Merge branch 'master' into local_openssl_tasks

2025-09-04 19:13:04 +02:00 · 2017-01-22 23:18:48 +03:00 · 2017-01-22 23:18:48 +03:00 · a4113c9e88
commit a4113c9e88
parent 599fb6eeee 569df11088
12 changed files with 80 additions and 55 deletions
--- a/.travis.yml
+++ b/.travis.yml
@ -45,7 +45,7 @@ install:

 script:
  - ansible-playbook deploy.yml --syntax-check
-  - ansible-playbook deploy.yml -t local,vpn,dns,ssh_tunneling,security,tests -e "server_ip=$LXC_IP server_user=root IP_subject_alt_name=$LXC_IP local_dns=Y" --skip-tags apparmor
+  - ansible-playbook deploy.yml -t local,vpn,dns,ssh_tunneling,security,tests -e "server_ip=$LXC_IP server_user=root IP_subject_alt_name=$LXC_IP local_dns=Y"

 after_script:
-  - ./tests/update-users.sh
+  - ./tests/update-users.sh
--- a/README.md
+++ b/README.md
@ -33,7 +33,7 @@ The easiest way to get an Algo server running is to let it set up a _new_ virtua

 macOS: `sudo easy_install pip && sudo pip install --ignore-install -r requirements.txt`
 
- Linux (deb-based): `sudo easy_install pip && sudo apt-get update && sudo apt-get install build-essential libssl-dev libffi-dev python-dev && sudo pip install -r requirements.txt`
+ Linux (deb-based): `sudo apt-get update && sudo apt-get install python-pip build-essential libssl-dev libffi-dev python-dev -y && sudo pip install -r requirements.txt`

 Linux (rpm-based): See the [Pre-Install Documentation for RedHat/CentOS 6.x](docs/pre-install_redhat_centos_6.x.md)

@ -125,54 +125,7 @@ OpenVPN does not have out-of-the-box client support on any major desktop or mobi

 Alpine Linux is not supported out-of-the-box by any major cloud provider. We are interested in supporting Free-, Open-, and HardenedBSD. Follow along or contribute to our BSD support in [this issue](https://github.com/trailofbits/algo/issues/35).

-## Troubleshooting
-
-### Error: "You have not agreed to the Xcode license agreements"
-
-On macOS, did you try to install the dependencies with pip and encounter the following error?
-
-```
-Downloading cffi-1.9.1.tar.gz (407kB): 407kB downloaded
-  Running setup.py (path:/private/tmp/pip_build_root/cffi/setup.py) egg_info for package cffi
-
-You have not agreed to the Xcode license agreements, please run 'xcodebuild -license' (for user-level acceptance) or 'sudo xcodebuild -license' (for system-wide acceptance) from within a Terminal window to review and agree to the Xcode license agreements.
-
-    No working compiler found, or bogus compiler options
-    passed to the compiler from Python's distutils module.
-    See the error messages above.
-    (If they are about -mno-fused-madd and you are on OS/X 10.8,
-    see http://stackoverflow.com/questions/22313407/ .)
-
----------------------------------------
-Cleaning up...
-Command python setup.py egg_info failed with error code 1 in /private/tmp/pip_build_root/cffi
-Storing debug log for failure in /Users/algore/Library/Logs/pip.log
-```
-
-The Xcode compiler is installed but requires you to accept its license agreement prior to using it. Run `xcodebuild -license` to agree and then retry installing the dependencies.
-
-### Error: "fatal error: 'openssl/opensslv.h' file not found"
-
-On macOS, did you try to install pycrypto and encounter the following error?
-
-```
-build/temp.macosx-10.12-intel-2.7/_openssl.c:434:10: fatal error: 'openssl/opensslv.h' file not found
-
-#include <openssl/opensslv.h>
-
-        ^
-
-1 error generated.
-
-error: command 'cc' failed with exit status 1
-
----------------------------------------
-Cleaning up...
-Command /usr/bin/python -c "import setuptools, tokenize;__file__='/private/tmp/pip_build_root/cryptography/setup.py';exec(compile(getattr(tokenize, 'open', open)(__file__).read().replace('\r\n', '\n'), __file__, 'exec'))" install --record /tmp/pip-sREEE5-record/install-record.txt --single-version-externally-managed --compile failed with error code 1 in /private/tmp/pip_build_root/cryptography
-Storing debug log for failure in /Users/algore/Library/Logs/pip.log
-```
-
-You are running an old version of `pip` that cannot build the `pycrypto` dependency. Upgrade to a new version of `pip` by running `sudo pip install -U pip`.
+## [Troubleshooting](docs/Troubleshooting.md)

