Cloud-init

- Cloud Stack Conference talk.
- Distribution image containing pre-installed Cloud-init.
- Installation options configurable by script (the user data shown below).
The server resource hands the user data to the provider as-is:

    resource "hcloud_server" "web" {
      name      = var.server_name
      ...
      user_data = file("userData.yml")
    }
userData.yml installs nginx and writes a one-line index page; the `>` folded scalar lets the long echo span two source lines:

    #cloud-config
    packages:
      - nginx
    runcmd:
      - systemctl enable nginx
      - rm /var/www/html/*
      - >
        echo "I'm Nginx @ $(dig -4 TXT +short o-o.myaddr.l.google.com @ns1.google.com)
        created $(date -u)" >> /var/www/html/index.html
Template (tpl/userData.yml) with a templatefile() placeholder:

    ...
    users:
      - name: ${loginUser}
    ...

Rendered user data (gen/user_data.yml) after terraform apply:

    ...
    users:
      - name: devops
    ...
Validate the user data before relying on it. On the running instance, cloud-init schema --system --annotate checks what was actually applied and marks each error in place:

    # cloud-init schema --system --annotate
    ...
    apt:                                                      # E1
      - debconf_selections: openssh-server openssh-server/password-authentication boolean false
                            openssh-server openssh-server/permit-root-login boolean false
    ...
    # Errors: -------------
    # E1: [{'debconf_selections': 'openssh-server ....boolean false'}] is not of type 'object'

E1 is the leading dash: the list item turns the value of apt into a list of one mapping, whereas the schema requires apt to be a mapping, with debconf_selections itself a mapping of arbitrary set names to the preseed text. A typo of this kind silently drops the SSH hardening, so the schema check belongs in the pipeline, not only in debugging.
The same checker accepts a file, which is how the rendered user data is validated before the server ever sees it:

    # cloud-init schema --config-file /var/lib/cloud/instance/user-data.txt
    Valid cloud-config: /var/lib/cloud/instance/user-data.txt
Multi-line values need care with templatefile(). The SSH host key pasted into a block scalar looks right in the template:

    ...
    ssh_keys:
      ed25519_private: |
        -----BEGIN OPENSSH PRIVATE KEY-----
        b3BlbnNzaC1rZXktdjEAAAAABG5vbmUA...
        -----END OPENSSH PRIVATE KEY-----

but the rendered file fails validation, because only the first line of the substituted value inherits the template's indentation; the following lines land at column 1, where YAML ends the block scalar:

    # E1: File gen/user_data.yml is not valid YAML.
    in "<unicode string>", line 19, column 1:
        b3BlbnNzaC1rZXktdjEAAAAABG5vbmUA ...

Fix in main.tf: indent() adds the given number of spaces to every line after the first, so the whole key stays inside the block scalar, and the rendered result is written to gen/user_data.yml:

    resource "local_file" "user_data" {
      content = templatefile("tpl/userData.yml", {
        host_ed25519_private = indent(4, tls_private_key.host.private_key_openssh)
        ...
      })
      filename = "gen/user_data.yml"
    }

Caveat: user data is not a secret store. The private host key now lives in the Terraform state, in gen/user_data.yml on the operator machine, in /var/lib/cloud/instance/user-data.txt on the server, and is served by the provider's metadata endpoint to any local process that asks. That is an accepted trade-off here (the key only authenticates this throwaway host), but do not reuse the pattern for long-lived credentials.
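The indentation failure and the indent() fix, reproduced in shell as an added example that is not part of the original page. render, render_naive, render_indented, tf_indent and count_column1_lines are this example's own helpers emulating templatefile() with and without Terraform's indent(); the key material is a constructed placeholder, not a real key.

```shell
#!/bin/sh
# Added example (not from the page): why the pasted host key broke the YAML and what
# indent(4, ...) in main.tf does about it. All function names are this example's
# own; FAKE_KEY is a constructed placeholder, not a real private key.
set -eu

# Constructed stand-in for tls_private_key.host.private_key_openssh.
FAKE_KEY='-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUA
-----END OPENSSH PRIVATE KEY-----'

# Terraform's indent(n, s): prefix n spaces to every line except the first. The
# template already places the first line at the right column; the rest must follow.
tf_indent() {
  pad=$(printf "%${1}s" '')
  awk -v pad="$pad" 'NR > 1 { $0 = pad $0 } { print }'
}

# Template fragment: the placeholder sits four spaces in, under "ed25519_private: |".
render() {
  printf 'ssh_keys:\n  ed25519_private: |\n    %s\n' "$1"
}

render_naive()    { render "$FAKE_KEY"; }                                   # what the page hit
render_indented() { render "$(printf '%s\n' "$FAKE_KEY" | tf_indent 4)"; }  # with indent()

# Poor man's block-scalar check: every line after "ed25519_private: |" must be
# indented deeper than the key, otherwise YAML ends the scalar and the key text
# becomes a syntax error at column 1, the "line 19, column 1" failure on the page.
count_column1_lines() {
  awk 'NR > 2 && /^[^ ]/ { n++ } END { print n + 0 }'
}

render_naive    | count_column1_lines   # 2 key lines escape the block scalar
render_indented | count_column1_lines   # 0
```

The same rule applies to every multi-line secret pushed through a template (certificates, PEM keys, multi-line shell in runcmd): pick the indent() width to match the column of the placeholder in the template, then run cloud-init schema --config-file on the rendered file rather than on the template.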
On the running server, journalctl shows cloud-init finishing and, within five minutes of boot, the first password-guessing attempts arriving over SSH:

    root@hello:~# journalctl -f
    May 06 04:41:20 hello cloud-init[898]: Cloud-init v. 22.4.2 finished at Mon, 06 May 2024 04:41:20 +0000. Datasource DataSourceHetzner.  Up 11.78 seconds
    ...
    May 06 04:46:16 hello sshd[927]: Invalid user abc from 43.163.218.130 port 33408
    May 06 04:46:17 hello sshd[927]: Received disconnect from 43.163.218.130 port 33408:11: Bye Bye [preauth]
    May 06 04:46:17 hello sshd[927]: Disconnected from invalid user abc 43.163.218.130 port 33408 [preauth]
    ...
    May 06 04:50:54 hello sshd[930]: fatal: Timeout before authentication for 27.128.243.225 port 59866
    ...
    May 06 04:52:45 hello sshd[933]: Invalid user cos from 43.163.218.130 port 59776
    ...
    May 06 04:53:04 hello sshd[935]: Invalid user admin from 194.169.175.35 port 51128
    May 06 04:53:49 hello sshd[937]: User root from 43.163.218.130 not allowed because not listed in AllowUsers
    May 06 04:53:49 hello sshd[937]: Disconnected from invalid user root 43.163.218.130 port 50592 [preauth]

The last two lines show an AllowUsers restriction in sshd_config rejecting a root login attempt. The scans start before any operator has logged in, which is the argument for putting key-only authentication and user restrictions into the user data rather than applying them by hand afterwards.
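Detection logic run over the sshd lines from the journal excerpt above, as an added example that is not part of the original page. The log lines are copied from the page (the cloud-init line and the elided parts omitted); rejected_logins, attempts_by_ip, top_offender and root_probers are this example's own helpers.

```shell
#!/bin/sh
# Added example (not from the page): turn the sshd journal lines into a per-source
# count of rejected logins. Function names are this example's own; SSHD_LOG holds
# the lines copied from the page's journalctl excerpt.
set -eu

SSHD_LOG='May 06 04:46:16 hello sshd[927]: Invalid user abc from 43.163.218.130 port 33408
May 06 04:46:17 hello sshd[927]: Received disconnect from 43.163.218.130 port 33408:11: Bye Bye [preauth]
May 06 04:46:17 hello sshd[927]: Disconnected from invalid user abc 43.163.218.130 port 33408 [preauth]
May 06 04:50:54 hello sshd[930]: fatal: Timeout before authentication for 27.128.243.225 port 59866
May 06 04:52:45 hello sshd[933]: Invalid user cos from 43.163.218.130 port 59776
May 06 04:53:04 hello sshd[935]: Invalid user admin from 194.169.175.35 port 51128
May 06 04:53:49 hello sshd[937]: User root from 43.163.218.130 not allowed because not listed in AllowUsers
May 06 04:53:49 hello sshd[937]: Disconnected from invalid user root 43.163.218.130 port 50592 [preauth]'

# One rejected attempt per line of these two shapes, emitted as "IP NAME":
#   "Invalid user NAME from IP port N"                              (unknown account)
#   "User NAME from IP not allowed because not listed in AllowUsers" (policy denial)
# Disconnect and timeout lines are follow-ups of the same attempt and are not counted.
rejected_logins() {
  awk '
    /sshd\[[0-9]+\]: Invalid user / { print $(NF-2), $(NF-4); next }
    /sshd\[[0-9]+\]: User .* not allowed because not listed in AllowUsers/ {
      for (i = 1; i <= NF; i++) if ($i == "from") { print $(i+1), $(i-1); break }
    }'
}

# Attempts per source IP, most active first, as "IP COUNT".
attempts_by_ip() {
  rejected_logins | awk '{ n[$1]++ } END { for (ip in n) print ip, n[ip] }' \
    | sort -k2,2nr -k1,1
}

# The noisiest source as "IP COUNT": the candidate for a firewall rule or a
# fail2ban sanity check.
top_offender() { attempts_by_ip | head -n 1; }

# Sources that tried the privileged account name at all.
root_probers() { rejected_logins | awk '$2 == "root" { print $1 }' | sort -u; }

printf '%s\n' "$SSHD_LOG" | attempts_by_ip
```

On a live host feed it from journalctl -u ssh -o cat instead of the embedded sample; the same two patterns cover the bulk of opportunistic scanning, and any source that shows up in root_probers is worth blocking outright.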
No. 7 Working on Cloud-init

Q: We continue our exercise series Incrementally creating a base system by adding a Cloud-init configuration:

Problem of repeated terraform apply: each apply that re-creates the server boots with a freshly generated host key under the same address, so the entry ~/.ssh/known_hosts learned at the previous login no longer matches and ssh refuses to connect:
$ ssh root@128.140.108.60
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
Solution: let Terraform generate the host key (tls_private_key.host), inject the private half through the cloud-config ssh_keys stanza shown above, and write the public half into a known_hosts file of its own, so the client already trusts the new host key before the first login:

    resource "local_file" "known_hosts" {
      content = "${hcloud_server.helloServer.ipv4_address} ...
      ... ${tls_private_key.host.public_key_openssh}"
      filename        = "gen/known_hosts"
      file_permission = "0644"
    }

main.tf holds the resource; tpl/ssh.sh is the generated wrapper that points ssh at gen/known_hosts.
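What the wrapper around gen/known_hosts can look like, as an added example that is not the page's tpl/ssh.sh: the point is to trust exactly the generated pin and to fail closed on any other key. make_known_hosts_line, ssh_pinned, known_hosts_ok and the KNOWN_HOSTS variable are this example's own names; the sample public key in the test is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not from the page): an ssh wrapper pinned to the known_hosts file
# that Terraform generates, plus a sanity check on that file. Names are this
# example's own; the page's tpl/ssh.sh is not shown and may differ.
set -eu

KNOWN_HOSTS="${KNOWN_HOSTS:-gen/known_hosts}"

# Same shape local_file.known_hosts writes: "<ip> <keytype> <base64>" on one line.
# public_key_openssh ends with a newline and may carry a comment; keep the first
# two fields only.
make_known_hosts_line() {
  ip=$1; pubkey=$2
  printf '%s %s\n' "$ip" "$(printf '%s' "$pubkey" | awk '{ print $1, $2; exit }')"
}

# ssh that consults only the generated pin: no ~/.ssh/known_hosts, no global file,
# and StrictHostKeyChecking=yes rather than accept-new, so an unexpected key is an
# error instead of being learned silently.
ssh_pinned() {
  host=$1; shift
  ssh -o UserKnownHostsFile="$KNOWN_HOSTS" \
      -o GlobalKnownHostsFile=/dev/null \
      -o StrictHostKeyChecking=yes \
      "$host" "$@"
}

# Check the generated file before use: every entry has three fields and is the
# ed25519 key type that tls_private_key.host produces. Exit status 1 on any bad line.
known_hosts_ok() {
  awk 'NF != 3 || $2 != "ssh-ed25519" { bad++ } END { exit (bad > 0) }' "$1"
}
```

Because the private half of the pinned key travels through user data, this pin only proves that the server booted from this Terraform run's user data, not that nobody else could read that user data; for the exercise that is the intended guarantee.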
No. 8 Solving the ~/.ssh/known_hosts quirk

Q: Extend Working on Cloud-init, generating both a
    #cloud-config
    write_files:
      - path: /etc/nginx/snippets/cert/private.pem
        content: ${base64encode(private_key_pem)}
        encoding: base64
        # write_files defaults to 0644; a private key must not be world-readable.
        permissions: '0600'
        owner: root:root

Base64 encoding sidesteps the indentation problem of multi-line PEM values, but the key still passes through user data, so the same exposure caveat as for the host key applies.
Note: Congrats to paultyng