Compare commits
27 Commits
feat/proxy
...
master
Author | SHA1 | Date | |
---|---|---|---|
|
232cf793d9 | ||
|
f3bc190943 | ||
|
232544f863 | ||
|
1ebcf482de | ||
|
7182ca0811 | ||
|
1760df0caf | ||
|
9bea6a01df | ||
|
4add7eef56 | ||
|
7e2296df94 | ||
|
ffbb92909b | ||
|
549e540671 | ||
|
4a59c96463 | ||
|
51777df36c | ||
|
5eceec91ed | ||
|
8e5430bfd1 | ||
|
0fff3e6d7f | ||
|
b8d94f5278 | ||
|
88bf5771ea | ||
|
28a236376f | ||
|
c40086d221 | ||
|
712f3eb38a | ||
|
661855eb26 | ||
|
4243501dca | ||
|
3fc23c58eb | ||
|
4d13239d77 | ||
|
5347fe6da7 | ||
|
89e49554be |
@ -1,6 +0,0 @@
|
|||||||
# These owners will be the default owners for everything in
|
|
||||||
# the repo. Unless a later match takes precedence,
|
|
||||||
# @global-owner1 and @global-owner2 will be requested for
|
|
||||||
# review when someone opens a pull request.
|
|
||||||
|
|
||||||
* @gauravgahlot @gianarb
|
|
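--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -0,0 +1,45 @@
+## Hello Contributors!
+
+Thanks for your interest!
+We're so glad you're here.
+
+### Important Resources
+
+#### bugs: [https://github.com/tinkerbell/sandbox/issues](https://github.com/tinkerbell/sandbox/issues)
+
+### Code of Conduct
+
+Please read and understand the code of conduct found [here](https://github.com/tinkerbell/.github/blob/master/CODE_OF_CONDUCT.md).
+
+### DCO Sign Off
+
+Please read and understand the DCO found [here](docs/DCO.md).
+
+### Environment Details
+
+Building is handled by `make`, please see the [Makefile](Makefile) for available targets.
+
+#### Nix
+
+This repo's build environment can be reproduced using `nix`.
+
+##### Install Nix
+
+Follow the [Nix installation](https://nixos.org/download.html) guide to setup Nix on your box.
+
+##### Load Dependencies
+
+Loading build dependencies is as simple as running `nix-shell` or using [lorri](https://github.com/nix-community/lorri).
+If you have `direnv` installed the included `.envrc` will make that step automatic.
+
+### How to Submit Change Requests
+
+Please submit change requests and / or features via [Issues](https://github.com/tinkerbell/sandbox/issues).
+There's no guarantee it'll be changed, but you never know until you try.
+We'll try to add comments as soon as possible, though.
+
+### How to Report a Bug
+
+Bugs are problems in code, in the functionality of an application or in its UI design; you can submit them through [Issues](https://github.com/tinkerbell/sandbox/issues).
+
+## Code Style Guides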
@ -59,7 +59,7 @@ const headerFile = `#!/bin/bash
|
|||||||
|
|
||||||
# This file is generated by an utility called bump-version in
|
# This file is generated by an utility called bump-version in
|
||||||
# tinkerbell/sandbox.
|
# tinkerbell/sandbox.
|
||||||
# This file gets used from generate-envrc.sh but it is also used standalone by
|
# This file gets used from generate-env.sh but it is also used standalone by
|
||||||
# automation that wants to get the version of the programs currently supported
|
# automation that wants to get the version of the programs currently supported
|
||||||
# in sandbox
|
# in sandbox
|
||||||
|
|
||||||
|
@ -2,7 +2,7 @@
|
|||||||
|
|
||||||
# This file is generated by an utility called bump-version in
|
# This file is generated by an utility called bump-version in
|
||||||
# tinkerbell/sandbox.
|
# tinkerbell/sandbox.
|
||||||
# This file gets used from generate-envrc.sh but it is also used standalone by
|
# This file gets used from generate-env.sh but it is also used standalone by
|
||||||
# automation that wants to get the version of the programs currently supported
|
# automation that wants to get the version of the programs currently supported
|
||||||
# in sandbox
|
# in sandbox
|
||||||
|
|
||||||
|
@ -4,5 +4,4 @@ ARG REGISTRY_USERNAME
|
|||||||
ARG REGISTRY_PASSWORD
|
ARG REGISTRY_PASSWORD
|
||||||
RUN mkdir -p /certs /auth
|
RUN mkdir -p /certs /auth
|
||||||
RUN htpasswd -Bbn ${REGISTRY_USERNAME} ${REGISTRY_PASSWORD} > /auth/htpasswd
|
RUN htpasswd -Bbn ${REGISTRY_USERNAME} ${REGISTRY_PASSWORD} > /auth/htpasswd
|
||||||
ADD config.yml /etc/docker/registry/config.yml
|
|
||||||
EXPOSE 443
|
EXPOSE 443
|
||||||
|
@ -1,22 +0,0 @@
|
|||||||
version: 0.1
|
|
||||||
proxy:
|
|
||||||
remoteurl: https://quay.io/tinkerbell-actions
|
|
||||||
log:
|
|
||||||
accesslog:
|
|
||||||
disabled: true
|
|
||||||
fields:
|
|
||||||
service: registry
|
|
||||||
storage:
|
|
||||||
cache:
|
|
||||||
blobdescriptor: inmemory
|
|
||||||
filesystem:
|
|
||||||
rootdirectory: /var/lib/registry
|
|
||||||
http:
|
|
||||||
addr: :5000
|
|
||||||
headers:
|
|
||||||
X-Content-Type-Options: [nosniff]
|
|
||||||
health:
|
|
||||||
storagedriver:
|
|
||||||
enabled: true
|
|
||||||
interval: 10s
|
|
||||||
threshold: 3
|
|
@ -57,8 +57,8 @@ resource "null_resource" "tink_directory" {
|
|||||||
}
|
}
|
||||||
|
|
||||||
provisioner "file" {
|
provisioner "file" {
|
||||||
source = "../../generate-envrc.sh"
|
source = "../../generate-env.sh"
|
||||||
destination = "/root/tink/generate-envrc.sh"
|
destination = "/root/tink/generate-env.sh"
|
||||||
}
|
}
|
||||||
|
|
||||||
provisioner "file" {
|
provisioner "file" {
|
||||||
@ -71,12 +71,9 @@ resource "null_resource" "tink_directory" {
|
|||||||
destination = "/root/tink"
|
destination = "/root/tink"
|
||||||
}
|
}
|
||||||
|
|
||||||
provisioner "remote-exec" {
|
provisioner "file" {
|
||||||
inline = [
|
source = "nat_interface"
|
||||||
"iptables -A FORWARD -i eth1 -o bond0 -j ACCEPT",
|
destination = "/root/tink/.nat_interface"
|
||||||
"iptables -A FORWARD -i bond0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT",
|
|
||||||
"iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE",
|
|
||||||
]
|
|
||||||
}
|
}
|
||||||
|
|
||||||
provisioner "remote-exec" {
|
provisioner "remote-exec" {
|
||||||
|
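Review bot: NAT egress silently moves from `eth0` to `bond0` with this hunk: the removed `remote-exec` masqueraded on `eth0` (`-t nat -A POSTROUTING -o eth0`), the new `nat_interface` file contains `bond0`, and `setup.sh` now feeds that single name into both the FORWARD and the MASQUERADE rules. If that move is deliberate it deserves a comment next to `source = "nat_interface"`, e.g. `# consumed by setup.sh as the NAT egress interface on the provisioner (the old remote-exec masqueraded on eth0)`. A `file` provisioner's relative `source` is resolved against the directory terraform is run from, so `source = "${path.module}/nat_interface"` is the more robust form (the sibling `../../generate-env.sh` has the same exposure). The enclosing `null_resource "tink_directory"` starts before and ends after this hunk.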
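--- a/deploy/terraform/nat_interface
+++ b/deploy/terraform/nat_interface
@@ -0,0 +1 @@
+bond0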
2
deploy/vagrant/Vagrantfile
vendored
2
deploy/vagrant/Vagrantfile
vendored
@ -26,7 +26,7 @@ Vagrant.configure('2') do |config|
|
|||||||
|
|
||||||
config.vm.define :provisioner do |provisioner|
|
config.vm.define :provisioner do |provisioner|
|
||||||
provisioner.vm.box = "tinkerbelloss/sandbox-ubuntu1804"
|
provisioner.vm.box = "tinkerbelloss/sandbox-ubuntu1804"
|
||||||
provisioner.vm.box_version = "0.1.0"
|
provisioner.vm.box_version = "0.2.0"
|
||||||
provisioner.vm.hostname = 'provisioner'
|
provisioner.vm.hostname = 'provisioner'
|
||||||
provisioner.vm.synced_folder './../../', '/vagrant'
|
provisioner.vm.synced_folder './../../', '/vagrant'
|
||||||
provisioner.vm.provision :shell,
|
provisioner.vm.provision :shell,
|
||||||
|
@ -9,7 +9,8 @@ setup_docker() (
|
|||||||
ca-certificates \
|
ca-certificates \
|
||||||
curl \
|
curl \
|
||||||
gnupg-agent \
|
gnupg-agent \
|
||||||
software-properties-common
|
software-properties-common \
|
||||||
|
;
|
||||||
|
|
||||||
curl -fsSL https://download.docker.com/linux/ubuntu/gpg |
|
curl -fsSL https://download.docker.com/linux/ubuntu/gpg |
|
||||||
sudo apt-key add -
|
sudo apt-key add -
|
||||||
@ -22,16 +23,24 @@ setup_docker() (
|
|||||||
sudo add-apt-repository "$repo"
|
sudo add-apt-repository "$repo"
|
||||||
|
|
||||||
sudo apt-get update
|
sudo apt-get update
|
||||||
sudo apt-get install -y docker-ce docker-ce-cli containerd.io
|
sudo apt-get install -y \
|
||||||
|
containerd.io \
|
||||||
|
docker-ce \
|
||||||
|
docker-ce-cli \
|
||||||
|
;
|
||||||
)
|
)
|
||||||
|
|
||||||
|
# from https://docs.docker.com/compose/install/
|
||||||
setup_docker_compose() (
|
setup_docker_compose() (
|
||||||
# from https://docs.docker.com/compose/install/
|
local name url
|
||||||
sudo curl -L \
|
name=docker-compose-$(uname -s)-$(uname -m)
|
||||||
"https://github.com/docker/compose/releases/download/1.26.0/docker-compose-$(uname -s)-$(uname -m)" \
|
url=https://github.com/docker/compose/releases/download/1.26.0/$name
|
||||||
-o /usr/local/bin/docker-compose
|
curl -fsSLO "$url"
|
||||||
|
curl -fsSLO "$url.sha256"
|
||||||
sudo chmod +x /usr/local/bin/docker-compose
|
sha256sum -c <"$name.sha256"
|
||||||
|
rm -f "$name.sha256"
|
||||||
|
chmod +x "$name"
|
||||||
|
sudo mv "$name" /usr/local/bin/docker-compose
|
||||||
)
|
)
|
||||||
|
|
||||||
main() (
|
main() (
|
||||||
@ -45,3 +54,4 @@ main() (
|
|||||||
)
|
)
|
||||||
|
|
||||||
main
|
main
|
||||||
|
sync # do not remove!
|
||||||
|
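Review bot: The checksum added in `setup_docker_compose` (`sha256sum -c <"$name.sha256"`) is fetched from the same release URL over the same TLS path as the binary, so it catches a truncated or corrupted download but not a substituted one — whoever can tamper with the release or the transport can tamper with the `.sha256` as well; say so in a comment, or pin the expected digests for the supported `uname -s`/`uname -m` pairs in the script, since the version is already pinned to 1.26.0. Whether a failed check actually aborts the install depends on `set -e` being active in the part of the script outside this hunk (and on the release's `.sha256` naming the file exactly as `$name`); `sha256sum -c <"$name.sha256" || { rm -f "$name" "$name.sha256"; return 1; }` makes the abort explicit and removes the unverified file, which otherwise stays behind in whatever the working directory happens to be when the function runs.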
@ -34,12 +34,12 @@ setup_nat() (
|
|||||||
main() (
|
main() (
|
||||||
export DEBIAN_FRONTEND=noninteractive
|
export DEBIAN_FRONTEND=noninteractive
|
||||||
|
|
||||||
if [ ! -f ./.env ]; then
|
if ! [[ -f ./.env ]]; then
|
||||||
./generate-envrc.sh eth1 >.env
|
./generate-env.sh eth1 >.env
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# shellcheck disable=SC1091
|
# shellcheck disable=SC1091
|
||||||
. ./.env
|
source ./.env
|
||||||
|
|
||||||
make_certs_writable
|
make_certs_writable
|
||||||
|
|
||||||
@ -51,6 +51,9 @@ main() (
|
|||||||
|
|
||||||
secure_certs
|
secure_certs
|
||||||
configure_vagrant_user
|
configure_vagrant_user
|
||||||
|
|
||||||
|
set +x # don't want the stderr output from xtrace messing with the post-setup-message
|
||||||
|
[[ -f /tmp/post-setup-message ]] && cat /tmp/post-setup-message
|
||||||
)
|
)
|
||||||
|
|
||||||
main
|
main
|
||||||
|
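Review bot: `[[ -f /tmp/post-setup-message ]] && cat /tmp/post-setup-message` is now the last command in `main`, so when the message file is missing the `&&` list, and with it `main`, exits 1; if `main` is the script's final statement (the hunk ends there) that becomes the provisioner's exit status, which Vagrant treats as a failed provision, and under `set -e` (outside the hunk) it fails regardless. Write it as `if [[ -f /tmp/post-setup-message ]]; then cat /tmp/post-setup-message; fi`. The new `set +x` also tells us xtrace is on while `source ./.env` runs a few lines earlier, so the `TINKERBELL_TINK_PASSWORD` and `TINKERBELL_REGISTRY_PASSWORD` values that `generate-env.sh` writes into `.env` are printed to stderr by the trace; bracket the `source` with `set +x`/`set -x` instead. `/tmp/post-setup-message` is a predictable name in a world-writable directory, written and read as root by two different scripts; a file under the tink state directory or a `mktemp` path handed between them would be the safer handoff.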
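--- a/docs/DCO.md
+++ b/docs/DCO.md
@@ -0,0 +1,62 @@
+# DCO Sign Off
+
+All authors to the project retain copyright to their work. However, to ensure
+that they are only submitting work that they have rights to, we are requiring
+everyone to acknowledge this by signing their work.
+
+Since this signature indicates your rights to the contribution and
+certifies the statements below, it must contain your real name and
+email address. Various forms of noreply email address must not be used.
+
+Any copyright notices in this repository should specify the authors as "The
+project authors".
+
+To sign your work, just add a line like this at the end of your commit message:
+
+```text
+Signed-off-by: Jess Owens <jowens@tinkerbell.org>
+```
+
+This can easily be done with the `--signoff` option to `git commit`.
+
+By doing this you state that you can certify the following (from [https://developercertificate.org/][1]):
+
+```text
+Developer Certificate of Origin
+Version 1.1
+
+Copyright (C) 2004, 2006 The Linux Foundation and its contributors.
+1 Letterman Drive
+Suite D4700
+San Francisco, CA, 94129
+
+Everyone is permitted to copy and distribute verbatim copies of this
+license document, but changing it is not allowed.
+
+
+Developer's Certificate of Origin 1.1
+
+By making a contribution to this project, I certify that:
+
+(a) The contribution was created in whole or in part by me and I
+have the right to submit it under the open source license
+indicated in the file; or
+
+(b) The contribution is based upon previous work that, to the best
+of my knowledge, is covered under an appropriate open source
+license and I have the right under that license to submit that
+work with modifications, whether created in whole or in part
+by me, under the same open source license (unless I am
+permitted to submit under a different license), as indicated
+in the file; or
+
+(c) The contribution was provided directly to me by some other
+person who certified (a), (b) or (c) and I have not modified
+it.
+
+(d) I understand and agree that this project and the contribution
+are public and that a record of the contribution (including all
+personal information I submit with it, including my sign-off) is
+maintained indefinitely and may be redistributed consistent with
+this project or the open source license(s) involved.
+```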
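--- a/generate-env.sh
+++ b/generate-env.sh
@@ -0,0 +1,110 @@
+#!/usr/bin/env bash
+
+# stops the execution if a command or pipeline has an error
+set -eu
+
+if command -v tput >/dev/null && tput setaf 1 >/dev/null 2>&1; then
+# color codes
+RED="$(tput setaf 1)"
+RESET="$(tput sgr0)"
+fi
+
+ERR="${RED:-}ERROR:${RESET:-}"
+
+source ./current_versions.sh
+
+err() (
+if [[ -z ${1:-} ]]; then
+cat >&2
+else
+echo "$ERR " "$@" >&2
+fi
+)
+
+candidate_interfaces() (
+ip -o link show |
+awk -F': ' '{print $2}' |
+sed 's/[ \t].*//;/^\(lo\|bond0\|\|\)$/d' |
+sort
+)
+
+validate_tinkerbell_network_interface() (
+local tink_interface=$1
+
+if ! candidate_interfaces | grep -q "^$tink_interface$"; then
+err "Invalid interface ($tink_interface) selected, must be one of:"
+candidate_interfaces | err
+return 1
+else
+return 0
+fi
+)
+
+generate_password() (
+head -c 12 /dev/urandom | sha256sum | cut -d' ' -f1
+)
+
+generate_env() (
+local tink_interface=$1
+
+validate_tinkerbell_network_interface "$tink_interface"
+
+local tink_password
+tink_password=$(generate_password)
+local registry_password
+registry_password=$(generate_password)
+
+cat <<-EOF
+# Tinkerbell Stack version
+
+export OSIE_DOWNLOAD_LINK=${OSIE_DOWNLOAD_LINK}
+export TINKERBELL_TINK_SERVER_IMAGE=${TINKERBELL_TINK_SERVER_IMAGE}
+export TINKERBELL_TINK_CLI_IMAGE=${TINKERBELL_TINK_CLI_IMAGE}
+export TINKERBELL_TINK_BOOTS_IMAGE=${TINKERBELL_TINK_BOOTS_IMAGE}
+export TINKERBELL_TINK_HEGEL_IMAGE=${TINKERBELL_TINK_HEGEL_IMAGE}
+export TINKERBELL_TINK_WORKER_IMAGE=${TINKERBELL_TINK_WORKER_IMAGE}
+
+# Network interface for Tinkerbell's network
+export TINKERBELL_NETWORK_INTERFACE="$tink_interface"
+
+# Decide on a subnet for provisioning. Tinkerbell should "own" this
+# network space. Its subnet should be just large enough to be able
+# to provision your hardware.
+export TINKERBELL_CIDR=${TINKERBELL_CIDR:-"29"}
+
+# Host IP is used by provisioner to expose different services such as
+# tink, boots, etc.
+#
+# The host IP should the first IP in the range, and the Nginx IP
+# should be the second address.
+export TINKERBELL_HOST_IP=${TINKERBELL_HOST_IP:-"192.168.1.1"}
+
+# Tink server username and password
+export TINKERBELL_TINK_USERNAME=admin
+export TINKERBELL_TINK_PASSWORD="$tink_password"
+
+# Docker Registry's username and password
+export TINKERBELL_REGISTRY_USERNAME=admin
+export TINKERBELL_REGISTRY_PASSWORD="$registry_password"
+
+# Tink cli options
+export TINKERBELL_GRPC_AUTHORITY=${TINKERBELL_HOST_IP:-"192.168.1.1"}:42113
+export TINKERBELL_CERT_URL=http://${TINKERBELL_HOST_IP:-"192.168.1.1"}:42114/cert
+
+# Legacy options, to be deleted:
+export FACILITY=onprem
+export ROLLBAR_TOKEN=ignored
+export ROLLBAR_DISABLE=1
+EOF
+)
+
+main() (
+if [[ -z ${1:-} ]]; then
+err "Usage: $0 network-interface-name > .env"
+exit 1
+fi
+
+generate_env "$1"
+)
+
+main "$@"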
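Review bot: `TINKERBELL_GRPC_AUTHORITY` and `TINKERBELL_CERT_URL` expand `${TINKERBELL_HOST_IP:-"192.168.1.1"}` while the heredoc is generated instead of referring to the `TINKERBELL_HOST_IP` exported a few lines above, so both are frozen at generation time and an operator who later edits the host IP in `.env` (which `setup.sh` sources) gets a CLI still pointed at the old address; escaping the reference defers it to source time: `export TINKERBELL_GRPC_AUTHORITY=\${TINKERBELL_HOST_IP}:42113` and `export TINKERBELL_CERT_URL=http://\${TINKERBELL_HOST_IP}:42114/cert`. That cert URL is plain `http`, so the CA the tink CLI will trust is fetched without any authentication of the server; a comment stating this is only acceptable on the isolated provisioning network would stop the next reader from copying the pattern elsewhere. In `validate_tinkerbell_network_interface`, `grep -q "^$tink_interface$"` treats the argument as a regex, while `grep -qxF -- "$tink_interface"` matches it literally, which is what the error message promises. `generate_password` yields 96 bits of entropy from `head -c 12 /dev/urandom` and the `sha256sum` only re-encodes it — fine, but worth a one-line comment so nobody reads the 64 hex digits as 256 bits.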
@ -1,105 +0,0 @@
|
|||||||
#!/usr/bin/env bash
|
|
||||||
|
|
||||||
# stops the execution if a command or pipeline has an error
|
|
||||||
set -eu
|
|
||||||
|
|
||||||
if command -v tput >/dev/null && tput setaf 1 >/dev/null 2>&1; then
|
|
||||||
# color codes
|
|
||||||
RED="$(tput setaf 1)"
|
|
||||||
RESET="$(tput sgr0)"
|
|
||||||
fi
|
|
||||||
|
|
||||||
ERR="${RED:-}ERROR:${RESET:-}"
|
|
||||||
|
|
||||||
source ./current_versions.sh
|
|
||||||
|
|
||||||
err() (
|
|
||||||
if [ -z "${1:-}" ]; then
|
|
||||||
cat >&2
|
|
||||||
else
|
|
||||||
echo "$ERR " "$@" >&2
|
|
||||||
fi
|
|
||||||
)
|
|
||||||
|
|
||||||
candidate_interfaces() (
|
|
||||||
ip -o link show |
|
|
||||||
awk -F': ' '{print $2}' |
|
|
||||||
sed 's/[ \t].*//;/^\(lo\|bond0\|\|\)$/d' |
|
|
||||||
sort
|
|
||||||
)
|
|
||||||
|
|
||||||
validate_tinkerbell_network_interface() (
|
|
||||||
local tink_interface=$1
|
|
||||||
|
|
||||||
if ! candidate_interfaces | grep -q "^$tink_interface$"; then
|
|
||||||
err "Invalid interface ($tink_interface) selected, must be one of:"
|
|
||||||
candidate_interfaces | err
|
|
||||||
return 1
|
|
||||||
else
|
|
||||||
return 0
|
|
||||||
fi
|
|
||||||
)
|
|
||||||
|
|
||||||
generate_password() (
|
|
||||||
head -c 12 /dev/urandom | sha256sum | cut -d' ' -f1
|
|
||||||
)
|
|
||||||
|
|
||||||
generate_envrc() (
|
|
||||||
local tink_interface=$1
|
|
||||||
|
|
||||||
validate_tinkerbell_network_interface "$tink_interface"
|
|
||||||
|
|
||||||
local tink_password
|
|
||||||
tink_password=$(generate_password)
|
|
||||||
local registry_password
|
|
||||||
registry_password=$(generate_password)
|
|
||||||
cat <<EOF
|
|
||||||
# Tinkerbell Stack version
|
|
||||||
|
|
||||||
export OSIE_DOWNLOAD_LINK=${OSIE_DOWNLOAD_LINK}
|
|
||||||
export TINKERBELL_TINK_SERVER_IMAGE=${TINKERBELL_TINK_SERVER_IMAGE}
|
|
||||||
export TINKERBELL_TINK_CLI_IMAGE=${TINKERBELL_TINK_CLI_IMAGE}
|
|
||||||
export TINKERBELL_TINK_BOOTS_IMAGE=${TINKERBELL_TINK_BOOTS_IMAGE}
|
|
||||||
export TINKERBELL_TINK_HEGEL_IMAGE=${TINKERBELL_TINK_HEGEL_IMAGE}
|
|
||||||
export TINKERBELL_TINK_WORKER_IMAGE=${TINKERBELL_TINK_WORKER_IMAGE}
|
|
||||||
|
|
||||||
# Network interface for Tinkerbell's network
|
|
||||||
export TINKERBELL_NETWORK_INTERFACE="$tink_interface"
|
|
||||||
|
|
||||||
# Decide on a subnet for provisioning. Tinkerbell should "own" this
|
|
||||||
# network space. Its subnet should be just large enough to be able
|
|
||||||
# to provision your hardware.
|
|
||||||
export TINKERBELL_CIDR=29
|
|
||||||
|
|
||||||
# Host IP is used by provisioner to expose different services such as
|
|
||||||
# tink, boots, etc.
|
|
||||||
#
|
|
||||||
# The host IP should the first IP in the range, and the Nginx IP
|
|
||||||
# should be the second address.
|
|
||||||
export TINKERBELL_HOST_IP=192.168.1.1
|
|
||||||
|
|
||||||
# Tink server username and password
|
|
||||||
export TINKERBELL_TINK_USERNAME=admin
|
|
||||||
export TINKERBELL_TINK_PASSWORD="$tink_password"
|
|
||||||
|
|
||||||
# Docker Registry's username and password
|
|
||||||
export TINKERBELL_REGISTRY_USERNAME=admin
|
|
||||||
export TINKERBELL_REGISTRY_PASSWORD="$registry_password"
|
|
||||||
|
|
||||||
# Legacy options, to be deleted:
|
|
||||||
export FACILITY=onprem
|
|
||||||
export ROLLBAR_TOKEN=ignored
|
|
||||||
export ROLLBAR_DISABLE=1
|
|
||||||
EOF
|
|
||||||
)
|
|
||||||
|
|
||||||
main() (
|
|
||||||
if [ -z "${1:-}" ]; then
|
|
||||||
err "Usage: $0 network-interface-name > .env"
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
|
|
||||||
generate_envrc "$1"
|
|
||||||
)
|
|
||||||
|
|
||||||
main "$@"
|
|
76
setup.sh
76
setup.sh
@ -1,7 +1,7 @@
|
|||||||
#!/usr/bin/env bash
|
#!/usr/bin/env bash
|
||||||
|
|
||||||
# stops the execution if a command or pipeline has an error
|
# stops the execution if a command or pipeline has an error
|
||||||
set -eu
|
set -euxo pipefail
|
||||||
|
|
||||||
# Tinkerbell stack Linux setup script
|
# Tinkerbell stack Linux setup script
|
||||||
#
|
#
|
||||||
@ -38,7 +38,7 @@ NEXT="${GREEN:-}NEXT:${RESET:-}"
|
|||||||
get_distribution() (
|
get_distribution() (
|
||||||
local lsb_dist=""
|
local lsb_dist=""
|
||||||
# Every system that we officially support has /etc/os-release
|
# Every system that we officially support has /etc/os-release
|
||||||
if [ -r /etc/os-release ]; then
|
if [[ -r /etc/os-release ]]; then
|
||||||
# shellcheck disable=SC1091
|
# shellcheck disable=SC1091
|
||||||
lsb_dist="$(. /etc/os-release && echo "$ID")"
|
lsb_dist="$(. /etc/os-release && echo "$ID")"
|
||||||
fi
|
fi
|
||||||
@ -50,7 +50,7 @@ get_distribution() (
|
|||||||
get_distro_version() (
|
get_distro_version() (
|
||||||
local lsb_version="0"
|
local lsb_version="0"
|
||||||
# Every system that we officially support has /etc/os-release
|
# Every system that we officially support has /etc/os-release
|
||||||
if [ -r /etc/os-release ]; then
|
if [[ -r /etc/os-release ]]; then
|
||||||
# shellcheck disable=SC1091
|
# shellcheck disable=SC1091
|
||||||
lsb_version="$(. /etc/os-release && echo "$VERSION_ID")"
|
lsb_version="$(. /etc/os-release && echo "$VERSION_ID")"
|
||||||
fi
|
fi
|
||||||
@ -110,6 +110,18 @@ setup_networking() (
|
|||||||
else
|
else
|
||||||
echo "$ERR tinkerbell network interface configuration failed"
|
echo "$ERR tinkerbell network interface configuration failed"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
NAT_INTERFACE=""
|
||||||
|
if [[ -r .nat_interface ]]; then
|
||||||
|
NAT_INTERFACE=$(cat .nat_interface)
|
||||||
|
fi
|
||||||
|
if [[ -n $NAT_INTERFACE ]] && ip addr show "$NAT_INTERFACE" &>/dev/null; then
|
||||||
|
# TODO(nshalman) the terraform code would just run these commands as-is once
|
||||||
|
# but it would be nice to make these more persistent based on OS
|
||||||
|
iptables -A FORWARD -i "$TINKERBELL_NETWORK_INTERFACE" -o "$NAT_INTERFACE" -j ACCEPT
|
||||||
|
iptables -A FORWARD -i "$NAT_INTERFACE" -o "$TINKERBELL_NETWORK_INTERFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT
|
||||||
|
iptables -t nat -A POSTROUTING -o "$NAT_INTERFACE" -j MASQUERADE
|
||||||
|
fi
|
||||||
)
|
)
|
||||||
|
|
||||||
setup_networking_manually() (
|
setup_networking_manually() (
|
||||||
@ -123,10 +135,10 @@ setup_networking_manually() (
|
|||||||
|
|
||||||
setup_network_forwarding() (
|
setup_network_forwarding() (
|
||||||
# enable IP forwarding for docker
|
# enable IP forwarding for docker
|
||||||
if [ "$(sysctl -n net.ipv4.ip_forward)" != "1" ]; then
|
if (($(sysctl -n net.ipv4.ip_forward) != 1)); then
|
||||||
if [ -d /etc/sysctl.d ]; then
|
if [[ -d /etc/sysctl.d ]]; then
|
||||||
echo "net.ipv4.ip_forward=1" >/etc/sysctl.d/99-tinkerbell.conf
|
echo "net.ipv4.ip_forward=1" >/etc/sysctl.d/99-tinkerbell.conf
|
||||||
elif [ -f /etc/sysctl.conf ]; then
|
elif [[ -f /etc/sysctl.conf ]]; then
|
||||||
echo "net.ipv4.ip_forward=1" >>/etc/sysctl.conf
|
echo "net.ipv4.ip_forward=1" >>/etc/sysctl.conf
|
||||||
fi
|
fi
|
||||||
|
|
||||||
@ -159,7 +171,7 @@ setup_networking_netplan() (
|
|||||||
)
|
)
|
||||||
|
|
||||||
setup_networking_ubuntu_legacy() (
|
setup_networking_ubuntu_legacy() (
|
||||||
if [ ! -f /etc/network/interfaces ]; then
|
if ! [[ -f /etc/network/interfaces ]]; then
|
||||||
echo "$ERR file /etc/network/interfaces not found"
|
echo "$ERR file /etc/network/interfaces not found"
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
@ -212,7 +224,7 @@ EOF
|
|||||||
|
|
||||||
local cfgfile="/etc/sysconfig/network-scripts/ifcfg-$TINKERBELL_NETWORK_INTERFACE"
|
local cfgfile="/etc/sysconfig/network-scripts/ifcfg-$TINKERBELL_NETWORK_INTERFACE"
|
||||||
|
|
||||||
if [ -f "$cfgfile" ]; then
|
if [[ -f $cfgfile ]]; then
|
||||||
echo "$ERR network config already exists: $cfgfile"
|
echo "$ERR network config already exists: $cfgfile"
|
||||||
echo "$BLANK Please update it to match this configuration:"
|
echo "$BLANK Please update it to match this configuration:"
|
||||||
echo "$content"
|
echo "$content"
|
||||||
@ -233,12 +245,12 @@ setup_osie() (
|
|||||||
|
|
||||||
local osie_current=$STATEDIR/webroot/misc/osie/current
|
local osie_current=$STATEDIR/webroot/misc/osie/current
|
||||||
local tink_workflow=$STATEDIR/webroot/workflow/
|
local tink_workflow=$STATEDIR/webroot/workflow/
|
||||||
if [ ! -d "$osie_current" ] || [ ! -d "$tink_workflow" ]; then
|
if [[ ! -d $osie_current ]] || [[ ! -d $tink_workflow ]]; then
|
||||||
mkdir -p "$osie_current"
|
mkdir -p "$osie_current"
|
||||||
mkdir -p "$tink_workflow"
|
mkdir -p "$tink_workflow"
|
||||||
pushd "$SCRATCH"
|
pushd "$SCRATCH"
|
||||||
|
|
||||||
if [ -z "${TB_OSIE_TAR:-}" ]; then
|
if [[ -z ${TB_OSIE_TAR:-} ]]; then
|
||||||
curl "${OSIE_DOWNLOAD_LINK}" -o ./osie.tar.gz
|
curl "${OSIE_DOWNLOAD_LINK}" -o ./osie.tar.gz
|
||||||
tar -zxf osie.tar.gz
|
tar -zxf osie.tar.gz
|
||||||
else
|
else
|
||||||
@ -293,7 +305,7 @@ check_container_status() (
|
|||||||
--filter "event=health_status" \
|
--filter "event=health_status" \
|
||||||
--format '{{.Status}}')
|
--format '{{.Status}}')
|
||||||
|
|
||||||
if [ "$status" != "health_status: healthy" ]; then
|
if [[ $status != "health_status: healthy" ]]; then
|
||||||
echo "$ERR $container_name is not healthy. status: $status"
|
echo "$ERR $container_name is not healthy. status: $status"
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
@ -302,7 +314,7 @@ check_container_status() (
|
|||||||
generate_certificates() (
|
generate_certificates() (
|
||||||
mkdir -p "$STATEDIR/certs"
|
mkdir -p "$STATEDIR/certs"
|
||||||
|
|
||||||
if [ ! -f "$STATEDIR/certs/ca.json" ]; then
|
if ! [[ -f "$STATEDIR/certs/ca.json" ]]; then
|
||||||
jq \
|
jq \
|
||||||
'.
|
'.
|
||||||
| .names[0].L = $facility
|
| .names[0].L = $facility
|
||||||
@ -313,7 +325,7 @@ generate_certificates() (
|
|||||||
>"$STATEDIR/certs/ca.json"
|
>"$STATEDIR/certs/ca.json"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ ! -f "$STATEDIR/certs/server-csr.json" ]; then
|
if ! [[ -f "$STATEDIR/certs/server-csr.json" ]]; then
|
||||||
jq \
|
jq \
|
||||||
'.
|
'.
|
||||||
| .hosts += [ $ip, "tinkerbell.\($facility).packet.net" ]
|
| .hosts += [ $ip, "tinkerbell.\($facility).packet.net" ]
|
||||||
@ -335,13 +347,13 @@ generate_certificates() (
|
|||||||
local certs_dir="/etc/docker/certs.d/$TINKERBELL_HOST_IP"
|
local certs_dir="/etc/docker/certs.d/$TINKERBELL_HOST_IP"
|
||||||
|
|
||||||
# copy public key to NGINX for workers
|
# copy public key to NGINX for workers
|
||||||
if ! cmp --quiet "$STATEDIR"/certs/ca.pem "$STATEDIR/webroot/workflow/ca.pem"; then
|
if ! cmp --quiet "$STATEDIR/certs/ca.pem" "$STATEDIR/webroot/workflow/ca.pem"; then
|
||||||
cp "$STATEDIR"/certs/ca.pem "$STATEDIR/webroot/workflow/ca.pem"
|
cp "$STATEDIR/certs/ca.pem" "$STATEDIR/webroot/workflow/ca.pem"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# update host to trust registry certificate
|
# update host to trust registry certificate
|
||||||
if ! cmp --quiet "$STATEDIR/certs/ca.pem" "$certs_dir/tinkerbell.crt"; then
|
if ! cmp --quiet "$STATEDIR/certs/ca.pem" "$certs_dir/tinkerbell.crt"; then
|
||||||
if [ ! -d "$certs_dir/tinkerbell.crt" ]; then
|
if ! [[ -d "$certs_dir/" ]]; then
|
||||||
# The user will be told to create the directory
|
# The user will be told to create the directory
|
||||||
# in the next block, if copying the certs there
|
# in the next block, if copying the certs there
|
||||||
# fails.
|
# fails.
|
||||||
@ -351,7 +363,7 @@ generate_certificates() (
|
|||||||
echo "$ERR please copy $STATEDIR/certs/ca.pem to $certs_dir/tinkerbell.crt"
|
echo "$ERR please copy $STATEDIR/certs/ca.pem to $certs_dir/tinkerbell.crt"
|
||||||
echo "$BLANK and run $0 again:"
|
echo "$BLANK and run $0 again:"
|
||||||
|
|
||||||
if [ ! -d "$certs_dir" ]; then
|
if ! [[ -d $certs_dir ]]; then
|
||||||
echo "sudo mkdir -p '$certs_dir'"
|
echo "sudo mkdir -p '$certs_dir'"
|
||||||
fi
|
fi
|
||||||
echo "sudo cp '$STATEDIR/certs/ca.pem' '$certs_dir/tinkerbell.crt'"
|
echo "sudo cp '$STATEDIR/certs/ca.pem' '$certs_dir/tinkerbell.crt'"
|
||||||
@ -394,7 +406,7 @@ bootstrap_docker_registry() (
|
|||||||
|
|
||||||
setup_docker_registry() (
|
setup_docker_registry() (
|
||||||
local registry_images="$STATEDIR/registry"
|
local registry_images="$STATEDIR/registry"
|
||||||
if [ ! -d "$registry_images" ]; then
|
if ! [[ -d $registry_images ]]; then
|
||||||
mkdir -p "$registry_images"
|
mkdir -p "$registry_images"
|
||||||
fi
|
fi
|
||||||
start_registry
|
start_registry
|
||||||
@ -415,13 +427,15 @@ command_exists() (
|
|||||||
)
|
)
|
||||||
|
|
||||||
check_command() (
|
check_command() (
|
||||||
if command_exists "$1"; then
|
if ! command_exists "$1"; then
|
||||||
echo "$BLANK Found prerequisite: $1"
|
echo "$ERR Prerequisite executable command not found: $1"
|
||||||
return 0
|
|
||||||
else
|
|
||||||
echo "$ERR Prerequisite command not installed: $1"
|
|
||||||
return 1
|
return 1
|
||||||
fi
|
fi
|
||||||
|
if ! [[ -s "$(which "$1")" ]]; then
|
||||||
|
echo "$ERR Prerequisite command is an empty file: $1"
|
||||||
|
fi
|
||||||
|
echo "$BLANK Found prerequisite: $1"
|
||||||
|
return 0
|
||||||
)
|
)
|
||||||
|
|
||||||
check_prerequisites() (
|
check_prerequisites() (
|
||||||
@ -457,15 +471,15 @@ check_prerequisites() (
|
|||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
|
|
||||||
if [ $failed -eq 1 ]; then
|
if ((failed == 1)); then
|
||||||
echo "$ERR Prerequisites not met. Please install the missing commands and re-run $0."
|
echo "$ERR Prerequisites not met. Please install the missing commands and re-run $0."
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
)
|
)
|
||||||
|
|
||||||
whats_next() (
|
whats_next() (
|
||||||
echo "$NEXT 1. Enter /vagrant/deploy and run: source ../.env; docker-compose up -d"
|
echo "$NEXT 1. Enter /deploy and run: source ../.env; docker-compose up -d"
|
||||||
echo "$BLANK 2. Try executing your fist workflow."
|
echo "$BLANK 2. Try executing your first workflow."
|
||||||
echo "$BLANK Follow the steps described in https://tinkerbell.org/examples/hello-world/ to say 'Hello World!' with a workflow."
|
echo "$BLANK Follow the steps described in https://tinkerbell.org/examples/hello-world/ to say 'Hello World!' with a workflow."
|
||||||
)
|
)
|
||||||
|
|
||||||
@ -477,21 +491,23 @@ do_setup() (
|
|||||||
echo "$INFO starting tinkerbell stack setup"
|
echo "$INFO starting tinkerbell stack setup"
|
||||||
check_prerequisites "$lsb_dist" "$lsb_version"
|
check_prerequisites "$lsb_dist" "$lsb_version"
|
||||||
|
|
||||||
if [ ! -f "$ENV_FILE" ]; then
|
if ! [[ -f $ENV_FILE ]]; then
|
||||||
echo "$ERR Run './generate-envrc.sh network-interface > \"$ENV_FILE\"' before continuing."
|
echo "$ERR Run './generate-env.sh network-interface > \"$ENV_FILE\"' before continuing."
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# shellcheck disable=SC1090
|
# shellcheck disable=SC1090
|
||||||
source "$ENV_FILE"
|
source "$ENV_FILE"
|
||||||
|
|
||||||
setup_networking "$lsb_dist" "$lsb_version"
|
if [[ -z $TINKERBELL_SKIP_NETWORKING ]]; then
|
||||||
|
setup_networking "$lsb_dist" "$lsb_version"
|
||||||
|
fi
|
||||||
setup_osie
|
setup_osie
|
||||||
generate_certificates
|
generate_certificates
|
||||||
setup_docker_registry
|
setup_docker_registry
|
||||||
|
|
||||||
echo "$INFO tinkerbell stack setup completed successfully on $lsb_dist server"
|
echo "$INFO tinkerbell stack setup completed successfully on $lsb_dist server"
|
||||||
whats_next
|
whats_next | tee /tmp/post-setup-message
|
||||||
)
|
)
|
||||||
|
|
||||||
# wrapped up in a function so that we have some protection against only getting
|
# wrapped up in a function so that we have some protection against only getting
|
||||||
|
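Review bot: `set -euxo pipefail` at the top of `setup.sh` switches on xtrace for the whole run, and `do_setup` later executes `source "$ENV_FILE"` on the file `generate-env.sh` populates with `TINKERBELL_TINK_PASSWORD` and `TINKERBELL_REGISTRY_PASSWORD`, so every `export` in `.env`, values included, is echoed to stderr and lands in whatever captures the provisioner's output; wrap that one line as `set +x; source "$ENV_FILE"; set -x`, or keep `-x` behind an explicit debug flag. In the same `do_setup` hunk, `if [[ -z $TINKERBELL_SKIP_NETWORKING ]]` is an unbound-variable error under `-u` unless the name is initialised somewhere outside the visible hunks — `${TINKERBELL_SKIP_NETWORKING:-}` is safe either way. The new NAT block in `setup_networking` appends with `iptables -A` on every run, so re-running `setup.sh` stacks duplicate FORWARD and POSTROUTING rules; use `iptables -C … || iptables -A …` for each, and note that `NAT_INTERFACE=$(cat .nat_interface)` is trusted as an interface name after only an `ip addr show` existence check. `whats_next | tee /tmp/post-setup-message` writes as root to a predictable path in a world-writable directory; a file under `$STATEDIR` would be the safer place for the handoff to the Vagrant script.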