Initial setup of a FreeBSD VPS

Archives Ansible Project
1

Hello, list–

First of all, I’m new here, and have only begun to learn about Ansible, but so far I am really impressed with the tool and the documentation. So, many thanks to the devs for that.

Anyway, I have a cloud VPS account with a hosting provider, where I plan on setting up some number of web servers, and probably other servers for backend services like databases. My OS of choice is FreeBSD 10; as far as I can tell, my provider (Greenqloud) does not give me the ability to replicate a fully-configured VPS, so I want to use Ansible to configure the system and install the necessary software. Now, FreeBSD doesn’t have Python installed by default, and there are some security measures I want to take before I start installing anything. Like this:

  1. Create a normal user account, and set its password.
  2. Disallow root logins.
  3. Change the SSHD port.
  4. Upload an authorized_keys file for the normal user.
  5. Disallow password authentication (actually it’s PAM challenge-response … but anyway, I want to allow only public key authentication).
  6. Install python, py-simplejson, and sudo.

So, a couple of questions about this: I understand that if I did step 6 first, I could probably do everything else with standard modules. But I feel it is important to tighten up SSH access first. Or do you think I’m being too paranoid? Once upon a time I might have thought so, but then I found out how many hits I was getting on port 22 from random hosts all over the world–scared the bejeezus out of me. Anyway, do you agree with my approach in principle?

The other thing I’m wondering is how to set the password for the new user. The documentation for the ‘pw’ utility states that it is possible to read a password from stdin or specified file descriptor, and you can also pass an encrypted password on the command line, but you cannot directly pass a clear-text password on the command line. So, any suggestions on this would be appreciated (and BTW, the default shell is csh).

Thanks for all info!

2

Oh, I should add that Greenqloud has partial support for the EC2 API. I’m not really familiar with EC2 yet, but I have the impression it wouldn’t help with this situation. Please let me know if I’m mistaken about that!

3

So I was working on a freebsd bootstrapping howto for ansible. I have not had time

https://docs.google.com/document/d/1Mt2bMDHjLvvdQ5BnnfxqUo13EHJhvWqtCwQJM18ozJ4/edit?usp=sharing

from what you mention my instructions for 10 might be wrong, but the ones for 8&9 might work.

4

IMO doing #6 first is only couple of seconds difference, so if you instantiate your server and do above steps all from within the same playbook - for somebody to hit your machine before you tighten the rules and guess the password would be incredibly lucky, not to mention that port scanning usually takes a long time too since I would imagine your provider would be doing some preliminary “cleaning” of traffic and would drop fast-rate port scans at the gate. In other words - if from the moment of server instantiation to execution of #6 you spent, say 2 minutes - probability is very low/unlikely that anything would happen to your box.

5

Hi, Brian--

So I was working on a freebsd bootstrapping howto for ansible. I have not
had time

https://docs.google.com/document/d/1Mt2bMDHjLvvdQ5BnnfxqUo13EHJhvWqtCwQJM18ozJ4/edit?usp=sharing

Well, it's a start. Thanks for working on it.

from what you mention my instructions for 10 might be wrong,

If you're referring to Python being preinstalled, yes, it looks to me
like that is nonstandard. I set up a test box using the stock "Disc 1"
ISO image of FreeBSD 10.0. Like the Greencloud VM, it was Pythonless.

[Brief aside here: I'm a long-time Linux user and fairly new to BSD,
but I'm really liking the fact that I can install the latest release
of FreeBSD on a 17-year

BTW, I tried a few ad hoc commands on the test machine, but they did
not work. I had no problem interactively from my desktop Linux box

6

[OOPS ... accidentally sent an incomplete reply. Stupid fingers]

Hi, Brian--

So I was working on a freebsd bootstrapping howto for ansible. I have not
had time

https://docs.google.com/document/d/1Mt2bMDHjLvvdQ5BnnfxqUo13EHJhvWqtCwQJM18ozJ4/edit?usp=sharing

Well, it's a start. Thanks for working on it.

from what you mention my instructions for 10 might be wrong,

If you're referring to Python being preinstalled, yes, it looks to me
like that is nonstandard. I set up a test box using the stock "Disc 1"
ISO image of FreeBSD 10.0. Like the Greencloud VM, it was Pythonless.

[Brief aside here: I'm a long-time Linux user and fairly new to BSD,
but I'm really liking the fact that I can install the latest release
of FreeBSD on a 17-year-old laptop and put it to good use. I don't
think any normal Linux distro would run on that box]

BTW, I tried sending a few ad hoc commands to the test machine last
night, but they did
not work. I had no problem interactively from my desktop Linux box,
but the ansible commands would just hang. The logfile on the BSD box
showed the login attempts, with no errors ... I imagine that means the
password was never sent. Maybe the problem was using the -k command
line switch to get a password prompt? From the docs I thought that was
the right thing to do, but maybe not. Have to try it again your way
when I get home.

Eventually I gave up and wrote a shell script. But I still want to use
ansible for this if I can--seems much more robust.

7

Hi, Dmitry--

8

are the commands using sudo? I had issues with some versions and/or configs
of sudo on BSD.

I'm no BSD expert but I've used it in a few jobs, I don't currently use it
but I try to keep my proficiency at least up to date and keep ansible
working with it to make an eventual transition back seamless :wink:

9

I updated the document as per feedback, thanks!​

10

Hi, Brian--

are the commands using sudo? I had issues with some versions and/or configs
of sudo on BSD.

