KAZ/kaz-vagrant
12
0
Fork 0
Code Issues Pull Requests Projects Releases 1 Wiki Activity

Compare commits

base: KAZ:v1.0.0
Branches Tags
KAZ:master
KAZ:v1.0.0
...
compare: KAZ:8fa15e33d329502eecaccd3c16ba8ece69eff838
Branches Tags
KAZ:master
KAZ:v1.0.0

15 Commits
v1.0.0 ... 8fa15e33d3

Author SHA1 Message Date
Francois Lesueur
8fa15e33d3 Merge branch 'master' into develop-snster 2023-03-05 18:48:22 +01:00
gael
3254d401a9 package unaccent utilisé par createUser.sh 2023-03-04 23:23:42 +01:00
Francois Lesueur
def800e181 rm customkaz dans prod 2023-03-02 17:07:01 +01:00
Francois Lesueur
aa3c77c29a cache docker + squid vm ou externe 2023-03-02 16:48:10 +01:00
Francois Lesueur
4c1e7bde33 plus de caches 2023-03-02 12:38:30 +01:00
Francois Lesueur
3974c20a84 update .gitignore 2023-03-02 12:37:32 +01:00
Francois Lesueur
e9ee502ae4 ajout doc proxy upstream 2023-03-02 10:49:20 +01:00
Francois Lesueur
8569a47c03 augmentation taille cache squid 2023-03-01 17:44:49 +01:00
Francois Lesueur
326f6d7871 typo sur le switch branch inutile 2023-03-01 15:41:10 +01:00
francois.lesueur
bdd7f98379 Merge pull request 'Migration de la VM vers SNSTER' (#1) from develop-snster into master 
Reviewed-on: #1
 2023-03-01 15:28:07 +01:00
Francois Lesueur
ba1737a1fa update doc 2023-03-01 15:14:33 +01:00
Francois Lesueur
a878cbd4f2 customvm 2023-03-01 15:11:01 +01:00
Francois Lesueur
63bb4d160f repassage à un vagrantfile, suppr init.sh 2023-03-01 15:01:55 +01:00
Francois Lesueur
f9b16207d8 passage à squid, de la VM aux dockers 2023-03-01 14:55:48 +01:00
Francois Lesueur
75a4b60f57 apt-cacher in the VM, used during provision then by snster 2023-02-10 15:37:54 +01:00
8 changed files with 242 additions and 372 deletions
Expand all files Collapse all files

4
.gitignore vendored
View File

@ -1,10 +1,12 @@
.apt-mirror-config .apt-mirror-config
.customDocker.sh .customDocker.sh
.customVM.sh
.proxy-config .proxy-config
.vagrant .vagrant
DEADJOE DEADJOE
Vagrantfile
/files/log /files/log
/files/kaz/download /files/kaz/download
/files/kaz/git /files/kaz/git
/files/kaz/log /files/kaz/log
/files/customVM.sh
/files/snster-kaz/kaz/prod/customKaz.sh

67
README.md
View File

@ -20,10 +20,6 @@ Nous utilisons :
Vous avez besoin de [vagrant](https://www.vagrantup.com/), [VirtualBox](https://www.virtualbox.org/) et éventuellement git. Vous avez besoin de [vagrant](https://www.vagrantup.com/), [VirtualBox](https://www.virtualbox.org/) et éventuellement git.
UDP/53 ne doit pas être filtré depuis votre poste (par un firewall d'entreprise par exemple). Pour tester:
```bash
# dig @80.67.169.12 www.kaz.bzh
```
## Installation ## Installation
@ -32,39 +28,17 @@ UDP/53 ne doit pas être filtré depuis votre poste (par un firewall d'entrepris
git clone https://git.kaz.bzh/KAZ/kaz-vagrant.git # pour essayer git clone https://git.kaz.bzh/KAZ/kaz-vagrant.git # pour essayer
git clone git+ssh://git@git.kaz.bzh:2202/KAZ/kaz-vagrant.git # pour contribuer git clone git+ssh://git@git.kaz.bzh:2202/KAZ/kaz-vagrant.git # pour contribuer
cd kaz-vagrant/ cd kaz-vagrant/
git switch develop-snster # dans les 2 cas
```
* Personalisez votre simulateur avec la commande (au besoin ajustez la mémoire et les cpus utilisés dans Vagrantfile) :
```bash
vagrant plugin install vagrant-disksize
vagrant plugin install vagrant-vbguest
./init.sh # vous pouvez laisser les choix par défaut
``` ```
* (Optionnel) Ajustez éventuellement la mémoire et les cpus utilisés dans Vagrantfile (par défaut 4GB et 2 vCPUs)
* Pour créer tout l'univers Kaz il faut se placer dans le répertoire et lancer la commande : * Pour créer tout l'univers Kaz il faut se placer dans le répertoire et lancer la commande :
```bash ```bash
vagrant up vagrant up
``` ```
Cette étape peut-être (très) longue. Notamment, la construction de kaz-prod se fait dans un conteneur LXC, dans lequel les overlays docker passent par un filesystem FUSE beaucoup plus lent qu'en natif... Cette étape peut-être (très) longue. Notamment, la construction de kaz-prod se fait dans un conteneur LXC, dans lequel les overlays docker passent par un filesystem plus lent qu'en natif... Comptez entre 40 minutes et quelques heures, selon la connexion réseau et les performances de la machine.
