From 78435e4ff82470a37044ce45908692d78d140b63 Mon Sep 17 00:00:00 2001
From: Spyros Trigazis <spyridon.trigazis@cern.ch>
Date: Tue, 10 Mar 2020 19:55:28 +0100
Subject: [PATCH] Add fcct config for coreos user_data

Until now we had only the output of the Fedora
CoreOS Configuration Transpiler. Add a yaml
that can transpile it to an ignition file.

The current ignition file was generate with
version v0.4.0:
podman run --rm -v ./fcct-config.yaml:/config.fcc:z \
quay.io/coreos/fcct:v0.4.0 \
--pretty --strict --input /config.fcc > ./user_data.json

story: 2005201
task: 39027

Change-Id: I5cb78aa625c926e101424c04573002d05ac82a59
Signed-off-by: Spyros Trigazis <spyridon.trigazis@cern.ch>
---
 .../templates/fcct-config.yaml                | 190 ++++++++++++++++++
 .../templates/kubemaster.yaml                 |  16 +-
 .../templates/kubeminion.yaml                 |  16 +-
 .../templates/user_data.json                  | 133 +++++++-----
 4 files changed, 284 insertions(+), 71 deletions(-)
 create mode 100644 magnum/drivers/k8s_fedora_coreos_v1/templates/fcct-config.yaml

diff --git a/magnum/drivers/k8s_fedora_coreos_v1/templates/fcct-config.yaml b/magnum/drivers/k8s_fedora_coreos_v1/templates/fcct-config.yaml
new file mode 100644
index 0000000000..cfe145880f
--- /dev/null
+++ b/magnum/drivers/k8s_fedora_coreos_v1/templates/fcct-config.yaml
@@ -0,0 +1,190 @@
+# Fedora CoreOS Configuration
+#
+# To generate user_data.json you need to use [0].
+# For detailed instructions, please refer to the upstream documentation [1].
+#
+# You can use podman or docker to generate the ignition formatted json:
+# podman run --rm \
+# -v ./fcct-config.yaml:/config.fcc:z \
+# quay.io/coreos/fcct:release \
+# --pretty --strict --input /config.fcc > ./user_data.json
+#
+# [0] https://github.com/coreos/fcct
+# [1] https://github.com/coreos/fedora-coreos-docs/blob/master/modules/ROOT/pages/producing-ign.adoc
+variant: fcos
+version: 1.0.0
+passwd:
+  users:
+    - name: core
+      ssh_authorized_keys:
+        - "__SSH_KEY_VALUE__"
+storage:
+  directories:
+    - path: /var/lib/cloud/data
+      # 493 (decimal) == 755 (octal)
+      mode: 493
+      user:
+        name: root
+      group:
+        name: root
+    - path: /var/lib/heat-cfntools
+      # 493 (decimal) == 755 (octal)
+      mode: 493
+      user:
+        name: root
+      group:
+        name: root
+  files:
+    - path: /etc/hostname
+      # 420 (decimal) == 644 (octal)
+      mode: 420
+      group:
+        name: root
+      user:
+        name: root
+      contents:
+        inline: |
+          __HOSTNAME__
+    - path: /etc/pki/ca-trust/source/anchors/openstack-ca.pem
+      # 420 (decimal) == 644 (octal)
+      mode: 420
+      user:
+        name: root
+      group:
+        name: root
+      contents:
+        inline: |
+          __OPENSTACK_CA__
+    - path: /root/configure-agent-env.sh
+      # 448 (decimal) == 700 (octal)
+      mode: 448
+      user:
+        name: root
+      group:
+        name: root
+      contents:
+        inline: |
+          #!/bin/bash
+          
+          set -x
+          set -e
+          set +u
+          
+          until [ -f /etc/pki/ca-trust/source/anchors/openstack-ca.pem ]
+          do
+              echo "waiting for /etc/pki/ca-trust/source/anchors/openstack-ca.pem"
+              sleep 3s
+          done
+
+          /usr/bin/update-ca-trust
+          
+          HTTP_PROXY="__HTTP_PROXY__"
+          HTTPS_PROXY="__HTTPS_PROXY__"
+          NO_PROXY="__NO_PROXY__"
+          
+          if [ -n "${HTTP_PROXY}" ]; then
+              export HTTP_PROXY
+              echo "http_proxy=${HTTP_PROXY}" >> /etc/environment
+          fi
+          
+          if [ -n "${HTTPS_PROXY}" ]; then
+              export HTTPS_PROXY
+              echo "https_proxy=${HTTPS_PROXY}" >> /etc/environment
+          fi
+          
+          if [ -n "${NO_PROXY}" ]; then
+              export NO_PROXY
+              echo "no_proxy=${NO_PROXY}" >> /etc/environment
+          fi
+          
+          # Create a keypair for the heat-container-agent to
+          # access the node over ssh. It is useful to operate
+          # in host mount namespace and apply configuration.
