From 3b1b007430bf0bd4184dfa9a6063fe57057056eb Mon Sep 17 00:00:00 2001 From: thejsj Date: Sun, 12 Mar 2017 17:21:24 -0700 Subject: [PATCH 01/32] Remove loggly --- ansible/base.yml | 2 +- ansible/charon.yml | 2 +- ansible/krain.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/ansible/base.yml b/ansible/base.yml index 6ee8aead..a30cb2d7 100644 --- a/ansible/base.yml +++ b/ansible/base.yml @@ -19,5 +19,5 @@ - { role: docker, tags: [ docker ] } - { role: datadog, tags: [ datadog ] } - { role: ulimits, tags: [ ulimits ] } - - { role: loggly, tags: [ loggly, clean ] } + # - { role: loggly, tags: [ loggly, clean ] } - { role: node } diff --git a/ansible/charon.yml b/ansible/charon.yml index 774bfc5d..428f4569 100644 --- a/ansible/charon.yml +++ b/ansible/charon.yml @@ -9,5 +9,5 @@ - { role: notify, tags: [notify] } - { role: git_repo } - { role: node_service } - - { role: loggly } + # - { role: loggly } - { role: consul_value, tags: [consul_value] } diff --git a/ansible/krain.yml b/ansible/krain.yml index c865517f..18f675a0 100644 --- a/ansible/krain.yml +++ b/ansible/krain.yml @@ -9,5 +9,5 @@ - { role: build_essential } - { role: git_repo } - { role: node_service } - - { role: loggly } + # - { role: loggly } - { role: consul_value, tags: [consul_value] } From 392f95e2a325fbd056de2342930cb0f37ea3ab1e Mon Sep 17 00:00:00 2001 From: thejsj Date: Sun, 12 Mar 2017 17:23:15 -0700 Subject: [PATCH 02/32] Replace local registry with docker hub --- ansible/roles/dock-images/tasks/main.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/ansible/roles/dock-images/tasks/main.yml b/ansible/roles/dock-images/tasks/main.yml index 6a75f343..f99be66f 100644 --- a/ansible/roles/dock-images/tasks/main.yml +++ b/ansible/roles/dock-images/tasks/main.yml 
@@ -5,19 +5,15 @@ name=docker state=started -- name: add runnable registry to /etc/hosts +- name: docker login become: true - blockinfile: - dest: /etc/hosts - insertafter: EOF - block: | - {{ registry_address }} registry.runnable.com + command: docker login -u {{ docker_hub_username }} -p {{ docker_hub_password }} - name: pulling docker images become: true command: docker pull {{ item }} with_items: - - "registry.runnable.com/runnable/image-builder:v4.3.0" + - "runnable/image-builder:v4.3.0" # private - "swarm:1.2.5" - "registry:2.3.1" - "google/cadvisor:v0.24.1" @@ -38,6 +34,10 @@ - "runnable/mongo:3.2" - "runnable/redis:3.2" +- name: docker logout + become: true + command: docker logout + - name: stopping docker become: true service: From 96d9044ac5dd290f48825cc1151c357a34ef6c01 Mon Sep 17 00:00:00 2001 From: thejsj Date: Sun, 12 Mar 2017 17:23:54 -0700 Subject: [PATCH 03/32] Make sure user is sudo --- ansible/roles/git_repo/tasks/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/ansible/roles/git_repo/tasks/main.yml b/ansible/roles/git_repo/tasks/main.yml index c30e2279..56ab69d7 100644 --- a/ansible/roles/git_repo/tasks/main.yml +++ b/ansible/roles/git_repo/tasks/main.yml @@ -9,6 +9,7 @@ msg: "application Installed: {{ app_name }}, branch : {{ git_branch }} " - name: create repository dir + become: true file: path=/opt/runnable/{{ app_name }} state=directory From ffd27ad56f346a3c90c816d79d8784619166835e Mon Sep 17 00:00:00 2001 From: thejsj Date: Sun, 12 Mar 2017 17:24:23 -0700 Subject: [PATCH 04/32] Push images to docker hub. Not local registry --- ansible/roles/image-builder/tasks/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ansible/roles/image-builder/tasks/main.yml b/ansible/roles/image-builder/tasks/main.yml index ac71aa5e..bb054497 100644 --- a/ansible/roles/image-builder/tasks/main.yml +++ b/ansible/roles/image-builder/tasks/main.yml 
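Review bot: The `docker login -u … -p {{ docker_hub_password }}` task passes the Hub password as a command-line argument, so it is visible in `ps` on the dock while it runs and is echoed into Ansible's task output (and any `log_path`) because the task has no `no_log: true`. At minimum add `no_log: true`; better, use the `docker_login` module, which takes the password as a module argument rather than an argv entry. The `docker logout` task added at the end only runs if every pull succeeds — a failed pull aborts the play and leaves the credential cached in root's `~/.docker/config.json` — so the login/pull/logout sequence belongs in a `block:` with the logout under `always:`.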
@@ -7,10 +7,10 @@ - name: build the image-builder tags: deploy - command: sudo docker build --no-cache --tag="registry.runnable.com/{{ image_builder_docker_namespace }}:{{ git_branch }}" /opt/runnable/image-builder + command: sudo docker build --no-cache --tag="{{ image_builder_docker_namespace }}:{{ git_branch }}" /opt/runnable/image-builder - name: push image-builder tags: deploy run_once: true - command: sudo docker push "registry.runnable.com/{{ image_builder_docker_namespace }}:{{ git_branch }}" + command: sudo docker push "{{ image_builder_docker_namespace }}:{{ git_branch }}" when: dock is not defined From be570dd2f164b6a0f8b38fd40756e597e89ba8aa Mon Sep 17 00:00:00 2001 From: thejsj Date: Sun, 12 Mar 2017 17:24:52 -0700 Subject: [PATCH 05/32] Remove registry.runnable.com --- ansible/roles/docker/meta/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ansible/roles/docker/meta/main.yml b/ansible/roles/docker/meta/main.yml index 36877817..d45cf0e1 100644 --- a/ansible/roles/docker/meta/main.yml +++ b/ansible/roles/docker/meta/main.yml @@ -1,3 +1,3 @@ --- -dependencies: - - { role: base_ubuntu, when: "ansible_distribution == 'Ubuntu'"} +# dependencies: + # - { role: base_ubuntu, when: "ansible_distribution == 'Ubuntu'"} From eeca2c80f243a67c054a6b4a56fc94cdcbe35b93 Mon Sep 17 00:00:00 2001 From: thejsj Date: Sun, 12 Mar 2017 17:25:51 -0700 Subject: [PATCH 06/32] Dock should not be bound to any other enviroment. Remove commands that require variables tied to environment --- ansible/dock-init.yml | 4 +-- ansible/roles/node_service/tasks/main.yml | 30 +++++++++++------------ 2 files changed, 17 insertions(+), 17 deletions(-) diff --git a/ansible/dock-init.yml b/ansible/dock-init.yml index 0e7d7040..cc6c5d36 100644 --- a/ansible/dock-init.yml +++ b/ansible/dock-init.yml 
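Review bot: Dropping the `registry.runnable.com/` prefix makes `docker push` default to Docker Hub, and nothing in this hunk checks that `{{ image_builder_docker_namespace }}` names a private repository, so an unset or mistyped variable would publish the image-builder to an unintended public namespace; a guard such as `- fail: msg="image_builder_docker_namespace must be set" when: image_builder_docker_namespace is not defined` before the build is cheap. Both tasks also invoke `sudo` inside the `command:` string instead of `become: true`, which bypasses Ansible's privilege-escalation settings and logging; `become: true` with `command: docker build …` is the form the other roles in this series use. Whether the pushing host is logged in to Docker Hub is not established in this hunk.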
@@ -11,6 +11,6 @@ - { role: docker, tags: [docker] } - { role: datadog, tags: [datadog] } - { role: git_repo } - - { role: dock-init } - - { role: consul_value, tags: [consul_value] } + # - { role: dock-init } + # - { role: consul_value, tags: [consul_value] } - { role: ulimits, tags: [ulimits] } diff --git a/ansible/roles/node_service/tasks/main.yml b/ansible/roles/node_service/tasks/main.yml index 8b454355..6196680d 100644 --- a/ansible/roles/node_service/tasks/main.yml +++ b/ansible/roles/node_service/tasks/main.yml @@ -21,19 +21,19 @@ line="manual" create=yes -- name: create new config file - tags: deploy - become: true - template: - src=upstart.conf - dest=/etc/init/{{ app_name }}.conf - backup=yes +# - name: create new config file + # tags: deploy + # become: true + # template: + # src=upstart.conf + # dest=/etc/init/{{ app_name }}.conf + # backup=yes -- name: restart service {{ app_name }} - tags: deploy - become: true - when: dock is not defined - service: - name={{ app_name }} - state=restarted - enabled=yes +# - name: restart service {{ app_name }} + # tags: deploy + # become: true + # when: dock is not defined + # service: + # name={{ app_name }} + # state=restarted + # enabled=yes From e4db52b241573fdb5890f3e6ce28d83e964153bf Mon Sep 17 00:00:00 2001 From: thejsj Date: Sun, 12 Mar 2017 17:30:57 -0700 Subject: [PATCH 07/32] Remove docks-psad --- ansible/dock.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ansible/dock.yml b/ansible/dock.yml index 9eea4fb6..92d59839 100644 --- a/ansible/dock.yml +++ b/ansible/dock.yml @@ -16,7 +16,7 @@ - include: krain.yml git_branch="v0.3.0" - hosts: "{{ dock }}" - tasks: + tasks: - name: remove datadog agent become: true apt: @@ -28,4 +28,4 @@ roles: - { role: install-ssm } - { role: dock-images } - - { role: docks-psad } + # - { role: docks-psad } From 55f3ff6970421febb9f361d21f47de5527ccd700 Mon Sep 17 00:00:00 2001 
From: thejsj Date: Sun, 12 Mar 2017 17:53:49 -0700 Subject: [PATCH 08/32] Re add roles. Must be run with skip-tags in order to work --- ansible/base.yml | 2 +- ansible/charon.yml | 2 +- ansible/dock-init.yml | 4 ++-- ansible/dock.yml | 2 +- ansible/krain.yml | 2 +- ansible/roles/dock-init/tasks/main.yml | 5 ++--- ansible/roles/loggly/tasks/main.yml | 4 ++-- 7 files changed, 10 insertions(+), 11 deletions(-) diff --git a/ansible/base.yml b/ansible/base.yml index a30cb2d7..6ee8aead 100644 --- a/ansible/base.yml +++ b/ansible/base.yml @@ -19,5 +19,5 @@ - { role: docker, tags: [ docker ] } - { role: datadog, tags: [ datadog ] } - { role: ulimits, tags: [ ulimits ] } - # - { role: loggly, tags: [ loggly, clean ] } + - { role: loggly, tags: [ loggly, clean ] } - { role: node } diff --git a/ansible/charon.yml b/ansible/charon.yml index 428f4569..774bfc5d 100644 --- a/ansible/charon.yml +++ b/ansible/charon.yml @@ -9,5 +9,5 @@ - { role: notify, tags: [notify] } - { role: git_repo } - { role: node_service } - # - { role: loggly } + - { role: loggly } - { role: consul_value, tags: [consul_value] } diff --git a/ansible/dock-init.yml b/ansible/dock-init.yml index cc6c5d36..a4b53c14 100644 --- a/ansible/dock-init.yml +++ b/ansible/dock-init.yml @@ -11,6 +11,6 @@ - { role: docker, tags: [docker] } - { role: datadog, tags: [datadog] } - { role: git_repo } - # - { role: dock-init } - # - { role: consul_value, tags: [consul_value] } + - { role: dock-init, tags: [init] } + - { role: consul_value, tags: [consul_value] } - { role: ulimits, tags: [ulimits] } diff --git a/ansible/dock.yml b/ansible/dock.yml index 92d59839..708bbab6 100644 --- a/ansible/dock.yml +++ b/ansible/dock.yml @@ -28,4 +28,4 @@ roles: - { role: install-ssm } - { role: dock-images } - # - { role: docks-psad } + - { role: docks-psad, tags: [psad] } diff --git a/ansible/krain.yml b/ansible/krain.yml index 18f675a0..c865517f 100644 --- a/ansible/krain.yml +++ b/ansible/krain.yml 
@@ -9,5 +9,5 @@ - { role: build_essential } - { role: git_repo } - { role: node_service } - # - { role: loggly } + - { role: loggly } - { role: consul_value, tags: [consul_value] } diff --git a/ansible/roles/dock-init/tasks/main.yml b/ansible/roles/dock-init/tasks/main.yml index fd0bc261..805169ca 100644 --- a/ansible/roles/dock-init/tasks/main.yml +++ b/ansible/roles/dock-init/tasks/main.yml @@ -1,5 +1,6 @@ --- - fail: msg="value tokens need to be defined for this role" + tags: vault_files when: vault_auth_token is not defined or vault_token_01 is not defined or vault_token_02 is not defined or vault_token_03 is not defined - name: create vault auth directory @@ -25,12 +26,10 @@ - { file_name: 'token-02', value: "{{ vault_token_02 }}" } - { file_name: 'token-03', value: "{{ vault_token_03 }}" } -- fail: msg="docks_rollbar_key needs to be defined for this role" - when: docks_rollbar_key is not defined - - name: copy rollbar token tags: rollbar become: true + when: docks_rollbar_key is defined lineinfile: dest="/opt/runnable/dock-init/key/rollbar.token" line="{{ docks_rollbar_key }}" diff --git a/ansible/roles/loggly/tasks/main.yml b/ansible/roles/loggly/tasks/main.yml index a9556ae1..2d29fd14 100644 --- a/ansible/roles/loggly/tasks/main.yml +++ b/ansible/roles/loggly/tasks/main.yml @@ -122,7 +122,7 @@ state=present - name: runnable bin directory - tags: [ loggly, clean ] + tags: [ loggly, clean ] become: true file: path=/opt/runnable/bin @@ -141,7 +141,7 @@ mode=0700 - name: purge log files - tags: [ loggly, clean ] + tags: [ loggly, clean ] become: true cron: name="purge log files" From a7b1a871d63e0860adb9a28a68720008dd14c506 Mon Sep 17 00:00:00 2001 From: thejsj Date: Sun, 12 Mar 2017 18:01:14 -0700 Subject: [PATCH 09/32] Change node service config to tag. Skip tags if running dock --- ansible/roles/node_service/tasks/main.yml | 30 +++++++++++------------ 1 file changed, 15 insertions(+), 15 deletions(-) 
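Review bot: Tagging the `fail` guard with `vault_files` means a run with `--skip-tags vault_files` (which the commit message says is required) silently drops the precondition that the Vault tokens are defined, while the directory and token-file tasks that consume `vault_token_01..03` lie outside this hunk and, unless they carry the same tag, will still run with undefined variables. Guards of this kind should use `tags: always` so skip-tags cannot remove them, or the consuming tasks should carry the identical tag so both are skipped together. The rollbar change has the same shape: replacing the hard `fail` with `when: docks_rollbar_key is defined` turns a missing key into a silently unconfigured error reporter — at least emit a `debug: msg="docks_rollbar_key not set; skipping rollbar token"` when it is skipped. The loggly hunks are whitespace-only.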
diff --git a/ansible/roles/node_service/tasks/main.yml b/ansible/roles/node_service/tasks/main.yml index 6196680d..48c77851 100644 --- a/ansible/roles/node_service/tasks/main.yml +++ b/ansible/roles/node_service/tasks/main.yml @@ -21,19 +21,19 @@ line="manual" create=yes -# - name: create new config file - # tags: deploy - # become: true - # template: - # src=upstart.conf - # dest=/etc/init/{{ app_name }}.conf - # backup=yes +- name: create new config file + tags: deploy,render_node_service_config + become: true + template: + src=upstart.conf + dest=/etc/init/{{ app_name }}.conf + backup=yes -# - name: restart service {{ app_name }} - # tags: deploy - # become: true - # when: dock is not defined - # service: - # name={{ app_name }} - # state=restarted - # enabled=yes +- name: restart service {{ app_name }} + tags: deploy,render_node_service_config + become: true + when: dock is not defined + service: + name={{ app_name }} + state=restarted + enabled=yes From e5f2fcba8aca03fcce909b346a8fc4143297d471 Mon Sep 17 00:00:00 2001 From: thejsj Date: Sun, 12 Mar 2017 18:03:21 -0700 Subject: [PATCH 10/32] Remove unused tag --- ansible/dock-init.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible/dock-init.yml b/ansible/dock-init.yml index a4b53c14..0e7d7040 100644 --- a/ansible/dock-init.yml +++ b/ansible/dock-init.yml @@ -11,6 +11,6 @@ - { role: docker, tags: [docker] } - { role: datadog, tags: [datadog] } - { role: git_repo } - - { role: dock-init, tags: [init] } + - { role: dock-init } - { role: consul_value, tags: [consul_value] } - { role: ulimits, tags: [ulimits] } From c41a0b507b3edaeb47ad4cdeb8171b63be035879 Mon Sep 17 00:00:00 2001 
From: thejsj Date: Mon, 13 Mar 2017 01:04:35 -0700 Subject: [PATCH 11/32] Add primary functions for init --- ansible/dock-generate-launch-config.yml | 10 +++++ .../roles/dock_launch_config/tasks/main.yml | 33 +++++++++++++++ .../dock_launch_config/templates/init.tmpl | 10 +++++ .../dock_launch_config/templates/upstart.conf | 41 +++++++++++++++++++ ansible/roles/docker/meta/main.yml | 4 +- 5 files changed, 96 insertions(+), 2 deletions(-) create mode 100644 ansible/dock-generate-launch-config.yml create mode 100644 ansible/roles/dock_launch_config/tasks/main.yml create mode 100644 ansible/roles/dock_launch_config/templates/init.tmpl create mode 100644 ansible/roles/dock_launch_config/templates/upstart.conf diff --git a/ansible/dock-generate-launch-config.yml b/ansible/dock-generate-launch-config.yml new file mode 100644 index 00000000..b10d0d8f --- /dev/null +++ b/ansible/dock-generate-launch-config.yml @@ -0,0 +1,10 @@ +--- +- hosts: cream + tasks: + - fail: msg="`dock` (target dock) needs to be defined to run this role" + when: dock is not defined + - add_host: + name={{ dock }} + groups=dock + roles: + - { role: dock_launch_config } diff --git a/ansible/roles/dock_launch_config/tasks/main.yml b/ansible/roles/dock_launch_config/tasks/main.yml new file mode 100644 index 00000000..5ed63999 --- /dev/null +++ b/ansible/roles/dock_launch_config/tasks/main.yml 
@@ -0,0 +1,33 @@ +--- +- name: create new config file for krain + template: + src=upstart.conf + dest=~/{{ app_name }}.conf + backup=yes + vars: + - app_name: "krain" + +- name: encode krain config to base64 + shell: cat ~/{{ app_name }}.conf | base64 -w 0 + register: krain_base64 + vars: + - app_name: "krain" + +- name: create new config file for charon + template: + src=upstart.conf + dest=~/{{ app_name }}.conf + backup=yes + vars: + - app_name: "charon" + +- name: encode krain config to base64 + shell: cat ~/{{ app_name }}.conf | base64 -w 0 + register: charon_base64 + vars: + - app_name: "charon" + +- name: Generate init script + template: + src=init.tmpl + dest=~/init.sh diff --git a/ansible/roles/dock_launch_config/templates/init.tmpl b/ansible/roles/dock_launch_config/templates/init.tmpl new file mode 100644 index 00000000..0938865d --- /dev/null +++ b/ansible/roles/dock_launch_config/templates/init.tmpl @@ -0,0 +1,10 @@ +#!/bin/bash +export CONSUL_PORT={{ consul_api_port }} +export CONSUL_HOSTNAME={{ ansible_default_ipv4.address }} +export VAULT_PORT=65240 +echo {{ krain_base64['stdout'] }} | base64 --decode >> /etc/init/krain.conf +echo {{ charon_base64['stdout'] }} | base64 --decode >> /etc/init/charon.conf +- name: create new config file for krain +start amazon-ssm-agent +service krain start +service charon start vault server --config=/tmp/vault.hcl > /tmp/log 2>&1 & diff --git a/ansible/roles/dock_launch_config/templates/upstart.conf b/ansible/roles/dock_launch_config/templates/upstart.conf new file mode 100644 index 00000000..7fac67c5 --- /dev/null +++ b/ansible/roles/dock_launch_config/templates/upstart.conf 
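Review bot: The two template tasks render upstart job files into `~/` with `backup=yes`, so every re-run leaves a timestamped copy of the previous render next to the new one; because `upstart.conf` writes the application environment as `env NAME=value` lines, any credential in that environment is duplicated across backups with default permissions. Drop `backup=yes` here (the file is a regenerated artifact, not a hand-maintained config) and add `mode=0600` to both template tasks. The fourth task's name, `encode krain config to base64`, is a copy-paste error and should read `encode charon config to base64`. Whether `enviroment_vars` actually carries secrets is not visible in this hunk.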
@@ -0,0 +1,41 @@ +#!upstart +description "{{ app_name }}" +author "Anandkumar Patel" + +env NPM_BIN=/usr/local/bin/npm +env APP_DIR=/opt/runnable/{{ app_name }} +env LOG_FILE={{ app_log_dir }}/{{ app_name }}.log +env NODE_ENV={{ node_env }} + +{% if enviroment_vars is defined %} +{% for name, value in enviroment_vars.iteritems() %} +env {{ name }}={{ value }} +{% endfor %} +{% endif %} + +start on (local-filesystems and net-device-up IFACE=eth0) +stop on shutdown + +script + touch $LOG_FILE + chdir $APP_DIR + echo $$ > /var/run/{{ app_name }}.pid + exec $NPM_BIN start >> $LOG_FILE 2>&1 +end script + +pre-start script + # Date format same as (new Date()).toISOString() for consistency + echo "[`date -u +%Y-%m-%dT%T.%3NZ`] (sys) Starting" >> $LOG_FILE +end script + +pre-stop script + rm /var/run/{{ app_name }}.pid + echo "[`date -u +%Y-%m-%dT%T.%3NZ`] (sys) Stopping" >> $LOG_FILE +end script + +post-start script + echo "===== App restarted =====" >> $LOG_FILE +end script + +respawn +respawn limit 5 1 # give up restart after 5 respawns in 1 seconds diff --git a/ansible/roles/docker/meta/main.yml b/ansible/roles/docker/meta/main.yml index d45cf0e1..36877817 100644 --- a/ansible/roles/docker/meta/main.yml +++ b/ansible/roles/docker/meta/main.yml @@ -1,3 +1,3 @@ --- -# dependencies: - # - { role: base_ubuntu, when: "ansible_distribution == 'Ubuntu'"} +dependencies: + - { role: base_ubuntu, when: "ansible_distribution == 'Ubuntu'"} From 425548c62058ecde3db229f8d77dc57874307056 Mon Sep 17 00:00:00 2001 From: thejsj Date: Mon, 13 Mar 2017 01:25:47 -0700 Subject: [PATCH 12/32] Add vault tokens --- ansible/roles/dock_launch_config/tasks/main.yml | 6 ++++++ .../dock_launch_config/templates/init.tmpl | 17 ++++++++++++++++- 2 files changed, 22 insertions(+), 1 deletion(-) diff --git a/ansible/roles/dock_launch_config/tasks/main.yml b/ansible/roles/dock_launch_config/tasks/main.yml index 5ed63999..fe2a67da 100644 --- a/ansible/roles/dock_launch_config/tasks/main.yml 
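Review bot: `env {{ name }}={{ value }}` writes every entry of `enviroment_vars` verbatim into `/etc/init/{{ app_name }}.conf`, and upstart job files are typically installed world-readable, so any token in that mapping becomes readable by every local account on the dock; whoever installs this file should set it to `0600`, or the secrets should be read at start from a root-only file. The value is also unquoted, so a value containing a space or `#` would be truncated by upstart's parser — `env {{ name }}="{{ value }}"` is safer. `respawn limit 5 1` gives up after five respawns within one second, which for a service that crashes on a bad config means it stays down with nothing here to alert on it; a wider window such as `respawn limit 10 60` is more conventional, if that matches operational intent.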
+++ b/ansible/roles/dock_launch_config/tasks/main.yml @@ -31,3 +31,9 @@ template: src=init.tmpl dest=~/init.sh + vars: + tokens: + - { file_name: 'auth-token', value: "{{ vault_auth_token }}" } + - { file_name: 'token-01', value: "{{ vault_token_01 }}" } + - { file_name: 'token-02', value: "{{ vault_token_02 }}" } + - { file_name: 'token-03', value: "{{ vault_token_03 }}" } diff --git a/ansible/roles/dock_launch_config/templates/init.tmpl b/ansible/roles/dock_launch_config/templates/init.tmpl index 0938865d..58898c7b 100644 --- a/ansible/roles/dock_launch_config/templates/init.tmpl +++ b/ansible/roles/dock_launch_config/templates/init.tmpl @@ -1,10 +1,25 @@ #!/bin/bash + +# Set ENV files export CONSUL_PORT={{ consul_api_port }} export CONSUL_HOSTNAME={{ ansible_default_ipv4.address }} export VAULT_PORT=65240 + +# Add upstart files echo {{ krain_base64['stdout'] }} | base64 --decode >> /etc/init/krain.conf echo {{ charon_base64['stdout'] }} | base64 --decode >> /etc/init/charon.conf -- name: create new config file for krain + +# Create directory for env +mkdir /opt/runnable/dock-init/consul-resources/vault/{{ node_env }}" +chown ubuntu:ubuntu /opt/runnable/dock-init/consul-resources/vault/{{ node_env }}" +chmod 0711 /opt/runnable/dock-init/consul-resources/vault/{{ node_env }}" + +# Set Vault Tokens +{% for item in tokens %} +echo {{ item.value }} >> /opt/runnable/dock-init/consul-resources/vault/{{ node_env }}/{{ item.file_name }} +{% endfor %} + +# Start services start amazon-ssm-agent service krain start service charon start vault server --config=/tmp/vault.hcl > /tmp/log 2>&1 & From 8df439342209b4f8fb492136fe0db54cad83e8c8 Mon Sep 17 00:00:00 2001 From: thejsj Date: Mon, 13 Mar 2017 01:29:26 -0700 Subject: [PATCH 13/32] Add tokens --- .../roles/dock_launch_config/templates/init.tmpl | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) 
diff --git a/ansible/roles/dock_launch_config/templates/init.tmpl b/ansible/roles/dock_launch_config/templates/init.tmpl index 58898c7b..0da078ee 100644 --- a/ansible/roles/dock_launch_config/templates/init.tmpl +++ b/ansible/roles/dock_launch_config/templates/init.tmpl @@ -5,21 +5,21 @@ export CONSUL_PORT={{ consul_api_port }} export CONSUL_HOSTNAME={{ ansible_default_ipv4.address }} export VAULT_PORT=65240 -# Add upstart files -echo {{ krain_base64['stdout'] }} | base64 --decode >> /etc/init/krain.conf -echo {{ charon_base64['stdout'] }} | base64 --decode >> /etc/init/charon.conf +# Set Vault Tokens +{% for item in tokens %} +echo {{ item.value }} >> /opt/runnable/dock-init/consul-resources/vault/{{ node_env }}/{{ item.file_name }} +{% endfor %} # Create directory for env mkdir /opt/runnable/dock-init/consul-resources/vault/{{ node_env }}" chown ubuntu:ubuntu /opt/runnable/dock-init/consul-resources/vault/{{ node_env }}" chmod 0711 /opt/runnable/dock-init/consul-resources/vault/{{ node_env }}" -# Set Vault Tokens -{% for item in tokens %} -echo {{ item.value }} >> /opt/runnable/dock-init/consul-resources/vault/{{ node_env }}/{{ item.file_name }} -{% endfor %} +# Add upstart files +echo {{ krain_base64['stdout'] }} | base64 --decode >> /etc/init/krain.conf +echo {{ charon_base64['stdout'] }} | base64 --decode >> /etc/init/charon.conf # Start services start amazon-ssm-agent service krain start -service charon start vault server --config=/tmp/vault.hcl > /tmp/log 2>&1 & +service charon start From 982098dad906507506a427dc45ce89dba9126eb8 Mon Sep 17 00:00:00 2001 From: thejsj Date: Mon, 13 Mar 2017 10:38:41 -0700 Subject: [PATCH 14/32] Add tag to ensure_registry --- ansible/roles/base_ubuntu/tasks/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/ansible/roles/base_ubuntu/tasks/main.yml b/ansible/roles/base_ubuntu/tasks/main.yml index ee624a85..fbac16c8 100644 --- a/ansible/roles/base_ubuntu/tasks/main.yml +++ b/ansible/roles/base_ubuntu/tasks/main.yml 
@@ -1,6 +1,7 @@ --- - name: ensure registry.runnable in /etc/hosts become: true + tags: ensure_registry when: dock is not defined lineinfile: dest=/etc/hosts From 9400c65ab4362d41b1c018cc0d757fddd2464548 Mon Sep 17 00:00:00 2001 From: thejsj Date: Mon, 13 Mar 2017 17:17:06 -0700 Subject: [PATCH 15/32] Fix vault port. Remove amazon-ssm-agent --- ansible/group_vars/all.yml | 3 +++ ansible/roles/dock_launch_config/templates/init.tmpl | 3 +-- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/ansible/group_vars/all.yml b/ansible/group_vars/all.yml index e91ff748..2c4332a4 100644 --- a/ansible/group_vars/all.yml +++ b/ansible/group_vars/all.yml @@ -204,6 +204,9 @@ navi_mongo_port: 27017 npm_token: c76363e9-78e0-4667-82ac-e2ac01efcfe2 +# remote vault +vault_port=65240 + # local-vault vault_local_port: 31836 vault_addr: http://127.0.0.1:{{ vault_local_port }} diff --git a/ansible/roles/dock_launch_config/templates/init.tmpl b/ansible/roles/dock_launch_config/templates/init.tmpl index 0da078ee..46643bc2 100644 --- a/ansible/roles/dock_launch_config/templates/init.tmpl +++ b/ansible/roles/dock_launch_config/templates/init.tmpl @@ -3,7 +3,7 @@ # Set ENV files export CONSUL_PORT={{ consul_api_port }} export CONSUL_HOSTNAME={{ ansible_default_ipv4.address }} -export VAULT_PORT=65240 +export VAULT_PORT={{ vault_port }} # Set Vault Tokens {% for item in tokens %} @@ -20,6 +20,5 @@ echo {{ krain_base64['stdout'] }} | base64 --decode >> /etc/init/krain.conf echo {{ charon_base64['stdout'] }} | base64 --decode >> /etc/init/charon.conf # Start services -start amazon-ssm-agent service krain start service charon start From 60bd667d71c901d570a2ac948ccac68e53d2e5dd Mon Sep 17 00:00:00 2001 From: thejsj Date: Tue, 14 Mar 2017 16:28:48 -0700 Subject: [PATCH 16/32] Add vault port --- ansible/group_vars/all.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible/group_vars/all.yml b/ansible/group_vars/all.yml index 2c4332a4..52840c53 100644 
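Review bot: The context lines of the `group_vars/all.yml` hunk show `npm_token: c76363e9-…` committed in plaintext; a value that looks like an npm auth token belongs in ansible-vault (or in the Vault these patches are wiring up), and since it is already in history it should be rotated regardless of how this series lands. The added `vault_port=65240` line is a bare scalar, not a mapping entry, so `{{ vault_port }}` in `init.tmpl` would be undefined on this commit; the following patch corrects it to `vault_port: 65240`. Removing `start amazon-ssm-agent` from the generated script is a behavioural change worth a sentence in the commit message, since SSM is the dock's remote-management path.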
--- a/ansible/group_vars/all.yml +++ b/ansible/group_vars/all.yml @@ -205,7 +205,7 @@ navi_mongo_port: 27017 npm_token: c76363e9-78e0-4667-82ac-e2ac01efcfe2 # remote vault -vault_port=65240 +vault_port: 65240 # local-vault vault_local_port: 31836 From 3b27d32a89dbff4787412b9022fad10bfcb4c3a5 Mon Sep 17 00:00:00 2001 From: thejsj Date: Tue, 14 Mar 2017 17:08:09 -0700 Subject: [PATCH 17/32] Fix script to run on localhost --- ansible/dock-generate-launch-config.yml | 3 ++- ansible/gamma-hosts/hosts | 4 ++++ 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/ansible/dock-generate-launch-config.yml b/ansible/dock-generate-launch-config.yml index b10d0d8f..b7663328 100644 --- a/ansible/dock-generate-launch-config.yml +++ b/ansible/dock-generate-launch-config.yml @@ -1,5 +1,6 @@ --- -- hosts: cream +- hosts: user-local + connection: local tasks: - fail: msg="`dock` (target dock) needs to be defined to run this role" when: dock is not defined diff --git a/ansible/gamma-hosts/hosts b/ansible/gamma-hosts/hosts index 7feb4a76..c62f6dbd 100644 --- a/ansible/gamma-hosts/hosts +++ b/ansible/gamma-hosts/hosts @@ -1,6 +1,9 @@ [bastion] gamma-bastion +[user-local] +127.0.0.1 + [hipache] gamma-hipache httpsCheckForBackend80=false prependIncomingPort=true subDomainDepth=4 @@ -134,6 +137,7 @@ gamma-app-services gamma-dock-services [gamma:children] +user-local agreeable-egret api arithmancy From b44c6c6f012f80f3930a1be021bb844909f008a5 Mon Sep 17 00:00:00 2001 From: thejsj Date: Tue, 14 Mar 2017 17:14:40 -0700 Subject: [PATCH 18/32] Remove pushing of image --- ansible/roles/image-builder/tasks/main.yml | 6 ------ 1 file changed, 6 deletions(-) diff --git a/ansible/roles/image-builder/tasks/main.yml b/ansible/roles/image-builder/tasks/main.yml index bb054497..4dfaa182 100644 --- a/ansible/roles/image-builder/tasks/main.yml +++ b/ansible/roles/image-builder/tasks/main.yml 
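Review bot: Adding `user-local` to `[gamma:children]` makes `127.0.0.1` a member of the `gamma` group, so any play or ad-hoc command addressed to `gamma` (or a pattern that expands to it) will now also target the operator's own workstation, and only this one playbook sets `connection: local` — other plays would attempt SSH to 127.0.0.1 with whatever user the inventory implies. If the goal is only to pick up `group_vars/gamma` for the launch-config generation, keep `[user-local]` out of the `gamma` children and load the needed vars explicitly, or at minimum declare `127.0.0.1 ansible_connection=local` in the inventory so no play can reach it over SSH. The `vault_port: 65240` fix in the first hunk is trivial.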
@@ -8,9 +8,3 @@ - name: build the image-builder tags: deploy command: sudo docker build --no-cache --tag="{{ image_builder_docker_namespace }}:{{ git_branch }}" /opt/runnable/image-builder - -- name: push image-builder - tags: deploy - run_once: true - command: sudo docker push "{{ image_builder_docker_namespace }}:{{ git_branch }}" - when: dock is not defined From 76ec7509c098d51c192d42ef26df6f0ff4bbdcb0 Mon Sep 17 00:00:00 2001 From: thejsj Date: Wed, 15 Mar 2017 14:10:32 -0700 Subject: [PATCH 19/32] Make image-builder public --- ansible/roles/dock-images/tasks/main.yml | 10 +--------- 1 file changed, 1 insertion(+), 9 deletions(-) diff --git a/ansible/roles/dock-images/tasks/main.yml b/ansible/roles/dock-images/tasks/main.yml index f99be66f..c1751e38 100644 --- a/ansible/roles/dock-images/tasks/main.yml +++ b/ansible/roles/dock-images/tasks/main.yml @@ -5,15 +5,11 @@ name=docker state=started -- name: docker login - become: true - command: docker login -u {{ docker_hub_username }} -p {{ docker_hub_password }} - - name: pulling docker images become: true command: docker pull {{ item }} with_items: - - "runnable/image-builder:v4.3.0" # private + - "runnable/image-builder:v4.3.1" - "swarm:1.2.5" - "registry:2.3.1" - "google/cadvisor:v0.24.1" @@ -34,10 +30,6 @@ - "runnable/mongo:3.2" - "runnable/redis:3.2" -- name: docker logout - become: true - command: docker logout - - name: stopping docker become: true service: From c4ebcba442d9f11a0a7feccd33eb196b4ad71abf Mon Sep 17 00:00:00 2001 From: thejsj Date: Fri, 24 Mar 2017 14:41:37 -0700 Subject: [PATCH 20/32] Update dock images. Add consul_values tag --- ansible/consul-values.yml | 2 ++ ansible/roles/consul_value/tasks/main.yml | 2 +- ansible/roles/dock-images/tasks/main.yml | 1 - 3 files changed, 3 insertions(+), 2 deletions(-) diff --git a/ansible/consul-values.yml b/ansible/consul-values.yml index 5f226ffd..87405e35 100644 --- a/ansible/consul-values.yml +++ b/ansible/consul-values.yml 
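Review bot: With the private registry replaced by Docker Hub and `docker login` removed, the dock now pulls `runnable/image-builder:v4.3.1` and the other images by mutable tag over the public network with no digest or content-trust check, so whatever those tags resolve to at pull time is what runs on every dock. Pin by digest (`runnable/image-builder@sha256:…`) or set `DOCKER_CONTENT_TRUST=1` via `environment:` on the pull task. Making the image public was presumably deliberate ("Make image-builder public"), but it also means the image contents are world-readable; confirm nothing environment-specific is baked into it. The `push image-builder` task removal in the first hunk is a pure deletion.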
@@ -17,6 +17,7 @@ with_items: "{{ consul_seed }}" - name: get values from consul + tags: consul_values run_once: true when: read_values is defined uri: @@ -26,6 +27,7 @@ register: values - name: print values to screen + tags: consul_values run_once: true when: read_values is defined debug: msg="{{ item.item.key }}" -> "{{ item.json[0].Value | b64decode }}" diff --git a/ansible/roles/consul_value/tasks/main.yml b/ansible/roles/consul_value/tasks/main.yml index e750812f..e92441f5 100644 --- a/ansible/roles/consul_value/tasks/main.yml +++ b/ansible/roles/consul_value/tasks/main.yml @@ -14,7 +14,7 @@ cache_valid_time=604800 - name: put values into consul - tags: deploy + tags: deploy, consul_values run_once: true when: consul_host_address is defined and consul_api_port is defined and consul_values is defined and dock is not defined uri: diff --git a/ansible/roles/dock-images/tasks/main.yml b/ansible/roles/dock-images/tasks/main.yml index c1751e38..774a8f2e 100644 --- a/ansible/roles/dock-images/tasks/main.yml +++ b/ansible/roles/dock-images/tasks/main.yml @@ -9,7 +9,6 @@ become: true command: docker pull {{ item }} with_items: - - "runnable/image-builder:v4.3.1" - "swarm:1.2.5" - "registry:2.3.1" - "google/cadvisor:v0.24.1" From 15fee45ece3237dcb8a1c8e22f10c3e49ce75a54 Mon Sep 17 00:00:00 2001 From: thejsj Date: Fri, 24 Mar 2017 14:42:19 -0700 Subject: [PATCH 21/32] Update krain image --- ansible/dock.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible/dock.yml b/ansible/dock.yml index 29e1f932..5995ef5f 100644 --- a/ansible/dock.yml +++ b/ansible/dock.yml @@ -13,7 +13,7 @@ - include: charon.yml git_branch="v5.0.1" - include: dock-init.yml git_branch="v10.1.2" -- include: krain.yml git_branch="v0.3.0" +- include: krain.yml git_branch="v0.3.1" - hosts: "{{ dock }}" tasks: From 41afba30e9c5cf30e36ed718a5f779b4b698a419 Mon Sep 17 00:00:00 2001 
From: thejsj Date: Fri, 24 Mar 2017 14:45:50 -0700 Subject: [PATCH 22/32] Add docker-listener image inspect list --- ansible/group_vars/alpha-docker-listener.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/ansible/group_vars/alpha-docker-listener.yml b/ansible/group_vars/alpha-docker-listener.yml index 758c06e6..3593d623 100644 --- a/ansible/group_vars/alpha-docker-listener.yml +++ b/ansible/group_vars/alpha-docker-listener.yml @@ -13,6 +13,7 @@ container_envs: > -e DATADOG_HOST={{ datadog_host_address }} -e DATADOG_PORT={{ datadog_port }} -e DOCKER_CERT_PATH=/etc/ssl/docker + -e IMAGE_INSPECT_LIST=localhost,registry.runnable.com,runnable -e LOGGLY_TOKEN={{ loggly_token }} -e NODE_ENV={{ node_env }} -e RABBITMQ_HOSTNAME={{ rabbit_host_address }} From 0cb5bfd5dd39a314cbbc78877930d0cc66c39f07 Mon Sep 17 00:00:00 2001 From: thejsj Date: Fri, 24 Mar 2017 14:57:40 -0700 Subject: [PATCH 23/32] Add CA certs. Convert to single template. Overwrite existing files --- .../roles/dock_launch_config/tasks/main.yml | 45 ++++++++++++++++--- .../dock_launch_config/templates/init.tmpl | 35 ++++++++++----- 2 files changed, 63 insertions(+), 17 deletions(-) diff --git a/ansible/roles/dock_launch_config/tasks/main.yml b/ansible/roles/dock_launch_config/tasks/main.yml index fe2a67da..4bf36c5f 100644 --- a/ansible/roles/dock_launch_config/tasks/main.yml +++ b/ansible/roles/dock_launch_config/tasks/main.yml @@ -1,4 +1,7 @@ --- +- name: load variables + include_vars: "group_vars/alpha-krain.yml" + - name: create new config file for krain template: src=upstart.conf @@ -6,6 +9,7 @@ backup=yes vars: - app_name: "krain" + - enviroment_vars: enviroment_vars - name: encode krain config to base64 shell: cat ~/{{ app_name }}.conf | base64 -w 0 @@ -13,6 +17,9 @@ vars: - app_name: "krain" +- name: load variables + include_vars: "group_vars/alpha-charon.yml" + - name: create new config file for charon template: src=upstart.conf 
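Review bot: The task-level `vars:` entry `- enviroment_vars: enviroment_vars` assigns the literal string `enviroment_vars` (there is no `{{ }}`), which shadows the mapping that `include_vars` just loaded; as written, the `enviroment_vars.iteritems()` loop in `upstart.conf` would see a string rather than a dict. The override is unnecessary because `include_vars` already places the variable in scope — delete the line rather than rewriting it as `"{{ enviroment_vars }}"`, which would be a self-reference. Separately, `include_vars: "group_vars/alpha-krain.yml"` hardcodes the alpha environment into a role whose output is otherwise parameterised by `{{ node_env }}`, so a gamma dock would be launched with alpha's service environment; `include_vars: "group_vars/{{ node_env }}-krain.yml"` may be what was intended, if the file naming follows that pattern. The `IMAGE_INSPECT_LIST` addition is a configuration change only.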
@@ -20,6 +27,7 @@ backup=yes vars: - app_name: "charon" + - enviroment_vars: enviroment_vars - name: encode krain config to base64 shell: cat ~/{{ app_name }}.conf | base64 -w 0 @@ -27,13 +35,38 @@ vars: - app_name: "charon" -- name: Generate init script - template: - src=init.tmpl - dest=~/init.sh - vars: - tokens: +- name: register tokens + set_fact: + vault_tokens: - { file_name: 'auth-token', value: "{{ vault_auth_token }}" } - { file_name: 'token-01', value: "{{ vault_token_01 }}" } - { file_name: 'token-02', value: "{{ vault_token_02 }}" } - { file_name: 'token-03', value: "{{ vault_token_03 }}" } + +- name: encode ca.pem to base64 + shell: cat ./roles/docker_client/scripts/ca.pem | base64 -w 0 + register: ca_pem_base64 + +- name: encode ca-key.pem to base64 + shell: cat ./roles/docker_client/scripts/ca-key.pem | base64 -w 0 + register: ca_key_pem_base64 + +- name: encode pass to base64 + shell: cat ./roles/docker_client/scripts/pass | base64 -w 0 + register: pass_base64 + +- name: Generate dock script + template: + src=init.tmpl + dest=~/dock.sh + vars: + tokens: "{{ vault_tokens }}" + is_dock_pool: false + +- name: Generate dock script + template: + src=init.tmpl + dest=~/dock-pool.sh + vars: + tokens: "{{ vault_tokens }}" + is_dock_pool: true diff --git a/ansible/roles/dock_launch_config/templates/init.tmpl b/ansible/roles/dock_launch_config/templates/init.tmpl index 433cc5c5..d8d62214 100644 --- a/ansible/roles/dock_launch_config/templates/init.tmpl +++ b/ansible/roles/dock_launch_config/templates/init.tmpl 
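Review bot: `ca-key.pem` and `pass` (by name, the key's passphrase) are read from the checked-out role directory and base64-encoded into `~/dock.sh` and `~/dock-pool.sh`; base64 is an encoding, not encryption, so the Docker CA private key now sits in a script in the operator's home directory with default permissions, and if that script is supplied as instance user-data it becomes readable by any process on the dock through the metadata endpoint. Ship only what a dock needs to verify peers (`ca.pem`) and, if docks must issue certificates, fetch the key at boot from the Vault that the tokens in this same script already grant access to. The three `shell: cat … | base64 -w 0` tasks also register the secret as task output — add `no_log: true` to each, or replace them with `lookup('file', …) | b64encode` so no shell is spawned and nothing is logged. Whether the generated script is used as user-data is not shown here.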
@@ -1,25 +1,38 @@ #!/bin/bash # Set ENV files -export CONSUL_PORT={{ consul_api_port }} -export CONSUL_HOSTNAME={{ ansible_default_ipv4.address }} +export CONSUL_PORT={{ consul_https_port }} +export CONSUL_HOSTNAME={{ groups['consul'][0] }} export VAULT_PORT={{ vault_port }} +# Create directory for env +mkdir -p /opt/runnable/dock-init/consul-resources/vault/{{ node_env }} +chown ubuntu:ubuntu /opt/runnable/dock-init/consul-resources/vault/{{ node_env }} +chmod 0711 /opt/runnable/dock-init/consul-resources/vault/{{ node_env }} + # Set Vault Tokens {% for item in tokens %} -echo {{ item.value }} >> /opt/runnable/dock-init/consul-resources/vault/{{ node_env }}/{{ item.file_name }} +echo {{ item.value }} > /opt/runnable/dock-init/consul-resources/vault/{{ node_env }}/{{ item.file_name }} {% endfor %} -# Create directory for env -mkdir /opt/runnable/dock-init/consul-resources/vault/{{ node_env }}" -chown ubuntu:ubuntu /opt/runnable/dock-init/consul-resources/vault/{{ node_env }}" -chmod 0711 /opt/runnable/dock-init/consul-resources/vault/{{ node_env }}" - # Add upstart files -echo {{ krain_base64['stdout'] }} | base64 --decode >> /etc/init/krain.conf -echo {{ charon_base64['stdout'] }} | base64 --decode >> /etc/init/charon.conf +mkdir -p /docker/app-logs/ +echo {{ krain_base64['stdout'] }} | base64 --decode > /etc/init/krain.conf +echo {{ charon_base64['stdout'] }} | base64 --decode > /etc/init/charon.conf + +# Add Certs +mkdir -p /etc/ssl/docker/ +rm /etc/ssl/docker/* +echo {{ ca_pem_base64['stdout'] }} | base64 --decode > /etc/ssl/docker/ca.pem +echo {{ ca_key_pem_base64['stdout'] }} | base64 --decode > /etc/ssl/docker/ca-key.pem +echo {{ pass_base64['stdout'] }} | base64 --decode > /etc/ssl/docker/pass # Start services +{% if is_dock_pool %} +start amazon-ssm-agent +{% endif %} service krain start service charon start -CONSUL_HOSTNAME=10.4.0.148 CONSUL_PORT=65200 VAULT_PORT=65240 bash /opt/runnable/dock-init/init.sh | tee /var/log/user-script-dock-init.log +{% if 
not is_dock_pool %} +CONSUL_HOSTNAME={{ groups['consul'][0] }} CONSUL_PORT={{ consul_https_port }} VAULT_PORT={{ vault_port }} bash /opt/runnable/dock-init/init.sh | tee /var/log/user-script-dock-init.log +{% endif %} From cbd2587ff56da9e9b91c42674ffc2728b4e173cb Mon Sep 17 00:00:00 2001 From: thejsj Date: Fri, 24 Mar 2017 14:57:52 -0700 Subject: [PATCH 24/32] Add more comments --- .../roles/dock_launch_config/templates/init.tmpl | 10 +++++----- ansible/roles/docker/tasks/main.yml | 15 --------------- 2 files changed, 5 insertions(+), 20 deletions(-) diff --git a/ansible/roles/dock_launch_config/templates/init.tmpl b/ansible/roles/dock_launch_config/templates/init.tmpl index d8d62214..5e5b09cf 100644 --- a/ansible/roles/dock_launch_config/templates/init.tmpl +++ b/ansible/roles/dock_launch_config/templates/init.tmpl 
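Review bot: In the `# Set Vault Tokens` and `# Add Certs` sections the files are written with plain `echo … > file` under the script's default umask, so the vault tokens, the CA private key and its passphrase are created world-readable; the commit tightens the token directory to `0711` but never the files, and nothing in this hunk restricts `/etc/ssl/docker/*` (PATCH 24/32 later adds `chmod -R 0440` there, which still leaves the token files untouched). After the `{% endfor %}` add `chown -R ubuntu:ubuntu /opt/runnable/dock-init/consul-resources/vault/{{ node_env }}` and `chmod 0600 /opt/runnable/dock-init/consul-resources/vault/{{ node_env }}/*` (the directory is already chowned to ubuntu, which suggests that user reads them — confirm), and after the cert writes `chmod 0400 /etc/ssl/docker/*`. Separately, the rendered `dock.sh`/`dock-pool.sh` carries the base64 of all of these secrets inline; if it is used as launch-configuration user data (the role name and `is_dock_pool` suggest so), anything that can read the instance metadata or the launch configuration can read the CA key, so the file and the launch configuration must be stored and access-controlled as secret material. `rm /etc/ssl/docker/*` has no `-f` and errors on an empty directory; harmless without `set -e` but noisy.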
@@ -10,22 +10,22 @@ mkdir -p /opt/runnable/dock-init/consul-resources/vault/{{ node_env }} chown ubuntu:ubuntu /opt/runnable/dock-init/consul-resources/vault/{{ node_env }} chmod 0711 /opt/runnable/dock-init/consul-resources/vault/{{ node_env }} -# Set Vault Tokens +# Set Vault Tokens (Used for fetching templates) {% for item in tokens %} echo {{ item.value }} > /opt/runnable/dock-init/consul-resources/vault/{{ node_env }}/{{ item.file_name }} {% endfor %} -# Add upstart files +# Add upstart files for charon and krain mkdir -p /docker/app-logs/ echo {{ krain_base64['stdout'] }} | base64 --decode > /etc/init/krain.conf echo {{ charon_base64['stdout'] }} | base64 --decode > /etc/init/charon.conf -# Add Certs +# Add Certs (Used for genereting Docker client keys + certs) mkdir -p /etc/ssl/docker/ -rm /etc/ssl/docker/* -echo {{ ca_pem_base64['stdout'] }} | base64 --decode > /etc/ssl/docker/ca.pem +cho {{ ca_pem_base64['stdout'] }} | base64 --decode > /etc/ssl/docker/ca.pem echo {{ ca_key_pem_base64['stdout'] }} | base64 --decode > /etc/ssl/docker/ca-key.pem echo {{ pass_base64['stdout'] }} | base64 --decode > /etc/ssl/docker/pass +chmod -R 0440 /etc/ssl/docker/ # Start services {% if is_dock_pool %} diff --git a/ansible/roles/docker/tasks/main.yml b/ansible/roles/docker/tasks/main.yml index e2e3fffd..3eaa82d8 100644 --- a/ansible/roles/docker/tasks/main.yml +++ b/ansible/roles/docker/tasks/main.yml @@ -15,17 +15,6 @@ owner=root group=root -- name: copy docker certs - become: true - tags: docker_certs - when: dock is defined - copy: - src=certs/ - dest=/etc/ssl/docker - mode=0440 - owner=root - group=root - - name: create core file dir become: true when: docker_config == "runnable" and core_file_dir != "/var/log" @@ -110,10 +99,6 @@ group=root mode=0755 -- name: restart docker - when: (copied_config.changed and restart is defined) or dock is defined - command: sudo service docker restart - - name: create docker group become: true group: 
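Review bot: `chmod -R 0440 /etc/ssl/docker/` in the `# Add Certs` section also applies `0440` to the directory itself, which strips its search bit; root still traverses it, but any non-root process pointed at this path (the docker-listener env in the `alpha-docker-listener.yml` hunk sets `DOCKER_CERT_PATH=/etc/ssl/docker`, presumably via a mount) would then fail to open the certs, so split it into `chmod 0750 /etc/ssl/docker` and `chmod 0440 /etc/ssl/docker/*`. Whether that matters depends on which user the consumers run as, which is not visible here. The line `cho {{ ca_pem_base64['stdout'] }} …` drops the `e` of `echo`, so `ca.pem` is never written in this revision; PATCH 31/32 corrects it, so squashing the two would avoid a broken intermediate state. The comment typo `genereting` → `generating`.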
From ed929f7c82fbaa1412a238b76017c088202a7f3d Mon Sep 17 00:00:00 2001 From: thejsj Date: Fri, 24 Mar 2017 15:22:02 -0700 Subject: [PATCH 25/32] Update vault port --- ansible/group_vars/all.yml | 2 +- ansible/group_vars/alpha-vault.yml | 2 +- ansible/vault-values.yml | 16 ++++++++-------- ansible/vault.yml | 4 ++-- 4 files changed, 12 insertions(+), 12 deletions(-) diff --git a/ansible/group_vars/all.yml b/ansible/group_vars/all.yml index 0d8b7522..1501730a 100644 --- a/ansible/group_vars/all.yml +++ b/ansible/group_vars/all.yml @@ -208,7 +208,7 @@ navi_mongo_port: 27017 npm_token: c76363e9-78e0-4667-82ac-e2ac01efcfe2 # remote vault -vault_port: 65240 +vault_port: 8200 # local-vault vault_local_port: 31836 diff --git a/ansible/group_vars/alpha-vault.yml b/ansible/group_vars/alpha-vault.yml index 3d1f8c45..4d4faa4c 100644 --- a/ansible/group_vars/alpha-vault.yml +++ b/ansible/group_vars/alpha-vault.yml @@ -13,7 +13,7 @@ container_run_opts: > -v /opt/vault/client-consul:/opt/vault/client-consul:ro -v /opt/vault/server:/opt/vault/server:ro -v {{ app_log_dir }}:{{ app_log_dir }}:rw - -p {{ ansible_default_ipv4.address }}:8200:8200 + -p {{ ansible_default_ipv4.address }}:{{ vault_port }}:{{ vault_port }} -p {{ ansible_default_ipv4.address }}:8201:8201 --cap-add IPC_LOCK --restart=always diff --git a/ansible/vault-values.yml b/ansible/vault-values.yml index d856017e..5d8a063e 100644 --- a/ansible/vault-values.yml +++ b/ansible/vault-values.yml @@ -13,7 +13,7 @@ when: write_values is defined uri: method=PUT - url=http://{{ ansible_default_ipv4.address }}:8200/v1/{{ item.key }} + url=http://{{ ansible_default_ipv4.address }}:{{ vault_port }}/v1/{{ item.key }} HEADER_X-Vault-Token="{{ vault_auth_token }}" body_format=json body='{{ item.data | to_json }}' 
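Review bot: In the `alpha-vault.yml` hunk the API port is now `{{ vault_port }}` but the cluster port on the next context line stays hard-coded as `-p {{ ansible_default_ipv4.address }}:8201:8201`; Vault's cluster port conventionally follows the API port, so a future change to `vault_port` would desync the two. Consider `-p {{ ansible_default_ipv4.address }}:{{ vault_port + 1 }}:{{ vault_port + 1 }}` or a dedicated `vault_cluster_port` declared next to `vault_port` in `all.yml`. Moving from `65240` to the well-known default `8200` does not change exposure by itself, so the security group or host firewall on the vault host is what should be limiting who can reach that port — worth confirming as part of this change.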
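Review bot: Every rewritten `url=` line in `vault-values.yml` and `vault.yml` still uses `http://` with the root token in `HEADER_X-Vault-Token`, so the token crosses the host's interface in cleartext; the target is `ansible_default_ipv4.address`, i.e. the vault host itself, so the traffic presumably stays on-box, but it also implies the listener is plain HTTP — a comment stating that is intentional, or a switch to `https://` with `validate_certs`, would make the choice explicit. While these lines are being touched, `HEADER_X-Vault-Token=` is the deprecated form; a `headers:` mapping with `X-Vault-Token: "{{ vault_auth_token }}"` is the current one. The same applies to the remaining hunks in `vault-values.yml` and both hunks in `vault.yml`.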
@@ -25,7 +25,7 @@ when: write_values is defined uri: method=GET - url=http://{{ ansible_default_ipv4.address }}:8200/v1/sys/mounts + url=http://{{ ansible_default_ipv4.address }}:{{ vault_port }}/v1/sys/mounts HEADER_X-Vault-Token="{{ vault_auth_token }}" return_content=yes register: mounts @@ -36,7 +36,7 @@ uri: method=POST follow_redirects=all - url=http://{{ ansible_default_ipv4.address }}:8200/v1/sys/mounts/aws_1h + url=http://{{ ansible_default_ipv4.address }}:{{ vault_port }}/v1/sys/mounts/aws_1h HEADER_X-Vault-Token="{{ vault_auth_token }}" body_format=json body='{{ item | to_json }}' @@ -53,7 +53,7 @@ uri: method=POST follow_redirects=all - url=http://{{ ansible_default_ipv4.address }}:8200/v1/sys/mounts/aws_1yr + url=http://{{ ansible_default_ipv4.address }}:{{ vault_port }}/v1/sys/mounts/aws_1yr HEADER_X-Vault-Token="{{ vault_auth_token }}" body_format=json body='{{ item | to_json }}' @@ -70,7 +70,7 @@ uri: method=POST follow_redirects=all - url=http://{{ ansible_default_ipv4.address }}:8200/v1/aws_1h/config/root + url=http://{{ ansible_default_ipv4.address }}:{{ vault_port }}/v1/aws_1h/config/root HEADER_X-Vault-Token="{{ vault_auth_token }}" body_format=json body='{{ item | to_json }}' @@ -87,7 +87,7 @@ uri: method=POST follow_redirects=all - url=http://{{ ansible_default_ipv4.address }}:8200/v1/aws_1yr/config/root + url=http://{{ ansible_default_ipv4.address }}:{{ vault_port }}/v1/aws_1yr/config/root HEADER_X-Vault-Token="{{ vault_auth_token }}" body_format=json body='{{ item | to_json }}' @@ -104,7 +104,7 @@ uri: method=GET follow_redirects=all - url=http://{{ ansible_default_ipv4.address }}:8200/v1/aws_1h/roles/dock-init + url=http://{{ ansible_default_ipv4.address }}:{{ vault_port }}/v1/aws_1h/roles/dock-init HEADER_X-Vault-Token="{{ vault_auth_token }}" status_code=200,404 register: role 
@@ -115,7 +115,7 @@ uri: method=POST follow_redirects=all - url=http://{{ ansible_default_ipv4.address }}:8200/v1/aws_1h/roles/dock-init + url=http://{{ ansible_default_ipv4.address }}:{{ vault_port }}/v1/aws_1h/roles/dock-init HEADER_X-Vault-Token="{{ vault_auth_token }}" body_format=json body='{{ item | to_json | replace("\\\\", "") }}' diff --git a/ansible/vault.yml b/ansible/vault.yml index fe9b3357..c0c5a4f2 100644 --- a/ansible/vault.yml +++ b/ansible/vault.yml @@ -13,7 +13,7 @@ tags: [ deploy ] uri: method=GET - url=http://{{ ansible_default_ipv4.address }}:8200/v1/sys/seal-status + url=http://{{ ansible_default_ipv4.address }}:{{ vault_port }}/v1/sys/seal-status HEADER_X-Vault-Token="{{ vault_auth_token }}" return_content=yes register: seal_status @@ -23,7 +23,7 @@ when: seal_status.json.sealed uri: method=PUT - url=http://{{ ansible_default_ipv4.address }}:8200/v1/sys/unseal + url=http://{{ ansible_default_ipv4.address }}:{{ vault_port }}/v1/sys/unseal HEADER_X-Vault-Token="{{ vault_auth_token }}" body_format=json body='{{ item | to_json }}' From df930de7e9eb5270afa138fbe40b12e0d2f5fcc5 Mon Sep 17 00:00:00 2001 From: thejsj Date: Fri, 24 Mar 2017 15:27:19 -0700 Subject: [PATCH 26/32] Add user-local to delta --- ansible/delta-hosts/hosts | 4 ++++ ansible/gamma-hosts/hosts | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/ansible/delta-hosts/hosts b/ansible/delta-hosts/hosts index c18acb2a..556368bf 100644 --- a/ansible/delta-hosts/hosts +++ b/ansible/delta-hosts/hosts @@ -1,6 +1,9 @@ [bastion] delta-bastion +[user-local] +127.0.0.1 + [hipache] delta-hipache httpsCheckForBackend80=false prependIncomingPort=true subDomainDepth=4 @@ -172,6 +175,7 @@ shiva socket-server socket-server-proxy swarm-manager +user-local userland web worker diff --git a/ansible/gamma-hosts/hosts b/ansible/gamma-hosts/hosts index 6f702f0b..9d569e3d 100644 --- a/ansible/gamma-hosts/hosts +++ b/ansible/gamma-hosts/hosts 
@@ -140,7 +140,6 @@ gamma-app-services gamma-dock-services [gamma:children] -user-local agreeable-egret api arithmancy @@ -175,6 +174,7 @@ socket-server socket-server-proxy swarm-manager userland +user-local web worker From 23dda55d8db4be1f203b6f8b48e14e2a4fce34d9 Mon Sep 17 00:00:00 2001 From: thejsj Date: Fri, 24 Mar 2017 17:27:12 -0700 Subject: [PATCH 27/32] Fix host addresses. Remove NODE_ENV from krain (default). Change location of paths --- ansible/dock-generate-launch-config.yml | 9 +++------ ansible/group_vars/alpha-krain.yml | 1 - ansible/roles/dock_launch_config/tasks/main.yml | 6 +++--- ansible/roles/dock_launch_config/templates/init.tmpl | 4 ++-- 4 files changed, 8 insertions(+), 12 deletions(-) diff --git a/ansible/dock-generate-launch-config.yml b/ansible/dock-generate-launch-config.yml index b7663328..89603148 100644 --- a/ansible/dock-generate-launch-config.yml +++ b/ansible/dock-generate-launch-config.yml @@ -1,11 +1,8 @@ --- +- hosts: redis +- hosts: consul + - hosts: user-local connection: local - tasks: - - fail: msg="`dock` (target dock) needs to be defined to run this role" - when: dock is not defined - - add_host: - name={{ dock }} - groups=dock roles: - { role: dock_launch_config } diff --git a/ansible/group_vars/alpha-krain.yml b/ansible/group_vars/alpha-krain.yml index 285fb62d..454c1792 100644 --- a/ansible/group_vars/alpha-krain.yml +++ b/ansible/group_vars/alpha-krain.yml @@ -6,7 +6,6 @@ krain_env: default # upstart template variables app_name: krain app_repo: git@github.com:CodeNow/krain.git -node_env: "{{ krain_env }}" enviroment_vars: {} diff --git a/ansible/roles/dock_launch_config/tasks/main.yml b/ansible/roles/dock_launch_config/tasks/main.yml index 4bf36c5f..c8276e79 100644 --- a/ansible/roles/dock_launch_config/tasks/main.yml +++ b/ansible/roles/dock_launch_config/tasks/main.yml 
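Review bot: `- hosts: redis` and `- hosts: consul` in `dock-generate-launch-config.yml` are plays with no tasks, which only makes sense if they exist to gather facts for those hosts before the `user-local` play renders the launch config; that intent should be stated, e.g. `# fact-gathering only: dock_launch_config templates reference consul/redis host facts`, and writing them with explicit `gather_facts: true` and `tasks: []` keeps a future cleanup from deleting them as dead plays. Dropping the `fail`/`add_host` guard is consistent with the role no longer targeting `{{ dock }}`, so no concern there.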
@@ -44,15 +44,15 @@ - { file_name: 'token-03', value: "{{ vault_token_03 }}" } - name: encode ca.pem to base64 - shell: cat ./roles/docker_client/scripts/ca.pem | base64 -w 0 + shell: cat ./certs/ca.pem | base64 -w 0 register: ca_pem_base64 - name: encode ca-key.pem to base64 - shell: cat ./roles/docker_client/scripts/ca-key.pem | base64 -w 0 + shell: cat ./certs/ca-key.pem | base64 -w 0 register: ca_key_pem_base64 - name: encode pass to base64 - shell: cat ./roles/docker_client/scripts/pass | base64 -w 0 + shell: cat ./certs/pass | base64 -w 0 register: pass_base64 - name: Generate dock script diff --git a/ansible/roles/dock_launch_config/templates/init.tmpl b/ansible/roles/dock_launch_config/templates/init.tmpl index 5e5b09cf..95a7b37b 100644 --- a/ansible/roles/dock_launch_config/templates/init.tmpl +++ b/ansible/roles/dock_launch_config/templates/init.tmpl @@ -2,7 +2,7 @@ # Set ENV files export CONSUL_PORT={{ consul_https_port }} -export CONSUL_HOSTNAME={{ groups['consul'][0] }} +export CONSUL_HOSTNAME={{ consul_host_address }} export VAULT_PORT={{ vault_port }} # Create directory for env @@ -34,5 +34,5 @@ start amazon-ssm-agent service krain start service charon start {% if not is_dock_pool %} -CONSUL_HOSTNAME={{ groups['consul'][0] }} CONSUL_PORT={{ consul_https_port }} VAULT_PORT={{ vault_port }} bash /opt/runnable/dock-init/init.sh | tee /var/log/user-script-dock-init.log +CONSUL_HOSTNAME={{ consul_host_address }} CONSUL_PORT={{ consul_https_port }} VAULT_PORT={{ vault_port }} bash /opt/runnable/dock-init/init.sh | tee /var/log/user-script-dock-init.log {% endif %} From 6d1855451b2a2ef46603f95441e24b9c5d968017 Mon Sep 17 00:00:00 2001 From: thejsj Date: Fri, 24 Mar 2017 17:51:13 -0700 Subject: [PATCH 28/32] Change image inspect list. Change author --- ansible/group_vars/alpha-docker-listener.yml | 2 +- ansible/roles/dock_launch_config/templates/upstart.conf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
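Review bot: The `shell: cat ./certs/ca-key.pem` and `./certs/pass` lines move the CA private key and its passphrase into `ansible/certs/` alongside the playbooks; nothing in this series shows that directory being excluded from VCS or sourced from a secret store, so confirm it is in `.gitignore` (or the files are ansible-vault encrypted) before this lands — the previous location under `roles/docker_client/scripts/` had the same exposure. A one-line comment above the first task, `# ./certs/ holds the CA key and passphrase: never commit them; canonical copy lives in <SECRET_STORE_LOCATION>`, would make the expectation explicit (placeholder to be filled in).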
diff --git a/ansible/group_vars/alpha-docker-listener.yml b/ansible/group_vars/alpha-docker-listener.yml index 3593d623..8ef1192e 100644 --- a/ansible/group_vars/alpha-docker-listener.yml +++ b/ansible/group_vars/alpha-docker-listener.yml @@ -13,7 +13,7 @@ container_envs: > -e DATADOG_HOST={{ datadog_host_address }} -e DATADOG_PORT={{ datadog_port }} -e DOCKER_CERT_PATH=/etc/ssl/docker - -e IMAGE_INSPECT_LIST=localhost,registry.runnable.com,runnable + -e IMAGE_INSPECT_LIST=localhost,runnable/image-builder -e LOGGLY_TOKEN={{ loggly_token }} -e NODE_ENV={{ node_env }} -e RABBITMQ_HOSTNAME={{ rabbit_host_address }} diff --git a/ansible/roles/dock_launch_config/templates/upstart.conf b/ansible/roles/dock_launch_config/templates/upstart.conf index 7fac67c5..38e0e7ad 100644 --- a/ansible/roles/dock_launch_config/templates/upstart.conf +++ b/ansible/roles/dock_launch_config/templates/upstart.conf @@ -1,6 +1,6 @@ #!upstart description "{{ app_name }}" -author "Anandkumar Patel" +author "Jorge Silva" env NPM_BIN=/usr/local/bin/npm env APP_DIR=/opt/runnable/{{ app_name }} From be0ec5f3783922bf714ee76379e580841efd10c0 Mon Sep 17 00:00:00 2001 From: thejsj Date: Tue, 4 Apr 2017 13:01:45 -0700 Subject: [PATCH 29/32] Re-add restart docker --- ansible/roles/docker/tasks/main.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/ansible/roles/docker/tasks/main.yml b/ansible/roles/docker/tasks/main.yml index 3eaa82d8..427a7877 100644 --- a/ansible/roles/docker/tasks/main.yml +++ b/ansible/roles/docker/tasks/main.yml @@ -99,6 +99,10 @@ group=root mode=0755 +- name: restart docker + when: (copied_config.changed and restart is defined) or dock is defined + command: sudo service docker restart + - name: create docker group become: true group: From e56c2570a2f84218eb5f579518e922d3a9f33f8e Mon Sep 17 00:00:00 2001 
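Review bot: The re-added task in `docker/tasks/main.yml` uses `command: sudo service docker restart` while the surrounding tasks in this file use `become: true` (see the `create docker group` context lines), so privilege escalation here bypasses Ansible's become configuration and quietly requires passwordless sudo for the remote user. Prefer `become: true` with `service: name=docker state=restarted`, which is also a candidate for a handler instead of an unconditional `changed`. The `when:` clause reads `copied_config.changed`; if the registering task is excluded by tags, `copied_config` is undefined and the condition errors — `when: (copied_config is defined and copied_config.changed and restart is defined) or dock is defined` guards it.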
From: thejsj Date: Thu, 6 Apr 2017 14:02:26 -0700 Subject: [PATCH 30/32] Change port to consul_api_port --- ansible/roles/dock_launch_config/templates/init.tmpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible/roles/dock_launch_config/templates/init.tmpl b/ansible/roles/dock_launch_config/templates/init.tmpl index 95a7b37b..59efa459 100644 --- a/ansible/roles/dock_launch_config/templates/init.tmpl +++ b/ansible/roles/dock_launch_config/templates/init.tmpl @@ -1,7 +1,7 @@ #!/bin/bash # Set ENV files -export CONSUL_PORT={{ consul_https_port }} +export CONSUL_PORT={{ consul_api_port }} export CONSUL_HOSTNAME={{ consul_host_address }} export VAULT_PORT={{ vault_port }} From d2b5e7b80f09d11dfa0a200004abf21dc3b988e9 Mon Sep 17 00:00:00 2001 From: thejsj Date: Thu, 6 Apr 2017 21:31:18 -0700 Subject: [PATCH 31/32] Fix api port and echo in launch config --- ansible/roles/dock_launch_config/templates/init.tmpl | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ansible/roles/dock_launch_config/templates/init.tmpl b/ansible/roles/dock_launch_config/templates/init.tmpl index 59efa459..550a9f83 100644 --- a/ansible/roles/dock_launch_config/templates/init.tmpl +++ b/ansible/roles/dock_launch_config/templates/init.tmpl @@ -22,7 +22,7 @@ echo {{ charon_base64['stdout'] }} | base64 --decode > /etc/init/charon.conf # Add Certs (Used for genereting Docker client keys + certs) mkdir -p /etc/ssl/docker/ -cho {{ ca_pem_base64['stdout'] }} | base64 --decode > /etc/ssl/docker/ca.pem +echo {{ ca_pem_base64['stdout'] }} | base64 --decode > /etc/ssl/docker/ca.pem echo {{ ca_key_pem_base64['stdout'] }} | base64 --decode > /etc/ssl/docker/ca-key.pem echo {{ pass_base64['stdout'] }} | base64 --decode > /etc/ssl/docker/pass chmod -R 0440 /etc/ssl/docker/ 
@@ -34,5 +34,5 @@ start amazon-ssm-agent service krain start service charon start {% if not is_dock_pool %} -CONSUL_HOSTNAME={{ consul_host_address }} CONSUL_PORT={{ consul_https_port }} VAULT_PORT={{ vault_port }} bash /opt/runnable/dock-init/init.sh | tee /var/log/user-script-dock-init.log +CONSUL_HOSTNAME={{ consul_host_address }} CONSUL_PORT={{ consul_api_port }} VAULT_PORT={{ vault_port }} bash /opt/runnable/dock-init/init.sh | tee /var/log/user-script-dock-init.log {% endif %} From e632e45a67183cdef49f689b49df86e42d2aaee6 Mon Sep 17 00:00:00 2001 From: thejsj Date: Fri, 7 Apr 2017 13:40:17 -0700 Subject: [PATCH 32/32] Re-add image-builder. Change order for Docker startups purposes. Tag image-builder twice Had a problem with starting up Docker and having it use the config with the keys vs it not using it, so change the order for this in order for the first part to use insecure docker for pulling images and then switch to docker with certs + keys. --- ansible/dock.yml | 8 +++++--- ansible/roles/image-builder/tasks/main.yml | 8 +++++++- 2 files changed, 12 insertions(+), 4 deletions(-) diff --git a/ansible/dock.yml b/ansible/dock.yml index 5995ef5f..bc3daba9 100644 --- a/ansible/dock.yml +++ b/ansible/dock.yml @@ -11,9 +11,7 @@ name={{ dock }} groups=dock -- include: charon.yml git_branch="v5.0.1" -- include: dock-init.yml git_branch="v10.1.2" -- include: krain.yml git_branch="v0.3.1" +- include: image-builder.yml git_branch="v4.3.0" - hosts: "{{ dock }}" tasks: @@ -28,3 +26,7 @@ roles: - { role: install-ssm } - { role: dock-images } + +- include: charon.yml git_branch="v5.0.1" +- include: dock-init.yml git_branch="v10.1.2" +- include: krain.yml git_branch="v0.3.1" diff --git a/ansible/roles/image-builder/tasks/main.yml b/ansible/roles/image-builder/tasks/main.yml index 4dfaa182..1a29a3aa 100644 --- a/ansible/roles/image-builder/tasks/main.yml +++ b/ansible/roles/image-builder/tasks/main.yml 
@@ -7,4 +7,10 @@ - name: build the image-builder tags: deploy - command: sudo docker build --no-cache --tag="{{ image_builder_docker_namespace }}:{{ git_branch }}" /opt/runnable/image-builder + become: true + command: docker build --no-cache --tag="{{ image_builder_docker_namespace }}:{{ git_branch }}" /opt/runnable/image-builder + +- name: tag the image-builder with registry.runnable.com + tags: deploy + become: true + command: docker tag {{ image_builder_docker_namespace }}:{{ git_branch }} registry.runnable.com/{{ image_builder_docker_namespace }}:{{ git_branch }}
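Review bot: The new `tag the image-builder with registry.runnable.com` task re-introduces the `registry.runnable.com/` image name that PATCH 02/32 removed from the pull list and `/etc/hosts`, and the commit message only says the double tag is needed for Docker startup ordering; a comment on the task naming which consumer still resolves images by that name (`# kept because <consumer> still references registry.runnable.com/… ; remove once <TRACKING_ISSUE> lands`, placeholders to be filled) would stop the next cleanup from deleting it. Both `command` tasks report `changed` on every run; `docker tag` is idempotent, so add `changed_when: false` to the tag task. The enclosing task list starts before this hunk.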