
User-management now creates users if they do not exist. This is to handle users that are created after this task runs. Change-Id: I12ea54dbf39d09af27fb4d944a61b9f71c3ead00
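---
# Defaults for the Airship image-builder playbooks.
#
# Almost every item below carries a `run_contexts` list naming the build
# context(s) it applies to: "{{ default_run_context }}" is the shared base
# image, "{{ qcow_run_context }}" is the QCOW-only pass. An item with no
# matching context is skipped for that build.
#
# Booleans are written as true/false throughout (PyYAML treats yes/no the
# same way, but true/false is unambiguous across YAML 1.1 and 1.2 loaders).
rootfs_root: build

default_run_context: common

qcow_run_context: qcow

user_scripts_dir_default: "/config/scripts/{{ default_run_context }}"

user_scripts_dir_qcow: "/config/scripts/{{ qcow_run_context }}"


kernel:
  modules:
    # Modules loaded at boot. br_netfilter is required here because the
    # net.bridge.bridge-nf-call-* sysctls further down only exist once it
    # is loaded; the ip_vs_* modules back kube-proxy's IPVS mode.
    load:
      - name: 8021q
      - name: bonding
      - name: ip_vs
      - name: ip_vs_rr
      - name: ip_vs_wrr
      - name: ip_vs_sh
      - name: br_netfilter
    # Modules that must never be auto-loaded.
    blacklist:
      - name: krbd


banners:
  # Pre-login banner. The backslash sequences are getty escapes (\l tty,
  # \n hostname, \o domain, \s/\m/\r/\v kernel name/arch/release/version,
  # \4 IPv4 address). NOTE(review): kernel release and IP are shown before
  # authentication; trim \r \v \4 on images where that disclosure matters.
  login: |
    Airship Node \l: \n.\o
    Kernel: \s \m \r \v
    IP address: \4
  # Post-login message; installed as an executable motd script.
  motd: |
    #!/bin/sh
    . /etc/lsb-release
    printf "Airship Node, based on: %s (%s %s %s)\n" "$DISTRIB_DESCRIPTION" "$(uname -o)" "$(uname -r)" "$(uname -m)"


kubelet:
  # Add only image-builder appropriate kubelet args here.
  # Add all others to kubeadmcontrolplane.yaml
  extra_systemd_args: []
  #- name: reserved-cpus
  #  value: '0-3'


grub:
  GRUB_TIMEOUT: 10
  # Rendered as name=value pairs on the kernel command line.
  GRUB_CMDLINE_LINUX_DEFAULT:
    # Serial console first so it receives early boot output; tty0 second.
    - name: console
      value: 'ttyS0,115200n8'
    - name: console
      value: 'tty0'
    # IOMMU on both vendors, passthrough mode for host devices.
    - name: amd_iommu
      value: 'on'
    - name: intel_iommu
      value: 'on'
    - name: iommu
      value: 'pt'
    - name: cgroup_disable
      value: 'hugetlb'
    # NOTE(review): dpdk-socket-mem is not a kernel parameter; presumably a
    # DPDK/OVS hook reads it back from /proc/cmdline -- confirm before
    # relying on it.
    - name: dpdk-socket-mem
      value: '4096,4096'
    - name: rcu_nocb_poll
      value: 'true'
  # Arguments for the GRUB `serial` command.
  # NOTE(review): `speed` carries a full console spec rather than a bare
  # baud rate; confirm how the grub template consumes this value.
  GRUB_SERIAL_COMMAND:
    - name: speed
      value: 'ttyS0,115200n8'
    - name: unit
      value: '0'
    - name: word
      value: '8'
    - name: parity
      value: 'no'
    - name: stop
      value: '1'


kdump_tools:
  # Memory reserved for the crash kernel (pairs with kernel.panic below).
  crashkernel: '768M'


# pam_limits entries. Values are kept as strings so a loader never retypes
# them. `domain: '0:'` is pam_limits range syntax (uid 0 and above), i.e.
# every account including root.
limits:
  # Disable process core dumps for everyone (hard limit, cannot be raised
  # by unprivileged users). Note that a piped kernel.core_pattern handler
  # (systemd-coredump, apport) is not bounded by RLIMIT_CORE, so this is
  # only a complete control when core_pattern writes to a file.
  - name: core_dump
    domain: '0:'
    type: 'hard'
    item: 'core'
    value: '0'
  - name: nofile-root-soft
    domain: 'root'
    type: 'soft'
    item: 'nofile'
    value: '65536'
  - name: nofile-root-hard
    domain: 'root'
    type: 'hard'
    item: 'nofile'
    value: '1048576'
  - name: nofile-all-soft
    domain: '*'
    type: 'soft'
    item: 'nofile'
    value: '65536'
  - name: nofile-all-hard
    domain: '*'
    type: 'hard'
    item: 'nofile'
    value: '1048576'


sysctl:
  # Bridged traffic must traverse iptables for kube-proxy/CNI policy;
  # requires the br_netfilter module listed under kernel.modules.load.
  - name: net.bridge.bridge-nf-call-ip6tables
    value: '1'
  - name: net.bridge.bridge-nf-call-iptables
    value: '1'
  - name: net.nf_conntrack_max
    value: '1048576'
  # Reboot 3 seconds after a panic (after kdump has captured the crash).
  - name: kernel.panic
    value: '3'
  - name: kernel.pid_max
    value: '4194303'
  # Accept unsolicited/gratuitous ARP replies. Presumably needed for VIP
  # failover (VRRP-style announcements); it also widens exposure to ARP
  # spoofing on an untrusted L2 segment -- keep the node network trusted.
  - name: net.ipv4.conf.default.arp_accept
    value: '1'
  - name: net.ipv4.conf.all.arp_accept
    value: '1'
  # Aggressive keepalive / retransmit tuning so dead peers are detected
  # quickly.
  - name: net.ipv4.tcp_keepalive_intvl
    value: '15'
  - name: net.ipv4.tcp_keepalive_time
    value: '30'
  - name: net.ipv4.tcp_keepalive_probes
    value: '8'
  - name: net.ipv4.tcp_retries2
    value: '5'
  - name: net.ipv4.neigh.default.gc_thresh1
    value: '4096'
  - name: net.ipv4.neigh.default.gc_thresh3
    value: '16384'
  # Loose reverse-path filtering (2) on *new* interfaces only; `all` is
  # left at the distro default. Loose mode is weaker than strict (1) but
  # is what several CNIs expect for asymmetric pod routing.
  - name: net.ipv4.conf.default.rp_filter
    value: '2'
  # Do not accept IPv6 router advertisements: addresses/routes must come
  # from configuration, not from anything on the wire.
  - name: net.ipv6.conf.all.accept_ra
    value: '0'
  - name: net.ipv6.conf.default.accept_ra
    value: '0'
  - name: net.ipv6.conf.lo.accept_ra
    value: '0'
  # IPv6 stays enabled on loopback.
  - name: net.ipv6.conf.lo.disable_ipv6
    value: '0'
  - name: net.netfilter.nf_conntrack_acct
    value: '1'
  # Setuid processes must not dump core: their memory can hold credentials
  # and key material. 0 is the kernel default and matches the hard
  # `core 0` limit above; the previous value here was 2 (dump to a
  # root-owned absolute path), which only makes sense for crash-reporting
  # of privileged binaries.
  - name: fs.suid_dumpable
    value: '0'
  - name: fs.inotify.max_user_watches
    value: '1048576'
  # Refuse hard/symlink tricks in world-writable sticky directories.
  - name: fs.protected_hardlinks
    value: '1'
  - name: fs.protected_symlinks
    value: '1'
  # SysRq bitmask: 8 enables only the task/debug dump keys, not the
  # reboot, kill or remount functions.
  - name: kernel.sysrq
    value: '8'


# Any directories to create on disk can be defined here
directories:
  # Full path of the directory to create. `/testdir` is a sample entry.
  - name: /testdir
    permissions: '0755'
    owner: root
    group: root
    # The contexts where this operation is performed
    # {{ default_run_context }} = part of shared base image
    # qcow = is performed for QCOW but not ephemeral (unless
    # combined with previous item)
    run_contexts:
      - "{{ default_run_context }}"


# Any files to write to disk can be defined here
files:
  # Full path to file to create. `/testdir/test.sh` is a sample entry.
  - name: /testdir/test.sh
    file_content: |
      #!/bin/bash
      echo hello world
    permissions: '0755'
    owner: root
    group: root
    # The contexts where this operation is performed
    # {{ default_run_context }} = part of shared base image
    # qcow = is performed for QCOW but not ephemeral (unless
    # combined with previous item)
    run_contexts:
      - "{{ default_run_context }}"


systemd:
  # Full name, including systemd suffix. sample.service. sample.mount, sample.timer, etc.
  - name: sample.service
    file_content: |
      [Unit]
      Description=sample service
      After=network.target

      [Service]
      ExecStart=/bin/sleep infinity

      [Install]
      WantedBy=multi-user.target
    # whether the target image should run this service on boot
    enabled: true
    # whether to override existing symlinks (e.g. name collision).
    # Use only if you are intending to overwrite an existing systemd unit
    force: false
    # The contexts where this operation is performed
    # {{ default_run_context }} = part of shared base image
    # qcow = is performed for QCOW but not ephemeral (unless
    # combined with previous item)
    run_contexts:
      - "{{ default_run_context }}"


# If any custom shell scripts are needed for image building, they can be added here.
# Scripts run as root inside the image build, so treat their content as
# part of the image's trusted code.
user_scripts:
  - file_content: |
      #!/bin/bash
      echo "custom container buildtime script"
    # The contexts where this operation is performed
    # {{ default_run_context }} = part of shared base image
    # qcow = is performed for QCOW but not ephemeral (unless
    # combined with previous item)
    run_contexts:
      - "{{ default_run_context }}"


# Any other adjustments to file or directory permissions, for files that already exist.
file_permissions:
  # Full path of the existing file to adjust. This sample tightens the
  # script written under `files` above from 0755 to 0700.
  - name: /testdir/test.sh
    permissions: '0700'
    owner: root
    group: root
    # The contexts where this operation is performed
    # {{ default_run_context }} = part of shared base image
    # qcow = is performed for QCOW but not ephemeral (unless
    # combined with previous item)
    run_contexts:
      - "{{ default_run_context }}"

# Set password and login shell for existing users
# Mainly intended to lock down system users
# Creates user if does not exist
#
# Keep `password: ''` paired with `password_lock: true`: an empty,
# unlocked password field in /etc/shadow means no password is required
# at all, while the lock turns it into a disabled credential. A
# non-interactive shell (/bin/false) blocks interactive login even if the
# lock is ever removed.
# NOTE(review): `test` is a sample entry; because this task now creates
# missing users it will add a `test` account to every image -- replace it
# with the real system accounts you intend to lock down.
user_management:
  - name: test
    shell: /bin/false
    password: ''
    password_lock: true
    run_contexts:
      - "{{ default_run_context }}"

# If any required resources need to be fetched from URL for image build customization, they can be added here.
# Downloaded resources can be found in /tmp/url_resources directory.
# The schema shown here has no checksum field, so restrict sources to
# trusted HTTPS origins and verify downloaded artifacts in a user_script
# before installing them into the image.
# Example:-
# fetch_from_url:
# - url: https://www.example.com/resource.tar.gz
#   use_proxy: false
fetch_from_url: []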