Installation in Digital Ocean droplets

README.md

@@ -2,3 +2,39 @@ fleet
 =====
 
 WIP for managing a collection of docker hosts
+
+
+#Digital Ocean
+
+##Prerequisites
+
+* SSH access for `root` user added to ssh-agent
+* SSH access for `ubuntu` user added to ssh-agent
+* SSH public key to configure `ubuntu` user in `ssh_keys/authorized_keys_for_ubuntu` file
+* The inventory file `docker_hosts` must have the following format
+
+```
+public_ip_address_host_1 host_id=1 other_hosts="private_ip_address_host_2 private_ip_address_host_3"
+public_ip_address_host_2 host_id=2 other_hosts="private_ip_address_host_1"
+public_ip_address_host_3 host_id=3 other_hosts="private_ip_address_host_1"
+```
+
+##Prepare the servers
+
+```
+ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook --inventory-file=docker_hosts ansible-playbooks/prepare-digital-ocean-server.yml
+```
+
+##Configure the servers as docker's hosts
+
+```
+ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook --inventory-file=docker_hosts ansible-playbooks/docker.yml
+```
+
+##Notes
+
+* The host 1 will act as *network concentrator*, all traffic will pass through it.
+* The docker service will be available in IP address 10.10.X.1, X is the `host_id`
+* The containers in host X will have an IP address like 10.10.X.Y, X is the `host_id`
+
+**ENJOY!**

ansible-playbooks/docker.yml

@@ -0,0 +1,73 @@
+---
+- hosts: all
+  remote_user: ubuntu
+  sudo: yes
+  vars:
+    openvswitch_deps:
+      - linux-headers-3.11.0-12-generic
+      - openvswitch-datapath-dkms
+      - bridge-utils
+    docker_deps:
+      - python-software-properties
+      - python-apt
+      - python-pycurl
+  tasks:
+
+    - name: Firewall configuration
+      command: ufw allow from 10.10.0.0/16
+      tags: firewall config
+
+    - name: Firewall configuration
+      command: ufw allow from 192.168.250.0/24
+      tags: firewall config
+
+    - name: Enable traffic in firewall
+      lineinfile: dest=/etc/default/ufw state=present regexp='DEFAULT_FORWARD_POLICY="(.*)"' line='DEFAULT_FORWARD_POLICY="ACCEPT"'
+      tags: firewall config
+
+    - name: Restart firewall
+      command: ufw reload
+      tags: firewall config
+
+    - name: OpenVSwitch dependencies
+      apt: pkg={{ item }} state=latest
+      with_items: openvswitch_deps
+      tags: network repo
+
+    - name: Install OpenVSwitch
+      apt: pkg=openvswitch-switch state=latest update_cache=yes
+      tags: network repo
+
+    - name: Copy configuration for bridges and tunnels
+      copy: src=../provisioning_scripts/prepare_docker_network.sh dest=/home/ubuntu/prepare_docker_network.sh owner=ubuntu group=ubuntu mode=0755
+      tags: network configure
+
+    - name: Configure bridges and tunnels
+      command: /home/ubuntu/prepare_docker_network.sh {{host_id}} "{{other_hosts}}"
+      tags: network configure
+
+    - name: Copy routes config
+      copy: src=../provisioning_scripts/route_docker_network.sh dest=/home/ubuntu/route_docker_network.sh owner=ubuntu group=ubuntu mode=0755
+      tags: network configure
+
+    - name: Configure docker routes
+      command: /home/ubuntu/route_docker_network.sh
+      tags: network configure
+
+    - name: Docker dependencies
+      apt: pkg={{ item }} state=latest
+      with_items: docker_deps
+      tags: docker repo
+
+    - name: Add docker repository key
+      apt_key: url=https://get.docker.io/gpg state=present
+      tags: docker repo
+
+    - name: Add docker repository
+      apt_repository: repo='deb http://get.docker.io/ubuntu docker main' state=present
+      tags: docker repo
+
+    - name: Install docker
+      apt: pkg=lxc-docker state=latest update_cache=yes
+      tags: docker repo
+

ansible-playbooks/prepare-digital-ocean-server.yml

@@ -0,0 +1,4 @@
+---
+- include: ubuntu-user.yml
+- include: ubuntu-mirrors.yml
+- include: secure-system.yml

ansible-playbooks/secure-system.yml

@@ -0,0 +1,35 @@
+---
+- hosts: all
+  remote_user: ubuntu
+  sudo: yes
+  vars:
+    security_packages:
+      - ufw
+      - fail2ban
+    ufw_rules:
+      - logging low
+      - allow 22/tcp
+
+  tasks:
+
+    - name: Ensure secure packages
+      apt: pkg={{ item }} state=present
+      with_items: security_packages
+      tags: install
+
+    - name: Firewall configuration
+      command:    ufw {{ item }}
+      with_items: ufw_rules
+      tags: config
+
+    - name: Firewall status
+      action: shell yes | ufw enable
+      tags: activate
+
+    - name: Attacks protection configuration
+      lineinfile: dest=/etc/ssh/sshd_config state=present regexp='PermitRootLogin yes' line='PermitRootLogin no'
+      tags: config
+
+    - name: Attacks protection
+      service: name=ssh state=restarted
+      tags: activate

ansible-playbooks/ubuntu-mirrors.yml

@@ -0,0 +1,13 @@
+---
+- hosts: all
+  remote_user: ubuntu
+  sudo: yes
+  tasks:
+
+    - name: Use UK mirros, ES mirrors are painfully slow
+      command: sed -i -e 's/es.archive.ubuntu.com/mirror.math.ucdavis.edu/g' /etc/apt/sources.list
+      tags: config-mirrors
+
+    - name: Update packages sources
+      apt: update_cache=yes
+      tags: config-mirrors

