FreeBSD: bootstrapping a system for DevOps

  • Published on 21 May 2024
  • In this video I will show one possible way to bootstrap a FreeBSD machine to be used in DevOps, CI/CD, context. I am assuming that the machine you want to use has been installed from the official DVD and only an extra account, with the user in the wheel group, has been created. Nothing more is required to provision the machine!
    NOTE:
    1) this method makes use of plain-text passwords and, even worse, explicitly discloses these in the Ansible files; to be used in practice, the passwords should never be hard coded, and we would strongly suggest using SSH keys instead... but again... this is only a demonstration; in case you want to use the method in practice, after provisioning the machine, make sure that SSH with password login is disabled!
    2) A much easier way to start with DevOps, Ansible, etc., is to create a "golden image" with sudo or doas pre-installed and configured, so that you can avoid all that is being done in this video... You can use what is in this video to create the golden image, though, instead of bootstrapping manually... :-)
    #freebsd
  • Science & Technology
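
The note above says to make sure SSH password login is disabled after provisioning. As an added example (not from the video or its author), this script reads `sshd -T` output and flags both ways a password can still be accepted: `PasswordAuthentication` and keyboard-interactive (PAM) authentication. The function names and sample dumps are constructed for illustration.

```sh
#!/bin/sh
# Added example: report settings that still allow password-based SSH login.
# Input format: the output of `sshd -T` (one lowercase "keyword value" per line).

# Prints one line per setting that still lets a password be used to log in.
password_login_findings() {
    awk '
        # Built-in password authentication.
        $1 == "passwordauthentication" {
            seen_pw = 1
            if ($2 != "no") print $1, $2
        }
        # Keyboard-interactive (PAM) asks for the same account password.
        # Older OpenSSH releases report it under the second keyword.
        $1 == "kbdinteractiveauthentication" || $1 == "challengeresponseauthentication" {
            seen_kbd = 1
            if ($2 != "no") print $1, $2
        }
        END {
            # A keyword absent from the dump cannot be confirmed as disabled.
            if (!seen_pw)  print "passwordauthentication missing"
            if (!seen_kbd) print "kbdinteractiveauthentication missing"
        }
    '
}

# Exit status 0 only when no finding remains; findings go to stderr.
password_login_disabled() {
    findings=$(password_login_findings)
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings" >&2
    return 1
}

# Constructed sample: built-in password auth is off, PAM prompts are still on.
SAMPLE_PARTIAL='passwordauthentication no
kbdinteractiveauthentication yes
usepam yes'

# Constructed sample: both password paths are off, keys only.
SAMPLE_KEYS_ONLY='passwordauthentication no
kbdinteractiveauthentication no
pubkeyauthentication yes'

for sample in "$SAMPLE_PARTIAL" "$SAMPLE_KEYS_ONLY"; do
    if printf '%s\n' "$sample" | password_login_disabled; then
        echo "OK: password login is disabled"
    else
        echo "FAIL: password login is still possible"
    fi
done
# On the provisioned host, as root: sshd -T | password_login_disabled
```
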

Comments • 8

  • @RoboNuggie several months ago +3

    Above my level of understanding FreeBSD, but you know, I'm glad as I can watch from yourself and learn..... thank you!

    • @BSDJedi several months ago

      Glad that I can put out some useful things out there. But, as always, do consider hardening the system, especially if it is exposed on the internet...

  • @aljuvialle several months ago +1

    This video is very good in step by step explanation how FreeBSD/(potentially Linux) malware might work if an attacker knows both user and root passwords and ssh login by password is working. After doas (or any other similar software) is installed, some PAM configuration might be tampered to never log attempts to do things as a superuser.

    • @BSDJedi several months ago +1

      Yes, you are absolutely right. If a system is exposed to the internet it should be hardened. Just try to deploy a machine in AWS and you will see that in a matter of minutes, all sorts of random IP addresses will be trying to brute-force it...

  • @jp62200 several months ago +3

    7:23. Yes very simple:-)

    • @BSDJedi several months ago

      Always trying to go by the KISS principle :-)

  • @jp62200 several months ago +1

    That's nice. Used to do that kind of thing with an "expect" script over ssh or rsh session.

    • @BSDJedi several months ago

      Yes - that is also an awesome way to do it. Unfortunately the Ansible connection does not work with expect or, if it does, I am now aware of how to make it work... But expect might be also a very simple solution, especially to bootstrap local machine deployments, e.g. when using bhyve or VirtualBox :-)