+          id
+          mkdir -p /srv/magnum/.ssh
+          chmod 0700 /srv/magnum/.ssh
+          #touch /srv/magnum/.ssh/heat_agent_rsa
+          ssh-keygen -q -t rsa -N '' -f /tmp/heat_agent_rsa
+          mv /tmp/heat_agent_rsa /srv/magnum/.ssh/heat_agent_rsa
+          mv /tmp/heat_agent_rsa.pub /srv/magnum/.ssh/heat_agent_rsa.pub
+          chmod 0400 /srv/magnum/.ssh/heat_agent_rsa
+          chmod 0400 /srv/magnum/.ssh/heat_agent_rsa.pub
+          # Add the public to the host authorized_keys file.
+          mkdir -p /root/.ssh
+          chmod 0700 /root/.ssh
+          cat /srv/magnum/.ssh/heat_agent_rsa.pub > /root/.ssh/authorized_keys
+          # Add localost to know_hosts
+          ssh-keyscan 127.0.0.1 > /srv/magnum/.ssh/known_hosts
+          # ssh configguration file, to be specified with ssh -F
+          cat > /srv/magnum/.ssh/config <<EOF
+          Host localhost
+               HostName 127.0.0.1
+               User root
+               IdentityFile /srv/magnum/.ssh/heat_agent_rsa
+               UserKnownHostsFile /srv/magnum/.ssh/known_hosts
+          EOF
+          
+          sed -i '/^PermitRootLogin/ s/ .*/ without-password/' /etc/ssh/sshd_config
+          # Security enhancement: Disable password authentication
+          sed -i '/^PasswordAuthentication yes/ s/ yes/ no/' /etc/ssh/sshd_config
+
+          systemctl restart sshd
+systemd:
+  units:
+    - name: configure-agent-env.service
+      enabled: true
+      contents: |
+        [Unit]
+        Description=Configure heat agent environment
+        After=sshd.service
+        
+        [Service]
+        User=root
+        Group=root
+        Type=simple
+        ExecStart=/bin/bash /root/configure-agent-env.sh
+        Restart=on-failure
+        
+        [Install]
+        WantedBy=multi-user.target
+    - name: heat-container-agent.service
+      enabled: true
+      contents: |
+        [Unit]
+        Description=Run heat-container-agent
+        After=network-online.target configure-agent-env.service
+        Wants=network-online.target
+        
+        [Service]
+        EnvironmentFile=-/etc/environment
+        ExecStartPre=mkdir -p /var/lib/heat-container-agent
+        ExecStartPre=mkdir -p /var/run/heat-config
+        ExecStartPre=mkdir -p /var/run/os-collect-config
+        ExecStartPre=mkdir -p /opt/stack/os-config-refresh
+        ExecStartPre=-mv /var/lib/os-collect-config/local-data /var/lib/cloud/data/cfn-init-data
+        ExecStartPre=mkdir -p /srv/magnum
+        ExecStartPre=-/bin/podman kill heat-container-agent
+        ExecStartPre=-/bin/podman rm heat-container-agent
+        ExecStartPre=-/bin/podman pull __CONTAINER_INFRA_PREFIX__heat-container-agent:__HEAT_CONTAINER_AGENT_TAG__
+        ExecStart=/bin/podman run \
+                --name heat-container-agent \