ansible-playbooks/ubuntu-user.yml

@@ -0,0 +1,20 @@
+---
+- hosts: all
+  remote_user: root
+  tasks:
+
+    - name: Ubuntu user as sudoer
+      user: name=ubuntu home=/home/ubuntu shell=/bin/bash
+      tags: ensure-user
+
+    - name: Configure sudoers
+      lineinfile: dest=/etc/sudoers.d/ubuntu create=yes state=present line="ubuntu ALL=(ALL) NOPASSWD:ALL" regexp='^ubuntu'
+      tags: config-sudoers
+
+    - name: SSH config directory
+      file: path=/home/ubuntu/.ssh owner=ubuntu group=ubuntu state=directory mode=0744
+      tags: ssh
+
+    - name: Set ssh keys to user
+      copy: src=../ssh_keys/authorized_keys_for_ubuntu dest=/home/ubuntu/.ssh/authorized_keys owner=ubuntu group=ubuntu mode=0644
+      tags: ssh-keys

provisioning_scripts/prepare_docker_network.sh

@@ -0,0 +1,32 @@
+#!/bin/bash
+# The 'other' host
+HOST_NUMBER=$1
+OTHER_HOSTS=$2
+
+# Bridge address
+BRIDGE_ADDRESS=10.10.$HOST_NUMBER.1/24
+UNION_IP=192.168.250.$HOST_NUMBER
+UNION_ADDRESS=$UNION_IP/24
+
+# Add the docker0 bridge
+brctl addbr docker0
+# Set up the IP for the docker0 bridge
+ip address add $BRIDGE_ADDRESS dev docker0
+# Activate the bridge
+ip link set docker0 up
+
+# Add the br0 Open vSwitch bridge
+ovs-vsctl add-br br0
+# Create the tunnel to the other host and attach it to the
+# br0 bridge
+COUNTER=0
+for REMOTE_IP in $OTHER_HOSTS; do
+  let COUNTER=COUNTER+1
+  ovs-vsctl add-port br0 gre$COUNTER -- set interface gre$COUNTER type=gre options:remote_ip=$REMOTE_IP
+done
+ovs-vsctl add-port br0 tep0 -- set interface tep0 type=internal
+ip address add $UNION_ADDRESS dev tep0
+ip link set tep0 up
+
+# Add the br0 bridge to docker0 bridge
+brctl addif docker0 br0

provisioning_scripts/route_docker_network.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+BRIDGE_NETWORK=10.10.0.0
+BRIDGE_MASK=255.255.0.0
+
+route add -net $BRIDGE_NETWORK netmask $BRIDGE_MASK dev tep0

ssh_keys/authorized_keys_for_ubuntu

@@ -0,0 +1,2 @@
+ssh-dss AAAAB3NzaC1kc3MAAACBAN/yPl3jQc4MxqjARRRD5WiVOyBnP2QJmBSE0R364GkaUaVmQ6XfCYADaMlmdfedTGbTbLOs13D3cymwQkxROAx5ysJSeh6aWPRJ574wxUtOW51R45PIW6/B5+3u2+rpzBSD4+qekeKq7B2N1MiwLLGoEEOtLa5mSxBRI85AB5bnAAAAFQCOZn1Lo1uUbiknzeVTIdXCNMotAQAAAIAGUXmj6gYM+9nNvclGfLmavbS5l98lr78nNoDo9Do9SQ7e2sC1Jybz3U/vJUERcfsq7VuBZmKYU/bZ+I/cINzF/zTA9V7xJuhrPoOBo7c7Anep8mHLF3cvu9HiTwkef+T7UfE+bozdz/XBQTtHfnxTafzdOH1WL0uxA8IdODlToQAAAIAub9F+OrbTEOvUS+7Y9czdGzoUEpCkGZybE4ZpbdB8EDGRrtDKu3qSkWSfYjftyYOUkYZkYgd89dhSks6EnOeVpwMKjf7dTtucMMzJVDGsc+EPW7DwsFc8ZTsDLruVz5achzYRimRtGCPUvWepnSkVN1umaDky1VOdCE0fME+bPQ== [email protected]
+ssh-dss AAAAB3NzaC1kc3MAAACBALaQcNgQvjq6ByzskVzF/Q4zpCNx96yO9pwD6tlUj5mJs8FNAC5E+asDJNPBL32OX3TTDgFGpHvxd5TuBbNFi4/PbyxuD/Q6BAeOl9iamG8yewdRLh7O5KrXwRZ8zZz3I+OS6MpQ/fpK5hASO8B8R3BcDt3RE4X/cQ77zy4i7lqnAAAAFQDZ+m4EYI/EaKMyeyuBzcgkICbajQAAAIBDD5iMEQNv/HC/B3MBtLZwwYGrvY2VZU8Roqx90il/3A9fpPnZj/bDcqNLzd71cDh99upZdcij/TpYmUo/zFoC8IRtAhfWEyKJlI1uSpOxMpTFAfwkjzwgyINpHIoPZKB4WgMPEej6Twvt5dvUjbtP5Lr3dQLz6ty/SSM9n5B1EgAAAIEArLUtvaKfwmd7Haxi0aaKU+fKHsR8eNpxfqYPKOUzYTYqNv6zd5X3wHlsKO1+HuIQHsGIVic0KPBNB0XtJ2gAdnZDI+xYzRu07+mtOCI0kN2MOZ0hruWvJcQlbXETIkmxhSWHVD4KRkf+GkY4Fvbqb7QJu4xsgNQ14ZAdl+UPUIY= [email protected]