summaryrefslogtreecommitdiffstats
path: root/roles/atomic_proxy
diff options
context:
space:
mode:
authorThomas Wiest <twiest@redhat.com>2014-10-22 11:12:46 -0400
committerThomas Wiest <twiest@redhat.com>2014-10-23 12:51:52 -0400
commit5f9c7eb2d2ad44776d33197857dcd0afe693b5f5 (patch)
tree22a39c5589aa3f6a2a01f185041258e4fd69dea6 /roles/atomic_proxy
parent1057c69acdaf47e2bcd4b395069e3bc1bd9eec88 (diff)
downloadopenshift-5f9c7eb2d2ad44776d33197857dcd0afe693b5f5.tar.gz
openshift-5f9c7eb2d2ad44776d33197857dcd0afe693b5f5.tar.bz2
openshift-5f9c7eb2d2ad44776d33197857dcd0afe693b5f5.tar.xz
openshift-5f9c7eb2d2ad44776d33197857dcd0afe693b5f5.zip
Added atomic aws host to cloud.rb
Diffstat (limited to 'roles/atomic_proxy')
-rw-r--r--roles/atomic_proxy/README.md56
-rw-r--r--roles/atomic_proxy/defaults/main.yml2
-rw-r--r--roles/atomic_proxy/files/ctr-proxy-1.service37
-rw-r--r--roles/atomic_proxy/files/ctr-proxy-monitoring-1.service37
-rw-r--r--roles/atomic_proxy/files/ctr-proxy-puppet-1.service37
-rw-r--r--roles/atomic_proxy/files/proxy_containers_deploy_descriptor.json29
-rw-r--r--roles/atomic_proxy/files/puppet/auth.conf116
-rwxr-xr-xroles/atomic_proxy/files/setup-proxy-containers.sh43
-rw-r--r--roles/atomic_proxy/handlers/main.yml2
-rw-r--r--roles/atomic_proxy/meta/main.yml21
-rw-r--r--roles/atomic_proxy/tasks/main.yml21
-rw-r--r--roles/atomic_proxy/tasks/setup_puppet.yml24
-rw-r--r--roles/atomic_proxy/templates/puppet/puppet.conf.j240
-rwxr-xr-xroles/atomic_proxy/templates/sync/sync-proxy-configs.sh.j216
-rw-r--r--roles/atomic_proxy/vars/main.yml2
15 files changed, 483 insertions, 0 deletions
diff --git a/roles/atomic_proxy/README.md b/roles/atomic_proxy/README.md
new file mode 100644
index 000000000..348eaee1f
--- /dev/null
+++ b/roles/atomic_proxy/README.md
@@ -0,0 +1,56 @@
+Role Name
+========
+
+The purpose of this role is to do common configurations for all RHEL atomic hosts.
+
+
+Requirements
+------------
+
+None
+
+
+Role Variables
+--------------
+
+None
+
+
+Dependencies
+------------
+
+None
+
+
+Example Playbook
+-------------------------
+
+From a group playbook:
+
+ hosts: servers
+ roles:
+ - ../../roles/atomic_proxy
+
+
+License
+-------
+
+Copyright 2012-2014 Red Hat, Inc., All rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+
+Author Information
+------------------
+
+Thomas Wiest <twiest@redhat.com>
diff --git a/roles/atomic_proxy/defaults/main.yml b/roles/atomic_proxy/defaults/main.yml
new file mode 100644
index 000000000..0da428c27
--- /dev/null
+++ b/roles/atomic_proxy/defaults/main.yml
@@ -0,0 +1,2 @@
+---
+# defaults file for atomic_proxy
diff --git a/roles/atomic_proxy/files/ctr-proxy-1.service b/roles/atomic_proxy/files/ctr-proxy-1.service
new file mode 100644
index 000000000..c532eb8e8
--- /dev/null
+++ b/roles/atomic_proxy/files/ctr-proxy-1.service
@@ -0,0 +1,37 @@
+
+
+[Unit]
+Description=Container proxy-1
+
+
+[Service]
+Type=simple
+TimeoutStartSec=5m
+Slice=container-small.slice
+
+ExecStartPre=-/usr/bin/docker rm "proxy-1"
+
+ExecStart=/usr/bin/docker run --rm --name "proxy-1" \
+ --volumes-from proxy-shared-data-1 \
+ -a stdout -a stderr -p 80:80 -p 443:443 -p 4999:4999 \
+ "proxy:latest"
+
+ExecStartPost=-/usr/bin/gear init --post "proxy-1" "proxy:latest"
+ExecReload=-/usr/bin/docker stop "proxy-1"
+ExecReload=-/usr/bin/docker rm "proxy-1"
+ExecStop=-/usr/bin/docker stop "proxy-1"
+
+[Install]
+WantedBy=container.target
+
+# Container information
+X-ContainerId=proxy-1
+X-ContainerImage=proxy:latest
+X-ContainerUserId=
+X-ContainerRequestId=LwiWtYWaAvSavH6Ze53QJg
+X-ContainerType=simple
