opensource/cocos
1
0
Fork 0
mirror of https://github.com/ultravioletrs/cocos.git synced 2026-06-23 04:10:25 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
Files
5c60bc2a48b97d9c7bad5d44f72f02a3978b09dc
cocos/hal/cloud/config.yaml
T
Jovan Djukic 5c60bc2a48 COCOS-407 - Add support for Linux IMA (#429) 
* Added a feature which enables users to fetch IMA measurements and verify them

* Added a feature which enables users to fetch IMA measurements and verify them

* fixed lint error

* fixed according to comments

* fixed according to comments

* fixed according to comments

* fixed according to comments

* final bug fix
2025-05-14 13:03:56 +02:00

341 lines
13 KiB
YAML
Raw Blame History

#cloud-config
package_update: true
package_upgrade: false
users:
- default
- name: cocos_user
gecos: Default User
groups:
- sudo
- docker # Add cocos user to the docker group
sudo:
- ALL=(ALL:ALL) ALL
shell: /sbin/nologin
- name: algo_user
gecos: Algorithm User
groups:
- docker # Add to docker group for container execution
shell: /bin/bash
sudo:
- /usr/bin/python3 # Allow running Python
- /home/algo_user/.wasmtime/bin/wasmtime # Allow running Wasmtime
- /usr/bin/docker # Allow running Docker commands
packages:
- curl
- make
- git
- python3
- python3-dev
- net-tools # Add net-tools to install the 'route' command
- iptables-persistent # Add iptables-persistent to save firewall rules
- sudo # Ensure sudo is installed
write_files:
- path: /etc/cocos/certs/cert.pem
content: |
# Add certificate content here
permissions: "0644"
- path: /etc/cocos/certs/ca.pem
content: |
# Add CA certificate content here
permissions: "0644"
- path: /etc/cocos/certs/key.pem
content: |
# Add private key content here
permissions: "0600"
- path: /etc/cocos/environment
content: |
# Add environment variables here
permissions: "0644"
- path: /etc/systemd/system/cocos-agent.service
content: |
[Unit]
Description=Cocos AI agent
After=network.target
Before=docker.service
[Service]
WorkingDirectory=/cocos
StandardOutput=file:/var/log/cocos/agent.stdout
StandardError=file:/var/log/cocos/agent.stderr
EnvironmentFile=/etc/cocos/environment
ExecStartPre=/cocos_init/agent_setup.sh
ExecStart=/cocos_init/agent_start_script.sh
Restart=always
[Install]
WantedBy=default.target
permissions: "0644"
# Agent setup script
- path: /cocos_init/agent_setup.sh
content: |
#!/bin/sh
WORK_DIR="/cocos"
# IFACES are all network interfaces excluding lo (LOOPBACK) and sit interfaces
IFACES=$(ip link show | grep -vE 'LOOPBACK|sit*' | awk -F': ' '{print $2}')
# This for loop brings up all network interfaces in IFACES and dhclient obtains an IP address for the every interface
for IFACE in $IFACES; do
STATE=$(ip link show $IFACE | grep DOWN)
if [ -n "$STATE" ]; then
ip link set $IFACE up
fi
IP_ADDR=$(ip addr show $IFACE | grep 'inet ')
if [ -z "$IP_ADDR" ]; then
dhclient $IFACE
fi
done
if [ ! -d "$WORK_DIR" ]; then
mkdir -p $WORK_DIR
fi
# Resize the root filesystem to 100% of available space
ROOT_DEV=$(findmnt / -o SOURCE -n) # Get the root filesystem device
resize2fs "$ROOT_DEV" && echo "Root filesystem resized successfully" || echo "Failed to resize root filesystem"
permissions: "0755"
# Agent start script
- path: /cocos_init/agent_start_script.sh
content: |
#!/bin/sh
# Change the docker.service file to allow Docker to run in RAM
mkdir -p /etc/systemd/system/docker.service.d
# Create or overwrite the override.conf file with the new Environment variable
tee /etc/systemd/system/docker.service.d/override.conf > /dev/null <<EOF
[Service]
Environment=DOCKER_RAMDISK=true
EOF
systemctl daemon-reload
NUM_OF_PERMITED_IFACE=1
NUM_OF_IFACE=$(ip route | grep -Eo 'dev [a-z0-9]+' | awk '{ print $2 }' | grep -v '^docker' | sort | uniq | wc -l)
if [ $NUM_OF_IFACE -gt $NUM_OF_PERMITED_IFACE ]; then
echo "More than one network interface in the VM"
exit 1
fi
DEFAULT_IFACE=$(route | grep '^default' | grep -o '[^ ]*$')
AGENT_GRPC_HOST=$(ip -4 addr show $DEFAULT_IFACE | grep inet | awk '{print $2}' | cut -d/ -f1)
export AGENT_GRPC_HOST
