x/compass-install
Code Issues Proposed changes

Add build for cobbler

Browse Source 
also add a dhcp-relay restart to debian host

Change-Id: Ib4184a615369707d5aea366814d0f0a71f745ec8
This commit is contained in:
Xicheng Chang 2015-03-19 14:11:11 -07:00
parent 31a3c755f4
commit b2a8f417a3
12 changed files with 1079 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

140
docker/build/cobbler/Dockerfile Normal file
View File

@ -0,0 +1,140 @@
FROM centos:centos6
ADD conf/setup.conf /tmp/setup.conf
ADD conf/cobbler_web.conf /etc/httpd/conf.d/cobbler_web.conf
ADD conf/ssl.conf /etc/httpd/conf.d/ssl.conf
ADD conf/tftpd.template /etc/cobbler/tftpd.template
ADD conf/modules.conf /etc/cobbler/modules.conf
ADD conf/distributions /tmp/distributions
ADD conf/dhcp.template /etc/cobbler/dhcp.template
RUN chmod +x /tmp/setup.conf
# add epel repo and atomic(for installing reprepro: a command tool to build debian repos) repo
RUN source /tmp/setup.conf && \
rpm -Uvh $EPEL7 && \
sed -i 's/^mirrorlist=https/mirrorlist=http/g' /etc/yum.repos.d/epel.repo && \
rpm -Uvh $ATOMIC && \
sed -i 's/^mirrorlist=https/mirrorlist=http/g' /etc/yum.repos.d/atomic.repo
RUN yum clean all && \
yum update -y --skip-broken && \
yum install -y syslinux bind rsync dhcp xinetd tftp-server gcc httpd cobbler cobbler-web createrepo mkisofs python-cheetah python-simplejson python-urlgrabber PyYAML PyYAML Django cman pykickstart reprepro git wget debmirror cman openssl openssl098e
# configure cobbler web and ssl
RUN mkdir -p /root/backup/cobbler && \
cp -rn /etc/httpd/conf.d /root/backup/cobbler && \
chmod 644 /etc/httpd/conf.d/cobbler_web.conf && \
chmod 644 /etc/httpd/conf.d/ssl.conf
# update tftpd template
RUN chmod 644 /etc/cobbler/tftpd.template
# update modules conf
RUN chmod 644 /etc/cobbler/modules.conf
# setup cobbler default web username password: cobbler/cobbler
RUN (echo -n "cobbler:Cobbler:" && echo -n "cobbler:Cobbler:cobbler" | md5sum - | cut -d' ' -f1) > /etc/cobbler/users.digest
# get adapters code
WORKDIR /root/
RUN git clone -b dev/experimental https://git.openstack.org/stackforge/compass-adapters.git && \
cp -rn /var/lib/cobbler/snippets /root/backup/cobbler/ && \
cp -rn /var/lib/cobbler/scripts /root/backup/cobbler && \
cp -rn /var/lib/cobbler/kickstarts/ /root/backup/cobbler/ && \
cp -rn /var/lib/cobbler/triggers /root/backup/cobbler/ && \
rm -rf /var/lib/cobbler/snippets/* && \
cp -rf compass-adapters/cobbler/snippets/* /var/lib/cobbler/snippets/ && \
cp -rf compass-adapters/cobbler/scripts/* /var/lib/cobbler/scripts/ && \
cp -rf compass-adapters/cobbler/triggers/* /var/lib/cobbler/triggers/ && \
chmod 777 /var/lib/cobbler/snippets && \
chmod 777 /var/lib/cobbler/scripts && \
chmod -R 666 /var/lib/cobbler/snippets/* && \
chmod -R 666 /var/lib/cobbler/scripts/* && \
chmod -R 755 /var/lib/cobbler/triggers && \
rm -f /var/lib/cobbler/kickstarts/default.ks && \
rm -f /var/lib/cobbler/kickstarts/default.seed && \
cp -rf compass-adapters/cobbler/kickstarts/default.ks /var/lib/cobbler/kickstarts/ && \
cp -rf compass-adapters//cobbler/kickstarts/default.seed /var/lib/cobbler/kickstarts/ && \
chmod 666 /var/lib/cobbler/kickstarts/default.ks && \
chmod 666 /var/lib/cobbler/kickstarts/default.seed && \
mkdir -p /var/www/cblr_ks && \
chmod 755 /var/www/cblr_ks && \
cp -rf compass-adapters/cobbler/conf/cobbler.conf /etc/httpd/conf.d/ && \
chmod 644 /etc/httpd/conf.d/cobbler.conf && \
export passwd=$(openssl passwd -1 -salt 'huawei' '123456') && \
sed -i "s,^default_password_crypted:[ \t]\+\"\(.*\)\",default_password_crypted: \"$cobbler_passwd\",g" /etc/cobbler/settings && \
chmod 644 /etc/cobbler/settings
# disable selinux
RUN echo 0 > /selinux/enforce
# create log dirs
RUN mkdir -p /var/log/cobbler && \
mkdir -p /var/log/cobbler/tasks && \
mkdir -p /var/log/cobbler/anamon && \
chmod -R 777 /var/log/cobbler
# create centos ppa repo dir
RUN rm -rf /var/lib/cobbler/repo_mirror/centos_ppa_repo && \
mkdir -p /var/lib/cobbler/repo_mirror/centos_ppa_repo
# download centos repo pkgs
WORKDIR /var/lib/cobbler/repo_mirror/centos_ppa_repo
ADD conf/setup.conf /tmp/setup.conf
RUN source /tmp/setup.conf && \
wget $NTP && \
wget $SSH_CLIENTS && \
wget $OPENSSH && \
wget $IPROUTE && \
wget $WGET && \
wget $NTPDATE && \
wget $YUM_PRIORITIES && \
wget $JSONC && \
wget $LIBESTR && \
wget $LIBGT && \
wget $LIBLOGGING && \
wget $RSYSLOG && \
wget $CHEF_CLIENT_CENTOS
# creating ubuntu repo
RUN rm -rf /var/lib/cobbler/repo_mirror/ubuntu_ppa_repo && \
mkdir -p /var/lib/cobbler/repo_mirror/ubuntu_ppa_repo/conf && \
mv /tmp/distributions /var/lib/cobbler/repo_mirror/ubuntu_ppa_repo/conf/distributions && \
chmod 644 /var/lib/cobbler/repo_mirror/ubuntu_ppa_repo/conf/distributions && \
wget -O /var/lib/cobbler/repo_mirror/ubuntu_ppa_repo/chef_11.8.0-1.ubuntu.12.04_amd64.deb http://opscode-omnibus-packages.s3.amazonaws.com/ubuntu/12.04/x86_64/chef_11.8.0-1.ubuntu.12.04_amd64.deb
# create repos
WORKDIR /var/lib/cobbler/repo_mirror
RUN createrepo centos_ppa_repo && \
find ubuntu_ppa_repo -name \*.deb -exec reprepro -Vb ubuntu_ppa_repo includedeb ppa {} \;
# add repos to cobbler repo and get loaders
RUN /usr/sbin/apachectl -k start && \
/usr/bin/cobblerd start \& && \
cobbler repo add --mirror=/var/lib/cobbler/repo_mirror/centos_ppa_repo --name=centos_ppa_repo --mirror-locally=Y --arch=x86_64 && \
cobbler repo add --mirror=/var/lib/cobbler/repo_mirror/ubuntu_ppa_repo --name=ubuntu_ppa_repo --mirror-locally=Y --arch=x86_64 && \
cobbler reposync && \
cobbler get-loaders
ADD conf/cobbler.settings /etc/cobbler/settings
RUN sed -i 's/disable\([ \t]\+\)=\([ \t]\+\)yes/disable\1=\2no/g' /etc/xinetd.d/rsync && \
sed -i 's/^@dists=/# @dists=/g' /etc/debmirror.conf && \
sed -i 's/^@arches=/# @arches=/g' /etc/debmirror.conf
# create mount points
RUN mkdir -p /var/lib/cobbler/mount_point
VOLUME ["/var/lib/cobbler/mount_point"]
ADD scripts/start /root/start
RUN chmod +x /root/start
CMD ["/root/start"]
EXPOSE 80
EXPOSE 69 69/udp
EXPOSE 53 53/udp
EXPOSE 25151
EXPOSE 443
EXPOSE 873

