sa_8001/dsk-iac
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

docker images update

Browse Source
This commit is contained in:
havelight-ee
2023-06-20 19:51:12 +09:00
parent 813f1027b7
commit 3e93fa63e9
19 changed files with 551 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
packer/ansible/docker_roles.yaml Executable file
View File

@@ -0,0 +1,8 @@
---
- hosts: default
become: true
roles:
- docker
vars:
username: root
password: saasadmin1234!@#$

4
packer/ansible/node_roles.yaml
View File

@@ -5,5 +5,5 @@
- node - node
- security-settings - security-settings
vars: vars:
username: username: root
password: password: saasadmin1234!@#$

10
packer/ansible/roles/docker/handlers/main.yml Normal file
View File

@@ -0,0 +1,10 @@
---
- name: Reload systemd configuration
service:
daemon_reload: True
- name: Restart docker service
service:
name: docker
enabled: true
state: restarted

86
packer/ansible/roles/docker/tasks/00-amazon-os-main.yml Normal file
View File

@@ -0,0 +1,86 @@
---
- name: Update and upgrade yum packages
yum:
name: "*"
state: latest
- name: Install yum packages
yum:
name: "{{ item }}"
state: present
with_items:
- python-pip
- yum-utils
- device-mapper-persistent-data
- lvm2
- amazon-linux-extras
- name: Add extras repository
shell: yum-config-manager --enable extras
- name: Disable firewalld
systemd: name=firewalld state=stopped
ignore_errors: yes
tags:
- install
- atomic
- firewalld
- name: Disable SWAP since kubernetes can't work with swap enabled (1/2)
command: 'swapoff -a'
# - name: Disable SWAP in fstab since kubernetes can't work with swap enabled (2/2)
# replace:
# path: /etc/fstab
# regexp: '^([^#].*?\sswap\s+sw\s+.*)$'
# replace: '# \1'
- name: Disable SWAP in fstab since kubernetes can't work with swap enabled (2/2)
become: true
lineinfile:
path: /etc/fstab
regexp: '^/dev/mapper/.*swap'
line: '# {{ item }}'
# when: item is search('^/dev/mapper/.*swap')
loop: "{{ lookup('file', '/etc/fstab').split('\n') }}"
- name: Add br_netfilter to module autoload
lineinfile:
path: /etc/modules-load.d/k8s2.conf
line: "{{ item }}"
create: true
with_items:
- 'overlay'
- 'br_netfilter'
- name: Add br_netfilter to module autoload
modprobe:
name: "{{ item }}"
state: present
become: true
with_items:
- 'overlay'
- 'br_netfilter'
- name: Add br_netfilter to module autoload
lineinfile:
path: /etc/sysctl.d/k8s.conf
line: "{{ item }}"
create: true
with_items:
- 'net.bridge.bridge-nf-call-iptables = 1'
- 'net.bridge.bridge-nf-call-ip6tables = 1'
- 'net.ipv4.ip_forward = 1'
- name: Disable net.bridge.bridge-nf-call-iptables
sysctl:
name: "{{ item }}"
value: 1
with_items:
- 'net.bridge.bridge-nf-call-iptables'
- 'net.bridge.bridge-nf-call-ip6tables'
- name: Disable net.ipv4.ip_forward
sysctl:
name: net.ipv4.ip_forward
value: "1"

66
packer/ansible/roles/docker/tasks/00-ubuntu-os-main.yml Normal file
View File

@@ -0,0 +1,66 @@
---
- name: Update and upgrade apt packages
apt:
upgrade: yes
update_cache: yes
force_apt_get: yes
cache_valid_time: 86400
- name: Install apt packages
apt:
name: ['apt-transport-https', 'ca-certificates', 'curl', 'gnupg', 'lsb-release']
state: present
- name: Disable ufw
command: 'ufw disable'
when: ansible_distribution_version == '20.04'
- name: Disable SWAP since kubernetes can't work with swap enabled (1/2)
command: 'swapoff -a'
- name: Disable SWAP in fstab since kubernetes can't work with swap enabled (2/2)
replace:
path: /etc/fstab
regexp: '^([^#].*?\sswap\s+sw\s+.*)$'
replace: '# \1'
- name: Add br_netfilter to module autoload
lineinfile:
path: /etc/modules-load.d/k8s.conf
line: "{{ item }}"
create: true
with_items:
- 'overlay'
- 'br_netfilter'
- name: Add br_netfilter to module autoload
modprobe:
name: "{{ item }}"
state: present
become: true
with_items:
- 'overlay'
- 'br_netfilter'
- name: Add br_netfilter to module autoload
lineinfile:
path: /etc/sysctl.d/k8s.conf
line: "{{ item }}"
create: true
with_items:
- 'net.bridge.bridge-nf-call-iptables = 1'
- 'net.bridge.bridge-nf-call-ip6tables = 1'
- 'net.ipv4.ip_forward = 1'
- name: Disable net.bridge.bridge-nf-call-iptables
sysctl:
name: "{{ item }}"
value: 1
with_items:
- 'net.bridge.bridge-nf-call-iptables'
- 'net.bridge.bridge-nf-call-ip6tables'
- name: Disable net.ipv4.ip_forward
sysctl:
name: net.ipv4.ip_forward
value: "1"

