wallenstein/algo
1
0
Fork 0
mirror of https://github.com/trailofbits/algo.git synced 2025-06-06 15:13:56 +02:00
Code Issues Projects Releases Wiki Activity

Ubuntu 20.04 support (#1782)

Browse source 
* ubuntu 20.04 support

* purge snapd for 20.04

* strongswan-starter fix
This commit is contained in:
Jack Ivanov 2020-05-10 13:48:30 +03:00 committed by GitHub
parent 7695372e2b
commit c14ff0d611
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
11 changed files with 60 additions and 35 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
.github/workflows/main.yml vendored
View file

@ -29,7 +29,7 @@ jobs:
runs-on: ubuntu-16.04 runs-on: ubuntu-16.04
strategy: strategy:
matrix: matrix:
UBUNTU_VERSION: ["18.04", "19.10"] UBUNTU_VERSION: ["18.04", "20.04"]
steps: steps:
- uses: actions/checkout@v1 - uses: actions/checkout@v1
- uses: actions/setup-python@v1 - uses: actions/setup-python@v1
@ -98,7 +98,7 @@ jobs:
runs-on: ubuntu-16.04 runs-on: ubuntu-16.04
strategy: strategy:
matrix: matrix:
UBUNTU_VERSION: ["18.04", "19.10"] UBUNTU_VERSION: ["18.04", "20.04"]
steps: steps:
- uses: actions/checkout@v1 - uses: actions/checkout@v1
- uses: actions/setup-python@v1 - uses: actions/setup-python@v1

20
config.cfg
View file

@ -156,10 +156,14 @@ SSH_keys:
cloud_providers: cloud_providers:
azure: azure:
size: Standard_B1S size: Standard_B1S
image: 19.10-DAILY image:
publisher: Canonical
offer: 0001-com-ubuntu-server-focal-daily
sku: 20_04-daily-lts
version: latest
digitalocean: digitalocean:
size: s-1vcpu-1gb size: s-1vcpu-1gb
image: "ubuntu-19-10-x64" image: "ubuntu-20-04-x64"
ec2: ec2:
# Change the encrypted flag to "false" to disable AWS volume encryption. # Change the encrypted flag to "false" to disable AWS volume encryption.
encrypted: true encrypted: true
@ -168,31 +172,31 @@ cloud_providers:
use_existing_eip: false use_existing_eip: false
size: t2.micro size: t2.micro
image: image:
name: "ubuntu-eoan-19.10" name: "ubuntu-focal-20.04"
owner: "099720109477" owner: "099720109477"
gce: gce:
size: f1-micro size: f1-micro
image: ubuntu-1910 image: ubuntu-2004-lts
external_static_ip: false external_static_ip: false
lightsail: lightsail:
size: nano_1_0 size: nano_1_0
image: ubuntu_18_04 image: ubuntu_18_04
scaleway: scaleway:
size: DEV1-S size: DEV1-S
image: Ubuntu Bionic Beaver image: Ubuntu 20.04 Focal Fossa
arch: x86_64 arch: x86_64
hetzner: hetzner:
server_type: cx11 server_type: cx11
image: ubuntu-18.04 image: ubuntu-20.04
openstack: openstack:
flavor_ram: ">=512" flavor_ram: ">=512"
image: Ubuntu-18.04 image: Ubuntu-18.04
cloudstack: cloudstack:
size: Micro size: Micro
image: Linux Ubuntu 19.10 64-bit image: Linux Ubuntu 20.04 LTS 64-bit
disk: 10 disk: 10
vultr: vultr:
os: Ubuntu 19.10 x64 os: Ubuntu 20.04 x64
size: 1024 MB RAM,25 GB SSD,1.00 TB BW size: 1024 MB RAM,25 GB SSD,1.00 TB BW
local: local:

2
docs/deploy-to-ubuntu.md
View file

@ -4,7 +4,7 @@ You can use Algo to configure a pre-existing server as an AlgoVPN rather than us
To perform a local installation, install the Algo scripts following the normal installation instructions, then choose: To perform a local installation, install the Algo scripts following the normal installation instructions, then choose:
``` ```
Install to existing Ubuntu 18.04 or 19.10 server (for more advanced users) Install to existing Ubuntu 18.04 or 20.04 server (for more advanced users)
``` ```
Make sure your target server is running an unmodified copy of the operating system version specified. The target can be the same system where you've installed the Algo scripts, or a remote system that you are able to access as root via SSH without needing to enter the SSH key passphrase (such as when using `ssh-agent`). Make sure your target server is running an unmodified copy of the operating system version specified. The target can be the same system where you've installed the Algo scripts, or a remote system that you are able to access as root via SSH without needing to enter the SSH key passphrase (such as when using `ssh-agent`).

