Overview

Skill Level: Beginner

Intended for IBM Cloud Orchestrator Administrators and Heat Template Creators

This recipe helps ICO administrators orchestrate an automated Linux RHEL Atomic deployment: it lists the base cloud image configuration and creates the automated tasks in IBM BigFix.

Ingredients

  • IBM Cloud Orchestrator v2.4.0.x
  • IBM Endpoint Manager – BigFix
  • Linux RHEL Atomic v7.x Vmware Image

Step-by-step

  1. Configure the Linux RHEL Image

    First you need to modify the cloud.cfg file at /etc/cloud/cloud.cfg with the following values:

    disable_root: 0
    ssh_pwauth: 1
    ssh_deletekeys: 1
    disable_ec2_metadata: true
    datasource_list: ['ConfigDrive']

    Then modify the ifcfg-ens32 file: delete all content of /etc/sysconfig/network-scripts/ifcfg-ens32 and add the following values:

    TYPE=Ethernet
    BOOTPROTO=none
    DEFROUTE=yes
    NAME=ens32
    DEVICE=ens32
    ONBOOT=yes
    NM_CONTROLLED=no

    Then modify the ifcfg-eth0 file: delete all content of /etc/sysconfig/network-scripts/ifcfg-eth0 if it exists (or create the file) and add the following values:

    TYPE=Ethernet
    BOOTPROTO=none
    NAME=eth0
    DEVICE=eth0
    ONBOOT=no
    NM_CONTROLLED=no

    You also need to disable IPv6. You can check whether IPv6 is enabled with the following command:

    # ifconfig |grep inet6
    inet6 addr: fe10::d5be:d9ff:fe66:5a77/64 Scope:Link
    inet6 addr: fe10::d5be:d9ff:fe66:5a77/64 Scope:Link

    To disable IPv6, edit the file /etc/modprobe.d/ipv6.conf (create it if it is not already present) and add the following parameter:

    options ipv6 disable=1

    Next, disable the ip6tables service with the command:

    # chkconfig ip6tables off

    You also need to append the lines below to the file /etc/sysctl.conf:

    # IPv6 support in the kernel, set to 0 by default
    net.ipv6.conf.all.disable_ipv6 = 1
    net.ipv6.conf.default.disable_ipv6 = 1

    To make the settings effective, execute:

    # sysctl -p

    You must remove the network persistence rules from the image, because they record the MAC address of the interface. You can do this as follows:

    Replace /etc/udev/rules.d/70-persistent-net.rules with an empty file if it exists (this file contains the network persistence rules, including the MAC address); if it does not exist, skip this step.

    Replace /lib/udev/rules.d/75-persistent-net-generator.rules with an empty file if it exists; if it does not exist, skip this step.

  2. Create the Heat Template

    To create the IBM Cloud Orchestrator Heat template you can use the example below:

