
cloud-config.yml notes for CoreOS, part 2

Posted at 2016-09-06

References

cloud-config.yml

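User and SSH keys

Generating the user's password hash string (`-1` selects MD5-based crypt, which yields the `$1$` prefix; OpenSSL 1.1.1 and later also accept `-6` for SHA-512-based crypt, the stronger choice)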
$ openssl passwd -salt coreos -1 fjpoaeifji
$1$coreos$5tow1kTF0qjJ0qi.G8N9/1
cloud-config.yml
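users:
  - name: core
    # Password hash generated with the openssl command above
    passwd: $1$coreos$5tow1kTF0qjJ0qi.G8N9/1
    ssh-authorized-keys:
      - ssh-rsa ... osx/id_rsa
    # groups is a key of the same user entry, not a new list item
    groups:
      - sudo
      - docker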

hostname

cloud-config.yml
hostname: core01

reboot strategy

cloud-config.yml
coreos:
  update:
    reboot-strategy: off
To update manually, run the following command:
update_engine_client -update

sshd

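cloud-config.yml
coreos:
  units:

    # The socket unit only controls where sshd listens.
    - name: sshd.socket
      command: start
      content: |
        [Socket]
        #ListenStream=22
        ListenStream=2222
        Accept=yes

# sshd_config directives are not valid inside a systemd [Socket] section
# (systemd ignores them), so they are written to /etc/ssh/sshd_config instead.
write_files:
  - path: /etc/ssh/sshd_config
    permissions: 0600
    owner: 'root:root'
    content: |
      PermitRootLogin no
      PasswordAuthentication no
      AllowUsers core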

iptables

cloud-config.yml
coreos:
  units:

    - name: iptables-restore.service
      enable: true
      command: start

write_files:
  - path: /var/lib/iptables/rules-save
    permissions: 0644
    owner: 'root:root'
    content: |
      *filter
      :INPUT DROP [0:0]
      :FORWARD DROP [0:0]
      :OUTPUT ACCEPT [0:0]
      -A INPUT -i lo -j ACCEPT
      -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
      -A INPUT -p tcp -m tcp --dport 2222 -j ACCEPT
      -A INPUT -p tcp -m tcp --dport 8888 -j ACCEPT
      COMMIT
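
The sshd port (2222) is set in sshd.socket and opened again in the iptables rules, and the two must stay in sync or the host becomes unreachable over SSH. The following Python check is an added example, not part of the original article: it parses the rules-save text and the socket unit and reports mismatches. The function names and the `expected_extra` parameter are hypothetical, and only single-port `--dport` rules are handled.

```python
import re

# Constructed sample input: the rules-save body and sshd.socket unit from this page.
RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2222 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8888 -j ACCEPT
COMMIT
"""
SOCKET_UNIT = "[Socket]\n#ListenStream=22\nListenStream=2222\nAccept=yes\n"

def parse_rules(text):
    """Return (chain policies, TCP ports accepted on INPUT) from iptables-save text."""
    policies, open_ports = {}, set()
    for line in map(str.strip, text.splitlines()):
        policy = re.match(r":(\S+)\s+(\S+)", line)
        dport = re.search(r"--dport (\d+)(?=\s)", line)  # single ports only
        if policy:
            policies[policy.group(1)] = policy.group(2)
        elif line.startswith("-A INPUT ") and "-p tcp" in line and line.endswith("-j ACCEPT") and dport:
            open_ports.add(int(dport.group(1)))
    return policies, open_ports

def listen_ports(unit_text):
    """Ports from the uncommented ListenStream= lines of a systemd socket unit."""
    return {int(p) for p in re.findall(r"^[ \t]*ListenStream=(?:.*:)?(\d+)[ \t]*$", unit_text, re.M)}

def audit(rules, unit, expected_extra=frozenset()):
    """List findings; an empty list means the firewall and sshd.socket agree."""
    policies, open_ports = parse_rules(rules)
    ssh = listen_ports(unit)
    findings = []
    for chain in ("INPUT", "FORWARD"):
        if policies.get(chain) != "DROP":
            findings.append(f"{chain} policy is {policies.get(chain)}, not DROP")
    for port in sorted(ssh - open_ports):
        findings.append(f"sshd listens on {port} but INPUT does not accept it (lockout)")
    for port in sorted(open_ports - ssh - set(expected_extra)):
        findings.append(f"port {port} is open but not accounted for")
    return findings

if __name__ == "__main__":
    for finding in audit(RULES, SOCKET_UNIT):
        print(finding)
```

Pass the ports you intend to expose besides SSH as `expected_extra` (for this page's rules, `{8888}`) to get a clean result.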

screen

cloud-config.yml
write_files:

  - path: /home/core/install_screen.sh
    permissions: 0700
    owner: core:core
    content: |
      # Download the screen installer into the OEM partition and run it as root
      sudo wget -q https://raw.githubusercontent.com/tukiyo/coreos-screen.run/master/screen.run -O /usr/share/oem/screen.run
      sudo sh /usr/share/oem/screen.run