2
docs/deploy-to-unsupported-cloud.md
View file

@ -2,7 +2,7 @@
Algo officially supports the [cloud providers listed here](https://github.com/trailofbits/algo/blob/master/README.md#deploy-the-algo-server). If you want to deploy Algo on another virtual hosting provider, that provider must support: Algo officially supports the [cloud providers listed here](https://github.com/trailofbits/algo/blob/master/README.md#deploy-the-algo-server). If you want to deploy Algo on another virtual hosting provider, that provider must support:
1. the base operating system image that Algo uses (Ubuntu 18.04 or 19.10), and 1. the base operating system image that Algo uses (Ubuntu 18.04 or 20.04), and
2. a minimum of certain kernel modules required for the strongSwan IPsec server. 2. a minimum of certain kernel modules required for the strongSwan IPsec server.
Please see the [Required Kernel Modules](https://wiki.strongswan.org/projects/strongswan/wiki/KernelModules) documentation from strongSwan for a list of the specific required modules and a script to check for them. As a first step, we recommend running their shell script to determine initial compatibility with your new hosting provider. Please see the [Required Kernel Modules](https://wiki.strongswan.org/projects/strongswan/wiki/KernelModules) documentation from strongSwan for a list of the specific required modules and a script to check for them. As a first step, we recommend running their shell script to determine initial compatibility with your new hosting provider.

2
docs/troubleshooting.md
View file

@ -283,7 +283,7 @@ TASK [wireguard : Generate public keys] ****************************************
fatal: [localhost]: FAILED! => {"msg": "An unhandled exception occurred while running the lookup plugin 'file'. Error was a <class 'ansible.errors.AnsibleError'>, original message: could not locate file in lookup: configs/xxx.xxx.xxx.xxx/wireguard//private/dan"} fatal: [localhost]: FAILED! => {"msg": "An unhandled exception occurred while running the lookup plugin 'file'. Error was a <class 'ansible.errors.AnsibleError'>, original message: could not locate file in lookup: configs/xxx.xxx.xxx.xxx/wireguard//private/dan"}
``` ```
This error is usually hit when using the local install option on a server that isn't Ubuntu 18.04. You should upgrade your server to Ubuntu 18.04. If this doesn't work, try removing `*.lock` files at /etc/wireguard/ as follows: This error is usually hit when using the local install option on a server that isn't Ubuntu 18.04 or later. You should upgrade your server to Ubuntu 18.04 or later. If this doesn't work, try removing `*.lock` files at /etc/wireguard/ as follows:
```ssh ```ssh
sudo rm -rf /etc/wireguard/*.lock sudo rm -rf /etc/wireguard/*.lock

2
input.yml
View file

@ -21,7 +21,7 @@
- { name: Scaleway, alias: scaleway} - { name: Scaleway, alias: scaleway}
- { name: OpenStack (DreamCompute optimised), alias: openstack } - { name: OpenStack (DreamCompute optimised), alias: openstack }
- { name: CloudStack (Exoscale optimised), alias: cloudstack } - { name: CloudStack (Exoscale optimised), alias: cloudstack }
- { name: "Install to existing Ubuntu 18.04 or 19.10 server (for more advanced users)", alias: local } - { name: "Install to existing Ubuntu 18.04 or 20.04 server (for more advanced users)", alias: local }
vars_files: vars_files:
- config.cfg - config.cfg

15
roles/cloud-azure/files/deployment.json
View file

@ -11,9 +11,18 @@
"vmSize": { "vmSize": {
"type": "string" "type": "string"
}, },
"imageReferencePublisher": {
"type": "string"
},
"imageReferenceOffer": {
"type": "string"
},
"imageReferenceSku": { "imageReferenceSku": {
"type": "string" "type": "string"
}, },
"imageReferenceVersion": {
"type": "string"
},
"SshPort": { "SshPort": {
"type": "int" "type": "int"
}, },
@ -182,10 +191,10 @@
}, },
"storageProfile": { "storageProfile": {
"imageReference": { "imageReference": {
"publisher": "Canonical", "publisher": "[parameters('imageReferencePublisher')]",
"offer": "UbuntuServer", "offer": "[parameters('imageReferenceOffer')]",
"sku": "[parameters('imageReferenceSku')]", "sku": "[parameters('imageReferenceSku')]",
"version": "latest" "version": "[parameters('imageReferenceVersion')]"
}, },
"osDisk": { "osDisk": {
"createOption": "FromImage" "createOption": "FromImage"