450
docker/build/cobbler/conf/cobbler.settings Normal file
View File

@ -0,0 +1,450 @@
---
# cobbler settings file
# restart cobblerd and run "cobbler sync" after making changes
# This config file is in YAML 1.0 format
# see http://yaml.org
# ==========================================================
# if 1, cobbler will allow insertions of system records that duplicate
# the --dns-name information of other system records. In general,
# this is undesirable and should be left 0.
allow_duplicate_hostnames: 0
# if 1, cobbler will allow insertions of system records that duplicate
# the ip address information of other system records. In general,
# this is undesirable and should be left 0.
allow_duplicate_ips: 0
# if 1, cobbler will allow insertions of system records that duplicate
# the mac address information of other system records. In general,
# this is undesirable.
allow_duplicate_macs: 0
# if 1, cobbler will allow settings to be changed dynamically without
# a restart of the cobblerd daemon. You can only change this variable
# by manually editing the settings file, and you MUST restart cobblerd
# after changing it.
allow_dynamic_settings: 0
# by default, installs are *not* set to send installation logs to the cobbler
# # # server. With 'anamon_enabled', kickstart templates may use the pre_anamon
# # # snippet to allow remote live monitoring of their installations from the
# # # cobbler server. Installation logs will be stored under
# # # /var/log/cobbler/anamon/. NOTE: This does allow an xmlrpc call to send logs
# # # to this directory, without authentication, so enable only if you are
# # # ok with this limitation.
anamon_enabled: 1
# If using authn_pam in the modules.conf, this can be configured
# to change the PAM service authentication will be tested against.
# The default value is "login".
authn_pam_service: "login"
# Email out a report when cobbler finishes installing a system.
# enabled: set to 1 to turn this feature on
# sender: optional
# email: which addresses to email
# smtp_server: used to specify another server for an MTA
# subject: use the default subject unless overridden
build_reporting_enabled: 0
build_reporting_sender: ""
build_reporting_email: [ 'root@localhost' ]
build_reporting_smtp_server: "localhost"
build_reporting_subject: ""
# Cheetah-language kickstart templates can import Python modules.
# while this is a useful feature, it is not safe to allow them to
# import anything they want. This whitelists which modules can be
# imported through Cheetah. Users can expand this as needed but
# should never allow modules such as subprocess or those that
# allow access to the filesystem as Cheetah templates are evaluated
# by cobblerd as code.
cheetah_import_whitelist:
- "random"
- "re"
- "time"
# Default createrepo_flags to use for new repositories. If you have
# createrepo >= 0.4.10, consider "-c cache --update -C", which can
# dramatically improve your "cobbler reposync" time. "-s sha"
# enables working with Fedora repos from F11/F12 from EL-4 or
# EL-5 without python-hashlib installed (which is not available
# on EL-4)
createrepo_flags: "-c cache -s sha"
# if no kickstart is specified to profile add, use this template
default_kickstart: /var/lib/cobbler/kickstarts/default.ks
# configure all installed systems to use these nameservers by default
# unless defined differently in the profile. For DHCP configurations
# you probably do /not/ want to supply this.
default_name_servers: ['10.145.89.100']
# if using the authz_ownership module (see the Wiki), objects
# created without specifying an owner are assigned to this
# owner and/or group. Can be a comma seperated list.
default_ownership:
- "admin"
# cobbler has various sample kickstart templates stored
# in /var/lib/cobbler/kickstarts/. This controls
# what install (root) password is set up for those
# systems that reference this variable. The factory
# default is "cobbler" and cobbler check will warn if
# this is not changed.
# The simplest way to change the password is to run
# openssl passwd -1
# and put the output between the "" below.
default_password_crypted: "$1$huawei$9OkoVJwO4W8vavlXd1bUS/"
# the default template type to use in the absence of any
# other detected template. If you do not specify the template
# with '#template=<template_type>' on the first line of your
# templates/snippets, cobbler will assume try to use the
# following template engine to parse the templates.
#
# Current valid values are: cheetah, jinja2
default_template_type: "cheetah"
# for libvirt based installs in koan, if no virt bridge
# is specified, which bridge do we try? For EL 4/5 hosts
# this should be xenbr0, for all versions of Fedora, try
# "virbr0". This can be overriden on a per-profile
# basis or at the koan command line though this saves
# typing to just set it here to the most common option.
default_virt_bridge: xenbr0
# use this as the default disk size for virt guests (GB)
default_virt_file_size: 5
# use this as the default memory size for virt guests (MB)
default_virt_ram: 512
# if koan is invoked without --virt-type and no virt-type
# is set on the profile/system, what virtualization type
# should be assumed? Values: xenpv, xenfv, qemu, vmware
# (NOTE: this does not change what virt_type is chosen by import)
default_virt_type: xenpv
# enable gPXE booting? Enabling this option will cause cobbler
# to copy the undionly.kpxe file to the tftp root directory,
# and if a profile/system is configured to boot via gpxe it will
# chain load off pxelinux.0.
# Default: 0
enable_gpxe: 0
# controls whether cobbler will add each new profile entry to the default
# PXE boot menu. This can be over-ridden on a per-profile
# basis when adding/editing profiles with --enable-menu=0/1. Users
# should ordinarily leave this setting enabled unless they are concerned
# with accidental reinstalls from users who select an entry at the PXE
# boot menu. Adding a password to the boot menus templates
# may also be a good solution to prevent unwanted reinstallations
enable_menu: 0
# enable Func-integration? This makes sure each installed machine is set up
# to use func out of the box, which is a powerful way to script and control
# remote machines.
# Func lives at http://fedorahosted.org/func
# read more at https://github.com/cobbler/cobbler/wiki/Func-integration
# you will need to mirror Fedora/EPEL packages for this feature, so see
# https://github.com/cobbler/cobbler/wiki/Manage-yum-repos if you want cobbler
# to help you with this
func_auto_setup: 0
