpoint - Public IP address or domain name of your server
 - ssh_user
 ### Update users
 Playbook:
--- a/roles/common/templates/rules.v4.j2
+++ b/roles/common/templates/rules.v4.j2
@ -77,6 +77,13 @@ COMMIT
 # Drop traffic between VPN clients
 -A FORWARD -s {{ subnets|join(',') }} -d {{ subnets|join(',') }} -j {{ "DROP" if BetweenClients_DROP else "ACCEPT" }}
 # Drop traffic to VPN clients from SSH tunnels
 -A OUTPUT -d {{ subnets|join(',') }} -m owner --gid-owner 15000 -j {{ "DROP" if BetweenClients_DROP else "ACCEPT" }}
 # Drop traffic to the link-local network
 -A FORWARD -s {{ subnets|join(',') }} -d 169.254.0.0/16 -j DROP
 # Drop traffic to the link-local network from SSH tunnels
 -A OUTPUT -d 169.254.0.0/16 -m owner --gid-owner 15000 -j DROP
 # Forward any packet that's part of an established connection
 -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
--- a/roles/common/templates/rules.v6.j2
+++ b/roles/common/templates/rules.v6.j2
@ -87,6 +87,8 @@ COMMIT
 # Drop traffic between VPN clients
 -A FORWARD -s {{ subnets|join(',') }} -d {{ subnets|join(',') }} -j {{ "DROP" if BetweenClients_DROP else "ACCEPT" }}
 # Drop traffic to VPN clients from SSH tunnels
 -A OUTPUT -d {{ subnets|join(',') }} -m owner --gid-owner 15000 -j {{ "DROP" if BetweenClients_DROP else "ACCEPT" }}
 -A FORWARD -j ICMPV6-CHECK
 -A FORWARD -p tcp --dport 445 -j DROP
--- a/roles/ssh_tunneling/tasks/main.yml
+++ b/roles/ssh_tunneling/tasks/main.yml
@ -14,7 +14,10 @@
    - restart ssh
 - name: Ensure that the algo group exist
-  group: name=algo state=present
+  group:
    name: algo
    state: present
    gid: 15000
 - name: Ensure that the jail directory exist
  file:
@ -28,7 +31,7 @@
  - name: Ensure that the SSH users exist
    user:
      name: "{{ item }}"
-      groups: algo
+      group: algo
      home: '/var/jail/{{ item }}'
      createhome: yes
      generate_ssh_key: false