Cloud-config for CoreOS IPXE deployment on Vultr. Provisioning etcd, fleet, private network and docker compatible firewall. #tags: foo, bar

vultr-coreos-bootstrap.sh

#!/bin/bash
# Cloud-config for CoreOS IPXE deployment on Vultr
##################################################
# This cloud-config bootstraps CoreOS on /dev/vda and provisions:
# - private ip-address on eth1
# - etcd on private network
# - fleet on private network
# - basic firewall (docker compatible)
# - SSHd security hardening
##################################################
# Usage:
# 1. Fill in region, SSH Key and etcd token.
# Hint: generate a new token for each unique etcd cluster on https://discovery.etcd.io/new
# 2. Point the cloud-config-url parameter in your IPXE boot script to this file.
##################################################

REGION='vultr-ams'
SSH_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDA61LSHA7iU+82Z2qypYLx2gB9uHydUOoDON30ceAKl5dSgzShtF5XS5sqABYBMowDcvdkNyUDdt1Druv82iu/scATLFmxTQ8R2XIL33dMO6IpBg0d3WQcU5Xqeor9s5LTpln7F0V+9vaYG/nXqQtnz4PEnZGA+f9ddHuvcDajqKLNTDyriL87E6HAfjNU+1ShI2Qv8Zqhq8rYW0zkn2C+4vVKpgzq8B91R7hSXZwUTU9+bIq3uqTfe/t9/5hFNZEUo/ezV25DFvWDmvKcXt1QRoLxL/NI7h00fEJY7QVh2eevtiA9BdthI2LHx2tm2LoMYHQVZUVljm033xh2UISx'
ETCD_TOKEN=0a92b2b1223fe3f551e25047d238d261

# Don't edit below unless you know what you're doing
##################################################

V4_PRIVATE_IP=`curl -sS http://169.254.169.254/current/meta-data/local-ipv4`
V4_PUBLIC_IP=`curl -sS http://169.254.169.254/current/meta-data/public-ipv4`
INSTANCE_ID=`curl -sS http://169.254.169.254/current/meta-data/instance-id`

cat > "cloud-config.yaml" <<EOF
#cloud-config
hostname: $REGION-${INSTANCE_ID: -4}
ssh_authorized_keys:
  - $SSH_KEY
coreos:
  etcd:
    discovery: https://discovery.etcd.io/$ETCD_TOKEN
    # multi-region and multi-cloud deployments need to use $V4_PUBLIC_IP
    addr: $V4_PRIVATE_IP:4001
    peer-addr: $V4_PRIVATE_IP:7001
  fleet:
    public-ip: $V4_PRIVATE_IP
    metadata: region=$REGION public_ip=$V4_PUBLIC_IP
  update:
    reboot-strategy: best-effort
  units:
    - name: vultr-meta.service
      command: start
      runtime: yes
      content: |
        [Unit]
        Description=Initialize Vultr private network

        [Service]
        Type=oneshot
        WorkingDirectory=/root
        ExecStart=/usr/bin/bash /root/vultr-privatenet.sh
    - name: iptables.service
      enable: false
    - name: iptables-restore.service
      enable: true
    - name: etcd.service
      command: start
    - name: fleet.service
      command: start
write_files:
    - path: /etc/environment
      permissions: 0644
      owner: "root:root"
      content: |
        COREOS_PRIVATE_IPV4=$V4_PRIVATE_IP
        COREOS_PUBLIC_IPV4=$V4_PUBLIC_IP
        ETCD_ADDR=$V4_PRIVATE_IP:4001
        ETCD_PEER_ADDR=$V4_PRIVATE_IP:7001
        ETCD_TOKEN=$ETCD_TOKEN
    - path: /etc/systemd/network/10-static-eth1.network
      permissions: 0644
      owner: "root:root"
      content: |
        [Match]
        Name=eth1

        [Link]
        MTUBytes=1450

        [Network]
        Address=$V4_PRIVATE_IP/16
    - path: /root/vultr-privatenet.sh
      permissions: 0755
      owner: "root:root"
      content: |
        #!/bin/bash
        
        ip -4 addr add dev eth1 $V4_PRIVATE_IP/16
    - path: /var/lib/iptables/rules-save
      permissions: 0644
      owner: "root:root"
      content: |
        *filter
        :INPUT DROP [0:0]
        :FORWARD ACCEPT [0:0]
        :OUTPUT ACCEPT [0:0]
        -A INPUT -i lo -j ACCEPT
        -A INPUT -i eth1 -j ACCEPT
        -A INPUT -i docker0 -j ACCEPT
        -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
        -A INPUT -m conntrack --ctstate NEW -m multiport -p tcp --dports 22,80,443,9345,9346 -j ACCEPT
        -A INPUT -m conntrack --ctstate NEW -m multiport -p udp --dports 500,4500 -j ACCEPT
        -A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
        -A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
        -A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
        -A FORWARD -i docker0 -o eth1 -j ACCEPT
        -A FORWARD -i eth1 -o docker0 -j ACCEPT
        -A FORWARD -i eth0 -o docker0 -j ACCEPT
        -A FORWARD -i docker0 -o eth0 -j ACCEPT
        COMMIT
    - path: /etc/ssh/sshd_config
      permissions: 0600
      owner: "root:root"
      content: |
          # Use most defaults for sshd configuration.
          UsePrivilegeSeparation sandbox
          Subsystem sftp internal-sftp
   
          PermitRootLogin no
          AllowUsers core
          PasswordAuthentication no
          ChallengeResponseAuthentication no
    - path: /etc/motd.d/info.conf
      content: |
          ____________________________
          
          Private IP...: $V4_PRIVATE_IP
          Public IP....: $V4_PUBLIC_IP
          Region.......: $REGION
          Etcd Token...: $ETCD_TOKEN
          ____________________________

EOF

sudo coreos-install -d /dev/vda -c cloud-config.yaml
sudo reboot

this no longer works,
VM gets stuck in boot cycle.
have tried with multiple versions of coreOS going back to 1185.5.0

this no longer works,
VM gets stuck in boot cycle.
have tried with multiple versions of coreOS going back to 1185.5.0

+1

this no longer works,
VM gets stuck in boot cycle.
have tried with multiple versions of coreOS going back to 1185.5.0

+2