Separate cuckoo #53
With API mode there is no longer any reason to install and run cuckoo services as the peekaboo user. Since we're installing in API mode by default and upstream (us, Peekaboo) is in the process of deprecating and removing embedded mode, separate cuckoo services out with their own cuckoo user. This should also remove the last interdependency between cuckoo and peekaboo requiring them to run on the same machine, as can be seen by the creation of the peekaboo user moving down to after cuckoo installation in the playbook.
All main cuckoo services need to talk to the database and throw errors if it's not up yet. No big problem because systemd will restart them but spams the logs and can be avoided.
cuckoo's been warning of a low file descriptor limit. Raise it as requested.
The cuckoo main services can't run without mysql. So make it a hard requirement in the systemd units so that systemd starts it automatically if one of those services is started. We're ignoring postgresql here because this installer does not support postgres. An admin can still make it work with postgres using suitable local systemd drop-in configs.
Sync our configuration with the current state of the upstream sample configuration. This only affects comments documenting changed defaults.
Install Peekaboo and Cuckoo systemd dependencies in the respective plays so they can be more clearly separated. Make python 2 package installation for Peekaboo dependent on configured python version in preparation for default python version switch.
Since Peekaboo is deprecating python 2 as per scVENUS/Peekaboo#129 we switch to python 3 as default python version for Peekaboo now. Closes scVENUS#51.
python-setuptools and python-pip are not required because the virtualenv command from python{,3}-virtualenv automatically installs them into the new venv. Install mysqlclient python package explicitly because the mysql meta package would pull in MySQL-python for python2 and mysqlclient for python3. The former is unmaintained since 2014 but does not need libmysqlclient-dev installed. We prefer the latter for consistency which supports python 2 and 3 but needs libmysqlclient-dev installed. But we did install that anyway for the python3 install option of peekaboo. sqlite3 was never strictly required by anything.
Add variable and temporary password lookup and storage file to automatically generate and embed into the config files of cuckoo and peekaboo a random API token. Does not work right now since cuckoo does not accept the cuckoo.cuckoo.api_token setting from our custom.kv.conf. More work required. Closes scVENUS#43.
Move the installation of tcpdump down to after the cuckoo user has been created so it can be owned by the cuckoo group. Tweak file permissions so that only the cuckoo group is allowed to execute it. This, together with the existing file capabilities configuration allows the cuckoo user and only the cuckoo user to use it without root privileges. Fix the host assignment to be the cuckoo server while at it. Closes scVENUS#52.
We need essential developer tools to install python modules for cuckoo and peekaboo which contain C or other compiled language bindings or components. So install build-essential on both cuckoo and peekaboo machines. Closes scVENUS#55.
Cuckoo stats the sniffer during configuration initialisation and croaks if it can't be read: The configuration value '/usr/sbin/tcpdump' found for auxiliary:sniffer:tcpdump is invalid. Please update your configuration!
Okay, so regarding the missing gcc discussed in #55: Turns out,
So our dependency on |
Since cuckoo ignores our api token provided in the custom.kv.conf, we hack it into the config retroactively. Doesn't hurt if it starts to honour the setting in the future. Closes scVENUS#43. (really, really) Closes scVENUS#56.
The installer would fail if the mysql server package is already installed but the service not started because we relied on the package installation to start the service immediately. Make that explicit.
a6f31bd to 2e639ec
LGTM
A number of fixes broadly centered around separating cuckoo from peekaboo now that we're no longer using embed mode by default. Fix up systemd unit ordering and dependency package installation. Switch to python 3 for peekaboo by default. Also try to tackle automatic cuckoo api token generation and securing tcpdump access.
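
The tcpdump access model described in the commit closing scVENUS#52 (binary owned by the cuckoo group, executable only by that group, combined with file capabilities) can be checked after installation with an audit like the one below. This is an added example, not code from this pull request or the installer; the owner `root`, the mode `750` and the capability names `cap_net_raw` and `cap_net_admin` are assumptions, and `stat -c` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example (not from the PR): audit the access model of the sniffer binary.
# Assumed: owner root, group cuckoo, mode 750, caps cap_net_raw + cap_net_admin.

# evaluate_sniffer OWNER GROUP MODE CAPS
# MODE is octal as printed by `stat -c %a`, CAPS is the raw `getcap` output.
# Prints one finding per line; returns 0 only when there are none.
evaluate_sniffer() {
    owner=$1; group=$2; mode=$3; caps=$4; rc=0
    rest=${mode%?}
    other_bits=${mode#"$rest"}          # last octal digit: "other" permissions
    group_bits=${rest#"${rest%?}"}      # second-to-last digit: group permissions

    [ "$owner" = root ] || { echo "owner is '$owner', expected root"; rc=1; }
    [ "$group" = cuckoo ] || { echo "group is '$group', expected cuckoo"; rc=1; }
    [ "$other_bits" = 0 ] || { echo "mode $mode grants access to others"; rc=1; }
    case $mode in [1-7]???) echo "mode $mode sets setuid/setgid/sticky bits"; rc=1 ;; esac
    case $group_bits in
        5) ;;                           # r-x: group can stat, read and execute
        7|6|3|2) echo "mode $mode lets the group modify the binary"; rc=1 ;;
        *) echo "mode $mode: group cannot read and execute the binary"; rc=1 ;;
    esac
    for cap in cap_net_raw cap_net_admin; do
        case $caps in
            *"$cap"*) ;;
            *) echo "missing file capability $cap"; rc=1 ;;
        esac
    done
    return "$rc"
}

# audit_sniffer [PATH]: gather the live values and evaluate them.
audit_sniffer() {
    path=${1:-/usr/sbin/tcpdump}
    evaluate_sniffer "$(stat -c %U "$path")" "$(stat -c %G "$path")" \
        "$(stat -c %a "$path")" "$(getcap "$path" 2>/dev/null)"
}

# Run against a real file only when a path is given on the command line.
if [ "$#" -gt 0 ]; then
    audit_sniffer "$1" && echo "OK: $1"
fi
```

Run it as `sh audit.sh /usr/sbin/tcpdump` on the cuckoo host; both `getcap` output styles (`= caps+eip` and `caps=eip`) are accepted.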