+X-PortMapping=80:80
+X-PortMapping=443:443
+X-PortMapping=4999:4999
+
+
diff --git a/roles/atomic_proxy/files/ctr-proxy-monitoring-1.service b/roles/atomic_proxy/files/ctr-proxy-monitoring-1.service
new file mode 100644
index 000000000..7a91ea02c
--- /dev/null
+++ b/roles/atomic_proxy/files/ctr-proxy-monitoring-1.service
@@ -0,0 +1,37 @@
+
+
+[Unit]
+Description=Container proxy-monitoring-1
+
+
+[Service]
+Type=simple
+TimeoutStartSec=5m
+Slice=container-small.slice
+
+ExecStartPre=-/usr/bin/docker rm "proxy-monitoring-1"
+
+ExecStart=/usr/bin/docker run --rm --name "proxy-monitoring-1" \
+ --volumes-from proxy-shared-data-1 \
+ -a stdout -a stderr \
+ "monitoring:latest"
+
+ExecStartPost=-/usr/bin/gear init --post "proxy-monitoring-1" "monitoring:latest"
+ExecReload=-/usr/bin/docker stop "proxy-monitoring-1"
+ExecReload=-/usr/bin/docker rm "proxy-monitoring-1"
+ExecStop=-/usr/bin/docker stop "proxy-monitoring-1"
+
+[Install]
+WantedBy=container.target
+
+# Container information
+X-ContainerId=proxy-monitoring-1
+X-ContainerImage=monitoring:latest
+X-ContainerUserId=
+X-ContainerRequestId=LwiWtYWaAvSavH6Ze53QJg
+X-ContainerType=simple
+X-PortMapping=80:80
+X-PortMapping=443:443
+X-PortMapping=4999:4999
+
+
diff --git a/roles/atomic_proxy/files/ctr-proxy-puppet-1.service b/roles/atomic_proxy/files/ctr-proxy-puppet-1.service
new file mode 100644
index 000000000..c1f4d9b13
--- /dev/null
+++ b/roles/atomic_proxy/files/ctr-proxy-puppet-1.service
@@ -0,0 +1,37 @@
+
+
+[Unit]
+Description=Container proxy-puppet-1
+
+
+[Service]
+Type=simple
+TimeoutStartSec=5m
+Slice=container-small.slice
+
+
+ExecStartPre=-/usr/bin/docker rm "proxy-puppet-1"
+
+ExecStart=/usr/bin/docker run --rm --name "proxy-puppet-1" \
+ --volumes-from proxy-shared-data-1 \
+ -v /var/lib/docker/volumes/proxy_puppet/var/lib/puppet/ssl:/var/lib/puppet/ssl \
+ -v /var/lib/docker/volumes/proxy_puppet/etc/puppet:/etc/puppet \
+ -a stdout -a stderr \
+ "puppet:latest"
+# Set links (requires container have a name)
+ExecStartPost=-/usr/bin/gear init --post "proxy-puppet-1" "puppet:latest"
+ExecReload=-/usr/bin/docker stop "proxy-puppet-1"
+ExecReload=-/usr/bin/docker rm "proxy-puppet-1"
+ExecStop=-/usr/bin/docker stop "proxy-puppet-1"
+
+[Install]
+WantedBy=container.target
+
+# Container information
+X-ContainerId=proxy-puppet-1
+X-ContainerImage=puppet:latest
+X-ContainerUserId=
+X-ContainerRequestId=Ky0lhw0onwoSDJR4GK6t3g
+X-ContainerType=simple
+
+
diff --git a/roles/atomic_proxy/files/proxy_containers_deploy_descriptor.json b/roles/atomic_proxy/files/proxy_containers_deploy_descriptor.json
new file mode 100644
index 000000000..c15835d48
--- /dev/null
+++ b/roles/atomic_proxy/files/proxy_containers_deploy_descriptor.json
@@ -0,0 +1,29 @@
+{
+ "Containers":[
+ {
+ "Name":"proxy-puppet",
+ "Count":1,
+ "Image":"puppet:latest",
+ "PublicPorts":[
+ ]
+ },
+ {
+ "Name":"proxy",
+ "Count":1,
+ "Image":"proxy:latest",
+ "PublicPorts":[
+ {"Internal":80,"External":80},
+ {"Internal":443,"External":443},
+ {"Internal":4999,"External":4999}
+ ]
+ },
+ {
+ "Name":"proxy-monitoring",
+ "Count":1,
+ "Image":"monitoring:latest",
+ "PublicPorts":[
+ ]
+ }
+ ],
+ "RandomizeIds": false
+}
diff --git a/roles/atomic_proxy/files/puppet/auth.conf b/roles/atomic_proxy/files/puppet/auth.conf
new file mode 100644
index 000000000..b31906bae
--- /dev/null
+++ b/roles/atomic_proxy/files/puppet/auth.conf
@@ -0,0 +1,116 @@
+# This is the default auth.conf file, which implements the default rules
+# used by the puppet master. (That is, the rules below will still apply
+# even if this file is deleted.)
