From 70d303ccf54ec7b8051a4d1b240ba8c03271dcba Mon Sep 17 00:00:00 2001 From: Valentin Lab Date: Mon, 24 Feb 2014 12:48:16 +0100 Subject: [PATCH] chg: updated further the script for host installation. @wip This is still in development. --- precise/host/hooks/install | 256 ++++++++++++++++-- precise/host/src/bind9.patch | 39 --- precise/host/src/etc/bind/named.conf.options | 52 ++++ .../host/src/etc/ssh/lxc_git_access_id_rsa | 1 + 4 files changed, 280 insertions(+), 68 deletions(-) delete mode 100644 precise/host/src/bind9.patch create mode 100644 precise/host/src/etc/bind/named.conf.options create mode 120000 precise/host/src/etc/ssh/lxc_git_access_id_rsa diff --git a/precise/host/hooks/install b/precise/host/hooks/install index 21deb6d..980ad97 100755 --- a/precise/host/hooks/install +++ b/precise/host/hooks/install @@ -12,6 +12,16 @@ GIT_0K_BASE=${GIT_0K_BASE:-"git.0k.io:/var/git"} GIT_0K_CLONE_OPTIONS=${GIT_0K_CLONE_OPTIONS:-""} +#BTRFS_DEVICE= +BTRFS_MOUNT_ROOT=${BTRFS_MOUNT_ROOT:-"/mnt/btrfs-root"} +if [ -z "$BTRFS_DEVICE" ]; then + echo "You must set a BTRFS_DEVICE environement variable prior to executing this hook." + exit 1 +fi + +MAIL_NAME=${MAIL_NAME:-localhost} +MAIL_DOMAINNAME=${MAIL_DOMAINNAME:-"localdomain"} +MAIL_SATTELITE_RELAYHOST=${MAIL_SATTELITE_RELAYHOST:-} ## @@ -56,7 +66,10 @@ cat <> /etc/apt/sources.list deb http://deb.kalysto.org no-dist kal-alpha kal-beta kal-main EOF +apt-get update +apt-get install -y --force-yes kal-scripts python-pip && +pip install shyaml ## ## More shell configurations (prompt, functions) 
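Review bot: The BTRFS_DEVICE guard prints its diagnostic to stdout and sits under a commented-out `#BTRFS_DEVICE=` assignment, while a later hunk runs `mkfs.btrfs` on whatever path the variable holds — the combination invites someone to un-comment the line with a real device that then gets wiped on every host built from this hook. Send the message to stderr and let the shell enforce the requirement, e.g. `: "${BTRFS_DEVICE:?BTRFS_DEVICE must name the block device to be formatted as btrfs}"`, and drop the commented assignment. The existing message also misspells "environment".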
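Review bot: `apt-get install -y --force-yes kal-scripts python-pip` tells apt to proceed without asking even when packages cannot be authenticated, and the only source visible in this context is `deb http://deb.kalysto.org no-dist kal-alpha kal-beta kal-main` over plain HTTP with no signing key imported anywhere in the diff; as far as this hook shows, that makes the repository and any on-path attacker a root code-execution vector on every host. Import the repository's signing key before `apt-get update` and drop `--force-yes` (`-y` alone suffices once packages verify). `pip install shyaml` likewise pulls an unpinned package from PyPI as root; pin it to a known version (`shyaml==…`) or package it in the same repository.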
@@ -106,36 +119,39 @@ prompt 1 EOF - - - -apt-get install -y kal-scripts python-pip -pip install shyaml - ## ## btrfs install ## -apt-get install btrfs-tools +apt-get install -y btrfs-tools + +echo "the following is dangerous code. Please execute yourself for now." +exit 1 +## Format the device and add entry in fstab + +mkfs.btrfs "$BTRFS_DEVICE" -root=/mnt/btrfs-root +UUID="$(blkid -s UUID $BTRFS_DEVICE -o value)" +echo "UUID=$UUID $BTRFS_MOUNT_ROOT btrfs defaults,relatime,compress=lzo,auto 0 0" >> /etc/fstab -#mkdir /mnt/btrfs-root -p -#mount /mnt/btrfs-root +## Mount point and mount device +mkdir "$BTRFS_MOUNT_ROOT" -p +mount "$BTRFS_MOUNT_ROOT" -btrfs subvolume create $root/var -mkdir $root/var/{lib,cache,backups} -p -for d in $root/var/{lib,cache,backups}; do +## Build subvolume structure + +btrfs subvolume create $BTRFS_MOUNT_ROOT/var +mkdir $BTRFS_MOUNT_ROOT/var/{lib,cache,backups} -p +for d in $BTRFS_MOUNT_ROOT/var/{lib,cache,backups}; do btrfs subvolume create $d/lxc done -for d in $root/srv/{,lxc-datastore{,/config,/data}}; do +for d in $BTRFS_MOUNT_ROOT/srv/{,lxc-datastore{,/config,/data}}; do btrfs subvolume create $d done -mkdir srv/lxc - +## Add binds to /etc/fstab cat <> /etc/fstab @@ -151,18 +167,39 @@ EOF mkdir -p /var/backups/lxc /srv/lxc-datastore -## +## ## lxc tools ## apt-get install lxc -## mount all +mount -a all + mkdir -p /opt/apps ## -## Install 0k-manage for the handy oe command +## ssh config +## + + +cp src/etc/ssh/lxc_git_access_id_rsa /etc/ssh/lxc_git_access_id_rsa +chmod 0600 /etc/ssh/lxc_git_access_id_rsa + +cat <> ~/.ssh/config + +Host git.0k.io + User lxc-user + IdentityFile /etc/ssh/lxc_git_access_id_rsa + UserKnownHostsFile /dev/null + StrictHostKeyChecking no + Port 10022 + +EOF + + +## +## Install 0k-manage ## ( @@ -170,7 +207,7 @@ mkdir -p /opt/apps cd /opt/apps && git clone $GIT_0K_CLONE_OPTIONS "$GIT_0K_BASE/0k/0k-manage.git" && cd /opt/apps/0k-manage && - git checkout 0k/dev/master + git checkout 0k/prod/master fi ) 
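Review bot: `mkfs.btrfs "$BTRFS_DEVICE"` formats the device without checking that it is empty, so a wrong or reused value in the environment destroys an existing filesystem on the host; the `exit 1` placed just before it only postpones that problem and also makes every later step of the hook unreachable. Refuse to format when `blkid "$BTRFS_DEVICE"` already reports a filesystem signature (or require an explicit override variable), and quote the expansion in `UUID="$(blkid -s UUID "$BTRFS_DEVICE" -o value)"`. The `echo "UUID=$UUID ..." >> /etc/fstab` line also appends a duplicate entry on every run; guard it with `grep -q "UUID=$UUID" /etc/fstab ||`.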
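Review bot: The `~/.ssh/config` stanza for git.0k.io sets `StrictHostKeyChecking no` together with `UserKnownHostsFile /dev/null`, so the clones of 0k-manage, 0k-charms and lxc-scripts that follow — whose contents this hook symlinks into /usr/local/sbin and /etc/cron.hourly and runs as root — are fetched with no verification of the server; an on-path host that answers as git.0k.io can hand back code that cron will execute hourly. Ship the server's host key next to the client key and pin it: `UserKnownHostsFile /etc/ssh/lxc_git_known_hosts` and `StrictHostKeyChecking yes`, with a `cp src/etc/ssh/lxc_git_known_hosts /etc/ssh/` beside the existing key copy. Create the private key with its final mode instead of `cp` followed by `chmod` (`install -m 0600 src/etc/ssh/lxc_git_access_id_rsa /etc/ssh/lxc_git_access_id_rsa`), since the file briefly exists with the umask's permissions, and guard the append with `grep -q 'Host git.0k.io' ~/.ssh/config ||` so re-running the hook does not duplicate the stanza.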
@@ -182,9 +219,16 @@ mkdir -p /opt/apps if ! [ -d "/opt/apps/0k-charms" ]; then cd /opt/apps && git clone $GIT_0K_CLONE_OPTIONS "$GIT_0K_BASE/0k/0k-charms.git" && - cd /opt/apps/0k-manage && - git checkout 0k/dev/master + cd /opt/apps/0k-charms && + git checkout master fi + + if ! [ -d "/srv/charm-store" ]; then + mkdir -p /srv && + ln -sf /opt/apps/0k-charms/precise /srv/charm-store + fi + + ) @@ -198,7 +242,7 @@ mkdir -p /opt/apps git clone $GIT_0K_CLONE_OPTIONS "$GIT_0K_BASE/0k/lxc-scripts.git" && cd /opt/apps/0k-manage && git checkout master && - ln -sf /opt/apps/lxc-scripts/bin/lxc-* /usr/local/sbin/ && + ln -sf /opt/apps/lxc-scripts/bin/lxc-* /usr/local/sbin/ && ln -sf /opt/apps/lxc-scripts/usr/lib/lxc/templates/lxc-0k-ubuntu-cloud /usr/lib/lxc/templates/ fi ) @@ -207,18 +251,24 @@ mkdir -p /opt/apps ## Patch some files ## -( - cd /etc && - cat /opt/apps/lxc-scripts/precise-12.04.patch | patch -p1 +stop lxc-net +( + cp src/etc/default/lxc /etc/default/lxc && + cp src/etc/init/lxc{,-net}.conf /etc/init ) +start lxc-net + ## ## Install dns waterfall ## apt-get install -y bind9 dnsmasq +echo "Change /etc/default/lxc accordingly (use 172.48.#NB) as prefix" +echo "and add HOST_EXTERNAL_DEVICE=" +exit 1 # edit /etc/dnsmaq.conf echo " 
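Review bot: The operator instruction `echo "Change /etc/default/lxc accordingly (use 172.48.#NB) as prefix"` steers container networks into 172.48.0.0/16, which is not RFC 1918 private space (172.16.0.0/12 ends at 172.31.255.255): containers would be numbered out of publicly routed addresses, which leaks in logs and mail headers and would cut them off from whoever legitimately owns that range. Point the message at a private block, e.g. `echo "Change /etc/default/lxc accordingly (use 172.16.#NB or 10.#NB.0) as prefix"`, and use the same block in the shipped `src/etc/default/lxc`. Note that `cp src/etc/default/lxc` and `cp src/etc/init/lxc{,-net}.conf` copy files this patch does not add, so the `&&`-chained subshell fails silently between `stop lxc-net` and `start lxc-net` unless they already exist in the tree; the `exit 1` after the bind9/dnsmasq install also leaves the dns, logrotate, shorewall and mail steps unreachable, which the hook's header comment should state while the script is @wip.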
@@ -230,13 +280,161 @@ log-facility=/var/log/dnsmasq.log " >> /etc/dnsmasq.conf ( - cd /etc && - cat src/bind9.patch | patch -p1 && - sed -ri s/%%EXTERNAL_IP%%/$(. /etc/default/lxc && ifip "$HOST_EXTERNAL_DEVICE") + cp "src/etc/bind/named.conf.options" "/etc/bind/named.conf.options" && + sed -ri "s/%%EXTERNAL_IP%%/$(. /etc/default/lxc && ifip "$HOST_EXTERNAL_DEVICE")/g" "/etc/bind/named.conf.options" ) +## XXXvlab: Maybe we could change this in the service start/stop of the named daemon + mkdir /var/log/named -p && chown bind:bind /var/log/named +/etc/init.d/bind9 restart +/etc/init.d/dnsmasq restart + +## +## Logrotate for dnsmasq and named +## + +cat < /etc/logrotate.d/dnsmasq + +/var/log/dnsmasq.log { + missingok + copytruncate + notifempty + compress + + postrotate + kill -s SIGUSR2 "\$(cat /var/run/dnsmasq/dnsmasq.pid)" + endscript +} + +EOF + + +cat < /etc/logrotate.d/lxc-dnsmasq + +/var/log/lxc-dnsmasq.log { + missingok + copytruncate + notifempty + compress + + postrotate + kill -s SIGUSR2 "\$(cat /var/run/lxc/dnsmasq.pid)" + endscript +} + +EOF + +cat < /etc/logrotate.d/named +/var/log/named/*.log { + missingok + copytruncate + notifempty + compress +} +EOF + + +## +## shorewall +## + +apt-get install -y shorewall + +cat < /etc/shorewall/zones +fw firewall +net ipv4 +lan ipv4 +EOF + +cat < /etc/shorewall/interfaces +#ZONE INTERFACE BROADCAST OPTIONS +net eth0 +## Uncomment to enable vpn setup +#vpn tun0 detect +lan lxcbr0 - routeback +EOF + +cat < /etc/shorewall/policy +#SOURCE DEST RULE LOG + +fw all ACCEPT +lan all ACCEPT +net all DROP info +all all DROP info +EOF + +cat < /etc/shorewall/rules +SSH/ACCEPT net fw +Ping/ACCEPT net fw + + +BEGIN SHELL + +host_ip="\$(/sbin/ifconfig eth0 2> /dev/null | sed "s/^.*inet ad\+r://g" | grep ^[0-9] | sed "s/ .*$//g")" + +for name in \$(lxc-ls-running); do + ip=\$(dig +short A "\$name") + [ -e "/var/lib/lxc/\$name/shorewall" ] && + cat /var/lib/lxc/\$name/shorewall | sed -r "s/%%HOST_INTERNET_IP%%/\$host_ip/g" \ + | 
sed -r "s/%%IP%%/\$ip/g" + +done +true +END SHELL +EOF + + +cat < /etc/shorewall/masq +eth0 lxcbr0 +EOF + +## +## Mail facilities +## + +( + debconf-set-selections <<< "postfix postfix/mailname string ${MAIL_NAME}.${MAIL_DOMAINNAME}" && + debconf-set-selections <<< "postfix postfix/main_mailer_type select 'Local only'" && + + apt-get install -y postfix mailutils && + + postconf inet_interfaces=loopback-only && + + [ -z "$MAIL_SATTELITE_RELAYHOST" ] && postconf relayhost="$MAIL_SATTELITE_RELAYHOST" + postfix reload +) + +## +## Warnings +## + + +ln -sf /opt/apps/0k-manage/src/etc/cron.hourly/* /etc/cron.hourly/ +ln -sf /opt/apps/lxc-scripts/etc/cron.hourly/* /etc/cron.hourly/ + +## +## Backup lxc +## + +( + if ! [ -d "/opt/apps/0k-manage" ]; then + cd /opt/apps && + git clone $GIT_0K_CLONE_OPTIONS "$GIT_0K_BASE/0k/0k-manage.git" && + cd /opt/apps/0k-manage && + git checkout 0k/prod/master + fi + + ## these are required by /etc/cron.hourly/lxc-backup + + pip install sact.epoch && + (cd /usr/local/lib/python2.7/dist-packages/; + mv zope zope-bad) && + pip install zope.interface --upgrade && + pip install zope.component --upgrade && + ln -sf /opt/apps/0k-manage/src/bin/* /usr/local/bin/ +) diff --git a/precise/host/src/bind9.patch b/precise/host/src/bind9.patch deleted file mode 100644 index 149272a..0000000 --- a/precise/host/src/bind9.patch +++ /dev/null 
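Review bot: In the mail section, `[ -z "$MAIL_SATTELITE_RELAYHOST" ] && postconf relayhost="$MAIL_SATTELITE_RELAYHOST"` is inverted — it sets relayhost to the empty string when no relay was given and skips the setting when one was supplied; it should read `[ -n "$MAIL_SATTELITE_RELAYHOST" ] && postconf relayhost="$MAIL_SATTELITE_RELAYHOST"`. The firewall written in the same hunk is never activated as far as the diff shows: shorewall is installed and /etc/shorewall/{zones,interfaces,policy,rules,masq} are written, but nothing sets startup=1 in /etc/default/shorewall or runs `shorewall start`, while `/etc/init.d/bind9 restart` brings up named bound to the external IP from the sed substitution, so the `net all DROP` policy exists only on disk unless it is enabled elsewhere. The shorewall interfaces/masq entries and `host_ip="$(/sbin/ifconfig eth0 ...)"` also hard-code eth0 where the bind step reads `$HOST_EXTERNAL_DEVICE`, so a host with a different uplink gets its firewall on the wrong interface; derive both from the same variable. In the `BEGIN SHELL` block, `ip=$(dig +short A "$name")` can yield several lines or nothing, which then lands unquoted in the generated rules; take only the first A record and skip the container when it is empty.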
@@ -1,39 +0,0 @@ -diff --git a/bind/named.conf.options b/bind/named.conf.options -index 5b1981d..c1fd78c 100644 ---- a/bind/named.conf.options -+++ b/bind/named.conf.options -@@ -21,8 +21,32 @@ options { - dnssec-validation auto; - - auth-nxdomain no; # conform to RFC1035 -- listen-on-v6 { ::1; }; -- listen-on { 127.0.0.1; }; -+ //listen-on-v6 { ::1; }; -+ listen-on { 178.33.122.174; }; - // allow-recursion { 127.0.0.1; }; - }; - -+ -+logging { -+ channel warning -+ { -+ file "/var/log/named/dns.warnings.log"; -+ severity warning; -+ print-category yes; -+ print-severity yes; -+ print-time yes; -+ }; -+ -+ channel general_dns -+ { -+ file "/var/log/named/dns.log"; -+ severity info; -+ print-category yes; -+ print-severity yes; -+ print-time yes; -+ }; -+ -+ category default { warning; } ; -+ category queries { general_dns; } ; -+}; -+ diff --git a/precise/host/src/etc/bind/named.conf.options b/precise/host/src/etc/bind/named.conf.options new file mode 100644 index 0000000..a1fca35 --- /dev/null +++ b/precise/host/src/etc/bind/named.conf.options 
@@ -0,0 +1,52 @@ +options { + directory "/var/cache/bind"; + + // If there is a firewall between you and nameservers you want + // to talk to, you may need to fix the firewall to allow multiple + // ports to talk. See http://www.kb.cert.org/vuls/id/800113 + + // If your ISP provided one or more IP addresses for stable + // nameservers, you probably want to use them as forwarders. + // Uncomment the following block, and insert the addresses replacing + // the all-0's placeholder. + + // forwarders { + // 0.0.0.0; + // }; + + //======================================================================== + // If BIND logs error messages about the root key being expired, + // you will need to update your keys. See https://www.isc.org/bind-keys + //======================================================================== + dnssec-validation auto; + + auth-nxdomain no; # conform to RFC1035 + //listen-on-v6 { ::1; }; + listen-on { %%EXTERNAL_IP%%; }; +// allow-recursion { 127.0.0.1; }; +}; + + +logging { + channel warning + { + file "/var/log/named/dns.warnings.log"; + severity warning; + print-category yes; + print-severity yes; + print-time yes; + }; + + channel general_dns + { + file "/var/log/named/dns.log"; + severity info; + print-category yes; + print-severity yes; + print-time yes; + }; + + category default { warning; } ; + category queries { general_dns; } ; +}; + diff --git a/precise/host/src/etc/ssh/lxc_git_access_id_rsa b/precise/host/src/etc/ssh/lxc_git_access_id_rsa new file mode 120000 index 0000000..8479bb9 --- /dev/null +++ b/precise/host/src/etc/ssh/lxc_git_access_id_rsa @@ -0,0 +1 @@ +../../../../base-0k/src/etc/ssh/lxc_git_access_id_rsa \ No newline at end of file
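Review bot: `listen-on { %%EXTERNAL_IP%%; };` binds named to the host's public address while `// allow-recursion { 127.0.0.1; };` stays commented out, so the recursion policy of a resolver exposed on the uplink is whatever BIND's default happens to be rather than something this file states. Make it explicit, e.g. `allow-recursion { localhost; localnets; };` directly below `auth-nxdomain no;`, so that a disabled or misconfigured firewall cannot turn the host into an open resolver usable for amplification. `category queries { general_dns; };` records every client query to /var/log/named/dns.log; a comment should say this is intentional and that retention is governed by the logrotate stanza in the install hook, since query logs carry client addresses.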
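Review bot: `precise/host/src/etc/ssh/lxc_git_access_id_rsa` is a symlink to `../../../../base-0k/src/etc/ssh/lxc_git_access_id_rsa`, i.e. the SSH private key the install hook copies into /etc/ssh/ is tracked in the repository (under base-0k) and presumably shared by every host built from it; anyone with read access to the tree holds a credential for git.0k.io, and it cannot be rotated for one host without rotating all. Generate the key on the host at install time (`ssh-keygen -t rsa -N '' -f /etc/ssh/lxc_git_access_id_rsa`) and register its public half on the git server, or fetch it from a secrets store outside git; if a shared key must remain, restrict it server-side to read-only access with a forced command. At minimum, a comment next to the symlink should name which repository owns the key and the file mode it expects.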