feat(research): Create staging-1 server with auto wiping database #1530
@@ -0,0 +1,7 @@ | ||
--- | ||
version: "3" | ||
|
||
services: | ||
pg: | ||
environment: | ||
- PGA_SYSTEM_ID=staging |
@@ -0,0 +1,6 @@ | ||
#!/usr/bin/env bash | ||
apt update | ||
apt install -y postgresql-client | ||
Comment on lines
+2
to
+3
Where are these commands run?
They run inside the container that is going to be affected. Since we're running everything on Debian (Rust's default Docker images use it as a base) this is safe, but it does feel a bit hackish.
||
# TODO(victor): At some point we need to start managing the db credentials as secrets | ||
export PGPASSWORD="bugbear" | ||
psql -U si -d si -h postgres -c " DROP SCHEMA public CASCADE; CREATE SCHEMA public;" |
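Review bot: The `DROP SCHEMA public CASCADE` on the last line runs with no safeguard that the target really is the staging database, and nothing stops execution when an earlier step fails because the script has no `set -euo pipefail` after the shebang. Add that line, and gate the destructive statement on an explicit staging marker — the compose override sets `PGA_SYSTEM_ID=staging` on the `pg` service, so if that variable is visible where this script runs (the thread says it runs inside the affected container, which is not shown here) a guard such as `[ "${PGA_SYSTEM_ID:-}" = "staging" ] || { echo "refusing: not a staging database" >&2; exit 1; }` would prevent a wipe of the wrong instance. The hard-coded `PGPASSWORD` is already covered by the TODO; note that the butane hunk later in this PR installs the script with `mode: 0755`, so the credential is readable by every local account on the host until it becomes a secret, and `0700` would narrow that in the meantime. `apt update && apt install` also pulls from the network on every reset; running it only when `psql` is absent (`command -v psql >/dev/null || { apt update; apt install -y postgresql-client; }`) keeps the reset working offline once the image has the client.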
@@ -0,0 +1,12 @@ | ||
module dockersock 1.0; | ||
|
||
require { | ||
type docker_var_run_t; | ||
type docker_t; | ||
type svirt_lxc_net_t; | ||
class sock_file write; | ||
class unix_stream_socket connectto; | ||
} | ||
|
||
allow svirt_lxc_net_t docker_t:unix_stream_socket connectto; | ||
allow svirt_lxc_net_t docker_var_run_t:sock_file write; |
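Review bot: The two `allow` rules on the last lines grant connect and write access to the Docker control socket to the entire `svirt_lxc_net_t` domain — the domain containers are confined to by default (aliased to `container_t` in container-selinux) — not just to the watchtower container this module exists for, and access to that socket is equivalent to root on the host, so a compromise of any container on the staging host now escalates to the host. Consider running watchtower under a dedicated type so only that container receives the rule, or at minimum document the decision in a module header: `# Grants every container in svirt_lxc_net_t access to /var/run/docker.sock so watchtower can pull updates; this is host-root-equivalent for all containers and is accepted only on the staging host.` The butane hunk installs a committed compiled blob, `research/staging_host/dockersock.pp`, rather than building from this `.te`; compiling it in the install unit with `checkmodule` and `semodule_package` would keep the reviewed source and the loaded policy in sync.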
@@ -0,0 +1,2 @@ | ||
FROM nginx:stable | ||
COPY index.html /usr/share/nginx/html/ |
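Review bot: `FROM nginx:stable` is a floating tag, so the test image is not reproducible and its contents change whenever upstream republishes the tag; pin a specific version tag or a digest, e.g. `FROM nginx:stable@sha256:<digest>` (placeholder — take the digest from the registry at build time). Since this image only serves a static page, a smaller base such as `nginx:stable-alpine` would also trim the image, but pinning is the important part for a deployment that auto-updates containers.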
@@ -0,0 +1,7 @@ | ||
<html lang="en"> | ||
<head><title>SI Test Image</title></head> | ||
<body> | ||
<h1>System Initiative Test Image</h1> | ||
<i>V0.0.0</i> | ||
</body> | ||
</html> |
@@ -0,0 +1,26 @@ | ||
# This file controls the state of SELinux on the system. | ||
# SELINUX=disabled # can take one of these three values: | ||
# enforcing - SELinux security policy is enforced. | ||
# permissive - SELinux prints warnings instead of enforcing. | ||
# disabled - No SELinux policy is loaded. | ||
# See also: | ||
# https://docs.fedoraproject.org/en-US/quick-docs/getting-started-with-selinux/#getting-started-with-selinux-selinux-states-and-modes | ||
# | ||
# NOTE: In earlier Fedora kernel builds, SELINUX=disabled #disabled would also | ||
# fully disable SELinux during boot. If you need a system with SELinux | ||
# fully disabled instead of SELinux running with no policy loaded, you | ||
# need to pass selinux=0 to the kernel command line. You can use grubby | ||
# to persistently set the bootloader to boot with selinux=0: | ||
# | ||
# grubby --update-kernel ALL --args selinux=0 | ||
# | ||
# To revert back to SELinux enabled: | ||
# | ||
# grubby --update-kernel ALL --remove-args selinux | ||
# | ||
SELINUX=disabled | ||
# SELINUXTYPE= can take one of these three values: | ||
# targeted - Targeted processes are protected, | ||
# minimum - Modification of targeted policy. Only selected processes are protected. | ||
# mls - Multi Level Security protection. | ||
SELINUXTYPE=targeted |
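Review bot: This file sets `SELINUX=disabled`, but the butane entry that would install it to `/etc/selinux/config` is commented out and its comment offers "or make a new policy" as the alternative — which is exactly what `dockersock.pp` now provides — so the file is dead configuration whose only effect, should someone uncomment those four lines, is to turn off mandatory access control on the host. Recommend dropping the file (and the commented block) in this PR; if it is kept as a documented escape hatch, say so at the top: `# NOT INSTALLED: fallback only. The supported path is the dockersock SELinux module; installing this file disables SELinux on the host.` The stock comment lines at +2 and +9 were also mangled by whatever replaced the setting (`SELINUX=disabled # can take one of these three values:`, `SELINUX=disabled #disabled would also`), presumably a search-and-replace on `SELINUX=`; restoring the original `# SELINUX= can take one of these three values:` wording avoids misleading readers.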
|
@@ -6,6 +6,15 @@ storage: | |
- path: /etc/hostname | ||
contents: | ||
inline: staging-1 | ||
- path: /opt/dockersock.pp | ||
mode: 0755 | ||
contents: | ||
local: research/staging_host/dockersock.pp | ||
# We need to disable SELINUX (or make a new policy) so that watchtower can get credentials to dockerhub | ||
# - path: /etc/selinux/config | ||
# mode: 0644 | ||
# contents: | ||
# local: research/staging_host/selinux.conf | ||
- path: /usr/local/bin/docker-auth.sh | ||
mode: 0755 | ||
contents: | ||
|
@@ -22,6 +31,10 @@ storage: | |
mode: 0755 | ||
contents: | ||
local: deploy/scripts/gateway.sh | ||
- path: /opt/deploy/scripts/reset-database.sh | ||
mode: 0755 | ||
contents: | ||
local: deploy/scripts/reset-database.sh | ||
- path: /opt/deploy/docker-compose.yml | ||
contents: | ||
local: deploy/docker-compose.yml | ||
|
@@ -31,12 +44,27 @@ storage: | |
- path: /opt/deploy/docker-compose.pganalyze.yml | ||
contents: | ||
local: deploy/docker-compose.pganalyze.yml | ||
- path: /opt/deploy/docker-compose.prod.yml | ||
- path: /opt/deploy/docker-compose.staging.yml | ||
contents: | ||
local: deploy/docker-compose.prod.yml | ||
local: deploy/docker-compose.staging.yml | ||
systemd: | ||
units: | ||
# installing aws-cli as a layered package with rpm-ostree | ||
- name: install-selinux-dockersock-policy.service | ||
enabled: true | ||
contents: | | ||
[Unit] | ||
Description=Install SELINUX Docker sock policy | ||
Wants=network-online.target | ||
After=network-online.target | ||
|
||
[Service] | ||
Type=oneshot | ||
RemainAfterExit=yes | ||
WorkingDirectory=/opt | ||
ExecStart=semodule -i dockersock.pp | ||
|
||
[Install] | ||
WantedBy=multi-user.target | ||
- name: layer-awscli.service | ||
enabled: true | ||
contents: | | ||
|
@@ -55,6 +83,28 @@ systemd: | |
RemainAfterExit=yes | ||
ExecStart=/usr/bin/rpm-ostree install --apply-live --allow-inactive --idempotent awscli | ||
|
||
[Install] | ||
WantedBy=multi-user.target | ||
# Note(victor): This is not vital but is necessary. I will not be taking questions at this time. | ||
- name: layer-vim.service | ||
enabled: true | ||
contents: | | ||
[Unit] | ||
Description=Install Vim | ||
Wants=network-online.target | ||
After=network-online.target | ||
|
||
# We run before `zincati.service` to avoid conflicting rpm-ostree | ||
# transactions. - https://docs.fedoraproject.org/en-US/fedora-coreos/os-extensions/ | ||
After=layer-awscli.service | ||
Before=zincati.service | ||
|
||
|
||
[Service] | ||
Type=oneshot | ||
RemainAfterExit=yes | ||
ExecStart=/usr/bin/rpm-ostree install --apply-live --allow-inactive --idempotent vim | ||
Comment on lines
+88
to
+106
Jokes aside, there may be a "system packages" step that evolves from the groundwork here. For instance, we will likely eventually want toolbox on here so that we don't have to do this on the host.
This is very cool! I also feel like butane could make this simpler, but the task that tracks this isn't very active, sadly.
||
|
||
[Install] | ||
WantedBy=multi-user.target | ||
- name: layer-make.service | ||
|
@@ -65,7 +115,7 @@ systemd: | |
Wants=network-online.target | ||
After=network-online.target | ||
|
||
After=layer-awscli.service | ||
After=layer-vim.service | ||
Before=zincati.service | ||
|
||
|
||
|
@@ -148,30 +198,8 @@ systemd: | |
[Service] | ||
TimeoutStartSec=60s | ||
WorkingDirectory=/opt/deploy | ||
ExecStart=make prod-service | ||
ExecStartPre=-/usr/bin/docker-compose down | ||
ExecStart=make staging | ||
|
||
[Install] | ||
WantedBy=multi-user.target | ||
# - name: watchtower.service | ||
# enabled: true | ||
# contents: | | ||
# [Unit] | ||
# After=network-online.target | ||
# Wants=network-online.target | ||
# | ||
# After=deployment.service | ||
# Requires=deployment.service | ||
# | ||
# | ||
# [Service] | ||
# ExecStartPre=-/usr/bin/docker kill whiskers1 | ||
# ExecStartPre=-/usr/bin/docker rm whiskers1 | ||
# ExecStart=/usr/bin/docker run --name watchtower \ | ||
# -v /var/run/docker.sock:/var/run/docker.sock docker.io/containrrr/watchtower \ | ||
# -v /root/.docker/config.json:/config.json \ | ||
# --interval 30 --label-enable \ | ||
# containrrr/watchtower | ||
# | ||
# [Install] | ||
# WantedBy=multi-user.target | ||
|
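Review bot: In the first hunk `research/staging_host/dockersock.pp` is installed with `mode: 0755`, and in the second hunk `deploy/scripts/reset-database.sh` also gets `mode: 0755`; the policy package is data read by `semodule`, not an executable, so `0644` is sufficient, while the reset script embeds the database password and should not be world-readable — `0700` keeps the credential from every other local account until the secrets TODO is addressed (the deployment unit presumably runs it as root, so nothing else needs to read it). The comment above the commented-out `/etc/selinux/config` entry ("We need to disable SELINUX (or make a new policy)") is stale now that the policy exists; either delete the four commented lines or reword it to `# SELinux stays enabled; watchtower's access to the Docker socket is granted by /opt/dockersock.pp instead.` Minor: `ExecStart=semodule -i dockersock.pp` in `install-selinux-dockersock-policy.service` is the only ExecStart in this file without an absolute path (the others use `/usr/bin/...`); recent systemd resolves bare names via PATH, but `/usr/sbin/semodule` matches the file's convention and fails loudly if the tool is absent from the image.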
Three times the updates.