0k
/
0k-charms
6
3
Fork 2
Code Issues 11 Pull Requests 6 Releases Wiki Activity
Browse Source

chg: updated further the script for host installation. @wip 

This is still in development.
postgres
Valentin Lab 11 years ago
parent
cf356f947b
commit
70d303ccf5
4 changed files with 280 additions and 68 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 256
      precise/host/hooks/install
  2. 39
      precise/host/src/bind9.patch
  3. 52
      precise/host/src/etc/bind/named.conf.options
  4. 1
      precise/host/src/etc/ssh/lxc_git_access_id_rsa

256
precise/host/hooks/install
View File

@ -12,6 +12,16 @@ GIT_0K_BASE=${GIT_0K_BASE:-"git.0k.io:/var/git"}
GIT_0K_CLONE_OPTIONS=${GIT_0K_CLONE_OPTIONS:-""} GIT_0K_CLONE_OPTIONS=${GIT_0K_CLONE_OPTIONS:-""}
#BTRFS_DEVICE=
BTRFS_MOUNT_ROOT=${BTRFS_MOUNT_ROOT:-"/mnt/btrfs-root"}
if [ -z "$BTRFS_DEVICE" ]; then
echo "You must set a BTRFS_DEVICE environement variable prior to executing this hook."
exit 1
fi
MAIL_NAME=${MAIL_NAME:-localhost}
MAIL_DOMAINNAME=${MAIL_DOMAINNAME:-"localdomain"}
MAIL_SATTELITE_RELAYHOST=${MAIL_SATTELITE_RELAYHOST:-}
## ##
@ -56,7 +66,10 @@ cat <<EOF >> /etc/apt/sources.list
deb http://deb.kalysto.org no-dist kal-alpha kal-beta kal-main deb http://deb.kalysto.org no-dist kal-alpha kal-beta kal-main
EOF EOF
apt-get update
apt-get install -y --force-yes kal-scripts python-pip &&
pip install shyaml
## ##
## More shell configurations (prompt, functions) ## More shell configurations (prompt, functions)
@ -106,36 +119,39 @@ prompt 1
EOF EOF
apt-get install -y kal-scripts python-pip
pip install shyaml
## ##
## btrfs install ## btrfs install
## ##
apt-get install btrfs-tools
apt-get install -y btrfs-tools
echo "the following is dangerous code. Please execute yourself for now."
exit 1
## Format the device and add entry in fstab
mkfs.btrfs "$BTRFS_DEVICE"
root=/mnt/btrfs-root
UUID="$(blkid -s UUID $BTRFS_DEVICE -o value)"
echo "UUID=$UUID $BTRFS_MOUNT_ROOT btrfs defaults,relatime,compress=lzo,auto 0 0" >> /etc/fstab
#mkdir /mnt/btrfs-root -p
#mount /mnt/btrfs-root
## Mount point and mount device
mkdir "$BTRFS_MOUNT_ROOT" -p
mount "$BTRFS_MOUNT_ROOT"
btrfs subvolume create $root/var
mkdir $root/var/{lib,cache,backups} -p
for d in $root/var/{lib,cache,backups}; do
## Build subvolume structure
btrfs subvolume create $BTRFS_MOUNT_ROOT/var
mkdir $BTRFS_MOUNT_ROOT/var/{lib,cache,backups} -p
for d in $BTRFS_MOUNT_ROOT/var/{lib,cache,backups}; do
btrfs subvolume create $d/lxc btrfs subvolume create $d/lxc
done done
for d in $root/srv/{,lxc-datastore{,/config,/data}}; do
for d in $BTRFS_MOUNT_ROOT/srv/{,lxc-datastore{,/config,/data}}; do
btrfs subvolume create $d btrfs subvolume create $d
done done
mkdir srv/lxc
## Add binds to /etc/fstab
cat <<EOF >> /etc/fstab cat <<EOF >> /etc/fstab
@ -151,18 +167,39 @@ EOF
mkdir -p /var/backups/lxc /srv/lxc-datastore mkdir -p /var/backups/lxc /srv/lxc-datastore
##
##
## lxc tools ## lxc tools
## ##
apt-get install lxc apt-get install lxc
## mount all
mount -a all
mkdir -p /opt/apps mkdir -p /opt/apps
## ##
## Install 0k-manage for the handy oe command
## ssh config
##
cp src/etc/ssh/lxc_git_access_id_rsa /etc/ssh/lxc_git_access_id_rsa
chmod 0600 /etc/ssh/lxc_git_access_id_rsa
cat <<EOF >> ~/.ssh/config
Host git.0k.io
User lxc-user
IdentityFile /etc/ssh/lxc_git_access_id_rsa
UserKnownHostsFile /dev/null
StrictHostKeyChecking no
Port 10022
EOF
##
## Install 0k-manage
## ##
( (
@ -170,7 +207,7 @@ mkdir -p /opt/apps
cd /opt/apps && cd /opt/apps &&
git clone $GIT_0K_CLONE_OPTIONS "$GIT_0K_BASE/0k/0k-manage.git" && git clone $GIT_0K_CLONE_OPTIONS "$GIT_0K_BASE/0k/0k-manage.git" &&
cd /opt/apps/0k-manage && cd /opt/apps/0k-manage &&
git checkout 0k/dev/master
git checkout 0k/prod/master
fi fi
) )
@ -182,9 +219,16 @@ mkdir -p /opt/apps
if ! [ -d "/opt/apps/0k-charms" ]; then if ! [ -d "/opt/apps/0k-charms" ]; then
cd /opt/apps && cd /opt/apps &&
git clone $GIT_0K_CLONE_OPTIONS "$GIT_0K_BASE/0k/0k-charms.git" && git clone $GIT_0K_CLONE_OPTIONS "$GIT_0K_BASE/0k/0k-charms.git" &&
cd /opt/apps/0k-manage &&
git checkout 0k/dev/master
cd /opt/apps/0k-charms &&
git checkout master
fi fi
if ! [ -d "/srv/charm-store" ]; then
mkdir -p /srv &&
ln -sf /opt/apps/0k-charms/precise /srv/charm-store
fi
) )
