diff --git a/README.md b/README.md index e5365f35..2906eceb 100644 --- a/README.md +++ b/README.md @@ -18,3 +18,10 @@ Used by both K8s Helm chart [stackstorm-ha](https://github.com/StackStorm/stacks - `make push` - push the Docker images for all the required StackStorm components to the private docker registry. The following ENV vars can be passed to control the push: - `DOCKER_TAG` (optional, ex: `2.8.0`) - tag pushed to the docker registry, defaults to ST2_VERSION when not set + +## Experimental +Dockerfiles to build and push CentOS/RPM based Stackstorm images + +This builds a "all-in-one" container. Services can be started/stopped for each Stackstorm component. + +This is initially for review, discussion, and verifying an alternative pathway. diff --git a/centos/README.md b/centos/README.md new file mode 100644 index 00000000..81f1c1b6 --- /dev/null +++ b/centos/README.md 
@@ -0,0 +1,162 @@ +# StackStorm CentOS Docker Container + +This is a fork off of the the StackStorm container (https://github.com/StackStorm/st2-dockerfiles) to change the OS to CentOS instead of Ubuntu. It fixes the systemd errors associated with a CentOS container and runs the container in a non-privileged environment. + +## Disclaimer +This is an experimental release of the CentOS container. The container is not guaranteed to be in a stable condition. + +## TL;DR + +Open `https://localhost` in a browser. The default password is `admin:admin`. The password can be changed in `conf/stackstorm.env` + +## Usage + +### Prerequisites +* Docker Engine 1.13.0+ + +### development + +Stackstorm Docs link + +Packs should be developed in their own repository. This is to allow StackStorm the ability to install the packs in a production environment. Eventually submodules of these packs will be added to the `packs/` directory. No packs will be allowed in the master branch unless they are submodules. + + +### systemd fix +There are four fixes to allowing systemd to work inside a container. +1. Mounting /run as a tmpfs +2. Mounting the /sys/fs/cgroup as a read-only volume inside the Container +3. Removing all default systemd wants and only enabling services necessary to the application +4. 
Entrypoint is /sbin/init + +## Known Issues + +## Kubernetes Deployments +Below are Helm Chart snippets to run this container + +### Values yaml +Sample of some expected Helm Values yaml +``` +logLevel: INFO + +# mongodb: +# host: +# mongodbDatabase: +# userName: +# password: + +# rabbitmq: +# host: +# secret: +# name: +# userKey: +# passKey: + +# redis: +# host: +# secret: +# name: +# passKey: + +stackstorm: + # base image + image: + registry: "docker.io" + repository: "stackstorm/st2/all-in-one-st2" + tag: "3.5.0-1" + pullPolicy: "IfNotPresent" + user: "stackstorm" + password: "stanley" + + # for st2web + dnsresolver: + image: + registry: docker.io + repository: janeczku/go-dnsmasq + tag: release-1.0.7 + + # components scaling + actionrunner: + replicas: 4 + api: + replicas: 1 + auth: + replicas: 1 + scheduler: + replicas: 4 + rulesengine: + replicas: 2 + web: + replicas: 2 + timersengine: + replicas: 1 + stream: + replicas: 2 + sensor: + replicas: 1 + notifier: + replicas: 2 + garbagecollector: + replicas: 1 + workflowengine: + replicas: 4 + +st2conf: + docker: |+ + [actionrunner] + + +# rbac: +# assignments: +# mappings: +# roles: +``` + + +### Deployment +In the Deployment yaml for `containers`, the command to run a ST2 Component, the `st2api` as an example: + +`st2api` +``` + containers: + - name: st2api + image: {{ .Values.stackstorm.image.registry }}/{{ .Values.stackstorm.image.repository }}:{{ .Values.stackstorm.image.tag }} + imagePullPolicy: {{ .Values.stackstorm.image.pullPolicy }} + command: + - /opt/stackstorm/st2/bin/st2api + - --config-file=/etc/st2/st2.conf + - --config-file=/etc/st2/st2.docker.conf + - --config-file=/etc/st2/st2.user.conf + env: + value: st2api + ports: + - containerPort: 9101 + protocol: TCP + name: http +``` + + +`st2web` example: +``` + containers: + - name: st2web + image: {{ .Values.stackstorm.image.registry }}/{{ .Values.stackstorm.image.repository }}:{{ .Values.stackstorm.image.tag }} + imagePullPolicy: {{ 
.Values.stackstorm.image.pullPolicy }} + command: + - /bin/bash + - -c + - ST2WEB_TEMPLATE='/etc/nginx/conf.d/st2-https.template' && envsubst '${ST2_AUTH_URL} ${ST2_API_URL} ${ST2_STREAM_URL}' < ${ST2WEB_TEMPLATE} > /etc/nginx/conf.d/st2.conf && exec nginx -g 'daemon off;' + env: + - name: ST2_SERVICE + value: st2web + ports: + - containerPort: 443 + - name: dns-resolver + image: {{ .Values.stackstorm.dnsresolver.image.registry }}/{{ .Values.stackstorm.dnsresolver.image.repository }}:{{ .Values.stackstorm.dnsresolver.image.tag }} + imagePullPolicy: {{ .Values.stackstorm.image.pullPolicy }} + env: + - name: DNSMASQ_ENABLE_SEARCH + value: "1" + ports: + - containerPort: 53 + protocol: UDP +``` \ No newline at end of file diff --git a/centos/base/Dockerfile b/centos/base/Dockerfile new file mode 100644 index 00000000..e36c5e7f --- /dev/null +++ b/centos/base/Dockerfile 
@@ -0,0 +1,216 @@
+FROM centos:8 AS base
+
+# Installs all necessary development packages for a full python compilation.
+RUN dnf update -y \
+ && dnf groupinstall -y "development tools" \
+ && dnf install epel-release -y \
+ && dnf -y install dnf-plugins-core -y \
+ && dnf config-manager --set-enabled powertools -y \
+ && dnf install -y \
+ wget \
+ gcc \
+ openssl-devel \
+ bzip2-devel \
+ libffi \
+ libffi-devel \
+ epel-release \
+ crudini \
+ wget \
+ zlib-devel \
+ ncurses-devel \
+ sqlite-devel \
+ readline-devel \
+ tk-devel \
+ gdbm-devel \
+ libpcap-devel \
+ xz-devel \
+ expat-devel \
+ diffutils
+
+## Installs Python3.7 from source - this is for running Packs with Python other than 3.6
+RUN wget https://www.python.org/ftp/python/3.7.6/Python-3.7.6.tar.xz \
+ && tar -xf ./Python-3.7.6.tar.xz \
+ && cd ./Python-3.7.6 \
+ && ./configure \
+ --enable-optimizations \
+ --with-ensurepip=install \
+ # --enable-loadable-sqlite-extensions \
+ # --enable-shared \
+ # --with-system-expat \
+ # --with-system-ffi \
+ && make -j "$(nproc)" \
+ && cd ..
+
+FROM centos:8 AS release
+
+ENV container docker
+
+ARG ST2_VERSION
+ARG ST2CHATOPS_VERSION
+ARG ST2WEB_VERSION
+
+RUN : "${ST2_VERSION:?Docker build argument needs to be set and non-empty.}"
+
+LABEL maintainer="StackStorm "
+LABEL com.stackstorm.vendor="StackStorm"
+LABEL com.stackstorm.support="Community"
+LABEL com.stackstorm.version="${ST2_VERSION}"
+LABEL com.stackstorm.name="StackStorm K8s HA CentOS"
+LABEL com.stackstorm.description="Docker CentOS image, optimized to run StackStorm \
+components and core services with Highly Available requirements in Kubernetes environment"
+LABEL com.stackstorm.url="https://stackstorm.com/#product"
+
+
+
+ENV LANG=en_US.UTF-8 \
+ LANGUAGE=en_US:en \
+ LC_ALL=en_US.UTF-8
+
+RUN dnf update -y \
+ && dnf install -y \
+ make \
+ glibc-langpack-en \
+ glibc-locale-source \
+ glibc-langpack-en \
+ glibc-locale-source \
+ openssl \
+ epel-release \
+ sudo \
+ wget \
+ git \
+ httpd-tools \
+ systemd \
+ bind \
+ bind-utils \
+ gcc \
+ openldap-devel \
+ gettext \
+ patch \
+ diffutils \
+ zlib-devel \
+ && localedef --no-archive -i en_US -f UTF-8 en_US.UTF-8 \
+ && curl -s https://packagecloud.io/install/repositories/StackStorm/stable/script.rpm.sh | bash \
+ && curl -sL https://rpm.nodesource.com/setup_14.x | bash - \
+ && dnf install -y \
+ st2-${ST2_VERSION} \
+ st2web-${ST2WEB_VERSION} \
+ st2chatops-${ST2CHATOPS_VERSION} \
+ crudini \
+ && dnf clean expire-cache -y \
+ && dnf clean all
+
+
+COPY --from=base /Python-3.7.6 /Python-3.7.6
+
+RUN cd /Python-3.7.6 \
+ && make -j "$(nproc)" altinstall \
+ && cd .. \
+ && rm -rf /Python-3.7.6
+
+ENV LANG=en_US.UTF-8 \
+ LANGUAGE=en_US:en \
+ LC_ALL=en_US.UTF-8 \
+ REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-bundle.crt
+
+ENV LANG=en_US.UTF-8
+ENV LC_ALL=en_US.UTF-8
+
+# Add custom st2 empty config file, used to override original st2.conf
+COPY conf/st2.docker.conf /etc/st2/
+COPY conf/st2.user.conf /etc/st2/
+# Overrides $ST2_CONF for st2ctl to inject several config files
+COPY conf/st2ctl /etc/default/
+COPY conf/logging.docker.conf /etc/st2/
+
+# Creats the encryption key for the datastore
+RUN mkdir -p /etc/st2/keys \
+ && st2-generate-symmetric-crypto-key --key-path /etc/st2/keys/datastore_key.json \
+ && usermod -a -G st2 st2 && chgrp st2 /etc/st2/keys && chmod o-r /etc/st2/keys \
+ && chgrp st2 /etc/st2/keys/datastore_key.json && chmod o-r /etc/st2/keys/datastore_key.json
+
+# Creates stanley user
+RUN mkdir -p /home/stanley/.ssh && chmod 0700 /home/stanley/.ssh \
+ && ssh-keygen -f /home/stanley/.ssh/stanley_rsa -P "" \
+ && cat /home/stanley/.ssh/stanley_rsa.pub >> /home/stanley/.ssh/authorized_keys \
+ && chown -R stanley:stanley /home/stanley/.ssh \
+ && echo "stanley ALL=(ALL) NOPASSWD: SETENV: ALL" >> /etc/sudoers.d/st2 \
+ && chmod 0440 /etc/sudoers.d/st2 \
+ && sed -i -r "s/^Defaults\s+\+?requiretty/# Defaults +requiretty/g" /etc/sudoers
+
+RUN dnf install dnf-plugins-core epel-release -y
+# Generates nginx ssl key
+RUN rpm --import http://nginx.org/keys/nginx_signing.key \
+ && yum-config-manager --add-repo http://nginx.org/packages/centos/7/x86_64 \
+ #&& dnf update -y \
+ && dnf --disablerepo='epel' install -y nginx \
+ && mkdir -p /etc/ssl/st2 \
+ && openssl req -x509 -newkey rsa:2048 -keyout /etc/ssl/st2/st2.key -out /etc/ssl/st2/st2.crt \
+ -days 365 -nodes -subj "/C=US/ST=California/L=Palo Alto/O=StackStorm/OU=Information \
+ Technology/CN=$(hostname)"
+
+# Copys all in one nginx config
+COPY conf/st2-base.cnf /etc/nginx/conf.d/st2-base.cnf
+COPY conf/nginx.conf /etc/nginx/nginx.conf
+
+# Setup 1ppc nginx
+COPY conf/st2-https.template /etc/nginx/conf.d/st2-https.template
+COPY conf/st2.conf-https.patch /tmp
+RUN patch /etc/nginx/conf.d/st2-https.template < /tmp/st2.conf-https.patch
+
+# Systemd requires a SIGRTMIN+3 signal to terminate properly.
+STOPSIGNAL SIGRTMIN+3
+
+# Remove unnecessary systemd targets
+RUN (cd /lib/systemd/system/sysinit.target.wants/; for i in *; do [ $i == systemd-tmpfiles-setup.service ] || rm -f $i; done); \
+rm -f /lib/systemd/system/multi-user.target.wants/*;\
+rm -f /etc/systemd/system/*.wants/*;\
+rm -f /lib/systemd/system/local-fs.target.wants/*; \
+rm -f /lib/systemd/system/sockets.target.wants/*udev*; \
+rm -f /lib/systemd/system/sockets.target.wants/*initctl*; \
+rm -f /lib/systemd/system/basic.target.wants/*;\
+rm -f /lib/systemd/system/anaconda.target.wants/*;
+
+# named (dns server) service
+RUN systemctl enable named.service
+
+# Adds the run directory for systemd. This directory will need to run as a
+# tmpfs directory for systemd to properly work.
+VOLUME /run
+
+# Systemd enabling all st2 components to run at container start time.
+# Results tracker removed https://github.com/StackStorm/st2/issues/5070
+RUN systemctl enable \
+ st2actionrunner \
+ st2api \
+ st2auth \
+ st2garbagecollector \
+ st2notifier \
+ st2rulesengine \
+ st2sensorcontainer \
+ st2scheduler \
+ st2workflowengine \
+ st2timersengine \
+ st2workflowengine \
+ nginx
+
+# Systemd runs as user st2. This changes the log files to allow st2 to run
+RUN chown -R st2 /var/log/st2
+
+# Opens ssh and https ports.
+EXPOSE 22 443
+
+# Used by all stackstorm services
+VOLUME ["/etc/st2"]
+WORKDIR /opt/stackstorm
+
+COPY bin/entrypoint.sh /st2-docker/bin/entrypoint.sh
+
+ENTRYPOINT ["/st2-docker/bin/entrypoint.sh"]
+
+# For all-in-one docker-compose development
+RUN mkdir /opt/stackstorm/packs.dev
+
+# Update oslo/crudini
+RUN source /opt/stackstorm/st2/bin/activate && pip install --upgrade oslo.config
+COPY conf/st2.conf /etc/st2/st2.conf
+RUN pip3.7 install virtualenv
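Review bot: The nginx signing key and repository are fetched over plain HTTP in the `# Generates nginx ssl key` step (`rpm --import http://nginx.org/keys/nginx_signing.key` and `--add-repo http://nginx.org/packages/centos/7/x86_64`), so an on-path attacker can hand the build a substitute key and then packages that verify against it; both URLs should be `https://`. The release-stage package `RUN` also pipes `https://packagecloud.io/.../script.rpm.sh` and `https://rpm.nodesource.com/setup_14.x` straight into `bash`, and the base stage unpacks `Python-3.7.6.tar.xz` without checking its published digest, so a `sha256sum -c` on the tarball and a vendored or hash-checked copy of the two bootstrap scripts would remove the remaining transport-only trust. Separately, `st2-generate-symmetric-crypto-key` and `ssh-keygen -f /home/stanley/.ssh/stanley_rsa -P ""` run at build time, which bakes one datastore encryption key and one stanley private key into the image layers and into every container started from it; generating them in the entrypoint on first start, or mounting them, keeps them per-deployment. Finally, `COPY conf/st2.conf /etc/st2/st2.conf` comes after `VOLUME ["/etc/st2"]`; the classic builder discards changes made under an already-declared volume path, so it is worth confirming the copied file actually lands in the image (moving that `COPY` above the `VOLUME` line sidesteps the question).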
diff --git a/centos/base/bin/entrypoint.sh b/centos/base/bin/entrypoint.sh
new file mode 100755
index 00000000..11b38f24
--- /dev/null
+++ b/centos/base/bin/entrypoint.sh
@@ -0,0 +1,154 @@
+#!/bin/bash
+
+# Create htpasswd file and login to st2 using specified username/password
+htpasswd -b /etc/st2/htpasswd ${ST2_USER} ${ST2_PASSWORD}
+
+mkdir -p /root/.st2
+
+ROOT_CONF=/root/.st2/config
+ST2_CONF=/etc/st2/st2.conf
+LOG_LEVEL=${LOG_LEVEL:="INFO"}
+
+touch ${ROOT_CONF}
+
+crudini --set ${ROOT_CONF} credentials username ${ST2_USER}
+crudini --set ${ROOT_CONF} credentials password ${ST2_PASSWORD}
+
+# change the logging to use logging docker configuration
+crudini --set ${ST2_CONF} stream logging /etc/st2/logging.docker.conf
+crudini --set ${ST2_CONF} sensorcontainer logging /etc/st2/logging.docker.conf
+crudini --set ${ST2_CONF} rulesengine logging /etc/st2/logging.docker.conf
+crudini --set ${ST2_CONF} actionrunner logging /etc/st2/logging.docker.conf
+crudini --set ${ST2_CONF} resultstracker logging /etc/st2/logging.docker.conf
+crudini --set ${ST2_CONF} notifier logging /etc/st2/logging.docker.conf
+crudini --set ${ST2_CONF} exporter logging /etc/st2/logging.docker.conf
+crudini --set ${ST2_CONF} garbagecollector logging /etc/st2/logging.docker.conf
+crudini --set ${ST2_CONF} timersengine logging /etc/st2/logging.docker.conf
+crudini --set ${ST2_CONF} auth logging /etc/st2/logging.docker.conf
+crudini --set ${ST2_CONF} api logging /etc/st2/logging.docker.conf
+crudini --set ${ST2_CONF} workflowengine logging /etc/st2/logging.docker.conf
+crudini --set ${ST2_CONF} workflow_engine logging /etc/st2/logging.docker.conf
+crudini --set ${ST2_CONF} scheduler logging /etc/st2/logging.docker.conf
+
+# change the systemd targets to use the st2 configuration for logs
+SYSD_PATH=/etc/systemd/system/multi-user.target.wants
+
+## ST2API Service
+crudini --set ${SYSD_PATH}/st2api.service Service User root
+crudini --set ${SYSD_PATH}/st2api.service Service Group root
+crudini --set ${SYSD_PATH}/st2api.service Service Environment "\"DAEMON_ARGS=-k eventlet -b 127.0.0.1:9101 --workers 1 --threads 1 --graceful-timeout 10 --timeout 30 --log-config /etc/st2/logging.docker.conf\""
+crudini --set ${SYSD_PATH}/st2api.service Service ExecStart "/bin/sh -c 'exec /opt/stackstorm/st2/bin/gunicorn st2api.wsgi:application $DAEMON_ARGS &> /proc/1/fd/1'"
+
+## ST2AUTH Service
+crudini --set ${SYSD_PATH}/st2auth.service Service User root
+crudini --set ${SYSD_PATH}/st2auth.service Service Group root
+crudini --set ${SYSD_PATH}/st2auth.service Service Environment "\"DAEMON_ARGS=-k eventlet -b 127.0.0.1:9100 --workers 1 --threads 1 --graceful-timeout 10 --timeout 30 --log-config /etc/st2/logging.docker.conf\""
+crudini --set ${SYSD_PATH}/st2auth.service Service ExecStart "/bin/sh -c 'exec /opt/stackstorm/st2/bin/gunicorn st2auth.wsgi:application $DAEMON_ARGS &> /proc/1/fd/1'"
+
+## ST2STREAM Service
+crudini --set ${SYSD_PATH}/st2stream.service Service User root
+crudini --set ${SYSD_PATH}/st2stream.service Service Group root
+crudini --set ${SYSD_PATH}/st2stream.service Service Environment "\"DAEMON_ARGS=-k eventlet -b 127.0.0.1:9102 --workers 1 --threads 10 --graceful-timeout 10 --timeout 30 --log-config /etc/st2/logging.docker.conf\""
+crudini --set ${SYSD_PATH}/st2stream.service Service ExecStart "/bin/sh -c 'exec /opt/stackstorm/st2/bin/gunicorn st2stream.wsgi:application $DAEMON_ARGS &> /proc/1/fd/1'"
+
+## ST2ACTIONRUNNER Service
+crudini --set ${SYSD_PATH}/st2actionrunner.service Service User root
+crudini --set ${SYSD_PATH}/st2actionrunner.service Service Group root
+crudini --set ${SYSD_PATH}/st2actionrunner.service Service ExecStart "/bin/sh -c 'exec /opt/stackstorm/st2/bin/python /opt/stackstorm/st2/bin/st2actionrunner --config-file /etc/st2/st2.conf --config-file /etc/st2/st2.docker.conf &> /proc/1/fd/1'"
+
+## ST2GARBAGECOLLECTOR Service
+crudini --set ${SYSD_PATH}/st2garbagecollector.service Service User root
+crudini --set ${SYSD_PATH}/st2garbagecollector.service Service Group root
+crudini --set ${SYSD_PATH}/st2garbagecollector.service Service Environment "\"DAEMON_ARGS=--config-file /etc/st2/st2.conf --config-file /etc/st2/st2.docker.conf\""
+crudini --set ${SYSD_PATH}/st2garbagecollector.service Service ExecStart "/bin/sh -c 'exec /opt/stackstorm/st2/bin/st2garbagecollector $DAEMON_ARGS &> /proc/1/fd/1'"
+
+## ST2NOTIFIER Service
+crudini --set ${SYSD_PATH}/st2notifier.service Service User root
+crudini --set ${SYSD_PATH}/st2notifier.service Service Group root
+crudini --set ${SYSD_PATH}/st2notifier.service Service Environment "\"DAEMON_ARGS=--config-file /etc/st2/st2.conf --config-file /etc/st2/st2.docker.conf\""
+crudini --set ${SYSD_PATH}/st2notifier.service Service ExecStart "/bin/sh -c 'exec /opt/stackstorm/st2/bin/st2notifier $DAEMON_ARGS &> /proc/1/fd/1'"
+
+## ST2RESULTSTRACKER Service
+crudini --set ${SYSD_PATH}/st2resultstracker.service Service User root
+crudini --set ${SYSD_PATH}/st2resultstracker.service Service Group root
+crudini --set ${SYSD_PATH}/st2resultstracker.service Service Environment "\"DAEMON_ARGS=--config-file /etc/st2/st2.conf --config-file /etc/st2/st2.docker.conf\""
+crudini --set ${SYSD_PATH}/st2resultstracker.service Service ExecStart "/bin/sh -c 'exec /opt/stackstorm/st2/bin/st2resultstracker $DAEMON_ARGS &> /proc/1/fd/1'"
+
+## ST2RULESENGINE Service
+crudini --set ${SYSD_PATH}/st2rulesengine.service Service User root
+crudini --set ${SYSD_PATH}/st2rulesengine.service Service Group root
+crudini --set ${SYSD_PATH}/st2rulesengine.service Service Environment "\"DAEMON_ARGS=--config-file /etc/st2/st2.conf --config-file /etc/st2/st2.docker.conf\""
+crudini --set ${SYSD_PATH}/st2rulesengine.service Service ExecStart "/bin/sh -c 'exec /opt/stackstorm/st2/bin/st2rulesengine $DAEMON_ARGS &> /proc/1/fd/1'"
+
+## ST2SCHEDULER Service
+crudini --set ${SYSD_PATH}/st2scheduler.service Service User root
+crudini --set ${SYSD_PATH}/st2scheduler.service Service Group root
+crudini --set ${SYSD_PATH}/st2scheduler.service Service Environment "\"DAEMON_ARGS=--config-file /etc/st2/st2.conf --config-file /etc/st2/st2.docker.conf\""
+crudini --set ${SYSD_PATH}/st2scheduler.service Service ExecStart "/bin/sh -c 'exec /opt/stackstorm/st2/bin/st2scheduler $DAEMON_ARGS &> /proc/1/fd/1'"
+
+## ST2SENSORCONTAINER Service
+crudini --set ${SYSD_PATH}/st2sensorcontainer.service Service User root
+crudini --set ${SYSD_PATH}/st2sensorcontainer.service Service Group root
+crudini --set ${SYSD_PATH}/st2sensorcontainer.service Service Environment "\"DAEMON_ARGS=--config-file /etc/st2/st2.conf --config-file /etc/st2/st2.docker.conf\""
+crudini --set ${SYSD_PATH}/st2sensorcontainer.service Service ExecStart "/bin/sh -c 'exec /opt/stackstorm/st2/bin/st2sensorcontainer $DAEMON_ARGS &> /proc/1/fd/1'"
+
+## ST2TIMERSENGINE Service
+crudini --set ${SYSD_PATH}/st2timersengine.service Service User root
+crudini --set ${SYSD_PATH}/st2timersengine.service Service Group root
+crudini --set ${SYSD_PATH}/st2timersengine.service Service Environment "\"DAEMON_ARGS=--config-file /etc/st2/st2.conf --config-file /etc/st2/st2.docker.conf\""
+crudini --set ${SYSD_PATH}/st2timersengine.service Service ExecStart "/bin/sh -c 'exec /opt/stackstorm/st2/bin/st2timersengine $DAEMON_ARGS &> /proc/1/fd/1'"
+
+## ST2WORKFLOWENGINE Service
+crudini --set ${SYSD_PATH}/st2workflowengine.service Service User root
+crudini --set ${SYSD_PATH}/st2workflowengine.service Service Group root
+crudini --set ${SYSD_PATH}/st2workflowengine.service Service Environment "\"DAEMON_ARGS=--config-file /etc/st2/st2.conf --config-file /etc/st2/st2.docker.conf\""
+crudini --set ${SYSD_PATH}/st2workflowengine.service Service ExecStart "/bin/sh -c 'exec /opt/stackstorm/st2/bin/st2workflowengine $DAEMON_ARGS &> /proc/1/fd/1'"
+
+# set log level
+crudini --set /etc/st2/logging.docker.conf logger_root level ${LOG_LEVEL}
+crudini --set /etc/st2/logging.docker.conf handler_consoleHandler level ${LOG_LEVEL}
+# set auth configuration to true by default
+crudini --set ${ST2_CONF} auth enable True
+
+ST2_CONF=/etc/st2/st2.conf
+crudini --set ${ST2_CONF} content packs_base_paths /opt/stackstorm/packs.dev
+
+ST2_API_URL=${ST2_API_URL:-http://127.0.0.1:9101}
+
+# Sets the metrics host
+if [ ! -z ${STATSD_HOST} ];then
+ crudini --set ${ST2_CONF} metrics host ${STATSD_HOST}
+fi
+
+if [ ! -z ${STATSD_PORT} ];then
+ crudini --set ${ST2_CONF} metrics port ${STATSD_PORT}
+fi
+
+
+crudini --set ${ST2_CONF} auth api_url ${ST2_API_URL}
+crudini --set ${ST2_CONF} messaging url \
+ amqp://${RABBITMQ_DEFAULT_USER}:${RABBITMQ_DEFAULT_PASS}@${RABBITMQ_HOST}:${RABBITMQ_PORT}
+crudini --set ${ST2_CONF} coordination url \
+ redis://:${REDIS_PASSWORD}@${REDIS_HOST}:${REDIS_PORT}
+crudini --set ${ST2_CONF} database host ${MONGO_HOST}
+crudini --set ${ST2_CONF} database port ${MONGO_PORT}
+if [ ! -z ${MONGO_DB} ]; then
+ crudini --set ${ST2_CONF} database db_name ${MONGO_DB}
+fi
+if [ ! -z ${MONGO_USER} ]; then
+ crudini --set ${ST2_CONF} database username ${MONGO_USER}
+fi
+if [ ! -z ${MONGO_PASS} ]; then
+ crudini --set ${ST2_CONF} database password ${MONGO_PASS}
+fi
+
+## Garbage Collection
+crudini --set ${ST2_CONF} garbagecollector action_executions_ttl 30
+crudini --set ${ST2_CONF} garbagecollector action_executions_output_ttl 30
+crudini --set ${ST2_CONF} garbagecollector trigger_instances_ttl 30
+
+# Ensure the base st2 nginx config is used
+
+( cd /etc/nginx/conf.d && ln -sf st2-base.cnf st2.conf )
+
+exec /sbin/init
\ No newline at end of file
diff --git a/centos/base/build.sh b/centos/base/build.sh
new file mode 100755
index 00000000..09792e8a
--- /dev/null
+++ b/centos/base/build.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+# Check https://packagecloud.io/StackStorm/stable for newer versions
+ST2_VERSION="3.5.0-1"
+ST2WEB_VERSION="3.5.0-1"
+ST2CHATOPS_VERSION="3.5.0-1"
+
+docker build \
+ --build-arg ST2_VERSION=${ST2_VERSION} \
+ --build-arg ST2WEB_VERSION=${ST2WEB_VERSION} \
+ --build-arg ST2CHATOPS_VERSION=${ST2CHATOPS_VERSION} \
+ -t stackstorm/st2/all-in-one-st2:${ST2_VERSION} \
+ .
+
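Review bot: Every `## ST2* Service` block rewrites the unit with `Service User root` / `Service Group root`, so all StackStorm components — including `st2actionrunner`, which executes pack code and local shell actions — run as root inside the container; that overrides the service user the packaged units ship with (the Dockerfile's own comment above `chown -R st2 /var/log/st2` says systemd runs as st2) and contradicts the README's non-privileged claim. If the override exists only because an unprivileged process cannot open `/proc/1/fd/1` for the `ExecStart` redirect, that reason deserves a comment here and a different mechanism (a world-writable FIFO that PID 1 drains, or systemd's own `StandardOutput=` routing) rather than root for the whole stack; otherwise drop the two `User`/`Group` lines, or set them to `st2`, and keep only the `ExecStart` rewrite. Also, `${ST2_USER}`, `${ST2_PASSWORD}` and the `RABBITMQ_*`/`REDIS_*`/`MONGO_*` values are expanded unquoted into `htpasswd -b` and `crudini --set`, so a password containing whitespace or glob characters is word-split or globbed before it reaches the tool, and the script has no `set -e`, so one failed `crudini` call leaves a half-written st2.conf that `exec /sbin/init` then starts the services against. Quoting the expansions, e.g. `htpasswd -b /etc/st2/htpasswd "${ST2_USER}" "${ST2_PASSWORD}"`, and adding `set -eu` after the shebang addresses both.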
diff --git a/centos/base/conf/logging.docker.conf b/centos/base/conf/logging.docker.conf new file mode 100644 index 00000000..58a75c09 --- /dev/null +++ b/centos/base/conf/logging.docker.conf @@ -0,0 +1,36 @@ +[loggers] +keys=root + +[handlers] +keys=consoleHandler + +[formatters] +keys=simpleConsoleFormatter, verboseConsoleFormatter, gelfFormatter, jsonFormatter + +[logger_root] +level=INFO +handlers=consoleHandler + +[handler_consoleHandler] +class=StreamHandler +level=INFO +formatter=simpleConsoleFormatter +args=(sys.stdout,) + +[formatter_simpleConsoleFormatter] +class=st2common.logging.formatters.ConsoleLogFormatter +format=%(asctime)s %(levelname)s [-] %(message)s +datefmt= + +[formatter_verboseConsoleFormatter] +class=st2common.logging.formatters.ConsoleLogFormatter +format=%(asctime)s %(thread)s %(levelname)s %(module)s [-] %(message)s +datefmt= + +[formatter_gelfFormatter] +class=st2common.logging.formatters.GelfLogFormatter +format=%(message)s + +[formatter_jsonFormatter] +class=pythonjsonlogger.jsonlogger.JsonFormatter +format=%(asctime) %(thread) %(levelname) %(module) %(message) \ No newline at end of file diff --git a/centos/base/conf/nginx.conf b/centos/base/conf/nginx.conf new file mode 100644 index 00000000..13a38731 --- /dev/null +++ b/centos/base/conf/nginx.conf 
@@ -0,0 +1,65 @@ +user nginx; +worker_processes auto; +error_log /var/log/nginx/error.log; +pid /run/nginx.pid; + +# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic. +include /usr/share/nginx/modules/*.conf; + +events { + worker_connections 1024; +} + +http { + log_format main '$remote_addr - $remote_user [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for"'; + + access_log /var/log/nginx/access.log main; + + sendfile on; + tcp_nopush on; + tcp_nodelay on; + keepalive_timeout 65; + types_hash_max_size 2048; + + include /etc/nginx/mime.types; + default_type application/octet-stream; + + # Load modular configuration files from the /etc/nginx/conf.d directory. + # See http://nginx.org/en/docs/ngx_core_module.html#include + # for more information. + include /etc/nginx/conf.d/*.conf; + + +# Settings for a TLS enabled server. +# +# server { +# listen 443 ssl http2 default_server; +# listen [::]:443 ssl http2 default_server; +# server_name _; +# root /usr/share/nginx/html; +# +# ssl_certificate "/etc/pki/nginx/server.crt"; +# ssl_certificate_key "/etc/pki/nginx/private/server.key"; +# ssl_session_cache shared:SSL:1m; +# ssl_session_timeout 10m; +# ssl_ciphers PROFILE=SYSTEM; +# ssl_prefer_server_ciphers on; +# +# # Load configuration files for the default server block. +# include /etc/nginx/default.d/*.conf; +# +# location / { +# } +# +# error_page 404 /404.html; +# location = /40x.html { +# } +# +# error_page 500 502 503 504 /50x.html; +# location = /50x.html { +# } +# } + +} diff --git a/centos/base/conf/st2-base.cnf b/centos/base/conf/st2-base.cnf new file mode 100644 index 00000000..74fc6407 --- /dev/null +++ b/centos/base/conf/st2-base.cnf 
@@ -0,0 +1,148 @@ +# +# nginx configuration to expose st2 webui, redirect HTTP->HTTPS, +# provide SSL termination, and reverse-proxy st2api and st2auth API endpoint. +# To enable: +# cp ${LOCATION}/st2.conf /etc/nginx/sites-available +# ln -l /etc/nginx/sites-available/st2.conf /etc/nginx/sites-enabled/st2.conf +# see https://docs.stackstorm.com/install.html for details + +server { + listen *:80 default_server; + + client_max_body_size 0; + + add_header Front-End-Https on; + add_header X-Content-Type-Options nosniff; + + if ($ssl_protocol = "") { + return 301 https://$host$request_uri; + } + + index index.html; + + access_log /var/log/nginx/st2webui.access.log combined; + error_log /var/log/nginx/st2webui.error.log; +} + +server { + listen *:443 ssl; + + client_max_body_size 0; + + ssl on; + + ssl_certificate /etc/ssl/st2/st2.crt; + ssl_certificate_key /etc/ssl/st2/st2.key; + ssl_session_cache shared:SSL:10m; + ssl_session_timeout 5m; + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA128:DHE-RSA-AES128-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA128:ECDHE-RSA-AES128-SHA384:ECDHE-RSA-AES128-SHA128:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:AES128-GCM-SHA384:AES128-GCM-SHA128:AES128-SHA128:AES128-SHA128:AES128-SHA:AES128-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4; + ssl_prefer_server_ciphers on; + + index index.html; + + access_log /var/log/nginx/ssl-st2webui.access.log combined; + error_log /var/log/nginx/ssl-st2webui.error.log; + + add_header Front-End-Https on; + add_header X-Content-Type-Options nosniff; + + location @apiError { + add_header Content-Type application/json always; + return 503 '{ "faultstring": "Nginx is unable to reach st2api. Make sure service is running." 
}'; + } + + location /api/ { + error_page 502 = @apiError; + + rewrite ^/api/(.*) /$1 break; + + proxy_pass http://127.0.0.1:9101/; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_redirect off; + + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + + proxy_set_header Connection ''; + chunked_transfer_encoding off; + proxy_buffering off; + proxy_cache off; + proxy_set_header Host $host; + } + + location @streamError { + add_header Content-Type text/event-stream; + return 200 "retry: 1000\n\n"; + } + + # For backward compatibility reasons, rewrite requests from "/api/stream" + # to "/stream/v1/stream" and "/api/v1/stream" to "/stream/v1/stream" + rewrite ^/api/stream/?$ /stream/v1/stream break; + rewrite ^/api/(v\d)/stream/?$ /stream/$1/stream break; + location /stream/ { + error_page 502 = @streamError; + + rewrite ^/stream/(.*) /$1 break; + + proxy_pass http://127.0.0.1:9102/; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + + sendfile on; + tcp_nopush on; + tcp_nodelay on; + + # Disable buffering and chunked encoding. + # In the stream case we want to receive the whole payload at once, we don't + # want multiple chunks. + proxy_set_header Connection ''; + chunked_transfer_encoding off; + proxy_buffering off; + proxy_cache off; + } + + location @authError { + add_header Content-Type application/json always; + return 503 '{ "faultstring": "Nginx is unable to reach st2auth. Make sure service is running." 
}'; + } + + location /auth/ { + error_page 502 = @authError; + + rewrite ^/auth/(.*) /$1 break; + + proxy_pass http://127.0.0.1:9100/; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_redirect off; + + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_pass_header Authorization; + + proxy_set_header Connection ''; + chunked_transfer_encoding off; + proxy_buffering off; + proxy_cache off; + proxy_set_header Host $host; + } + + location /nginx_status { + stub_status on; + access_log off; + } + + location / { + root /opt/stackstorm/static/webui/; + index index.html; + + sendfile on; + tcp_nopush on; + tcp_nodelay on; + } +} diff --git a/centos/base/conf/st2-https.template b/centos/base/conf/st2-https.template new file mode 100644 index 00000000..8f1c4a34 --- /dev/null +++ b/centos/base/conf/st2-https.template 
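Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` in the `listen *:443 ssl` server re-enables TLS 1.0 and 1.1, which are deprecated and refused by current clients anyway; `ssl_protocols TLSv1.2 TLSv1.3;` is the setting to ship (TLSv1.3 takes effect only when the linked OpenSSL supports it, which is worth checking given the nginx package comes from the centos/7 repo). The `ssl_ciphers` list also contains names that do not exist in OpenSSL (`ECDHE-RSA-AES128-GCM-SHA128`, `AES128-SHA128`) and several duplicates, and OpenSSL appears to drop unknown names silently, so what is actually negotiated is not what the line suggests; regenerating the list from `openssl ciphers -v` or a published intermediate profile is safer than hand-editing it. `location /nginx_status { stub_status on; ... }` is reachable by anyone who can connect to 443 and exposes connection counts; add `allow 127.0.0.1; deny all;` inside it. Since port 80 already redirects to HTTPS, an `add_header Strict-Transport-Security "max-age=31536000" always;` in the 443 server would prevent downgrade on return visits — the `Front-End-Https on` header is not a substitute for it.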
@@ -0,0 +1,143 @@ +# +# nginx configuration to expose st2 webui, redirect HTTP->HTTPS, +# provide SSL termination, and reverse-proxy st2api and st2auth API endpoint. +# To enable: +# cp ${LOCATION}/st2.conf /etc/nginx/sites-available +# ln -l /etc/nginx/sites-available/st2.conf /etc/nginx/sites-enabled/st2.conf +# see https://docs.stackstorm.com/install.html for details + +server { + listen *:80 default_server; + + add_header Front-End-Https on; + add_header X-Content-Type-Options nosniff; + + if ($ssl_protocol = "") { + return 308 https://$host$request_uri; + } + + index index.html; + + access_log /var/log/nginx/st2webui.access.log combined; + error_log /var/log/nginx/st2webui.error.log; +} + +server { + listen *:443 ssl; + + ssl on; + + ssl_certificate /etc/ssl/st2/st2.crt; + ssl_certificate_key /etc/ssl/st2/st2.key; + ssl_session_cache shared:SSL:10m; + ssl_session_timeout 5m; + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA128:DHE-RSA-AES128-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA128:ECDHE-RSA-AES128-SHA384:ECDHE-RSA-AES128-SHA128:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:AES128-GCM-SHA384:AES128-GCM-SHA128:AES128-SHA128:AES128-SHA128:AES128-SHA:AES128-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4; + ssl_prefer_server_ciphers on; + + index index.html; + + access_log /var/log/nginx/ssl-st2webui.access.log combined; + error_log /var/log/nginx/ssl-st2webui.error.log; + + add_header Front-End-Https on; + add_header X-Content-Type-Options nosniff; + + location @apiError { + add_header Content-Type application/json always; + return 503 '{ "faultstring": "Nginx is unable to reach st2api. Make sure service is running." 
}'; + } + + location /api/ { + error_page 502 = @apiError; + + rewrite ^/api/(.*) /$1 break; + + proxy_pass http://127.0.0.1:9101/; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_redirect off; + + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + + proxy_set_header Connection ''; + chunked_transfer_encoding off; + proxy_buffering off; + proxy_cache off; + proxy_set_header Host $host; + } + + location @streamError { + add_header Content-Type text/event-stream; + return 200 "retry: 1000\n\n"; + } + + # For backward compatibility reasons, rewrite requests from "/api/stream" + # to "/stream/v1/stream" and "/api/v1/stream" to "/stream/v1/stream" + rewrite ^/api/stream/?$ /stream/v1/stream break; + rewrite ^/api/(v\d)/stream/?$ /stream/$1/stream break; + location /stream/ { + error_page 502 = @streamError; + + rewrite ^/stream/(.*) /$1 break; + + proxy_pass http://127.0.0.1:9102/; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + + sendfile on; + tcp_nopush on; + tcp_nodelay on; + + # Disable buffering and chunked encoding. + # In the stream case we want to receive the whole payload at once, we don't + # want multiple chunks. + proxy_set_header Connection ''; + chunked_transfer_encoding off; + proxy_buffering off; + proxy_cache off; + } + + location @authError { + add_header Content-Type application/json always; + return 503 '{ "faultstring": "Nginx is unable to reach st2auth. Make sure service is running." 
}'; + } + + location /auth/ { + error_page 502 = @authError; + + rewrite ^/auth/(.*) /$1 break; + + proxy_pass http://127.0.0.1:9100/; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_redirect off; + + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_pass_header Authorization; + + proxy_set_header Connection ''; + chunked_transfer_encoding off; + proxy_buffering off; + proxy_cache off; + proxy_set_header Host $host; + } + location /nginx_status { + stub_status on; + access_log off; + } + + location / { + root /opt/stackstorm/static/webui/; + index index.html; + + sendfile on; + tcp_nopush on; + tcp_nodelay on; + } +} diff --git a/centos/base/conf/st2.conf b/centos/base/conf/st2.conf new file mode 100644 index 00000000..a9696613 --- /dev/null +++ b/centos/base/conf/st2.conf 
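Review bot: This template is a near-verbatim copy of `st2-base.cnf` and carries the same TLS settings — `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;`, the hand-written cipher list with non-existent suite names, and an unrestricted `location /nginx_status` — so whatever fix lands in the base config has to be duplicated here, and the two have already diverged (`return 308` versus `return 301`, and `client_max_body_size 0` exists only in the base file). Consider keeping the shared `server` blocks in one file that both configs `include`, or at least mirror the protocol and stub_status changes here so the Kubernetes path is not weaker than the all-in-one path. Note that the Dockerfile applies `conf/st2.conf-https.patch` to this file at build time; that patch is not in this view, so it may already alter some of these lines.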
@@ -0,0 +1,98 @@
+# System-wide configuration
+
+[api]
+# Host and port to bind the API server.
+host = 127.0.0.1
+port = 9101
+logging = /etc/st2/logging.api.gunicorn.conf
+mask_secrets = True
+# allow_origin is required for handling CORS in st2 web UI.
+# allow_origin = http://myhost1.example.com:3000,http://myhost2.example.com:3000
+
+[stream]
+logging = /etc/st2/logging.stream.gunicorn.conf
+
+[sensorcontainer]
+logging = /etc/st2/logging.sensorcontainer.conf
+
+[rulesengine]
+logging = /etc/st2/logging.rulesengine.conf
+
+[actionrunner]
+logging = /etc/st2/logging.actionrunner.conf
+python_binary = /usr/local/bin/python3.7
+virtualenv_binary = /usr/local/bin/virtualenv
+stream_output = False
+
+[resultstracker]
+logging = /etc/st2/logging.resultstracker.conf
+
+[notifier]
+logging = /etc/st2/logging.notifier.conf
+
+[exporter]
+logging = /etc/st2/logging.exporter.conf
+
+[garbagecollector]
+logging = /etc/st2/logging.garbagecollector.conf
+purge_inquiries = True
+trigger_instances_ttl = 7
+action_executions_ttls = 30
+action_executions_output_ttl = 30
+
+[timersengine]
+logging = /etc/st2/logging.timersengine.conf
+
+[auth]
+host = 127.0.0.1
+port = 9100
+use_ssl = False
+debug = False
+enable = False
+logging = /etc/st2/logging.auth.gunicorn.conf
+
+mode = standalone
+
+# Note: Settings below are only used in "standalone" mode
+backend = flat_file
+backend_kwargs = {"file_path": "/etc/st2/htpasswd"}
+
+# Base URL to the API endpoint excluding the version (e.g. http://myhost.net:9101/)
+api_url =
+
+[system]
+base_path = /opt/stackstorm
+
+[webui]
+# webui_base_url = https://mywebhost.domain
+
+[syslog]
+host = 127.0.0.1
+port = 514
+facility = local7
+protocol = udp
+
+[log]
+excludes = requests,paramiko
+redirect_stderr = False
+mask_secrets = True
+
+[system_user]
+user = stanley
+ssh_key_file = /home/stanley/.ssh/stanley_rsa
+
+[messaging]
+url = amqp://guest:guest@127.0.0.1:5672/
+
+[ssh_runner]
+remote_dir = /tmp
+
+[workflow_engine]
+logging = /etc/st2/logging.workflowengine.conf
+
+[scheduler]
+logging = /etc/st2/logging.scheduler.conf
+
+[rbac]
+enable = True
+backend = default
diff --git a/centos/base/conf/st2.conf-https.patch b/centos/base/conf/st2.conf-https.patch
new file mode 100644
index 00000000..e74b93a4
--- /dev/null
+++ b/centos/base/conf/st2.conf-https.patch
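Review bot: `[messaging] url = amqp://guest:guest@127.0.0.1:5672/` bakes the broker's well-known default account and a loopback host into the image, while `conf/rabbitmq.env` in the compose hunk provisions the broker as `admin`/`admin` on host `rabbitmq`, so the two cannot both be what the services actually use. Presumably an entrypoint rewrites this section (and adds a `[database]` section, which is absent here) from the env files at start-up; if so, say it in the file, e.g. `# placeholder: the container entrypoint rewrites [messaging]/[database] from the RABBITMQ_*/MONGO_* env vars — do not rely on these values`, and if not, the services will try guest/guest, which RabbitMQ by default only accepts from localhost. Likewise `[auth] enable = False` and the loopback `host` values are flipped by `st2.tmp.conf` at build time, so a one-line comment pointing there would save the next reader a search.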
@@ -0,0 +1,51 @@
+--- /etc/nginx/conf.d/st2.template 2019-05-27 14:11:20.000000000 -0700
++++ /etc/nginx/conf.d/st2.conf 2019-05-27 14:22:11.000000000 -0700
+@@ -18,8 +18,8 @@
+
+ index index.html;
+
+- access_log /var/log/nginx/st2webui.access.log combined;
+- error_log /var/log/nginx/st2webui.error.log;
++ access_log /proc/self/fd/1 combined;
++ error_log stderr;
+ }
+
+ server {
+@@ -37,8 +37,8 @@
+
+ index index.html;
+
+- access_log /var/log/nginx/ssl-st2webui.access.log combined;
+- error_log /var/log/nginx/ssl-st2webui.error.log;
++ access_log /proc/self/fd/1 combined;
++ error_log stderr;
+
+ add_header Front-End-Https on;
+ add_header X-Content-Type-Options nosniff;
+@@ -53,7 +53,7 @@
+
+ rewrite ^/api/(.*) /$1 break;
+
+- proxy_pass http://127.0.0.1:9101/;
++ proxy_pass ${ST2_API_URL};
+ proxy_read_timeout 90;
+ proxy_connect_timeout 90;
+ proxy_redirect off;
+@@ -83,7 +83,7 @@
+
+ rewrite ^/stream/(.*) /$1 break;
+
+- proxy_pass http://127.0.0.1:9102/;
++ proxy_pass ${ST2_STREAM_URL};
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+@@ -111,7 +111,7 @@
+
+ rewrite ^/auth/(.*) /$1 break;
+
+- proxy_pass http://127.0.0.1:9100/;
++ proxy_pass ${ST2_AUTH_URL};
+ proxy_read_timeout 90;
+ proxy_connect_timeout 90;
+ proxy_redirect off;
diff --git a/centos/base/conf/st2.docker.conf b/centos/base/conf/st2.docker.conf
new file mode 100644
index 00000000..450259fe
--- /dev/null
+++ b/centos/base/conf/st2.docker.conf
@@ -0,0 +1,6 @@
+# /etc/st2/st2.docker.conf
+#
+# This is override st2 config file which will be passed to any st2 command, like this:
+# `--config-file /etc/st2/st2.conf --config-file /etc/st2/st2.docker.conf --config-file /etc/st2/st2.user.conf`
+# making possible to keep custom st2 config directives in it, instead of modifying the original st2.conf every time.
+# The order of merging: st2.conf < st2.docker.conf < st2.user.conf
\ No newline at end of file
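Review bot: The replacement `proxy_pass ${ST2_API_URL};` (and `${ST2_STREAM_URL}`, `${ST2_AUTH_URL}` in the later nested hunks) uses shell-style `${VAR}` syntax that nginx itself does not expand, so the patched file must be rendered by something like envsubst before nginx reads it. If that renderer is run without a variable list it will also replace nginx's own `$host`, `$remote_addr` and `$proxy_add_x_forwarded_for` in the same file with empty strings, silently breaking the forwarded headers; restrict it to the three names, e.g. `envsubst '${ST2_API_URL} ${ST2_STREAM_URL} ${ST2_AUTH_URL}'`. The patch also pins exact offsets (`@@ -18,8`, `@@ -37,8`, …) against one specific upstream `st2.template`, so a header comment naming the st2 package version it was generated from would make drift easier to diagnose when `patch` starts rejecting hunks.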
diff --git a/centos/base/conf/st2.tmp.conf b/centos/base/conf/st2.tmp.conf
new file mode 100644
index 00000000..73ac68ab
--- /dev/null
+++ b/centos/base/conf/st2.tmp.conf
@@ -0,0 +1,21 @@
+# Temporary st2 conf file, which will apply settings on top of default st2.conf during the Docker build
+# Set all Docker and st2.conf values here you want to hardcode
+
+[auth]
+enable = True
+host = 0.0.0.0
+[api]
+host = 0.0.0.0
+[stream]
+host = 0.0.0.0
+
+# Don't try to reconnect to MQ and exit early and allow k8s to handle reconnection's instead
+[messaging]
+connection_retry_wait = 0
+connection_retries = 0
+
+# Don't try to reconnect to database and exit early and allow k8s to handle reconnection's instead
+[database]
+connection_retry_max_delay_m = 0
+connection_retry_backoff_max_s = 0
+connection_retry_backoff_mul = 0
\ No newline at end of file
diff --git a/centos/base/conf/st2.user.conf b/centos/base/conf/st2.user.conf
new file mode 100644
index 00000000..f4d2336a
--- /dev/null
+++ b/centos/base/conf/st2.user.conf
@@ -0,0 +1,6 @@
+# /etc/st2/st2.user.conf
+#
+# This is override st2 config file which will be passed to any st2 command, like this:
+# `--config-file /etc/st2/st2.conf --config-file /etc/st2/st2.docker.conf --config-file /etc/st2/st2.user.conf`
+# making possible to keep custom st2 config directives in it, instead of modifying the original st2.conf every time.
+# The order of merging: st2.conf < st2.docker.conf < st2.user.conf
\ No newline at end of file
diff --git a/centos/base/conf/st2ctl b/centos/base/conf/st2ctl
new file mode 100644
index 00000000..7006462f
--- /dev/null
+++ b/centos/base/conf/st2ctl
@@ -0,0 +1 @@
+export ST2_CONF="/etc/st2/st2.conf --config-file=/etc/st2/st2.docker.conf --config-file=/etc/st2/st2.user.conf"
diff --git a/centos/stackstorm-compose/Makefile b/centos/stackstorm-compose/Makefile
new file mode 100644
index 00000000..c4e784b7
--- /dev/null
+++ b/centos/stackstorm-compose/Makefile
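Review bot: Rebinding `[auth]`, `[api]` and `[stream]` to `host = 0.0.0.0` exposes the three plaintext services on every interface of the container, while the nginx front end in this image proxies to `127.0.0.1:910x`, so the loopback binds inherited from the base `st2.conf` already serve the in-container path; unless something outside the container needs the raw ports, keep loopback so that nginx stays the only TLS-terminating entry. The two comments justify the zero retry values with `k8s` restarting the pod, but this file is baked into the compose/all-in-one image, where `depends_on` in the `version: '3'` format does not wait for the `healthcheck`s, so a service that starts before MongoDB/RabbitMQ answer will exit once and stay down unless the in-container systemd units restart it; either reword the comment to name the actual supervisor or give the retries a small non-zero value.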
@@ -0,0 +1,37 @@
+SHELL ?= /bin/bash
+RED=\033[0;31m
+NC=\033[0m
+################################################################################
+# Setup and Help #
+################################################################################
+
+.PHONY: help
+help: ## This help.
+ @awk 'BEGIN {FS = ":.*?## "} /^[a-zA-Z_-]+:.*?## / {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}' $(MAKEFILE_LIST)
+
+.DEFAULT_GOAL := help
+
+# build:
+# docker build --build-arg CIRCLE_SHA1="$(SHA)" -t stackstorm/stackstorm:latest images/stackstorm
+
+# dev-build:
+# docker build --build-arg ST2_REPO=unstable --build-arg CIRCLE_SHA1="$(SHA)" -t stackstorm/stackstorm:local-dev images/stackstorm
+
+env: ## This help.
+ bin/write-env.sh conf
+
+up: ## docker-compose up -d
+ docker-compose up -d
+
+down: ## docker-compose down
+ docker-compose down
+
+rmi: ## docker rmi dangling images
+ docker rmi $$(docker images -f dangling=true -q)
+
+exec: ## exec into stackstorm container
+ docker-compose exec stackstorm /bin/bash
+
+.PHONY: list
+list:
+ @$(MAKE) -pRrq -f $(lastword $(MAKEFILE_LIST)) : 2>/dev/null | awk -v RS= -F: '/^# File/,/^# Finished Make data base/ {if ($$1 !~ "^[#.]") {print $$1}}' | sort | egrep -v -e '^[^[:alnum:]]' -e '^$@$$' | xargs
diff --git a/centos/stackstorm-compose/conf/mongo.env b/centos/stackstorm-compose/conf/mongo.env
new file mode 100644
index 00000000..54dc2310
--- /dev/null
+++ b/centos/stackstorm-compose/conf/mongo.env
@@ -0,0 +1,5 @@
+MONGO_HOST=mongo
+MONGO_PORT=27017
+#MONGO_DB=
+#MONGO_USER=
+#MONGO_PASS=
diff --git a/centos/stackstorm-compose/conf/rabbitmq.env b/centos/stackstorm-compose/conf/rabbitmq.env
new file mode 100644
index 00000000..d45798dd
--- /dev/null
+++ b/centos/stackstorm-compose/conf/rabbitmq.env
@@ -0,0 +1,4 @@
+RABBITMQ_DEFAULT_USER=admin
+RABBITMQ_DEFAULT_PASS=admin
+RABBITMQ_HOST=rabbitmq
+RABBITMQ_PORT=5672
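Review bot: The `env:` target's help text is a copy of `help:`'s (`## This help.`), so `make help` describes it wrongly; change it to what the recipe does, e.g. `env: ## write env files under conf via bin/write-env.sh`. `env`, `up`, `down`, `rmi` and `exec` are also missing from `.PHONY`, so a file or directory named `env` next to the Makefile would make `make env` report "up to date" and skip the script; add `.PHONY: env up down rmi exec`. `rmi` passes `$$(docker images -f dangling=true -q)` straight to `docker rmi`, which fails when there are no dangling images, so the target is not idempotent; piping through `xargs -r docker rmi` (or appending `|| true`) keeps it safe to re-run.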
diff --git a/centos/stackstorm-compose/conf/rbac/assignments/admin.yaml b/centos/stackstorm-compose/conf/rbac/assignments/admin.yaml
new file mode 100644
index 00000000..2d430e2f
--- /dev/null
+++ b/centos/stackstorm-compose/conf/rbac/assignments/admin.yaml
@@ -0,0 +1,6 @@
+---
+ username: "admin"
+ roles:
+ - "admin"
+ - "system_admin"
+ - "observer"
diff --git a/centos/stackstorm-compose/conf/rbac/assignments/stanley.yaml b/centos/stackstorm-compose/conf/rbac/assignments/stanley.yaml
new file mode 100644
index 00000000..304b7cda
--- /dev/null
+++ b/centos/stackstorm-compose/conf/rbac/assignments/stanley.yaml
@@ -0,0 +1,4 @@
+---
+ username: "stanley"
+ roles:
+ - "admin"
diff --git a/centos/stackstorm-compose/conf/rbac/htpasswd b/centos/stackstorm-compose/conf/rbac/htpasswd
new file mode 100644
index 00000000..bf690f0d
--- /dev/null
+++ b/centos/stackstorm-compose/conf/rbac/htpasswd
@@ -0,0 +1 @@
+admin:$apr1$3Iqe9oNf$Kfh7JmhpvnW3Uo89JDLJJ1
diff --git a/centos/stackstorm-compose/conf/rbac/mappings/.gitkeep b/centos/stackstorm-compose/conf/rbac/mappings/.gitkeep
new file mode 100644
index 00000000..e69de29b
diff --git a/centos/stackstorm-compose/conf/rbac/roles/valid_globals b/centos/stackstorm-compose/conf/rbac/roles/valid_globals
new file mode 100644
index 00000000..56f94ff2
--- /dev/null
+++ b/centos/stackstorm-compose/conf/rbac/roles/valid_globals
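Review bot: The committed `admin:$apr1$…` entry is the hash of the documented default password (`admin:admin` per the README), and the compose file bind-mounts this file to `/etc/st2/htpasswd`, so any deployment that does not regenerate it ships a publicly known login on the published 443 port, with the `admin`/`system_admin` roles from `admin.yaml` behind it. The README should tell users to regenerate this entry before exposing the host, and `bin/write-env.sh` (referenced by the Makefile's `env` target) looks like the natural place to derive it from `ST2_PASSWORD` in `conf/stackstorm.env` so the two cannot drift apart; that script is not visible here, so this is a suggestion rather than a claim about it. `stanley.yaml` also grants the `system_user` account the full `admin` role; if stanley only executes actions, a narrower role limits what that identity can do if an action host is compromised.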
@@ -0,0 +1,31 @@
+- "action_alias_help"
+- "action_alias_list"
+- "action_alias_match"
+- "action_list"
+- "api_key_create"
+- "api_key_list"
+- "execution_list"
+- "execution_views_filters_list"
+- "inquiry_list"
+- "inquiry_respond"
+- "inquiry_view"
+- "pack_config"
+- "pack_create"
+- "pack_install"
+- "pack_list"
+- "pack_register"
+- "pack_search"
+- "pack_uninstall"
+- "pack_views_index_health"
+- "policy_create"
+- "policy_list"
+- "policy_type_list"
+- "rule_enforcement_list"
+- "rule_list"
+- "runner_type_list"
+- "sensor_type_list"
+- "stream_view"
+- "timer_list"
+- "trace_list"
+- "trigger_list"
+- "webhook_list"
diff --git a/centos/stackstorm-compose/conf/redis.env b/centos/stackstorm-compose/conf/redis.env
new file mode 100644
index 00000000..3aacae3e
--- /dev/null
+++ b/centos/stackstorm-compose/conf/redis.env
@@ -0,0 +1,3 @@
+REDIS_PASSWORD=redis
+REDIS_HOST=redis
+REDIS_PORT=6379
diff --git a/centos/stackstorm-compose/conf/st2.docker.conf b/centos/stackstorm-compose/conf/st2.docker.conf
new file mode 100644
index 00000000..e69de29b
diff --git a/centos/stackstorm-compose/conf/stackstorm.env b/centos/stackstorm-compose/conf/stackstorm.env
new file mode 100644
index 00000000..b5852921
--- /dev/null
+++ b/centos/stackstorm-compose/conf/stackstorm.env
@@ -0,0 +1,2 @@
+ST2_USER=admin
+ST2_PASSWORD=admin
diff --git a/centos/stackstorm-compose/docker-compose.yml b/centos/stackstorm-compose/docker-compose.yml
new file mode 100644
index 00000000..1cbbc8aa
--- /dev/null
+++ b/centos/stackstorm-compose/docker-compose.yml
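Review bot: `roles/valid_globals` is a bare YAML sequence of permission-type names and does not have the shape of an st2 role definition (`name`, `permission_grants`), and it carries no file extension, so whether `st2-apply-rbac-definitions` skips it or fails on it depends on how the loader globs the `roles/` directory, which is not visible from here. Either move it out of the directory that the compose file bind-mounts to `/opt/stackstorm/rbac/roles`, or open it with a comment naming its purpose, e.g. `# reference list of global permission types; not a role definition`.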
@@ -0,0 +1,112 @@
+version: '3'
+
+services:
+ stackstorm:
+ image: stackstorm/st2/all-in-one-st2:3.5.0-1
+ environment:
+ OS_ACTIONRUNNER__PYTHON_BINARY: /usr/local/bin/python3.7
+ env_file:
+ - conf/stackstorm.env
+ - conf/mongo.env
+ - conf/rabbitmq.env
+ - conf/redis.env
+ ports:
+ - "443:443"
+ - "9100:9100"
+ networks:
+ - mypublic
+ - myprivate
+ volumes:
+ - /run:/run
+ - /sys/fs/cgroup:/sys/fs/cgroup
+ - stackstorm-virtualenvs-volume:/opt/stackstorm/virtualenvs
+ - stackstorm-configs-volume:/opt/stackstorm/configs
+ - ./packs.dev:/opt/stackstorm/packs.dev
+ - ./conf/stackstorm.env:/st2-docker/env
+ - ./conf/rbac/htpasswd:/etc/st2/htpasswd
+ - ./conf/rbac/assignments:/opt/stackstorm/rbac/assignments
+ - ./conf/rbac/roles:/opt/stackstorm/rbac/roles
+ - ./conf/rbac/mappings:/opt/stackstorm/rbac/mappings
+ dns_search: .
+ depends_on:
+ - mongo
+ - rabbitmq
+ - redis
+
+### External Services
+
+ mongo:
+ image: mongo:4.0.23
+ env_file:
+ - conf/mongo.env
+ ports:
+ - "27017:27017"
+ networks:
+ - myprivate
+ volumes:
+ - mongo-volume:/data/db
+ - mongo-configdb-volume:/data/configdb
+ dns_search: .
+ healthcheck:
+ test: echo 'db.stats().ok' | mongo --quiet
+ interval: 5s
+ timeout: 5s
+ retries: 5
+ rabbitmq:
+ image: rabbitmq:3.8.14-management-alpine
+ env_file:
+ - conf/rabbitmq.env
+ networks:
+ - myprivate
+ volumes:
+ - rabbitmq-volume:/var/lib/rabbitmq
+ dns_search: .
+ healthcheck:
+ test:
+ - "CMD"
+ - "rabbitmqctl status"
+ timeout: 5s
+ interval: 5s
+ retries: 5
+ redis:
+ image: redis:4.0
+ env_file:
+ - conf/redis.env
+ networks:
+ - myprivate
+ volumes:
+ - redis-volume:/data
+ ports:
+ - "6379:6379"
+ dns_search: .
+ command: [
+ "bash", "-c",
+ '
+ docker-entrypoint.sh
+ --requirepass "$$REDIS_PASSWORD"
+ '
+ ]
+ healthcheck:
+ test:
+ - "CMD"
+ - "redis-cli PING"
+ timeout: 5s
+ interval: 5s
+ retries: 5
+
+volumes:
+ mongo-volume:
+ mongo-configdb-volume:
+ rabbitmq-volume:
+ redis-volume:
+ stackstorm-packs-volume:
+ stackstorm-virtualenvs-volume:
+ stackstorm-configs-volume:
+
+networks:
+ mypublic:
+ external:
+ name: mypublic
+ myprivate:
+ external:
+ name: myprivate
diff --git a/centos/stackstorm-compose/packs.dev/.gitkeep b/centos/stackstorm-compose/packs.dev/.gitkeep
new file mode 100644
index 00000000..e69de29b
diff --git a/centos/stackstorm-compose/run_st2.sh b/centos/stackstorm-compose/run_st2.sh
new file mode 100755
index 00000000..46673f1b
--- /dev/null
+++ b/centos/stackstorm-compose/run_st2.sh
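Review bot: `- /run:/run` and `- /sys/fs/cgroup:/sys/fs/cgroup` bind the host's runtime directory and cgroup tree read-write into the stackstorm service, which contradicts the README's own systemd fixes (mount `/run` as a tmpfs, mount the cgroup tree read-only) and, on a Docker host, hands the container the host's `/run` contents including any daemon sockets under it. Use `tmpfs: [ /run ]` on the service and `- /sys/fs/cgroup:/sys/fs/cgroup:ro` for the second mount. The file also publishes `27017` (MongoDB with `MONGO_USER`/`MONGO_PASS` commented out in `conf/mongo.env`), `6379` (Redis with the committed password `redis`) and `9100` (st2auth, `use_ssl = False` in the base st2.conf, so credentials travel in the clear) on all host interfaces, which is more than the README's `https://localhost` entry point needs; drop those `ports:` blocks or prefix them with `127.0.0.1:`, keeping 443 as the only external endpoint. `stackstorm-packs-volume` is declared but never mounted, and `depends_on` in the `version: '3'` format does not wait for the `healthcheck`s defined here, so the fixed sleeps in `run_st2.sh` are what is actually ordering start-up.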
@@ -0,0 +1,67 @@
+#! /bin/bash
+
+
+
+function stop_st2(){
+ echo stop st2
+ make down || error_exit 'could not stop st2'
+
+}
+
+function start_st2(){
+ echo start st2
+ make down || error_exit 'could not contact Docker daemon - please start docker'
+ make up
+ sleep 15
+ init_auth_st2
+ init_st2
+}
+
+
+function init_auth_st2(){
+ echo initializing rbac
+ sleep 10
+ docker-compose exec stackstorm /bin/bash -c 'st2-apply-rbac-definitions --config-file=/etc/st2/st2.conf'
+ cd $HOME_DIR
+}
+
+function docker_network(){
+ echo "Check Docker Network"
+ if [ ! "$(docker network ls | grep myprivate)" ]; then
+ echo "Creating myprivate network ..."
+ docker network create --subnet 10.1.1.0/24 myprivate
+ else
+ echo "myprivate network exists."
+ fi
+ if [ ! "$(docker network ls | grep mypublic)" ]; then
+ echo "Creating mypublic network ..."
+ docker network create --subnet 192.168.0.0/20 mypublic
+ else
+ echo "mypublic network exists."
+ fi
+}
+
+
+function init_st2(){
+ echo init st2
+
+ docker-compose exec stackstorm /bin/bash -c 'st2ctl reload'
+
+}
+
+
+
+
+# Main
+
+
+
+start=`date +%s`
+
+docker_network
+start_st2
+
+
+end=`date +%s`
+echo -- run time was $((end-start)) seconds.
+echo -- stackstorm available at https://localhost
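Review bot: `error_exit` is called on `make down` failure in both `stop_st2` and `start_st2` but is never defined, and the script does not `set -e`, so a stopped Docker daemon prints `error_exit: command not found` and the script carries on into `make up`; define it before first use, `error_exit(){ echo "$*" >&2; exit 1; }`. `cd $HOME_DIR` in `init_auth_st2` uses a variable the script never sets, so it silently changes to the caller's home directory, and the `grep myprivate`/`grep mypublic` checks also match any network whose name merely contains those strings; `if ! docker network inspect myprivate >/dev/null 2>&1; then` is exact and needs no parsing. The fixed `sleep 15` and `sleep 10` are the only start-up ordering, so `st2-apply-rbac-definitions` can run before MongoDB and st2api are ready on a slow host, and the failure then surfaces only as an RBAC error; polling the compose healthchecks before calling it would make this deterministic. The RBAC apply also passes only `--config-file=/etc/st2/st2.conf`, while the image's `st2ctl` file builds `ST2_CONF` with the `st2.docker.conf`/`st2.user.conf` overrides, so any override relevant to RBAC is not honoured here.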