+                --privileged \
+                --net=host \
+                --volume /srv/magnum:/srv/magnum \
+                --volume /opt/stack/os-config-refresh:/opt/stack/os-config-refresh \
+                --volume /run/systemd:/run/systemd \
+                --volume /etc/:/etc/ \
+                --volume /var/lib:/var/lib \
+                --volume /var/run:/var/run \
+                --volume /var/log:/var/log \
+                --volume /tmp:/tmp \
+                --volume /dev:/dev \
+                --env REQUESTS_CA_BUNDLE=/etc/pki/tls/certs/ca-bundle.crt \
+                __CONTAINER_INFRA_PREFIX__heat-container-agent:__HEAT_CONTAINER_AGENT_TAG__ \
+                /usr/bin/start-heat-container-agent
+        TimeoutStartSec=10min
+        
+        ExecStop=/bin/podman stop heat-container-agent
+        
+        [Install]
+        WantedBy=multi-user.target
diff --git a/magnum/drivers/k8s_fedora_coreos_v1/templates/kubemaster.yaml b/magnum/drivers/k8s_fedora_coreos_v1/templates/kubemaster.yaml
index e37334ad51..ea63a848f1 100644
--- a/magnum/drivers/k8s_fedora_coreos_v1/templates/kubemaster.yaml
+++ b/magnum/drivers/k8s_fedora_coreos_v1/templates/kubemaster.yaml
@@ -648,20 +648,20 @@ resources:
             - str_replace:
                 template: {get_file: user_data.json}
                 params:
-                  $HOSTNAME: {get_param: name}
-                  $SSH_KEY_VALUE: {get_param: ssh_public_key}
-                  $OPENSTACK_CA: {get_param: openstack_ca}
-                  $CONTAINER_INFRA_PREFIX:
+                  __HOSTNAME__: {get_param: name}
+                  __SSH_KEY_VALUE__: {get_param: ssh_public_key}
+                  __OPENSTACK_CA__: {get_param: openstack_ca}
+                  __CONTAINER_INFRA_PREFIX__:
                     if:
                       - equals:
                         - get_param: container_infra_prefix
                         - ""
                       - "docker.io/openstackmagnum/"
                       - get_param: container_infra_prefix
-                  $HEAT_CONTAINER_AGENT_TAG: {get_param: heat_container_agent_tag}
-                  $HTTP_PROXY: {get_param: http_proxy}
-                  $HTTPS_PROXY: {get_param: https_proxy}
-                  $NO_PROXY: {get_param: no_proxy}
+                  __HEAT_CONTAINER_AGENT_TAG__: {get_param: heat_container_agent_tag}
+                  __HTTP_PROXY__: {get_param: http_proxy}
+                  __HTTPS_PROXY__: {get_param: https_proxy}
+                  __NO_PROXY__: {get_param: no_proxy}
 
   master_config:
     type: OS::Heat::SoftwareConfig
diff --git a/magnum/drivers/k8s_fedora_coreos_v1/templates/kubeminion.yaml b/magnum/drivers/k8s_fedora_coreos_v1/templates/kubeminion.yaml
index 8c58d426cd..0077163b93 100644
--- a/magnum/drivers/k8s_fedora_coreos_v1/templates/kubeminion.yaml