## Mise au point
Il est possible d'interrompre la création à la coquille vide (juste la VM sans les services KAZ) pour des question de mise au point avec la commande :
```bash
NOKAZ="true" vagrant up
```
Dans ce cas, il faudra ensuite lancer dans la VM :
```bash
KAZGUARD="true" /root/vm-install-kaz.sh
```
Pour détruire la VM et recommencer :
```bash
vagrant destroy
```
## Utilisation ## Utilisation
@ -117,7 +91,40 @@ Vous pouvez également démarrer firefox avec les URL suivantes:
* https://cloud.kaz.sns/login (compte contact1@kaz.local créé, mot de passe totototototototo1234 ) * https://cloud.kaz.sns/login (compte contact1@kaz.local créé, mot de passe totototototototo1234 )
* https://sondage.kaz.sns * https://sondage.kaz.sns
Il vous faudra accepter les alertes de sécurité pour certificat absent (web et messagerie) Il vous faudra accepter les éventuelles alertes de sécurité pour certificat absent (web et messagerie)
## Mise au point
Il est possible d'interrompre la création à la coquille vide (juste la VM sans les services KAZ) pour des question de mise au point avec la commande :
```bash
NOKAZ="true" vagrant up
```
Dans ce cas, il faudra ensuite lancer dans la VM :
```bash
KAZGUARD="true" /root/vm-install-kaz.sh
```
Pour détruire la VM et recommencer :
```bash
vagrant destroy
```
## Accélération de la construction avec un proxy cache local
Au tout début de la construction de la VM, un proxy Squid et un proxy Dockerhub (docker-registry) sont installés au niveau de la VM. Ils font du cache et sont ensuite utilisé lors des apt-get du provisionning de la VM puis lors des constructions des conteneurs LXC et des dockers. Quelques téléchargements ne sont pas encore mis en cache (soit parce que certains téléchargements se font hors de ce proxy, soit par l'utilisation du HTTPS qui n'est pas (encore) intercepté pour faire ce cache), mais cela diminue déjà beaucoup le trafic réseau lors de la construction et lors des reconstructions partielles ensuite.
Il est possible de configurer ce proxy pour utiliser un proxy du réseau local à son tour. L'intérêt est d'avoir un cache persistant lors de la reconstruction de la VM, ou de pouvoir rediriger certaines requêtes (dépôts Debian ou Alpine) vers des miroirs locaux. Pour cela, il faut un fichier `files/customVM.sh`. Un fichier `files/customVM.sh.dist` est fourni en exemple : il suffit de le renommer en `customVM.sh`, puis de modifier les IP du proxy et du registry Docker upstreams dans les premières lignes. Il est évidemment possible de n'activer que l'une des 2 fonctionnalités (soit que le proxy http externe, soit que le docker registry externe) en commentant les lignes associées.
Pour installer un Squid sur l'hôte : TODO
Pour installer un docker-registry sur l'hôte :
* `apt install docker-registry`
* Éditer `/etc/docker/registry/config.yml` :
* Enlever la section `auth`
* Ajouter `proxy:
remoteurl: https://registry-1.docker.io`
## Installation avancée ## Installation avancée

50
Vagrantfile vendored Normal file
View File

@ -0,0 +1,50 @@
# coding: utf-8
# -*- mode: ruby -*-
# vi: set ft=ruby :
unless Vagrant.has_plugin?("vagrant-disksize")
raise Vagrant::Errors::VagrantError.new, "vagrant-disksize plugin is missing. Please install it using 'vagrant plugin install vagrant-disksize' and rerun 'vagrant up'"
end
# All Vagrant configuration is done below. The "2" in Vagrant.configure
# configures the configuration version (we support older styles for
# backwards compatibility). Please don't change it unless you know what
# you're doing.
Vagrant.configure("2") do |config|
required_plugins = %w( vagrant-vbguest vagrant-disksize )
_retry = false
required_plugins.each do |plugin|
unless Vagrant.has_plugin? plugin
system "vagrant plugin install #{plugin}"
_retry=true
end
end
if (_retry)
exec "vagrant " + ARGV.join(' ')
end
config.vm.box = "debian/bullseye64"
config.vm.hostname = 'kaz-vm'
config.disksize.size = '32GB'
config.vm.provider "virtualbox" do |vb|
vb.memory = "4096"
vb.cpus = "2"
vb.name = "kaz-vm"
vb.customize ["modifyvm", :id, "--vram", "64", "--clipboard-mode", "bidirectional", '--graphicscontroller', 'vmsvga', '--natnet1', '192.168.64.0/24']
vb.gui = true
end
#permet d'avoir un répertoire partagé entre la VM et le host
config.vm.synced_folder "/tmp/", "/tmp_host"
config.vm.synced_folder "files/", "/root/kaz-vagrant"
config.vm.provision "shell" do |s|
s.inline = "/vagrant/files/vm-provision.sh"
s.env = {"KAZGUARD" => "true", "HOSTLANG" => ENV['LANG'], "NOKAZ" => ENV['NOKAZ'], "KAZBRANCH" => ENV['KAZBRANCH']}
end
end

95
Vagrantfile.dist
View File

@ -1,95 +0,0 @@
# coding: utf-8
# -*- mode: ruby -*-
# vi: set ft=ruby :
unless Vagrant.has_plugin?("vagrant-disksize")
raise Vagrant::Errors::VagrantError.new, "vagrant-disksize plugin is missing. Please install it using 'vagrant plugin install vagrant-disksize' and rerun 'vagrant up'"
end
# All Vagrant configuration is done below. The "2" in Vagrant.configure
# configures the configuration version (we support older styles for
# backwards compatibility). Please don't change it unless you know what
# you're doing.
Vagrant.configure("2") do |config|
required_plugins = %w( vagrant-vbguest vagrant-disksize )
_retry = false
required_plugins.each do |plugin|
unless Vagrant.has_plugin? plugin
system "vagrant plugin install #{plugin}"
_retry=true
end
end
if (_retry)
exec "vagrant " + ARGV.join(' ')
end
config.vm.box = "debian/bullseye64"
config.vm.hostname = 'kaz-vm'
config.disksize.size = '32GB'
# Disable automatic box update checking. If you disable this, then
# boxes will only be checked for updates when the user runs
# `vagrant box outdated`. This is not recommended.
# config.vm.box_check_update = false
# Create a forwarded port mapping which allows access to a specific port
# within the machine from a port on the host machine. In the example below,
# accessing "localhost:8080" will access port 80 on the guest machine.
# config.vm.network "forwarded_port", guest: 80, host: 8080
# Create a private network, which allows host-only access to the machine
# using a specific IP.
# config.vm.network "private_network", ip: "192.168.33.10"
# Create a public network, which generally matched to bridged network.
# Bridged networks make the machine appear as another physical device on
# your network.
# config.vm.network "public_network"
# Share an additional folder to the guest VM. The first argument is
# the path on the host to the actual folder. The second argument is
# the path on the guest to mount the folder. And the optional third
# argument is a set of non-required options.
# config.vm.synced_folder "data", "/vagrant_data"
# config.vm.synced_folder "..", "/root/mi-lxc", create:true, type:"rsync",
# rsync__exclude: [".git/", "zzlocal/", "vagrant/"]
# Provider-specific configuration so you can fine-tune various
# backing providers for Vagrant. These expose provider-specific options.
# Example for VirtualBox:
#
config.vm.provider "virtualbox" do |vb|
# # Display the VirtualBox GUI when booting the machine
# vb.gui = true
#
# # Customize the amount of memory on the VM:
vb.memory = "4096"
vb.cpus="2"
vb.name = "kaz-vm"
vb.customize ["modifyvm", :id, "--vram", "64", "--clipboard-mode", "bidirectional", '--graphicscontroller', 'vmsvga', '--natnet1', '192.168.64.0/24']
vb.gui = true
end
# Define a Vagrant Push strategy for pushing to Atlas. Other push strategies
# such as FTP and Heroku are also available. See the documentation at
# https://docs.vagrantup.com/v2/push/atlas.html for more information.
# config.push.define "atlas" do |push|
# push.app = "YOUR_ATLAS_USERNAME/YOUR_APPLICATION_NAME"
# end
# Enable provisioning with a shell script. Additional provisioners such as
# Puppet, Chef, Ansible, Salt, and Docker are also available. Please see the
# documentation for more information about their specific syntax and use.
#permet d'avoir un répertoire partagé entre la VM et le host
config.vm.synced_folder "/tmp/", "/tmp_host"
config.vm.synced_folder "files/", "/root/kaz-vagrant"
config.vm.provision "shell" do |s|
s.inline = "/vagrant/files/vm-provision.sh"
s.env = {"KAZGUARD" => "true", "HOSTLANG" => ENV['LANG'], "NOKAZ" => ENV['NOKAZ'], "KAZBRANCH" => ENV['KAZBRANCH']}
end
end

42
files/customVM.sh.dist Normal file
View File

@ -0,0 +1,42 @@
#!/bin/bash
PROXY="192.168.0.121:3128"
REGISTRY="192.168.0.121:5000"
# Pour le proxy http/https (https sans cache) avec iptables
cat >> /etc/rc.local <<EOF
#!/bin/sh
PROXY=${PROXY}
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 3142 -j DNAT --to \${PROXY}
iptables -t nat -A OUTPUT -p tcp -m tcp --dport 3142 -j DNAT --to \${PROXY}
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
EOF
chmod +x /etc/rc.local
echo "net.ipv4.conf.eth0.route_localnet=1" >> /etc/sysctl.conf
sysctl -p
# fin proxy
# Pour le cache docker
cat >> /etc/rc.local <<EOF
REGISTRY=${REGISTRY}
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 5000 -j DNAT --to \${REGISTRY}
EOF
# fin cache docker
bash /etc/rc.local
# Un peu de customisation
DEBIAN_FRONTEND=noninteractive apt-get install -y vim rsync
rsync -a /vagrant/files/.emacs* /root/
###
# Une autre façon de router vers un autre proxy http/https upstream, si on veut que la VM fasse le cache
###
# Pour le proxy http/https (https sans cache) avec squid config
#echo "cache_peer $(cut -d':' -f1 <<< $PROXY) parent $(cut -d':' -f2 <<< $PROXY) 0 no-query default
#acl all src 0.0.0.0/0.0.0.0
#http_access allow all
#never_direct allow all" >> /etc/squid/squid.conf
#service squid restart

70
files/snster-kaz/kaz/prod/provision.sh
View File

@ -18,7 +18,7 @@ DEBIAN_FRONTEND=noninteractive apt-get autoremove -y
# KAZ specific things # KAZ specific things
#installation de docker, docker-compose et on y fourre le user debian dans le groupe idoine #installation de docker, docker-compose et on y fourre le user debian dans le groupe idoine