    heat_template_version: 2013-05-23
    description: Linux RHEL Atomic Template to deploy a single compute instance with custom software
    parameters:
      serverName:
        description: Server hostname
        label: ServerName
        type: string
        default: ServerName
      flavor:
        type: string
        label: Flavor
        description: Type of instance (flavor) to be used
        default: low
      variable:
        type: string
        label: Variable
        description: You can add other parameter here
        default: XXXX
      private_network:
        type: string
        label: Private network name or ID
        description: Network to attach instance to
        default: Network VLAN
    resources:
      rhel_instance:
        type: OS::Nova::Server
        properties:
          name: { get_param: serverName }
          image: rhelatomic-image
          flavor: { get_param: flavor }
          key_name: linux_key
          networks:
            - network: { get_param: private_network }
          user_data:
            str_replace:
              template: |
                #!/bin/bash
                # Move the interface configuration written for eth0 over to ens32
                sed -i -e 's/eth0/ens32/g' /etc/sysconfig/network-scripts/ifcfg-eth0
                rm /etc/sysconfig/network-scripts/ifcfg-ens32
                cp /etc/sysconfig/network-scripts/ifcfg-eth0 /etc/sysconfig/network-scripts/ifcfg-ens32
                rm /etc/sysconfig/network-scripts/ifcfg-eth0
                echo "DNS1=IP_ADDRESS_1" >> /etc/sysconfig/network-scripts/ifcfg-ens32
                echo "DNS2=IP_ADDRESS_2" >> /etc/sysconfig/network-scripts/ifcfg-ens32
                echo "DOMAIN=domain.com.pe" >> /etc/sysconfig/network-scripts/ifcfg-ens32
                systemctl restart network
                echo "Network Interface Configured" >> /var/log/trace.log
                # Create the swap volume on the second disk
                vgcreate vg_swap /dev/sdb1
                lvcreate vg_swap -n lv_swap01 -L 15.5G
                mkswap -L swap -f /dev/vg_swap/lv_swap01
                echo "/dev/vg_swap/lv_swap01 swap swap 0 0" >> /etc/fstab
                swapoff -a && swapon -a
                echo "SWAP Configured" >> /var/log/trace.log
                # Set the short hostname
                host=$(hostname | cut -d '.' -f1)
                hostnamectl set-hostname $host
                host=$(hostname)
                echo "Change the name server" >> /var/log/trace.log
                # Register the server with Red Hat Subscription Management through the proxy
                subscription-manager config --server.proxy_hostname=proxy.domain.com.pe --server.proxy_port=80
                subscription-manager register --username user@domain.com.pe --password password --auto-attach
                echo "Register Server in Linux" >> /var/log/trace.log
              params:
                $var1: { get_param: variable }

    With this template you can deploy a Linux RHEL Atomic instance with its name, network interface and swap configured. You can also automate the sudoers, group and user creation with the next steps.

  3. Automate security configuration

    To automate the sudoers configuration with BigFix, add the lines given in the following steps between the #!/bin/bash line and the params line of the Heat template:

    Step 1: Capture the IP address of the newly provisioned server.

    IP=$(ifconfig | grep -A 1 'ens32' | tail -1 | cut -d 't' -f2 | cut -d 'n' -f1 | cut -d ' ' -f2 | cut -d ' ' -f1)

    Step 2: Create an XML file that runs a BigFix task to copy the files over an SSH connection.

    echo '<?xml version="1.0" encoding="utf-8"?>' >>/tmp/action.xml
    echo '<BES xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="BES.xsd">' >>/tmp/action.xml
    echo ' <SourcedFixletAction>' >>/tmp/action.xml
    echo ' <SourceFixlet>' >>/tmp/action.xml
    echo ' <Sitename>Task Site Name</Sitename>' >>/tmp/action.xml
    echo ' <FixletID>Task ID</FixletID>' >>/tmp/action.xml
    echo ' <Action>Action1</Action>' >>/tmp/action.xml
    echo ' </SourceFixlet>' >>/tmp/action.xml
    echo ' <Target>' >>/tmp/action.xml
    echo ' <ComputerName>PIVOT_SERVER</ComputerName>' >>/tmp/action.xml
    echo ' </Target>' >>/tmp/action.xml
    echo ' <Parameter Name="IP">'"$IP"'</Parameter>' >>/tmp/action.xml
    echo ' </SourcedFixletAction>' >>/tmp/action.xml
    echo '</BES>' >>/tmp/action.xml

    Step 3: Invoke the task through the BigFix REST API:

    curl -X POST --data-binary @/tmp/action.xml --user BigfixUser:BigfixPassword -k https://BigfixServerAddress:52311/api/actions >>/tmp/copy.log

    Step 4: The script waits for the remote copy to finish and then replaces the configuration files.

    while [ ! -f /tmp/sudoers ]; do sleep 2; done
    cp /tmp/sudoers /etc/sudoers
    cp /tmp/issue.net /etc/issue.net

    Before this works, you need to create the BigFix task and the copy scripts on the PIVOT_SERVER.