func_master: overlord.example.org
# change this port if Apache is not running plaintext on port
# 80. Most people can leave this alone.
http_port: 8080
# kernel options that should be present in every cobbler installation.
# kernel options can also be applied at the distro/profile/system
# level.
kernel_options:
ksdevice: bootif
lang: ' '
text: ~
# s390 systems require additional kernel options in addition to the
# above defaults
kernel_options_s390x:
RUNKS: 1
ramdisk_size: 40000
root: /dev/ram0
ro: ~
ip: off
vnc: ~
# configuration options if using the authn_ldap module. See the
# the Wiki for details. This can be ignored if you are not using
# LDAP for WebUI/XMLRPC authentication.
ldap_server: "ldap.example.com"
ldap_base_dn: "DC=example,DC=com"
ldap_port: 389
ldap_tls: 1
ldap_anonymous_bind: 1
ldap_search_bind_dn: ''
ldap_search_passwd: ''
ldap_search_prefix: 'uid='
ldap_tls_cacertfile: ''
ldap_tls_keyfile: ''
ldap_tls_certfile: ''
# cobbler has a feature that allows for integration with config management
# systems such as Puppet. The following parameters work in conjunction with
# --mgmt-classes and are described in furhter detail at:
# https://github.com/cobbler/cobbler/wiki/Using-cobbler-with-a-configuration-management-system
mgmt_classes: []
mgmt_parameters:
from_cobbler: 1
# if enabled, this setting ensures that puppet is installed during
# machine provision, a client certificate is generated and a
# certificate signing request is made with the puppet master server
puppet_auto_setup: 0
# when puppet starts on a system after installation it needs to have
# its certificate signed by the puppet master server. Enabling the
# following feature will ensure that the puppet server signs the
# certificate after installation if the puppet master server is
# running on the same machine as cobbler. This requires
# puppet_auto_setup above to be enabled
sign_puppet_certs_automatically: 0
# location of the puppet executable, used for revoking certificates
puppetca_path: "/usr/bin/puppet"
# when a puppet managed machine is reinstalled it is necessary to
# remove the puppet certificate from the puppet master server before a
# new certificate is signed (see above). Enabling the following
# feature will ensure that the certificate for the machine to be
# installed is removed from the puppet master server if the puppet
# master server is running on the same machine as cobbler. This
# requires puppet_auto_setup above to be enabled
remove_old_puppet_certs_automatically: 0
# choose a --server argument when running puppetd/puppet agent during kickstart
#puppet_server: 'puppet'
# let cobbler know that you're using a newer version of puppet
# choose version 3 to use: 'puppet agent'; version 2 uses status quo: 'puppetd'
#puppet_version: 2
# choose whether to enable puppet parameterized classes or not.
# puppet versions prior to 2.6.5 do not support parameters
#puppet_parameterized_classes: 1
# set to 1 to enable Cobbler's DHCP management features.
# the choice of DHCP management engine is in /etc/cobbler/modules.conf
manage_dhcp: 0
# set to 1 to enable Cobbler's DNS management features.
# the choice of DNS mangement engine is in /etc/cobbler/modules.conf
manage_dns: 1
# set to path of bind chroot to create bind-chroot compatible bind
# configuration files. This should be automatically detected.
bind_chroot_path: ""
# set to the ip address of the master bind DNS server for creating secondary
# bind configuration files
bind_master: 127.0.0.1
# set to 1 to enable Cobbler's TFTP management features.
# the choice of TFTP mangement engine is in /etc/cobbler/modules.conf
manage_tftpd: 1
# set to 1 to enable Cobbler's RSYNC management features.
manage_rsync: 0
# if using BIND (named) for DNS management in /etc/cobbler/modules.conf
# and manage_dns is enabled (above), this lists which zones are managed
# See the Wiki (https://github.com/cobbler/cobbler/wiki/Dns-management) for more info
manage_forward_zones: ['ods.com']
manage_reverse_zones: ['10','172.16']
# if using cobbler with manage_dhcp, put the IP address
# of the cobbler server here so that PXE booting guests can find it
# if you do not set this correctly, this will be manifested in TFTP open timeouts.
next_server: 192.168.100.1
# settings for power management features. optional.
# see https://github.com/cobbler/cobbler/wiki/Power-management to learn more
# choices (refer to codes.py):
# apc_snmp bladecenter bullpap drac ether_wake ilo integrity
# ipmilan ipmitool lpar rsa virsh wti
power_management_default_type: 'ipmitool'
# the commands used by the power management module are sourced
# from what directory?
power_template_dir: "/etc/cobbler/power"
# if this setting is set to 1, cobbler systems that pxe boot
# will request at the end of their installation to toggle the
# --netboot-enabled record in the cobbler system record. This eliminates
# the potential for a PXE boot loop if the system is set to PXE
# first in it's BIOS order. Enable this if PXE is first in your BIOS
# boot order, otherwise leave this disabled. See the manpage
# for --netboot-enabled.
pxe_just_once: 1
# the templates used for PXE config generation are sourced
# from what directory?
pxe_template_dir: "/etc/cobbler/pxe"
# Path to where system consoles are
consoles: "/var/consoles"
# Are you using a Red Hat management platform in addition to Cobbler?
# Cobbler can help you register to it. Choose one of the following:
# "off" : I'm not using Red Hat Network, Satellite, or Spacewalk
# "hosted" : I'm using Red Hat Network
# "site" : I'm using Red Hat Satellite Server or Spacewalk
# You will also want to read: https://github.com/cobbler/cobbler/wiki/Tips-for-RHN
redhat_management_type: "off"
# if redhat_management_type is enabled, choose your server
# "management.example.org" : For Satellite or Spacewalk
# "xmlrpc.rhn.redhat.com" : For Red Hat Network
# This setting is also used by the code that supports using Spacewalk/Satellite users/passwords
# within Cobbler Web and Cobbler XMLRPC. Using RHN Hosted for this is not supported.
# This feature can be used even if redhat_management_type is off, you just have
# to have authn_spacewalk selected in modules.conf
redhat_management_server: "xmlrpc.rhn.redhat.com"
