Merge pull request #746 from cisagov/improvement/bullseye_to_bookworm

Upgrade select CyHy instances from Debian Bullseye to Debian Bookworm
cisagov · Mar 6, 2024 · 4b794f2 · 4b794f2
2 parents bd817ec + 8812309
commit 4b794f2
Show file tree

Hide file tree

Showing 24 changed files with 264 additions and 26 deletions.
diff --git a/ansible/roles/client_cert_update/meta/main.yml b/ansible/roles/client_cert_update/meta/main.yml
@@ -12,6 +12,5 @@ galaxy_info:
   platforms:
     - name: Debian
       versions:
-        - buster
-        - bullseye
+        - bookworm
   role_name: client_cert_update
diff --git a/ansible/roles/code_gov_update/meta/main.yml b/ansible/roles/code_gov_update/meta/main.yml
@@ -12,6 +12,5 @@ galaxy_info:
   platforms:
     - name: Debian
       versions:
-        - buster
-        - bullseye
+        - bookworm
   role_name: code_gov_update
diff --git a/ansible/roles/cyhy_mailer/meta/main.yml b/ansible/roles/cyhy_mailer/meta/main.yml
@@ -13,5 +13,5 @@ galaxy_info:
     - name: Debian
       versions:
         - buster
-        - bullseye
+        - bookworm
   role_name: cyhy_mailer
diff --git a/ansible/roles/cyhy_ops/meta/main.yml b/ansible/roles/cyhy_ops/meta/main.yml
@@ -13,5 +13,5 @@ galaxy_info:
     - name: Debian
       versions:
         - buster
-        - bullseye
+        - bookworm
   role_name: cyhy_ops
diff --git a/ansible/roles/groups/meta/main.yml b/ansible/roles/groups/meta/main.yml
@@ -13,5 +13,5 @@ galaxy_info:
     - name: Debian
       versions:
         - buster
-        - bullseye
+        - bookworm
   role_name: groups
diff --git a/ansible/roles/mgmt_ops/meta/main.yml b/ansible/roles/mgmt_ops/meta/main.yml
@@ -13,5 +13,5 @@ galaxy_info:
     - name: Debian
       versions:
         - buster
-        - bullseye
+        - bookworm
   role_name: mgmt_ops
diff --git a/ansible/roles/nessus/meta/main.yml b/ansible/roles/nessus/meta/main.yml
@@ -12,6 +12,5 @@ galaxy_info:
   platforms:
     - name: Debian
       versions:
-        - buster
-        - bullseye
+        - bookworm
   role_name: nessus
diff --git a/ansible/roles/nessus/tasks/main.yml b/ansible/roles/nessus/tasks/main.yml
@@ -57,9 +57,9 @@
 
     # The expect Ansible module requires pexpect
     - name: Install pexpect
-      ansible.builtin.pip:
-        name:
-          - pexpect
+      ansible.builtin.apt:
+        name: python3-pexpect
+        state: present
       when: username not in nessus_users.stdout
 
     - name: Create scanner user if necessary

diff --git a/ansible/roles/orchestrator/meta/main.yml b/ansible/roles/orchestrator/meta/main.yml
@@ -12,6 +12,5 @@ galaxy_info:
   platforms:
     - name: Debian
       versions:
-        - buster
-        - bullseye
+        - bookworm
   role_name: orchestrator
diff --git a/ansible/roles/swap/meta/main.yml b/ansible/roles/swap/meta/main.yml
@@ -13,5 +13,5 @@ galaxy_info:
     - name: Debian
       versions:
         - buster
-        - bullseye
+        - bookworm
   role_name: swap
diff --git a/ansible/roles/vdp_scanner/meta/main.yml b/ansible/roles/vdp_scanner/meta/main.yml
@@ -12,6 +12,5 @@ galaxy_info:
   platforms:
     - name: Debian
       versions:
-        - buster
-        - bullseye
+        - bookworm
   role_name: vdp_scanner
diff --git a/packer/ansible/bookworm.yml b/packer/ansible/bookworm.yml
@@ -0,0 +1,12 @@
+---
+- hosts: bastion,docker,nessus,nmap
+  name: Perform additional tasks to support Debian Bookworm
+  become: yes
+  become_method: ansible.builtin.sudo
+  tasks:
+    # We have a cloud-init script to fix the Netplan configuration that needs
+    # this Python package.
+    - name: Ensure the PyYAML package is installed
+      ansible.builtin.package:
+        name:
+          - python3-yaml
diff --git a/packer/ansible/playbook.yml b/packer/ansible/playbook.yml
@@ -2,6 +2,9 @@
 - name: Import base image playbook
   ansible.builtin.import_playbook: base.yml
 