DEBIAN_FRONTEND=noninteractive apt-get install -y docker.io docker-compose docker-clean git apg curl sudo unzip rsync btrfs-progs ldap-utils # fuse-overlayfs DEBIAN_FRONTEND=noninteractive apt-get install -y docker.io docker-compose docker-clean git apg curl sudo unzip rsync btrfs-progs ldap-utils unaccent # fuse-overlayfs
usermod -G docker debian usermod -G docker debian
# activation dans alias dans /root/.bashrc # activation dans alias dans /root/.bashrc
sed -i \ sed -i \
@ -47,25 +47,6 @@ fi
# On met le GUARD pour la mise au point # On met le GUARD pour la mise au point
echo "export SNSTERGUARD='true'" >> /root/.bashrc echo "export SNSTERGUARD='true'" >> /root/.bashrc
# On active fuse-overlayfs pour docker
cat >> /etc/docker/daemon.json <<EOF
{ "storage-driver": "btrfs" }
EOF
service docker restart
#mknod -m 666 /dev/fuse c 10 229
#echo -e '#!/bin/sh\nmknod -m 666 /dev/fuse c 10 229' >> /etc/rc.local
#chmod +x /etc/rc.local
# lxc.cgroup2.devices.allow = b 7:* rwm
# lxc.cgroup2.devices.allow = c 10:237 rwm
#
# mknod -m 666 /dev/loop0 b 7 0
# mknod -m 666 /dev/loop-control c 10 237
# truncate -s 30G /root/varlibdocker.img
# mkfs.btrfs /root/varlibdocker.img
# losetup -f /root/varlibdocker.img
# mount /dev/loop0 /var/lib/docker
# On place les certifs # On place les certifs
if [ -d letsencrypt ]; then if [ -d letsencrypt ]; then
@ -80,6 +61,55 @@ fi
echo -e '#!/bin/sh\n/kaz/bin/container.sh start' >> /etc/rc.local echo -e '#!/bin/sh\n/kaz/bin/container.sh start' >> /etc/rc.local
chmod +x /etc/rc.local chmod +x /etc/rc.local
# On sauve le proxy APT
proxy=$(/sbin/ip route | awk '/default/ { print $3 }' | head -1)
sed -i -e "s/^proxy.*$/proxy=$proxy/" /usr/local/sbin/detect_proxy.sh
#echo "export http_proxy=\"http://$proxy:3142\"" > /etc/profile.d/proxy.sh
#echo "export https_proxy=\"http://$proxy:3142\"" >> /etc/profile.d/proxy.sh
# Proxy pour les environnements durant les dockerbuilds
mkdir /root/.docker
echo "{
\"proxies\":
{
\"default\":
{
\"httpProxy\": \"http://$proxy:3142\",
\"httpsProxy\": \"http://$proxy:3142\",
\"noProxy\": \"*.sns,127.0.0.0/8,100.64.0.0/10,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16\"
}
}
}" > /root/.docker/config.json
# Proxy pour les docker pull -> commenté car pas de cache avec dockerhub
# echo "http_proxy=\"http://$proxy:3142\"
# https_proxy=\"http://$proxy:3142\"
# no_proxy=\"*.sns,127.0.0.0/8,100.64.0.0/10,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16\"
# " >> /etc/default/docker
# On active btrfs+registry miroir pour docker
cat >> /etc/docker/daemon.json <<EOF
{ "storage-driver": "btrfs",
"registry-mirrors": ["http://$proxy:5000"] }
EOF
service docker restart
# clear apt cache # clear apt cache
DEBIAN_FRONTEND=noninteractive apt-get autoremove -y DEBIAN_FRONTEND=noninteractive apt-get autoremove -y
DEBIAN_FRONTEND=noninteractive apt-get clean DEBIAN_FRONTEND=noninteractive apt-get clean
# notes fuse-overlayfs :
#mknod -m 666 /dev/fuse c 10 229
#echo -e '#!/bin/sh\nmknod -m 666 /dev/fuse c 10 229' >> /etc/rc.local
#chmod +x /etc/rc.local
# lxc.cgroup2.devices.allow = b 7:* rwm
# lxc.cgroup2.devices.allow = c 10:237 rwm
#
# mknod -m 666 /dev/loop0 b 7 0
# mknod -m 666 /dev/loop-control c 10 237
# truncate -s 30G /root/varlibdocker.img
# mkfs.btrfs /root/varlibdocker.img
# losetup -f /root/varlibdocker.img
# mount /dev/loop0 /var/lib/docker

124
files/vm-provision.sh
View File

@ -15,52 +15,45 @@ mkdir -p "${VAGRANT_SRC_DIR}/log/"
export DebugLog="${VAGRANT_SRC_DIR}/log/log-vagrant-$(date +%y-%m-%d-%T)-" export DebugLog="${VAGRANT_SRC_DIR}/log/log-vagrant-$(date +%y-%m-%d-%T)-"
( (
echo "########## ********** Start Vagrant $(date +%D-%T)" echo "########## ********** Start Vagrant $(date +%D-%T)"
#pour la résolution de noms dans /etc/hosts
SERVICES_LIST="smtp mail ldap www depot tableur pad webmail sondage garradin test-garradin wiki git agora cloud office cachet quotas"
# Copie de qques fichiers # Copie de qques fichiers
cp "${VAGRANT_SRC_DIR}/keyboard" /etc/default/keyboard cp "${VAGRANT_SRC_DIR}/keyboard" /etc/default/keyboard
sysctl -w net.ipv4.ip_forward=1 # gestions sources.list
# MAJ et install
sed -i -e 's/main.*/main contrib non-free/' /etc/apt/sources.list sed -i -e 's/main.*/main contrib non-free/' /etc/apt/sources.list
if [ -f "${VAGRANT_SRC_DIR}/.apt-mirror-config" ]; then sed -i -e 's/https:/http:/' /etc/apt/sources.list
