@ericlake
ericlake / Initial iptables rules from fresh build
Last active September 3, 2019 13:15
Initial rules from a fresh build with kube-proxy, calico, iptables, and ipvs
Chain INPUT (policy DROP)
target prot opt source destination
cali-INPUT all -- 0.0.0.0/0 0.0.0.0/0 /* cali:Cz_u1IQiXIMmKD4c */
KUBE-FIREWALL all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 10.100.36.128/25 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:6443 /* K8s API port */
ericlake / version.sh
Created October 18, 2018 17:49 — forked from jmvrbanac/version.sh
Adding git log to bumpversion tag commits
#!/bin/bash
export MESSAGE=$(echo -e "\n\n$(git log `git describe --tags --abbrev=0`..HEAD --oneline)")
bumpversion \
--message 'Bump version: {current_version} → {new_version}{$MESSAGE}' \
"${@:1}"
ericlake / iptables_spec.rb
Created September 10, 2018 19:51
serverspec stuff
require 'serverspec'
set :backend, :exec
describe iptables do
  it { should have_rule('-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT') }
  it { should have_rule('-A INPUT -s 10.10.10.10/32 -p tcp -m tcp --dport 80 -j ACCEPT') }
  it { should have_rule('-A INPUT -p tcp -m tcp --dport 80 -j REJECT') }
end
ericlake / ose-hosts
Last active May 16, 2018 19:07
openshift inventory file
[masters]
master-1.staging.badger.net
master-2.staging.badger.net
master-3.staging.badger.net
[etcd]
master-1.staging.badger.net
master-2.staging.badger.net
master-3.staging.badger.net
ericlake / database.yml
Last active June 28, 2017 15:49
database yaml
sh-4.2# pwd
/persistent-region/region-data/var/www/miq/vmdb/config
sh-4.2# cat database.yml
---
base:
  adapter: postgresql
  encoding: utf8
  username: root
  pool: 5
  wait_timeout: 5
Jun 28 15:36:20 manageiq-0 sh[333]: Starting EVM...
Jun 28 15:36:20 manageiq-0 sh[333]: rake aborted!
Jun 28 15:36:20 manageiq-0 sh[333]: PG::ConnectionBad: could not connect to server: No such file or directory
Jun 28 15:36:20 manageiq-0 sh[333]: Is the server running locally and accepting
Jun 28 15:36:20 manageiq-0 sh[333]: connections on Unix domain socket "/var/run/postgresql/.s.PGSQL.5432"?
Jun 28 15:36:20 manageiq-0 sh[333]: /var/www/miq/vmdb/lib/extensions/ar_virtual.rb:400:in `load_schema!'
Jun 28 15:36:20 manageiq-0 sh[333]: /var/www/miq/vmdb/app/models/miq_server.rb:531:in `block in <class:MiqServer>'
Jun 28 15:36:20 manageiq-0 sh[333]: /var/www/miq/vmdb/app/models/miq_server/worker_management.rb:14:in `kill_all_workers'
Jun 28 15:36:20 manageiq-0 sh[333]: /var/www/miq/vmdb/lib/tasks/evm_application.rb:21:in `start'
Jun 28 15:36:20 manageiq-0 sh[333]: /var/www/miq/vmdb/lib/tasks/evm.rake:8:in `block (2 levels) in <top (required)>'
oc rsh pod/manageiq-0 ps -ef
UID PID PPID C STIME TTY TIME CMD
root 1 0 0 15:17 ? 00:00:00 /usr/sbin/init
root 19 1 0 15:17 ? 00:00:00 /usr/lib/systemd/systemd-journal
root 20 1 0 15:17 ? 00:00:00 /usr/sbin/crond -n
root 45 1 0 15:17 ? 00:00:00 vmstat -a -n 60
root 46 1 0 15:17 ? 00:00:00 top -b -d 60
dbus 74 1 0 15:17 ? 00:00:00 /bin/dbus-daemon --system --addr
root 225 1 0 15:18 ? 00:00:00 /bin/bash /bin/evm_watchdog
root 226 225 0 15:18 ? 00:00:00 ruby /bin/evm_watchdog.rb
Name: manageiq-0
Namespace: manageiq
Security Policy: privileged
Node: node-020.ord1.prod.rsi.rackspace.net/10.10.155.17
Start Time: Fri, 23 Jun 2017 13:21:54 -0500
Labels: name=manageiq
Status: Running
IP: 172.20.13.7
Controllers: StatefulSet/manageiq
Containers:
apiVersion: v1
kind: Secret
metadata:
  name: ceph-shared-key
data:
  key: FILL-IN-WITH-YOUR-OWN-KEY
type: kubernetes.io/rbd
ericlake / inventory.txt
Last active May 30, 2017 19:01
relevant logging section
# Logging configuration
openshift_logging_image_version=v1.5.1
openshift_logging_use_ops=false
openshift_logging_public_master_url=https://rsi.example.net
openshift_logging_namespace=logging
openshift_logging_install_logging=true
openshift_logging_kibana_hostname=logs.rsi.example.net
openshift_logging_kibana_key=/certs/rsi.example.net.key
openshift_logging_kibana_cert=/certs/rsi.example.net.crt
openshift_logging_kibana_ca=/certs/thawte-bundle.crt