From 0aff90cf95c18ac0f5d7719bf577ea46068c7246 Mon Sep 17 00:00:00 2001
From: A Holt
Date: Tue, 14 Apr 2020 13:55:07 -0400
Subject: [PATCH 01/12] iiab-diagnostics: redact most passwords (WiFi passwords especially)

---
 scripts/iiab-diagnostics | 22 ++++++++++++----------
 1 file changed, 12 insertions(+), 10 deletions(-)

diff --git a/scripts/iiab-diagnostics b/scripts/iiab-diagnostics
index f5ab6b9c9..302c9c6e3 100755
--- a/scripts/iiab-diagnostics
+++ b/scripts/iiab-diagnostics
@@ -38,7 +38,8 @@ function cat_file_raw() { # $1 = path/filename; $2 = # of lines, for tail
 echo "FILE EXISTS BUT IS EMPTY!" >> $outfile
 elif [ $# -eq 1 ]; then
 echo >> $outfile
- cat $1 | iconv -t UTF-8//IGNORE >> $outfile
+ # Redact most passwords from /etc/hostapd/hostapd.conf, /etc/wpa_supplicant/wpa_supplicant.conf, /etc/iiab/local_vars.yml -- not much to worry about in /etc/iiab/iiab.ini
+ cat $1 | sed -e 's/^\(\s*psk=\).*/\1[REDACTED]/; s/^\(\s*wpa_passphrase=\).*/\1[REDACTED]/; s/^\([^#].*assword:\).*/\1 [REDACTED]/' | iconv -t UTF-8//IGNORE >> $outfile
 else # e.g. last 100 lines, maximum
 echo " ...ITS LAST $2 LINES FOLLOW..." >> $outfile
 echo >> $outfile
@@ -150,13 +151,13 @@ cat_file /etc/iiab/openvpn_handle
 cat_file /.iiab-image
 cat_file /etc/iiab/iiab.env
 cat_file /etc/iiab/iiab.ini
-cat_file /etc/iiab/local_vars.yml
+cat_file /etc/iiab/local_vars.yml # Redacts most passwords above
 cat_file /etc/iiab/iiab_state.yml
-cat_file /etc/iiab/config_vars.yml
+#cat_file /etc/iiab/config_vars.yml # No longer common
 cat_file /etc/resolv.conf
 cat_file /etc/network/interfaces
-cat_file /etc/hostapd/hostapd.conf # Auto-redact password?
-#cat_file /etc/wpa_supplicant/wpa_supplicant.conf # Auto-redact password?
+cat_file /etc/hostapd/hostapd.conf # Redacts most passwords above
+cat_file /etc/wpa_supplicant/wpa_supplicant.conf # Redacts most passwords above

 # Record all Ansible variables: SLOW! OUTPUT TOO LARGE?
 #pushd /opt/iiab/iiab > /dev/null
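Review bot: The new `sed` filter on the `cat $1 | sed -e …` line leaves several secret fields untouched in the files this commit collects (this hunk, and the `@@ -150` hunk that re-enables /etc/wpa_supplicant/wpa_supplicant.conf): wpa_supplicant's EAP `password=` and `private_key_passwd=`, hostapd's and wpa_supplicant's hex `wpa_psk=`, `sae_password=` and `wep_key0`..`wep_key3`, and ini-style `key = value` lines in /etc/iiab/iiab.ini, none of which match the `psk=`/`wpa_passphrase=` prefixes or the `assword:` form. Widening the two expressions covers them, e.g. `sed -e 's/^\(\s*\(psk\|wpa_psk\|wpa_passphrase\|private_key_passwd\|wep_key[0-3]\)=\).*/\1[REDACTED]/; s/^\([^#].*assword[[:space:]]*[:=]\).*/\1 [REDACTED]/'` (alternation is a GNU-sed extension, as `\s` already is). The filter runs only in the `$# -eq 1` branch; the `else` branch that tails a file appears to write it unfiltered, though its tail command is outside the hunk. The same line should also quote its argument, `cat -- "$1"`; the enclosing cat_file_raw() begins above the hunk.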
@@ -169,8 +170,8 @@ echo -e "\n\n\n\n3. CONTENT OF DIRECTORIES (1-LEVEL DEEP)\n" >> $outfile
 cat_dir /etc/network/interfaces.d
 cat_dir /etc/systemd/network
 cat_dir /etc/NetworkManager/system-connections
-cat_dir /etc/netplan
-#cat_dir /etc/sysconfig/network-scripts/if-cfg* # No longer common.
+cat_dir /etc/netplan # Redacts most passwords above
+#cat_dir /etc/sysconfig/network-scripts/if-cfg* # No longer common
 #cat_dir /etc/network # Above file /etc/network/interfaces suffices

 echo -e "\n 4. Output of Commands:\n"
@@ -187,15 +188,16 @@ cat_cmd 'ip route' 'Routing table'
 cat_cmd 'netstat -rn' 'Routing table (old view)'
 cat_cmd 'brctl show' 'Bridge for LAN side'
 cat_cmd 'sudo netstat -natp' 'Ports/Services in use'
-cat_cmd 'systemctl status dnsmasq' 'Is dnsmasq Ok?'
+cat_cmd 'systemctl status dnsmasq' 'Is dnsmasq running?'
 cat_cmd 'sudo journalctl -b 0 -u dnsmasq' 'dnsmasq log'
 cat_cmd 'networkctl' 'systemd-networkd status'
 cat_cmd 'nmcli d' 'NetworkManager status'
 cat_cmd 'sudo journalctl -b 0 -u networkd-dispatcher' 'networkd-dispatcher log'
 cat_cmd 'iw dev' 'List wireless interfaces'
-cat_cmd 'systemctl status hostapd' 'Is hostapd Ok?'
+cat_cmd 'systemctl status hostapd' 'Downstream Wi-Fi: Is hostapd running?'
+cat_cmd 'ls -l /etc/wpa_supplicant' 'Upstream Wi-Fi'
 cat_cmd 'ps -AH' 'Process hierarchy: staging of hostapd & wpa_supplicant?'
-cat_cmd 'dmesg | grep brcm' 'Diagnostic messages: RPi WiFi firmware'
+cat_cmd 'dmesg | grep brcm' 'Diagnostic messages: RPi Wi-Fi firmware'
 cat_cmd 'env' 'Environment variables'
 #cat_cmd 'ansible localhost -m setup 2>/dev/null' 'All Ansible facts'
 # For cleaner scraping of Ansible vars, consider "./runrole all-vars /tmp/all-ansible-vars" 27-31 lines above?

From c9ad4684be2ad6d0a5d0b691ae7514f89a49d005 Mon Sep 17 00:00:00 2001
From: A Holt
Date: Tue, 14 Apr 2020 14:00:29 -0400
Subject: [PATCH 02/12] Don't publish transmission_password during IIAB install

---
 roles/transmission/tasks/main.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/roles/transmission/tasks/main.yml b/roles/transmission/tasks/main.yml
index 2abc6efe5..24258f981 100644
--- a/roles/transmission/tasks/main.yml
+++ b/roles/transmission/tasks/main.yml
@@ -103,5 +103,6 @@
 value: "{{ transmission_kalite_languages }}"
 - option: transmission_username
 value: "{{ transmission_username }}"
- - option: transmission_password
- value: "{{ transmission_password }}"
+ # 2020-04-14: better to redact passwords from /etc/iiab/iiab.ini etc, so iiab-diagnostics command doesn't publish these, etc
+ #- option: transmission_password
+ # value: "{{ transmission_password }}"

From 825f37c070e04b31b93c5b0fa2874822ebf3f4b6 Mon Sep 17 00:00:00 2001
From: A Holt
Date: Wed, 15 Apr 2020 09:33:44 -0400
Subject: [PATCH 03/12] Update iiab-diagnostics.README.md

---
 scripts/iiab-diagnostics.README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/scripts/iiab-diagnostics.README.md b/scripts/iiab-diagnostics.README.md
index 0b968226d..4a44a6311 100644
--- a/scripts/iiab-diagnostics.README.md
+++ b/scripts/iiab-diagnostics.README.md
@@ -60,4 +60,4 @@ But first off, the file is compiled by harvesting 1 + 6 kinds of things:

 ## Source Code

-Please look over the bottom of [iiab-diagnostics](iiab-diagnostics) (lines 104-214 especially) to learn more about which common IIAB files and commands make this rapid troubleshooting possible.
+Please look over the bottom of [iiab-diagnostics](iiab-diagnostics) (lines 105-216 especially) to learn more about which common IIAB files and commands make this rapid troubleshooting possible.

From 8e5449cc8351660b01e825a121841fec2906807c Mon Sep 17 00:00:00 2001
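Review bot: Commenting out the `transmission_password` item stops new runs from writing it, but on hosts installed earlier the value is already in /etc/iiab/iiab.ini and nothing in this hunk removes it; the loop's module and path sit above the hunk, and an option/value list like this (presumably an `ini_file` loop) only adds or updates keys. Since the earlier commit in this series redacts `assword:` lines and not ini-style `key = value`, that stale entry would still be published by iiab-diagnostics. A follow-up task against the same path and section with `option: transmission_password` and `state: absent` would clean existing installs, and the new comment could state that intent instead of only pointing at redaction, e.g. `# 2020-04-14: no longer written; existing iiab.ini entries are removed by the task below`.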
From: A Holt
Date: Wed, 15 Apr 2020 09:47:50 -0400
Subject: [PATCH 04/12] Update iiab-diagnostics.README.md

---
 scripts/iiab-diagnostics.README.md | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/scripts/iiab-diagnostics.README.md b/scripts/iiab-diagnostics.README.md
index 4a44a6311..782720f40 100644
--- a/scripts/iiab-diagnostics.README.md
+++ b/scripts/iiab-diagnostics.README.md
@@ -2,7 +2,9 @@ To streamline troubleshooting of remote Internet-in-a-Box (IIAB) installations, we bundle up common machine/software diagnostics, all together in 1 human-readable small file, that can be easily circulated online AND offline.
-The ``pastebinit`` command can then be used to auto-upload this file, creating a short URL that makes it easier to pass around.
+Passwords (including Wi-Fi passwords) are auto-redacted from this file, to protect your community confidentiality.
+
+The ``pastebinit`` command can then be used to auto-upload this file, creating a short URL that makes it much easier to circulate among [volunteers](http://internet-in-a-box.org/pages/contributing.html).
 But first off, the file is compiled by harvesting 1 + 6 kinds of things:

From 955d5ba214eee479fc7c3e9dcff06de6642eb09a Mon Sep 17 00:00:00 2001
From: A Holt
Date: Thu, 16 Apr 2020 23:50:01 -0400
Subject: [PATCH 05/12] Recommend Ansible 2.9.7

---
 scripts/ansible | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/scripts/ansible b/scripts/ansible
index 2e7875ea5..985d1d636 100755
--- a/scripts/ansible
+++ b/scripts/ansible
@@ -1,7 +1,7 @@
 #!/bin/bash -e

 CURR_VER="undefined" # Ansible version you currently have installed
-GOOD_VER="2.9.6" # For XO laptops (pip install) & CentOS (yum install rpm)
+GOOD_VER="2.9.7" # For XO laptops (pip install) & CentOS (yum install rpm)
 # On other OS's we attempt the latest from PPA, which might be more recent

 export DEBIAN_FRONTEND=noninteractive

From e47e43e0174238f6b99e5c88d1a7ead2fc50f36b Mon Sep 17 00:00:00 2001
From: A Holt
Date: Thu, 16 Apr 2020 23:50:23 -0400
Subject: [PATCH 06/12] Recommend Ansible 2.9.7

---
 scripts/ansible-2.9.x | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/scripts/ansible-2.9.x b/scripts/ansible-2.9.x
index 81bfce59a..1f071bb9e 100755
--- a/scripts/ansible-2.9.x
+++ b/scripts/ansible-2.9.x
@@ -1,7 +1,7 @@
 #!/bin/bash -e

 CURR_VER="undefined" # Ansible version you currently have installed
-GOOD_VER="2.9.6" # For XO laptops (pip install) & CentOS (yum install rpm)
+GOOD_VER="2.9.7" # For XO laptops (pip install) & CentOS (yum install rpm)
 # On other OS's we attempt the latest from PPA, which might be more recent

 export DEBIAN_FRONTEND=noninteractive

From 8d666a5fb401ef448becc7372b00552a7ae92c62 Mon Sep 17 00:00:00 2001
From: A Holt
Date: Thu, 16 Apr 2020 23:50:50 -0400
Subject: [PATCH 07/12] Recommend Ansible 2.8.11

---
 scripts/ansible-2.8.x | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/scripts/ansible-2.8.x b/scripts/ansible-2.8.x
index 4d57bd1d1..304ee6f85 100755
--- a/scripts/ansible-2.8.x
+++ b/scripts/ansible-2.8.x
@@ -1,7 +1,7 @@
 #!/bin/bash -e

 CURR_VER="undefined" # Ansible version you currently have installed
-GOOD_VER="2.8.10" # For XO laptops (pip install) & CentOS (yum install rpm)
+GOOD_VER="2.8.11" # For XO laptops (pip install) & CentOS (yum install rpm)
 # On other OS's we attempt the latest from PPA, which might be more recent

 export DEBIAN_FRONTEND=noninteractive

From db67c122c3bb9b54e24ae2287ecc7fb9967a5510 Mon Sep 17 00:00:00 2001
From: A Holt
Date: Thu, 16 Apr 2020 23:53:19 -0400
Subject: [PATCH 08/12] Mandate Ansible 2.8.11+

---
 iiab-install | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/iiab-install b/iiab-install
index e2ef4a173..8a4a18560 100755
--- a/iiab-install
+++ b/iiab-install
@@ -11,7 +11,7 @@ CWD=`pwd`
 OS=`grep ^ID= /etc/*release|cut -d= -f2`
 OS=${OS//\"/}
 MIN_RPI_KERN=4.19.97 # If using Raspbian, 'rpi-update' should no longer be nec -- please use Raspbian 2020-02-13 or higher: https://github.com/iiab/iiab/issues/1993
-MIN_ANSIBLE_VER=2.8.10 # Ansible 2.8.3 and 2.8.6 have serious bugs, preventing their use with IIAB.
+MIN_ANSIBLE_VER=2.8.11 # Ansible 2.8.3 and 2.8.6 have serious bugs, preventing their use with IIAB.
 if [ ! -f /etc/iiab/local_vars.yml ]; then

From 2ca7ac9a0045179d250227b8dc4d6c0257668d62 Mon Sep 17 00:00:00 2001
From: Jerry Vonau
Date: Fri, 17 Apr 2020 06:43:45 -0500
Subject: [PATCH 09/12] https://bugs.launchpad.net/ubuntu/+bug/1872897

---
 roles/1-prep/tasks/raspberry_pi.yml | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/roles/1-prep/tasks/raspberry_pi.yml b/roles/1-prep/tasks/raspberry_pi.yml
index 75d06b593..adb7a0a46 100644
--- a/roles/1-prep/tasks/raspberry_pi.yml
+++ b/roles/1-prep/tasks/raspberry_pi.yml
@@ -24,12 +24,12 @@
 state: present
 when: rtc_id is defined and rtc_id != "none" and is_ubuntu

-- name: Enable bluetooth in /boot/firmware/syscfg.txt on Ubuntu (needs reboot)
- lineinfile:
- path: /boot/firmware/syscfg.txt
- regexp: '^include*'
- line: 'include btcfg.txt'
- when: is_ubuntu
+#- name: Enable bluetooth in /boot/firmware/syscfg.txt on Ubuntu (needs reboot)
+# lineinfile:
+# path: /boot/firmware/syscfg.txt
+# regexp: '^include*'
+# line: 'include btcfg.txt'
+# when: is_ubuntu

 - name: 'Ensure packages are installed: dphys-swapfile, fake-hwclock, iw, rfkill, wireless-tools'
 package:

From bad4481e2406d5d0f2c4f29274d83686ba668710 Mon Sep 17 00:00:00 2001
From: George Hunt
Date: Fri, 17 Apr 2020 20:42:46 -0700
Subject: [PATCH 10/12] google is almost an essential url, so do not divert it

---
 roles/captiveportal/templates/checkurls | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
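Review bot: The six commented-out lines in roles/1-prep/tasks/raspberry_pi.yml give no reason for disabling the bluetooth task; the only pointer is the Launchpad URL in the commit subject, which is lost once the file is read on its own. A one-line comment above the block, `# 2020-04-17: disabled until https://bugs.launchpad.net/ubuntu/+bug/1872897 is resolved`, would tell the next reader when it can be re-enabled instead of being removed as dead code. If the task is not expected to return, deleting it outright is clearer than six `#` lines.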
diff --git a/roles/captiveportal/templates/checkurls b/roles/captiveportal/templates/checkurls
index e71d4f375..c1b0d810e 100755
--- a/roles/captiveportal/templates/checkurls
+++ b/roles/captiveportal/templates/checkurls
@@ -16,7 +16,7 @@ teredo.ipv6.microsoft.com.nsatc.net
 captive.apple.com
 init-p01st.push.apple.com
 connectivitycheck.android.com
-www.google.com
+#www.google.com
 mtalk.google.com
 alt4-mtalk.google.com
 alt6-mtalk.google.com

From d56af73a93bd5d6f22f4ca93914733a585e446ce Mon Sep 17 00:00:00 2001
From: George Hunt
Date: Sat, 18 Apr 2020 07:26:43 -0700
Subject: [PATCH 11/12] remove msd.com for captive portal diversion

---
 roles/captiveportal/templates/checkurls | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/roles/captiveportal/templates/checkurls b/roles/captiveportal/templates/checkurls
index c1b0d810e..61719651f 100755
--- a/roles/captiveportal/templates/checkurls
+++ b/roles/captiveportal/templates/checkurls
@@ -10,7 +10,7 @@ ipv6.msftncsi.com.edgesuite.net
 www.msftncsi.com
 www.msftncsi.com.edgesuite.net
 www.msftconnecttest.com
-www.msn.com
+#www.msn.com
 teredo.ipv6.microsoft.com
 teredo.ipv6.microsoft.com.nsatc.net
 captive.apple.com

From 6cb7a4a88da1b2e590bd5b7c3572211e6db37c3d Mon Sep 17 00:00:00 2001
From: A Holt
Date: Sat, 18 Apr 2020 11:34:19 -0400
Subject: [PATCH 12/12] Comment out both kolibri.service timeout settings

---
 roles/kolibri/templates/kolibri.service.j2 | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/roles/kolibri/templates/kolibri.service.j2 b/roles/kolibri/templates/kolibri.service.j2
index 80faf1850..84515d3f8 100644
--- a/roles/kolibri/templates/kolibri.service.j2
+++ b/roles/kolibri/templates/kolibri.service.j2
@@ -10,8 +10,10 @@ Environment=KOLIBRI_HTTP_PORT={{ kolibri_http_port }}
 Environment=KOLIBRI_URL_PATH_PREFIX={{ kolibri_url_without_slash }}
 User={{ kolibri_user }}
 Group={{ apache_user }}
-TimeoutStartSec=infinity
-TimeoutStopSec=10
+# 2020-04-18 @jvonau: comment out both timeouts for now, in favor of 90 seconds
+# or whatever systemd / Kolibri favor? https://github.com/iiab/iiab/issues/2318
+# TimeoutStartSec=infinity
+# TimeoutStopSec=10
 ExecStart={{ kolibri_exec_path }} start
 ExecStop={{ kolibri_exec_path }} stop
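Review bot: Once both `TimeoutStartSec=infinity` and `TimeoutStopSec=10` are commented out, the unit inherits systemd's `DefaultTimeoutStartSec`/`DefaultTimeoutStopSec` (90s on an unmodified systemd), so the new comment's "90 seconds or whatever systemd / Kolibri favor?" can be made definite, e.g. `# Without these, systemd's DefaultTimeoutStartSec/DefaultTimeoutStopSec apply (90s unless changed in /etc/systemd/system.conf)`. Whether a 90s start limit is safe depends on the unit's Type= (outside the hunk): for Type=simple the start timeout is not enforced, whereas for forking or notify units a slow first start on a Raspberry Pi would now be killed where `infinity` previously let it finish. The hunk's last context line, by the header's line count presumably blank, is not visible here.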