+- name: Import Debian Bookworm playbook
+  ansible.builtin.import_playbook: bookworm.yml
+
 - name: Import AWS playbook
   ansible.builtin.import_playbook: aws.yml
 

diff --git a/packer/bastion.json b/packer/bastion.json
@@ -25,7 +25,7 @@
       "region": "{{user `build_region`}}",
       "source_ami_filter": {
         "filters": {
-          "name": "debian-11-amd64-*",
+          "name": "debian-12-amd64-*",
           "root-device-type": "ebs",
           "virtualization-type": "hvm"
         },
@@ -38,7 +38,7 @@
       "tags": {
         "Application": "Cyber Hygiene",
         "Base_AMI_Name": "{{ .SourceAMIName }}",
-        "OS_Version": "Debian Bullseye",
+        "OS_Version": "Debian Bookworm",
         "Release": "Latest",
         "Team": "VM Fusion - Development"
       },

diff --git a/packer/docker.json b/packer/docker.json
@@ -25,7 +25,7 @@
       "region": "{{user `build_region`}}",
       "source_ami_filter": {
         "filters": {
-          "name": "debian-11-amd64-*",
+          "name": "debian-12-amd64-*",
           "root-device-type": "ebs",
           "virtualization-type": "hvm"
         },
@@ -38,7 +38,7 @@
       "tags": {
         "Application": "Cyber Hygiene",
         "Base_AMI_Name": "{{ .SourceAMIName }}",
-        "OS_Version": "Debian Bullseye",
+        "OS_Version": "Debian Bookworm",
         "Release": "Latest",
         "Team": "VM Fusion - Development"
       },

diff --git a/packer/nessus.json b/packer/nessus.json
@@ -25,7 +25,7 @@
       "region": "{{user `build_region`}}",
       "source_ami_filter": {
         "filters": {
-          "name": "debian-11-amd64-*",
+          "name": "debian-12-amd64-*",
           "root-device-type": "ebs",
           "virtualization-type": "hvm"
         },
@@ -38,7 +38,7 @@
       "tags": {
         "Application": "Cyber Hygiene",
         "Base_AMI_Name": "{{ .SourceAMIName }}",
-        "OS_Version": "Debian Bullseye",
+        "OS_Version": "Debian Bookworm",
         "Release": "Latest",
         "Team": "VM Fusion - Development"
       },

diff --git a/packer/nmap.json b/packer/nmap.json
@@ -25,7 +25,7 @@
       "region": "{{user `build_region`}}",
       "source_ami_filter": {
         "filters": {
-          "name": "debian-11-amd64-*",
+          "name": "debian-12-amd64-*",
           "root-device-type": "ebs",
           "virtualization-type": "hvm"
         },
@@ -38,7 +38,7 @@
       "tags": {
         "Application": "Cyber Hygiene",
         "Base_AMI_Name": "{{ .SourceAMIName }}",
-        "OS_Version": "Debian Bullseye",
+        "OS_Version": "Debian Bookworm",
         "Release": "Latest",
         "Team": "VM Fusion - Development"
       },