# specify the default Red Hat authorization key to use to register
# system. If left blank, no registration will be attempted. Similarly
# you can set the --redhat-management-key to blank on any system to
# keep it from trying to register.
redhat_management_key: ""
# if using authn_spacewalk in modules.conf to let cobbler authenticate
# against Satellite/Spacewalk's auth system, by default it will not allow per user
# access into Cobbler Web and Cobbler XMLRPC.
# in order to permit this, the following setting must be enabled HOWEVER
# doing so will permit all Spacewalk/Satellite users of certain types to edit all
# of cobbler's configuration.
# these roles are: config_admin and org_admin
# users should turn this on only if they want this behavior and
# do not have a cross-multi-org seperation concern. If you have
# a single org in your satellite, it's probably safe to turn this
# on and then you can use CobblerWeb alongside a Satellite install.
redhat_management_permissive: 0
# if set to 1, allows /usr/bin/cobbler-register (part of the koan package)
# to be used to remotely add new cobbler system records to cobbler.
# this effectively allows for registration of new hardware from system
# records.
register_new_installs: 0
# Flags to use for yum's reposync. If your version of yum reposync
# does not support -l, you may need to remove that option.
reposync_flags: "-l -n -d"
# These options will be used for an rsync initiated by cobbler replicate
replicate_rsync_options: "-avzH"
# when DHCP and DNS management are enabled, cobbler sync can automatically
# restart those services to apply changes. The exception for this is
# if using ISC for DHCP, then omapi eliminates the need for a restart.
# omapi, however, is experimental and not recommended for most configurations.
# If DHCP and DNS are going to be managed, but hosted on a box that
# is not on this server, disable restarts here and write some other
# script to ensure that the config files get copied/rsynced to the destination
# box. This can be done by modifying the restart services trigger.
# Note that if manage_dhcp and manage_dns are disabled, the respective
# parameter will have no effect. Most users should not need to change
# this.
restart_dns: 1
restart_dhcp: 1
# install triggers are scripts in /var/lib/cobbler/triggers/install
# that are triggered in kickstart pre and post sections. Any
# executable script in those directories is run. They can be used
# to send email or perform other actions. They are currently
# run as root so if you do not need this functionality you can
# disable it, though this will also disable "cobbler status" which
# uses a logging trigger to audit install progress.
run_install_triggers: 1
# enables a trigger which version controls all changes to /var/lib/cobbler
# when add, edit, or sync events are performed. This can be used
# to revert to previous database versions, generate RSS feeds, or for
# other auditing or backup purposes. "git" and "hg" are currently suported,
# but git is the recommend SCM for use with this feature.
scm_track_enabled: 0
scm_track_mode: "git"
# this is the address of the cobbler server -- as it is used
# by systems during the install process, it must be the address
# or hostname of the system as those systems can see the server.
# if you have a server that appears differently to different subnets
# (dual homed, etc), you need to read the --server-override section
# of the manpage for how that works.
server: 192.168.100.1
# If set to 1, all commands will be forced to use the localhost address
# instead of using the above value which can force commands like
# cobbler sync to open a connection to a remote address if one is in the
# configuration and would traceback.
client_use_localhost: 0
# If set to 1, all commands to the API (not directly to the XMLRPC
# server) will go over HTTPS instead of plaintext. Be sure to change
# the http_port setting to the correct value for the web server
client_use_https: 0
# this is a directory of files that cobbler uses to make
# templating easier. See the Wiki for more information. Changing
# this directory should not be required.
snippetsdir: /var/lib/cobbler/snippets
# Normally if a kickstart is specified at a remote location, this
# URL will be passed directly to the kickstarting system, thus bypassing
# the usual snippet templating Cobbler does for local kickstart files. If
# this option is enabled, Cobbler will fetch the file contents internally
# and serve a templated version of the file to the client.
template_remote_kickstarts: 0
# should new profiles for virtual machines default to auto booting with the physical host when the physical host reboots?
# this can be overridden on each profile or system object.
virt_auto_boot: 1
# cobbler's web directory. Don't change this setting -- see the
# Wiki on "relocating your cobbler install" if your /var partition
# is not large enough.
webdir: /var/www/cobbler
# cobbler's public XMLRPC listens on this port. Change this only
# if absolutely needed, as you'll have to start supplying a new
# port option to koan if it is not the default.
xmlrpc_port: 25151
# "cobbler repo add" commands set cobbler up with repository
# information that can be used during kickstart and is automatically
# set up in the cobbler kickstart templates. By default, these
# are only available at install time. To make these repositories
# usable on installed systems (since cobbler makes a very convient)
# mirror, set this to 1. Most users can safely set this to 1. Users
# who have a dual homed cobbler server, or are installing laptops that
# will not always have access to the cobbler server may wish to leave
# this as 0. In that case, the cobbler mirrored yum repos are still
# accessable at http://cobbler.example.org/cblr/repo_mirror and yum
# configuration can still be done manually. This is just a shortcut.
yum_post_install_mirror: 1
# the default yum priority for all the distros. This is only used
# if yum-priorities plugin is used. 1=maximum. Tweak with caution.
yum_distro_priority: 1
# Flags to use for yumdownloader. Not all versions may support
# --resolve.
yumdownloader_flags: "--resolve"
# sort and indent JSON output to make it more human-readable
serializer_pretty_json: 0
# replication rsync options for distros, kickstarts, snippets set to override default value of "-avzH"
replicate_rsync_options: "-avzH"
# replication rsync options for repos set to override default value of "-avzH"
replicate_repo_rsync_options: "-avzH"

