X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/a9b9c6ff05e0268570b829bd62a6f683cf9f1d19..0682082cb56e3f1d9d2c4432ee7f6089792a1756:/tools/salt-install/provision.sh diff --git a/tools/salt-install/provision.sh b/tools/salt-install/provision.sh index 7ac120e5fd..8bca9d0bd5 100755 --- a/tools/salt-install/provision.sh +++ b/tools/salt-install/provision.sh @@ -1,4 +1,4 @@ -#!/usr/bin/env bash +#!/bin/bash # Copyright (C) The Arvados Authors. All rights reserved. # @@ -49,6 +49,7 @@ usage() { echo >&2 " for the selected role/s" echo >&2 " - writes the resulting files into " echo >&2 " -v, --vagrant Run in vagrant and use the /vagrant shared dir" + echo >&2 " --development Run in dev mode, using snakeoil certs" echo >&2 } @@ -60,7 +61,7 @@ arguments() { fi TEMP=$(getopt -o c:dhp:r:tv \ - --long config:,debug,dump-config:,help,roles:,test,vagrant \ + --long config:,debug,development,dump-config:,help,roles:,test,vagrant \ -n "${0}" -- "${@}") if [ ${?} != 0 ]; @@ -98,6 +99,10 @@ arguments() { DUMP_CONFIG="yes" shift 2 ;; + --development) + DEV_MODE="yes" + shift 1 + ;; -r | --roles) for i in ${2//,/ } do @@ -131,6 +136,27 @@ arguments() { done } +copy_custom_cert() { + cert_dir=${1} + cert_name=${2} + + mkdir -p /srv/salt/certs + + if [ -f ${cert_dir}/${cert_name}.crt ]; then + cp -v ${cert_dir}/${cert_name}.crt /srv/salt/certs/arvados-${cert_name}.pem + else + echo "${cert_dir}/${cert_name}.crt does not exist. Exiting" + exit 1 + fi + if [ -f ${cert_dir}/${cert_name}.key ]; then + cp -v ${cert_dir}/${cert_name}.key /srv/salt/certs/arvados-${cert_name}.key + else + echo "${cert_dir}/${cert_name}.key does not exist. Exiting" + exit 1 + fi +} + +DEV_MODE="no" CONFIG_FILE="${SCRIPT_DIR}/local.params" CONFIG_DIR="local_config_dir" DUMP_CONFIG="no" @@ -142,8 +168,7 @@ CLUSTER="" DOMAIN="" # Hostnames/IPs used for single-host deploys -HOSTNAME_EXT="" -HOSTNAME_INT="127.0.1.1" +IP_INT="127.0.1.1" # Initial user setup INITIAL_USER="" 
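Review bot: `copy_custom_cert` copies the private key into `/srv/salt/certs` with plain `cp` after a bare `mkdir -p`, so the key keeps the source file's mode and the directory gets the default umask; nothing here guarantees the key is unreadable to other local users. Explicit modes would settle that, e.g. `install -d -m 0700 /srv/salt/certs` and `install -m 0600 "${cert_dir}/${cert_name}.key" "/srv/salt/certs/arvados-${cert_name}.key"` (assuming the Salt run that reads the directory is root). The expansions are unquoted, so a `CUSTOM_CERTS_DIR` containing a space breaks the `-f` tests. The two "does not exist" messages go to stdout rather than stderr (`echo >&2 ...`, as `usage` already does), and `cert_dir` and `cert_name` should be declared `local`.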
@@ -159,6 +184,10 @@ WEBSOCKET_EXT_SSL_PORT=8002 WORKBENCH1_EXT_SSL_PORT=443 WORKBENCH2_EXT_SSL_PORT=3001 +SSL_MODE="self-signed" +USE_LETSENCRYPT_ROUTE53="no" +CUSTOM_CERTS_DIR="${SCRIPT_DIR}/certs" + ## These are ARVADOS-related parameters # For a stable release, change RELEASE "production" and VERSION to the # package version (including the iteration, e.g. X.Y.Z-1) of the @@ -175,9 +204,9 @@ VERSION="latest" # BRANCH="main" # Other formula versions we depend on -POSTGRES_TAG="v0.41.6" -NGINX_TAG="temp-fix-missing-statements-in-pillar" -DOCKER_TAG="v1.0.0" +POSTGRES_TAG="v0.43.0" +NGINX_TAG="v2.8.0" +DOCKER_TAG="v2.0.7" LOCALE_TAG="v0.3.4" LETSENCRYPT_TAG="v2.1.0" @@ -225,15 +254,36 @@ if ! grep -qE '^[[:alnum:]]{5}$' <<<${CLUSTER} ; then fi # Only used in single_host/single_name deploys -if [ "x${HOSTNAME_EXT}" = "x" ] ; then +if [ ! -z "${HOSTNAME_EXT}" ] ; then + # We need to add some extra control vars to manage a single certificate vs. multiple + USE_SINGLE_HOSTNAME="yes" +else + USE_SINGLE_HOSTNAME="no" + # We set this variable, anyway, so sed lines do not fail and we don't need to add more + # conditionals HOSTNAME_EXT="${CLUSTER}.${DOMAIN}" fi if [ "${DUMP_CONFIG}" = "yes" ]; then echo "The provision installer will just dump a config under ${DUMP_SALT_CONFIG_DIR} and exit" else - apt-get update - apt-get install -y curl git jq + # Install a few dependency packages + # First, let's figure out the OS we're working on + OS_ID=$(grep ^ID= /etc/os-release |cut -f 2 -d= |cut -f 2 -d \") + echo "Detected distro: ${OS_ID}" + + case ${OS_ID} in + "centos") + echo "WARNING! Disabling SELinux, see https://dev.arvados.org/issues/18019" + sed -i 's/SELINUX=enforcing/SELINUX=permissive' /etc/sysconfig/selinux + setenforce permissive + yum install -y curl git jq + ;; + "debian"|"ubuntu") + DEBIAN_FRONTEND=noninteractive apt update + DEBIAN_FRONTEND=noninteractive apt install -y curl git jq + ;; + esac if which salt-call; then echo "Salt already installed" 
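Review bot: The `sed` expression in the `centos` arm has no closing delimiter (`'s/SELINUX=enforcing/SELINUX=permissive'`), so sed rejects it as an unterminated `s` command and `/etc/sysconfig/selinux` stays unchanged while `setenforce permissive` still switches the running system; it should read `sed -i 's/^SELINUX=enforcing/SELINUX=permissive/' /etc/sysconfig/selinux`. Because this lowers a host-wide control, the warning belongs on stderr and the step would be safer behind an explicit opt-in than applied to every CentOS host. The `case` also has no `*)` arm, so on any other `ID` the script carries on without installing curl, git and jq; an arm that prints the unsupported distro to stderr and exits would fail early.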
@@ -246,6 +296,8 @@ else # Set salt to masterless mode cat > /etc/salt/minion << EOFSM +failhard: "True" + file_client: local file_roots: base: @@ -267,18 +319,23 @@ rm -rf ${F_DIR}/* || exit 1 git clone --quiet https://github.com/saltstack-formulas/docker-formula.git ${F_DIR}/docker ( cd docker && git checkout --quiet tags/"${DOCKER_TAG}" -b "${DOCKER_TAG}" ) +echo "...locale" git clone --quiet https://github.com/saltstack-formulas/locale-formula.git ${F_DIR}/locale ( cd locale && git checkout --quiet tags/"${LOCALE_TAG}" -b "${LOCALE_TAG}" ) -git clone --quiet https://github.com/netmanagers/nginx-formula.git ${F_DIR}/nginx +echo "...nginx" +git clone --quiet https://github.com/saltstack-formulas/nginx-formula.git ${F_DIR}/nginx ( cd nginx && git checkout --quiet tags/"${NGINX_TAG}" -b "${NGINX_TAG}" ) +echo "...postgres" git clone --quiet https://github.com/saltstack-formulas/postgres-formula.git ${F_DIR}/postgres ( cd postgres && git checkout --quiet tags/"${POSTGRES_TAG}" -b "${POSTGRES_TAG}" ) +echo "...letsencrypt" git clone --quiet https://github.com/saltstack-formulas/letsencrypt-formula.git ${F_DIR}/letsencrypt ( cd letsencrypt && git checkout --quiet tags/"${LETSENCRYPT_TAG}" -b "${LETSENCRYPT_TAG}" ) +echo "...arvados" git clone --quiet https://git.arvados.org/arvados-formula.git ${F_DIR}/arvados # If we want to try a specific branch of the formula @@ -315,7 +372,7 @@ for f in $(ls "${SOURCE_PILLARS_DIR}"/*); do s#__CLUSTER__#${CLUSTER}#g; s#__DOMAIN__#${DOMAIN}#g; s#__HOSTNAME_EXT__#${HOSTNAME_EXT}#g; - s#__HOSTNAME_INT__#${HOSTNAME_INT}#g; + s#__IP_INT__#${IP_INT}#g; s#__INITIAL_USER_EMAIL__#${INITIAL_USER_EMAIL}#g; s#__INITIAL_USER_PASSWORD__#${INITIAL_USER_PASSWORD}#g; s#__INITIAL_USER__#${INITIAL_USER}#g; 
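Review bot: The nginx formula now comes from the upstream saltstack-formulas repository but is still selected by tag name (`tags/"${NGINX_TAG}"`), like the other formulas in this hunk, and the arvados formula clone has no ref in the visible lines. A tag can be re-pointed upstream, and these states are applied later by `salt-call --local state.apply`, so recording the reviewed commit for each formula and checking it after checkout would make the install reproducible, e.g. `[ "$(git -C "${F_DIR}/nginx" rev-parse HEAD)" = "${NGINX_COMMIT}" ] || exit 1`, where `NGINX_COMMIT` is a new variable holding the expected hash. The `( cd nginx && ... )` subshells depend on the current directory being `${F_DIR}`, which is set outside the hunk.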
@@ -356,16 +413,21 @@ fi mkdir -p ${T_DIR} # Replace cluster and domain name in the test files for f in $(ls "${SOURCE_TESTS_DIR}"/*); do - sed "s#__CLUSTER__#${CLUSTER}#g; + FILTERS="s#__CLUSTER__#${CLUSTER}#g; s#__CONTROLLER_EXT_SSL_PORT__#${CONTROLLER_EXT_SSL_PORT}#g; s#__DOMAIN__#${DOMAIN}#g; - s#__HOSTNAME_INT__#${HOSTNAME_INT}#g; + s#__IP_INT__#${IP_INT}#g; s#__INITIAL_USER_EMAIL__#${INITIAL_USER_EMAIL}#g; s#__INITIAL_USER_PASSWORD__#${INITIAL_USER_PASSWORD}#g s#__INITIAL_USER__#${INITIAL_USER}#g; s#__DATABASE_PASSWORD__#${DATABASE_PASSWORD}#g; - s#__SYSTEM_ROOT_TOKEN__#${SYSTEM_ROOT_TOKEN}#g" \ - "${f}" > ${T_DIR}/$(basename "${f}") + s#__SYSTEM_ROOT_TOKEN__#${SYSTEM_ROOT_TOKEN}#g" + if [ "$USE_SINGLE_HOSTNAME" = "yes" ]; then + FILTERS="s#__CLUSTER__.__DOMAIN__#${HOSTNAME_EXT}#g; + $FILTERS" + fi + sed "$FILTERS" \ + "${f}" > ${T_DIR}/$(basename "${f}") done chmod 755 ${T_DIR}/run-test.sh @@ -380,7 +442,7 @@ if [ -d "${SOURCE_STATES_DIR}" ]; then s#__CONTROLLER_EXT_SSL_PORT__#${CONTROLLER_EXT_SSL_PORT}#g; s#__DOMAIN__#${DOMAIN}#g; s#__HOSTNAME_EXT__#${HOSTNAME_EXT}#g; - s#__HOSTNAME_INT__#${HOSTNAME_INT}#g; + s#__IP_INT__#${IP_INT}#g; s#__INITIAL_USER_EMAIL__#${INITIAL_USER_EMAIL}#g; s#__INITIAL_USER_PASSWORD__#${INITIAL_USER_PASSWORD}#g; s#__INITIAL_USER__#${INITIAL_USER}#g; 
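Review bot: `FILTERS` splices `INITIAL_USER_PASSWORD`, `DATABASE_PASSWORD` and `SYSTEM_ROOT_TOKEN` straight into the sed program, so a value containing `#`, `&` or a backslash either breaks the expression or writes a different secret into the test files than the one configured. Escaping each value before building the string avoids that, e.g. a helper `sed_escape() { printf '%s' "$1" | sed 's/[#&\\]/\\&/g'; }` used as `$(sed_escape "${DATABASE_PASSWORD}")`. In the added single-hostname filter the `.` in `__CLUSTER__.__DOMAIN__` is a regex wildcard and should be written `\.`.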
@@ -432,9 +494,21 @@ EOFPSLS # States, extra states if [ -d "${F_DIR}"/extra/extra ]; then - for f in $(ls "${F_DIR}"/extra/extra/*.sls); do + SKIP_SNAKE_OIL="snakeoil_certs" + + if [[ "$DEV_MODE" = "yes" || "${SSL_MODE}" == "self-signed" ]] ; then + # In dev mode, we create some snake oil certs that we'll + # use as CUSTOM_CERTS, so we don't skip the states file. + # Same when using self-signed certificates. + SKIP_SNAKE_OIL="dont_add_snakeoil_certs" + fi + for f in $(ls "${F_DIR}"/extra/extra/*.sls | grep -v ${SKIP_SNAKE_OIL}); do echo " - extra.$(basename ${f} | sed 's/.sls$//g')" >> ${S_DIR}/top.sls done + # Use byo or self-signed certificates + if [ "${SSL_MODE}" != "lets-encrypt" ]; then + mkdir -p "${F_DIR}"/extra/extra/files + fi fi # If we want specific roles for a node, just add the desired states 
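Review bot: The loop filters the state list with `ls ... | grep -v ${SKIP_SNAKE_OIL}`, which drops every path containing `snakeoil_certs` anywhere (directory names included) and relies on the dummy value `dont_add_snakeoil_certs` to mean "filter nothing". A glob with an explicit skip says the same thing directly and survives spaces in `F_DIR`: iterate `for f in "${F_DIR}"/extra/extra/*.sls` and `continue` when a yes/no flag is set and `$(basename "${f}")` is `snakeoil_certs.sls`. The condition also mixes `=` and `==` inside one `[[ ]]`; using one form throughout reads better.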
@@ -442,13 +516,22 @@ fi if [ -z "${ROLES}" ]; then # States echo " - nginx.passenger" >> ${S_DIR}/top.sls - # Currently, only available on config_examples/multi_host/aws - if [ "x${USE_LETSENCRYPT}" = "xyes" ]; then - if [ "x${USE_LETSENCRYPT_IAM_USER}" = "xyes" ]; then - grep -q "aws_credentials" ${S_DIR}/top.sls || echo " - aws_credentials" >> ${S_DIR}/top.sls + if [ "${SSL_MODE}" = "lets-encrypt" ]; then + if [ "${USE_LETSENCRYPT_ROUTE53}" = "yes" ]; then + grep -q "aws_credentials" ${S_DIR}/top.sls || echo " - extra.aws_credentials" >> ${S_DIR}/top.sls fi grep -q "letsencrypt" ${S_DIR}/top.sls || echo " - letsencrypt" >> ${S_DIR}/top.sls + else + # Use custom certs, as both bring-your-own and self-signed are copied using this state + # Copy certs to formula extra/files + # In dev mode, the files will be created and put in the destination directory by the + # snakeoil_certs.sls state file + mkdir -p /srv/salt/certs + cp -rv ${CUSTOM_CERTS_DIR}/* /srv/salt/certs/ + # We add the custom_certs state + grep -q "custom_certs" ${S_DIR}/top.sls || echo " - extra.custom_certs" >> ${S_DIR}/top.sls fi + echo " - postgres" >> ${S_DIR}/top.sls echo " - docker.software" >> ${S_DIR}/top.sls echo " - arvados" >> ${S_DIR}/top.sls 
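Review bot: The `else` branch runs `cp -rv ${CUSTOM_CERTS_DIR}/* /srv/salt/certs/` for both bring-your-own and self-signed modes, although the comment above it says that in dev mode the files are produced later by `snakeoil_certs.sls`; when `${CUSTOM_CERTS_DIR}` is missing or empty the glob stays literal and `cp` fails. It also copies everything in that directory, private keys included, into the Salt file root with default permissions. Guarding on the directory (and on `bring-your-own`, if that is the only mode that supplies files up front) covers the first problem, e.g. `[ -d "${CUSTOM_CERTS_DIR}" ] && cp -rv -- "${CUSTOM_CERTS_DIR}"/. /srv/salt/certs/`.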
@@ -465,16 +548,72 @@ if [ -z "${ROLES}" ]; then echo " - nginx_workbench2_configuration" >> ${P_DIR}/top.sls echo " - nginx_workbench_configuration" >> ${P_DIR}/top.sls echo " - postgresql" >> ${P_DIR}/top.sls - # Currently, only available on config_examples/multi_host/aws - if [ "x${USE_LETSENCRYPT}" = "xyes" ]; then - if [ "x${USE_LETSENCRYPT_IAM_USER}" = "xyes" ]; then + + if [ "${SSL_MODE}" = "lets-encrypt" ]; then + if [ "${USE_LETSENCRYPT_ROUTE53}" = "yes" ]; then grep -q "aws_credentials" ${P_DIR}/top.sls || echo " - aws_credentials" >> ${P_DIR}/top.sls fi - grep -q "letsencrypt" ${P_DIR}/top.sls || echo " - letsencrypt" >> ${P_DIR}/top.sls + grep -q "letsencrypt" ${P_DIR}/top.sls || echo " - letsencrypt" >> ${P_DIR}/top.sls + + # As the pillar differ whether we use LE or custom certs, we need to do a final edition on them + for c in controller websocket workbench workbench2 webshell keepweb keepproxy; do + if [ "${USE_SINGLE_HOSTNAME}" = "yes" ]; then + # Are we in a single-host-single-hostname env? + CERT_NAME=${HOSTNAME_EXT} + else + # We are in a single-host-multiple-hostnames env + CERT_NAME=${c}.${CLUSTER}.${DOMAIN} + fi + + sed -i "s/__CERT_REQUIRES__/cmd: create-initial-cert-${CERT_NAME}*/g; + s#__CERT_PEM__#/etc/letsencrypt/live/${CERT_NAME}/fullchain.pem#g; + s#__CERT_KEY__#/etc/letsencrypt/live/${CERT_NAME}/privkey.pem#g" \ + ${P_DIR}/nginx_${c}_configuration.sls + done + else + # Use custom certs (either dev mode or prod) + grep -q "extra_custom_certs" ${P_DIR}/top.sls || echo " - extra_custom_certs" >> ${P_DIR}/top.sls + # And add the certs in the custom_certs pillar + echo "extra_custom_certs_dir: /srv/salt/certs" > ${P_DIR}/extra_custom_certs.sls + echo "extra_custom_certs:" >> ${P_DIR}/extra_custom_certs.sls + + for c in controller websocket workbench workbench2 webshell keepweb keepproxy; do + # Are we in a single-host-single-hostname env? + if [ "${USE_SINGLE_HOSTNAME}" = "yes" ]; then + # Are we in a single-host-single-hostname env? 
+ CERT_NAME=${HOSTNAME_EXT} + else + # We are in a multiple-hostnames env + CERT_NAME=${c} + fi + + if [[ "$SSL_MODE" == "bring-your-own" ]]; then + copy_custom_cert ${CUSTOM_CERTS_DIR} ${CERT_NAME} + fi + + grep -q ${CERT_NAME} ${P_DIR}/extra_custom_certs.sls || echo " - ${CERT_NAME}" >> ${P_DIR}/extra_custom_certs.sls + + # As the pillar differs whether we use LE or custom certs, we need to do a final edition on them + sed -i "s/__CERT_REQUIRES__/file: extra_custom_certs_file_copy_arvados-${CERT_NAME}.pem/g; + s#__CERT_PEM__#/etc/nginx/ssl/arvados-${CERT_NAME}.pem#g; + s#__CERT_KEY__#/etc/nginx/ssl/arvados-${CERT_NAME}.key#g" \ + ${P_DIR}/nginx_${c}_configuration.sls + done fi else # If we add individual roles, make sure we add the repo first echo " - arvados.repo" >> ${S_DIR}/top.sls + # We add the extra_custom_certs state + grep -q "extra.custom_certs" ${S_DIR}/top.sls || echo " - extra.custom_certs" >> ${S_DIR}/top.sls + + # And we add the basic part for the certs pillar + if [ "${SSL_MODE}" != "lets-encrypt" ]; then + # And add the certs in the custom_certs pillar + echo "extra_custom_certs_dir: /srv/salt/certs" > ${P_DIR}/extra_custom_certs.sls + echo "extra_custom_certs:" >> ${P_DIR}/extra_custom_certs.sls + grep -q "extra_custom_certs" ${P_DIR}/top.sls || echo " - extra_custom_certs" >> ${P_DIR}/top.sls + fi + for R in ${ROLES}; do case "${R}" in "database") 
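Review bot: In the roles branch `extra.custom_certs` is appended to the state top file unconditionally, while the `extra_custom_certs` pillar that feeds it is only written when `SSL_MODE` is not `lets-encrypt`. With Let's Encrypt and `--roles` the state would run without its pillar data; whether that is a no-op or a render error depends on the state file, which is not shown here. Moving the `grep -q "extra.custom_certs" ${S_DIR}/top.sls || ...` line inside the `if [ "${SSL_MODE}" != "lets-encrypt" ]` block keeps state and pillar together. In the single-host loop, `copy_custom_cert` is also called once per service even when `USE_SINGLE_HOSTNAME` is `yes` and every iteration uses the same `CERT_NAME`.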
@@ -489,18 +628,23 @@ else grep -q "postgres.client" ${S_DIR}/top.sls || echo " - postgres.client" >> ${S_DIR}/top.sls grep -q "nginx.passenger" ${S_DIR}/top.sls || echo " - nginx.passenger" >> ${S_DIR}/top.sls ### If we don't install and run LE before arvados-api-server, it fails and breaks everything - ### after it so we add this here, as we are, after all, sharing the host for api and controller + ### after it. So we add this here as we are, after all, sharing the host for api and controller # Currently, only available on config_examples/multi_host/aws - if [ "x${USE_LETSENCRYPT}" = "xyes" ]; then - if [ "x${USE_LETSENCRYPT_IAM_USER}" = "xyes" ]; then + if [ "${SSL_MODE}" = "lets-encrypt" ]; then + if [ "${USE_LETSENCRYPT_ROUTE53}" = "yes" ]; then grep -q "aws_credentials" ${S_DIR}/top.sls || echo " - aws_credentials" >> ${S_DIR}/top.sls fi - grep -q "letsencrypt" ${S_DIR}/top.sls || echo " - letsencrypt" >> ${S_DIR}/top.sls + grep -q "letsencrypt" ${S_DIR}/top.sls || echo " - letsencrypt" >> ${S_DIR}/top.sls + else + # Use custom certs + if [ "${SSL_MODE}" = "bring-your-own" ]; then + copy_custom_cert ${CUSTOM_CERTS_DIR} controller + fi + grep -q controller ${P_DIR}/extra_custom_certs.sls || echo " - controller" >> ${P_DIR}/extra_custom_certs.sls fi grep -q "arvados.${R}" ${S_DIR}/top.sls || echo " - arvados.${R}" >> ${S_DIR}/top.sls # Pillars grep -q "aws_credentials" ${P_DIR}/top.sls || echo " - aws_credentials" >> ${P_DIR}/top.sls - grep -q "docker" ${P_DIR}/top.sls || echo " - docker" >> ${P_DIR}/top.sls grep -q "postgresql" ${P_DIR}/top.sls || echo " - postgresql" >> ${P_DIR}/top.sls grep -q "nginx_passenger" ${P_DIR}/top.sls || echo " - nginx_passenger" >> ${P_DIR}/top.sls grep -q "nginx_${R}_configuration" ${P_DIR}/top.sls || echo " - nginx_${R}_configuration" >> ${P_DIR}/top.sls 
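Review bot: This branch still appends `- aws_credentials` to `${S_DIR}/top.sls`, whereas the single-host branch changed by the same commit now appends `- extra.aws_credentials`; the hunk at `@@ -509,26 +653,78 @@` has the same line. If the state lives under `extra/` (the extra-states loop names its entries `extra.<file>`), a role-based install would reference a state that does not exist, so the name should probably be `extra.aws_credentials` here too. The pillar line `grep -q "aws_credentials" ${P_DIR}/top.sls || ...` further down sits outside any `SSL_MODE` check, so the AWS credentials pillar is added for this role regardless of certificate mode; it looks like it belongs under the `USE_LETSENCRYPT_ROUTE53` test.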
@@ -509,26 +653,78 @@ else # States grep -q "nginx.passenger" ${S_DIR}/top.sls || echo " - nginx.passenger" >> ${S_DIR}/top.sls # Currently, only available on config_examples/multi_host/aws - if [ "x${USE_LETSENCRYPT}" = "xyes" ]; then - if [ "x${USE_LETSENCRYPT_IAM_USER}" = "xyes" ]; then + if [ "${SSL_MODE}" = "lets-encrypt" ]; then + if [ "x${USE_LETSENCRYPT_ROUTE53}" = "xyes" ]; then grep -q "aws_credentials" ${S_DIR}/top.sls || echo " - aws_credentials" >> ${S_DIR}/top.sls fi grep -q "letsencrypt" ${S_DIR}/top.sls || echo " - letsencrypt" >> ${S_DIR}/top.sls + else + # Use custom certs, special case for keepweb + if [ ${R} = "keepweb" ]; then + if [ "${SSL_MODE}" = "bring-your-own" ]; then + copy_custom_cert ${CUSTOM_CERTS_DIR} download + copy_custom_cert ${CUSTOM_CERTS_DIR} collections + fi + else + if [ "${SSL_MODE}" = "bring-your-own" ]; then + copy_custom_cert ${CUSTOM_CERTS_DIR} ${R} + fi + fi fi # webshell role is just a nginx vhost, so it has no state if [ "${R}" != "webshell" ]; then - grep -q "arvados.${R}" ${S_DIR}/top.sls || echo " - arvados.${R}" >> ${S_DIR}/top.sls + grep -q "arvados.${R}" ${S_DIR}/top.sls || echo " - arvados.${R}" >> ${S_DIR}/top.sls fi # Pillars grep -q "nginx_passenger" ${P_DIR}/top.sls || echo " - nginx_passenger" >> ${P_DIR}/top.sls grep -q "nginx_${R}_configuration" ${P_DIR}/top.sls || echo " - nginx_${R}_configuration" >> ${P_DIR}/top.sls + # Special case for keepweb + if [ ${R} = "keepweb" ]; then + grep -q "nginx_download_configuration" ${P_DIR}/top.sls || echo " - nginx_download_configuration" >> ${P_DIR}/top.sls + grep -q "nginx_collections_configuration" ${P_DIR}/top.sls || echo " - nginx_collections_configuration" >> ${P_DIR}/top.sls + fi + # Currently, only available on config_examples/multi_host/aws - if [ "x${USE_LETSENCRYPT}" = "xyes" ]; then - if [ "x${USE_LETSENCRYPT_IAM_USER}" = "xyes" ]; then + if [ "${SSL_MODE}" = "lets-encrypt" ]; then + if [ "${USE_LETSENCRYPT_ROUTE53}" = "yes" ]; then grep -q 
"aws_credentials" ${P_DIR}/top.sls || echo " - aws_credentials" >> ${P_DIR}/top.sls fi grep -q "letsencrypt" ${P_DIR}/top.sls || echo " - letsencrypt" >> ${P_DIR}/top.sls grep -q "letsencrypt_${R}_configuration" ${P_DIR}/top.sls || echo " - letsencrypt_${R}_configuration" >> ${P_DIR}/top.sls + + # As the pillar differ whether we use LE or custom certs, we need to do a final edition on them + # Special case for keepweb + if [ ${R} = "keepweb" ]; then + for kwsub in download collections; do + sed -i "s/__CERT_REQUIRES__/cmd: create-initial-cert-${kwsub}.${CLUSTER}.${DOMAIN}*/g; + s#__CERT_PEM__#/etc/letsencrypt/live/${kwsub}.${CLUSTER}.${DOMAIN}/fullchain.pem#g; + s#__CERT_KEY__#/etc/letsencrypt/live/${kwsub}.${CLUSTER}.${DOMAIN}/privkey.pem#g" \ + ${P_DIR}/nginx_${kwsub}_configuration.sls + done + else + sed -i "s/__CERT_REQUIRES__/cmd: create-initial-cert-${R}.${CLUSTER}.${DOMAIN}*/g; + s#__CERT_PEM__#/etc/letsencrypt/live/${R}.${CLUSTER}.${DOMAIN}/fullchain.pem#g; + s#__CERT_KEY__#/etc/letsencrypt/live/${R}.${CLUSTER}.${DOMAIN}/privkey.pem#g" \ + ${P_DIR}/nginx_${R}_configuration.sls + fi + else + # As the pillar differ whether we use LE or custom certs, we need to do a final edition on them + # Special case for keepweb + if [ ${R} = "keepweb" ]; then + for kwsub in download collections; do + sed -i "s/__CERT_REQUIRES__/file: extra_custom_certs_file_copy_arvados-${kwsub}.pem/g; + s#__CERT_PEM__#/etc/nginx/ssl/arvados-${kwsub}.pem#g; + s#__CERT_KEY__#/etc/nginx/ssl/arvados-${kwsub}.key#g" \ + ${P_DIR}/nginx_${kwsub}_configuration.sls + grep -q ${kwsub} ${P_DIR}/extra_custom_certs.sls || echo " - ${kwsub}" >> ${P_DIR}/extra_custom_certs.sls + done + else + sed -i "s/__CERT_REQUIRES__/file: extra_custom_certs_file_copy_arvados-${R}.pem/g; + s#__CERT_PEM__#/etc/nginx/ssl/arvados-${R}.pem#g; + s#__CERT_KEY__#/etc/nginx/ssl/arvados-${R}.key#g" \ + ${P_DIR}/nginx_${R}_configuration.sls + grep -q ${R} ${P_DIR}/extra_custom_certs.sls || echo " - ${R}" >> 
${P_DIR}/extra_custom_certs.sls + fi fi ;; "shell") @@ -536,11 +732,10 @@ else grep -q "docker" ${S_DIR}/top.sls || echo " - docker.software" >> ${S_DIR}/top.sls grep -q "arvados.${R}" ${S_DIR}/top.sls || echo " - arvados.${R}" >> ${S_DIR}/top.sls # Pillars - grep -q "" ${P_DIR}/top.sls || echo " - docker" >> ${P_DIR}/top.sls + grep -q "docker" ${P_DIR}/top.sls || echo " - docker" >> ${P_DIR}/top.sls ;; "dispatcher") # States - grep -q "docker" ${S_DIR}/top.sls || echo " - docker.software" >> ${S_DIR}/top.sls grep -q "arvados.${R}" ${S_DIR}/top.sls || echo " - arvados.${R}" >> ${S_DIR}/top.sls # Pillars # ATM, no specific pillar needed @@ -580,6 +775,10 @@ echo '\pset pager off' >> /root/.psqlrc # Now run the install salt-call --local state.apply -l ${LOG_LEVEL} +# Finally, make sure that /etc/hosts is not overwritten on reboot +# TODO: will this work on CentOS? +sed -i 's/^manage_etc_hosts: true/#manage_etc_hosts: true/g' /etc/cloud/cloud.cfg.d/* + # FIXME! #16992 Temporary fix for psql call in arvados-api-server if [ "x${DELETE_PSQL}" = "xyes" ]; then echo "Removing .psql file" 
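Review bot: The added `grep -q ${R} ${P_DIR}/extra_custom_certs.sls` (and the `${kwsub}` variant) matches substrings, so if `workbench2` is processed before `workbench` the second role is treated as already listed and its certificate never reaches the pillar. Matching the whole entry fixes it, e.g. `grep -qx "[[:space:]]*- ${R}" "${P_DIR}/extra_custom_certs.sls"`. The new `[ ${R} = "keepweb" ]` tests leave `${R}` unquoted, unlike the `"${R}" != "webshell"` test in the same hunk. The single `"x${USE_LETSENCRYPT_ROUTE53}" = "xyes"` comparison is the only place the new variable keeps the old `x` prefix style.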
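Review bot: The new `sed -i ... /etc/cloud/cloud.cfg.d/*` runs on every host, and where cloud-init is not installed the glob stays literal, so sed reports a missing file after the install has otherwise succeeded (and aborts the script if `set -e` is in effect, which is not visible here). Guarding it keeps the step a no-op on such hosts: `if [ -d /etc/cloud/cloud.cfg.d ]; then sed -i 's/^manage_etc_hosts: true/#manage_etc_hosts: true/g' /etc/cloud/cloud.cfg.d/*; fi`.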
@@ -593,19 +792,26 @@ fi # END FIXME! #16992 Temporary fix for psql call in arvados-api-server # Leave a copy of the Arvados CA so the user can copy it where it's required -echo "Copying the Arvados CA certificate to the installer dir, so you can import it" -# If running in a vagrant VM, also add default user to docker group -if [ "x${VAGRANT}" = "xyes" ]; then - cp /etc/ssl/certs/arvados-snakeoil-ca.pem /vagrant/${CLUSTER}.${DOMAIN}-arvados-snakeoil-ca.pem - - echo "Adding the vagrant user to the docker group" - usermod -a -G docker vagrant -else - cp /etc/ssl/certs/arvados-snakeoil-ca.pem ${SCRIPT_DIR}/${CLUSTER}.${DOMAIN}-arvados-snakeoil-ca.pem +if [ "$DEV_MODE" = "yes" ]; then + echo "Copying the Arvados CA certificate to the installer dir, so you can import it" + # If running in a vagrant VM, also add default user to docker group + if [ "x${VAGRANT}" = "xyes" ]; then + cp /etc/ssl/certs/arvados-snakeoil-ca.pem /vagrant/${CLUSTER}.${DOMAIN}-arvados-snakeoil-ca.pem + + echo "Adding the vagrant user to the docker group" + usermod -a -G docker vagrant + else + cp /etc/ssl/certs/arvados-snakeoil-ca.pem ${SCRIPT_DIR}/${CLUSTER}.${DOMAIN}-arvados-snakeoil-ca.pem + fi fi # Test that the installation finished correctly if [ "x${TEST}" = "xyes" ]; then cd ${T_DIR} - ./run-test.sh + # If we use RVM, we need to run this with it, or most ruby commands will fail + RVM_EXEC="" + if [ -x /usr/local/rvm/bin/rvm-exec ]; then + RVM_EXEC="/usr/local/rvm/bin/rvm-exec" + fi + ${RVM_EXEC} ./run-test.sh fi
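Review bot: The CA copy is now gated on `DEV_MODE` alone, but the extra-states hunk earlier in this commit keeps the snake-oil state when `DEV_MODE` is `yes` or `SSL_MODE` is `self-signed`, and `SSL_MODE` defaults to `self-signed`. A default run without `--development` would then presumably still generate the snake-oil CA but no longer hand it to the user; if so the test should be `if [ "$DEV_MODE" = "yes" ] || [ "${SSL_MODE}" = "self-signed" ]; then`. Nesting the Vagrant block inside this `if` also means `usermod -a -G docker vagrant` is skipped for Vagrant runs without `--development`, which looks unrelated to certificates. `cd ${T_DIR}` has no failure check, so a missing test directory would run `./run-test.sh` from the wrong place; `cd "${T_DIR}" || exit 1` avoids that.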