Wednesday, January 10, 2024

Extracting Oracle's Gzipped Java Tarball On Windows to Create an Isolated, Zero Footprint Java Install for CIS CAT Pro

I had a project to package the CIS CAT Pro benchmark auditing tool for Windows and Linux. The unique Windows challenges I experienced are applicable anytime you either need to extract Java for Windows or extract any gzipped or tar archive on Windows – without using 7zip. CIS CAT Pro requires Java and I wanted to create a zero footprint Java install that could be cleanly wiped out by deleting a folder. This allows the automation to be more readily used on production systems because it won't force a Java install, nor compete with an existing version of Java. (I find it ironic that CIS CAT requires Java – and then frequently flags the copy of Java it's using as a problem.)

7zip has had a fair share of security vulnerabilities – consequently installing or using it can trigger a number of security bells where I work – so it was required to have a solution that was 7zip-less.

While it's more than a little frustrating that Java is only provided by Oracle as a gzipped tarball for Windows, this technique will work fine for anything else that's only provided for Windows as a gzipped tarball.

Applying Infrastructure as Code: Principles of Minimalism

The term Infrastructure as Code is thrown around a lot and yet without very many specifics on how adopting this approach would inform coding decisions. Sometimes people think of it exclusively in terms of desired state configuration management platforms like Chef, Puppet or Ansible. I've heard others reference it purely as setting up things other than actual end nodes – like what Terraform does.

When I think of Infrastructure as Code it's all inclusive – whether imperative or declarative, whether OS oriented or hypervisor oriented. To me a pure definition of Infrastructure as Code means every last scrap of your configuration can be checked into source control and that the hard core disciplines of traditional development are applied (e.g. structured code, lots of testing, etc.)

Put another way, if the bottom-of-the-stack imperative code (which always underlies declarative systems) remains the quick and dirty admin coding of the past – it may be the Achilles heel of the rest of the stack!

If you're lucky enough to live in a pure PaaS or FaaS (Serverless) world – then this imperative level probably doesn't exist (but then you would also not have made it this far in this article 😉 )

For a long time I've felt that minimalizing code around the most pragmatic implementation made it more flexible than I originally anticipated when engineering it – it was a repeating theme. Recently I found that exact thought asserted in the book FIRE: How Fast, Inexpensive, Restrained, and Elegant Methods Ignite Innovation. I see it repeatedly that choosing rudimentary implementations frequently increases their scope by reducing the assumptions. This aspect of coding is somewhat unique to developing automation for a broad audience because enterprise applications rely on bringing all their dependencies with them (at least the ones with well written install code do 😉 )

In working with operating system provisioning and software deployment automation, I frequently deal with bootstrap automation – a system that doesn't have extras and may be in a build environment where it can't easily get to extras. Additionally, I frequently have to go from freshly booted OS to complete working software stack in a single set of orchestration. Dealing with these constraints routinely causes me to reduce the external dependencies I take on for anything that doesn't ship on the box. It's why I code in PowerShell and Bash – usually the shipped version of these languages is sufficient for anything I want to do. Reducing dependencies not only means I can get to the real work of configuration sooner, it means you don't soil the system with a bunch of installations that have nothing to do with the final software stack that will run on it. In addition, in the Windows world we constantly deal with the fact that exe and msi based installers frequently require special handling like reboots – what a painful situation to be in simply because you need a given utility to automate an install.

The first step in a minimalistic approach is to ask "Is there something on the machine that can already do this task?"

.NET (and therefore PowerShell) has a class for standard .zip extracts (system.io.compression.filesystem) and at first blush this class appears to contain some attempt to handle Linux archive technology – but it's not complete and definitely doesn't handle both gzip and tar.

In fact, using system.io.compression.filesystem is another exercise in minimalism – it has the following benefits over using Windows Explorer's unzip capability which you find in many code samples:

  • It works on non-GUI OS variants such as Server Core, Containers and Nano Server (Windows Explorer calls don't)
  • It has fantastic version reach, working on PowerShell 2 through 6 (Server 2008 R2 through 2019) – the *-Archive cmdlets are only on later versions of Windows.

Other Options Investigated:

  • Very recent versions of Windows ship with tar – but the Microsoft compiled version of tar is not available for download on any earlier version of Windows.
  • A binary compiled by a third party (with the same options as tar for Windows) is not available either.
  • Most other third party tars rely on heavy runtime libraries like Cygwin – a bit of overkill to untar one file 🙁

Another IaC principle I apply is that software and utilities needed only for installation or only for a temporary purpose should not be fully installed and integrated (even if removed later) if at all possible. This is a slightly bigger scoped "minimalism" than what type of code and utilities are used to perform the install. In this case it affects both the installation automation and the overall idea of putting CIS CAT on a system. The reason for putting CIS CAT on any system has nothing to do with what the software stack on that system is designed to do for customers – so effort should be made to minimize any impact it may have on the target system. In the case of CIS CAT we have a special concern in that it might be the only reason Java needs to be placed on a given system – so it should be isolated and easy to clean off. This level of minimalism, then, informs us that the design of making the CIS CAT and Java install self-isolated and easy to clean off applies to both Linux and Windows.

Here is a summary of the benefits of using the tarball rather than the installer edition:

  • By not fully installing Java we don't change the configuration of the machine in ways that don't always back out cleanly (e.g. the system path)
  • By not fully installing Java we don't create challenges for local applications that are using Java (by upgrading it or removing older versions)
  • We can pick a version of Java that only concerns itself with compatibility with the specific app we're using (CIS-CAT in this case)
  • It is very easy to clean up when the purpose is temporary.
  • We can support an easy-to-clean-off install of CIS CAT for Windows and Linux for CIS CAT 3 & 4 (4 total editions). CIS CAT has a "dissolvable package" – however, you can't pick the Java version and it's only for Windows and only CIS CAT v3.


I should mention that I tried tartool.exe – which is based on the assembly we will end up using – unfortunately, tartool was insisting that I install .NET 3.5 / 2.0. Not only do I not want this old version of .NET on my system – but for many versions of Windows this particular optional OS feature must be retrieved from Microsoft and it frequently fails to deploy.

Since this is primarily for instances in Amazon, Amazon's Corretto Java was tried (which does come as a Zip). However, it was incompatible with at least some of the CIS CAT tests.

I finally settled on calling the assembly ICSharpCode.SharpZipLib.dll directly from PowerShell to untar the Oracle edition.

The following code downloads and extracts SharpZipLib and then uses it to extract Java. Look closely because the lines to acquire SharpZipLib include a little, but surprisingly helpful secret – .nupkg files are really just .zip files. This means any .nupkg file you find on nuget.org or chocolatey.org can be minimalized by downloading it, extracting it and using its contents. In fact, the Universal OpenSSH Installer I created takes advantage of exactly this fact to be usable for non-chocolatey installs!

Another point of IaC minimalism – it turns out SharpZipLib is now available with the "Install-Package" command – however, below I've chosen a direct .zip download for these reasons:

  • many times I have to automate for off the shelf configurations of Windows, and before PowerShell 5, there was no package management.
  • my use of SharpZipLib will also not leave any residue on the system – clean up with a simple delete – this is not how package management works.
  • If my usage of package management is the first on the given machine (very common with deployment automation) I have to use multiple commands and switches for all the underlying bits and pieces (package provider, package source) to be automatically configured and used. This further soils the system with configurations that are not easy to return to a pristine state.
  • the location of the extracted assembly can move around when using package management and I don't want to have to probe to find it.

The Code

Invoke-WebRequest -uri 'https://github.com/icsharpcode/SharpZipLib/releases/download/v1.1.0/SharpZipLib.1.1.0.nupkg' -outfile "$PWD/SharpZipLib.1.1.0.nupkg"
Add-Type -assembly "system.io.compression.filesystem"
# A .nupkg is just a .zip, so the built-in .NET zip class unpacks it (the DLL lands under lib\net45)
[IO.Compression.ZipFile]::ExtractToDirectory("$PWD/SharpZipLib.1.1.0.nupkg", "$PWD")

Write-host "Untaring Java..."

Add-Type -Path "$PWD\lib\net45\ICSharpCode.SharpZipLib.dll"

$gzippedtarball = [IO.File]::OpenRead("$PWD\jre-8u212-windows-x64.tar.gz")
$inStream=New-Object -TypeName ICSharpCode.SharpZipLib.GZip.GZipInputStream $gzippedtarball
$tarIn = New-Object -TypeName ICSharpCode.SharpZipLib.Tar.TarInputStream $inStream
$archive = [ICSharpCode.SharpZipLib.Tar.TarArchive]::CreateInputTarArchive($tarIn)
# Extract the JRE folder into the current directory, then release the file handle
$archive.ExtractContents("$PWD")
$archive.Close()


Why Not Just Re-Zip It Darwin?

After all that, you may wonder "Why not just untar and rezip the Java archive?" The reasons I would not do that are rooted in hard experience; they are as follows:

  • The more human procedures there are for a re-release – the more likely there will be procrastination in taking new versions – and in this case, this is Java!
  • The more human procedures there are for a re-release, the more likely that steps will be missed.
  • Whenever a file package is extracted, there is always the risk that someone decides to clean up what's included in the new package (yep, seen it too many times).
  • When dealing with installers, I always prefer to use the vendor file directly – this way I'm using a known preparation and it may also have vendor checksums that can be checked.
  • If I ensure my solution can deal with the original file, then it may also potentially download that file automatically (not always the best choice for other reasons).
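As an added example that is not part of the original post, here is a hardened variant of the extraction code above: it checks the vendor checksum mentioned in the list before touching the tarball, extracts with SharpZipLib's TarInputStream entry by entry so that any entry whose name would resolve outside the isolated folder is refused, and cleans up by deleting that one folder. The function names, the cis-cat-isolated folder name and the placeholder hash are assumptions for the example, not the author's code.

```powershell
# Added example, not from the original post: checksum-verified, isolated extraction of the
# Oracle JRE tarball with SharpZipLib, refusing tar entries that would escape the folder.
# The hash and file names below are placeholders for whatever you actually download.
$ErrorActionPreference = 'Stop'
$Root = Join-Path $PWD 'cis-cat-isolated'   # everything (JRE included) lives under here
New-Item -ItemType Directory -Path $Root -Force | Out-Null

function Get-Sha256Hex([string]$Path) {
  # .NET SHA256 works on PowerShell 2 as well; Get-FileHash only arrived in PowerShell 4
  $sha = [System.Security.Cryptography.SHA256]::Create()
  $fs  = [IO.File]::OpenRead($Path)
  try { ([BitConverter]::ToString($sha.ComputeHash($fs)) -replace '-', '').ToLower() }
  finally { $fs.Close() }
}

function Assert-Sha256([string]$Path, [string]$Expected) {
  $actual = Get-Sha256Hex $Path
  if ($actual -ne $Expected.ToLower()) { throw "Checksum mismatch for ${Path}: got $actual" }
}

function Expand-TarGzIsolated([string]$TarGz, [string]$Dest, [string]$SharpZipLibDll) {
  Add-Type -Path $SharpZipLibDll
  $destFull = [IO.Path]::GetFullPath($Dest).TrimEnd('\') + '\'
  $gz  = New-Object -TypeName ICSharpCode.SharpZipLib.GZip.GZipInputStream -ArgumentList ([IO.File]::OpenRead($TarGz))
  $tar = New-Object -TypeName ICSharpCode.SharpZipLib.Tar.TarInputStream -ArgumentList $gz
  try {
    while (($entry = $tar.GetNextEntry()) -ne $null) {
      # Resolve the entry name against $Dest; "../" or absolute names resolve outside it
      $target = [IO.Path]::GetFullPath([IO.Path]::Combine($destFull, ($entry.Name -replace '/', '\')))
      if (-not $target.StartsWith($destFull, [StringComparison]::OrdinalIgnoreCase)) {
        throw "Refusing tar entry that escapes the destination: $($entry.Name)"
      }
      if ($entry.IsDirectory) { New-Item -ItemType Directory -Path $target -Force | Out-Null; continue }
      New-Item -ItemType Directory -Path (Split-Path -Parent $target) -Force | Out-Null
      $out = [IO.File]::Create($target)
      try { $tar.CopyEntryContents($out) } finally { $out.Close() }
    }
  } finally { $tar.Close() }   # also closes the gzip and file streams beneath it
}

# Usage: values below are placeholders, substitute the vendor-published hash and real paths
$tarball = "$PWD\jre-8u212-windows-x64.tar.gz"
Assert-Sha256 $tarball '<sha256 published on the vendor download page>'
Expand-TarGzIsolated $tarball $Root "$PWD\lib\net45\ICSharpCode.SharpZipLib.dll"
$jre = Get-ChildItem $Root | Where-Object { $_.PSIsContainer } | Select-Object -First 1
$env:JAVA_HOME = $jre.FullName      # process scope only: nothing is written to the registry
# ... run CIS-CAT here using "$env:JAVA_HOME\bin\java.exe" ...
Remove-Item -Path $Root -Recurse -Force   # zero footprint: cleanup is deleting one folder
```

Because the checksum is verified before the gzip stream is even opened, a corrupted or swapped download fails fast instead of producing a half-extracted JRE.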

Summary of Infrastructure as Code Principles Followed in This Solution

  • Be minimalistic in automation dependencies.
  • Anytime you are installing something for administration or management or troubleshooting, try not to use package managers so that these items and their dependencies will not shift the mix of software used in the main software stack.
  • Use facilities outside of your chosen language in order to increase the range of "supported targets". For instance, in this solution we used "system.io.compression.filesystem" for the broadest possible universal unzip support – non-GUI Windows and PowerShell 2 through 6. Another example is favoring schtasks.exe over the PowerShell ScheduledTask cmdlets.
  • Minimize soiling of the system by using isolated, file-only (portable) installs whenever possible – this makes them easy to clean up.
  • If you need support for PowerShell versions that don't have built-in package management, download the .nupkgs and handle them manually.
  • Downloading and extracting .nupkgs prevents any scripts within them from running and soiling the configuration.

