136 lines
8.0 KiB
JSON
136 lines
8.0 KiB
JSON
{
|
|
"ignition": {
|
|
"version": "3.0.0"
|
|
},
|
|
"passwd": {
|
|
"users": [
|
|
{
|
|
"name": "core",
|
|
"sshAuthorizedKeys": [
|
|
"__SSH_KEY_VALUE__"
|
|
]
|
|
}
|
|
]
|
|
},
|
|
"storage": {
|
|
"directories": [
|
|
{
|
|
"group": {
|
|
"name": "root"
|
|
},
|
|
"path": "/var/lib/cloud/data",
|
|
"user": {
|
|
"name": "root"
|
|
},
|
|
"mode": 493
|
|
},
|
|
{
|
|
"group": {
|
|
"name": "root"
|
|
},
|
|
"path": "/var/lib/heat-cfntools",
|
|
"user": {
|
|
"name": "root"
|
|
},
|
|
"mode": 493
|
|
}
|
|
],
|
|
"files": [
|
|
{
|
|
"group": {
|
|
"name": "root"
|
|
},
|
|
"overwrite": true,
|
|
"path": "/etc/selinux/config",
|
|
"user": {
|
|
"name": "root"
|
|
},
|
|
"contents": {
|
|
"source": "data:,%23%20This%20file%20controls%20the%20state%20of%20SELinux%20on%20the%20system.%0A%23%20SELINUX%3D%20can%20take%20one%20of%20these%20three%20values%3A%0A%23%20%20%20%20%20enforcing%20-%20SELinux%20security%20policy%20is%20enforced.%0A%23%20%20%20%20%20permissive%20-%20SELinux%20prints%20warnings%20instead%20of%20enforcing.%0A%23%20%20%20%20%20disabled%20-%20No%20SELinux%20policy%20is%20loaded.%0ASELINUX%3D__SELINUX_MODE__%0A%23%20SELINUXTYPE%3D%20can%20take%20one%20of%20these%20three%20values%3A%0A%23%20%20%20%20%20targeted%20-%20Targeted%20processes%20are%20protected%2C%0A%23%20%20%20%20%20minimum%20-%20Modification%20of%20targeted%20policy.%20Only%20selected%20processes%20are%20protected.%0A%23%20%20%20%20%20mls%20-%20Multi%20Level%20Security%20protection.%0ASELINUXTYPE%3Dtargeted%0A"
|
|
},
|
|
"mode": 420
|
|
},
|
|
{
|
|
"group": {
|
|
"name": "root"
|
|
},
|
|
"path": "/etc/containers/libpod.conf",
|
|
"user": {
|
|
"name": "root"
|
|
},
|
|
"contents": {
|
|
"source": "data:,%23%20Maximum%20size%20of%20log%20files%20(in%20bytes)%0A%23%20-1%20is%20unlimited%0A%23%2050m%0Amax_log_size%20%3D%2052428800%0A"
|
|
},
|
|
"mode": 420
|
|
},
|
|
{
|
|
"group": {
|
|
"name": "root"
|
|
},
|
|
"overwrite": true,
|
|
"path": "/etc/hostname",
|
|
"user": {
|
|
"name": "root"
|
|
},
|
|
"contents": {
|
|
"source": "data:,__HOSTNAME__%0A"
|
|
},
|
|
"mode": 420
|
|
},
|
|
{
|
|
"group": {
|
|
"name": "root"
|
|
},
|
|
"path": "/etc/pki/ca-trust/source/anchors/openstack-ca.pem",
|
|
"user": {
|
|
"name": "root"
|
|
},
|
|
"contents": {
|
|
"source": "data:,__OPENSTACK_CA__%0A"
|
|
},
|
|
"mode": 420
|
|
},
|
|
{
|
|
"group": {
|
|
"name": "root"
|
|
},
|
|
"path": "/root/configure-agent-env.sh",
|
|
"user": {
|
|
"name": "root"
|
|
},
|
|
"contents": {
|
|
