Diffstat (limited to 'tools')
-rw-r--r-- | tools/clean-genesis.sh | 158 | ||||
-rwxr-xr-x | tools/deploy.sh | 159 | ||||
-rw-r--r-- | tools/files/Corefile-intel-pod17 | 11 | ||||
-rw-r--r-- | tools/files/certificate/ingress-ca.crt | 19 | ||||
-rw-r--r-- | tools/files/certificate/ingress-ca.key | 28 | ||||
-rw-r--r-- | tools/files/certificate/ingress-ca.pem | 0 | ||||
-rw-r--r-- | tools/files/certificate/ingress-ca.pem.orig | 19 | ||||
-rw-r--r-- | tools/files/certificate/ingress-ca.srl | 1 | ||||
-rw-r--r-- | tools/files/certificate/ingress-crt | 20 | ||||
-rw-r--r-- | tools/files/certificate/ingress-csr | 18 | ||||
-rw-r--r-- | tools/files/certificate/ingress-key | 27 | ||||
-rw-r--r-- | tools/files/certificate/mycertfile.pem | 0 | ||||
-rw-r--r-- | tools/files/certificate/openssl.cnf | 23 | ||||
-rw-r--r-- | tools/files/intel-pod17.db | 24 | ||||
-rw-r--r-- | tools/files/seccomp_default | 767 | ||||
-rwxr-xr-x | tools/files/shipyard.sh | 33 | ||||
-rw-r--r-- | tools/files/sources.list | 56 | ||||
-rwxr-xr-x | tools/test.sh | 2 |
18 files changed, 1330 insertions, 35 deletions
diff --git a/tools/clean-genesis.sh b/tools/clean-genesis.sh
new file mode 100644
index 0000000..4d18f78
--- /dev/null
+++ b/tools/clean-genesis.sh
@@ -0,0 +1,158 @@
+#!/bin/bash
+
+set -x
+
+log () {
+ printf "$(date)\t%s\n" "${1}"
+}
+
+TO_RM=(
+ "/etc/cni"
+ "/etc/coredns"
+ "/etc/etcd"
+ "/etc/genesis"
+ "/etc/kubernetes"
+ "/etc/promenade"
+ "/etc/systemd/system/kubelet.service"
+ "/home/ceph"
+ "/tmp/tmp.*"
+ "/var/lib/etcd"
+ "/var/lib/kubelet"
+ "/var/lib/openstack-helm"
+ "/var/log/containers"
+ "/var/log/pods"
+ "/var/log/armada"
+ "/etc/modprobe.d/krbd_blacklist.conf"
+ "/srv/elasticsearch-data"
+ "/srv/elasticsearch-master"
+ "/srv/prometheus-data"
+)
+
+prune_docker() {
+ log "Docker prune"
+ docker volume prune -f
+ docker system prune -a -f
+}
+
+remove_containers() {
+ log "Remove all Docker containers"
+ docker ps -aq 2> /dev/null | xargs --no-run-if-empty docker rm -fv
+ log "Remove all containerd pods"
+ systemctl restart containerd || true
+ sleep 60
+ crictl rmp -a -f || true
+ log "Remove any remaining containerd containers"
+ crictl rm -a -f || true
+ systemctl stop containerd || true
+}
+
+remove_files() {
+ for item in "${TO_RM[@]}"; do
+ log "Removing ${item}"
+ rm -rf "${item}"
+ done
+}
+
+reset_docker() {
+ log "Remove all local Docker images"
+ docker images -qa | xargs --no-run-if-empty docker rmi -f
+ log "Remove remaining Docker files"
+ systemctl stop docker
+ if ! rm -rf /var/lib/docker/*; then
+ log "Failed to cleanup some files in /var/lib/docker"
+ find /var/lib/docker
+ fi
+ log "Remove all local containerd data"
+ if ! rm -rf /var/lib/containerd/*; then
+ log "Failed to cleanup some files in /var/lib/containerd/"
+ find /var/lib/containerd
+ fi
+}
+
+stop_kubelet() {
+ log "Stop Kubelet and clean pods"
+ systemctl stop kubelet || true
+ # Issue with orhan PODS
+ # https://github.com/kubernetes/kubernetes/issues/38498
+ find /var/lib/kubelet/pods 2> /dev/null | while read orphan_pod; do
+ if [[ ${orphan_pod} == *io~secret/* ]] || [[ ${orphan_pod} == *empty-dir/* ]]; then
+ umount "${orphan_pod}" || true
+ rm -rf "${orphan_pod}"
+ fi
+ done
+}
+
+wipe_disk() {
+ CEPH_VG=$(vgs | tail -n +1 | awk '{print $1}' | grep ceph-vg- | paste -d " " - -)
+
+ if [[ x$CEPH_VG != 'x' ]]; then
+ vgremove -f $CEPH_VG
+ fi
+
+ log "Wipe out CEPH disks"
+ apt install --yes gdisk
+ echo "====Earsing disk sdb===="
+ sudo sgdisk -Z /dev/sdb
+ sudo dd if=/dev/zero of=/dev/sdb bs=1M count=200
+}
+
+service_exists() {
+ local n=$1
+ if [[ $(systemctl list-units --all -t service --full --no-legend "$n.service" | cut -f1 -d' ') == $n.service ]]; then
+ return 0
+ else
+ return 1
+ fi
+}
+
+FORCE=0
+RESET_DOCKER=0
+while getopts "fk" opt; do
+ case "${opt}" in
+ f)
+ FORCE=1
+ ;;
+ k)
+ RESET_DOCKER=1
+ ;;
+ *)
+ echo "Unknown option"
+ exit 1
+ ;;
+ esac
+done
+
+if [[ $FORCE == "0" ]]; then
+ echo Warning: This cleanup script is very aggresive. Run with -f to avoid this prompt.
+ while true; do
+ read -p "Are you sure you wish to proceed with aggressive cleanup?" yn
+ case $yn in
+ [Yy]*)
+ RESET_DOCKER=1
+ break
+ ;;
+ *)
+ echo Exitting.
+ exit 1
+ esac
+ done
+fi
+
+if service_exists kubelet; then
+ stop_kubelet
+ remove_containers
+ remove_files
+ prune_docker
+ systemctl daemon-reload
+ systemctl start containerd.service
+ if [[ $RESET_DOCKER == "1" ]]; then
+ echo "hi"
+ reset_docker
+ fi
+ systemctl start containerd
+#sudo crictl pull docker.io/busybox:1.28.3
+#sudo crictl pull docker.io/haproxy:1.8.19
+ service docker restart
+fi
+wipe_disk
+
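Review bot: `wipe_disk` zeroes a hard-coded `/dev/sdb` with `sgdisk -Z` and `dd`, and it is called at the very bottom outside the `if service_exists kubelet` block, so it runs even when `-f` has suppressed the only confirmation prompt and even on a host where kubelet was never installed; the device should come from a variable and be checked before it is touched, e.g. `CEPH_DISK=${CEPH_DISK:-/dev/sdb}`, then `[[ -b "$CEPH_DISK" ]] || { log "no block device $CEPH_DISK"; return 1; }`, then `sudo sgdisk -Z "$CEPH_DISK"` (and the same variable in the `dd` line). The `"/tmp/tmp.*"` entry in `TO_RM` never matches anything: it is quoted in the array and again in `rm -rf "${item}"`, so the glob is passed to `rm` literally. `set -x` without `set -e` means a failing step such as `systemctl stop docker` in `reset_docker` is traced but not acted on, and the `echo "hi"` before `reset_docker` looks like leftover debugging. In `stop_kubelet`, `while read orphan_pod` should be `while IFS= read -r orphan_pod` so backslashes in pod paths are not reinterpreted before `umount`/`rm -rf`.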
diff --git a/tools/deploy.sh b/tools/deploy.sh
index 7fb5273..7a940a6 100755
--- a/tools/deploy.sh
+++ b/tools/deploy.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
-set -x
+set -ex
 export OS_USERNAME=${OS_USERNAME:-shipyard}
 export OS_PASSWORD=${OS_PASSWORD:-password123}
@@ -15,10 +15,10 @@ export TERM_OPTS=${TERM_OPTS:-" "}
 ## Source Environment Variables.
 help() {
- echo "Usage: deploy.sh <site_name> <deploy_site|update_site>"
+ echo "Usage: deploy.sh <site_name> <deploy_site|update_site|update_software>"
 }
-if [[ $# -ne 2 ]]
+if [[ $# -lt 2 ]]
 then
 help
 exit 1
@@ -35,6 +35,8 @@ fi
 cd ${WORK_DIR}
+AIRSHIP_CMD=treasuremap/tools/airship
+
 ## Deps
 pkg_check() {
@@ -42,20 +44,15 @@ pkg_check() {
 sudo dpkg -s $pkg &> /dev/null || sudo apt -y install $pkg
 done
 }
-pkg_check docker.io git ipmitool python3-yaml
+pkg_check docker.io git ipmitool python3-yaml
 ## Cleanup
 genesis_cleanup() {
- ssh $GEN_SSH sudo systemctl disable kubelet
- ssh $GEN_SSH sudo systemctl disable docker
- ssh $GEN_SSH sudo touch /forcefsck
-
 # reset bare-metal servers
-
 ALL_NODES="${GEN_IPMI} ${NODES_IPMI}"
 for node in $ALL_NODES; do
 ipmitool -I lanplus -H $node -U $IPMI_USER -P $IPMI_PASS chassis power off
@@ -66,17 +63,9 @@ genesis_cleanup() {
 while ! ssh $GEN_SSH hostname; do :; done
- # cleanup previous k8s/airship install
-
- ssh $GEN_SSH rm -rf promenade genesis.sh
- ssh $GEN_SSH git clone https://review.opendev.org/airship/promenade
- ssh $GEN_SSH sudo promenade/tools/cleanup.sh -f > /dev/null
-
- ssh $GEN_SSH sudo parted -s /dev/sdb mklabel gpt
- ssh $GEN_SSH sudo rm -rf /var/lib/ceph
- ssh $GEN_SSH sudo rm -rf /var/lib/docker
-
- ssh $GEN_SSH sudo /etc/init.d/docker restart
+ scp $WORK_DIR/airship/tools/clean-genesis.sh $GEN_SSH:
+ ssh $GEN_SSH chmod a+x clean-genesis.sh
+ ssh $GEN_SSH sudo ./clean-genesis.sh -fk
 }
@@ -87,7 +76,6 @@ read_yaml() {
 }
 git_checkout() {
-
 git clone $1
 cd ${1##*/}
@@ -100,7 +88,7 @@ git_checkout() {
 fi
 git log -1
- cd $WORK_DIR
+ cd ..
 }
 clone_repos() {
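Review bot: `ssh $GEN_SSH sudo ./clean-genesis.sh -fk` in `genesis_cleanup` passes `-f`, which skips the confirmation prompt inside clean-genesis.sh, and that script ends by zeroing `/dev/sdb` on the genesis node; the removed lines at least spelled the disk operation out here (`parted -s /dev/sdb mklabel gpt`), so a reader of `genesis_cleanup` no longer sees that a disk is wiped. A comment above the call should make the effect visible, e.g. `# -f: no prompt, -k: also purge Docker images and /var/lib/docker; the script ends by zeroing /dev/sdb (wipe_disk)`. The `-k` flag is redundant when combined with `-f` only if the caller wants the Docker reset regardless, which is worth stating in the same comment since `RESET_DOCKER` is otherwise only set by answering the prompt.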
@@ -127,19 +115,89 @@ clone_repos() {
 ## Deployment
 pegleg_collect() {
- sudo -E treasuremap/tools/airship pegleg site \
- -r /target/airship collect -s collect $SITE_NAME
+ if [ -d "collect/${SITE_NAME}" ]; then
+ sudo rm -rf collect/${SITE_NAME}
+ fi
+ sudo mkdir -p collect/${SITE_NAME}
+ sudo -E ${AIRSHIP_CMD} pegleg site -r /target/airship collect -s collect/${SITE_NAME} $SITE_NAME
+
+# sudo mkdir -p render/${SITE_NAME}
+# sudo -E ${AIRSHIP_CMD} pegleg site -r /target/treasuremap render $SITE_NAME \
+# -s /target/render/${SITE_NAME}/manifest.yaml
+}
+
+pre_genesis() {
+
+ scp $WORK_DIR/airship/tools/files/seccomp_default $GEN_SSH:
+ ssh $GEN_SSH 'sudo mkdir -p /var/lib/kubelet/seccomp'
+ ssh $GEN_SSH 'sudo chown root:root /var/lib/kubelet/seccomp'
+ ssh $GEN_SSH 'sudo chown root:root ~/seccomp_default'
+ ssh $GEN_SSH 'sudo mv ~/seccomp_default /var/lib/kubelet/seccomp'
+
+ scp $WORK_DIR/airship/tools/files/sources.list $GEN_SSH:
+
+ ssh $GEN_SSH 'sudo cp -n /etc/apt/sources.list /etc/apt/sources.list.orig'
+ ssh $GEN_SSH 'sudo chown root:root ~/sources.list'
+ ssh $GEN_SSH 'sudo mv ~/sources.list /etc/apt/sources.list'
+
+ ssh $GEN_SSH 'wget -qO - http://mirror.mirantis.com/testing/kubernetes-extra/bionic/archive-kubernetes-extra.key | sudo apt-key add -'
+ # thsi fails but appaerntly not required.
+ # ssh $GEN_SSH 'wget -qO - http://linux.dell.com/repo/community/openmanage/930/bionic/dists/bionic/Release.gpg | sudo apt-key add -'
+ ssh $GEN_SSH 'sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 3B4FE6ACC0B21F32'
+ ssh $GEN_SSH 'sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 1285491434D8786F'
+
+ if [ -d "render/${SITE_NAME}" ]; then
+ sudo rm -rf render/${SITE_NAME}
+ fi
+
+ ssh $GEN_SSH 'sudo cp /etc/default/grub /etc/default/grub.orig'
+ ssh $GEN_SSH 'sudo sed -i "/GRUB_CMDLINE_LINUX=\"/c GRUB_CMDLINE_LINUX=\"hugepagesz=1G hugepages=12 transparent_hugepage=never default_hugepagesz=1G dpdk-socket-mem=4096,4096 iommu=pt intel_iommu=on amd_iommu=on cgroup_disable=hugetlb console=ttyS1,115200n8\"" /etc/default/grub'
+ ssh $GEN_SSH 'sudo update-grub'
+
+ # upstream pre-geneis is not ready to be used directly yet
+ # sudo mkdir -p render/${SITE_NAME}
+ # sudo -E ${AIRSHIP_CMD} pegleg site -r /target/treasuremap render $SITE_NAME \
+ # -s /target/render/${SITE_NAME}/manifest.yaml
+ # sudo -E treasuremap/tools/genesis-setup/pre-genesis.sh render/${SITE_NAME}/manifest.yaml
+}
+
+generate_certs() {
+ # create certificates based on PKI catalogs
+
+ if [ -d "certs/${SITE_NAME}" ]; then
+ sudo rm -rf certs/${SITE_NAME}
+ fi
+
+ sudo mkdir -p certs/${SITE_NAME}
+
+ # remove old certificates before collect
+ sudo rm -f airship/site/${SITE_NAME}/secrets/certificates/certificates.yaml
+
+ pegleg_collect
+
+ sudo -E ${AIRSHIP_CMD} promenade generate-certs -o /target/certs/${SITE_NAME} collect/${SITE_NAME}/*.yaml
+
+ # copy certs
+ mkdir -p airship/site/${SITE_NAME}/secrets/certificates
+ sudo cp certs/${SITE_NAME}/certificates.yaml \
+ airship/site/${SITE_NAME}/secrets/certificates/certificates.yaml
 }
 promenade_bundle() {
- mkdir bundle
- sudo -E treasuremap/tools/airship promenade build-all \
- --validators -o /target/bundle /target/collect/*.yaml
+
+ if [ -d "bundle/${SITE_NAME}" ]; then
+ sudo rm -rf bundle/${SITE_NAME}
+ fi
+ sudo mkdir -p bundle/${SITE_NAME}
+
+ PROMENADE_KEY=$(sudo -E ${AIRSHIP_CMD} promenade build-all \
+ --validators -o /target/bundle/${SITE_NAME} /target/collect/${SITE_NAME}/*.yaml | \
+ sed -n '/Copy this decryption key for use during script execution:/{n;p;d;}; x')
 }
 genesis_deploy() {
- scp bundle/genesis.sh $GEN_SSH:
- ssh $GEN_SSH 'sudo ./genesis.sh' && sleep 120
+ scp bundle/${SITE_NAME}/genesis.sh $GEN_SSH:
+ ssh $GEN_SSH PROMENADE_ENCRYPTION_KEY=$PROMENADE_KEY sudo -E ./genesis.sh
 }
 site_action() {
@@ -147,16 +205,25 @@ site_action() {
 # Site deployment with Shipyard, see more details here
 # https://airship-treasuremap.readthedocs.io/en/latest/authoring_and_deployment.html#deploy-site-with-shipyard
- sudo -E treasuremap/tools/airship shipyard create configdocs \
- $SITE_NAME --directory=/target/collect --replace
- sudo -E treasuremap/tools/airship shipyard commit configdocs
+ sudo -E ${AIRSHIP_CMD} shipyard create configdocs \
+ $SITE_NAME --directory=/target/collect/$SITE_NAME --replace
+ sudo -E ${AIRSHIP_CMD} shipyard commit configdocs
- sudo -E treasuremap/tools/airship shipyard create action \
+ sudo -E ${AIRSHIP_CMD} shipyard create action \
 --allow-intermediate-commits $1
 sudo -E treasuremap/tools/gate/wait-for-shipyard.sh
 }
+shipyard_action() {
+
+ # Site deployment with Shipyard, see more details here
+ # https://airship-treasuremap.readthedocs.io/en/latest/authoring_and_deployment.html#deploy-site-with-shipyard
+
+ sudo -E ${AIRSHIP_CMD} shipyard $1 $2 $3
+}
+
+
 create_public_network() {
 export OS_AUTH_URL=${OS_AUTH_URL_IDENTITY}
 sudo -E treasuremap/tools/openstack stack create --wait \
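Review bot: `ssh $GEN_SSH PROMENADE_ENCRYPTION_KEY=$PROMENADE_KEY sudo -E ./genesis.sh` in `genesis_deploy` puts the bundle decryption key on the command line, so with the `set -ex` enabled at the top of this file it is printed in the local trace output, and on the genesis node it is visible to every local user through the process list for as long as genesis.sh runs. Passing it over stdin keeps it out of argv on both sides: `printf '%s\n' "$PROMENADE_KEY" | ssh $GEN_SSH 'IFS= read -r PROMENADE_ENCRYPTION_KEY; export PROMENADE_ENCRYPTION_KEY; sudo -E ./genesis.sh'`. The `PROMENADE_KEY=$(... | sed ...)` assignment in `promenade_bundle` takes its exit status from `sed`, so a failed `build-all` does not stop the script under `set -e` and an empty key is silently handed to genesis; add `set -o pipefail` near the top or check `[[ -n "$PROMENADE_KEY" ]]` right after the assignment. In `pre_genesis`, the apt signing key is fetched over plain `http://` and piped into `apt-key add`, and two more keys are pulled by 64-bit key id from a keyserver, so the keys that later authenticate every package install are themselves unauthenticated; fetching over https and pinning full fingerprints, or shipping the key files in `tools/files` alongside `sources.list`, would close that gap.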
@@ -165,11 +232,22 @@ create_public_network() {
 }
 case "$2" in
+'pre_genesis')
+ pre_genesis
+ ;;
 'deploy_site')
- genesis_cleanup
+ read -n 1 -p "This script will clean up the genesis node. Continue (Y/N) ?" input
+ case $input in
+ [Yy] ) break;;
+ [Nn] ) exit 1;;
+ * ) echo "Please answer yes or no."; exit 1;
+ esac
+
 clone_repos
 pegleg_collect
 promenade_bundle
+ genesis_cleanup
+ pre_genesis
 genesis_deploy
 site_action $2
 create_public_network
@@ -179,7 +257,20 @@ case "$2" in
 pegleg_collect
 site_action $2
 ;;
+'update_software')
+ clone_repos
+ pegleg_collect
+ site_action $2
+ ;;
+'generate_certs')
+ clone_repos
+ generate_certs
+ ;;
+'shipyard')
+ shipyard_action $3 $4 $5
+ ;;
 *)
 help
+ echo "*** $2"
 exit 1
 ;;
 esac
diff --git a/tools/files/Corefile-intel-pod17 b/tools/files/Corefile-intel-pod17
new file mode 100644
index 0000000..c5c093d
--- /dev/null
+++ b/tools/files/Corefile-intel-pod17
@@ -0,0 +1,11 @@
+.:53 {
+ forward . 8.8.8.8 8.8.4.4
+ log
+ errors
+}
+
+intel-pod17.opnfv.org:53 {
+ file /root/coredns/intel-pod17.db
+ log
+ errors
+}
diff --git a/tools/files/certificate/ingress-ca.crt b/tools/files/certificate/ingress-ca.crt
new file mode 100644
index 0000000..7de203d
--- /dev/null
+++ b/tools/files/certificate/ingress-ca.crt
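Review bot: `shipyard_action` forwards exactly `$1 $2 $3` unquoted to `sudo -E ${AIRSHIP_CMD} shipyard`, so a shipyard command with fewer than three words only works because the empty expansions vanish, one with more words is silently truncated, and any argument containing spaces is split; `sudo -E ${AIRSHIP_CMD} shipyard "$@"` forwards whatever the caller passed. The comment inside the new function is a copy of the `site_action` comment about deploying a site and does not describe what this function does; `# Run an arbitrary shipyard CLI subcommand with the caller's arguments` would fit better. The body of `site_action` begins above this hunk.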
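Review bot: In the `'deploy_site'` arm, `[Yy] ) break;;` uses `break` outside of any loop; depending on the bash version and POSIX mode this is either silently ignored or reported as an error, and under the `set -e` enabled at the top of this file an error here would abort the deploy right after the operator confirmed, so `[Yy] ) ;;` is what is meant. The `* )` arm ends with `exit 1;` and no `;;` before `esac`, which bash accepts only because it is the last arm. `help` still advertises `deploy_site|update_site|update_software` while this hunk adds the `pre_genesis`, `generate_certs` and `shipyard` actions (the last consuming `$3 $4 $5`); the usage string should list them, e.g. `echo "Usage: deploy.sh <site_name> <pre_genesis|deploy_site|update_site|update_software|generate_certs|shipyard <args...>>"`.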
@@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIC/TCCAeWgAwIBAgIJALiv9mc7SJL/MA0GCSqGSIb3DQEBCwUAMBUxEzARBgNV +BAMMCmluZ3Jlc3MtY2EwHhcNMjAwNzEwMjAxNjQ1WhcNMzAwNzA4MjAxNjQ1WjAV +MRMwEQYDVQQDDAppbmdyZXNzLWNhMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB +CgKCAQEAsdLuV9LVazMW/f5pQ/yRsKIDm3/W8+dqSvuXqa5wKmkKre3BICauTqcK +vDqn4m5MOrYgJJAeFBDpLPIk07XJPSDLZ+04qg621Jv+2fEJipPFmSebUbqdoG/S +MBDyzeBb/WKHGhtxcgpBzfnj7HspreIcFLh1TfYHS34uJDpOs4yDv8tWkyEFEAv1 +w3n1W/wLyVLDHN6KpUVQsAsPzt+4bcYRr4tapU45ZPANEvmfSVSqZIJKeShunyZ8 +bQIr8b3XCbjY/zexu8+RMXUkb404MR5vvOf8yNfGZEv4xoyMN+BWcE1GbObH1HJf +xwor9z1NnlJboyCWDYPp/3EcVjpHzQIDAQABo1AwTjAdBgNVHQ4EFgQUgNkj8PoW +nHPtt7Nj7JFCal7vxIEwHwYDVR0jBBgwFoAUgNkj8PoWnHPtt7Nj7JFCal7vxIEw +DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAj72hoR/6JO22k+2N4RzW +4ITjPZRzgbs+LU7MA6Fw4MapSQx5MwgUMI23bez3AG7MefN7E3IKT+j3CDkA5v9S +X/pLo7bLvLWVOFjHFqiLZ01xGm9nw7QmpNLmR42PrZTiNx5cBBJAvtkx1i8mY+fA +mhAxPzwy7mLkpXkeEha6zDyf5Cuy/42mJ/BpRrAlzaU/59w0YwQuTXzNrp5HIYlI +Fy9xE9rME7Y9zy0V2VhaFncmQD+DedJMjm/guBTy1D6Hyl0v+DPfEmLs3NCZ7coG +3kHS35ipqgT6GnZpKlqxcpBD2EWN5XC+Romsu1D+1OPc0ZnTUENs9836UFgaOAhT +YQ== +-----END CERTIFICATE----- diff --git a/tools/files/certificate/ingress-ca.key b/tools/files/certificate/ingress-ca.key new file mode 100644 index 0000000..bdd0634 --- /dev/null +++ b/tools/files/certificate/ingress-ca.key 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCx0u5X0tVrMxb9 +/mlD/JGwogObf9bz52pK+5eprnAqaQqt7cEgJq5Opwq8Oqfibkw6tiAkkB4UEOks +8iTTtck9IMtn7TiqDrbUm/7Z8QmKk8WZJ5tRup2gb9IwEPLN4Fv9YocaG3FyCkHN ++ePseymt4hwUuHVN9gdLfi4kOk6zjIO/y1aTIQUQC/XDefVb/AvJUsMc3oqlRVCw +Cw/O37htxhGvi1qlTjlk8A0S+Z9JVKpkgkp5KG6fJnxtAivxvdcJuNj/N7G7z5Ex +dSRvjTgxHm+85/zI18ZkS/jGjIw34FZwTUZs5sfUcl/HCiv3PU2eUlujIJYNg+n/ +cRxWOkfNAgMBAAECggEALapbZtZP1E20c9mnsrvjthaFEqPL0ar2Evd1RS/0wg9j +nLLXy6fjT3N6QEhX4MAud01aB8myz7hgCRjN+EhQu4/2bGPxD0rkDMlasyFBMAMu +1VvkeSKRZCgTNCDGGbSqKvHoe/3cLksQBxNLQumGFI9iYrfT+AdcbDilJMyMdXMM +pqyh135moH/TmPTobMY9jr1pNPq0LOWftg4yvnmrNhr3MqfciJZ6kljZB5vXDUpL +TvqVb8pHl19O8UHPsWyFk0+4L/kiZbM0yjdmVrlsPza7Vva0LUITFB2krl4WJF2h +ByToJ3b30crN+5Ccg56wbuXdNtk+TdrulDX6/SxXCQKBgQDcPMDe/hC0RfniTQ+i +FPGYhMsjHwGE+WTZkHchKXxtcBu3muPQe/DUiFVcTwrlfNt+A3tJPBPR1vh56sa/ +EZsJrNM5hXFuwd3YAqDotyNxxsh0dl5AK63A6rn80BzULQnknx/TOTWagcwnZuBr +YiMUVnmEtorStKc3OWNO78cBVwKBgQDOsw635GZ37bfX4ndTKSBB+Cf6u/DHX5y8 +rDBo/hd8hWe1Sou/FrsyiApRWv6I/B+5Vaa2m6qaBNPGFREnpaGla+fZ84CuYh1f +DT2LmzY5w/GchBx5eTOhK80NJpzrBcK9jkfltESsUpQ2wfXZ82RUot1e5ii2rMb4 +c+gH0rOVewKBgHHIhZDvzCuHF6H+VDxV+7fjq5uakktkGeF5jMK6T0mvKPLD+D0n +O3ZidU96mtOTnUbOf6yHeGnqWXeLf2EJtILcIkjOk5s4V+gY+48fxxUqMThSS0F2 +D4/i9XITB0Hrfvf56hRTs0j/FD2rHfj8u8jvIFsbgD96DAYxBQisQrGDAoGBALwr +igSi6x3WzXy9cD/GutUTouHB4qq+QiQI5XFPj/YORKFoIdxuRzDzY+E4Y2w1inPg +o4quIBtitaAoYZukT4oWt9VUthsKuw5jMVo8jJr95KDGLF3xlqztARktw8C5V9XV +B2L4P2RZMRDAdp5Z00axlbHk+b+DfweEDQHCMTatAoGBAKf7JUi0YEu5/fIrUfrm +tQXOrEwvnD0jkDp/tQc0+veuraLxCvQXGD86+s1vyIx/ZGhMp9e/dgWsMGG2UAKk +f8Dpo0M9dW/6R4Y0v7KiRW7OVrvDY0PjRP+6jls2VL3Lcwsow8awbo4TFL0Wlim7 +fdymzMEIIJD0XzfApzKEuvdr +-----END PRIVATE KEY----- diff --git a/tools/files/certificate/ingress-ca.pem b/tools/files/certificate/ingress-ca.pem new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/tools/files/certificate/ingress-ca.pem 
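Review bot: `tools/files/certificate/ingress-ca.key` is an unencrypted CA private key committed in clear text, and the leaf key `tools/files/certificate/ingress-key` further down in this diff is committed the same way; anyone with read access to the repository can issue certificates for `*.intel-pod17.opnfv.org` that the CA in `ingress-ca.crt` vouches for. Private keys should not live in the tree: generate them on the node or keep them under the per-site secrets path the deploy flow already uses (`airship/site/<site>/secrets/...`), and once a key has been pushed it should be considered exposed and the CA and leaf reissued. Several sibling files look accidental: `ingress-ca.pem` and `mycertfile.pem` are empty (blob e69de29), `ingress-ca.pem.orig` is byte-identical to `ingress-ca.crt` (both blob 7de203d), and `ingress-ca.srl` is an OpenSSL serial-counter working file. A short README or comment in `openssl.cnf` stating how these files are meant to be (re)generated would make the intent clear.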
diff --git a/tools/files/certificate/ingress-ca.pem.orig b/tools/files/certificate/ingress-ca.pem.orig new file mode 100644 index 0000000..7de203d --- /dev/null +++ b/tools/files/certificate/ingress-ca.pem.orig @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIC/TCCAeWgAwIBAgIJALiv9mc7SJL/MA0GCSqGSIb3DQEBCwUAMBUxEzARBgNV +BAMMCmluZ3Jlc3MtY2EwHhcNMjAwNzEwMjAxNjQ1WhcNMzAwNzA4MjAxNjQ1WjAV +MRMwEQYDVQQDDAppbmdyZXNzLWNhMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB +CgKCAQEAsdLuV9LVazMW/f5pQ/yRsKIDm3/W8+dqSvuXqa5wKmkKre3BICauTqcK +vDqn4m5MOrYgJJAeFBDpLPIk07XJPSDLZ+04qg621Jv+2fEJipPFmSebUbqdoG/S +MBDyzeBb/WKHGhtxcgpBzfnj7HspreIcFLh1TfYHS34uJDpOs4yDv8tWkyEFEAv1 +w3n1W/wLyVLDHN6KpUVQsAsPzt+4bcYRr4tapU45ZPANEvmfSVSqZIJKeShunyZ8 +bQIr8b3XCbjY/zexu8+RMXUkb404MR5vvOf8yNfGZEv4xoyMN+BWcE1GbObH1HJf +xwor9z1NnlJboyCWDYPp/3EcVjpHzQIDAQABo1AwTjAdBgNVHQ4EFgQUgNkj8PoW +nHPtt7Nj7JFCal7vxIEwHwYDVR0jBBgwFoAUgNkj8PoWnHPtt7Nj7JFCal7vxIEw +DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAj72hoR/6JO22k+2N4RzW +4ITjPZRzgbs+LU7MA6Fw4MapSQx5MwgUMI23bez3AG7MefN7E3IKT+j3CDkA5v9S +X/pLo7bLvLWVOFjHFqiLZ01xGm9nw7QmpNLmR42PrZTiNx5cBBJAvtkx1i8mY+fA +mhAxPzwy7mLkpXkeEha6zDyf5Cuy/42mJ/BpRrAlzaU/59w0YwQuTXzNrp5HIYlI +Fy9xE9rME7Y9zy0V2VhaFncmQD+DedJMjm/guBTy1D6Hyl0v+DPfEmLs3NCZ7coG +3kHS35ipqgT6GnZpKlqxcpBD2EWN5XC+Romsu1D+1OPc0ZnTUENs9836UFgaOAhT +YQ== +-----END CERTIFICATE----- diff --git a/tools/files/certificate/ingress-ca.srl b/tools/files/certificate/ingress-ca.srl new file mode 100644 index 0000000..f48a4f3 --- /dev/null +++ b/tools/files/certificate/ingress-ca.srl @@ -0,0 +1 @@ +8AB2C82AEE12CD33 diff --git a/tools/files/certificate/ingress-crt b/tools/files/certificate/ingress-crt new file mode 100644 index 0000000..0cb15d5 --- /dev/null +++ b/tools/files/certificate/ingress-crt 
@@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDNjCCAh6gAwIBAgIJAIqyyCruEs0zMA0GCSqGSIb3DQEBCwUAMBUxEzARBgNV +BAMMCmluZ3Jlc3MtY2EwHhcNMjAwNzEwMjAxNjQ2WhcNMzAwNzA4MjAxNjQ2WjAi +MSAwHgYDVQQDDBcqLmludGVsLXBvZDE3Lm9wbmZ2Lm9yZzCCASIwDQYJKoZIhvcN +AQEBBQADggEPADCCAQoCggEBAMv+Q9RnipooU3zU9Om0ghzpY2L3TbxShyizObld +4SLungyjKy0ElIn4dRQar/x8BF//K/qgQK1P3vhDoosVzQsT6lwQqzOyfVCOetjv +HMIjzHjLcYEfSCon8tZwmFzz7v5hAyvP5qQJzCjXOBt52HCMIkLxgScN7lIJMzgv +kezZnvfWd0pntitjIoIl/47uQD2nopJiCeA4lF8iz3kAjxeU5fxejlDiQ+sxq+EW +CJ2FO8ou95Yh7BauFPr6zAwOuirUroxVjR3J/aLjy0uGsPCDUl6thCwAHoIqdlok +F+6SuiZ14rZMq5HmlXT+ALNh+TTyIlLP60uc62N3V5kssAMCAwEAAaN8MHowCQYD +VR0TBAIwADAdBgNVHQ4EFgQUfTsTBuqoBACa4kZjMfqLESGFS90wCwYDVR0PBAQD +AgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATAiBgNVHREEGzAZghcq +LmludGVsLXBvZDE3Lm9wbmZ2Lm9yZzANBgkqhkiG9w0BAQsFAAOCAQEAgMQGUeL5 +h3Ysj3/zaxUM4Jrb4j6qn2szjz7q/ZPYo46Vdbg789HMvGfsPsLccBAdxIvzfp35 +OkP6tmFlmNHg22Nmu0G9EKfy+lXuspsMEU2O8S+jFB6mVrQihnq2MXHxXdQzYAEg +x4ZAAC78PMHdRjXgfcTufxkwjJx5FHiIQhv3e6f9+Jr8LQLUxDIJTmpNkHXzPgjM +tVPUNuqZprX3m3oDM4PXv1xF42I89cNZRvR7/YFl8ZhITAdCOQ7HiJeBO/1Yyd3R +zyp7fclTXDZh6s7bmZBfFXDiyJpJeFHInTVrMqK3Q4u0jDmDJH+t01MEUjMaqOlz +usMQUi0wphAWpg== +-----END CERTIFICATE----- diff --git a/tools/files/certificate/ingress-csr b/tools/files/certificate/ingress-csr new file mode 100644 index 0000000..df7f144 --- /dev/null +++ b/tools/files/certificate/ingress-csr 
@@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIIC9DCCAdwCAQAwIjEgMB4GA1UEAwwXKi5pbnRlbC1wb2QxNy5vcG5mdi5vcmcw +ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDL/kPUZ4qaKFN81PTptIIc +6WNi9028Uocoszm5XeEi7p4MoystBJSJ+HUUGq/8fARf/yv6oECtT974Q6KLFc0L +E+pcEKszsn1QjnrY7xzCI8x4y3GBH0gqJ/LWcJhc8+7+YQMrz+akCcwo1zgbedhw +jCJC8YEnDe5SCTM4L5Hs2Z731ndKZ7YrYyKCJf+O7kA9p6KSYgngOJRfIs95AI8X +lOX8Xo5Q4kPrMavhFgidhTvKLveWIewWrhT6+swMDroq1K6MVY0dyf2i48tLhrDw +g1JerYQsAB6CKnZaJBfukromdeK2TKuR5pV0/gCzYfk08iJSz+tLnOtjd1eZLLAD +AgMBAAGggYwwgYkGCSqGSIb3DQEJDjF8MHowCQYDVR0TBAIwADAdBgNVHQ4EFgQU +fTsTBuqoBACa4kZjMfqLESGFS90wCwYDVR0PBAQDAgWgMB0GA1UdJQQWMBQGCCsG +AQUFBwMCBggrBgEFBQcDATAiBgNVHREEGzAZghcqLmludGVsLXBvZDE3Lm9wbmZ2 +Lm9yZzANBgkqhkiG9w0BAQsFAAOCAQEAljZ34DiXvqwLE4K2zTHQS76Iy6Sj+pI+ +BFNZxje8PlTgH1vdWHrF3APXoUM6ow/rADoDU1jEnqsFt0K533LRlQbZJXwtj8qG +6SDJAj4P1qFuaavjtCaqdpwvNY+EModSQK2c0gVgwXVtrL9AkO0jUNk2cGDT7kBU +BOzBnSH0FvoemDGKxNxUpKsEGIeV6xtqGejKNE3alVAXlsGN5drqgWvQuVXCXEmf +4H9/PknUNvDCJWwE/DBn7gOtxOhTX0cbU1pY5Z7Q6fmuBKwPmCZ647FNPJx8ru3q +fJ2Jv4NwEAGasLueV5xKwBTVSr9C3298kPehfklGlqhoAKnjJEpe7w== +-----END CERTIFICATE REQUEST----- diff --git a/tools/files/certificate/ingress-key b/tools/files/certificate/ingress-key new file mode 100644 index 0000000..c5886ba --- /dev/null +++ b/tools/files/certificate/ingress-key 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpgIBAAKCAQEAy/5D1GeKmihTfNT06bSCHOljYvdNvFKHKLM5uV3hIu6eDKMr +LQSUifh1FBqv/HwEX/8r+qBArU/e+EOiixXNCxPqXBCrM7J9UI562O8cwiPMeMtx +gR9IKify1nCYXPPu/mEDK8/mpAnMKNc4G3nYcIwiQvGBJw3uUgkzOC+R7Nme99Z3 +Sme2K2MigiX/ju5APaeikmIJ4DiUXyLPeQCPF5Tl/F6OUOJD6zGr4RYInYU7yi73 +liHsFq4U+vrMDA66KtSujFWNHcn9ouPLS4aw8INSXq2ELAAegip2WiQX7pK6JnXi +tkyrkeaVdP4As2H5NPIiUs/rS5zrY3dXmSywAwIDAQABAoIBAQCCVFXjy69K5H7K +n4hGFDSY4ifEX/pDWnrN7wvvOWKQneFOc6UvIuD/8URj7tUHO/jTmETx4BbSY9gx +x4x+zhPtgvDVlzS6V8wmfpFQLhyykIqflmNTOrgxbsqAZPmDUbocvcB36mER5syQ +P0iyjTtSVMXC/Wclm4nq0cPunr3dktwsVxVpqV/BH2kmFXNQMl57+6jYXvLcM5Nk +iA1usA5c+rGozXk2ADsEpBGlm/bz/2zLMpIr9NOylyq3Cy7UtXztnH5jpV2CB2jh +JR+e6Md0fd68EHM8g6MnOgwcIZH3jH8ScbqDYq5pAzsYvlgZn/5Srg0YsXV4P3am +TPFhCrVhAoGBAOepIpJ+GOzhcrZ8FNAPel9hhOgjnWjEI2kwVmmV48NDLn6ECmGB +9MhMBsXeiNuHln0t/sHqimuFCUo4eluUhMu3x17gs30Uc8R3ZOtdmgqk7zpB2arW +C7eO8D/U8ctkJPJ8rMRBTzbt0ihxHYPCwr3Yg32INEt3DWuj2pHrgHOTAoGBAOFs ++L00jAP/qkF/aIpJfHVRfLpGBol6ZRTUTVlUn1Fj4idydvOUBcSFG+36ft2qMfgu +l6NiEh1losdVqq6MoVT+PCm1KQKh07bNrp7aAjSUN5Z1jAHnCPQRjTuvgFZzaa+U +mg20MhFn/MBvWK2oF0GnhbN3dcJdM/9M8LzpN3fRAoGBALeFJ9xBhOFzoHqsRZim +Cl2xVabJQBQU/bCBGJPAqJSxjg2v8MFaQF7Ey8DJEEZJXZCBdYaNlWakF73yjAws +1h7E0m55N/fo0eVcaFiE6FlyXAoczKEnvFSIKg+HVJ26EgL/faZjzqtHL+vV4HnX +OotHELPLyRHXmIwjXC2pETN9AoGBAIX34QtwwxVNR72NHm+wpIqEVv/Mxe3GE3SB +h0ZjiBsypSCUYiT3/0V/Zc3UZLkPgIriBbRPgDyAPnEAdGMvqGF+hfqzcx/hVJT7 +P5+gKFdfDnoYeZBX4XZLSAgEkNzP0itKwRML2AWIKymiAq2Ri+C00jyJ7i4IffJn +o1phr1lBAoGBAN53tvpr8KzKK6EPy5Q7fZf0nfrA6H4GQhCkLciGZWDPBBLQ2w64 +3APepY2w6ecgg/Wc2tHtuavoKD1HdSsGE0E09JZ1bXXKHOdwS2s47qITMzHZzmLF +7Mtu9Fw2+TEsC/utmtoa3lNaIES4mQMSB2NVCJxEfRySMISlM1NbeVVd +-----END RSA PRIVATE KEY----- diff --git a/tools/files/certificate/mycertfile.pem b/tools/files/certificate/mycertfile.pem new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/tools/files/certificate/mycertfile.pem 
diff --git a/tools/files/certificate/openssl.cnf b/tools/files/certificate/openssl.cnf
new file mode 100644
index 0000000..732a5a0
--- /dev/null
+++ b/tools/files/certificate/openssl.cnf
@@ -0,0 +1,23 @@
+[ req ]
+prompt = no
+default_bits = 2048
+distinguished_name = req_distinguished_name
+encrypt_key = no
+req_extensions = v3_req
+
+[ req_distinguished_name ]
+commonName = *.intel-pod17.opnfv.org
+
+# Allow client and server auth. You may want to only allow server auth.
+# Link to SAN names.
+[v3_req]
+basicConstraints = CA:FALSE
+subjectKeyIdentifier = hash
+keyUsage = digitalSignature, keyEncipherment
+extendedKeyUsage = clientAuth, serverAuth
+subjectAltName = @alt_names
+
+# Alternative names are specified as IP.# and DNS.# for IP addresses and
+# DNS accordingly.
+[alt_names]
+DNS.1 = *.intel-pod17.opnfv.org
diff --git a/tools/files/intel-pod17.db b/tools/files/intel-pod17.db
new file mode 100644
index 0000000..de46e07
--- /dev/null
+++ b/tools/files/intel-pod17.db
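Review bot: `extendedKeyUsage = clientAuth, serverAuth` in `[v3_req]` gives the wildcard `*.intel-pod17.opnfv.org` certificate client-authentication capability as well, and the comment directly above it already says server-only may be what is wanted; for an ingress TLS certificate `extendedKeyUsage = serverAuth` is sufficient, and dropping `clientAuth` means a leaked leaf key cannot also be used to authenticate as a client to anything that trusts this CA. `encrypt_key = no` writes the private key to disk unencrypted, which matches the keys committed next to this file and deserves a comment stating that this is deliberate and where the resulting key is expected to be stored.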
@@ -0,0 +1,24 @@
+intel-pod17.opnfv.org. IN SOA dns.intel-pod17.opnfv.org. admin.intel-pod17.opnfv.org. 2015082541 7200 3600 1209600 3600
+dns.intel-pod17.opnfv.org. IN A 10.10.170.20
+iam-nc.intel-pod17.opnfv.org. IN A 10.10.170.129
+shipyard-nc.intel-pod17.opnfv.org. IN A 10.10.170.129
+cloudformation-nc.intel-pod17.opnfv.org. IN A 10.10.170.129
+compute-nc.intel-pod17.opnfv.org. IN A 10.10.170.129
+dashboard-nc.intel-pod17.opnfv.org. IN A 10.10.170.129
+grafana-nc.intel-pod17.opnfv.org. IN A 10.10.170.129
+identity-nc.intel-pod17.opnfv.org. IN A 10.10.170.129
+image-nc.intel-pod17.opnfv.org. IN A 10.10.170.129
+kibana-nc.intel-pod17.opnfv.org. IN A 10.10.170.129
+nagios-nc.intel-pod17.opnfv.org. IN A 10.10.170.129
+network-nc.intel-pod17.opnfv.org. IN A 10.10.170.129
+nova-novncproxy-nc.intel-pod17.opnfv.org. IN A 10.10.170.129
+object-store-nc.intel-pod17.opnfv.org. IN A 10.10.170.129
+orchestration-nc.intel-pod17.opnfv.org. IN A 10.10.170.129
+placement-nc.intel-pod17.opnfv.org. IN A 10.10.170.129
+volume-nc.intel-pod17.opnfv.org. IN A 10.10.170.129
+kubernetes-nc.intel-pod17.opnfv.org. IN A 10.10.170.129
+mini-mirror-nc.intel-pod17.opnfv.org. IN A 10.10.171.129
+ranger-agent-nc.intel-pod17.opnfv.org. IN A 10.10.170.129
+ro-nc.intel-pod17.opnfv.org. IN A 10.10.170.129
+drydock-nc.intel-pod17.opnfv.org. IN A 10.10.171.129
+maas-nc.intel-pod17.opnfv.org. IN A 10.10.171.129
diff --git a/tools/files/seccomp_default b/tools/files/seccomp_default
new file mode 100644
index 0000000..35d26da
--- /dev/null
+++ b/tools/files/seccomp_default
@@ -0,0 +1,767 @@ +{ + "defaultAction": "SCMP_ACT_ERRNO", + "archMap": [ + { + "architecture": "SCMP_ARCH_X86_64", + "subArchitectures": [ + "SCMP_ARCH_X86", + "SCMP_ARCH_X32" + ] + }, + { + "architecture": "SCMP_ARCH_AARCH64", + "subArchitectures": [ + "SCMP_ARCH_ARM" + ] + }, + { + "architecture": "SCMP_ARCH_MIPS64", + "subArchitectures": [ + "SCMP_ARCH_MIPS", + "SCMP_ARCH_MIPS64N32" + ] + }, + { + "architecture": "SCMP_ARCH_MIPS64N32", + "subArchitectures": [ + "SCMP_ARCH_MIPS", + "SCMP_ARCH_MIPS64" + ] + }, + { + "architecture": "SCMP_ARCH_MIPSEL64", + "subArchitectures": [ + "SCMP_ARCH_MIPSEL", + "SCMP_ARCH_MIPSEL64N32" + ] + }, + { + "architecture": "SCMP_ARCH_MIPSEL64N32", + "subArchitectures": [ + "SCMP_ARCH_MIPSEL", + "SCMP_ARCH_MIPSEL64" + ] + }, + { + "architecture": "SCMP_ARCH_S390X", + "subArchitectures": [ + "SCMP_ARCH_S390" + ] + } + ], + "syscalls": [ + { + "names": [ + "accept", + "accept4", + "access", + "adjtimex", + "alarm", + "bind", + "brk", + "capget", + "capset", + "chdir", + "chmod", + "chown", + "chown32", + "clock_getres", + "clock_gettime", + "clock_nanosleep", + "close", + "connect", + "copy_file_range", + "creat", + "dup", + "dup2", + "dup3", + "epoll_create", + "epoll_create1", + "epoll_ctl", + "epoll_ctl_old", + "epoll_pwait", + "epoll_wait", + "epoll_wait_old", + "eventfd", + "eventfd2", + "execve", + "execveat", + "exit", + "exit_group", + "faccessat", + "fadvise64", + "fadvise64_64", + "fallocate", + "fanotify_mark", + "fchdir", + "fchmod", + "fchmodat", + "fchown", + "fchown32", + "fchownat", + "fcntl", + "fcntl64", + "fdatasync", + "fgetxattr", + "flistxattr", + "flock", + "fork", + "fremovexattr", + "fsetxattr", + "fstat", + "fstat64", + "fstatat64", + "fstatfs", + "fstatfs64", + "fsync", + "ftruncate", + "ftruncate64", + "futex", + "futimesat", + "getcpu", + "getcwd", + "getdents", + "getdents64", + "getegid", + "getegid32", + "geteuid", + "geteuid32", + "getgid", + "getgid32", + "getgroups", + "getgroups32", + "getitimer", + 
"getpeername", + "getpgid", + "getpgrp", + "getpid", + "getppid", + "getpriority", + "getrandom", + "getresgid", + "getresgid32", + "getresuid", + "getresuid32", + "getrlimit", + "get_robust_list", + "getrusage", + "getsid", + "getsockname", + "getsockopt", + "get_thread_area", + "gettid", + "gettimeofday", + "getuid", + "getuid32", + "getxattr", + "inotify_add_watch", + "inotify_init", + "inotify_init1", + "inotify_rm_watch", + "io_cancel", + "ioctl", + "io_destroy", + "io_getevents", + "ioprio_get", + "ioprio_set", + "io_setup", + "io_submit", + "ipc", + "kill", + "lchown", + "lchown32", + "lgetxattr", + "link", + "linkat", + "listen", + "listxattr", + "llistxattr", + "_llseek", + "lremovexattr", + "lseek", + "lsetxattr", + "lstat", + "lstat64", + "madvise", + "memfd_create", + "mincore", + "mkdir", + "mkdirat", + "mknod", + "mknodat", + "mlock", + "mlock2", + "mlockall", + "mmap", + "mmap2", + "mprotect", + "mq_getsetattr", + "mq_notify", + "mq_open", + "mq_timedreceive", + "mq_timedsend", + "mq_unlink", + "mremap", + "msgctl", + "msgget", + "msgrcv", + "msgsnd", + "msync", + "munlock", + "munlockall", + "munmap", + "nanosleep", + "newfstatat", + "_newselect", + "open", + "openat", + "pause", + "pipe", + "pipe2", + "poll", + "ppoll", + "prctl", + "pread64", + "preadv", + "preadv2", + "prlimit64", + "pselect6", + "pwrite64", + "pwritev", + "pwritev2", + "read", + "readahead", + "readlink", + "readlinkat", + "readv", + "recv", + "recvfrom", + "recvmmsg", + "recvmsg", + "remap_file_pages", + "removexattr", + "rename", + "renameat", + "renameat2", + "restart_syscall", + "rmdir", + "rt_sigaction", + "rt_sigpending", + "rt_sigprocmask", + "rt_sigqueueinfo", + "rt_sigreturn", + "rt_sigsuspend", + "rt_sigtimedwait", + "rt_tgsigqueueinfo", + "sched_getaffinity", + "sched_getattr", + "sched_getparam", + "sched_get_priority_max", + "sched_get_priority_min", + "sched_getscheduler", + "sched_rr_get_interval", + "sched_setaffinity", + "sched_setattr", + "sched_setparam", + 
"sched_setscheduler", + "sched_yield", + "seccomp", + "select", + "semctl", + "semget", + "semop", + "semtimedop", + "send", + "sendfile", + "sendfile64", + "sendmmsg", + "sendmsg", + "sendto", + "setfsgid", + "setfsgid32", + "setfsuid", + "setfsuid32", + "setgid", + "setgid32", + "setgroups", + "setgroups32", + "setitimer", + "setpgid", + "setpriority", + "setregid", + "setregid32", + "setresgid", + "setresgid32", + "setresuid", + "setresuid32", + "setreuid", + "setreuid32", + "setrlimit", + "set_robust_list", + "setsid", + "setsockopt", + "set_thread_area", + "set_tid_address", + "setuid", + "setuid32", + "setxattr", + "shmat", + "shmctl", + "shmdt", + "shmget", + "shutdown", + "sigaltstack", + "signalfd", + "signalfd4", + "sigreturn", + "socket", + "socketcall", + "socketpair", + "splice", + "stat", + "stat64", + "statfs", + "statfs64", + "statx", + "symlink", + "symlinkat", + "sync", + "sync_file_range", + "syncfs", + "sysinfo", + "syslog", + "tee", + "tgkill", + "time", + "timer_create", + "timer_delete", + "timerfd_create", + "timerfd_gettime", + "timerfd_settime", + "timer_getoverrun", + "timer_gettime", + "timer_settime", + "times", + "tkill", + "truncate", + "truncate64", + "ugetrlimit", + "umask", + "uname", + "unlink", + "unlinkat", + "utime", + "utimensat", + "utimes", + "vfork", + "vmsplice", + "wait4", + "waitid", + "waitpid", + "write", + "writev" + ], + "action": "SCMP_ACT_ALLOW", + "args": [], + "comment": "", + "includes": {}, + "excludes": {} + }, + { + "names": [ + "personality" + ], + "action": "SCMP_ACT_ALLOW", + "args": [ + { + "index": 0, + "value": 0, + "valueTwo": 0, + "op": "SCMP_CMP_EQ" + } + ], + "comment": "", + "includes": {}, + "excludes": {} + }, + { + "names": [ + "personality" + ], + "action": "SCMP_ACT_ALLOW", + "args": [ + { + "index": 0, + "value": 8, + "valueTwo": 0, + "op": "SCMP_CMP_EQ" + } + ], + "comment": "", + "includes": {}, + "excludes": {} + }, + { + "names": [ + "personality" + ], + "action": "SCMP_ACT_ALLOW", + 
"args": [ + { + "index": 0, + "value": 131072, + "valueTwo": 0, + "op": "SCMP_CMP_EQ" + } + ], + "comment": "", + "includes": {}, + "excludes": {} + }, + { + "names": [ + "personality" + ], + "action": "SCMP_ACT_ALLOW", + "args": [ + { + "index": 0, + "value": 131080, + "valueTwo": 0, + "op": "SCMP_CMP_EQ" + } + ], + "comment": "", + "includes": {}, + "excludes": {} + }, + { + "names": [ + "personality" + ], + "action": "SCMP_ACT_ALLOW", + "args": [ + { + "index": 0, + "value": 4294967295, + "valueTwo": 0, + "op": "SCMP_CMP_EQ" + } + ], + "comment": "", + "includes": {}, + "excludes": {} + }, + { + "names": [ + "sync_file_range2" + ], + "action": "SCMP_ACT_ALLOW", + "args": [], + "comment": "", + "includes": { + "arches": [ + "ppc64le" + ] + }, + "excludes": {} + }, + { + "names": [ + "arm_fadvise64_64", + "arm_sync_file_range", + "sync_file_range2", + "breakpoint", + "cacheflush", + "set_tls" + ], + "action": "SCMP_ACT_ALLOW", + "args": [], + "comment": "", + "includes": { + "arches": [ + "arm", + "arm64" + ] + }, + "excludes": {} + }, + { + "names": [ + "arch_prctl" + ], + "action": "SCMP_ACT_ALLOW", + "args": [], + "comment": "", + "includes": { + "arches": [ + "amd64", + "x32" + ] + }, + "excludes": {} + }, + { + "names": [ + "modify_ldt" + ], + "action": "SCMP_ACT_ALLOW", + "args": [], + "comment": "", + "includes": { + "arches": [ + "amd64", + "x32", + "x86" + ] + }, + "excludes": {} + }, + { + "names": [ + "s390_pci_mmio_read", + "s390_pci_mmio_write", + "s390_runtime_instr" + ], + "action": "SCMP_ACT_ALLOW", + "args": [], + "comment": "", + "includes": { + "arches": [ + "s390", + "s390x" + ] + }, + "excludes": {} + }, + { + "names": [ + "open_by_handle_at" + ], + "action": "SCMP_ACT_ALLOW", + "args": [], + "comment": "", + "includes": { + "caps": [ + "CAP_DAC_READ_SEARCH" + ] + }, + "excludes": {} + }, + { + "names": [ + "bpf", + "clone", + "fanotify_init", + "lookup_dcookie", + "mount", + "name_to_handle_at", + "perf_event_open", + "quotactl", + 
"setdomainname", + "sethostname", + "setns", + "umount", + "umount2", + "unshare" + ], + "action": "SCMP_ACT_ALLOW", + "args": [], + "comment": "", + "includes": { + "caps": [ + "CAP_SYS_ADMIN" + ] + }, + "excludes": {} + }, + { + "names": [ + "clone" + ], + "action": "SCMP_ACT_ALLOW", + "args": [ + { + "index": 0, + "value": 2080505856, + "valueTwo": 0, + "op": "SCMP_CMP_MASKED_EQ" + } + ], + "comment": "", + "includes": {}, + "excludes": { + "caps": [ + "CAP_SYS_ADMIN" + ], + "arches": [ + "s390", + "s390x" + ] + } + }, + { + "names": [ + "clone" + ], + "action": "SCMP_ACT_ALLOW", + "args": [ + { + "index": 1, + "value": 2080505856, + "valueTwo": 0, + "op": "SCMP_CMP_MASKED_EQ" + } + ], + "comment": "s390 parameter ordering for clone is different", + "includes": { + "arches": [ + "s390", + "s390x" + ] + }, + "excludes": { + "caps": [ + "CAP_SYS_ADMIN" + ] + } + }, + { + "names": [ + "reboot" + ], + "action": "SCMP_ACT_ALLOW", + "args": [], + "comment": "", + "includes": { + "caps": [ + "CAP_SYS_BOOT" + ] + }, + "excludes": {} + }, + { + "names": [ + "chroot" + ], + "action": "SCMP_ACT_ALLOW", + "args": [], + "comment": "", + "includes": { + "caps": [ + "CAP_SYS_CHROOT" + ] + }, + "excludes": {} + }, + { + "names": [ + "delete_module", + "init_module", + "finit_module", + "query_module" + ], + "action": "SCMP_ACT_ALLOW", + "args": [], + "comment": "", + "includes": { + "caps": [ + "CAP_SYS_MODULE" + ] + }, + "excludes": {} + }, + { + "names": [ + "acct" + ], + "action": "SCMP_ACT_ALLOW", + "args": [], + "comment": "", + "includes": { + "caps": [ + "CAP_SYS_PACCT" + ] + }, + "excludes": {} + }, + { + "names": [ + "kcmp", + "process_vm_readv", + "process_vm_writev", + "ptrace" + ], + "action": "SCMP_ACT_ALLOW", + "args": [], + "comment": "", + "includes": { + "caps": [ + "CAP_SYS_PTRACE" + ] + }, + "excludes": {} + }, + { + "names": [ + "iopl", + "ioperm" + ], + "action": "SCMP_ACT_ALLOW", + "args": [], + "comment": "", + "includes": { + "caps": [ + "CAP_SYS_RAWIO" 
+ ] + }, + "excludes": {} + }, + { + "names": [ + "settimeofday", + "stime", + "clock_settime" + ], + "action": "SCMP_ACT_ALLOW", + "args": [], + "comment": "", + "includes": { + "caps": [ + "CAP_SYS_TIME" + ] + }, + "excludes": {} + }, + { + "names": [ + "vhangup" + ], + "action": "SCMP_ACT_ALLOW", + "args": [], + "comment": "", + "includes": { + "caps": [ + "CAP_SYS_TTY_CONFIG" + ] + }, + "excludes": {} + }, + { + "names": [ + "get_mempolicy", + "mbind", + "set_mempolicy" + ], + "action": "SCMP_ACT_ALLOW", + "args": [], + "comment": "", + "includes": { + "caps": [ + "CAP_SYS_NICE" + ] + }, + "excludes": {} + } + ] +} diff --git a/tools/files/shipyard.sh b/tools/files/shipyard.sh new file mode 100755 index 0000000..a6d5832 --- /dev/null +++ b/tools/files/shipyard.sh 
@@ -0,0 +1,33 @@
+#!/bin/bash
+#Checks shipyard action status
+
+set -e
+CONTAINER="shipyard-api"
+TEMP_RESULT=${TEMP_RESULT:-$(mktemp)}
+API=$(kubectl get pods -n ucp -l application=shipyard,component=api --no-headers | awk '{print $1}' | head -n 1)
+# this doesn't actually get exported to environment unless the script is sourced
+export OS_PASSWORD=$(kubectl exec -it ${API} -n ucp -c ${CONTAINER} -- cat /etc/shipyard/shipyard.conf | grep "password =" | awk '{print $3}' | tr -d '\r')
+OS_AUTH_URL=$(kubectl exec -it ${API} -n ucp -c ${CONTAINER} -- cat /etc/shipyard/shipyard.conf |grep "auth_uri =" | awk '{print $3}' | tr -d '\r')
+SHIPYARD_IMAGE=$(kubectl get po ${API} -n ucp -o jsonpath="{.spec.containers[0].image}")
+SHIPYARD_HOSTPATH="/target"
+SHIPYARD_IMAGE="${SHIPYARD_IMAGE}"
+LIST_STEPS=$(mktemp)
+
+# Define Base Docker Command
+base_docker_command=$(cat << EndOfCommand
+sudo -E docker run -t --rm --net=host
+-e no_proxy=${NO_PROXY:-127.0.0.1,localhost,.svc.cluster.local}
+-e OS_AUTH_URL=${OS_AUTH_URL}
+-e OS_USERNAME=${OS_USERNAME:-shipyard}
+-e OS_USER_DOMAIN_NAME=${OS_DOMAIN:-default}
+-e OS_PASSWORD
+-e OS_PROJECT_DOMAIN_NAME=${OS_PROJECT_DOMAIN_NAME:-default}
+-e OS_PROJECT_NAME=${OS_PROJECT_NAME:-service}
+EndOfCommand
+)
+
+echo "$OS_AUTH_URL"
+
+# Execute Shipyard CLI
+
+ ${base_docker_command} -v "$(pwd)":"${SHIPYARD_HOSTPATH}" "${SHIPYARD_IMAGE}" "${@}"
diff --git a/tools/files/sources.list b/tools/files/sources.list
new file mode 100644
index 0000000..eb659ec
--- /dev/null
+++ b/tools/files/sources.list
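Review bot: A failed credential fetch is not caught — `export OS_PASSWORD=$(...)` reports the status of `export`, and without `pipefail` the pipeline's status is that of `tr`, so under `set -e` a failing `kubectl exec` leaves OS_PASSWORD empty and the script still launches the container with an empty password; the same masking applies to the `API=` and `OS_AUTH_URL=` assignments. Use `set -eo pipefail`, split the assignment from the export, and refuse to continue when `API` or `OS_PASSWORD` is empty, as in the excerpt below. Dropping `-it` from the non-interactive `kubectl exec` calls is presumably what makes the `tr -d '\r'` carriage-return stripping unnecessary, though it is harmless to keep. Separately, `TEMP_RESULT` and `LIST_STEPS` each create a mktemp file that is never used or removed, `SHIPYARD_IMAGE="${SHIPYARD_IMAGE}"` is a no-op, and the unquoted `${base_docker_command}` relies on word splitting, so any substituted value such as `NO_PROXY` containing whitespace would break the command line; a bash array holding the arguments would be safer.
```shell
set -eo pipefail
CONTAINER="shipyard-api"
API=$(kubectl get pods -n ucp -l application=shipyard,component=api --no-headers | awk '{print $1}' | head -n 1)
[[ -n "${API}" ]] || { echo "no shipyard api pod found in namespace ucp" >&2; exit 1; }
# exported (not placed on argv) so that 'sudo -E docker run ... -e OS_PASSWORD' below inherits it
OS_PASSWORD=$(kubectl exec "${API}" -n ucp -c "${CONTAINER}" -- cat /etc/shipyard/shipyard.conf | grep "password =" | awk '{print $3}' | tr -d '\r')
[[ -n "${OS_PASSWORD}" ]] || { echo "could not read the shipyard password from pod ${API}" >&2; exit 1; }
export OS_PASSWORD
# … unchanged: OS_AUTH_URL, SHIPYARD_IMAGE, base_docker_command and the docker run …
```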
@@ -0,0 +1,56 @@
+# See http://help.ubuntu.com/community/UpgradeNotes for how to upgrade to
+# newer versions of the distribution.
+#deb http://us.archive.ubuntu.com/ubuntu bionic main restricted
+# deb-src http://us.archive.ubuntu.com/ubuntu bionic main restricted
+
+## Major bug fix updates produced after the final release of the
+## distribution.
+#deb http://us.archive.ubuntu.com/ubuntu bionic-updates main restricted
+# deb-src http://us.archive.ubuntu.com/ubuntu bionic-updates main restricted
+
+## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
+## team. Also, please note that software in universe WILL NOT receive any
+## review or updates from the Ubuntu security team.
+#deb http://us.archive.ubuntu.com/ubuntu bionic universe
+# deb-src http://us.archive.ubuntu.com/ubuntu bionic universe
+#deb http://us.archive.ubuntu.com/ubuntu bionic-updates universe
+# deb-src http://us.archive.ubuntu.com/ubuntu bionic-updates universe
+
+## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
+## team, and may not be under a free licence. Please satisfy yourself as to
+## your rights to use the software. Also, please note that software in
+## multiverse WILL NOT receive any review or updates from the Ubuntu
+## security team.
+#deb http://us.archive.ubuntu.com/ubuntu bionic multiverse
+# deb-src http://us.archive.ubuntu.com/ubuntu bionic multiverse
+#deb http://us.archive.ubuntu.com/ubuntu bionic-updates multiverse
+# deb-src http://us.archive.ubuntu.com/ubuntu bionic-updates multiverse
+
+## N.B. software from this repository may not have been tested as
+## extensively as that contained in the main release, although it includes
+## newer versions of some applications which may provide useful features.
+## Also, please note that software in backports WILL NOT receive any review
+## or updates from the Ubuntu security team.
+#deb http://us.archive.ubuntu.com/ubuntu bionic-backports main restricted universe multiverse
+# deb-src http://us.archive.ubuntu.com/ubuntu bionic-backports main restricted universe multiverse
+
+## Uncomment the following two lines to add software from Canonical's
+## 'partner' repository.
+## This software is not part of Ubuntu, but is offered by Canonical and the
+## respective vendors as a service to Ubuntu users.
+# deb http://archive.canonical.com/ubuntu bionic partner
+# deb-src http://archive.canonical.com/ubuntu bionic partner
+
+#deb http://us.archive.ubuntu.com/ubuntu bionic-security main restricted
+# deb-src http://us.archive.ubuntu.com/ubuntu bionic-security main restricted
+#deb http://us.archive.ubuntu.com/ubuntu bionic-security universe
+# deb-src http://us.archive.ubuntu.com/ubuntu bionic-security universe
+#deb http://us.archive.ubuntu.com/ubuntu bionic-security multiverse
+# deb-src http://us.archive.ubuntu.com/ubuntu bionic-security multiverse
+
+deb http://mirror.mirantis.com/testing/ceph-nautilus/bionic bionic main
+deb https://mirror.mirantis.com/testing/kubernetes-extra/bionic bionic main
+deb http://linux.dell.com/repo/community/openmanage/930/bionic bionic main
+deb http://us.archive.ubuntu.com/ubuntu/ bionic main universe multiverse
+deb http://us.archive.ubuntu.com/ubuntu/ bionic-security main universe multiverse
+deb http://us.archive.ubuntu.com/ubuntu/ bionic-updates main universe multiverse
diff --git a/tools/test.sh b/tools/test.sh
index a41977c..afac473 100755
--- a/tools/test.sh
+++ b/tools/test.sh
@@ -45,7 +45,7 @@ object-storage-feature-enabled:
 EOF
 cat > openstack.creds << EOF
-export OS_AUTH_URL=http://identity-airship.intel-pod17.opnfv.org/v3
+export OS_AUTH_URL=http://identity-nc.intel-pod17.opnfv.org/v3
 export OS_USER_DOMAIN_NAME=default
 export OS_PROJECT_DOMAIN_NAME=default
 export OS_USERNAME=admin |
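Review bot: The three third-party entries at the end of the file (the two mirror.mirantis.com `/testing/` channels and the linux.dell.com OpenManage repository) are only as trustworthy as the Release signing keys apt holds for them, and nothing in this hunk installs or pins those keys; if deploy.sh provisions them, that is not visible here. Two of the three are fetched over plain http, which is acceptable only because apt's signature check is the sole integrity control, so the key handling deserves to be explicit. Consider scoping each key to its repository, e.g. `deb [signed-by=/usr/share/keyrings/<keyring-name>.gpg] http://mirror.mirantis.com/testing/ceph-nautilus/bionic bionic main` (likewise for the other two), together with a comment naming where each key is obtained from. A one-line comment stating that the `/testing/` channels are intentional for this pod would also help the next reader, since the rest of the file mirrors a stock Ubuntu sources.list.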