infra: VSTS agent improvements (digital-asset#369)
* infra: replace the debian image by ubuntu 16.04

to stay closer to what the Azure vmImage uses

* infra: limit access to the PAT token
Jonas Chevalier authored Apr 11, 2019
1 parent 78d77d0 commit 6f90fda
Showing 2 changed files with 20 additions and 15 deletions.
13 changes: 6 additions & 7 deletions infra/vsts_agent_linux.tf
Expand Up @@ -41,7 +41,7 @@ resource "google_compute_instance_template" "vsts-agent-linux" {
disk {
disk_size_gb = 100
disk_type = "pd-ssd"
source_image = "debian-cloud/debian-9"
source_image = "ubuntu-os-cloud/ubuntu-1604-lts"
}

lifecycle {
Expand All @@ -53,12 +53,11 @@ resource "google_compute_instance_template" "vsts-agent-linux" {

shutdown-script = <<EOS
#!/usr/bin/env bash
su --login vsts <<SHUTDOWN_AGENT
cd agent
./config.sh remove \
--unattended \
--auth PAT \
--token '${secret_resource.vsts-token.value}'
set -euo pipefail
cd /home/vsts/agent
su vsts <<SHUTDOWN_AGENT
export VSTS_AGENT_INPUT_TOKEN='${secret_resource.vsts-token.value}'
./config.sh remove --unattended --auth PAT
SHUTDOWN_AGENT
EOS
}
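Review bot: The PAT is still a plaintext literal in the instance template's shutdown-script metadata, so moving it from argv into `VSTS_AGENT_INPUT_TOKEN` hides it from `ps` on the box but not from anyone who can read the template or the instance metadata endpoint; the owner-based iptables rule in the startup script limits that endpoint to root on the VM only, as far as this page shows. I would record that residual exposure next to the `su` line, e.g. `# token is still plaintext in instance metadata; on the VM only root can reach the metadata server (see startup script)`. The inner here-doc delimiter is also unquoted, so root's shell performs parameter expansion on the line carrying the token before su reads it; `su vsts <<'SHUTDOWN_AGENT'` keeps the Terraform-interpolated bytes literal should a token ever contain `$`, and the `export` inside the here-doc works the same either way. The enclosing `google_compute_instance_template` resource starts before this hunk and its remaining arguments are not visible here.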
22 changes: 14 additions & 8 deletions infra/vsts_agent_linux_startup.sh
Expand Up @@ -5,28 +5,30 @@
# Agent startup script
set -euo pipefail

# Hardening
## Hardening

# Commit harakiri on failure
trap "shutdown -h now" EXIT

# replace the default nameserver to not use the metadata server
echo "nameserver 8.8.8.8" > /etc/resolv.conf

# block the metadata server for non-root processes
# this blocks the DNS resolver
#iptables -A OUTPUT -m owner ! --uid-owner root -d 169.254.169.254 -j DROP
iptables -A OUTPUT -m owner ! --uid-owner root -d 169.254.169.254 -j DROP

# delete self
rm -vf "$0"

# Install system dependencies
apt update
## Install system dependencies
apt-get update -q
apt-get install -qy \
curl sudo \
bzip2 rsync \
jq liblttng-ust0 libcurl3 libkrb5-3 libicu57 zlib1g \
jq liblttng-ust0 libcurl3 libkrb5-3 libicu55 zlib1g \
git \
netcat

# Install the VSTS agent
## Install the VSTS agent
groupadd --gid 3000 vsts
useradd \
--create-home \
Expand Down Expand Up @@ -77,6 +79,10 @@ set -u
--url "https://$VSTS_ACCOUNT.visualstudio.com"
AGENT_SETUP

## Hardening

chown --recursive root:root /home/vsts/agent/{*.sh,bin,externals}

## Install Nix

# This needs to run inside of a user with sudo access
Expand All @@ -97,7 +103,7 @@ systemctl restart nix-daemon

## Finish

# TODO: is this "webserver" necessary?
# run the fake local webserver, taken from the docker image
web-server() {
while true; do
printf 'HTTP/1.1 302 Found\r\nLocation: https://%s.visualstudio.com/_admin/_AgentPool\r\n\r\n' "${vsts_account}" | nc -l -p 80 -q 0 > /dev/null
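Review bot: The `echo "nameserver 8.8.8.8" > /etc/resolv.conf` line in the Hardening block is what keeps the now-enabled DROP rule for 169.254.169.254 from breaking DNS for the vsts user, but on Ubuntu 16.04 /etc/resolv.conf is normally a resolvconf-managed file that dhclient regenerates on lease renewal, so the metadata resolver is likely to come back and non-root name lookups would then start failing silently some hours into the agent's life. Pinning the resolver in a way that survives renewals, e.g. `echo "nameserver 8.8.8.8" > /etc/resolvconf/resolv.conf.d/head && resolvconf -u`, or `supersede domain-name-servers 8.8.8.8;` in /etc/dhcp/dhclient.conf, avoids that; at minimum the dependency should be stated above the iptables line, `# non-root DNS relies on the resolv.conf override above: the metadata resolver is blocked by this rule`. The rule matches only on uid root, so any route for the vsts user to run as root (sudo is installed a few lines below, and the Nix step needs a sudo-capable user) bypasses it; worth confirming vsts itself is not in sudoers. The `useradd` invocation at the end of the first hunk continues past the hunk boundary, so its options are not fully visible here.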
