x
/
osops-tools-contrib
Code Issues Proposed changes

Merge "initial commit of deis"

This commit is contained in:
Jenkins 2016-01-19 18:03:31 +00:00 committed by Gerrit Code Review
parent b40a754b1e c3a21dfab4
commit a9e0c26fc3
7 changed files with 744 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
terraform/deis-coreos/.gitignore vendored Normal file
View File

@ -0,0 +1,4 @@
*.tfstate
*.tfstate.backup
files/discovery_url
*.override

14
terraform/deis-coreos/LICENSE Normal file
View File

@ -0,0 +1,14 @@
Copyright 2013, 2014 Engine Yard, Inc.
Copyright 2016 Paul Czarkowski
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

235
terraform/deis-coreos/README.md Normal file
View File

@ -0,0 +1,235 @@
# DEIS on Openstack with Terraform
Provision a DEIS cluster with [Terraform](https://www.terraform.io) on
Openstack.
## Status
This will install a DEIS cluster on an Openstack Cloud. It is tested on a
OpenStack Cloud provided by [BlueBox](https://www.blueboxcloud.com/) and
should work on most modern installs of OpenStack that support the basic
services.
## Requirements
- [Install Terraform](https://www.terraform.io/intro/getting-started/install.html)
- [Install DEIS CLI](http://docs.deis.io/en/latest/using_deis/install-client/)
- ]Upload a CoreOS](https://coreos.com/os/docs/latest/booting-on-openstack.html) image to glance and remember the image name.
## Terraform
Terraform will be used to provision all of the OpenStack resources required to
run Docker Swarm. It is also used to deploy and provision the software
requirements.
### Prep
#### OpenStack
Ensure your OpenStack credentials are loaded in environment variables. This is
how I do it:
```
$ source ~/.stackrc
```
You will need two networks before installing, an internal network and
an external (floating IP Pool) network. The internet network can be shared as
we use security groups to provide network segregation. Due to the many
differences between OpenStack installs the Terraform does not attempt to create
these for you.
By default Terraform will expect that your networks are called `internal` and
`external`. You can change this by altering the Terraform variables `network_name` and `floatingip_pool`.
You can also change the number of instances `cluster_size` (default `3`); the
path to your public key `public_key_path` (default `~/.ssh/id_rsa.pub`); and
the flavor `flavor` to use (default `m1.medium`).
All OpenStack resources will use the Terraform variable `cluster_name` (
default `example`) in their name to make it easier to track. For example the
first compute resource will be named `example-deis-1`.
#### Terraform
Ensure your local ssh-agent is running and your ssh key has been added. This
step is required by the terraform provisioner:
```
$ eval $(ssh-agent -s)
$ ssh-add ~/.ssh/id_rsa
```
Ensure that you have your Openstack credentials loaded into Terraform
environment variables. Likely via a command similar to:
```
$ export TF_VAR_username=${OS_USERNAME}
$ export TF_VAR_password=${OS_PASSWORD}
$ export TF_VAR_tenant=${OS_TENANT_NAME}
$ export TF_VAR_auth_url=${OS_AUTH_URL}
```
Terraform expects an SSH keypair to exist `keys/deis` and `keys/deis.pub`
which it will upload to the instances so they can communicate with eachother
over SSH, if this keypair doesn't exist it will attempt to create them.
Terraform will attempt to fetch a _Discovery URL_ for etcd. If you want to
provide your own write it to the text file `files/discovery_url` and set the
Terraform variable `generate_discovery_url` to `0`.
You can also change the version of DEIS to install by setting `deisctl_version`