exec /bin/cocos-agent
permissions: "0755"
# Firewall configuration script
- path: /cocos_init/setup_firewall.sh
content: |
#!/bin/bash
# Flush existing rules
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# Set default policies to DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Allow loopback interface
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow established and related connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow port 7002 (TCP) for incoming connections
iptables -A INPUT -p tcp --dport 7002 -j ACCEPT
# Save rules to persist after reboot
mkdir -p /etc/iptables
iptables-save > /etc/iptables/rules.v4
echo "Firewall configured to allow only port 7002"
permissions: "0755"
# Setup script for algo_user
- path: /cocos_init/setup_algo_user.sh
content: |
#!/bin/bash
# Create datasets directory with the right permissions
mkdir -p /datasets
chown root:root /datasets
chmod 755 /datasets
# Create a home directory for algo_user
mkdir -p /home/algo_user
chown algo_user:algo_user /home/algo_user
chmod 750 /home/algo_user
# Set up Wasmtime for algo_user
mkdir -p /home/algo_user/.wasmtime/bin
# Link system Wasmtime to user's directory
ln -s /root/.wasmtime/bin/wasmtime /home/algo_user/.wasmtime/bin/wasmtime
chown -R algo_user:algo_user /home/algo_user/.wasmtime
# Configure sudoers for algo_user
cat > /etc/sudoers.d/algo_user << EOF
algo_user ALL=(ALL) NOPASSWD: /usr/bin/python3
algo_user ALL=(ALL) NOPASSWD: /home/algo_user/.wasmtime/bin/wasmtime
algo_user ALL=(ALL) NOPASSWD: /usr/bin/docker
Defaults:algo_user !requiretty
EOF
chmod 440 /etc/sudoers.d/algo_user
# Create a .bashrc file that restricts navigation to /datasets
cat > /home/algo_user/.bashrc << EOF
# .bashrc for algo_user
# Restrict navigation outside /datasets
function cd() {
if [[ "\$1" == /* && "\$1" != "/datasets"* && "\$1" != "/home/algo_user"* ]]; then
echo "Access denied: You can only access files in /datasets or your home directory"
return 1
else
builtin cd "\$1"
fi
}
# Set PATH to include necessary binaries
export PATH=/usr/bin:/bin:/usr/local/bin:/home/algo_user/.wasmtime/bin
# Set default directory
if [[ \$PWD != "/datasets"* && \$PWD != "/home/algo_user"* ]]; then
cd /datasets
fi
EOF
chown algo_user:algo_user /home/algo_user/.bashrc
chmod 644 /home/algo_user/.bashrc
echo "algo_user setup completed successfully"
permissions: "0755"
# IMA setup for first boot
- path: /cocos_init/linux_ima_init.sh
content: |
#!/bin/bash
GRUB_FILE="/etc/default/grub"
if ! grep -q '^GRUB_CMDLINE_LINUX=.*ima_policy' "$GRUB_FILE"; then
echo "First boot, rebooting with fix IMA appraise policy"
NEW_PARAMS='ima_policy=tcb'
# Modify the GRUB_CMDLINE_LINUX line
sed -i -E \
"s#^(GRUB_CMDLINE_LINUX=\")(.*)(\")#\1\2 $NEW_PARAMS\3#" \
"$GRUB_FILE"
echo "Updated GRUB_CMDLINE_LINUX:"
grep "^GRUB_CMDLINE_LINUX=" "$GRUB_FILE"
sudo update-grub
sudo reboot
else
sudo find / -fstype ext4 -type f -uid 0 -exec dd if='{}' of=/dev/null count=0 status=none \;
fi
permissions: "0755"
runcmd:
# Enable Linux IMA with fix policy
- echo "Enable Linux IMA with fix policy and rebooting if necessary"
- sh /cocos_init/linux_ima_init.sh
# Create necessary directories
- mkdir -p /cocos
- mkdir -p /cocos_init
- mkdir -p /var/log/cocos
- mkdir -p /etc/cocos
# Download the cocos-agent binary
- echo "[ COCOS AGENT SETUP ] Downloading the cocos-agent binary..."
- curl -L -O -J https://github.com/smithjilks/cocos/releases/download/v1.0.0/cocos-agent --progress-bar && echo "[ COCOS AGENT SETUP ] cocos-agent binary downloaded successfully" || echo "Failed to download cocos-agent binary"
# Install the agent binary
- echo "[ COCOS AGENT SETUP ] Installing cocos-agent binary..."
- install -D -m 0755 cocos-agent /bin/cocos-agent && echo "[ COCOS AGENT SETUP ] cocos-agent binary installed successfully" || echo "[ COCOS AGENT SETUP ] Failed to install cocos-agent binary"
# Install Wasmtime
- echo "Installing Wasmtime runtime..."
- curl https://wasmtime.dev/install.sh -sSf | bash && echo "Wasmtime installed successfully" || echo "Failed to install Wasmtime"
