0k
/
0k-charms
6
3
Fork 2
Code Issues 11 Pull Requests 6 Releases Wiki Activity
Browse Source

new: [host] separating host install in sub scripts.

postgres
Valentin Lab 9 years ago
parent
e5fe18ca43
commit
5a01de390d
14 changed files with 561 additions and 440 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 440
      precise/host/hooks/install
  2. 9
      precise/host/hooks/install.d/00-base.sh
  3. 7
      precise/host/hooks/install.d/05-shyaml.sh
  4. 51
      precise/host/hooks/install.d/10-gitconfig.sh
  5. 17
      precise/host/hooks/install.d/15-etckeeper.sh
  6. 23
      precise/host/hooks/install.d/20-kal-scripts.sh
  7. 52
      precise/host/hooks/install.d/30-customize.sh
  8. 28
      precise/host/hooks/install.d/35-git-access.sh
  9. 20
      precise/host/hooks/install.d/36-gitsub.sh
  10. 93
      precise/host/hooks/install.d/40-btrfs.sh
  11. 8
      precise/host/hooks/install.d/50-lxc.sh
  12. 69
      precise/host/hooks/install.d/70-0k.sh
  13. 111
      precise/host/hooks/install.d/80-dns-waterfall.sh
  14. 73
      precise/host/hooks/install.d/90-shorewall.sh

