forked from Normation/rudder
Commit
Showing 18 changed files with 265 additions and 140 deletions.
6 files renamed without changes.
@@ -0,0 +1,61 @@ | ||
= relay | ||
|
||
== Goals | ||
|
||
We want to be able to | ||
|
||
== Summary | ||
|
||
These containers provide a full Rudder relay running in unprivileged | ||
read-only containers. | ||
|
||
Each service runs in its own read-only container. | ||
|
||
The relay is almost stateless and the only data that needs to be persisted is: | ||
|
||
* Agent id and key pair | ||
* HTTP server key pair | ||
|
||
Everything else can be rebuilt dynamically. | ||
|
||
A lot of config files are actually data files, and need to be updated dynamically. | ||
|
||
== Images | ||
|
||
Images are currently based on CentOS 8 and install Rudder 6.1 using rudder-setup. | ||
|
||
We use the standard packages (after disabling service management to allow | ||
packaging scripts calls to systemctl to succeed). | ||
|
||
The `cf-execd` container is a bit different as it synchronizes the policies | ||
from the server and shares some of them with the other containers. | ||
|
||
== Agent | ||
|
||
An agent is required to run a relay. | ||
|
||
== Run a relay | ||
|
||
We provide a docker-compose configuration example. | ||
|
||
You need to modify the policy_server.dat file to set the right policy server. | ||
|
||
---- | ||
docker-compose up | ||
---- | ||
|
||
== Limitations | ||
|
||
No remote-run for now. | ||
|
||
We need to give read access to the cf-serverd container. | ||
|
||
== TODO | ||
|
||
* [ ] See to configure policy server (inside or outside of the container?) | ||
* [ ] Upgrade procedure | ||
* [ ] Exposed and redirected ports | ||
* [ ] Reload reload | ||
|
||
|
||
Contraintes pour l'update : les volumes ne doivent pas contenir de trucs à mettre à jour |
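Review bot: the `== Goals` section is unfinished ("We want to be able to" stops mid-sentence) and the last line is untranslated French ("Contraintes pour l'update : les volumes ne doivent pas contenir de trucs à mettre à jour", i.e. constraint for updates: the volumes must not contain anything that needs updating); both should be completed in English before merge, and the update constraint belongs under `== Limitations` or the upgrade TODO rather than dangling after the list. The bigger gap is security-relevant: the summary says the only persisted state is the agent id and key pair and the HTTP server key pair, but nothing says where those secrets come from on first start, how they are backed up, or that only the containers that need a given key pair should see it; a reader following `docker-compose up` needs that before running a relay that other nodes will trust. "We need to give read access to the cf-serverd container" should say read access to what, and why that is a limitation. Minor: "Reload reload" in the TODO list reads like a typo, and the summary describes the containers as "unprivileged" while the compose file in this same commit only sets `read_only: true` and no `user:`; if the Dockerfiles drop root, say so here, otherwise drop the word.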
@@ -1,61 +1,111 @@ | ||
version: "2" | ||
version: '2' | ||
services: | ||
cf_execd: | ||
read_only: true | ||
build: | ||
context: . | ||
dockerfile: cf-execd.Dockerfile | ||
volumes: | ||
- cfengine_community:/var/rudder/cfengine-community/ | ||
- uuid_keys:/data | ||
- ncf:/var/rudder/ncf | ||
- shared:/var/rudder/share | ||
- secure_httpd:/opt/rudder/etc/ssl/ | ||
- httpd_conf:/apache_conf_file | ||
- relay_conf:/opt/rudder/etc/relayd | ||
- nodelist:/var/rudder/lib/relay/ | ||
tmpfs: | ||
- /var/rudder/tmp | ||
- /var/backup/rudder | ||
- /opt/rudder/var/fusioninventory | ||
- /var/rudder/inventories | ||
external_links: | ||
- server | ||
cf_serverd: | ||
read_only: true | ||
build: | ||
context: . | ||
dockerfile: cf-serverd.Dockerfile | ||
volumes: | ||
- cfengine_community:/var/rudder/cfengine-community/ | ||
- uuid_keys:/data:ro | ||
- ncf:/var/rudder/ncf:ro | ||
- shared:/var/rudder/share:ro | ||
relay: | ||
read_only: true | ||
build: | ||
context: . | ||
dockerfile: relay.Dockerfile | ||
volumes: | ||
- nodelist:/var/rudder/lib/relay:ro | ||
- relay_conf:/opt/rudder/etc/relayd:ro | ||
tmpfs: | ||
- /var/rudder/reports | ||
- /var/rudder/inventories | ||
httpd: | ||
build: | ||
context: . | ||
dockerfile: httpd.Dockerfile | ||
volumes: | ||
- httpd_conf:/apache_conf_file:ro | ||
- secure_httpd:/opt/rudder/etc/ssl:ro | ||
cf_execd: | ||
hostname: 'relay' | ||
read_only: true | ||
build: | ||
context: . | ||
dockerfile: cf-execd.Dockerfile | ||
volumes: | ||
- 'agent_state:/var/rudder/cfengine-community/' | ||
- 'agent_certs:/agent_certs' | ||
- 'node_id:/node_id' | ||
|
||
- 'policies_lib:/var/rudder/ncf' | ||
- 'policies_src_lib:/usr/share/ncf/tree' | ||
- 'policies_loc_lib:/var/rudder/configuration-repository/ncf' | ||
- 'policies:/var/rudder/share' | ||
|
||
- 'httpd_certs:/opt/rudder/etc/ssl/' | ||
- 'httpd_conf:/httpd_conf' | ||
|
||
- 'relayd_conf:/opt/rudder/etc/relayd' | ||
- 'relayd_nodelist:/var/rudder/lib/relay/' | ||
- 'relayd_certs:/var/rudder/lib/ssl/' | ||
tmpfs: | ||
- /var/rudder/tmp | ||
- /var/rudder/modified-files | ||
- /var/backup/rudder | ||
- /opt/rudder/var/fusioninventory | ||
- /var/rudder/inventories | ||
- /var/rudder/reports | ||
- /tmp | ||
- /etc/cron.d | ||
- /etc/logrotate.d | ||
- /var/log | ||
cf_serverd: | ||
read_only: true | ||
build: | ||
context: . | ||
dockerfile: cf-serverd.Dockerfile | ||
ports: | ||
- "5309:5309" | ||
volumes_from: | ||
# same as cf-execd to allow remote run | ||
- 'cf_execd' | ||
tmpfs: | ||
# same as cf-execd to allow remote run | ||
- /var/rudder/tmp | ||
- /var/rudder/modified-files | ||
- /var/backup/rudder | ||
- /opt/rudder/var/fusioninventory | ||
- /var/rudder/inventories | ||
- /var/rudder/reports | ||
- /tmp | ||
- /etc/cron.d | ||
- /etc/logrotate.d | ||
- /var/log | ||
relayd: | ||
read_only: true | ||
build: | ||
context: . | ||
dockerfile: relayd.Dockerfile | ||
ports: | ||
# remove? | ||
- "127.0.0.1:3030:3030" | ||
volumes: | ||
- 'relayd_nodelist:/var/rudder/lib/relay:ro' | ||
- 'relayd_certs:/var/rudder/lib/ssl:ro' | ||
- 'relayd_conf:/opt/rudder/etc/relayd:ro' | ||
- 'inventories:/var/rudder/inventories' | ||
tmpfs: | ||
- /var/rudder/reports | ||
- /var/rudder/inventories | ||
httpd: | ||
read_only: true | ||
build: | ||
context: . | ||
dockerfile: httpd.Dockerfile | ||
ports: | ||
- "443:443" | ||
volumes: | ||
- 'httpd_conf:/httpd_conf:ro' | ||
- 'httpd_certs:/opt/rudder/etc/ssl:ro' | ||
- 'node_id:/node_id:ro' | ||
# windows policies | ||
- 'policies:/var/rudder/share:ro' | ||
- 'inventories:/var/rudder/inventories' | ||
tmpfs: | ||
- /var/log/httpd | ||
- /var/log/rudder/apache2 | ||
- /run/httpd | ||
# /tmp/davlock.db | ||
- /tmp | ||
volumes: | ||
cfengine_community: | ||
uuid_keys: | ||
ncf: | ||
shared: | ||
secure_httpd: | ||
httpd_conf: | ||
nodelist: | ||
relay_conf: | ||
agent_state: | ||
agent_certs: | ||
node_id: | ||
|
||
policies_lib: | ||
policies_src_lib: | ||
policies_loc_lib: | ||
policies: | ||
|
||
inventories: | ||
|
||
httpd_certs: | ||
httpd_conf: | ||
|
||
relayd_nodelist: | ||
relayd_certs: | ||
relayd_conf: |
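Review bot: `cf_serverd` now uses `volumes_from: cf_execd`, which inherits every cf_execd mount read-write, including `agent_certs`, `node_id`, `httpd_certs`, `httpd_conf`, `relayd_conf` and `relayd_certs`; the version being replaced gave that container only `uuid_keys`, `ncf` and `shared`, all `:ro`. cf_serverd is also the one service published on all interfaces (`"5309:5309"`), so the network-facing daemon now has write access to the relay's key material and to the config files consumed by httpd and relayd. If remote run only needs the agent state and policy volumes, list those explicitly (with `:ro` wherever cf-serverd only reads), the way `relayd` and `httpd` declare their mounts, and keep the certificate and config volumes out of it. Two smaller points: the `# remove?` on `"127.0.0.1:3030:3030"` should be settled before merge (loopback-only is the right default if httpd fronts relayd on 443); and `inventories` is mounted read-write into both `relayd` and `httpd`, which is fine if that is the hand-off path, but a one-line comment saying so, like the one on `policies`, would save the next reader from guessing.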