Skip to content

Instantly share code, notes, and snippets.

@rmillner
Forked from Miciah/kick.sh
Created October 22, 2012 19:08
Show Gist options
  • Save rmillner/3933438 to your computer and use it in GitHub Desktop.
Save rmillner/3933438 to your computer and use it in GitHub Desktop.
OpenShift kickstart script (using latest puddle)
#!/bin/sh
set -e
if [ $# -lt 1 ]
then
printf 'Usage: %s vm_name [arg1 [arg2 [...]]]\n' "$0"
printf 'Example:\n'
printf '%s my_new_broker_and_node install_components=broker,node,activemq,datastore named_ip_addr=10.0.0.1' "$0"
exit 1
fi
NAME="$1"; shift
DISK=/opt/"$NAME"
CMDLINE='ks=http://file.rdu.redhat.com/~mmasters/openshift.ks'
for ARG
do
CMDLINE="$CMDLINE $ARG"
done
set -x
qemu-img create "$DISK" 30G -f raw && mkfs.ext4 -F "$DISK"
virt-install --name="$NAME" --ram=2048 --vcpus=2 --hvm --disk "$DISK" \
--location http://download.devel.redhat.com/released/RHEL-6/6.3/Server/x86_64/os/ \
-x "$CMDLINE" \
--connect qemu:///system --network bridge=br0 --graphics vnc -d --wait=-1 \
--autostart
# This kickstart script configures a system that acts as either a node or
# a broker.
install
text
skipx
# NB: Be sure to change the password before running this kickstart script.
rootpw --iscrypted $6$D585cfHy7sxOwbvv$GxB8uftJRlBfK22vLso9g82/cSyC0TrmvQaDk8.VNqIuTjuy.135eL1HOhCUSe.QUuPB7g9QrOq6MvHR4N4KF1
lang en_US.UTF-8
keyboard us
timezone --utc America/New_York
services --enabled=ypbind,ntpd,network,logwatch
network --onboot yes --device eth0
firewall --service=ssh
authconfig --enableshadow --passalgo=sha512
selinux --enforcing
bootloader --location=mbr --driveorder=vda
zerombr yes
clearpart --all --initlabel
firstboot --disable
reboot
part /boot --fstype=ext4 --size=500
part pv.253002 --grow --size=1
volgroup vg_vm1 --pesize=4096 pv.253002
logvol / --fstype=ext4 --name=lv_root --vgname=vg_vm1 --grow --size=1024 --maxsize=51200
logvol swap --name=lv_swap --vgname=vg_vm1 --grow --size=2016 --maxsize=4032
%packages
@core
@server-policy
ntp
git
emacs
%post --log=/root/anaconda-post.log
# Set output on the 7th console and switch to it
tail -f /root/anaconda-post.log >/dev/tty7 &
TAILPID=$!
OLDVT=`tty | sed -e 's|/dev/tty||g'`
/usr/bin/chvt 7 || :
# Verbose exec
set -x
# Enable both broker and node
export CONF_INSTALL_BROKER="true"
export CONF_INSTALL_NODE="true"
# You can tail the log file showing the execution of the commands below
# by using the following command:
# tailf /mnt/sysimage/root/anaconda-post.log
# You can use sed to extract just the %post section:
# sed -e '0,/^%post/d;/^%end/,$d'
# Log the command invocations (and not merely output) in order to make
# the log more useful.
set -x
########################################################################
# Synchronize the system clock to the NTP servers and then synchronize
# hardware clock with that.
synchronize_clock()
{
# Synchronize the system clock using NTP.
ntpdate clock.redhat.com
# Synchronize the hardware clock to the system clock.
hwclock --systohc
}
# Install SSH keys. We hardcode a key used for internal OpenShift
# development, but the hardcoded key can be replaced with another or
# with a wget command to download a key from elsewhere.
install_ssh_keys()
{
mkdir /root/.ssh
chmod 700 /root/.ssh
cat >> /root/.ssh/authorized_keys << KEYS
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDkMc2jArUbWICi0071HXrt5uofQam11duqo5KEDWUZGtHuMTzuoZ0XEtzpqoRSidya9HjbJ5A4qUJBrvLZ07l0OIjENQ0Kvz83alVGFrEzVVUSZyiy6+yM9Ksaa/XAYUwCibfaFFqS9aVpVdY0qwaKrxX1ycTuYgNAw3WUvkHagdG54/79M8BUkat4uNiot0bKg6VLSI1QzNYV6cMJeOzz7WzHrJhbPrgXNKmgnAwIKQOkbATYB+YmDyHpA4m/O020dWDk9vWFmlxHLZqddCVGAXFyQnXoFTszFP4wTVOu1q2MSjtPexujYjTbBBxraKw9vrkE25YZJHvbZKMsNm2b libra_onprem
KEYS
}
configure_rhel_repo()