# pour ceux qui disposent d'un cache apt local et pas la fibre apt-get --allow-releaseinfo-change update
# suffit d'indiquer "host:port" dans le fichier ".apt-mirror-config"
. "${VAGRANT_SRC_DIR}/.apt-mirror-config" # Cache APT
sed -i \ #DEBIAN_FRONTEND=noninteractive apt-get install -y apt-cacher # apt-cacher-ng does not work well on bullseye
-e "s%s\?://deb.debian.org%://${APT_MIRROR_DEBIAN}%g" \ #echo "allowed_hosts = *" >> /etc/apt-cacher/apt-cacher.conf
-e "s%s\?://security.debian.org%://${APT_MIRROR_DEBIAN_SECURITY}%g" \ #service apt-cacher restart
-e "s%s\?://archive.ubuntu.com%://${APT_MIRROR_UBUNTU}%g" \ DEBIAN_FRONTEND=noninteractive apt-get install -y squid
-e "s%s\?://security.ubuntu.com%://${APT_MIRROR_UBUNTU_SECURITY}%g" \ sed -i -e "s/#http_access allow localnet/http_access allow localnet/" /etc/squid/squid.conf
/etc/apt/sources.list echo "cache_dir aufs /var/spool/squid 5000 14 256
maximum_object_size 4000 MB
http_port 3142" >> /etc/squid/squid.conf
service squid restart
echo "Acquire::http::Proxy \"http://127.0.0.1:3142\";" > /etc/apt/apt.conf.d/01proxy; # utilisation de apt-cacher-ng
# Ajouter http://www.squid-cache.org/Doc/config/cache_peer/ à squid pour un proxy upstream
# Pour le confort de chacun, un customVM.sh optionnel
if [ -f "${VAGRANT_SRC_DIR}/customVM.sh" ]; then
bash "${VAGRANT_SRC_DIR}/customVM.sh"
fi fi
DEBIAN_FRONTEND=noninteractive apt-get --allow-releaseinfo-change update # MAJ et Install
DEBIAN_FRONTEND=noninteractive apt-get -y upgrade DEBIAN_FRONTEND=noninteractive apt-get -y upgrade
DEBIAN_FRONTEND=noninteractive apt-get -y dist-upgrade DEBIAN_FRONTEND=noninteractive apt-get -y dist-upgrade
DEBIAN_FRONTEND=noninteractive apt-get install -y apg curl git sudo unzip rsync firefox-esr tcpdump net-tools mousepad wireshark swapspace whois ldap-utils python3-lxc lxc python3-pygraphviz python3-pil python3-yaml imagemagick btrfs-progs # could be with --no-install-recommends DEBIAN_FRONTEND=noninteractive apt-get install -y apg curl git sudo unzip rsync firefox-esr tcpdump net-tools mousepad wireshark swapspace whois python3-lxc lxc python3-pygraphviz python3-pil python3-yaml imagemagick btrfs-progs docker-registry # could be with --no-install-recommends
DEBIAN_FRONTEND=noninteractive apt-get install -y xfce4 lightdm xfce4-terminal xserver-xorg gitk # needs to install recommends DEBIAN_FRONTEND=noninteractive apt-get install -y xfce4 lightdm xfce4-terminal xserver-xorg gitk # needs to install recommends
ssh-keygen -t rsa -b 4096 -N '' <<<$'\ny' ssh-keygen -t rsa -b 4096 -N '' <<<$'\ny'
rsync /root/.ssh/id_rsa.pub /root/.ssh/authorized_keys rsync /root/.ssh/id_rsa.pub /root/.ssh/authorized_keys
# Pour le confort de chacun
# Le fihcier .customDocker.sh contient
# DEBIAN_FRONTEND=noninteractive apt-get install -y joe
# DEBIAN_FRONTEND=noninteractive apt-get install -y emacs
# DEBIAN_FRONTEND=noninteractive apt-get install -y vim
if [ -f "${VAGRANT_SRC_DIR}/.customDocker.sh" ]; then
chmod a+x "${VAGRANT_SRC_DIR}/.customDocker.sh"
"${VAGRANT_SRC_DIR}/.customDocker.sh"
fi
# Localisation du $LANG, en par défaut, timezone Paris # Localisation du $LANG, en par défaut, timezone Paris
if [ -z "${HOSTLANG}" ] ; then if [ -z "${HOSTLANG}" ] ; then
HOSTLANG="en_US.UTF-8" HOSTLANG="en_US.UTF-8"
fi fi
echo "Europe/Paris" > /etc/timezone echo "Europe/Paris" > /etc/timezone
ln -sf /usr/share/zoneinfo/Europe/Paris /etc/localtime ln -sf /usr/share/zoneinfo/Europe/Paris /etc/localtime
@ -71,38 +64,33 @@ export DebugLog="${VAGRANT_SRC_DIR}/log/log-vagrant-$(date +%y-%m-%d-%T)-"
dpkg-reconfigure --frontend=noninteractive locales || true # don't fail for a locales problem dpkg-reconfigure --frontend=noninteractive locales || true # don't fail for a locales problem
update-locale LANG=${HOSTLANG} || true # don't fail for a locales problem update-locale LANG=${HOSTLANG} || true # don't fail for a locales problem
echo -e "\n #### create user\n"
# Creation des utilisateurs # Creation des utilisateurs
echo -e "\n #### create user\n"
usermod -p $(mkpasswd --method=sha-512 root) root usermod -p $(mkpasswd --method=sha-512 root) root
useradd -m -s "/bin/bash" -p $(mkpasswd --method=sha-512 debian) debian || true # don't fail if user already exists useradd -m -s "/bin/bash" -p $(mkpasswd --method=sha-512 debian) debian || true # don't fail if user already exists
# augmentation de la taille de /run si lowmem
#echo "tmpfs /run tmpfs nosuid,noexec,size=26M 0 0" >> /etc/fstab
