Vultour · October 29, 2020 16:26
diff --git a/labrt-install-full.sh b/labrt-install-full.sh
 #!/bin/bash
 set -x
 set -e


 # ==========
 # INITIAL SETUP
 # ==========
 echo "127.0.0.1   labrt.local puppet" >> /etc/hosts

 yum update -y
 yum install -y vim

 systemctl stop NetworkManager
 systemctl start network
 systemctl disable NetworkManager
 systemctl enable network
 yum remove -y NetworkManager


 # ==========
 # LIBVIRT SETUP
 # ==========
 yum install -y libvirt qemu-kvm qemu-kvm-tools qemu-kvm-common virt-install

 systemctl enable libvirtd
 systemctl start libvirtd

 # Create default storage pool
 mkdir -p /opt/virt/machines
 cat <<EOF > /root/default-storage-pool.xml
 <pool type='dir'>
  <name>machines</name>
  <target>
    <path>/opt/virt/machines</path>
  </target>
 </pool>
 EOF
 virsh pool-define /root/default-storage-pool.xml
 virsh pool-autostart machines
 virsh pool-start machines

 mkdir -p /var/lib/tftpboot

 # Create default bridged network
 virsh net-destroy default
 virsh net-undefine default
 systemctl restart network
 cat <<EOF > /etc/libvirt/qemu/networks/default.xml
 <network>
  <name>default</name>
  <uuid>2837a98f-1fca-ef21-a908-103afce736af</uuid>
  <forward mode='nat' />
  <bridge name='virbr0' stp='on' delay='0' />
  <mac address='DE:AD:BE:EF:00:00' />
  <ip address='192.168.0.1' netmask='255.255.255.0'>
    <tftp root='/var/lib/tftpboot' />
    <dhcp>
      <range start='192.168.0.50' end='192.168.0.100' />
      <bootp file='pxelinux.0' />
    </dhcp>
  </ip>
 </network>
 EOF
 virsh net-define /etc/libvirt/qemu/networks/default.xml
 virsh net-start default
 virsh net-autostart default
 systemctl restart network


 # ==========
 # TLS CERTIFICATES FOR REMOTE LIBVIRT CONNECTIONS
 # ==========
 TLS_HOSTNAME='labrt.local'
 CA_KEY='/root/tls-ca-privatekey.pem'
 CA_CERT='/etc/pki/CA/cacert.pem'
 CA_TEMPLATE='/tmp/ca.info'
 SERVER_TEMPLATE='/tmp/server.info'
 CLIENT_TEMPLATE='/tmp/client.info'
 LIBVIRT_SERVERKEY='/etc/pki/libvirt/private/serverkey.pem'
 LIBVIRT_SERVERCERT='/etc/pki/libvirt/servercert.pem'
 LIBVIRT_CLIENTKEY='/etc/pki/libvirt/private/clientkey.pem'
 LIBVIRT_CLIENTCERT='/etc/pki/libvirt/clientcert.pem'

 mkdir -p $(dirname "$CA_CERT")
 mkdir -p $(dirname "$LIBVIRT_SERVERKEY")

 # Certificate authority
 certtool --generate-privkey > $CA_KEY

 cat <<EOF > $CA_TEMPLATE
 cn = $TLS_HOSTNAME
 ca
 cert_signing_key
 EOF

 certtool \
    --generate-self-signed \
    --load-privkey $CA_KEY \
    --template $CA_TEMPLATE\
    --outfile $CA_CERT

 # Server certificate
 certtool --generate-privkey > $LIBVIRT_SERVERKEY

 cat <<EOF > $SERVER_TEMPLATE
 organization = Lab Inc
 cn = $TLS_HOSTNAME
 tls_www_server
 encryption_key
 signing_key
 EOF

 certtool \
    --generate-certificate \
    --load-privkey $LIBVIRT_SERVERKEY \
    --load-ca-certificate $CA_CERT \
    --load-ca-privkey $CA_KEY \
    --template $SERVER_TEMPLATE \
    --outfile $LIBVIRT_SERVERCERT

 # Client certificate
 certtool --generate-privkey > $LIBVIRT_CLIENTKEY

 cat <<EOF > $CLIENT_TEMPLATE
 country = GB
 state = London
 locality = London
 organization = Red Hat
 cn = $HOSTNAME
 tls_www_client
 encryption_key
 signing_key
 EOF

 certtool \
    --generate-certificate \
    --load-privkey $LIBVIRT_CLIENTKEY \
    --load-ca-certificate $CA_CERT \
    --load-ca-privkey $CA_KEY \
    --template $CLIENT_TEMPLATE \
    --outfile $LIBVIRT_CLIENTCERT