+++ b/magnum/drivers/k8s_fedora_coreos_v1/templates/kubeminion.yaml
@@ -367,20 +367,20 @@ resources:
             - str_replace:
                 template: {get_file: user_data.json}
                 params:
-                  $HOSTNAME: {get_param: name}
-                  $SSH_KEY_VALUE: {get_param: ssh_public_key}
-                  $OPENSTACK_CA: {get_param: openstack_ca}
-                  $CONTAINER_INFRA_PREFIX:
+                  __HOSTNAME__: {get_param: name}
+                  __SSH_KEY_VALUE__: {get_param: ssh_public_key}
+                  __OPENSTACK_CA__: {get_param: openstack_ca}
+                  __CONTAINER_INFRA_PREFIX__:
                     if:
                       - equals:
                         - get_param: container_infra_prefix
                         - ""
                       - "docker.io/openstackmagnum/"
                       - get_param: container_infra_prefix
-                  $HEAT_CONTAINER_AGENT_TAG: {get_param: heat_container_agent_tag}
-                  $HTTP_PROXY: {get_param: http_proxy}
-                  $HTTPS_PROXY: {get_param: https_proxy}
-                  $NO_PROXY: {get_param: no_proxy}
+                  __HEAT_CONTAINER_AGENT_TAG__: {get_param: heat_container_agent_tag}
+                  __HTTP_PROXY__: {get_param: http_proxy}
+                  __HTTPS_PROXY__: {get_param: https_proxy}
+                  __NO_PROXY__: {get_param: no_proxy}
 
   ######################################################################
   #
diff --git a/magnum/drivers/k8s_fedora_coreos_v1/templates/user_data.json b/magnum/drivers/k8s_fedora_coreos_v1/templates/user_data.json
index a7c30793bd..42fa5e4659 100644
--- a/magnum/drivers/k8s_fedora_coreos_v1/templates/user_data.json
+++ b/magnum/drivers/k8s_fedora_coreos_v1/templates/user_data.json
@@ -17,68 +17,91 @@
       {
         "name": "core",
         "sshAuthorizedKeys": [
-          "$SSH_KEY_VALUE"
+          "__SSH_KEY_VALUE__"
         ]
       }
     ]
   },
   "storage": {
-      "directories":[
-        {
-          "path": "/var/lib/cloud/data",
-          "group": {"name": "root"},
-          "user": {"name": "root"},
-          "mode": 644
-        },
-        {
-          "path": "/var/lib/heat-cfntools",
-          "group": {"name": "root"},
-          "user": {"name": "root"},
-          "mode": 644
-        }
-      ],
-      "files": [
-        {
-          "filesystem": "root",
-          "path": "/etc/hostname",
-          "mode": 420,
-          "contents": { "source": "data:,$HOSTNAME" }
-        },
-        {
-          "filesystem": "root",
-          "group": {"name": "root"},
-          "path": "/etc/pki/ca-trust/source/anchors/openstack-ca.pem",
-          "user": {"name": "root"},
-          "contents": {
-            "source": "data:,$OPENSTACK_CA",
-            "verification": {}
