You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
120 lines
3.8 KiB
120 lines
3.8 KiB
#!/bin/bash |
|
# |
|
# Used environment variables: |
|
# |
|
# - Hostname |
|
# - FreeIPAIP |
|
# - DirectoryManagerPassword |
|
# - AdminPassword |
|
# - UndercloudFQDN |
|
# - HostsSecret |
|
# - ProvisioningCIDR: If set, it adds the given CIDR to the provisioning |
|
# interface (which is hardcoded to eth1) |
|
# - UsingNovajoin: If unset, we pre-provision the service principals |
|
# needed for the overcloud deploy. If set, we skip this, |
|
# since novajoin will do it. |
|
# |
|
set -eux |
|
|
|
if [ -f "~/freeipa-setup.env" ]; then |
|
source ~/freeipa-setup.env |
|
elif [ -f "/tmp/freeipa-setup.env" ]; then |
|
source /tmp/freeipa-setup.env |
|
fi |
|
|
|
export Hostname=${Hostname:-""} |
|
export FreeIPAIP=${FreeIPAIP:-""} |
|
export DirectoryManagerPassword=${DirectoryManagerPassword:-""} |
|
export AdminPassword=${AdminPassword:-""} |
|
export UndercloudFQDN=${UndercloudFQDN:-""} |
|
export HostsSecret=${HostsSecret:-""} |
|
export ProvisioningCIDR=${ProvisioningCIDR:-""} |
|
export UsingNovajoin=${UsingNovajoin:-""} |
|
|
|
if [ -n "$ProvisioningCIDR" ]; then |
|
# Add address to provisioning network interface |
|
ip link set dev eth1 up |
|
ip addr add $ProvisioningCIDR dev eth1 |
|
fi |
|
|
|
# Set DNS servers |
|
echo "nameserver 8.8.8.8" >> /etc/resolv.conf |
|
echo "nameserver 8.8.4.4" >> /etc/resolv.conf |
|
|
|
yum -q -y remove openstack-dashboard |
|
|
|
# Install the needed packages |
|
yum -q install -y ipa-server ipa-server-dns epel-release rng-tools mod_nss git |
|
yum -q install -y haveged |
|
|
|
# Prepare hostname |
|
hostnamectl set-hostname --static $Hostname |
|
|
|
echo $FreeIPAIP `hostname` | tee -a /etc/hosts |
|
|
|
# Set iptables rules |
|
cat << EOF > freeipa-iptables-rules.txt |
|
# Firewall configuration written by system-config-firewall |
|
# Manual customization of this file is not recommended. |
|
*filter |
|
:INPUT ACCEPT [0:0] |
|
:FORWARD ACCEPT [0:0] |
|
:OUTPUT ACCEPT [0:0] |
|
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT |
|
-A INPUT -p icmp -j ACCEPT |
|
-A INPUT -i lo -j ACCEPT |
|
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT |
|
#TCP ports for FreeIPA |
|
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT |
|
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT |
|
-A INPUT -m state --state NEW -m tcp -p tcp --dport 389 -j ACCEPT |
|
-A INPUT -m state --state NEW -m tcp -p tcp --dport 636 -j ACCEPT |
|
-A INPUT -m state --state NEW -m tcp -p tcp --dport 88 -j ACCEPT |
|
-A INPUT -m state --state NEW -m tcp -p tcp --dport 464 -j ACCEPT |
|
-A INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT |
|
#UDP ports for FreeIPA |
|
-A INPUT -m state --state NEW -m udp -p udp --dport 88 -j ACCEPT |
|
-A INPUT -m state --state NEW -m udp -p udp --dport 464 -j ACCEPT |
|
-A INPUT -m state --state NEW -m udp -p udp --dport 123 -j ACCEPT |
|
-A INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT |
|
-A INPUT -j REJECT --reject-with icmp-host-prohibited |
|
-A FORWARD -j REJECT --reject-with icmp-host-prohibited |
|
COMMIT |
|
EOF |
|
|
|
iptables-restore < freeipa-iptables-rules.txt |
|
|
|
# Entropy generation; otherwise, ipa-server-install will lag. |
|
chkconfig haveged on |
|
systemctl start haveged |
|
|
|
# Remove conflicting httpd configuration |
|
rm -f /etc/httpd/conf.d/ssl.conf |
|
|
|
# Set up FreeIPA |
|
ipa-server-install -U -r `hostname -d|tr "[a-z]" "[A-Z]"` \ |
|
-p $DirectoryManagerPassword -a $AdminPassword \ |
|
--hostname `hostname -f` \ |
|
--ip-address=$FreeIPAIP \ |
|
--setup-dns --auto-forwarders --auto-reverse |
|
|
|
# Authenticate |
|
echo $AdminPassword | kinit admin |
|
|
|
# Verify we have TGT |
|
klist |
|
|
|
if [ "$?" = '1' ]; then |
|
exit 1 |
|
fi |
|
|
|
if [ -z "$UsingNovajoin" ]; then |
|
# Create undercloud host |
|
ipa host-add $UndercloudFQDN --password=$HostsSecret --force |
|
|
|
# Create overcloud nodes and services |
|
git clone https://github.com/JAORMX/freeipa-tripleo-incubator.git |
|
cd freeipa-tripleo-incubator |
|
python create_ipa_tripleo_host_setup.py -w $HostsSecret -d $(hostname -d) \ |
|
--controller-count 1 --compute-count 1 |
|
fi
|
|
|