diff --git a/docker/build/cobbler/Dockerfile b/docker/build/cobbler/Dockerfile new file mode 100644 index 0000000..8136086 --- /dev/null +++ b/docker/build/cobbler/Dockerfile @@ -0,0 +1,140 @@ +FROM centos:centos6 + +ADD conf/setup.conf /tmp/setup.conf +ADD conf/cobbler_web.conf /etc/httpd/conf.d/cobbler_web.conf +ADD conf/ssl.conf /etc/httpd/conf.d/ssl.conf +ADD conf/tftpd.template /etc/cobbler/tftpd.template +ADD conf/modules.conf /etc/cobbler/modules.conf +ADD conf/distributions /tmp/distributions +ADD conf/dhcp.template /etc/cobbler/dhcp.template +RUN chmod +x /tmp/setup.conf + +# add epel repo and atomic(for installing reprepro: a command tool to build debian repos) repo +RUN source /tmp/setup.conf && \ + rpm -Uvh $EPEL7 && \ + sed -i 's/^mirrorlist=https/mirrorlist=http/g' /etc/yum.repos.d/epel.repo && \ + rpm -Uvh $ATOMIC && \ + sed -i 's/^mirrorlist=https/mirrorlist=http/g' /etc/yum.repos.d/atomic.repo + +RUN yum clean all && \ + yum update -y --skip-broken && \ + yum install -y syslinux bind rsync dhcp xinetd tftp-server gcc httpd cobbler cobbler-web createrepo mkisofs python-cheetah python-simplejson python-urlgrabber PyYAML PyYAML Django cman pykickstart reprepro git wget debmirror cman openssl openssl098e + +# configure cobbler web and ssl +RUN mkdir -p /root/backup/cobbler && \ + cp -rn /etc/httpd/conf.d /root/backup/cobbler && \ + chmod 644 /etc/httpd/conf.d/cobbler_web.conf && \ + chmod 644 /etc/httpd/conf.d/ssl.conf + +# update tftpd template +RUN chmod 644 /etc/cobbler/tftpd.template + +# update modules conf +RUN chmod 644 /etc/cobbler/modules.conf + +# setup cobbler default web username password: cobbler/cobbler +RUN (echo -n "cobbler:Cobbler:" && echo -n "cobbler:Cobbler:cobbler" | md5sum - | cut -d' ' -f1) > /etc/cobbler/users.digest + + +# get adapters code +WORKDIR /root/ +RUN git clone -b dev/experimental https://git.openstack.org/stackforge/compass-adapters.git && \ + cp -rn /var/lib/cobbler/snippets /root/backup/cobbler/ && \ + cp -rn /var/lib/cobbler/scripts /root/backup/cobbler && \ + cp -rn /var/lib/cobbler/kickstarts/ /root/backup/cobbler/ && \ + cp -rn /var/lib/cobbler/triggers /root/backup/cobbler/ && \ + rm -rf /var/lib/cobbler/snippets/* && \ + cp -rf compass-adapters/cobbler/snippets/* /var/lib/cobbler/snippets/ && \ + cp -rf compass-adapters/cobbler/scripts/* /var/lib/cobbler/scripts/ && \ + cp -rf compass-adapters/cobbler/triggers/* /var/lib/cobbler/triggers/ && \ + chmod 777 /var/lib/cobbler/snippets && \ + chmod 777 /var/lib/cobbler/scripts && \ + chmod -R 666 /var/lib/cobbler/snippets/* && \ + chmod -R 666 /var/lib/cobbler/scripts/* && \ + chmod -R 755 /var/lib/cobbler/triggers && \ + rm -f /var/lib/cobbler/kickstarts/default.ks && \ + rm -f /var/lib/cobbler/kickstarts/default.seed && \ + cp -rf compass-adapters/cobbler/kickstarts/default.ks /var/lib/cobbler/kickstarts/ && \ + cp -rf compass-adapters//cobbler/kickstarts/default.seed /var/lib/cobbler/kickstarts/ && \ + chmod 666 /var/lib/cobbler/kickstarts/default.ks && \ + chmod 666 /var/lib/cobbler/kickstarts/default.seed && \ + mkdir -p /var/www/cblr_ks && \ + chmod 755 /var/www/cblr_ks && \ + cp -rf compass-adapters/cobbler/conf/cobbler.conf /etc/httpd/conf.d/ && \ + chmod 644 /etc/httpd/conf.d/cobbler.conf && \ + export passwd=$(openssl passwd -1 -salt 'huawei' '123456') && \ + sed -i "s,^default_password_crypted:[ \t]\+\"\(.*\)\",default_password_crypted: \"$cobbler_passwd\",g" /etc/cobbler/settings && \ + chmod 644 /etc/cobbler/settings + + +# disable selinux +RUN echo 0 > /selinux/enforce + +# create log dirs +RUN mkdir -p /var/log/cobbler && \ + mkdir -p /var/log/cobbler/tasks && \ + mkdir -p /var/log/cobbler/anamon && \ + chmod -R 777 /var/log/cobbler + +# create centos ppa repo dir +RUN rm -rf /var/lib/cobbler/repo_mirror/centos_ppa_repo && \ + mkdir -p /var/lib/cobbler/repo_mirror/centos_ppa_repo + +# download centos repo pkgs +WORKDIR /var/lib/cobbler/repo_mirror/centos_ppa_repo +ADD conf/setup.conf /tmp/setup.conf +RUN source /tmp/setup.conf && \ + wget $NTP && \ + wget $SSH_CLIENTS && \ + wget $OPENSSH && \ + wget $IPROUTE && \ + wget $WGET && \ + wget $NTPDATE && \ + wget $YUM_PRIORITIES && \ + wget $JSONC && \ + wget $LIBESTR && \ + wget $LIBGT && \ + wget $LIBLOGGING && \ + wget $RSYSLOG && \ + wget $CHEF_CLIENT_CENTOS + +# creating ubuntu repo +RUN rm -rf /var/lib/cobbler/repo_mirror/ubuntu_ppa_repo && \ + mkdir -p /var/lib/cobbler/repo_mirror/ubuntu_ppa_repo/conf && \ + mv /tmp/distributions /var/lib/cobbler/repo_mirror/ubuntu_ppa_repo/conf/distributions && \ + chmod 644 /var/lib/cobbler/repo_mirror/ubuntu_ppa_repo/conf/distributions && \ + wget -O /var/lib/cobbler/repo_mirror/ubuntu_ppa_repo/chef_11.8.0-1.ubuntu.12.04_amd64.deb http://opscode-omnibus-packages.s3.amazonaws.com/ubuntu/12.04/x86_64/chef_11.8.0-1.ubuntu.12.04_amd64.deb + + +# create repos +WORKDIR /var/lib/cobbler/repo_mirror +RUN createrepo centos_ppa_repo && \ + find ubuntu_ppa_repo -name \*.deb -exec reprepro -Vb ubuntu_ppa_repo includedeb ppa {} \; + +# add repos to cobbler repo and get loaders +RUN /usr/sbin/apachectl -k start && \ + /usr/bin/cobblerd start \& && \ + cobbler repo add --mirror=/var/lib/cobbler/repo_mirror/centos_ppa_repo --name=centos_ppa_repo --mirror-locally=Y --arch=x86_64 && \ + cobbler repo add --mirror=/var/lib/cobbler/repo_mirror/ubuntu_ppa_repo --name=ubuntu_ppa_repo --mirror-locally=Y --arch=x86_64 && \ + cobbler reposync && \ + cobbler get-loaders + +ADD conf/cobbler.settings /etc/cobbler/settings +RUN sed -i 's/disable\([ \t]\+\)=\([ \t]\+\)yes/disable\1=\2no/g' /etc/xinetd.d/rsync && \ + sed -i 's/^@dists=/# @dists=/g' /etc/debmirror.conf && \ + sed -i 's/^@arches=/# @arches=/g' /etc/debmirror.conf + +# create mount points +RUN mkdir -p /var/lib/cobbler/mount_point +VOLUME ["/var/lib/cobbler/mount_point"] +ADD scripts/start /root/start +RUN chmod +x /root/start +CMD ["/root/start"] + + +EXPOSE 80 +EXPOSE 69 69/udp +EXPOSE 53 53/udp +EXPOSE 25151 +EXPOSE 443 +EXPOSE 873 diff --git a/docker/build/cobbler/conf/cobbler.settings b/docker/build/cobbler/conf/cobbler.settings new file mode 100644 index 0000000..4ea2e76 --- /dev/null +++ b/docker/build/cobbler/conf/cobbler.settings @@ -0,0 +1,450 @@ +--- +# cobbler settings file +# restart cobblerd and run "cobbler sync" after making changes +# This config file is in YAML 1.0 format +# see http://yaml.org +# ========================================================== +# if 1, cobbler will allow insertions of system records that duplicate +# the --dns-name information of other system records. In general, +# this is undesirable and should be left 0. +allow_duplicate_hostnames: 0 + +# if 1, cobbler will allow insertions of system records that duplicate +# the ip address information of other system records. In general, +# this is undesirable and should be left 0. +allow_duplicate_ips: 0 + +# if 1, cobbler will allow insertions of system records that duplicate +# the mac address information of other system records. In general, +# this is undesirable. +allow_duplicate_macs: 0 + +# if 1, cobbler will allow settings to be changed dynamically without +# a restart of the cobblerd daemon. You can only change this variable +# by manually editing the settings file, and you MUST restart cobblerd +# after changing it. +allow_dynamic_settings: 0 + +# by default, installs are *not* set to send installation logs to the cobbler +# # # server. With 'anamon_enabled', kickstart templates may use the pre_anamon +# # # snippet to allow remote live monitoring of their installations from the +# # # cobbler server. Installation logs will be stored under +# # # /var/log/cobbler/anamon/. NOTE: This does allow an xmlrpc call to send logs +# # # to this directory, without authentication, so enable only if you are +# # # ok with this limitation. +anamon_enabled: 1 + +# If using authn_pam in the modules.conf, this can be configured +# to change the PAM service authentication will be tested against. +# The default value is "login". +authn_pam_service: "login" + +# Email out a report when cobbler finishes installing a system. +# enabled: set to 1 to turn this feature on +# sender: optional +# email: which addresses to email +# smtp_server: used to specify another server for an MTA +# subject: use the default subject unless overridden +build_reporting_enabled: 0 +build_reporting_sender: "" +build_reporting_email: [ 'root@localhost' ] +build_reporting_smtp_server: "localhost" +build_reporting_subject: "" + +# Cheetah-language kickstart templates can import Python modules. +# while this is a useful feature, it is not safe to allow them to +# import anything they want. This whitelists which modules can be +# imported through Cheetah. Users can expand this as needed but +# should never allow modules such as subprocess or those that +# allow access to the filesystem as Cheetah templates are evaluated +# by cobblerd as code. +cheetah_import_whitelist: + - "random" + - "re" + - "time" + +# Default createrepo_flags to use for new repositories. If you have +# createrepo >= 0.4.10, consider "-c cache --update -C", which can +# dramatically improve your "cobbler reposync" time. "-s sha" +# enables working with Fedora repos from F11/F12 from EL-4 or +# EL-5 without python-hashlib installed (which is not available +# on EL-4) +createrepo_flags: "-c cache -s sha" + +# if no kickstart is specified to profile add, use this template +default_kickstart: /var/lib/cobbler/kickstarts/default.ks + +# configure all installed systems to use these nameservers by default +# unless defined differently in the profile. For DHCP configurations +# you probably do /not/ want to supply this. +default_name_servers: ['10.145.89.100'] + +# if using the authz_ownership module (see the Wiki), objects +# created without specifying an owner are assigned to this +# owner and/or group. Can be a comma seperated list. +default_ownership: + - "admin" + +# cobbler has various sample kickstart templates stored +# in /var/lib/cobbler/kickstarts/. This controls +# what install (root) password is set up for those +# systems that reference this variable. The factory +# default is "cobbler" and cobbler check will warn if +# this is not changed. +# The simplest way to change the password is to run +# openssl passwd -1 +# and put the output between the "" below. +default_password_crypted: "$1$huawei$9OkoVJwO4W8vavlXd1bUS/" + +# the default template type to use in the absence of any +# other detected template. If you do not specify the template +# with '#template=' on the first line of your +# templates/snippets, cobbler will assume try to use the +# following template engine to parse the templates. +# +# Current valid values are: cheetah, jinja2 +default_template_type: "cheetah" + +# for libvirt based installs in koan, if no virt bridge +# is specified, which bridge do we try? For EL 4/5 hosts +# this should be xenbr0, for all versions of Fedora, try +# "virbr0". This can be overriden on a per-profile +# basis or at the koan command line though this saves +# typing to just set it here to the most common option. +default_virt_bridge: xenbr0 + +# use this as the default disk size for virt guests (GB) +default_virt_file_size: 5 + +# use this as the default memory size for virt guests (MB) +default_virt_ram: 512 + +# if koan is invoked without --virt-type and no virt-type +# is set on the profile/system, what virtualization type +# should be assumed? Values: xenpv, xenfv, qemu, vmware +# (NOTE: this does not change what virt_type is chosen by import) +default_virt_type: xenpv + +# enable gPXE booting? Enabling this option will cause cobbler +# to copy the undionly.kpxe file to the tftp root directory, +# and if a profile/system is configured to boot via gpxe it will +# chain load off pxelinux.0. +# Default: 0 +enable_gpxe: 0 + +# controls whether cobbler will add each new profile entry to the default +# PXE boot menu. This can be over-ridden on a per-profile +# basis when adding/editing profiles with --enable-menu=0/1. Users +# should ordinarily leave this setting enabled unless they are concerned +# with accidental reinstalls from users who select an entry at the PXE +# boot menu. Adding a password to the boot menus templates +# may also be a good solution to prevent unwanted reinstallations +enable_menu: 0 + +# enable Func-integration? This makes sure each installed machine is set up +# to use func out of the box, which is a powerful way to script and control +# remote machines. +# Func lives at http://fedorahosted.org/func +# read more at https://github.com/cobbler/cobbler/wiki/Func-integration +# you will need to mirror Fedora/EPEL packages for this feature, so see +# https://github.com/cobbler/cobbler/wiki/Manage-yum-repos if you want cobbler +# to help you with this +func_auto_setup: 0 +func_master: overlord.example.org + +# change this port if Apache is not running plaintext on port +# 80. Most people can leave this alone. +http_port: 8080 + +# kernel options that should be present in every cobbler installation. +# kernel options can also be applied at the distro/profile/system +# level. +kernel_options: + ksdevice: bootif + lang: ' ' + text: ~ + +# s390 systems require additional kernel options in addition to the +# above defaults +kernel_options_s390x: + RUNKS: 1 + ramdisk_size: 40000 + root: /dev/ram0 + ro: ~ + ip: off + vnc: ~ + +# configuration options if using the authn_ldap module. See the +# the Wiki for details. This can be ignored if you are not using +# LDAP for WebUI/XMLRPC authentication. +ldap_server: "ldap.example.com" +ldap_base_dn: "DC=example,DC=com" +ldap_port: 389 +ldap_tls: 1 +ldap_anonymous_bind: 1 +ldap_search_bind_dn: '' +ldap_search_passwd: '' +ldap_search_prefix: 'uid=' +ldap_tls_cacertfile: '' +ldap_tls_keyfile: '' +ldap_tls_certfile: '' + +# cobbler has a feature that allows for integration with config management +# systems such as Puppet. The following parameters work in conjunction with +# --mgmt-classes and are described in furhter detail at: +# https://github.com/cobbler/cobbler/wiki/Using-cobbler-with-a-configuration-management-system +mgmt_classes: [] +mgmt_parameters: + from_cobbler: 1 + +# if enabled, this setting ensures that puppet is installed during +# machine provision, a client certificate is generated and a +# certificate signing request is made with the puppet master server +puppet_auto_setup: 0 + +# when puppet starts on a system after installation it needs to have +# its certificate signed by the puppet master server. Enabling the +# following feature will ensure that the puppet server signs the +# certificate after installation if the puppet master server is +# running on the same machine as cobbler. This requires +# puppet_auto_setup above to be enabled +sign_puppet_certs_automatically: 0 + +# location of the puppet executable, used for revoking certificates +puppetca_path: "/usr/bin/puppet" + +# when a puppet managed machine is reinstalled it is necessary to +# remove the puppet certificate from the puppet master server before a +# new certificate is signed (see above). Enabling the following +# feature will ensure that the certificate for the machine to be +# installed is removed from the puppet master server if the puppet +# master server is running on the same machine as cobbler. This +# requires puppet_auto_setup above to be enabled +remove_old_puppet_certs_automatically: 0 + +# choose a --server argument when running puppetd/puppet agent during kickstart +#puppet_server: 'puppet' + +# let cobbler know that you're using a newer version of puppet +# choose version 3 to use: 'puppet agent'; version 2 uses status quo: 'puppetd' +#puppet_version: 2 + +# choose whether to enable puppet parameterized classes or not. +# puppet versions prior to 2.6.5 do not support parameters +#puppet_parameterized_classes: 1 + +# set to 1 to enable Cobbler's DHCP management features. +# the choice of DHCP management engine is in /etc/cobbler/modules.conf +manage_dhcp: 0 + +# set to 1 to enable Cobbler's DNS management features. +# the choice of DNS mangement engine is in /etc/cobbler/modules.conf +manage_dns: 1 + +# set to path of bind chroot to create bind-chroot compatible bind +# configuration files. This should be automatically detected. +bind_chroot_path: "" + +# set to the ip address of the master bind DNS server for creating secondary +# bind configuration files +bind_master: 127.0.0.1 + +# set to 1 to enable Cobbler's TFTP management features. +# the choice of TFTP mangement engine is in /etc/cobbler/modules.conf +manage_tftpd: 1 + +# set to 1 to enable Cobbler's RSYNC management features. +manage_rsync: 0 + +# if using BIND (named) for DNS management in /etc/cobbler/modules.conf +# and manage_dns is enabled (above), this lists which zones are managed +# See the Wiki (https://github.com/cobbler/cobbler/wiki/Dns-management) for more info +manage_forward_zones: ['ods.com'] +manage_reverse_zones: ['10','172.16'] + +# if using cobbler with manage_dhcp, put the IP address +# of the cobbler server here so that PXE booting guests can find it +# if you do not set this correctly, this will be manifested in TFTP open timeouts. +next_server: 192.168.100.1 + +# settings for power management features. optional. +# see https://github.com/cobbler/cobbler/wiki/Power-management to learn more +# choices (refer to codes.py): +# apc_snmp bladecenter bullpap drac ether_wake ilo integrity +# ipmilan ipmitool lpar rsa virsh wti +power_management_default_type: 'ipmitool' + +# the commands used by the power management module are sourced +# from what directory? +power_template_dir: "/etc/cobbler/power" + +# if this setting is set to 1, cobbler systems that pxe boot +# will request at the end of their installation to toggle the +# --netboot-enabled record in the cobbler system record. This eliminates +# the potential for a PXE boot loop if the system is set to PXE +# first in it's BIOS order. Enable this if PXE is first in your BIOS +# boot order, otherwise leave this disabled. See the manpage +# for --netboot-enabled. +pxe_just_once: 1 + +# the templates used for PXE config generation are sourced +# from what directory? +pxe_template_dir: "/etc/cobbler/pxe" + +# Path to where system consoles are +consoles: "/var/consoles" + +# Are you using a Red Hat management platform in addition to Cobbler? +# Cobbler can help you register to it. Choose one of the following: +# "off" : I'm not using Red Hat Network, Satellite, or Spacewalk +# "hosted" : I'm using Red Hat Network +# "site" : I'm using Red Hat Satellite Server or Spacewalk +# You will also want to read: https://github.com/cobbler/cobbler/wiki/Tips-for-RHN +redhat_management_type: "off" + +# if redhat_management_type is enabled, choose your server +# "management.example.org" : For Satellite or Spacewalk +# "xmlrpc.rhn.redhat.com" : For Red Hat Network +# This setting is also used by the code that supports using Spacewalk/Satellite users/passwords +# within Cobbler Web and Cobbler XMLRPC. Using RHN Hosted for this is not supported. +# This feature can be used even if redhat_management_type is off, you just have +# to have authn_spacewalk selected in modules.conf +redhat_management_server: "xmlrpc.rhn.redhat.com" + +# specify the default Red Hat authorization key to use to register +# system. If left blank, no registration will be attempted. Similarly +# you can set the --redhat-management-key to blank on any system to +# keep it from trying to register. +redhat_management_key: "" + +# if using authn_spacewalk in modules.conf to let cobbler authenticate +# against Satellite/Spacewalk's auth system, by default it will not allow per user +# access into Cobbler Web and Cobbler XMLRPC. +# in order to permit this, the following setting must be enabled HOWEVER +# doing so will permit all Spacewalk/Satellite users of certain types to edit all +# of cobbler's configuration. +# these roles are: config_admin and org_admin +# users should turn this on only if they want this behavior and +# do not have a cross-multi-org seperation concern. If you have +# a single org in your satellite, it's probably safe to turn this +# on and then you can use CobblerWeb alongside a Satellite install. +redhat_management_permissive: 0 + +# if set to 1, allows /usr/bin/cobbler-register (part of the koan package) +# to be used to remotely add new cobbler system records to cobbler. +# this effectively allows for registration of new hardware from system +# records. +register_new_installs: 0 + +# Flags to use for yum's reposync. If your version of yum reposync +# does not support -l, you may need to remove that option. +reposync_flags: "-l -n -d" + +# These options will be used for an rsync initiated by cobbler replicate +replicate_rsync_options: "-avzH" + +# when DHCP and DNS management are enabled, cobbler sync can automatically +# restart those services to apply changes. The exception for this is +# if using ISC for DHCP, then omapi eliminates the need for a restart. +# omapi, however, is experimental and not recommended for most configurations. +# If DHCP and DNS are going to be managed, but hosted on a box that +# is not on this server, disable restarts here and write some other +# script to ensure that the config files get copied/rsynced to the destination +# box. This can be done by modifying the restart services trigger. +# Note that if manage_dhcp and manage_dns are disabled, the respective +# parameter will have no effect. Most users should not need to change +# this. +restart_dns: 1 +restart_dhcp: 1 + +# install triggers are scripts in /var/lib/cobbler/triggers/install +# that are triggered in kickstart pre and post sections. Any +# executable script in those directories is run. They can be used +# to send email or perform other actions. They are currently +# run as root so if you do not need this functionality you can +# disable it, though this will also disable "cobbler status" which +# uses a logging trigger to audit install progress. +run_install_triggers: 1 + +# enables a trigger which version controls all changes to /var/lib/cobbler +# when add, edit, or sync events are performed. This can be used +# to revert to previous database versions, generate RSS feeds, or for +# other auditing or backup purposes. "git" and "hg" are currently suported, +# but git is the recommend SCM for use with this feature. +scm_track_enabled: 0 +scm_track_mode: "git" + +# this is the address of the cobbler server -- as it is used +# by systems during the install process, it must be the address +# or hostname of the system as those systems can see the server. +# if you have a server that appears differently to different subnets +# (dual homed, etc), you need to read the --server-override section +# of the manpage for how that works. +server: 192.168.100.1 + +# If set to 1, all commands will be forced to use the localhost address +# instead of using the above value which can force commands like +# cobbler sync to open a connection to a remote address if one is in the +# configuration and would traceback. +client_use_localhost: 0 + +# If set to 1, all commands to the API (not directly to the XMLRPC +# server) will go over HTTPS instead of plaintext. Be sure to change +# the http_port setting to the correct value for the web server +client_use_https: 0 + +# this is a directory of files that cobbler uses to make +# templating easier. See the Wiki for more information. Changing +# this directory should not be required. +snippetsdir: /var/lib/cobbler/snippets + +# Normally if a kickstart is specified at a remote location, this +# URL will be passed directly to the kickstarting system, thus bypassing +# the usual snippet templating Cobbler does for local kickstart files. If +# this option is enabled, Cobbler will fetch the file contents internally +# and serve a templated version of the file to the client. +template_remote_kickstarts: 0 + +# should new profiles for virtual machines default to auto booting with the physical host when the physical host reboots? +# this can be overridden on each profile or system object. +virt_auto_boot: 1 + +# cobbler's web directory. Don't change this setting -- see the +# Wiki on "relocating your cobbler install" if your /var partition +# is not large enough. +webdir: /var/www/cobbler + +# cobbler's public XMLRPC listens on this port. Change this only +# if absolutely needed, as you'll have to start supplying a new +# port option to koan if it is not the default. +xmlrpc_port: 25151 + +# "cobbler repo add" commands set cobbler up with repository +# information that can be used during kickstart and is automatically +# set up in the cobbler kickstart templates. By default, these +# are only available at install time. To make these repositories +# usable on installed systems (since cobbler makes a very convient) +# mirror, set this to 1. Most users can safely set this to 1. Users +# who have a dual homed cobbler server, or are installing laptops that +# will not always have access to the cobbler server may wish to leave +# this as 0. In that case, the cobbler mirrored yum repos are still +# accessable at http://cobbler.example.org/cblr/repo_mirror and yum +# configuration can still be done manually. This is just a shortcut. +yum_post_install_mirror: 1 + +# the default yum priority for all the distros. This is only used +# if yum-priorities plugin is used. 1=maximum. Tweak with caution. +yum_distro_priority: 1 + +# Flags to use for yumdownloader. Not all versions may support +# --resolve. +yumdownloader_flags: "--resolve" + +# sort and indent JSON output to make it more human-readable +serializer_pretty_json: 0 + +# replication rsync options for distros, kickstarts, snippets set to override default value of "-avzH" +replicate_rsync_options: "-avzH" + +# replication rsync options for repos set to override default value of "-avzH" +replicate_repo_rsync_options: "-avzH" diff --git a/docker/build/cobbler/conf/cobbler_web.conf b/docker/build/cobbler/conf/cobbler_web.conf new file mode 100644 index 0000000..f03d4fe --- /dev/null +++ b/docker/build/cobbler/conf/cobbler_web.conf @@ -0,0 +1,10 @@ +# This configuration file enables the cobbler web +# interface (django version) + +# Force everything to go to https +RewriteEngine on +RewriteCond %{HTTPS} off +RewriteCond %{REQUEST_URI} ^/cobbler_web +# RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} + +WSGIScriptAlias /cobbler_web /usr/share/cobbler/web/cobbler.wsgi diff --git a/docker/build/cobbler/conf/dhcp.template b/docker/build/cobbler/conf/dhcp.template new file mode 100644 index 0000000..f18ec37 --- /dev/null +++ b/docker/build/cobbler/conf/dhcp.template @@ -0,0 +1,98 @@ +# ****************************************************************** +# Cobbler managed dhcpd.conf file +# +# generated from cobbler dhcp.conf template ($date) +# Do NOT make changes to /etc/dhcpd.conf. Instead, make your changes +# in /etc/cobbler/dhcp.template, as /etc/dhcpd.conf will be +# overwritten. +# +# ****************************************************************** + +ddns-update-style interim; + +allow booting; +allow bootp; +deny unknown-clients; +local-address 192.168.100.100; +log-facility local6; + +ignore client-updates; +set vendorclass = option vendor-class-identifier; + +option pxe-system-type code 93 = unsigned integer 16; +option space pxelinux; +option pxelinux.magic code 208 = string; +option pxelinux.configfile code 209 = text; +option pxelinux.pathprefix code 210 = text; +option pxelinux.reboottime code 211 = unsigned integer 32; + +subnet 192.168.100.0 netmask 255.255.254.0 { + option routers 192.168.100.1; + option domain-name-servers 192.168.100.1; + option subnet-mask 255.255.254.0; + range dynamic-bootp 192.168.100.10 192.168.101.250; + default-lease-time 21600; + max-lease-time 43200; + next-server $next_server; + class "pxeclients" { + match if substring (option vendor-class-identifier, 0, 9) = "PXEClient"; + if option pxe-system-type = 00:02 { + filename "ia64/elilo.efi"; + } else if option pxe-system-type = 00:06 { + filename "grub/grub-x86.efi"; + } else if option pxe-system-type = 00:07 { + filename "grub/grub-x86_64.efi"; + } else { + filename "pxelinux.0"; + } + } + +} + +#for dhcp_tag in $dhcp_tags.keys(): + ## group could be subnet if your dhcp tags line up with your subnets + ## or really any valid dhcpd.conf construct ... if you only use the + ## default dhcp tag in cobbler, the group block can be deleted for a + ## flat configuration +# group for Cobbler DHCP tag: $dhcp_tag +group { + #for mac in $dhcp_tags[$dhcp_tag].keys(): + #set iface = $dhcp_tags[$dhcp_tag][$mac] + host $iface.name { + hardware ethernet $mac; + site-option-space "pxelinux"; + option pxelinux.magic f1:00:74:7e; + if exists dhcp-parameter-request-list { + # Always send the PXELINUX options (specified in hexadecimal) + option dhcp-parameter-request-list = concat(option dhcp-parameter-request-list,d0,d1,d2,d3); + } + option pxelinux.reboottime 30; + #if $iface.hostname: + option host-name "$iface.hostname"; + #end if + #if $iface.netmask: + option subnet-mask $iface.netmask; + #end if + #if $iface.gateway: + option routers $iface.gateway; + #end if + #if $iface.enable_gpxe: + if exists user-class and option user-class = "gPXE" { + filename "http://$cobbler_server/cblr/svc/op/gpxe/system/$iface.owner"; + } else if exists user-class and option user-class = "iPXE" { + filename "http://$cobbler_server/cblr/svc/op/gpxe/system/$iface.owner"; + } else { + filename "undionly.kpxe"; + } + #else + filename "$iface.filename"; + #end if + ## Cobbler defaults to $next_server, but some users + ## may like to use $iface.system.server for proxied setups + next-server $next_server; + ## next-server $iface.next_server; + } + #end for +} +#end for + diff --git a/docker/build/cobbler/conf/distributions b/docker/build/cobbler/conf/distributions new file mode 100644 index 0000000..7f61215 --- /dev/null +++ b/docker/build/cobbler/conf/distributions @@ -0,0 +1,8 @@ +Origin: ppa +Label: ppa_repo +Suite: stable +Codename: ppa +Version: 0.1 +Architectures: i386 amd64 source +Components: main +Description: ppa repo diff --git a/docker/build/cobbler/conf/modules.conf b/docker/build/cobbler/conf/modules.conf new file mode 100644 index 0000000..5c3b941 --- /dev/null +++ b/docker/build/cobbler/conf/modules.conf @@ -0,0 +1,84 @@ +# cobbler module configuration file +# ================================= + +# authentication: +# what users can log into the WebUI and Read-Write XMLRPC? +# choices: +# authn_denyall -- no one (default) +# authn_configfile -- use /etc/cobbler/users.digest (for basic setups) +# authn_passthru -- ask Apache to handle it (used for kerberos) +# authn_ldap -- authenticate against LDAP +# authn_spacewalk -- ask Spacewalk/Satellite (experimental) +# authn_pam -- use PAM facilities +# authn_testing -- username/password is always testing/testing (debug) +# (user supplied) -- you may write your own module +# WARNING: this is a security setting, do not choose an option blindly. +# for more information: +# https://github.com/cobbler/cobbler/wiki/Cobbler-web-interface +# https://github.com/cobbler/cobbler/wiki/Security-overview +# https://github.com/cobbler/cobbler/wiki/Kerberos +# https://github.com/cobbler/cobbler/wiki/Ldap + +[authentication] +module = authn_configfile + +# authorization: +# once a user has been cleared by the WebUI/XMLRPC, what can they do? +# choices: +# authz_allowall -- full access for all authneticated users (default) +# authz_ownership -- use users.conf, but add object ownership semantics +# (user supplied) -- you may write your own module +# WARNING: this is a security setting, do not choose an option blindly. +# If you want to further restrict cobbler with ACLs for various groups, +# pick authz_ownership. authz_allowall does not support ACLs. configfile +# does but does not support object ownership which is useful as an additional +# layer of control. + +# for more information: +# https://github.com/cobbler/cobbler/wiki/Cobbler-web-interface +# https://github.com/cobbler/cobbler/wiki/Security-overview +# https://github.com/cobbler/cobbler/wiki/Web-authorization + +[authorization] +module = authz_allowall + +# dns: +# chooses the DNS management engine if manage_dns is enabled +# in /etc/cobbler/settings, which is off by default. +# choices: +# manage_bind -- default, uses BIND/named +# manage_dnsmasq -- uses dnsmasq, also must select dnsmasq for dhcp below +# NOTE: more configuration is still required in /etc/cobbler +# for more information: +# https://github.com/cobbler/cobbler/wiki/Dns-management + +[dns] +module = manage_bind + +# dhcp: +# chooses the DHCP management engine if manage_dhcp is enabled +# in /etc/cobbler/settings, which is off by default. +# choices: +# manage_isc -- default, uses ISC dhcpd +# manage_dnsmasq -- uses dnsmasq, also must select dnsmasq for dns above +# NOTE: more configuration is still required in /etc/cobbler +# for more information: +# https://github.com/cobbler/cobbler/wiki/Dhcp-management + +[dhcp] +module = manage_isc + +# tftpd: +# chooses the TFTP management engine if manage_tftp is enabled +# in /etc/cobbler/settings, which is ON by default. +# +# choices: +# manage_in_tftpd -- default, uses the system's tftp server +# manage_tftpd_py -- uses cobbler's tftp server +# + +[tftpd] +module = manage_in_tftpd + +#-------------------------------------------------- + diff --git a/docker/build/cobbler/conf/setup.conf b/docker/build/cobbler/conf/setup.conf new file mode 100755 index 0000000..e67cac4 --- /dev/null +++ b/docker/build/cobbler/conf/setup.conf @@ -0,0 +1,25 @@ +#centos6.5 +NTP=http://mirror.centos.org/centos/6.5/os/x86_64/Packages/ntp-4.2.6p5-1.el6.centos.x86_64.rpm +SSH_CLIENTS=http://mirror.centos.org/centos/6.5/os/x86_64/Packages/openssh-clients-5.3p1-94.el6.x86_64.rpm +OPENSSH=http://mirror.centos.org/centos/6.5/os/x86_64/Packages/openssh-5.3p1-94.el6.x86_64.rpm +IPROUTE=http://mirror.centos.org/centos/6.5/os/x86_64/Packages/iproute-2.6.32-31.el6.x86_64.rpm +WGET=http://mirror.centos.org/centos/6.5/os/x86_64/Packages/wget-1.12-1.8.el6.x86_64.rpm +NTPDATE=http://mirror.centos.org/centos/6.5/os/x86_64/Packages/ntpdate-4.2.6p5-1.el6.centos.x86_64.rpm +YUM_PRIORITIES=http://mirror.centos.org/centos/6.5/os/x86_64/Packages/yum-plugin-priorities-1.1.30-14.el6.noarch.rpm +JSONC=http://rpms.adiscon.com/v7-stable/epel-6/x86_64/RPMS/json-c-0.9-4.el6.x86_64.rpm +LIBESTR=http://rpms.adiscon.com/v7-stable/epel-6/x86_64/RPMS/libestr-0.1.9-1.el6.x86_64.rpm +LIBGT=http://rpms.adiscon.com/v7-stable/epel-6/x86_64/RPMS/libgt-0.3.11-1.el6.x86_64.rpm +LIBLOGGING=http://rpms.adiscon.com/v7-stable/epel-6/x86_64/RPMS/liblogging-1.0.4-1.el6.x86_64.rpm +RSYSLOG=http://rpms.adiscon.com/v7-stable/epel-6/x86_64/RPMS/rsyslog-7.6.3-1.el6.src.rpm +CHEF_CLIENT_CENTOS=http://opscode-omnibus-packages.s3.amazonaws.com/el/6/x86_64/chef-11.8.0-1.el6.x86_64.rpm + +#ubuntu12.04 +CHEF_CLIENT_UBUNTU=http://opscode-omnibus-packages.s3.amazonaws.com/ubuntu/12.04/x86_64/chef_11.8.0-1.ubuntu.12.04_amd64.deb + +#iso +CENTOS_ISO=http://mirror.rackspace.com/centos/6.5/isos/x86_64/CentOS-6.5-x86_64-minimal.iso +UBUNTU_ISO=http://releases.ubuntu.com/12.04/ubuntu-12.04.4-server-amd64.iso + +#repos +EPEL7=http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm +ATOMIC=http://www6.atomicorp.com/channels/atomic/centos/7/x86_64/RPMS/atomic-release-1.0-19.el7.art.noarch.rpm diff --git a/docker/build/cobbler/conf/ssl.conf b/docker/build/cobbler/conf/ssl.conf new file mode 100644 index 0000000..07f1e22 --- /dev/null +++ b/docker/build/cobbler/conf/ssl.conf @@ -0,0 +1,221 @@ +# +# This is the Apache server configuration file providing SSL support. +# It contains the configuration directives to instruct the server how to +# serve pages over an https connection. For detailing information about these +# directives see +# +# Do NOT simply read the instructions in here without understanding +# what they do. They're here only as hints or reminders. If you are unsure +# consult the online docs. You have been warned. +# + +LoadModule ssl_module modules/mod_ssl.so + +# +# When we also provide SSL we have to listen to the +# the HTTPS port in addition. +# +Listen 443 + +## +## SSL Global Context +## +## All SSL configuration in this context applies both to +## the main server and all SSL-enabled virtual hosts. +## + +# Pass Phrase Dialog: +# Configure the pass phrase gathering process. +# The filtering dialog program (`builtin' is a internal +# terminal dialog) has to provide the pass phrase on stdout. +SSLPassPhraseDialog builtin + +# Inter-Process Session Cache: +# Configure the SSL Session Cache: First the mechanism +# to use and second the expiring timeout (in seconds). +SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000) +SSLSessionCacheTimeout 300 + +# Semaphore: +# Configure the path to the mutual exclusion semaphore the +# SSL engine uses internally for inter-process synchronization. +# SSLMutex default + +# Pseudo Random Number Generator (PRNG): +# Configure one or more sources to seed the PRNG of the +# SSL library. The seed data should be of good random quality. +# WARNING! On some platforms /dev/random blocks if not enough entropy +# is available. This means you then cannot use the /dev/random device +# because it would lead to very long connection times (as long as +# it requires to make more entropy available). But usually those +# platforms additionally provide a /dev/urandom device which doesn't +# block. So, if available, use this one instead. Read the mod_ssl User +# Manual for more details. +SSLRandomSeed startup file:/dev/urandom 256 +SSLRandomSeed connect builtin +#SSLRandomSeed startup file:/dev/random 512 +#SSLRandomSeed connect file:/dev/random 512 +#SSLRandomSeed connect file:/dev/urandom 512 + +# +# Use "SSLCryptoDevice" to enable any supported hardware +# accelerators. Use "openssl engine -v" to list supported +# engine names. NOTE: If you enable an accelerator and the +# server does not start, consult the error logs and ensure +# your accelerator is functioning properly. +# +SSLCryptoDevice builtin +#SSLCryptoDevice ubsec + +## +## SSL Virtual Host Context +## + + + +# General setup for the virtual host, inherited from global configuration +#DocumentRoot "/var/www/html" +#ServerName www.example.com:443 + +# Use separate log files for the SSL virtual host; note that LogLevel +# is not inherited from httpd.conf. +ErrorLog logs/ssl_error_log +TransferLog logs/ssl_access_log +LogLevel warn + +# SSL Engine Switch: +# Enable/Disable SSL for this virtual host. +SSLEngine on + +# SSL Protocol support: +# List the enable protocol levels with which clients will be able to +# connect. Disable SSLv2 access by default: +SSLProtocol all -SSLv2 + +# SSL Cipher Suite: +# List the ciphers that the client is permitted to negotiate. +# See the mod_ssl documentation for a complete list. +SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW + +# Server Certificate: +# Point SSLCertificateFile at a PEM encoded certificate. If +# the certificate is encrypted, then you will be prompted for a +# pass phrase. Note that a kill -HUP will prompt again. A new +# certificate can be generated using the genkey(1) command. +SSLCertificateFile /etc/pki/tls/certs/localhost.crt + +# Server Private Key: +# If the key is not combined with the certificate, use this +# directive to point at the key file. Keep in mind that if +# you've both a RSA and a DSA private key you can configure +# both in parallel (to also allow the use of DSA ciphers, etc.) +SSLCertificateKeyFile /etc/pki/tls/private/localhost.key + +# Server Certificate Chain: +# Point SSLCertificateChainFile at a file containing the +# concatenation of PEM encoded CA certificates which form the +# certificate chain for the server certificate. Alternatively +# the referenced file can be the same as SSLCertificateFile +# when the CA certificates are directly appended to the server +# certificate for convinience. +#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt + +# Certificate Authority (CA): +# Set the CA certificate verification path where to find CA +# certificates for client authentication or alternatively one +# huge file containing all of them (file must be PEM encoded) +#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt + +# Client Authentication (Type): +# Client certificate verification type and depth. Types are +# none, optional, require and optional_no_ca. Depth is a +# number which specifies how deeply to verify the certificate +# issuer chain before deciding the certificate is not valid. +#SSLVerifyClient require +#SSLVerifyDepth 10 + +# Access Control: +# With SSLRequire you can do per-directory access control based +# on arbitrary complex boolean expressions containing server +# variable checks and other lookup directives. The syntax is a +# mixture between C and Perl. See the mod_ssl documentation +# for more details. +# +#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \ +# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \ +# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \ +# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \ +# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \ +# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/ +# + +# SSL Engine Options: +# Set various options for the SSL engine. +# o FakeBasicAuth: +# Translate the client X.509 into a Basic Authorisation. This means that +# the standard Auth/DBMAuth methods can be used for access control. The +# user name is the `one line' version of the client's X.509 certificate. +# Note that no password is obtained from the user. Every entry in the user +# file needs this password: `xxj31ZMTZzkVA'. +# o ExportCertData: +# This exports two additional environment variables: SSL_CLIENT_CERT and +# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the +# server (always existing) and the client (only existing when client +# authentication is used). This can be used to import the certificates +# into CGI scripts. +# o StdEnvVars: +# This exports the standard SSL/TLS related `SSL_*' environment variables. +# Per default this exportation is switched off for performance reasons, +# because the extraction step is an expensive operation and is usually +# useless for serving static content. So one usually enables the +# exportation for CGI and SSI requests only. +# o StrictRequire: +# This denies access when "SSLRequireSSL" or "SSLRequire" applied even +# under a "Satisfy any" situation, i.e. when it applies access is denied +# and no other module can change it. +# o OptRenegotiate: +# This enables optimized SSL connection renegotiation handling when SSL +# directives are used in per-directory context. +#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire + + SSLOptions +StdEnvVars + + + SSLOptions +StdEnvVars + + +# SSL Protocol Adjustments: +# The safe and default but still SSL/TLS standard compliant shutdown +# approach is that mod_ssl sends the close notify alert but doesn't wait for +# the close notify alert from client. When you need a different shutdown +# approach you can use one of the following variables: +# o ssl-unclean-shutdown: +# This forces an unclean shutdown when the connection is closed, i.e. no +# SSL close notify alert is send or allowed to received. This violates +# the SSL/TLS standard but is needed for some brain-dead browsers. Use +# this when you receive I/O errors because of the standard approach where +# mod_ssl sends the close notify alert. +# o ssl-accurate-shutdown: +# This forces an accurate shutdown when the connection is closed, i.e. a +# SSL close notify alert is send and mod_ssl waits for the close notify +# alert of the client. This is 100% SSL/TLS standard compliant, but in +# practice often causes hanging connections with brain-dead browsers. Use +# this only for browsers where you know that their SSL implementation +# works correctly. +# Notice: Most problems of broken clients are also related to the HTTP +# keep-alive facility, so you usually additionally want to disable +# keep-alive for those clients, too. Use variable "nokeepalive" for this. +# Similarly, one has to force some clients to use HTTP/1.0 to workaround +# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and +# "force-response-1.0" for this. +SetEnvIf User-Agent ".*MSIE.*" \ + nokeepalive ssl-unclean-shutdown \ + downgrade-1.0 force-response-1.0 + +# Per-Server Logging: +# The home of a custom SSL log file. Use this when you want a +# compact non-error SSL logfile on a virtual host basis. +CustomLog logs/ssl_request_log \ + "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" + + diff --git a/docker/build/cobbler/conf/tftpd.template b/docker/build/cobbler/conf/tftpd.template new file mode 100644 index 0000000..31f4d36 --- /dev/null +++ b/docker/build/cobbler/conf/tftpd.template @@ -0,0 +1,21 @@ +# default: off +# description: The tftp server serves files using the trivial file transfer \ +# protocol. The tftp protocol is often used to boot diskless \ +# workstations, download configuration files to network-aware printers, \ +# and to start the installation process for some operating systems. +service tftp +{ + disable = no + log_type = SYSLOG local5 info + socket_type = dgram + protocol = udp + wait = yes + user = $user + server = $binary + server_args = -B 1380 -v -s $args + instances = 1000 + per_source = 1000 + cps = 1000 2 + flags = IPv4 +} + diff --git a/docker/build/cobbler/scripts/start b/docker/build/cobbler/scripts/start new file mode 100644 index 0000000..055ffe6 --- /dev/null +++ b/docker/build/cobbler/scripts/start @@ -0,0 +1,17 @@ +#!/bin/bash + +service httpd start +service cobblerd start + +# import distros +cobbler import --path=/var/lib/cobbler/mount_point/CentOS-6.5-x86_64 --name=CentOS-6.5-x86_64 --arch=x86_64 --kickstart=/var/lib/cobbler/kickstarts/default.ks --breed=redhat +cobbler import --path=/var/lib/cobbler/mount_point/Ubuntu-12.04-x86_64 --name=Ubuntu-12.04-x86_64 --arch=x86_64 --kickstart=/var/lib/cobbler/kickstarts/default.seed --breed=ubuntu + +# add profiles +cobbler profile add --name=CentOS-6.5-x86_64 --repo=centos_ppa_repo --distro=CentOS-6.5-x86_64 --ksmeta="tree=http://10.145.89.200:8080/cobbler/ks_mirror/CentOS-6.5-x86_64 compass_server=10.145.89.200" --kickstart=/var/lib/cobbler/kickstarts/default.ks +cobbler profile add --name=Ubuntu-12.04-x86_64 --repo=ubuntu_ppa_repo --distro=Ubuntu-12.04-x86_64 --ksmeta="tree=http://10.145.89.200:8080/cobbler/ks_mirror/Ubuntu-12.04-x86_64 compass_server=10.145.89.200" --kickstart=/var/lib/cobbler/kickstarts/default.seed --kopts="netcfg/choose_interface=auto" + + +cobbler reposync +cobbler sync +cobbler check diff --git a/install/roles/cobbler/handlers/main.yml b/install/roles/cobbler/handlers/main.yml new file mode 100644 index 0000000..bbe5b95 --- /dev/null +++ b/install/roles/cobbler/handlers/main.yml @@ -0,0 +1,3 @@ +--- +- name: restart dhcp-relay + shell: service isc-dhcp-relay restart diff --git a/install/roles/cobbler/tasks/dhcp-relay-debian.yml b/install/roles/cobbler/tasks/dhcp-relay-debian.yml index cf04b13..48aadbf 100644 --- a/install/roles/cobbler/tasks/dhcp-relay-debian.yml +++ b/install/roles/cobbler/tasks/dhcp-relay-debian.yml @@ -12,3 +12,5 @@ lineinfile: dest=/etc/default/isc-dhcp-relay regexp='^INTERFACES' line='INTERFACES="compass0"' + notify: + restart dhcp-relay