-
Notifications
You must be signed in to change notification settings - Fork 51
/
node-startup.sh
113 lines (94 loc) · 3.97 KB
/
node-startup.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
#!/bin/bash -ex
{{ if .Config.SecurityPatchPackages }}
logger -t node-startup.sh "installing red hat cdn configuration on $(hostname)"
cat >/var/lib/yum/client-cert.pem <<'EOF'
{{ CertAsBytes .Config.Certificates.PackageRepository.Cert | String }}
EOF
cat >/var/lib/yum/client-key.pem <<'EOF'
{{ PrivateKeyAsBytes .Config.Certificates.PackageRepository.Key | String }}
EOF
logger -t node-startup.sh "installing ARO security updates [{{ StringsJoin .Config.SecurityPatchPackages ", " }}] on $(hostname)"
for attempt in {1..5}; do
yum install -y -q {{ StringsJoin .Config.SecurityPatchPackages " " }} && break
logger -t node-startup.sh "[attempt ${attempt}] ARO security updates installation failed"
if [[ ${attempt} -lt 5 ]]; then sleep 1; else exit 1; fi
done
logger -t node-startup.sh "removing red hat cdn configuration on $(hostname)"
yum clean all
rm -rf /var/lib/yum/client-cert.pem /var/lib/yum/client-key.pem
{{end}}
# create container pull secret
mkdir -p /var/lib/origin/.docker
cat >/var/lib/origin/.docker/config.json <<'EOF'
{{ .Derived.CombinedImagePullSecret .Config | String }}
EOF
ln -s /var/lib/origin/.docker /root/
# TODO: delete the following group creation after it is baked into our VM images
groupadd -f docker
if ! grep /var/lib/docker /etc/fstab; then
systemctl stop docker-cleanup.timer
systemctl stop docker-cleanup.service
systemctl stop docker.service
mkfs.xfs -f /dev/disk/azure/resource-part1
echo '/dev/disk/azure/resource-part1 /var/lib/docker xfs grpquota 0 0' >>/etc/fstab
mount /var/lib/docker
restorecon -R /var/lib/docker
{{- if eq .Role "infra" }}
cat >/etc/docker/daemon.json <<'EOF'
{
"log-driver": "journald",
"disable-legacy-registry": true
}
EOF
{{- end }}
systemctl start docker.service
systemctl start docker-cleanup.timer
fi
docker pull {{ .Config.Images.Node }} &>/dev/null &
# when starting node waagent and network utilities goes into race condition.
# if waagent runs before dns is known to the node we end up with empty string
while [[ $(hostname -d) == "" ]]; do sleep 1; done
logger -t node-startup.sh "pulling {{ .Config.Images.Startup }}"
for attempt in {1..5}; do
docker pull {{ .Config.Images.Startup }} && break
logger -t node-startup.sh "[attempt ${attempt}] docker pull {{ .Config.Images.Startup }} failed"
if [[ ${attempt} -lt 5 ]]; then sleep 60; else exit 1; fi
done
#
# NOTE: In future, move that information outside of environment variables
#
set +x
export SASURI='{{ .Config.WorkerStartupSASURI }}'
set -x
docker run --privileged --rm --network host -v /:/host:z -e SASURI {{ .Config.Images.Startup }} startup
unset SASURI
update-ca-trust
# setting up geneva logging stack as soon as the configuration is laid out by
# the startup container, the closer this is to the startup container, the more
# logs from the startup process we will ship to geneva
# these should run once a day only as per the docs
/usr/local/bin/azsecd config -s baseline -d P1D
/usr/local/bin/azsecd config -s software -d P1D
/usr/local/bin/azsecd config -s clamav -d P1D
# enable and start logging stack services
systemctl unmask mdsd.service azsecd.service azsecmond.service fluentd.service
systemctl enable mdsd.service azsecd.service azsecmond.service fluentd.service
systemctl start mdsd.service azsecd.service azsecmond.service fluentd.service
{{- if eq .Role "infra" }}
tuned-adm profile openshift-control-plane
{{- else }}
tuned-adm profile openshift-node
{{- end }}
# we also need openshift.local.volumes dir created before xfs quota code runs
mkdir -m 0750 -p /var/lib/origin/openshift.local.volumes
# disabling rsyslog since we manage everything through journald
systemctl disable rsyslog.service
systemctl stop rsyslog.service
# note: atomic-openshift-node crash loops until master is up
systemctl enable atomic-openshift-node.service
{{ if .Config.SecurityPatchPackages }}
logger -t node-startup.sh "scheduling $(hostname) reboot to complete ARO security updates"
shutdown --reboot +2
{{else}}
systemctl start atomic-openshift-node.service || true
{{end}}