#mount -o remount /run
# Désactivation de la mise en veille de l'écran # Désactivation de la mise en veille de l'écran
mkdir -p /etc/X11/xorg.conf.d/ mkdir -p /etc/X11/xorg.conf.d/
rsync -a "${VAGRANT_SRC_DIR}/10-monitor.conf" /etc/X11/xorg.conf.d/ rsync -a "${VAGRANT_SRC_DIR}/10-monitor.conf" /etc/X11/xorg.conf.d/
# mv /etc/xdg/autostart/light-locker.desktop /etc/xdg/autostart/light-locker.desktop.bak # mv /etc/xdg/autostart/light-locker.desktop /etc/xdg/autostart/light-locker.desktop.bak
DEBIAN_FRONTEND=noninteractive apt-get remove --purge -y light-locker DEBIAN_FRONTEND=noninteractive apt-get remove --purge -y light-locker
#faut virer exim, il fout la grouille avec le docker postfix #faut virer exim, inutile
DEBIAN_FRONTEND=noninteractive apt-get remove --purge -y exim4-base exim4-config exim4-daemon-light DEBIAN_FRONTEND=noninteractive apt-get remove --purge -y exim4-base exim4-config exim4-daemon-light
#login ssh avec mot de passe #login ssh avec mot de passe
sed -i "s/PasswordAuthentication no/PasswordAuthentication yes/" /etc/ssh/sshd_config sed -i "s/PasswordAuthentication no/PasswordAuthentication yes/" /etc/ssh/sshd_config
if ! grep -q "PasswordAuthentication yes" /etc/ssh/sshd_config 2>/dev/null; then if ! grep -q "PasswordAuthentication yes" /etc/ssh/sshd_config 2>/dev/null; then
echo "PasswordAuthentication yes" >> /etc/ssh/sshd_config echo "PasswordAuthentication yes" >> /etc/ssh/sshd_config
fi fi
# autorisation du routing et augmentation inotify # autorisation du routing et augmentation inotify
if ! grep -q "net.ipv4.ip_forward" /etc/sysctl.conf 2>/dev/null; then if ! grep -q "net.ipv4.ip_forward" /etc/sysctl.conf 2>/dev/null; then
echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
fi fi
sed -i "s/#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/" /etc/sysctl.conf sed -i "s/#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/" /etc/sysctl.conf
if ! grep -q "fs.inotify.max_queued_events" /etc/sysctl.conf 2>/dev/null; then if ! grep -q "fs.inotify.max_queued_events" /etc/sysctl.conf 2>/dev/null; then
echo -e "fs.inotify.max_queued_events=1048576\nfs.inotify.max_user_instances=1048576\nfs.inotify.max_user_watches=1048576" >> /etc/sysctl.conf echo -e "fs.inotify.max_queued_events=1048576\nfs.inotify.max_user_instances=1048576\nfs.inotify.max_user_watches=1048576" >> /etc/sysctl.conf
fi fi
sysctl -p sysctl -p
@ -128,49 +116,52 @@ EOF
mkdir -p $(dirname "${TERM_CFG}") mkdir -p $(dirname "${TERM_CFG}")
touch "${TERM_CFG}" touch "${TERM_CFG}"
if ! grep -q "ShortcutsNoMnemonics" "${TERM_CFG}" 2>/dev/null; then if ! grep -q "ShortcutsNoMnemonics" "${TERM_CFG}" 2>/dev/null; then
echo -e "[Configuration]\nShortcutsNoMnemonics=TRUE" >> "${TERM_CFG}" echo -e "[Configuration]\nShortcutsNoMnemonics=TRUE" >> "${TERM_CFG}"
fi fi
echo -e "\n #### set swapspace\n"
# free swapspace at shutdown # free swapspace at shutdown
echo -e "\n #### set swapspace\n"
sed -i -e 's/ExecStart=\/usr\/sbin\/swapspace/ExecStart=\/usr\/sbin\/swapspace\nExecStop=\/usr\/sbin\/swapspace -e/' /lib/systemd/system/swapspace.service sed -i -e 's/ExecStart=\/usr\/sbin\/swapspace/ExecStart=\/usr\/sbin\/swapspace\nExecStop=\/usr\/sbin\/swapspace -e/' /lib/systemd/system/swapspace.service
systemctl daemon-reload systemctl daemon-reload
# limit journald log size # limit journald log size
mkdir -p /etc/systemd/journald.conf.d mkdir -p /etc/systemd/journald.conf.d
if [ ! -f /etc/systemd/journald.conf.d/sizelimit.conf ]; then if [ ! -f /etc/systemd/journald.conf.d/sizelimit.conf ]; then
cat > /etc/systemd/journald.conf.d/sizelimit.conf <<EOF cat > /etc/systemd/journald.conf.d/sizelimit.conf <<EOF
[Journal] [Journal]
SystemMaxUse=20M SystemMaxUse=20M
SystemMaxFileSize=2M SystemMaxFileSize=2M
EOF EOF
fi fi
#***********DEBUT CERTIF******************* # CA et certifs avec mkcert
#*****************ATTENTION: MARCHE PAS (il faut accepter toutes les exceptions de sécurité
echo -e "\n #### mkcert\n" echo -e "\n #### mkcert\n"
# Récupérer mkcert et générer la CA
DEBIAN_FRONTEND=noninteractive apt-get install -y libnss3-tools DEBIAN_FRONTEND=noninteractive apt-get install -y libnss3-tools
mkdir -p /root/mkcert mkdir -p /root/mkcert
cd /root/mkcert cd /root/mkcert
if [ ! -f mkcert ]; then if [ ! -f mkcert ]; then
wget https://github.com/FiloSottile/mkcert/releases/download/v1.4.3/mkcert-v1.4.3-linux-amd64 -O mkcert wget https://github.com/FiloSottile/mkcert/releases/download/v1.4.3/mkcert-v1.4.3-linux-amd64 -O mkcert