10
docker/build/cobbler/conf/cobbler_web.conf Normal file
View File

@ -0,0 +1,10 @@
# This configuration file enables the cobbler web
# interface (django version)
# Force everything to go to https
RewriteEngine on
RewriteCond %{HTTPS} off
RewriteCond %{REQUEST_URI} ^/cobbler_web
# RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
WSGIScriptAlias /cobbler_web /usr/share/cobbler/web/cobbler.wsgi

98
docker/build/cobbler/conf/dhcp.template Normal file
View File

@ -0,0 +1,98 @@
# ******************************************************************
# Cobbler managed dhcpd.conf file
#
# generated from cobbler dhcp.conf template ($date)
# Do NOT make changes to /etc/dhcpd.conf. Instead, make your changes
# in /etc/cobbler/dhcp.template, as /etc/dhcpd.conf will be
# overwritten.
#
# ******************************************************************
ddns-update-style interim;
allow booting;
allow bootp;
deny unknown-clients;
local-address 192.168.100.100;
log-facility local6;
ignore client-updates;
set vendorclass = option vendor-class-identifier;
option pxe-system-type code 93 = unsigned integer 16;
option space pxelinux;
option pxelinux.magic code 208 = string;
option pxelinux.configfile code 209 = text;
option pxelinux.pathprefix code 210 = text;
option pxelinux.reboottime code 211 = unsigned integer 32;
subnet 192.168.100.0 netmask 255.255.254.0 {
option routers 192.168.100.1;
option domain-name-servers 192.168.100.1;
option subnet-mask 255.255.254.0;
range dynamic-bootp 192.168.100.10 192.168.101.250;
default-lease-time 21600;
max-lease-time 43200;
next-server $next_server;
class "pxeclients" {
match if substring (option vendor-class-identifier, 0, 9) = "PXEClient";
if option pxe-system-type = 00:02 {
filename "ia64/elilo.efi";
} else if option pxe-system-type = 00:06 {
filename "grub/grub-x86.efi";
} else if option pxe-system-type = 00:07 {
filename "grub/grub-x86_64.efi";
} else {
filename "pxelinux.0";
}
}
}
#for dhcp_tag in $dhcp_tags.keys():
## group could be subnet if your dhcp tags line up with your subnets
## or really any valid dhcpd.conf construct ... if you only use the
## default dhcp tag in cobbler, the group block can be deleted for a
## flat configuration
# group for Cobbler DHCP tag: $dhcp_tag
group {
#for mac in $dhcp_tags[$dhcp_tag].keys():
#set iface = $dhcp_tags[$dhcp_tag][$mac]
host $iface.name {
hardware ethernet $mac;
site-option-space "pxelinux";
option pxelinux.magic f1:00:74:7e;
if exists dhcp-parameter-request-list {
# Always send the PXELINUX options (specified in hexadecimal)
option dhcp-parameter-request-list = concat(option dhcp-parameter-request-list,d0,d1,d2,d3);
}
option pxelinux.reboottime 30;
#if $iface.hostname:
option host-name "$iface.hostname";
#end if
#if $iface.netmask:
option subnet-mask $iface.netmask;
#end if
#if $iface.gateway:
option routers $iface.gateway;
#end if
#if $iface.enable_gpxe:
if exists user-class and option user-class = "gPXE" {
filename "http://$cobbler_server/cblr/svc/op/gpxe/system/$iface.owner";
} else if exists user-class and option user-class = "iPXE" {
filename "http://$cobbler_server/cblr/svc/op/gpxe/system/$iface.owner";
} else {
filename "undionly.kpxe";
}
#else
filename "$iface.filename";
#end if
## Cobbler defaults to $next_server, but some users
## may like to use $iface.system.server for proxied setups
next-server $next_server;
## next-server $iface.next_server;
}
#end for
}
#end for

