Created
March 25, 2019 15:56
-
-
Save silenius/f5e30e7e07863c2e5a55b42af29a3aea to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| salt% pwd | |
| /usr/local/etc/salt/pillar/jail | |
| salt% more chouffe.sls | |
| jails: | |
| root: /jails | |
| jail_conf: /etc/jail.conf | |
| jail_conf_template: salt://jails/files/chouffe/jail.conf.jinja | |
| instances: | |
| pg11: | |
| present: true | |
| version: 12.0-RELEASE | |
| init_scripts: | |
| - salt://jails/files/scripts/jail_init.sh | |
| sets: | |
| - base.txz | |
| - lib32.txz | |
| salt: | |
| minion_id: pg11.prod.lan | |
| master: salt.lan | |
| jail_conf: | | |
| $ip = 39; | |
| allow.sysvipc = 1; | |
| rc_conf: | | |
| network_interfaces="" | |
| rpcbind_enable="NO" | |
| cron_flags="$cron_flags -J 15" | |
| syslogd_flags="-ss" | |
| sendmail_enable="NONE" | |
| sshd_enable="YES" | |
| salt_minion_enable="YES" | |
| patches: | |
| - target: /etc/login.conf | |
| diff: patch-login.conf | |
| hash: 07ebd5eaebb5f9bb87e769356bec62fb | |
| pkg: | |
| FreeBSD.conf: | | |
| FreeBSD: { enabled: no } | |
| bebif.conf: | | |
| bebif: { | |
| url: "http://poudriere.myhost.be/12_0amd64-default-server", | |
| enabled: yes | |
| } | |
| fstab: | |
| /data/jails/pg11: | |
| path: /jails/pg11/data | |
| fstype: nullfs | |
| opts: rw | |
| /data/jails/pg11/data11: | |
| path: /jails/pg11/data/data11 | |
| fstype: nullfs | |
| opts: rw | |
| user: 770 | |
| group: 770 | |
| mode: 700 | |
| /data/jails/pg11/backups: | |
| path: /jails/pg11/data/backups | |
| fstype: nullfs | |
| opts: rw | |
| user: 770 | |
| group: 770 | |
| mode: 700 | |
| salt% pwd | |
| /usr/local/etc/salt/states/jails | |
| salt% ls -l | |
| total 22 | |
| drwxr-xr-x 8 root wheel 8 Mar 15 10:50 files | |
| -rw-rw-r-- 1 root wheel 652 Mar 1 11:29 freebsd_update.sls | |
| -rw-rw-r-- 1 root wheel 4911 Mar 25 10:01 init.sls | |
| -rw-rw-r-- 1 root wheel 251 Dec 21 14:15 jail_conf.sls | |
| salt% more files/chouffe/jail.conf.jinja | |
| {% set jails = salt.pillar.get('jails') %} | |
| exec.prestart += "cp /etc/resolv.conf $path/etc"; | |
| exec.prestart += "cp /etc/localtime $path/etc"; | |
| exec.start = "/bin/sh /etc/rc"; | |
| exec.stop += "/bin/sh /etc/rc.shutdown"; | |
| exec.poststop += "rm $path/etc/resolv.conf"; | |
| exec.poststop += "rm $path/etc/localtime"; | |
| exec.clean; | |
| mount.devfs; | |
| mount.fstab = "/etc/fstab.$name"; | |
| ip4.addr = 192.168.10.$ip; | |
| path = "/jails/$name"; | |
| interface = "production"; | |
| host.hostname = "$name.prod.lan"; | |
| {% for jail, cfg in jails.instances.items() %} | |
| {{ jail }} { | |
| {{ cfg.jail_conf }} | |
| } | |
| {% endfor %} | |
| salt% more files/scripts/jail_init.sh | |
| #!/bin/sh | |
| jexec "${JAIL_NAME}" << EOF | |
| pkg install pkg | |
| pkg install py27-salt | |
| pkg install ca_root_nss | |
| cp /usr/local/etc/salt/minion.sample /usr/local/etc/salt/minion | |
| mkdir -p /usr/local/etc/salt/minion.d | |
| sed -i '' "s/^#default_include:.*/default_include: minion.d\/\*.conf/" /usr/local/etc/salt/minion | |
| EOF | |
| cat << EOF > "${JAIL_ROOT}/usr/local/etc/salt/minion.d/10-main.conf" | |
| id: ${MINION_ID} | |
| master: ${SALT_MASTER} | |
| ipv6: False | |
| log_file: /var/log/salt/minion | |
| log_level: warning | |
| log_level_logfile: info | |
