opengnsys
/
oglog
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

refs #643 add oglog proof of concept

pull/1/head
Natalia Serrano 2024-10-23 13:37:47 +02:00
parent e417ee2e8c
commit 339df575ba
2 changed files with 457 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

361
poc/Vagrantfile vendored 100644
View File

@ -0,0 +1,361 @@
OGLOG_PROVISION_SCRIPT = <<EOT
export OPENSEARCH_INITIAL_ADMIN_PASSWORD=CorrectHorse_BatteryStaple1
set -x
cat >>/etc/hosts <<EOF
192.168.60.10 oglog-os.mytld
192.168.60.10 oglog-osdb.mytld
192.168.60.10 oglog-jb.mytld
192.168.60.10 oglog-jrem.mytld
192.168.60.10 oglog-prom.mytld
192.168.60.10 oglog-graf.mytld
192.168.60.11 ogserver.mytld
192.168.60.12 ogagent-fb.mytld
192.168.60.12 ogagent.mytld
EOF
apt-get update
apt-get -y install \
ca-certificates \
gnupg2 \
lsb-release \
prometheus \
systemd-journal-remote
## tls
### la CA en todas partes
cp /vagrant/CA/certs/ca.crt.pem /etc/ssl/certs/
ln -s ca.crt.pem /etc/ssl/certs/$(openssl x509 -in /etc/ssl/certs/ca.crt.pem -hash -noout).0
## opensearch
curl -o- https://artifacts.opensearch.org/publickeys/opensearch.pgp |gpg --dearmor --batch --yes -o /usr/share/keyrings/opensearch-keyring
echo "deb [signed-by=/usr/share/keyrings/opensearch-keyring] https://artifacts.opensearch.org/releases/bundle/opensearch/2.x/apt stable main" >/etc/apt/sources.list.d/opensearch-2.x.list
echo "deb [signed-by=/usr/share/keyrings/opensearch-keyring] https://artifacts.opensearch.org/releases/bundle/opensearch-dashboards/2.x/apt stable main" >/etc/apt/sources.list.d/opensearch-dashboards-2.x.list
apt-get update
dpkg -i /vagrant/opensearch_2.16.0_amd64.deb /vagrant/opensearch-dashboards_2.16.0_amd64.deb ## 'apt-get install' se lo descarga de internet igualmente...
cp /vagrant/CA/certs/ca.crt.pem /etc/opensearch/
cp /vagrant/CA/certs/oglog-os.mytld.crt.pem /etc/opensearch/
cp /vagrant/CA/private/oglog-os.mytld.key.nopass.pem /etc/opensearch/oglog-os.mytld.key.pem
chown opensearch:opensearch /etc/opensearch/{ca.crt.pem,oglog-os.mytld.crt.pem,oglog-os.mytld.key.pem}
cp /vagrant/CA/certs/oglog-osdb.mytld.crt.pem /etc/opensearch-dashboards/
cp /vagrant/CA/private/oglog-osdb.mytld.key.nopass.pem /etc/opensearch-dashboards/oglog-osdb.mytld.key.pem
chown opensearch-dashboards:opensearch-dashboards /etc/opensearch-dashboards/oglog-osdb.mytld.crt.pem /etc/opensearch-dashboards/oglog-osdb.mytld.key.pem
sed -i -e '/^plugins.security.ssl.http.pemcert_filepath:/ s/: .*/: oglog-os.mytld.crt.pem/' /etc/opensearch/opensearch.yml
sed -i -e '/^plugins.security.ssl.http.pemkey_filepath:/ s/: .*/: oglog-os.mytld.key.pem/' /etc/opensearch/opensearch.yml
sed -i -e '/^plugins.security.ssl.http.pemtrustedcas_filepath:/s/: .*/: ca.crt.pem/' /etc/opensearch/opensearch.yml
sed -i -e '/^#network.host/ s/.*/network.host: 192.168.60.10/' /etc/opensearch/opensearch.yml ## IP of network interface to listen on
cat >>/etc/opensearch/opensearch.yml <<EOF
discovery.type: single-node
compatibility.override_main_response_version: true
plugins.security.ssl.http.clientauth_mode: REQUIRE
