cookbook 'sanitize', '= 1.0.0'
sanitize
1.0.0
Sanitizes system by providing a sane default configuration
cookbook 'sanitize', '= 1.0.0', :supermarket
knife supermarket install sanitize
knife supermarket download sanitize
Description
This cookbook aims to normalize the setup of a fresh server, set sane
defaults for global settings, and work with various initial
environments (tested on EC2 images, Hetzner "minimal" installations,
and debootstrap-created LXC images). At the moment it supports only
Ubuntu; Debian support is planned.
It calls the recipes chef-client::config and omnibus_updater, and
works only with the Omnibus Chef client package.
This cookbook is developed on GitHub at
https://github.com/3ofcoins/chef-cookbook-sanitize
Requirements
- apt
- chef-client
- iptables
- omnibus_updater
Attributes
- sanitize.iptables -- if false, does not install and configure iptables; defaults to true.
- sanitize.ip6tables -- if false, does not install base ip6tables rules along with iptables; defaults to true.
- sanitize.keep_access -- if true, don't disable direct access users (the ubuntu user or the root password); defaults to false.
- sanitize.ports -- if sanitize.iptables is true, specifies TCP ports to open. It is a dictionary, where keys are port numbers or service names, and values can be:
  - true -- open the port for any source address
  - false -- don't open the port
  - a string -- will be used as the --src argument to iptables
  - an array of strings -- for many different --src entries
  - TODO: It should be possible to specify a node search query

  If the key is a list of ports (port,port) or a range (port1:port2), then the multiport iptables module will be used.

  If the value is true and sanitize.ip6tables is true, the port will be open in ip6tables; ip6tables treats strings as false.

  Default:

      default['sanitize']['ports']['ssh'] = true

- sanitize.accept_interfaces -- if sanitize.iptables is true, specifies interfaces from which to unconditionally accept traffic. It should be a dictionary, where the key is the name of the interface, and the value should be true to accept traffic, or false to not accept (which lets you override true values). Default:

      default['sanitize']['accept_interfaces']['lo'] = true

- sanitize.apt_repositories -- dictionary of APT repositories to add. The key is the repository name, the value is the remaining attributes of the apt_repository resource provided by the apt cookbook (see http://community.opscode.com/cookbooks/apt). If you set distribution to "lsb_codename", the node['lsb']['codename'] attribute will be used instead. Ubuntu's PPAs can be specified as a simple string, or as a ppa key; the second form allows for customizing some of the attributes.

      :sanitize => {
        :apt_repositories => {
          :percona => {
            :uri          => 'http://repo.percona.com/apt',
            :distribution => 'lsb_codename',
            :components   => [ 'main' ],
            :deb_src      => true,
            :keyserver    => 'hkp://keys.gnupg.net',
            :key          => '1C4CBDCDCD2EFD2A'
          },
          :ruby_ng => 'ppa:brightbox/ruby-ng',
          :nginx => {
            :ppa          => 'nginx/stable',
            :distribution => 'precise' # force distribution regardless of lsb.codename
          }
        }
      }

- sanitize.install_packages -- a list of packages to install on all machines; defaults to an empty list.
- sanitize.chef_gems -- Chef gems to install. By default, installs chef-helpers, chef-sugar, chef-rewind, and chef-vault. Keys are gem names, values can be:
  - false -- skip the gem (use that to override defaults; you can also set version to false)
  - true -- install the best version available, don't upgrade (equivalent to just writing chef_gem "gem_name" in recipe code)
  - a string with a version requirement
  - a dictionary, where the following keys are recognized:
    - version -- false, true (default), or a version string
    - require -- true (default) means require the gem after installing; false means don't require anything; if a string is given, it's the name of the library to require.

  Example (which is also the default set of gems):

      :sanitize => {
        :chef_gems => {
          'chef-helpers' => '~> 0.1',
          'chef-sugar'   => { :version => '~> 1.1',   :require => 'chef/sugar' },
          'chef-rewind'  => { :version => '~> 0.0.8', :require => 'chef/rewind' },
          'chef-vault'   => '~> 2.1'
        }
      }

- sanitize.locale.default = "en_US.UTF-8", sanitize.locale.available = [] -- list of locales to make available on the server, and a locale to set as default.
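To make the documented value types of sanitize.ports and sanitize.accept_interfaces concrete, here is an added illustration (not code from the sanitize cookbook) that renders such an attribute hash into the iptables and ip6tables rule lines the README describes, so a node's attributes can be reviewed before a run. The helper names and the sample hash are constructed for this example, and treating an array of source strings the way ip6tables treats a single string is my assumption.

```ruby
# Added illustration, not the cookbook's own code: render the documented
# semantics of sanitize.ports / sanitize.accept_interfaces as rule lines.

# Match clause for one port key: "22", "ssh", "80,443" or "6000:6010".
def port_match(key)
  key = key.to_s
  if key.include?(',') || key.include?(':')
    "-m multiport --dports #{key}"   # list or range => multiport module
  else
    "--dport #{key}"
  end
end

# Rules for one port entry, by the value types the README documents.
def port_rules(key, value, ipv6: false)
  base = "-A INPUT -p tcp #{port_match(key)}"
  case value
  when true  then ["#{base} -j ACCEPT"]   # open for any source address
  when false then []                      # port stays closed
  when String                             # ip6tables treats strings as false
    ipv6 ? [] : ["#{base} --src #{value} -j ACCEPT"]
  when Array                              # assumed: same for arrays of strings
    ipv6 ? [] : value.map { |src| "#{base} --src #{src} -j ACCEPT" }
  else
    raise ArgumentError, "unsupported value for port #{key}: #{value.inspect}"
  end
end

# Whole sanitize attribute hash => rule lines for one address family.
def sanitize_rules(attrs, ipv6: false)
  rules = []
  (attrs['accept_interfaces'] || {}).each do |iface, accept|
    rules << "-A INPUT -i #{iface} -j ACCEPT" if accept == true
  end
  (attrs['ports'] || {}).each { |k, v| rules.concat(port_rules(k, v, ipv6: ipv6)) }
  rules
end

# Constructed sample exercising every documented value shape.
SAMPLE = {
  'accept_interfaces' => { 'lo' => true, 'docker0' => false },
  'ports' => {
    'ssh'       => true,
    '80,443'    => true,
    '3306'      => '10.0.0.0/8',
    '6000:6010' => ['192.0.2.0/24', '198.51.100.0/24'],
    '8080'      => false
  }
}
puts sanitize_rules(SAMPLE), '---', sanitize_rules(SAMPLE, ipv6: true)
```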
Usage
Include recipe[sanitize] in your run list after your user accounts
are created and sudo and ssh are configured, and otherwise as early as
possible. In particular, if you use the omnibus_updater cookbook, it
should come after sanitize in the run list.
sanitize::default
This is the default "base settings" setup. It should be called
after shell user accounts and sudo are configured, as it locks the
default login user and direct root access.
- Deletes the ubuntu system user
- Locks the system password for the root user (assumes that only sudo is used to elevate privileges)
- Ensures all FHS-provided directories exist by creating some that have been found missing on some installations (namely, /opt)
- Sets the locale to en_US.UTF-8, generates this locale, and sets the time zone to UTC
- Changes the mode of /var/log/chef/client.log to 0600 -- readable only by root, as it may contain sensitive data
- Deletes annoying motd.d files
- Installs vim and sets it as the default system editor
- Installs and configures iptables, opens the SSH port (optional, but enabled by default)
- Installs the can-has command as a symlink to apt-get
- Runs the chef-client::config and omnibus_updater recipes
Roadmap
Plans for the future, in no particular order:
- Depend on and include openssh-server; configure SSH known hosts, provide sane SSH server and client configuration defaults
- Provide hooks (definitions / LWRP / library) for other cookbooks for commonly used facilities, such as opening up common ports, "backend" http service, SSL key management, maybe some other "library" functions like helpers for encrypted data bags
- Test with test-kitchen
Dependent cookbooks
- apt >= 0.0.0
- chef-client >= 0.0.0
- dmg >= 0.0.0
- homebrew >= 0.0.0
- iptables >= 0.0.0
Contingent cookbooks
There are no cookbooks that are contingent upon this one.
Changes
1.0.0
Not an "it's mature and stable" 1.0, but a major version bump due to
incompatibilities.
- Breaking changes
  - Stop installing chef_gems (use a gem declaration in some cookbook's metadata instead)
  - Drop support of Ubuntu below 14.04 and whatever was supported on OSX
  - Stop forcing log file mode (the chef-client cookbook has a chef_client.log_perm attribute now)
  - Don't call omnibus_updater (which has been deprecated in favour of chef_client_updater anyway), leave it to the user
  - Depend on chef-client 12.14 for Ruby 2.3
  - Stop installing
- Configure iptables prefix & suffix to work with the new iptables cookbook
- Add sanitize.accept_interfaces attribute
- Add ip6tables
- Deprecation fix on user resource
- Follow Foodcritic & Rubocop suggestions
0.5.5
- Install package tzdata, it is apparently missing too
0.5.4
- Install package locales to fix https://bugs.launchpad.net/cloud-images/+bug/1682305
0.5.3
- sanitize.locale.available & sanitize.locale.default attributes
0.5.2
- Fix dependencies
0.5.1
- Drop helpers recipe, install gems instead
0.5.0
- New recipe to install chef-helpers and chef-sugar.
0.4.2
- Support Ubuntu PPAs
0.4.1
- Refactor iptables code, support multiport module.
- Don't bomb on OSX
0.4.0
- Split into multiple cookbooks
0.3.1
- Don't upload backup files
0.3.0
- include recipe chef-client::config
- add attribute sanitize.keep_access to enable debugging access problems
- don't lock down logfile if it doesn't exist
- don't include build-essential recipe, Omnibus Chef includes ruby-shadow
- include recipe omnibus_updater
- unbreak bootstrap: continue Chef run if deleting ubuntu user is not possible
0.2.1
- Include trailing newline in /etc/timezone to avoid regeneration
- Don't run locale-gen if system knows about en_US.UTF-8
0.2.0
- Chef 11 compatibility
- Configure iptables not only for ssh
- Use user resource instead of usermod/userdel hacks
0.1.0
- Initial release of sanitize
Collaborator Number Metric
1.0.0 failed this metric
Failure: Cookbook has 1 collaborators. A cookbook must have at least 2 collaborators to pass this metric.
Contributing File Metric
1.0.0 failed this metric
Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must contain a CONTRIBUTING.md file
Foodcritic Metric
1.0.0 passed this metric
License Metric
1.0.0 passed this metric
No Binaries Metric
1.0.0 passed this metric
Testing File Metric
1.0.0 failed this metric
Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must contain a TESTING.md file
Version Tag Metric
1.0.0 passed this metric