From c26b05b731cd8d79f06f1f2ed0a77bd3e30363f0 Mon Sep 17 00:00:00 2001 From: Daniel Ferreira Lopes <35694604+df3l0p@users.noreply.github.com> Date: Sun, 5 Jan 2025 19:04:40 +0100 Subject: [PATCH] Upgrade playbook to 24.04 and Fix for Apple M4 and java (#37) # Summary This PR adds many things: * Upgrade sandbox to 24.04 * Fix issues on Apple M4 and macOS 15.2 with Java. More information [here](https://forum.parallels.com/threads/parallels-desktop-for-mac-computers-with-apple-silicon-m4-chips.365676/page-8#post-936240) or [here](https://github.com/corretto/corretto-21/issues/85) * Update Vagrantfile to use `.fetch` to avoid unspecified parameters * Disables ipv6 * Removes unwanted packages such as `whoopsie`, `apport`, ... * Improves `apt` ansible instructions with caching There is an issue with `protonvpn-cli` on Ubuntu 24.04 with `python3.12` when we run `protonvpn-cli login`. It's likely related to incompatibilities with python3.12 and older versions. I documented a workaround where login works with a proxy (burp here). --- README.md | 4 +- Vagrantfile | 14 ++--- config/targets.yaml | 6 +- res/ansible/files/.keep | 0 res/ansible/files/grub.d/disable-ipv6.cfg | 2 + res/ansible/files/grub.d/disable-sve.cfg | 4 ++ res/ansible/main.yml | 74 +++++++++++++++++------ res/ansible/pre-main.yml | 22 +++++++ res/ansible/vars/jammy.yml | 12 +++- res/ansible/vars/noble.yml | 31 ++++++++++ 10 files changed, 137 insertions(+), 32 deletions(-) delete mode 100644 res/ansible/files/.keep create mode 100644 res/ansible/files/grub.d/disable-ipv6.cfg create mode 100644 res/ansible/files/grub.d/disable-sve.cfg create mode 100644 res/ansible/pre-main.yml create mode 100644 res/ansible/vars/noble.yml diff --git a/README.md b/README.md index 1e61c84..05f43f3 100644 --- a/README.md +++ b/README.md 
@@ -29,7 +29,7 @@ Depending on the ansible provider, you can run playbooks manually for troublesho Connect to your instance with `vagrant ssh` and execute the following ```bash ansible -i localhost -m ping -ansible-playbook -i localhost, -c local /vagrant/res/ansible/main.yml --tags some_tags +ansible-playbook -i localhost, -c local /path/to/share/res/ansible/main.yml --tags some_tags # if use `vagrant ssh` and you get an error related to encoding issues, use: # export LC_ALL=C.UTF-8 ``` @@ -38,7 +38,7 @@ ansible-playbook -i localhost, -c local /vagrant/res/ansible/main.yml --tags som You need ansible to be installed on the host to do that. ```bash -python3 -m pip install ansible +python3 -m pip install --break-system-packages ansible ``` You can run the playbook with diff --git a/Vagrantfile b/Vagrantfile index 94006d5..2afcb46 100644 --- a/Vagrantfile +++ b/Vagrantfile @@ -45,9 +45,9 @@ Vagrant.configure("2") do |config| targets&.each do |name, target| config.vm.define name do |build| build.vm.provider "parallels" do |prl, override| - override.vm.box = target["parallels"]["box"] - if not target["parallels"]["version"].empty? - override.vm.box_version = target["parallels"]["version"] + override.vm.box = target.fetch("parallels", {}).fetch("box") + if not target.fetch("parallels", {}).fetch("version", "").empty? + override.vm.box_version = target.fetch("parallels", {}).fetch("version", "") end prl.name = name @@ -70,9 +70,9 @@ Vagrant.configure("2") do |config| end build.vm.provider :virtualbox do |vb, override| - override.vm.box = target["virtualbox"]["box"] - if not target["virtualbox"]["version"].empty? - override.vm.box_version = target["virtualbox"]["version"] + override.vm.box = target.fetch("virtualbox", {})["box"] + if not target.fetch("virtualbox", {}).fetch("version", "").empty? + override.vm.box_version = target.fetch("virtualbox", {}).fetch("version", "") end vb.name = name 
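Review bot: The `""` defaults passed to `.fetch` in the Parallels hunk only apply when the key is absent, so a `version:` left blank in targets.yaml still yields nil and `.empty?` raises NoMethodError; the same holds for the VirtualBox hunk and for `target.fetch("ip", "")` in the hunk at -118. Coercing first covers missing, blank and numeric values: `version = target.fetch("parallels", {})["version"].to_s` followed by `override.vm.box_version = version unless version.empty?`. The two providers also disagree on a missing box: Parallels uses `.fetch("box")` and fails with KeyError, while VirtualBox uses `["box"]` and hands nil to Vagrant; pick one behaviour, preferably the one that fails early. The enclosing `targets&.each` block starts and ends outside these hunks.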
@@ -118,7 +118,7 @@ Vagrant.configure("2") do |config| end # Test if ip is provided - if not target["ip"].empty? + if not target.fetch("ip", "").empty? build.vm.network "private_network", ip: target["ip"] end diff --git a/config/targets.yaml b/config/targets.yaml index 79f20d6..cd55c23 100644 --- a/config/targets.yaml +++ b/config/targets.yaml @@ -4,11 +4,11 @@ targets: box: ubuntu/jammy64 version: 20230510.0.0 parallels: - box: bento/ubuntu-22.04-arm64 - version: 202401.31.0 + box: bento/ubuntu-24.04 + version: 202407.22.0 # other ranges could fail? # see: https://github.com/hashicorp/vagrant/issues/12557 - ip: 192.168.56.105 + ip: 192.168.56.105 # doesn't work on parallels cpus: 3 memory: 4096 vram: 32 diff --git a/res/ansible/files/.keep b/res/ansible/files/.keep deleted file mode 100644 index e69de29..0000000 diff --git a/res/ansible/files/grub.d/disable-ipv6.cfg b/res/ansible/files/grub.d/disable-ipv6.cfg new file mode 100644 index 0000000..c2c1ec0 --- /dev/null +++ b/res/ansible/files/grub.d/disable-ipv6.cfg @@ -0,0 +1,2 @@ +# https://askubuntu.com/questions/309461/how-to-disable-ipv6-permanently +GRUB_CMDLINE_LINUX="${GRUB_CMDLINE_LINUX} ipv6.disable=1" diff --git a/res/ansible/files/grub.d/disable-sve.cfg b/res/ansible/files/grub.d/disable-sve.cfg new file mode 100644 index 0000000..47ac54f --- /dev/null +++ b/res/ansible/files/grub.d/disable-sve.cfg @@ -0,0 +1,4 @@ +# there is currently an issue with Apple M4 and macOS 15.2 with java +# see https://forum.parallels.com/threads/parallels-desktop-for-mac-computers-with-apple-silicon-m4-chips.365676/page-8#post-936240 +# also https://github.com/corretto/corretto-21/issues/85 +GRUB_CMDLINE_LINUX="${GRUB_CMDLINE_LINUX} arm64.nosve" diff --git a/res/ansible/main.yml b/res/ansible/main.yml index 896533b..46a9f34 100644 --- a/res/ansible/main.yml +++ b/res/ansible/main.yml 
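Review bot: The new comment on `ip` in config/targets.yaml says the address does not work on Parallels, yet the Vagrantfile hunk at -118 still applies `private_network` with this value for every provider whenever it is non-empty. Either move the address under the `virtualbox:` key and read it from there, or extend the comment to say what a Parallels user should expect, for example `# VirtualBox host-only range; ignored/failing on parallels, leave empty there`. As written, the same file both sets the value and says it does not work for the box that was just upgraded.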
@@ -24,10 +24,21 @@ tags: - set-vars + - name: Remove unwanted packages + ansible.builtin.apt: + pkg: + "{{ unwanted }}" + state: absent + update_cache: yes + cache_valid_time: 86400 + tags: + - remove-unwanted + - name: Update all packages to the latest version apt: - state: latest + upgrade: yes update_cache: yes + cache_valid_time: 86400 tags: - install-update @@ -36,7 +47,8 @@ pkg: "{{ packages }}" state: latest - update_cache: no + update_cache: yes + cache_valid_time: 86400 tags: - install-base-packages @@ -47,7 +59,8 @@ pkg: - docker.io state: latest - update_cache: no + update_cache: yes + cache_valid_time: 86400 tags: - install-docker @@ -148,11 +161,17 @@ - python3 - python3-pip state: present - update_cache: no + update_cache: yes + cache_valid_time: 86400 tags: install-oletools - name: Olevba - Installation - ansible.builtin.shell: python3 -m pip install --upgrade pip oletools + ansible.builtin.pip: + name: + - oletools + state: latest + break_system_packages: true + become_user: vagrant tags: install-oletools ## pdfid, pdf-parser (DidierStensSuite) @@ -162,7 +181,8 @@ name: - poppler-utils state: present - update_cache: no + update_cache: yes + cache_valid_time: 86400 tags: install-pdftools - name: Pdftools - Cloning pdf github tools @@ -202,13 +222,14 @@ name: - tesseract-ocr state: present - update_cache: no + update_cache: yes + cache_valid_time: 86400 tags: install-tesseract - name: Tesseract - install language package ansible.builtin.get_url: url: "https://github.com/tesseract-ocr/tessdata/raw/4.00/{{ item }}.traineddata" - dest: /usr/share/tesseract-ocr/4.00/tessdata/ + dest: /usr/share/tesseract-ocr/5/tessdata/ with_items: - fra - eng @@ -225,7 +246,8 @@ - wget - unzip state: present - update_cache: no + update_cache: yes + cache_valid_time: 86400 tags: install-ghidra - name: Ghidra - Set the PATH environment for JAVA 
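Review bot: `state: absent` in the new "Remove unwanted packages" task uninstalls the packages but leaves their configuration files and any dependencies that are no longer needed; for crash-reporting and telemetry packages such as `whoopsie` and `apport`, adding `purge: true` and `autoremove: true` removes them completely. The task also fails if a release's vars file does not define `unwanted` (only jammy.yml and noble.yml in this patch do), which `pkg: "{{ unwanted | default([]) }}"` would tolerate. In the upgrade task below it, `upgrade: yes` is the module's safe upgrade; a short comment saying that `dist` was deliberately not chosen would document the intent.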
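Review bot: `update_cache: yes` with `cache_valid_time: 86400` is repeated in this task and in every other apt task the patch touches in this file, so the cache lifetime can only be changed by editing each one. Declaring it once, for example through play-level `module_defaults` for the apt module (confirm it also applies to the tasks written with the short name `apt:`) or through a variable such as `cache_valid_time: "{{ apt_cache_valid_time }}"`, keeps the tasks consistent. A comment stating that 86400 is seconds, i.e. one day, would also help, because a re-run within that window upgrades from an index that may be a day old.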
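Review bot: The new `ansible.builtin.pip` task for oletools uses `state: latest` with `break_system_packages: true`, so each provisioning run installs whatever release the index currently serves, outside the distribution's package management and with no version pin; the ProtonVPN pip task in the hunk at -568 does the same for `pyopenssl` and `cryptography`. For a sandbox that should be reproducible, pin the release (`name: oletools==<pinned version>` with `state: present`) or install into a dedicated environment through the module's `virtualenv:` option, which avoids overriding the system-package guard. `become_user: vagrant` hard-codes the account name; a variable shared by both pip tasks would keep them in step if the box user ever differs.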
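Review bot: The new `dest: /usr/share/tesseract-ocr/5/tessdata/` is hard-coded for releases that ship Tesseract 5, while this patch still maintains `vars/jammy.yml` and the VirtualBox target in config/targets.yaml stays on `ubuntu/jammy64`, where the previous `4.00` directory presumably still applies (confirm on a jammy guest). Moving the path into the per-release vars files, e.g. `dest: "{{ tessdata_dir }}"`, keeps both targets working. The URL in the same task still fetches from the `4.00` tag of tessdata; if that is deliberate, a comment such as `# 4.00 traineddata files are still used with tesseract 5` would say so.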
@@ -271,7 +293,7 @@ - name: Ghidra - Download source ansible.builtin.get_url: #todo(dfelo): use var for version. - url: https://github.com/NationalSecurityAgency/ghidra/archive/refs/tags/Ghidra_11.2_build.zip + url: https://github.com/NationalSecurityAgency/ghidra/archive/refs/tags/Ghidra_11.2.1_build.zip dest: /tmp/ghidra.zip tags: install-ghidra @@ -367,7 +389,8 @@ ansible.builtin.apt: name: brave-browser state: present - update_cache: no + update_cache: yes + cache_valid_time: 86400 tags: install-brave ## Yara @@ -376,7 +399,8 @@ ansible.builtin.apt: name: yara state: present - update_cache: no + update_cache: yes + cache_valid_time: 86400 tags: install-yara - name: Yara - Check if yara_scan exists in .zshrc @@ -407,7 +431,8 @@ - clamav - clamav-daemon state: present - update_cache: no + update_cache: yes + cache_valid_time: 86400 tags: install-clamav - name: ClamAV - Disable real time scanning @@ -416,7 +441,8 @@ - clamav - clamav-daemon state: present - update_cache: no + update_cache: yes + cache_valid_time: 86400 tags: install-clamav - name: ClamAV - Ensure clamav-daemon is stopped and disabled @@ -451,14 +477,15 @@ apt: name: code state: present - update_cache: no + update_cache: yes + cache_valid_time: 86400 tags: install-vscode ## Golang ######################################### - name: Golang - Downloading get_url: - url: "https://dl.google.com/go/go1.20.5.linux-{{ apt_arch }}.tar.gz" + url: "https://dl.google.com/go/go1.23.4.linux-{{ apt_arch }}.tar.gz" dest: /tmp/go.tar.gz mode: '0755' tags: install-golang 
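Review bot: The Ghidra archive is fetched by `get_url` without a `checksum:`, so a changed or tampered download would be unpacked and built unnoticed; the Go tarball in the hunk at -451 and the tesseract traineddata download earlier in this file have the same gap, whereas the ProtonVPN `.deb` task already pins a `sha256:`. Add `checksum: "sha256:<digest recorded for this archive>"` here, and a per-architecture digest variable for Go, since its URL varies with `apt_arch`. Tag archives generated by the forge are not guaranteed to stay byte-identical, so pinning a published release asset is the safer choice if one fits the build. Combined with the existing `#todo` about a version variable, version and digest would then be bumped together in one place.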
@@ -543,9 +570,9 @@ - name: ProtonVPN - Download deb ansible.builtin.get_url: - url: https://repo.protonvpn.com/debian/dists/stable/main/binary-all/protonvpn-stable-release_1.0.3-3_all.deb + url: https://repo.protonvpn.com/debian/dists/stable/main/binary-all/protonvpn-stable-release_1.0.6_all.deb dest: /tmp/package.deb - checksum: sha256:de7ef83a663049b5244736d3eabaacec003eb294a4d6024a8fbe0394f22cc4e5 + checksum: sha256:e5e03976d0980bafdf07da2f71b14fbc883c091e72b16772199742c98473002f tags: - install-protonvpn @@ -568,11 +595,20 @@ - pyopenssl - cryptography state: latest + break_system_packages: true + become_user: vagrant tags: - install-protonvpn - name: ansible.builtin.debug: - msg: Make sure to REBOOT for protonVPN to work + msg: | + Reboot for protonvpn to work! + For an unknown reason, protonvpn-cli login doesn't work without a proxy. + Run the following to login: + openssl x509 -inform der -in ~/Desktop/burp.cer -outform PEM -out ~/Desktop/burp.pem + sudo cp ~/Desktop/burp.pem /usr/local/share/ca-certificates/burp.pem + export http_proxy=http://localhost:8080 && export https_proxy=http://localhost:8080 && export REQUESTS_CA_BUNDLE=/usr/local/share/ca-certificates/burp.pem + protonvpn-cli login tags: - install-protonvpn diff --git a/res/ansible/pre-main.yml b/res/ansible/pre-main.yml new file mode 100644 index 0000000..d86c234 --- /dev/null +++ b/res/ansible/pre-main.yml @@ -0,0 +1,22 @@ +- hosts: all + gather_facts: yes + become: yes + handlers: + - name: Update GRUB configuration + ansible.builtin.command: update-grub + tasks: + - name: Copy files to /etc/grub.d/ + copy: + src: "{{ item }}" # Path to the source file on the control node + dest: "/etc/default/grub.d/" # Path to the destination on the target node + owner: root + group: root + mode: 0755 + with_fileglob: + - "files/grub.d/*.cfg" + notify: + - Update GRUB configuration + - name: + ansible.builtin.debug: + msg: | + "Please reboot the system to apply the changes." 
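Review bot: The login workaround printed by the new debug message exports `http_proxy`, `https_proxy` and `REQUESTS_CA_BUNDLE` into the user's shell, so everything started from that shell afterwards keeps going through the intercepting proxy, Python requests-based tools trust only its CA, and the VPN account credentials are readable in the proxy. Scope the variables to the single command, `http_proxy=http://localhost:8080 https_proxy=http://localhost:8080 REQUESTS_CA_BUNDLE=/usr/local/share/ca-certificates/burp.pem protonvpn-cli login`, and add a line telling the user to delete `burp.pem` once login has succeeded. The task also has an empty `name:`; `- name: ProtonVPN - Post-install notes` would make the run output readable.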
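Review bot: In the new pre-main.yml the copy task installs the GRUB drop-ins with `mode: 0755`, unquoted and executable, although the files only hold variable assignments for /etc/default/grub.d/; `mode: "0644"` is enough and the quoted form avoids the octal-versus-integer ambiguity of a bare YAML number. The `with_fileglob` also copies `disable-sve.cfg` to every target, so `arm64.nosve` ends up on the kernel command line of x86 guests as well; a guard such as `when: ansible_architecture == "aarch64" or item is not search("disable-sve")` limits it to the machines that need it. The task name says `/etc/grub.d/` while `dest` is `/etc/default/grub.d/`, and the final debug task has an empty `name:` and a message whose quotes under `|` are printed literally.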
diff --git a/res/ansible/vars/jammy.yml b/res/ansible/vars/jammy.yml index 9fd4ef4..6cda3c0 100644 --- a/res/ansible/vars/jammy.yml +++ b/res/ansible/vars/jammy.yml @@ -6,7 +6,6 @@ packages: - zsh - vim-gtk - terminator - - vim-gtk - kmod - unzip - git @@ -18,3 +17,14 @@ packages: - mpack # used for unpacking eml files. # network tools - nmap +unwanted: + - apport + - apport-symptoms + - popularity-contest + - ubuntu-report + - whoopsie + # cloud + - cloud-init + - cloud-guest-utils + - cloud-initramfs-copymods + - cloud-initramfs-dyn-netconf diff --git a/res/ansible/vars/noble.yml b/res/ansible/vars/noble.yml new file mode 100644 index 0000000..72d254e --- /dev/null +++ b/res/ansible/vars/noble.yml @@ -0,0 +1,31 @@ +packages: + # GUI + - ubuntu-desktop # this is for gnome4 + # base tools + - zsh + - vim-gtk3 + - terminator + - kmod + - unzip + - git + - firefox + - chromium-browser + # basic forensic tools + - libimage-exiftool-perl + - binwalk + - mpack # used for unpacking eml files. + # network tools + - nmap +unwanted: + - apport + - apport-symptoms + - popularity-contest + - ubuntu-report + - whoopsie + # cloud + - cloud-init + - cloud-guest-utils + - cloud-initramfs-copymods + - cloud-initramfs-dyn-netconf + # misc + - qrtr-tools