Upgrade select CyHy instances from Debian Bullseye to Debian Bookworm #746
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
With the release of Debian Bookworm on 2023-06-10 it makes sense to migrate our Debian Bullseye Packer configurations to Debian Bookworm.
Update the platforms supported for all of the Ansible roles defined in this repository.
We prefer to install the system package for Python packages whenever possible. This is especially important with Debian Bookworm because you cannot modify the system Python environment directly (with pip) by default. Switching from installing the pexpect package directly with pip to installing the python3-pexpect package is a suitable resolution.
Debian Bookworm switches DNS management from resolvconf to systemd-resolved. This change results in Bookworm instances having an incompatible hostname resolution configuration. Since we rely on cloud-init to automatically configure some of our DNS settings we need to adjust the configuration of Netplan (used by cloud-init) to get the correct configuration for our system. The issue is that Netplan uses a default of false for the value of dhcp4-overrides.use-domains and cloud-init does not explicitly set this key or provide a means to do so. We remedy this by modifying the cloud-init configuration of Bookworm instances to use a Python script to adjust the Netplan configuration and then re-apply Netplan to enable our desired configuration. Co-authored-by: Shane Frasier <[email protected]>
mcdonnnj
added
improvement
mcdonnnj
requested review from
dav3r,
felddy,
jasonodoom and
jsf9k
as code owners
9 tasks
dav3r
approved these changes
Feb 15, 2024
jsf9k
approved these changes
Feb 15, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
🗣 Description
This pull request is focused on basing the
bastion,docker,nessus, andnmapAMIs on Debian Bookworm (latest release) instead of Debian Bullseye. This includes updating the AMI configurations, adjusting metadata for Ansible roles defined in this project, and adjusting thecloud-initconfigurations.This mirrors the work in cisagov/skeleton-packer#242.
💭 Motivation and context
It is good to stay up-to-date and all of the instances being updated have public IPs so it is extra important to update them accordingly.
🧪 Testing
Automated tests pass. I deployed this configuration in my test environment and verified that I was able to reach the new instances over SSH and that the cyhy-commander functioned as expected with the new scanner instances.
✅ Pre-approval checklist
to reflect the changes in this PR.