| hash_type: sha256 | |
| EOF | |
| service -j "${JAIL_NAME}" salt_minion start | |
| salt% more freebsd_update.sls | |
| # freebsd-update | |
| {% set jails = salt.pillar.get('jails') %} | |
| {% for jail, cfg in jails.instances.items() %} | |
| {{ jail }}_freebsd_update_fetch: | |
| cmd.run: | |
| - name: freebsd-update --not-running-from-cron --currently-running {{ cfg.version }} -b {{ jails.root | path_join(jail) }} fetch || exit 0 | |
| - cwd: /tmp | |
| - require_in: | |
| - cmd: {{ jail }}_freebsd_update_install | |
| {{ jail }}_freebsd_update_install: | |
| cmd.run: | |
| - name: freebsd-update --not-running-from-cron --currently-running {{ cfg.version }} -b {{ jails.root | path_join(jail) }} install | |
| - cwd: /tmp | |
| - onchanges: | |
| - cmd: {{ jail }}_freebsd_update_fetch | |
| {% endfor %} | |
| salt% more jail_conf.sls | |
| {% set jails = salt.pillar.get('jails') %} | |
| # /etc/jail.conf | |
| jail_etc_jail_conf: | |
| file.managed: | |
| - name: {{ jails.jail_conf }} | |
| - source: {{ jails.jail_conf_template }} | |
| - user: root | |
| - group: wheel | |
| - mode: 644 | |
| - template: jinja | |
| salt% more init.sls | |
| include: | |
| - jails.jail_conf | |
| - jails.freebsd_update | |
| {%- if salt.pillar.get('zfs:fs') %} | |
| - zfs.fs | |
| {%- endif %} | |
| {% set jails = salt.pillar.get('jails') %} | |
| # Root directory for all jails | |
| jail_root: | |
| file.directory: | |
| - name: {{ jails.root }} | |
| - user: root | |
| - group: wheel | |
| - require_in: | |
| - file: jail_etc_jail_conf | |
| {% if salt.pillar.get('zfs:fs') %} | |
| - require: | |
| - sls: zfs.fs | |
| {% endif %} | |
| {% for jail, cfg in jails.instances.items() %} | |
| # Jail directory | |
| {{ jail }}_directory: | |
| file.managed: | |
| - name: {{ jails.root | path_join(jail) | path_join('.saltstack') }} | |
| - contents_pillar: jails:instances:{{ jail }}:version | |
| - mode: 600 | |
| - user: root | |
| - group: wheel | |
| {%- if not jails.get('use_zfs', True) %} | |
| - makedirs: True | |
| {%- endif %} | |
| {% for set in cfg.sets %} | |
| # Create jail | |
| {{ jail }}_set_{{ set }}: | |
| cmd.run: | |
| - name: fetch "https://download.freebsd.org/ftp/releases/amd64/{{ cfg.version }}/{{ set }}" -4 -q -o - | tar -x -C {{ jails.root | path_join(jail) }} -f - | |
| - cwd: /tmp | |
| - onchanges: | |
| - file: {{ jail }}_directory | |
| - onchanges_in: | |
| - cmd: {{ jail }}_freebsd_update_fetch | |
| - watch_in: | |
| - file: jail_etc_jail_conf | |
| - require_in: | |
| - file: {{ jail }}_init_rc_conf | |
| {% endfor %} # SETS | |
| # Minimal rc.conf | |
| {{ jail }}_init_rc_conf: | |
| file.managed: | |
| - name: {{ jails.root | path_join(jail) | path_join('etc/rc.conf') }} | |
| - contents_pillar: jails:instances:{{ jail }}:rc_conf | |
| - onchanges: | |
| - file: {{ jail }}_directory | |
| # Patches | |
| {% for patch in cfg.get('patches', ()) %} | |
| {{ jail }}_patch_{{ patch.target }}_{{ loop.index }}: | |
| file.patch: | |
| - name: {{ jails.root | path_join(jail) | path_join(patch.target) }} | |
| - source: salt://jails/files/patches/{{ cfg.version | path_join(patch.diff) }} | |
| - hash: {{ patch.hash }} | |
| - onchanges: | |
| - file: {{ jail }}_directory | |
