From 0a4472a93c2fec6a62ba28a0751076ba9c984eca Mon Sep 17 00:00:00 2001
From: chokoblitz
Date: Wed, 4 Dec 2024 15:08:11 +0100
Subject: [PATCH] add ubuntu 24.04 support
---
 ansible/install_cenclave/tasks/main.yml | 62 ++++++++++++-
 .../templates/default_certbot_nginx.conf.j2 | 14 ---
 .../templates/default_nginx.conf.j2 | 86 ------------------
 .../templates/default_proxy_params.j2 | 4 -
 .../templates/default_vhost.conf.j2 | 26 ------
 .../templates/letsencrypt.conf.j2 | 14 ---
 ansible/install_pccs/templates/pccs.conf.j2 | 33 +++++++
 ansible/install_sgx_deps/tasks/main.yml | 5 --
 .../baremetal_sgx_default_qcnl.conf.j2 | 6 +-
 ansible/main.yml | 28 +----
 10 files changed, 97 insertions(+), 181 deletions(-)
 delete mode 100644 ansible/install_pccs/templates/default_certbot_nginx.conf.j2
 delete mode 100644 ansible/install_pccs/templates/default_nginx.conf.j2
 delete mode 100644 ansible/install_pccs/templates/default_proxy_params.j2
 delete mode 100644 ansible/install_pccs/templates/default_vhost.conf.j2
 delete mode 100644 ansible/install_pccs/templates/letsencrypt.conf.j2
 create mode 100644 ansible/install_pccs/templates/pccs.conf.j2
diff --git a/ansible/install_cenclave/tasks/main.yml b/ansible/install_cenclave/tasks/main.yml
index 987dd83..84c53b8 100644
--- a/ansible/install_cenclave/tasks/main.yml
+++ b/ansible/install_cenclave/tasks/main.yml
@@ -20,7 +20,61 @@
 - "/home/{{ ansible_user }}/.config/gramine/enclave-key.pem"
 - 3072
-- name: Install Cosmian Enclave CLI
- pip:
- name : cenclave
- extra_args: --upgrade
+- name: Check Ubuntu version
+ ansible.builtin.debug:
+ msg: "Ubuntu version is {{ ansible_distribution_version }}"
+
+- name: Print ansible_user
+ ansible.builtin.debug:
+ msg: "Ansible user is {{ ansible_user }}"
+
+- name: Install pipx and Cosmian Enclave CLI for Ubuntu 24.04
+ block:
+ - name: Install pipx
+ ansible.builtin.apt:
+ name: pipx
+ state: latest
+
+ - name: Install Cosmian Enclave CLI using pipx
+ become: false
+ community.general.pipx:
+ name: cenclave
+ state: latest
+
+ - name: Ensure pipx is installed
+ become: false
+ ansible.builtin.command:
+ cmd: pipx ensurepath
+
+ - name: Verify cenclave is available
+ become: false
+ ansible.builtin.command:
+ cmd: cenclave --version
+ register: cenclave_version
+ ignore_errors: false
+
+ - name: Debug cenclave version
+ ansible.builtin.debug:
+ msg: "cenclave version: {{ cenclave_version.stdout }}"
+
+ when: ansible_distribution_version == "24.04"
+
+- name: Install Cosmian Enclave CLI for Ubuntu 22.04
+ block:
+ - name: Install Cosmian Enclave CLI using pip
+ ansible.builtin.pip:
+ name: cenclave
+ extra_args: --upgrade
+
+ - name: Verify cenclave is available
+ become: false
+ ansible.builtin.command:
+ cmd: cenclave --version
+ register: cenclave_version
+ ignore_errors: false
+
+ - name: Debug cenclave version
+ ansible.builtin.debug:
+ msg: "cenclave version: {{ cenclave_version.stdout }}"
+
+ when: ansible_distribution_version == "22.04"
diff --git a/ansible/install_pccs/templates/default_certbot_nginx.conf.j2 b/ansible/install_pccs/templates/default_certbot_nginx.conf.j2
deleted file mode 100644
index 50cc690..0000000
--- a/ansible/install_pccs/templates/default_certbot_nginx.conf.j2
+++ /dev/null
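Review bot: Both new install paths fetch `cenclave` unpinned (`state: latest` in the pipx task, `extra_args: --upgrade` in the pip task), so every playbook run installs whatever the package index serves that day; for the CLI that drives enclave builds and signing I would pin it, e.g. `name: cenclave==<version>`, and ideally install from a hash-checked requirements file. The `cenclave --version` check that follows `pipx ensurepath` is likely to fail on a fresh host: `ensurepath` only edits the user's shell rc files, which the shell-less `ansible.builtin.command` never reads, so invoke the binary by path, `cmd: /home/{{ ansible_user }}/.local/bin/cenclave --version`, matching how the role already addresses the user's home directory at the top of the hunk. The two `debug` tasks and the explicit `ignore_errors: false` (the default) add noise without information. Nothing at all runs when `ansible_distribution_version` is neither `"22.04"` nor `"24.04"`; a closing `ansible.builtin.fail` task guarded by `when: ansible_distribution_version not in ["22.04", "24.04"]` would turn that silent no-op into an error.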
@@ -1,14 +0,0 @@
-# This file contains important security parameters. If you modify this file
-# manually, Certbot will be unable to automatically provide future security
-# updates. Instead, Certbot will print and log an error message with a path to
-# the up-to-date file that you will need to refer to when manually updating
-# this file.
-
-ssl_session_cache shared:le_nginx_SSL:10m;
-ssl_session_timeout 1440m;
-ssl_session_tickets off;
-
-ssl_protocols TLSv1.2 TLSv1.3;
-ssl_prefer_server_ciphers off;
-
-ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA";
\ No newline at end of file
diff --git a/ansible/install_pccs/templates/default_nginx.conf.j2 b/ansible/install_pccs/templates/default_nginx.conf.j2
deleted file mode 100644
index c38d613..0000000
--- a/ansible/install_pccs/templates/default_nginx.conf.j2
+++ /dev/null
@@ -1,86 +0,0 @@
-user www-data;
-worker_processes auto;
-pid /run/nginx.pid;
-include /etc/nginx/modules-enabled/*.conf;
-
-events {
- worker_connections 768;
- # multi_accept on;
-}
-
-http {
-
- ##
- # Basic Settings
- ##
-
- sendfile on;
- tcp_nopush on;
- tcp_nodelay on;
- keepalive_timeout 65;
- types_hash_max_size 2048;
- server_tokens off;
-
- # server_names_hash_bucket_size 64;
- # server_name_in_redirect off;
-
- include /etc/nginx/mime.types;
- default_type application/octet-stream;
- client_max_body_size 0;
-
- ##
- # SSL Settings
- ##
-
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
- ssl_prefer_server_ciphers on;
-
- ##
- # Logging Settings
- ##
-
- access_log /var/log/nginx/access.log;
- error_log /var/log/nginx/error.log;
-
- ##
- # Gzip Settings
- ##
-
- gzip on;
-
- # gzip_vary on;
- # gzip_proxied any;
- # gzip_comp_level 6;
- # gzip_buffers 16 8k;
- # gzip_http_version 1.1;
- # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
-
- ##
- # Virtual Host Configs
- ##
-
- include /etc/nginx/conf.d/*.conf;
- include /etc/nginx/sites-enabled/*;
-}
-
-
-#mail {
-# # See sample authentication script at:
-# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
-#
-# # auth_http localhost/auth.php;
-# # pop3_capabilities "TOP" "USER";
-# # imap_capabilities "IMAP4rev1" "UIDPLUS";
-#
-# server {
-# listen localhost:110;
-# protocol pop3;
-# proxy on;
-# }
-#
-# server {
-# listen localhost:143;
-# protocol imap;
-# proxy on;
-# }
-#}
\ No newline at end of file
diff --git a/ansible/install_pccs/templates/default_proxy_params.j2 b/ansible/install_pccs/templates/default_proxy_params.j2
deleted file mode 100644
index 11c0f2c..0000000
--- a/ansible/install_pccs/templates/default_proxy_params.j2
+++ /dev/null
@@ -1,4 +0,0 @@
-proxy_set_header Host $http_host;
-proxy_set_header X-Real-IP $remote_addr;
-proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-proxy_set_header X-Forwarded-Proto $scheme;
\ No newline at end of file
diff --git a/ansible/install_pccs/templates/default_vhost.conf.j2 b/ansible/install_pccs/templates/default_vhost.conf.j2
deleted file mode 100644
index 39be710..0000000
--- a/ansible/install_pccs/templates/default_vhost.conf.j2
+++ /dev/null
@@ -1,26 +0,0 @@
-
-############
-# Backend
-############
-
-server {
- listen 443 ssl default_server;
-
- server_name {{ pccs_domain_name }};
-
- location / {
- # First attempt to serve request as file, then
- # as directory, then fall back to displaying a 404.
- # try_files $uri $uri/ =404;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header Host $http_host;
- proxy_set_header X-Forwarded-Proto https;
- proxy_redirect off;
- proxy_pass https://localhost:8081/;
- proxy_http_version 1.1;
-
- }
-
- ssl_certificate /etc/letsencrypt/live/{{ pccs_domain_name }}/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/{{ pccs_domain_name }}/privkey.pem;
-}
\ No newline at end of file
diff --git a/ansible/install_pccs/templates/letsencrypt.conf.j2 b/ansible/install_pccs/templates/letsencrypt.conf.j2
deleted file mode 100644
index 35c5adf..0000000
--- a/ansible/install_pccs/templates/letsencrypt.conf.j2
+++ /dev/null
@@ -1,14 +0,0 @@
-# renew_before_expiry = 30 days
-version = 0.40.0
-archive_dir = /etc/letsencrypt/archive/{{pccs_domain_name}}
-cert = /etc/letsencrypt/live/{{pccs_domain_name}}/cert.pem
-privkey = /etc/letsencrypt/live/{{pccs_domain_name}}/privkey.pem
-chain = /etc/letsencrypt/live/{{pccs_domain_name}}/chain.pem
-fullchain = /etc/letsencrypt/live/{{pccs_domain_name}}/fullchain.pem
-
-# Options used in the renewal process
-[renewalparams]
-account = 8e7c5cb1d13133139d81160d91271eab
-authenticator = nginx
-installer = nginx
-server = https://acme-v02.api.letsencrypt.org/directory
\ No newline at end of file
diff --git a/ansible/install_pccs/templates/pccs.conf.j2 b/ansible/install_pccs/templates/pccs.conf.j2
new file mode 100644
index 0000000..1e591d0
--- /dev/null
+++ b/ansible/install_pccs/templates/pccs.conf.j2
@@ -0,0 +1,33 @@
+{
+ "HTTPS_PORT" : 8081,
+ "hosts" : "127.0.0.1",
+ "uri": "https://api.trustedservices.intel.com/sgx/certification/v4/",
+ "ApiKey" : "{{ pccs_apikey }}",
+ "proxy" : "",
+ "RefreshSchedule": "0 0 1 * * *",
+ "UserTokenHash" : "{{ pccs_usertoken_hash }}",
+ "AdminTokenHash" : "{{ pccs_admintoken_hash }}",
+ "CachingFillMode" : "REQ",
+ "LogLevel" : "info",
+ "DB_CONFIG" : "{{ pccs_db_config }}",
+ "sqlite" : {
+ "database" : "{{ pccs_sqlite_db_name }}",
+ "username" : "{{ pccs_sqlite_cr_usr }}",
+ "password" : "{{ pccs_sqlite_usr_psswd }}",
+ "options" : {
+ "host": "{{ pccs_sqlite_options_host }}",
+ "dialect": "{{ pccs_sqlite_port_dialect }}",
+ "pool": {
+ "max": {{ pccs_sqlite_port_pool_max }},
+ "min": {{ pccs_sqlite_port_pool_min }},
+ "acquire": {{ pccs_sqlite_port_pool_acquire }},
+ "idle": {{ pccs_sqlite_port_pool_idle }}
+ },
+ "define": {
+ "freezeTableName": {{ pccs_sqlite_define_freezeTableName }}
+ },
+ "logging" : {{ pccs_sqlite_logging }},
+ "storage": "{{ pccs_sqlite_storage }}"
+ }
+ }
+}
\ No newline at end of file
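Review bot: `"logging" : {{ pccs_sqlite_logging }}` and `"freezeTableName": {{ pccs_sqlite_define_freezeTableName }}` are emitted as bare Jinja values, so if those variables are YAML booleans the file renders as `True`/`False`, which is not JSON and will make PCCS reject its own config; rendering them as `{{ pccs_sqlite_logging | to_json }}` (and likewise the four pool integers) guarantees JSON-typed output. Applying the same filter to the quoted string fields, e.g. `"ApiKey" : {{ pccs_apikey | to_json }},`, also keeps a stray `"` or `\` in a key, token hash or password from breaking the document. The rendered file carries the Intel PCS API key and the SQLite password; the task that writes it is outside this diff, so please confirm it sets a restrictive `mode` (0640 or tighter), the PCCS service account as owner, and `no_log: true`. Binding to `"hosts" : "127.0.0.1"` is the right default now that the nginx/Let's Encrypt front end is removed; since JSON has no comments, a note in the Ansible task or role README that port 8081 must stay loopback-only unless a TLS-terminating proxy is reinstated would help the next maintainer.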
diff --git a/ansible/install_sgx_deps/tasks/main.yml b/ansible/install_sgx_deps/tasks/main.yml
index e5be4ac..46c08c6 100644
--- a/ansible/install_sgx_deps/tasks/main.yml
+++ b/ansible/install_sgx_deps/tasks/main.yml
@@ -1,11 +1,6 @@
 ---
 # tasks file for install_sgx_deps
-- name: Debug ansible_facts
- ansible.builtin.debug:
- var: ansible_facts
-
-
 - name: Add official Intel APT repository
 block:
 - name: Download Intel GPG public key
diff --git a/ansible/install_sgx_deps/templates/baremetal_sgx_default_qcnl.conf.j2 b/ansible/install_sgx_deps/templates/baremetal_sgx_default_qcnl.conf.j2
index 5fb4d0a..a4e9cac 100644
--- a/ansible/install_sgx_deps/templates/baremetal_sgx_default_qcnl.conf.j2
+++ b/ansible/install_sgx_deps/templates/baremetal_sgx_default_qcnl.conf.j2
@@ -2,10 +2,10 @@
 // *** ATTENTION : This file is in JSON format so the keys are case sensitive. Don't change them.
 //PCCS server address
- "pccs_url": "https://{{ __pccs }}/sgx/certification/v4/",
+ "pccs_url": "https://localhost:8081",
 // To accept insecure HTTPS certificate, set this option to false
- "use_secure_cert": true,
+ "use_secure_cert": false,
 // You can use the Intel PCS or another PCCS to get quote verification collateral. Retrieval of PCK
 // Certificates will always use the PCCS described in PCCS_URL. When COLLATERAL_SERVICE is not defined, both
@@ -30,7 +30,7 @@
 // If LOCAL_PCK_URL is defined, the QCNL will try to retrieve PCK cert chain from LOCAL_PCK_URL first,
 // and failover to PCCS_URL as in legacy mode.
- //"local_pck_url": "http://localhost:8081/sgx/certification/v4/",
+ //"local_pck_url": "http://localhost:8081",
 // If LOCAL_PCK_URL is not defined, the QCNL will cache PCK certificates in memory by default.
 // The cached PCK certificates will expire after PCK_CACHE_EXPIRE_HOURS hours.
diff --git a/ansible/main.yml b/ansible/main.yml
index 7f479f6..6b1137f 100644
--- a/ansible/main.yml
+++ b/ansible/main.yml
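Review bot: `"use_secure_cert": false` in the first qcnl hunk disables TLS certificate verification for everything the QCNL fetches from `pccs_url`, so PCK certificates and collateral are accepted from whoever answers on that URL; that is defensible only because the URL is now `https://localhost:8081` (the loopback-bound PCCS from pccs.conf.j2), and the file should record that coupling right above the setting, e.g. `// pccs_url is the local PCCS with a self-signed cert; if it ever points at a remote host, set use_secure_cert back to true`. The verification-preserving alternative is to leave it `true` and add the PCCS certificate to the system CA store (`/usr/local/share/ca-certificates` plus `update-ca-certificates`), provided the certificate's SAN covers `localhost`. The new `pccs_url` also drops the `/sgx/certification/v4/` path that both the removed value and the `local_pck_url` comment in the second hunk carried; as far as I recall Intel's sample config includes that path, so confirm the QCNL version you target accepts a bare origin before shipping this.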
@@ -1,43 +1,21 @@
 ---
-# - name: Collect and display virtualization facts
-# hosts: all
-# tasks:
-# - name: Gather facts
-# ansible.builtin.setup:
-
-# - name: Display virtualization facts
-# ansible.builtin.debug:
-# var: ansible_facts['virtualization_type']
-
-# - name: Display all virtualization-related facts
-# ansible.builtin.debug:
-# var: ansible_facts['virtualization_role']
-
-# - name: Display all virtualization-related facts
-# ansible.builtin.debug:
-# var: ansible_facts['virtualization_vendor']
-
-# - name: Display all virtualization-related facts
-# ansible.builtin.debug:
-# var: ansible_facts['virtualization_technology']
-
 - name: Cosmian Enclave installation on Ubuntu
 hosts: all
 become: true
-
 pre_tasks:
 - name: Check if the machine is bare-metal
 ansible.builtin.set_fact:
- is_baremetal: "{{ ansible_facts['virtualization_type'] == 'baremetal' }}"
-
+ is_baremetal: "{{ ansible_facts['virtualization_type'] == 'kvm' }}"
+
 roles:
 - update_ubuntu
 - install_docker
 - install_sgx_deps
 tasks:
+
 - name: Include role install_pccs for bare-metal only
 ansible.builtin.include_role:
 name: install_pccs
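Review bot: The fact is still named `is_baremetal`, but the new expression is true when `ansible_facts['virtualization_type']` equals `'kvm'`, i.e. on a KVM guest, so `install_pccs` (the task is labelled "for bare-metal only") is now included on VMs and skipped on real bare-metal hosts. If the intent is to run the local PCCS on KVM guests as well, say so explicitly with `is_baremetal: "{{ ansible_facts['virtualization_type'] in ['baremetal', 'kvm'] }}"` and rename the fact to something like `needs_local_pccs`; if this was a debugging change, restore `'baremetal'`. Ansible also reports `kvm` on a host that merely has the KVM modules loaded (with `virtualization_role: host`), so checking `virtualization_role` alongside the type would avoid misclassifying such hosts. The `when:` guard on the include_role task, if one exists, lies past the end of the hunk.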