252 lines
8.1 KiB
YAML
252 lines
8.1 KiB
YAML
# Fedora CoreOS Configuration
|
|
#
|
|
# To generate user_data.json you need to use [0].
|
|
# For detailed instructions, please refer to the upstream documentation [1].
|
|
#
|
|
# You can use podman or docker to generate the ignition formatted json:
|
|
# podman run --rm \
|
|
# -v $(pwd)/fcct-config.yaml:/config.fcc \
|
|
# quay.io/coreos/fcct:release \
|
|
# --pretty --strict /config.fcc > ./user_data.json
|
|
#
|
|
# [0] https://github.com/coreos/fcct
|
|
# [1] https://github.com/coreos/fedora-coreos-docs/blob/master/modules/ROOT/pages/producing-ign.adoc
|
|
variant: fcos
|
|
version: 1.0.0
|
|
passwd:
|
|
users:
|
|
- name: core
|
|
ssh_authorized_keys:
|
|
- "__SSH_KEY_VALUE__"
|
|
storage:
|
|
directories:
|
|
- path: /var/lib/cloud/data
|
|
# 493 (decimal) == 755 (octal)
|
|
mode: 493
|
|
user:
|
|
name: root
|
|
group:
|
|
name: root
|
|
- path: /var/lib/heat-cfntools
|
|
# 493 (decimal) == 755 (octal)
|
|
mode: 493
|
|
user:
|
|
name: root
|
|
group:
|
|
name: root
|
|
files:
|
|
- path: /etc/selinux/config
|
|
# 420 (decimal) == 644 (octal)
|
|
mode: 420
|
|
group:
|
|
name: root
|
|
user:
|
|
name: root
|
|
contents:
|
|
inline: |
|
|
# This file controls the state of SELinux on the system.
|
|
# SELINUX= can take one of these three values:
|
|
# enforcing - SELinux security policy is enforced.
|
|
# permissive - SELinux prints warnings instead of enforcing.
|
|
# disabled - No SELinux policy is loaded.
|
|
SELINUX=__SELINUX_MODE__
|
|
# SELINUXTYPE= can take one of these three values:
|
|
# targeted - Targeted processes are protected,
|
|
# minimum - Modification of targeted policy. Only selected processes are protected.
|
|
# mls - Multi Level Security protection.
|
|
SELINUXTYPE=targeted
|
|
overwrite: true
|
|
- path: /etc/containers/libpod.conf
|
|
# 420 (decimal) == 644 (octal)
|
|
mode: 420
|
|
user:
|
|
name: root
|
|
group:
|
|
name: root
|
|
contents:
|
|
inline: |
|
|
# Maximum size of log files (in bytes)
|
|
# -1 is unlimited
|
|
# 50m
|
|
max_log_size = 52428800
|
|
- path: /etc/containers/__REGISTRIES_CONF__
|
|
# 420 (decimal) == 644 (octal)
|
|
mode: 420
|
|
user:
|
|
name: root
|
|
group:
|
|
name: root
|
|
append:
|
|
- inline: |
|
|
[[registry]]
|
|
location = "__INSECURE_REGISTRY_URL__"
|
|
insecure = true
|
|
- path: /etc/hostname
|
|
# 420 (decimal) == 644 (octal)
|
|
mode: 420
|
|
group:
|
|
name: root
|
|
user:
|
|
name: root
|
|
contents:
|
|
inline: |
|
|
__HOSTNAME__
|
|
overwrite: true
|
|
- path: /etc/pki/ca-trust/source/anchors/openstack-ca.pem
|
|
# 420 (decimal) == 644 (octal)
|
|
mode: 420
|
|
user:
|
|
name: root
|
|
group:
|
|
name: root
|
|
contents:
|
|
inline: |
|
|
__OPENSTACK_CA__
|
|
- path: /root/configure-agent-env.sh
|
|
# 448 (decimal) == 700 (octal)
|
|
mode: 448
|
|
user:
|
|
name: root
|
|
group:
|
|
name: root
|
|
contents:
|
|
inline: |
|
|
#!/bin/bash
|
|
|
|
set -x
|
|
set -e
|
|
set +u
|
|
|
|
until [ -f /etc/pki/ca-trust/source/anchors/openstack-ca.pem ]
|
|
do
|
|
echo "waiting for /etc/pki/ca-trust/source/anchors/openstack-ca.pem"
|
|
sleep 3s
|
|
done
|
|
|
|
/usr/bin/update-ca-trust
|
|
mkdir /etc/kubernetes/
|
|
cp /etc/pki/tls/certs/ca-bundle.crt /etc/kubernetes/ca-bundle.crt
|
|
|
|
HTTP_PROXY="__HTTP_PROXY__"
|
|
HTTPS_PROXY="__HTTPS_PROXY__"
|
|
NO_PROXY="__NO_PROXY__"
