From 49c8d32ed7e959f8c37b8af2e5d855e5e52fd912 Mon Sep 17 00:00:00 2001 From: AnandkumarPatel Date: Mon, 12 Oct 2015 13:39:37 -0700 Subject: [PATCH 01/12] add swarm yamls --- ansible/beta-hosts/variables | 5 ++ ansible/group_vars/alpha-swarm-manager.yml | 21 ++++++++ ansible/group_vars/alpha-swarm-slave.yml | 12 +++++ ansible/prod-hosts/variables | 5 ++ .../roles/builder/templates/consul/Dockerfile | 54 +++++++++++++++++++ ansible/roles/docker/templates/docks | 2 +- ansible/swarm-master.yaml | 7 +++ 7 files changed, 105 insertions(+), 1 deletion(-) create mode 100644 ansible/group_vars/alpha-swarm-manager.yml create mode 100644 ansible/group_vars/alpha-swarm-slave.yml create mode 100644 ansible/roles/builder/templates/consul/Dockerfile create mode 100644 ansible/swarm-master.yaml diff --git a/ansible/beta-hosts/variables b/ansible/beta-hosts/variables index 398ead09..7df4443a 100644 --- a/ansible/beta-hosts/variables +++ b/ansible/beta-hosts/variables @@ -47,11 +47,15 @@ aws_access_key_id=AKIAJ3RCYU6FCULAJP2Q aws_secret_access_key=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 shiva_rollbar_key=0526a90faec845d796e1ef5361a00526 +[swarm-master:vars] +swarm_master_port=2375 + [beta:vars] ansible_ssh_private_key_file=~/.ssh/oregon.pem datadog_host=10.20.1.59 datadog_port=8125 datadog_tags=env:beta +docker_port=4242 domain=runnable-beta.com new_relic_license_key=338516e0826451c297d44dc60aeaf0a0ca4bfead node_env=production-beta @@ -63,4 +67,5 @@ rabbit_password=wKK7g7NWKpQXEeSzyWB7mIpxZIL8H2mDSf3Q6czR3Vk rabbit_port=54321 rabbit_username=o2mdLh9N9Ke2GzhoK8xsruYPhIQFN7iEL44dQJoq7OM registry_host=10.20.1.55 +swarm_token=d363b783f03a845a2c82b081bfe8443e user_content_domain=runnablecloud.com diff --git a/ansible/group_vars/alpha-swarm-manager.yml b/ansible/group_vars/alpha-swarm-manager.yml new file mode 100644 index 00000000..294bdccd --- /dev/null +++ b/ansible/group_vars/alpha-swarm-manager.yml 
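Review bot: The `swarm_token` value appended to the `[beta:vars]` block (and to `[alpha:vars]` in `ansible/prod-hosts/variables` in the same commit) is a swarm discovery-service token committed in cleartext; per `alpha-swarm-slave.yml` it is all a host needs to `join` the cluster, so it should be handled as a credential rather than plain inventory: keep it in an `ansible-vault`-encrypted vars file or inject it at run time, and rotate it once it has been in history. The new `[swarm-master:vars]` section also defines `swarm_master_port` for a group named `swarm-master`, while the playbook added in this commit targets `hosts: swarm`; unless a `swarm-master` group containing those hosts exists in `hosts`, the variable will be undefined where `alpha-swarm-manager.yml` uses it, and the header should read `[swarm:vars]`.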
@@ -0,0 +1,21 @@ +name: "swarm" + +# container_kill_start settings +container_image: swarm +container_tag: 0.4.0 +container_run_opts: > + -d + -p {{ swarm_master_port }}:2375 + -v /opt/ssl/docker:/etc/ssl/docker:ro + +container_run_args: > + --tlsverify + --tlscacert= + --tlscert= + --tlskey= + manage + token://{{ discovery_token }} + +# for redis +redis_key: "frontend:swarm.{{ domain }}" +is_redis_update_required: 'yes' diff --git a/ansible/group_vars/alpha-swarm-slave.yml b/ansible/group_vars/alpha-swarm-slave.yml new file mode 100644 index 00000000..3eea4021 --- /dev/null +++ b/ansible/group_vars/alpha-swarm-slave.yml @@ -0,0 +1,12 @@ +name: "swarm" + +# container_kill_start settings +container_image: swarm +container_tag: latest +container_run_opts: > + -d + +container_run_args: > + join + --addr={{ ansible_default_ipv4.address }}:{{ docker_port }} + token://{{ discovery_token }} diff --git a/ansible/prod-hosts/variables b/ansible/prod-hosts/variables index 75ec3570..8cdd797b 100644 --- a/ansible/prod-hosts/variables +++ b/ansible/prod-hosts/variables @@ -47,11 +47,15 @@ aws_access_key_id=AKIAJ3RCYU6FCULAJP2Q aws_secret_access_key=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 shiva_rollbar_key=0526a90faec845d796e1ef5361a00526 +[swarm-master:vars] +swarm_master_port=2375 + [alpha:vars] ansible_ssh_private_key_file=~/.ssh/Test-runnable.pem datadog_host=10.0.1.239 datadog_port=8125 datadog_tags=env:alpha +docker_port=4242 domain=runnable.io new_relic_license_key=338516e0826451c297d44dc60aeaf0a0ca4bfead node_env=production @@ -63,4 +67,5 @@ rabbit_password=6df7983b76a22bbbffee11a29860cda8 rabbit_port=54321 rabbit_username=a4c1ac709c3bc685a6665fc1d23d737d registry_host=10.0.1.254 +swarm_token=40ec138a1b478aaf84aca2a1c21c70fe user_content_domain=runnableapp.com diff --git a/ansible/roles/builder/templates/consul/Dockerfile b/ansible/roles/builder/templates/consul/Dockerfile new file mode 100644 index 00000000..43ba49c6 --- /dev/null 
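Review bot: `alpha-swarm-slave.yml` pins `container_tag: latest` while `alpha-swarm-manager.yml` pins `container_tag: 0.4.0`, so agents and manager can silently diverge in version on every redeploy; pin the slave to the same tag, `container_tag: 0.4.0`. Both files also reference `{{ discovery_token }}` whereas the inventory in this commit defines `swarm_token`; unless `discovery_token` is defined elsewhere, the `container_run_args` block will fail to render at deploy time. The three empty `--tlscacert=`/`--tlscert=`/`--tlskey=` arguments would make the manager start without usable certificates; if they are intentionally left for a follow-up, a `# TODO: filled in by cert role` comment would make that obvious.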
+++ b/ansible/roles/builder/templates/consul/Dockerfile
@@ -0,0 +1,54 @@
+FROM registry.runnable.com/runnable/{{ base_dockerfile }}:latest
+
+# Copied from https://hub.docker.com/r/progrium/consul/~/dockerfile/
+ADD https://dl.bintray.com/mitchellh/consul/0.5.2_linux_amd64.zip /tmp/consul.zip
+RUN cd /bin && unzip /tmp/consul.zip && chmod +x /bin/consul && rm /tmp/consul.zip
+
+ADD https://dl.bintray.com/mitchellh/consul/0.5.2_web_ui.zip /tmp/webui.zip
+RUN cd /tmp && unzip /tmp/webui.zip && mv dist /ui && rm /tmp/webui.zip
+
+ADD ./config /config/
+
+ADD ./check-http /bin/check-http
+ADD ./check-cmd /bin/check-cmd
+
+EXPOSE 8300 8301 8301/udp 8302 8302/udp 8400 8500
+VOLUME ["/data"]
+
+ENV SHELL /bin/bash
+# end copy
+
+{% if hosted_ports is defined %}
+# Expose port to Host
+EXPOSE {% for hosted_port in hosted_ports %}{{ hosted_port }} {% endfor %}
+{% endif %}
+
+{% if dockerfile_enviroment is defined %}
+# Envs
+{% for env in dockerfile_enviroment %}
+ENV {{ env }}
+{% endfor %}
+{% endif %}
+
+# setup node and npm versions
+RUN n {{ node_version }} && npm install -g npm@{{ npm_version }}
+
+# Download Repo
+RUN git clone -b {{ git_branch }} --single-branch {{ repo }} /{{ name }}
+
+WORKDIR /{{ name }}
+{% if dockerfile_pre_install_commands is defined %}
+{% for command in dockerfile_pre_install_commands %}
+RUN {{ command }}
+{% endfor %}
+{% endif %}
+
+RUN npm install --production
+
+{% if dockerfile_post_install_commands is defined %}
+{% for command in dockerfile_post_install_commands %}
+RUN {{ command }}
+{% endfor %}
+{% endif %}
+
+ENTRYPOINT ["/bin/consul", "agent", "-config-dir=/config"]
diff --git a/ansible/roles/docker/templates/docks b/ansible/roles/docker/templates/docks
index 9d8b82e0..a2b08093 100644
--- a/ansible/roles/docker/templates/docks
+++ b/ansible/roles/docker/templates/docks
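Review bot: The two `ADD https://dl.bintray.com/...` lines fetch the consul binary and web UI with no integrity check, so what ends up in `/bin/consul` is whatever the URL serves at build time; download them in a `RUN` step and verify a pinned SHA-256 before extracting (the jinja template can carry the digest as a variable next to the version). `FROM ...:latest` makes rebuilds non-reproducible for the same reason, and the final image has no `USER`, so consul and the cloned application run as root. `ENV SHELL /bin/bash` uses the legacy space-separated form; `ENV SHELL=/bin/bash` is the preferred spelling.
```dockerfile
# Fetch and verify the consul binary in one layer; replace the placeholder with the
# digest published for the 0.5.2 release (assumes curl is present in the base image).
RUN curl -fsSL -o /tmp/consul.zip https://dl.bintray.com/mitchellh/consul/0.5.2_linux_amd64.zip \
 && echo "<sha256-of-0.5.2_linux_amd64.zip>  /tmp/consul.zip" | sha256sum -c - \
 && unzip /tmp/consul.zip -d /bin && chmod +x /bin/consul && rm /tmp/consul.zip
# … unchanged: web UI download (apply the same verification), config and check copies …
```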
@@ -1,4 +1,4 @@ -DOCKER_OPTS="-H=unix:///var/run/docker.sock -H=0.0.0.0:4242" +DOCKER_OPTS="-H=unix:///var/run/docker.sock -H=0.0.0.0:{{ docker_port }}" DOCKER_OPTS="$DOCKER_OPTS --tlsverify --tlscacert=/etc/ssl/docker/ca.pem" DOCKER_OPTS="$DOCKER_OPTS --tlscert=/etc/ssl/docker/cert.pem --tlskey=/etc/ssl/docker/key.pem" DOCKER_OPTS="$DOCKER_OPTS -g /docker --insecure-registry registry.runnable.com --icc=false" diff --git a/ansible/swarm-master.yaml b/ansible/swarm-master.yaml new file mode 100644 index 00000000..2a09223a --- /dev/null +++ b/ansible/swarm-master.yaml @@ -0,0 +1,7 @@ +--- +- hosts: swarm + vars_files: + - "group_vars/alpha-swarm.yml" + roles: + - { role: notify, tags: "notify" } + - { role: container_kill_start, tags: "deploy" } From 8348140921c377d0c0df9cf01225847f8bd0d236 Mon Sep 17 00:00:00 2001 From: AnandkumarPatel Date: Mon, 12 Oct 2015 13:51:27 -0700 Subject: [PATCH 02/12] move common configs into the shared all.yml --- ansible/beta-hosts/variables | 13 ------------- ansible/group_vars/all.yml | 32 ++++++++++++++++++++++++++++++-- ansible/prod-hosts/variables | 13 ------------- 3 files changed, 30 insertions(+), 28 deletions(-) diff --git a/ansible/beta-hosts/variables b/ansible/beta-hosts/variables index 7df4443a..d0ca3733 100644 --- a/ansible/beta-hosts/variables +++ b/ansible/beta-hosts/variables 
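Review bot: `swarm-master.yaml` loads `group_vars/alpha-swarm.yml`, but the files this commit creates are `alpha-swarm-manager.yml` and `alpha-swarm-slave.yml`, so the play fails at `vars_files` unless that file already exists elsewhere; it should point at `group_vars/alpha-swarm-manager.yml`. The play also targets `hosts: swarm` while no `swarm` group is added to either inventory in this commit, so as written it selects no hosts. In the `docks` template the daemon now listens on `0.0.0.0:{{ docker_port }}`; the existing `--tlsverify` flags on the following lines are what keep that acceptable, so a short comment there saying the TLS options must stay with the listener would guard against a future edit splitting them up.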
@@ -4,22 +4,17 @@ api_aws_secret_access_key=A6XOpeEElvvIulfAzVLohqKtpKij5ZE8h0FFx0Jn api_github_client_id=baa5c868b6d17d7ae002 api_github_client_secret=ad4f8527ae98d7eea15a32ee5abbead5c9a25abc api_github_deploy_keys_bucket=runnable.deploykeys.production-beta -api_github_hook_secret=3V3RYTHINGisAW3S0ME! api_hello_runnable_github_token=88ddc423c2312d02a8bbcaad76dd4c374a30e4af -api_loggly_token=f673760d-e0b3-4a93-a15e-2862ea074f91 api_mixpanel_app_id=c41affa4b08818443365c526cbb51606 api_mongo_auth=api:oW4c7x9Wiv28oiNBy2Bc api_mongo_database=beta api_mongo_replset_name=beta api_neo4j_auth=neo4j:oqGlRV1KTpaqbHDkdlJz -api_neo4j_port=7474 -api_neo4j_protocol=http:// api_new_relic_app_name=beta-api-production api_rollbar_key=a90d9c262c7c48cfabbd32fd0a1bc61c api_s3_context_bucket=runnable.context.resources.production-beta [eru:vars] -eru_api_host=api.{{ domain }} eru_github_id=8abb08f83f6d1c52bd1a eru_github_secret=74a23ee56486d57b14f292283cb04625f600917c @@ -47,24 +42,16 @@ aws_access_key_id=AKIAJ3RCYU6FCULAJP2Q aws_secret_access_key=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 shiva_rollbar_key=0526a90faec845d796e1ef5361a00526 -[swarm-master:vars] -swarm_master_port=2375 - [beta:vars] ansible_ssh_private_key_file=~/.ssh/oregon.pem datadog_host=10.20.1.59 -datadog_port=8125 datadog_tags=env:beta -docker_port=4242 domain=runnable-beta.com new_relic_license_key=338516e0826451c297d44dc60aeaf0a0ca4bfead node_env=production-beta -pg_database=shiva pg_host=beta-infrastructure-db.cnksgdqarobf.us-west-2.rds.amazonaws.com pg_pass=QBjSpAXVYwmGHu4Y -pg_user=shiva rabbit_password=wKK7g7NWKpQXEeSzyWB7mIpxZIL8H2mDSf3Q6czR3Vk -rabbit_port=54321 rabbit_username=o2mdLh9N9Ke2GzhoK8xsruYPhIQFN7iEL44dQJoq7OM registry_host=10.20.1.55 swarm_token=d363b783f03a845a2c82b081bfe8443e diff --git a/ansible/group_vars/all.yml b/ansible/group_vars/all.yml index e4d8c266..861ac3d6 100644 --- a/ansible/group_vars/all.yml +++ b/ansible/group_vars/all.yml 
@@ -25,8 +25,36 @@ slack_channels: [ '#ops' ] loggly_token: f673760d-e0b3-4a93-a15e-2862ea074f91 loggly_password: TebejAcutHeH_Ch0tR9ru4anaT6CRu*3 -loggly_account_name: sandboxes loggly_username: ops -# datadog key +## +## shared application configs +## + +# api +api_github_hook_secret: 3V3RYTHINGisAW3S0ME! +api_neo4j_port: 7474 +api_neo4j_protocol: http:// + +# datadog +datadog_port: 8125 datadog_api_key: 6488896fe0c811965ef233b96809d70d + +# docker +docker_port: 4242 +docker_cert_path: /etc/ssl/docker/cert.pem +docker_key_path: /etc/ssl/docker/key.pem +docker_ca_path: /etc/ssl/docker/ca.pem + +# eru +eru_api_host=api.{{ domain }} + +# rabbit +rabbit_port=54321 + +# shiva +pg_database=shiva +pg_user=shiva + +# swarm +swarm_master_port=2375 diff --git a/ansible/prod-hosts/variables b/ansible/prod-hosts/variables index 8cdd797b..fce49971 100644 --- a/ansible/prod-hosts/variables +++ b/ansible/prod-hosts/variables @@ -4,22 +4,17 @@ api_aws_secret_access_key=tyvGiCbj5jWCiQnMLvfrfD64dFo8i6prkdcga86y api_github_client_id=d42d6634d4070c9d9bf9 api_github_client_secret=d6cfde38fef5723e25e52629e3d25825c8a704c9 api_github_deploy_keys_bucket=runnable.deploykeys.production -api_github_hook_secret=3V3RYTHINGisAW3S0ME! api_hello_runnable_github_token=7ae2c176371fccfa17a26f2e44ea8cc77a9e07e5 -api_loggly_token=f673760d-e0b3-4a93-a15e-2862ea074f91 api_mixpanel_app_id=57260a5b6fc972e9c69184882efd009e api_mongo_auth=api:uK8W84j7oU1BYi3ocsEvvJ2Fax9FxeYISla3PoQdvRg= api_mongo_database=alpha api_mongo_replset_name=alpha-0 api_neo4j_auth=neo4j:oqGlRV1KTpaqbHDkdlJz -api_neo4j_port=7474 -api_neo4j_protocol=http:// api_new_relic_app_name=alpha-api-production api_rollbar_key=a90d9c262c7c48cfabbd32fd0a1bc61c api_s3_context_bucket=runnable.context.resources.production [eru:vars] -eru_api_host=api.{{ domain }} eru_github_id=46a23f5f99f0aa9460f8 eru_github_secret=a0336d72e3d540fb9fbbed2c123a81e1cb329dab 
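Review bot: The lines added under `# eru`, `# rabbit`, `# shiva` and `# swarm` use the inventory's `key=value` syntax inside a YAML file (`eru_api_host=api.{{ domain }}`, `rabbit_port=54321`, `pg_database=shiva`, `pg_user=shiva`, `swarm_master_port=2375`), so `all.yml` is no longer a valid mapping and every play that loads group_vars fails to parse it; they need `: ` separators, e.g. `rabbit_port: 54321`. PATCH 04 in this series corrects them, but the repository is broken at this commit, which matters when bisecting. Moving `api_github_hook_secret` into `all.yml` also keeps it in cleartext next to the loggly and datadog credentials already in this file; all of these are candidates for an `ansible-vault`-encrypted vars file.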
@@ -47,24 +42,16 @@ aws_access_key_id=AKIAJ3RCYU6FCULAJP2Q aws_secret_access_key=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 shiva_rollbar_key=0526a90faec845d796e1ef5361a00526 -[swarm-master:vars] -swarm_master_port=2375 - [alpha:vars] ansible_ssh_private_key_file=~/.ssh/Test-runnable.pem datadog_host=10.0.1.239 -datadog_port=8125 datadog_tags=env:alpha -docker_port=4242 domain=runnable.io new_relic_license_key=338516e0826451c297d44dc60aeaf0a0ca4bfead node_env=production -pg_database=shiva pg_host=alpha-production-db.czw5moz6rmpp.us-west-1.rds.amazonaws.com:30573 pg_pass=wCJGCfCWE9CKmQwa2XUKj6d8WYcEZAb9 -pg_user=shiva rabbit_password=6df7983b76a22bbbffee11a29860cda8 -rabbit_port=54321 rabbit_username=a4c1ac709c3bc685a6665fc1d23d737d registry_host=10.0.1.254 swarm_token=40ec138a1b478aaf84aca2a1c21c70fe From ff36d28854a7c93103c19b322f098c6e6e7d22a3 Mon Sep 17 00:00:00 2001 From: AnandkumarPatel Date: Mon, 12 Oct 2015 14:09:33 -0700 Subject: [PATCH 03/12] add cert path for swarm manager --- ansible/group_vars/alpha-swarm-manager.yml | 6 +++--- ansible/roles/docker/templates/docks | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/ansible/group_vars/alpha-swarm-manager.yml b/ansible/group_vars/alpha-swarm-manager.yml index 294bdccd..686e50ae 100644 --- a/ansible/group_vars/alpha-swarm-manager.yml +++ b/ansible/group_vars/alpha-swarm-manager.yml @@ -10,9 +10,9 @@ container_run_opts: > container_run_args: > --tlsverify - --tlscacert= - --tlscert= - --tlskey= + --tlscacert={{ docker_ca_path }} + --tlscert={{ docker_cert_path }} + --tlskey={{ docker_key_path }} manage token://{{ discovery_token }} diff --git a/ansible/roles/docker/templates/docks b/ansible/roles/docker/templates/docks index a2b08093..e5bc05c2 100644 --- a/ansible/roles/docker/templates/docks +++ b/ansible/roles/docker/templates/docks 
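Review bot: The `--tlscacert={{ docker_ca_path }}` / `--tlscert=...` / `--tlskey=...` arguments in `alpha-swarm-manager.yml` are evaluated inside the swarm container, while the same variables are used in the `docks` template for the host daemon; they only agree because `container_run_opts` mounts `/opt/ssl/docker` at `/etc/ssl/docker`, the same prefix the variables carry. That coupling is not obvious from either file, so add a line above `container_run_args`, e.g. `# paths are container-side; they match the host only because of the -v /opt/ssl/docker mount above`. The hunk shows only the `container_run_args` block; the rest of the file is outside it.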
@@ -1,5 +1,5 @@ DOCKER_OPTS="-H=unix:///var/run/docker.sock -H=0.0.0.0:{{ docker_port }}" -DOCKER_OPTS="$DOCKER_OPTS --tlsverify --tlscacert=/etc/ssl/docker/ca.pem" -DOCKER_OPTS="$DOCKER_OPTS --tlscert=/etc/ssl/docker/cert.pem --tlskey=/etc/ssl/docker/key.pem" +DOCKER_OPTS="$DOCKER_OPTS --tlsverify --tlscacert={{ docker_ca_path }}" +DOCKER_OPTS="$DOCKER_OPTS --tlscert={{ docker_cert_path }} --tlskey={{ docker_key_path }}" DOCKER_OPTS="$DOCKER_OPTS -g /docker --insecure-registry registry.runnable.com --icc=false" -DOCKER_OPTS="$DOCKER_OPTS --dns={{ charon_host | default(hostvars[groups['charon'][0]]['ansible_default_ipv4']['address'])}} --dns=8.8.8.8" +DOCKER_OPTS="$DOCKER_OPTS --dns=172.17.42.1 --dns=8.8.8.8" From 2c8adc69f867ca92bbf09e0261568c75fd90b521 Mon Sep 17 00:00:00 2001 From: AnandkumarPatel Date: Mon, 12 Oct 2015 16:32:00 -0700 Subject: [PATCH 04/12] add client cert generate in docker_client role, fix some nits --- .gitignore | 5 ++- ansible/beta-hosts/hosts | 4 ++ ansible/certs/scripts/genClientCert.sh | 3 ++ ansible/group_vars/all.yml | 10 ++--- ansible/group_vars/alpha-swarm-manager.yml | 10 +++-- ansible/prod-hosts/hosts | 4 ++ ansible/roles/docker_client/README.md | 17 +++++++++ .../files/certs/script/genClientCert.sh | 37 +++++++++++++++++++ .../docker_client/files/certs/swarm/cert.pem | 20 ++++++++++ .../docker_client/files/certs/swarm/key.pem | 27 ++++++++++++++ ansible/swarm-manager.yml | 11 ++++++ ansible/swarm-master.yaml | 7 ---- package.json | 2 +- 13 files changed, 140 insertions(+), 17 deletions(-) create mode 100644 ansible/roles/docker_client/README.md create mode 100755 ansible/roles/docker_client/files/certs/script/genClientCert.sh create mode 100644 ansible/roles/docker_client/files/certs/swarm/cert.pem create mode 100644 ansible/roles/docker_client/files/certs/swarm/key.pem create mode 100644 ansible/swarm-manager.yml delete mode 100644 ansible/swarm-master.yaml diff --git a/.gitignore b/.gitignore index b512c09d..8b65e26f 100644 
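Review bot: The last line replaces the charon-host lookup with a hardcoded `--dns=172.17.42.1`, a change unrelated to the commit subject ("add cert path for swarm manager") and not mentioned in it. That address is only Docker's default for the docker0 bridge; the bridge subnet is configurable, so a host with a different bridge address silently loses its first resolver and every lookup falls through to `8.8.8.8`. If the intent is to resolve via a container on the bridge, keep it as a variable with the default spelled out, `--dns={{ docker_bridge_dns | default('172.17.42.1') }}`, and say so in a comment in the template.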
--- a/.gitignore +++ b/.gitignore @@ -1 +1,4 @@ -node_modules \ No newline at end of file +node_modules +ca-key.pem +pass +hellorunnable diff --git a/ansible/beta-hosts/hosts b/ansible/beta-hosts/hosts index 178620ac..b3d3fad5 100644 --- a/ansible/beta-hosts/hosts +++ b/ansible/beta-hosts/hosts @@ -65,6 +65,9 @@ beta-services [registry] beta-registry +[swarm] +beta-services + [docks] [beta:children] @@ -86,6 +89,7 @@ optimus rabbitmq eru shiva +swarm [targets] localhost ansible_connection=local bastion_name=beta-bastion diff --git a/ansible/certs/scripts/genClientCert.sh b/ansible/certs/scripts/genClientCert.sh index b1ed4ad2..d8389fd0 100755 --- a/ansible/certs/scripts/genClientCert.sh +++ b/ansible/certs/scripts/genClientCert.sh @@ -32,3 +32,6 @@ openssl x509 \ -extfile "$CLIENT-extfile.cnf" chmod 400 "$CLIENT-cert.pem" +# cleanup files we do not need +rm $CLIENT-extfile.cnf +rm $CLIENT-client.csr \ No newline at end of file diff --git a/ansible/group_vars/all.yml b/ansible/group_vars/all.yml index 861ac3d6..8e4eab41 100644 --- a/ansible/group_vars/all.yml +++ b/ansible/group_vars/all.yml @@ -47,14 +47,14 @@ docker_key_path: /etc/ssl/docker/key.pem docker_ca_path: /etc/ssl/docker/ca.pem # eru -eru_api_host=api.{{ domain }} +eru_api_host: api.{{ domain }} # rabbit -rabbit_port=54321 +rabbit_port: 54321 # shiva -pg_database=shiva -pg_user=shiva +pg_database: shiva +pg_user: shiva # swarm -swarm_master_port=2375 +swarm_master_port: 2375 diff --git a/ansible/group_vars/alpha-swarm-manager.yml b/ansible/group_vars/alpha-swarm-manager.yml index 686e50ae..efd8bc24 100644 --- a/ansible/group_vars/alpha-swarm-manager.yml +++ b/ansible/group_vars/alpha-swarm-manager.yml 
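Review bot: The two `rm` lines added to `genClientCert.sh` drop the quoting every other `$CLIENT` reference in the script uses, so a client name containing spaces or glob characters would expand to the wrong paths; write `rm "$CLIENT-extfile.cnf" "$CLIENT-client.csr"`. The file also loses its trailing newline. The same two lines appear in the new copy at `ansible/roles/docker_client/files/certs/script/genClientCert.sh` in this commit and in its moved successor in PATCH 05.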
@@ -3,6 +3,13 @@ name: "swarm" # container_kill_start settings container_image: swarm container_tag: 0.4.0 + +# for redis +redis_host: "{{ hostvars[groups['redis'][0]]['ansible_default_ipv4']['address'] }}" +redis_key: "frontend:swarm.{{ domain }}" +is_redis_update_required: 'yes' + +# container_kill_start vars container_run_opts: > -d -p {{ swarm_master_port }}:2375 @@ -16,6 +23,3 @@ container_run_args: > manage token://{{ discovery_token }} -# for redis -redis_key: "frontend:swarm.{{ domain }}" -is_redis_update_required: 'yes' diff --git a/ansible/prod-hosts/hosts b/ansible/prod-hosts/hosts index 1485232a..5b27ba42 100644 --- a/ansible/prod-hosts/hosts +++ b/ansible/prod-hosts/hosts @@ -71,6 +71,9 @@ alpha-registry [shiva] alpha-api-old +[swarm] +alpha-api-old + [docks] [alpha:children] @@ -94,6 +97,7 @@ detention hubot eru shiva +swarm [targets] localhost ansible_connection=local bastion_name=alpha-bastion diff --git a/ansible/roles/docker_client/README.md b/ansible/roles/docker_client/README.md new file mode 100644 index 00000000..7d3dce74 --- /dev/null +++ b/ansible/roles/docker_client/README.md @@ -0,0 +1,17 @@ +# Role Name + +Ansible Role to Install Docker Client Certs on Ubuntu + +## Manual Setup + +Creating new docker client certs: +1. cd into this dir ```cd ``` +2. ensure you have ca-key.pem here `roles/docker_client/ca-key.pem` +3. run cert generator `sudo ./scripts/genClientCert.sh` +4. output files we want are `-key.pem` and `-cert.pem` +5. create folder for these new certs based on app name ```mkdir ``` +6. move keys into folder ```mv ./-key.pem .//key.pem && mv ./-cert.pem .//cert.pem``` + +## Author Information + +anandkumarpatel diff --git a/ansible/roles/docker_client/files/certs/script/genClientCert.sh b/ansible/roles/docker_client/files/certs/script/genClientCert.sh new file mode 100755 index 00000000..d8389fd0 --- /dev/null +++ b/ansible/roles/docker_client/files/certs/script/genClientCert.sh 
@@ -0,0 +1,37 @@
+#!/bin/bash
+
+if [[ $1 = '' ]]; then
+ echo 'script requires a client name'
+ exit 1
+fi
+CLIENT=$1
+
+# generate key for client
+openssl genrsa -out "$CLIENT-key.pem" 2048
+chmod 400 "$CLIENT-key.pem"
+
+# generate CSR for client
+openssl req \
+ -subj '/CN=client' \
+ -new \
+ -key "$CLIENT-key.pem" \
+ -out "$CLIENT-client.csr"
+chmod 400 "$CLIENT-client.csr"
+
+echo extendedKeyUsage = clientAuth > "$CLIENT-extfile.cnf"
+
+# generate cert for client
+openssl x509 \
+ -req \
+ -days 365 \
+ -in "$CLIENT-client.csr" \
+ -CA ca.pem \
+ -CAkey ca-key.pem \
+ -CAcreateserial \
+ -out "$CLIENT-cert.pem" \
+ -extfile "$CLIENT-extfile.cnf"
+chmod 400 "$CLIENT-cert.pem"
+
+# cleanup files we do not need
+rm $CLIENT-extfile.cnf
+rm $CLIENT-client.csr
\ No newline at end of file
diff --git a/ansible/roles/docker_client/files/certs/swarm/cert.pem b/ansible/roles/docker_client/files/certs/swarm/cert.pem
new file mode 100644
index 00000000..7259821e
--- /dev/null
+++ b/ansible/roles/docker_client/files/certs/swarm/cert.pem
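Review bot: `-subj '/CN=client'` gives every certificate this script issues the same subject, so nothing in the cert identifies which client it was minted for and telling them apart in the CA's serial file or in daemon logs is harder than it needs to be; the name is already in hand, so use `-subj "/CN=$CLIENT"`. The script also assumes `ca.pem` and `ca-key.pem` are in the current directory and only finds out at the `openssl x509` step, leaving a key and CSR on disk; a guard before the first `openssl` call, `[[ -r ca.pem && -r ca-key.pem ]] || { echo 'ca.pem/ca-key.pem not found in cwd'; exit 1; }`, makes it fail early. `-CAcreateserial` writes `ca.srl` next to the CA, which neither the cleanup block nor `.gitignore` accounts for.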
@@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDPDCCAiSgAwIBAgIJAPP4C2aCETjaMA0GCSqGSIb3DQEBBQUAMIGQMQswCQYD +VQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNU2FuIEZyYW5j +aXNjbzERMA8GA1UEChMIUnVubmFibGUxDDAKBgNVBAsTA09wczESMBAGA1UEAxMJ +bG9jYWxob3N0MR8wHQYJKoZIhvcNAQkBFhBvcHNAcnVubmFibGUuY29tMB4XDTE1 +MTAxMjIzMjA0N1oXDTE2MTAxMTIzMjA0N1owETEPMA0GA1UEAxMGY2xpZW50MIIB +IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtB1XYLhTAKjMVdoDm9XKjWWS +OjdjN5S5XHRBbhQXWS8zTVkJwmF1RTarHChb4wUCfg2Fnbg+deTxIVQHU+M4Kfia +PmeTf1A8dfA5f+F0Jj7nCi0b9Trft8yzlqv49pgKD0dHuWNYp1WZDlv8QbzpSG9r +rpJwJqqkaelCqI8R2qB5iA3VJbhyT6V6n43LYZZO7D2ct/0+K40QalA8ZWogGENh +5T+ik3VvrWQ5t/i0FIcTfyxpfBnX5hsBD0jtzT5RdBZTy8xk/VS2jInjQN9Rw7uw +ttqWMXRQPlAs0AG+eAGdkPvdniYt1Ro7DM8qg9jdkybzo2VQ99rpQwVEf7E3QwID +AQABoxcwFTATBgNVHSUEDDAKBggrBgEFBQcDAjANBgkqhkiG9w0BAQUFAAOCAQEA +A8QHccu1fSZrzopG17oxwYX6w2N9UqeJIblx2z9UIfCwc2ypwm6NIxdQzvp8CtIF +ReU/KQzpl4HLEXOrWQmweNA07KlmyEuuBH8OoI3x1s56SiJiTe7fIdfE2uAZVI1N +mcejNpgWRfrnecIwVLorm700pnD6pSdcOtuBKNl0P6edy/PgHj4i0buUAQni6PL+ +da2u6HtePOrApUgGrD9Ey6w77Pw/uOspP5HyVuXmBph5ArXIv+6x1zZz+jFnMh5M +n3iZr5feeIYqCmolYyXQez9CKWdLNtZiO6KBXhAVrOGDcyTd7U5aqnaMEziHjSSh +hNl160Mmr+fgY50K9bBAmw== +-----END CERTIFICATE----- diff --git a/ansible/roles/docker_client/files/certs/swarm/key.pem b/ansible/roles/docker_client/files/certs/swarm/key.pem new file mode 100644 index 00000000..af599240 --- /dev/null +++ b/ansible/roles/docker_client/files/certs/swarm/key.pem 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAtB1XYLhTAKjMVdoDm9XKjWWSOjdjN5S5XHRBbhQXWS8zTVkJ +wmF1RTarHChb4wUCfg2Fnbg+deTxIVQHU+M4KfiaPmeTf1A8dfA5f+F0Jj7nCi0b +9Trft8yzlqv49pgKD0dHuWNYp1WZDlv8QbzpSG9rrpJwJqqkaelCqI8R2qB5iA3V +JbhyT6V6n43LYZZO7D2ct/0+K40QalA8ZWogGENh5T+ik3VvrWQ5t/i0FIcTfyxp +fBnX5hsBD0jtzT5RdBZTy8xk/VS2jInjQN9Rw7uwttqWMXRQPlAs0AG+eAGdkPvd +niYt1Ro7DM8qg9jdkybzo2VQ99rpQwVEf7E3QwIDAQABAoIBAB9M3gtr3NjHfMMK +oQfqzklmNlQxnedhzBiaB2jWyvvvrO2rJHwILbX6ex/oj5dTHozDUs4G36vjPlg5 +XxCf8vmwPzXLECHW0rr4JTXo+yNOWR42mp4yPgCV7Tuo5RoNb+oZzAgWkKh7wp5x +M9REvRGec0siHaVKkEnrhG8AdezVHcZ/taPxZ84woxavKXQWxEGAHZe8OlCng1Sb +Fi5UUzQY7bYnQg4Foseng4b7wB0Y3wUhaqtDB8fIUQGbh/J6WogAfalsDIT/oMEd +m1V2pMz9PWHcjaGwMI9JAyTTcRVFP1d+xGxC7e5xbBv42EzzbnccaRNUZR2cBiFU +hqa+5FECgYEA2QtZUMj6EL/1SMRFhMsx7gqYsv7090zWHquNjidi2HhMfuwWfy91 +m+SmYbA45Rr7h+HKTU0nsFL3eT3uZCYxQdVNxpdgtq/EmCAr/a0uwL3BSP9Bl1Oh +LZnWgrChspKWufi43Iunp3/KPKaX4DN9N9xSep6eGlhjZu049ZzY2KkCgYEA1HEp +wh3fRZXh145QBwl5QKopGl4/l/j+vST1MW+gKXj8INSXBxWxipy+8PJvHGRQrF1s +i1fuBIk5UPk9XxoQNSw2ohDvRHQtMxBP3Eq/6bTmUvfF9m6QQhnL8jwtuHzGm3gd +sV1+rYD02zCswNgVzKIyt9PbGKMsK1aGbMxJqAsCgYEAjJoMfwfi7uzbYgs7mb3k +F3en2fTODlIpN28c4WTkZKTxsRsRq8y73IRvwELfaJNlNG5xlkgQGOp2RIV5JEmV +iTc8DhVMYqxUp9PXi5sf+V4zky1AeV6EwDyzOLBh34OUvt7AKqcRsbFX+phVNLlG +OeSxTZvpgdmWczvjtUCpPRkCgYAVDPmUUJ11KbrtPx7S869eJv5XrIskpfmoCGd7 +dJIsSd7B6g7lFtM25v1Mptk3uQD9c2x0Ckx9ipNxYKEiMVT1z+HCAWeUIubvrmgb +bhTCNbi08/RbzOzif+fjou7s3wBXG3nlv1v0GVkp9xLHMSJH2rKn4IhPUqvnx3Ue +hsetrQKBgQCE3AXmfUMuwXhjF5MQpEQdXuVx+1Fj44YudHphrcvapDXAIvvx6G2B +wyxVJIHglK2feijsekH/i3kBHRDh0+0Y0zw+JTu4tjr3rLJv3BRofov0/LAdv53G +ulXyb9uTQ73uqmnGzpCre9LzUvVq/iIbFZYESJlceF66n74XpQdXnA== +-----END RSA PRIVATE KEY----- diff --git a/ansible/swarm-manager.yml b/ansible/swarm-manager.yml new file mode 100644 index 00000000..f27c45a4 --- /dev/null +++ b/ansible/swarm-manager.yml 
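Review bot: `files/certs/swarm/key.pem` is an unencrypted RSA private key committed alongside its `cert.pem`, so anyone with read access to this repository — and to its history from now on — holds a client credential the swarm manager accepts under `--tlsverify`. Private key material should not be checked in as a plain file: generate it on the target host, or store it encrypted with `ansible-vault encrypt files/certs/swarm/key.pem` and have the `docker_client` role decrypt it at deploy time. Because this key is already in history, treat it as exposed: reissue the client certificate from the CA, and rotate the CA if it cannot revoke. The replacement key added in PATCH 05 at `files/certs/swarm-manager/key.pem` has the same problem, and `.gitignore` in this commit excludes only `ca-key.pem`.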
@@ -0,0 +1,11 @@ +--- +- hosts: redis + +- hosts: swarm + vars_files: + - "group_vars/alpha-swarm-manager.yml" + roles: + - { role: notify, tags: "notify" } + - { role: redis_key, tags: ["setup", "redis_key"] } + - { role: docker_client, tags: "docker_client" } + - { role: container_kill_start, tags: "deploy" } diff --git a/ansible/swarm-master.yaml b/ansible/swarm-master.yaml deleted file mode 100644 index 2a09223a..00000000 --- a/ansible/swarm-master.yaml +++ /dev/null @@ -1,7 +0,0 @@ ---- -- hosts: swarm - vars_files: - - "group_vars/alpha-swarm.yml" - roles: - - { role: notify, tags: "notify" } - - { role: container_kill_start, tags: "deploy" } diff --git a/package.json b/package.json index eafec232..7bfa6e55 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "devops-scripts", - "version": "0.0.0", + "version": "0.0.1", "description": "devops-scripts ==============", "main": "index.js", "directories": { From e6e6f85767ad75bd842a6259f24a45aabeb2e7ac Mon Sep 17 00:00:00 2001 
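Review bot: The first play, `- hosts: redis`, has no tasks or roles; presumably it exists only so fact gathering runs on the redis hosts and `hostvars[groups['redis'][0]]['ansible_default_ipv4']` in `alpha-swarm-manager.yml` resolves during the `swarm` play — confirm that is the intent and record it inline, e.g. `# fact-gathering only: the swarm play reads redis hostvars`. Spelling it out as `gather_facts: yes` with `tasks: []` makes the purpose explicit rather than implied. The `docker_client` role listed here is what installs the committed client key, so the ordering before `container_kill_start` is load-bearing and worth a comment too.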
From: AnandkumarPatel Date: Tue, 13 Oct 2015 12:17:33 -0700 Subject: [PATCH 05/12] fix up certs --- ansible/group_vars/alpha-swarm-manager.yml | 16 +++--- ansible/group_vars/alpha-swarm-slave.yml | 2 +- .../roles/container_kill_start/tasks/main.yml | 2 +- .../docker_client/{files/certs => }/ca.pem | 0 .../files/certs/script/genClientCert.sh | 37 -------------- .../files/certs/swarm-manager/ca.pem | 27 ++++++++++ .../files/certs/swarm-manager/cert.pem | 21 ++++++++ .../files/certs/swarm-manager/key.pem | 27 ++++++++++ .../docker_client/files/certs/swarm/cert.pem | 20 -------- .../docker_client/files/certs/swarm/key.pem | 27 ---------- .../docker_client/scripts/genClientCert.sh | 50 +++++++++++++++++++ ansible/roles/docker_client/tasks/main.yml | 6 +-- ansible/swarm-manager.yml | 1 - 13 files changed, 136 insertions(+), 100 deletions(-) rename ansible/roles/docker_client/{files/certs => }/ca.pem (100%) delete mode 100755 ansible/roles/docker_client/files/certs/script/genClientCert.sh create mode 100755 ansible/roles/docker_client/files/certs/swarm-manager/ca.pem create mode 100644 ansible/roles/docker_client/files/certs/swarm-manager/cert.pem create mode 100644 ansible/roles/docker_client/files/certs/swarm-manager/key.pem delete mode 100644 ansible/roles/docker_client/files/certs/swarm/cert.pem delete mode 100644 ansible/roles/docker_client/files/certs/swarm/key.pem create mode 100755 ansible/roles/docker_client/scripts/genClientCert.sh diff --git a/ansible/group_vars/alpha-swarm-manager.yml b/ansible/group_vars/alpha-swarm-manager.yml index efd8bc24..d657bf58 100644 --- a/ansible/group_vars/alpha-swarm-manager.yml +++ b/ansible/group_vars/alpha-swarm-manager.yml 
@@ -1,25 +1,21 @@ -name: "swarm" +name: "swarm-manager" # container_kill_start settings container_image: swarm container_tag: 0.4.0 -# for redis -redis_host: "{{ hostvars[groups['redis'][0]]['ansible_default_ipv4']['address'] }}" -redis_key: "frontend:swarm.{{ domain }}" -is_redis_update_required: 'yes' - # container_kill_start vars +log_driver: json-file + container_run_opts: > -d -p {{ swarm_master_port }}:2375 - -v /opt/ssl/docker:/etc/ssl/docker:ro + -v /opt/ssl/docker/{{ name }}:/etc/ssl/docker:ro container_run_args: > + manage --tlsverify --tlscacert={{ docker_ca_path }} --tlscert={{ docker_cert_path }} --tlskey={{ docker_key_path }} - manage - token://{{ discovery_token }} - + token://{{ swarm_token }} diff --git a/ansible/group_vars/alpha-swarm-slave.yml b/ansible/group_vars/alpha-swarm-slave.yml index 3eea4021..228f5d73 100644 --- a/ansible/group_vars/alpha-swarm-slave.yml +++ b/ansible/group_vars/alpha-swarm-slave.yml @@ -9,4 +9,4 @@ container_run_opts: > container_run_args: > join --addr={{ ansible_default_ipv4.address }}:{{ docker_port }} - token://{{ discovery_token }} + token://{{ swarm_token }} diff --git a/ansible/roles/container_kill_start/tasks/main.yml b/ansible/roles/container_kill_start/tasks/main.yml index c6f0f2f6..46a3ac1c 100644 --- a/ansible/roles/container_kill_start/tasks/main.yml +++ b/ansible/roles/container_kill_start/tasks/main.yml @@ -40,7 +40,7 @@ # start our new container with options and args - name: start container - command: sudo docker run --log-driver=none -v /var/log:/var/log:rw --restart=always {{container_run_opts}} {{container_image}}:{{container_tag}} {{container_run_args}} + command: sudo docker run --log-driver={{ log_driver | default("none")}} -v /var/log:/var/log:rw --restart=always {{container_run_opts}} {{container_image}}:{{container_tag}} {{container_run_args}} register: new_container_id notify: - get new container ports 
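Review bot: `log_driver: json-file` switches the swarm manager to Docker's file logger, and the `container_kill_start` command that consumes it (`--log-driver={{ log_driver | default("none")}}`) passes no `--log-opt max-size`/`max-file`, so under `--restart=always` the manager's log grows on the host without bound. If the daemon version in use supports it, add rotation next to the driver, `--log-opt max-size=10m --log-opt max-file=3`, or expose a `log_opts` variable the same way `log_driver` is exposed. The cert mount now reads `/opt/ssl/docker/{{ name }}`, coupling the host path to `name: "swarm-manager"`; the `docker_client` role must place `files/certs/swarm-manager/` at exactly that directory, and a comment tying the two together would help. The `container_kill_start` task list continues outside the hunk.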
diff --git a/ansible/roles/docker_client/files/certs/ca.pem b/ansible/roles/docker_client/ca.pem similarity index 100% rename from ansible/roles/docker_client/files/certs/ca.pem rename to ansible/roles/docker_client/ca.pem diff --git a/ansible/roles/docker_client/files/certs/script/genClientCert.sh b/ansible/roles/docker_client/files/certs/script/genClientCert.sh deleted file mode 100755 index d8389fd0..00000000 --- a/ansible/roles/docker_client/files/certs/script/genClientCert.sh +++ /dev/null @@ -1,37 +0,0 @@ -#!/bin/bash - -if [[ $1 = '' ]]; then - echo 'script requires a client name' - exit 1 -fi -CLIENT=$1 - -# generate key for client -openssl genrsa -out "$CLIENT-key.pem" 2048 -chmod 400 "$CLIENT-key.pem" - -# generate CSR for client -openssl req \ - -subj '/CN=client' \ - -new \ - -key "$CLIENT-key.pem" \ - -out "$CLIENT-client.csr" -chmod 400 "$CLIENT-client.csr" - -echo extendedKeyUsage = clientAuth > "$CLIENT-extfile.cnf" - -# generate cert for client -openssl x509 \ - -req \ - -days 365 \ - -in "$CLIENT-client.csr" \ - -CA ca.pem \ - -CAkey ca-key.pem \ - -CAcreateserial \ - -out "$CLIENT-cert.pem" \ - -extfile "$CLIENT-extfile.cnf" -chmod 400 "$CLIENT-cert.pem" - -# cleanup files we do not need -rm $CLIENT-extfile.cnf -rm $CLIENT-client.csr \ No newline at end of file diff --git a/ansible/roles/docker_client/files/certs/swarm-manager/ca.pem b/ansible/roles/docker_client/files/certs/swarm-manager/ca.pem new file mode 100755 index 00000000..85f5c74f --- /dev/null +++ b/ansible/roles/docker_client/files/certs/swarm-manager/ca.pem 
@@ -0,0 +1,27 @@ +-----BEGIN CERTIFICATE----- +MIIEnjCCA4agAwIBAgIJAK0JF0nQ7r9xMA0GCSqGSIb3DQEBCwUAMIGQMQswCQYD +VQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNU2FuIEZyYW5j +aXNjbzERMA8GA1UEChMIUnVubmFibGUxDDAKBgNVBAsTA09wczESMBAGA1UEAxMJ +bG9jYWxob3N0MR8wHQYJKoZIhvcNAQkBFhBvcHNAcnVubmFibGUuY29tMB4XDTE1 +MDUyMjIxNDY1MloXDTE2MDUyMTIxNDY1MlowgZAxCzAJBgNVBAYTAlVTMRMwEQYD +VQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2NvMREwDwYDVQQK +EwhSdW5uYWJsZTEMMAoGA1UECxMDT3BzMRIwEAYDVQQDEwlsb2NhbGhvc3QxHzAd +BgkqhkiG9w0BCQEWEG9wc0BydW5uYWJsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUA +A4IBDwAwggEKAoIBAQCkX4cwQDcimGvnJg0HBl+A9da0zpUjJJVPbba3A2wJ/S7l +gKlYID5TXNYpSAepdmmWO+NEXcNVPUYVhoBe4DWkJFc+lxtLPy0UOseZ+TvMac7i +Zp0k/GSLl3ASloDPfKsBlpOpM+OhWvl5jzAzSJ1l6dGcCEAXE6dhtEUgPMUzfAfl +bUuQ7ri8iMB67Ktix8FJCEpwczlKfebzmxw3VxwGiNQSGbbyIknuCk5eGbMVPtdY +DBl+5R7h0S0enXxYtPtL7CRKs0uHxm8Kmvvo2htSf9bdOSsjnFzQvZdBLrrQipN+ +i8m/ZOL8IOzV/Wfwqd7Zo3w3hUE8rzrBP0Ce0f0BAgMBAAGjgfgwgfUwHQYDVR0O +BBYEFKoY1K08hkkW4dt/bo0153ccq9sMMIHFBgNVHSMEgb0wgbqAFKoY1K08hkkW +4dt/bo0153ccq9sMoYGWpIGTMIGQMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2Fs +aWZvcm5pYTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzERMA8GA1UEChMIUnVubmFi +bGUxDDAKBgNVBAsTA09wczESMBAGA1UEAxMJbG9jYWxob3N0MR8wHQYJKoZIhvcN +AQkBFhBvcHNAcnVubmFibGUuY29tggkArQkXSdDuv3EwDAYDVR0TBAUwAwEB/zAN +BgkqhkiG9w0BAQsFAAOCAQEAl/wOczN+5etU9iYmhNs4RmKxY33SUnnKPZwD/bFM +gVEmHu3Gc2hFDJ/+c4BKULBB60j6K+J3In9iTZHzsUe+5HB1J1Wk5ecXMLc51xBs ++Tc3ZsX6PjSkwHWJyXlcdivmpd8O87vkjrLHg5kzeLL+bwkjGngWg/bbNGR4rGu3 +js//+b9GjSMK91lqRE2aegJyqguqDs0qoxGwzSOqlnSSjQze6YmpN9DWO9X7RGpE +8UswjBeI9DKBIjdzwfF3Zn3ay1ChAhTBnBQE5b2rgIhf6YBw1SP935gfWdbs9AKt +zBF55uLuWt0nBvXCJcHUBTFUnAfqiuQMZuVxBfXi4vuePg== +-----END CERTIFICATE----- diff --git a/ansible/roles/docker_client/files/certs/swarm-manager/cert.pem b/ansible/roles/docker_client/files/certs/swarm-manager/cert.pem new file mode 100644 index 00000000..aa200304 --- /dev/null +++ b/ansible/roles/docker_client/files/certs/swarm-manager/cert.pem 
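Review bot: `files/certs/swarm-manager/ca.pem` is created with mode `100755` (per the PATCH 05 header), unlike the `100644` used for the neighbouring `cert.pem` and `key.pem`; a CA certificate is data and should not carry the executable bit, so `chmod 644` it before committing. This is also a second copy of the CA certificate alongside the rename of `files/certs/ca.pem` to `ansible/roles/docker_client/ca.pem` in the same commit; if both hold the same certificate, keeping one and referencing it from the role avoids the two drifting when the CA is rotated.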
@@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDaDCCAlCgAwIBAgIJAJ3gObWAsIjjMA0GCSqGSIb3DQEBCwUAMIGQMQswCQYD +VQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNU2FuIEZyYW5j +aXNjbzERMA8GA1UEChMIUnVubmFibGUxDDAKBgNVBAsTA09wczESMBAGA1UEAxMJ +bG9jYWxob3N0MR8wHQYJKoZIhvcNAQkBFhBvcHNAcnVubmFibGUuY29tMB4XDTE1 +MTAxMzE5MTI1NVoXDTE2MTAxMjE5MTI1NVowETEPMA0GA1UEAxMGY2xpZW50MIIB +IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxnIwOEiaAiqxsv7ixToFnzHq +0Xc4biOgx8tvEYpv0lOXCg4s7n2AS4zqQyNaWze05v/tfghLTEj2j+dFIzkLk3fN +pmSKu0Jr6xhh1QkyoWsZ20yIgMya9T1P9/8kslqLQ263w5hsG2/z84+Aj6Ku9LYt +pqda0lpYqXEyeh2XnyzKouP5Qcd8/e1X8mLdZt8pDkaQ4WiG2w3TQ8rbX/7ulNBX +9PWwzS6FtYA7SeaE9OgwwK6gQLSw60A/kZE+0eLNXoIjxuIICoV69S6jI/Jztbbr +KKoh76oTa935sAT5KcHnJh5I8rFc+BIkZrz4e3bIyQJu2nXEqBTCjtfK9HYYvQID +AQABo0MwQTAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwIAYDVR0RBBkw +F4cEChQBO4cEfwAAAYIJbG9jYWxob3N0MA0GCSqGSIb3DQEBCwUAA4IBAQAUk7w/ +NtuaHmVDMKvm5lw1ow8AREzcZ3hlyugbBT8MXoMKbnPuAKqfhfwGQNn7LnXdHD1x +Q/6ZbAuI+Q/Cf2KRwTvRslJ1ca5UEZb+t8w+LSU/loSpl3YTDJSCS12ef/W9Ln3S +UiRVskLTbIUXhZ7I+1cjO+52lWw9aYfU/PT7xs6wUIkmZ2AHg2o5odeyLGvwcMPW +VHpcfc9WYfgJhRXw4lPB7Hey+q/G+Y4y3yvxC57pDC/yQtvDGiLdIK7TbVfJh5DA +oT/T5hzx/T1YnFEjjU41+8hGwrrPTavrz5ss87jcHB5k2vS3x/nBbunNhqE3sayj +4r5bzTYODEuNbbvS +-----END CERTIFICATE----- diff --git a/ansible/roles/docker_client/files/certs/swarm-manager/key.pem b/ansible/roles/docker_client/files/certs/swarm-manager/key.pem new file mode 100644 index 00000000..d1c890b5 --- /dev/null +++ b/ansible/roles/docker_client/files/certs/swarm-manager/key.pem 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAxnIwOEiaAiqxsv7ixToFnzHq0Xc4biOgx8tvEYpv0lOXCg4s +7n2AS4zqQyNaWze05v/tfghLTEj2j+dFIzkLk3fNpmSKu0Jr6xhh1QkyoWsZ20yI +gMya9T1P9/8kslqLQ263w5hsG2/z84+Aj6Ku9LYtpqda0lpYqXEyeh2XnyzKouP5 +Qcd8/e1X8mLdZt8pDkaQ4WiG2w3TQ8rbX/7ulNBX9PWwzS6FtYA7SeaE9OgwwK6g +QLSw60A/kZE+0eLNXoIjxuIICoV69S6jI/JztbbrKKoh76oTa935sAT5KcHnJh5I +8rFc+BIkZrz4e3bIyQJu2nXEqBTCjtfK9HYYvQIDAQABAoIBAQCyvWULPPFipDvc +AlIU3Nb1dYuQUXbFVVfavTR0MyHW6q1vRCdaRDYLVogmIrCe2oUZT0kFLMlNk6Zp +JSCTwizYDZ9wkLyYQBJd9V8g+CDfXU0zxjJo+GFWJHxj3i6aao1nFlF0XlR5PhQX +u5hLR3eYOILTyYc3UmLrc2bIsODBX4soU993Aq/ME2I8A6S5wSboPTkuiSboC7rD +4Z3V0eOdljSubMXKoc4v/4A6v2bbe8BLvemL4wTX7TSdTzdU+cpePhPpd0P+/UbI +tQptLR4JkvO05G7bhfsqGyurbLrwsnFOvqk96PCZjNLkYauWjoyNCw9ar4ScHIne +/gdRTc5BAoGBAO2e4lr9QsMUMKyPqbiMD3NQZI2w4Hau7QTvayXkB711nwHQhRQd +uh8EXKE2ODUUhL03J83zFKSarT23hLSqE+JHs8zCVImC6hUlgVA3m5lQB53DX36y +O1C1DdV8vrRIoIc+85mqtspK7545yPRMnT5erS0GTv+EhmLNDT6zhu8NAoGBANXL +nBokQqNFeCMf10BjPrIdSwO06rG7dDjHf44/Mcoem6c65OZCH9nFakqjP+f6pCHP +uw7ASgGSldLnMdjJPz3ERPuEO7Hk71RrqDFeN+H6t2TH2IyX1uByeuxaIYV2QpCE +rmqnALUXaFY7FsEw0FMMbcsXVqgDouMu1331O+RxAoGBAK7KQRdNVN7K60MEKoRm +AreAW3cetP6YjiEjPF4S7t6etuhOypWRiGdoffrYN2BUR5AoEk+cj4LFhMnxRNzg +ft/kfo4QJL9CXY5QmF65iOutwux52rUHxjoH9LUlneJfyjWySN6whOUpWjm5p+iM +st4+JoUILvQmN/RVgXit9oPBAoGAVGMFvpvJYcCt5s9Omy+RM6S0U0Y5zOV8vlyg +UHlJIcprDdsFNo2rHL37cnJ1aw9XcbEY2H21uGEvmgt/dV4aBDtQLybGmTUP8nZ7 +8OCLljrr4G+xXe0g9364XkpFKPTA2WJFpfs9ID2ZBVBVbvPhhqZFQAB6R98HkDyQ ++jqt5UECgYA4GSlK6ij+Xr9NDeIfG8xfuy6aUU792AaYcz7suQXkEUN6Q6PJe+b4 +BHd/ieUWSdl0bkD8ENzZ0GM7nCLxy4DZMNy1Pio2rEJn7M0ljATJbpmdrd1R/EPY +0R/Tb5T0do+ARehLymgCTkTrqCF48gkYUuHeqw+ywQ2BGktnHwFUyw== +-----END RSA PRIVATE KEY----- diff --git a/ansible/roles/docker_client/files/certs/swarm/cert.pem b/ansible/roles/docker_client/files/certs/swarm/cert.pem deleted file mode 100644 index 7259821e..00000000 --- a/ansible/roles/docker_client/files/certs/swarm/cert.pem +++ /dev/null 
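Review bot: This hunk checks a TLS client private key into the repository in the clear; anyone with read access to the repo or its history can now authenticate to every Docker daemon that trusts the CA, and because the generator script sets `extendedKeyUsage=clientAuth,serverAuth` on these certs the same key can also impersonate a daemon. Treat this key as compromised: rotate it and keep the replacement out of git, either by encrypting the file with ansible-vault or by generating the key on the target host and only bringing the CSR back for signing. Deleting the file in a later commit does not undo the exposure because the bytes remain in history.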
@@ -1,20 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDPDCCAiSgAwIBAgIJAPP4C2aCETjaMA0GCSqGSIb3DQEBBQUAMIGQMQswCQYD -VQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNU2FuIEZyYW5j -aXNjbzERMA8GA1UEChMIUnVubmFibGUxDDAKBgNVBAsTA09wczESMBAGA1UEAxMJ -bG9jYWxob3N0MR8wHQYJKoZIhvcNAQkBFhBvcHNAcnVubmFibGUuY29tMB4XDTE1 -MTAxMjIzMjA0N1oXDTE2MTAxMTIzMjA0N1owETEPMA0GA1UEAxMGY2xpZW50MIIB -IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtB1XYLhTAKjMVdoDm9XKjWWS -OjdjN5S5XHRBbhQXWS8zTVkJwmF1RTarHChb4wUCfg2Fnbg+deTxIVQHU+M4Kfia -PmeTf1A8dfA5f+F0Jj7nCi0b9Trft8yzlqv49pgKD0dHuWNYp1WZDlv8QbzpSG9r -rpJwJqqkaelCqI8R2qB5iA3VJbhyT6V6n43LYZZO7D2ct/0+K40QalA8ZWogGENh -5T+ik3VvrWQ5t/i0FIcTfyxpfBnX5hsBD0jtzT5RdBZTy8xk/VS2jInjQN9Rw7uw -ttqWMXRQPlAs0AG+eAGdkPvdniYt1Ro7DM8qg9jdkybzo2VQ99rpQwVEf7E3QwID -AQABoxcwFTATBgNVHSUEDDAKBggrBgEFBQcDAjANBgkqhkiG9w0BAQUFAAOCAQEA -A8QHccu1fSZrzopG17oxwYX6w2N9UqeJIblx2z9UIfCwc2ypwm6NIxdQzvp8CtIF -ReU/KQzpl4HLEXOrWQmweNA07KlmyEuuBH8OoI3x1s56SiJiTe7fIdfE2uAZVI1N -mcejNpgWRfrnecIwVLorm700pnD6pSdcOtuBKNl0P6edy/PgHj4i0buUAQni6PL+ -da2u6HtePOrApUgGrD9Ey6w77Pw/uOspP5HyVuXmBph5ArXIv+6x1zZz+jFnMh5M -n3iZr5feeIYqCmolYyXQez9CKWdLNtZiO6KBXhAVrOGDcyTd7U5aqnaMEziHjSSh -hNl160Mmr+fgY50K9bBAmw== ------END CERTIFICATE----- diff --git a/ansible/roles/docker_client/files/certs/swarm/key.pem b/ansible/roles/docker_client/files/certs/swarm/key.pem deleted file mode 100644 index af599240..00000000 --- a/ansible/roles/docker_client/files/certs/swarm/key.pem +++ /dev/null 
@@ -1,27 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEpAIBAAKCAQEAtB1XYLhTAKjMVdoDm9XKjWWSOjdjN5S5XHRBbhQXWS8zTVkJ -wmF1RTarHChb4wUCfg2Fnbg+deTxIVQHU+M4KfiaPmeTf1A8dfA5f+F0Jj7nCi0b -9Trft8yzlqv49pgKD0dHuWNYp1WZDlv8QbzpSG9rrpJwJqqkaelCqI8R2qB5iA3V -JbhyT6V6n43LYZZO7D2ct/0+K40QalA8ZWogGENh5T+ik3VvrWQ5t/i0FIcTfyxp -fBnX5hsBD0jtzT5RdBZTy8xk/VS2jInjQN9Rw7uwttqWMXRQPlAs0AG+eAGdkPvd -niYt1Ro7DM8qg9jdkybzo2VQ99rpQwVEf7E3QwIDAQABAoIBAB9M3gtr3NjHfMMK -oQfqzklmNlQxnedhzBiaB2jWyvvvrO2rJHwILbX6ex/oj5dTHozDUs4G36vjPlg5 -XxCf8vmwPzXLECHW0rr4JTXo+yNOWR42mp4yPgCV7Tuo5RoNb+oZzAgWkKh7wp5x -M9REvRGec0siHaVKkEnrhG8AdezVHcZ/taPxZ84woxavKXQWxEGAHZe8OlCng1Sb -Fi5UUzQY7bYnQg4Foseng4b7wB0Y3wUhaqtDB8fIUQGbh/J6WogAfalsDIT/oMEd -m1V2pMz9PWHcjaGwMI9JAyTTcRVFP1d+xGxC7e5xbBv42EzzbnccaRNUZR2cBiFU -hqa+5FECgYEA2QtZUMj6EL/1SMRFhMsx7gqYsv7090zWHquNjidi2HhMfuwWfy91 -m+SmYbA45Rr7h+HKTU0nsFL3eT3uZCYxQdVNxpdgtq/EmCAr/a0uwL3BSP9Bl1Oh -LZnWgrChspKWufi43Iunp3/KPKaX4DN9N9xSep6eGlhjZu049ZzY2KkCgYEA1HEp -wh3fRZXh145QBwl5QKopGl4/l/j+vST1MW+gKXj8INSXBxWxipy+8PJvHGRQrF1s -i1fuBIk5UPk9XxoQNSw2ohDvRHQtMxBP3Eq/6bTmUvfF9m6QQhnL8jwtuHzGm3gd -sV1+rYD02zCswNgVzKIyt9PbGKMsK1aGbMxJqAsCgYEAjJoMfwfi7uzbYgs7mb3k -F3en2fTODlIpN28c4WTkZKTxsRsRq8y73IRvwELfaJNlNG5xlkgQGOp2RIV5JEmV -iTc8DhVMYqxUp9PXi5sf+V4zky1AeV6EwDyzOLBh34OUvt7AKqcRsbFX+phVNLlG -OeSxTZvpgdmWczvjtUCpPRkCgYAVDPmUUJ11KbrtPx7S869eJv5XrIskpfmoCGd7 -dJIsSd7B6g7lFtM25v1Mptk3uQD9c2x0Ckx9ipNxYKEiMVT1z+HCAWeUIubvrmgb -bhTCNbi08/RbzOzif+fjou7s3wBXG3nlv1v0GVkp9xLHMSJH2rKn4IhPUqvnx3Ue -hsetrQKBgQCE3AXmfUMuwXhjF5MQpEQdXuVx+1Fj44YudHphrcvapDXAIvvx6G2B -wyxVJIHglK2feijsekH/i3kBHRDh0+0Y0zw+JTu4tjr3rLJv3BRofov0/LAdv53G -ulXyb9uTQ73uqmnGzpCre9LzUvVq/iIbFZYESJlceF66n74XpQdXnA== ------END RSA PRIVATE KEY----- diff --git a/ansible/roles/docker_client/scripts/genClientCert.sh b/ansible/roles/docker_client/scripts/genClientCert.sh new file mode 100755 index 00000000..61d8cec1 --- /dev/null +++ b/ansible/roles/docker_client/scripts/genClientCert.sh 
@@ -0,0 +1,50 @@ +#!/bin/bash + +if [[ $1 = '' ]]; then + echo 'script requires a client name' + exit 1 +fi +CLIENT=./files/certs/$1 + +if [[ $2 = '' ]]; then + echo 'script requires a client ip address' + exit 1 +fi + +mkdir $CLIENT + +# generate key for client +openssl genrsa -out "$CLIENT/key.pem" 2048 +chmod 400 "$CLIENT/key.pem" + +# generate CSR for client +openssl req \ + -subj '/CN=client' \ + -new \ + -key "$CLIENT/key.pem" \ + -out "$CLIENT/client.csr" + +chmod 400 "$CLIENT/client.csr" + +echo extendedKeyUsage=clientAuth,serverAuth > "$CLIENT/extfile.cnf" +echo subjectAltName=IP:$2,IP:127.0.0.1,DNS:localhost >> "$CLIENT/extfile.cnf" + +# generate cert for client +openssl x509 \ + -req \ + -days 365 \ + -sha256 \ + -in "$CLIENT/client.csr" \ + -CA ca.pem \ + -CAkey ca-key.pem \ + -CAcreateserial \ + -out "$CLIENT/cert.pem" \ + -extfile "$CLIENT/extfile.cnf" + +# set permissions for deploy +chmod 644 "$CLIENT/cert.pem" +chmod 644 "$CLIENT/key.pem" + +# cleanup files we do not need +rm $CLIENT/extfile.cnf +rm $CLIENT/client.csr diff --git a/ansible/roles/docker_client/tasks/main.yml b/ansible/roles/docker_client/tasks/main.yml index d3f68fc8..dd0f40e4 100644 --- a/ansible/roles/docker_client/tasks/main.yml +++ b/ansible/roles/docker_client/tasks/main.yml @@ -2,14 +2,14 @@ - name: create docker cert directory sudo: yes file: - path=/opt/ssl/docker + path=/opt/ssl/docker/{{ name }} state=directory - name: copy docker CA sudo: yes copy: src=certs/ca.pem - dest=/opt/ssl/docker + dest=/opt/ssl/docker/{{ name }} mode=0440 owner=root group=root @@ -18,7 +18,7 @@ sudo: yes copy: src=certs/{{ name }}/ - dest=/opt/ssl/docker + dest=/opt/ssl/docker/{{ name }} mode=0440 owner=root group=root diff --git a/ansible/swarm-manager.yml b/ansible/swarm-manager.yml index f27c45a4..ac6e7921 100644 --- a/ansible/swarm-manager.yml +++ b/ansible/swarm-manager.yml 
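Review bot: The script sets `chmod 400` on key.pem and then undoes it with `chmod 644 "$CLIENT/key.pem"` under "set permissions for deploy", leaving the private key world-readable inside the role's files directory, which, judging by the key.pem files added elsewhere in this series, is committed to git. The copy task in this same patch already applies `mode=0440` on the target, so the local file needs no widening; drop the 644 line and keep `chmod 400 "$CLIENT/key.pem"`. Two further points: `extendedKeyUsage=clientAuth,serverAuth` is written for every client, so any leaked client key can also stand in as a daemon, and serverAuth should be opt-in for the one component that terminates TLS; and without `set -euo pipefail` a failed `openssl x509` still exits 0 and leaves a half-built directory (`mkdir $CLIENT` is also unquoted).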
@@ -6,6 +6,5 @@ - "group_vars/alpha-swarm-manager.yml" roles: - { role: notify, tags: "notify" } - - { role: redis_key, tags: ["setup", "redis_key"] } - { role: docker_client, tags: "docker_client" } - { role: container_kill_start, tags: "deploy" } From 0969a7f874a0193d1f28222d691391268d9083ba Mon Sep 17 00:00:00 2001 From: AnandkumarPatel Date: Tue, 13 Oct 2015 12:23:06 -0700 Subject: [PATCH 06/12] add palantiri cert --- ansible/group_vars/alpha-api.yml | 2 +- ansible/group_vars/alpha-khronos.yml | 2 +- ansible/group_vars/alpha-palantiri.yml | 2 +- ansible/group_vars/alpha-workers.yml | 2 +- .../files/certs/palantiri/cert.pem | 21 +++++++++++++++ .../files/certs/palantiri/key.pem | 27 +++++++++++++++++++ .../files/certs/swarm-manager/ca.pem | 27 ------------------- 7 files changed, 52 insertions(+), 31 deletions(-) create mode 100644 ansible/roles/docker_client/files/certs/palantiri/cert.pem create mode 100644 ansible/roles/docker_client/files/certs/palantiri/key.pem delete mode 100755 ansible/roles/docker_client/files/certs/swarm-manager/ca.pem diff --git a/ansible/group_vars/alpha-api.yml b/ansible/group_vars/alpha-api.yml index e112f147..b6ea40ee 100644 --- a/ansible/group_vars/alpha-api.yml +++ b/ansible/group_vars/alpha-api.yml @@ -60,5 +60,5 @@ container_envs: > container_run_opts: > -d -P - -v /opt/ssl/docker:/etc/ssl/docker:ro + -v /opt/ssl/docker/{{ name }}:/etc/ssl/docker:ro {{ container_envs }} diff --git a/ansible/group_vars/alpha-khronos.yml b/ansible/group_vars/alpha-khronos.yml index dbbad7b0..f5e828e3 100644 --- a/ansible/group_vars/alpha-khronos.yml +++ b/ansible/group_vars/alpha-khronos.yml @@ -18,5 +18,5 @@ container_envs: > container_run_opts: > -d - -v /opt/ssl/docker:/etc/ssl/docker:ro + -v /opt/ssl/docker/{{ name }}:/etc/ssl/docker:ro {{container_envs}} diff --git a/ansible/group_vars/alpha-palantiri.yml b/ansible/group_vars/alpha-palantiri.yml index 07b1f1a3..1a8aec38 100644 --- a/ansible/group_vars/alpha-palantiri.yml 
+++ b/ansible/group_vars/alpha-palantiri.yml @@ -26,5 +26,5 @@ container_envs: > container_run_opts: > -d --restart=always - -v /opt/ssl/docker:/etc/ssl/docker:ro + -v /opt/ssl/docker/{{ name }}:/etc/ssl/docker:ro {{ container_envs }} diff --git a/ansible/group_vars/alpha-workers.yml b/ansible/group_vars/alpha-workers.yml index b4fbd7c9..a8ba2190 100644 --- a/ansible/group_vars/alpha-workers.yml +++ b/ansible/group_vars/alpha-workers.yml @@ -56,6 +56,6 @@ container_envs: > container_run_opts: > -d - -v /opt/ssl/docker:/etc/ssl/docker:ro + -v /opt/ssl/docker/{{ name }}:/etc/ssl/docker:ro --restart=always {{ container_envs }} diff --git a/ansible/roles/docker_client/files/certs/palantiri/cert.pem b/ansible/roles/docker_client/files/certs/palantiri/cert.pem new file mode 100644 index 00000000..4634c6b4 --- /dev/null +++ b/ansible/roles/docker_client/files/certs/palantiri/cert.pem 
@@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDaDCCAlCgAwIBAgIJALSmsYYWe2lHMA0GCSqGSIb3DQEBCwUAMIGQMQswCQYD +VQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNU2FuIEZyYW5j +aXNjbzERMA8GA1UEChMIUnVubmFibGUxDDAKBgNVBAsTA09wczESMBAGA1UEAxMJ +bG9jYWxob3N0MR8wHQYJKoZIhvcNAQkBFhBvcHNAcnVubmFibGUuY29tMB4XDTE1 +MTAxMzE5MjEzNVoXDTE2MTAxMjE5MjEzNVowETEPMA0GA1UEAxMGY2xpZW50MIIB +IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6Q+9XmQj8hgPzt4SWTFE5Bg8 +luxX15L3GdGrd4u8wyq49yuAQcHETp2uQzHtKrYXhRDqR2CNrBERMXUndHZLSDnU +91GWaYl9sfFHJm1q/GC+kAdvKReaOR80a+zZjponDU02lgji6Km9CD/f92wDF0HO +A4usSB1V7n06sBYE+VY0kyZDIfra07WnSG6FnQgsY38q7+UaNEy5NbA4jwo4VsWc +vl9prBAsi8GwRpIu6b1E+0puHauRSz48N0Xe8el4Vms1jV2agdCWD39Xif+1BvSt +DqEg09PgO4QKkDYpF/WAfc1+esekGC0OWRsdadR5fiJrb60aKI+pYIXky0ZxNwID +AQABo0MwQTAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwIAYDVR0RBBkw +F4cEChQBO4cEfwAAAYIJbG9jYWxob3N0MA0GCSqGSIb3DQEBCwUAA4IBAQA3yexj +BTKok47lq87ALPOMdbaTUXnzrFhalEZJAKLdiglh42EWIjS+rXkKaqUIh1iB9i/s +4AFqGLqJUh89LR8X27bYc2fpJxCsyVv/uQzGSD2MKsCpyVWuOmj1ro8jhqNzp+5R +CcK7Zht85a+PKGeIy5DGleFQYoVDvW1J9niMpbG0LdEIavJq1oibMZo0VfZtwBkD +BnMJsoDbBWiykPYvPEOnMTOB6k1CsxT2GU2hNhQV7YGrlk0QUCk4CbwRwScCFfy3 +QrqE7fpAjTmpVXqvmSke/hjKknvbfzXt92tGH85PxbUasmnqlSjYkqJxj/NaAJ50 +SSxD6qKqFNjF4Pdh +-----END CERTIFICATE----- diff --git a/ansible/roles/docker_client/files/certs/palantiri/key.pem b/ansible/roles/docker_client/files/certs/palantiri/key.pem new file mode 100644 index 00000000..64c9307b --- /dev/null +++ b/ansible/roles/docker_client/files/certs/palantiri/key.pem 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEA6Q+9XmQj8hgPzt4SWTFE5Bg8luxX15L3GdGrd4u8wyq49yuA +QcHETp2uQzHtKrYXhRDqR2CNrBERMXUndHZLSDnU91GWaYl9sfFHJm1q/GC+kAdv +KReaOR80a+zZjponDU02lgji6Km9CD/f92wDF0HOA4usSB1V7n06sBYE+VY0kyZD +Ifra07WnSG6FnQgsY38q7+UaNEy5NbA4jwo4VsWcvl9prBAsi8GwRpIu6b1E+0pu +HauRSz48N0Xe8el4Vms1jV2agdCWD39Xif+1BvStDqEg09PgO4QKkDYpF/WAfc1+ +esekGC0OWRsdadR5fiJrb60aKI+pYIXky0ZxNwIDAQABAoIBAQDBkB747DamdLF8 +YBfhF/hdcHux5Sy3kAnF2cuNB/OILE1eizSEaIe/u1nl2Ote08kI7RmGmnxPcgVT +jDdulGjF3bIwjgRcNqK8TOWI1stKPJdIS8RY3o9p7a6+DAJMW18fvwcc6Nh7361t +0o8SkRSoFjEh5Lj7U9HwtvUtFbyfzxEj6gtGKmQ0FJMVZhQ8CSsewJsoPYvm7n6F +1V3UF/2cH989yzVKaTCApDuXyR5Xq4ssTvqfkR/TNu7HHCdsbiRUIONAGHIGRdLl +9WoIwJXiS1s8Ju0xM2SpkbEDl6mFBQb2W136tvzs88kNQ1nIXNua6/3LCObXNvkQ +mGP0SBxhAoGBAPhusTUj0zje9/918meDMmGPPDuu2X61qY6BW0R7ITtEgvXvi6J9 +hk4dI1TnfoNCs1emrzpHcQlwGQowdkivjwmHTd+SgJTiss6MjwdPa/fXKbYR6Mx/ +18upP12B9yv4jqussGBt0GzQjxWszbB+LUSeJGasGZsh0XaAx09L5KEPAoGBAPAp +LuUSvOw1lgxjVzU4xEpmyfw4xg3zoAcPtTZn9W9StQ6vsuM3Fj0qokAJKcjnOtPx +XbxLpIlIxBdjEPNkFlgvWPn6nscvzLLT0wywVcswXsXGN7KSbDxRq/BMF1NNcb43 +OuDSplcCJ9MiySoA4+N2St3ylkMnJkWTiPHxOF1ZAoGAD5GIQ2dCVl8KtZSjoz8C +ikCaqrbTZHBn9sk+efUpaPhrKJRhcMZjA0QqMajsMbedW5HTi1hsygWfXBcbYoS1 +9wfmpmsc6benMvB2CiQ9BOQT9hf7Oc2NLXMmyGpbngLOlg2VZAWduSP8w4P3w+a0 +WYd7in+gfytIYB/D3cFIy5sCgYACWVTFFs7UPJ3wFxSmR5zb4W9+UQvW3RgmmYe7 +NX8YDKYKs7s7L7G+/WjC2ZQYC/LuWcEB83dzhEuusuBakRMK38OuBj6BUj1dTmcV +C7B7IUj8BDlNPNNkL6RP4F6mCO7g3mdsBYNs/G9pSEDRcVrJQcHvs8y2cW6VZaEE +RMi5WQKBgESB2zO/8yXLOdotbGLKaZnXbvzeL/giKXrWsq5R4WzsDXAor6L3yEoT +0nptlAPxP3pU4TJev3Ms4dKGzzCOEUjaUx8TW5X959bnmcy8UJeoPYWb7yKdCyuM +zl6TJ7tpDbjBoOKrDQzqmjvwOTEd/mb6ZllyHBxdZRsQzABLvE3x +-----END RSA PRIVATE KEY----- diff --git a/ansible/roles/docker_client/files/certs/swarm-manager/ca.pem b/ansible/roles/docker_client/files/certs/swarm-manager/ca.pem deleted file mode 100755 index 85f5c74f..00000000 --- a/ansible/roles/docker_client/files/certs/swarm-manager/ca.pem +++ /dev/null 
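Review bot: A second long-lived private key (palantiri) lands in the repository in this hunk, with the same problem as the swarm-manager key: it is a mutual-TLS credential for the Docker daemons and is now readable by anyone with access to the repo or its history. The paired certificate above carries the subject `CN=client`, identical to the swarm-manager certificate, so the daemon side cannot distinguish these identities from the certificate alone; giving each client its own CN (for example `-subj "/CN=$1"` in the generator) is what makes per-client revocation and log attribution possible. Rotate this key and store the replacement with ansible-vault or provision it on the host at deploy time.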
@@ -1,27 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIEnjCCA4agAwIBAgIJAK0JF0nQ7r9xMA0GCSqGSIb3DQEBCwUAMIGQMQswCQYD -VQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNU2FuIEZyYW5j -aXNjbzERMA8GA1UEChMIUnVubmFibGUxDDAKBgNVBAsTA09wczESMBAGA1UEAxMJ -bG9jYWxob3N0MR8wHQYJKoZIhvcNAQkBFhBvcHNAcnVubmFibGUuY29tMB4XDTE1 -MDUyMjIxNDY1MloXDTE2MDUyMTIxNDY1MlowgZAxCzAJBgNVBAYTAlVTMRMwEQYD -VQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2NvMREwDwYDVQQK -EwhSdW5uYWJsZTEMMAoGA1UECxMDT3BzMRIwEAYDVQQDEwlsb2NhbGhvc3QxHzAd -BgkqhkiG9w0BCQEWEG9wc0BydW5uYWJsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUA -A4IBDwAwggEKAoIBAQCkX4cwQDcimGvnJg0HBl+A9da0zpUjJJVPbba3A2wJ/S7l -gKlYID5TXNYpSAepdmmWO+NEXcNVPUYVhoBe4DWkJFc+lxtLPy0UOseZ+TvMac7i -Zp0k/GSLl3ASloDPfKsBlpOpM+OhWvl5jzAzSJ1l6dGcCEAXE6dhtEUgPMUzfAfl -bUuQ7ri8iMB67Ktix8FJCEpwczlKfebzmxw3VxwGiNQSGbbyIknuCk5eGbMVPtdY -DBl+5R7h0S0enXxYtPtL7CRKs0uHxm8Kmvvo2htSf9bdOSsjnFzQvZdBLrrQipN+ -i8m/ZOL8IOzV/Wfwqd7Zo3w3hUE8rzrBP0Ce0f0BAgMBAAGjgfgwgfUwHQYDVR0O -BBYEFKoY1K08hkkW4dt/bo0153ccq9sMMIHFBgNVHSMEgb0wgbqAFKoY1K08hkkW -4dt/bo0153ccq9sMoYGWpIGTMIGQMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2Fs -aWZvcm5pYTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzERMA8GA1UEChMIUnVubmFi -bGUxDDAKBgNVBAsTA09wczESMBAGA1UEAxMJbG9jYWxob3N0MR8wHQYJKoZIhvcN -AQkBFhBvcHNAcnVubmFibGUuY29tggkArQkXSdDuv3EwDAYDVR0TBAUwAwEB/zAN -BgkqhkiG9w0BAQsFAAOCAQEAl/wOczN+5etU9iYmhNs4RmKxY33SUnnKPZwD/bFM -gVEmHu3Gc2hFDJ/+c4BKULBB60j6K+J3In9iTZHzsUe+5HB1J1Wk5ecXMLc51xBs -+Tc3ZsX6PjSkwHWJyXlcdivmpd8O87vkjrLHg5kzeLL+bwkjGngWg/bbNGR4rGu3 -js//+b9GjSMK91lqRE2aegJyqguqDs0qoxGwzSOqlnSSjQze6YmpN9DWO9X7RGpE -8UswjBeI9DKBIjdzwfF3Zn3ay1ChAhTBnBQE5b2rgIhf6YBw1SP935gfWdbs9AKt -zBF55uLuWt0nBvXCJcHUBTFUnAfqiuQMZuVxBfXi4vuePg== ------END CERTIFICATE----- From 101352e960fc6fe001b2c488a62f9a9a4d4eae9e Mon Sep 17 00:00:00 2001 
From: AnandkumarPatel Date: Tue, 13 Oct 2015 12:29:15 -0700 Subject: [PATCH 07/12] fix some added nits --- ansible/certs/scripts/genClientCert.sh | 3 -- ansible/group_vars/alpha-swarm-slave.yml | 12 ----- .../roles/builder/templates/consul/Dockerfile | 54 ------------------- ansible/roles/docker_client/README.md | 5 +- package.json | 2 +- 5 files changed, 2 insertions(+), 74 deletions(-) delete mode 100644 ansible/group_vars/alpha-swarm-slave.yml delete mode 100644 ansible/roles/builder/templates/consul/Dockerfile diff --git a/ansible/certs/scripts/genClientCert.sh b/ansible/certs/scripts/genClientCert.sh index d8389fd0..b1ed4ad2 100755 --- a/ansible/certs/scripts/genClientCert.sh +++ b/ansible/certs/scripts/genClientCert.sh @@ -32,6 +32,3 @@ openssl x509 \ -extfile "$CLIENT-extfile.cnf" chmod 400 "$CLIENT-cert.pem" -# cleanup files we do not need -rm $CLIENT-extfile.cnf -rm $CLIENT-client.csr \ No newline at end of file diff --git a/ansible/group_vars/alpha-swarm-slave.yml b/ansible/group_vars/alpha-swarm-slave.yml deleted file mode 100644 index 228f5d73..00000000 --- a/ansible/group_vars/alpha-swarm-slave.yml +++ /dev/null @@ -1,12 +0,0 @@ -name: "swarm" - -# container_kill_start settings -container_image: swarm -container_tag: latest -container_run_opts: > - -d - -container_run_args: > - join - --addr={{ ansible_default_ipv4.address }}:{{ docker_port }} - token://{{ swarm_token }} diff --git a/ansible/roles/builder/templates/consul/Dockerfile b/ansible/roles/builder/templates/consul/Dockerfile deleted file mode 100644 index 43ba49c6..00000000 --- a/ansible/roles/builder/templates/consul/Dockerfile +++ /dev/null 
@@ -1,54 +0,0 @@
-FROM registry.runnable.com/runnable/{{ base_dockerfile }}:latest
-
-# Copied from https://hub.docker.com/r/progrium/consul/~/dockerfile/
-ADD https://dl.bintray.com/mitchellh/consul/0.5.2_linux_amd64.zip /tmp/consul.zip
-RUN cd /bin && unzip /tmp/consul.zip && chmod +x /bin/consul && rm /tmp/consul.zip
-
-ADD https://dl.bintray.com/mitchellh/consul/0.5.2_web_ui.zip /tmp/webui.zip
-RUN cd /tmp && unzip /tmp/webui.zip && mv dist /ui && rm /tmp/webui.zip
-
-ADD ./config /config/
-
-ADD ./check-http /bin/check-http
-ADD ./check-cmd /bin/check-cmd
-
-EXPOSE 8300 8301 8301/udp 8302 8302/udp 8400 8500
-VOLUME ["/data"]
-
-ENV SHELL /bin/bash
-# end copy
-
-{% if hosted_ports is defined %}
-# Expose port to Host
-EXPOSE {% for hosted_port in hosted_ports %}{{ hosted_port }} {% endfor %}
-{% endif %}
-
-{% if dockerfile_enviroment is defined %}
-# Envs
-{% for env in dockerfile_enviroment %}
-ENV {{ env }}
-{% endfor %}
-{% endif %}
-
-# setup node and npm versions
-RUN n {{ node_version }} && npm install -g npm@{{ npm_version }}
-
-# Download Repo
-RUN git clone -b {{ git_branch }} --single-branch {{ repo }} /{{ name }}
-
-WORKDIR /{{ name }}
-{% if dockerfile_pre_install_commands is defined %}
-{% for command in dockerfile_pre_install_commands %}
-RUN {{ command }}
-{% endfor %}
-{% endif %}
-
-RUN npm install --production
-
-{% if dockerfile_post_install_commands is defined %}
-{% for command in dockerfile_post_install_commands %}
-RUN {{ command }}
-{% endfor %}
-{% endif %}
-
-ENTRYPOINT ["/bin/consul", "agent", "-config-dir=/config"]
diff --git a/ansible/roles/docker_client/README.md b/ansible/roles/docker_client/README.md
index 7d3dce74..3b95b530 100644
--- a/ansible/roles/docker_client/README.md
+++ b/ansible/roles/docker_client/README.md
@@ -7,10 +7,7 @@ Ansible Role to Install Docker Client Certs on Ubuntu Creating new docker client certs: 1. cd into this dir ```cd ``` 2. ensure you have ca-key.pem here `roles/docker_client/ca-key.pem` -3. run cert generator `sudo ./scripts/genClientCert.sh` -4. output files we want are `-key.pem` and `-cert.pem` -5. create folder for these new certs based on app name ```mkdir ``` -6. move keys into folder ```mv ./-key.pem .//key.pem && mv ./-cert.pem .//cert.pem``` +3. run cert generator ```sudo ./scripts/genClientCert.sh ``` ## Author Information diff --git a/package.json b/package.json index 7bfa6e55..eafec232 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "devops-scripts", - "version": "0.0.1", + "version": "0.0.0", "description": "devops-scripts ==============", "main": "index.js", "directories": { From 403c02ce896f524a4f849bc81c8d14059d42e5cb Mon Sep 17 00:00:00 2001 From: AnandkumarPatel Date: Tue, 13 Oct 2015 13:54:45 -0700 Subject: [PATCH 08/12] move docker-listener cert path --- ansible/group_vars/alpha-docker-listener.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible/group_vars/alpha-docker-listener.yml b/ansible/group_vars/alpha-docker-listener.yml index 79cfc5e1..aa2360d8 100644 --- a/ansible/group_vars/alpha-docker-listener.yml +++ b/ansible/group_vars/alpha-docker-listener.yml @@ -8,7 +8,7 @@ redis_host: "{{ hostvars[groups['redis'][0]]['ansible_default_ipv4']['address'] redis_port: 6379 enviroment_vars: - DOCKER_CERT_PATH: "/opt/ssl/docker" + DOCKER_CERT_PATH: "/opt/ssl/docker/{{ name }}" HOST_TAGS: "{{ host_tags | default('default') }}" LOGGLY_TOKEN: "{{ loggly_token }}" RABBITMQ_HOSTNAME: "{% if rabbit_host is defined %}{{ rabbit_host }}{% else %}{{ hostvars[groups['rabbitmq'][0]]['ansible_default_ipv4']['address'] }}{% endif %}" From d3cec5989cc62cd7c1fb918ccc24b000fd246d4f Mon Sep 17 00:00:00 2001 
From: AnandkumarPatel Date: Tue, 13 Oct 2015 14:29:58 -0700 Subject: [PATCH 09/12] restart always --- ansible/group_vars/alpha-swarm-manager.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/ansible/group_vars/alpha-swarm-manager.yml b/ansible/group_vars/alpha-swarm-manager.yml index d657bf58..c7829c1a 100644 --- a/ansible/group_vars/alpha-swarm-manager.yml +++ b/ansible/group_vars/alpha-swarm-manager.yml @@ -11,6 +11,7 @@ container_run_opts: > -d -p {{ swarm_master_port }}:2375 -v /opt/ssl/docker/{{ name }}:/etc/ssl/docker:ro + --restart=always container_run_args: > manage From 55eb0834abdece1a3cbf13f41f78e964b0c3cce7 Mon Sep 17 00:00:00 2001 From: AnandkumarPatel Date: Tue, 13 Oct 2015 14:32:02 -0700 Subject: [PATCH 10/12] remove redis, no longer publish --- ansible/swarm-manager.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/ansible/swarm-manager.yml b/ansible/swarm-manager.yml index ac6e7921..7dc1dcbc 100644 --- a/ansible/swarm-manager.yml +++ b/ansible/swarm-manager.yml @@ -1,6 +1,4 @@ --- -- hosts: redis - - hosts: swarm vars_files: - "group_vars/alpha-swarm-manager.yml" From 7a60ee8c1732bae6d5666c857b0d3211e1ffd3a5 Mon Sep 17 00:00:00 2001 From: AnandkumarPatel Date: Tue, 13 Oct 2015 14:38:46 -0700 Subject: [PATCH 11/12] rename hosts to swarm-manager --- ansible/beta-hosts/hosts | 4 ++-- ansible/prod-hosts/hosts | 4 ++-- ansible/swarm-manager.yml | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/ansible/beta-hosts/hosts b/ansible/beta-hosts/hosts index b3d3fad5..852cc540 100644 --- a/ansible/beta-hosts/hosts +++ b/ansible/beta-hosts/hosts @@ -65,7 +65,7 @@ beta-services [registry] beta-registry -[swarm] +[swarm-manager] beta-services [docks] @@ -89,7 +89,7 @@ optimus rabbitmq eru shiva -swarm +swarm-manager [targets] localhost ansible_connection=local bastion_name=beta-bastion diff --git a/ansible/prod-hosts/hosts b/ansible/prod-hosts/hosts index 5b27ba42..0f84a384 100644 --- a/ansible/prod-hosts/hosts 
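Review bot: The manager port is published with `-p {{ swarm_master_port }}:2375` on the line just above the added `--restart=always`, which binds on every host interface, and the `--tlsverify` and certificate arguments that would gate that port sit in container_run_args below the hunk, so I cannot confirm from here that they are populated. If the manager only needs to be reachable from the private network, bind it explicitly, e.g. `-p {{ ansible_default_ipv4.address }}:{{ swarm_master_port }}:2375`, and have the playbook assert the TLS paths are non-empty before starting the container. The container_run_opts block continues past the end of the hunk.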
+++ b/ansible/prod-hosts/hosts @@ -71,7 +71,7 @@ alpha-registry [shiva] alpha-api-old -[swarm] +[swarm-manager] alpha-api-old [docks] @@ -97,7 +97,7 @@ detention hubot eru shiva -swarm +swarm-manager [targets] localhost ansible_connection=local bastion_name=alpha-bastion diff --git a/ansible/swarm-manager.yml b/ansible/swarm-manager.yml index 7dc1dcbc..22ac2c01 100644 --- a/ansible/swarm-manager.yml +++ b/ansible/swarm-manager.yml @@ -1,5 +1,5 @@ --- -- hosts: swarm +- hosts: swarm-manager vars_files: - "group_vars/alpha-swarm-manager.yml" roles: From e0c3c02c114063a11a73cf28ee5d6ff4fb4f6e10 Mon Sep 17 00:00:00 2001 From: AnandkumarPatel Date: Tue, 13 Oct 2015 16:56:06 -0700 Subject: [PATCH 12/12] revert dock template --- ansible/roles/docker/templates/docks | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/ansible/roles/docker/templates/docks b/ansible/roles/docker/templates/docks index e5bc05c2..9d8b82e0 100644 --- a/ansible/roles/docker/templates/docks +++ b/ansible/roles/docker/templates/docks @@ -1,5 +1,5 @@ -DOCKER_OPTS="-H=unix:///var/run/docker.sock -H=0.0.0.0:{{ docker_port }}" -DOCKER_OPTS="$DOCKER_OPTS --tlsverify --tlscacert={{ docker_ca_path }}" -DOCKER_OPTS="$DOCKER_OPTS --tlscert={{ docker_cert_path }} --tlskey={{ docker_key_path }}" +DOCKER_OPTS="-H=unix:///var/run/docker.sock -H=0.0.0.0:4242" +DOCKER_OPTS="$DOCKER_OPTS --tlsverify --tlscacert=/etc/ssl/docker/ca.pem" +DOCKER_OPTS="$DOCKER_OPTS --tlscert=/etc/ssl/docker/cert.pem --tlskey=/etc/ssl/docker/key.pem" DOCKER_OPTS="$DOCKER_OPTS -g /docker --insecure-registry registry.runnable.com --icc=false" -DOCKER_OPTS="$DOCKER_OPTS --dns=172.17.42.1 --dns=8.8.8.8" +DOCKER_OPTS="$DOCKER_OPTS --dns={{ charon_host | default(hostvars[groups['charon'][0]]['ansible_default_ipv4']['address'])}} --dns=8.8.8.8"
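Review bot: The reverted template keeps `--insecure-registry registry.runnable.com` on the daemon command line, so every dock pulls its images from that registry over plain HTTP or without certificate verification, and an on-path attacker can substitute layers for whatever runs on the docks. If the registry can present a certificate the docks trust, drop the flag and install that CA under `/etc/docker/certs.d/registry.runnable.com/ca.crt`; if it cannot, restrict registry access to the private network and note the residual risk next to the flag. Separately, hard-coding `-H=0.0.0.0:4242` and the `/etc/ssl/docker/*.pem` paths means this template and the inventory variables can drift silently, so if the revert is deliberate a comment such as `# port and cert paths intentionally fixed; keep in sync with docker_port in the inventory` would help the next reader.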