-
Notifications
You must be signed in to change notification settings - Fork 2
/
Copy pathbootstrap
executable file
·270 lines (226 loc) · 7.04 KB
/
bootstrap
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
#!/bin/bash
##
# A quick/simple script to get agentless ansible deployed and configured.
# See help text (./bootstrap -h) and README.rst for requirements.
#
# skeys.gpg, generated with:
# printf .vaultpass | gpg --symmetric --cipher-algo TWOFISH -o skeys.gpg
#
# BS_*: This script will dump all "BS_*" environment variables into configuration
#
# Critical Order:
# 1. Prepare apt
# 2. Install dependencies
# 3. Install ansible
# 4. Check permissions
##
set -x
main() {
parse_options "$@"
# Pre-flight
safety_checks
lock acquire "$0" || die 'Unable to acquire lock'
pristine_apt || die 'Failed to set pristine apt configuration'
# Hack: IPv6 is often incorrectly implemented and first boot is very touchy
echo 'precedence ::ffff:0:0/96 100' >>/etc/gai.conf
echo 'Acquire::ForceIPv4 "true";' >/etc/apt/apt.conf.d/99force-ipv4
# Install and configure (local) ansible
install_ansible || die 'Failed to install ansible'
configure_ansible || die 'Failed to configure ansible'
deploy_key || die 'Failed to unpack key'
# Run Highstate and Configure System
run_maintenance || die 'Provisioning process (playbook) failed'
# Cleanup
lock destroy "$0"
}
show_usage() {
t="$(printf '\t')"
cat <<-EOF
Deploy agentless ansible on a host managed by MTecknology.
Usage: $0 [-h] <options>
Options:
-k [http]${t}Location of encrypted blob containing ansible-vault key (can be file)
-p [path]${t}File with password used to decrypt gpg blob
-l X${t}Log level (0=Debug, 1=Info, 2=Warn, 3=Error)
-h${t}${t}Print this help text
Environment Variables (Defaults):
TH_ANSGPG${t}https://raw.githubusercontent.com/MTecknology/teckhost/master/conf/key.gpg
TH_ANSGPG_PRIV${t}/tmp/gpgpassphrase
LOG_LEVEL${t}1 (info)
BS_*${t}${t}<none>
EOF
}
# Parse options, prioritizing args > env > defaults
parse_options() {
# Default values
# These can be overridden by setting environment variables
export TH_ANSGPG="${TH_ANSGPG:-https://raw.githubusercontent.com/MTecknology/teckhost/master/conf/key.gpg}"
export TH_ANSGPG_PRIV="${TH_ANSGPG_PRIV:-/tmp/gpgpassphrase}"
export LOG_LEVEL="${LOG_LEVEL:-1}"
# Modify defaults
while getopts 'k:p:l:h' opt; do
case "$opt" in
k) TH_ANSGPG="$OPTARG";;
p) TH_ANSGPG_PRIV="$OPTARG";;
l) LOG_LEVEL="$OPTARG";;
h) show_usage; exit 0;;
*) die "Unexpected argument provided: '$OPT'";;
esac
done
}
# Verify all expected data is currently present or else die with reason
safety_checks() {
command_present apt-get || die 'Must have apt-get available'
}
# Ensure a clean apt state prior to configuration management
pristine_apt() {
# Find $OSCODENAME
# Seems excessive when only one path is likely, but who knows how this might get used
if [[ -n "$OSCODENAME" ]]; then
log "$DEBUG" "Found \$OSCODENAME=$OSCODENAME in environment"
elif [[ -f /etc/os-release ]]; then
# most likely path
. /etc/os-release
OSCODENAME="$VERSION_CODENAME"
elif command_present 'lsb_release'; then
OSCODENAME="$(lsb_release -cs)"
else
die 'Could not figure out OSCODENAME'
fi
# Force a pristine/known-good apt configuration
rm -rf /etc/apt/sources.list*
mkdir /etc/apt/sources.list.d
cat >/etc/apt/sources.list <<-EOF
deb http://deb.debian.org/debian $OSCODENAME main contrib non-free non-free-firmware
deb http://security.debian.org/debian-security $OSCODENAME-security main contrib non-free non-free-firmware
deb http://deb.debian.org/debian $OSCODENAME-updates main contrib non-free non-free-firmware
