def setup(linux_dir="../linux", makeopts=""):
    """Build the kernel tree in *linux_dir*, install it on the host and reboot.

    The image, System.map and .config land in /boot under a
    "<version>-test" name; modules are staged locally under temp/ and
    copied to /lib/modules/<version>-test.  The version string is read
    from ``make kernelversion`` in the local tree.

    :param linux_dir: local path of the kernel source tree
    :param makeopts: extra arguments appended to every ``make`` call
    """
    # TODO generate config from oldconfig
    with lcd(linux_dir):
        base_version = local("make kernelversion", capture=True)
        tagged_version = "{}-test".format(base_version)
        # build the image first, then ship the three boot artefacts
        local("make {}".format(makeopts))
        boot_artefacts = (
            ("arch/x86/boot/bzImage", "vmlinuz-{}"),
            ("System.map", "System.map-{}"),
            (".config", "config-{}"),
        )
        with cd("/boot"):
            for local_name, remote_pattern in boot_artefacts:
                put(local_name, remote_pattern.format(tagged_version), use_sudo=True)
    # stage modules locally under temp/ and push them to the host
    with lcd(linux_dir):
        local("make {} modules_install INSTALL_MOD_PATH=temp/ KDIR={}".format(
            makeopts, linux_dir))
        modules_root = "/lib/modules"
        module_dest = os.path.join(modules_root, tagged_version)
        staged_modules = os.path.join("temp/lib/modules/", base_version)
        # a previous -test install of the same version is replaced wholesale
        sudo("rm -rf {}".format(module_dest), warn_only=True)
        sudo("mkdir -p {}".format(modules_root))
        put(staged_modules, modules_root, use_sudo=True)
        sudo("mv {}/{} {}".format(modules_root, base_version, module_dest))
    sudo("update-initramfs -c -k {}".format(tagged_version))
    sudo("update-grub2")
    reboot()
def reboot_machine():
    """FABRIC task to reboot machine remotely.

    Runs under ``warn_only`` so the connection drop caused by the reboot
    does not abort the task.

    :return: None
    """
    tolerant = settings(warn_only=True)
    with tolerant:
        reboot()
def reboot(self, wait=300):
    """Reboot this server.

    The fabric ``reboot`` runs under the connection settings returned by
    ``self.construct_settings(warn_only=True)``.

    :param wait: seconds to wait for the server to come back up
    """
    from fabric.api import reboot as fabric_reboot, settings as fabric_settings
    connection_opts = self.construct_settings(warn_only=True)
    with fabric_settings(**connection_opts):
        fabric_reboot(wait=wait)
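def ssserver(port, password, method):
    """Install shadowsocks on a yum-based host and register it in rc.local.

    Every value interpolated into a remote command is shell-quoted first, so
    a password containing quotes, spaces or ``$`` can neither break the
    command line nor be interpreted by the remote shell.  *port* must be an
    integer (or an integer string).

    :param port: TCP port the server listens on; also opened in firewalld
    :param password: shared secret; it is stored in clear text in
        /etc/rc.d/rc.local and shows up in the process list of the host
    :param method: cipher name passed to ``ssserver -m``
    :return: True on success, False if validation or any step failed
    """
    try:
        from shlex import quote as shell_quote
    except ImportError:  # Python 2
        from pipes import quote as shell_quote

    try:
        listen_port = int(port)
    except (TypeError, ValueError):
        logging.error("invalid port: %r", port)
        return False
    try:
        sudo('hash yum')
        sudo('hash python')
        sudo('yum -y update 1>/dev/null')
        sudo('yum -y install python-setuptools 1>/dev/null')
        sudo('yum -y install m2crypto 1>/dev/null')
        sudo('easy_install pip 1>/dev/null')
        sudo('pip install shadowsocks 1>/dev/null')
        sudo('hash ssserver')
        # remove any earlier ssserver line so rc.local is not appended to twice
        sudo("sed -i '/ssserver/d' /etc/rc.d/rc.local")
        cmd = '/usr/bin/python /usr/bin/ssserver -p %s -k %s -m %s --user nobody -d start' % \
            (listen_port, shell_quote(password), shell_quote(method))
        # the command may now contain quotes itself, so the whole sed script
        # is quoted as one argument
        sudo("sed -i %s /etc/rc.d/rc.local" % shell_quote('$a %s' % cmd))
        sudo('chmod +x /etc/rc.d/rc.local')
        sudo('firewall-cmd --zone=public --add-port=%d/tcp --permanent' % listen_port)
        with settings(warn_only=True):
            reboot()
        sudo('ps -ef | grep ssserver')
        return True
    except Exception as e:
        # Exception, not BaseException: KeyboardInterrupt/SystemExit propagate
        logging.error(e)
        return False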
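def install_docker():
    """Install lxc-docker on an Ubuntu host from the docker.io apt repository.

    On 12.04 the backported raring kernel is installed for aufs support and
    the host is rebooted at the end; other releases get the matching
    ``linux-image-extra`` package.  ufw's forward policy is set to ACCEPT and
    the daemon is bound to the unix socket plus tcp://127.0.0.1:4243 only.
    """
    check_valid_os()
    print(":: Installing Docker on {}".format(env.host_string))
    ver = run("cat /etc/lsb-release | grep DISTRIB_RELEASE | cut -d '=' -f2")
    reboot_needed = False
    sudo("apt-get update")
    sudo('sh -c "echo deb http://get.docker.io/ubuntu docker main > /etc/apt/sources.list.d/docker.list"')
    # the repository key is fetched over HTTPS and trusted without a
    # fingerprint check
    sudo('sudo sh -c "wget -qO- https://get.docker.io/gpg | apt-key add -"')
    # extras
    if ver == "12.04":
        sudo("apt-get install -y linux-image-generic-lts-raring linux-headers-generic-lts-raring")
        print("* You will need to reboot in order to use the new kernel and aufs module")
        reboot_needed = True
    else:
        sudo("apt-get install -y linux-image-extra-`uname -r`")
    sudo("apt-get update")
    # docker
    sudo("apt-get install -y lxc-docker git-core")
    sudo('echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf ; sysctl -p /etc/sysctl.conf')
    # check ufw
    sudo("sed -i 's/^DEFAULT_FORWARD_POLICY.*/DEFAULT_FORWARD_POLICY=\"ACCEPT\"/g' /etc/default/ufw")
    sudo("service ufw restart")
    # set to listen on local addr; the scratch file is removed even if put()
    # fails (the unused get_local_ip() call of the old version is gone)
    with open(".tmpcfg", "w") as f:
        f.write('DOCKER_OPTS="-H unix:///var/run/docker.sock -H tcp://127.0.0.1:4243"')
    try:
        put(".tmpcfg", "/etc/default/docker", use_sudo=True)
    finally:
        os.remove(".tmpcfg")
    sudo("service docker restart")
    if reboot_needed:
        print("Setup complete. Rebooting...")
        reboot(wait=60)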
def restart_workers():
    """Reboot the worker host via sudo, tolerating the dropped connection."""
    tolerant = settings(warn_only=True)
    with tolerant:
        reboot(use_sudo=True)
def reboot_if_required():
    """Reboot only when /var/run/reboot-required exists.

    ``runner.silent`` runs the shell test; a zero ``return_code`` means the
    marker file is present.
    """
    marker_check = runner.silent('[ -f /var/run/reboot-required ]')
    marker_present = not marker_check.return_code
    if marker_present:
        runner.state("System requires reboot => Rebooting NOW")
        reboot()
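def config_nfs_server():
    """Install an NFS server exporting /export to every host in the 'all' role.

    The templates under config/etc/ are filled with the addresses from
    ``env.roledefs['all']`` and uploaded as /etc/exports and
    /etc/hosts.allow; /etc/hosts.deny is uploaded verbatim.  The host is
    rebooted afterwards.
    """
    setup_cmds = [
        'apt-get -y install nfs-kernel-server',
        'service nfs-kernel-server stop',
        'mkdir -p /export',
        # NOTE(review): world-writable export root, and the export options
        # below include "insecure" (clients may use unprivileged source
        # ports) — access control rests entirely on hosts.allow/hosts.deny
        'chmod 777 /export',
    ]
    for c in setup_cmds:
        sudo(c)
    Xput('config/etc/hosts.deny', '/etc/hosts.deny', use_sudo=True)
    # read the templates with the file handles closed afterwards
    with open('config/etc/hosts.allow') as fh:
        template_ha = string.Template(fh.read())
    with open('config/etc/exports') as fh:
        template_e = string.Template(fh.read())
    export_options = "(rw,fsid=0,insecure,no_subtree_check,async)"
    all_hosts = env.roledefs['all']
    ip_options = ["{ip}{opt}".format(ip=ip, opt=export_options) for ip in all_hosts]
    contents = StringIO.StringIO(
        template_e.substitute(host_and_options=' '.join(ip_options)))
    Xput(contents, "/etc/exports", use_sudo=True)
    contents = StringIO.StringIO(template_ha.substitute(ip_list=' '.join(all_hosts)))
    logging.info("/etc/hosts.allow :\n{}".format(contents.getvalue()))
    Xput(contents, '/etc/hosts.allow', use_sudo=True)
    sudo('exportfs -a')
    reboot()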
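def main():
    """Interactive entry point: choose region, zone and security group,
    launch an instance and provision it.

    The instance name is a prompted name prefixed with the security group
    and the zone suffix; the key name is the key file's basename up to its
    first dot.  After launch the host is reached as ``_USERNAME``, renamed,
    updated and rebooted; with more than one ephemeral disk a RAID is built
    over them, and ``_GIT_REPO`` triggers a clone at the end.
    """
    try:
        from shlex import quote as shell_quote
    except ImportError:  # Python 2
        from pipes import quote as shell_quote

    connection = common.connect()
    region = common.prompt_region(connection)
    connection = common.connect(region)
    zone = common.prompt_zone(connection)
    security_group = common.prompt_security_group(connection)
    prefix = "{}-{}-".format(security_group, zone.split("-")[-1])
    name = _prompt_name(connection, prefix)
    instance_type = _prompt_instance_type()
    key_path = common.prompt_key_path()
    key_name = os.path.basename(key_path).split(".")[0]
    arguments = _LaunchArguments(instance_type=instance_type, key_name=key_name,
                                 name=name, security_group=security_group, zone=zone)
    env.host_string = _launch(connection, arguments, region)
    env.key_filename = key_path
    env.user = _USERNAME
    common.wait_until_remote_reachable()
    # the name comes from an interactive prompt: quote it so shell
    # metacharacters cannot leak into the remote command
    sudo("hostname {}".format(shell_quote(name)))
    _update_system_files(name)
    _install()
    _update_installed_files()
    reboot()
    if instance_type.ephemeral_disk_count > 1:
        _create_ephemeral_raid(instance_type.ephemeral_disk_count)
    if _GIT_REPO:
        _clone()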
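def bootstrap(username='******', password='******', authorized_keys='authorized_keys', **kw):
    """bootstrap a freshly booted nanopi NEO Air to make it ansible ready

    Logs in with the image's initial account, installs *authorized_keys*
    for root, restricts root ssh login to keys, upgrades packages and
    reboots.

    :param username: account used for the initial login
    :param password: its password
    :param authorized_keys: public keys to install for root; a relative
        path is resolved against ``env['config_base']/..``
    :param kw: accepted and ignored
    """
    # (temporarily) set the user to the user set up during bootstrapping
    hostname = env.instance.uid
    env.host_string = '%s@%s' % (username, hostname)
    env.password = password
    if not path.isabs(authorized_keys):
        authorized_keys = path.join(env['config_base'], '..', authorized_keys)
    with fab.settings(warn_only=True):
        # enable passwordless root login via ssh
        fab.sudo("""mkdir -p /root/.ssh""")
        fab.sudo("""chmod 700 /root/.ssh""")
        # authorized_keys is a data file: owner read/write, no exec bit
        fab.put(local_path=authorized_keys,
                remote_path='/root/.ssh/authorized_keys',
                use_sudo=True, mode='0600')
        fab.sudo("""chown root:root /root/.ssh/authorized_keys""")
        # set the directive in place rather than replacing the whole of
        # sshd_config with this one line, which dropped every other setting
        # (Port, Subsystem sftp, PasswordAuthentication, ...)
        fab.sudo(
            """sed -i 's/^#\\?PermitRootLogin .*/PermitRootLogin without-password/' /etc/ssh/sshd_config"""
        )
        fab.sudo(
            """grep -q '^PermitRootLogin ' /etc/ssh/sshd_config || echo 'PermitRootLogin without-password' >> /etc/ssh/sshd_config"""
        )
        fab.sudo("""apt update""")
        fab.sudo("""apt upgrade -y""")
    fab.reboot()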
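def install_docker():
    """Install lxc-docker on an Ubuntu host from the docker.io apt repository.

    On 12.04 the backported raring kernel is installed and the host is
    rebooted at the end; other releases get the matching
    ``linux-image-extra`` package.  ufw's forward policy is set to ACCEPT and
    the daemon is bound to the unix socket plus tcp://127.0.0.1:4243 only.
    """
    check_valid_os()
    print(':: Installing Docker on {}'.format(env.host_string))
    ver = run('cat /etc/lsb-release | grep DISTRIB_RELEASE | cut -d \'=\' -f2')
    reboot_needed = False
    sudo('apt-get update')
    sudo('sh -c "echo deb http://get.docker.io/ubuntu docker main > /etc/apt/sources.list.d/docker.list"')
    # the repository key is fetched over HTTPS and trusted without a
    # fingerprint check
    sudo('sudo sh -c "wget -qO- https://get.docker.io/gpg | apt-key add -"')
    # extras
    if ver == '12.04':
        sudo('apt-get install -y linux-image-generic-lts-raring linux-headers-generic-lts-raring')
        reboot_needed = True
    else:
        sudo('apt-get install -y linux-image-extra-`uname -r`')
    sudo('apt-get update')
    # docker
    sudo('apt-get install -y lxc-docker git-core')
    sudo('echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf ; sysctl -p /etc/sysctl.conf')
    # check ufw
    sudo("sed -i 's/^DEFAULT_FORWARD_POLICY.*/DEFAULT_FORWARD_POLICY=\"ACCEPT\"/g' /etc/default/ufw")
    sudo('service ufw restart')
    # set to listen on local addr; the scratch file is removed even if put() fails
    with open('.tmpcfg', 'w') as f:
        f.write('DOCKER_OPTS="-H unix:///var/run/docker.sock -H tcp://127.0.0.1:4243"')
    try:
        put('.tmpcfg', '/etc/default/docker', use_sudo=True)
    finally:
        os.remove('.tmpcfg')
    sudo('service docker restart')
    if reboot_needed:
        print(':: Setup complete. Rebooting to apply new kernel...')
        reboot(wait=60)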
def wipefs():
    """Wipe filesystem signatures from every block device lsblk lists with a 'T'.

    The selection is purely textual: ``lsblk | grep T`` keeps every output
    line containing a capital T and the first such line is dropped
    (presumably the column header, which contains "TYPE"/"MOUNTPOINT").
    Devices whose size is printed in terabytes look like the intended
    target — TODO confirm; any other 'T' in a line (type, mountpoint)
    matches too.  Destructive: each matched device is wiped without
    confirmation and the host is then rebooted.
    """
    disks = sudo('lsblk | grep T').split('\n')
    for disk in disks[1:]:
        # first whitespace-separated field is the NAME column
        disk = disk.split(' ')[0]
        sudo("sudo wipefs -af /dev/%s" % disk)
    with settings(warn_only=True):
        # 600 s for the host to come back; the dropped connection is tolerated
        reboot(600)
def _reboot_server(self):
    """Reboot the management host using the login details in ``self.env``."""
    management_login = {
        'user': self.env.management_user_name,
        'key_filename': get_actual_keypath(self.env, self.env.management_key_path),
        'host_string': self.env.management_ip,
    }
    env.update(management_login)
    reboot()
def worker_init():
    """Prepare a worker: NFS setup, stage the worker script and supervisor config, reboot."""
    nfs()
    staging_cmds = (
        'mkdir -p /home/ps/data/',
        'cp /home/ps/share/ssd/script/run_worker.sh /home/ps/data/',
    )
    for shell_cmd in staging_cmds:
        run(shell_cmd)
    sudo('cp /home/ps/share/ssd/conf/worker.conf /etc/supervisor/conf.d/')
    tolerant = settings(warn_only=True)
    with tolerant:
        reboot(600)
def reboot_if_required():
    "Reboots the machine only if it's required"
    if not file_exists('/var/run/reboot-required'):
        puts("No reboot required.")
        return
    puts("Rebooting...")
    reboot()
    puts("Machine is back online.")
def reboot(self, wait=300):
    """Reboot this server.

    The fabric ``reboot`` runs under the connection settings returned by
    ``self.construct_settings`` with ``is_warn_only`` set and
    ``n_attempts`` taken from ``self.N_CONNECTION_ATTEMPTS``.

    :param wait: seconds to wait for the server to come back up
    """
    from fabric.api import reboot as fabric_reboot, settings as fabric_settings
    connection_opts = self.construct_settings(
        is_warn_only=True, n_attempts=self.N_CONNECTION_ATTEMPTS)
    with fabric_settings(**connection_opts):
        fabric_reboot(wait=wait)
def paso_1_install():
    """Step 1 of the sensor node install: packages, config, permissions, then reboot."""
    steps = (
        install_git,
        install_supervisor,
        install_sensors,
        supervisor_conf,
        change_sensors_file_mod,
        config_hostname,
        create_permissions_loggers,
    )
    for step in steps:
        step()
    reboot(wait=5)
def reload():
    """Restart the server."""
    # TODO: Duplicated elsewhere
    remote_stage = env.settings in ('staging', 'production')
    if not remote_stage:
        require('hosts', provided_by=[vagrant])
        local('vagrant reload')
        return
    require('hosts', provided_by=[staging, production])
    reboot(60)
def _checkpoint_initial():
    """Initial checkpoint: update the OS, reboot, record checkpoint 1 and run it."""
    log("Updating server OS")
    apt_steps = ("apt-get update", "apt-get dist-upgrade", "apt-get autoremove")
    for apt_step in apt_steps:
        check_result(sudo(apt_step), apt_step)
    log("Rebooting")
    reboot()
    _write_checkpoint(1)
    _checkpoint_one()
def install():
    """Full sensor node install: packages, humidity libraries, config, permissions, reboot."""
    steps = (
        install_git,
        install_supervisor,
        install_sensors,
        install_bibliotecas_humedad,
        supervisor_conf,
        change_sensors_file_mod,
        config_hostname,
        create_permissions_loggers,
    )
    for step in steps:
        step()
    reboot(wait=5)
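def prepare_new_server(name):
    """Name the host, upgrade the OS, install git/Ruby and the chef gem, reboot.

    :param name: hostname to assign; shell-quoted before it is passed to
        ``hostname``
    """
    try:
        from shlex import quote as shell_quote
    except ImportError:  # Python 2
        from pipes import quote as shell_quote

    _add_line_if_not_present('/etc/hosts', '127.0.0.1 %s' % name, sudo)
    sudo('hostname %s' % shell_quote(name))
    sudo('apt-get update')
    sudo('apt-get upgrade -y')
    sudo('apt-get update')
    sudo('apt-get install -y git ruby1.9.1 ruby1.9.1-dev build-essential')
    sudo('gem install chef --no-ri --no-rdoc')
    print('Rebooting to apply stuff...')
    reboot()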
def __prepare_new_server():
    """Preparing the environment: upgrade the OS, install git/Ruby and chef, reboot."""
    provisioning_cmds = (
        'apt-get update',
        'apt-get upgrade -y',
        'apt-get update',
        'apt-get install -y git ruby1.9.1 ruby1.9.1-dev build-essential',
        'gem install chef --no-ri --no-rdoc',
    )
    for shell_cmd in provisioning_cmds:
        run(shell_cmd)
    print('Rebooting to apply stuff...')
    reboot()
def dependency():
    """Clear the temp dir and, per ``configs.clean.mode``, containers or all of docker.

    "soft" (the default) removes every container; anything else stops
    docker, deletes /var/lib/docker and re-enables the service.  The host is
    rebooted afterwards.
    """
    require('stage')
    cfg = env['configs']
    soft_clean = cfg.get('clean', {}).get('mode', 'soft') == 'soft'
    with settings(warn_only=True):
        sudo('rm -rf {0}'.format(cfg['temp_dir']))
        if soft_clean:
            sudo('docker rm -f `docker ps -a -q`')
        else:
            sudo('systemctl stop docker && systemctl disable docker')
            sudo('rm -rf /var/lib/docker')
            sudo('systemctl daemon-reload && systemctl enable docker')
        reboot()
def setup_group():
    """Create the sharkeyes group, add apache, mysql and the current user, then restart."""
    current_user = run('id -u -n')
    with settings(warn_only=True):
        group_missing = run('grep sharkeyes /etc/group').return_code != 0
        if group_missing:
            sudo('groupadd sharkeyes')
            for member in ('apache', 'mysql', current_user):
                sudo('usermod -a -G sharkeyes ' + member)
        if 'sharkeyes' not in run('id'):
            # under vagrant a plain reboot does not reconnect what it needs; reload instead
            if env.user == 'vagrant':
                local('vagrant reload')
            else:
                reboot()
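def install_server(publichost, admin_privkey_path, monitor_pubkey, monitor_privkey_path, stdout, stderr):
    """Provision a Tahoe-LAFS storage host end to end.

    Updates and reboots the host, installs build dependencies and txAWS,
    creates the ``customer`` and ``monitor`` accounts, then fetches and
    builds Tahoe-LAFS and creates the introducer and storage server as the
    customer account.  Progress lines go to *stdout*.

    :param publichost: address of the host
    :param admin_privkey_path: key used for the admin login
    :param monitor_pubkey: public key installed for the monitor account
    :param monitor_privkey_path: key used to verify the monitor login
    :param stdout: stream for progress messages
    :param stderr: stream handed to ``create_account``
    """
    def status(message):
        # stream-agnostic replacement for the Python-2-only ``print >>stdout``
        stdout.write(message + "\n")

    set_host_and_key(publichost, admin_privkey_path)
    status("Updating server...")
    sudo_apt_get('update')
    sudo_apt_get('dist-upgrade -y')
    status("Rebooting server (this will take a while)...")
    api.reboot(240)
    status("Installing dependencies...")
    for package in ('python-dev', 'python-setuptools', 'exim4-base', 'darcs', 'python-foolscap'):
        sudo_apt_get('install -y %s' % package)
    sudo_apt_get('remove -y --purge whoopsie')
    # the tarball is downloaded and installed as root with no checksum or
    # signature verification
    run('wget %s' % (INSTALL_TXAWS_URL, ))
    run('tar -xzvf txAWS-%s.tar.gz' % (INSTALL_TXAWS_VERSION, ))
    with cd('/home/ubuntu/txAWS-%s' % (INSTALL_TXAWS_VERSION, )):
        sudo('python ./setup.py install')
    create_account('customer', None, stdout, stderr)
    create_account('monitor', monitor_pubkey, stdout, stderr)
    # verify that the account exists and can be logged into
    set_host_and_key(publichost, monitor_privkey_path, username="******")
    # do the rest of the installation as 'customer', customer doesn't actually have its own ssh keys
    # I don't know if creating one would be useful.XXX
    set_host_and_key(publichost, admin_privkey_path, username="******")
    status("Getting Tahoe-LAFS...")
    run('rm -rf /home/customer/LAFS_source')
    run('darcs get --lazy https://tahoe-lafs.org/source/tahoe/ticket999-S3-backend LAFS_source')
    status("Building Tahoe-LAFS...")
    with cd('/home/customer/LAFS_source'):
        run('python ./setup.py build')
    status("Creating introducer and storage server...")
    run('mkdir -p introducer storageserver')
    run('LAFS_source/bin/tahoe create-introducer introducer || echo Assuming that introducer already exists.')
    run('LAFS_source/bin/tahoe create-node storageserver || echo Assuming that storage server already exists.')
    status("Finished server installation.")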
def deploy(hostname, pubkey, username, passwd=None, first_run='True'):
    """Provision a Pi: wifi, drop X11, upgrade, unattended upgrades, harden, reboot.

    :param hostname: name handed to ``harden``
    :param pubkey: path of the public key; when not the first run the login
        key is this path minus its last four characters (presumably the
        ".pub" suffix — confirm)
    :param username: account used for login after the first run
    :param passwd: password handed to ``harden``
    :param first_run: "True" (case-insensitive) to log in with the image's
        initial account and change its password first
    """
    is_first_run = first_run.lower() == 'true'
    if is_first_run:
        env.user = '******'
        chpasswd('pi')
    else:
        env.user = username
        env.key_filename = pubkey[:-4]
    for stage in (setup_wifi, remove_x11, upgrade, setup_unattended_upgrades):
        stage()
    harden(hostname, pubkey, username, passwd, first_run)
    reboot()
def setup_group():
    """Create the sharkeyes group, add apache, mysql and the current user, then restart."""
    current_user = run('id -u -n')
    with settings(warn_only=True):
        group_missing = run('grep sharkeyes /etc/group').return_code != 0
        if group_missing:
            sudo('groupadd sharkeyes')
            for member in ('apache', 'mysql', current_user):
                sudo('usermod -a -G sharkeyes ' + member)
        if 'sharkeyes' not in run('id'):
            # under vagrant a plain reboot does not reconnect what it needs; reload instead
            if env.user == 'vagrant':
                local('vagrant reload')
            else:
                reboot()
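def setup_docker(force=False):
    """Setup docker on the target host.

    :param force: Whether to continue with installation even if docker
        already appears to be installed. Defaults to False.
    :type force: bool

    On a 3.2 kernel the user is asked twice, before the kernel upgrade and
    before the reboot it needs; only an explicit 'y' proceeds.  The docker
    image and user setup run in every case.
    """
    fastprint(yellow('Setting up docker on host: %s\n' % env.host))
    already_installed = is_installed('lxc-docker')
    # `force` was previously accepted but never consulted
    if already_installed and not force:
        fastprint(green(
            'This system already appears to have docker installed on it\n'))
    else:
        version = run('uname -r')
        # startswith: a substring test also matched e.g. 3.13.2
        if version.startswith('3.2'):
            # LTS 3.2 version is too old so we install a backported one
            # see http://docs.docker.io/en/latest/installation/ubuntulinux/
            # #ubuntu-precise-12-04-lts-64-bit
            fastprint(red('Upgrading kernel to 3.8!\n'))
            response = prompt('Do you wish to continue? y/n :')
            if response != 'y':
                fastprint(red('Docker install aborted by user.\n'))
                return
            fastprint(blue('Ok upgrading kernel.'))
            require_packages([
                'linux-image-generic-lts-raring',
                'linux-headers-generic-lts-raring'])
            fastprint(red('\nWe need to reboot the system now!\n'))
            response = prompt('Do you wish to continue? y/n :')
            # prompt() returns the typed string, never None, so the old
            # "is not None" test rebooted on any answer
            if response == 'y':
                reboot()
        else:
            require_package('linux-image-extra-%s' % version)
        require_ppa('ppa:dotcloud/lxc-docker')
        apt_get_update()
        require_packages([
            'software-properties-common',
            'lxc-docker'])
        # Ensure ufw forwards traffic.
        # http://docs.docker.io/en/latest/installation/ubuntulinux/#ufw
        # NOTE(review): use_sudo=False on a root-owned file — confirm this
        # task runs as root
        sed(
            '/etc/default/ufw',
            'DEFAULT_FORWARD_POLICY="DROP"',
            'DEFAULT_FORWARD_POLICY="ACCEPT"',
            use_sudo=False)
    setup_docker_image()
    setup_docker_user()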
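def install_server(publichost, admin_privkey_path, monitor_pubkey, monitor_privkey_path, stdout, stderr):
    """Provision a Tahoe-LAFS storage host end to end.

    Updates and reboots the host, installs build dependencies and txAWS,
    creates the ``customer`` and ``monitor`` accounts, then fetches and
    builds Tahoe-LAFS and creates the introducer and storage server as the
    customer account.  Progress lines go to *stdout*.

    :param publichost: address of the host
    :param admin_privkey_path: key used for the admin login
    :param monitor_pubkey: public key installed for the monitor account
    :param monitor_privkey_path: key used to verify the monitor login
    :param stdout: stream for progress messages
    :param stderr: stream handed to ``create_account``
    """
    def status(message):
        # stream-agnostic replacement for the Python-2-only ``print >>stdout``
        stdout.write(message + "\n")

    set_host_and_key(publichost, admin_privkey_path)
    status("Updating server...")
    sudo_apt_get('update')
    sudo_apt_get('dist-upgrade -y')
    status("Rebooting server (this will take a while)...")
    api.reboot(240)
    status("Installing dependencies...")
    for package in ('python-dev', 'python-setuptools', 'exim4-base', 'darcs', 'python-foolscap'):
        sudo_apt_get('install -y %s' % package)
    sudo_apt_get('remove -y --purge whoopsie')
    # the tarball is downloaded and installed as root with no checksum or
    # signature verification
    run('wget %s' % (INSTALL_TXAWS_URL,))
    run('tar -xzvf txAWS-%s.tar.gz' % (INSTALL_TXAWS_VERSION,))
    with cd('/home/ubuntu/txAWS-%s' % (INSTALL_TXAWS_VERSION,)):
        sudo('python ./setup.py install')
    create_account('customer', None, stdout, stderr)
    create_account('monitor', monitor_pubkey, stdout, stderr)
    # verify that the account exists and can be logged into
    set_host_and_key(publichost, monitor_privkey_path, username="******")
    # do the rest of the installation as 'customer', customer doesn't actually have its own ssh keys
    # I don't know if creating one would be useful.XXX
    set_host_and_key(publichost, admin_privkey_path, username="******")
    status("Getting Tahoe-LAFS...")
    run('rm -rf /home/customer/LAFS_source')
    run('darcs get --lazy https://tahoe-lafs.org/source/tahoe/ticket999-S3-backend LAFS_source')
    status("Building Tahoe-LAFS...")
    with cd('/home/customer/LAFS_source'):
        run('python ./setup.py build')
    status("Creating introducer and storage server...")
    run('mkdir -p introducer storageserver')
    run('LAFS_source/bin/tahoe create-introducer introducer || echo Assuming that introducer already exists.')
    run('LAFS_source/bin/tahoe create-node storageserver || echo Assuming that storage server already exists.')
    status("Finished server installation.")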
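def setup_docker(force=False):
    """Setup docker on the target host.

    :param force: Whether to continue with installation even if docker
        already appears to be installed. Defaults to False.
    :type force: bool

    On a 3.2 kernel the user is asked twice, before the kernel upgrade and
    before the reboot it needs; only an explicit 'y' proceeds.  The docker
    image and user setup run in every case.
    """
    fastprint(yellow('Setting up docker on host: %s\n' % env.host))
    already_installed = is_installed('lxc-docker')
    # `force` was previously accepted but never consulted
    if already_installed and not force:
        fastprint(
            green(
                'This system already appears to have docker installed on it\n')
        )
    else:
        version = run('uname -r')
        # startswith: a substring test also matched e.g. 3.13.2
        if version.startswith('3.2'):
            # LTS 3.2 version is too old so we install a backported one
            # see http://docs.docker.io/en/latest/installation/ubuntulinux/
            # #ubuntu-precise-12-04-lts-64-bit
            fastprint(red('Upgrading kernel to 3.8!\n'))
            response = prompt('Do you wish to continue? y/n :')
            if response != 'y':
                fastprint(red('Docker install aborted by user.\n'))
                return
            fastprint(blue('Ok upgrading kernel.'))
            require_packages([
                'linux-image-generic-lts-raring',
                'linux-headers-generic-lts-raring'
            ])
            fastprint(red('\nWe need to reboot the system now!\n'))
            response = prompt('Do you wish to continue? y/n :')
            # prompt() returns the typed string, never None, so the old
            # "is not None" test rebooted on any answer
            if response == 'y':
                reboot()
        else:
            require_package('linux-image-extra-%s' % version)
        require_ppa('ppa:dotcloud/lxc-docker')
        apt_get_update()
        require_packages(['software-properties-common', 'lxc-docker'])
        # Ensure ufw forwards traffic.
        # http://docs.docker.io/en/latest/installation/ubuntulinux/#ufw
        # NOTE(review): use_sudo=False on a root-owned file — confirm this
        # task runs as root
        sed('/etc/default/ufw', 'DEFAULT_FORWARD_POLICY="DROP"',
            'DEFAULT_FORWARD_POLICY="ACCEPT"', use_sudo=False)
    setup_docker_image()
    setup_docker_user()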
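def bootstrap(boot_ip=None, authorized_keys='authorized_keys', configure_ethernet="yes"):
    """bootstrap a freshly booted Raspberry PI 3 to make it ansible ready

    :param boot_ip: address the board currently answers on, if it differs
        from the configured final ip
    :param authorized_keys: public keys installed for root; a relative path
        is resolved against ``env['config_base']/..``
    :param configure_ethernet: "yes" to stop dhcpcd and write a static
        interface definition from the ``eth_*`` ansible variables
    """
    # (temporarily) set the user to `pi`
    if not path.isabs(authorized_keys):
        authorized_keys = path.join(env['config_base'], '..', authorized_keys)
    final_ip = env.instance.config['ip']
    if boot_ip:
        env.instance.config['ip'] = boot_ip
    hostname = env.instance.uid
    env.host_string = 'pi@%s' % hostname
    env.password = '******'
    fab.sudo("""apt update""")
    fab.sudo("""apt upgrade -y""")
    AV = env.instance.get_ansible_variables()
    # TODO: Move defaults into ploy.conf
    AV.setdefault('eth_ip', final_ip)
    AV.setdefault('eth_iface', 'eth0')
    AV.setdefault('eth_netmask', '255.255.255.0')
    AV.setdefault('eth_gateway', '192.168.1.1')
    AV.setdefault('eth_dns', '8.8.8.8')
    with fab.settings(warn_only=True):
        fab.sudo("systemctl stop dhcpcd")
        fab.sudo("systemctl disable dhcpcd")
        if configure_ethernet == "yes":
            eth_config = eth_interface.format(**AV)
            fab.sudo('echo """%s""" > /etc/network/interfaces.d/%s' % (eth_config, AV['eth_iface']))
            fab.sudo(
                'echo "source-directory /etc/network/interfaces.d" > /etc/network/interfaces'
            )
            # NOTE(review): the gateway, not AV['eth_dns'], is registered as
            # the nameserver here — confirm that is intended
            fab.sudo('echo "nameserver %s" | resolvconf -a %s' % (AV['eth_gateway'], AV['eth_iface']))
        # enable passwordless root login via ssh
        fab.sudo("""mkdir -p /root/.ssh""")
        fab.sudo("""chmod 700 /root/.ssh""")
        # authorized_keys is a data file: owner read/write, no exec bit
        fab.put(local_path=authorized_keys,
                remote_path='/root/.ssh/authorized_keys',
                use_sudo=True, mode='0600')
        fab.sudo("""chown root:root /root/.ssh/authorized_keys""")
    fab.reboot()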
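def bootstrap(boot_ip=None, authorized_keys='authorized_keys', static_ip=True):
    """bootstrap a freshly booted Pine64 to make it ansible ready

    :param boot_ip: address the board currently answers on, if it differs
        from the configured final ip
    :param authorized_keys: public keys installed for root; a relative path
        is resolved against ``env['config_base']/..``
    :param static_ip: accepted for interface compatibility; not consulted
    """
    # (temporarily) set the user to `ubuntu`
    if not path.isabs(authorized_keys):
        authorized_keys = path.join(env['config_base'], '..', authorized_keys)
    final_ip = env.instance.config['ip']
    if boot_ip:
        env.instance.config['ip'] = boot_ip
    hostname = env.instance.uid
    env.host_string = 'ubuntu@%s' % hostname
    env.password = '******'
    AV = env.instance.get_ansible_variables()
    AV.setdefault('eth_ip', final_ip)
    AV.setdefault('eth_iface', 'eth0')
    AV.setdefault('eth_netmask', '255.255.255.0')
    AV.setdefault('eth_gateway', '192.168.1.1')
    AV.setdefault('eth_dns', '8.8.8.8')
    with fab.settings(warn_only=True):
        fab.sudo('echo """%s""" > /etc/network/interfaces.d/%s' % (eth_interface.format(**AV), AV['eth_iface']))
        # enable passwordless root login via ssh
        from fabric.contrib.files import exists
        if not exists('/root/.ssh', use_sudo=True):
            fab.sudo("""mkdir /root/.ssh""")
            fab.sudo("""chmod 700 /root/.ssh""")
        if not exists('/root/.ssh/authorized_keys', use_sudo=True):
            # authorized_keys is a data file: owner read/write, no exec bit
            fab.put(local_path=authorized_keys,
                    remote_path='/root/.ssh/authorized_keys',
                    use_sudo=True, mode='0600')
            fab.sudo("""chown root:root /root/.ssh/authorized_keys""")
        # set the directive in place rather than replacing the whole of
        # sshd_config with this one line, which dropped every other setting
        # (Port, Subsystem sftp, PasswordAuthentication, ...)
        fab.sudo(
            """sed -i 's/^#\\?PermitRootLogin .*/PermitRootLogin without-password/' /etc/ssh/sshd_config"""
        )
        fab.sudo(
            """grep -q '^PermitRootLogin ' /etc/ssh/sshd_config || echo 'PermitRootLogin without-password' >> /etc/ssh/sshd_config"""
        )
        fab.sudo("""/usr/local/sbin/resize_rootfs.sh""")
        fab.sudo("""/usr/local/sbin/pine64_update_uboot.sh""")
        fab.sudo("""/usr/local/sbin/pine64_update_kernel.sh""")
        fab.sudo("""apt-get install python -y""")
        # finally override DNS
        fab.sudo('echo """%s""" > /etc/resolvconf/resolv.conf.d/tail' % eth_resolvconf.format(**AV))
    fab.reboot()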
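def install_docker():
    """Install lxc-docker on an Ubuntu host from the docker.io apt repository.

    On 12.04 the backported raring kernel is installed and the host is
    rebooted at the end; other releases get the matching
    ``linux-image-extra`` package.  ufw's forward policy is set to ACCEPT and
    the daemon is bound to the unix socket plus tcp://127.0.0.1:4243 only.
    """
    check_valid_os()
    print(':: Installing Docker on {}'.format(env.host_string))
    ver = run(
        'cat /etc/lsb-release | grep DISTRIB_RELEASE | cut -d \'=\' -f2')
    reboot_needed = False
    sudo('apt-get update')
    sudo(
        'sh -c "echo deb http://get.docker.io/ubuntu docker main > /etc/apt/sources.list.d/docker.list"'
    )
    # the repository key is fetched over HTTPS and trusted without a
    # fingerprint check
    sudo('sudo sh -c "wget -qO- https://get.docker.io/gpg | apt-key add -"')
    # extras
    if ver == '12.04':
        sudo(
            'apt-get install -y linux-image-generic-lts-raring linux-headers-generic-lts-raring'
        )
        reboot_needed = True
    else:
        sudo('apt-get install -y linux-image-extra-`uname -r`')
    sudo('apt-get update')
    # docker
    sudo('apt-get install -y lxc-docker git-core')
    sudo(
        'echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf ; sysctl -p /etc/sysctl.conf'
    )
    # check ufw
    sudo(
        "sed -i 's/^DEFAULT_FORWARD_POLICY.*/DEFAULT_FORWARD_POLICY=\"ACCEPT\"/g' /etc/default/ufw"
    )
    sudo('service ufw restart')
    # set to listen on local addr; the scratch file is removed even if put() fails
    with open('.tmpcfg', 'w') as f:
        f.write(
            'DOCKER_OPTS="-H unix:///var/run/docker.sock -H tcp://127.0.0.1:4243"'
        )
    try:
        put('.tmpcfg', '/etc/default/docker', use_sudo=True)
    finally:
        os.remove('.tmpcfg')
    sudo('service docker restart')
    if reboot_needed:
        print(':: Setup complete. Rebooting to apply new kernel...')
        reboot(wait=120)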
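def bootstrap(boot_ip=None, authorized_keys='authorized_keys', static_ip=True):
    """bootstrap a freshly booted Raspberry PI 3 to make it ansible ready

    :param boot_ip: address the board currently answers on, if it differs
        from the configured final ip
    :param authorized_keys: public keys installed for root; a relative path
        is resolved against ``env['config_base']/..``
    :param static_ip: append a static interface stanza built from the
        ``eth_*`` ansible variables to /etc/dhcpcd.conf
    """
    # (temporarily) set the user to `pi`
    if not path.isabs(authorized_keys):
        authorized_keys = path.join(
            env['config_base'], '..', authorized_keys)
    final_ip = env.instance.config['ip']
    if boot_ip:
        env.instance.config['ip'] = boot_ip
    hostname = env.instance.uid
    env.host_string = 'pi@%s' % hostname
    env.password = '******'
    fab.sudo("""apt update""")
    fab.sudo("""apt upgrade -y""")
    AV = env.instance.get_ansible_variables()
    AV.setdefault('eth_ip', final_ip)
    AV.setdefault('eth_iface', 'eth0')
    AV.setdefault('eth_netmask', '24')
    AV.setdefault('eth_gateway', '192.168.1.1')
    AV.setdefault('eth_dns', '8.8.8.8')
    with fab.settings(warn_only=True):
        if static_ip:
            # appended, so running bootstrap twice adds the stanza twice
            fab.sudo(
                'echo """%s""" >> /etc/dhcpcd.conf' % eth_interface.format(**AV))
        # enable passwordless root login via ssh
        fab.sudo("""mkdir -p /root/.ssh""")
        fab.sudo("""chmod 700 /root/.ssh""")
        # authorized_keys is a data file: owner read/write, no exec bit
        fab.put(
            local_path=authorized_keys,
            remote_path='/root/.ssh/authorized_keys',
            use_sudo=True, mode='0600')
        fab.sudo("""chown root:root /root/.ssh/authorized_keys""")
    fab.reboot()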
def restart():
    """Reboot the current host (thin wrapper around fabric's ``reboot``)."""
    reboot()
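def harden(ssh_port=22):
    """Harden the server a little.

    :param ssh_port: accepted for compatibility but not used: sshd is moved
        to port 8697 unconditionally (see the ``sed`` on sshd_config below).

    Creates an admin user, restricts ``su`` to the admin group, configures
    ufw and mosh, disables root and password ssh login, applies a set of
    network sysctls, installs denyhosts/postfix/mailutils/byobu and reboots.

    Warning: We make no claim that this makes your server intruder proof.
    You should always check any system yourself and make sure that it is
    adequately secured.

    .. todo:: Make this work more gracefully if harden has been run
       previously.
    """
    # Create a user name because after we are done remote login as root will
    # be disabled. Username will match your local user.
    user = prompt('Choose a user name')
    # NOTE(review): prompt() echoes the password on the terminal
    password = prompt('Choose a password for the new user')
    create_user(user, password)
    ssh_copy_id()  # this does not work on OSX
    if not contains('/etc/group', 'admin'):
        sudo('groupadd admin')
    sudo('usermod -a -G admin %s' % user)
    # only members of admin may run su
    sudo('dpkg-statoverride --update --add root admin 4750 /bin/su')
    fabtools.deb.update_index(quiet=True)
    # Set up ufw and mosh
    fabtools.require.deb.package('ufw')
    setup_mosh()
    # "allow ssh" keeps 22 open even though sshd is moved to 8697 below;
    # kept as-is so a failed Port rewrite cannot lock the operator out
    ufw_rules = (
        'ufw default deny incoming',
        'ufw default allow outgoing',
        'ufw allow 8697',
        'ufw allow http',
        'ufw allow ssh',
        'ufw allow mosh',
        'ufw allow 25',  # mail
        'ufw allow from 127.0.0.1/32 to 78.40.125.4 port 6667',  # Irc freenode
        'ufw allow from 127.0.0.1/32 to any port 22',
        'ufw allow 443',
        'ufw allow 53/udp',  # dns
        'ufw allow 53/tcp',
        'ufw allow 1053',  # dns client
    )
    for rule in ufw_rules:
        sudo(rule)
    sshd_config = '/etc/ssh/sshd_config'
    sshd_edits = (
        ('Port 22', 'Port 8697'),
        ('PermitRootLogin yes', 'PermitRootLogin no'),
        ('#PasswordAuthentication yes', 'PasswordAuthentication no'),
        ('X11Forwarding yes', 'X11Forwarding no'),
    )
    for before, after in sshd_edits:
        sed(sshd_config, before, after, use_sudo=True)
    sudo('ufw enable')
    append_if_not_present(sshd_config, 'Banner /etc/issue.net', use_sudo=True)
    sysctl = '/etc/sysctl.conf'
    # "net.ipv4.conf.setup_env.*" in the previous version was a search-and-
    # replace accident: the interface-wide keys are "net.ipv4.conf.all.*"
    early_sysctls = (
        'net.ipv4.conf.default.rp_filter=1',
        'net.ipv4.conf.all.rp_filter=1',
        'net.ipv4.conf.all.accept_redirects = 0',
        'net.ipv4.conf.all.send_redirects = 0',
        'net.ipv4.conf.all.accept_source_route = 0',
        'net.ipv4.icmp_echo_ignore_broadcasts = 1',
        'net.ipv4.icmp_ignore_bogus_error_responses = 1',
    )
    for line in early_sysctls:
        append_if_not_present(sysctl, line, use_sudo=True)
    fabtools.require.deb.package('denyhosts')  # Must come before mailutils
    fabtools.require.postfix.server(env.host)
    fabtools.require.deb.package('mailutils')
    fabtools.require.deb.package('byobu')
    fabtools.service.restart('ssh')
    # Some hints and tips from:
    # http://www.thefanclub.co
    # .za/how-to/how-secure-ubuntu-1204-lts-server-part-1-basics
    secure_tmp = (
        'tmpfs /dev/shm tmpfs defaults,noexec,'
        'nosuid 0 0')
    append_if_not_present('/etc/fstab', secure_tmp, use_sudo=True)
    hardening_sysctls = (
        '# IP Spoofing protection',
        'net.ipv4.conf.all.rp_filter = 1',
        'net.ipv4.conf.default.rp_filter = 1',
        '# Ignore ICMP broadcast requests',
        'net.ipv4.icmp_echo_ignore_broadcasts = 1',
        '# Disable source packet routing',
        'net.ipv4.conf.all.accept_source_route = 0',
        'net.ipv6.conf.all.accept_source_route = 0',
        'net.ipv4.conf.default.accept_source_route = 0',
        'net.ipv6.conf.default.accept_source_route = 0',
        '# Ignore send redirects',
        'net.ipv4.conf.all.send_redirects = 0',
        'net.ipv4.conf.default.send_redirects = 0',
        '# Block SYN attacks',
        'net.ipv4.tcp_syncookies = 1',
        'net.ipv4.tcp_max_syn_backlog = 2048',
        'net.ipv4.tcp_synack_retries = 2',
        'net.ipv4.tcp_syn_retries = 5',
        '# Log Martians',
        'net.ipv4.conf.all.log_martians = 1',
        'net.ipv4.icmp_ignore_bogus_error_responses = 1',
        '# Ignore ICMP redirects',
        'net.ipv4.conf.all.accept_redirects = 0',
        'net.ipv6.conf.all.accept_redirects = 0',
        'net.ipv4.conf.default.accept_redirects = 0',
        'net.ipv6.conf.default.accept_redirects = 0',
        '# Ignore Directed pings',
        'net.ipv4.icmp_echo_ignore_all = 1',
    )
    for line in hardening_sysctls:
        append_if_not_present(sysctl, line, use_sudo=True)
    sudo('sysctl -p')
    reboot()
    print('You need to log in and install mailutils yourself as automated '
          'installation causes interactive prompting.')
    print('sudo apt-get install mailutils')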
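def harden(ssh_port=8697):
    """Harden the server a little.

    :param ssh_port: port sshd listens on once this task has run; it is also
        opened in ufw.  Defaults to 8697, the value this task used to
        hard-code (the parameter was previously accepted but ignored).

    Warning: We make no claim that this makes your server intruder proof.
    You should always check any system yourself and make sure that it is
    adequately secured.

    .. todo:: Make this work more gracefully if harden has been run
        previously.
    """
    import re
    from getpass import getpass

    # Create a user name because after we are done remote login as root will
    # be disabled. Username will match your local user.
    user = prompt('Choose a user name')
    # The name is interpolated into shell commands below; only accept a
    # plain login name so nothing shell-significant can get in.
    if not re.match(r'^[a-z_][a-z0-9_-]*$', user):
        raise ValueError('invalid user name: %r' % (user,))
    # getpass rather than prompt(): the password must not be echoed to the
    # terminal nor end up in Fabric's captured output.
    password = getpass('Choose a password for the new user: ')
    create_user(user, password)
    ssh_copy_id()  # this does not work on OSX
    # Only members of 'admin' may execute /bin/su (mode 4750, group admin).
    if not contains('/etc/group', 'admin'):
        sudo('groupadd admin')
    sudo('usermod -a -G admin %s' % user)
    sudo('dpkg-statoverride --update --add root admin 4750 /bin/su')
    fabtools.deb.update_index(quiet=True)

    # Set up ufw and mosh
    fabtools.require.deb.package('ufw')
    setup_mosh()
    sudo('ufw default deny incoming')
    sudo('ufw default allow outgoing')
    sudo('ufw allow %s' % ssh_port)
    sudo('ufw allow http')
    # 22/tcp is left open on purpose: if the 'Port 22' substitution below
    # does not match, sshd keeps listening on 22 and this rule avoids a
    # lock-out.
    sudo('ufw allow ssh')
    sudo('ufw allow mosh')
    sudo('ufw allow 25')  # mail
    # Irc freenode
    sudo('ufw allow from 127.0.0.1/32 to 78.40.125.4 port 6667')
    sudo('ufw allow from 127.0.0.1/32 to any port 22')
    sudo('ufw allow 443')
    sudo('ufw allow 53/udp')  # dns
    sudo('ufw allow 53/tcp')
    sudo('ufw allow 1053')  # dns client

    # sshd: move to ssh_port, no root login, keys only, no X11 forwarding.
    sshd_config = '/etc/ssh/sshd_config'
    sed(sshd_config, 'Port 22', 'Port %s' % ssh_port, use_sudo=True)
    sed(sshd_config, 'PermitRootLogin yes', 'PermitRootLogin no',
        use_sudo=True)
    sed(sshd_config, '#PasswordAuthentication yes',
        'PasswordAuthentication no', use_sudo=True)
    sed(sshd_config, 'X11Forwarding yes', 'X11Forwarding no', use_sudo=True)
    sudo('ufw enable')
    append_if_not_present(sshd_config, 'Banner /etc/issue.net', use_sudo=True)

    fabtools.require.deb.package('denyhosts')
    # Must come before mailutils
    fabtools.require.postfix.server(env.host)
    fabtools.require.deb.package('mailutils')
    fabtools.require.deb.package('byobu')
    fabtools.service.restart('ssh')

    # Some hints and tips from:
    # http://www.thefanclub.co
    # .za/how-to/how-secure-ubuntu-1204-lts-server-part-1-basics
    secure_tmp = ('tmpfs /dev/shm tmpfs defaults,noexec,'
                  'nosuid 0 0')
    append_if_not_present('/etc/fstab', secure_tmp, use_sudo=True)

    # Kernel network hardening.  Every setting is written once here; the
    # earlier, differently spaced duplicates of the same keys were dropped
    # so sysctl.conf does not accumulate two lines per setting.
    # NOTE(review): 'net.ipv4.conf.setup_env.*' is not a standard sysctl
    # namespace (the per-interface ones are 'all', 'default' and real device
    # names); confirm it is intended, otherwise 'sysctl -p' will most likely
    # report these keys as unknown and leave the interface settings unset.
    sysctl = '/etc/sysctl.conf'
    sysctl_lines = [
        '# IP Spoofing protection',
        'net.ipv4.conf.setup_env.rp_filter = 1',
        'net.ipv4.conf.default.rp_filter = 1',
        '# Ignore ICMP broadcast requests',
        'net.ipv4.icmp_echo_ignore_broadcasts = 1',
        '# Disable source packet routing',
        'net.ipv4.conf.setup_env.accept_source_route = 0',
        'net.ipv6.conf.setup_env.accept_source_route = 0',
        'net.ipv4.conf.default.accept_source_route = 0',
        'net.ipv6.conf.default.accept_source_route = 0',
        '# Ignore send redirects',
        'net.ipv4.conf.setup_env.send_redirects = 0',
        'net.ipv4.conf.default.send_redirects = 0',
        '# Block SYN attacks',
        'net.ipv4.tcp_syncookies = 1',
        'net.ipv4.tcp_max_syn_backlog = 2048',
        'net.ipv4.tcp_synack_retries = 2',
        'net.ipv4.tcp_syn_retries = 5',
        '# Log Martians',
        'net.ipv4.conf.setup_env.log_martians = 1',
        'net.ipv4.icmp_ignore_bogus_error_responses = 1',
        '# Ignore ICMP redirects',
        'net.ipv4.conf.setup_env.accept_redirects = 0',
        'net.ipv6.conf.setup_env.accept_redirects = 0',
        'net.ipv4.conf.default.accept_redirects = 0',
        'net.ipv6.conf.default.accept_redirects = 0',
        '# Ignore Directed pings',
        # Drops every echo request, not just broadcasts; monitoring that
        # relies on ping will see the host as down.
        'net.ipv4.icmp_echo_ignore_all = 1',
    ]
    for line in sysctl_lines:
        append_if_not_present(sysctl, line, use_sudo=True)
    sudo('sysctl -p')

    # NOTE(review): reboot() reconnects on the port Fabric originally used;
    # once sshd listens on ssh_port that reconnect may fail -- confirm, and
    # if so update env.port / env.host_string before rebooting.
    reboot()
    print('You need to log in and install mailutils yourself as automated '
          'installation causes interactive prompting.')
    print('sudo apt-get install mailutils')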
def reboot_system():
    """Ask the operator before rebooting.

    Reboots (reconnecting after 30 s) only when the answer, lower-cased,
    equals ``YES_ANSWER``; otherwise just reminds the operator.
    """
    question = "You have to reboot your system. Do you want to reboot now?"
    answer = prompt(question, default=YES_ANSWER)
    # presumably YES_ANSWER is itself lower-case, otherwise this can never
    # match -- verify against its definition
    if answer.lower() != YES_ANSWER:
        print("Remember to reboot manually")
        return
    reboot(wait=30)
def restart_cheifmanager():
    """Reboot the host (via sudo) without aborting the Fabric run.

    warn_only turns a non-zero exit of the reboot command into a warning
    instead of an abort.
    """
    tolerant = settings(warn_only=True)
    with tolerant:
        reboot(use_sudo=True)
def reboot():
    """Reboot the current host with ``fab.reboot()`` and its default arguments."""
    # NOTE(review): this module-level ``reboot`` takes no arguments, while
    # other functions in this file call ``reboot(wait=...)``; if those rely
    # on a star-imported fabric ``reboot`` this definition shadows it --
    # confirm which one they are meant to reach.
    return fab.reboot()
def install_termopar_paso_1():
    """Step 1 of the temperature-sensor (termopar) install.

    Installs DS18B20 support, enables the required modprobes, then reboots.
    """
    install_ds18b20()
    modprobes_enable()
    # NOTE(review): 5 s is a very short wait before reconnecting after a
    # reboot; confirm the target really comes back that fast.
    reboot(wait=5)
def run_unattended_upgrade(api, seconds_for_reboot_pause):
    """Refresh apt, apply pending unattended upgrades, then reboot via *api*.

    :param api: object exposing ``reboot(seconds)``.
    :param seconds_for_reboot_pause: passed straight through to ``api.reboot``.
    """
    sudo_apt_get('update')
    # --minimal_upgrade_steps lets unattended-upgrade split the work into
    # smaller apt runs.
    sudo('unattended-upgrade --minimal_upgrade_steps')
    api.reboot(seconds_for_reboot_pause)
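def install_infrastructure_server(publichost, admin_privkey_path, website_pubkey,
                                  leastauth_repo, la_commit_hash,
                                  secretconf_repo, sc_commit_hash,
                                  stdout, stderr):
    """
    Set up the infrastructure server at *publichost*.

    This is intended to be idempotent. Known sources of non-idempotence:
      - setup_git_deploy

    :param publichost: address of the server; the admin session runs as 'ubuntu'.
    :param admin_privkey_path: private key for the admin ('ubuntu') session.
    :param website_pubkey: public key installed for the 'website' account.
    :param leastauth_repo: repository deployed to /home/website/leastauthority.com.
    :param la_commit_hash: commit of *leastauth_repo* to deploy.
    :param secretconf_repo: repository deployed to /home/website/secret_config.
    :param sc_commit_hash: commit of *secretconf_repo* to deploy.
    :param stdout: file-like object for progress messages.
    :param stderr: file-like object handed on to create_account.
    """
    api.env.host_string = '%s@%s' % ('ubuntu', publichost)
    # Refuse a host whose SSH key is not already in known_hosts.
    api.env.reject_unknown_hosts = True
    api.env.key_filename = admin_privkey_path
    api.env.abort_on_prompts = True

    stdout.write("Updating server...\n")
    # debconf pre-seed so that installing postfix does not prompt (a prompt
    # would be turned into a failure by abort_on_prompts).  One selection per
    # line, which is the format debconf-set-selections reads.
    postfixdebconfstring = (
        "# General type of mail configuration:\n"
        "# Choices: No configuration, Internet Site, Internet with smarthost, "
        "Satellite system, Local only\n"
        "postfix postfix/main_mailer_type select No configuration")
    sudo_apt_get('update')
    sudo_apt_get('-y dist-upgrade')
    sudo_apt_get('-y autoremove')
    stdout.write("Rebooting server...\n")
    api.reboot(300)

    stdout.write("Installing dependencies...\n")
    sudo_apt_get('install -y python-dev python-setuptools git-core python-jinja2 python-nevow '
                 'python-dateutil fabric python-foolscap python-twisted-mail python-six '
                 'python-unidecode python-tz python-docutils python-markdown')
    write(postfixdebconfstring, '/home/ubuntu/postfixdebconfs.txt')
    sudo('debconf-set-selections /home/ubuntu/postfixdebconfs.txt')
    sudo_apt_get('install -y postfix')
    sudo_apt_get('install -y darcs')
    # sudo_apt_get('install -y nginx')
    # write(NGINX_CONFIG, '/etc/nginx/sites-enabled/mailman', True)
    # sudo('rm /etc/nginx/sites-enabled/default')
    # sudo('service nginx restart')

    # NOTE(review): pelican and txAWS are downloaded and then installed with
    # sudo without any integrity check on the archive; pin a checksum (or use
    # a distro package) before trusting the download.
    run('wget https://pypi.python.org/packages/source/p/pelican/pelican-3.2.2.tar.gz')
    run('tar zxf pelican-3.2.2.tar.gz')
    with cd('pelican-3.2.2'):
        sudo('python setup.py install')

    create_account('website', website_pubkey, stdout, stderr)

    # authbind lets the unprivileged 'website' user bind 80 and 443: the
    # per-port files are owned by that user and executable by it.
    sudo_apt_get('install -y authbind')
    sudo('touch /etc/authbind/byport/{443,80}')
    sudo('chown website:root /etc/authbind/byport/{443,80}')
    sudo('chmod 744 /etc/authbind/byport/{443,80}')

    run('wget -O txAWS-%s.tar.gz %s' % (INSTALL_TXAWS_VERSION, INSTALL_TXAWS_URL))
    run('tar -xzvf txAWS-%s.tar.gz' % (INSTALL_TXAWS_VERSION,))
    with cd('/home/ubuntu/txAWS-%s' % (INSTALL_TXAWS_VERSION,)):
        sudo('python ./setup.py install')

    # patch twisted to send intermediate certs, cf. https://github.com/LeastAuthority/leastauthority.com/issues/6
    sudo("sed --in-place=bak 's/[.]use_certificate_file[(]/.use_certificate_chain_file(/g' $(python -c 'import twisted, os; print os.path.dirname(twisted.__file__)')/internet/ssl.py")

    # Everything from here on runs as the 'website' user.
    set_host_and_key(publichost, admin_privkey_path, 'website')
    setup_git_deploy(publichost, '/home/website/leastauthority.com', leastauth_repo, la_commit_hash)
    setup_git_deploy(publichost, '/home/website/secret_config', secretconf_repo, sc_commit_hash)

    with cd('/home/website/'):
        if not files.exists('signup_logs'):
            run('mkdir signup_logs')
        if not files.exists('secrets'):
            run('mkdir secrets')
    with cd('/home/website/secret_config'):
        # Key material must be readable by its owner only.
        run('chmod 400 *pem')

    with cd('/home/website/leastauthority.com'):
        # FIXME: make idempotent
        # NOTE(review): this block was recovered from a collapsed listing;
        # confirm whether the 'flappserver add' step belongs inside the
        # exists() guard as well.
        if not files.exists('/home/website/leastauthority.com/flapp'):
            run('flappserver create /home/website/leastauthority.com/flapp')
        # The resulting FURL is a capability and is stored with the other
        # secrets under secret_config.
        run('flappserver add /home/website/leastauthority.com/flapp run-command --accept-stdin --send-stdout /home/website/leastauthority.com /home/website/leastauthority.com/full_signup.py | tail -1 | cut -d " " -f3 > /home/website/secret_config/signup.furl')
        run('./runsite.sh')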
def reboot(self):
    """Reboot this server, waiting 120 s before Fabric reconnects."""
    # The decorator requires this to be an instance method, so ``self`` is
    # deliberately unused.
    # pylint: disable=R0201
    wait_seconds = 120
    reboot(wait=wait_seconds)
def maintenance_reboot():
    """Reboot the machine and wait 3 minutes (180 s) before reconnecting."""
    three_minutes = 180
    reboot(wait=three_minutes)
def restart(): "Restarts the machine." reboot()
def reboot_if_needed():
    """Reboot the host only when the reboot-required marker file exists."""
    marker = "/var/run/reboot-required"
    if not exists(marker):
        return
    print("[{}] System needs Restart :".format(env.host_string))
    print("---------------------------------------------")
    reboot()
def restart_othermanagers():
    """Reboot the host (via sudo); a non-zero exit only warns (warn_only)."""
    tolerant = settings(warn_only=True)
    with tolerant:
        reboot(use_sudo=True)
def reboot_server(self):
    """Load this object's Fabric environment, then reboot the server."""
    # get_env() must run first: it is what points fabric at the right host.
    # presumably it sets env.host_string and friends -- verify in get_env.
    self.get_env()
    return reboot()
def task8(): reboot("5")
def os_reboot():
    """Reboot the operating system using fabric's default reboot settings."""
    return reboot()
def restart():
    """Reboot and allow up to 600 s for the host to come back.

    warn_only keeps a non-zero exit of the reboot command from aborting the
    Fabric run.
    """
    # NOTE(review): ``restart`` is also defined earlier in this file; this
    # later definition is the one that survives import.
    reconnect_wait = 600
    with settings(warn_only=True):
        reboot(wait=reconnect_wait)