440
precise/host/hooks/install
View File

@ -1,440 +0,0 @@
#!/bin/bash
set -eux # -x for verbose logging to juju debug-log
apt-get update
apt-get -y install bash-completion wget bzip2 git-core less language-pack-en python-software-properties tmux mosh sudo git
## 0k git remote path
GIT_0K_BASE=${GIT_0K_BASE:-"git.0k.io:/var/git"}
## 0k git remote options
GIT_0K_CLONE_OPTIONS=${GIT_0K_CLONE_OPTIONS:-""}
#BTRFS_DEVICE=
BTRFS_MOUNT_ROOT=${BTRFS_MOUNT_ROOT:-"/mnt/btrfs-root"}
if [ -z "$BTRFS_DEVICE" ]; then
echo "You must set a BTRFS_DEVICE environement variable prior to executing this hook."
exit 1
fi
MAIL_NAME=${MAIL_NAME:-localhost}
MAIL_DOMAINNAME=${MAIL_DOMAINNAME:-"localdomain"}
MAIL_SATTELITE_RELAYHOST=${MAIL_SATTELITE_RELAYHOST:-}
##
## etckeeper
##
apt-get install etckeeper
sed -i 's/#VCS="git"/VCS="git"/g' /etc/etckeeper/etckeeper.conf
sed -i 's/VCS="bzr"/#VCS="bzr"/g' /etc/etckeeper/etckeeper.conf
etckeeper init
##
## Git utilities
##
echo "[alias]
co = checkout
com = commit
st = status
ci = commit
[color]
branch = auto
diff = auto
interactive = auto
status = auto
" >> /etc/gitconfig
##
## kal-scripts
##
cat <<EOF >> /etc/apt/sources.list
## vlab's shell libraries
deb http://deb.kalysto.org no-dist kal-alpha kal-beta kal-main
EOF
apt-get update
apt-get install -y --force-yes kal-scripts python-pip &&
pip install shyaml
##
## More shell configurations (prompt, functions)
##
mkdir -p /etc/prompt
cat <<EOF > /etc/prompt/prompt.1.rc
PROMPT_COMMAND=""
parse_git_branch() {
ref=\$(git symbolic-ref HEAD 2> /dev/null) || return
echo -en ' (\033[0;32m'\${ref#refs/heads/}'\033[0m)'
}
export PS1="\[\033[0;37m\][\[\033[1;30m\]\u\[\033[0;37m\]@\[\033[1;30m\]\h\[\033[0;37m\]]-[\[\033[1;34m\]\w\[\033[0;37m\]]\\\$(parse_git_branch)\n\[\033[1;37m\]\\$ \[\033[0;37m\]"
EOF
cat <<EOF >> /root/.bashrc
## History management
export HISTCONTROL=ignoredups
export HISTSIZE=50000
shopt -s histappend
PROMPT_COMMAND='history -a'
## Prompt easy management
prompt() {
prompt_name="prompt.\$1.rc"
for i in /etc/prompt ~/.prompt; do
[ -f "\$i/\$prompt_name" ] &&
. "\$i/\$prompt_name"
done
}
## Git log command
function glog() {
git log --graph --pretty=tformat:%C\(yellow\ normal\)%h%Creset\ %C\(blue\ normal\)%an%Creset\ %s\ %Cgreen%d%Creset -n 20 "\$@"
}
prompt 1
EOF
##
## btrfs install
##
apt-get install -y btrfs-tools
echo "the following is dangerous code. Please execute yourself for now."
exit 1
## Format the device and add entry in fstab
mkfs.btrfs "$BTRFS_DEVICE"
UUID="$(blkid -s UUID $BTRFS_DEVICE -o value)"
echo "UUID=$UUID $BTRFS_MOUNT_ROOT btrfs defaults,relatime,compress=lzo,auto 0 0" >> /etc/fstab
## Mount point and mount device
mkdir "$BTRFS_MOUNT_ROOT" -p
mount "$BTRFS_MOUNT_ROOT"
## Build subvolume structure
btrfs subvolume create $BTRFS_MOUNT_ROOT/var
mkdir $BTRFS_MOUNT_ROOT/var/{lib,cache,backups} -p
for d in $BTRFS_MOUNT_ROOT/var/{lib,cache,backups}; do
btrfs subvolume create $d/lxc
done
for d in $BTRFS_MOUNT_ROOT/srv/{,lxc-datastore{,/config,/data}}; do
btrfs subvolume create $d
done
## Add binds to /etc/fstab
cat <<EOF >> /etc/fstab
## binds
/mnt/btrfs-root/var/lib/lxc /var/lib/lxc none bind,defaults,auto 0 0
/mnt/btrfs-root/var/cache/lxc /var/cache/lxc none bind,defaults,auto 0 0
/mnt/btrfs-root/var/backups/lxc /var/backups/lxc none bind,defaults,auto 0 0
/mnt/btrfs-root/srv/lxc-datastore /srv/lxc-datastore none bind,defaults,auto 0 0
EOF
mkdir -p /var/backups/lxc /srv/lxc-datastore
##
## lxc tools
##
apt-get install lxc
mount -a
mkdir -p /opt/apps
##
## ssh config
##
cp src/etc/ssh/lxc_git_access_id_rsa /etc/ssh/lxc_git_access_id_rsa
chmod 0600 /etc/ssh/lxc_git_access_id_rsa
cat <<EOF >> ~/.ssh/config
Host git.0k.io
User lxc-user
IdentityFile /etc/ssh/lxc_git_access_id_rsa
UserKnownHostsFile /dev/null
StrictHostKeyChecking no
Port 10022
EOF
##
## Install 0k-manage
##
(
if ! [ -d "/opt/apps/0k-manage" ]; then
cd /opt/apps &&
git clone $GIT_0K_CLONE_OPTIONS "$GIT_0K_BASE/0k/0k-manage.git" &&
cd /opt/apps/0k-manage &&
git checkout 0k/prod/master