diff --git a/terraform/bod_bastion_cloud_init.tf b/terraform/bod_bastion_cloud_init.tf
@@ -15,4 +15,42 @@ data "cloudinit_config" "bod_bastion_cloud_init_tasks" {
     filename     = "set_hostname.yml"
     merge_type   = "list(append)+dict(recurse_array)+str()"
   }
+
+  # Fix the DHCP options in the Canonical Netplan configuration
+  # created by cloud-init.
+  #
+  # The issue is that Netplan uses a default of false for
+  # dhcp4-overrides.use-domains, and cloud-init does not explicitly
+  # set this key or provide any way to do so.
+  #
+  # See these issues for more details:
+  # - cisagov/skeleton-packer#300
+  # - canonical/cloud-init#4764
+  part {
+    content = templatefile(
+      "${path.module}/cloud-init/fix_dhcp.tpl.py", {
+        netplan_config = "/etc/netplan/50-cloud-init.yaml"
+    })
+    content_type = "text/x-shellscript"
+    filename     = "fix_dhcp.py"
+    merge_type   = "list(append)+dict(recurse_array)+str()"
+  }
+
+  # Now that the DHCP options in the Canonical Netplan configuration
+  # created by cloud-init have been fixed, reapply the Netplan
+  # configuration.
+  #
+  # The issue is that Netplan uses a default of false for
+  # dhcp4-overrides.use-domains, and cloud-init does not explicitly
+  # set this key or provide any way to do so.
+  #
+  # See these issues for more details:
+  # - cisagov/skeleton-packer#300
+  # - canonical/cloud-init#4764
+  part {
+    content      = file("${path.module}/cloud-init/fix_dhcp.yml")
+    content_type = "text/cloud-config"
+    filename     = "fix_dhcp.yml"
+    merge_type   = "list(append)+dict(recurse_array)+str()"
+  }
 }
diff --git a/terraform/bod_docker_cloud_init.tf b/terraform/bod_docker_cloud_init.tf
@@ -86,4 +86,42 @@ data "cloudinit_config" "bod_docker_cloud_init_tasks" {
     content_type = "text/x-shellscript"
     filename     = "04_cyhy_docker_chown_vdp_output_directory.sh"
   }
+
+  # Fix the DHCP options in the Canonical Netplan configuration
+  # created by cloud-init.
+  #
+  # The issue is that Netplan uses a default of false for
+  # dhcp4-overrides.use-domains, and cloud-init does not explicitly
+  # set this key or provide any way to do so.
+  #
+  # See these issues for more details:
+  # - cisagov/skeleton-packer#300
+  # - canonical/cloud-init#4764
+  part {
+    content = templatefile(
+      "${path.module}/cloud-init/fix_dhcp.tpl.py", {
+        netplan_config = "/etc/netplan/50-cloud-init.yaml"
+    })
+    content_type = "text/x-shellscript"
+    filename     = "fix_dhcp.py"
+    merge_type   = "list(append)+dict(recurse_array)+str()"
+  }
+
+  # Now that the DHCP options in the Canonical Netplan configuration
+  # created by cloud-init have been fixed, reapply the Netplan
+  # configuration.
+  #
+  # The issue is that Netplan uses a default of false for
+  # dhcp4-overrides.use-domains, and cloud-init does not explicitly
+  # set this key or provide any way to do so.
+  #
+  # See these issues for more details:
+  # - cisagov/skeleton-packer#300
+  # - canonical/cloud-init#4764
+  part {
+    content      = file("${path.module}/cloud-init/fix_dhcp.yml")
+    content_type = "text/cloud-config"
+    filename     = "fix_dhcp.yml"
+    merge_type   = "list(append)+dict(recurse_array)+str()"
+  }
 }
diff --git a/terraform/cloud-init/fix_dhcp.tpl.py b/terraform/cloud-init/fix_dhcp.tpl.py
@@ -0,0 +1,31 @@
+#!/usr/bin/env python3
+
+"""Append the necessary DHCP options to the Netplan configuration.
+
+The Netplan configuration is created by cloud-init, but it needs to be
+slightly modified and reapplied.  This script takes care of the
+modification.
+See these issues for more details:
+- cisagov/skeleton-packer#300
+- canonical/cloud-init#4764
+This file is a template.  It should be processed by Terraform.
+"""
+
+# Third-Party Libraries
+import yaml
+
+# Inputs from Terraform
+NETPLAN_CONFIG = "${netplan_config}"
+
+with open(NETPLAN_CONFIG) as f:
+    # Load the current Netplan configuration
