--- /dev/null
+#!/bin/bash
+
+# ============LICENSE_START=======================================================
+# Copyright (C) 2018 The Nordix Foundation. All rights reserved.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+
+# This script sets up base instances to create snapshots to provision Jenkins slaves
+# for cloud infra work (OpenStack, Kubernetes, ONAP)
+# The user to configure Jenkins OpenStack Cloud plugin is infra.
+# The SSH public key is stored as /home/infra/.ssh/id_rsa.pub but private key is not
+# there and it is expected to be put in place by the jobs to ensure key is there only
+# when the slaves are provisioned by Nordix Jenkins.
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+main () {
+ source /etc/os-release || source /usr/lib/os-release
+ case ${ID,,} in
+ rhel|centos)
+ export pkg_mgr_cmd="yum"
+ ;;
+ debian|ubuntu)
+ export pkg_mgr_cmd="apt"
+ ;;
+ *suse*)
+ export pkg_mgr_cmd="zypper"
+ ;;
+ *)
+ echo "ERROR: Supported package manager not found. Supported: apt, yum, zypper"
+ exit 1
+ ;;
+ esac
+
+ echo "Info: Waiting for completion of an existing $pkg_mgr_cmd process before proceeding..."
+ set +o pipefail
+ timeout 600 bash <<"EOF"
+while true; do
+ pkg_mgr_process=$(pgrep -f $pkg_mgr_cmd | cat)
+ if [[ -n $pkg_mgr_process ]]; then
+ sleep 10
+ else
+ break
+ fi
+done
+EOF
+ set -o pipefail
+ echo "Info: $pkg_mgr_cmd process done. Continuing..."
+ echo "Info: Starting to configure the base instance. This may take some time."
+ echo "-------------------------------------------------------------"
+ # install basic packages
+ install_packages
+
+ # install docker
+ install_docker
+
+ # enable nested virtualization
+ enable_nested_virtualization
+
+ # create and configure local user
+ create_local_user
+
+ echo "Info : Done! It is time to shutdown and snapshot this system."
+}
+
+install_packages() {
+ echo "Info : Installing basic packages"
+ echo "-------------------------------------------------------------"
+ local install_map
+
+ declare -A PKG_MAP
+
+ CHECK_CMD_PKGS=(
+ git
+ vim
+ curl
+ wget
+ chrony
+ jre
+ )
+
+ # determine the distro
+ source /etc/os-release || source /usr/lib/os-release
+
+ case ${ID,,} in
+ debian|ubuntu)
+ OS_FAMILY="Debian"
+ export DEBIAN_FRONTEND=noninteractive
+ INSTALLER_CMD="sudo -H -E apt-get -y -q=3 install"
+ CHECK_CMD="dpkg -l"
+ CHRONY_SERVICE=chrony
+ PKG_MAP=(
+ [git]=git
+ [vim]=vim
+ [curl]=curl
+ [wget]=wget
+ [chrony]=chrony
+ [jre]=openjdk-11-jre-headless
+ )
+ EXTRA_PKG_DEPS=( apt-utils apt-transport-https ca-certificates gnupg-agent software-properties-common )
+ sudo apt-get update -qq
+ sudo apt-get upgrade -y -qq
+ ;;
+
+ rhel|centos)
+ OS_FAMILY="RedHat"
+ INSTALLER_CMD="sudo -H -E yum -q -y install"
+ CHECK_CMD="rpm -q"
+ CHRONY_SERVICE=chronyd
+ PKG_MAP=(
+ [git]=git
+ [vim]=vim
+ [curl]=curl
+ [wget]=wget
+ [chrony]=chrony
+ [jre]=java-11-openjdk
+ )
+ EXTRA_PKG_DEPS=( deltarpm yum-utils epel-release device-mapper-persistent-data lvm2 )
+ sudo yum updateinfo
+ ;;
+
+ *suse*)
+ OS_FAMILY="Suse"
+ INSTALLER_CMD="sudo -H -E zypper -q install -y --no-recommends"
+ CHECK_CMD="zypper search --match-exact --installed"
+ PKG_MAP=(
+ [git]=git
+ [vim]=vim
+ [curl]=curl
+ [wget]=wget
+ [chrony]=chrony
+ [jre]=java-11-openjdk
+ )
+ EXTRA_PKG_DEPS=( )
+ sudo zypper -n ref
+ # NOTE (cinerama): we can't install python without removing this package
+ # if it exists
+ if $(${CHECK_CMD} patterns-openSUSE-minimal_base-conflicts &> /dev/null); then
+ sudo -H zypper remove -y patterns-openSUSE-minimal_base-conflicts
+ fi
+ echo "ERROR: openSUSE is not supported fully!"
+ exit 1
+ ;;
+
+ *)
+ echo "ERROR: Supported package manager not found. Supported: apt, yum, zypper"
+ exit 1
+ ;;
+ esac
+
+ for pkgmap in ${CHECK_CMD_PKGS[@]}; do
+ install_map+=(${PKG_MAP[$pkgmap]} )
+ done
+
+ install_map+=(${EXTRA_PKG_DEPS[@]} )
+
+ ${INSTALLER_CMD} ${install_map[@]}
+
+ # enable/start chrony and sync time
+ sudo systemctl enable $CHRONY_SERVICE
+ sudo systemctl start $CHRONY_SERVICE
+ sudo chronyc -a 'burst 4/4' && sudo chronyc -a makestep
+
+ echo "-------------------------------------------------------------"
+}
+
+install_docker() {
+ echo "Info: Installing docker"
+ echo "-------------------------------------------------------------"
+ # determine the distro
+ source /etc/os-release || source /usr/lib/os-release
+
+ case ${ID,,} in
+ debian|ubuntu)
+ INSTALLER_CMD="sudo -H -E apt-get -y -q=3 install"
+ sudo apt remove -y docker docker-engine docker.io containerd runc # > /dev/null 2>&1
+ curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
+ sudo add-apt-repository \
+ "deb [arch=amd64] https://download.docker.com/linux/ubuntu \
+ $(lsb_release -cs) \
+ stable" # > /dev/null 2>&1
+ sudo apt update > /dev/null 2>&1
+ ;;
+
+ rhel|centos)
+ INSTALLER_CMD="sudo -H -E yum -q -y install"
+ sudo yum remove -y docker docker-client docker-client-latest docker-common docker-latest \
+ docker-latest-logrotate docker-logrotate docker-engine # > /dev/null 2>&1
+ sudo yum-config-manager -y --add-repo https://download.docker.com/linux/centos/docker-ce.repo # > /dev/null 2>&1
+ sudo yum updateinfo > /dev/null 2>&1
+ ;;
+
+ *suse*)
+ echo "ERROR: openSUSE is not supported fully!"
+ exit 1
+ ;;
+
+ *)
+ echo "ERROR: Supported package manager not found. Supported: apt, yum, zypper"
+ exit 1
+ ;;
+ esac
+
+ $INSTALLER_CMD docker-ce docker-ce-cli containerd.io # > /dev/null 2>&1
+ sudo systemctl enable docker
+ sudo systemctl start docker
+ echo "-------------------------------------------------------------"
+}
+
+enable_nested_virtualization() {
+ echo "Info: Enabling nested virtualization"
+ echo "-------------------------------------------------------------"
+ # determine the distro
+ source /etc/os-release || source /usr/lib/os-release
+
+ case ${ID,,} in
+ debian|ubuntu)
+ sudo bash -c 'cat << EOF > /etc/modprobe.d/qemu-system-x86.conf
+options kvm-intel nested=y enable_apicv=n
+EOF'
+ ;;
+
+ rhel|centos)
+ sudo bash -c 'cat << EOF > /etc/modprobe.d/dist.conf
+options kvm-intel nested=y enable_apicv=n
+EOF'
+ ;;
+ *suse*)
+ echo "ERROR: openSUSE is not supported fully!"
+ exit 1
+ ;;
+ *)
+ echo "ERROR: Supported package manager not found. Supported: apt, yum, zypper"
+ exit 1
+ ;;
+ esac
+ sudo modprobe -r kvm_intel kvm
+ sudo modprobe -a kvm_intel kvm
+ sudo lsmod | grep kvm_intel
+ sudo cat /sys/module/kvm_intel/parameters/nested
+ echo "-------------------------------------------------------------"
+}
+
+create_local_user() {
+ echo "Info: Creating and configuring local user"
+ echo "-------------------------------------------------------------"
+ # determine the distro
+ source /etc/os-release || source /usr/lib/os-release
+
+ case ${ID,,} in
+ debian|ubuntu)
+ SUDO_GROUP=sudo
+ ;;
+
+ rhel|centos)
+ SUDO_GROUP=wheel
+ ;;
+ *suse*)
+ echo "ERROR: openSUSE is not supported fully!"
+ exit 1
+ ;;
+ *)
+ echo "ERROR: Supported package manager not found. Supported: apt, yum, zypper"
+ exit 1
+ ;;
+ esac
+
+ # create local user
+ export LOCAL_USER=infra
+ sudo useradd -G $SUDO_GROUP,docker -m -s /bin/bash -U $LOCAL_USER
+ id -a $LOCAL_USER
+
+ # copy authorized_keys as id_rsa.pub
+ sudo /bin/mkdir -p /home/$LOCAL_USER/.ssh
+ echo /home/$LOCAL_USER/.ssh/{id_rsa.pub,authorized_keys} | xargs -n 1 sudo /bin/cp -f $HOME/.ssh/authorized_keys
+ sudo chown -R $LOCAL_USER:$LOCAL_USER /home/$LOCAL_USER/.ssh && sudo chmod -R go-rwx /home/$LOCAL_USER/.ssh
+
+ # modify sudoers
+ sudo sed -i "s/^Defaults.*env_reset/#&\nDefaults:$LOCAL_USER \!requiretty/" /etc/sudoers
+ sudo sed -i "s/^%$SUDO_GROUP.*ALL/%$SUDO_GROUP ALL=(ALL:ALL) NOPASSWD: ALL/" /etc/sudoers
+
+ # create slave_root
+ SLAVE_ROOT=/home/$LOCAL_USER/nordix/slave_root
+ sudo /bin/mkdir -p $SLAVE_ROOT && sudo chown -R $LOCAL_USER:$LOCAL_USER $SLAVE_ROOT/..
+
+ # get .vimrc and .gitconfig
+ sudo curl -s https://gist.githubusercontent.com/fdegir/9d43718dd4c2984c2e7c/raw/bd52530b856c1f84ae8a56e0083ab8c1d8262f92/.vimrc -o /home/$LOCAL_USER/.vimrc
+ sudo curl -s https://gist.githubusercontent.com/fdegir/a09cddad69fc0e5ca673/raw/182d4e5d730e33764a6c46333ccf4341ae9045e9/.gitconfig -o /home/$LOCAL_USER/.gitconfig
+
+ # disable PasswordAuthentication, enable PubkeyAuthentication, allow only the local user to SSH
+ sudo sed -i "s/PasswordAuthentication.*\|PubkeyAuthentication.*//g" /etc/ssh/sshd_config
+ sudo /bin/cp -f /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
+ sudo bash -c "echo >> /etc/ssh/sshd_config"
+ sudo bash -c "echo PasswordAuthentication no >> /etc/ssh/sshd_config"
+ sudo bash -c "echo PubkeyAuthentication yes >> /etc/ssh/sshd_config"
+ sudo bash -c "echo AllowUsers $LOCAL_USER >> /etc/ssh/sshd_config"
+ sudo systemctl restart sshd
+ echo "-------------------------------------------------------------"
+}
+
+main "$@"