
Commit f37f5a4

Run unattended upgrade on deployment on Azure
This change runs unattended upgrade on deployment on Azure. It should allow the Agentless Scanner instance to get the most recent security fixes since the last published image.
1 parent 05abda9 commit f37f5a4

4 files changed

+47
-2
lines changed


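--- a/azure/arm/install.sh
+++ b/azure/arm/install.sh
@@ -27,6 +27,9 @@ apt install -y curl
 apt remove -y libx11-6
 apt autoremove -y
 
+# Perform unattended upgrades
+unattended-upgrade -v
+
 re='@Microsoft.KeyVault\(SecretUri=(https://.*)\)'
 if [[ "${api_key}" =~ $re ]]; then
 echo "Datadog API key is a Key Vault reference"
@@ -73,6 +76,24 @@ Unattended-Upgrade::Automatic-Reboot-WithUsers "true";
 Unattended-Upgrade::Automatic-Reboot-Time "now";
 EOF
 
+# Perform unattended upgrades 10 min after boot, then every 3 hours
+cat << EOF > /etc/systemd/system/apt-daily-upgrade.timer
+[Unit]
+Description=Daily apt upgrade and clean activities
+After=apt-daily.timer
+
+[Timer]
+OnActiveSec=10min
+OnCalendar=0/3:00:00
+Persistent=true
+
+[Install]
+WantedBy=timers.target
+EOF
+
+systemctl daemon-reload
+systemctl restart apt-daily-upgrade.timer
+
 # Activate agentless scanner logging
 mkdir -p /etc/datadog-agent/conf.d/agentless-scanner.d
 cat <<EOF > /etc/datadog-agent/conf.d/agentless-scanner.d/conf.yaml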
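Review bot: The first-boot `unattended-upgrade -v` added in the first hunk runs before the `Automatic-Reboot` settings are appended to `/etc/apt/apt.conf.d/50unattended-upgrades` in the second hunk, so a kernel update pulled in by that initial run is not followed by the reboot the configuration is meant to force; whether the timer-driven run ten minutes later acts on a pending reboot-required marker is not visible here, so moving the ad-hoc run below the heredoc that writes the reboot settings would make the intent unambiguous. The script runs under `set -e` with an ERR trap that powers the instance off (visible in the embedded copy in azure/arm/main.json), so if that single run exits non-zero on a transient mirror failure the deployment is lost instead of deferring to the timer; this looks worth an explicit decision and a comment such as `# A failing first upgrade aborts provisioning via the ERR trap; the timer below retries every 3 hours`. The new timer only reschedules apt-daily-upgrade, while package-list refresh still depends on apt-daily.timer, which is unchanged, so the effective cadence for picking up new fixes is presumably bounded by that timer rather than the 3-hour schedule. The same two hunks appear in azure/modules/custom-data/templates/install.sh.tftpl, and the enclosing script continues outside both hunks.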

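--- a/azure/arm/main.json
+++ b/azure/arm/main.json
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.33.93.31351",
-"templateHash": "14928090243574688269"
+"templateHash": "18381383220572173991"
 }
 },
 "functions": [
@@ -140,7 +140,7 @@
 }
 },
 "variables": {
-"$fxv#0": "#!/bin/bash\nset +x\nset -u\nset -e\nset -o pipefail\n\nfatal_error () {\n printf \"FATAL ERROR: shutting down\\n\"\n shutdown -h now\n}\n\ntrap 'fatal_error' ERR\n\n# Remove SSH mock public key\nsed -i '/.*${ssh_mock_public_key}.*/d' '${ssh_authorized_keys_file}'\n\n# Enable the nbd module\nmodprobe nbd nbds_max=128\necho \"nbd\" > /etc/modules-load.d/nbd.conf\necho \"options nbd nbds_max=128\" > /etc/modprobe.d/nbd.conf\n\n# Install requirements\napt update\napt install -y curl\n\n# Remove uneeded packages\napt remove -y libx11-6\napt autoremove -y\n\nre='@Microsoft.KeyVault\\(SecretUri=(https://.*)\\)'\nif [[ \"${api_key}\" =~ $re ]]; then\n echo \"Datadog API key is a Key Vault reference\"\n DD_API_KEY=\"ENC[${api_key}]\"\nelse\n DD_API_KEY=\"${api_key}\"\nfi\n\n# Append the last 6 bytes of the VM UUID to prevent hostname collisions\nVM_ID=$(cat /sys/devices/virtual/dmi/id/product_uuid)\nDD_HOSTNAME=\"$(hostname)-${VM_ID:(-12)}\"\nDD_SITE=\"${site}\"\nDD_AGENTLESS_VERSION=\"${scanner_version}\"\nDD_AGENTLESS_CHANNEL=\"${scanner_channel}\"\n\nhostnamectl hostname \"$DD_HOSTNAME\"\n\n# Install the agent\nDD_INSTALL_ONLY=true \\\n DD_API_KEY=\"TBD\" \\\n DD_SITE=\"$DD_SITE\" \\\n DD_HOSTNAME=\"$DD_HOSTNAME\" \\\n bash -c \"$(curl -L https://s3.amazonaws.com/dd-agent/scripts/install_script_agent7.sh)\"\n\n# Install the agentless-scanner\necho \"deb [signed-by=/usr/share/keyrings/datadog-archive-keyring.gpg] https://apt.datadoghq.com/ $DD_AGENTLESS_CHANNEL agentless-scanner\" >> /etc/apt/sources.list.d/datadog.list\napt update\nagentless_pkg_pattern=\"([[:digit:]]:)?$DD_AGENTLESS_VERSION(\\.[[:digit:]]+){0,1}(~rc\\.[[:digit:]]+)?(-[[:digit:]])?\"\nagentless_version_custom=\"$(apt-cache madison datadog-agentless-scanner | grep -E \"$agentless_pkg_pattern\" -om1)\" || true\nif [ -z \"$agentless_version_custom\" ]; then\n printf \"Could not find a version of datadog-agentless-scanner from %s\" \"$DD_AGENTLESS_VERSION\"\n exit 1\nfi\n# We mask/unmask because apt auto-starts the service, and we do\n# not want to start it before the configuration is in place.\nsystemctl mask datadog-agentless-scanner.service\napt install -y \"datadog-agentless-scanner=$agentless_version_custom\"\nsystemctl unmask datadog-agentless-scanner.service\n\n# Adding automatic reboot on kernel updates\ncat << EOF >> /etc/apt/apt.conf.d/50unattended-upgrades\nUnattended-Upgrade::Automatic-Reboot \"true\";\nUnattended-Upgrade::Automatic-Reboot-WithUsers \"true\";\nUnattended-Upgrade::Automatic-Reboot-Time \"now\";\nEOF\n\n# Activate agentless scanner logging\nmkdir -p /etc/datadog-agent/conf.d/agentless-scanner.d\ncat <<EOF > /etc/datadog-agent/conf.d/agentless-scanner.d/conf.yaml\nlogs:\n - type: file\n path: \"/var/log/datadog/agentless-scanner.log\"\n service: \"agentless-scanner\"\n source: go\n sourcecategory: sourcecode\nEOF\n\nchown -R dd-agent: /etc/datadog-agent/conf.d/agentless-scanner.d\n\n# Custom configuration for agent\ncat <<EOF > /etc/datadog-agent/datadog.yaml\napi_key: $DD_API_KEY\nsite: $DD_SITE\nhostname: $DD_HOSTNAME\nlogs_enabled: true\nec2_prefer_imdsv2: true\nsecret_backend_command: /usr/local/bin/dd-secret-backend\nEOF\n\ncat <<EOF > /usr/local/bin/dd-secret-backend\n#!/bin/bash\ndatadog-agentless-scanner secrets || exit 1\nEOF\nchown dd-agent: /usr/local/bin/dd-secret-backend\nchmod 700 /usr/local/bin/dd-secret-backend\n\ncat <<EOF > /etc/datadog-agent/agentless-scanner.yaml\nhostname: $DD_HOSTNAME\napi_key: $DD_API_KEY\nsite: $DD_SITE\nazure_client_id: ${azure_client_id}\ninstallation_mode: terraform\ninstallation_version: 0.11.6\nEOF\n\nchown dd-agent: /etc/datadog-agent/agentless-scanner.yaml\nchmod 600 /etc/datadog-agent/agentless-scanner.yaml\n\n# Restart the agent\nsystemctl restart datadog-agent\n\n# Stop the scanner after 24 hours. This will cause the health\n# probe to fail and trigger an automatic instance replacement.\nsystemd-run --on-boot=24h systemctl stop datadog-agentless-scanner\n\n# Enable and start datadog-agentless-scaner\nsystemctl enable --now datadog-agentless-scanner\n",
+"$fxv#0": "#!/bin/bash\nset +x\nset -u\nset -e\nset -o pipefail\n\nfatal_error () {\n printf \"FATAL ERROR: shutting down\\n\"\n shutdown -h now\n}\n\ntrap 'fatal_error' ERR\n\n# Remove SSH mock public key\nsed -i '/.*${ssh_mock_public_key}.*/d' '${ssh_authorized_keys_file}'\n\n# Enable the nbd module\nmodprobe nbd nbds_max=128\necho \"nbd\" > /etc/modules-load.d/nbd.conf\necho \"options nbd nbds_max=128\" > /etc/modprobe.d/nbd.conf\n\n# Install requirements\napt update\napt install -y curl\n\n# Remove uneeded packages\napt remove -y libx11-6\napt autoremove -y\n\n# Perform unattended upgrades\nunattended-upgrade -v\n\nre='@Microsoft.KeyVault\\(SecretUri=(https://.*)\\)'\nif [[ \"${api_key}\" =~ $re ]]; then\n echo \"Datadog API key is a Key Vault reference\"\n DD_API_KEY=\"ENC[${api_key}]\"\nelse\n DD_API_KEY=\"${api_key}\"\nfi\n\n# Append the last 6 bytes of the VM UUID to prevent hostname collisions\nVM_ID=$(cat /sys/devices/virtual/dmi/id/product_uuid)\nDD_HOSTNAME=\"$(hostname)-${VM_ID:(-12)}\"\nDD_SITE=\"${site}\"\nDD_AGENTLESS_VERSION=\"${scanner_version}\"\nDD_AGENTLESS_CHANNEL=\"${scanner_channel}\"\n\nhostnamectl hostname \"$DD_HOSTNAME\"\n\n# Install the agent\nDD_INSTALL_ONLY=true \\\n DD_API_KEY=\"TBD\" \\\n DD_SITE=\"$DD_SITE\" \\\n DD_HOSTNAME=\"$DD_HOSTNAME\" \\\n bash -c \"$(curl -L https://s3.amazonaws.com/dd-agent/scripts/install_script_agent7.sh)\"\n\n# Install the agentless-scanner\necho \"deb [signed-by=/usr/share/keyrings/datadog-archive-keyring.gpg] https://apt.datadoghq.com/ $DD_AGENTLESS_CHANNEL agentless-scanner\" >> /etc/apt/sources.list.d/datadog.list\napt update\nagentless_pkg_pattern=\"([[:digit:]]:)?$DD_AGENTLESS_VERSION(\\.[[:digit:]]+){0,1}(~rc\\.[[:digit:]]+)?(-[[:digit:]])?\"\nagentless_version_custom=\"$(apt-cache madison datadog-agentless-scanner | grep -E \"$agentless_pkg_pattern\" -om1)\" || true\nif [ -z \"$agentless_version_custom\" ]; then\n printf \"Could not find a version of datadog-agentless-scanner from %s\" \"$DD_AGENTLESS_VERSION\"\n exit 1\nfi\n# We mask/unmask because apt auto-starts the service, and we do\n# not want to start it before the configuration is in place.\nsystemctl mask datadog-agentless-scanner.service\napt install -y \"datadog-agentless-scanner=$agentless_version_custom\"\nsystemctl unmask datadog-agentless-scanner.service\n\n# Adding automatic reboot on kernel updates\ncat << EOF >> /etc/apt/apt.conf.d/50unattended-upgrades\nUnattended-Upgrade::Automatic-Reboot \"true\";\nUnattended-Upgrade::Automatic-Reboot-WithUsers \"true\";\nUnattended-Upgrade::Automatic-Reboot-Time \"now\";\nEOF\n\n# Perform unattended upgrades 10 min after boot, then every 3 hours\ncat << EOF > /etc/systemd/system/apt-daily-upgrade.timer\n[Unit]\nDescription=Daily apt upgrade and clean activities\nAfter=apt-daily.timer\n\n[Timer]\nOnActiveSec=10min\nOnCalendar=0/3:00:00\nPersistent=true\n\n[Install]\nWantedBy=timers.target\nEOF\n\nsystemctl daemon-reload\nsystemctl restart apt-daily-upgrade.timer\n\n# Activate agentless scanner logging\nmkdir -p /etc/datadog-agent/conf.d/agentless-scanner.d\ncat <<EOF > /etc/datadog-agent/conf.d/agentless-scanner.d/conf.yaml\nlogs:\n - type: file\n path: \"/var/log/datadog/agentless-scanner.log\"\n service: \"agentless-scanner\"\n source: go\n sourcecategory: sourcecode\nEOF\n\nchown -R dd-agent: /etc/datadog-agent/conf.d/agentless-scanner.d\n\n# Custom configuration for agent\ncat <<EOF > /etc/datadog-agent/datadog.yaml\napi_key: $DD_API_KEY\nsite: $DD_SITE\nhostname: $DD_HOSTNAME\nlogs_enabled: true\nec2_prefer_imdsv2: true\nsecret_backend_command: /usr/local/bin/dd-secret-backend\nEOF\n\ncat <<EOF > /usr/local/bin/dd-secret-backend\n#!/bin/bash\ndatadog-agentless-scanner secrets || exit 1\nEOF\nchown dd-agent: /usr/local/bin/dd-secret-backend\nchmod 700 /usr/local/bin/dd-secret-backend\n\ncat <<EOF > /etc/datadog-agent/agentless-scanner.yaml\nhostname: $DD_HOSTNAME\napi_key: $DD_API_KEY\nsite: $DD_SITE\nazure_client_id: ${azure_client_id}\ninstallation_mode: terraform\ninstallation_version: 0.11.6\nEOF\n\nchown dd-agent: /etc/datadog-agent/agentless-scanner.yaml\nchmod 600 /etc/datadog-agent/agentless-scanner.yaml\n\n# Restart the agent\nsystemctl restart datadog-agent\n\n# Stop the scanner after 24 hours. This will cause the health\n# probe to fail and trigger an automatic instance replacement.\nsystemd-run --on-boot=24h systemctl stop datadog-agentless-scanner\n\n# Enable and start datadog-agentless-scaner\nsystemctl enable --now datadog-agentless-scanner\n",
 "sshMockPublicKey": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJWFDAB+VRKsHvHjIyiEN9izvhaosXAUMG1jPMo9hcnE",
 "sshAuthorizedKeysFile": "[format('/home/{0}/.ssh/authorized_keys', parameters('adminUsername'))]",
 "tags": "[union(parameters('resourceTags'), createObject('Datadog', 'true', 'DatadogAgentlessScanner', 'true'))]",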

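--- a/azure/modules/custom-data/templates/install.sh.tftpl
+++ b/azure/modules/custom-data/templates/install.sh.tftpl
@@ -24,6 +24,9 @@ apt install -y curl
 apt remove -y libx11-6
 apt autoremove -y
 
+# Perform unattended upgrades
+unattended-upgrade -v
+
 re='@Microsoft.KeyVault\(SecretUri=(https://.*)\)'
 if [[ "${api_key}" =~ $re ]]; then
 echo "Datadog API key is a Key Vault reference"
@@ -71,6 +74,24 @@ Unattended-Upgrade::Automatic-Reboot-WithUsers "true";
 Unattended-Upgrade::Automatic-Reboot-Time "now";
 EOF
 
+# Perform unattended upgrades 10 min after boot, then every 3 hours
+cat << EOF > /etc/systemd/system/apt-daily-upgrade.timer
+[Unit]
+Description=Daily apt upgrade and clean activities
+After=apt-daily.timer
+
+[Timer]
+OnActiveSec=10min
+OnCalendar=0/3:00:00
+Persistent=true
+
+[Install]
+WantedBy=timers.target
+EOF
+
+systemctl daemon-reload
+systemctl restart apt-daily-upgrade.timer
+
 # Activate agentless scanner logging
 mkdir -p /etc/datadog-agent/conf.d/agentless-scanner.d
 cat <<EOF > /etc/datadog-agent/conf.d/agentless-scanner.d/conf.yaml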

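--- a/modules/user_data/templates/install.sh.tftpl
+++ b/modules/user_data/templates/install.sh.tftpl
@@ -27,6 +27,9 @@ apt autoremove -y
 # Perform unattended upgrades
 unattended-upgrade -v
 
+# Perform unattended upgrades
+unattended-upgrade -v
+
 # Get IMDS metadata to fetch the API Key from SecretsManager (without having to install awscli)
 IMDS_TOKEN=$( curl -sSL -XPUT "http://169.254.169.254/latest/api/token" -H "X-AWS-EC2-Metadata-Token-TTL-Seconds: 30")
 IMDS_INSTANCE_ID=$(curl -sSL -XGET "http://169.254.169.254/latest/meta-data/instance-id" -H "X-AWS-EC2-Metadata-Token: $IMDS_TOKEN")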
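Review bot: The three added lines duplicate the `# Perform unattended upgrades` / `unattended-upgrade -v` block that already sits immediately above them as context (old lines 27–29), so on AWS the upgrade now runs twice back-to-back at boot and delays the IMDS and API-key steps for no gain. The commit message scopes the change to Azure, so this hunk looks accidental; dropping the three added lines restores the previous behaviour of this template. The enclosing script continues outside the hunk.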
