From f19c88018f6b28005beedbbb81dfcbb88471d691 Mon Sep 17 00:00:00 2001
From: Rob Kooper <kooper@illinois.edu>
Date: Thu, 5 Sep 2024 22:00:37 -0500
Subject: [PATCH] remove snap

---
 CHANGELOG.md                                  |  6 +++++
 terraform/modules/cluster/nodes.tf            |  3 ++-
 .../modules/cluster/templates/user_data.tmpl  | 25 ++++++++++++++++---
 3 files changed, 29 insertions(+), 5 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8214f3b..d7fc799 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,12 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](http://keepachangelog.com/) and this project adheres to [Semantic Versioning](http://semver.org/).
 
+## Unreleased
+
+### Changed
+- if ncsa_security, disable snap
+- if ncsa_security, limit ssh hosts to ncsa only
+
 ## 3.2.0 - 2024-08-04
 
 This allows to create a cluster that is RKE2 or K3S as well as RKE1. RKE1 is deprecated and will stop to be supported on July 31st, 2025. If you want to use either RKE2 or K3S you will need to change the `network_plugin`.
diff --git a/terraform/modules/cluster/nodes.tf b/terraform/modules/cluster/nodes.tf
index 94e56d0..2de8b27 100644
--- a/terraform/modules/cluster/nodes.tf
+++ b/terraform/modules/cluster/nodes.tf
@@ -65,7 +65,8 @@ resource "openstack_compute_instance_v2" "machine" {
     node_options   = lookup(local.node_options, each.value.role, "--worker")
     node_labels    = join(" ", [for l in each.value.labels : format("-l %s", replace(l, " ", "_"))])
     ncsa_security  = var.ncsa_security
-    taiga_enabled  = var.taiga_enabled
+    taiga_enabled  = var.taiga_enabled 
+    network_cidr   = var.network_cidr
     install_docker = local.rke1 && var.install_docker
   }))
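Review bot: The changed `taiga_enabled  = var.taiga_enabled ` line now carries a trailing space, which `terraform fmt` will strip again on the next run and which makes the hunk touch a line it did not need to; the only intended addition is `network_cidr   = var.network_cidr`. The diffstat shows no change to the module's variables.tf, so `var.network_cidr` presumably already exists; since this value is interpolated into sshd_config by the template, it is worth confirming it is declared as a single CIDR string rather than a list. The `templatefile` argument map this sits in starts outside the hunk.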
 
diff --git a/terraform/modules/cluster/templates/user_data.tmpl b/terraform/modules/cluster/templates/user_data.tmpl
index 592be8f..b01889b 100644
--- a/terraform/modules/cluster/templates/user_data.tmpl
+++ b/terraform/modules/cluster/templates/user_data.tmpl
@@ -12,10 +12,6 @@ package_upgrade: true
 # install some packages
 packages:
   - chrony
-%{ if username == "centos" }
-  - iscsi-initiator-utils
-  - nfs-utils
-%{ endif }
 %{ if username == "ubuntu" }
   - open-iscsi
   - nfs-common
@@ -61,6 +57,11 @@ write_files:
            PubkeyAuthentication yes
            AuthorizedKeysFile .ssh/authorized_keys
            AuthenticationMethods publickey
+    # Allow cluster network
+    Match Address "${network_cidr}"
+           PubkeyAuthentication yes
+           AuthorizedKeysFile .ssh/authorized_keys
+           AuthenticationMethods publickey
 
     # Qualys Scanner
     Match User qualys
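Review bot: `Match Address "${network_cidr}"` is substituted verbatim into sshd_config, so an empty or malformed `network_cidr` produces a config that sshd rejects, and on first boot that means sshd never starts and the node is unreachable by the very access this block is meant to grant. Since variables.tf is not part of this patch, add a `validation` block to the existing variable with `condition = can(cidrhost(var.network_cidr, 0))` and an `error_message` saying a single CIDR is required, so the failure surfaces at plan time instead of as a locked-out node. The comment `# Allow cluster network` could say what is allowed from there (publickey-only login from any address in the cluster CIDR), since this widens the set of hosts that can reach sshd compared with the preceding Match. The `content:` block this sshd_config fragment belongs to starts outside the hunk.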
@@ -118,6 +119,17 @@ write_files:
     net.ipv6.conf.all.disable_ipv6 = 1
     net.ipv6.conf.default.disable_ipv6 = 1
 %{ endif }
+%{ if ncsa_security }
+%{ if username == "ubuntu" }
+- path: /etc/apt/preferences.d/nosnap.pref
+  permissions: "0644"
+  owner: root:root
+  content: |
+    Package: snapd
+    Pin: release a=*
+    Pin-Priority: -1
+%{ endif }
+%{ endif }
 %{ if username == "ubuntu" }
 - path: /etc/sysctl.d/50-increase-inotify.conf
   permissions: "0644"
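Review bot: The new pin file carries no rationale, and apt preferences support free-text `Explanation:` lines; add `Explanation: ncsa_security - snapd is purged at first boot and must not be reinstalled by apt` above `Package: snapd` so an operator reading /etc/apt/preferences.d later knows why snapd is uninstallable. A `Pin-Priority: -1` blocks snapd even when pulled in as a dependency, so any apt package with a hard Depends on snapd also becomes uninstallable on these nodes; that is presumably intended, but it is worth a sentence in the changelog entry. As a matter of style, the two nested directives could be the single `%{ if ncsa_security && username == "ubuntu" }`, which reads the same as the other `username` tests in this template.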
@@ -156,6 +168,11 @@ write_files:
     # clean up default pool sources if we are using ncsa security
     sed -i 's/^pool/# pool/' /etc/chrony/chrony.conf
     systemctl restart chronyd
+    # remove snap
+    snap remove --purge lxd
+    snap remove --purge core20
+    snap remove --purge snapd
+    apt-get purge --auto-remove -y snapd
 %{ endif }
 %{ endif }
 %{ if username == "ubuntu" }
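Review bot: The `snap remove` sequence hard-codes `lxd` and `core20`, but the base snap differs per Ubuntu release (core22 on 22.04, core24 on 24.04), and snapd generally refuses to remove itself while other snaps are still installed, so on newer images `snap remove --purge snapd` fails and only the `apt-get purge` line takes effect. Enumerate the installed snaps instead and remove them in dependency order: applications first, then the remaining base snaps, then snapd itself. Guarding with `command -v snap` keeps the step a no-op on images shipped without snapd, and plain `$s` (no braces) avoids colliding with the template's `${}` interpolation. The script these lines belong to starts outside the hunk, so whether it runs under `set -e` — which would abort the remaining cleanup on the first failed `snap remove` — is not visible here.
```shell
# … unchanged: chrony cleanup …
# remove snap: apps first, then bases, then snapd itself, so the list
# does not depend on the Ubuntu release (core20/core22/core24)
if command -v snap >/dev/null 2>&1; then
  for s in $(snap list 2>/dev/null | awk 'NR>1 && $1 !~ /^(snapd|core[0-9]*|bare)$/ {print $1}'); do
    snap remove --purge "$s"
  done
  for s in $(snap list 2>/dev/null | awk 'NR>1 && $1 != "snapd" {print $1}'); do
    snap remove --purge "$s"
  done
  snap remove --purge snapd
fi
apt-get purge --auto-remove -y snapd
```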
-- 
GitLab