+#
+# The ACLs are evaluated in top-down order. More specific stanzas should
+# be towards the top of the file and more general ones at the bottom;
+# otherwise, the general rules may "steal" requests that should be
+# governed by the specific rules.
+#
+# See http://docs.puppetlabs.com/guides/rest_auth_conf.html for a more complete
+# description of auth.conf's behavior.
+#
+# Supported syntax:
+# Each stanza in auth.conf starts with a path to match, followed
+# by optional modifiers, and finally, a series of allow or deny
+# directives.
+#
+# Example Stanza
+# ---------------------------------
+# path /path/to/resource # simple prefix match
+# # path ~ regex # alternately, regex match
+# [environment envlist]
+# [method methodlist]
+# [auth[enthicated] {yes|no|on|off|any}]
+# allow [host|backreference|*|regex]
+# deny [host|backreference|*|regex]
+# allow_ip [ip|cidr|ip_wildcard|*]
+# deny_ip [ip|cidr|ip_wildcard|*]
+#
+# The path match can either be a simple prefix match or a regular
+# expression. `path /file` would match both `/file_metadata` and
+# `/file_content`. Regex matches allow the use of backreferences
+# in the allow/deny directives.
+#
+# The regex syntax is the same as for Ruby regex, and captures backreferences
+# for use in the `allow` and `deny` lines of that stanza
+#
+# Examples:
+#
+# path ~ ^/path/to/resource # Equivalent to `path /path/to/resource`.
+# allow * # Allow all authenticated nodes (since auth
+# # defaults to `yes`).
+#
+# path ~ ^/catalog/([^/]+)$ # Permit nodes to access their own catalog (by
+# allow $1 # certname), but not any other node's catalog.
+#
+# path ~ ^/file_(metadata|content)/extra_files/ # Only allow certain nodes to
+# auth yes # access the "extra_files"
+# allow /^(.+)\.example\.com$/ # mount point; note this must
+# allow_ip 192.168.100.0/24 # go ABOVE the "/file" rule,
+# # since it is more specific.
+#
+# environment:: restrict an ACL to a comma-separated list of environments
+# method:: restrict an ACL to a comma-separated list of HTTP methods
+# auth:: restrict an ACL to an authenticated or unauthenticated request
+# the default when unspecified is to restrict the ACL to authenticated requests
+# (ie exactly as if auth yes was present).
+#
+
+### Authenticated ACLs - these rules apply only when the client
+### has a valid certificate and is thus authenticated
+
+# allow nodes to retrieve their own catalog
+path ~ ^/catalog/([^/]+)$
+method find
+allow $1
+
+# allow nodes to retrieve their own node definition
+path ~ ^/node/([^/]+)$
+method find
+allow $1
+
+# allow all nodes to access the certificates services
+path /certificate_revocation_list/ca
+method find
+allow *
+
+# allow all nodes to store their own reports
+path ~ ^/report/([^/]+)$
+method save
+allow $1
+
+# Allow all nodes to access all file services; this is necessary for
+# pluginsync, file serving from modules, and file serving from custom
+# mount points (see fileserver.conf). Note that the `/file` prefix matches
+# requests to both the file_metadata and file_content paths. See "Examples"
+# above if you need more granular access control for custom mount points.
+path /file
+allow *
+
+### Unauthenticated ACLs, for clients without valid certificates; authenticated
+### clients can also access these paths, though they rarely need to.
+
+# allow access to the CA certificate; unauthenticated nodes need this
+# in order to validate the puppet master's certificate
+path /certificate/ca
+auth any
+method find
+allow *
+
+# allow nodes to retrieve the certificate they requested earlier
+path /certificate/
+auth any
+method find
+allow *
+
+# allow nodes to request a new certificate
+path /certificate_request
+auth any
+method find, save
+allow *
+
+# deny everything else; this ACL is not strictly necessary, but
+# illustrates the default policy.