{
# Enable the optional channel.
# yum-config-manager --enable rhel-6-server-optional-rpms
cat > /etc/yum.repos.d/rhel-6-download-devel.repo <<YUM
[rhel63]
name=RHEL 6.3 Server
baseurl=http://download.devel.redhat.com/released/RHEL-6/6.3/Server/x86_64/os/
enabled=1
gpgcheck=0
[rhel63-optional]
name=RHEL 6.3 Server Optional
baseurl=http://download.devel.redhat.com/released/RHEL-6/6.3/Server/optional/x86_64/os/
enabled=1
gpgcheck=0
[jbosseap6-6server]
name=JBOSS EAP 6 Server for RHEL 6
baseurl=http://download.devel.redhat.com/released/JBEAP-6/6.0.0/rpm/6Server/x86_64/
enabled=1
gpgcheck=0
YUM
}
configure_client_tools_repo()
{
# Enable repo with the puddle for broker packages.
cat >> /etc/yum.repos.d/openshift-client.repo << YUM
[openshift_client]
name=OpenShift Client
baseurl=http://buildvm-devops.usersys.redhat.com/puddle/build/OpenShiftEnterprise/Beta/2012-10-25.1/Client/x86_64/os/
enabled=1
gpgcheck=0
YUM
}
configure_broker_repo()
{
# Enable repo with the puddle for broker packages.
cat >> /etc/yum.repos.d/openshift-infrastructure.repo << YUM
[openshift_infrastructure]
name=OpenShift Infrastructure
baseurl=http://buildvm-devops.usersys.redhat.com/puddle/build/OpenShiftEnterprise/Beta/2012-10-25.1/Infrastructure/x86_64/os/
enabled=1
gpgcheck=0
YUM
}
configure_node_repo()
{
# Enable repo with the puddle for node packages.
cat >> /etc/yum.repos.d/openshift-node.repo << YUM
[openshift_node]
name=OpenShift Node
baseurl=http://buildvm-devops.usersys.redhat.com/puddle/build/OpenShiftEnterprise/Beta/2012-10-25.1/Node/x86_64/os/
enabled=1
gpgcheck=0
YUM
}
configure_mash_repo()
{
# Enable repo with the puddle for node packages.
cat >> /etc/yum.repos.d/openshift-mash.repo << YUM
[openshift_mash]
name=OpenShift Mash
baseurl=http://buildvm-devops.usersys.redhat.com/puddle/build/OpenShiftEnterprise/Beta/2012-10-25.1/mash/devops-1-rhel-6-candidate/x86_64/os/
enabled=1
gpgcheck=0
YUM
}
configure_jboss_cartridge_repo()
{
# Enable repo with the puddle for the JBossEAP cartridge package.
cat >> /etc/yum.repos.d/openshift-jboss.repo << YUM
[openshift_jbosseap]
name=OpenShift JBossEAP
baseurl=http://buildvm-devops.usersys.redhat.com/puddle/build/OpenShiftEnterprise/Beta/2012-10-25.1/JBoss_EAP6_Cartridge/x86_64/os/
enabled=1
gpgcheck=0
YUM
}
# Install the client tools.
install_rhc_pkg()
{
yum install -y rhc
}
# Install broker-specific packages.
install_broker_pkgs()
{
# Kickstart doesn't handle line continuations.
pkgs="openshift-origin-broker"
pkgs="$pkgs openshift-origin-broker-util"
pkgs="$pkgs rubygem-openshift-origin-msg-broker-mcollective"
pkgs="$pkgs rubygem-openshift-origin-auth-remote-user"
pkgs="$pkgs rubygem-openshift-origin-dns-bind"
yum install -y $pkgs
}
# Install node-specific packages.
install_node_pkgs()
{
# Kickstart doesn't handle line continuations.
pkgs="rubygem-openshift-origin-node rubygem-passenger-native"
pkgs="$pkgs openshift-origin-port-proxy"
pkgs="$pkgs openshift-origin-node-util"
# We use semanage in this kickstart script, so we need to install
# policycoreutils-python.
pkgs="$pkgs policycoreutils-python"
yum install -y $pkgs
}
# Install any cartridges developers may want.
install_cartridges()
{
:
# Following are cartridge rpms that one may want to install here:
# Embedded cron support.
yum install openshift-origin-cartridge-cron-1.4 -y
# diy app.
yum install openshift-origin-cartridge-diy-0.1 -y
# haproxy-1.4 support.
yum install openshift-origin-cartridge-haproxy-1.4 -y
# JBossEWS1.0 support.
yum install openshift-origin-cartridge-jbossews-1.0 -y
# JBossEAP6.0 support.
yum install openshift-origin-cartridge-jbosseap-6.0 -y
# Jenkins server for continuous integration.
yum install openshift-origin-cartridge-jenkins-1.4 -y
# Embedded jenkins client.
yum install openshift-origin-cartridge-jenkins-client-1.4 -y
# Embedded MySQL.
yum install openshift-origin-cartridge-mysql-5.1 -y
# mod_perl support.
yum install openshift-origin-cartridge-perl-5.10 -y
# PHP 5.3 support.
yum install openshift-origin-cartridge-php-5.3 -y
# Embedded PostgreSQL.
yum install openshift-origin-cartridge-postgresql-8.4 -y
# Python 2.6 support.
yum install openshift-origin-cartridge-python-2.6 -y
# Ruby Rack support running on Phusion Passenger (Ruby 1.8).
yum install openshift-origin-cartridge-ruby-1.8 -y
# Ruby Rack support running on Phusion Passenger (Ruby 1.9).
yum install openshift-origin-cartridge-ruby-1.9-scl -y
}
# Fix up SELinux policy on the broker.
configure_selinux_policy_on_broker()
{
# We combine these setsebool commands into a single semanage command
# because separate commands take a long time to run.
(
# Allow the broker to write files in the http file context.
echo boolean -m --on httpd_unified
# Allow the broker to access the network.
echo boolean -m --on httpd_can_network_connect
echo boolean -m --on httpd_can_network_relay
# Enable some passenger-related permissions.
#
# The name may change at some future point, at which point we will
# need to delete the httpd_run_stickshift line below and enable the
# httpd_run_openshift line.
echo boolean -m --on httpd_run_stickshift
#echo boolean -m --on httpd_run_openshift
# Allow the broker to communicate with the named service.
echo boolean -m --on allow_ypbind
) | semanage -i -
fixfiles -R rubygem-passenger restore
fixfiles -R mod_passenger restore
restorecon -R -v /var/run
restorecon -rv /usr/share/rubygems/gems/passenger-*
}
# Fix up SELinux policy on the node.
configure_selinux_policy_on_node()
{
# We combine these setsebool commands into a single semanage command
# because separate commands take a long time to run.
(
# Allow the node to write files in the http file context.
echo boolean -m --on httpd_unified
# Allow the node to access the network.
echo boolean -m --on httpd_can_network_connect
echo boolean -m --on httpd_can_network_relay
# Allow httpd on the node to read gear data.
#
# The name may change at some future point, at which point we will
# need to delete the httpd_run_stickshift line below and enable the
# httpd_run_openshift line.
echo boolean -m --on httpd_run_stickshift
#echo boolean -m --on httpd_run_openshift
echo boolean -m --on httpd_read_user_content
echo boolean -m --on httpd_enable_homedirs
# Enable polyinstantiation for gear data.
echo boolean -m --on allow_polyinstantiation
) | semanage -i -
fixfiles -R rubygem-passenger restore
fixfiles -R mod_passenger restore
restorecon -rv /var/run
restorecon -rv /usr/share/rubygems/gems/passenger-*
restorecon -rv /usr/sbin/mcollectived /var/log/mcollective.log /var/run/mcollectived.pid
restorecon -rv /var/lib/openshift /etc/openshift/node.conf /etc/httpd/conf.d/openshift
}
configure_pam_on_node()
{
sed -i -e 's|pam_selinux|pam_openshift|g' /etc/pam.d/sshd
for f in "runuser" "runuser-l" "sshd" "su" "system-auth-ac"
do
t="/etc/pam.d/$f"
if ! grep -q "pam_namespace.so" "$t"
then
echo -e "session\t\trequired\tpam_namespace.so no_unmount_on_close" >> "$t"
fi
done
}
configure_cgroups_on_node()
{
cp -vf /usr/share/doc/*/cgconfig.conf /etc/cgconfig.conf
restorecon -v /etc/cgconfig.conf
mkdir /cgroup
restorecon -v /cgroup
chkconfig cgconfig on
chkconfig cgred on
chkconfig openshift-cgroups on
}
# Turn some sysctl knobs.
configure_sysctl_on_node()
{
# Increase kernel semaphores to accomodate many httpds.
echo "kernel.sem = 250 32000 32 4096" >> /etc/sysctl.conf
# Move ephemeral port range to accommodate app proxies.
echo "net.ipv4.ip_local_port_range = 15000 35530" >> /etc/sysctl.conf
# Increase the connection tracking table size.
echo "net.netfilter.nf_conntrack_max = 1048576" >> /etc/sysctl.conf
# Reload sysctl.conf to get the new settings.
#
# Note: We could add -e here to ignore errors that are caused by
# options appearing in sysctl.conf that correspond to kernel modules
# that are not yet loaded. On the other hand, adding -e might cause
# us to miss some important error messages.
sysctl -p /etc/sysctl.conf
}
configure_sshd_on_node()
{
# Configure sshd to pass the GIT_SSH environment variable through.
echo 'AcceptEnv GIT_SSH' >> /etc/ssh/sshd_config
# Up the limits on the number of connections to a given node.
perl -p -i -e "s/^#MaxSessions .*$/MaxSessions 40/" /etc/ssh/sshd_config
perl -p -i -e "s/^#MaxStartups .*$/MaxStartups 40/" /etc/ssh/sshd_config
}
# Configure MongoDB datastore.
configure_datastore()
{
# Install MongoDB.
yum install -y mongodb-server
# Require authentication.
perl -p -i -e "s/^#auth = .*$/auth = true/" /etc/mongodb.conf
# Use a smaller default size for databases.
if [ "x`fgrep smallfiles=true /etc/mongodb.conf`x" != "xsmallfiles=truex" ]
then
echo 'smallfiles=true' >> /etc/mongodb.conf
fi
# Iff mongod is running on a separate host from the broker, open up
# the firewall to allow the broker host to connect.
if broker
then
echo 'The broker and data store are on the same host.'
