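#!/bin/bash
# Base provisioning shared by every box in the cluster: ubuntu mirror and the
# pandora apt-cacher proxy, hosts file, interactive shell, root ssh access with
# the shared pandora key, the example CA, network tooling and inotify limits.
#
# Usage: provision-base.sh [ubuntu_mirror] [pandora_fqdn] [pandora_ip_address]
#
# NB /vagrant/lib.sh is sourced first; this script does not enable bash strict
#    mode itself (TODO confirm whether lib.sh does), so the steps whose failure
#    matters check their own status.
source /vagrant/lib.sh
ubuntu_mirror="${1:-http://mirrors.ptisp.pt/ubuntu/}"; shift || true
pandora_fqdn="${1:-pandora.eksa.test}"; shift || true
pandora_ip_address="${1:-10.10.0.2}"; shift || true
# the hostname selects the pandora-specific branches below; read it once.
host_name="$(hostname)"

# prevent apt-get et al from asking questions.
# NB even with this, you'll still get some warnings that you can ignore:
#     dpkg-preconfigure: unable to re-open stdin: No such file or directory
export DEBIAN_FRONTEND=noninteractive

# show mac addresses and the machine uuid to troubleshoot they are unique within the cluster.
ip link
cat /sys/class/dmi/id/product_uuid

# configure the ubuntu mirror.
# NB the mirror url is spliced into the sed replacement, so it must not
#    contain the ',' delimiter or an unescaped '&'.
sed -i -E "s,(deb(-src)?) [^ ]+ ,\\1 $ubuntu_mirror ,g" /etc/apt/sources.list

# configure APT to use our apt-cacher cache APT proxy.
# NB we cannot use APT::Update::Pre-Invoke in apt.conf because that is invoked
#    after sources.list is loaded, so we had to override the apt-get command
#    with our own version.
# NB the wrapper rewrites every repository url to go through the proxy on
#    pandora:3142; https repositories go through its HTTPS/// path, so the box
#    only ever talks plain http to pandora. sources already pointing at the
#    proxy are left alone, which keeps repeated 'apt-get update' idempotent.
# NB this heredoc is unquoted: $pandora_fqdn is expanded now, the escaped \$
#    expansions are evaluated by the wrapper at run time. the files are handed
#    to sed with find -exec instead of word-splitting the find output.
cat >/usr/local/bin/apt-get <<EOF
#!/bin/bash
if [ "\$1" == 'update' ]; then
  find /etc/apt/sources.list /etc/apt/sources.list.d -type f -exec sed -i -E '/http:\\/\\/$pandora_fqdn:3142/! s,(deb(-src)? .*)http://,\1http://$pandora_fqdn:3142/,g' {} +
  find /etc/apt/sources.list /etc/apt/sources.list.d -type f -exec sed -i -E '/http:\\/\\/$pandora_fqdn:3142/! s,(deb(-src)? .*)https://,\1http://$pandora_fqdn:3142/HTTPS///,g' {} +
fi
exec /usr/bin/apt-get "\$@"
EOF
chmod +x /usr/local/bin/apt-get
hash -r

# configure the hosts file.
# NB guarded so that re-provisioning does not append duplicate entries.
if ! grep -qxF -- "$pandora_ip_address $pandora_fqdn" /etc/hosts; then
  echo "$pandora_ip_address $pandora_fqdn" >>/etc/hosts
fi

# update the package cache.
apt-get update

# install jq.
apt-get install -y jq

# install vim.
apt-get install -y --no-install-recommends vim
cat >/etc/vim/vimrc.local <<'EOF'
syntax on
set background=dark
set esckeys
set ruler
set laststatus=2
set nobackup
EOF

# configure the shell.
cat >/etc/profile.d/login.sh <<'EOF'
[[ "$-" != *i* ]] && return
export EDITOR=vim
export PAGER=less
alias l='ls -lF --color'
alias ll='l -a'
alias h='history 25'
alias j='jobs -l'
EOF
# pandora keeps its own kubeconfig; every other box uses the shared one.
if [ 'pandora' == "$host_name" ]; then
  cat >>/etc/profile.d/login.sh <<'EOF'
export KUBECONFIG="$HOME/.kube/config"
EOF
else
  cat >>/etc/profile.d/login.sh <<'EOF'
export KUBECONFIG="/vagrant/shared/kubeconfig"
EOF
fi
cat >/etc/inputrc <<'EOF'
set input-meta on
set output-meta on
set show-all-if-ambiguous on
set completion-ignore-case on
"\e[A": history-search-backward
"\e[B": history-search-forward
"\eOD": backward-word
"\eOC": forward-word
EOF

# add support for bash completions.
apt-get install -y bash-completion

# install useful tools.
apt-get install -y python3-tabulate python3-yaml

# let the root user login with a ssh key.
# NB prohibit-password keeps password logins for root disabled; only the key
#    trusted below can be used.
sed -i -E 's,#?(PermitRootLogin) .*,\1 prohibit-password,g' /etc/ssh/sshd_config
systemctl reload sshd

# generate the root ssh key.
# NB only the pandora box generates it; the key pair is shared with the other
#    boxes through /vagrant/shared/ssh, so that directory must stay private to
#    the cluster.
if [ "$host_name" == 'pandora' ]; then
  if [ ! -f /vagrant/shared/ssh/id_rsa ]; then
    mkdir -p /vagrant/shared/ssh
    # ${USER:-root}: the comment must not end up as a bare "@fqdn" when USER is unset.
    ssh-keygen -f /vagrant/shared/ssh/id_rsa -t rsa -b 2048 -C "${USER:-root}@$(hostname --fqdn)" -N ''
  fi
  if [ ! -f ~/.ssh/id_rsa ]; then
    install -d -m 700 ~/.ssh
    install -m 600 /vagrant/shared/ssh/* ~/.ssh
  fi
fi

# trust the pandora root ssh key.
# NB fail loudly instead of silently trusting an empty key when the shared
#    public key is not there yet (presumably pandora is provisioned first).
pandora_ssh_public_key_path=/vagrant/shared/ssh/id_rsa.pub
if [ ! -f "$pandora_ssh_public_key_path" ]; then
  echo "ERROR: $pandora_ssh_public_key_path does not exist; provision the pandora box first" >&2
  exit 1
fi
if [ ! -f ~/.ssh/authorized_keys ]; then
  install -d -m 700 ~/.ssh
  install -m 600 /dev/null ~/.ssh/authorized_keys
fi
pandora_ssh_public_key="$(cat "$pandora_ssh_public_key_path")"
# NB -F: the key is base64 and contains regex metacharacters, so match it literally.
if ! grep -qF -- "$pandora_ssh_public_key" ~/.ssh/authorized_keys; then
  echo "$pandora_ssh_public_key" >>~/.ssh/authorized_keys
fi

# trust the pandora example ca.
# NB this step is skipped in the pandora box; this file is created later
#    in provision-certificate.sh.
if [ -f /vagrant/shared/tls/example-ca/example-ca-crt.pem ]; then
  cp /vagrant/shared/tls/example-ca/example-ca-crt.pem /usr/local/share/ca-certificates/example-ca.crt
  update-ca-certificates -v
fi

# install iptables.
apt-get install -y iptables

# install tcpdump.
apt-get install -y tcpdump

# install curl.
apt-get install -y curl

# install ipvsadm.
apt-get install -y ipvsadm

# bump the inotify resource limits.
# NB not enough resources will lead to "too many open files" errors.
#    see https://kind.sigs.k8s.io/docs/user/known-issues/#pod-errors-due-to-too-many-open-files
cat >/etc/sysctl.d/20-inotify.conf <<'EOF'
fs.inotify.max_user_watches = 524288
fs.inotify.max_user_instances = 512
EOF
sysctl --load /etc/sysctl.d/20-inotify.conf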