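Trying to install CyRIS (work in progress)
I tried installing CyRIS, a cyber range.
There is a manual, but it does not show what the commands look like or list the required packages, so I am struggling and still have not been able to start it; I am publishing what I have so far.
* It is really meant to run on physical hardware, but since this is practice I am trying it in a virtual machine.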
Cyber Range Organization and Design Chair
https://github.com/crond-jaist?_fsi=yQAhRMTi
CyRIS
https://github.com/crond-jaist/cyris/releases/
Manual
https://github.com/crond-jaist/cyris/releases/download/1.2/cyris-1.2-guide.pdf
(Addendum) The "Cy-series Installation Guide" is also a useful reference
https://www.jaist.ac.jp/is/labs/chinen-lab/#products
Install required packages
$ sudo apt install net-tools ssh cpu-checker
Preparation
Using KVM on Linux in VMware Player
https://kazuhira-r.hatenablog.com/entry/20180727/1532703682
To use KVM on Linux in VMware Player, Intel VT must be enabled in the settings
Processor → check [Virtualize Intel VT-x/EPT or AMD-V/RVI]
Install qemu kvm on ubuntu and prepare to create virtual machines
https://takuya-1st.hatenablog.jp/entry/2021/01/06/164842
Check whether KVM can be used
$ sudo apt install cpu-checker
$ kvm-ok
INFO: /dev/kvm exists
KVM acceleration can be used
Install required packages
$ sudo apt -y install qemu-kvm libvirt-daemon-system libvirt-daemon virtinst bridge-utils libguestfs-tools virt-top git pssh sshpass netscript-2.4
Check
$ sudo systemctl status libvirtd
● libvirtd.service - Virtualization daemon
     Loaded: loaded (/lib/systemd/system/libvirtd.service; enabled; vendor pres>
     Active: active (running) since Sat 2021-10-30 09:29:12 JST; 40s ago
Add a user on ubuntu and grant sudo privileges
https://qiita.com/white_aspara25/items/c1b9d02310b4731bfbaa
Create the user
$ sudo adduser cyuser
Add cyuser to the sudo group
$ sudo gpasswd -a cyuser sudo
Adding user cyuser to group sudo
Change the settings so that sudo works without a password
$ sudo visudo
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
cyuser ALL=NOPASSWD: ALL  ← added line
Add cyuser to the libvirt group
$ sudo usermod -aG libvirt cyuser
(On ubuntu16.04 the group is "libvirtd", so use sudo usermod -aG libvirtd cyuser)
Check
$ su - cyuser
$ id
uid=1001(cyuser) gid=1001(cyuser) groups=1001(cyuser),27(sudo),135(libvirt)
Create a directory
$ mkdir .ssh
$ chmod 700 .ssh
$ ls -al
drwx------ 2 cyuser cyuser 4096 Oct 30 10:07 .ssh
Generate an SSH key
$ ssh-keygen -t ed25519
Generating public/private ed25519 key pair.
Enter file in which to save the key (/home/cyuser/.ssh/id_ed25519):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/cyuser/.ssh/id_ed25519
Your public key has been saved in /home/cyuser/.ssh/id_ed25519.pub
Check
$ ls -la .ssh/
total 16
drwx------ 2 cyuser cyuser 4096 Oct 30 10:09 .
drwxr-xr-x 3 cyuser cyuser 4096 Oct 30 10:07 ..
-rw------- 1 cyuser cyuser  399 Oct 30 10:09 id_ed25519
-rw-r--r-- 1 cyuser cyuser   95 Oct 30 10:09 id_ed25519.pub
The private key (id_ed25519) and the public key (id_ed25519.pub) were created
Prepare the public key as authorized_keys so that SSH login to the local host works
$ pwd
/home/cyuser/.ssh
$ cp -p id_ed25519.pub authorized_keys
$ chmod 600 authorized_keys
Check
$ ssh cyuser@localhost
Create a directory
$ mkdir -p .config/libvirt
$ vi ~/.config/libvirt/libvirt.conf
---
uri_default = "qemu:///system"
---
Create a directory to store the base image (basevm.tgz) and download it
$ mkdir images
$ cd images
$ wget https://github.com/crond-jaist/cyris/releases/download/1.2/basevm.tgz
Extract
$ tar zxvf basevm.tgz
$ ls -ltrh
total 5.8G
-rw------- 1 cyuser cyuser 2.7K Dec 5 2020 basevm.xml
-rw-rw-r-- 1 cyuser cyuser 2.9G Feb 17 2021 basevm
Download cyris
$ sudo apt install git
$ git clone https://github.com/crond-jaist/cyris
Check the config
$ cd cyris/
$ vi CONFIG
[config]
# The absolute path of the top CyRIS directory
# (remember to have the slash "/" at the end of the path)
cyris_path = /home/cyuser/cyris/
# The absolute path where cyber ranges are to be instantiated
# (remember to have the slash "/" at the end of the path)
cyber_range_dir = /home/cyuser/cyris/cyber_range/
# Information regarding the gateway
# (details are not used if gw_mode is set to "off")
gw_mode = off
#gw_account = gw_user
#gw_mgmt_addr = gw_hostname
#gw_inside_addr = 172.16.1.1
(ubuntu 20.04)
Install python2
$ sudo apt install -y python2
$ sudo ln -s /usr/bin/python2 /usr/bin/python
$ ls -l /usr/bin/python
lrwxrwxrwx 1 root root 16 Oct 30 10:49 /usr/bin/python -> /usr/bin/python2
Set up the python2 environment
$ curl https://bootstrap.pypa.io/pip/2.7/get-pip.py --output get-pip.py
$ sudo python2 get-pip.py
$ pip2 --version
pip 20.3.4 from /usr/local/lib/python2.7/dist-packages/pip (python 2.7)
$ pip2 install pyyaml
$ pip2 install paramiko
$ pip2 install boto3
(ubuntu18.04)
Install pip
$ sudo apt install python-pip
$ pip install pyyaml paramiko boto3
(On ubuntu16.04 installing pyyaml and paramiko fails, so update pip with a pinned version as follows)
$ python -m pip install --upgrade pip==20.0.1
(ubuntu16.04 only) After updating pip the following error started to appear, so I worked around it
AttributeError: 'module' object has no attribute 'SSL_ST_INIT'
$ sudo rm -r /usr/lib/python2.7/dist-packages/OpenSSL/
$ sudo pip install pyopenssl
(Reference) https://yuis-programming.com/?p=1929
Launch
$ /home/cyuser/cyris/main/cyris.py /home/cyuser/cyris/examples/basic.yml /home/cyuser/cyris/CONFIG
/home/cyuser/.local/lib/python2.7/site-packages/paramiko/transport.py:33: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in the next release.
  from cryptography.hazmat.backends import default_backend
#########################################################################
CyRIS v1.2: Cyber Range Instantiation System
#########################################################################
* INFO: cyris: Parse the configuration file.
* INFO: cyris: Check that prerequisite conditions are met.
* INFO: cyris: Parse the cyber range description.
/home/cyuser/cyris/main/check_description.py:61: YAMLLoadWarning: calling yaml.load() without Loader=... is deprecated, as the default Loader is unsafe. Please read https://msg.pyyaml.org/load for full details.
  doc = yaml.load(f)
/home/cyuser/cyris/main/cyris.py:331: YAMLLoadWarning: calling yaml.load() without Loader=... is deprecated, as the default Loader is unsafe. Please read https://msg.pyyaml.org/load for full details.
  doc = yaml.load(f)
* INFO: cyris: Perform the initial setup.
* INFO: cyris: Copy the base images.
* INFO: cyris: Start the base VMs.
* INFO: cyris: Check that the base VMs are up.
* INFO: cyris: Prepare the base VMs for setup.
Host 192.168.122.100 not found in /home/cyuser/.ssh/known_hosts
* INFO: cyris: Configure the base VMs for training.
* INFO: cyris: - Configure guest: desktop
* INFO: cyris: Shut down the base VMs before cloning.
* INFO: cyris: Distribute the base images for cloning.
* INFO: cyris: Start the cloned base images.
* INFO: cyris: Wait for the cloned VMs to start.
* ERROR: cyris: Cannot connect to VM.
  Check the log file for details: /home/cyuser/cyris/cyber_range/123/creation.log
-------------------------------------------------------------------------
* INFO: cyris: Cyber range creation status: FAILURE
  Check the log file for details: /home/cyuser/cyris/cyber_range/123/creation.log
-------------------------------------------------------------------------
Failed (unresolved). That is as far as I got for now.
Below are miscellaneous notes
How to use the virsh command
https://qiita.com/hana_shin/items/3fc67e2e6132bd534932
$ virsh list --all
 Id   Name                State
------------------------------------
 -    desktop_cr123_1_1   shut off
It appears that "virsh start desktop_cr123_1_1" is failing in the following script
cyris-master/instantiation/vm_clone/vm_clone_xml.sh
It also fails when run manually
$ virsh start desktop_cr123_1_1
error: Failed to start domain desktop_cr123_1_1
error: Cannot get interface MTU on 'br123-1-1': No such device
What should I do about "br123-1-1"... create it myself?
Is /home/cyuser/cyris/cyber_range/123/create_bridges.sh related?
~/cyris/cyber_range/123/create_bridges.sh
-----
sudo -S /home/cyuser/cyris/instantiation/vm_clone/create_bridges/01_write_bridge_config.sh 123-1-1 123.1.1.1
sudo -S ifup br123-1-1 &
wait
echo " bridges are up"
-----
/home/cyuser/cyris/instantiation/vm_clone/create_bridges/01_write_bridge_config.sh
-----
#!/bin/bash
bridge_id=$1
bridge_addr=$2
# create logical interfaces and bridges configuration
NEWLINE=$'\n'
config="${NEW_LINE}
auto eth${bridge_id}${NEW_LINE}
iface eth${bridge_id} inet manual${NEW_LINE}
${NEW_LINE}
auto br${bridge_id}${NEW_LINE}
iface br${bridge_id} inet static${NEW_LINE}
address ${bridge_addr}${NEW_LINE}
netmask 255.255.255.0${NEW_LINE}
bridge_ports eth${bridge_id}${NEW_LINE}
bridge_stp off${NEW_LINE}
bridge_fd 0"
flock -x /etc/network/interfaces echo "${config}" >> /etc/network/interfaces
-----
This is appended to /etc/network/interfaces on every run
auto eth123-1-1
iface eth123-1-1 inet manual
auto br123-1-1
iface br123-1-1 inet static
address 123.1.1.1
netmask 255.255.255.0
bridge_ports eth123-1-1
bridge_stp off
bridge_fd 0
$ sudo -S ifup br123-1-1
$ ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
        inet 192.168.10.125 netmask 255.255.255.0 broadcast 192.168.10.255
        inet6 2400:4051:8962:cc00:e58c:d56b:f29e:8908 prefixlen 64 scopeid 0x0<global>
        inet6 fe80::529c:9c42:a302:a9ee prefixlen 64 scopeid 0x20<link>
        inet6 2400:4051:8962:cc00:cdd9:8eed:958f:9718 prefixlen 64 scopeid 0x0<global>
        ether 00:0c:29:36:3b:8c txqueuelen 1000 (Ethernet)
        RX packets 10778 bytes 2079020 (2.0 MB)
        RX errors 0 dropped 0 overruns 0 frame 0
        TX packets 6198 bytes 1171740 (1.1 MB)
        TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
        inet 127.0.0.1 netmask 255.0.0.0
        inet6 ::1 prefixlen 128 scopeid 0x10<host>
        loop txqueuelen 1000 (Local Loopback)
        RX packets 5096 bytes 752817 (752.8 KB)
        RX errors 0 dropped 0 overruns 0 frame 0
        TX packets 5096 bytes 752817 (752.8 KB)
        TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
virbr0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
        inet 192.168.122.1 netmask 255.255.255.0 broadcast 192.168.122.255
        ether 52:54:00:13:b7:7c txqueuelen 1000 (Ethernet)
        RX packets 310 bytes 53458 (53.4 KB)
        RX errors 0 dropped 0 overruns 0 frame 0
        TX packets 423 bytes 62566 (62.5 KB)
        TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
It was not created
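
The two checks behind this dead end, as an added example that is not part of the original post or of CyRIS: which bridges a domain definition needs but the host lacks, and which interfaces have piled up duplicate stanzas in an ifupdown file. The function names, the optional sysfs directory argument and the sample XML and interfaces content are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not CyRIS code. Function names and the optional sysfs
# directory argument are assumptions made for this sketch.

# Print every bridge referenced by a libvirt domain XML
# (<source bridge='...'/>) that has no device under the sysfs directory.
missing_bridges() {
    xml_file=$1
    sysfs_net=${2:-/sys/class/net}
    grep -o "<source bridge=['\"][^'\"]*['\"]" "$xml_file" |
        sed "s/.*bridge=['\"]\([^'\"]*\)['\"]/\1/" | sort -u |
        while read -r br; do
            [ -e "$sysfs_net/$br" ] || echo "$br"
        done
}

# Print every interface with more than one "iface <name>" stanza in an
# ifupdown file, the result of a script appending the same block per run.
duplicate_ifaces() {
    awk '$1 == "iface" { n[$2]++ }
         END { for (i in n) if (n[i] > 1) print i }' "$1" | sort
}

# Demo on constructed sample input; needs neither libvirt nor root.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/net/virbr0"    # pretend only virbr0 exists on the host
    cat > "$tmp/dom.xml" <<'EOF'
<domain type='kvm'>
  <devices>
    <interface type='bridge'><source bridge='virbr0'/></interface>
    <interface type='bridge'><source bridge='br123-1-1'/></interface>
  </devices>
</domain>
EOF
    cat > "$tmp/interfaces" <<'EOF'
auto br123-1-1
iface br123-1-1 inet static
auto br123-1-1
iface br123-1-1 inet static
iface lo inet loopback
EOF
    echo "missing:   $(missing_bridges "$tmp/dom.xml" "$tmp/net")"
    echo "duplicate: $(duplicate_ifaces "$tmp/interfaces")"
    rm -rf "$tmp"
}
demo
```

On a real host, save the definition with `virsh dumpxml desktop_cr123_1_1 > dom.xml`, then run `missing_bridges dom.xml` and `duplicate_ifaces /etc/network/interfaces`.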
Setting a static IP address on Ubuntu 20.04 LTS
https://qiita.com/zen3/items/757f96cbe522a9ad397d
Static IP address configuration on Ubuntu 20.04 LTS Server.
Since 17.10, changing the IP address has moved from editing /etc/network/interfaces to Netplan, so this is a note on that. (18.04 LTS as well)
So it says.
Do I need to create /etc/netplan/99_config.yaml?
From the manual
-----
To run CyRIS, the physical host must have Ubuntu OS installed. We have confirmed that CyRIS works correctly on Ubuntu Server 16.04 LTS and 18.04 LTS.
-----
The configuration method has apparently changed in 18.04 LTS too, so is the above really true? → On 18.04 as well, ifconfig showed that the interface had not been created
Wouldn't 16.04 LTS work right away? (though it is out of support) → On 16.04 as well, ifconfig showed that the interface had not been created
$ brctl show
bridge name     bridge id               STP enabled     interfaces
virbr0          8000.52540013b77c       yes             virbr0-nic
/etc/netplan/99_config.yaml
-----
network:
  version: 2
  renderer: networkd
  ethernets:
    eth123-1-1:
      dhcp4: false
      dhcp6: false
  bridges:
    br0:
      interfaces: [eth123-1-1]
      dhcp4: false
      dhcp6: false
      addresses: [123.1.1.1/24]
      gateway4: 192.168.122.1
      nameservers:
        addresses: [192.168.122.1, 8.8.8.8, 8.8.4.4]
      parameters:
        forward-delay: 0
        stp: false
      optional: true
-----
$ sudo netplan apply
$ ifconfig
br0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
        inet 123.1.1.1 netmask 255.255.255.0 broadcast 123.1.1.255
        inet6 fe80::64c7:31ff:fecd:7b97 prefixlen 64 scopeid 0x20<link>
        ether 66:c7:31:cd:7b:97 txqueuelen 1000 (Ethernet)
        RX packets 0 bytes 0 (0.0 B)
        RX errors 0 dropped 0 overruns 0 frame 0
        TX packets 39 bytes 5064 (5.0 KB)
        TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Should the network interface be created something like the above?
Ubuntu18.04: Python 2.7.17 (default, Feb 27 2021, 15:10:58)
Fixing the problem where it does not run on Ubuntu16.04
Python 2.7.12 (default, Mar 1 2021, 11:38:31)
$ /home/cyuser/cyris/main/cyris.py /home/cyuser/cyris/examples/basic.yml /home/cyuser/cyris/CONFIG
/home/cyuser/.local/lib/python2.7/site-packages/paramiko/transport.py:33: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in the next release.
  from cryptography.hazmat.backends import default_backend
Traceback (most recent call last):
  File "/home/cyuser/cyris/main/cyris.py", line 33, in <module>
    import boto3
  File "/home/cyuser/.local/lib/python2.7/site-packages/boto3/__init__.py", line 16, in <module>
    from boto3.session import Session
  File "/home/cyuser/.local/lib/python2.7/site-packages/boto3/session.py", line 17, in <module>
    import botocore.session
  File "/home/cyuser/.local/lib/python2.7/site-packages/botocore/session.py", line 30, in <module>
    import botocore.client
  File "/home/cyuser/.local/lib/python2.7/site-packages/botocore/client.py", line 16, in <module>
    from botocore.args import ClientArgsCreator
  File "/home/cyuser/.local/lib/python2.7/site-packages/botocore/args.py", line 26, in <module>
    from botocore.signers import RequestSigner
  File "/home/cyuser/.local/lib/python2.7/site-packages/botocore/signers.py", line 19, in <module>
    import botocore.auth
  File "/home/cyuser/.local/lib/python2.7/site-packages/botocore/auth.py", line 121
    pairs.append(f'{quoted_key}={quoted_value}')
                 ^
SyntaxError: invalid syntax
Pinning the version as follows resolved the "invalid syntax" problem
$ pip install boto3==1.17.112
$ pip list
Package            Version
------------------ --------
adium-theme-ubuntu 0.3.4
bcrypt             3.1.7
boto3              1.17.112
botocore           1.20.112
cffi               1.15.0
chardet            2.3.0
cryptography       3.3.2
enum34             1.1.2
futures            3.3.0
idna               2.0
ipaddr             2.1.11
ipaddress          1.0.16
jmespath           0.10.0
libvirt-python     1.3.1
ndg-httpsclient    0.4.0
paramiko           2.8.0
pip                20.0.1
pssh               2.3.1
pyasn1             0.1.9
pycparser          2.20
pygobject          3.20.0
PyNaCl             1.4.0
pyOpenSSL          0.15.1
python-dateutil    2.8.2
PyYAML             5.4.1
requests           2.9.1
s3transfer         0.4.2
setuptools         20.7.0
six                1.16.0
unity-lens-photos  1.0
urllib3            1.26.7
wheel              0.29.0