  4. Create the BigFix task and the copy scripts on the PIVOT_SERVER

    The BigFix task is very simple: it just calls an Expect script stored on the PIVOT_SERVER.

    // Copy Task
    action parameter query "IP" with description "Input the IP Address Server to copy files"
    delete "{(client folder of current site as string) & "/__appendfile"}"
    appendfile #!/bin/sh
    appendfile # Enter your action script here
    appendfile /opt/ibm/scripts/rhel-atomic/user_copy.exp {parameter "IP" of action} 1>> /tmp/sh1.log 2>> /tmp/sh1error.log
    wait chmod 555 "{(client folder of current site as string) & "/__appendfile"}"
    wait /bin/sh "{(client folder of current site as string) & "/__appendfile"}"

    You will need to install the Expect package on the PIVOT_SERVER to run Expect scripts.

    The Expect script just copies, with an scp command, all the content of the rhel-atomic repository on the PIVOT_SERVER to the /tmp folder of the newly provisioned server:

    #!/usr/bin/expect
    set arg1 [lindex $argv 0]
    spawn bash -c "scp /opt/ibm/repository/rhel-atomic/* root@$arg1:/tmp"
    expect "yes/no)? "
    send "yes\r"
    expect "assword: "
    send "Root_Password\r"
    interact

    The Expect script has two expect calls: the first handles the connection (because it is a new server, you need to confirm the host key), and the second enters the root password.

  5. Automate the creation of groups and users

    To automate the creation of users and groups, store on the repository server (PIVOT_SERVER) a CSV file with this format:

    TEAM,NAME,USER,GROUP1,GROUP2,EMAIL

    Then, in the Heat template between the #!/bin/bash and the params, add the following lines:

    Step 1: Wait for the BigFix task executed earlier to copy the CSV into the /tmp folder:

    while [ ! -f /tmp/users.csv ]; do sleep 2; done
    echo "Copy finish" >> /var/log/trace.log

    Step 2: Read the CSV file and create the groups:

    i=0
    while read line; do
      i=$(($i+1))
      grupo=$(echo $line | cut -d ',' -f4)
      if [ $i -ne 1 ] && [ -n "$grupo" ]; then groupadd -f "$grupo"; echo "$grupo"; fi
    done < "/tmp/users.csv" >>/tmp/groups.txt
    echo "Groups created" >> /var/log/trace.log

    Step 3: Read the CSV file, create the script that creates the users, and save the password of each one:

    i=0
    while read line; do
      i=$(($i+1))
      name=$(echo $line | cut -d ',' -f2)
      user=$(echo $line | cut -d ',' -f3)
      group=$(echo $line | cut -d ',' -f4)
      email=$(echo $line | cut -d ',' -f6)
      password=$(openssl rand -hex 4)
      if [ $i -ne 1 ] && [ -n "$name" ]; then
        # useradd -p expects an already-hashed password, not the clear text
        hash=$(openssl passwd -1 "$password")
        echo "useradd -c \"$name\" -d /home/$user -g $group -s /bin/bash -p '$hash' $user" >>/tmp/users-create.sh
        echo "$user,$email,$password" >> /tmp/passwords.txt
      fi
    done < "/tmp/users.csv"

    Step 4: Change the permissions of the user creation script and execute it:

    chmod 555 /tmp/users-create.sh
    /tmp/users-create.sh
    echo "Users created" >> /var/log/trace.log

     

    Finally you have the users and groups created, and the password and email of each user stored in /tmp/passwords.txt. If you have an email server, you can read this file and send a mail to each user.

    The last step is to clean up the orchestration with these lines in the Heat template:

    rm -f /tmp/issue.net
    rm -f /tmp/sudoers
    rm -f /tmp/*.sh
    rm -f /tmp/*.rpm
    rm -f /tmp/*.txt
    rm -f /tmp/*.log
    rm -f /tmp/*.csv
    rm -f /tmp/*.xml
    echo "Clean the temporary files" >> /var/log/trace.log
    echo "Provisioning Successfully" >> /var/log/trace.log
    reboot
