Configurable http proxy per host (#389)

kontena · May 29, 2018 · 8dbcdf0 · 8dbcdf0
1 parent 921e020
commit 8dbcdf0
Show file tree

Hide file tree

Showing 11 changed files with 126 additions and 6 deletions.
diff --git a/examples/vagrant/Vagrantfile b/examples/vagrant/Vagrantfile
@@ -32,6 +32,7 @@ Vagrant.configure("2") do |config|
         vb.cpus = 1
       end
       host.vm.network "private_network", ip: "192.168.100.#{i + 100}"
+      host.vm.provision("shell", path: 'proxy-only.sh') if ENV['VAGRANT_HTTP_PROXY']
     end
   end
 end
diff --git a/examples/vagrant/proxy-only.sh b/examples/vagrant/proxy-only.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+/sbin/iptables -A OUTPUT -p tcp --dport 80 -j DROP
+/sbin/iptables -A OUTPUT -p tcp --dport 443 -j DROP
diff --git a/lib/pharos/config_schema.rb b/lib/pharos/config_schema.rb
@@ -54,6 +54,7 @@ def self.messages
               optional(:user).filled
               optional(:ssh_key_path).filled
               optional(:container_runtime).filled(included_in?: ['docker', 'cri-o'])
+              optional(:http_proxy).filled(:str?)
             end
           end
         end

diff --git a/lib/pharos/configuration/host.rb b/lib/pharos/configuration/host.rb
@@ -17,6 +17,7 @@ class Host < Dry::Struct
       attribute :user, Pharos::Types::Strict::String.default('ubuntu')
       attribute :ssh_key_path, Pharos::Types::Strict::String.default('~/.ssh/id_rsa')
       attribute :container_runtime, Pharos::Types::Strict::String.default('docker')
+      attribute :http_proxy, Pharos::Types::Strict::String
 
       attr_accessor :os_release, :cpu_arch, :hostname, :api_endpoint, :private_interface_address, :checks
 

diff --git a/lib/pharos/phase.rb b/lib/pharos/phase.rb
@@ -53,6 +53,7 @@ def resource_path(*path)
     end
 
     # @param script [String] name of file under ../scripts/
+    # @param vars [Hash]
     def exec_script(script, vars = {})
       @ssh.exec_script!(
         script,
@@ -61,6 +62,9 @@ def exec_script(script, vars = {})
       )
     end
 
+    # @param path [String]
+    # @param vars [Hash]
+    # @return [Pharos::YamlFile]
     def parse_resource_file(path, vars = {})
       Pharos::YamlFile.new(resource_path(path)).read(vars)
     end

diff --git a/lib/pharos/phases/configure_host.rb b/lib/pharos/phases/configure_host.rb
@@ -22,7 +22,12 @@ class ConfigureHost < Pharos::Phase
 
       def call
         logger.info { "Configuring essential packages ..." }
-        exec_script('configure-essentials.sh')
+        configure_script_library
+        exec_script(
+          'configure-essentials.sh',
+          HTTP_PROXY: @host.http_proxy.to_s,
+          SET_HTTP_PROXY: @host.http_proxy.nil? ? 'false' : 'true'
+        )
 
         logger.info { "Configuring package repositories ..." }
         configure_repos
@@ -52,6 +57,14 @@ def call
         end
       end
 
+      def configure_script_library
+        path = "/usr/local/share/pharos"
+        @ssh.exec("sudo mkdir -p #{path}")
+        @ssh.file("#{path}/util.sh").write(
+          File.read(File.join(__dir__, '..', 'scripts', 'pharos.sh'))
+        )
+      end
+
       def configure_repos
         exec_script('repos/cri-o.sh') if crio?
         exec_script('repos/kube.sh')

diff --git a/lib/pharos/scripts/configure-cri-o.sh b/lib/pharos/scripts/configure-cri-o.sh
@@ -2,13 +2,33 @@
 
 set -ue
 
+reload_daemon() {
+    if systemctl is-active --quiet crio; then
+        systemctl daemon-reload
+        systemctl restart crio
+    fi
+}
+
 mkdir -p /etc/systemd/system/crio.service.d
 cat <<EOF >/etc/systemd/system/crio.service.d/10-cgroup.conf
 [Service]
 Environment='CRIO_STORAGE_OPTIONS=--cgroup-manager=cgroupfs --stream-address=$CRIO_STREAM_ADDRESS --pause-image=${IMAGE_REPO}/pause-${CPU_ARCH}:3.1'
 ExecStartPre=/sbin/sysctl -w net.ipv4.ip_forward=1
 EOF
 
+if [ -n "$HTTP_PROXY" ]; then
+    cat <<EOF >/etc/systemd/system/crio.service.d/http-proxy.conf
+[Service]
+Environment="HTTP_PROXY=${HTTP_PROXY}"
+EOF
+    reload_daemon
+else
+    if [ -f /etc/systemd/system/crio.service.d/http-proxy.conf ]; then
+        rm /etc/systemd/system/crio.service.d/http-proxy.conf
+        reload_daemon
+    fi
+fi
+
 DEBIAN_FRONTEND=noninteractive apt-get install -y cri-o-$CRIO_VERSION
 systemctl enable crio
 # remove unnecessary cni plugins

diff --git a/lib/pharos/scripts/configure-docker.sh b/lib/pharos/scripts/configure-docker.sh
@@ -17,6 +17,27 @@ cat <<EOF >/etc/docker/daemon.json
 }
 EOF
 
+reload_daemon() {
+    if systemctl is-active --quiet docker; then
+        systemctl daemon-reload
+        systemctl restart docker
+    fi
+}
+
+if [ -n "$HTTP_PROXY" ]; then
+    mkdir -p /etc/systemd/system/docker.service.d
+    cat <<EOF >/etc/systemd/system/docker.service.d/http-proxy.conf
+[Service]
+Environment="HTTP_PROXY=${HTTP_PROXY}"
+EOF
+    reload_daemon
+else
+    if [ -f /etc/systemd/system/docker.service.d/http-proxy.conf ]; then
+        rm /etc/systemd/system/docker.service.d/http-proxy.conf
+        reload_daemon
+    fi
+fi
+
 export DEBIAN_FRONTEND=noninteractive
 
 apt-mark unhold $DOCKER_PACKAGE

diff --git a/lib/pharos/scripts/configure-essentials.sh b/lib/pharos/scripts/configure-essentials.sh
@@ -2,13 +2,26 @@
 
 set -e
 
+. /usr/local/share/pharos/util.sh
+
+env_file="/etc/environment"
+
+if [ "${SET_HTTP_PROXY}" = "true" ]; then
+    lineinfile "^http_proxy=" "http_proxy=${HTTP_PROXY}" $env_file
+    lineinfile "^HTTP_PROXY=" "HTTP_PROXY=${HTTP_PROXY}" $env_file
+    lineinfile "^HTTPS_PROXY=" "HTTPS_PROXY=${HTTP_PROXY}" $env_file
+else
+    linefromfile "^http_proxy=" $env_file
+    linefromfile "^HTTP_PROXY=" $env_file
+    linefromfile "^HTTPS_PROXY=" $env_file
+fi
+
 if ! dpkg -l apt-transport-https software-properties-common > /dev/null; then
     export DEBIAN_FRONTEND=noninteractive
     apt-get update -y
     apt-get install -y apt-transport-https software-properties-common
 fi
 
-cat <<EOF >/etc/apt/apt.conf.d/20auto-upgrades
-APT::Periodic::Update-Package-Lists "1";
-APT::Periodic::Unattended-Upgrade "0";
-EOF
+autoupgrade_file="/etc/apt/apt.conf.d/20auto-upgrades"
+lineinfile "^APT::Periodic::Update-Package-Lists " 'APT::Periodic::Update-Package-Lists "1";' $autoupgrade_file
+lineinfile "^APT::Periodic::Unattended-Upgrade " 'APT::Periodic::Unattended-Upgrade "0";' $autoupgrade_file
diff --git a/lib/pharos/scripts/configure-etcd.sh b/lib/pharos/scripts/configure-etcd.sh
@@ -3,7 +3,7 @@
 set -e
 
 etcd_healthy() {
-  response=$(curl -s --cacert /etc/pharos/pki/ca.pem --cert /etc/pharos/pki/etcd/client.pem --key /etc/pharos/pki/etcd/client-key.pem https://${PEER_IP}:2379/health)
+  response=$(curl -s --noproxy "*" --cacert /etc/pharos/pki/ca.pem --cert /etc/pharos/pki/etcd/client.pem --key /etc/pharos/pki/etcd/client-key.pem https://${PEER_IP}:2379/health)
   [ "${response}" = '{"health": "true"}' ]
 }
 

diff --git a/lib/pharos/scripts/pharos.sh b/lib/pharos/scripts/pharos.sh
@@ -0,0 +1,42 @@
+#!/bin/sh
+
+## @param file
+file_exists() {
+    if [ -f "$1" ]; then
+        return 0
+    fi
+    return 1
+}
+
+## @param match
+## @param line
+## @param file
+lineinfile() {
+    [[ $# -lt 3 ]] && return 1
+
+    match=$1
+    line=$2
+    shift
+    shift
+
+    for file in "$@"; do
+        file_exists "$file" || return 1
+        grep -q "${match}" $file && sed "s/${match}.*/${line}/" -i $file || echo $line >> $file
+    done
+
+    return 0
+}
+
+## @param match
+## @param file
+linefromfile() {
+    [[ $# -lt 2 ]] && return 1
+
+    match=$1
+    shift
+
+    for file in "$@"; do
+        file_exists "$file" || return 1
+        sed -i "/${match}/d" $file
+    done
+}