8
docker/build/cobbler/conf/distributions Normal file
View File

@ -0,0 +1,8 @@
Origin: ppa
Label: ppa_repo
Suite: stable
Codename: ppa
Version: 0.1
Architectures: i386 amd64 source
Components: main
Description: ppa repo

84
docker/build/cobbler/conf/modules.conf Normal file
View File

@ -0,0 +1,84 @@
# cobbler module configuration file
# =================================
# authentication:
# what users can log into the WebUI and Read-Write XMLRPC?
# choices:
# authn_denyall -- no one (default)
# authn_configfile -- use /etc/cobbler/users.digest (for basic setups)
# authn_passthru -- ask Apache to handle it (used for kerberos)
# authn_ldap -- authenticate against LDAP
# authn_spacewalk -- ask Spacewalk/Satellite (experimental)
# authn_pam -- use PAM facilities
# authn_testing -- username/password is always testing/testing (debug)
# (user supplied) -- you may write your own module
# WARNING: this is a security setting, do not choose an option blindly.
# for more information:
# https://github.com/cobbler/cobbler/wiki/Cobbler-web-interface
# https://github.com/cobbler/cobbler/wiki/Security-overview
# https://github.com/cobbler/cobbler/wiki/Kerberos
# https://github.com/cobbler/cobbler/wiki/Ldap
[authentication]
module = authn_configfile
# authorization:
# once a user has been cleared by the WebUI/XMLRPC, what can they do?
# choices:
# authz_allowall -- full access for all authneticated users (default)
# authz_ownership -- use users.conf, but add object ownership semantics
# (user supplied) -- you may write your own module
# WARNING: this is a security setting, do not choose an option blindly.
# If you want to further restrict cobbler with ACLs for various groups,
# pick authz_ownership. authz_allowall does not support ACLs. configfile
# does but does not support object ownership which is useful as an additional
# layer of control.
# for more information:
# https://github.com/cobbler/cobbler/wiki/Cobbler-web-interface
# https://github.com/cobbler/cobbler/wiki/Security-overview
# https://github.com/cobbler/cobbler/wiki/Web-authorization
[authorization]
module = authz_allowall
# dns:
# chooses the DNS management engine if manage_dns is enabled
# in /etc/cobbler/settings, which is off by default.
# choices:
# manage_bind -- default, uses BIND/named
# manage_dnsmasq -- uses dnsmasq, also must select dnsmasq for dhcp below
# NOTE: more configuration is still required in /etc/cobbler
# for more information:
# https://github.com/cobbler/cobbler/wiki/Dns-management
[dns]
module = manage_bind
# dhcp:
# chooses the DHCP management engine if manage_dhcp is enabled
# in /etc/cobbler/settings, which is off by default.
# choices:
# manage_isc -- default, uses ISC dhcpd
# manage_dnsmasq -- uses dnsmasq, also must select dnsmasq for dns above
# NOTE: more configuration is still required in /etc/cobbler
# for more information:
# https://github.com/cobbler/cobbler/wiki/Dhcp-management
[dhcp]
module = manage_isc
# tftpd:
# chooses the TFTP management engine if manage_tftp is enabled
# in /etc/cobbler/settings, which is ON by default.
#
# choices:
# manage_in_tftpd -- default, uses the system's tftp server
# manage_tftpd_py -- uses cobbler's tftp server
#
[tftpd]
module = manage_in_tftpd
#--------------------------------------------------