echo 'Skipping firewall and mongod configuration;'
echo 'mongod will only be accessible over localhost).'
else
echo 'The broker and data store are on separate hosts.'
echo 'Configuring the firewall to allow connections to mongod...'
lokkit --nostart --port=27017:tcp
echo 'Configuring mongod to listen on external interfaces...'
perl -p -i -e "s/^bind_ip = .*$/bind_ip = 0.0.0.0/" /etc/mongodb.conf
fi
# Configure mongod to start on boot.
chkconfig mongod on
# Start mongod so we can perform some administration now.
service mongod start
}
# Open up services required on the node for apps and developers.
configure_port_proxy()
{
lokkit --nostart --port=35531-65535:tcp
chkconfig openshift-port-proxy on
}
configure_gears()
{
# Make sure that gears are restarted on reboot.
chkconfig openshift-gears on
}
# Enable services to start on boot for the node.
enable_services_on_node()
{
# We use --nostart below because activating the configuration here will
# produce errors. Anyway, we only need the configuration activated
# after Anaconda reboots, so --nostart makes sense in any case.
lokkit --nostart --service=ssh
lokkit --nostart --service=https
lokkit --nostart --service=http
chkconfig httpd on
chkconfig network on
chkconfig sshd on
}
# Enable services to start on boot for the broker.
enable_services_on_broker()
{
# We use --nostart below because activating the configuration here will
# produce errors. Anyway, we only need the configuration activated
# after Anaconda reboots, so --nostart makes sense in any case.
lokkit --nostart --service=ssh
lokkit --nostart --service=https
lokkit --nostart --service=http
chkconfig httpd on
chkconfig network on
chkconfig ntpd on
chkconfig sshd on
}
# Configure mcollective on the broker to use qpid.
configure_mcollective_for_qpid_on_broker()
{
yum install -y mcollective-client
cat <<EOF > /etc/mcollective/client.cfg
topicprefix = /topic/
main_collective = mcollective
collectives = mcollective
libdir = /usr/libexec/mcollective
loglevel = debug
logfile = /var/log/mcollective-client.log
# Plugins
securityprovider = psk
plugin.psk = unset
connector = qpid
plugin.qpid.host = ${broker_hostname}.${domain}
plugin.qpid.secure = false
plugin.qpid.timeout = 5
# Facts
factsource = yaml
plugin.yaml = /etc/mcollective/facts.yaml
EOF
}
# Configure mcollective on the broker to use qpid.
configure_mcollective_for_qpid_on_node()
{
yum install -y mcollective openshift-origin-msg-node-mcollective
cat <<EOF > /etc/mcollective/server.cfg
topicprefix = /topic/
main_collective = mcollective
collectives = mcollective
libdir = /usr/libexec/mcollective
logfile = /var/log/mcollective.log
loglevel = debug
daemonize = 1
direct_addressing = n
# Plugins
securityprovider = psk
plugin.psk = unset
connector = qpid
plugin.qpid.host = ${broker_hostname}.${domain}
plugin.qpid.secure = false
plugin.qpid.timeout = 5
# Facts
factsource = yaml
plugin.yaml = /etc/mcollective/facts.yaml
EOF
chkconfig mcollective on
}
# Configure mcollective on the broker to use ActiveMQ.
configure_mcollective_for_activemq_on_broker()
{
yum install -y mcollective-client
cat <<EOF > /etc/mcollective/client.cfg
topicprefix = /topic/
main_collective = mcollective
collectives = mcollective
libdir = /usr/libexec/mcollective
logfile = /var/log/mcollective-client.log
loglevel = debug
# Plugins
securityprovider=psk
plugin.psk=unset
connector = stomp
plugin.stomp.host = ${activemq_hostname}.${domain}
plugin.stomp.port = 61613
plugin.stomp.user = mcollective
plugin.stomp.password = marionette
EOF
}
# Configure mcollective on the broker to use qpid.
configure_mcollective_for_activemq_on_node()
{
yum install -y mcollective openshift-origin-msg-node-mcollective
cat <<EOF > /etc/mcollective/server.cfg
topicprefix = /topic/
main_collective = mcollective
collectives = mcollective
libdir = /usr/libexec/mcollective
logfile = /var/log/mcollective.log
loglevel = debug
daemonize = 1
direct_addressing = n
# Plugins
securityprovider = psk
plugin.psk = unset
connector = stomp
plugin.stomp.host = ${activemq_hostname}.${domain}
plugin.stomp.port = 61613
plugin.stomp.user = mcollective
plugin.stomp.password = marionette
# Facts
factsource = yaml
plugin.yaml = /etc/mcollective/facts.yaml
EOF
chkconfig mcollective on
}
# Configure ActiveMQ.
configure_activemq()
{
# Install the service.
yum install -y activemq activemq-client
cat <<EOF > /etc/activemq/activemq.xml
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<beans
xmlns="http://www.springframework.org/schema/beans"
xmlns:amq="http://activemq.apache.org/schema/core"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
http://activemq.apache.org/schema/core http://activemq.apache.org/schema/core/activemq-core.xsd">
<!-- Allows us to use system properties as variables in this configuration file -->
<bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
<property name="locations">
<value>file:\${activemq.conf}/credentials.properties</value>
</property>
</bean>
<!--
The <broker> element is used to configure the ActiveMQ broker.