## https://opensearch.org/docs/latest/security/configuration/tls/
## use the Reload Certificates API to replace the expired certificates. Has to be done by a superadmin
## curl --cacert <ca.pem> --cert <admin.pem> --key <admin.key> -X PUT https://localhost:9200/_plugins/_security/api/ssl/http/reloadcerts
plugins.security.ssl_cert_reload_enabled: true
EOF
cp -a /etc/opensearch-dashboards/opensearch_dashboards.yml /etc/opensearch-dashboards/opensearch_dashboards.yml.dist
cat >/etc/opensearch-dashboards/opensearch_dashboards.yml <<EOF
server.host: 0.0.0.0
opensearch.hosts: ["https://oglog-os.mytld:9200"]
opensearch.username: "admin"
opensearch.password: "CorrectHorse_BatteryStaple1"
server.ssl.enabled: true
server.ssl.certificate: /etc/opensearch-dashboards/oglog-osdb.mytld.crt.pem
server.ssl.key: /etc/opensearch-dashboards/oglog-osdb.mytld.key.pem
opensearch.ssl.certificate: /etc/opensearch-dashboards/oglog-osdb.mytld.crt.pem
opensearch.ssl.key: /etc/opensearch-dashboards/oglog-osdb.mytld.key.pem
opensearch.ssl.verificationMode: full
opensearch.ssl.certificateAuthorities: [ "/etc/ssl/certs/ca.crt.pem" ]
opensearch.ssl.alwaysPresentCertificate: true
EOF
systemctl enable --now opensearch.service opensearch-dashboards.service
## journal-remote
cp /vagrant/CA/certs/oglog-jrem.mytld.crt.pem /etc/systemd/
cp /vagrant/CA/private/oglog-jrem.mytld.key.nopass.pem /etc/systemd/oglog-jrem.mytld.key.pem
chown systemd-journal-remote:systemd-journal-remote /etc/systemd/oglog-jrem.mytld.crt.pem /etc/systemd/oglog-jrem.mytld.key.pem
install --owner systemd-journal-remote --group systemd-journal-remote --mode 0750 --directory /var/log/journal/remote/
sed -i -e '/ServerKeyFile/ s%.*%ServerKeyFile=/etc/systemd/oglog-jrem.mytld.key.pem%' /etc/systemd/journal-remote.conf
sed -i -e '/ServerCertificateFile/s%.*%ServerCertificateFile=/etc/systemd/oglog-jrem.mytld.crt.pem%' /etc/systemd/journal-remote.conf
#sed -i -e '/TrustedCertificateFile/s%.*%TrustedCertificateFile=/etc/systemd/ca.crt.pem%' /etc/systemd/journal-remote.conf ## esta se ignora
systemctl enable --now systemd-journal-remote.service
## prometheus
cp /vagrant/CA/certs/oglog-prom.mytld.crt.pem /etc/prometheus/
cp /vagrant/CA/private/oglog-prom.mytld.key.nopass.pem /etc/prometheus/oglog-prom.mytld.key.pem
chown prometheus:prometheus /etc/prometheus/oglog-prom.mytld.crt.pem /etc/prometheus/oglog-prom.mytld.key.pem
cat >>/etc/prometheus/prometheus.yml <<EOF
- job_name: ogserver
static_configs:
- targets: ['ogserver.mytld:9100']
- job_name: ogagent
static_configs:
- targets: ['ogagent.mytld:9100']
EOF
cat >/etc/prometheus/web-config.yml <<EOF
tls_server_config:
cert_file: /etc/prometheus/oglog-prom.mytld.crt.pem
key_file: /etc/prometheus/oglog-prom.mytld.key.pem
EOF
sed -i -e '/^ARGS/s%"$%--web.config.file=/etc/prometheus/web-config.yml"%' /etc/default/prometheus
systemctl restart prometheus
## journalbeat
apt-get install --yes /vagrant/journalbeat-oss-7.12.1-amd64.deb
cp /vagrant/CA/certs/oglog-jb.mytld.crt.pem /etc/journalbeat/
cp /vagrant/CA/private/oglog-jb.mytld.key.nopass.pem /etc/journalbeat/oglog-jb.mytld.key.pem
cat >/etc/journalbeat/journalbeat.yml <<EOF
journalbeat.inputs:
- paths:
- "/var/log/journal"
