apmarshall · January 12, 2016 20:31
diff --git a/vultr-coreos-bootstrap.sh b/vultr-coreos-bootstrap.sh
 #!/bin/bash
 # Cloud-config for CoreOS IPXE deployment on Vultr
 ##################################################
 # This cloud-config bootstraps CoreOS on /dev/vda and provisions:
 # - private ip-address on eth1
 # - etcd2 on private network
 # - fleet on private network
 # - basic firewall (docker compatible)
 # - SSHd security hardening
 ##################################################
 # Usage:
 # 1. Fill in region, SSH Key and etcd token.
 # Hint: generate a new token for each unique etcd cluster on https://discovery.etcd.io/new
 # 2. Point the cloud-config-url parameter in your IPXE boot script to this file.
 ##################################################

 V4_PRIVATE_IP=`curl -sS http://169.254.169.254/current/meta-data/local-ipv4`
 V4_PUBLIC_IP=`curl -sS http://169.254.169.254/current/meta-data/public-ipv4`
 INSTANCE_ID=`curl -sS http://169.254.169.254/current/meta-data/instance-id`
 REGION='curl -sS http://169.254.169.254/current/meta-data/dcid'
 NAME=Harbor1-0-$REGION-$INSTANCE_ID
 SSH_KEY='ssh-rsa '
 ETCD_TOKEN=

 cat > "cloud-config.yaml" <<EOF
 #cloud-config
 hostname: $NAME
 ssh_authorized_keys:
  - $SSH_KEY
 coreos:
  etcd2:
    name: $NAME
    discovery: "https://discovery.etcd.io/$ETCD_TOKEN"
    # multi-region and multi-cloud deployments need to use $V4_PUBLIC_IP
    advertise-client-urls: "http://$V4_PUBLIC_IP:2379"
    initial-advertise-peer-urls: "http://$V4_PRIVATE_IP:2380"
  fleet:
    public_ip: "$V4_PRIVATE_IP"
    metadata: "region=$REGION public_ip=$V4_PUBLIC_IP"
  flannel:
    public_ip: "$V4_PUBLIC_IP"
  update:
    reboot-strategy: "best-effort"
    group: "master"
  units:
    - name: vultr-meta.service
      command: start
      runtime: yes
      content: |
        [Unit]
        Description=Initialize Vultr private network

        [Service]
        Type=oneshot
        WorkingDirectory=/root
        ExecStart=/usr/bin/bash /root/vultr-privatenet.sh
    - name: iptables.service
      enable: false
    - name: iptables-restore.service
      enable: true
    - name: etcd2.service
      command: start
    - name: fleet.service
      command: start
    - name: flanneld.service
      command: start
        drop-ins:
        - name: 50-network-config.conf
        content: |
            [Unit]
            Requires=etcd2.service
            [Service]
            ExecStartPre=/usr/bin/etcdctl set /coreos.com/network/config '{ "Network": "10.1.0.0/16" }'
    - name: docker.service
    command: start
    Requires=flanneld.service
    After=flanneld.service
 write_files:
    - path: /etc/environment
      permissions: 0644
      owner: "root:root"
      content: |
        COREOS_PRIVATE_IPV4=$V4_PRIVATE_IP
        COREOS_PUBLIC_IPV4=$V4_PUBLIC_IP
        ETCD_ADDR=$V4_PRIVATE_IP:4001
        ETCD_PEER_ADDR=$V4_PRIVATE_IP:7001
        ETCD_TOKEN=$ETCD_TOKEN
    - path: /etc/systemd/network/10-static-eth1.network
      permissions: 0644
      owner: "root:root"
      content: |
        [Match]
        Name=eth1

        [Link]
        MTUBytes=1450

        [Network]
        Address=$V4_PRIVATE_IP/16
    - path: /root/vultr-privatenet.sh
      permissions: 0755
      owner: "root:root"
      content: |
        #!/bin/bash
        
        ip -4 addr add dev eth1 $V4_PRIVATE_IP/16
    - path: /var/lib/iptables/rules-save
      permissions: 0644
      owner: "root:root"
      content: |
        *filter
        :INPUT DROP [0:0]
        :FORWARD ACCEPT [0:0]
        :OUTPUT ACCEPT [0:0]
        -A INPUT -i lo -j ACCEPT
        -A INPUT -i eth1 -j ACCEPT
        -A INPUT -i docker0 -j ACCEPT
        -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
        -A INPUT -m conntrack --ctstate NEW -m multiport -p tcp --dports 22,80,443,9345,9346 -j ACCEPT
        -A INPUT -m conntrack --ctstate NEW -m multiport -p udp --dports 500,4500,8285 -j ACCEPT
        -A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
        -A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
        -A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
        -A FORWARD -i docker0 -o eth1 -j ACCEPT
        -A FORWARD -i eth1 -o docker0 -j ACCEPT
        -A FORWARD -i eth0 -o docker0 -j ACCEPT
        -A FORWARD -i docker0 -o eth0 -j ACCEPT
        COMMIT
    - path: /etc/ssh/sshd_config
      permissions: 0600
      owner: "root:root"
      content: |
          # Use most defaults for sshd configuration.
          UsePrivilegeSeparation sandbox
          Subsystem sftp internal-sftp
   
          PermitRootLogin no
          AllowUsers core
          PasswordAuthentication no
          ChallengeResponseAuthentication no
    - path: /etc/motd.d/info.conf
      content: |
          ____________________________
          
          Private IP...: $V4_PRIVATE_IP
          Public IP....: $V4_PUBLIC_IP
          Region.......: $REGION
          Etcd Token...: $ETCD_TOKEN
          ____________________________

