
Issue #846: Code changes for cobbler port change on leap

Signed-off-by: Bhagyashree-shetty <Bhagyashree_Shetty@dellteam.com>
Bhagyashree-shetty 3 years ago
parent
commit
6b351e184d

+ 9 - 0
control_plane/input_params/security_vars.yml

@@ -50,3 +50,12 @@ session_timeout: 180
 # If this variable is left blank, authentication failure alerts will be disabled.
 # Required value
 alert_email_address: ""
+
+# This variable mentions the users to whom the access will be provided
+# format of user shall be username@ip or username 
+# Ex1- root@1.2.3.4 Ex2- root Ex3- root@1.2.3.4 root (if multiple user, provide space seperated values) by default empty
+user: ''
+
+# This variable provides the type of access
+# Accepted values 'Allow' or 'Deny' by default 'Allow'
+allow_deny: 'Allow'
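Review bot: The comment above `user: ''` does not say what the `username@ip` form means to sshd, nor that an `Allow` list locks out every account that is not on it. In sshd_config `AllowUsers root@1.2.3.4` permits root only when the connection comes from that client address, so the ip is the source host, not the login node; a reader is likely to put the node's own address there. I would extend the comment with `# username@ip restricts that user to logins originating from the given client IP` and `# WARNING: with allow_deny 'Allow', any account not listed here (including the one Ansible connects as) can no longer log in over ssh`. Also "seperated" should be "separated".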

+ 23 - 0
control_plane/roles/control_plane_common/tasks/fetch_security_inputs.yml

@@ -159,3 +159,26 @@
     msg: "{{ alert_email_warning_msg }}"
   tags: security
   when: alert_email_address | length < 1
+
+- name: Prepare user list
+  set_fact:
+      user_list: "{{ lookup('vars', 'user').split()| unique | select| list }}"
+  when: user | length > 1
+
+- name: validate user
+  assert:
+    that:
+      - item is regex("^(?!-)[a-zA-Z]+[0-9-]*[@]((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$") or
+        item is regex("(?!-)[a-zA-Z]+[0-9-]*$")
+    success_msg: "{{ user_success_msg }}"
+    fail_msg: "{{ user_fail_msg }}"
+  with_items: "{{ user_list }}"
+  when:
+    - user | length > 1
+
+- name: Validate allow_deny
+  assert:
+    that:
+      - allow_deny == 'Allow' or allow_deny == 'Deny'
+    success_msg: "{{ allow_deny_success_msg }}"
+    fail_msg: "{{ allow_deny_fail_msg }}"
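Review bot: The second pattern in the `validate user` assert is not anchored at the start (`(?!-)[a-zA-Z]+[0-9-]*$`, versus the `^` on the first one), and Ansible's `regex` test searches rather than full-matches, so any token that merely ends in letters or digits — `*root`, `$(id)x` — passes validation and is written verbatim into sshd_config; it should be `item is regex("^(?!-)[a-zA-Z]+[0-9-]*$")`. Separately, both tasks are gated on `user | length > 1`, so a one-character username is silently neither validated nor applied while the `< 1` branch elsewhere prints nothing; `user | length > 0` is the intended condition. Note also that `unique` only dedups the list being validated — the raw `user` string is what reaches the config, so duplicates there are not removed.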

+ 71 - 0
control_plane/roles/control_plane_security/tasks/configure_sshd.yml

@@ -0,0 +1,71 @@
+#  Copyright 2022 Dell Inc. or its subsidiaries. All Rights Reserved.
+#
+#  Licensed under the Apache License, Version 2.0 (the "License");
+#  you may not use this file except in compliance with the License.
+#  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+---
+
+- name: Check if AllowUsers entry exixts
+  shell: cat "{{ sshd_conf_file }}"
+  register: file_content
+  changed_when: false
+
+- name: Check if user is specified
+  debug:
+    msg: "Users not specified"
+  when: user | length < 1
+
+- name: Configure sshd_config
+  block:
+    - name: Configure sshd_config file when AllowUsers entry not exists
+      lineinfile:
+        path: "{{ sshd_conf_file }}"
+        line: 'AllowUsers {{ user }}'
+      notify:
+        - Restart sshd
+      when:
+        - allow_deny == 'Allow'
+        - file_content.stdout.find('AllowUsers') == -1
+
+    - name: Configure sshd_config file when DenyUsers entry not exists
+      lineinfile:
+        path: "{{ sshd_conf_file }}"
+        line: 'DenyUsers {{ user }}'
+      notify:
+        - Restart sshd
+      when:
+        - allow_deny == 'Deny'
+        - file_content.stdout.find('DenyUsers') == -1
+
+    - name: Configure sshd_config file when AllowUsers entry exists
+      replace:
+        path: "{{ sshd_conf_file }}"
+        regexp: '^(AllowUsers)(.*)'
+        replace: '\1\2 {{ user }}'
+      notify:
+        - Restart sshd
+      when:
+        - allow_deny == 'Allow'
+        - file_content.stdout.find('AllowUsers') != -1
+
+    - name: Configure sshd_config file when DenyUsers entry exists
+      replace:
+        path: "{{ sshd_conf_file }}"
+        regexp: '^(DenyUsers)(.*)'
+        replace: '\1\2 {{ user }}'
+      notify:
+        - Restart sshd
+      when:
+        - allow_deny == 'Deny'
+        - file_content.stdout.find('DenyUsers') != -1
+
+  when:
+    - user | length > 1
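Review bot: The existence checks `file_content.stdout.find('AllowUsers')` / `find('DenyUsers')` match anywhere in the file, including a commented `#AllowUsers` line, so on such a file the `replace` task (anchored `^AllowUsers`) changes nothing and the `lineinfile` task is skipped — the play reports success while sshd stays unrestricted. None of the four edits carries `validate:`, so a malformed entry is only discovered when the `Restart sshd` handler fires and leaves the node without ssh. I would test for an active directive with `stdout_lines | select('match', '^AllowUsers\s') | list | length` and add `validate: '/usr/sbin/sshd -t -f %s'` to each task (sshd path per the Leap image — confirm). Two caveats the commit does not address: the `replace` form appends `{{ user }}` on every run, so the directive grows with duplicates, and with `Allow` the account Ansible connects as must itself be listed or the next run is locked out. Only the Allow pair is shown below; the Deny pair gets the same two changes.
```yaml
    - name: Configure sshd_config file when AllowUsers entry not exists
      lineinfile:
        path: "{{ sshd_conf_file }}"
        line: 'AllowUsers {{ user }}'
        validate: '/usr/sbin/sshd -t -f %s'
      notify:
        - Restart sshd
      when:
        - allow_deny == 'Allow'
        - file_content.stdout_lines | select('match', '^AllowUsers\s') | list | length == 0

    - name: Configure sshd_config file when AllowUsers entry exists
      replace:
        path: "{{ sshd_conf_file }}"
        regexp: '^(AllowUsers)(.*)'
        replace: '\1\2 {{ user }}'
        validate: '/usr/sbin/sshd -t -f %s'
      notify:
        - Restart sshd
      when:
        - allow_deny == 'Allow'
        - file_content.stdout_lines | select('match', '^AllowUsers\s') | list | length > 0

    # … unchanged: DenyUsers pair, with the same validate: and stdout_lines test …
```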

+ 3 - 0
control_plane/roles/control_plane_security/tasks/main.yml

@@ -53,6 +53,9 @@
     - name: Alert configuration
       include_tasks: configure_alerting.yml
       when: alert_email_address | length > 1
+
+    - name: Configure ssh access to login node
+      include_tasks: configure_sshd.yml
      
     - name: Session timeout configuration
       include_tasks: session_timeout.yml
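Review bot: The new `Configure ssh access to login node` include is unconditional, whereas the alert include two lines above is gated on its input; as a result the `cat` of sshd_config in configure_sshd.yml runs on every host even when `user` is empty. Gating the include the same way, `when: user | length > 0`, keeps the role consistent and skips the no-op file read. The enclosing block starts outside the hunk.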

+ 0 - 1
control_plane/roles/provision_cobbler/files/Dockerfile_leap

@@ -65,7 +65,6 @@ EXPOSE 69 80 443 25151
 
 VOLUME [ "/srv/www/cobbler", "/var/lib/cobbler/backup", "/mnt" ]
 
-RUN systemctl enable apache2
 RUN systemctl enable dhcpd
 
 CMD ["sbin/init"]

+ 22 - 0
control_plane/roles/provision_cobbler/files/cobbler_configurations_leap.yml

@@ -44,6 +44,27 @@
     shell: echo "LoadModule wsgi_module modules/mod_wsgi_python3.so" >/etc/apache2/conf.d/wsgi.conf
     changed_when: false
 
+  - name: Change http port to 8000
+    replace:
+      path: "/etc/apache2/listen.conf"
+      regexp: '^Listen 80'
+      replace: 'Listen 8000'
+    changed_when: false
+
+  - name: Change https port to 8008
+    replace:
+      path: "/etc/apache2/listen.conf"
+      regexp: '^\s.*Listen 443'
+      replace: '                Listen 8008'
+    changed_when: false
+
+  - name: Change http port to 8000
+    replace:
+      path: "/etc/apache2/vhosts.d/cobbler.conf"
+      regexp: '^<VirtualHost.*'
+      replace: '<VirtualHost *:8000>'
+    changed_when: false
+
   - name: Add interface to the /etc/sysconfig/dhcpd
     replace:
       path: "/etc/sysconfig/dhcpd"
@@ -55,6 +76,7 @@
     with_items:
       - cobblerd
       - tftp
+      - apache2
     changed_when: false
 
   - name: Restart httpd
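Review bot: The `Change http port to 8000` task's `regexp: '^Listen 80'` is a prefix match, so on a second run it matches the already-rewritten `Listen 8000` and produces `Listen 800000`, an invalid port that stops apache2 from starting; anchor it as `regexp: '^Listen 80\s*$'`. The `changed_when: false` on all three `replace` tasks hides that the file was modified, so this non-idempotence never shows in the play output — drop it and let `replace` report honestly. The hard-coded leading whitespace in the https replacement is fragile; `regexp: '^(\s*)Listen 443\s*$'` with `replace: '\1Listen 8008'` preserves whatever indentation the file has. Finally, the Dockerfile context in this commit still reads `EXPOSE 69 80 443 25151`; unless the container runs on host networking, 8000 and 8008 need exposing as well — confirm.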

+ 1 - 1
control_plane/roles/provision_cobbler/files/temp_leap15.xml

@@ -5,7 +5,7 @@
     <init>
       <info_file>
         <![CDATA[
-          install: http://ip/cblr/links/leap-x86_64/
+          install: http://ip:port/cblr/links/leap-x86_64/
           textmode: 1]]>
       </info_file>
     </init>

+ 1 - 1
control_plane/roles/provision_cobbler/tasks/provision_password.yml

@@ -105,7 +105,7 @@
       replace:
         path: "{{ role_path }}/files/{{ cobbler_kickstart_file }}"
         regexp: '^          install: http://ip/cblr/links/leap-x86_64/'
-        replace: '          install: http://{{ hpc_ip }}/cblr/links/leap-x86_64/'
+        replace: '          install: http://{{ hpc_ip }}:{{ http_port }}/cblr/links/leap-x86_64/'
       tags: install
 
     - name: Configure kickstart file leap - nic
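Review bot: The new replacement string adds `:{{ http_port }}`, but the `regexp` on the line above still looks for `http://ip/cblr/links/leap-x86_64/`, while temp_leap15.xml in this same commit now carries `http://ip:port/cblr/links/leap-x86_64/`; if `cobbler_kickstart_file` points at that template (as the name suggests — confirm), the regexp never matches, the `replace` silently does nothing, and the autoyast profile ships with the literal `http://ip:port/` install URL. The regexp should be `regexp: '^          install: http://ip:port/cblr/links/leap-x86_64/'`. A follow-up check that the `ip:port` placeholder is gone from the rendered file would catch this kind of drift between template and substitution. The task's enclosing block starts outside the hunk.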

+ 9 - 0
omnia_security_config.yml

@@ -40,3 +40,12 @@ session_timeout: 180
 # If this variable is left blank, authentication failure alerts will be disabled.
 # Required value
 alert_email_address: ""
+
+# This variable mentions the users to whom the access will be provided
+# format of user shall be username@ip or username 
+# Ex1- root@1.2.3.4 Ex2- root Ex3- root@1.2.3.4 root (if multiple user, provide space seperated values) by default empty
+user: ''
+
+# This variable provides the type of access
+# Accepted values 'Allow' or 'Deny' by default 'Allow'
+allow_deny: 'Allow'
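Review bot: The `user` comment gives the syntax but not the consequence: once `allow_deny` is `'Allow'` and this list is non-empty, sshd refuses every account not listed, including the account Ansible itself uses, so the next playbook run can lock itself out. The `username@ip` form also needs a word of explanation — in sshd's `AllowUsers`/`DenyUsers` the ip is the client address the login originates from, not the node being configured. I would add `# username@ip limits that user to logins from the given client IP address` and `# WARNING: in 'Allow' mode every account not listed here, including the Ansible user, loses ssh access`. "seperated" should read "separated".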

+ 23 - 0
roles/cluster_validation/tasks/fetch_security_inputs.yml

@@ -63,3 +63,26 @@
   debug:
     msg: "{{ alert_email_warning_msg }}"
   when: alert_email_address | length < 1
+
+- name: Prepare user list
+  set_fact:
+      user_list: "{{ lookup('vars', 'user').split()| unique | select| list }}"
+  when: user | length > 1
+
+- name: validate user
+  assert:
+    that:
+      - item is regex("^(?!-)[a-zA-Z]+[0-9-]*[@]((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$") or
+        item is regex("(?!-)[a-zA-Z]+[0-9-]*$")
+    success_msg: "{{ user_success_msg }}"
+    fail_msg: "{{ user_fail_msg }}"
+  with_items: "{{ user_list }}"
+  when:
+    - user | length > 1
+
+- name: Validate allow_deny
+  assert:
+    that:
+      - allow_deny == 'Allow' or allow_deny == 'Deny'
+    success_msg: "{{ allow_deny_success_msg }}"
+    fail_msg: "{{ allow_deny_fail_msg }}"
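Review bot: The fallback pattern in `validate user`, `(?!-)[a-zA-Z]+[0-9-]*$`, has no `^` anchor, and since Ansible's `regex` test is a search, a token such as `*admin` or `$(id)x` satisfies it and is later written straight into sshd_config; it should be `item is regex("^(?!-)[a-zA-Z]+[0-9-]*$")`. The `user | length > 1` gate on both tasks also means a single-character username is never validated, and the same gate in the consumer means it is never applied — `user | length > 0` is what is meant. Be aware that `unique` dedups only the validated list; the unmodified `user` string is what ends up in the config.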

+ 71 - 0
roles/login_node/tasks/configure_sshd.yml

@@ -0,0 +1,71 @@
+#  Copyright 2022 Dell Inc. or its subsidiaries. All Rights Reserved.
+#
+#  Licensed under the Apache License, Version 2.0 (the "License");
+#  you may not use this file except in compliance with the License.
+#  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+---
+
+- name: Check if AllowUsers entry exixts
+  shell: cat "{{ sshd_conf_file }}"
+  register: file_content
+  changed_when: false
+
+- name: Check if user is specified
+  debug:
+    msg: "Users not specified"
+  when: user | length < 1
+
+- name: Configure sshd_config
+  block:
+    - name: Configure sshd_config file when AllowUsers entry not exists
+      lineinfile:
+        path: "{{ sshd_conf_file }}"
+        line: 'AllowUsers {{ user }}'
+      notify:
+        - Restart sshd
+      when:
+        - allow_deny == 'Allow'
+        - file_content.stdout.find('AllowUsers') == -1
+
+    - name: Configure sshd_config file when DenyUsers entry not exists
+      lineinfile:
+        path: "{{ sshd_conf_file }}"
+        line: 'DenyUsers {{ user }}'
+      notify:
+        - Restart sshd
+      when:
+        - allow_deny == 'Deny'
+        - file_content.stdout.find('DenyUsers') == -1
+
+    - name: Configure sshd_config file when AllowUsers entry exists
+      replace:
+        path: "{{ sshd_conf_file }}"
+        regexp: '^(AllowUsers)(.*)'
+        replace: '\1\2 {{ user }}'
+      notify:
+        - Restart sshd
+      when:
+        - allow_deny == 'Allow'
+        - file_content.stdout.find('AllowUsers') != -1
+
+    - name: Configure sshd_config file when DenyUsers entry exists
+      replace:
+        path: "{{ sshd_conf_file }}"
+        regexp: '^(DenyUsers)(.*)'
+        replace: '\1\2 {{ user }}'
+      notify:
+        - Restart sshd
+      when:
+        - allow_deny == 'Deny'
+        - file_content.stdout.find('DenyUsers') != -1
+
+  when:
+    - user | length > 1
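Review bot: `file_content.stdout.find('AllowUsers')` (and the `DenyUsers` twin) returns a hit for a commented-out `#AllowUsers` line as well, in which case the `replace` task anchored at `^AllowUsers` finds nothing and the `lineinfile` task is skipped, so the login node ends up with no restriction while the play reports success. The four edits also lack `validate:`, meaning a bad directive is only noticed when the `Restart sshd` handler restarts a daemon that then refuses to start. Use a line-anchored test, `file_content.stdout_lines | select('match', '^AllowUsers\s') | list | length`, and add `validate: '/usr/sbin/sshd -t -f %s'` to each task (confirm the sshd path on Leap). Unaddressed caveats: the `replace` branch re-appends `{{ user }}` on every run, and in `Allow` mode the Ansible login account must be in the list or subsequent runs are locked out. The Allow pair is shown; apply the same two changes to the Deny pair.
```yaml
    - name: Configure sshd_config file when AllowUsers entry not exists
      lineinfile:
        path: "{{ sshd_conf_file }}"
        line: 'AllowUsers {{ user }}'
        validate: '/usr/sbin/sshd -t -f %s'
      notify:
        - Restart sshd
      when:
        - allow_deny == 'Allow'
        - file_content.stdout_lines | select('match', '^AllowUsers\s') | list | length == 0

    - name: Configure sshd_config file when AllowUsers entry exists
      replace:
        path: "{{ sshd_conf_file }}"
        regexp: '^(AllowUsers)(.*)'
        replace: '\1\2 {{ user }}'
        validate: '/usr/sbin/sshd -t -f %s'
      notify:
        - Restart sshd
      when:
        - allow_deny == 'Allow'
        - file_content.stdout_lines | select('match', '^AllowUsers\s') | list | length > 0

    # … unchanged: DenyUsers pair, with the same validate: and stdout_lines test …
```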

+ 3 - 0
roles/login_node/tasks/main.yml

@@ -36,6 +36,9 @@
         - name: Alert configuration
           include_tasks: configure_alerting.yml
           when: hostvars['127.0.0.1']['alert_email_address'] | length > 1
+
+        - name: Configure ssh access to login node
+          include_tasks: configure_sshd.yml
         
         - name: Session timeout configuration
           include_tasks: session_timeout.yml
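Review bot: The sibling alert include reads its input as `hostvars['127.0.0.1']['alert_email_address']`, which suggests the security vars are only loaded on localhost in this play, yet configure_sshd.yml refers to `user` and `allow_deny` directly; if that inference holds, `when: user | length < 1` fails with an undefined-variable error on the login node instead of skipping. Either pass the values through on the include — `vars:` with `user: "{{ hostvars['127.0.0.1']['user'] }}"` and `allow_deny: "{{ hostvars['127.0.0.1']['allow_deny'] }}"` — or gate it like the alert include is gated. The enclosing block starts outside the hunk.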