-          },
-          "mode": 644
-        },
-        {
-          "user": {"name": "root"},
-          "group": {"name": "root"},
-          "mode": 700,
-          "path": "/root/configure-agent-env.sh",
-          "contents": {
-            "source": "data:,%23%21%2Fbin%2Fbash%0A%0Aset%20-x%0Aset%20-e%0Aset%20%2Bu%0A%0Auntil%20%5B%20-f%20%2Fetc%2Fpki%2Fca-trust%2Fsource%2Fanchors%2Fopenstack-ca.pem%20%5D%0Ado%0A%20%20%20%20echo%20%22waiting%20for%20%2Fetc%2Fpki%2Fca-trust%2Fsource%2Fanchors%2Fopenstack-ca.pem%22%0A%20%20%20%20sleep%203s%0Adone%0A%2Fusr%2Fbin%2Fupdate-ca-trust%0A%0AHTTP_PROXY%3D%22$HTTP_PROXY%22%0AHTTPS_PROXY%3D%22$HTTPS_PROXY%22%0ANO_PROXY%3D%22$NO_PROXY%22%0ACONTAINER_INFRA_PREFIX%3D%22$CONTAINER_INFRA_PREFIX%22%0AHEAT_CONTAINER_AGENT_TAG%3D%22$HEAT_CONTAINER_AGENT_TAG%22%0A%0A%0Aif%20%5B%20-n%20%22%24%7BHTTP_PROXY%7D%22%20%5D%3B%20then%0A%20%20%20%20export%20HTTP_PROXY%0A%20%20%20%20echo%20%22http_proxy%3D%24%7BHTTP_PROXY%7D%22%20%3E%3E%20%2Fetc%2Fenvironment%0Afi%0A%0Aif%20%5B%20-n%20%22%24%7BHTTPS_PROXY%7D%22%20%5D%3B%20then%0A%20%20%20%20export%20HTTPS_PROXY%0A%20%20%20%20echo%20%22https_proxy%3D%24%7BHTTPS_PROXY%7D%22%20%3E%3E%20%2Fetc%2Fenvironment%0Afi%0A%0Aif%20%5B%20-n%20%22%24%7BNO_PROXY%7D%22%20%5D%3B%20then%0A%20%20%20%20export%20NO_PROXY%0A%20%20%20%20echo%20%22no_proxy%3D%24%7BNO_PROXY%7D%22%20%3E%3E%20%2Fetc%2Fenvironment%0Afi%0A%0A%23%20Create%20a%20keypair%20for%20the%20heat-container-agent%20to%0A%23%20access%20the%20node%20over%20ssh.%20It%20is%20useful%20to%20operate%0A%23%20in%20host%20mount%20namespace%20and%20apply%20configuration.%0Aid%0Amkdir%20-p%20%2Fsrv%2Fmagnum%2F.ssh%0Achmod%200700%20%2Fsrv%2Fmagnum%2F.ssh%0A%23touch%20%2Fsrv%2Fmagnum%2F.ssh%2Fheat_agent_rsa%0Assh-keygen%20-q%20-t%20rsa%20-N%20%27%27%20-f%20%2Ftmp%2Fheat_agent_rsa%0Amv%20%2Ftmp%2Fheat_agent_rsa%20%2Fsrv%2Fmagnum%2F.ssh%2Fheat_agent_rsa%0Amv%20%2Ftmp%2Fheat_agent_rsa.pub%20%2Fsrv%2Fmagnum%2F.ssh%2Fheat_agent_rsa.pub%0Achmod%200400%20%2Fsrv%2Fmagnum%2F.ssh%2Fheat_agent_rsa%0Achmod%200400%20%2Fsrv%2Fmagnum%2F.ssh%2Fheat_agent_rsa.pub%0A%23%20Add%20the%20public%20to%20the%20host%20authorized_keys%20file.%0Amkdir%20-p%20%2Froot%2F.ssh%0Achmod%200700%20%2Froot%2F.ssh%0Acat%20%2Fsrv%2Fmagnum%2F.ssh%2Fheat_agent_rsa.pub%20%3E%20%2Froot%2F.ssh%2Fauthorized_keys%0A%23%20Add%20localost%20to%20know_hosts%0Assh-keyscan%20127.0.0.1%20%3E%20%2Fsrv%2Fmagnum%2F.ssh%2Fknown_hosts%0A%23%20ssh%20configguration%20file%2C%20to%20be%20specified%20with%20ssh%20-F%0Acat%20%3E%20%2Fsrv%2Fmagnum%2F.ssh%2Fconfig%20%3C%3CEOF%0AHost%20localhost%0A%20%20%20%20%20HostName%20127.0.0.1%0A%20%20%20%20%20User%20root%0A%20%20%20%20%20IdentityFile%20%2Fsrv%2Fmagnum%2F.ssh%2Fheat_agent_rsa%0A%20%20%20%20%20UserKnownHostsFile%20%2Fsrv%2Fmagnum%2F.ssh%2Fknown_hosts%0AEOF%0A%0Ased%20-i%20%27%2F%5EPermitRootLogin%2F%20s%2F%20.%2A%2F%20without-password%2F%27%20%2Fetc%2Fssh%2Fsshd_config%0A%23%20Security%20enhancement%3A%20Disable%20password%20authentication%0Ased%20-i%20%27%2F%5EPasswordAuthentication%20yes%2F%20s%2F%20yes%2F%20no%2F%27%20%2Fetc%2Fssh%2Fsshd_config%0A%0Asystemctl%20restart%20sshd",
