From 794db6717cf0a46ce6d7fb29e87f53e0faee88d9 Mon Sep 17 00:00:00 2001 From: "Rodrigo Rodriguez (Pragmatismo)" Date: Tue, 3 Jun 2025 23:51:27 -0300 Subject: [PATCH] feat(gb-infra): Enhance security and resource management by adding fail2ban installation, updating bot and email scripts for improved configuration, and implementing container size limits --- gb-infra/README.md | 3 + .../opt/gbo/tenants/default/bot/bot.sh | 75 +++++++++++++------ .../opt/gbo/tenants/default/email/email.sh | 47 ++++++------ .../default/shared/scripts/check-space.sh | 5 ++ .../tenants/default/shared/scripts/limits.sh | 49 ++++++++++-- .../default/shared/scripts/set-size-5GB.sh | 33 ++++++++ .../opt/gbo/tenants/default/social/.sh | 1 + 7 files changed, 162 insertions(+), 51 deletions(-) create mode 100644 gb-infra/src/templates/opt/gbo/tenants/default/shared/scripts/check-space.sh create mode 100644 gb-infra/src/templates/opt/gbo/tenants/default/shared/scripts/set-size-5GB.sh create mode 100644 gb-infra/src/templates/opt/gbo/tenants/default/social/.sh diff --git a/gb-infra/README.md b/gb-infra/README.md index c8efeb6..d310daa 100644 --- a/gb-infra/README.md +++ b/gb-infra/README.md @@ -7,6 +7,9 @@ rsync -avz --progress --bwlimit=0 -e "ssh -p 22 -T -c aes128-gcm@openssh.com -o # Security +apt update && apt install -y fail2ban +systemctl enable fail2ban + apt update && apt install -y fail2ban iptables-persistent diff --git a/gb-infra/src/templates/opt/gbo/tenants/default/bot/bot.sh b/gb-infra/src/templates/opt/gbo/tenants/default/bot/bot.sh index 42e6376..65e3025 100644 --- a/gb-infra/src/templates/opt/gbo/tenants/default/bot/bot.sh +++ b/gb-infra/src/templates/opt/gbo/tenants/default/bot/bot.sh @@ -1,6 +1,6 @@ #!/bin/bash -HOST_BASE="/opt/gbo/tenants/$PARAM_TENANT/botserver" +HOST_BASE="/opt/gbo/tenants/$PARAM_TENANT/bot" HOST_DATA="$HOST_BASE/data" HOST_CONF="$HOST_BASE/conf" HOST_LOGS="$HOST_BASE/logs" 
@@ -8,59 +8,90 @@ HOST_LOGS="$HOST_BASE/logs" mkdir -p "$HOST_DATA" "$HOST_CONF" "$HOST_LOGS" chmod -R 750 "$HOST_BASE" -lxc launch images:debian/12 "$PARAM_TENANT"-botserver -c security.privileged=true +lxc launch images:debian/12 "$PARAM_TENANT"-bot -c security.privileged=true sleep 15 -lxc exec "$PARAM_TENANT"-botserver -- bash -c " +lxc exec "$PARAM_TENANT"-bot -- bash -c " apt-get update && apt-get install -y \ build-essential cmake git pkg-config libjpeg-dev libtiff-dev \ libpng-dev libavcodec-dev libavformat-dev libswscale-dev \ libv4l-dev libatlas-base-dev gfortran python3-dev cpulimit \ expect libxtst-dev libpng-dev +sudo apt-get install -y libcairo2-dev libpango1.0-dev libgif-dev librsvg2-dev +sudo apt install xvfb -y + +sudo apt install -y \ + libnss3 \ + libatk1.0-0 \ + libatk-bridge2.0-0 \ + libcups2 \ + libdrm2 \ + libxkbcommon0 \ + libxcomposite1 \ + libxdamage1 \ + libxfixes3 \ + libxrandr2 \ + libgbm1 \ + libasound2 \ + libpangocairo-1.0-0 + export OPENCV4NODEJS_DISABLE_AUTOBUILD=1 export OPENCV_LIB_DIR=/usr/lib/x86_64-linux-gnu -useradd --system --no-create-home --shell /bin/false botserver +useradd --system --no-create-home --shell /bin/false bot " -BOT_UID=$(lxc exec "$PARAM_TENANT"-botserver -- id -u botserver) -BOT_GID=$(lxc exec "$PARAM_TENANT"-botserver -- id -g botserver) +BOT_UID=$(lxc exec "$PARAM_TENANT"-bot -- id -u bot) +BOT_GID=$(lxc exec "$PARAM_TENANT"-bot -- id -g bot) HOST_BOT_UID=$((100000 + BOT_UID)) HOST_BOT_GID=$((100000 + BOT_GID)) chown -R "$HOST_BOT_UID:$HOST_BOT_GID" "$HOST_BASE" -lxc config device add "$PARAM_TENANT"-botserver botdata disk source="$HOST_DATA" path=/var/lib/botserver -lxc config device add "$PARAM_TENANT"-botserver botconf disk source="$HOST_CONF" path=/etc/botserver -lxc config device add "$PARAM_TENANT"-botserver botlogs disk source="$HOST_LOGS" path=/var/log/botserver +lxc config device add "$PARAM_TENANT"-bot botdata disk source="$HOST_DATA" path=/opt/gbo/data +lxc config device add "$PARAM_TENANT"-bot 
botconf disk source="$HOST_CONF" path=/opt/gbo/conf +lxc config device add "$PARAM_TENANT"-bot botlogs disk source="$HOST_LOGS" path=/opt/gbo/logs -lxc exec "$PARAM_TENANT"-botserver -- bash -c " -mkdir -p /var/lib/botserver /etc/botserver /var/log/botserver -chown -R botserver:botserver /var/lib/botserver /etc/botserver /var/log/botserver +lxc exec "$PARAM_TENANT"-bot -- bash -c " +mkdir -p /opt/gbo/data /opt/gbo/conf /opt/gbo/logs +chown -R bot:bot /opt/gbo/data /opt/gbo/conf /opt/gbo/logs -cat > /etc/systemd/system/botserver.service < /etc/systemd/system/bot.service </dev/null || true -lxc config device add "$PARAM_TENANT"-botserver bot-proxy proxy \ +lxc config device remove "$PARAM_TENANT"-bot bot-proxy 2>/dev/null || true +lxc config device add "$PARAM_TENANT"-bot bot-proxy proxy \ listen=tcp:0.0.0.0:"$PARAM_BOT_PORT" \ connect=tcp:127.0.0.1:"$PARAM_BOT_PORT" \ No newline at end of file diff --git a/gb-infra/src/templates/opt/gbo/tenants/default/email/email.sh b/gb-infra/src/templates/opt/gbo/tenants/default/email/email.sh index 7c77945..e61a413 100644 --- a/gb-infra/src/templates/opt/gbo/tenants/default/email/email.sh +++ b/gb-infra/src/templates/opt/gbo/tenants/default/email/email.sh 
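Review bot: The added `sudo apt-get install ...` and `sudo apt install ...` lines run inside `lxc exec "$PARAM_TENANT"-bot -- bash -c "..."`, which already executes as root in the freshly launched `images:debian/12` container, so the `sudo` prefix is unnecessary and will fail outright if the image does not ship `sudo`; drop it. The inline script also has no `set -e`, so a failed package install or `useradd` does not stop it, and an empty `BOT_UID` then makes `HOST_BOT_UID=$((100000 + BOT_UID))` evaluate to 100000 and `chown -R "$HOST_BOT_UID:$HOST_BOT_GID" "$HOST_BASE"` hands the tenant directories to the wrong owner. Start the inline script with `set -e` and guard the lookup with `[[ -n "$BOT_UID" && -n "$BOT_GID" ]] || exit 1` before the `chown`. The systemd unit heredoc in the middle of this hunk is truncated on the page and was not reviewed.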
@@ -95,32 +95,35 @@ systemctl start email # Get container IP CONTAINER_IP=$(lxc list "$PARAM_TENANT"-email -c 4 --format csv | awk '{print $1}') -# Setup port forwarding -echo "[HOST] Setting up port forwarding..." + declare -A PORTS=( - ["email"]="$PARAM_EMAIL_SMTP_PORT" - ["http"]="$PARAM_EMAIL_HTTP_PORT" - ["imap"]="$PARAM_EMAIL_IMAP_PORT" - ["imaps"]="$PARAM_EMAIL_IMAPS_PORT" - ["pop3"]="$PARAM_EMAIL_POP3_PORT" - ["pop3s"]="$PARAM_EMAIL_POP3S_PORT" - ["submission"]="$PARAM_EMAIL_SUBMISSION_PORT" - ["submissions"]="$PARAM_EMAIL_SUBMISSIONS_PORT" - ["sieve"]="$PARAM_EMAIL_SIEVE_PORT" + ["smtp"]="25" + ["submission"]="587" + ["submissions"]="465" + ["imap"]="143" + ["imaps"]="993" + ["sieve"]="4190" ) for service in "${!PORTS[@]}"; do - # Container proxy device - lxc config device remove "$PARAM_TENANT"-email "$service-proxy" 2>/dev/null || true - lxc config device add "$PARAM_TENANT"-email "$service-proxy" proxy \ - listen=tcp:0.0.0.0:"${PORTS[$service]}" \ - connect=tcp:127.0.0.1:"${PORTS[$service]}" + port="${PORTS[$service]}" - # Host port forwarding - sudo iptables -t nat -A PREROUTING -i $PUBLIC_INTERFACE -p tcp --dport "${PORTS[$service]}" -j DNAT --to-destination "$CONTAINER_IP":"${PORTS[$service]}" + # Add LXC proxy device + lxc config device remove pragmatismo-email "${service}-proxy" 2>/dev/null || true + lxc config device add pragmatismo-email "${service}-proxy" proxy \ + listen=tcp:0.0.0.0:"${port}" \ + connect=tcp:"${CONTAINER_IP}":"${port}" \ + bind=host \ + nat=false + + # Add correct iptables rules + sudo iptables -t nat -A PREROUTING -i $PUBLIC_INTERFACE -p tcp --dport ${port} -j DNAT --to-destination ${CONTAINER_IP}:${port} + sudo iptables -A FORWARD -p tcp --dport ${port} -j ACCEPT done -# Save iptables rules again -if command -v iptables-persistent >/dev/null; then - sudo iptables-save | sudo tee /etc/iptables/rules.v4 -fi +# Enable IP forwarding +echo "net.ipv4.ip_forward=1" | sudo tee -a /etc/sysctl.conf +sudo sysctl -p + +# Save rules +sudo 
iptables-save | sudo tee /etc/iptables/rules.v4
\ No newline at end of file
diff --git a/gb-infra/src/templates/opt/gbo/tenants/default/shared/scripts/check-space.sh b/gb-infra/src/templates/opt/gbo/tenants/default/shared/scripts/check-space.sh
new file mode 100644
index 0000000..173252b
--- /dev/null
+++ b/gb-infra/src/templates/opt/gbo/tenants/default/shared/scripts/check-space.sh
@@ -0,0 +1,5 @@
+printf "%-20s %-10s %-10s %-10s %-6s %s\n" "CONTAINER" "USED" "AVAIL" "TOTAL" "USE%" "MOUNT"
+for container in $(lxc list -c n --format csv); do
+ disk_info=$(lxc exec $container -- df -h / --output=used,avail,size,pcent | tail -n 1)
+ printf "%-20s %s\n" "$container" "$disk_info"
+done
\ No newline at end of file
diff --git a/gb-infra/src/templates/opt/gbo/tenants/default/shared/scripts/limits.sh b/gb-infra/src/templates/opt/gbo/tenants/default/shared/scripts/limits.sh
index e985b86..2b86f1f 100644
--- a/gb-infra/src/templates/opt/gbo/tenants/default/shared/scripts/limits.sh
+++ b/gb-infra/src/templates/opt/gbo/tenants/default/shared/scripts/limits.sh
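Review bot: The new proxy-device lines hard-code the container name `pragmatismo-email` while the context line above derives it from `"$PARAM_TENANT"-email`, so this template breaks for every other tenant; use `"$PARAM_TENANT"-email` in both the `lxc config device remove` and `add` calls. The added `sudo iptables -A FORWARD -p tcp --dport ${port} -j ACCEPT` accepts forwarded traffic on that port to any destination rather than only the mail container; scope it with `-d "$CONTAINER_IP"` (and `-i "$PUBLIC_INTERFACE"`), and quote `$PUBLIC_INTERFACE`, `${port}` and `${CONTAINER_IP}` in both rules. `echo "net.ipv4.ip_forward=1" | sudo tee -a /etc/sysctl.conf` appends a duplicate line on every run and the `-A` rules accumulate the same way, so a drop-in such as `/etc/sysctl.d/<NAME>.conf` (placeholder name) and an `iptables -C ... || iptables -A ...` check would keep the script idempotent. The ports also moved from the `PARAM_EMAIL_*_PORT` variables to literals, which may be intended but removes per-tenant configurability.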
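Review bot: The header row names six columns (`CONTAINER USED AVAIL TOTAL USE% MOUNT`) but `df -h / --output=used,avail,size,pcent` returns only four fields, so the MOUNT column is never filled; add `target` to the `--output` list or drop the column from the header. `lxc exec $container` is unquoted and the file has no shebang; write `lxc exec "$container" -- df ...` and add `#!/usr/bin/env bash` as the first line. For a container that is not running `lxc exec` fails and `disk_info` is empty, so either skip non-running containers or put `|| continue` on the assignment to avoid printing blank rows.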
@@ -1,17 +1,52 @@ +#!/usr/bin/env bash + +# Define container limits in an associative array +declare -A container_limits=( + # Pattern Memory CPU Allowance + ["*alm*"]="5126MB:15ms/100ms" + ["*email*"]="1024MB:15ms/100ms" + ["*webmail*"]="1024MB:20ms/100ms" + ["*bot*"]="2048MB:20ms/100ms" + ["*drive*"]="1024MB:20ms/100ms" +) + +# Default values (for containers that don't match any pattern) +DEFAULT_MEMORY="1024MB" +DEFAULT_CPU_ALLOWANCE="15ms/100ms" +CPU_COUNT=1 +CPU_PRIORITY=10 + +# Configure all containers for container in $(lxc list -c n --format csv); do - lxc config set "$container" limits.memory 2048MB - lxc config set "$container" limits.cpu.allowance "20ms/100ms" - lxc config set "$container" limits.cpu 1 - lxc config set "$container" limits.cpu.priority 1 + echo "Configuring $container..." + + memory=$DEFAULT_MEMORY + cpu_allowance=$DEFAULT_CPU_ALLOWANCE + + # Check if container matches any pattern + for pattern in "${!container_limits[@]}"; do + if [[ $container == $pattern ]]; then + IFS=':' read -r memory cpu_allowance <<< "${container_limits[$pattern]}" + break + fi + done + + # Apply configuration + lxc config set "$container" limits.memory "$memory" + lxc config set "$container" limits.cpu.allowance "$cpu_allowance" + lxc config set "$container" limits.cpu "$CPU_COUNT" + lxc config set "$container" limits.cpu.priority "$CPU_PRIORITY" done -# Restart all containers (gracefully) +# Restart all containers +echo "Restarting containers..." for container in $(lxc list -c n --format csv); do echo "Restarting $container..." - lxc restart "$container" # --force ensures a hard restart if needed + lxc restart "$container" done -# Check limits for all containers +# Verify configuration +echo "Verifying limits..." for container in $(lxc list -c n --format csv); do echo "--- $container ---" lxc config show "$container" | grep -E "memory|cpu" 
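Review bot: The lookup in the new `for pattern in "${!container_limits[@]}"` loop depends on iteration order, but bash does not define the key order of an associative array, and `*email*` also matches every `*webmail*` container, so a webmail container receives whichever of the two limits happens to be visited first before the `break`. Either make the patterns mutually exclusive (for example `*-email`) or iterate an explicitly ordered indexed array of patterns with the most specific first and look each one up in `container_limits`. `["*alm*"]="5126MB:15ms/100ms"` looks like a typo for `5120MB` (5 GiB); please confirm. The hunk ends before the closing `done` of the verification loop.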
diff --git a/gb-infra/src/templates/opt/gbo/tenants/default/shared/scripts/set-size-5GB.sh b/gb-infra/src/templates/opt/gbo/tenants/default/shared/scripts/set-size-5GB.sh
new file mode 100644
index 0000000..b5b23d5
--- /dev/null
+++ b/gb-infra/src/templates/opt/gbo/tenants/default/shared/scripts/set-size-5GB.sh
@@ -0,0 +1,33 @@
+for container in $(lxc list --format csv -c n); do
+ echo "Processing $container..."
+
+ # Stop container safely
+ lxc stop "$container"
+
+ # Set new 5GB limit (works for most drivers)
+ if ! lxc config device override "$container" root size=5GB; then
+ echo "Failed to set config, trying alternative method..."
+ lxc config device set "$container" root size=5GB
+ fi
+
+ # Start container
+ lxc start "$container"
+
+ # Find root device inside container
+ ROOT_DEV=$(lxc exec "$container" -- df / --output=source | tail -1)
+
+ # Resize filesystem (with proper error handling)
+ if lxc exec "$container" -- which resize2fs >/dev/null 2>&1; then
+ echo "Resizing filesystem for $container..."
+ if [[ "$ROOT_DEV" == /dev/* ]]; then
+ lxc exec "$container" -- growpart "$(dirname "$ROOT_DEV")" "$(basename "$ROOT_DEV")"
+ lxc exec "$container" -- resize2fs "$ROOT_DEV"
+ else
+ echo "Non-standard root device $ROOT_DEV - manual resize needed"
+ fi
+ else
+ echo "resize2fs not available in $container - install it first"
+ fi
+
+ echo "Completed $container"
+done
\ No newline at end of file
diff --git a/gb-infra/src/templates/opt/gbo/tenants/default/social/.sh b/gb-infra/src/templates/opt/gbo/tenants/default/social/.sh
new file mode 100644
index 0000000..1db61e5
--- /dev/null
+++ b/gb-infra/src/templates/opt/gbo/tenants/default/social/.sh
@@ -0,0 +1 @@
+https://www.brasil247.com/mundo/meta-quer-automatizar-totalmente-publicidade-com-ia-ate-2026-diz-wsj
\ No newline at end of file
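Review bot: `growpart "$(dirname "$ROOT_DEV")" "$(basename "$ROOT_DEV")"` passes arguments of the form `/dev` and `sda1`, but growpart takes a disk and a partition number (`growpart /dev/sda 1`), so the `/dev/*` branch cannot work as written. With the usual LXD storage drivers the container root is not a block device and the `size=5GB` set on the `root` device already resizes the volume, so the whole resize branch is probably dead code — confirm against the pool driver in use. `lxc stop "$container"` is unconditional and, with no `set -e`, a failed stop still proceeds to reconfigure and `lxc start` the container, which also starts containers that were intentionally stopped; record each container's prior state and only start those that were running. `which resize2fs` should be `command -v resize2fs`, and the file needs a `#!/usr/bin/env bash` shebang.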
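Review bot: The new file `social/.sh` contains only a news URL, has no shebang and no shell content, and its name is just the extension, so it looks like an accidentally committed scratch note rather than part of the feature described in the commit message; remove it from this commit or give it a real name and purpose.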