fi
)
##
## Install 0k-charms
##
(
if ! [ -d "/opt/apps/0k-charms" ]; then
cd /opt/apps &&
git clone $GIT_0K_CLONE_OPTIONS "$GIT_0K_BASE/0k/0k-charms.git" &&
cd /opt/apps/0k-charms &&
git checkout master
fi
if ! [ -d "/srv/charm-store" ]; then
mkdir -p /srv &&
ln -sf /opt/apps/0k-charms/precise /srv/charm-store
fi
)
##
## Install lxc-scripts
##
(
if ! [ -d "/opt/apps/lxc-scripts" ]; then
cd /opt/apps &&
git clone $GIT_0K_CLONE_OPTIONS "$GIT_0K_BASE/0k/lxc-scripts.git" &&
cd /opt/apps/0k-manage &&
git checkout master &&
ln -sf /opt/apps/lxc-scripts/bin/lxc-* /usr/local/sbin/ &&
ln -sf /opt/apps/lxc-scripts/usr/lib/lxc/templates/lxc-0k-ubuntu-cloud /usr/lib/lxc/templates/
fi
)
##
## Patch some files
##
stop lxc-net
(
cp src/etc/default/lxc /etc/default/lxc &&
cp src/etc/init/lxc{,-net}.conf /etc/init
)
start lxc-net
##
## Install dns waterfall
##
apt-get install -y bind9 dnsmasq
echo "Change /etc/default/lxc accordingly (use 172.48.#NB) as prefix"
echo "and add HOST_EXTERNAL_DEVICE="
exit 1
# edit /etc/dnsmaq.conf
echo "
server=$(. /etc/default/lxc && echo "$LXC_ADDR")
interface=lo
no-negcache
log-queries
log-facility=/var/log/dnsmasq.log
" >> /etc/dnsmasq.conf
(
cp "src/etc/bind/named.conf.options" "/etc/bind/named.conf.options" &&
sed -ri "s/%%EXTERNAL_IP%%/$(. /etc/default/lxc && ifip "$HOST_EXTERNAL_DEVICE")/g" "/etc/bind/named.conf.options"
)
## XXXvlab: Maybe we could change this in the service start/stop of the named daemon
mkdir /var/log/named -p &&
chown bind:bind /var/log/named
/etc/init.d/bind9 restart
/etc/init.d/dnsmasq restart
##
## Logrotate for dnsmasq and named
##
cat <<EOF > /etc/logrotate.d/dnsmasq
/var/log/dnsmasq.log {
missingok
copytruncate
notifempty
compress
postrotate
kill -s SIGUSR2 "\$(cat /var/run/dnsmasq/dnsmasq.pid)"
endscript
}
EOF
cat <<EOF > /etc/logrotate.d/lxc-dnsmasq
/var/log/lxc-dnsmasq.log {
missingok
copytruncate
notifempty
compress
postrotate
kill -s SIGUSR2 "\$(cat /var/run/lxc/dnsmasq.pid)"
endscript
}
EOF
cat <<EOF > /etc/logrotate.d/named
/var/log/named/*.log {
missingok
copytruncate
notifempty
compress
}
EOF
##
## shorewall
##
apt-get install -y shorewall
cat <<EOF > /etc/shorewall/zones
fw firewall
net ipv4
lan ipv4
EOF
cat <<EOF > /etc/shorewall/interfaces
#ZONE INTERFACE BROADCAST OPTIONS
net eth0
## Uncomment to enable vpn setup
#vpn tun0 detect
lan lxcbr0 - routeback
EOF
cat <<EOF > /etc/shorewall/policy
#SOURCE DEST RULE LOG
fw all ACCEPT
lan all ACCEPT
net all DROP info
all all DROP info
EOF
cat <<EOF > /etc/shorewall/rules
SSH/ACCEPT net fw
Ping/ACCEPT net fw
BEGIN SHELL
host_ip="\$(/sbin/ifconfig eth0 2> /dev/null | sed "s/^.*inet ad\+r://g" | grep ^[0-9] | sed "s/ .*$//g")"
for name in \$(lxc-ls-running); do
ip=\$(dig +short A "\$name")
[ -e "/var/lib/lxc/\$name/shorewall" ] &&
cat /var/lib/lxc/\$name/shorewall | sed -r "s/%%HOST_INTERNET_IP%%/\$host_ip/g" \
| sed -r "s/%%IP%%/\$ip/g"
done
true
END SHELL
EOF
cat <<EOF > /etc/shorewall/masq
eth0 lxcbr0
EOF
##
## Mail facilities
##
(
debconf-set-selections <<< "postfix postfix/mailname string ${MAIL_NAME}.${MAIL_DOMAINNAME}" &&
debconf-set-selections <<< "postfix postfix/main_mailer_type select 'Local only'" &&
apt-get install -y postfix mailutils &&
postconf inet_interfaces=loopback-only &&
[ -z "$MAIL_SATTELITE_RELAYHOST" ] && postconf relayhost="$MAIL_SATTELITE_RELAYHOST"
postfix reload
)
##
## Warnings
##
ln -sf /opt/apps/0k-manage/src/etc/cron.hourly/* /etc/cron.hourly/
ln -sf /opt/apps/lxc-scripts/etc/cron.hourly/* /etc/cron.hourly/
##
## Backup lxc
##
(
if ! [ -d "/opt/apps/0k-manage" ]; then
cd /opt/apps &&
git clone $GIT_0K_CLONE_OPTIONS "$GIT_0K_BASE/0k/0k-manage.git" &&
cd /opt/apps/0k-manage &&
git checkout 0k/prod/master
fi
## these are required by /etc/cron.hourly/lxc-backup
pip install sact.epoch &&
(cd /usr/local/lib/python2.7/dist-packages/;
mv zope zope-bad) &&
pip install zope.interface --upgrade &&
pip install zope.component --upgrade &&
ln -sf /opt/apps/0k-manage/src/bin/* /usr/local/bin/
)