-            "verification": {}
-          }
-        }
-      ]
-  },
-  "systemd": {
-      "units": [
+    "directories": [
       {
-          "name": "configure-agent-env.service",
-          "enabled": true,
-          "contents": "[Unit]\nDescription=Configure heat agent environment\nAfter=sshd.service\n\n[Service]\nUser=root\nGroup=root\nType=simple\nExecStart=/bin/bash /root/configure-agent-env.sh\nRestart=on-failure\n\n[Install]\nWantedBy=multi-user.target"
+        "group": {
+          "name": "root"
+        },
+        "path": "/var/lib/cloud/data",
+        "user": {
+          "name": "root"
+        },
+        "mode": 493
       },
       {
-        "name": "heat-container-agent.service",
-        "enabled": true,
-        "contents": "[Unit]\nDescription=Run heat-container-agent\nAfter=network-online.target configure-agent-env.service\nWants=network-online.target\n\n[Service]\nEnvironmentFile=-/etc/environment\nExecStartPre=mkdir -p /var/lib/heat-container-agent\nExecStartPre=mkdir -p /var/run/heat-config\nExecStartPre=mkdir -p /var/run/os-collect-config\nExecStartPre=mkdir -p /opt/stack/os-config-refresh\nExecStartPre=-mv /var/lib/os-collect-config/local-data /var/lib/cloud/data/cfn-init-data\nExecStartPre=mkdir -p /srv/magnum\nExecStartPre=-/bin/podman kill heat-container-agent\nExecStartPre=-/bin/podman rm heat-container-agent\nExecStartPre=-/bin/podman pull $CONTAINER_INFRA_PREFIXheat-container-agent:$HEAT_CONTAINER_AGENT_TAG\nExecStart=/bin/podman run \\\n        --name heat-container-agent \\\n        --privileged \\\n        --volume /srv/magnum:/srv/magnum \\\n        --volume /opt/stack/os-config-refresh:/opt/stack/os-config-refresh \\\n        --volume /run/systemd:/run/systemd \\\n        --volume /etc/:/etc/ \\\n        --volume /var/lib:/var/lib \\\n        --volume /var/run:/var/run \\\n        --volume /var/log:/var/log \\\n        --volume /tmp:/tmp \\\n        --volume /dev:/dev \\\n        --env REQUESTS_CA_BUNDLE=/etc/pki/tls/certs/ca-bundle.crt --net=host \\\n        $CONTAINER_INFRA_PREFIXheat-container-agent:$HEAT_CONTAINER_AGENT_TAG \\\n        /usr/bin/start-heat-container-agent\nTimeoutStartSec=10min\n\nExecStop=/bin/podman stop heat-container-agent\n\n[Install]\nWantedBy=multi-user.target\n"
+        "group": {
+          "name": "root"
+        },
+        "path": "/var/lib/heat-cfntools",
+        "user": {
+          "name": "root"
+        },
+        "mode": 493
       }
-      ]
+    ],
+    "files": [
+      {
+        "group": {
+          "name": "root"
+        },
