mirror of
https://github.com/quay/quay.git
synced 2026-01-29 08:42:15 +03:00
224 lines
6.7 KiB
JSON
224 lines
6.7 KiB
JSON
{% macro overridelist() -%}
|
|
|
|
TOKEN={{ token }}
|
|
SERVER={{ manager_hostname }}
|
|
{% if http_proxy %}
|
|
HTTP_PROXY={{ http_proxy }}
|
|
{% elif https_proxy %}
|
|
HTTPS_PROXY={{ https_proxy }}
|
|
{% elif no_proxy %}
|
|
NO_PROXY={{ no_proxy }}
|
|
{% endif %}
|
|
# TODO: Remove this eventually
|
|
GODEBUG=x509ignoreCN=0
|
|
|
|
{%- endmacro %}
|
|
|
|
|
|
{% macro journalgatewayservice() -%}
|
|
|
|
[Unit]
|
|
Description=Journal Gateway Service Socket
|
|
[Socket]
|
|
ListenStream=/var/run/journald.sock
|
|
Service=systemd-journal-gatewayd.service
|
|
[Install]
|
|
WantedBy=sockets.target
|
|
|
|
{%- endmacro %}
|
|
|
|
|
|
{% macro disableawsmetadataservice() -%}
|
|
|
|
[Unit]
|
|
Description=Disable AWS metadata service
|
|
Before=network-pre.target
|
|
Wants=network-pre.target
|
|
[Service]
|
|
Type=oneshot
|
|
ExecStart=/usr/local/bin/disable-aws-metadata.sh
|
|
RemainAfterExit=yes
|
|
[Install]
|
|
WantedBy=multi-user.target
|
|
|
|
{%- endmacro %}
|
|
|
|
|
|
{% macro machinelifetimeservice() -%}
|
|
|
|
[Unit]
|
|
Description=Machine Lifetime Service
|
|
[Service]
|
|
Type=oneshot
|
|
ExecStart=/bin/sh -xc "/bin/sleep {{ max_lifetime_s }}; /usr/bin/systemctl --no-block poweroff"
|
|
[Install]
|
|
WantedBy=multi-user.target
|
|
|
|
{%- endmacro %}
|
|
|
|
{% macro podmanregistryconfig() -%}
|
|
|
|
unqualified-search-registries = ["registry.fedoraproject.org", "registry.access.redhat.com", "docker.io", "quay.io"]
|
|
short-name-mode="permissive"
|
|
|
|
{%- endmacro %}
|
|
|
|
|
|
{
|
|
"ignition": {
|
|
"version": "3.0.0"
|
|
},
|
|
"passwd": {
|
|
"users": [
|
|
{
|
|
{% if ssh_authorized_keys -%}
|
|
"sshAuthorizedKeys": {{ ssh_authorized_keys | jsonify }},
|
|
{%- endif %}
|
|
"groups": [
|
|
"sudo"
|
|
],
|
|
"name": "core"
|
|
}
|
|
]
|
|
},
|
|
"storage": {
|
|
"files": [
|
|
{
|
|
"path": "/etc/pki/ca-trust-source/anchors/ssl.cert",
|
|
"contents": {
|
|
"source": {{ ca_cert | dataurl | jsonify }}
|
|
},
|
|
"mode": 420
|
|
},
|
|
{% if container_runtime == "podman" %}
|
|
{
|
|
"path": "/etc/containers/certs.d/{{ registry_hostname }}/client.crt",
|
|
"contents": {
|
|
"source": {{ ca_cert | dataurl | jsonify }}
|
|
},
|
|
"mode": 420
|
|
},
|
|
{
|
|
"overwrite": true,
|
|
"path": "/etc/containers/registries.conf",
|
|
"contents": {
|
|
"source": {{ podmanregistryconfig() | dataurl | jsonify }}
|
|
},
|
|
"mode": 444
|
|
},
|
|
{% else %}
|
|
{
|
|
"path": "/etc/docker/certs.d/{{ registry_hostname }}/client.crt",
|
|
"contents": {
|
|
"source": {{ ca_cert | dataurl | jsonify }}
|
|
},
|
|
"mode": 420
|
|
},
|
|
{% endif %}
|
|
{
|
|
"path": "/etc/hostname",
|
|
"contents": {
|
|
"source": {{ build_uuid | default('quay-builder', True) | dataurl | jsonify }}
|
|
},
|
|
"mode": 420
|
|
},
|
|
{
|
|
"overwrite": true,
|
|
"path": "/etc/zincati/config.d/90-disable-auto-updates.toml",
|
|
"contents": {
|
|
"source": {{ "[updates]\nenabled = false" | dataurl | jsonify }}
