drycc
diff --git a/‎contrib/linode/.gitignore‎
Lines changed: 1 addition & 0 deletions b/‎contrib/linode/.gitignore‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎contrib/linode/README.md‎
Lines changed: 3 additions & 0 deletions b/‎contrib/linode/README.md‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎contrib/linode/apply-firewall.py‎
Lines changed: 214 additions & 0 deletions b/‎contrib/linode/apply-firewall.py‎
Lines changed: 214 additions & 0 deletions
diff --git a/‎contrib/linode/create-linode-user-data.py‎
Lines changed: 128 additions & 0 deletions b/‎contrib/linode/create-linode-user-data.py‎
Lines changed: 128 additions & 0 deletions
diff --git a/‎contrib/linode/linode-user-data-template.yaml‎
Lines changed: 46 additions & 0 deletions b/‎contrib/linode/linode-user-data-template.yaml‎
Lines changed: 46 additions & 0 deletions
@@ -0,0 +1 @@
+linode-user-data.yaml
@@ -0,0 +1,3 @@
+# Provision a Deis Cluster on Linode
+
+Please refer to the instructions at http://docs.deis.io/en/latest/installing_deis/linode/.
@@ -0,0 +1,214 @@
+#!/usr/bin/env python
+"""
+Apply a "Security Group" to the members of an etcd cluster.
+
+Usage: apply-firewall.py
+"""
+import os
+import re
+import string
+import argparse
+from threading import Thread
+import uuid
+
+import colorama
+from colorama import Fore, Style
+import paramiko
+import requests
+import sys
+import yaml
+
+
+def get_nodes_from_args(args):
+    if args.discovery_url is not None:
+        return get_nodes_from_discovery_url(args.discovery_url)
+
+    return get_nodes_from_discovery_url(get_discovery_url_from_user_data())
+
+
+def get_nodes_from_discovery_url(discovery_url):
+    try:
+        nodes = []
+        json = requests.get(discovery_url).json()
+        discovery_nodes = json['node']['nodes']
+        for node in discovery_nodes:
+            value = node['value']
+            ip = re.search('([0-9]{1,3}\.){3}[0-9]{1,3}', value).group(0)
+            nodes.append(ip)
+        return nodes
+    except:
+        raise IOError('Could not load nodes from discovery url ' + discovery_url)
+
+
+def get_discovery_url_from_user_data():
+    name = 'linode-user-data.yaml'
+    log_info('Loading discovery url from ' + name)
+    try:
+        current_dir = os.path.dirname(__file__)
+        user_data_file = file(os.path.abspath(os.path.join(current_dir, name)), 'r')
+        user_data = yaml.safe_load(user_data_file)
+        return user_data['coreos']['etcd']['discovery']
+    except:
+        raise IOError('Could not load discovery url from ' + name)
+
+
+def validate_ip_address(ip):
+    return True if re.match('([0-9]{1,3}\.){3}[0-9]{1,3}', ip) else False
+
+
+def get_firewall_contents(node_ips, private=False):
+    rules_template_text = """*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+:DOCKER - [0:0]
+:Firewall-INPUT - [0:0]
+-A INPUT -j Firewall-INPUT
+-A FORWARD -j Firewall-INPUT
+-A Firewall-INPUT -i lo -j ACCEPT
+-A Firewall-INPUT -p icmp --icmp-type echo-reply -j ACCEPT
+-A Firewall-INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
+-A Firewall-INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
+# Ping
+-A Firewall-INPUT -p icmp --icmp-type echo-request -j ACCEPT
+# Accept any established connections
+-A Firewall-INPUT -m conntrack --ctstate  ESTABLISHED,RELATED -j ACCEPT
+# Enable the traffic between the nodes of the cluster
+-A Firewall-INPUT -s $node_ips -j ACCEPT
+# Allow connections from docker container
+-A Firewall-INPUT -i docker0 -j ACCEPT
+# Accept ssh, http, https and git
+-A Firewall-INPUT -m conntrack --ctstate NEW -m multiport$multiport_private -p tcp --dports 22,2222,80,443 -j ACCEPT
+# Log and drop everything else
+-A Firewall-INPUT -j REJECT
+COMMIT
+"""
+
+    multiport_private = ' -s 192.168.0.0/16' if private else ''
+
+    rules_template = string.Template(rules_template_text)
+    return rules_template.substitute(node_ips=string.join(node_ips, ','), multiport_private=multiport_private)
+
+
+def apply_rules_to_all(host_ips, rules, private_key):
+    pkey = detect_and_create_private_key(private_key)
+
+    threads = []
+    for ip in host_ips:
+        t = Thread(target=apply_rules, args=(ip, rules, pkey))
+        t.setDaemon(False)
+        t.start()
+        threads.append(t)
+    for thread in threads:
+        thread.join()
+
+
+def detect_and_create_private_key(private_key):
+    private_key_text = private_key.read()
+    private_key.seek(0)
+    if '-----BEGIN RSA PRIVATE KEY-----' in private_key_text:
+        return paramiko.RSAKey.from_private_key(private_key)
+    elif '-----BEGIN DSA PRIVATE KEY-----' in private_key_text:
+        return paramiko.DSSKey.from_private_key(private_key)
+    else:
+        raise ValueError('Invalid private key file ' + private_key.name)
+
+
+def apply_rules(host_ip, rules, private_key):
+    # connect to the server via ssh
