Packer build for VirtualBox

Signed-off-by: Bas Meijer <[email protected]>

.ansible-lint

@@ -0,0 +1,8 @@
+---
+# https://ansible-lint.readthedocs.io/en/latest/default_rules/
+exclude_paths:
+  - ./.tox
+  - ./roles/RHEL8-STIG
+skip_list:
+  - experimental  # all rules tagged as experimental
+...

.gitattributes

@@ -0,0 +1,19 @@
+# https://docs.github.com/en/repositories/working-with-files/managing-files/customizing-how-changed-files-appear-on-github
+# Default behaviour
+* text=auto
+
+# Scripts should have Unix endings
+*.py text eol=lf
+*.sh text eol=lf
+
+# Windows Batch or PowerShell scripts should have CRLF endings
+*.bat text eol=crlf
+*.ps1 text eol=crlf
+
+# adding github settings to show correct language
+*.md linguist-documentation
+*.yml linguist-detectable=true
+*.j2 linguist-detectable=true
+*.py linguist-detectable=true
+*.ps1 linguist-detectable=true
+*.sh linguist-detectable=true

.gitignore

@@ -0,0 +1,5 @@
+.vagrant/
+.vscode/
+Brewfile.lock.json
+output-rhel8/
+roles/RHEL8-STIG

.pre-commit-config.yaml

@@ -0,0 +1,43 @@
+---
+# https://pre-commit.com/hooks.html
+default_language_version:
+  python: python3.8
+exclude: .venv
+repos:
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v3.4.0
+    hooks:
+      - id: check-added-large-files
+      - id: check-case-conflict
+      - id: check-executables-have-shebangs
+      - id: check-json
+      - id: check-merge-conflict
+      - id: detect-private-key
+      - id: end-of-file-fixer
+      - id: forbid-new-submodules
+      - id: requirements-txt-fixer
+      - id: trailing-whitespace
+
+  - repo: https://github.com/adrienverge/yamllint
+    rev: v1.26.0
+    hooks:
+      - id: yamllint
+        args: [-c=.yamllint]
+
+  - repo: https://github.com/ansible-community/ansible-lint.git
+    rev: v6.4.0
+    hooks:
+      - id: ansible-lint
+        files: \.yml$
+
+  - repo: https://github.com/robertdebock/pre-commit
+    rev: v1.2.2
+    hooks:
+      - id: ansible_role_find_unused_variable
+      - id: ansible_role_find_empty_files
+      - id: ansible_role_find_empty_directories
+
+  - repo: https://github.com/jumanjihouse/pre-commit-hooks
+    rev: 2.1.5  # or specific git tag
+    hooks:
+      - id: shellcheck

.yamllint

@@ -0,0 +1,30 @@
+---
+# https://yamllint.readthedocs.io/en/stable/rules.html
+extends: default
+ignore: |
+  .tox/
+  .cache
+
+rules:
+  braces:
+    max-spaces-inside: 1
+    level: error
+  brackets:
+    max-spaces-inside: 1
+    level: error
+  indentation:
+    indent-sequences: consistent
+    spaces: 2
+    level: error
+  line-length:
+    max: 120
+    level: warning
+  key-duplicates: enable
+  new-line-at-end-of-file: enable
+  new-lines:
+    type: unix
+  trailing-spaces: enable
+  truthy:
+    allowed-values: ['true', 'false']
+    check-keys: false
+...

Brewfile

@@ -0,0 +1,4 @@
+cask "vagrant"
+cask "virtualbox"
+cask "virtualbox-extension-pack"
+brew "packer"

Makefile

@@ -0,0 +1,22 @@
+ANSIBLE_DEBUG=1
+lint:
+	vagrant validate
+	packer validate rhel8.pkr.hcl
+	ansible-inventory --graph
+	ansible-lint vagrant-playbook.yml
+
+clean: lint
+	@vagrant destroy -f
+	@vagrant box remove rhel8-disa-stig || /usr/bin/true
+	@rm -rf output-rhel8 .vagrant
+
+output-rhel8/rhel8.box:
+	packer build rhel8.pkr.hcl
+
+virtualbox: output-rhel8/rhel8.box
+	vagrant box add --force --name rhel8-disa-stig output-rhel8/rhel8.box
+	vagrant up rhel8-disa-stig
+
+image: output-rhel8/rhel8.box
+
+all: clean virtualbox

README.md

@@ -0,0 +1,28 @@
+# Provisioning
+
+We create an image with Hashicorp Packer and then use it to create a VM with Vagrant.
+
+`make all`
+
+All you need is to download the RHEL 8.5 ISO and put it in /Users/Shared/rhel-8.5-x86_64-dvd.iso or be logged in to the Red Hat Customer Portal and have the ISO downloaded.
+
+## Packer will create a DISA-STIG compliant image
+
+`make image`
+
+## Vagrant will create a VM from the image and mount the DVD as Yum repo.
+
+`make virtualbox`
+
+# Requirements
+
+### macOS computer
+
+These programs can be installed manually, or with `brew bundle`.
+### Apps
+- Packer
+- VirtualBox
+- Vagrante
+
+### Ansible
+run `source install.rc` in a terminal to create a Python virtualenv.