chmod +x mkcert chmod +x mkcert
mkdir -p /etc/letsencrypt/local/ mkdir -p /etc/letsencrypt/local/
export CAROOT=/etc/letsencrypt/local/ export CAROOT=/etc/letsencrypt/local/
/root/mkcert/mkcert -install # CA dans /etc/letsencrypt/local/ /root/mkcert/mkcert -install # CA dans /etc/letsencrypt/local/
cd "${CAROOT}" cd "${CAROOT}"
/root/mkcert/mkcert "*.kaz.sns" # cert et clé dans /etc/letsencrypt/local/ /root/mkcert/mkcert "*.kaz.sns" # cert et clé dans /etc/letsencrypt/local/
mkdir -p /etc/letsencrypt/live/kaz.sns/ mkdir -p /etc/letsencrypt/live/kaz.sns/
ln -s ../../local/_wildcard.kaz.sns.pem /etc/letsencrypt/live/kaz.sns/fullchain.pem ln -s ../../local/_wildcard.kaz.sns.pem /etc/letsencrypt/live/kaz.sns/fullchain.pem
ln -s ../../local/_wildcard.kaz.sns-key.pem /etc/letsencrypt/live/kaz.sns/privkey.pem ln -s ../../local/_wildcard.kaz.sns-key.pem /etc/letsencrypt/live/kaz.sns/privkey.pem
fi fi
# Cache docker registry
echo "proxy:
remoteurl: https://registry-1.docker.io
auth:
none:
" >> /etc/docker/registry/config.yml
#***********FIN CERTIF*******************
# clear apt cache # clear apt cache
DEBIAN_FRONTEND=noninteractive apt-get autoremove -y DEBIAN_FRONTEND=noninteractive apt-get autoremove -y
@ -191,22 +182,16 @@ EOF
mkfs.btrfs -f /root/btrfs.img mkfs.btrfs -f /root/btrfs.img
echo "/root/btrfs.img /var/lib/lxc btrfs loop 0 0" >> /etc/fstab echo "/root/btrfs.img /var/lib/lxc btrfs loop 0 0" >> /etc/fstab
mount /var/lib/lxc mount /var/lib/lxc
#losetup -f /root/btrfs.img
#mount /dev/loop0 /var/lib/lxc
sed -i -e "s/template=self.template/template=self.template, bdevtype='btrfs'/" /usr/local/lib/python3.9/dist-packages/backends/LxcBackend.py sed -i -e "s/template=self.template/template=self.template, bdevtype='btrfs'/" /usr/local/lib/python3.9/dist-packages/backends/LxcBackend.py
# SNSTER KAZ # SNSTER KAZ
# cp -ar ${VAGRANT_SRC_DIR}/templates /root
cp -ar ${VAGRANT_SRC_DIR}/snster-kaz /root cp -ar ${VAGRANT_SRC_DIR}/snster-kaz /root
# crypto keys # crypto keys
cp -ar /etc/letsencrypt /root/snster-kaz/kaz/prod/ cp -ar /etc/letsencrypt /root/snster-kaz/kaz/prod/
cp -ar /etc/letsencrypt /root/snster-kaz/isp-a/home/ cp -ar /etc/letsencrypt /root/snster-kaz/isp-a/home/
# On monte le filesystem de kaz-prod dans le /kaz de la VM pour le dév (en nofail) # On lie le filesystem de kaz-prod dans le /kaz de la VM pour le dév
# mkdir /kaz-prod /kaz
# echo "overlay /kaz-prod overlay lowerdir=/var/lib/lxc/sr-masters-bullseye/rootfs,upperdir=/var/lib/lxc/kaz-kaz-prod/overlay/delta,workdir=/var/lib/lxc/kaz-kaz-prod/overlay/work,nofail 0 0" >> /etc/fstab
# echo "/kaz-prod/kaz /kaz none bind,nofail 0 0" >> /etc/fstab
ln -s /var/lib/lxc/kaz-kaz-prod/rootfs/ /kaz-prod ln -s /var/lib/lxc/kaz-kaz-prod/rootfs/ /kaz-prod
ln -s /kaz-prod/kaz /kaz ln -s /kaz-prod/kaz /kaz
@ -235,3 +220,14 @@ reboot
# KAZPROD="snster -c /root/snster-kaz -t /root/templates attach kaz-prod -x" # KAZPROD="snster -c /root/snster-kaz -t /root/templates attach kaz-prod -x"
# ${KAZPROD} "docker cp /etc/letsencrypt/local/rootCA.pem sympaServ:/usr/local/share/ca-certificates/rootCA.crt" # ${KAZPROD} "docker cp /etc/letsencrypt/local/rootCA.pem sympaServ:/usr/local/share/ca-certificates/rootCA.crt"
# ${KAZPROD} "docker exec -it sympaServ update-ca-certificates" # ${KAZPROD} "docker exec -it sympaServ update-ca-certificates"
# Interception https avec squid-openssl (nok pour dockerhub) :
# http_port 3142 tcpkeepalive=60,30,3 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=20MB tls-cert=/etc/letsencrypt/local/rootCA.pem tls-key=/etc/letsencrypt/local/rootCA-key.pem tls-dh=prime256v1:/etc/letsencrypt/local/dhparam.pem
# sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/ssl_db -M 4MB
# sslcrtd_children 5
# ssl_bump server-first all
# ssl_bump stare all
# sslproxy_cert_error deny all
# refresh_pattern -i (/blobs/sha256) 1440 99% 10080 ignore-no-store ignore-private override-expire store-stale reload-into-ims
# refresh_pattern -i (/images/sha256) 1440 99% 10080 ignore-no-store ignore-private override-expire store-stale reload-into-ims
# refresh_pattern -i (/manifests/) 1440 99% 10080 ignore-no-store ignore-private override-expire store-stale reload-into-ims

162
init.sh
View File

@ -1,162 +0,0 @@
#!/bin/bash
### Personalisation de la VM
cd "$(dirname $0)"
BOLD=''
RED=''
GREEN=''
YELLOW=''