+    ssh = paramiko.SSHClient()
+    ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
+    ssh.connect(host_ip, username='core', allow_agent=False, look_for_keys=False, pkey=private_key)
+
+    # copy the rules to the temp directory
+    temp_file = '/tmp/' + str(uuid.uuid4())
+
+    ssh.open_sftp()
+    sftp = ssh.open_sftp()
+    sftp.open(temp_file, 'w').write(rules)
+
+    # move the rules in to place and enable and run the iptables-restore.service
+    commands = [
+        'sudo mv ' + temp_file + ' /var/lib/iptables/rules-save',
+        'sudo chown root:root /var/lib/iptables/rules-save',
+        'sudo systemctl enable iptables-restore.service',
+        'sudo systemctl start iptables-restore.service'
+    ]
+
+    for command in commands:
+        stdin, stdout, stderr = ssh.exec_command(command)
+        stdout.channel.recv_exit_status()
+
+    ssh.close()
+
+    log_success('Applied rule to ' + host_ip)
+
+
+def main():
+    colorama.init()
+
+    parser = argparse.ArgumentParser(description='Apply a "Security Group" to a Deis cluster')
+    parser.add_argument('--private-key', required=True, type=file, dest='private_key', help='Cluster SSH Private Key')
+    parser.add_argument('--private', action='store_true', dest='private', help='Only allow access to the cluster from the private network')
+    parser.add_argument('--discovery-url', dest='discovery_url', help='Etcd discovery url')
+    parser.add_argument('--hosts', nargs='+', dest='hosts', help='The IP addresses of the hosts to apply rules to')
+    args = parser.parse_args()
+
+    nodes = get_nodes_from_args(args)
+    hosts = args.hosts if args.hosts is not None else nodes
+
+    node_ips = []
+    for ip in nodes:
+        if validate_ip_address(ip):
+            node_ips.append(ip)
+        else:
+            log_warning('Invalid IP will not be added to security group: ' + ip)
+
+    if not len(node_ips) > 0:
+        raise ValueError('No valid IP addresses in security group.')
+
+    host_ips = []
+    for ip in hosts:
+        if validate_ip_address(ip):
+            host_ips.append(ip)
+        else:
+            log_warning('Host has invalid IP address: ' + ip)
+
+    if not len(host_ips) > 0:
+        raise ValueError('No valid host addresses.')
+
+    log_info('Generating iptables rules...')
+    rules = get_firewall_contents(node_ips, args.private)
+    log_success('Generated rules:')
+    log_debug(rules)
+
+    log_info('Applying rules...')
+    apply_rules_to_all(host_ips, rules, args.private_key)
+    log_success('Done!')
+
+
+def log_debug(message):
+    print(Style.DIM + Fore.MAGENTA + message + Fore.RESET + Style.RESET_ALL)
+
+
+def log_info(message):
+    print(Fore.CYAN + message + Fore.RESET)
+
+
+def log_warning(message):
+    print(Fore.YELLOW + message + Fore.RESET)
+
+
+def log_success(message):
+    print(Style.BRIGHT + Fore.GREEN + message + Fore.RESET + Style.RESET_ALL)
+
+
+def log_error(message):
+    print(Style.BRIGHT + Fore.RED + message + Fore.RESET + Style.RESET_ALL)
+
+if __name__ == "__main__":
+    try:
+        main()
+    except Exception as e:
+        log_error(e.message)
+        sys.exit(1)
@@ -0,0 +1,128 @@
+#!/usr/bin/env python
+"""
+Create CoreOS user-data by merging contrib/coreos/user-data and contrib/linode/linode-user-data-template
+
+Usage: create-linode-user-data.py
+"""
+import base64
+import sys
+import os
+import collections
+import argparse
+
+import yaml
+import colorama
+from colorama import Fore, Style
+import requests
+
+
+def combine_dicts(orig_dict, new_dict):
+    for key, val in new_dict.iteritems():
+        if isinstance(val, collections.Mapping):
+            tmp = combine_dicts(orig_dict.get(key, {}), val)
+            orig_dict[key] = tmp
+        elif isinstance(val, list):
+            orig_dict[key] = (orig_dict.get(key, []) + val)
+        else:
+            orig_dict[key] = new_dict[key]
+    return orig_dict
+
+
+def get_file(name, mode="r", abspath=False):
+    current_dir = os.path.dirname(__file__)
+
+    if abspath:
+        return file(os.path.abspath(os.path.join(current_dir, name)), mode)
+    else:
+        return file(os.path.join(current_dir, name), mode)
+
+
+def main():
+    colorama.init()
+
+    parser = argparse.ArgumentParser(description='Create Linode User Data')
+    parser.add_argument('--public-key', action='append', required=True, type=file, dest='public_key_files', help='Authorized SSH Keys')
+    parser.add_argument('--etcd-token', required=False, default=None, dest='etcd_token', help='Etcd Token')
+    args = parser.parse_args()
+
+    etcd_token = args.etcd_token
+    if etcd_token is None:
+        etcd_token = generate_etcd_token()
+    else:
+        if not validate_etcd_token(args.etcd_token):
+            raise ValueError('Invalid Etcd Token. You can generate a new token at https://discovery.etcd.io/new.')