+        "path": "/etc/hostname",
+        "user": {
+          "name": "root"
+        },
+        "contents": {
+          "source": "data:,__HOSTNAME__%0A",
+          "verification": {}
+        },
+        "mode": 420
+      },
+      {
+        "group": {
+          "name": "root"
+        },
+        "path": "/etc/pki/ca-trust/source/anchors/openstack-ca.pem",
+        "user": {
+          "name": "root"
+        },
+        "contents": {
+          "source": "data:,__OPENSTACK_CA__%0A",
+          "verification": {}
+        },
+        "mode": 420
+      },
+      {
+        "group": {
+          "name": "root"
+        },
+        "path": "/root/configure-agent-env.sh",
+        "user": {
+          "name": "root"
+        },
+        "contents": {
+          "source": "data:,%23!%2Fbin%2Fbash%0A%0Aset%20-x%0Aset%20-e%0Aset%20%2Bu%0A%0Auntil%20%5B%20-f%20%2Fetc%2Fpki%2Fca-trust%2Fsource%2Fanchors%2Fopenstack-ca.pem%20%5D%0Ado%0A%20%20%20%20echo%20%22waiting%20for%20%2Fetc%2Fpki%2Fca-trust%2Fsource%2Fanchors%2Fopenstack-ca.pem%22%0A%20%20%20%20sleep%203s%0Adone%0A%0A%2Fusr%2Fbin%2Fupdate-ca-trust%0A%0AHTTP_PROXY%3D%22__HTTP_PROXY__%22%0AHTTPS_PROXY%3D%22__HTTPS_PROXY__%22%0ANO_PROXY%3D%22__NO_PROXY__%22%0A%0Aif%20%5B%20-n%20%22%24%7BHTTP_PROXY%7D%22%20%5D%3B%20then%0A%20%20%20%20export%20HTTP_PROXY%0A%20%20%20%20echo%20%22http_proxy%3D%24%7BHTTP_PROXY%7D%22%20%3E%3E%20%2Fetc%2Fenvironment%0Afi%0A%0Aif%20%5B%20-n%20%22%24%7BHTTPS_PROXY%7D%22%20%5D%3B%20then%0A%20%20%20%20export%20HTTPS_PROXY%0A%20%20%20%20echo%20%22https_proxy%3D%24%7BHTTPS_PROXY%7D%22%20%3E%3E%20%2Fetc%2Fenvironment%0Afi%0A%0Aif%20%5B%20-n%20%22%24%7BNO_PROXY%7D%22%20%5D%3B%20then%0A%20%20%20%20export%20NO_PROXY%0A%20%20%20%20echo%20%22no_proxy%3D%24%7BNO_PROXY%7D%22%20%3E%3E%20%2Fetc%2Fenvironment%0Afi%0A%0A%23%20Create%20a%20keypair%20for%20the%20heat-container-agent%20to%0A%23%20access%20the%20node%20over%20ssh.%20It%20is%20useful%20to%20operate%0A%23%20in%20host%20mount%20namespace%20and%20apply%20configuration.%0Aid%0Amkdir%20-p%20%2Fsrv%2Fmagnum%2F.ssh%0Achmod%200700%20%2Fsrv%2Fmagnum%2F.ssh%0A%23touch%20%2Fsrv%2Fmagnum%2F.ssh%2Fheat_agent_rsa%0Assh-keygen%20-q%20-t%20rsa%20-N%20''%20-f%20%2Ftmp%2Fheat_agent_rsa%0Amv%20%2Ftmp%2Fheat_agent_rsa%20%2Fsrv%2Fmagnum%2F.ssh%2Fheat_agent_rsa%0Amv%20%2Ftmp%2Fheat_agent_rsa.pub%20%2Fsrv%2Fmagnum%2F.ssh%2Fheat_agent_rsa.pub%0Achmod%200400%20%2Fsrv%2Fmagnum%2F.ssh%2Fheat_agent_rsa%0Achmod%200400%20%2Fsrv%2Fmagnum%2F.ssh%2Fheat_agent_rsa.pub%0A%23%20Add%20the%20public%20to%20the%20host%20authorized_keys%20file.