Enable firewall activation for exam-mode

For working exam-mode we need to block direct internet access by firewall.
Users have to use squid-proxy on firewall, which can be disabled for exam-users.
To allow VM-traffic (anonymous user), we use a local squid server with users
kerberos-ticket to authenticate on the parent squid.

When using VMs on teacherdevices offsite, the local squid has to use direct internet access.
So we need two squid configs. When switching between offsite and onsite,
the squid has to be restarted with the corresponding config.
Raphael Dannecker 2024-12-11 13:09:30 +01:00
parent 99d7bd64db
commit 23a9b6ff97
6 changed files with 46 additions and 8 deletions


@ -0,0 +1,10 @@
[Unit]
Description=Run squid in usermode using user kerberos ticket
[Service]
Type=simple
ExecStart=/usr/local/bin/startusersquid.sh
Restart=on-failure
#[Install]
#WantedBy=default.target
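Review bot: The unit gives no reason for the commented-out `[Install]`/`WantedBy=default.target` lines, so a reader cannot tell whether starting at user login was rejected or merely deferred; the VM start script in this commit starts the unit explicitly with `systemctl --user restart`, so on-demand start appears to be the intent. Suggest replacing the two commented lines with `# No [Install] section on purpose: started on demand by the VM start script, not at user login.`. Separately, `Type=simple` with `Restart=on-failure` only works if `/usr/local/bin/startusersquid.sh` keeps squid in the foreground; if the script lets squid daemonize and exits 0, systemd will consider the service finished and stop tracking the proxy — worth confirming against the script, which is not part of this diff.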


@ -287,11 +287,7 @@ fi
VM_NAME=$1 VM_NAME=$1
# check, if we have to start squid systemctl --user restart usersquid.service &
if ! killall -s 0 squid; then
echo "starting squid."
/usr/sbin/squid -f /etc/squid/squid-usermode.conf
fi
# check, if persistent VM is really wanted # check, if persistent VM is really wanted
if [[ "${PERSISTENT}" == 1 ]] && [[ ! -f "${VM_DIR_PERSISTENT}/${VM_NAME}.qcow2" ]]; then if [[ "${PERSISTENT}" == 1 ]] && [[ ! -f "${VM_DIR_PERSISTENT}/${VM_NAME}.qcow2" ]]; then
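Review bot: `systemctl --user restart usersquid.service &` on the second line of the hunk replaces a start-only-if-not-running check with an unconditional, backgrounded restart, so every VM launch tears down a proxy that may already be serving other running VMs, and the script never learns whether the proxy came back up (the removed branch at least reported "starting squid."). If the restart is deliberate so that the proxy picks up the onsite/offsite config mentioned in the commit message, a comment should say so, e.g. `# VM egress proxy; restarted so it picks up the current onsite/offsite squid config`; otherwise `systemctl --user start usersquid.service` without the trailing `&` keeps the old semantics and surfaces a failed start through the exit status. The surrounding script logic starts and ends outside this hunk.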


@ -3,6 +3,11 @@
name: libvirtd.service name: libvirtd.service
listen: reload libvirtd listen: reload libvirtd
- name: Just force systemd to reread configs
ansible.builtin.systemd_service:
daemon_reload: true
listen: daemon reload
- name: Run update-desktop-database - name: Run update-desktop-database
command: update-desktop-database "{{ item }}" command: update-desktop-database "{{ item }}"
loop: loop:
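Review bot: The new `daemon reload` handler issues `daemon_reload: true` against the system manager, but the unit this commit installs goes to `/etc/systemd/user/` and is read by each user's `systemd --user` instance, which a system-scope daemon-reload does not refresh; whether that is a problem depends on whether a user manager already had an older copy of the unit loaded. Suggest recording the limitation on the handler: `# NOTE: reloads the system manager only; running systemd --user instances are not refreshed`. The handler is also written with the FQCN `ansible.builtin.systemd_service`, while the tasks touched by this commit use short module names (`template`, `copy`, `command`); pick one form for the role.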


@ -147,9 +147,25 @@
- name: Deploy squid user mode configuration - name: Deploy squid user mode configuration
template: template:
src: squid-usermode.conf.j2 src: "{{ item }}.j2"
dest: /etc/squid/squid-usermode.conf dest: "/etc/squid/{{ item }}"
mode: '0644' mode: '0644'
loop:
- squid-usermode.conf
- squid-usermode-external.conf
- name: Deploy startusersquid script
template:
src: startusersquid.sh.j2
dest: /usr/local/bin/startusersquid.sh
mode: '0755'
notify: daemon reload
- name: Provide usersquid service
copy:
src: usersquid.service
dest: /etc/systemd/user/usersquid.service
mode: 0644
- name: Deploy sudo configurations - name: Deploy sudo configurations
copy: copy:
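Review bot: `notify: daemon reload` is attached to the "Deploy startusersquid script" task, but a script under `/usr/local/bin` does not require a systemd reload; it is the "Provide usersquid service" task directly below, which writes the unit file, that should carry the notify. In that same task `mode: 0644` is an unquoted octal, unlike the quoted `'0644'`/`'0755'` used in the two tasks above; YAML 1.1 parsers read it as the integer 420, which Ansible maps back to 0644 but warns about, so write `mode: '0644'` for consistency. Finally, `startusersquid.sh.j2` is not among the six files changed by this commit, so it either already exists in the role or still has to be added; worth confirming before merge.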


@ -0,0 +1,11 @@
acl local-servers dstdomain .{{ domain }}
cache_peer firewall.{{ domain }} parent 3128 0 no-query default login=NEGOTIATE auth-no-keytab
never_direct deny local-servers
always_direct allow all
#access_log stdio:/tmp/access.log squid
access_log none
cache_log /dev/null
logfile_rotate 0
pid_filename none
http_port 192.168.122.1:3128
http_access allow all
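Review bot: `http_access allow all` on the last line accepts any client that can reach the listener, and no `acl … src` narrows it to the VM bridge; binding to `192.168.122.1:3128` confines exposure to that interface, but every guest on the bridge then gets an unrestricted egress proxy through the host, and in this offsite variant that is direct internet access with no audit trail (`access_log none`, `cache_log /dev/null`). At minimum restrict the source, e.g. `acl vmnet src 192.168.122.0/24` (match the bridge's real prefix), `http_access allow vmnet`, `http_access deny all`. This file is also a verbatim copy of the previous onsite config: with `always_direct allow all` the `cache_peer firewall.{{ domain }} …` and `never_direct deny local-servers` lines are effectively never consulted, so a header comment such as `# offsite variant: all traffic goes direct; peer lines kept only for parity with squid-usermode.conf` would spare the next reader the comparison.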


@ -1,7 +1,7 @@
acl local-servers dstdomain .{{ domain }} acl local-servers dstdomain .{{ domain }}
cache_peer firewall.{{ domain }} parent 3128 0 no-query default login=NEGOTIATE auth-no-keytab cache_peer firewall.{{ domain }} parent 3128 0 no-query default login=NEGOTIATE auth-no-keytab
never_direct deny local-servers never_direct deny local-servers
always_direct allow all never_direct allow all
#access_log stdio:/tmp/access.log squid #access_log stdio:/tmp/access.log squid
access_log none access_log none
cache_log /dev/null cache_log /dev/null
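Review bot: Changing the fourth line to `never_direct allow all` makes the preceding `never_direct deny local-servers` the only exception, so the order of these two rules is now what enforces exam mode, and nothing in the file says so. Suggest a comment above the pair: `# exam mode: local servers go direct, everything else must use the firewall parent (first matching never_direct rule wins)`. Because the parent is now the sole egress and `cache_log /dev/null` discards squid's own errors, a failed NEGOTIATE login against `firewall.{{ domain }}` will show up only as an opaque error inside the guest; consider keeping a cache_log for troubleshooting. The file continues past this hunk.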