Commit c52562f7 authored by eric pellegrini

added config and template files

parent 7c2c7a81
templates:
base-ill: {}
base-ntp:
extends: base-ill
base-autofs:
extends: base-ntp
# visa-all-apps:
# extends: base-autofs
# packages: ['*']
parameters:
base_image: "base-ntp"
vm_name: base-autofs
build_output_directory: builds
ssh_username: root
packer:
description: "Template for ILL + ntp + autofs"
builders:
- name: qemu
type: qemu
vm_name: "{{ parameters.vm_name }}"
boot_command: none
iso_checksum_type: none
iso_checksum_url: none
disk_image: True
iso_url: "./builds/{{ parameters.base_image }}-qemu-base/{{ parameters.base_image }}"
ssh_username: "{{ parameters.ssh_username }}"
ssh_password: "{{ environment.root_password }}"
shutdown_command: "shutdown -P now"
output_directory: "{{ parameters.build_output_directory }}/{{ parameters.vm_name }}-qemu-base"
provisioners:
- type: shell
inline:
[
"apt install -y autofs cifs-utils autofs5 autofs-ldap autofs5-ldap sssd",
]
- type: file
source: system/etc/ssh/sshd_config
destination: /etc/ssh/sshd_config
- type: file
source: system/etc/sssd/sssd.conf
destination: /etc/sssd/sssd.conf
- type: file
source: system/etc/nsswitch.conf
destination: /etc/nsswitch.conf
- type: file
source: system/etc/auto.net
destination: /etc/auto.net
- type: file
source: system/etc/auto.net4
destination: /etc/auto.net4
- type: file
source: system/etc/default/autofs
destination: /etc/default/autofs
- type: file
source: system/etc/ntp.conf
destination: /etc/ntp.conf
- type: shell
inline: ["chmod 600 /etc/sssd/sssd.conf"]
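Review bot: The final shell provisioner sets the mode of sssd.conf but nothing sets the executable bit on /etc/auto.net and /etc/auto.net4, which the scripts themselves say they require (`chmod 755`); I would not rely on the file provisioner preserving mode, so extend the line to `inline: ["chmod 600 /etc/sssd/sssd.conf", "chmod 755 /etc/auto.net /etc/auto.net4"]`. The earlier `apt install -y …` provisioner runs with no preceding `apt-get update` and without `DEBIAN_FRONTEND=noninteractive`, so it can fail on a stale package index or block on a prompt; `apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y …` is the usual form. `disk_image: True` should be the canonical lowercase `true`. `iso_checksum_type: none` skips verification of the base-ntp image this stage consumes; since that image comes from the previous stage in the same builds directory this looks deliberate, but recording its checksum at the end of that stage and checking it here would close the gap.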
#!/bin/bash
# This file must be executable to work! chmod 755!
# Look at what a host is exporting to determine what we can mount.
# This is very simple, but it appears to work surprisingly well
key="$1"
# add "nosymlink" here if you want to suppress symlinking local filesystems
# add "nonstrict" to make it OK for some filesystems to not mount
# choose one of the two lines below depending on the NFS version in your
# environment
opts="-fstype=nfs4,sec=sys,hard,intr,nodev,nosuid,async"
for P in /bin /sbin /usr/bin /usr/sbin
do
for M in showmount kshowmount
do
if [ -x $P/$M ]
then
SMNT=$P/$M
break 2
fi
done
done
[ -x $SMNT ] || exit 1
# Newer distributions get this right
SHOWMOUNT="$SMNT --no-headers -e $key"
$SHOWMOUNT | LC_ALL=C cut -d' ' -f1 | LC_ALL=C sort -u | \
awk -v key="$key" -v opts="$opts" -- '
BEGIN { ORS=""; first=1 }
{ if (first) { print opts; first=0 }; print " \\\n\t" $1, key ":" $1 }
END { if (!first) print "\n"; else exit 1 }
' | sed 's/#/\\#/g'
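Review bot: The guard `[ -x $SMNT ] || exit 1` does not catch the case it is written for: when no showmount binary is found `SMNT` is unset, the test collapses to `[ -x ]`, which is true, and the script goes on to expand `$SHOWMOUNT` and try to run `--no-headers` as a command; use `[ -n "$SMNT" ] && [ -x "$SMNT" ] || exit 1`. `$key` (the host name automount asks about) is likewise expanded unquoted through `$SHOWMOUNT`, so call the binary directly as `"$SMNT" --no-headers -e "$key"` instead of building and word-splitting a command string. The `intr` mount option has been a no-op since kernel 2.6.25 and can be dropped from `opts`. The same text appears verbatim in the next file (auto.net4); the comment in both speaks of choosing between two `opts` lines for different NFS versions but only one is present, so if the second map is meant to differ, the difference is missing.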
#!/bin/bash
# This file must be executable to work! chmod 755!
# Look at what a host is exporting to determine what we can mount.
# This is very simple, but it appears to work surprisingly well
key="$1"
# add "nosymlink" here if you want to suppress symlinking local filesystems
# add "nonstrict" to make it OK for some filesystems to not mount
# choose one of the two lines below depending on the NFS version in your
# environment
opts="-fstype=nfs4,sec=sys,hard,intr,nodev,nosuid,async"
for P in /bin /sbin /usr/bin /usr/sbin
do
for M in showmount kshowmount
do
if [ -x $P/$M ]
then
SMNT=$P/$M
break 2
fi
done
done
[ -x $SMNT ] || exit 1
# Newer distributions get this right
SHOWMOUNT="$SMNT --no-headers -e $key"
$SHOWMOUNT | LC_ALL=C cut -d' ' -f1 | LC_ALL=C sort -u | \
awk -v key="$key" -v opts="$opts" -- '
BEGIN { ORS=""; first=1 }
{ if (first) { print opts; first=0 }; print " \\\n\t" $1, key ":" $1 }
END { if (!first) print "\n"; else exit 1 }
' | sed 's/#/\\#/g'
#
# Define default options for autofs.
#
# MASTER_MAP_NAME - default map name for the master map.
#
#MASTER_MAP_NAME="/etc/auto.master"
MASTER_MAP_NAME="ldap:ou=auto.master,ou=automount,ou=system,dc=ill,dc=fr"
#
# TIMEOUT - set the default mount timeout (default 600).
#
TIMEOUT=300
#
# NEGATIVE_TIMEOUT - set the default negative timeout for
# failed mount attempts (default 60).
#
#NEGATIVE_TIMEOUT=60
#
# MOUNT_WAIT - time to wait for a response from mount(8).
# Setting this timeout can cause problems when
# mount would otherwise wait for a server that
# is temporarily unavailable, such as when it's
# restarting. The defailt of waiting for mount(8)
# usually results in a wait of around 3 minutes.
#
#MOUNT_WAIT=-1
#
# UMOUNT_WAIT - time to wait for a response from umount(8).
#
#UMOUNT_WAIT=12
#
# BROWSE_MODE - maps are browsable by default.
#
BROWSE_MODE="no"
#
# MOUNT_NFS_DEFAULT_PROTOCOL - specify the default protocol used by
# mount.nfs(8). Since we can't identify
# the default automatically we need to
# set it in our configuration.
#
#MOUNT_NFS_DEFAULT_PROTOCOL=3
#
# APPEND_OPTIONS - append to global options instead of replace.
#
#APPEND_OPTIONS="yes"
#
# LOGGING - set default log level "none", "verbose" or "debug"
#
LOGGING="verbose"
#
# Define server URIs
#
# LDAP_URI - space seperated list of server uris of the form
# <proto>://<server>[/] where <proto> can be ldap
# or ldaps. The option can be given multiple times.
# Map entries that include a server name override
# this option.
#
# This configuration option can also be used to
# request autofs lookup SRV RRs for a domain of
# the form <proto>:///[<domain dn>]. Note that a
# trailing "/" is not allowed when using this form.
# If the domain dn is not specified the dns domain
# name (if any) is used to construct the domain dn
# for the SRV RR lookup. The server list returned
# from an SRV RR lookup is refreshed according to
# the minimum ttl found in the SRV RR records or
# after one hour, whichever is less.
#
LDAP_URI="ldap://ldap.ill.fr"
#
# LDAP__TIMEOUT - timeout value for the synchronous API calls
# (default is LDAP library default).
#
#LDAP_TIMEOUT=-1
#
# LDAP_NETWORK_TIMEOUT - set the network response timeout (default 8).
#
#LDAP_NETWORK_TIMEOUT=8
#
# Define base dn for map dn lookup.
#
# SEARCH_BASE - base dn to use for searching for map search dn.
# Multiple entries can be given and they are checked
# in the order they occur here.
#
SEARCH_BASE="ou=automount,ou=system,dc=ill,dc=fr"
#
# Define the LDAP schema to used for lookups
#
# If no schema is set autofs will check each of the schemas
# below in the order given to try and locate an appropriate
# basdn for lookups. If you want to minimize the number of
# queries to the server set the values here.
#
#MAP_OBJECT_CLASS="nisMap"
#ENTRY_OBJECT_CLASS="nisObject"
#MAP_ATTRIBUTE="nisMapName"
#ENTRY_ATTRIBUTE="cn"
#VALUE_ATTRIBUTE="nisMapEntry"
#
# Other common LDAP nameing
#
#MAP_OBJECT_CLASS="automountMap"
#ENTRY_OBJECT_CLASS="automount"
#MAP_ATTRIBUTE="ou"
#ENTRY_ATTRIBUTE="cn"
#VALUE_ATTRIBUTE="automountInformation"
#
#MAP_OBJECT_CLASS="automountMap"
#ENTRY_OBJECT_CLASS="automount"
#MAP_ATTRIBUTE="automountMapName"
#ENTRY_ATTRIBUTE="automountKey"
#VALUE_ATTRIBUTE="automountInformation"
MAP_OBJECT_CLASS="automountMap"
ENTRY_OBJECT_CLASS="automount"
MAP_ATTRIBUTE="ou"
ENTRY_ATTRIBUTE="cn"
VALUE_ATTRIBUTE="automountInformation"
#
# AUTH_CONF_FILE - set the default location for the SASL
# authentication configuration file.
#
AUTH_CONF_FILE="/etc/autofs_ldap_auth.conf"
#
# MAP_HASH_TABLE_SIZE - set the map cache hash table size.
# Should be a power of 2 with a ratio roughly
# between 1:10 and 1:20 for each map.
#
#MAP_HASH_TABLE_SIZE=1024
#
# General global options
#
OPTIONS=""
#
\ No newline at end of file
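Review bot: `LDAP_URI="ldap://ldap.ill.fr"` fetches the automount master map and its entries over plaintext LDAP, while sssd.conf in the same commit reaches the same server over `ldaps://`; the automount maps decide what gets mounted where and with which options, so an on-path attacker able to alter replies can redirect mounts. Use `LDAP_URI="ldaps://ldap.ill.fr"` (or configure TLS in the file named by `AUTH_CONF_FILE`) so both consumers use the same transport. Because `MASTER_MAP_NAME` points at an LDAP map, the commented-out `/etc/auto.master` default is never consulted; a short comment above `MASTER_MAP_NAME` noting that the ou=auto.master entry is presumably what references /etc/auto.net would help the next reader, since nothing else here ties the two together. The file also lacks a trailing newline.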
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: compat sss
group: compat sss
shadow: compat sss
gshadow: files
hosts: files mdns4_minimal [NOTFOUND=return] dns myhostname
networks: files
protocols: db files
services: db files sss
ethers: db files
rpc: db files
netgroup: nis sss
sudoers: files sss
automount ldap
\ No newline at end of file
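Review bot: `automount ldap` on the last line is missing the colon every other entry has, so it is not parsed as the `automount` database and autofs falls back to its built-in default for nested-map lookups; write `automount: ldap` (or `automount: files ldap` if local maps are also used). `netgroup: nis sss` lists `nis` first although nothing else in this commit configures NIS, so every netgroup lookup may be delayed by a NIS attempt before sssd is asked; if NIS is really not in use, `netgroup: sss` avoids that. The file also lacks a trailing newline.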
# $OpenBSD: sshd_config,v 1.101 2017/03/14 07:19:07 djm Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key
# Ciphers and keying
#RekeyLimit default none
# Logging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
PubkeyAuthentication yes
# Expect .ssh/authorized_keys2 to be disregarded by default in future.
#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
#PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner none
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
# override default of no subsystems
Subsystem sftp /usr/lib/openssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server
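Review bot: `PermitRootLogin yes` together with `PasswordAuthentication yes` is baked into the image's sshd_config; the build needs password root SSH for Packer (`ssh_username: root` in the template), but these lines ship unchanged into every VM derived from this base. Add a comment above `PermitRootLogin yes` stating that it exists for the Packer build and is expected to be tightened by the consumer, or have a final provisioner switch to `PermitRootLogin prohibit-password` and `PasswordAuthentication no` once keys are in place; `prohibit-password` is the current name for the `without-password` value mentioned in the PAM comment above `UsePAM`. `X11Forwarding yes` is unusual for a headless server image and widens the sshd surface; leave it at the default unless a consumer needs it.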
[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
entry_cache_timeout = 300
entry_cache_nowait_percentage = 75
entry_negative_timeout = 0
[pam]
reconnection_retries = 3
debug-level = 5
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = ILL
[domain/ILL]
debug_level = 0
# Providers
id_provider = ldap
access_provider = ldap
auth_provider = ldap
# LDAP settings
ldap_schema = rfc2307
ldap_uri = ldaps://ldap.ill.fr
ldap_search_base = dc=ill,dc=fr
ldap_user_search_base = ou=illaccount,dc=ill,dc=fr
ldap_user_object_class = posixAccount
ldap_access_order = filter
ldap_access_filter = (ILLHost=unix)
ldap_group_search_base = ou=Group,dc=ill,dc=fr
ldap_group_member = memberUid
ldap_group_object_class = posixGroup
ldap_group_name = cn
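Review bot: `[pam]` uses `debug-level = 5` while `[domain/ILL]` uses `debug_level = 0`; the option documented in sssd.conf(5) is `debug_level`, and whether the hyphenated spelling is still accepted depends on the sssd version, so spell it `debug_level` in both sections (and level 5 in [pam] is a lot of logging for a base image). `ldap_uri = ldaps://ldap.ill.fr` without `ldap_tls_cacert` or `ldap_tls_reqcert` relies on the server certificate chaining to a CA already in the system store; if the ILL directory uses an internal CA this fails closed, and either way the intent is clearer as `ldap_tls_reqcert = demand` plus `ldap_tls_cacert = <path-to-ILL-CA-bundle>`. `entry_negative_timeout = 0` disables negative caching, so every lookup of a non-existent user or group goes to LDAP; that is a deliberate trade-off worth a one-line comment, since the default is 15 seconds.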
# Localisation configuration
d-i debian-installer/locale string en_US
d-i debian-installer/language string en
d-i debian-installer/country string US
openssh-server openssh-server/permit-root-login boolean true
# Mirror configuration
#d-i mirror/http/proxy string http://193.49.43.123:8888/
d-i mirror/country string manual
d-i mirror/http/hostname string fr.archive.ubuntu.com
d-i mirror/http/directory string /ubuntu
# Time andclock configuration
d-i clock-setup/utc boolean true
d-i time/zone string Europe/Paris
d-i clock-setup/ntp boolean false
# Console setup
d-i console-setup/ask_detect boolean false
# Keyboard configuraton
d-i keyboard-configuration/xkb-keymap select us
d-i keyboard-configuration/layoutcode string us
d-i keyboard-configuration/layout string USA
d-i keyboard-configuration/variant string USA
# Bootloader configuration
d-i grub-installer/only_debian boolean true
d-i grub-installer/with_other_os boolean true
# Partitioning configuration
d-i partman-auto/disk string /dev/vda
d-i partman-auto/method string regular
d-i partman/alignment select cylinder
d-i partman-lvm/device_remove_lvm boolean true
d-i partman-md/device_remove_md boolean true
d-i partman-lvm/confirm boolean true
d-i partman/mount_style select label
d-i partman-partitioning/confirm_write_new_label boolean true
d-i partman/choose_partition select finish
d-i partman/confirm boolean true
d-i partman/confirm_nooverwrite boolean true
# Individual additional packages to install
tasksel tasksel/first multiselect ubuntu-server
d-i pkgsel/include string ca-certificates openssh-server cryptsetup build-essential libssl-dev libreadline-dev zlib1g-dev linux-source dkms cloud-init
d-i pkgsel/install-language-support boolean false
d-i pkgsel/update-policy select unattended-upgrades
d-i pkgsel/upgrade select full-upgrade
# Create ubuntu user account and allow root login
d-i passwd/root-login boolean true
d-i passwd/make-user boolean false
d-i user-setup/allow-password-weak boolean true
d-i finish-install/reboot_in_progress note
d-i preseed/late_command string \
in-target /bin/sed -i 's/^#PermitRootLogin.*/PermitRootLogin yes/g' /etc/ssh/sshd_config; \
in-target /bin/sed -i 's/^#PasswordAuthentication.*/PasswordAuthentication yes/g' /etc/ssh/sshd_config; \
in-target update-initramfs -u
# Verbose output and no boot splash screen.
d-i debian-installer/quiet boolean false
d-i debian-installer/splash boolean false
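Review bot: `d-i user-setup/allow-password-weak boolean true` together with `passwd/root-login boolean true` makes the installer accept whatever root password it is given, and since that password arrives from the build environment it is never checked anywhere else; if the environment-supplied root password is meant to be strong, drop this line so a weak one fails the build rather than producing a weak image. `d-i clock-setup/ntp boolean false` disables NTP setup while the boot command in the next file passes `clock-setup/ntp-server=…`; one of the two is redundant, and a comment above the `clock-setup` lines saying NTP is deferred to the base-ntp template would explain the choice. `d-i partman/alignment select cylinder` is the legacy alignment and can misalign partitions on 4K-sector or virtual disks; `d-i partman/alignment select optimal` is the value to use.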
parameters:
vm_name: base-ill
proxy: http://proxy.ill.fr:8888
no_proxy: localhost,127.0.0.1,apt.ill.fr,*.ill.eu,*.ill.fr
dns_servers: 195.83.126.2 195.83.126.11
gateway: 192.168.180.254
cpus: 2
memory: 4096
disk_size: 40000
ubuntu_mirror: http://archive.ubuntu.com/ubuntu/dists
ubuntu_codename: bionic
ubuntu_docker_image: ubuntu:18.04
preseed_file_name: preseed-base-ill.cfg
ssh_username: root
user: si-admin
user_fullname: si-admin
headless: false
build_output_directory: builds
packer:
description: "Base template for ILL"
variables: {}
builders:
- name: qemu
type: qemu
vm_name: "{{ parameters.vm_name }}"
format: qcow2
iso_checksum_type: sha256
iso_checksum_url: "{{ parameters.ubuntu_mirror }}/{{ parameters.ubuntu_codename }}-updates/main/installer-amd64/current/images/SHA256SUMS"
iso_url: "{{ parameters.ubuntu_mirror }}/{{ parameters.ubuntu_codename }}-updates/main/installer-amd64/current/images/netboot/mini.iso"
ssh_username: "{{ parameters.ssh_username }}"
ssh_password: "{{ environment.root_password }}"
ssh_wait_timeout: 60m
accelerator: kvm
headless: "{{ parameters.headless }}"
output_directory: "{{ parameters.build_output_directory }}"
shutdown_command: "shutdown -P now"
qemuargs:
- - "-m"
- "{{ parameters.memory }}"
- - "-smp"
- "{{ parameters.cpus }}"
boot_wait: 5s
boot_command:
- "<tab> "
- "preseed/url=http://{% raw %}{{ .HTTPIP }}:{{ .HTTPPort }}{% endraw %}/{{ parameters.preseed_file_name }} "
- "auto-install/enable=true "
- "net.ifnames=0 "
- "netcfg/get_hostname={{ parameters.vm_name }} "
- "netcfg/get_gateway={{ parameters.gateway}} "
- "netcfg/get_nameservers={{ parameters.dns_servers }} "
- "netcfg/hostname={{ parameters.vm_name }} "
- "mirror/http/proxy={{ parameters.proxy}} "
- "clock-setup/ntp-server={{ parameters.ntp_servers }} "
- "passwd/user-fullname={{ parameters.user }} "
- "passwd/username={{ parameters.user_fullname }} "
- "passwd/user-password= {{ environment.user_password }} "
- "passwd/user-password-again= {{ environment.user_password }} "
- "passwd/root-password={{ environment.root_password }} "
- "passwd/root-password-again={{ environment.root_password }} "
- "no_proxy={% raw %}{{ .HTTPIP }}{% endraw %},{{ parameters.no_proxy }} "
- "<enter>"
disk_size: "{{ parameters.disk_size }}"
http_directory: "http"
provisioners:
- type: file
source: "system/etc/apt/sources.list_{{ parameters.ubuntu_codename }}"