9
precise/host/hooks/install.d/00-base.sh
View File

@ -0,0 +1,9 @@
#!/bin/bash
set +eux
apt-get update
apt-get -y --force-yes install bash-completion wget bzip2 git-core \
less language-pack-en python-software-properties tmux mosh \
sudo git </dev/null

7
precise/host/hooks/install.d/05-shyaml.sh
View File

@ -0,0 +1,7 @@
#!/bin/bash
## For shyaml
apt-get install -y --force-yes python-pip libyaml-dev python-dev </dev/null
pip install shyaml

51
precise/host/hooks/install.d/10-gitconfig.sh
View File

@ -0,0 +1,51 @@
#!/bin/bash
##
## Git utilities
##
cat <<EOF > /etc/gitconfig
[alias]
co = checkout
com = commit
st = status
ci = commit
[color]
branch = auto
diff = auto
interactive = auto
status = auto
[core]
whitespace = fix
excludesfile = /etc/gitignore
EOF
cat <<EOF > /etc/gitignore
docs/build/*
develop-eggs/*
*.pyc
*.o
.installed.cfg
eggs/*
*.egg-info/*
*.orig
dist/*
build/*
buildout.dev.cfg
*~
*#
.#*
*.swp
*_flymake.*
.svn
EOF
git config --global user.email "default@$(hostname)"
git config --global user.name "default"

17
precise/host/hooks/install.d/15-etckeeper.sh
View File

@ -0,0 +1,17 @@
#!/bin/bash
set +eux
[ "$DOCKER" ] && exit 0
##
## etckeeper
##
apt-get install -y etckeeper </dev/null
sed -i 's/#VCS="git"/VCS="git"/g;s/VCS="bzr"/#VCS="bzr"/g' \
/etc/etckeeper/etckeeper.conf
etckeeper init

23
precise/host/hooks/install.d/20-kal-scripts.sh
View File

@ -0,0 +1,23 @@
#!/bin/bash
set -eux
##
## kal-scripts
##
if ! [ -e /etc/apt/sources.list.d/kalysto.org.list ]; then
cat <<EOF > /etc/apt/sources.list.d/kalysto.org.list
## vlab's shell libraries
deb http://deb.kalysto.org no-dist kal-alpha kal-beta kal-main
EOF
## Update only this repo:
apt-get update -o Dir::Etc::sourcelist="sources.list.d/kalysto.org.list" \
-o Dir::Etc::sourceparts="-" -o APT::Get::List-Cleanup="0"
fi
apt-get install -y --force-yes kal-scripts

