diff --git a/CHANGELOG b/CHANGELOG
index 8d8fda7..86c45a7 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -6,6 +6,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [Unreleased]
+### Changed
+- [SYSCTL] Comment each setting and improve compatibility with hbsd14
+### Fixed
+- [RESOLV] Nameserver in jails
 ## [2.1.18] - 2025-10-24
diff --git a/etc/sysctl.conf b/etc/sysctl.conf
index ca9763b..89c1724 100644
--- a/etc/sysctl.conf
+++ b/etc/sysctl.conf
@@ -1,90 +1,92 @@
-kern.coredump=0
-kern.ipc.maxsockbuf=67108864
-kern.ipc.soacceptqueue=4096
+# http://netlab.dhis.org/download/software/os_cfg/FBSD/13/base/etc/sysctl.conf
+# http://netlab.dhis.org/download/software/os_cfg/FBSD/14/base/etc/sysctl.conf
-#Wires all shared pages, making them unswappable
-kern.ipc.shm_use_phys=1
-kern.maxfiles=204800
-kern.maxfilesperproc=128000
-kern.maxprocperuid=64000
-kern.maxvnodes=250000
-kern.sched.interact=5
-kern.sched.slice=1
-kern.sugid_coredump=0
-kern.threads.max_threads_per_proc=4096
-kern.msgbuf_show_timestamp=1
+kern.coredump=0 # Disable core dumps (prevents leaking sensitive memory data)
+kern.ipc.maxsockbuf=67108864 # Maximum socket buffer size (64 MB)
+kern.ipc.soacceptqueue=4096 # Max listen queue depth for TCP connections
-net.inet.carp.log=1
-net.inet.carp.preempt=1
+kern.ipc.shm_use_phys=1 # Lock shared memory segments in RAM (avoid swapping, improve IPC perf)
+kern.maxfiles=204800 # System-wide open file descriptor limit
+kern.maxfilesperproc=128000 # Per-process open file descriptor limit
+kern.maxprocperuid=64000 # Maximum number of processes per user ID
+kern.maxvnodes=250000 # Maximum number of vnodes (filesystem inode cache)
+kern.sched.interact=5 # Scheduler interactivity bias (lower = less interactive favoring)
+kern.sched.slice=1 # Scheduler time slice (ms)
+kern.sugid_coredump=0 # Disable core dumps for setuid/setgid binaries
+kern.threads.max_threads_per_proc=4096 # Max threads per process
+kern.msgbuf_show_timestamp=1 # Include timestamps in kernel message buffer (dmesg)
-net.inet.ip.intr_queue_maxlen=4096
-net.inet.ip.maxfragpackets=0
-net.inet.ip.maxfragsperpacket=0
-net.inet.ip.process_options=0
-net.inet.ip.random_id=1
-net.inet.ip.redirect=0
-net.inet.ip.sourceroute=0
-net.inet.ip.accept_sourceroute=0
-net.inet.ip.ttl=128
+net.inet.carp.log=1 # Enable CARP (failover) logging
+net.inet.carp.preempt=1 # Allow CARP preemption for faster master failover
-net.inet.icmp.maskrepl=0
-net.inet.icmp.log_redirect=0
-net.inet.icmp.drop_redirect=1
+net.inet.ip.intr_queue_maxlen=4096 # Max length of IP input queue
+net.inet.ip.maxfragpackets=0 # Disable fragmented packet reassembly (DoS protection)
+net.inet.ip.maxfragsperpacket=0 # Limit per-packet fragmentation
+net.inet.ip.process_options=0 # Ignore IP options (security hardening)
+net.inet.ip.random_id=1 # Randomize IP ID field (prevent fingerprinting)
+net.inet.ip.redirect=0 # Ignore ICMP redirects (anti-MITM)
+net.inet.ip.sourceroute=0 # Disable source routing
+net.inet.ip.accept_sourceroute=0 # Refuse source-routed packets
+net.inet.ip.ttl=128 # Default IP Time-To-Live value
-net.inet.tcp.abc_l_var=44
+net.inet.icmp.maskrepl=0 # Do not reply to ICMP address mask requests
+net.inet.icmp.log_redirect=0 # Do not log ICMP redirects
+net.inet.icmp.drop_redirect=1 # Drop ICMP redirects entirely
-#Let applications manage Keepalive
-net.inet.tcp.always_keepalive=0
+net.inet.tcp.abc_l_var=44 # Adjust congestion control ABC variable (RFC 3465)
-#Stops creating any state (nor socket neither compressed tcpw) for the TCP connection where both endpoints were local.
-net.inet.tcp.nolocaltimewait=1
+net.inet.tcp.always_keepalive=0 # Disable global TCP keepalive, let apps decide
-net.inet.tcp.delayed_ack=1
-net.inet.tcp.blackhole=2
-net.inet.tcp.drop_synfin=1
-net.inet.tcp.ecn.enable=1
-net.inet.tcp.fast_finwait2_recycle=1
-net.inet.tcp.icmp_may_rst=0
-net.inet.tcp.initcwnd_segments=44
-net.inet.tcp.isn_reseed_interval=4500
-net.inet.tcp.keepcnt=3
-net.inet.tcp.keepidle=10000
-net.inet.tcp.keepintvl=5000
-net.inet.tcp.minmss=536
-net.inet.tcp.maxtcptw=200000
-net.inet.tcp.msl=5000
-net.inet.tcp.recvbuf_auto=1
-net.inet.tcp.recvbuf_max=16777216
-net.inet.tcp.sendbuf_auto=1
-net.inet.tcp.sendbuf_inc=131072
-net.inet.tcp.sendbuf_max=16777216
-net.inet.tcp.syncache.rexmtlimit=0
-net.inet.tcp.syncookies=0
-net.inet.tcp.tso=0
+net.inet.tcp.nolocaltimewait=1 # Skip TIME_WAIT for loopback connections
-net.inet.udp.blackhole=1
+net.inet.tcp.delayed_ack=1 # Delay ACKs to piggyback with outgoing data
+net.inet.tcp.blackhole=2 # Drop TCP packets to closed ports (no RST)
+net.inet.tcp.drop_synfin=1 # Drop packets with SYN+FIN flags (scans/attacks)
+net.inet.tcp.ecn.enable=1 # Enable Explicit Congestion Notification (RFC 3168)
+# deprecated in 14.x ->
+net.inet.tcp.fast_finwait2_recycle=1 # Recycle FIN_WAIT_2 sockets faster
+net.inet.tcp.icmp_may_rst=0 # Do not reset TCP on ICMP errors
+net.inet.tcp.initcwnd_segments=44 # Initial congestion window size (segments)
+net.inet.tcp.isn_reseed_interval=4500 # ISN generator reseed interval (sec)
+net.inet.tcp.keepcnt=3 # Number of keepalive probes before closing
+net.inet.tcp.keepidle=10000 # Idle time before first keepalive (ms)
+net.inet.tcp.keepintvl=5000 # Interval between keepalive probes (ms)
+net.inet.tcp.minmss=536 # Minimum TCP MSS
+net.inet.tcp.msl=5000 # Maximum Segment Lifetime (ms)
+net.inet.tcp.recvbuf_auto=1 # Enable automatic receive buffer tuning
+net.inet.tcp.recvbuf_max=16777216 # Max receive buffer size (16 MB)
+net.inet.tcp.sendbuf_auto=1 # Enable automatic send buffer tuning
+net.inet.tcp.sendbuf_inc=131072 # Incremental send buffer growth step (128 KB)
+net.inet.tcp.sendbuf_max=16777216 # Max send buffer size (16 MB)
+net.inet.tcp.syncache.rexmtlimit=0 # Disable SYN cache retransmit limit
+net.inet.tcp.syncookies=0 # Disable SYN cookies (only needed during SYN flood)
+net.inet.tcp.tso=0 # Disable TCP Segmentation Offload (can cause driver issues)
-net.inet6.icmp6.nodeinfo=0
-net.inet6.icmp6.rediraccept=0
-net.inet6.ip6.accept_rtadv=0
-net.inet6.ip6.auto_linklocal=0
-net.inet6.ip6.maxfragpackets=0
-net.inet6.ip6.maxfrags=0
-net.inet6.ip6.prefer_tempaddr=1
-net.inet6.ip6.use_tempaddr=1
-net.inet6.ip6.use_deprecated=0
+net.inet.udp.blackhole=1 # Drop UDP packets to closed ports (no ICMP unreachable)
-net.local.dgram.maxdgram=65535
-net.local.dgram.recvspace=65535
+net.inet6.icmp6.nodeinfo=0 # Disable ICMPv6 Node Information responses
+net.inet6.icmp6.rediraccept=0 # Reject ICMPv6 redirects
+net.inet6.ip6.accept_rtadv=0 # Disable IPv6 Router Advertisements (no autoconf)
+# read-only now, use ifconfig instead ->
+net.inet6.ip6.auto_linklocal=0 # Do not auto-generate link-local addresses
+net.inet6.ip6.maxfragpackets=0 # Disable IPv6 fragment reassembly
+net.inet6.ip6.maxfrags=0 # Limit fragment buffer usage
+net.inet6.ip6.prefer_tempaddr=1 # Prefer temporary (privacy) addresses
+net.inet6.ip6.use_tempaddr=1 # Enable IPv6 temporary address generation
+net.inet6.ip6.use_deprecated=0 # Do not use deprecated IPv6 addresses
-security.bsd.hardlink_check_gid=1
-security.bsd.hardlink_check_uid=1
-security.bsd.see_other_gids=0
-security.bsd.see_other_uids=0
-security.bsd.stack_guard_page=1
-security.bsd.unprivileged_proc_debug=0
-security.bsd.unprivileged_read_msgbuf=0
+net.local.dgram.maxdgram=65535 # Max datagram size for UNIX domain sockets
+net.local.dgram.recvspace=65535 # Receive buffer size for UNIX domain sockets
-vfs.zfs.vdev.async_read_max_active=6
-vfs.zfs.vdev.sync_read_max_active=20
-vfs.read_max=128
+security.bsd.hardlink_check_gid=1 # Prevent hardlinking across GIDs (privilege restriction)
+security.bsd.hardlink_check_uid=1 # Prevent hardlinking across UIDs (mitigate privilege escalation)
+security.bsd.see_other_gids=0 # Hide processes of other GIDs (isolation)
+security.bsd.see_other_uids=0 # Hide processes of other UIDs (privacy)
+security.bsd.stack_guard_page=1 # Enable stack guard page (stack overflow protection)
+security.bsd.unprivileged_proc_debug=0 # Disallow ptrace/debug on other users’ processes
+security.bsd.unprivileged_read_msgbuf=0 # Prevent non-root users from reading kernel message buffer
+
+vfs.zfs.bclone_enabled=1 # Allows shallow copies of data blocks (introduced in OpenZFS 2.2).
+vfs.zfs.vdev.async_read_max_active=6 # Max active async ZFS reads per vdev
+vfs.zfs.vdev.sync_read_max_active=20 # Max active sync ZFS reads per vdev
+vfs.read_max=128 # Max number of blocks per read-ahead operation
diff --git a/home/vlt-adm/system/configure_jail_hosts.sh b/home/vlt-adm/system/configure_jail_hosts.sh
index 580819b..135f1be 100644
--- a/home/vlt-adm/system/configure_jail_hosts.sh
+++ b/home/vlt-adm/system/configure_jail_hosts.sh
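Review bot: `vfs.zfs.bclone_enabled=1` near the end of the hunk is a new setting rather than a comment, so this commit turns on ZFS block cloning while the CHANGELOG line for it only describes commenting the file and improving hbsd14 compatibility. As far as I know OpenZFS has shipped 2.2 releases with block cloning off by default after corruption reports, so please confirm the OpenZFS version on the hbsd14 target, and either give this line its own CHANGELOG entry or move it to a separate commit. The two arrow comments `# deprecated in 14.x ->` and `# read-only now, use ifconfig instead ->` leave `net.inet.tcp.fast_finwait2_recycle` and `net.inet6.ip6.auto_linklocal` in place, so on a kernel where the OID is gone or read-only the sysctl rc script should print an error for each of them at every boot; either remove those two settings or say in the comment why they are kept. The comment on `net.inet.tcp.syncookies=0` reads as a justification, but SYN cookies are the fallback once the syncache is exhausted under a flood, so a more accurate comment would be `# SYN cookies disabled: under a SYN flood the syncache fills and new connections are refused`.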
@@ -15,20 +15,43 @@ JAIL_NAME="$1"
 TARGET="/zroot/${JAIL_NAME}"
 # Configure /etc/hosts of jail
-/bin/echo "::1 localhost" > ${TARGET}/etc/hosts
-/bin/echo "127.0.0.1 localhost" >> ${TARGET}/etc/hosts
-/bin/echo "fd00::202 mongodb" >> ${TARGET}/etc/hosts
-/bin/echo "127.0.0.2 mongodb" >> ${TARGET}/etc/hosts
-/bin/echo "fd00::203 redis" >> ${TARGET}/etc/hosts
-/bin/echo "127.0.0.3 redis" >> ${TARGET}/etc/hosts
-/bin/echo "fd00::204 rsyslog" >> ${TARGET}/etc/hosts
-/bin/echo "127.0.0.4 rsyslog" >> ${TARGET}/etc/hosts
-/bin/echo "fd00::205 haproxy" >> ${TARGET}/etc/hosts
-/bin/echo "127.0.0.5 haproxy" >> ${TARGET}/etc/hosts
-/bin/echo "127.0.0.6 apache" >> ${TARGET}/etc/hosts
-/bin/echo "fd00::206 apache" >> ${TARGET}/etc/hosts
-/bin/echo "127.0.0.7 portal" >> ${TARGET}/etc/hosts
-/bin/echo "fd00::207 portal" >> ${TARGET}/etc/hosts
+cat << EOF > ${TARGET}/etc/hosts
+127.0.0.1 localhost
+::1 localhost
+127.0.0.2 mongodb
+fd00::202 mongodb
+127.0.0.3 redis
+fd00::203 redis
+127.0.0.4 rsyslog
+fd00::204 rsyslog
+127.0.0.5 haproxy
+fd00::205 haproxy
+127.0.0.6 apache
+fd00::206 apache
+127.0.0.7 portal
+fd00::207 portal
+EOF
 # Host's dnsmasq resolver is used by jails -> local loopback of the jail
-echo "nameserver ${JAIL_NAME}" > ${TARGET}/etc/resolv.conf
+case "$JAIL_NAME" in
+ mongodb)
+ /bin/echo "nameserver 127.0.0.2" > ${TARGET}/etc/resolv.conf
+ ;;
+ redis)
+ /bin/echo "nameserver 127.0.0.3" > ${TARGET}/etc/resolv.conf
+ ;;
+ rsyslog)
+ /bin/echo "nameserver 127.0.0.4" > ${TARGET}/etc/resolv.conf
+ ;;
+ haproxy)
+ /bin/echo "nameserver 127.0.0.5" > ${TARGET}/etc/resolv.conf
+ ;;
+ apache)
+ /bin/echo "nameserver 127.0.0.6" > ${TARGET}/etc/resolv.conf
+ ;;
+ portal)
+ /bin/echo "nameserver 127.0.0.7" > ${TARGET}/etc/resolv.conf
+ ;;
+ *)
+ ;;
+esac
diff --git a/home/vlt-adm/system/network-ips.sh b/home/vlt-adm/system/network-ips.sh
index 17dac91..720c760 100644
--- a/home/vlt-adm/system/network-ips.sh
+++ b/home/vlt-adm/system/network-ips.sh
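Review bot: The `*)` branch of the new `case` on `$JAIL_NAME` writes nothing, so a jail name that is not in the list leaves `${TARGET}/etc/resolv.conf` missing or stale with no diagnostic, whereas the removed line at least wrote something; an unknown jail should fail loudly. The address table is now kept twice in this file (the heredoc and the `case`) and a third time in the identical `case` this commit adds to `home/vlt-adm/system/write_hostname.sh`, so the copies will drift the next time a jail is added. Since the loopback alias is already written into the jail's hosts file a few lines above, the resolver address can be looked up there instead of repeated, which also makes the unknown-jail case explicit; the same lookup would replace the `case` in write_hostname.sh. `${TARGET}` is expanded unquoted throughout, which is pre-existing but worth quoting while this block is rewritten.
```sh
# … unchanged: heredoc that writes ${TARGET}/etc/hosts …
# Host's dnsmasq resolver is used by jails -> local loopback of the jail;
# take the IPv4 loopback alias that the hosts table above assigns to this jail
ns=$(/usr/bin/awk -v jail="${JAIL_NAME}" '$1 ~ /^127\./ && $2 == jail { print $1; exit }' "${TARGET}/etc/hosts")
if [ -z "${ns}" ]; then
    /bin/echo "configure_jail_hosts: no loopback address known for jail '${JAIL_NAME}'" >&2
    exit 1
fi
/bin/echo "nameserver ${ns}" > "${TARGET}/etc/resolv.conf"
```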
@@ -34,7 +34,7 @@ if /sbin/ifconfig | grep -q "$management_ip"; then
 # The Node has been removed of the replicaset, restart mongodb to re-initiate
 /usr/sbin/jexec mongodb service mongod restart
- # If boostrap has already be done,
+ # If bootstrap has already be done,
 if /usr/local/bin/sudo -u vlt-os /home/vlt-os/env/bin/python /home/vlt-os/vulture_os/manage.py is_node_bootstrapped >/dev/null 2>&1 ; then
 # Update node network ips in Mongo
 /usr/local/bin/sudo -u vlt-os /home/vlt-os/env/bin/python /home/vlt-os/vulture_os/manage.py shell -c "from system.cluster.models import Node ; n = Node.objects.get(name=\"`hostname`\") ; n.management_ip = \"$management_ip\" ; n.internet_ip = \"$internet_ip\" ; n.backends_outgoing_ip = \"$backends_outgoing_ip\" ; n.logom_outgoing_ip = \"$logom_outgoing_ip\" ; n.save()"
diff --git a/home/vlt-adm/system/register_vulture_repos.sh b/home/vlt-adm/system/register_vulture_repos.sh
index 24183ea..4ed5d88 100644
--- a/home/vlt-adm/system/register_vulture_repos.sh
+++ b/home/vlt-adm/system/register_vulture_repos.sh
@@ -1,11 +1,13 @@
 #!/usr/bin/env sh
 # Usage update_repositories [prefix_dir]
+OS_RELEASE=`/usr/bin/grep 'branch="' $1/etc/hbsd-update.conf | /usr/bin/sed 's/branch="\(.*\)"/\1/'`
+OS_BRANCH_VERSION=`/usr/bin/grep 'os_version="' $1/etc/hbsd-update.conf | /usr/bin/sed 's/os_version="\(.*\)"/\1/'`
 pkg_url="http://pkg.vultureproject.org/"
 vulture_conf="Vulture.conf"
 pkg_ca="pkg.vultureproject.org"
-update_url="http://updates.vultureproject.org/"
-vulture_update_conf="hbsd-update.conf"
+update_url="http://hbsd.vultureproject.org/"
+vulture_update_conf="hbsd-update-${OS_RELEASE}-${OS_BRANCH_VERSION}.conf"
 vulture_update_ca="ca.vultureproject.org"
 temp_dir=$(mktemp -d)
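Review bot: `OS_RELEASE` and `OS_BRANCH_VERSION` are read from `$1/etc/hbsd-update.conf` with no check that the file exists or that either key matched, so on a missing or unexpected file both expand empty and `vulture_update_conf` silently becomes `hbsd-update--.conf`, which the later download step then reports as a fetch failure instead of the real cause. Add a guard right after the two assignments, e.g. `[ -n "${OS_RELEASE}" ] && [ -n "${OS_BRANCH_VERSION}" ] || { /bin/echo "[/] Cannot read branch/os_version from ${1}/etc/hbsd-update.conf" >&2; exit 1; }`; the script's `finalize` helper is presumably defined further down, so it cannot be used at this point in the file. `$1` should also be quoted in both command substitutions: an unset prefix makes the path `/etc/hbsd-update.conf`, which may be intended, but a prefix containing whitespace breaks the grep.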
@@ -45,8 +47,8 @@ update_repositories() {
 /bin/echo "[-]${_log_header} Done"
 fi
- /bin/mkdir -p "${prefix_dir}/usr/local/etc/pkg/repos"
- /usr/bin/printf "# HardenedBSD are now disabled by default on Vulture\n# Vulture repositories should be enough to go by, but you can delete this file if you want to enable default HBSD repos again\nHardenedBSD: { enabled: no }\n" > ${prefix_dir}/usr/local/etc/pkg/repos/HardenedBSD.disabled.conf
+ # /bin/mkdir -p "${prefix_dir}/usr/local/etc/pkg/repos"
+ # /usr/bin/printf "# HardenedBSD are now disabled by default on Vulture\n# Vulture repositories should be enough to go by, but you can delete this file if you want to enable default HBSD repos again\nHardenedBSD: { enabled: no }\n" > ${prefix_dir}/usr/local/etc/pkg/repos/HardenedBSD.disabled.conf
 /bin/echo -n "[*]${_log_header} Backing up default configurations:"
 for conf in ${prefix_dir}/etc/hbsd-update*.conf ; do
@@ -68,15 +70,15 @@ update_repositories() {
 fi
 if [ ! -f ${temp_dir}/${vulture_conf} ]; then
- /usr/local/bin/wget -q ${pkg_url}${vulture_conf} --directory-prefix="${temp_dir}" || finalize 1 "[/] Failed to download ${vulture_conf}"
+ /usr/bin/fetch -q -o "${temp_dir}" ${pkg_url}${vulture_conf} || finalize 1 "[/] Failed to download $vulture_conf"
 /bin/echo -n "."
 fi
- /bin/cp -f "${temp_dir}/${vulture_conf}" "${prefix_dir}/etc/pkg/${vulture_conf}"
+ /usr/bin/sed "s/current/${OS_RELEASE}/" "${temp_dir}/${vulture_conf}" > "${prefix_dir}/etc/pkg/${vulture_conf}"
 /bin/echo -n "."
 if [ ! -f ${temp_dir}/${pkg_ca} ]; then
- /usr/local/bin/wget -q ${pkg_url}${pkg_ca} --directory-prefix="${temp_dir}" || finalize 1 "[/] Failed to download $pkg_ca"
+ /usr/bin/fetch -q -o "${temp_dir}" ${pkg_url}${pkg_ca} || finalize 1 "[/] Failed to download $pkg_ca"
 /bin/echo -n "."
 fi
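Review bot: The two `mkdir`/`printf` lines that wrote `HardenedBSD.disabled.conf` are commented out rather than deleted, which leaves dead code in the function and hides a real behaviour change: fresh installs no longer disable the default HardenedBSD pkg repository, so packages will be resolved from it and from Vulture's repository. If that is intended, delete the two lines (git history keeps them), add a CHANGELOG entry, and check that `Vulture.conf` sets a repository `priority` so that same-named packages come from the intended source; if it is not intended, restore them. Hosts that already carry `HardenedBSD.disabled.conf` keep it, so old and new installs will behave differently until that is reconciled. The enclosing `update_repositories()` function starts and ends outside this hunk.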
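Review bot: The new `/usr/bin/sed "s/current/${OS_RELEASE}/"` rewrites the first `current` on every line of the downloaded `Vulture.conf`, and `OS_RELEASE` is spliced into the expression unescaped, so an empty value strips the word and yields a broken repository URL, and a value containing `/` or `&` breaks or mangles the substitution. Anchor the match and use a delimiter that cannot appear in a branch name, e.g. `/usr/bin/sed "s|/current/|/${OS_RELEASE}/|" "${temp_dir}/${vulture_conf}" > "${prefix_dir}/etc/pkg/${vulture_conf}"` (this assumes the URL in `Vulture.conf` has a `current` path segment, which is not visible here), and refuse an empty `OS_RELEASE` before this point is reached. The `fetch` replacement keeps the `|| finalize 1` error path, which is good. `update_repositories()` starts and ends outside this hunk.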
@@ -84,15 +86,15 @@ update_repositories() {
 /bin/echo -n "."
 if [ ! -f ${temp_dir}/${vulture_update_conf} ]; then
- /usr/local/bin/wget -q ${update_url}${vulture_update_conf} --directory-prefix="${temp_dir}" || finalize 1 "[/] Failed to download $vulture_update_conf"
+ /usr/bin/fetch -q -o "${temp_dir}" ${update_url}${vulture_update_conf} || finalize 1 "[/] Failed to download $vulture_update_conf"
 /bin/echo -n "."
 fi
- /bin/mkdir -p "${prefix_dir}/etc" && /bin/cp -f "${temp_dir}/${vulture_update_conf}" "${prefix_dir}/etc/${vulture_update_conf}"
+ /bin/mkdir -p "${prefix_dir}/etc" && /bin/cp -f "${temp_dir}/${vulture_update_conf}" "${prefix_dir}/etc/hbsd-update.conf"
 /bin/echo -n "."
 if [ ! -f ${temp_dir}/${vulture_update_ca} ]; then
- /usr/local/bin/wget -q ${update_url}${vulture_update_ca} --directory-prefix="${temp_dir}" || finalize 1 "[/] Failed to download $vulture_update_ca"
+ /usr/bin/fetch -q -o "${temp_dir}" ${update_url}${vulture_update_ca} || finalize 1 "[/] Failed to download $vulture_update_ca"
 /bin/echo -n "."
 fi
diff --git a/home/vlt-adm/system/write_hostname.sh b/home/vlt-adm/system/write_hostname.sh
index f7d3d10..9a41ba6 100644
--- a/home/vlt-adm/system/write_hostname.sh
+++ b/home/vlt-adm/system/write_hostname.sh
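Review bot: `ca.vultureproject.org` and the hbsd-update configuration are fetched from `${update_url}`, which the first hunk of this file sets to plain `http://`, so the file that presumably becomes the trust anchor for hbsd-update is obtained over an unauthenticated channel and an on-path party could substitute both it and the configuration it validates. If the mirror serves TLS, switch `update_url` to `https://`; independently of transport, pin the expected digest of the CA file in the script and check it after the download, e.g. `/sbin/sha256 -c "<EXPECTED_CA_SHA256>" "${temp_dir}/${vulture_update_ca}" >/dev/null || finalize 1 "[/] CA checksum mismatch"`, with the placeholder replaced by the real digest (the same applies to `pkg_ca` in the `@@ -68` hunk). Copying to the fixed name `${prefix_dir}/etc/hbsd-update.conf` while the download keeps the versioned `${vulture_update_conf}` name is fine, but deserves a one-line comment so the next reader does not look for a file of the versioned name under `/etc`. `update_repositories()` starts and ends outside this hunk.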
@@ -70,11 +70,32 @@ fi
 /bin/cp /etc/hosts /zroot/mongodb/etc/hosts
 /usr/bin/sed -i '' "s/$ip/127.0.0.2/" /zroot/mongodb/etc/hosts
-#Copy hosts file to jails
-for jail in apache mongodb redis rsyslog haproxy portal; do
+# Copy hosts file to jails
+for jail in mongodb redis rsyslog haproxy apache portal; do
 #TODO deprecate file
 /bin/echo "${hostname}" > /zroot/${jail}/etc/host-hostname
- /bin/echo "nameserver ${jail}" > /zroot/${jail}/etc/resolv.conf
+ case "$jail" in
+ mongodb)
+ /bin/echo "nameserver 127.0.0.2" > /zroot/${jail}/etc/resolv.conf
+ ;;
+ redis)
+ /bin/echo "nameserver 127.0.0.3" > /zroot/${jail}/etc/resolv.conf
+ ;;
+ rsyslog)
+ /bin/echo "nameserver 127.0.0.4" > /zroot/${jail}/etc/resolv.conf
+ ;;
+ haproxy)
+ /bin/echo "nameserver 127.0.0.5" > /zroot/${jail}/etc/resolv.conf
+ ;;
+ apache)
+ /bin/echo "nameserver 127.0.0.6" > /zroot/${jail}/etc/resolv.conf
+ ;;
+ portal)
+ /bin/echo "nameserver 127.0.0.7" > /zroot/${jail}/etc/resolv.conf
+ ;;
+ *)
+ ;;
+ esac
 done
 # Reload dnsmasq service to account for potential changes in /etc/hosts