Intro

When using PKI certificates it is critical that DNS is working correctly and that hosts have their time synced via a reliable NTP server. In this part of the series I will build a utility server that acts as the DNS, NTP and root certificate authority. The utility server will use CentOS 7 minimal as the OS with the firewall service disabled and SELinux set to permissive.

DNS

The DNS service will be provided by dnsmasq as it's lightweight and easy to set up.

cmd
sudo yum install -y dnsmasq

Create a dnsmasq user and group and assign the user to the group.

cmd
sudo groupadd -r dnsmasq
sudo useradd -r -g dnsmasq dnsmasq

Backup the old /etc/dnsmasq.conf configuration file.

cmd
sudo mv /etc/dnsmasq.conf /etc/dnsmasq.conf.old

Create an /etc/dnsmasq.conf file with the following contents.

file
# /etc/dnsmasq.conf

listen-address=127.0.0.1,192.168.121.120
port=53
bind-interfaces
user=dnsmasq
group=dnsmasq
pid-file=/var/run/dnsmasq.pid
domain-needed
domain=lab.local
expand-hosts
bogus-priv
dns-forward-max=150
cache-size=1000
no-negcache
neg-ttl=3600
resolv-file=/etc/resolv.dnsmasq
no-poll

Create an /etc/resolv.dnsmasq file that uses Google DNS as the upstream DNS servers.

file
# /etc/resolv.dnsmasq

nameserver 8.8.8.8
nameserver 8.8.4.4

Set the nameserver entry in the /etc/resolv.conf file to the loopback address so that the server itself resolves through the local dnsmasq service.

file
# /etc/resolv.conf

nameserver 127.0.0.1

Add the hostname to IP address mappings for the lab devices to the /etc/hosts file.

file
# /etc/hosts

192.168.121.120 util
192.168.121.121 jenkins
192.168.121.122 gitlab
192.168.121.123 awx
192.168.121.124 netq

Note
When the /etc/hosts file is updated the dnsmasq service needs to be restarted to update its DNS cache.

The dnsmasq configuration can be tested for syntax errors with the dnsmasq --test command.

cmd
sudo dnsmasq --test

# output

dnsmasq: syntax check OK.

Start and enable the dnsmasq service.

cmd
sudo systemctl start dnsmasq
sudo systemctl enable dnsmasq

The hosts in this lab get their management IP addresses via DHCP. An update to the /etc/sysconfig/network-scripts/ifcfg-eth0 file is required so that the DHCP client does not overwrite /etc/resolv.conf with the DHCP-supplied nameservers and the host keeps using the local dnsmasq service.

file
DEVICE="eth0"
BOOTPROTO="dhcp"
ONBOOT="yes"
TYPE="Ethernet"
PERSISTENT_DHCLIENT="yes"

# add the following

DNS1="127.0.0.1"
PEERDNS=no

Restart the network service.

cmd
sudo systemctl restart network

NTP

Install the ntp service.

cmd
sudo yum install -y ntp

Backup the old /etc/ntp.conf configuration file.

cmd
sudo mv /etc/ntp.conf /etc/ntp.conf.old

Create an /etc/ntp.conf file with the following contents.

file
# /etc/ntp.conf

# For more information about this file, see the man pages
# ntp.conf(5), ntp_acc(5), ntp_auth(5), ntp_clock(5), ntp_misc(5), ntp_mon(5).

driftfile /var/lib/ntp/drift

# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.
restrict default nomodify notrap nopeer noquery

# Permit all access over the loopback interface.
restrict 127.0.0.1
restrict ::1

# Hosts on local network are less restricted.
restrict 192.168.121.0 mask 255.255.255.0 nomodify notrap

# Use NTP servers.
server time.google.com iburst
server time.apple.com iburst

# Enable public key cryptography.
#crypto

includefile /etc/ntp/crypto/pw

# Key file containing the keys and key identifiers used when operating
# with symmetric key cryptography.
keys /etc/ntp/keys

# Enable writing of statistics records.
#statistics clockstats cryptostats loopstats peerstats

# Disable the monitoring facility to prevent amplification attacks using ntpdc
# monlist command when default restrict does not include the noquery flag. See
# CVE-2013-5211 for more details.
# Note: Monitoring will not be disabled with the limited restriction flag.
disable monitor

Note
The subnet that can query the NTP server is restricted to 192.168.121.0/24 and the upstream NTP servers are set to the Google and Apple stratum 1 time servers.

Start and enable the ntp service.

cmd
sudo systemctl start ntpd
sudo systemctl enable ntpd

Test the connection to the NTP servers with the ntpq -p command. The asterisk in the output marks the peer currently selected as the time source.

cmd
ntpq -p

# output

     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*time4.google.co .GOOG.           1 u   15 1024  377  141.819   48.513  57.598
+ussjc2-ntp-002. .GPSs.           1 u  115 1024  377  218.000   18.940  32.073

Root CA

The root CA server will provide certificate signing services. The openssl package will be used to generate the root certificate and to sign the hosts' certificates.

Note
I will be using a minimal configuration that is not very secure, please don't use this method in production.

Generate the root CA's private signing key.

cmd
openssl genrsa -out ROOTCA.key 2048

Create a self-signed certificate using the signing key just created.

cmd
openssl req -x509 -new -nodes -key ROOTCA.key -sha256 -days 1024 \
    -subj "/C=AU/ST=NSW/L=NSW/O=LAB/CN=util.lab.local" \
    -out ROOTCA.pem

Move the certificate and key to the /etc/ssl/certs directory, set the ownership to root, and make the certificate world-readable while the private key stays readable only by root.

cmd
sudo mv ROOTCA.* /etc/ssl/certs/ ; cd /etc/ssl/certs/
sudo chown root:root ROOTCA.*
sudo chmod 0644 ROOTCA.pem
sudo chmod 0400 ROOTCA.key

Once this is done the ROOTCA.pem will need to be imported into the trusted certificate store of the host devices. The hosts themselves will need to generate a certificate signing request and have the certificate signed by the root CA.
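The signing step described above, as an added example that is not part of the original post: a host generates a key and CSR, the CA signs it with leaf-only extensions (CA:FALSE, serverAuth, and a SAN carrying the FQDN), and the result is verified against ROOTCA.pem. It assumes openssl is on PATH and builds a throw-away root CA in a scratch directory rather than touching /etc/ssl/certs.

```shell
#!/bin/sh
# Added example, not from the original post. Builds a scratch root CA the way
# the post does, then signs and verifies a host certificate for the lab domain.
set -eu

WORK="$(mktemp -d)"          # scratch dir; nothing under /etc/ssl is touched
DOMAIN="lab.local"

# Throw-away root CA with the same subject as the post's ROOTCA.pem.
make_root_ca() {
    openssl genrsa -out "$WORK/ROOTCA.key" 2048 2>/dev/null
    openssl req -x509 -new -nodes -key "$WORK/ROOTCA.key" -sha256 -days 1024 \
        -subj "/C=AU/ST=NSW/L=NSW/O=LAB/CN=util.$DOMAIN" \
        -out "$WORK/ROOTCA.pem" 2>/dev/null
}

# Host side: private key plus CSR. CA side: sign with leaf-only extensions.
# $1 = short hostname from /etc/hosts, e.g. gitlab -> gitlab.lab.local
sign_host_cert() {
    host="$1"; fqdn="$host.$DOMAIN"
    openssl genrsa -out "$WORK/$host.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/$host.key" \
        -subj "/C=AU/ST=NSW/O=LAB/CN=$fqdn" -out "$WORK/$host.csr" 2>/dev/null
    # Extensions the CA applies: a leaf must never be usable as a CA, and
    # modern clients match the name against the SAN, not the CN.
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\n' \
        > "$WORK/$host.ext"
    printf 'extendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$fqdn" \
        >> "$WORK/$host.ext"
    openssl x509 -req -in "$WORK/$host.csr" -CA "$WORK/ROOTCA.pem" \
        -CAkey "$WORK/ROOTCA.key" -CAcreateserial -sha256 -days 365 \
        -extfile "$WORK/$host.ext" -out "$WORK/$host.crt" 2>/dev/null
}

# Returns 0 only if the cert chains to the root, names the host in its SAN
# and is marked as a non-CA certificate.
verify_host_cert() {
    host="$1"
    openssl verify -CAfile "$WORK/ROOTCA.pem" "$WORK/$host.crt" >/dev/null 2>&1 || return 1
    text="$(openssl x509 -in "$WORK/$host.crt" -noout -text)"
    echo "$text" | grep -q "DNS:$host\.$DOMAIN" || return 1
    echo "$text" | grep -q "CA:FALSE"
}

make_root_ca
sign_host_cert gitlab
verify_host_cert gitlab && echo "gitlab.$DOMAIN: signed by ROOTCA.pem and verified"
```

On the real server the CA-side commands run as root against /etc/ssl/certs/ROOTCA.key, while the key and CSR are generated on the host being enrolled and only the CSR is sent to the CA.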

Outro

Now that the utility server is configured with DNS, NTP and certificate services, let's move on to Part 3 of this series: Gitlab Installation.