Chef: Refactor Jenkins security script to own recipe file - security

I am currently using Chef's Jenkins supermarket cookbook to deploy an instance of Jenkins. As part of that deployment, my recipe includes installing Jenkins, installing specific plugin versions, enabling security and creating an Administrator account for Jenkins.
I'm currently using a single recipe file for this. The script that is executed to enable security and create the Administrator account is as follows:
jenkins_script 'activate global security' do
command <<-EOH.gsub(/^ {4}/, '')
import jenkins.model.*
import hudson.security.*
def instance = Jenkins.getInstance()
def hudsonRealm = new HudsonPrivateSecurityRealm(false)
hudsonRealm.createAccount("Administrator","administrator_passwd")
instance.setSecurityRealm(hudsonRealm)
instance.save()
def strategy = new GlobalMatrixAuthorizationStrategy()
strategy.add(Jenkins.ADMINISTER, "Administrator")
instance.setAuthorizationStrategy(strategy)
instance.save()
EOH
notifies :restart, 'runit_service[jenkins]', :immediately
end
The script activates security, creates the Jenkins Administrator user with a password, and then restarts the Jenkins instance. From what I understand, the jenkins_script resource executes Java or Groovy command against the Jenkins master, and is not idempotent.
As the script is not idempotent, if the recipe is run on the node subsequent times after the initial run, the chef-client run fails as security is already enabled and the Administrator user has already been created.
My thoughts are to move this security enablement script to its' own recipe file, and then specify the recipe for security in the node's run list if enabling security is required. If security has already been enabled, we simple don't add / remove the security recipe from the run list.
Is this a sound approach to working around this problem?
If this is a sound approach, should it be as simple as just
creating another ruby file, dumping the security code in it, and
adding it to the node's run list after the recipe for the initial
Jenkins install?

You don't have to restart Jenkins to configure security.

When configuring security there are a few considerations you have to take into account. One is that it almost always works the first run, but you want to make sure that on repeated runs it continues to successfully apply desired changes.
There is an attribute for the executor protocol which defaults to remoting and you'll see warnings all over about using it because it is less secure and has been deprecated. Other options are https or ssh, with the latter being the option we decided to go with. If you configure it as the protocol but the SSH key provided to be used isn't associated with a user (user has to be created and then an SSH public key associated with them) then it will fall back to using anonymous (part of the cookbook) and so you need to ensure you either do all your "privileged" operations like plugin installation and reconfiguration scripts before you enable authentication, or ensure you have the authentication pre-configured to request SSH so that it immediately kicks in when the authentication is turned on.

Related

Azure DevOp - Set Screen Resolution interactive mode

Due to fact that my VM is opening in small resolution I've been facing lots of situations with flaky tests, mainly about "Element is not clickable" notification. The solution to my problem might be adding extensions and increase the resolution:
https://marketplace.visualstudio.com/items?itemName=ms-autotest.screen-resolution-utility-task
The problem is I don't exactly know where it should be placed inside my pipeline which looks like this:
In order to run successfully this extensions there is a need to fulfill requirements:
Agent must be configured to run as an interactive process with autologin enabled (Where I should enable that?)
Shall I configure it directly by the "Demands" section on mine "Restart" agent options? I've tried putting the extensions inside the "Restart" section between "Stop" and "Start" agent tasks but it failed...
You can either reconfig your agent to interactive mode(check below detailed steps), or install a new agent and config it to interactive mode on your VM. Check here to install a new self hosted agent and check for more configuration.
1,
To reconfig your agent to interative mode, you need cd to the agent installation folder and run.\config remove to remove it first as shown in below pic.
2,
After agent is removed, Run .\config to reconfig your agent, and choose interactive during the configuration. Please refer to below screenshot and be careful to choose the right option (Y/N) at the highlighted steps
3,
To start the interactive agent by run .\run
Above steps should be ran as administrator. I followed above steps and successfully run set screen resolution task.

Start Windows 10 sandbox in predefined state with additional software

Windows 10 has a new sandbox which is based on a very small and fast Hyper-V VM. With every start of the sandbox you get a "fresh" Windows and on every sandbox termination, all changes are discarded.
My question is: Is it possible to define in which state the sandbox starts? E.g. is it possible to start the VM with pre-installed reversing tools or a script that is automatically run, as soon as the system is booted?
Use case: Due to it's fast start-up time and "throw away" characteristics, the Windows 10 sandbox would be a dream for automated malware analysis.
You can somehow change the behavior of the sandbox. For example run a script at start up or disable network. See here for a how to: https://medium.com/#maarten.goet/how-windows-1903-makes-malware-analysis-easier-introducing-windows-sandbox-3ec791c8367
In general, sandbox startup can be controlled by a startup configuration file:
Windows Sandbox supports simple configuration files, which provide a
minimal set of customization parameters for Sandbox. ... Windows Sandbox
configuration files are formatted as XML and are associated with
Sandbox via the .wsb file extension.
The specific ability to execute a script upon sandbox startup is documented here: https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file#logon-command
It says:
Logon command
Specifies a single command that will be invoked automatically after
the sandbox logs on. Apps in the sandbox are run under the container
user account. The container user account should be an administrator
account.
XML
<LogonCommand>
<Command>command to be invoked</Command>
</LogonCommand>
Command: A path to an executable or script inside the container that
will be executed after signing in.
Note
Although very simple commands will work (such as launching an
executable or script), more complicated scenarios involving multiple
steps should be placed into a script file. This script file may be
mapped into the container via a shared folder, and then executed via
the LogonCommand directive.