%0Amkdir%20-p%20%2Froot%2F.ssh%0Achmod%200700%20%2Froot%2F.ssh%0Acat%20%2Fsrv%2Fmagnum%2F.ssh%2Fheat_agent_rsa.pub%20%3E%20%2Froot%2F.ssh%2Fauthorized_keys%0A%23%20Add%20localost%20to%20know_hosts%0Assh-keyscan%20127.0.0.1%20%3E%20%2Fsrv%2Fmagnum%2F.ssh%2Fknown_hosts%0A%23%20ssh%20configguration%20file%2C%20to%20be%20specified%20with%20ssh%20-F%0Acat%20%3E%20%2Fsrv%2Fmagnum%2F.ssh%2Fconfig%20%3C%3CEOF%0AHost%20localhost%0A%20%20%20%20%20HostName%20127.0.0.1%0A%20%20%20%20%20User%20root%0A%20%20%20%20%20IdentityFile%20%2Fsrv%2Fmagnum%2F.ssh%2Fheat_agent_rsa%0A%20%20%20%20%20UserKnownHostsFile%20%2Fsrv%2Fmagnum%2F.ssh%2Fknown_hosts%0AEOF%0A%0Ased%20-i%20'%2F%5EPermitRootLogin%2F%20s%2F%20.*%2F%20without-password%2F'%20%2Fetc%2Fssh%2Fsshd_config%0A%23%20Security%20enhancement%3A%20Disable%20password%20authentication%0Ased%20-i%20'%2F%5EPasswordAuthentication%20yes%2F%20s%2F%20yes%2F%20no%2F'%20%2Fetc%2Fssh%2Fsshd_config%0A%0Asystemctl%20restart%20sshd%0A",
+          "verification": {}
+        },
+        "mode": 448
+      }
+    ]
+  },
+  "systemd": {
+    "units": [
+      {
+        "contents": "[Unit]\nDescription=Configure heat agent environment\nAfter=sshd.service\n\n[Service]\nUser=root\nGroup=root\nType=simple\nExecStart=/bin/bash /root/configure-agent-env.sh\nRestart=on-failure\n\n[Install]\nWantedBy=multi-user.target\n",
+        "enabled": true,
+        "name": "configure-agent-env.service"
+      },
+      {
+        "contents": "[Unit]\nDescription=Run heat-container-agent\nAfter=network-online.target configure-agent-env.service\nWants=network-online.target\n\n[Service]\nEnvironmentFile=-/etc/environment\nExecStartPre=mkdir -p /var/lib/heat-container-agent\nExecStartPre=mkdir -p /var/run/heat-config\nExecStartPre=mkdir -p /var/run/os-collect-config\nExecStartPre=mkdir -p /opt/stack/os-config-refresh\nExecStartPre=-mv /var/lib/os-collect-config/local-data /var/lib/cloud/data/cfn-init-data\nExecStartPre=mkdir -p /srv/magnum\nExecStartPre=-/bin/podman kill heat-container-agent\nExecStartPre=-/bin/podman rm heat-container-agent\nExecStartPre=-/bin/podman pull __CONTAINER_INFRA_PREFIX__heat-container-agent:__HEAT_CONTAINER_AGENT_TAG__\nExecStart=/bin/podman run \\\n        --name heat-container-agent \\\n        --privileged \\\n        --net=host \\\n        --volume /srv/magnum:/srv/magnum \\\n        --volume /opt/stack/os-config-refresh:/opt/stack/os-config-refresh \\\n        --volume /run/systemd:/run/systemd \\\n        --volume /etc/:/etc/ \\\n        --volume /var/lib:/var/lib \\\n        --volume /var/run:/var/run \\\n        --volume /var/log:/var/log \\\n        --volume /tmp:/tmp \\\n        --volume /dev:/dev \\\n        --env REQUESTS_CA_BUNDLE=/etc/pki/tls/certs/ca-bundle.crt \\\n        __CONTAINER_INFRA_PREFIX__heat-container-agent:__HEAT_CONTAINER_AGENT_TAG__ \\\n        /usr/bin/start-heat-container-agent\nTimeoutStartSec=10min\n\nExecStop=/bin/podman stop heat-container-agent\n\n[Install]\nWantedBy=multi-user.target\n",
+        "enabled": true,
+        "name": "heat-container-agent.service"
+      }
+    ]
   }
-}
+}
\ No newline at end of file