# Newer Packages (use with extreme caution)
deb http://deb.debian.org/debian testing main non-free non-free-firmware contrib
deb http://deb.debian.org/debian sid main non-free non-free-firmware contrib
EOF
cat >/etc/apt/preferences.d/pinning <<-EOF
Package: *
Pin: release a=stable
Pin-Priority: 700
Package: *
Pin: release a=stable-security
Pin-Priority: 700
Package: *
Pin: release a=testing
Pin-Priority: 400
Package: *
Pin: release a=unstable
Pin-Priority: 300
EOF
# Update package cache
apt-get update
}
# Install ansible and other basic dependencies
install_ansible() {
# Dependencies
apt-get update || return 1
# rsync required for ansible.posix.synchronize
apt-get install -y debconf-utils wget git gpg rsync || return 1
# Application
apt-get install -y ansible || return 1
}
# Run configuration (playbook:maintenance)
run_maintenance() {
# Ensure /dev/shm is mounted
if ! mountpoint -q /dev/shm; then
test -d /dev/shm || mkdir /dev/shm
mount -t tmpfs none /dev/shm
fi
# Run ansible
cd /etc/ansible && ansible-playbook "${BS_PLAYBOOK:-conf/maintenance.yml}"
}
# Create default minion configuration
configure_ansible() {
if [ -e /etc/ansible ]; then
log "$INFO" '/etc/ansible already exists, not replacing'
else
git clone --depth=1 --branch "${BS_GITREV:-master}" "${BS_gitrepo:-https://github.com/MTecknology/teckhost.git}" /etc/ansible
fi
chmod 0700 /etc/ansible
}
# Download and unpack ansible-vault key
# NOTE: This requires a password, shared among admins
deploy_key() {
# Get the encrypted keys
gpgblob="$(mktemp)"
if [[ -f "$TH_ANSGPG" ]]; then
log "$DEBUG" "Copying GPG blob from $TH_ANSGPG"
cp "$TH_ANSGPG" "$gpgblob" || return 1
else
log "$DEBUG" "Downloading GPG blob from $TH_ANSGPG"
wget "$TH_ANSGPG" -O "$gpgblob" || return 1
fi
# Decrypt key
unset pwfile; [[ -f "$TH_ANSGPG_PRIV" ]] && pwfile=('--passphrase-file' "$TH_ANSGPG_PRIV")
gpg --batch "${pwfile[@]}" --decrypt "$gpgblob" >/etc/ansible/.vaultpass
chmod 0600 /etc/ansible/.vaultpass
# Cleanup (leave broken for investigation)
rm "$gpgblob"
}
##
# Copied from https://github.com/MTecknology/script-helpers
##
# Log Levels
DEBUG=0; INFO=1; WARN=2; ERROR=3
readonly DEBUG INFO WARN ERROR
export DEBUG INFO WARN ERROR
# Check if a command (or alias/function) is available.
# Usage: command_present bin
command_present() {
command -v "$1" >/dev/null && return 0
alias | grep -q "\s$1=" 2>/dev/null && return 0
return 1
}
# Print a formatted (critical) message and exit with status.
# Usage: die [exit_status] message
die() {
lock destroy "$0"
# If first argument was an integer, use as exit_status
case "$1" in
(*[!0123456789]*) _exit_status=1;;
(*) _exit_status="$1"; shift;;
esac
printf '*** CRITICAL: %s ***\n' "$1"
exit "$_exit_status"
}
# Manage a lock file.
# Usage: lock operation [key]
lock() {
_h="$(printf '%s' "${2:-$0}" | cksum | awk '{print $1}')"
case "$1" in
(acquire) _lock_acquire "/tmp/$_h.lock";;
(destroy) rm -f "/tmp/$_h.lock";;
esac
}
# Create a lock file and populate it with PID.
_lock_acquire() {
# Check if running
[ -e "$1" ] && kill -0 "$(cat "$1")" && return 1
# make sure the lockfile is removed when we exit and then claim it
# shellcheck disable=SC2064 #[we want this expanding now]
trap "rm -f '$1'; exit" INT TERM EXIT
echo $$ > "$1"
return 0
}
# Print a formatted message if env[LOG_LEVEL] >= level.
log() {
if [ "${LOG_LEVEL:-2}" -le "$1" ]; then
case "$1" in
(0) _lvl='DEBUG';;
(1) _lvl='INFO';;
(2) _lvl='WARN';;
(3) _lvl='ERROR';;
(*) _lvl='UNKNOWN';;
esac
printf '*** %s: %s ***\n' "$_lvl" "$2"
fi
}
##
# Kick off the script
##
main "$@"