From 5a01de390dbc065999d77b5be9e1659d70870776 Mon Sep 17 00:00:00 2001
From: Valentin Lab
Date: Mon, 21 Mar 2016 15:41:34 +0800
Subject: [PATCH] new: [host] separating host install in sub scripts.

---
 precise/host/hooks/install | 440 ------------------
 precise/host/hooks/install.d/00-base.sh | 9 +
 precise/host/hooks/install.d/05-shyaml.sh | 7 +
 precise/host/hooks/install.d/10-gitconfig.sh | 51 ++
 precise/host/hooks/install.d/15-etckeeper.sh | 17 +
 .../host/hooks/install.d/20-kal-scripts.sh | 23 +
 precise/host/hooks/install.d/30-customize.sh | 52 +++
 precise/host/hooks/install.d/35-git-access.sh | 28 ++
 precise/host/hooks/install.d/36-gitsub.sh | 20 +
 precise/host/hooks/install.d/40-btrfs.sh | 93 ++++
 precise/host/hooks/install.d/50-lxc.sh | 8 +
 precise/host/hooks/install.d/70-0k.sh | 69 +++
 .../host/hooks/install.d/80-dns-waterfall.sh | 111 +++++
 precise/host/hooks/install.d/90-shorewall.sh | 73 +++
 14 files changed, 561 insertions(+), 440 deletions(-)
 delete mode 100755 precise/host/hooks/install
 create mode 100755 precise/host/hooks/install.d/00-base.sh
 create mode 100755 precise/host/hooks/install.d/05-shyaml.sh
 create mode 100755 precise/host/hooks/install.d/10-gitconfig.sh
 create mode 100755 precise/host/hooks/install.d/15-etckeeper.sh
 create mode 100755 precise/host/hooks/install.d/20-kal-scripts.sh
 create mode 100755 precise/host/hooks/install.d/30-customize.sh
 create mode 100755 precise/host/hooks/install.d/35-git-access.sh
 create mode 100755 precise/host/hooks/install.d/36-gitsub.sh
 create mode 100755 precise/host/hooks/install.d/40-btrfs.sh
 create mode 100755 precise/host/hooks/install.d/50-lxc.sh
 create mode 100755 precise/host/hooks/install.d/70-0k.sh
 create mode 100755 precise/host/hooks/install.d/80-dns-waterfall.sh
 create mode 100755 precise/host/hooks/install.d/90-shorewall.sh

diff --git a/precise/host/hooks/install b/precise/host/hooks/install
deleted file mode 100755
index 511fadc..0000000
--- a/precise/host/hooks/install
+++ /dev/null
@@ -1,440 +0,0 @@ -#!/bin/bash - -set -eux # -x for verbose logging to juju debug-log - -apt-get update -apt-get -y install bash-completion wget bzip2 git-core less language-pack-en python-software-properties tmux mosh sudo git - -## 0k git remote path -GIT_0K_BASE=${GIT_0K_BASE:-"git.0k.io:/var/git"} - -## 0k git remote options -GIT_0K_CLONE_OPTIONS=${GIT_0K_CLONE_OPTIONS:-""} - - -#BTRFS_DEVICE= -BTRFS_MOUNT_ROOT=${BTRFS_MOUNT_ROOT:-"/mnt/btrfs-root"} -if [ -z "$BTRFS_DEVICE" ]; then - echo "You must set a BTRFS_DEVICE environement variable prior to executing this hook." - exit 1 -fi - -MAIL_NAME=${MAIL_NAME:-localhost} -MAIL_DOMAINNAME=${MAIL_DOMAINNAME:-"localdomain"} -MAIL_SATTELITE_RELAYHOST=${MAIL_SATTELITE_RELAYHOST:-} - - -## -## etckeeper -## - -apt-get install etckeeper - -sed -i 's/#VCS="git"/VCS="git"/g' /etc/etckeeper/etckeeper.conf -sed -i 's/VCS="bzr"/#VCS="bzr"/g' /etc/etckeeper/etckeeper.conf - -etckeeper init - - -## -## Git utilities -## - -echo "[alias] - co = checkout - com = commit - st = status - ci = commit - -[color] - branch = auto - diff = auto - interactive = auto - status = auto - -" >> /etc/gitconfig - - - -## -## kal-scripts -## - -cat <> /etc/apt/sources.list - -## vlab's shell libraries -deb http://deb.kalysto.org no-dist kal-alpha kal-beta kal-main - -EOF -apt-get update - -apt-get install -y --force-yes kal-scripts python-pip && -pip install shyaml - -## -## More shell configurations (prompt, functions) -## - -mkdir -p /etc/prompt - -cat < /etc/prompt/prompt.1.rc -PROMPT_COMMAND="" -parse_git_branch() { - ref=\$(git symbolic-ref HEAD 2> /dev/null) || return - echo -en ' (\033[0;32m'\${ref#refs/heads/}'\033[0m)' -} -export PS1="\[\033[0;37m\][\[\033[1;30m\]\u\[\033[0;37m\]@\[\033[1;30m\]\h\[\033[0;37m\]]-[\[\033[1;34m\]\w\[\033[0;37m\]]\\\$(parse_git_branch)\n\[\033[1;37m\]\\$ \[\033[0;37m\]" -EOF - -cat <> /root/.bashrc - -## History management - -export HISTCONTROL=ignoredups -export HISTSIZE=50000 -shopt -s histappend 
-PROMPT_COMMAND='history -a' - - -## Prompt easy management - -prompt() { - prompt_name="prompt.\$1.rc" - - for i in /etc/prompt ~/.prompt; do - [ -f "\$i/\$prompt_name" ] && - . "\$i/\$prompt_name" - done -} - - -## Git log command - -function glog() { - git log --graph --pretty=tformat:%C\(yellow\ normal\)%h%Creset\ %C\(blue\ normal\)%an%Creset\ %s\ %Cgreen%d%Creset -n 20 "\$@" -} - - -prompt 1 - -EOF - -## -## btrfs install -## - -apt-get install -y btrfs-tools - -echo "the following is dangerous code. Please execute yourself for now." -exit 1 -## Format the device and add entry in fstab - -mkfs.btrfs "$BTRFS_DEVICE" - -UUID="$(blkid -s UUID $BTRFS_DEVICE -o value)" -echo "UUID=$UUID $BTRFS_MOUNT_ROOT btrfs defaults,relatime,compress=lzo,auto 0 0" >> /etc/fstab - -## Mount point and mount device - -mkdir "$BTRFS_MOUNT_ROOT" -p -mount "$BTRFS_MOUNT_ROOT" - -## Build subvolume structure - -btrfs subvolume create $BTRFS_MOUNT_ROOT/var -mkdir $BTRFS_MOUNT_ROOT/var/{lib,cache,backups} -p -for d in $BTRFS_MOUNT_ROOT/var/{lib,cache,backups}; do - btrfs subvolume create $d/lxc -done - -for d in $BTRFS_MOUNT_ROOT/srv/{,lxc-datastore{,/config,/data}}; do - btrfs subvolume create $d -done - -## Add binds to /etc/fstab - -cat <> /etc/fstab - -## binds - -/mnt/btrfs-root/var/lib/lxc /var/lib/lxc none bind,defaults,auto 0 0 -/mnt/btrfs-root/var/cache/lxc /var/cache/lxc none bind,defaults,auto 0 0 -/mnt/btrfs-root/var/backups/lxc /var/backups/lxc none bind,defaults,auto 0 0 -/mnt/btrfs-root/srv/lxc-datastore /srv/lxc-datastore none bind,defaults,auto 0 0 - - -EOF - -mkdir -p /var/backups/lxc /srv/lxc-datastore - -## -## lxc tools -## - -apt-get install lxc - -mount -a - - -mkdir -p /opt/apps - -## -## ssh config -## - - -cp src/etc/ssh/lxc_git_access_id_rsa /etc/ssh/lxc_git_access_id_rsa -chmod 0600 /etc/ssh/lxc_git_access_id_rsa - -cat <> ~/.ssh/config - -Host git.0k.io - User lxc-user - IdentityFile /etc/ssh/lxc_git_access_id_rsa - UserKnownHostsFile /dev/null - 
StrictHostKeyChecking no - Port 10022 - -EOF - - -## -## Install 0k-manage -## - -( - if ! [ -d "/opt/apps/0k-manage" ]; then - cd /opt/apps && - git clone $GIT_0K_CLONE_OPTIONS "$GIT_0K_BASE/0k/0k-manage.git" && - cd /opt/apps/0k-manage && - git checkout 0k/prod/master - fi -) - -## -## Install 0k-charms -## - -( - if ! [ -d "/opt/apps/0k-charms" ]; then - cd /opt/apps && - git clone $GIT_0K_CLONE_OPTIONS "$GIT_0K_BASE/0k/0k-charms.git" && - cd /opt/apps/0k-charms && - git checkout master - fi - - if ! [ -d "/srv/charm-store" ]; then - mkdir -p /srv && - ln -sf /opt/apps/0k-charms/precise /srv/charm-store - fi - - -) - - -## -## Install lxc-scripts -## - -( - if ! [ -d "/opt/apps/lxc-scripts" ]; then - cd /opt/apps && - git clone $GIT_0K_CLONE_OPTIONS "$GIT_0K_BASE/0k/lxc-scripts.git" && - cd /opt/apps/0k-manage && - git checkout master && - ln -sf /opt/apps/lxc-scripts/bin/lxc-* /usr/local/sbin/ && - ln -sf /opt/apps/lxc-scripts/usr/lib/lxc/templates/lxc-0k-ubuntu-cloud /usr/lib/lxc/templates/ - fi -) - -## -## Patch some files -## - -stop lxc-net - -( - cp src/etc/default/lxc /etc/default/lxc && - cp src/etc/init/lxc{,-net}.conf /etc/init -) - -start lxc-net - -## -## Install dns waterfall -## - -apt-get install -y bind9 dnsmasq - -echo "Change /etc/default/lxc accordingly (use 172.48.#NB) as prefix" -echo "and add HOST_EXTERNAL_DEVICE=" -exit 1 - -# edit /etc/dnsmaq.conf -echo " -server=$(. /etc/default/lxc && echo "$LXC_ADDR") -interface=lo -no-negcache -log-queries -log-facility=/var/log/dnsmasq.log -" >> /etc/dnsmasq.conf - -( - cp "src/etc/bind/named.conf.options" "/etc/bind/named.conf.options" && - sed -ri "s/%%EXTERNAL_IP%%/$(. 
/etc/default/lxc && ifip "$HOST_EXTERNAL_DEVICE")/g" "/etc/bind/named.conf.options" -) -## XXXvlab: Maybe we could change this in the service start/stop of the named daemon - -mkdir /var/log/named -p && -chown bind:bind /var/log/named - -/etc/init.d/bind9 restart -/etc/init.d/dnsmasq restart - -## -## Logrotate for dnsmasq and named -## - -cat < /etc/logrotate.d/dnsmasq - -/var/log/dnsmasq.log { - missingok - copytruncate - notifempty - compress - - postrotate - kill -s SIGUSR2 "\$(cat /var/run/dnsmasq/dnsmasq.pid)" - endscript -} - -EOF - - -cat < /etc/logrotate.d/lxc-dnsmasq - -/var/log/lxc-dnsmasq.log { - missingok - copytruncate - notifempty - compress - - postrotate - kill -s SIGUSR2 "\$(cat /var/run/lxc/dnsmasq.pid)" - endscript -} - -EOF - -cat < /etc/logrotate.d/named -/var/log/named/*.log { - missingok - copytruncate - notifempty - compress -} -EOF - - -## -## shorewall -## - -apt-get install -y shorewall - -cat < /etc/shorewall/zones -fw firewall -net ipv4 -lan ipv4 -EOF - -cat < /etc/shorewall/interfaces -#ZONE INTERFACE BROADCAST OPTIONS -net eth0 -## Uncomment to enable vpn setup -#vpn tun0 detect -lan lxcbr0 - routeback -EOF - -cat < /etc/shorewall/policy -#SOURCE DEST RULE LOG - -fw all ACCEPT -lan all ACCEPT -net all DROP info -all all DROP info -EOF - -cat < /etc/shorewall/rules -SSH/ACCEPT net fw -Ping/ACCEPT net fw - - -BEGIN SHELL - -host_ip="\$(/sbin/ifconfig eth0 2> /dev/null | sed "s/^.*inet ad\+r://g" | grep ^[0-9] | sed "s/ .*$//g")" - -for name in \$(lxc-ls-running); do - ip=\$(dig +short A "\$name") - [ -e "/var/lib/lxc/\$name/shorewall" ] && - cat /var/lib/lxc/\$name/shorewall | sed -r "s/%%HOST_INTERNET_IP%%/\$host_ip/g" \ - | sed -r "s/%%IP%%/\$ip/g" - -done - -true - -END SHELL - -EOF - - -cat < /etc/shorewall/masq -eth0 lxcbr0 -EOF - -## -## Mail facilities -## - -( - debconf-set-selections <<< "postfix postfix/mailname string ${MAIL_NAME}.${MAIL_DOMAINNAME}" && - debconf-set-selections <<< "postfix postfix/main_mailer_type select 
'Local only'" && - - apt-get install -y postfix mailutils && - - postconf inet_interfaces=loopback-only && - - [ -z "$MAIL_SATTELITE_RELAYHOST" ] && postconf relayhost="$MAIL_SATTELITE_RELAYHOST" - postfix reload -) - -## -## Warnings -## - - -ln -sf /opt/apps/0k-manage/src/etc/cron.hourly/* /etc/cron.hourly/ -ln -sf /opt/apps/lxc-scripts/etc/cron.hourly/* /etc/cron.hourly/ - -## -## Backup lxc -## - -( - if ! [ -d "/opt/apps/0k-manage" ]; then - cd /opt/apps && - git clone $GIT_0K_CLONE_OPTIONS "$GIT_0K_BASE/0k/0k-manage.git" && - cd /opt/apps/0k-manage && - git checkout 0k/prod/master - fi - - ## these are required by /etc/cron.hourly/lxc-backup - - pip install sact.epoch && - (cd /usr/local/lib/python2.7/dist-packages/; - mv zope zope-bad) && - pip install zope.interface --upgrade && - pip install zope.component --upgrade && - ln -sf /opt/apps/0k-manage/src/bin/* /usr/local/bin/ -) diff --git a/precise/host/hooks/install.d/00-base.sh b/precise/host/hooks/install.d/00-base.sh new file mode 100755 index 0000000..1936744 --- /dev/null +++ b/precise/host/hooks/install.d/00-base.sh @@ -0,0 +1,9 @@ +#!/bin/bash + +set +eux + +apt-get update +apt-get -y --force-yes install bash-completion wget bzip2 git-core \ + less language-pack-en python-software-properties tmux mosh \ + sudo git /etc/gitconfig +[alias] + co = checkout + com = commit + st = status + ci = commit + +[color] + branch = auto + diff = auto + interactive = auto + status = auto + +[core] + whitespace = fix + excludesfile = /etc/gitignore + +EOF + +cat < /etc/gitignore +docs/build/* +develop-eggs/* +*.pyc +*.o +.installed.cfg +eggs/* +*.egg-info/* +*.orig +dist/* +build/* +buildout.dev.cfg +*~ +*# +.#* +*.swp +*_flymake.* +.svn + +EOF + + + +git config --global user.email "default@$(hostname)" +git config --global user.name "default" + diff --git a/precise/host/hooks/install.d/15-etckeeper.sh b/precise/host/hooks/install.d/15-etckeeper.sh new file mode 100755 index 0000000..1c55b81 --- /dev/null 
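Review bot: `set +eux` at the top of 00-base.sh turns errexit, nounset and xtrace *off* (the `+` form clears options), so a failed `apt-get update` or a failed package install no longer stops the hook and the remaining install.d scripts run against a half-provisioned host; the removed monolithic `install` and the new 36-gitsub.sh both use `set -eux`, so this reads as a typo rather than a deliberate choice. The same `set +eux` line opens 15-etckeeper.sh in the next hunk. Proposed: `set -eux # -x for verbose logging to juju debug-log`, as in the deleted script. If running without errexit is intended, a comment stating why would keep the next reader from "fixing" it.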
+++ b/precise/host/hooks/install.d/15-etckeeper.sh @@ -0,0 +1,17 @@ +#!/bin/bash + +set +eux + +[ "$DOCKER" ] && exit 0 + +## +## etckeeper +## + +apt-get install -y etckeeper /etc/apt/sources.list.d/kalysto.org.list + +## vlab's shell libraries +deb http://deb.kalysto.org no-dist kal-alpha kal-beta kal-main + +EOF + + ## Update only this repo: + apt-get update -o Dir::Etc::sourcelist="sources.list.d/kalysto.org.list" \ + -o Dir::Etc::sourceparts="-" -o APT::Get::List-Cleanup="0" +fi + +apt-get install -y --force-yes kal-scripts diff --git a/precise/host/hooks/install.d/30-customize.sh b/precise/host/hooks/install.d/30-customize.sh new file mode 100755 index 0000000..a100fa7 --- /dev/null +++ b/precise/host/hooks/install.d/30-customize.sh @@ -0,0 +1,52 @@ +#!/bin/bash + +## Requires kal-script + + +## +## More shell configurations (prompt, functions) +## + +mkdir -p /etc/prompt + +cat < /etc/prompt/prompt.1.rc +PROMPT_COMMAND="" +parse_git_branch() { + ref=\$(git symbolic-ref HEAD 2> /dev/null) || return + echo -en ' (\033[0;32m'\${ref#refs/heads/}'\033[0m)' +} +export PS1="\[\033[0;37m\][\[\033[1;30m\]\u\[\033[0;37m\]@\[\033[1;30m\]\H\[\033[0;37m\]]-[\[\033[1;34m\]\w\[\033[0;37m\]]\\\$(parse_git_branch)\n\[\033[1;37m\]\\$ \[\033[0;37m\]" +EOF + +cat <> /root/.bashrc + +## History management + +export HISTCONTROL=ignoredups +export HISTSIZE=50000 +shopt -s histappend +PROMPT_COMMAND='history -a' + + +## Prompt easy management + +prompt() { + prompt_name="prompt.\$1.rc" + + for i in /etc/prompt ~/.prompt; do + [ -f "\$i/\$prompt_name" ] && + . "\$i/\$prompt_name" + done +} + + +## Git log command + +function glog() { + git log --graph --pretty=tformat:%C\(yellow\ normal\)%h%Creset\ %C\(blue\ normal\)%an%Creset\ %s\ %Cgreen%d%Creset -n 20 "\$@" +} + +prompt 1 + +EOF + diff --git a/precise/host/hooks/install.d/35-git-access.sh b/precise/host/hooks/install.d/35-git-access.sh new file mode 100755 index 0000000..45e0ff2 --- /dev/null 
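Review bot: In 20-kal-scripts.sh the kalysto.org repository is added as `deb http://deb.kalysto.org no-dist kal-alpha kal-beta kal-main` — plain HTTP, no signing key installed — and the package is then pulled with `apt-get install -y --force-yes kal-scripts`, which on precise lets apt proceed even when the package cannot be authenticated, so anyone on the path to deb.kalysto.org can substitute a `kal-scripts` that runs as root on every host (30-customize.sh states `## Requires kal-script`, and `ifip` in 80-dns-waterfall.sh presumably comes from it too). The start of this hunk looks garbled in the page, so the repo-file heredoc may hold more than is visible here. Proposed: import the repository's signing key before the `apt-get update -o Dir::Etc::sourcelist=...` call and drop `--force-yes`, i.e. `apt-get install -y kal-scripts`, so an unauthenticated package fails the hook instead of silently installing. If the repository genuinely is unsigned, say so in a comment next to the `deb` line so the trust decision is visible rather than implicit.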
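Review bot: 30-customize.sh appends the history/prompt/`glog` block to /root/.bashrc with `>>` on every run and has no guard, so each re-execution of the hook duplicates the block (and each copy re-runs `prompt 1`), whereas 35-git-access.sh in the next hunk guards its append with a `grep '^Host 0k-ro'` check. Proposed: wrap the append the same way, `grep -q '^## Prompt easy management' /root/.bashrc 2>/dev/null || cat <<EOF >> /root/.bashrc` (the heredoc marker appears stripped in the page, so the exact redirection should be checked against the file). The file has no `set -e`/shebang options at all, which is fine for config writing but worth a one-line comment since the sibling scripts differ.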
+++ b/precise/host/hooks/install.d/35-git-access.sh @@ -0,0 +1,28 @@ +#!/bin/bash + + +## +## ssh config +## + +cp src/etc/ssh/lxc_git_access_id_rsa /etc/ssh/lxc_git_access_id_rsa +chmod 0600 /etc/ssh/lxc_git_access_id_rsa + +SSH_CONFIG_DIR=~/.ssh + +mkdir -p "$SSH_CONFIG_DIR" + +if ! grep '^Host 0k-ro' "$SSH_CONFIG_DIR"/config >/dev/null 2>&1; then + cat <> "$SSH_CONFIG_DIR"/config + +Host 0k-ro + Hostname git.0k.io + Port 10022 + User lxc-user + IdentityFile /etc/ssh/lxc_git_access_id_rsa + UserKnownHostsFile /dev/null + StrictHostKeyChecking no + +EOF + +fi diff --git a/precise/host/hooks/install.d/36-gitsub.sh b/precise/host/hooks/install.d/36-gitsub.sh new file mode 100755 index 0000000..7e43796 --- /dev/null +++ b/precise/host/hooks/install.d/36-gitsub.sh @@ -0,0 +1,20 @@ +#!/bin/bash + +set -eux # -x for verbose logging to juju debug-log + + +## 0k git remote path +GIT_0K_BASE=${GIT_0K_BASE:-"0k-ro:/var/git"} + +## 0k git remote options +GIT_0K_CLONE_OPTIONS=${GIT_0K_CLONE_OPTIONS:-""} + + +## +## install git sub +## + +mkdir -p /opt/apps && +cd /opt/apps && +git clone $GIT_0K_CLONE_OPTIONS "$GIT_0K_BASE"/0k/git-sub && +ln -sf /opt/apps/git-sub/bin/git-sub /usr/lib/git-core/ diff --git a/precise/host/hooks/install.d/40-btrfs.sh b/precise/host/hooks/install.d/40-btrfs.sh new file mode 100755 index 0000000..d8cf903 --- /dev/null +++ b/precise/host/hooks/install.d/40-btrfs.sh 
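Review bot: 35-git-access.sh copies a private key that ships inside the charm tree (`cp src/etc/ssh/lxc_git_access_id_rsa /etc/ssh/lxc_git_access_id_rsa`) and then writes `UserKnownHostsFile /dev/null` plus `StrictHostKeyChecking no` for `0k-ro`, so the host-key check is permanently disabled on the very connection that later fetches code run as root (36-gitsub.sh symlinks the clone into /usr/lib/git-core). A key committed to the repository is shared by every deployment and cannot be rotated per host, and a network-position attacker can serve arbitrary git content to this client. Proposed: ship the server's public host key instead and pin it — `UserKnownHostsFile /etc/ssh/known_hosts_0k` with `StrictHostKeyChecking yes` — and add a comment above the `cp` stating that the key is read-only access (`0k-ro`) and what it grants. Use `install -m 0600 src/etc/ssh/lxc_git_access_id_rsa /etc/ssh/lxc_git_access_id_rsa` rather than `cp` then `chmod`, so the key is never briefly readable under the default umask if the source file is not already 0600.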
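Review bot: 36-gitsub.sh runs under `set -eux` but clones unconditionally, so on a second run `git clone $GIT_0K_CLONE_OPTIONS "$GIT_0K_BASE"/0k/git-sub` fails because /opt/apps/git-sub already exists, errexit aborts the script, and the `ln -sf ... /usr/lib/git-core/` line never runs; the removed monolithic hook guarded every clone with `if ! [ -d ... ]`. Proposed: `{ [ -d /opt/apps/git-sub ] || git clone $GIT_0K_CLONE_OPTIONS "$GIT_0K_BASE"/0k/git-sub; } &&` in place of the bare clone. `$GIT_0K_CLONE_OPTIONS` is unquoted on purpose so several options can be passed; a comment saying so (`# unquoted on purpose: may hold several options`) would stop a shellcheck-driven "fix" from breaking it.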
@@ -0,0 +1,93 @@ +#!/bin/bash + +## +## btrfs install +## + +#BTRFS_DEVICE= +BTRFS_MOUNT_ROOT=${BTRFS_MOUNT_ROOT:-"/mnt/btrfs-root"} +if [ -z "$BTRFS_DEVICE" ]; then + echo "You must set a BTRFS_DEVICE environment variable prior to executing this hook." + exit 1 +fi + +apt-get install -y btrfs-tools + +if [ "$FORCE" != "yes" ]; then + echo "the following is dangerous code. Please execute with FORCE=yes." + echo "it DELETES directory /var/lib/docker if you have one." + exit 1 +fi + +## "$BTRFS_DEVICE" device should not be mounted +if mount | egrep ^"$BTRFS_DEVICE\s+" >/dev/null 2>&1; then + umount "$BTRFS_DEVICE" || { + echo "Can't umount $BTRFS_DEVICE. Aborting script." + exit 1 + } + echo "Unmounted $BTRFS_DEVICE." +fi + + +if egrep ^"$BTRFS_DEVICE\s+" /etc/fstab >/dev/null 2>&1; then + sed -r -i "\%^$BTRFS_DEVICE\s+%d" /etc/fstab || { + echo "Couldn't remove device $BTRFS_DEVICE from fstab." + exit 1 + } + echo "Removed device $BTRFS_DEVICE from fstab." +fi + + +## Format the device and add entry in fstab + +mkfs.btrfs -f "$BTRFS_DEVICE" + +## No need of UID it seems: +# UUID="$(blkid -s UUID $BTRFS_DEVICE -o value)" +# echo "UUID=$UUID $BTRFS_MOUNT_ROOT btrfs defaults,relatime,compress=lzo,space_cache,auto 0 0" >> /etc/fstab +echo "$BTRFS_DEVICE $BTRFS_MOUNT_ROOT btrfs defaults,relatime,compress=lzo,space_cache,auto 0 0" >> /etc/fstab + + +## Mount point and mount device + +mkdir "$BTRFS_MOUNT_ROOT" -p +mount "$BTRFS_MOUNT_ROOT" + + +if [ -d /var/lib/docker ] ; then + RESTART_DOCKER=yes + service docker stop + ## XXXvlab: moving doesn't work and is not desirable, as we want docker + ## to setup and detect new underlying btrfs system. 
+ # mv "/var/lib/docker/"* "$BTRFS_MOUNT_ROOT/var/lib/docker" + rm -rf /var/lib/docker/* +fi + + +## Build subvolume structure + +for d in /home /var{/{lib,cache,backups}/lxc,/lib/docker} \ + /var/backups/snapshot \ + /srv/{lxc,docker}-datastore{,/config,/data}; do + mkdir -p "$(dirname "$BTRFS_MOUNT_ROOT$d")" ## creates parent directory of subvolume + btrfs subvolume create "$BTRFS_MOUNT_ROOT$d" + mkdir -p "$d" + + binds=$(cat /etc/fstab | egrep '\s+none\s+' | grep bind | grep -v '^\s+#' | sed -r 's/^\s*([^ ]+).*$/\1/g') + for b in $binds; do + if [[ "$BTRFS_MOUNT_ROOT$d/" == "$b/"* ]]; then + echo "Directory '$d' is already available via bind '$b'." + continue 2 + fi + done + + ## Add bind to /etc/fstab + echo "$BTRFS_MOUNT_ROOT$d $d none bind,defaults,auto 0 0" >> /etc/fstab +done + + +## Mount all binds + +mount -a + +[ -z "$RESTART_DOCKER" ] || service docker start diff --git a/precise/host/hooks/install.d/50-lxc.sh b/precise/host/hooks/install.d/50-lxc.sh new file mode 100755 index 0000000..42de331 --- /dev/null +++ b/precise/host/hooks/install.d/50-lxc.sh @@ -0,0 +1,8 @@ +#!/bin/bash + +apt-get install lxc -y --force-yes > /etc/default/lxc + } + [ -d /usr/share/lxc/templates ] && { + ln -sf /opt/apps/lxc-scripts/usr/lib/lxc/templates/lxc-0k-ubuntu-cloud /usr/share/lxc/templates + echo TEMPLATE_PATH=/usr/share/lxc/templates >> /etc/default/lxc + } + fi +) diff --git a/precise/host/hooks/install.d/80-dns-waterfall.sh b/precise/host/hooks/install.d/80-dns-waterfall.sh new file mode 100755 index 0000000..3a90b12 --- /dev/null +++ b/precise/host/hooks/install.d/80-dns-waterfall.sh 
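Review bot: 40-btrfs.sh has no `set -e`, so when `mount "$BTRFS_MOUNT_ROOT"` fails (bad fstab line, mkfs error) the script still runs `service docker stop` and `rm -rf /var/lib/docker/*`, destroying the existing Docker state with nothing mounted to replace it, and then appends bind entries to /etc/fstab for directories that were never created. Proposed: `mount "$BTRFS_MOUNT_ROOT" || { echo "mount of $BTRFS_MOUNT_ROOT failed, aborting before touching /var/lib/docker" >&2; exit 1; }` — or `set -e` at the top, as 36-gitsub.sh does. The fstab entry now uses the raw device path rather than the UUID the commented-out lines computed; with `auto` a renumbered `/dev/sdX` at the next boot mounts the wrong disk or leaves every bind dangling, so the reason the UUID form was dropped ("No need of UID it seems") deserves a real comment. The `grep -v '^\s+#'` filter over fstab is a basic regex where `+` is literal, so commented-out bind lines are not actually excluded; `grep -Ev '^\s*#'` does what the comment intends.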
@@ -0,0 +1,111 @@ +#!/bin/bash + + +[ "$LXC_NETWORK" ] || { + echo "You must set \$LXC_NETWORK (to something like 172.160.0 ) before using this script." + exit 1 +} + +HOST_EXTERNAL_DEVICE=${HOST_EXTERNAL_DEVICE:-eth0} + +apt-get install -y bind9 dnsmasq + +echo HOST_EXTERNAL_DEVICE="$HOST_EXTERNAL_DEVICE" >> /etc/default/lxc +sed -ri "s%10\.0\.3\.%$LXC_NETWORK.%g;s%^#LXC_DHCP_CONFILE=%LXC_DHCP_CONFILE=%g" /etc/default/lxc-net + +LXC_ADDR=$(. /etc/default/lxc && echo "$LXC_ADDR") +if [ -z "$LXC_ADDR" ]; then + LXC_ADDR=$(. <(cat /usr/lib/x86_64-linux-gnu/lxc/lxc-net | grep ^LXC_ADDR | head -n 1) && echo "$LXC_ADDR") +fi + +HOST_IP=$(. /etc/default/lxc && ifip "$HOST_EXTERNAL_DEVICE") + +echo " +server=$LXC_ADDR +interface=lo +no-negcache +log-queries +log-facility=/var/log/dnsmasq.log +" >> /etc/dnsmasq.conf + +echo " +server=${HOST_IP} +log-queries +no-negcache +log-facility=/var/log/lxc-dnsmasq.log +" >> /etc/lxc/dnsmasq.conf + +( + cp "src/etc/bind/named.conf.options" "/etc/bind/named.conf.options" && + sed -ri "s/%%EXTERNAL_IP%%/$HOST_IP/g" "/etc/bind/named.conf.options" +) +## XXXvlab: Maybe we could change this in the service start/stop of the named daemon + +mkdir /var/log/named -p && +chown bind:bind /var/log/named + +/etc/init.d/bind9 restart +/etc/init.d/dnsmasq restart +service lxc restart +service lxc-net restart ## had to 'brctl delbr lxcbr0' myself + +cp /etc/resolv.conf{,.orig} +cat < /etc/resolv.conf +nameserver 127.0.0.1 +#domain . 
## didn't work on 12.04 +search localdomain ## imperfect, we don't want to search www.localdomain +EOF + +## +## Logrotate for dnsmasq and named +## + +cat < /etc/logrotate.d/dnsmasq + +/var/log/dnsmasq.log { + missingok + copytruncate + notifempty + compress + + postrotate + kill -s SIGUSR2 "\$(cat /var/run/dnsmasq/dnsmasq.pid)" + endscript +} + +EOF + + +cat < /etc/logrotate.d/lxc-dnsmasq + +/var/log/lxc-dnsmasq.log { + missingok + copytruncate + notifempty + compress + + postrotate + kill -s SIGUSR2 "\$(cat /var/run/lxc/dnsmasq.pid)" + endscript +} + +EOF + +cat < /etc/logrotate.d/named +/var/log/named/*.log { + missingok + copytruncate + notifempty + compress +} +EOF + +## +## Testing +## + +# lsof -i4tcp:53 -n +# netstat -ltnp | grep :53 +# ping HOST +# host HOST +# tcpdump diff --git a/precise/host/hooks/install.d/90-shorewall.sh b/precise/host/hooks/install.d/90-shorewall.sh new file mode 100755 index 0000000..dbcdc81 --- /dev/null +++ b/precise/host/hooks/install.d/90-shorewall.sh 
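Review bot: `$LXC_NETWORK` is checked only for non-emptiness and then spliced into `sed -ri "s%10\.0\.3\.%$LXC_NETWORK.%g;..."` over /etc/default/lxc-net and into the dnsmasq configs, so a value containing `%` or `&` silently corrupts lxc-net, and the example offered in the error message, `172.160.0`, is not RFC 1918 space (172.16.0.0/12 ends at 172.31) — containers on it would shadow routable Internet addresses. Proposed, before the sed: `[[ "$LXC_NETWORK" =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]] || { echo "LXC_NETWORK must be a /24 prefix such as 10.0.3 or 172.16.0" >&2; exit 1; }`. The script also appends `HOST_EXTERNAL_DEVICE=` to /etc/default/lxc and the `server=` blocks to both dnsmasq configs on every run with no guard, unlike the grep check in 35-git-access.sh. `ifip` is not defined anywhere in this patch; a comment noting where it comes from (presumably kal-scripts, as 30-customize.sh says of its own dependency) would help the next reader.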
@@ -0,0 +1,73 @@ +#!/bin/bash + +## +## shorewall +## + +apt-get install -y shorewall + +cat < /etc/shorewall/zones +fw firewall +net ipv4 +lan ipv4 +EOF + +cat < /etc/shorewall/interfaces +#ZONE INTERFACE BROADCAST OPTIONS +net eth0 +## Uncomment to enable vpn setup +#vpn tun0 detect +lan lxcbr0 - routeback +EOF + +cat < /etc/shorewall/policy +#SOURCE DEST RULE LOG + +fw all ACCEPT +lan all ACCEPT +net all DROP info +all all DROP info +EOF + +cat < /etc/shorewall/rules +SSH/ACCEPT net fw +Ping/ACCEPT net fw + + +BEGIN SHELL + +host_ip="\$(/sbin/ifconfig eth0 2> /dev/null | sed "s/^.*inet ad\+r://g" | grep ^[0-9] | sed "s/ .*$//g")" + +for name in \$(lxc-ls-running); do + ip=\$(dig +short A "\$name") + [ -e "/var/lib/lxc/\$name/shorewall" ] && + cat /var/lib/lxc/\$name/shorewall | sed -r "s/%%HOST_INTERNET_IP%%/\$host_ip/g" \ + | sed -r "s/%%IP%%/\$ip/g" + +done + +true + +END SHELL + +EOF + +cat < /etc/shorewall/masq +eth0 lxcbr0 +EOF + +cat < /etc/shorewall/start +## correct a bug that prevent DHCP packet to be correctly sent between +## LXC, preventing them to receive an IP. + +. /etc/default/lxc + +if [ -d "/sys/class/net/\$LXC_BRIDGE" -a "\$(cat /sys/class/net/\$LXC_BRIDGE/operstate)" == "up" ]; then + source_file=/etc/init/lxc-net.conf + code=\$(egrep '^\s+iptables.*\s+-j\s+' /etc/init/lxc-net.conf | grep -v '\-D' | sed -r 's/^\s+[^-]+/run_iptables /g') + echo "Adding LXC rules:" + echo "\$code" + eval "\$code" +fi + +EOF
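Review bot: In the `BEGIN SHELL` block written to /etc/shorewall/rules, `ip=\$(dig +short A "\$name")` is substituted unchecked into each container's template: when the lookup returns nothing (container not yet in DNS, or DNS down at `shorewall start`) the generated rule has an empty column and shorewall refuses to compile, and a name with several A records yields multi-line output that splits the rule. Proposed: `ip=\$(dig +short A "\$name" | grep -m1 '^[0-9]')` followed by `[ -n "\$ip" ] || continue` (backslashes because this sits inside the unquoted heredoc). The /etc/shorewall/start hook scrapes iptables lines out of /etc/init/lxc-net.conf with `sed` and `eval`s them; that file is package-owned so the exposure is low, but a comment recording which lxc package version the regex was written against would make the breakage obvious when the upstart job changes.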