@ -198,7 +242,7 @@ mkdir -p /opt/apps
git clone $GIT_0K_CLONE_OPTIONS "$GIT_0K_BASE/0k/lxc-scripts.git" && git clone $GIT_0K_CLONE_OPTIONS "$GIT_0K_BASE/0k/lxc-scripts.git" &&
cd /opt/apps/0k-manage && cd /opt/apps/0k-manage &&
git checkout master && git checkout master &&
ln -sf /opt/apps/lxc-scripts/bin/lxc-* /usr/local/sbin/ &&
ln -sf /opt/apps/lxc-scripts/bin/lxc-* /usr/local/sbin/ &&
ln -sf /opt/apps/lxc-scripts/usr/lib/lxc/templates/lxc-0k-ubuntu-cloud /usr/lib/lxc/templates/ ln -sf /opt/apps/lxc-scripts/usr/lib/lxc/templates/lxc-0k-ubuntu-cloud /usr/lib/lxc/templates/
fi fi
) )
@ -207,18 +251,24 @@ mkdir -p /opt/apps
## Patch some files ## Patch some files
## ##
(
cd /etc &&
cat /opt/apps/lxc-scripts/precise-12.04.patch | patch -p1
stop lxc-net
(
cp src/etc/default/lxc /etc/default/lxc &&
cp src/etc/init/lxc{,-net}.conf /etc/init
) )
start lxc-net
## ##
## Install dns waterfall ## Install dns waterfall
## ##
apt-get install -y bind9 dnsmasq apt-get install -y bind9 dnsmasq
echo "Change /etc/default/lxc accordingly (use 172.48.#NB) as prefix"
echo "and add HOST_EXTERNAL_DEVICE="
exit 1
# edit /etc/dnsmaq.conf # edit /etc/dnsmaq.conf
echo " echo "
@ -230,13 +280,161 @@ log-facility=/var/log/dnsmasq.log
" >> /etc/dnsmasq.conf " >> /etc/dnsmasq.conf
( (
cd /etc &&
cat src/bind9.patch | patch -p1 &&
sed -ri s/%%EXTERNAL_IP%%/$(. /etc/default/lxc && ifip "$HOST_EXTERNAL_DEVICE")
cp "src/etc/bind/named.conf.options" "/etc/bind/named.conf.options" &&
sed -ri "s/%%EXTERNAL_IP%%/$(. /etc/default/lxc && ifip "$HOST_EXTERNAL_DEVICE")/g" "/etc/bind/named.conf.options"
) )
## XXXvlab: Maybe we could change this in the service start/stop of the named daemon
mkdir /var/log/named -p && mkdir /var/log/named -p &&
chown bind:bind /var/log/named chown bind:bind /var/log/named
/etc/init.d/bind9 restart
/etc/init.d/dnsmasq restart
##
## Logrotate for dnsmasq and named
##
cat <<EOF > /etc/logrotate.d/dnsmasq
/var/log/dnsmasq.log {
missingok
copytruncate
notifempty
compress
postrotate
kill -s SIGUSR2 "\$(cat /var/run/dnsmasq/dnsmasq.pid)"
endscript
}
EOF
cat <<EOF > /etc/logrotate.d/lxc-dnsmasq
/var/log/lxc-dnsmasq.log {
missingok
copytruncate
notifempty
compress
postrotate
kill -s SIGUSR2 "\$(cat /var/run/lxc/dnsmasq.pid)"
endscript
}
EOF
cat <<EOF > /etc/logrotate.d/named
/var/log/named/*.log {
missingok
copytruncate
notifempty
compress
}
EOF
##
## shorewall
##
apt-get install -y shorewall
cat <<EOF > /etc/shorewall/zones
fw firewall
net ipv4
lan ipv4
EOF
cat <<EOF > /etc/shorewall/interfaces
#ZONE INTERFACE BROADCAST OPTIONS
net eth0
## Uncomment to enable vpn setup
#vpn tun0 detect
lan lxcbr0 - routeback
EOF
cat <<EOF > /etc/shorewall/policy
#SOURCE DEST RULE LOG
fw all ACCEPT
lan all ACCEPT
net all DROP info
all all DROP info
EOF
cat <<EOF > /etc/shorewall/rules
SSH/ACCEPT net fw
Ping/ACCEPT net fw
BEGIN SHELL
host_ip="\$(/sbin/ifconfig eth0 2> /dev/null | sed "s/^.*inet ad\+r://g" | grep ^[0-9] | sed "s/ .*$//g")"
for name in \$(lxc-ls-running); do
ip=\$(dig +short A "\$name")
[ -e "/var/lib/lxc/\$name/shorewall" ] &&
cat /var/lib/lxc/\$name/shorewall | sed -r "s/%%HOST_INTERNET_IP%%/\$host_ip/g" \
| sed -r "s/%%IP%%/\$ip/g"
done
true
END SHELL
EOF
cat <<EOF > /etc/shorewall/masq
eth0 lxcbr0
EOF
##
## Mail facilities
##
(
debconf-set-selections <<< "postfix postfix/mailname string ${MAIL_NAME}.${MAIL_DOMAINNAME}" &&
debconf-set-selections <<< "postfix postfix/main_mailer_type select 'Local only'" &&
apt-get install -y postfix mailutils &&
postconf inet_interfaces=loopback-only &&
[ -z "$MAIL_SATTELITE_RELAYHOST" ] && postconf relayhost="$MAIL_SATTELITE_RELAYHOST"
postfix reload
)
##
## Warnings
##
ln -sf /opt/apps/0k-manage/src/etc/cron.hourly/* /etc/cron.hourly/
ln -sf /opt/apps/lxc-scripts/etc/cron.hourly/* /etc/cron.hourly/
##
## Backup lxc
##
(
if ! [ -d "/opt/apps/0k-manage" ]; then
cd /opt/apps &&
git clone $GIT_0K_CLONE_OPTIONS "$GIT_0K_BASE/0k/0k-manage.git" &&
cd /opt/apps/0k-manage &&
git checkout 0k/prod/master
fi
## these are required by /etc/cron.hourly/lxc-backup
pip install sact.epoch &&
(cd /usr/local/lib/python2.7/dist-packages/;
mv zope zope-bad) &&
pip install zope.interface --upgrade &&
pip install zope.component --upgrade &&
ln -sf /opt/apps/0k-manage/src/bin/* /usr/local/bin/
)

