forked from Normation/rudder
Showing 18 changed files with 200 additions and 126 deletions.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
@@ -0,0 +1,51 @@ | ||
= relay | ||
|
||
== Goals | ||
|
||
We want to be able to | ||
|
||
== Summary | ||
|
||
These containers provide a full Rudder relay running in unprivileged | ||
read-only containers. | ||
|
||
Each service runs in its own read-only container. | ||
|
||
The relay is almost stateless and the only data that needs to be persisted is: | ||
|
||
* Agent id and key pair | ||
* HTTP server key pair | ||
|
||
Everything else can be rebuilt dynamically. | ||
|
||
== Images | ||
|
||
Images are currently based on CentOS 8 and install Rudder 6.1 using rudder-setup. | ||
|
||
We use the standard packages (after disabling service management to allow | ||
packaging scripts calls to systemctl to succeed). | ||
|
||
The `cf-execd` container is a bit different as it synchronizes the policies | ||
from the server and shares some of them with the other containers. | ||
|
||
== Agent | ||
|
||
An agent is required to run a relay. | ||
|
||
== Run a relay | ||
|
||
We provide a docker-compose configuration example. | ||
|
||
You need to modify the policy_server.dat file to set the right policy server. | ||
|
||
---- | ||
docker-compose up | ||
---- | ||
|
||
== TODO | ||
|
||
* [ ] See to configure policy server (inside or outside of the container?) | ||
* [ ] | ||
|
||
|
||
Contraintes pour l'update : les volumes ne doivent pas contenir de trucs à mettre à jour |
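Review bot: The persistence list under `== Summary` (agent id and key pair, HTTP server key pair) is incomplete against the compose file in this same commit, which also keeps `relayd_certs` in a named volume; list the relayd certificates as state to persist too, or state why they can be regenerated. The `== Goals` section stops mid-sentence at "We want to be able to", the second TODO checkbox is empty, and the closing line is an untranslated French note about update constraints (volumes must not contain anything that needs updating); finish or drop these before merging.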
@@ -1,61 +1,78 @@ | ||
version: "2" | ||
version: '2' | ||
services: | ||
cf_execd: | ||
read_only: true | ||
build: | ||
context: . | ||
dockerfile: cf-execd.Dockerfile | ||
volumes: | ||
- cfengine_community:/var/rudder/cfengine-community/ | ||
- uuid_keys:/data | ||
- ncf:/var/rudder/ncf | ||
- shared:/var/rudder/share | ||
- secure_httpd:/opt/rudder/etc/ssl/ | ||
- httpd_conf:/apache_conf_file | ||
- relay_conf:/opt/rudder/etc/relayd | ||
- nodelist:/var/rudder/lib/relay/ | ||
tmpfs: | ||
- /var/rudder/tmp | ||
- /var/backup/rudder | ||
- /opt/rudder/var/fusioninventory | ||
- /var/rudder/inventories | ||
external_links: | ||
- server | ||
cf_serverd: | ||
read_only: true | ||
build: | ||
context: . | ||
dockerfile: cf-serverd.Dockerfile | ||
volumes: | ||
- cfengine_community:/var/rudder/cfengine-community/ | ||
- uuid_keys:/data:ro | ||
- ncf:/var/rudder/ncf:ro | ||
- shared:/var/rudder/share:ro | ||
relay: | ||
read_only: true | ||
build: | ||
context: . | ||
dockerfile: relay.Dockerfile | ||
volumes: | ||
- nodelist:/var/rudder/lib/relay:ro | ||
- relay_conf:/opt/rudder/etc/relayd:ro | ||
tmpfs: | ||
- /var/rudder/reports | ||
- /var/rudder/inventories | ||
httpd: | ||
build: | ||
context: . | ||
dockerfile: httpd.Dockerfile | ||
volumes: | ||
- httpd_conf:/apache_conf_file:ro | ||
- secure_httpd:/opt/rudder/etc/ssl:ro | ||
cf_execd: | ||
hostname: "relay" | ||
read_only: true | ||
build: | ||
context: . | ||
dockerfile: cf-execd.Dockerfile | ||
volumes: | ||
- 'agent_state:/var/rudder/cfengine-community/' | ||
- 'agent_certs:/data' | ||
|
||
- 'policies_lib:/var/rudder/ncf' | ||
- 'policies_src_lib:/usr/share/ncf/tree' | ||
- 'policies_loc_lib:/var/rudder/configuration-repository/ncf' | ||
- 'policies:/var/rudder/share' | ||
|
||
- 'httpd_certs:/opt/rudder/etc/ssl/' | ||
- 'httpd_conf:/httpd_conf' | ||
|
||
- 'relayd_conf:/opt/rudder/etc/relayd' | ||
- 'relayd_nodelist:/var/rudder/lib/relay/' | ||
- 'relayd_certs:/var/rudder/lib/ssl/' | ||
tmpfs: | ||
- /var/rudder/tmp | ||
- /var/backup/rudder | ||
- /opt/rudder/var/fusioninventory | ||
- /var/rudder/inventories | ||
- /var/rudder/reports | ||
- /tmp | ||
- /etc/cron.d | ||
cf_serverd: | ||
read_only: true | ||
build: | ||
context: . | ||
dockerfile: cf-serverd.Dockerfile | ||
volumes: | ||
- 'agent_state:/var/rudder/cfengine-community/' | ||
- 'agent_certs:/data:ro' | ||
|
||
- 'policies_lib:/var/rudder/ncf:ro' | ||
- 'policies_src_lib:/usr/share/ncf/tree:ro' | ||
- 'policies_loc_lib:/var/rudder/configuration-repository/ncf:ro' | ||
- 'policies:/var/rudder/share:ro' | ||
relayd: | ||
read_only: true | ||
build: | ||
context: . | ||
dockerfile: relayd.Dockerfile | ||
volumes: | ||
- 'relayd_nodelist:/var/rudder/lib/relay:ro' | ||
- 'relayd_certs:/var/rudder/lib/ssl:ro' | ||
- 'relayd_conf:/opt/rudder/etc/relayd:ro' | ||
tmpfs: | ||
- /var/rudder/reports | ||
- /var/rudder/inventories | ||
httpd: | ||
read_only: true | ||
build: | ||
context: . | ||
dockerfile: httpd.Dockerfile | ||
volumes: | ||
- 'httpd_conf:/httpd_conf:ro' | ||
- 'httpd_certs:/opt/rudder/etc/ssl:ro' | ||
tmpfs: | ||
- /etc/httpd/logs | ||
volumes: | ||
cfengine_community: | ||
uuid_keys: | ||
ncf: | ||
shared: | ||
secure_httpd: | ||
httpd_conf: | ||
nodelist: | ||
relay_conf: | ||
agent_state: | ||
agent_certs: | ||
policies_lib: | ||
policies_src_lib: | ||
policies_loc_lib: | ||
policies: | ||
httpd_certs: | ||
httpd_conf: | ||
relayd_nodelist: | ||
relayd_certs: | ||
relayd_conf: |
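Review bot: `cf_execd` and `cf_serverd` both mount `agent_state:/var/rudder/cfengine-community/` read-write, whereas every other volume shared with `cf_serverd` is `:ro`; if `cf_serverd` only needs to read the agent state, mount it `:ro` as well so that a compromise of the policy-serving container cannot alter the agent's own state and keys. Also, `external_links: - server` was removed while `policy_server.dat` still points at `server`, so document how that name is expected to resolve on the compose network the relay joins.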
@@ -1,24 +1,33 @@ | ||
FROM centos:8 | ||
|
||
RUN \ | ||
yum -y install diffutils curl && \ | ||
curl -o rudder-setup https://repository.rudder.io/tools/rudder-setup && \ | ||
sh rudder-setup add-repository 6.1 && \ | ||
yum -y install rudder-server-relay && \ | ||
/usr/libexec/httpd-ssl-gencerts && \ | ||
yum clean all | ||
|
||
RUN \ | ||
mkdir /apache_conf_file && \ | ||
ln -sf /apache_conf_file/rudder-networks-24.conf /opt/rudder/etc/rudder-networks-24.conf && \ | ||
ln -sf /apache_conf_file/rudder-networks-policy-server-24.conf /opt/rudder/etc/rudder-networks-policy-server-24.conf && \ | ||
ln -sf /apache_conf_file/rudder-apache-relay-ssl.conf /opt/rudder/etc/rudder-apache-relay-ssl.conf && \ | ||
ln -sf /apache_conf_file/rudder-apache-relay-common.conf /opt/rudder/etc/rudder-apache-relay-common.conf && \ | ||
ln -sf /apache_conf_file/rudder-apache-relay-nossl.conf /opt/rudder/etc/rudder-apache-relay-nossl.conf | ||
|
||
|
||
EXPOSE 80 443 | ||
|
||
ENTRYPOINT ["/bin/bash", "-c"] | ||
|
||
CMD ["/usr/sbin/apachectl -DFOREGROUND"] | ||
FROM centos:8 | ||
|
||
RUN \ | ||
ln -sf /bin/true /usr/sbin/service && \ | ||
ln -sf /bin/true /bin/systemctl && \ | ||
ln -sf /bin/true /usr/bin/systemctl | ||
|
||
# We install the relay package is it does some config for httpd | ||
RUN \ | ||
yum -y install epel-release && \ | ||
yum -y install diffutils curl inotify-tools && \ | ||
curl -o rudder-setup https://repository.rudder.io/tools/rudder-setup && \ | ||
sh rudder-setup add-repository 6.1 && \ | ||
yum -y install rudder-server-relay && \ | ||
/usr/libexec/httpd-ssl-gencerts | ||
|
||
RUN \ | ||
mkdir /httpd_conf && \ | ||
for f in rudder-networks-24.conf rudder-networks-policy-server-24.conf rudder-apache-relay-ssl.conf \ | ||
rudder-apache-relay-common.conf rudder-apache-relay-nossl.conf htpasswd-webdav htpasswd-webdav-initial; \ | ||
do \ | ||
ln -sf /httpd_conf/${f} /opt/rudder/etc/${f}; \ | ||
done | ||
|
||
COPY \ | ||
httpd.sh . | ||
|
||
RUN \ | ||
yum clean all | ||
|
||
EXPOSE 80 443 | ||
|
||
CMD ["./httpd.sh"] |
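Review bot: The comment on the second `RUN` has a typo ("is it does" should read "as it does"). `htpasswd-webdav` and `htpasswd-webdav-initial` are now symlinked into `/httpd_conf`, a volume that `cf_execd` writes and `httpd` reads; these are htpasswd files, so the modes of the files placed on that shared volume need checking so that the credentials are not world-readable in either container. Moving `yum clean all` into its own `RUN` no longer shrinks the image, because the package cache is already committed in the earlier layer; fold it back into the install `RUN`. Finally, `rudder-setup` is downloaded and executed without any checksum or signature verification; this is unchanged from the previous version but worth addressing while the file is being touched.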
@@ -0,0 +1,16 @@ | ||
#!/bin/sh | ||
|
||
set -e | ||
set -x | ||
|
||
/usr/sbin/apachectl -DFOREGROUND & | ||
|
||
# watch for changes in /apache_config_file and update http if there is one on /backup | ||
while true; do | ||
changes=$(inotifywait -m -e move,create,modify /httpd_conf/); | ||
exit_code=$? | ||
if [ $exit_code != 0 ]; then | ||
echo "reloading httpd config" | ||
exec /usr/sbin/httpd -k graceful | ||
fi | ||
done |
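Review bot: The reload loop cannot work as written. `inotifywait -m` runs in monitor mode and never exits, so the command substitution in `changes=$(...)` blocks forever; drop `-m`. The exit-code test is inverted as well: `inotifywait` returns 0 when an event was seen, so `if [ $exit_code != 0 ]` reloads only on failure, and with `set -e` a non-zero exit aborts the script before the `if` is reached. Then `exec /usr/sbin/httpd -k graceful` replaces the shell, which is the container's main process since `apachectl` was backgrounded, with a one-shot command, so the container exits after the first reload. Suggested shape inside the loop, without `exec`: `if inotifywait -e move,create,modify /httpd_conf/; then /usr/sbin/httpd -k graceful; fi`. The comment also refers to `/apache_config_file` and `/backup`, which no longer match the `/httpd_conf` path used below it.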
@@ -0,0 +1 @@ | ||
server |
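Review bot: The default `server` matches the `external_links` entry removed from the compose file in this commit, so the name only resolves if the Rudder server is reachable under that name on the compose network; the README's instruction to edit `policy_server.dat` should say so explicitly.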
This file was deleted.
This file was deleted.