BLUE=''
MAGENTA=''
CYAN=''
NC='' # No Color
NL='
'
mkdir -p ./files/kaz/log/ ./files/kaz/download/ ./files/kaz/git/
chmod a+rxw ./files/kaz/log/ ./files/kaz/download/ ./files/kaz/git/
cp Vagrantfile.dist Vagrantfile
OLD_MEN=$(grep vb.memory Vagrantfile | sed -e 's%.*vb.memory\s*=\s*"\([^"]*\)".*%\1%')
OLD_CUPS=$(grep vb.cpus Vagrantfile | sed -e 's%.*vb.cpus\s*=\s*"\([^"]*\)".*%\1%')
MEM=$(expr $(head -1 /proc/meminfo | awk '{print $2}') / 4096)
CUP=$(expr $(nproc) / 2)
cat <<EOF
${GREEN}${BOLD}
MEM: ${OLD_MEN} => ${MEM}
CUP: ${OLD_CUPS} => ${CUP}
${NC}
Update './Vagrantfile'
EOF
sed -i Vagrantfile \
-e 's%vb.memory\s*=\s*"[^"]*"%vb.memory = "'${MEM}'"%' \
-e 's%vb.cpus\s*=\s*"[^"]*"%vb.cpus = "'${CUP}'"%'
APT_CONF="files/.apt-mirror-config"
if [ -f "${APT_CONF}" ]; then
. "${APT_CONF}"
fi
### Personalisation d'un cache apt
if [ -z "${APT_MIRROR_DEBIAN}" ]; then
APT_MIRROR_DEBIAN=$(grep "deb\s.*/debian[^-]" /etc/apt/sources.list | head -1 | sed -e "s%.*deb\s.*://\([^/]*\)/debian.*%\1%")
fi
if [ -z "${APT_MIRROR_DEBIAN_SECURITY}" ]; then
APT_MIRROR_DEBIAN_SECURITY=$(grep "deb\s.*/debian-security" /etc/apt/sources.list | head -1 | sed -e "s%.*deb\s.*://\([^/]*\)/debian-security.*%\1%")
fi
if [ -z "${APT_MIRROR_UBUNTU}" ]; then
APT_MIRROR_UBUNTU=$(grep "deb\s.*://\([^/]*\)/ubuntu" /etc/apt/sources.list | head -1 | sed -e "s%.*deb\s.*://\([^/]*\)/ubuntu.*%\1%")
fi
if [ -z "${APT_MIRROR_UBUNTU_SECURITY}" ]; then
APT_MIRROR_UBUNTU_SECURITY=$(grep "deb\s.*://\([^/]*\)/ubuntu.*-security" /etc/apt/sources.list | head -1 | sed -e "s%.*deb\s.*://\([^/]*\)/ubuntu.*%\1%")
fi
if [ -z "${APT_MIRROR_UBUNTU}" ]; then
APT_MIRROR_UBUNTU="${APT_MIRROR_DEBIAN}"
fi
if [ -z "${APT_MIRROR_UBUNTU_SECURITY}" ]; then
APT_MIRROR_UBUNTU_SECURITY="${APT_MIRROR_DEBIAN_SECURITY}"
fi
while : ; do
cat <<EOF
${GREEN}${BOLD}
APT_MIRROR_DEBIAN=${APT_MIRROR_DEBIAN}
APT_MIRROR_DEBIAN_SECURITY=${APT_MIRROR_DEBIAN_SECURITY}
APT_MIRROR_UBUNTU=${APT_MIRROR_UBUNTU}
APT_MIRROR_UBUNTU_SECURITY=${APT_MIRROR_UBUNTU_SECURITY}
${NC}
EOF
read -p "Update '${APT_CONF}' (ip:port or y/n)? [no] " proxy
case "${proxy}" in
*:* )
APT_MIRROR_DEBIAN=${proxy}
APT_MIRROR_DEBIAN_SECURITY=${proxy}
APT_MIRROR_UBUNTU=${proxy}
APT_MIRROR_UBUNTU_SECURITY=${proxy}
;;
[YyOo]* )
cat > "${APT_CONF}" <<EOF
# Generated by $(pwd)$(basename $0)
# $(date "+%x %X")
APT_MIRROR_DEBIAN=${APT_MIRROR_DEBIAN}
APT_MIRROR_DEBIAN_SECURITY=${APT_MIRROR_DEBIAN_SECURITY}
APT_MIRROR_UBUNTU=${APT_MIRROR_UBUNTU}
APT_MIRROR_UBUNTU_SECURITY=${APT_MIRROR_UBUNTU_SECURITY}
EOF
break;;
""|[Nn]* ) break;;
* ) echo "Please answer ip:port, yes or no.";;
esac
done
PROXY_CONF="files/.proxy-config"
if [ -f "${PROXY_CONF}" ]; then
FTP_PROXY=$(grep "ftp_proxy" "${PROXY_CONF}" | head -1 | sed -e "s%.*ftp_proxy\s*=\s*.*://\(.*\)%\1%")
HTTP_PROXY=$(grep "http_proxy" "${PROXY_CONF}" | head -1 | sed -e "s%.*http_proxy\s*=\s*.*://\(.*\)%\1%")
HTTPS_PROXY=$(grep "https_proxy" "${PROXY_CONF}" | head -1 | sed -e "s%.*https_proxy\s*=\s*.*://\(.*\)%\1%")
fi
while : ; do
cat <<EOF
${GREEN}${BOLD}
export ftp_proxy=ftp://${FTP_PROXY}
export http_proxy=http://${HTTP_PROXY}
export https_proxy=https://${HTTPS_PROXY}
${NC}
EOF
read -p "proxy in '${PROXY_CONF}' (ip:port, yes or no)? [no] " proxy
case "${proxy}" in
*:* )
FTP_PROXY=${proxy}
HTTP_PROXY=${proxy}
HTTPS_PROXY=${proxy}
;;
[yY]*|[Oo]* )
cat > "${PROXY_CONF}" <<EOF
# Generated by $(pwd)$(basename $0)
# $(date "+%x %X")
export ftp_proxy=ftp://${FTP_PROXY}
export http_proxy=http://${HTTP_PROXY}
export https_proxy=https://${HTTPS_PROXY}
EOF
break;;
""|[Nn]* ) break;;
* ) echo "Please answer ip:port, yes or no.";;
esac
done
CUSTOM_CONF=files/.customDocker.sh
echo
if [ -f "${CUSTOM_CONF}" ]; then
OLD_EDITOR=$(grep install "${CUSTOM_CONF}" | grep "\(joe\|emacs\|vim\)" | head -1 | sed -e "s%.*\(joe\|emacs\|vim\).*%\1%")
fi
while : ; do
read -p "Choose editor in '${CUSTOM_CONF}' (joe, emacs, vim or no)? [${GREEN}${BOLD}${OLD_EDITOR}${NC}] " editor
case "${editor}" in
joe|emacs|vim )
if [ ! -f "${CUSTOM_CONF}" ]; then
echo "#!/bin/bash" > "${CUSTOM_CONF}"
fi
chmod a+x "${CUSTOM_CONF}"
if ! grep -qw "${editor}" "${CUSTOM_CONF}" 2> /dev/null ; then
echo "DEBIAN_FRONTEND=noninteractive apt-get install -y ${editor}" >> "${CUSTOM_CONF}"
echo "rsync -a /vagrant/files/.emacs* /root/" >> "${CUSTOM_CONF}"
fi
break;;
""|[Nn]* ) break;;
* ) echo "Please answer joe, emacs, vim or no.";;
esac
done