diff --git a/.travis.yml b/.travis.yml index 191ebfdd..904dbdbe 100644 --- a/.travis.yml +++ b/.travis.yml @@ -45,7 +45,7 @@ install: script: - ansible-playbook deploy.yml --syntax-check - - ansible-playbook deploy.yml -t local,vpn,dns,ssh_tunneling,security,tests -e "server_ip=$LXC_IP server_user=root IP_subject_alt_name=$LXC_IP local_dns=Y" --skip-tags apparmor + - ansible-playbook deploy.yml -t local,vpn,dns,ssh_tunneling,security,tests -e "server_ip=$LXC_IP server_user=root IP_subject_alt_name=$LXC_IP local_dns=Y" after_script: - - ./tests/update-users.sh + - ./tests/update-users.sh \ No newline at end of file diff --git a/README.md b/README.md index 41db6bcd..6689abca 100644 --- a/README.md +++ b/README.md @@ -33,7 +33,7 @@ The easiest way to get an Algo server running is to let it set up a _new_ virtua macOS: `sudo easy_install pip && sudo pip install --ignore-install -r requirements.txt` - Linux (deb-based): `sudo easy_install pip && sudo apt-get update && sudo apt-get install build-essential libssl-dev libffi-dev python-dev && sudo pip install -r requirements.txt` + Linux (deb-based): `sudo apt-get update && sudo apt-get install python-pip build-essential libssl-dev libffi-dev python-dev -y && sudo pip install -r requirements.txt` Linux (rpm-based): See the [Pre-Install Documentation for RedHat/CentOS 6.x](docs/pre-install_redhat_centos_6.x.md) 
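Review bot: Removing `--skip-tags apparmor` only exercises the AppArmor enforcement tasks if `apparmor_enabled` actually gets set inside the LXC guest; every consumer of that fact is now conditioned on it being defined, so on a guest without the AppArmor module those tasks skip quietly and this CI run proves no more than it did before. A single assertion under the existing `tests` tag, e.g. `assert: { that: apparmor_enabled is defined }` on a host where enforcement is expected, would turn the silent skip into a visible failure. The after_script change in the same hunk is whitespace only (missing newline at end of file).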
@@ -125,54 +125,7 @@ OpenVPN does not have out-of-the-box client support on any major desktop or mobi Alpine Linux is not supported out-of-the-box by any major cloud provider. We are interested in supporting Free-, Open-, and HardenedBSD. Follow along or contribute to our BSD support in [this issue](https://github.com/trailofbits/algo/issues/35). -## Troubleshooting - -### Error: "You have not agreed to the Xcode license agreements" - -On macOS, did you try to install the dependencies with pip and encounter the following error? - -``` -Downloading cffi-1.9.1.tar.gz (407kB): 407kB downloaded - Running setup.py (path:/private/tmp/pip_build_root/cffi/setup.py) egg_info for package cffi - -You have not agreed to the Xcode license agreements, please run 'xcodebuild -license' (for user-level acceptance) or 'sudo xcodebuild -license' (for system-wide acceptance) from within a Terminal window to review and agree to the Xcode license agreements. - - No working compiler found, or bogus compiler options - passed to the compiler from Python's distutils module. - See the error messages above. - (If they are about -mno-fused-madd and you are on OS/X 10.8, - see http://stackoverflow.com/questions/22313407/ .) - ----------------------------------------- -Cleaning up... -Command python setup.py egg_info failed with error code 1 in /private/tmp/pip_build_root/cffi -Storing debug log for failure in /Users/algore/Library/Logs/pip.log -``` - -The Xcode compiler is installed but requires you to accept its license agreement prior to using it. Run `xcodebuild -license` to agree and then retry installing the dependencies. - -### Error: "fatal error: 'openssl/opensslv.h' file not found" - -On macOS, did you try to install pycrypto and encounter the following error? - -``` -build/temp.macosx-10.12-intel-2.7/_openssl.c:434:10: fatal error: 'openssl/opensslv.h' file not found - -#include - - ^ - -1 error generated. 
- -error: command 'cc' failed with exit status 1 - ----------------------------------------- -Cleaning up... -Command /usr/bin/python -c "import setuptools, tokenize;__file__='/private/tmp/pip_build_root/cryptography/setup.py';exec(compile(getattr(tokenize, 'open', open)(__file__).read().replace('\r\n', '\n'), __file__, 'exec'))" install --record /tmp/pip-sREEE5-record/install-record.txt --single-version-externally-managed --compile failed with error code 1 in /private/tmp/pip_build_root/cryptography -Storing debug log for failure in /Users/algore/Library/Logs/pip.log -``` - -You are running an old version of `pip` that cannot build the `pycrypto` dependency. Upgrade to a new version of `pip` by running `sudo pip install -U pip`. +## [Troubleshooting](docs/Troubleshooting.md) ### Little Snitch is broken when connected to the VPN diff --git a/ansible.cfg b/ansible.cfg index e7173fa8..8c63b5ea 100644 --- a/ansible.cfg +++ b/ansible.cfg @@ -3,7 +3,7 @@ inventory = inventory pipelining = True retry_files_enabled = False host_key_checking = False -timeout = 30 +timeout = 60 [paramiko_connection] record_host_keys = False diff --git a/deploy.yml b/deploy.yml index 08303fb3..f396d9e7 100644 --- a/deploy.yml +++ b/deploy.yml @@ -7,7 +7,7 @@ pre_tasks: - name: Local pre-tasks include: playbooks/local.yml - tags: [ 'cloud' ] + tags: [ 'always' ] roles: - { role: cloud-digitalocean, tags: ['digitalocean'] } diff --git a/docs/Troubleshooting.md b/docs/Troubleshooting.md new file mode 100644 index 00000000..33faf5ab --- /dev/null +++ b/docs/Troubleshooting.md 
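Review bot: Changing the `playbooks/local.yml` include from `tags: [ 'cloud' ]` to `tags: [ 'always' ]` makes it run on every invocation, including tag-limited runs such as the CI `-t local,vpn,...`, and it can then only be skipped with an explicit `--skip-tags always`; nothing in the hunk records why that is required. A one-line comment above the include, `# always: local.yml prepares material (presumably the SSH keys that playbooks/common.yml installs) needed by every tag subset`, would stop the next editor from reverting it to `cloud`. The `roles:` list that follows starts in the hunk but continues outside it.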
@@ -0,0 +1,50 @@ +### Error: "You have not agreed to the Xcode license agreements" + +On macOS, did you try to install the dependencies with pip and encounter the following error? + +``` +Downloading cffi-1.9.1.tar.gz (407kB): 407kB downloaded + Running setup.py (path:/private/tmp/pip_build_root/cffi/setup.py) egg_info for package cffi + +You have not agreed to the Xcode license agreements, please run 'xcodebuild -license' (for user-level acceptance) or 'sudo xcodebuild -license' (for system-wide acceptance) from within a Terminal window to review and agree to the Xcode license agreements. + + No working compiler found, or bogus compiler options + passed to the compiler from Python's distutils module. + See the error messages above. + (If they are about -mno-fused-madd and you are on OS/X 10.8, + see http://stackoverflow.com/questions/22313407/ .) + +---------------------------------------- +Cleaning up... +Command python setup.py egg_info failed with error code 1 in /private/tmp/pip_build_root/cffi +Storing debug log for failure in /Users/algore/Library/Logs/pip.log +``` + +The Xcode compiler is installed but requires you to accept its license agreement prior to using it. Run `xcodebuild -license` to agree and then retry installing the dependencies. + +### Error: "fatal error: 'openssl/opensslv.h' file not found" + +On macOS, did you try to install pycrypto and encounter the following error? + +``` +build/temp.macosx-10.12-intel-2.7/_openssl.c:434:10: fatal error: 'openssl/opensslv.h' file not found + +#include + + ^ + +1 error generated. + +error: command 'cc' failed with exit status 1 + +---------------------------------------- +Cleaning up... 
+Command /usr/bin/python -c "import setuptools, tokenize;__file__='/private/tmp/pip_build_root/cryptography/setup.py';exec(compile(getattr(tokenize, 'open', open)(__file__).read().replace('\r\n', '\n'), __file__, 'exec'))" install --record /tmp/pip-sREEE5-record/install-record.txt --single-version-externally-managed --compile failed with error code 1 in /private/tmp/pip_build_root/cryptography +Storing debug log for failure in /Users/algore/Library/Logs/pip.log +``` + +You are running an old version of `pip` that cannot build the `pycrypto` dependency. Upgrade to a new version of `pip` by running `sudo pip install -U pip`. + +### Various parts of the internet appear to be offline through the VPN + +The issue may related to the MTU size, try to use `ping` with the don't fragment bit and various packet size in order to determine the MTU size for your network and set up this properly on the physical adapter. diff --git a/playbooks/common.yml b/playbooks/common.yml index 36a051c6..c195b13d 100644 --- a/playbooks/common.yml +++ b/playbooks/common.yml @@ -5,3 +5,10 @@ raw: sudo update-alternatives --install /usr/bin/python python /usr/bin/python2.7 1 tags: - update-alternatives + +- name: Ensure the algo ssh key exist on the server + authorized_key: + user: "{{ ansible_ssh_user }}" + state: present + key: "{{ lookup('file', '{{ SSH_keys.public }}') }}" + tags: [ 'always' ] diff --git a/requirements.txt b/requirements.txt index 706af7f2..dac22242 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,4 +1,4 @@ -ansible>=2.1 +ansible>=2.1,<2.2.1 dopy==0.3.5 boto>=2.5 boto3 @@ -6,3 +6,4 @@ azure==2.0.0rc5 apache-libcloud six pyopenssl +jinja2==2.8 diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index 79c7cfeb..1262d3fc 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml 
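Review bot: `key: "{{ lookup('file', '{{ SSH_keys.public }}') }}"` nests a Jinja expression inside a string that is already being templated; the idiomatic form is `key: "{{ lookup('file', SSH_keys.public) }}"`, which does not depend on recursive templating that later Ansible releases warn about. `ansible_ssh_user` has been deprecated in favour of `ansible_user` since Ansible 2.0, so with the `ansible>=2.1` floor in requirements.txt `user: "{{ ansible_user }}"` is the safer spelling, provided the inventory sets that variable. Because the task is tagged `always` and adds a key with `state: present` to the login user's authorized_keys on every run, a comment stating that it never removes other keys (the module default `exclusive: no`) would document the intent; `SSH_keys.public` is defined outside this hunk.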
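Review bot: `ansible>=2.1,<2.2.1` and `jinja2==2.8` introduce an upper bound and an exact pin with no comment saying what they work around, so nothing tells a later maintainer when they can be lifted, and for the tool that runs as root on the deployed servers an open-ended upper bound also excludes later patch releases that may carry fixes. A short comment on each line, e.g. `# <2.2.1: works around <issue placeholder>` and `# jinja2 2.8: required by <issue placeholder>`, records the reason. If the bound exists because a specific release regressed, pinning the known-good release explicitly with the same comment is clearer than a range that also excludes everything after it.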
@@ -94,3 +94,12 @@ sysctl: name=net.ipv6.conf.all.forwarding value=1 tags: - always + +- name: Check apparmor support + shell: apparmor_status + ignore_errors: yes + register: apparmor_status + +- set_fact: + apparmor_enabled: true + when: '"profiles are in enforce mode" in apparmor_status.stdout' diff --git a/roles/dns_adblocking/tasks/main.yml b/roles/dns_adblocking/tasks/main.yml index e3692bbf..bf589319 100644 --- a/roles/dns_adblocking/tasks/main.yml +++ b/roles/dns_adblocking/tasks/main.yml @@ -6,6 +6,7 @@ - name: Dnsmasq profile for apparmor configured template: src=usr.sbin.dnsmasq.j2 dest=/etc/apparmor.d/usr.sbin.dnsmasq owner=root group=root mode=0600 + when: apparmor_enabled is defined and apparmor_enabled == true notify: - restart dnsmasq @@ -14,6 +15,7 @@ - name: Enforce the dnsmasq AppArmor policy shell: aa-enforce usr.sbin.dnsmasq + when: apparmor_enabled is defined and apparmor_enabled == true tags: ['apparmor'] - name: Ensure that the dnsmasq service directory exist diff --git a/roles/proxy/tasks/main.yml b/roles/proxy/tasks/main.yml index 9117dfb7..0af30dfc 100644 --- a/roles/proxy/tasks/main.yml +++ b/roles/proxy/tasks/main.yml @@ -14,11 +14,13 @@ - name: Privoxy profile for apparmor configured template: src=usr.sbin.privoxy.j2 dest=/etc/apparmor.d/usr.sbin.privoxy owner=root group=root mode=0600 + when: apparmor_enabled is defined and apparmor_enabled == true notify: - restart privoxy - name: Enforce the privoxy AppArmor policy shell: aa-enforce usr.sbin.privoxy + when: apparmor_enabled is defined and apparmor_enabled == true tags: ['apparmor'] - name: Ensure that the privoxy service directory exist diff --git a/roles/vpn/tasks/main.yml b/roles/vpn/tasks/main.yml index e0a70c4a..16b0bf14 100644 --- a/roles/vpn/tasks/main.yml +++ b/roles/vpn/tasks/main.yml 
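Review bot: The two new tasks carry no tags while the sysctl task directly above them is tagged `always` and the roles in deploy.yml are invoked with tags, so a tag-limited run such as the CI `-t local,vpn,dns,...` never sets `apparmor_enabled`, and every consumer in roles/dns_adblocking, roles/proxy and roles/vpn is conditioned on it being defined and silently skips AppArmor enforcement. That turns confinement of dnsmasq, privoxy and charon into a best-effort step with no signal in the play output. `shell: apparmor_status` uses no shell features (`command:` suffices), `ignore_errors: yes` still prints the task as failed when the binary exits non-zero and is better expressed as `failed_when: false` plus `changed_when: false` so the probe reports no change, the `set_fact` task has no name, and `apparmor_status.stdout` needs a `default('')` guard because a missing binary yields a result without `stdout`. The string test matches the counts line that `apparmor_status` prints whenever the module is loaded, which is adequate for deciding whether `aa-enforce` can work but is worth stating in a comment. The enclosing task list continues outside the hunk; suggested rewrite below.
```yaml
- name: Check apparmor support
  # apparmor_status prints the profile counts whenever the AppArmor module is
  # loaded, so the string test below amounts to "module loaded"; the binary
  # may be absent, hence the default('') guard on stdout.
  command: apparmor_status
  register: apparmor_status
  changed_when: false
  failed_when: false
  tags: ['always']

- name: Record whether AppArmor profiles can be enforced
  set_fact:
    apparmor_enabled: true
  when: '"profiles are in enforce mode" in (apparmor_status.stdout | default(""))'
  tags: ['always']
```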
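Review bot: `when: apparmor_enabled is defined and apparmor_enabled == true` is repeated verbatim here, in the second hunk of this file, in roles/proxy/tasks/main.yml and in roles/vpn/tasks/main.yml; `when: apparmor_enabled | default(false)` expresses the same gate in one expression and treats the fact as a boolean rather than comparing it to a literal. The gate also means a host where detection fails keeps running dnsmasq, privoxy and charon unconfined without any message, so a `debug` task (or an `assert` under the `tests` tag) that fires when the fact is undefined would make the degraded state visible. Both gated tasks in this file sit inside a task list that starts and ends outside the hunks.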
@@ -21,6 +21,7 @@ - name: Enforcing ipsec with apparmor shell: aa-enforce "{{ item }}" + when: apparmor_enabled is defined and apparmor_enabled == true with_items: - /usr/lib/ipsec/charon - /usr/lib/ipsec/lookip diff --git a/roles/vpn/templates/client_ipsec.conf.j2 b/roles/vpn/templates/client_ipsec.conf.j2 index 32a71f79..ffdbcc89 100644 --- a/roles/vpn/templates/client_ipsec.conf.j2 +++ b/roles/vpn/templates/client_ipsec.conf.j2 @@ -3,7 +3,7 @@ conn ikev2-{{ IP_subject_alt_name }} rekey=no dpdaction=clear keyexchange=ikev2 - compress=yes + compress=no dpddelay=35s {% if Win10_Enabled is defined and Win10_Enabled == "Y" %}