From a2fdc509e16f90a40ef29a559ce0fdea8c9355d3 Mon Sep 17 00:00:00 2001 From: Jack Ivanov <17044561+jackivanov@users.noreply.github.com> Date: Thu, 30 May 2019 20:57:47 +0200 Subject: [PATCH] Support for Ubuntu 19.04 (#1405) * Ubuntu 19.04 * Azure to 19.04 --- .travis.yml | 111 ++++++++++-------- README.md | 8 +- config.cfg | 10 +- docs/cloud-do.md | 6 +- docs/deploy-to-ubuntu.md | 2 +- docs/deploy-to-unsupported-cloud.md | 2 +- docs/index.md | 2 +- input.yml | 2 +- .../files/apparmor.profile.dnscrypt-proxy | 2 +- roles/dns_encryption/tasks/ubuntu.yml | 3 +- roles/strongswan/tasks/ubuntu.yml | 29 +++-- tests/pre-deploy.sh | 2 +- 12 files changed, 103 insertions(+), 76 deletions(-) diff --git a/.travis.yml b/.travis.yml index e799b05..c730000 100644 --- a/.travis.yml +++ b/.travis.yml 
@@ -51,56 +51,73 @@ custom_scripts: - sudo env "PATH=$PATH" ./tests/ipsec-client.sh - sudo ./tests/ssh-tunnel.sh +stages: + - &tests-and-linters + stage: Tests + name: code checks and linters + addons: + apt: + packages: + - shellcheck + script: + - pip install ansible-lint + - shellcheck algo install.sh + - ansible-playbook main.yml --syntax-check + - ansible-lint -v *.yml + + - &deploy-local + stage: Deploy + name: local deployment from docker + addons: + apt: + sources: *default_sources + packages: *default_packages + before_install: *provisioning + before_script: + - docker build -t travis/algo . + - ./tests/local-deploy.sh + - ./tests/update-users.sh + script: *tests + + - &deploy-cloudinit + stage: Deploy + name: cloud-init deployment + addons: + apt: + sources: *default_sources + packages: *default_packages + env: DEPLOY=cloud-init + before_install: *provisioning + before_script: + - until sudo lxc exec algo -- test -f /var/log/cloud-init-output.log; do echo 'Log file not found, Sleep for 3 seconds'; sleep 3; done + - ( sudo lxc exec algo -- tail -f /var/log/cloud-init-output.log & ) + - | + until sudo lxc exec algo -- test -f /var/lib/cloud/data/result.json; do + echo 'Cloud init is not finished. Sleep for 30 seconds'; + sleep 30; + done + - sudo lxc exec algo -- test -f /opt/algo/configs/localhost/.config.yml + - sudo lxc exec algo -- tar zcf /root/algo-configs.tar -C /opt/algo/configs/ . 
+ - sudo lxc file pull algo/root/algo-configs.tar ./ + - sudo tar -C ./configs -zxf algo-configs.tar + script: *tests + matrix: fast_finish: true include: - - stage: Tests - name: code checks and linters - addons: - apt: - packages: - - shellcheck - script: - - pip install ansible-lint - - shellcheck algo install.sh - - ansible-playbook main.yml --syntax-check - - ansible-lint -v roles/*/*/*.yml playbooks/*.yml *.yml - - - stage: Deploy - name: local deployment from docker - addons: - apt: - sources: *default_sources - packages: *default_packages - env: DEPLOY=docker - before_install: *provisioning - before_script: - - docker build -t travis/algo . - - ./tests/local-deploy.sh - - ./tests/update-users.sh - script: *tests - - - stage: Deploy - name: cloud-init deployment - addons: - apt: - sources: *default_sources - packages: *default_packages - env: DEPLOY=cloud-init - before_install: *provisioning - before_script: - - until sudo lxc exec algo -- test -f /var/log/cloud-init-output.log; do echo 'Log file not found, Sleep for 3 seconds'; sleep 3; done - - ( sudo lxc exec algo -- tail -f /var/log/cloud-init-output.log & ) - - | - until sudo lxc exec algo -- test -f /var/lib/cloud/data/result.json; do - echo 'Cloud init is not finished. Sleep for 30 seconds'; - sleep 30; - done - - sudo lxc exec algo -- test -f /opt/algo/configs/localhost/.config.yml - - sudo lxc exec algo -- tar zcf /root/algo-configs.tar -C /opt/algo/configs/ . 
- - sudo lxc file pull algo/root/algo-configs.tar ./ - - sudo tar -C ./configs -zxf algo-configs.tar - script: *tests + - <<: *tests-and-linters + - <<: *deploy-local + name: 'Ubuntu 18.04: local deployment from docker' + env: DEPLOY=docker UBUNTU_VERSION=18.04 + - <<: *deploy-local + name: 'Ubuntu 19.04: local deployment from docker' + env: DEPLOY=docker UBUNTU_VERSION=19.04 + - <<: *deploy-cloudinit + name: 'Ubuntu 18.04: cloud-init deployment' + env: DEPLOY=cloud-init UBUNTU_VERSION=18.04 + - <<: *deploy-cloudinit + name: 'Ubuntu 19.04: cloud-init deployment' + env: DEPLOY=cloud-init UBUNTU_VERSION=19.04 notifications: email: false diff --git a/README.md b/README.md index 0b17b0b..d458055 100644 --- a/README.md +++ b/README.md @@ -14,7 +14,7 @@ Algo VPN is a set of Ansible scripts that simplify the setup of a personal IPSEC * Blocks ads with a local DNS resolver (optional) * Sets up limited SSH users for tunneling traffic (optional) * Based on current versions of Ubuntu and strongSwan -* Installs to DigitalOcean, Amazon Lightsail, Amazon EC2, Vultr, Microsoft Azure, Google Compute Engine, Scaleway, OpenStack, or your own Ubuntu 18.04 LTS server +* Installs to DigitalOcean, Amazon Lightsail, Amazon EC2, Vultr, Microsoft Azure, Google Compute Engine, Scaleway, OpenStack, or your own Ubuntu server ## Anti-features 
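Review bot: The linter job under the new `&tests-and-linters` anchor narrows its command from `ansible-lint -v roles/*/*/*.yml playbooks/*.yml *.yml` to `ansible-lint -v *.yml`, so role task files such as roles/strongswan/tasks/ubuntu.yml, which this same commit changes, are no longer handed to the linter directly and are only checked if main.yml pulls every role in statically. Keep the wider globs: `- ansible-lint -v roles/*/*/*.yml playbooks/*.yml *.yml`. Separately, the three job bodies are parked under the Travis `stages:` key solely so they can be anchored and merged into `matrix.include`; a comment above it such as `# Job templates only; stages: is used as an anchor holder, the real jobs are built in matrix.include` would stop the next reader from expecting stage ordering there.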
@@ -93,9 +93,9 @@ WireGuard is used to provide VPN services on Apple devices. Algo generates a Wir On iOS, install the [WireGuard](https://itunes.apple.com/us/app/wireguard/id1441195209?mt=8) app from the iOS App Store. Then, use the WireGuard app to scan the QR code or AirDrop the configuration file to the device. -On macOS Mojave or later, install the [WireGuard](https://itunes.apple.com/us/app/wireguard/id1451685025?mt=12) app from the Mac App Store. WireGuard will appear in the menu bar once you run the app. Click on the WireGuard icon, choose **Import tunnel(s) from file...**, then select the appropriate WireGuard configuration file. +On macOS Mojave or later, install the [WireGuard](https://itunes.apple.com/us/app/wireguard/id1451685025?mt=12) app from the Mac App Store. WireGuard will appear in the menu bar once you run the app. Click on the WireGuard icon, choose **Import tunnel(s) from file...**, then select the appropriate WireGuard configuration file. -On either iOS or macOS, you can enable "Connect on Demand" and/or exclude certain trusted Wi-Fi networks (such as your home or work) by editing the tunnel configuration in the WireGuard app. (Algo can't do this automatically for you.) +On either iOS or macOS, you can enable "Connect on Demand" and/or exclude certain trusted Wi-Fi networks (such as your home or work) by editing the tunnel configuration in the WireGuard app. (Algo can't do this automatically for you.) Installing WireGuard is a little more complicated on older version of macOS. See [Using macOS as a Client with WireGuard](docs/client-macos-wireguard.md). 
@@ -122,7 +122,7 @@ Network Manager does not support AES-GCM. In order to support Linux Desktop clie Install strongSwan, then copy the included ipsec_user.conf, ipsec_user.secrets, user.crt (user certificate), and user.key (private key) files to your client device. These will require customization based on your exact use case. These files were originally generated with a point-to-point OpenWRT-based VPN in mind. -#### Ubuntu Server 18.04 example +#### Ubuntu Server example 1. `sudo apt-get install strongswan libstrongswan-standard-plugins`: install strongSwan 2. `/etc/ipsec.d/certs`: copy `.crt` from `algo-master/configs//ipsec/manual/.crt` diff --git a/config.cfg b/config.cfg index 3b6745a..c4698ac 100644 --- a/config.cfg +++ b/config.cfg @@ -126,10 +126,10 @@ SSH_keys: cloud_providers: azure: size: Basic_A0 - image: 18.04-LTS + image: 19.04 digitalocean: size: s-1vcpu-1gb - image: "ubuntu-18-04-x64" + image: "ubuntu-19-04-x64" ec2: # Change the encrypted flag to "true" to enable AWS volume encryption, for encryption of data at rest. # Warning: the Algo script will take approximately 6 minutes longer to complete. @@ -139,11 +139,11 @@ cloud_providers: use_existing_eip: false size: t2.micro image: - name: "ubuntu-bionic-18.04" + name: "ubuntu-disco-19.04" owner: "099720109477" gce: size: f1-micro - image: ubuntu-1804 + image: ubuntu-1904 external_static_ip: false lightsail: size: nano_1_0 @@ -156,7 +156,7 @@ cloud_providers: flavor_ram: ">=512" image: Ubuntu-18.04 vultr: - os: Ubuntu 18.04 x64 + os: Ubuntu 19.04 x64 size: 1024 MB RAM,25 GB SSD,1.00 TB BW local: diff --git a/docs/cloud-do.md b/docs/cloud-do.md index c4230a9..3c6a0a5 100644 --- a/docs/cloud-do.md +++ b/docs/cloud-do.md @@ -34,8 +34,8 @@ What provider would you like to use? 6. Google Compute Engine 7. Scaleway 8. OpenStack (DreamCompute optimised) - 9. Install to existing Ubuntu 18.04 server (Advanced) - + 9. Install to existing Ubuntu server (Advanced) + Enter the number of your desired provider : 1 
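Review bot: In the first config.cfg hunk the Azure value `image: 19.04` is an unquoted scalar that YAML reads as the float 19.04, whereas the removed `18.04-LTS` was a string; it happens to stringify back to `19.04`, but a later bump to `19.10` would silently render as `19.1`. Quote it: `image: "19.04"`. The three hunks also move the DigitalOcean, EC2, GCE and Vultr defaults from 18.04 LTS images to the interim 19.04 release while the OpenStack entry just above vultr stays at `image: Ubuntu-18.04`, so the default deployment OS is now inconsistent across providers and, for most of them, a non-LTS release with a short security-update window. A comment at the top of `cloud_providers` stating the intended default release and that it is non-LTS, e.g. `# Default images track Ubuntu 19.04 (non-LTS, short support window); openstack still uses 18.04`, would make that choice explicit.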
@@ -68,7 +68,7 @@ What region should the server be located in? 7. sfo2 San Francisco 2 8. sgp1 Singapore 1 9. tor1 Toronto 1 - + Enter the number of your desired region [6] : diff --git a/docs/deploy-to-ubuntu.md b/docs/deploy-to-ubuntu.md index 29a54e6..794cf5f 100644 --- a/docs/deploy-to-ubuntu.md +++ b/docs/deploy-to-ubuntu.md @@ -4,7 +4,7 @@ You can use Algo to configure a local server as an AlgoVPN rather than create an Install the Algo scripts on your server and follow the normal installation instructions, then choose: ``` -Install to existing Ubuntu 18.04 server (Advanced) +Install to existing Ubuntu 18.04 or 19.04 server (Advanced) ``` Make sure your server is running the operating system specified. diff --git a/docs/deploy-to-unsupported-cloud.md b/docs/deploy-to-unsupported-cloud.md index 7fd176f..e6d03e8 100644 --- a/docs/deploy-to-unsupported-cloud.md +++ b/docs/deploy-to-unsupported-cloud.md @@ -2,7 +2,7 @@ Algo officially supports DigitalOcean, Amazon Web Services, Microsoft Azure, and Google Cloud Engine. If you want to deploy Algo on another virtual hosting provider, that provider must support: -1. the base operating system image that Algo uses (Ubuntu 18.04), and +1. the base operating system image that Algo uses (Ubuntu 18.04, 19.04), and 2. a minimum of certain kernel modules required for the strongSwan IPsec server. Please see the [Required Kernel Modules](https://wiki.strongswan.org/projects/strongswan/wiki/KernelModules) documentation from strongSwan for a list of the specific required modules and a script to check for them. As a first step, we recommend running their shell script to determine initial compatibility with your new hosting provider. diff --git a/docs/index.md b/docs/index.md index 0221405..118a655 100644 --- a/docs/index.md +++ b/docs/index.md 
@@ -22,7 +22,7 @@ - Configure [Vultr](cloud-vultr.md) * Advanced Deployment - Deploy to your own [FreeBSD](deploy-to-freebsd.md) server - - Deploy to your own [Ubuntu 18.04](deploy-to-ubuntu.md) server + - Deploy to your own [Ubuntu](deploy-to-ubuntu.md) server - Deploy to an [unsupported cloud provider](deploy-to-unsupported-cloud.md) * [FAQ](faq.md) * [Firewalls](firewalls.md) diff --git a/input.yml b/input.yml index fa4984b..659977a 100644 --- a/input.yml +++ b/input.yml @@ -20,7 +20,7 @@ - { name: Google Compute Engine, alias: gce } - { name: Scaleway, alias: scaleway} - { name: OpenStack (DreamCompute optimised), alias: openstack } - - { name: Install to existing Ubuntu 18.04 server (Advanced), alias: local } + - { name: Install to existing Ubuntu 18.04 or 19.04 server (Advanced), alias: local } vars_files: - config.cfg diff --git a/roles/dns_encryption/files/apparmor.profile.dnscrypt-proxy b/roles/dns_encryption/files/apparmor.profile.dnscrypt-proxy index c225868..51de03f 100644 --- a/roles/dns_encryption/files/apparmor.profile.dnscrypt-proxy +++ b/roles/dns_encryption/files/apparmor.profile.dnscrypt-proxy @@ -1,6 +1,6 @@ #include -/usr/bin/dnscrypt-proxy flags=(attach_disconnected) { +/usr/{s,}bin/dnscrypt-proxy flags=(attach_disconnected) { #include #include #include diff --git a/roles/dns_encryption/tasks/ubuntu.yml b/roles/dns_encryption/tasks/ubuntu.yml index 76f0e15..198da88 100644 --- a/roles/dns_encryption/tasks/ubuntu.yml +++ b/roles/dns_encryption/tasks/ubuntu.yml @@ -2,8 +2,9 @@ - name: Add the repository apt_repository: state: present - codename: bionic + codename: "{{ ansible_distribution_release }}" repo: ppa:shevchuk/dnscrypt-proxy + when: ansible_distribution_version is version_compare('19.04', '<') register: result until: result is succeeded retries: 10 diff --git a/roles/strongswan/tasks/ubuntu.yml b/roles/strongswan/tasks/ubuntu.yml index afaffa3..f85293e 100644 --- a/roles/strongswan/tasks/ubuntu.yml +++ b/roles/strongswan/tasks/ubuntu.yml 
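Review bot: The new attachment path `/usr/{s,}bin/dnscrypt-proxy` carries no comment explaining why the profile must now match two locations; presumably the PPA build installs the binary under /usr/bin and the Ubuntu 19.04 archive package under /usr/sbin — confirm against both packages. Because an AppArmor profile only confines the executable it attaches to, a path mismatch here leaves dnscrypt-proxy running unconfined without any error, so the reason belongs in the file: `# The PPA package ships /usr/bin/dnscrypt-proxy, the Ubuntu archive package /usr/sbin/dnscrypt-proxy; match both so the daemon is confined on every supported release.`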
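Review bot: The added `when: ansible_distribution_version is version_compare('19.04', '<')` uses `version_compare`, which Ansible renamed to `version` in 2.5 and keeps only as a deprecated alias; write it as `when: ansible_distribution_version is version('19.04', '<')`. The condition also deserves a why-comment, because nothing in the task says what replaces the PPA on 19.04 — presumably the dnscrypt-proxy package from the Ubuntu archive, which means the install task outside this hunk must now succeed without the repository being present. A line above the task such as `# The PPA is only needed before 19.04; later releases are expected to ship dnscrypt-proxy in the archive` would capture that.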
@@ -10,17 +10,26 @@ update_cache: yes install_recommends: yes -- name: Ubuntu | Enforcing ipsec with apparmor - command: aa-enforce "{{ item }}" +- block: + # https://bugs.launchpad.net/ubuntu/+source/strongswan/+bug/1826238 + - name: Ubuntu | Charon profile for apparmor configured + copy: + dest: /etc/apparmor.d/local/usr.lib.ipsec.charon + content: ' capability setpcap,' + owner: root + group: root + mode: 0644 + notify: restart strongswan + + - name: Ubuntu | Enforcing ipsec with apparmor + command: aa-enforce "{{ item }}" + changed_when: false + with_items: + - /usr/lib/ipsec/charon + - /usr/lib/ipsec/lookip + - /usr/lib/ipsec/stroke + tags: apparmor when: apparmor_enabled|default(false)|bool - changed_when: false - with_items: - - /usr/lib/ipsec/charon - - /usr/lib/ipsec/lookip - - /usr/lib/ipsec/stroke - notify: - - restart apparmor - tags: ['apparmor'] - name: Ubuntu | Enable services service: name={{ item }} enabled=yes diff --git a/tests/pre-deploy.sh b/tests/pre-deploy.sh index 764eb67..e56922d 100755 --- a/tests/pre-deploy.sh +++ b/tests/pre-deploy.sh @@ -19,7 +19,7 @@ systemctl restart lxd-bridge.service lxd-containers.service lxd.service lxc profile set default raw.lxc lxc.aa_profile=unconfined lxc profile set default security.privileged true lxc profile show default -lxc launch ubuntu:18.04 algo +lxc launch ubuntu:${UBUNTU_VERSION} algo ip addr
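Review bot: `mode: 0644` in the new copy task is an unquoted octal literal that PyYAML reads as the integer 420 and ansible-lint flags as a risky octal; quote it as `mode: '0644'`. The `capability setpcap,` override is written to /etc/apparmor.d/local/usr.lib.ipsec.charon on every Ubuntu release, although the linked bug 1826238 is about the strongswan shipped with 19.04, so charon on older releases gains CAP_SETPCAP too; if that widening is intended, say so in the comment next to the bug link, otherwise gate the copy task on the release the same way the dns_encryption role now does. The previous `notify: restart apparmor` is gone, so loading the new rule now apparently depends on the following `aa-enforce` run reloading the profile and on the `restart strongswan` handler, which is defined outside this hunk; a comment such as `# aa-enforce below reloads the profile, so no separate apparmor restart is needed` would make that dependency explicit.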