forked from Normation/rudder
Commit
Showing 20 changed files with 304 additions and 156 deletions.
Six files renamed without changes.
@@ -0,0 +1,67 @@ | ||
= relay | ||
|
||
== Goals | ||
|
||
We want to be able to | ||
|
||
== Summary | ||
|
||
These containers provide a full Rudder relay running in unprivileged | ||
read-only containers. | ||
|
||
Each service runs in its own read-only container. | ||
|
||
The relay is almost stateless and the only data that needs to be persisted is: | ||
|
||
* Agent id and key pair | ||
* HTTP server key pair | ||
|
||
Everything else can be rebuilt dynamically. | ||
|
||
A lot of config files are actually data files, and need to be updated dynamically. | ||
|
||
== Images | ||
|
||
Images are currently based on CentOS 8 and install Rudder 6.1 using rudder-setup. | ||
|
||
We use the standard packages (after disabling service management to allow | ||
packaging scripts calls to systemctl to succeed). | ||
|
||
The `cf-execd` container is a bit different as it synchronizes the policies | ||
from the server and shares some of them with the other containers. | ||
|
||
== Agent | ||
|
||
An agent is required to run a relay. | ||
|
||
== Run a relay | ||
|
||
We provide a docker-compose configuration example. | ||
|
||
You need to modify the policy_server.dat file to set the right policy server. | ||
|
||
---- | ||
docker-compose up | ||
---- | ||
|
||
== Limitations | ||
|
||
|
||
|
||
|
||
== TODO | ||
|
||
* [ ] See where to configure policy server (inside or outside of the containers?) | ||
* [ ] Upgrade procedure | ||
* [ ] Expose relayd HTTP API | ||
* [ ] Fix the things not working in remote-run | ||
* [ ] Find why some things are broken in remote-run | ||
* [ ] Fix random start error in cf-server (with `Undefined bundle` messages) | ||
|
||
|
||
httpd n'a pas le meme id que cf-execd | ||
|
||
|
||
|
||
|
||
Contraintes pour l'update : les volumes ne doivent pas contenir de trucs à mettre à jour |
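Review bot: the "== Goals" section is cut off mid-sentence ("We want to be able to") and "== Limitations" is empty; both should be completed or dropped before this README is merged, and the two French scratch lines at the bottom ("httpd n'a pas le meme id que cf-execd", i.e. httpd does not have the same id as cf-execd, and "Contraintes pour l'update : les volumes ne doivent pas contenir de trucs à mettre à jour", i.e. update constraint: volumes must not contain things that need upgrading) belong, in English, under "== TODO" or "== Limitations". The uid mismatch between httpd and cf-execd is worth stating explicitly as a limitation, since httpd reads node_id, policies and httpd_certs from volumes populated by cf-execd and the file modes on those volumes decide whether the HTTP server can read its own key pair. The "Summary" claim that only the agent key pair and the HTTP server key pair need persisting is also narrower than the compose file in this commit, which adds a persistent relayd_certs volume; the list should mention the relayd certificates too.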
@@ -1,61 +1,111 @@ | ||
version: "2" | ||
version: '2' | ||
services: | ||
cf_execd: | ||
read_only: true | ||
build: | ||
context: . | ||
dockerfile: cf-execd.Dockerfile | ||
volumes: | ||
- cfengine_community:/var/rudder/cfengine-community/ | ||
- uuid_keys:/data | ||
- ncf:/var/rudder/ncf | ||
- shared:/var/rudder/share | ||
- secure_httpd:/opt/rudder/etc/ssl/ | ||
- httpd_conf:/apache_conf_file | ||
- relay_conf:/opt/rudder/etc/relayd | ||
- nodelist:/var/rudder/lib/relay/ | ||
tmpfs: | ||
- /var/rudder/tmp | ||
- /var/backup/rudder | ||
- /opt/rudder/var/fusioninventory | ||
- /var/rudder/inventories | ||
external_links: | ||
- server | ||
cf_serverd: | ||
read_only: true | ||
build: | ||
context: . | ||
dockerfile: cf-serverd.Dockerfile | ||
volumes: | ||
- cfengine_community:/var/rudder/cfengine-community/ | ||
- uuid_keys:/data:ro | ||
- ncf:/var/rudder/ncf:ro | ||
- shared:/var/rudder/share:ro | ||
relay: | ||
read_only: true | ||
build: | ||
context: . | ||
dockerfile: relay.Dockerfile | ||
volumes: | ||
- nodelist:/var/rudder/lib/relay:ro | ||
- relay_conf:/opt/rudder/etc/relayd:ro | ||
tmpfs: | ||
- /var/rudder/reports | ||
- /var/rudder/inventories | ||
httpd: | ||
build: | ||
context: . | ||
dockerfile: httpd.Dockerfile | ||
volumes: | ||
- httpd_conf:/apache_conf_file:ro | ||
- secure_httpd:/opt/rudder/etc/ssl:ro | ||
cf_execd: | ||
hostname: 'relay' | ||
read_only: true | ||
build: | ||
context: . | ||
dockerfile: cf-execd.Dockerfile | ||
volumes: | ||
- 'agent_state:/var/rudder/cfengine-community/' | ||
- 'agent_certs:/agent_certs' | ||
- 'node_id:/node_id' | ||
|
||
- 'policies_lib:/var/rudder/ncf' | ||
- 'policies_src_lib:/usr/share/ncf/tree' | ||
- 'policies_loc_lib:/var/rudder/configuration-repository/ncf' | ||
- 'policies:/var/rudder/share' | ||
|
||
- 'httpd_certs:/opt/rudder/etc/ssl/' | ||
- 'httpd_conf:/httpd_conf' | ||
|
||
- 'relayd_conf:/opt/rudder/etc/relayd' | ||
- 'relayd_nodelist:/var/rudder/lib/relay/' | ||
- 'relayd_certs:/var/rudder/lib/ssl/' | ||
tmpfs: | ||
- /var/rudder/tmp | ||
- /var/rudder/modified-files | ||
- /var/backup/rudder | ||
- /opt/rudder/var/fusioninventory | ||
- /var/rudder/inventories | ||
- /var/rudder/reports | ||
- /tmp | ||
- /etc/cron.d | ||
- /etc/logrotate.d | ||
- /var/log | ||
cf_serverd: | ||
read_only: true | ||
build: | ||
context: . | ||
dockerfile: cf-serverd.Dockerfile | ||
ports: | ||
- "5309:5309" | ||
volumes_from: | ||
# same as cf-execd to allow remote run | ||
- 'cf_execd' | ||
tmpfs: | ||
# same as cf-execd to allow remote run | ||
- /var/rudder/tmp | ||
- /var/rudder/modified-files | ||
- /var/backup/rudder | ||
- /opt/rudder/var/fusioninventory | ||
- /var/rudder/inventories | ||
- /var/rudder/reports | ||
- /tmp | ||
- /etc/cron.d | ||
- /etc/logrotate.d | ||
- /var/log | ||
relayd: | ||
read_only: true | ||
build: | ||
context: . | ||
dockerfile: relayd.Dockerfile | ||
ports: | ||
# remove? | ||
- "127.0.0.1:3030:3030" | ||
volumes: | ||
- 'relayd_nodelist:/var/rudder/lib/relay:ro' | ||
- 'relayd_certs:/var/rudder/lib/ssl:ro' | ||
- 'relayd_conf:/opt/rudder/etc/relayd:ro' | ||
- 'inventories:/var/rudder/inventories' | ||
- 'reports:/var/rudder/reports' | ||
httpd: | ||
read_only: true | ||
build: | ||
context: . | ||
dockerfile: httpd.Dockerfile | ||
ports: | ||
- "443:443" | ||
volumes: | ||
- 'httpd_conf:/httpd_conf:ro' | ||
- 'httpd_certs:/opt/rudder/etc/ssl:ro' | ||
- 'node_id:/node_id:ro' | ||
# windows policies | ||
- 'policies:/var/rudder/share:ro' | ||
- 'inventories:/var/rudder/inventories' | ||
- 'reports:/var/rudder/reports' | ||
tmpfs: | ||
- /var/log/httpd | ||
- /var/log/rudder/apache2 | ||
- /run/httpd | ||
# /tmp/davlock.db | ||
- /tmp | ||
volumes: | ||
cfengine_community: | ||
uuid_keys: | ||
ncf: | ||
shared: | ||
secure_httpd: | ||
httpd_conf: | ||
nodelist: | ||
relay_conf: | ||
agent_state: | ||
agent_certs: | ||
node_id: | ||
|
||
policies_lib: | ||
policies_src_lib: | ||
policies_loc_lib: | ||
policies: | ||
|
||
inventories: | ||
reports: | ||
|
||
httpd_certs: | ||
httpd_conf: | ||
|
||
relayd_nodelist: | ||
relayd_certs: | ||
relayd_conf: |
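Review bot: the `volumes_from: - 'cf_execd'` on `cf_serverd` widens its access compared to the previous explicit `:ro` mounts of uuid_keys, ncf and shared: it now gets read-write access to every cf_execd volume, including agent_certs, node_id, httpd_certs, relayd_certs, httpd_conf and relayd_conf, and cf_serverd is the service published on port 5309. Please replace it with explicit mounts and keep everything `:ro` except the paths remote-run actually needs to write (the "same as cf-execd to allow remote run" comment should name which paths those are). Two smaller points: the `# remove?` on `"127.0.0.1:3030:3030"` should be resolved before merge (binding to loopback is the safe choice if httpd reaches relayd over the compose network, but the TODO "Expose relayd HTTP API" suggests the intent is still open), and putting `/var/log` on tmpfs for cf_execd and cf_serverd means agent and server logs vanish on every restart, so a persistent log volume or a logging driver should be configured if these logs are needed for troubleshooting or incident review. Adding `read_only: true` and tmpfs mounts to `httpd` is a good change.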