"source": "data:,%23!%2Fbin%2Fbash%0A%0Aset%20-x%0Aset%20-e%0Aset%20%2Bu%0A%0Auntil%20%5B%20-f%20%2Fetc%2Fpki%2Fca-trust%2Fsource%2Fanchors%2Fopenstack-ca.pem%20%5D%0Ado%0A%20%20%20%20echo%20%22waiting%20for%20%2Fetc%2Fpki%2Fca-trust%2Fsource%2Fanchors%2Fopenstack-ca.pem%22%0A%20%20%20%20sleep%203s%0Adone%0A%0A%2Fusr%2Fbin%2Fupdate-ca-trust%0Amkdir%20%2Fetc%2Fkubernetes%2F%0Acp%20%2Fetc%2Fpki%2Ftls%2Fcerts%2Fca-bundle.crt%20%2Fetc%2Fkubernetes%2Fca-bundle.crt%0A%0AHTTP_PROXY%3D%22__HTTP_PROXY__%22%0AHTTPS_PROXY%3D%22__HTTPS_PROXY__%22%0ANO_PROXY%3D%22__NO_PROXY__%22%0A%0Aif%20%5B%20-n%20%22%24%7BHTTP_PROXY%7D%22%20%5D%3B%20then%0A%20%20%20%20export%20HTTP_PROXY%0A%20%20%20%20echo%20%22http_proxy%3D%24%7BHTTP_PROXY%7D%22%20%3E%3E%20%2Fetc%2Fenvironment%0Afi%0A%0Aif%20%5B%20-n%20%22%24%7BHTTPS_PROXY%7D%22%20%5D%3B%20then%0A%20%20%20%20export%20HTTPS_PROXY%0A%20%20%20%20echo%20%22https_proxy%3D%24%7BHTTPS_PROXY%7D%22%20%3E%3E%20%2Fetc%2Fenvironment%0Afi%0A%0Aif%20%5B%20-n%20%22%24%7BNO_PROXY%7D%22%20%5D%3B%20then%0A%20%20%20%20export%20NO_PROXY%0A%20%20%20%20echo%20%22no_proxy%3D%24%7BNO_PROXY%7D%22%20%3E%3E%20%2Fetc%2Fenvironment%0Afi%0A%0A%23%20Create%20a%20keypair%20for%20the%20heat-container-agent%20to%0A%23%20access%20the%20node%20over%20ssh.%20It%20is%20useful%20to%20operate%0A%23%20in%20host%20mount%20namespace%20and%20apply%20configuration.%0Aid%0Amkdir%20-p%20%2Fsrv%2Fmagnum%2F.ssh%0Achmod%200700%20%2Fsrv%2Fmagnum%2F.ssh%0A%23touch%20%2Fsrv%2Fmagnum%2F.ssh%2Fheat_agent_rsa%0Assh-keygen%20-q%20-t%20rsa%20-N%20''%20-f%20%2Ftmp%2Fheat_agent_rsa%0Amv%20%2Ftmp%2Fheat_agent_rsa%20%2Fsrv%2Fmagnum%2F.ssh%2Fheat_agent_rsa%0Amv%20%2Ftmp%2Fheat_agent_rsa.pub%20%2Fsrv%2Fmagnum%2F.ssh%2Fheat_agent_rsa.pub%0Achmod%200400%20%2Fsrv%2Fmagnum%2F.ssh%2Fheat_agent_rsa%0Achmod%200400%20%2Fsrv%2Fmagnum%2F.ssh%2Fheat_agent_rsa.pub%0A%23%20Add%20the%20public%20to%20the%20host%20authorized_keys%20file.%0Amkdir%20-p%20%2Froot%2F.ssh%0Achmod%200700%20%2Froot%2F.ssh%0Acat%20%2Fsrv%2Fmagnum%2F.ssh%2Fheat_agent_rsa.pub%20%3E%20%2Froot%2F.ssh%2Fauthorized_keys%0A%23%20Add%20localost%20to%20know_hosts%0Assh-keyscan%20127.0.0.1%20%3E%20%2Fsrv%2Fmagnum%2F.ssh%2Fknown_hosts%0A%23%20ssh%20configguration%20file%2C%20to%20be%20specified%20with%20ssh%20-F%0Acat%20%3E%20%2Fsrv%2Fmagnum%2F.ssh%2Fconfig%20%3C%3CEOF%0AHost%20localhost%0A%20%20%20%20%20HostName%20127.0.0.1%0A%20%20%20%20%20User%20root%0A%20%20%20%20%20IdentityFile%20%2Fsrv%2Fmagnum%2F.ssh%2Fheat_agent_rsa%0A%20%20%20%20%20UserKnownHostsFile%20%2Fsrv%2Fmagnum%2F.ssh%2Fknown_hosts%0AEOF%0A%0Ased%20-i%20'%2F%5EPermitRootLogin%2F%20s%2F%20.*%2F%20without-password%2F'%20%2Fetc%2Fssh%2Fsshd_config%0A%23%20Security%20enhancement%3A%20Disable%20password%20authentication%0Ased%20-i%20'%2F%5EPasswordAuthentication%20yes%2F%20s%2F%20yes%2F%20no%2F'%20%2Fetc%2Fssh%2Fsshd_config%0A%0Asystemctl%20restart%20sshd%0A"