|
|
},
|
|
"mode": 420
|
|
},
|
|
{
|
|
"path": "/usr/local/bin/disable-aws-metadata.sh",
|
|
"contents": {
|
|
"source": {{ "#!/bin/bash\niptables -t nat -I PREROUTING -p tcp -d 169.254.169.254 --dport 80 -j DNAT --to-destination 1.1.1.1" | dataurl | jsonify }}
|
|
},
|
|
"mode": 493
|
|
},
|
|
{
|
|
"path": "/root/overrides.list",
|
|
"contents": {
|
|
"source": {{ overridelist() | dataurl | jsonify }}
|
|
},
|
|
"mode": 420
|
|
}
|
|
]
|
|
},
|
|
"systemd": {
|
|
"units": [
|
|
{% if container_runtime == "podman" %}
|
|
{% if debug %}
|
|
{{ dockersystemd("quay-builder",
|
|
worker_image,
|
|
container_runtime,
|
|
quay_username,
|
|
quay_password,
|
|
worker_tag,
|
|
extra_args='--privileged --env-file /root/overrides.list -v /var/run/podman/podman.sock:/var/run/podman/podman.sock -v /etc/pki/ca-trust-source/anchors:/certs -e CONTAINER_RUNTIME=podman -e DOCKER_HOST=unix:/var/run/podman/podman.sock',
|
|
restart_policy='no',
|
|
oneshot=True,
|
|
timeout_start_sec=timeout_start_sec,
|
|
) | indent(6) }},
|
|
{% else %}
|
|
{{ dockersystemd("quay-builder",
|
|
worker_image,
|
|
container_runtime,
|
|
quay_username,
|
|
quay_password,
|
|
worker_tag,
|
|
extra_args='--privileged --env-file /root/overrides.list -v /var/run/podman/podman.sock:/var/run/podman/podman.sock -v /etc/pki/ca-trust-source/anchors:/certs -e CONTAINER_RUNTIME=podman -e DOCKER_HOST=unix:/var/run/podman/podman.sock',
|
|
exec_stop_post=['/bin/sh -xc "/bin/sleep 120; /usr/bin/systemctl --no-block poweroff"'],
|
|
restart_policy='no',
|
|
oneshot=True,
|
|
timeout_start_sec=timeout_start_sec,
|
|
) | indent(6) }},
|
|
{% endif %}
|
|
{% else %}
|
|
{% if debug %}
|
|
{{ dockersystemd("quay-builder",
|
|
worker_image,
|
|
container_runtime,
|
|
quay_username,
|
|
quay_password,
|
|
worker_tag,
|
|
extra_args='--net=host --privileged --env-file /root/overrides.list -v /var/run/docker.sock:/var/run/docker.sock -v /etc/pki/ca-trust-source/anchors:/certs',
|
|
restart_policy='no',
|
|
oneshot=True,
|
|
timeout_start_sec=timeout_start_sec,
|
|
) | indent(6) }},
|
|
{% else %}
|
|
{{ dockersystemd("quay-builder",
|
|
worker_image,
|
|
container_runtime,
|
|
quay_username,
|
|
quay_password,
|
|
worker_tag,
|
|
extra_args='--net=host --privileged --env-file /root/overrides.list -v /var/run/docker.sock:/var/run/docker.sock -v /etc/pki/ca-trust-source/anchors:/certs',
|
|
exec_stop_post=['/bin/sh -xc "/bin/sleep 120; /usr/bin/systemctl --no-block poweroff"'],
|
|
restart_policy='no',
|
|
oneshot=True,
|
|
timeout_start_sec=timeout_start_sec,
|
|
) | indent(6) }},
|
|
{% endif %}
|
|
{% endif %}
|
|
{
|
|
"name": "systemd-journal-gatewayd.socket",
|
|
"enabled": true,
|
|
"contents": {{ journalgatewayservice() | jsonify }}
|
|
},
|
|
{
|
|
"name": "disable-aws-metadata.service",
|
|
"enabled": true,
|
|
"contents": {{ disableawsmetadataservice() | jsonify }}
|
|
},
|
|
{
|
|
"name": "machine-lifetime.service",
|
|
"enabled": true,
|
|
"contents": {{ machinelifetimeservice() | jsonify }}
|
|
}
|
|
]
|
|
}
|
|
}
|