 ### Little Snitch is broken when connected to the VPN

--- a/ansible.cfg
+++ b/ansible.cfg
@ -3,7 +3,7 @@ inventory = inventory
 pipelining = True
 retry_files_enabled = False
 host_key_checking = False
-timeout = 30
+timeout = 60

 [paramiko_connection]
 record_host_keys = False
--- a/deploy.yml
+++ b/deploy.yml
@ -7,7 +7,7 @@
  pre_tasks:
    - name: Local pre-tasks
      include: playbooks/local.yml
-      tags: [ 'cloud' ]
+      tags: [ 'always' ]

  roles:
    - { role: cloud-digitalocean, tags: ['digitalocean'] }
--- a/docs/Troubleshooting.md
+++ b/docs/Troubleshooting.md
@ -0,0 +1,50 @@
+### Error: "You have not agreed to the Xcode license agreements"
+
+On macOS, did you try to install the dependencies with pip and encounter the following error?
+
+```
+Downloading cffi-1.9.1.tar.gz (407kB): 407kB downloaded
+  Running setup.py (path:/private/tmp/pip_build_root/cffi/setup.py) egg_info for package cffi
+
+You have not agreed to the Xcode license agreements, please run 'xcodebuild -license' (for user-level acceptance) or 'sudo xcodebuild -license' (for system-wide acceptance) from within a Terminal window to review and agree to the Xcode license agreements.
+
+    No working compiler found, or bogus compiler options
+    passed to the compiler from Python's distutils module.
+    See the error messages above.
+    (If they are about -mno-fused-madd and you are on OS/X 10.8,
+    see http://stackoverflow.com/questions/22313407/ .)
+
+----------------------------------------
+Cleaning up...
+Command python setup.py egg_info failed with error code 1 in /private/tmp/pip_build_root/cffi
+Storing debug log for failure in /Users/algore/Library/Logs/pip.log
+```
+
+The Xcode compiler is installed but requires you to accept its license agreement prior to using it. Run `xcodebuild -license` to agree and then retry installing the dependencies.
+
+### Error: "fatal error: 'openssl/opensslv.h' file not found"
+
+On macOS, did you try to install pycrypto and encounter the following error?
+
+```
+build/temp.macosx-10.12-intel-2.7/_openssl.c:434:10: fatal error: 'openssl/opensslv.h' file not found
+
+#include <openssl/opensslv.h>
+
+        ^
+
+1 error generated.
+
+error: command 'cc' failed with exit status 1
+
+----------------------------------------
+Cleaning up...
+Command /usr/bin/python -c "import setuptools, tokenize;__file__='/private/tmp/pip_build_root/cryptography/setup.py';exec(compile(getattr(tokenize, 'open', open)(__file__).read().replace('\r\n', '\n'), __file__, 'exec'))" install --record /tmp/pip-sREEE5-record/install-record.txt --single-version-externally-managed --compile failed with error code 1 in /private/tmp/pip_build_root/cryptography
+Storing debug log for failure in /Users/algore/Library/Logs/pip.log
+```
+
+You are running an old version of `pip` that cannot build the `pycrypto` dependency. Upgrade to a new version of `pip` by running `sudo pip install -U pip`.
+
+### Various parts of the internet appear to be offline through the VPN
+
+The issue may related to the MTU size, try to use `ping` with the don't fragment bit and various packet size in order to determine the MTU size for your network and set up this properly on the physical adapter.
--- a/playbooks/common.yml
+++ b/playbooks/common.yml
@ -5,3 +5,10 @@
  raw: sudo update-alternatives --install /usr/bin/python python /usr/bin/python2.7 1
  tags:
    - update-alternatives
+
+- name: Ensure the algo ssh key exist on the server
+  authorized_key:
+    user: "{{ ansible_ssh_user }}"
+    state: present
+    key: "{{ lookup('file', '{{ SSH_keys.public }}') }}"
+  tags: [ 'always' ]
--- a/requirements.txt
+++ b/requirements.txt
@ -1,4 +1,4 @@
-ansible>=2.1
+ansible>=2.1,<2.2.1
 dopy==0.3.5
 boto>=2.5
 boto3
@ -6,3 +6,4 @@ azure==2.0.0rc5
 apache-libcloud
 six
 pyopenssl
+jinja2==2.8
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@ -94,3 +94,12 @@
  sysctl: name=net.ipv6.conf.all.forwarding value=1
  tags:
    - always
+
+- name: Check apparmor support
+  shell: apparmor_status
+  ignore_errors: yes
+  register: apparmor_status
+
+- set_fact:
+    apparmor_enabled: true
+  when: '"profiles are in enforce mode" in apparmor_status.stdout'
--- a/roles/dns_adblocking/tasks/main.yml
+++ b/roles/dns_adblocking/tasks/main.yml
@ -6,6 +6,7 @@

