The following describes the set of scripts needed to configure a Crucible appliance. This application stack consists of a single-node Docker swarm utilizing a Traefik reverse proxy. They are assembled using Docker Compose files on an Ubuntu 20.04 operating system.
- Create an Ubuntu 20.04 VM. The scripts should work with a default install.
- 30GB+ HD
- 4 processors
- 6GB RAM
- Clone this repository:
sudo git clone https://github.com/cmu-sei/Crucible.Appliance.git /deploy - Navigate to:
cd /deploy. vim envand set the variables based upon the comments. Pay close attention to theID_SERVERandSWARM_SERVERvalues; these need to match theDOMAIN.- Run
sudo /deploy/docs/appliance/scripts/prep.sh. This will install the binaries needed for the appliance, including Docker.prep.shcan take some time because it pulls any Docker images the appliance needs. - Run
newgrp dockerto verify that you have permissions to run Docker commands. - Verify that the
envfile has the values you want and run:sudo /deploy/docs/appliance/scripts/configure.sh - After the configure script finishes, it takes about five minutes for all the applications to be ready.
- To seed the databases with sample data, run:
sudo /deploy/docs/appliance/scripts/crucible-seed.shCaution! Be careful running this file as it drops the databases and re-creates them; resetting the data in Alloy, Caster, Player, Steamfitter, VM, and VM-console.
This appliance uses a Traefik reverse proxy so hostnames must be used when accessing the appliance applications. It's generally better to have a DNS server that you can place a wildcard entry for: *.crucible.io (DOMAIN in env file). However, a script is provided to generate a hosts entry that you can place into /etc/hosts.
Run /deploy/docs/appliance/scripts/generate-hosts.sh.
The script generates a command to run on your local workstation.
By default, the appliance generates a local certificate authority and issues a certificate for all the applications.
From your workstation, it may be convenient to install your Root CA cert from https://*.crucible.io. This can be found in the local nfs server at:
/mnt/data/certificates/sei-ca or by this URL: http://[IP-ADDRESS]:8000/appliance-ca.crt
If providing a certificate by some other means, be sure to coordinate its location with the Traefik stack: /deploy/traefik/traefik-stack-ssl.yml
For other certificates the applications need to trust, drop them in /mnt/data/certificates/sei-ca.
The identity server is configured with default settings. Look through the /deploy/docs/appliance/compose/identity/identity.conf file to edit them.
A default administrator account is configured there: admin@<DOMAIN> | <ADMIN_PASS> (default '321ChangeMe!').
Use that username and password to login and set up other accounts, or see below to reset the database.
For more information on Identity server, see the Identity Server Readme file.
Sometimes it may be necessary to reset the appliance, perhaps to change the domain name or the admin password. At this time, the appliance is limited to a full reset, selecting specific data to save is not possible.
Warning! Resetting the appliance deletes everything: all data and all certificates.
To reset the appliance, run: /deploy/docs/appliance/scripts/reset.sh.
| Application | Username | Password | Notes |
|---|---|---|---|
| Crucible apps | [email protected] | 321ChangeMe! | ADMIN_PASS |
| GitLab | root | 321ChangeMe! | Also connected to the identity server; click the foundry button under the login section |
| StackStorm | st2admin | 321ChangeMe! | ADMIN_PASS |
| Portainer | admin | 321ChangeMe! | ADMIN_PASS |
Replace crucible.io with the <DOMAIN> environment URL if changed.
| Application | URL |
|---|---|
| Alloy | alloy.crucible.io |
| Alloy API | alloy-api.crucible.io/api |
| Caster | caster.crucible.io |
| Caster API | caster-api.crucible.io/api |
| Identity | id.crucible.io |
| Identity API | id.crucible.io/api |
| Player | player.crucible.io |
| Player API | player-api.crucible.io/api |
| Steamfitter | steamfitter.crucible.io |
| Steamfitter API | steamfitter-api.crucible.io/api |
| VM | vm.crucible.io |
| VM API | vm-api.crucible.io/api |
| VM Console | vm-console.crucible.io |
| 3rd Party Applications | URL |
|---|---|
| GitLab | gitlab.crucible.io |
| Portainer | swarm.crucible.io |
| StackStorm | stackstorm.crucible.io |
| Kibana | kibana.crucible.io |
It's possible to override any variable within the env file with standard Linux environment variables. Linux environment variables will take precedent.
Note: This is untested.
This directory needs to be kept. All scripts are based on this directory. While it is possible to override the directory with the $DEPLOY environment variable it is best to leave it.
Note: This is untested.
son and soffare shell applications placed in /usr/local/bin. They are there to assist in the deployment and removal of Crucible applications. This is useful for when you need to modify settings of individual Crucible applications such as the various api-settings or ui-settings.
son & soff are non-destructive. No changes will be made to your data.
| command | notes |
|---|---|
| son | Deploy all applications |
| son player | Deploy only Player |
| son player caster | Deploy only Player and Caster |
| soff | Remove all applications |
| soff player | Remove only Player |
| soff player caster | Remove only Player and Caster |
son & soff search the /deploy directory for folders of applications to deploy. Due to the differences in our various environments, it is important to note:
On the appliance root level settings, folders are overridden by folders in /deploy/docs/appliance/compose.
If you find that your settings are not being applied check if a folder exists under this directory and modify your settings there.
Crucible can optionally be seeded with example data. Run: /deploy/docs/appliance/scripts/crucible-seed.sh
Warning: Doing so will reset the data in the appliance.
- Player: Two views are created, one for a standard view and one for an Alloy view.
- Alloy: One event connected to a Player View, Caster Directory, and Steamfitter Scenario.
- Caster: One Project that deploys a single Ubuntu VM and Distributed Portgroup.
- Requirements:
- vSphere server with a datacenter, cluster, and Distributed Virtual Switch.
- Ubuntu Template or VM with a snapshot taken.
- Within Caster make sure to customize
variables.auto.tfvarsfile with your environment information.
- Requirements:
- Steamfitter: One scenario template with four simple tasks configured.
Make sure you download the appliance certificate. The default location of this file is:
http://[IP-ADDRESS]:8000/appliance-ca.crt
Some applications such as VM and VM-console are set to Require Consent on the Identity server; open the application in a new tab to get the consent page.
The default vCenter Self-Signed certificates have an expiry that is too long for modern browsers. Go to the individual Esxi servers and accept those certificates.
Modules are well-documented in GitLab READMEs. Visit the GitLab repository for more in-depth instructions.
Crucible help documentation can be found here. Release notes and Readme files for individual apps in the Crucible stack can be found in their respective GitHub repositories.
Traefik Labs documentation, guides, configurations, and references can be found here.
Think you found a bug? Please report all Crucible bugs - including bugs for the individual Crucible apps - in the cmu-sei/crucible issue tracker.
Include as much detail as possible including steps to reproduce, specific app involved, and any error messages you may have received.
Have a good idea for a new feature? Submit all new feature requests through the cmu-sei/crucible issue tracker.
Include the reasons why you're requesting the new feature and how it might benefit other Crucible users.
Copyright 2021 Carnegie Mellon University. See the LICENSE.md file for details.