+
+    public_keys = []
+    for public_key_file in args.public_key_files:
+        public_key = public_key_file.read()
+        if validate_public_key(public_key):
+            public_keys.append(public_key)
+        else:
+            log_warning('Invalid public key: ' + public_key_file.name)
+
+    if not len(public_keys) > 0:
+        raise ValueError('Must supply at least one valid public key')
+
+    linode_user_data = get_file("linode-user-data.yaml", "w", True)
+    linode_template = get_file("linode-user-data-template.yaml")
+    coreos_template = get_file("../coreos/user-data.example")
+
+    configuration_linode_template = yaml.safe_load(linode_template)
+    configuration_coreos_template = yaml.safe_load(coreos_template)
+
+    configuration = combine_dicts(configuration_coreos_template, configuration_linode_template)
+    configuration['coreos']['etcd']['discovery'] = 'https://discovery.etcd.io/' + str(etcd_token)
+    configuration['ssh_authorized_keys'] = public_keys
+
+    with linode_user_data as outfile:
+        outfile.write("#cloud-config\n\n" + yaml.safe_dump(configuration, default_flow_style=False, default_style='|'))
+        log_success('Wrote Linode user data to ' + linode_user_data.name)
+
+
+def validate_public_key(key):
+    try:
+        type, key_string, comment = key.split()
+        data = base64.decodestring(key_string)
+        return data[4:11] == type
+    except:
+        return False
+
+
+def generate_etcd_token():
+    log_info('Generating new Etcd token...')
+    data = requests.get('https://discovery.etcd.io/new').text
+    token = data.replace('https://discovery.etcd.io/', '')
+    log_success('Generated new token: ' + token)
+    return token
+
+
+def validate_etcd_token(token):
+    try:
+        int(token, 16)
+        return True
+    except:
+        return False
+
+
+def log_info(message):
+    print(Fore.CYAN + message + Fore.RESET)
+
+
+def log_warning(message):
+    print(Fore.YELLOW + message + Fore.RESET)
+
+
+def log_success(message):
+    print(Style.BRIGHT + Fore.GREEN + message + Fore.RESET + Style.RESET_ALL)
+
+
+def log_error(message):
+    print(Style.BRIGHT + Fore.RED + message + Fore.RESET + Style.RESET_ALL)
+
+
+if __name__ == "__main__":
+    try:
+        main()
+    except Exception as e:
+        log_error(e.message)
+        sys.exit(1)
@@ -0,0 +1,46 @@
+#cloud-config
+hostname: $hostname
+coreos:
+  fleet:
+    metadata: name=%H
+  units:
+  - name: 00-eth0.network
+    runtime: false
+    content: |
+      [Match]
+      Name=eth0
+
+      [Network]
+      Address=$public_ipv4/24
+      Address=$private_ipv4/17
+      Gateway=$gateway.1
+      DNS=72.14.179.5
+      DNS=8.8.8.8
+      DNS=208.67.222.222
+  - name: disable-ipv6.service
+    command: start
+    content: |
+      [Unit]
+      Description=Disable IPv6. The notion of a security group does not exist on Linode. To make firewalling each Linode easier, disable IPv6.
+      Before=network.target
+
+      [Service]
+      Type=oneshot
+      ExecStart=/bin/sh -c "sysctl -w net.ipv6.conf.all.disable_ipv6=1"
+    # use ntpd rather than timesyncd. timesyncd was not keeping the nodes close enough to keep ceph happy
+  - name: systemd-timesyncd.service
+    command: stop
+    mask: true
+  - name: ntpd.service
+    command: start
+    enable: true
+write_files:
+  - path: /etc/environment
+    content: |
+      COREOS_PUBLIC_IPV4=$public_ipv4
+      COREOS_PRIVATE_IPV4=$private_ipv4
+  - path: /etc/systemd/system/ntpd.service.d/debug.conf
+    content: |
+      [Service]
+      ExecStart=
+      ExecStart=/usr/sbin/ntpd -g -n -f /var/lib/ntp/ntp.drift
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+# Provision a Deis Cluster on Linode`
	`2`	`+`
	`3`	`+Please refer to the instructions at http://docs.deis.io/en/latest/installing_deis/linode/.`