-->
<broker xmlns="http://activemq.apache.org/schema/core" brokerName="${activemq_hostname}.${domain}" dataDirectory="\${activemq.data}">
<!--
For better performances use VM cursor and small memory limit.
For more information, see:
http://activemq.apache.org/message-cursors.html
Also, if your producer is "hanging", it's probably due to producer flow control.
For more information, see:
http://activemq.apache.org/producer-flow-control.html
-->
<destinationPolicy>
<policyMap>
<policyEntries>
<policyEntry topic=">" producerFlowControl="true" memoryLimit="1mb">
<pendingSubscriberPolicy>
<vmCursor />
</pendingSubscriberPolicy>
</policyEntry>
<policyEntry queue=">" producerFlowControl="true" memoryLimit="1mb">
<!-- Use VM cursor for better latency
For more information, see:
http://activemq.apache.org/message-cursors.html
<pendingQueuePolicy>
<vmQueueCursor/>
</pendingQueuePolicy>
-->
</policyEntry>
</policyEntries>
</policyMap>
</destinationPolicy>
<!--
The managementContext is used to configure how ActiveMQ is exposed in
JMX. By default, ActiveMQ uses the MBean server that is started by
the JVM. For more information, see:
http://activemq.apache.org/jmx.html
-->
<managementContext>
<managementContext createConnector="false"/>
</managementContext>
<!--
Configure message persistence for the broker. The default persistence
mechanism is the KahaDB store (identified by the kahaDB tag).
For more information, see:
http://activemq.apache.org/persistence.html
-->
<persistenceAdapter>
<kahaDB directory="\${activemq.data}/kahadb"/>
</persistenceAdapter>
<!-- add users for mcollective -->
<plugins>
<statisticsBrokerPlugin/>
<simpleAuthenticationPlugin>
<users>
<authenticationUser username="mcollective" password="marionette" groups="mcollective,everyone"/>
<authenticationUser username="admin" password="secret" groups="mcollective,admin,everyone"/>
</users>
</simpleAuthenticationPlugin>
<authorizationPlugin>
<map>
<authorizationMap>
<authorizationEntries>
<authorizationEntry queue=">" write="admins" read="admins" admin="admins" />
<authorizationEntry topic=">" write="admins" read="admins" admin="admins" />
<authorizationEntry topic="mcollective.>" write="mcollective" read="mcollective" admin="mcollective" />
<authorizationEntry queue="mcollective.>" write="mcollective" read="mcollective" admin="mcollective" />
<authorizationEntry topic="ActiveMQ.Advisory.>" read="everyone" write="everyone" admin="everyone"/>
</authorizationEntries>
</authorizationMap>
</map>
</authorizationPlugin>
</plugins>
<!--
The systemUsage controls the maximum amount of space the broker will
use before slowing down producers. For more information, see:
http://activemq.apache.org/producer-flow-control.html
If using ActiveMQ embedded - the following limits could safely be used:
<systemUsage>
<systemUsage>
<memoryUsage>
<memoryUsage limit="20 mb"/>
</memoryUsage>
<storeUsage>
<storeUsage limit="1 gb"/>
</storeUsage>
<tempUsage>
<tempUsage limit="100 mb"/>
</tempUsage>
</systemUsage>
</systemUsage>
-->
<systemUsage>
<systemUsage>
<memoryUsage>
<memoryUsage limit="64 mb"/>
</memoryUsage>
<storeUsage>
<storeUsage limit="100 gb"/>
</storeUsage>
<tempUsage>
<tempUsage limit="50 gb"/>
</tempUsage>
</systemUsage>
</systemUsage>
<!--
The transport connectors expose ActiveMQ over a given protocol to
clients and other brokers. For more information, see:
http://activemq.apache.org/configuring-transports.html
-->
<transportConnectors>
<transportConnector name="openwire" uri="tcp://0.0.0.0:61616"/>
<transportConnector name="stomp" uri="stomp://0.0.0.0:61613"/>
</transportConnectors>
</broker>
<!--
Enable web consoles, REST and Ajax APIs and demos
Take a look at \${ACTIVEMQ_HOME}/conf/jetty.xml for more details
-->
<import resource="jetty.xml"/>
</beans>
<!-- END SNIPPET: example -->
EOF
# Allow connections to ActiveMQ.
lokkit --nostart --port=61613:tcp
# Configure ActiveMQ to start on boot.
chkconfig activemq on
}
# Configure qpid.
configure_qpid()
{
if [[ "x`fgrep auth= /etc/qpidd.conf`" == xauth* ]]