and you can set `deis_domain` if you have a custom URL (otherwise it will use
`.xip.io`).
# Provision a Deis Cluster on OpenStack
With all our variables set we can go ahead and provision our cluster adding any
extra variables you wish to pass through like this:
_The steps that install and start deis can take quite some time, be patient._
```
$ terraform apply \
-var "image=coreos-alpha-884-0-0"
...
...
Apply complete! Resources: 12 added, 0 changed, 0 destroyed.
The state of your infrastructure has been saved to the path
below. This state is required to modify and destroy your
infrastructure, so keep it safe. To inspect the complete state
use the `terraform show` command.
State path: terraform.tfstate
Outputs:
msg = Your hosts are ready to go! Continue following the documentation to install and start Deis. Your hosts are: x.x.x.x, y.y.y.y, z.z.z.z
register = Run the following to register your first [admin] user: $ deis register http://deis.x.x.x.x.xip.io
```
# Create first user and deploy a demonstration app:
Create admin user:
```
$ deis register http://deis.x.x.x.x.xip.io
username: admin
password:
password (confirm):
email: admin@example.com
Registered admin
upgrading.
Logged in as admin
```
Upload a SSH key:
```
$ deis keys:add ~/.ssh/id_rsa.pub
Uploading id_rsa.pub to deis... done
```
Deploy an example application:
```
$ git clone https://github.com/deis/example-python-flask.git
$ cd example-python-flask
$ deis create
Creating Application... o..done, created hungry-knapsack
$ git push deis master
Counting objects: 98, done.
Delta compression using up to 8 threads.
Compressing objects: 100% (88/88), done.
Writing objects: 100% (98/98), 22.55 KiB | 0 bytes/s, done.
Total 98 (delta 38), reused 0 (delta 0)
-----> Python app detected
-----> Installing runtime (python-2.7.10)
-----> Installing dependencies with pip
...
-----> Discovering process types
-----> Compiled slug size is 37M
-----> Building Docker image
remote: Sending build context to Docker daemon 38.33 MB
...
Step 1 : ENV GIT_SHA 774eded22b5bab907c89a29b100ccc7f2423b729
---> Running in 75274e449a86
---> 3ec06b68ed87
Removing intermediate container 75274e449a86
Successfully built 3ec06b68ed87
-----> Pushing image to private registry
-----> Launching...
done, hungry-knapsack:v2 deployed to Deis
http://hungry-knapsack.x.x.x.x.xip.io
To learn more, use `deis help` or visit http://deis.io
To ssh://git@deis.x.x.x.x.xip.io:2222/hungry-knapsack.git
* [new branch] master -> master
```
Test that it works:
```
$ curl http://hungry-knapsack.x.x.x.x.xip.io/
Powered by Deis
```
Scale it up:
```
$ deis scale web=3
Scaling processes... but first, coffee!
..o
=== hungry-knapsack Processes
--- web:
web.1 up (v2)
web.2 up (v2)
web.3 up (v2)
$ curl http://hungry-knapsack.x.x.x.x.xip.io/
Powered by Deis
```
Configure it:
```
$ deis config:set POWERED_BY=OpenStack
Creating config... ..o
done, v3
=== hungry-knapsack Config
POWERED_BY OpenStack
$ curl http://hungry-knapsack.x.x.x.x.xip.io/
Powered by OpenStack
```
Destroy it:
```
$ deis destroy
! WARNING: Potentially Destructive Action
! This command will destroy the application: hungry-knapsack
! To proceed, type "hungry-knapsack" or re-run this command with --confirm=hungry-knapsack
> hungry-knapsack
Destroying hungry-knapsack...
done in 3s
Git remote deis removed
```
# clean up:
```
$ terraform destroy
Do you really want to destroy?
Terraform will delete all your managed infrastructure.
There is no undo. Only 'yes' will be accepted to confirm.
Enter a value: yes
...
...
Apply complete! Resources: 0 added, 0 changed, 12 destroyed.
```