52
precise/host/hooks/install.d/30-customize.sh
View File

@ -0,0 +1,52 @@
#!/bin/bash
## Requires kal-script
##
## More shell configurations (prompt, functions)
##
mkdir -p /etc/prompt
cat <<EOF > /etc/prompt/prompt.1.rc
PROMPT_COMMAND=""
parse_git_branch() {
ref=\$(git symbolic-ref HEAD 2> /dev/null) || return
echo -en ' (\033[0;32m'\${ref#refs/heads/}'\033[0m)'
}
export PS1="\[\033[0;37m\][\[\033[1;30m\]\u\[\033[0;37m\]@\[\033[1;30m\]\H\[\033[0;37m\]]-[\[\033[1;34m\]\w\[\033[0;37m\]]\\\$(parse_git_branch)\n\[\033[1;37m\]\\$ \[\033[0;37m\]"
EOF
cat <<EOF >> /root/.bashrc
## History management
export HISTCONTROL=ignoredups
export HISTSIZE=50000
shopt -s histappend
PROMPT_COMMAND='history -a'
## Prompt easy management
prompt() {
prompt_name="prompt.\$1.rc"
for i in /etc/prompt ~/.prompt; do
[ -f "\$i/\$prompt_name" ] &&
. "\$i/\$prompt_name"
done
}
## Git log command
function glog() {
git log --graph --pretty=tformat:%C\(yellow\ normal\)%h%Creset\ %C\(blue\ normal\)%an%Creset\ %s\ %Cgreen%d%Creset -n 20 "\$@"
}
prompt 1
EOF

28
precise/host/hooks/install.d/35-git-access.sh
View File

@ -0,0 +1,28 @@
#!/bin/bash
##
## ssh config
##
cp src/etc/ssh/lxc_git_access_id_rsa /etc/ssh/lxc_git_access_id_rsa
chmod 0600 /etc/ssh/lxc_git_access_id_rsa
SSH_CONFIG_DIR=~/.ssh
mkdir -p "$SSH_CONFIG_DIR"
if ! grep '^Host 0k-ro' "$SSH_CONFIG_DIR"/config >/dev/null 2>&1; then
cat <<EOF >> "$SSH_CONFIG_DIR"/config
Host 0k-ro
Hostname git.0k.io
Port 10022
User lxc-user
IdentityFile /etc/ssh/lxc_git_access_id_rsa
UserKnownHostsFile /dev/null
StrictHostKeyChecking no
EOF
fi

20
precise/host/hooks/install.d/36-gitsub.sh
View File

@ -0,0 +1,20 @@
#!/bin/bash
set -eux # -x for verbose logging to juju debug-log
## 0k git remote path
GIT_0K_BASE=${GIT_0K_BASE:-"0k-ro:/var/git"}
## 0k git remote options
GIT_0K_CLONE_OPTIONS=${GIT_0K_CLONE_OPTIONS:-""}
##
## install git sub
##
mkdir -p /opt/apps &&
cd /opt/apps &&
git clone $GIT_0K_CLONE_OPTIONS "$GIT_0K_BASE"/0k/git-sub &&
ln -sf /opt/apps/git-sub/bin/git-sub /usr/lib/git-core/

