Merge branch 'remove-snap' into 'main'

remove snap See merge request !8

Merge branch 'remove-snap' into 'main'
6579db03 · Rob Kooper · 96b9da0d · f19c8801 · 6579db03 · 6579db03
Commit 6579db03 authored 6 months ago by Rob Kooper
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,12 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/) and this project adheres to [Semantic Versioning](http://semver.org/).
+## Unreleased
+### Changed
+- if ncsa_security, disable snap
+- if ncsa_security, limit ssh hosts to ncsa only
 ## 3.2.0 - 2024-08-04
 This allows to create a cluster that is RKE2 or K3S as well as RKE1. RKE1 is deprecated and will stop to be supported on July 31st, 2025. If you want to use either RKE2 or K3S you will need to change the `network_plugin`.

--- a/terraform/modules/cluster/nodes.tf
+++ b/terraform/modules/cluster/nodes.tf
@@ -65,7 +65,8 @@ resource "openstack_compute_instance_v2" "machine" {
    node_options   = lookup(local.node_options, each.value.role, "--worker")
    node_labels    = join(" ", [for l in each.value.labels : format("-l %s", replace(l, " ", "_"))])
    ncsa_security  = var.ncsa_security
-    taiga_enabled  = var.taiga_enabled
+    taiga_enabled  = var.taiga_enabled 
+    network_cidr   = var.network_cidr
    install_docker = local.rke1 && var.install_docker
  }))

--- a/terraform/modules/cluster/templates/user_data.tmpl
+++ b/terraform/modules/cluster/templates/user_data.tmpl
@@ -12,10 +12,6 @@ package_upgrade: true
 # install some packages
 packages:
  - chrony
-%{ if username == "centos" }
-  - iscsi-initiator-utils
-  - nfs-utils
-%{ endif }
 %{ if username == "ubuntu" }
  - open-iscsi
  - nfs-common
@@ -61,6 +57,11 @@ write_files:
           PubkeyAuthentication yes
           AuthorizedKeysFile .ssh/authorized_keys
           AuthenticationMethods publickey
+    # Allow cluster network
+    Match Address "${network_cidr}"
+           PubkeyAuthentication yes
+           AuthorizedKeysFile .ssh/authorized_keys
+           AuthenticationMethods publickey
    # Qualys Scanner
    Match User qualys
@@ -118,6 +119,17 @@ write_files:
    net.ipv6.conf.all.disable_ipv6 = 1
    net.ipv6.conf.default.disable_ipv6 = 1
 %{ endif }
+%{ if ncsa_security }
+%{ if username == "ubuntu" }
+- path: /etc/apt/preferences.d/nosnap.pref
+  permissions: "0644"
+  owner: root:root
+  content: |
+    Package: snapd
+    Pin: release a=*
+    Pin-Priority: -1
+%{ endif }
+%{ endif }
 %{ if username == "ubuntu" }
 - path: /etc/sysctl.d/50-increase-inotify.conf
  permissions: "0644"
@@ -156,6 +168,11 @@ write_files:
    # clean up default pool sources if we are using ncsa security
    sed -i 's/^pool/# pool/' /etc/chrony/chrony.conf
    systemctl restart chronyd
+    # remove snap
+    snap remove --purge lxd
+    snap remove --purge core20
+    snap remove --purge snapd
+    apt-get purge --auto-remove -y snapd
 %{ endif }
 %{ endif }
 %{ if username == "ubuntu" }