Initial files (#1)

.github/workflows/generate_image.yaml

@@ -0,0 +1,49 @@
+name: Create and publish a Docker image
+
+on:
+  push:
+    branches:
+      - 'main'
+    tags:
+      - 'v*'
+  pull_request:
+    branches:
+      - 'main'
+
+
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
+
+jobs:
+  build-and-push-image:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+
+      - name: Log in to the Container registry
+        uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@9ec57ed1fcdbf14dcef7dfbe97b2010124a938b7
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+
+      - name: Build and push Docker image
+        uses: docker/build-push-action@f2a1d5e99d037542a71f64918e516c093c6f3fc4
+        with:
+          context: .
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}

Dockerfile

@@ -0,0 +1,3 @@
+FROM docker.io/library/php:apache
+
+COPY src/ /var/www/html/

src/fcos/configs/customizations/customizations.php

@@ -0,0 +1,26 @@
+<?php
+
+// Public key for "core" user
+$ssh_key = "";
+
+// Public key of CA that can sign SSH keys
+$ssh_ca_key = "";
+
+// List of time servers. Each entry is an entire line in /etc/chrony.conf
+$timeservers = [
+    "pool pool.ntp.org prefer iburst"
+];
+
+// URL of fleet lock server for reboot management
+$fleet_lock_server = "";
+
+// PHP code to generate hostname
+$name_format = "";
+
+//Primary disk device path
+$primary_disk = "/dev/sda";
+
+// Second disk device path
+$second_disk = "/dev/sdb";
+
+?>

src/fcos/configs/files/kubernetes.repo

@@ -0,0 +1,6 @@
+[kubernetes]
+name=Kubernetes
+baseurl=https://packages.cloud.google.com/yum/repos/kubernetes-el7-$basearch
+enabled=1
+gpgcheck=1
+gpgkey=https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg

src/fcos/configs/files/prep-machine.service

@@ -0,0 +1,12 @@
+[Unit]
+Requires=network-online.target
+ConditionFirstBoot=true
+
+[Service]
+Type=oneshot
+RemainAfterExit=true
+ExecStartPre=bash -c "while ! curl https://packages.cloud.google.com 1>/dev/null; do sleep 1; done"
+ExecStart=/bin/bash /usr/local/src/prep-machine.sh
+
+[Install]
+WantedBy=multi-user.target

src/fcos/configs/files/prep-machine.sh

@@ -0,0 +1,21 @@
+#!/bin/bash
+
+set -ex
+
+rpm-ostree install qemu-guest-agent kubeadm
+
+for path in /var/lib/etcd /etc/kubernetes/pki /etc/kubernetes/pki/etcd /etc/cni/net.d
+do
+  mkdir -p $path
+  chcon -t svirt_sandbox_file_t $path
+done
+
+mkdir /etc/containerd || true
+containerd config default > /etc/containerd/config.toml
+sed -i 's/SystemdCgroup = false/SystemdCgroup = true/' /etc/containerd/config.toml
+
+ln -s /usr/lib/systemd/system/kubelet.service /etc/systemd/system/multi-user.target.wants/kubelet.service
+
+systemctl disable docker.socket
+
+systemctl reboot

src/fcos/configs/files/var-lib-containerd.mount

@@ -0,0 +1,10 @@
+[Unit]
+Before=local-fs.target
+
+[Mount]
+What=/dev/disk/by-partlabel/containerd
+Where=/var/lib/containerd
+Type=xfs
+
+[Install]
+WantedBy=local-fs.target

src/fcos/configs/hostname.ign.php

@@ -0,0 +1,19 @@
+<?php
+
+require "customizations/customizations.php";
+
+$ignition = (object)[];
+$ignition->ignition = (object)[];
+$ignition->ignition->version = "3.3.0";
+$ignition->storage = (object)[];
+$ignition->storage->files = [];
+
+$file = (object)[];
+$file->path = "/etc/hostname";
+$file->contents = (object)[];
+$file->contents->compression = "";
+$file->contents->source = "data:," . rawurlencode($name_format);
+$ignition->storage->files[] = $file;
+
+print(json_encode($ignition, JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES));
+?>

src/fcos/configs/kubernetes.ign.php

@@ -0,0 +1,83 @@
+<?php
+
+$ignition = (object)[];
+
+$ignition->ignition = (object)[];
+$ignition->ignition->version = "3.3.0";
+
+$ignition->storage = (object)[];
+$ignition->storage->files = [];
+
+$ignition->systemd = (object)[];
+$ignition->systemd->units = [];
+
+// Add Kubernetes Repo
+$file = (object)[];
+$file->path = "/etc/yum.repos.d/kubernetes.repo";
+$file->contents = (object)[];
+$file->contents->compression = "";
+$file->contents->source = "data:," . rawurlencode(file_get_contents("files/kubernetes.repo"));
+$ignition->storage->files[] = $file;
+
+// Override service entries
+$systemd_unit = (object)[];
+$systemd_unit->name = "containerd.service";
+$systemd_unit->enabled = true;
+$systemd_unit->dropins = [];
+$override = (object)[];
+$override->name = "override.conf";
+$content = "[Service]
+Restart=always
+RestartSec=5
+OOMScoreAdjust=-999
+LimitNOFILE=infinity
+# Having non-zero Limit*s causes performance problems due to accounting overhead
+# in the kernel. We recommend using cgroups to do container-local accounting.
+LimitNPROC=infinity
+LimitCORE=infinity
+";
+$override->contents = $content;
+$systemd_unit->dropins[] = $override;
+$ignition->systemd->units[] = $systemd_unit;
+
+
+// Enable modules
+$file = (object)[];
+$file->path = "/etc/modules-load.d/containerd.conf";
+$file->contents = (object)[];
+$file->contents->compression = "";
+$content = "overlay
+br_netfilter
+";
+$file->contents->source = "data:," . rawurlencode($content);
+$ignition->storage->files[] = $file;
+
+// Blacklist ip_tables
+$file = (object)[];
+$file->path = "/etc/modprobe.d/blacklist_iptables.conf";
+$file->contents = (object)[];
+$file->contents->compression = "";
+$content = "blacklist ip_tables
+";
+$file->contents->source = "data:," . rawurlencode($content);
+$ignition->storage->files[] = $file;
+
+// Configure for CRI
+$file = (object)[];
+$file->path = "/etc/sysctl.d/99-kubernetes-cri.conf";
+$file->contents = (object)[];
+$file->contents->compression = "";
+$content = "net.bridge.bridge-nf-call-iptables  = 1
+net.ipv4.ip_forward                 = 1
+net.bridge.bridge-nf-call-ip6tables = 1
+
+fs.inotify.max_user_instances       = 8192
+fs.inotify.max_user_watches         = 524288
+";
+$file->contents->source = "data:," . rawurlencode($content);
+$ignition->storage->files[] = $file;
+
+
+
+print(json_encode($ignition, JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES));
+?>

