Cloud-config for CoreOS IPXE deployment on Vultr. Provisioning etcd, fleet, private network and docker compatible firewall. #tags: foo, bar
```bash
#!/bin/bash
# Cloud-config for CoreOS IPXE deployment on Vultr
##################################################
# This cloud-config bootstraps CoreOS on /dev/vda and provisions:
#   - private ip-address on eth1
#   - etcd on private network
#   - fleet on private network
#   - basic firewall (docker compatible)
#   - SSHd security hardening
##################################################
# Usage:
#   1. Fill in region, SSH key and etcd token.
#      Hint: generate a new token for each unique etcd cluster on https://discovery.etcd.io/new
#   2. Point the cloud-config-url parameter in your IPXE boot script to this file.
##################################################
REGION='vultr-ams'
SSH_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDA61LSHA7iU+82Z2qypYLx2gB9uHydUOoDON30ceAKl5dSgzShtF5XS5sqABYBMowDcvdkNyUDdt1Druv82iu/scATLFmxTQ8R2XIL33dMO6IpBg0d3WQcU5Xqeor9s5LTpln7F0V+9vaYG/nXqQtnz4PEnZGA+f9ddHuvcDajqKLNTDyriL87E6HAfjNU+1ShI2Qv8Zqhq8rYW0zkn2C+4vVKpgzq8B91R7hSXZwUTU9+bIq3uqTfe/t9/5hFNZEUo/ezV25DFvWDmvKcXt1QRoLxL/NI7h00fEJY7QVh2eevtiA9BdthI2LHx2tm2LoMYHQVZUVljm033xh2UISx'
ETCD_TOKEN=0a92b2b1223fe3f551e25047d238d261
# Don't edit below unless you know what you're doing
##################################################
# Instance addresses and id are read from the Vultr metadata service
V4_PRIVATE_IP=$(curl -sS http://169.254.169.254/current/meta-data/local-ipv4)
V4_PUBLIC_IP=$(curl -sS http://169.254.169.254/current/meta-data/public-ipv4)
INSTANCE_ID=$(curl -sS http://169.254.169.254/current/meta-data/instance-id)
# Unquoted heredoc on purpose: the $VARIABLES below are expanded into the generated YAML
cat > "cloud-config.yaml" <<EOF
#cloud-config
hostname: $REGION-${INSTANCE_ID: -4}
ssh_authorized_keys:
  - $SSH_KEY
coreos:
  etcd:
    discovery: https://discovery.etcd.io/$ETCD_TOKEN
    # multi-region and multi-cloud deployments need to use $V4_PUBLIC_IP
    addr: $V4_PRIVATE_IP:4001
    peer-addr: $V4_PRIVATE_IP:7001
  fleet:
    public-ip: $V4_PRIVATE_IP
    metadata: region=$REGION public_ip=$V4_PUBLIC_IP
  update:
    reboot-strategy: best-effort
  units:
    - name: vultr-meta.service
      command: start
      runtime: yes
      content: |
        [Unit]
        Description=Initialize Vultr private network
        [Service]
        Type=oneshot
        WorkingDirectory=/root
        ExecStart=/usr/bin/bash /root/vultr-privatenet.sh
    # iptables-restore loads /var/lib/iptables/rules-save written below
    - name: iptables.service
      enable: false
    - name: iptables-restore.service
      enable: true
    - name: etcd.service
      command: start
    - name: fleet.service
      command: start
write_files:
  - path: /etc/environment
    permissions: 0644
    owner: "root:root"
    content: |
      COREOS_PRIVATE_IPV4=$V4_PRIVATE_IP
      COREOS_PUBLIC_IPV4=$V4_PUBLIC_IP
      ETCD_ADDR=$V4_PRIVATE_IP:4001
      ETCD_PEER_ADDR=$V4_PRIVATE_IP:7001
      ETCD_TOKEN=$ETCD_TOKEN
  - path: /etc/systemd/network/10-static-eth1.network
    permissions: 0644
    owner: "root:root"
    content: |
      [Match]
      Name=eth1
      [Link]
      MTUBytes=1450
      [Network]
      Address=$V4_PRIVATE_IP/16
  - path: /root/vultr-privatenet.sh
    permissions: 0755
    owner: "root:root"
    content: |
      #!/bin/bash
      ip -4 addr add dev eth1 $V4_PRIVATE_IP/16
  # Default-deny INPUT; eth1 (private network) and docker0 are trusted wholesale,
  # only the listed tcp/udp ports are reachable from the public interface
  - path: /var/lib/iptables/rules-save
    permissions: 0644
    owner: "root:root"
    content: |
      *filter
      :INPUT DROP [0:0]
      :FORWARD ACCEPT [0:0]
      :OUTPUT ACCEPT [0:0]
      -A INPUT -i lo -j ACCEPT
      -A INPUT -i eth1 -j ACCEPT
      -A INPUT -i docker0 -j ACCEPT
      -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
      -A INPUT -m conntrack --ctstate NEW -m multiport -p tcp --dports 22,80,443,9345,9346 -j ACCEPT
      -A INPUT -m conntrack --ctstate NEW -m multiport -p udp --dports 500,4500 -j ACCEPT
      -A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
      -A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
      -A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
      -A FORWARD -i docker0 -o eth1 -j ACCEPT
      -A FORWARD -i eth1 -o docker0 -j ACCEPT
      -A FORWARD -i eth0 -o docker0 -j ACCEPT
      -A FORWARD -i docker0 -o eth0 -j ACCEPT
      COMMIT
  - path: /etc/ssh/sshd_config
    permissions: 0600
    owner: "root:root"
    content: |
      # Use most defaults for sshd configuration.
      UsePrivilegeSeparation sandbox
      Subsystem sftp internal-sftp
      PermitRootLogin no
      AllowUsers core
      PasswordAuthentication no
      ChallengeResponseAuthentication no
  # Shown at login; note that this exposes the etcd discovery token to every user who can log in
  - path: /etc/motd.d/info.conf
    content: |
      ____________________________
      Private IP...: $V4_PRIVATE_IP
      Public IP....: $V4_PUBLIC_IP
      Region.......: $REGION
      Etcd Token...: $ETCD_TOKEN
      ____________________________
EOF
sudo coreos-install -d /dev/vda -c cloud-config.yaml
sudo reboot
```
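A defender-side check for the firewall section of the cloud-config above, written as an added Python example that is not part of the gist: it parses an iptables rules-save fragment of the shape this cloud-config writes and reports where the ruleset is looser than an explicit allowlist (default policy, ports open on every interface, interfaces accepted wholesale). The `RULES_SAVE` sample is constructed from the rules on this page and trimmed to the lines the audit looks at.

```python
import re

# Constructed sample: the rules-save this cloud-config writes, trimmed to the audited lines.
RULES_SAVE = """*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -i docker0 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate NEW -m multiport -p tcp --dports 22,80,443,9345,9346 -j ACCEPT
-A INPUT -m conntrack --ctstate NEW -m multiport -p udp --dports 500,4500 -j ACCEPT
COMMIT
"""

def _opts(line):
    """Split one '-A CHAIN ...' line into {option: value}; bare flags map to True."""
    toks, out, i = line.split(), {}, 0
    while i < len(toks):
        arg = i + 1 < len(toks) and not toks[i + 1].startswith("-")
        if toks[i].startswith("-"):
            out[toks[i]] = toks[i + 1] if arg else True
        i += 2 if arg and toks[i].startswith("-") else 1
    return out

def summarize(rules):
    """Return (chain policies, interfaces accepted wholesale, ports open on every interface)."""
    policies = dict(re.findall(r"^:(\S+) (\S+) ", rules, re.M))
    trusted, ports = set(), {}
    for r in (_opts(l) for l in rules.splitlines() if l.startswith("-A INPUT ")):
        if r.get("-j") == "ACCEPT" and "-i" in r and "-p" not in r and "-m" not in r:
            trusted.add(r["-i"])  # blanket accept for an interface, no port/state match
        elif r.get("-j") == "ACCEPT" and "--dports" in r and "-i" not in r:
            ports.setdefault(r["-p"], set()).update(int(p) for p in r["--dports"].split(","))
    return policies, trusted, ports

def audit(rules, allowed_tcp, allowed_udp, allowed_ifaces):
    """Findings where the ruleset is looser than the stated intent; [] means it matches."""
    policies, trusted, ports = summarize(rules)
    findings = []
    if policies.get("INPUT") != "DROP":
        findings.append("INPUT default policy is not DROP")
    for proto, allowed in (("tcp", allowed_tcp), ("udp", allowed_udp)):
        extra = ports.get(proto, set()) - allowed
        if extra:
            findings.append(f"{proto} ports open beyond allowlist: {sorted(extra)}")
    if trusted - allowed_ifaces:
        findings.append(f"interfaces accepted wholesale: {sorted(trusted - allowed_ifaces)}")
    return findings
```

Run `audit(open('/var/lib/iptables/rules-save').read(), ...)` on a booted node to confirm the live file still matches what the cloud-config intended.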
webts commented Dec 26, 2017

this no longer works,
VM gets stuck in boot cycle.
have tried with multiple versions of coreOS going back to 1185.5.0

Trumeet commented Aug 26, 2019

> this no longer works,
> VM gets stuck in boot cycle.
> have tried with multiple versions of coreOS going back to 1185.5.0

+1

blyzer commented Sep 30, 2019

> this no longer works,
> VM gets stuck in boot cycle.
> have tried with multiple versions of coreOS going back to 1185.5.0

+2
