Pr/14

README.md

@@ -34,14 +34,13 @@ images:
 
 Bro only uses 2 interfaces because it can only be deployed in passive mode. By default, these interfaces are named *calico* and *passive*. 
 
-useHostNetworking is used in situations where container networking is insufficient (such as the lack of SR-IOV).  This allows the container to see all physical interfaces of the minions.  This has some security concerns due to the fact that Bro now have access to all physical networking.  When useHostNetworking is set, specify hostNetworkingInterface to match the physical interface of the minions being deployed to.  When useHostNetworking is specified, the container will still be joined to the Calico network, but the passive variable is ignored.
+useHostNetworking is used in situations where container networking is insufficient (such as the lack of SR-IOV).  This allows the container to see all physical interfaces of the minions.  This has some security concerns due to the fact that Bro now have access to all physical networking.  When useHostNetworking is set, Bro will listen on the passive interface you identified in the [EDCOP-CONFIGURESENSORS](https://github.com/sealingtech/EDCOP-CONFIGURESENSORS) deployment.  When useHostNetworking is specified, the container will still be joined to the Calico network, but the passive variable is ignored.
 
 ```
 networks:
   overlay: calico
   passive: passive
   useHostNetworking: false
-  hostNetworkingInterface: eth0
 ```
 
 To find the names of your networks, use the following command:

bro/templates/bro-daemonset.yaml

@@ -18,36 +18,55 @@ spec:
         release: {{ .Release.Name }}
       annotations:
         networks: '[
-        {{ if .Values.networks.useHostNetworking }}
+        {{- if .Values.networks.useHostNetworking }}
         { "name": "{{ .Values.networks.overlay }}" }
-        {{ else }}
+        {{- else }}
         { "name": "{{ .Values.networks.overlay }}" },
         { "name": "{{ .Values.networks.passive }}" }
-        {{ end }}
+        {{- end }}
       ]'
     spec:
-      {{ if .Values.networks.useHostNetworking }}hostNetwork: true
-      dnsPolicy: ClusterFirstWithHostNet{{ end }}
+      {{- if .Values.networks.useHostNetworking }}
+      hostNetwork: true
+      dnsPolicy: ClusterFirstWithHostNet
+      {{- end }}
+      initContainers:
+      - name: verifynode
+        image: {{ .Values.images.runner }}
+        env:
+        - name: INTERFACE
+          valueFrom:
+            secretKeyRef:
+              name: passive-interface
+              key: interface
+        - name: STARTUP_SCRIPT
+          value: |
+            #!/bin/bash
+            set -e
+            sleep 10
+            if [ ! -f /sys/class/net/$INTERFACE/operstate ]; then
+            echo "Network interface '$INTERFACE' not found, exiting..."
+            exit 1
+            fi
       containers:
       - name: bro
         image: {{ .Values.images.bro }}
         imagePullPolicy: Always
-        env: 
-          {{ if .Values.networks.useHostNetworking }}
-          - name: INTERFACE
-            value: "{{ .Values.networks.hostNetworkingInterface }}"
-          {{ else }}
-          - name: INTERFACE
-            value: "net0"
-          {{ end }}
+        command: ["bash", "-c", "cp /tmp/bro/* /usr/local/bro/etc/ && /usr/bin/supervisord -c /etc/supervisor/conf.d/supervisord.conf"]
         securityContext:
+          runAsUser: 2001
+          fsGroup: 2001
           capabilities:
             add:
               - NET_ADMIN 
               - SYS_NICE #Used for CPU pinning
               - NET_RAW
-          runAsUser: 2001
-          fsGroup: 2001
+        env: 
+        - name: INTERFACE
+          valueFrom:
+            secretKeyRef:
+              name: passive-interface
+              key: interface
         resources:
           requests:
             cpu: "{{ .Values.broConfig.requests.cpu }}"
@@ -58,7 +77,7 @@ spec:
         volumeMounts:
         - mountPath: /usr/local/bro/logs/
           name: bro-logs 
-        - mountPath: /usr/local/bro/etc/
+        - mountPath: /tmp/bro/
           name: bro-etc-config 
         - mountPath: /usr/local/bro/share/bro/site/local.bro
           name: bro-site-config 
@@ -102,8 +121,6 @@ spec:
       - name: filebeat
         image: {{ .Values.images.filebeat }}
         imagePullPolicy: Always
-        securityContext:
-          privileged: true
         volumeMounts:
         - mountPath: /bro/
           name: bro-spool
@@ -135,6 +152,5 @@ spec:
           name: logstash-{{ template "bro.fullname" . }}-pipeline
 
       restartPolicy: Always
-      dnsPolicy: ClusterFirst
       nodeSelector:
         {{ .Values.nodeSelector.label }} : "true"

bro/templates/bro-etc-config.yaml

@@ -91,6 +91,9 @@ data:
     # changes, and a value of 0 means do not send mail.
     MailHostUpDown = 1
 
+    # Send Mail
+    SendMail = /usr/sbin/sendmail
+
     ###############################################
     # Logging Options
 