145
terraform/deis-coreos/deis.tf Normal file
View File

@ -0,0 +1,145 @@
resource "null_resource" "discovery_url" {
count = "${var.generate_discovery_url}"
provisioner "local-exec" {
command = "curl -s 'https://discovery.etcd.io/new?size=${var.cluster_size}' > files/discovery_url"
}
}
resource "null_resource" "update_cloud_init" {
provisioner "local-exec" {
command = "sed -i \"s|^ discovery:.*$| discovery: $(cat files/discovery_url)|\" files/cloud-init"
}
depends_on = [
"null_resource.discovery_url"
]
}
resource "null_resource" "generate_ssh_keys" {
provisioner "local-exec" {
command = "if [ ! -e keys/${var.deis_keyname} ]; then ssh-keygen -f keys/${var.deis_keyname} -P ''; fi"
}
}
resource "openstack_networking_floatingip_v2" "deis" {
count = "${var.cluster_size}"
pool = "${var.floatingip_pool}"
}
resource "openstack_compute_keypair_v2" "deis" {
name = "${var.cluster_name}-deis"
public_key = "${file(var.public_key_path)}"
}
resource "openstack_compute_secgroup_v2" "deis" {
name = "${var.cluster_name}-deis"
description = "Deis Security Group"
rule {
ip_protocol = "tcp"
from_port = "22"
to_port = "22"
cidr = "0.0.0.0/0"
}
rule {
ip_protocol = "tcp"
from_port = "2222"
to_port = "2222"
cidr = "0.0.0.0/0"
}
rule {
ip_protocol = "tcp"
from_port = "80"
to_port = "80"
cidr = "0.0.0.0/0"
}
rule {
ip_protocol = "icmp"
from_port = "-1"
to_port = "-1"
cidr = "0.0.0.0/0"
}
rule {
ip_protocol = "icmp"
from_port = "-1"
to_port = "-1"
self = true
}
rule {
ip_protocol = "tcp"
from_port = "1"
to_port = "65535"
self = true
}
rule {
ip_protocol = "udp"
from_port = "1"
to_port = "65535"
self = true
}
}
resource "openstack_compute_instance_v2" "deis" {
name = "${var.cluster_name}-deis-${count.index+1}"
count = "${var.cluster_size}"
image_name = "${var.image}"
flavor_id = "${var.flavor}"
key_pair = "${openstack_compute_keypair_v2.deis.name}"
user_data = "${file("files/cloud-init")}"
network {
name = "${var.network_name}"
}
security_groups = [ "${openstack_compute_secgroup_v2.deis.name}" ]
floating_ip = "${element(openstack_networking_floatingip_v2.deis.*.address, count.index)}"
provisioner "file" {
source = "keys/"
destination = "/home/core/.ssh/"
connection {
user = "core"
}
}
provisioner "remote-exec" {
inline = [
"chown core:core /home/core/.ssh/${var.deis_keyname}*",
"chmod 0600 /home/core/.ssh/${var.deis_keyname}",
"cat /home/core/.ssh/${var.deis_keyname}.pub >> /home/core/.ssh/authorized_keys",
]
connection {
user = "core"
}
}
depends_on = [
"null_resource.update_cloud_init",
"null_resource.generate_ssh_keys"
]
}
resource "null_resource" "install_deis" {
provisioner "remote-exec" {
inline = [
"sudo mkdir -p /opt/bin",
"if [[ ! -e /opt/bin/deictl ]]; then curl -sSL http://deis.io/deisctl/install.sh | sudo sh -s ${var.deisctl_version}; fi",
"export DOMAIN=${var.deis_domain}",
"if [[ -z $DOMAIN ]]; then export DOMAIN=${openstack_networking_floatingip_v2.deis.0.address}.xip.io; fi",
"/opt/bin/deisctl config platform set domain=$DOMAIN",
"/opt/bin/deisctl config platform set sshPrivateKey=/home/core/.ssh/${var.deis_keyname}",
"/opt/bin/deisctl install platform",
"/opt/bin/deisctl start platform",
]
connection {
user = "core"
host = "${openstack_networking_floatingip_v2.deis.0.address}"
}
}
depends_on = [
"openstack_compute_instance_v2.deis",
]
}
output "msg" {
value = "Your hosts are ready to go! Continue following the documentation to install and start Deis. Your hosts are: ${join(", ", openstack_networking_floatingip_v2.deis.*.address )}"
}
output "register" {
value = "Run the following to register your first [admin] user: $ deis register http://deis.${openstack_networking_floatingip_v2.deis.0.address}.xip.io"
}

