proper application of selinux
This commit is contained in:
parent
ecbd79743e
commit
e5404b6adc
@ -145,9 +145,10 @@ locals {
|
|||||||
"[ -e /etc/rancher/k3s/k3s.yaml ] && exit 0",
|
"[ -e /etc/rancher/k3s/k3s.yaml ] && exit 0",
|
||||||
]
|
]
|
||||||
|
|
||||||
install_k3s_server = concat(local.common_commands_install_k3s, ["curl -sfL https://get.k3s.io | INSTALL_K3S_SKIP_START=true INSTALL_K3S_CHANNEL=${var.initial_k3s_channel} INSTALL_K3S_EXEC=server sh -"])
|
k3s_selinux_apply = ["chcon -u system_u -r object_r -t container_runtime_exec_t /usr/local/bin/k3s"]
|
||||||
|
|
||||||
install_k3s_agent = concat(local.common_commands_install_k3s, ["curl -sfL https://get.k3s.io | INSTALL_K3S_SKIP_START=true INSTALL_K3S_CHANNEL=${var.initial_k3s_channel} INSTALL_K3S_EXEC=agent sh -"])
|
install_k3s_server = concat(local.common_commands_install_k3s, ["curl -sfL https://get.k3s.io | INSTALL_K3S_SKIP_START=true INSTALL_K3S_SKIP_SELINUX_RPM=true INSTALL_K3S_CHANNEL=${var.initial_k3s_channel} INSTALL_K3S_EXEC=server sh -"], local.k3s_selinux_apply)
|
||||||
|
install_k3s_agent = concat(local.common_commands_install_k3s, ["curl -sfL https://get.k3s.io | INSTALL_K3S_SKIP_START=true INSTALL_K3S_SKIP_SELINUX_RPM=true INSTALL_K3S_CHANNEL=${var.initial_k3s_channel} INSTALL_K3S_EXEC=agent sh -"], local.k3s_selinux_apply)
|
||||||
|
|
||||||
agent_nodepools = merge([
|
agent_nodepools = merge([
|
||||||
for nodepool_name, nodepool_obj in var.agent_nodepools : {
|
for nodepool_name, nodepool_obj in var.agent_nodepools : {
|
||||||
|
@ -10,12 +10,4 @@ locals {
|
|||||||
ssh_identity_file = var.private_key == null ? var.public_key : var.private_key
|
ssh_identity_file = var.private_key == null ? var.public_key : var.private_key
|
||||||
# shared flags for ssh to ignore host keys, to use our ssh identity file for all connections during provisioning.
|
# shared flags for ssh to ignore host keys, to use our ssh identity file for all connections during provisioning.
|
||||||
ssh_args = "-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i ${local.ssh_identity_file}"
|
ssh_args = "-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i ${local.ssh_identity_file}"
|
||||||
|
|
||||||
microOS_install_commands = [
|
|
||||||
"set -ex",
|
|
||||||
"apt-get update",
|
|
||||||
"apt-get install -y aria2",
|
|
||||||
"aria2c --follow-metalink=mem https://download.opensuse.org/tumbleweed/appliances/openSUSE-MicroOS.x86_64-OpenStack-Cloud.qcow2.meta4",
|
|
||||||
"qemu-img convert -p -f qcow2 -O host_device $(ls -a | grep -ie '^opensuse.*microos.*qcow2$') /dev/sda",
|
|
||||||
]
|
|
||||||
}
|
}
|
||||||
|
@ -31,14 +31,42 @@ resource "hcloud_server" "server" {
|
|||||||
|
|
||||||
# Install MicroOS
|
# Install MicroOS
|
||||||
provisioner "remote-exec" {
|
provisioner "remote-exec" {
|
||||||
inline = local.microOS_install_commands
|
inline = [
|
||||||
|
"set -ex",
|
||||||
|
"apt-get update",
|
||||||
|
"apt-get install -y aria2",
|
||||||
|
"aria2c --follow-metalink=mem https://download.opensuse.org/tumbleweed/appliances/openSUSE-MicroOS.x86_64-OpenStack-Cloud.qcow2.meta4",
|
||||||
|
"qemu-img convert -p -f qcow2 -O host_device $(ls -a | grep -ie '^opensuse.*microos.*qcow2$') /dev/sda",
|
||||||
|
]
|
||||||
}
|
}
|
||||||
|
|
||||||
# Issue a reboot command
|
# Issue a reboot command
|
||||||
provisioner "local-exec" {
|
provisioner "local-exec" {
|
||||||
command = "ssh ${local.ssh_args} root@${self.ipv4_address} '(sleep 2; reboot)&'; sleep 3"
|
command = "ssh ${local.ssh_args} root@${self.ipv4_address} '(sleep 2; reboot)&'; sleep 3"
|
||||||
}
|
}
|
||||||
|
# Wait for MicroOS to reboot and be ready
|
||||||
|
provisioner "local-exec" {
|
||||||
|
command = <<-EOT
|
||||||
|
until ssh ${local.ssh_args} -o ConnectTimeout=2 root@${self.ipv4_address} true 2> /dev/null
|
||||||
|
do
|
||||||
|
echo "Waiting for MicroOS to reboot and become available..."
|
||||||
|
sleep 3
|
||||||
|
done
|
||||||
|
EOT
|
||||||
|
}
|
||||||
|
|
||||||
|
# We've rebooted into MicroOS, now we install the k3s-selinux RPM
|
||||||
|
provisioner "remote-exec" {
|
||||||
|
inline = [
|
||||||
|
"set -ex",
|
||||||
|
"transactional-update pkg install -y k3s-selinux"
|
||||||
|
]
|
||||||
|
}
|
||||||
|
|
||||||
|
# Issue a reboot command
|
||||||
|
provisioner "local-exec" {
|
||||||
|
command = "ssh ${local.ssh_args} root@${self.ipv4_address} '(sleep 2; reboot)&'; sleep 3"
|
||||||
|
}
|
||||||
# Wait for MicroOS to reboot and be ready
|
# Wait for MicroOS to reboot and be ready
|
||||||
provisioner "local-exec" {
|
provisioner "local-exec" {
|
||||||
command = <<-EOT
|
command = <<-EOT
|
||||||
|
@ -29,7 +29,6 @@ ssh_authorized_keys:
|
|||||||
%{ endfor ~}
|
%{ endfor ~}
|
||||||
|
|
||||||
runcmd:
|
runcmd:
|
||||||
|
|
||||||
# Activate the private network
|
# Activate the private network
|
||||||
- systemctl reload network
|
- systemctl reload network
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user