Vagrantfile

@@ -0,0 +1,55 @@
+# -*- mode: ruby -*-
+# vi: set ft=ruby :
+
+Vagrant.configure(2) do |config|
+
+  if Vagrant.has_plugin?("vagrant-vbguest")
+    config.vbguest.auto_update = false
+  end
+
+  config.ssh.insert_key = false
+  config.ssh.verify_host_key = false
+  config.vm.box_check_update = false
+
+
+  config.vm.provision :ansible do |ansible|
+    ansible.compatibility_mode = "2.0"
+    ansible_inventory = "inventories/vagrant.ini"
+    ansible.galaxy_role_file = "roles/requirements.yml"
+    ansible.galaxy_roles_path = "roles"
+    ansible.playbook = "vagrant-playbook.yml"
+    ansible.verbose = "v"
+    ansible.groups = {
+      "podman" => ["rhel8-disa-stig"],
+    }
+  end
+
+  config.vm.define 'rhel8-disa-stig', autostart: true, primary: true do |rhel8|
+    rhel8.vm.box = 'rhel8-disa-stig'
+    rhel8.vm.hostname = 'rhel8-disa-stig'
+    rhel8.vm.synced_folder ".", disabled: true
+    rhel8.vm.provider :virtualbox do |virtualbox|
+      virtualbox.name = 'rhel8-disa-stig'
+      virtualbox.gui = false
+      virtualbox.customize ["modifyvm", :id,
+        "--boot1", "disk",
+        "--boot2", "net",
+        "--boot3", "none",
+        "--boot4", "none",
+        "--audio", "none",
+        "--cpus", 2,
+        "--memory", 4096,
+        "--vrde", "on",
+        "--graphicscontroller", "VMSVGA",
+        "--vram", "128"
+      ]
+      virtualbox.customize ["storageattach", :id,
+        "--device", "0",
+        "--medium", "/Users/Shared/rhel-8.5-x86_64-dvd.iso",
+        "--port", "1",
+        "--storagectl", "SATA Controller",
+        "--type", "dvddrive"
+      ]
+    end
+  end
+end

Vagrantfile.template

@@ -0,0 +1,38 @@
+# -*- mode: ruby -*-
+# vi: set ft=ruby :
+
+Vagrant.configure(2) do |config|
+
+  if Vagrant.has_plugin?("vagrant-vbguest")
+    config.vbguest.auto_update = false
+  end
+
+  config.ssh.insert_key = false
+  config.ssh.verify_host_key = false
+  config.vm.box_check_update = false
+  config.vm.synced_folder ".""", "/vagrant", id: "vagrant-root", disabled: true
+
+  config.vm.define 'rhel8' do |srv|
+    srv.vm.box = 'rhel8-disa-stig'
+    srv.vm.hostname = 'rhel8-disa-stig'
+    srv.vm.network 'private_network', ip: '192.168.56.8'
+    srv.vm.provider :virtualbox do |virtualbox|
+      virtualbox.name = 'rhel8'
+      virtualbox.gui = false
+      virtualbox.customize ["modifyvm", :id, "--memory", 4096]
+      virtualbox.customize ["modifyvm", :id,
+        "--boot1", "disk",
+        "--boot2", "net",
+        "--boot3", "none",
+        "--boot4", "none",
+        "--audio", "none",
+        "--cpus", 2,
+        "--memory", 4096,
+        "--vrde", "on",
+        "--graphicscontroller", "VMSVGA",
+        "--vram", "128"
+      ]
+    end
+  end
+
+end

ansible.cfg

@@ -0,0 +1,3 @@
+[defaults]
+inventory = inventory/vagrant.ini
+callbacks_enabled = profile_tasks,timer

disa-stig-playbook.yml

@@ -0,0 +1,17 @@
+#!/usr/bin/env ansible-playbook -K
+---
+
+- name: Provision RHEL8 VM
+  hosts: all:!localhost
+  become: true
+  gather_facts: true
+  collections: community.general
+
+  vars_files:
+    - stig-vars.yml
+
+  roles:
+    - role: rhel8_fixes
+    - role: RHEL8-STIG
+      tags: run_audit
+...

install.rc

@@ -0,0 +1,6 @@
+# source this file in bash to create a Python 3 virtualenv with Ansible
+python3 -m venv ~/py3 --prompt '\[\e[31;40m\]A\[\e[m\]'
+source ~/py3/bin/activate
+python3 -m pip install --upgrade pip
+pip3 install wheel
+pip3 install -r requirements.txt

inventory/vagrant.ini

@@ -0,0 +1,12 @@
+[local]
+localhost ansible_ssh_host=127.0.0.1  ansible_connection=local ansible_python_interpreter=python3
+
+[vagrant:vars]
+ansible_ssh_user=vagrant
+ansible_ssh_private_key_file=~/.vagrant.d/insecure_private_key
+
+[vagrant:children]
+example
+
+[example]
+rhel8-disa-stig ansible_ssh_host=127.0.0.1 ansible_ssh_port=2222

kickstart/ks.cfg

@@ -12,8 +12,7 @@ lang en_US.UTF-8
 timezone Europe/Amsterdam --isUtc
 
 # Network information
-network --bootproto=dhcp
-network --hostname=rhel8
+network --bootproto=dhcp --hostname=rhel8
 
 rootpw vagrant
 firewall --enabled --ssh
@@ -58,7 +57,7 @@ services --enabled=NetworkManager,sshd
 selinux --enforcing
 
 user --name=vagrant --plaintext --password=vagrant --groups=wheel
-reboot
+reboot --eject
 %packages
 @Base
 @Core

register.yml

@@ -0,0 +1,20 @@
+#!/usr/bin/env ansible-playbook
+---
+
+- name: Provision RHEL8 VM
+  hosts: all:!localhost
+  become: true
+  gather_facts: true
+
+  tasks:
+    - name: Register RHEL 8
+      redhat_subscription:
+        state: present
+        username: "{{ lookup('env','RH_USER') }}"
+        password: "{{ lookup('env','RH_PASS') }}"
+        syspurpose:
+          role: "Red Hat Enterprise Server"
+          usage: "Development/Test"
+          service_level_agreement: "Self-Support"
+
+...