diff options
Diffstat (limited to 'roles/atomic_proxy')
-rw-r--r-- | roles/atomic_proxy/README.md | 56 | ||||
-rw-r--r-- | roles/atomic_proxy/defaults/main.yml | 2 | ||||
-rw-r--r-- | roles/atomic_proxy/files/ctr-proxy-1.service | 37 | ||||
-rw-r--r-- | roles/atomic_proxy/files/ctr-proxy-monitoring-1.service | 37 | ||||
-rw-r--r-- | roles/atomic_proxy/files/ctr-proxy-puppet-1.service | 37 | ||||
-rw-r--r-- | roles/atomic_proxy/files/proxy_containers_deploy_descriptor.json | 29 | ||||
-rw-r--r-- | roles/atomic_proxy/files/puppet/auth.conf | 116 | ||||
-rwxr-xr-x | roles/atomic_proxy/files/setup-proxy-containers.sh | 43 | ||||
-rw-r--r-- | roles/atomic_proxy/handlers/main.yml | 2 | ||||
-rw-r--r-- | roles/atomic_proxy/meta/main.yml | 21 | ||||
-rw-r--r-- | roles/atomic_proxy/tasks/main.yml | 21 | ||||
-rw-r--r-- | roles/atomic_proxy/tasks/setup_puppet.yml | 24 | ||||
-rw-r--r-- | roles/atomic_proxy/templates/puppet/puppet.conf.j2 | 40 | ||||
-rwxr-xr-x | roles/atomic_proxy/templates/sync/sync-proxy-configs.sh.j2 | 16 | ||||
-rw-r--r-- | roles/atomic_proxy/vars/main.yml | 2 |
15 files changed, 483 insertions, 0 deletions
diff --git a/roles/atomic_proxy/README.md b/roles/atomic_proxy/README.md new file mode 100644 index 000000000..348eaee1f --- /dev/null +++ b/roles/atomic_proxy/README.md @@ -0,0 +1,56 @@ +Role Name +======== + +The purpose of this role is to do common configurations for all RHEL atomic hosts. + + +Requirements +------------ + +None + + +Role Variables +-------------- + +None + + +Dependencies +------------ + +None + + +Example Playbook +------------------------- + +From a group playbook: + + hosts: servers + roles: + - ../../roles/atomic_proxy + + +License +------- + +Copyright 2012-2014 Red Hat, Inc., All rights reserved. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. + + +Author Information +------------------ + +Thomas Wiest <twiest@redhat.com> diff --git a/roles/atomic_proxy/defaults/main.yml b/roles/atomic_proxy/defaults/main.yml new file mode 100644 index 000000000..0da428c27 --- /dev/null +++ b/roles/atomic_proxy/defaults/main.yml @@ -0,0 +1,2 @@ +--- +# defaults file for atomic_proxy diff --git a/roles/atomic_proxy/files/ctr-proxy-1.service b/roles/atomic_proxy/files/ctr-proxy-1.service new file mode 100644 index 000000000..c532eb8e8 --- /dev/null +++ b/roles/atomic_proxy/files/ctr-proxy-1.service @@ -0,0 +1,37 @@ + + +[Unit] +Description=Container proxy-1 + + +[Service] +Type=simple +TimeoutStartSec=5m +Slice=container-small.slice + +ExecStartPre=-/usr/bin/docker rm "proxy-1" + +ExecStart=/usr/bin/docker run --rm --name "proxy-1" \ + --volumes-from proxy-shared-data-1 \ + -a stdout -a stderr -p 80:80 -p 443:443 -p 4999:4999 \ + "proxy:latest" + +ExecStartPost=-/usr/bin/gear init --post "proxy-1" "proxy:latest" +ExecReload=-/usr/bin/docker stop "proxy-1" +ExecReload=-/usr/bin/docker rm "proxy-1" +ExecStop=-/usr/bin/docker stop "proxy-1" + +[Install] +WantedBy=container.target + +# Container information +X-ContainerId=proxy-1 +X-ContainerImage=proxy:latest +X-ContainerUserId= +X-ContainerRequestId=LwiWtYWaAvSavH6Ze53QJg +X-ContainerType=simple +X-PortMapping=80:80 +X-PortMapping=443:443 +X-PortMapping=4999:4999 + + diff --git a/roles/atomic_proxy/files/ctr-proxy-monitoring-1.service b/roles/atomic_proxy/files/ctr-proxy-monitoring-1.service new file mode 100644 index 000000000..7a91ea02c --- /dev/null +++ b/roles/atomic_proxy/files/ctr-proxy-monitoring-1.service @@ -0,0 +1,37 @@ + + +[Unit] +Description=Container proxy-monitoring-1 + + +[Service] +Type=simple +TimeoutStartSec=5m +Slice=container-small.slice + +ExecStartPre=-/usr/bin/docker rm "proxy-monitoring-1" + +ExecStart=/usr/bin/docker run --rm --name "proxy-monitoring-1" \ + --volumes-from proxy-shared-data-1 \ + -a stdout -a stderr \ + "monitoring:latest" + +ExecStartPost=-/usr/bin/gear init --post "proxy-monitoring-1" "monitoring:latest" +ExecReload=-/usr/bin/docker stop "proxy-monitoring-1" +ExecReload=-/usr/bin/docker rm "proxy-monitoring-1" +ExecStop=-/usr/bin/docker stop "proxy-monitoring-1" + +[Install] +WantedBy=container.target + +# Container information +X-ContainerId=proxy-monitoring-1 +X-ContainerImage=monitoring:latest +X-ContainerUserId= +X-ContainerRequestId=LwiWtYWaAvSavH6Ze53QJg +X-ContainerType=simple +X-PortMapping=80:80 +X-PortMapping=443:443 +X-PortMapping=4999:4999 + + diff --git a/roles/atomic_proxy/files/ctr-proxy-puppet-1.service b/roles/atomic_proxy/files/ctr-proxy-puppet-1.service new file mode 100644 index 000000000..c1f4d9b13 --- /dev/null +++ b/roles/atomic_proxy/files/ctr-proxy-puppet-1.service @@ -0,0 +1,37 @@ + + +[Unit] +Description=Container proxy-puppet-1 + + +[Service] +Type=simple +TimeoutStartSec=5m +Slice=container-small.slice + + +ExecStartPre=-/usr/bin/docker rm "proxy-puppet-1" + +ExecStart=/usr/bin/docker run --rm --name "proxy-puppet-1" \ + --volumes-from proxy-shared-data-1 \ + -v /var/lib/docker/volumes/proxy_puppet/var/lib/puppet/ssl:/var/lib/puppet/ssl \ + -v /var/lib/docker/volumes/proxy_puppet/etc/puppet:/etc/puppet \ + -a stdout -a stderr \ + "puppet:latest" +# Set links (requires container have a name) +ExecStartPost=-/usr/bin/gear init --post "proxy-puppet-1" "puppet:latest" +ExecReload=-/usr/bin/docker stop "proxy-puppet-1" +ExecReload=-/usr/bin/docker rm "proxy-puppet-1" +ExecStop=-/usr/bin/docker stop "proxy-puppet-1" + +[Install] +WantedBy=container.target + +# Container information +X-ContainerId=proxy-puppet-1 +X-ContainerImage=puppet:latest +X-ContainerUserId= +X-ContainerRequestId=Ky0lhw0onwoSDJR4GK6t3g +X-ContainerType=simple + + diff --git a/roles/atomic_proxy/files/proxy_containers_deploy_descriptor.json b/roles/atomic_proxy/files/proxy_containers_deploy_descriptor.json new file mode 100644 index 000000000..c15835d48 --- /dev/null +++ b/roles/atomic_proxy/files/proxy_containers_deploy_descriptor.json @@ -0,0 +1,29 @@ +{ + "Containers":[ + { + "Name":"proxy-puppet", + "Count":1, + "Image":"puppet:latest", + "PublicPorts":[ + ] + }, + { + "Name":"proxy", + "Count":1, + "Image":"proxy:latest", + "PublicPorts":[ + {"Internal":80,"External":80}, + {"Internal":443,"External":443}, + {"Internal":4999,"External":4999} + ] + }, + { + "Name":"proxy-monitoring", + "Count":1, + "Image":"monitoring:latest", + "PublicPorts":[ + ] + } + ], + "RandomizeIds": false +} diff --git a/roles/atomic_proxy/files/puppet/auth.conf b/roles/atomic_proxy/files/puppet/auth.conf new file mode 100644 index 000000000..b31906bae --- /dev/null +++ b/roles/atomic_proxy/files/puppet/auth.conf @@ -0,0 +1,116 @@ +# This is the default auth.conf file, which implements the default rules +# used by the puppet master. (That is, the rules below will still apply +# even if this file is deleted.) +# +# The ACLs are evaluated in top-down order. More specific stanzas should +# be towards the top of the file and more general ones at the bottom; +# otherwise, the