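#!/bin/bash
# Provision the "services" test VM: give it a static network identity, then
# set up a FreeIPA server, a Samba AD domain controller, a Candlepin instance
# and a Grafana instance, each wrapped in a /root/run-* helper script that the
# test harness uses to (re)start the service.
#
# This is a one-shot image build script: it runs as root on a throw-away VM and
# is not written to be re-run on the same image (e.g. mkdir without -p).
# Every password below is a fixed test fixture that the test suite depends on,
# not a secret; note that "set -x" echoes them, like every other argument, into
# the build log.
set -ex

# This VM's address on the test network; peer VMs reach all services here.
SERVER_IP=10.111.112.100
# static host name and IP so that peer VMs can find us
systemctl enable --now NetworkManager
nmcli con add con-name "static-mcast1" ifname ens15 type ethernet ip4 "$SERVER_IP/20" ipv4.dns "$SERVER_IP" gw4 "10.111.112.1"
nmcli con up "static-mcast1"
hostnamectl set-hostname services.cockpit.lan

#############
#
# FreeIPA setup
#
#############
# see https://quay.io/repository/freeipa/freeipa-server
# we want centos-9-stream tag here, but newer versions have a time-bomb crash: https://issues.redhat.com/browse/RHEL-76748
# the container runs systemd, which needs to manage its own cgroup subtree
setsebool -P container_manage_cgroup 1
# host directory that is bind-mounted into the container as /data
mkdir /var/lib/ipa-data
# Helper script for starting the server.  The heredoc is unquoted on purpose:
# $SERVER_IP is expanded now, so the generated script carries the literal
# address.  "foobarfoo" is the Directory Manager (-p) and admin (-a) password;
# it is also used by the post-setup kinit below.  A shebang is included so the
# helper can be executed directly from non-shell callers as well.
cat <<EOF > /root/run-freeipa
#!/bin/sh
podman run -d --rm --name freeipa -ti -h f0.cockpit.lan \
-e IPA_SERVER_IP=$SERVER_IP \
-p $SERVER_IP:53:53/udp -p $SERVER_IP:53:53 -p 80:80 -p 443:443 -p 389:389 -p 636:636 -p 88:88 -p 464:464 -p 88:88/udp -p 464:464/udp -p 123:123/udp \
-v /var/lib/ipa-data:/data:Z \
-v /sys/fs/cgroup:/sys/fs/cgroup:ro \
quay.io/freeipa/freeipa-server:centos-9-stream-4.12.0 \
-U -p foobarfoo -a foobarfoo -n cockpit.lan -r COCKPIT.LAN --setup-dns --no-forwarders --no-ntp
EOF
chmod 755 /root/run-freeipa
/root/run-freeipa
# stream the container log into the build log while the installation runs
podman logs -f freeipa &
LOGS=$!
# so wait until booted and setup is done
podman exec freeipa sh -ec 'until systemctl --quiet is-system-running; do sleep 5; done'
# stop podman logs
kill "$LOGS"
# reaping the killed log reader yields a non-zero status; that is expected
wait || true
# further setup; the trailing poweroff shuts the container's systemd down, so
# the --rm container goes away and the harness later starts a fresh one via
# /root/run-freeipa, which reuses the state in /var/lib/ipa-data
podman exec freeipa sh -exc '
# Default password expiry of 90 days is impractical
echo foobarfoo | kinit admin@COCKPIT.LAN
ipa pwpolicy-mod --minlife=0 --maxlife=1000
# Change password to apply new password policy
printf "foobarfoo\nfoobarfoo\n" | ipa user-mod --password admin
# Allow "admins" IPA group members to run sudo
# This is an "unbreak my setup" step and ought to happen by default.
# See https://pagure.io/freeipa/issue/7538
ipa-advise enable-admins-sudo | sh -ex
ipa dnsconfig-mod --forwarder=8.8.8.8
poweroff
'

#############
#
# Samba AD setup
#
#############
# See https://github.com/Fmstrat/samba-domain ; docker.io/nowsci/samba-domain works fine
# but we have to build ourselves due to docker pull rate limits
# NOTE(review): this clones the upstream default branch HEAD, so the built
# image changes whenever upstream does; pinning a commit would make rebuilds
# reproducible.
git clone --depth=1 https://github.com/Fmstrat/samba-domain /var/tmp/samba-domain
# avoid pulling ubuntu base image from dockerhub
sed -i '/^FROM/ s|ubuntu:22.04|quay.io/bedrock/ubuntu:jammy|' /var/tmp/samba-domain/Dockerfile
podman build -t localhost/samba-domain /var/tmp/samba-domain
# Helper script for starting the domain controller.  $SERVER_IP is expanded
# now (unquoted heredoc); "foobarFoo123" is the test domain admin password.
# Shebang added for consistency with the other /root/run-* helpers.
cat <<EOF > /root/run-samba-domain
#!/bin/sh
podman run -d -it --rm --privileged --name samba \
-e "DOMAIN=COCKPIT.LAN" \
-e "DOMAINPASS=foobarFoo123" \
-e "DNSFORWARDER=172.27.0.3" \
-e "HOSTIP=$SERVER_IP" \
-p $SERVER_IP:53:53 \
-p $SERVER_IP:53:53/udp \
-p 88:88 \
-p 88:88/udp \
-p 135:135 \
-p 137-138:137-138/udp \
-p 139:139 \
-p 389:389 \
-p 389:389/udp \
-p 445:445 \
-p 464:464 \
-p 464:464/udp \
-p 636:636 \
-p 1024-1044:1024-1044 \
-p 3268-3269:3268-3269 \
--add-host services.cockpit.lan:$SERVER_IP \
-h f0.cockpit.lan \
localhost/samba-domain
EOF
chmod 755 /root/run-samba-domain
# no need to run the script here; it initializes reasonably fast and we don't have post-setup to do for now

#############################
#
# candlepin setup
#
#############################
# run the candlepin container to copy the certificates out of it
# (no --rm here: the stopped container is kept and restarted by /root/run-candlepin)
podman run -d --name candlepin \
--uts=host \
-p 8443:8443 \
-p 8080:8080 \
ghcr.io/candlepin/candlepin-unofficial:latest
# give systemd the time to start in the container
sleep 5
# $(hostname -f) is escaped so that it is evaluated inside the container, not here
podman exec -i candlepin sh -eux <<EOF
# ensure hostname is installed, as it is used by gen_certs.sh
dnf --setopt install_weak_deps=False -y install hostname
# stop tomcat, so we can regenerate the certs
systemctl stop tomcat
# regenerate the certs used by Candlepin; this is done so the hostname
# of the certificate is actually this container's hostname (which actually
# is the hostname of the system, because of --uts=host)
~candlepin/devel/candlepin/bin/deployment/gen_certs.sh --force --trust --hostname \$(hostname -f)
# restart tomcat
systemctl start tomcat
EOF
# give candlepin the time to start in the container
sleep 5
# validate that it works; --insecure because the certificate was just
# generated locally by gen_certs.sh and is not trusted by this host
until curl --insecure --fail --head https://localhost:8443/candlepin/status; do sleep 5; done
curl --insecure --fail --head http://localhost:8080/RPM-GPG-KEY-candlepin
# copy the certificate to where the tests expect them
mkdir -p /home/admin/candlepin
podman cp candlepin:/home/candlepin/devel/candlepin/generated_certs /home/admin/candlepin/
mkdir -p /home/admin/candlepin/certs
podman cp candlepin:/etc/candlepin/certs/candlepin-ca.crt /home/admin/candlepin/certs/
# the CA private key is copied too, so tests can mint their own certificates
# against this (test-only) CA
podman cp candlepin:/etc/candlepin/certs/candlepin-ca.key /home/admin/candlepin/certs/
chown -R admin:admin /home/admin/candlepin/
podman stop candlepin
# Helper script: restart the stopped container and block until it answers
cat <<EOF > /root/run-candlepin
#!/bin/sh
podman start candlepin
until curl --insecure --fail --head https://localhost:8443/candlepin/status; do sleep 5; done
EOF
chmod 755 /root/run-candlepin

#############################
#
# grafana setup
#
#############################
# use mirror to avoid pull rate limits in the RH VPN
podman pull quay.io/glueops/mirror/grafana/grafana:12.1.0
podman tag quay.io/glueops/mirror/grafana/grafana:12.1.0 docker.io/grafana/grafana:latest
# Helper script for starting Grafana.  \$PCP_CONFIG is escaped so it is
# evaluated by the generated script, and it is deliberately left unquoted
# there: it must word-split into "-v <mount>" when /root/pcp.yaml exists and
# expand to nothing otherwise.  "foobar" is the test admin password.
cat <<EOF > /root/run-grafana
#!/bin/sh
if [ -e /root/pcp.yaml ]; then
PCP_CONFIG="-v /root/pcp.yaml:/etc/grafana/provisioning/plugins/pcp.yaml:ro,z"
fi
podman run -d --rm --name grafana -p 3000:3000 \
-v grafana-storage:/var/lib/grafana \
\$PCP_CONFIG \
-e GF_SECURITY_ADMIN_PASSWORD=foobar \
-e GF_ANALYTICS_ENABLED=false \
-e GF_ANALYTICS_REPORTING_ENABLED=false \
-e GF_ANALYTICS_CHECK_FOR_UPDATES=false \
-e GF_ANALYTICS_CHECK_FOR_PLUGIN_UPDATES=false \
-e GF_PLUGINS_PREINSTALL="redis-datasource,performancecopilot-pcp-app" \
docker.io/grafana/grafana:latest
EOF
chmod 755 /root/run-grafana
# run it once to initialize and download plugin; still without pcp.yaml, as the
# plugin isn't installed yet, so it can't be enabled yet
/root/run-grafana
# wait until set up completed and stop the container. Give Grafana a
# lot of time to stop cleanly. Otherwise we might end up with
# non-working plugins.
until curl http://localhost:3000; do sleep 5; done
podman stop --time=600 grafana
# create PCP plugin enablement config, for next start
cat <<EOF > /root/pcp.yaml
apiVersion: 1
apps:
- type: performancecopilot-pcp-app
EOF

#############################
#
# Final tweaks
#
#############################
# disable automatic updates
systemctl disable --now zincati.service
# reduce image size
/var/lib/testvm/zero-disk.setup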