|
|
|
|
if [ -n "${HTTP_PROXY}" ]; then
|
|
export HTTP_PROXY
|
|
echo "http_proxy=${HTTP_PROXY}" >> /etc/environment
|
|
fi
|
|
|
|
if [ -n "${HTTPS_PROXY}" ]; then
|
|
export HTTPS_PROXY
|
|
echo "https_proxy=${HTTPS_PROXY}" >> /etc/environment
|
|
fi
|
|
|
|
if [ -n "${NO_PROXY}" ]; then
|
|
export NO_PROXY
|
|
echo "no_proxy=${NO_PROXY}" >> /etc/environment
|
|
fi
|
|
|
|
# Create a keypair for the heat-container-agent to
|
|
# access the node over ssh. It is useful to operate
|
|
# in host mount namespace and apply configuration.
|
|
id
|
|
mkdir -p /srv/magnum/.ssh
|
|
chmod 0700 /srv/magnum/.ssh
|
|
#touch /srv/magnum/.ssh/heat_agent_rsa
|
|
ssh-keygen -q -t rsa -N '' -f /tmp/heat_agent_rsa
|
|
mv /tmp/heat_agent_rsa /srv/magnum/.ssh/heat_agent_rsa
|
|
mv /tmp/heat_agent_rsa.pub /srv/magnum/.ssh/heat_agent_rsa.pub
|
|
chmod 0400 /srv/magnum/.ssh/heat_agent_rsa
|
|
chmod 0400 /srv/magnum/.ssh/heat_agent_rsa.pub
|
|
# Add the public to the host authorized_keys file.
|
|
mkdir -p /root/.ssh
|
|
chmod 0700 /root/.ssh
|
|
cat /srv/magnum/.ssh/heat_agent_rsa.pub > /root/.ssh/authorized_keys
|
|
# Add localost to know_hosts
|
|
ssh-keyscan 127.0.0.1 > /srv/magnum/.ssh/known_hosts
|
|
# ssh configguration file, to be specified with ssh -F
|
|
cat > /srv/magnum/.ssh/config <<EOF
|
|
Host localhost
|
|
HostName 127.0.0.1
|
|
User root
|
|
IdentityFile /srv/magnum/.ssh/heat_agent_rsa
|
|
UserKnownHostsFile /srv/magnum/.ssh/known_hosts
|
|
EOF
|
|
|
|
sed -i '/^PermitRootLogin/ s/ .*/ without-password/' /etc/ssh/sshd_config
|
|
# Security enhancement: Disable password authentication
|
|
sed -i '/^PasswordAuthentication yes/ s/ yes/ no/' /etc/ssh/sshd_config
|
|
|
|
systemctl restart sshd
|
|
- path: /etc/zincati/config.d/90-disable-auto-updates.toml
|
|
# 420 (decimal) == 644 (octal)
|
|
mode: 420
|
|
group:
|
|
name: root
|
|
user:
|
|
name: root
|
|
contents:
|
|
inline: |
|
|
[updates]
|
|
enabled = false
|
|
|
|
systemd:
|
|
units:
|
|
- name: configure-agent-env.service
|
|
enabled: true
|
|
contents: |
|
|
[Unit]
|
|
Description=Configure heat agent environment
|
|
After=sshd.service
|
|
|
|
[Service]
|
|
User=root
|
|
Group=root
|
|
Type=simple
|
|
ExecStart=/bin/bash /root/configure-agent-env.sh
|
|
Restart=on-failure
|
|
|
|
[Install]
|
|
WantedBy=multi-user.target
|
|
- name: heat-container-agent.service
|
|
enabled: true
|
|
contents: |
|
|
[Unit]
|
|
Description=Run heat-container-agent
|
|
After=network-online.target configure-agent-env.service
|
|
Wants=network-online.target
|
|
|
|
[Service]
|
|
EnvironmentFile=-/etc/environment
|
|
ExecStartPre=mkdir -p /var/lib/heat-container-agent
|
|
ExecStartPre=mkdir -p /var/run/heat-config
|
|
ExecStartPre=mkdir -p /var/run/os-collect-config
|
|
ExecStartPre=mkdir -p /opt/stack/os-config-refresh
|
|
ExecStartPre=-mv /var/lib/os-collect-config/local-data /var/lib/cloud/data/cfn-init-data
|
|
ExecStartPre=mkdir -p /srv/magnum
|
|
ExecStartPre=-/bin/podman kill heat-container-agent
|
|
ExecStartPre=-/bin/podman rm heat-container-agent
|
|
ExecStartPre=-/bin/podman pull __CONTAINER_INFRA_PREFIX__heat-container-agent:__HEAT_CONTAINER_AGENT_TAG__
|
|
ExecStart=/bin/podman run \
|
|
--name heat-container-agent \
|
|
--privileged \
|
|
--net=host \
|
|
--volume /srv/magnum:/srv/magnum \
|
|
--volume /opt/stack/os-config-refresh:/opt/stack/os-config-refresh \
|
|
--volume /run/systemd:/run/systemd \
|
|
--volume /etc/:/etc/ \
|
|
--volume /var/lib:/var/lib \
|
|
--volume /var/run:/var/run \
|
|
--volume /var/log:/var/log \
|
|
--volume /tmp:/tmp \
|
|
--volume /dev:/dev \
|
|
--env REQUESTS_CA_BUNDLE=/etc/pki/tls/certs/ca-bundle.crt \
|
|
__CONTAINER_INFRA_PREFIX__heat-container-agent:__HEAT_CONTAINER_AGENT_TAG__ \
|
|
/usr/bin/start-heat-container-agent
|
|
TimeoutStartSec=10min
|
|
|
|
ExecStop=/bin/podman stop heat-container-agent
|
|
|
|
[Install]
|
|
WantedBy=multi-user.target
|