53
packer/ansible/roles/docker/tasks/01-amazon-os-docker.yml Normal file
View File

@@ -0,0 +1,53 @@
---
- name: Install docker-ce (centos) via amazon-linux-extras packages
shell: "amazon-linux-extras install docker -y"
- name: Ensure Python pip packages are installed
pip:
name: "{{ item }}"
with_items:
- boto
- boto3
- docker-compose
#- name: Add docker script
# command: curl -fsSL https://get.docker.com -o /root/get-docker.sh
#
#- name: install docker
# command: sh /root/get-docker.sh
#
- name: Create docker configuration directory
file:
path: /etc/docker
state: directory
#- name: Install required packages
# yum:
# name: ['docker-ce']
# state: present
# notify:
# - Reload systemd configuration
# - Restart docker service
- name: Configure docker
template:
src: daemon.json.j2
dest: /etc/docker/daemon.json
notify:
- Reload systemd configuration
- Restart docker service
#- name: Delete containerd config
# file:
# path: /etc/containerd/config.toml
# state: absent
# notify:
# - Restart containerd service
- meta: flush_handlers
- name: Enable docker service
service:
name: docker
enabled: True
state: started

19
packer/ansible/roles/docker/tasks/01-ubuntu-os-docker.yml Normal file
View File

@@ -0,0 +1,19 @@
---
- name: Add docker script
command: curl -fsSL https://get.docker.com -o /root/get-docker.sh
- name: install docker
command: sh /root/get-docker.sh
- name: Create docker configuration directory
file:
path: /etc/docker
state: directory
- name: Configure docker
template:
src: daemon.json.j2
dest: /etc/docker/daemon.json
notify:
- Reload systemd configuration
- Restart docker service

19
packer/ansible/roles/docker/tasks/main.yml Normal file
View File

@@ -0,0 +1,19 @@
---
- name: Gather Ansible Facts
ansible.builtin.setup:
- include: 00-amazon-os-main.yml
tags: amazon
when: ansible_facts.os_family == 'RedHat'
- include: 00-ubuntu-os-main.yml
tags: ubuntu
when: ansible_facts.os_family == 'Debian'
- include: 01-amazon-os-docker.yml
tags: cent-docker
when: ansible_facts.os_family == 'RedHat'
- include: 01-ubuntu-os-docker.yml
tags: ubuntu-docker
when: ansible_facts.os_family == 'Debian'

8
packer/ansible/roles/docker/tasks/sysctl.yml Executable file
View File

@@ -0,0 +1,8 @@
---
- name: Add pam_tally2.so
template:
src: sysctl.j2
dest: /etc/sysctl.conf
owner: root
group: root
mode: 0644

27
packer/ansible/roles/docker/templates/common-auth.j2 Executable file
View File

@@ -0,0 +1,27 @@
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.
auth required pam_tally2.so onerr={{onerr}} even_deny_root deny={{deny}} unlock_time={{unlock_time}}
# here are the per-package modules (the "Primary" block)
auth [success=1 default=ignore] pam_unix.so nullok
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
auth required pam_permit.so
# since the modules above will each just jump around
# and here are more per-package modules (the "Additional" block)
auth optional pam_cap.so
# end of pam-auth-update config

9
packer/ansible/roles/docker/templates/daemon.json.j2 Executable file
View File

@@ -0,0 +1,9 @@
{
"exec-opts": ["native.cgroupdriver=systemd"],
"log-driver": "json-file",
"log-opts": {
"max-size": "100m"
},
"storage-driver": "overlay2",
"insecure-registries": ["10.10.31.243:5000"]
}

50
packer/ansible/roles/docker/templates/pwquality.conf.j2 Executable file
View File