+path /
+auth any
diff --git a/roles/atomic_proxy/files/setup-proxy-containers.sh b/roles/atomic_proxy/files/setup-proxy-containers.sh
new file mode 100755
index 000000000..d047c96c1
--- /dev/null
+++ b/roles/atomic_proxy/files/setup-proxy-containers.sh
@@ -0,0 +1,43 @@
+#!/bin/bash
+
+function fail {
+ msg=$1
+ echo
+ echo $msg
+ echo
+ exit 5
+}
+
+
+NUM_DATA_CTR=$(docker ps -a | grep -c proxy-shared-data-1)
+[ "$NUM_DATA_CTR" -ne 0 ] && fail "ERROR: proxy-shared-data-1 exists"
+
+
+# pre-cache the container images
+echo
+timeout --signal TERM --kill-after 30 600 docker pull busybox:latest || fail "ERROR: docker pull of busybox failed"
+
+echo
+# WORKAROUND: Setup the shared data container
+/usr/bin/docker run --name "proxy-shared-data-1" \
+ -v /shared/etc/haproxy \
+ -v /shared/etc/httpd \
+ -v /shared/etc/openshift \
+ -v /shared/etc/pki \
+ -v /shared/var/run/ctr-ipc \
+ -v /shared/var/lib/haproxy \
+ -v /shared/usr/local \
+ "busybox:latest" true
+
+# WORKAROUND: These are because we're not using a pod yet
+cp /usr/local/etc/ctr-proxy-1.service /usr/local/etc/ctr-proxy-puppet-1.service /usr/local/etc/ctr-proxy-monitoring-1.service /etc/systemd/system/
+
+systemctl daemon-reload
+
+echo
+echo -n "sleeping 10 seconds for systemd reload to take affect..."
+sleep 10
+echo " Done."
+
+# Start the services
+systemctl start ctr-proxy-puppet-1 ctr-proxy-1 ctr-proxy-monitoring-1
diff --git a/roles/atomic_proxy/handlers/main.yml b/roles/atomic_proxy/handlers/main.yml
new file mode 100644
index 000000000..8de31258f
--- /dev/null
+++ b/roles/atomic_proxy/handlers/main.yml
@@ -0,0 +1,2 @@
+---
+# handlers file for atomic_proxy
diff --git a/roles/atomic_proxy/meta/main.yml b/roles/atomic_proxy/meta/main.yml
new file mode 100644
index 000000000..a92d685b1
--- /dev/null
+++ b/roles/atomic_proxy/meta/main.yml
@@ -0,0 +1,21 @@
+---
+galaxy_info:
+ author: Thomas Wiest
+ description: Common base RHEL atomic configurations
+ company: Red Hat
+ # Some suggested licenses:
+ # - BSD (default)
+ # - MIT
+ # - GPLv2
+ # - GPLv3
+ # - Apache
+ # - CC-BY
+ license: Apache
+ min_ansible_version: 1.2
+ platforms:
+ - name: EL
+ versions:
+ - 7
+dependencies:
+ # This is the role's PRIVATE counterpart, which is used.
+ - ../../../../../atomic_private/ansible/roles/atomic_proxy
diff --git a/roles/atomic_proxy/tasks/main.yml b/roles/atomic_proxy/tasks/main.yml
new file mode 100644
index 000000000..d5a5a0a47
--- /dev/null
+++ b/roles/atomic_proxy/tasks/main.yml
@@ -0,0 +1,21 @@
+---
+- name: upload sbin scripts
+ copy: >
+ src={{ item }}
+ dest=/usr/local/sbin/{{ item }}
+ mode=0750
+ with_items:
+ - setup-proxy-containers.sh
+
+- name: upload /usr/local/etc files
+ copy: >
+ src={{ item }}
+ dest=/usr/local/etc/{{ item }}
+ mode=0640
+ with_items:
+ - proxy_containers_deploy_descriptor.json
+ - ctr-proxy-1.service
+ - ctr-proxy-puppet-1.service
+ - ctr-proxy-monitoring-1.service
+
+- include: setup_puppet.yml
diff --git a/roles/atomic_proxy/tasks/setup_puppet.yml b/roles/atomic_proxy/tasks/setup_puppet.yml
new file mode 100644
index 000000000..e711d06c1
--- /dev/null
+++ b/roles/atomic_proxy/tasks/setup_puppet.yml
@@ -0,0 +1,24 @@
+---
+- name: make puppet conf dir
+ file: >
+ dest={{ oo_proxy_puppet_volume_dir }}/etc/puppet
+ mode=755
+ owner=root
+ group=root
+ state=directory
+
+- name: upload puppet auth config
+ copy: >
+ src=puppet/auth.conf
+ dest={{ oo_proxy_puppet_volume_dir }}/etc/puppet/auth.conf
+ mode=0644
+ owner=root
+ group=root
+
+- name: upload puppet config
+ template: >
+ src=puppet/puppet.conf.j2
+ dest={{ oo_proxy_puppet_volume_dir }}/etc/puppet/puppet.conf
+ mode=0644
+ owner=root
+ group=root
diff --git a/roles/atomic_proxy/templates/puppet/puppet.conf.j2 b/roles/atomic_proxy/templates/puppet/puppet.conf.j2
new file mode 100644
index 000000000..9a47ab11c
--- /dev/null
+++ b/roles/atomic_proxy/templates/puppet/puppet.conf.j2
@@ -0,0 +1,40 @@
+[main]
+ # we need to override the host name of the container
+ certname = ctr-proxy.stg.rhcloud.com
+
+ # The Puppet log directory.
