diff --git a/bin/chef/addcookbooks.py b/bin/chef/addcookbooks.py old mode 100644 new mode 100755 index b4ce8b1f..af7d8926 --- a/bin/chef/addcookbooks.py +++ b/bin/chef/addcookbooks.py @@ -1,10 +1,25 @@ #!/usr/bin/env python +import logging import os import os.path -cookbooks = [] -cookbook_dir = '/var/chef/cookbooks/' -cmd = "knife cookbook upload --all --cookbook-path %s" % cookbook_dir -os.system(cmd) + +from compass.utils import flags +from compass.utils import logsetting + + +flags.add('cookbooks_dir', + help='chef cookbooks directory', + default='/var/chef/cookbooks') + + +if __name__ == '__main__': + flags.init() + logsetting.init() + cookbooks = [] + cookbooks_dir = flags.OPTIONS.cookbooks_dir + logging.info('add cookbooks %s', cookbooks_dir) + cmd = "knife cookbook upload --all --cookbook-path %s" % cookbooks_dir + os.system(cmd) diff --git a/bin/chef/adddatabags.py b/bin/chef/adddatabags.py old mode 100644 new mode 100755 index 3b83837d..7c847a13 --- a/bin/chef/adddatabags.py +++ b/bin/chef/adddatabags.py 
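Review bot: `os.system(cmd)` at the end of the new `__main__` block hands `cookbooks_dir` to a shell unquoted, so a `--cookbooks_dir` value containing spaces or shell metacharacters is split or interpreted, and the call's return value is dropped, so a failed `knife cookbook upload` still exits 0 (install/compass.sh in this diff runs the script without checking it). Replace the two lines with `subprocess.check_call(['knife', 'cookbook', 'upload', '--all', '--cookbook-path', cookbooks_dir])` plus `import subprocess`, which avoids the shell and raises on a non-zero exit. The `cookbooks = []` assignment is never read and can go. A module docstring such as `"""Upload all chef cookbooks under --cookbooks_dir to the chef server with knife."""` would help, since the flag help text is currently the only documentation.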
@@ -1,21 +1,37 @@ #!/usr/bin/env python +import logging import os import os.path -databags = [] -databag_dir = '/var/chef/databags' -for item in os.listdir(databag_dir): - databags.append(item) +from compass.utils import flags +from compass.utils import logsetting -for databag in databags: - cmd = "knife data bag create %s" % databag - os.system(cmd) - databag_items = [] - databagitem_dir = os.path.join(databag_dir, databag) - for item in os.listdir(databagitem_dir): - databag_items.append(os.path.join(databagitem_dir, item)) - for databag_item in databag_items: - cmd = 'knife data bag from file %s %s' % (databag, databag_item) +flags.add('databags_dir', + help='chef databags directory', + default='/var/chef/databags') + + +if __name__ == '__main__': + flags.init() + logsetting.init() + databags = [] + databags_dir = flags.OPTIONS.databags_dir + for item in os.listdir(databags_dir): + databags.append(item) + + for databag in databags: + logging.info('add databag %s', databag) + cmd = "knife data bag create %s" % databag os.system(cmd) + databag_items = [] + databagitem_dir = os.path.join(databags_dir, databag) + for item in os.listdir(databagitem_dir): + databag_items.append(os.path.join(databagitem_dir, item)) + + for databag_item in databag_items: + logging.info('add databag item %s to databag %s', + databag_item, databag) + cmd = 'knife data bag from file %s %s' % (databag, databag_item) + os.system(cmd) diff --git a/bin/chef/addroles.py b/bin/chef/addroles.py index 9c777b71..71eb9d06 100755 --- a/bin/chef/addroles.py +++ b/bin/chef/addroles.py 
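Review bot: Every entry returned by `os.listdir(databags_dir)` is fed straight into `knife data bag create %s` and `knife data bag from file %s %s` through `os.system`, so a stray dotfile, README or editor backup in the directory becomes a shell-interpreted data bag name or item path, and every knife failure is ignored because the return value of `os.system` is never checked. Compute `databagitem_dir` before the create call and skip non-directories with `if not os.path.isdir(databagitem_dir): continue`, and run knife as an argument list, `subprocess.check_call(['knife', 'data', 'bag', 'from', 'file', databag, databag_item])`, so names are not re-parsed by a shell and a non-zero exit aborts the script. The `databags` list is only ever iterated once, so `for databag in os.listdir(databags_dir):` would drop the intermediate list and the unused accumulation.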
@@ -1,15 +1,29 @@ #!/usr/bin/env python +import logging import os import os.path -rolelist = [] -role_dir = '/var/chef/roles' -for item in os.listdir(role_dir): - f = os.path.join(role_dir, item) - rolelist.append(f) +from compass.utils import flags +from compass.utils import logsetting -for role in rolelist: - cmd = "knife role from file %s" % role - os.system(cmd) +flags.add('roles_dir', + help='chef roles directory', + default='/var/chef/roles') + + +if __name__ == '__main__': + flags.init() + logsetting.init() + rolelist = [] + roles_dir = flags.OPTIONS.roles_dir + + for item in os.listdir(roles_dir): + role_file = os.path.join(roles_dir, item) + rolelist.append(role_file) + + for role in rolelist: + logging.info('add role %s', role) + cmd = "knife role from file %s" % role + os.system(cmd) diff --git a/bin/manage_db.py b/bin/manage_db.py index 8b606d13..08961aaf 100755 --- a/bin/manage_db.py +++ b/bin/manage_db.py @@ -5,6 +5,7 @@ import os import os.path import re import shutil +import sys from flask.ext.script import Manager @@ -69,9 +70,21 @@ def list_config(): print key, value +@app_manager.command +def checkdb(): + """check if db exists""" + if setting.DATABASE_TYPE == 'file': + if os.path.exists(setting.DATABASE_FILE): + sys.exit(0) + else: + sys.exit(1) + + sys.exit(0) + + @app_manager.command def createdb(): - "Creates database from sqlalchemy models" + """Creates database from sqlalchemy models""" if setting.DATABASE_TYPE == 'file': if os.path.exists(setting.DATABASE_FILE): os.remove(setting.DATABASE_FILE) @@ -81,7 +94,7 @@ def createdb(): @app_manager.command def dropdb(): - "Drops database from sqlalchemy models" + """Drops database from sqlalchemy models""" database.drop_db() 
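Review bot: Same pattern as the other two chef helpers in this change: `cmd = "knife role from file %s" % role` followed by `os.system(cmd)` re-parses the path through a shell and ignores knife's exit status, so a role that fails to load is silently skipped and a `--roles_dir` containing spaces breaks. Use `subprocess.check_call(['knife', 'role', 'from', 'file', role])` with `import subprocess`, and guard the list build with `if os.path.isfile(role_file)`, since `os.listdir` also returns subdirectories and dotfiles that knife will reject. A short module docstring, `"""Load every role file in --roles_dir into the chef server with knife."""`, would document the script's contract.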
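Review bot: `checkdb` exits 0 for every `DATABASE_TYPE` other than `'file'` without touching the database, so the new `refresh.sh` in this diff, which runs `clean_clusters` whenever `checkdb` succeeds, treats a not-yet-created MySQL or other server-side database as present. Either probe the configured backend (open a `database.session()` and run a trivial query, exiting 1 on failure) or make the limitation explicit in the docstring: `"""Exit 0 if the database exists; only DATABASE_TYPE == 'file' is actually checked, other backends are assumed present."""`. `createdb` in the same hunk still deletes an existing `DATABASE_FILE` unconditionally, which deserves a comment now that `refresh.sh` calls it on every run rather than only with `--init`.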
@@ -115,14 +128,17 @@ def sync_from_installers(): roles_per_target_system = {} for adapter in adapters: target_systems.add(adapter['target_system']) + for target_system in target_systems: roles_per_target_system[target_system] = manager.get_roles( target_system) + with database.session() as session: session.query(Adapter).delete() session.query(Role).delete() for adapter in adapters: session.add(Adapter(**adapter)) + for target_system, roles in roles_per_target_system.items(): for role in roles: session.add(Role(**role)) diff --git a/bin/refresh.sh b/bin/refresh.sh index 5da2af9c..c5dc5d13 100755 --- a/bin/refresh.sh +++ b/bin/refresh.sh @@ -1,12 +1,6 @@ #!/bin/bash -let initial_run=0 -while [ $# -gt 0 ]; do - case "$1" in - -i|--init) let initial_run=1; shift ;; - *) shift ;; - esac -done -if [ $initial_run -eq 0 ]; then +/opt/compass/bin/manage_db.py checkdb +if [[ "$?" == "0" ]]; then /opt/compass/bin/manage_db.py clean_clusters fi /opt/compass/bin/manage_db.py createdb diff --git a/compass/actions/health_check/check_dns.py b/compass/actions/health_check/check_dns.py index 953fb8c6..8edc35fa 100644 --- a/compass/actions/health_check/check_dns.py +++ b/compass/actions/health_check/check_dns.py @@ -64,10 +64,7 @@ class DnsCheck(base.BaseCheck): if "listen-on port 53" in line and host_ip in line: VAR_MAP["match_port"] = True if "allow-query" in line: - for subnet in ["127.0.0.0/8", - "10.0.0.0/8", - "192.168.0.0/16", - "172.16.0.0/12"]: + for subnet in ["127.0.0.0/8"]: if not subnet in line: missing_query.append(subnet) f.close() diff --git a/compass/config_management/installers/plugins/chefhandler.py b/compass/config_management/installers/plugins/chefhandler.py index 2a6dee0e..be40c3d8 100644 --- a/compass/config_management/installers/plugins/chefhandler.py +++ b/compass/config_management/installers/plugins/chefhandler.py 
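Review bot: With the `--init` flag removed, whether `clean_clusters` runs is decided solely by `manage_db.py checkdb`, which in this diff succeeds unconditionally for non-file databases, so a first run against a MySQL-style backend is no longer distinguishable from a refresh. Prefer `if /opt/compass/bin/manage_db.py checkdb; then` over testing `$?` on the next line, and add `set -e` (or check each `manage_db.py` call) so a failing `clean_clusters` does not fall through into `createdb`, which deletes the existing file database.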
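Review bot: Shrinking the expected `allow-query` list to `["127.0.0.0/8"]` makes the check pass even when the provisioning subnet is missing, although `install/cobbler.sh` in this same diff renders `allow-query { 127.0.0.0/8; $subnet; }` into named.template and PXE-booted nodes depend on that subnet being permitted. If the configured subnet is reachable from `DnsCheck` (not visible here), append it to the list; otherwise mark the gap with `# only loopback is verified; the deployment subnet written by install/cobbler.sh is not checked`. The enclosing method starts before this hunk.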
@@ -33,10 +33,14 @@ TO_CLUSTER_TRANSLATORS = { '/credential/mysql/image', '/credential/mysql/metering', '/credential/mysql/network', - '/credential/mysql/super', '/credential/mysql/volume', ] )], + '/security/service_credentials/password': [KeyTranslator( + translated_keys=[ + '/credential/mysql/super/password', + ] + )], '/networking/interfaces/management/nic': [KeyTranslator( translated_keys=['/networking/control/interface'], )], diff --git a/compass/tests/config_management/utils/data/test1 b/compass/tests/config_management/utils/data/test1 index 75eecf3d..607ca607 100644 --- a/compass/tests/config_management/utils/data/test1 +++ b/compass/tests/config_management/utils/data/test1 @@ -194,7 +194,7 @@ chef_EXPECTED = { 'metering': {'username': 'service', 'password': 'huawei'}, 'volume': {'username': 'service', 'password': 'huawei'}, 'dashboard': {'username': 'service', 'password': 'huawei'}, - 'super': {'username': 'service', 'password': 'huawei'}, + 'super': {'password': 'huawei'}, 'identity': {'username': 'service', 'password': 'huawei'} } }, diff --git a/compass/tests/config_management/utils/data/test2 b/compass/tests/config_management/utils/data/test2 index 353cc85a..4047226c 100644 --- a/compass/tests/config_management/utils/data/test2 +++ b/compass/tests/config_management/utils/data/test2 @@ -244,7 +244,7 @@ chef_EXPECTED = { 'metering': {'username': 'service', 'password': 'huawei'}, 'volume': {'username': 'service', 'password': 'huawei'}, 'dashboard': {'username': 'service', 'password': 'huawei'}, - 'super': {'username': 'service', 'password': 'huawei'}, + 'super': {'password': 'huawei'}, 'identity': {'username': 'service', 'password': 'huawei'} } }, diff --git a/compass/tests/config_management/utils/data/test3 b/compass/tests/config_management/utils/data/test3 index 0a55b236..f363c517 100644 --- a/compass/tests/config_management/utils/data/test3 +++ b/compass/tests/config_management/utils/data/test3 
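Review bot: Mapping `/security/service_credentials/password` onto `/credential/mysql/super/password` makes the MySQL super-user password the same secret as the shared service password (the updated fixtures in this diff show `'huawei'` for `super` and for every service account), so compromising any single OpenStack service account yields database root; a dedicated key such as `/security/service_credentials/mysql_super_password`, or a generated value, would keep the blast radius per service. The `super` entry now carries only `password` — the fixtures show the old translator also produced `username` — so whichever cookbook reads `/credential/mysql/super` must supply the user name itself; confirm that and record it on the translator, e.g. `# mysql super user name is fixed by the cookbook; only the password is cluster-configurable`. `TO_CLUSTER_TRANSLATORS` continues outside this hunk.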
@@ -404,7 +404,7 @@ chef_EXPECTED = { 'metering': {'username': 'service', 'password': 'huawei'}, 'volume': {'username': 'service', 'password': 'huawei'}, 'dashboard': {'username': 'service', 'password': 'huawei'}, - 'super': {'username': 'service', 'password': 'huawei'}, + 'super': {'password': 'huawei'}, 'identity': {'username': 'service', 'password': 'huawei'} } }, @@ -474,7 +474,7 @@ chef_EXPECTED = { 'metering': {'username': 'service', 'password': 'huawei'}, 'volume': {'username': 'service', 'password': 'huawei'}, 'dashboard': {'username': 'service', 'password': 'huawei'}, - 'super': {'username': 'service', 'password': 'huawei'}, + 'super': {'password': 'huawei'}, 'identity': {'username': 'service', 'password': 'huawei'} } }, diff --git a/install/chef.sh b/install/chef.sh index 1beafae2..caae8fa1 100755 --- a/install/chef.sh +++ b/install/chef.sh 
@@ -1,45 +1,60 @@ #!/bin/bash +# -##export ipaddr=$(ifconfig $NIC | grep 'inet addr:' | cut -d: -f2 | awk '{ print $1}') -echo "$ipaddr $HOSTNAME" >> /etc/hosts +# create backup dir +sudo mkdir -p /root/backup/chef + +sudo rpm -q chef-server +if [[ "$?" != "0" ]]; then sudo rpm -Uvh $CHEF_SRV - -# configure rsyslog -cp /etc/rsyslog.conf /root/backup/ -# update rsyslog.conf -sudo sed -i ' -/#### GLOBAL DIRECTIVES ####/ i\ -\$WorkDirectory /var/lib/rsyslog\ -\ -\# Added for chef logfiles\ -\$template Chef_log,"/var/log/cobbler/anamon/%hostname%/chef-client.log"\ -\$template Raw, "%rawmsg%"\ -' /etc/rsyslog.conf -sudo sed -i ' -/# ### begin forwarding rule ###/ i\ -local3.* -?Chef_log\ -' /etc/rsyslog.conf -sudo sed -i 's/^#$ModLoad[ \t]\+imtcp/$ModLoad imtcp/g' /etc/rsyslog.conf -sudo sed -i '/$InputTCPServerRun/c\$InputTCPServerRun 514' /etc/rsyslog.conf -sudo service rsyslog restart +if [[ "$?" != "0" ]]; then + echo "failed to rpm install $CHEF_SRV" + exit 1 +fi +else + echo "chef-server has already installed" +fi # configure chef-server -sudo mkdir /root/backup/chef-server -sudo cp /opt/chef-server/embedded/conf/nginx.conf /root/backup/chef-server/ -sudo sed -i 's/listen\([ \t]\+\)80;/listen\18080;/g' /opt/chef-server/embedded/conf/nginx.conf +sudo chef-server-ctl cleanse +mkdir -p /etc/chef-server +sudo cp -rn /etc/chef-server/chef-server.rb /root/backup/chef/ +sudo rm -f /etc/chef-server/chef-server.rb +sudo cp -rf $COMPASSDIR/misc/chef-server/chef-server.rb /etc/chef-server/chef-server.rb +sudo chmod 644 /etc/chef-server/chef-server.rb sudo chef-server-ctl reconfigure -sudo cp /var/opt/chef-server/nginx/etc/nginx.conf /root/backup/chef-server/etc-nginx.conf -sudo sed -i 's/listen\([ \t]\+\)80;/listen\18080;/g' /var/opt/chef-server/nginx/etc/nginx.conf -sudo chef-server-ctl restart sudo chef-server-ctl test +if [[ "$?" 
!= "0" ]]; then + echo "chef-server-ctl test failed" + exit 1 +fi # configure chef client and knife -sudo curl -L http://www.opscode.com/chef/install.sh | sudo bash +rpm -q chef +if [[ "$?" != "0" ]]; then +sudo wget -c --progress=bar:force -O /tmp/chef_install.sh http://www.opscode.com/chef/install.sh +if [[ "$?" != "0" ]]; then + echo "failed to download chef install script" + exit 1 +else + echo "chef install script is downloaded" +fi +sudo chmod 755 /tmp/chef_install.sh +sudo /tmp/chef_install.sh +if [[ "$?" != "0" ]]; then + echo "chef install failed" + exit 1 +else + echo "chef is installed" +fi +else +echo "chef has already installed" +fi -sudo mkdir ~/.chef +sudo mkdir -p ~/.chef sudo knife configure -y -i --defaults -r ~/chef-repo -s https://localhost:443 -u $USER --admin-client-name admin --admin-client-key /etc/chef-server/admin.pem --validation-client-name chef-validator --validation-key /etc/chef-server/chef-validator.pem <//g' /etc/httpd/conf.d/ssl.conf - - -sudo mkdir /root/backup/selinux -sudo cp /etc/selinux/config /root/backup/selinux/ +# disable selinux +sudo mkdir -p /root/backup/selinux +sudo cp -rn /etc/selinux/config /root/backup/selinux/ sudo sed -i '/SELINUX/s/enforcing/disabled/' /etc/selinux/config -sudo cp /etc/cobbler/modules.conf /root/backup/cobbler/ -sudo sed -i 's/module\([ \t]\+\)=\([ \t]\+\)authn_denyall/module\1=\2authn_configfile/g' /etc/cobbler/modules.conf +# update cobbler settings +sudo cp -rn /etc/cobbler/settings /root/backup/cobbler/ +sudo rm -f /etc/cobbler/settings +sudo cp -rf $ADAPTER_HOME/cobbler/conf/settings /etc/cobbler/settings +sudo sed -i "s/next_server:[ \t]*\$next_server/next_server: $NEXTSERVER/g" /etc/cobbler/settings +sudo sed -i "s/server:[ \t]*\$ipaddr/server: $ipaddr/g" /etc/cobbler/settings +sudo sed -i "s/default_name_servers:[ \t]*\['\$ipaddr'\]/default_name_servers: \['$ipaddr'\]/g" /etc/cobbler/settings +domains=$(echo $NAMESERVER_DOMAINS | sed "s/,/','/g") +sudo sed -i "s/manage_forward_zones:[ 
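Review bot: `sudo wget -c --progress=bar:force -O /tmp/chef_install.sh http://www.opscode.com/chef/install.sh` followed by `sudo /tmp/chef_install.sh` fetches an installer over plain HTTP, drops it at a fixed path in world-writable `/tmp`, and runs it as root with no checksum or signature check — anyone on the network path, or any local user who pre-creates `/tmp/chef_install.sh` as a symlink before the download (`-O` writes through it), gets root on the Compass server. Use an https URL, `tmp=$(mktemp /tmp/chef_install.XXXXXX)`, and `echo "$CHEF_INSTALL_SHA256  $tmp" | sha256sum -c -` against a pinned digest before executing; the same applies to `sudo rpm -Uvh $CHEF_SRV`, whose default in install.conf is an http URL and which `rpm` only signature-checks if the vendor key was imported first. `sudo chef-server-ctl cleanse` runs on every invocation, including the "chef-server has already installed" path, so re-running the installer appears to wipe existing chef-server data; if that is intended, say so in a comment, otherwise guard it with the same `rpm -q` result. The tail of this hunk (the `knife configure` heredoc) is not visible in the page.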
\t]*\[\]/manage_forward_zones: \['$domains'\]/g" /etc/cobbler/settings +export cobbler_passwd=$(openssl passwd -1 -salt 'huawei' '123456') +sudo sed -i "s,^default_password_crypted:[ \t]\+\"\(.*\)\",default_password_crypted: \"$cobbler_passwd\",g" /etc/cobbler/settings +sudo chmod 644 /etc/cobbler/settings + +# update dhcp.template +sudo cp -rn /etc/cobbler/dhcp.template /root/backup/cobbler/ +sudo rm -f /etc/cobbler/dhcp.template +sudo cp -rf $ADAPTER_HOME/cobbler/conf/dhcp.template /etc/cobbler/dhcp.template +subnet=$(ipcalc $SUBNET -n |cut -f 2 -d '=') +sudo sed -i "s/subnet \$subnet netmask \$netmask/subnet $subnet netmask $netmask/g" /etc/cobbler/dhcp.template +sudo sed -i "s/option routers \$gateway/option routers $OPTION_ROUTER/g" /etc/cobbler/dhcp.template +sudo sed -i "s/option subnet-mask \$netmask/option subnet-mask $netmask/g" /etc/cobbler/dhcp.template +sudo sed -i "s/option domain-name-servers \$ipaddr/option domain-name-servers $ipaddr/g" /etc/cobbler/dhcp.template +sudo sed -i "s/range dynamic-bootp \$ip_range/range dynamic-bootp $IP_RANGE/g" /etc/cobbler/dhcp.template +sudo sed -i "s/local-address \$ipaddr/local-address $ipaddr/g" /etc/cobbler/dhcp.template +sudo chmod 644 /etc/cobbler/dhcp.template + +# update tftpd.template +sudo cp -rn /etc/cobbler/tftpd.template /root/backup/cobbler/ +sudo rm -f /etc/cobbler/tftpd.template +sudo cp -rf $ADAPTER_HOME/cobbler/conf/tftpd.template /etc/cobbler/tftpd.template +sudo chmod 644 /etc/cobbler/tftpd.template + +# update named.template +sudo cp -rn /etc/cobbler/named.template /root/backup/cobbler/ +sudo rm -f /etc/cobbler/named.template +sudo cp -rf $ADAPTER_HOME/cobbler/conf/named.template /etc/cobbler/named.template +sudo sed -i "s/listen-on port 53 { \$ipaddr; }/listen-on port 53 \{ $ipaddr; \}/g" /etc/cobbler/named.template +subnet_escaped=$(echo $SUBNET | sed -e 's/[\/&]/\\&/g') +sudo sed -i "s/allow-query { 127.0.0.0\/8; \$subnet; }/allow-query \{ 127.0.0.0\/8; $subnet_escaped; \}/g" 
/etc/cobbler/named.template +sudo chmod 644 /etc/cobbler/named.template + +# update zone.template +sudo cp -rn /etc/cobbler/zone.template /root/backup/cobbler/ +sudo rm -f /etc/cobbler/zone.template +sudo cp -rf $ADAPTER_HOME/cobbler/conf/zone.template /etc/cobbler/zone.template +sudo sed -i "s/\$hostname IN A \$ipaddr/$HOSTNAME IN A $ipaddr/g" /etc/cobbler/zone.template +sudo chmod 644 /etc/cobbler/zone.template + +# update modules.conf +sudo cp -rn /etc/cobbler/modules.conf /root/backup/cobbler/ +sudo rm -f /etc/cobbler/modules.conf +sudo cp -rf $ADAPTER_HOME/cobbler/conf/modules.conf /etc/cobbler/modules.conf +sudo chmod 644 /etc/cobbler/modules.conf echo "setting up cobbler web password: default user is cobbler" CBLR_USER=${CBLR_USER:-"cobbler"} CBLR_PASSWD=${CBLR_PASSWD:-"cobbler"} -(echo -n "$CBLR_USER:Cobbler:" && echo -n "$CBLR_USER:Cobbler:$CBLR_PASSWD" | md5sum - | cut -d' ' -f1) >> /etc/cobbler/users.digest +(echo -n "$CBLR_USER:Cobbler:" && echo -n "$CBLR_USER:Cobbler:$CBLR_PASSWD" | md5sum - | cut -d' ' -f1) > /etc/cobbler/users.digest -sudo sed -i "s/listen-on[ \t]\+.*;/listen-on port 53 \{ $ipaddr; \};/g" /etc/cobbler/named.template -subnet_escaped=$(echo $SUBNET | sed -e 's/[\/&]/\\&/g') -sudo sed -i "s/allow-query[ \t]\+.*/allow-query\t\{ 127.0.0.0\/8; 10.0.0.0\/8; 192.168.0.0\/16; 172.16.0.0\/12; $subnet_escaped; \};/g" /etc/cobbler/named.template +# update cobbler config +sudo cp -rn /var/lib/cobbler/snippets /root/backup/cobbler/ +sudo cp -rn /var/lib/cobbler/kickstarts/ /root/backup/cobbler/ +sudo rm -rf /var/lib/cobbler/snippets/* +sudo cp -rf $ADAPTER_HOME/cobbler/snippets/* /var/lib/cobbler/snippets/ +sudo chmod 777 /var/lib/cobbler/snippets +sudo chmod 666 /var/lib/cobbler/snippets/* +sudo sed -i "s/# \$compass_ip \$compass_hostname/$ipaddr $HOSTNAME/g" /var/lib/cobbler/snippets/hosts +sudo rm -f /var/lib/cobbler/kickstarts/default.ks +sudo cp -rf $ADAPTER_HOME/cobbler/kickstarts/default.ks /var/lib/cobbler/kickstarts/ +sudo chmod 666 
/var/lib/cobbler/kickstarts/default.ks -echo "$HOSTNAME IN A $ipaddr" >> /etc/cobbler/zone.template - -sudo cp /etc/xinetd.d/rsync /root/backup/ +sudo cp -rn /etc/xinetd.d /root/backup/ sudo sed -i 's/disable\([ \t]\+\)=\([ \t]\+\)yes/disable\1=\2no/g' /etc/xinetd.d/rsync sudo sed -i 's/^@dists=/# @dists=/g' /etc/debmirror.conf sudo sed -i 's/^@arches=/# @arches=/g' /etc/debmirror.conf echo "disable iptables" sudo service iptables stop +sudo service iptables status +if [[ "$?" == "0" ]]; then + echo "iptables is running" + exit 1 +fi echo "disable selinux temporarily" echo 0 > /selinux/enforce -echo "Checking if httpd is running" -sudo ps cax | grep httpd > /dev/null -if [ $? -eq 0 ]; then - echo "httpd is running." -else - echo "httpd is not running. Starting httpd" - sudo service httpd start -fi - +sudo service httpd restart sudo service cobblerd restart sudo cobbler get-loaders -sudo cobbler check sudo cobbler sync +sudo service xinetd restart +sudo cobbler check + +echo "Checking if httpd is running" +sudo service httpd status +if [[ "$?" == "0" ]]; then + echo "httpd is running." +else + echo "httpd is not running" + exit 1 +fi echo "Checking if dhcpd is running" -sudo ps cax | grep dhcpd > /dev/null -if [ $? -eq 0 ]; then +sudo service dhcpd status +if [[ "$?" == "0" ]]; then echo "dhcpd is running." else - echo "dhcpd is not running. Starting httpd" - sudo service dhcpd start + echo "dhcpd is not running" + exit 1 fi echo "Checking if named is running" -ps cax | grep named > /dev/null -if [ $? -eq 0 ]; then +sudo service named status +if [[ "$?" == "0" ]]; then echo "named is running." else - echo "named is not running. Starting httpd" - sudo service named start + echo "named is not running" + exit 1 +fi + +echo "Checking if xinetd is running" +sudo service xinetd status +if [[ "$?" == "0" ]]; then + echo "xinetd is running." +else + echo "xinetd is not running" + exit 1 +fi + +echo "Checking if cobblerd is running" +if [[ "$?" 
== "0" ]]; then + echo "cobblerd is running." +else + echo "cobblerd is not running" + exit 1 fi # create repo sudo mkdir -p /var/lib/cobbler/repo_mirror/ppa_repo +found_ppa_repo=0 +for repo in $(cobbler repo list); do +if [ "$repo" == "ppa_repo" ]; then +found_ppa_repo=1 +fi +done + +if [ "$found_ppa_repo" == "0" ]; then sudo cobbler repo add --mirror=/var/lib/cobbler/repo_mirror/ppa_repo --name=ppa_repo --mirror-locally=Y +if [[ "$?" != "0" ]]; then + echo "failed to add ppa_repo" + exit 1 +else + echo "ppa_repo is added" +fi +else +echo "repo ppa_repo has already existed." +fi + # download packages cd /var/lib/cobbler/repo_mirror/ppa_repo/ -sudo curl http://opscode-omnibus-packages.s3.amazonaws.com/el/6/x86_64/chef-11.8.0-1.el6.x86_64.rpm > chef-11.8.0-1.el6.x86_64.rpm +sudo wget -c --progress=bar:force -O chef-11.8.0-1.el6.${IMAGE_ARCH}.rpm http://opscode-omnibus-packages.s3.amazonaws.com/el/${IMAGE_VERSION_MAJOR}/${IMAGE_ARCH}/chef-11.8.0-1.el6.${IMAGE_ARCH}.rpm -sudo curl ftp://ftp.muug.mb.ca/mirror/centos/6.5/os/x86_64/Packages/ntp-4.2.6p5-1.el6.centos.x86_64.rpm > ntp-4.2.6p5-1.el6.centos.x86_64.rpm +sudo wget -c --progress=bar:force -O ntp-4.2.6p5-1.el6.${IMAGE_TYPE}.$IMAGE_ARCH.rpm ftp://rpmfind.net/linux/${IMAGE_TYPE,,}/${IMAGE_VERSION}/os/${IMAGE_ARCH}/Packages/ntp-4.2.6p5-1.el6.${IMAGE_TYPE,,}.${IMAGE_ARCH}.rpm -sudo curl http://vault.centos.org/6.4/os/Source/SPackages/openssh-5.3p1-84.1.el6.src.rpm > openssh-clients-5.3p1-84.1.el6.x86_64.rpm +sudo wget -c --progress=bar:force -O openssh-clients-5.3p1-94.1.el6.${IMAGE_ARCH}.rpm http://vault.${IMAGE_TYPE,,}.org/${IMAGE_VERSION}/os/Source/SPackages/openssh-5.3p1-94.el6.src.rpm -sudo curl ftp://ftp.muug.mb.ca/mirror/centos/6.5/os/x86_64/Packages/iproute-2.6.32-31.el6.x86_64.rpm > iproute-2.6.32-31.el6.x86_64.rpm +sudo wget -c --progress=bar:force -O iproute-2.6.32-31.el6.${IMAGE_ARCH}.rpm 
ftp://rpmfind.net/linux/${IMAGE_TYPE,,}/${IMAGE_VERSION_MAJOR}/os/${IMAGE_ARCH}/Packages/iproute-2.6.32-31.el6.${IMAGE_ARCH}.rpm -sudo curl ftp://ftp.muug.mb.ca/mirror/centos/6.5/os/x86_64/Packages/wget-1.12-1.8.el6.x86_64.rpm > wget-1.12-1.8.el6.x86_64.rpm +sudo wget -c --progress=bar:force -O wget-1.12-1.8.el6.${IMAGE_ARCH}.rpm ftp://rpmfind.net/linux/${IMAGE_TYPE,,}/${IMAGE_VERSION_MAJOR}/os/${IMAGE_ARCH}/Packages/wget-1.12-1.8.el6.${IMAGE_ARCH}.rpm -sudo curl ftp://ftp.muug.mb.ca/mirror/centos/6.5/os/x86_64/Packages/ntpdate-4.2.6p5-1.el6.centos.x86_64.rpm > ntpdate-4.2.6p5-1.el6.centos.x86_64.rpm +sudo wget -c --progress=bar:force -O ntpdate-4.2.6p5-1.el6.${IMAGE_TYPE}.${IMAGE_ARCH}.rpm ftp://rpmfind.net/linux/${IMAGE_TYPE,,}/${IMAGE_VERSION_MAJOR}/os/${IMAGE_ARCH}/Packages/ntpdate-4.2.6p5-1.el6.${IMAGE_TYPE,,}.${IMAGE_ARCH}.rpm cd .. sudo createrepo ppa_repo +if [[ "$?" != "0" ]]; then + echo "failed to createrepo ppa_repo" + exit 1 +else + echo "ppa_repo is created" +fi + sudo cobbler reposync # import cobbler distro -##export ipaddr=$(ifconfig $NIC | grep 'inet addr:' | cut -d: -f2 | awk '{ print $1}') sudo mkdir -p /var/lib/cobbler/iso -sudo curl "$IMAGE_SOURCE" > /var/lib/cobbler/iso/$IMAGE_NAME.iso -sudo mkdir -p /mnt/$IMAGE_NAME -sudo mount -o loop /var/lib/cobbler/iso/$IMAGE_NAME.iso /mnt/$IMAGE_NAME -sudo cobbler import --path=/mnt/$IMAGE_NAME --name=$IMAGE_NAME --arch=x86_64 -# manually run distro add and profile add if cobbler import fails -sudo cobbler distro add --name="$IMAGE_NAME" --kernel="/var/www/cobbler/ks_mirror/$IMAGE_NAME-x86_64/isolinux/vmlinuz" --initrd="/var/www/cobbler/ks_mirror/$IMAGE_NAME-x86_64/isolinux/initrd.img" --arch=x86_64 --breed=redhat -sudo cobbler profile add --name="$IMAGE_NAME" --repo=ppa_repo --distro=$IMAGE_NAME --ksmeta="tree=http://$ipaddr/cobbler/ks_mirror/$IMAGE_NAME-x86_64" --kickstart=/var/lib/cobbler/kickstarts/default.ks +sudo wget -c --progress=bar:force -O /var/lib/cobbler/iso/${IMAGE_NAME}-${IMAGE_ARCH}.iso 
"$IMAGE_SOURCE" +if [[ "$?" != "0" ]]; then + echo "failed to download images $IMAGE_SOURCE" + exit 1 +else + echo "$IMAGE_SOURCE is downloaded" +fi + +sudo mkdir -p /mnt/${IMAGE_NAME}-${IMAGE_ARCH} +if [ $(mount | grep -c "/mnt/${IMAGE_NAME}-${IMAGE_ARCH} ") -eq 0 ]; then +sudo mount -o loop /var/lib/cobbler/iso/${IMAGE_NAME}-${IMAGE_ARCH}.iso /mnt/${IMAGE_NAME}-${IMAGE_ARCH} +if [[ "$?" != "0" ]]; then + echo "failed to mount image /mnt/${IMAGE_NAME}-${IMAGE_ARCH}" + exit 1 +else + echo "/mnt/${IMAGE_NAME}-${IMAGE_ARCH} is mounted" +fi +else +echo "/mnt/${IMAGE_NAME}-${IMAGE_ARCH} has already mounted" +fi + +# add distro +found_distro=0 +for distro in $(cobbler distro list); do +if [ "$distro" == "${IMAGE_NAME}-${IMAGE_ARCH}" ]; then +found_distro=1 +fi +done + +if [ "$found_distro" == "0" ]; then +sudo cobbler import --path=/mnt/${IMAGE_NAME}-${IMAGE_ARCH} --name=${IMAGE_NAME} --arch=${IMAGE_ARCH} --kickstart=/var/lib/cobbler/kickstarts/default.ks --breed=redhat +if [[ "$?" != "0" ]]; then + echo "failed to import /mnt/${IMAGE_NAME}-${IMAGE_ARCH}" + exit 1 +else + echo "/mnt/${IMAGE_NAME}-${IMAGE_ARCH} is imported" +fi +else +echo "distro $IMAGE_NAME has already existed" +fi + +# add profile +found_profile=0 +for profile in $(cobbler profile list); do +if [ "$profile" == "${IMAGE_NAME}-${IMAGE_ARCH}" ]; then +found_profile=1 +fi +done + +if [ "$found_profile" == "0" ]; then +sudo cobbler profile add --name="${IMAGE_NAME}-${IMAGE_ARCH}" --repo=ppa_repo --distro="${IMAGE_NAME}-${IMAGE_ARCH}" --ksmeta="tree=http://$ipaddr/cobbler/ks_mirror/${IMAGE_NAME}-${IMAGE_ARCH}" --kickstart=/var/lib/cobbler/kickstarts/default.ks +if [[ "$?" != "0" ]]; then + echo "failed to add profile ${IMAGE_NAME}-${IMAGE_ARCH}" + exit 1 +else + echo "profile ${IMAGE_NAME}-${IMAGE_ARCH} is added" +fi +else +echo "profile $IMAGE_NAME has already existed." +sudo cobbler profile edit --name="${IMAGE_NAME}-${IMAGE_ARCH}" --repo=ppa_repo +if [[ "$?" 
!= "0" ]]; then + echo "failed to edit profile ${IMAGE_NAME}-${IMAGE_ARCH}" + exit 1 +else + echo "profile ${IMAGE_NAME}-${IMAGE_ARCH} is updated" +fi +fi echo "Cobbler configuration complete!" diff --git a/install/compass.sh b/install/compass.sh index 132f49da..d5b9f6c7 100755 --- a/install/compass.sh +++ b/install/compass.sh 
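Review bot: `export cobbler_passwd=$(openssl passwd -1 -salt 'huawei' '123456')` bakes the root password `123456` (with a fixed salt, so the hash is identical on every install) into `default_password_crypted`, which lands in the world-readable `/etc/cobbler/settings` and, presumably via the kickstart template, on every node cobbler provisions; read it from a required variable instead, e.g. `export cobbler_passwd=$(openssl passwd -1 "${COBBLER_ROOT_PASSWD:?must be set}")`, letting openssl pick a random salt. `chmod 777 /var/lib/cobbler/snippets`, `chmod 666 /var/lib/cobbler/snippets/*` and `chmod 666 /var/lib/cobbler/kickstarts/default.ks` let any local user rewrite the snippets and kickstart that run as root on every provisioned node (and install/compass.sh in this same diff later copies `chef-validator.pem` into that directory); `sudo chmod 755 /var/lib/cobbler/snippets` and `sudo chmod 644 /var/lib/cobbler/snippets/*` are sufficient for cobblerd, which runs as root. The "Checking if cobblerd is running" block tests `$?` of the preceding `echo`, never `service cobblerd status`, so it can only ever report running; add `sudo service cobblerd status` before that `if`. Stopping iptables (and aborting the install if it is still up) together with `SELINUX=disabled` carry over from the old script and deserve at least a comment stating that the provisioning host is assumed to sit on an isolated management network. The start of this hunk, and the end of the preceding chef.sh hunk, are lost in the page extraction.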
@@ -1,116 +1,4 @@ #!/bin/bash -SCRIPT_DIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd ) -echo "script dir: $SCRIPT_DIR" -COMPASSDIR=${SCRIPT_DIR}/.. -echo "compass dir is $COMPASSDIR" -copygit2dir() -{ - destdir=$1 - repo=$2 - if [ -d $destdir ];then - echo "$destdir exists" - cd $destdir - git remote set-url origin $repo - git remote update - git reset --hard - git clean -x -f - git checkout master - git reset --hard remotes/origin/master - if [[ -n "$GERRIT_REFSPEC" ]];then - git fetch origin $GERRIT_REFSPEC && git checkout FETCH_HEAD - fi - git clean -x -f - else - mkdir -p $destdir - git clone $repo $destdir - if [[ -n "$GERRIT_REFSPEC" ]];then - # project=$(echo $repo|rev|cut -d '/' -f 1|rev) - cd $destdir - git fetch $repo $GERRIT_REFSPEC && git checkout FETCH_HEAD - fi - fi - cd $SCRIPT_DIR -} -copylocal2dir() -{ - destdir=$1 - repo=$2 - if [ -d $destdir ];then - echo "$destdir exists" - else - mkdir -p $destdir - fi - sudo \cp -rf $repo/* $destdir -} -cd $SCRIPT_DIR -#export ipaddr=$(ifconfig $NIC | grep 'inet addr:' | cut -d: -f2 | awk '{ print $1}') - -##SUBNET=${SUBNET:-$(ip address| grep "global $NIC" |cut -f 6 -d ' ')} -WEB_HOME=${WEB_HOME:-'/tmp/web/'} -ADAPTER_HOME=${ADAPTER_HOME:-'/tmp/adapter/'} -##WEB_SOURCE=${WEB_SOURCE:-'https://github.com/stackforge/compass-web'} -WEB_SOURCE=${WEB_SOURCE:-$REPO_URL'/stackforge/compass-web'} -# ADAPTER_SOURCE=${ADAPTER_SOURCE:-'https://github.com/stackforge/compass-adapters'} -ADAPTER_SOURCE=${ADAPTER_SOURCE:-$REPO_URL'/stackforge/compass-adapters'} -if [ "$source" != "local" ]; then - copygit2dir $WEB_HOME $WEB_SOURCE - copygit2dir $ADAPTER_HOME $ADAPTER_SOURCE -else - copylocal2dir $WEB_HOME $WEB_SOURCE - copylocal2dir $ADAPTER_HOME $ADAPTER_SOURCE -fi - -# download dependences -wget -N http://github.com/downloads/bitovi/javascriptmvc/$JS_MVC.zip -sudo yum install -y unzip -sudo unzip -o $JS_MVC -sudo \cp -rf $JS_MVC/. 
$WEB_HOME/public/ - -# update squid conf -sudo rm /etc/squid/squid.conf -sudo cp $COMPASSDIR/misc/squid/squid.conf /etc/squid/ -sudo sed -i "/acl localnet src 10.0.0.0/i\acl localnet src $SUBNET" /etc/squid/squid.conf -sudo chmod 644 /etc/squid/squid.conf -sudo mkdir -p /var/squid/cache -sudo chown -R squid:squid /var/squid -sudo service squid restart - -# update /etc/resolv.conf -echo "DNS1=$ipaddr" >> /etc/sysconfig/network-scripts/ifcfg-$NIC -echo "DOMAIN=ods.com" >> /etc/sysconfig/network-scripts/ifcfg-$NIC -service network restart - -# Install net-snmp -sudo yum install -y net-snmp-utils net-snmp net-snmp-python -if [ ! -d "/usr/local/share/snmp/" ]; then - sudo mkdir /usr/local/share/snmp/ -fi -sudo cp -rf $COMPASSDIR/mibs /usr/local/share/snmp/ -sudo cat >> /etc/snmp/snmp.conf < /etc/profile.d/celery_env.sh sudo chmod +x /etc/profile.d/celery_env.sh -sudo service httpd restart - cd $COMPASSDIR sudo python setup.py install +if [[ "$?" != "0" ]]; then + echo "failed to install compass package" + exit 1 +else + echo "compass package is installed" +fi + sudo sed -i "/COBBLER_INSTALLER_URL/c\COBBLER_INSTALLER_URL = 'http:\/\/$ipaddr/cobbler_api'" /etc/compass/setting sudo sed -i "/CHEF_INSTALLER_URL/c\CHEF_INSTALLER_URL = 'https:\/\/$ipaddr/'" /etc/compass/setting -sudo sh /opt/compass/bin/refresh.sh --init -figlet -ctf slant Installation Complete! + +# add cookbooks, databags and roles +sudo /opt/compass/bin/addcookbooks.py --cookbooks_dir=$ADAPTER_HOME/chef/cookbooks +sudo /opt/compass/bin/adddatabags.py --databags_dir=$ADAPTER_HOME/chef/databags +sudo /opt/compass/bin/addroles.py --roles_dir=$ADAPTER_HOME/chef/roles + +# copy the chef validatation keys to cobbler snippets +sudo cp -rf /etc/chef-server/chef-validator.pem /var/lib/cobbler/snippets/chef-validator.pem + +sudo sh /opt/compass/bin/refresh.sh + +sudo service httpd status +if [[ "$?" 
!= "0" ]]; then + echo "httpd is not started" + exit 1 +else + echo "httpd has already started" +fi + +sudo service compassd status +if [[ "$?" != "0" ]]; then + echo "compassd is not started" + exit 1 +else + echo "compassd has already started" +fi diff --git a/install/dependency.sh b/install/dependency.sh index b0c3df3f..5ee8cc32 100755 --- a/install/dependency.sh +++ b/install/dependency.sh @@ -2,10 +2,23 @@ echo 'Installing Required packages for Compass...' -sudo yum install -y rsyslog ntp iproute openssh-clients python git wget python-setuptools python-netaddr python-flask python-flask-sqlalchemy python-amqplib amqp python-paramiko python-mock mod_wsgi httpd squid dhcp bind rsync yum-utils xinetd tftp-server gcc net-snmp-utils net-snmp python-daemon +sudo yum install -y rsyslog logrotate ntp iproute openssh-clients python git wget python-setuptools python-netaddr python-flask python-flask-sqlalchemy python-amqplib amqp python-paramiko python-mock mod_wsgi httpd squid dhcp bind rsync yum-utils xinetd tftp-server gcc net-snmp-utils net-snmp net-snmp-python python-daemon unzip openssl openssl098e +if [[ "$?" != "0" ]]; then + echo "failed to install yum dependency" + exit 1 +fi sudo easy_install pip==1.2.1 +if [[ "$?" != "0" ]]; then + echo "failed to install easy install" + exit 1 +fi + sudo pip install flask-script flask-restful Celery six discover unittest2 pychef requests +if [[ "$?" != "0" ]]; then + echo "failed to install pip packages" + exit 1 +fi sudo chkconfig httpd on sudo chkconfig squid on diff --git a/install/install.conf b/install/install.conf index 1465a9ea..754b2577 100755 --- a/install/install.conf +++ b/install/install.conf 
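Review bot: `sudo cp -rf /etc/chef-server/chef-validator.pem /var/lib/cobbler/snippets/chef-validator.pem` places the Chef validator private key — which lets its holder register arbitrary clients with the chef server — in a directory that install/cobbler.sh in this diff makes world-writable (`chmod 777`/`666`) and whose contents cobbler presumably renders into kickstarts served without authentication on the PXE subnet. If shipping the key to nodes at first boot is the intended bootstrap path, keep the copy root-only (`sudo chmod 600 /var/lib/cobbler/snippets/chef-validator.pem`; cobblerd runs as root, confirm nothing else needs it), add a comment stating that any host on the provisioning network can obtain it, and plan to regenerate it (e.g. `knife client reregister chef-validator`) once the cluster is converged. The three `addcookbooks.py`/`adddatabags.py`/`addroles.py` calls are the only steps in this hunk whose exit status is not checked, and those scripts themselves discard knife's exit code, so a broken cookbook upload goes unnoticed until the first node converges. The start of this hunk is not visible in the page.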
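Review bot: `sudo easy_install pip==1.2.1` pins a pip release that, to my recollection, predates HTTPS certificate verification (added in pip 1.3), and the following `sudo pip install flask-script flask-restful Celery six discover unittest2 pychef requests` takes whatever the index serves with no version pins, so the Compass host's Python stack is fetched unauthenticated and unreproducibly. Pin each package to a tested version (or install from a requirements file under `$COMPASSDIR`) and either move to a pip that verifies TLS or point `--index-url` at a trusted internal mirror, matching the trust the script already places in yum's signed RPMs. The new exit-status checks are an improvement, though `if ! sudo pip install …; then` reads more clearly than testing `$?` on the following line.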
@@ -3,53 +3,54 @@ ##################################### # OS_INSTALLER indicates the tool for OS provisioning, default is 'cobbler'. -export OS_INSTALLER=cobbler +export OS_INSTALLER=${OS_INSTALLER:-cobbler} # PACKAGE_INSTALLER indicates the tool for Package provisioning, default is 'chef'. -export PACKAGE_INSTALLER=chef +export PACKAGE_INSTALLER=${PACKAGE_INSTALLER:-chef} # service NIC -export NIC= +export NIC=${NIC:-} # DHCP config # SUBNET variable specifies the subnet for DHCP server. Example: 192.168.0.0/16 -export SUBNET= +export SUBNET=${SUBNET:-} # DHCP option router address(Default is your management interface IP address )" -export OPTION_ROUTER= +export OPTION_ROUTER=${OPTION_ROUTER:-} # The IP range for DHCP clients (Default: local subnet start from 100 to 254) -IP_RANGE= +export IP_RANGE=${IP_RANGE:-} # TFTP server's IP address(Default: Management Interface/eth0 IP) -export NEXTSERVER= +export NEXTSERVER=${NEXTSERVER:-} # the domains covered by nameserver -export NAMESERVER_DOMAINS= +export NAMESERVER_DOMAINS=${NAMESERVER_DOMAINS:-} -export REPO_URL="https://github.com" +export REPO_URL=${REPO_URL:-"https://github.com"} # set the default cobbler user "cobbler" password, if not set, the default will be cobbler/cobbler -CBLR_USER= -CBLR_PASSWD= +export CBLR_USER=${CBLR_USER:-} +export CBLR_PASSWD=${CBLR_PASSWD:-} -# IMAGE_SOURCE is where you host your CentOS image -#export IMAGE_SOURCE=http://12.234.32.58/software/OS/centos/centos6.4/CentOS-6.4-x86_64-minimal.iso -export IMAGE_SOURCE=http://mirror.rackspace.com/CentOS/6/isos/x86_64/CentOS-6.5-x86_64-minimal.iso -IMAGE_NAME=$(echo $IMAGE_SOURCE |rev|cut -d '/' -f1|rev) -export IMAGE_NAME=${IMAGE_NAME/.iso/''} -export COBBLER_PASSWORD=cobbler +export IMAGE_TYPE=${IMAGE_TYPE:-"CentOS"} +export IMAGE_VERSION_MAJOR=${IMAGE_VERSION_MAJOR:-"6"} +export IMAGE_VERSION_MINOR=${IMAGE_VERSION_MINOR:-"5"} +export IMAGE_VERSION=${IMAGE_VERSION:-"${IMAGE_VERSION_MAJOR}.${IMAGE_VERSION_MINOR}"} +export 
IMAGE_NAME=${IMAGE_NAME:-"${IMAGE_TYPE}-${IMAGE_VERSION}"} +export IMAGE_ARCH=${IMAGE_ARCH:-"x86_64"} +export IMAGE_SOURCE=${IMAGE_SOURCE:-"http://mirror.rackspace.com/${IMAGE_TYPE}/${IMAGE_VERSION_MAJOR}/isos/${IMAGE_ARCH}/${IMAGE_TYPE}-${IMAGE_VERSION}-${IMAGE_ARCH}-minimal.iso"} +export COBBLER_PASSWORD=${COBBLER_PASSWORD:-"cobbler"} # Currently the use of Javascript MVC is set to version 3.2.4 -export JS_MVC=javascriptmvc-3.2.4 +export JS_MVC=${JS_MVC:-"javascriptmvc-3.2.4"} # set the chef packages download path -export CHEF_SRV=http://opscode-omnibus-packages.s3.amazonaws.com/el/6/x86_64/chef-server-11.0.8-1.el6.x86_64.rpm +export CHEF_SRV=${CHEF_SRV:-"http://opscode-omnibus-packages.s3.amazonaws.com/el/${IMAGE_VERSION_MAJOR}/${IMAGE_ARCH}/chef-server-11.0.8-1.el6.${IMAGE_ARCH}.rpm"} # Set Chef password for Chef web UI -export CHEF_PASSWD=root1234 +export CHEF_PASSWD=${CHEF_PASSWD:-"root1234"} # Set Compass-web and Compass-adpater variables -WEB_HOME= -ADAPTER_HOME= - -if [[ -n $source ]] && [ $source = "local" ];then - export WEB_SOURCE=${DIR}/../web - export ADAPTER_SOURCE=${DIR}/../misc -fi +export WEB_HOME=${WEB_HOME:='/tmp/web'} +export ADAPTER_HOME=${ADAPTER_HOME:-'/tmp/adapter'} +export WEB_SOURCE=${WEB_SOURCE:-} +export ADAPTER_SOURCE=${ADAPTER_SOURCE:-} +export SCRIPT_DIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd ) +export COMPASSDIR=${SCRIPT_DIR}/.. diff --git a/install/install.sh b/install/install.sh index 06c416af..f18cb638 100755 --- a/install/install.sh +++ b/install/install.sh 
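Review bot: `CHEF_PASSWD=${CHEF_PASSWD:-"root1234"}` and `COBBLER_PASSWORD=${COBBLER_PASSWORD:-"cobbler"}` export well-known credentials whenever the operator does not override them, so a host that hands out OS images and chef roles comes up with default passwords on both the chef web UI and cobbler; refuse to proceed with defaults (`: "${CHEF_PASSWD:?CHEF_PASSWD must be set}"`) or generate one, e.g. `CHEF_PASSWD=${CHEF_PASSWD:-$(openssl rand -base64 18)}` printed once to the operator — openssl is added to dependency.sh in this commit. `IMAGE_SOURCE` and `CHEF_SRV` default to plain-http URLs with no accompanying checksum, and what they fetch is installed with root privileges later; pair each with a pinned SHA-256 variable that the installer verifies before use. `WEB_HOME=${WEB_HOME:='/tmp/web'}` uses `:=` where every other line uses `:-` — identical result here, but presumably a typo. The `/tmp/web` and `/tmp/adapter` defaults also place the checkouts at predictable names in a world-writable directory, and prepare.sh reuses whatever it finds there.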
@@ -29,7 +29,14 @@ DIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd ) echo 0 > /selinux/enforce ### Add epel repo +sudo rpm -q epel-release-6-8 +if [ "$?" != "0" ]; then sudo rpm -Uvh http://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm >& /dev/null +if [ "$?" != "0" ]; then + echo "failed to install epel" + exit 1 +fi +fi sed -i 's/^mirrorlist=https/mirrorlist=http/g' /etc/yum.repos.d/epel.repo ### Trap any error code with related filename and line. @@ -39,7 +46,9 @@ errtrap() echo "[FILE: "$(basename $FILE)", LINE: $1] Error: Command or function exited with status $2" } +if [[ "$-" == *x* ]]; then trap 'errtrap $LINENO $?' ERR +fi # Install figlet sudo yum -y install figlet >& /dev/null @@ -56,15 +65,13 @@ done # Load variables source $DIR/install.conf -echo $WEB_SOURCE -echo $ADAPTER_SOURCE loadvars() { varname=${1,,} eval var=\$$(echo $1) if [[ -z $var ]]; then - echo -e "\x1b[32mPlease enter the DHCP $varname (Example: $2):\x1b[37m" + echo -e "\x1b[32mPlease enter the $varname (Example: $2):\x1b[37m" while read input do if [ "$input" == "" ]; then @@ -72,14 +79,11 @@ loadvars() export $(echo $1)="$2" break else - if [[ ( "$input" != *.* ) && ( "$1" != "NIC" ) ]]; then - echo "I really expect IP addresses" - exit - elif [ "$1" == "NIC" ]; then + if [ "$1" == "NIC" ]; then sudo ip addr |grep $input >& /dev/null if [ $? -ne 0 ]; then echo "There is not any IP address assigned to the NIC '$input' yet, please assign an IP address first." - exit + exit 1 fi fi echo "You have entered $input" 
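Review bot: `sudo rpm -Uvh http://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm >& /dev/null` fetches the bootstrap package over plain HTTP and installs it before the EPEL signing key exists on the host, so rpm only emits a NOKEY warning rather than refusing — and the redirect to /dev/null hides that warning along with the reason when the new `"$?" != "0"` check fires. Import the EPEL-6 key with `rpm --import` first, switch the URL to https, and keep stderr so the `failed to install epel` message is actionable. The unchanged `sed -i 's/^mirrorlist=https/mirrorlist=http/g'` on the following line then downgrades every later EPEL fetch to http as well, which deserves the same treatment.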
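Review bot: Deleting the `"$input" != *.*` branch in loadvars removes the only validation on interactively entered SUBNET, OPTION_ROUTER, IP_RANGE and NEXTSERVER values, which are later interpolated unquoted into `sed` expressions and service configuration (squid's `acl localnet src`, the DHCP settings), so a mistyped value now surfaces as a broken config or a service that fails its status check instead of a re-prompt. Replace the check with one that fits the variable rather than dropping it, e.g. `[[ "$input" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$ ]] || { echo "expected an IPv4 address or CIDR"; continue; }` for the address variables. The NIC branch's `grep $input` should be `grep -w "$input"` so an empty or partial name cannot match unrelated output. loadvars begins in the hunk above and continues past the end of this one.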
@@ -100,17 +104,31 @@ loadvars OPTION_ROUTER $(route -n | grep '^0.0.0.0' | xargs | cut -d ' ' -f 2) loadvars IP_RANGE "$range" loadvars NEXTSERVER $ipaddr loadvars NAMESERVER_DOMAINS "ods.com" +if [[ -n $source ]] && [ $source = "local" ];then +loadvars WEB_SOURCE ${COMPASSDIR}/../web +loadvars ADAPTER_SOURCE ${COMPASSDIR}/../misc +else +loadvars WEB_SOURCE $REPO_URL'/stackforge/compass-web' +loadvars ADAPTER_SOURCE $REPO_URL'/stackforge/compass-adapters' +fi + +echo "script dir: $SCRIPT_DIR" +echo "compass dir is $COMPASSDIR" echo "Install the Dependencies" -source $DIR/dependency.sh +source ${COMPASSDIR}/install/dependency.sh + +echo "Prepare the Installation" +source ${COMPASSDIR}/install/prepare.sh echo "Install the OS Installer Tool" -source $DIR/$OS_INSTALLER.sh +source ${COMPASSDIR}/install/$OS_INSTALLER.sh echo "Install the Package Installer Tool" -source $DIR/$PACKAGE_INSTALLER.sh +source ${COMPASSDIR}/install/$PACKAGE_INSTALLER.sh echo "Download and Setup Compass and related services" -source $DIR/compass.sh +source ${COMPASSDIR}/install/compass.sh +figlet -ctf slant Installation Complete! echo -e "It takes\x1b[32m $SECONDS \x1b[0mseconds during the installation." diff --git a/install/prepare.sh b/install/prepare.sh new file mode 100755 index 00000000..f43b222e --- /dev/null +++ b/install/prepare.sh 
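Review bot: `source ${COMPASSDIR}/install/$OS_INSTALLER.sh` and the PACKAGE_INSTALLER line below it build the path from variables that install.conf now lets the environment override, with no check that the value names a shipped installer, so `OS_INSTALLER=../foo` makes a root-privileged script source an arbitrary file — low risk since the caller already runs as root, but a whitelist also turns a typo into a clear error instead of a `No such file` from `source`. Add `case "$OS_INSTALLER" in cobbler) ;; *) echo "unsupported OS_INSTALLER: $OS_INSTALLER"; exit 1;; esac` (and the equivalent for PACKAGE_INSTALLER/chef) before the source lines. I see no `set -e` in the visible portion and the ERR trap is now armed only under `-x`, so a failure inside a sourced script that lacks its own `$?` check falls through to `figlet -ctf slant Installation Complete!`.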
@@ -0,0 +1,140 @@ +#!/bin/bash +# +copygit2dir() +{ + repo=$1 + destdir=$2 + if [ -d $destdir ];then + echo "$destdir exists" + cd $destdir + git remote set-url origin $repo + git remote update + git reset --hard + git clean -x -f + git checkout master + git reset --hard remotes/origin/master + if [[ -n "$GERRIT_REFSPEC" ]];then + git fetch origin $GERRIT_REFSPEC && git checkout FETCH_HEAD + fi + git clean -x -f + else + echo "create $destdir" + mkdir -p $destdir + git clone $repo $destdir + if [[ -n "$GERRIT_REFSPEC" ]];then + # project=$(echo $repo|rev|cut -d '/' -f 1|rev) + cd $destdir + git fetch $repo $GERRIT_REFSPEC && git checkout FETCH_HEAD + fi + fi + cd $SCRIPT_DIR +} + +copylocal2dir() +{ + repo=$1 + destdir=$2 + if [ -d $destdir ];then + echo "$destdir exists" + else + mkdir -p $destdir + fi + sudo cp -rf $repo/* $destdir +} + +cd $SCRIPT_DIR +if [ "$source" != "local" ]; then + copygit2dir $WEB_SOURCE $WEB_HOME + copygit2dir $ADAPTER_SOURCE $ADAPTER_HOME +else + copylocal2dir $WEB_SOURCE $WEB_HOME + copylocal2dir $ADAPTER_SOURCE $ADAPTER_HOME +fi + +# install js mvc package +wget -c --progress=bar:force -O /tmp/$JS_MVC.zip http://github.com/downloads/bitovi/javascriptmvc/$JS_MVC.zip +if [[ "$?" != "0" ]]; then +echo "failed to download $JS_MVC" +exit 1 +else +echo "successfully download $JS_MVC" +fi + +if [ -d /tmp/$JS_MVC ]; then +echo "/tmp/$JS_MVC is already unzipped" +else +sudo unzip -o /tmp/$JS_MVC.zip -d /tmp/ +fi +sudo cp -rf /tmp/$JS_MVC/. 
$WEB_HOME/public/ + +# Create backup dir +sudo mkdir -p /root/backup + +# update /etc/hosts +sudo cp -rn /etc/hosts /root/backup/hosts +sudo rm -f /etc/hosts +sudo cp -rf $COMPASSDIR/misc/hosts /etc/hosts +sudo sed -i "s/\$ipaddr \$hostname/$ipaddr $HOSTNAME/g" /etc/hosts +sudo chmod 644 /etc/hosts + +# update rsyslog +sudo cp -rn /etc/rsyslog.conf /root/backup/ +sudo rm -f /etc/rsyslog.conf +sudo cp -rf $COMPASSDIR/misc/rsyslog/rsyslog.conf /etc/rsyslog.conf +sudo chmod 644 /etc/rsyslog.conf +sudo service rsyslog restart +sudo service rsyslog status +if [[ "$?" != "0" ]]; then + echo "rsyslog is not started" + exit 1 +else + echo "rsyslog conf is updated" +fi + +# update logrotate.d +sudo cp -rn /etc/logrotate.d /root/backup/ +rm -f /etc/logrotate.d/* +sudo cp -rf $COMPASSDIR/misc/logrotate.d/* /etc/logrotate.d/ +sudo chmod 644 /etc/logrotate.d/* + +# update ntp conf +sudo cp -rn /etc/ntp.conf /root/backup/ +sudo rm -f /etc/ntp.conf +sudo cp -rf $COMPASSDIR/misc/ntp/ntp.conf /etc/ntp.conf +sudo chmod 644 /etc/ntp.conf +sudo service ntpd stop +sudo ntpdate 0.centos.pool.ntp.org +sudo service ntpd start +sudo service ntpd status +if [[ "$?" != "0" ]]; then + echo "ntp is not started" + exit 1 +else + echo "ntp conf is updated" +fi + +# update squid conf +sudo cp -rn /etc/squid/squid.conf /root/backup/ +sudo rm -f /etc/squid/squid.conf +sudo cp $COMPASSDIR/misc/squid/squid.conf /etc/squid/ +subnet_escaped=$(echo $SUBNET | sed -e 's/[\/&]/\\&/g') +sudo sed -i "s/acl localnet src \$subnet/acl localnet src $subnet_escaped/g" /etc/squid/squid.conf +sudo chmod 644 /etc/squid/squid.conf +sudo mkdir -p /var/squid/cache +sudo chown -R squid:squid /var/squid +sudo service squid restart +sudo service squid status +if [[ "$?" 
!= "0" ]]; then + echo "squid is not started" + exit 1 +else + echo "squid conf is updated" +fi + +# Install net-snmp +sudo cp -rn /etc/snmp/snmp.conf /root/backup/ +sudo mkdir -p /usr/local/share/snmp/ +sudo cp -rf $COMPASSDIR/mibs /usr/local/share/snmp/ +sudo rm -f /etc/snmp/snmp.conf +sudo cp -rf $COMPASSDIR/misc/snmp/snmp.conf /etc/snmp/snmp.conf +sudo chmod 644 /etc/snmp/snmp.conf diff --git a/misc/apache/cobbler_web.conf b/misc/apache/cobbler_web.conf new file mode 100644 index 00000000..f03d4fe8 --- /dev/null +++ b/misc/apache/cobbler_web.conf @@ -0,0 +1,10 @@ +# This configuration file enables the cobbler web +# interface (django version) + +# Force everything to go to https +RewriteEngine on +RewriteCond %{HTTPS} off +RewriteCond %{REQUEST_URI} ^/cobbler_web +# RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} + +WSGIScriptAlias /cobbler_web /usr/share/cobbler/web/cobbler.wsgi diff --git a/misc/apache/ssl.conf b/misc/apache/ssl.conf new file mode 100644 index 00000000..8de611e2 --- /dev/null +++ b/misc/apache/ssl.conf 
@@ -0,0 +1,222 @@ +# +# This is the Apache server configuration file providing SSL support. +# It contains the configuration directives to instruct the server how to +# serve pages over an https connection. For detailing information about these +# directives see +# +# Do NOT simply read the instructions in here without understanding +# what they do. They're here only as hints or reminders. If you are unsure +# consult the online docs. You have been warned. +# + +LoadModule ssl_module modules/mod_ssl.so + +# +# When we also provide SSL we have to listen to the +# the HTTPS port in addition. +# +Listen 445 + +## +## SSL Global Context +## +## All SSL configuration in this context applies both to +## the main server and all SSL-enabled virtual hosts. +## + +# Pass Phrase Dialog: +# Configure the pass phrase gathering process. +# The filtering dialog program (`builtin' is a internal +# terminal dialog) has to provide the pass phrase on stdout. +SSLPassPhraseDialog builtin + +# Inter-Process Session Cache: +# Configure the SSL Session Cache: First the mechanism +# to use and second the expiring timeout (in seconds). +SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000) +SSLSessionCacheTimeout 300 + +# Semaphore: +# Configure the path to the mutual exclusion semaphore the +# SSL engine uses internally for inter-process synchronization. +SSLMutex default + +# Pseudo Random Number Generator (PRNG): +# Configure one or more sources to seed the PRNG of the +# SSL library. The seed data should be of good random quality. +# WARNING! On some platforms /dev/random blocks if not enough entropy +# is available. This means you then cannot use the /dev/random device +# because it would lead to very long connection times (as long as +# it requires to make more entropy available). But usually those +# platforms additionally provide a /dev/urandom device which doesn't +# block. So, if available, use this one instead. Read the mod_ssl User +# Manual for more details. 
+SSLRandomSeed startup file:/dev/urandom 256 +SSLRandomSeed connect builtin +#SSLRandomSeed startup file:/dev/random 512 +#SSLRandomSeed connect file:/dev/random 512 +#SSLRandomSeed connect file:/dev/urandom 512 + +# +# Use "SSLCryptoDevice" to enable any supported hardware +# accelerators. Use "openssl engine -v" to list supported +# engine names. NOTE: If you enable an accelerator and the +# server does not start, consult the error logs and ensure +# your accelerator is functioning properly. +# +SSLCryptoDevice builtin +#SSLCryptoDevice ubsec + +## +## SSL Virtual Host Context +## + + + +# General setup for the virtual host, inherited from global configuration +#DocumentRoot "/var/www/html" +#ServerName www.example.com:443 + +# Use separate log files for the SSL virtual host; note that LogLevel +# is not inherited from httpd.conf. +ErrorLog logs/ssl_error_log +TransferLog logs/ssl_access_log +LogLevel warn + +# SSL Engine Switch: +# Enable/Disable SSL for this virtual host. +SSLEngine on + +# SSL Protocol support: +# List the enable protocol levels with which clients will be able to +# connect. Disable SSLv2 access by default: +SSLProtocol all -SSLv2 + +# SSL Cipher Suite: +# List the ciphers that the client is permitted to negotiate. +# See the mod_ssl documentation for a complete list. +SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW + +# Server Certificate: +# Point SSLCertificateFile at a PEM encoded certificate. If +# the certificate is encrypted, then you will be prompted for a +# pass phrase. Note that a kill -HUP will prompt again. A new +# certificate can be generated using the genkey(1) command. +SSLCertificateFile /etc/pki/tls/certs/localhost.crt + +# Server Private Key: +# If the key is not combined with the certificate, use this +# directive to point at the key file. Keep in mind that if +# you've both a RSA and a DSA private key you can configure +# both in parallel (to also allow the use of DSA ciphers, etc.) 
+SSLCertificateKeyFile /etc/pki/tls/private/localhost.key + +# Server Certificate Chain: +# Point SSLCertificateChainFile at a file containing the +# concatenation of PEM encoded CA certificates which form the +# certificate chain for the server certificate. Alternatively +# the referenced file can be the same as SSLCertificateFile +# when the CA certificates are directly appended to the server +# certificate for convinience. +#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt + +# Certificate Authority (CA): +# Set the CA certificate verification path where to find CA +# certificates for client authentication or alternatively one +# huge file containing all of them (file must be PEM encoded) +#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt + +# Client Authentication (Type): +# Client certificate verification type and depth. Types are +# none, optional, require and optional_no_ca. Depth is a +# number which specifies how deeply to verify the certificate +# issuer chain before deciding the certificate is not valid. +#SSLVerifyClient require +#SSLVerifyDepth 10 + +# Access Control: +# With SSLRequire you can do per-directory access control based +# on arbitrary complex boolean expressions containing server +# variable checks and other lookup directives. The syntax is a +# mixture between C and Perl. See the mod_ssl documentation +# for more details. +# +#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \ +# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \ +# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \ +# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \ +# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \ +# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/ +# + +# SSL Engine Options: +# Set various options for the SSL engine. +# o FakeBasicAuth: +# Translate the client X.509 into a Basic Authorisation. This means that +# the standard Auth/DBMAuth methods can be used for access control. 
The +# user name is the `one line' version of the client's X.509 certificate. +# Note that no password is obtained from the user. Every entry in the user +# file needs this password: `xxj31ZMTZzkVA'. +# o ExportCertData: +# This exports two additional environment variables: SSL_CLIENT_CERT and +# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the +# server (always existing) and the client (only existing when client +# authentication is used). This can be used to import the certificates +# into CGI scripts. +# o StdEnvVars: +# This exports the standard SSL/TLS related `SSL_*' environment variables. +# Per default this exportation is switched off for performance reasons, +# because the extraction step is an expensive operation and is usually +# useless for serving static content. So one usually enables the +# exportation for CGI and SSI requests only. +# o StrictRequire: +# This denies access when "SSLRequireSSL" or "SSLRequire" applied even +# under a "Satisfy any" situation, i.e. when it applies access is denied +# and no other module can change it. +# o OptRenegotiate: +# This enables optimized SSL connection renegotiation handling when SSL +# directives are used in per-directory context. +#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire + + SSLOptions +StdEnvVars + + + SSLOptions +StdEnvVars + + +# SSL Protocol Adjustments: +# The safe and default but still SSL/TLS standard compliant shutdown +# approach is that mod_ssl sends the close notify alert but doesn't wait for +# the close notify alert from client. When you need a different shutdown +# approach you can use one of the following variables: +# o ssl-unclean-shutdown: +# This forces an unclean shutdown when the connection is closed, i.e. no +# SSL close notify alert is send or allowed to received. This violates +# the SSL/TLS standard but is needed for some brain-dead browsers. 
Use +# this when you receive I/O errors because of the standard approach where +# mod_ssl sends the close notify alert. +# o ssl-accurate-shutdown: +# This forces an accurate shutdown when the connection is closed, i.e. a +# SSL close notify alert is send and mod_ssl waits for the close notify +# alert of the client. This is 100% SSL/TLS standard compliant, but in +# practice often causes hanging connections with brain-dead browsers. Use +# this only for browsers where you know that their SSL implementation +# works correctly. +# Notice: Most problems of broken clients are also related to the HTTP +# keep-alive facility, so you usually additionally want to disable +# keep-alive for those clients, too. Use variable "nokeepalive" for this. +# Similarly, one has to force some clients to use HTTP/1.0 to workaround +# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and +# "force-response-1.0" for this. +SetEnvIf User-Agent ".*MSIE.*" \ + nokeepalive ssl-unclean-shutdown \ + downgrade-1.0 force-response-1.0 + +# Per-Server Logging: +# The home of a custom SSL log file. Use this when you want a +# compact non-error SSL logfile on a virtual host basis. +CustomLog logs/ssl_request_log \ + "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" + + + diff --git a/misc/chef-server/chef-server.rb b/misc/chef-server/chef-server.rb new file mode 100644 index 00000000..f7956a6c --- /dev/null +++ b/misc/chef-server/chef-server.rb @@ -0,0 +1,4 @@ +nginx['non_ssl_port'] = 8080 +nginx['enable_non_ssl'] = true +nginx['ssl_port'] = 443 +nginx['url'] = "https://#{node['fqdn']}" diff --git a/misc/hosts b/misc/hosts new file mode 100644 index 00000000..8b39e259 --- /dev/null +++ b/misc/hosts @@ -0,0 +1,3 @@ +127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 +::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 +$ipaddr $hostname 
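Review bot: `SSLProtocol all -SSLv2` still permits SSLv3, and `SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW` admits LOW-strength suites and orders RC4 first, so the TLS endpoint for cobbler/compass accepts downgrades a client can be pushed into. Use `SSLProtocol all -SSLv2 -SSLv3`, `SSLCipherSuite HIGH:!aNULL:!MD5:!RC4` and add `SSLHonorCipherOrder on`. The vhost serves the stock self-signed `/etc/pki/tls/certs/localhost.crt` / `localhost.key`, so every client of this port must either pin that certificate or skip verification; a comment stating which is expected, or a hook to install an operator-provided pair, would help. `Listen 445` rather than 443 looks deliberate given nginx takes 443 in chef-server.rb, but a one-line comment saying so will stop the next reader from "fixing" it.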
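Review bot: `nginx['enable_non_ssl'] = true` with `nginx['non_ssl_port'] = 8080` opens a plaintext listener on the Chef server API, while compass.sh in this commit points `CHEF_INSTALLER_URL` at `https://$ipaddr/`, and nothing says which consumer needs the 8080 port. Chef API requests are signed but their bodies are not encrypted on that port, so data bag items uploaded by adddatabags.py and node attributes would be readable by anything on the provisioning subnet. If no client needs it, set `nginx['enable_non_ssl'] = false`; if one does, add a comment naming it and restrict 8080 in the host firewall to that peer.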
diff --git a/misc/logrotate.d/httpd b/misc/logrotate.d/httpd
new file mode 100644
index 00000000..794b9d78
--- /dev/null
+++ b/misc/logrotate.d/httpd
@@ -0,0 +1,9 @@
+/var/log/httpd/*log {
+ missingok
+ notifempty
+ sharedscripts
+ delaycompress
+ postrotate
+ /sbin/service httpd reload > /dev/null 2>/dev/null || true
+ endscript
+}
diff --git a/misc/logrotate.d/ntp b/misc/logrotate.d/ntp
new file mode 100644
index 00000000..6b290d5b
--- /dev/null
+++ b/misc/logrotate.d/ntp
@@ -0,0 +1,9 @@
+/var/log/ntp.log {
+ missingok
+ notifempty
+ sharedscripts
+ delaycompress
+ postrotate
+ /sbin/service ntpd reload > /dev/null 2>/dev/null || true
+ endscript
+}
diff --git a/misc/logrotate.d/squid b/misc/logrotate.d/squid
new file mode 100644
index 00000000..1191d234
--- /dev/null
+++ b/misc/logrotate.d/squid
@@ -0,0 +1,9 @@
+/var/log/squid/*log {
+ missingok
+ notifempty
+ sharedscripts
+ delaycompress
+ postrotate
+ /sbin/service squid reload > /dev/null 2>/dev/null || true
+ endscript
+}
diff --git a/misc/logrotate.d/syslog b/misc/logrotate.d/syslog
new file mode 100644
index 00000000..db907edb
--- /dev/null
+++ b/misc/logrotate.d/syslog
@@ -0,0 +1,13 @@
+/var/log/cron
+/var/log/maillog
+/var/log/messages
+/var/log/secure
+/var/log/spooler
+/var/log/dhcpd.log
+/var/log/tftpd.log
+{
+ sharedscripts
+ postrotate
+ /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
+ endscript
+}
diff --git a/misc/logrotate.d/yum b/misc/logrotate.d/yum
new file mode 100644
index 00000000..e587f968
--- /dev/null
+++ b/misc/logrotate.d/yum
@@ -0,0 +1,7 @@
+/var/log/yum.log {
+ missingok
+ notifempty
+ size 30k
+ yearly
+ create 0600 root root
+}
diff --git a/misc/ntp/ntp.conf b/misc/ntp/ntp.conf
new file mode 100644
index 00000000..e1572f3a
--- /dev/null
+++ b/misc/ntp/ntp.conf
@@ -0,0 +1,60 @@
+# For more information about this file, see the man pages
+# ntp.conf(5), ntp_acc(5), ntp_auth(5), ntp_clock(5), ntp_misc(5), ntp_mon(5).
+
+driftfile /var/lib/ntp/drift
+
+logfile /var/log/ntp.log
+
+# Permit time synchronization with our time source, but do not
+# permit the source to query or modify the service on this system.
+restrict default kod nomodify notrap nopeer noquery
+restrict -6 default kod nomodify notrap nopeer noquery
+
+# Permit all access over the loopback interface. This could
+# be tightened as well, but to do so would effect some of
+# the administrative functions.
+restrict 127.0.0.1
+restrict -6 ::1
+
+# Hosts on local network are less restricted.
+#restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
+
+# Use public servers from the pool.ntp.org project.
+# Please consider joining the pool (http://www.pool.ntp.org/join.html).
+server 0.centos.pool.ntp.org iburst
+server 1.centos.pool.ntp.org iburst
+server 2.centos.pool.ntp.org iburst
+server 3.centos.pool.ntp.org iburst
+
+#broadcast 192.168.1.255 autokey # broadcast server
+#broadcastclient # broadcast client
+#broadcast 224.0.1.1 autokey # multicast server
+#multicastclient 224.0.1.1 # multicast client
+#manycastserver 239.255.254.254 # manycast server
+#manycastclient 239.255.254.254 autokey # manycast client
+
+# Undisciplined Local Clock. This is a fake driver intended for backup
+# and when no outside source of synchronized time is available.
+server 127.127.1.0 # local clock
+#fudge 127.127.1.0 stratum 10
+
+# Enable public key cryptography.
+#crypto
+
+includefile /etc/ntp/crypto/pw
+
+# Key file containing the keys and key identifiers used when operating
+# with symmetric key cryptography.
+keys /etc/ntp/keys
+
+# Specify the key identifiers which are trusted.
+#trustedkey 4 8 42
+
+# Specify the key identifier to use with the ntpdc utility.
+#requestkey 8
+
+# Specify the key identifier to use with the ntpq utility.
+#controlkey 8
+
+# Enable writing of statistics records.
+#statistics clockstats cryptostats loopstats peerstats
diff --git a/misc/rsyslog/rsyslog.conf b/misc/rsyslog/rsyslog.conf
new file mode 100644
index 00000000..e2ddd9f7
--- /dev/null
+++ b/misc/rsyslog/rsyslog.conf
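Review bot: `server 127.127.1.0 # local clock` enables the undisciplined local clock driver while the `#fudge 127.127.1.0 stratum 10` line right below it stays commented, so the local clock runs at the driver's default stratum (5, I believe); when the pool servers are unreachable this host keeps answering the provisioned nodes with its own free-running time at a stratum that looks authoritative, and the `kod nomodify ...` default restriction does not prevent clients from taking it. Uncomment the fudge line, or replace the local-clock driver with `tos orphan 10`, which is the form ntp's documentation recommends for this use, so clients can distinguish a synced source from a drifting one. `includefile /etc/ntp/crypto/pw` and `keys /etc/ntp/keys` reference files this commit does not ship; presumably the distro defaults are relied upon — worth a comment.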
@@ -0,0 +1,94 @@
+# rsyslog v5 configuration file
+
+# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
+# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html
+
+#### MODULES ####
+
+$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
+$ModLoad imklog # provides kernel logging support (previously done by rklogd)
+#$ModLoad immark # provides --MARK-- message capability
+
+# Provides UDP syslog reception
+#$ModLoad imudp
+#$UDPServerRun 514
+
+# Provides TCP syslog reception
+$ModLoad imtcp
+$InputTCPServerRun 514
+
+
+$WorkDirectory /var/lib/rsyslog
+
+# Added for chef logfiles
+$template Chef_log,"/var/log/cobbler/anamon/%hostname%/chef-client.log"
+$template Raw, "%rawmsg%"
+
+#### GLOBAL DIRECTIVES ####
+
+# Use default timestamp format
+$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
+
+# File syncing capability is disabled by default. This feature is usually not required,
+# not useful and an extreme performance hit
+#$ActionFileEnableSync on
+
+# Include all config files in /etc/rsyslog.d/
+$IncludeConfig /etc/rsyslog.d/*.conf
+
+
+#### RULES ####
+
+# Log all kernel messages to the console.
+# Logging much else clutters up the screen.
+#kern.* /dev/console
+
+# Log anything (except mail) of level info or higher.
+# Don't log private authentication messages!
+syslog.*,daemon.* /var/log/messages
+
+# The authpriv file has restricted access.
+authpriv.* /var/log/secure
+
+# Log all the mail messages in one place.
+mail.* -/var/log/maillog
+
+
+# Log cron stuff
+cron.* /var/log/cron
+
+# Log dhcpd
+local6.* /var/log/dhcpd.log
+
+# Log tftpd
+local5.* /var/log/tftpd.log
+
+# Everybody gets emergency messages
+*.emerg *
+
+# Save news errors of level crit and higher in a special file.
+uucp,news.crit /var/log/spooler + +# Save boot messages also to boot.log +local7.* /var/log/boot.log + + +local3.* -?Chef_log + +# ### begin forwarding rule ### +# The statement between the begin ... end define a SINGLE forwarding +# rule. They belong together, do NOT split them. If you create multiple +# forwarding rules, duplicate the whole block! +# Remote Logging (we use TCP for reliable delivery) +# +# An on-disk queue is created for this action. If the remote host is +# down, messages are spooled to disk and sent when it is up again. +#$WorkDirectory /var/lib/rsyslog # where to place spool files +#$ActionQueueFileName fwdRule1 # unique name prefix for spool files +#$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible) +#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown +#$ActionQueueType LinkedList # run asynchronously +#$ActionResumeRetryCount -1 # infinite retries if host is down +# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional +#*.* @@remote-host:514 +# ### end of the forwarding rule ### diff --git a/misc/snmp/snmp.conf b/misc/snmp/snmp.conf new file mode 100644 index 00000000..34f8053e --- /dev/null +++ b/misc/snmp/snmp.conf @@ -0,0 +1 @@ +mibdirs +/usr/local/share/snmp/mibs diff --git a/misc/squid/squid.conf b/misc/squid/squid.conf index 8846b354..a6312e7f 100644 --- a/misc/squid/squid.conf +++ b/misc/squid/squid.conf @@ -8,6 +8,7 @@ acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1 # Example rule allowing access from your local networks. # Adapt to list your (internal) IP networks from where browsing # should be allowed +acl localnet src $subnet # the subnet of local network acl localnet src 10.0.0.0/8 # RFC1918 possible internal network acl localnet src 172.16.0.0/12 # RFC1918 possible internal network acl localnet src 192.168.0.0/16 # RFC1918 possible internal network 
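Review bot: `$ModLoad imtcp` with `$InputTCPServerRun 514` opens an unauthenticated syslog listener on every interface, and the `Chef_log` template builds the output path from the sender-supplied `%hostname%` — `/var/log/cobbler/anamon/%hostname%/chef-client.log` — which rsyslog does not sanitise for path separators, so any host that can reach port 514 chooses the directory a root-running rsyslog writes `local3.*` messages into. Use the path-safe property form in the template, `$template Chef_log,"/var/log/cobbler/anamon/%hostname:::secpath-replace%/chef-client.log"`, and limit senders to the provisioning network with `$AllowedSender TCP, 127.0.0.1, <SUBNET>` — the subnet is known at install time as $SUBNET, and prepare.sh could substitute it the way it does for squid. The `$template Raw` definition is not referenced by any rule here; if it is consumed by something in /etc/rsyslog.d a comment saying so would help.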
@@ -55,8 +56,7 @@ cache_dir aufs /var/squid/cache 25000 16 256 cache_store_log /var/log/squid/store.log -logformat squid %tl %6tr %>a %Ss/%>Hs %h %