- echo "Configuring Wasmtime environment variables..."
- echo "export WASMTIME_HOME=$HOME/.wasmtime" >> /etc/profile.d/wasm_env.sh
- echo "export PATH=\$WASMTIME_HOME/bin:\$PATH" >> /etc/profile.d/wasm_env.sh
- . /etc/profile.d/wasm_env.sh && echo "Wasmtime environment variables configured successfully" || echo "Failed to configure Wasmtime environment variables"
# Install Docker
- echo "Starting Docker installation..."
- curl -fsSL https://get.docker.com -o get-docker.sh && echo "Docker install script downloaded successfully" || echo "Failed to download Docker install script"
- sh ./get-docker.sh && echo "Docker installed successfully" || echo "Failed to install Docker"
- usermod -aG docker cocos_user && echo "Added cocos_user to the docker group" || echo "Failed to add cocos_user to the docker group"
# Disable SSH service
- echo "Disabling SSH service..."
- systemctl disable ssh.service && echo "SSH service disabled successfully" || echo "Failed to disable SSH service"
- systemctl disable sshd.service && echo "SSHD service disabled successfully" || echo "Failed to disable SSHD service"
- systemctl stop ssh.service && echo "SSH service stopped successfully" || echo "Failed to stop SSH service"
- systemctl stop sshd.service && echo "SSHD service stopped successfully" || echo "Failed to stop SSHD service"
# Completely remove SSH server
- echo "Removing SSH server..."
- apt-get purge -y openssh-server && echo "SSH server removed successfully" || echo "Failed to remove SSH server"
- apt-get autoremove -y && echo "Removed dependencies successfully" || echo "Failed to remove dependencies"
# Set up firewall to only allow port 7002
- echo "Setting up firewall..."
- bash /cocos_init/setup_firewall.sh && echo "Firewall configured successfully" || echo "Failed to configure firewall"
# Ensure iptables rules persist after reboot
- echo "Ensuring iptables rules persist after reboot..."
- systemctl enable netfilter-persistent && echo "netfilter-persistent service enabled successfully" || echo "Failed to enable netfilter-persistent service"
- systemctl start netfilter-persistent && echo "netfilter-persistent service started successfully" || echo "Failed to start netfilter-persistent service"
# Set up algo_user environment
- echo "Setting up algo_user environment..."
- bash /cocos_init/setup_algo_user.sh && echo "algo_user environment setup successfully" || echo "Failed to set up algo_user environment"
# Create datasets directory and set permissions
- echo "Creating datasets directory..."
- mkdir -p /datasets && echo "datasets directory created successfully" || echo "Failed to create datasets directory"
- chown root:root /datasets && echo "datasets ownership set successfully" || echo "Failed to set datasets ownership"
- chmod 755 /datasets && echo "datasets permissions set successfully" || echo "Failed to set datasets permissions"
# Add algo_user to the docker group
- echo "Adding algo_user to the docker group..."
- usermod -aG docker algo_user && echo "Added algo_user to the docker group" || echo "Failed to add algo_user to the docker group"
# Reload systemd and enable the service
- echo "[ COCOS AGENT SETUP ] Reloading systemd daemon..."
- systemctl daemon-reload && echo "[ COCOS AGENT SETUP ] Systemd daemon reloaded successfully" || echo "[ COCOS AGENT SETUP ] Failed to reload systemd daemon"
- echo "[ COCOS AGENT SETUP ] Enabling cocos-agent.service..."
- systemctl enable cocos-agent.service && echo "[ COCOS AGENT SETUP ] cocos-agent.service enabled successfully" || echo "[ COCOS AGENT SETUP ] Failed to enable cocos-agent.service"
- echo "[ COCOS AGENT SETUP ] Starting cocos-agent.service..."
- systemctl start cocos-agent.service && echo "[ COCOS AGENT SETUP ] cocos-agent.service started successfully" || echo "[ COCOS AGENT SETUP ] Failed to start cocos-agent.service"
final_message: "Cocos agent and algo_user setup complete. Verify logs to confirm successful service startup."
Reference in New Issue View Git Blame Copy Permalink