- "/var/log/journal/remote"
seek: cursor
setup.template.settings:
index.number_of_shards: 1
output.elasticsearch:
hosts: ["oglog-os.mytld:9200"]
username: "admin"
password: "CorrectHorse_BatteryStaple1"
protocol: "https"
ssl.enabled: true
ssl.verification_mode: full
## este no deberia hacer falta porque el ca.crt es trusted a nivel de sistema
#ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
ssl.certificate: "/etc/journalbeat/oglog-jb.mytld.crt.pem"
ssl.key: "/etc/journalbeat/oglog-jb.mytld.key.pem"
processors:
- add_docker_metadata: ~
seccomp.enabled: false
EOF
systemctl enable --now journalbeat
## grafana
wget -q -O - https://apt.grafana.com/gpg.key | gpg --dearmor >/etc/apt/keyrings/grafana.gpg
echo "deb [signed-by=/etc/apt/keyrings/grafana.gpg] https://apt.grafana.com stable main" >/etc/apt/sources.list.d/grafana.list
apt-get update
apt-get install --yes grafana
cp /vagrant/CA/certs/oglog-graf.mytld.crt.pem /etc/grafana/
cp /vagrant/CA/private/oglog-graf.mytld.key.nopass.pem /etc/grafana/oglog-graf.mytld.key.pem
chown grafana:grafana /etc/grafana/oglog-graf.mytld.crt.pem /etc/grafana/oglog-graf.mytld.key.pem
cp -a /etc/grafana/grafana.ini /etc/grafana/grafana.ini.dist
cat >/etc/grafana/grafana.ini <<EOF
[server]
protocol = https
cert_file = /etc/grafana/oglog-graf.mytld.crt.pem
cert_key = /etc/grafana/oglog-graf.mytld.key.pem
[analytics]
reporting_enabled = false
check_for_updates = false
check_for_plugin_updates = false
EOF
systemctl enable --now grafana-server
EOT
OGSERVER_PROVISION_SCRIPT = <<EOT
set -x
cat >>/etc/hosts <<EOF
192.168.60.10 oglog-os.mytld
192.168.60.10 oglog-osdb.mytld
192.168.60.10 oglog-jb.mytld
192.168.60.10 oglog-jrem.mytld
192.168.60.10 oglog-prom.mytld
192.168.60.10 oglog-graf.mytld
192.168.60.11 ogserver.mytld
192.168.60.12 ogagent-fb.mytld
192.168.60.12 ogagent.mytld
EOF
apt-get update
apt-get -y install \
prometheus-node-exporter \
systemd-journal-remote
## tls
### la CA en todas partes
cp /vagrant/CA/certs/ca.crt.pem /etc/ssl/certs/
ln -s ca.crt.pem /etc/ssl/certs/$(openssl x509 -in /etc/ssl/certs/ca.crt.pem -hash -noout).0
### el de ogserver
cp /vagrant/CA/certs/ogserver.mytld.crt.pem /etc/ssl/certs/
cp /vagrant/CA/private/ogserver.mytld.key.nopass.pem /etc/ssl/private/ogserver.mytld.key.pem
## journal-upload
sed -i -e '/DynamicUser/s/.*/DynamicUser=no/' /usr/lib/systemd/system/systemd-journal-upload.service
sed -i -e '/User/ s/.*/User=root/' /usr/lib/systemd/system/systemd-journal-upload.service
systemctl daemon-reload
sed -i -e '/URL/ s%.*%URL=https://oglog-jrem.mytld:19532%' /etc/systemd/journal-upload.conf
sed -i -e '/ServerKeyFile/ s%.*%ServerKeyFile=/etc/ssl/private/ogserver.mytld.key.pem%' /etc/systemd/journal-upload.conf
sed -i -e '/ServerCertificateFile/ s%.*%ServerCertificateFile=/etc/ssl/certs/ogserver.mytld.crt.pem%' /etc/systemd/journal-upload.conf
sed -i -e '/TrustedCertificateFile/s%.*%TrustedCertificateFile=/etc/ssl/certs/ca.crt.pem%' /etc/systemd/journal-upload.conf
systemctl enable --now systemd-journal-upload
## node-exporter
## (nada, el prometheus se conecta a nosotros)
EOT
OGAGENT_PROVISION_SCRIPT = <<EOT
set -x
cat >>/etc/hosts <<EOF