+    config = yaml.safe_load(f)
+    # Add a dhcp4-overrides section to each network
+    config["network"]["ethernets"] = {
+        k: v | {"dhcp4-overrides": {"use-domains": True}}
+        for (k, v) in config["network"]["ethernets"].items()
+    }
+
+# Write the results back out to the Netplan configuration file
+with open(NETPLAN_CONFIG, "w") as f:
+    f.write(yaml.dump(config))
diff --git a/terraform/cloud-init/fix_dhcp.yml b/terraform/cloud-init/fix_dhcp.yml
@@ -0,0 +1,7 @@
+---
+
+# There is a Python script that fixes the DHCP4 options in the Netplan
+# configuration already generated by cloud-init.  The following simply
+# reapplies the Netplan configuration after the modification.
+runcmd:
+  - [netplan, apply]
diff --git a/terraform/cyhy_bastion_cloud_init.tf b/terraform/cyhy_bastion_cloud_init.tf
@@ -15,4 +15,42 @@ data "cloudinit_config" "cyhy_bastion_cloud_init_tasks" {
     filename     = "set_hostname.yml"
     merge_type   = "list(append)+dict(recurse_array)+str()"
   }
+
+  # Fix the DHCP options in the Canonical Netplan configuration
+  # created by cloud-init.
+  #
+  # The issue is that Netplan uses a default of false for
+  # dhcp4-overrides.use-domains, and cloud-init does not explicitly
+  # set this key or provide any way to do so.
+  #
+  # See these issues for more details:
+  # - cisagov/skeleton-packer#300
+  # - canonical/cloud-init#4764
+  part {
+    content = templatefile(
+      "${path.module}/cloud-init/fix_dhcp.tpl.py", {
+        netplan_config = "/etc/netplan/50-cloud-init.yaml"
+    })
+    content_type = "text/x-shellscript"
+    filename     = "fix_dhcp.py"
+    merge_type   = "list(append)+dict(recurse_array)+str()"
+  }
+
+  # Now that the DHCP options in the Canonical Netplan configuration
+  # created by cloud-init have been fixed, reapply the Netplan
+  # configuration.
+  #
+  # The issue is that Netplan uses a default of false for
+  # dhcp4-overrides.use-domains, and cloud-init does not explicitly
+  # set this key or provide any way to do so.
+  #
+  # See these issues for more details:
+  # - cisagov/skeleton-packer#300
+  # - canonical/cloud-init#4764
+  part {
+    content      = file("${path.module}/cloud-init/fix_dhcp.yml")
+    content_type = "text/cloud-config"
+    filename     = "fix_dhcp.yml"
+    merge_type   = "list(append)+dict(recurse_array)+str()"
+  }
 }
diff --git a/terraform/cyhy_nessus_cloud_init.tf b/terraform/cyhy_nessus_cloud_init.tf
@@ -64,4 +64,42 @@ data "cloudinit_config" "cyhy_nessus_cloud_init_tasks" {
     content_type = "text/x-shellscript"
     filename     = "02_cyhy_nessus_chown_runner_directory.sh"
   }
+
+  # Fix the DHCP options in the Canonical Netplan configuration
+  # created by cloud-init.
+  #
+  # The issue is that Netplan uses a default of false for
+  # dhcp4-overrides.use-domains, and cloud-init does not explicitly
+  # set this key or provide any way to do so.
+  #
+  # See these issues for more details:
+  # - cisagov/skeleton-packer#300
+  # - canonical/cloud-init#4764
+  part {
+    content = templatefile(
+      "${path.module}/cloud-init/fix_dhcp.tpl.py", {
+        netplan_config = "/etc/netplan/50-cloud-init.yaml"
+    })
+    content_type = "text/x-shellscript"
+    filename     = "fix_dhcp.py"
+    merge_type   = "list(append)+dict(recurse_array)+str()"
+  }
+
+  # Now that the DHCP options in the Canonical Netplan configuration
+  # created by cloud-init have been fixed, reapply the Netplan
+  # configuration.
+  #
+  # The issue is that Netplan uses a default of false for
+  # dhcp4-overrides.use-domains, and cloud-init does not explicitly
+  # set this key or provide any way to do so.
+  #
+  # See these issues for more details:
+  # - cisagov/skeleton-packer#300
+  # - canonical/cloud-init#4764
+  part {
+    content      = file("${path.module}/cloud-init/fix_dhcp.yml")
+    content_type = "text/cloud-config"
+    filename     = "fix_dhcp.yml"
+    merge_type   = "list(append)+dict(recurse_array)+str()"
+  }
 }