39
precise/host/src/bind9.patch
View File

@ -1,39 +0,0 @@
diff --git a/bind/named.conf.options b/bind/named.conf.options
index 5b1981d..c1fd78c 100644
--- a/bind/named.conf.options
+++ b/bind/named.conf.options
@@ -21,8 +21,32 @@ options {
dnssec-validation auto;
auth-nxdomain no; # conform to RFC1035
- listen-on-v6 { ::1; };
- listen-on { 127.0.0.1; };
+ //listen-on-v6 { ::1; };
+ listen-on { 178.33.122.174; };
// allow-recursion { 127.0.0.1; };
};
+
+logging {
+ channel warning
+ {
+ file "/var/log/named/dns.warnings.log";
+ severity warning;
+ print-category yes;
+ print-severity yes;
+ print-time yes;
+ };
+
+ channel general_dns
+ {
+ file "/var/log/named/dns.log";
+ severity info;
+ print-category yes;
+ print-severity yes;
+ print-time yes;
+ };
+
+ category default { warning; } ;
+ category queries { general_dns; } ;
+};
+

52
precise/host/src/etc/bind/named.conf.options
View File

@ -0,0 +1,52 @@
options {
directory "/var/cache/bind";
// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
// forwarders {
// 0.0.0.0;
// };
//========================================================================
// If BIND logs error messages about the root key being expired,
// you will need to update your keys. See https://www.isc.org/bind-keys
//========================================================================
dnssec-validation auto;
auth-nxdomain no; # conform to RFC1035
//listen-on-v6 { ::1; };
listen-on { %%EXTERNAL_IP%%; };
// allow-recursion { 127.0.0.1; };
};
logging {
channel warning
{
file "/var/log/named/dns.warnings.log";
severity warning;
print-category yes;
print-severity yes;
print-time yes;
};
channel general_dns
{
file "/var/log/named/dns.log";
severity info;
print-category yes;
print-severity yes;
print-time yes;
};
category default { warning; } ;
category queries { general_dns; } ;
};

1
precise/host/src/etc/ssh/lxc_git_access_id_rsa
View File

@ -0,0 +1 @@
../../../../base-0k/src/etc/ssh/lxc_git_access_id_rsa
Write Preview
Loading…
Cancel
Save