192.168.60.10 oglog-os.mytld
192.168.60.10 oglog-osdb.mytld
192.168.60.10 oglog-jb.mytld
192.168.60.10 oglog-jrem.mytld
192.168.60.10 oglog-prom.mytld
192.168.60.10 oglog-graf.mytld
192.168.60.11 ogserver.mytld
192.168.60.12 ogagent-fb.mytld
192.168.60.12 ogagent.mytld
EOF
apt-get update
apt-get -y install \
prometheus-node-exporter
## tls
### la CA en todas partes
cp /vagrant/CA/certs/ca.crt.pem /etc/ssl/certs/
ln -s ca.crt.pem /etc/ssl/certs/$(openssl x509 -in /etc/ssl/certs/ca.crt.pem -hash -noout).0
## ogagent
apt-get install --yes /vagrant/ogagent_1.3.4-1_all.deb
sed -i -e '/^remote=/s/192.168.2.10/192.168.1.249/' /usr/share/OGAgent/cfg/ogagent.cfg
/etc/init.d/ogagent start
## filebeat
apt-get install --yes /vagrant/filebeat-oss-7.12.1-amd64.deb
cp /vagrant/CA/certs/ogagent-fb.mytld.crt.pem /etc/filebeat/
cp /vagrant/CA/private/ogagent-fb.mytld.key.nopass.pem /etc/filebeat/ogagent-fb.mytld.key.pem
cat >/etc/filebeat/filebeat.yml <<EOF
filebeat.inputs:
- type: log
enabled: true
paths:
- /var/log/opengnsys.log
- /home/*/opengnsys.log
setup.template.settings:
index.number_of_shards: 1
output.elasticsearch:
hosts: ["oglog-os.mytld:9200"]
username: "admin"
password: "CorrectHorse_BatteryStaple1"
protocol: "https"
ssl.enabled: true
ssl.verification_mode: full
ssl.certificate: "/etc/filebeat/ogagent-fb.mytld.crt.pem"
ssl.key: "/etc/filebeat/ogagent-fb.mytld.key.pem"
processors:
- add_host_metadata:
when.not.contains.tags: forwarded
- add_cloud_metadata: ~
- add_docker_metadata: ~
- add_kubernetes_metadata: ~
seccomp.enabled: false
EOF
systemctl enable --now filebeat
## journal-remote
## (nada, en los agentes no lo montamos)
## node-exporter
## (nada, el prometheus se conecta a nosotros)
EOT
###################################################################################################
## logs de sistema y aplicación:
## - el journal-remote (journal-upload.conf) de los demás servidores (pero no los agentes) se conecta al journal-remote de oglog (journal-remote.conf)
## - el journalbeat de oglog se conecta al opensearch en el propio oglog
##
## logs del agente:
## - el filebeat de cada máquina se conecta al opensearch de oglog
##
## monitorización
## - el prometheus de oglog se conecta al node-exporter de cada máquina
## - el grafana de oglog se conecta al prometheus en el propio oglog
##
###################################################################################################
Vagrant.configure("2") do |config|
config.vm.define :oglog do |oglog|
oglog.vm.box = "alvistack/ubuntu-24.04"
oglog.vm.network :private_network, ip: "192.168.60.10"
oglog.vm.hostname = "oglog.mytld"
oglog.vm.provider "virtualbox" do |vb|
vb.name = "oglog"
vb.memory = 3072
end
oglog.vm.provision "shell", inline: OGLOG_PROVISION_SCRIPT
end
config.vm.define :ogserver do |ogserver|
ogserver.vm.box = "alvistack/ubuntu-24.04"
ogserver.vm.network :private_network, ip: "192.168.60.11"
ogserver.vm.hostname = "ogserver.mytld"
ogserver.vm.provider "virtualbox" do |vb|
vb.name = "ogserver"
vb.memory = 1536
end
ogserver.vm.provision "shell", inline: OGSERVER_PROVISION_SCRIPT
end
config.vm.define :ogagent do |ogagent|