Bamboo 5.5.0 - How to delete a remote agent's capability via the bamboo-capabilities.properties file?

I am currently trying to automate the process of bamboo remote agent installation and uninstallation. I have run into a problem in regards to adding and removing capabilities.
What I am trying to automate:
(The following is what I do on the bamboo server via the GUI, I want to do this on the remote agent machine via bash script.)
I install the remote agent on a VM machine, then start it up. I go to the bamboo interface and click on the newly created agent's name.
I add a custom capability type, for the key I put 'buildserver' and for the value I put the name of the agent.
I add an 'Executable' capability of type 'Command' with Executable label 'cygwin' and path 'C:\cygwin64\bin\bash'
I navigate to the git executable, and remove it by clicking 'delete.' <--- (the problem step)
what I've done.
I have looked here and found a way to automate steps 1-3 using the following "bamboo-capabilities.properties" file:
buildserver="AGENTNAME"
system.builder.command.cygwin="C:\cygwin64\bin\bash"
However I am stuck on how I would remove the git capability (step 4.) I've tried something appending something like this to the file:
system.git.executable=""
but it does not seem to do anything. Does anyone know how I would do this? There seems to be very little documentation about this online.
Thanks very much.
I never found a way to get around this, but I found a workaround. I later learned the point of removing git in my situation was to allow a shared capability that was also called git to take precedence. My workaround was to set the non-shared capability to the value of the shared capability. I am not 100% sure that this does the same thing, and I am not in a position to test it yet, but as a capability seems to be only a key-value pair I don't see why it wouldn't.... will update if anything breaks.

Problem performing svn export using Hudson that run as a service

I have a script that perform a build as well as performing svn export. When I run hudson manually, by running it from a root user, I can do a build and svn export without a problem.
If I call hudson using a service (chkconfig), hudson runs okay. SVN checkout (assume this is URL1) is also fine since the credential is stored in hudson config. However, when my script tries to perform svn export (different from URL1; let's say this is URL2), it always fail. It says "Password for 'root': Authentication realm". This is basically error because my build server cannot provide the necessary credential to login into svn. This is what I don't understand, because I store the svn credential in my root account, and have no problem performing svn update/svn info to URL2 from the shell or when I start hudson manually (not as service).
My guess right now is that when we are running an app as a service, it does not load some/all stored user configurations? Any idea how can I force the service to load my svn credential? Any other solution/insight is also welcome.
Btw, my build server is running Red Hat 5.6
Thanks!!!
Can't give you a detailed answer, but one of the differences between an interactive shell and when running as a service is the first starts up by reading ~/.bash_profile, while the second runs ~/.bashrc
Try to compare the two!
Comparing the output of env in both contexts (within hudson and within your shell) should help you troubleshoot this.
By default, SVN stores user credential in their corresponding home directory. When a server is restarted, it will not load your profile (in my case, /etc/profile) as pointed by Tobu. So to solve this problem, we simply need to set the HOME folder to the correct location. Modify your service script for your apps to include the following line:
HOME=/<<user home folder location>>
This solves my problem.

Setting up a local SVN repository with encrypted passwords with TortoiseSVN

I am planning on using a local repository, using only TortoiseSVN's "create repository here" feature.
The repo is created and I can read and write to it just fine. The problem is that I can't get authentication to work. I thought I wanted Windows authentication, but I actually want the simple text-file based authentication so I can force the current system user (i.e. any person can be using the same Windows account and I want to differentiate between them) to provide their name and password. I haven't found any information on how to do this without svnserve running.
So far, I have modified svnserve.conf like this:
anon-access = read
auth-access = write
password-db = passwd
realm = LocalOnly
I didn't mess with the [sasl] section.
I also modified passwd:
[users]
harry = teH0wLIpW0gyQ
I am trying to use encrypted passwords created with a simple perl script. However, regardless of what I do with the repo (i.e. including writing to the repo), I am never prompted for a password.
I tried clearing TortoiseSVN's authentication cache since I do connect to a remote repo, but this didn't matter at all.
Has anyone tried this and succeeded? Or is it not possible without svnserve?
Not possible without svnserve - it takes care of the challenge/response.
Try Subversion Edge. you can edit the file you are mentioning using the GUI provided by the tool. It uses its own http server(not svnserve or IIS).
Unfortunately your best bet with a local repository is to use your file system permissions. A simple and free option for a server (that's easy to manager) would be VisualSVN Server. You can hang it off or a workstation or drop it on a public webserver somewhere. I now have mine setup with a reverse proxy with IIS7 so it's integrated with the rest of my web site.

Resources