93
precise/host/hooks/install.d/40-btrfs.sh
View File

@ -0,0 +1,93 @@
#!/bin/bash
##
## btrfs install
##
#BTRFS_DEVICE=
BTRFS_MOUNT_ROOT=${BTRFS_MOUNT_ROOT:-"/mnt/btrfs-root"}
if [ -z "$BTRFS_DEVICE" ]; then
echo "You must set a BTRFS_DEVICE environment variable prior to executing this hook."
exit 1
fi
apt-get install -y btrfs-tools
if [ "$FORCE" != "yes" ]; then
echo "the following is dangerous code. Please execute with FORCE=yes."
echo "it DELETES directory /var/lib/docker if you have one."
exit 1
fi
## "$BTRFS_DEVICE" device should not be mounted
if mount | egrep ^"$BTRFS_DEVICE\s+" >/dev/null 2>&1; then
umount "$BTRFS_DEVICE" || {
echo "Can't umount $BTRFS_DEVICE. Aborting script."
exit 1
}
echo "Unmounted $BTRFS_DEVICE."
fi
if egrep ^"$BTRFS_DEVICE\s+" /etc/fstab >/dev/null 2>&1; then
sed -r -i "\%^$BTRFS_DEVICE\s+%d" /etc/fstab || {
echo "Couldn't remove device $BTRFS_DEVICE from fstab."
exit 1
}
echo "Removed device $BTRFS_DEVICE from fstab."
fi
## Format the device and add entry in fstab
mkfs.btrfs -f "$BTRFS_DEVICE"
## No need of UID it seems:
# UUID="$(blkid -s UUID $BTRFS_DEVICE -o value)"
# echo "UUID=$UUID $BTRFS_MOUNT_ROOT btrfs defaults,relatime,compress=lzo,space_cache,auto 0 0" >> /etc/fstab
echo "$BTRFS_DEVICE $BTRFS_MOUNT_ROOT btrfs defaults,relatime,compress=lzo,space_cache,auto 0 0" >> /etc/fstab
## Mount point and mount device
mkdir "$BTRFS_MOUNT_ROOT" -p
mount "$BTRFS_MOUNT_ROOT"
if [ -d /var/lib/docker ] ; then
RESTART_DOCKER=yes
service docker stop
## XXXvlab: moving doesn't work and is not desirable, as we want docker
## to setup and detect new underlying btrfs system.
# mv "/var/lib/docker/"* "$BTRFS_MOUNT_ROOT/var/lib/docker"
rm -rf /var/lib/docker/*
fi
## Build subvolume structure
for d in /home /var{/{lib,cache,backups}/lxc,/lib/docker} \
/var/backups/snapshot \
/srv/{lxc,docker}-datastore{,/config,/data}; do
mkdir -p "$(dirname "$BTRFS_MOUNT_ROOT$d")" ## creates parent directory of subvolume
btrfs subvolume create "$BTRFS_MOUNT_ROOT$d"
mkdir -p "$d"
binds=$(cat /etc/fstab | egrep '\s+none\s+' | grep bind | grep -v '^\s+#' | sed -r 's/^\s*([^ ]+).*$/\1/g')
for b in $binds; do
if [[ "$BTRFS_MOUNT_ROOT$d/" == "$b/"* ]]; then
echo "Directory '$d' is already available via bind '$b'."
continue 2
fi
done
## Add bind to /etc/fstab
echo "$BTRFS_MOUNT_ROOT$d $d none bind,defaults,auto 0 0" >> /etc/fstab
done
## Mount all binds
mount -a
[ -z "$RESTART_DOCKER" ] || service docker start

8
precise/host/hooks/install.d/50-lxc.sh
View File

@ -0,0 +1,8 @@
#!/bin/bash
apt-get install lxc -y --force-yes </dev/null
## required to access the created lxc !
if ! [ -e ~/.ssh/id_rsa ]; then
ssh-keygen -t rsa -N "" -f ~/.ssh/id_rsa -q
fi