279
terraform/deis-coreos/files/cloud-init Normal file
View File

@ -0,0 +1,279 @@
#cloud-config
coreos:
etcd2:
# generate a new token for each unique cluster from https://discovery.etcd.io/new
discovery: https://discovery.etcd.io/f492560139d27c040399c5b1e0ef8440
# multi-region and multi-cloud deployments need to use $public_ipv4
advertise-client-urls: http://$private_ipv4:2379
initial-advertise-peer-urls: http://$private_ipv4:2380
# listen on both the official ports and the legacy ports
# legacy ports can be omitted if your application doesn't depend on them
listen-client-urls: http://0.0.0.0:2379,http://0.0.0.0:4001
listen-peer-urls: http://$private_ipv4:2380,http://$private_ipv4:7001
data-dir: /var/lib/etcd2
fleet:
public-ip: $private_ipv4
metadata: controlPlane=true,dataPlane=true,routerMesh=true
update:
reboot-strategy: "off"
units:
- name: etcd.service
mask: true
- name: etcd2.service
command: start
- name: fleet.service
command: start
- name: docker-tcp.socket
command: start
enable: true
content: |
[Unit]
Description=Docker Socket for the API
[Socket]
ListenStream=2375
Service=docker.service
BindIPv6Only=both
[Install]
WantedBy=sockets.target
- name: update-engine.service
command: stop
enable: false
- name: docker.service
drop-ins:
- name: 10-require-flannel.conf
content: |
[Unit]
Requires=flanneld.service
After=flanneld.service
- name: 50-insecure-registry.conf
content: |
[Service]
Environment="DOCKER_OPTS=--insecure-registry 10.0.0.0/8 --insecure-registry 172.16.0.0/12 --insecure-registry 192.168.0.0/16 --insecure-registry 100.64.0.0/10"
- name: flanneld.service
command: start
drop-ins:
- name: 50-network-config.conf
content: |
[Service]
ExecStartPre=-/usr/bin/etcdctl mk /coreos.com/network/config '{"Network": "10.244.0.0/16", "SubnetLen": 24, "SubnetMin": "10.244.0.0", "Backend": {"Type": "vxlan"}}'
- name: graceful-deis-shutdown.service
content: |
[Unit]
Description=Clean up
DefaultDependencies=no
After=fleet.service etcd2.service docker.service docker.socket deis-store-admin.service deis-store-daemon.service deis-store-volume.service deis-store-monitor.service
Requires=fleet.service etcd2.service deis-store-admin.service deis-store-daemon.service deis-store-volume.service docker.service docker.socket deis-store-monitor.service
[Install]
WantedBy=shutdown.target halt.target reboot.target
[Service]
ExecStop=/opt/bin/graceful-shutdown.sh --really
Type=oneshot
TimeoutSec=1200
RemainAfterExit=yes
- name: install-deisctl.service
command: start
content: |
[Unit]
Description=Install deisctl utility
ConditionPathExists=!/opt/bin/deisctl
[Service]
Type=oneshot
ExecStart=/usr/bin/sh -c 'curl -sSL --retry 5 --retry-delay 2 http://deis.io/deisctl/install.sh | sh -s 1.12.2'
- name: increase-nf_conntrack-connections.service
command: start
content: |
[Unit]
Description=Increase the number of connections in nf_conntrack. default is 65536
[Service]
Type=oneshot
ExecStartPre=/usr/sbin/modprobe nf_conntrack
ExecStart=/bin/sh -c "sysctl -w net.netfilter.nf_conntrack_max=262144"
write_files:
- path: /etc/deis-release
content: |
DEIS_RELEASE=v1.12.2
- path: /etc/motd
content: " \e[31m* * \e[34m* \e[32m***** \e[39mddddd eeeeeee iiiiiii ssss\n\e[31m* * \e[34m* * \e[32m* * \e[39md d e e i s s\n \e[31m* * \e[34m***** \e[32m***** \e[39md d e i s\n\e[32m***** \e[31m* * \e[34m* \e[39md d e i s\n\e[32m* * \e[31m* * \e[34m* * \e[39md d eee i sss\n\e[32m***** \e[31m* * \e[34m***** \e[39md d e i s\n \e[34m* \e[32m***** \e[31m* * \e[39md d e i s\n \e[34m* * \e[32m* * \e[31m* * \e[39md d e e i s s\n\e[34m***** \e[32m***** \e[31m* * \e[39mddddd eeeeeee iiiiiii ssss\n\n\e[39mWelcome to Deis\t\t\tPowered by Core\e[38;5;45mO\e[38;5;206mS\e[39m\n"
- path: /etc/profile.d/nse-function.sh
permissions: '0755'
content: |
function nse() {
docker exec -it $1 bash
}
- path: /run/deis/bin/get_image
permissions: '0755'
content: |
#!/usr/bin/env bash
# usage: get_image <component_path>
IMAGE=`etcdctl get $1/image 2>/dev/null`
# if no image was set in etcd, we use the default plus the release string
if [ $? -ne 0 ]; then
RELEASE=`etcdctl get /deis/platform/version 2>/dev/null`
# if no release was set in etcd, use the default provisioned with the server
if [ $? -ne 0 ]; then
source /etc/deis-release
RELEASE=$DEIS_RELEASE
fi
IMAGE=$1:$RELEASE
fi
# remove leading slash
echo ${IMAGE#/}
- path: /run/deis/bin/preseed
permissions: '0755'