@@ -0,0 +1,50 @@
# Configuration for systemwide password quality limits
# Defaults:
#
# Number of characters in the new password that must not be present in the
# old password.
# difok = 5
#
# Minimum acceptable size for the new password (plus one if
# credits are not disabled which is the default). (See pam_cracklib manual.)
# Cannot be set to lower value than 6.
minlen = {{pwquality_minlen}}
#
# The maximum credit for having digits in the new password. If less than 0
# it is the minimum number of digits in the new password.
dcredit = {{pwquality_dcredit}}
#
# The maximum credit for having uppercase characters in the new password.
# If less than 0 it is the minimum number of uppercase characters in the new
# password.
ucredit = {{pwquality_ucredit}}
#
# The maximum credit for having lowercase characters in the new password.
# If less than 0 it is the minimum number of lowercase characters in the new
# password.
lcredit = {{pwquality_lcredit}}
#
# The maximum credit for having other characters in the new password.
# If less than 0 it is the minimum number of other characters in the new
# password.
ocredit = {{pwquality_ocredit}}
#
# The minimum number of required classes of characters for the new
# password (digits, uppercase, lowercase, others).
# minclass = 0
#
# The maximum number of allowed consecutive same characters in the new password.
# The check is disabled if the value is 0.
maxrepeat = {{pwquality_maxrepeat}}
#
# The maximum number of allowed consecutive characters of the same class in the
# new password.
# The check is disabled if the value is 0.
# maxclassrepeat = 0
#
# Whether to check for the words from the passwd entry GECOS string of the user.
# The check is enabled if the value is not 0.
# gecoscheck = 0
#
# Path to the cracklib dictionaries. Default is to use the cracklib default.
# dictpath =

82
packer/ansible/roles/docker/templates/sysctl.j2 Executable file
View File

@@ -0,0 +1,82 @@
#
# /etc/sysctl.conf - Configuration file for setting system variables
# See /etc/sysctl.d/ for additional system variables.
# See sysctl.conf (5) for information.
#
#kernel.domainname = example.com
# Uncomment the following to stop low-level messages on console
#kernel.printk = 3 4 1 3
###################################################################
# Functions previously found in netbase
#
# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
# Turn on Source Address Verification in all interfaces to
# prevent some spoofing attacks
#net.ipv4.conf.default.rp_filter=1
#net.ipv4.conf.all.rp_filter=1
# Uncomment the next line to enable TCP/IP SYN cookies
# See http://lwn.net/Articles/277146/
# Note: This may impact IPv6 TCP sessions too
#net.ipv4.tcp_syncookies=1
# Uncomment the next line to enable packet forwarding for IPv4
#net.ipv4.ip_forward=1
# Uncomment the next line to enable packet forwarding for IPv6
# Enabling this option disables Stateless Address Autoconfiguration
# based on Router Advertisements for this host
#net.ipv6.conf.all.forwarding=1
###################################################################
# Additional settings - these settings can improve the network
# security of the host and prevent against some network attacks
# including spoofing attacks and man in the middle attacks through
# redirection. Some network environments, however, require that these
# settings are disabled so review and enable them as needed.
#
# Do not accept ICMP redirects (prevent MITM attacks)
#net.ipv4.conf.all.accept_redirects = 0
#net.ipv6.conf.all.accept_redirects = 0
# _or_
# Accept ICMP redirects only for gateways listed in our default
# gateway list (enabled by default)
# net.ipv4.conf.all.secure_redirects = 1
#
# Do not send ICMP redirects (we are not a router)
#net.ipv4.conf.all.send_redirects = 0
#
# Do not accept IP source route packets (we are not a router)
#net.ipv4.conf.all.accept_source_route = 0
#net.ipv6.conf.all.accept_source_route = 0
#
# Log Martian Packets
#net.ipv4.conf.all.log_martians = 1
#
###################################################################
# Magic system request Key
# 0=disable, 1=enable all, >1 bitmask of sysrq functions
# See https://www.kernel.org/doc/html/latest/admin-guide/sysrq.html
# for what other values do
#kernel.sysrq=438
vm.dirty_background_ratio = 5
vm.dirty_ratio = 80
net.core.default_qdisc = fq
net.core.rmem_max = 268435456
net.core.wmem_max = 268435456
net.ipv4.conf.all.arp_announce = 2
net.ipv4.conf.all.arp_filter = 1
net.ipv4.conf.all.arp_ignore = 1
net.ipv4.conf.default.arp_filter = 1
net.ipv4.tcp_congestion_control = htcp
net.ipv4.tcp_no_metrics_save = 1
net.ipv4.tcp_rmem = 4096 87380 134217728
net.ipv4.tcp_wmem = 4096 65536 134217728