 # Cleanup
 shred -zun 25 $CA_TEMPLATE
 shred -zun 25 $SERVER_TEMPLATE
 shred -zun 25 $CLIENT_TEMPLATE

 # Enable TLS connections in libvirt
 echo "" >> /etc/sysconfig/libvirt
 echo "LIBVIRTD_ARGS='--listen'" >> /etc/sysconfig/libvirtd
 systemctl restart libvirtd


 # ==========
 # FOREMAN SETUP
 # ==========
 rpm -ivh https://yum.puppetlabs.com/puppetlabs-release-pc1-el-7.noarch.rpm
 yum -y install epel-release https://yum.theforeman.org/releases/1.12/el7/x86_64/foreman-release.rpm

 yum -y install foreman-installer

 foreman-installer \
  --foreman-admin-password password \
  --foreman-unattended true \
  --foreman-cli-password password
  
 /opt/puppetlabs/bin/puppet agent --test

 yum -y install foreman-libvirt

 # Local OS images
 mkdir -p /opt/virt/os/mnt
 yum install -y vsftpd
 cat <<EOF > /etc/vsftpd/vsftpd.conf
 anonymous_enable=YES
 local_enable=NO
 write_enable=NO
 anon_upload_enable=NO
 anon_mkdir_write_enable=NO
 xferlog_enable=YES
 connect_from_port_20=YES
 xferlog_std_format=YES
 xferlog_file=/var/log/vsftpd-xferlog
 anon_root=/opt/virt/os/mnt
 EOF
 systemctl enable vsftpd
 systemctl restart vsftpd

 mkdir -p /opt/virt/os/mnt/centos-7
 wget -O /opt/virt/os/centos7.iso http://mirror.ox.ac.uk/sites/mirror.centos.org/7/isos/x86_64/CentOS-7-x86_64-Minimal-1511.iso
 echo "/opt/virt/os/centos7.iso /opt/virt/os/mnt/centos-7 iso9660 ro,fscontext=unconfined_u:object_r:usr_t:s0,relatime 0 0" >> /etc/fstab

 mount -a

 # Set unattended URL to current IP as there's no DNS yet
 hammer settings set \
    --name unattended_url \
    --value "http://$(ip a | grep -E 'inet\s' | awk 'NR==2' | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]+' | grep -oE '^[^/]*')"

 hammer subnet create \
    --boot-mode Static \
    --dns-primary 192.168.0.2 \
    --dns-secondary 8.8.8.8 \
    --gateway 192.168.0.1 \
    --mask 255.255.255.0 \
    --name labroot \
    --network 192.168.0.0 \
    --domains local

 hammer compute-resource create \
    --description "LABRT-Libvirt"\
    --display-type VNC \
    --name LABRT-libvirt \
    --provider Libvirt \
    --set-console-password "" \
    --url "qemu://labrt.local/system"

 hammer medium create \
    --name 'centos-7-local' \
    --os-family Redhat \
    --path ftp://$(ip a | grep -E 'inet\s' | awk 'NR==2' | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]+' | grep -oE '^[^/]*')/mnt/centos-7

 hammer os create \
    --name centos-7 \
    --description "centos-7" \
    --major 7 \
    --family Redhat \
    --media "centos-7-local,CentOS mirror" \
    --partition-tables "Kickstart default" \
    --architectures x86_64 \
    --provisioning-templates "Kickstart default,Kickstart default finish,Kickstart default iPXE,Kickstart default PXELinux"

 hammer hostgroup create \
    --architecture x86_64 \
    --ask-root-pass no \
    --domain local \
    --environment production \
    --medium "centos-7-local" \
    --name "LABRT-default-prod" \
    --operatingsystem "centos-7" \
    --partition-table "Kickstart default" \
    --puppet-ca-proxy labrt.local \
    --puppet-proxy labrt.local \
    --root-pass password \
    --subnet labroot

 # Smart proxy setup
 cat <<EOF >> /etc/foreman-proxy/settings.yml
 :tftp: true
 :tftproot: /var/tftpboot
 :tftp_servername: 192.168.0.1
 :dns: true
 :dns_provider: virsh
 :dhcp: true
 :dhcp_vendor: virsh
 :virsh_network: default
 EOF

 systemctl restart foreman
 systemctl restart foreman-proxy
 systemctl restart httpd


 # ==========
 # Docker
 # ==========
 cat <<EOF > /etc/yum.repos.d/docker.repo
 [dockerrepo]
 name=Docker Repository
 baseurl=https://yum.dockerproject.org/repo/main/centos/7/
 enabled=1
 gpgcheck=1
 gpgkey=https://yum.dockerproject.org/gpg
 EOF
 yum install -y docker-engine
 systemctl enable docker
 systemctl start docker
	#!/bin/bash
	set -x
	set -e


