From 1d0b64cf6c6c4f45ffc1f0d9501725b867e3b67c Mon Sep 17 00:00:00 2001 
From: Arne Oslebo <arne.oslebo@uninett.no> Date: Tue, 19 Jan 2021 11:09:04 +0100 Subject: [PATCH] moved building of images to dedicated build directory --- group_vars/all/main.yml | 32 ++++++++---- .../{ => cassandra}/cassandrasupervisord.conf | 0 .../files/{ => cortex}/cortexsupervisord.conf | 0 .../{ => haproxy}/haproxysupervisord.conf | 0 .../{ => keycloak}/keycloaksupervisord.conf | 0 .../files/{ => kibana}/kibanasupervisord.conf | 0 .../files/{ => misp}/misp_rh-php72-php-fpm | 0 roles/build/files/misp/mispstart.sh | 25 ++++++++++ .../files/{ => misp}/mispsupervisord.conf | 0 .../files/{ => mysql}/mysqlsupervisord.conf | 0 .../files/{ => nifi}/nifisupervisord.conf | 0 .../files/{ => odfees}/odfesupervisord.conf | 0 .../{ => thehive}/thehivesupervisord.conf | 0 .../{ => zookeeper}/zookeepersupervisord.conf | 0 roles/build/tasks/cassandra.yml | 11 ---- roles/build/tasks/cortex.yml | 11 ---- roles/build/tasks/haproxy.yml | 10 ---- roles/build/tasks/keycloak.yml | 18 ------- roles/build/tasks/main.yml | 50 ++++++++++++++----- roles/build/tasks/misp.yml | 15 ------ roles/build/tasks/mysql.yml | 10 ---- roles/build/tasks/nifi.yml | 11 ---- roles/build/tasks/odfees.yml | 18 ------- roles/build/tasks/odfekibana.yml | 22 -------- roles/build/tasks/openjdk.yml | 11 ---- roles/build/tasks/thehive.yml | 11 ---- roles/build/tasks/zookeeper.yml | 11 ---- .../Dockerfile.j2} | 0 roles/build/templates/keycloak/Dockerfile.j2 | 1 + roles/build/templates/kibana/Dockerfile.j2 | 23 +++++++++ ...ockerfile-odfeelastic.j2 => Dockerfile.j2} | 0 ...Dockerfile-odfekibana.j2 => Dockerfile.j2} | 0 roles/cortex/templates/application.conf.j2 | 2 +- .../templates/config/elasticsearch.yml.j2 | 8 +-- roles/odfekibana/templates/kibana.yml.j2 | 2 +- roles/thehive/templates/application.conf.j2 | 2 +- 36 files changed, 115 insertions(+), 189 deletions(-) rename roles/build/files/{ => cassandra}/cassandrasupervisord.conf (100%) rename roles/build/files/{ => cortex}/cortexsupervisord.conf (100%) 
rename roles/build/files/{ => haproxy}/haproxysupervisord.conf (100%) rename roles/build/files/{ => keycloak}/keycloaksupervisord.conf (100%) rename roles/build/files/{ => kibana}/kibanasupervisord.conf (100%) rename roles/build/files/{ => misp}/misp_rh-php72-php-fpm (100%) create mode 100644 roles/build/files/misp/mispstart.sh rename roles/build/files/{ => misp}/mispsupervisord.conf (100%) rename roles/build/files/{ => mysql}/mysqlsupervisord.conf (100%) rename roles/build/files/{ => nifi}/nifisupervisord.conf (100%) rename roles/build/files/{ => odfees}/odfesupervisord.conf (100%) rename roles/build/files/{ => thehive}/thehivesupervisord.conf (100%) rename roles/build/files/{ => zookeeper}/zookeepersupervisord.conf (100%) delete mode 100644 roles/build/tasks/cassandra.yml delete mode 100644 roles/build/tasks/cortex.yml delete mode 100644 roles/build/tasks/haproxy.yml delete mode 100644 roles/build/tasks/keycloak.yml delete mode 100644 roles/build/tasks/misp.yml delete mode 100644 roles/build/tasks/mysql.yml delete mode 100644 roles/build/tasks/nifi.yml delete mode 100644 roles/build/tasks/odfees.yml delete mode 100644 roles/build/tasks/odfekibana.yml delete mode 100644 roles/build/tasks/openjdk.yml delete mode 100644 roles/build/tasks/thehive.yml delete mode 100644 roles/build/tasks/zookeeper.yml rename roles/build/templates/{odfees/Dockerfile-elastic.j2 => elasticsearch/Dockerfile.j2} (100%) create mode 100644 roles/build/templates/kibana/Dockerfile.j2 rename roles/build/templates/odfees/{Dockerfile-odfeelastic.j2 => Dockerfile.j2} (100%) rename roles/build/templates/odfekibana/{Dockerfile-odfekibana.j2 => Dockerfile.j2} (100%) diff --git a/group_vars/all/main.yml b/group_vars/all/main.yml index da6e6b4..63e2668 100644 --- a/group_vars/all/main.yml +++ b/group_vars/all/main.yml 
@@ -1,6 +1,8 @@ --- -soctoolsproxy: "arne-centos2.cert-labs.uninett.no" +soctoolsproxy: "<CHANGE_ME:hostname>" + +docker_build_dir: "{{playbook_dir}}/build" # TheHive Button plugin THEHIVE_URL: "https://hive.gn4-3-wp8-soc.sunet.se/" @@ -10,7 +12,7 @@ THEHIVE_OWNER: "admin" soctools_netname: "soctoolsnet" soctools_network: "172.22.0.0/16" -repo: gn43-dsl +repo: soctools version: 7 suffix: a20201004 @@ -45,14 +47,10 @@ cassandra_img: "{{repo}}/cassandra:{{version}}{{suffix}}" thehive_name: "soctools-thehive" thehive_img: "{{repo}}/thehive:{{version}}{{suffix}}" -# GENERATED WITH cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 64 | head -n 1 -thehive_secret_key: "LcnI9eKLo33711BmCnzf6UM1y05pdmj3dlADL81PxuffWqhobRoiiGFftjNPKpmM" cortex_name: "soctools-cortex" cortex_img: "{{repo}}/cortex:{{version}}{{suffix}}" cortex_elasticsearch_mem: "256m" -# GENERATED WITH cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 64 | head -n 1 -cortex_secret_key: "9CZ844IcAp5dHjsgU4iuaEssdopLcS6opzhVP3Ys4t4eRpNlHmwZdtfveLEXpM9D" sysctlconfig: - { key: "net.core.rmem_max", val: "4194304" } @@ -69,8 +67,6 @@ ca_cn: "SOCTOOLS-CA" odfees_img: "{{repo}}/odfees:{{version}}{{suffix}}" odfekibana_img: "{{repo}}/odfekibana:{{version}}{{suffix}}" -# GENERATE 32-bit secure value -odfekibana_cookie: "iroAm0ueIV7w6CS1WcJTwIV6R4d5RIAt" #elk_version: "oss-7.6.1" elk_version: "oss-7.4.2" #odfeplugin_version: "1.7.0.0" @@ -89,6 +85,20 @@ maxmind_key: "" misp_dbname: "mispdb" misp_dbuser: "misp" -# misp_salt generated with: openssl rand -base64 32 -#misp_odic_crypto_pass: 1234567890 #TODO: Generate dynamically -#misp_crypto_pass: 1234567890 #TODO: Generate dynamically + +services: + - mysql + - haproxy + - openjdk + - zookeeper + - nifi + - elasticsearch + - kibana + - odfees + - odfekibana + - keycloak + - misp + - cassandra + - thehive + - cortex + 
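Review bot: The three secrets deleted here (`thehive_secret_key`, `cortex_secret_key`, `odfekibana_cookie`) remain recoverable from git history, so they should be treated as disclosed and any deployment that used them redeployed so it picks up the newly generated values; this commit only stops new deployments from using them. The new `services` list also deserves a comment saying that its order is the build order: the kibana Dockerfile in this commit builds `FROM {{repo}}/centos:...`, and the other images presumably chain the same way, so reordering the list would break `Build image` in roles/build/tasks/main.yml. `# Build order: later images are built FROM earlier ones` above the list would do. The `<CHANGE_ME:hostname>` placeholder for `soctoolsproxy` relies on the assert in roles/build/tasks/main.yml (only its `fail_msg` is visible in this diff) actually matching the new placeholder text; verify the condition was updated along with it.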
diff --git a/roles/build/files/cassandrasupervisord.conf b/roles/build/files/cassandra/cassandrasupervisord.conf similarity index 100% rename from roles/build/files/cassandrasupervisord.conf rename to roles/build/files/cassandra/cassandrasupervisord.conf diff --git a/roles/build/files/cortexsupervisord.conf b/roles/build/files/cortex/cortexsupervisord.conf similarity index 100% rename from roles/build/files/cortexsupervisord.conf rename to roles/build/files/cortex/cortexsupervisord.conf diff --git a/roles/build/files/haproxysupervisord.conf b/roles/build/files/haproxy/haproxysupervisord.conf similarity index 100% rename from roles/build/files/haproxysupervisord.conf rename to roles/build/files/haproxy/haproxysupervisord.conf diff --git a/roles/build/files/keycloaksupervisord.conf b/roles/build/files/keycloak/keycloaksupervisord.conf similarity index 100% rename from roles/build/files/keycloaksupervisord.conf rename to roles/build/files/keycloak/keycloaksupervisord.conf diff --git a/roles/build/files/kibanasupervisord.conf b/roles/build/files/kibana/kibanasupervisord.conf similarity index 100% rename from roles/build/files/kibanasupervisord.conf rename to roles/build/files/kibana/kibanasupervisord.conf diff --git a/roles/build/files/misp_rh-php72-php-fpm b/roles/build/files/misp/misp_rh-php72-php-fpm similarity index 100% rename from roles/build/files/misp_rh-php72-php-fpm rename to roles/build/files/misp/misp_rh-php72-php-fpm diff --git a/roles/build/files/misp/mispstart.sh b/roles/build/files/misp/mispstart.sh new file mode 100644 index 0000000..d6a5fc0 --- /dev/null +++ b/roles/build/files/misp/mispstart.sh 
@@ -0,0 +1,25 @@
+#!/usr/bin/env bash
+#dockerfile from ansible
+
+# Check if run as root
+if [ "$EUID" -eq 0 ]; then
+ echo "Please DO NOT run the worker script as root"
+ exit 1
+fi
+
+PATH_TO_MISP='/var/www/MISP'
+RUN_PHP="/usr/bin/scl enable rh-php72"
+PHP_INI="/etc/opt/rh/rh-php72/php.ini"
+CAKE="${PATH_TO_MISP}/app/Console/cake"
+
+# Extract base directory where this script is and cd into it
+cd "${0%/*}"
+$RUN_PHP -- $CAKE CakeResque.CakeResque stop --all
+$RUN_PHP -- $CAKE CakeResque.CakeResque start --interval 5 --queue default
+$RUN_PHP -- $CAKE CakeResque.CakeResque start --interval 5 --queue prio
+$RUN_PHP -- $CAKE CakeResque.CakeResque start --interval 5 --queue cache
+$RUN_PHP -- $CAKE CakeResque.CakeResque start --interval 5 --queue email
+$RUN_PHP -- $CAKE CakeResque.CakeResque start --interval 5 --queue update
+$RUN_PHP -- $CAKE CakeResque.CakeResque startscheduler --interval 5
+
+exit 0
diff --git a/roles/build/files/mispsupervisord.conf b/roles/build/files/misp/mispsupervisord.conf
similarity index 100%
rename from roles/build/files/mispsupervisord.conf
rename to roles/build/files/misp/mispsupervisord.conf
diff --git a/roles/build/files/mysqlsupervisord.conf b/roles/build/files/mysql/mysqlsupervisord.conf
similarity index 100%
rename from roles/build/files/mysqlsupervisord.conf
rename to roles/build/files/mysql/mysqlsupervisord.conf
diff --git a/roles/build/files/nifisupervisord.conf b/roles/build/files/nifi/nifisupervisord.conf
similarity index 100%
rename from roles/build/files/nifisupervisord.conf
rename to roles/build/files/nifi/nifisupervisord.conf
diff --git a/roles/build/files/odfesupervisord.conf b/roles/build/files/odfees/odfesupervisord.conf
similarity index 100%
rename from roles/build/files/odfesupervisord.conf
rename to roles/build/files/odfees/odfesupervisord.conf
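Review bot: `cd "${0%/*}"` can fail silently: when the script is invoked by bare name through PATH, `${0%/*}` is just `$0`, the cd fails, and because there is no `set -e` the cake commands still run in the caller's directory and the script still reaches `exit 0`. Make it `cd "${0%/*}" || exit 1`, and consider dropping the unconditional `exit 0` so the status of the last start command is what the caller (presumably supervisord, whose config is not in this diff) sees; blanket `set -e` is probably too strict here since `stop --all` may legitimately fail when nothing is running yet. `PHP_INI` is assigned but never used. The leading `#dockerfile from ansible` comment is now stale: the file was a template (`misp/start.sh.j2` in the deleted roles/build/tasks/misp.yml) and is now a static file, so `# MISP worker start script, copied into the image from roles/build/files/misp` would be accurate.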
diff --git a/roles/build/files/thehivesupervisord.conf b/roles/build/files/thehive/thehivesupervisord.conf similarity index 100% rename from roles/build/files/thehivesupervisord.conf rename to roles/build/files/thehive/thehivesupervisord.conf diff --git a/roles/build/files/zookeepersupervisord.conf b/roles/build/files/zookeeper/zookeepersupervisord.conf similarity index 100% rename from roles/build/files/zookeepersupervisord.conf rename to roles/build/files/zookeeper/zookeepersupervisord.conf diff --git a/roles/build/tasks/cassandra.yml b/roles/build/tasks/cassandra.yml deleted file mode 100644 index 1c0a2c6..0000000 --- a/roles/build/tasks/cassandra.yml +++ /dev/null @@ -1,11 +0,0 @@ ---- - -- name: Configure the cassandra Dockerfile - template: - src: cassandra/Dockerfile.j2 - dest: "{{role_path}}/files/cassandraDockerfile" - -- name: Build cassandra image - command: docker build -t {{repo}}/cassandra:{{version}}{{suffix}} -f {{role_path}}/files/cassandraDockerfile {{role_path}}/files - - diff --git a/roles/build/tasks/cortex.yml b/roles/build/tasks/cortex.yml deleted file mode 100644 index 9a5adbe..0000000 --- a/roles/build/tasks/cortex.yml +++ /dev/null @@ -1,11 +0,0 @@ ---- - -- name: Configure the Cortex Dockerfile - template: - src: cortex/Dockerfile.j2 - dest: "{{role_path}}/files/cortexDockerfile" - -- name: Build the Cortex image - command: docker build -t {{repo}}/cortex:{{version}}{{suffix}} -f {{role_path}}/files/cortexDockerfile {{role_path}}/files - - diff --git a/roles/build/tasks/haproxy.yml b/roles/build/tasks/haproxy.yml deleted file mode 100644 index 9cb45f8..0000000 --- a/roles/build/tasks/haproxy.yml +++ /dev/null @@ -1,10 +0,0 @@ ---- - -- name: Configure the haproxy Dockerfile - template: - src: haproxy/Dockerfile.j2 - dest: "{{role_path}}/files/haproxyDockerfile" - -- name: Build haproxy image - command: docker build -t {{repo}}/haproxy:{{version}}{{suffix}} -f {{role_path}}/files/haproxyDockerfile {{role_path}}/files - 
diff --git a/roles/build/tasks/keycloak.yml b/roles/build/tasks/keycloak.yml deleted file mode 100644 index f7a7c2b..0000000 --- a/roles/build/tasks/keycloak.yml +++ /dev/null @@ -1,18 +0,0 @@ ---- - -- name: Configure the keycloak Dockerfile - template: - src: keycloak/Dockerfile.j2 - dest: "{{role_path}}/files/keycloakDockerfile" - -- name: Copy tools to build path - command: "cp -av {{role_path}}/templates/keycloak/keycloak-tools/ {{role_path}}/files/keycloak-tools/" - -- name: Build keycloak image - command: docker build -t {{repo}}/keycloak:{{version}}{{suffix}} -f {{role_path}}/files/keycloakDockerfile {{role_path}}/files - -- name: Remove tools from build path - file: - path: "{{role_path}}/files/keycloak-tools/" - state: absent - diff --git a/roles/build/tasks/main.yml b/roles/build/tasks/main.yml index e08a9cf..eee4ba0 100644 --- a/roles/build/tasks/main.yml +++ b/roles/build/tasks/main.yml 
@@ -6,15 +6,41 @@
 fail_msg: "Review *all* settings in group_vars/all/main.yml"
 - include: centos.yml
-- include: mysql.yml
-- include: haproxy.yml
-- include: openjdk.yml
-- include: zookeeper.yml
-- include: nifi.yml
-- include: odfees.yml
-- include: odfekibana.yml
-- include: keycloak.yml
-- include: misp.yml
-- include: cassandra.yml
-- include: thehive.yml
-- include: cortex.yml
+
+- name: Create main build dir
+ file:
+ path: "{{docker_build_dir}}"
+ state: directory
+
+- name: Create build dir
+ file:
+ path: "{{docker_build_dir}}/{{item}}"
+ state: directory
+ with_items: "{{services}}"
+
+- name: Configure the Dockerfile
+ template:
+ src: "{{item}}/Dockerfile.j2"
+ dest: "{{docker_build_dir}}/{{item}}/Dockerfile"
+ with_items: "{{services}}"
+
+- name: Copy thehive_button to build path
+ copy:
+ src: "{{role_path}}/templates/odfekibana/thehive_button"
+ dest: "{{docker_build_dir}}/odfekibana/"
+
+- name: Copy keycloak-tools to build path
+ copy:
+ src: "{{role_path}}/templates/keycloak/keycloak-tools"
+ dest: "{{docker_build_dir}}/keycloak/"
+
+- name: Copy build files
+ copy:
+ src: "files/{{item}}/"
+ dest: "{{docker_build_dir}}/{{item}}/"
+ with_items: "{{services}}"
+ ignore_errors: yes
+
+- name: Build image
+ command: docker build -t {{repo}}/{{item}}:{{version}}{{suffix}} -f {{docker_build_dir}}/{{item}}/Dockerfile {{docker_build_dir}}/{{item}}
+ with_items: "{{services}}"
diff --git a/roles/build/tasks/misp.yml b/roles/build/tasks/misp.yml
deleted file mode 100644
index 3bfe7c9..0000000
--- a/roles/build/tasks/misp.yml
+++ /dev/null
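Review bot: `ignore_errors: yes` on `Copy build files` hides every failure of that copy, not only the expected missing-source case for services that have no `files/<service>/` tree (as far as the diffstat shows: `openjdk`, `elasticsearch`, `odfekibana`), so a permission problem or a path typo goes unnoticed and `Build image` fails later with a misleading message. Skip the missing sources explicitly instead and drop `ignore_errors`: `when: (role_path ~ '/files/' ~ item) is directory`. Separately, `docker_build_dir` now lives under `playbook_dir` and the rendered Dockerfiles placed there contain interpolated settings; the deleted keycloak.yml removed its copied tools after the build, whereas the new flow leaves everything in place, so make sure `build/` is excluded from the repository (a `.gitignore` change is not in this diff).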
@@ -1,15 +0,0 @@ ---- - -- name: Configure the misp Dockerfile - template: - src: misp/Dockerfile.j2 - dest: "{{role_path}}/files/mispDockerfile" - -- name: Configure the misp worker startscript - template: - src: misp/start.sh.j2 - dest: "{{role_path}}/files/mispstart.sh" - -- name: Build misp image - command: docker build -t {{repo}}/misp:{{version}}{{suffix}} -f {{role_path}}/files/mispDockerfile {{role_path}}/files - diff --git a/roles/build/tasks/mysql.yml b/roles/build/tasks/mysql.yml deleted file mode 100644 index 75d9625..0000000 --- a/roles/build/tasks/mysql.yml +++ /dev/null @@ -1,10 +0,0 @@ ---- - -- name: Configure the mysql Dockerfile - template: - src: mysql/Dockerfile.j2 - dest: "{{role_path}}/files/mysqlDockerfile" - -- name: Build mysql image - command: docker build -t {{repo}}/mysql:{{version}}{{suffix}} -f {{role_path}}/files/mysqlDockerfile {{role_path}}/files - diff --git a/roles/build/tasks/nifi.yml b/roles/build/tasks/nifi.yml deleted file mode 100644 index 423978d..0000000 --- a/roles/build/tasks/nifi.yml +++ /dev/null @@ -1,11 +0,0 @@ ---- - -- name: Configure the nifi Dockerfile - template: - src: nifi/Dockerfile.j2 - dest: "{{role_path}}/files/nifiDockerfile" - -- name: Build nifi image - command: docker build -t {{repo}}/nifi:{{version}}{{suffix}} -f {{role_path}}/files/nifiDockerfile {{role_path}}/files - - diff --git a/roles/build/tasks/odfees.yml b/roles/build/tasks/odfees.yml deleted file mode 100644 index 5741223..0000000 --- a/roles/build/tasks/odfees.yml +++ /dev/null 
@@ -1,18 +0,0 @@ ---- - -- name: Configure elasticsearch Dockerfile - template: - src: odfees/Dockerfile-elastic.j2 - dest: "{{role_path}}/files/elasticDockerfile" - -- name: Build elasticsearch image - command: docker build -t {{repo}}/elasticsearch:{{version}}{{suffix}} -f {{role_path}}/files/elasticDockerfile {{role_path}}/files - -- name: Configure odfe elasticsearch Dockerfile - template: - src: odfees/Dockerfile-odfeelastic.j2 - dest: "{{role_path}}/files/odfeesDockerfile" - -- name: Build odfe elasticsearch image - command: docker build -t {{repo}}/odfees:{{version}}{{suffix}} -f {{role_path}}/files/odfeesDockerfile {{role_path}}/files - diff --git a/roles/build/tasks/odfekibana.yml b/roles/build/tasks/odfekibana.yml deleted file mode 100644 index 8e1980a..0000000 --- a/roles/build/tasks/odfekibana.yml +++ /dev/null @@ -1,22 +0,0 @@ ---- - -- name: Configure kibana Dockerfile - template: - src: odfekibana/Dockerfile-kibana.j2 - dest: "{{role_path}}/files/kibanaDockerfile" - -- name: Copy tools to build path - command: "cp -av {{role_path}}/templates/odfekibana/thehive_button/ {{role_path}}/files/thehive_button/" - -- name: Build kibana image - command: docker build -t {{repo}}/kibana:{{version}}{{suffix}} -f {{role_path}}/files/kibanaDockerfile {{role_path}}/files - -- name: Configure odfe kibana Dockerfile - template: - src: odfekibana/Dockerfile-odfekibana.j2 - dest: "{{role_path}}/files/odfekibanaDockerfile" - -- name: Build odfe kibana image - command: docker build -t {{repo}}/odfekibana:{{version}}{{suffix}} -f {{role_path}}/files/odfekibanaDockerfile {{role_path}}/files - - diff --git a/roles/build/tasks/openjdk.yml b/roles/build/tasks/openjdk.yml deleted file mode 100644 index 8754ac7..0000000 --- a/roles/build/tasks/openjdk.yml +++ /dev/null 
@@ -1,11 +0,0 @@ ---- - -- name: Configure the openjdk Dockerfile - template: - src: openjdk/Dockerfile.j2 - dest: "{{role_path}}/files/openjdkDockerfile" - -- name: Build openjdk image - command: docker build -t {{repo}}/openjdk:{{version}}{{suffix}} -f {{role_path}}/files/openjdkDockerfile {{role_path}}/files - - diff --git a/roles/build/tasks/thehive.yml b/roles/build/tasks/thehive.yml deleted file mode 100644 index 35fe08e..0000000 --- a/roles/build/tasks/thehive.yml +++ /dev/null @@ -1,11 +0,0 @@ ---- - -- name: Configure theHive Dockerfile - template: - src: thehive/Dockerfile.j2 - dest: "{{role_path}}/files/thehiveDockerfile" - -- name: Build theHive image - command: docker build -t {{repo}}/thehive:{{version}}{{suffix}} -f {{role_path}}/files/thehiveDockerfile {{role_path}}/files - - diff --git a/roles/build/tasks/zookeeper.yml b/roles/build/tasks/zookeeper.yml deleted file mode 100644 index a61a6b3..0000000 --- a/roles/build/tasks/zookeeper.yml +++ /dev/null @@ -1,11 +0,0 @@ ---- - -- name: Configure the zookeeper Dockerfile - template: - src: zookeeper/Dockerfile.j2 - dest: "{{role_path}}/files/zookeeperDockerfile" - -- name: Build zookeeper image - command: docker build -t {{repo}}/zookeeper:{{version}}{{suffix}} -f {{role_path}}/files/zookeeperDockerfile {{role_path}}/files - - diff --git a/roles/build/templates/odfees/Dockerfile-elastic.j2 b/roles/build/templates/elasticsearch/Dockerfile.j2 similarity index 100% rename from roles/build/templates/odfees/Dockerfile-elastic.j2 rename to roles/build/templates/elasticsearch/Dockerfile.j2 diff --git a/roles/build/templates/keycloak/Dockerfile.j2 b/roles/build/templates/keycloak/Dockerfile.j2 index f6c1206..561a646 100644 --- a/roles/build/templates/keycloak/Dockerfile.j2 +++ b/roles/build/templates/keycloak/Dockerfile.j2 
@@ -27,6 +27,7 @@ RUN yum -y install openssl supervisor rsync && yum -y clean all && \
 adduser -u 1000 -g 0 -d /opt/jboss jboss && \
 chown -R jboss:root /opt/jboss && \
 chmod -R g+rwX /opt/jboss && \
+ chmod a+x /opt/jboss/tools/x509.sh && \
 mkdir -p /etc/x509/{https,ca} && chown -R jboss:root /etc/x509/{https,ca}
 ENV PATH="/opt/jboss/keycloak/bin:${PATH}"
diff --git a/roles/build/templates/kibana/Dockerfile.j2 b/roles/build/templates/kibana/Dockerfile.j2
new file mode 100644
index 0000000..ef2a476
--- /dev/null
+++ b/roles/build/templates/kibana/Dockerfile.j2
@@ -0,0 +1,23 @@
+FROM {{repo}}/centos:{{version}}{{suffix}}
+
+RUN yum install -y supervisor
+RUN yum clean all
+
+ENV PATH="/usr/share/kibana/bin:${PATH}"
+
+RUN groupadd -g 1000 kibana && \
+ adduser -u 1000 -g 1000 -d /usr/share/kibana kibana
+
+WORKDIR /usr/share/kibana
+
+RUN rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch && \
+ rpm -Uvh https://artifacts.elastic.co/downloads/kibana/kibana-{{elk_version}}-x86_64.rpm && \
+ cp -a /etc/kibana/ /usr/share/kibana/config/ && \
+ chown -R kibana /usr/share/kibana/config/
+
+RUN echo 'kibana ALL=(ALL:ALL) NOPASSWD: ALL' >> /etc/sudoers
+
+EXPOSE 5601
+COPY kibanasupervisord.conf /etc/supervisord.conf
+ENTRYPOINT ["/usr/bin/supervisord", "-c", "/etc/supervisord.conf"]
+
diff --git a/roles/build/templates/odfees/Dockerfile-odfeelastic.j2 b/roles/build/templates/odfees/Dockerfile.j2
similarity index 100%
rename from roles/build/templates/odfees/Dockerfile-odfeelastic.j2
rename to roles/build/templates/odfees/Dockerfile.j2
diff --git a/roles/build/templates/odfekibana/Dockerfile-odfekibana.j2 b/roles/build/templates/odfekibana/Dockerfile.j2
similarity index 100%
rename from roles/build/templates/odfekibana/Dockerfile-odfekibana.j2
rename to roles/build/templates/odfekibana/Dockerfile.j2
diff --git a/roles/cortex/templates/application.conf.j2 b/roles/cortex/templates/application.conf.j2
index 4d1ff58..c7f8b0a 100644
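Review bot: `RUN echo 'kibana ALL=(ALL:ALL) NOPASSWD: ALL' >> /etc/sudoers` in the new kibana Dockerfile gives the unprivileged `kibana` account unrestricted root inside the container, so the uid 1000 user created a few lines above buys nothing: any code execution in Kibana is root in the container, with whatever mounts and capabilities the container runs with. Nothing in this Dockerfile shows what sudo is needed for (the supervisord config is copied in but is not part of the diff); if one privileged step is required at start-up, grant only that command through a file in `/etc/sudoers.d/` with a `Cmnd_Alias`, or run that step as root before supervisord drops to `kibana`, and otherwise delete the line. Appending to `/etc/sudoers` directly also skips the syntax check `visudo` would perform, so a malformed entry would lock sudo entirely.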
--- a/roles/cortex/templates/application.conf.j2
+++ b/roles/cortex/templates/application.conf.j2
@@ -6,7 +6,7 @@
 #
 # IMPORTANT: If you deploy your application to several instances, make
 # sure to use the same key.
-play.http.secret.key="{{cortex_secret_key}}"
+play.http.secret.key='{{lookup("password", "{{playbook_dir}}/secrets/passwords/cortex_secret_key")}}'
 ## ElasticSearch
 search {
diff --git a/roles/odfees/templates/config/elasticsearch.yml.j2 b/roles/odfees/templates/config/elasticsearch.yml.j2
index 5cae9eb..5e8e18f 100644
--- a/roles/odfees/templates/config/elasticsearch.yml.j2
+++ b/roles/odfees/templates/config/elasticsearch.yml.j2
@@ -30,11 +30,11 @@ cluster.initial_master_nodes:
 opendistro_security.ssl.transport.keystore_type: pkcs12
 opendistro_security.ssl.transport.keystore_filepath: {{ inventory_hostname }}.p12
-opendistro_security.ssl.transport.keystore_password: {{lookup('password', '{{playbook_dir}}/secrets/passwords/keystore')}}
+opendistro_security.ssl.transport.keystore_password: "{{lookup('password', '{{playbook_dir}}/secrets/passwords/keystore')}}"
 #opendistro_security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
 opendistro_security.ssl.transport.truststore_type: jks
 opendistro_security.ssl.transport.truststore_filepath: cacerts.jks
-opendistro_security.ssl.transport.truststore_password: {{lookup('password', '{{playbook_dir}}/secrets/passwords/truststore')}}
+opendistro_security.ssl.transport.truststore_password: "{{lookup('password', '{{playbook_dir}}/secrets/passwords/truststore')}}"
 opendistro_security.ssl.transport.enforce_hostname_verification: false
 opendistro_security.ssl.http.enabled: true
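Review bot: `lookup("password", ...)` without a `length=` argument generates a 20-character value, while the hard-coded key it replaces (deleted from group_vars in this commit) was 64 characters, so the Play application secret shrinks considerably; as far as I recall Play 2.6+ checks this key's length at start-up in prod mode, warning below 32 characters and refusing very short ones, so verify against the Play version Cortex ships. Pass the length inside the path string, as the kibana hunk already does with `length=32`: `play.http.secret.key='{{lookup("password", "{{playbook_dir}}/secrets/passwords/cortex_secret_key length=64")}}'`. The same applies to the TheHive hunk (roles/thehive/templates/application.conf.j2) at the end of this patch. Nested `{{playbook_dir}}` inside a lookup argument works, but `playbook_dir ~ '/secrets/passwords/...'` is the clearer form.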
@@ -42,10 +42,10 @@ opendistro_security.ssl.http.enabled: true
 # opendistro_security.ssl.http.pemkey_filepath: esnode-key.pem
 opendistro_security.ssl.http.keystore_type: pkcs12
 opendistro_security.ssl.http.keystore_filepath: {{ inventory_hostname }}.p12
-opendistro_security.ssl.http.keystore_password: {{lookup('password', '{{playbook_dir}}/secrets/passwords/keystore')}}
+opendistro_security.ssl.http.keystore_password: "{{lookup('password', '{{playbook_dir}}/secrets/passwords/keystore')}}"
 opendistro_security.ssl.http.truststore_type: jks
 opendistro_security.ssl.http.truststore_filepath: cacerts.jks
-opendistro_security.ssl.http.truststore_password: {{lookup('password', '{{playbook_dir}}/secrets/passwords/truststore')}}
+opendistro_security.ssl.http.truststore_password: "{{lookup('password', '{{playbook_dir}}/secrets/passwords/truststore')}}"
 #opendistro_security.ssl.http.pemtrustedcas_filepath: root-ca.pem
 #opendistro_security.ssl.http.clientauth_mode: optional
 opendistro_security.allow_unsafe_democertificates: false
diff --git a/roles/odfekibana/templates/kibana.yml.j2 b/roles/odfekibana/templates/kibana.yml.j2
index aa445d7..e676b37 100644
--- a/roles/odfekibana/templates/kibana.yml.j2
+++ b/roles/odfekibana/templates/kibana.yml.j2
@@ -46,7 +46,7 @@ opendistro_security.openid.root_ca: "/usr/share/kibana/config/ca.crt"
 opendistro_security.openid.base_redirect_url: "https://{{soctoolsproxy}}:5601"
 opendistro_security.cookie.secure: true
-opendistro_security.cookie.password: "{{odfekibana_cookie}}"
+opendistro_security.cookie.password: {{lookup("password", "{{playbook_dir}}/secrets/passwords/kibana_cookiepassword length=32")}}
 server.ssl.enabled: true
 server.ssl.key: /usr/share/kibana/config/{{inventory_hostname}}.key
diff --git a/roles/thehive/templates/application.conf.j2 b/roles/thehive/templates/application.conf.j2
index 6fa36eb..d25e059 100644
--- a/roles/thehive/templates/application.conf.j2
+++ b/roles/thehive/templates/application.conf.j2
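Review bot: The new `opendistro_security.cookie.password:` line in kibana.yml.j2 drops the double quotes the old line had, whereas the elasticsearch.yml.j2 hunks in this same commit add quotes around the same kind of lookup for exactly the reason that applies here: the password lookup's default alphabet is letters, digits and `.,:-_`, a plain YAML scalar cannot begin with the `,` indicator, so roughly one generated value in 67 renders into a file Kibana cannot parse, and values starting with `-` or `:` are parser-dependent. Keep the quoting and match the elasticsearch style: `opendistro_security.cookie.password: "{{lookup('password', '{{playbook_dir}}/secrets/passwords/kibana_cookiepassword length=32')}}"`. The keystore and truststore lookups above stay at the default 20-character length, which is fine for PKCS12/JKS store passwords but worth stating in a comment next to them so nobody assumes it matches the 32 used for the cookie.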
@@ -5,7 +5,7 @@
 ## Include Play secret key
 # More information on secret key at https://www.playframework.com/documentation/2.8.x/ApplicationSecret
 #include "/etc/thehive/secret.conf"
-play.http.secret.key="{{thehive_secret_key}}"
+play.http.secret.key="{{lookup('password', '{{playbook_dir}}/secrets/passwords/thehive_secret_key')}}"
 ## Database configuration
 db.janusgraph {
-- GitLab
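Review bot: With this hunk and the cortex, kibana and elasticsearch ones, every credential now comes from files the password lookup creates under `{{playbook_dir}}/secrets/passwords/` on the Ansible controller, which makes that directory the root of trust for the whole deployment; the diff shows neither a `.gitignore` entry nor any permission handling for it. Confirm `secrets/` is excluded from the repository and readable only by the user running the playbook, and check what mode the lookup actually leaves on the files rather than assuming it. A one-line comment above this key, `# generated on first run into secrets/passwords/ on the controller; keep that directory out of VCS`, would make the new contract visible to whoever edits the template next.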