69
precise/host/hooks/install.d/70-0k.sh
View File

@ -0,0 +1,69 @@
#!/bin/bash
## 0k git remote path
GIT_0K_BASE=${GIT_0K_BASE:-"0k-ro:/var/git"}
## 0k git remote options
GIT_0K_CLONE_OPTIONS=${GIT_0K_CLONE_OPTIONS:-""}
##
## Install 0k-manage
##
mkdir -p /opt/apps
(
if ! [ -d "/opt/apps/0k-manage" ]; then
cd /opt/apps &&
git clone $GIT_0K_CLONE_OPTIONS "$GIT_0K_BASE/0k/0k-manage.git" &&
cd /opt/apps/0k-manage &&
git checkout 0k/prod/master
fi
)
##
## Install 0k-charms
##
(
if ! [ -d "/opt/apps/0k-charms" ]; then
cd /opt/apps &&
git clone $GIT_0K_CLONE_OPTIONS "$GIT_0K_BASE/0k/0k-charms.git" &&
cd /opt/apps/0k-charms &&
git checkout master
fi
if ! [ -d "/srv/charm-store" ]; then
mkdir -p /srv/charm-store &&
find /opt/apps/0k-charms -type d -exec /usr/bin/test -e {}/metadata.yml \
-o -e {}/metadata.yaml \; -print | while read f; do
ln -sf "$f" /srv/charm-store/
done
fi
)
##
## Install lxc-scripts
##
(
if ! [ -d "/opt/apps/lxc-scripts" ]; then
cd /opt/apps &&
git clone $GIT_0K_CLONE_OPTIONS "$GIT_0K_BASE/0k/lxc-scripts.git" &&
cd /opt/apps/0k-manage &&
git checkout master &&
ln -sf /opt/apps/lxc-scripts/bin/lxc-* /usr/local/sbin/ &&
[ -d /usr/lib/lxc/templates ] && {
ln -sf /opt/apps/lxc-scripts/usr/lib/lxc/templates/lxc-0k-ubuntu-cloud /usr/lib/lxc/templates/
echo TEMPLATE_PATH=/usr/lib/lxc/templates >> /etc/default/lxc
}
[ -d /usr/share/lxc/templates ] && {
ln -sf /opt/apps/lxc-scripts/usr/lib/lxc/templates/lxc-0k-ubuntu-cloud /usr/share/lxc/templates
echo TEMPLATE_PATH=/usr/share/lxc/templates >> /etc/default/lxc
}
fi
)

111
precise/host/hooks/install.d/80-dns-waterfall.sh
View File

@ -0,0 +1,111 @@
#!/bin/bash
[ "$LXC_NETWORK" ] || {
echo "You must set \$LXC_NETWORK (to something like 172.160.0 ) before using this script."
exit 1
}
HOST_EXTERNAL_DEVICE=${HOST_EXTERNAL_DEVICE:-eth0}
apt-get install -y bind9 dnsmasq
echo HOST_EXTERNAL_DEVICE="$HOST_EXTERNAL_DEVICE" >> /etc/default/lxc
sed -ri "s%10\.0\.3\.%$LXC_NETWORK.%g;s%^#LXC_DHCP_CONFILE=%LXC_DHCP_CONFILE=%g" /etc/default/lxc-net
LXC_ADDR=$(. /etc/default/lxc && echo "$LXC_ADDR")
if [ -z "$LXC_ADDR" ]; then
LXC_ADDR=$(. <(cat /usr/lib/x86_64-linux-gnu/lxc/lxc-net | grep ^LXC_ADDR | head -n 1) && echo "$LXC_ADDR")
fi
HOST_IP=$(. /etc/default/lxc && ifip "$HOST_EXTERNAL_DEVICE")
echo "
server=$LXC_ADDR
interface=lo
no-negcache
log-queries
log-facility=/var/log/dnsmasq.log
" >> /etc/dnsmasq.conf
echo "
server=${HOST_IP}
log-queries
no-negcache
log-facility=/var/log/lxc-dnsmasq.log
" >> /etc/lxc/dnsmasq.conf
(
cp "src/etc/bind/named.conf.options" "/etc/bind/named.conf.options" &&
sed -ri "s/%%EXTERNAL_IP%%/$HOST_IP/g" "/etc/bind/named.conf.options"
)
## XXXvlab: Maybe we could change this in the service start/stop of the named daemon
mkdir /var/log/named -p &&
chown bind:bind /var/log/named
/etc/init.d/bind9 restart
/etc/init.d/dnsmasq restart
service lxc restart
service lxc-net restart ## had to 'brctl delbr lxcbr0' myself
cp /etc/resolv.conf{,.orig}
cat <<EOF > /etc/resolv.conf
nameserver 127.0.0.1
#domain . ## didn't work on 12.04
search localdomain ## imperfect, we don't want to search www.localdomain
EOF
##
## Logrotate for dnsmasq and named
##
cat <<EOF > /etc/logrotate.d/dnsmasq
/var/log/dnsmasq.log {
missingok
copytruncate
notifempty
compress
postrotate
kill -s SIGUSR2 "\$(cat /var/run/dnsmasq/dnsmasq.pid)"
endscript
}
EOF
cat <<EOF > /etc/logrotate.d/lxc-dnsmasq
/var/log/lxc-dnsmasq.log {
missingok
copytruncate
notifempty
compress
postrotate
kill -s SIGUSR2 "\$(cat /var/run/lxc/dnsmasq.pid)"
endscript
}
EOF
cat <<EOF > /etc/logrotate.d/named
/var/log/named/*.log {
missingok
copytruncate
notifempty
compress
}
EOF
##
## Testing
##
# lsof -i4tcp:53 -n
# netstat -ltnp | grep :53
# ping HOST
# host HOST
# tcpdump