then
sed -i -e 's/auth=yes/auth=no/' /etc/qpidd.conf
else
echo "auth=no" >> /etc/qpidd.conf
fi
# Allow connections to qpidd.
lokkit --nostart --port=5672:tcp
# Configure qpidd to start on boot.
chkconfig qpidd on
}
# Configure BIND.
configure_named()
{
yum install -y bind bind-utils
# $keyfile will contain a new DNSSEC key for our domain.
keyfile=/var/named/${domain}.key
# Generate the new key for the domain.
rm -f /var/named/K${domain}*
pushd /var/named
dnssec-keygen -a HMAC-MD5 -b 512 -n USER -r /dev/urandom ${domain}
KEY="$(grep Key: K${domain}*.private | cut -d ' ' -f 2)"
popd
# Ensure we have a key for the broker to communicate with BIND.
rndc-confgen -a -r /dev/urandom
restorecon /etc/rndc.* /etc/named.*
chown root:named /etc/rndc.key
chmod 640 /etc/rndc.key
# Set up DNS forwarding.
cat <<EOF > /var/named/forwarders.conf
forwarders { ${nameservers} } ;
EOF
restorecon /var/named/forwarders.conf
chmod 755 /var/named/forwarders.conf
# Install the configuration file for the OpenShift Enterprise domain
# name.
rm -rf /var/named/dynamic
mkdir -p /var/named/dynamic
cat <<EOF > /var/named/dynamic/${domain}.db
\$ORIGIN .
\$TTL 1 ; 1 seconds (for testing only)
${domain} IN SOA ns1.${domain}. hostmaster.${domain}. (
2011112904 ; serial
60 ; refresh (1 minute)
15 ; retry (15 seconds)
1800 ; expire (30 minutes)
10 ; minimum (10 seconds)
)
NS ns1.${domain}.
MX 10 mail.${domain}.
\$ORIGIN ${domain}.
ns1 A 127.0.0.1
EOF
# Install the key for the OpenShift Enterprise domain.
cat <<EOF > /var/named/${domain}.key
key ${domain} {
algorithm HMAC-MD5;
secret "${KEY}";
};
EOF
chown named:named -R /var/named
restorecon -R /var/named
# Replace named.conf.
cat <<EOF > /etc/named.conf
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
options {
listen-on port 53 { any; };
listen-on port 953 { any; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };
recursion yes;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
// set forwarding to the next nearest server (from DHCP response
forward only;
include "forwarders.conf";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
// use the default rndc key
include "/etc/rndc.key";
controls {
inet 127.0.0.1 port 953
allow { 127.0.0.1; } keys { "rndc-key"; };
};
include "/etc/named.rfc1912.zones";
include "${domain}.key";
zone "${domain}" IN {
type master;
file "dynamic/${domain}.db";
allow-update { key ${domain} ; } ;
};
EOF
chown root:named /etc/named.conf
chcon system_u:object_r:named_conf_t:s0 -v /etc/named.conf
# Configure named to start on boot.
lokkit --nostart --service=dns
chkconfig named on
# Start named so we can perform some updates immediately.
service named start
# Tell BIND about the broker.
nsupdate -k ${keyfile} <<EOF
server 127.0.0.1
update delete ${named_hostname}.${domain} A
update add ${named_hostname}.${domain} 180 A ${named_ip_addr}
send
EOF
}
# Make resolv.conf point to our named service, which will resolve the
# host names used in this installation of OpenShift. Our named service
# will forward other requests to some other DNS servers.
update_resolv_conf()
{
# Update resolv.conf to use our named.
cat <<EOF > /etc/resolv.conf
nameserver ${named_ip_addr}
EOF
}
# Update the controller configuration.
configure_controller()
{
# Configure the broker with the correct hostname.
perl -p -i -e "s/.*:domain_suffix.*/ :domain_suffix => \"${domain}\",/" /var/www/openshift/broker/config/environments/*.rb
# */ # What the heck, VIM syntax highlighting? Kickstart scripts do not use
# C-style comments.
# Point the broker to the data store (mongod service).
perl -p -i -e "s/.*:host_port.*/ :host_port => [\"${datastore_hostname}.${domain}\", 27017],/" /var/www/openshift/broker/config/environments/*.rb
# */
# Configure the broker with the correct password for the data store.
# If you change the MongoDB password of "mooo" to something else, be
# sure to edit and enable the following line:
#sed -i -e '/:password => "mooo"/s/mooo/<password>/' /var/www/openshift/broker/config/environments/development.rb
# Configure the broker service to start on boot.
chkconfig openshift-broker on
}
# Set the administrative password for the database.
configure_mongo_password()
{
# The init script lies to us as of version 2.0.2-1.el6_3: The start and
# restart actions return before the daemon is ready to accept
# connections (it appears to take time to initialize the journal). Thus
# we need the following to wait until the daemon is really ready.
echo "Waiting for MongoDB to start ($(date +%H:%M:%S))..."