content: |
#!/usr/bin/env bash
COMPONENTS=(builder controller database logger logspout publisher registry router store-daemon store-gateway store-metadata store-monitor)
for c in "${COMPONENTS[@]}"; do
image=`/run/deis/bin/get_image /deis/$c`
docker history $image >/dev/null 2>&1 || docker pull $image
done
- path: /opt/bin/deis-debug-logs
permissions: '0755'
content: |
#!/usr/bin/env bash
echo '--- VERSIONS ---'
source /etc/os-release
echo $PRETTY_NAME
source /etc/deis-release
echo "Deis $DEIS_RELEASE"
etcd2 -version | head -n1
fleet -version
printf "\n"
echo '--- SYSTEM STATUS ---'
journalctl -n 50 -u etcd --no-pager
journalctl -n 50 -u fleet --no-pager
printf "\n"
echo '--- DEIS STATUS ---'
deisctl list
etcdctl ls --recursive /deis
printf "\n"
- path: /home/core/.toolboxrc
owner: core
content: |
TOOLBOX_DOCKER_IMAGE=alpine
TOOLBOX_DOCKER_TAG=3.1
TOOLBOX_USER=root
- path: /etc/environment_proxy
owner: core
content: |
HTTP_PROXY=
HTTPS_PROXY=
ALL_PROXY=
NO_PROXY=
http_proxy=
https_proxy=
all_proxy=
no_proxy=
- path: /etc/systemd/coredump.conf
content: |
[Coredump]
Storage=none
- path: /opt/bin/graceful-shutdown.sh
permissions: '0755'
content: |
#!/usr/bin/bash
if [ "$1" != '--really' ]; then
echo "command must be run as: $0 --really"
exit 1
fi
# procedure requires the store-admin
ADMIN_RUNNING=$(docker inspect --format="{{ .State.Running }}" deis-store-admin)
if [ $? -eq 1 ] || [ "$ADMIN_RUNNING" == "false" ]; then
echo "deis-store-admin container is required for graceful shutdown"
exit 2
fi
set -e -x -o pipefail
# determine osd id
CURRENT_STATUS=$(docker exec deis-store-admin ceph health | awk '{print $1}')
OSD_HOSTS=($(etcdctl ls /deis/store/hosts/| awk -F'/' '{print $5}'))
for HOST in "${OSD_HOSTS[@]}"
do
PUBLIC_IP=$(fleetctl list-machines -fields="machine,ip" -full -no-legend| grep `cat /etc/machine-id` | awk '{print $2}')
if [ "$HOST" = "$PUBLIC_IP" ] ; then
OSD_ID=$(etcdctl get /deis/store/osds/$PUBLIC_IP)
break
fi
done
# if we own an osd and its healthy, try to gracefully remove it
if [ ! -z "$OSD_ID" ] && [[ "$CURRENT_STATUS" == *"HEALTH_OK"* ]] && [ ${#OSD_HOSTS[@]} -gt "3" ]; then
docker exec deis-store-admin ceph osd out $OSD_ID
sleep 30
TIMEWAITED=0
until [[ $(docker exec deis-store-admin ceph health) == *"HEALTH_OK"* ]]
do
if [ $TIMEWAITED -gt "1200" ]
then
echo "ceph graceful removal timeout exceeded"
break
fi
echo "waiting" && sleep 5
TIMEWAITED=$((TIMEWAITED+5))
done
docker stop deis-store-daemon
docker exec deis-store-admin ceph osd crush remove osd.$OSD_ID
docker exec deis-store-admin ceph auth del osd.$OSD_ID
docker exec deis-store-admin ceph osd rm $OSD_ID
etcdctl rm /deis/store/osds/$PUBLIC_IP
etcdctl rm /deis/store/hosts/$PUBLIC_IP && sleep 10
# remove ceph mon
docker stop deis-store-monitor || true
docker exec deis-store-admin ceph mon remove `hostname -f` # fixme
docker stop deis-store-metadata || true
fi
# removing the node from etcd
NODE=$(etcdctl member list | grep `cat /etc/machine-id` | cut -d ':' -f 1)
etcdctl member remove $NODE
- path: /opt/bin/wupiao
permissions: '0755'
content: |
#!/usr/bin/env bash
# [w]ait [u]ntil [p]ort [i]s [a]ctually [o]pen
[ -n "$1" ] && \
until curl -o /dev/null -sIf http://${1}; do \
sleep 1 && echo .;
done;
exit $?
- path: /opt/bin/download-k8s-binary
permissions: '0755'
content: |
#!/usr/bin/env bash
export K8S_VERSION="v1.0.1"
mkdir -p /opt/bin
FILE=$1
if [ ! -f /opt/bin/$FILE ]; then
curl -sSL -o /opt/bin/$FILE https://storage.googleapis.com/kubernetes-release/release/${K8S_VERSION}/bin/linux/amd64/$FILE
chmod +x /opt/bin/$FILE
else
# we check the version of the binary
INSTALLED_VERSION=$(/opt/bin/$FILE --version)
MATCH=$(echo "${INSTALLED_VERSION}" | grep -c "${K8S_VERSION}")
if [ $MATCH -eq 0 ]; then
# the version is different
curl -sSL -o /opt/bin/$FILE https://storage.googleapis.com/kubernetes-release/release/${K8S_VERSION}/bin/linux/amd64/$FILE
chmod +x /opt/bin/$FILE
fi
fi
- path: /opt/bin/scheduler-policy.json
content: |
{
"kind": "Policy",
"apiVersion": "v1",
"predicates": [{"name": "PodFitsPorts"},{"name": "PodFitsResources"},{"name": "NoDiskConflict"},{"name": "MatchNodeSelector"},{"name": "HostName"}],
"priorities": [{"name": "LeastRequestedPriority","weight": 1},{"name": "BalancedResourceAllocation","weight": 1},{"name": "ServiceSpreadingPriority","weight": 2},{"name": "EqualPriority","weight": 1}]
}