|
|
},
|
|
"mode": 448
|
|
},
|
|
{
|
|
"group": {
|
|
"name": "root"
|
|
},
|
|
"path": "/etc/zincati/config.d/90-disable-auto-updates.toml",
|
|
"user": {
|
|
"name": "root"
|
|
},
|
|
"contents": {
|
|
"source": "data:,%5Bupdates%5D%0Aenabled%20%3D%20false%0A"
|
|
},
|
|
"mode": 420
|
|
}
|
|
]
|
|
},
|
|
"systemd": {
|
|
"units": [
|
|
{
|
|
"contents": "[Unit]\nDescription=Configure heat agent environment\nAfter=sshd.service\n\n[Service]\nUser=root\nGroup=root\nType=simple\nExecStart=/bin/bash /root/configure-agent-env.sh\nRestart=on-failure\n\n[Install]\nWantedBy=multi-user.target\n",
|
|
"enabled": true,
|
|
"name": "configure-agent-env.service"
|
|
},
|
|
{
|
|
"contents": "[Unit]\nDescription=Run heat-container-agent\nAfter=network-online.target configure-agent-env.service\nWants=network-online.target\n\n[Service]\nEnvironmentFile=-/etc/environment\nExecStartPre=mkdir -p /var/lib/heat-container-agent\nExecStartPre=mkdir -p /var/run/heat-config\nExecStartPre=mkdir -p /var/run/os-collect-config\nExecStartPre=mkdir -p /opt/stack/os-config-refresh\nExecStartPre=-mv /var/lib/os-collect-config/local-data /var/lib/cloud/data/cfn-init-data\nExecStartPre=mkdir -p /srv/magnum\nExecStartPre=-/bin/podman kill heat-container-agent\nExecStartPre=-/bin/podman rm heat-container-agent\nExecStartPre=-/bin/podman pull __CONTAINER_INFRA_PREFIX__heat-container-agent:__HEAT_CONTAINER_AGENT_TAG__\nExecStart=/bin/podman run \\\n --name heat-container-agent \\\n --privileged \\\n --net=host \\\n --volume /srv/magnum:/srv/magnum \\\n --volume /opt/stack/os-config-refresh:/opt/stack/os-config-refresh \\\n --volume /run/systemd:/run/systemd \\\n --volume /etc/:/etc/ \\\n --volume /var/lib:/var/lib \\\n --volume /var/run:/var/run \\\n --volume /var/log:/var/log \\\n --volume /tmp:/tmp \\\n --volume /dev:/dev \\\n --env REQUESTS_CA_BUNDLE=/etc/pki/tls/certs/ca-bundle.crt \\\n __CONTAINER_INFRA_PREFIX__heat-container-agent:__HEAT_CONTAINER_AGENT_TAG__ \\\n /usr/bin/start-heat-container-agent\nTimeoutStartSec=10min\n\nExecStop=/bin/podman stop heat-container-agent\n\n[Install]\nWantedBy=multi-user.target\n",
|
|
"enabled": true,
|
|
"name": "heat-container-agent.service"
|
|
}
|
|
]
|
|
}
|
|
}
|