Saltstack 2019.2.5 on OpenBSD 6.6

by

Download ports

This will not always work.
This is not the recommended way and its not a clean way.
This method is only to make it work.

Maybe remove option –single-version-externally-managed not recognized from /usr/ports/lang/python/python.mk

Search for “single-version-externally-managed” in /usr/ports/lang/python/python.port.mk


cp -r /usr/ports/sysutil/salt /usr/ports/sysutil/salt2019.2.5

cd /usr/ports/sysutil/salt2019.2.5
rm -rf patches
Edit distinfo with the new version and correct hash/size
Edit Makefile to the following

# $OpenBSD: Makefile,v 1.135 2019/07/12 20:49:51 sthen Exp $

# optional dependencies
# https://github.com/saltstack/salt/blob/develop/doc/conf.py#L54
# libvirt-python
# py-GitPython
# py-croniter
# py-django
# py-libcloud (cloud-requirements.txt)
# py-mako
# py-mongo
# py-mysql
# py-pyinotify
# py-openssl
# py-redis
# rabbitmq

COMMENT =               remote execution and configuration management system

MODPY_EGG_VERSION =     2019.2.5
DISTNAME =              salt-${MODPY_EGG_VERSION}
REVISION =              0

CATEGORIES =            sysutils net devel

HOMEPAGE =              http://saltstack.org/

MAINTAINER =            Jasper Lievisse Adriaanse <[email protected]>

# Apache 2.0
PERMIT_PACKAGE =        Yes

MODPY_PI =              Yes
MODPY_VERSION =         ${MODPY_DEFAULT_VERSION_3}
MODPY_SETUPTOOLS =      No

MODULES =               lang/python

BUILD_DEPENDS =         textproc/py-yaml${MODPY_FLAVOR} \
                        www/py-jinja2${MODPY_FLAVOR} \
                        www/py-requests${MODPY_FLAVOR}

# requirements/base.txt
RUN_DEPENDS =           net/py-msgpack${MODPY_FLAVOR} \
                        net/py-msgpack${MODPY_FLAVOR} \
                        textproc/py-MarkupSafe${MODPY_FLAVOR} \
                        textproc/py-yaml${MODPY_FLAVOR} \
                        www/py-jinja2${MODPY_FLAVOR} \
                        www/py-requests${MODPY_FLAVOR} \
                        www/py-tornado${MODPY_FLAVOR}

# requirements/zeromq.txt
RUN_DEPENDS +=          net/py-zmq${MODPY_FLAVOR} \
                        security/py-cryptodome${MODPY_FLAVOR}

# salt/output/progress.py
RUN_DEPENDS +=          devel/py-progressbar${MODPY_FLAVOR}

# salt/modules/x509.py
RUN_DEPENDS +=          security/py-M2Crypto${MODPY_FLAVOR}

# max openfiles, soft: 3072, hard: 4096; DBus system session running...
TEST_IS_INTERACTIVE =   Yes
PORTHOME =              ${WRKDIST}
TEST_DEPENDS =          databases/py-mysql${MODPY_FLAVOR} \
                        devel/git \
                        devel/py-gitpython${MODPY_FLAVOR} \
                        devel/py-pip${MODPY_FLAVOR} \
                        devel/py-six${MODPY_FLAVOR} \
                        devel/py-virtualenv${MODPY_FLAVOR} \
                        devel/subversion \
                        net/py-libcloud${MODPY_FLAVOR} \
                        net/rabbitmq \
                        sysutils/salt-testing \
                        www/py-CherryPy${MODPY_FLAVOR}

# https://github.com/saltstack/salt/pull/45164
post-extract:
        cp ${FILESDIR}/{pf,vmctl}.py ${WRKSRC}/salt/modules/

pre-configure:
        ${SUBST_CMD} ${WRKSRC}/salt/returners/zabbix_return.py
        sed -i 's,share/man,man,g' ${WRKSRC}/setup.py
        sed -i 's,^#user: root,user: _salt,' ${WRKSRC}/conf/{master,proxy}

post-install:
        ${INSTALL_DATA_DIR} ${PREFIX}/share/examples
        cp -R ${WRKSRC}/conf ${PREFIX}/share/examples/salt

do-test:
        cd ${WRKSRC} && \
                ${MODPY_BIN} tests/runtests.py -v

.include <bsd.port.mk>

Then run

make plist

make package
/usr/ports/packages/amd64/all/salt-2019.2.5p0.tgz

The package is unsigned and when installing it the option “-D unsigned” must be used. (https://man.openbsd.org/pkg_add)

Done

Salt Capirca for BSD

by
Firewall

Use Salt to generate firewall rules for Open/Free-BSD
Google Capirca
Salt capirca_acl

This is not tested yet.
Since the syntax of pf.conf is not exactly the same between Free/Open-BSD some functions/attributes may not work(?)

Pillar-data:

acl:
  - my-filter:
      terms:
        - my-term:
            source_port: [1234, 1235]
            action: reject
        - my-other-term:
            source_port:
              - [5678, 5680]
            protocol: tcp
            action: accept
sudo salt freebsd* capirca.get_policy_config packetfilter
freebsd-lab:
    # Packetfilter my-filter Policy
    # $Date: 2020/08/19 $
    # inet
    
    # term my-term
    block return quick inet from { any } port { 1235 1234 } to { any } flags S/SA
    
    # term my-other-term
    pass quick inet proto { tcp } from { any } port { 5678:5680 } to { any } flags S/SA keep state

How to apply to pf.conf

/etc/pf.conf:
  file.managed:
    - contents: {{ salt.capirca.get_policy_config('packetfilter') }}

Build custom OpenBSD

by

https://man.openbsd.org/release

dd if=/dev/zero of=mydisk.img bs=1 count=0 seek=2G

vnconfig mydisk.img

fdisk -iy vnd0

disklabel -E vnd0
add slice a with all the storage

newfs /dev/vnd0a


mount /dev/vnd0a /mnt/
cd /mnt/

tar zxvfph base67.tgz

cp /etc/resolv.conf /mnt/etc
cp /etc/installurl /mnt/etc

cd /mnt/dev/
./MAKEDEV all

#If you want to make it bootable copy the kernel
cp /bsd /mnt/

chroot /mnt/ /bin/sh

#Set root password
passwd root

#Create a fstab
#sd0a

# cat /etc/boot.conf
set tty com0
stty com0 115200

#cat /etc/ttys
#tty00   "/usr/libexec/getty std.9600"   vt220   on secure
tty00   "/usr/libexec/getty std.115200"   vt220   on secure

Good idea now is to bake a backup of the image.

Other good stuff to consider:

  • Allow ssh?
  • Create additional users?
  • No network configuration has been made yet

Test the image

OpenBSD has vmd with vmctl that allows you to run a virtual machine easily.

vmctl start -m 1G -i 1 -b /bsd -d mydisk.img "myvm" -c
  • m – memory
  • i – #nr of interfaces (network)
  • b – bios/kernel
  • d – disk
  • c – attach console after start

Categories BSD