Saturday, November 05, 2022

Notes on installing the Pulse Secure Linux client on openSUSE Leap 15.4



OS: openSUSE Leap 15.4

Pulse Secure: 9.1


The company SSL VPN uses Pulse Secure, but there are relatively few reference articles for openSUSE Leap,

so today I'm writing up the installation steps.


Based on the NTU (National Taiwan University) article and the vendor's documentation.


Get the package RPM

# wget  https://ccnet.ntu.edu.tw/vpn/Download/ps-pulse-linux-9.1r15.0-b15819-64bit-installer.rpm


First attempt at installing

# rpm  -ivh  ps-pulse-linux-9.1r15.0-b15819-64bit-installer.rpm 


error: Failed dependencies:
	gtkmm30 >= 3.22.2 is needed by pulsesecure-2:9.1-R15.x86_64
	libbsd is needed by pulsesecure-2:9.1-R15.x86_64
	libcurl >= 7.29.0 is needed by pulsesecure-2:9.1-R15.x86_64
	nss-tools is needed by pulsesecure-2:9.1-R15.x86_64
	webkit2gtk3 >= 2.24.4 is needed by pulsesecure-2:9.1-R15.x86_64


  • Installing directly runs into dependency problems


Install mozilla-nss-tools

# zypper  install  mozilla-nss-tools


The following 2 recommended packages were automatically selected:
  libfreebl3-hmac libsoftokn3-hmac

The following 6 NEW packages are going to be installed:
  libfreebl3 libfreebl3-hmac libsoftokn3 libsoftokn3-hmac mozilla-nss mozilla-nss-tools

6 new packages to install.
Overall download size: 2.1 MiB. Already cached: 0 B. After the operation, additional 5.2 MiB will be used.
Continue? [y/n/v/...? shows all options] (y): y


Add two repos


# zypper   addrepo   https://download.opensuse.org/repositories/server:mail/openSUSE_Tumbleweed/server:mail.repo 


# zypper  addrepo  https://download.opensuse.org/repositories/devel:gcc:next/15.4/devel:gcc:next.repo 


Refresh the repos and trust the associated keys

# zypper  refresh


Install the glibc package

# zypper  install  glibc


zypper install libbsd0-0.11.6-24.29.x86_64
Problem: the to be installed libbsd0-0.11.6-24.29.x86_64 requires 'libc.so.6(GLIBC_2.33)(64bit)', but this requirement cannot be provided
  not installable providers: glibc-2.36.9000.199.g589eda82bb-lp154.3834.1.x86_64[devel_gcc_next]
 Solution 1: Following actions will be done:
  install glibc-2.36.9000.199.g589eda82bb-lp154.3834.1.x86_64 from vendor obs://build.opensuse.org/devel:gcc
    replacing glibc-2.31-150300.41.1.x86_64 from vendor SUSE LLC <https://www.suse.com/>
  install glibc-extra-2.36.9000.199.g589eda82bb-lp154.3834.1.x86_64 from vendor obs://build.opensuse.org/devel:gcc
    replacing glibc-extra-2.31-150300.41.1.x86_64 from vendor SUSE LLC <https://www.suse.com/>
  install glibc-lang-2.36.9000.199.g589eda82bb-lp154.3834.1.noarch from vendor obs://build.opensuse.org/devel:gcc
    replacing glibc-lang-2.31-150300.41.1.noarch from vendor SUSE LLC <https://www.suse.com/>
  install glibc-locale-base-2.36.9000.199.g589eda82bb-lp154.3834.1.x86_64 from vendor obs://build.opensuse.org/devel:gcc
    replacing glibc-locale-base-2.31-150300.37.1.x86_64 from vendor SUSE LLC <https://www.suse.com/>
  install nscd-2.36.9000.199.g589eda82bb-lp154.3834.1.x86_64 from vendor obs://build.opensuse.org/devel:gcc
    replacing nscd-2.31-150300.37.1.x86_64 from vendor SUSE LLC <https://www.suse.com/>
  install glibc-locale-2.36.9000.199.g589eda82bb-lp154.3834.1.x86_64 from vendor obs://build.opensuse.org/devel:gcc
    replacing glibc-locale-2.31-150300.37.1.x86_64 from vendor SUSE LLC <https://www.suse.com/>
 Solution 2: do not install libbsd0-0.11.6-24.29.x86_64
 Solution 3: break libbsd0-0.11.6-24.29.x86_64 by ignoring some of its dependencies

Choose from above solutions by number or cancel [1/2/3/c/d/?] (c): 1


  • Install using Solution 1


Install the Pulse Secure package

# zypper  install  ps-pulse-linux-9.1r15.0-b15819-64bit-installer.rpm


Loading repository data...
Reading installed packages...
Resolving package dependencies...

Problem: nothing provides 'libbsd' needed by the to be installed pulsesecure-2:9.1-R15.x86_64
 Solution 1: do not install pulsesecure-2:9.1-R15.x86_64
 Solution 2: break pulsesecure-2:9.1-R15.x86_64 by ignoring some of its dependencies

Choose from above solutions by number or cancel [1/2/c/d/?] (c): 2
Resolving dependencies...
Resolving package dependencies...

The following 2 NEW packages are going to be installed:
  libXss1 pulsesecure

2 new packages to install.
Overall download size: 10.3 MiB. Already cached: 0 B. After the operation, additional 29.6 MiB will be used.
Continue? [y/n/v/...? shows all options] (y): y
Retrieving package libXss1-1.2.2-3.4.x86_64                                      (1/2),  12.5 KiB ( 14.2 KiB unpacked)
Retrieving: libXss1-1.2.2-3.4.x86_64.rpm .......................................................................[done]
Retrieving package pulsesecure-2:9.1-R15.x86_64                                  (2/2),  10.3 MiB ( 29.6 MiB unpacked)
ps-pulse-linux-9.1r15.0-b15819-64bit-installer.rpm:
    Package header is not signed!

pulsesecure-2:9.1-R15.x86_64 (Plain RPM files cache): Signature verification failed [6-File is unsigned]
Abort, retry, ignore? [a/r/i] (a): i


  • Here I used Solution 2, installing by ignoring the dependency, and ignored the signature problem
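The zypper run above ends with "i" (ignore) at the signature prompt because the installer RPM is unsigned, which is exactly the case where nothing vouches for what is about to be installed as root. As an added example that is not part of the original post and not Pulse Secure's or openSUSE's tooling, the POSIX shell script below turns that prompt into a hard gate: it runs rpm -K on a package, classifies the one-line verdict rpm prints, and only emits the install command when the signature verifies against a key already imported into the rpm keyring. The function names, the sample verdict lines in the comments and the vendor-key path are my own assumptions.

```shell
#!/bin/sh
# Added example: refuse to install an RPM unless its signature verifies
# against a key already imported into the rpm keyring (not the blog's code).
# rpm -K (--checksig) prints one status line per file; constructed samples:
#   foo.rpm: digests signatures OK        signed, key imported   -> install
#   foo.rpm: digests SIGNATURES NOT OK    signed, key unknown    -> stop
#   foo.rpm: digests OK                   no signature at all    -> stop

# classify_checksig_line LINE -> prints trusted | untrusted | unsigned | unknown
classify_checksig_line() {
  case "$1" in
    *"NOT OK"*)        echo untrusted ;;   # signature present but not verifiable
    *"signatures OK"*) echo trusted ;;     # digest and signature both verified
    *"digests OK"*)    echo unsigned ;;    # only digests: nobody signed it
    *)                 echo unknown ;;     # not an rpm, unreadable, etc.
  esac
}

# rpm_gate FILE -> exit 0 and print the install command when the package is
# trusted, non-zero otherwise. It imports nothing: the vendor key has to be
# imported beforehand with `rpm --import /path/to/vendor-key.asc` (placeholder).
rpm_gate() {
  pkg=$1
  command -v rpm >/dev/null 2>&1 || { echo "rpm not found" >&2; return 2; }
  line=$(rpm -K "$pkg" 2>&1)
  status=$(classify_checksig_line "$line")
  case "$status" in
    trusted)
      echo "OK: $line"
      echo "zypper install \"$pkg\""   # printed, not run: the operator decides
      return 0 ;;
    *)
      echo "STOP ($status): $line" >&2
      return 1 ;;
  esac
}

# Usage: sh rpm_gate.sh <package.rpm>
if [ -n "${1:-}" ]; then
  rpm_gate "$1"
fi
```

Run as sh rpm_gate.sh ps-pulse-linux-9.1r15.0-b15819-64bit-installer.rpm. For an unsigned package such as the one on this page, rpm -K reports only "digests OK", so the gate stops with "unsigned", which is the same fact zypper reported above as "[6-File is unsigned]".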


Once the installation finishes you can find the GUI program



Click the newly added + button

Enter a name and the Server URL

Click Connect to connect




Bonus: connecting from the command line


Create the certificate directory

# mkdir  -p  /etc/pki/ca-trust/extracted/openssl


Create the file

# touch  /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt


Open the URL you will be connecting to in the Brave browser, e.g. https://YOUR_SERVER_URL

Click the padlock --> click "Certificate is valid" to open the certificate window



Click Details



Export all 3 certificates



Put the certificates in place


# cat  /home/sakanamax/Builtin\ Object\ Token_TWCA\ Global\ Root\ CA  >  /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt


# cat  /home/sakanamax/TWCA\ Secure\ SSL\ Certification\ Authority  >>  /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt


# cat  /home/sakanamax/_.YOURS.com.tw  >>  /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt


  • Remember to replace the company certificate names with your own
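The three cat commands above overwrite and then append the exported files without looking at them. As an added example that is not part of the original post, the shell functions below build the same bundle but first check that each input really is a PEM certificate (a browser export saved in the DER/binary format would silently corrupt a PEM bundle), make sure every certificate ends with a newline so that an END marker and the next BEGIN marker never share a line, and write the result atomically so a failed run leaves the previous bundle untouched. The function names, the output path argument and the PEM-shaped placeholder files produced by make_fake_pem are constructed for this example; they are not real certificates.

```shell
#!/bin/sh
# Added example: assemble a PEM CA bundle from exported certificate files,
# validating each input instead of blindly concatenating with cat.

# count_pem_certs FILE -> prints the number of BEGIN CERTIFICATE blocks in FILE
count_pem_certs() {
  [ -f "$1" ] || { echo 0; return 0; }
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# is_pem_cert FILE -> 0 when FILE is printable text with balanced
# BEGIN/END CERTIFICATE markers, 1 otherwise (DER export, HTML error page, ...)
is_pem_cert() {
  f=$1
  [ -f "$f" ] || return 1
  # DER is binary: any byte outside printable ASCII / whitespace disqualifies it
  if [ "$(LC_ALL=C tr -d '[:print:][:space:]' < "$f" | wc -c | tr -d ' ')" -ne 0 ]; then
    return 1
  fi
  begins=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$f" || true)
  ends=$(grep -c -- '-----END CERTIFICATE-----' "$f" || true)
  [ "$begins" -ge 1 ] && [ "$begins" -eq "$ends" ]
}

# build_ca_bundle OUT IN... -> writes OUT from the validated inputs; returns 1
# and leaves OUT untouched if any input fails is_pem_cert
build_ca_bundle() {
  out=$1; shift
  tmp="$out.tmp.$$"
  : > "$tmp"
  for f in "$@"; do
    if ! is_pem_cert "$f"; then
      echo "refusing $f: not a PEM certificate (DER export or damaged file?)" >&2
      rm -f "$tmp"
      return 1
    fi
    cat "$f" >> "$tmp"
    # guarantee a trailing newline so the next BEGIN marker starts its own line
    [ -z "$(tail -c 1 "$f")" ] || echo >> "$tmp"
  done
  mv "$tmp" "$out"
}

# make_fake_pem LABEL FILE -> writes a PEM-shaped placeholder (NOT a real
# certificate) so the functions above can be exercised offline
make_fake_pem() {
  {
    echo "-----BEGIN CERTIFICATE-----"
    echo "CONSTRUCTED-PLACEHOLDER-BODY-FOR-$1-NOT-A-REAL-CERTIFICATE"
    echo "-----END CERTIFICATE-----"
  } > "$2"
}

# Usage: sh build_bundle.sh /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt root.pem inter.pem server.pem
if [ "$#" -ge 2 ]; then
  build_ca_bundle "$@"
fi
```

The structural check is deliberately not chain validation; once the bundle exists, openssl verify -CAfile <bundle> <server-cert.pem> is the command that confirms the three exported certificates actually chain to the VPN server's certificate.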


Connect

# /opt/pulsesecure/bin/pulselauncher  -U  https://YOUR_SERVER_URL -u   YOUR_USER


  • In practice, a regular (non-root) user can connect

  • Enter the User Realm:

  • Enter the password



After this you can use Pulse Secure for SSL VPN connections


~ enjoy it


Reference


Saturday, October 22, 2022

Notes on upgrading the three-cloud-platform tools container - gcloud 406.0 / AWS CLI 2.8.5 / ansible 2.11.12



OS: container with openSUSE Leap 15.4



The last upgrade was in 2022/4; the reason for upgrading this time is



Also recording the current Ansible information on Azure Cloud Shell

  • Ansible: 2.13.3 / python 3.9.13 




Summary of results first


Before upgrade

OS: openSUSE Leap 15.3

awscli:  aws-cli/2.5.6 Python/3.9.11

gcloud: Google Cloud SDK 381.0.0

azure-cli: 2.35.0 (currently has a bug)

ansible: 2.11.10


After upgrade

OS: openSUSE Leap 15.4

awscli:  aws-cli/2.8.5 Python/3.9.11

gcloud: Google Cloud SDK 406.0.0

azure-cli: 2.35.0 (currently has a bug)

ansible: 2.11.12


AWS CLI v2 installation documentation


GCP Cloud SDK versions


Also, running ansible --version produces a warning that Ansible will require Python 3.8 or newer; the message is as follows


[DEPRECATION WARNING]: Ansible will require Python 3.8 or newer on the controller starting with Ansible 2.12. Current version: 3.6.15 (default, Sep 23 2021, 15:41:43) [GCC]. This feature will be removed from ansible-core in version 2.12. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.


  • This is presumably because openSUSE Leap 15.x is still based on SLES 15, so its Python policy is still on 3.6; it will have to stay this way for now


This time the approach is still to go through the docker build command

  • I have compared images built with docker build against images created by modifying an existing docker image and running docker commit; the image sizes still differ quite a lot


For the Dockerfile, I took the previous Dockerfile (currently openSUSE Leap 15.3) and modified it


Changes in detail


  • Update time

  • Google SDK version, plus the download file path and file name



Here is the diff output for reference


> diff  opensuseLeap153_ansible_20220417_Dockerfile opensuseLeap154_ansible_20221022_Dockerfile 


1,2c1,2

< # openSUSE Leap 15.3 with ansible, azure-cli, aws cli, gcloud

< FROM opensuse/leap:15.3

---

> # openSUSE Leap 15.4 with ansible, azure-cli, aws cli, gcloud

> FROM opensuse/leap:15.4
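Review bot: `FROM opensuse/leap:15.4` pins the base image by tag only, so every rebuild pulls whatever `opensuse/leap:15.4` resolves to on that day and two builds of this same Dockerfile can differ; pin by digest as well (`FROM opensuse/leap:15.4@sha256:<digest placeholder>`, taking the digest from `docker images --digests` or the registry) and bump it deliberately together with the `update time` comment in the next hunk.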

6c6

< # update time: 20220417

---

> # update time: 20221022

78,79c78,79

< RUN wget https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-sdk-381.0.0-linux-x86_64.tar.gz && \

<   tar zxvf google-cloud-sdk-381.0.0-linux-x86_64.tar.gz && \

---

> RUN wget https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-sdk-406.0.0-linux-x86_64.tar.gz && \

>   tar zxvf google-cloud-sdk-406.0.0-linux-x86_64.tar.gz && \
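Review bot: the version bump changes which tarball is downloaded but the hunk still feeds `wget` straight into `tar zxvf` with no integrity check, so a truncated or tampered download is extracted and installed silently; add a checksum step between the two, e.g. `echo '<sha256 placeholder>  google-cloud-sdk-406.0.0-linux-x86_64.tar.gz' | sha256sum -c -`, with the expected SHA-256 taken from the release listing for 406.0.0, so the build fails when the archive does not match.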





The Dockerfile contents are as follows




# openSUSE Leap 15.4 with ansible, azure-cli, aws cli, gcloud
FROM opensuse/leap:15.4

# Author
# MAINTAINER is deprecated; use LABEL instead
# update time: 20221022
LABEL maintainer="sakana@cycu.org.tw"

# Set LANG for UTF-8 - for Chinese
ENV LANG C.UTF-8

# Install python3-pip, upgrade pip, ansible, boto, boto3
RUN zypper refresh && \
  zypper install -y python3-pip && \
  pip3 install --upgrade pip && \
  pip3 install ansible && \
  pip3 install boto boto3

# Install openssh, set ls alias
RUN zypper install -y openssh
RUN echo "alias ls='ls --color=tty'" >> /root/.bashrc

# Install wget (azure_rm.py is no longer downloaded, see below)
RUN zypper install -y wget

# azure_rm.py no need to download
# Starting with Ansible 2.8, Ansible provides an Azure dynamic-inventory plug-in
# https://docs.ansible.com/ansible/latest/plugins/inventory/azure_rm.html
# old azure_rm.py URL https://raw.githubusercontent.com/ansible/ansible/devel/contrib/inventory/azure_rm.py

# Create working directory in /root
RUN mkdir /root/.azure && \
  mkdir /root/.aws && \
  mkdir /root/playbook && \
  mkdir -p /root/.config/gcloud && \
  wget https://raw.githubusercontent.com/sakanamax/LearnAnsible/master/template/ansible.cfg && \
  mv /ansible.cfg /root && \
  wget https://raw.githubusercontent.com/sakanamax/LearnAnsible/master/template/hosts && \
  mv /hosts /root

#### Azure ####
# Install azure-cli
# 2020/11/29 Still have az login issue in Github https://github.com/Azure/azure-cli/issues/13209
RUN zypper install -y curl && \
  rpm --import https://packages.microsoft.com/keys/microsoft.asc && \
  zypper addrepo --name 'Azure CLI' --check https://packages.microsoft.com/yumrepos/azure-cli azure-cli && \
  zypper install --from azure-cli -y azure-cli

# Install Ansible azure module
# After ansible 2.10, some modules moved to Ansible collections, so the install method changed
RUN zypper install -y curl && \
  curl -O https://raw.githubusercontent.com/ansible-collections/azure/dev/requirements-azure.txt && \
  pip3 install -r requirements-azure.txt && \
  rm -f requirements-azure.txt && \
  ansible-galaxy collection install azure.azcollection

# install vim tar gzip jq unzip less bind-utils iputils groff
RUN zypper install -y vim tar gzip jq unzip less bind-utils iputils groff
RUN echo "set encoding=utf8" > /root/.vimrc

#### AWS ####
# Install awscli v1
#RUN pip3 install awscli
#RUN echo "source /usr/bin/aws_bash_completer" >> /root/.bashrc

# Install awscli v2
RUN curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip" && \
  unzip awscliv2.zip && \
  /aws/install
RUN echo "complete -C '/usr/local/bin/aws_completer' aws" >> /root/.bashrc

#### GCP ####
# Install google cloud SDK 406.0.0
ENV CLOUDSDK_CORE_DISABLE_PROMPTS 1
RUN wget https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-sdk-406.0.0-linux-x86_64.tar.gz && \
  tar zxvf google-cloud-sdk-406.0.0-linux-x86_64.tar.gz && \
  /google-cloud-sdk/install.sh && \
  echo "if [ -f '/google-cloud-sdk/path.bash.inc' ]; then . '/google-cloud-sdk/path.bash.inc'; fi" >> /root/.bashrc && \
  echo "if [ -f '/google-cloud-sdk/completion.bash.inc' ]; then . '/google-cloud-sdk/completion.bash.inc'; fi" >> /root/.bashrc





Build the image with the docker build command


> docker build  -t  sakana/ansible_opensuse154:20221022  -f  ./opensuseLeap154_ansible_20221022_Dockerfile   .


  • Use -f to specify the Dockerfile name

  • The trailing " . " is the current directory

  • A networking note for myself: for some reason, when my home connection uses a static IP (possibly because traffic then goes over IPv6), docker build has connection problems; switching to a dynamic IP, or pinging an external host first, avoids the problem. Something to look into later



Test the container image


> docker  run  -v  ~/.aws:/root/.aws  -v  ~/.azure:/root/.azure  -v ~/.config/gcloud:/root/.config/gcloud  -it  sakana/ansible_opensuse154:20221022  /bin/bash


Test result OK; create a tag


  • Because openSUSE Leap 15 ships the old azure-cli and its dependencies, the az command currently has problems; I have updated the issue and spent a lot of time on adjustments, but for now it is a matter of waiting to see whether openSUSE and Azure provide follow-up updates

  • For now the az command may have to go through Azure Cloud Shell temporarily; ansible with Azure currently has problems and needs further testing


Check the information

> docker  images


REPOSITORY                   TAG        IMAGE ID       CREATED          SIZE
sakana/ansible_opensuse154   20221022   d7eaacc18701   10 minutes ago   3.67GB
opensuse/leap                15.4       b59a33a9e95e   10 days ago      112MB




Create the tag

> docker  tag  d7eaacc18701  sakana/ansible_opensuse154:latest


Log in to Docker

> docker  login


Push the image

> docker  push  sakana/ansible_opensuse154:20221022


> docker  push  sakana/ansible_opensuse154:latest


Done; from now on, use it with


> docker  run  -v  ~/.aws:/root/.aws  -v  ~/.azure:/root/.azure  -v ~/.config/gcloud:/root/.config/gcloud  -it  sakana/ansible_opensuse154  /bin/bash



Extra note: whenever I update the blog I also check whether the Azure credentials are more than a year old, referring to my earlier notes

  • http://sakananote2.blogspot.com/2020/05/azure-dynamic-inventory-with-ansible.html

  • Use az  ad  sp list  --all --output table | grep azure-cli to find the old credential,

  • delete it, e.g. # az  ad  sp delete --id d06f8905-ad21-425b-9da5-3e0bcf22a853

  • then create a new credential, e.g. # az  ad  sp  create-for-rbac --query  '{"client_id": appId, "secret": password, "tenant": tenant}'

  • look up the subscription_id, e.g. # az  account  show  --query  "{ subscription_id: id }"

  • update client_id and secret in ~/.azure/credentials



~ enjoy it


Reference: