From 38914fb8271eb3cb8de57316ac2008ff2709415c Mon Sep 17 00:00:00 2001
From: Tonimir Kisasondi
Date: Fri, 13 Jan 2017 03:14:05 +0100
Subject: [PATCH 1/9] Updated README.md (#214)

Just added -y to apt-get so it doesn't prompt for prerequisites install.
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 41db6bcd..f1bdebcd 100644
--- a/README.md
+++ b/README.md
@@ -33,7 +33,7 @@ The easiest way to get an Algo server running is to let it set up a _new_ virtua
 macOS: `sudo easy_install pip && sudo pip install --ignore-install -r requirements.txt`
- Linux (deb-based): `sudo easy_install pip && sudo apt-get update && sudo apt-get install build-essential libssl-dev libffi-dev python-dev && sudo pip install -r requirements.txt`
+ Linux (deb-based): `sudo easy_install pip && sudo apt-get update && sudo apt-get install build-essential libssl-dev libffi-dev python-dev -y && sudo pip install -r requirements.txt`
 Linux (rpm-based): See the [Pre-Install Documentation for RedHat/CentOS 6.x](docs/pre-install_redhat_centos_6.x.md)

From d23c952a4e67d247799e2a56bf44ab71735dba83 Mon Sep 17 00:00:00 2001
From: Jack Ivanov
Date: Sat, 14 Jan 2017 19:37:47 +0300
Subject: [PATCH 2/9] Add the algo ssh key to any server (prevent fails when a user wants to update-users on a server deployed by algo but not with the algo ssh key)

---
 deploy.yml | 2 +-
 playbooks/common.yml | 7 +++++++
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/deploy.yml b/deploy.yml
index 649481e3..7b7e9ef3 100644
--- a/deploy.yml
+++ b/deploy.yml
@@ -7,7 +7,7 @@ pre_tasks:
 - name: Local pre-tasks
 include: playbooks/local.yml
- tags: [ 'cloud' ]
+ tags: [ 'always' ]
 roles:
 - { role: cloud-digitalocean, tags: ['digitalocean'] }
diff --git a/playbooks/common.yml b/playbooks/common.yml
index 36a051c6..c195b13d 100644
--- a/playbooks/common.yml
+++ b/playbooks/common.yml
@@ -5,3 +5,10 @@
 raw: sudo update-alternatives --install /usr/bin/python python /usr/bin/python2.7 1
 tags:
 - update-alternatives
+
+- name: Ensure the algo ssh key exist on the server
+ authorized_key:
+ user: "{{ ansible_ssh_user }}"
+ state: present
+ key: "{{ lookup('file', '{{ SSH_keys.public }}') }}"
+ tags: [ 'always' ]

From c84abee047d8c525b729cc67812b64668b52c590 Mon Sep 17 00:00:00 2001
From: Jack Ivanov
Date: Sat, 14 Jan 2017 19:38:03 +0300
Subject: [PATCH 3/9] increase timeouts

---
 ansible.cfg | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ansible.cfg b/ansible.cfg
index e7173fa8..8c63b5ea 100644
--- a/ansible.cfg
+++ b/ansible.cfg
@@ -3,7 +3,7 @@ inventory = inventory
 pipelining = True
 retry_files_enabled = False
 host_key_checking = False
-timeout = 30
+timeout = 60
 [paramiko_connection]
 record_host_keys = False

From 3e852caf041b0b36b21d9cc7d49007ad0cbd1fb3 Mon Sep 17 00:00:00 2001
From: Jack Ivanov
Date: Sat, 14 Jan 2017 19:56:23 +0300
Subject: [PATCH 4/9] disable compression #146

---
 roles/vpn/templates/client_ipsec.conf.j2 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/roles/vpn/templates/client_ipsec.conf.j2 b/roles/vpn/templates/client_ipsec.conf.j2
index 32a71f79..ffdbcc89 100644
--- a/roles/vpn/templates/client_ipsec.conf.j2
+++ b/roles/vpn/templates/client_ipsec.conf.j2
@@ -3,7 +3,7 @@ conn ikev2-{{ IP_subject_alt_name }}
 rekey=no
 dpdaction=clear
 keyexchange=ikev2
- compress=yes
+ compress=no
 dpddelay=35s
 {% if Win10_Enabled is defined and Win10_Enabled == "Y" %}

From ea4e82d66d22cdc4aa3eddd2d5b23a4928c280e3 Mon Sep 17 00:00:00 2001
From: Jack Ivanov
Date: Sat, 14 Jan 2017 20:07:52 +0300
Subject: [PATCH 5/9] move troubleshooting from the landing readme page

---
 README.md | 49 +----------------------------------------
 docs/Troubleshooting.md | 46 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 47 insertions(+), 48 deletions(-)
 create mode 100644 docs/Troubleshooting.md
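Review bot: The `key:` value nests a moustache inside a lookup, `lookup('file', '{{ SSH_keys.public }}')`, which only works because the lookup argument happens to be templated a second time; the plain expression `key: "{{ lookup('file', SSH_keys.public) }}"` is the usual form and the one linters accept. Because the task is tagged `always`, it writes the algo public key into the connecting user's `authorized_keys` on every playbook invocation against every host, including hosts that were not deployed with that key; the commit message explains why, but the task does not, so a line such as `# Installs the algo public key for the connecting user on every run, so later update-users runs can reach hosts deployed without it` above the `- name:` would preserve that for whoever audits who can log in. `ansible_ssh_user` is the pre-2.0 variable name; `ansible_user` is the current one, if the project's minimum Ansible version allows it.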
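Review bot: The template gives no reason for `compress=no`, so a later reader sees only a toggle that was once `yes`; a `# compression disabled, see #146` comment line above it inside the conn stanza would keep the rationale next to the setting. Turning compression off is also the conservative choice for a VPN, since compressing plaintext before encrypting it is what makes compression-oracle side channels possible, and that is worth stating in the same comment. The conn stanza begins before the hunk.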
diff --git a/README.md b/README.md
index f1bdebcd..fdae5875 100644
--- a/README.md
+++ b/README.md
@@ -125,54 +125,7 @@ OpenVPN does not have out-of-the-box client support on any major desktop or mobi
 Alpine Linux is not supported out-of-the-box by any major cloud provider.
 We are interested in supporting Free-, Open-, and HardenedBSD. Follow along or contribute to our BSD support in [this issue](https://github.com/trailofbits/algo/issues/35).
-## Troubleshooting
-
-### Error: "You have not agreed to the Xcode license agreements"
-
-On macOS, did you try to install the dependencies with pip and encounter the following error?
-
-```
-Downloading cffi-1.9.1.tar.gz (407kB): 407kB downloaded
- Running setup.py (path:/private/tmp/pip_build_root/cffi/setup.py) egg_info for package cffi
-
-You have not agreed to the Xcode license agreements, please run 'xcodebuild -license' (for user-level acceptance) or 'sudo xcodebuild -license' (for system-wide acceptance) from within a Terminal window to review and agree to the Xcode license agreements.
-
- No working compiler found, or bogus compiler options
- passed to the compiler from Python's distutils module.
- See the error messages above.
- (If they are about -mno-fused-madd and you are on OS/X 10.8,
- see http://stackoverflow.com/questions/22313407/ .)
-
-----------------------------------------
-Cleaning up...
-Command python setup.py egg_info failed with error code 1 in /private/tmp/pip_build_root/cffi
-Storing debug log for failure in /Users/algore/Library/Logs/pip.log
-```
-
-The Xcode compiler is installed but requires you to accept its license agreement prior to using it. Run `xcodebuild -license` to agree and then retry installing the dependencies.
-
-### Error: "fatal error: 'openssl/opensslv.h' file not found"
-
-On macOS, did you try to install pycrypto and encounter the following error?
-
-```
-build/temp.macosx-10.12-intel-2.7/_openssl.c:434:10: fatal error: 'openssl/opensslv.h' file not found
-
-#include
-
- ^
-
-1 error generated.
-
-error: command 'cc' failed with exit status 1
-
-----------------------------------------
-Cleaning up...
-Command /usr/bin/python -c "import setuptools, tokenize;__file__='/private/tmp/pip_build_root/cryptography/setup.py';exec(compile(getattr(tokenize, 'open', open)(__file__).read().replace('\r\n', '\n'), __file__, 'exec'))" install --record /tmp/pip-sREEE5-record/install-record.txt --single-version-externally-managed --compile failed with error code 1 in /private/tmp/pip_build_root/cryptography
-Storing debug log for failure in /Users/algore/Library/Logs/pip.log
-```
-
-You are running an old version of `pip` that cannot build the `pycrypto` dependency. Upgrade to a new version of `pip` by running `sudo pip install -U pip`.
+## [Troubleshooting](docs/Troubleshooting.md)
 ### Little Snitch is broken when connected to the VPN
diff --git a/docs/Troubleshooting.md b/docs/Troubleshooting.md
new file mode 100644
index 00000000..2d82ba11
--- /dev/null
+++ b/docs/Troubleshooting.md
@@ -0,0 +1,46 @@
+### Error: "You have not agreed to the Xcode license agreements"
+
+On macOS, did you try to install the dependencies with pip and encounter the following error?
+
+```
+Downloading cffi-1.9.1.tar.gz (407kB): 407kB downloaded
+ Running setup.py (path:/private/tmp/pip_build_root/cffi/setup.py) egg_info for package cffi
+
+You have not agreed to the Xcode license agreements, please run 'xcodebuild -license' (for user-level acceptance) or 'sudo xcodebuild -license' (for system-wide acceptance) from within a Terminal window to review and agree to the Xcode license agreements.
+
+ No working compiler found, or bogus compiler options
+ passed to the compiler from Python's distutils module.
+ See the error messages above.
+ (If they are about -mno-fused-madd and you are on OS/X 10.8,
+ see http://stackoverflow.com/questions/22313407/ .)
+
+----------------------------------------
+Cleaning up...
+Command python setup.py egg_info failed with error code 1 in /private/tmp/pip_build_root/cffi
+Storing debug log for failure in /Users/algore/Library/Logs/pip.log
+```
+
+The Xcode compiler is installed but requires you to accept its license agreement prior to using it. Run `xcodebuild -license` to agree and then retry installing the dependencies.
+
+### Error: "fatal error: 'openssl/opensslv.h' file not found"
+
+On macOS, did you try to install pycrypto and encounter the following error?
+
+```
+build/temp.macosx-10.12-intel-2.7/_openssl.c:434:10: fatal error: 'openssl/opensslv.h' file not found
+
+#include
+
+ ^
+
+1 error generated.
+
+error: command 'cc' failed with exit status 1
+
+----------------------------------------
+Cleaning up...
+Command /usr/bin/python -c "import setuptools, tokenize;__file__='/private/tmp/pip_build_root/cryptography/setup.py';exec(compile(getattr(tokenize, 'open', open)(__file__).read().replace('\r\n', '\n'), __file__, 'exec'))" install --record /tmp/pip-sREEE5-record/install-record.txt --single-version-externally-managed --compile failed with error code 1 in /private/tmp/pip_build_root/cryptography
+Storing debug log for failure in /Users/algore/Library/Logs/pip.log
+```
+
+You are running an old version of `pip` that cannot build the `pycrypto` dependency. Upgrade to a new version of `pip` by running `sudo pip install -U pip`.

From 1681b98eb2109716c6b1bdfb7d1b1dd140c263bf Mon Sep 17 00:00:00 2001
From: Jack Ivanov
Date: Sat, 14 Jan 2017 20:27:18 +0300
Subject: [PATCH 6/9] update the troubleshooting page #146

---
 docs/Troubleshooting.md | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/docs/Troubleshooting.md b/docs/Troubleshooting.md
index 2d82ba11..33faf5ab 100644
--- a/docs/Troubleshooting.md
+++ b/docs/Troubleshooting.md
@@ -44,3 +44,7 @@ Storing debug log for failure in /Users/algore/Library/Logs/pip.log
 ```
 You are running an old version of `pip` that cannot build the `pycrypto` dependency. Upgrade to a new version of `pip` by running `sudo pip install -U pip`.
+
+### Various parts of the internet appear to be offline through the VPN
+
+The issue may related to the MTU size, try to use `ping` with the don't fragment bit and various packet size in order to determine the MTU size for your network and set up this properly on the physical adapter.

From 2798f84d3fdbaf8289ebbe9ec384a266d8ad4b1d Mon Sep 17 00:00:00 2001
From: Jack Ivanov
Date: Mon, 16 Jan 2017 00:17:47 +0300
Subject: [PATCH 7/9] ensure that apparmor is supported by the kernel #215

---
 .travis.yml | 2 +-
 roles/common/tasks/main.yml | 9 +++++++++
 roles/dns_adblocking/tasks/main.yml | 2 ++
 roles/proxy/tasks/main.yml | 2 ++
 roles/vpn/tasks/main.yml | 1 +
 5 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/.travis.yml b/.travis.yml
index b3cde5ea..76d8bb2c 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -45,4 +45,4 @@ install:
 script:
 - ansible-playbook deploy.yml --syntax-check
- - ansible-playbook deploy.yml -t local,vpn,dns,ssh_tunneling,security -e "server_ip=$LXC_IP server_user=root IP_subject_alt_name=$LXC_IP local_dns=Y" --skip-tags apparmor
+ - ansible-playbook deploy.yml -t local,vpn,dns,ssh_tunneling,security -e "server_ip=$LXC_IP server_user=root IP_subject_alt_name=$LXC_IP local_dns=Y"
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index 79c7cfeb..1262d3fc 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -94,3 +94,12 @@
 sysctl: name=net.ipv6.conf.all.forwarding value=1
 tags:
 - always
+
+- name: Check apparmor support
+ shell: apparmor_status
+ ignore_errors: yes
+ register: apparmor_status
+
+- set_fact:
+ apparmor_enabled: true
+ when: '"profiles are in enforce mode" in apparmor_status.stdout'
diff --git a/roles/dns_adblocking/tasks/main.yml b/roles/dns_adblocking/tasks/main.yml
index e3692bbf..bf589319 100644
--- a/roles/dns_adblocking/tasks/main.yml
+++ b/roles/dns_adblocking/tasks/main.yml
@@ -6,6 +6,7 @@
 - name: Dnsmasq profile for apparmor configured
 template: src=usr.sbin.dnsmasq.j2 dest=/etc/apparmor.d/usr.sbin.dnsmasq owner=root group=root mode=0600
+ when: apparmor_enabled is defined and apparmor_enabled == true
 notify:
 - restart dnsmasq
@@ -14,6 +15,7 @@
 - name: Enforce the dnsmasq AppArmor policy
 shell: aa-enforce usr.sbin.dnsmasq
+ when: apparmor_enabled is defined and apparmor_enabled == true
 tags: ['apparmor']
 - name: Ensure that the dnsmasq service directory exist
diff --git a/roles/proxy/tasks/main.yml b/roles/proxy/tasks/main.yml
index 9117dfb7..0af30dfc 100644
--- a/roles/proxy/tasks/main.yml
+++ b/roles/proxy/tasks/main.yml
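Review bot: Neither of the two new tasks carries a tag, while the task directly above them is tagged `always` and the `.travis.yml` change in this same patch runs the playbook with `-t local,vpn,dns,ssh_tunneling,security`; in a tag-restricted run untagged tasks are skipped, so `apparmor_enabled` is never set and the `apparmor_enabled is defined` guards in the dns_adblocking, proxy and vpn hunks skip AppArmor enforcement even on hosts that support it (unless the common role's own tag is in that list, which I cannot see from here). Both tasks need `tags: [ 'always' ]`. Setting the fact unconditionally to the result of the substring test, rather than only when it is true, lets consumers write `when: apparmor_enabled | bool` instead of testing definedness, and `failed_when: false` with `changed_when: false` reads better than `ignore_errors: yes` for a probe that is expected to fail where `apparmor_status` is absent. The `default('')` below covers the case where the probe produced no stdout at all.
```yaml
- name: Check apparmor support
  shell: apparmor_status
  failed_when: false
  changed_when: false
  register: apparmor_status
  tags: [ 'always' ]

- set_fact:
    apparmor_enabled: "{{ 'profiles are in enforce mode' in (apparmor_status.stdout | default('')) }}"
  tags: [ 'always' ]
```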
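Review bot: `when: apparmor_enabled is defined and apparmor_enabled == true` is written out on both tasks here and repeated in the proxy and vpn hunks; `when: apparmor_enabled | default(false) | bool` says the same in one clause and does not depend on the fact being a native boolean. When the guard is false the dnsmasq profile is neither installed nor enforced and the service runs unconfined with nothing in the play output to say so (likewise privoxy and the charon binaries in the other hunks); a `debug:` task under the inverse condition with a message such as `AppArmor not active on this host, dnsmasq will run unconfined` would make the degraded state visible to the operator. The enforce task is additionally tagged `apparmor` while the template task that installs the profile is not, so a `--skip-tags apparmor` run installs the profile file but never enforces it; giving both tasks the same tag keeps them together. Both tasks sit in a list that continues outside the hunks.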
@@ -14,11 +14,13 @@
 - name: Privoxy profile for apparmor configured
 template: src=usr.sbin.privoxy.j2 dest=/etc/apparmor.d/usr.sbin.privoxy owner=root group=root mode=0600
+ when: apparmor_enabled is defined and apparmor_enabled == true
 notify:
 - restart privoxy
 - name: Enforce the privoxy AppArmor policy
 shell: aa-enforce usr.sbin.privoxy
+ when: apparmor_enabled is defined and apparmor_enabled == true
 tags: ['apparmor']
 - name: Ensure that the privoxy service directory exist
diff --git a/roles/vpn/tasks/main.yml b/roles/vpn/tasks/main.yml
index 0ec3a180..1770ac54 100644
--- a/roles/vpn/tasks/main.yml
+++ b/roles/vpn/tasks/main.yml
@@ -15,6 +15,7 @@
 - name: Enforcing ipsec with apparmor
 shell: aa-enforce "{{ item }}"
+ when: apparmor_enabled is defined and apparmor_enabled == true
 with_items:
 - /usr/lib/ipsec/charon
 - /usr/lib/ipsec/lookip

From 2027d23c5511ae8d9c991d9232146fd5f652aa4f Mon Sep 17 00:00:00 2001
From: Jack Ivanov
Date: Sun, 22 Jan 2017 22:56:17 +0300
Subject: [PATCH 8/9] Update README.md

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index fdae5875..6689abca 100644
--- a/README.md
+++ b/README.md
@@ -33,7 +33,7 @@ The easiest way to get an Algo server running is to let it set up a _new_ virtua
 macOS: `sudo easy_install pip && sudo pip install --ignore-install -r requirements.txt`
- Linux (deb-based): `sudo easy_install pip && sudo apt-get update && sudo apt-get install build-essential libssl-dev libffi-dev python-dev -y && sudo pip install -r requirements.txt`
+ Linux (deb-based): `sudo apt-get update && sudo apt-get install python-pip build-essential libssl-dev libffi-dev python-dev -y && sudo pip install -r requirements.txt`
 Linux (rpm-based): See the [Pre-Install Documentation for RedHat/CentOS 6.x](docs/pre-install_redhat_centos_6.x.md)

From 569df11088e9f2598400fb03076b825ab80ab73b Mon Sep 17 00:00:00 2001
From: Jack Ivanov
Date: Sun, 22 Jan 2017 23:06:32 +0300
Subject: [PATCH 9/9] Prevent ansible and Jinja2 from updates #220 (#221)

---
 requirements.txt | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/requirements.txt b/requirements.txt
index 706af7f2..dac22242 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,4 +1,4 @@
-ansible>=2.1
+ansible>=2.1,<2.2.1
 dopy==0.3.5
 boto>=2.5
 boto3
@@ -6,3 +6,4 @@ azure==2.0.0rc5
 apache-libcloud
 six
 pyopenssl
+jinja2==2.8
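Review bot: `ansible>=2.1,<2.2.1` adds an upper bound with no note in the file about why; pip requirements accept `#` comments, so `# capped below 2.2.1 pending #220` on the line above would keep the reason next to the pin. The cap also excludes every later 2.2.x release together with any security fixes those carry, so it deserves a tracked issue to lift it, and the 2.2.1 changelog is worth checking for such fixes before excluding that release specifically. The same applies to `jinja2==2.8` in the second hunk. The remaining entries (`boto3`, `six`, `pyopenssl`, `apache-libcloud`) stay unbounded, so the file still does not give reproducible installs; if that is the goal, pin every entry and consider pip's hash-checking mode.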