diff --git a/.gitignore b/.gitignore index 5c199eb..ef512e2 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,3 @@ # ---> Ansible *.retry - +*.log diff --git a/README.md b/README.md index d5e90d8..d279632 100644 --- a/README.md +++ b/README.md 
@@ -1,3 +1,338 @@ -# okdv3 +# OKD 3.11 Vagrant Development Environment -Creating OpenShift cluster in single node using Vagrant. \ No newline at end of file +A comprehensive Vagrant-based development environment for OKD (OpenShift Origin) 3.11, providing a multi-node cluster setup with authentication, persistent volumes, service registry, and S2I examples. + +## Table of Contents + +- [Overview](#overview) +- [Architecture](#architecture) +- [Prerequisites](#prerequisites) +- [Installation](#installation) +- [Configuration Options](#configuration-options) +- [Post-Installation Setup](#post-installation-setup) +- [Examples and Use Cases](#examples-and-use-cases) +- [Troubleshooting](#troubleshooting) +- [Advanced Configuration](#advanced-configuration) + +## Overview + +This project creates a complete OKD 3.11 cluster using Vagrant with the following features: + +- **Multi-node setup**: Master, worker nodes, and dedicated storage/services node +- **Automated provisioning**: Full cluster deployment with Ansible playbooks +- **Multiple deployment options**: Full cluster, all-in-one, or custom configurations +- **Comprehensive examples**: Authentication, persistent volumes, S2I builds, and more +- **Production-ready**: HAProxy load balancer configuration included + +## Architecture + +### Full Cluster Setup (Default) + +| Machine | Address | Memory | CPUs | Roles | +|---------------------|---------------|--------|------|--------------------------| +| okd.example.com | 172.27.11.10 | 8GB | 4 | master, infra, etcd | +| node1.example.com | 172.27.11.20 | 4GB | 2 | compute node | +| node2.example.com | 172.27.11.30 | 4GB | 2 | compute node | +| extras.example.com | 172.27.11.40 | 256MB | 1 | storage (NFS), LDAP | + +**Total Resources Required**: ~16.25GB RAM, 9 CPU cores + +### Network Configuration + +- **Private Network**: 172.27.11.0/24 +- **Public Access**: Through nip.io wildcard DNS (*.172-27-11-10.nip.io) +- **Load Balancer**: HAProxy configuration provided for 
production use + +## Prerequisites + +### Software Requirements + +- **Vagrant** (latest version) +- **VirtualBox** or **libvirt** (KVM) +- **Minimum 16GB RAM** available for full setup +- **~50GB disk space** for all VMs + +### Supported Platforms + +- Linux (recommended) +- macOS +- Windows (with some limitations) + +## Installation + +### Quick Start - Full Cluster + +```bash +git clone +cd okdv3 +vagrant up +``` + +The installation process will: +1. Create and configure 4 virtual machines +2. Install required packages and dependencies +3. Run Ansible playbooks for OKD installation: + - `/root/openshift-ansible/playbooks/prerequisites.yml` + - `/root/openshift-ansible/playbooks/deploy_cluster.yml` + +**⏱️ Installation Time**: 60-90 minutes depending on hardware + +### Low Memory Setup (8GB or less) + +For systems with limited memory, use the all-in-one configuration: + +```bash +git clone +cd okdv3 +mv Vagrantfile Vagrantfile.full +mv Vagrantfile.allinone Vagrantfile +vagrant up +``` + +This creates only 2 VMs: +- **Master**: 4GB RAM (all services) +- **Extras**: 256MB RAM (NFS + LDAP) + +## Configuration Options + +### Vagrant Provider Support + +The project supports both VirtualBox and libvirt providers: + +```ruby +# VirtualBox (default) +vagrant up + +# libvirt/KVM +vagrant up --provider=libvirt +``` + +### Memory Optimization + +To reduce memory usage, edit the Ansible inventory (`files/hosts`) and disable metrics: + +```ini +openshift_metrics_install_metrics=false +``` + +This reduces master memory requirements from 8GB to ~2GB. + +### Disabled Services (for performance) + +The following services are disabled by default: +- `openshift_logging_install_logging=false` +- `openshift_enable_olm=false` +- `openshift_enable_service_catalog=false` +- `openshift_cluster_monitoring_operator_install=false` + +## Post-Installation Setup + +### 1. 
Access the Web Console + +Add the hostname to your system's hosts file: + +**Linux/macOS**: +```bash +echo '172.27.11.10 okd.example.com' | sudo tee -a /etc/hosts +``` + +**Windows**: +Edit `C:\Windows\System32\drivers\etc\hosts` and add: +``` +172.27.11.10 okd.example.com +``` + +### 2. Login Credentials + +- **Web Console**: https://okd.example.com:8443 +- **Username**: `developer` +- **Password**: `4linux` + +### 3. Accept SSL Certificates + +Visit and accept the self-signed certificate for metrics: +- https://hawkular-metrics.172-27-11-10.nip.io + +### 4. CLI Access + +SSH into the master node: +```bash +vagrant ssh master +oc login -u developer -p 4linux +``` + +## Examples and Use Cases + +### 1. Authentication (examples/authentication/) + +Configure different authentication methods: +- **HTPasswd**: File-based authentication +- **LDAP**: Directory-based authentication (pre-configured) + +Example HTPasswd setup: +```bash +vagrant ssh master +sudo htpasswd -bc /etc/origin/master/htpasswd myuser mypassword +# Update master-config.yaml and restart services +``` + +### 2. Persistent Volumes (examples/persistent-volumes/) + +Pre-configured NFS storage on the extras node: + +```bash +# Create NFS exports on extras node +vagrant ssh extras +sudo mkdir -p /srv/nfs/v{0,1,2,3,4} +sudo chmod 0700 /srv/nfs/v{0,1,2,3,4} +sudo chown nfsnobody: /srv/nfs/v{0,1,2,3,4} + +# Enable SELinux for NFS on all nodes +sudo setsebool -P virt_use_nfs 1 +``` + +Deploy persistent volumes: +```bash +vagrant ssh master +oc create -f /vagrant/examples/persistent-volumes/nfs-pv.yml +oc create -f /vagrant/examples/persistent-volumes/cache-pvc.yml +``` + +### 3. Container Registry (examples/registry/) + +Set up and configure the integrated container registry for storing images. + +### 4. 
Source-to-Image (S2I) (examples/s2i/) + +Custom S2I builder for lighttpd web server: +- Custom Dockerfile +- Build and run scripts +- Example application template + +Deploy the S2I example: +```bash +vagrant ssh master +oc create -f /vagrant/examples/template/lighttpd.yml +oc new-app lighttpd-s2i +``` + +## Troubleshooting + +### Common Issues + +#### 1. Insufficient Memory +**Error**: VM fails to start or OKD pods crash +**Solution**: +- Use all-in-one configuration +- Disable metrics: Set `openshift_metrics_install_metrics=false` + +#### 2. Network Issues +**Error**: Cannot access web console +**Solution**: +- Verify hosts file entry +- Check VM network: `vagrant ssh master -c "ip addr show"` +- Ensure no firewall blocking ports 8443, 80, 443 + +#### 3. Certificate Issues +**Error**: SSL certificate warnings +**Solution**: +- Accept self-signed certificates in browser +- For CLI: `oc login --insecure-skip-tls-verify=true` + +#### 4. Storage Issues +**Error**: PVCs stuck in pending +**Solution**: +```bash +# Check NFS service on extras node +vagrant ssh extras +sudo systemctl status nfs-server + +# Verify exports +sudo exportfs -v +``` + +### Debugging Commands + +```bash +# Check cluster status +vagrant ssh master +oc get nodes +oc get pods --all-namespaces + +# Check services +sudo systemctl status origin-master-api +sudo systemctl status origin-master-controllers + +# View logs +sudo journalctl -u origin-master-api -f +sudo journalctl -u origin-master-controllers -f +``` + +## Advanced Configuration + +### Custom Ansible Inventory + +The main configuration is in `files/hosts`. 
Key sections: + +```ini +[OSEv3:vars] +# Authentication +openshift_master_identity_providers=[{'name': 'HTPASSWD', 'challenge': 'true', 'login': 'true', 'kind':'HTPasswdPasswordIdentityProvider', 'mappingMethod': 'claim'}] + +# Networking +openshift_master_default_subdomain='172-27-11-10.nip.io' + +# Docker configuration +openshift_docker_options='--selinux-enabled --log-driver=journald --signature-verification=false --insecure-registry=172.30.0.0/16 --exec-opt native.cgroupdriver=systemd' + +# Disable checks (for development) +openshift_disable_check='disk_availability,memory_availability,docker_storage,package_availability,docker_image_availability,package_version' +``` + +### HAProxy Configuration + +Production-ready HAProxy configuration is provided in `haproxy/` directory: +- Load balancer configuration +- SSL termination +- Backend mapping for OpenShift routes + +### Provisioning Scripts + +Custom provisioning scripts in `provision/` directory: +- `master.sh`: Master node setup +- `node.sh`: Worker node configuration +- `extras.sh`: Storage and LDAP setup +- `allinone.sh`: All-in-one deployment + +### File Structure + +``` +okdv3/ +├── Vagrantfile # Main cluster configuration +├── Vagrantfile.allinone # Single-node configuration +├── Vagrantfile.full # Full cluster backup +├── files/ +│ ├── hosts # Ansible inventory +│ ├── hosts-allinone # Single-node inventory +│ ├── key # SSH private key +│ ├── key.pub # SSH public key +│ └── *.ldif # LDAP configuration +├── provision/ # Provisioning scripts +├── examples/ # Usage examples +│ ├── authentication/ # Auth configuration +│ ├── persistent-volumes/ # Storage examples +│ ├── registry/ # Container registry +│ ├── s2i/ # Source-to-Image +│ └── template/ # Application templates +└── haproxy/ # Load balancer config +``` + +--- + +## Contributing + +Feel free to submit issues, feature requests, and pull requests to improve this OKD development environment. 
+ +## License + +This project is provided as-is for educational and development purposes. diff --git a/Vagrantfile b/Vagrantfile new file mode 100644 index 0000000..5fb49e9 --- /dev/null +++ b/Vagrantfile @@ -0,0 +1,34 @@ +# -*- mode: ruby -*- +# vi: set ft=ruby : + +vms = { + 'node1' => {'memory' => '4096', 'cpus' => 2, 'ip' => '20', 'host' => 'node1', 'provision' => 'node.sh'}, + 'node2' => {'memory' => '4096', 'cpus' => 2, 'ip' => '30', 'host' => 'node2', 'provision' => 'node.sh'}, + 'extras' => {'memory' => '256', 'cpus' => 1, 'ip' => '40', 'host' => 'extras', 'provision' => 'extras.sh'}, + 'master' => {'memory' => '8192', 'cpus' => 4, 'ip' => '10', 'host' => 'okd', 'provision' => 'master.sh'} +} + +Vagrant.configure('2') do |config| + + config.vm.box = 'centos/7' + config.vm.box_check_update = false + + vms.each do |name, conf| + config.vm.define "#{name}" do |k| + k.vm.hostname = "#{conf['host']}.example.com" + k.vm.network 'private_network', ip: "172.27.11.#{conf['ip']}" + k.vm.provider 'virtualbox' do |vb| + vb.memory = conf['memory'] + vb.cpus = conf['cpus'] + end + k.vm.provider 'libvirt' do |lv| + lv.memory = conf['memory'] + lv.cpus = conf['cpus'] + lv.cputopology :sockets => 1, :cores => conf['cpus'], :threads => '1' + end + k.vm.provision 'shell', path: "provision/#{conf['provision']}" + end + end + + config.vm.provision 'shell', path: 'provision/provision.sh' +end diff --git a/Vagrantfile.allinone b/Vagrantfile.allinone new file mode 100644 index 0000000..7c07b55 --- /dev/null +++ b/Vagrantfile.allinone 
@@ -0,0 +1,32 @@ +# -*- mode: ruby -*- +# vi: set ft=ruby : + +vms = { + 'extras' => {'memory' => '256', 'cpus' => 1, 'ip' => '40', 'host' => 'extras', 'provision' => 'extras.sh'}, + 'master' => {'memory' => '4096', 'cpus' => 4, 'ip' => '10', 'host' => 'okd', 'provision' => 'allinone.sh'} +} + +Vagrant.configure('2') do |config| + + config.vm.box = 'centos/7' + config.vm.box_check_update = false + + vms.each do |name, conf| + config.vm.define "#{name}" do |k| + k.vm.hostname = "#{conf['host']}.example.com" + k.vm.network 'private_network', ip: "172.27.11.#{conf['ip']}" + k.vm.provider 'virtualbox' do |vb| + vb.memory = conf['memory'] + vb.cpus = conf['cpus'] + end + k.vm.provider 'libvirt' do |lv| + lv.memory = conf['memory'] + lv.cpus = conf['cpus'] + lv.cputopology :sockets => 1, :cores => conf['cpus'], :threads => '1' + end + k.vm.provision 'shell', path: "provision/#{conf['provision']}" + end + end + + config.vm.provision 'shell', path: 'provision/provision.sh' +end diff --git a/Vagrantfile.full b/Vagrantfile.full new file mode 100644 index 0000000..fae052c --- /dev/null +++ b/Vagrantfile.full 
@@ -0,0 +1,34 @@ +# -*- mode: ruby -*- +# vi: set ft=ruby : + +vms = { + 'node1' => {'memory' => '2048', 'cpus' => 2, 'ip' => '20', 'host' => 'node1', 'provision' => 'node.sh'}, + 'node2' => {'memory' => '2048', 'cpus' => 2, 'ip' => '30', 'host' => 'node2', 'provision' => 'node.sh'}, + 'extras' => {'memory' => '256', 'cpus' => 1, 'ip' => '40', 'host' => 'extras', 'provision' => 'extras.sh'}, + 'master' => {'memory' => '6144', 'cpus' => 4, 'ip' => '10', 'host' => 'okd', 'provision' => 'master.sh'} +} + +Vagrant.configure('2') do |config| + + config.vm.box = 'centos/7' + config.vm.box_check_update = false + + vms.each do |name, conf| + config.vm.define "#{name}" do |k| + k.vm.hostname = "#{conf['host']}.example.com" + k.vm.network 'private_network', ip: "172.27.11.#{conf['ip']}" + k.vm.provider 'virtualbox' do |vb| + vb.memory = conf['memory'] + vb.cpus = conf['cpus'] + end + k.vm.provider 'libvirt' do |lv| + lv.memory = conf['memory'] + lv.cpus = conf['cpus'] + lv.cputopology :sockets => 1, :cores => conf['cpus'], :threads => '1' + end + k.vm.provision 'shell', path: "provision/#{conf['provision']}" + end + end + + config.vm.provision 'shell', path: 'provision/provision.sh' +end diff --git a/examples/authentication/README.md b/examples/authentication/README.md new file mode 100644 index 0000000..416de99 --- /dev/null +++ b/examples/authentication/README.md 
@@ -0,0 +1,47 @@ +OKD - Authentication +==================== + +OKD suport a lot of authentication methods such as LDAP, HTPasswd, Keystone and so on. +By default OKD will grant access to any user and any password because **AllowAllPasswordIdentityProvider** is probably enabled. + +HTPasswd +-------- + +Just to simplify and create the simplest secure authentication, login through ssh in [okd.example.com:8443](okd.example.com:8443) and create an **htpasswd** file with an user and a password: + + htpasswd -bc /etc/origin/master/htpasswd okd pass123 + +Verify if the password match the user you choose: + + htpasswd -v /etc/origin/master/htpasswd okd + +Now, go to the **master-config.yml** in */etc/origin/master/master-config.yaml* and change the only **identityProvider**: + + ... + identityProviders: + - challenge: true + login: true + mappingMethod: claim + name: allow_all + provider: + apiVersion: v1 + kind: AllowAllPasswordIdentityProvider + ... + - name: htpasswd + challenge: true + login: true + mappingMethod: claim + provider: + apiVersion: v1 + kind: HTPasswdPasswordIdentityProvider + file: /etc/origin/master/htpasswd + +Restar the master api and controllers to apply the new configuration: + + /usr/local/bin/master-restart api + /usr/local/bin/master-restart controllers + +Try login trough the **webconsole** or **cli** and after that you can see the user you created with: + + oc get user + oc get identity diff --git a/examples/persistent-volumes/README.md b/examples/persistent-volumes/README.md new file mode 100644 index 0000000..30d2374 --- /dev/null +++ b/examples/persistent-volumes/README.md 
@@ -0,0 +1,119 @@ +OKD - Volumes +============= + +Volumes is a way that containers can share data between pods. Persistent Volumes is the way that pods can share volumes between another pods or even clusters. + +Once you had provisioned your OKD cluster, you can go to the **storage** machine and create some NFS mount points: + +``` +mkdir -p /srv/nfs/v{0,1,2,3,4} +chmod 0700 /srv/nfs/v{0,1,2,3,4} +chown nfsnobody: /srv/nfs/v{0,1,2,3,4} + +cat > /etc/exports < 5000/TCP 3d +``` + +E faça login utilizando o comando **docker** e o token do usuário: + +``` +docker login -u user -p $(oc whoami -t) 172.30.136.192:5000 +``` + +Podemos utilizar o exemplo de s2i gerado nos tutoriais presentes neste repositório, para isso será preciso gerar uma nova tag para a imagem e então enviá-la para o registry: + +``` +docker tag lighttpd-centos7 172.30.136.192:5000/openshift/lighttpd-centos7 +docker push 172.30.136.192:5000/openshift/lighttpd-centos7 +oc get images | grep lighttpd-centos7 +``` + +Subindo no namespace **openshift** esta imagem ficará disponível para todo os projetos. Mas também é possível subir em qualquer outro namespace. + +### Certificado auto-assinado + +Caso o registry utilize um certificado auto-assinado, você pode adicionar a faixa de IP do OKD dentro da diretiva **insecure-registry** do Docker: + +**/etc/sysconfig/docker** +``` +# /etc/sysconfig/docker + +# Modify these options if you want to change the way the docker daemon runs +OPTIONS=' --selinux-enabled --signature-verification=False --insecure-registry=172.30.0.0/16' +... +``` diff --git a/examples/s2i/Dockerfile b/examples/s2i/Dockerfile new file mode 100644 index 0000000..f5dc884 --- /dev/null +++ b/examples/s2i/Dockerfile 
@@ -0,0 +1,42 @@ +# lighttpd-centos7 +FROM openshift/base-centos7 + +# TODO: Put the maintainer name in the image metadata +LABEL maintainer="Hector Vido " + +# TODO: Rename the builder environment variable to inform users about application you provide them +ENV LIGHTTPD_VERSION=1.4.53 + +# TODO: Set labels used in OpenShift to describe the builder image +LABEL io.k8s.description="Platform for serving static HTML files" \ + io.k8s.display-name="Lighttpd 1.4.53" \ + io.openshift.expose-services="8080:http" \ + io.openshift.tags="builder,html,lighttpd" + +# TODO: Install required packages here: +# RUN yum install -y ... && yum clean all -y +RUN yum install -y epel-release && yum install -y lighttpd && yum clean all -y + +# TODO (optional): Copy the builder files into /opt/app-root +# COPY .// /opt/app-root/ +# Defines the location of the S2I +LABEL io.openshift.s2i.scripts-url=image:///usr/libexec/s2i + +# TODO: Copy the S2I scripts to /usr/libexec/s2i, since openshift/base-centos7 image +# sets io.openshift.s2i.scripts-url label that way, or update that label +COPY ./s2i/bin/ /usr/libexec/s2i + +# Copy the lighttpd configuration file +COPY ./etc/ /opt/app-root/etc + +# TODO: Drop the root user and make the content of /opt/app-root owned by user 1001 +RUN chown -R 1001:1001 /opt/app-root + +# This default user is created in the openshift/base-centos7 image +USER 1001 + +# TODO: Set the default port for applications built using this image +EXPOSE 8080 + +# TODO: Set the default CMD for the image +CMD ["/usr/libexec/s2i/usage"] diff --git a/examples/s2i/README.md b/examples/s2i/README.md new file mode 100644 index 0000000..ef39361 --- /dev/null +++ b/examples/s2i/README.md 
@@ -0,0 +1,218 @@ +Source to Image - s2i +===================== + +Este tutorial é uma leve modificação de [https://blog.openshift.com/create-s2i-builder-image/](https://blog.openshift.com/create-s2i-builder-image/). + +O s2i é uma ferramenta muito útil para criar imagens construtoras, muito utilizada no **Openshift 3**. +A principal vantagem é prevenir que os desenvolvedores utilizem comandos de sistema durante a criação da imagem e fornecer um ambiente padrão de boas práticas para suas aplicações. + +Baixe o binário **s2i** em [https://github.com/openshift/source-to-image/releases/tag/v1.1.14](https://github.com/openshift/source-to-image/releases/tag/v1.1.14) e instale em sua máquina: + +## Primeiro + +``` +wget https://github.com/openshift/source-to-image/releases/download/v1.1.14/source-to-image-v1.1.14-874754de-linux-amd64.tar.gz +tar -xzf source-to-image-v1.1.14-874754de-linux-amd64.tar.gz +mv s2i /usr/bin/ +``` +## Segundo + +O seguinte comando criará uma pasta chamada **s2i-lighttpd** que ao final criará uma imagem chamada **lighttpd-centos7**: + +``` +s2i create lighttpd-centos7 s2i-lighttpd +``` + +O conteúdo do diretório será semelhante ao seguinte: + +``` +find s2i-lighttpd/ + +s2i-lighttpd/ +s2i-lighttpd/s2i +s2i-lighttpd/s2i/bin +s2i-lighttpd/s2i/bin/assemble +s2i-lighttpd/s2i/bin/run +s2i-lighttpd/s2i/bin/usage +s2i-lighttpd/s2i/bin/save-artifacts +s2i-lighttpd/Dockerfile +s2i-lighttpd/README.md +s2i-lighttpd/test +s2i-lighttpd/test/test-app +s2i-lighttpd/test/test-app/index.html +s2i-lighttpd/test/run +s2i-lighttpd/Makefile +``` + +## Terceiro + +Modifique o Dockerfile para que fique semelhante ao conteúdo a seguir: + +**Dockerfile** + +``` +# lighttpd-centos7 +FROM openshift/base-centos7 + +# TODO: Put the maintainer name in the image metadata +LABEL maintainer="Hector Vido " + +# TODO: Rename the builder environment variable to inform users about application you provide them +ENV LIGHTTPD_VERSION=1.4.53 + +# TODO: Set labels used in OpenShift to 
describe the builder image +LABEL io.k8s.description="Platform for serving static HTML files" \ + io.k8s.display-name="Lighttpd 1.4.53" \ + io.openshift.expose-services="8080:http" \ + io.openshift.tags="builder,html,lighttpd" + +# TODO: Install required packages here: +# RUN yum install -y ... && yum clean all -y +RUN yum install -y epel-release && yum install -y lighttpd && yum clean all -y + +# TODO (optional): Copy the builder files into /opt/app-root +# COPY .// /opt/app-root/ +# Defines the location of the S2I +LABEL io.openshift.s2i.scripts-url=image:///usr/libexec/s2i + +# TODO: Copy the S2I scripts to /usr/libexec/s2i, since openshift/base-centos7 image +# sets io.openshift.s2i.scripts-url label that way, or update that label +COPY ./s2i/bin/ /usr/libexec/s2i + +# Copy the lighttpd configuration file +COPY ./etc/ /opt/app-root/etc + +# TODO: Drop the root user and make the content of /opt/app-root owned by user 1001 +RUN chown -R 1001:1001 /opt/app-root + +# This default user is created in the openshift/base-centos7 image +USER 1001 + +# TODO: Set the default port for applications built using this image +EXPOSE 8080 + +# TODO: Set the default CMD for the image +CMD ["/usr/libexec/s2i/usage"] +``` + +## Quarto + +Modifique o arquivo responsável pela construção da aplicação: + +**s2i/bin/assemble** +``` +#!/bin/bash -e +# +# S2I assemble script for the 'lighttpd-centos7' image. +# The 'assemble' script builds your application source so that it is ready to run. +# +# For more information refer to the documentation: +# https://github.com/openshift/source-to-image/blob/master/docs/builder_image.md +# + +# If the 'lighttpd-centos7' assemble script is executed with the '-h' flag, print the usage. +if [[ "$1" == "-h" ]]; then + exec /usr/libexec/s2i/usage +fi + +echo "---> Installing application source..." +cp -Rf /tmp/src/. 
./ +``` + +## Quinto + +Modifique o arquivo responsável por iniciar a aplicação: + +**s2i/bin/run** +``` +#!/bin/bash -e +# +# S2I run script for the 'lighttpd-centos7' image. +# The run script executes the server that runs your application. +# +# For more information see the documentation: +# https://github.com/openshift/source-to-image/blob/master/docs/builder_image.md +# + +exec lighttpd -D -f /opt/app-root/etc/lighttpd.conf +``` + +## Sexto + +Dentro do arquivo *usage* colocaremos informações de como utilizar a imagem: + + +**s2i/bin/usage** +``` +#!/bin/bash -e + +cat < "text/html", + ".txt" => "text/plain", + ".jpg" => "image/jpeg", + ".png" => "image/png" +) +``` + +## Oitavo + +Feito isso, construa a aplicação com o **make**, que internamente está chamando o comando *docker build*: + + +``` +make +``` + +## Nono + +Para ver a execução do script **usage**, basta rodar a imagem: + +``` +docker run lighttpd-centos7 + +This is the lighttpd-centos7 S2I image: +To use it, install S2I: https://github.com/openshift/source-to-image + +Sample invocation: + +s2i build https://github.com/hector-vido/sti-lighttpd.git lighttpd-centos7 lighttpd-ex + +You can then run the resulting image via: +docker run -p 8080:8080 lighttpd-ex +``` + +Como estamos construindo nossa imagem, podemos jogar arquivos HTML dentro do diretório **test/test-app/** e executar o comando *s2i build test/test-app/ lighttpd-centos7 lighttpd-ex*. Mas como o repositório indicado existe, vamos utilizá-lo: + +``` +s2i build https://github.com/hector-vido/sti-lighttpd.git lighttpd-centos7 lighttpd-ex +docker run -p 8080:8080 lighttpd-ex +``` diff --git a/examples/s2i/assemble b/examples/s2i/assemble new file mode 100644 index 0000000..bb7e414 --- /dev/null +++ b/examples/s2i/assemble 
@@ -0,0 +1,16 @@ +#!/bin/bash -e +# +# S2I assemble script for the 'lighttpd-centos7' image. +# The 'assemble' script builds your application source so that it is ready to run. +# +# For more information refer to the documentation: +# https://github.com/openshift/source-to-image/blob/master/docs/builder_image.md +# + +# If the 'lighttpd-centos7' assemble script is executed with the '-h' flag, print the usage. +if [[ "$1" == "-h" ]]; then + exec /usr/libexec/s2i/usage +fi + +echo "---> Installing application source..." +cp -Rf /tmp/src/. ./ diff --git a/examples/s2i/lighttpd.conf b/examples/s2i/lighttpd.conf new file mode 100644 index 0000000..9abba0d --- /dev/null +++ b/examples/s2i/lighttpd.conf @@ -0,0 +1,16 @@ +# directory where the documents will be served from +server.document-root = "/opt/app-root/src" + +# port the server listens on +server.port = 8080 + +# default file if none is provided in the URL +index-file.names = ( "index.html" ) + +# configure specific mimetypes, otherwise application/octet-stream will be used for every file +mimetype.assign = ( + ".html" => "text/html", + ".txt" => "text/plain", + ".jpg" => "image/jpeg", + ".png" => "image/png" +) diff --git a/examples/s2i/run b/examples/s2i/run new file mode 100644 index 0000000..d6895b1 --- /dev/null +++ b/examples/s2i/run @@ -0,0 +1,10 @@ +#!/bin/bash -e +# +# S2I run script for the 'lighttpd-centos7' image. +# The run script executes the server that runs your application. +# +# For more information see the documentation: +# https://github.com/openshift/source-to-image/blob/master/docs/builder_image.md +# + +exec lighttpd -D -f /opt/app-root/etc/lighttpd.conf diff --git a/examples/s2i/usage b/examples/s2i/usage new file mode 100644 index 0000000..c472876 --- /dev/null +++ b/examples/s2i/usage 
@@ -0,0 +1,12 @@ +#!/bin/bash -e +cat < lighttpd.yml +``` + +Faça as modificações que achar pertinente e então adicione o novo template no cluster: + +``` +oc apply -f lighttpd.yml +``` + +Os ícones utilizados podem ser do próprio **Openshift**: + +[https://rawgit.com/openshift/openshift-logos-icon/master/demo.html](https://rawgit.com/openshift/openshift-logos-icon/master/demo.html) + +Ou do **font awesome** versão 4: + +[https://fontawesome.com/v4.7.0/icons/](https://fontawesome.com/v4.7.0/icons/) diff --git a/examples/template/lighttpd.yml b/examples/template/lighttpd.yml new file mode 100644 index 0000000..0e01c14 --- /dev/null +++ b/examples/template/lighttpd.yml 
@@ -0,0 +1,210 @@ +apiVersion: template.openshift.io/v1 +kind: Template +labels: + app: lighttpd-example + template: lighttpd-example +message: |- + The following service(s) have been created in your project: ${NAME}. + + For more information about using this template, including OKD considerations, see https://raw.githubusercontent.com/hector-vido/lighttpd-ex/master/README.md. +metadata: + annotations: + description: An example Lighttpd HTTP Server application that serves static + content. For more information about using this template, including OpenShift + considerations, see https://raw.githubusercontent.com/hector-vido/lighttpd-ex/master/README.md. + iconClass: "fa fa-paper-plane-o" + openshift.io/display-name: Lighttpd Server + openshift.io/documentation-url: https://github.com/hector-vido/lighttpd-ex + openshift.io/long-description: This template defines resources needed to develop + a static application served by Lighttpd Server, including a build + configuration, application deployment configuration and HPA. 
+ openshift.io/provider-display-name: $Linux + openshift.io/support-url: https://www.hector-vido.com.br + tags: quickstart,lighttpd + template.openshift.io/bindable: "false" + name: lighttpd-example + namespace: openshift +objects: +- apiVersion: v1 + kind: Service + metadata: + annotations: + description: Exposes and load balances the application pods + name: ${NAME} + spec: + ports: + - name: web + port: 8080 + targetPort: 8080 + selector: + name: ${NAME} +- apiVersion: v1 + kind: Route + metadata: + name: ${NAME} + spec: + host: ${APPLICATION_DOMAIN} + to: + kind: Service + name: ${NAME} +- apiVersion: v1 + kind: ImageStream + metadata: + annotations: + description: Keeps track of changes in the application image + name: ${NAME} +- apiVersion: v1 + kind: BuildConfig + metadata: + annotations: + description: Defines how to build the application + template.alpha.openshift.io/wait-for-ready: "true" + name: ${NAME} + spec: + output: + to: + kind: ImageStreamTag + name: ${NAME}:latest + source: + contextDir: ${CONTEXT_DIR} + git: + ref: ${SOURCE_REPOSITORY_REF} + uri: ${SOURCE_REPOSITORY_URL} + type: Git + strategy: + sourceStrategy: + from: + kind: ImageStreamTag + name: lighttpd-centos7:latest + namespace: ${NAMESPACE} + type: Source + triggers: + - type: ImageChange + - type: ConfigChange + - github: + secret: ${GITHUB_WEBHOOK_SECRET} + type: GitHub + - generic: + secret: ${GENERIC_WEBHOOK_SECRET} + type: Generic +- apiVersion: v1 + kind: DeploymentConfig + metadata: + annotations: + description: Defines how to deploy the application server + template.alpha.openshift.io/wait-for-ready: "true" + name: ${NAME} + spec: + replicas: 1 + selector: + name: ${NAME} + strategy: + type: Rolling + template: + metadata: + labels: + name: ${NAME} + name: ${NAME} + spec: + containers: + - env: [] + image: ' ' + livenessProbe: + httpGet: + path: / + port: 8080 + initialDelaySeconds: 30 + timeoutSeconds: 3 + name: lighttpd + ports: + - containerPort: 8080 + readinessProbe: + 
httpGet: + path: / + port: 8080 + initialDelaySeconds: 3 + timeoutSeconds: 3 + resources: + limits: + cpu: ${CPU_LIMIT} + memory: ${MEMORY_LIMIT} + requests: + cpu: ${CPU_LIMIT} + memory: ${MEMORY_LIMIT} + triggers: + - imageChangeParams: + automatic: true + containerNames: + - lighttpd + from: + kind: ImageStreamTag + name: ${NAME}:latest + type: ImageChange + - type: ConfigChange +- apiVersion: autoscaling/v1 + kind: HorizontalPodAutoscaler + metadata: + creationTimestamp: null + name: ${NAME} + spec: + maxReplicas: 5 + minReplicas: 1 + scaleTargetRef: + apiVersion: apps.openshift.io/v1 + kind: DeploymentConfig + name: ${NAME} + targetCPUUtilizationPercentage: ${CPU_PERCENT} +parameters: +- description: The name assigned to all of the frontend objects defined in this template. + displayName: Name + name: NAME + required: true + value: lighttpd-example +- description: The OpenShift Namespace where the ImageStream resides. + displayName: Namespace + name: NAMESPACE + required: true + value: openshift +- description: Maximum amount of memory the container can use. + displayName: Memory Limit + name: MEMORY_LIMIT + required: true + value: 128Mi +- description: Maximum % of vcore the container can use. + displayName: CPU Limit + name: CPU_LIMIT + required: true + value: 200m +- description: Maximum % usage to activate autoscaling. + displayName: CPU Percent + name: CPU_PERCENT + required: true + value: "80" +- description: The URL of the repository with your application source code. + displayName: Git Repository URL + name: SOURCE_REPOSITORY_URL + required: true + value: https://github.com/hector-vido/lighttpd-ex.git +- description: Set this to a branch name, tag or other ref of your repository if you + are not using the default branch. + displayName: Git Reference + name: SOURCE_REPOSITORY_REF +- description: Set this to the relative path to your project if it is not in the root + of your repository. 
+ displayName: Context Directory + name: CONTEXT_DIR +- description: The exposed hostname that will route to the httpd service, if left + blank a value will be defaulted. + displayName: Application Hostname + name: APPLICATION_DOMAIN +- description: Github trigger secret. A difficult to guess string encoded as part + of the webhook URL. Not encrypted. + displayName: GitHub Webhook Secret + from: '[a-zA-Z0-9]{40}' + generate: expression + name: GITHUB_WEBHOOK_SECRET +- description: A secret string used to configure the Generic webhook. + displayName: Generic Webhook Secret + from: '[a-zA-Z0-9]{40}' + generate: expression + name: GENERIC_WEBHOOK_SECRET diff --git a/files/ansible.cfg b/files/ansible.cfg new file mode 100644 index 0000000..9d39b6b --- /dev/null +++ b/files/ansible.cfg 
@@ -0,0 +1,43 @@ +# config file for ansible -- http://ansible.com/ +# ============================================== + +# This config file provides examples for running +# the OpenShift playbooks with the provided +# inventory scripts. + +[defaults] +# Set the log_path +log_path = ~/openshift-ansible.log + +# Additional default options for OpenShift Ansible +forks = 20 +host_key_checking = False +retry_files_enabled = False +retry_files_save_path = ~/ansible-installer-retries +nocows = True +remote_user = root +roles_path = roles/ +gathering = smart +fact_caching = jsonfile +fact_caching_connection = $HOME/ansible/facts +fact_caching_timeout = 600 +callback_whitelist = profile_tasks +inventory_ignore_extensions = secrets.py, .pyc, .cfg, .crt, .ini +# work around privilege escalation timeouts in ansible: +timeout = 30 + +# Uncomment to use the provided example inventory +#inventory = inventory/hosts.example + +[inventory] +# fail more helpfully when the inventory file does not parse (Ansible 2.4+) +unparsed_is_failed=true + +# Additional ssh options for OpenShift Ansible +[ssh_connection] +pipelining = True +ssh_args = -o ControlMaster=auto -o ControlPersist=600s +timeout = 10 +# shorten the ControlPath which is often too long; when it is, +# ssh connection reuse silently fails, making everything slower. +control_path = %(directory)s/%%h-%%r diff --git a/files/base.ldif b/files/base.ldif new file mode 100644 index 0000000..99015a4 --- /dev/null +++ b/files/base.ldif @@ -0,0 +1,13 @@ +dn: dc=extras,dc=example,dc=com +dc: extras +o: Origin Kubernetes Distribution LDAP +objectclass: organization +objectclass: dcObject + +dn: ou=users,dc=extras,dc=example,dc=com +objectClass: organizationalUnit +ou: users + +dn: ou=groups,dc=extras,dc=example,dc=com +objectClass: organizationalUnit +ou: groups diff --git a/files/groups.ldif b/files/groups.ldif new file mode 100644 index 0000000..203233a --- /dev/null +++ b/files/groups.ldif 
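Review bot: `host_key_checking = False` is already uncommented in this copy of ansible.cfg, so the `sed -i -e "s/#host_key_checking/host_key_checking/"` in provision/allinone.sh is a no-op, and there is no `#private_key_file = /path/to/file` line here for the second sed in that script to match; it only works because the key is copied to root's default `~/.ssh/id_rsa`. Either drop both seds or add an explicit `private_key_file = /root/.ssh/id_rsa` under `[defaults]` so the intent is visible. Disabling host key checking is acceptable for a throwaway Vagrant lab, but say so in a comment; `log_path = ~/openshift-ansible.log` also means every playbook run (including any `-v` output) lands in root's home on the master.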
@@ -0,0 +1,14 @@ +dn: cn=admins,ou=groups,dc=extras,dc=example,dc=com +objectClass: top +objectClass: posixGroup +cn: admins +gidNumber: 10000 +memberUid: ronnie.james + +dn: cn=users,ou=groups,dc=extras,dc=example,dc=com +objectClass: top +objectClass: posixGroup +cn: users +gidNumber: 10001 +memberUid: lou.gramm +memberUid: tina.turner diff --git a/files/hosts b/files/hosts new file mode 100644 index 0000000..f184454 --- /dev/null +++ b/files/hosts @@ -0,0 +1,30 @@ +[OSEv3:children] +masters +nodes +etcd + +[OSEv3:vars] +ansible_ssh_user=root +openshift_enable_olm=false +openshift_deployment_type=origin +openshift_enable_service_catalog=false +openshift_metrics_install_metrics=true +openshift_logging_install_logging=false +openshift_cluster_monitoring_operator_install=false +openshift_master_default_subdomain='172-27-11-10.nip.io' +openshift_disable_check='disk_availability,memory_availability,docker_storage,package_availability,docker_image_availability,package_version' +openshift_docker_options='--selinux-enabled --log-driver=journald --signature-verification=false --insecure-registry=172.30.0.0/16 --exec-opt native.cgroupdriver=systemd' +openshift_master_identity_providers=[{'name': 'HTPASSWD', 'challenge': 'true', 'login': 'true', 'kind':'HTPasswdPasswordIdentityProvider', 'mappingMethod': 'claim'}] +openshift_enable_excluders=false +openshift_docker_excluder_install=false + +[masters] +okd.example.com openshift_public_ip='172.27.11.10' openshift_public_hostname='okd.example.com' + +[etcd] +okd.example.com etcd_ip='172.27.11.10' + +[nodes] +okd.example.com openshift_node_group_name='node-config-master-infra' +node1.example.com openshift_node_group_name='node-config-compute' +node2.example.com openshift_node_group_name='node-config-compute' diff --git a/files/hosts-allinone b/files/hosts-allinone new file mode 100644 index 0000000..1fe8cd0 --- /dev/null +++ b/files/hosts-allinone 
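Review bot: `openshift_disable_check` turns off `docker_image_availability` and `package_version` in addition to the resource checks, so a missing image or a wrong origin package version only surfaces deep inside deploy_cluster.yml instead of in the preflight; if those two were added to work around a repo problem, a comment saying so would help. `--signature-verification=false` and `--insecure-registry=172.30.0.0/16` in `openshift_docker_options` are the usual settings for the internal registry service range, but they apply to the whole daemon, so nothing pulled on these nodes is signature-checked. `ansible_ssh_user=root` together with the key committed in files/key makes the inventory exactly as safe as that key. The `openshift_master_default_subdomain='172-27-11-10.nip.io'` wildcard relies on public nip.io resolution from inside the VMs; note in the README that the lab needs outbound DNS.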
@@ -0,0 +1,29 @@ +[OSEv3:children] +masters +nodes +etcd + +[OSEv3:vars] +ansible_ssh_user=root +docker_version="ce" +openshift_enable_olm=false +openshift_deployment_type=origin +openshift_enable_service_catalog=false +openshift_metrics_install_metrics=false +openshift_logging_install_logging=false +openshift_cluster_monitoring_operator_install=false +openshift_master_default_subdomain='172-27-11-10.nip.io' +openshift_disable_check='disk_availability,memory_availability,docker_storage,package_availability,docker_image_availability,package_version' +openshift_docker_options='--selinux-enabled --log-driver=journald --signature-verification=false --insecure-registry=172.30.0.0/16 --exec-opt native.cgroupdriver=systemd' +openshift_master_identity_providers=[{'name': 'HTPASSWD', 'challenge': 'true', 'login': 'true', 'kind':'HTPasswdPasswordIdentityProvider', 'mappingMethod': 'claim'}] +openshift_enable_excluders=false +openshift_docker_excluder_install=false + +[masters] +okd.example.com openshift_public_ip='172.27.11.10' openshift_public_hostname='okd.example.com' + +[etcd] +okd.example.com etcd_ip='172.27.11.10' + +[nodes] +okd.example.com openshift_node_group_name='node-config-all-in-one' diff --git a/files/hosts-allinone.backup b/files/hosts-allinone.backup new file mode 100644 index 0000000..6505b05 --- /dev/null +++ b/files/hosts-allinone.backup 
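Review bot: `docker_version="ce"` is present only in this all-in-one inventory; openshift-ansible uses that variable to build the docker package spec, while provision/allinone.sh installs the distro `docker` package with `yum install -y docker` before the playbooks run. Either remove the variable or add a comment saying which Docker build the all-in-one is expected to run, otherwise the provisioner and the installer can disagree.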
@@ -0,0 +1,27 @@ +[OSEv3:children] +masters +nodes +etcd + +[OSEv3:vars] +ansible_ssh_user=root +docker_version="ce" +openshift_enable_olm=false +openshift_deployment_type=origin +openshift_enable_service_catalog=false +openshift_metrics_install_metrics=false +openshift_logging_install_logging=false +openshift_cluster_monitoring_operator_install=false +openshift_master_default_subdomain='172-27-11-10.nip.io' +openshift_disable_check='disk_availability,memory_availability,docker_storage,package_availability' +openshift_docker_options='--selinux-enabled --log-driver=journald --signature-verification=false --insecure-registry=172.30.0.0/16 --exec-opt native.cgroupdriver=systemd' +openshift_master_identity_providers=[{'name': 'HTPASSWD', 'challenge': 'true', 'login': 'true', 'kind':'HTPasswdPasswordIdentityProvider', 'mappingMethod': 'claim'}] + +[masters] +okd.example.com openshift_public_ip='172.27.11.10' openshift_public_hostname='okd.example.com' + +[etcd] +okd.example.com etcd_ip='172.27.11.10' + +[nodes] +okd.example.com openshift_node_group_name='node-config-all-in-one' diff --git a/files/hosts-allinone.backup2 b/files/hosts-allinone.backup2 new file mode 100644 index 0000000..2e01e67 --- /dev/null +++ b/files/hosts-allinone.backup2 
@@ -0,0 +1,27 @@ +[OSEv3:children] +masters +nodes +etcd + +[OSEv3:vars] +ansible_ssh_user=root +docker_version="ce" +openshift_enable_olm=false +openshift_deployment_type=origin +openshift_enable_service_catalog=false +openshift_metrics_install_metrics=false +openshift_logging_install_logging=false +openshift_cluster_monitoring_operator_install=false +openshift_master_default_subdomain='172-27-11-10.nip.io' +openshift_disable_check='disk_availability,memory_availability,docker_storage,package_availability,docker_image_availability,package_version' +openshift_docker_options='--selinux-enabled --log-driver=journald --signature-verification=false --insecure-registry=172.30.0.0/16 --exec-opt native.cgroupdriver=systemd' +openshift_master_identity_providers=[{'name': 'HTPASSWD', 'challenge': 'true', 'login': 'true', 'kind':'HTPasswdPasswordIdentityProvider', 'mappingMethod': 'claim'}] + +[masters] +okd.example.com openshift_public_ip='172.27.11.10' openshift_public_hostname='okd.example.com' + +[etcd] +okd.example.com etcd_ip='172.27.11.10' + +[nodes] +okd.example.com openshift_node_group_name='node-config-all-in-one' diff --git a/files/hosts.backup b/files/hosts.backup new file mode 100644 index 0000000..6ae3993 --- /dev/null +++ b/files/hosts.backup 
@@ -0,0 +1,28 @@ +[OSEv3:children] +masters +nodes +etcd + +[OSEv3:vars] +ansible_ssh_user=root +openshift_enable_olm=false +openshift_deployment_type=origin +openshift_enable_service_catalog=false +openshift_metrics_install_metrics=true +openshift_logging_install_logging=false +openshift_cluster_monitoring_operator_install=false +openshift_master_default_subdomain='172-27-11-10.nip.io' +openshift_disable_check='disk_availability,memory_availability,docker_storage' +openshift_docker_options='--selinux-enabled --log-driver=journald --signature-verification=false --insecure-registry=172.30.0.0/16 --exec-opt native.cgroupdriver=systemd' +openshift_master_identity_providers=[{'name': 'HTPASSWD', 'challenge': 'true', 'login': 'true', 'kind':'HTPasswdPasswordIdentityProvider', 'mappingMethod': 'claim'}] + +[masters] +okd.example.com openshift_public_ip='172.27.11.10' openshift_public_hostname='okd.example.com' + +[etcd] +okd.example.com etcd_ip='172.27.11.10' + +[nodes] +okd.example.com openshift_node_group_name='node-config-master-infra' +node1.example.com openshift_node_group_name='node-config-compute' +node2.example.com openshift_node_group_name='node-config-compute' diff --git a/files/key b/files/key new file mode 100644 index 0000000..7cb32d6 --- /dev/null +++ b/files/key 
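Review bot: files/hosts-allinone.backup, files/hosts-allinone.backup2 and files/hosts.backup are editor backups, not configuration: they differ from the live inventories only in the `openshift_disable_check` list and the missing `openshift_enable_excluders`/`openshift_docker_excluder_install` lines, and nothing in the provisioners references them. Delete them and rely on git history; otherwise a reader has four near-identical inventories to choose from and no way to tell which one is authoritative.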
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEArSF2RtIR3POS3qTuKWXqSGHM3cC+P2CnQjAat/M5hwcBWJ3J +925fxC/rPQtkMfILPyiwMv99vN7mxLcrnfmTfeKYiqRrj8oUGIf4CUQTQCc6dPBO +mi7S+l5YUxOb9Gq0Cf8IKlzYi0qRXgDP1zj8gR5RpowOCtRclJbSivdK72++GHRH +6UlDwgNRSRPS6NU4DsLNj9Gh25zgtGMlZtV8Q4Mybk7/BUvXsdDNHWZpJ8fedeUT +WZGllgo/I5IpPKIixxciuCWUCak55bAlaPGjm8ShBZC05nwAb//MC5eWmPyMzt+b +oshsqA5tLGtKLtHC8A8J0Rky0QliDyq7XN9/6wIDAQABAoIBAGKGmHjVM7U6KGrs +EV0d0qY+ggfwmFQY/RZ9qbblg+eD5RA5O6bD+Vv8qTKkOPDzfdMDpMJhA31onIt2 +ciwEzBrnyUedKlk59xW+yzj6tLndmTbTSugTnZ0986XTkv0VfD/0EwGItPMQDIoi +jCU/GPOh/XV6XsNq9wTYkBjlgo+fZ4m8e5gnRpMLVr+uo8Oy1LDQLMyl5uMintsa +8BaEvwYi/khudph3AezdWZoUOG9CmmjBStMzvHanwiiwEnaeFiqjGptBT2+KBeGG +IC34PiNGjZP5+uH2/g+TKHjuFMePoyvqKQcznqtNIF+1jS+2NK0YCxXHlk5gwYik +p/MpJwECgYEA43A5Jw7NL4fsovMuzBIGwaZbAo6K2AEggkaTsAxIW6/M8hk0YiDw +4hpAFIn17sx3aZODKsT25m803XNHDiCaok0ulrTkfNis+mMee18DtmLxLa8K0QaV +DRvxdMDETEI1sZumjdfc3IMlgRMsvoYbyOGr5vo0Vuw8al5VwblP1DMCgYEAwt9V +x2zALb6+NJMjtm6Jw88OvfUtZRUtLAkI0dDMdS07cAcKldDStMTtel1Pn5Asekws +LhF7/4wP95hyPI9XQZjQrdmMk4GkIcc8ifEpQiWTFnbehqlqoSKEWL8xpR/xuUuD +JragLvUOLqx6T6iwBCMqoV8q2AJLfEszv9FZrWkCgYEAx7anuRBaRL6KoJwCH9hE +bo9xo1EfwoVa0oq+7PwcHcbFpGFVikV6wFBkrKRofIS25tJNf6TtWXOVbE/puRIQ +NyynGFdHvAlX+5ZGEfdg/yrqtT7btKifAZ/j6q3KsVwCYi9XlX5Txp6ytCDuTW7d +vwvLM0vJ4foXIyArFa1v19kCgYB/DOz4IEcLjBimXmgiQN9A8nZCEt+Nz8irtRgy +81bZ7quZ1n1oP8WgZeQOq1eGSJE3CwKi5nNZoQ+n9ZRFN49EDUXAkt28LgG8pBEs +PjcQET9cnhNm6H3EoKR41+6eIb2PeVQAoYC+HLcqZvk3hlt71xGsNEfSnWxplP4g +SXWWQQKBgAxNSsnJm9GjE1oqGpwXISSR6b50Hsnq6aolgC1B+PNmhCwdRDcJ5E5E +vqYsB1dJ6jF2zAV6Hg9tvt9MpuyLXlvcWsdxJZF0frySmdEnrInZLRex6/Gw4UcI +zHYY4tJfcoTRXYI7VflrhO6e/5vYFv+AvGqpr+5Dx4zWD8M7G/SN +-----END RSA PRIVATE KEY----- diff --git a/files/key.pub b/files/key.pub new file mode 100644 index 0000000..081a07b --- /dev/null +++ b/files/key.pub 
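Review bot: files/key is an unencrypted RSA private key committed to the repository, and provision/allinone.sh installs it as `/root/.ssh/id_rsa` on the master together with files/key.pub, so anyone who can read this repo has root SSH access to every node whose authorized_keys contains that public key. Generate the pair at provision time instead (for example `ssh-keygen -t ed25519 -N '' -f /root/.ssh/id_rsa` in the provisioner, then distribute the public key through the Vagrant shared folder) and add the generated files to .gitignore. Since this key is now in git history, treat it as compromised and rotate it whether or not the file is removed.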
@@ -0,0 +1 @@ +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCtIXZG0hHc85LepO4pZepIYczdwL4/YKdCMBq38zmHBwFYncn3bl/EL+s9C2Qx8gs/KLAy/3283ubEtyud+ZN94piKpGuPyhQYh/gJRBNAJzp08E6aLtL6XlhTE5v0arQJ/wgqXNiLSpFeAM/XOPyBHlGmjA4K1FyUltKK90rvb74YdEfpSUPCA1FJE9Lo1TgOws2P0aHbnOC0YyVm1XxDgzJuTv8FS9ex0M0dZmknx9515RNZkaWWCj8jkik8oiLHFyK4JZQJqTnlsCVo8aObxKEFkLTmfABv/8wLl5aY/IzO35uiyGyoDm0sa0ou0cLwDwnRGTLRCWIPKrtc33/r diff --git a/files/ldap.ldif b/files/ldap.ldif new file mode 100644 index 0000000..479b988 --- /dev/null +++ b/files/ldap.ldif @@ -0,0 +1,14 @@ +dn: olcDatabase={2}hdb,cn=config +changetype: modify +replace: olcSuffix +olcSuffix: dc=extras,dc=example,dc=com + +dn: olcDatabase={2}hdb,cn=config +changetype: modify +replace: olcRootDN +olcRootDN: cn=admin,dc=extras,dc=example,dc=com + +dn: olcDatabase={2}hdb,cn=config +changetype: modify +replace: olcRootPW +olcRootPW: {SSHA}DHB1bLFwMkP7VtUM8MAu5NzZunlAeA07 diff --git a/files/users.ldif b/files/users.ldif new file mode 100644 index 0000000..e48e0f1 --- /dev/null +++ b/files/users.ldif 
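Review bot: ldap.ldif sets `olcRootPW` for `cn=admin,dc=extras,dc=example,dc=com` to a committed {SSHA} hash, and provision/extras.sh then binds as that DN with the literal password `okdldap`, so both the hash and the plaintext are effectively in the repo. Generate the hash at provision time with `slappasswd -s` from a password the provisioner creates (or reads from an untracked file) and render the LDIF from it instead of shipping a fixed rootdn credential. The modify also adds no `olcAccess` for `olcDatabase={2}hdb`; under OpenLDAP's default policy (read for everyone) the `userPassword` hashes in users.ldif are readable by anonymous binds, so add a rule such as `to attrs=userPassword by self write by anonymous auth by * none` if anything beyond loopback will reach slapd.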
@@ -0,0 +1,47 @@ +dn: uid=ronnie.james,ou=users,dc=extras,dc=example,dc=com +objectClass: top +objectClass: account +objectClass: posixAccount +objectClass: shadowAccount +cn: Ronnie James Dio +uid: ronnie.james +uidNumber: 10000 +gidNumber: 10000 +homeDirectory: /srv/home/ronnie.james +loginShell: /bin/bash +userPassword: {SSHA}MhndfhVccrnp3Ynam7WhQOp3Eoy/f1YT +shadowLastChange: 0 +shadowMax: 0 +shadowWarning: 0 + +dn: uid=lou.gramm,ou=users,dc=extras,dc=example,dc=com +objectClass: top +objectClass: account +objectClass: posixAccount +objectClass: shadowAccount +cn: Lou Gramm +uid: lou.gramm +uidNumber: 10001 +gidNumber: 10001 +homeDirectory: /srv/home/hector.vido +loginShell: /bin/bash +userPassword: {SSHA}T9+m42tBydKkjMPH+X9NrQxY9pzxXcQC +shadowLastChange: 0 +shadowMax: 0 +shadowWarning: 0 + +dn: uid=tina.turner,ou=users,dc=extras,dc=example,dc=com +objectClass: top +objectClass: account +objectClass: posixAccount +objectClass: shadowAccount +cn: Tina Turner +uid: tina.turner +uidNumber: 10002 +gidNumber: 10001 +homeDirectory: /srv/home/tina.turner +loginShell: /bin/bash +userPassword: {SSHA}NM0Y0NPj5uus1qbGVFPWuxOx1iDwgYZX +shadowLastChange: 0 +shadowMax: 0 +shadowWarning: 0 diff --git a/haproxy/haproxy.config b/haproxy/haproxy.config new file mode 100644 index 0000000..618b9b9 --- /dev/null +++ b/haproxy/haproxy.config 
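Review bot: `homeDirectory: /srv/home/hector.vido` under `uid=lou.gramm` looks like a copy-and-paste leftover; the other two entries use `/srv/home/<uid>`, so this should be `/srv/home/lou.gramm`. All three accounts also carry `shadowLastChange: 0` and `shadowMax: 0`, which for a PAM/NSS consumer means the password expired at the epoch; the OpenShift LDAP provider ignores shadow attributes, but if these entries are ever used for system logins, drop the shadow attributes or set a sane `shadowMax`. Nothing in the commit says what the {SSHA} hashes correspond to, so record the lab passwords for ronnie.james, lou.gramm and tina.turner in the README.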
@@ -0,0 +1,236 @@ +global + maxconn 20000 + + + + daemon + ca-base /etc/ssl + crt-base /etc/ssl + # TODO: Check if we can get reload to be faster by saving server state. + # server-state-file /var/lib/haproxy/run/haproxy.state + stats socket /var/lib/haproxy/run/haproxy.sock mode 600 level admin expose-fd listeners + stats timeout 2m + + # Increase the default request size to be comparable to modern cloud load balancers (ALB: 64kb), affects + # total memory use when large numbers of connections are open. + tune.maxrewrite 8192 + tune.bufsize 32768 + + # Configure the TLS versions we support + ssl-default-bind-options ssl-min-ver TLSv1.0 + +# The default cipher suite can be selected from the three sets recommended by https://wiki.mozilla.org/Security/Server_Side_TLS, +# or the user can provide one using the ROUTER_CIPHERS environment variable. +# By default when a cipher set is not provided, intermediate is used. + # Intermediate cipher suite (default) from https://wiki.mozilla.org/Security/Server_Side_TLS + tune.ssl.default-dh-param 2048 + ssl-default-bind-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS + + +defaults + maxconn 20000 + + # Add x-forwarded-for header. + + # To configure custom default errors, you can either uncomment the + # line below (server ... 
127.0.0.1:8080) and point it to your custom + # backend service or alternatively, you can send a custom 503 error. + # + # server openshift_backend 127.0.0.1:8080 + errorfile 503 /var/lib/haproxy/conf/error-page-503.http + + timeout connect 5s + timeout client 30s + timeout client-fin 1s + timeout server 30s + timeout server-fin 1s + timeout http-request 10s + timeout http-keep-alive 300s + + # Long timeout for WebSocket connections. + timeout tunnel 1h + + + +frontend public + + bind :80 + mode http + tcp-request inspect-delay 5s + tcp-request content accept if HTTP + monitor-uri /_______internal_router_healthz + + # Strip off Proxy headers to prevent HTTpoxy (https://httpoxy.org/) + http-request del-header Proxy + + # DNS labels are case insensitive (RFC 4343), we need to convert the hostname into lowercase + # before matching, or any requests containing uppercase characters will never match. + http-request set-header Host %[req.hdr(Host),lower] + + # check if we need to redirect/force using https. 
+ acl secure_redirect base,map_reg(/var/lib/haproxy/conf/os_route_http_redirect.map) -m found + redirect scheme https if secure_redirect + + use_backend %[base,map_reg(/var/lib/haproxy/conf/os_http_be.map)] + + default_backend openshift_default + +# public ssl accepts all connections and isn't checking certificates yet certificates to use will be +# determined by the next backend in the chain which may be an app backend (passthrough termination) or a backend +# that terminates encryption in this router (edge) +frontend public_ssl + + bind :443 + tcp-request inspect-delay 5s + tcp-request content accept if { req_ssl_hello_type 1 } + + # if the connection is SNI and the route is a passthrough don't use the termination backend, just use the tcp backend + # for the SNI case, we also need to compare it in case-insensitive mode (by converting it to lowercase) as RFC 4343 says + acl sni req.ssl_sni -m found + acl sni_passthrough req.ssl_sni,lower,map_reg(/var/lib/haproxy/conf/os_sni_passthrough.map) -m found + use_backend %[req.ssl_sni,lower,map_reg(/var/lib/haproxy/conf/os_tcp_be.map)] if sni sni_passthrough + + # if the route is SNI and NOT passthrough enter the termination flow + use_backend be_sni if sni + + # non SNI requests should enter a default termination backend rather than the custom cert SNI backend since it + # will not be able to match a cert to an SNI host + default_backend be_no_sni + +########################################################################## +# TLS SNI +# +# When using SNI we can terminate encryption with custom certificates. +# Certs will be stored in a directory and will be matched with the SNI host header +# which must exist in the CN of the certificate. Certificates must be concatenated +# as a single file (handled by the plugin writer) per the haproxy documentation. 
+# +# Finally, check re-encryption settings and re-encrypt or just pass along the unencrypted +# traffic +########################################################################## +backend be_sni + server fe_sni 127.0.0.1:10444 weight 1 send-proxy + +frontend fe_sni + # terminate ssl on edge + bind 127.0.0.1:10444 ssl crt /etc/pki/tls/private/tls.crt crt-list /var/lib/haproxy/conf/cert_config.map accept-proxy + mode http + + # Strip off Proxy headers to prevent HTTpoxy (https://httpoxy.org/) + http-request del-header Proxy + + # DNS labels are case insensitive (RFC 4343), we need to convert the hostname into lowercase + # before matching, or any requests containing uppercase characters will never match. + http-request set-header Host %[req.hdr(Host),lower] + + + + # map to backend + # Search from most specific to general path (host case). + # Note: If no match, haproxy uses the default_backend, no other + # use_backend directives below this will be processed. + use_backend %[base,map_reg(/var/lib/haproxy/conf/os_edge_reencrypt_be.map)] + + default_backend openshift_default + +########################################################################## +# END TLS SNI +########################################################################## + +########################################################################## +# TLS NO SNI +# +# When we don't have SNI the only thing we can try to do is terminate the encryption +# using our wild card certificate. 
Once that is complete we can either re-encrypt +# the traffic or pass it on to the backends +########################################################################## +# backend for when sni does not exist, or ssl term needs to happen on the edge +backend be_no_sni + server fe_no_sni 127.0.0.1:10443 weight 1 send-proxy + +frontend fe_no_sni + # terminate ssl on edge + bind 127.0.0.1:10443 ssl crt /etc/pki/tls/private/tls.crt accept-proxy + mode http + + # Strip off Proxy headers to prevent HTTpoxy (https://httpoxy.org/) + http-request del-header Proxy + + # DNS labels are case insensitive (RFC 4343), we need to convert the hostname into lowercase + # before matching, or any requests containing uppercase characters will never match. + http-request set-header Host %[req.hdr(Host),lower] + + + + # map to backend + # Search from most specific to general path (host case). + # Note: If no match, haproxy uses the default_backend, no other + # use_backend directives below this will be processed. 
+ use_backend %[base,map_reg(/var/lib/haproxy/conf/os_edge_reencrypt_be.map)] + + default_backend openshift_default + +########################################################################## +# END TLS NO SNI +########################################################################## + +backend openshift_default + mode http + option forwardfor + #option http-keep-alive + option http-pretend-keepalive + +##-------------- app level backends ---------------- + + +# Secure backend, pass through +backend be_tcp:default:docker-registry + balance source + + hash-type consistent + timeout check 5000ms + server pod:docker-registry-1-vwjlv:docker-registry:10.128.0.21:5000 10.128.0.21:5000 weight 256 + +# Secure backend, pass through +backend be_tcp:default:registry-console + balance source + + hash-type consistent + timeout check 5000ms + server pod:registry-console-1-wlc9l:registry-console:10.128.0.27:9090 10.128.0.27:9090 weight 256 + +# Plain http backend or backend with TLS terminated at the edge or a +# secure backend with re-encryption. 
+backend be_secure:openshift-console:console + mode http + option redispatch + option forwardfor + balance leastconn + + timeout check 5000ms + http-request set-header X-Forwarded-Host %[req.hdr(host)] + http-request set-header X-Forwarded-Port %[dst_port] + http-request set-header X-Forwarded-Proto http if !{ ssl_fc } + http-request set-header X-Forwarded-Proto https if { ssl_fc } + http-request set-header X-Forwarded-Proto-Version h2 if { ssl_fc_alpn -i h2 } + http-request add-header Forwarded for=%[src];host=%[req.hdr(host)];proto=%[req.hdr(X-Forwarded-Proto)];proto-version=%[req.hdr(X-Forwarded-Proto-Version)] + cookie 1e2670d92730b515ce3a1bb65da45062 insert indirect nocache httponly secure attr SameSite=None + server pod:console-75ff54865-bxf7m:console:10.128.0.22:8443 10.128.0.22:8443 cookie 7975a71592eb59717a53657aad37ba28 weight 256 ssl verifyhost console.openshift-console.svc verify required ca-file /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt + +# Plain http backend or backend with TLS terminated at the edge or a +# secure backend with re-encryption. 
+backend be_secure:openshift-infra:hawkular-metrics + mode http + option redispatch + option forwardfor + balance leastconn + + timeout check 5000ms + http-request set-header X-Forwarded-Host %[req.hdr(host)] + http-request set-header X-Forwarded-Port %[dst_port] + http-request set-header X-Forwarded-Proto http if !{ ssl_fc } + http-request set-header X-Forwarded-Proto https if { ssl_fc } + http-request set-header X-Forwarded-Proto-Version h2 if { ssl_fc_alpn -i h2 } + http-request add-header Forwarded for=%[src];host=%[req.hdr(host)];proto=%[req.hdr(X-Forwarded-Proto)];proto-version=%[req.hdr(X-Forwarded-Proto-Version)] + cookie a054b5d9e987bf679f10c9d29be39478 insert indirect nocache httponly secure attr SameSite=None + server pod:hawkular-metrics-rp6cn:hawkular-metrics:10.128.0.26:8443 10.128.0.26:8443 cookie bb9702a210555545797c318f9112d112 weight 256 ssl verify required ca-file /var/lib/haproxy/router/cacerts/openshift-infra:hawkular-metrics.pem diff --git a/haproxy/os_tcp_be.map b/haproxy/os_tcp_be.map new file mode 100644 index 0000000..7ed9e0e --- /dev/null +++ b/haproxy/os_tcp_be.map @@ -0,0 +1,4 @@ +^registry-console-default\.172-27-11-10\.nip\.io(:[0-9]+)?(/.*)?$ be_tcp:default:registry-console +^hawkular-metrics\.172-27-11-10\.nip\.io(:[0-9]+)?(/.*)?$ be_secure:openshift-infra:hawkular-metrics +^docker-registry-default\.172-27-11-10\.nip\.io(:[0-9]+)?(/.*)?$ be_tcp:default:docker-registry +^console\.172-27-11-10\.nip\.io(:[0-9]+)?(/.*)?$ be_secure:openshift-console:console diff --git a/haproxy/os_wildcard_domain.map b/haproxy/os_wildcard_domain.map new file mode 100644 index 0000000..e69de29 diff --git a/provision/allinone.sh b/provision/allinone.sh new file mode 100644 index 0000000..c17a36e --- /dev/null +++ b/provision/allinone.sh 
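Review bot: haproxy/haproxy.config is a dump of a running router's generated configuration rather than a template: the `server pod:docker-registry-1-vwjlv:...:10.128.0.21:5000` lines and the pod IPs in every backend belong to one specific cluster instance, and most of the `/var/lib/haproxy/conf/*.map` files it references (os_http_be.map, os_edge_reencrypt_be.map, os_sni_passthrough.map, cert_config.map) are not in this commit, only os_tcp_be.map and an empty os_wildcard_domain.map. Say in a comment or in the README that this is a reference snapshot, or replace it with the config the load balancer is actually meant to run. On the TLS side, `ssl-default-bind-options ssl-min-ver TLSv1.0` and the `DES-CBC3-SHA`/`EDH-RSA-DES-CBC3-SHA` suites at the tail of `ssl-default-bind-ciphers` allow TLS 1.0 and 3DES; if this config is ever used for real, raise the floor to `ssl-min-ver TLSv1.2` and trim the list to the AEAD suites. `stats socket ... level admin expose-fd listeners` with `mode 600` is fine as long as the socket stays owned by the haproxy user.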
@@ -0,0 +1,42 @@ +#!/bin/bash + +/vagrant/provision/fix-centos-repos.sh +/vagrant/provision/fix-openshift-repos.sh + +# Dependências +yum install -y curl vim device-mapper-persistent-data lvm2 epel-release wget git net-tools bind-utils yum-utils iptables-services bridge-utils bash-completion kexec-tools sos psacct + +# Install and start Docker +yum install -y docker +systemctl start docker +systemctl enable docker +systemctl status docker + +#docker pull docker.io/openshift/origin-pod:v3.11 +#docker pull docker.io/openshift/origin-node:v3.11 +#docker pull docker.io/openshift/origin-docker-builder:v3.11.0 +#docker pull docker.io/openshift/origin-deployer:v3.11 +#docker pull docker.io/openshift/origin-haproxy-router:v3.11 +#docker pull docker.io/cockpit/kubernetes +#docker pull docker.io/openshift/origin-docker-registry:v3.11 +#docker pull docker.io/openshift/origin-control-plane:v3.11 +#docker pull quay.io/coreos/etcd:v3.2.22 + +yum install -y container-selinux libsemanage-python httpd-tools java python-passlib pyOpenSSL PyYAML python-jinja2 python-paramiko python-setuptools python2-cryptography sshpass +rpm -i https://releases.ansible.com/ansible/rpm/release/epel-7-x86_64/ansible-2.5.7-1.el7.ans.noarch.rpm +cp /vagrant/files/hosts-allinone /etc/ansible/hosts +cp /vagrant/files/ansible.cfg /etc/ansible/ansible.cfg +cp /vagrant/files/key /root/.ssh/id_rsa; chmod 400 /root/.ssh/id_rsa +cp /vagrant/files/key.pub /root/.ssh/id_rsa.pub +sed -i -e "s/#host_key_checking/host_key_checking/" /etc/ansible/ansible.cfg +sed -i -e "s@#private_key_file = /path/to/file@private_key_file = /root/.ssh/id_rsa@" /etc/ansible/ansible.cfg + +git clone -b release-3.11 --single-branch https://github.com/openshift/openshift-ansible /root/openshift-ansible +cd /root/openshift-ansible +sed -i 's/openshift.common.ip/openshift.common.public_ip/' roles/openshift_control_plane/templates/master.yaml.v1.j2 + +ansible-playbook /root/openshift-ansible/playbooks/prerequisites.yml 
+/vagrant/provision/fix-openshift-repos.sh +ansible-playbook /root/openshift-ansible/playbooks/deploy_cluster.yml + +mkdir -p /etc/origin/master && htpasswd -Bbc /etc/origin/master/htpasswd developer 4linux diff --git a/provision/allinone.sh.backup b/provision/allinone.sh.backup new file mode 100644 index 0000000..7c5acbf --- /dev/null +++ b/provision/allinone.sh.backup 
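Review bot: the script has no `set -euo pipefail`, so a failing `cd /root/openshift-ansible`, `git clone` or `ansible-playbook .../prerequisites.yml` does not stop it and `deploy_cluster.yml` runs anyway; add `set -euo pipefail` at the top (`systemctl status docker` is informational and would then need `|| true`). `rpm -i https://releases.ansible.com/...ansible-2.5.7-1.el7.ans.noarch.rpm` installs a package fetched at run time without importing the Ansible release signing key first, so rpm only warns on NOKEY; `rpm --import` the key (or pin a checksum) before installing. The `sed -i 's/openshift.common.ip/openshift.common.public_ip/' roles/openshift_control_plane/templates/master.yaml.v1.j2` patches openshift-ansible in place so the master advertises the 172.27.11.10 address; a one-line comment explaining that, and why `openshift_public_ip` in the inventory is not enough, would save the next reader a search. Finally, `htpasswd -Bbc /etc/origin/master/htpasswd developer 4linux` bakes a fixed credential into every build and `-c` overwrites any existing file; read the password from an untracked file or a Vagrant-provided environment variable and drop `-c` on re-runs.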
@@ -0,0 +1,32 @@ +#!/bin/bash + +# Dependências +yum install -y curl vim device-mapper-persistent-data lvm2 epel-release wget git net-tools bind-utils yum-utils iptables-services bridge-utils bash-completion kexec-tools sos psacct + +#docker pull docker.io/openshift/origin-pod:v3.11 +#docker pull docker.io/openshift/origin-node:v3.11 +#docker pull docker.io/openshift/origin-docker-builder:v3.11.0 +#docker pull docker.io/openshift/origin-deployer:v3.11 +#docker pull docker.io/openshift/origin-haproxy-router:v3.11 +#docker pull docker.io/cockpit/kubernetes +#docker pull docker.io/openshift/origin-docker-registry:v3.11 +#docker pull docker.io/openshift/origin-control-plane:v3.11 +#docker pull quay.io/coreos/etcd:v3.2.22 + +yum install -y java python-passlib pyOpenSSL PyYAML python-jinja2 python-paramiko python-setuptools python2-cryptography sshpass +rpm -i https://releases.ansible.com/ansible/rpm/release/epel-7-x86_64/ansible-2.5.7-1.el7.ans.noarch.rpm +cp /vagrant/files/hosts-allinone /etc/ansible/hosts +cp /vagrant/files/ansible.cfg /etc/ansible/ansible.cfg +cp /vagrant/files/key /root/.ssh/id_rsa; chmod 400 /root/.ssh/id_rsa +cp /vagrant/files/key.pub /root/.ssh/id_rsa.pub +sed -i -e "s/#host_key_checking/host_key_checking/" /etc/ansible/ansible.cfg +sed -i -e "s@#private_key_file = /path/to/file@private_key_file = /root/.ssh/id_rsa@" /etc/ansible/ansible.cfg + +git clone -b release-3.11 --single-branch https://github.com/openshift/openshift-ansible /root/openshift-ansible +cd /root/openshift-ansible +sed -i 's/openshift.common.ip/openshift.common.public_ip/' roles/openshift_control_plane/templates/master.yaml.v1.j2 + +ansible-playbook /root/openshift-ansible/playbooks/prerequisites.yml +ansible-playbook /root/openshift-ansible/playbooks/deploy_cluster.yml + +htpasswd -Bbc /etc/origin/master/htpasswd developer 4linux diff --git a/provision/allinone.sh.backup3 b/provision/allinone.sh.backup3 new file mode 100644 index 0000000..abc1026 --- /dev/null 
+++ b/provision/allinone.sh.backup3 
@@ -0,0 +1,35 @@ +#!/bin/bash + +/vagrant/provision/fix-centos-repos.sh +/vagrant/provision/fix-openshift-repos.sh + +# Dependências +yum install -y curl vim device-mapper-persistent-data lvm2 epel-release wget git net-tools bind-utils yum-utils iptables-services bridge-utils bash-completion kexec-tools sos psacct + +#docker pull docker.io/openshift/origin-pod:v3.11 +#docker pull docker.io/openshift/origin-node:v3.11 +#docker pull docker.io/openshift/origin-docker-builder:v3.11.0 +#docker pull docker.io/openshift/origin-deployer:v3.11 +#docker pull docker.io/openshift/origin-haproxy-router:v3.11 +#docker pull docker.io/cockpit/kubernetes +#docker pull docker.io/openshift/origin-docker-registry:v3.11 +#docker pull docker.io/openshift/origin-control-plane:v3.11 +#docker pull quay.io/coreos/etcd:v3.2.22 + +yum install -y httpd-tools java python-passlib pyOpenSSL PyYAML python-jinja2 python-paramiko python-setuptools python2-cryptography sshpass +rpm -i https://releases.ansible.com/ansible/rpm/release/epel-7-x86_64/ansible-2.5.7-1.el7.ans.noarch.rpm +cp /vagrant/files/hosts-allinone /etc/ansible/hosts +cp /vagrant/files/ansible.cfg /etc/ansible/ansible.cfg +cp /vagrant/files/key /root/.ssh/id_rsa; chmod 400 /root/.ssh/id_rsa +cp /vagrant/files/key.pub /root/.ssh/id_rsa.pub +sed -i -e "s/#host_key_checking/host_key_checking/" /etc/ansible/ansible.cfg +sed -i -e "s@#private_key_file = /path/to/file@private_key_file = /root/.ssh/id_rsa@" /etc/ansible/ansible.cfg + +git clone -b release-3.11 --single-branch https://github.com/openshift/openshift-ansible /root/openshift-ansible +cd /root/openshift-ansible +sed -i 's/openshift.common.ip/openshift.common.public_ip/' roles/openshift_control_plane/templates/master.yaml.v1.j2 + +ansible-playbook /root/openshift-ansible/playbooks/prerequisites.yml +ansible-playbook /root/openshift-ansible/playbooks/deploy_cluster.yml + +mkdir -p /etc/origin/master && htpasswd -Bbc /etc/origin/master/htpasswd developer 4linux 
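Review bot: provision/allinone.sh.backup, provision/allinone.sh.backup3 and provision/allinone.sh.fixed are successive working copies of provision/allinone.sh (they differ only in which fix-*-repos.sh calls, the Docker install block, the extra yum packages and the `mkdir -p /etc/origin/master` guard are present), and each still embeds the same private key copy and the same `developer 4linux` credential. Remove them and keep the evolution in git history; if the variants are meant as alternative provisioners, name them for what they do and wire them into the Vagrantfile.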
diff --git a/provision/allinone.sh.fixed b/provision/allinone.sh.fixed new file mode 100644 index 0000000..2bd29b8 --- /dev/null +++ b/provision/allinone.sh.fixed 
@@ -0,0 +1,34 @@ +#!/bin/bash + +/vagrant/provision/fix-centos-repos.sh + +# Dependências +yum install -y curl vim device-mapper-persistent-data lvm2 epel-release wget git net-tools bind-utils yum-utils iptables-services bridge-utils bash-completion kexec-tools sos psacct + +#docker pull docker.io/openshift/origin-pod:v3.11 +#docker pull docker.io/openshift/origin-node:v3.11 +#docker pull docker.io/openshift/origin-docker-builder:v3.11.0 +#docker pull docker.io/openshift/origin-deployer:v3.11 +#docker pull docker.io/openshift/origin-haproxy-router:v3.11 +#docker pull docker.io/cockpit/kubernetes +#docker pull docker.io/openshift/origin-docker-registry:v3.11 +#docker pull docker.io/openshift/origin-control-plane:v3.11 +#docker pull quay.io/coreos/etcd:v3.2.22 + +yum install -y java python-passlib pyOpenSSL PyYAML python-jinja2 python-paramiko python-setuptools python2-cryptography sshpass +rpm -i https://releases.ansible.com/ansible/rpm/release/epel-7-x86_64/ansible-2.5.7-1.el7.ans.noarch.rpm +cp /vagrant/files/hosts-allinone /etc/ansible/hosts +cp /vagrant/files/ansible.cfg /etc/ansible/ansible.cfg +cp /vagrant/files/key /root/.ssh/id_rsa; chmod 400 /root/.ssh/id_rsa +cp /vagrant/files/key.pub /root/.ssh/id_rsa.pub +sed -i -e "s/#host_key_checking/host_key_checking/" /etc/ansible/ansible.cfg +sed -i -e "s@#private_key_file = /path/to/file@private_key_file = /root/.ssh/id_rsa@" /etc/ansible/ansible.cfg + +git clone -b release-3.11 --single-branch https://github.com/openshift/openshift-ansible /root/openshift-ansible +cd /root/openshift-ansible +sed -i 's/openshift.common.ip/openshift.common.public_ip/' roles/openshift_control_plane/templates/master.yaml.v1.j2 + +ansible-playbook /root/openshift-ansible/playbooks/prerequisites.yml +ansible-playbook /root/openshift-ansible/playbooks/deploy_cluster.yml + +htpasswd -Bbc /etc/origin/master/htpasswd developer 4linux diff --git a/provision/extras.sh b/provision/extras.sh new file mode 100644 index 0000000..9df1707 
--- /dev/null +++ b/provision/extras.sh @@ -0,0 +1,33 @@ +#!/bin/bash + +/vagrant/provision/fix-centos-repos.sh + +yum -y install vim openldap-servers openldap-clients + +# LDAP +systemctl enable slapd +systemctl start slapd + +ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif +ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif +ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif + +ldapmodify -Y EXTERNAL -H ldapi:/// -f /vagrant/files/ldap.ldif +ldapadd -h 'localhost' -D 'cn=admin,dc=extras,dc=example,dc=com' -w 'okdldap' -f /vagrant/files/base.ldif +ldapadd -h 'localhost' -D 'cn=admin,dc=extras,dc=example,dc=com' -w 'okdldap' -f /vagrant/files/users.ldif +ldapadd -h 'localhost' -D 'cn=admin,dc=extras,dc=example,dc=com' -w 'okdldap' -f /vagrant/files/groups.ldif + +# NFS +> /etc/exports + +for X in $(seq 0 9); do + mkdir -p /srv/nfs/v$X + echo "/srv/nfs/v$X 172.27.11.0/24(rw,all_squash)" >> /etc/exports +done + +chmod 0700 /srv/nfs/v* +chown nfsnobody: /srv/nfs/v* + +exportfs -a +systemctl start rpcbind nfs-server +systemctl enable rpcbind nfs-server diff --git a/provision/extras.sh.backup b/provision/extras.sh.backup new file mode 100644 index 0000000..4bac781 --- /dev/null +++ b/provision/extras.sh.backup 
@@ -0,0 +1,31 @@ +#!/bin/bash + +yum -y install vim openldap-servers openldap-clients + +# LDAP +systemctl enable slapd +systemctl start slapd + +ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif +ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif +ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif + +ldapmodify -Y EXTERNAL -H ldapi:/// -f /vagrant/files/ldap.ldif +ldapadd -h 'localhost' -D 'cn=admin,dc=extras,dc=example,dc=com' -w 'okdldap' -f /vagrant/files/base.ldif +ldapadd -h 'localhost' -D 'cn=admin,dc=extras,dc=example,dc=com' -w 'okdldap' -f /vagrant/files/users.ldif +ldapadd -h 'localhost' -D 'cn=admin,dc=extras,dc=example,dc=com' -w 'okdldap' -f /vagrant/files/groups.ldif + +# NFS +> /etc/exports + +for X in $(seq 0 9); do + mkdir -p /srv/nfs/v$X + echo "/srv/nfs/v$X 172.27.11.0/24(rw,all_squash)" >> /etc/exports +done + +chmod 0700 /srv/nfs/v* +chown nfsnobody: /srv/nfs/v* + +exportfs -a +systemctl start rpcbind nfs-server +systemctl enable rpcbind nfs-server diff --git a/provision/fix-centos-repos.sh b/provision/fix-centos-repos.sh new file mode 100755 index 0000000..cd95b5c --- /dev/null +++ b/provision/fix-centos-repos.sh 
@@ -0,0 +1,42 @@ +#!/bin/bash +# Fix CentOS 7 repository URLs to use vault.centos.org + +echo "Fixing CentOS 7 repository URLs..." + +# Backup original repo files +cp /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.backup 2>/dev/null || true + +# Create new CentOS-Base.repo pointing to vault.centos.org +cat > /etc/yum.repos.d/CentOS-Base.repo << 'REPO_EOF' +[base] +name=CentOS-7 - Base +baseurl=http://vault.centos.org/7.9.2009/os/x86_64/ +gpgcheck=1 +gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7 +enabled=1 + +[updates] +name=CentOS-7 - Updates +baseurl=http://vault.centos.org/7.9.2009/updates/x86_64/ +gpgcheck=1 +gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7 +enabled=1 + +[extras] +name=CentOS-7 - Extras +baseurl=http://vault.centos.org/7.9.2009/extras/x86_64/ +gpgcheck=1 +gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7 +enabled=1 + +[centosplus] +name=CentOS-7 - Plus +baseurl=http://vault.centos.org/7.9.2009/centosplus/x86_64/ +gpgcheck=1 +enabled=0 +gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7 +REPO_EOF + +# Clean yum cache +yum clean all +yum makecache diff --git a/provision/fix-openshift-repos.sh b/provision/fix-openshift-repos.sh new file mode 100755 index 0000000..f320491 --- /dev/null +++ b/provision/fix-openshift-repos.sh 
@@ -0,0 +1,45 @@ +#!/bin/bash +# Comprehensive fix for OpenShift Origin repository issues + +echo "Fixing OpenShift Origin repository URLs..." + +# Fix the main CentOS-OpenShift-Origin311.repo file to use vault.centos.org +cat > /etc/yum.repos.d/CentOS-OpenShift-Origin311.repo << 'REPO_EOF' +[centos-openshift-origin311] +name=CentOS OpenShift Origin +baseurl=http://vault.centos.org/centos/7/paas/x86_64/openshift-origin311/ +enabled=1 +gpgcheck=1 +gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-PaaS + +[centos-openshift-origin311-testing] +name=CentOS OpenShift Origin Testing +baseurl=http://vault.centos.org/centos/7/paas/x86_64/openshift-origin311/ +enabled=0 +gpgcheck=0 +gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-PaaS + +[centos-openshift-origin311-debuginfo] +name=CentOS OpenShift Origin DebugInfo +baseurl=http://vault.centos.org/centos/7/paas/x86_64/ +enabled=0 +gpgcheck=1 +gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-PaaS + +[centos-openshift-origin311-source] +name=CentOS OpenShift Origin Source +baseurl=http://vault.centos.org/centos/7/paas/Source/openshift-origin311/ +enabled=0 +gpgcheck=1 +gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-PaaS +REPO_EOF + +# Also handle any other variants +if [ -f /etc/yum.repos.d/centos-openshift-origin311.repo ]; then + rm -f /etc/yum.repos.d/centos-openshift-origin311.repo +fi + +# Clean yum cache to remove any cached broken repo data +yum clean all + +echo "OpenShift Origin repository URLs fixed to use vault.centos.org" diff --git a/provision/fix-repos-persistent.sh b/provision/fix-repos-persistent.sh new file mode 100755 index 0000000..bf7ad64 --- /dev/null +++ b/provision/fix-repos-persistent.sh 
@@ -0,0 +1,57 @@ +#!/bin/bash +# Persistent repository fix that runs continuously + +echo "Setting up persistent repository fix..." + +# Create a script that will fix repos whenever they're created +cat > /usr/local/bin/fix-openshift-repos-monitor.sh << 'MONITOR_EOF' +#!/bin/bash +while true; do + if [ -f /etc/yum.repos.d/CentOS-OpenShift-Origin311.repo ]; then + if grep -q "mirror.centos.org" /etc/yum.repos.d/CentOS-OpenShift-Origin311.repo; then + echo "$(date): Fixing OpenShift Origin repository URLs..." + + cat > /etc/yum.repos.d/CentOS-OpenShift-Origin311.repo << 'REPO_EOF' +[centos-openshift-origin311] +name=CentOS OpenShift Origin +baseurl=http://vault.centos.org/centos/7/paas/x86_64/openshift-origin311/ +enabled=1 +gpgcheck=1 +gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-PaaS + +[centos-openshift-origin311-testing] +name=CentOS OpenShift Origin Testing +baseurl=http://vault.centos.org/centos/7/paas/x86_64/openshift-origin311/ +enabled=0 +gpgcheck=0 +gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-PaaS + +[centos-openshift-origin311-debuginfo] +name=CentOS OpenShift Origin DebugInfo +baseurl=http://vault.centos.org/centos/7/paas/x86_64/ +enabled=0 +gpgcheck=1 +gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-PaaS + +[centos-openshift-origin311-source] +name=CentOS OpenShift Origin Source +baseurl=http://vault.centos.org/centos/7/paas/Source/openshift-origin311/ +enabled=0 +gpgcheck=1 +gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-PaaS +REPO_EOF + + yum clean all + echo "$(date): Repository URLs fixed to use vault.centos.org" + fi + fi + sleep 5 +done +MONITOR_EOF + +chmod +x /usr/local/bin/fix-openshift-repos-monitor.sh + +# Start the monitor in background +nohup /usr/local/bin/fix-openshift-repos-monitor.sh > /var/log/repo-fix.log 2>&1 & + +echo "Persistent repository fix started" diff --git a/provision/master.sh b/provision/master.sh new file mode 100644 index 0000000..e81b86c --- /dev/null +++ b/provision/master.sh 
@@ -0,0 +1,36 @@ +#!/bin/bash + +/vagrant/provision/fix-centos-repos.sh +/vagrant/provision/fix-repos-persistent.sh + +# Dependências +yum install -y curl vim device-mapper-persistent-data lvm2 epel-release wget git net-tools bind-utils yum-utils iptables-services bridge-utils bash-completion kexec-tools sos psacct docker python-ipaddress PyYAML + +systemctl start docker +systemctl enable docker + +for IMAGE in 'origin-node:v3.11' 'origin-pod:v3.11'; do + docker pull "quay.io/openshift/$IMAGE" + for IP in 20 30; do + docker save "quay.io/openshift/$IMAGE" | ssh -o stricthostkeychecking=no root@172.27.11.$IP docker load + done +done + +yum install -y container-selinux libsemanage-python httpd-tools java python-passlib pyOpenSSL python-jinja2 python-paramiko python-setuptools python2-cryptography sshpass +rpm -i https://releases.ansible.com/ansible/rpm/release/epel-7-x86_64/ansible-2.6.2-1.el7.ans.noarch.rpm +cp /vagrant/files/hosts /etc/ansible/hosts +cp /vagrant/files/ansible.cfg /etc/ansible/ansible.cfg +cp /vagrant/files/key /root/.ssh/id_rsa; chmod 400 /root/.ssh/id_rsa +cp /vagrant/files/key.pub /root/.ssh/id_rsa.pub +sed -i -e "s/#host_key_checking/host_key_checking/" /etc/ansible/ansible.cfg +sed -i -e "s@#private_key_file = /path/to/file@private_key_file = /root/.ssh/id_rsa@" /etc/ansible/ansible.cfg + +git clone -b release-3.11 --single-branch https://github.com/openshift/openshift-ansible /root/openshift-ansible +cd /root/openshift-ansible +sed -i 's/openshift.common.ip/openshift.common.public_ip/' roles/openshift_control_plane/templates/master.yaml.v1.j2 + +ansible-playbook /root/openshift-ansible/playbooks/prerequisites.yml +/vagrant/provision/fix-repos-persistent.sh +ansible-playbook /root/openshift-ansible/playbooks/deploy_cluster.yml + +mkdir -p /etc/origin/master && htpasswd -Bbc /etc/origin/master/htpasswd developer 4linux diff --git a/provision/master.sh.backup b/provision/master.sh.backup new file mode 100644 index 0000000..98b7aa0 --- /dev/null 
+++ b/provision/master.sh.backup @@ -0,0 +1,34 @@ +#!/bin/bash + +/vagrant/provision/fix-centos-repos.sh + +# Dependências +yum install -y curl vim device-mapper-persistent-data lvm2 epel-release wget git net-tools bind-utils yum-utils iptables-services bridge-utils bash-completion kexec-tools sos psacct docker python-ipaddress PyYAML + +systemctl start docker +systemctl enable docker + +for IMAGE in 'origin-node:v3.11' 'origin-pod:v3.11'; do + docker pull "quay.io/openshift/$IMAGE" + for IP in 20 30; do + docker save "quay.io/openshift/$IMAGE" | ssh -o stricthostkeychecking=no root@172.27.11.$IP docker load + done +done + +yum install -y java python-passlib pyOpenSSL python-jinja2 python-paramiko python-setuptools python2-cryptography sshpass +rpm -i https://releases.ansible.com/ansible/rpm/release/epel-7-x86_64/ansible-2.6.2-1.el7.ans.noarch.rpm +cp /vagrant/files/hosts /etc/ansible/hosts +cp /vagrant/files/ansible.cfg /etc/ansible/ansible.cfg +cp /vagrant/files/key /root/.ssh/id_rsa; chmod 400 /root/.ssh/id_rsa +cp /vagrant/files/key.pub /root/.ssh/id_rsa.pub +sed -i -e "s/#host_key_checking/host_key_checking/" /etc/ansible/ansible.cfg +sed -i -e "s@#private_key_file = /path/to/file@private_key_file = /root/.ssh/id_rsa@" /etc/ansible/ansible.cfg + +git clone -b release-3.11 --single-branch https://github.com/openshift/openshift-ansible /root/openshift-ansible +cd /root/openshift-ansible +sed -i 's/openshift.common.ip/openshift.common.public_ip/' roles/openshift_control_plane/templates/master.yaml.v1.j2 + +ansible-playbook /root/openshift-ansible/playbooks/prerequisites.yml +ansible-playbook /root/openshift-ansible/playbooks/deploy_cluster.yml + +htpasswd -Bbc /etc/origin/master/htpasswd developer 4linux diff --git a/provision/node.sh b/provision/node.sh new file mode 100644 index 0000000..67d5b57 --- /dev/null +++ b/provision/node.sh 
@@ -0,0 +1,11 @@ +#!/bin/bash + +# Fix CentOS repositories first +/vagrant/provision/fix-centos-repos.sh +/vagrant/provision/fix-repos-persistent.sh + +# Dependências +yum install -y container-selinux libsemanage-python curl vim device-mapper-persistent-data lvm2 epel-release wget git net-tools bind-utils yum-utils iptables-services bridge-utils bash-completion kexec-tools sos psacct docker python-ipaddress PyYAML + +systemctl start docker +systemctl enable docker diff --git a/provision/node.sh.backup b/provision/node.sh.backup new file mode 100644 index 0000000..7628633 --- /dev/null +++ b/provision/node.sh.backup @@ -0,0 +1,7 @@ +#!/bin/bash + +# Dependências +yum install -y curl vim device-mapper-persistent-data lvm2 epel-release wget git net-tools bind-utils yum-utils iptables-services bridge-utils bash-completion kexec-tools sos psacct docker python-ipaddress PyYAML + +systemctl start docker +systemctl enable docker diff --git a/provision/node.sh.backup-new b/provision/node.sh.backup-new new file mode 100644 index 0000000..a648b95 --- /dev/null +++ b/provision/node.sh.backup-new @@ -0,0 +1,10 @@ +#!/bin/bash + +# Fix CentOS repositories first +/vagrant/provision/fix-centos-repos.sh + +# Dependências +yum install -y curl vim device-mapper-persistent-data lvm2 epel-release wget git net-tools bind-utils yum-utils iptables-services bridge-utils bash-completion kexec-tools sos psacct docker python-ipaddress PyYAML + +systemctl start docker +systemctl enable docker diff --git a/provision/provision.sh b/provision/provision.sh new file mode 100644 index 0000000..20c3400 --- /dev/null +++ b/provision/provision.sh @@ -0,0 +1,14 @@ +#!/bin/bash + +mkdir -p /root/.ssh +cp /vagrant/files/key.pub /root/.ssh/authorized_keys + +HOSTS="$(head -n2 /etc/hosts)" +echo -e "$HOSTS" > /etc/hosts +cat >> /etc/hosts <
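Review bot: in provision/allinone.sh.fixed the closing `htpasswd -Bbc /etc/origin/master/htpasswd developer 4linux` hard-codes the `developer` password into the provisioner and, because of `-c`, recreates the htpasswd file on every run, discarding any entries already in it. Read the password from a Vagrant-supplied environment variable or a file excluded by .gitignore, and drop `-c` unless the file is absent (for example `test -f /etc/origin/master/htpasswd || ...`). The file is also committed as `allinone.sh.fixed`, a name the Vagrantfile will not run unless it was updated to match; either rename it to `allinone.sh` or document why the `.fixed` copy exists next to the original.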
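Review bot: in provision/extras.sh the three `ldapadd ... -D 'cn=admin,dc=extras,dc=example,dc=com' -w 'okdldap'` calls pass the directory admin password on the command line, so it is readable in `ps` output and in the shell history of the provisioning session. Put it in a root-only file and use `-y /path/to/passfile` instead of `-w`, and replace the deprecated `-h 'localhost'` with `-H ldapi:///` as the schema loads above already do, which also avoids sending the bind password over a TCP socket. The `rw,all_squash` exports for `/srv/nfs/v0` to `v9` are open to the whole 172.27.11.0/24; that is fine for the lab network, but a comment saying so belongs in the script.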
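Review bot: provision/extras.sh.backup is a verbatim copy of the pre-fix script committed beside the live one, and the same applies to master.sh.backup, node.sh.backup and node.sh.backup-new later in this patch. Git history already keeps the old versions; the backups only add dead files that a reader may mistake for active provisioners and that will drift from the real scripts. Remove them from the commit.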
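Review bot: in provision/fix-centos-repos.sh all four `baseurl=http://vault.centos.org/7.9.2009/...` entries fetch over plain HTTP. `gpgcheck=1` with the CentOS-7 key still authenticates the RPMs, but repository metadata is not signed here (`repo_gpgcheck` is unset), so anything between the VM and the vault can serve stale or altered metadata; switch the four URLs to `https://vault.centos.org/...`, which the vault serves. The script also has no `set -e`, so a failed `yum makecache` lets the calling provisioner continue with a broken repo set, and the `cp ... || true` backup is never restored if the rewrite fails.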
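Review bot: in provision/fix-openshift-repos.sh the `[centos-openshift-origin311-testing]` stanza sets `gpgcheck=0` while its `baseurl` is identical to the main release repo; if someone flips it to `enabled=1` expecting testing builds they instead get release packages installed without signature verification. Set `gpgcheck=1` there (the `gpgkey=` line is already present) and point it at a real testing path, or remove the stanza. The debuginfo `baseurl=http://vault.centos.org/centos/7/paas/x86_64/` stops at a parent directory rather than a repository. All stanzas rely on `gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-PaaS` already being on the host; the script should check that the file exists before `yum clean all`, otherwise the next yum run fails with a missing-key error. As in fix-centos-repos.sh, prefer `https://` for the vault URLs.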
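Review bot: in provision/fix-repos-persistent.sh the `while true; do ... sleep 5; done` monitor is launched with `nohup ... &`, so it is unsupervised, does not survive a reboot, and is started again each time the script runs; master.sh calls it twice and node.sh once, which leaves duplicate loops rewriting the same file. Guard the start with a pidfile or `pgrep -f fix-openshift-repos-monitor.sh`, or better, replace the loop with a systemd path unit watching `/etc/yum.repos.d/CentOS-OpenShift-Origin311.repo`. The loop also runs `yum clean all` whenever it rewrites the file, which can happen while `ansible-playbook ... prerequisites.yml` holds the yum lock on the same host and produces lock contention and cache churn mid-transaction; doing the rewrite once in the openshift-ansible repo step is more predictable than a background fixer.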
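Review bot: in provision/master.sh, `ssh -o stricthostkeychecking=no root@172.27.11.$IP docker load` disables SSH host-key verification and `sed -i -e "s/#host_key_checking/host_key_checking/"` does the same for Ansible, so the master trusts whatever answers at 172.27.11.20 and .30; acceptable on the private Vagrant network, but it should be called out in the README. `files/key` is a private key committed to the repository and installed as `/root/.ssh/id_rsa`, and provision.sh installs its public half as root's `authorized_keys` on every node, so anyone with the repo has root on every VM built from it; generate the keypair on the host at `vagrant up` time instead. Smaller points: `rpm -i https://releases.ansible.com/.../ansible-2.6.2-1.el7.ans.noarch.rpm` pins a different Ansible than the 2.5.7 in allinone.sh.fixed and installs even when the signing key is not imported (rpm only warns), so import the release key first or use `yum install`; `/vagrant/provision/fix-repos-persistent.sh` is invoked twice; and the final `htpasswd -Bbc ... developer 4linux` has the same hard-coded credential problem noted for allinone.sh.fixed.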
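Review bot: in provision/provision.sh, `HOSTS="$(head -n2 /etc/hosts)"` followed by `echo -e "$HOSTS" > /etc/hosts` truncates /etc/hosts to its first two lines on every run, which only works if those two lines are always the loopback entries and silently drops anything Vagrant or an earlier provisioner added; `echo -e` also expands any backslash escapes in the retained lines. Filter the file by pattern (for example keep lines matching `^127\.` and `^::1`) rather than by line count. `cp /vagrant/files/key.pub /root/.ssh/authorized_keys` replaces any existing root key and leaves the file and directory at umask defaults; add `chmod 700 /root/.ssh` and `chmod 600 /root/.ssh/authorized_keys` so sshd StrictModes never rejects it. The hunk is cut off at `cat >> /etc/hosts <` in this diff, so the heredoc body could not be reviewed.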