From 25890451206aca026339e411e86485dfa454a3ba Mon Sep 17 00:00:00 2001 From: Daniel Lohin Date: Mon, 18 Jun 2018 15:37:18 -0400 Subject: [PATCH 01/14] Fixed the deprecated repo issue with the Centos repo we were pointing at. Added Jenkins file. --- Jenkinsfile | 32 ++++++++++++++++++++++++++++++++ build/online-configure.sh | 2 +- 2 files changed, 33 insertions(+), 1 deletion(-) create mode 100644 Jenkinsfile diff --git a/Jenkinsfile b/Jenkinsfile new file mode 100644 index 0000000..699feec --- /dev/null +++ b/Jenkinsfile @@ -0,0 +1,32 @@ +#!/usr/bin/groovy + +// load pipeline functions +// Requires pipeline-github-lib plugin to load library from github + +node { + def app + + + + def pwd = pwd() + def user_id = '' + wrap([$class: 'BuildUser']) { + echo "userId=${BUILD_USER_ID},fullName=${BUILD_USER},email=${BUILD_USER_EMAIL}" + user_id = "${BUILD_USER_ID}" + } + + sh "env" + + stage('Clone repository') { + /* Let's make sure we have the repository cloned to our workspace */ + checkout scm + } + + stage('Build image') { + sh "make iso" + } + + stage('Move ISO to /home/jenkins') { + sh "mv EDCOP-dev.iso /home/jenkins/" + } +} diff --git a/build/online-configure.sh b/build/online-configure.sh index fefed56..7b0e540 100755 --- a/build/online-configure.sh +++ b/build/online-configure.sh @@ -1,7 +1,7 @@ #!/bin/bash BUILDDIR=~/build ISOLINUXDIR=$BUILDDIR/isolinux -BASEURL=http://mirror.umd.edu/centos/7.4.1708/os/x86_64 +BASEURL=http://mirror.umd.edu/centos/7/ mkdir -p $ISOLINUXDIR curl -s --list-only $BASEURL/repodata/ | sed -n 's/.*href="\([^"]*comps.xml\)[^.].*/\1/p' | xargs -I% curl --create-dirs $BASEURL/repodata/% -o $BUILDDIR/comps.xml From 2f926dde4b97de9e0319d3b638d0e734d7969f8d Mon Sep 17 00:00:00 2001 From: Daniel Lohin Date: Mon, 18 Jun 2018 15:49:50 -0400 Subject: [PATCH 02/14] d --- Jenkinsfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Jenkinsfile b/Jenkinsfile index 699feec..0be380a 100644 --- a/Jenkinsfile +++ b/Jenkinsfile 
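Review bot: `sh "env"` in the new Jenkinsfile dumps the agent's complete environment into the build log, and on Jenkins that environment is where credential bindings and tokens handed to a build normally live, so the line should be removed or reduced to the few variables the pipeline actually needs, e.g. `sh 'echo "BUILD_USER_ID=$BUILD_USER_ID"'`. The `echo` of `${BUILD_USER_EMAIL}` likewise writes the triggering user's address into a log readable by everyone with access to the job. `def app` and `def pwd = pwd()` are declared and never used, and `user_id` is filled in the `wrap` block but not consumed by any of the three stages, so either the dead locals should go or the stage that was meant to use them is missing.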
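Review bot: The new `BASEURL=http://mirror.umd.edu/centos/7/` drops the `os/x86_64` component the old value carried, so the unchanged `curl -s --list-only $BASEURL/repodata/` on the next line now asks for `centos/7/repodata/`, which is not where the repository metadata is served; the value needs to end in `/os/x86_64` for the rest of the script to keep working. Separately, the metadata that seeds the ISO build is fetched over plain `http://` and `comps.xml` is used as-is, with no comparison against the checksum recorded in the repository's `repomd.xml`, so a changed or tampered mirror is never detected; switching to `https://` and verifying the downloaded file before it is used would close that gap.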
@@ -27,6 +27,6 @@ node { } stage('Move ISO to /home/jenkins') { - sh "mv EDCOP-dev.iso /home/jenkins/" + sh "mv EDCOP-dev.iso /tmp/" } } From b2495923f01055e3b305a3f86f5309d6313bf2e6 Mon Sep 17 00:00:00 2001 From: Daniel Lohin Date: Mon, 18 Jun 2018 15:57:56 -0400 Subject: [PATCH 03/14] Fixed up build --- Jenkinsfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Jenkinsfile b/Jenkinsfile index 0be380a..0ac71f2 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -26,7 +26,7 @@ node { sh "make iso" } - stage('Move ISO to /home/jenkins') { + stage('Move ISO to /tmp of the Jenkins CONTAINER') { sh "mv EDCOP-dev.iso /tmp/" } } From fe6c4e49ce168ed76e1fd808e2e64a02065dd030 Mon Sep 17 00:00:00 2001 From: Daniel Lohin Date: Tue, 19 Jun 2018 10:45:01 -0400 Subject: [PATCH 04/14] dafasdf --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 45bc5d2..00e16d6 100644 --- a/README.md +++ b/README.md @@ -132,5 +132,5 @@ EDCOP uses [Cockpit ](https://github.com/cockpit-project/cockpit) for server/clu ## Building all required packages --- -The Makefile and Dockerfile pull the necessary RPM packages from both CentOS and EDCOP repos. If you want to build/update the RPMs yourself, you can use the steps outlined in build-packages.md. +The Makefile and Dockerfile pull the necessary RPM packages from both CentOS and EDCOP repos. If you want to build/update the RPMs yourself, you can use the steps outlined in build-packages.md. From 0631e4b9fdcc149497b7aa065178291169c5b550 Mon Sep 17 00:00:00 2001 
From: Daniel Lohin Date: Sat, 7 Jul 2018 07:56:41 -0400 Subject: [PATCH 05/14] Made updates to do the following: -Created user accounts and fixed up permissions on the local file system for tools using hostpaths -Integrated Ceph/Rook into the installer -Moved all urls to sub-domains --- .DS_Store | Bin 8196 -> 8196 bytes build/online-configure.sh | 2 +- ext-packages/.DS_Store | Bin 0 -> 6148 bytes ext-packages/edcop-cockpit/.DS_Store | Bin 0 -> 6148 bytes ext-packages/edcop-cockpit/branding/.DS_Store | Bin 0 -> 6148 bytes firstboot/firstboot.sh | 34 ++ kickstarts/.DS_Store | Bin 0 -> 6148 bytes kickstarts/minion/main.ks | 16 +- kickstarts/post-chroot.ks | 2 +- kubernetes/.DS_Store | Bin 8196 -> 8196 bytes .../ingress/traefik-ingress-controller.yaml | 2 +- kubernetes/platform-apps/cockpit.yaml | 4 +- .../kubernetes-dashboard-http.yaml | 4 +- kubernetes/storage/cluster.yaml | 142 +++++++ kubernetes/storage/edcop-block.yaml | 30 ++ kubernetes/storage/nfs-provisioner.yaml | 2 - kubernetes/storage/operator.yaml | 349 ++++++++++++++++++ kubernetes/storage/rook-ingress.yaml | 18 + 18 files changed, 595 insertions(+), 10 deletions(-) create mode 100644 ext-packages/.DS_Store create mode 100644 ext-packages/edcop-cockpit/.DS_Store create mode 100644 ext-packages/edcop-cockpit/branding/.DS_Store create mode 100644 kickstarts/.DS_Store create mode 100755 kubernetes/storage/cluster.yaml create mode 100755 kubernetes/storage/edcop-block.yaml create mode 100755 kubernetes/storage/operator.yaml create mode 100644 kubernetes/storage/rook-ingress.yaml 
diff --git a/.DS_Store b/.DS_Store index 9d474e6f9dd68d10df6fcdd75773103cbbe5dae1..58e14a98f432505a9b5095d98378e936c97aa0af 100644 GIT binary patch delta 297 zcmZvWO%8%E6oiKe7EGfk8!q7;xPc2VAU{fsNR@(drwb0CG4URzcVlUMH34Gcri+`QOq{&i|#E%sIW!WGnB$a0)ZH^9qN!{jWbHj zaX?7rj^32AAIQOmbOj`V5jh0P)wF8sjrQCvIDzITJ;w= gEsH!8c}l&ZxH~kQ&iUZ3uV&N6Qp|5m_4e4{16{L6TL1t6 delta 68 zcmZp1XmOa}FUrEez`)4BAi%&-#E{33%1{Et#TyH!u}^H^-OSFx!okS0`IP`0<7Ppj XZ>$p={%>ZN_{OsNk0>|O#D+frHTe`0 diff --git a/build/online-configure.sh b/build/online-configure.sh index 7b0e540..79638fa 100755 --- a/build/online-configure.sh +++ b/build/online-configure.sh @@ -1,7 +1,7 @@ #!/bin/bash BUILDDIR=~/build ISOLINUXDIR=$BUILDDIR/isolinux -BASEURL=http://mirror.umd.edu/centos/7/ +BASEURL=http://mirror.umd.edu/centos/7/os/x86_64/ mkdir -p $ISOLINUXDIR curl -s --list-only $BASEURL/repodata/ | sed -n 's/.*href="\([^"]*comps.xml\)[^.].*/\1/p' | xargs -I% curl --create-dirs $BASEURL/repodata/% -o $BUILDDIR/comps.xml diff --git a/ext-packages/.DS_Store b/ext-packages/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..0301358275fb5e62ab069e2e261bd7aeb80fcb6d GIT binary patch literal 6148 zcmeHKyH3ME5S)b+K?o@&<^2E!e_%!73-|#9eDZwD6qJUXxZ+v?* zck&co9{^jv^|!zRz?|ubcORzV>z8c94sit_&RCA%bKE6}%?re?a7<){VJRi1)ar_1DQCSEuPYoAQx1!hxlf&JbwjZ@ zo%I%USeK|#4##^56 zwmik#w*YMYHLidqfPwCaZy)C7`|dNltB4WlJY&Qj@7Rr>Z--g--vQ?i*y01PWd7oB zkH>>=%A|l4kOERb3P^#ADp2Khc(~}PI!p>kfm=|(zYmS>*bAq`_;hfH7J#^5IE?e? zC5X)f#9lZhGD5SY5|e7xVp!4{ZNQd=AjZ#1goGWmj z%ca-A`l3oply ck(7DO=iKjwQ)18=4?0ml1Fnlq3S3)(AC@Z>b^rhX literal 0 HcmV?d00001 
diff --git a/ext-packages/edcop-cockpit/branding/.DS_Store b/ext-packages/edcop-cockpit/branding/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..7f8d6e73f148e0f7789b148e8c83f38f7b1d4100 GIT binary patch literal 6148 zcmeH~J&pn~427Thk&w2b+%nA`fEz>zPOuk1Fxw%`N{Bv3=h<~34a%#zaHMMo^<*;l%EbnaI#n7ym!wLhM)esFLAOaHt%N}q2{6ErP_5YI+ zg(4sV|BQgG4&R48Un&gsGKLUY4 Jg9yBpzyl;r6M+B# literal 0 HcmV?d00001 diff --git a/firstboot/firstboot.sh b/firstboot/firstboot.sh index 38ff876..ade9159 100644 --- a/firstboot/firstboot.sh +++ b/firstboot/firstboot.sh @@ -23,6 +23,14 @@ fi } +useradd -r -u 2000 elasticsearch +mkdir /EDCOP/bulk/esdata +chown elasticsearch:elasticsearch /EDCOP/bulk/esdata + +useradd -r -u 2001 moloch +mkdir /EDCOP/bulk/moloch/ /EDCOP/bulk/moloch/raw /EDCOP/bulk/moloch/logs +chown moloch:moloch /EDCOP/bulk/moloch/ /EDCOP/bulk/moloch/raw /EDCOP/bulk/moloch/logs + # Increase VM max map count & disable swap sysctl -w vm.max_map_count=262144 echo 'vm.max_map_count=262144' >> /etc/sysctl.conf @@ -68,6 +76,7 @@ sed -i --follow-symlinks "s//$MASTERIP/g" /EDCOP/kubernetes/pl sed -i --follow-symlinks "s//$HOSTNAME/g" /EDCOP/kubernetes/platform-apps/kubernetes-dashboard-http.yaml sed -i --follow-symlinks "s//$HOSTNAME/g" /EDCOP/kubernetes/ingress/traefik-ingress-controller.yaml sed -i --follow-symlinks "s//$HOSTNAME/g" /EDCOP/kubernetes/platform-apps/kubeapps.yaml +sed -i --follow-symlinks "s//$HOSTNAME/g" /EDCOP/kubernetes/storage/rook-ingress.yaml # # Copy configuration file to root's home directory. Add to minion deployment # This ensures that "kubectl" commands can be run by root on all systems 
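Review bot: The two service accounts created in the first `firstboot.sh` hunk (`useradd -r -u 2000 elasticsearch`, `useradd -r -u 2001 moloch`) are left with the default login shell although nothing here needs them to log in; `useradd -r -u 2000 -s /sbin/nologin elasticsearch` (and the same for `moloch`) keeps the hostpath ownership while denying interactive use. The identical block is repeated verbatim in the `kickstarts/minion/main.ks` hunk of this commit, so the UID values must be kept in sync by hand; a comment above each copy such as `# UIDs 2000/2001 must match the copy in kickstarts/minion/main.ks (hostpath ownership)` would make that dependency visible. `mkdir` without `-p` and `useradd` on an already existing account both fail on a second run; whether the script tolerates that depends on shell options set outside the hunk.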
@@ -135,6 +144,15 @@ kubectl apply --token $token -f /EDCOP/kubernetes/ingress/traefik-ingress-contro kubectl label node $(hostname | awk '{print tolower($0)}') edcop.io/nfs-storage=true kubectl apply --token $token -f /EDCOP/kubernetes/storage/nfs-provisioner.yaml +# +# Initial Persistent Volume based on Rook +# +mkdir /EDCOP/bulk/ceph +kubectl apply --token $token -f /EDCOP/kubernetes/storage/operator.yaml +kubectl apply --token $token -f /EDCOP/kubernetes/storage/cluster.yaml +kubectl apply --token $token -f /EDCOP/kubernetes/storage/rook-ingress.yaml +kubectl apply --token $token -f /EDCOP/kubernetes/storage/edcop-block.yaml + # # Create the Kubernetes Dashboard (already in nginx proxy as https:///dashboard) @@ -152,3 +170,19 @@ kubectl apply --token $token -f /EDCOP/kubernetes/platform-apps/cockpit.yaml kubectl apply --token $token -f /EDCOP/kubernetes/platform-apps/kubeapps.yaml + +openssl genrsa -out /root/edcop_wild.key 2048 +openssl req -new -sha256 -key /root/edcop_wild.key -out /root/edcop_wild.csr -subj "/C=US/ST=MD/L=Columbia/O=EDCOP/CN=*.$HOSTNAME" + +openssl x509 -req -days 3650 -in /root/edcop_wild.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out /root/edcop_wild.crt -sha256 + +#make cn wild card + +kubectl create secret tls --cert=/root/edcop_wild.crt --key=/root/edcop_wild.key -n kube-system edcop-wild +kubectl create secret tls --cert=/root/edcop_wild.crt --key=/root/edcop_wild.key -n default edcop-wild + +update-ca-trust force-enable +cp /etc/kubernetes/pki/ca.crt /etc/pki/ca-trust/source/anchors/ +update-ca-trust extract + + 
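Review bot: `openssl genrsa -out /root/edcop_wild.key 2048` in the last hunk writes the wildcard private key with whatever the current umask allows and nothing afterwards tightens it, so the key behind every `*.$HOSTNAME` front end may be readable by more than root; run the block under `umask 077` or add `chmod 600 /root/edcop_wild.key` before `kubectl create secret tls` reads it. The CSR carries only `CN=*.$HOSTNAME` and the `x509 -req` step adds no subjectAltName, so browsers that ignore CN will reject the certificate; the SAN has to be supplied at signing time via an `-extfile` containing `subjectAltName=DNS:*.$HOSTNAME,DNS:$HOSTNAME`. Signing with `/etc/kubernetes/pki/ca.key` and then installing `ca.crt` as a system trust anchor makes the cluster CA, whose key lives on this host, trusted for all host-level TLS as well; a separate CA for the web front ends would keep the two trust domains apart. The `#make cn wild card` comment sits after the step it describes and should move above the `-subj` line.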
diff --git a/kickstarts/.DS_Store b/kickstarts/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..884c6dd51047c291ded7b1106585594f16784e73 GIT binary patch literal 6148 zcmeHKISv9b4733uBpOP}e1RWC2wuPk5YQk2TOj(aco$D&d=#LC4hqm%awc&+i894{ zEh0L<>}Dbp5gEY^6^$E}G4U=FOTNiu&z1zj(T64dh4#sKB!V{a8+{{x9Kg z`u}GVS5$xs{FMSaSgaOvJSl5y=W$kR3w#Z?oEzK>bEjbNat!oxjD?lssV7BVu{ri@ VVjJjm#GMZ0&w%MdqXOSn;10FC6`%kB literal 0 HcmV?d00001 diff --git a/kickstarts/minion/main.ks b/kickstarts/minion/main.ks index 3dfcd80..8aa346c 100644 --- a/kickstarts/minion/main.ks +++ b/kickstarts/minion/main.ks @@ -154,7 +154,7 @@ EOF cat < edcop-master.local master" >> /etc/hosts sed -i "/localhost/ s/$/ $(hostname)/" /etc/hosts +useradd -r -u 2000 elasticsearch +mkdir /EDCOP/bulk/esdata +chown elasticsearch:elasticsearch /EDCOP/bulk/esdata + +useradd -r -u 2001 moloch +mkdir /EDCOP/bulk/moloch/ /EDCOP/bulk/moloch/raw /EDCOP/bulk/moloch/logs +chown moloch:moloch /EDCOP/bulk/moloch/ /EDCOP/bulk/moloch/raw /EDCOP/bulk/moloch/logs + + +mkdir /EDCOP/bulk/ceph + + %end + + diff --git a/kickstarts/post-chroot.ks b/kickstarts/post-chroot.ks index 0dd2afa..358e021 100644 --- a/kickstarts/post-chroot.ks +++ b/kickstarts/post-chroot.ks 
@@ -81,7 +81,7 @@ cat <1_}DPWn>1s5wQSVCJ04WhWTRj8m;wx#7F?d;9~6J}@X&g?Ew zO8TZz@y#0=6EzwM8ht>FxAIys)|U!t>V>y)2CB#hHcZcyr$5G2l4Ah~`>-9O)%@tiUw70r$#yMe=t}e(G zeAn&s1Ba*CI~3Z-LT;O38rm25g|J&B8`kw=VDGjmms7HPC}S|>(3Ct-hkEYjCCL>l z*R1Qy5yi9Eu`k_Gtx$vqF+=F^0{}KLAYzw_M+)~mK(-iuHR}|wxuXabA=eq={x1A z+MI5UlnPtM+F1|V$wp{Tjj_}01$K^|XBXH9>~r=dn`Bqm&+Iq$JNuLU#r{SDRhWnQ zsDpt%Xv$6y!@dwG7G>&$1;+gByIJs^6wg&CN8<)mE z+|2LoqQ$o~EJ>|gy|%sco~={&e%hVBhKyG;P!LZtOE9j&D9Li8acNU>nRe@Jdt-n& zY9CWL(e#?hrpBelirbP&ol{K_!`f9zjrM{n25VN4EkPEZR$G^BQ;G3m_!X{X|Ut2aNbxi$%oH6~xYU z*o6Cto!#ic1K36U%%C3wI7l2diKR!0qaJ)5!*Pt^Bu?S+h^eRX9G=IEID?n*2HwP5 zIE!;Qj|=z^AK_zsf-mqDzMjU_9n-k_{Y? z|K}hw@seW%<_-d=?#c9Y(RyclGV)qGMaKvoym7w?DMbi%q8ukF%5joWIWBxt#?DlK$@YMI>`+L7r@*_qt} zwWNj^G{I<$x99_2qCW7V2}FI+7%z!IgE2NC66MLn_+sMqLF45=b7mXbvc8a*Cd^6B z`Oo=pXa9e`GbjHnV+<_?J;hiJV@#sXsXCvAt28d>eMXA}oC=~Kd&V?2z>MsOJDjy< zXork217QZj41^g7GZ1EAHe`VAY~G|Y_r8#ZW0-+31J`8+`1>J2ozrwc#|8CY9W?kQ z08w57_>JaN2lzILfTjaFE~sxxK1KC_z!X7=0bx$^1Xm}T4(Pa`!kj^vGXy&$s8HbV zPId`jogpn~IEEPrGcYp){P@gcF7uef@>kaHPL?F+v%{9@dJPR15t&m_Id`5UQ(GY4 z-#zGzbbFdta9gzeet%`^MmCuDIF26@$9UVDYTSo^ix0IhrEM z>~o#G*Xld#SJi@R>@vugSv1ifFPt5v{3R zvhTxMM!o?aTC9AI7bBItNOdFLZN!8`umX@xd~{m6c2f3m;XKVXm%MJ?*E z3Q4TS9axWMY{VwC<38*{H~KLM6Ng~oFpgmqV>pfzIEBaY1fImRIE|O^3SPw-oW(i3 zgLm;EKEvm@fG=68{))_v%#SGI*G5WM?8y=me^Kw3X20Kk}&%7AHZ8 z?8lSV?eg#Aa+Guy&vmJFo{C?8AQa!N35)_CW%!ha!&PD1r9`9>GaGipTI2o+ju% zhv)G!LH9MhjyLco-tr;*Ha;K-e}s?m34!<`zL^Hu&Z&^aw=*GI?9SVkV-Jv|1oWv! z;p!SQFh|(e@cMsi`S1VNxJzgrW+2SKY|a2G+Pd3X=oglI&qhd=pniZlZ(MI&P~U_G ouEP0#IZkx)4?~(K0$Dns diff --git a/kubernetes/ingress/traefik-ingress-controller.yaml b/kubernetes/ingress/traefik-ingress-controller.yaml index 4af4406..e3bb462 100644 --- a/kubernetes/ingress/traefik-ingress-controller.yaml +++ b/kubernetes/ingress/traefik-ingress-controller.yaml @@ -162,4 +162,4 @@ spec: serviceName: traefik-web-ui servicePort: 80 tls: - - secretName: edcop-tls + - secretName: edcop-wild 
diff --git a/kubernetes/platform-apps/cockpit.yaml b/kubernetes/platform-apps/cockpit.yaml index 898819f..152cce0 100644 --- a/kubernetes/platform-apps/cockpit.yaml +++ b/kubernetes/platform-apps/cockpit.yaml @@ -36,10 +36,10 @@ metadata: traefik.frontend.redirect.entryPoint: https spec: rules: - - host: + - host: admin. http: paths: - - path: /admin + - path: / backend: serviceName: cockpit servicePort: 9090 diff --git a/kubernetes/platform-apps/kubernetes-dashboard-http.yaml b/kubernetes/platform-apps/kubernetes-dashboard-http.yaml index 99d6eac..1449e5d 100644 --- a/kubernetes/platform-apps/kubernetes-dashboard-http.yaml +++ b/kubernetes/platform-apps/kubernetes-dashboard-http.yaml @@ -171,10 +171,10 @@ metadata: traefik.frontend.rule.type: PathPrefixStrip spec: rules: - - host: + - host: kubernetes. http: paths: - - path: /kubernetes-ui + - path: / backend: serviceName: kubernetes-dashboard servicePort: 80 diff --git a/kubernetes/storage/cluster.yaml b/kubernetes/storage/cluster.yaml new file mode 100755 index 0000000..fd86501 --- /dev/null +++ b/kubernetes/storage/cluster.yaml 
@@ -0,0 +1,142 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: rook-ceph +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: rook-ceph-cluster + namespace: rook-ceph +--- +kind: Role +apiVersion: rbac.authorization.k8s.io/v1beta1 +metadata: + name: rook-ceph-cluster + namespace: rook-ceph +rules: +- apiGroups: [""] + resources: ["configmaps"] + verbs: [ "get", "list", "watch", "create", "update", "delete" ] +--- +# Allow the operator to create resources in this cluster's namespace +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1beta1 +metadata: + name: rook-ceph-cluster-mgmt + namespace: rook-ceph +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: rook-ceph-cluster-mgmt +subjects: +- kind: ServiceAccount + name: rook-ceph-system + namespace: rook-ceph-system +--- +# Allow the pods in this namespace to work with configmaps +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1beta1 +metadata: + name: rook-ceph-cluster + namespace: rook-ceph +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: rook-ceph-cluster +subjects: +- kind: ServiceAccount + name: rook-ceph-cluster + namespace: rook-ceph +--- +apiVersion: ceph.rook.io/v1alpha1 +kind: Cluster +metadata: + name: rook-ceph + namespace: rook-ceph +spec: + # The path on the host where configuration files will be persisted. If not specified, a kubernetes emptyDir will be created (not recommended). + # Important: if you reinstall the cluster, make sure you delete this directory from each host or else the mons will fail to start on the new cluster. + # In Minikube, the '/data' directory is configured to persist across reboots. Use "/data/rook" in Minikube environment. 
+ dataDirHostPath: /EDCOP/bulk/ceph + # The service account under which to run the daemon pods in this cluster if the default account is not sufficient (OSDs) + serviceAccount: rook-ceph-cluster + # set the amount of mons to be started + mon: + count: 3 + allowMultiplePerNode: true + # enable the ceph dashboard for viewing cluster status + dashboard: + enabled: true + network: + # toggle to use hostNetwork + hostNetwork: false + # To control where various services will be scheduled by kubernetes, use the placement configuration sections below. + # The example under 'all' would have all services scheduled on kubernetes nodes labeled with 'role=storage' and + # tolerate taints with a key of 'storage-node'. +# placement: +# all: +# nodeAffinity: +# requiredDuringSchedulingIgnoredDuringExecution: +# nodeSelectorTerms: +# - matchExpressions: +# - key: role +# operator: In +# values: +# - storage-node +# podAffinity: +# podAntiAffinity: +# tolerations: +# - key: storage-node +# operator: Exists +# The above placement information can also be specified for mon, osd, and mgr components +# mon: +# osd: +# mgr: + resources: +# The requests and limits set here, allow the mgr pod to use half of one CPU core and 1 gigabyte of memory +# mgr: +# limits: +# cpu: "500m" +# memory: "1024Mi" +# requests: +# cpu: "500m" +# memory: "1024Mi" +# The above example requests/limits can also be added to the mon and osd components +# mon: +# osd: + storage: # cluster level storage configuration and selection + useAllNodes: true + useAllDevices: false + deviceFilter: + location: + config: + # The default and recommended storeType is dynamically set to bluestore for devices and filestore for directories. + # Set the storeType explicitly only if it is required not to use the default. 
+ # storeType: bluestore + databaseSizeMB: "1024" # this value can be removed for environments with normal sized disks (100 GB or larger) + journalSizeMB: "1024" # this value can be removed for environments with normal sized disks (20 GB or larger) +# Cluster level list of directories to use for storage. These values will be set for all nodes that have no `directories` set. +# directories: +# - path: /rook/storage-dir +# Individual nodes and their config can be specified as well, but 'useAllNodes' above must be set to false. Then, only the named +# nodes below will be used as storage resources. Each node's 'name' field should match their 'kubernetes.io/hostname' label. +# nodes: +# - name: "172.17.4.101" +# directories: # specific directories to use for storage can be specified for each node +# - path: "/rook/storage-dir" +# resources: +# limits: +# cpu: "500m" +# memory: "1024Mi" +# requests: +# cpu: "500m" +# memory: "1024Mi" +# - name: "172.17.4.201" +# devices: # specific devices to use for storage can be specified for each node +# - name: "sdb" +# - name: "sdc" +# config: # configuration can be specified at the node level which overrides the cluster level config +# storeType: filestore +# - name: "172.17.4.301" +# deviceFilter: "^sd." diff --git a/kubernetes/storage/edcop-block.yaml b/kubernetes/storage/edcop-block.yaml new file mode 100755 index 0000000..162d14f --- /dev/null +++ b/kubernetes/storage/edcop-block.yaml 
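Review bot: `mon: count: 3` combined with `allowMultiplePerNode: true` lets all three monitors be scheduled on one node, so on the single-node installs this installer documents the quorum has no fault tolerance while still running three mon pods; a comment beside the setting, e.g. `# allowMultiplePerNode: true is for single-node installs; set false once minions exist so the quorum spreads across nodes`, would record the intent. `dashboard: enabled: true` starts the Ceph mgr dashboard that `rook-ingress.yaml` in this commit publishes, so a pointer to that file here helps the next reader. The Role and RoleBindings use `rbac.authorization.k8s.io/v1beta1`, consistent with `operator.yaml` in the same commit but the deprecated version of that API.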
@@ -0,0 +1,30 @@ +apiVersion: ceph.rook.io/v1alpha1 +kind: Pool +metadata: + name: replicapool + namespace: rook-ceph +spec: + replicated: + size: 1 + # For an erasure-coded pool, comment out the replication size above and uncomment the following settings. + # Make sure you have enough OSDs to support the replica size or erasure code chunks. + #erasureCoded: + # dataChunks: 2 + # codingChunks: 1 +--- +apiVersion: storage.k8s.io/v1 +kind: StorageClass +metadata: + name: edcop-block + annotations: + storageclass.beta.kubernetes.io/is-default-class: "true" +provisioner: ceph.rook.io/block + +parameters: + pool: replicapool + # Specify the namespace of the rook cluster from which to create volumes. + # If not specified, it will use `rook` as the default namespace of the cluster. + # This is also the namespace where the cluster will be + clusterNamespace: rook-ceph + # Specify the filesystem type of the volume. If not specified, it will use `ext4`. + # fstype: ext4 diff --git a/kubernetes/storage/nfs-provisioner.yaml b/kubernetes/storage/nfs-provisioner.yaml index 914a64e..837fddd 100644 --- a/kubernetes/storage/nfs-provisioner.yaml +++ b/kubernetes/storage/nfs-provisioner.yaml @@ -88,8 +88,6 @@ apiVersion: storage.k8s.io/v1 metadata: name: edcop-nfs namespace: kube-system - annotations: - storageclass.beta.kubernetes.io/is-default-class: "true" provisioner: edcop.io/nfs --- kind: DaemonSet diff --git a/kubernetes/storage/operator.yaml b/kubernetes/storage/operator.yaml new file mode 100755 index 0000000..5f6c12f --- /dev/null +++ b/kubernetes/storage/operator.yaml 
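Review bot: `replicated: size: 1` on the `replicapool` Pool keeps a single copy of each object, and the `edcop-block` StorageClass in the same hunk carries `storageclass.beta.kubernetes.io/is-default-class: "true"`, so every PVC that names no class lands on storage with no redundancy and the loss of one OSD loses the volume. If that is the deliberate trade-off for single-node installs, a comment on the pool such as `# size: 1 = no replication; raise to 2 or 3 once more than one OSD/node is available` should say so. The `nfs-provisioner.yaml` hunk removing the same annotation from `edcop-nfs` confirms this class now takes over as the default, which is worth stating in that file too.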
@@ -0,0 +1,349 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: rook-ceph-system +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: clusters.ceph.rook.io +spec: + group: ceph.rook.io + names: + kind: Cluster + listKind: ClusterList + plural: clusters + singular: cluster + shortNames: + - rcc + scope: Namespaced + version: v1alpha1 +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: filesystems.ceph.rook.io +spec: + group: ceph.rook.io + names: + kind: Filesystem + listKind: FilesystemList + plural: filesystems + singular: filesystem + shortNames: + - rcfs + scope: Namespaced + version: v1alpha1 +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: objectstores.ceph.rook.io +spec: + group: ceph.rook.io + names: + kind: ObjectStore + listKind: ObjectStoreList + plural: objectstores + singular: objectstore + shortNames: + - rco + scope: Namespaced + version: v1alpha1 +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: pools.ceph.rook.io +spec: + group: ceph.rook.io + names: + kind: Pool + listKind: PoolList + plural: pools + singular: pool + shortNames: + - rcp + scope: Namespaced + version: v1alpha1 +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: volumes.rook.io +spec: + group: rook.io + names: + kind: Volume + listKind: VolumeList + plural: volumes + singular: volume + shortNames: + - rv + scope: Namespaced + version: v1alpha2 +--- +# The cluster role for managing all the cluster-specific resources in a namespace +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: rook-ceph-cluster-mgmt + labels: + operator: rook + storage-backend: ceph +rules: +- apiGroups: + - "" + resources: + - secrets + - pods + - services + - configmaps + verbs: + - get + - list + - watch + - patch + - create + - update + - 
delete +- apiGroups: + - extensions + resources: + - deployments + - daemonsets + - replicasets + verbs: + - get + - list + - watch + - create + - update + - delete +--- +# The role for the operator to manage resources in the system namespace +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: Role +metadata: + name: rook-ceph-system + namespace: rook-ceph-system + labels: + operator: rook + storage-backend: ceph +rules: +- apiGroups: + - "" + resources: + - pods + - configmaps + verbs: + - get + - list + - watch + - patch + - create + - update + - delete +- apiGroups: + - extensions + resources: + - daemonsets + verbs: + - get + - list + - watch + - create + - update + - delete +--- +# The cluster role for managing the Rook CRDs +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: rook-ceph-global + labels: + operator: rook + storage-backend: ceph +rules: +- apiGroups: + - "" + resources: + # Pod access is needed for fencing + - pods + # Node access is needed for determining nodes where mons should run + - nodes + - nodes/proxy + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - events + # PVs and PVCs are managed by the Rook provisioner + - persistentvolumes + - persistentvolumeclaims + verbs: + - get + - list + - watch + - patch + - create + - update + - delete +- apiGroups: + - storage.k8s.io + resources: + - storageclasses + verbs: + - get + - list + - watch +- apiGroups: + - ceph.rook.io + resources: + - "*" + verbs: + - "*" +- apiGroups: + - rook.io + resources: + - "*" + verbs: + - "*" +--- +# The rook system service account used by the operator, agent, and discovery pods +apiVersion: v1 +kind: ServiceAccount +metadata: + name: rook-ceph-system + namespace: rook-ceph-system + labels: + operator: rook + storage-backend: ceph +--- +# Grant the operator, agent, and discovery agents access to resources in the rook-ceph-system namespace +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1beta1 
+metadata: + name: rook-ceph-system + namespace: rook-ceph-system + labels: + operator: rook + storage-backend: ceph +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: rook-ceph-system +subjects: +- kind: ServiceAccount + name: rook-ceph-system + namespace: rook-ceph-system +--- +# Grant the rook system daemons cluster-wide access to manage the Rook CRDs, PVCs, and storage classes +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1beta1 +metadata: + name: rook-ceph-global + namespace: rook-ceph-system + labels: + operator: rook + storage-backend: ceph +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: rook-ceph-global +subjects: +- kind: ServiceAccount + name: rook-ceph-system + namespace: rook-ceph-system +--- +# The deployment for the rook operator +apiVersion: apps/v1beta1 +kind: Deployment +metadata: + name: rook-ceph-operator + namespace: rook-ceph-system + labels: + operator: rook + storage-backend: ceph +spec: + replicas: 1 + template: + metadata: + labels: + app: rook-ceph-operator + spec: + serviceAccountName: rook-ceph-system + containers: + - name: rook-ceph-operator + image: rook/ceph:master + args: ["ceph", "operator"] + volumeMounts: + - mountPath: /var/lib/rook + name: rook-config + - mountPath: /etc/ceph + name: default-config-dir + env: + # To disable RBAC, uncomment the following: + # - name: RBAC_ENABLED + # value: "false" + # Rook Agent toleration. Will tolerate all taints with all keys. + # Choose between NoSchedule, PreferNoSchedule and NoExecute: + # - name: AGENT_TOLERATION + # value: "NoSchedule" + # (Optional) Rook Agent toleration key. Set this to the key of the taint you want to tolerate + # - name: AGENT_TOLERATION_KEY + # value: "" + # Set the path where the Rook agent can find the flex volumes + # - name: FLEXVOLUME_DIR_PATH + # value: "" + # Rook Discover toleration. Will tolerate all taints with all keys. 
+ # Choose between NoSchedule, PreferNoSchedule and NoExecute: + # - name: DISCOVER_TOLERATION + # value: "NoSchedule" + # (Optional) Rook Discover toleration key. Set this to the key of the taint you want to tolerate + # - name: DISCOVER_TOLERATION_KEY + # value: "" + # Allow rook to create multiple file systems. Note: This is considered + # an experimental feature in Ceph as described at + # http://docs.ceph.com/docs/master/cephfs/experimental-features/#multiple-filesystems-within-a-ceph-cluster + # which might cause mons to crash as seen in https://github.com/rook/rook/issues/1027 + - name: ROOK_ALLOW_MULTIPLE_FILESYSTEMS + value: "false" + # The logging level for the operator: INFO | DEBUG + - name: ROOK_LOG_LEVEL + value: "INFO" + # The interval to check if every mon is in the quorum. + - name: ROOK_MON_HEALTHCHECK_INTERVAL + value: "45s" + # The duration to wait before trying to failover or remove/replace the + # current mon with a new mon (useful for compensating flapping network). + - name: ROOK_MON_OUT_TIMEOUT + value: "300s" + # Whether to start pods as privileged that mount a host path, which includes the Ceph mon and osd pods. + # This is necessary to workaround the anyuid issues when running on OpenShift. + # For more details see https://github.com/rook/rook/issues/1314#issuecomment-355799641 + - name: ROOK_HOSTPATH_REQUIRES_PRIVILEGED + value: "false" + # The name of the node to pass with the downward API + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + # The pod name to pass with the downward API + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + # The pod namespace to pass with the downward API + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + volumes: + - name: rook-config + emptyDir: {} + - name: default-config-dir + emptyDir: {} \ No newline at end of file 
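Review bot: `image: rook/ceph:master` in the `rook-ceph-operator` Deployment pulls a floating tag, so what actually runs (and which CRD versions it expects) changes with every rebuild of that image and cannot be reproduced or audited later; pin it to a released version, e.g. `image: rook/ceph:<pinned-release>`, and keep the tag in step with the `ceph.rook.io/v1alpha1` resources that depend on it. The `rook-ceph-global` ClusterRole grants `"*"` verbs on `"*"` resources in `ceph.rook.io` and `rook.io`; that mirrors the upstream manifest, but a one-line comment saying it is intentional for the operator would stop a later reviewer from narrowing it blindly. `apps/v1beta1` for the Deployment and `rbac.authorization.k8s.io/v1beta1` for the roles are deprecated API versions that newer clusters refuse.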
diff --git a/kubernetes/storage/rook-ingress.yaml b/kubernetes/storage/rook-ingress.yaml new file mode 100644 index 0000000..beedd60 --- /dev/null +++ b/kubernetes/storage/rook-ingress.yaml @@ -0,0 +1,18 @@ +apiVersion: extensions/v1beta1 +kind: Ingress +metadata: + name: rook-ingress + namespace: rook-ceph + annotations: + kubernetes.io/ingress.class: traefik + # ingress.kubernetes.io/auth-type: "basic" + # ingress.kubernetes.io/auth-secret: "ingress-auth" +spec: + rules: + - host: ceph. + http: + paths: + - path: / + backend: + serviceName: rook-ceph-mgr-dashboard + servicePort: 7000 \ No newline at end of file From 97b3c8db50b1ab4667936127096c275e7b38ec59 Mon Sep 17 00:00:00 2001 From: dlohin Date: Mon, 9 Jul 2018 10:07:32 -0400 Subject: [PATCH 06/14] Update online-configure.sh --- build/online-configure.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build/online-configure.sh b/build/online-configure.sh index 79638fa..fefed56 100755 --- a/build/online-configure.sh +++ b/build/online-configure.sh @@ -1,7 +1,7 @@ #!/bin/bash BUILDDIR=~/build ISOLINUXDIR=$BUILDDIR/isolinux -BASEURL=http://mirror.umd.edu/centos/7/os/x86_64/ +BASEURL=http://mirror.umd.edu/centos/7.4.1708/os/x86_64 mkdir -p $ISOLINUXDIR curl -s --list-only $BASEURL/repodata/ | sed -n 's/.*href="\([^"]*comps.xml\)[^.].*/\1/p' | xargs -I% curl --create-dirs $BASEURL/repodata/% -o $BUILDDIR/comps.xml From 7ed1bfa24b8b1ff083e2ae6de40623e777b641a8 Mon Sep 17 00:00:00 2001 
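Review bot: `rook-ingress` publishes the Ceph mgr dashboard (`rook-ceph-mgr-dashboard`, port 7000) at `ceph.<host>` with both `ingress.kubernetes.io/auth-type` and `auth-secret` commented out and no `tls:` section, so unlike `cockpit.yaml` in this commit it has neither authentication at the edge nor the `traefik.frontend.redirect.entryPoint: https` annotation, and the storage dashboard is reachable over plain HTTP by anyone who can reach the ingress. At minimum add the redirect annotation and a `tls:` block with `- secretName: edcop-wild` as `traefik-ingress-controller.yaml` does (note `firstboot.sh` creates that secret only in `kube-system` and `default`, so a copy in `rook-ceph` is needed), and enable the auth annotations with a real secret. If the commented lines are meant as a to-do, say so in place: `# TODO: enable basic auth before exposing this outside the admin network`.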
From: Daniel Lohin Date: Wed, 11 Jul 2018 09:27:47 -0400 Subject: [PATCH 07/14] Updated documentation, fixed traefik --- .DS_Store | Bin 8196 -> 10244 bytes docs/installation_guide.rst | 63 +++++++++++------- ext-packages/.DS_Store | Bin 6148 -> 0 bytes ext-packages/edcop-cockpit/.DS_Store | Bin 6148 -> 0 bytes ext-packages/edcop-cockpit/branding/.DS_Store | Bin 6148 -> 0 bytes firstboot/firstboot.sh | 1 + kickstarts/post-chroot.ks | 2 +- kubernetes/.DS_Store | Bin 8196 -> 0 bytes .../ingress/traefik-ingress-controller.yaml | 4 +- kubernetes/storage/.DS_Store | Bin 6148 -> 0 bytes kubernetes/storage/operator.yaml | 11 +++ 11 files changed, 53 insertions(+), 28 deletions(-) delete mode 100644 ext-packages/.DS_Store delete mode 100644 ext-packages/edcop-cockpit/.DS_Store delete mode 100644 ext-packages/edcop-cockpit/branding/.DS_Store delete mode 100644 kubernetes/.DS_Store delete mode 100644 kubernetes/storage/.DS_Store 
diff --git a/.DS_Store b/.DS_Store index 58e14a98f432505a9b5095d98378e936c97aa0af..ef9379fce3bd498d16afc28ef560fedb06b6ea50 100644 GIT binary patch delta 1459 zcmeH{TTC2P7{|Xqv~Z5F>{-fQW(%^E(ju&Ox0cI7FAIfUs9NfRP+Oz3J5!l-FR(M) z6)4gsG`@%tMjxz3V;WyHX+o+|W1{hzT2nO!H75F?FFqQLMtw1!oi)Y>`{fA2gth8|P3OlK(mVReWGfo-0=46y+rH!!@C4GNhmru?4-u8BdkD1btP#JfW z@U5JWoxaP+YQmHrN~WSaxiX$slX_ZcoHh`G7JPC}e?;}VBD>NY3I+ueR~d7{ zt!*-_kQ7;I1t`2DC@WPaDxEO6gGZUyLdO3q{N1DHpcsz1hOcq%IUp4&OH?| zF36dCur0_17-y~V_A-F6teVmP#&JU!&(n+aI=xTVB!tiD8~ToZpx;2Kf`AWx1hE-S z*oJm=pcCN{bfE_^^r0U^7{);yk~|U^!#$Y5amgd)@R-63@~}{lT+ZRVgmM9oNGz+c z@dTcfST5N<|Mn}_OS>Cae)rT>t)2SmdiOQ*rw%&(QUyYW~: This will point to the network address of the master server -- apps.: This will also point to the master and be used for the EDCOP marketplace. -- minion addresses: This can be setup after the minions are built. It is reccomended to load balance traffic to the minions if possible. In this case, a VIP would be created on a load balancer and then forward requests down to the minions in a round robin fashion. Building ISO image 
@@ -123,20 +128,21 @@ Accessing Cockpit If you have configured the DNS entry correctly, then Cockpit should be available at this point. Open a web browser and go to: -https:///admin/ +https://admin./ -(Note that the trailing slash is important) Logon with root as the user and the password you set earlier Building the Minions ==================== +Once the master is successfully running, minions can be PXE booted off of the main system. This is not needed on single node deployments. + Boot off of the PXE Interface in startup (see system manual for this process) If the PXE is configured correctly, an Install the Expandable DCO Platform (EDCOP) option will be displayed, select Enter -After the installation process is completed and the system reboots. Access cockpit and select Cluster -> Nodes and your new node should appear here after a bit. +After the installation process is completed and the system reboots. Access cockpit and select Cluster -> Nodes and your new node should appear here after a bit and the status should be set to ready. From the command line, it is also possible to do this from the command line on the master using: 
@@ -150,39 +156,46 @@ Labeling nodes NOTE: This section will need to change when more granular roles are configured -Nodes must be given roles in order to take certain tasks. In the Helm charts there are often options to select NodeSelectors. Log on to the master node and run the command: +Nodes must be given roles in order to take certain tasks. For mid to large scale deployments it is best to not label the master with these and instead focus on the minions. For single node and very small deployments it is possible to apply these to the master. In the Helm charts there are often options to select NodeSelectors. Log on to the master node and run the command: .. code-block:: bash - kubectl label node nodetype=worker + kubectl label node nodetype=worker + kubectl label node sensor=true + kubectl label node data=true + kubectl label node infrastructure=true + kubectl label node ingest=true + +For single node deployments it is necessarry to apply all these labels to the master node. For multiple node deployments it is possible to choose which nodes take certain roles. -This process will be repeated for each node. -Datastorage workaround +Verifying installation ====================== -This is temporary fix in the prototype. -On the master and all minions run: +After a few minutes all the pods should be either in a "running" or "completed" state. To verify these have come up, run the command. .. code-block:: bash + + kubectl get pods --all-namespaces + + + +Accessing other Services +======================== + +EDCOP has deployed a number of internal web inferfaces automatically for you. To view these: + +https://admin./ +https://kubernetes./ +https://loadbalancer./ +https://apps./ +https://ceph./ - mkdir /EDCOP/bulk/esdata - chmod 777 /EDCOP/bulk/esdata -Configuring Nodes -================= -An application called host-setup will need to be run in order to configure all the interfaces and neworks. -Go to apps. -#. Select Deploy one -#. Select Host-setup -#. 
Select Deploy using Helm -View the Optimization Guide for how to configure interfaces. If this is EDCOP supported hardware this process will have been done for you. -#. Enter in a name such as hostsetup -#. Select Submit diff --git a/ext-packages/.DS_Store b/ext-packages/.DS_Store deleted file mode 100644 index 0301358275fb5e62ab069e2e261bd7aeb80fcb6d..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 6148 zcmeHKyH3ME5S)b+K?o@&<^2E!e_%!73-|#9eDZwD6qJUXxZ+v?* zck&co9{^jv^|!zRz?|ubcORzV>z8c94sit_&RCA%bKE6}%?re?a7<){VJRi1)ar_1DQCSEuPYoAQx1!hxlf&JbwjZ@ zo%I%USeK|#4##^56 zwmik#w*YMYHLidqfPwCaZy)C7`|dNltB4WlJY&Qj@7Rr>Z--g--vQ?i*y01PWd7oB zkH>>=%A|l4kOERb3P^#ADp2Khc(~}PI!p>kfm=|(zYmS>*bAq`_;hfH7J#^5IE?e? zC5X)f#9lZhGD5SY5|e7xVp!4{ZNQd=AjZ#1goGWmj z%ca-A`l3oply ck(7DO=iKjwQ)18=4?0ml1Fnlq3S3)(AC@Z>b^rhX diff --git a/ext-packages/edcop-cockpit/branding/.DS_Store b/ext-packages/edcop-cockpit/branding/.DS_Store deleted file mode 100644 index 7f8d6e73f148e0f7789b148e8c83f38f7b1d4100..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 6148 zcmeH~J&pn~427Thk&w2b+%nA`fEz>zPOuk1Fxw%`N{Bv3=h<~34a%#zaHMMo^<*;l%EbnaI#n7ym!wLhM)esFLAOaHt%N}q2{6ErP_5YI+ zg(4sV|BQgG4&R48Un&gsGKLUY4 Jg9yBpzyl;r6M+B# diff --git a/firstboot/firstboot.sh b/firstboot/firstboot.sh index ade9159..a2fd820 100644 --- a/firstboot/firstboot.sh +++ b/firstboot/firstboot.sh @@ -180,6 +180,7 @@ openssl x509 -req -days 3650 -in /root/edcop_wild.csr -CA /etc/kubernetes/pki/ca kubectl create secret tls --cert=/root/edcop_wild.crt --key=/root/edcop_wild.key -n kube-system edcop-wild kubectl create secret tls --cert=/root/edcop_wild.crt --key=/root/edcop_wild.key -n default edcop-wild +kubectl create secret tls --cert=/root/edcop_wild.crt --key=/root/edcop_wild.key -n kubeapps edcop-wild update-ca-trust force-enable cp /etc/kubernetes/pki/ca.crt /etc/pki/ca-trust/source/anchors/ 
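Review bot: The added `kubectl create secret tls ... -n kubeapps edcop-wild` line is a third verbatim copy of the kube-system and default lines above it, and like them its exit status is never checked, so if the `kubeapps` namespace does not exist yet at this point in firstboot (its creation is not visible in this hunk) the secret is silently missing and the script carries on. The three lines would be clearer and safer as one loop over the namespaces that reports a failed create per namespace; the private key path stays the same, so nothing else changes. The enclosing script continues outside the hunk, so where `kubeapps` is created relative to this line should be confirmed before merging.
```shell
# … unchanged: openssl x509 -req … signing of edcop_wild.csr …
for ns in kube-system default kubeapps; do
  kubectl create secret tls --cert=/root/edcop_wild.crt --key=/root/edcop_wild.key -n "$ns" edcop-wild \
    || echo "firstboot: failed to create edcop-wild secret in namespace $ns" >&2
done
# … unchanged: update-ca-trust force-enable …
```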
diff --git a/kickstarts/post-chroot.ks b/kickstarts/post-chroot.ks index 358e021..1600c4f 100644 --- a/kickstarts/post-chroot.ks +++ b/kickstarts/post-chroot.ks @@ -79,7 +79,7 @@ EOF cat <1_}DPWn>1s5wQSVCJ04WhWTRj8m;wx#7F?d;9~6J}@X&g?Ew zO8TZz@y#0=6EzwM8ht>FxAIys)|U!t>V>y)2CB#hHcZcyr$5G2l4Ah~`>-9O)%@tiUw70r$#yMe=t}e(G zeAn&s1Ba*CI~3Z-LT;O38rm25g|J&B8`kw=VDGjmms7HPC}S|>(3Ct-hkEYjCCL>l z*R1Qy5yi9Eu`k_Gtx$vqF+=F^0{}KLAYzw_M+)~mK(-iuHR}|wxuXabA=eq={x1A z+MI5UlnPtM+F1|V$wp{Tjj_}01$K^|XBXH9>~r=dn`Bqm&+Iq$JNuLU#r{SDRhWnQ zsDpt%Xv$6y!@dwG7G>&$1;+gByIJs^6wg&CN8<)mE z+|2LoqQ$o~EJ>|gy|%sco~={&e%hVBhKyG;P!LZtOE9j&D9Li8acNU>nRe@Jdt-n& zY9CWL(e#?hrpBelirbP&ol{K_!`f9zjrM{n25VN4EkPEZR$G^BQ;G3m_!X{X|Ut2aNbxi$%oH6~xYU z*o6Cto!#ic1K36U%%C3wI7l2diKR!0qaJ)5!*Pt^Bu?S+h^eRX9G=IEID?n*2HwP5 zIE!;Qj|=z^AK_zsf-mqDzMjU_9n-k_{Y? z|K}hw@seW%<_-d=?#c9Y(RyclGV)qGMaKvoym7w?DMbi%q8ukF%5joWIWBxt + - host: traefik. http: paths: - - path: /loadbalancer + - path: / backend: serviceName: traefik-web-ui servicePort: 80 diff --git a/kubernetes/storage/.DS_Store b/kubernetes/storage/.DS_Store deleted file mode 100644 index 5008ddfcf53c02e82d7eee2e57c38e5672ef89f6..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 6148 zcmeH~Jr2S!425mzP>H1@V-^m;4Wg<&0T*E43hX&L&p$$qDprKhvt+--jT7}7np#A3 zem<@ulZcFPQ@L2!n>{z**++&mCkOWA81W14cNZlEfg7;MkzE(HCqgga^y>{tEnwC%0;vJ&^%eQ zLs35+`xjp>T0 Date: Wed, 11 Jul 2018 09:30:31 -0400 Subject: [PATCH 08/14] fixed formatting --- docs/installation_guide.rst | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/docs/installation_guide.rst b/docs/installation_guide.rst index 333f517..a3d6f64 100644 --- a/docs/installation_guide.rst +++ b/docs/installation_guide.rst 
@@ -185,11 +185,11 @@ Accessing other Services EDCOP has deployed a number of internal web inferfaces automatically for you. To view these: -https://admin./ -https://kubernetes./ -https://loadbalancer./ -https://apps./ -https://ceph./ +- https://admin./ +- https://kubernetes./ +- https://loadbalancer./ +- https://apps./ +- https://ceph./ From 6c10908c6a10f66c8bf7dfb1e137ed55011ddf2e Mon Sep 17 00:00:00 2001 From: Daniel Lohin Date: Wed, 11 Jul 2018 14:33:24 -0400 Subject: [PATCH 09/14] Updated documentation --- .DS_Store | Bin 10244 -> 12292 bytes README.md | 113 ++---------------------------------- docs/ingress_design.rst | 41 +++++++++++++ docs/installation_guide.rst | 15 +++++ firstboot/firstboot.sh | 2 + 5 files changed, 63 insertions(+), 108 deletions(-) create mode 100644 docs/ingress_design.rst diff --git a/.DS_Store b/.DS_Store index ef9379fce3bd498d16afc28ef560fedb06b6ea50..b9dd851d040ed4319e619405a26dd02740240c34 100644 GIT binary patch delta 384 zcmZn(Xh~3DU|?W$DortDV9)?EIe-{M3-B;7uy8RjC~!|yP?u!}DFR|)AO^Ap7#NZn zvKfjQN*EFuiZ&K5W}a-I!omtt!7}-Sn8fDOf{U3p7YH*lva>LxFyu2NPi_%01eypo z1W0jkZ!8pN*{sgUCp z)aocy8ycCK>L{3-Og=AeCIdB^p*W>DIVUMUKL>0-)V`B~w;A_tUMh43?u5-PA`=-I z_f8fQyDI|MS{7WCmy@5D4s_FGa{(7d#?3VXW{ivslTBodWPpOKKnw&L+(5z=IaD?l bzGt4yui^;`FOaV|CTFP3oV-djn-m)WZYEK+ delta 194 zcmZokXbF&DU|?W$DortDU{C-uIe-{M3-C-V6q~3gIoUvmMI6Xy;0Izxpg03VN=k8Z zPEvk;&Spc&TWk{>PICgqL4boBC?d|XS)JzzGb8_G9tC9%n9|8%YA%cnn`f(;F)}hv z-l#6IS%YOU6PTeQ(8w*w3^7508%Vo?Y~L)%@tt`xzmDf*e;y7FCWyl{CMW33oV-v` PesaFb*Ug&+-!lRLsJ$w( diff --git a/README.md b/README.md index 00e16d6..c0442e5 100644 --- a/README.md +++ b/README.md 
@@ -21,116 +21,13 @@ The EDCOP is a scalable cluster to deploy virtual network defense tools on. It i ![EDCOP Architecture](https://github.com/sealingtech/EDCOP/raw/master/docs/images/stacked_platform_concept.png) -EDCOP is designed to be a platform to deploy any CND tools. Once deployed you will have Bro, Suricata, ELK stack and other tools made available to you. There is a seperate Github Repository available here: [EDCOP-TOOLS](https://github.com/sealingtech/EDCOP-TOOLS) +EDCOP is designed to be a platform to deploy any CND tools. Once deployed you will have Bro, Suricata, ELK stack and other tools made available to you. Each tool has a seperate Github repository viewable here: +https://github.com/sealingtech/ -## Quickstart ---- -For the more adventurous, you can [download the latest release installation ISO](https://github.com/sealingtech/EDCOP/releases/download/0.9.1/EDCOP-0.9.1.iso), and give it a try (we'd love the feedback). - -To build the ISO, simply clone the repo and run `make iso` (requires docker on the host system and ~10GB free space). Validated on Mac, CentOS, and Ubuntu. - -```shell -git clone https://github.com/sealingtech/EDCOP.git -make iso -``` -This will create the docker build container and build the installer ISO from online. - -If successful, you should have a file called "EDCOP-dev.iso" in your folder. - -The system is installed with the following default UN/PW: - -**Default Username:** root - -**Default Password:** open.local.box - -## Installation -Deploying EDCOP first involves booting the ISO and running the install setup on the master node. Once this is complete, minions can be automatically built over the network through PXE services. - -### Hardware Pre-Requisites -The EDCOP installer has been tested on both physical and VMs, however it expects a minimum amount of resources on both the Master server and Minions. At this time, the **Master and Minion must have the same hardware specs**. 
- -| Resource | Minimum Spec | -| ------------------------ |:-------------:| -| CPU | 4 cores | -| Memory | 8 GB | -| Harddrive 1 (OS) | 80 GB | -| Harddrive 2 (Data) | 300 GB | -| Network Interfaces | 2 NICs | - - - -After booting from the install disk, you'll be asked a series of questions to set the Network and Storage: - -![Install Prompt](https://github.com/sealingtech/EDCOP/raw/master/docs/images/installation_prompt.png) - -### Network Settings: - -The installer will make a feeble attempt to guess what your network settings should be. This is normally incorrect and should probably be answered _**N**_ and entered manually. - -+ **Enter hostname (entire FQDN):** - - EDCOP requires a FQDN and corresponding DNS entry (e.g. "edcop.example.com" or "dev.edcop.io"). After installation, you must access the Admin panel with the FQDN (not IP address). - -+ **TEAM the network interfaces on Master? (Y/N):** - - For large clusters, it's recommended to team multiple interfaces (if testing in VMs, recommend answering **_N_**). Answering **_Y_** will use LACP to team the provided interfaces, which must be configured on the switch as well. The new interface will be called "team0". - -+ **Enter CLUSTER Interface:** +EDCOP is designed to work in a number of deployment scenarios including a single physical system as well as large cluster with a traffic load balancer. - If you answer **_N_** to the teaming, you must enter an interface to communicate with the rest of the cluster. +Installation takes place by building a "master" node which is then used to build more "minion" nodes. Once this process is completed then it is possible to deploy tools in a scalable fashion. -+ **Would you like to set the CLUSTER interface for DHCP? (Y/N)** +![Installation instructions are located here.](https://github.com/sealingtech/EDCOP/blob/master/docs/installation_guide.rst) - You can set the CLUSTER interface for DHCP, however remember that this required a corresponding DNS entry. 
If answering _**N**_ you'll be prompted for IP Address, Netmask, Gateway, and DNS. - -+ **Enter PXE-Server Interface:** - - EDCOP installs a PXEboot server on the Master server that allows for auto-installing the minions. The PXE-interface should be on a separate network/vlan. This network should have no DHCP servers on it (the master will start a DHCP server for PXE). - -+ **Enter PXE-Server IP Address:** - - Since this is on closed network, any IP address should work (e.g. 10.50.50.10) - -+ **Enter PXE-Server Netmask:** - - Ensure a large enough network to cover all minions/nodes to be installed. - -+ **Enter last octet of DHCP starting IP:** - - Enter only the last octet for the DHCP server, for example _**100**_ - -+ **Enter last octet of DHCP ending IP:** - - Enter only the last octet for the DHCP server, for example entering _**150**_ will give you 51 IP addresses for the PXEboot server - -### Storage Settings: - -At this time, EDCOP allows for an OS disk and a DATA disk. The installation will show the device-id (e.g. sda or sdb) and the corresponding size. Follow the instructions to select which disk is for the OS and which is for the DATA (such as ElasticSearch event storage) - -## Using EDCOP - -The system is installed with the following default UN/PW: - -**Default Username:** root - -**Default Password:** open.local.box - -After installation, EDCOP runs a service called "EDCOP-firstboot" to finish installing kubernetes, calico, multus, and the other internal cluster components. For normal operations, this requires internet access (a completely offline installer is in development). The service will attempt to ping 8.8.8.8 to verify internet connectivity. If no connectivity is found, the service will fail. 
- -You can validate the service is running with: `systemctl status EDCOP-firstboot` - -Once the service has finished installing everything, the follwing URLs can be accessed: - -| URL | Role | -| --------------------------- |:----------------------------:| -| https://\/admin | Cockpit Admin Panel | -| https://\/kubernetes-ui|Kubernetes Dashboard | -| https://\/loadbalancer |Traefik Ingress Loadbalancer| -| https://apps.\ |Kubeapps DCO deployment UI | - -EDCOP uses [Cockpit ](https://github.com/cockpit-project/cockpit) for server/cluster administration. Login with the UN/PW shown above. - -## Building all required packages ---- -The Makefile and Dockerfile pull the necessary RPM packages from both CentOS and EDCOP repos. If you want to build/update the RPMs yourself, you can use the steps outlined in build-packages.md. diff --git a/docs/ingress_design.rst b/docs/ingress_design.rst new file mode 100644 index 0000000..47d9cd7 --- /dev/null +++ b/docs/ingress_design.rst 
@@ -0,0 +1,41 @@ + +#################### +EDCOP Ingress Design +#################### + +By default it is not possible to communicate with services internal to the cluster from outside of the cluster.. To communicate with services inside the cluster two methods are used. ![Traefik](https://traefik.io) provides access to all web services over https and nodeports provide access to all non-web services. It is important to understand some of these concepts for deploying applications as well as designing scalable solutions. + + +####### +Traefik +####### + +Traefik is deployed on all nodes including the masterin EDCOP. This means that if a web request comes in to any node the traffic will be forwarded to the proper location inside of the cluster regardless of which host the service is running on. Traefik terminates SSL and uses a certificate called edcop-wild that is created when you install. When new capabilities are deployed an ingress is created which is how Traefik know where to send traffic. Treafik uses ![SNI]() https://en.wikipedia.org/wiki/Server_Name_Indication) which means that users must browse to websites using the domain name and on the IP address. The purpose of the wild card DNS entry is to make sure that all requests to a specific sub-domain is forwarded to traefik so that it can figure out where to send data. + +In smaller deployments you can point these DNS records to the master. In larger deployments this can become an issue as all traffic is being processed by the master node. A more scalable option is to use a network load balancer which forwards network traffic to all nodes (master and minions). This serves to spread the load of this traffic as well as provides redundancy in case a node fails. In this situation, the wild card DNS entry must be pointed at the load balancer IP. 
+ +When configuring any charts with an ingress (such as Kibana), it is important to look for the value host and change this value to any subdomain under the FQDN value you selected when you built the cluster. If this option is not selected then the default value will be deployed incorrectly. Once deployed and the service is up, it is possible to browse to this host name. + +To view Traefik ingresses, browse to loadbalancer. where you can view all current ingresses as well as view their status. From the console it is possible to run the command from the command line. + +.. code-block:: bash + + kubectl get ingress --all-namespaces + + + +######## +NodePort +######## + +NodePort services traffic for all non web traffic. NodePorts instruct kube-proxy which lives on every node to forward traffic to the proper location inside of the cluster. Nodeports are a port number between 30,000 and 32,767. When deploying capabilities (such as ingress) containing node ports set the port number to a unique number. To view current node ports from the command line use the following command: + +.. code-block:: bash + + kubectl get service --all-namespaces | grep NodePort + +Traffic can be load balanced here if desired using an external load balancer or it is possible to point clients to specific nodes and spread out the traffic in the way. + + + + diff --git a/docs/installation_guide.rst b/docs/installation_guide.rst index a3d6f64..b460ad0 100644 --- a/docs/installation_guide.rst +++ b/docs/installation_guide.rst 
@@ -192,6 +192,21 @@ EDCOP has deployed a number of internal web inferfaces automatically for you. T - https://ceph./ +SSL Certificate Management +========================== + +By default EDCOP will create a wild card certificate that is used by all domains. This certificate has been signed by an auto-generated Certificate Authority (CA) that is used for internal CA operations. This CA is generally not trusted by your browser. To make SSL error messages go away a user can trust the internal kubernetes certificate authority. + +The certificate is stored in /root/ca.cer and can be added to user's internal Root CA store. + +For windows follow this guide: +https://blogs.technet.microsoft.com/sbs/2008/05/08/installing-a-self-signed-certificate-as-a-trusted-root-ca-in-windows-vista/ + + +Deploying Capabilities +====================== + +To deploy additional tools users can go to apps. and select the applications to they want to deploy. Selecting "Available Capabilities" will bring up a number of charts that can then be deployed. Each chart will have built in instructions. Many of these charts values are set to defaults that will work with smaller deployments but more planning is required for larger deployments to get more performance out of the tools. diff --git a/firstboot/firstboot.sh b/firstboot/firstboot.sh index a2fd820..a1de9cc 100644 --- a/firstboot/firstboot.sh +++ b/firstboot/firstboot.sh @@ -176,6 +176,8 @@ openssl req -new -sha256 -key /root/edcop_wild.key -out /root/edcop_wild.csr -su openssl x509 -req -days 3650 -in /root/edcop_wild.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out /root/edcop_wild.crt -sha256 +openssl x509 -outform der -in /etc/kubernetes/pki/ca.crt -out /root/ca.cer + #make cn wild card kubectl create secret tls --cert=/root/edcop_wild.crt --key=/root/edcop_wild.key -n kube-system edcop-wild From 0a8e86029c83fa4645e6220e7cefd6a5818935d2 Mon Sep 17 00:00:00 2001 
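Review bot: The new `openssl x509 -outform der -in /etc/kubernetes/pki/ca.crt -out /root/ca.cer` line carries no comment, and because it is inserted directly above the existing `#make cn wild card` comment a reader will take it for part of the wildcard-certificate step rather than what it is: a DER export of the public cluster CA certificate for users to import into their trust stores, as the installation guide in the same commit describes. A one-line comment above it would fix that, e.g. `# Export the public cluster CA cert in DER form to /root/ca.cer so users can import it as a trusted root (see docs/installation_guide.rst)`. Only the public certificate is exported here; the CA key path is not touched by this line. The script's body continues outside the hunk.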
From: Daniel Lohin Date: Wed, 11 Jul 2018 14:42:41 -0400 Subject: [PATCH 10/14] one more update --- docs/installation_guide.rst | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/docs/installation_guide.rst b/docs/installation_guide.rst index b460ad0..3410143 100644 --- a/docs/installation_guide.rst +++ b/docs/installation_guide.rst @@ -156,7 +156,8 @@ Labeling nodes NOTE: This section will need to change when more granular roles are configured -Nodes must be given roles in order to take certain tasks. For mid to large scale deployments it is best to not label the master with these and instead focus on the minions. For single node and very small deployments it is possible to apply these to the master. In the Helm charts there are often options to select NodeSelectors. Log on to the master node and run the command: +Nodes must be given roles in order to take certain tasks. Each of these labels must be applied somwhere throughout the cluster. For small deployments, simply label the master as all of them. For larger deployments it is possible to selectively apply the labels to specific nodes throughout the cluster. + .. code-block:: bash @@ -166,7 +167,7 @@ Nodes must be given roles in order to take certain tasks. For mid to large scal kubectl label node infrastructure=true kubectl label node ingest=true -For single node deployments it is necessarry to apply all these labels to the master node. For multiple node deployments it is possible to choose which nodes take certain roles. + Please see the ![node labeling guide](https://github.com/sealingtech/EDCOP/blob/master/docs/node_labels.rst). Verifying installation @@ -191,6 +192,8 @@ EDCOP has deployed a number of internal web inferfaces automatically for you. T - https://apps./ - https://ceph./ +Please view the ![ingress guide](https://github.com/sealingtech/EDCOP/blob/master/docs/ingress_design.rst) for more details. + SSL Certificate Management ========================== 
From 60643c878b42f28e09ce6f157cd90f87e2c77df6 Mon Sep 17 00:00:00 2001 From: dlohin Date: Wed, 11 Jul 2018 14:44:40 -0400 Subject: [PATCH 11/14] Update README.md --- README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index c0442e5..8a46623 100644 --- a/README.md +++ b/README.md @@ -28,6 +28,7 @@ EDCOP is designed to work in a number of deployment scenarios including a single Installation takes place by building a "master" node which is then used to build more "minion" nodes. Once this process is completed then it is possible to deploy tools in a scalable fashion. -![Installation instructions are located here.](https://github.com/sealingtech/EDCOP/blob/master/docs/installation_guide.rst) + +![Installation instructions are located here](https://github.com/sealingtech/EDCOP/blob/master/docs/installation_guide.rst) From 1e76e1ce24516f70f988eee0f19176e616929041 Mon Sep 17 00:00:00 2001 From: dlohin Date: Wed, 11 Jul 2018 14:47:12 -0400 Subject: [PATCH 12/14] Update README.md --- README.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/README.md b/README.md index 8a46623..da7b4cc 100644 --- a/README.md +++ b/README.md @@ -29,6 +29,5 @@ EDCOP is designed to work in a number of deployment scenarios including a single Installation takes place by building a "master" node which is then used to build more "minion" nodes. Once this process is completed then it is possible to deploy tools in a scalable fashion. -![Installation instructions are located here](https://github.com/sealingtech/EDCOP/blob/master/docs/installation_guide.rst) - +Install: https://github.com/sealingtech/EDCOP/blob/master/docs/installation_guide.rst From 9a0c36c9a425bf31e9a02913342dfd043937ae26 Mon Sep 17 00:00:00 2001 From: dlohin Date: Wed, 11 Jul 2018 14:48:53 -0400 Subject: [PATCH 13/14] Update installation_guide.rst --- docs/installation_guide.rst | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) 
diff --git a/docs/installation_guide.rst b/docs/installation_guide.rst index 3410143..97c9cdc 100644 --- a/docs/installation_guide.rst +++ b/docs/installation_guide.rst @@ -167,7 +167,8 @@ Nodes must be given roles in order to take certain tasks. Each of these labels kubectl label node infrastructure=true kubectl label node ingest=true - Please see the ![node labeling guide](https://github.com/sealingtech/EDCOP/blob/master/docs/node_labels.rst). + +Please see the node labelling guide https://github.com/sealingtech/EDCOP/blob/master/docs/node_labels.rst Verifying installation @@ -192,7 +193,7 @@ EDCOP has deployed a number of internal web inferfaces automatically for you. T - https://apps./ - https://ceph./ -Please view the ![ingress guide](https://github.com/sealingtech/EDCOP/blob/master/docs/ingress_design.rst) for more details. +Please view the ingress guide https://github.com/sealingtech/EDCOP/blob/master/docs/ingress_design.rst for more details. SSL Certificate Management From 5e50c9ef4bc533c225f2fa208ea3faa9895744bf Mon Sep 17 00:00:00 2001 From: Daniel Lohin Date: Thu, 12 Jul 2018 08:56:35 -0400 Subject: [PATCH 14/14] Why does this keep coming back? --- .DS_Store | Bin 12292 -> 12292 bytes build/online-configure.sh | 2 +- 2 files changed, 1 insertion(+), 1 deletion(-) diff --git a/.DS_Store b/.DS_Store index b9dd851d040ed4319e619405a26dd02740240c34..919288d438c1acfce71188d115bcb543e2c5ca16 100644 GIT binary patch delta 16 XcmZokXi3