general rules may "steal" requests that should be +# governed by the specific rules. +# +# See http://docs.puppetlabs.com/guides/rest_auth_conf.html for a more complete +# description of auth.conf's behavior. +# +# Supported syntax: +# Each stanza in auth.conf starts with a path to match, followed +# by optional modifiers, and finally, a series of allow or deny +# directives. +# +# Example Stanza +# --------------------------------- +# path /path/to/resource # simple prefix match +# # path ~ regex # alternately, regex match +# [environment envlist] +# [method methodlist] +# [auth[enthicated] {yes|no|on|off|any}] +# allow [host|backreference|*|regex] +# deny [host|backreference|*|regex] +# allow_ip [ip|cidr|ip_wildcard|*] +# deny_ip [ip|cidr|ip_wildcard|*] +# +# The path match can either be a simple prefix match or a regular +# expression. `path /file` would match both `/file_metadata` and +# `/file_content`. Regex matches allow the use of backreferences +# in the allow/deny directives. +# +# The regex syntax is the same as for Ruby regex, and captures backreferences +# for use in the `allow` and `deny` lines of that stanza +# +# Examples: +# +# path ~ ^/path/to/resource # Equivalent to `path /path/to/resource`. +# allow * # Allow all authenticated nodes (since auth +# # defaults to `yes`). +# +# path ~ ^/catalog/([^/]+)$ # Permit nodes to access their own catalog (by +# allow $1 # certname), but not any other node's catalog. +# +# path ~ ^/file_(metadata|content)/extra_files/ # Only allow certain nodes to +# auth yes # access the "extra_files" +# allow /^(.+)\.example\.com$/ # mount point; note this must +# allow_ip 192.168.100.0/24 # go ABOVE the "/file" rule, +# # since it is more specific. +# +# environment:: restrict an ACL to a comma-separated list of environments +# method:: restrict an ACL to a comma-separated list of HTTP methods +# auth:: restrict an ACL to an authenticated or unauthenticated request +# the default when unspecified is to restrict the ACL to authenticated requests +# (ie exactly as if auth yes was present). +# + +### Authenticated ACLs - these rules apply only when the client +### has a valid certificate and is thus authenticated + +# allow nodes to retrieve their own catalog +path ~ ^/catalog/([^/]+)$ +method find +allow $1 + +# allow nodes to retrieve their own node definition +path ~ ^/node/([^/]+)$ +method find +allow $1 + +# allow all nodes to access the certificates services +path /certificate_revocation_list/ca +method find +allow * + +# allow all nodes to store their own reports +path ~ ^/report/([^/]+)$ +method save +allow $1 + +# Allow all nodes to access all file services; this is necessary for +# pluginsync, file serving from modules, and file serving from custom +# mount points (see fileserver.conf). Note that the `/file` prefix matches +# requests to both the file_metadata and file_content paths. See "Examples" +# above if you need more granular access control for custom mount points. +path /file +allow * + +### Unauthenticated ACLs, for clients without valid certificates; authenticated +### clients can also access these paths, though they rarely need to. + +# allow access to the CA certificate; unauthenticated nodes need this +# in order to validate the puppet master's certificate +path /certificate/ca +auth any +method find +allow * + +# allow nodes to retrieve the certificate they requested earlier +path /certificate/ +auth any +method find +allow * + +# allow nodes to request a new certificate +path /certificate_request +auth any +method find, save +allow * + +# deny everything else; this ACL is not strictly necessary, but +# illustrates the default policy. +path / +auth any diff --git a/roles/atomic_proxy/files/setup-proxy-containers.sh b/roles/atomic_proxy/files/setup-proxy-containers.sh new file mode 100755 index 000000000..d047c96c1 --- /dev/null +++ b/roles/atomic_proxy/files/setup-proxy-containers.sh @@ -0,0 +1,43 @@ +#!