3
packer/ansible/roles/node/templates/sysctl.j2
View File

@@ -66,6 +66,9 @@
# for what other values do # for what other values do
#kernel.sysrq=438 #kernel.sysrq=438
vm.dirty_background_ratio = 5
vm.dirty_ratio = 80
net.core.default_qdisc = fq net.core.default_qdisc = fq
net.core.rmem_max = 268435456 net.core.rmem_max = 268435456
net.core.wmem_max = 268435456 net.core.wmem_max = 268435456

2
packer/ansible/roles/security-settings/files/allow_users.conf Normal file
View File

@@ -0,0 +1,2 @@
AllowUsers *@10.20.142.*
AllowUsers *@10.10.43.*

8
packer/ansible/roles/security-settings/tasks/sshd_config.yml
View File

@@ -21,3 +21,11 @@
group: root group: root
mode: 0640 mode: 0640
notify: restart sshd notify: restart sshd
#- name: SSH AllowUsers Setting
# copy:
# src: allow_users.conf
# dest: /etc/ssh/sshd_config.d/allow_users.conf
# owner: root
# group: root
# mode: 0644

2
packer/build_ami_security/command
View File

@@ -1,4 +1,4 @@
filename="datasaker-node-packer-ubuntu.pkr.hcl" filename="docker-ubuntu.pkr.hcl"
echo "packer init ${filename}" echo "packer init ${filename}"
echo "packer fmt ${filename}" echo "packer fmt ${filename}"

49
packer/build_ami_security/docker-amazon.pkr.hcl Normal file
View File

@@ -0,0 +1,49 @@
packer {
required_plugins {
amazon = {
version = ">= 0.0.2"
source = "github.com/hashicorp/amazon"
}
}
}
variable "ami_prefix" {
type = string
default = "docker-amazonlinux"
}
locals {
timestamp = regex_replace(timestamp(), "[- TZ:]", "")
}
# source 블록에는 실제 빌드할 이미지에 대한 스펙을 정의
source "amazon-ebs" "docker-amazonlinux" {
ami_name = "${var.ami_prefix}-${local.timestamp}"
instance_type = "t3.small"
region = "ap-northeast-2"
source_ami_filter {
filters = {
image-id = "ami-0eb14fe5735c13eb5"
root-device-type = "ebs"
virtualization-type = "hvm"
}
most_recent = true
owners = ["137112412989"]
}
tags = {
source_ami_name = "{{ .SourceAMIName }}"
}
ssh_username = "ec2-user"
}
build {
name = "datasaker-packer"
sources = ["source.amazon-ebs.docker-amazonlinux"]
provisioner "ansible" {
playbook_file = "../ansible/docker_roles.yaml"
user = "ec2-user"
extra_arguments = ["--become"]
ansible_env_vars = ["ANSIBLE_HOST_KEY_CHECKING=False"]
}
}

49
packer/build_ami_security/docker-ubuntu.pkr.hcl Normal file
View File

@@ -0,0 +1,49 @@
packer {
required_plugins {
amazon = {
version = ">= 0.0.2"
source = "github.com/hashicorp/amazon"
}
}
}
variable "ami_prefix" {
type = string
default = "datasaker-node-ubuntu2004"
}
locals {
timestamp = regex_replace(timestamp(), "[- TZ:]", "")
}
# source 블록에는 실제 빌드할 이미지에 대한 스펙을 정의
source "amazon-ebs" "datasaker-node-ubuntu2004" {
ami_name = "${var.ami_prefix}-${local.timestamp}"
instance_type = "t3.small"
region = "ap-northeast-2"
source_ami_filter {
filters = {
image-id = "ami-0be886bd314f8bd39"
root-device-type = "ebs"
virtualization-type = "hvm"
}
most_recent = true
owners = ["099720109477"]
}
tags = {
source_ami_name = "{{ .SourceAMIName }}"
}
ssh_username = "ubuntu"
}
build {
name = "datasaker-packer"
sources = ["source.amazon-ebs.datasaker-node-ubuntu2004"]
provisioner "ansible" {
playbook_file = "../ansible/docker_roles.yaml"
user = "ubuntu"
extra_arguments = ["--become"]
ansible_env_vars = ["ANSIBLE_HOST_KEY_CHECKING=False"]
}
}