@@ -162,11 +165,7 @@ data:
     [worker-1]
     type=worker
     host=localhost
-    {{ if .Values.networks.useHostNetworking }}
-    interface=af_packet::{{ .Values.networks.hostNetworkingInterface }}
-    {{ else }}
-    interface=af_packet::net0
-    {{ end }}
+    interface=af_packet::${INTERFACE}
     {{ if .Values.broConfig.setCpuAffinity }}lb_method=custom
     lb_procs={{ .Values.broConfig.lbProcs }}
     pin_cpus={{ .Values.broConfig.pinCpus }}

bro/values.yaml

@@ -1,16 +1,16 @@
 # EDCOP Bro Chart values
 images:
-  bro: gcr.io/edcop-dev/dlohin-bro:23
+  bro: gcr.io/edcop-dev/mike-bro:5
   logstash: docker.elastic.co/logstash/logstash:6.4.0
   redis: redis:4.0.9
   filebeat: docker.elastic.co/beats/filebeat:6.4.0
+  runner: gcr.io/edcop-public/runner:8
 networks:
   # Overlay is the name of the default cni network
   overlay: calico
   # Passive is the name of the sriov interface
   passive: passive 
-  useHostNetworking: false  #If this option is set to true, the container will see all physical interfaces on the physical host it resides.  This has some security issues but can be useful in some situations. 
-  hostNetworkingInterface: eth0  #Only used with useHostNetworking is set to true.  Set this to the interface name of the adapter to listen on.
+  useHostNetworking: false  
 nodeSelector:
   label: sensor
 broConfig:

container/Dockerfile

@@ -1,7 +1,7 @@
 FROM centos:latest AS build
 RUN yum -y install epel-release
 RUN yum -y update && \
-        yum -y install sudo supervisor git cmake make gcc gcc-c++ flex bison libpcap-devel openssl-devel python-devel swig zlib-devel GeoIP-devel libpcap gperftools vim-minimal wget kernel-headers kernel-devel kernel hiredis-devel git python-pip cmake librdkafka librdkafka-devel
+        yum -y install sudo supervisor git cmake make gcc gcc-c++ flex bison libpcap-devel openssl-devel python-devel swig zlib-devel GeoIP-devel libpcap gperftools vim-minimal wget kernel-headers kernel-devel kernel hiredis-devel git python-pip cmake librdkafka librdkafka-devel sendmail
 RUN pip install bro-pkg
 RUN     wget https://www.bro.org/downloads/bro-2.5.5.tar.gz && \
         tar xzf bro-2.5.5.tar.gz && \
@@ -21,22 +21,31 @@ RUN echo "********Log files for Bro Packages*********" && \
 
 FROM centos:latest
 RUN yum -y install epel-release
-RUN yum -y install supervisor git wget libpcap GeoIP gperftools tcpdump cmake librdkafka iproute && \
+RUN yum -y install supervisor git wget libpcap GeoIP gperftools tcpdump cmake librdkafka iproute sendmail && \
     yum -y clean all && \
-    mkdir -p /conf/{plugins,site} 
+    mkdir -p /conf/{plugins,site}
+
 COPY --from=build /usr/local/bro/ /usr/local/bro
+
 ADD startbro.sh /startbro.sh
 ADD reset-network.sh /reset-network.sh
 ADD supervisord.conf /etc/supervisor/conf.d/supervisord.conf
+
 ENV PATH="/usr/local/bro/bin/:${PATH}"
+ENV INTERFACE=eth0
+
 RUN chmod +x /startbro.sh
 RUN chmod +x /reset-network.sh
+
 #Used for allowing Bro to run as a regular user
 RUN /usr/local/bro/bin/broctl deploy
 RUN groupadd -g 2001 bro && \
     useradd -u 2001 -g bro bro -d /usr/local/bro/logs/ && \
-    chown -R bro:bro /usr/local/bro/logs/ /usr/local/bro/lib/bro/plugins /usr/local/bro/share/bro/site
+    chown -R bro:bro /usr/local/bro/logs/ /usr/local/bro/lib/bro/plugins /usr/local/bro/share/bro/site /usr/local/bro/etc/ 
+
 #Needed to run as a non-privileged user
 RUN setcap cap_net_raw,cap_net_admin=eip /usr/local/bro/bin/bro
+RUN setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump
+
 WORKDIR /usr/local/bro/logs/
 CMD ["/usr/bin/supervisord","-c","/etc/supervisor/conf.d/supervisord.conf"]

container/node.cfg

@@ -13,7 +13,7 @@ host=localhost
 [worker-1]
 type=worker
 host=localhost
-interface=af_packet::net0
+interface=af_packet::${INTERFACE}
 lb_method=custom
 lb_procs=6
 pin_cpus=0,1,2,3,4,5

container/startbro.sh

@@ -8,6 +8,8 @@
 #CONTAINERINT is the interface within the Container
 CONTAINERINT=$INTERFACE
 
+sed -i 's/${INTERFACE}/'$INTERFACE' /g' /usr/local/bro/etc/node.cfg
+
 sudo chgrp $USER $(bro-config --site_dir) $(bro-config --plugin_dir)
 sudo chmod g+rwX $(bro-config --site_dir) $(bro-config --plugin_dir)
 

container/supervisord.conf

@@ -2,4 +2,4 @@
 nodaemon=true
 
 [program:bro]
-command=/usr/local/bro/bin/broctl deploy
+command=/bin/bash -c "sed -i 's/${INTERFACE}/'$INTERFACE' /g' /usr/local/bro/etc/node.cfg && /usr/local/bro/bin/broctl deploy"