Diffstat (limited to 'compass-deck/misc')
34 files changed, 1436 insertions, 0 deletions
diff --git a/compass-deck/misc/Dockerfile b/compass-deck/misc/Dockerfile
new file mode 100644
index 0000000..116bf9f
--- /dev/null
+++ b/compass-deck/misc/Dockerfile
@@ -0,0 +1,86 @@
+from centos:latest
+
+# Add repos
+RUN rpm -Uvh https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm && \
+ sed -i 's/^mirrorlist=https/mirrorlist=http/g' /etc/yum.repos.d/epel.repo && \
+ rpm -Uvh http://rpms.famillecollet.com/enterprise/remi-release-7.rpm
+
+# yum update
+RUN yum update -y
+
+# udpate repo
+ADD misc/compass_install.repo /etc/yum.repos.d/compass_install.repo
+
+# Install packages
+RUN yum --enablerepo=compass_install --nogpgcheck install -y python python-devel git wget syslinux amqp mod_wsgi httpd bind rsync yum-utils gcc unzip openssl openssl098e ca-certificates mysql-devel mysql MySQL-python python-virtualenv python-setuptools python-pip bc libselinux-python libffi-devel openssl-devel vim net-tools
+
+# Add code
+RUN mkdir -p /root/compass-deck
+ADD . /root/compass-deck
+RUN cd /root/ && \
+ git clone git://git.openstack.org/openstack/compass-web
+
+RUN mkdir -p /root/compass-deck/compass && \
+ mv /root/compass-deck/actions /root/compass-deck/compass/ && \
+ mv /root/compass-deck/api /root/compass-deck/compass/ && \
+ mv /root/compass-deck/apiclient /root/compass-deck/compass/ && \
+ mv /root/compass-deck/deployment /root/compass-deck/compass/ && \
+ mv /root/compass-deck/utils /root/compass-deck/compass/ && \
+ mv /root/compass-deck/db /root/compass-deck/compass/ && \
+ mv /root/compass-deck/tasks /root/compass-deck/compass/ && \
+ mv /root/compass-deck/log_analyzor /root/compass-deck/compass/
+
+# pip
+RUN easy_install --upgrade pip && \
+ pip install --upgrade pip && \
+ pip install --upgrade setuptools && \
+ pip install --upgrade virtualenv && \
+ pip install --upgrade redis && \
+ pip install --upgrade virtualenvwrapper
+
+# http
+RUN mkdir -p /var/log/httpd && \
+ chmod -R 777 /var/log/httpd
+
+# virtualenv
+RUN yum install -y which && \
+ source `which virtualenvwrapper.sh` && \
+ mkvirtualenv --system-site-packages compass-core && \
+ workon compass-core && \
+ cd /root/compass-deck && \
+ pip 
install -U -r requirements.txt
+
+# web
+RUN mkdir -p /var/www/compass_web/v2.5 && \
+ cp -rf /root/compass-web/v2.5/target/* /var/www/compass_web/v2.5/
+
+# compass-server
+RUN echo "ServerName compass-deck:80" >> /etc/httpd/conf/httpd.conf
+RUN mkdir -p /opt/compass/bin && \
+ mkdir -p /opt/compass/db
+ADD misc/apache/ods-server.conf /etc/httpd/conf.d/ods-server.conf
+ADD misc/apache/http_pip.conf /etc/httpd/conf.d/http_pip.conf
+ADD misc/apache/images.conf /etc/httpd/conf.d/images.conf
+ADD misc/apache/packages.conf /etc/httpd/conf.d/packages.conf
+#COPY conf /etc/compass
+ADD bin/* /opt/compass/bin/
+RUN mkdir -p /var/www/compass && \
+ ln -s -f /opt/compass/bin/compass_wsgi.py /var/www/compass/compass.wsgi && \
+ cp -rf /usr/lib64/libcrypto.so.6 /usr/lib64/libcrypto.so
+
+
+# install comapss-deck code
+RUN mkdir -p /var/log/compass && \
+ chmod -R 777 /var/log/compass && \
+ chmod -R 777 /opt/compass/db && \
+ touch /root/compass-deck/compass/__init__.py && \
+ source `which virtualenvwrapper.sh` && \
+ workon compass-core && \
+ cd /root/compass-deck && \
+ python setup.py install && \
+ usermod -a -G root apache
+
+EXPOSE 80
+ADD start.sh /usr/local/bin/start.sh
+ENTRYPOINT ["/bin/bash", "-c"]
+CMD ["/usr/local/bin/start.sh"]
diff --git a/compass-deck/misc/adapter_changes/Debian.yml b/compass-deck/misc/adapter_changes/Debian.yml
new file mode 100644
index 0000000..0f76f75
--- /dev/null
+++ b/compass-deck/misc/adapter_changes/Debian.yml
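Review bot: The package and code supply chain in this Dockerfile is unauthenticated end to end: `remi-release-7.rpm` is fetched over plain `http://`, the EPEL mirrorlist is rewritten from https to http, the main `yum install` passes `--nogpgcheck`, and compass-web is cloned over `git://`, so nothing the image runs has a verified origin. Drop `--nogpgcheck` (import the compass_install repo key instead), fetch remi-release over `https://`, and clone with `https://git.openstack.org/openstack/compass-web`. Separately, `chmod -R 777` on `/var/log/httpd`, `/var/log/compass` and `/opt/compass/db` plus `usermod -a -G root apache` give the web worker far more than it needs; `chown -R apache:apache` on those paths would do. The `cp -rf /usr/lib64/libcrypto.so.6 /usr/lib64/libcrypto.so` line makes what is presumably the openssl098e compat library the default `libcrypto.so` for anything linking by that name, so a comment naming the consumer that needs it would help the next reader judge whether it is still required.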
@@ -0,0 +1,18 @@
+#############################################################################
+# Copyright (c) 2016 HUAWEI TECHNOLOGIES CO.,LTD and others.
+#
+# All rights reserved. This program and the accompanying materials
+# are made available under the terms of the Apache License, Version 2.0
+# which accompanies this distribution, and is available at
+# http://www.apache.org/licenses/LICENSE-2.0
+#############################################################################
+---
+
+cron_path: "/var/spool/cron/crontabs"
+
+packages:
+ - keystone
+
+services:
+ - apache2
+ - keystone
diff --git a/compass-deck/misc/adapter_changes/HA-ansible-multinodes.yml b/compass-deck/misc/adapter_changes/HA-ansible-multinodes.yml
new file mode 100644
index 0000000..b0c5810
--- /dev/null
+++ b/compass-deck/misc/adapter_changes/HA-ansible-multinodes.yml
@@ -0,0 +1,239 @@ +--- +- hosts: all + remote_user: root + pre_tasks: + - name: make sure ssh dir exist + file: + path: '{{ item.path }}' + owner: '{{ item.owner }}' + group: '{{ item.group }}' + state: directory + mode: 0755 + with_items: + - path: /root/.ssh + owner: root + group: root + + - name: write ssh config + copy: + content: "UserKnownHostsFile /dev/null\nStrictHostKeyChecking no" + dest: '{{ item.dest }}' + owner: '{{ item.owner }}' + group: '{{ item.group }}' + mode: 0600 + with_items: + - dest: /root/.ssh/config + owner: root + group: root + + - name: generate ssh keys + shell: if [ ! -f ~/.ssh/id_rsa.pub ]; then ssh-keygen -q -t rsa -f ~/.ssh/id_rsa -N ""; else echo "already gen ssh key!"; fi; + + - name: fetch ssh keys + fetch: src=/root/.ssh/id_rsa.pub dest=/tmp/ssh-keys-{{ ansible_hostname }} flat=yes + + - authorized_key: + user: root + key: "{{ lookup('file', 'item') }}" + with_fileglob: + - /tmp/ssh-keys-* + max_fail_percentage: 0 + roles: + - common + +- hosts: all + remote_user: root + accelerate: false + max_fail_percentage: 0 + roles: + - setup-network + +- hosts: ha + remote_user: root + accelerate: false + max_fail_percentage: 0 + roles: + - ha + +- hosts: controller + remote_user: root + accelerate: false + max_fail_percentage: 0 + roles: + - memcached + - apache + - database + - mq + - keystone + - nova-controller + - neutron-controller + - cinder-controller + - glance + - neutron-common + - neutron-network + - ceilometer_controller +# - ext-network + - dashboard + - heat + - aodh + +- hosts: all + remote_user: root + accelerate: false + max_fail_percentage: 0 + roles: + - storage + +- hosts: compute + remote_user: root + accelerate: false + max_fail_percentage: 0 + roles: + - nova-compute + - neutron-compute + - cinder-volume + - ceilometer_compute + +- hosts: all + remote_user: root + accelerate: false + max_fail_percentage: 0 + roles: + - secgroup + +- hosts: ceph_adm + remote_user: root + accelerate: false + max_fail_percentage: 0 + 
roles: [] + # - ceph-deploy + +- hosts: ceph + remote_user: root + accelerate: false + max_fail_percentage: 0 + roles: + - ceph-purge + - ceph-config + +- hosts: ceph_mon + remote_user: root + accelerate: false + max_fail_percentage: 0 + roles: + - ceph-mon + +- hosts: ceph_osd + remote_user: root + accelerate: false + max_fail_percentage: 0 + roles: + - ceph-osd + +- hosts: ceph + remote_user: root + accelerate: false + max_fail_percentage: 0 + roles: + - ceph-openstack + +- hosts: all + remote_user: root + accelerate: false + max_fail_percentage: 0 + roles: + - monitor + + +- hosts: all + remote_user: root + accelerate: false + max_fail_percentage: 0 + tasks: + - name: set bash to nova + user: + name: nova + shell: /bin/bash + + - name: make sure ssh dir exist + file: + path: '{{ item.path }}' + owner: '{{ item.owner }}' + group: '{{ item.group }}' + state: directory + mode: 0755 + with_items: + - path: /var/lib/nova/.ssh + owner: nova + group: nova + + - name: copy ssh keys for nova + shell: cp -rf /root/.ssh/id_rsa /var/lib/nova/.ssh; + + - name: write ssh config + copy: + content: "UserKnownHostsFile /dev/null\nStrictHostKeyChecking no" + dest: '{{ item.dest }}' + owner: '{{ item.owner }}' + group: '{{ item.group }}' + mode: 0600 + with_items: + - dest: /var/lib/nova/.ssh/config + owner: nova + group: nova + + - authorized_key: + user: nova + key: "{{ lookup('file', 'item') }}" + with_fileglob: + - /tmp/ssh-keys-* + + - name: chown ssh file + shell: chown -R nova:nova /var/lib/nova/.ssh; + + +- hosts: all + remote_user: root + max_fail_percentage: 0 + roles: + - odl_cluster + +- hosts: all + remote_user: root + accelerate: false + max_fail_percentage: 0 + roles: + - onos_cluster + +- hosts: all + remote_user: root + sudo: True + max_fail_percentage: 0 + roles: + - open-contrail + +- hosts: all + remote_user: root + serial: 1 + max_fail_percentage: 0 + roles: + - odl_cluster_neutron + +- hosts: all + remote_user: root + max_fail_percentage: 0 + roles: + - 
odl_cluster_post + +- hosts: controller + remote_user: root + max_fail_percentage: 0 + roles: + - ext-network + +- hosts: controller + remote_user: root + accelerate: false + max_fail_percentage: 0 + roles: + - tacker diff --git a/compass-deck/misc/adapter_changes/keystone_install.yml b/compass-deck/misc/adapter_changes/keystone_install.yml new file mode 100644 index 0000000..01907c6 --- /dev/null +++ b/compass-deck/misc/adapter_changes/keystone_install.yml 
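Review bot: The key handling in the first play and in the `set bash to nova` play makes every host's root key valid for root and for `nova` on every other host: `fetch` collects each node's `id_rsa.pub` into `/tmp/ssh-keys-*` on the control host, `authorized_key` pushes the whole glob to both users, and `cp -rf /root/.ssh/id_rsa /var/lib/nova/.ssh` hands root's private key to the nova service account, all under `StrictHostKeyChecking no` with `UserKnownHostsFile /dev/null`. Generate a separate key for nova (`ssh-keygen -q -t rsa -f /var/lib/nova/.ssh/id_rsa -N ""` run as nova) and authorize only that key for the nova user, so a compromised compute service does not hold root's key; the known-hosts bypass should at least be scoped to the deployment-time play rather than written permanently into `/root/.ssh/config`. Note also that `key: "{{ lookup('file', 'item') }}"` quotes the loop variable, which appears to work only because older Ansible re-templated bare lookup terms; on Ansible 2.x it reads a file literally named `item`, and `lookup('file', item)` is the portable form. The glob is also read from world-writable `/tmp` on the control host, so any local user there could presumably inject a key into every node — a per-run `mktemp -d` directory would close that.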
@@ -0,0 +1,74 @@ +############################################################################## +# Copyright (c) 2016 HUAWEI TECHNOLOGIES CO.,LTD and others. +# +# All rights reserved. This program and the accompanying materials +# are made available under the terms of the Apache License, Version 2.0 +# which accompanies this distribution, and is available at +# http://www.apache.org/licenses/LICENSE-2.0 +############################################################################## +--- +- include_vars: "{{ ansible_os_family }}.yml" + +- name: disable auto start + copy: + content: "#!/bin/sh\nexit 101" + dest: "/usr/sbin/policy-rc.d" + mode: 0755 + when: ansible_os_family == "Debian" + +- name: install keystone packages + action: "{{ ansible_pkg_mgr }} name={{ item }} state=present" + with_items: packages | union(packages_noarch) + +- name: enable auto start + file: + path=/usr/sbin/policy-rc.d + state=absent + when: ansible_os_family == "Debian" + +- name: generate keystone service list + lineinfile: dest=/opt/service create=yes line='{{ item }}' + with_items: services | union(services_noarch) + +- name: delete sqlite database + file: + path: /var/lib/keystone/keystone.db + state: absent + +- name: update keystone conf + template: src=keystone.conf dest=/etc/keystone/keystone.conf backup=yes + notify: + - restart keystone services + +- name: update apache2 configs + template: + src: wsgi-keystone.conf.j2 + dest: '{{ apache_config_dir }}/sites-available/wsgi-keystone.conf' + when: ansible_os_family == 'Debian' + notify: + - restart keystone services + +- name: update apache2 configs + template: + src: wsgi-keystone.conf.j2 + dest: '{{ apache_config_dir }}/wsgi-keystone.conf' + when: ansible_os_family == 'RedHat' + notify: + - restart keystone services + +- name: enable keystone server + file: + src: "{{ apache_config_dir }}/sites-available/wsgi-keystone.conf" + dest: "{{ apache_config_dir }}/sites-enabled/wsgi-keystone.conf" + state: "link" + when: 
ansible_os_family == 'Debian' + notify: + - restart keystone services + +- name: keystone source files + template: src={{ item }} dest=/opt/{{ item }} + with_items: + - admin-openrc.sh + - demo-openrc.sh + +- meta: flush_handlers diff --git a/compass-deck/misc/adapter_changes/preseed_post_anamon_local b/compass-deck/misc/adapter_changes/preseed_post_anamon_local new file mode 100644 index 0000000..c4f461f --- /dev/null +++ b/compass-deck/misc/adapter_changes/preseed_post_anamon_local 
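Review bot: The `keystone source files` task renders `admin-openrc.sh` and `demo-openrc.sh` into `/opt` with no `owner`/`mode`, so they land with the default umask (typically world-readable); openrc files conventionally carry `OS_PASSWORD`, so these presumably expose the admin credential to every local account. Add `mode: 0600` and `owner: root` to that template task. The `update keystone conf` task has the same gap and additionally uses `backup=yes`, which leaves timestamped copies of `keystone.conf` (typically holding the database connection string) beside the live file with whatever mode they inherited; `mode=0640 group=keystone` plus dropping `backup=yes`, or cleaning the backups up, would close that. The bare `with_items: packages | union(packages_noarch)` form is deprecated on Ansible 2.x and should be `with_items: "{{ packages | union(packages_noarch) }}"` (same for `services`).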
@@ -0,0 +1,80 @@ +#if $str($getVar('anamon_enabled','')) == "1" + +## install anamon script + #if $getVar("compass_server", "") != "" +wget -O /usr/local/sbin/anamon "http://$compass_server:$http_port/cobbler/aux/anamon" + #else +wget -O /usr/local/sbin/anamon "http://$server:$http_port/cobbler/aux/anamon" + #end if +## install anamon system service +cat << EOF > /etc/init.d/anamon.init +#raw +#!/bin/bash +## BEGIN INIT INFO +# Provides: anamon.init +# Default-Start: 3 5 +# Default-Stop: 0 1 2 4 6 +# Required-Start: $network +# Short-Description: Starts the cobbler anamon boot notification program +# Description: anamon runs the first time a machine is booted after +# installation. +## END INIT INFO + +# +# anamon.init: Starts the cobbler post-install boot notification program +# +# chkconfig: 35 95 95 +# +# description: anamon runs the first time a machine is booted after +# installation. +# +#end raw +cd /var/log/installer +gunzip initial-status.gz +cd - +#if $getVar("compass_server","") != "" +/usr/local/sbin/anamon --watchfile "/var/log/installer/syslog /var/log/installer/hardware-summary /var/log/installer/initial-status /var/log/installer/status" --name $name --server $compass_server --port $http_port --exit +#else +/usr/local/sbin/anamon --watchfile "/var/log/installer/syslog /var/log/installer/hardware-summary /var/log/installer/initial-status /var/log/installer/status" --name $name --server $server --port $http_port --exit +#end if +update-rc.d -f anamon remove +mv /etc/init.d/anamon.init /tmp/anamon.init +EOF + +## adjust permissions +chmod 755 /etc/init.d/anamon.init /usr/local/sbin/anamon +test -d /selinux && restorecon /etc/init.d/anamon.init /usr/local/sbin/anamon + +## enable the script +update-rc.d anamon.init defaults 95 95 +#end if + +## place start-up script for updating os state +#if $getVar('compass_server', '') != "" + #set srv = $getVar('compass_server','') +#else + #set srv = $getVar('server','') +#end if +cat << EOF > /etc/init.d/set_state 
+#raw +#!/bin/bash +# Provides: set_state +# Default-Start: 3 5 +# Default-Stop: 0 1 2 4 6 +# Required-Start: $network $ssh +# Short-Description: Notifies the os installation is finished +# Description: set_state runs the first time a machine is booted after +# installation. +#end raw +wget -O /tmp/os_state --post-data='{"ready": true}' --header=Content-Type:application/json "http://$srv/api/hosts/${host_id}/state_internal" +update-rc.d -f set_state remove +mv /etc/init.d/set_state /tmp/set_state +EOF + +## adjust permissions +chmod 755 /etc/init.d/set_state +test -d /selinux && restorecon /etc/init.d/set_state + +update-rc.d set_state defaults 99 99 + +echo "compass_server=$server" >> /etc/compass.conf diff --git a/compass-deck/misc/adapter_changes/preseed_post_anamon_remote b/compass-deck/misc/adapter_changes/preseed_post_anamon_remote new file mode 100644 index 0000000..aae183a --- /dev/null +++ b/compass-deck/misc/adapter_changes/preseed_post_anamon_remote 
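Review bot: The anamon installer fetches an executable over plain HTTP (`wget -O /usr/local/sbin/anamon "http://$compass_server:$http_port/cobbler/aux/anamon"`), marks it 755 and runs it from an init script at first boot, so anything between the node and the deployment server can hand the new host a root-level script; the later `state_internal` POST is likewise unauthenticated plaintext. If the compass server can serve TLS, switch both URLs to `https://`; otherwise at least ship a known digest in the template and check it (`echo "$anamon_sha256  /usr/local/sbin/anamon" | sha256sum -c`) before the `chmod 755`. Also, both heredocs use an unquoted `<< EOF`, so at post-install time the shell expands `$network` and `$ssh` in the LSB `Required-Start:` headers (the `#raw` block only protects them from Cheetah), presumably to empty; `cat << 'EOF'` keeps them intact, since `$srv`, `$name` and `${host_id}` are substituted by Cheetah before the shell ever sees the script.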
@@ -0,0 +1,80 @@ +#if $str($getVar('anamon_enabled','')) == "1" + +## install anamon script + #if $getVar("compass_server", "") != "" +wget -O /usr/local/sbin/anamon "http://$compass_server:$http_port/cobbler/aux/anamon" + #else +wget -O /usr/local/sbin/anamon "http://$server:$http_port/cobbler/aux/anamon" + #end if +## install anamon system service +cat << EOF > /etc/init.d/anamon.init +#raw +#!/bin/bash +## BEGIN INIT INFO +# Provides: anamon.init +# Default-Start: 3 5 +# Default-Stop: 0 1 2 4 6 +# Required-Start: $network +# Short-Description: Starts the cobbler anamon boot notification program +# Description: anamon runs the first time a machine is booted after +# installation. +## END INIT INFO + +# +# anamon.init: Starts the cobbler post-install boot notification program +# +# chkconfig: 35 95 95 +# +# description: anamon runs the first time a machine is booted after +# installation. +# +#end raw +cd /var/log/installer +gunzip initial-status.gz +cd - +#if $getVar("compass_server","") != "" +/usr/local/sbin/anamon --watchfile "/var/log/installer/syslog /var/log/installer/hardware-summary /var/log/installer/initial-status /var/log/installer/status" --name $name --server $compass_server --port $http_port --exit +#else +/usr/local/sbin/anamon --watchfile "/var/log/installer/syslog /var/log/installer/hardware-summary /var/log/installer/initial-status /var/log/installer/status" --name $name --server $server --port $http_port --exit +#end if +update-rc.d -f anamon remove +mv /etc/init.d/anamon.init /tmp/anamon.init +EOF + +## adjust permissions +chmod 755 /etc/init.d/anamon.init /usr/local/sbin/anamon +test -d /selinux && restorecon /etc/init.d/anamon.init /usr/local/sbin/anamon + +## enable the script +update-rc.d anamon.init defaults 95 95 +#end if + +## place start-up script for updating os state +#if $getVar('compass_server', '') != "" + #set srv = $getVar('compass_server','') +#else + #set srv = $getVar('server','') +#end if +cat << EOF > /etc/init.d/set_state 
+#raw +#!/bin/bash +# Provides: set_state +# Default-Start: 3 5 +# Default-Stop: 0 1 2 4 6 +# Required-Start: $network $ssh +# Short-Description: Notifies the os installation is finished +# Description: set_state runs the first time a machine is booted after +# installation. +#end raw +wget -O /tmp/os_state --post-data='{"ready": true}' --header=Content-Type:application/json "http://c.stack360.io/api/hosts/${host_id}/state_internal" +update-rc.d -f set_state remove +mv /etc/init.d/set_state /tmp/set_state +EOF + +## adjust permissions +chmod 755 /etc/init.d/set_state +test -d /selinux && restorecon /etc/init.d/set_state + +update-rc.d set_state defaults 99 99 + +echo "compass_server=$server" >> /etc/compass.conf diff --git a/compass-deck/misc/apache/README b/compass-deck/misc/apache/README new file mode 100644 index 0000000..73b883c --- /dev/null +++ b/compass-deck/misc/apache/README @@ -0,0 +1,15 @@ +Apache2 is supported. mod_wsgi is required to run Compass web app. + +On Ubuntu systems (e.g, 12.04), you can install mod_wsgi with + sudo aptitude install libapache2-mod-wsgi + +The current wsgi config file assumes that the environment variable +ODS_PROJECT_HOME is set in /etc/apache2/envvars file.You also need +to make sure mod_rewrite module in apache is enabled. If not, you +need to run the command: sudo a2enmod rewrite + +We also assume that the server host name is ods-server.us.huawei.com. + +Restart Apache to get mod_wsgi to work. + +sudo service apache2 restart diff --git a/compass-deck/misc/apache/cobbler_web.conf b/compass-deck/misc/apache/cobbler_web.conf new file mode 100644 index 0000000..f03d4fe --- /dev/null +++ b/compass-deck/misc/apache/cobbler_web.conf 
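Review bot: The `set_state` script posts the host's ready notification to a hard-coded public hostname, `http://c.stack360.io/api/hosts/${host_id}/state_internal`, over plain HTTP, while the `$srv` variable computed just above from `compass_server`/`server` is never used in this file; every installed node therefore reports to an external endpoint, and if that name is ever repointed or intercepted the installation status can be spoofed or leaked. Use `"http://$srv/api/hosts/${host_id}/state_internal"` as the local variant does, or make the remote endpoint a template variable with an `https://` default rather than a literal. The rest of this file duplicates `preseed_post_anamon_local` line for line, so the unauthenticated anamon download and the unquoted `<< EOF` heredocs raise the same concerns here.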
@@ -0,0 +1,10 @@
+# This configuration file enables the cobbler web
+# interface (django version)
+
+# Force everything to go to https
+RewriteEngine on
+RewriteCond %{HTTPS} off
+RewriteCond %{REQUEST_URI} ^/cobbler_web
+# RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
+
+WSGIScriptAlias /cobbler_web /usr/share/cobbler/web/cobbler.wsgi
diff --git a/compass-deck/misc/apache/http_pip.conf b/compass-deck/misc/apache/http_pip.conf
new file mode 100644
index 0000000..9a61de2
--- /dev/null
+++ b/compass-deck/misc/apache/http_pip.conf
@@ -0,0 +1,9 @@
+Alias /pip /var/www/pip
+
+<Directory "/var/www/pip">
+ SetEnv VIRTUALENV
+ Options Indexes FollowSymLinks
+ Order allow,deny
+ Allow from all
+</Directory>
+
diff --git a/compass-deck/misc/apache/images.conf b/compass-deck/misc/apache/images.conf
new file mode 100644
index 0000000..d38986a
--- /dev/null
+++ b/compass-deck/misc/apache/images.conf
@@ -0,0 +1,9 @@
+Alias /image /var/www/guestimg
+
+<Directory "/var/www/guestimg">
+ SetEnv VIRTUALENV
+ Options Indexes FollowSymLinks
+ Order allow,deny
+ Allow from all
+</Directory>
+
diff --git a/compass-deck/misc/apache/ods-server.conf b/compass-deck/misc/apache/ods-server.conf
new file mode 100644
index 0000000..a773777
--- /dev/null
+++ b/compass-deck/misc/apache/ods-server.conf
@@ -0,0 +1,18 @@
+# Apache config for ods server
+#
+# Specify python path if you use virtualenv
+
+WSGIDaemonProcess compass threads=4 display-name=%{GROUP}
+WSGIProcessGroup compass
+WSGIScriptAlias /api /var/www/compass/compass.wsgi
+WSGISocketPrefix /var/run/wsgi
+
+<VirtualHost *:80>
+ DocumentRoot /var/www/compass_web/v2.5
+
+ <Directory "/var/www/compass_web/v2.5">
+ Options Indexes FollowSymLinks
+ Order allow,deny
+ Allow from all
+ </Directory>
+</VirtualHost>
diff --git a/compass-deck/misc/apache/packages.conf b/compass-deck/misc/apache/packages.conf
new file mode 100644
index 0000000..0934fcd
--- /dev/null
+++ b/compass-deck/misc/apache/packages.conf
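Review bot: The `RewriteRule` that the comment `# Force everything to go to https` refers to is commented out, so the two `RewriteCond` lines have no rule to act on and `/cobbler_web` (presumably including its login form) is served over plain HTTP. Either restore `RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]` — noting that the SSL vhost added in this change listens on 445, so the target would need that port — or change the comment to say the redirect is intentionally disabled so the next reader is not misled.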
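Review bot: `Options Indexes FollowSymLinks` together with `Allow from all` on `/var/www/pip` lets any client list the directory and follow any symlink placed under it, so a link dropped into the tree by whatever populates this mirror exposes arbitrary files (for example the compass DB under `/opt/compass/db`, which the Dockerfile makes 777) to the network. `Indexes` is presumably needed here for pip `--find-links`, but `FollowSymLinks` is not; use `Options Indexes SymLinksIfOwnerMatch`. The same stanza appears in `images.conf`, `packages.conf` and the `ods-server.conf` DocumentRoot and deserves the same change, and `Order allow,deny`/`Allow from all` is Apache 2.2 syntax that on the httpd 2.4 shipped with CentOS 7 only works through mod_access_compat — `Require all granted` is the native form.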
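Review bot: The compass REST API (`WSGIScriptAlias /api`) and the UI are bound only to `<VirtualHost *:80>`, so API logins and any tokens the UI holds travel in clear text; the `ssl.conf` added in this change listens on 445 but is not among the `ADD misc/apache/*.conf` lines in the Dockerfile, so at least in this image it never applies. Either add `ssl.conf` to the image and redirect 80 to it, or state in the header comment that TLS is expected to be terminated in front of this host. `Options Indexes` on a static SPA DocumentRoot also publishes the build tree listing for no benefit; `Options -Indexes +FollowSymLinks` is enough for the UI.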
@@ -0,0 +1,9 @@
+Alias /packages /var/www/packages
+
+<Directory "/var/www/packages">
+ SetEnv VIRTUALENV
+ Options Indexes FollowSymLinks
+ Order allow,deny
+ Allow from all
+</Directory>
+
diff --git a/compass-deck/misc/apache/ssl.conf b/compass-deck/misc/apache/ssl.conf
new file mode 100644
index 0000000..703f97d
--- /dev/null
+++ b/compass-deck/misc/apache/ssl.conf
@@ -0,0 +1,221 @@ +# +# This is the Apache server configuration file providing SSL support. +# It contains the configuration directives to instruct the server how to +# serve pages over an https connection. For detailing information about these +# directives see <URL:http://httpd.apache.org/docs/2.2/mod/mod_ssl.html> +# +# Do NOT simply read the instructions in here without understanding +# what they do. They're here only as hints or reminders. If you are unsure +# consult the online docs. You have been warned. +# + +LoadModule ssl_module modules/mod_ssl.so + +# +# When we also provide SSL we have to listen to the +# the HTTPS port in addition. +# +Listen 445 + +## +## SSL Global Context +## +## All SSL configuration in this context applies both to +## the main server and all SSL-enabled virtual hosts. +## + +# Pass Phrase Dialog: +# Configure the pass phrase gathering process. +# The filtering dialog program (`builtin' is a internal +# terminal dialog) has to provide the pass phrase on stdout. +SSLPassPhraseDialog builtin + +# Inter-Process Session Cache: +# Configure the SSL Session Cache: First the mechanism +# to use and second the expiring timeout (in seconds). +SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000) +SSLSessionCacheTimeout 300 + +# Semaphore: +# Configure the path to the mutual exclusion semaphore the +# SSL engine uses internally for inter-process synchronization. + +# Pseudo Random Number Generator (PRNG): +# Configure one or more sources to seed the PRNG of the +# SSL library. The seed data should be of good random quality. +# WARNING! On some platforms /dev/random blocks if not enough entropy +# is available. This means you then cannot use the /dev/random device +# because it would lead to very long connection times (as long as +# it requires to make more entropy available). But usually those +# platforms additionally provide a /dev/urandom device which doesn't +# block. So, if available, use this one instead. 
Read the mod_ssl User +# Manual for more details. +SSLRandomSeed startup file:/dev/urandom 256 +SSLRandomSeed connect builtin +#SSLRandomSeed startup file:/dev/random 512 +#SSLRandomSeed connect file:/dev/random 512 +#SSLRandomSeed connect file:/dev/urandom 512 + +# +# Use "SSLCryptoDevice" to enable any supported hardware +# accelerators. Use "openssl engine -v" to list supported +# engine names. NOTE: If you enable an accelerator and the +# server does not start, consult the error logs and ensure +# your accelerator is functioning properly. +# +SSLCryptoDevice builtin +#SSLCryptoDevice ubsec + +## +## SSL Virtual Host Context +## + +<VirtualHost _default_:445> + +# General setup for the virtual host, inherited from global configuration +#DocumentRoot "/var/www/html" +#ServerName www.example.com:443 + +# Use separate log files for the SSL virtual host; note that LogLevel +# is not inherited from httpd.conf. +ErrorLog logs/ssl_error_log +TransferLog logs/ssl_access_log +LogLevel warn + +# SSL Engine Switch: +# Enable/Disable SSL for this virtual host. +SSLEngine on + +# SSL Protocol support: +# List the enable protocol levels with which clients will be able to +# connect. Disable SSLv2 access by default: +SSLProtocol all -SSLv2 + +# SSL Cipher Suite: +# List the ciphers that the client is permitted to negotiate. +# See the mod_ssl documentation for a complete list. +SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW + +# Server Certificate: +# Point SSLCertificateFile at a PEM encoded certificate. If +# the certificate is encrypted, then you will be prompted for a +# pass phrase. Note that a kill -HUP will prompt again. A new +# certificate can be generated using the genkey(1) command. +SSLCertificateFile /etc/pki/tls/certs/localhost.crt + +# Server Private Key: +# If the key is not combined with the certificate, use this +# directive to point at the key file. 
Keep in mind that if +# you've both a RSA and a DSA private key you can configure +# both in parallel (to also allow the use of DSA ciphers, etc.) +SSLCertificateKeyFile /etc/pki/tls/private/localhost.key + +# Server Certificate Chain: +# Point SSLCertificateChainFile at a file containing the +# concatenation of PEM encoded CA certificates which form the +# certificate chain for the server certificate. Alternatively +# the referenced file can be the same as SSLCertificateFile +# when the CA certificates are directly appended to the server +# certificate for convinience. +#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt + +# Certificate Authority (CA): +# Set the CA certificate verification path where to find CA +# certificates for client authentication or alternatively one +# huge file containing all of them (file must be PEM encoded) +#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt + +# Client Authentication (Type): +# Client certificate verification type and depth. Types are +# none, optional, require and optional_no_ca. Depth is a +# number which specifies how deeply to verify the certificate +# issuer chain before deciding the certificate is not valid. +#SSLVerifyClient require +#SSLVerifyDepth 10 + +# Access Control: +# With SSLRequire you can do per-directory access control based +# on arbitrary complex boolean expressions containing server +# variable checks and other lookup directives. The syntax is a +# mixture between C and Perl. See the mod_ssl documentation +# for more details. +#<Location /> +#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \ +# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \ +# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \ +# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \ +# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \ +# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/ +#</Location> + +# SSL Engine Options: +# Set various options for the SSL engine. 
+# o FakeBasicAuth: +# Translate the client X.509 into a Basic Authorisation. This means that +# the standard Auth/DBMAuth methods can be used for access control. The +# user name is the `one line' version of the client's X.509 certificate. +# Note that no password is obtained from the user. Every entry in the user +# file needs this password: `xxj31ZMTZzkVA'. +# o ExportCertData: +# This exports two additional environment variables: SSL_CLIENT_CERT and +# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the +# server (always existing) and the client (only existing when client +# authentication is used). This can be used to import the certificates +# into CGI scripts. +# o StdEnvVars: +# This exports the standard SSL/TLS related `SSL_*' environment variables. +# Per default this exportation is switched off for performance reasons, +# because the extraction step is an expensive operation and is usually +# useless for serving static content. So one usually enables the +# exportation for CGI and SSI requests only. +# o StrictRequire: +# This denies access when "SSLRequireSSL" or "SSLRequire" applied even +# under a "Satisfy any" situation, i.e. when it applies access is denied +# and no other module can change it. +# o OptRenegotiate: +# This enables optimized SSL connection renegotiation handling when SSL +# directives are used in per-directory context. +#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire +<Files ~ "\.(cgi|shtml|phtml|php3?)$"> + SSLOptions +StdEnvVars +</Files> +<Directory "/var/www/cgi-bin"> + SSLOptions +StdEnvVars +</Directory> + +# SSL Protocol Adjustments: +# The safe and default but still SSL/TLS standard compliant shutdown +# approach is that mod_ssl sends the close notify alert but doesn't wait for +# the close notify alert from client. When you need a different shutdown +# approach you can use one of the following variables: +# o ssl-unclean-shutdown: +# This forces an unclean shutdown when the connection is closed, i.e. 
no +# SSL close notify alert is send or allowed to received. This violates +# the SSL/TLS standard but is needed for some brain-dead browsers. Use +# this when you receive I/O errors because of the standard approach where +# mod_ssl sends the close notify alert. +# o ssl-accurate-shutdown: +# This forces an accurate shutdown when the connection is closed, i.e. a +# SSL close notify alert is send and mod_ssl waits for the close notify +# alert of the client. This is 100% SSL/TLS standard compliant, but in +# practice often causes hanging connections with brain-dead browsers. Use +# this only for browsers where you know that their SSL implementation +# works correctly. +# Notice: Most problems of broken clients are also related to the HTTP +# keep-alive facility, so you usually additionally want to disable +# keep-alive for those clients, too. Use variable "nokeepalive" for this. +# Similarly, one has to force some clients to use HTTP/1.0 to workaround +# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and +# "force-response-1.0" for this. +SetEnvIf User-Agent ".*MSIE.*" \ + nokeepalive ssl-unclean-shutdown \ + downgrade-1.0 force-response-1.0 + +# Per-Server Logging: +# The home of a custom SSL log file. Use this when you want a +# compact non-error SSL logfile on a virtual host basis. +CustomLog logs/ssl_request_log \ + "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" + +</VirtualHost> + diff --git a/compass-deck/misc/chef-server/chef-server.rb b/compass-deck/misc/chef-server/chef-server.rb new file mode 100644 index 0000000..f7956a6 --- /dev/null +++ b/compass-deck/misc/chef-server/chef-server.rb @@ -0,0 +1,4 @@ +nginx['non_ssl_port'] = 8080 +nginx['enable_non_ssl'] = true +nginx['ssl_port'] = 443 +nginx['url'] = "https://#{node['fqdn']}" diff --git a/compass-deck/misc/ci/prepare_node_compass.sh b/compass-deck/misc/ci/prepare_node_compass.sh new file mode 100755 index 0000000..b9c40db --- /dev/null 
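Review bot: The TLS settings are the old mod_ssl defaults: `SSLProtocol all -SSLv2` still permits SSLv3, and `SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW` admits RC4, MEDIUM and LOW suites with no `SSLHonorCipherOrder`. Replace the two directives with `SSLProtocol all -SSLv2 -SSLv3` and `SSLCipherSuite HIGH:!aNULL:!MD5:!RC4:!3DES`, and add `SSLHonorCipherOrder on`. The vhost also serves `/etc/pki/tls/certs/localhost.crt` with `localhost.key` — presumably the distribution's auto-generated self-signed pair — on `Listen 445`, a non-standard port (SMB) that the Dockerfile in this change does not expose (`EXPOSE 80`); a comment stating where real certificates are expected and why 445 was chosen would save the next reader a search.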
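Review bot: `nginx['enable_non_ssl'] = true` with `nginx['non_ssl_port'] = 8080` opens the Chef server API over plain HTTP on 8080, so cookbooks, data bags and node attributes fetched by clients using that port travel unencrypted; Chef's signed request headers protect authentication but not confidentiality. If this exists only so that bootstrapped nodes can reach the server before they trust its certificate, say so in a comment and restrict 8080 to the installation network at the firewall; otherwise drop the two lines and keep `nginx['url']` on 443 alone.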
+++ b/compass-deck/misc/ci/prepare_node_compass.sh
@@ -0,0 +1,28 @@
+#!/bin/bash -x
+echo 0 > /selinux/enforce
+yum clean all
+yum -y update --skip-broken
+yum install -y virt-install libvirt qemu-kvm figlet rsyslog logrotate iproute openssh-clients python git wget python-setuptools python-netaddr python-flask python-flask-sqlalchemy python-amqplib amqp python-paramiko python-mock dhcp bind rsync yum-utils xinetd tftp-server gcc net-snmp-utils net-snmp net-snmp-python python-daemon unzip openssl openssl098e createrepo mkisofs python-cheetah python-simplejson python-urlgrabber PyYAML Django cman debmirror pykickstart libxml2-devel libxslt-devel python-devel sshpass bc
+service libvirtd start
+sed -i "s/Defaults requiretty/#Defaults requiretty/" /etc/sudoers
+brctl show |grep installation > /dev/null
+if [[ $? -eq 0 ]] ; then
+ echo "bridge already exists"
+else
+ brctl addbr installation
+ brctl addif installation eth1
+ ifconfig eth1 up
+ dhclient -r eth1
+ dhclient -r installation
+ dhclient installation
+fi
+git clone http://git.openstack.org/openstack/compass-core -b dev/experimental ||exit $?
+cd compass-core
+source install/install.conf.template
+source install/install.conf
+source install/setup_env.sh
+source install/dependency.sh
+source install/prepare.sh
+sync
+sleep 5
+echo "image preparation done"
diff --git a/compass-deck/misc/ci/pxe-deploy.sh b/compass-deck/misc/ci/pxe-deploy.sh
new file mode 100755
index 0000000..545c95a
--- /dev/null
+++ b/compass-deck/misc/ci/pxe-deploy.sh
@@ -0,0 +1,14 @@
+#!/bin/bash -xe
+ln -s /var/log/cobbler/anamon cobbler_logs
+ln -s /var/log/compass compass_logs
+ln -s /var/log/chef chef_logs
+cp compass-core/compass/apiclient/example.py /tmp/test.py
+chmod +x /tmp/test.py
+virsh destroy pxe01
+virsh start pxe01
+virsh list
+source compass-core/install/install.conf.template
+/usr/bin/python /tmp/test.py
+if [ "$tempest" == "true" ]; then
+ ./tempest_run.sh
+fi
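Review bot: `git clone http://git.openstack.org/openstack/compass-core -b dev/experimental` followed by five `source install/*.sh` lines executes code fetched over unauthenticated HTTP as root on the CI host; clone over `https://` and ideally pin a commit (`git checkout <sha>`) before sourcing anything. The script also drops SELinux to permissive with `echo 0 > /selinux/enforce` and strips `Defaults requiretty` from `/etc/sudoers` with an in-place `sed`, neither of which is reverted or explained; both deserve a comment naming the later step that needs them, and the sudoers change belongs in a drop-in under `/etc/sudoers.d/` validated with `visudo -c` rather than a regex over the main file. Note the script runs with `-x` only, not `-e`, so a failed `yum install` is silently followed by the rest.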
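Review bot: With `#!/bin/bash -xe`, the three unconditional `ln -s ... *_logs` lines abort the script on any re-run in the same workspace because the links already exist; `ln -sfn` makes them idempotent, and `virsh destroy pxe01` likewise returns non-zero when the domain is not running, so it presumably wants `|| true`. Copying `example.py` to the fixed path `/tmp/test.py` and executing it with `/usr/bin/python` from a root shell is a shared-`/tmp` race on a multi-user CI host; run it in place (`python compass-core/compass/apiclient/example.py`) or stage it under `mktemp -d`.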
diff --git a/compass-deck/misc/ci/pxe-prepare.sh b/compass-deck/misc/ci/pxe-prepare.sh
new file mode 100755
index 0000000..08f5eb3
--- /dev/null
+++ b/compass-deck/misc/ci/pxe-prepare.sh
@@ -0,0 +1,29 @@
+#!/bin/bash -x
+if [[ ! -e /tmp/pxe01.raw ]]; then
+ qemu-img create -f raw /tmp/pxe01.raw 20G
+else
+ rm -rf /tmp/pxe01.raw
+ qemu-img create -f raw /tmp/pxe01.raw 20G
+fi
+virsh list |grep pxe01
+vmrc=$?
+if [[ $vmrc -eq 0 ]] ; then
+ virsh destroy pxe01
+ virsh undefine pxe01
+else
+ echo "no legacy pxe vm found"
+fi
+virt-install --accelerate --hvm --connect qemu:///system \
+ --network=bridge:installation,mac=00:11:20:30:40:01 --pxe \
+ --network=network:default \
+ --name pxe01 --ram=8192 \
+ --disk /tmp/pxe01.raw,format=raw \
+ --vcpus=10 \
+ --graphics vnc,listen=0.0.0.0 --noautoconsole \
+ --os-type=linux --os-variant=rhel6
+rm -rf switch-file
+echo "machine,10.145.81.220,5,1,00:11:20:30:40:01" > switch-file
+echo "switch,10.145.81.220,huawei,v2c,public,under_monitoring" >> switch-file
+/usr/bin/python /opt/compass/bin/manage_db.py set_switch_machines --switch_machines_file switch-file
+/usr/bin/python /opt/compass/bin/manage_db.py clean_clusters
+/usr/bin/python /opt/compass/bin/manage_db.py clean_installation_progress
diff --git a/compass-deck/misc/ci/tempest_run.sh b/compass-deck/misc/ci/tempest_run.sh
new file mode 100755
index 0000000..7ac2212
--- /dev/null
+++ b/compass-deck/misc/ci/tempest_run.sh
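Review bot: `--graphics vnc,listen=0.0.0.0` exposes the test VM's VNC console on every interface of the CI host with no password, giving anyone who can reach the host a console on a machine that is about to be PXE-installed with a root account; use `--graphics vnc,listen=127.0.0.1` (tunnel in if a viewer is needed) or add `password=...`. The `switch-file` written below also hard-codes the lab address `10.145.81.220` and the SNMPv2c community `public`, which presumably belong in a variable or an untracked config rather than in the script. Minor: `vmrc=$?` captures only the `grep` status, so a transient `virsh list` failure is indistinguishable from "no legacy pxe vm found".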
@@ -0,0 +1,81 @@
+#!/bin/bash -xe
+# Determinate is the given option present in the INI file
+# ini_has_option config-file section option
+function ini_has_option {
+ local xtrace=$(set +o | grep xtrace)
+ set +o xtrace
+ local file=$1
+ local section=$2
+ local option=$3
+ local line
+ line=$(sed -ne "/^\[$section\]/,/^\[.*\]/ { /^$option[ \t]*=/ p; }" "$file")
+ $xtrace
+ [ -n "$line" ]
+}
+# Set an option in an INI file
+# iniset config-file section option value
+function iniset {
+ local xtrace=$(set +o | grep xtrace)
+ set +o xtrace
+ local file=$1
+ local section=$2
+ local option=$3
+ local value=$4
+
+ [[ -z $section || -z $option ]] && return
+
+ if ! grep -q "^\[$section\]" "$file" 2>/dev/null; then
+ # Add section at the end
+ echo -e "\n[$section]" >>"$file"
+ fi
+ if ! ini_has_option "$file" "$section" "$option"; then
+ # Add it
+ sed -i -e "/^\[$section\]/ a\\
+$option = $value
+" "$file"
+ else
+ local sep=$(echo -ne "\x01")
+ # Replace it
+ sed -i -e '/^\['${section}'\]/,/^\[.*\]/ s'${sep}'^\('${option}'[ \t]*=[ \t]*\).*$'${sep}'\1'"${value}"${sep} "$file"
+ fi
+ $xtrace
+}
+#Install prerequites for Tempest
+pip install tox==1.6.1
+#Install setuptools twice so that it is really upgraded
+pip install -U setuptools
+pip install -U setuptools
+pip install -U virtualenvwrapper
+yum install -y libxml2-devel libxslt-devel python-devel sshpass
+if [[ ! -e /tmp/tempest ]]; then
+ git clone http://git.openstack.org/openstack/tempest /tmp/tempest
+ cd /tmp/tempest
+else
+ cd /tmp/tempest
+ git remote set-url origin http://git.openstack.org/openstack/tempest
+ git remote update
+ git reset --hard
+ git clean -x -f -d -q
+ git checkout remotes/origin/master
+fi
+source `which virtualenvwrapper.sh`
+set +e
+if ! lsvirtualenv |grep tempest>/dev/null; then
+ mkvirtualenv tempest
+ workon tempest
+else
+ workon tempest
+fi
+set -e
+cd /tmp/tempest
+#Install Tempest including dependencies
+pip install -e .
+nova_api_host=$(knife search node 'roles:os-compute-api' | grep 'IP:' | awk '{print $2}' | head -1)
+sshpass -p 'root' scp -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -r root@$nova_api_host:/root/openrc /root/.
+source /root/openrc
+# wait for nova-compute neutron-agent and cinder-volume to report health
+# In some scenarios, nova-compute is up before conductor and has to retry
+# to register to conductor and there is some wait time between retries.
+timeout 180s sh -c "while ! nova service-list --binary nova-compute | grep 'enabled.*\ up\ '; do sleep 3; done"
+timeout 180s sh -c '''while ! neutron agent-list -f csv -c alive -c agent_type -c host | grep "\":-).*Open vSwitch agent.*\"" ; do sleep 3; done'''
+timeout 180s sh -c "cinder service-list --binary cinder-volume | grep 'enabled.*\ up\ '"
diff --git a/compass-deck/misc/ci/test-install.sh b/compass-deck/misc/ci/test-install.sh
new file mode 100755
index 0000000..22fd5d4
--- /dev/null
+++ b/compass-deck/misc/ci/test-install.sh
@@ -0,0 +1,22 @@
+#!/bin/bash -x
+# create a bridge named 'installation' so that compass and pxeboot vm are in the
+# same l2 network.
+brctl show |grep installation > /dev/null
+if [[ $? -eq 0 ]] ; then
+ echo "bridge already exists"
+else
+ brctl addbr installation
+ brctl addif installation eth1
+fi
+
+ifconfig installation 172.16.0.1 broadcast 172.16.0.0 netmask 255.255.0.0 up
+ifconfig eth1 up
+
+# kill the dhcp service started by libvirt to avoid conflict with dhcpd
+killall dnsmasq
+source compass-core/install/install.conf.template
+/bin/bash -x compass-core/install/install.sh || exit $?
+# echo "cache_peer 10.145.81.137 parent 3128 3130 default" >> /etc/squid/squid.conf
+# service squid restart
+# service squid status |grep running || exit $?
+# sleep 5
diff --git a/compass-deck/misc/compass_install.repo b/compass-deck/misc/compass_install.repo
new file mode 100644
index 0000000..6b97ed0
--- /dev/null
+++ b/compass-deck/misc/compass_install.repo
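Review bot: `sshpass -p 'root' scp -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -r root@$nova_api_host:/root/openrc /root/.` commits the compute node's root password to the repository and disables host-key verification, so the credential lives in git history and `/root/openrc` (which presumably holds OpenStack credentials) is pulled from whichever host answers at `$nova_api_host`. Take the password from an environment variable or CI secret rather than a literal, and let the deployment step populate a known-hosts file so StrictHostKeyChecking can stay on. If `knife search` returns nothing, `nova_api_host` is empty and the scp target degrades to `root@:/root/openrc`; a guard like `[ -n "$nova_api_host" ] || exit 1` would fail fast. The `ini_has_option`/`iniset` helpers defined at the top of this hunk are never called anywhere in the file as shown, so they can be dropped or the intended use documented.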
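Review bot: `ifconfig installation 172.16.0.1 broadcast 172.16.0.0 netmask 255.255.0.0 up` sets the broadcast address to the network address; for 172.16.0.0/16 the directed broadcast is 172.16.255.255, so use `broadcast 172.16.255.255` or omit the option and let ifconfig derive it from the netmask, otherwise DHCP on this bridge may misbehave. `killall dnsmasq` also kills every dnsmasq on the host rather than only libvirt's default-network instance that the comment describes; `virsh net-destroy default` is the targeted way to stop it.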
@@ -0,0 +1,5 @@
+[compass_install]
+name=compass_repo
+baseurl=http://192.168.104.2:9999/download/compass_install/centos7/
+gpgcheck=0
+enabled=1
diff --git a/compass-deck/misc/hosts b/compass-deck/misc/hosts
new file mode 100644
index 0000000..8b39e25
--- /dev/null
+++ b/compass-deck/misc/hosts
@@ -0,0 +1,3 @@
+127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
+::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
+$ipaddr $hostname
diff --git a/compass-deck/misc/logrotate.d/httpd b/compass-deck/misc/logrotate.d/httpd
new file mode 100644
index 0000000..794b9d7
--- /dev/null
+++ b/compass-deck/misc/logrotate.d/httpd
@@ -0,0 +1,9 @@
+/var/log/httpd/*log {
+ missingok
+ notifempty
+ sharedscripts
+ delaycompress
+ postrotate
+ /sbin/service httpd reload > /dev/null 2>/dev/null || true
+ endscript
+}
diff --git a/compass-deck/misc/logrotate.d/ntp b/compass-deck/misc/logrotate.d/ntp
new file mode 100644
index 0000000..6b290d5
--- /dev/null
+++ b/compass-deck/misc/logrotate.d/ntp
@@ -0,0 +1,9 @@
+/var/log/ntp.log {
+ missingok
+ notifempty
+ sharedscripts
+ delaycompress
+ postrotate
+ /sbin/service ntpd reload > /dev/null 2>/dev/null || true
+ endscript
+}
diff --git a/compass-deck/misc/logrotate.d/squid b/compass-deck/misc/logrotate.d/squid
new file mode 100644
index 0000000..1191d23
--- /dev/null
+++ b/compass-deck/misc/logrotate.d/squid
@@ -0,0 +1,9 @@
+/var/log/squid/*log {
+ missingok
+ notifempty
+ sharedscripts
+ delaycompress
+ postrotate
+ /sbin/service squid reload > /dev/null 2>/dev/null || true
+ endscript
+}
diff --git a/compass-deck/misc/logrotate.d/syslog b/compass-deck/misc/logrotate.d/syslog
new file mode 100644
index 0000000..db907ed
--- /dev/null
+++ b/compass-deck/misc/logrotate.d/syslog
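Review bot: `baseurl=http://192.168.104.2:9999/download/compass_install/centos7/` together with `gpgcheck=0` means packages from this repository are neither transport-protected nor signature-checked, so the package set of any image built from it cannot be verified after the fact. If the internal mirror cannot be signed yet, say so in the file (`# internal unsigned lab mirror; do not use for production images`) and plan for `gpgcheck=1` with a `gpgkey=` entry once it is.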
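Review bot: `delaycompress` without `compress` has no effect, so the logrotate.d/httpd stanza (and the identical ntp and squid stanzas in this commit) never compresses rotated logs; add `compress` next to `delaycompress` if compression is intended, otherwise drop the `delaycompress` line. None of the three set a `rotate` count or a `create` mode/owner, so retention depends on the global logrotate.conf and the recreated file's permissions on whatever the service chooses; the yum stanza in this same commit shows the `create 0600 root root` form that would make this explicit.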
@@ -0,0 +1,13 @@
+/var/log/cron
+/var/log/maillog
+/var/log/messages
+/var/log/secure
+/var/log/spooler
+/var/log/dhcpd.log
+/var/log/tftpd.log
+{
+ sharedscripts
+ postrotate
+ /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
+ endscript
+}
diff --git a/compass-deck/misc/logrotate.d/yum b/compass-deck/misc/logrotate.d/yum
new file mode 100644
index 0000000..e587f96
--- /dev/null
+++ b/compass-deck/misc/logrotate.d/yum
@@ -0,0 +1,7 @@
+/var/log/yum.log {
+ missingok
+ notifempty
+ size 30k
+ yearly
+ create 0600 root root
+}
diff --git a/compass-deck/misc/logstash-forwarder/logstash-forwarder.conf b/compass-deck/misc/logstash-forwarder/logstash-forwarder.conf
new file mode 100644
index 0000000..d0cffeb
--- /dev/null
+++ b/compass-deck/misc/logstash-forwarder/logstash-forwarder.conf
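Review bot: The syslog stanza adds `/var/log/dhcpd.log` and `/var/log/tftpd.log` to the rotated group but has no `missingok`, so on a host where no local5/local6 message has arrived yet (the rsyslog.conf in this commit only creates those files on first write) logrotate reports an error for the whole group. Add `missingok` next to `sharedscripts`. The `kill -HUP` via `/var/run/syslogd.pid` is fine with rsyslogd, which uses that pid file by default.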
@@ -0,0 +1,57 @@
+{
+ # The network section covers network configuration :)
+ "network": {
+ # A list of downstream servers listening for our messages.
+ # logstash-forwarder will pick one at random and only switch if
+ # the selected one appears to be dead or unresponsive
+ "servers": [ "www.stack360.io:5000" ],
+
+ # The path to your client ssl certificate (optional)
+ #"ssl certificate": "./logstash-forwarder.crt",
+ # The path to your client ssl key (optional)
+ #"ssl key": "./logstash-forwarder.key",
+
+ # The path to your trusted ssl CA file. This is used
+ # to authenticate your downstream server.
+ "ssl ca": "/etc/pki/tls/certs/logstash-forwarder.crt",
+
+ # Network timeout in seconds. This is most important for
+ # logstash-forwarder determining whether to stop waiting for an
+ # acknowledgement from the downstream server. If an timeout is reached,
+ # logstash-forwarder will assume the connection or server is bad and
+ # will connect to a server chosen at random from the servers list.
+ "timeout": 15
+ },
+
+ # The list of files configurations
+ "files": [
+ {
+ "paths": [
+ "/var/log/compass/celery.log"
+ ]
+ }
+ # An array of hashes. Each hash tells what paths to watch and
+ # what fields to annotate on events from those paths.
+ #{
+ #"paths": [
+ # single paths are fine
+ #"/var/log/messages",
+ # globs are fine too, they will be periodically evaluated
+ # to see if any new files match the wildcard.
+ #"/var/log/*.log"
+ #],
+
+ # A dictionary of fields to annotate on each event.
+ #"fields": { "type": "syslog" }
+ #}, {
+ # A path of "-" means stdin.
+ #"paths": [ "-" ],
+ #"fields": { "type": "stdin" }
+ #}, {
+ #"paths": [
+ #"/var/log/apache/httpd-*.log"
+ #],
+ #"fields": { "type": "apache" }
+ #}
+ ]
+}
diff --git a/compass-deck/misc/logstash-forwarder/logstash-forwarder.crt b/compass-deck/misc/logstash-forwarder/logstash-forwarder.crt
new file mode 100644
index 0000000..90f66b1
--- /dev/null
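Review bot: `"ssl ca": "/etc/pki/tls/certs/logstash-forwarder.crt"` trusts the certificate committed alongside in this change, which from its PEM contents appears to be a self-signed `*.stack360.io` certificate valid until August 2026; because the forwarder pins that one certificate as its trust root, every deployed host must be updated in step with any server key rotation, and nothing in this file says so. Add a comment above the `ssl ca` line: `# self-signed *.stack360.io cert pinned as trust root; must be replaced on every host when the server cert rotates (see logstash-forwarder.crt)`. A comment on `"servers"` noting that `/var/log/compass/celery.log` is shipped off-host to that endpoint would also let operators see what leaves the machine without reading the whole file.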
+++ b/compass-deck/misc/logstash-forwarder/logstash-forwarder.crt
@@ -0,0 +1,29 @@
+-----BEGIN CERTIFICATE-----
+MIIFAzCCAuugAwIBAgIJAKrryFncVfJNMA0GCSqGSIb3DQEBCwUAMBgxFjAUBgNV
+BAMMDSouc3RhY2szNjAuaW8wHhcNMTYwODE4MTcwNzEyWhcNMjYwODE2MTcwNzEy
+WjAYMRYwFAYDVQQDDA0qLnN0YWNrMzYwLmlvMIICIjANBgkqhkiG9w0BAQEFAAOC
+Ag8AMIICCgKCAgEAw4p1OVw8tMeYfk9828FiRLPhYWwHD2OCVwlKr8P3bl974I/P
+PhYTkrjEEe5SDYCWNcO58MxJ5X1vB2uQGNBBUFMni+KOqbVvcbPLL4Mkf8pjLdzD
+2pItE1X7UQ8p1iYBEyAnLoV4MjA7CJ4MmUtOOcCb6keHWEhyJFOj9IzkTjFCbKuL
+Y0paxayQOFlkuEK2d3Aa2HXgTLh3FFUX3kRqOcGg1uxEs2awf0nwP/NwcyfAgTSe
+6yqVjnb3GLYdy283FqvxW1MrZS9UAxp/tAXRgMT8I9L2wSrjnPmrabBv5I+Kuf0p
+EmLmxedOCTQsRYtYGL7TmySYgGuYtt/4UNKaG9tCPBnRXuMzlRClBDIoDhwLEKzC
+LlE8JKyClNgutMKcrHbWlEJiGxooyDC1H9gwkHTi3w7qF9BYYBhkXFN2Sl0mPk0m
+6NMfhQUAeqI0HlOsAX/HLwSWyRl0Nr2rvVJqgbbHRF18pADitQEuc/koT9qhON5f
+BReYhQZIarwPJ/UBgwgadrP79bvWJ5u9Oga6H7yHf49/UYD3gQCvu3/Hxo/IY6AX
+86eZg1ZObD6J0xpWb5jskVSgugar6Xq/h6iRkX8O3ssUdIyIxsIMhtCgxykSmdQY
+FDEIWGZq2kdEVvF6GR/EYJRxvASI+27TXzuxP1UodQQOXa8xySkKu9U5SqMCAwEA
+AaNQME4wHQYDVR0OBBYEFPLilPT6k6rRlxv9kCTW38VYy5AuMB8GA1UdIwQYMBaA
+FPLilPT6k6rRlxv9kCTW38VYy5AuMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEL
+BQADggIBAAdDy+R0bGCBQgiF2fGunl+AZ8zd0MZbtL4Kv53gunlhyaPQJ3Z+e3GF
+V+Z9BhvMUXE/XN3bsAIZYJekvclysYLBdK1C8n9Rli+AbBSGjwgttRAXeEqaZCbE
+QrNPukRgHThv6hyJNcf1TnR70xCBlcYOGQkEqWx1g0xrsG8ryGbum0BAG0YWLCYq
+BboP16FGAPjDlb10ysWy7HuGJorf470Kyb2iRfp4PX/zdYbcA8gcggGCT323JwuD
+Qwnd8kyX6+6pNhBJE3gAyPDhqvbFbpmo/Ia5pqmJkL3APee1bVI2itqZB/HnmyZ5
+UCIzqf4uAuEodN6yXiImHt0TagXtL4eEXNE2qjwsFSaHeyP6iXPX5tc8RMHzFQjH
+I3MzROHaeVUxs2rMxETGvq4+DebhGzCBKaJUWfMV6Y1+ovrE0MowcR8nO1Q4YQt3
+to+W5IrjI7zzQ7+4XqZm+Yz1DQ4Kr7s2iyAExvkq7kU5FAow6SLPIaOl7kbas2M4
+fwFisuEQT2Om+hbWWZTJ1T45KU5NjznkPqJZ9dCdyqs2mH7BE4vOkOULq81uFG06
+VnJHcO+wZM1iCLa1hy7F2S4fDTjTBYDcuD5GFkulFLeFH5X7zoPz20OGTRMXZONI
+CHEk1ibp8j/Q6bw1zd0jGm3KDUSx+0/Avfve/e28U4KAdNekrgQf
+-----END CERTIFICATE-----
diff --git a/compass-deck/misc/logstash-forwarder/logstash-forwarder.repo b/compass-deck/misc/logstash-forwarder/logstash-forwarder.repo
new file mode 100644
index 0000000..27d68ba
--- /dev/null
+++ b/compass-deck/misc/logstash-forwarder/logstash-forwarder.repo
@@ -0,0 +1,6 @@
+[logstashforwarder]
+name=logstashforwarder repository
+baseurl=http://packages.elasticsearch.org/logstashforwarder/centos
+gpgcheck=1
+gpgkey=http://packages.elasticsearch.org/GPG-KEY-elasticsearch
+enabled=1
diff --git a/compass-deck/misc/ntp/ntp.conf b/compass-deck/misc/ntp/ntp.conf
new file mode 100644
index 0000000..e1572f3
--- /dev/null
+++ b/compass-deck/misc/ntp/ntp.conf
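Review bot: `gpgkey=http://packages.elasticsearch.org/GPG-KEY-elasticsearch` fetches the signing key over plain HTTP, which undoes most of what `gpgcheck=1` buys since the key and the packages travel over the same unauthenticated channel. Switch both `baseurl` and `gpgkey` to `https://`, or ship the key inside the image and point `gpgkey` at a local `file://` path.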
@@ -0,0 +1,60 @@
+# For more information about this file, see the man pages
+# ntp.conf(5), ntp_acc(5), ntp_auth(5), ntp_clock(5), ntp_misc(5), ntp_mon(5).
+
+driftfile /var/lib/ntp/drift
+
+logfile /var/log/ntp.log
+
+# Permit time synchronization with our time source, but do not
+# permit the source to query or modify the service on this system.
+restrict default kod nomodify notrap nopeer noquery
+restrict -6 default kod nomodify notrap nopeer noquery
+
+# Permit all access over the loopback interface. This could
+# be tightened as well, but to do so would effect some of
+# the administrative functions.
+restrict 127.0.0.1
+restrict -6 ::1
+
+# Hosts on local network are less restricted.
+#restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
+
+# Use public servers from the pool.ntp.org project.
+# Please consider joining the pool (http://www.pool.ntp.org/join.html).
+server 0.centos.pool.ntp.org iburst
+server 1.centos.pool.ntp.org iburst
+server 2.centos.pool.ntp.org iburst
+server 3.centos.pool.ntp.org iburst
+
+#broadcast 192.168.1.255 autokey # broadcast server
+#broadcastclient # broadcast client
+#broadcast 224.0.1.1 autokey # multicast server
+#multicastclient 224.0.1.1 # multicast client
+#manycastserver 239.255.254.254 # manycast server
+#manycastclient 239.255.254.254 autokey # manycast client
+
+# Undisciplined Local Clock. This is a fake driver intended for backup
+# and when no outside source of synchronized time is available.
+server 127.127.1.0 # local clock
+#fudge 127.127.1.0 stratum 10
+
+# Enable public key cryptography.
+#crypto
+
+includefile /etc/ntp/crypto/pw
+
+# Key file containing the keys and key identifiers used when operating
+# with symmetric key cryptography.
+keys /etc/ntp/keys
+
+# Specify the key identifiers which are trusted.
+#trustedkey 4 8 42
+
+# Specify the key identifier to use with the ntpdc utility.
+#requestkey 8
+
+# Specify the key identifier to use with the ntpq utility.
+#controlkey 8
+
+# Enable writing of statistics records.
+#statistics clockstats cryptostats loopstats peerstats
diff --git a/compass-deck/misc/rsync b/compass-deck/misc/rsync
new file mode 100644
index 0000000..1f8b9b1
--- /dev/null
+++ b/compass-deck/misc/rsync
@@ -0,0 +1,14 @@
+# default: off
+# description: The rsync server is a good addition to an ftp server, as it \
+# allows crc checksumming etc.
+service rsync
+{
+ disable = no
+ flags = IPv6
+ socket_type = stream
+ wait = no
+ user = root
+ server = /usr/bin/rsync
+ server_args = --daemon
+ log_on_failure += USERID
+}
diff --git a/compass-deck/misc/rsyslog/rsyslog.conf b/compass-deck/misc/rsyslog/rsyslog.conf
new file mode 100644
index 0000000..306108b
--- /dev/null
+++ b/compass-deck/misc/rsyslog/rsyslog.conf
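Review bot: `server 127.127.1.0 # local clock` is active while the matching `#fudge 127.127.1.0 stratum 10` is commented out, so the undisciplined local clock runs at the driver's default stratum instead of being demoted to a last-resort source, and ntpd may select it over the pool servers whenever they are briefly unreachable. Either uncomment the fudge line or comment out the server line with it. `includefile /etc/ntp/crypto/pw` is also left active while `#crypto` is not, which may log an error at startup when the file is absent; if autokey is not used, drop the includefile line.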
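Review bot: `disable = no` turns the xinetd rsync daemon on, running as `user = root` and listening on every address, with no `only_from` or `bind` restriction in this stanza, so the access policy rests entirely on the rsyncd.conf module definitions, which this change does not include. Add `only_from = <INSTALL_SUBNET_PLACEHOLDER>` (or `bind` to the installation interface address) here, plus a comment naming which rsyncd.conf modules are meant to be served, so the two files can be reviewed together.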
@@ -0,0 +1,97 @@
+# rsyslog v5 configuration file
+
+# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
+# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html
+
+#### MODULES ####
+
+$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
+$ModLoad imklog # provides kernel logging support (previously done by rklogd)
+#$ModLoad immark # provides --MARK-- message capability
+
+# Provides UDP syslog reception
+#$ModLoad imudp
+#$UDPServerRun 514
+
+# Provides TCP syslog reception
+$ModLoad imtcp
+$InputTCPServerRun 514
+
+
+$WorkDirectory /var/lib/rsyslog
+
+# Added for chef logfiles
+$template Chef_log,"/var/log/chef/%syslogtag%/chef-client.log"
+$template Raw, "%rawmsg%"
+$template CustomLog, "%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n"
+$template Chef_Openstack_log, "/var/log/chef/%syslogtag%/%programname%.log"
+#### GLOBAL DIRECTIVES ####
+
+# Use default timestamp format
+$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
+
+# File syncing capability is disabled by default. This feature is usually not required,
+# not useful and an extreme performance hit
+#$ActionFileEnableSync on
+
+# Include all config files in /etc/rsyslog.d/
+$IncludeConfig /etc/rsyslog.d/*.conf
+
+
+#### RULES ####
+
+# Log all kernel messages to the console.
+# Logging much else clutters up the screen.
+#kern.* /dev/console
+
+# Log anything (except mail) of level info or higher.
+# Don't log private authentication messages!
+syslog.*,daemon.* /var/log/messages
+
+# The authpriv file has restricted access.
+authpriv.* /var/log/secure
+
+# Log all the mail messages in one place.
+mail.* -/var/log/maillog
+
+
+# Log cron stuff
+cron.* /var/log/cron
+
+# Log dhcpd
+local6.* /var/log/dhcpd.log
+
+# Log tftpd
+local5.* /var/log/tftpd.log
+
+# Everybody gets emergency messages
+*.emerg *
+
+# Save news errors of level crit and higher in a special file.
+uucp,news.crit /var/log/spooler
+
+# Save boot messages also to boot.log
+local7.* /var/log/boot.log
+
+
+local3.* -?Chef_log
+
+local4.* -?Chef_Openstack_log;CustomLog
+
+# ### begin forwarding rule ###
+# The statement between the begin ... end define a SINGLE forwarding
+# rule. They belong together, do NOT split them. If you create multiple
+# forwarding rules, duplicate the whole block!
+# Remote Logging (we use TCP for reliable delivery)
+#
+# An on-disk queue is created for this action. If the remote host is
+# down, messages are spooled to disk and sent when it is up again.
+#$WorkDirectory /var/lib/rsyslog # where to place spool files
+#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
+#$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
+#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
+#$ActionQueueType LinkedList # run asynchronously
+#$ActionResumeRetryCount -1 # infinite retries if host is down
+# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
+#*.* @@remote-host:514
+# ### end of the forwarding rule ###
diff --git a/compass-deck/misc/snmp/snmp.conf b/compass-deck/misc/snmp/snmp.conf
new file mode 100644
index 0000000..34f8053
--- /dev/null
+++ b/compass-deck/misc/snmp/snmp.conf
@@ -0,0 +1 @@
+mibdirs +/usr/local/share/snmp/mibs
diff --git a/compass-deck/misc/squid/squid.conf b/compass-deck/misc/squid/squid.conf
new file mode 100644
index 0000000..018da20
--- /dev/null
+++ b/compass-deck/misc/squid/squid.conf
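Review bot: `$InputTCPServerRun 514` accepts syslog from any sender, and the `Chef_log` and `Chef_Openstack_log` templates build the output path from the remote-supplied `%syslogtag%` and `%programname%` properties without sanitising them; rsyslog's `secpath-replace` / `secpath-drop` property options exist for exactly this, e.g. `$template Chef_log,"/var/log/chef/%syslogtag:::secpath-replace%/chef-client.log"` (and the same for Chef_Openstack_log), so a malformed tag stays confined to /var/log/chef. Pair that with `$AllowedSender TCP, <INSTALL_SUBNET_PLACEHOLDER>` before the `$InputTCPServerRun` line to limit which hosts may write. The comment above `syslog.*,daemon.* /var/log/messages` still reads "Log anything (except mail) of level info or higher", which no longer describes that selector; update it to say only the syslog and daemon facilities are kept there.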
@@ -0,0 +1,71 @@
+#
+# Recommended minimum configuration:
+#
+acl manager proto cache_object
+acl localhost src 127.0.0.1/32 ::1
+acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
+
+# Example rule allowing access from your local networks.
+# Adapt to list your (internal) IP networks from where browsing
+# should be allowed
+acl localnet src $subnet # the subnet of local network
+acl localnet src fc00::/7 # RFC 4193 local private network range
+acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
+
+acl CONNECT method CONNECT
+
+#
+# Recommended minimum Access Permission configuration:
+#
+# Only allow cachemgr access from localhost
+http_access allow manager localhost
+http_access deny manager
+
+# We strongly recommend the following be uncommented to protect innocent
+# web applications running on the proxy server who think the only
+# one who can access services on "localhost" is a local user
+http_access deny to_localhost
+
+#
+# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
+#
+
+# Example rule allowing access from your local networks.
+# Adapt localnet in the ACL section to list your (internal) IP networks
+# from where browsing should be allowed
+http_access allow localnet
+http_access allow localhost
+
+# And finally deny all other access to this proxy
+http_access deny all
+
+# Squid normally listens to port 3128
+http_port 3128
+
+# We recommend you to use at least the following line.
+# hierarchy_stoplist cgi-bin ?
+
+cache_mem 512 MB
+maximum_object_size_in_memory 512 KB
+maximum_object_size 512 MB
+# Uncomment and adjust the following to add a disk cache directory.
+cache_dir aufs /var/squid/cache 25000 16 256
+
+cache_store_log /var/log/squid/store.log
+
+access_log none
+
+# Leave coredumps in the first cache dir
+coredump_dir /var/spool/squid
+
+# Add any of your own refresh_pattern entries above these.
+refresh_pattern . 
86400 50% 518400
+
+quick_abort_min -1 QB
+read_ahead_gap 100 MB
+
+positive_dns_ttl 30 second
+negative_dns_ttl 1 second
+
+pipeline_prefetch on
+request_timeout 15 minute |
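Review bot: `access_log none` switches off the proxy access log entirely, so there is no record of which clients used the cache or what they fetched, even though `http_access allow localnet` opens the proxy to the whole `$subnet`; for a proxy sitting in a deployment network that is the main audit trail. Keep it on (`access_log /var/log/squid/access.log squid`) and let the logrotate.d/squid stanza in this same commit handle volume. The comment on `acl localnet src $subnet` should also state that `$subnet` is presumably substituted at deploy time, since squid itself does not expand variables and the line is invalid as written.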