while :
do
echo exit | mongo && break
sleep 5
done
echo "MongoDB is ready! ($(date +%H:%M:%S))"
mongo openshift_broker_dev --eval 'db.addUser("openshift", "mooo")'
}
# Configure the broker to use the remote-user authentication plugin.
configure_auth_plugin()
{
cp /etc/openshift/plugins.d/openshift-origin-auth-remote-user.conf{.example,}
}
configure_messaging_plugin()
{
cp /etc/openshift/plugins.d/openshift-origin-msg-broker-mcollective.conf{.example,}
}
# Configure the broker to use the BIND DNS plug-in.
configure_dns_plugin()
{
mkdir -p /etc/openshift/plugins.d
cat <<EOF > /etc/openshift/plugins.d/openshift-origin-dns-bind.conf
BIND_SERVER="${named_ip_addr}"
BIND_PORT=53
BIND_KEYNAME="${domain}"
BIND_KEYVALUE="${KEY}"
BIND_ZONE="${domain}"
EOF
pushd /usr/share/selinux/packages/openshift-origin-dns-bind/ && make -f /usr/share/selinux/devel/Makefile ; popd
semodule -i /usr/share/selinux/packages/openshift-origin-dns-bind/dhcpnamedforward.pp
}
# Configure httpd for authentication.
configure_httpd_auth()
{
# Install the Apache configuration file.
cp /var/www/openshift/broker/httpd/conf.d/openshift-origin-auth-remote-user.conf{.sample,}
# The above configuration file configures Apache to use
# /etc/openshift/htpasswd for its password file. Use the following
# command to add users:
#
# htpasswd -c /etc/openshift/htpasswd username
# Generate the broker key.
openssl genrsa -out /etc/openshift/server_priv.pem 2048
openssl rsa -in /etc/openshift/server_priv.pem -pubout > /etc/openshift/server_pub.pem
# TODO: In the future, we will want to edit
# /etc/openshift/plugins.d/openshift-origin-auth-remote-user.conf to
# put in a random salt.
}
# Configure IP address and hostname.
configure_network()
{
# Append some stuff to the DHCP configuration.
cat <<EOF >> /etc/dhcp/dhclient-eth0.conf
prepend domain-name-servers ${named_ip_addr};
supersede host-name "${hostname}";
supersede domain-name "${domain}";
EOF
# Set the hostname.
sed -i -e "s/HOSTNAME=.*/HOSTNAME=${hostname}.${domain}/" /etc/sysconfig/network
hostname "${hostname}"
}
# Set some parameters in the OpenShift node configuration file.
configure_node()
{
sed -i -e "s/^PUBLIC_IP=.*$/PUBLIC_IP=${node_ip_addr}/;
s/^CLOUD_DOMAIN=.*$/CLOUD_DOMAIN=${domain}/;
s/^PUBLIC_HOSTNAME=.*$/PUBLIC_HOSTNAME=${hostname}.${domain}/;
s/^BROKER_HOST=.*$/BROKER_HOST=${broker_ip_addr}/" \
/etc/openshift/node.conf
}
# Run the cronjob installed by openshift-origin-msg-node-mcollective immediately
# to regenerate facts.yaml.
update_openshift_facts_on_node()
{
/etc/cron.minutely/openshift-facts
}
########################################################################
#
# Parse the kernel command-line, define variables with the parameters
# specified on it, and define functions broker() and node(), which
# return true or false as appropriate based on whether we are
# configuring the host as a broker or as a node.
#
# Parse /proc/cmdline so that from, e.g., "foo=bar baz" we get
# CONF_FOO=bar and CONF_BAZ=true in the environment.
for word in $(cat /proc/cmdline)
do
key="${word%%\=*}"
case "$word" in
(*=*) val="${word#*\=}" ;;
(*) val=true ;;
esac
eval "CONF_${key^^}"'="$val"'
done
is_true()
{
for arg
do
[[ x$arg =~ x(1|true) ]] || return 1
done
return 0
}
is_false()
{
for arg
do
[[ x$arg =~ x(1|true) ]] || return 0
done
return 1
}
# Following are the different components that can be installed:
components='broker node named activemq datastore'
# For each component, will define a constant function that return either
# true or false. For example, there will be a named function. We can
# then use 'if named; then ...; fi' or just 'named && ...' to run the
# given commands if, and only if, named is enabled.
# By default, each component is _not_ installed.
for component in $components
do
eval "$component() { false; }"
done
# But any or all components may be explicity enabled.
for component in ${CONF_INSTALL_COMPONENTS// }
do
eval "$component() { :; }"
done
# If nothing is explicitly enabled, enable everything.
installing_something=0
for component in $components
do
if eval $component
then
installing_something=1
break
fi
done
if [ $installing_something = 0 ]
then
for component in $components
do
eval "$component() { :; }"
done
fi
# Following are some settings used in subsequent steps.
# The domain name for the OpenShift Enterprise installation.
domain="${CONF_DOMAIN:-example.com}"
broker_hostname="${CONF_BROKER_HOSTNAME:-broker}"
node_hostname="${CONF_NODE_HOSTNAME:-node}"
named_hostname="${CONF_NAMED_HOSTNAME:-ns}"
activemq_hostname="${CONF_ACTIVEMQ_HOSTNAME:-activemq}"
datastore_hostname="${CONF_DATASTORE_HOSTNAME:-datastore}"