2
terraform/deis-coreos/keys/.gitignore vendored Normal file
View File

@ -0,0 +1,2 @@
*
!.gitignore

65
terraform/deis-coreos/variables.tf Normal file
View File

@ -0,0 +1,65 @@
variable "cluster_size" {
default = "3"
}
variable "cluster_name" {
default = "example"
}
variable "flavor" {
default = "m1.medium"
}
variable "public_key_path" {
description = "The path of the ssh pub key"
default = "~/.ssh/id_rsa.pub"
}
variable "image" {
description = "the image to use"
default = "coreos"
}
variable "network_name" {
description = "name of the internal network to use"
default = "internal"
}
variable "floatingip_pool" {
description = "name of the floating ip pool to use"
default = "external"
}
variable "username" {
description = "Your openstack username"
}
variable "password" {
description = "Your openstack password"
}
variable "tenant" {
description = "Your openstack tenant/project"
}
variable "auth_url" {
description = "Your openstack auth URL"
}
variable "generate_discovery_url" {
default = 1
description = "set to 0 if you do not want to autogenerate the discovery url"
}
variable "deisctl_version" {
default = "1.12.2"
}
variable "deis_domain" {
default = ""
description = "set if you have a custom domain"
}
variable "deis_keyname" {
default = "deis"
}