-
Notifications
You must be signed in to change notification settings - Fork 6
/
Copy pathsetup-appliance
136 lines (113 loc) · 4.53 KB
/
setup-appliance
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
#!/bin/bash -e
#
# Copyright 2022 Carnegie Mellon University.
# Released under a BSD (SEI)-style license, please see LICENSE.md in the
# project root or contact permission@sei.cmu.edu for full terms.
#
# Foundry Appliance Setup
#
echo "$APPLIANCE_VERSION" > /etc/appliance_version
# Expand LVM volume to use full drive capacity
~/foundry/scripts/expand-volume
# Disable swap for Kubernetes
swapoff -a
sed -i -r 's/(\/swap\.img.*)/#\1/' /etc/fstab
# Add new repositories and upgrade existing Ubuntu packages
## Add Kubernetes Apt Repo
apt-get update
apt-get install -y apt-transport-https ca-certificates curl
curl -fsSL https://pkgs.k8s.io/core:/stable:/v1.28/deb/Release.key | gpg --dearmor -o /etc/apt/keyrings/kubernetes-apt-keyring.gpg
echo 'deb [signed-by=/etc/apt/keyrings/kubernetes-apt-keyring.gpg] https://pkgs.k8s.io/core:/stable:/v1.28/deb/ /' | sudo tee /etc/apt/sources.list.d/kubernetes.list
## Add Helm Apt Repo
curl https://baltocdn.com/helm/signing.asc | gpg --dearmor | sudo tee /usr/share/keyrings/helm.gpg > /dev/null
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/helm.gpg] https://baltocdn.com/helm/stable/debian/ all main" | sudo tee /etc/apt/sources.list.d/helm-stable-debian.list
## Update and Upgrade
apt-get update
apt-get full-upgrade -y
# Stop multipathd errors in syslog
cat <<EOF >> /etc/multipath.conf
blacklist {
devnode "sda$"
}
EOF
systemctl restart multipathd
# Add dnsmasq resolver and other required packages
PRIMARY_INTERFACE=$(ip -o -4 route show to default | awk '{print $5}')
mkdir /etc/dnsmasq.d
cat <<EOF > /etc/dnsmasq.d/foundry.conf
bind-interfaces
listen-address=10.0.1.1
interface-name=foundry.local,$PRIMARY_INTERFACE
EOF
cat <<EOF > /etc/netplan/01-loopback.yaml
# Add loopback address for pods to use dnsmasq as upstream resolver
network:
version: 2
ethernets:
lo:
match:
name: lo
addresses:
- 127.0.0.1/8:
label: lo
- 10.0.1.1/32:
label: lo:host-access
- ::1/128
EOF
netplan apply
apt-get install -y dnsmasq avahi-daemon jq nfs-common sshpass kubectl helm pwgen build-essential
# Install VirtualBox Guest Additions
if [ -f ~/VBoxGuestAdditions.iso ]; then
mount -o loop ~/VBoxGuestAdditions.iso /mnt
/mnt/VBoxLinuxAdditions.run
umount /mnt
rm ~/VBoxGuestAdditions.iso
fi
# Install k3s
mkdir -p /etc/rancher/k3s
echo "nameserver 10.0.1.1" >> /etc/rancher/k3s/resolv.conf
curl -sfL https://get.k3s.io | INSTALL_K3S_VERSION="v1.28.10+k3s1" INSTALL_K3S_EXEC="--disable traefik --resolv-conf /etc/rancher/k3s/resolv.conf" sh -
sudo -u $SSH_USERNAME mkdir ~/.kube
cp /etc/rancher/k3s/k3s.yaml ~/.kube/config
sed -i 's/default/foundry/g' ~/.kube/config
chown $SSH_USERNAME:$SSH_USERNAME ~/.kube/config
# Install CFSSL for certificate generation
curl -sLo /usr/local/bin/cfssl https://github.com/cloudflare/cfssl/releases/download/v1.6.3/cfssl_1.6.3_linux_amd64
curl -sLo /usr/local/bin/cfssljson https://github.com/cloudflare/cfssl/releases/download/v1.6.3/cfssljson_1.6.3_linux_amd64
chmod +x /usr/local/bin/cfssl*
# Install k-alias Kubernetes helper scripts
sudo -u $SSH_USERNAME git clone https://github.com/jaggedmountain/k-alias.git
(cd /usr/local/bin && ln -s ~/k-alias/[h,k]* .)
# Customize MOTD and other text for the appliance
chmod -x /etc/update-motd.d/00-header
chmod -x /etc/update-motd.d/10-help-text
sed -i -r 's/(ENABLED=)1/\10/' /etc/default/motd-news
cp ~/foundry/scripts/display-banner /etc/update-motd.d/05-display-banner
rm ~/foundry/scripts/display-banner
sed -i "s/{version}/$APPLIANCE_VERSION/" ~/mkdocs/docs/index.md
echo -e "Foundry Appliance $APPLIANCE_VERSION \\\n \l \n" > /etc/issue
# Create systemd service to configure netplan primary interface
mv /home/foundry/foundry/scripts/configure-nic /usr/local/bin
cat <<EOF > /etc/systemd/system/configure-nic.service
[Unit]
Description=Configure Netplan primary Ethernet interface
After=network.target
Before=k3s.service
[Service]
Type=oneshot
ExecStart=configure-nic
[Install]
WantedBy=multi-user.target
EOF
systemctl enable configure-nic
# Generate SSH key
sudo -u $SSH_USERNAME ssh-keygen -t rsa -f ~/.ssh/id_rsa -q -N ''
# Generate CA and host certificates
sudo -u $SSH_USERNAME ~/foundry/certs/generate-certs -loglevel 3
# Add newly generated CA certificate to trusted roots
cp ~/foundry/certs/root-ca.pem /usr/local/share/ca-certificates/foundry-appliance-root-ca.crt
update-ca-certificates
# Restart mDNS daemon to avoid conflict with other hosts
systemctl restart avahi-daemon
# Delete Ubuntu machine ID for proper DHCP operation on deploy
echo -n > /etc/machine-id