Created
August 4, 2014 23:25
-
-
Save adamalex/eeed0825488b4831f559 to your computer and use it in GitHub Desktop.
Secure CoreOS config for Rackspace
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #cloud-config | |
| coreos: | |
| etcd: | |
| # generate a new token for each unique cluster from https://discovery.etcd.io/new | |
| discovery: https://discovery.etcd.io/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx | |
| update: | |
| # disable this for now until it is supported when using private ip config | |
| reboot-strategy: off | |
| units: | |
| # oneshot script (written below) to secure the cluster | |
| - name: secure-cluster.service | |
| runtime: true | |
| command: start | |
| content: | | |
| [Unit] | |
| Description=secure-cluster | |
| Before=etcd.service fleet.service | |
| [Service] | |
| Type=oneshot | |
| RemainAfterExit=yes | |
| ExecStart=/etc/secure-cluster/boot.sh | |
| - name: etcd.service | |
| command: start | |
| - name: fleet.service | |
| command: start | |
| write_files: | |
| - path: /etc/secure-cluster/boot.sh | |
| owner: root:root | |
| permissions: 0700 | |
| content: | | |
| #!/bin/bash | |
| # read public and private ips assigned by rackspace | |
| PUBLIC_IP=$(ifconfig -a eth0 | awk '/(cast)/ { print $2 }' | cut -d':' -f2 | head -1) | |
| PRIVATE_IP=$(ifconfig -a eth2 | awk '/(cast)/ { print $2 }' | cut -d':' -f2 | head -1) | |
| BASHRC=/home/core/.bashrc | |
| # replace .bashrc symlink with its file contents and add aliases | |
| if [ -h $BASHRC ] | |
| then | |
| cp --remove-destination $(readlink $BASHRC) $BASHRC | |
| chown core:core $BASHRC | |
| chmod 600 $BASHRC | |
| cat >>$BASHRC <<EOF | |
| alias fleetctl="fleetctl --endpoint=http://$PRIVATE_IP:4001" | |
| alias etcdctl="etcdctl --peers $PRIVATE_IP:4001" | |
| EOF | |
| fi | |
| # configure etcd | |
| cat >/run/systemd/system/etcd.service.d/30-secure.conf <<EOF | |
| [Service] | |
| Environment="ETCD_ADDR=$PRIVATE_IP:4001" | |
| Environment="ETCD_BIND_ADDR=$PRIVATE_IP:4001" | |
| Environment="ETCD_PEER_ADDR=$PRIVATE_IP:7001" | |
| Environment="ETCD_PEER_BIND_ADDR=$PRIVATE_IP:7001" | |
| EOF | |
| # configure fleet | |
| cat >>/run/systemd/system/fleet.service.d/20-cloudinit.conf <<EOF | |
| Environment="FLEET_PUBLIC_IP=$PRIVATE_IP" | |
| Environment="FLEET_METADATA=public_ip=$PUBLIC_IP" | |
| Environment="FLEET_ETCD_SERVERS=http://$PRIVATE_IP:4001" | |
| EOF | |
| systemctl daemon-reload |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment