#cloud-config
# SSH config
no_ssh_fingerprints: false
ssh:
emit_keys_to_console: false
# update and upgrade instance
package_update: true
package_upgrade: true
# install some packages
packages:
- chrony
%{ if username == "centos" }
- iscsi-initiator-utils
- nfs-utils
%{ endif }
%{ if username == "ubuntu" }
- open-iscsi
- nfs-common
%{ if ncsa_security }
- rsyslog-relp
%{ endif }
%{ endif }
users:
- default
%{ if ncsa_security }
- name: qualys
gecos: Qualys Service
groups: users
system: true
shell: /bin/bash
ssh_authorized_keys:
- ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAGAwkmzfc0NyhjOdi1qfI5SVQ0prU1luu24xUNeEyEvH9CX80hmXt+ZnQt8Dc7HExUXDcSZo25g71WnuvlYbZefBgHkOLY5JpDcTGuQcb7W6CXD9UG7Unu4YbmBErQhs3u2iuNLYCDxAhoVvfK4Op/sNvMKME72KM3hQ6GE+H1QD8xZZA==
%{ endif }
# set timezone
timezone: America/Chicago
# files to be created on the system
write_files:
%{ if taiga_enabled ~}
- path: /etc/fstab
permissions: "0644"
owner: root:root
content: |
taiga-nfs.ncsa.illinois.edu:/taiga/ncsa/radiant/${project_name}/${cluster_name} /taiga nfs defaults 0 0
append: true
%{ endif ~}
- path: /etc/docker/daemon.json
permissions: "0644"
owner: root:root
content: |
{
"exec-opts": ["native.cgroupdriver=systemd"],
"log-driver": "json-file",
"log-opts": {
"max-size": "100m"
},
"storage-driver": "overlay2"
}
%{ if ncsa_security }
- path: /etc/rsyslog.d/00-ncsa.conf
permissions: "0644"
owner: root:root
content: |
# Load Output RELP module (at top)
$ModLoad omrelp
$WorkDirectory /var/spool/rsyslog # Directory to store buffer files (must exist!)
$ActionQueueType LinkedList # use asynchronous processing
$ActionQueueFileName syslog-security-buffer # set file name, also enables disk mode
$ActionQueueMaxDiskSpace 10g # space limit (use as much as possible)
$ActionResumeRetryCount -1 # infinite retries on insert failure
$ActionQueueSaveOnShutdown on # save in-memory data if rsyslog shuts down
*.* :omrelp:syslog.security.ncsa.illinois.edu:1514
%{ endif }
%{ if ncsa_security }
- path: /etc/sysctl.d/50-disable-ipv6.conf
permissions: "0644"
owner: root:root
content: |
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
%{ endif }
%{ if username == "ubuntu" }
- path: /etc/sysctl.d/50-increase-inotify.conf
permissions: "0644"
owner: root:root
content: |
fs.inotify.max_user_instances=8192
%{ endif }
%{ if ncsa_security }
%{ if username == "ubuntu" }
- path: /etc/chrony/sources.d/ncsa.sources
permissions: "0644"
owner: root:root
content: |
# University of Illinois NTP Servers
pool ntp.illinois.edu iburst maxsources 3
# NCSA's NTP Server
pool ntp.ncsa.illinois.edu iburst maxsources 2
%{ endif }
%{ endif }
- path: /usr/local/bin/rke1
permissions: "0700"
owner: root:root
content: |
#!/usr/bin/bash
echo "sleeping to wait for network"
while ! curl --fail --silent --output /dev/null http://ncsa.illinois.edu ; do echo "Sleep 10s"; sleep 10; done
%{ if ncsa_security }
sysctl -w net.ipv6.conf.all.disable_ipv6=1
sysctl -w net.ipv6.conf.default.disable_ipv6=1
sysctl -w net.ipv6.route.flush=1
%{ if username == "ubuntu" }
systemctl disable --now rpcbind
systemctl disable --now rpc-statd
%{ endif }
%{ endif }
%{ if username == "ubuntu" }
sysctl fs.inotify.max_user_instances=8192
%{ endif }
%{ if install_docker ~}
echo "install docker"
curl https://releases.rancher.com/install-docker/24.0.sh | sh
apt-get -qq update
apt-get -y dist-upgrade
systemctl enable --now docker
usermod -aG docker ${username}
%{ endif ~}
echo "connect to rancher"
${node_command} ${node_options} ${node_labels}
%{ if taiga_enabled ~}
echo "mounting taiga"
mkdir /taiga
%{ endif ~}
echo "all done"
# run this command once the system is booted
runcmd:
- /usr/local/bin/rke1
%{ if ncsa_security }
%{ if username == "ubuntu" }
# clean up default pool sources if we are using ncsa security
- /usr/bin/sed -i 's/^pool/# pool/' /etc/chrony/chrony.conf
- /usr/bin/systemctl restart chronyd
%{ endif }
%{ endif }
power_state:
delay: "+5"
mode: reboot