This repository has been archived by the owner on Jul 27, 2023. It is now read-only.
mantl common
TanyaCouture edited this page Feb 25, 2016 · 1 revision
2 versions of mantl-common, in progress and to be consolidated:
- common: mantl-common
  - System Dependencies
    - python-pip
    - httpd-tools
    - nc
    - openssh
    - policycoreutils-python
    - epel-release
    - unzip
  - Ansible defaults: selinux with permissive policy and central configuration
  - Ansible handlers: update-ca-trust -> run `update-ca-trust` cmd in package script when needed
  - Ansible main tasks
    - set timezone to UTC -> `user_data: timezone: Etc/UTC`
    - create `/etc/mantl` to hold metadata for state of cluster pre-consul boot
    - j2 template for `/etc/hosts` -> `user_data: resolv_conf: search_domains: [.node.consul]`
    - install distributive from ciscocloud's bintray -> separate package (mantl-distributive)?
    - disable requiretty in sudoers -> `sed -i -E 's/^.+requiretty$/# Defaults requiretty/' /etc/sudoers` #but only last entry
    - set selinux policy based on ansible defaults
    - disable firewalld -> here is a partial go implementation:
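      ```go
      package main

      import (
      	"log"
      	"os/exec"
      	"strings"
      )

      func main() {
      	// Stop firewalld now and disable it at boot; "disable" alone leaves a
      	// running daemon in place until the next reboot.
      	for _, action := range []string{"stop", "disable"} {
      		if out, err := exec.Command("systemctl", action, "firewalld").CombinedOutput(); err != nil {
      			log.Fatalf("systemctl %s firewalld: %v: %s", action, err, out)
      		}
      	}

      	// Check the state of firewalld. firewall-cmd exits non-zero when the
      	// daemon is not running, so judge by the output rather than by err.
      	out, _ := exec.Command("firewall-cmd", "--state").CombinedOutput()

      	// If the state is anything other than "not running", disable has failed.
      	if state := strings.TrimSpace(string(out)); state != "not running" {
      		log.Fatalf("Firewalld is not disabled (state: %q).", state)
      	}
      }
      ```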
  - Ansible users tasks should be managed via API or Ansible
  - Ansible ssl tasks
    - copy local path ssl/cacert.pem to remote server /etc/pki/ca-trust/source/anchors/cacert.pem; chown to root
    - notify handler update-ca-trust -> `update-ca-trust`
- common: mantl-common
  - System Dependencies
    - python-pip
    - httpd-tools
    - nc
    - openssh
    - policycoreutils-python
    - epel-release
    - unzip
  - Ansible defaults: selinux with permissive policy and central configuration
  - Ansible handlers: update-ca-trust -> run `update-ca-trust` cmd in package script when needed
  - Ansible main tasks
    - set timezone to UTC -> `ln -sf /usr/share/zoneinfo/Etc/UTC /etc/localtime`
    - create `/etc/mantl` to hold metadata for state of cluster pre-consul boot
    - j2 template for `/etc/hosts` -> consul template for `/etc/hosts`
    - disable firewalld -> here is a partial go implementation:
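      ```go
      package main

      import (
      	"log"
      	"os/exec"
      	"strings"
      )

      func main() {
      	// Stop firewalld now and disable it at boot; "disable" alone leaves a
      	// running daemon in place until the next reboot.
      	for _, action := range []string{"stop", "disable"} {
      		if out, err := exec.Command("systemctl", action, "firewalld").CombinedOutput(); err != nil {
      			log.Fatalf("systemctl %s firewalld: %v: %s", action, err, out)
      		}
      	}

      	// Check the state of firewalld. firewall-cmd exits non-zero when the
      	// daemon is not running, so judge by the output rather than by err.
      	out, _ := exec.Command("firewall-cmd", "--state").CombinedOutput()

      	// If the state is anything other than "not running", disable has failed.
      	if state := strings.TrimSpace(string(out)); state != "not running" {
      		log.Fatalf("Firewalld is not disabled (state: %q).", state)
      	}
      }
      ```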
    - install distributive from ciscocloud's bintray -> separate package??
    - disable requiretty in sudoers -> `sed -i -E 's/^.+requiretty$/# Defaults requiretty/' /etc/sudoers` #but only last entry
    - set selinux policy based on ansible defaults
  - Ansible users tasks
    - configure members of wheel group for passwordless sudo -> `sed -i 's/^%wheel.*/%wheel ALL=(ALL) NOPASSWD: ALL/' /etc/sudoers`
    - create enabled os users, based on `users` ansible var (docs)
    - set ssh key for `users`
    - delete disabled `users`
  - Ansible ssl tasks
    - copy local path ssl/cacert.pem to remote server /etc/pki/ca-trust/source/anchors/cacert.pem; chown to root
    - notify handler update-ca-trust -> `update-ca-trust`
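The two sudoers edits listed above (disable requiretty, passwordless sudo for wheel) could move into the Go package alongside the firewalld check. The following is an added example, not code from the mantl project: `RewriteSudoers`, the regular expressions and the sample file are hypothetical, and it assumes every active `Defaults requiretty` line is commented out and the whole active `%wheel` rule is replaced rather than only its prefix.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

var (
	// An active "Defaults requiretty" line, with optional leading whitespace.
	requirettyRe = regexp.MustCompile(`^\s*Defaults\s+requiretty\s*$`)
	// An active rule for the wheel group; commented-out lines do not match.
	wheelRe = regexp.MustCompile(`^%wheel\s`)
)

const wheelRule = "%wheel ALL=(ALL) NOPASSWD: ALL"

// RewriteSudoers applies both sudoers changes from the task list to the file
// content in memory and reports how many lines it changed (0 when the content
// is already in the desired state, so repeated runs are idempotent).
func RewriteSudoers(content string) (string, int) {
	lines := strings.Split(content, "\n")
	changed := 0
	for i, line := range lines {
		switch {
		case requirettyRe.MatchString(line):
			lines[i] = "# Defaults requiretty"
			changed++
		case wheelRe.MatchString(line) && line != wheelRule:
			lines[i] = wheelRule // replace the whole rule, not just the prefix
			changed++
		}
	}
	return strings.Join(lines, "\n"), changed
}

// Constructed sample input, modelled on a stock sudoers layout.
const sampleSudoers = `Defaults    requiretty
Defaults    env_reset
root    ALL=(ALL)       ALL
%wheel  ALL=(ALL)       ALL
# %wheel        ALL=(ALL)       NOPASSWD: ALL
`

func main() {
	out, n := RewriteSudoers(sampleSudoers)
	fmt.Printf("%d line(s) changed\n%s", n, out)
}
```

Before replacing `/etc/sudoers`, write the result to a temporary file and check it with `visudo -c -f <file>`, since a syntax error in sudoers locks out sudo on the host.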