Skip to content

Commit

Permalink
Use official docker images and repack and install client
Browse files Browse the repository at this point in the history
  • Loading branch information
s-westphal committed Apr 18, 2024
1 parent 8721da0 commit 33a136c
Show file tree
Hide file tree
Showing 12 changed files with 132 additions and 213 deletions.
2 changes: 1 addition & 1 deletion installing-and-running-grr/advanced-usecases/sandbox.md
Original file line number Diff line number Diff line change
Expand Up @@ -46,7 +46,7 @@ You will have to create a ```demo``` user first. The script will ask you for a p

You can create the ```demo``` user by executing the command listed in the box below.
```
docker exec -it sandbox-grr-admin-1 /grr/venv/bin/grr_config_updater add_user demo
docker exec -it sandbox-grr-admin-1 grr_config_updater add_user demo --secondary_configs /config/grr-server/server.local.yaml
```
With the ```demo``` user in place you can now point your browser to the GRR UI: [http://localhost:8000](http://localhost:8000)

Expand Down
Original file line number Diff line number Diff line change
@@ -1,8 +1,8 @@
mysql_data_source_name: "fleetspeak-user:fleetspeak-password@tcp(mysql-fleetspeak:3306)/fleetspeak"
https_config: <
listen_address: "0.0.0.0:9090"
certificates: "FRONTEND_CERTIFICATE"
key: "FRONTEND_KEY"
certificates: "FLEETSPEAK_CERT"
key: "FLEETSPEAK_KEY"
frontend_config: <
https_header_checksum_config: <
client_certificate_header: "x-client-certificate"
Expand Down
Original file line number Diff line number Diff line change
@@ -1,6 +1,16 @@
Client.fleetspeak_enabled: true
ClientBuilder.fleetspeak_bundled: true
Client.foreman_check_frequency: 30

Logging.verbose: true
Logging.engines: file,stderr
Logging.path: /
Logging.filename: /grr-client.log

Client.executable_signing_public_key: "%(/config/public-key.pem|file)"
Target:Linux:
ClientBuilder.fleetspeak_client_config: /config/grr-client/config.textproto
Target:Windows:
ClientBuilder.fleetspeak_client_config: /config/grr-client/config.textproto
Target:Darwin:
ClientBuilder.fleetspeak_client_config: /config/grr-client/config.textproto
Original file line number Diff line number Diff line change
@@ -1,9 +1,9 @@
client_certificate_header: "x-client-certificate"
trusted_certs: "FRONTEND_CERTIFICATE"
trusted_certs: "TRUSTED_FLEETSPEAK_CERT"
server: "fleetspeak-server:10000"
client_label: ""
filesystem_handler: <
configuration_directory: "/config/"
state_file: "/fleetspeak.state"
configuration_directory:"/config/grr-client/"
state_file:"/fleetspeak.state"
>
streaming: true
Original file line number Diff line number Diff line change
Expand Up @@ -2,10 +2,10 @@ name: "GRR"
factory: "Daemon"
config: {
[type.googleapis.com/fleetspeak.daemonservice.Config]: {
argv: "/grr/venv/bin/python"
argv: "python"
argv: "-m"
argv: "grr_response_client.grr_fs_client"
argv: "--config"
argv: "/grr/venv/install_data/etc/client.yaml"
argv: "grr_response_client.client"
argv: "--secondary_configs"
argv: "/config/grr-client/client.yaml"
}
}
Original file line number Diff line number Diff line change
@@ -1,42 +1,43 @@
Database.implementation: MysqlDB
Blobstore.implementation: DbBlobStore

API.DefaultRouter: ApiCallRouterWithoutChecks

Server.initialized: true
Server.fleetspeak_enabled: true
Server.fleetspeak_server: fleetspeak-admin:9091
FleetspeakFrontend Context:
Server.fleetspeak_message_listen_address: 0.0.0.0:11111

Mysql.host: mysql-grr
Mysql.port: 3306
Mysql.database_name: grr
Mysql.database: grr
Mysql.database_username: grr-user
Mysql.username: grr-user
Client.server_urls:
- http://localhost:8080/
Mysql.password: grr-password
Mysql.database_name: grr
Mysql.database_username: grr-user
Mysql.database_password: grr-password
Mysql.flow_processing_threads_max: 20

AdminUI.url: http://localhost:8000
AdminUI.bind: 0.0.0.0
AdminUI.headless: true
AdminUI.use_precompiled_js: true
AdminUI.csrf_secret_key: random_passphrase_123____PLEASE_REPLACE___

Logging.domain: localhost
Logging.verbose: true
Logging.engines: file,stderr
Logging.path: /grr
Logging.filename: /grr/grr-server.log
Monitoring.alert_email: grr-monitoring@localhost
Monitoring.emergency_access_email: grr-emergency@localhost
Mysql.database_password: grr-password
Mysql.password: grr-password
Mysql.flow_processing_threads_max: 20

Frontend.certificate: |
FRONTEND_CERTIFICATE
Client.executable_signing_public_key: |
%(/config/public-key.pem|file)
PrivateKeys.executable_signing_private_key: |
%(/config/private-key.pem|file)
AdminUI.csrf_secret_key: O$YTx01F2BuxgT4DoVSI hJVuhWOxyuuxJhg#lg96ARF_fWLabzN5kjAy0UBcI9GDrUPo1v
b7PyF3vj4pqRrc8oegeJ8XgIyI5X
Server.fleetspeak_enabled: true
Client.fleetspeak_enabled: true
ClientBuilder.fleetspeak_bundled: true
Target:Linux:
ClientBuilder.fleetspeak_client_config: /grr/venv/fleetspeak-server-bin/etc/fleetspeak-server/linux_client.config
Target:Windows:
ClientBuilder.fleetspeak_client_config: /grr/venv/fleetspeak-server-bin/etc/fleetspeak-server/windows_client.config
Target:Darwin:
ClientBuilder.fleetspeak_client_config: /grr/venv/fleetspeak-server-bin/etc/fleetspeak-server/darwin_client.config
Server.fleetspeak_server: fleetspeak-admin:9091
FleetspeakFrontend Context:
Server.fleetspeak_message_listen_address: 0.0.0.0:11111
Server.initialized: true
Original file line number Diff line number Diff line change
Expand Up @@ -13,8 +13,8 @@ RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
&& apt-get -qq update -y \
&& apt-get -qq install --no-install-recommends -y curl
COPY --chmod=777 "$ENVOY_CONFIG" /etc/envoy.yaml
COPY --chmod=644 cert.pem /etc/cert.pem
COPY --chmod=644 key.pem /etc/key.pem
COPY --chmod=644 fleetspeak-cert.pem /etc/cert.pem
COPY --chmod=644 fleetspeak-key.pem /etc/key.pem
CMD ["/usr/local/bin/envoy", "-c", "/etc/envoy.yaml"]

FROM envoy-base as envoy-admin
Expand Down

This file was deleted.

This file was deleted.

This file was deleted.

Original file line number Diff line number Diff line change
@@ -1,26 +1,36 @@
#!/bin/bash
openssl ecparam -list_curves

# generate a private key for a curve
openssl ecparam -name prime256v1 -genkey -noout -out key.pem

# optional: generate corresponding public key
#openssl ec -in key.pem -pubout -out public-key.pem

# create a self-signed certificate
openssl req -new -x509 -key key.pem -out cert.pem -days 365 -subj "/C=AU/CN=fleetspeak-server" -addext "subjectAltName = DNS:fleetspeak-server"

export FRONTEND_PEM="$(cat cert.pem | sed 's/^/ /g' | sed ':a;N;$!ba;s/\n/\\n/g' | sed 's/\$/\\$/g')"
export FRONTEND_CERT=$(sed ':a;N;$!ba;s/\n/\\\\n/g' cert.pem)
export FRONTEND_KEY=$(sed ':a;N;$!ba;s/\n/\\\\n/g' key.pem)
set -ex

echo $FRONTEND_PEM
echo $FRONTEND_CERT
echo $FRONTEND_KEY

sed -i "s@FRONTEND_CERTIFICATE@${FRONTEND_PEM}@" ./config/grr-server/server.local.yaml

sed -i 's@FRONTEND_CERTIFICATE@'"$FRONTEND_CERT"'@' ./config/fleetspeak-frontend/components.textproto
sed -i 's@FRONTEND_CERTIFICATE@'"$FRONTEND_CERT"'@' ./config/grr-client/config.textproto
openssl ecparam -list_curves

sed -i 's@FRONTEND_KEY@'"$FRONTEND_KEY"'@' ./config/fleetspeak-frontend/components.textproto
# Generate key pair .pem files, which is linked in the GRR client and
# server configs (client.yaml, server.local.yaml).
openssl ecparam -name prime256v1 -genkey -noout -out config/private-key.pem
openssl ec -in config/private-key.pem -pubout -out config/public-key.pem

# Create a CA/trusted private key and cert for Fleetspeak.
openssl ecparam -name prime256v1 -genkey -noout \
-out fleetspeak-ca-key.pem
openssl req -new -x509 -days 365 -subj "/CN=Fleetspeak CA"\
-key fleetspeak-ca-key.pem \
-out fleetspeak-ca-cert.pem \

# Create keys for CA signed key and cert for fleetspeak. Resulting files are also
# copied in the envoy container, see containers/envoy/Dockerfile).
openssl ecparam -name prime256v1 -genkey -noout \
-out fleetspeak-key.pem
openssl req -new -x509 -days 365 -subj "/CN=Fleetspeak CA" -addext "subjectAltName = DNS:fleetspeak-server" \
-key fleetspeak-key.pem \
-out fleetspeak-cert.pem \
-CA fleetspeak-ca-cert.pem \
-CAkey fleetspeak-ca-key.pem

# Replace placeholders in fleetspeak and grr-client textproto files.
TRUSTED_FLEETSPEAK_CERT=$(sed ':a;N;$!ba;s/\n/\\\\n/g' fleetspeak-ca-cert.pem)
FLEETSPEAK_KEY=$(sed ':a;N;$!ba;s/\n/\\\\n/g' fleetspeak-key.pem)
FLEETSPEAK_CERT=$(sed ':a;N;$!ba;s/\n/\\\\n/g' fleetspeak-cert.pem)

sed -i 's@FLEETSPEAK_CERT@'"$FLEETSPEAK_CERT"'@' ./config/fleetspeak-frontend/components.textproto
sed -i 's@FLEETSPEAK_KEY@'"$FLEETSPEAK_KEY"'@' ./config/fleetspeak-frontend/components.textproto
sed -i 's@TRUSTED_FLEETSPEAK_CERT@'"$TRUSTED_FLEETSPEAK_CERT"'@' ./config/grr-client/config.textproto
Loading

0 comments on commit 33a136c

Please sign in to comment.