diff --git a/keylime-ansible-gcp/README.md b/keylime-ansible-gcp/README.md index 5b68aa6..888b42c 100644 --- a/keylime-ansible-gcp/README.md +++ b/keylime-ansible-gcp/README.md @@ -1,7 +1,5 @@ # Ansible Keylime for Google Cloud -Ansible role to deploy [Keylime](https://github.com/keylime/keylime) with the [rust agent](https://github.com/keylime/rust-keylime) against a Virtualized TPM. - -This role is currently configured to work with a Fedora 35 instance on Google Cloud with the vTPM enabled. +Ansible role to deploy a Fedora 35 instance on the Google Cloud Platform with [Keylime](https://github.com/keylime/keylime) and the [rust agent](https://github.com/keylime/rust-keylime) against a Virtualized TPM. Contributions are welcome, should anyone wish to have this role provision other Linux distributions. 
@@ -10,11 +8,29 @@ For details on using Keylime, please consult the For details on the Rust agent, please consult the [repository](https://github.com/keylime/rust-keylime). +## Configuration +1. Install dependecies for the Ansible - GCP module +`$ pip3 install requests google-auth` +2. [Create a GCP service account](https://developers.google.com/identity/protocols/oauth2/service-account#creatinganaccount) for ansible's use. +3. [Create and download keys linked to this service account](https://support.google.com/cloud/answer/6158849?hl=en&ref_topic=6262490#serviceaccounts&zippy=%2Cservice-accounts) +4. Add path to ssh key to ansible config (/etc/ansible/ansible.conf) \ +Note: the ssh private key is in the downloaded file. Extract it, place it in its own file, set adequate permissions, and add the path to this newly created file to the ansible config. \ +Example:\ +[defaults] \ +private_key_file = /home/user/my_key + +5. Set environment variables \ +`$ export GCP_PROJECT=""` \ +`$ export GCP_CRED_KIND="serviceaccount"`\ +`$ export GCP_CRED_FILE=""` \ +`$ export GCP_ZONE=""` \ +`$ export GCP_REGION=""` + ## Usage -Run the playbook against your target remote host(s). Note: the hosts must have the vTPM enabled in the Google Cloud Console. +Run the playbook to create and set up an instance. ```bash -ansible-playbook -i your_hosts playbook.yml +ansible-playbook playbook.yml ``` ## Getting started with Keylime The best way to get started is to read the [Keylime diff --git a/keylime-ansible-gcp/playbook.yml b/keylime-ansible-gcp/playbook.yml index 9d20aca..bcac0fe 100644 --- a/keylime-ansible-gcp/playbook.yml +++ b/keylime-ansible-gcp/playbook.yml 
@@ -1,5 +1,20 @@
 ---
-- hosts: all
+- hosts: localhost
+ roles:
+ - create-gcp
+ gather_facts: no
+ connection: local
+ vars:
+ - gcp_project: "{{ lookup('ansible.builtin.env','GCP_PROJECT') }}"
+ - gcp_cred_kind: "{{ lookup('ansible.builtin.env','GCP_CRED_KIND') }}"
+ - gcp_cred_file: "{{ lookup('ansible.builtin.env','GCP_CRED_FILE') }}"
+ - zone: "{{ lookup('ansible.builtin.env','GCP_ZONE') }}"
+ - region: "{{ lookup('ansible.builtin.env','GCP_REGION') }}"
+ post_tasks:
+ - name: Wait to SSH into instance
+ wait_for: delay=5 sleep=5 host={{ address.address }} port=22 state=started timeout=100
+
+- hosts: gcp_instance
 become: true
 become_user: root
 pre_tasks:
@@ -19,4 +34,4 @@
 name: libselinux-python3
 state: present
 roles:
- - keylime-gcp
\ No newline at end of file
+ - keylime-gcp
diff --git a/keylime-ansible-gcp/roles/create-gcp/defaults/main.yml b/keylime-ansible-gcp/roles/create-gcp/defaults/main.yml
new file mode 100644
index 0000000..3bf5aba
--- /dev/null
+++ b/keylime-ansible-gcp/roles/create-gcp/defaults/main.yml
@@ -0,0 +1,2 @@
+---
+# defaults file for ansible-keylime
diff --git a/keylime-ansible-gcp/roles/create-gcp/handlers/main.yml b/keylime-ansible-gcp/roles/create-gcp/handlers/main.yml
new file mode 100644
index 0000000..470cec6
--- /dev/null
+++ b/keylime-ansible-gcp/roles/create-gcp/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+# handlers file for ansible-keylime
+#- name: restart apache
+# command: service https restart
+# args:
+# warn: no
diff --git a/keylime-ansible-gcp/roles/create-gcp/meta/main.yml b/keylime-ansible-gcp/roles/create-gcp/meta/main.yml
new file mode 100644
index 0000000..1768c2d
--- /dev/null
+++ b/keylime-ansible-gcp/roles/create-gcp/meta/main.yml
@@ -0,0 +1,12 @@
+---
+galaxy_info:
+ author: Avery Blanchard
+ description: Keylime GCP
+ company: Red Hat
+ min_ansible_version: 2.9
+ platforms:
+ - name: Fedora
+ versions:
+ - 35
+ galaxy_tags: []
+dependencies: []
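Review bot: The five `lookup('ansible.builtin.env', …)` entries under `vars:` resolve to an empty string when the variable is not exported, so a missing `GCP_CRED_FILE` or `GCP_PROJECT` only surfaces later as an opaque google.cloud module error; an `ansible.builtin.assert` in `pre_tasks` checking that `gcp_project`, `gcp_cred_kind`, `gcp_cred_file`, `zone` and `region` are non-empty would fail fast with a clear message. `gather_facts: no` should be `gather_facts: false`, and `wait_for: delay=5 sleep=5 host=… port=22 …` is the legacy key=value form that reads better as native YAML arguments. `vars:` written as a list of single-key mappings is accepted, but the conventional form is one mapping. The second play reaches the new instance by its public IP, and the hunk does not show how the host key of a never-seen host is handled; a comment on that play stating the expected `host_key_checking` setting would help operators. The `- hosts: gcp_instance` play's `pre_tasks` continue outside the hunk.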
diff --git a/keylime-ansible-gcp/roles/create-gcp/tasks/gcp.yml b/keylime-ansible-gcp/roles/create-gcp/tasks/gcp.yml
new file mode 100644
index 0000000..1418374
--- /dev/null
+++ b/keylime-ansible-gcp/roles/create-gcp/tasks/gcp.yml
@@ -0,0 +1,67 @@
+- name: Create disk mapped from Fedora image
+ google.cloud.gcp_compute_disk:
+ name: disk-instance
+ size_gb: 50
+ source_image: /projects/fedora-cloud/global/images/fedora-cloud-base-gcp-35-1-2-x86-64
+ zone: "{{ zone }}"
+ project: "{{ gcp_project }}"
+ auth_kind: "{{ gcp_cred_kind }}"
+ service_account_file: "{{ gcp_cred_file }}"
+ scopes:
+ - https://www.googleapis.com/auth/compute
+ state: present
+ register: disk
+
+- name: Create IPv4 public instance address
+ google.cloud.gcp_compute_address:
+ name: address-instance
+ region: "{{ region }}"
+ project: "{{ gcp_project }}"
+ auth_kind: "{{ gcp_cred_kind }}"
+ service_account_file: "{{ gcp_cred_file }}"
+ scopes:
+ - https://www.googleapis.com/auth/compute
+ state: present
+ register: address
+
+- name: Create the Fedora instance
+ google.cloud.gcp_compute_instance:
+ name: test
+ machine_type: e2-medium
+ disks:
+ - auto_delete: 'true'
+ boot: 'true'
+ source: "{{ disk }}"
+ shielded_instance_config:
+ enable_integrity_monitoring: 'no'
+ enable_secure_boot: 'no'
+ enable_vtpm: 'yes'
+ network_interfaces:
+ - network: null
+ access_configs:
+ - name: External NAT
+ nat_ip: "{{ address }}"
+ type: ONE_TO_ONE_NAT
+ zone: "{{ zone }}"
+ project: "{{ gcp_project }}"
+ auth_kind: "{{ gcp_cred_kind }}"
+ service_account_file: "{{ gcp_cred_file }}"
+ service_accounts:
+ - email: '279379130830-compute@developer.gserviceaccount.com'
+ scopes:
+ - https://www.googleapis.com/auth/devstorage.read_only
+ - https://www.googleapis.com/auth/logging.write
+ - https://www.googleapis.com/auth/monitoring.write
+ - https://www.googleapis.com/auth/service.management.readonly
+ - https://www.googleapis.com/auth/servicecontrol
+ - https://www.googleapis.com/auth/trace.append
+ state: present
+
+- name: Add new GCP instance to hosts
+ add_host:
+ hostname: "{{ address.address }}"
+ groups: gcp_instance
+
+- name: Show instance details
+ debug:
+ msg: "New GCP instance accessible at {{ address.address }}."
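Review bot: `service_accounts: - email: '279379130830-compute@developer.gserviceaccount.com'` hard-codes the default compute service account of one particular project, so in any other project the instance either fails to create or is attached to an identity the operator never chose; take it from a role variable with a documented default (e.g. `email: "{{ instance_service_account }}"`) and trim the scope list to what the Keylime agent actually needs. The shielded-VM block turns on the vTPM but sets `enable_secure_boot: 'no'` and `enable_integrity_monitoring: 'no'`, which is a surprising combination for an attestation deployment and deserves a why-comment; independently, the quoted `'yes'`/`'no'`/`'true'` strings should be plain `true`/`false` booleans. `network: null` together with the External NAT access config puts the host on the project's default network with a public address and relies on that network's pre-existing firewall rules for the playbook's port-22 wait, which should at least be stated in a comment next to `network_interfaces:`. The fixed `name: test`, `disk-instance` and `address-instance` also mean a second run in the same project collides with the first; move them to role defaults.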
diff --git a/keylime-ansible-gcp/roles/create-gcp/tasks/main.yml b/keylime-ansible-gcp/roles/create-gcp/tasks/main.yml
new file mode 100644
index 0000000..a79e128
--- /dev/null
+++ b/keylime-ansible-gcp/roles/create-gcp/tasks/main.yml
@@ -0,0 +1 @@
+- include: gcp.yml
diff --git a/keylime-ansible-gcp/roles/create-gcp/vars/main.yml b/keylime-ansible-gcp/roles/create-gcp/vars/main.yml
new file mode 100644
index 0000000..e870fb7
--- /dev/null
+++ b/keylime-ansible-gcp/roles/create-gcp/vars/main.yml
@@ -0,0 +1,4 @@
+---
+# Section for vars
+shell_profiles:
+ - .bash_profile
diff --git a/keylime-ansible-gcp/roles/keylime-gcp/tasks/keylime.yml b/keylime-ansible-gcp/roles/keylime-gcp/tasks/keylime.yml
index 421e449..99be163 100644
--- a/keylime-ansible-gcp/roles/keylime-gcp/tasks/keylime.yml
+++ b/keylime-ansible-gcp/roles/keylime-gcp/tasks/keylime.yml
@@ -36,4 +36,4 @@
 path: /etc/keylime.conf
 regexp: '^tpm_hash_alg'
 line: tpm_hash_alg = sha256
- changed_when: false
\ No newline at end of file
+ changed_when: false
diff --git a/keylime-ansible-gcp/roles/keylime-gcp/tasks/main.yml b/keylime-ansible-gcp/roles/keylime-gcp/tasks/main.yml
index ab9e74b..6d7e343 100644
--- a/keylime-ansible-gcp/roles/keylime-gcp/tasks/main.yml
+++ b/keylime-ansible-gcp/roles/keylime-gcp/tasks/main.yml
@@ -2,4 +2,4 @@
 - include: git-repos.yml
 - include: keylime.yml
 - include: rust-install.yml
-- include: rust-keylime.yml
\ No newline at end of file
+- include: rust-keylime.yml
diff --git a/keylime-ansible-gcp/roles/keylime-gcp/tasks/packages.yml b/keylime-ansible-gcp/roles/keylime-gcp/tasks/packages.yml
index 8afa44d..bfaf97f 100644
--- a/keylime-ansible-gcp/roles/keylime-gcp/tasks/packages.yml
+++ b/keylime-ansible-gcp/roles/keylime-gcp/tasks/packages.yml
@@ -71,5 +71,6 @@
 - openssl-devel
 - zeromq-devel
 - libarchive-devel
+ - cargo
- state: latest
\ No newline at end of file
+ state: latest
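Review bot: `- include: gcp.yml` uses the bare `include` action, which is already deprecated at the `min_ansible_version: 2.9` the role declares and has been dropped from newer ansible-core releases; `- import_tasks: gcp.yml` keeps the static behaviour this role relies on. The new `vars/main.yml` defines `shell_profiles` with `.bash_profile`, which nothing in the create-gcp role reads as far as these hunks show — it looks copied from the keylime-gcp role and should be removed if it is indeed unused, since `vars/` entries have high precedence and silently shadow same-named variables elsewhere.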
diff --git a/keylime-ansible-gcp/roles/keylime-gcp/tasks/rust-install.yml b/keylime-ansible-gcp/roles/keylime-gcp/tasks/rust-install.yml
index 7068b2f..fd99d85 100644
--- a/keylime-ansible-gcp/roles/keylime-gcp/tasks/rust-install.yml
+++ b/keylime-ansible-gcp/roles/keylime-gcp/tasks/rust-install.yml
@@ -6,4 +6,4 @@
 shell: "source $HOME/.cargo/env"
 args:
 chdir: /root/
- changed_when: false
\ No newline at end of file
+ changed_when: false
diff --git a/keylime-ansible-gcp/roles/keylime-gcp/tasks/rust-keylime.yml b/keylime-ansible-gcp/roles/keylime-gcp/tasks/rust-keylime.yml
index de5c906..7c14b0d 100644
--- a/keylime-ansible-gcp/roles/keylime-gcp/tasks/rust-keylime.yml
+++ b/keylime-ansible-gcp/roles/keylime-gcp/tasks/rust-keylime.yml
@@ -4,6 +4,12 @@
 chdir: /root/rust-keylime
 changed_when: false
+- name: Run Cargo build
+ shell: "cargo build"
+ args:
+ chdir: /root/rust-keylime
+ changed_when: false
+
 - name: Set TPM2TOOLS_TCTI environment variable
 lineinfile:
 dest: /etc/environment
diff --git a/keylime-ansible-gcp/roles/keylime-gcp/vars/main.yml b/keylime-ansible-gcp/roles/keylime-gcp/vars/main.yml
index 7bb336e..05e2ab4 100644
--- a/keylime-ansible-gcp/roles/keylime-gcp/vars/main.yml
+++ b/keylime-ansible-gcp/roles/keylime-gcp/vars/main.yml
@@ -45,4 +45,4 @@ cargo_packages:
 # Kernel resource manager
 os_environment:
 - key: TPM2TOOLS_TCTI
- value : "device:/dev/tpmrm0"
\ No newline at end of file
+ value : "device:/dev/tpmrm0"
diff --git a/keylime-ansible-gcp/tests/inventory b/keylime-ansible-gcp/tests/inventory
index 878877b..2fbb50c 100644
--- a/keylime-ansible-gcp/tests/inventory
+++ b/keylime-ansible-gcp/tests/inventory
@@ -1,2 +1 @@
 localhost
-
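Review bot: The new `Run Cargo build` task in rust-keylime.yml uses `shell: "cargo build"` although the command needs no shell features, so `command: cargo build` is the better module (no shell interpretation of the string), and `changed_when: false` hides a compile that genuinely changes the host. `cargo build` without `--release` produces a debug binary under `target/debug`; whether later tasks run the agent from there is outside the hunk, so confirm that the debug profile is intended. Passing `--locked` would make the build honour the checkout's `Cargo.lock` (assuming the rust-keylime tree ships one) and fail instead of silently re-resolving crates from crates.io on the target. Note also that rust-install.yml's `shell: "source $HOME/.cargo/env"` (context above) affects only its own shell, so the `cargo` found by this task is presumably the distro package added to packages.yml in this commit rather than the rustup toolchain — worth a comment if both are meant to coexist.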