+ # The default value is '$vardir/log'.
+ logdir = /var/log/puppet
+
+ # Where Puppet PID files are kept.
+ # The default value is '$vardir/run'.
+ rundir = /var/run/puppet
+
+ # Where SSL certificates are kept.
+ # The default value is '$confdir/ssl'.
+ ssldir = $vardir/ssl
+ manifest = $manifestdir/site.pp
+ manifestdir = /var/lib/puppet/environments/pub/$environment/manifests
+ environment = {{ oo_env_long }}
+ modulepath = /var/lib/puppet/environments/pub/$environment/modules:/var/lib/puppet/environments/pri/$environment/modules:/var/lib/puppet/environments/pri/production/modules:$confdir/modules:/usr/share/puppet/modules
+
+[agent]
+ # The file in which puppetd stores a list of the classes
+ # associated with the retrieved configuratiion. Can be loaded in
+ # the separate ``puppet`` executable using the ``--loadclasses``
+ # option.
+ # The default value is '$confdir/classes.txt'.
+ classfile = $vardir/classes.txt
+
+ # Where puppetd caches the local configuration. An
+ # extension indicating the cache format is added automatically.
+ # The default value is '$confdir/localconfig'.
+ localconfig = $vardir/localconfig
+ server = puppet.ops.rhcloud.com
+ environment = {{ oo_env_long }}
+ pluginsync = true
+ graph = true
+ configtimeout = 600
+ report = true
+ runinterval = 3600
+ splay = true
diff --git a/roles/atomic_proxy/templates/sync/sync-proxy-configs.sh.j2 b/roles/atomic_proxy/templates/sync/sync-proxy-configs.sh.j2
new file mode 100755
index 000000000..d9aa2d811
--- /dev/null
+++ b/roles/atomic_proxy/templates/sync/sync-proxy-configs.sh.j2
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+VOL_DIR=/var/lib/docker/volumes/proxy
+SSH_CMD="ssh -o StrictHostKeyChecking=no -o PasswordAuthentication=no -o ConnectTimeout=10 -o UserKnownHostsFile=/dev/null"
+
+mkdir -p ${VOL_DIR}/etc/haproxy/
+rsync -e "${SSH_CMD}" -va --progress root@proxy1.{{ oo_env }}.rhcloud.com:/etc/haproxy/ ${VOL_DIR}/etc/haproxy/
+
+mkdir -p ${VOL_DIR}/etc/httpd/
+rsync -e "${SSH_CMD}" -va --progress root@proxy1.{{ oo_env }}.rhcloud.com:/etc/httpd/ ${VOL_DIR}/etc/httpd/
+
+mkdir -p ${VOL_DIR}/etc/pki/tls/
+rsync -e "${SSH_CMD}" -va --progress root@proxy1.{{ oo_env }}.rhcloud.com:/etc/pki/tls/ ${VOL_DIR}/etc/pki/tls/
+
+# We need to disable the haproxy chroot
+sed -i -re 's/^(\s+)chroot/\1#chroot/' /var/lib/docker/volumes/proxy/etc/haproxy/haproxy.cfg
diff --git a/roles/atomic_proxy/vars/main.yml b/roles/atomic_proxy/vars/main.yml
new file mode 100644
index 000000000..1f90492fd
--- /dev/null
+++ b/roles/atomic_proxy/vars/main.yml
@@ -0,0 +1,2 @@
+---
+oo_proxy_puppet_volume_dir: /var/lib/docker/volumes/proxy_puppet