# The hostname name for this host.
# Note: If this host is, e.g., both a broker and a datastore, we want to
# go with the broker hostname and not the datastore hostname.
if broker
then hostname="$broker_hostname"
elif node
then hostname="$node_hostname"
elif named
then hostname="$named_hostname"
elif activemq
then hostname="$activemq_hostname"
elif datastore
then hostname="$datastore_hostname"
fi
# Grab the IP address set during installation.
cur_ip_addr="$(/sbin/ip addr show dev eth0 | awk '/inet / { split($2,a,"/"); print a[1]; }')"
# Unless otherwise specified, the broker is assumed to be the current
# host.
broker_ip_addr="${CONF_BROKER_IP_ADDR:-$cur_ip_addr}"
# Unless otherwise specified, the node is assumed to be the current
# host.
node_ip_addr="${CONF_NODE_IP_ADDR:-$cur_ip_addr}"
# Unless otherwise specified, the named service, data store, and
# ActiveMQ service are assumed to be the current host if we are
# installing the component now or the broker host otherwise.
if named
then
named_ip_addr="${CONF_NAMED_IP_ADDR:-$cur_ip_addr}"
else
named_ip_addr="${CONF_NAMED_IP_ADDR:-$broker_ip_addr}"
fi
echo "The following components will be installed:"
for component in $components
do
if eval $component
then
printf '\t%s.\n' $component
fi
done
echo "Configuring with broker with hostname ${broker_hostname}.${domain}."
node && echo "Configuring with node with hostname ${node_hostname}.${domain}."
echo "Configuring with named with IP address ${named_ip_addr}."
echo "Configuring with datastore with hostname ${datastore_hostname}.${domain}."
echo "Configuring with activemq with hostname ${activemq_hostname}.${domain}."
# The nameservers to which named on the broker will forward requests.
# This should be a list of IP addresses with a semicolon after each.
nameservers="$(awk '/nameserver/ { printf "%s; ", $2 }' /etc/resolv.conf)"
########################################################################
is_false "$CONF_NO_NTP" && synchronize_clock
is_false "$CONF_NO_SSH_KEYS" && install_ssh_keys
configure_rhel_repo
if activemq || broker || datastore
then
configure_broker_repo
fi
( broker || node ) && configure_mash_repo
node && configure_node_repo
node && configure_jboss_cartridge_repo
broker && configure_client_tools_repo
yum update -y
named && configure_named
update_resolv_conf
configure_network
datastore && configure_datastore
#broker && configure_qpid
activemq && configure_activemq
#broker && configure_mcollective_for_qpid_on_broker
broker && configure_mcollective_for_activemq_on_broker
#node && configure_mcollective_for_qpid_on_node
node && configure_mcollective_for_activemq_on_node
broker && install_broker_pkgs
node && install_node_pkgs
node && install_cartridges
broker && install_rhc_pkg
broker && enable_services_on_broker
node && enable_services_on_node
node && configure_pam_on_node
node && configure_cgroups_on_node
broker && configure_selinux_policy_on_broker
node && configure_selinux_policy_on_node
node && configure_sysctl_on_node
node && configure_sshd_on_node
broker && configure_controller
broker && configure_auth_plugin
broker && configure_messaging_plugin
broker && configure_dns_plugin
broker && configure_httpd_auth
datastore && configure_mongo_password
node && configure_port_proxy
node && configure_gears
node && configure_node
node && update_openshift_facts_on_node
# rmillner: Set up a local admin account with password admin
/usr/bin/htpasswd -b -c /etc/openshift/htpasswd admin admin
# rmillner: Use local broker instance
cat > /etc/openshift/express.conf <<CFG
# Remote API server
libra_server = 'localhost'
# Logging
debug = 'false'
# Timeout
#timeout = '10'
CFG
# rmillner: Setup root account
mkdir -p /root/.openshift
cat > /root/.openshift/express.conf <<CFG
# Default user login
default_rhlogin='admin'
# Server API
libra_server = 'localhost'
CFG
# rmillner: Setup root .ssh and add libra key
mkdir -p /root/.ssh
chmod 700 /root/.ssh
[ -f /root/.ssh/id_rsa ] || ssh-keygen -q -N '' -t rsa -f /root/.ssh/id_rsa
# rmillner: add devenv/libra key
cat >> /root/.ssh/authorized_keys << KEYS
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDUq7W38xCZ9WGSWCvustaMGMT04tRohw6AKGzI7P7xql5lhCAReyt72n9qWQRZsE1YiCSQuTfXI1oc8NpSM7+lMLwj12G8z3I1YT31JHr9LLYg/XIcExkzfBI920CaS82VqmKOpI9+ARHSJBdIbKRI0f5Y+u4xbc5UzKCJX8jcKGG7nEiw8zm+cvAlfOgssMK+qJppIbVcb2iZNTsw5i2aX6FDMyC+b17DQHzBGpNbhZYxuoERZVRcnYctgIzuo6fD60gniX0fVvrchlOnubB1sRYbloP2r6UE22w/dpLKOFE5i7CA0ZzNBERZ94cIKumIH9MiJs1a6bMe89VOjjNV libra
KEYS
# rmillner: kickstart can't finish with these running
/sbin/service mongod stop
/sbin/service crond stop
/sbin/service named stop
kill $TAILPID
chvt $OLDVT || :
%end
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment