aboutsummaryrefslogtreecommitdiffstats
path: root/resources/tools/testbed-setup/ansible/roles
diff options
context:
space:
mode:
authorpmikus <pmikus@cisco.com>2020-12-04 08:44:21 +0000
committerpmikus <pmikus@cisco.com>2020-12-04 08:44:21 +0000
commit938d89a6d00a6bd4e2dd9ca870d0f1e62f144f93 (patch)
tree0ae0a30c2e0cc0da4dbb80586a410eaa301d04bd /resources/tools/testbed-setup/ansible/roles
parent523c6e6e24101206ff1318ca17c310dff8b3c9d2 (diff)
Terraform: csit-shim refactor
- remove snergster image dependency Signed-off-by: pmikus <pmikus@cisco.com> Change-Id: I76fef60371e35dddc6da56db5f9207e003d1c792
Diffstat (limited to 'resources/tools/testbed-setup/ansible/roles')
-rw-r--r--resources/tools/testbed-setup/ansible/roles/csit_shim_image/files/Dockerfile61
-rw-r--r--resources/tools/testbed-setup/ansible/roles/csit_shim_image/files/files/badkeypub1
-rw-r--r--resources/tools/testbed-setup/ansible/roles/csit_shim_image/files/files/sshconfig3
-rw-r--r--resources/tools/testbed-setup/ansible/roles/csit_shim_image/files/files/wrapdocker113
-rw-r--r--resources/tools/testbed-setup/ansible/roles/csit_shim_image/tasks/main.yaml32
5 files changed, 210 insertions, 0 deletions
diff --git a/resources/tools/testbed-setup/ansible/roles/csit_shim_image/files/Dockerfile b/resources/tools/testbed-setup/ansible/roles/csit_shim_image/files/Dockerfile
new file mode 100644
index 0000000000..2b2e1eae55
--- /dev/null
+++ b/resources/tools/testbed-setup/ansible/roles/csit_shim_image/files/Dockerfile
@@ -0,0 +1,61 @@
+# Copyright (c) 2020 Cisco and/or its affiliates.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at:
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+FROM ubuntu:18.04
+LABEL Description="CSIT vpp-device ubuntu 18.04 shim image"
+LABEL Version="master"
+
+# Setup the environment
+ENV DEBIAN_FRONTEND=noninteractive
+ENV NOTVISIBLE "in users profile"
+RUN echo "export VISIBLE=now" >> /etc/profile
+
+ADD files/wrapdocker /usr/local/bin/wrapdocker
+RUN chmod +x /usr/local/bin/wrapdocker
+
+# Install packages and Docker
+RUN apt-get -q update \
+ && apt-get install -y -qq \
+ bash \
+ curl \
+ iproute2 \
+ locales \
+ ssh \
+ sudo \
+ tzdata \
+ uuid-runtime \
+ && curl -fsSL https://get.docker.com | sh \
+ && rm -rf /var/lib/apt/lists/*
+
+# Configure locales
+RUN locale-gen en_US
+
+RUN mkdir /var/run/sshd
+RUN echo 'root:Csit1234' | chpasswd
+RUN sed -i 's/#PermitRootLogin prohibit-password/PermitRootLogin yes/' /etc/ssh/sshd_config
+
+# SSH login fix. Otherwise user is kicked off after login
+RUN sed 's@session\s*required\s*pam_loginuid.so@session optional pam_loginuid.so@g' -i /etc/pam.d/sshd
+
+# Need volume for sidecar docker launches
+VOLUME /var/lib/docker
+
+# SSH to listen on port 6022 in shim
+RUN echo 'Port 6022' >>/etc/ssh/sshd_config
+RUN echo 'Port 6023' >>/etc/ssh/sshd_config
+ADD files/badkeypub /root/.ssh/authorized_keys
+ADD files/sshconfig /root/.ssh/config
+
+# Start sshd by default
+EXPOSE 22
+CMD ["/usr/sbin/sshd", "-D"] \ No newline at end of file
diff --git a/resources/tools/testbed-setup/ansible/roles/csit_shim_image/files/files/badkeypub b/resources/tools/testbed-setup/ansible/roles/csit_shim_image/files/files/badkeypub
new file mode 100644
index 0000000000..4530b66b05
--- /dev/null
+++ b/resources/tools/testbed-setup/ansible/roles/csit_shim_image/files/files/badkeypub
@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCyUNd/iRk5Ajw4ZBB0gXyjzecEzQHh/MctgvHGJjasqJDkwYyZBrunUorOZ3n82W8VGdd5+eNINCWOM/ERjuaHjnutfade+ocPgZRdk+kEgTvetDVNWIgBd0PMVcnp57jJfx7CZVqTNgGeVQ8OJ2RbJGeOb/EKApQI74IPkAfc0PSieSw5gC0eqEOHb39Awgp0ycrzsUHF/OEicfCmo+6vvrMGenDe7frKUoTKYMWs7l3DOyFC8NaOxhGD3J1Ne5u3A/r4w6mN1HVI0rFwIcoms+t0B4lb2ODWKZiZikQdn8/eqwsmbSEZZsWN3FkshgjPS83+dNqVwB6pPY5Yqte7 ejk@bhima.local \ No newline at end of file
diff --git a/resources/tools/testbed-setup/ansible/roles/csit_shim_image/files/files/sshconfig b/resources/tools/testbed-setup/ansible/roles/csit_shim_image/files/files/sshconfig
new file mode 100644
index 0000000000..e7bd90757e
--- /dev/null
+++ b/resources/tools/testbed-setup/ansible/roles/csit_shim_image/files/files/sshconfig
@@ -0,0 +1,3 @@
+Host 172.17.0.*
+ StrictHostKeyChecking no
+ UserKnownHostsFile=/dev/null \ No newline at end of file
diff --git a/resources/tools/testbed-setup/ansible/roles/csit_shim_image/files/files/wrapdocker b/resources/tools/testbed-setup/ansible/roles/csit_shim_image/files/files/wrapdocker
new file mode 100644
index 0000000000..d13f8b7c5e
--- /dev/null
+++ b/resources/tools/testbed-setup/ansible/roles/csit_shim_image/files/files/wrapdocker
@@ -0,0 +1,113 @@
+#!/bin/bash
+
+# Ensure that all nodes in /dev/mapper correspond to mapped devices currently loaded by the device-mapper kernel driver
+dmsetup mknodes
+
+# First, make sure that cgroups are mounted correctly.
+CGROUP=/sys/fs/cgroup
+: {LOG:=stdio}
+
+[ -d $CGROUP ] ||
+ mkdir $CGROUP
+
+mountpoint -q $CGROUP ||
+ mount -n -t tmpfs -o uid=0,gid=0,mode=0755 cgroup $CGROUP || {
+ echo "Could not make a tmpfs mount. Did you use --privileged?"
+ exit 1
+ }
+
+if [ -d /sys/kernel/security ] && ! mountpoint -q /sys/kernel/security
+then
+ mount -t securityfs none /sys/kernel/security || {
+ echo "Could not mount /sys/kernel/security."
+ echo "AppArmor detection and --privileged mode might break."
+ }
+fi
+
+# Mount the cgroup hierarchies exactly as they are in the parent system.
+for SUBSYS in $(cut -d: -f2 /proc/1/cgroup)
+do
+ [ -d $CGROUP/$SUBSYS ] || mkdir $CGROUP/$SUBSYS
+ mountpoint -q $CGROUP/$SUBSYS ||
+ mount -n -t cgroup -o $SUBSYS cgroup $CGROUP/$SUBSYS
+
+ # The two following sections address a bug which manifests itself
+ # by a cryptic "lxc-start: no ns_cgroup option specified" when
+ # trying to start containers withina container.
+ # The bug seems to appear when the cgroup hierarchies are not
+ # mounted on the exact same directories in the host, and in the
+ # container.
+
+ # Named, control-less cgroups are mounted with "-o name=foo"
+ # (and appear as such under /proc/<pid>/cgroup) but are usually
+ # mounted on a directory named "foo" (without the "name=" prefix).
+ # Systemd and OpenRC (and possibly others) both create such a
+ # cgroup. To avoid the aforementioned bug, we symlink "foo" to
+ # "name=foo". This shouldn't have any adverse effect.
+ echo $SUBSYS | grep -q ^name= && {
+ NAME=$(echo $SUBSYS | sed s/^name=//)
+ ln -s $SUBSYS $CGROUP/$NAME
+ }
+
+ # Likewise, on at least one system, it has been reported that
+ # systemd would mount the CPU and CPU accounting controllers
+ # (respectively "cpu" and "cpuacct") with "-o cpuacct,cpu"
+ # but on a directory called "cpu,cpuacct" (note the inversion
+ # in the order of the groups). This tries to work around it.
+ [ $SUBSYS = cpuacct,cpu ] && ln -s $SUBSYS $CGROUP/cpu,cpuacct
+done
+
+# Note: as I write those lines, the LXC userland tools cannot setup
+# a "sub-container" properly if the "devices" cgroup is not in its
+# own hierarchy. Let's detect this and issue a warning.
+grep -q :devices: /proc/1/cgroup ||
+ echo "WARNING: the 'devices' cgroup should be in its own hierarchy."
+grep -qw devices /proc/1/cgroup ||
+ echo "WARNING: it looks like the 'devices' cgroup is not mounted."
+
+# Now, close extraneous file descriptors.
+pushd /proc/self/fd >/dev/null
+for FD in *
+do
+ case "$FD" in
+ # Keep stdin/stdout/stderr
+ [012])
+ ;;
+ # Nuke everything else
+ *)
+ eval exec "$FD>&-"
+ ;;
+ esac
+done
+popd >/dev/null
+
+
+# If a pidfile is still around (for example after a container restart),
+# delete it so that docker can start.
+rm -rf /var/run/docker.pid
+
+# If we were given a PORT environment variable, start as a simple daemon;
+# otherwise, spawn a shell as well
+if [ "$PORT" ]
+then
+ exec dockerd -H 0.0.0.0:$PORT -H unix:///var/run/docker.sock \
+ $DOCKER_DAEMON_ARGS
+else
+ if [ "$LOG" == "file" ]
+ then
+ dockerd $DOCKER_DAEMON_ARGS &>/var/log/docker.log &
+ else
+ dockerd $DOCKER_DAEMON_ARGS &
+ fi
+ (( timeout = 60 + SECONDS ))
+ until docker info >/dev/null 2>&1
+ do
+ if (( SECONDS >= timeout )); then
+ echo 'Timed out trying to connect to internal docker host.' >&2
+ break
+ fi
+ sleep 1
+ done
+ [[ $1 ]] && exec "$@"
+ exec bash --login
+fi \ No newline at end of file
diff --git a/resources/tools/testbed-setup/ansible/roles/csit_shim_image/tasks/main.yaml b/resources/tools/testbed-setup/ansible/roles/csit_shim_image/tasks/main.yaml
new file mode 100644
index 0000000000..bdba4f6563
--- /dev/null
+++ b/resources/tools/testbed-setup/ansible/roles/csit_shim_image/tasks/main.yaml
@@ -0,0 +1,32 @@
+---
+# file: roles/csit_shim_image/tasks/main.yaml
+
+- name: Create a directory if it does not exist
+ file:
+ path: "{{ item }}"
+ state: "directory"
+ mode: 0755
+ with_items:
+ - "/opt/csit-shim/"
+ - "/opt/csit-shim/files"
+ tags: csit-shim-image
+
+- name: Copy Build Items
+ copy:
+ src: "{{ item }}"
+ dest: "/opt/csit-shim/{{ item }}"
+ owner: "root"
+ group: "root"
+ mode: 0655
+ with_items:
+ - "Dockerfile"
+ - "files/badkeypub"
+ - "files/sshconfig"
+ - "files/wrapdocker"
+ tags: csit-shim-image
+
+- name: Build CSIT shim Docker Image
+ shell: "docker build -t csit_shim-ubuntu1804:local ."
+ args:
+ chdir: "/opt/csit-shim"
+ tags: csit-shim-image \ No newline at end of file