 EOF

 sudo coreos-install -d /dev/vda -c cloud-config.yaml
 sudo reboot
	#!/bin/bash
	# Cloud-config for CoreOS IPXE deployment on Vultr
	##################################################
	# This cloud-config bootstraps CoreOS on /dev/vda and provisions:
	# - private ip-address on eth1
	# - etcd2 on private network
	# - fleet on private network
	# - basic firewall (docker compatible)
	# - SSHd security hardening
	##################################################
	# Usage:
	# 1. Fill in region, SSH Key and etcd token.
	# Hint: generate a new token for each unique etcd cluster on https://discovery.etcd.io/new
	# 2. Point the cloud-config-url parameter in your IPXE boot script to this file.
	##################################################

	V4_PRIVATE_IP=`curl -sS http://169.254.169.254/current/meta-data/local-ipv4`
	V4_PUBLIC_IP=`curl -sS http://169.254.169.254/current/meta-data/public-ipv4`
	INSTANCE_ID=`curl -sS http://169.254.169.254/current/meta-data/instance-id`
	REGION='curl -sS http://169.254.169.254/current/meta-data/dcid'
	NAME=Harbor1-0-$REGION-$INSTANCE_ID
	SSH_KEY='ssh-rsa '
	ETCD_TOKEN=

	cat > "cloud-config.yaml" <<EOF
	#cloud-config
	hostname: $NAME
	ssh_authorized_keys:
	- $SSH_KEY
	coreos:
	etcd2:
	name: $NAME
	discovery: "https://discovery.etcd.io/$ETCD_TOKEN"
	# multi-region and multi-cloud deployments need to use $V4_PUBLIC_IP
	advertise-client-urls: "http://$V4_PUBLIC_IP:2379"
	initial-advertise-peer-urls: "http://$V4_PRIVATE_IP:2380"
	fleet:
	public_ip: "$V4_PRIVATE_IP"
	metadata: "region=$REGION public_ip=$V4_PUBLIC_IP"
	flannel:
	public_ip: "$V4_PUBLIC_IP"
	update:
	reboot-strategy: "best-effort"
	group: "master"
	units:
	- name: vultr-meta.service
	command: start
	runtime: yes
	content: \|
	[Unit]
	Description=Initialize Vultr private network

	[Service]
	Type=oneshot
	WorkingDirectory=/root
	ExecStart=/usr/bin/bash /root/vultr-privatenet.sh
	- name: iptables.service
	enable: false
	- name: iptables-restore.service
	enable: true
	- name: etcd2.service
	command: start
	- name: fleet.service
	command: start
	- name: flanneld.service
	command: start
	drop-ins:
	- name: 50-network-config.conf
	content: \|
	[Unit]
	Requires=etcd2.service
	[Service]
	ExecStartPre=/usr/bin/etcdctl set /coreos.com/network/config '{ "Network": "10.1.0.0/16" }'
	- name: docker.service
	command: start
	Requires=flanneld.service
	After=flanneld.service
	write_files:
	- path: /etc/environment
	permissions: 0644
	owner: "root:root"
	content: \|
	COREOS_PRIVATE_IPV4=$V4_PRIVATE_IP
	COREOS_PUBLIC_IPV4=$V4_PUBLIC_IP
	ETCD_ADDR=$V4_PRIVATE_IP:4001
	ETCD_PEER_ADDR=$V4_PRIVATE_IP:7001
	ETCD_TOKEN=$ETCD_TOKEN
	- path: /etc/systemd/network/10-static-eth1.network
	permissions: 0644
	owner: "root:root"
	content: \|
	[Match]
	Name=eth1

	[Link]
	MTUBytes=1450

	[Network]
	Address=$V4_PRIVATE_IP/16
	- path: /root/vultr-privatenet.sh
	permissions: 0755
	owner: "root:root"
	content: \|
	#!/bin/bash

	ip -4 addr add dev eth1 $V4_PRIVATE_IP/16
	- path: /var/lib/iptables/rules-save
	permissions: 0644
	owner: "root:root"
	content: \|
	*filter
	:INPUT DROP [0:0]
	:FORWARD ACCEPT [0:0]
	:OUTPUT ACCEPT [0:0]
	-A INPUT -i lo -j ACCEPT
	-A INPUT -i eth1 -j ACCEPT
	-A INPUT -i docker0 -j ACCEPT
	-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
	-A INPUT -m conntrack --ctstate NEW -m multiport -p tcp --dports 22,80,443,9345,9346 -j ACCEPT
	-A INPUT -m conntrack --ctstate NEW -m multiport -p udp --dports 500,4500,8285 -j ACCEPT
	-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
	-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
	-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
	-A FORWARD -i docker0 -o eth1 -j ACCEPT
	-A FORWARD -i eth1 -o docker0 -j ACCEPT
	-A FORWARD -i eth0 -o docker0 -j ACCEPT
	-A FORWARD -i docker0 -o eth0 -j ACCEPT
	COMMIT
	- path: /etc/ssh/sshd_config
	permissions: 0600
	owner: "root:root"
	content: \|
	# Use most defaults for sshd configuration.
	UsePrivilegeSeparation sandbox
	Subsystem sftp internal-sftp

	PermitRootLogin no
	AllowUsers core
	PasswordAuthentication no
	ChallengeResponseAuthentication no
	- path: /etc/motd.d/info.conf
	content: \|
	____________________________

	Private IP...: $V4_PRIVATE_IP
	Public IP....: $V4_PUBLIC_IP
	Region.......: $REGION
	Etcd Token...: $ETCD_TOKEN
	____________________________

	EOF

	sudo coreos-install -d /dev/vda -c cloud-config.yaml
	sudo reboot