8
roles/cloud-azure/tasks/main.yml
View file

@ -29,8 +29,14 @@
value: "{{ wireguard_port }}" value: "{{ wireguard_port }}"
vmSize: vmSize:
value: "{{ cloud_providers.azure.size }}" value: "{{ cloud_providers.azure.size }}"
imageReferencePublisher:
value: "{{ cloud_providers.azure.image.publisher }}"
imageReferenceOffer:
value: "{{ cloud_providers.azure.image.offer }}"
imageReferenceSku: imageReferenceSku:
value: "{{ cloud_providers.azure.image }}" value: "{{ cloud_providers.azure.image.sku }}"
imageReferenceVersion:
value: "{{ cloud_providers.azure.image.version }}"
SshPort: SshPort:
value: "{{ ssh_port }}" value: "{{ ssh_port }}"
UserData: UserData:

2
roles/strongswan/defaults/main.yml
View file

@ -3,7 +3,7 @@ ipsec_config_path: "configs/{{ IP_subject_alt_name }}/ipsec/"
ipsec_pki_path: "{{ ipsec_config_path }}/.pki/" ipsec_pki_path: "{{ ipsec_config_path }}/.pki/"
strongswan_shell: /usr/sbin/nologin strongswan_shell: /usr/sbin/nologin
strongswan_home: /var/lib/strongswan strongswan_home: /var/lib/strongswan
strongswan_service: "{{ 'strongswan-starter' if ansible_distribution_major_version|int > 19 else 'strongswan' }}" strongswan_service: "{{ 'strongswan-starter' if ansible_facts['distribution_version'] is version('20.04', '>=') else 'strongswan' }}"
BetweenClients_DROP: true BetweenClients_DROP: true
algo_ondemand_cellular: false algo_ondemand_cellular: false
algo_ondemand_wifi: false algo_ondemand_wifi: false

20
roles/wireguard/tasks/ubuntu.yml
View file

@ -1,5 +1,6 @@
--- ---
- name: WireGuard repository configured - block:
- name: WireGuard repository configured
apt_repository: apt_repository:
repo: ppa:wireguard/wireguard repo: ppa:wireguard/wireguard
state: present state: present
@ -8,6 +9,15 @@
retries: 10 retries: 10
delay: 3 delay: 3
- name: Configure unattended-upgrades
copy:
src: 50-wireguard-unattended-upgrades
dest: /etc/apt/apt.conf.d/50-wireguard-unattended-upgrades
owner: root
group: root
mode: 0644
when: ansible_facts['distribution_version'] is version('20.04', '<')
- name: WireGuard installed - name: WireGuard installed
apt: apt:
name: wireguard name: wireguard
@ -19,14 +29,6 @@
dest: /etc/wireguard/.reload-module-on-update dest: /etc/wireguard/.reload-module-on-update
state: touch state: touch
- name: Configure unattended-upgrades
copy:
src: 50-wireguard-unattended-upgrades
dest: /etc/apt/apt.conf.d/50-wireguard-unattended-upgrades
owner: root
group: root
mode: 0644
- name: Set OS specific facts - name: Set OS specific facts
set_fact: set_fact:
service_name: "wg-quick@{{ wireguard_interface }}" service_name: "wg-quick@{{ wireguard_interface }}"

4
tests/pre-deploy.sh
View file

@ -25,6 +25,10 @@ lxc profile set default security.privileged true
lxc profile show default lxc profile show default
lxc launch ubuntu:${UBUNTU_VERSION} algo lxc launch ubuntu:${UBUNTU_VERSION} algo
if [[ ${UBUNTU_VERSION} == "20.04" ]]; then
lxc exec algo -- apt remove snapd --purge -y || true
fi
ip addr ip addr
until dig A +short algo.lxd @10.0.8.1 | grep -vE '^$' > /dev/null; do until dig A +short algo.lxd @10.0.8.1 | grep -vE '^$' > /dev/null; do