Open teddytpc1 opened 3 weeks ago
For the Vagrant base box generation, I created two scripts:
.box file.
generate_base_box.sh script. It is executed inside the VM, and configures the VM: creates the user, installs packages and Guest Additions, and cleans up.
These scripts are useful to avoid making this Vagrant base box manually.
Here are the two scripts:
Here is the output of the Vagrant base box generation:
The scripts have been updated:
generate_base_box.sh script has been modified. A command to generate a .ova file has been added. This file is necessary for the OVA generation in Jenkins (to create the AMI base):
package_vagrant_box() {
  vagrant package --base al2023 --output al2023.box
  vboxmanage export al2023 -o "${AL2023_OVA_OUTPUT}"
}
setup.sh script has been modified. The password authentication has been enabled in order to adapt it as it is done for the OVA generation:
# Enable SSH password authentication
configure_ssh() {
  sed -i 's/^#PasswordAuthentication yes/PasswordAuthentication yes/' /etc/ssh/sshd_config
  sed -i 's/^PasswordAuthentication no/PasswordAuthentication yes/' /etc/ssh/sshd_config
  systemctl restart sshd
}
Here are the two scripts:
With this:
al2023.box file can be uploaded to packages-dev.wazuh.com/vms/ova to generate the OVA locally.
al2023.ova can be uploaded to packages-dev.wazuh.com/vms/ova, and then used for the AMI base build.
Packages_builder_OVA Jenkins pipeline.
I have performed the build of the OVA locally, using the generate_ova.sh script located in the wazuh-packages/ova folder.
I encountered a problem while generating the AMI base from the .OVA file:
aws ec2 describe-import-image-tasks --import-task-ids import-ami-0960d6036dbffd06b --profile production --region us-west-1
{
"ImportImageTasks": [
{
"Description": "AL2023_OVA_base",
"ImportTaskId": "import-ami-0960d6036dbffd06b",
"SnapshotDetails": [
{
"DiskImageSize": 707566592.0,
"Format": "VMDK",
"Status": "completed",
"UserBucket": {
"S3Bucket": "packages-dev.wazuh.com",
"S3Key": "vms/ova/al2023.ova"
}
}
],
"Status": "deleted",
"StatusMessage": "ClientError: BLSC-style GRUB found, but unable to detect default kernel",
"Tags": []
}
]
}
al2023.ova file after applying the change.
al2023.ova file uploaded to S3 and I re-uploaded the new OVA file.
aws ec2 describe-import-image-tasks --import-task-ids import-ami-0ee9d832fae852d9b --profile production --region us-west-1
{
"ImportImageTasks": [
{
"Description": "AL2023_OVA_base",
"ImportTaskId": "import-ami-0ee9d832fae852d9b",
"SnapshotDetails": [
{
"DiskImageSize": 712344064.0,
"Format": "VMDK",
"Status": "completed",
"UserBucket": {
"S3Bucket": "packages-dev.wazuh.com",
"S3Key": "vms/ova/al2023.ova"
}
}
],
"Status": "deleting",
"StatusMessage": "ClientError: Unsupported kernel version 6.1.91-99.172.amzn2023.x86_64",
"Tags": []
}
]
}
The error ClientError: Unsupported kernel version 6.1.91-99.172.amzn2023.x86_64 reports that the OS is not supported. As it is specified in https://docs.aws.amazon.com/vm-import/latest/userguide/vmimport-troubleshooting.html and https://docs.aws.amazon.com/vm-import/latest/userguide/prerequisites.html#vmimport-operating-systems, it seems that the Amazon Linux 2023 OS is not supported by the EC2 VM Import feature.
To solve this (or avoid this problem), the approach taken is to launch an EC2 instance from the Amazon Linux 2023 AMI (from the AWS Marketplace), tune and clean up the EC2 instance and generate an AMI from the instance. This new AMI will be the base for the OVA and AMI generation in Jenkins.
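Both import failures in this thread ("BLSC-style GRUB found, but unable to detect default kernel" and "Unsupported kernel version ...amzn2023...") only surfaced after a 700 MB OVA had been uploaded and the import task had run. The following pre-upload check is an added example, not a script from this issue or from the wazuh-packages repository. It takes the guest's os-release file, its BootLoaderSpec entries directory and its grubenv as parameters, so it can be pointed at a mounted guest disk or at test fixtures. The supported-OS decision mirrors the AWS prerequisites page linked above (Amazon Linux 2023 absent); treating a missing saved_entry in grubenv as "default kernel not detectable" is this example's own heuristic, not AWS's documented logic.

```shell
#!/usr/bin/env bash
# Added example (not from the wazuh-packages issue or repository): a pre-upload
# check for the two VM Import failures seen in this thread.
# ASSUMPTIONS: the "amzn 2023" rule reflects the AWS supported-OS list as read in
# the issue; the saved_entry rule is a heuristic of this example.

# Usage: vmimport_preflight OS_RELEASE LOADER_ENTRIES_DIR GRUBENV
# Returns 0 when no known blocker is found, 1 otherwise (reasons on stderr).
vmimport_preflight() {
  local os_release="$1" entries_dir="$2" grubenv="$3" rc=0
  local id version_id n
  id=$(sed -n 's/^ID=//p' "$os_release" | tr -d '"')
  version_id=$(sed -n 's/^VERSION_ID=//p' "$os_release" | tr -d '"')

  # Amazon Linux 2023 is not on the VM Import supported-OS list referenced above.
  if [ "$id" = "amzn" ] && [ "$version_id" = "2023" ]; then
    echo "blocker: ${id} ${version_id} is not a VM Import supported OS" >&2
    rc=1
  fi

  # BLS-style GRUB (BootLoaderSpec entries under loader/entries) is what the
  # "BLSC-style GRUB found" message refers to; check that a default can be resolved.
  if [ -d "$entries_dir" ]; then
    n=$(find "$entries_dir" -maxdepth 1 -name '*.conf' | wc -l | tr -d ' ')
    if [ "$n" -eq 0 ]; then
      echo "blocker: BLS entries directory ${entries_dir} is empty" >&2
      rc=1
    fi
    if ! grep -q '^saved_entry=' "$grubenv" 2>/dev/null; then
      echo "blocker: BLS-style GRUB but no saved_entry in ${grubenv} (default kernel not detectable)" >&2
      rc=1
    fi
  fi
  return "$rc"
}

# Stand-alone use on a live system (paths are the usual Fedora-family ones):
#   vmimport_preflight /etc/os-release /boot/loader/entries /boot/grub2/grubenv
if [ "${1:-}" = "--live" ]; then
  vmimport_preflight /etc/os-release /boot/loader/entries /boot/grub2/grubenv
fi
```

Running this against the guest before `vboxmanage export` (or in the Jenkins stage before the S3 upload) turns a multi-minute import failure into an immediate, explained exit code.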
I launched an AL2023 EC2 instance using the ami-067d1e60475437da2 AMI, using the Allocator module.
I updated Amazon Linux 2023 version: dnf upgrade --releasever=2023.4.20240528
After this and rebooting the machine, the kernel version of the machine is updated:
Before:
[ec2-user@ip-172-31-79-103 ~]$ uname -r
6.1.55-75.123.amzn2023.x86_64
After:
[ec2-user@ip-172-31-79-103 ~]$ uname -r
6.1.91-99.172.amzn2023.x86_64
Created the wazuh-user user with wazuh as password. Created its home folder as specified in the setup.sh script:
> ssh -i packages-2985-amazon-2023-key-8320 wazuh-user@ec2-X-XXX-XX-XXX.compute-1.amazonaws.com -p2200
wazuh-user@ec2-X-XXX-XX-XXX.compute-1.amazonaws.com's password:
, #_
~\_ ####_ Amazon Linux 2023
~~ \_#####\
~~ \###|
~~ \#/ ___ https://aws.amazon.com/linux/amazon-linux-2023
~~ V~' '->
~~~ /
~~._. _/
_/ _/
_/m/'
[wazuh-user@ip-172-31-79-103 ~]$ sudo su
[root@ip-172-31-79-103 wazuh-user]#
Installed VBox Guest Additions.
Removed the ec2-user user and the amazon-ssm-agent package.
Restored SSH port 22.
General clean up.
All the commands executed in the instance were the following:
# Create wazuh-user with the Vagrant insecure public key and passwordless sudo
sudo useradd -m -s /bin/bash wazuh-user
echo "wazuh-user:wazuh" | sudo chpasswd
sudo mkdir -p /home/wazuh-user/.ssh
sudo wget -nv https://raw.githubusercontent.com/hashicorp/vagrant/main/keys/vagrant.pub -O /home/wazuh-user/.ssh/authorized_keys
sudo chmod 600 /home/wazuh-user/.ssh/authorized_keys
sudo chmod 700 /home/wazuh-user/.ssh
sudo chown -R wazuh-user:wazuh-user /home/wazuh-user
echo 'wazuh-user ALL=(ALL) NOPASSWD: ALL' | sudo tee /etc/sudoers.d/wazuh-user
sudo chmod 440 /etc/sudoers.d/wazuh-user
# Packages: install what the box needs, drop old kernels (keeps the latest), remove the EC2 default user and the SSM agent
sudo yum -y install network-scripts git
sudo dnf remove $(dnf repoquery --installonly --latest-limit=-1)
sudo userdel -r ec2-user || true
sudo yum -y remove amazon-ssm-agent
# VirtualBox Guest Additions; LATEST.TXT is fetched over plain http. The wget/rm into /root
# need a root shell (as in the later "sudo bash test.sh" run), they would fail as ec2-user.
KERNEL_VERSION=$(ls /lib/modules)
VIRTUALBOX_VERSION=$(wget -q http://download.virtualbox.org/virtualbox/LATEST.TXT -O -)
wget -nv https://download.virtualbox.org/virtualbox/${VIRTUALBOX_VERSION}/VBoxGuestAdditions_${VIRTUALBOX_VERSION}.iso -O /root/VBoxGuestAdditions.iso
sudo mount -o ro,loop /root/VBoxGuestAdditions.iso /mnt
sudo sh /mnt/VBoxLinuxAdditions.run || true
sudo umount /mnt
rm -f /root/VBoxGuestAdditions.iso
sudo /etc/kernel/postinst.d/vboxadd ${KERNEL_VERSION}
sudo /sbin/depmod ${KERNEL_VERSION}
# SSH: enable password authentication and move the port back to 22
sudo sed -i 's/^#PasswordAuthentication yes/PasswordAuthentication yes/' /etc/ssh/sshd_config
sudo sed -i 's/^PasswordAuthentication no/PasswordAuthentication yes/' /etc/ssh/sshd_config
sudo sed -i "s/Port\s2200/Port 22/" /etc/ssh/sshd_config
sudo systemctl restart sshd
# Clean up caches, logs, temp files, shell history and SSH keys before creating the AMI
sudo yum clean all
sudo rm -rf /var/cache/yum/*
sudo yum remove -y amazon-ssm-agent
sudo rm -rf /var/log/*
sudo rm -rf /tmp/*
sudo yum autoremove
sudo rm ~/.ssh/*
sudo su
rm -rf /root/.ssh/*
cat /dev/null > /root/.bash_history && history -c && exit
cat /dev/null > ~/.bash_history && history -c && sudo shutdown -h now
After this, and ensuring that the instance was accessible with the wazuh-user:wazuh credentials through port 22, and with the instance stopped, I created the AMI from the AWS console (Images > Create image and Templates, gave it a name (Amazon-Linux2023-for-OVA-wp2985) and a description). Resulting AMI: ami-07603f0193a47fe67
It seems that the AMI is not bootable, maybe because of the disk clean up. It is necessary to recreate it.
I rebuilt the AMI but it seems that the changes done in the /etc/ssh/sshd_config file are not being saved, as I can not log in with the created wazuh-user user. The PasswordAuthentication option is set to no although I changed it in the instance from which the AMI is built:
[ec2-user@ip-172-31-91-150 ~]$ sudo grep PasswordAuthentication /etc/ssh/sshd_config
# Explicitly disable PasswordAuthentication. By presetting it, we
PasswordAuthentication no
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication, then enable this but set PasswordAuthentication
I noticed that it is necessary to change the /etc/cloud/cloud.cfg file as is specified in https://stackoverflow.com/questions/18344390/how-do-i-get-aws-ec2-to-not-reset-my-sshd-config-file
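The lost setting above is the behaviour of cloud-init's set_passwords module: on first boot it rewrites PasswordAuthentication in sshd_config from the ssh_pwauth key in /etc/cloud/cloud.cfg, so the two sed lines in setup.sh (and in the command list earlier in this thread) are undone unless cloud.cfg is changed too. The functions below are an added example, not the issue's setup.sh or code from the wazuh-packages repository; they edit both files and report the resulting state. The file paths are parameters so the functions can be exercised on copies; the sshd_config fixture used in the test is constructed from the lines quoted above.

```shell
#!/usr/bin/env bash
# Added example (not the issue's setup.sh): make the PasswordAuthentication change
# survive the AMI's first boot by setting it in sshd_config AND in cloud.cfg.
# Paths are parameters; run with /etc/ssh/sshd_config and /etc/cloud/cloud.cfg as root.

# Set "PasswordAuthentication yes" in an sshd_config. The pattern matches the
# directive whether commented out ("#PasswordAuthentication yes") or active
# ("PasswordAuthentication no"); prose comments that merely mention the keyword
# (as in the AL2023 default file quoted above) are left alone. Appends if absent.
enable_sshd_password_auth() {
  local sshd_config="$1"
  if grep -Eq '^[#[:space:]]*PasswordAuthentication[[:space:]]' "$sshd_config"; then
    sed -i -E 's/^[#[:space:]]*PasswordAuthentication[[:space:]].*/PasswordAuthentication yes/' "$sshd_config"
  else
    printf 'PasswordAuthentication yes\n' >> "$sshd_config"
  fi
}

# Set "ssh_pwauth: true" in cloud.cfg so cloud-init does not flip sshd back to "no".
enable_cloud_init_pwauth() {
  local cloud_cfg="$1"
  if grep -Eq '^[[:space:]]*ssh_pwauth:' "$cloud_cfg"; then
    sed -i -E 's/^([[:space:]]*)ssh_pwauth:.*/\1ssh_pwauth: true/' "$cloud_cfg"
  else
    printf 'ssh_pwauth: true\n' >> "$cloud_cfg"
  fi
}

# Both changes together; this is what belongs in the AMI preparation step.
enable_password_auth_persistent() {
  enable_sshd_password_auth "$1"
  enable_cloud_init_pwauth "$2"
}

# Report the first active directive in each file:
# "sshd=<yes|no|unset> cloud-init=<true|false|unset>"
password_auth_state() {
  local sshd_config="$1" cloud_cfg="$2" s c
  s=$(awk '/^[[:space:]]*PasswordAuthentication[[:space:]]/ { print $2; exit }' "$sshd_config")
  c=$(awk '/^[[:space:]]*ssh_pwauth:/ { print $2; exit }' "$cloud_cfg")
  printf 'sshd=%s cloud-init=%s\n' "${s:-unset}" "${c:-unset}"
}

# Stand-alone use on the instance, before creating the AMI:
#   enable_password_auth_persistent /etc/ssh/sshd_config /etc/cloud/cloud.cfg
#   password_auth_state /etc/ssh/sshd_config /etc/cloud/cloud.cfg
#   systemctl restart sshd
```

On the running instance, confirm the effective value with `sshd -T | grep -i passwordauthentication`: that also accounts for drop-ins under /etc/ssh/sshd_config.d/ pulled in by an Include line, and because sshd keeps the first value it reads, a drop-in included near the top of sshd_config takes precedence over an edit further down. Password login with the fixed wazuh-user:wazuh credential is reasonable for a local Vagrant box, but on an AMI reachable from a network it is a default credential; keep the security group closed or change the password at first login.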
A new version 2023.4.20240611.0 of AL2023 has been released. It is necessary to:
After a meeting with @teddytpc1 and @c-bordon, it has been decided the following:
ami-08a0d1e16fc3f61ea
2023.4.20240611, released today.
[ec2-user@ip-172-31-44-85 ~]$ dnf list system-release
Amazon Linux 2023 repository 40 MB/s | 25 MB 00:00
Amazon Linux 2023 Kernel Livepatch repository 658 kB/s | 165 kB 00:00
History database cannot be created, using in-memory database instead: SQLite error on "/var/lib/dnf/history.sqlite": Open failed: unable to open database file
Installed Packages
system-release.noarch 2023.4.20240611-1.amzn2023 @System
[ec2-user@ip-172-31-44-85 ~]$
The Vagrant box has been rebuilt using the generate_base_box.sh script and it is working as expected.
I tested the script in two different ways: putting it in the userData, in the instance launch form; and executing it on a running VM. Both worked as expected:
The instance with the userData script attached:
ssh wazuh-user@ec2-X-X-X-XXX.compute-1.amazonaws.com
wazuh-user@ec2-X-X-X-XXX.compute-1.amazonaws.com's password:
, #_
~\_ ####_ Amazon Linux 2023
~~ \_#####\
~~ \###|
~~ \#/ ___ https://aws.amazon.com/linux/amazon-linux-2023
~~ V~' '->
~~~ /
~~._. _/
_/ _/
_/m/'
Last login: Tue Jun 11 16:01:21 2024 from XXX.XX.XX.XXX
[wazuh-user@ip-172-31-22-52 ~]$
Executing the script on a running VM:
[wazuh-user@ip-172-31-44-85 ~]$ sudo bash test.sh
userdel: user 'ec2-user' does not exist
No match for argument: amazon-ssm-agent
No packages marked for removal.
Dependencies resolved.
Nothing to do.
Complete!
Amazon Linux 2023 repository 38 MB/s | 25 MB 00:00
Amazon Linux 2023 Kernel Livepatch repository 700 kB/s | 165 kB 00:00
Package network-scripts-10.09-1.amzn2023.0.2.x86_64 is already installed.
Package git-2.40.1-1.amzn2023.0.3.x86_64 is already installed.
Dependencies resolved.
Nothing to do.
Complete!
2024-06-11 15:54:01 URL:https://download.virtualbox.org/virtualbox/7.0.18/VBoxGuestAdditions_7.0.18.iso [52887552/52887552] -> "/root/VBoxGuestAdditions.iso" [1]
Verifying archive integrity... 100% MD5 checksums are OK. All good.
Uncompressing VirtualBox 7.0.18 Guest Additions for Linux 100%
VirtualBox Guest Additions installer
Removing installed version 7.0.18 of VirtualBox Guest Additions...
Copying additional installer modules ...
Installing additional modules ...
VirtualBox Guest Additions: Starting.
VirtualBox Guest Additions: Setting up modules
VirtualBox Guest Additions: Building the VirtualBox Guest Additions kernel
modules. This may take a while.
VirtualBox Guest Additions: To build modules for other installed kernels, run
VirtualBox Guest Additions: /sbin/rcvboxadd quicksetup <version>
VirtualBox Guest Additions: or
VirtualBox Guest Additions: /sbin/rcvboxadd quicksetup all
VirtualBox Guest Additions: Kernel headers not found for target kernel
6.1.92-99.174.amzn2023.x86_64. Please install them and execute
/sbin/rcvboxadd setup
ValueError: File context for /opt/VBoxGuestAdditions-7.0.18/other/mount.vboxsf already defined
VirtualBox Guest Additions: reloading kernel modules and services
VirtualBox Guest Additions: unable to load vboxguest kernel module, see dmesg
VirtualBox Guest Additions: kernel modules and services were not reloaded
The log file /var/log/vboxadd-setup.log may contain further information.
ValueError: Port tcp/22 already defined
sudo: firewall-offline-cmd: command not found
sudo: firewall-cmd: command not found
Cloud-init v. 22.2.2 running 'init' at Tue, 11 Jun 2024 15:55:10 +0000. Up 5925.58 seconds.
ci-info: ++++++++++++++++++++++++++++++++++++++Net device info+++++++++++++++++++++++++++++++++++++++
ci-info: +--------+------+-----------------------------+---------------+--------+-------------------+
ci-info: | Device | Up | Address | Mask | Scope | Hw-Address |
ci-info: +--------+------+-----------------------------+---------------+--------+-------------------+
ci-info: | enX0 | True | 172.31.44.85 | 255.255.240.0 | global | 0e:f2:b0:a1:3a:c3 |
ci-info: | enX0 | True | fe80::cf2:b0ff:fea1:3ac3/64 | . | link | 0e:f2:b0:a1:3a:c3 |
ci-info: | lo | True | 127.0.0.1 | 255.0.0.0 | host | . |
ci-info: | lo | True | ::1/128 | . | host | . |
ci-info: +--------+------+-----------------------------+---------------+--------+-------------------+
ci-info: ++++++++++++++++++++++++++++++Route IPv4 info++++++++++++++++++++++++++++++
ci-info: +-------+-------------+-------------+-----------------+-----------+-------+
ci-info: | Route | Destination | Gateway | Genmask | Interface | Flags |
ci-info: +-------+-------------+-------------+-----------------+-----------+-------+
ci-info: | 0 | 0.0.0.0 | 172.31.32.1 | 0.0.0.0 | enX0 | UG |
ci-info: | 1 | 172.31.0.2 | 172.31.32.1 | 255.255.255.255 | enX0 | UGH |
ci-info: | 2 | 172.31.32.0 | 0.0.0.0 | 255.255.240.0 | enX0 | U |
ci-info: | 3 | 172.31.32.1 | 0.0.0.0 | 255.255.255.255 | enX0 | UH |
ci-info: +-------+-------------+-------------+-----------------+-----------+-------+
ci-info: +++++++++++++++++++Route IPv6 info+++++++++++++++++++
ci-info: +-------+-------------+---------+-----------+-------+
ci-info: | Route | Destination | Gateway | Interface | Flags |
ci-info: +-------+-------------+---------+-----------+-------+
ci-info: | 0 | fe80::/64 | :: | enX0 | U |
ci-info: | 2 | local | :: | enX0 | U |
ci-info: | 3 | multicast | :: | enX0 | U |
ci-info: +-------+-------------+---------+-----------+-------+
2024-06-11 15:55:11,218 - schema.py[WARNING]: Invalid cloud-config provided: Please run 'sudo cloud-init schema --system' to see the schema errors.
Generating public/private ed25519 key pair.
Your identification has been saved in /etc/ssh/ssh_host_ed25519_key
Your public key has been saved in /etc/ssh/ssh_host_ed25519_key.pub
The key fingerprint is:
SHA256:+yGMPVL4KKwv/rhTSx3K41SpJNfH7kWTKJMKr8LORsw root@ip-172-31-44-85.ec2.internal
The key's randomart image is:
+--[ED25519 256]--+
| |
| |
| . + . . |
| o o O.+ + |
|o B *.*S. . |
| E .@ .B... |
|o *oo+.B.. |
|oo+oo. ..+ . |
|o==*o . |
+----[SHA256]-----+
Generating public/private ecdsa key pair.
Your identification has been saved in /etc/ssh/ssh_host_ecdsa_key
Your public key has been saved in /etc/ssh/ssh_host_ecdsa_key.pub
The key fingerprint is:
SHA256:tq8TvDXqWtLi/w7iku6YxW4MpSSXWnQ5fqB6FIlhiTg root@ip-172-31-44-85.ec2.internal
The key's randomart image is:
+---[ECDSA 256]---+
|++.. . |
|E.+ = |
| o * o |
|. B o . |
| O o . .S |
|o +. oo.o |
| . oo.+ == . |
| ==o =+o |
| o++.+++=+ |
+----[SHA256]-----+
Cloud-init v. 22.2.2 running 'modules:config' at Tue, 11 Jun 2024 15:55:11 +0000. Up 5926.63 seconds.
2024-06-11 15:55:11,818 - cc_set_passwords.py[WARNING]: DEPRECATION: The chpasswd multiline string format is deprecated and will be removed from a future version of cloud-init. Use the list format instead.
Cloud-init v. 22.2.2 running 'modules:final' at Tue, 11 Jun 2024 15:55:12 +0000. Up 5927.14 seconds.
Cloud-init v. 22.2.2 finished at Tue, 11 Jun 2024 15:55:12 +0000. Datasource DataSourceEc2. Up 5927.41 seconds
17 files removed
Amazon Linux 2023 repository 40 MB/s | 25 MB 00:00
Amazon Linux 2023 Kernel Livepatch repository 805 kB/s | 165 kB 00:00
Dependencies resolved.
Nothing to do.
Complete!
The built script to generate the AMI is the following:
al2023.box Vagrant base box of S3.
al2023.ova file as it can't be used. See https://github.com/wazuh/wazuh-packages/issues/2985#issuecomment-2158374348
ami-0d17f3ba8eb787cb3
Packages_builder_OVA.groovy pipeline.
Packages_builder_OVA.groovy pipeline. https://ci.wazuh.info/job/Packages_Builder_OVA/358/console
The OVA build in Jenkins failed here: https://ci.wazuh.info/job/Packages_Builder_OVA/358/console
The reported error is the following: ClientError: BLSC-style GRUB found, but unable to detect default kernel. This error was also reported here, when trying to upload the .ova file associated with the Vagrant base box. This error is related to the VM import/export feature of EC2, which seems not to support importing/exporting AMIs that have AL2023 as OS.
In this case, the pipeline performs the following steps:
.ova file.
For this reason, we are blocked as AL2023 is not listed in the following documentation as a supported OS: https://docs.aws.amazon.com/vm-import/latest/userguide/prerequisites.html#vmimport-operating-systems
A possible workaround could be to modify the pipeline. The approach would consist in:
wazuh-packages repository would be cloned and the OVA would be generated with the generate_ova.sh script. This script generates the .ova file. Related: https://documentation.wazuh.com/current/development/packaging/generate-ova.html
.ova file generated to S3 with AWS CLI.
Description
We need to change the OVA OS to AL2023
Tasks
NOTE: the tests can be made using the 4.8.0 packages.