	# ==========
	# INITIAL SETUP
	# ==========
	echo "127.0.0.1 labrt.local puppet" >> /etc/hosts

	yum update -y
	yum install -y vim

	systemctl stop NetworkManager
	systemctl start network
	systemctl disable NetworkManager
	systemctl enable network
	yum remove -y NetworkManager


	# ==========
	# LIBVIRT SETUP
	# ==========
	yum install -y libvirt qemu-kvm qemu-kvm-tools qemu-kvm-common virt-install

	systemctl enable libvirtd
	systemctl start libvirtd

	# Create default storage pool
	mkdir -p /opt/virt/machines
	cat <<EOF > /root/default-storage-pool.xml
	<pool type='dir'>
	<name>machines</name>
	<target>
	<path>/opt/virt/machines</path>
	</target>
	</pool>
	EOF
	virsh pool-define /root/default-storage-pool.xml
	virsh pool-autostart machines
	virsh pool-start machines

	mkdir -p /var/lib/tftpboot

	# Create default bridged network
	virsh net-destroy default
	virsh net-undefine default
	systemctl restart network
	cat <<EOF > /etc/libvirt/qemu/networks/default.xml
	<network>
	<name>default</name>
	<uuid>2837a98f-1fca-ef21-a908-103afce736af</uuid>
	<forward mode='nat' />
	<bridge name='virbr0' stp='on' delay='0' />
	<mac address='DE:AD:BE:EF:00:00' />
	<ip address='192.168.0.1' netmask='255.255.255.0'>
	<tftp root='/var/lib/tftpboot' />
	<dhcp>
	<range start='192.168.0.50' end='192.168.0.100' />
	<bootp file='pxelinux.0' />
	</dhcp>
	</ip>
	</network>
	EOF
	virsh net-define /etc/libvirt/qemu/networks/default.xml
	virsh net-start default
	virsh net-autostart default
	systemctl restart network


	# ==========
	# TLS CERTIFICATES FOR REMOTE LIBVIRT CONNECTIONS
	# ==========
	TLS_HOSTNAME='labrt.local'
	CA_KEY='/root/tls-ca-privatekey.pem'
	CA_CERT='/etc/pki/CA/cacert.pem'
	CA_TEMPLATE='/tmp/ca.info'
	SERVER_TEMPLATE='/tmp/server.info'
	CLIENT_TEMPLATE='/tmp/client.info'
	LIBVIRT_SERVERKEY='/etc/pki/libvirt/private/serverkey.pem'
	LIBVIRT_SERVERCERT='/etc/pki/libvirt/servercert.pem'
	LIBVIRT_CLIENTKEY='/etc/pki/libvirt/private/clientkey.pem'
	LIBVIRT_CLIENTCERT='/etc/pki/libvirt/clientcert.pem'

	mkdir -p $(dirname "$CA_CERT")
	mkdir -p $(dirname "$LIBVIRT_SERVERKEY")

	# Certificate authority
	certtool --generate-privkey > $CA_KEY

	cat <<EOF > $CA_TEMPLATE
	cn = $TLS_HOSTNAME
	ca
	cert_signing_key
	EOF

	certtool \
	--generate-self-signed \
	--load-privkey $CA_KEY \
	--template $CA_TEMPLATE\
	--outfile $CA_CERT

	# Server certificate
	certtool --generate-privkey > $LIBVIRT_SERVERKEY

	cat <<EOF > $SERVER_TEMPLATE
	organization = Lab Inc
	cn = $TLS_HOSTNAME
	tls_www_server
	encryption_key
	signing_key
	EOF

	certtool \
	--generate-certificate \
	--load-privkey $LIBVIRT_SERVERKEY \
	--load-ca-certificate $CA_CERT \
	--load-ca-privkey $CA_KEY \
	--template $SERVER_TEMPLATE \
	--outfile $LIBVIRT_SERVERCERT

	# Client certificate
	certtool --generate-privkey > $LIBVIRT_CLIENTKEY

	cat <<EOF > $CLIENT_TEMPLATE
	country = GB
	state = London
	locality = London
	organization = Red Hat
	cn = $HOSTNAME
	tls_www_client
	encryption_key
	signing_key
	EOF

	certtool \
	--generate-certificate \
	--load-privkey $LIBVIRT_CLIENTKEY \
	--load-ca-certificate $CA_CERT \
	--load-ca-privkey $CA_KEY \
	--template $CLIENT_TEMPLATE \
	--outfile $LIBVIRT_CLIENTCERT

