quay/buildman/templates/cloudconfig.yaml

#cloud-config

hostname: {{ build_uuid | default('quay-builder', True) }}

users:
  groups:
  - sudo
  - docker

{% if ssh_authorized_keys -%}
ssh_authorized_keys:
{% for ssh_key in ssh_authorized_keys -%}
- {{ ssh_key }}
{%- endfor %}
{%- endif %}

write_files:
- path: /root/disable-aws-metadata.sh
  permission: '0755'
  content: |
    iptables -t nat -I PREROUTING -p tcp -d 169.254.169.254 --dport 80 -j DNAT --to-destination 1.1.1.1

- path: /etc/docker/daemon.json
  permission: '0644'
  content: |
    {
        "storage-driver": "overlay2"
    }

- path: /root/overrides.list
  permission: '0644'
  content: |
    REALM={{ realm }}
    TOKEN={{ token }}
    SERVER={{ websocket_scheme }}://{{ manager_hostname }}
    {% if logentries_token -%}
    LOGENTRIES_TOKEN={{ logentries_token }}
    {%- endif %}

coreos:
  update:
    reboot-strategy: off
    group: {{ coreos_channel }}

  units:
    - name: update-engine.service
      command: stop
    - name: locksmithd.service
      command: stop
    - name: systemd-journal-gatewayd.socket
      command: start
      enable: yes
      content: |
        [Unit]
        Description=Journal Gateway Service Socket
        [Socket]
        ListenStream=/var/run/journald.sock
        Service=systemd-journal-gatewayd.service
        [Install]
        WantedBy=sockets.target
    {{ dockersystemd('quay-builder',
                     worker_image,
                     quay_username,
                     quay_password,
                     worker_tag,
                     extra_args='--net=host --privileged --env-file /root/overrides.list -v /var/run/docker.sock:/var/run/docker.sock -v /usr/share/ca-certificates:/etc/ssl/certs',
                     exec_stop_post=['/bin/sh -xc "/bin/sleep 120; /usr/bin/systemctl --no-block poweroff"'],
                     flattened=True,
                     restart_policy='no'
                    ) | indent(4) }}
    {% if logentries_token -%}
    # https://github.com/kelseyhightower/journal-2-logentries/pull/11 so moved journal-2-logentries to coreos
    {{ dockersystemd('builder-logs',
                     'quay.io/coreos/journal-2-logentries',
                     extra_args='--env-file /root/overrides.list -v /run/journald.sock:/run/journald.sock',
                     flattened=True,
                     after_units=['quay-builder.service']
                     ) | indent(4) }}
    {%- endif %}
    - name: disable-aws-metadata.service
      command: start
      enable: yes
      content: |
        [Unit]
        Description=Disable AWS metadata service
        Before=network-pre.target
        Wants=network-pre.target
        [Service]
        Type=oneshot
        ExecStart=/root/disable-aws-metadata.sh
        RemainAfterExit=yes
        [Install]
        WantedBy=multi-user.target
    - name: machine-lifetime.service
      command: start
      enable: yes
      content: |
        [Unit]
        Description=Machine Lifetime Service
        [Service]
        Type=oneshot
        ExecStart=/bin/sh -xc "/bin/sleep {{ max_lifetime_s }}; /usr/bin/systemctl --no-block poweroff"
First implementation of ephemeral build lifecycle manager. 2014-12-16 18:41:30 +00:00			`#cloud-config`

Set builder hostnames to build UUID 2016-11-15 20:35:48 +00:00			`hostname: {{ build_uuid \| default('quay-builder', True) }}`

Kubernetes build worker 2015-11-20 20:32:32 +00:00			`users:`
			`groups:`
			`- sudo`
			`- docker`

Move SSH keys and other config hard-coded config out of the build worker template In addition to removing our public keys from git, this will also allow additional customization Fixes https://jira.coreos.com/browse/QUAY-1035 2018-09-05 21:36:01 +00:00			`{% if ssh_authorized_keys -%}`
Add everyones ssh keys to the ephemeral build workers. 2015-01-29 23:40:17 +00:00			`ssh_authorized_keys:`
Move SSH keys and other config hard-coded config out of the build worker template In addition to removing our public keys from git, this will also allow additional customization Fixes https://jira.coreos.com/browse/QUAY-1035 2018-09-05 21:36:01 +00:00			`{% for ssh_key in ssh_authorized_keys -%}`
			`- {{ ssh_key }}`
			`{%- endfor %}`
			`{%- endif %}`
Add everyones ssh keys to the ephemeral build workers. 2015-01-29 23:40:17 +00:00
First implementation of ephemeral build lifecycle manager. 2014-12-16 18:41:30 +00:00			`write_files:`
Add systemd unit to disable the AWS metadata service by routing all requests to 1.1.1.1 While this isn't strictly a security issue, it appears to be and we got audited as such, so just turn it off Fixes https://jira.coreos.com/browse/QS-83 2017-12-06 22:21:55 +00:00			`- path: /root/disable-aws-metadata.sh`
Fix permissions on disable-aws-metadata script 2018-01-05 18:26:59 +00:00			`permission: '0755'`
Add systemd unit to disable the AWS metadata service by routing all requests to 1.1.1.1 While this isn't strictly a security issue, it appears to be and we got audited as such, so just turn it off Fixes https://jira.coreos.com/browse/QS-83 2017-12-06 22:21:55 +00:00			`content: \|`
			`iptables -t nat -I PREROUTING -p tcp -d 169.254.169.254 --dport 80 -j DNAT --to-destination 1.1.1.1`