25
docker/build/cobbler/conf/setup.conf Executable file
View File

@ -0,0 +1,25 @@
#centos6.5
NTP=http://mirror.centos.org/centos/6.5/os/x86_64/Packages/ntp-4.2.6p5-1.el6.centos.x86_64.rpm
SSH_CLIENTS=http://mirror.centos.org/centos/6.5/os/x86_64/Packages/openssh-clients-5.3p1-94.el6.x86_64.rpm
OPENSSH=http://mirror.centos.org/centos/6.5/os/x86_64/Packages/openssh-5.3p1-94.el6.x86_64.rpm
IPROUTE=http://mirror.centos.org/centos/6.5/os/x86_64/Packages/iproute-2.6.32-31.el6.x86_64.rpm
WGET=http://mirror.centos.org/centos/6.5/os/x86_64/Packages/wget-1.12-1.8.el6.x86_64.rpm
NTPDATE=http://mirror.centos.org/centos/6.5/os/x86_64/Packages/ntpdate-4.2.6p5-1.el6.centos.x86_64.rpm
YUM_PRIORITIES=http://mirror.centos.org/centos/6.5/os/x86_64/Packages/yum-plugin-priorities-1.1.30-14.el6.noarch.rpm
JSONC=http://rpms.adiscon.com/v7-stable/epel-6/x86_64/RPMS/json-c-0.9-4.el6.x86_64.rpm
LIBESTR=http://rpms.adiscon.com/v7-stable/epel-6/x86_64/RPMS/libestr-0.1.9-1.el6.x86_64.rpm
LIBGT=http://rpms.adiscon.com/v7-stable/epel-6/x86_64/RPMS/libgt-0.3.11-1.el6.x86_64.rpm
LIBLOGGING=http://rpms.adiscon.com/v7-stable/epel-6/x86_64/RPMS/liblogging-1.0.4-1.el6.x86_64.rpm
RSYSLOG=http://rpms.adiscon.com/v7-stable/epel-6/x86_64/RPMS/rsyslog-7.6.3-1.el6.src.rpm
CHEF_CLIENT_CENTOS=http://opscode-omnibus-packages.s3.amazonaws.com/el/6/x86_64/chef-11.8.0-1.el6.x86_64.rpm
#ubuntu12.04
CHEF_CLIENT_UBUNTU=http://opscode-omnibus-packages.s3.amazonaws.com/ubuntu/12.04/x86_64/chef_11.8.0-1.ubuntu.12.04_amd64.deb
#iso
CENTOS_ISO=http://mirror.rackspace.com/centos/6.5/isos/x86_64/CentOS-6.5-x86_64-minimal.iso
UBUNTU_ISO=http://releases.ubuntu.com/12.04/ubuntu-12.04.4-server-amd64.iso
#repos
EPEL7=http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
ATOMIC=http://www6.atomicorp.com/channels/atomic/centos/7/x86_64/RPMS/atomic-release-1.0-19.el7.art.noarch.rpm

221
docker/build/cobbler/conf/ssl.conf Normal file
View File

@ -0,0 +1,221 @@
#
# This is the Apache server configuration file providing SSL support.
# It contains the configuration directives to instruct the server how to
# serve pages over an https connection. For detailing information about these
# directives see <URL:http://httpd.apache.org/docs/2.2/mod/mod_ssl.html>
#
# Do NOT simply read the instructions in here without understanding
# what they do. They're here only as hints or reminders. If you are unsure
# consult the online docs. You have been warned.
#
LoadModule ssl_module modules/mod_ssl.so
#
# When we also provide SSL we have to listen to the
# the HTTPS port in addition.
#
Listen 443
##
## SSL Global Context
##
## All SSL configuration in this context applies both to
## the main server and all SSL-enabled virtual hosts.
##
# Pass Phrase Dialog:
# Configure the pass phrase gathering process.
# The filtering dialog program (`builtin' is a internal
# terminal dialog) has to provide the pass phrase on stdout.
SSLPassPhraseDialog builtin
# Inter-Process Session Cache:
# Configure the SSL Session Cache: First the mechanism
# to use and second the expiring timeout (in seconds).
SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout 300
# Semaphore:
# Configure the path to the mutual exclusion semaphore the
# SSL engine uses internally for inter-process synchronization.
# SSLMutex default
# Pseudo Random Number Generator (PRNG):
# Configure one or more sources to seed the PRNG of the
# SSL library. The seed data should be of good random quality.
# WARNING! On some platforms /dev/random blocks if not enough entropy
# is available. This means you then cannot use the /dev/random device
# because it would lead to very long connection times (as long as
# it requires to make more entropy available). But usually those
# platforms additionally provide a /dev/urandom device which doesn't
# block. So, if available, use this one instead. Read the mod_ssl User
# Manual for more details.
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
#SSLRandomSeed startup file:/dev/random 512
#SSLRandomSeed connect file:/dev/random 512
#SSLRandomSeed connect file:/dev/urandom 512
#
# Use "SSLCryptoDevice" to enable any supported hardware
# accelerators. Use "openssl engine -v" to list supported
# engine names. NOTE: If you enable an accelerator and the
# server does not start, consult the error logs and ensure
# your accelerator is functioning properly.
#
SSLCryptoDevice builtin
#SSLCryptoDevice ubsec
##
## SSL Virtual Host Context
##
<VirtualHost _default_:443>
# General setup for the virtual host, inherited from global configuration
#DocumentRoot "/var/www/html"
#ServerName www.example.com:443
# Use separate log files for the SSL virtual host; note that LogLevel
# is not inherited from httpd.conf.
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
# SSL Protocol support:
# List the enable protocol levels with which clients will be able to
# connect. Disable SSLv2 access by default:
SSLProtocol all -SSLv2
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. A new
# certificate can be generated using the genkey(1) command.
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
# concatenation of PEM encoded CA certificates which form the
# certificate chain for the server certificate. Alternatively
# the referenced file can be the same as SSLCertificateFile
# when the CA certificates are directly appended to the server
# certificate for convinience.
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
# Certificate Authority (CA):
# Set the CA certificate verification path where to find CA
# certificates for client authentication or alternatively one
# huge file containing all of them (file must be PEM encoded)
#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
# Client Authentication (Type):
# Client certificate verification type and depth. Types are
# none, optional, require and optional_no_ca. Depth is a
# number which specifies how deeply to verify the certificate
# issuer chain before deciding the certificate is not valid.
#SSLVerifyClient require
#SSLVerifyDepth 10
# Access Control:
# With SSLRequire you can do per-directory access control based
# on arbitrary complex boolean expressions containing server
# variable checks and other lookup directives. The syntax is a
# mixture between C and Perl. See the mod_ssl documentation
# for more details.
#<Location />
#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
#</Location>
# SSL Engine Options:
# Set various options for the SSL engine.
# o FakeBasicAuth:
# Translate the client X.509 into a Basic Authorisation. This means that
# the standard Auth/DBMAuth methods can be used for access control. The
# user name is the `one line' version of the client's X.509 certificate.
# Note that no password is obtained from the user. Every entry in the user
# file needs this password: `xxj31ZMTZzkVA'.
# o ExportCertData:
# This exports two additional environment variables: SSL_CLIENT_CERT and
# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
# server (always existing) and the client (only existing when client
# authentication is used). This can be used to import the certificates
# into CGI scripts.
# o StdEnvVars:
# This exports the standard SSL/TLS related `SSL_*' environment variables.
# Per default this exportation is switched off for performance reasons,
# because the extraction step is an expensive operation and is usually
# useless for serving static content. So one usually enables the
# exportation for CGI and SSI requests only.
# o StrictRequire:
# This denies access when "SSLRequireSSL" or "SSLRequire" applied even
# under a "Satisfy any" situation, i.e. when it applies access is denied
# and no other module can change it.
# o OptRenegotiate:
# This enables optimized SSL connection renegotiation handling when SSL
# directives are used in per-directory context.
#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
# SSL Protocol Adjustments:
# The safe and default but still SSL/TLS standard compliant shutdown
# approach is that mod_ssl sends the close notify alert but doesn't wait for
# the close notify alert from client. When you need a different shutdown
# approach you can use one of the following variables:
# o ssl-unclean-shutdown:
# This forces an unclean shutdown when the connection is closed, i.e. no
# SSL close notify alert is send or allowed to received. This violates
# the SSL/TLS standard but is needed for some brain-dead browsers. Use
# this when you receive I/O errors because of the standard approach where
# mod_ssl sends the close notify alert.
# o ssl-accurate-shutdown:
# This forces an accurate shutdown when the connection is closed, i.e. a
# SSL close notify alert is send and mod_ssl waits for the close notify
# alert of the client. This is 100% SSL/TLS standard compliant, but in
# practice often causes hanging connections with brain-dead browsers. Use
# this only for browsers where you know that their SSL implementation
# works correctly.
# Notice: Most problems of broken clients are also related to the HTTP
# keep-alive facility, so you usually additionally want to disable
# keep-alive for those clients, too. Use variable "nokeepalive" for this.
# Similarly, one has to force some clients to use HTTP/1.0 to workaround
# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
# "force-response-1.0" for this.
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
# Per-Server Logging:
# The home of a custom SSL log file. Use this when you want a
# compact non-error SSL logfile on a virtual host basis.
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>

21
docker/build/cobbler/conf/tftpd.template Normal file
View File

@ -0,0 +1,21 @@
# default: off
# description: The tftp server serves files using the trivial file transfer \
# protocol. The tftp protocol is often used to boot diskless \
# workstations, download configuration files to network-aware printers, \
# and to start the installation process for some operating systems.
service tftp
{
disable = no
log_type = SYSLOG local5 info
socket_type = dgram
protocol = udp
wait = yes
user = $user
server = $binary
server_args = -B 1380 -v -s $args
instances = 1000
per_source = 1000
cps = 1000 2
flags = IPv4
}

17
docker/build/cobbler/scripts/start Normal file
View File

@ -0,0 +1,17 @@
#!/bin/bash
service httpd start
service cobblerd start
# import distros
cobbler import --path=/var/lib/cobbler/mount_point/CentOS-6.5-x86_64 --name=CentOS-6.5-x86_64 --arch=x86_64 --kickstart=/var/lib/cobbler/kickstarts/default.ks --breed=redhat
cobbler import --path=/var/lib/cobbler/mount_point/Ubuntu-12.04-x86_64 --name=Ubuntu-12.04-x86_64 --arch=x86_64 --kickstart=/var/lib/cobbler/kickstarts/default.seed --breed=ubuntu
# add profiles
cobbler profile add --name=CentOS-6.5-x86_64 --repo=centos_ppa_repo --distro=CentOS-6.5-x86_64 --ksmeta="tree=http://10.145.89.200:8080/cobbler/ks_mirror/CentOS-6.5-x86_64 compass_server=10.145.89.200" --kickstart=/var/lib/cobbler/kickstarts/default.ks
cobbler profile add --name=Ubuntu-12.04-x86_64 --repo=ubuntu_ppa_repo --distro=Ubuntu-12.04-x86_64 --ksmeta="tree=http://10.145.89.200:8080/cobbler/ks_mirror/Ubuntu-12.04-x86_64 compass_server=10.145.89.200" --kickstart=/var/lib/cobbler/kickstarts/default.seed --kopts="netcfg/choose_interface=auto"
cobbler reposync
cobbler sync
cobbler check

3
install/roles/cobbler/handlers/main.yml Normal file
View File

@ -0,0 +1,3 @@
---
- name: restart dhcp-relay
shell: service isc-dhcp-relay restart

2
install/roles/cobbler/tasks/dhcp-relay-debian.yml
View File

@ -12,3 +12,5 @@
lineinfile: dest=/etc/default/isc-dhcp-relay
regexp='^INTERFACES'
line='INTERFACES="compass0"'
notify:
restart dhcp-relay