	# Cleanup
	shred -zun 25 $CA_TEMPLATE
	shred -zun 25 $SERVER_TEMPLATE
	shred -zun 25 $CLIENT_TEMPLATE

	# Enable TLS connections in libvirt
	echo "" >> /etc/sysconfig/libvirt
	echo "LIBVIRTD_ARGS='--listen'" >> /etc/sysconfig/libvirtd
	systemctl restart libvirtd


	# ==========
	# FOREMAN SETUP
	# ==========
	rpm -ivh https://yum.puppetlabs.com/puppetlabs-release-pc1-el-7.noarch.rpm
	yum -y install epel-release https://yum.theforeman.org/releases/1.12/el7/x86_64/foreman-release.rpm

	yum -y install foreman-installer

	foreman-installer \
	--foreman-admin-password password \
	--foreman-unattended true \
	--foreman-cli-password password

	/opt/puppetlabs/bin/puppet agent --test

	yum -y install foreman-libvirt

	# Local OS images
	mkdir -p /opt/virt/os/mnt
	yum install -y vsftpd
	cat <<EOF > /etc/vsftpd/vsftpd.conf
	anonymous_enable=YES
	local_enable=NO
	write_enable=NO
	anon_upload_enable=NO
	anon_mkdir_write_enable=NO
	xferlog_enable=YES
	connect_from_port_20=YES
	xferlog_std_format=YES
	xferlog_file=/var/log/vsftpd-xferlog
	anon_root=/opt/virt/os/mnt
	EOF
	systemctl enable vsftpd
	systemctl restart vsftpd

	mkdir -p /opt/virt/os/mnt/centos-7
	wget -O /opt/virt/os/centos7.iso http://mirror.ox.ac.uk/sites/mirror.centos.org/7/isos/x86_64/CentOS-7-x86_64-Minimal-1511.iso
	echo "/opt/virt/os/centos7.iso /opt/virt/os/mnt/centos-7 iso9660 ro,fscontext=unconfined_u:object_r:usr_t:s0,relatime 0 0" >> /etc/fstab

	mount -a

	# Set unattended URL to current IP as there's no DNS yet
	hammer settings set \
	--name unattended_url \
	--value "http://$(ip a \| grep -E 'inet\s' \| awk 'NR==2' \| grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]+' \| grep -oE '^[^/]*')"

	hammer subnet create \
	--boot-mode Static \
	--dns-primary 192.168.0.2 \
	--dns-secondary 8.8.8.8 \
	--gateway 192.168.0.1 \
	--mask 255.255.255.0 \
	--name labroot \
	--network 192.168.0.0 \
	--domains local

	hammer compute-resource create \
	--description "LABRT-Libvirt"\
	--display-type VNC \
	--name LABRT-libvirt \
	--provider Libvirt \
	--set-console-password "" \
	--url "qemu://labrt.local/system"

	hammer medium create \
	--name 'centos-7-local' \
	--os-family Redhat \
	--path ftp://$(ip a \| grep -E 'inet\s' \| awk 'NR==2' \| grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]+' \| grep -oE '^[^/]*')/mnt/centos-7

	hammer os create \
	--name centos-7 \
	--description "centos-7" \
	--major 7 \
	--family Redhat \
	--media "centos-7-local,CentOS mirror" \
	--partition-tables "Kickstart default" \
	--architectures x86_64 \
	--provisioning-templates "Kickstart default,Kickstart default finish,Kickstart default iPXE,Kickstart default PXELinux"

	hammer hostgroup create \
	--architecture x86_64 \
	--ask-root-pass no \
	--domain local \
	--environment production \
	--medium "centos-7-local" \
	--name "LABRT-default-prod" \
	--operatingsystem "centos-7" \
	--partition-table "Kickstart default" \
	--puppet-ca-proxy labrt.local \
	--puppet-proxy labrt.local \
	--root-pass password \
	--subnet labroot

	# Smart proxy setup
	cat <<EOF >> /etc/foreman-proxy/settings.yml
	:tftp: true
	:tftproot: /var/tftpboot
	:tftp_servername: 192.168.0.1
	:dns: true
	:dns_provider: virsh
	:dhcp: true
	:dhcp_vendor: virsh
	:virsh_network: default
	EOF

	systemctl restart foreman
	systemctl restart foreman-proxy
	systemctl restart httpd


	# ==========
	# Docker
	# ==========
	cat <<EOF > /etc/yum.repos.d/docker.repo
	[dockerrepo]
	name=Docker Repository
	baseurl=https://yum.dockerproject.org/repo/main/centos/7/
	enabled=1
	gpgcheck=1
	gpgkey=https://yum.dockerproject.org/gpg
	EOF
	yum install -y docker-engine
	systemctl enable docker
	systemctl start docker