proper application of selinux

2022-03-01 21:57:57 +01:00
parent ecbd79743e
commit e5404b6adc
5 changed files with 41 additions and 21 deletions
--- a/modules/host/locals.tf
+++ b/modules/host/locals.tf
@@ -10,12 +10,4 @@ locals {
  ssh_identity_file = var.private_key == null ? var.public_key : var.private_key
  # shared flags for ssh to ignore host keys, to use our ssh identity file for all connections during provisioning.
  ssh_args = "-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i ${local.ssh_identity_file}"
-
-  microOS_install_commands = [
-    "set -ex",
-    "apt-get update",
-    "apt-get install -y aria2",
-    "aria2c --follow-metalink=mem https://download.opensuse.org/tumbleweed/appliances/openSUSE-MicroOS.x86_64-OpenStack-Cloud.qcow2.meta4",
-    "qemu-img convert -p -f qcow2 -O host_device $(ls -a | grep -ie '^opensuse.*microos.*qcow2$') /dev/sda",
-  ]
 }
--- a/modules/host/main.tf
+++ b/modules/host/main.tf
@@ -31,14 +31,42 @@ resource "hcloud_server" "server" {

  # Install MicroOS
  provisioner "remote-exec" {
-    inline = local.microOS_install_commands
+    inline = [
+      "set -ex",
+      "apt-get update",
+      "apt-get install -y aria2",
+      "aria2c --follow-metalink=mem https://download.opensuse.org/tumbleweed/appliances/openSUSE-MicroOS.x86_64-OpenStack-Cloud.qcow2.meta4",
+      "qemu-img convert -p -f qcow2 -O host_device $(ls -a | grep -ie '^opensuse.*microos.*qcow2$') /dev/sda",
+    ]
  }

  # Issue a reboot command
  provisioner "local-exec" {
    command = "ssh ${local.ssh_args} root@${self.ipv4_address} '(sleep 2; reboot)&'; sleep 3"
  }
+  # Wait for MicroOS to reboot and be ready
+  provisioner "local-exec" {
+    command = <<-EOT
+      until ssh ${local.ssh_args} -o ConnectTimeout=2 root@${self.ipv4_address} true 2> /dev/null
+      do
+        echo "Waiting for MicroOS to reboot and become available..."
+        sleep 3
+      done
+    EOT
+  }

+  # We've rebooted into MicroOS, now we install the k3s-selinux RPM
+  provisioner "remote-exec" {
+    inline = [
+      "set -ex",
+      "transactional-update pkg install -y k3s-selinux"
+    ]
+  }
+
+  # Issue a reboot command
+  provisioner "local-exec" {
+    command = "ssh ${local.ssh_args} root@${self.ipv4_address} '(sleep 2; reboot)&'; sleep 3"
+  }
  # Wait for MicroOS to reboot and be ready
  provisioner "local-exec" {
    command = <<-EOT
--- a/modules/host/templates/boothook.sh.tpl
+++ b/modules/host/templates/boothook.sh.tpl
@@ -2,4 +2,4 @@
 #cloud-boothook

 # Fix hostname after reboot
-hostnamectl hostname "${hostname}"
+hostnamectl hostname "${hostname}"
--- a/modules/host/templates/userdata.yaml.tpl
+++ b/modules/host/templates/userdata.yaml.tpl
@@ -29,15 +29,14 @@ ssh_authorized_keys:
 %{ endfor ~}

 runcmd:
+  # Activate the private network
+  - systemctl reload network

-# Activate the private network
- systemctl reload network
+  # Activate ssh configuration
+  - systemctl reload sshd

-# Activate ssh configuration
- systemctl reload sshd
+  # Fix hostname (during first boot)
+  - hostnamectl hostname ${hostname}

-# Fix hostname (during first boot)
- hostnamectl hostname ${hostname}
-
-# Finishing automatic reboot via Kured setup
- rebootmgrctl set-strategy off
+  # Finishing automatic reboot via Kured setup
+  - rebootmgrctl set-strategy off