ogagent.vm.box = "alvistack/ubuntu-24.04"
ogagent.vm.network :private_network, ip: "192.168.60.12"
ogagent.vm.hostname = "ogagent.mytld"
ogagent.vm.provider "virtualbox" do |vb|
vb.name = "ogagent"
vb.memory = 1536
end
ogagent.vm.provision "shell", inline: OGAGENT_PROVISION_SCRIPT
end
end

96
poc/mkcerts.sh 100755
View File

@ -0,0 +1,96 @@
#!/bin/bash
rm -rf CA
mkdir CA
cd CA
cat >openssl.cnf <<EOF
[ca]
default_ca = CA_default
[CA_default]
dir = $PWD
EOF
cat >>openssl.cnf <<'EOF'
certs = $dir/certs
new_certs_dir = $dir/newcerts
database = $dir/index.txt
serial = $dir/serial
default_md = sha256
policy = policy_loose
copy_extensions = copy
private_key = $dir/private/ca.key.pem
certificate = $dir/certs/ca.crt.pem
[policy_loose]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[req]
default_bits = 2048
distinguished_name = req_distinguished_name
default_md = sha256
[req_distinguished_name]
countryName = Country Name (2 letter code)
EOF
mkdir certs csr newcerts private; chmod 0700 private; touch index.txt; echo 1000 >serial
function gen_cert() {
ITEM="$1"
PRIVKEY_PASS="$2"
CA_PASS_FILE="$3"
FILE_PRIVKEY_PASS="./$ITEM-pass"
KEY_FILE="private/$ITEM.key.pem"
KEY_NOPASS_FILE="private/$ITEM.key.nopass.pem"
SUBJ="/C=ES/ST=Madrid/L=Madrid/CN=$ITEM"
ADDEXT="subjectAltName=DNS:$ITEM"
CSR="csr/$ITEM.csr.pem"
CERT_FILE="certs/$ITEM.crt.pem"
touch "$FILE_PRIVKEY_PASS"
chmod 0600 "$FILE_PRIVKEY_PASS"
echo "$PRIVKEY_PASS" >"$FILE_PRIVKEY_PASS"
openssl genrsa -aes256 -out "$KEY_FILE" -passout file:"$FILE_PRIVKEY_PASS" 2048
openssl rsa -in "$KEY_FILE" -passin file:"$FILE_PRIVKEY_PASS" -out "$KEY_NOPASS_FILE" >/dev/null 2>&1
openssl req -config openssl.cnf -key "$KEY_FILE" -passin file:"$FILE_PRIVKEY_PASS" -new -sha256 -subj "$SUBJ" -addext "$ADDEXT" -out "$CSR"
openssl ca -config openssl.cnf -batch -passin file:"$CA_PASS_FILE" -days 375 -notext -md sha256 -in "$CSR" -out "$CERT_FILE" >/dev/null 2>&1
}
## gen CA
CA_PASS=CorrectHorseBatteryStapleCA
CA_PASS_FILE=./ca-pass
touch "$CA_PASS_FILE"
chmod 0600 "$CA_PASS_FILE"
echo "$CA_PASS" >"$CA_PASS_FILE"
openssl genrsa -aes256 -out private/ca.key.pem -passout file:"$CA_PASS_FILE" 4096
#openssl rsa -in private/ca.key.pem -passin file:"$CA_PASS_FILE" -out private/ca.key.nopass.pem >/dev/null 2>&1
openssl req -config openssl.cnf -key private/ca.key.pem -passin file:"$CA_PASS_FILE" -new -x509 -days 7300 -sha256 -subj '/C=ES/ST=Madrid/L=Madrid/CN=ca.mytld' -out certs/ca.crt.pem
## todos estos en oglog
gen_cert oglog-os.mytld CorrectHorseBatteryStapleOglogOS "$CA_PASS_FILE"
gen_cert oglog-osdb.mytld CorrectHorseBatteryStapleOglogOS "$CA_PASS_FILE"
gen_cert oglog-jrem.mytld CorrectHorseBatteryStapleOglogJRem "$CA_PASS_FILE"
gen_cert oglog-jb.mytld CorrectHorseBatteryStapleOglogJB "$CA_PASS_FILE"
gen_cert oglog-prom.mytld CorrectHorseBatteryStapleOglogProm "$CA_PASS_FILE"
gen_cert oglog-graf.mytld CorrectHorseBatteryStapleOglogGraf "$CA_PASS_FILE"
## esto podria ser ogcore, ogboot...
gen_cert ogserver.mytld CorrectHorseBatteryStapleOgserver "$CA_PASS_FILE"
## filebeat del agente
gen_cert ogagent-fb.mytld CorrectHorseBatteryStapleOgagentFB "$CA_PASS_FILE"
cd ..