/bin/bash + +function fail { + msg=$1 + echo + echo $msg + echo + exit 5 +} + + +NUM_DATA_CTR=$(docker ps -a | grep -c proxy-shared-data-1) +[ "$NUM_DATA_CTR" -ne 0 ] && fail "ERROR: proxy-shared-data-1 exists" + + +# pre-cache the container images +echo +timeout --signal TERM --kill-after 30 600 docker pull busybox:latest || fail "ERROR: docker pull of busybox failed" + +echo +# WORKAROUND: Setup the shared data container +/usr/bin/docker run --name "proxy-shared-data-1" \ + -v /shared/etc/haproxy \ + -v /shared/etc/httpd \ + -v /shared/etc/openshift \ + -v /shared/etc/pki \ + -v /shared/var/run/ctr-ipc \ + -v /shared/var/lib/haproxy \ + -v /shared/usr/local \ + "busybox:latest" true + +# WORKAROUND: These are because we're not using a pod yet +cp /usr/local/etc/ctr-proxy-1.service /usr/local/etc/ctr-proxy-puppet-1.service /usr/local/etc/ctr-proxy-monitoring-1.service /etc/systemd/system/ + +systemctl daemon-reload + +echo +echo -n "sleeping 10 seconds for systemd reload to take affect..." +sleep 10 +echo " Done." + +# Start the services +systemctl start ctr-proxy-puppet-1 ctr-proxy-1 ctr-proxy-monitoring-1 diff --git a/roles/atomic_proxy/handlers/main.yml b/roles/atomic_proxy/handlers/main.yml new file mode 100644 index 000000000..8de31258f --- /dev/null +++ b/roles/atomic_proxy/handlers/main.yml @@ -0,0 +1,2 @@ +--- +# handlers file for atomic_proxy diff --git a/roles/atomic_proxy/meta/main.yml b/roles/atomic_proxy/meta/main.yml new file mode 100644 index 000000000..a92d685b1 --- /dev/null +++ b/roles/atomic_proxy/meta/main.yml @@ -0,0 +1,21 @@ +--- +galaxy_info: + author: Thomas Wiest + description: Common base RHEL atomic configurations + company: Red Hat + # Some suggested licenses: + # - BSD (default) + # - MIT + # - GPLv2 + # - GPLv3 + # - Apache + # - CC-BY + license: Apache + min_ansible_version: 1.2 + platforms: + - name: EL + versions: + - 7 +dependencies: + # This is the role's PRIVATE counterpart, which is used. + - ../../../../../atomic_private/ansible/roles/atomic_proxy diff --git a/roles/atomic_proxy/tasks/main.yml b/roles/atomic_proxy/tasks/main.yml new file mode 100644 index 000000000..d5a5a0a47 --- /dev/null +++ b/roles/atomic_proxy/tasks/main.yml @@ -0,0 +1,21 @@ +--- +- name: upload sbin scripts + copy: > + src={{ item }} + dest=/usr/local/sbin/{{ item }} + mode=0750 + with_items: + - setup-proxy-containers.sh + +- name: upload /usr/local/etc files + copy: > + src={{ item }} + dest=/usr/local/etc/{{ item }} + mode=0640 + with_items: + - proxy_containers_deploy_descriptor.json + - ctr-proxy-1.service + - ctr-proxy-puppet-1.service + - ctr-proxy-monitoring-1.service + +- include: setup_puppet.yml diff --git a/roles/atomic_proxy/tasks/setup_puppet.yml b/roles/atomic_proxy/tasks/setup_puppet.yml new file mode 100644 index 000000000..e711d06c1 --- /dev/null +++ b/roles/atomic_proxy/tasks/setup_puppet.yml @@ -0,0 +1,24 @@ +--- +- name: make puppet conf dir + file: > + dest={{ oo_proxy_puppet_volume_dir }}/etc/puppet + mode=755 + owner=root + group=root + state=directory + +- name: upload puppet auth config + copy: > + src=puppet/auth.conf + dest={{ oo_proxy_puppet_volume_dir }}/etc/puppet/auth.conf + mode=0644 + owner=root + group=root + +- name: upload puppet config + template: > + src=puppet/puppet.conf.j2 + dest={{ oo_proxy_puppet_volume_dir }}/etc/puppet/puppet.conf + mode=0644 + owner=root + group=root diff --git a/roles/atomic_proxy/templates/puppet/puppet.conf.j2 b/roles/atomic_proxy/templates/puppet/puppet.conf.j2 new file mode 100644 index 000000000..9a47ab11c --- /dev/null +++ b/roles/atomic_proxy/templates/puppet/puppet.conf.j2 @@ -0,0 +1,40 @@ +[main] + # we need to override the host name of the container + certname = ctr-proxy.stg.rhcloud.com + + # The Puppet log directory. + # The default value is '$vardir/log'. + logdir = /var/log/puppet + + # Where Puppet PID files are kept. + # The default value is '$vardir/run'. + rundir = /var/run/puppet + + # Where SSL certificates are kept. + # The default value is '$confdir/ssl'. + ssldir = $vardir/ssl + manifest = $manifestdir/site.pp + manifestdir = /var/lib/puppet/environments/pub/$environment/manifests + environment = {{ oo_env_long }} + modulepath = /var/lib/puppet/environments/pub/$environment/modules:/var/lib/puppet/environments/pri/$environment/modules:/var/lib/puppet/environments/pri/production/modules:$confdir/modules:/usr/share/puppet/modules + +[agent] + # The file in which puppetd stores a list of the classes + # associated with the retrieved configuratiion. Can be loaded in + # the separate ``puppet`` executable using the ``--loadclasses`` + # option. + # The default value is '$confdir/classes.txt'. + classfile = $vardir/classes.txt + + # Where puppetd caches the local configuration. An + # extension indicating the cache format is added automatically. + # The default value is '$confdir/localconfig'. + localconfig = $vardir/localconfig + server = puppet.ops.rhcloud.com + environment = {{ oo_env_long }} + pluginsync = true + graph = true + configtimeout = 600 + report = true + runinterval = 3600 + splay = true diff --git a/roles/atomic_proxy/templates/sync/sync-proxy-configs.sh.j2 b/roles/atomic_proxy/templates/sync/sync-proxy-configs.sh.j2 new file mode 100755 index 000000000..d9aa2d811 --- /dev/null +++ b/roles/atomic_proxy/templates/sync/sync-proxy-configs.sh.j2 @@ -0,0 +1,16 @@ +#!/bin/bash + +VOL_DIR=/var/lib/docker/volumes/proxy +SSH_CMD="ssh -o StrictHostKeyChecking=no -o PasswordAuthentication=no -o ConnectTimeout=10 -o UserKnownHostsFile=/dev/null" + +mkdir -p ${VOL_DIR}/etc/haproxy/ +rsync -e "${SSH_CMD}" -va --progress root@proxy1.{{ oo_env }}.rhcloud.com:/etc/haproxy/ ${VOL_DIR}/etc/haproxy/ + +mkdir -p ${VOL_DIR}/etc/httpd/ +rsync -e "${SSH_CMD}" -va --progress root@proxy1.{{ oo_env }}.rhcloud.com:/etc/httpd/ ${VOL_DIR}/etc/httpd/ + +mkdir -p ${VOL_DIR}/etc/pki/tls/ +rsync -e "${SSH_CMD}" -va --progress root@proxy1.{{ oo_env }}.rhcloud.com:/etc/pki/tls/ ${VOL_DIR}/etc/pki/tls/ + +# We need to disable the haproxy chroot +sed -i -re 's/^(\s+)chroot/\1#chroot/' /var/lib/docker/volumes/proxy/etc/haproxy/haproxy.cfg diff --git a/roles/atomic_proxy/vars/main.yml b/roles/atomic_proxy/vars/main.yml new file mode 100644 index 000000000..1f90492fd --- /dev/null +++ b/roles/atomic_proxy/vars/main.yml @@ -0,0 +1,2 @@ +--- +oo_proxy_puppet_volume_dir: /var/lib/docker/volumes/proxy_puppet |