This repository has been archived by the owner on Jul 27, 2023. It is now read-only.

mantl common

TanyaCouture edited this page Feb 25, 2016 · 1 revision

Two versions of the mantl-common notes follow; both are still in progress and are to be consolidated into one.

  • common: mantl-common
    • System Dependencies
      • python-pip
      • httpd-tools
      • nc
      • openssh
      • policycoreutils-python
      • epel-release
      • unzip
    • Ansible defaults: selinux with permissive policy and central configuration
    • Ansible handlers: update-ca-trust -> run update-ca-trust cmd in package script when needed
    • Ansible main tasks
      • set timezone to UTC -> user_data: timezone: Etc/UTC
      • create /etc/mantl to hold metadata for state of cluster pre-consul boot
      • j2 template for /etc/hosts -> user_data: resolv_conf: search_domains: [.node.consul]
      • install distributive from ciscocloud's bintray -> separate package (mantl-distributive)?
      • disable requiretty in sudoers -> sed -E 's/^.+requiretty$/# Defaults requiretty/' /etc/sudoers # but only the last entry
      • set selinux policy based on ansible defaults
      • disable firewalld -> here is a partial go implementation:
```go
package main

import (
	"fmt"
	"log"
	"os/exec"
	"strings"
)

func main() {
	// Disable firewalld at boot and stop it now. exec.Command takes the
	// program and its arguments separately, not a single shell string.
	if out, err := exec.Command("systemctl", "disable", "--now", "firewalld").CombinedOutput(); err != nil {
		log.Fatalf("systemctl disable firewalld failed: %v\n%s", err, out)
	}

	// Check the state of firewalld. The client is firewall-cmd; with --state it
	// prints "not running" and exits non-zero when the daemon is stopped, so
	// the exit status alone cannot be treated as an error here.
	out, _ := exec.Command("firewall-cmd", "--state").CombinedOutput()
	state := strings.TrimSpace(string(out))

	// If the state is anything other than "not running", disabling has failed.
	if state != "not running" {
		log.Fatalf("firewalld is not disabled (state: %q)", state)
	}
	fmt.Println("firewalld is disabled.")
}
```
    • Ansible users tasks should be managed via API or Ansible
    • Ansible ssl tasks
      • copy local path ssl/cacert.pem to remote server /etc/pki/ca-trust/source/anchors/cacert.pem; chown to root
      • notify handler update-ca-trust -> update-ca-trust

    • common: mantl-common

      • System Dependencies
        • python-pip
        • httpd-tools
        • nc
        • openssh
        • policycoreutils-python
        • epel-release
        • unzip
      • Ansible defaults: selinux with permissive policy and central configuration
      • Ansible handlers: update-ca-trust -> run update-ca-trust cmd in package script when needed
      • Ansible main tasks
        • set timezone to UTC -> ln -sf /usr/share/zoneinfo/Etc/UTC /etc/localtime
        • create /etc/mantl to hold metadata for state of cluster pre-consul boot
        • j2 template for /etc/hosts -> consul template for /etc/hosts
        • disable firewalld -> here is a partial go implementation:
    ```go
    package main

    import (
    	"fmt"
    	"log"
    	"os/exec"
    	"strings"
    )

    func main() {
    	// Disable firewalld at boot and stop it now. exec.Command takes the
    	// program and its arguments separately, not a single shell string.
    	if out, err := exec.Command("systemctl", "disable", "--now", "firewalld").CombinedOutput(); err != nil {
    		log.Fatalf("systemctl disable firewalld failed: %v\n%s", err, out)
    	}

    	// Check the state of firewalld. The client is firewall-cmd; with --state it
    	// prints "not running" and exits non-zero when the daemon is stopped, so
    	// the exit status alone cannot be treated as an error here.
    	out, _ := exec.Command("firewall-cmd", "--state").CombinedOutput()
    	state := strings.TrimSpace(string(out))

    	// If the state is anything other than "not running", disabling has failed.
    	if state != "not running" {
    		log.Fatalf("firewalld is not disabled (state: %q)", state)
    	}
    	fmt.Println("firewalld is disabled.")
    }
    ```

        • install distributive from ciscocloud's bintray -> separate package?
        • disable requiretty in sudoers -> sed -E 's/^.+requiretty$/# Defaults requiretty/' /etc/sudoers # but only the last entry
        • set selinux policy based on ansible defaults

    • Ansible users tasks
      • configure members of wheel group for passwordless sudo -> sed 's/^%wheel/%wheel ALL=(ALL) NOPASSWD: ALL/' /etc/sudoers
      • create enabled os users, based on users ansible var (docs)
      • set ssh key for users
      • delete disabled users
    • Ansible ssl tasks
      • copy local path ssl/cacert.pem to remote server /etc/pki/ca-trust/source/anchors/cacert.pem; chown to root
      • notify handler update-ca-trust -> update-ca-trust
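The two sudoers edits in the notes above (disabling requiretty and granting the wheel group passwordless sudo) are written as bare sed one-liners against /etc/sudoers. The script below is an added example, not mantl's own code: it applies the same two edits to a copy of the file, keeps the 0440 mode sudo expects, and checks the copy with visudo before it is installed, since a syntax error written straight into /etc/sudoers disables sudo for everyone. The sample sudoers content is constructed here to stand in for a stock CentOS file; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not mantl's own code): apply the two sudoers edits noted
# above (disable requiretty, passwordless sudo for %wheel) to a copy of the
# file, validate the copy with visudo, and only then install it. Editing
# /etc/sudoers in place with sed and no syntax check can break sudo entirely.
set -eu

# Rewrite requiretty and %wheel lines from $1 into $2 (mode 0440, as sudo
# expects). sudo only honours the last requiretty entry, so commenting out
# every one also removes any earlier entry a later line was overriding.
rewrite_sudoers() {
  in="$1"; out="$2"
  sed -E \
    -e 's/^[[:space:]]*Defaults[[:space:]]+requiretty[[:space:]]*$/# Defaults requiretty/' \
    -e 's/^%wheel[[:space:]]+ALL=\(ALL\)[[:space:]]+ALL[[:space:]]*$/%wheel ALL=(ALL) NOPASSWD: ALL/' \
    "$in" > "$out"
  chmod 0440 "$out"
}

# Parse a candidate file without installing it (visudo -c -f). Skipped when
# visudo is not present, e.g. when run against the constructed sample below.
check_sudoers() {
  if command -v visudo >/dev/null 2>&1; then
    visudo -c -f "$1" >/dev/null
  fi
}

# Number of active "Defaults requiretty" lines; 0 means requiretty is off.
count_requiretty() {
  grep -c -E '^[[:space:]]*Defaults[[:space:]]+requiretty' "$1" || true
}

# Constructed sample standing in for /etc/sudoers on a stock CentOS host.
make_sample() {
  cat > "$1" <<'EOF'
Defaults    requiretty
Defaults    !visiblepw
root    ALL=(ALL)       ALL
%wheel  ALL=(ALL)       ALL
# %wheel        ALL=(ALL)       NOPASSWD: ALL
EOF
}

# Usage on a real host, as root:
#   rewrite_sudoers /etc/sudoers /etc/sudoers.new && check_sudoers /etc/sudoers.new \
#     && mv /etc/sudoers.new /etc/sudoers
```

The regular expressions anchor on the whole line so that an already commented entry (such as the `# %wheel ... NOPASSWD` line CentOS ships) is left alone, and `sed -E` is used because `+` is a literal in the basic regex syntax the one-liner in the notes relies on.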