Force Docker onto overlay2 Both btfs and overlay file systems suffer a very strange bug when executing the following Dockerfile: ``` FROM alpine RUN mkdir lch COPY . lch/ COPY requirements.txt lch/requirements.txt COPY ./requirements/ lch/requirements/ ENTRYPOINT ["/docker-entrypoint.sh"] ``` It fails on the last `COPY` line, due to the presence of the `COPY . lch/` call. Unknown as to why, but moving to the new filesystem fixes things. 2017-11-15 00:23:15 +00:00			`- path: /etc/docker/daemon.json`
			`permission: '0644'`
			`content: \|`
			`{`
			`"storage-driver": "overlay2"`
			`}`

First implementation of ephemeral build lifecycle manager. 2014-12-16 18:41:30 +00:00			`- path: /root/overrides.list`
			`permission: '0644'`
			`content: \|`
			`REALM={{ realm }}`
			`TOKEN={{ token }}`
Small code cleanup before whitelist addition 2016-07-08 17:01:02 +00:00			`SERVER={{ websocket_scheme }}://{{ manager_hostname }}`
Add logentries reporting to the ephemeral builders. 2015-03-27 19:28:08 +00:00			`{% if logentries_token -%}`
			`LOGENTRIES_TOKEN={{ logentries_token }}`
			`{%- endif %}`
First implementation of ephemeral build lifecycle manager. 2014-12-16 18:41:30 +00:00
			`coreos:`
			`update:`
			`reboot-strategy: off`
			`group: {{ coreos_channel }}`

			`units:`
Completely disable update-engine on builders 2016-11-23 15:12:55 +00:00			`- name: update-engine.service`
			`command: stop`
			`- name: locksmithd.service`
			`command: stop`
Tell the journal on the builders to listen on the proper socket. 2015-03-27 20:31:35 +00:00			`- name: systemd-journal-gatewayd.socket`
			`command: start`
			`enable: yes`
			`content: \|`
			`[Unit]`
			`Description=Journal Gateway Service Socket`
			`[Socket]`
			`ListenStream=/var/run/journald.sock`
			`Service=systemd-journal-gatewayd.service`
			`[Install]`
			`WantedBy=sockets.target`
Switch to using a squashed image for the build workers 2015-02-10 20:43:01 +00:00			`{{ dockersystemd('quay-builder',`
Move SSH keys and other config hard-coded config out of the build worker template In addition to removing our public keys from git, this will also allow additional customization Fixes https://jira.coreos.com/browse/QUAY-1035 2018-09-05 21:36:01 +00:00			`worker_image,`
Switch to using a squashed image for the build workers 2015-02-10 20:43:01 +00:00			`quay_username,`
			`quay_password,`
			`worker_tag,`
			`extra_args='--net=host --privileged --env-file /root/overrides.list -v /var/run/docker.sock:/var/run/docker.sock -v /usr/share/ca-certificates:/etc/ssl/certs',`
			`exec_stop_post=['/bin/sh -xc "/bin/sleep 120; /usr/bin/systemctl --no-block poweroff"'],`
			`flattened=True,`
			`restart_policy='no'`
			`) \| indent(4) }}`
Add logentries reporting to the ephemeral builders. 2015-03-27 19:28:08 +00:00			`{% if logentries_token -%}`
Updating the log-2-logentries to a new repo. 2016-11-14 21:28:17 +00:00			`# https://github.com/kelseyhightower/journal-2-logentries/pull/11 so moved journal-2-logentries to coreos`
Add logentries reporting to the ephemeral builders. 2015-03-27 19:28:08 +00:00			`{{ dockersystemd('builder-logs',`
Updating the log-2-logentries to a new repo. 2016-11-14 21:28:17 +00:00			`'quay.io/coreos/journal-2-logentries',`
Add logentries reporting to the ephemeral builders. 2015-03-27 19:28:08 +00:00			`extra_args='--env-file /root/overrides.list -v /run/journald.sock:/run/journald.sock',`
cloudconfig: flatten logentries container 2015-05-20 20:34:16 +00:00			`flattened=True,`
Tell the journal on the builders to listen on the proper socket. 2015-03-27 20:31:35 +00:00			`after_units=['quay-builder.service']`
Add logentries reporting to the ephemeral builders. 2015-03-27 19:28:08 +00:00			`) \| indent(4) }}`
			`{%- endif %}`
Add systemd unit to disable the AWS metadata service by routing all requests to 1.1.1.1 While this isn't strictly a security issue, it appears to be and we got audited as such, so just turn it off Fixes https://jira.coreos.com/browse/QS-83 2017-12-06 22:21:55 +00:00			`- name: disable-aws-metadata.service`
			`command: start`
			`enable: yes`
			`content: \|`
			`[Unit]`
			`Description=Disable AWS metadata service`
			`Before=network-pre.target`
			`Wants=network-pre.target`
			`[Service]`
			`Type=oneshot`
			`ExecStart=/root/disable-aws-metadata.sh`
			`RemainAfterExit=yes`
			`[Install]`
			`WantedBy=multi-user.target`
builder cloudconfig: shutdown server after 3 hours (#1554) 2016-06-17 20:03:40 +00:00			`- name: machine-lifetime.service`
			`command: start`
			`enable: yes`
			`content: \|`
			`[Unit]`
			`Description=Machine Lifetime Service`
			`[Service]`
			`Type=oneshot`
Move SSH keys and other config hard-coded config out of the build worker template In addition to removing our public keys from git, this will also allow additional customization Fixes https://jira.coreos.com/browse/QUAY-1035 2018-09-05 21:36:01 +00:00			`ExecStart=/bin/sh -xc "/bin/sleep {{ max_lifetime_s }}; /usr/bin/systemctl --no-block poweroff"`