Add fcct config for coreos user_data
Until now we had only the output of the Fedora CoreOS Configuration Transpiler. Add the yaml from which it can be transpiled to an ignition file. The current ignition file was generated with version v0.4.0: podman run --rm -v ./fcct-config.yaml:/config.fcc:z \ quay.io/coreos/fcct:v0.4.0 \ --pretty --strict --input /config.fcc > ./user_data.json story: 2005201 task: 39027 Change-Id: I5cb78aa625c926e101424c04573002d05ac82a59 Signed-off-by: Spyros Trigazis <spyridon.trigazis@cern.ch>
@ -0,0 +1,190 @@
|
|||
# Fedora CoreOS Configuration
|
||||
#
|
||||
# To generate user_data.json you need to use [0].
|
||||
# For detailed instructions, please refer to the upstream documentation [1].
|
||||
#
|
||||
# You can use podman or docker to generate the ignition formatted json:
|
||||
# podman run --rm \
|
||||
# -v ./fcct-config.yaml:/config.fcc:z \
|
||||
# quay.io/coreos/fcct:release \
|
||||
# --pretty --strict --input /config.fcc > ./user_data.json
|
||||
#
|
||||
# [0] https://github.com/coreos/fcct
|
||||
# [1] https://github.com/coreos/fedora-coreos-docs/blob/master/modules/ROOT/pages/producing-ign.adoc
|
||||
variant: fcos
|
||||
version: 1.0.0
|
||||
passwd:
|
||||
users:
|
||||
- name: core
|
||||
ssh_authorized_keys:
|
||||
- "__SSH_KEY_VALUE__"
|
||||
storage:
|
||||
directories:
|
||||
- path: /var/lib/cloud/data
|
||||
# 493 (decimal) == 755 (octal)
|
||||
mode: 493
|
||||
user:
|
||||
name: root
|
||||
group:
|
||||
name: root
|
||||
- path: /var/lib/heat-cfntools
|
||||
# 493 (decimal) == 755 (octal)
|
||||
mode: 493
|
||||
user:
|
||||
name: root
|
||||
group:
|
||||
name: root
|
||||
files:
|
||||
- path: /etc/hostname
|
||||
# 420 (decimal) == 644 (octal)
|
||||
mode: 420
|
||||
group:
|
||||
name: root
|
||||
user:
|
||||
name: root
|
||||
contents:
|
||||
inline: |
|
||||
__HOSTNAME__
|
||||
- path: /etc/pki/ca-trust/source/anchors/openstack-ca.pem
|
||||
# 420 (decimal) == 644 (octal)
|
||||
mode: 420
|
||||
user:
|
||||
name: root
|
||||
group:
|
||||
name: root
|
||||
contents:
|
||||
inline: |
|
||||
__OPENSTACK_CA__
|
||||
- path: /root/configure-agent-env.sh
|
||||
# 448 (decimal) == 700 (octal)
|
||||
mode: 448
|
||||
user:
|
||||
name: root
|
||||
group:
|
||||
name: root
|
||||
contents:
|
||||
inline: |
|
||||
#!/bin/bash
|
||||
|
||||
set -x
|
||||
set -e
|
||||
set +u
|
||||
|
||||
until [ -f /etc/pki/ca-trust/source/anchors/openstack-ca.pem ]
|
||||
do
|
||||
echo "waiting for /etc/pki/ca-trust/source/anchors/openstack-ca.pem"
|
||||
sleep 3s
|
||||
done
|
||||
|
||||
/usr/bin/update-ca-trust
|
||||
|
||||
HTTP_PROXY="__HTTP_PROXY__"
|
||||
HTTPS_PROXY="__HTTPS_PROXY__"
|
||||
NO_PROXY="__NO_PROXY__"
|
||||
|
||||
if [ -n "${HTTP_PROXY}" ]; then
|
||||
export HTTP_PROXY
|
||||
echo "http_proxy=${HTTP_PROXY}" >> /etc/environment
|
||||
fi
|
||||
|
||||
if [ -n "${HTTPS_PROXY}" ]; then
|
||||
export HTTPS_PROXY
|
||||
echo "https_proxy=${HTTPS_PROXY}" >> /etc/environment
|
||||
fi
|
||||
|
||||
if [ -n "${NO_PROXY}" ]; then
|
||||
export NO_PROXY
|
||||
echo "no_proxy=${NO_PROXY}" >> /etc/environment
|
||||
fi
|
||||
|
||||
# Create a keypair for the heat-container-agent to
|
||||
# access the node over ssh. It is useful to operate
|
||||
# in host mount namespace and apply configuration.
|
||||
id
|
||||
mkdir -p /srv/magnum/.ssh
|
||||
chmod 0700 /srv/magnum/.ssh
|
||||
#touch /srv/magnum/.ssh/heat_agent_rsa
|
||||
ssh-keygen -q -t rsa -N '' -f /tmp/heat_agent_rsa
|
||||
mv /tmp/heat_agent_rsa /srv/magnum/.ssh/heat_agent_rsa
|
||||
mv /tmp/heat_agent_rsa.pub /srv/magnum/.ssh/heat_agent_rsa.pub
|
||||
chmod 0400 /srv/magnum/.ssh/heat_agent_rsa
|
||||
chmod 0400 /srv/magnum/.ssh/heat_agent_rsa.pub
|
||||
# Add the public to the host authorized_keys file.
|
||||
mkdir -p /root/.ssh
|
||||
chmod 0700 /root/.ssh
|
||||
cat /srv/magnum/.ssh/heat_agent_rsa.pub > /root/.ssh/authorized_keys
|
||||
# Add localost to know_hosts
|
||||
ssh-keyscan 127.0.0.1 > /srv/magnum/.ssh/known_hosts
|
||||
# ssh configguration file, to be specified with ssh -F
|
||||
cat > /srv/magnum/.ssh/config <<EOF
|
||||
Host localhost
|
||||
HostName 127.0.0.1
|
||||
User root
|
||||
IdentityFile /srv/magnum/.ssh/heat_agent_rsa
|
||||
UserKnownHostsFile /srv/magnum/.ssh/known_hosts
|
||||
EOF
|
||||
|
||||
sed -i '/^PermitRootLogin/ s/ .*/ without-password/' /etc/ssh/sshd_config
|
||||
# Security enhancement: Disable password authentication
|
||||
sed -i '/^PasswordAuthentication yes/ s/ yes/ no/' /etc/ssh/sshd_config
|
||||
|
||||
systemctl restart sshd
|
||||
systemd:
|
||||
units:
|
||||
- name: configure-agent-env.service
|
||||
enabled: true
|
||||
contents: |
|
||||
[Unit]
|
||||
Description=Configure heat agent environment
|
||||
After=sshd.service
|
||||
|
||||
[Service]
|
||||
User=root
|
||||
Group=root
|
||||
Type=simple
|
||||
ExecStart=/bin/bash /root/configure-agent-env.sh
|
||||
Restart=on-failure
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
- name: heat-container-agent.service
|
||||
enabled: true
|
||||
contents: |
|
||||
[Unit]
|
||||
Description=Run heat-container-agent
|
||||
After=network-online.target configure-agent-env.service
|
||||
Wants=network-online.target
|
||||
|
||||
[Service]
|
||||
EnvironmentFile=-/etc/environment
|
||||
ExecStartPre=mkdir -p /var/lib/heat-container-agent
|
||||
ExecStartPre=mkdir -p /var/run/heat-config
|
||||
ExecStartPre=mkdir -p /var/run/os-collect-config
|
||||
ExecStartPre=mkdir -p /opt/stack/os-config-refresh
|
||||
ExecStartPre=-mv /var/lib/os-collect-config/local-data /var/lib/cloud/data/cfn-init-data
|
||||
ExecStartPre=mkdir -p /srv/magnum
|
||||
ExecStartPre=-/bin/podman kill heat-container-agent
|
||||
ExecStartPre=-/bin/podman rm heat-container-agent
|
||||
ExecStartPre=-/bin/podman pull __CONTAINER_INFRA_PREFIX__heat-container-agent:__HEAT_CONTAINER_AGENT_TAG__
|
||||
ExecStart=/bin/podman run \
|
||||
--name heat-container-agent \
|
||||
--privileged \
|
||||
--net=host \
|
||||
--volume /srv/magnum:/srv/magnum \
|
||||
--volume /opt/stack/os-config-refresh:/opt/stack/os-config-refresh \
|
||||
--volume /run/systemd:/run/systemd \
|
||||
--volume /etc/:/etc/ \
|
||||
--volume /var/lib:/var/lib \
|
||||
--volume /var/run:/var/run \
|
||||
--volume /var/log:/var/log \
|
||||
--volume /tmp:/tmp \
|
||||
--volume /dev:/dev \
|
||||
--env REQUESTS_CA_BUNDLE=/etc/pki/tls/certs/ca-bundle.crt \
|
||||
__CONTAINER_INFRA_PREFIX__heat-container-agent:__HEAT_CONTAINER_AGENT_TAG__ \
|
||||
/usr/bin/start-heat-container-agent
|
||||
TimeoutStartSec=10min
|
||||
|
||||
ExecStop=/bin/podman stop heat-container-agent
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
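Review bot: The `sed -i '/^PasswordAuthentication yes/ s/ yes/ no/' /etc/ssh/sshd_config` line in the embedded configure-agent-env.sh only rewrites an existing uncommented `PasswordAuthentication yes` line, so on a stock sshd_config where the directive is present only as a commented default (sshd's built-in default is yes) the "Security enhancement" comment above it describes a no-op; a follow-up such as `grep -q '^PasswordAuthentication' /etc/ssh/sshd_config || echo 'PasswordAuthentication no' >> /etc/ssh/sshd_config` makes the intent hold either way (with the caveat that an appended line lands inside any trailing `Match` block). The `PermitRootLogin` sed just above has the same match-only-if-present shape, though there sshd's default already prohibits password root login, so it is less urgent. Separately, the header comment says `quay.io/coreos/fcct:release` while the commit message says the shipped user_data.json was produced with v0.4.0; pinning the comment to `# quay.io/coreos/fcct:v0.4.0 \` keeps the generated artifact reproducible and avoids a floating image tag. Finally, the `inline: |` block holding `__OPENSTACK_CA__` is transpiled to a `data:,__OPENSTACK_CA__%0A` URL where fcct percent-encodes only the placeholder, so Heat's later str_replace would insert a multi-line PEM unencoded into both a JSON string and a data URL unless the caller percent-encodes `openstack_ca` first — I cannot confirm from this page that it does, so worth checking.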
|
@ -648,20 +648,20 @@ resources:
|
|||
- str_replace:
|
||||
template: {get_file: user_data.json}
|
||||
params:
|
||||
$HOSTNAME: {get_param: name}
|
||||
$SSH_KEY_VALUE: {get_param: ssh_public_key}
|
||||
$OPENSTACK_CA: {get_param: openstack_ca}
|
||||
$CONTAINER_INFRA_PREFIX:
|
||||
__HOSTNAME__: {get_param: name}
|
||||
__SSH_KEY_VALUE__: {get_param: ssh_public_key}
|
||||
__OPENSTACK_CA__: {get_param: openstack_ca}
|
||||
__CONTAINER_INFRA_PREFIX__:
|
||||
if:
|
||||
- equals:
|
||||
- get_param: container_infra_prefix
|
||||
- ""
|
||||
- "docker.io/openstackmagnum/"
|
||||
- get_param: container_infra_prefix
|
||||
$HEAT_CONTAINER_AGENT_TAG: {get_param: heat_container_agent_tag}
|
||||
$HTTP_PROXY: {get_param: http_proxy}
|
||||
$HTTPS_PROXY: {get_param: https_proxy}
|
||||
$NO_PROXY: {get_param: no_proxy}
|
||||
__HEAT_CONTAINER_AGENT_TAG__: {get_param: heat_container_agent_tag}
|
||||
__HTTP_PROXY__: {get_param: http_proxy}
|
||||
__HTTPS_PROXY__: {get_param: https_proxy}
|
||||
__NO_PROXY__: {get_param: no_proxy}
|
||||
|
||||
master_config:
|
||||
type: OS::Heat::SoftwareConfig
|
||||
@ -367,20 +367,20 @@ resources:
|
|||
- str_replace:
|
||||
template: {get_file: user_data.json}
|
||||
params:
|
||||
$HOSTNAME: {get_param: name}
|
||||
$SSH_KEY_VALUE: {get_param: ssh_public_key}
|
||||
$OPENSTACK_CA: {get_param: openstack_ca}
|
||||
$CONTAINER_INFRA_PREFIX:
|
||||
__HOSTNAME__: {get_param: name}
|
||||
__SSH_KEY_VALUE__: {get_param: ssh_public_key}
|
||||
__OPENSTACK_CA__: {get_param: openstack_ca}
|
||||
__CONTAINER_INFRA_PREFIX__:
|
||||
if:
|
||||
- equals:
|
||||
- get_param: container_infra_prefix
|
||||
- ""
|
||||
- "docker.io/openstackmagnum/"
|
||||
- get_param: container_infra_prefix
|
||||
$HEAT_CONTAINER_AGENT_TAG: {get_param: heat_container_agent_tag}
|
||||
$HTTP_PROXY: {get_param: http_proxy}
|
||||
$HTTPS_PROXY: {get_param: https_proxy}
|
||||
$NO_PROXY: {get_param: no_proxy}
|
||||
__HEAT_CONTAINER_AGENT_TAG__: {get_param: heat_container_agent_tag}
|
||||
__HTTP_PROXY__: {get_param: http_proxy}
|
||||
__HTTPS_PROXY__: {get_param: https_proxy}
|
||||
__NO_PROXY__: {get_param: no_proxy}
|
||||
|
||||
######################################################################
|
||||
#
|
||||
@ -17,68 +17,91 @@
|
|||
{
|
||||
"name": "core",
|
||||
"sshAuthorizedKeys": [
|
||||
"$SSH_KEY_VALUE"
|
||||
"__SSH_KEY_VALUE__"
|
||||
]
|
||||
}
|
||||
]
|
||||
},
|
||||
"storage": {
|
||||
"directories":[
|
||||
{
|
||||
"path": "/var/lib/cloud/data",
|
||||
"group": {"name": "root"},
|
||||
"user": {"name": "root"},
|
||||
"mode": 644
|
||||
},
|
||||
{
|
||||
"path": "/var/lib/heat-cfntools",
|
||||
"group": {"name": "root"},
|
||||
"user": {"name": "root"},
|
||||
"mode": 644
|
||||
}
|
||||
],
|
||||
"files": [
|
||||
{
|
||||
"filesystem": "root",
|
||||
"path": "/etc/hostname",
|
||||
"mode": 420,
|
||||
"contents": { "source": "data:,$HOSTNAME" }
|
||||
},
|
||||
{
|
||||
"filesystem": "root",
|
||||
"group": {"name": "root"},
|
||||
"path": "/etc/pki/ca-trust/source/anchors/openstack-ca.pem",
|
||||
"user": {"name": "root"},
|
||||
"contents": {
|
||||
"source": "data:,$OPENSTACK_CA",
|
||||
"verification": {}
|
||||
},
|
||||
"mode": 644
|
||||
},
|
||||
{
|
||||
"user": {"name": "root"},
|
||||
"group": {"name": "root"},
|
||||
"mode": 700,
|
||||
"path": "/root/configure-agent-env.sh",
|
||||
"contents": {
|
||||
"source": "data:,%23%21%2Fbin%2Fbash%0A%0Aset%20-x%0Aset%20-e%0Aset%20%2Bu%0A%0Auntil%20%5B%20-f%20%2Fetc%2Fpki%2Fca-trust%2Fsource%2Fanchors%2Fopenstack-ca.pem%20%5D%0Ado%0A%20%20%20%20echo%20%22waiting%20for%20%2Fetc%2Fpki%2Fca-trust%2Fsource%2Fanchors%2Fopenstack-ca.pem%22%0A%20%20%20%20sleep%203s%0Adone%0A%2Fusr%2Fbin%2Fupdate-ca-trust%0A%0AHTTP_PROXY%3D%22$HTTP_PROXY%22%0AHTTPS_PROXY%3D%22$HTTPS_PROXY%22%0ANO_PROXY%3D%22$NO_PROXY%22%0ACONTAINER_INFRA_PREFIX%3D%22$CONTAINER_INFRA_PREFIX%22%0AHEAT_CONTAINER_AGENT_TAG%3D%22$HEAT_CONTAINER_AGENT_TAG%22%0A%0A%0Aif%20%5B%20-n%20%22%24%7BHTTP_PROXY%7D%22%20%5D%3B%20then%0A%20%20%20%20export%20HTTP_PROXY%0A%20%20%20%20echo%20%22http_proxy%3D%24%7BHTTP_PROXY%7D%22%20%3E%3E%20%2Fetc%2Fenvironment%0Afi%0A%0Aif%20%5B%20-n%20%22%24%7BHTTPS_PROXY%7D%22%20%5D%3B%20then%0A%20%20%20%20export%20HTTPS_PROXY%0A%20%20%20%20echo%20%22https_proxy%3D%24%7BHTTPS_PROXY%7D%22%20%3E%3E%20%2Fetc%2Fenvironment%0Afi%0A%0Aif%20%5B%20-n%20%22%24%7BNO_PROXY%7D%22%20%5D%3B%20then%0A%20%20%20%20export%20NO_PROXY%0A%20%20%20%20echo%20%22no_proxy%3D%24%7BNO_PROXY%7D%22%20%3E%3E%20%2Fetc%2Fenvironment%0Afi%0A%0A%23%20Create%20a%20keypair%20for%20the%20heat-container-agent%20to%0A%23%20access%20the%20node%20over%20ssh.%20It%20is%20useful%20to%20operate%0A%23%20in%20host%20mount%20namespace%20and%20apply%20configuration.%0Aid%0Amkdir%20-p%20%2Fsrv%2Fmagnum%2F.ssh%0Achmod%200700%20%2Fsrv%2Fmagnum%2F.ssh%0A%23touch%20%2Fsrv%2Fmagnum%2F.ssh%2Fheat_agent_rsa%0Assh-keygen%20-q%20-t%20rsa%20-N%20%27%27%20-f%20%2Ftmp%2Fheat_agent_rsa%0Amv%20%2Ftmp%2Fheat_agent_rsa%20%2Fsrv%2Fmagnum%2F.ssh%2Fheat_agent_rsa%0Amv%20%2Ftmp%2Fheat_agent_rsa.pub%20%2Fsrv%2Fmagnum%2F.ssh%2Fheat_agent_rsa.pub%0Achmod%200400%20%2Fsrv%2Fmagnum%2F.ssh%2Fheat_agent_rsa%0Achmod%200400%20%2Fsrv%2Fmagnum%2F.ssh%2Fheat_agent_rsa.pub%0A%23%20Add%20the%20public%20to%20the%20host%20authorized_keys%20file.%0Amkdir%20-p%20%2Froot%2F.ssh%0Achmod%200700%20%2Froot%2F.ssh%0Acat%20%2Fsrv%2Fmagnum%2F.
ssh%2Fheat_agent_rsa.pub%20%3E%20%2Froot%2F.ssh%2Fauthorized_keys%0A%23%20Add%20localost%20to%20know_hosts%0Assh-keyscan%20127.0.0.1%20%3E%20%2Fsrv%2Fmagnum%2F.ssh%2Fknown_hosts%0A%23%20ssh%20configguration%20file%2C%20to%20be%20specified%20with%20ssh%20-F%0Acat%20%3E%20%2Fsrv%2Fmagnum%2F.ssh%2Fconfig%20%3C%3CEOF%0AHost%20localhost%0A%20%20%20%20%20HostName%20127.0.0.1%0A%20%20%20%20%20User%20root%0A%20%20%20%20%20IdentityFile%20%2Fsrv%2Fmagnum%2F.ssh%2Fheat_agent_rsa%0A%20%20%20%20%20UserKnownHostsFile%20%2Fsrv%2Fmagnum%2F.ssh%2Fknown_hosts%0AEOF%0A%0Ased%20-i%20%27%2F%5EPermitRootLogin%2F%20s%2F%20.%2A%2F%20without-password%2F%27%20%2Fetc%2Fssh%2Fsshd_config%0A%23%20Security%20enhancement%3A%20Disable%20password%20authentication%0Ased%20-i%20%27%2F%5EPasswordAuthentication%20yes%2F%20s%2F%20yes%2F%20no%2F%27%20%2Fetc%2Fssh%2Fsshd_config%0A%0Asystemctl%20restart%20sshd",
|
||||
"verification": {}
|
||||
}
|
||||
}
|
||||
]
|
||||
},
|
||||
"systemd": {
|
||||
"units": [
|
||||
"directories": [
|
||||
{
|
||||
"name": "configure-agent-env.service",
|
||||
"enabled": true,
|
||||
"contents": "[Unit]\nDescription=Configure heat agent environment\nAfter=sshd.service\n\n[Service]\nUser=root\nGroup=root\nType=simple\nExecStart=/bin/bash /root/configure-agent-env.sh\nRestart=on-failure\n\n[Install]\nWantedBy=multi-user.target"
|
||||
"group": {
|
||||
"name": "root"
|
||||
},
|
||||
"path": "/var/lib/cloud/data",
|
||||
"user": {
|
||||
"name": "root"
|
||||
},
|
||||
"mode": 493
|
||||
},
|
||||
{
|
||||
"name": "heat-container-agent.service",
|
||||
"enabled": true,
|
||||
"contents": "[Unit]\nDescription=Run heat-container-agent\nAfter=network-online.target configure-agent-env.service\nWants=network-online.target\n\n[Service]\nEnvironmentFile=-/etc/environment\nExecStartPre=mkdir -p /var/lib/heat-container-agent\nExecStartPre=mkdir -p /var/run/heat-config\nExecStartPre=mkdir -p /var/run/os-collect-config\nExecStartPre=mkdir -p /opt/stack/os-config-refresh\nExecStartPre=-mv /var/lib/os-collect-config/local-data /var/lib/cloud/data/cfn-init-data\nExecStartPre=mkdir -p /srv/magnum\nExecStartPre=-/bin/podman kill heat-container-agent\nExecStartPre=-/bin/podman rm heat-container-agent\nExecStartPre=-/bin/podman pull $CONTAINER_INFRA_PREFIXheat-container-agent:$HEAT_CONTAINER_AGENT_TAG\nExecStart=/bin/podman run \\\n --name heat-container-agent \\\n --privileged \\\n --volume /srv/magnum:/srv/magnum \\\n --volume /opt/stack/os-config-refresh:/opt/stack/os-config-refresh \\\n --volume /run/systemd:/run/systemd \\\n --volume /etc/:/etc/ \\\n --volume /var/lib:/var/lib \\\n --volume /var/run:/var/run \\\n --volume /var/log:/var/log \\\n --volume /tmp:/tmp \\\n --volume /dev:/dev \\\n --env REQUESTS_CA_BUNDLE=/etc/pki/tls/certs/ca-bundle.crt --net=host \\\n $CONTAINER_INFRA_PREFIXheat-container-agent:$HEAT_CONTAINER_AGENT_TAG \\\n /usr/bin/start-heat-container-agent\nTimeoutStartSec=10min\n\nExecStop=/bin/podman stop heat-container-agent\n\n[Install]\nWantedBy=multi-user.target\n"
|
||||
"group": {
|
||||
"name": "root"
|
||||
},
|
||||
"path": "/var/lib/heat-cfntools",
|
||||
"user": {
|
||||
"name": "root"
|
||||
},
|
||||
"mode": 493
|
||||
}
|
||||
]
|
||||
],
|
||||
"files": [
|
||||
{
|
||||
"group": {
|
||||
"name": "root"
|
||||
},
|
||||
"path": "/etc/hostname",
|
||||
"user": {
|
||||
"name": "root"
|
||||
},
|
||||
"contents": {
|
||||
"source": "data:,__HOSTNAME__%0A",
|
||||
"verification": {}
|
||||
},
|
||||
"mode": 420
|
||||
},
|
||||
{
|
||||
"group": {
|
||||
"name": "root"
|
||||
},
|
||||
"path": "/etc/pki/ca-trust/source/anchors/openstack-ca.pem",
|
||||
"user": {
|
||||
"name": "root"
|
||||
},
|
||||
"contents": {
|
||||
"source": "data:,__OPENSTACK_CA__%0A",
|
||||
"verification": {}
|
||||
},
|
||||
"mode": 420
|
||||
},
|
||||
{
|
||||
"group": {
|
||||
"name": "root"
|
||||
},
|
||||
"path": "/root/configure-agent-env.sh",
|
||||
"user": {
|
||||
"name": "root"
|
||||
},
|
||||
"contents": {
|
||||
"source": "data:,%23!%2Fbin%2Fbash%0A%0Aset%20-x%0Aset%20-e%0Aset%20%2Bu%0A%0Auntil%20%5B%20-f%20%2Fetc%2Fpki%2Fca-trust%2Fsource%2Fanchors%2Fopenstack-ca.pem%20%5D%0Ado%0A%20%20%20%20echo%20%22waiting%20for%20%2Fetc%2Fpki%2Fca-trust%2Fsource%2Fanchors%2Fopenstack-ca.pem%22%0A%20%20%20%20sleep%203s%0Adone%0A%0A%2Fusr%2Fbin%2Fupdate-ca-trust%0A%0AHTTP_PROXY%3D%22__HTTP_PROXY__%22%0AHTTPS_PROXY%3D%22__HTTPS_PROXY__%22%0ANO_PROXY%3D%22__NO_PROXY__%22%0A%0Aif%20%5B%20-n%20%22%24%7BHTTP_PROXY%7D%22%20%5D%3B%20then%0A%20%20%20%20export%20HTTP_PROXY%0A%20%20%20%20echo%20%22http_proxy%3D%24%7BHTTP_PROXY%7D%22%20%3E%3E%20%2Fetc%2Fenvironment%0Afi%0A%0Aif%20%5B%20-n%20%22%24%7BHTTPS_PROXY%7D%22%20%5D%3B%20then%0A%20%20%20%20export%20HTTPS_PROXY%0A%20%20%20%20echo%20%22https_proxy%3D%24%7BHTTPS_PROXY%7D%22%20%3E%3E%20%2Fetc%2Fenvironment%0Afi%0A%0Aif%20%5B%20-n%20%22%24%7BNO_PROXY%7D%22%20%5D%3B%20then%0A%20%20%20%20export%20NO_PROXY%0A%20%20%20%20echo%20%22no_proxy%3D%24%7BNO_PROXY%7D%22%20%3E%3E%20%2Fetc%2Fenvironment%0Afi%0A%0A%23%20Create%20a%20keypair%20for%20the%20heat-container-agent%20to%0A%23%20access%20the%20node%20over%20ssh.%20It%20is%20useful%20to%20operate%0A%23%20in%20host%20mount%20namespace%20and%20apply%20configuration.%0Aid%0Amkdir%20-p%20%2Fsrv%2Fmagnum%2F.ssh%0Achmod%200700%20%2Fsrv%2Fmagnum%2F.ssh%0A%23touch%20%2Fsrv%2Fmagnum%2F.ssh%2Fheat_agent_rsa%0Assh-keygen%20-q%20-t%20rsa%20-N%20''%20-f%20%2Ftmp%2Fheat_agent_rsa%0Amv%20%2Ftmp%2Fheat_agent_rsa%20%2Fsrv%2Fmagnum%2F.ssh%2Fheat_agent_rsa%0Amv%20%2Ftmp%2Fheat_agent_rsa.pub%20%2Fsrv%2Fmagnum%2F.ssh%2Fheat_agent_rsa.pub%0Achmod%200400%20%2Fsrv%2Fmagnum%2F.ssh%2Fheat_agent_rsa%0Achmod%200400%20%2Fsrv%2Fmagnum%2F.ssh%2Fheat_agent_rsa.pub%0A%23%20Add%20the%20public%20to%20the%20host%20authorized_keys%20file.%0Amkdir%20-p%20%2Froot%2F.ssh%0Achmod%200700%20%2Froot%2F.ssh%0Acat%20%2Fsrv%2Fmagnum%2F.ssh%2Fheat_agent_rsa.pub%20%3E%20%2Froot%2F.ssh%2Fauthorized_keys%0A%23%20Add%20localost%20to%20know_hosts%0Assh-ke
yscan%20127.0.0.1%20%3E%20%2Fsrv%2Fmagnum%2F.ssh%2Fknown_hosts%0A%23%20ssh%20configguration%20file%2C%20to%20be%20specified%20with%20ssh%20-F%0Acat%20%3E%20%2Fsrv%2Fmagnum%2F.ssh%2Fconfig%20%3C%3CEOF%0AHost%20localhost%0A%20%20%20%20%20HostName%20127.0.0.1%0A%20%20%20%20%20User%20root%0A%20%20%20%20%20IdentityFile%20%2Fsrv%2Fmagnum%2F.ssh%2Fheat_agent_rsa%0A%20%20%20%20%20UserKnownHostsFile%20%2Fsrv%2Fmagnum%2F.ssh%2Fknown_hosts%0AEOF%0A%0Ased%20-i%20'%2F%5EPermitRootLogin%2F%20s%2F%20.*%2F%20without-password%2F'%20%2Fetc%2Fssh%2Fsshd_config%0A%23%20Security%20enhancement%3A%20Disable%20password%20authentication%0Ased%20-i%20'%2F%5EPasswordAuthentication%20yes%2F%20s%2F%20yes%2F%20no%2F'%20%2Fetc%2Fssh%2Fsshd_config%0A%0Asystemctl%20restart%20sshd%0A",
|
||||
"verification": {}
|
||||
},
|
||||
"mode": 448
|
||||
}
|
||||
]
|
||||
},
|
||||
"systemd": {
|
||||
"units": [
|
||||
{
|
||||
"contents": "[Unit]\nDescription=Configure heat agent environment\nAfter=sshd.service\n\n[Service]\nUser=root\nGroup=root\nType=simple\nExecStart=/bin/bash /root/configure-agent-env.sh\nRestart=on-failure\n\n[Install]\nWantedBy=multi-user.target\n",
|
||||
"enabled": true,
|
||||
"name": "configure-agent-env.service"
|
||||
},
|
||||
{
|
||||
"contents": "[Unit]\nDescription=Run heat-container-agent\nAfter=network-online.target configure-agent-env.service\nWants=network-online.target\n\n[Service]\nEnvironmentFile=-/etc/environment\nExecStartPre=mkdir -p /var/lib/heat-container-agent\nExecStartPre=mkdir -p /var/run/heat-config\nExecStartPre=mkdir -p /var/run/os-collect-config\nExecStartPre=mkdir -p /opt/stack/os-config-refresh\nExecStartPre=-mv /var/lib/os-collect-config/local-data /var/lib/cloud/data/cfn-init-data\nExecStartPre=mkdir -p /srv/magnum\nExecStartPre=-/bin/podman kill heat-container-agent\nExecStartPre=-/bin/podman rm heat-container-agent\nExecStartPre=-/bin/podman pull __CONTAINER_INFRA_PREFIX__heat-container-agent:__HEAT_CONTAINER_AGENT_TAG__\nExecStart=/bin/podman run \\\n --name heat-container-agent \\\n --privileged \\\n --net=host \\\n --volume /srv/magnum:/srv/magnum \\\n --volume /opt/stack/os-config-refresh:/opt/stack/os-config-refresh \\\n --volume /run/systemd:/run/systemd \\\n --volume /etc/:/etc/ \\\n --volume /var/lib:/var/lib \\\n --volume /var/run:/var/run \\\n --volume /var/log:/var/log \\\n --volume /tmp:/tmp \\\n --volume /dev:/dev \\\n --env REQUESTS_CA_BUNDLE=/etc/pki/tls/certs/ca-bundle.crt \\\n __CONTAINER_INFRA_PREFIX__heat-container-agent:__HEAT_CONTAINER_AGENT_TAG__ \\\n /usr/bin/start-heat-container-agent\nTimeoutStartSec=10min\n\nExecStop=/bin/podman stop heat-container-agent\n\n[Install]\nWantedBy=multi-user.target\n",
|
||||
"enabled": true,
|
||||
"name": "heat-container-agent.service"
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
}