No, sudo isn't installed at the point I am trying to run these
commands--and I'm not trying to use it in any case. But I believe I've
found the problem. The default SSHD config on FreeBSD uses PAM
challenge-response authentication. When I set
"ChallengeResponseAuthentication no" and "PasswordAuthentication yes,"
I am able to run the ansible raw command. Even though the two methods
look the same to the console user, apparently the 'sshpass' program
that ansible uses under the hood can't handle PAM authentication.

I also discovered that GreenQloud generates an SSH keypair for root
when you create the server. So maybe I can just use public key auth
from the beginning. Except I don't know where the private key is :-/

11

Hi again--

I updated the document as per feedback, thanks!

Um, I hate to be the bearer of bad news, but the pkg_* commands are
deprecated. Everybody is supposed to switch to the new package
manager, pkgng, which uses the single command 'pkg' with various
subcommands. FreeBSD 10 uses pkgng by default; on older versions, you
have to install it from the ports collection. And with the default
installation, you need to initialize the system. So the sequence goes
like this:

  pkg # First time only; initializes the pkgng system. There
is a prompt asking if you want to proceed [y/N];
                  # don't know how ansible handles that. Fortunately
on my GreenQloud server this step has already
                  # been done; maybe other cloud providers do the same.
  pkg install -y python py27-simplejson sudo
                  # The -y switch means to bypass the [y/N] prompt.
Also, I know Python 2.7 has a JSON library built in,
                  # but I thought I read somewhere in the ansible
docs that the third-party simplejson module was
                  # required.

If you need more information, check
http://www.freebsd.org/doc/handbook/pkgng-intro.html

12

no news, I was aware of pkgng but not sure on how to bypass the initialization, since pkg_add still works I chose to use that.​

13

ansible works with 2.7 no need for extra json install, simplejson is recommended when using earlier python versions.​

14

My OS of choice is FreeBSD 10; as far as I can tell, my provider (Greenqloud)

Hi Matt…
Before I go on to comment on your ansible+FreeBSD questions… just a quick comment on Greenqloud… Be a little ware of them… at the moment.
They have lost 2 FreeBSD VMs… and I mean completely, totally lost…

I am currently using Rackspace, but just started testing https://www.vultr.com
Vultr has some very competitive prices.

does not give me the ability to replicate a fully-configured VPS

… and no ETA when they will have it either…

, so I want to use Ansible to configure the system and install the necessary software

The way I do it with providers that don’t provide cloning/imaging is to have a prep script where I setup the minimum needed to make the machine an ansible target.
It varies from provider to provider what you get pre-installed so I end up slightly changing the script.

If you like I can send you my script… Just let me know and I will send it to you outside the list… since it has little to do with Ansible per se…

Now, FreeBSD doesn’t have Python installed by default

But many providers have it installed by the time you get the VM.

  1. Create a normal user account, and set its password.

I let Ansible do all of the user management.

  1. Disallow root logins.

I do this

#Allow ansible master as root
Match Address #.#.#.#
PermitRootLogin yes

  1. Change the SSHD port.

I have not done it yet, but I am thinking I will let ansible manage the /etc/ssh/sshd file.

  1. Upload an authorized_keys file for the normal user.

Currently I upload the key for the root user so between the IP requirement and the key requirement only the ansible machine can login to the machine as root.

  1. Disallow password authentication (actually it’s PAM challenge-response … but anyway, I want to allow only public key authentication).

Agree…

  1. Install python, py-simplejson, and sudo.

In my particular case I let ansible do that too.

So, a couple of questions about this: I understand that if I did step 6 first
, I could probably do everything else with standard modules
. But I feel it is important to tighten up SSH access first

Do both at the same time…

Or do you think I’m being too paranoid?

Not at all. I think it makes perfect sense… not root login, ssh key logins only and change port…

do you agree with my approach in principle?

Yes.

The other thing I’m wondering is how to set the password for the new user

I let ansible manage all my users

The documentation for the ‘pw’ utility states that it is possible to read a password from stdin

The user module for ansible can create a user and give it a password.

I consider myself an ansible newbie myself, but I would be more than happy to share with you my freebsd-base role.
Once I have more knowledge… and more time… I am thinking of starting to contribute to galaxy, the ansible repository, for FreeBSD oriented modules… or help with existing ones to make them FreeBSD aware.

By the way… are you having any issues installing from ports with ansible? Just filled a bug report… I am able to install using the pkg module, but not ports. At least the two that I tried to far both failed… I don’t go exploring for the sake of exploring… I use ansible to manage infrastructure for clients and have a smaller set of clients using FreeBSD… so have not tried other ports…

Would be curious to know if the issue I am having something others are having to… Was just on my way to post about that… when I saw your post…

15

… wary

16

Argh… I though I had reviewed the post…

  1. Install python, py-simplejson, and sudo.
    In my particular case I let ansible do that too.

I meant I let ansible install sudo… I use a script to prep the machine for ansible and depending on the provider that may include setting up python… but only for providers that don’t have imaging/cloning.

For those that allow imaging/cloning like Rackspace I prep an ansible client and then create clones from the image so they are ready to be managed by ansible.

In the case of Rackspace they allow you to also setup a key so in addition to using the image I also have the ansible master’s public key installed.