From 46dab60613a37fbfe8eed2e6be79574054db6292 Mon Sep 17 00:00:00 2001 From: Muzi Li Date: Thu, 26 Aug 2021 17:28:31 +0800 Subject: [PATCH] refine config.yaml file (#8) * chore(*): refine config.yaml file and remove nginx push server * chore(*): fix ntp server address typo --- compose.yaml | 4 +- config.yaml | 50 ++++++++++------- config/compose/nginx.conf | 46 ---------------- install.sh | 98 +++++++++++++++------------------ {scripts => library}/common.sh | 99 ++++++++++++++++++++++------------ {scripts => library}/remove.sh | 2 +- library/system.sh | 81 ++++++++++++++++++++++++++++ scripts/bootstrap.sh | 46 ---------------- scripts/system.sh | 94 -------------------------------- 9 files changed, 222 insertions(+), 298 deletions(-) rename {scripts => library}/common.sh (67%) rename {scripts => library}/remove.sh (97%) create mode 100644 library/system.sh delete mode 100644 scripts/bootstrap.sh delete mode 100644 scripts/system.sh diff --git a/compose.yaml b/compose.yaml index 125d740..02dfc5f 100644 --- a/compose.yaml +++ b/compose.yaml @@ -8,13 +8,11 @@ services: restart: always volumes: - ./resources/nginx:/usr/share/nginx - - ./config/compose/auth.htpasswd:/etc/nginx/conf.d/auth.htpasswd - ./config/compose/certs/domain.crt:/etc/nginx/conf.d/domain.crt - ./config/compose/certs/domain.key:/etc/nginx/conf.d/domain.key - ./config/compose/nginx.conf:/etc/nginx/conf.d/default.conf ports: - 443:443 - - 5000:5000 - 8080:8080 registry: @@ -23,3 +21,5 @@ services: restart: always volumes: - ./resources/registry:/var/lib/registry + ports: + - 127.0.0.1:5000:5000 \ No newline at end of file diff --git a/config.yaml b/config.yaml index 8079f80..eaa0048 100644 --- a/config.yaml +++ b/config.yaml 
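Review bot: Publishing the registry on `127.0.0.1:5000` while dropping the `auth.htpasswd` mount leaves image pushes with no authentication, so the loopback bind is now the only control over what enters the registry that the cluster nodes pull from. Any local account or host-network container on the bootstrap node can reach that port. The nginx server that stays on 443 is not visible in this diff; if it proxies `/v2/` to the same backend, confirm that it permits read methods only, for example `limit_except GET HEAD { deny all; }`. A comment above the new `ports:` entry, such as `# push endpoint: loopback only, no auth; do not widen this bind`, would record the assumption for whoever edits the file next.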
@@ -1,21 +1,10 @@ compose: + # Compose bootstrap node ip, default is local internal ip + internal_ip: 172.20.0.25 # Nginx http server bind port for download files and packages nginx_http_port: 8080 - # For container runtime pull image, use 443 as default - registry_https_port: 443 - # For user push image to this registry, use 5000 as default - registry_push_port: 5000 - # Registry host ip for add to /etc/hosts by domain - registry_ip: 172.20.0.25 - # Registry domain for CRI runtime download image + # Registry domain for CRI runtime download images registry_domain: kube.registry.local - # Auto generate self-signed certificate for registry domain - generate_crt: true - # User and password for push image to registry - registry_auth_user: "Username" - registry_auth_password: "Password" - # Registry image repo, default library - image_repo: library kubespray: # Kubernetes version by default, only support v1.20.6 @@ -24,10 +13,6 @@ kubespray: external_apiserver_access_ip: 127.0.0.1 # Set network plugin to calico with vxlan mode by default kube_network_plugin: calico - # Set true to download and cache container - download_container: false - # Use nginx and registry provide all offline resources - offline_resources_enabled: true #Container runtime, only support containerd if offline deploy container_manager: containerd # Now only support host if use containerd as CRI runtime @@ -35,9 +20,8 @@ kubespray: # Settings for etcd event server etcd_events_cluster_setup: true etcd_events_cluster_enabled: true - # Kubespray container image for deploy user cluster - kubespray_image: "" +# Cluster nodes inventory info inventory: all: vars: 
@@ -79,3 +63,29 @@ inventory: hosts: {} calico_rr: hosts: {} + +### Default parameters ### +## This filed not need config, will auto update, +## if no special requirement, do not modify these parameters. +default: + # NTP server ip address or domain, default is internal_ip + ntp_server: + - internal_ip + # Registry ip address, default is internal_ip + registry_ip: internal_ip + # Offline resource url for download files, default is internal_ip:nginx_http_port + offline_resources_url: internal_ip:nginx_http_port + # Use nginx and registry provide all offline resources + offline_resources_enabled: true + # Image repo in registry + image_repository: library + # Kubespray container image for deploy user cluster or scale + kubespray_image: "kubespray" + # Auto generate self-signed certificate for registry domain + generate_domain_crt: true + # For nodes pull image, use 443 as default + registry_https_port: 443 + # For push image to this registry, use 5000 as default, and only bind at 127.0.0.1 + registry_push_port: 5000 + # Set false to disable download all container images on all nodes + download_container: false diff --git a/config/compose/nginx.conf b/config/compose/nginx.conf index 1d331eb..a769c2d 100644 --- a/config/compose/nginx.conf +++ b/config/compose/nginx.conf 
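Review bot: The new `image_repository` key under `default:` does not match the key that library/common.sh reads in this same commit, `yq eval '.default.image_repo'`, so `IMAGE_REPO` will most likely come back as the string `null`. That value is then used in the tag pushed by `common::push_kubespray_image` and in the `kubespray_image` written by `common::load_images`, giving a `<domain>/null/kubespray:<tag>` reference. Either rename the key here to `image_repo` or change the reader to `.default.image_repository`; which one is right depends on what the kubespray side expects from env.yml, which this diff does not show. The section header would also read better as `## These fields are filled in automatically; change them only if you have a special requirement.`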
@@ -75,49 +75,3 @@ server { proxy_read_timeout 900; } } - -# This server listen at 5000 for push image by auth_basic auth -server { - listen 5000 ssl; - listen [::]:5000; - server_name kube.registry.local; - - # SSL - ssl_certificate /etc/nginx/conf.d/domain.crt; - ssl_certificate_key /etc/nginx/conf.d/domain.key; - - # Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html - ssl_protocols TLSv1.1 TLSv1.2; - ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'; - ssl_prefer_server_ciphers on; - ssl_session_cache shared:SSL:10m; - - # disable any limits to avoid HTTP 413 for large image uploads - client_max_body_size 0; - - # required to avoid HTTP 411: see Issue #1486 (https://github.com/moby/moby/issues/1486) - chunked_transfer_encoding on; - - location /v2/ { - # Do not allow connections from docker 1.5 and earlier - # docker pre-1.6.0 did not properly set the user agent on ping, catch "Go *" user agents - if ($http_user_agent ~ "^(docker\/1\.(3|4|5(?!\.[0-9]-dev))|Go ).*$" ) { - return 404; - } - - # To add basic authentication to v2 use auth_basic setting. - auth_basic "Registry realm"; - auth_basic_user_file /etc/nginx/conf.d/auth.htpasswd; - - ## If $docker_distribution_api_version is empty, the header is not added. - ## See the map directive above where this variable is defined. - add_header 'Docker-Distribution-Api-Version' $docker_distribution_api_version always; - - proxy_pass http://docker-registry; - proxy_set_header Host $http_host; # required for docker client's sake - proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_read_timeout 900; - } -} diff --git a/install.sh b/install.sh index e7dc4e8..42703a7 100644 --- a/install.sh +++ b/install.sh 
@@ -2,7 +2,7 @@ INSTALL_TYPE=$1 : ${INSTALL_TYPE:=all} -# Common utilities, variables and checks for all build scripts. +# Common utilities, variables and checks for all scripts. set -o errexit set -o nounset set -o pipefail @@ -12,7 +12,7 @@ USR_BIN_PATH=/usr/local/bin export PATH="${PATH}:${USR_BIN_PATH}" ARCH=$(uname -m | sed 's/x86_64/amd64/;s/aarch64/arm64/') -# Define glob vars +# Define glob variables KUBE_ROOT="$(cd "$(dirname "$0")" && pwd)" CERTS_DIR="${KUBE_ROOT}/config/certs" CONFIG_FILE="${KUBE_ROOT}/config.yaml" @@ -25,10 +25,10 @@ RESOURCES_NGINX_DIR="${KUBE_ROOT}/resources/nginx" KUBESPRAY_CONFIG_DIR="${KUBE_ROOT}/config/kubespray" INSTALL_STEPS_FILE="${KUBESPRAY_CONFIG_DIR}/.install_steps" -# Import all functions from scripts/*.sh -for file in ${KUBE_ROOT}/scripts/*.sh; do source ${file}; done +# Include all functions from library/*.sh +for file in ${KUBE_ROOT}/library/*.sh; do source ${file}; done -# Get os release info +# Gather os-release variables if ! source /etc/os-release; then errorlog "Every system that we officially support has /etc/os-release" exit 1 
@@ -39,63 +39,49 @@ if [ ! -f ${CONFIG_FILE} ]; then exit 1 fi -usage(){ - cat < /dev/null - cp -f linux-amd64/helm ${USR_BIN_PATH}/helm + tar -xf ${helm_tar_file} > /dev/null + cp -f linux-${ARCH}/helm ${USR_BIN_PATH}/helm chmod a+x ${USR_BIN_PATH}/helm - rm -rf linux-amd64 - infolog "helm installed successfully" + rm -rf linux-${ARCH} # Install skopeo cp -f ${RESOURCES_NGINX_DIR}/tools/skopeo-linux-${ARCH} ${USR_BIN_PATH}/skopeo chmod a+x ${USR_BIN_PATH}/skopeo - infolog "skopeo installed successfully" # Install yq cp -f ${RESOURCES_NGINX_DIR}/tools/yq-linux-${ARCH} ${USR_BIN_PATH}/yq chmod a+x ${USR_BIN_PATH}/yq - infolog "yq installed successfully" # Install containerd and buildkit local nerdctl_tar_file=$(find ${RESOURCES_NGINX_DIR}/tools -type f -name "nerdctl-full-*-linux-${ARCH}.tar.gz" | sort -r --version-sort | head -n1) tar -xf ${nerdctl_tar_file} -C /usr/local systemctl enable buildkit containerd systemctl restart buildkit containerd - infolog "containerd and buildkit installed successfully" + infolog "Common tools installed successfully" } common::rudder_config(){ # Gather variables form config.yaml + INTERNAL_IP=$(yq eval '.compose.internal_ip' ${CONFIG_FILE}) + if [[ -z ${INTERNAL_IP} ]]; then + INTERNAL_IP=$(ip r get 1 | sed 's/ uid .*$//' | awk 'NR==1 {print $NF}') + internal_ip=${INTERNAL_IP} yq eval --inplace '.compose.internal_ip = strenv(internal_ip)' ${CONFIG_FILE} + fi + NGINX_HTTP_PORT=$(yq eval '.compose.nginx_http_port' ${CONFIG_FILE}) - REGISTRY_HTTPS_PORT=$(yq eval '.compose.registry_https_port' ${CONFIG_FILE}) - REGISTRY_PUSH_PORT=$(yq eval '.compose.registry_push_port' ${CONFIG_FILE}) - REGISTRY_IP=$(yq eval '.compose.registry_ip' ${CONFIG_FILE}) REGISTRY_DOMAIN=$(yq eval '.compose.registry_domain' ${CONFIG_FILE}) - REGISTRY_AUTH_USER=$(yq eval '.compose.registry_auth_user' ${CONFIG_FILE}) - REGISTRY_AUTH_PASSWORD=$(yq eval '.compose.registry_auth_password' ${CONFIG_FILE}) - GENERATE_CRT=$(yq eval '.compose.generate_crt' 
${CONFIG_FILE}) - IMAGE_REPO=$(yq eval '.compose.image_repo' ${CONFIG_FILE}) - PUSH_REGISTRY="${REGISTRY_DOMAIN}:${REGISTRY_PUSH_PORT}" + NGINX_HTTP_URL="http://${INTERNAL_IP}:${NGINX_HTTP_PORT}" + + IMAGE_REPO=$(yq eval '.default.image_repo' ${CONFIG_FILE}) + GENERATE_DOMAIN_CRT=$(yq eval '.default.generate_domain_crt' ${CONFIG_FILE}) + REGISTRY_HTTPS_PORT=$(yq eval '.default.registry_https_port' ${CONFIG_FILE}) + REGISTRY_PUSH_PORT=$(yq eval '.default.registry_push_port' ${CONFIG_FILE}) + REGISTRY_HTTPS_URL="https://${REGISTRY_DOMAIN}:${REGISTRY_HTTPS_PORT}" + PUSH_REGISTRY="127.0.0.1:${REGISTRY_PUSH_PORT}" + + OFFLINE_RESOURCES_URL=$(yq -e eval '.default.offline_resources_url' ${CONFIG_FILE}) + if [[ "${OFFLINE_RESOURCES_URL}" == "internal_ip:nginx_http_port" ]]; then + OFFLINE_RESOURCES_URL=${NGINX_HTTP_URL} + offline_resources_url=${NGINX_HTTP_URL} yq eval --inplace '.default.offline_resources_url = strenv(offline_resources_url)' ${CONFIG_FILE} + fi + + NTP_SERVER=$(yq -e eval '.default.ntp_server[0]' ${CONFIG_FILE} 2>/dev/null) + if [[ ${NTP_SERVER} == "internal_ip" ]]; then + NTP_SERVER=${INTERNAL_IP} + ntp_server=${INTERNAL_IP} yq eval --inplace '.default.ntp_server[0] = strenv(ntp_server)' ${CONFIG_FILE} + fi + + REGISTRY_IP=$(yq -e eval '.default.registry_ip' ${CONFIG_FILE}) + if [[ ${REGISTRY_IP} == "internal_ip" ]]; then + REGISTRY_IP=${REGISTRY_IP} + registry_ip=${INTERNAL_IP} yq eval --inplace '.default.registry_ip = strenv(registry_ip)' ${CONFIG_FILE} + fi # Update compose.yaml nginx ports filed nginx_http_port="${NGINX_HTTP_PORT}:8080" yq eval --inplace '.services.nginx.ports[0] = strenv(nginx_http_port)' ${COMPOSE_YAML_FILE} registry_https_port="${REGISTRY_HTTPS_PORT}:443" yq eval --inplace '.services.nginx.ports[1] = strenv(registry_https_port)' ${COMPOSE_YAML_FILE} - registry_push_port="${REGISTRY_PUSH_PORT}:5000" yq eval --inplace '.services.nginx.ports[2] = strenv(registry_push_port)' ${COMPOSE_YAML_FILE} + 
registry_push_port="${PUSH_REGISTRY}:5000" yq eval --inplace '.services.registry.ports[0] = strenv(registry_push_port)' ${COMPOSE_YAML_FILE} # Generate kubespray's env.yaml and inventory file - : ${NGINX_HTTP_URL:="http://${REGISTRY_IP}:${NGINX_HTTP_PORT}"} - : ${REGISTRY_HTTPS_URL:="https://${REGISTRY_DOMAIN}:${REGISTRY_HTTPS_PORT}"} - echo "offline_resources_url: ${NGINX_HTTP_URL}" > ${KUBESPRAY_CONFIG_DIR}/env.yml + yq eval '.default' ${CONFIG_FILE} > ${KUBESPRAY_CONFIG_DIR}/env.yml yq eval '.compose' ${CONFIG_FILE} >> ${KUBESPRAY_CONFIG_DIR}/env.yml yq eval '.kubespray' ${CONFIG_FILE} >> ${KUBESPRAY_CONFIG_DIR}/env.yml yq eval '.inventory' ${CONFIG_FILE} > ${KUBESPRAY_CONFIG_DIR}/inventory @@ -83,7 +120,7 @@ common::rudder_config(){ # Generate registry domain cert common::generate_domain_certs(){ - if [[ ${GENERATE_CRT} == "true" ]]; then + if [[ ${GENERATE_DOMAIN_CRT} == "true" ]]; then rm -rf ${CERTS_DIR} ${RESOURCES_NGINX_DIR}/certs mkdir -p ${CERTS_DIR} ${RESOURCES_NGINX_DIR}/certs cp -f ${CA_CONFIGFILE} ${CERTS_DIR} @@ -137,18 +174,14 @@ common::generate_domain_certs(){ fi } -common::generate_auth_htpasswd(){ - htpasswd -cB -b ${COMPOSE_CONFIG_DIR}/auth.htpasswd ${REGISTRY_AUTH_USER} ${REGISTRY_AUTH_PASSWORD} -} - # Add registry domain with ip to /etc/hosts file common::update_hosts(){ sed -i "/${REGISTRY_DOMAIN}/d" /etc/hosts - echo "${REGISTRY_IP} ${REGISTRY_DOMAIN}" >> /etc/hosts + echo "${INTERNAL_IP} ${REGISTRY_DOMAIN}" >> /etc/hosts } # Load all docker archive images -common::local_images(){ +common::load_images(){ local IMAGES=$(find ${IMAGES_DIR} -type f -name '*.tar') for image in ${IMAGES}; do if nerdctl load -i ${image} >/dev/null; then 
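Review bot: In the `registry_ip` branch of `common::rudder_config`, `REGISTRY_IP=${REGISTRY_IP}` assigns the variable to itself, so the shell keeps the literal placeholder `internal_ip` while only config.yaml receives the resolved address. The sibling branches for `NTP_SERVER` and `OFFLINE_RESOURCES_URL` assign the resolved value, and this one should read `REGISTRY_IP=${INTERNAL_IP}`. Separately, the `[[ -z ${INTERNAL_IP} ]]` fallback probably never fires for a missing or empty key, because yq v4 prints the string `null` in that case; `if [[ -z ${INTERNAL_IP} || ${INTERNAL_IP} == "null" ]]; then` would cover it. `INTERNAL_IP` is later written to /etc/hosts by `common::update_hosts`, so an unresolved value there produces a broken entry for the registry domain. The start of this hunk is damaged on the page, so the note covers only the lines visible here.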
@@ -156,8 +189,8 @@ common::local_images(){ fi done : ${KUBESPRAY_IMAGE:=$(nerdctl images | awk '{print $1":"$2}' | grep '^kubespray:*' | sort -r --version-sort | head -n1)} - kubespray_image="${REGISTRY_DOMAIN}/${KUBESPRAY_IMAGE}" yq eval --inplace '.kubespray.kubespray_image = strenv(kubespray_image)' ${CONFIG_FILE} - kubespray_image="${REGISTRY_DOMAIN}/${KUBESPRAY_IMAGE}" yq eval --inplace '.kubespray.kubespray_image = strenv(kubespray_image)' ${KUBESPRAY_CONFIG_DIR}/env.yml + kubespray_image="${REGISTRY_DOMAIN}/${IMAGE_REPO}/${KUBESPRAY_IMAGE}" yq eval --inplace '.default.kubespray_image = strenv(kubespray_image)' ${CONFIG_FILE} + kubespray_image="${REGISTRY_DOMAIN}/${IMAGE_REPO}/${KUBESPRAY_IMAGE}" yq eval --inplace '.kubespray_image = strenv(kubespray_image)' ${KUBESPRAY_CONFIG_DIR}/env.yml } common::compose_up(){ @@ -206,14 +239,12 @@ common::run_kubespray(){ nerdctl rm -f kubespray-runner >/dev/null 2>&1 || true nerdctl run --rm -it --net=host --name kubespray-runner \ -v ${KUBESPRAY_CONFIG_DIR}:/kubespray/config \ - -e KUBESPRAY_IMAGE=${KUBESPRAY_IMAGE} \ ${KUBESPRAY_IMAGE} $1 } # Push kubespray image to registry common::push_kubespray_image(){ : ${KUBESPRAY_IMAGE:=$(nerdctl images | awk '{print $1":"$2}' | grep '^kubespray:*' | sort -r --version-sort | head -n1)} - nerdctl login -u "${REGISTRY_AUTH_USER}" -p "${REGISTRY_AUTH_PASSWORD}" ${PUSH_REGISTRY} nerdctl tag ${KUBESPRAY_IMAGE} ${PUSH_REGISTRY}/${IMAGE_REPO}/${KUBESPRAY_IMAGE} nerdctl push ${PUSH_REGISTRY}/${IMAGE_REPO}/${KUBESPRAY_IMAGE} } diff --git a/scripts/remove.sh b/library/remove.sh similarity index 97% rename from scripts/remove.sh rename to library/remove.sh index fa1074d..9055f7a 100644 --- a/scripts/remove.sh +++ b/library/remove.sh 
@@ -8,7 +8,7 @@ remove::cleanup(){ # Remove registry domain form /etc/hosts sed -i "/${REGISTRY_DOMAIN}/d" /etc/hosts - # Remove binart tools file + # Remove binary tools file rm -f ${USR_BIN_PATH}/{yq,helm,kubectl,skopeo} # Remove registry domain rootCA crt file from ca trust diff --git a/library/system.sh b/library/system.sh new file mode 100644 index 0000000..7eb18e2 --- /dev/null +++ b/library/system.sh 
@@ -0,0 +1,81 @@ +#!/usr/bin/env bash + +DEFAULT_ARCH=amd64 +DEFAULT_URL="http://127.0.0.1:8080" +COMMON_PKGS="curl vim bash-completion rsync ca-certificates chrony wget" + +system::centos::disable_selinux(){ + sed -i 's/SELINUX=enforcing/SELINUX=permissive/g' /etc/selinux/config + setenforce 0 || warnlog "Warning: setenforce 0 failed" + infolog "Disabled selinux service successfully" +} + +system::centos::config_repo(){ + infolog "Updated the yum repo file" + yum clean -q all || true + cp -f ${RESOURCES_NGINX_DIR}/repos/CentOS-7-All-in-One.repo /etc/yum.repos.d/offline-resources.repo + sed -i "s#${DEFAULT_URL}#file://${RESOURCES_NGINX_DIR}#g" /etc/yum.repos.d/offline-resources.repo + if yum makecache -q > /dev/null; then + infolog "Updated the repo file successfully" + fi +} + +system::debian::config_repo(){ + infolog "Update the apt list file" + echo "deb [trusted=yes] file://${RESOURCES_NGINX_DIR}/debian/${ARCH} ${VERSION_CODENAME}/" \ + > /etc/apt/sources.list.d/offline-resources.list + if apt-get update -qq > /dev/null; then + infolog "Updated the repo file successfully" + fi +} + +system::ubuntu::config_repo(){ + infolog "Updated the apt list file" + echo "deb [trusted=yes] file://${RESOURCES_NGINX_DIR}/ubuntu/${ARCH} ${VERSION_CODENAME}/" \ + > /etc/apt/sources.list.d/offline-resources.list + if apt-get update -qq > /dev/null; then + infolog "Updated the repo file successfully" + fi +} + +system::disable_firewalld(){ + if systemctl list-unit-files | grep -q firewalld >/dev/null; then + infolog "Disable firewalld service" + systemctl stop firewalld && systemctl disable firewalld + infolog "Disabled firewalld service successfully" + fi + + if systemctl list-unit-files | grep -q ufw >/dev/null; then + infolog "Disable firewalld service" + systemctl stop ufw && systemctl disable ufw + infolog "Disabled firewalld service successfully" + fi +} + +system::install_pkgs(){ + if command -v yum > /dev/null; then + yum install -q -y libseccomp createrepo ${COMMON_PKGS} 
> /dev/null + elif command -v apt-get > /dev/null; then + apt-get install -qq -y libseccomp2 dpkg-dev ${COMMON_PKGS} > /dev/null + fi +} + +system::install_chrony(){ + infolog "Installing chrony as NTP server" + timedatectl set-ntp true + + CHRONY_CONF_FILE=$(find /etc/chrony* -type f -name 'chrony.conf' | head -n1) + sed -i '/.*iburst$/d' ${CHRONY_CONF_FILE} + sed -i "1 i server ${NTP_SERVER} iburst" ${CHRONY_CONF_FILE} + + # Restart chrony daemon, in redhat is chronyd and debian is chrony + systemctl enable chrony || systemctl enable chronyd + systemctl restart chrony || systemctl restart chronyd + + if chronyc activity -v | grep -q '^200 OK$' ; then + infolog "Chrony server is running." + else + warnlog "Failed to synchronize time with server: ${NTP_SERVER}" + exit 1 + fi +} diff --git a/scripts/bootstrap.sh b/scripts/bootstrap.sh deleted file mode 100644 index 311a76c..0000000 --- a/scripts/bootstrap.sh +++ /dev/null @@ -1,46 +0,0 @@ -#!/usr/bin/env bash - -bootstrap::centos(){ - system::centos::disable_firewalld - system::centos::disable_selinux - system::centos::config_repo - system::centos::install_packages -} - -bootstrap::debian(){ - system::debian::disable_firewalld - system::debian::config_repo - system::debian::install_packages -} - -bootstrap::ubuntu(){ - system::ubuntu::disable_ufw - system::ubuntu::config_repo - system::ubuntu::install_packages -} - -bootstrap(){ - case ${ID} in - Debian|debian) - bootstrap::debian - ;; - CentOS|centos) - bootstrap::centos - ;; - Ubuntu|ubuntu) - bootstrap::ubuntu - ;; - *) - warnlog "Not support system: ${ID}" - usage - ;; - esac - common::install_tools - common::rudder_config - common::update_hosts - common::generate_domain_certs - common::generate_auth_htpasswd - common::local_images - common::compose_up - common::health_check -} diff --git a/scripts/system.sh b/scripts/system.sh deleted file mode 100644 index f3f9339..0000000 --- a/scripts/system.sh +++ /dev/null 
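Review bot: `system::disable_firewalld` tests `systemctl list-unit-files | grep -q firewalld`, and install.sh enables `set -o pipefail`. Because `grep -q` exits at the first match, systemctl can be killed by SIGPIPE, and the pipeline then reports failure and skips the branch even though the unit exists. The deleted version used `grep firewalld >/dev/null`, which reads the whole stream, so keeping that form avoids the race: `if systemctl list-unit-files | grep firewalld >/dev/null; then`. The same pattern appears in `system::install_chrony` at `chronyc activity -v | grep -q '^200 OK$'`, where a false negative ends in `exit 1`. The ufw branch also logs "Disable firewalld service" and should name ufw, so the install log shows which host firewall was turned off.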
@@ -1,94 +0,0 @@ -#!/usr/bin/env bash - -DEFAULT_ARCH=amd64 -DEFAULT_URL="http://127.0.0.1:8080" -COMMON_PKGS="curl vim net-tools bash-completion rsync ca-certificates chrony wget" - -# Install mutiple rpm packages -system::yum_install(){ - if ! yum -q -y install "$@" >/dev/null; then - errorlog " Error: yum install failed on $(hostname):" - exit 1 - fi - infolog "$* package install completed successfully" -} - -# Install mutiple deb packages -system::apt_install(){ - if ! apt-get install -q -y "$@" >/dev/null; then - errorlog " Error: apt install failed on $(hostname):" - errorlog " sudo apt-get -q -y install $*" - exit 1 - fi - infolog "$* package install completed successfully" -} - -system::centos::disable_firewalld(){ - if systemctl list-unit-files | grep firewalld >/dev/null; then - warnlog "Disable firewalld service and selinux" - systemctl stop firewalld && systemctl disable firewalld - infolog "Disabled firewalld service successfully" - fi -} - -system::centos::disable_selinux(){ - sed -i 's/SELINUX=enforcing/SELINUX=permissive/g' /etc/selinux/config - setenforce 0 || warnlog "Warning: setenforce 0 failed" - infolog "Disabled selinux service successfully" -} - -system::centos::config_repo(){ - infolog "Updated the yum repo file" - yum clean -q all || true - cp -f ${RESOURCES_NGINX_DIR}/repos/CentOS-7-All-in-One.repo /etc/yum.repos.d/CentOS-7-All-in-One.repo - sed -i "s#${DEFAULT_URL}#file://${RESOURCES_NGINX_DIR}#g" /etc/yum.repos.d/CentOS-7-All-in-One.repo - if yum makecache -q > /dev/null; then - infolog "Updated the repo file successfully" - fi -} - -system::centos::install_packages(){ - system::yum_install libseccomp createrepo httpd-tools ${COMMON_PKGS} -} - -system::debian::disable_firewalld(){ - if systemctl list-unit-files | grep firewalld >/dev/null; then - infolog "Disable firewalld service" - systemctl stop firewalld && systemctl disable firewalld - infolog "Disabled firewalld service successfully" - fi -} - -system::debian::config_repo(){ - 
infolog "Update the apt list file" - echo "deb [trusted=yes] file://${RESOURCES_NGINX_DIR}/debian/${ARCH} ${VERSION_CODENAME}/" \ - > /etc/apt/sources.list.d/Debian-${VERSION_CODENAME}-All-in-One.list - if apt-get update -qq > /dev/null; then - infolog "Updated the repo file successfully" - fi -} - -system::debian::install_packages(){ - system::apt_install libseccomp2 dpkg-dev apache2-utils ${COMMON_PKGS} -} - -system::ubuntu::disable_ufw(){ - if systemctl list-unit-files | grep ufw >/dev/null; then - infolog "Disable firewalld service" - systemctl stop ufw && systemctl disable ufw - infolog "Disabled firewalld service successfully" - fi -} - -system::ubuntu::config_repo(){ - infolog "Updated the apt list file" - echo "deb [trusted=yes] file://${RESOURCES_NGINX_DIR}/ubuntu/${ARCH} ${VERSION_CODENAME}/" \ - > /etc/apt/sources.list.d/Ubuntu-${VERSION_CODENAME}-All-in-One.list - if apt-get update -qq > /dev/null; then - infolog "Updated the repo file successfully" - fi -} - -system::ubuntu::install_packages(){ - system::apt_install libseccomp2 dpkg-dev apache2-utils ${COMMON_PKGS} -}