src/fcos/configs/prepmachine.ign.php

@@ -0,0 +1,31 @@
+<?php
+
+$ignition = (object)[];
+
+$ignition->ignition = (object)[];
+$ignition->ignition->version = "3.3.0";
+
+$ignition->storage = (object)[];
+$ignition->storage->files = [];
+
+$ignition->systemd = (object)[];
+$ignition->systemd->units = [];
+
+// Add prep-machine.sh script
+$file = (object)[];
+$file->path = "/usr/local/src/prep-machine.sh";
+$file->contents = (object)[];
+$file->contents->compression = "";
+$file->contents->source = "data:," . rawurlencode(file_get_contents("files/prep-machine.sh"));
+$ignition->storage->files[] = $file;
+
+// Add prep-machine service
+$systemd_unit = (object)[];
+$systemd_unit->name = "prep-machine.service";
+$systemd_unit->enabled = true;
+$systemd_unit->contents = file_get_contents("files/prep-machine.service");
+$ignition->systemd->units[] = $systemd_unit;
+
+
+print(json_encode($ignition, JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES));
+?>

src/fcos/configs/second_disk.ign.php

@@ -0,0 +1,41 @@
+<?php
+
+require "customizations/customizations.php";
+
+$ignition = (object)[];
+$ignition->ignition = (object)[];
+$ignition->ignition->version = "3.3.0";
+
+$ignition->storage = (object)[];
+$ignition->storage->disks = [];
+$ignition->storage->filesystems = [];
+
+$ignition->systemd = (object)[];
+$ignition->systemd->units = [];
+
+$disk = (object)[];
+$disk->device = $secondary_disk;
+$disk->wipeTable = true;
+$disk->partitions = [];
+$partition = (object)[];
+$partition->label = "containerd";
+$partition->number = 0;
+$partition->sizeMiB = 0;
+$disk->partitions[] = $partition;
+$ignition->storage->disks[] = $disk;
+
+$filesystem = (object)[];
+$filesystem->device = "/dev/disk/by-partlabel/containerd";
+$filesystem->format = "xfs";
+$filesystem->path = "/var/lib/containerd";
+$filesystem->label = "containerd";
+$ignition->storage->filesystems[] = $filesystem;
+
+$systemd_unit = (object)[];
+$systemd_unit->name = "var-lib-containerd.mount";
+$systemd_unit->enabled = true;
+$systemd_unit->contents = file_get_contents("files/var-lib-containerd.mount");
+$ignition->systemd->units[] = $systemd_unit;
+
+print(json_encode($ignition, JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES));
+?>

src/fcos/configs/ssh.ign.php

@@ -0,0 +1,58 @@
+<?php
+
+require "customizations/customizations.php";
+
+$ignition = (object)[];
+$ignition->ignition = (object)[];
+$ignition->ignition->version = "3.3.0";
+$ignition->passwd = (object)[];
+$ignition->passwd->users = [];
+
+// Core User
+$user = (object)[];
+$user->name = "core";
+$user->sshAuthorizedKeys = [];
+$user->sshAuthorizedKeys[] = $ssh_key;
+
+$ignition->passwd->users[] = $user;
+$ignition->storage = (object)[];
+$ignition->storage->files = [];
+
+// Create Trusted User CA Key
+$file = (object)[];
+$file->path = "/etc/ssh/trusted-user-ca-keys.pem";
+$file->contents = (object)[];
+$file->contents->compression = "";
+$file->contents->source = "data:," . rawurlencode($ssh_ca_key);
+$ignition->storage->files[] = $file;
+
+// Enable Trusted User CA Key
+$file = (object)[];
+$file->path = "/etc/ssh/sshd_config";
+$file->append = [];
+$file_content = (object)[];
+$file_content->compression = "";
+$content = "TrustedUserCAKeys /etc/ssh/trusted-user-ca-keys.pem";
+$file_content->source = "data:," . rawurlencode($content);
+$file->append[] = $file_content;
+$ignition->storage->files[] = $file;
+
+// Configure time sync
+$file = (object)[];
+$file->path = "/etc/chrony.conf";
+$file->overwrite = true;
+$file->contents = (object)[];
+$file->contents->compression = "";
+$content = "driftfile /var/lib/ntp/drift
+";
+foreach($timeservers as $timeserver) {
+    $content .= $timeserver . "\n";
+}
+$content .= "makestep 1.0 3
+rtcsync
+logdir /var/log/chrony";
+$file->contents->source = "data:," . rawurlencode($content);
+$ignition->storage->files[] = $file;
+
+print(json_encode($ignition, JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES));
+?>