| {% if patch.target == '/etc/login.conf' %} | |
| {{ jail }}_cap_mkdb_{{ loop.index }}: | |
| cmd.run: | |
| - name: cap_mkdb {{ jails.root | path_join(jail) | path_join('/etc/login.conf') }} | |
| - cwd: {{ jails.root | path_join(jail) }} | |
| - onchanges: | |
| - file: {{ jail }}_patch_{{ patch.target }}_{{ loop.index }} | |
| {% endif %} | |
| {% endfor %} | |
| # pkg repos | |
| {{ jail }}_pkg_repos: | |
| file.directory: | |
| - name: {{ jails.root | path_join(jail) | path_join('/usr/local/etc/pkg/repos') }} | |
| - user: root | |
| - group: wheel | |
| - makedirs: True | |
| - mode: 755 | |
| - onchanges: | |
| - file: {{ jail }}_directory | |
| {% for repo in cfg.get('pkg', {}) %} | |
| {{ jail }}_pkg_repo_{{ repo }}: | |
| file.managed: | |
| - name: {{ jails.root | path_join(jail) | path_join('/usr/local/etc/pkg/repos') | path_join(repo) }} | |
| - user: root | |
| - group: wheel | |
| - mode: 644 | |
| - contents_pillar: jails:instances:{{ jail }}:pkg:{{ repo }} | |
| - onchanges: | |
| - file: {{ jail }}_pkg_repos | |
| {% endfor %} | |
| # /etc/fstab.xxx | |
| {{ jail }}_fstab: | |
| file.touch: | |
| - name: /etc/fstab.{{ jail }} | |
| - require_in: | |
| - cmd: {{ jail }}_start | |
| {% if cfg.fstab is defined %} | |
| {% for mount, mount_cfg in cfg.fstab.items() %} | |
| {%- if not jails.get('use_zfs', True) %} | |
| {{ jail }}_{{ mount }}_host_directory: | |
| file.directory: | |
| - name: {{ mount }} | |
| - user: root | |
| - group: wheel | |
| - makedirs: True | |
| - require_in: | |
| - file: {{ jail }}_{{ mount }}_directory | |
| {%- endif %} | |
| {{ jail }}_{{ mount }}_directory: | |
| file.directory: | |
| - name: {{ mount_cfg.path }} | |
| - user: {{ mount_cfg.get('user', 'root') }} | |
| - group: {{ mount_cfg.get('group', 'wheel') }} | |
| - mode: {{ mount_cfg.get('mode', 755) }} | |
| {%- if not jails.get('use_zfs', True) %} | |
| - makedirs: True | |
| {%- endif %} | |
| - require: | |
| - file: {{ jail }}_directory | |
| {{ jail }}_{{ mount }}_fstab: | |
| mount.mounted: | |
| - name: {{ mount_cfg.path }} | |
| - config: /etc/fstab.{{ jail }} | |
| - device: {{ mount }} | |
| - fstype: {{ mount_cfg.fstype }} | |
| - opts: {{ mount_cfg.opts }} | |
| - persist: True | |
| - mount: False | |
| - require_in: | |
| - cmd: {{ jail }}_start | |
| - require: | |
| - file: {{ jail }}_{{ mount }}_directory | |
| {% endfor %} | |
| {% endif %} | |
| {{ jail }}_start: | |
| cmd.run: | |
| - name: service jail onestart {{ jail }} | |
| - cwd: /tmp | |
| - require: | |
| - file: {{ jail }}_init_rc_conf | |
| - file: jail_etc_jail_conf | |
| - onchanges: | |
| - file: {{ jail }}_directory | |
| {% for init_script in cfg.init_scripts %} | |
| {{ jail }}_{{ init_script }}: | |
| cmd.script: | |
| - name: {{ init_script }} | |
| - env: | |
| - ASSUME_ALWAYS_YES: "YES" | |
| - JAILS_ROOT: {{ jails.root }} | |
| - JAIL_ROOT: {{ jails.root | path_join(jail) }} | |
| - JAIL_RELEASE: {{ cfg.version }} | |
| - JAIL_NAME: {{ jail }} | |
| - SALT_MASTER: {{ cfg.salt.master }} | |
| - MINION_ID: {{ cfg.salt.minion_id }} | |
| - require: | |
| - cmd: {{ jail }}_start | |
| - onchanges: | |
| - file: {{ jail }}_directory | |
| {% endfor %} # INIT SCRIPTS | |
| {% endfor %} # JAILS LIST |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment