Add suricata support (#6)

* Initial suricata templates * install suricata-update service * added suricata configuration Co-authored-by: Stefan Majer <[email protected]>
metal-stack · Apr 22, 2020 · 4751eba · 4751eba
1 parent 989055e
commit 4751eba
Show file tree

Hide file tree

Showing 14 changed files with 2,041 additions and 9 deletions.
diff --git a/Makefile b/Makefile
@@ -31,20 +31,23 @@ release: bin/$(BINARY) validate
 	tar -czvf metal-networker.tgz \
 		-C ./bin metal-networker \
 		-C ../internal/netconf/ \
+			droptailer.service.tpl \
+			firewall_policy_controller.service.tpl \
+			frr.firewall.tpl \
+			frr.machine.tpl \
+			hostname.tpl \
+			hosts.tpl \
 			interfaces.firewall.tpl \
 			interfaces.machine.tpl \
-			frr.machine.tpl \
-			frr.firewall.tpl \
+			nftables_exporter.service.tpl \
+			node_exporter.service.tpl \
 			rules.v4.tpl \
 			rules.v6.tpl \
+			suricata_config.yaml.tpl \
+			suricata_defaults.tpl \
+			suricata_update.service.tpl \
 			systemd.link.tpl \
-			systemd.network.tpl \
-			hosts.tpl \
-			hostname.tpl \
-			droptailer.service.tpl \
-			firewall_policy_controller.service.tpl \
-			nftables_exporter.service.tpl \
-			node_exporter.service.tpl
+			systemd.network.tpl
 
 .PHONY: validate
 validate:

diff --git a/internal/netconf/configurator.go b/internal/netconf/configurator.go
@@ -122,6 +122,24 @@ func (configurator FirewallConfigurator) Configure() {
 			mustEnableUnit(u.unit)
 		}
 	}
+
+	src = mustTmpFile("suricata_")
+	applier, err = NewSuricataDefaultsApplier(kb, src)
+
+	if err != nil {
+		log.Warnf("failed to configure suricata defaults: %v", err)
+	}
+
+	applyAndCleanUp(applier, TplSuricataDefaults, src, "/etc/default/suricata", FileModeSixFourFour)
+
+	src = mustTmpFile("suricata.yaml_")
+	applier, err = NewSuricataConfigApplier(kb, src)
+
+	if err != nil {
+		log.Warnf("failed to configure suricata: %v", err)
+	}
+
+	applyAndCleanUp(applier, TplSuricataConfig, src, "/etc/suricata/suricata.yaml", FileModeSixFourFour)
 }
 
 func (configurator FirewallConfigurator) getUnits() []unitConfiguration {
@@ -158,6 +176,14 @@ func (configurator FirewallConfigurator) getUnits() []unitConfiguration {
 			},
 			enabled: true,
 		},
+		{
+			unit:         SystemdUnitSuricataUpdate,
+			templateFile: TplSuricataUpdate,
+			constructApplier: func(kb KnowledgeBase, v ServiceValidator) (net.Applier, error) {
+				return NewSuricataUpdateServiceApplier(kb, v)
+			},
+			enabled: true,
+		},
 	}
 }
 

diff --git a/internal/netconf/nftables_exporter.service.tpl b/internal/netconf/nftables_exporter.service.tpl
@@ -5,6 +5,7 @@ Description=Nftables exporter - provides prometheus metrics for nftables
 After=network.target
 
 [Service]
+LimitMEMLOCK=infinity
 ExecStart=/bin/ip vrf exec {{ .TenantVrf }} /usr/local/bin/nftables_exporter --config=/etc/nftables_exporter.yaml
 Restart=always
 RestartSec=30

diff --git a/internal/netconf/node_exporter.service.tpl b/internal/netconf/node_exporter.service.tpl
@@ -5,6 +5,7 @@ Description=Node exporter - provides prometheus metrics about the node
 After=network.target
 
 [Service]
+LimitMEMLOCK=infinity
 ExecStart=/bin/ip vrf exec {{ .TenantVrf }} /usr/local/bin/node_exporter --collector.tcpstat
 Restart=always
 RestartSec=30

diff --git a/internal/netconf/service_test.go b/internal/netconf/service_test.go
@@ -23,6 +23,8 @@ func TestServices(t *testing.T) {
 	assert.NoError(err)
 	nftablesExporterApplier, err := NewNftablesExporterServiceApplier(kb, v)
 	assert.NoError(err)
+	suApplier, err := NewSuricataUpdateServiceApplier(kb, v)
+	assert.NoError(err)
 
 	tests := []struct {
 		applier  net.Applier
@@ -49,6 +51,11 @@ func TestServices(t *testing.T) {
 			expected: "testdata/nftables-exporter.service",
 			template: TplNftablesExporter,
 		},
+		{
+			applier:  suApplier,
+			expected: "testdata/suricata-update.service",
+			template: TplSuricataUpdate,
+		},
 	}
 
 	for _, test := range tests {

diff --git a/internal/netconf/suricata_config.go b/internal/netconf/suricata_config.go
@@ -0,0 +1,37 @@
+package netconf
+
+import (
+	"github.com/metal-stack/metal-networker/pkg/net"
+)
+
+// TplSuricataConfig is the name of the template for the suricata configuration.
+const TplSuricataConfig = "suricata_config.yaml.tpl"
+
+// SuricataConfigData represents the information required to render suricata configuration.
+type SuricataConfigData struct {
+	Comment         string
+	DefaultRouteVrf string
+}
+
+// SuricataConfigValidator can validate configuration for suricata.
+type SuricataConfigValidator struct {
+	path string
+}
+
+// NewSuricataConfigApplier constructs a new instance of this type.
+func NewSuricataConfigApplier(kb KnowledgeBase, tmpFile string) (net.Applier, error) {
+	defaultRouteVrf, err := getDefaultRouteVRFName(kb)
+	if err != nil {
+		return nil, err
+	}
+
+	data := SuricataUpdateData{Comment: versionHeader(kb.Machineuuid), DefaultRouteVrf: defaultRouteVrf}
+	validator := SuricataConfigValidator{tmpFile}
+
+	return net.NewNetworkApplier(data, validator, nil), nil
+}
+
+// Validate validates suricata configuration.
+func (v SuricataConfigValidator) Validate() error {
+	return nil
+}