 - name: Dnsmasq profile for apparmor configured
  template: src=usr.sbin.dnsmasq.j2 dest=/etc/apparmor.d/usr.sbin.dnsmasq owner=root group=root mode=0600
+  when: apparmor_enabled is defined and apparmor_enabled == true
  notify:
    - restart dnsmasq

@ -14,6 +15,7 @@

 - name: Enforce the dnsmasq AppArmor policy
  shell: aa-enforce usr.sbin.dnsmasq
+  when: apparmor_enabled is defined and apparmor_enabled == true
  tags: ['apparmor']

 - name: Ensure that the dnsmasq service directory exist
--- a/roles/proxy/tasks/main.yml
+++ b/roles/proxy/tasks/main.yml
@ -14,11 +14,13 @@

 - name: Privoxy profile for apparmor configured
  template: src=usr.sbin.privoxy.j2 dest=/etc/apparmor.d/usr.sbin.privoxy owner=root group=root mode=0600
+  when: apparmor_enabled is defined and apparmor_enabled == true
  notify:
    - restart privoxy

 - name: Enforce the privoxy AppArmor policy
  shell: aa-enforce usr.sbin.privoxy
+  when: apparmor_enabled is defined and apparmor_enabled == true
  tags: ['apparmor']

 - name: Ensure that the privoxy service directory exist
--- a/roles/vpn/tasks/main.yml
+++ b/roles/vpn/tasks/main.yml
@ -21,6 +21,7 @@

 - name: Enforcing ipsec with apparmor
  shell: aa-enforce "{{ item }}"
+  when: apparmor_enabled is defined and apparmor_enabled == true
  with_items:
    - /usr/lib/ipsec/charon
    - /usr/lib/ipsec/lookip
--- a/roles/vpn/templates/client_ipsec.conf.j2
+++ b/roles/vpn/templates/client_ipsec.conf.j2
@ -3,7 +3,7 @@ conn ikev2-{{ IP_subject_alt_name }}
    rekey=no
    dpdaction=clear
    keyexchange=ikev2
-    compress=yes
+    compress=no
    dpddelay=35s

 {% if Win10_Enabled is defined and Win10_Enabled == "Y" %}