Linux: Add first networking challenge: Firewall management (#9)

Author: ryapric

.github/workflows/main.yaml

@@ -0,0 +1,22 @@
+name: main
+
+on:
+  push:
+    branches: ['**']
+
+jobs:
+  main:
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+
+    - name: Set up Go 1.19+
+      uses: actions/setup-go@v4
+      with:
+        go-version: '>=1.19'
+
+    # Linux workshop
+    - name: CI
+      run: 'cd ./linux && bash ./scripts/ci.sh'

linux/Makefile

@@ -1,8 +1,11 @@
 local_team_servers := $(shell vagrant status | grep -E -o 'team[0-9]+')
 
+ci:
+	@bash ./scripts/ci.sh
+
 up-local:
-	@vagrant up db
-	@vagrant up $(local_team_servers)
+# NOTE: --parallel might not work for all providers, but does for libvirt
+	@vagrant up --parallel
 
 up-aws:
 	@terraform -chdir=./terraform apply

linux/Vagrantfile

@@ -1,3 +1,7 @@
+# Allows for setting an env var for fewer (or more) team servers, for different
+# testing scenarios & hardware
+num_team_servers = Integer(ENV["num_team_servers"].nil? ? 2 : ENV["num_team_servers"])
+
 Vagrant.configure("2") do |config|
   box = "debian/bookworm64" # Debian 12
 
@@ -26,27 +30,33 @@ Vagrant.configure("2") do |config|
     db.vm.box = box
 
     db.vm.network "private_network", ip: db_addr
-    db.vm.network "forwarded_port", guest: 5432, host: 5432, protocol: "tcp"
-    db.vm.network "forwarded_port", guest: 8080, host: 8080, protocol: "tcp"
+    db.vm.network "forwarded_port", guest: 5432, host: 5432, protocol: "tcp" # DB
+    db.vm.network "forwarded_port", guest: 8000, host: 8000, protocol: "tcp" # Dummy web app
+    db.vm.network "forwarded_port", guest: 8080, host: 8080, protocol: "tcp" # Score dashboard
 
     db.vm.synced_folder ".", "/vagrant", disabled: true
 
     db.vm.provision "file", source: "./scripts", destination: "/tmp/scripts"
+    db.vm.provision "file", source: "./services", destination: "/tmp/services"
     db.vm.provision "file", source: "./score-server", destination: "/tmp/score-server"
+    db.vm.provision "file", source: "./dummy-web-app", destination: "/tmp/dummy-web-app"
 
     db.vm.provision "shell",
       inline: <<-SCRIPT
+        #!/usr/bin/env bash
+        set -euo pipefail
+
         # Need both running here for Vagrant -- other platforms should ONLY have 2332
-        sudo sh -c 'grep 2332 /etc/ssh/sshd_config || printf "Port 2332\nPort 22\n" >> /etc/ssh/sshd_config'
+        sudo sh -c 'grep -q 2332 /etc/ssh/sshd_config || printf "Port 2332\nPort 22\n" >> /etc/ssh/sshd_config'
         sudo systemctl restart ssh
 
-        rm -rf /root/score-server
-        sudo cp -r /tmp/score-server /root/score-server
+        rm -rf /root/{score-server,services,dummy-web-app}
+        sudo cp -r /tmp/{score-server,services,dummy-web-app} /root/
         bash /tmp/scripts/init-db.sh
       SCRIPT
   end
 
-  (1..2).each do |i|
+  (1..num_team_servers).each do |i|
     config.vm.define "team#{i}" do |team|
       team.vm.box = box
 
@@ -63,8 +73,11 @@ Vagrant.configure("2") do |config|
 
       team.vm.provision "shell",
         inline: <<-SCRIPT
+          #!/usr/bin/env bash
+          set -euo pipefail
+
           # Need both running here for Vagrant -- other platforms should ONLY have 2332
-          sudo sh -c 'grep 2332 /etc/ssh/sshd_config || printf "Port 2332\nPort 22\n" >> /etc/ssh/sshd_config'
+          sudo sh -c 'grep -q 2332 /etc/ssh/sshd_config || printf "Port 2332\nPort 22\n" >> /etc/ssh/sshd_config'
           sudo systemctl restart ssh
 
           export team_name="Team-#{i}"

linux/dummy-web-app/README.md

@@ -0,0 +1,7 @@
+dummy-web-app
+=============
+
+`dummy-web-app` provides a no-op endpoint for participants in the OSC Linux
+Workshop to hit as part of Challenge 5. The server itself is (supposed to be)
+always running just fine, but Challenge 5 prevents teams from hitting the server
+until they open a client-side firewall ruile.

linux/dummy-web-app/go.mod

@@ -0,0 +1,7 @@
+module github.com/opensourcecorp/workshops/linux/dummy-web-app
+
+go 1.19
+
+require github.com/sirupsen/logrus v1.9.3
+
+require golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8 // indirect

linux/dummy-web-app/go.sum

@@ -0,0 +1,15 @@
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
+github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY=
+github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8 h1:0A+M6Uqn+Eje4kHMK80dtF3JCXC4ykBgQG4Fe06QRhQ=
+golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c h1:dUUwHk2QECo/6vqA44rthZ8ie2QXMNeKRTHCNY2nXvo=
+gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=

linux/dummy-web-app/main.go

@@ -0,0 +1,37 @@
+package main
+
+import (
+	"fmt"
+	"log"
+	"net/http"
+
+	"github.com/sirupsen/logrus"
+)
+
+func getRoot(w http.ResponseWriter, r *http.Request) {
+	log.Println("hit on /")
+	_, err := fmt.Fprint(w, "You fixed it! But we're busy printing money over here, so... get lost.\n")
+	if err != nil {
+		logrus.Fatalf("writing to RepsonseWriter: %v", err)
+	}
+}
+
+func getHealth(w http.ResponseWriter, r *http.Request) {
+	log.Println("hit on /health")
+	_, err := fmt.Fprint(w, "ok\n")
+	if err != nil {
+		logrus.Fatalf("writing to RepsonseWriter: %v", err)
+	}
+}
+
+func main() {
+	addr := ":8000"
+
+	http.HandleFunc("/", getRoot)
+	http.HandleFunc("/health", getHealth)
+
+	log.Printf("starting server on %s\n", addr)
+	if err := http.ListenAndServe(addr, nil); err != nil {
+		logrus.Fatalf("starting server: %v", err)
+	}
+}

linux/instructions/step_0.md linux/instructions/challenge_0.mdlinux/instructions/step_0.md renamed to linux/instructions/challenge_0.md

@@ -0,0 +1,13 @@
+Challenge 1: Rebuild the app binary
+===================================
+
+You hop into the production server and need to figure out why the application
+isn't running. Based on the architecture diagram for the app and your knowledge
+of your company's deployment pipelines, you know the source code for it should
+have been dumped into the directory `/opt/app`. That's probably the best place
+to start looking; as a first step, see if you can get the app binary built. Note
+that the application is written in Go, so you might need to look up how to build
+a Go binary.
+
+Take note of any error messages when trying to build it, and fix any issues you
+find.

linux/instructions/challenge_1.md

@@ -1,5 +1,5 @@
-Step 2: Make binary more accessible
-===================================
+Challenge 2: Make binary more accessible
+========================================
 
 You got the binary rebuilt, great work! However, the app is in kind of a weird
 place on the filesystem -- there's nothing *wrong* with apps being under the