73
precise/host/hooks/install.d/90-shorewall.sh
View File

@ -0,0 +1,73 @@
#!/bin/bash
##
## shorewall
##
apt-get install -y shorewall
cat <<EOF > /etc/shorewall/zones
fw firewall
net ipv4
lan ipv4
EOF
cat <<EOF > /etc/shorewall/interfaces
#ZONE INTERFACE BROADCAST OPTIONS
net eth0
## Uncomment to enable vpn setup
#vpn tun0 detect
lan lxcbr0 - routeback
EOF
cat <<EOF > /etc/shorewall/policy
#SOURCE DEST RULE LOG
fw all ACCEPT
lan all ACCEPT
net all DROP info
all all DROP info
EOF
cat <<EOF > /etc/shorewall/rules
SSH/ACCEPT net fw
Ping/ACCEPT net fw
BEGIN SHELL
host_ip="\$(/sbin/ifconfig eth0 2> /dev/null | sed "s/^.*inet ad\+r://g" | grep ^[0-9] | sed "s/ .*$//g")"
for name in \$(lxc-ls-running); do
ip=\$(dig +short A "\$name")
[ -e "/var/lib/lxc/\$name/shorewall" ] &&
cat /var/lib/lxc/\$name/shorewall | sed -r "s/%%HOST_INTERNET_IP%%/\$host_ip/g" \
| sed -r "s/%%IP%%/\$ip/g"
done
true
END SHELL
EOF
cat <<EOF > /etc/shorewall/masq
eth0 lxcbr0
EOF
cat <<EOF > /etc/shorewall/start
## correct a bug that prevent DHCP packet to be correctly sent between
## LXC, preventing them to receive an IP.
. /etc/default/lxc
if [ -d "/sys/class/net/\$LXC_BRIDGE" -a "\$(cat /sys/class/net/\$LXC_BRIDGE/operstate)" == "up" ]; then
source_file=/etc/init/lxc-net.conf
code=\$(egrep '^\s+iptables.*\s+-j\s+' /etc/init/lxc-net.conf | grep -v '\-D' | sed -r 's/^\s+[^-]+/run_iptables /g')
echo "Adding LXC rules:"
echo "\$code"
eval "\$code"
fi
EOF
Write Preview
Loading…
Cancel
Save